Cyberdefense Technologies

Firewalls
Intrusion detection
And beyond

Defensive Strategy
  • Deceive the attacker
  • Frustrate the attacker
  • Resist the attacker
  • Recognize and Respond to the attacker
Security Desires
  • Logging of successful connections, rejected packets and suspected attacks
  • Immunity to Denial of Service attacks
  • Protection against information gathering probes
Defenses against DoS
  • The best defense against DDoS attacks is to prevent the initial system compromises that build the attack network
  • However, even vigilant hosts can become targets because of less prepared, less security-aware hosts elsewhere
  • It is difficult to defend specifically against becoming the ultimate target of a DDoS attack, but protection against being used as an agent ("daemon") or master (handler) system is more easily attainable
Ingress Filtering
  • Ingress filtering manages the flow of traffic as it enters a network under your administrative control
  • Servers are typically the only machines that need to accept inbound connections from the public Internet
  • Ingress filtering can be performed at the border to prohibit externally initiated inbound connections to non-authorized services
Egress Filtering
  • Egress filtering manages the flow of traffic as it leaves a network under your administrative control
  • Egress filtering from sources like university campuses can make a difference
  • Egress filtering alone does not provide a complete solution to the problem
  • Defensive "middle ground" (a DMZ) between the public and the protected network
  • The demands on a firewall can differ significantly
  • An internal network, where a balance has to be found between what can come in and go out, a publicly accessible website, and a Virtual Private Network pose very different problems
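The ingress and egress rules above, as a small simulation added here (not code from the slides): a border filter that accepts inbound connection attempts only to the published servers, drops packets arriving from outside that carry an inside source address, and drops outbound packets whose source is not in our prefix. That last anti-spoofing rule is what makes egress filtering at a campus matter to a DDoS victim elsewhere. The prefix, server list and addresses are constructed from documentation ranges.

```python
"""Ingress/egress filtering at a network border, simulated.

Added example, not code from the slides. The prefix, server list and
addresses are constructed (documentation ranges), and the anti-spoofing
rules are the standard ones: a host on our network must not emit packets
with someone else's source address, and nothing arriving from outside may
claim an inside address.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

OUR_NET = ip_network("203.0.113.0/24")         # assumed: the network we administer
PUBLIC_SERVERS = {                              # assumed: the only hosts that take inbound connections
    ip_address("203.0.113.10"): {80, 443},      # web server
    ip_address("203.0.113.25"): {25},           # mail server
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    syn_only: bool = False   # True for a TCP connection attempt (SYN set, ACK clear)


def ingress(pkt: Packet) -> str:
    """Decision for a packet entering from the Internet."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if src in OUR_NET:
        return "DROP spoofed: inside source address arriving from outside"
    if dst not in OUR_NET:
        return "DROP not ours: destination outside our prefix"
    if pkt.syn_only and pkt.dport not in PUBLIC_SERVERS.get(dst, set()):
        return "DROP inbound connection to non-authorized service"
    # A stateless border ACL cannot tell a reply to one of our outbound
    # connections from an unsolicited non-SYN packet, so both are passed here.
    return "ACCEPT"


def egress(pkt: Packet) -> str:
    """Decision for a packet leaving toward the Internet."""
    if ip_address(pkt.src) not in OUR_NET:
        return "DROP spoofed: source address not in our prefix"
    return "ACCEPT"


if __name__ == "__main__":
    samples = [
        ("in", Packet("198.51.100.7", "203.0.113.10", 443, syn_only=True)),   # web client: accepted
        ("in", Packet("198.51.100.7", "203.0.113.50", 22, syn_only=True)),    # SSH to a desktop: dropped
        ("in", Packet("203.0.113.5", "203.0.113.10", 80, syn_only=True)),     # spoofed inside source: dropped
        ("out", Packet("203.0.113.77", "198.51.100.7", 80)),                  # our host browsing: accepted
        ("out", Packet("192.0.2.1", "198.51.100.7", 80)),                     # spoofed flood packet: dropped
    ]
    for direction, pkt in samples:
        verdict = ingress(pkt) if direction == "in" else egress(pkt)
        print(f"{direction:>3} {pkt.src:>14} -> {pkt.dst}:{pkt.dport:<5} {verdict}")
```

The egress rule is deliberately the simplest possible check; it does nothing about the flood itself, but it makes every packet leaving this network traceable to it, which is the most a campus can contribute to someone else's DDoS problem.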
Firewalls are for policy control
  • They permit a site’s administrator to set a policy on external access
  • Just as file permissions enforce an internal security policy, a firewall can enforce an external security policy
Firewall Technologies
  • Network Address Translation (NAT)
  • Most use packet filtering rules to determine packet access
  • Some use “stateful inspection” to manage connections
  • Some application proxy support
    • A few allow custom proxy creation *BONUS*
Static Packet Filtering
  • Uses information in packet headers:
    • Destination IP address
    • Source IP address or subnet
    • Destination service port
      • This information is compared with an Access Control List (ACL)
  • TCP flags: a rule can stop anything with SYN=1 (a connection attempt), but port scanners can instead send probes with ACK=1 or FIN=1 and all other flags cleared, which such a rule passes
    • Flag checks are not an option with UDP (no flags)
Example Attack
  • Scenario: the Internet router is blocking TCP/UDP ports 135-139
  • The firewall allows only outbound HTTP (80) and SMTP (25) traffic
  • Hacker's objective: gain control of an internal NT server from the Internet
Dynamic Packet Filtering (Stateful Inspection)
  • Acts on the same principle as static packet filtering, but maintains a connection or "state" table in order to track each communication session, so a packet is accepted only if it opens a permitted connection or belongs to one already seen
  • Less easy to abuse: probes that do not belong to an established connection have no state and are dropped
  • Filtering is hard to configure to full satisfaction and reduces the router's performance
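To make the difference concrete, here is an added example (not from the slides) simulating both filters over TCP segments: a stateless SYN-only ACL and a filter with a state table, both applied to the ACK-only probe from the static packet filtering slide. The internal prefix, the single published service and the addresses are assumed.

```python
"""Static (stateless) vs. dynamic (stateful) filtering of TCP segments, simulated.

Added example, not from the slides. The internal prefix, published service
and addresses are constructed. It shows the ACK/FIN probe that a SYN-only
ACL passes and a state table rejects.
"""
from dataclasses import dataclass

INSIDE = "10.0.0."                      # assumed internal network (10.0.0.0/24)
PUBLISHED = {("10.0.0.10", 80)}         # assumed: the only service reachable from outside


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # subset of {"SYN", "ACK", "FIN", "RST"}


def inbound(seg: Segment) -> bool:
    return seg.dst.startswith(INSIDE) and not seg.src.startswith(INSIDE)


def opens_connection(seg: Segment) -> bool:
    return "SYN" in seg.flags and "ACK" not in seg.flags


def static_filter(seg: Segment) -> bool:
    """Stateless ACL: refuse inbound connection attempts except to published
    services; pass everything else, because replies to our own outbound
    connections arrive as non-SYN segments and the ACL cannot tell them
    apart from a probe that merely sets ACK or FIN."""
    if inbound(seg) and opens_connection(seg):
        return (seg.dst, seg.dport) in PUBLISHED
    return True


class StatefulFilter:
    """Keeps a table of connections it has seen opened; a segment is accepted
    only if it opens a permitted connection or belongs to one in the table."""

    def __init__(self):
        self.table = set()   # (client, client_port, server, server_port)

    def decide(self, seg: Segment) -> bool:
        fwd = (seg.src, seg.sport, seg.dst, seg.dport)
        rev = (seg.dst, seg.dport, seg.src, seg.sport)
        if fwd in self.table or rev in self.table:
            if seg.flags & {"FIN", "RST"}:      # connection tearing down: forget it
                self.table.discard(fwd)
                self.table.discard(rev)
            return True
        if opens_connection(seg):
            if inbound(seg) and (seg.dst, seg.dport) not in PUBLISHED:
                return False
            self.table.add(fwd)                 # outbound, or inbound to a published service
            return True
        return False                            # no state and not a SYN: an ACK/FIN probe, dropped


def ack_probe_verdicts():
    """The port scanner's trick from the static-filtering slide: an ACK-only
    probe to an unpublished port. Returns (static verdict, stateful verdict)."""
    probe = Segment("198.51.100.9", 40000, "10.0.0.22", 139, frozenset({"ACK"}))
    return static_filter(probe), StatefulFilter().decide(probe)


if __name__ == "__main__":
    print("ACK probe passes static filter / stateful filter:", ack_probe_verdicts())
    sf = StatefulFilter()
    syn = Segment("10.0.0.5", 51000, "198.51.100.9", 80, frozenset({"SYN"}))
    syn_ack = Segment("198.51.100.9", 80, "10.0.0.5", 51000, frozenset({"SYN", "ACK"}))
    print("outbound SYN:", sf.decide(syn), " matching SYN/ACK reply:", sf.decide(syn_ack))
```

The state table is also where the performance cost comes from: every segment costs a lookup, and the table itself has to be sized and aged out, which is why the slide notes that stateful filtering is harder to configure and slower than a plain ACL.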
Problems with Firewalls
  • Conventional firewalls rely on the notions of restricted topology and control entry points to function
    • Everyone on one side of the firewall is to be trusted
    • Anyone on the other side is potentially an enemy
  • “extranets” can allow outsiders to reach the “inside” of the firewall
  • Some machines need more access to the outside than do others
  • End-to-end encryption: firewalls generally do not have the necessary keys to inspect traffic
  • Log review, software currency, … (high maintenance)
Distributed Firewalls
  • In such a scheme, policy is still centrally defined; enforcement, however, takes place on each endpoint
  • Helps control trust issues
What are Honeypots?
  • Honeypots are one of the methods used in intrusion detection
  • Set up a "decoy" system
    • Non-hardened operating system
    • Appears to have several vulnerabilities
    • Similar configuration to production
    • Fake content
  • Deceive intruder for alert and study
Attracting Blackhats
  • What do you do to attract blackhats to your Honeypot?
    • Absolutely nothing, that is the scary part. You have to sit back and wait.
    • The blackhat community is extremely aggressive, you would be surprised at what they will find.
Honeypot as attack host
  • Once compromised, can't the bad guys use one of your honeypots to attack someone else?
    • That risk exists!
    • Use several layers of access control devices that limit and control what type of outbound connections are allowed, and how many
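One way to implement the outbound limits just described, as an added example (not Honeynet Project code): a per-hour connection budget and a port allow-list in front of the decoy, run against a constructed scenario in which the compromised decoy is turned on a third party. The limits and addresses are assumed.

```python
"""Outbound "data control" for a honeypot: limit which services the decoy may
reach and how many connections it may open per hour.

Added example, not the Honeynet Project's tooling. The limits and the
connection log are constructed for illustration.
"""
from collections import Counter, deque


class OutboundControl:
    """One layer of outbound access control in front of a decoy host."""

    def __init__(self, max_per_hour: int = 15, allowed_ports=(53, 80, 443)):
        self.max_per_hour = max_per_hour
        self.allowed_ports = set(allowed_ports)   # assumed policy: DNS and web only
        self.recent = deque()                     # start times of connections allowed in the last hour
        self.log = []                             # (ts, dst, dport, verdict, reason)

    def decide(self, ts: float, dst: str, dport: int) -> str:
        while self.recent and ts - self.recent[0] >= 3600:   # slide the one-hour window
            self.recent.popleft()
        if dport not in self.allowed_ports:
            verdict, reason = "DROP", "service not permitted outbound"
        elif len(self.recent) >= self.max_per_hour:
            verdict, reason = "DROP", "hourly connection budget exhausted"
        else:
            verdict, reason = "ALLOW", "within policy"
            self.recent.append(ts)
        self.log.append((ts, dst, dport, verdict, reason))
        return verdict


def simulate_compromised_decoy():
    """Constructed scenario: after the decoy is taken over, the intruder tries
    40 web connections in two minutes, then one connection to port 6667, which
    the policy does not permit. Returns a Counter of verdicts."""
    ctl = OutboundControl()
    for i in range(40):
        ctl.decide(ts=3 * i, dst=f"198.51.100.{i + 1}", dport=80)
    ctl.decide(ts=130, dst="203.0.113.7", dport=6667)
    return Counter(verdict for _, _, _, verdict, _ in ctl.log)


if __name__ == "__main__":
    print(simulate_compromised_decoy())   # the first 15 web connections get out, the rest are dropped
```

The budget lets the intruder do just enough (fetch a toolkit, resolve a name) to stay interested and keep generating evidence, while capping what the decoy can do to anyone else; the log of dropped attempts is itself useful intelligence.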
The Honeynet Project
  • Distributed team of security experts
  • Hardware to capture and analyze intruder activity
  • Evolving honeypot technology and attack analysis
What's wrong with honeypots?
  • The insurance model will not allow you to take unnecessary risks without a substantial increase in premium
  • Risk management says that honeypots increase risk for demonstrably invalid reasons
  • You can learn more by using better instrumentation
  • Transient effectiveness
Transient Effectiveness
  • The threat reality is that most attackers are unsophisticated and will fall back to DoS if denied real access
  • Honeypots must be kept up to date but in general aren't
  • Honeypots must act like the host operating system they imitate
  • Fix current problems rather than generating new ones
Too many hosts to secure
  • Virtually all operating systems and network devices are insecure out of the box
    • This must change
  • Operating systems maintained by normal users must be set to take care of themselves by default
  • Growth of the net will be the single largest factor as to why there are so many vulnerable systems
  • It is unrealistic to assume that the net will ever be safe
Where does IDS fit?
  • IDS is useful as an additional layer of defense, no more
  • IDS is not helpful when advanced attackers are attacking you with new attacks that no signature yet describes
  • Two major types today: network IDS (Snort) and host IDS (AIDE, log watchers, etc.)
  • Missing IDS type: application IDS
  • High false alarm rates (wasted admin time)
IDS and Policy
  • Security Policy is the first step (defining what is acceptable and what is being defended)
  • Notification
    • Who, how fast?
  • Response Coordination

IDS Implementation Map

(Diagram: where each sensor type sits in the network. Labels recoverable from the figure: Deception System; Generic Server with Host-Based ID; Network IDS (Snort 2.0); Statistical IDS (Snort); Perimeter Logs.)
Detection Engine
  • Rules form “signatures”
  • Modular detection elements are combined to form these signatures
  • Wide range of detection capabilities
    • Stealth scans, OS fingerprinting, buffer overflows, back doors, CGI exploits, etc.
  • Rules system is very flexible, and creation of new rules is relatively simple
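An added example of how rule header and option elements combine into a signature, in the spirit of Snort's rule language but not Snort's own engine: a parser for a subset of the rule syntax (header plus the msg, content, nocase, flags and sid options) and a matcher run over constructed packets. HOME_NET, the two rules and the traffic are assumed; the sids are in the local range.

```python
"""Miniature Snort-style rule parser and matcher.

Added example, not Snort's detection engine: it supports only the rule header
plus the msg, content, nocase, flags and sid options, enough to show how modular
detection elements combine into a signature. HOME_NET, the rules and the packets
are constructed; sids are in the local (>= 1000000) range.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

HOME_NET = ip_network("10.0.0.0/8")   # assumed
HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    options: list   # (keyword, value) pairs in rule order; order matters for modifiers like nocase

@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes
    flags: str = ""   # TCP flags as Snort letters, e.g. "S", "AP", "F"

def parse_rule(text: str) -> Rule:
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    action, proto, src, sport, _direction, dst, dport, body = m.groups()
    options = []   # ';'-separated keyword[:value] items (values here contain no ';')
    for part in filter(None, (p.strip() for p in body.split(";"))):
        kw, _, val = part.partition(":")
        options.append((kw.strip(), val.strip().strip('"')))
    return Rule(action, proto.lower(), src, sport, dst, dport, options)

def addr_ok(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    if spec in ("$HOME_NET", "$EXTERNAL_NET"):
        return (ip_address(ip) in HOME_NET) == (spec == "$HOME_NET")
    return ip_address(ip) in ip_network(spec, strict=False)

def port_ok(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if ":" in spec:   # range such as 135:139 or 1024:
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port

def matches(rule: Rule, pkt: Packet) -> bool:
    """Every header element and every option element must match (AND)."""
    if rule.proto != pkt.proto or not (addr_ok(rule.src, pkt.src) and port_ok(rule.sport, pkt.sport)
                                       and addr_ok(rule.dst, pkt.dst) and port_ok(rule.dport, pkt.dport)):
        return False
    contents = []   # [needle, nocase] in rule order
    for kw, val in rule.options:
        if kw == "content":
            contents.append([val.encode(), False])
        elif kw == "nocase" and contents:
            contents[-1][1] = True   # modifies the preceding content element
        elif kw == "flags" and set(val) != set(pkt.flags):
            return False             # plain flags:F is an exact match in Snort
    return all((n.lower() in pkt.payload.lower()) if nc else (n in pkt.payload) for n, nc in contents)

def run(rules, packets):
    """Return (sid, msg) for each rule that fires on each packet: the alert stream."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if matches(rule, pkt):
                opts = dict(rule.options)
                alerts.append((opts.get("sid"), opts.get("msg")))
    return alerts

RULES = [parse_rule(r) for r in (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI phf access"; content:"/cgi-bin/phf"; nocase; sid:1000001;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN FIN-only probe"; flags:F; sid:1000002;)',
)]
PACKETS = [   # constructed traffic: one CGI request, one FIN probe, one ordinary request
    Packet("tcp", "198.51.100.7", 40123, "10.0.0.10", 80, b"GET /cgi-bin/PHF HTTP/1.0\r\n", "AP"),
    Packet("tcp", "198.51.100.7", 40124, "10.0.0.22", 139, b"", "F"),
    Packet("tcp", "198.51.100.8", 40125, "10.0.0.10", 80, b"GET /index.html HTTP/1.0\r\n", "AP"),
]

if __name__ == "__main__":
    for sid, msg in run(RULES, PACKETS):
        print(f"[{sid}] {msg}")
```

The two rules use different detection elements (a payload content match with a case modifier; a TCP flag test with no payload at all), yet both are just header plus options, which is what makes writing a new rule for a new pattern a matter of minutes.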
Learning More
  • Snort documentation
    • Writing Snort Rules
    • FAQ, USAGE file, README file, man page
    • Snort mailing lists
  • Books
    • Network Intrusion Detection: An Analyst's Handbook, Stephen Northcutt
    • Intrusion Signatures and Analysis, Stephen Northcutt et al.
    • The Practical Intrusion Detection Handbook, Paul E. Proctor
But What Slips Through?
  • Signatures are based on a traffic model
    • Attacks are assumed to stay with the same set of source IPs
  • Signatures assume fixed characteristics
    • The packets involved in an attack are assumed to keep similar content
  • Signatures assume an obvious distinction from legitimate traffic
    • What looks legitimate is assumed never to be malicious
How do We Catch the Slips?
  • Non-signature based collection
    • Short-term (hours at most): full packet capture, rotating -> libpcap
    • Medium-term (weeks at most): headers plus a content summary -> expanded flow records
    • Long-term (years): headers and sizes only -> flow records
  • Privacy concerns
  • Efficiency concerns
  • Sampling concerns
What can You Do with Just Flows?
  • Indicative, not probative
  • Time series, with departures from the baseline
    • DDoS ramp-up
    • Scanning: worms/viruses
  • Threshold violations
    • Spam vs. email
    • Streaming media vs. web browsing
  • Locality violations
    • Malware beaconing
    • Worms/viruses
    • Spyware
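Two of the flow-only detections listed above, worked as an added example (not from the slides): the SMTP fan-out threshold (spam vs. email) and beacon detection from the regularity of inter-arrival times (a locality violation). The flow records and the thresholds are constructed.

```python
"""What you can do with just flow records: a threshold check and a locality check.

Added example, not from the slides. The flow records are constructed, not
captured; the thresholds (20 SMTP peers per hour, coefficient of variation
below 0.1) are illustrative and would be tuned per site. Flows are
indicative, not probative: each hit is a lead for a packet-level look.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Flow record: (start_seconds, src, dst, dst_port, bytes)


def constructed_flows():
    flows = []
    # 10.0.0.5: a person browsing; irregular timing, several destinations
    for ts, dst in [(3, "198.51.100.10"), (47, "198.51.100.11"), (120, "198.51.100.10"),
                    (131, "198.51.100.12"), (250, "198.51.100.10"), (410, "198.51.100.13"),
                    (433, "198.51.100.10"), (590, "198.51.100.10")]:
        flows.append((ts, "10.0.0.5", dst, 443, 18000))
    # 10.0.0.9: a beacon, every 300 s with a little jitter, tiny payload, one peer
    for i in range(12):
        flows.append((300 * i + i % 3, "10.0.0.9", "198.51.100.66", 443, 60))
    # 10.0.0.25: the mail relay doing its job, eight SMTP peers in the hour
    for i in range(8):
        flows.append((400 * i + 17, "10.0.0.25", f"203.0.113.{i + 1}", 25, 9000))
    # 10.0.0.12: a desktop spraying SMTP at 150 different hosts in under an hour
    for i in range(150):
        flows.append((20 * i, "10.0.0.12", f"192.0.2.{i + 1}", 25, 2000))
    return flows


def smtp_fanout(flows, window=3600, limit=20):
    """Threshold violation, spam vs. email: a source that talks SMTP to more than
    `limit` distinct peers within one window is not a person sending mail."""
    peers = defaultdict(set)   # (src, window index) -> SMTP destinations
    for ts, src, dst, dport, _ in flows:
        if dport == 25:
            peers[(src, ts // window)].add(dst)
    return sorted({src for (src, _), dsts in peers.items() if len(dsts) > limit})


def beacon_candidates(flows, min_flows=6, max_cv=0.1):
    """Locality violation, malware beaconing: the same (src, dst, port) seen again
    and again at near-constant intervals. A coefficient of variation of the
    inter-arrival times near zero means a timer, not a human. Returns
    [((src, dst, port), period_seconds), ...]."""
    times = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        times[(src, dst, dport)].append(ts)
    hits = []
    for key, ts_list in times.items():
        if len(ts_list) < min_flows:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_cv:
            hits.append((key, round(period)))
    return sorted(hits)


if __name__ == "__main__":
    flows = constructed_flows()
    print("SMTP fan-out over threshold:", smtp_fanout(flows))
    print("beacon candidates:", beacon_candidates(flows))
```

Neither check looks at a byte of payload, which is why flow data can be kept for years where packet captures cannot; the price is that a hit only says "look here", not "this happened".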
Automated Response
  • Ongoing work
  • Local indicators fused to alert
  • Firewalls/IDS exchange intrusion information
    • IODEF standard
  • Dynamically alter firewall rules
  • Dynamically alter routing tables to reconfigure network
Layered Defenses

Source: Shawn Butler, Security Attribute Evaluation Method

(Diagram showing eight security goals, Goal 1 through Goal 8, against the layered defenses.)