Intrusion Prevention: What's Next - PowerPoint PPT Presentation

About This Presentation
Title: Intrusion Prevention: What's Next
Description: Blocking profile is on a per signature basis ... Detection is only as good as the signatures ... Frequency of signature updates: Daily / Weekly / Monthly ... (PowerPoint PPT presentation)
Provided by: searchsecu
Slides: 49

Transcript and Presenter's Notes



1
"Intrusion Prevention: What's Next?"
  • Running an Effective Intrusion Detection
    and Response Program
  • Presented by Scott Sidel, CISSP, Senior Security
    Manager, Computer Sciences Corporation

2
What is IDS/IPS/IDP?
  • IDS
    • Watches via a span port
  • IPS
    • Sits inline
  • IDP
    • Network-based Active Response
  • What IDS is NOT
    • It is not all seeing, all knowing

3
The Security Camera
[Diagram: IDS, Security Team Member, Firewall]

4
What IDS Can (and can't) Do
  • Provides information about inbound and outbound
    malicious network traffic
  • Helps to identify the source of the incoming
    probes or attacks
  • Collects forensic evidence, which could be used
    to identify intruders
  • Alerts security personnel that potentially
    unwelcome traffic has passed by it
  • Similar to a security camera placed at the door
    to an office building

5
An IDS Baseline
  • Perimeter
    • IDS sensor behind perimeter firewall
  • Remote Access
    • IDS on remote access network
  • NCCS
    • IDS sensor behind NCCS firewall
  • All sensors report to the IDS Manager
    • Tuned to provide more useful alerts

6
You Know What is Going On... Or Do You?
[Diagram: ???, ???]

7
IDS Placement
  • Perimeter
    • Behind the firewall
  • Outbound Alerts
    • If an internal host is exhibiting bad behavior,
      it is more likely something bad is happening
  • Interconnects
    • Smart Borders: division-to-division traffic, not
      just external to internal
    • If another division is hacked, protect yourself

8
IDS Placement: Network Architecture
  • Security Zones and Risk Levels
    • Public Servers
    • Desktop Servers
    • Development
    • Infrastructure Servers
    • Remote Access
  • Different Roles, Different Threats

9
Traffic Routed by Function - Virtual Sensors
[Diagram: virtual sensors divided by operational area]

10
IDS Placement (cont.)
  • Hosts
    • Most attacks have migrated from the network layer
      to the application layer

11
IDS Accuracy
  • A well organized network will reveal recognizable
    patterns of traffic
  • If you know that a machine is a mail server, you
    will not be surprised to see Simple Mail Transfer
    Protocol (SMTP) traffic going to and coming from
    it.
  • That traffic is acceptable even though the same
    behavior from another device on the network would
    be worrisome
  • When the network is not as well organized, it
    makes spotting recognizable patterns of traffic
    much harder

12
The Fundamental Problem of IDS
[Chart: Potential Problem; More Signal, More Value]

13
Skills Required to Interpret Alerts
  • IDS alerts may not be obvious bad behavior
    • What is acceptable traffic to/from one host may
      be unacceptable when going to/from another host
  • Log analysis
  • Familiarity with network topology
  • Familiarity with hosts' services

14
Understanding IDS Output
[Chart: Better Signal, Less Skill Required]

15
Sifting Multiple Events
[Diagram: a stream of events and alerts passes through the Operator Experience Filter before Operator Action]

16
Responding to Events
[Flowchart: Alert from IDS reaches Security Team Member; VALIDATE: legitimate? Y/N, if legitimate = YES then contact IP Division; CHECK: check system; RESPOND: action; COMMUNICATE: response; Firewall]

17
IDS Sample Alert
[Image: sample IDS alert]

18
After Hours Response
[Flowchart: Potentially Critical? No: Wait till AM; Yes: Investigate Further]

19
Why Isn't this Good Enough?
  • Response time
    • Milliseconds (single packet attacks)
  • Coverage
    • 40 hours versus 24x7

20
IDS is Dead, Long Live IPS
  • In 2003 Gartner Group caused something of a stir
    with its pronouncement that Intrusion Detection
    Systems (IDS) and their Intrusion Prevention
    Systems (IPS) offspring were a market failure --
    and in fact will be obsolete by the middle of the
    decade.
  • But does isolating the symptom -- IDS can be a
    challenge to manage -- mean that the technology
    is ineffective? In declaring IDS a failure
    because of manageability issues, is Gartner
    running the risk of missing the point altogether,
    and what does its proposed solution imply?
  • Gartner suggests that this technology -- "deep
    packet inspection" -- will move into firewalls in
    the coming years.
  • The problem is that most packet sniffing
    solutions -- whether an IDS, IPS or "deep packet
    inspection firewall" -- are context-free. They have
    no idea whether an attack is relevant.
  • Simply moving the packet inspection out to the
    firewall doesn't help this issue at all: the
    volume of false alarms will still be enormous,
    and the sensors will still be unaware of the
    larger IT ecosystem that they exist to protect.

21
Firewall vs. IDS
  • Firewall
    • The core purpose of a firewall is to allow or
      block network traffic based on how that traffic
      matches a policy the firewall has been given
    • Firewall needs to be able to make decisions about
      whether traffic is allowed through (or not), very
      quickly and predictably, then pass or drop
      packets as quickly as possible.
    • Firewall should not block traffic that the policy
      creator intended to allow.

22
Firewall vs. IDS (cont.)
  • IDS
    • The core purpose of a network IDS is to find
      attacks/intrusions/events-of-interest in the
      network traffic
    • The IDS must not misunderstand a protocol or
      assume that the protocol in use is the one
      normally used on that port for that host
    • The IDS must not decide if traffic is malicious
      or not without seeing all of it
    • IDS must buffer or allow a significant portion
      of traffic to pass before seeing that there is
      nothing malicious in the packets
    • An IDS must constantly recheck its conclusions
    • IDS must look for a match against a single packet
      and then look for matches against the entire
      stream
  • Firewall knows immediately to block or allow
  • IDS does not know if an event-of-interest is a
    threat to the specific host it is destined for

23
IPS: the Traffic Cop
[Diagram: Console, Security Team Member, IPS, Firewall]

24
IPS Behaviors
  • Data Link Layer Countermeasures
    • Shut down the switch port of the offending system
    • Set a timeout for return to service
    • Con: works only for internal systems

25
Behaviors (cont.)
  • Network Layer Countermeasures
    • Interact with firewall or router to block
      offending external IP address
    • Inline IPS could do same without talking to the
      firewall
    • Set a timeout for return to service

26
Behaviors (cont.)
  • Transport Layer Countermeasures
    • Generate a TCP RST packet to tear down the
      session
    • ICMP/UDP: send an error code response
  • Application Layer Countermeasures
    • Neutralize the attack (think anti-virus)

27
What IPS Can (and can't) Do
  • The true benefit of network IPS lies in what it
    can do for companies that can't keep their
    systems patched
  • Contain an ongoing attack before it propagates
  • Makes a decision if traffic should be stopped
  • May be able to stop unknown attacks
  • Not a tool for stopping elite crackers

28
Confidence Level in Signatures
[Diagram: Confidence In Signature alone: unknown (?); Confidence In Signature + Knowledge About Attempted Attack + Knowledge About Potential Target: confirmed (checked)]


29
Moving to Inline IPS: Baby Steps
  • In-Line Passive Mode: testing IPS devices within
    the environment
    • Profiling appliance behavior
    • Gain comfort level prior to enabling blocking
      mode
  • In-Line High Confidence Signature Blocking Mode:
    IPS devices configured using only signatures
    which we have high confidence in for in-line IPS
    blocking
    • Blocking profile is on a per-signature basis
  • In-Line Industry Best Practice Blocking Mode: IPS
    devices configured according to industry best
    practice guidelines for in-line IPS blocking
    • Blocking profile is on a per-signature basis
  • Block All Mode: for customers who want the maximum
    protection afforded by their IPS technologies

30
Active Response Do's and Don'ts
  • To mitigate the effects of an attack
    • Provide a minimal attack surface: Patch Management
    • Prevent the exploit packet from making it into
      the network in the first place
    • Firewall: try not to have lots of openings
    • IPS: attack packets must be able to be unambiguously
      identified
  • Caveat Emptor: False positives are commonplace,
    even from the most finely tuned IDS. It is
    impossible to avoid false positives when
    legitimate traffic can potentially contain some
    of the same characteristic signatures as
    malicious traffic. There is always the
    possibility that an active response system will
    block traffic that should be allowed through.
  • Whitelist traffic that should never be blocked
    • Specify a host (or network) that will be ignored
      even if IPS detects an attack originating from it

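The staged roll-out on the "Baby Steps" slide and the whitelist rule above, as an added example that is not part of the presentation: a policy function that decides, per alert, whether an inline IPS blocks or only alerts. The mode names, signature ids, confidence labels and addresses are constructed for illustration.

```python
# Added example (not from the presentation): block-or-alert decision for
# one inline IPS alert, following the staged modes passive -> high
# confidence -> best practice -> block all, with a whitelist of sources
# that are never blocked. All ids, labels and addresses are constructed.
import ipaddress

MODES = ("passive", "high_confidence", "best_practice", "block_all")

# Constructed per-signature blocking profile: our confidence in each
# signature, and whether industry best-practice guidance blocks on it.
SIGNATURE_PROFILE = {
    2001: {"confidence": "high",   "best_practice_block": True},
    2002: {"confidence": "medium", "best_practice_block": True},
    2003: {"confidence": "low",    "best_practice_block": False},
}

# Constructed whitelist: hosts/networks ignored even if an attack appears
# to originate from them (e.g. the vulnerability scanner, a partner link).
WHITELIST = [ipaddress.ip_network("10.1.5.0/24"),
             ipaddress.ip_network("192.0.2.7/32")]


def is_whitelisted(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in WHITELIST)


def decide(mode, sig_id, src):
    """Return 'block' or 'alert' for one alert under the given mode."""
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}")
    # Whitelisted traffic is never blocked, in any mode.
    if is_whitelisted(src):
        return "alert"
    profile = SIGNATURE_PROFILE.get(sig_id)
    if mode == "passive":
        return "alert"            # profiling only, blocking not enabled yet
    if mode == "block_all":
        return "block"            # maximum protection, false-positive risk accepted
    if profile is None:
        return "alert"            # no profile for this signature: never block on a guess
    if mode == "high_confidence":
        return "block" if profile["confidence"] == "high" else "alert"
    # best_practice: follow the per-signature best-practice flag
    return "block" if profile["best_practice_block"] else "alert"
```
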
31
Security Event Analysis
  • Aggregated IDS Event Management Console
    • Log Watching Tools
    • SIM/SEM
    • One Screen to Bind Them All
    • Correlation between vulnerability scans and IDS
      alerts
  • The Irreplaceable Human Element
    • Consider, Respond, Mitigate
    • Care, feeding, and constant tuning

32
Pity the IDS Administrator
  • No one can be expected to review logs for 8 hours
  • Needle-in-a-haystack
    • The one event among a thousand that keeps us
      awake at night
  • What if your onsite coverage is during business
    hours only?
    • The joy and curse of the BlackBerry

33
Alert Handling
  • Have a process in place for alerting the Systems
    Administrators of the target host
    • Email about potential security issue
    • A list of who is the POC for each subnet
  • Expected time to response
    • Policy
  • Resolution
    • Fixed
    • False Positive
    • Unfixable (but here's the mitigation)
    • Follow-up note on what was the issue and how/why
      it is no longer an issue
  • Metrics
    • Number of incidents requiring some type of
      investigation per week

34
The Seven Mistakes People Make
  • When Deploying IDS/IPS/IDP
  • AND HOW TO AVOID THEM (!)

35
Tilting the Threat Landscape in Your Favor
  • Tightly controlling what can get in and where
    • Security Zones vs. Flat Network
    • Default Deny-All at Perimeter
    • White list of Allowed Services
    • What is that in the fridge?
    • Review firewall rules every 6 months
  • Reducing the Attack Surface
    • Patch Management
    • Vulnerability
      • 0day (hype)
      • Missing patches (reality)

36
Minimizing Self-Inflicted Wounds
  • Inventory
    • You can only protect what you know about
    • What you don't know can hurt you
    • You need to know what you have and where it is
    • Deployment Checklist and Signoff Process
  • Change Control
    • Hosts tend to mutate after they are deployed
    • Change Control Board

37
Reducing Confusion in the Heat of Battle
  • Subnet architecture
    • Mixed host types are harder to sift
    • Keep public Unix servers on one subnet, desktops
      that are Windows on another
  • What is the target?
    • Does the attack attempted match the target?

38
Threat-based Analysis
  • IDS doesn't work in a vacuum
    • Good vulnerability assessment and remediation is
      a must
    • Nessus
  • Risk-based Analysis
    • Scan from outside to assess the highest level of
      risk (what everyone else can see)
    • Then scan inside the network

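The point made on the "Confidence Level in Signatures" slide (knowledge about the attack plus knowledge about the target), the "Security Event Analysis" and "Reducing Confusion" slides (correlate IDS alerts with vulnerability scans; does the attempted attack match the target?) and the threat-based analysis above, as an added example that is not part of the presentation: rating an alert against a host inventory and scan results. The inventory, scan findings, signature ids and addresses are constructed for illustration.

```python
# Added example (not from the presentation): rate an IDS alert by combining
# what the signature tells us about the attack with what inventory and a
# vulnerability scan tell us about the target. All data below is constructed.
from dataclasses import dataclass

# Constructed inventory: what we know about each potential target.
INVENTORY = {
    "10.1.1.10": {"os": "linux",   "services": {"smtp"}},   # mail server
    "10.1.1.20": {"os": "windows", "services": {"http"}},   # public web server
    "10.1.2.50": {"os": "windows", "services": set()},      # desktop
}
# Constructed results of a Nessus-style scan: open findings per host.
SCAN_FINDINGS = {"10.1.1.20": {"FINDING-IIS-OVERFLOW"}}
# Constructed signature metadata: which service, OS and scan finding each
# signature is relevant to.
SIGNATURES = {
    1001: {"name": "IIS buffer overflow", "service": "http", "os": "windows",
           "finding": "FINDING-IIS-OVERFLOW"},
    1002: {"name": "Sendmail exploit", "service": "smtp", "os": "linux",
           "finding": "FINDING-SENDMAIL"},
}


@dataclass
class Alert:
    sig_id: int
    src: str
    dst: str


def rate_alert(alert):
    """Return (priority, reason) for one alert."""
    sig = SIGNATURES.get(alert.sig_id)
    if sig is None:
        return ("review", "unknown signature, cannot judge relevance")
    # Outbound alert: an internal host behaving badly is likely compromised.
    if alert.src in INVENTORY:
        return ("critical", f"internal host {alert.src} is the source")
    host = INVENTORY.get(alert.dst)
    if host is None:
        return ("high", "target not in inventory: inventory gap, investigate")
    if sig["service"] not in host["services"]:
        return ("low", f"target does not run {sig['service']}")
    if sig["os"] != host["os"]:
        return ("low", "target OS does not match the signature")
    if sig["finding"] in SCAN_FINDINGS.get(alert.dst, set()):
        return ("critical", "scan shows target vulnerable to this attack")
    return ("medium", "service matches but no known vulnerability on target")
```
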
39
IPS Ups the Stakes
  • Potential Payoff: Instant Response
    • Improved response time through automation
  • Potential Liability: Potential false positives
    • Management does not like this
  • Pattern matching of payload data
    • Detection is only as good as the signatures
    • What is your level of trust in signatures used
      for blocking?
    • Broad rules may cover more instances, but may be
      less accurate
  • Anomaly Detection
    • Only in very highly structured networks
  • Bottom Line: Know your network

40
Some Questions to Keep in Mind Before You Deploy IPS
  • How often are new rules delivered by the vendor
    (or OSS community)?
  • Failover and fail-open
    • Example: IntruShield optical ports can first
      failover, then fail-open
  • If you have a range of IP addresses being acted
    upon, can you easily exempt individual hosts?
  • The law of unintended consequences
    • The case of strict TCP enforcement: the intention
      was to avoid half-open sessions
    • Unintended consequence: idle TCP sessions were
      killed with a RST packet

41
A Brief Look at Host-Based Defenses
  • Personal Firewall
  • Anti-Virus
  • TCP wrappers
  • And in the category of useful, but not Host
    IDS/IPS:
    • Host Integrity Monitoring
      • Samhain
      • http://la-samhna.de/samhain/index.html
    • Log Monitoring
      • LogWatch
      • http://www2.logwatch.org:8080/

42
Evasion
  • The Problem of Volume
    • Signal to Noise ratio
    • With so many script-kiddies attacking from
      everywhere, a real pro is a ghost
  • Low and Slow
    • Extending scan time delays
  • SSH sessions
    • Reduce the number of hosts allowing SSH
    • Restrict the IP addresses allowed to get to SSH
    • Use an SSL Proxy with strong authentication
    • Use one-time password tokens
  • Web Proxy
    • Another organization contacts you about an attack
      from your organization, but the address is your
      web proxy

43
Who is in the IPS Market
  • Vendor Offerings: A discussion
    • Strengths, Weaknesses and Hype

44
Business Requirements
  • Timely and effective detection and response to
    unauthorized traffic involving all systems
    controlled by your organization
  • Establish metrics that equal improvement
  • Frequency of signature updates: Daily / Weekly /
    Monthly
  • Role-based access control for multiple
    administrators/users
  • Alerting
  • Reporting
  • Ability to correlate IDS alerts with actual
    vulnerabilities on target

45
Technical Requirements
46
Technical Requirements (cont.)
  • HA: Dual-Power Supplies
  • HA: Stateful failover between devices
  • HA: Shared VIP/MAC
  • HA: Active-Active or Active-Passive Stateful
    Redundancy
  • HA: Fails open and falls back to L2 in the event
    of catastrophic failure
  • HA support: Active/Passive Redundant interfaces,
    Configuration synchronization, Session
    synchronization for firewall and VPN, Session
    failover for routing change, failure detection,
    Link failure detection, Authentication for new HA
    members, Encryption of HA traffic
  • Packet flow analysis: 1000 match cases allowed
    (or higher) per filter
  • Packet flow analysis: 100 filters (or higher) can
    be chained in parallel
  • Command Line Interface management supported via
    SSH 2
  • Secure web UI supported (client software not
    required to manage / monitor)

47
Technical Requirements (cont.)
  • Virtual Router Redundancy Protocol (VRRP), Open
    Shortest Path First (OSPF), and Cisco Hot Standby
    Router Protocol (HSRP) are passed transparently
    when inline
  • Provides support for anti-evasion eliminating
    malformed or illegal packets, performs TCP
    reassembly and IP defragmentation
  • 250,000 concurrent sessions
  • 10,000 policies
  • Port address translation
  • Policy-based NAT
  • VLAN aware (up to 250 supported)
  • Attack Detection Mechanisms: Stateful
    Signatures, Traffic Anomaly Detection, Protocol
    Anomaly Detection (Zero-day coverage)
  • Attack Responses: Drop Connection, Close
    Connection, Session Packet Log, Session Summary,
    E-mail, Custom, Log
  • Attack Notification: Session Packet Log, Session
    Summary, E-mail, SNMP, Syslog
  • Authentication via RADIUS, RSA SecurID, and LDAP

48
Where Do We Go From Here?
  • Know what resources need to be protected
  • Know where those resources are
  • Know what you are protecting against
  • Know what your business needs and constraints are
  • Hire (and keep) competent staff
  • Technology can not (yet) replace human judgment