Intrusion Prevention Web Seminar - PowerPoint PPT Presentation

Provided by: rpete
1
Intrusion Prevention Web Seminar
  • Scott Lukes, VP of Marketing and Product
    Management
  • Rob Peterson, Director of Product Management

2
"...the underground market for stolen information,
a surging white-collar crime affects as many as
10 million Americans at a price tag of 55B"
(Wall Street Journal, July 2005)
"Sven Jaschan, 19, was found guilty of computer
sabotage and illegally altering data; he was
given a suspended sentence of one year and nine
months" (USA Today, July 2005)
3
Modern Network Security Threats
  • Being driven primarily by:
      • Increasing complexity and distribution of
        networks
      • Increasing sophistication of applications
      • Financial incentives motivating criminal behavior

4
The Result: A New Universe of Dynamic Threats
[Chart: level of sophistication of network-based threats over time (1995, 2000, 2005, 2010). Labels: Hacking, Port Scans, Session Hijacking, Zombies, DoS/DDoS Attacks]
5
Firewall Basics: Stateful versus Deep Inspection
  • Stateful Packet Inspection looks only at headers
  • Equivalent to Post Office examining To/From, and
    the package type (envelope, tube, box)
  • Good for preventing unauthorized users and
    service types

[Diagram: header layers of an Ethernet frame: Ethernet, Internet Protocol (IP), Transmission Control Protocol (TCP), and the application layer: email (SMTP, POP3, IMAP), web (HTTP/S), file transfer (FTP, Gopher), newsgroups, host sessions, directory services]
6
Why Do You Need IPS?
  • IPS uses Deep Packet Inspection to check Internet
    traffic for possible intrusions that a
    traditional firewall would treat as normal
    traffic.
  • It can also enforce company acceptable use
    policies for IM and P2P use.

7
IPS Attacks 5-10 Years Ago: The Smurf Attack
[Diagram labels: Attack Source, Internet, ICMP Packets Sent, Router, Target, Servers, Corporate Desktop Network, OFFLINE!]
8
IPS 5-10 Years Ago
  • Many of us recall a series of DoS attacks that
    crippled huge sites in February of 2000,
    including Yahoo, eBay, Amazon and CNN
  • At the time it was deemed one of the most
    difficult problems to solve, but it is now
    regarded as a simple type of attack
  • MOST BUSINESS-CLASS FIREWALLS PROTECT AGAINST DoS
    ATTACKS BY DEFAULT

9
Modern-day IPS Attacks: The Sasser Worm
[Diagram: Attack Source, Router, Target Network, Corporate Desktop Network. Step labels, in the order they were extracted from the slide:]
  • A new PC is found and infected
  • CMD.ftp downloads AVserve2.exe on 9996
  • Portscan on 445 for LSASS
  • Newly infected PC performs random portscans on
    5554 for LSASS
  • Buffer overflow attack on LSASS.exe
10
IPS Attacks Today
  • Effects of Sasser?
      • 75,000 clients infected in 18B in damage
  • Other examples
      • SQL Slammer, Outlook Overflow, Zotob
  • Into the future
      • Continued exploit of application-layer
        vulnerabilities
          • Microsoft OS updates
          • Microsoft IE updates (and yes, even Mozilla
            Firefox)
          • Outlook/Exchange servers
          • SQL, MySQL, postgres and other databases
      • Increased polymorphism and speed-to-infection

11
Why is Intrusion Prevention Mandatory?
  • The Internet is used every day for business
    transactions, communication and research
  • Attackers are turning to vulnerabilities in
    Internet enabled applications to gain
    unauthorized access
  • These applications must be enabled to use the
    Internet but absolutely need to be protected:
      • Web browsers and web servers
      • Email servers and clients
      • VPN and remote access tools
      • Other Internet enabled apps
  • A traditional firewall does not protect your
    network because it is designed to either block
    or allow access to applications altogether

12
Securing Valid Connections to the Internet
  • Go to the Action Profiles menu. Select the Mail
    Server Attacks Action Profile
  • Your mail server obviously needs to be connected
    to the Internet in order to send and receive
    email. These attacks are designed to attack or
    compromise a mail server so that the hacker can
    crash or even take control of the server.

13
Enforce Acceptable Use Policies
  • Are you okay with users downloading and sharing
    music and other files with Peer to Peer (P2P)
    programs like KaZaa and Limewire?
  • How about Instant Messenger (IM) traffic like
    AIM, MSN Messenger and ICQ?
  • These types of programs are designed to evade
    traditional firewalls, often by disguising the
    traffic as normal, acceptable Internet traffic
    such as web browsing. IPS protection is
    mandatory to detect and stop P2P and IM traffic.
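
The difference between header-only filtering (slide 5) and deep packet inspection (slide 6), applied to the P2P-on-port-80 case above, as an added example that is not part of the original presentation or of eSoft's product. The packets are constructed, the allow list and signature names are assumptions, connection-state tracking is left out, and a single Gnutella handshake prefix stands in for a real signature set.

```python
import re

# Constructed sample traffic (not captured data): header fields plus payload bytes.
PACKETS = [
    {"proto": "tcp", "dst_port": 80, "payload": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"},
    {"proto": "tcp", "dst_port": 80, "payload": b"GNUTELLA CONNECT/0.6\r\nUser-Agent: LimeWire\r\n\r\n"},
    {"proto": "tcp", "dst_port": 25, "payload": b"EHLO mail.example.com\r\n"},
    {"proto": "tcp", "dst_port": 445, "payload": b"\x00\x00\x00\x2f\xffSMB"},
]

ALLOWED_SERVICES = {("tcp", 80), ("tcp", 25)}  # assumed firewall policy

# Assumed policy signature: an application handshake the acceptable use policy forbids.
POLICY_SIGNATURES = {"p2p-gnutella": re.compile(rb"^GNUTELLA CONNECT/")}

# What the first bytes of a client conversation should look like on each allowed port.
EXPECTED_PROTOCOL = {
    80: re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n"),
    25: re.compile(rb"^(EHLO|HELO) \S+\r\n"),
}

def header_verdict(pkt):
    """Header-only decision: protocol and destination port, nothing else."""
    return "allow" if (pkt["proto"], pkt["dst_port"]) in ALLOWED_SERVICES else "block:service"

def deep_verdict(pkt):
    """Header decision first, then payload checks on traffic the header rule allowed."""
    verdict = header_verdict(pkt)
    if verdict != "allow":
        return verdict
    for name, sig in POLICY_SIGNATURES.items():
        if sig.search(pkt["payload"]):
            return "block:" + name
    if not EXPECTED_PROTOCOL[pkt["dst_port"]].search(pkt["payload"]):
        return "block:protocol-mismatch"
    return "allow"

def compare(packets):
    """Return (header verdict, deep verdict) for each packet."""
    return [(header_verdict(p), deep_verdict(p)) for p in packets]

if __name__ == "__main__":
    for pkt, (h, d) in zip(PACKETS, compare(PACKETS)):
        print(pkt["dst_port"], h, d)
```

The second packet is the one to look at: the header rule allows it because it targets port 80, while the payload check blocks it as a P2P handshake.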

14
How do you know it is working?
  • ThreatMonitor
  • Alert Viewer
  • Email Alerts

15
Simple IPS Demo
  • Go to Intrusion Prevention - Action Profiles to
    turn on an email alert option. Select High
    Priority Alerts and enter an email address. This
    can even be an email address of a cell phone for
    a text message alert.
  • Now go to the eSoft Test Alert URL
  • http://scm.esoft.com/ips.html
  • Receive an alert within a few minutes
  • For more documentation on this demo, visit
    www.esoft.com, and visit the IPS SoftPak Page!

16
Summary
  • IPS IS today's firewall.
  • Modern-day attacks are not randomly looking for
    open networks.
  • Today's hackers attack applications that are open
    to the Internet, such as email and web servers, or
    infect clients that they can lure to
    infected web pages and downloads.

17
Core Security Technology for Modern Threats
Intrusion Prevention (IPS): Includes technologies
to protect the network and users from network and
application-layer threats. This is MANDATORY
technology. IPS is a core technology that is
mandatory to provide protection for network,
email, and web based security threats.
18
eSoft Intrusion Prevention SoftPak
  • Recently earned top ranking from SC Magazine in
    May, 2006 shootout!
  • Beating Nortel, SourceFire and Fortinet

19
Intrusion Prevention Features
  • Quick tuning from a single configuration page for
    fast setup
  • Block worms, Trojans, buffer overflows, backdoor
    exploits, and code injections
  • Policy controls to block IM and P2P applications
  • Broad Operating System and Application support
  • Training features to eliminate false positives
  • Action profiles that automatically classify new
    rules
  • Graphical statistics and reports

20
Intrusion Prevention Features (continued)
  • Inbound/outbound scanning
  • Dynamic blocking of application-based attacks
  • Automatically updated signature database
  • Zero day updates
  • Granular control of signatures and actions
  • Preview changes to an Action Profile
  • Detailed threat analysis information
  • Real-time logging and reporting
  • Email alerts

21
Intrusion Prevention Amazon Promotion
Special Gift!
  • As a part of IPS Awareness Month, eSoft is
    offering a free Amazon.com gift card (up to 350)
    for IPS SoftPaks purchased before June 30, 2006!
  • For more details, visit

http://www.esoft.com/sales/programs_promotions.cfm

22
Try Intrusion Prevention Risk-Free
  • eSoft invites you to download a full copy of our
    popular IPS SoftPak for a FREE 30-day period on
    either the ThreatWall or InstaGate platform.
    Installing IPS on an eSoft appliance is a simple
    process.
  • To install the IPS SoftPak:
      1. Go to the SoftPak Catalog page on your device
         GUI
      2. Select the IPS SoftPak drop-down box, and
         enter the code IPSAWARE
      3. Once IPS is installed, activate by navigating
         to the IPS sub-page
  • For more details on the IPS SoftPak, visit
    http://www.esoft.com/products/softpak_ips.cfm



23
Congratulations, you've earned your shirt!
  • Please visit the link below, fill out the survey,
    and we will send your clothing item that will
    most certainly stir up the fashion circles in
    your local area :)

http://www.esoft.com/ips