Network Management - PowerPoint PPT Presentation

Description: The Security Wheel: Defense In-Depth. Effective network security requires ... Fish Bowl or Honeypot -- Learn and record a hacker's knowledge of your network ... – PowerPoint PPT presentation

Slides: 35
Provided by: jorg154

Transcript and Presenter's Notes

1
NetRanger Intrusion Detection System
Marek Makowski
mmakowsk_at_cisco.com
2
The Security Wheel: Defense In-Depth
Effective network security requires defense
in-depth, multiple capabilities - a combination
of framework/process, technology, and
expertise/ongoing operations

1) Corporate Security Policy
2) SECURE
  • ID/Authentication
  • Encryption/VPN
  • Firewalls
  • Security Design Implementation/Integration
3) MONITOR
  • Real-Time Intrusion Detection/Response
  • 7x24 Monitoring
4) AUDIT/TEST
  • Vulnerability Scanning/Analysis
  • Security Posture Assessment
  • Risk Assessment
5) MANAGE/IMPROVE
  • Centralized Policy/Configuration Management
  • Trend Analysis
  • Management Reports
  • Incident Response
  • Policy Development
  • Review

3
Why Active Audit?
  • The hacker might be an employee or trusted partner
    • Up to 80% of security breaches are from insiders -- FBI
  • Your defense might be ineffective
    • One in every three intrusions occurs where a firewall is in place -- Computer Security Institute
  • Your employees might make mistakes
    • Misconfigured firewalls, modems, old passwords, etc.
  • Your network will grow and change
    • Each change is a security risk
  • Firewalls, authorization, encryption do not provide visibility into these problems

4
Active Audit -- Goal: Visibility
  • NetRanger Intrusion Detection System
  • Monitors user behaviors while on the network
  • Similar to the guards, video cameras and motion
    detectors that help secure bank vaults

5
NetRanger Overview
  • Real-Time Intrusion Detection and Response
  • Finds and stops unauthorized activity occurring
    on the network --- reactive appliance
  • Network motion sensor, video camera, and
    security guard
  • Industry-leading technology
  • Scalable, distributed operation
  • High performance (100 Mbps Ethernet, FDDI, Token Ring)
  • On-the-fly re-configuration of Cisco Router
    ACLs to shun intruders

6
NetRanger Architecture
NetRanger Director (software)
  • Alarm Handling
  • Configuration Control
  • Signature Control
Comm (Director-to-Sensor communication)
Sensor
  • Detection
  • Alarm Generation
  • Response
  • Countermeasures

7
Sensor Appliance
8
Sensor Front Panel
9
Sensor Back Panel (Monitoring NIC, Command NIC)
10
Attack Signature Detection
  • Scans packet header and payload
  • Single and multiple packet attacks
  • Three-tier attack detection
    • 1. Named attacks (Smurf, PHF)
    • 2. General category (IP fragments)
    • 3. Extraordinary (TCP hijacking, e-mail spam)
  • Customer-defined signatures
    • String matching (words)
    • Quickly defend against new attacks
    • Scan for unique misuse

11
Sensor: Detect Intrusions
Signatures are classified on two axes: Context (header) vs. Content (data), and Atomic (single packet) vs. Composite (multiple packets).
  • Context (header): Port Sweep, SYN Attack, TCP Hijacking, Ping of Death, Land Attack
  • Content (data): Telnet Attacks, Character Mode Attacks, MS IE Attack, DNS Attacks
  • Atomic: single packet
  • Composite: multiple packets
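As an added example (not code from the NetRanger slides or from Cisco), a miniature signature engine in Python that mirrors the two axes above, Context (header) vs. Content (data) and Atomic (single packet) vs. Composite (multiple packets), run over constructed packet records; the record fields, the sweep threshold and the PHF string signature are this example's own assumptions.

```python
from collections import defaultdict
PACKETS = [  # constructed records (not real captures); "len" is the IP total length
    # Land attack shape: source equals destination, same port (header only).
    {"src": "10.0.0.5", "dst": "10.0.0.5", "sport": 139, "dport": 139,
     "proto": "tcp", "len": 60, "payload": b""},
    # Ping of Death shape: an ICMP datagram reassembling past the 65535-byte limit.
    {"src": "10.0.0.9", "dst": "10.0.0.20", "sport": 0, "dport": 0,
     "proto": "icmp", "len": 65600, "payload": b""},
    # Content signature: a string the customer told the sensor to watch for.
    {"src": "10.0.0.7", "dst": "10.0.0.20", "sport": 40001, "dport": 80,
     "proto": "tcp", "len": 300, "payload": b"GET /cgi-bin/phf HTTP/1.0\r\n"},
] + [  # One source touching six ports on one host: composite (port sweep).
    {"src": "10.0.0.8", "dst": "10.0.0.20", "sport": 50000 + p, "dport": p,
     "proto": "tcp", "len": 60, "payload": b""} for p in range(20, 26)]

# Customer-defined signatures: plain string matching on the payload (assumed).
STRING_SIGS = {"PHF CGI probe": b"/cgi-bin/phf"}
SWEEP_THRESHOLD = 5  # distinct destination ports from one source before alarming

def atomic_context(pkt):
    """Atomic + Context: header checks that need only one packet."""
    if pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"]:
        return "Land Attack"
    if pkt["proto"] == "icmp" and pkt["len"] > 65535:
        return "Ping of Death"
    return None

def atomic_content(pkt):
    """Atomic + Content: look for customer-defined strings in the payload."""
    for name, needle in STRING_SIGS.items():
        if needle in pkt["payload"]:
            return name
    return None

def detect(packets, threshold=SWEEP_THRESHOLD):
    """Return alarm events as (signature, source, destination) tuples."""
    alarms = []
    ports_seen = defaultdict(set)  # composite state: (src, dst) -> ports touched
    for pkt in packets:
        for check in (atomic_context, atomic_content):
            name = check(pkt)
            if name:
                alarms.append((name, pkt["src"], pkt["dst"]))
        if pkt["proto"] == "tcp":  # Composite + Context: count ports per pair
            key = (pkt["src"], pkt["dst"])
            ports_seen[key].add(pkt["dport"])
            if len(ports_seen[key]) == threshold:  # fire once, at the threshold
                alarms.append(("Port Sweep", pkt["src"], pkt["dst"]))
    return alarms
```

The composite check keeps per-pair state between packets, which is what separates it from the atomic checks that look at one packet in isolation.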
12
Sensor: Event Logging
Events are logged for three different activities:
  • Alarms -- when a signature is detected (e.g. Ping Sweep)
  • Errors -- when an error is detected (e.g. Lost Communications between Director and Sensor)
  • Commands -- when a user executes a command on the Director or Sensor (e.g. Shun Attacking Host)
13
Sensor: Attack Response
Session Termination and Shunning
  • Session Termination -- the Sensor kills the current (active) session, e.g. an attacker's TCP hijack
  • Shunning -- the Sensor reconfigures a network device (router) to deny the attacker access
14
Sensor: Session Logging
  • Capture evidence (keystrokes) of suspicious or criminal activity
  • Fish Bowl or Honeypot -- learn and record a hacker's knowledge of your network

Diagram: Attacker -> Attack -> Sensor -> Session Log, in front of the Protected Network
15
NetRanger Deployment
Diagram labels: Corporate Network, Cisco Secure Server, IOS Firewall Cisco Router, Engineering, Finance, NR/NS, WWW Server, Admin, DNS Server, Cisco Router, Remote Security Monitoring, NetRanger Director, Dial-Up Access, Business Partner
16
NetRanger Director
  • Geographically oriented GUI
    • Operations-friendly HP OpenView GUI
    • Color icon alarm notification
    • Quickly pinpoint, analyze and respond
    • Maintain security operations consistency
  • Network Security Database
    • Attack info, hotlinks, countermeasures
    • Customizable
  • Monitor hundreds of Sensors per NOC

17
Software Requirements
  • Operating Systems: Solaris 2.5.1 or 2.6, HP-UX 10.20
  • HP OpenView 4.11, 5.01, 6.0
  • Web browser (for NSDB)
18
Hardware Requirements
  • Sun SPARC platform with:
    • NetRanger install partition /usr/nr (50 MB)
    • NetRanger log partition /usr/nr/var (2 GB)
    • HP OpenView install partition /opt (110 MB)
    • Java run-time environment /opt (12 MB)
    • System RAM 96 MB

19
Hardware Requirements (cont.)
  • HP-UX platform with:
    • NetRanger install partition /usr/nr (50 MB)
    • NetRanger log partition /usr/nr/var (2 GB)
    • HP OpenView install partition /opt (65 MB)
    • Java run-time environment /opt (10 MB)
    • System RAM 96 MB

20
Director - Distributed Management
  • Director Tier 1: Enterprise Strategic Management
  • Director Tier 2: Regional Operational Management
  • Director Tier 3: Local Network Security Management
21
Alarm Display and Management
22
Configuration Management
23
Network Security Database
  • On-line reference tool
  • Contains:
    • Descriptions
    • Recommendations and fixes
    • Severity ratings
    • Hyperlinks to external information/patches

24
E-mail and Script Execution
  • E-mail Notification: sends notification to an e-mail recipient or pager.
  • Custom Script Execution: starts any user-defined script.
25
The Security Wheel: Defense In-Depth (this slide repeats slide 2)
26
What comprises Active Audit?
  • NetSonar (proactive)
    • Vulnerability scanning
    • Network mapping
    • Measure exposure
    • Security expertise
  • NetRanger (reactive)
    • Real-time analysis
    • Intrusion detection
    • Dynamic response
    • Assurance
27
NetSonar Security Scanner: Proactive Security
28
Active Audit: Network Vulnerability Assessment
  • Assess and report on the security status of
    network components
  • Scanning (active, passive), vulnerability
    database
  • NetSonar

29
NetSonar Overview
  • Vulnerability scanning and network mapping system
  • Identifies and analyzes security vulnerabilities
    in ever-changing networks -- proactive software
  • Industry-leading technology
  • Network mapping
  • Host and device identification
  • Flexible reporting
  • Scheduled scanning

30
Network Discovery Process
  • Network Mapping
    • Identify live hosts
    • Identify services on hosts
  • Vulnerability Scanning
    • Analyze discovery data for potential vulnerabilities
    • Confirm vulnerabilities on targeted hosts

31
Network Mapping Tool
  • Uses multiple techniques
    • Ping sweeps - electronic map
    • Port sweeps - service discovery
  • Unique discovery features
    • Detects workstations, routers, firewalls, servers, switches, printers, and modem banks
    • Detects operating systems and version numbers
    • Does not require SNMP

32
Vulnerability Assessment Engine
  • Potential Vulnerability Engine -- passive
    • Compares network discovery data to rules to reveal potential vulnerabilities
  • Confirmed Vulnerability Engine -- active
    • Uses well-known exploitation techniques to fully confirm each suspected vulnerability and to identify vulnerabilities not detected during passive mapping

33
How NetSonar Works
  • Ping sweep - identify hosts
  • Port sweeps - identify services
  • Discovery data analyzed by rules
  • Exploits executed against target hosts (e.g. FTP bounce exploit)
  • Communicate results

Diagram labels: Router, Email Svr, Web Svr, Firewall, Workstation (active/inactive); services shown: SMTP, FTP, HTTP, Telnet; findings shown: Windows NT v4.0, SMB Redbutton, Anonymous FTP
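The passive "potential vulnerability" step of slides 30 to 33, as an added Python example (not NetSonar's own code): constructed discovery records are compared against a rule table, and each finding is then reported as potential or confirmed according to a constructed outcome of the active engine. All hosts, rule conditions and outcomes are this example's assumptions; only the finding names come from the slides.

```python
# Constructed discovery data: what the ping sweep and port sweeps would yield.
DISCOVERY = [
    {"host": "192.0.2.10", "os": "Windows NT 4.0", "services": {21: "ftp", 139: "smb"}},
    {"host": "192.0.2.20", "os": "Solaris 2.6", "services": {25: "smtp", 21: "ftp"}},
    {"host": "192.0.2.30", "os": "Cisco IOS", "services": {23: "telnet"}},
]

# Small predicate builders so rules read like the discovery data they inspect.
def has(service):
    return lambda h: service in h["services"].values()

def os_is(prefix):
    return lambda h: h["os"].startswith(prefix)

def all_of(*preds):
    return lambda h: all(p(h) for p in preds)

# Rule table: (finding name, predicate over one host's discovery record).
# Names are the slide's examples; the conditions are this example's own assumptions.
RULES = [
    ("SMB RedButton", all_of(os_is("Windows NT 4.0"), has("smb"))),
    ("Anonymous FTP", has("ftp")),
    ("FTP bounce", has("ftp")),
]

def potential_vulnerabilities(discovery, rules=RULES):
    """Passive engine: nothing is sent to the hosts, only records are compared."""
    findings = {}
    for host in discovery:
        hits = [name for name, pred in rules if pred(host)]
        if hits:
            findings[host["host"]] = hits
    return findings

# Constructed outcome of the active engine: which (host, finding) pairs it verified.
CONFIRMED = {("192.0.2.10", "Anonymous FTP")}

def communicate_results(potential, confirmed=CONFIRMED):
    """Communicate results: each finding is reported as confirmed or still potential."""
    return {host: {name: ("confirmed" if (host, name) in confirmed else "potential")
                   for name in names}
            for host, names in potential.items()}
```

Hosts with no rule hits (the router here) drop out of the report entirely, which is why the passive pass narrows what the active engine has to confirm.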