Topic:Understanding Network Security

About This Presentation

Title:

Topic:Understanding Network Security

Description:

A malicious piece of code installed by a hacker on the victim's machine ... It is possible to insert malicious code (script) without the knowledge of the ... – PowerPoint PPT presentation

Number of Views:43

Avg rating:3.0/5.0

Slides: 53

Provided by: wba4

Category:

more less

Transcript and Presenter's Notes

Title: Topic:Understanding Network Security

1
Introduction

Topic Understanding Network Security
How Internet Protocols operate
How attacks (exploits) take advantage of
vulnerabilities
Defenses Firewalls
Defenses Intrusion Detection and Prevention
Speakers Vik Phatak Bob Scipioni
CTO, Lucid Security VP RD, Lucid Security

124 South Maple Street, 2nd Floor Ambler, PA
19002 voice 1.215.371.3300 fax
1.215.371.1753 web http//www.lucidsecurity.com
2
Foundation Internet Communications

The OSI (Open System Interconnection) model
Developed in the early 80s by the International
Organization for Standardization (ISO)
Standardizes the communication process
Each layer
Handles a specific function in the communication
process
Is Independent Changes to one layer does not
necessitate
changes to the other layers
The OSI model is a good tool
For studying the network processes
and the protocols associated with each layer
Problems with the OSI model
Vague regarding the exact details for
implementations

124 South Maple Street, 2nd Floor Ambler, PA
19002 voice 1.215.371.3300 fax
1.215.371.1753 web http//www.lucidsecurity.com
3
Foundation Internet Communications

The TCP/IP (Transmission Control
Protocol/Internet Protocol) model
Application Layer
Layer through which a user interacts with the
network
Consists of various applications (ftp, http,
telnet, etc.)
Converts the information into a data stream
and sends it to the transport layer
Transport Layer
Uses one of the two protocols (TCP and UDP)
Breaks the stream into pieces
and adds a header to each of the pieces forming
a Segment
TCP Connection Oriented Uses handshaking
signals
To ensure that the other host is ready for
communication
and that the packet has reached its destination
UDP Not Connection Oriented Forwards segments

124 South Maple Street, 2nd Floor Ambler, PA
19002 voice 1.215.371.3300 fax
1.215.371.1753 web http//www.lucidsecurity.com
4
Foundation Internet Communications

The TCP/IP (Transmission Control
Protocol/Internet Protocol) model
Internet Layer
Also known as the network layer
Internet Protocol (IP) is the primary protocol
Internet Control Message Protocol (ICMP) is used
to relay error messages
Main Function is to break the segments into
smaller packets called datagrams
To be handled by the network access layer
Then encapsulates the datagram with a header
Internet Protocol (IP) Not Connection Oriented
Forwards Datagrams
Connectionless
Does not ensure the receiving host is ready for
communication
Does not have any error detection/correction
facility
Does not guarantee the receipt of the datagram(s)
Always a possibility that a datagram is lost or
corrupted during transmission

124 South Maple Street, 2nd Floor Ambler, PA
19002 voice 1.215.371.3300 fax
1.215.371.1753 web http//www.lucidsecurity.com
5
Foundation Internet Communications

The TCP/IP (Transmission Control
Protocol/Internet Protocol) model
Network Access Layer
Also known as the link layer
Mainly consists of network interfaces, device
drivers
and other physical media
Address Resolution Protocol (ARP) is the primary
protocol
Converts IP Addresses into MAC Addresses
and vice versa
Sends and receives datagrams
in the form of frames to the wire

124 South Maple Street, 2nd Floor Ambler, PA
19002 voice 1.215.371.3300 fax
1.215.371.1753 web http//www.lucidsecurity.com
6
Foundation Internet Communications

How it fits together

124 South Maple Street, 2nd Floor Ambler, PA
19002 voice 1.215.371.3300 fax
1.215.371.1753 web http//www.lucidsecurity.com
7
Foundation Internet Communications

TCP Header - Detail
Source Port and Destination Port 16 bits
Sequence Number and
Acknowledgement number 32 bits
Facilitates the reassembly of packets at the
receiving end
Enables the TCP stack at both ends to determine
whether
or not all the packets have been received
Enables request for retransmission
by sending a negative acknowledgement.
Only the missing packet will be retransmitted
Data Offset 4 bits
Indicates the number of 32-bit words in the TCP
header.
Indicates the beginning of the data section
Reserved Reserved for future use
Flags 1 bit each. These are used as control and
error detection and correction mechanisms
URG indicates that the Urgent Pointer sent in
the packet is valid
ACK indicates that the ACK number sent in the
packet is valid

124 South Maple Street, 2nd Floor Ambler, PA
19002 voice 1.215.371.3300 fax
1.215.371.1753 web http//www.lucidsecurity.com
8
Foundation Internet Communications

TCP Header - Detail
Window Size 16 bits
Indicates to the receiver the maximum size of the
data
that the sender can receive
Checksum 16 bits
Used for error detection
Does not perform error correction
Sum of all the bytes in the TCP header
including the data bytes
Urgent Pointer 16-bit
Indicates a number which is a positive offset
from the
sequence number for this particular segment
If the URG flag is set then this field points to
the sequence
number of the last byte in a sequence of urgent
data
Options Variable length
All options are included in the checksum
It has two formats

124 South Maple Street, 2nd Floor Ambler, PA
19002 voice 1.215.371.3300 fax
1.215.371.1753 web http//www.lucidsecurity.com
9
Foundation Internet Communications

IP Header - Detail
Version 4-bits the current version of IP
IHL 4-bits
IP Header Length
Specifies the number of 32-bit words
forming the header
Minimum value for a valid header is 5
TOS 8-bit
Specifies the type of service
Utilized by networks to define how the datagrams
are to be handled during their transport
00000000 indicates a routine transfer
00100000 indicates a priority transfer
Total Length 16-bits
Indicates the size of the datagram,
including the header and the data
Identification 16-bits

124 South Maple Street, 2nd Floor Ambler, PA
19002 voice 1.215.371.3300 fax
1.215.371.1753 web http//www.lucidsecurity.com
10
Foundation Internet Communications

IP Header - Detail
Flags 3-bits
One of the bits is reserved
The other 2 bits are used to indicate
whether or not the packet is to be fragmented
Fragment Offset 13-bits
Identifies where each of the fragments
belong at the time of reassembly
Time-To-Live 8-bits
Indicates the lifetime of a datagram
Every time this datagram is forwarded
(by a router) it decrements this counter
Datagram is discarded when the counter
reaches zero
Ensures that the datagram does not loop
in the network forever
Protocol 8-bits

124 South Maple Street, 2nd Floor Ambler, PA
19002 voice 1.215.371.3300 fax
1.215.371.1753 web http//www.lucidsecurity.com
11
Foundation Internet Communications

IP Header - Detail
Header Checksum 32 bits
Based on the sum of all 16-bit words
in the header
Used for detecting errors
Must be recomputed at every hop
since TTL changes
Source Address 32-bits
IP Address of the sender
Destination Address 32-bits
IP Address of the receiver
Options Variable length
A single octet of option kind
Three octets
option kind
option length
option data

124 South Maple Street, 2nd Floor Ambler, PA
19002 voice 1.215.371.3300 fax
1.215.371.1753 web http//www.lucidsecurity.com
12
Foundation Internet Communications

How it fits together

124 South Maple Street, 2nd Floor Ambler, PA
19002 voice 1.215.371.3300 fax
1.215.371.1753 web http//www.lucidsecurity.com
13
Foundation Internet Communications

How it fits together IP TCP

124 South Maple Street, 2nd Floor Ambler, PA
19002 voice 1.215.371.3300 fax
1.215.371.1753 web http//www.lucidsecurity.com
14
Foundation Internet Communications

TCP/IP Communications
Initiating a connection
Computer A sends to Computer B a segment
with the SYN flag set
and an Initial Sequence Number (ISN A)
Computer B responds to Computer A
with a segment that has both SYN and ACK flag
bits set
and informs A which SQN it will start with (ISN
B)
Computer A sends Computer B the last segment
with the ACK bit set
before transmitting the actual data
The Acknowledgement number Computer A sends is
actually
Computer Bs sequence number 1 and is used to
indicate
the successful receipt of the last sent segment
Closing the connection

124 South Maple Street, 2nd Floor Ambler, PA
19002 voice 1.215.371.3300 fax
1.215.371.1753 web http//www.lucidsecurity.com
15
Attacks

Network Attacks 2 broad categories
Network and transport layer attacks
Application Layer attacks.
Network and Transport Layer Attacks
These attacks exploit basic flaws in the TCP/IP
protocol suite
(the compartmentalization of information between
TCP IP)
IP contains Source/Destination IP Address
TCP contains Source/Destination Port Sequence
Number

124 South Maple Street, 2nd Floor Ambler, PA
19002 voice 1.215.371.3300 fax
1.215.371.1753 web http//www.lucidsecurity.com
16
Attacks

Network and transport layer attacks SYN Flood
Step 1
Attacker (A) begins initiating communication with
SYN
Victim Server (B) responds with a SYNC/ACK
Attacker (A) refuses to send the ACK signal to
the victim server (B)
Step 2
Attacker (A) sends another SYN signal to the
victim server (B)
The victim server (B) again acknowledges it
with a SYN/ACK
and Attacker (A) again refuses to send the
final ACK signal
Goal Overflow the data structure of the host
server
Data structure keeps records of connections

124 South Maple Street, 2nd Floor Ambler, PA
19002 voice 1.215.371.3300 fax
1.215.371.1753 web http//www.lucidsecurity.com
17
Attacks

Network and transport layer attacks Blind
Non-Blind Spoofing
How it works
Attacker (A) crashes Victim (B) through SYN
flooding
Attacker (A) uses the IP address of server (B) to
talk to Target (C)
Attacker (A) must predict the proper TCP Sequence
Number
Since Target (C) is looking at the TCP
information, not the IP information it does not
know it is talking to (A)
Predicting TCP Sequence Numbers
RFC 793 - The generation of a SQN should be bound
to
a 32 bit clock which increments every 4
microseconds
Despite these guidelines, the majority of TCP
implementations increment the SQN by a constant
value
The SQN clock is incremented by 128,000/sec
and by a further 64,000 for each new connection.
Detecting IP spoofing
By looking at the source and destination address
fields of an IP packet,
a firewall can determine whether the addresses
are spoofed

124 South Maple Street, 2nd Floor Ambler, PA
19002 voice 1.215.371.3300 fax
1.215.371.1753 web http//www.lucidsecurity.com
18
Attacks

Network and transport layer attacks RST FIN
Attacks
Reset Attack Whereas SYN flooding attacks are
carried out at the beginning of the connection,
RST attacks usually occur in the middle of it.
Scenario Two machines (C) and (B) are in the
middle of a connection. Attacker (A) wants to
gain control of (C)
Attacker (A) disrupts the connection between (B)
(C) by sending (B)
a spoofed packet with RST flag set
and SQN number
The attacker then assumes Bs identity and starts
attacking (C).
FIN Attack A FIN is similar to the RST attack
and is used to disconnect the target. However it
concentrates on the end state of a TCP
connection. The attacker tries to establish a
series of new connections and closes them
immediately without any data transfers. The idea
is to keep the server busy and eventually crash
it with a large number of open and close
connection requests.
This is more popular than the RST attack because
the attacker can know immediately whether or not
the
attack was successful as the target (C) has to
reply with an ACK after it receives a FIN flag.

124 South Maple Street, 2nd Floor Ambler, PA
19002 voice 1.215.371.3300 fax
1.215.371.1753 web http//www.lucidsecurity.com
19
Attacks

Application Layer Attacks
Firewalls
Designed for
Access Control
Protocol Integrity Validation Enforcement
Irregular usage of Protocols
Not Designed for
Deep Packet Inspection of Payload at Application
Layer
Detecting attacks targeting specific
vulnerabilities in applications (such as IIS)
Hackers Goal
Denial-of-service to legitimate users.
Gaining administrative privileges on the
client/server machines.
Gain root privileges to execute malicious
commands.
Install Trojans/Backdoors to destroy/access
applications.
Hijack user accounts to get passwords and other
valuable information.

124 South Maple Street, 2nd Floor Ambler, PA
19002 voice 1.215.371.3300 fax
1.215.371.1753 web http//www.lucidsecurity.com
20
Attacks

Application Layer Attacks
Application Protocols
HTTP
FTP
SMTP
DNS
Applications
IIS 5.0, Apache 2.0.47,
iPlanet 4.1 (Netscape 4.1), etc.
Serv-U 4.1
Sendmail 8.12.9, Exchange 5.5
Bind 9.2.2, Microsoft DNS

Vulnerability Hierarchy
Unpatched / Vulnerable Application Application
Version Specific Category Specific (ftp,
http, etc.) Operating System Specific All
Known Vulnerabilities
124 South Maple Street, 2nd Floor Ambler, PA
19002 voice 1.215.371.3300 fax
1.215.371.1753 web http//www.lucidsecurity.com
21
Attacks

Application Layer Attacks
Buffer overflow When the string size exceeds
memory space allocated for a field
Programmers often fail to fix a bound on the user
input fields
The hacker can calculate the additional size that
needs to be added to the string so that it
exceeds the memory space allocated for the field
The hacker then sends this oversized field to the
system causing a buffer overflow
Buffer overflows could lead to security exploits
or simply denial-of-service.
Backdoors A backdoor is a mechanism used by
hackers to gain unauthorized access to the system
Backdoors are often the result of a software bug
or the unintended use of a legitimate service
Sometimes backdoors are covertly installed on a
victim system by a Trojan
A backdoor is a port of entry into the system and
is often used by Trojans to gain access
Trojans Stealthy code that is inserted into
legitimate software and is activated once on the
victims computer
A malicious piece of code installed by a hacker
on the victims machine
A program that does something which is different
from the purpose for which it was installed on
the system
Example An antivirus software that introduces a
virus into the system when installed

124 South Maple Street, 2nd Floor Ambler, PA
19002 voice 1.215.371.3300 fax
1.215.371.1753 web http//www.lucidsecurity.com
22
Attacks

Application Layer Attacks
Cross site scripting Inserting malicious code
onto a machine based upon a dynamic (automatic)
response to stimulus
A dynamic web-site returns user input to the
client in different ways based on the browser
settings of the client
It is possible to insert malicious code (script)
without the knowledge of the client or the server
machine
This could result in cookie theft, account
hijacking or spreading viruses
CGI abuses These attacks try to exploit the
flaws in the Common Gateway Interface (CGI) of an
application
CGI is used by web servers to interact with other
programs on the server, or the operating system
itself
Either incorrect configuration, or flaws in the
CGI code will allow unauthorized usage
Example Apache 2.0.x contains a default script
/cgi-bin/test-cgi.bat. An attacker could use
this CGI to execute arbitrary code by sending the
(pipe) character appended with the command as
parameters

124 South Maple Street, 2nd Floor Ambler, PA
19002 voice 1.215.371.3300 fax
1.215.371.1753 web http//www.lucidsecurity.com
23
Defenses Firewalls, IDS IPS

Types of Firewalls
Packet Filters
Proxy Firewalls
Circuit Level Proxies
Application Level Proxies
Stateful Inspection Firewalls
Types of Intrusion Detection/Prevention
Network Based
Signature
Anomaly
Host based

124 South Maple Street, 2nd Floor Ambler, PA
19002 voice 1.215.371.3300 fax
1.215.371.1753 web http//www.lucidsecurity.com
24
Defenses Firewalls

Packet Filters
Screening Routers that control the flow of
information by looking at
Source Address
Destination Address
Type of protocol used for transferring the data
Example Rules
Do not allow ICMP connections from
outside the network
Allow connection to a specific IP Address
Deny traffic with a destination of the internal
network
that has source address from the internal
network
Advantages
Very Efficient (Fast)
Good at preventing IP Spoofing

124 South Maple Street, 2nd Floor Ambler, PA
19002 voice 1.215.371.3300 fax
1.215.371.1753 web http//www.lucidsecurity.com
25
Defenses Firewalls

Proxy Firewalls Works as transfer agents between
internal and external networks
Proxy Firewalls prevent internal hosts from being
directly exposed to the outside world
Outbound connections
Accepts requests from internal hosts
Translates the IP Address
Requests communication with the external device
on behalf of the internal host
Inbound Connections
Accepts requests from external hosts
Translates IP Port request to specific internal
device
Requests communication with internal device
Circuit Level Proxies
Act as an agent
Creates a circuit (connection) between internal
host and external device

124 South Maple Street, 2nd Floor Ambler, PA
19002 voice 1.215.371.3300 fax
1.215.371.1753 web http//www.lucidsecurity.com
26
Defenses Firewalls

Proxy Firewalls Works as transfer agents between
internal and external networks
Proxy Firewalls prevent internal hosts from being
directly exposed to the outside world
Application Level Proxies
(Application Gateway or Application Firewall)
Similar to Circuit Level Proxy
It can understand and interpret commands in the
payload portion of the packets.
(Which even stateful inspection firewalls are
not able to do.)
It provides a robust authentication and logging
mechanism
Considered to be the most secured and advanced
firewalls
Limitations
Needs to have a different proxy mechanism for
each protocol supported
They do not support certain types of protocols
They have to analyze a large amount of
information from a large number of packets
which may lead to high processing time and
overheads
Not all applications are designed to use a proxy

124 South Maple Street, 2nd Floor Ambler, PA
19002 voice 1.215.371.3300 fax
1.215.371.1753 web http//www.lucidsecurity.com
27
Defenses Firewalls

Stateful Inspection Firewalls Hybrid between
packet filter and proxy firewalls
How it works
Makes traffic decisions with the help of a
dynamic state table
The state table keeps a record of past
communications
By Source and Destination address
By Source and Destination port
Validates and enforces protocol standards and
general accepted usage guidelines
No ACK with out the corresponding SYN?SYN/ACK
Answers ISN requests using a Sequence Numbers
(SQN) that are generated using RFC 793 standards
(makes spoofing more difficult)
When the external server responds with a file,
the firewall does a state table look up to decide
whether such a request had been made. If it had
been made, the packet is allowed in. If not, the
packet is discarded by the firewall.
Limitations
No application level security is provided.
They are only able to do Stateful Inspection for
connection oriented-protocols such as TCP
They do not look at the packets as closely as the
application gateway

124 South Maple Street, 2nd Floor Ambler, PA
19002 voice 1.215.371.3300 fax
1.215.371.1753 web http//www.lucidsecurity.com
28
Defenses Firewalls

Stateful Inspection Firewalls Hybrid between
packet filter and proxy firewalls
Check Point NG with Application Intelligence
Same features as regular stateful inspection
firewall
Additional validation of protocols at the
application layer
Same technology as protocol anomaly based
intrusion detection/prevention
Validates Enforces Protocol usage at
application layer
Protects against irregular behavior (Example
Excessive HTTP header length)
Same drawbacks as protocol anomaly based
intrusion detection/prevention
Benefits
Application protocol validation and enforcement
(Example HTTP)
Limitations
No application specific security is provided
(Example IIS)
Most attacks target vulnerabilities in specific
applications, not the transport protocol for the
application

124 South Maple Street, 2nd Floor Ambler, PA
19002 voice 1.215.371.3300 fax
1.215.371.1753 web http//www.lucidsecurity.com
29
Defenses Firewalls

Firewalls A Summary
Strengths of Firewalls Very good at enforcing
access control
User level / authentication
Filtering traffic by IP Port
Enforcing standards
Limitations of Firewalls
Cannot protect against turncoats and others using
socio-engineering techniques
They cannot protect against attacks that do not
go through them (Example dial up connections)
Very little or no effort is taken to look in
detail at the data contents of the packet
It also cannot protect against new threats which
are developed by exploiting the flaws within the
network or applications themselves that are often
overlooked or not considered to be serious or not
known to the security community at all
Firewalls almost do not protect against viruses
New viruses are developed very frequently these
days and there are many ways of encoding binary
files

124 South Maple Street, 2nd Floor Ambler, PA
19002 voice 1.215.371.3300 fax
1.215.371.1753 web http//www.lucidsecurity.com
30
Defenses Intrusion Detection Prevention
124 South Maple Street, 2nd Floor Ambler, PA
19002 voice 1.215.371.3300 fax
1.215.371.1753 web http//www.lucidsecurity.com
31
Defenses Intrusion Detection Prevention

Signature NIDS
Knowledge based systems
The most commonly and commercially available
systems
Logic lies in pattern matching
The traffic payload is compared to a set of known
attack patterns (Signatures)
Upon a match that particular traffic is flagged
as
dangerous and alerts are generated
Utilizes a network adapter (usually in
promiscuous mode)
on a segment to monitor the network traffic
Strengths
Very accurate when properly tuned
Very fast when properly tuned
Limitations
They are not able to detect attacks that are new
or dont have signatures for

124 South Maple Street, 2nd Floor Ambler, PA
19002 voice 1.215.371.3300 fax
1.215.371.1753 web http//www.lucidsecurity.com
32
Defenses Intrusion Detection Prevention

Signature Based NIDS

124 South Maple Street, 2nd Floor Ambler, PA
19002 voice 1.215.371.3300 fax
1.215.371.1753 web http//www.lucidsecurity.com
33
Defenses Intrusion Detection Prevention

Protocol Anomaly NIDS
TCP/IP protocol has standards available in the
form of Request for Comment (RFC)
Protocol anomaly detectors build a model based on
these guidelines
It can also include information not explicitly
mentioned in the protocol guidelines but known or
understood through usage of that protocol.
Example Maximum length of the HTTP header
Any variant is considered as an anomaly.
Example The SSH v1 specifications restricts the
length of the error messages to 262144 bytes.
An error message longer than 262144 bytes
indicates a protocol anomaly.
Advantages
They do not depend on signatures or on attacks
that are known
There is no time lapse for developing and
updating signatures as in case of signature based
IDSs.
Disadvantages
An anomaly does not necessarily mean an attack or
a misuse
Anomaly based IDSs generate a large number of
false positives.

34
Defenses Intrusion Detection Prevention

Vulnerability A bug in software which can be
used to compromise a system
Exploit An attack that has been written against
a known vulnerability
Vulnerability Scanner A program which simulates
real exploits on known vulnerabilities in order
to ascertain whether or not a system can be
compromised
Intrusion Any unauthorized or malicious user
connecting to a network with the objective
of disrupting / destroying services or
stealing information
Intrusion Detection System Software which
detects misuse or attacks against a network
Signature A unique traffic pattern which occurs
when an exploit is launched against a
vulnerability
Anomaly Any behavior that deviates from the
norm.
Statistical deviation from a baseline
Protocol deviation from a set of know rules
(usually written into RFC)
False Alarm An invalid alert that resulted
from

35
Intrusion Detection Methods

Non-harmful True Positive A valid result from
an irrelevant stimulus (such as a port scan)
36
Passive vs. Active Defense
False positives
Non-relevant
Traffic allowed by Firewall
Traditional IDS/IPS
ipANGEL
Relevant alerts logs
Traffic blocked by Firewall
Firewall
False positives
Non-relevant
Real-time Active Defense
Passive Monitoring
37
ipANGEL FireWall
(IIS exploit on Apache web server) Non-relevant
attacks flow unimpeded
Legitimate traffic flows unimpeded
ipANGEL instructs Firewall to block relevant
attacks
ipANGEL
Traffic Blocked by Firewall
Firewall
38
124 South Maple Street, 2nd Floor Ambler, PA
19002 voice 1.215.371.3300 fax
1.215.371.1753 web http//www.lucidsecurity.com
39
Customer Challenge

Why is a solution necessary?
Knowing that they cannot break through a
firewall,
hackers have looked for ways to circumvent
security.
Most new attacks exploit vulnerabilities in web
servers,
mail servers, etc. thereby bypassing the
firewalls defenses
Intrusion Prevention is the solution to this
problem

124 South Maple Street, 2nd Floor Ambler, PA
19002 voice 1.215.371.3300 fax
1.215.371.1753 web http//www.lucidsecurity.com
40
Customer Challenge

Intrusion Detection/Prevention technology has
many limitations
Extremely complex
High total cost of ownership
Riddled with inefficiencies
Manual tuning
Manual intervention required to address attacks
False positives
Overlap with existing security devices (firewall)
Reactive the damage has been done
A new breed of Intrusion Prevention needs to be
smarter to address these issues

124 South Maple Street, 2nd Floor Ambler, PA
19002 voice 1.215.371.3300 fax
1.215.371.1753 web http//www.lucidsecurity.com
41
Solution to Customer Challenge

Adaptive Intelligence
Precision Intrusion Prevention
ipANGEL adapts to the protect the hosts on a
network based upon their unique vulnerability
state.
Five (5) integrated engines which power ipANGEL
Firewall-1 Policy mapping engine
Vulnerability Scanning engine
Rule Correlation Management engine
Intrusion Detection engine
Defense Countermeasure engine
ipANGEL extends the capabilities of Check Point
Firewall-1 to provide a complete, automated
solution that protects your network and
applications in real-time.

Firewall
124 South Maple Street, 2nd Floor Ambler, PA
19002 voice 1.215.371.3300 fax
1.215.371.1753 web http//www.lucidsecurity.com
42
Passive vs. Active Defense
False positives
Non-relevant
Traffic allowed by Firewall-1
Traditional IDS/IPS
ipANGEL
Relevant alerts logs
Traffic blocked by Firewall-1
Firewall-1
False positives
Non-relevant
Real-time Active Defense
Passive Monitoring
43
Application Intelligence vs. ipANGEL

Application Intelligence (AI)
Validate compliance to standards
No binary characters in http headers
and expected usage
Block IM (Instant Messaging) over http
Content Filtering (limited IDS)
Rules limited to SANS Top 20
Manual Tuning
Manual update of rules
(may also require firewall policy changes)
False positives akin to traditional IDS

ipANGEL
Validate vulnerability state of protected hosts
Determine which IP Ports to scan
Firewall Policy Mapping
Determine what can harm hosts
Vulnerability Assessment
Real-time Correlation of VA results to IDS rules
Intrusion Detection/Prevention
Thousands of Rules to choose from
Self-tuning based on vulnerability state of
hosts
Auto-Update of VA attacks and IDS rules (daily)
(no firewall policy changes required)
No False Positives!!!

124 South Maple Street, 2nd Floor Ambler, PA
19002 voice 1.215.371.3300 fax
1.215.371.1753 web http//www.lucidsecurity.com
44
Features Benefits

Features
Vulnerability Scanning
Intrusion Detection
Self-tuning / Self Maintaining system
Auto-Update of attacks and corresponding rules
(daily)
Real-time attack protection via Firewall-1 (SAM)
Benefits
Affordable
Easy to deploy and maintain
Always up-to-date
Ongoing vulnerability protection
Enhanced perimeter security

124 South Maple Street, 2nd Floor Ambler, PA
19002 voice 1.215.371.3300 fax
1.215.371.1753 web http//www.lucidsecurity.com
45
Product Deployment
124 South Maple Street, 2nd Floor Ambler, PA
19002 voice 1.215.371.3300 fax
1.215.371.1753 web http//www.lucidsecurity.com
46
124 South Maple Street, 2nd Floor Ambler, PA
19002 voice 1.215.371.3300 fax
1.215.371.1753 web http//www.lucidsecurity.com
47
124 South Maple Street, 2nd Floor Ambler, PA
19002 voice 1.215.371.3300 fax
1.215.371.1753 web http//www.lucidsecurity.com
48
124 South Maple Street, 2nd Floor Ambler, PA
19002 voice 1.215.371.3300 fax
1.215.371.1753 web http//www.lucidsecurity.com
49
Product Differentiation

Adaptive (Precision) Intrusion Prevention
Designed as an enhancement to FireWall-1
First gateway-sensor solution available
February 2003
Keeps you protected until you have the
opportunity to patch the vulnerable system.
Easy to install maintain Its TRUE!
Lower Total Cost of Ownership

124 South Maple Street, 2nd Floor Ambler, PA
19002 voice 1.215.371.3300 fax
1.215.371.1753 web http//www.lucidsecurity.com
50
Product Detail