Defense-in-Depth, Part 2: Advanced Intrusion Defense - PowerPoint PPT Presentation

About This Presentation
Title:

Defense-in-Depth, Part 2: Advanced Intrusion Defense

Description:

Defense-in-Depth, Part 2: Advanced Intrusion Defense Joel Snyder Opus One jms_at_opus1.com Traditional perimeter technology is being A firewall is not just a firewall ... – PowerPoint PPT presentation

Number of Views:170
Avg rating:3.0/5.0
Slides: 34
Provided by: mediaTech
Category:

less

Transcript and Presenter's Notes

Title: Defense-in-Depth, Part 2: Advanced Intrusion Defense


1
Defense-in-Depth, Part 2Advanced Intrusion
Defense
Joel Snyder Opus One jms_at_opus1.com
2
Traditional perimeter technology is being
Supplemented?
3
A firewall is not just a firewall any more
  • IDS has been replaced by IPS
  • (No, I dont believe that, Im just repeating
    awful rumors)
  • Worms now outnumber viruses in your e-mail by a
    factor of 20 to 1
  • Spam represents 50 to 75 of all e-mail you
    receive
  • Firewalls now have advanced application
    intelligence
  • Actually, they had that already, but the
    marketroids had to keep themselves busy
  • Firewalls now are intrusion prevention systems
  • Isnt every firewall an intrusion prevention
    system?
  • Firewalls now do virus scanning, content
    scanning, and ironing
  • Application-layer firewalls are needed to protect
    legions of inadequate web programmers

4
Key question Do you need this?
  • Do you need to buy (or upgrade) to a bigger,
    smarter, faster, more capable firewall?
  • Do you need to buy an IPS?
  • an application layer firewall?
  • a smarter IDS?
  • an SSL VPN device?
  • Do I want an all-in-one thing?
  • Do I want individual parts?
  • The answer youve been waiting for is on the
    very next slide!

5
Should I buy a lot of this new security stuff?
And if I do buy this, what kind should I buy?And
where should I put it?And which product should I
buy?
Answer 42
6
I cant tell you what is right for your network
  • I can tell you what products are out there and
    what they are doing
  • I can also tell you what the trends are in these
    products
  • But the hard work remains yours

So lets look at whats happening in the firewall
business
7
March, 2004 Information Security sponsors
research on new firewall technologies
  • Products from Check Point, Cyberguard, NetScreen,
    Nortel Networks, Symantec, Secure Computing,
    Watchguard
  • Support from Andy Briney, Neil Roiter at
    Information Security

http//infosecuritymag.techtarget.com/
8
Firewalls have been around for a very long time
  • ATTs gateway creates a sort of crunchy shell
    around a soft, chewy center. (Bill Cheswick,
    Design of a Secure Internet Gateway, April, 1990)

First firewalls deployed in Internet-connected
organizations
CheckPoint revenues cross 100m
Firewalls and Internet Security published
WatchGuard introduces 1st FW appliance
Cisco buys PIX (Network Translation)
TIS toolkit commonly available
1989 1991 1993 1995 1997 1999 2001
2003 2005
9
Surely firewall makers have been busy since 1999 ?
  • Clear product trends
  • Add VPN features
  • Site-to-site
  • Remote Access (?)
  • Add policy-based URL control
  • Websense-type
  • Add interfaces
  • No longer just inside, outside, DMZ
  • Clear market trends
  • Faster
  • Cheaper
  • Smaller
  • New Guard NetScreen (Juniper), Watchguard,
    SonicWALL
  • Old Guard Cisco, Check Point

10
Surely, firewall makers have been busy since 1999
?
  • Clear product trends
  • Add VPN features
  • Site-to-site
  • Remote Access (?)
  • Add policy-based URL control
  • Websense-type
  • Add interfaces
  • No longer just inside, outside, DMZ
  • Clear market trends
  • Faster
  • Cheaper
  • Smaller
  • New Guard NetScreen (Juniper), Watchguard,
    SonicWALL
  • Old Guard Cisco, Check Point

11
Incremental improvements are not very exciting
  • Smaller, cheaper, faster thats great
  • VPNs, more interfaces thats great
  • But what have you done for me lately?
  • To answer that, we need to digress to the oldest
    battle in all of firewall-dom proxy versus
    packet filter!

12
Arguments between Proxy and Stateful PF continued
  • Proxy
  • More secure because you can look at application
    data stream
  • More secure because you have independent TCP
    stacks
  • Stateful PF
  • Faster to write
  • Faster to adapt
  • Faster to run
  • Faster also means cheaper

13
Proxy-based firewalls arent dead just slow!
Process Space
Proxy
RTL
TCP/IP
Outside net 1.2.3.4
Inside network 10.1.1.0/24
Src1.2.3.4 Dst5.6.7.8
Src10.1.1.99Dst5.6.7.8
Packet Filtering
Kernel
14
Firewall Landscape five years ago
  • IBM eNetwork
  • Secure Computing
  • Altavista Firewall
  • TIS Gauntlet
  • Raptor Eagle
  • Elron
  • Cyberguard
  • Ukiah Software
  • NetGuard
  • WatchGuard
  • SonicWALL
  • Check Point
  • Livermore Software
  • Milkyway
  • Borderware
  • Global Internet

Where have they all gone?
15
Stateful Packet Filtering dominates the market
Check PointCisco NetScreen SonicWALL
Freeware-based products Ipchains, IPF, Iptables,
IPFW
FW NewcomersFortinet, Toshiba, Ingate,
ServGate, many others
IP
Stateful Packet Filtering
Kernel
16
But the core argument was never disputed
  • Proxy-based firewalls do have the possibility to
    give you more control because they maintain
    application-layer state information
  • The reality is that proxy-based firewalls rarely
    went very far down that path
  • Why? Market demand, obviously

17
Firewall EvolutionWhat we hoped for
  • Additional granular controls on a wide variety of
    applications
  • Intrusion detection and prevention functionality
  • Vastly improved centralized management systems
  • More flexible deployment options

18
Firewall EvolutionWhat we found
  • Vastly improved centralized management systems
  • More flexible deployment options
  • Additional granular controls on somea wide
    variety of applications
  • Limited intrusion detection and prevention
    functionality

Why? Market demand, obviously
19
So whats going on in the firewall business?
  • Products are diverging, not converging
  • Personalities of products are distinct
  • IPS is a step forward, but not challenging the
    world of standalone products
  • Rate of change of established products is slow
    compared to new entries

20
What does this mean for me and my firewall?
  • Products are diverging
  • Personalities are distinct
  • IPS weaker than standalone
  • Change rate slow
  • Matching firewall to policy is hard change in
    application or policy may mean changing product!
  • Aggressive adoption of new features unlikely in
    popular products need new blood to overcome
    product inertia

21
Are Intrusion Detection Systems dead?
Massive Support from Marty Roesch, Ron Gula,
Robert Graham Products from ISS, Cisco, and
Tenable Cash and Prizes from Andy Briney and Neil
Roiter
http//infosecuritymag.techtarget.com/
22
This is an IDS alert
  • IDS saw a packet aimed at a protected system
  • IDS magic decoder technology correctly identifies
    this as Back Orifice!

23
This IDS alert aint no good
  • Last time I checked, FreeBSD 4.9 was not one of
    the supported platforms for BackOrifice

24
Please dont call that a false positive
  • Instead, lets invent a complex multisyllable
    termnon-contextual alert
  • IDS developers will jump down your throat
  • False Positive means the IDS cried wolf when
    there was no such attack
  • Usually the result of poorly written signatures

25
The IDS lacks context
  • IF the IDS knew that the destination system was
    not running Windows
  • IF the IDS knew that the destination system was
    not running Back Orifice
  • IF the IDS knew that there was no such
    destination system
  • IF the IDS knew that the destination system was
    more hops away then TTL allowed

26
IF IF IF the IDS knew more
  • THEN the IDS could tell the IDS operator more
    about this attack
  • Ron Gula (Tenable) says that alerts are raw
    intelligence. They are data, but are not
    information yet. We need to turn them into
    well-qualified intelligence to start a war.

27
Roesch Target-Based IDS
Target-based IDS has two components
  • Target-based Event Correlation
  • The output of the sensor is compared to knowledge
    of vulnerabilities
  • Target-based IDS Sensor
  • The sensor has knowledge about the network
  • The sensor has knowledge about the hosts

28
Start with a normal IDS
  1. IDS sensors generate enormous dinosaur-sized
    piles of alertsalerts are sent to the IDS
    console
  2. Operator gets enormous dinosaur-sized headache
    looking at hundreds of thousands of alerts

and add brains!
29
What does an IDS with brains look like?
30
Brainsknowledge process
  • Knowledge
  • Somehow figure out lots of information about
  • What systems are out there
  • What software they are running
  • What attacks they are vulnerable to
  • Process
  • Evaluate each alert with the additional
    contextual knowledge and decide
  • To promote the alert
  • To demote the alert
  • That we dont know

31
Can this quiet my IDS down?
  • It could
  • But none of the products I looked at have a
    feedback loop to the IDS!
  • Why dont the scanners tell the IDS what ports to
    look on?
  • Why dont the scanners tell the IDS what
    signatures to ignore?

32
Is this right for you?
  • YES!
  • I already have an IDS and I care about the
    alerts and I need some way to help prioritize
    them because I am drowning in alerts!
  • I need to get an IDS for alerts but dont have
    the manpower to analyze the alerts.
  • NO!
  • If I get this, my IDS will be a self-tuning
    smooth-running no-maintenance machine.
  • I have no network security policy which says
    what to do when an alert occurs.

33
Advanced Intrusion Defense Joel Snyder Opus
One jms_at_opus1.com
Write a Comment
User Comments (0)
About PowerShow.com