1 Overview of IPS
TRANSCRIPT
Contents
Introduction to Misoft and IBM ISS
Threats and risks to network systems
Basic concepts of IPS systems
Software Development and Technology Support Joint Stock Company
www.misoft.com.vn
MISOFT
• Founded in 2001
• Head office in Hanoi and a branch in Ho Chi Minh City
• Total staff: about 60
• Areas of activity:
• Consulting on the safety and security of information systems
• Providing security solutions
• Performing security services
We secure IT
Partners
VIETNAM'S LEADING NETWORK SECURITY SOLUTION CONSULTANT AND GENERAL DISTRIBUTOR
Hanoi head office:
11 Phan Huy Chú, Hoàn Kiếm
Tel: (84-4) 933 1613
Fax: (84-4) 933 1612
email: [email protected]
Ho Chi Minh City office:
60 Trường Sơn Street, Tân Bình District
Tel: (84-8) 844 3027
Fax: (84-8) 844 3598
email: [email protected]
Representative Customers
Why ISS?
Global Leader in Comprehensive Security Solutions
Leading edge of security research and innovation, including the invention of:
Vulnerability assessment
Intrusion detection and prevention technologies
Pre-emptive protection
X-Force R&D Team – the oldest, best-known commercial security research group in the world
Discovers and analyzes previously unknown vulnerabilities
X-Force discovered 51% of the high-risk vulnerabilities found by commercial security research groups from 1998 to 2005
ISS Virtual Patch Technology – proactive security content updates
ISS Platform Differentiators
Diagram: "The power to deliver the most advanced internet security in the world". Labels: The world's leading enterprise security R&D organization (ISS X-Force Security R&D); Global Security Operations Center, infrastructure monitoring (ISS Security Operations); ISS Protection Platform, end-to-end preemptive security solutions; Integrated Security.
“IPS capabilities are excellent, demonstrating wide
coverage and good resistance to evasion techniques.”
“ISS was the ONLY vendor to score a perfect 5 in the
security effectiveness category.”
“The G6116 exceeded maximum rated throughput
and blocked 100% of malicious traffic.”
The leader in Network Intrusion Control Systems (IDS/IPS).
The Industry Pundits Love ISS Innovation
ISS is the leader in Worldwide IDS/IPS for the 5th
Consecutive Year.
ISS wins the Technology Leadership Award in Host IPS &
the Market Leadership Award in Network IPS for 2005.
Market Leadership: 2007 Analyst Accolades
Gartner Magic Quadrants: MSSP – Magic Quadrant Leader; Network IPS Appliances – Magic Quadrant Leader; Personal Firewall – Magic Quadrant Visionary
META Group METAspectrum: IDS/IPS Leader
IDC Worldwide Market Share: #1 in IPS Appliances; #1 in IDS/IPS Software (six consecutive years); #1 in Vulnerability Assessment Software (six consecutive years)
Market Leadership: 2005-2007 Awards
Frost & Sullivan Awards: Network Security Company of the Year Award; IDS/IPS Market Leadership Award; Vulnerability Assessment Market Leadership Award; MSS Customer Service Innovation Award; Endpoint Security Technology Leadership Award; Latin America IDS/IPS Market Share Leader
SC Magazine Awards: Best Managed Security Service; Security Company of the Year; Best Integrated Security Solution
“An Outstanding Customer Service Experience” – J.D. Power and Associates Certified Technology and Support Program, developed in conjunction with the Service & Support Professionals Association (SSPA). For more information, visit www.jdpower.com or sspa.com.
IBM ISS Products
Proventia Network MFS: MX5110, MX5008, MX4006, MX3006, MX1004, MX0804 – “All-in-One” Protection Appliance
- IDS/IPS
- FW / VPN
- AntiVirus (signature & behavioral)
- AntiSpam
- Web Filter
- Spyware
Proventia ADS Series – “Anomaly/Behavioral” Protection and Network Visibility Appliances
Proventia Desktop – “All-in-One” Protection Agent
- Firewall
- Virus Prevention System
- Intrusion Protection
- VPN Enforcer
- Buffer Overflow Protection
Proventia Network IPS – Preemptive Security for Enterprise Networks: Baby-G, GX4002, GX4004, GX5008, GX5108, GX5208, GX6116
Proventia Server – “Multi-layered” Protection Agent
– Windows
– Linux
RealSecure Server Sensor
– Windows
– Solaris
– AIX
– HP-UX
What is information security?
Diagram: Legal Framework; People, Procedures, Policy, Technology; Information Security; Confidentiality, Integrity, Availability, Authenticity, Non-repudiation, Accountability, Reliability.
• Information security is the set of measures that ensure the confidentiality, integrity and availability of information, together with its authenticity and non-repudiation.
• The safety and security of an information system is not only a technical solution.
• A legal framework is needed to guarantee the safety and security of information systems.
ISO/IEC 27001:2005
Threats, risks and consequences
Data loses its confidentiality:
Computers hit by phishing, leading to the loss of access passwords
Secrets exposed on the transmission path: eavesdropping, interception, ...
Secrets exposed through intermediate storage media: hard disks, floppy disks, CD-ROMs, USB drives, ...
Does “VÀNG ANH” know about this??
Threats, risks and consequences
Data loses its integrity:
Through physical damage or transmission errors
Through interception and substitution by hackers, or carried out by competing businesses themselves
Viruses alter or delete data
Threats, risks and consequences
The system fails to provide availability:
Emergency! I can’t get to my data!
Response: Turn the computer on!
Denial-of-service (DoS) attacks aimed at the services the ISP provides
Exploitation of operating-system weaknesses (servers, workstations) within the network
Risk of reduced productivity from virus attacks: network congestion and consumption of system resources (bandwidth and network resources are hogged), leading to slow computers
Network protection solutions
1. Anti-virus: Trend Micro
2. Firewall: Check Point
3. IPS/IDS: IBM ISS
4. Authentication: Vasco, Entrust, RSA
5. PKI: Entrust, RSA Keon, Verisign, ...
6. Consulting on and building information security policy
7. Performing security services
IBM Internet Security Systems intrusion prevention solution
Use network IPS appliances
Use host-IPS software installed on servers/workstations
Use scanning software to detect weaknesses in the network
Use integrated security appliances
Centralized management software
Intrusion Detection and Prevention Principles
Intrusion detection: the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices.
Incidents: malware (worms, spyware), attackers gaining unauthorized access to systems from the Internet, and authorized users of systems who misuse their privileges or attempt to gain additional privileges for which they are not authorized.
An intrusion detection system (IDS): automates the intrusion detection process.
An intrusion prevention system (IPS): has all the capabilities of an intrusion detection system and can stop possible incidents.
Intrusion detection and prevention systems (IDPS) refer to both IDS and IPS technologies.
The Airport Analogy
Firewall & NIPS comparison
Firewall:
– Like Immigration at the airport
– Controls WHO & WHEN the entity is permitted to enter or leave
– Based on the passport
Network IPS:
– Like Customs at the airport
– Controls WHAT & HOW is permitted to enter or leave
– Based on what you bring/carry
Key Functions of IDPS Technologies
Recording information related to observed events
Notifying security administrators of important observed events, known as an alert, through e-mails, pages, the IDPS user interface, SNMP traps, syslog messages, user-defined programs and scripts
Producing reports
Stopping the attack itself:
Terminate the network connection or user session that is being used for the attack
Block access to the target (or possibly other likely targets) from the offending user account, IP address, or other attacker attribute
Block all access to the targeted host, service, application, or other resource
Changing the security environment: change the configuration of other security controls to disrupt an attack
Changing the attack’s content
Common Detection Methodologies
Signature-Based Detection:
A pattern that corresponds to a known threat. Examples:
A telnet attempt with a username of “root”, which is a violation of an organization’s security policy
An e-mail with a subject of “Free pictures!” and an attachment filename of “freepics.exe”, which are characteristics of a known form of malware
An operating system log entry with a status code value of 645, which indicates that the host’s auditing has been disabled
The benefits:
Quickly identifies defined attacks
Helps system administrators track attacks
Does not generate many false alarms, because it is programmed to recognize situations that are typically attacks
The limitations:
Requires updated attack signature files
Lacks the ability to remember previous requests when processing the current request
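The three slide examples as working signature matching, added here as an example (it is not Misoft or IBM ISS code). A signature is a set of per-field patterns that must all match a single event; each alert carries the minimum log fields named later in the deck (timestamp, event type, source, detecting sensor) plus the signature's external references. The events, the signature ids and the reference ids are constructed for this example. The second telnet event shows the stateless limitation: each event is judged on its own, so a series of different usernames from one source is not something this matcher can notice.

```python
"""Signature-based detection over constructed events.

Added example (not Misoft or IBM ISS code). A signature is a set of field
predicates; an event matches when every predicate holds for that event alone,
which is exactly the statelessness the slide lists as a limitation. The three
signatures mirror the slide's examples; event data and reference ids are
constructed for this example.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Signature:
    sig_id: str
    event_type: str          # only events of this type are evaluated
    predicates: dict         # field name -> regex that the field value must fully match
    severity: str
    references: list = field(default_factory=list)  # CVE ids, advisories, policy ids


SIGNATURES = [
    Signature("SIG-TELNET-ROOT", "telnet_login", {"username": r"root"}, "medium",
              ["POLICY-REMOTE-ROOT (constructed policy reference)"]),
    Signature("SIG-FREEPICS-MAIL", "email",
              {"subject": r"Free pictures!", "attachment": r"(?i)freepics\.exe"}, "high",
              ["CVE-YYYY-NNNNN (placeholder; the slide names no CVE)"]),
    Signature("SIG-AUDIT-DISABLED", "os_log", {"status_code": r"645"}, "high",
              ["VENDOR-ADVISORY-PLACEHOLDER"]),
]

# Constructed sample events; a real sensor would decode these from traffic or logs.
EVENTS = [
    {"timestamp": "2024-01-01T10:00:00Z", "type": "telnet_login", "src": "10.0.0.5", "username": "root"},
    {"timestamp": "2024-01-01T10:00:01Z", "type": "telnet_login", "src": "10.0.0.5", "username": "alice"},
    {"timestamp": "2024-01-01T10:02:00Z", "type": "email", "src": "mail.example.test",
     "subject": "Free pictures!", "attachment": "FreePics.exe"},
    {"timestamp": "2024-01-01T10:03:00Z", "type": "email", "src": "mail.example.test",
     "subject": "Free pictures!", "attachment": "report.pdf"},
    {"timestamp": "2024-01-01T10:05:00Z", "type": "os_log", "src": "srv-01", "status_code": 645},
]


def matches(sig, event):
    """True when the event type matches and every predicate fully matches its field."""
    if event.get("type") != sig.event_type:
        return False
    return all(re.fullmatch(pat, str(event.get(name, ""))) is not None
               for name, pat in sig.predicates.items())


def detect(events, signatures=SIGNATURES, sensor="nips-01"):
    """Evaluate each event against every signature; emit one alert per match.

    Each alert carries the minimum log fields (timestamp, event type, event
    source, detecting sensor) plus the references attached to the signature.
    """
    alerts = []
    for ev in events:
        for sig in signatures:
            if matches(sig, ev):
                alerts.append({
                    "timestamp": ev.get("timestamp"),
                    "event_type": ev["type"],
                    "source": ev.get("src"),
                    "sensor": sensor,
                    "signature": sig.sig_id,
                    "severity": sig.severity,
                    "references": list(sig.references),
                })
    return alerts


def format_log_line(alert):
    """One syslog-style line per alert, suitable for forwarding to a central store."""
    refs = ";".join(alert["references"]) or "-"
    return (f'{alert["timestamp"]} sensor={alert["sensor"]} sig={alert["signature"]} '
            f'sev={alert["severity"]} type={alert["event_type"]} src={alert["source"]} refs={refs}')


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(format_log_line(a))
```

Running the block prints three alert lines, one per slide example; the second telnet event and the e-mail with a PDF attachment match nothing.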
Common Detection Methodologies
Anomaly-Based Detection:
Uses profiles
Compares definitions of what activity is considered normal against observed events to identify significant deviations
The benefits:
Can be very effective at detecting previously unknown threats
Does not need to rely on predefined attack signature files to identify attacks
Can help to identify attack patterns that can be turned into attack signatures for misuse detectors
The limitations:
Requires more experienced security administrators, because the detector can only point out abnormalities, which might or might not be attacks
Produces more false alarms than misuse detectors, because not all irregularities are actual attacks
Requires more administrative involvement than misuse detectors
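Profile-based detection in code, added here as an example (not Misoft or IBM ISS code). The profile is each host's mean and standard deviation of new connections per minute over a training window; detection flags any minute that deviates by more than K standard deviations. All hosts, counts and thresholds are constructed: "srv-db" shows a scan-like burst, and "srv-backup" shows a legitimate nightly job that the detector flags just the same, which is the false-positive limitation the slide lists. A host absent from training is reported as well, since the detector can only say "this is not what I learned".

```python
"""Profile-based anomaly detection on per-host connection rates.

Added example (not Misoft or IBM ISS code). Data and thresholds are constructed.
"""
from statistics import mean, pstdev

K = 3.0          # alert threshold, in standard deviations from the profile mean
MIN_STDEV = 1.0  # floor so a nearly flat baseline does not make every change anomalous

# Constructed training data: new connections per minute over ten quiet minutes.
TRAINING = {
    "srv-web":    [40, 42, 38, 45, 41, 39, 44, 40, 43, 41],
    "srv-db":     [5, 6, 4, 5, 7, 5, 6, 5, 4, 6],
    "srv-backup": [2, 3, 2, 2, 3, 2, 3, 2, 2, 3],
}

# Constructed observations: (minute, connections in that minute).
OBSERVED = {
    "srv-web":    [("10:00", 44), ("10:01", 46)],   # within normal variation
    "srv-db":     [("10:00", 5), ("10:01", 120)],   # sudden burst of new connections
    "srv-backup": [("02:00", 60)],                  # nightly backup fan-out, benign
    "srv-new":    [("10:00", 3)],                   # host never seen during training
}


def build_profiles(training):
    """{host: [counts]} -> {host: (mean, stdev)} with the stdev floored at MIN_STDEV."""
    return {host: (mean(counts), max(pstdev(counts), MIN_STDEV))
            for host, counts in training.items()}


def detect(profiles, observed, k=K):
    """Return (host, minute, reason) for every observation outside its host's profile."""
    alerts = []
    for host, minutes in observed.items():
        if host not in profiles:
            alerts.append((host, None, "no profile: host not present in training window"))
            continue
        mu, sigma = profiles[host]
        for minute, count in minutes:
            z = (count - mu) / sigma
            if abs(z) > k:
                alerts.append((host, minute, f"{count} conn/min vs baseline {mu:.1f}, z={z:.1f}"))
    return alerts


def run():
    """Build profiles from TRAINING and score OBSERVED against them."""
    return detect(build_profiles(TRAINING), OBSERVED)


if __name__ == "__main__":
    for host, minute, reason in run():
        print(host, minute, reason)
```

The backup host is the point of the exercise: the deviation is real, but only an administrator who knows the 02:00 job can say it is not an attack, which is why the slide says anomaly detection needs more experienced operators and produces more false alarms than signature matching.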
Common Detection Methodologies
Stateful Protocol Analysis (“deep packet inspection”):
Compares predetermined profiles of generally accepted definitions of benign protocol activity for each protocol state against observed events to identify deviations
Based on Internet Engineering Task Force (IETF) Requests for Comments (RFCs)
The limitations:
Very resource-intensive because of the complexity of the analysis and the overhead involved in performing state tracking for many simultaneous sessions
Cannot detect attacks that do not violate the characteristics of generally acceptable protocol behavior, such as performing many benign actions in a short period of time to cause a denial of service
Might conflict with the way the protocol is implemented in particular versions of specific applications and operating systems
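A minimal stateful protocol analyzer for a client's SMTP command sequence, added here as an example (not Misoft or IBM ISS code). The benign-behaviour profile is a state machine taken from the command ordering in RFC 5321 (greet before MAIL, MAIL before RCPT, RCPT before DATA) plus the 512-octet command-line limit; anything outside those transitions is reported. The sessions are constructed. The last one shows the limitation on the slide: a flood of individually valid RCPT commands violates no protocol state and is not flagged, so a rate-based check would be needed on top.

```python
"""Stateful protocol analysis of a client's SMTP command sequence.

Added example (not Misoft or IBM ISS code). The state machine is a simplified
reading of RFC 5321 command ordering; sessions are constructed.
"""

# state -> {command verb: next state}. Verbs absent from a state are violations.
TRANSITIONS = {
    "INIT":    {"HELO": "GREETED", "EHLO": "GREETED", "NOOP": "INIT", "QUIT": "CLOSED"},
    "GREETED": {"HELO": "GREETED", "EHLO": "GREETED", "MAIL": "MAIL", "RSET": "GREETED",
                "NOOP": "GREETED", "QUIT": "CLOSED"},
    "MAIL":    {"RCPT": "RCPT", "RSET": "GREETED", "NOOP": "MAIL", "QUIT": "CLOSED"},
    "RCPT":    {"RCPT": "RCPT", "DATA": "DATA", "RSET": "GREETED", "NOOP": "RCPT", "QUIT": "CLOSED"},
}
MAX_COMMAND_LINE = 512   # octets including the trailing CRLF (RFC 5321, 4.5.3.1.4)


def analyze_session(lines):
    """Walk the client's lines (without CRLF) and return (line_no, finding) pairs."""
    state, findings = "INIT", []
    for n, line in enumerate(lines, 1):
        if state == "DATA":
            # Message body, not commands: only the lone "." ends the body.
            if line == ".":
                state = "GREETED"
            continue
        if len(line.encode("utf-8")) + 2 > MAX_COMMAND_LINE:
            findings.append((n, f"command line longer than {MAX_COMMAND_LINE} octets"))
        verb = line.split(None, 1)[0].upper() if line.strip() else "<empty>"
        nxt = TRANSITIONS[state].get(verb)
        if nxt is None:
            # A conforming server answers 503/500 and keeps its state; so does the analyzer.
            findings.append((n, f"{verb} not permitted in state {state}"))
            continue
        state = nxt
        if state == "CLOSED":
            break
    return findings


# Constructed sessions (client side only).
GOOD = ["EHLO client.example.test", "MAIL FROM:<a@example.test>",
        "RCPT TO:<b@example.test>", "DATA", "Subject: hi", "", "hello", ".", "QUIT"]
OUT_OF_ORDER = ["EHLO client.example.test", "DATA", "RCPT TO:<b@example.test>",
                "MAIL FROM:<a@example.test>", "RCPT TO:<b@example.test>", "DATA", ".", "QUIT"]
OVERSIZED = ["EHLO client.example.test", "MAIL FROM:<" + "a" * 600 + "@example.test>", "QUIT"]
RCPT_FLOOD = (["EHLO client.example.test", "MAIL FROM:<a@example.test>"]
              + ["RCPT TO:<u%d@example.test>" % i for i in range(1000)] + ["QUIT"])

if __name__ == "__main__":
    for name, session in [("good", GOOD), ("out-of-order", OUT_OF_ORDER),
                          ("oversized", OVERSIZED), ("rcpt-flood", RCPT_FLOOD)]:
        print(name, analyze_session(session))
```

The state table is also where the third limitation shows up: a mail server that tolerates RCPT before MAIL, or a client that pipelines commands, would produce findings here that are not attacks, so the profile has to be tuned to the implementations actually deployed.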
Types of IDPS Technologies
Network-Based:
Monitors network traffic for particular network segments or devices
Analyzes the network and application protocol activity to identify suspicious activity
Deployed at a boundary between networks: border firewalls or routers, virtual private network (VPN) servers, remote access servers, and wireless networks
Host-Based:
Monitors the characteristics of a single host and the events occurring within that host for suspicious activity: network traffic (only for that host), system logs, running processes, application activity, file access and modification, system and application configuration changes
Deployed on critical hosts: servers, desktops, laptops, ...
Components and Architecture
Sensor or Agent: monitors and analyzes activity
Management Server: centralized device that receives information from the sensors/agents and manages them
Database Server: repository for event information recorded by sensors, agents, and/or management servers
Console: program that provides an interface for the IDPS’s users and administrators. Console software is typically installed onto standard desktop or laptop computers. Used for configuring sensors/agents, applying software updates, monitoring and analysis
Network-Based IDPS Deployment
Diagram: Passive Network-Based IDPS Sensor Architecture
Diagram: Inline Network-Based IDPS Sensor Architecture
Security capabilities
Information Gathering Capabilities: collecting information on hosts or networks from observed activity
Logging Capabilities:
Minimum: timestamp, the event type, event source, the sensor/agent that detected the event
Stored both locally and centrally
Provides a mechanism that allows users to associate each log entry with corresponding external references, including Common Vulnerabilities and Exposures (CVE) numbers, which provide universal identifiers for vulnerabilities, and possibly other references such as vendor security advisories
Security capabilities
Detection Capabilities:
Which types of activities it analyzes fully and which only partially, now and in planned releases
Types of incidents it can identify: DoS attacks, backdoors, policy violations, port scans, malware (worms, Trojan horses, rootkits, malicious mobile code), and unauthorized application/protocol use
How many worms and how many types of DoS attacks it can identify
How effective its default, out-of-the-box configuration is
How effective it is at detecting known malicious events: attacks, scans, malware
How well it detects previously unknown malicious events: new attacks or variants of existing attacks, without reconfiguring or updating the IDPS
How well it detects known and unknown malicious events that have been concealed through evasion techniques
How accurately it can determine the success or failure of attacks
What response mechanisms it offers, excluding prevention responses
Customization of detection capabilities: modifying signatures, policies, and other settings
How effectively the product can use data from other sources
Security capabilities
Prevention Capabilities:
Enabling or disabling prevention only for particular alerts
Allowing administrators to specify which prevention method should be used
Performing prevention actions only if a certain system is being attacked
Network-Based IPS Prevention Capabilities:
Ending the current TCP session
Performing inline firewalling
Throttling bandwidth usage
Altering malicious content
Host-Based IPS Prevention Capabilities:
Code Analysis: prevents code from being executed
Network Traffic Analysis
Network Traffic Filtering: stops unauthorized access and acceptable use policy violations
Filesystem Monitoring: prevents files from being accessed, modified, replaced, or deleted, which could stop malware installation
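The detection half of the host-based "Filesystem Monitoring" capability, added here as an example (not Misoft or IBM ISS code): a baseline of hashes, sizes and permission bits for every regular file under a directory, and a comparison that reports added, removed and modified files. Blocking the change itself needs a kernel-level hook that a script cannot provide, so this is the integrity check an agent would run or the audit you would use to verify one. run_demo() builds a constructed directory tree in a temporary location, takes a baseline, applies three changes and returns the report; the file names and contents are constructed.

```python
"""Filesystem monitoring: baseline and change detection.

Added example (not Misoft or IBM ISS code). The directory tree, file names and
contents in run_demo() are constructed for the example.
"""
import hashlib
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> (sha256, size, permission bits) for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue   # symlinks and special files are out of scope here
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (file_digest(full), st.st_size, st.st_mode & 0o7777)
    return baseline


def compare(old, new):
    """Report what changed between two snapshots."""
    return {
        "added":    sorted(set(new) - set(old)),
        "removed":  sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def run_demo():
    """Constructed scenario: baseline, then one same-size edit, one new file, one deletion."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/login", b"#!/bin/sh\nexec /real/login\n")
        _write(root, "etc/passwd.txt", b"root:x:0:0\n")
        _write(root, "etc/motd", b"welcome\n")
        before = snapshot(root)

        _write(root, "etc/passwd.txt", b"root:x:0:1\n")   # same size; only the hash reveals it
        _write(root, "lib/unexpected.so", b"\x7fELF constructed placeholder")
        os.remove(os.path.join(root, "etc/motd"))
        after = snapshot(root)
        return compare(before, after)


if __name__ == "__main__":
    print(run_demo())
```

The same-size edit is why the snapshot keeps a content hash rather than only size and timestamp: a tampered file that keeps its length would slip past a metadata-only check. In a real deployment the baseline would be stored off-host and the walk would skip paths that legitimately churn (spools, caches) to keep the report actionable.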
Performance
Throughput: throughput, speed, ... is the theoretical rate of the IPS operating in an ideal environment; headroom must be reserved depending on the nature of the network zone to be protected
The packet processing rate is shared across all interfaces of the IPS
The packet processing rate of an IPS drops very quickly with small packets and many connections
Concurrent sessions
Connections per second
Latency
High Availability: Active-Active, Active-Passive
Fail-closed/Fail-open
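A sizing helper for the throughput points above, added here as an example (not Misoft or IBM ISS code). It converts a datasheet throughput, which is normally measured with large frames, into the packet-per-second budget the inspection engine actually has, then back into the throughput that budget yields at the average frame size of the traffic to protect, divided over the segments that share the engine and reduced by a planning headroom. The constant per-packet inspection cost and the 20-byte Ethernet preamble/inter-frame-gap overhead are modelling assumptions; the 1 Gbit/s, 1518-byte and 64-byte figures in the usage are constructed.

```python
"""Throughput versus packet rate when sizing an inline IPS.

Added example (not Misoft or IBM ISS code). Assumes a packet-bound engine
(constant cost per inspected packet) and standard Ethernet framing overhead.
"""

WIRE_OVERHEAD = 20   # preamble + SFD (8 B) + inter-frame gap (12 B), not part of the frame size


def packets_per_second(throughput_bps, frame_bytes):
    """Packets per second on the wire at a given throughput and frame size."""
    return throughput_bps / ((frame_bytes + WIRE_OVERHEAD) * 8)


def throughput_at(pps_budget, frame_bytes):
    """Bits per second a packet-bound device can pass at a given frame size."""
    return pps_budget * (frame_bytes + WIRE_OVERHEAD) * 8


def size_ips(rated_bps, rated_frame_bytes, expected_frame_bytes, segments=1, headroom=0.5):
    """Estimate the load an inline IPS can really take.

    rated_bps:            datasheet throughput, measured at rated_frame_bytes
    expected_frame_bytes: average frame size of the traffic to protect
    segments:             monitored segments sharing the one inspection engine
    headroom:             fraction of capacity left unused for bursts and growth
    """
    pps_budget = packets_per_second(rated_bps, rated_frame_bytes)
    effective_bps = throughput_at(pps_budget, expected_frame_bytes)
    per_segment = effective_bps / segments
    return {
        "pps_budget": pps_budget,
        "effective_bps": effective_bps,
        "plan_for_bps_per_segment": per_segment * (1 - headroom),
    }


def mbps(bps):
    return bps / 1e6


if __name__ == "__main__":
    # Constructed case: a device rated 1 Gbit/s at 1518-byte frames protecting two
    # segments whose average frame is 64 bytes (small packets, many connections).
    r = size_ips(1e9, 1518, 64, segments=2)
    print(f"pps budget {r['pps_budget']:.0f}, effective {mbps(r['effective_bps']):.1f} Mbit/s,"
          f" plan for {mbps(r['plan_for_bps_per_segment']):.1f} Mbit/s per segment")
```

For the constructed case the 1 Gbit/s rating collapses to roughly 55 Mbit/s of 64-byte traffic across the whole box, about 14 Mbit/s per segment once headroom is taken, which is the slide's warning in numbers: check the frame-size mix of the zone before trusting the datasheet figure, and ask the vendor for the packets-per-second rating rather than only the throughput.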
Manageability
Centralized management
Distributed management
Graphical interface
Web interface
Command-line interface
Choosing a vendor?
Prefer products from vendors that specialize in security
Good technical support capability
A comprehensive IPS solution: host-based and network-based
…
Technical questions: NIST SP 800-94