FIRST LINE OF DEFENSE Intrusion Prevention System Stephen Gates – CISSP [email protected] Hoàng Thế Long – 13320795 Nguyễn Thái Bình - 13320785

Upload: samson-hockin

Post on 14-Dec-2015


FIRST LINE OF DEFENSE

Intrusion Prevention System

Stephen Gates – [email protected]

Hoàng Thế Long – 13320795

Nguyễn Thái Bình – 13320785

SANS Institute Top 10 Cyber Threats for 2013

1. Increasingly sophisticated website attacks that exploit browser vulnerabilities
2. Increasing sophistication and effectiveness in botnets
3. Cyber espionage efforts by well-resourced organizations to extract large amounts of data for economic and political purposes
4. Mobile phone threats, especially against iPhones, Google's Android phones, and voice over IP systems
5. Insider attacks
6. Advanced identity theft from persistent bots
7. Increasingly malicious spyware
8. Web application security exploits
9. Increasingly sophisticated social engineering to provoke insecure behavior
10. Supply chain attacks that infect consumer devices

Source: SANS Institute

FIRST LINE OF DEFENSE

What is an IPS?


Intrusion prevention systems (IPS), also known as intrusion detection and prevention systems (IDPS), are network security appliances that monitor network and/or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about this activity, attempt to block/stop it, and report it.

Source: Principles of Information Security – Michael E. Whitman, Herbert J. Mattord

Why use an IDPS?

1. To prevent problem behaviors by increasing the perceived risk of discovery and punishment for those who would attack or otherwise abuse the system

2. To detect attacks and other security violations that are not prevented by other security measures

3. To detect and deal with the preambles to attacks (commonly experienced as network probes and other “doorknob rattling” activities)

4. To document the existing threat to an organization

5. To act as quality control for security design and administration, especially in large and complex enterprises

6. To provide useful information about intrusions that do take place, allowing improved diagnosis, recovery, and correction of causative factors

Why use an IDPS (cont.)?


Best Reason – One of the best reasons to install an IDPS is that they serve as deterrents by increasing the fear of detection among would-be attackers. If internal and external users know that an organization has an intrusion detection and prevention system, they are less likely to probe or attempt to compromise it, just as criminals are much less likely to break into a house that has an apparent burglar alarm.


Type of IDPS

Network-based IDPS (NIDPS) – monitors the entire network for suspicious traffic by analyzing protocol activity
• Wireless IDPS
• Network Behavior Analysis System (NBA)

Host-based IDPS (HIDPS) – an installed software package which monitors a single host for suspicious activity by analyzing events occurring within that host.

Type of IDS/IPS


IDPS Detection Methods

1. The signature-based approach

2. The statistical-anomaly approach

3. The stateful packet inspection approach
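The three detection approaches side by side, as an added toy example that is not part of the slides: a signature matcher, a statistical-anomaly detector with a constructed baseline, and a stateful check of TCP flow state, all run over a constructed list of packet records (addresses, payloads and baseline counts are made up for the demonstration).

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample packets: (source IP, destination port, TCP flag, payload).
PACKETS = [
    ("10.0.0.5", 80, "S", b""),
    ("10.0.0.5", 80, "A", b"GET /index.html HTTP/1.1"),
    ("10.0.0.9", 80, "A", b"GET /../../etc/passwd HTTP/1.1"),  # known pattern, no prior SYN
    *([("10.0.0.7", 22, "S", b"")] * 40),                        # SYN burst from one host
]

# 1. Signature-based: look for known byte patterns in the payload.
SIGNATURES = {"dir-traversal": b"/../", "etc-passwd": b"/etc/passwd"}

def signature_alerts(packets):
    return sorted({name for _, _, _, payload in packets
                   for name, sig in SIGNATURES.items() if sig in payload})

# 2. Statistical-anomaly: compare per-source packet counts with a baseline of
#    normal counts (constructed) and flag sources above mean + 3 standard deviations.
BASELINE_COUNTS = [1, 2, 2, 3, 1, 2, 2, 1]

def anomaly_alerts(packets, baseline=BASELINE_COUNTS):
    threshold = mean(baseline) + 3 * pstdev(baseline)
    counts = Counter(src for src, _, _, _ in packets)
    return sorted(src for src, n in counts.items() if n > threshold)

# 3. Stateful packet inspection: track each (source, port) flow; data arriving
#    on a flow that never started with a SYN is out of state and gets flagged.
def stateful_alerts(packets):
    state = defaultdict(lambda: "NEW")
    alerts = []
    for src, port, flag, _ in packets:
        flow = (src, port)
        if flag == "S":
            state[flow] = "SYN_SEEN"
        elif state[flow] == "NEW":
            alerts.append(flow)
    return alerts

if __name__ == "__main__":
    print("signature:", signature_alerts(PACKETS))
    print("anomaly:  ", anomaly_alerts(PACKETS))
    print("stateful: ", stateful_alerts(PACKETS))
```

Each approach catches a different record in the sample: the signature matcher sees the traversal payload, the anomaly detector sees the SYN burst, and the stateful check sees the data packet with no handshake.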


IDPS Response Options

Audible/visual alarm

E-mail message

Page or phone message

Log entry

Evidentiary packet dump

Take action against the intruder

Launch program

Reconfigure firewall

Terminate session

Terminate connection


Strengths of IDPS

Monitoring and analysis of system events and user behaviors

Testing the security states of system configurations

Baselining the security state of a system, then tracking any changes to that baseline

Recognizing patterns of system events that correspond to known attacks

Recognizing patterns of activity that statistically vary from normal activity

Managing operating system audit and logging mechanisms and the data they generate

Alerting appropriate staff by appropriate means when attacks are detected

Measuring enforcement of security policies encoded in the analysis engine

Providing default information security policies

Allowing non-security experts to perform important security monitoring functions


Limitations of IDPS

Compensating for weak or missing security mechanisms in the protection infrastructure, such as firewalls, identification and authentication systems, link encryption systems, access control mechanisms, and virus detection and eradication software

Instantaneously detecting, reporting, and responding to an attack when there is a heavy network or processing load

Detecting newly published attacks or variants of existing attacks

Effectively responding to attacks launched by sophisticated attackers

Automatically investigating attacks without human intervention

Resisting all attacks that are intended to defeat or circumvent them

Compensating for problems with the fidelity of information sources

Dealing effectively with switched networks


Others

Reporting and Archiving Capabilities

Failsafe Considerations for IDPS Responses

Selecting IDPS Approaches and Products

Organizational Requirements and Constraints

IDPS Product Features and Quality

FIRST LINE OF DEFENSE

Why does an enterprise need an IPS?

Typical Network Topology

[Diagram: Internet's No-Man's Land → Router → Firewall → SW → IT Infrastructure (Servers and Applications); Customer Traffic from "Good Users" flows through. Assumption: Customer Traffic Flowing Through As Expected]

What are the limitations of a Firewall UTM?

[Diagram: the same topology, now with "Attackers" alongside the "Good Users" in the Internet's No-Man's Land, both sending traffic through the Router and Firewall to the SW and the Servers and Applications]

- Should I restrict access?

- Static access restriction based on source IP is impossible; there are billions of IPs out there.

- At what rate can traffic enter my network?

- Policy-based static rate limiting without analysing the application and the user's behaviour is impossible; it is easy to drop good traffic at the same time.

- A Firewall UTM has insufficient resources to deal with a DDoS attack.
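The rate-limiting point above, as an added simulation that is not from the deck: a static aggregate limit on a constructed traffic window discards good users' requests during a flood, while a per-source limit (the simplest form of the behaviour analysis the slide asks for) only affects the flooding sources. Addresses are from the documentation ranges and the request counts are constructed.

```python
from collections import Counter

# Constructed traffic window: five good users sending one request every 50
# ticks (10 each), three flooding sources sending on every tick (500 each).
GOOD = [f"198.51.100.{i}" for i in range(1, 6)]
BAD = [f"203.0.113.{i}" for i in range(1, 4)]
WINDOW = []
for tick in range(500):
    if tick % 50 == 0:
        WINDOW.extend(GOOD)
    WINDOW.extend(BAD)

def static_rate_limit(window, max_per_window):
    """Static policy: accept the first max_per_window packets and drop the rest,
    with no idea which source sent them. Returns how many good packets were lost."""
    dropped = window[max_per_window:]
    return sum(1 for src in dropped if src in GOOD)

def per_source_limit(window, max_per_source):
    """Behaviour-aware policy: cap each source separately. Returns the number of
    good packets lost and the sorted list of sources that exceeded the cap."""
    seen = Counter()
    lost_good, blocked = 0, set()
    for src in window:
        seen[src] += 1
        if seen[src] > max_per_source:
            blocked.add(src)
            if src in GOOD:
                lost_good += 1
    return lost_good, sorted(blocked)

def compare(window=WINDOW, link_capacity=100, per_source_cap=50):
    """Run both policies over the same window and report what each costs the good users."""
    static_lost = static_rate_limit(window, link_capacity)
    src_lost, blocked = per_source_limit(window, per_source_cap)
    return {"static_good_dropped": static_lost,
            "per_source_good_dropped": src_lost,
            "per_source_blocked": blocked}

if __name__ == "__main__":
    print(compare())
```

A flood spread across very many low-rate sources defeats a plain per-source cap too, which is the slide's point about billions of IPs: the limit has to be driven by application and user behaviour, not by address or aggregate rate alone.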

What else can a Firewall UTM not do?

[Diagram: the same topology, with "Good Users" and "Attackers" in the Internet's No-Man's Land both reaching the SW and the Servers and Applications through the Router and Firewall]

- Bi-directional traffic inspection

- The firewall inspects incoming traffic; what about return traffic from the application servers?

- How many applications/OS/BYOD devices are running in our company? Does the Firewall UTM know about them?

- A Firewall UTM has a limited set of application and OS signatures (no BYOD database); unknown traffic that matches a firewall policy still passes through.


Cyberoam Firewall UTM

Without IPS

[Diagram: Customer Traffic from "Good Users" and Unwanted Traffic from "Attackers" (DDoS Attacks, Protocol Abuse, Undesired Users & Services, Server-Side Exploits) both pass the Router into the Firewall system, which overloads; the unwanted traffic reaches the SW and the IT Infrastructure (Servers and Applications)]

With IPS

[Diagram: an IPDS sits between the Router and the Firewall system; Undesired Users & Services, DDoS Attacks, Protocol Abuse and Server-Side Exploits from "Attackers" are stopped there (Foiled Attackers), while Customer Traffic from "Good Users" continues through the Firewall system and SW to the IT Infrastructure (Servers and Applications) (Satisfied Customers)]


Corero IPDS

IPDS Boongke

Centralized Management & Reporting

Corero Security Operations Center SecureWatch

Excerpts of SecureWatch Reports


FIRST LINE OF DEFENSE

Q & A