Intrusion Prevention Systems (IPS)
Transcript
Intrusion Prevention Systems (IPS) and their integration with Network Access Control (NAC)
Ricardo Rojas (Ric), Certified Information Systems Security Professional (CISSP), Team Lead, Senior Security Engineer, Latin America and Caribbean

Agenda
• Evolution of attacks
• Limitations of firewalls and IDSs
• Intrusion prevention (IPS)
• Proactive defense
• TippingPoint IPS technology

Evolution of Attacks
Code Red II (July 2001)
• Estimated losses: $2.6 billion
• Infection speed: 2,000 hosts/min
Sapphire/Slammer (January 2003)
• Doubling time of the infected population: 8.5 seconds
• Within 10 minutes the infection had reached 90% worldwide

Top Network Security Concerns – 2006 (CSI/FBI Computer Crime and Security Survey 2006)
Types of attacks / misuse detected in 2006 (by percent of respondents):
• Virus (worm, virus, Trojan): 60%
• Insider abuse of net access: 42%
• Unauthorized access to information: 32%
• Denial of service: 25%
• System penetration: 15%
• Theft of proprietary information: 9%
The top four categories of attack / misuse account for 74% of financial losses (average loss per incident):
• Unauthorized access to information: $86K
• Virus (worm, virus, Trojan): $69K
• Laptop theft: $30K
• DoS: $21K
Most critical issues for the next two years (falling within the top 10 of all categories reported): viruses / worms, spyware, insider threat, policy / regulatory compliance, data protection, identity theft / data leakage.

Limitations of the Firewall
Packet layout on the slide: Layer 2 (destination MAC, source MAC, …), Layer 3 (source IP, destination IP), Layer 4 (source port, destination port), Layers 5–7 (data, which is where the worm travels).
• Firewalls enforce policy at layers 3 and 4
• Firewalls are generally deployed at the network edge
– But the perimeter is dissolving: wireless devices, VPNs, notebooks
– Attacks that originate internally bypass the firewall

Limitations of IDSs
• They do not stop attacks
• False positives
• They generate an excessive number of alarms
• They take a lot of resources and time to administer
• A security expert is required to interpret the alarms generated
• Architecture based on a general-purpose processor and PCI bus

Traditional Defenses: Firewalls and Intrusion Detection Systems
Diagram: external attacks penetrate the firewall and the IDS. The firewall passes DNS, SMTP/POP, port 80, FTP, RPC and Telnet from the Internet into the DMZ (DNS, e-mail, web server), the application tier and the backend database (Apache, IIS, Netscape, PHP, SQL, C++, Perl, Oracle); the IDS only raises an ALERT. Traditional FW and IDS defenses let attacks through.

TippingPoint – A Division of 3Com
Intrusion Prevention System Evolution / TippingPoint History, 2002–2005
• TippingPoint announces its IPS
• Netscreen and McAfee acquire IDS companies for up to $100 million
• Other vendors launch CPU/bus-based IPSs
• TippingPoint becomes the spearhead of 3Com's security activities
• Other vendors announce IDSs
• Gartner's proclamation, June 2003: "IDS is dead"
• NSS Group test results

The Growing Security Gap
Increasing…
– New vulnerabilities
– Attacks and attackers
– Type, variety and sophistication of attacks
• Worms, viruses, attacks on web servers, DDoS, spyware, phishing, bots, blended attacks
– Number of users
– Emerging applications
• VoIP, video, IM, etc.
Decreasing…
– Time to deploy patches
– IT resources

IPS Proactive Defense – Intelligent and Powerful
Attacks are detected and blocked without impacting the performance of your network. The TippingPoint IPS acts as a "virtual patch" for the network and its applications. The IPS stops attacks before they enter your networks and damage your infrastructure and applications.

Automated Protection – The Full Spectrum
Diagram: attack entry points at the WAN perimeter, the interior network, the data center and the web infrastructure.
• Non-targeted attacks: worms, Trojans, DDoS, viruses, spyware
• Targeted infrastructure attacks
• Targeted application attacks
• Spear phishing
Modern blended / targeted attack scenario: the attacker sends an e-mail announcing a Microsoft patch; the user clicks the link, which takes them to a website controlled by the attacker; when the user enters the site, the attacker attempts to exploit known and "zero-day" vulnerabilities and installs spyware or a keylogger.

Elements and Characteristics of an IPS System
• It must not impact network performance when installed
• It must have high-availability features
• Its use must be transparent to the applications and network components already in the environment
• It must have diagnostic tools that support the IPS's performance
• It must be recognized and tested by independent entities and laboratories
• Its architecture and design must be IPS from the start, not based on an IDS architecture

Elements and Characteristics of an IPS System (continued)
• It must have several detection techniques and technologies
– Vulnerability filters (not only SNORT signatures)
– Able to detect and stop DoS and DDoS
– Performance must not drop as threats increase
• The IPS must not degrade under load and attack
• A friendly and powerful management system
– No "single point of failure"
– Automatic download of digital vaccines
– Ability to manage several IPSs
• The digital vaccine department must be recognized worldwide and effective, ensuring complete protection against the latest attacks and "exploits"

IPS Deployment
Link speeds on the slide range from 1.5 Mbps – 100 Mbps at the WAN perimeter through 10 Mbps – 1 Gbps, 1 Gbps – 10 Gbps and n×1 Gbps – n×10 Gbps across the access, aggregation, core and data-center tiers.
• Protect the WAN perimeter (Internet)
• Protect e-commerce (Internet DMZ)
• Protect remote offices (VPN)
• Protect major zones
• Protect the core network
• Protect business applications and data (data center: Windows and Linux blades, shared tape, shared storage)

What Does TippingPoint Do? Cutting-Edge IPS Technology
Network-Based Security
– Every form of user, device and traffic security possible should be provided from within the network
– A bump-in-the-wire device that classifies and enforces policy-based action: dirty traffic (worms, Trojans, viruses, spyware, DoS) in, clean traffic out
• Purpose-built custom hardware
• High availability
• Multi-gigabit throughput
• Switch-like latency
• Millions of sessions
• Thousands of filters: signatures, protocol anomalies, vulnerability, traffic anomaly
Intelligence updates: Digital Vaccine® automatic protection for applications, operating systems, clients and servers, network performance, VoIP infrastructure, routers and switches.

Validated and Proven Expertise
ICSA Labs Certification
• Certified at faster throughput (3 Gbps) and lower latency (84 µsec) than any other IPS in the world
Best Security Solution 2005
• TippingPoint IPS overall winner in the SC Global Awards
• Over 1,000 products nominated
NSS Gold Award
• TippingPoint's Intrusion Prevention System is the FIRST and ONLY product to win the coveted NSS Gold Award in the IPS space.
TippingPoint Security Intelligence
Network Traffic and Application Visibility
• Automated capture of network traffic
• Source / destination IP data correlated with protocols and applications
• Application and device fingerprinting
External Research
• Vulnerability incentive program
• 500+ registered researchers
• Best zero-day protection
• Responsible disclosure
• Advance notice to other security vendors
• Security community recognition without negative repercussions
Internal Research
• Vulnerability tracking & research
• Vaccine development
• Vaccine testing guards against false positives
• Rapid, automated global delivery
• 30+ world-class security researchers
• Unparalleled security & networking expertise
Global Threat Activity
• Automated collection & processing of global threat activity
• Logs & filter settings from production IPSs in customer networks
• Experimental logs from global lighthouse IPSs
• Blogs, reports and web page communication to customers
• Direct customer guidance on DV (Digital Vaccine) settings

TippingPoint's Customer Base
Automotive, Education, Financial, Government, Media, Healthcare, Retail, Technology, Food & Beverage / Leisure, Transportation, Energy, Service Provider, Biotech/Chemical

IPS vs. IDS: Similar on the Surface, Polar Opposites Underneath
Objective
• IPS: in-line, automatic block
• IDS: out-of-band, human alert
Stability
• IPS priority #1: a crash is catastrophic, the network goes down
• IDS priority #4: a crash is annoying to security analysts, who lose visibility, but has no impact on the network or applications
Performance
• IPS priority #2: processing designed for peak network load (Gbps); small memory buffers (µsecs of latency); both required for interior network deployment and application transparency
• IDS priority #3: processing designed for average network loads; large memory buffers absorb traffic bursts, creating seconds to minutes of latency; acceptable since out-of-band and well within human response time
Accuracy – false positives
• IPS priority #3: false blocks at Gbps rates across thousands of filters kill applications
• IDS priority #2: burdens security analysts with chasing false alarms
Accuracy – false negatives
• IPS priority #4: preventing automatic blocking of good traffic trumps failure to detect anomalies
• IDS priority #1: missed anomalies may be missed attacks (information is power)
The fundamental design of an IDS prevents it from ever being an effective in-line, automatic blocking device at Gbps rates.

IPS Priority #1 – Network Up-Time
Intrinsic High Availability
• Dual hot-swappable power supplies
• Self-monitoring watchdog timers
– Security and management engines
– L2 switch fallback
• 99.999% network reliability
Stateful Network Redundancy
• Stateful redundancy
– Active-Active
– Active-Passive
• No IP address or MAC address
• Transparent to router protocols
– HSRP, VRRP, OSPF
• No loss of segments or ports in this scenario

IPS Priority #2 – Performance
ICSA Labs throughput vs. latency chart: TippingPoint at (3 Gbps, 81 µsecs); ICSA Network IPS Development (NIPD) Consortium vendors at (100 Mbps, 441 µsecs) and (350 Mbps, 398 µsecs).
ICSA Labs test results
– Highest throughput
– Lowest latency
– 100% filter accuracy
– Depth and breadth of coverage

IPS Priority #3 – Security Accuracy
Diagram: the vulnerability "fingerprint" covers both the Exploit A "fingerprint" and the Exploit B "fingerprint" (Exploit B is missed by a coarse Exploit A signature); the vulnerability filter is the "virtual software patch". A simple Exploit A filter written as a coarse signature also produces false positives.

Term definitions
Vulnerability
• A security defect in a software program
Exploit (attack)
• A program that takes advantage of a security vulnerability to gain access to a system, computer, operating system or application
Exploit filter
• Written only for a specific attack
• Filter developers are forced to make basic implementations because of the performance limitations of the IDS/IPS
• Impact: undetected attacks, false positives and a continuing risk from the vulnerability
A TippingPoint vulnerability filter acts as a virtual software patch, accurately covering the entire vulnerability.

Differences Between Vulnerability Filters and Exploit Filters
• In the next several slides, we will use the Microsoft RPC DCOM buffer overflow vulnerability (disclosed in Microsoft Security Bulletin MS03-026, and exploited by the Blaster and Nachi worms) to discuss the pros and cons of the following common filtering approaches
– Vulnerability filters
– Exploit-specific filters
– Policy filters
• Note: The TippingPoint IPS supports several more filter types than just these three.
Microsoft RPC DCOM Overflow Vulnerability (Security Bulletin MS03-026)
Packets from the client to the server (server port 135/tcp):
Pkt 1 – BIND. Interface: ISystemActivator. Interfaces available on the server:
e1af8308-5d1f-11c9-91a4-08002b14a0fa v3.0
0b0a6584-9e0f-11cf-a3cf-00805f68cb1b v1.1
975201b0-59ca-11d0-a8d5-00a0c90d8051 v1.0
e60c73e6-88f9-11cf-9af1-0020af6e72f4 v2.0
99fcfec4-5260-101b-bbcb-00aa0021347a v0.0
b9e79e60-3d52-11ce-aaa1-00006901293f v0.2
412f241e-c12a-11ce-abff-0020af6e7a17 v0.2
00000136-0000-0000-c000-000000000046 v0.0
c6f3ee72-ce7e-11d1-b71e-00c04fc3111a v1.0
4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 v0.0
000001a0-0000-0000-c000-000000000046 v0.0 (ISystemActivator, the interface bound in Pkt 1)
Pkt 2 – REQUEST. Function call: opnum 4
Pkt 3 – Function arguments: \\server\file
• Server: the RPC service listens on port 135/tcp
• Pkt 1: the client connects to the RPC listener and sends a request to bind a particular interface
• Once "bound" to an interface, the client program will issue function calls
• Pkt 2: function call #4 contains a heap-based buffer overflow
• The overflow can be triggered by sending an excessively long parameter
• Pkt 3: a specially crafted sequence of byte codes can follow the long parameter and give the attacker access to the victim machine with SYSTEM-level privileges

Filtering Approach A: Vulnerability Filters
In EVERY attack, the following must be true to exploit the buffer overflow: \\server\filename becomes \\...44+ character buffer...\filename
A vulnerability filter detects that the exploitation conditions are satisfied:
• TCP session established to the appropriate port (135)
• BIND to the appropriate RPC interface
• REQUEST the appropriate function call (opnum=4)
• Navigate to the vulnerable parameter
• Notice that an overlong servername has been supplied
Most of the work is done to gain enough contextual awareness to apply the final test effectively. Guarantees no false negatives and no false positives.

Filtering Approach B: Exploit-Specific Filters
In the posted exploits, \\server\filename becomes \\...long buffer with shellcode...\filename
An exploit-specific filter detects the shellcode used in a particular exploit. High false negatives.
Example: the following hex string can be used to detect HD Moore's exploit and the MS Blaster worm. These are machine instructions that are passed directly to the victim processor once the buffer overflow is successful.
EB 19 5E 31 C9 81 E9 89 FF FF FF 81 36 80 BF 32 94 81 EE FC FF FF FF E2 F2 EB 05 E8 E2 FF FF FF 03 53 06 1F 74 57 75 95 80 BF BB 92 7F 89 5A 1A CE B1 DE 7C E1 BE 32

Filtering Approach C: Policy Filters
Example: Snort's signature for the RPC DCOM overflow, http://www.snort.org/snort-db/sid.html?sid=2192
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; distance:29; within:16; reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2192; rev:1;)
• The signature detects all BINDs to the vulnerable interface
• BINDs happen in normal transactions as well as in attack traffic
• Blocking on this filter cuts off all communication to the interface, disabling normal DCOM communications
• The administrator must make a policy decision: shutting down the interface entirely is a broader action than precisely blocking exploitation of the flaw
• Policy filters yield high false positives when used to detect attacks
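The three approaches can be compared directly by running them over the same RPC sessions. The Python model below is an added example, not TippingPoint code or the Snort engine: each packet is a plain record carrying the fields the slides name (destination port, BIND interface UUID, REQUEST opnum, the \\server argument and the bytes that follow it) rather than a real DCE/RPC encoding, the sample sessions are constructed, and the byte pattern the exploit-specific filter matches on is a constructed stand-in, not shellcode. The vulnerability filter applies the five conditions of Approach A in order, the exploit-specific filter is a plain substring match, and the policy filter fires on any BIND to the ISystemActivator UUID, as Snort sid 2192 does.

```python
from dataclasses import dataclass
from typing import Optional

# Values taken from the slides: the DCOM listener port, the ISystemActivator
# interface UUID, the vulnerable function number and the 44+ byte threshold.
RPC_PORT = 135
ISYSTEMACTIVATOR = "000001a0-0000-0000-c000-000000000046"
VULNERABLE_OPNUM = 4
MAX_SAFE_SERVERNAME = 43          # 44 or more characters overflow the buffer

# Constructed stand-in for the byte sequence a signature-based filter would
# look for in one posted exploit. It is a label for this example, not code.
POSTED_EXPLOIT_PATTERN = b"SIG-EXPLOIT-A"


@dataclass
class RpcPacket:
    """Simplified, already-decoded view of one client-to-server packet (constructed model)."""
    dst_port: int
    pdu: str                      # "BIND" or "REQUEST"
    interface: str = ""           # UUID requested by a BIND
    opnum: Optional[int] = None   # function number carried by a REQUEST
    servername: str = ""          # the \\server part of the \\server\file argument
    payload: bytes = b""          # bytes that follow the argument


def vulnerability_filter(session):
    """Approach A: fire only when every exploitation precondition is met.

    The session (one TCP connection) is walked in order so the REQUEST is
    judged in the context of the interface the client actually bound to.
    """
    bound_to_target = False
    for pkt in session:
        if pkt.dst_port != RPC_PORT:                          # condition 1: RPC port
            continue
        if pkt.pdu == "BIND":                                 # condition 2: the interface
            bound_to_target = pkt.interface == ISYSTEMACTIVATOR
        elif (pkt.pdu == "REQUEST"
              and bound_to_target
              and pkt.opnum == VULNERABLE_OPNUM               # condition 3: opnum 4
              and len(pkt.servername) > MAX_SAFE_SERVERNAME): # conditions 4-5: overlong name
            return True
    return False


def exploit_filter(session):
    """Approach B: match the bytes of one known exploit, with no protocol context."""
    return any(POSTED_EXPLOIT_PATTERN in pkt.payload for pkt in session)


def policy_filter(session):
    """Approach C: flag every BIND to the vulnerable interface (what sid 2192 does)."""
    return any(pkt.pdu == "BIND" and pkt.interface == ISYSTEMACTIVATOR
               for pkt in session)


FILTERS = {
    "vulnerability": vulnerability_filter,
    "exploit_specific": exploit_filter,
    "policy": policy_filter,
}


def bind(interface=ISYSTEMACTIVATOR):
    return RpcPacket(RPC_PORT, "BIND", interface=interface)


def request(opnum, servername, payload=b""):
    return RpcPacket(RPC_PORT, "REQUEST", opnum=opnum,
                     servername=servername, payload=payload)


# Constructed sessions, each paired with the ground truth "is this an attack?".
SAMPLE_SESSIONS = {
    # Ordinary DCOM activation: binds the interface, short server name.
    "benign_dcom": ([bind(), request(4, "fileserver")], False),
    # The posted exploit: overlong name followed by the known byte pattern.
    "posted_exploit": ([bind(), request(4, "A" * 60, POSTED_EXPLOIT_PATTERN)], True),
    # Same overflow, different trailing bytes: what a modified exploit looks like.
    "modified_exploit": ([bind(), request(4, "B" * 80, b"other-bytes")], True),
    # Overlong name sent to a different function: the overflow is in opnum 4 only.
    "long_name_other_call": ([bind(), request(7, "C" * 60)], False),
}


def evaluate(sessions=SAMPLE_SESSIONS):
    """Count false positives and false negatives per filter over the sessions."""
    report = {}
    for name, check in FILTERS.items():
        fp = fn = 0
        for session, is_attack in sessions.values():
            fired = check(session)
            fp += int(fired and not is_attack)
            fn += int(is_attack and not fired)
        report[name] = {"false_positives": fp, "false_negatives": fn}
    return report


if __name__ == "__main__":
    for name, counts in evaluate().items():
        print(f"{name:17s} {counts}")
```

Running the block prints the per-filter false-positive and false-negative counts: the benign session and the long name sent to another function both trip the policy filter, only the byte-for-byte posted exploit trips the exploit-specific filter, and the vulnerability filter gets all four right, which is the trade-off the slides summarize. The cost sits in the state the vulnerability filter has to keep per connection (which interface is bound) before it can apply the final length test.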
Filtering Microsoft's RPC DCOM Overflow: The Bottom Line
• Vulnerability filters
– Pros: high-precision filters, no misses or false matches, hard to evade
– Cons: requires a powerful filtering engine to apply complex test criteria at high speeds
• Exploit-specific filters
– Pros: simple string match, easy to design and implement, suitable for weak engines
– Cons: high false negatives; the filter is blind if the exploit is modified
• Policy filters
– Pros: simple string match, easy to design and implement, suitable for weak engines
– Cons: high false positives when used to detect exploitation of a vulnerability

Network Access Control (NAC)
New Problems and Challenges Facing Enterprises
Access challenges
• Mobile workforce
• Wired & wireless
• Laptops blur the perimeter
• Device proliferation
Need: pervasive, uniform access control & auditing
Attack challenges
• Networks under constant attack
• Directed and non-directed attacks
• Continuously evolving
Need: proactive, evergreen protection
Application challenges
• Consolidation onto one IP infrastructure
• Mission-critical data apps & non-critical apps compete
• VoIP, video, IM exacerbate the problem
Need: application-level performance & visibility
Management problems
• CIO – can't address these needs
• CFO – can't afford a forklift upgrade
• CEO – can't afford business risk
• When the network stops, the business stops

Traditional Security
Security challenges
• Don't know who / what is on the network
• Don't know the health / compliance of devices
• Can't restrict device or user access based on combined device, user, location, time and flow conditions
Security problems
• Mobile device pandemic attacks
• Critical asset vulnerability / breach
• Theft, corruption, misuse of servers, applications, files, databases
• Intellectual property, financial/patient records
• Lack of internal / external compliance
Diagram: the Internet is separated from the trusted domain by an un-trusted boundary with a traffic check only (firewall, IPS); trusted vendors, executives, unknown guests, admins and IT all sit inside the trusted domain under limited user policies.
Inside the trusted domain sit the infrastructure, application and information assets; teleworkers and mobile employees enter over VPN across an un-trusted boundary with a credential check only.
• Penalties, fines, jail
• Mobile devices unprotected in the wild

IT Value Proposition – Secure Ecosystem
Security challenges
• Don't know who / what is on the network
• Don't know the health / compliance of devices
• Can't restrict device or user access based on combined device, user, location, time and flow conditions
Security problems
• Mobile device pandemic attacks
• Critical asset vulnerability / breach
• Theft, corruption, misuse of servers, applications, files, databases
• Intellectual property, financial/patient records
• Lack of internal / external compliance
• Penalties, fines, jail
• Mobile devices unprotected in the wild
Need: policy-based control of all users, devices and traffic, with 360° attack protection
Diagram: a new un-trusted boundary (firewall, IPS) now stands between the Internet, the trusted vendors, executives, unknown guests, teleworkers and mobile employees on one side and the infrastructure, application and information assets, admins and IT on the other.

A Non-Invasive Strategy for Securing and Controlling Networks
Bi-planar network: a control plane above the connectivity plane, serving the applications (voice, video, CRM, web, clients, e-mail, servers).
• No change to applications
• No change to the connectivity plane
• Investment protection of infrastructure and equipment

A Network Protected and Controlled by IPSs
Access control, application control and attack control are implemented in the control plane by an IPS with a Network Control Point; the connectivity plane consists of L2 access switches, L3 distribution switches and L3 core switches: a secure, converged bi-planar network.

How does an intrusion prevention security system help solve these problems?
Central Policy Manager
Classification of devices, users and traffic (data, voice, video, music, games, fax, attacks, other) into three policy types:
• Access policies: admit, deny, quarantine
• Attack policies: allow, block, alert
• Application policies: throttle, prioritize, compress

The IPS Becomes a Control Point in the Network
Unknown, unauthorized, dirty, un-prioritized traffic enters the IPS Network Control Point, which classifies it and enforces policy (via the INC API), delivering controlled, clean, prioritized traffic to the enterprise network. Dynamic intelligence updates feed three filter sets:
• Access filters: users, rights, devices, device attributes, SLAs
• Attack filters: worms, Trojans, viruses, DDoS, spyware, phishing, etc.
• Application filters: Oracle, voice, video, e-mail, HTTP, P2P, IM, FTP

Network Access Control to Secure Company Resources
Policy Control Center: access control services / policy server
Users: unknown guests, trusted vendors, employees, IT staff…
Entry points: wired / wireless ports, VPN, WAN perimeter (a 360° perimeter)
The IPS acts as the policy enforcer at the user / device level, alongside 802.1x enforcement and DHCP enforcement, and adds attack protection. Uncontrolled, unclean devices, users and flows come in; fine-grained classification and fine-grained enforcement at the Network Control Point (NCP) deliver controlled, clean devices, users and flows. A simple idea extended: user and device classification / enforcement brought to the NCP solution.

TippingPoint Product Line

Thank you!
www.tippingpoint.com
+1 888 TRUE IPS (+1 888 878 3477)
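The access-policy half of the control point can be sketched as a policy decision point that combines the user, device-health, entry-point and time conditions the slides list into one of the three outcomes admit / deny / quarantine, with an audit record for each decision. This Python rule engine is an added example, not TippingPoint's Central Policy Manager or its INC API; the rule set, the request fields and the audit record format are constructed for illustration.

```python
from dataclasses import dataclass, asdict
from enum import Enum
from typing import Callable, List, Tuple


class Action(Enum):
    ADMIT = "admit"             # full access
    DENY = "deny"               # no access
    QUARANTINE = "quarantine"   # remediation or guest-only zone


@dataclass(frozen=True)
class AccessRequest:
    """What the control point knows about an endpoint asking for access (constructed)."""
    user: str          # "employee", "it_staff", "vendor", "guest" or "unknown"
    device: str        # "managed_laptop", "voip_phone" or "unmanaged"
    compliant: bool    # device health check (patch level, AV) passed
    entry_point: str   # "wired", "wireless" or "vpn"
    hour: int          # local hour, 0-23


Rule = Tuple[str, Callable[[AccessRequest], bool], Action]

# Ordered rule table; the first matching rule decides. Identity and health are
# checked before role so that a non-compliant employee can never reach ADMIT.
RULES: List[Rule] = [
    ("unknown identity", lambda r: r.user == "unknown", Action.DENY),
    ("failed health check", lambda r: not r.compliant, Action.QUARANTINE),
    ("guest to internet-only zone", lambda r: r.user == "guest", Action.QUARANTINE),
    ("vendor outside business hours",
     lambda r: r.user == "vendor" and not 8 <= r.hour < 18, Action.DENY),
    ("vendor in business hours", lambda r: r.user == "vendor", Action.ADMIT),
    ("unmanaged device over VPN",
     lambda r: r.entry_point == "vpn" and r.device == "unmanaged", Action.QUARANTINE),
    ("employee or IT staff", lambda r: r.user in ("employee", "it_staff"), Action.ADMIT),
]


def decide(req: AccessRequest):
    """Return (action, rule_name); anything no rule admits is denied by default."""
    for name, predicate, action in RULES:
        if predicate(req):
            return action, name
    return Action.DENY, "default deny"


def audit_record(req: AccessRequest):
    """Flat record for the audit trail: the request plus the decision and the rule."""
    action, rule = decide(req)
    record = asdict(req)
    record.update(action=action.value, rule=rule)
    return record


# Constructed requests covering each outcome.
SAMPLE_REQUESTS = [
    AccessRequest("employee", "managed_laptop", True, "wired", 10),
    AccessRequest("employee", "managed_laptop", False, "wireless", 10),
    AccessRequest("vendor", "unmanaged", True, "wired", 22),
    AccessRequest("guest", "unmanaged", True, "wireless", 14),
    AccessRequest("unknown", "unmanaged", True, "wired", 14),
    AccessRequest("it_staff", "unmanaged", True, "vpn", 3),
]


if __name__ == "__main__":
    for rec in map(audit_record, SAMPLE_REQUESTS):
        print(rec)
```

Rule order is the security-relevant design choice: a health failure is tested before any role grants access, and the fallthrough is deny, so adding a new user category without a rule cannot silently admit it.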