14 IDS IPS Firewalls


Transcript of 14 IDS IPS Firewalls

  • 7/23/2019 14 IDS IPS Firewalls

    1/52

    Eng. Hector M Lugo-Cordero, MS

    April 2012

    Intrusion Detection, Firewalls, and Intrusion Prevention

    CIS 4361

  • 2/52

    Most Slides are From

    Computer Security: Principles and Practice
    First Edition
    by William Stallings and Lawrie Brown
    Lecture slides by Lawrie Brown

    Chapter 6: Intrusion Detection

  • 3/52

    Intruders

    - significant issue: hostile/unwanted trespass
      - from benign to serious
    - user trespass
      - unauthorized logon, privilege abuse
    - software trespass
      - virus, worm, or trojan horse
    - classes of intruders
      - masquerader, misfeasor, clandestine user

  • 4/52

    Examples of Intrusion

    - remote root compromise
    - web server defacement
    - guessing / cracking passwords
    - copying / viewing sensitive data / databases
    - running a packet sniffer
    - distributing pirated software
    - using an unsecured modem to access net
    - impersonating a user to reset password
    - using an unattended workstation

  • 5/52

    Security Intrusion & Detection

    Security Intrusion: a security event, or combination of multiple security events,
    that constitutes a security incident in which an intruder gains, or attempts to
    gain, access to a system or system resource without having authorization to do so.

    Intrusion Detection: a security service that monitors and analyzes system events
    for the purpose of finding, and providing real-time or near real-time warning of,
    attempts to access system resources in an unauthorized manner.

  • 6/52

    Intrusion Techniques

    - objective: to gain access or increase privileges
    - initial attacks often exploit system or software vulnerabilities to execute code to get a backdoor
      - e.g. buffer overflow
    - or to gain protected information
      - e.g. password guessing or acquisition

  • 7/52

    Hackers

    - motivated by thrill of access and status
      - hacking community a strong meritocracy
      - status is determined by level of competence
    - benign intruders might be tolerable
      - do consume resources and may slow performance
      - can't know in advance whether benign or malign
    - IDS / IPS / VPNs can help counter
    - awareness led to establishment of CERTs
      - collect / disseminate vulnerability info / responses

  • 8/52

    Hacker Behavior Example

    1. select target using IP lookup tools
    2. map network for accessible services
    3. identify potentially vulnerable services
    4. brute force (guess) passwords
    5. install remote administration tool
    6. wait for admin to log on and capture password
    7. use password to access remainder of network

  • 9/52

    Criminal Enterprise

    - organized groups of hackers now a threat
      - corporation / government / loosely affiliated gangs
      - typically young
      - often Eastern European or Russian hackers
      - common target: credit cards on e-commerce server
    - criminal hackers usually have specific targets
    - once penetrated act quickly and get out
    - IDS / IPS help but less effective
    - sensitive data needs strong protection

  • 10/52

    Criminal Enterprise Behavior

    1. act quickly and precisely to make their activities harder to detect
    2. exploit perimeter via vulnerable ports
    3. use trojan horses (hidden software) to leave back doors for re-entry
    4. use sniffers to capture passwords
    5. do not stick around until noticed
    6. make few or no mistakes.

  • 11/52

    Insider Attacks

    - among most difficult to detect and prevent
    - employees have access & systems knowledge
    - may be motivated by revenge / entitlement
      - when employment terminated
      - taking customer data when move to competitor
    - IDS / IPS may help but also need:
      - least privilege, monitor logs, strong authentication, termination process to block access & mirror data

  • 12/52

    Insider Behavior Example

    1. create network accounts for themselves and their friends
    2. access accounts and applications they wouldn't normally use for their daily jobs
    3. e-mail former and prospective employers
    4. conduct furtive instant-messaging chats
    5. visit web sites that cater to disgruntled employees, such as f'dcompany.com
    6. perform large downloads and file copying
    7. access the network during off hours.

  • 13/52

    Intrusion Detection Systems

    - classify intrusion detection systems (IDSs) as:
      - Host-based IDS: monitor single host activity
      - Network-based IDS: monitor network traffic
    - logical components:
      - sensors - collect data
      - analyzers - determine if intrusion has occurred
      - user interface - manage / direct / view IDS

  • 14/52

    IDS Principles

    - assume intruder behavior differs from legitimate users
      - expect overlap as shown (figure)
    - observe deviations from past history
    - problems of:
      - false positives
      - false negatives
      - must compromise

  • 15/52

    IDS Requirements

    - run continually
    - be fault tolerant
    - resist subversion
    - impose a minimal overhead on system
    - configured according to system security policies
    - adapt to changes in systems and users
    - scale to monitor large numbers of systems
    - provide graceful degradation of service
    - allow dynamic reconfiguration

  • 16/52

    Host-Based IDS

    - specialized software to monitor system activity to detect suspicious behavior
    - primary purpose is to detect intrusions, log suspicious events, and send alerts
    - can detect both external and internal intrusions
    - two approaches, often used in combination:
      - anomaly detection - defines normal/expected behavior
        - threshold detection
        - profile based
      - signature detection - defines proper behavior

  • 17/52

    Audit Records

    - a fundamental tool for intrusion detection
    - two variants:
    - native audit records - provided by O/S
      - always available but may not be optimum
    - detection-specific audit records - IDS specific
      - additional overhead but specific to IDS task
      - often log individual elementary actions
      - e.g. may contain fields for subject, action, object, exception-condition, resource-usage, time-stamp

  • 18/52

    Example of Audit

    Consider: copy.exe game.exe <system>/game.exe

    Several records may be generated for a single command:

    1. Execute copy.exe
    2. Read game.exe
    3. Write <system>/game.exe

  • 19/52

    Anomaly Detection

    - threshold detection
      - checks excessive event occurrences over time
      - alone a crude and ineffective intruder detector
      - must determine both thresholds and time intervals
    - profile based
      - characterize past behavior of users / groups
      - then detect significant deviations
      - based on analysis of audit records
        - gather metrics: counter, gauge, interval timer, resource utilization
        - analyze: mean and standard deviation, multivariate, markov process, time series, operational model
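Worked example for slides 14 and 19, added here (it is not part of the lecture slides or of the Stallings & Brown material): a profile-based detector that builds a mean / standard deviation profile from one audit metric and flags observations more than k standard deviations away, a threshold detector that counts events inside a sliding time interval, and a count of false positives and false negatives at different k to show the compromise slide 14 mentions. The history values, labels and login timestamps are constructed sample data.

```python
"""Anomaly detection over constructed audit metrics: a profile-based detector
(mean and standard deviation) and a threshold detector, as described on slide 19.
Added example, not from the lecture or from Stallings & Brown."""
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed history: files read per session by one user over ten past sessions.
HISTORY = [12, 15, 11, 14, 13, 12, 16, 14, 13, 15]

# Constructed labelled observations: (metric value, is this session an intrusion?)
# used to show the false-positive / false-negative trade-off from slide 14.
LABELLED = [(14, False), (41, True), (13, False), (22, True)]

# Constructed timestamps (seconds) of failed logins for threshold detection.
FAILED_LOGINS = [0, 5, 9, 12, 14, 300, 305]


@dataclass
class Profile:
    """Characterization of past behaviour for one metric (slide 19: profile based)."""
    mean: float
    stddev: float


def build_profile(history):
    """Gather the metric over past audit records and analyze mean and standard deviation."""
    if len(history) < 2:
        raise ValueError("need at least two observations to build a profile")
    return Profile(mean(history), pstdev(history))


def z_score(profile, value):
    """Deviation of a new observation from the profile, in standard deviations."""
    if profile.stddev == 0:
        return 0.0 if value == profile.mean else float("inf")
    return (value - profile.mean) / profile.stddev


def is_anomalous(profile, value, k=3.0):
    """Flag a significant deviation: more than k standard deviations from the mean."""
    return abs(z_score(profile, value)) > k


def confusion(profile, labelled, k):
    """Count false positives and false negatives for sensitivity k.
    Lowering k catches more intrusions but flags more legitimate sessions;
    raising k does the opposite. That is the compromise slide 14 refers to."""
    false_pos = false_neg = 0
    for value, is_intrusion in labelled:
        flagged = is_anomalous(profile, value, k)
        false_pos += flagged and not is_intrusion
        false_neg += is_intrusion and not flagged
    return false_pos, false_neg


def threshold_alerts(event_times, threshold, interval):
    """Threshold detection: alert whenever more than `threshold` events fall within any
    `interval`-second window. Returns (window_start, window_end, count) per alert.
    Both the threshold and the interval must be chosen by the operator (slide 19)."""
    times = sorted(event_times)
    alerts = []
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > interval:   # slide the window forward
            start += 1
        count = end - start + 1
        if count > threshold:
            alerts.append((times[start], t, count))
    return alerts


if __name__ == "__main__":
    profile = build_profile(HISTORY)
    print(f"profile: mean={profile.mean}, stddev={profile.stddev}")
    for k in (0.3, 3.0, 6.0):
        print(f"k={k}: (false positives, false negatives) = {confusion(profile, LABELLED, k)}")
    print("threshold alerts:", threshold_alerts(FAILED_LOGINS, threshold=4, interval=60))
```

With the constructed history the profile is mean 13.5, standard deviation 1.5; k = 3 separates the two intrusion sessions from the two normal ones, k = 6 misses the milder intrusion (a false negative), and k = 0.3 flags both normal sessions (false positives). The threshold detector raises one alert for the burst of five failed logins inside the first 60 seconds and none for the two isolated failures later.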

  • 20/52

    Examples of Anomaly (figure)

  • 21/52

    Examples of Anomaly (figure)

  • 22/52

    Signature Detection

    - observe events on system and apply a set of rules to decide if intruder
    - approaches:
      - rule-based anomaly detection
        - analyze historical audit records for expected behavior, then match with current behavior
      - rule-based penetration identification
        - rules identify known penetrations / weaknesses
        - often by analyzing attack scripts from Internet
        - supplemented with rules from security experts

  • 23/52

    Example of Signatures

    - Users should not read files in other users' personal directories
    - Users must not write other users' files
    - Users who log in after hours often access the same files they used earlier
    - Users do not generally open disk devices but rely on higher-level operating system utilities
    - Users should not be logged in more than once to the system
    - Users do not make copies of system programs
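Worked example for slides 17, 18, 22 and 23, added here (not part of the lecture slides or of the Stallings & Brown material): detection-specific audit records with the fields slide 17 lists, and rule-based penetration identification that encodes four of the slide 23 signatures as rules over those records. The "copies of system programs" rule looks for the read-then-write pattern that slide 18 shows a copy command generating. The system directory and disk device prefixes and the whole audit trail are constructed assumptions.

```python
"""Rule-based (signature) detection over detection-specific audit records.
Added example, not from the lecture or from Stallings & Brown. The record fields
follow slide 17; the rules encode the slide 23 signatures; the copy pattern mirrors
the execute / read / write records of slide 18. Sample records are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

SYSTEM_DIRS = ("/bin/", "/usr/bin/", "/sbin/")      # assumed locations of system programs
DISK_DEVICES = ("/dev/sd", "/dev/nvme", "/dev/hd")  # assumed raw disk device prefixes


@dataclass(frozen=True)
class AuditRecord:
    subject: str              # user performing the action
    action: str               # execute | read | write | open | login | logout
    obj: str                  # file, device or terminal acted on
    exception: Optional[str]  # exception-condition, e.g. "permission-denied"
    resource_usage: int       # constructed unit, e.g. blocks transferred
    timestamp: int            # seconds


def home_owner(path):
    """Owner of a personal directory path such as /home/bob/notes.txt, else None."""
    parts = path.split("/")
    return parts[2] if len(parts) > 3 and parts[1] == "home" else None


def rule_foreign_file_access(records):
    """Users should not read files in, or write to, other users' personal directories."""
    return [("foreign-" + r.action, r.subject, r.timestamp) for r in records
            if r.action in ("read", "write")
            and home_owner(r.obj) not in (None, r.subject)]


def rule_disk_device(records):
    """Users do not generally open disk devices; the attempt is logged even if it failed."""
    return [("raw-disk-open", r.subject, r.timestamp) for r in records
            if r.action == "open" and r.obj.startswith(DISK_DEVICES)]


def rule_multiple_logins(records):
    """Users should not be logged in more than once: count open sessions per user."""
    active = defaultdict(int)
    alerts = []
    for r in sorted(records, key=lambda x: x.timestamp):
        if r.action == "login":
            active[r.subject] += 1
            if active[r.subject] > 1:
                alerts.append(("multiple-login", r.subject, r.timestamp))
        elif r.action == "logout":
            active[r.subject] = max(0, active[r.subject] - 1)
    return alerts


def rule_system_program_copy(records, window=5):
    """Users do not make copies of system programs: a read of a system binary followed,
    within `window` seconds by the same subject, by a write of a file with the same name."""
    alerts = []
    ordered = sorted(records, key=lambda x: x.timestamp)
    for i, r in enumerate(ordered):
        if r.action != "read" or not r.obj.startswith(SYSTEM_DIRS):
            continue
        name = r.obj.rsplit("/", 1)[-1]
        for w in ordered[i + 1:]:
            if w.timestamp - r.timestamp > window:
                break
            if (w.subject, w.action) == (r.subject, "write") and w.obj.rsplit("/", 1)[-1] == name:
                alerts.append(("system-program-copy", r.subject, w.timestamp))
    return alerts


RULES = (rule_foreign_file_access, rule_disk_device, rule_multiple_logins, rule_system_program_copy)


def run_rules(records):
    """Apply every signature rule and return (rule, subject, timestamp) alerts in time order."""
    alerts = [alert for rule in RULES for alert in rule(records)]
    return sorted(alerts, key=lambda a: a[2])


# Constructed audit trail: alice copies a system program the way slide 18 describes,
# bob reads alice's file and logs in a second time, carol tries to open a raw disk.
SAMPLE = [
    AuditRecord("alice", "login", "tty1", None, 0, 100),
    AuditRecord("alice", "execute", "/bin/cp", None, 2, 101),
    AuditRecord("alice", "read", "/usr/bin/python3", None, 40, 101),
    AuditRecord("alice", "write", "/home/alice/python3", None, 40, 103),
    AuditRecord("bob", "login", "tty2", None, 0, 110),
    AuditRecord("bob", "read", "/home/alice/notes.txt", None, 1, 112),
    AuditRecord("bob", "login", "ssh0", None, 0, 115),
    AuditRecord("carol", "open", "/dev/sda", "permission-denied", 0, 120),
    AuditRecord("bob", "logout", "tty2", None, 0, 130),
]

if __name__ == "__main__":
    for alert in run_rules(SAMPLE):
        print(alert)
```

Each rule is a pure function over the record list, so new signatures (for instance the after-hours rule on slide 23, which needs a per-user file history) can be added to RULES without touching the others; the "same files they used earlier" signature is deliberately left out because it describes expected rather than prohibited behaviour and would be a profile, not a rule.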

  • 24/52

    Distributed Host-Based IDS (figure)

  • 25/52

    Distributed Host-Based IDS (figure)

  • 26/52

    Network-Based IDS

    - network-based IDS (NIDS)
      - monitors traffic at selected points on a network
      - in near real time to detect intrusion patterns
      - may examine network, transport and/or application level protocol activity directed toward systems
    - comprises a number of sensors
      - inline (possibly as part of other net device)
      - passive (monitors copy of traffic)

  • 27/52

    NIDS Sensor Deployment (figure)

  • 28/52

    Intrusion Detection Techniques

    - signature detection
      - at application, transport, network layers
      - unexpected application services, policy violations
    - anomaly detection
      - of denial of service attacks, scanning, worms
    - when potential violation detected sensor sends an alert and logs information
      - used by analysis module to refine intrusion detection parameters and algorithms
      - by security admin to improve protection

  • 29/52

    Distributed Adaptive Intrusion Detection (figure)

  • 30/52

    Intrusion Detection Exchange Format (figure)

  • 31/52

    Honeypots

    - are decoy systems
      - filled with fabricated info
      - instrumented with monitors / event loggers
      - divert and hold attacker to collect activity info
      - without exposing production systems
    - initially were single systems
    - more recently are/emulate entire networks

  • 32/52

    Honeypot Deployment (figure)

  • 33/52

    SNORT

    - lightweight IDS
    - real-time packet capture and rule analysis
    - passive or inline

  • 34/52

    SNORT Rules

    - use a simple, flexible rule definition language
    - with fixed header and zero or more options
    - header includes: action, protocol, source IP, source port, direction, dest IP, dest port
    - many options
    - example rule to detect TCP SYN-FIN attack:

        Alert tcp $EXTERNAL_NET any -> $HOME_NET any \
        (msg: "SCAN SYN FIN"; flags: SF, 12; \
        reference: arachnids, 198; classtype: attempted-recon;)
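Worked example for slide 34, added here (not part of the lecture slides, of the Stallings & Brown material or of the Snort project): a small parser for the fixed header and the options of the rule quoted above, and a matcher that applies it to constructed packets. It shows what the ",12" in the flags option does (the two reserved TCP flag bits are masked out before the SYN+FIN comparison) and how $EXTERNAL_NET, assumed here to be "!$HOME_NET", keeps the rule from firing on internal sources. Only the header fields and the options this rule uses are handled; the flag modifiers +, * and ! are included so the generalization beyond this one rule is visible.

```python
"""Parse the slide's SYN-FIN Snort rule and test it against constructed packets.
Added example: not from the lecture, from Stallings & Brown or from the Snort project.
It handles only the header fields and the options this rule uses; the $HOME_NET /
$EXTERNAL_NET values are assumed site configuration."""
import ipaddress
import re
from collections import namedtuple

RULE_TEXT = r'''Alert tcp $EXTERNAL_NET any -> $HOME_NET any \
(msg: "SCAN SYN FIN"; flags: SF, 12; \
reference: arachnids, 198; classtype: attempted-recon;)'''

VARS = {"HOME_NET": "192.0.2.0/24", "EXTERNAL_NET": "!$HOME_NET"}  # assumed site values

# Flag letters as the flags option names them; 1 and 2 are the reserved (CWR/ECE)
# bits, which the rule's ",12" tells the matcher to ignore.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}

HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)$")

Rule = namedtuple("Rule", "action proto src sport direction dst dport options")
Packet = namedtuple("Packet", "proto src sport dst dport flags")  # flags: raw TCP flags byte


def parse_rule(text):
    """Split a rule into its fixed header and its 'key: value' options."""
    flat = " ".join(text.replace("\\\n", " ").split())  # join backslash continuation lines
    m = HEADER_RE.match(flat)
    if not m:
        raise ValueError("not a Snort rule header")
    options = {}
    for item in m.group(8).split(";"):
        if item.strip():
            key, _, value = item.partition(":")
            options[key.strip()] = value.strip().strip('"')
    return Rule(m.group(1).lower(), m.group(2).lower(), *m.group(3, 4, 5, 6, 7), options)


def parse_flags(value):
    """'SF, 12' -> (modifier, tested bits, mask of bits that take part in the comparison)."""
    spec, _, ignored = (part.strip() for part in value.partition(","))
    modifier = ""
    if spec[:1] in ("+", "*", "!"):
        modifier, spec = spec[0], spec[1:]
    tested = 0 if spec == "0" else sum(FLAG_BITS[c] for c in spec)
    mask = 0xFF & ~sum(FLAG_BITS[c] for c in ignored)
    return modifier, tested, mask


def flags_match(value, packet_flags):
    modifier, tested, mask = parse_flags(value)
    seen = packet_flags & mask
    if modifier == "+": return seen & tested == tested  # tested bits set, others allowed
    if modifier == "*": return seen & tested != 0       # any tested bit set
    if modifier == "!": return seen & tested == 0       # no tested bit set
    return seen == tested                                # exactly the tested bits, nothing else


def addr_match(spec, ip):
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_match(spec[1:], ip)
    if spec.startswith("$"):
        return addr_match(VARS[spec[1:]], ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_match(spec, port):
    if spec == "any":
        return True
    lo, sep, hi = spec.partition(":")
    if not sep:
        return int(spec) == port
    return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)


def rule_matches(rule, pkt):
    """Header match (only the '->' direction is handled) and then the flags option."""
    header_ok = (rule.proto == pkt.proto and rule.direction == "->"
                 and addr_match(rule.src, pkt.src) and port_match(rule.sport, pkt.sport)
                 and addr_match(rule.dst, pkt.dst) and port_match(rule.dport, pkt.dport))
    return header_ok and ("flags" not in rule.options or flags_match(rule.options["flags"], pkt.flags))


# Constructed packets: 203.0.113.0/24 is outside $HOME_NET, 192.0.2.0/24 inside.
SYN_FIN = Packet("tcp", "203.0.113.5", 40000, "192.0.2.10", 80, 0x03)
SYN_FIN_CWR = Packet("tcp", "203.0.113.5", 40000, "192.0.2.10", 80, 0x83)    # reserved bit 1 also set
PLAIN_SYN = Packet("tcp", "203.0.113.5", 40000, "192.0.2.10", 80, 0x02)
INSIDE_SYN_FIN = Packet("tcp", "192.0.2.20", 40000, "192.0.2.10", 80, 0x03)  # source is not external
SYN_FIN_ACK = Packet("tcp", "203.0.113.5", 40000, "192.0.2.10", 80, 0x13)

if __name__ == "__main__":
    rule = parse_rule(RULE_TEXT)
    for pkt in (SYN_FIN, SYN_FIN_CWR, PLAIN_SYN, INSIDE_SYN_FIN, SYN_FIN_ACK):
        print(f"{pkt.src}:{pkt.sport} flags=0x{pkt.flags:02x} ->", rule_matches(rule, pkt))
```

SYN+FIN is never produced by a conforming TCP stack, so the exact comparison (no modifier) is what gives this signature its low false-positive rate; the reserved-bit mask keeps ECN-capable hosts from slipping past it.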

  • 35/52

    Summary

    - introduced intruders & intrusion detection
      - hackers, criminals, insiders
    - intrusion detection approaches
      - host-based (single and distributed)
      - network
      - distributed adaptive
      - exchange format
      - honeypots
    - SNORT example

  • 36/52

    Most Slides are From

    Computer Security: Principles and Practice
    First Edition
    by William Stallings and Lawrie Brown
    Lecture slides by Lawrie Brown

    Chapter 9: Firewalls and Intrusion Prevention Systems

  • 37/52

    Firewall Capabilities & Limits

    - capabilities
      - define a single choke point
      - provide a location for monitoring security events
      - convenient platform for some Internet functions such as NAT, usage monitoring, IPSEC VPNs
    - limitations
      - cannot protect against attacks bypassing firewall
      - may not protect fully against internal threats
      - improperly secured wireless LAN
      - laptop, PDA, portable storage device infected outside then used inside

  • 38/52

    Types of Firewalls (figure)

  • 39/52

    Packet Filtering Firewall

    - applies rules to packets in/out of firewall
      - based on information in packet header
      - src/dest IP addr & port, IP protocol, interface
    - typically a list of rules of matches on fields
      - if match, rule says whether to forward or discard packet
    - two default policies
      - discard - prohibit unless expressly permitted
        - more conservative, controlled, visible to users
      - forward - permit unless expressly prohibited
        - easier to manage/use but less secure
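Worked example for slide 39, added here (not part of the lecture slides or of the Stallings & Brown material): a packet filter that evaluates an ordered rule list over the header fields the slide names and then falls back to one of the two default policies. The same rule list is instantiated once with "discard" and once with "forward" as the default so the difference between "prohibit unless expressly permitted" and "permit unless expressly prohibited" shows up on the same traffic. The networks, rules and packets are constructed.

```python
"""Packet-filtering firewall: an ordered rule list over packet header fields plus
one of the two default policies from slide 39. Added example, not from the lecture
or from Stallings & Brown; addresses and rules are constructed."""
import ipaddress
from dataclasses import dataclass

HOME_NET = "192.0.2.0/24"       # constructed protected network
MAIL_SERVER = "192.0.2.25/32"   # constructed internal mail host


@dataclass(frozen=True)
class Packet:
    """Header fields a packet filter can see (slide 39): interface/direction, protocol, addresses, ports."""
    direction: str   # "in" (arriving from outside) or "out"
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str            # "forward" or "discard"
    direction: str = "any"
    proto: str = "any"
    src: str = "any"       # CIDR or "any"
    sport: str = "any"     # "any", "N" or "N:M"
    dst: str = "any"
    dport: str = "any"


def _addr(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port(spec, port):
    if spec == "any":
        return True
    lo, sep, hi = spec.partition(":")
    return int(lo) <= port <= int(hi) if sep else int(spec) == port


def matches(rule, pkt):
    return (rule.direction in ("any", pkt.direction) and rule.proto in ("any", pkt.proto)
            and _addr(rule.src, pkt.src) and _port(rule.sport, pkt.sport)
            and _addr(rule.dst, pkt.dst) and _port(rule.dport, pkt.dport))


class PacketFilter:
    def __init__(self, rules, default):
        if default not in ("forward", "discard"):
            raise ValueError("default policy must be forward or discard")
        self.rules = list(rules)
        self.default = default

    def decide(self, pkt):
        """First matching rule decides; otherwise the default policy applies.
        Returns (action, reason) so the decision can be logged."""
        for i, rule in enumerate(self.rules):
            if matches(rule, pkt):
                return rule.action, f"rule {i}"
        return self.default, "default"


RULES = [
    Rule("forward", "in", "tcp", dst=MAIL_SERVER, dport="25"),        # inbound mail to the mail host
    Rule("forward", "out", "tcp", src=HOME_NET),                      # outbound connections from inside
    Rule("forward", "in", "tcp", dst=HOME_NET, dport="1024:65535"),   # replies to client ports (slide 42's hole)
]
DENY_BY_DEFAULT = PacketFilter(RULES, default="discard")    # prohibit unless expressly permitted
PERMIT_BY_DEFAULT = PacketFilter(RULES, default="forward")  # permit unless expressly prohibited

# Constructed traffic
SMTP_IN = Packet("in", "tcp", "203.0.113.9", 51515, "192.0.2.25", 25)
TELNET_IN = Packet("in", "tcp", "203.0.113.9", 51516, "192.0.2.10", 23)
DNS_OUT = Packet("out", "udp", "192.0.2.10", 53001, "203.0.113.53", 53)
REPLY_IN = Packet("in", "tcp", "203.0.113.80", 80, "192.0.2.10", 40000)

if __name__ == "__main__":
    for name, pkt in [("smtp in", SMTP_IN), ("telnet in", TELNET_IN), ("dns out", DNS_OUT), ("reply in", REPLY_IN)]:
        print(f"{name:10} discard-default={DENY_BY_DEFAULT.decide(pkt)}  forward-default={PERMIT_BY_DEFAULT.decide(pkt)}")
```

The inbound telnet attempt and the outbound UDP DNS query match no rule, so the default policy alone decides them: the discard-default filter blocks both (and the DNS query would have to be expressly permitted to work), the forward-default filter lets both through. The third rule is the one slide 42 criticises: a stateless filter has to admit every inbound packet to a high-numbered port because it cannot tell replies from unsolicited traffic.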

  • 40/52

    Packet Filter Rules (figure)

  • 41/52

    Packet Filter Weaknesses

    - weaknesses
      - cannot prevent attack on application bugs
      - limited logging functionality
      - do not support advanced user authentication
      - vulnerable to attacks on TCP/IP protocol bugs
      - improper configuration can lead to breaches
    - attacks
      - IP address spoofing, source route attacks, tiny fragment attacks

  • 42/52

    Stateful Inspection Firewall

    - reviews packet header information but also keeps info on TCP connections
      - typically have low, known port no for server
      - and high, dynamically assigned client port no
      - simple packet filter must allow all return high port numbered packets back in
    - stateful inspection packet firewall tightens rules for TCP traffic using a directory of TCP connections
      - only allow incoming traffic to high-numbered ports for packets matching an entry in this directory
      - may also track TCP seq numbers as well

  • 43/52

    Application-Level Gateway

    - acts as a relay of application-level traffic
      - user contacts gateway with remote host name
      - authenticates themselves
      - gateway contacts application on remote host and relays TCP segments between server and user
    - must have proxy code for each application
      - may restrict application features supported
    - more secure than packet filters
      - but have higher overheads

  • 44/52

    Circuit-Level Gateway

    - sets up two TCP connections, to an inside user and to an outside host
    - relays TCP segments from one connection to the other without examining contents
      - hence independent of application logic
      - just determines whether relay is permitted
    - typically used when inside users trusted
      - may use application-level gateway inbound and circuit-level gateway outbound
      - hence lower overheads

  • 45/52

    Examples of Firewalls

    - Windows Defender: Application level
    - IP Tables: Packet level
    - SOCKS: circuit-level
    - MAC OS: personal firewall
    - SNORT

  • 46/52

    Example Connection State

    Common to have along with Network Address Translation and Port Address Translation (NAT and PAT)

    SrcAddr | SrcPort | DestAddr | DestPort | Status

    Status may be established, expired, ended, etc.
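Worked example for slides 42 and 46, added here (not part of the lecture slides or of the Stallings & Brown material): a stateful inspection firewall that keeps the directory of TCP connections slide 42 describes, combined with port address translation as slide 46 says is common, and whose entries carry the status values of slide 46 (established, ended, expired). An outbound SYN from inside opens an entry and allocates a translated port; inbound segments to a high-numbered port are forwarded only when they match an established entry and come from the peer recorded in it. The public address, inside hosts, ports and idle timeout are constructed assumptions, and the close handling is simplified to "first FIN or RST ends the entry".

```python
"""Stateful inspection with a directory of TCP connections (slide 42) carried
together with port address translation, using the status values of slide 46.
Added example, not from the lecture or from Stallings & Brown; addresses, ports
and the idle timeout are constructed."""
from collections import namedtuple
from dataclasses import dataclass

ESTABLISHED, ENDED, EXPIRED = "established", "ended", "expired"
IDLE_TIMEOUT = 300  # seconds without traffic before an entry is marked expired (assumed policy)

# flags: a frozenset drawn from {"SYN", "ACK", "FIN", "RST"}; time in seconds
Segment = namedtuple("Segment", "src sport dst dport flags time")


@dataclass
class Entry:
    """One row of the slide-46 table: SrcAddr SrcPort DestAddr DestPort Status."""
    src_addr: str
    src_port: int
    dest_addr: str
    dest_port: int
    status: str
    last_seen: int
    nat_port: int     # port on the firewall's public address used for this connection


class StatefulNatFirewall:
    def __init__(self, public_ip, first_nat_port=40000):
        self.public_ip = public_ip
        self.next_nat_port = first_nat_port
        self.by_flow = {}      # (src_addr, src_port, dest_addr, dest_port) -> Entry
        self.by_nat_port = {}  # translated source port -> Entry

    def expire(self, now):
        """Entries idle longer than IDLE_TIMEOUT stop admitting traffic."""
        for e in self.by_flow.values():
            if e.status == ESTABLISHED and now - e.last_seen > IDLE_TIMEOUT:
                e.status = EXPIRED

    def outbound(self, seg):
        """Inside -> outside. A SYN opens a directory entry; later segments must match one.
        Returns (decision, translated segment or None)."""
        self.expire(seg.time)
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        entry = self.by_flow.get(key)
        if entry is None or entry.status != ESTABLISHED:
            if "SYN" not in seg.flags:
                return "discard", None
            entry = Entry(*key, ESTABLISHED, seg.time, self.next_nat_port)
            self.next_nat_port += 1
            self.by_flow[key] = entry
            self.by_nat_port[entry.nat_port] = entry
        return "forward", self._touch(entry, seg, src=self.public_ip, sport=entry.nat_port)

    def inbound(self, seg):
        """Outside -> inside. Admitted only to a high port that an established entry maps,
        and only from the peer recorded in that entry (slide 42)."""
        self.expire(seg.time)
        entry = self.by_nat_port.get(seg.dport) if seg.dst == self.public_ip else None
        if (entry is None or entry.status != ESTABLISHED
                or (seg.src, seg.sport) != (entry.dest_addr, entry.dest_port)):
            return "discard", None
        return "forward", self._touch(entry, seg, dst=entry.src_addr, dport=entry.src_port)

    def _touch(self, entry, seg, **rewrite):
        entry.last_seen = seg.time
        if seg.flags & {"FIN", "RST"}:   # simplified: the first FIN or RST ends the entry
            entry.status = ENDED
        return seg._replace(**rewrite)

    def table(self):
        """The connection-state table as slide 46 lays it out."""
        return [(e.src_addr, e.src_port, e.dest_addr, e.dest_port, e.status)
                for e in self.by_flow.values()]


def demo():
    """Constructed exchange: one web connection opened, answered and closed, plus an unsolicited probe."""
    fw = StatefulNatFirewall("203.0.113.1")
    decisions = [
        fw.outbound(Segment("10.0.0.5", 51000, "198.51.100.7", 80, frozenset({"SYN"}), 0))[0],
        fw.inbound(Segment("198.51.100.7", 80, "203.0.113.1", 40000, frozenset({"SYN", "ACK"}), 1))[0],
        fw.inbound(Segment("198.51.100.9", 80, "203.0.113.1", 40001, frozenset({"SYN", "ACK"}), 2))[0],
        fw.outbound(Segment("10.0.0.5", 51000, "198.51.100.7", 80, frozenset({"FIN", "ACK"}), 10))[0],
        fw.inbound(Segment("198.51.100.7", 80, "203.0.113.1", 40000, frozenset({"ACK"}), 11))[0],
    ]
    return decisions, fw.table()


if __name__ == "__main__":
    decisions, table = demo()
    print(decisions)
    for row in table:
        print(row)
```

The probe to port 40001 is discarded because no entry maps that port, and the ACK that arrives after the FIN is discarded because the entry has moved to "ended"; a stateless filter with a "replies to high ports" rule would have forwarded both.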

  • 47/52

    Distributed Firewalls (figure)

  • 48/52

    Intrusion Prevention Systems

    - (IPS) recent addition to security products which:
      - inline net/host-based IDS that can block traffic
      - functional addition to firewall that adds IDS capabilities
    - can block traffic like a firewall
      - using IDS algorithms
    - may be network or host based

  • 49/52

    Host-Based IPS

    - identifies attacks using both:
      - signature techniques
        - malicious application packets
      - anomaly detection techniques
        - behavior patterns that indicate malware
    - can be tailored to the specific platform
      - e.g. general purpose, web/database server specific
    - can also sandbox applets to monitor behavior
    - may give desktop file, registry, I/O protection

  • 50/52

    Network-Based IPS

    - inline NIDS that can discard packets or terminate TCP connections
    - uses signature and anomaly detection
    - may provide flow data protection
      - monitoring full application flow content
    - can identify malicious packets using:
      - pattern matching, stateful matching, protocol anomaly, traffic anomaly, statistical anomaly
    - cf. SNORT inline can drop/modify packets

  • 51/52

    Unified Threat Management Products (figure)

  • 52/52

    Summary

    - introduced need for & purpose of firewalls
    - types of firewalls
      - packet filter, stateful inspection, application and circuit gateways
    - firewall hosting, locations, topologies
    - intrusion prevention systems