
Firewalls, IPS and Cyber Attacks How do they do it

James Risler
Technology Education Specialist, MBA, CISSP, CCIE #15412, jarisler@cisco.com

2010 Cisco and/or its affiliates. All rights reserved.

Cisco Confidential

! How does a firewall function
! What is an Intrusion Prevention System (IPS)
  How does it function
  Limitations
! What are some of the latest cyber attacks?
  How do they get around a firewall
  Why does IPS not find these
! What is the job role of a Security Analyst
! Tools used by Security Investigators


Firewalls and Security Domains


Firewall System: Definition

! A firewall is a system that enforces access control between security domains:
  It should be resistant to attacks itself and be the only transit point between zones.
  A system means it can be made of many devices (e.g., stateful packet filters, proxies, network IPS devices, etc.)

Diagram: a firewall system sitting between the Internet and the internal networks, with zones for public web, public DNS and public LDAP, an e-commerce web tier and application tier, and a remote-access (RA) VPN; enforcement points are packet filters (PF), stateful packet filters (SPF) and IPS devices placed at the zone boundaries.


Traffic Filtering Layers

Diagram: the seven OSI layers (7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, 1 Physical) between two hosts. Application layer (L5-L7) control example: allow download only of binary content, and scan for viruses. Network layer (L2-L4) control example: permit HTTP from A to B.

! Firewall components can operate on different OSI layers:
  Application layer (Layers 5-7) access control: controls payload and content inside permitted connections
  Network layer (Layers 2-4) access control: minimizes connectivity between hosts and their applications


Network IPS


Intrusion Detection Systems

An IDS has the capability to detect misuse and abuse of, and unauthorized access to, networked resources. An IDS generates alerts when it detects security incidents. When alerted, network administrators must take appropriate actions to stop misuse, abuse, or unauthorized access.

Diagram: the IDS device raises the alert "Unauthorized activity detected!" to the administrator, who performs analysis and response.


Intrusion Prevention Systems

An IPS has the capability to detect and prevent misuse and abuse of, and unauthorized access to, networked resources. Network administrator intervention is usually not needed to stop misuse, abuse, or unauthorized access. Administrators examine alerts that are generated by the IPS.

Diagram: the IPS device reports "Unauthorized activity detected and prevented!" and sends an alert to the administrator, who performs analysis only.


Signature-Based IPS

Analyze network traffic, and act if a known malicious event is detected:
  Requires a database of known malicious traffic.
  The database must be continuously updated.

Diagram: an attacker sends the target web server the request
  HTTP GET /scripts/badscript.php?ID=test%0acat+/etc/shadow
and the IPS reports "Known bad traffic! /etc/shadow detected in HTTP request arguments."
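To make the signature check concrete, here is an added example (not Cisco's code and not from the slides) that decodes HTTP request arguments and runs a small constructed signature set over them; the signature names and the second, benign request are assumptions. It also shows that the newline-injection signature only fires once %0a and + have been decoded, which is why an IPS has to normalize the request before matching.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed signature set (an assumption, not a vendor database): each entry is a
# name and a regex applied to the decoded value of every HTTP request argument.
SIGNATURES = [
    ("unix-shadow-file-access", re.compile(r"/etc/shadow")),
    ("unix-passwd-file-access", re.compile(r"/etc/passwd")),
    ("newline-command-injection", re.compile(r"\n\s*(cat|ls|id|sh)\b")),
]

def decode_arguments(request_line):
    """Return [(name, value)] for 'METHOD /path?query HTTP/x'; parse_qsl decodes %XX and '+'."""
    parts = request_line.split()
    if len(parts) < 2:
        return []
    return parse_qsl(urlsplit(parts[1]).query, keep_blank_values=True)

def inspect_request(request_line):
    """Signature hits as (signature, argument) pairs, matched after decoding."""
    hits = []
    for arg, value in decode_arguments(request_line):
        for sig_name, pattern in SIGNATURES:
            if pattern.search(value):
                hits.append((sig_name, arg))
    return hits

def raw_hits(request_line):
    """The same signatures run over the undecoded line, as a sensor without normalization would."""
    return [sig_name for sig_name, pattern in SIGNATURES if pattern.search(request_line)]

# Constructed request lines: the first is the one shown on the slide, the second is benign.
SAMPLE_REQUESTS = [
    "GET /scripts/badscript.php?ID=test%0acat+/etc/shadow HTTP/1.1",
    "GET /scripts/report.php?ID=test&format=pdf HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(line)
        print("  decoded match:", inspect_request(line) or "clean")
        print("  raw match:    ", raw_hits(line) or "clean")
```

The undecoded match still catches the literal /etc/shadow string, but misses the injected newline entirely; a signature database is only as good as the normalization in front of it.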


IPS Alerts

Screenshot: the IPS alert list in the event viewer (Event Monitoring > Event Monitoring), with a view tree on the left and the alerts pane on the right.

Cyber Attacks


Customized Threat Bypasses Security Gateways

Diagram: the perimeter gateways (Firewall, IPS, N-AV, Web Security, Email Security); a customized threat enters from inside, spreads inside the perimeter, and then spreads to devices.

! Perimeter security stops many threats, but sophisticated cyber threats evade existing security constructs
! Fingerprints of threats are often found in the network fabric

! Professional attackers have a tried-and-true methodology:
  Gather info > Scan > Gain Access > Escalate > Persist > Expand > Accomplish Goal > Clean Up
! At each step, attackers have specific concerns and goals before they move on to the next step.
! Some steps are optional, depending on the goals and methods of the attack.
! By understanding the steps of the process, analysts can stop an attack in progress.

! Four South Korean think tanks attacked
! Phishing attack: emails sent to people in the organizations with infected links, from Bulgarian email addresses
! Trojan dropper Dynamic Link Library (DLL):
  Keystroke logging
  Directory listing collection
  HWP document theft (only documents being worked on)
  Remote control download and execution
  Remote control access
! Not typical Command & Control: used email servers
! Disables the machine's firewall

Traffic got around the firewall and IPS, and now corporate data is going out of your network via FTP

! Attack bypasses the perimeter and traverses the network
! NetFlow at the access layer provides greater granularity

ACTIVE FLOWS: 23,892
  SRC/65.32.7.45
    DST/171.54.9.2/US : HTTP
    DST/34.1.5.78/China : HTTPS
    DST/165.1.4.9/Uzbekistan : FTP
    DST/123.21.2.5/US : AIM
    DST/91.25.1.1/US : FACEBOOK

Cisco Threat Context Grid: Automating Context Collection
  SRC/65.32.7.45 DST/165.1.4.9/Uzbekistan : FTP
  Context: User/ORG = Pat Smith, R&D; Client = Dell XYZ100; DST = Poor Reputation

The need for visibility could/should drive information sharing!

What Skills to Develop?

! Major areas of competency
  Understanding security policy
  Data & traffic analysis
  Identifying security events > how & when to alarm
  Incident response
! Foundation/Background
  Network infrastructure knowledge
  Diverse device configuration ability
  Security configuration knowledge
  Data management & teamwork
! Challenge is arming Security Investigators
  Not tied to a product or solution
  Complex knowledge
  No one specific process or product solution is correct
  A diverse set of skills is needed

Prevent         | Detect             | Collect      | Analyze         | Mitigate
----------------+--------------------+--------------+-----------------+--------------
Network IPS     | Network IDS        | NetFlow      | NetFlow analyze | IP blackhole
Firewall        | Behavioral anomaly | Event logs   | Malware analyze | DNS poisoning
AntiVirus       | Adv. malware       | Proxy logs   | SIEM analysis   | Adv. ACLs
Host IPS        | NetFlow anomaly    | Web firewall | Other tools     |
Web proxy       |                    |              |                 |
Spam prevention |                    |              |                 |

Foundation (underlying all five): Device config, Traffic capture, Performance monitoring, Device monitoring

Screenshot: a host view keyed by IP address, showing the suspicious activity that triggered the alarm and an alarm indicating that this host touched another host which then began exhibiting the same suspicious behavior.

Complex Threat Puzzle

WHERE, WHAT, WHO, WHEN, HOW: flow, context and control

Diagram: the network around host 65.32.7.45, annotated with the questions to answer for it: Reputation? Posture? (vulnerability, AV, patch) Device? User? Events?

! Use NetFlow data to extend visibility to the access layer
! Unite flow data with identity, reputation and application for context
! Network switches as enforcement points for increased control
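As an added example serving both the earlier NetFlow slide (corporate data leaving via FTP) and this one, the following Python (not Cisco's code and not the Threat Context Grid) joins constructed flow records with constructed identity, asset and reputation lookups and scores each flow; the feed contents, byte counts and scoring rules are assumptions, while the addresses, countries and context values are the slides' own illustrative ones.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "src dst country app bytes_out")

# Constructed flow records modelled on the slide's ACTIVE FLOWS listing
# (addresses and countries come from the slide; the byte counts are made up).
FLOWS = [
    Flow("65.32.7.45", "171.54.9.2", "US", "HTTP", 48_000),
    Flow("65.32.7.45", "34.1.5.78", "China", "HTTPS", 9_500),
    Flow("65.32.7.45", "165.1.4.9", "Uzbekistan", "FTP", 812_000_000),
    Flow("65.32.7.45", "123.21.2.5", "US", "AIM", 2_100),
    Flow("65.32.7.45", "91.25.1.1", "US", "FACEBOOK", 30_000),
]

# Constructed context feeds (assumptions): identity, asset inventory, destination reputation.
IDENTITY = {"65.32.7.45": ("Pat Smith", "R&D")}
ASSETS = {"65.32.7.45": "Dell XYZ100"}
REPUTATION = {"165.1.4.9": "Poor"}

# Applications that move bulk data out of the network and so deserve extra scrutiny.
BULK_EGRESS_APPS = {"FTP", "SFTP", "SCP"}

def enrich(flow):
    """Join one flow with user/org, client type and destination reputation."""
    user, org = IDENTITY.get(flow.src, ("unknown", "unknown"))
    return {"flow": flow, "user": user, "org": org,
            "client": ASSETS.get(flow.src, "unknown"),
            "dst_reputation": REPUTATION.get(flow.dst, "Unknown")}

def score(ctx):
    """Return (score, reasons); each reason is one piece of context that raises concern."""
    flow, reasons = ctx["flow"], []
    if ctx["dst_reputation"] == "Poor":
        reasons.append("destination has poor reputation")
    if flow.app in BULK_EGRESS_APPS:
        reasons.append(f"bulk egress application {flow.app}")
    if flow.bytes_out >= 100_000_000:
        reasons.append(f"{flow.bytes_out // 1_000_000} MB sent out")
    return len(reasons), reasons

def triage(flows, threshold=2):
    """Enrich every flow and return (score, context, reasons) for those at or above threshold."""
    flagged = [(s, ctx, r) for ctx in map(enrich, flows) for s, r in [score(ctx)] if s >= threshold]
    return sorted(flagged, key=lambda item: item[0], reverse=True)

if __name__ == "__main__":
    for s, ctx, reasons in triage(FLOWS):
        f = ctx["flow"]
        print(f"score {s}: {f.src} -> {f.dst} ({f.country}) {f.app}; "
              f"user {ctx['user']} ({ctx['org']}), client {ctx['client']}; " + "; ".join(reasons))
```

Only the FTP flow to the poor-reputation host is surfaced; the same five flows without the identity and reputation joins would all look alike in a raw NetFlow export.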

Hacked While Browsing


! Firewalls are a critical piece
! IPS helps, but does not catch everything
! Cyber attackers are skilled
! Complex problem


Questions/Discussion?

Thank You
