
Detecting and Mitigating Attacks Using Your Network Infrastructure

LTRSEC-2004

Follow us on Twitter for real time updates of the event:

@ciscoliveeurope, #CLEUR

Housekeeping
- We value your feedback; don't forget to complete your online session evaluations after each session and the Overall Conference Evaluation, which will be available online from Thursday
- Visit the World of Solutions and Meet the Engineer
- Visit the Cisco Store to purchase your recommended readings
- Please switch off your mobile phones
- After the event, don't forget to visit Cisco Live Virtual: www.ciscolivevirtual.com
- Follow us on Twitter for real time updates of the event: @ciscoliveeurope, #CLEUR

LTRSEC-2004

2012 Cisco and/or its affiliates. All rights reserved.

Cisco Public

Agenda
- State of Network Security
- Threat Models for IP Networks
- Six Phase Methodology
- Telemetry Data: NetFlow, Flexible NetFlow, and DNS
- Identifying and Reacting to Attacks with Cisco Firewalls
- Remotely-Triggered Black Hole (RTBH) Filtering

Threat Landscape and Getting Connected

State of Network Security

Network Security is a System


- Firewall + AV != Network Security
- Network security is not something you can just buy
  - Technology will assist
  - Policy, operations, and design are more important
- Network security system
  - A collection of network-connected devices, technologies, and best practices that work in complementary ways to provide security to information assets

Strive for Operational Simplicity


- Network ops is critical to security system design
  - How will your system hold up under attack?
  - Do you have the tools and procedures to respond effectively?
- Good management tools
  - Ensure manageability when under attack
  - Excellent visibility of threats
- Good operational processes
  - Ensure late night changes will not cripple security
  - Monitor tools, respond to threats
- Operational simplicity helps reduce downtime

What Is Core Security?


- Often thought of as "SP Security"
  - However, who is not an SP today?
- Internal networks are no longer truly internal
  - Tunneling
  - VPN
  - Worms, worms, worms
- The infrastructure is critical; if we can't protect it, nothing else matters
  - Edge security initiatives abound: NAC, 802.1X, HIPS (CSA), personal firewalls, etc.
  - Defense in Depth is key

Threat Models for IP Networks

Threat Models for IP Networks


- Knowledge of threats provides a firmer understanding of vulnerabilities and risks associated with your network
- Without a thorough understanding of threats, you cannot take the necessary steps to implement an effective security solution
- Network design techniques to mitigate the risks are presented in later sections of this presentation
- Vulnerability scoring can help determine risk (CVSS)

Common Vulnerability Scoring System


- Open framework to analyze and communicate the risk, impact, exploitability, and characteristics of vulnerabilities
  - http://www.first.org/cvss/
  - http://www.first.org/cvss/cvss-guide.html
- Utilizes three metric groups to calculate the vulnerability score
  - Base metrics are the constant vulnerability characteristics
  - Temporal metrics adjust the score based on Exploitability (E), Remediation Level (RL), and Report Confidence (RC); these may or may not change over time
  - Environmental metrics adjust the score based on the risk and impact to an organization or your environment (optional)

Threats Against IP Networks


- Many factors threaten network infrastructures
  - Natural disasters
  - Unintentional, man-made attacks based on human error
  - Malicious attacks
- The clear distinction between human error and malicious attacks is intent
- Protection against malicious and unintentional attacks must both be considered
  - An outage is an outage

Threat and Attack Models


Attack | Description
Resource Exhaustion Attacks | DoS attack makes target unavailable for its intended service. Attempted by direct, transit, or reflection-based attack.
Spoofing Attacks | Uses packets that masquerade with false data (such as source IP address) to exploit a trust relationship.
Transport Protocol Attacks | Prevents upper-layer communication between hosts or hijacks an established session. Exploits previous authentication measures. Enables eavesdropping or false data injection.
Routing Protocol Attacks | Prevents or disrupts routing protocol peering or redirects traffic flows. Attempts to inject false information, alter existing information, or remove valid information.

Threat and Attack Models (cont.)

Attack | Description
Attacks Against IP Control-Plane Services | Attacks against DHCP, DNS, and NTP. Affects network availability and operations.
Unauthorized Access Attacks | Attempts to gain unauthorized access to restricted systems and networks.
Software Vulnerabilities | Software defect that may compromise confidentiality, integrity, or availability of the device and data plane traffic.
Malicious Network Reconnaissance | Gathering info about a target device, network, or organization. Enables an attacker to identify specific security weaknesses that may be exploited in a future attack.

Spoofing Attacks
Miscreants Spoof Packets to Cause Havoc in the Network
Which parts of the packet can be spoofed?

[Figure: IP header, TCP header and L7 payload laid out field by field.
 IP header: Version, IHL, Type of Service, Total Length; Identification, Flags, Fragment Offset; Time to Live, Protocol, Header Checksum; Source Address; Destination Address.
 TCP header: 16-bit source port, 16-bit destination port; 32-bit sequence number; 32-bit acknowledgement number; THL, reserved, flags U A P R S F, 16-bit window size; 16-bit TCP checksum, 16-bit urgent pointer.
 L7: HTTP GET URL CGI to www.victim.com]

- Source IP address (bypass ACLs)
- TCP flags (SYN, RST, etc.) and TCP port numbers (consume host resources, reset sessions, etc.)
- Fragmentation parameters
- Spoofing most often happens in combinations (several fields)

Spoofing is useful because?
- Hide source of attack (attacker not revealed)
- Bypass security (e.g., ACLs) by masquerading as valid packets
- Spoofing the "real target": have others take out the target for you (reflection attacks)

IPv6 Attacks with Strong IPv4 Similarities


- Sniffing
  - Without IPSec, IPv6 is no more or less likely to fall victim to a sniffing attack than IPv4
- Application layer attacks
  - Even with IPSec, the majority of vulnerabilities on the Internet today are at the application layer, something that IPSec will do nothing to prevent
- Rogue devices
  - Rogue devices will be as easy to insert into an IPv6 network as in IPv4
- Man-in-the-Middle Attacks (MITM)
  - Without IPSec, any attacks utilizing MITM will have the same likelihood in IPv6 as in IPv4
- Flooding
  - Flooding attacks are identical between IPv4 and IPv6

Collateral Damage
- Attacks may have additional consequences beyond the intended target
- A DoS attack against one remote network may adversely affect other networks, resulting in collateral damage and a wider impact
- Collateral damage must also be considered when evaluating the risk and impact of potential attacks

Six-Phase Methodology

Six Phases of Incident Response


Preparation
- Prep the network
- Create tools
- Test tools
- Prep procedures
- Train team
- Practice
- Baseline your traffic

Identification
- How do you know about the attack?
- What tools can you use?
- What's your process for communication?

Classification
- What kind of attack is it?

Traceback
- Where is the attack coming from?
- Where and how is it affecting the network?

Reaction
- What options do you have to remedy?
- Which option is the best under the circumstances?

Postmortem
- What was done?
- Can anything be done to prevent it?
- How can it be less painful in the future?

IP Addressing as Security Tool


- Assign devices or interfaces with similar security profiles out of contiguous IP ranges
  - Router loopback interfaces
  - Subnets providing connectivity to partners
  - Remote access subnets
  - Voice subnets
- Develop security policies that can take advantage of this uniform addressing
  - Control Plane Policing can allow iBGP from all peers with a single ACE
  - ACLs can identify traffic from guest, wireless, or otherwise untrusted subnets more easily

IP Addressing as Security Tool (cont.)


- Only possible with strong anti-spoofing capabilities in the network
  - But we are all doing that, correct?
- Possible to use non-contiguous wildcard masks in ACL rules to apply consistency across subnets
  - 10.0.1/24, 10.1.1/24, 10.2.1/24, 10.3.1/24, etc., can be matched using 10.0.1.0 0.255.0.255
  - Possible but not always recommended
- Whitepaper: A Security-Oriented Approach to IP Addressing
  - http://www.cisco.com/web/about/security/intelligence/security-for-ip-addr.html
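As an added illustration (not from the deck), the following script evaluates IOS-style wildcard masks, including the non-contiguous 10.0.1.0 0.255.0.255 mask from the slide, and reports whether a mask is contiguous (expressible as a CIDR prefix) or not, which is the property that makes the slide's approach "possible but not always recommended". The sample addresses are constructed.

```python
# Added example (not from the deck): IOS ACL wildcard mask semantics.
# In a wildcard mask a 0 bit means "this bit must match", a 1 bit means
# "don't care"; it is the bitwise inverse of a subnet mask, and nothing
# stops it from having holes, e.g. 0.255.0.255 matches 10.x.1.x.
import ipaddress


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(address, base, wildcard):
    """True if `address` matches the ACE `base wildcard` under IOS rules."""
    care = ~to_int(wildcard) & 0xFFFFFFFF      # bits that must be equal
    return (to_int(address) & care) == (to_int(base) & care)


def is_contiguous(wildcard):
    """True if the mask is 0...01...1, i.e. equivalent to a CIDR prefix length."""
    w = to_int(wildcard)
    return (w & (w + 1)) == 0


def matching_addresses(addresses, base, wildcard):
    """Filter a list of addresses through one ACE."""
    return [a for a in addresses if wildcard_match(a, base, wildcard)]


if __name__ == "__main__":
    # Constructed sample: third octet 1 in several 10.x subnets, plus non-matches.
    sample = ["10.0.1.5", "10.1.1.200", "10.3.1.1", "10.0.2.5", "192.168.1.1"]
    print(matching_addresses(sample, "10.0.1.0", "0.255.0.255"))
    print("contiguous:", is_contiguous("0.0.0.255"), is_contiguous("0.255.0.255"))
```

The contiguity check is the practical caveat: a non-contiguous mask matches every subnet whose addressing happens to line up, including ones added later for an unrelated purpose, so a matching entry is only as safe as the discipline of the addressing plan it relies on.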

Domains of Trust (Zones)


[Figure: two example layouts of trust domains. 1stcase.com: Internal, WAN, External Servers, Internet, Labs, Employees, VPN Remote Access. 2ndcase.com: Internal, External Servers, WAN, Internet, Labs, VPN Remote Access, Employees]

Domains of Trust segment communities by policy

Purpose of Domains of Trust


- Risk defines policy
  - Importance to the business
  - Likelihood of being attacked
- Security domains are based on like "policy"
  - Network segments have different trust levels
  - Consistent security controls within a segment
  - Define trust relationships between segments
- Gradients of trust differentiate domains
  - Trust gradient may be minor or extreme
  - Gradient determines security measures
- Choke points control trust between segments
  - Commonly a network firewall or access control
- Domains of trust are key to good network security design

Sample Domains of Trust


[Figure: private zones Lab, HQ and Branch (Production) against the Public zone, with the trust gradient between them]

Steep gradient = high risk: considerable safeguards
- Advanced firewalling
- Flow-based inspection
- Misuse detection (IPS)
- Constant monitoring

Lesser gradient = low risk: basic safeguards
- Basic access control
- Casual monitoring

Considerable safeguards between corporate and public. Protect data transiting steep gradients with communication security: confidentiality, integrity, authentication.

Enterprise Security Zones: Logical

[Figure: logical security zones: ISP, Internet Access, DMZ (Mail, DNS), Corporate Core, Finance, Dev, Web Apps, Ops]

Enterprise Security Zones: Physical

[Figure: physical placement of the same zones: Internet, DNS, Email, Finance, Dev, Web Apps, Ops]

Defense Depth and Breadth Security


[Figure: Internet (AS1, AS2, AS3) reaching an Enterprise Network through a Service Provider Core Network; the enterprise holds Internal Assets, Servers, E-mail, Web Servers, Remote Access Systems and a Network Operations Center (NOC); enforcement points (X) are marked at the Edge, in Transit and in the Core]

Edge techniques
- Interface ACLs
- Unicast RPF
- Flexible packet matching
- IP option filtering
- Marking/rate-limiting
- Routing techniques
- eBGP techniques
- ICMP techniques

Core and transit techniques
- Receive ACLs
- CoPP
- ICMP techniques
- QoS techniques
- Routing techniques
- Disable unused services
- Protocol specific filters
- Password security
- SNMP security
- Remote terminal access security
- System banners
- AAA
- Network telemetry
- Secure file systems

LAB: Lab Overview and Getting Connected

Lab Overview
- All equipment is located at a Cisco location
- There are 10 student pods
  - Two 2811 routers
  - One ASA 5510 with embedded IPS (AIP)
- Lab infrastructure
  - Attackers
  - Victim servers
  - Switches and routers

High Level Network Diagram


Per-Pod Network Diagram


Accessing the Pod Equipment


- Telnet to each device
  - 10.<pod>.11.1: First 2811 router
  - 10.<pod>.12.1: Second 2811 router
  - 10.<pod>.13.1: ASA 5500 firewall
  - 10.<pod>.13.3: IPS module
- Use assigned usernames and passwords
  - Username is pod<number>, password is as assigned
- Can also use DNS names for devices
  - For example, pod1-rtr1, pod1-rtr2, pod1-fw1 or pod1-ips1
- Use the terminal server only as a backup

Using a Terminal Server


- Connect to the terminal server using telnet 10.0.1.11
- Use show hosts to find the hostname
  - For example, pod1-rtr1 or pod10-fw1
- Type the hostname to access the device console
  - Use Ctrl-Shft-6 x to return to the terminal server
  - Use Ctrl-Shft-66 x to send a break to the end device
- Use show sessions to list open connections
  - Enter the session number to return to the end device
- Use disconnect to close old sessions

What is in the LTRSEC-2004 folder


- /configs/pod<pod>/: Configurations
  - Base configurations without passwords
- /labs/<lab-name>/: Lab-specific information
  - Completed configurations from each scenario
  - Video of the lab solution
- /presentation/: Copy of the presentation as PDF
- /references/: Reference information
  - Cisco Security Center, Cisco IntelliShield trial, and Cisco product documentation

If You Get Stuck


- Try accessing the device using the terminal server instead of via Telnet
- Original configurations are saved on the device
  - copy flash:backup-config startup-config and then reload
- Look in the LTRSEC-2004 folder
  - Solution configurations, videos and reference material
- We are here to teach and you are here to learn, so please do not hesitate to ask for help! We are very friendly, I promise!!! ;-)

NetFlow, Flexible NetFlow, and DNS

What is NetFlow
- Packet capture is like a wiretap; NetFlow is like a phone bill
- This level of granularity allows NetFlow to scale for very large amounts of traffic
  - We can learn a lot from studying the phone bill
  - Who is talking to whom, over what protocols and ports, for how long, at what speed, for what duration, etc.
  - NetFlow is a form of telemetry pushed from routers and switches; each one can be a sensor

NetFlow Versions
NetFlow Version | Comments
1 | Original
5 | Standard and most common
7 | Specific to Cisco Catalyst 6500 and 7600 Series Switches. Similar to version 5, but does not include AS, Interface, TCP Flag, and TOS information
8 | Choice of 11 aggregation schemes. Reduces resource usage
9 | Flexible, extensible file export format to enable easier support of additional fields and technologies; coming out now are MPLS, Multicast, and BGP Next-Hop

Version 5: Flow Export Format


Fields in a version 5 flow record:
- Packet Count
- Byte Count
- Start sysUpTime
- End sysUpTime
- Input ifIndex
- Output ifIndex
- Type of Service
- TCP Flags
- Protocol
- Source IP Address
- Destination IP Address
- Source TCP/UDP Port
- Destination TCP/UDP Port
- Next Hop Address
- Source AS Number
- Dest. AS Number
- Source Prefix Mask
- Dest. Prefix Mask

[Figure groups these fields by what they are used for: Usage, Time of Day, Port Utilization, Routing and Peering, QoS]

Version 5 is used extensively today

What Is a Traditional IP Flow?

NetFlow Key Fields

1. Inspect a packet's seven key fields (source IP address, destination IP address, source port, destination port, Layer 3 protocol, ToS byte, input interface) and identify the values
2. If the set of key field values is unique, create a flow record or cache entry
3. When the flow terminates, export the flow to the collector

[Figure: packets enter the NetFlow cache; step 3, Reporting, sends NetFlow Export Packets to the collector]

NetFlow
Internal Threat Information Resource
Internal Threat Information Resource

router(config-if)# ip flow ingress
router(config)# ip flow-export destination 172.17.246.225 9996

- NetFlow is available on routers and switches
- Provides syslog-like information without having to buy a firewall
- One NetFlow packet has information about multiple flows

[Figure: an export packet built from the NetFlow cache: Header (version number, sequence number, record count) followed by Flow Record, Flow Record, ...]

NetFlow cache export packets
- Approximately 1500 bytes
- Typically contain 20-50 flow records
- Sent more frequently if traffic increases on NetFlow-enabled interfaces
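Added example, not part of the deck: a decoder for the version 5 export packet described above (the header with version, record count and sequence number, followed by fixed 48-byte flow records), written against the standard library only. The export packet it parses is constructed in the script itself, so it runs offline; the record builder and the address/port values are assumptions for the sample.

```python
# Added example (not from the deck): decode a NetFlow version 5 export packet
# (24-byte header followed by `count` 48-byte flow records).
import socket
import struct
from datetime import datetime, timezone

HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")    # 48 bytes
TCP_FLAG_NAMES = "FSRPAU"   # bit 0 = FIN ... bit 5 = URG


def flag_string(flags):
    return "".join(n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i))


def parse_v5(packet):
    """Return (header dict, list of flow dicts); raise ValueError on bad input."""
    if len(packet) < HEADER.size:
        raise ValueError("short packet")
    (version, count, sys_uptime, unix_secs, unix_nsecs, seq,
     engine_type, engine_id, sampling) = HEADER.unpack_from(packet, 0)
    if version != 5:
        raise ValueError("not a NetFlow v5 packet: version %d" % version)
    if len(packet) < HEADER.size + count * RECORD.size:
        raise ValueError("packet truncated: header says %d records" % count)
    header = {"version": version, "count": count, "sequence": seq,
              "exported_at": datetime.fromtimestamp(unix_secs, timezone.utc),
              "engine": (engine_type, engine_id),
              "sampling_interval": sampling & 0x3FFF}   # low 14 bits
    flows = []
    for i in range(count):
        (src, dst, nexthop, in_if, out_if, pkts, octets, first, last,
         sport, dport, _pad, tcp_flags, proto, tos, src_as, dst_as,
         src_mask, dst_mask, _pad2) = RECORD.unpack_from(packet, HEADER.size + i * RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "nexthop": socket.inet_ntoa(nexthop), "in_if": in_if, "out_if": out_if,
            "packets": pkts, "bytes": octets, "duration_ms": last - first,
            "sport": sport, "dport": dport, "proto": proto,
            "tcp_flags": flag_string(tcp_flags), "tos": tos,
            "src_as": src_as, "dst_as": dst_as, "src_mask": src_mask, "dst_mask": dst_mask,
        })
    return header, flows


def build_v5(records, seq=0, unix_secs=1338571200):
    """Construct a v5 packet from (src, dst, sport, dport, proto, pkts, bytes, tcp_flags)
    tuples. Next hop, interfaces and masks are fixed sample values."""
    body = b""
    for src, dst, sport, dport, proto, pkts, octets, flags in records:
        body += RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst),
                            socket.inet_aton("10.10.10.2"), 1, 2,
                            pkts, octets, 1000, 1000 + 40 * pkts,
                            sport, dport, 0, flags, proto, 0, 0, 0, 24, 24, 0)
    head = HEADER.pack(5, len(records), 60000, unix_secs, 0, seq, 0, 0, 0)
    return head + body


# Constructed sample: one single-packet SYN to tcp/7 and one normal HTTP flow.
SAMPLE = build_v5([
    ("132.122.25.60", "192.168.1.1", 0x9AEE, 7, 6, 1, 40, 0x02),
    ("10.1.1.5", "192.168.1.10", 51234, 80, 6, 120, 150000, 0x1B),
])

if __name__ == "__main__":
    hdr, flows = parse_v5(SAMPLE)
    print(hdr["count"], "flows, sequence", hdr["sequence"], "exported", hdr["exported_at"])
    for f in flows:
        print(f["src"], f["dst"], f["proto"], f["sport"], f["dport"], f["packets"], f["tcp_flags"])
```

Two points the packet layout makes concrete: the sequence number in the header lets a collector notice lost export packets (the transport is UDP), and the record's TCP flag byte is the OR of all flags seen in the flow, which is why a "S" only flow with one packet reads differently from a completed "FSPA" session.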

NetFlow: On-device Cache Output


Internal Threat Information Resource

[Figure: show ip cache flow output on the device, annotated as Traffic classification, Flow Summary and Detail]

NetFlow Performance: http://www.cisco.com/en/US/products/ps6601/products_white_paper0900aecd802a0eb9.shtml

Configuring NetFlow on 7600/Catalyst 6500


Enable NetFlow
  C6500(config)# mls netflow

Set the flow mask
  C6500(config)# mls flow ip ?
    destination                   destination keyword
    destination-source            destination-source flow keyword
    full                          full flow keyword
    interface-destination-source  interface-destination-source flow keyword
    interface-full                interface full flow keyword
    source                        source only flow keyword

Configure the interface
  C6500(config)# interface g1/1
  C6500(config-if)# ip route-cache flow

NetFlow Version 9 Export Packet


To support technologies such as MPLS or Multicast, this export format can be leveraged to easily insert new fields.

[Figure: one export packet carrying flows from interface A and flows from interface B]
- Packet Header (Version, Number of Packets, Sequence Number, Source ID)
- Template FlowSet
  - Template Record, Template ID #1 (specific field types and lengths)
  - Template Record, Template ID #2 (specific field types and lengths)
- Data FlowSet, FlowSet ID #1: Data Record, Data Record (field values)
- Data FlowSet, FlowSet ID #2: Data Record (field values)
- Option Template FlowSet: Template ID (specific field types and lengths)
- Option Data FlowSet, FlowSet ID: Option Data Record, Option Data Record (field values)

- Matching ID numbers is the way to associate a template with the data records
- The header follows the same format as prior NetFlow versions, so collectors will be backward compatible
- Each data record represents one flow
- If exported flows have the same fields, they can be contained in the same template record; that is, unicast traffic can be combined with multicast records
- If exported flows have different fields, they cannot be contained in the same template record; that is, BGP next-hop cannot be combined with MPLS-aware NetFlow records
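An added example, not from the deck: a minimal version 9 decoder that shows the template mechanism described above in code. Templates are cached per (source ID, template ID) and a data FlowSet is decoded by looking up its FlowSet ID among the cached templates; a data FlowSet whose template has not arrived yet is counted and skipped, which is the case every real collector has to handle because templates are only resent periodically. The packet is constructed inline; the field type numbers used (1, 2, 4, 6, 7, 8, 11, 12, 15, 18) are the standard v9 field types, everything else is sample data.

```python
# Added example (not from the deck): NetFlow v9 template and data FlowSet decoding.
import socket
import struct

FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 6: "tcp_flags",
               7: "src_port", 8: "src_addr", 11: "dst_port", 12: "dst_addr",
               15: "next_hop", 18: "bgp_next_hop"}
ADDRESS_FIELDS = {8, 12, 15, 18}


def decode_field(ftype, raw):
    if ftype in ADDRESS_FIELDS and len(raw) == 4:
        return socket.inet_ntoa(raw)
    return int.from_bytes(raw, "big")


class V9Decoder:
    def __init__(self):
        self.templates = {}        # (source_id, template_id) -> [(type, length), ...]
        self.missing_template = 0  # data FlowSets skipped because no template was known

    def feed(self, packet):
        """Decode one export packet and return the flows it contained."""
        version, _count, _uptime, _secs, _seq, source_id = struct.unpack_from("!HHIIII", packet, 0)
        if version != 9:
            raise ValueError("not a NetFlow v9 packet")
        flows, pos = [], 20
        while pos + 4 <= len(packet):
            fs_id, fs_len = struct.unpack_from("!HH", packet, pos)
            if fs_len < 4:
                raise ValueError("bad FlowSet length")
            body = packet[pos + 4:pos + fs_len]
            if fs_id == 0:                      # template FlowSet
                self._learn_templates(source_id, body)
            elif fs_id == 1:                    # options template: ignored here
                pass
            elif fs_id > 255:                   # data FlowSet, id == template id
                flows.extend(self._decode_data(source_id, fs_id, body))
            pos += fs_len
        return flows

    def _learn_templates(self, source_id, body):
        pos = 0
        while pos + 4 <= len(body):
            tid, nfields = struct.unpack_from("!HH", body, pos)
            pos += 4
            fields = [struct.unpack_from("!HH", body, pos + 4 * i) for i in range(nfields)]
            pos += 4 * nfields
            self.templates[(source_id, tid)] = fields

    def _decode_data(self, source_id, tid, body):
        template = self.templates.get((source_id, tid))
        if template is None:
            self.missing_template += 1
            return []
        rec_len = sum(length for _, length in template)
        records, pos = [], 0
        while pos + rec_len <= len(body):       # anything shorter at the end is padding
            rec, off = {}, pos
            for ftype, length in template:
                rec[FIELD_NAMES.get(ftype, "field_%d" % ftype)] = decode_field(ftype, body[off:off + length])
                off += length
            records.append(rec)
            pos += rec_len
        return records


def flowset(fs_id, body):
    """Wrap a body in a FlowSet header, padding to a 32-bit boundary."""
    body += b"\0" * ((-len(body)) % 4)
    return struct.pack("!HH", fs_id, 4 + len(body)) + body


def build_sample(include_template=True):
    """Constructed packet: template 256 (5-tuple plus counters and flags) and two records."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (2, 4), (1, 4), (6, 1)]
    template = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)

    def rec(src, dst, sp, dp, proto, pkts, byts, flags):
        return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!HHBIIB", sp, dp, proto, pkts, byts, flags)

    data = (rec("3.3.3.3", "2.2.2.2", 23, 22078, 6, 11000, 880000, 0x18) +
            rec("1.1.1.1", "2.2.2.2", 40000, 445, 6, 1, 48, 0x02))
    header = struct.pack("!HHIIII", 9, 3, 60000, 1338571200, 1, 42)
    parts = [flowset(0, template)] if include_template else []
    parts.append(flowset(256, data))
    return header + b"".join(parts)


if __name__ == "__main__":
    decoder = V9Decoder()
    for flow in decoder.feed(build_sample()):
        print(flow)
```

Feeding the data-only packet to a fresh decoder returns nothing and bumps `missing_template`, which is the behaviour to monitor on a collector: a steadily rising count after a router reload or an exporter change usually means the template refresh interval is too long for the flow rate.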

NetFlow Version 9 Export


Configuring Version 9 Export
  router(config)# ip flow-export version ?
    1
    5
    9
  router(config)# ip flow-export version 9
(Export versions available for standard NetFlow flows)

Configuring Version 9 Export for an Aggregation Scheme
  router(config)# ip flow-aggregation cache as
  router(config-flow-cache)# enabled
  router(config-flow-cache)# export ?
    destination  Specify the Destination IP address
    version      configure aggregation cache export version
  router(config-flow-cache)# export version ?
    8  Version 8 export format
    9  Version 9 export format
  router(config-flow-cache)# export version 9
(Export versions available for aggregated NetFlow flows)

Introduction to Flexible NetFlow (FNF)


- Fixed export formats (NetFlow version 1, 5, 7, 8) are not flexible and adaptable; each new version contains new export fields and is incompatible with the previous version
- Flexible NetFlow completely separates the collection and export process
- Allows customization of NetFlow collection
  - Scalable by maintaining flow records of the granularity that is required for a particular user's application
  - Supports more than 100 fields to configure flow records
  - Capture and export complete packet headers for security and other applications
- Offers new export protocols (UDP, SCTP)
- New cache concept (normal, permanent, no-cache)
- Flexible NetFlow is available in Release 12.4(9)T

FNF Components
- The flow monitor is a flow cache with flow records
  - Applied to an interface
  - Flow monitors can be ingress or egress
  - Packet sampling possible per flow monitor
- Flow monitor components
  - Flow record: defines what is captured by NetFlow
  - Flow records have two formats, pre-defined or user-defined schemes; both include key and non-key fields
  - Flow exporter: where NetFlow will be exported
  - Multiple flow exporters per flow monitor

FNF
Multiple Monitors with Unique Key Fields

Flow monitor 1 (traffic analysis)
  Key fields:     Source IP, Destination IP, Source port, Destination port, Layer 3 Protocol, TOS Byte, Input Interface
  Packet 1:       3.3.3.3, 2.2.2.2, 23, 22078, TCP - 6, 0, Ethernet 0
  Non-key fields: Packets, Bytes, Time Stamps, Next-Hop Address

Flow monitor 2 (security analysis)
  Key fields:     Source IP, Dest IP, Input Interface, Packet Section
  Packet 2:       3.3.3.3, 2.2.2.2, Ethernet 0, 1010101
  Non-key fields: Packets, Time Stamps

Traffic Analysis Cache
Source IP | Dest. IP | Dest. I/F | Protocol | TOS | Pkts
3.3.3.3   | 2.2.2.2  | E1        | 6        | 0   | 11000
1.1.1.1   | 2.2.2.2  | E1        | 6        | 0   | 11000

Security Analysis Cache
Source IP | Dest. IP | Dest. I/F | Input I/F | Sec | Pkts
3.3.3.3   | 2.2.2.2  | E1        | E1        | 101 | 11000
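The following added example (not code from the deck) models the cache behaviour behind both the "What Is a Traditional IP Flow?" steps and the two-monitor slide above: packets are keyed on a configurable set of key fields, non-key counters are accumulated, and entries are exported when a TCP flow ends or an active or inactive timer expires. The same constructed packet stream is run through a monitor with the seven traditional key fields and through a coarser security monitor keyed only on source, destination and input interface, so the same traffic produces different caches. Packet values and timeouts are assumptions for the sample.

```python
# Added example (not from the deck): a software model of a NetFlow cache with
# configurable key fields, as Flexible NetFlow allows.
from collections import OrderedDict

# The seven traditional key fields.
TRADITIONAL_KEYS = ("src", "dst", "sport", "dport", "proto", "tos", "in_if")


class FlowMonitor:
    def __init__(self, key_fields, inactive_timeout=15, active_timeout=1800):
        self.key_fields = tuple(key_fields)
        self.inactive_timeout = inactive_timeout   # seconds idle before export
        self.active_timeout = active_timeout       # seconds of age before export
        self.cache = OrderedDict()                 # key tuple -> flow record
        self.exported = []

    def _key(self, packet):
        return tuple(packet.get(k) for k in self.key_fields)

    def observe(self, packet, now):
        """Steps 1 and 2 on the slide: read the key fields, create or update the entry."""
        self.expire(now)
        key = self._key(packet)
        entry = self.cache.get(key)
        if entry is None:
            entry = {k: packet.get(k) for k in self.key_fields}
            entry.update(packets=0, bytes=0, first=now, last=now, flags=0)
            self.cache[key] = entry
        entry["packets"] += 1                      # non-key fields accumulate
        entry["bytes"] += packet.get("len", 0)
        entry["flags"] |= packet.get("flags", 0)
        entry["last"] = now
        if entry["flags"] & 0x05:                  # FIN or RST seen: TCP flow is over
            self._export(key)

    def expire(self, now):
        """Step 3: idle or long-lived flows are exported to the collector."""
        for key, e in list(self.cache.items()):
            if now - e["last"] >= self.inactive_timeout or now - e["first"] >= self.active_timeout:
                self._export(key)

    def _export(self, key):
        self.exported.append(self.cache.pop(key))

    def flush(self):
        """Export everything still cached and return all exported records."""
        for key in list(self.cache):
            self._export(key)
        return self.exported


def constructed_packets():
    """One long telnet session from 3.3.3.3 plus two SYN-only probes from 1.1.1.1."""
    base = dict(src="3.3.3.3", dst="2.2.2.2", sport=23, dport=22078, proto=6, tos=0, in_if="Ethernet0", len=80)
    pkts = [dict(base, t=i * 0.01) for i in range(11000)]
    pkts.append(dict(base, src="1.1.1.1", sport=40000, dport=445, flags=0x02, len=48, t=5.0))
    pkts.append(dict(base, src="1.1.1.1", sport=40001, dport=445, flags=0x02, len=48, t=5.1))
    return sorted(pkts, key=lambda p: p["t"])


def run(monitor, packets):
    for p in packets:
        monitor.observe(p, p["t"])
    return monitor.flush()


if __name__ == "__main__":
    traffic = FlowMonitor(TRADITIONAL_KEYS)                 # like flow monitor 1
    security = FlowMonitor(("src", "dst", "in_if"))          # like flow monitor 2
    for name, monitor in (("traffic", traffic), ("security", security)):
        for flow in run(monitor, constructed_packets()):
            print(name, {k: v for k, v in flow.items() if k not in ("first", "last")})
```

The traffic monitor reports three flows (the two probes differ in source port, a key field there); the security monitor reports two, because with source port dropped from the key both probes collapse into one 1.1.1.1 to 2.2.2.2 entry with a packet count of 2. That collapse is the point of choosing key fields per monitor: the security cache stays small and still counts the probing.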

Using FNF for Detection


Different flow monitors for detecting different types of information:

[Figure: ISP, Branch, WAN, Data Center and Campus, each with a flow monitor suited to it]

- Peering Flows (ISP): Dest. AS, Dest. Traffic Index, BGP Next Hop, DSCP
- IP Flows: IP Subnets, Ports, Protocol, Interfaces, Egress/Ingress
- Multicast Flows: Protocol, Ports, IP Subnets, Packet Replication
- Security Flows: Protocol, Ports, IP Addresses, TCP Flags, Packet Section

FNF Configuration Example


1. Configure the flow record
   flow record my-app-traffic
    match transport tcp source-port
    match transport tcp destination-port
    match ipv4 source address
    match ipv4 destination address
    collect counter bytes
    collect counter packets

2. Configure the exporter
   flow exporter my-exporter
    destination 10.1.1.1

3. Configure the flow monitor
   flow monitor my-monitor
    exporter my-exporter
    record my-app-traffic

4. Configure the interface
   int s3/0
    ip flow monitor my-monitor input

NFDump Output
http://nfdump.sourceforge.net/

[Figure: NFDump output charts: IP Precedence Breakdown, Top N Destination Ports, Top Protocols as % of Flows]

NetFlow Tools: Analyzing data


- NFDump analysis of a customer's /24 network NetFlow data (2008 special event network, former darknet, only up for 2 weeks)
  - 4 internal hosts communicating with a botnet C&C channel
  - High percentage of traffic attempting flows on TCP/7212 and TCP/8000 (scans for proxy servers)
  - ICMP was 20% of captured flows
  - TCP was 71% of captured flows
  - TCP/135 and TCP/445 were 11% of captured flows
  - UDP/1434 scans still roaming the Internet
  - Several top 10 source IP addresses from APNIC network prefix blocks

NetFlow Open Source Tools


Product Name | Primary Use | Comment | OS
Cflowd | Traffic Analysis | No longer supported | UNIX
Flow-tools | Collector Device | Scalable | UNIX
Flowd | Collector Device | Supports V9 | BSD, Linux
FlowScan | Reporting for Flow-tools | | UNIX
IPFlow | Traffic Analysis | Supports V9, IPv4, IPv6, MPLS, SCTP, etc. | Linux, FreeBSD, Solaris
NetFlow Guide | Reporting Tools | | BSD, Linux
NetFlow Monitor | Traffic Analysis | Supports V9 | UNIX
Netmet | Collector Device | V5, supports V9 | Linux
NTOP | Security Monitoring | | UNIX
Stager | Reporting for Flow-tools | | UNIX
Nfdump/nfsen | Traffic Analysis | Supports V5 and V9 | UNIX

Different costs: implementation and customization

Network Behavioral analysis (NBA)


- Networks and network-enabled devices constantly create traffic. However, this traffic follows certain patterns according to the applications and user behaviour
- Analyzing these patterns allows us to see what is NOT normal
- The key is to collect traffic information (NetFlow) and calculate various statistics. These are then compared against a baseline, and abnormalities are analyzed in more detail
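An added example (not from the deck) of the baseline comparison just described: flow records are bucketed into one-minute intervals per protocol and destination port, a baseline of mean and standard deviation is learned from a training window, and later intervals whose count rises well above that baseline are flagged. The flow records, the training window and the thresholds are constructed assumptions for the sample; on real data the baseline would be built per day-of-week and hour.

```python
# Added example (not from the deck): per-interval flow counts compared
# against a learned baseline, the core of a network behavioural analysis.
import statistics
from collections import defaultdict


def bucket_counts(flows, interval=60):
    """Map (interval_start, proto, dport) -> number of flows in that interval."""
    counts = defaultdict(int)
    for f in flows:
        counts[(f["t"] // interval * interval, f["proto"], f["dport"])] += 1
    return counts


def build_baseline(counts, train_until):
    """Per (proto, dport): mean and population stdev of the per-interval counts
    observed before train_until."""
    series = defaultdict(list)
    for (start, proto, dport), n in counts.items():
        if start < train_until:
            series[(proto, dport)].append(n)
    baseline = {}
    for key, values in series.items():
        stdev = statistics.pstdev(values) if len(values) > 1 else 0.0
        baseline[key] = (statistics.mean(values), stdev)
    return baseline


def detect(counts, baseline, train_until, k=3.0, floor=5.0):
    """Flag intervals whose count exceeds mean + k * max(stdev, floor).
    The floor stops a perfectly regular baseline (stdev 0) from alerting on
    a change of one flow; a (proto, dport) never seen in training has a
    baseline of zero, so any burst on a new port is reported."""
    alerts = []
    for (start, proto, dport), n in sorted(counts.items()):
        if start < train_until:
            continue
        mean, stdev = baseline.get((proto, dport), (0.0, 0.0))
        threshold = mean + k * max(stdev, floor)
        if n > threshold:
            alerts.append({"interval": start, "proto": proto, "dport": dport,
                           "count": n, "threshold": threshold})
    return alerts


def constructed_flows():
    """Ten minutes of steady HTTP and DNS, then a normal minute, then a TCP/445 burst."""
    flows = []
    for minute in range(10):
        for i in range(50 + minute % 3):
            flows.append({"t": minute * 60 + i, "proto": 6, "dport": 80})
        for i in range(20):
            flows.append({"t": minute * 60 + i * 2, "proto": 17, "dport": 53})
    for i in range(52):
        flows.append({"t": 600 + i, "proto": 6, "dport": 80})
    for i in range(400):
        flows.append({"t": 660 + i % 60, "proto": 6, "dport": 445})
    return flows


def analyse(flows, train_until=600):
    counts = bucket_counts(flows)
    return detect(counts, build_baseline(counts, train_until), train_until)


if __name__ == "__main__":
    for alert in analyse(constructed_flows()):
        print(alert)
```

Minute 10 stays quiet because 52 HTTP flows is within the baseline of about 51, while the 400 flows to TCP/445 in minute 11 have no baseline at all and are reported; which of the two kinds of alert you tune for (drift on a known service versus appearance of a new one) is what the "analyzed in more detail" step decides.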

NetFlow Deployment Considerations


- Enable NetFlow on all router interfaces
  - NetFlow should typically be enabled on all router interfaces where possible; it is useful for on-box troubleshooting via CLI as well as for export to analysis systems
- How to sample NetFlow records
  - 1:1 NetFlow is useful for troubleshooting, forensics, traffic analysis, and behavioral/relational anomaly detection
  - Sampled NetFlow is useful for traffic analysis and behavioral/relational anomaly detection

Reducing Performance Impact


Reduce CPU and memory impact on the device, collector, and network
- Aging timers
- Sampled NetFlow
- Leverage distributed architectures (VIP, linecards)
- Flow masks (only Catalyst 6500/Cisco 7600)
- Enable on specific subinterface
- Aggregation schemes (v8 on router or on collector)
- Filters (router or collector)
- Data compression (collector)
- Increase collection bucket sizes (collector)
- Collector and router can be placed on the same LAN segment (network)

NetFlow Traceback Techniques

Traceback with NetFlow


Victim

router1#sh ip cache flow | include <destination>
Se1   <source>   Et0   <destination>   06 0050 0A1F   159
...   (lots more flows to the same destination)

Flows are ingressing on interface Serial 1

router1#sh ip cef Serial 1
Prefix           Next Hop      Interface
0.0.0.0/0        10.10.10.2    Serial1
10.10.10.0/30    attached      Serial1

Find the upstream router on Serial 1, then continue on that router
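An added example, not part of the deck, that automates the hop-by-hop procedure above: on each router the flow cache is searched for flows towards the victim (the `| include <destination>` step), the ingress interface carrying most of them is read, and the router reached through that interface (the `sh ip cef` step) is examined next, until the flows arrive on an interface with no router of ours behind it. The topology and the flow caches are constructed inline, with documentation addresses standing in for real ones.

```python
# Added example (not from the deck): hop-by-hop NetFlow traceback over a
# constructed network. Each router entry holds the flows its cache shows
# (src, dst, ingress interface) and, per interface, the upstream router
# that `sh ip cef <interface>` would point to.
NETWORK = {
    "router1": {
        "flows": [("203.0.113.9", "192.168.1.1", "Serial1"),
                  ("203.0.113.10", "192.168.1.1", "Serial1"),
                  ("10.1.1.5", "192.168.1.1", "Ethernet0")],    # a legitimate client
        "upstream": {"Serial1": "router2"},
    },
    "router2": {
        "flows": [("203.0.113.9", "192.168.1.1", "Serial0/1"),
                  ("203.0.113.10", "192.168.1.1", "Serial0/1")],
        "upstream": {"Serial0/1": "router3"},
    },
    "router3": {
        "flows": [("203.0.113.9", "192.168.1.1", "FastEthernet2/0"),
                  ("203.0.113.10", "192.168.1.1", "FastEthernet2/0")],
        "upstream": {},                       # peering edge: traffic comes from outside
    },
}


def ingress_interfaces(network, router, victim, min_flows=2):
    """Like `sh ip cache flow | include <victim>`: ingress interfaces and how many
    flows to the victim each carries. Interfaces below min_flows are treated as
    noise (normal clients) rather than as the attack path."""
    counts = {}
    for _src, dst, in_if in network[router]["flows"]:
        if dst == victim:
            counts[in_if] = counts.get(in_if, 0) + 1
    return {iface: n for iface, n in counts.items() if n >= min_flows}


def traceback(network, victim, start_router, max_hops=16):
    """Return [(router, ingress interface), ...] from the victim's router to the
    point where the attack enters the network."""
    path, router, visited = [], start_router, set()
    for _ in range(max_hops):
        if router in visited:
            raise RuntimeError("loop while tracing back at " + router)
        visited.add(router)
        ingress = ingress_interfaces(network, router, victim)
        if not ingress:
            break                                   # this router sees no attack flows
        iface = max(ingress, key=ingress.get)       # follow the busiest ingress interface
        path.append((router, iface))
        upstream = network[router]["upstream"].get(iface)
        if upstream is None:
            break                                   # entry point: nothing of ours beyond
        router = upstream
    return path


if __name__ == "__main__":
    for router, iface in traceback(NETWORK, "192.168.1.1", "router1"):
        print("%s: attack flows ingress on %s" % (router, iface))
```

The last hop in the returned path is where a mitigation (an interface ACL, or a black-hole route announced upstream) takes effect closest to the source; the `min_flows` filter is what keeps the one legitimate client on Ethernet0 from sending the trace down the wrong interface.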

show ip cache flow


router_A#sh ip cache flow
IP packet size distribution (85435 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .000 .000 1.00 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
  2728 active, 1368 inactive, 85310 added
  463824 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-X                2      0.0         1  1440      0.0       0.0       9.5
TCP-other        82580     11.2         1  1440     11.2       0.0      12.0
Total:           82582     11.2         1  1440     11.2       0.0      12.0

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Et0/0         132.122.25.60   Se0/0         192.168.1.1     06 9AEE 0007     1
Et0/0         139.57.220.28   Se0/0         192.168.1.1     06 708D 0007     1
Et0/0         165.172.153.65  Se0/0         192.168.1.1     06 CB46 0007     1

(The slide annotates the three parts of this output as Protocol Flow Information Summary, Flow Information, and Flow Details.)

Useful NetFlow CLI Tricks


- Router>show ip cache flow | include <ip address>
  - Determine flows pertaining to a specific victim or attacker
- Router>show ip cache flow | include _1 $
  - Determine single packet flows (potential scanning flows)
- Router>show ip cache flow | include K|M $
  - Determine really large flows (in 1,000s or 1,000,000s of packets)
- Router>show ip cache flow | include <protocol / port>
  - Determine flows with specific protocols/ports

Traceback With NetFlow


Example: Tracing Conficker-Infected Hosts

Conficker-infected hosts attempt to replicate to random systems using TCP port 445, which is hexadecimal value 0x01BD.

Router>show ip cache flow | include 01BD
SrcIf  SrcIPaddress   DstIf  DstIPaddress   Pr SrcP DstP Pkts
Fa2/0  XX.XX.XX.242   Fa1/0  XX.XX.XX.119   06 0B88 01BD 1
Fa2/0  XX.XX.XX.242   Fa1/0  XX.XX.XX.169   06 0BF8 01BD 1
Fa2/0  XX.XX.XX.204   Fa1/0  XX.XX.XX.63    06 0E80 01BD 1
Fa2/0  XX.XX.XX.204   Fa1/0  XX.XX.XX.111   06 0CB0 01BD 1
Fa2/0  XX.XX.XX.204   Fa1/0  XX.XX.XX.95    06 0CA0 01BD 1
Fa2/0  XX.XX.XX.204   Fa1/0  XX.XX.XX.79    06 0C90 01BD 1
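An added example, not from the deck, that expresses the CLI tricks from the previous slide and the `include 01BD` search above as code over `show ip cache flow` detail lines, so the same checks can run on output saved from many routers. Single-packet flows, large flows and flows to a given port are each a filter; a source with single-packet flows to TCP/445 against several distinct destinations is reported as a host to investigate, which is the replication pattern the slide describes. The sample output is constructed, with the slide's masked XX.XX.XX.n addresses rendered in the 192.0.2.0/24 documentation range.

```python
# Added example (not from the deck): `show ip cache flow` detail lines parsed
# and filtered the way the CLI `include` tricks do, plus a per-source roll-up.
from collections import defaultdict


def parse_pkts(text):
    """The CLI abbreviates packet counts: 1, 15K, 2M."""
    mult = {"K": 1000, "M": 1000000}
    if text[-1] in mult:
        return int(text[:-1]) * mult[text[-1]]
    return int(text)


def parse_cache_line(line):
    """Parse one detail line: SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts.
    Ports and protocol are printed in hex; anything else (headers, blanks) returns None."""
    parts = line.split()
    if len(parts) != 8:
        return None
    try:
        return {"src_if": parts[0], "src": parts[1], "dst_if": parts[2], "dst": parts[3],
                "proto": int(parts[4], 16), "sport": int(parts[5], 16),
                "dport": int(parts[6], 16), "packets": parse_pkts(parts[7])}
    except ValueError:
        return None


def single_packet_flows(flows):            # `| include _1 $`
    return [f for f in flows if f["packets"] == 1]


def large_flows(flows, threshold=1000):    # `| include K|M $`
    return [f for f in flows if f["packets"] >= threshold]


def to_port(flows, port, proto=6):         # `| include 01BD`
    return [f for f in flows if f["dport"] == port and f["proto"] == proto]


def suspected_scanners(flows, port=445, min_targets=3):
    """Sources with single-packet flows to `port` towards at least min_targets destinations."""
    targets = defaultdict(set)
    for f in single_packet_flows(to_port(flows, port)):
        targets[f["src"]].add(f["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


# Constructed sample output (addresses in 192.0.2.0/24 stand in for the slide's XX.XX.XX.n).
CONSTRUCTED_OUTPUT = """\
SrcIf  SrcIPaddress  DstIf  DstIPaddress  Pr SrcP DstP Pkts
Fa2/0  192.0.2.242   Fa1/0  192.0.2.119   06 0B88 01BD 1
Fa2/0  192.0.2.242   Fa1/0  192.0.2.169   06 0BF8 01BD 1
Fa2/0  192.0.2.204   Fa1/0  192.0.2.63    06 0E80 01BD 1
Fa2/0  192.0.2.204   Fa1/0  192.0.2.111   06 0CB0 01BD 1
Fa2/0  192.0.2.204   Fa1/0  192.0.2.95    06 0CA0 01BD 1
Fa2/0  192.0.2.204   Fa1/0  192.0.2.79    06 0C90 01BD 1
Fa2/0  192.0.2.10    Fa1/0  192.0.2.50    06 C0A1 0050 15K
Fa2/0  192.0.2.11    Fa1/0  192.0.2.50    06 C0A2 01BD 1
"""


def analyse(text):
    flows = [f for f in (parse_cache_line(line) for line in text.splitlines()) if f]
    return {"single": len(single_packet_flows(flows)),
            "large": [f["src"] for f in large_flows(flows)],
            "scanners": suspected_scanners(flows)}


if __name__ == "__main__":
    print(analyse(CONSTRUCTED_OUTPUT))
```

The `min_targets` threshold is what separates a host that legitimately reaches one file server on 445 (192.0.2.11 in the sample) from one that is sweeping; the 15K-packet HTTP flow shows up under the large-flow check instead and is not confused with scanning.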

DNS

Utilizing DNS Telemetry for Detection


- The Domain Name System (DNS) is a background service we often don't think about, but it is in actuality used many, many times each day
- Many types of application use name-based lookups: web browsers, email servers, web servers, and malware such as trojans and bots running on compromised hosts
- By examining DNS logs and statistics, we can detect activity which should be further investigated
- By correlating DNS-related info with other forms of telemetry (NetFlow, packet capture, application logs, etc.), we can often infer the causes and effects of unusual network activity

Example: dnstop query types


0 new queries, 38 total queries                 Wed Jun  1 17:35:51 2011

Query Type     count      %
---------- --------- ------
A?                 9   23.7
NS?                1    2.6
SOA?               1    2.6
PTR?              15   39.5
MX?               10   26.3
TXT?               2    5.3

Source: http://dns.measurement-factory.com/tools/dnstop/

Additional Examples of dnstop Output


dnstop sources output

0 new queries, 38 total queries                 Wed Jun  1 17:35:51 2011

Sources              count      %
---------------- --------- ------
172.19.61.44            19   50.0
172.19.60.28             9   25.0
172.19.61.33             9   25.0

dnstop destinations output

0 new queries, 38 total queries                 Wed Jun  1 17:35:51 2011

Destinations         count      %
---------------- --------- ------
172.19.226.120          29   77.7
10.158.254.13            5   15.0
172.19.220.131           4    9.3

RRDTool Graph of DNS Queries/Sec

Source: http://oss.oetiker.ch/rrdtool/

DNS Correlation: Detecting Botnets

Kumamoto University (Japan) has published several very good papers on DNS correlation; see http://dua.cc.kumamoto-u.ac.jp/~musashi/


Fast Flux and Double-flux


- The C&C system is hidden behind constantly changing front ends
- Very low time to live (TTL) on the DNS A records, so resolvers keep coming back for the next set of addresses
- The bots themselves act as the front-end proxies and, increasingly, as the DNS servers
- Now double-flux: multiple disposable DNS servers per malicious domain, so the NS records flux as well as the A records

Source: www.honeynet.org
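The traits on this slide can be turned into a simple scoring pass over DNS answers collected from a resolver log or packet capture. The Python below is an added example, not from the deck or from honeynet.org: it aggregates A and NS answers per domain across successive lookups, measures TTL and the churn of record sets between rounds, and labels a domain fast-flux (A records flux), double-flux (NS records flux too), or merely low-TTL, which CDNs legitimately are. The observations are constructed and the thresholds (TTL of 300 s or less, at least three distinct addresses, at least half the records new each round) are this example's assumptions.

```python
"""Fast-flux and double-flux indicators from observed DNS answers."""
from collections import defaultdict

# Constructed observations: (domain, rrtype, ttl, rdata, observation_round)
OBSERVATIONS = [
    ("static.example", "A", 86400, "198.51.100.10", 1),
    ("static.example", "A", 86400, "198.51.100.10", 2),
    ("static.example", "NS", 86400, "ns1.static.example", 1),
    ("static.example", "NS", 86400, "ns1.static.example", 2),
    ("cdn.example", "A", 60, "203.0.113.5", 1), ("cdn.example", "A", 60, "203.0.113.6", 1),
    ("cdn.example", "A", 60, "203.0.113.5", 2), ("cdn.example", "A", 60, "203.0.113.6", 2),
    ("cdn.example", "NS", 86400, "ns1.cdn.example", 1), ("cdn.example", "NS", 86400, "ns1.cdn.example", 2),
    ("flux.example", "A", 180, "10.1.2.3", 1), ("flux.example", "A", 180, "10.44.5.6", 1),
    ("flux.example", "A", 180, "10.90.7.8", 1),
    ("flux.example", "A", 180, "10.12.9.9", 2), ("flux.example", "A", 180, "10.55.1.1", 2),
    ("flux.example", "A", 180, "10.90.7.8", 2),
    ("flux.example", "NS", 300, "ns-a.flux.example", 1), ("flux.example", "NS", 300, "ns-b.flux.example", 1),
    ("flux.example", "NS", 300, "ns-c.flux.example", 2), ("flux.example", "NS", 300, "ns-d.flux.example", 2),
]


def summarise(observations):
    """Aggregate per (domain, rrtype): lowest TTL seen, all distinct rdata, rdata per round."""
    agg = defaultdict(lambda: {"min_ttl": None, "rdata": set(), "rounds": defaultdict(set)})
    for dom, rrtype, ttl, rdata, rnd in observations:
        e = agg[(dom, rrtype)]
        e["min_ttl"] = ttl if e["min_ttl"] is None else min(e["min_ttl"], ttl)
        e["rdata"].add(rdata)
        e["rounds"][rnd].add(rdata)
    return agg


def churn(rounds):
    """Fraction of records in each round that were absent from the previous round (0..1)."""
    keys = sorted(rounds)
    if len(keys) < 2:
        return 0.0
    new = total = 0
    for prev, cur in zip(keys, keys[1:]):
        new += len(rounds[cur] - rounds[prev])
        total += len(rounds[cur])
    return new / total if total else 0.0


def classify(observations, low_ttl=300, min_a=3, min_churn=0.5):
    """Return {domain: 'double-flux' | 'fast-flux' | 'low-ttl' | 'stable'}."""
    agg = summarise(observations)
    verdicts = {}
    for (dom, rrtype), e in agg.items():
        if rrtype != "A":
            continue
        a_flux = (e["min_ttl"] <= low_ttl and len(e["rdata"]) >= min_a
                  and churn(e["rounds"]) >= min_churn)
        ns = agg.get((dom, "NS"))
        ns_flux = ns is not None and ns["min_ttl"] <= low_ttl and churn(ns["rounds"]) >= min_churn
        if a_flux and ns_flux:
            verdicts[dom] = "double-flux"
        elif a_flux:
            verdicts[dom] = "fast-flux"
        elif e["min_ttl"] <= low_ttl:
            verdicts[dom] = "low-ttl"   # CDNs do this legitimately; corroborate with NetFlow/ASN data
        else:
            verdicts[dom] = "stable"
    return verdicts


if __name__ == "__main__":
    for dom, verdict in sorted(classify(OBSERVATIONS).items()):
        print(f"{dom:20} {verdict}")
```

A low TTL on its own is not evidence; it is the combination of low TTL, many addresses spread across unrelated networks, and a record set that changes on every lookup that distinguishes flux from a content delivery network.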

LAB: Identify an Ongoing Attack


Use NetFlow to identify an ongoing attack taking place in the lab
- Use the packet capture capabilities of Cisco IOS to classify the attack packets
  - You can use the local packet display functionality, or save the capture as a pcap and view it on your workstation with Wireshark
Use the packet capture functionality of the Cisco ASA firewall to capture and classify attack packets
- A different attack is transiting the firewall


Identifying and Reacting to Attacks with Cisco Firewalls

Cisco Firewall Basics

Cisco Firewall: What is It?


Adaptive Security Appliance (ASA): firewall appliance running a proprietary OS; one expansion slot for service modules; Ethernet and fiber ports on the box
- Does not run IOS but has a similar look and feel
Adaptive Security Appliance Service Module (ASA-SM) and Firewall Services Module (FWSM): line cards for the Catalyst 6500 that provide firewall services; no physical interfaces, VLANs are used as virtual interfaces
IOS device running a firewall feature set in software (IOS-FW): configuration is in IOS (not covered in this session)
IOS device doing stateless filtering using access lists
Cisco's firewall has been around for over 15 years; PIX is the legacy platform

Packet Conformance
Several attacks use fuzzed or irregular packet fields to identify hosts, exploit vulnerabilities, or evade detection:
- Fragmentation: overwrite, overlap, too short, too long (teardrop, jolt, IDS evasion)
- OS identification by fingerprinting the stack's responses, e.g. with Nmap
- Source routing to bypass access control or trigger other vulnerabilities
- Abnormal TCP flags and values, field overwrites
- TTL abnormalities (e.g. a TTL chosen so that a packet expires between the inspection device and its target)

Firewall Packet Conformance


- Virtual Fragmentation Reassembly: reassemble, perform consistency checks (overlap, overwrite, too long, too short), then forward the fragment chain
  - fragment command (default: 24 fragments per packet, 200 packets)
- Dropping packets with IP options present
- Abnormal TCP flag checks
- TCP Intercept (SYN cookies)
- ttl-evasion-protection in MPF (on by default)
- TCP map (TCP options, data in SYN)
- Accelerated Security Path (ASP) checks

Modular Policy Framework

Understanding Modular Policy Framework


- Modular Policy Framework (MPF) is a programming construct for applying granular policy controls in the ASA
- Used for QoS policies, application inspection policies, TCP state bypass, TCP option policies, and NetFlow Secure Event Logging
- Two options: modify the global policy or apply an interface policy
  - The global policy affects all traffic regardless of interface
  - Interface policies override the global policy
- Policies are built from class maps and policy maps

Modular Policy Framework (MPF)


- MPF defines a specific policy or set of policies to classify traffic for advanced inspection
- MPF is built on three related CLI commands:
  - class-map: identifies traffic that needs a specific type of control
  - policy-map: the actions to take on traffic described in a class map
  - service-policy: where the traffic should be intercepted for control
- Only one service policy can be applied per interface
- An additional service policy, applied with the global keyword, applies to traffic on all interfaces; for a given feature an interface policy takes precedence over it

SYN Cookies for DoS Mitigation


SYN floods
- If a TCP SYN requires the server to allocate memory, the total amount of available memory is a finite resource that can be exhausted (DoSed)
- The TCP server holds each half-open connection in the SYN_RCVD state until it times out
- Multiple SYNs leave multiple connections waiting in SYN_RCVD
- Nothing needs to be spoofed for the attack to succeed
With SYN cookies, the server (or the network device in front of it) does not need to allocate memory for a half-open connection, hence the higher resilience to the DoS:

  Client -> Server:  SYN
  Server -> Client:  SYN-ACK; the initial sequence number is a cookie created via a hash of the SYN data (no resources used)
  Client -> Server:  ACK = cookie + 1
  Server:            cookie decoded and validated; TCP connection established
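The exchange above, implemented as a stateless server side in Python, as an added example that is not part of the deck and not Cisco's TCP Intercept implementation. The SYN-ACK sequence number is an HMAC over the connection 4-tuple, the client's ISN, a coarse time counter and an MSS index, so the server stores nothing per SYN and a flood costs it one hash per packet. The secret, the 64-second epoch, the 3-bit counter and the 2-bit MSS table are this example's own layout choices.

```python
"""SYN cookie generation and validation for a stateless TCP listener."""
import hashlib
import hmac

SECRET = b"rotate-me-regularly"       # assumed server-side secret; rotate it in production
MASK32 = 0xFFFFFFFF
MSS_TABLE = (536, 1220, 1440, 1460)   # the 2-bit MSS encoding carried in the cookie


def _epoch(now):
    """3-bit time counter that advances every 64 seconds; bounds a cookie's lifetime."""
    return (now // 64) & 0b111


def _mac(src, sport, dst, dport, client_isn, epoch, mss_idx):
    """32-bit keyed hash over everything the cookie must be bound to."""
    msg = f"{src}:{sport}>{dst}:{dport}|{client_isn}|{epoch}|{mss_idx}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


def make_cookie(src, sport, dst, dport, client_isn, mss, now):
    """ISN for the SYN-ACK. Bits 31..5: MAC; bits 4..2: epoch; bits 1..0: MSS index.
    Nothing is stored, so a SYN flood costs one HMAC per packet and no memory."""
    epoch = _epoch(now)
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    mac = _mac(src, sport, dst, dport, client_isn, epoch, mss_idx)
    return (mac & ~0x1F & MASK32) | (epoch << 2) | mss_idx


def check_ack(src, sport, dst, dport, seq, ack, now):
    """Validate the handshake's third segment: seq - 1 is the client's ISN and
    ack - 1 must be the cookie we issued. Returns the negotiated MSS, or None if
    the cookie is forged, belongs to another 4-tuple, or is older than one epoch."""
    client_isn = (seq - 1) & MASK32
    cookie = (ack - 1) & MASK32
    epoch, mss_idx = (cookie >> 2) & 0b111, cookie & 0b11
    if (_epoch(now) - epoch) & 0b111 > 1:          # accept the current and previous epoch only
        return None
    mac = _mac(src, sport, dst, dport, client_isn, epoch, mss_idx)
    expected = (mac & ~0x1F & MASK32) | (epoch << 2) | mss_idx
    if not hmac.compare_digest(expected.to_bytes(4, "big"), cookie.to_bytes(4, "big")):
        return None
    return MSS_TABLE[mss_idx]


def handshake_demo():
    """Walk the three-way handshake from the slide; returns the negotiated MSS."""
    client, server, now = ("198.51.100.7", 40000), ("192.0.2.10", 80), 1_700_000_000
    client_isn = 0x11223344
    # SYN ->                        (client ISN, MSS option 1460)
    cookie = make_cookie(*client, *server, client_isn, 1460, now)
    # <- SYN-ACK                    seq = cookie, no state allocated
    # ACK ->                        seq = client_isn + 1, ack = cookie + 1
    return check_ack(*client, *server, client_isn + 1, (cookie + 1) & MASK32, now)


if __name__ == "__main__":
    print("negotiated MSS:", handshake_demo())
```

Because the MSS index and epoch are inputs to the MAC, an ACK that is off by one or replayed against another port fails validation rather than being accepted with a different MSS.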

TCP-Intercept
Using MPF:

!-- Using Modular Policy Framework (MPF)
!-- which is available on ASA and PIX
access-list management permit tcp any 192.168.131.0 255.255.255.0
!
class-map connection-limit
 match access-list management
!
policy-map spoof-protect
 class connection-limit
!-- Setting the limit to one forces all connections after
!-- the first to be validated
  set connection embryonic-conn-max 1
!
service-policy spoof-protect interface outside

Using static NAT (pre-8.3 NAT syntax):

!-- Static NAT: this maps the inside IP address 192.168.111.111
!-- to the outside IP address 192.168.222.222 and creates an
!-- embryonic connection limit of 1
static (inside,outside) 192.168.222.222 192.168.111.111 tcp 0 1
!
!-- Static identity NAT, i.e. no address translation
static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 tcp 0 1
!

Once the embryonic (half-open) connection count for the protected hosts exceeds the limit, the firewall answers the SYNs itself with SYN cookies and only completes the connection to the real server after the client's ACK validates.

Regex Pattern Matching


- Regex matching provides an incredible amount of flexibility for application inspection
- A regular expression is a string of characters that describes or matches a set of strings according to a certain syntax
- Can focus on file names, content matching, string matching, or any combination thereof
- The Cisco ASA and FWSM firewalls include a regex wizard with a useful testing facility
- More information on regex can be found at http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/objects.html#wp1310726

Regex Example
Requirement: match any HTTP GET or POST message

asa(config)# regex test_get get
asa(config)# regex test_post post

These would only match GET and POST written in lower case. Regex matching on the ASA is case sensitive, so a better expression matches any mix of case:

asa(config)# regex test_get [Gg][Ee][Tt]
asa(config)# regex test_post [Pp][Oo][Ss][Tt]

Use either the CLI command test regex <input text> <regex> or the Cisco ASDM Regex Wizard to validate regex syntax and to check what a pattern actually matches before applying it.
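Writing [Gg][Ee][Tt]-style patterns by hand gets error-prone for longer strings such as the CLSID and ProgID used later in this session. The Python helper below is an added example, not from the deck: it builds the case-insensitive, metacharacter-escaped form of a literal string in the same style the slides use (letters become bracket classes, the dot in ShockwaveFlash.ShockwaveFlash. is escaped, a hyphen is wrapped as [-]), renders the regex configuration line, and test-matches the result locally as a stand-in for the ASA test regex command. The function names are this example's own, and Python's regex engine is only an approximation of the firewall's, so still verify on the box.

```python
"""Build ASA-style case-insensitive regexes from literal strings."""
import re

# Characters that must be backslash-escaped to be matched literally
_META = ".^$*+?()[]{}|\\"


def ci_regex(literal):
    """Case-insensitive regex for a literal: each ASCII letter becomes [Xx],
    metacharacters are escaped, '-' is wrapped in a bracket class as in the
    deck's CLSID example, digits and other characters stay as they are."""
    out = []
    for ch in literal:
        if ch.isalpha() and ch.isascii():
            out.append(f"[{ch.upper()}{ch.lower()}]")
        elif ch in _META:
            out.append("\\" + ch)
        elif ch == "-":
            out.append("[-]")
        else:
            out.append(ch)
    return "".join(out)


def asa_regex_line(name, literal):
    """Render the 'regex <name> "<pattern>"' configuration line."""
    return f'regex {name} "{ci_regex(literal)}"'


def matches(pattern, text):
    """Local stand-in for 'test regex <text> <pattern>' (unanchored search)."""
    return re.search(pattern, text) is not None


if __name__ == "__main__":
    for name, literal in [("test_get", "get"), ("test_post", "post"),
                          ("ProgID_activeX", "ShockwaveFlash.ShockwaveFlash."),
                          ("CLSID_activeX", "D27CDB6E-AE6D-11cf-96B8-444553540000")]:
        print(asa_regex_line(name, literal))
```

Note that the generated patterns are unanchored, exactly like the ones on the slide: [Gg][Ee][Tt] also matches the word "target" inside a response body, which matters once the regex is used in an HTTP body match.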

Application Layer Protocol Inspection


- Feature on ASA and FWSM security devices
- Stateful deep packet inspection
  - Good for protocols that open secondary ports and use embedded IP addresses
  - Potential DoS vector due to the performance implications
- User-defined policies
- Response actions for undesirable traffic
- Default inspection policy shown below

class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global

Using Modular Policy Framework


Firewall Application Layer Protocol Inspection (ALPI) is used for services that:
- Embed IP addresses in the data packet
- Open secondary channels on dynamically assigned ports
- Require deep packet inspection
HTTP inspection protects against specific vulnerabilities associated with HTTP traffic
- Supported on ASA from 7.2(1) and FWSM from 4.0(1)
- Inspects traffic on TCP ports 80, 3128, 8000, 8010, 8080, 8888, and 24326 (the default ports in the Cisco IPS WEBPORTS variable)
Implemented using inspect class maps and inspect policy maps
Caution: a regex matches text strings at any location in the body of the HTML response, not only in a particular header or tag
Caution: ALPI will decrease firewall performance

MPF: Class-Maps
Class maps are the building blocks of a service policy; they set the match criteria for a given policy and commonly match a value using a regex

!-- Configure regexes for the ActiveX Class ID "D27CDB6E-AE6D-11cf-96B8-444553540000" and ProgID
!-- "ShockwaveFlash.ShockwaveFlash.", and for the combination of a .wbcat file extension and the
!-- malicious library file fveapi.dll
!
regex CLSID_activeX "[dD]27[cC][dD][bB]6[eE][-][aA][eE]6[dD][-]11[cC][fF][-]96[bB]8[-]444553540000"
regex ProgID_activeX "ShockwaveFlash\.ShockwaveFlash\."
regex MS11-001_1 ".+\x2e[Ww][Bb][Cc][Aa][Tt].*[Ff][Vv][Ee][Aa][Pp][Ii]\x2e[Dd][Ll][Ll]"
regex MS11-001_2 "[Ff][Vv][Ee][Aa][Pp][Ii]\x2e[Dd][Ll][Ll].*.+\x2e[Ww][Bb][Cc][Aa][Tt]"
!
!-- Configure regex classes to match on the regular
!-- expressions configured above
!
class-map type regex match-any vulnerable_activeX_class
 match regex CLSID_activeX
 match regex ProgID_activeX
class-map type regex match-any MS11-001_regex_class
 match regex MS11-001_1
 match regex MS11-001_2

MPF: Class-Maps (cont.)


A class map can also match an access list, a TCP/UDP port number, or a DSCP/ToS marking. Access-list example:

!
object-group service WEBPORTS tcp
 port-object eq www
 port-object eq 3128
 port-object eq 8000
 port-object eq 8010
 port-object eq 8080
 port-object eq 8888
 port-object eq 24326
!
access-list Webports-ACL extended permit tcp any any object-group WEBPORTS
!
class-map Webports-Class
 match access-list Webports-ACL
!

MPF: Policy-Maps
Policy maps contain the response action; a policy map can contain multiple class maps and typically sets a connection limit, traffic shaping, priority queuing, or an inspection policy

!-- HTTP application inspection policy map that drops connections matching the regexes
!-- configured on the previous slide
!
policy-map type inspect http http-Policy
 parameters
!-- body-match-maximum is the maximum number of characters in the body of an HTTP message
!-- that is searched in a body match. The default value is 200 bytes. A large number may
!-- have an impact on system performance.
  body-match-maximum 1380
 match response body regex class vulnerable_activeX_class
  drop-connection log
 match response body regex class MS11-001_regex_class
  drop-connection log
!
policy-map global_policy
 class Webports-Class
  inspect http http-Policy

Applying the Service Policy


Similar to an access list, a service policy must be applied before it takes action

! Apply policy "global_policy" globally; inspects traffic entering the firewall from all interfaces
!
service-policy global_policy global

To see statistics for a given service policy, use show service-policy:

asa(config)# show service-policy

Global policy:
  Service-policy: global_policy
    Class-map: Webports-Class
      Inspect: http http-Policy, packet 0, drop 0, reset-drop 0

Displaying Service Policy Statistics


The show service-policy inspect <protocol> command identifies the number of packets of that protocol that were inspected and dropped; the following example shows the output of show service-policy inspect http

asa(config)# show service-policy inspect http

Global policy:
  Service-policy: global_policy
    Class-map: Webports-Class
      Inspect: http http-Policy, packet 0, drop 0, reset-drop 0
        protocol violations
          packet 0
        match response body regex class vulnerable_activeX_class
          drop-connection log, packet 0
        match response body regex class MS11-001_regex_class
          drop-connection log, packet 0

DNS Protocol Inspection Example


! Create the regex matches
Firewall(config)# regex domain1 "yahoo\.com"
Firewall(config)# regex domain2 "google\.com"
!
! Create a regex class map
Firewall(config)# class-map type regex match-any dns_filter_class
Firewall(config-cmap)# match regex domain1
Firewall(config-cmap)# match regex domain2
!
! Create the inspection class map: queries (QR flag not set) whose question name matches the regex class
Firewall(config)# class-map type inspect dns dns_inspect_class
Firewall(config-cmap)# match not header-flag QR
Firewall(config-cmap)# match question
Firewall(config-cmap)# match domain-name regex class dns_filter_class
!
! Policy map action: drop and log the matching queries
Firewall(config-cmap)# policy-map type inspect dns dns_inspect_policy
Firewall(config-pmap)# class dns_inspect_class
Firewall(config-pmap-c)# drop log
!
Firewall(config-pmap-c)# class-map inspection_default
Firewall(config-cmap)# match default-inspection-traffic
!
Firewall(config-cmap)# policy-map egress_policy
Firewall(config-pmap)# class inspection_default
Firewall(config-pmap-c)# inspect dns dns_inspect_policy
!
Firewall(config-pmap-c)# service-policy egress_policy interface inside
!

The regexes are unanchored, so "google\.com" also matches names such as google.com.attacker.example; tighten or anchor the patterns before deploying a filter like this in production.

Reference: DNS Best Practices, Network Protections, and Attack Identification
http://www.cisco.com/web/about/security/intelligence/dns-bcp.html

DNS Protocol Inspection Example (cont.)

Before the service policy is applied, resolution from an endpoint on the inside succeeds:

[user@linux ~]$ dig www.google.com

; <<>> DiG 9.5.0b3 <<>> www.google.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13951
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 7, ADDITIONAL: 7

;; QUESTION SECTION:
;www.google.com.                IN      A

;; ANSWER SECTION:
www.google.com.         118837  IN      CNAME   www.l.google.com.
www.l.google.com.       37      IN      A       209.85.165.147
www.l.google.com.       37      IN      A       209.85.165.99
www.l.google.com.       37      IN      A       209.85.165.103
www.l.google.com.       37      IN      A       209.85.165.104

Disable and then re-enable the service policy that inspects DNS queries on the inside interface:

Firewall(config)# no service-policy egress_policy interface inside
Firewall(config)# service-policy egress_policy interface inside

With the policy active, the query for the filtered domain is dropped by the firewall and resolution on the endpoint fails (the resolver sees a timeout, not an error response):

[user@linux ~]$ dig www.google.com

; <<>> DiG 9.5.0b3 <<>> www.google.com
;; global options:  printcmd
;; connection timed out; no servers could be reached
[user@linux ~]$

Firewall Protocol Inspection References


Configuring a Service Policy Using the Modular Policy Framework
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/mpf_service_policy.html

Getting Started With Application Layer Protocol Inspection
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/inspect_overview.html

The PDF Problem


- Widely used
- Many vulnerabilities
- Many ways to obfuscate exploitation
- Difficult to detect with AV or IPS
- Some common traits

A Bad PDF
PDFiD 0.0.10_PL z5r.pdf
 PDF Header: %PDF-1.3
 obj                   14
 endobj                14
 stream                 2
 endstream              2
 xref                   1
 trailer                1
 startxref              1
 /Page                  1
 /Encrypt               0
 /ObjStm                0
 /JS                    2
 /JavaScript            3
 /AA                    0
 /OpenAction            1
 %%EOF
 After last %%EOF       0
 Total entropy:           7.396393 (   4301 bytes)
 Entropy inside streams:  7.922360 (   2671 bytes)
 Entropy outside streams: 5.004960 (   1630 bytes)

The first object of the file carries an /OpenAction that runs JavaScript, this.qwer(), as soon as the document is opened:

0000  25 50 44 46 2D 31 2E 33 0D 0A 25 E2 E3 CF D3 0D   %PDF-1.3..%.....
0010  0A 31 20 30 20 6F 62 6A 0D 0A 3C 3C 2F 4F 70 65   .1 0 obj..<</Ope
0020  6E 41 63 74 69 6F 6E 20 3C 3C 2F 4A 53 20 28 74   nAction <</JS (t
0030  68 69 73 2E 71 77 65 72 5C 28 5C 29 29 0D 0A 2F   his.qwer\(\))../
0040  53 20 2F 4A 61 76 61 53 63 72 69 70 74 0D 0A 3E   S /JavaScript..>

The entropy inside the two streams (7.92 bits per byte) is close to the maximum of 8, a sign of compressed or encrypted content, while the rest of the file looks like ordinary text (5.00); together with the non-zero /JS, /JavaScript, and /OpenAction counts, that is what makes this file worth a closer look.

The PDF Problem


- The OpenAction runs without any user interaction
- JavaScript is what gets executed automatically
- The JavaScript is compressed inside the file and has to be decompressed first
- In this case, a large section of JavaScript used char/int conversions to obfuscate the true code
- Once that was decoded, the variables used search-and-replace functions to defeat any kind of string comparison
- So even if a device looked at the file, went to the offset, decompressed, and then deobfuscated the content, things such as offsets and NOP sleds would still need to be decoded
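The first pass of the triage above, the PDFiD-style keyword and entropy report, is straightforward to reproduce, and doing so shows one of the obfuscation tricks the slide alludes to. The Python below is an added example, not the deck's tool and not PDFiD itself: it counts the structural and risky name tokens (/JS, /JavaScript, /AA, /OpenAction, ...), first normalising PDF name escapes so that /J#53 is counted as /JS, and computes Shannon entropy inside and outside stream objects. The sample document is a constructed minimal PDF with an OpenAction and an obfuscated JavaScript name, not the z5r.pdf sample from the slide; the keyword list and flag names are this example's own.

```python
"""PDFiD-style triage: keyword counts, name de-obfuscation and stream entropy."""
import math
import re
from collections import Counter

KEYWORDS = (b"obj", b"endobj", b"stream", b"endstream", b"xref", b"trailer", b"startxref",
            b"/Page", b"/Encrypt", b"/ObjStm", b"/JS", b"/JavaScript", b"/AA",
            b"/OpenAction", b"/Launch", b"/EmbeddedFile")

# Constructed sample: catalog with an OpenAction, a page with an /AA entry, and a
# JavaScript action whose names are hidden with #xx escapes ('#53' is 'S').
SAMPLE_PDF = (
    b"%PDF-1.3\r\n"
    b"1 0 obj\r\n<</Type /Catalog /Pages 2 0 R /OpenAction <</S /JavaScript /JS (this.qwer\\(\\))>>>>\r\nendobj\r\n"
    b"2 0 obj\r\n<</Type /Pages /Kids [3 0 R] /Count 1>>\r\nendobj\r\n"
    b"3 0 obj\r\n<</Type /Page /Parent 2 0 R /AA <</O 4 0 R>>>>\r\nendobj\r\n"
    b"4 0 obj\r\n<</S /Java#53cript /J#53 5 0 R>>\r\nendobj\r\n"
    b"5 0 obj\r\n<</Length 64 /Filter /FlateDecode>>\r\nstream\r\n"
    + bytes(range(64)) +
    b"\r\nendstream\r\nendobj\r\n"
    b"trailer\r\n<</Root 1 0 R>>\r\nstartxref\r\n0\r\n%%EOF\r\n"
)


def normalise_names(data):
    """Decode #xx escapes so obfuscated names (/J#53, /Open#41ction) count normally."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def count_keywords(data):
    """Count each keyword as a whole token: /Page must not count /Pages, and
    'obj' must not count the tail of 'endobj'."""
    norm = normalise_names(data)
    counts = {}
    for kw in KEYWORDS:
        if kw.startswith(b"/"):
            pat = re.escape(kw) + rb"(?![A-Za-z0-9])"
        else:
            pat = rb"(?<![A-Za-z])" + re.escape(kw) + rb"(?![A-Za-z])"
        counts[kw.decode()] = len(re.findall(pat, norm))
    return counts


def entropy(data):
    """Shannon entropy in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def split_streams(data):
    """Return (bytes inside stream...endstream, everything else)."""
    inside = b"".join(re.findall(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S))
    outside = re.sub(rb"stream\r?\n.*?\r?\nendstream", b"stream\nendstream", data, flags=re.S)
    return inside, outside


def triage(data):
    counts = count_keywords(data)
    inside, outside = split_streams(data)
    flags = []
    if counts["/OpenAction"] or counts["/AA"]:
        flags.append("auto-action")
    if counts["/JS"] or counts["/JavaScript"]:
        flags.append("javascript")
    if normalise_names(data) != data:
        flags.append("name-obfuscation")
    if counts["/ObjStm"]:
        flags.append("object-streams")
    return {"counts": counts, "entropy_inside": entropy(inside),
            "entropy_outside": entropy(outside), "flags": flags}


if __name__ == "__main__":
    report = triage(SAMPLE_PDF)
    for k, v in report["counts"].items():
        print(f" {k:<22}{v}")
    print(f" entropy inside/outside: {report['entropy_inside']:.3f} / {report['entropy_outside']:.3f}")
    print(" flags:", ", ".join(report["flags"]))
```

The point of the normalisation step is that a naive regex on the wire (such as an ALPI body match for "/JavaScript") misses /Java#53cript entirely, while a reader interprets both identically; any detection that works on the raw bytes has to canonicalise names, and the compressed stream content is invisible to it altogether.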

LAB: Malicious File Download


A new vulnerability is discovered in how various software products process specially crafted Portable Document Format (PDF) files
- Download for analysis: http://www-pod<pod>rtr<dev>/birthdayandbeer.pdf, for example http://wwwpod5-rtr2/birthdayandbeer.pdf
PDF files contain objects and elements, some of which can be used maliciously
- Hint: /JavaScript, /JS, and /AA; see slides 92-94
Configure an Application Layer Protocol Inspection policy to detect and drop the malicious PDF file
- Hint: see slides 84-91 on how to configure an ALPI inspection policy

For Your Reference

Module 13 Advanced Firewall Configurations

ASA Threat Detection


- Statistical visibility into packets being dropped by the ASA
- The ASA tracks the intervals at which events occur
- When a threat is detected, the ASA generates syslog messages 733100 - 733103
- Two options: basic and advanced
  - Basic is enabled by default and has no performance impact
  - Advanced provides more granular object tracking, including ports, protocols, and individual hosts, and can significantly impact the CPU
- ASA 8.3 introduces memory optimization of threat detection (TD); use show threat-detection memory to see the TD memory footprint

ASA Protecting Against Attacks


ASA Threat Detection Description

The ASA monitors dropped packets and security events in an attempt to identify threats, and generates syslog messages (733100 - 733103) when a threat is detected. The drop categories tracked are:
- Denies by ACL
- Exceeding connection limits
- Interface overload
- Bad packets
- Scanning attack detected
- No-data UDP sessions
- Packets failing application inspection
ASA Threat Detection


Basic Threat Detection Defaults

Packet Drop Reason                          Average Rate                          Burst Rate
------------------------------------------  ------------------------------------  ------------------------------------
DoS attack                                   100 drops/sec over last 600 sec       400 drops/sec over last 10 sec
Bad packet format                             80 drops/sec over last 3600 sec      320 drops/sec over last 60 sec
Connection limit exceeded
Suspicious ICMP detected

Scanning attack detected                       5 drops/sec over last 600 sec        10 drops/sec over last 10 sec
                                               4 drops/sec over last 3600 sec        8 drops/sec over last 60 sec

Incomplete sessions (UDP and TCP combined)   100 drops/sec over last 600 sec       200 drops/sec over last 10 sec
                                              80 drops/sec over last 3600 sec      160 drops/sec over last 60 sec

Denied by ACL                                400 drops/sec over last 600 sec       800 drops/sec over last 10 sec
                                             320 drops/sec over last 3600 sec      640 drops/sec over last 60 sec

Basic firewall checks failed                 400 drops/sec over last 600 sec       400 drops/sec over last 10 sec
Packets failed application inspection        320 drops/sec over last 3600 sec      320 drops/sec over last 60 sec

Interface overload                          2000 drops/sec over last 600 sec      8000 drops/sec over last 10 sec
                                            1600 drops/sec over last 3600 sec     6400 drops/sec over last 60 sec

Each category carries two average-rate thresholds (600-second and 3600-second windows) and two matching burst-rate thresholds (10-second and 60-second windows); exceeding any of them generates the syslog message.

Cisco Security Appliance 8.2 Configuration Guide: Preventing Network Attacks
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_threat.html
ASA Threat Detection


Basic Threat Detection Options (cont.)

Keywords: acl-drop, bad-packet-drop, conn-limit-drop, dos-drop, fw-drop, icmp-drop, inspect-drop, scanning-threat, syn-attack

Parameter       Low             High
rate-interval   600 sec         2592000 sec
average-rate    0 drops/sec     2147483647 drops/sec
burst-rate      0 drops/sec     2147483647 drops/sec

ASA Threat Detection


Configuring Basic Threat Detection

Enable the feature:

ASA(config)# threat-detection basic-threat

Configure the options (here lowering the DoS drop thresholds):

ASA(config)# threat-detection rate dos-drop rate-interval 600 average-rate 60 burst-rate 100

ASA Threat Detection


Configuring Scanning Threat Detection

Enable the feature; shunning is optional, and the except keyword protects the listed hosts and networks from ever being shunned:

ASA(config)# threat-detection scanning-threat shun except object-group NO-SHUN-LIST

Configure the options (same parameters as basic threat detection):

ASA(config)# threat-detection rate scanning-threat rate-interval 600 average-rate 6 burst-rate 10
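To see what the average-rate and burst-rate parameters in the two configurations above actually do, the Python below models a single drop category the way the defaults table describes it: a sliding average over rate-interval seconds and a burst rate over a short window, evaluated every second. It is an added example, not Cisco's implementation: the burst interval is a parameter here (the defaults table shows 10 s for a 600 s rate interval), the events are constructed, and the from_cli helper only parses the exact threat-detection rate form shown on the slides.

```python
"""Average-rate and burst-rate threat detection over per-second drop counts."""
from collections import deque


class RateDetector:
    """One drop category with an average-rate and a burst-rate threshold."""

    def __init__(self, name, rate_interval=600, average_rate=100,
                 burst_rate=400, burst_interval=10):
        self.name = name
        self.rate_interval, self.average_rate = rate_interval, average_rate
        self.burst_interval, self.burst_rate = burst_interval, burst_rate
        self.buckets = deque()          # (second, drops), one entry per second, oldest first
        self.alerts = []                # (second, category, kind): where syslog 733100 would fire

    def _rate(self, now, window):
        """Drops per second over the last 'window' seconds ending at 'now'."""
        return sum(d for s, d in self.buckets if s > now - window) / window

    def record(self, second, drops):
        """Add the drops seen during 'second'; return "burst", "average" or None."""
        if self.buckets and self.buckets[-1][0] == second:
            self.buckets[-1] = (second, self.buckets[-1][1] + drops)
        else:
            self.buckets.append((second, drops))
        while self.buckets and self.buckets[0][0] <= second - self.rate_interval:
            self.buckets.popleft()      # nothing older than rate-interval matters
        verdict = None
        if self._rate(second, self.burst_interval) > self.burst_rate:
            verdict = "burst"
        elif self._rate(second, self.rate_interval) > self.average_rate:
            verdict = "average"
        if verdict:
            self.alerts.append((second, self.name, verdict))
        return verdict


def from_cli(line, burst_interval=10):
    """Build a detector from a 'threat-detection rate <category> rate-interval N
    average-rate N burst-rate N' line (burst interval is assumed, see above)."""
    parts = line.split()
    opts = dict(zip(parts[3::2], map(int, parts[4::2])))
    return RateDetector(parts[2], opts["rate-interval"], opts["average-rate"],
                        opts["burst-rate"], burst_interval)


def demo():
    """A 4,500-packet spike trips the burst threshold immediately; a steady
    150 drops/sec never trips burst but crosses the average after 400 seconds."""
    spike = RateDetector("dos-drop")
    spike_verdicts = [spike.record(0, 50), spike.record(1, 4500)]
    steady = RateDetector("dos-drop")
    steady_verdicts = [steady.record(t, 150) for t in range(600)]
    return spike_verdicts, steady_verdicts


if __name__ == "__main__":
    spike, steady = demo()
    print("spike:", spike)
    print("steady first alert at t =", steady.index("average"))
    d = from_cli("threat-detection rate dos-drop rate-interval 600 average-rate 60 burst-rate 100")
    print("configured:", d.name, d.rate_interval, d.average_rate, d.burst_rate)
```

The two thresholds are complementary: the burst rate catches a short, sharp event that would be diluted over a 600-second average, while the average rate catches a slow, sustained one that never exceeds the burst rate in any 10-second window.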

LAB: ASA Threat Detection

Use Threat Detection on the ASA to identify and block an ongoing attack
- This is not the same attack as seen in the other scenarios
Enable basic and scanning threat detection
- Remember to enable logging!
Use the threat detection logs to identify the attack
Use access control lists on the ASA to block the attacker
- Correctly update the existing ACL if one exists

Reacting with BGP

Blackhole Filtering
Blackhole filtering, or blackhole routing, forwards a packet to the device's bit bucket
- Also known as a route to Null0
Works only on destination addresses, because it is part of the forwarding (destination lookup) logic
Forwarding ASICs are designed to work with routes to Null0, dropping the packet with minimal to no performance impact
Used for years as a way to blackhole unwanted packets

Customer is DoSed: Before


Diagram: attack traffic arrives through Peer A, Peer B, and Upstreams A-D via IXP-W and IXP-E, crosses the core, converges on the Target behind the POP, and the Target is taken out.

Customer is DoSed: Before, Collateral Damage

Diagram: the same attack saturates the POP links, so the neighbouring Customers on the POP suffer collateral damage, not just the Target.

Remotely Triggered Blackhole Filtering


- Use BGP to trigger a network-wide response to attacks
- A simple static route and BGP enable a network-wide destination-address blackhole as fast as iBGP can update the network
- This provides a tool that can be used to respond to security-related events and forms a foundation for other remote-triggered uses
- Often referred to as RTBH

Remotely Triggered Blackhole


Configure all edge routers with a static route to Null0 (use an address from a reserved network)
  ip route 192.0.2.1 255.255.255.255 Null0
Configure a trigger router
- Part of the iBGP mesh
- A dedicated router is recommended
Activate the blackhole
- Redistribute a host route for the victim into BGP with the next hop set to 192.0.2.1
- The route is propagated by BGP to all BGP speakers and installed on the routers that carry the 192.0.2.1 route
- All traffic to the victim is now sent to Null0

Step 1: Prepare All Routers with Trigger


- Select a small block that will not be used for anything other than blackhole filtering; commonly used address allocations:
  - TEST-NET-1 (192.0.2.0/24)
  - TEST-NET-2 (198.51.100.0/24)
  - TEST-NET-3 (203.0.113.0/24)
- Configure a static route with a /32 mask from one of the TEST-NET address space allocations
- Set the next hop to the Null0 interface
- Add this static route to every edge router/switch on the network
  ip route 192.0.2.1 255.255.255.255 Null0

Step 1: Prepare All Routers with Trigger (diagram)

Diagram: every edge router (facing IXP-W, IXP-E, Peers A-B, and Upstreams A-D) carries the Test-Net static route to Null0; the Sinkhole Network and the NOC hang off the core, and the Target (labelled 10.68.19.0/24 and 172.19.61.1) sits behind the POP.

Step 2: Prepare the Trigger Router


- The trigger router is the device that injects the iBGP announcement into the network
- Should be part of the iBGP mesh, but does not have to accept routes
- Can be a separate router (recommended)
- Can be a production router
- Can be a workstation running Zebra/Quagga (interfaced with Perl scripts and other tools)

Trigger Router Configuration


Redistribute static routes into BGP with a route map that matches the static route tag and sets the next hop to the trigger address:

router bgp 65535
 ...
 redistribute static route-map static-to-bgp
 ...
!
route-map static-to-bgp permit 10
 match tag 66
 set ip next-hop 192.0.2.1
 set community no-export
 set origin igp

Because the route map has only this permit clause, statics without tag 66 fall through to the implicit deny and are not redistributed into BGP; the no-export community keeps the blackhole route inside the AS.

Step 3: Activate the Blackhole


Add a static route to the destination to be blackholed; the static is added with tag 66 to keep it separate from the other statics on the trigger router
  ip route 172.19.61.1 255.255.255.255 Null0 tag 66
The BGP advertisement goes out to all BGP-speaking routers
The routers receive the BGP update and glue it to the existing static route: because the next hop 192.0.2.1 recursively resolves to the static route to Null0, the effective next hop for 172.19.61.1 is now Null0
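The three steps above, from the tagged static on the trigger router to the recursive lookup on an edge router, as a small Python model. This is an added example, not Cisco code: a toy RIB with longest-prefix match and recursive next-hop resolution, a function standing in for the redistribute static route-map static-to-bgp clause from step 2, and an edge router table built from step 1 plus a few assumed connected, OSPF and default routes that stand in for the deck's topology. The victim address 172.19.61.1 and trigger address 192.0.2.1 are the deck's; the 10.68.19.0/24 and 203.0.113.0/30 links are assumptions.

```python
"""Recursive next-hop resolution for a remotely triggered blackhole."""
import ipaddress


def _is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


class Rib:
    """Toy routing table: (network, next hop or outgoing interface, source)."""

    def __init__(self):
        self.routes = []

    def add(self, prefix, next_hop, source):
        self.routes.append((ipaddress.ip_network(prefix), next_hop, source))

    def lookup(self, addr):
        """Longest-prefix match."""
        ip = ipaddress.ip_address(addr)
        hits = [r for r in self.routes if ip in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen) if hits else None

    def resolve(self, addr, max_depth=8):
        """Follow next hops until an interface (Null0, GigabitEthernet...) is reached;
        returns the chain of routes used, which is what the FIB 'glues' together."""
        chain = []
        for _ in range(max_depth):
            r = self.lookup(addr)
            if r is None:
                return chain + ["unreachable"]
            chain.append(f"{r[0]} via {r[1]} ({r[2]})")
            if not _is_ip(r[1]):
                return chain
            addr = r[1]
        return chain + ["recursion limit"]


def trigger_router_updates(statics, tag=66, trigger="192.0.2.1"):
    """Model of 'redistribute static route-map static-to-bgp' (step 2): only statics
    carrying the tag are announced, with the next hop rewritten to the trigger
    address and community no-export; other statics hit the implicit deny."""
    return [{"prefix": p, "next_hop": trigger, "community": "no-export", "origin": "igp"}
            for p, _nh, t in statics if t == tag]


def build_edge_router(updates, trigger="192.0.2.1", with_trigger_static=True):
    """An edge router's table: the step-1 static plus assumed topology routes."""
    rib = Rib()
    if with_trigger_static:
        rib.add(f"{trigger}/32", "Null0", "static")                 # step 1
    rib.add("203.0.113.0/30", "GigabitEthernet0/0", "connected")    # upstream link (assumed)
    rib.add("0.0.0.0/0", "203.0.113.1", "static default")           # default to upstream (assumed)
    rib.add("10.68.19.0/24", "GigabitEthernet0/1", "connected")     # link toward the POP (assumed)
    rib.add("172.19.61.0/24", "10.68.19.2", "ospf")                 # victim's /24 via the POP (assumed)
    for u in updates:
        rib.add(u["prefix"], u["next_hop"], "bgp")
    return rib


def demo():
    statics = [("172.19.61.1/32", "Null0", 66),         # step 3: tagged victim route on the trigger
               ("10.200.0.0/16", "10.68.19.2", None)]   # unrelated static, must not be redistributed
    updates = trigger_router_updates(statics)
    edge = build_edge_router(updates)
    return updates, edge.resolve("172.19.61.1"), edge.resolve("172.19.61.2")


if __name__ == "__main__":
    updates, victim, neighbour = demo()
    print("iBGP update:", updates)
    print("victim     :", " -> ".join(victim))
    print("neighbour  :", " -> ".join(neighbour))
    forgot = build_edge_router(updates, with_trigger_static=False)
    print("no step 1  :", " -> ".join(forgot.resolve("172.19.61.1")))
```

The last line of the demo is the check worth keeping: on a router that never received the step-1 static, the BGP route for the victim still wins, but its next hop 192.0.2.1 resolves through the default route and the attack traffic is forwarded upstream instead of being dropped. Verify every edge router carries the Null0 static before relying on the trigger.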

Step 3: Activate the Blackhole (cont.)

The FIB glues 172.19.61.1's next hop to Null0, triggering the blackhole filtering:

  BGP RIB (AS 65501):   AS 65000's routes, AS 65510's routes, AS 65511's routes,
                        172.19.61.1 next hop = 192.0.2.1 with no-export
  OSPF RIB, static and connected routes:
                        192.0.2.1/32 = Null0
  BGP best path selection -> FIB best path selection (unless multipath) -> FIB:
                        172.19.61.1 next hop = 192.0.2.1
                        192.0.2.1/32 = Null0

Activating RTBH

The BGP update sent out once the trigger router prepared in step 2 injects the victim route:
  BGP sent: 172.19.61.1 next hop = 192.0.2.1
The static route entered in step 1 on every edge router:
  192.0.2.1 = Null0
Result of the recursive lookup on each edge router:
  172.19.61.1 -> 192.0.2.1 -> Null0
What happens when the next hop in the routing table is Null0? The next hop of 172.19.61.1 is now effectively Null0, so packets to the victim are dropped at the edge.

Step 3: Activate the Blackhole (cont.)

Diagram: the trigger router in the NOC advertises the list of blackholed prefixes over iBGP to every edge router (facing IXP-W, IXP-E, Peers A-B, and Upstreams A-D).

Customer Is DoSed: After, Packet Drops Pushed to the Edge

Diagram: with the blackholed prefixes advertised over iBGP, the attack traffic to the Target is dropped at each edge router instead of crossing the core to the POP.

Using Remote Triggered Blackhole


- Service providers and enterprises use RTBH frequently
- Often the only scalable answer to a large-scale DoS attack; proven very effective
- Interprovider triggers are not implemented; operators rely on informal channels
- Can be offered as a service: customer-triggered blackholing
  - Edge customers trigger the update, the SP doesn't get involved
  - Implication: you detect, you classify, etc.
- Whitelist traffic that must never be blackholed (the "golden networks") to prevent self-DoS: http://www.cymru.com/gillsr/documents/golden-networks

For Your Reference

Attract and Analyze: Sinkholes

Sinkhole Routers/Networks
- Sinkholes are a topological security feature; think of a network honeypot
- A router or workstation built to draw in traffic and assist in analyzing attacks (the original use)
- Redirect attacks away from the customer, working the attack on a router built to withstand it
- Used to monitor attack noise, scans, data from misconfiguration, and other activity (via the advertisement of default or unused IP space)
- Traffic is typically diverted via BGP route advertisements and policies
- Leverage instrumentation in a controlled environment
  - Pull the traffic past analyzers/analysis tools

Sinkhole Routers/Networks (cont.)

Diagram sequence: Customers hang off aggregation routers alongside a Sinkhole Network; the Target Network 192.168.20.0/24 contains the host 192.168.20.1 that is under attack. The sinkhole router then advertises the more specific 192.168.20.1/32, so the attack traffic is drawn to the sinkhole instead of to the customer.

Sinkhole Routers/Networks (cont.)


- The attack is pulled away from the customer/aggregation router
- Classification ACLs, packet capture, etc. can now be applied
- The objective is to minimize the risk to the network while investigating the attack incident

Diagram: the sinkhole router advertises 192.168.20.1/32 and the attack on the Target of Attack in 192.168.20.0/24 now terminates in the Sinkhole Network.

Sinkhole Routers/Networks (cont.)


Advertising space from the sinkhole will pull in all sorts of traffic:
- Customer traffic when circuits flap
- Network scans to unallocated address space
- Worm traffic
- Backscatter
Place tracking tools in the sinkhole network to monitor the noise

Diagram: the sinkhole router advertises the unused space; stray traffic and scans from the Customers are drawn into the Sinkhole Network.

What to Monitor in a Sinkhole?


- Scans on dark IP (allocated and announced but unassigned address space)
  - Who is monitoring the network; pre-attack planning; worms
- Scans on bogons (unallocated address space)
  - Worms, infected machines, and bot creation
- Backscatter from attacks
  - Who is being attacked
- Backscatter from garbage traffic (RFC 1918 leaks)
  - Which customers have misconfigurations or leaking networks

Sinkhole Architecture
- Expand the sinkhole with a dedicated router into a variety of tools
- Pull the DDoS attack to the sinkhole and forward data toward the target router
- A static ARP entry for the target router keeps the sinkhole operational: the target router can crash under the attack, and the static ARP entry keeps the gateway forwarding traffic to the Ethernet switch rather than generating lots of ICMP error messages
- Observe trends and deviations; reserve packet detail for research and specific analysis

[Figure: sinkhole architecture. A gateway router with links to the backbone holds a static ARP entry for the target router; the target router and the sniffers and analyzers sit on the sinkhole Ethernet segment]

Sinkholes: Worm Detection


[Figure: worm detection with a sinkhole. A customer computer infected with Conficker starts scanning the Internet; the sinkhole network advertises bogon and dark IP space, so the scans land in the sinkhole. NetFlow data from edge routers may also be used for this purpose]


But I'm Not a Core Provider

All networks aggregate traffic somewhere
- Control where and how, and you control your traffic
- A default route is a strange attractor
- Do you use a default route internally, with full routes at the edge? Congratulations, you have a sinkhole!
- Don't let those packets drop in vain

Collect data about the traffic and realize the benefits of sinkholes


Why Sinkholes?
- They work. Providers, enterprise operators, and researchers use them for data collection and analysis
- More uses are being found through experience and individual innovation
- Deploying sinkholes correctly takes preparation
- Team Cymru Darknet Project: http://www.teamcymru.org/Services/darknets.html


Anycast and Sinkholes


- Anycast builds redundancy by duplicating resources so that IP routing determines which resource traffic is routed to
- Sinkholes are designed to pull in traffic, potentially large volumes
- Optimal placement in the network requires mindful integration and can have a substantial impact on network performance and availability
- A single sinkhole might require major reengineering of the network
- Anycast sinkholes provide a means to distribute the load throughout the network

Anycast Sinkholes
[Figure: anycast sinkhole deployment. A sinkhole instance sits at each edge of the provider network (Peer A, Peer B, IXP-W, IXP-E, Upstream A, B, C and D), in the POP serving customer 192.168.19.0/24 (host 192.168.19.1), and in the services network that hosts the primary DNS servers; the sinkhole employs the same anycast mechanism]

Enterprise Sinkhole Placement

Baselining is the key
- Measure deviations from normal

Distribute sinkholes as appropriate for the traffic engineering and routing architecture. Some key locations:
- Inside the Internet connection
- In front of servers
- Distribution layer

[Figure: enterprise topology with Core, Server Farm, WAN and Internet blocks marking the candidate sinkhole locations]



BGP Sinkhole Trigger


- Leverage the same BGP technique used for RTBH
- A dedicated trigger router redistributes a more specific route for the destination being rerouted
  - Next hop set via route-map
- All BGP-speaking routers receive the update
- A complex design can use multiple route-maps and next hops to provide very flexible designs
- May require BGP on all routers


Example: BGP Sinkhole Triggers


Sinkhole IP: 192.0.2.8
Victim IP: 192.168.20.1

Trigger router configuration:

    router bgp 65500
     redistribute static route-map static-to-bgp
    !
    route-map static-to-bgp permit 10
     match tag 66
     set origin igp
     set ip next-hop 192.0.2.8
     ! <-- sinkhole address, not Null0
     set community no-export
    !
    ip route 192.168.20.1 255.255.255.255 Null0 tag 66

All traffic destined to 192.168.20.1 will be redirected to the sinkhole


Sinkhole Routers/Networks

[Figure: sinkhole network diagram (recap). The sinkhole router advertises 192.168.20.1/32; customers connect to the target's network 192.168.20.0/24; host 192.168.20.1 is the target of the attack]


Safety Precautions
Do not allow advertisements to leak
- BGP no-export, no-advertise, additive communities
- Explicit egress prefix policies (community, prefix, etc.)

Do not allow traffic to escape the sinkhole
- Backscatter from a sinkhole defeats the function of a sinkhole (egress ACL on the sinkhole router)

Advanced sinkhole designs
- True honeypot potential; protect resources in the sinkhole
- Don't become part of the attack
- Filter/rate limit outgoing connections

LAB: Remotely Triggered Blackhole Filtering

Use RTBH and other techniques to mitigate a distributed attack
- Attack traffic is traversing podX-rtr1

Classify the attack using NetFlow

Use RTBH to remove attack traffic from the network
- Configure podX-rtr2 as the trigger router

Use NetFlow on podX-rtr1 to verify that attack packets are being dropped


Source-Based RTBH
Flipping RTBH Around

Triggered Source Drops

Source-based Remotely Triggered Blackhole Filtering, aka SRTBH

Dropping on destination is important
- Dropping on source is often what we really need

Reacting using the source address provides some interesting options:
- Stop the attack without taking the destination offline
- Filter command and control servers
- Filter (contain) infected end stations

Must be rapid and scalable
- Leverage pervasive BGP again

Quick Review: Unicast RPF Loose Mode

    router(config-if)# ip verify unicast source reachable-via any

[Figure: a router with interfaces int 1, int 2 and int 3 and the following FIB

    Dest  Path
    Sx    int 1
    Sy    int 2
    Sz    null0

Loose mode asks only "is the source IP reachable via any interface?". A packet from Sy to D passes the check whichever interface it arrives on, because Sy has a FIB entry. A packet from Sz to D fails, because the FIB entry for Sz points to null0]

Configuring SRTBH

- Uses the same architecture as Destination-Based Blackhole Filtering, plus Unicast RPF
- Edge routers must have the static route in place
- They also require Unicast RPF
- The BGP trigger sets the next hop; in this case the attacker is the source we want to drop

Configuring Routers for SRTBH


Like RTBH, most configuration is on the trigger router
- The trigger router is identical in both scenarios

Remotely Triggered Black Hole configuration on non-trigger routers:

    ip route 192.0.2.1 255.255.255.255 Null0

Source-based RTBH configuration for non-trigger routers:

    ip route 192.0.2.1 255.255.255.255 Null0
    !
    interface GigabitEthernet0/0
     ip verify unicast source reachable-via any
    !

SRTBH
What do we have?
- Blackhole Filtering: if the destination address resolves to Null0, we drop the packet
- Remote Triggered: trigger a prefix to resolve to Null0 on routers across the network at iBGP speeds
- Unicast RPF Loose Check: if the source address resolves to Null0, we drop the packet

Put them together and we have a tool to trigger a drop for any packet coming into the network whose source or destination resolves to Null0


Customer Is DoSed: After


[Figure: the provider topology (Peer A, Peer B, IXP-W, IXP-E, Upstream A, B, C and D, POP, NOC, target) after source-based drops are triggered. iBGP advertises the list of blackholed prefixes based on source addresses; the edge routers drop incoming packets based on their source address, so the packet drops are pushed to the edge]


Internal Source-Based Drops


Both source and destination drops can be used internally
- Source drops are likely the most interesting case
- Destination drops still result in a DoS of the target
- Don't forget the Internet and WAN edges

Provides an effective mechanism to handle internal attacks
- Drop worm-infected PCs off the network
- Drop owned devices off the network
- Protect the infrastructure
- Whitelist to prevent self-DoS


SRTBH: Key Advantages


- No ACL update
- No change to the router's configuration
- Drops happen in the forwarding path
- Frequent changes when attacks are dynamic (for multiple attacks on multiple customers)


BGP: Not Just For Routing, Anymore


I don't want to use BGP as a routing protocol
- Think of BGP as a signaling protocol
- The routing protocols operate as ships in the night

BGP has a unique property among routing protocols: arbitrary next hops can be administratively defined. There is no need to actually carry routes in BGP
- Deploy an iBGP mesh internally and do not use it for routing
- Under normal conditions, BGP holds zero routes
- When used for drops, only the blackholed addresses are in the table

If BGP is used for inter-region routing, drop boundaries can be both local within a campus and global
- Use communities to scope the drops

What If I Can't Deploy RTBH?

Start with Unicast RPF and static routes to Null0. This results in traffic source drops:

    interface g0/0
     ip verify unicast source reachable-via rx allow-default
    !
    ip route 10.0.0.0 255.0.0.0 Null0
    ip route 169.254.0.0 255.255.0.0 Null0
    ip route 172.16.0.0 255.240.0.0 Null0
    ip route 192.0.2.0 255.255.255.0 Null0
    ip route 192.168.0.0 255.255.0.0 Null0

For example, traffic from 10.1.1.1 will be discarded
- Can be deployed in reaction to attacks
- A start, but it won't be fast and doesn't scale
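To make the SRTBH logic from the preceding slides and the static Null0 fallback above concrete, here is an added Python model (not from the presentation and not Cisco IOS code) of a FIB with recursive next-hop resolution, the Unicast RPF check in loose (any) and strict (rx) mode with and without allow-default, and the resulting forwarding decision. The RTBH anchor 192.0.2.1, the victim 192.168.20.1 and the Null0 prefixes are the slides' own values; the interface names, the peer prefix 203.0.113.0/24 and the attacker address 203.0.113.7 are constructed assumptions:

```python
import ipaddress

NULL0 = "Null0"                                   # the discard interface
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def _is_ip(via):
    try:
        ipaddress.ip_address(via)
        return True
    except ValueError:
        return False


class Fib:
    """Toy forwarding table. Each prefix points at an interface name ("Gi0/0", "Null0")
    or at an IP next hop, which is resolved recursively the way a router resolves a
    BGP next hop through the static route that covers it."""

    def __init__(self):
        self.routes = []

    def add(self, prefix, via):
        self.routes.append((ipaddress.ip_network(prefix), via))

    def lookup(self, addr):
        """Longest-prefix match: (network, via) or None."""
        a = ipaddress.ip_address(addr)
        best = None
        for net, via in self.routes:
            if a in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via)
        return best

    def resolve(self, addr, max_depth=8):
        """(first matched network, egress interface); (None, None) when unroutable."""
        matched = None
        for _ in range(max_depth):
            hit = self.lookup(addr)
            if hit is None:
                return matched, None
            net, via = hit
            if matched is None:
                matched = net
            if not _is_ip(via):
                return matched, via
            addr = via                            # follow the next hop
        return matched, None


def urpf_passes(fib, src, ingress_if, mode="any", allow_default=False):
    """uRPF as configured by 'ip verify unicast source reachable-via {any|rx} [allow-default]'."""
    net, egress = fib.resolve(src)
    if egress is None or egress == NULL0:
        return False                              # no route, or the source resolves to Null0
    if net == DEFAULT and not allow_default:
        return False                              # only the default route covers the source
    if mode == "rx" and egress != ingress_if:
        return False                              # strict mode: best path must be the ingress interface
    return True


def forward(fib, src, dst, ingress_if, urpf=None):
    """Return 'forward:<iface>' or 'drop:<reason>' for one packet."""
    if urpf is not None and not urpf_passes(fib, src, ingress_if, **urpf):
        return "drop:urpf-source"
    _, egress = fib.resolve(dst)
    if egress is None:
        return "drop:no-route"
    if egress == NULL0:
        return "drop:destination-blackholed"
    return f"forward:{egress}"


def edge_router():
    """Constructed edge-router FIB: RTBH anchor route, customer prefix, a peer prefix, default."""
    fib = Fib()
    fib.add("192.0.2.1/32", NULL0)               # ip route 192.0.2.1 255.255.255.255 Null0
    fib.add("192.168.20.0/24", "Gi0/1")          # customer (the slides' target network)
    fib.add("203.0.113.0/24", "Gi0/0")           # a prefix learned from a peer (constructed)
    fib.add("0.0.0.0/0", "Gi0/0")                # default toward upstream
    return fib


def destination_rtbh():
    """Trigger advertises the victim /32 with next hop 192.0.2.1: destination drops."""
    fib = edge_router()
    fib.add("192.168.20.1/32", "192.0.2.1")
    return {"victim": forward(fib, "203.0.113.7", "192.168.20.1", "Gi0/0"),
            "neighbour": forward(fib, "203.0.113.7", "192.168.20.2", "Gi0/0")}


def source_rtbh():
    """Trigger advertises the attacking source /32 instead; loose-mode uRPF drops it at the edge."""
    fib = edge_router()
    fib.add("203.0.113.7/32", "192.0.2.1")
    loose = {"mode": "any"}
    return {"attacker": forward(fib, "203.0.113.7", "192.168.20.1", "Gi0/0", loose),
            "other_host": forward(fib, "203.0.113.8", "192.168.20.1", "Gi0/0", loose),
            "default_only": forward(fib, "198.51.100.5", "192.168.20.1", "Gi0/0", loose)}


def static_null0_fallback():
    """No BGP trigger: static Null0 routes for private space plus strict uRPF with allow-default."""
    fib = edge_router()
    for p in ("10.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16"):
        fib.add(p, NULL0)
    strict = {"mode": "rx", "allow_default": True}
    return {"private_src": forward(fib, "10.1.1.1", "192.168.20.1", "Gi0/0", strict),
            "public_src": forward(fib, "203.0.113.8", "192.168.20.1", "Gi0/0", strict)}


if __name__ == "__main__":
    for name, fn in (("RTBH", destination_rtbh), ("SRTBH", source_rtbh), ("static Null0", static_null0_fallback)):
        print(name, fn())
```

The "default_only" case in source_rtbh() shows the operational caveat behind the "full routes at the edge" remark earlier: a source that is covered only by the default route fails loose-mode uRPF unless allow-default is configured, so a router that carries only a default route drops legitimate traffic as well as the blackholed sources.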

LAB: Source-based RTBH

Change the network mitigation to filter the attacking source or sources using Source-based RTBH
- Verify the correct configuration of Unicast RPF
- Apply the Source-based RTBH configuration
- Remove the RTBH filtering added in the previous lab
  - Do not remove the RTBH configuration; just remove the filtering via a trigger router configuration change

Use any available technique to see if attack packets are correctly being dropped


Keeping Up to Date

Join the Conversation!


Visit the Cisco Security Blog
http://blogs.cisco.com/security

Posts from across Cisco's security community
Wide range of topics
- Emerging threats
- Innovative techniques
- Security research

Tell us what you think!


Security Intelligence Operations: Where to Find It


Single Point of Access
Dynamic Content
www.cisco.com/security
- Security Alerts
- CVSS Scores
- IPS Signatures
- PSIRT Security Advisories
- Applied Mitigation Bulletins

Cisco PSIRT
Monitor Cisco Security Advisories

In order for a network to be secure, the network devices within it must run secure software. Security bugs in Cisco products are disclosed using Security Advisories and Responses
- http://www.cisco.com/go/psirt

By monitoring these documents, an administrator is better able to learn about security vulnerabilities that may affect their network
- Available as RSS feeds
- Subscribe to cust-security-announce@cisco.com


Intelligence at a Glance
Cisco IntelliShield Event Response: summary information, threat analysis, and mitigation techniques that feature Cisco products

[Figure: sample Event Response table with columns Microsoft Security Bulletin ID, Cisco IntelliShield Alert ID, CVE ID, Cisco Mitigations, CVSS Base Score, Impact on Cisco Products, Related Information]


Intelligence Services
Cisco IntelliShield Alert Manager: threat and vulnerability intelligence alerting service. Receive vital intelligence that is relevant and targeted to your environment
- Tactical, operational, and strategic intelligence
- Vendor neutral
- Lifecycle reporting
- Vulnerability workflow management system
- Comprehensive searchable alert database

Use Your Infrastructure


Cisco Applied Mitigation Bulletin: actionable intelligence that can be used with your existing Cisco infrastructure
- Vulnerability Characteristics
- Mitigation Technique Overview
- Risk Management
- Device-Specific Mitigation and Identification: Cisco IOS Routers and Switches, Cisco IOS NetFlow, Cisco ASA and FWSM Firewalls, Cisco ACE Application Control Engine, Cisco Intrusion Prevention System, Cisco Security Monitoring, Analysis, and Response System

Intelligence Summary Example


Cisco IntelliShield Cyber Risk Report: a strategic intelligence report that highlights current security activity and mid- to long-range perspectives. Addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. The Cyber Risk Reports are the result of collaborative efforts, information sharing, and the collective security expertise of senior analysts from Cisco security services, including the IntelliShield and IronPort teams.


Cisco IOS Software Checker


Tool on the Security Intelligence Operations portal
- http://blogs.cisco.com/security/introducing-the-cisco-ios-software-checker/
- http://tools.cisco.com/security/center/selectIOSVersion.x

- Allows querying one or more Cisco IOS Software versions against previously published Security Advisories
- Simplifies identification of affected software versions
- A long-requested feature by Cisco customers
- Cisco IOS Software specific only, but more to come!

Cisco Remote Management Services for Security


The Remote Management and Monitoring arm of SIO

[Figure: Cisco Remote Management Services with SIO. SensorBase and global security intelligence feed security policy, security reporting and troubleshooting across enterprise, branch, outsource partner and public sector deployments: Cisco Security Device + SmartNet + Cisco RMS Security with SIO]

- Insight: visibility across different devices, services, and network layers
- Control: consistent policy across offices and for remote users
- Peace of Mind: actionable remediation and governance controls

Cisco Live London 2012! That's All Folks!

Don't forget to complete your surveys


Recommended Reading
Continue your Cisco Live learning experience with further reading from Cisco Press
Check the Recommended Reading flyer for suggested books

Available Onsite at the Cisco Company Store



Recommended Reading
Additional resources for your security library
Check the Recommended Reading flyer for suggested books

Available at Your Local Book Stores



References

Security Research
Public Security Mailing Lists

BugTraq
- http://www.securityfocus.com/archive/1/description

Full Disclosure
- http://lists.grok.org.uk/full-disclosure-charter.html

Web Application Security
- http://www.securityfocus.com/archive/107/description

VoipSec
- http://voipsa.org/mailman/listinfo/voipsec_voipsa.org


Security Research
Public Security Websites
- http://www.securityfocus.com/
- http://voipsa.org/
- http://www.owasp.org/
- http://www.voipshield.com/
- http://www.cymru.com


CVSS and Risk Triage Links


Web-based CVSS Calculators
- http://nvd.nist.gov/cvss.cfm?calculator&version=2
- http://intellishield.cisco.com/security/alertmanager/cvss

Common Vulnerability Scoring System Q & A
- http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

CVSS Usage within Cisco
- http://www.cisco.com/web/about/security/intelligence/Cisco_CVSS.html

Risk Triage for Security Vulnerability Announcements
- http://www.cisco.com/web/about/security/intelligence/vulnerability-risktriage.html

Risk Triage and Prototyping
- http://www.cisco.com/web/about/security/intelligence/risk-triagewhitepaper.html


References
DoS detection:
- Inferring Internet Denial-of-Service Activity: David Moore et al., May 2001
  - http://www.caida.org/outreach/papers/2001/BackScatter/usenixsecurity01.pdf
- The Spread of the Code Red Worm: David Moore, CAIDA, July 2001
  - http://www.caida.org/research/security/code-red/

DoS tracing:
- Tracing Spoofed IP Addresses: Rob Thomas, Feb 2001 (good technical description of using NetFlow to trace back a flow)
  - http://www.cymru.com/Documents/tracking-spoofed.html
- Cisco Security Intelligence Operations
  - http://www.cisco.com/security/
- Cisco Applied Mitigation Bulletins
  - http://tools.cisco.com/security/center/searchAIR.x

NetFlow
Cisco NetFlow home
- http://www.cisco.com/en/US/tech/tk812/tsd_technology_support_protocol_home.html

Introduction to Cisco IOS NetFlow: A Technical Overview
- http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps6601/prod_white_paper0900aecd80406232.html

Getting Started with Configuring NetFlow and NetFlow Data Export
- http://www.cisco.com/en/US/docs/ios/netflow/configuration/guide/get_start_cfg_nflow.html

Linux NetFlow reports HOWTO
- http://www.dynamicnetworks.us/netflow/netflow-howto.html


SNMP
Cisco SNMP object tracker
- http://tools.cisco.com/Support/SNMP/do/BrowseMIB.do?local=en

Cisco MIBs and trap definitions
- http://www.cisco.com/public/swcenter/netmgmt/cmtk/mibs.shtml

SNMPLink
- http://www.snmplink.org/


RMON
IETF RMON WG
- http://www.ietf.org/proceedings/99mar/44th-99mar-ietf77.html

Cisco RMON home
- http://www.cisco.com/en/US/tech/tk648/tk362/tk560/tsd_technology_support_sub-protocol_home.html

Cisco Network Analysis Module (NAM) Products
- http://www.cisco.com/en/US/products/ps5740/Products_Sub_Category_Home.html


Packet Capture
tcpdump/libpcap home
- http://www.tcpdump.org/

Wireshark
- http://www.wireshark.org/

Vinayak Hegde's Linux Gazette article
- http://linuxgazette.net/issue86/vinayak.html

Catalyst Switched Port Analyzer (SPAN) Configuration Example
- http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml


Syslog
Syslog.org
- http://www.syslog.org/

Syslog logging with PostGres HOWTO
- http://kdough.net/projects/howto/syslog_postgresql/

Agent Smith explains Syslog
- http://routergod.com/agentsmith/

Identifying Incidents Using Firewall and Cisco IOS Router Syslog Events
- http://www.cisco.com/web/about/security/intelligence/identify-incidents-via-syslog.html


BGP
Cisco BGP home
- http://www.cisco.com/en/US/tech/tk365/tk80/tsd_technology_support_sub-protocol_home.html

Slammer/BGP analysis
- https://wiki.netsec.colostate.edu/images/8/88/Netsec_iwdc03.pdf

Team CYMRU BGP tools
- http://www.cymru.com/BGP/index.html


Traceback: Direct Contact Information


APNIC - reporting network abuse: spamming and hacking
- http://www.apnic.net/info/faq/abuse/index.html

RIPE - reporting network abuse: spamming and hacking
- http://www.ripe.net/info/faq/abuse/index.html

ARIN - network abuse: FAQ
- http://www.arin.net/abuse.html


Sinkholes
Worm Mitigation Technical Details
- http://www.cisco.com/web/about/security/intelligence/worm-mitigation-whitepaper.html

DoS Attacks: how your ISP can help
- http://www.techworld.com/networking/features/index.cfm?featureid=1098&pagtype=samechan&categoryid=9

Sink Holes: A Swiss Army Knife ISP Security Tool
- http://www.arbornetworks.com/dmdocuments/Sinkhole_Tutorial_June03.pdf


References
Cisco's product vulnerabilities
- http://www.cisco.com/en/US/products/products_security_advisories_listing.html

Cisco Security Intelligence Operations
- http://www.cisco.com/security

ISP essentials: Technical tips for ISPs every ISP should know
- ftp://ftp-eng.cisco.com/cons/isp/

Tech Tip: Troubleshooting High CPU Utilization on Cisco Routers
- http://www.cisco.com/en/US/products/hw/routers/ps133/products_tech_note09186a00800a70f2.shtml


References
The show processes command
- http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_tech_note09186a00800a65d0.shtml

NetFlow performance white paper
- http://www.cisco.com/en/US/technologies/tk543/tk812/technologies_white_paper0900aecd802a0eb9.html

Mailing list:
- cust-security-announce@cisco.com (all customers should be on this list)


References
Security Intelligence Operations Best Practices
- http://tools.cisco.com/security/center/intelliPapers.x?i=55

Service Provider Security Best Practices
- http://tools.cisco.com/security/center/serviceProviders.x?i=76

Cisco Nexus 7000 Series NX-OS Security Configuration Guide
- http://www.cisco.com/en/US/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_preface.html


References
Cisco Guide to Harden Cisco IOS XR Devices
- http://cisco.com/web/about/security/intelligence/CiscoIOSXR.html

Implementing LPTS on Cisco IOS XR Software
- http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.7/addr_serv/configuration/guide/ic37lpts.html


Please complete your Session Survey

We value your feedback. Don't forget to complete your online session evaluations after each session. Complete 4 session evaluations and the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.
- Surveys can be found on the Attendee Website at www.ciscolivelondon.com/onsite, which can also be accessed through the screens at the Communication Stations
- Or use the Cisco Live Mobile App to complete the surveys from your phone; download the app at www.ciscolivelondon.com/connect/mobile/app.html

1. Scan the QR code (go to http://tinyurl.com/qrmelist for QR code reader software, or type in the access URL above)
2. Download the app or access the mobile site
3. Log in to complete and submit the evaluations

http://m.cisco.com/mat/cleu12/

Thank you.
