Post on 26-Jan-2017
transcript
Tools and Methods for Auditing Enterprise Grade Security Appliances
Jonathan Suldo, Information Security Analyst @ Arma-Net
jsuldo@arma-net.org
Talk Length: 45 Min.
Topic
Penetration testing methods and toolsets utilized to audit enterprise grade UTM, NGFW, SIEM, and ASA.
Biography
Briefing
Point 1: I will provide concise utility explanations, "Key Feature Differentiators", and the deciding factors between UTM, NGFW, SIEM, and ASA. Research examples will be reserved for market leaders and comparing the offerings associated with each. The above utilities are discussed first because they normally control many features.
Point 2: Popular detection IDS & FW utilities and their usage in typical network topologies.
Point 3: Methods and tool-sets for evading firewalls and IPS.
Point 4: Tools and report format utilized to translate and present metrics from auditing data.
Point 5: The remainder of the talk will cover creating a specialized auditing methodology and building a low-cost testing lab.
What’s the point?
Point 1
Definition, features ("Key Differentiators"), and advantages/disadvantages of UTM, NGFW, SIEM, and ASA. Research examples will be reserved for market leaders and comparing the offerings associated with each.
Unified Threat Management
UTM VS. THE HACKER MINDSET
Next Generation FireWall(NGFW)
[Slide placeholder: logos of industry-leading NGFW brands]
UTM VS. NGFW
Cisco ASA Adaptive Security Appliances
Cisco ASA 5500-X Series Next-Generation Firewalls help you to balance security effectiveness with productivity. This solution offers the combination of the industry's most deployed stateful firewall with a comprehensive range of next-generation network security services, including:
- Granular visibility and control
- Robust web security onsite or in the cloud
- Industry-leading intrusion prevention system (IPS) to protect against known threats
- Comprehensive protection from threats and advanced malware
- World's most widely deployed ASA firewall with highly secure Cisco AnyConnect remote access
SIEM: Security Information and Event Management
Security information and event management (SIEM) tools are used to collect, aggregate and correlate log data for unified analysis and reporting. Typically, these tools can take logs from a large number of sources, normalize them and build a database that allows detailed reporting and analysis. While forensic analysis of network events may be a feature of a SIEM, it is not the only feature, nor is it the primary focus of the tool.
SIEM (Continued)
- AlienVault: AlienVault Unified Security Management Platform
- Hewlett-Packard: HP ArcSight ESM
- LogRhythm: LogRhythm's SIEM and Security Analytics Platform
- McAfee: McAfee Enterprise Security Manager
- SolarWinds: SolarWinds Log & Event Manager
- Splunk: Splunk Enterprise
SIEM (Continued)
What is the goal of a SIEM? That depends on the organization, but the common use cases are to detect, validate and adequately respond to system compromises, data leakage events, malware outbreaks, investigations into a particular user and service outages. At least that's what it is for my organization. Simplistic as it may sound, I expect that this would be the answer from most other organizations, too.
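The collect, normalize and correlate pipeline described above, as an added example that is not part of the talk: two constructed log formats (an sshd syslog line and an Apache access-log line) are mapped onto one common schema, and a source address that fails in more than one log source is flagged. Regexes, field names and the sample lines are assumptions.

```python
"""Minimal SIEM-style pipeline: normalise heterogeneous log lines into one
schema, then correlate events across sources. Sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events: two sshd failures and a 401 web hit from the same
# address, plus an unrelated successful web request.
SAMPLE_LOGS = [
    "Jan 26 10:15:02 bastion sshd[4412]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "Jan 26 10:15:05 bastion sshd[4412]: Failed password for root from 203.0.113.7 port 51023 ssh2",
    '203.0.113.7 - - [26/Jan/2017:10:15:09 +0000] "GET /wp-login.php HTTP/1.1" 401 512',
    '198.51.100.4 - - [26/Jan/2017:10:16:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

SSHD_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
                     r"Failed password for (?P<user>\S+) from (?P<src>\S+) port \d+")
APACHE_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                       r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def normalize(line, year=2017):
    """Map one raw line onto a common schema; syslog lines carry no year, so it is supplied."""
    m = SSHD_RE.match(line)
    if m:
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        return {"source": "sshd", "category": "auth", "src_ip": m["src"],
                "outcome": "failure", "detail": m["user"], "ts": ts}
    m = APACHE_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        outcome = "failure" if m["status"] in ("401", "403") else "success"
        return {"source": "apache", "category": "web", "src_ip": m["src"],
                "outcome": outcome, "detail": m["path"], "ts": ts}
    return None  # unknown format: a real SIEM would keep it as a raw event

def correlate(lines):
    """Flag any source IP with failed events in more than one log source."""
    by_ip = defaultdict(set)
    for line in lines:
        ev = normalize(line)
        if ev and ev["outcome"] == "failure":
            by_ip[ev["src_ip"]].add(ev["source"])
    return {ip: sorted(srcs) for ip, srcs in by_ip.items() if len(srcs) > 1}
```

A production rule would additionally bound the correlation by a time window and event count; both are omitted here to keep the schema mapping visible.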
Development Life Cycle
One view of assessing the maturity of an organization in terms of the deployment of log-management tools might use successive categories such as:
- Level 1: in the initial stages, organizations use different log-analyzers for analyzing the logs in the devices on the security-perimeter. They aim to identify the patterns of attack on the perimeter infrastructure of the organization.
- Level 2: with increased use of integrated computing, organizations mandate logs to identify the access and usage of confidential data within the security-perimeter.
- Level 3: at the next level of maturity, the log analyzer can track and monitor the performance and availability of systems at the level of the enterprise, especially of those information-assets whose availability organizations regard as vital.
- Level 4: organizations integrate the logs of various business-applications into an enterprise log manager for better value proposition.
- Level 5: organizations merge the physical-access monitoring and the logical-access monitoring into a single view.
Logging Management Resources
- http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf
- http://www.prismmicrosys.com/newsletters_august2007.php
- http://www.docstoc.com/docs/19680768/Top-5-Log-Mistakes---Second-Edition
- Chris MacKinnon: "LMI In The Enterprise". Processor, November 18, 2005, Vol. 27 Issue 46, page 33. Online at http://www.processor.com/editorial/article.asp?article=articles%2Fp2746%2F09p46%2F09p46.asp, retrieved 2007-09-10.
- MITRE: Common Event Expression (CEE) Proposed Log Standard. Online at http://cee.mitre.org, retrieved 2010-03-03.
- NIST 800-92: Guide to Security Log Management. Online at http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf, retrieved 2010-03-0
IDS & FW Utilities: Function and Placement
Types of Intrusion Detection Systems
- Network-Based Intrusion Detection: these mechanisms are placed inline on a network, set to promiscuous mode in order to monitor traffic for signs of intrusion.
- Host-Based Intrusion Detection: these mechanisms monitor events on a specific host. They are uncommon because they require continuous monitoring.
- Log File Monitoring: these mechanisms log and parse files "post-event".
- File Integrity Checking: this mechanism monitors file structure modification in an attempt to recognize unauthorized system access.
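The file integrity checking mechanism listed above, as an added example that is not part of the talk: a baseline of hashes, sizes and permission bits is taken over a tree, and a later snapshot is diffed against it to surface added, removed and modified files. The sample tree, its contents and the simulated changes are constructed in a temporary directory and are assumptions.

```python
"""File integrity checking (the host-based IDS mechanism above): hash every file
under a root, keep that as a baseline, and later diff the tree against it."""
import hashlib
import os
import tempfile

def build_baseline(root):
    """Return {relative_path: (sha256, size, mode)} for each regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are out of scope here
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (h.hexdigest(), st.st_size, st.st_mode & 0o7777)
    return baseline

def compare(baseline, current):
    """Diff two snapshots; a changed hash, size or mode all count as modified."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }

def demo():
    """Snapshot a constructed tree, tamper with it, and report what changed."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc", "cron.d"))
    with open(os.path.join(root, "etc", "passwd"), "w") as fh:
        fh.write("root:x:0:0::/root:/bin/sh\n")
    with open(os.path.join(root, "etc", "hosts"), "w") as fh:
        fh.write("127.0.0.1 localhost\n")
    base = build_baseline(root)
    # Simulated unauthorised changes: extra account line, deleted file, new cron job.
    with open(os.path.join(root, "etc", "passwd"), "a") as fh:
        fh.write("svc:x:1001:1001::/home/svc:/bin/sh\n")
    os.remove(os.path.join(root, "etc", "hosts"))
    with open(os.path.join(root, "etc", "cron.d", "update"), "w") as fh:
        fh.write("* * * * * root /opt/update.sh\n")
    return compare(base, build_baseline(root))
```

In a real deployment the baseline must be stored somewhere the monitored host cannot alter it, otherwise an intruder can simply re-baseline after making changes.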
Intrusion Detection Systems & Network Implementation
IDS Intrusions Detection Methods
The Purpose of IDS Implementation
IDS Utilities Snort
Snort Log Sample
IDS System: Tipping Point
Intrusion Detection Tools
Intrusion Detection Tools (cont’d)
Intrusion Detection Tools
Firewalls
What they can’t do!
Types of Firewalls
Firewall Architecture
Firewall Utilities
Firewall-Utilities
Firewall and IDS Evasion Tools and Techniques
[Graphic: malware and an APT evading a security control]
Firewall Evasion Techniques