
Hacking appliances

Date post: 26-Jan-2017
Upload: jonathan-suldo
Transcript
Page 1: Hacking appliances

Tools and Methods for Auditing Enterprise Grade Security Appliances

Jonathan Suldo, Information Security Analyst @ Arma-Net
[email protected]
Talk Length: 45 Min.

Topic

Penetration Testing methods/toolsets utilized to audit Enterprise grade UTM, NGFW, SIEM, and ASA.

Page 2: Hacking appliances

Biography

Page 3: Hacking appliances

Briefing

Point 1: I will provide concise utility explanations, "Key Feature Differentiators", and deciding factors between UTM, NGFW, SIEM, and ASA. Research examples will be reserved for market leaders and comparing the offerings associated with each. These utilities are discussed first because they normally control many features.

Point 2: Popular detection IDS & FW utilities and their usage in typical network topologies.

Point 3: Methods and tool-sets for evading firewalls and IPS.

Point 4: Tools and report format utilized to translate and present metrics from auditing data.

Point 5: The remainder of the talk will be for creating a specialized auditing methodology and low cost testing lab creation.

Page 4: Hacking appliances

What’s the point?

Page 5: Hacking appliances

Point 1

Definition, Features ("Key Differentiators"), Disadvantages/Advantages between UTM, NGFW, SIEM, and ASA. Research examples will be reserved for market leaders and comparing the offerings associated with each.

Page 6: Hacking appliances

Unified Threat Management

Page 7: Hacking appliances

UTM VS. THE HACKER MINDSET

Page 8: Hacking appliances

Next Generation FireWall(NGFW)

**Put pictures brands for industry leading NGFW

Page 9: Hacking appliances

UTM VS. NGFW

Page 10: Hacking appliances

Cisco ASA Adaptive Security Appliances

Cisco ASA 5500-X Series Next-Generation Firewalls help you to balance security effectiveness with productivity. This solution offers the combination of the industry's most deployed stateful firewall with a comprehensive range of next-generation network security services, including:

- Granular visibility and control
- Robust web security onsite or in the cloud
- Industry-leading intrusion prevention system (IPS) to protect against known threats
- Comprehensive protection from threats and advanced malware
- World's most widely deployed ASA firewall with highly secure Cisco AnyConnect remote access

Page 11: Hacking appliances

SIEM: Security Information and Event Management

Security information and event management (SIEM) tools are used to collect, aggregate and correlate log data for unified analysis and reporting. Typically, these tools can take logs from a large number of sources, normalize them and build a database that allows detailed reporting and analysis. While forensic analysis of network events may be a feature of a SIEM, it is not the only feature, nor is it the primary focus of the tool.

Page 12: Hacking appliances

SIEM-Continued

- AlienVault for AlienVault Unified Security Management Platform
- Hewlett-Packard for HP ArcSight ESM
- LogRhythm for LogRhythm's SIEM and Security Analytics Platform
- McAfee for McAfee Enterprise Security Manager
- SolarWinds for SolarWinds Log & Event Manager
- Splunk for Splunk Enterprise

Page 13: Hacking appliances

SIEM-Continued

What is the goal of a SIEM? That depends on the organization, but the common use cases are to detect, validate and adequately respond to system compromises, data leakage events, malware outbreaks, investigations into a particular user and service outages. At least that's what it is for my organization. Simplistic as it may sound, I expect that this would be the answer from most other organizations, too.
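The collect, normalize and correlate pipeline described on the SIEM slides above, as an added Python example that is not part of the talk and not any vendor's product code. It maps one Snort fast-format alert and two Cisco ASA syslog message types (106023 deny, 302013 connection built) onto a single schema, then applies the kind of cross-source rule a SIEM is bought for: a source address that tripped the IDS or was denied by the firewall and was also allowed through it. The log lines are constructed samples, SID 1000001 is a hypothetical local rule, and the addresses come from the documentation ranges.

```python
import re
from collections import defaultdict

# Constructed sample lines (not taken from the talk): one Snort "fast" alert
# and three Cisco ASA syslog messages, as a SIEM collector would receive them.
# SID 1000001 is a hypothetical local rule; addresses are documentation ranges.
SAMPLE_LOGS = [
    "01/26-10:15:32.123456  [**] [1:1000001:1] LOCAL SSH scanner probe [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} "
    "203.0.113.5:40022 -> 192.0.2.10:22",
    '%ASA-4-106023: Deny tcp src outside:203.0.113.5/40022 dst inside:192.0.2.10/22 '
    'by access-group "outside_access_in" [0x0, 0x0]',
    "%ASA-6-302013: Built inbound TCP connection 4711 for outside:203.0.113.5/40023 "
    "(203.0.113.5/40023) to inside:192.0.2.10/443 (192.0.2.10/443)",
    "%ASA-6-302013: Built inbound TCP connection 4712 for outside:198.51.100.7/5050 "
    "(198.51.100.7/5050) to inside:192.0.2.10/443 (192.0.2.10/443)",
]

# One parser per source/message type; each exposes the same group names.
SNORT_FAST = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)
ASA_DENY = re.compile(
    r"^%ASA-\d-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
ASA_BUILT = re.compile(
    r"^%ASA-\d-302013: Built (?:inbound|outbound) (?P<proto>\w+) connection \d+ "
    r"for \w+:(?P<src>[\d.]+)/(?P<sport>\d+) \S+ to \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def normalize(line):
    """Map one raw line onto the common schema, or return None if no parser matches."""
    for source, action, pattern in (
        ("snort", "alert", SNORT_FAST),
        ("asa", "deny", ASA_DENY),
        ("asa", "allow", ASA_BUILT),
    ):
        m = pattern.match(line)
        if m:
            return {
                "source": source,
                "action": action,
                "proto": m.group("proto").lower(),
                "src": m.group("src"),
                "dst": m.group("dst"),
                "dport": int(m.group("dport")),
                "msg": m.group("msg") if "msg" in m.groupdict() else "",
            }
    return None


def correlate(events):
    """Flag source addresses that tripped an IDS alert or a firewall deny and
    were also allowed through the firewall, grouping events across sources."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        suspicious = [e for e in evs if e["action"] in ("alert", "deny")]
        allowed = [e for e in evs if e["action"] == "allow"]
        if suspicious and allowed:
            findings[src] = {
                "suspicious": len(suspicious),
                "sources": sorted({e["source"] for e in suspicious}),
                "allowed_ports": sorted({e["dport"] for e in allowed}),
            }
    return findings


def run(lines=SAMPLE_LOGS):
    """Collect -> normalize -> correlate, dropping lines no parser understood."""
    events = [e for e in map(normalize, lines) if e is not None]
    return correlate(events)


if __name__ == "__main__":
    for src, f in run().items():
        print(f"{src}: {f['suspicious']} suspicious event(s) from {f['sources']}, "
              f"also allowed to port(s) {f['allowed_ports']}")
```

Two things a real deployment adds that this example leaves out: the rule should compare timestamps (alert or deny before the allowed connection, within a window), which requires the ASA lines to carry a synchronized timestamp from the syslog header, and unparsed lines should be counted rather than silently dropped, since a parser that stops matching after a firmware upgrade is a blind spot an auditor will look for.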

Page 14: Hacking appliances

Development Life Cycle

One view of assessing the maturity of an organization in terms of the deployment of log-management tools might use successive categories such as:

Level 1: in the initial stages, organizations use different log-analyzers for analyzing the logs in the devices on the security-perimeter. They aim to identify the patterns of attack on the perimeter infrastructure of the organization.

Level 2: with increased use of integrated computing, organizations mandate logs to identify the access and usage of confidential data within the security-perimeter.

Level 3: at the next level of maturity, the log analyzer can track and monitor the performance and availability of systems at the level of the enterprise, especially of those information-assets whose availability organizations regard as vital.

Level 4: organizations integrate the logs of various business-applications into an enterprise log manager for better value proposition.

Level 5: organizations merge the physical-access monitoring and the logical-access monitoring into a single view.

Page 15: Hacking appliances

Logging Management Resources

http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf
http://www.prismmicrosys.com/newsletters_august2007.php
http://www.docstoc.com/docs/19680768/Top-5-Log-Mistakes---Second-Edition

Chris MacKinnon: "LMI In The Enterprise". Processor, November 18, 2005, Vol. 27 Issue 46, page 33. Online at http://www.processor.com/editorial/article.asp?article=articles%2Fp2746%2F09p46%2F09p46.asp, retrieved 2007-09-10

MITRE: Common Event Expression (CEE) Proposed Log Standard. Online at http://cee.mitre.org, retrieved 2010-03-03

NIST SP 800-92: Guide to Computer Security Log Management. Online at http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf, retrieved 2010-03-0

Page 16: Hacking appliances

IDS & FW Utilities Function and Placement

Page 17: Hacking appliances

Types of Intrusion Detection Systems

Network-Based Intrusion Detection
- These sensors are attached to a network segment (via a SPAN port or tap, or inline in the case of an IPS) with the interface in promiscuous mode in order to monitor traffic for signs of intrusion.

Host-Based Intrusion Detection
- These mechanisms monitor events on a specific host.
- They are uncommon because they require continuous monitoring on every host.

Log File Monitoring
- These mechanisms parse log files "post-event", so detection is after the fact.

File Integrity Checking
- This mechanism monitors files for modification (typically by comparing a cryptographic hash of each file against a trusted baseline) in an attempt to recognize unauthorized system access.
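The file integrity checking mechanism described above, as an added Python example (not code from the talk or from any product such as AIDE or Tripwire): it records a SHA-256 digest and the permission bits of every regular file under a directory, then re-scans and reports added, removed and modified files. The fake /etc tree and the tampering are constructed inline in demo().

```python
import hashlib
import os
import tempfile


def file_digest(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Snapshot every regular file under root: relative path -> digest and mode bits.

    Symlinks are skipped so that a link pointed elsewhere cannot make the
    checker hash (and vouch for) an attacker-chosen file."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {
                "sha256": file_digest(full),
                "mode": os.lstat(full).st_mode & 0o7777,
            }
    return baseline


def compare(baseline, root):
    """Re-scan root and report what changed relative to the stored baseline.
    A file whose content OR permission bits differ counts as modified."""
    current = build_baseline(root)
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if current[p] != baseline[p]),
    }


def demo():
    """Constructed scenario: snapshot a fake /etc, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(etc, "shadow"), "w") as f:
            f.write("root:*:18000:0:99999:7:::\n")
        baseline = build_baseline(root)

        # Simulated unauthorized access: a second UID-0 account appended to
        # passwd, a persistence script dropped, and shadow deleted.
        with open(os.path.join(etc, "passwd"), "a") as f:
            f.write("backdoor:x:0:0::/:/bin/sh\n")
        with open(os.path.join(etc, "rc.local"), "w") as f:
            f.write("#!/bin/sh\n/tmp/.x &\n")
        os.remove(os.path.join(etc, "shadow"))

        return compare(baseline, root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The check is only as trustworthy as the baseline: an attacker with root on the monitored host can rewrite the snapshot along with the files, so the baseline (and the checker itself) should be stored read-only off the box or signed, and the comparison run from there.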

Page 18: Hacking appliances

Intrusion Detection Systems & Network Implementation

Page 19: Hacking appliances

IDS Intrusions Detection Methods

Page 20: Hacking appliances

The Purpose of IDS Implementation

Page 21: Hacking appliances

IDS Utilities Snort

Page 22: Hacking appliances

Snort Log Sample

Page 23: Hacking appliances

IDS System: Tipping Point

Page 24: Hacking appliances

Intrusion Detection Tools

Page 25: Hacking appliances

Intrusion Detection Tools (cont’d)

Page 26: Hacking appliances

Intrusion Detection Tools

Page 27: Hacking appliances

Firewalls

Page 28: Hacking appliances

What they can’t do!

Page 29: Hacking appliances

Types of Firewalls

Page 30: Hacking appliances

Firewall Architecture

Page 31: Hacking appliances

Fire Wall- Utilities

Page 32: Hacking appliances

Firewall-Utilities

Page 33: Hacking appliances

Firewall and IDS Evasion Tools and Techniques

Graphics of malware and APT evading something

Page 34: Hacking appliances

Firewall Evasion Techniques

Page 35: Hacking appliances
Page 36: Hacking appliances
Page 37: Hacking appliances
Page 38: Hacking appliances
