Date post: 30-Jan-2016
Upload: moris-blankenship
Proprietary & Confidential to MIMOS Berhad

Page 1: Prevent Intrusion: What is relevant
By Rozana Rusli, MIMOS Consulting Group
23 July, 2004

Page 2: Outline

• A scenario – W32.Nachi Worm
• How it bypasses the firewall
  – Limitation – Solution
• How the IDS is able to detect it but is not enough
  – Limitation – Solution
• How the IPS adds to Defense-in-depth
  – Limitation – Solution
• How does HoneyPot fit in
• Overall deployment

Page 3: Infection of W32.Nachi Worm

[Diagram: three PCs, a laptop PC, firewall, router and IDS on the local network; the Internet; Microsoft]

(1) A PC dials up to the Internet and is infected with the W32.Nachi worm. The PC scans other networks using crafted ICMP packets.
(2) The worm drops DLLHOST.exe through port 135/TCP, opens port 707/TCP, downloads the RPC DCOM patch from Microsoft, installs the Microsoft MS03-026 patch and reboots.
(3) A notebook/laptop is infected with the W32.Nachi worm.
(4) The notebook/laptop starts scanning other PCs/notebooks on the network using crafted ICMP packets.
(5) Other PCs/notebooks in the network get infected with the W32.Nachi worm.

Page 4: Key facts

• The Attack
  • Exploits the DCOM RPC and WebDAV vulnerabilities that exist in MS Windows systems
• The Motive
• The Damage
  • Denial of Service
  • Causes system instability on vulnerable Windows 2000 machines due to the RPC service crash
  • Performs pings, which consequently result in increased ICMP traffic

Page 5: Sample Firewall Logs

• Actual Nachi ICMP scan

11:47:47.576542 202.X.X.X > 203.Y.Y.Y: icmp: echo request
0x0000 4500 005c 599d 0000 8001 970c a9fe 38a6 E..\Y.........8.
0x0010 a9fe bd54 0800 fa51 0200 a658 aaaa aaaa ...T...Q...X....
0x0020 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
0x0030 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
0x0040 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
0x0050 aaaa aaaa aaaa aaaa aaaa aaaa ............

• Firewall logs show

09:31:38.307409 202.X.X.X > 203.Y.Y.1: icmp: echo request (DF)
09:31:38.307409 202.X.X.X > 203.Y.Y.2: icmp: echo request (DF)
09:31:38.307409 202.X.X.X > 203.Y.Y.3: icmp: echo request (DF)

• Event Analysis

Firewalls are most commonly configured to allow ICMP echo requests (ping) from outside for the purpose of connectivity checks, hence this is regarded as valid traffic.

The firewall had no knowledge of whether the request carried legitimate or malicious content.

Page 6: Sample IDS Logs

• Actual Nachi ICMP scan (the same packet as in the firewall log sample)

• With signature updates, IDS logs show

Aug 20 10:55:06 ids snort: [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {ICMP} 202.X.X.X -> 203.Y.Y.1
Aug 20 10:55:06 ids snort: [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {ICMP} 202.X.X.X -> 203.Y.Y.2
Aug 20 10:55:06 ids snort: [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {ICMP} 202.X.X.X -> 203.Y.Y.3

• Event Analysis

False positives: alerts are also received for targets which are non-Windows.
Even if the IDS identified the attack, it cannot stop it.
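As an added example, not part of the slide deck, the Python below decodes the ICMP echo request quoted in the firewall and IDS log samples and applies the two checks the slides contrast: the firewall's stateless rule that passes any echo request, and a payload content check modelled on the idea behind Snort's sid 483 CyberKit alert (assumption: an echo request whose data opens with a run of 0xAA bytes; the real Snort rule text is not reproduced). Addresses come from the hex bytes rather than the masked summary line, and the benign comparison ping is constructed here.

```python
import struct

# Nachi ICMP scan packet as dumped on the slides (hex words only; ASCII column dropped)
NACHI_DUMP = """\
0x0000 4500 005c 599d 0000 8001 970c a9fe 38a6
0x0010 a9fe bd54 0800 fa51 0200 a658 aaaa aaaa
0x0020 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x0030 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x0040 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x0050 aaaa aaaa aaaa aaaa aaaa aaaa"""

def parse_dump(text):
    """Turn 'offset hexword hexword ...' lines into raw packet bytes."""
    return bytes.fromhex("".join(w for ln in text.splitlines() for w in ln.split()[1:]))

def checksum(data):
    """RFC 1071 ones-complement sum; returns 0 when a stored checksum verifies."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def decode_icmp(pkt):
    """Validate IPv4 + ICMP framing and return (src, dst, icmp_type, payload)."""
    ihl = (pkt[0] & 0x0F) * 4
    if struct.unpack("!H", pkt[2:4])[0] != len(pkt) or pkt[9] != 1:
        raise ValueError("not a complete ICMP datagram")
    if checksum(pkt[:ihl]) or checksum(pkt[ihl:]):
        raise ValueError("IP or ICMP checksum mismatch")
    src, dst = (".".join(map(str, pkt[i:i + 4])) for i in (12, 16))
    return src, dst, pkt[ihl], pkt[ihl + 8:]

def firewall_allows(icmp_type):
    """The firewall rule from the slide: echo requests pass for connectivity checks."""
    return icmp_type == 8

def cyberkit_signature(icmp_type, payload):
    """Content check (assumption, modelled on the CyberKit idea): echo request whose data
    starts with 16 bytes of 0xAA. Matches on content alone, whatever the target OS."""
    return icmp_type == 8 and payload[:16] == b"\xaa" * 16

def build_echo_request(src, dst, payload):
    """Constructed benign echo request, for contrast with the Nachi packet."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, 0, 128, 1, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:] + icmp
```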

Page 7: IDS: Definition & Approaches

Definition: An IDS is a system that is responsible for detecting anomalous, inappropriate, or other data that may be considered unauthorized occurring on a network or host.

Approaches:
1. Misuse detection – the ability to identify intrusions based on a known pattern (signatures) of malicious activity, e.g. NFR, RealSecure, Snort, Cisco Secure IDS.
   Benefits of adopting this method:
   • The potential for low alarm rates
   • Accuracy of detection
   • Detailed textual log
2. Anomaly detection – the attempt to identify malicious traffic based on deviations from established normal network traffic patterns.

Page 8: IDS: Limitations and Solutions

Limitation                                 Solution
No awareness                               Bringing context
Tuning is an ongoing process               Automate the process of signature management
Interpreting output requires expertise     Automate prioritization
Data management                            Central repository
Does not protect the network               IPS

Page 9: Sample IPS Logs

• Actual Nachi ICMP scan (the same packet as in the firewall log sample)

• With signature updates, IPS logs show

08/20-02:55:06.197828 [**] [1:0:0] Packet Dropped-cyberkit drop [**] {ICMP} 202.188.17.56 -> 202.X.X.X
08/20-02:55:06.408366 [**] [1:0:0] Packet Dropped-cyberkit drop [**] {ICMP} 202.188.17.56 -> 202.X.X.X

• Event Analysis

Prevents the attack, but false positives may subject the network to failures.

Page 10: IPS: Definition & Approaches

Definition: IPS are proactive defense mechanisms designed to detect malicious packets within normal network traffic and stop intrusions by blocking the offending traffic automatically before it does any damage.

Approaches:
– Software heuristics: profile based (anomaly detection)
– Sandbox: runs code in a restricted area and monitors its behaviour
– Hybrid: combines traffic anomaly and signature detection
– Kernel protection: prevents execution of malicious system calls

Page 11: Generic Operation Overview (inline)

[Diagram: an inline IPS applying its three actions to sample traffic: a request for www.abc.com is passed unchanged; a packet carrying shellcode bytes (|e8c0 ffff ff| followed by /bin/sh) is dropped; a request for cmd.exe is replaced (rewritten to abc.exe)]

Page 12: IPS: Limitations and Solutions

Limitation                                            Solution
False positives will subject the network to failure   Monitor & automate the process of signature management
Can lead to network problems                          Incident Response
Commercial products are expensive                     Alternatives: Open Source (limited options)

Page 13: IPS: Tools

Open Source
– Hogwash
– Snort Inline (RedHat Linux only)

Commercial
– Okena – StormWatch (bought over by Cisco)
– Intruvert – IntruShield 2600 & 4000
– Harris Corp. – STAT Neutralizer

Page 14: Update

• June 2003 – a Gartner Group report sparked the security community with "IDS is dead!"
• The fact: IPS develops over IDS.
• HoneyNet popularised IPS.

Page 15: How HoneyPot fits in

Definition: A system that is installed and configured to emulate network devices, i.e. server, switch, router etc. The system should attract the attacker into attacking it while security professionals closely monitor the activity without taking any action to stop the attacker.

How
– By emulating a critical server, the attacker will be trying to attack the honeypot instead of the real server
– By emulating, the honeypot will be able to detect new patterns of attack
– Able to monitor and understand encrypted attacks which cannot be detected by IDS and IPS

Page 16: Security Framework

[Diagram: triangle of Prevention, Detection and Response]

Preventive Controls: Preventive controls are designed to lower the amount and impact of unintentional errors entering the system and to prevent unauthorized intruders from accessing the system internally or externally.

Detective Controls: Detective controls are used to identify undesirable events or attack attempts.

Corrective Controls: Corrective controls are used to correct or respond to any undesirable events that have occurred and to mitigate the impact of a loss event through data recovery procedures.

Page 17: Solution Matrix

[Matrix: IPS, HoneyPot, IDS and Firewall plotted against Prevention, Detection and Response]

Page 18: Key to Successful Intrusion Prevention

1. Define the organization's security goals
– What are you trying to protect?
– Which system?
– Against what threat? Internal attackers? Internet attackers?
– What is the impact to the business?

2. Define response scenarios
– How will you respond to intrusion or attempts?
– Who is responsible for response decisions?
– What is the Incident Response policy?

3. Design the installation
– Where is the system accessible from? e.g. Internet, branches via WAN etc.
– What is the system platform? e.g. Unix/Windows
– What is protecting the servers? e.g. Network Firewall, Host Level Firewalls, switch/router rules, IDS, Access Control Lists

Page 19: Key to Successful Intrusion Prevention (continued)

4. Identify the analysts
– Understand the company's business and information security policy
– Skilled in networking and security
  • firewall, routers, IDS, OS
  • TCP/IP behaviour
  • Incident Response Handling

5. Implement
– Apply defense and networking rules
– Install and Test – know your network first
– Define security rules
– Identify time and personnel involvement
– Define SOP

Page 20: Deployment Architecture – Defense in Depth

[Diagram: defense-in-depth deployment. Labels: Outside Firewall, Inside Firewall, Router, NIPS, NIPS (Switch), NIDS (two), IDS, HoneyPot (two); Web Server, SMTP Relay Server, DNS Server, Application Server, Database Server, Email Server and Authentication Server, each with HIPS; user computers; zones labelled DMZ, Server Farm and User Segment]

Page 21: Conclusion

Although the infrastructure can successfully be used to create a secure environment, it is not the only factor in optimum network security.

– Creating awareness of the importance of security and accountability within the organization
– Establishing a good security policy
– Staying up to date on the latest developments in the hacker and security communities
– Maintaining and monitoring all systems with sound system administration practices

are amongst the heart of best practices in network security.

Page 22: Thank You

For more information, please contact: [email protected]

Technology Park Malaysia, 57000 Kuala Lumpur
Tel: +60 3 8996 5000
Fax: +60 3 8996 1672

Page 23: References

• "Intrusion Prevention Systems – Security's Silver Bullet?", Dinesh Sequeira, http://www.sans.org/rr
• "Top 5 ways to make your IDS better", Martin Roesch, Sourcefire, July 2003, http://www.sans.org/webcasts/archive.php
• Hogwash, Jed Haile, http://www.blackhat.com/html/bh-media-archives/bh-archives-2002.html
• "Update on recent Worm Outbreak", NISER Panel of Experts Workshop 2003
• Sophos Virus Analysis: W32/Nachi-A, http://www.sophos.com/virusinfo/analyses/w32nachia.html

