Page 1

NetRanger Intrusion Detection System

Marek Mąkowski, mmakowsk@cisco

0600_11F8_c2

Page 2

The Security Wheel: Defense In-Depth

Effective network security requires defense in-depth, multiple capabilities - a combination of framework/process, technology, and expertise/ongoing operations…

Steps of the wheel (diagram):

1) Corporate Security Policy

2) SECURE

3) MONITOR

4) AUDIT/TEST

5) MANAGE & IMPROVE

Capabilities placed around the wheel:

• Policy Development & Review

• ID/Authentication • Encryption & VPN • Firewalls • Security Design & Implementation/Integration

• Real-Time Intrusion Detection & Response • 7x24 Monitoring

• Vulnerability Scanning & Analysis • Security Posture Assessment • Risk Assessment

• Centralized Policy & Configuration Management

• Trend Analysis • Management Reports • Incident Response

Page 3

Why Active Audit?

• The hacker might be an employee or ‘trusted’ partner

  Up to 80% of security breaches are from insiders -- FBI

• Your defense might be ineffective

  One in every three intrusions occurs where a firewall is in place -- Computer Security Institute

• Your employees might make mistakes

  Misconfigured firewalls, modems, old passwords, etc.

• Your network will grow and change

  Each change is a security risk

Firewalls, authorization and encryption do not provide visibility into these problems

Page 4

Active Audit -- Goal: Visibility

• NetRanger Intrusion Detection System

  Monitors user behaviors while on the network

  Similar to the guards, video cameras and motion detectors that help secure bank vaults

Page 5

NetRanger Overview

• Real-Time Intrusion Detection and Response

• Finds and stops unauthorized activity occurring on the network --- “reactive” appliance

• Network “motion sensor, video camera, and security guard”

• Industry-leading technology

  Scalable, distributed operation

  High performance (100MB Ethernet, FDDI, Token Ring)

  “On-the-fly” re-configuration of Cisco Router ACLs to shun intruders

Page 6

NetRanger Architecture

NetRanger Director (software):

• Alarm Handling

• Configuration Control

• Signature Control

NetRanger Sensor (appliance):

• Detection

• Alarm Generation

• Response

• Countermeasures

(Diagram: Director and Sensor joined by a communications link.)

Page 7

Sensor Appliance (photo)

Page 8

Sensor Front Panel (photo)

Page 9

Sensor Back Panel (photo)

Labelled interfaces: Monitoring NIC, Command NIC

Page 10

Attack Signature Detection

• Scans Packet Header and Payload

  Single and multiple packet attacks

• Three-tier Attack Detection

  1. Name Attacks (Smurf, PHF)

  2. General Category (IP Fragments)

  3. Extraordinary (TCP Hijacking, E-mail Spam)

• Customer Defined Signatures

  String matching (words)

  Quickly defend against new attacks

  Scan for unique misuse

Page 11

Sensor—Detect Intrusions

(Diagram: signatures classified along two axes)

Context (Header) vs. Content (Data)

“Atomic” (single packet) vs. “Composite” (multiple packets)

Example attacks placed on the grid: Ping of Death, Land Attack, Port Sweep, SYN Attack, TCP Hijacking, MS IE Attack, DNS Attacks, Telnet Attacks, Character Mode Attacks
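The two axes on this slide, together with the customer-defined string signatures on the previous one, can be shown in a small classifier. The following Python is an added example written for this page, not NetRanger's own code: it runs two atomic header checks (Land, Ping of Death), one customer string signature, and a stateful port-sweep counter over constructed packets. The packet fields, thresholds and signature names are assumptions made here.

```python
"""Toy signature engine in the style of the slides (added example, not Cisco's
NetRanger code). Detections are classified along the two axes on page 11,
context (header) vs. content (payload) and atomic (one packet) vs. composite
(several packets), and a customer-defined string signature as on page 10 is
included. All packets are constructed for the demo; thresholds, field names
and signature names are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float             # capture time in seconds
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    length: int = 0       # reassembled IP datagram length in bytes
    flags: str = ""       # TCP flags, e.g. "S" for SYN, "PA" for PSH+ACK
    payload: bytes = b""


@dataclass
class Alarm:
    signature: str
    kind: str             # "context" (header) or "content" (data)
    scope: str            # "atomic" (one packet) or "composite" (many packets)
    src: str
    detail: str


class SignatureEngine:
    def __init__(self, sweep_ports=10, sweep_window=5.0, custom_strings=None):
        self.sweep_ports = sweep_ports        # distinct ports that make a sweep
        self.sweep_window = sweep_window      # seconds of history kept per pair
        self.custom_strings = dict(custom_strings or {})   # name -> bytes
        self._syn_history = defaultdict(list)   # (src, dst) -> [(ts, dport)]

    def inspect(self, pkt):
        """Run every signature against one packet; return the alarms raised."""
        return (self._atomic_context(pkt)
                + self._atomic_content(pkt)
                + self._composite_context(pkt))

    def _atomic_context(self, pkt):
        out = []
        # Land attack: a TCP segment whose source equals its destination.
        if pkt.proto == "tcp" and pkt.src == pkt.dst and pkt.sport == pkt.dport:
            out.append(Alarm("Land Attack", "context", "atomic", pkt.src,
                             f"src==dst {pkt.src}:{pkt.sport}"))
        # Ping of Death: an ICMP datagram reassembling to more than 65535 bytes.
        if pkt.proto == "icmp" and pkt.length > 65535:
            out.append(Alarm("Ping of Death", "context", "atomic", pkt.src,
                             f"icmp length {pkt.length}"))
        return out

    def _atomic_content(self, pkt):
        # Customer-defined signatures: plain substring match on the payload.
        return [Alarm(name, "content", "atomic", pkt.src, f"matched {needle!r}")
                for name, needle in self.custom_strings.items()
                if needle in pkt.payload]

    def _composite_context(self, pkt):
        # Port sweep: one source sends SYNs to many distinct ports of one host
        # inside the window. State is kept across packets, hence "composite".
        if pkt.proto != "tcp" or "S" not in pkt.flags:
            return []
        hist = self._syn_history[(pkt.src, pkt.dst)]
        hist.append((pkt.ts, pkt.dport))
        cutoff = pkt.ts - self.sweep_window
        hist[:] = [(t, p) for t, p in hist if t >= cutoff]
        distinct = {p for _, p in hist}
        if len(distinct) < self.sweep_ports:
            return []
        hist.clear()   # report once, then start counting afresh
        return [Alarm("Port Sweep", "context", "composite", pkt.src,
                      f"{len(distinct)} ports on {pkt.dst} within {self.sweep_window}s")]


def run_demo():
    """Feed constructed traffic through the engine and return the alarms."""
    engine = SignatureEngine(custom_strings={"PHF Request": b"/cgi-bin/phf"})
    traffic = [
        Packet(0.0, "10.0.0.5", "10.0.0.5", "tcp", 139, 139, 60, "S"),
        Packet(0.1, "192.0.2.7", "10.0.0.9", "icmp", length=65600),
        Packet(0.2, "192.0.2.7", "10.0.0.80", "tcp", 4000, 80, 120, "PA",
               b"GET /cgi-bin/phf HTTP/1.0\r\n"),
    ]
    # Twelve SYNs to twelve ports from one source; the sweep fires at the tenth.
    traffic += [Packet(1.0 + i * 0.1, "192.0.2.7", "10.0.0.9", "tcp",
                       40000 + i, i + 1, 60, "S") for i in range(12)]
    alarms = []
    for pkt in traffic:
        alarms.extend(engine.inspect(pkt))
    return alarms


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.signature:<14} {a.kind}/{a.scope:<9} from {a.src}: {a.detail}")
```

The composite signature is the one that costs a sensor the most: it must keep per-source state between packets, and the window and threshold together decide how many alarms a busy but legitimate host produces, so those two values are the ones to tune per network rather than copy from a default.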

Page 12

Sensor—Event Logging

Events are Logged for Three Different Activities

Alarms—when signature is detected

Errors—when error is detected

Commands—when user executes command on Director or Sensor

(Diagram examples exchanged between Director and Sensor: alarm “Ping Sweep”, error “Lost Communications”, command “Shun Attacking Host”.)

Page 13

Sensor—Attack Response: Session Termination and Shunning

Session Termination (example: TCP Hijack)

  Kill current session

  Kills an active session

Shunning (network device)

  Shun attacker

  Reconfigure router to deny access

(Diagram: in both cases the Sensor sits between the Attacker and the protected network.)
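To show how the three event types from the previous slide and the shunning response on this one fit together, here is an added Python example written for this page (not Cisco's Director or Sensor code). It keeps one log of alarms, errors and commands and turns an alarm into a timed router deny entry. The IOS-style ACL text, the 15-minute default, the "never shun" list and all addresses are assumptions constructed for the demo.

```python
"""Added example (not Cisco code): the three event types from page 12,
alarms, errors and commands, written to one log, and the shunning response
from page 13 turned into timed router deny entries. The IOS-style ACL text,
the 15-minute default and the "never shun" list are assumptions made here
for illustration; the addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

EVENT_TYPES = ("alarm", "error", "command")


@dataclass
class Event:
    ts: float      # seconds (a plain counter in the demo)
    kind: str      # one of EVENT_TYPES
    source: str    # "director" or "sensor"
    text: str


class EventLog:
    def __init__(self):
        self.events = []

    def record(self, kind, source, text, ts):
        if kind not in EVENT_TYPES:
            raise ValueError(f"unknown event type {kind!r}")
        ev = Event(ts, kind, source, text)
        self.events.append(ev)
        return ev

    def of_kind(self, kind):
        return [e for e in self.events if e.kind == kind]


class ShunManager:
    """Keeps the set of shunned hosts with an expiry and renders the ACL."""

    def __init__(self, log, duration=900, never_shun=()):
        self.log = log
        self.duration = duration                       # seconds a shun lasts
        self.never_shun = [ip_network(n) for n in never_shun]
        self.active = {}                               # ip -> expiry time

    def _protected(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in self.never_shun)

    def shun(self, ip, reason, now):
        """Add a deny for `ip`; refuse (and log an error) for protected ranges.

        The never-shun list matters because an alarm can be raised by traffic
        carrying a forged source address; without the list the response itself
        could cut off routers, DNS servers or business partners."""
        if self._protected(ip):
            self.log.record("error", "sensor",
                            f"shun refused for {ip}: address is in never-shun list", now)
            return False
        self.active[ip] = now + self.duration
        self.log.record("command", "sensor",
                        f"shun {ip} for {self.duration}s ({reason})", now)
        return True

    def expire(self, now):
        """Drop shuns whose time is up; log each removal as a command."""
        for ip, until in list(self.active.items()):
            if until <= now:
                del self.active[ip]
                self.log.record("command", "sensor", f"unshun {ip}", now)

    def acl_lines(self, now, acl_no=199):
        """Render the current shun set as an IOS-style extended ACL (assumed syntax)."""
        self.expire(now)
        lines = [f"access-list {acl_no} deny ip host {ip} any"
                 for ip in sorted(self.active, key=ip_address)]
        lines.append(f"access-list {acl_no} permit ip any any")
        return lines


def run_demo():
    """Constructed sequence: an alarm, a shun, a refused shun, an expiry."""
    log = EventLog()
    shunner = ShunManager(log, duration=900, never_shun=["10.0.0.0/8"])
    log.record("alarm", "sensor", "Ping Sweep from 192.0.2.7", ts=100.0)
    shunner.shun("192.0.2.7", "Ping Sweep", now=100.0)
    log.record("alarm", "sensor", "SYN Attack from 10.0.0.1", ts=101.0)
    shunner.shun("10.0.0.1", "SYN Attack", now=101.0)     # refused: internal range
    log.record("error", "director", "Lost Communications with sensor-1", ts=150.0)
    acl_during = shunner.acl_lines(now=200.0)
    acl_after = shunner.acl_lines(now=1100.0)              # 192.0.2.7 has expired
    return log, acl_during, acl_after
```

Logging the shun and unshun as commands, next to the alarm that caused them, is what makes the response auditable later: the log answers who was blocked, why, and for how long, without having to reconstruct it from router configuration history.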

Page 14

Sensor—Session Logging

(Diagram: Attacker, Sensor, Protected Network; the attack session is written to a Session Log.)

• Capture evidence (Keystrokes) of suspicious or criminal activity

• Fish Bowl or Honeypot -- Learn and record a hacker’s knowledge of your network

Page 15

NetRanger Deployment

(Diagram of a sample deployment. Components labelled: Internet, PIX Firewall, IOS Firewall / Cisco Router, Cisco Routers, Switch, DNS Server, WWW Server, Corporate Network with Engineering, Finance and Admin segments, Business Partner link, Dial-Up Access, NetRanger Director, NetRanger sensors (NR/NS), NetSonar, Cisco Secure Server for ID/Auth. (TACACS+), and Remote Security Monitoring.)

Page 16

NetRanger Director

• Geographically Oriented GUI

  Operations-friendly HP OpenView GUI

  Color Icon Alarm notification

  Quickly pinpoint, analyze and respond

  Maintain Security operations consistency

• Network Security Database

  Attack info, hotlinks, countermeasures

  Customizable

• Monitor Hundreds of Sensors per NOC

Page 17

Software Requirements

• Operating Systems

  Solaris 2.5.1 or 2.6

  HP-UX 10.20

• HP OpenView 4.11, 5.01, 6.0

• Web browser (for NSDB)

Page 18

Hardware Requirements

• Sun SPARC platform with:

  NetRanger install partition: /usr/nr (50 MB)

  NetRanger log partition: /usr/nr/var (2 GB)

  HP OpenView install partition: /opt (110 MB)

  Java run-time environment: /opt (12 MB)

  System RAM: 96 MB

Page 19

Hardware Requirements (cont.)

• HP-UX platform with:

  NetRanger install partition: /usr/nr (50 MB)

  NetRanger log partition: /usr/nr/var (2 GB)

  HP OpenView install partition: /opt (65 MB)

  Java run-time environment: /opt (10 MB)

  System RAM: 96 MB

Page 20

Director - Distributed Management

• Enterprise Strategic Management

• Regional Operational Management

• Local Network Security Management

(Diagram: a hierarchy of Directors, one Tier 1 Director over a Tier 2 Director over several Tier 3 Directors, each tier managing NetRanger sensors.)

Page 21

Alarm Display and Management

(Screenshot of the Director map. Labelled items: Director icon, Sensor icon, context intrusion alarm, content intrusion alarm.)

Page 22

Configuration Management

(Screenshot.)

Page 23

Network Security Database

• On-line reference tool

• Contains:

  Descriptions

  Recommendations and fixes

  Severity ratings

  Hyperlinks to external information/patches

Page 24

E-mail and Script Execution

E-mail Notification: sends notification to e-mail recipient or pager.

Custom Script Execution: starts any user-defined script.

Page 25

The Security Wheel: Defense In-Depth (the slide from page 2 is repeated here)

Page 26

What comprises Active Audit?

NetSonar (proactive)

• Vulnerability scanning

• Network mapping

• Measure exposure

• Security expertise

NetRanger (reactive)

• Real-time analysis

• Intrusion detection

• Dynamic response

• Assurance

Page 27

NetSonar™ Security Scanner

“Proactive Security”

0305_10F8_c2

Page 28

Active Audit—Network Vulnerability Assessment

• Assess and report on the security status of network components

  Scanning (active, passive), vulnerability database

NetSonar

Page 29

NetSonar Overview

• Vulnerability scanning and network mapping system

• Identifies and analyzes security vulnerabilities in ever-changing networks -- “proactive” software

• Industry-leading technology

  Network mapping

  Host and device identification

  Flexible reporting

  Scheduled scanning

Page 30

Network Discovery Process

Network Mapping

• Identify live hosts

• Identify services on hosts

Vulnerability Scanning

• Analyze discovery data for potential vulnerabilities

• Confirm vulnerabilities on targeted hosts

(Diagram: the scanner working through a set of targets.)

Page 31

Network Mapping Tool

• Uses multiple techniques

  Ping sweeps - Electronic Map

  Port sweeps - Service discovery

• Unique discovery features

  Detects workstations, routers, firewalls, servers, switches, printers, and modem banks

  Detects Operating Systems and version numbers

  Does not require SNMP

Page 32

Vulnerability Assessment Engine

• Potential Vulnerability Engine -- Passive

  Compares network discovery data to rules to reveal potential vulnerabilities

• Confirmed Vulnerability Engine -- Active

  Uses well-known exploitation techniques to fully confirm each suspected vulnerability and to identify vulnerabilities not detected during passive mapping

Page 33

How NetSonar Works

(Flow diagram, left to right:)

1. Network Discovery

   Ping Sweep - ID Hosts (hosts marked active or inactive)

   Port Sweeps - ID Svcs

   Discovered: Email Svr (SMTP, FTP), Web Svr (HTTP, FTP), Workstation (Telnet), Firewall, Router

2. Passive Vulnerability Analysis

   Discovery data analyzed by rules

   Example: Workstation: Windows NT v4.0 • SMB Redbutton • Anonymous FTP

3. Active Vulnerability Analysis

   Exploits executed against target hosts

   Example: FTP Bounce Exploit

4. Presentation & Reporting

   Communicate results
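The passive step described on this slide and on page 32, matching discovery data against rules, is easy to show in code. The following Python is an added example written for this page, not NetSonar's code: it takes a constructed host/OS/service inventory of the kind ping and port sweeps produce, runs a rule set over it, and reports potential findings ranked by severity, flagging which ones the active engine would still need to confirm. The hosts, rules, severities and banners are all constructed, and the rules are deliberately simple.

```python
"""Added example (not Cisco's NetSonar code): the passive "potential
vulnerability" step from pages 32 and 33. Discovery data (host, OS and
services, as ping and port sweeps would produce it) is compared against
rules to yield potential findings; the active confirmation step is only
represented as a flag on each finding. Hosts, rules, severities and banners
are constructed for the demo and the rules are simplified."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Service:
    port: int
    name: str            # e.g. "ftp", "smb", "http", "telnet"
    banner: str = ""


@dataclass
class Host:
    ip: str
    kind: str            # "workstation", "web server", "firewall", ...
    os: str              # e.g. "Windows NT 4.0"
    services: list = field(default_factory=list)


@dataclass
class Rule:
    name: str
    severity: int                        # 1 (low) .. 5 (high)
    service: Optional[str] = None        # service name that must be present
    os_contains: Optional[str] = None    # substring the OS string must contain
    banner_contains: Optional[str] = None
    needs_confirmation: bool = True      # active engine must confirm it


@dataclass
class Finding:
    host: str
    rule: str
    severity: int
    evidence: str
    needs_confirmation: bool


def match(rule, host):
    """Return an evidence string if the rule applies to the host, else None."""
    if rule.os_contains and rule.os_contains.lower() not in host.os.lower():
        return None
    if rule.service is None:             # OS-only rule
        return f"os={host.os}"
    for svc in host.services:
        if svc.name != rule.service:
            continue
        if rule.banner_contains and rule.banner_contains not in svc.banner:
            continue
        return f"{svc.name}/{svc.port} on {host.os}"
    return None


def assess(hosts, rules):
    """Run every rule over every host; highest severity first."""
    findings = []
    for host in hosts:
        for rule in rules:
            evidence = match(rule, host)
            if evidence is not None:
                findings.append(Finding(host.ip, rule.name, rule.severity,
                                        evidence, rule.needs_confirmation))
    findings.sort(key=lambda f: (-f.severity, f.host, f.rule))
    return findings


# Constructed rules, named after the examples on page 33.
RULES = [
    Rule("SMB Redbutton", 4, service="smb", os_contains="Windows NT 4.0"),
    Rule("Anonymous FTP", 3, service="ftp"),
    Rule("FTP Bounce", 3, service="ftp"),
    Rule("Cleartext Telnet", 2, service="telnet", needs_confirmation=False),
    Rule("Windows NT 4.0 host (check service pack)", 1, os_contains="Windows NT 4.0"),
]


def run_demo():
    hosts = [
        Host("10.0.0.20", "workstation", "Windows NT 4.0",
             [Service(139, "smb"), Service(21, "ftp", "220 FTP ready"), Service(23, "telnet")]),
        Host("10.0.0.80", "web server", "Solaris 2.6",
             [Service(80, "http"), Service(21, "ftp", "220 FTP server ready")]),
        Host("10.0.0.1", "firewall", "PIX"),
    ]
    return assess(hosts, RULES)


if __name__ == "__main__":
    for f in run_demo():
        mark = "confirm" if f.needs_confirmation else "inherent"
        print(f"sev {f.severity}  {f.host:<10} {f.rule:<40} {f.evidence}  [{mark}]")
```

The point of the separate `needs_confirmation` flag is the distinction the slides draw between the passive and active engines: an open FTP port is only a potential anonymous-FTP or FTP-bounce finding until something checks it, whereas a telnet service exposes credentials in clear by design and needs no confirmation. A passive report that does not make this distinction overstates its certainty.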
