FIRST LINE OF DEFENSE Intrusion Prevention System Stephen Gates – CISSP Hoàng Thế Long – Nguyễn Thái Bình

Sans Institute Top 10 Cyber Threats for Increasingly sophisticated website attacks that exploit browser vulnerabilities 2.Increasing sophistication and effectiveness in botnets 3.Cyber espionage efforts by well-resourced organizations to extract large amounts of data for economic and political purposes 4.Mobile phone threats, especially against iPhones, Google's Android phones, and voice over IP systems 5.Insider attacks 6.Advanced identity theft from persistent bots 7.Increasingly malicious spyware 8.Web application security exploits 9.Increasingly sophisticated social engineering to provoke insecure behavior 10.Supply chain attacks that infect consumer devices Source :SANS Institute

FIRST LINE OF DEFENSE What is an IPS?

Intrusion prevention systems (IPS), also known as intrusion detection and prevention systems (IDPS), are network security appliances that monitor network and/or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about this activity, attempt to block/stop it, and report it.network security Source :Principles of Information Security – Michael E. Whitman, Herbert J. Mattord

5 1. To prevent problem behaviors by increasing the perceived risk of discovery and punishment for those who would attack or otherwise abuse the system 2. To detect attacks and other security violations that are not prevented by other security measures 3. To detect and deal with the preambles to attacks (commonly experienced as network probes and other “doorknob rattling” activities) 4. To document the existing threat to an organization 5. To act as quality control for security design and administration, especially in large and complex enterprises 6. To provide useful information about intrusions that do take place, allowing improved diagnosis, recovery, and correction of causative factors Why use an IDPS (cont.)?

6 Best Reason –One of the best reasons to install an IDPS is that they serve as deterrents by increasing the fear of detection among would-be attackers. If internal and external users know that an organization has an intrusion detection and prevention system, they are less likely to probe or attempt to compromise it, just as criminals are much less likely to break into a house that has an apparent burglar alarm. Why use an IDPS (cont.)?

Type of IDPS Network - based IDPS (NIDPS) –monitors the entire network for suspicious traffic by analyzing protocol activity Wireless IDPS Network Behavior Analysis System (NBA) Host -based IDPS (HIDPS) –an installed software package which monitors a single host for suspicious activity by analyzing events occurring within that host.

Type of IDS/IPS

IPDS Detection Methods 9 1. The signature-based approach 2. The statistical-anomaly approach 3. The stateful packet inspection approach

IPDS Response Options 10 Audible/visual alarm message Page or phone message Log entry Evidentiary packet dump Take action against the intruder Launch program Reconfigure firewall Terminal Session Terminate connection

Strengths of IDPS 11 Monitoring and analysis of system events and user behaviors Testing the security states of system configurations Baselining the security state of a system, then tracking any changes to that baseline Recognizing patterns of system events that correspond to known attacks Recognizing patterns of activity that statistically vary from normal activity Managing operating system audit and logging mechanisms and the data they generate Alerting appropriate staff by appropriate means when attacks are detected Measuring enforcement of security policies encoded in the analysis engine Providing default information security policies Allowing non-security experts to perform important security monitoring functions

Limitations of IDPS 12 Compensating for weak or missing security mechanisms in the protection infrastructure,such as firewalls, identification and authentication systems, link encryption systems,access control mechanisms, and virus detection and eradication software Instantaneously detecting, reporting, and responding to an attack when there is a heavy network or processing load Detecting newly published attacks or variants of existing attacks Effectively responding to attacks launched by sophisticated attackers Automatically investigating attacks without human intervention Resisting all attacks that are intended to defeat or circumvent them Compensating for problems with the fidelity of information sources Dealing effectively with switched networks

Others 13 Reporting and Archiving Capabilities Failsafe Considerations for IDPS Reponses Selecting IDPS Approaches and Products Organizational Requirements and Contraints IDPS Product Features and Quality

FIRST LINE OF DEFENSE Why enterprise needs IPS?

Typical Network Topology SW Customer Traffic “Good Users” Internet’s No-Man’s Land

What’s Firewall UTM limitation SW “Good Users” Internet’s No-Man’s Land “Attacker s”

What’s else Firewall UTM can not do? SW “Good Users” Internet’s No-Man’s Land “Attacker s”

18 Cyberoam Firewall UTM

Customer Traffic DDoS Attacks Protocol Abuse Undesired Users & Service SW Server-Side Exploits Customer Traffic “Good Users” Internet’s No-Man’s Land “Attackers” Without IPS

“Good Users” “Attackers” Undesired Users & Services DDoS Attacks Protocol Abuse Server-Side Exploits SW “Good Users” Internet’s No-Man’s Land “Attackers” Customer Traffic With IPS

21 Corero IPDS

IPDS Boongke Centralized Management & ReportingCorero Security Operations Center SecureWatch Excerpts of SecureWatch Reports 22

FIRST LINE OF DEFENSE Q & A