Proprietary & Confidential to MIMOS Berhad

1 Prevent Intrusion: What is relevant
By Rozana Rusli, MIMOS Consulting Group, 23 July 2004

2 Outline
- A scenario: the W32.Nachi worm
- How it bypasses the firewall: limitation and solution
- How an IDS is able to detect it but is not enough: limitation and solution
- How an IPS adds to defense-in-depth: limitation and solution
- How a honeypot fits in
- Overall deployment

3 Infection of the W32.Nachi worm
(1) A PC on dial-up to the Internet is infected with the W32.Nachi worm. The PC scans other networks using crafted ICMP packets.
(2) On a vulnerable host the worm drops DLLHOST.exe through port 135/TCP, opens port 707/TCP, downloads the RPC DCOM patch from Microsoft, installs the Microsoft MS03-026 patch and reboots.
(3) A notebook/laptop on that network is now infected with the W32.Nachi worm.
(4) The notebook/laptop starts scanning other PCs/notebooks on the network using crafted ICMP packets.
(5) Other PCs/notebooks on the network get infected with the W32.Nachi worm.

4 Key facts
The attack: exploits the DCOM RPC and WebDAV vulnerabilities that exist in MS Windows systems.
The motive
The damage: denial of service. It causes system instability on vulnerable Windows 2000 machines because the RPC service crashes, and it performs pings that consequently cause increased ICMP traffic.

5 Sample firewall logs
Actual Nachi ICMP scan:
11:47:47.576542 202.X.X.X > 203.Y.Y.Y: icmp: echo request
0x0000 4500 005c 599d 0000 8001 970c a9fe 38a6  E..\Y.........8.
0x0010 a9fe bd54 0800 fa51 0200 a658 aaaa aaaa  ...T...Q...X....
0x0020 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa  ................
0x0030 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa  ................
0x0040 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa  ................
0x0050 aaaa aaaa aaaa aaaa aaaa aaaa            ............
Firewall logs show:
09:31:38.307409 202.X.X.X > 203.Y.Y.1: icmp: echo request (DF)
09:31:38.307409 202.X.X.X > 203.Y.Y.2: icmp: echo request (DF)
09:31:38.307409 202.X.X.X > 203.Y.Y.3: icmp: echo request (DF)
Event analysis
- Firewalls are most commonly configured to allow ICMP echo requests (ping) from outside for connectivity checks, so this traffic is regarded as valid.
- The firewall had no knowledge of whether the request carried legitimate or malicious content.
- Nothing in the IP or ICMP header distinguishes this packet from an ordinary ping. What marks it is the payload: the total length field 0x005c is 92 bytes, i.e. a 20-byte IP header, an 8-byte ICMP header and 64 bytes of 0xAA, and a packet filter that decides on header fields alone never looks there.

6 Sample IDS logs
Actual Nachi ICMP scan: the same packet shown in the firewall log sample (echo request, 64 bytes of 0xAA payload).
With signature updates, IDS logs show:
Aug 20 10:55:06 ids snort: [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {ICMP} 202.X.X.X -> 203.Y.Y.1
Aug 20 10:55:06 ids snort: [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {ICMP} 202.X.X.X -> 203.Y.Y.2
Aug 20 10:55:06 ids snort: [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {ICMP} 202.X.X.X -> 203.Y.Y.3
Event analysis
- False positives: alerts are also raised for targets that are not Windows hosts. Note also that sid 483 was written for the legitimate CyberKit 2.2 ping tool, whose 0xAA payload Nachi reuses, so the signature cannot tell the worm from that scanner either.
- Even when it identifies the attack, the IDS cannot stop it.

7 IDS: definition and approaches
Definition: an IDS is a system responsible for detecting anomalous, inappropriate or otherwise unauthorized activity occurring on a network or host.
Approaches:
1. Misuse detection: identifies intrusions based on known patterns (signatures) of malicious activity, e.g. NFR, RealSecure, Snort, Cisco Secure IDS. Benefits of this method: the potential for low false-alarm rates, accuracy of detection, and detailed textual logs.
2. Anomaly detection: attempts to identify malicious traffic based on deviations from established normal network traffic patterns.
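The second approach applied to the Nachi case, as an added example that is not part of the presentation: no signature at all, just a per-source threshold on how many distinct hosts receive echo requests within a time window, run over tcpdump-style firewall log lines. The first three lines are the ones from the firewall log slide; the remaining lines, the window of 60 s, the threshold of 10 hosts and the monitoring host 10.0.0.5 are constructed assumptions. The monitoring host pings one address repeatedly and must not be flagged, which is the kind of tuning decision the next slide calls an ongoing process.

```python
import re
from collections import defaultdict, deque

# tcpdump-style lines as they appear in the firewall log on the slide.
LOG_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) (\S+) > (\S+): icmp: echo request")

# The first three lines are the real ones from the slide. The rest are constructed:
# the same source continuing its sweep up to 203.Y.Y.40 a few milliseconds apart,
# and a monitoring host (10.0.0.5) pinging one address every 30 seconds, which a
# distinct-destination threshold must not flag.
FIREWALL_LOG = [
    "09:31:38.307409 202.X.X.X > 203.Y.Y.1: icmp: echo request (DF)",
    "09:31:38.307409 202.X.X.X > 203.Y.Y.2: icmp: echo request (DF)",
    "09:31:38.307409 202.X.X.X > 203.Y.Y.3: icmp: echo request (DF)",
]
FIREWALL_LOG += [
    "09:31:38.%06d 202.X.X.X > 203.Y.Y.%d: icmp: echo request (DF)" % (307409 + 900 * n, n)
    for n in range(4, 41)
]
FIREWALL_LOG += [
    "09:%02d:%02d.000000 10.0.0.5 > 203.Y.Y.1: icmp: echo request" % (30 + n // 2, 30 * (n % 2))
    for n in range(6)
]


def parse_events(lines):
    """Return (seconds since midnight, src, dst) for every echo-request line, in time order."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # other protocols and malformed lines are ignored
        h, mi, s = m.group(1).split(":")
        events.append((int(h) * 3600 + int(mi) * 60 + float(s), m.group(2), m.group(3)))
    events.sort()
    return events


def detect_sweeps(lines, window=60.0, min_hosts=10):
    """Flag any source that sends echo requests to at least `min_hosts` distinct
    destinations within some `window`-second span. Returns {src: summary}; the
    summary keeps the largest distinct-host count seen for that source."""
    recent = defaultdict(deque)  # src -> (time, dst) pairs still inside the window
    alerts = {}
    for t, src, dst in parse_events(lines):
        q = recent[src]
        q.append((t, dst))
        while t - q[0][0] > window:
            q.popleft()
        targets = {d for _, d in q}
        if len(targets) >= min_hosts:
            prev = alerts.get(src)
            if prev is None or len(targets) > prev["hosts"]:
                alerts[src] = {"hosts": len(targets), "start": q[0][0], "end": t}
    return alerts


if __name__ == "__main__":
    for src, info in detect_sweeps(FIREWALL_LOG).items():
        print("ICMP sweep from %s: %d hosts in %.3f s" % (src, info["hosts"], info["end"] - info["start"]))
```

The threshold alone cannot distinguish the worm from a legitimate network-management sweep from the same address; that is exactly the tuning and context problem the next slide lists, and in practice the threshold is set per source network or per known scanner.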

8 IDS: limitations and solutions
- No awareness: bring context.
- Tuning is an ongoing process: automate the process of signature management.
- Interpreting the output requires expertise: automate prioritization.
- Data management: central repository.
- Does not protect the network: IPS.

9 Sample IPS logs
Actual Nachi ICMP scan: the same packet shown in the firewall log sample (echo request, 64 bytes of 0xAA payload).
With signature updates, IPS logs show:
08/20-02:55:06.197828 [**] [1:0:0] Packet Dropped-cyberkit drop [**] {ICMP} 202.188.17.56 -> 202.X.X.X
08/20-02:55:06.408366 [**] [1:0:0] Packet Dropped-cyberkit drop [**] {ICMP} 202.188.17.56 -> 202.X.X.X
Event analysis
- Prevents the attack.
- But a false positive now drops legitimate traffic, so it can cause network failures rather than just a spurious alert.
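The firewall, IDS and IPS views of the same packet in one piece of code, as an added example that is not part of the presentation: it decodes the hex dump from the firewall log slide (the dump's own IP header carries 169.254.x.x addresses; the 202.X.X.X/203.Y.Y.Y in the summary lines were anonymised by the presenter), verifies both checksums, matches it against a signature modelled on Snort sid 483 (itype 8, sixteen 0xAA bytes within the first 32 payload bytes; the exact rule options are an approximation from memory), and then applies the context an inline sensor needs before it drops anything. The Windows host inventory is a constructed assumption.

```python
import struct

# Hex dump copied from the slide (tcpdump -X format, ASCII column dropped).
NACHI_HEXDUMP = """\
0x0000 4500 005c 599d 0000 8001 970c a9fe 38a6
0x0010 a9fe bd54 0800 fa51 0200 a658 aaaa aaaa
0x0020 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x0030 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x0040 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x0050 aaaa aaaa aaaa aaaa aaaa aaaa"""

# Signature modelled on Snort sid 483 (ICMP PING CyberKit 2.2 Windows): an echo
# request whose payload starts with a run of 0xAA bytes. Nachi sends the same
# payload as the CyberKit tool, which is why the stock rule fires on the worm.
SIG_483 = {"sid": 483, "msg": "ICMP PING CyberKit 2.2 Windows",
           "itype": 8, "content": b"\xaa" * 16, "depth": 32}


def hexdump_to_bytes(dump):
    """Turn 'offset word word ...' lines into raw packet bytes."""
    raw = bytearray()
    for line in dump.splitlines():
        _offset, _, words = line.partition(" ")
        raw += bytes.fromhex(words.replace(" ", ""))
    return bytes(raw)


def inet_checksum(data):
    """RFC 1071 one's-complement sum; returns 0 for a buffer whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_icmp(pkt):
    """Parse the IPv4 and ICMP headers, verifying both checksums, and return the fields a rule needs."""
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum = struct.unpack("!BBHHHBBH", pkt[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or inet_checksum(pkt[:ihl]) != 0:
        raise ValueError("not a valid IPv4 header")
    if proto != 1:
        raise ValueError("not ICMP")
    icmp = pkt[ihl:total_len]
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    itype, icode, _icsum, echo_id, seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "src": ".".join(map(str, pkt[12:16])),
        "dst": ".".join(map(str, pkt[16:20])),
        "ttl": ttl, "itype": itype, "icode": icode,
        "id": echo_id, "seq": seq, "payload": icmp[8:],
    }


def match_signature(fields, sig):
    """Misuse detection: the ICMP type must match and the content must sit within
    the first `depth` payload bytes. This is all the firewall never looked at."""
    return fields["itype"] == sig["itype"] and sig["content"] in fields["payload"][: sig["depth"]]


def verdict(fields, sig, windows_hosts):
    """What an inline sensor should do with the packet. The signature alone is the
    IDS alert; the inventory lookup is the 'context' of the limitations slide:
    Nachi only infects Windows, so an echo request to anything else is almost
    certainly a false positive, and dropping it only breaks the connectivity
    checks the firewall was letting ICMP through for."""
    if not match_signature(fields, sig):
        return "pass"
    if fields["dst"] in windows_hosts:
        return "drop"
    return "alert"


if __name__ == "__main__":
    f = decode_icmp(hexdump_to_bytes(NACHI_HEXDUMP))
    print("%s > %s: icmp type %d, %d payload bytes" % (f["src"], f["dst"], f["itype"], len(f["payload"])))
    inventory = {"169.254.189.84"}  # constructed: hosts known to run Windows
    print("[1:%d] %s -> %s" % (SIG_483["sid"], SIG_483["msg"], verdict(f, SIG_483, inventory)))
```

Both checksums in the slide's dump verify (IP header 0x970c, ICMP 0xfa51), which is worth checking before trusting a sample packet: a hand-edited or truncated capture fails here rather than producing a misleading match.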

10 IPS: definition and approaches
Definition: an IPS is a proactive defense mechanism designed to detect malicious packets within normal network traffic and stop intrusions by automatically blocking the offending traffic before it does any damage.
Approaches:
- Software heuristics: profile-based (anomaly detection)
- Sandbox: runs code in a restricted area and monitors its behaviour
- Hybrid: combines traffic-anomaly and signature detection
- Kernel protection: prevents execution of malicious system calls

11 Generic operation overview (inline)
(Diagram.) Packets flow through the inline sensor, which matches their content and applies one of three actions: pass, drop or replace. Payload examples shown in the diagram: cmd.exe, abc.exe, |e8c0 ffff ff| (a shellcode byte string), /bin/sh, www.abc.com.
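A model of that inline operation, as an added example that is not the presentation's or any vendor's code: content rules carrying a pass, drop or replace action are applied to each payload before it is forwarded. The rule names, the sample traffic and the choice of which fragment gets which action are constructed assumptions built from the fragments in the diagram; the replacement rule follows the Snort inline convention that a replacement must be exactly as long as the bytes it overwrites, since an inline sensor cannot change the length of a TCP segment without desynchronising sequence numbers. The last sample shows the failure mode of the following slide: a legitimate help-desk mail that merely mentions cmd.exe is dropped.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    msg: str
    content: bytes
    action: str  # "drop" or "replace"
    replacement: bytes = b""

    def __post_init__(self):
        if self.action not in ("drop", "replace"):
            raise ValueError("action must be drop or replace")
        # In-place rewriting keeps segment length and sequence numbers intact;
        # only the checksums need recomputing, which the sensor does on egress.
        if self.action == "replace" and len(self.replacement) != len(self.content):
            raise ValueError("replacement must be the same length as content")


# Rules built from the payload fragments in the diagram (names are assumptions).
RULES = (
    Rule("cmd.exe access attempt", b"cmd.exe", "drop"),
    Rule("x86 call-relative shellcode stub", b"\xe8\xc0\xff\xff\xff", "drop"),
    Rule("/bin/sh in payload", b"/bin/sh", "replace", b"/ben/sh"),
)


def inspect_packet(payload, rules=RULES):
    """Return (action, forwarded_payload, matched_rule_msgs).

    A drop wins over any replace; otherwise every replace rule that matched is
    applied and the rewritten payload is forwarded."""
    hits = [r for r in rules if r.content in payload]
    if any(r.action == "drop" for r in hits):
        return "drop", b"", [r.msg for r in hits if r.action == "drop"]
    for r in hits:
        payload = payload.replace(r.content, r.replacement)
    return ("replace" if hits else "pass"), payload, [r.msg for r in hits]


# Constructed sample stream: (description, payload bytes).
SAMPLE_TRAFFIC = [
    ("directory traversal to cmd.exe",
     b"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n"),
    ("binary blob with call-relative stub", b"\x90" * 8 + b"\xe8\xc0\xff\xff\xff" + b"\x90" * 8),
    ("exploit payload spawning a shell", b"AAAA/bin/sh\x00"),
    ("ordinary web request", b"GET / HTTP/1.0\r\nHost: www.abc.com\r\n\r\n"),
    ("help-desk mail quoting cmd.exe", b"Subject: FAQ\r\n\r\nOpen cmd.exe and type ipconfig\r\n"),
]


def run(stream, rules=RULES):
    """Inspect a whole stream; returns [(description, action)] in order."""
    return [(desc, inspect_packet(p, rules)[0]) for desc, p in stream]


if __name__ == "__main__":
    for desc, action in run(SAMPLE_TRAFFIC):
        print("%-40s %s" % (desc, action))
```

The replace action is what lets an inline sensor neutralise a payload without tearing down the connection; the drop action is where the false-positive cost of the next slide comes from, because every drop is also a denial of service against whoever sent that packet.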

12 IPS: limitations and solutions
- A false positive now causes a failure, not just an alert: monitor, and automate the process of signature management.
- It can lead to network problems: have an incident response process ready.
- Commercial products are expensive: open-source alternatives exist, but the options are limited.

13 IPS: tools
Open source
- Hogwash
- Snort Inline (RedHat Linux only)
Commercial
- Okena StormWatch (acquired by Cisco)
- Intruvert IntruShield 2600 and 4000
- Harris Corp. STAT Neutralizer

14 Update
June 2003: a Gartner Group report stirred the security community by declaring IDS dead.
The fact: IPS developed out of IDS. The Honeynet community popularised IPS.

15 How a honeypot fits in
Definition: a system installed and configured to emulate network devices, e.g. a server, switch or router. The system should attract the attacker into attacking it while security professionals closely monitor the activity without taking any action to stop the attacker.
How
- By emulating a critical server, the honeypot draws the attacker into attacking it instead of the real server.
- By emulating the service, the honeypot is able to detect new patterns of attack.
- It is able to monitor and understand encrypted attacks that an IDS or IPS cannot inspect, because the honeypot itself is the endpoint of the encrypted session and sees the traffic in the clear.

16 Security framework: prevention, detection, response
Preventive controls are designed to lower the number and impact of unintentional errors entering the system and to prevent unauthorized intruders, internal or external, from accessing the system.
Detective controls are used to identify undesirable events or attack attempts.
Corrective controls are used to correct or respond to undesirable events that have occurred and to mitigate the impact of a loss event through data recovery procedures.

17 Solution matrix (columns: Prevention, Detection, Response)
- Firewall: Prevention
- IDS: Detection
- IPS: Prevention, Detection
- HoneyPot: Detection

18 Key to successful intrusion prevention
1. Define the organization's security goals
- What are you trying to protect? Which system?
- Against what threat? Internal attackers? Internet attackers?
- What is the impact to the business?
2. Define response scenarios
- How will you respond to an intrusion or an attempt?
- Who is responsible for response decisions?
- What is the incident response policy?
3. Design the installation
- Where is the system accessible from? e.g. Internet, branches via WAN, etc.
- What is the system platform? e.g. Unix/Windows
- What is protecting the servers? e.g. network firewall, host-level firewalls, switch/router rules, IDS, access control lists

19 Key to successful intrusion prevention (continued)
4. Identify the analysts
- They must understand the company's business and information security policy
- They must be skilled in networking and security: firewalls, routers, IDS, OS and TCP/IP behaviour, incident response handling
5. Implement
- Apply defense and networking rules
- Install and test; know your network first
- Define security rules
- Identify the time and personnel involved
- Define SOPs

20 Deployment architecture: defense in depth
(Diagram.) Elements shown: outside the firewall, a router and a NIPS; inside the firewall, NIDS sensors, a switch-based NIPS in front of the user computers, and a HoneyPot; host IPS (HIPS) on the web server, SMTP relay server, DNS server, application server, database server, e-mail server and authentication server. Network segments: DMZ, server farm, user segment.

21 Conclusion
Although the infrastructure can successfully be used to create a secure environment, it is not the only factor in optimum network security. Among the heart of best practice in network security are:
- creating awareness of the importance of security and accountability within the organization;
- establishing a good security policy;
- staying up to date on the latest developments in the hacker and security communities;
- maintaining and monitoring all systems with sound system administration practices.

22 Thank you
For more information, please contact:
www.consult.mimos.my
mcg@mimos.my
Technology Park Malaysia, 57000 Kuala Lumpur
Tel: +60 3 8996 5000
Fax: +60 3 8996 1672

23 References
- Dinesh Sequeira, "Intrusion Prevention Systems: Security's Silver Bullet?", SANS Reading Room, http://www.sans.org/rr
- Martin Roesch, "Top 5 ways to make your IDS better", Sourcefire, July 2003, http://www.sans.org/webcasts/archive.php
- Jed Haile, Hogwash, Black Hat 2002, http://www.blackhat.com/html/bh-media-archives/bh-archives-2002.html
- "Update on recent Worm Outbreak", NISER Panel of Experts Workshop 2003
- Sophos virus analysis: W32/Nachi-A, http://www.sophos.com/virusinfo/analyses/w32nachia.html

