Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Threat Management Lancope, Inc. 3155 Royal Drive, Bldg. 100 Alpharetta, GA 30022 Presentation to the Georgia Research Alliance June 14, 2002 Chairman.

Published byGwen Reed Modified over 8 years ago

Similar presentations

Presentation on theme: "Network Threat Management Lancope, Inc. 3155 Royal Drive, Bldg. 100 Alpharetta, GA 30022 Presentation to the Georgia Research Alliance June 14, 2002 Chairman."— Presentation transcript:

1 Network Threat Management Lancope, Inc. 3155 Royal Drive, Bldg. 100 Alpharetta, GA 30022 Presentation to the Georgia Research Alliance June 14, 2002 Chairman - Dr. John Copeland VP Eng. - John Jerrim VP Sales - Barry Fischel VP Op.s - John Balsam CFO - David Cocchiara 30 employees and growing

2 Network Threat Management History Dec. 1999 - Dr. John Copeland discovers preparations for a DDOS involving Mac OS-9 computers. No signatures available. Work starts on a system that will detect network mischief without prior signatures. Aug. 2000 - First StealthWatch system starts running at a NC College. Oct. 2000 - LANcope incorporates, with $1.5M from private investor. Joins ATDC at Georgia Tech. April 2001 - First commercial sales to S-A, Neilsen TV Ratings, Bass Hotels, … May 2001 - GigE System sees Short-Fragment Attack at Weather.com. Code Red seen arriving at Carnival Cruise lines. March 2002 - $5.5M investment from HIG Ventures and GMG Partners allows build up of Sales and Marketing teams. May 2002 - StealthWatch wins PC Magazine/eWeek Award for most innovative product in the Security Area for 2002

3 Network Threat Management 3 Network Intruders Masquerader: A person who is not authorized to use a computer, but gains access appearing to be someone with authorization (steals services, violates the right to privacy, destroys data,...) Misfeasor: A person who has limited authorization to use a computer, but misuses that authorization (steals services, violates the right to privacy, destroys data,...) Clandestine User: A person who seizes supervisory control of a computer and proceeds to evade auditing and access controls.

4 Network Threat Management 4 The Stages of a Network Intrusion 1. Scan the network to: locate which IP addresses are in use, what operating system is in use, what TCP or UDP ports are “open” (being listened to by Servers). 2. Run “Exploit” scripts against open ports 3. Get access to Shell program which is “suid” (has “root” privileges). 4. Download from Hacker Web site special versions of systems files that will let Cracker have free access in the future without his cpu time or disk storage space being noticed by auditing programs. 5. Use IRC (Internet Relay Chat) to invite friends to the feast. Trojan Horse From email, Web, floppy disk

5 Network Threat Management 5 Protection from a Network Intrusion 1. Use a “Firewall” between the local area network and the world- wide Internet to limit access (Chapter 10). 2. Use an IDS (Intrusion Detection System) to detect Cracker during the scanning stage (lock out the IP address, or monitor and prosecute). 3. Use a program like TripWire on each host to detect when systems files are altered, and email an alert to Sys Admin. 4. On Microsoft PC’s, a program like Zone Alarm is easier to install than learning how to reset default parameters to make the system safe.

6 Network Threat Management Network Traffic Monitoring Systems, such as SteathWatch (SW) can be placed at various points in a network - using taps, repeating hubs, or monitoring ports on an Ethernet switch. Protection from a Network Intrusion

7 Network Threat Management 7 Statistical Anomaly-Based Intrusion Detection High statistical variation in most measurable network behavior parameters results in high false-alarm rate Detection Threshold Undetected Intrusions False Alarms

8 Network Threat Management 8 Distributed Host-Based IDS Modules must be installed and configured on hosts. Highly recommended for critical servers

9 Network Threat Management Data Packets are compared to a growing library of known attack signatures. These include port numbers or sequence numbers that are fixed in the exploit application, and sequences of characters that appear in the data stream. Packet streams must be assembled and searched, which reduces the maximum possible data rate on the link being observed. Signature-Based IDS

10 Network Threat Management alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg: "IDS411 - RealAudio-DoS"; flags: AP; content: "|fff4 fffd 06|";) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg: "IDS362 - MISC - Shellcode X86 NOPS-UDP"; content: "|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|";) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS359 - OVERFLOW-NOOP- HP-TCP2";flags:PA; content:"|0b39 0280 0b39 0280 0b39 0280 0b39 0280|";) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS345 - OVERFLOW-NOOP- Sparc-TCP";flags:PA; content:"|13c0 1ca6 13c0 1ca6 13c0 1ca6 13c0 1ca6|";) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS355 - OVERFLOW-NOOP- Sparc-UDP2"; content:"|a61c c013 a61c c013 a61c c013 a61c c013|";) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "IDS291 - MISC - Shellcode x86 stealth NOP"; content: "|eb 02 eb 02 eb 02|";) Six “Signatures” from the Snort Database www.snort.org

11 Network Threat Management Signature-Based Intrusion Detection Systems May Not Detect New Types of Attack Back Orifice Win Nuke Trino IP Blob Land Attack Attacks with Names Alarm on Activities in these areas. Attacks without Names (not analyzed yet)

12 Network Threat Management Flow-Based Technology - An approach that recognizes normal traffic can detect new types of intrusions. Back Orifice Win Nuke Trino IP Blob Land Attack Attacks with Names Normal Network Activities Attacks without Names (not analyzed yet) FTP NetBIOS Email Web Alarm on Activities in this areas.

13 Network Threat Management A “Flow” is the stream of packets from one host to another related to the same service (e.g., Web, email, telnet, …). Data in packet headers is used to build up counts (leads to high speed). Flow-based Analysis Counters Flow- Statistics Counters Number of Packets Number of Total Bytes Number of Data Bytes Start Time of Flow Stop Time of Flow Duration of Flow Flag-Bit True-False Combo Fragmentation Bits ICMP Packet Responses to UDP Packets After the flow is over, counters are analyzed and a value is derived for the probability that the flow was crafted, perhaps for probing the network for vulnerabilities or for denial of service.

14 Network Threat Management 14 Port Profiling (as in StealthWatch) Detecting “Ugly” that otherwise looks “Good”

15 Network Threat Management Zone Profiling (as in StealthWatch) Detecting “Ugly” that otherwise looks “Good”

16 Network Threat Management FTP Client Internet Finance Subnet Engineering Subnet FTP Server FTP Client FTP Server “Port Locking” will not alarm if the FTP Client and Server App.s are in the Hosts’ Port Profiles “Zone Locking” will alarm if the FTP Client and Server App.s are not in the same Zone and cross-zone is not permitted

17 Network Threat Management Host-Based Signature-Based Anomaly-Based Flow-Based Can detect misuse of OS access and file permissions. Can detect attacks embedded in network data -if signature is known On host or network. Can detect new types, but high false alarm rate. Can detect new types of attacks by network activity. Should be used with Host-Based and/or Signature Based IDS Solutions Should be Combined

18 Network Threat Management 18 The Stages of a Network Intrusion 1. Scan the network to: locate which IP addresses are in use, what operating system is in use, what TCP or UDP ports are “open” (being listened to by Servers). 2. Run “Exploit” scripts against open ports 3. Get access to Shell program which is “suid” (has “root” privileges). 4. Download from Hacker Web site special versions of systems files that will let Cracker have free access in the future without his cpu time or disk storage space being noticed by auditing programs. 5. Use IRC (Internet Relay Chat) to invite friends to the feast. Flow-based "CI”, ”Port-Lock”, and/or “Zone-Lock”; signature-based? Signature-based, if Known exploit Host-based Flow-based "Port-Locking” & ”Zone-Locking” Flow-based "Port-Locking” & “Port-Locking”, Host-based Host-based Trojan

19 Network Threat Management Examples of “Bad” that have been seen At 8 p.m. on a Sunday evening, a T1 Internet is completely jamming for 45 minutes because 120 hosts start downloading 1.2 MB files from a CAI FTP server. At 11 am. on Saturday morning external host on the same Class C subnet start sucking down 100’s of Megabytes of data from every Web server on campus. One week-end before Napster was reportedly going out of business, two hosts jam the T1 Internet connection by downloading Gigabytes of data from peer- to-peer servers. A host appears to be repeatedly scanning the network for servers on a half- dozen different port numbers. A host in Europe repeatedly scans the U.S. division’s network for UDP servers on dozens of high-number ports. A host sends 25 packets per second for hours to a NetBIOS port on another host, all of which receive ICMP Port Unavailable responses. A broadcast server that consumes a good fraction of a network’s bandwidth operates at 10% efficiency (90% of the bytes are header bytes).

20 Network Threat Management Examples of “Ugly” that have been seen A host at a U.S. college starts scanning networks in the UK and France using SYN-FIN packets, while reporting the results of the scans by a Telnet connection to a host in Slovinia. At 6 p.m. on a Friday before Spring Break at a U.S.college, a host starts scanning networks in Korea at the rate of almost one million per hour. This continues for days, causing one sniffer to fail just because of the high rate of short packets. An interactive Internet game server open for world-wide participation is discovered operating deep within a supposedly secure network. A half-dozen hosts have active SubSeven Trojans operating. A rapid rate of short fragmented packets brings down a top-ten Web site for half a day. Logs reveal the attacker was experimenting with different types of crafted fragmented packets.

21 Network Threat Management Type "A" Probes (detected by Dr. John Copeland – Lancope Founder - in Dec. 1999) The first three UDP probes, which started my investigation, had a single character in the data field, an 'A'. The UDP port numbers were identical, 31790->31789. They stimulate the 1500-byte ICMP Echo-Request packet and the normal 58-byte ICMP Destination_Unreachable-Port Packets. The Echo-Request is never answered. Date Time EST Source IP (Place) Destination (Place) 1999-12-28 18:40 151.21.82.251 (Italy) to 24.88.48.47 (Atlanta, GA) 1999-12-10 18:28 152.169.145.206 ( AOL ) to 24.88.48.47 (Atlanta, GA) 1999-12-16 03:34 212.24.231.131 (Saudi Arabia) to 24.88.48.47 (Atlanta, GA) UDP packets with an empty data field, like those generated by the "nmap" scan program, do not stimulate the 1500-byte ICMP packets from an OS-9 Macintosh. 21 Detection of the “Mac Attack” DDoS Plan

22 Network Threat Management "Double-zero" Probes (James Bond, "00" -> "license to kill"), detected in Dec. 1999. We have now seen 3 UDP type "00" probes, and had another "00" probe reported from Kansas. These probes use a single UDP packet, two bytes of data (ascii zeroes) and identical UDP port numbers, 60000->2140. They stimulate the 1500-byte ICMP Echo-Request packet and the normal 58-byte ICMP Destination_Unreachable-Port Packets. The Echo-Request is never answered. 1999-12-20 07:04 195.229.024.212 (Arab Emirates*) to 24.88.48.47 (Atlanta, GA) 1999-12-21 08:04 195.229.024.213 (Arab Emirates*) to 24.88.48.47 (Atlanta, GA) *DNS name: cwa129.emirates.net.ae 1999-12-25 09:39 212.174.198.29 (Turkey) to 24.94.xxx.xxx (Wichita, Kansas) *DNS: none 1999-12-31 05:35 195.99.56.179 (Manchester, UK*) to 14.88.xx.xx (Atlanta, GA) *DNS name: manchester_nas11.ida.bt.net 2000-01-04 05:08 24.94.80.152 (Road Runner, Hawaii) to 24.94.xxx.xxx (Wichita, Kansas) *DNS name: a24b94n80client152.hawaii.rr.com 2000-01-06 04:48 195.44.201.41 (cwnet, NJ) to 24.88.xx.xxx (Atlanta, GA) *DNS name: ad11-s16-201-41.cwci.net 22 2nd Generation, “Mac Attack” Scanning

23 Network Threat Management Drawing from Atlanta Journal- Constitution article, Dec. 1999. Full details at www.csc,gatech. edu /macattack/ 2nd Generation, “Mac Attack” Scanning

24 Network Threat Management Web - www. Lancope. com Sales - 678 566-4751

Download ppt "Network Threat Management Lancope, Inc. 3155 Royal Drive, Bldg. 100 Alpharetta, GA 30022 Presentation to the Georgia Research Alliance June 14, 2002 Chairman."

Similar presentations

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
Intrusion Detection Systems By: William Pinkerton and Sean Burnside.

Intrusion Detection Systems By: William Pinkerton and Sean Burnside.
Snort: A Network Intrusion Detection Software Matt Gustafson Becky Smith CS691 Semester Project Spring 2003.

Snort: A Network Intrusion Detection Software Matt Gustafson Becky Smith CS691 Semester Project Spring 2003.
Chapter 10: Data Centre and Network Security Proxies and Gateways * Firewalls * Virtual Private Network (VPN) * Security issues * * * * Objectives:

Chapter 10: Data Centre and Network Security Proxies and Gateways * Firewalls * Virtual Private Network (VPN) * Security issues * * * * Objectives:
1 Ola Flygt Växjö University, Sweden +46 470 70 86 49 Intruders.

1 Ola Flygt Växjö University, Sweden Intruders.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.

Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Sponsored by.

Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Sponsored by.
1 Network Intruders Masquerader: A person who is not authorized to use a computer, but gains access appearing to be someone with authorization (steals.

1 Network Intruders Masquerader: A person who is not authorized to use a computer, but gains access appearing to be someone with authorization (steals.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.
Privacy - not readable Permanent - not alterable (can't edit, delete) Reliable - (changes detectable) But the data must be accessible to persons authorized.

Privacy - not readable Permanent - not alterable (can't edit, delete) Reliable - (changes detectable) But the data must be accessible to persons authorized.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Computer Security and Penetration Testing

Computer Security and Penetration Testing

Similar presentations

Ads by Google