 
  
Advanced Enterprise IDS Deployment and Tuning

The Challenge: Security in Modern Networks
(Charts: "The Potential Impact to the Bottom Line Is Significant"; "The Number of Security Incidents Continues to Rise Exponentially"; "The Complexity and Sophistication of Attacks and Vulnerabilities Continues to Rise")

Mitigating the Risk: Defense in Depth
- Comprehensive security policy
- Pervasive security, end to end
- Security in layers
- Multiple technologies, working together

Defense in Depth: The Role of Intrusion Detection
- Complementary technology to firewalls
- Been around for more than a decade; started coming into prominence in the late '90s
- Performs deep packet inspection, gaining visibility into detail often missed by firewalls
(Diagram: Internet)

Advanced Enterprise IDS Deployment: Agenda
- Intrusion Protection Systems
- Network Sensors
- Host Agents
- Management Consoles
- Case Studies

Intrusion Protection Systems

Intrusion Protection Agenda
- Terminology and technologies
- Complete architecture: sensors, agents, management consoles
- Placement strategies: where to place your sensors, what traffic to watch, how to get traffic to them
- Organization-level concerns: responding to intrusions, ownership and organization, outsourcing

IDS Terminology: False Positives
- A false alarm occurs when an IDS reports an attack even though no attack is underway
- Benign activity that the system mistakenly reports as malicious
- Typically due to improper tuning
- Can easily overwhelm alarm consoles, creating an enormous amount of background noise
- Can result in mistrust of the IDS by security personnel

IDS Terminology: False Negatives
- A false negative occurs when an IDS fails to report an ongoing attack
- Malicious activity that the system does not detect or report
- Tends to be worse than a false positive, because the purpose of an IDS is to detect such events
- Can be due to a variety of causes:
  - IDS evasion efforts by an attacker
  - An out-of-date signature knowledge base (misuse detection systems)
  - A minor state transition that is below a detectable threshold (anomaly-based systems)

IDS Terminology: Signatures and Anomalies
- Signatures explicitly define what activity should be considered malicious:
  - Simple pattern matching
  - Stateful pattern matching
  - Protocol decode-based analysis
  - Heuristic-based analysis
- Anomaly detection involves defining "normal" activity and looking for deviations from this baseline

IDS Architecture: Sensors, Agents, and Management
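Added example, not part of the presentation: a toy signature engine in Python that shows where the false negatives described above come from, and what separates the signature types just listed. One traversal signature is tried three ways: simple pattern matching on each packet, per-packet matching after protocol decoding, and stateful matching after TCP stream reassembly plus decoding. The signature targets the IIS UNICODE directory traversal the deck mentions later (%c0%af is an overlong UTF-8 encoding of "/"); the request strings, sequence numbers and segment cuts are constructed for the example.

```python
"""Toy NIDS signature engine (added example, not from the presentation).

Shows why "simple pattern matching" produces false negatives against trivial
evasion, and what "protocol decode" and "stateful" (stream reassembly) add.
All request strings, sequence numbers and segment cuts below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List
from urllib.parse import unquote_to_bytes


@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes  # application data carried by this segment


# Signature: a ".." path component followed by a separator, the primitive
# behind the IIS UNICODE directory traversal (e.g. /scripts/..%c0%af../).
TRAVERSAL = re.compile(rb"\.\.[/\\]")


def decode_lenient_utf8(data: bytes) -> bytes:
    """Collapse two-byte UTF-8 sequences to one byte, *including* overlong
    forms such as C0 AF ('/'), which strict decoders reject but old IIS accepted."""
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            out.append(cp if cp < 0x80 else ord("?"))  # non-ASCII is irrelevant here
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)


def normalize_http(data: bytes) -> bytes:
    """Protocol decode step: undo URL encoding, then undo (overlong) UTF-8."""
    return decode_lenient_utf8(unquote_to_bytes(data))


def reassemble(segments: Iterable[Segment]) -> bytes:
    """Rebuild the byte stream from out-of-order, overlapping or retransmitted
    segments. Stops at a gap rather than guessing the missing bytes."""
    stream, expected = bytearray(), None
    for seg in sorted(segments, key=lambda s: s.seq):
        if expected is None:
            expected = seg.seq
        if seg.seq > expected:
            break
        overlap = expected - seg.seq          # bytes we have already seen
        if overlap < len(seg.payload):
            stream += seg.payload[overlap:]
            expected = seg.seq + len(seg.payload)
    return bytes(stream)


def match_per_packet(segments: Iterable[Segment], decode: bool = False) -> bool:
    """Stateless matching: each segment is inspected on its own."""
    for seg in segments:
        data = normalize_http(seg.payload) if decode else seg.payload
        if TRAVERSAL.search(data):
            return True
    return False


def match_stream(segments: Iterable[Segment]) -> bool:
    """Stateful matching: reassemble the stream, decode it, then match."""
    return TRAVERSAL.search(normalize_http(reassemble(segments))) is not None


def split_request(request: bytes, cuts: List[int], seq0: int = 1000) -> List[Segment]:
    """Cut one request into segments at the given byte offsets (constructed data)."""
    segs, prev = [], 0
    for cut in list(cuts) + [len(request)]:
        segs.append(Segment(seq0 + prev, request[prev:cut]))
        prev = cut
    return segs


# Constructed traffic: every traversal step is UNICODE-encoded, the escape
# sequences are cut in half across segments, segments arrive out of order and
# the first one is retransmitted. A benign request contains ".." harmlessly.
ATTACK = b"GET /scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"
BENIGN = b"GET /search?q=..%20more%20results HTTP/1.0\r\n\r\n"
_parts = split_request(ATTACK, [18, 26])
attack_segments = [_parts[1], _parts[2], _parts[0], _parts[0]]
benign_segments = split_request(BENIGN, [12])

if __name__ == "__main__":
    print("per-packet, raw      :", match_per_packet(attack_segments))        # False (missed)
    print("per-packet, decoded  :", match_per_packet(attack_segments, True))  # False (missed)
    print("reassembled + decoded:", match_stream(attack_segments))            # True
    print("benign request       :", match_stream(benign_segments))            # False
```

The raw matcher misses because the wire bytes never contain "../"; the per-packet decoder misses because the escape sequence is split across two segments, so neither half decodes to a slash; only the reassembled and decoded stream matches. Note that the reassembler stops at a gap instead of guessing, which is why a sensor that drops packets (an oversubscribed SPAN port, for instance) also produces false negatives.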
(Diagram: agents, sensors and the management console on a production network and a separate management network)

IDS Components
- Network-based sensors
  - Specialized software and/or hardware used to collect and analyze network traffic
  - Appliances, modules, or embedded in network infrastructure
- Host-based agents
  - Server-specific agent
  - Provides both packet- and system-level monitoring, and active response
- Security management and monitoring
  - Performs configuration and deployment services
  - Alert collection and aggregation for monitoring

Network-Based IDS: The Sensor
(Diagram: the data flow on the monitored segment is captured by a passive interface with no IP address; a separate network link with an IP address connects the sensor to the management console)

Network-Based IDS: The In-line Sensor
(Diagram: the data flow passes through the sensor's passive interfaces, which have no IP address; a separate network link with an IP address connects the sensor to the management console)

Network-Based IDS: Functions and Capabilities
- Monitors all traffic on a given segment
- Compares traffic against well-known attack patterns (signatures); also looks for heuristic attack patterns (e.g. multi-host scans, DoS)
- Includes fragmentation and stream reassembly logic for de-obfuscation of attacks
- Primarily an alarming and visibility tool, but also allows active response: IP session logging, TCP reset, shunning (blocking)

Host Agents: Functions and Capabilities
- Distributed agent residing on each server to be protected
- Intimately tied to the underlying operating system
- Can allow very detailed analysis
- Can allow some degree of intrusion protection
- Allows analysis of data that is encrypted for transport
- Monitors kernel-level application behavior, to mitigate attacks such as buffer overflows and privilege escalation

Some General Pros and Cons
- Host-based
  - Pros: can verify success or failure of an attack; generally not impacted by bandwidth or encryption; understands host context and may be able to stop the attack
  - Cons: impacts host resources; operating-system dependent; scalability (requires one agent per host)
- Network-based
  - Pros: protects all hosts on the monitored network; no host impact; can detect network probes and denial-of-service attacks
  - Cons: switched environments pose challenges; monitoring >100 Mbps is currently challenging; generally can't proactively stop attacks
- The two should be viewed as complementary!

Placement Strategies
- Monitoring critical traffic:
  - Deploy network sensors at security policy enforcement points throughout the network
  - Deploy host sensors on business-critical servers
- Beware of sensor overload: sensors must be able to handle peak traffic loads, otherwise they will suffer packet drop/loss and possibly miss attacks

Deploying IDS Solutions: Overview
- Often, IDS cannot be implemented "everywhere" due to cost restrictions
- Where do you need to detect an intrusion as soon as it occurs?
  - Where an incident would be most expensive (most valuable data)
  - At the entry to a sensitive domain (to detect the first successful step of the attacker)
  - At other locations, where attempts need to be analyzed
- Look at the risks again: make sure you prioritized based on the value of a resource and the exposure involved

Network IDS Primary Functions
- Identify malicious activity
- Identify network anomalies
- Network traffic enforcement
- First alert: day zero
- First packet response
- TCP traffic normalization

NIDS Deployment Considerations
- General location selection issues:
  - Purpose of deployment defines location
  - Inside, outside, or DMZ
  - Internal vs. perimeter
  - Response actions vs. passive monitoring
  - Trusted vs. non-trusted zones (chokepoints)
  - Security operations vs. network operations

NIDS Deployment Considerations (cont.)
- Specific location selection issues:
  - Location requirements define the platform
  - Sensor performance: large network pipes can result in data overflow, so proper platform selection is crucial
  - Load balancing issues (sweep and flood fidelity: a scan or flood split across several sensors may stay below each sensor's threshold)
  - Data reduction possibilities
  - Highly available or asymmetrically routed networks

NIDS Deployment Considerations (cont.)
- Specific location selection issues:
  - Encrypted traffic: SSL or IPSec
  - IDS monitoring sources: network taps, SPAN (and RSPAN), VACL capture, aggregation switch, inline

IDS Sensor Monitoring Considerations
- NIDS sensors should monitor the segments where you most need to detect attacks:
  - Monitor the most sensitive internal segments (management network)
  - Monitor the most sensitive internal servers
  - Monitor network entry points: Internet firewall, business partner entry, VPN/dial-up entry
  - Switched network edge (biggest performance issue)
  - Monitor exposed hosts most likely to be compromised: if they are likely to be used as a jump-off point, or if your reputation depends on them

Monitoring Sensitive Internal Servers or Segments with NIDS
- Performance considerations:
  - Select the correct sensor platform
  - Use a dedicated sensor per network/VLAN (if required)
  - Move the sensor to a different location to see more specifically defined traffic
  - If necessary, only capture a subset of traffic (exclude traffic that can't be inspected: IPSec, SSL, multicast)
  - Use HIDS (not a performance issue)
  - Use load balancing to distribute network flows

IDS Placement and Tuning

Network Sensor Deployment Locations
- Inside (trusted side) network monitoring:
  - Typical initial IDS deployment spot (along with the DMZ)
  - Usually broad monitoring to detect any attacks
  - Sees traffic already filtered by the firewall
  - Detects attacks that penetrate the firewall
  - Detects outgoing attacks (even if blocked by the firewall)
  - Useful to check the configuration of the firewall

Network Sensor Deployment Locations
- Outside (untrusted side) network monitoring:
  - "Broad" monitoring for all types of attacks
  - Also detects attacks which the firewall will block (early warning, trends, new risks, "Internet thermometer")
  - Serious risk of operator overload, as the sensor monitors uncontrolled network space (no man's land)
  - Usually requires special configuration, and possibly special management and monitoring considerations
  - Useful for correlation with inside sensors
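Added example, not part of the presentation: a Python model of the "use load balancing to distribute network flows" advice and of its "sweep and flood fidelity" caveat from the deployment considerations above, together with the requirement (stated for asymmetrically routed networks) that a sensor see all packets of a connection. Three ways of choosing a sensor per packet are compared: a direction-sensitive 5-tuple hash, a symmetric 5-tuple hash, and a hash on the outside endpoint only. The addresses, the 10.0.0.0/8 "inside" range, the four-sensor pool and the traffic mix are all constructed for the example.

```python
"""Flow-aware load balancing in front of several NIDS sensors (added example,
not from the presentation). Demonstrates two points: a sensor must see both
directions of a connection, and splitting traffic by flow spreads a host sweep
thinly over all sensors. All addresses and traffic are constructed; the
10.0.0.0/8 "inside" range and the 4-sensor pool are assumptions."""
import hashlib
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int = 6  # TCP


KeyFn = Callable[[Packet], bytes]
N_SENSORS = 4
ATTACKER = "198.51.100.7"


def naive_key(p: Packet) -> bytes:
    """Direction-sensitive 5-tuple: request and reply may hash to different sensors."""
    return f"{p.proto}|{p.src}:{p.sport}>{p.dst}:{p.dport}".encode()


def symmetric_key(p: Packet) -> bytes:
    """Order the endpoints so A->B and B->A produce the same key."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    lo, hi = (a, b) if a <= b else (b, a)
    return f"{p.proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}".encode()


def external_host_key(inside_net: str) -> KeyFn:
    """Key on the external endpoint only: both directions *and* every probe
    from one outside host land on the same sensor. Inside-to-inside traffic
    falls back to the symmetric 5-tuple."""
    net = ipaddress.ip_network(inside_net)

    def key(p: Packet) -> bytes:
        outside = [h for h in (p.src, p.dst) if ipaddress.ip_address(h) not in net]
        return f"host|{outside[0]}".encode() if len(outside) == 1 else symmetric_key(p)
    return key


def pick_sensor(key: bytes, n_sensors: int = N_SENSORS) -> int:
    """Stable hash -> sensor index (SHA-256 only for a deterministic, even spread)."""
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big") % n_sensors


def distribute(packets, keyfn: KeyFn, n_sensors: int = N_SENSORS) -> Dict[int, List[Packet]]:
    """Assign every packet to a sensor according to keyfn."""
    buckets: Dict[int, List[Packet]] = defaultdict(list)
    for p in packets:
        buckets[pick_sensor(keyfn(p), n_sensors)].append(p)
    return dict(buckets)


def split_connections(packets, keyfn: KeyFn, n_sensors: int = N_SENSORS) -> int:
    """How many connections had their two directions sent to different sensors
    (each such sensor sees a one-sided stream it cannot fully reassemble)."""
    sensors_per_conn = defaultdict(set)
    for p in packets:
        sensors_per_conn[symmetric_key(p)].add(pick_sensor(keyfn(p), n_sensors))
    return sum(1 for s in sensors_per_conn.values() if len(s) > 1)


def sweep_fidelity(packets, keyfn: KeyFn, attacker: str, n_sensors: int = N_SENSORS) -> float:
    """Largest share of the attacker's distinct targets that any one sensor sees;
    a sweep signature with a threshold of N hosts needs this close to 1.0."""
    per_sensor, targets = defaultdict(set), set()
    for p in packets:
        if p.src == attacker:
            targets.add(p.dst)
            per_sensor[pick_sensor(keyfn(p), n_sensors)].add(p.dst)
    return max(len(t) for t in per_sensor.values()) / len(targets)


def build_traffic() -> List[Packet]:
    """Constructed sample: 20 ordinary web connections (both directions) plus one
    outside host sweeping 40 inside addresses on 445/tcp; a few targets answer."""
    pkts = []
    for i in range(20):
        client, server, sport = f"10.0.1.{i + 1}", f"203.0.113.{i % 5 + 1}", 50000 + i
        pkts.append(Packet(client, server, sport, 80))
        pkts.append(Packet(server, client, 80, sport))
    for i in range(1, 41):
        pkts.append(Packet(ATTACKER, f"10.0.2.{i}", 40000 + i, 445))
        if i % 5 == 0:
            pkts.append(Packet(f"10.0.2.{i}", ATTACKER, 445, 40000 + i))
    return pkts


if __name__ == "__main__":
    traffic = build_traffic()
    for name, fn in [("naive 5-tuple", naive_key), ("symmetric 5-tuple", symmetric_key),
                     ("external host", external_host_key("10.0.0.0/8"))]:
        print(f"{name:18s} split connections={split_connections(traffic, fn):2d} "
              f"sweep fidelity={sweep_fidelity(traffic, fn, ATTACKER):.2f}")
```

With the symmetric key no connection is split, but the 40-host sweep is spread over the four sensors, so a sweep signature that fires on, say, 15 distinct targets fires on none of them. Keying on the outside host keeps both directions and the whole sweep on one sensor, at the cost of an uneven load: one busy external server or proxy pulls all of its flows onto a single sensor, which is the oversubscription risk the slides warn about. That trade-off is what "sweep and flood fidelity" refers to.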
Multi-Sourced NIDS Sensors
- Multiple capture interfaces forwarding to the same IDS engine:
  - Monitors multiple segments with similar properties (same IDS policy; simple with service modules)
  - Potential for IDS oversubscription
  - Possible issues with address range overlap

Network Sensor Deployment Locations
- Highly available or asymmetrically routed networks:
  - The IDS must see all packets involved in a connection
  - Usually requires a sensor with multiple interfaces to capture data from all points
  - Data overflow to the IDS is a serious possibility in an active/active network setup

Network Sensor Deployment Locations
- Inline IDS deployments (IPS):
  - The IDS is able to block the offending packet
  - Signature quality must be very accurate, with low false positives, otherwise legitimate network traffic is disrupted
  - Since packets flow through the device, the IDS must have no measurable impact on traffic flow (e.g. loss rate, latency, jitter)
  - Network reliability must follow standard procedures: failover in a highly available network; fail open or fail closed?

Deployment Example: IDS Load Balancing for the Data Center
(Diagram: data center with access and aggregation layers; web tier, application tier and mainframe; NIDS sensors fed by load balancing at the aggregation layer)

Encrypted Traffic and Network IDS
- IPSec: use a network module in the tunnel termination router to inspect the traffic in the clear, before it is encrypted and sent out the interfaces
- SSL: early decryption of SSL sessions at an SSL accelerator, so that the sensor sees the decrypted side
- For crypto tunnels terminated on the host, use HIDS

NIDS Switched Environment Considerations
- In a switched environment, you can monitor:
  - Inside a switch (IDSM) or router (NM-IDS)
  - Using a network tap
  - Using SPAN or VACL capture
  - On the host (HIDS)
- Avoid oversubscribing the device or port: lost packets break stream and composite signatures
  - Smart VACLs (specific protocols)
  - Perhaps monitor only one port via SPAN
  - Understand the limitations of the packet sourcing device
- Reference: IDS_Capture_Techniques[1].ppt

SPAN Overview
- SPAN means Switch Port Analyzer
- SPAN copies ALL packets from source VLANs or ports to a destination port
- Supported across most Cisco switches
- Different switches have different limitations on the use of SPAN, including the number of SPAN destination ports
- Some switches do not allow incoming packets on the SPAN destination port; accepting them is necessary if you wish to use TCP reset, because the sensor sends the RST back out of its sniffing interface

NIDS Switched Environment Considerations
- A VLAN-aware sensor is able to process 802.1Q tagged packets
- Issues when using the SPAN port:
  - If the SPAN destination belongs to a single VLAN, packets enter the SPAN port without the VLAN headers
  - Configure the SPAN destination as a trunking port, if necessary (supporting ALL active VLANs)
  - Which VLAN do you send the RST to?

VACL Capture Overview
- A VLAN ACL, also known as a Security ACL, specifies the traffic to capture
- VACL capture copies the filtered packets from source VLANs to a destination port

Management Interface Security Guidelines
- Perimeter (outside monitoring) placement options:
  - Classic firewall sandwich (in-band)
  - Management interface on separate inside VLANs
  - Management interface on a separate DMZ
  - Management interface on a separate physical network

Intrusion Detection Deployment: What Areas of the Network Are Candidates?
(Diagram: corporate network with Internet connections, business partner access and extranet connections, remote access systems, remote/branch office connectivity, the data center and the management network)

Sensor Placement Rationale
- No real standard; no primer or cookbook that says "place IDS here"
- Varies tremendously from network to network
- IDS is typically found around firewalls; these are usually perceived as transit points from one network to another
- Also found where there are differing trust levels within the network

Typical Order of Deployment
- How far down the deployment path you go often depends on your resources; if resources are tight, always look at where you can get the most "bang for your buck":
  1. Data centers, high-risk, or other "HDV" areas
  2. Directly behind perimeter firewalls
  3. Internet DMZ areas
  4. Remote access and remote offices

Why at Internet Connections?
- Firewalls usually don't protect against data-driven attacks
- Consider a Web server on a DMZ: various web server vulnerabilities have been found over the past few years:
  - Microsoft IIS directory traversal vulnerability (UNICODE)
  - Apache/OpenSSL SSL2 handshake process buffer overflow
  - Microsoft IIS WebDAV buffer overflow
  - Microsoft SQL Slammer worm
- Patches are available, but…
- Can be exploited to deny service or to access the server

Attacking through the Firewall
(Diagram: an attacker on the Internet reaches a vulnerable Web server on the DMZ through the firewall; WWW and Telnet sessions shown)
- Firewall rules:
  - Permit any -> DMZ, port 80
  - Permit DMZ -> inside
  - Permit DMZ -> outside
  - Permit inside -> any
  - Deny any any
- The attack arrives inside a port 80 connection that the firewall permits; once the Web server is compromised, the "permit DMZ -> inside" rule lets the attacker reach the inside network, so only inspection of the permitted traffic catches it

Inside or Outside?
- Somewhat of a "religious" debate
- Depends on the situation and the needs
- Made more effective with good ACLs at the edge router(s)
- Must be tuned properly; otherwise false alarms will significantly reduce the value of the IDS on the outside

Sensor Placement: Inside or Outside?
- Sensors on the outside:
  - See everything, including traffic blocked by the firewall
  - Can't distinguish between what is denied or permitted by the firewall
  - Tools like Stick can generate lots of noise
  - Monitor both DMZ and inside traffic
- Sensors on the inside:
  - See only traffic permitted by the firewall
  - Response is needed
  - A sensor is needed for each internal leg of the firewall
(Diagram: attacker, DMZ, inside)

Next Steps: Getting Traffic to Your Network Sensors
- Traffic must be mirrored (replicated) to the network sensors
- Choices:
  - Shared media (hubs)
  - Network taps
  - Switch-based traffic mirroring (SPAN)
  - Selective mirroring (traffic capture: VACLs)

Using a Network Tap
(Diagram: a tap on the full-duplex link between the firewall and the router splits it into "traffic from firewall" and "traffic from router"; both streams go to an aggregation switch whose SPAN port feeds the sensor)
- The tap splits a full-duplex link into two streams (TX and RX)
- For sensors with only one sniffing interface, the two streams need to be aggregated onto one interface
- Be careful of the aggregate bandwidth of the two tapped streams: don't exceed the SPAN port or sensor capacity

Switch-Based Traffic Capture
- Port mirroring: SPAN functionality and command syntax vary between product lines and switch vendors
  - Some limit the number of SPAN ports
  - Some allow you to monitor multi-VLAN traffic
  - Note that not all sensor vendors can handle multi-VLAN traffic
  - http://www.cisco.com/warp/public/473/41.html
- Rule-based capture: VLAN capture / MLS IP IDS
  - Policy Feature Card (PFC) required on the Catalyst 6500
  - Allows you to monitor multi-VLAN traffic
  - Use "mls ip ids" when using "router" interfaces or when the interface is configured for Cisco IOS FW
  - http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/idsm/idsm_2/13074_03.htm

Switch-Based Traffic Capture Example
- Using SPAN:
  switch>(enable) set span 4/5 6/1 rx crea
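Added example, not part of the presentation: a small Python planner for the tap and SPAN sizing rules above (two streams per full-duplex link, never exceed the SPAN port or sensor capacity, incoming packets required on the destination port for TCP reset) that also emits the CatOS command the last slide starts to show. The CatOS "set span <src> <dest> [rx|tx|both] [inpkts enable|disable] [create]" syntax is written from memory of the CatOS command reference and should be checked against the switch's own documentation; the link speeds and sensor capacity are constructed.

```python
"""Sizing a SPAN or tap feed before pointing it at a sensor, and emitting the
matching CatOS command (added example, not from the presentation). The CatOS
'set span' syntax is written from memory of the CatOS command reference
(set span <src> <dest> [rx|tx|both] [inpkts enable|disable] [create]) and
should be checked against the switch's own documentation; link speeds and
sensor capacity are constructed."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class MirrorSource:
    name: str        # CatOS port "mod/port" (e.g. "4/5") or a VLAN number (e.g. "10")
    speed_mbps: int  # link speed; for a VLAN, your estimate of its aggregate traffic


@dataclass(frozen=True)
class CapturePlan:
    sources: List[MirrorSource]
    direction: str           # "rx", "tx" or "both"
    dest_port: str           # SPAN destination, i.e. the sensor's sniffing port
    dest_speed_mbps: int
    sensor_mbps: int         # what the sensor platform can inspect without dropping
    tcp_reset: bool = False  # sensor must send RSTs back in through the destination port

    def __post_init__(self):
        if self.direction not in ("rx", "tx", "both"):
            raise ValueError(f"direction must be rx, tx or both, not {self.direction!r}")

    def peak_mbps(self) -> int:
        """Worst case offered to the destination port: mirroring both directions of
        a full-duplex link (or tapping it) yields two streams, each at link speed."""
        streams = 2 if self.direction == "both" else 1
        return sum(s.speed_mbps for s in self.sources) * streams

    def oversubscription(self) -> float:
        """Peak divided by the narrowest point on the path (destination port or
        sensor). Above 1.0 the switch or sensor drops packets at peak, and dropped
        packets break stream reassembly and composite signatures."""
        return self.peak_mbps() / min(self.dest_speed_mbps, self.sensor_mbps)

    def catos_command(self) -> str:
        """CatOS 'set span' line for this plan (syntax assumed, see module docstring)."""
        srcs = ",".join(s.name for s in self.sources)
        inpkts = " inpkts enable" if self.tcp_reset else ""
        return f"set span {srcs} {self.dest_port} {self.direction}{inpkts} create"


def review(plan: CapturePlan) -> List[str]:
    """Findings a deployment review would raise for the plan (empty list = OK)."""
    findings = []
    ratio = plan.oversubscription()
    if ratio > 1.0:
        findings.append(f"oversubscribed {ratio:.1f}x at peak ({plan.peak_mbps()} Mbps): "
                        "mirror fewer ports, use rx only, or move to a bigger sensor/destination port")
    if plan.tcp_reset:
        findings.append("TCP reset needs incoming packets on the SPAN destination port "
                        "(inpkts enable); confirm the switch supports it on that port")
    return findings


if __name__ == "__main__":
    # A tapped 100 Mbps firewall link, both streams aggregated onto one 100 Mbps sensor port.
    tap = CapturePlan([MirrorSource("4/5", 100)], "both", "6/1", 100, 100, tcp_reset=True)
    print(tap.catos_command())
    for finding in review(tap):
        print(" -", finding)
```

The tap case in the usage block is the one the "Using a Network Tap" slide warns about: a single 100 Mbps link produces 200 Mbps of mirrored traffic at peak, so a 100 Mbps sensor port is oversubscribed 2x and will drop packets exactly when an attack rides a burst. Mirroring rx only halves the load; so does a faster destination port paired with a sensor platform rated for it.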