Dragon solution. Zdeněk Pala. ECIE certified engineer ECI certified instructor There is nothing more important than our customers

Transcription

1 There is nothing more important than our customers Dragon solution Zdeněk Pala ECIE certified engineer ECI certified instructor A Division of Siemens Enterprise Communications GmbH & Co KG 2010 Enterasys Networks, Inc. All rights reserved.

2 The Internet and Network Security The wonderful thing about the Internet is that you re connected to everyone else. The terrible thing about the Internet is that you re connected to everyone else. - Vint Cerf 2010 Enterasys Networks, Inc. All rights reserved.

3 Web traffic analysis Zákazník: cca 250 uživatelů (660 síťových zařízení /VoIP, Kamery, tiskárny/) požadavků za 3 dny, zatříděno do kategorií 87% (12 669) Provoz přímo související s činností společnosti: 4% Mravně závadný obsah: 2% Nijak nesouvisející s činností společnosti: 38% 2010 Enterasys Networks, Inc. All rights reserved. 3

4 Time distribution 2010 Enterasys Networks, Inc. All rights reserved. 4

5 Threats 2010 Enterasys Networks, Inc. All rights reserved. 5

6 Causes of Intrusions Intrusions are caused by attackers accessing the systems from the Internet, authorized users of the systems who attempt to gain additional privileges for which they are not authorized, and authorized users who misuse the privileges given them NIST Special Publication on Intrusion Detection Systems 80 % of all data loss is due to internal threats Internal Threats External Threats 2010 Enterasys Networks, Inc. All rights reserved. 6

7 Detection Techniques Pattern Matching: - Look for patterns in the data filed that indicate an attack - Signatures Protocol Analysis: - Look for header values that indicate an attack - Do the headers match the RFC Behavior Based: - Does the current traffic pattern match the normal pattern - Flow Based 2010 Enterasys Networks, Inc. All rights reserved. 7

8 Responding to an Intrusion Assume an attacker has penetrated a network and corrupted some hosts. The ideal response gathers evidence of the attacker s activity, removes the attacker s access to the network, undoes the damage, and reconfigures the network to resist the attacker s penetration technique. NIST Interim Report (IR) 6416 IDS detects, monitors and reports it does not mitigate an attack IPS can prevent an attack from reaching its target but the attacker is not removed from the network DIR can remove or quarantine an attacker after the attack but it does not prevent the Attack from reaching its target 2010 Enterasys Networks, Inc. All rights reserved. 8

9 What is Dynamic Intrusion Response? Dynamic Intrusion Response uses IDS, ASM and Policy enabled switches to remove an attacker from the network or to limit his ability to continue the attack Respond ASM Notify Detect ( IDS ) Attack 2010 Enterasys Networks, Inc. All rights reserved. 9

10 A Complete IPS Solution IPS is used to detect and prevent the attack from reaching its target and DIR is used to remove the attackers ability to mount an additional attack Respond ASM Notify Detect and Prevent ( IPS ) Attack 2010 Enterasys Networks, Inc. All rights reserved. 10

11 There is nothing more important than our customers Dragon Intrusion Defense

12 Dragon 7 Event Detection Technology Anomaly Detection Pattern Matching Protocol Decoding Dragon 7.0 is built upon a multifaceted event detection engine. In addition to Dragon s extensive pattern matching capabilities, there are over 200 analysis functions that give Dragon its technical advantage Dragon s event detection methods include - Signature Based Pattern Matching Dragon looks for known patterns of malicious activity Enterasys has one of the most robust threat signature libraries in the market - Anomaly Detection Dragon looks for suspicious or out of the ordinary events - Protocol Decoding Dragon monitors for protocol anomalies 2010 Enterasys Networks, Inc. All rights reserved. 12

13 Packet Flow Dragon Network Sensor Analysis Stages Signature Detection Application Anomaly Analysis IP Session Analysis Layer 4 (UDP/TCP/ ICMP) Layer 3 Complex Signature analysis Case sensitive/insensitive searching with support for wildcarding of and character types Protocol Decoding Analysis Specific application security event analysis Generic Denial of Service testing Pattern Matching in the IP Headers of IP TCP/UDP/ICMP TCP Analyze and Store header variables TCP Checksum verification TCP options verification and logging TCP flags verification and logging UDP Analyze and Store header variables ICMP ICMP Logging Backdoor Checks Data Collection for out of band processing Stream Reassembly Port Scan and Sweep Detection IP Options Logging IP Protocol Logging Header Verification and Analysis IDS Evasion Checking IP Fragment Reassembly & Event Logging IP Address Checks IP Header Values Retrieved/Checked/Stored Events Events Events Events Events Enterprise Manager System Interface Dragon Network Sensor analyses network traffic at all layers. Dragon first ensures the validity of the network traffic in layers 2, 3 and 4. Dragon reassembles fragmented frames and reconstructs UDP and TCP application streams to counter act detection evasion tools. Dragon further uses advanced techniques such as protocol decoding analysis and complex signature analysis to detect advanced threats. Layer 2 Layer 1 Frame Filtering Basic security checks Frame Capture Events 2010 Enterasys Networks, Inc. All rights reserved. 13

14 Dragon s Threat and Event Detection Coverage Dragon s Signature Detection technology covers a wide and diverse range of threats and events. Dragon supports approximately 7500 signatures. Signature Distribution - Compromises & Backdoors Detect compromised systems and backdoors - Network Misuse Detect network misuse and monitors for compliance. - Web Events Detects Web delivered attacks and vulnerabilities - Client Attacks Detects activities directed to client systems - Adaptive Signatures Detects attacks and events regardless of whether the vulnerability is known or unknown - Advanced Detection Employ advanced detection methodologies such as anomalous data and overflow functions, data ordering analysis and others - VoIP signatures - Worms & Viruses Compromises & Backboors Web Events Adaptive Signatures Network Misuse Client Attacks Advanced Detection 2010 Enterasys Networks, Inc. All rights reserved. 14

15 Day 0 Detection Adaptability Dragon s Threat Detection Engine Adapts to Day 0 threats. This adaptability is derived from the flexibility built into its signature definition language and threat detection engine. Viruses, exploits and vulnerabilities are almost always variations of previously know threats. Dragon s detection engine looks for similarities in multiple generations of the threats allowing a very high probability of the detecting these threats. Threat Red is similar to know threat purple, send alert to EMS 2010 Enterasys Networks, Inc. All rights reserved. 15

16 Intrusion Defense System Dragon Three types of architecture: - Network Intrusion Defense NIDS - Host Intrusion Defense HIDS - Server for corelation and management HIDS NIDS NIDS Internet Interal LAN Switch Firewall Dragon Server HIDS DMZ 2010 Enterasys Networks, Inc. All rights reserved. 16

17 There is nothing more important than our customers Dragon 7 Network Sensor

18 Dragon Network Sensors Dragon Network Sensors can be purchased as software or as network appliances - Multiple hardware options are available that scale in capacity and performance. Performances scales from 10 Mbps to 10 Gbps per sensor. - Dragon customers can choose to purchase Dragon 7.x software directly and deploy it on their own systems. Built in path to Intrusion Prevention Functionality - Every Dragon appliance or software license is upgradeable to Dragon Intrusion Prevention 2010 Enterasys Networks, Inc. All rights reserved. 18

19 Virtual Sensors Virtual Sensor Technology (VST) enables a single Dragon network sensor to operate as multiple individually configurable sensors. This advanced capability provides a more flexible deployment model for internal enterprise deployments. - Multiple Wiring Closets VLANs within Enterprise can be monitored. - Multiple DMZ segments can be guarded simultaneously. - Enterprises can have customized policies per application being monitored. Virtual Sensor analysis is defined by configuring Dragon to associate each virtual sensor with IP Addresses, VLAN Tags, IP Protocol, TCP/UDP port or physical interface. Subnet 1 DMZ Policies Subnet 1 Web Portal Policies Campus Policies VLAN 10 TCP 80 VLAN Enterasys Networks, Inc. All rights reserved. 19

20 Advanced Forensics Dragon provides an unmatched set of forensic analysis tools which enable security personnel to analyze and remediate attacks after they have occurred - Offending Packet Capture Network Sensor captures the packet that tripped the signature and can be configured to collect additional packets and even the entire session. This is critical in understanding why a signature tripped and identifying the true from the false positive. - Session Reconstruction Network Sensor can reconstruct an attackers session and display it for the user. This an absolute requirement in identifying true attacks from false positives. - Session VCR Network Sensor can be configured to collect all session information for services such as HTTP, FTP, and POP and/or certain IPs or networks. This is extremely valuable in collecting forensic information pertaining to known or suspected misuse on the network. - Pre-event Collection Capture packets preceding but related to the packets that triggered the attack. Enables seeing activity that led up to the attack Results can be viewed in the Real Time Console 2010 Enterasys Networks, Inc. All rights reserved. 20

21 Dragon Network Sensor Key Features Open and customizable signatures - Signatures are written in a high-level language and are exposed to the user. This is critical in tuning signatures and in developing signatures unique to the operating environment. DOS Detection - Network Sensor employs multiple methods, including signature and protocol analysis techniques, in identifying known and unknown DOS techniques, including distributed attacks. Backdoor and rogue server detection - Protocol analysis - Session analysis - ICMP traffic profiling. Intrusion Prevention - Event Sniping Terminate sessions via a TCP reset or ICMP unreachable message - Shunning Configure ACLs on third-party firewalls and routers Advanced buffer overflow detection - Recognizes unique patterns sent during an attack. Requires a database of known buffer overflow attacks IDS evasion and DOS countermeasures (protect the IDS from being a victim of DOS) - IP de-fragmentation and TCP/UDP stream reassembly - Protocol decoding HTTP FTP Telnet Etc. - DOS countermeasures techniques for defeating tools such as stick and snot that attempt to DOS an intrusion detection system Enterasys Networks, Inc. All rights reserved. 21

22 There is nothing more important than our customers Dragon 7 Host Sensor

23 Dragon 7 Host Sensor Solutions Host-based intrusion defense via a modular, flexible architecture for today s most common operating system Protects at the host and application level by monitoring the operating system and crucial applications Application Intrusion Prevention module averts attacks on the most commonly targeted applications DNS servers, mail servers, web servers Built-in upgradeability for Web and Host Intrusion Protection technology - Dragon 7.0 introduces Web Server Intrusion Prevention. Every 7.0 HIDS can be upgraded with IIS or Apache IPS modules - Dragon 7.1 introduces full featured kernel level Intrusion Prevention Enterasys Networks, Inc. All rights reserved. 23

24 Dragon 7 Host Sensor Methods Multi-method detection - Log file analysis Analyze any file against a signature policy whether it s the system log, the security log, or a custom built application. - File attribute monitoring Monitor of specific file attributes such as: owner, group, permissions and file size for changes. - File integrity checking (MD5) Monitoring files to determine if there content has been changed via MD5. - Backdoor service monitoring Monitor a system for new TCP and UDP ports, providing critical protection against backdoor unauthorized access through the firewall and/or being a staging point for a distributed denial of service or outright attack. - Registry monitoring Host Sensor will analyze the Windows registry for attributes that should not be accessed and/or modified. This is essential in identifying attacks against often-targeted Microsoft servers. - SysInfo monitoring Monitor of system information: memory usage, CPU usage, disk usage, NIC usage,... - Kernel monitoring IRQ, drivers, modules Enterasys Networks, Inc. All rights reserved. 24

25 Dragon 7 Web Intrusion Prevention Dragon 7.x WIPS is based on dual protective application components, Dragon HIDS and the Web IPS. WIPS is an application level program that protects the web server at the packet level, and is configurable per attack type. - This allows Dragon WIPS to detect Network IDS evasion tactics such as those used by Nikto (formerly Whisker) Dragon WIPS dynamically reloads its configuration when the Web server is brought up, ensuring that the web server is never unprotected. Dragon HIDS monitors the WIPS as well as the Web Server LOGs and server applications (CGI/ASP etc) for threats that may not be stopped by the WIPS. - This ensures fail safe protection Dragon HIDS Kernel Integrity System health Deceptive Services TCP/UDP backdoors Monitors File Content & web logs, SNMP traps for 1900 attack signatures Monitors for File Integrity and, inappropriately changed File Attributes Web Logs CGI/ASP/.Net Apache Microsoft IIS Dragon Web IPS Operating System Windows, Unix or Linux XML/HTML 2010 Enterasys Networks, Inc. All rights reserved. 25

26 There is nothing more important than our customers Prevention / protection 26

27 Dragon Intrusion Defense Dragon not only can detect security threats, but can respond to them Dragon ensures Enterprise security through integrated Active Response functions and by enabling Enterasys Dynamic Intrusion Response Solution Dragon Active Response supports the following network protection mechanisms: - Event Snipping Dragon will dynamically interfere with TCP session between a treat source and its target - Event Shunning Dragon will automatically configure Checkpoint Firewalls and network routers to dynamically filter threat traffic System is attempting to break into system , disrupt the session System is attempting to break into the network, program the firewall to block it 2010 Enterasys Networks, Inc. All rights reserved. 27

28 IPS techniques Dragon allows for preventive actions to be assigned to any event or group of events generated within the system. Initial support for three Prevention Actions, each of which can be enabled or disabled on a per event or threshold basis. Drop Packet action All packets that match a signature or cause an event to be generated will be dropped. Packets can be dropped after a configurable threshold is reached. Session Disruption through transport error messages Disrupts the operation of TCP or UDP protocols involved in the malicious session Dynamic Firewall Policy Rule Used to block all future traffic from a threat source Rules can be persistent or temporary (user configurable 2010 Enterasys Networks, Inc. All rights reserved. 28

29 There is nothing more important than our customers Dragon management

30 Dragon 7 Advanced Management Advanced management framework designed for scalability to meet the needs of Enterprises and Managed Security Service Providers. True Client Server Architecture with role based access control - Per sensor access control Unified Management System - All components of the Dragon System can be managed from one system Enhancement for greater interoperability with Netsight Automated Security Manager in a Dynamic Intrusion Response Solution - Dynamic Dragon Alerts suppression per Source IP or Destination IP when multiple events recorded Support for IPv6 management communication 2010 Enterasys Networks, Inc. All rights reserved. 30

31 Conclusion Dragon Intrusion Defense is a key element in Enterasys Secure Networks Strategy. Dragon is a family of products that provides comprehensive threat detection for LAN, WAN and Wireless Networks while also protecting host and server systems. Dragon technology is adaptive and has the ability to detect Day 0 threats. Dragon uses multiple threat detection techniques to ensure that no threat goes undiscovered. Dragon is managed by a highly scalable and flexible management framework that include role based access control. Dragon enhances the capabilities of existing routers, firewalls and third party security platforms by providing direct analysis of the threat data they gather. Dragon enables network wide threat prevention with built-in intrusion response capabilities Enterasys Networks, Inc. All rights reserved. 31

32 There is nothing more important than our customers Dynamic Intrusion Response

33 Enterasys Dynamic Intrusion Response Enterasys Dynamic Intrusion Response is a comprehensive threat remediation solution that combines the threat detection capabilities of Dragon with the system location and the network device configuration capabilities of Netsight Automated Security Manager. In this solution, Dragon Network and Host Sensors monitor the network and its resources for security threats and network misuse. The Dragon Enterprise Manager System and Netsight Automated Security Manager work in conjunction to automate network responses to threats detected by the Dragon Sensors. This solution automates the location and mitigation of threats thus ensuring the quickest resolution of events 2010 Enterasys Networks, Inc. All rights reserved. 33

34 Automated Security Manager How Does it Work? Quarantine Role - No Access to Business Services - No Access to Other Users Quarantine policy Role centrally configured with NetSight Atlas Policy Manager (Role contains restrictive security policy to limit network resource exposure) Policy distributed to network accessible points and server distribution points Guest - Highly Restricted Web Access - Security Scanning of Client System NetSight Atlas V2 Staff RoamAbout R2 Sales RoamAbout R2 XSR1850 XSR3020 Matrix N7 XSR1805 VPN Matrix E7 Matrix N7 XSR 3250 CORE Matrix N7 Matrix N7 Matrix E7 Matrix N7 X-Pedition ER-16 Dragon IDS RADIUS Server DATA CENTER Engineer EDGE DISTRIBUTION 2010 Enterasys Networks, Inc. All rights reserved. 34

35 Automated Security Manager How Does it Work? Quarantine Role - No Access to Business Services - No Access to Other Users Network intrusion detected with Dragon IDS - Highly Restricted Web Access - Security Scanning of Client System Intrusion event information dynamically sent to NetSight Atlas Automated Security Manager application Guest NetSight Atlas Staff V2 RoamAbout R2 Sales RoamAbout R2 XSR1850 XSR3020 XSR1805 VPN Matrix N7 Matrix E7 Matrix N7 XSR 3250 CORE Matrix N7 Hacker Matrix N7 Dragon IDS Matrix N7 X-Pedition ER-16 RADIUS Server DATA CENTER Matrix E7 Engineer EDGE DISTRIBUTION 2010 Enterasys Networks, Inc. All rights reserved. 35

36 Automated Security Manager How Does it Work? Quarantine Role - No Access to Business Services - No Access to Other Users Intruder location services launched from NetSight Atlas Console upon arrival of event information from Dragon Source of intrusion determined Guest - Highly Restricted Web Access - Security Scanning of Client System NetSight Atlas Staff V2 RoamAbout R2 Sales RoamAbout R2 XSR1850 XSR3020 XSR1805 VPN Matrix N7 Matrix E7 Matrix N7 XSR 3250 CORE Matrix N7 Hacker Matrix N7 Dragon IDS Matrix N7 X-Pedition ER-16 RADIUS Server DATA CENTER Matrix E7 Engineer EDGE DISTRIBUTION 2010 Enterasys Networks, Inc. All rights reserved. 36

37 Automated Security Manager How Does it Work? Quarantine Role - No Access to Business Services - No Access to Other Users User causing security event is quarantined by the dynamic application of the Quarantine Policy Role to the network access port where the user is connected Guest - Highly Restricted Web Access - Security Scanning of Client System NetSight Atlas Staff V2 RoamAbout R2 Sales RoamAbout R2 XSR1850 XSR3020 XSR1805 VPN Matrix N7 Matrix E7 Matrix N7 XSR 3250 CORE Matrix N7 Hacker Matrix N7 Dragon IDS Matrix N7 X-Pedition ER-16 RADIUS Server DATA CENTER Matrix E7 Engineer EDGE DISTRIBUTION 2010 Enterasys Networks, Inc. All rights reserved. 37

38 There is nothing more important than our customers SIEM

39 What is SIEM? Without SIEM SIEM SIEM Administrators Present Prioritize Correlate Store Normalize Firewalls Host systems Routers / switches IDS / IPS Servers & applications 2010 Enterasys Networks, Inc. All rights reserved.

40 Questions? 2010 Enterasys Networks, Inc. All rights reserved. 40

41 There is nothing more important than our customers