
Host and Network Intrusion Prevention: Competitors or Partners?
White Paper, June 2004. McAfee Security Product Solution.

Table of Contents

- Introduction
- The Need for IPS
- Intrusion Prevention Overview
- The Benefit of Overlapping and Integrated Technologies: McAfee Security IPS
- Entercept Host IPS
- IntruShield Network IPS
- Key Selection Considerations
- Conclusion

Introduction

Intrusion Prevention Systems (IPS) are designed to protect information systems from unauthorized access, damage or disruption. Vendors developed IPS to counter the rapidly evolving threats presented by the latest generation of worms and software and network exploits. As the number and frequency of threats has increased, the growing complexity of the network environment has made mitigating those threats harder. Modern networks have evolved to distribute critical information and services to an ever-expanding group of users. The need for access to these services has led to redundant communication links, wireless networks, mobile notebook computers, handheld digital devices and even internet-enabled cellular phones. These new access technologies and links increase the value of the information systems they support, but at the same time provide more paths for attack and compromise. This paper addresses the need for Intrusion Prevention Systems, explores the two most popular IPS architectures and offers guidance on the selection and use of these systems.

The Need for IPS

As hacker attacks and network worms began to appear in the late 1990s, Intrusion Detection Systems (IDS) were developed to identify attacks and report them to corporate security personnel for manual remediation. Traditional Intrusion Detection does nothing to stop an attack; it simply detects hostile traffic and sends alerts. As the level of threats and the size of IDS deployments increased, the time needed to analyze and respond to IDS output became prohibitively large. The evolution of hybrid attacks that use multiple vectors to breach the security infrastructure highlighted the need for the enterprise to defend itself against a constantly shifting threat.

Organizations have suffered catastrophic damage to their business confidentiality, integrity and availability as intrusions have become more virulent. In a matter of minutes, Fortune 500 companies lost millions of dollars of revenue as production lines went dark and order-taking and fulfillment processes came to a halt because of attacks like Sasser, SQL Slammer or Nimda. Traditional firewall and anti-virus solutions, while valuable, cannot address this generation of threats. A solution was needed that proactively protects vital information assets in a timely manner, without waiting for a new signature to be written and distributed.

Intrusion Prevention Overview

For the purposes of this paper, an Intrusion Prevention System is a system that protects the following:

- Confidentiality: the confidentiality of information stored in electronic format on a computer system against unauthorized viewing or copying. Threats include back-door programs, keyboard-logging programs and similar tools designed to give unauthorized personnel access to information.
- Integrity: the integrity of information stored in electronic format on a computer system against unauthorized alteration or modification. Threats include back-door programs, network worms and similar code designed to alter or erase information.
- Availability: the availability of a computing resource, network or system, or of the information stored on it, for use by authorized personnel. Threats include Denial of Service attacks and back-door programs that let non-authorized personnel use resources for non-authorized purposes.

There are currently two basic approaches to achieving these goals:

- Host Intrusion Prevention: a software system that loads directly on the computer system being protected.
- Network Intrusion Prevention: a software or dedicated hardware system that connects directly to a network segment and protects all of the systems attached to the same or downstream network segments.

Both approaches have strengths and weaknesses and are better at protecting against some types of threats than others. Both architectures provide the protection features outlined above to varying degrees. Because network intrusion threats change constantly, deploying a mixture of both technologies provides the greatest level of protection for critical assets.

Host IPS

Host IPS is a software program that resides on individual systems such as servers, workstations or notebooks. Traffic flowing into or out of that system is inspected, and the behavior of the applications and operating system may be examined for indications of an attack. These host-specific programs, or agents, may protect just the operating system or applications running on the host as well (such as web servers). When an attack is detected, the Host IPS software either blocks the attack at the network interface level or issues commands to the application or operating system to stop the behavior initiated by the attack. For example, buffer overflow attacks may be prevented by prohibiting execution of the malicious code inserted into the address space exploited by the attack. Attempts to install back-door programs via applications like Internet Explorer are blocked by intercepting and denying the file write issued by IE.

Benefits of Host IPS

- Software installed directly on the system protects against not just the attack but against the results of an attack, such as blocking a program from writing a file or blocking the escalation of a user's privileges.
- Protects mobile systems from attack when attached outside the protected network. Roaming laptop computers are a primary vector for introducing worms into a protected network, and carrying a Network IPS with the mobile system is not practical.
- Protects against local attacks. Personnel with physical access to a system can launch local attacks by executing programs introduced via CD, floppy disk and the like. These attacks often focus on escalating the user's privileges to root or administrator to facilitate compromise of other systems in the network.
- Provides a last line of defense against attacks that have evaded other security tools. The potential victim system itself is the last defense point available to security personnel to guard against compromise.
- Prevents internal attack or misuse between devices on the same network segment. Network IPS only protects data moving between different segments; attacks launched between systems on the same segment can only be countered with Host IPS.
- Protects against encrypted attacks where the encrypted data stream terminates at the system being protected. Host IPS examines data and/or behavior after the encrypted data has been decrypted on the host.
- Independent of network architecture; allows for protection of systems located on obsolete or unusual network architectures such as Token Ring or FDDI.

Network IPS

Network IPS devices are deployed in-line with the network segment being protected. All data that flows between the protected segment and the rest of the network must pass through the device, where it is inspected for the presence of an attack. Detection mechanisms vary between systems, but the most accurate systems integrate several techniques to achieve high confidence in the detection of attacks and misuse. Accuracy and performance are both crucial: misidentifying legitimate traffic as an attack causes it to be blocked, which is in essence a self-inflicted Denial of Service, and high performance is necessary so that legitimate traffic is not delayed or disrupted as it flows through the device. When an attack is identified, the Network IPS discards or blocks the offending data before it reaches the intended victim.

Benefits of Network IPS

- A single control point for traffic can protect thousands of systems located downstream of the device. This allows an organization to scale its solution quickly and provides the flexibility needed to respond to constant changes in network architecture.
- Easy deployment, as a single sensor can protect hundreds of systems. Deploying a few to a few dozen sensors requires significantly less time and effort than distributing software to hundreds or thousands of systems.

- Provides a broader view of the threat environment, such as scans, probes and attacks against non-system assets. By working at the network level, Network IPS sees more of the threat environment than a host-based product, and a strategic view of the threat environment lets security management adapt proactively to a changing security landscape.
- Protects non-computer network devices. Not all attacks are directed at systems running operating systems supported by host-based IPS; routers, firewalls, VPN concentrators, print servers and the like are all vulnerable to attack and require protection.
- Platform neutral; protects legacy and unusual operating systems and applications. Host IPS agents are not available for every system that might be present in an organization, whereas Network IPS provides a measure of protection for all devices regardless of operating system or application.
- Protects against network DoS and DDoS attacks, bandwidth-oriented attacks, SYN floods and so on. A common form of attack is to flood a network with irrelevant traffic that denies or degrades its use by authorized personnel; working at the network level allows a Network IPS to protect against these attacks.

To summarize, Intrusion Prevention technology is the only proven protection for the sophisticated threats encountered in today's network environments. No organization today would consider running its networks and systems without perimeter and personal firewalls. Intrusion Prevention technology is the logical successor and complement to traditional network and host firewalls, developed to provide the protection that simple firewalls can no longer deliver. Organizations that are serious about security are rapidly adopting this tool to keep up with the frantic pace of change.
The Benefit of Overlapping and Integrated Technologies: McAfee Security IPS

Combining best-of-breed Host and Network IPS technology results in a more comprehensive and robust defensive posture, meaning fewer successful attacks, more efficient use of scarce security resources and lower operating costs than deploying one technology or the other alone. An intrusion or compromise consists of multiple stages: reconnaissance, scanning, gaining access, maintaining access and clearing tracks. Although both Host and Network IPS can prevent each stage, the two technologies are not equally adept at detecting and blocking each one. Integrating the strengths of each architecture provides a solution whose sum is greater than its parts. By deploying complementary, integrated Protection-in-Depth technologies like McAfee Network and Host IPS, organizations can achieve superior protection at a reasonable cost.

[Figure: Integrated IPS Deployment. Labels: Remote Users, Web Server, Switch, Firewall, DMZ (Public), IntruShield Global Manager, Switch, File Server, Engineering Servers, Customer DB (Private). Caption: A single, centralized console displays all alerts, both HIPS and NIPS.]

Entercept Host IPS

McAfee Entercept delivers patented host intrusion prevention for critical servers, desktops, database servers and web servers. It protects critical systems against the constantly evolving threats facing organizations today, detecting and blocking known and unknown attacks. Centrally managed agents reside on each host and actively enforce default or custom policies, preventing malicious activity from compromising the integrity and confidentiality of the systems and the data that resides on them.

Agents

There are three versions of the McAfee Entercept agent:

- Standard Edition for critical servers and desktops
- Database Edition for database servers
- Web Server Edition for web servers

Each agent uses a combination of behavioral rules, signatures and a process firewall to detect and block attacks:

- Behavioral rules evaluate requests to the operating system or applications before the host processes them, protecting systems against unknown or zero-day attacks that target new vulnerabilities for which there is no patch.
- Signatures intercept known hostile content in the data and eliminate dangerous payloads before they are processed by the host.
- The process firewall blocks requests for applications and services into or out of the host, blocks specific attacks at the network level before they are processed by the host, and blocks the IP address of an attacker inside or outside the perimeter.

McAfee Entercept Database and Web Server agents are the only Host Intrusion Prevention solutions with application-specific content interception engines that detect and block malicious activity before it can affect operating systems, applications or data.

Management System

The McAfee Entercept Management System centrally manages up to 5,000 Standard, Database or Web Server agents per management server. It enables enterprises to import and export configurations across multiple management servers and to enforce security configurations and policies across applications, user groups and agents, significantly decreasing the cost of installing and maintaining large deployments. A single set of policies can be deployed across Windows, Solaris and HP-UX platforms, giving consistent, reliable host security for heterogeneous server environments.
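The behavioral-rule and process-firewall mechanisms described above amount to a policy evaluated against each operation a host agent intercepts before the host carries it out. The following Python is an added example written for this page, not Entercept code: the rule set, process names, paths and the event trace are constructed assumptions about what such a policy and an intercepted day's activity might contain. It shows the one property that matters in practice, that rule order decides the outcome, so narrow "allow" exceptions for trusted updaters must sit above the broad blocks.

```python
"""Host IPS behavioural policy engine (added illustration, not Entercept code).

Events are the operations a kernel-level agent would intercept before the
host carries them out; the policy decides whether each one proceeds.
"""
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class HostEvent:
    process: str    # image name of the process making the request
    user: str       # account the process runs as
    operation: str  # file_write | process_create | net_connect
    target: str     # file path, child image, or "ip:port"


@dataclass(frozen=True)
class Rule:
    name: str
    process: str    # glob on the process image
    operation: str
    target: str     # glob on the target
    action: str     # "block" or "allow"


# Constructed policy. Order matters: the first matching rule wins, so the
# narrow "allow" exception for the trusted installer sits above the broad block.
POLICY = [
    # Behavioural rules: a browser has no business writing executables
    Rule("browser-writes-executable", "iexplore.exe", "file_write", "*.exe", "block"),
    Rule("browser-writes-library", "iexplore.exe", "file_write", "*.dll", "block"),
    # Application shielding: a web or database server never spawns a shell
    Rule("webserver-spawns-shell", "w3wp.exe", "process_create", "*\\cmd.exe", "block"),
    Rule("webserver-spawns-shell-iis5", "inetinfo.exe", "process_create", "*\\cmd.exe", "block"),
    Rule("dbserver-spawns-shell", "sqlservr.exe", "process_create", "*\\cmd.exe", "block"),
    # Process firewall: the database server accepts connections, it never initiates them
    Rule("dbserver-outbound", "sqlservr.exe", "net_connect", "*", "block"),
    # System shielding: only the trusted installer may change system binaries
    Rule("trusted-installer", "msiexec.exe", "file_write", "c:\\windows\\system32\\*", "allow"),
    Rule("system32-write", "*", "file_write", "c:\\windows\\system32\\*", "block"),
]


def _glob(value: str, pattern: str) -> bool:
    # Windows names and paths are case-insensitive, so compare lower-cased
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def evaluate(event: HostEvent, policy=POLICY):
    """Return (action, rule_name); events no rule matches are allowed."""
    for rule in policy:
        if (_glob(event.process, rule.process)
                and event.operation == rule.operation
                and _glob(event.target, rule.target)):
            return rule.action, rule.name
    return "allow", None


def enforce(events, policy=POLICY):
    """Run a batch of intercepted events and return the blocked ones."""
    blocked = []
    for ev in events:
        action, rule = evaluate(ev, policy)
        if action == "block":
            blocked.append((ev, rule))
    return blocked


# Constructed event trace: a drive-by download, a web-shell attempt, a
# database server phoning home, a legitimate patch and ordinary user work.
TRACE = [
    HostEvent("iexplore.exe", "alice", "file_write", "C:\\Windows\\System32\\svchost32.exe"),
    HostEvent("w3wp.exe", "IWAM_WEB01", "process_create", "C:\\Windows\\System32\\cmd.exe"),
    HostEvent("sqlservr.exe", "SYSTEM", "net_connect", "198.51.100.7:4444"),
    HostEvent("msiexec.exe", "SYSTEM", "file_write", "C:\\Windows\\System32\\msvcr71.dll"),
    HostEvent("notepad.exe", "alice", "file_write", "C:\\Users\\alice\\notes.txt"),
    HostEvent("winword.exe", "alice", "file_write", "C:\\Windows\\System32\\drivers\\etc\\hosts"),
]

if __name__ == "__main__":
    for ev, rule in enforce(TRACE):
        print(f"BLOCK {ev.process} {ev.operation} {ev.target} ({rule})")
```

Four of the six constructed events are blocked; the installer's write to System32 is allowed only because its exception precedes the generic block, and swapping those two rules would break every patch cycle. That ordering sensitivity is why a real agent ships default policies and lets administrators add exceptions rather than write rules from scratch.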
The Entercept alert management system is integrated with the IntruShield Management server and forwards alerts to IntruShield for centralized correlation of all security incidents detected by Entercept agents. Integrating the two systems improves the productivity of the security staff and provides threat management capability with the lowest investment of critical talent and resources.

Strengths of Entercept Host IPS

- Application shielding: McAfee Entercept Web Server Edition and Database Edition shield specific applications like IIS, Apache and MS SQL. Protection tailored to the specific application provides the most comprehensive protection available.
- Architectural independence: not all network architectures allow easy monitoring of all connections to and from critical systems. McAfee Entercept resides on the critical hosts, so it can analyze threats to that machine regardless of the make-up of the network or the route the attack took.
- Local attacks: Host IPS can block an attacker who has physical access to a server and is trying to perform a privilege escalation or another attack on the machine. A Network IPS would never see this type of attack.
- Not evaded by encrypted attacks: Entercept defends critical systems when attacks are carried inside encrypted protocols that terminate at the host itself, inspecting data and behavior after decryption on the system.
- Protecting mobile machines: Entercept protects mobile users communicating over a network that has no Network IPS sensor or firewall. With the increase in mobile workers and home offices, security cannot be restricted to the physical networks at the main organizational locations.
- Optimized for unique host environments: because Entercept is written for the specific platform and application, it allows for more powerful and granular security policies, enabling unique policy configuration and enforcement for every system.

- Buffer overflow protection: Entercept's generic buffer overflow protection provides detection and blocking of unknown or zero-day attacks.
- Last line of defense: because it resides locally, Entercept is ideal for protecting applications and preventing them from performing actions outside the bounds of their design. System shielding provides a protective envelope of operation that prevents both outside penetration and malicious use of the system, stopping attacks that have bypassed other security tools from executing successfully.

Examples of attacks that only Host IPS can detect and block:

- Local privilege escalation attacks
- Client-side attacks

IntruShield Network IPS

McAfee IntruShield delivers best-of-breed Network Intrusion Prevention for all resources located on a network. It protects network infrastructure and critical systems against the constantly evolving threats facing organizations today, detecting and blocking known and unknown attacks. Centrally managed hardware sensors are deployed in the network and actively enforce default or custom policies, preventing malicious activity from compromising the confidentiality, integrity and availability of the network.

Three models of IntruShield sensor are available:

- I4000: protects the enterprise core, with 2 Gbps throughput with all protection features enabled. The sensor protects two Gigabit network segments.
- I2600: protects the enterprise perimeter, with 600 Mbps throughput with all protection features enabled. Protects three 100BaseT segments or one lightly loaded Gigabit network segment.
- I1200: protects the branch office or small business perimeter, with 100 Mbps throughput and protection for one 100BaseT segment.

IntruShield sensors are designed from the ground up to provide accurate and powerful Network IPS functionality.
The sensor incorporates multiple high-performance processing elements and programmable gate arrays that work in concert to provide accuracy at wire speed, up to 2 Gbps. IntruShield integrates advanced protocol normalization and anomaly detection, multi-field stateful signature inspection and dynamic statistical anomaly detection to achieve a high level of accuracy.

Protocol normalization and anomaly detection

This engine detects potential attacks without the need for a database of signatures. All packets entering the sensor are normalized, or scrubbed, so that the sensor sees the data exactly as the protected system will see it when the packets are reassembled at their destination. This process is key to IntruShield's ability to detect attacks that have been specifically crafted to evade a Network IPS, for example by splitting an attack across overlapping fragments or segments that different reassembly policies interpret differently. After normalization, the protocol is fully decoded and compared against the rules that pertain to that specific protocol. Any deviation from the norm in the construction of the packet is flagged as a protocol anomaly and forwarded to the Detection Correlation engine, where it is combined with the output of the other detection engines before a final attack decision is made.

Signature detection

The signature detection engine within IntruShield provides detailed and accurate detection of attacks flowing through the sensor for which a signature is available. Signatures are written to identify both specific attacks and unknown attacks that target a vulnerability within an operating system or application. IntruShield signatures can examine numerous values within a packet or flow simultaneously. The sensor monitors the validity of each TCP/IP session and tracks its state in a state table; tracking the state of all flows through the sensor is what allows stateful inspection by the signature engine. By tracking connection state, IntruShield can focus only on packets that could compromise a system, those that are part of a valid connection, which minimizes the potential for falsely detecting an attack. Correlating the signature engine with the protocol anomaly engine adds further accuracy by ensuring that a value matching a signature element is contained within the proper protocol and in the appropriate part of the flow as defined by that protocol.
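The two requirements just described, reassembling the stream the way the destination will and applying a signature only inside the protocol it targets, are easiest to see in code. The following Python is an added example written for this page, not IntruShield code. It reassembles two constructed overlapping TCP segments under two different overlap policies (whether the earlier- or later-arriving bytes win, the policy that differs between operating systems), then applies a constructed HTTP signature only after the stream has been decoded as HTTP; the chat message at the end anticipates the Instant Messaging case discussed in the next paragraph.

```python
"""Target-based TCP reassembly and protocol-aware signature matching.

Added illustration for this page; not IntruShield code.  The segments,
signatures and the "first"/"last" overlap policies are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int     # offset of the first byte relative to the stream start
    data: bytes


def reassemble(segments, policy="first"):
    """Rebuild a byte stream from segments that may overlap.

    policy "first": bytes from the earlier-arriving segment are kept.
    policy "last":  bytes from the later-arriving segment overwrite them.
    Operating systems differ in which they favour.  A sensor that does not
    mirror the destination's policy inspects a different stream than the
    one the host will actually process.
    """
    stream = {}
    for seg in segments:                        # arrival order
        for i, byte in enumerate(seg.data):
            off = seg.seq + i
            if policy == "last" or off not in stream:
                stream[off] = byte
    out = bytearray()
    off = 0
    while off in stream:                        # stop at the first hole
        out.append(stream[off])
        off += 1
    return bytes(out)


# Each signature carries the protocol it can actually exploit.
SIGNATURES = [
    ("http-dir-traversal", "http", re.compile(rb"\.\./\.\./")),
    ("http-phf-cgi", "http", re.compile(rb"/cgi-bin/phf\?")),
]
HTTP_REQUEST_LINE = re.compile(rb"^(?:GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n")


def decode_protocol(stream):
    """Identify the protocol from content, not from the port number."""
    return "http" if HTTP_REQUEST_LINE.match(stream) else "unknown"


def naive_match(stream):
    """String match with no context: fires on attack text anywhere."""
    return [name for name, _proto, pat in SIGNATURES if pat.search(stream)]


def contextual_match(stream):
    """Apply a signature only inside the protocol field it targets."""
    proto = decode_protocol(stream)
    hits = []
    if proto == "http":
        request_line = stream.split(b"\r\n", 1)[0]   # the URI lives here
        for name, sig_proto, pat in SIGNATURES:
            if sig_proto == proto and pat.search(request_line):
                hits.append(name)
    return hits


def inspect(segments, policy):
    return contextual_match(reassemble(segments, policy))


# Constructed evasion: an innocent request arrives first, then a segment
# that overlaps it from byte 4 onward carrying the traversal.
EVASION = [
    Segment(0, b"GET /index.html HTTP/1.0\r\n\r\n"),
    Segment(4, b"/../../../../etc/passwd HTTP/1.0\r\n\r\n"),
]

# Constructed chat message quoting the same attack string; not an HTTP flow.
IM_CHAT = [Segment(0, b"MSG alice bob :the sig is GET /../../../../etc/passwd HTTP/1.0\r\n")]

if __name__ == "__main__":
    print("sensor keeps first bytes:", inspect(EVASION, "first"))
    print("host keeps last bytes:   ", inspect(EVASION, "last"))
    print("naive on chat:", naive_match(reassemble(IM_CHAT)))
    print("contextual on chat:", contextual_match(reassemble(IM_CHAT)))
```

A sensor that keeps first-arriving bytes sees a request for /index.html and stays silent while a host that keeps the later bytes executes the traversal, which is the evasion; the fix is to reassemble with the destination's policy, not the sensor's default. The chat message shows the opposite failure: naive matching alarms on text that can never reach an HTTP parser, and protocol decoding before matching removes the false positive.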

For example, suppose two security analysts are discussing a particular attack via Instant Messaging within the network and include a portion of an HTTP attack in their conversation. Most competing IPS devices would generate an alarm on the HTTP attack code. IntruShield recognizes that although there is attack data within the Instant Messaging packets flowing through the sensor, it is not a valid attack, because an HTTP attack cannot compromise an Instant Messaging process. This degree of accuracy requires a complete understanding not only of the data that comprises the attack but also of the context within which the data is detected. IntruShield is the only system on the market that performs such advanced correlation, and these processes are the key to its accuracy. Competitive systems are based on general-purpose computer platforms, or on layer-two traffic switches that have been adapted to perform simple string matches of signature patterns against packet data.

Statistical anomaly detection

The statistical anomaly detection engine within IntruShield detects and protects against Denial of Service and Distributed Denial of Service attacks. This engine monitors and records information on all traffic passing into and out of a protected segment. A dynamic profile incorporating over 100 different values is built and maintained for each segment. The system tracks values such as the number and types of packets passing between addresses on one side of the sensor and the other, the most common addresses and address ranges in the traffic flow and the percentage of different types of traffic. This profile forms a baseline for the typical activity seen on a segment, and DoS and DDoS attacks are detected as rapid variations in activity outside that baseline. When an attack is detected, the system determines which packets belong to the attack and which belong to legitimate traffic: attack packets are dropped, while legitimate packets are passed to their destination. In contrast, competing systems typically require the operator to set a value manually, based merely on the number of packets per second that should be allowed onto the segment; if that value is exceeded, their systems drop packets indiscriminately, with no ability to tell attack traffic from legitimate traffic.

SSL inspection

With version 2.1 of the product, IntruShield provides protection against SSL-encrypted attacks for critical e-commerce infrastructure. The I4000 and I2600 sensors decrypt incoming SSL packets and provide full inspection and protection of the traffic contained within the encrypted flow. This is achieved by securely caching a copy of the SSL server's private key on the sensor. Two consequences follow for the practitioner: the sensor becomes a custodian of the server's private key and must be protected and audited accordingly, and passive decryption with a copied server key only works for cipher suites whose session key is derived through the RSA key exchange; suites that use ephemeral Diffie-Hellman cannot be decrypted this way.

IntruShield Manager

The McAfee IntruShield Management System centrally manages all IntruShield sensors installed in an enterprise. It enables enterprises to import and export configurations across multiple sensors, significantly decreasing the cost of installing and maintaining large deployments. The system provides centralized alert monitoring and an enterprise-wide view of all events from both the IntruShield sensors and the Entercept agents deployed throughout the network. Forensic analysis and reporting capabilities enable in-depth analysis and reporting of the organization's global security posture.
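The baseline-then-deviate logic of the statistical engine, and the difference between it and a fixed packets-per-second cap, can be shown with a small simulation. The following Python is an added example written for this page, not IntruShield code: the traffic profile, the SYN flood and the rule for telling flood SYNs from legitimate ones (a source that never completed a handshake during the baseline period) are constructed simplifications; a real engine profiles many more values than one SYN rate.

```python
"""Baseline-driven SYN-flood detection with selective drop.

Added illustration for this page; not IntruShield code.  The traffic,
the baseline profile and the "known good source" heuristic are
constructed simplifications of what a statistical engine does.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Packet:
    src: str
    flag: str   # "SYN" (new connection), "ACK" (handshake completed), "DATA"


def build_profile(training_intervals):
    """Learn what normal looks like from a run of clean intervals."""
    syn_counts = [sum(p.flag == "SYN" for p in iv) for iv in training_intervals]
    mu, sigma = mean(syn_counts), pstdev(syn_counts)
    # Three standard deviations above the mean, with a floor so that a very
    # quiet baseline does not turn into a hair trigger.
    threshold = mu + max(3 * sigma, 0.25 * mu)
    # Sources that completed a handshake in the baseline period are real clients
    completed = {p.src for iv in training_intervals for p in iv if p.flag == "ACK"}
    return {"syn_threshold": threshold, "known_good": completed}


def is_attack(profile, interval):
    return sum(p.flag == "SYN" for p in interval) > profile["syn_threshold"]


def anomaly_filter(profile, interval):
    """Drop only the packets that belong to the flood.

    Returns (passed, dropped).  Outside an attack nothing is dropped.  During
    one, SYNs from sources with no completed-handshake history are treated as
    flood traffic; established traffic and known clients are passed.
    """
    if not is_attack(profile, interval):
        return list(interval), []
    passed, dropped = [], []
    for p in interval:
        if p.flag != "SYN" or p.src in profile["known_good"]:
            passed.append(p)
        else:
            dropped.append(p)
    return passed, dropped


def rate_limit_filter(interval, max_packets):
    """The crude alternative: a fixed packet cap per interval that drops
    everything past it regardless of who sent it."""
    return list(interval[:max_packets]), list(interval[max_packets:])


def legit_lost(dropped):
    """Count dropped packets from the constructed legitimate client range."""
    return sum(1 for p in dropped if p.src.startswith("10.1.0."))


# Constructed traffic: 21 internal clients, 19 to 21 new connections per interval.
CLIENTS = [f"10.1.0.{i}" for i in range(21)]


def _training_interval(j):
    n = 20 + (j % 3) - 1
    pkts = []
    for c in CLIENTS[:n]:
        pkts += [Packet(c, "SYN"), Packet(c, "ACK"), Packet(c, "DATA")]
    return pkts


TRAINING = [_training_interval(j) for j in range(10)]

# Attack interval: 20 legitimate SYNs interleaved with 500 spoofed ones
# from the 198.18.0.0/15 benchmarking range.
ATTACK = []
for i in range(520):
    if i % 26 == 0:
        ATTACK.append(Packet(CLIENTS[i // 26], "SYN"))
    else:
        ATTACK.append(Packet(f"198.18.{i // 256}.{i % 256}", "SYN"))

PROFILE = build_profile(TRAINING)

if __name__ == "__main__":
    passed, dropped = anomaly_filter(PROFILE, ATTACK)
    kept, lost = rate_limit_filter(ATTACK, 50)
    print(f"threshold={PROFILE['syn_threshold']:.1f} attack={is_attack(PROFILE, ATTACK)}")
    print(f"anomaly filter: passed={len(passed)} dropped={len(dropped)} legit lost={legit_lost(dropped)}")
    print(f"rate limiter:   kept={len(kept)} dropped={len(lost)} legit lost={legit_lost(lost)}")
```

With the constructed data the baseline settles just under 25 new connections per interval, the 520-SYN interval is flagged, the profile-driven filter passes all 20 legitimate SYNs and drops the 500 spoofed ones, while a 50-packet cap keeps only the first 50 arrivals and discards 18 of the 20 legitimate connections. The heuristic has an obvious gap, a first-time client arriving during the flood is dropped too, which is why production engines add more profile dimensions or fall back to SYN-cookie style proxying rather than relying on source history alone.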
Strengths of IntruShield Network IPS Accuracy and Performance IntruShield's unique, purpose built hardware appliance and integrated detection technology provides the most accurate Network detection and prevention of known and unknown attacks, whether clear text or encrypted with SSL. Multi-gigabit performance supports the most demanding enterprise network core protection needs. Comprehensive Protection IntruShield protects all assets connected to the protected network segment including network infrastructure components like routers, switches, print servers etc. No Host IPS runs on every version of every operating system, so IntruShield protects environments that are not running Windows, Solaris or HP-UX platforms protected by McAfee Entercept. A single strategically placed IntruShield appliance can protect hundreds of different systems and devices at the same time, minimizing installation and maintenance costs and maximizing staff effectiveness. Virtual Firewall Capability IntruShield provides the full capabilities of a stateful firewall with advanced Access Control capability between physical or virtual segments protected by the sensor. With this capability, IntruShield can act as an interior firewall and prevent attacks from spreading into other parts of the network. For example, a McAfee IntruShield

9 Competitors or Partners 9 product installed at or near the WAN interface could prevent an attack from spreading into other regions. Alternatively, it could detect a buffer overflow for which there is an exploit or vulnerability signature before it reaches the target host, preventing the attack from succeeding. Comprehensive Forensic and Reporting Capabilities The integration of Entercept Host and IntruShield Network alerts provides the ability to correlate and integrate attack events network wide. Sophisticated forensic analysis and reporting capabilities provide a powerful centralized view of the overall security environment. Ease of Management and Deployment An IntruShield network sensor can be deployed in a network in less than one hour. The IntruShield management console provides centralized control of all software and hardware features of the installed network sensors. Numerous security templates are provided to enable the system to be rapidly configured and customized to suit the customers environment. Network Reconnaissance Detection Because of its network-wide view and ability to capture all of the packets off the wire, IntruShield is able to detect network wide reconnaissance activities such as port sweeps and pings. It is ideal for gathering forensic information detailing from where an attack came and what it is targeting. An example of a reconnaissance technique is SNMP Harvesting in which it is possible to obtain an entire user database or even configuration details of a router by probing SNMP MIBs. This kind of reconnaissance activity places distinct traffic on the network, which is detectible by IntruShield. A Host based IPS would not detect this activity. Examples of attacks that only Network IPS can detect and block: ARP Poisoning - Protocol Flooding - Routing Protocol Attacks - Key Selection Considerations Determining where and when to use the appropriate IPS technologies requires an understanding of the strengths and weaknesses of each product. 
Following is a summary of the critical issues to keep in mind, with a brief description of each technology's approach to addressing them.

Threat Effectiveness

Blocking Zero-Day Attacks. Entercept uses behavioral application protection rules to prevent exploits that use unknown vulnerabilities (e.g., WebDAV using an attack vector other than HTTP), whereas IntruShield uses protocol anomaly detection and general vulnerability signatures to prevent novel exploits (e.g., ASN.1 encoding errors in SNMP and Kerberos). IntruShield can recognize worm propagation by detecting changes in network traffic distribution with its statistical analysis capability. Entercept can block worm propagation with its process firewall technology.

Mitigating the Patching Emergency. Both systems provide complementary help in reducing the urgency of patch deployment. IntruShield can safeguard unpatched systems if anomaly-based protection is implemented and deployed for the affected protocol (e.g., MS RPC DCOM buffer overflow). Entercept makes use of its generic buffer overflow exploit prevention to deflect overflow exploits. This protection allows customers to test critical patches and schedule their deployment in a controlled fashion.

Ensuring System Availability. Working in concert, Entercept and IntruShield provide effective remediation of Denial of Service and Distributed Denial of Service attacks. IntruShield's sophisticated Statistical Anomaly Detection capability protects against traffic-oriented attacks, while Entercept's leading-edge buffer overflow and process firewall technology ensures that hosts remain available for service at all times.

Implementation Considerations

Coverage. IntruShield protects computer systems as well as network infrastructure devices such as routers and switches, as long as it is deployed in the path between target and attacker (e.g., Cisco IOS vulnerabilities). Entercept protects servers and desktops against local exploits and malicious operations that do not involve any network access or traffic.

Deployment. Entercept is independent of how an exploit gets to a machine, but needs to be installed on every box in order to protect it. IntruShield only requires a few devices for many servers and desktops, but needs to cover all paths leading to an asset in order to be effective.

Conclusion

To the security administrator or CISO, the prospect of implementing both a Host and a Network IPS is problematic because of one particular rationale: if one solution is so effective, then why do I need to invest in both? Arguably, the overlap between Network and Host IPS is very large. Nevertheless, this is more an argument in theory than in practice. With the exception of a local attack where the hacker has physical access to the target system, all attacks put traffic on the wire, so it is theoretically possible to create a detection capability and block it. In practice, it is another matter. In many instances, a Host IPS is better positioned to evaluate the intent of a particular action, which may appear innocuous on the wire.

A single prevention approach, based upon single or point technologies, will continue to fail against these evolving blended attacks. Defense-in-Depth and Protection-in-Depth are philosophies, and security professionals that follow them build solutions on the premise that any single security measure has limitations and will eventually fail. If the single-technology approach were correct, this argument would have ended long ago when firewalls were originally introduced as a technology. Technology often fails through poor configuration. For example, intrusion detection and intrusion prevention technology can be used to simply provide visibility (detection) into critical systems and the network rather than prevention. A firewall's effectiveness is only as good as its policy. Anti-virus only detects known viruses, and only if it is up to date. The list goes on.

If malicious code writing and hacking stood still, then it might be harder to rationalize redundant security technology. However, this is not the case. We can never predict all of the vulnerabilities that are yet to be discovered, nor can we predict the exploits that invariably will follow. Host and Network Intrusion Prevention Systems are both targeted at the same goal: protecting critical assets from very sophisticated threats. Two different approaches to achieving this goal are more powerful and effective than any single design could possibly be.

McAfee Security, 3965 Freedom Circle, Santa Clara, CA

Network Associates products denote years of experience and commitment to customer satisfaction. The PrimeSupport team of responsive, highly skilled support technicians provides tailored solutions, delivering detailed technical assistance in managing the success of mission-critical projects, all with service levels to meet the needs of every customer organization. McAfee Research, a world leader in information systems and security research, continues to spearhead innovation in the development and refinement of all our technologies.

The trademarks used in the text of this document are registered trademarks or trademarks of Network Associates, Inc. and/or its affiliates in the US and/or other countries. Sniffer brand products are made only by Network Associates, Inc. All other registered and unregistered trademarks in this document are the sole property of their respective owners. Networks Associates Technology, Inc.
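As an added example that is not part of the paper or of McAfee's products, the following toy Python model illustrates the two vantage points compared under Key Selection Considerations: a network-side statistical detector that notices a shift in a host's outbound traffic distribution (the worm-propagation case) and a host-side process-firewall policy that blocks actions a service process never legitimately performs, including ones that put nothing on the wire. Host names, ports, process names and the policy are constructed for the illustration.

```python
"""Toy model of the two complementary IPS vantage points: a network detector
that flags a shift in a host's outbound traffic distribution, and a host
"process firewall" that blocks actions outside a service's normal role.
All flow records, events and policy entries are constructed sample data."""
from collections import Counter
from dataclasses import dataclass
import math
import statistics

# --- Network side: statistical anomaly detection on outbound behaviour ---

# Constructed flow records (src_host, dst_host, dst_port), grouped into
# observation windows that make up the learned "normal" baseline.
BASELINE_WINDOWS = [
    [("web1", "db1", 1433), ("web1", "db1", 1433), ("web1", "dns1", 53),
     ("web1", "ntp1", 123)],
    [("web1", "db1", 1433), ("web1", "dns1", 53), ("web1", "db1", 1433)],
    [("web1", "db1", 1433), ("web1", "dns1", 53), ("web1", "ntp1", 123),
     ("web1", "db1", 1433)],
    [("web1", "db1", 1433), ("web1", "db1", 1433), ("web1", "dns1", 53)],
]

def fanout(flows, host):
    """Distinct destination hosts contacted by `host` within one window."""
    return len({dst for src, dst, _ in flows if src == host})

def port_entropy(flows, host):
    """Shannon entropy (bits) of the destination-port distribution for `host`.
    A worm hammering a single service port drives this toward zero."""
    counts = Counter(port for src, _, port in flows if src == host)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values())

def baseline(windows, host):
    """Mean and stdev of fan-out over the baseline windows. The stdev is
    floored at 1.0 so a perfectly regular host cannot divide by zero or
    alert on a single extra destination."""
    values = [fanout(w, host) for w in windows]
    sd = statistics.stdev(values) if len(values) > 1 else 0.0
    return statistics.mean(values), max(sd, 1.0)

def network_verdict(window, host, mean, sd, z_threshold=3.0):
    """Flag the window when fan-out exceeds baseline by more than
    `z_threshold` standard deviations; report entropy as supporting evidence."""
    z = (fanout(window, host) - mean) / sd
    return {"host": host, "z": round(z, 2),
            "port_entropy": round(port_entropy(window, host), 2),
            "anomalous": z > z_threshold}

# --- Host side: process-firewall rules ---

@dataclass(frozen=True)
class ProcessRule:
    allowed_children: frozenset        # child images the service may spawn
    allowed_outbound_ports: frozenset  # destination ports it may connect to

# Constructed policy: a web server process that only ever talks to the
# database and DNS, and should never launch a child process.
POLICY = {
    "inetinfo.exe": ProcessRule(frozenset(), frozenset({1433, 53})),
}

def host_verdict(event):
    """Return 'allow' or 'block' for a constructed host event: a dict with
    'process' plus either 'spawn' (child image) or 'connect_port'.
    Processes without a rule are not constrained."""
    rule = POLICY.get(event["process"])
    if rule is None:
        return "allow"
    if "spawn" in event and event["spawn"] not in rule.allowed_children:
        return "block"
    if "connect_port" in event and event["connect_port"] not in rule.allowed_outbound_ports:
        return "block"
    return "allow"

def run_scenarios():
    """Exercise both vantage points on constructed scenarios and return the
    verdicts so each can be checked."""
    mean, sd = baseline(BASELINE_WINDOWS, "web1")
    # Normal window: the same three services as always.
    normal = [("web1", "db1", 1433), ("web1", "dns1", 53), ("web1", "ntp1", 123)]
    # Propagation window: the host suddenly reaches 20 neighbours on one port.
    spreading = [("web1", f"ws{i}", 135) for i in range(20)]
    host_events = [
        {"process": "inetinfo.exe", "spawn": "cmd.exe"},      # shell from web server
        {"process": "inetinfo.exe", "connect_port": 1433},    # normal DB call
        {"process": "inetinfo.exe", "connect_port": 135},     # propagation attempt
        {"process": "explorer.exe", "spawn": "notepad.exe"},  # unconstrained process
    ]
    return {
        "normal": network_verdict(normal, "web1", mean, sd),
        "spreading": network_verdict(spreading, "web1", mean, sd),
        "host": [host_verdict(e) for e in host_events],
    }

if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```

The first host event (a web server spawning a shell) involves no network traffic at all, which is the case the paper says only the host side can cover; the propagation window is the case the network side catches regardless of which host process generates it.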


More information

Endpoint Based Policy Management: The Road Ahead

Endpoint Based Policy Management: The Road Ahead Endpoint Based Policy Management: The Road Ahead Introduction In a rapidly growing and crowded security solutions market, organizations need to deploy the most effective technologies taking into consideration

More information

Why a Network-based Security Solution is Better than Using Point Solutions Architectures

Why a Network-based Security Solution is Better than Using Point Solutions Architectures Why a Network-based Security Solution is Better than Using Point Solutions Architectures In This Paper Many threats today rely on newly discovered vulnerabilities or exploits CPE-based solutions alone

More information

CMPT 471 Networking II

CMPT 471 Networking II CMPT 471 Networking II Firewalls Janice Regan, 2006-2013 1 Security When is a computer secure When the data and software on the computer are available on demand only to those people who should have access

More information

Cisco Advanced Malware Protection for Endpoints

Cisco Advanced Malware Protection for Endpoints Data Sheet Cisco Advanced Malware Protection for Endpoints Product Overview With today s sophisticated malware, you have to protect endpoints before, during, and after attacks. Cisco Advanced Malware Protection

More information

HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT

HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT The frequency and sophistication of Distributed Denial of Service attacks (DDoS) on the Internet are rapidly increasing. Most of the earliest

More information

Högskolan i Halmstad Sektionen för Informationsvetenskap, Data- Och Elektroteknik (IDÉ) Ola Lundh. Name (in block letters) :

Högskolan i Halmstad Sektionen för Informationsvetenskap, Data- Och Elektroteknik (IDÉ) Ola Lundh. Name (in block letters) : Högskolan i Halmstad Sektionen för Informationsvetenskap, Data- Och Elektroteknik (IDÉ) Ola Lundh Written Exam in Network Security ANSWERS May 28, 2009. Allowed aid: Writing material. Name (in block letters)

More information

Cisco Cyber Threat Defense Solution: Delivering Visibility into Stealthy, Advanced Network Threats

Cisco Cyber Threat Defense Solution: Delivering Visibility into Stealthy, Advanced Network Threats Solution Overview Cisco Cyber Threat Defense Solution: Delivering Visibility into Stealthy, Advanced Network Threats What You Will Learn The network security threat landscape is ever-evolving. But always

More information

defending against advanced persistent threats: strategies for a new era of attacks agility made possible

defending against advanced persistent threats: strategies for a new era of attacks agility made possible defending against advanced persistent threats: strategies for a new era of attacks agility made possible security threats as we know them are changing The traditional dangers IT security teams have been

More information

642 552 Securing Cisco Network Devices (SND)

642 552 Securing Cisco Network Devices (SND) 642 552 Securing Cisco Network Devices (SND) Course Number: 642 552 Length: 1 Day(s) Course Overview This course is part of the training for the Cisco Certified Security Professional, Cisco Firewall Specialist,

More information

Enterprise A Closer Look at Wireless Intrusion Detection:

Enterprise A Closer Look at Wireless Intrusion Detection: White Paper Enterprise A Closer Look at Wireless Intrusion Detection: How to Benefit from a Hybrid Deployment Model Josh Wright Senior Security Researcher Introduction As wireless enterprise networks become

More information