Application Security Backgrounder

Transcription

1 Essential Intrusion Prevention System (IPS) & DoS Protection Knowledge for IT Managers October 2006 North America Radware Inc. 575 Corporate Dr., Lobby 1 Mahwah, NJ Tel: (888) International Radware Ltd. 22 Raoul Wallenberg St. Tel Aviv 69710, Israel Tel:

2 According to a recent IDC report 1, over the next decade the explosion of network touch points coupled with a move into the era of invisible computing will result in a challenging array of emerging security threats for IT managers. Rapid changes to the source, form, timing, and volume of these threats contribute to their increasing number and complexity. IT managers are further burdened by the growing administrative complexities of the security solutions they must deploy in order to effectively mitigate enterprise risk. Against this backdrop, Radware has prepared an application security backgrounder that explains the primary concepts and solution capabilities IT managers need to understand when defining iterative security architectures relying on Intrusion Prevention Systems (IPSs) and Denial of Service (DoS) Protection. Security as a Business Enabler Security has often been thought of as requiring a company to trade-off performance for protection with legitimate users having to pay a price for protection against the growing number of application level threats perpetrated today. However, deploying application security solutions based on new, advanced technologies can actually improve business productivity while concurrently blocking attacks and ensuring compliance. Application-Smart Security Today s security solutions need to block both network and application level attacks. Application level attacks are targeted at disabling and damaging application operations. Viruses, intrusions, Trojans, malicious signatures and illicit traffic and protocol patterns including Denial of Service (DoS) and SYN attacks are examples of application-level attacks. Typically these layer 4-7 attacks can be identified by deep packet inspection and not by layer 3-4 parameters since these attacks use malicious actions within legitimate type of traffic. Intrusion Prevention System (IPS) IPSs are in-line devices that inspect application-level content and block a wide variety of attacks that would typically evade traditional firewalls and anti-virus solutions. IPSs feature several blocking techniques such as blocking packets, intercepting and resetting connections to protect against worms, spyware, Denial of Service (DoS) / Distributed Denial of Service (DDoS) and other types of application level attacks. State-of-the-art solutions provide multiple, proactive protection features and can be flexibly deployed to protect against known threats as well as unknown attacks such as zero-day exploits. Zero-day attacks occur when a security vulnerability is exploited on the same day as it has been publicly announced. Signature-based Protection Signatures are used to protect against known exploits and vulnerabilities. Signature-based intrusion prevention solutions examine traffic for specific signature pattern matches. Signaturematching is a resource intensive process which requires high-performance hardware, usually ASICbased, for large traffic volumes. Signatures are typically written by vendors security teams who constantly research the latest vulnerabilities and exploits. The signature sets are continuously updated and the latest versions can be automatically downloaded to the IPS from vendor websites. 1 Source: IDC. Threat Management: Protecting Organizations from Emerging Security Challenges, Chris Christiansen and Gerry Pintal, June Page 2

3 Zero-Day Attack These attacks exploit an unpublicized vulnerability without forewarning. While signatures are ideal for identifying known exploits and vulnerabilities, they are not effective in stopping unknown zeroday attacks for which no signatures exist. Behavior-based protection is best suited to block unknown attacks. Ideally, IPSs should combine both these techniques into a single appliance. Behavior-Based Protection Adaptive behavior-based technologies automatically create accurate signatures on-the-fly to block zero-day attacks, which otherwise might escape traditional signature-based detection because there is not an existing signature for the new attacks. Behavioral IPSs block both unknown zero-day attacks and other sophisticated blended/hybrid attacks which would slip through other defenses. Adaptive behavior based systems create baselines of normal network traffic. If any traffic deviates from the baseline it is characterized as anomalous. If the anomaly is sufficiently severe the traffic is blocked. Advanced behavior-based systems use self-learning and self-adapting techniques to model traffic. Iterative closed-loop processes are used to constantly fine-tune the blocking filters to accurately block only malicious traffic, while letting legitimate traffic through with minimal delay. Encrypted Attack Encrypted SSL-based transactions can contain attack traffic such as worms that can strike servers and other critical infrastructure elements. Most intrusion prevention solutions do not offer SSL attack protection. The best solutions include optional modules that use connection termination and blocking techniques to stop the SSL attacks. SSL traffic is inspected in parallel with regular traffic ensuring no added latency or performance loss and allowing for easy scalability. Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attack DoS and DDoS attacks are assaults that flood a network with enormous amounts of bogus messages and requests. They cause the slow down or complete interruption of legitimate traffic. Unlike a virus or worm, which can cause severe damage to databases, DoS and DDoS attacks interrupt network service. Access to the largest and most well-connected websites can be denied by these types of attacks. In addition to large websites, other targets of DoS/DDoS attacks include root servers, large enterprises, and ISPs who require massive bandwidth attacks to be knocked down. A multi-layer approach is required to effectively mitigate DoS/DDoS attacks. The first layer of protection uses a combination of rate-based and signature-based techniques to block known attacks that are launched from attack tools with identifiable signatures. Unknown zero-day DoS/DDoS attacks can be effectively blocked by behavior-based protection. The next effective layer is bandwidth management, which limits the rate and spread of attacks. Protocol Anomaly Hackers can compromise a target resource by misusing established network layer and applications layer protocols in a session that violates the state transition defined by a specific protocol (e.g., TCP, UDP, ICMP, SMTP, HTTP, DNS, etc). Stateful inspection can prevent such malicious use of protocols. Stateful inspection is a powerful tool designed to deal with a variety of attacks whereby packets exchanged between a client and a server are legitimate, yet the security threat is revealed only when inspecting a sequence of packets within a session and not when inspecting individual packets. Stateful inspection is a standard feature in a good intrusion prevention product that offers multiple layers of security. Page 3

4 Access Control Access control is traditionally a firewall function. IPSs today incorporate some of these functions. These include the ability to block specific hosts, IPs, network segments and application ports. Black and White access lists enable highly granular access control to make it easier for security administrators to temporarily block or unblock specific hosts without making time consuming changes to security policies. Below are a few examples of temporary black/white listing that is beneficial: Blocking all activities arriving from a specific host that is infected by a worm or virus, until the host is disinfected. Allowing network management activity that can be considered a security infraction, such as scanning for an available PC from specific PCs. Allowing uninterrupted network traffic from a certain host due to suspicion of specific false-positives, until clearing the case. Pre-Attack Scan Hacking techniques (such as port scanning and ping sweeps) that scan vulnerable application ports and hosts. This potentially malicious activity reveals information about the hosts and vulnerable applications. Anti-scanning capabilities protect against many types of scans. For example: Vertical scanning (multiple ports on a single host) Horizontal scanning (a single port across multiple hosts) ICMP (ping) sweeps Slow scanning Scanning from many source ports Scanning of multiple destination IPs and ports The anti-scanning measures protect the business network before an attack occurs because a scan usually precedes an actual attack. Bandwidth Management During an attack (even if unsuccessful) an enterprise s bandwidth could get clogged by attack traffic (especially denial of service). In such conditions, legitimate mission-critical applications may not get the bandwidth they need. In such cases, bandwidth management becomes an important feature of an IPS because it limits and isolates attack traffic to ensure that business applications are not affected even when under attack. Flexible, granular bandwidth management policies that enable users to prioritize critical traffic by subnet, application, hosts or session are desirable. Attack Isolation Attack isolation limits the propagation of an attack across users, applications and networks. Attack isolation is particularly important for securing multi-segment networks, limiting the attack while concurrently enabling the availability and continuity of all legitimate traffic. Page 4

5 Spyware Spyware is software that sends information about web surfing habits to its web site. It is often quickly installed on computers in combination with a free download selected from the web, spyware transmits information in the background as a user moves around the web. Also known as "parasite software," "scumware," "junkware", and "thiefware, spyware is also occasionally installed just by visiting a web site. IPSs can block spyware by preventing installation on user computers and preventing infected hosts from disclosing information by detecting and blocking uploads to spyware servers. IPSs include signatures to protect against various, common spyware threats on the internet. They provide protection against spyware infection, hacker communications to the spyware, and spyware communications to remote servers that disclose private user information. Self-Propagating Worms A self-propagating worm, by definition, spreads without human intervention. A self-propagating worm typically uses a random IP address generation technique (i.e. scanning) in order to locate a vulnerable host to infect. When a vulnerable host is identified, the worm immediately executes it code on this host, thereby infecting the computer with the worm s malicious code. At this point, both infected hosts initiate similar scanning techniques and infect other hosts. In this way, the worm propagates exponentially. Advanced behavior-based IPSs detect, characterize, and prevent worm spreading activities without any human intervention. They can pinpoint and protect infected systems, thus providing the system administrator with time to implement reactive measures (i.e., system patching and upgrading) while ensuring business continuity. Behavior-based IPSs enable accurate prevention of worms and other network attacks that plague organizations today. Evasion Techniques Evasion techniques are attempts to hide attacks aimed at harming servers or operating systems. They are used by hackers who are aware of specific types of traffic protection and are attempting to bypass IPSs. Since most security systems recognize attacks by spotting the attack signature in the packet, attacks can be disguised by dividing them into two or more packets, or by sending them through encrypted SSL channels. Good IPSs use a variety of anti-evasion techniques including packet reassembly, signature-based protection, protocol anomaly detection and behavioral analysis to block these attacks. Multi-Layer Defense (firewalls, anti-virus, intrusion prevention systems) Traditional security solutions such as firewalls and anti-viruses are unable to protect against the newest threats. To lower security risk it is important to deploy multiple layers of defense. These include: Firewalls are complementary solutions. Many of these devices are bound by legacy technology and typically operate from layer two to layer three. Traditional firewalls are not application-smart. Page 5

6 The second layer is anti-virus. These are also seen as complementary solutions and not comprehensive, restrictive to the individual host, and usually do not offer protection against unknown threats. The third and critical layer of defense is intrusion prevention systems. IPSs provide a strong, critical layer of defense against unknown zero-day threats. State-of-the-art solutions provide multiple, proactive protection features and can be flexibly deployed Radware, Ltd. All Rights Reserved. Radware and all other Radware product and service names are registered trademarks of Radware in the U.S. and other countries. All other trademarks and names are the property of their respective owners. Printed in the U.S.A. Page 6