Barracuda Intrusion Detection and Prevention System

Transcription

1 Providing complete and comprehensive real-time network protection Today s networks are constantly under attack by an ever growing number of emerging exploits and attackers using advanced evasion techniques which can be used by the bad guys to trick traditional firewalls and Intrusion Prevention systems in order to gain access to the corporate network and its critical data. The Barracuda NG Firewall inline Intrusion Detection and Prevention System (IDS/IPS) is tightly integrated in the firewall architecture and can strongly enhance network security by providing complete and comprehensive real-time network protection against a broad range of network threats, vulnerabilities, exploits and exposures. In addition the Barracuda IDS/IPS keeps spyware and worms out of the corporate network in order to prevent fraud and to maintain strict privacy. By constantly monitoring network and system activities for malicious or suspicious behavior, the Barracuda NG Firewall can react in real-time to block and prevent such activities. RELEASE 2 Strong and robust protection against a multitude of threats and exploits The Barracuda NG Firewall provides easy to use and immediate out-of-the box protection against a vast number of exploits and vulnerabilities in operating systems, applications and databases thus preventing network attacks such as: SQL Injections Arbitrary Code Executions Access Control Attempts and Privilege Escalations Cross Site Scripting Buffer Overflows Denial of Service (DoS) and Distributed Denial of Service (DDos) Attacks Directory Traversal Attempts Probing and Scanning Attempts Backdoor Attacks, Trojans, Rootkits, Viruses, Worms and Spywares Identifying advanced IPS evasion and obfuscation techniques By providing various additional attack and threat protection features such as packet anomaly protection, TCP stream reassembly, IP- and RPC defragmentation as well as URL- and HTML decoding the Barracuda NG Firewall is able to identify and to block advanced evasion attempts and obfuscation techniques which are widely used by attackers to circumvent and trick traditional signature based intrusion prevention systems. Packet Anomaly Protection: Packet anomaly protection carries out several network level sanity checks on the received packets. The checks include identifying malformed packets by checking the IP checksum, proper length encoding or misused IP options. In addition, packets with illegal source IP addresses or time-to-live (TTL) settings, and source routed packets are eliminated. IP Fragmentation Protection: IP fragments received by the Barracuda NG Firewall are reassembled to proper packets by way of defragmentation. No fragments are directly forwarded thereby protecting against fragmentation attacks such as fragment overlaps or interleaved duplicate packets on destination systems. 1

2 TCP Stream Reassembly: The Barracuda NG Firewall provides support for TCP stream reassembly (SRA). In general, TCP streams are broken into TCP segments that are encapsulated into IP packets. By manipulating the way a TCP stream is segmented, it is possible to evade detection, e.g. by overwriting a portion of a previous segment within a stream with new data in a subsequent segment. This method allows attackers to hide or obfuscate network attacks. The firewall engine receives the segments in a TCP conversation, buffers them and reassembles the segments into a correct stream by e.g. checking for segment overlaps, interleaved duplicate segments, invalid TCP checksums, and so forth. In addition, TCP sequence number manipulations an additional check of the TCP sequence number is performed, thus protecting against injections of manipulated or replayed packets into a forwarded TCP stream. After the TCP stream has been reassembled the firewall engine passes the reassembled stream to the IPS engine for inspection. RPC Defragmentation: Attackers may transmit a single request fragmented over a hundred actual requests containing small fragments of the malicious payload, thus tricking any traditional signature based IPS. At the same time, an attacker could transmit both, the BIND and the request fragments, in one large TCP segment, thus circumventing any signatures which are using simple size checks. The Barracuda NG Firewall reassembles all RPC request and checks for malicious payload, thus providing solid protection against RPC related exploits and attacks. FTP Evasion Protection: The IPS engine is able to avert FTP exploits where attackers are trying to hide their attacks by inserting additional spaces or TELNET escape sequences in FTP sessions. URL Decoding: By using URL encoding techniques such as escape encoding or path character transformation, attackers can convert any URL into a meaningless and harmless string to any intrusion prevention system which is only using simple URL matching in their signatures and patterns. The Barracuda NG Firewall performs URL decoding thus providing solid protection against any URL encoding related attack. HTML Decoding and Decompression: Attackers can make use of malicious HTML documents to exploit flaws in web browsers in order to install malware such as Trojans or rootkits on client systems and the enterprise network. The Barracuda IPS engine is able to detect and block such malicious HTML documents even in case attackers are trying to evade detection by employing advanced IPS evasion techniques such HTML character encoding (e.g. UTF-16, UTF-32, base64, etc.), chunked encoding or compression (GZIP and deflate). TCP Split Handshake Protection: The Barracuda NG Firewall provides a technique to block the usage of TCP split handshakes. Although the TCP split handshake is a legitimate way to start a TCP connection (RFC793), it can also be used by attackers to gain access to the internal network by way of establishing a trusted IP connection. Denial of Service, Spoofing and Flooding Protection In addition to the comprehensive intrusion pattern database and the advanced anti evasion countermeasures, the Barracuda NG Firewall offers a wide range of transport layer protection mechanisms: IP Spoofing Protection Portscan and Sniffing Protection TCP SYN Flood Protection ICMP Flood Protection Duplicate local IP detection Resource exhaustion protection ARP spoofing and trashing protection 2

3 Ongoing signature updates As part of the Barracuda Energize Update subscription automatic signature updates are delivered on a weekly schedule or on an emergency basis in order to ensure that the Barracuda NG Firewall is constantly up-to-date and aware of the latest threats, vulnerabilities and exploits, thus ensuring strong and robust network protection. In case the firewall is centrally managed, the pattern updates can be conveniently distributed by the Barracuda NG Control Center. Currently, the Barracuda NG Firewall delivers two optimized out-of-the-box signature sets for its next generation firewall appliances. Barracuda NG Firewall models F100, F101, F200, F201, F300 and F301 are using a downsized signature set of 1,600 pattern definitions (the majority being client centric) in order to guarantee the best performance/protection ratio for branch office deployments. Models F400, F600, F800, F900 as well as all virtual appliances (VF25-VF8000) are using the full signature set of +4,000 patterns to provide maximum protection against all levels of network attacks, both client and server oriented. Signature Customization via Generic Patterns The Barracuda NG Firewall allows for the creation of custom signatures for detecting and blocking network based attacks such as the internet worms or exploit attempts on the corporate network. Customized signatures can conveniently be grouped in profiles and applied to a specific firewall rule. 3

4 Threat identification, analysis and remediation In case an attack is detected, the Barracuda NG Firewall can drop the offending packets and sessions while still allowing all other traffic to pass or just detect and log the intrusion attempt. Depending on the severity of the threat highly granular actions can be assigned on a per firewall rule base, thus enabling the Barracuda NG Firewall with intuitive and easy to use policy management to allow, block or log questionable traffic based on severity, location, user/group, type and application in single pass mode. By this means, the Barracuda NG Firewall is not only reducing risk exposure but also providing network administrators an effective yet simple tool to protect corporate investments. The Barracuda NG Firewall features intuitive, easy to use and granular IDS/IPS policy management capabilities. 4

5 Managing False Positives A false positive detection is triggered when legitimate network activity is interpreted and reported by the IDS/IPS as suspicious or malicious traffic and by this means as an attack on the corporate network. Usually this happens when network activity meets certain criteria that were specified in order to identify an attack. With the Barracuda NG Firewall a false positive can be easily addressed by either tuning the IPS policy configuration on signature level (disable respective signature in the respective IPS policy) or by overriding the signature in the IPS Overrides part of the user interface. False positives can easily be overridden and modified in order to allow certain network traffic and to minimize the total amount of false positive hits displayed on the Threat Scan View. The Barracuda Threat Scan displays a detailed and customizable overview of all intrusion events, providing also full application and user visibility. 5

6 Features and Capabilities F100 F101 Firewall Throughput IPS Throughput 1 33 F200 F F300 F F400 F600 F800 F900 Vx , ,650 Number of threat patterns in library 2 1,600 1,600 1,600 4,100 4,100 4,100 4,100 4,100 Packet Anomaly Protection Packet Reassembly TCP Stream Reassembly TCP Checksum Check HTML Obfuscation Protection UTF-7 character set encoding supported UTF-16 little-endian encoding supported UTF-16 big endian encoding supported UTF-32 little-endian encoding supported UTF-32 big endian encoding supported Chunked encoding (random chunk size, fixed chunk size) Deflate Compression (RFC 1951) supported Gzip Compression (RFC 1952) supported URL Obfuscation Protection Escape Encoding supported Microsoft %u Encoding supported Path Character transformations and expansions supported RPC Fragmentation Protection MS-RPC (DCE) defragmentation supported (RFC 1151) Sun-RPC (ONC) defragmentation supported (RFC 1151) FTP Evasion Protection Detection of inserted spaces in FTP command lines Detection of additional telnet control sequences in FTP commands N/A 3 N/A Denial of Service, Spoofing & Flooding Protection IP Spoofing Protection Portscan Protection Sniffing Protection SYN/DoS/DDoS Attack Protection ICMP Flood Ping Protection Reverse Routing Path Check Measured with large packets (MTU1500) 2... as of November Depending on hardware 4... Measured with large packets (MTU9000) About Barracuda Networks Inc. Barracuda Networks Inc. combines premises-based gateways and software, virtual appliances, cloud services, and sophisticated remote support to deliver comprehensive content security, data protection and application delivery solutions. The company s expansive product portfolio includes offerings for protection against , Web and IM threats as well as products that improve application delivery and network access, message archiving, backup and data protection. Coca-Cola, FedEx, Harvard University, IBM, L Oreal, and Europcar are among the more than 150,000 organizations protecting their IT infrastructures with Barracuda Networks range of affordable, easy-todeploy and manage solutions. Barracuda Networks is privately held with its International headquarters in Campbell, Calif. For more information, please visit Barracuda Networks 3175 S. Winchester Boulevard Campbell, CA United States info@barracuda.com 6