UNDERSTANDING AND DEPLOYING HOST-BASED INTRUSION PREVENTION TECHNOLOGY
SESSION 1

Agenda
- Defining Host-Based Intrusion Prevention
- Host-Based Intrusion Prevention Components and Capabilities
- Cisco Security Agent Components and Capabilities
- Case Studies
- Deployment Process
- Integration with Network-Based Security Technologies

Printed in USA.
Associated Sessions
- SEC-2006 Managing Security Technologies
- SEC-2030 Deploying Network-Based Intrusion Detection and Prevention Systems
- SEC-2040 Understanding and Deploying Network Admission Control
- SEC-3030 Troubleshooting Intrusion Detection Systems

DEFINING HOST-BASED INTRUSION PREVENTION
Defining Host-Based Intrusion Prevention (HIPS)
- Software installed on endpoints (desktops and servers), as opposed to network appliances
- Successor to host-based intrusion detection and an attempt to make up for its deficiencies:
  - Information overload
  - Reactive, with little in the way of remediation capabilities
  - Difficult to manage and keep up to date in dynamic environments
  - Can require expert log analysis

Defining Host-Based Intrusion Prevention (HIPS)
Developed in response to the following challenges:
- The network perimeter is no longer static
- Proliferation of encrypted network traffic
- Safeguards that rely only on attack signatures are under stress
- Application-layer attacks are more prevalent, fast-moving, and sophisticated; they target common applications and required services
- The vulnerability-to-exploit window is shrinking
[Chart: number of reported vulnerabilities per year, 1998-2001. Source: CERT]
HIPS Capabilities
- Increase system availability
- Provide data integrity
- Act as an enforcement tool for corporate computer security policy

Host-Based Intrusion Prevention Capabilities
"This technology can apply policies based on predefined rules or learned behavior analysis to block malicious server or PC actions. Host-based intrusion prevention can stop attackers from implementing buffer overflow strikes, changing registry keys, overwriting Dynamic Link Libraries or engaging in other approaches to obtain control of the operating system."
J. Pescatore, R. Stiennon, Gartner Group Research Note, 29 May 2003
Host Intrusion Prevention Requirements
1. Must be able to block malicious code actions
2. Must not disrupt normal operations
3. Must be able to tell the difference between attack events and normal events
4. Must be able to stop previously unknown attacks
5. Must protect flaws in permitted applications
6. Should be centrally managed

HOST-BASED INTRUSION PREVENTION COMPONENTS AND CAPABILITIES
Typical HIPS Components
- Management Server: deploys security policies to endpoints, receives and stores events, sends alerts to administrators, may deploy software
- Endpoint Agents: enforce the security policy received from the management server, send events, interact with the user (if necessary), protect themselves
- Management Console: administrative interface, policy configuration tool, provides event views

HIPS Implementation Approaches
Endpoint software implementation approaches:
- Intercept system calls between applications and the operating system
- Apply kernel modifications that impose stringent security controls
Security policy approaches:
- Pre-defined rules
- Learned behavior
- Signatures
- Heuristics
- Combination of methods
HIPS State Approaches
System state approaches:
- Location: where is the system within the network? Examples: remote office, VPN, corporate network
- User context: who is using the system? Examples: power user, call center agent, administrator, helpdesk
- Application behavior: what are the running applications doing? Examples: network applications, server applications
- Compliance query: does this system have an approved security posture? Examples: operating system version, patch levels, anti-virus signatures

HIPS Functional Aggregation
[Diagram: one security application built on four interceptors (network, file system, configuration, execution space) aggregates functions that used to be separate products: distributed firewall, host intrusion detection, application sandbox, network worm prevention, file integrity monitor]
Common Security Functions
System hardening:
- SYN-flood protection
- Malformed packet protection
- Restart of failed services
Resource protection:
- File access control
- Network access control
- Registry access control
- COM component access control
Control of executable content:
- Protection against email worms
- Protection against automatic execution of downloaded files or ActiveX controls
Application-related:
- Application run control
- Executable file version control
- Protection against code injection
- Protection of process memory
- Protection against buffer overflows
- Protection against keystroke logging
Detection:
- Packet sniffers and unauthorized protocols
- Network scans
- Monitoring of OS event logs
- Network firewalling

Security Architecture
- Security management: event reporting and correlation; intelligent investigation, validation, and false alarm reduction
- Endpoint protection (anti-virus, HIPS, host firewalls): server protection, desktop protection
- Network protection: firewall appliances, firewall switch blades, network IDS switch blades, network IDS appliances
CISCO SECURITY AGENT COMPONENTS AND CAPABILITIES

Cisco Security Agent (CSA) Components
- Management Server: deploys security policies, receives and stores events in a SQL database, alerts administrators, deploys software; part of the Cisco VPN and Security Management System (VMS)
- Cisco Security Agents: enforce the security policy received from the management server, send events immediately, interact with the user (if necessary), protect themselves, poll for policy updates; run on Windows and Solaris
- CSA Management Console: web browser interface, policy configuration tool, provides event views and all access to
Management Architecture
[Diagram: remote users or branch offices, the DMZ, and the campus all reach the management server]
- Events are pushed to the management server
- Configuration is pulled from it

CSA Communications Requirements
- Agent to MC: TCP/5401, TCP/5402
- CSA profiler to MC: TCP/5402
- Administrator to MC: TCP/1741 and TCP/1742 (SSL)
- Agents MUST be able to resolve the fully qualified domain name of the MC
- Depending on deployment, firewall rules or ACLs may have to be modified
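The two requirements above (name resolution of the MC and reachability of TCP/5401 and TCP/5402) are the ones that fail silently when a branch-office firewall or ACL is in the way. The following pre-flight script is an added example, not a Cisco tool or anything from the original deck: run it on a candidate agent host before pushing an agent kit there. The MC name csamc.example.com is a placeholder; the resolver and connector are injectable only so that the decision logic can be exercised without a live MC.

```python
"""Pre-deployment check run on a prospective agent host: can it resolve the MC's
fully qualified domain name and reach the agent-to-MC ports? Example code, not a
Cisco tool; csamc.example.com is a placeholder MC name."""
import socket
import sys

AGENT_TO_MC_PORTS = (5401, 5402)   # agent -> MC, from the requirements slide
ADMIN_TO_MC_PORTS = (1741, 1742)   # administrator browser -> MC (1742 is SSL)

def resolve_fqdn(fqdn):
    """First IPv4 address for fqdn; raises socket.gaierror (an OSError) on failure."""
    return socket.gethostbyname(fqdn)

def tcp_connect_ok(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def preflight(mc_fqdn, ports=AGENT_TO_MC_PORTS, resolver=resolve_fqdn, connector=tcp_connect_ok):
    """Map of check name -> (ok, detail). Name resolution is checked first because
    agents must resolve the MC by FQDN; the port checks are skipped if it fails.
    resolver/connector are injectable so the logic can be exercised offline."""
    results = {}
    try:
        ip = resolver(mc_fqdn)
    except OSError as exc:
        results["dns"] = (False, f"cannot resolve {mc_fqdn}: {exc}")
        for port in ports:
            results[f"tcp/{port}"] = (False, "skipped: name resolution failed")
        return results
    results["dns"] = (True, ip)
    for port in ports:
        ok = connector(ip, port)
        results[f"tcp/{port}"] = (ok, "reachable" if ok
                                  else "no connection: check firewall rules or ACLs between agent and MC")
    return results

def all_ok(results):
    """True only when DNS and every port check passed."""
    return all(ok for ok, _ in results.values())

if __name__ == "__main__":
    fqdn = sys.argv[1] if len(sys.argv) > 1 else "csamc.example.com"
    checks = preflight(fqdn)
    for name, (ok, detail) in checks.items():
        print(f"{'PASS' if ok else 'FAIL'} {name}: {detail}")
    sys.exit(0 if all_ok(checks) else 1)
```

Run it as `python csa_preflight.py csamc.corp.example` from the host that will receive the agent; a non-zero exit code means the agent would install but never register. Pass `ports=ADMIN_TO_MC_PORTS` from an administrator workstation to check the console ports the same way.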
Cisco SA Management Model: Groups
- Used to organize logical collections of hosts, e.g. IIS servers, executive desktops, or SQL servers

Cisco SA Management Model: Policies
- Are attached to zero or more groups
- Are composed of logical collections of rules
Cisco SA Management Model: Rules
- Are attached to policies
- Are where security functions are specified
- May enable specific heuristics

Agent Management Model Diagram
- GROUP: Web Servers
- HOSTS: Web1.cisco.com, Web2.cisco.com
- POLICIES: IIS Module, Windows Module
CSA Implementation Approach
Endpoint software implementation approach:
- Intercept system calls between applications and the operating system
Security policy approaches:
- Pre-defined rules
- Heuristics
- Combination of methods
System state approach:
- Application behavior: what are the running applications doing?

System Call Interceptors
[Diagram: applications (web server, email client, web browser) call into the host operating system through a system call interceptor that mediates file system access, registry access, COM object access, HTTP access, memory access, and code execution; a network interceptor at the network protocol stack mediates inbound and outbound packets]
CSA Functionality
- Intercepts requests to access key resources: file system, network, packet, COM, registry, key system functions, and interprocess communication calls
- Detects keystroke logging, code injection, buffer overflows, memory modification, and network scans; monitors OS and AV event logs
- Makes a real-time decision to allow, deny, query the user, or change internal state
- Done efficiently with little performance impact
- Not just traditional static ACLs, because decisions depend on state changes

Performance Impact
- Windows CPU usage: 1-5%
- Solaris CPU usage: 3-10%
- Memory usage: 7-10 MB, up to 20 MB
- Network impact: policy download 35-70 KB; event ~3 KB; poll ~2.5 KB; polling interval change ~3 KB; software update varies
- Transactions per second is a very good way to measure latency
Performance: Transactions per Second
[Chart: transactions per second. Note: performed on W2K SP3 running IIS 5.0; single 2 GHz P4 CPU, 1 Gbps NIC, non-hyperthreaded, 533 MHz system bus]

CSA Policy Approach
- Security policy approaches: pre-defined rules, heuristics, combination of methods (on top of system call interception and the application behavior state approach above)
Example Pre-Defined Rules
- Web servers can only write log and temp files
- Office applications cannot read or write executables
- Email clients or their descendants should not be able to invoke installer applications
- The sendmail application can only receive email protocol connections
- Only system applications may make changes to Windows registry run keys

Example: Email Worm Heuristic
- Files written by network applications are considered downloaded content
- Files written by applications that read downloaded content are also tagged
- Applications that access downloaded content are placed in a less trusted class
- When an application in this class tries to access mail COM objects, mail DLLs, files used by mailers, an IRC client, or the TCP SMTP port:
  - The user is queried
  - An event is sent to the management console
CSA System State Approach
- System state approach: application behavior (what are the running applications doing?), layered on system call interception and the policy approaches above

State Change Examples
- An application that has accessed a restricted document should not be able to connect to the network
- Applications that have received a network connection cannot create command shells
- Network servers are not allowed to invoke email applications
- Processes executing downloaded content should not access Outlook using COM
CASE STUDIES: HIPS IN ACTION

CSA in Action: Protection Against MyDoom
Worm lifecycle as drawn on the slides:
1. Arrives as an email attachment (marked N/A: nothing to protect yet)
2. Edits shimgapi.dll
3. Modifies taskmon.exe
4. Accesses the .wab address book file
5. Attempts to open TCP port 3127
6. System is compromised; worm spreads

Persist Phase, Part 1 (edit shimgapi.dll) and Part 2 (modify taskmon.exe)
- RULE: ask the user any time an application attempts to modify a system library, driver, or executable

Propagate Phase, Part 1
- HEURISTIC: network worm propagation

Propagate Phase, Part 2
- STATE CHANGE: recently downloaded content should not modify the registry

DEPLOYMENT PROCESS
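The pre-defined rules, the email-worm heuristic, the state change examples, and the MyDoom case study above are all the same mechanism seen from different angles: an interceptor that keeps per-process state (tagged as downloaded content, has received a connection, has read a restricted document) and decides allow, deny, or query at each intercepted call. The toy reference monitor below is an added example written for this page; it is not CSA code and does not claim to reproduce CSA's internals. The file names, the run key, the mail resources, and the application names are constructed, and the "network worm propagation" heuristic is simplified to an assumption of this example: a process in the less trusted class that opens a listening port is queried. It replays the MyDoom sequence from the case study and also exercises the state change examples.

```python
"""Toy reference monitor modelling the three CSA policy mechanisms from the slides
(pre-defined rules, the email-worm heuristic, state changes) and replaying the
MyDoom sequence through it. Example code, not CSA's implementation."""
from dataclasses import dataclass

# Constructed sample data; a real agent derives these from the OS and the policy.
SYSTEM_FILES = {"shimgapi.dll", "taskmon.exe", "kernel32.dll"}
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
MAIL_RESOURCES = {"address_book.wab", "mapi32.dll", "outlook:com"}
RESTRICTED_DOCS = {"payroll.xls"}
SHELLS = {"cmd.exe", "sh"}
SMTP_PORT = 25
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr")

@dataclass
class Process:
    name: str
    network_app: bool = False     # mail client / browser: files it writes are downloaded content
    office_app: bool = False
    system_app: bool = False      # OS component: the only class allowed to touch run keys
    less_trusted: bool = False    # state: has read or executed downloaded content
    got_connection: bool = False  # state: has received a network connection
    read_restricted: bool = False # state: has accessed a restricted document

class Monitor:
    def __init__(self):
        self.downloaded = set()   # files tagged as downloaded content
        self.events = []          # (process, op, target, verdict) that would go to the MC

    def check(self, p, op, target=None):
        """Intercept one call: returns 'allow', 'deny' or 'query' and records non-allows."""
        verdict = self._decide(p, op, target)
        if verdict != "allow":
            self.events.append((p.name, op, target, verdict))
        return verdict

    def _decide(self, p, op, target):
        if op == "file_write":
            if p.network_app or p.less_trusted:
                self.downloaded.add(target)          # HEURISTIC: tag downloaded content
            if p.office_app and target.endswith(EXECUTABLE_SUFFIXES):
                return "deny"                        # RULE: office apps cannot write executables
            if target in SYSTEM_FILES:
                return "query"                       # RULE: modifying a system library/driver/exe
            return "allow"
        if op in ("file_read", "exec"):
            if target in self.downloaded:
                p.less_trusted = True                # HEURISTIC: now in the less trusted class
            if target in RESTRICTED_DOCS:
                p.read_restricted = True             # STATE CHANGE input
            if p.office_app and target.endswith(EXECUTABLE_SUFFIXES):
                return "deny"                        # RULE: office apps cannot read executables
            if p.less_trusted and target in MAIL_RESOURCES:
                return "query"                       # HEURISTIC: less trusted app touching mail data
            return "allow"
        if op == "com_access":
            return "query" if p.less_trusted and target in MAIL_RESOURCES else "allow"
        if op == "registry_write" and target == RUN_KEY:
            if p.less_trusted:
                return "deny"                        # STATE CHANGE: downloaded content must not modify registry
            return "allow" if p.system_app else "deny"   # RULE: only system apps change run keys
        if op == "net_accept":
            p.got_connection = True                  # STATE CHANGE input
            return "allow"
        if op == "spawn":
            if p.got_connection and target in SHELLS:
                return "deny"                        # STATE CHANGE: no shells after a connection
            return "allow"
        if op == "net_connect":
            if p.read_restricted:
                return "deny"                        # STATE CHANGE: restricted doc, then no network
            if p.less_trusted and target == SMTP_PORT:
                return "query"                       # HEURISTIC: less trusted app speaking SMTP
            return "allow"
        if op == "net_listen":
            # Simplified stand-in for the network worm propagation heuristic (an assumption
            # of this example): downloaded content opening a listening port is queried.
            return "query" if p.less_trusted else "allow"
        return "allow"

def mydoom_walkthrough():
    """Replay the MyDoom steps from the case study; returns (op, target, verdict) per step."""
    m = Monitor()
    outlook = Process("outlook.exe", network_app=True)
    m.check(outlook, "file_write", "readme.scr")           # attachment saved: tagged as downloaded
    worm = Process("readme.scr")
    m.check(worm, "exec", "readme.scr")                    # executing downloaded content
    steps = [
        ("file_write", "shimgapi.dll"),                    # persist, part 1
        ("file_write", "taskmon.exe"),                     # persist, part 2
        ("file_read", "address_book.wab"),                 # harvest addresses
        ("net_listen", 3127),                              # backdoor port
        ("registry_write", RUN_KEY),                       # propagate, part 2
        ("net_connect", SMTP_PORT),                        # spread by mail
    ]
    return [(op, tgt, m.check(worm, op, tgt)) for op, tgt in steps]

if __name__ == "__main__":
    for op, tgt, verdict in mydoom_walkthrough():
        print(f"{verdict:5} {op} {tgt}")
```

The point to take from the walkthrough is that no signature for MyDoom is involved: every step is caught because the worm arrived as downloaded content and then did things a less trusted process is not allowed to do. The same `Monitor` also reproduces the state change slide (a server that has accepted a connection is denied `cmd.exe`, an office application that opened a restricted document is denied the network).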
Step 1: Install Management Console
- CSA MC is part of VMS 2.2
- Prepare the target system
- Install CiscoWorks Common Services; reboot
- Install Microsoft SQL Server; reboot
- BEST PRACTICE: install MSDE if under 500 agents, SQL Server Standard if over 500
- Install Management Center for Cisco Security Agents; reboot
- Installation should take 45-90 minutes in total

Step 2: Configure Groups
- Use the default server and desktop groups; these groups offer the most bang for the buck
- Default groups should be left intact
- BEST PRACTICE: make copies of the default desktop and server groups (e.g. "CSCO default desktops")
- BEST PRACTICE: put groups in TESTMODE so that invalid policy assumptions do not prevent applications from operating normally
Step 3: Configure Policies
- Default policies should be left intact if possible
- Make copies of the default policies and attach them to the new groups (e.g. "CSCO common security module")

Step 4: Build and Deploy Agent Kits
- Create agent kits associated with the copied groups (e.g. "CSCO default desktops kit")
- Deploy agent kits to a pilot group of 1-10% of your ultimate agent population, representative of the whole based on application package
- Agents can be deployed using almost any method: email link to the installation package, login scripts, SMS, Radia, Altiris, ZENworks, etc.
Step 5: Collect Data in Pilot
- At least 2 weeks of TESTMODE operation is recommended
- Good time to begin operational discussions and involve desktop/server teams: How will backups be handled? Log archive procedure? Event handling? Change management?

Step 6: Tune Policies
- Assuming pilot systems are not compromised, almost all events will be normal activity
- Some events will require corporate policy decisions: Are users allowed to install software? Are instant messengers prohibited?
- Use the Event Management Wizard to make exceptions
- BEST PRACTICE: put exception rules in exception policies
- Goal: tune 95% of legitimate events; many will be repetitive
Step 7: Collect More Data
- Another 2 weeks of TESTMODE operation is recommended
- Questionable events should be discussed with desktop/server teams
- This step is to be sure that nothing was missed during the first tuning phase

Step 8: Tune Policies
- Goal: 1-2 events per host per day on average
- Good time to determine pilot user perception: Are there too many queries? What has been your experience with the product?
Step 9: Move Out of Pilot
- Move pilot users out of TESTMODE
- Deploy agents on all remaining hosts in TESTMODE
- Implement all operational steady-state procedures

Step 10: Finalize Deployment
- Perform any final rule tuning as a result of new users in TESTMODE
- This phase lasts as long as necessary to feel comfortable with the tuning effort
- Move all remaining users out of TESTMODE
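Steps 5 through 8 turn on two numbers: which repetitive (rule, application) pairs make up 95% of the pilot's events, and whether the rate drops to 1-2 events per host per day once those are excepted. The script below is an added example for this page, not a CSA MC feature, and the event records in it are constructed (the rule names, hosts, and applications are invented for illustration). It ranks the pairs, sets aside the ones whose rule is a corporate policy question rather than tuning noise, and recomputes the rate with the remaining pairs excepted, keeping the full pilot population and window in the denominator so that a quiet host still counts.

```python
"""Triage of pilot TESTMODE events: find the repetitive (rule, application) pairs that
account for 95% of events, separate the ones that need a corporate policy decision,
and compute the events-per-host-per-day rate before and after excepting the rest.
Example code; the events are a constructed stand-in for a CSA MC event export."""
from collections import Counter

# Constructed sample: (host, day, rule that fired, application, number of occurrences).
SAMPLE_EVENTS = [
    ("desk01", "2004-03-01", "Only system apps modify run keys", "hpqtray.exe", 6),
    ("desk02", "2004-03-01", "Only system apps modify run keys", "hpqtray.exe", 5),
    ("desk01", "2004-03-02", "Only system apps modify run keys", "hpqtray.exe", 4),
    ("desk03", "2004-03-02", "Network apps writing executables", "backupagent.exe", 3),
    ("desk02", "2004-03-02", "Users may not install software", "msiexec.exe", 1),
    ("desk03", "2004-03-01", "Users may not install software", "msiexec.exe", 1),
    ("desk01", "2004-03-02", "Modify system library or executable", "unknown.tmp", 1),
]

# Rules whose events are policy questions, not tuning noise (assumed names for this example).
POLICY_DECISION_RULES = {"Users may not install software", "Instant messengers prohibited"}

def expand(rows):
    """Flatten the counted sample into one dict per event, as an export would deliver them."""
    return [{"host": h, "day": d, "rule": r, "app": a}
            for h, d, r, a, n in rows for _ in range(n)]

def events_per_host_day(events, excluded=frozenset()):
    """Average events per host per day after dropping excepted (rule, app) pairs.
    The denominator stays the full pilot population and window."""
    hosts = {e["host"] for e in events}
    days = {e["day"] for e in events}
    if not hosts or not days:
        return 0.0
    kept = [e for e in events if (e["rule"], e["app"]) not in excluded]
    return len(kept) / (len(hosts) * len(days))

def exception_candidates(events, coverage=0.95):
    """Most frequent (rule, app) pairs, taken until they cover `coverage` of all events."""
    counts = Counter((e["rule"], e["app"]) for e in events)
    total = sum(counts.values())
    chosen, running = [], 0
    for pair, n in counts.most_common():
        chosen.append((pair, n))
        running += n
        if running / total >= coverage:
            break
    return chosen

def split_candidates(candidates):
    """Separate pairs that can go straight into an exception policy from those whose
    rule needs a corporate policy decision first."""
    auto = [(p, n) for p, n in candidates if p[0] not in POLICY_DECISION_RULES]
    policy = [(p, n) for p, n in candidates if p[0] in POLICY_DECISION_RULES]
    return auto, policy

def tuning_report(rows=SAMPLE_EVENTS):
    """Everything a tuning meeting needs: counts, candidates, and the rate before/after."""
    events = expand(rows)
    auto, policy = split_candidates(exception_candidates(events))
    return {
        "events": len(events),
        "rate_before": events_per_host_day(events),
        "auto_exceptions": auto,
        "policy_decisions": policy,
        "rate_after": events_per_host_day(events, excluded={p for p, _ in auto}),
    }

if __name__ == "__main__":
    rep = tuning_report()
    print(f"{rep['events']} events; {rep['rate_before']:.2f} per host per day")
    for (rule, app), n in rep["auto_exceptions"]:
        print(f"  exception candidate: {app} / {rule} ({n})")
    for (rule, app), n in rep["policy_decisions"]:
        print(f"  policy decision needed: {app} / {rule} ({n})")
    print(f"after exceptions: {rep['rate_after']:.2f} per host per day (goal 1-2)")
```

The one event that never makes the candidate list (`unknown.tmp` modifying a system executable) is exactly the kind of rare, non-repetitive event the second collection phase in Step 7 exists to surface; the script keeps it out of the exception set by design, because low-frequency events are where a compromised pilot host would show up.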
INTEGRATION WITH NETWORK-BASED SECURITY TECHNOLOGIES

VPN "Are You There"
- Validates that CSA is running before the tunnel is established
- Available now; refer to chapter 1 of the VPN Client Administrator Guide
- Requires version 4.0 of the Cisco VPN client and concentrator
- Also supported in Check Point VPN-1
Network Access Control Functionality
- Part of the Self-Defending Network initiative
- Will be available in NAC phase 1, 1HCY04
- CSA posture credentials: installed service packs, installed hotfixes, CSA version, CSA operational state (enabled or disabled), FQDN of the MC this agent is assigned to, CSA status, time since the agent last polled into the CSA MC
- Supported in CSA version 4.0.2

Network Intrusion Detection
- Complementary technology: it names the attack
- Combining signature detection at the network and behavioral protection on the endpoint provides best-of-breed identification, protection, and analysis
- Layered defense requires different technologies at different layers in order to achieve optimum security
- If signatures fail at the network, alternative protection is required on the endpoint
- Behavioral protection on the endpoint will speed the development and deployment of new network signatures
Anti-Virus
- Also a complementary technology
- Most HIPS products do not have the ability to eradicate a virus, worm, or trojan
- Excellent first line of defense, especially at the network gateways
- Again, layered defense with multiple technologies and vendors: multiple safeguards means a better chance of success

Log Collectors and Correlators
- Integrates directly with CiscoWorks SIMS (netForensics OEM) using an agent on the CSA management console to forward events to collectors
- Can integrate with most other collectors using a flat log file, email, or SNMP
- Events can be forwarded to SecMon along with all other Cisco security events
Summary
How does HIPS fit into the big picture?
- Last line of defense against first-strike malicious code
- Enforcement of corporate security policy
- Potential reduction in patch management costs
Where should I put it first?
- Remote desktops and laptops
- Critical DMZ servers
- Operational systems like kiosks and call center desktops
Reference Materials
- Training course: Securing Hosts Using Cisco Security Agent (HIPS) 1.0
- Whitepaper: Cisco Security Agent with Intrusion Protection for Remote Corporate Users
- Download CSA software

Recommended Reading
- Host Intrusion Prevention Software Server Shields, by Mike Demaria, Network Computing Magazine, http://www.networkcomputing.com/showitem.jhtml?docid=1508f2
- Defining Intrusion Prevention, by J. Pescatore and R. Stiennon, Gartner Research Note, 29 May 2003
- Host Intrusion Prevention is the Last Line of Defense for Networks, by Eric Ogren, CSO Magazine, http://www.csoonline.com/analyst/report1265.html
Deployment Best Practices
- Install MSDE if under 500 agents, SQL Server Standard if over 500
- Make copies of groups and policies before using them so that the defaults are left intact
- Put groups in TESTMODE so that invalid policy assumptions do not prevent applications from operating normally
- Put exception rules in exception policies