1© 2003, Cisco Systems, Inc. All rights reserved.
SEC-20308175_05_2003_c1
Advanced Enterprise IDS Deployment and Tuning
The Challenge: Security in Modern Networks
• The Potential Impact to the Bottom Line Is Significant
• The Number of Security Incidents Continues to Rise Exponentially
• The Complexity and Sophistication of Attacks and Vulnerabilities Continues to Rise
Mitigating the Risk: Defense in Depth
• Comprehensive security policy
• Pervasive security—end to end
• Security in layers
• Multiple technologies, working together
Defense in Depth: The Role of Intrusion Detection
• Complementary technology to firewalls
• Been around for more than a decade, started coming into prominence in the late ’90s
• Performs deep packet inspection, gaining visibility into detail often missed by firewalls
Advanced Enterprise IDS Deployment: Agenda
• Intrusion Protection Systems
• Network Sensors
• Host Agents
• Management Consoles
• Case Studies
Intrusion Protection Systems
Intrusion Protection Agenda
• Terminology and Technologies
• Complete Architecture:
Sensors, Agents, Management Consoles
• Placement Strategies
Where to Place Your Sensors, What Traffic to Watch, How to Get Traffic to Them
• Organization-Level Concerns
Responding to Intrusions, Ownership and Organization, Outsourcing
IDS Terminology: False Positives
• A False Alarm occurs when an IDS reports an attack even though no attack is underway
• Benign activity that the system mistakenly reports as malicious
• Typically due to improper tuning
• Can easily overwhelm alarm consoles, creating an enormous amount of background noise
• Can result in mistrust of the IDS by security personnel
IDS Terminology: False Negatives
• A False Negative occurs when an IDS fails to report an ongoing attack
• Malicious activity that the system does not detect or report
• Tend to be worse because the purpose of an IDS is to detect such events
• Can be due to a variety of events
Can be the result of IDS evasion efforts by an attacker
Can also be due to an out-of-date signature knowledge base (misuse detection systems)
Minor state transition that is below a detectable threshold (anomaly-based systems)
IDS Terminology: Signatures and Anomalies
• Signatures explicitly define what activity should be considered malicious
Simple pattern matching
Stateful pattern matching
Protocol decode-based analysis
Heuristic-based analysis
• Anomaly detection involves defining “normal” activity and looking for deviations from this baseline
IDS Architecture: Sensors, Agents, and Management
[Diagram: host agents, network sensors, and management consoles; the Production Network and the Management Network are shown as separate segments]
IDS Components
• Network-Based Sensors
Specialized software and/or hardware used to collect and analyze network traffic
Appliances, modules, embedded in network infrastructure
• Host-Based Agents
Server-specific agent
Provides both packet- and system-level monitoring, and active response
• Security Management and Monitoring
Performs configuration and deployment services
Alert collection and aggregation for monitoring
Network-Based IDS: The Sensor
[Diagram: the sensor's passive interface (no IP address) captures data from the monitored network; a separate interface with an IP address provides the network link to the management console]
Network-Based IDS: The In-line Sensor
[Diagram: data flows through the in-line sensor's pair of passive interfaces (no IP address); a separate interface with an IP address provides the network link to the management console]
Network-Based IDS: Functions and Capabilities
• Monitors all traffic on a given segment
• Compares traffic against well-known attack patterns (signatures); also looks for heuristic attack patterns (e.g. multi-host scans, DoS)
• Includes fragmentation and stream reassembly logic for de-obfuscation of attacks
• Primarily an alarming and visibility tool, but also allows active response: IP session logging, TCP reset, shunning (blocking)
Host Agents: Functions and Capabilities
• Distributed agent residing on each server to be protected
• Intimately tied to the underlying operating system
Can allow very detailed analysis
Can allow some degree of Intrusion Protection
• Allows analysis of data encrypted for transport
• Monitors kernel-level application behavior, to mitigate attacks such as buffer-overflow and privilege escalation
Some General Pros and Cons
Host-Based
Pros
• Can verify success or failure of attack
• Generally not impacted by bandwidth or encryption
• Understands host context and may be able to stop attack
Cons
• Impacts host resources
• Operating system dependent
• Scalability—Requires one agent per host
Network-Based
Pros
• Protects all hosts on monitored network
• No host impact
• Can detect network probes and denial of service attacks
Cons
• Switched environments pose challenges
• Monitoring >100Mbps is currently challenging
• Generally can’t proactively stop attacks
Should View as Complementary!
Placement Strategies
• Monitoring critical traffic
• Deploy network sensors at security policy enforcement points throughout the network
• Deploy host sensors on business critical servers
• Beware of sensor overload — sensors must be able to handle peak traffic loads
Otherwise they will suffer packet drop/loss and possibly miss attacks
Deploying IDS Solutions
Overview
Often, IDS cannot be implemented “everywhere” due to cost restrictions.
Where do you need to detect an intrusion as soon as it occurs?
Where an incident would be most expensive (most valuable data)
At the entry to a sensitive domain (to detect the first successful step of the attacker)
At other locations, where attempts need to be analyzed
Look at the risks again—make sure you prioritized based on the value of a resource and the exposure involved.
Network IDS Primary Functions
• Identify Malicious Activity
• Identify Network Anomalies
• Network Traffic Enforcement
• First Alert: Day Zero
• First Packet Response
• TCP Traffic Normalization
NIDS Deployment Considerations
• General Location Selection Issues
Purpose of Deployment Defines Location
Inside, Outside, or DMZ
Internal vs Perimeter
Response Actions vs Passive Monitoring
Trusted vs Non-Trusted Zones (chokepoints)
Security Operations vs Network Operations
NIDS Deployment Considerations (cont)
• Specific Location Selection Issues
Location Requirements Define Platform
Sensor Performance
Large Network Pipes can result in Data Overflow
Proper Platform Selection is Crucial
Load Balancing Issues (Sweep and Flood Fidelity)
Data Reduction Possibilities
Highly Available or Asymmetrically Routed Networks
NIDS Deployment Considerations (cont)
• Specific Location Selection Issues
Encrypted Traffic
SSL or IPSec
IDS Monitoring Sources
Network Taps
SPAN (and RSPAN)
VACL Capture
Aggregation Switch
Inline
IDS Sensor Monitoring Considerations
• NIDS sensors should monitor the segments where you most need to detect attacks:
Monitor most sensitive internal segments (management network)
Monitor most sensitive internal servers
Monitor network entry points:
Internet firewall, business partner entry, VPN/dial-up entry
Switched network edge (biggest performance issue)
Monitor exposed hosts most likely to be compromised:
If they are likely to be used as a jump-off point
If your reputation depends on them
Monitoring Sensitive Internal Servers or Segments with NIDS
• Performance considerations:
Select the correct Sensor platform
Use a dedicated sensor per network/vlan (if required)
Move the sensor to a different location to see more specifically defined traffic
If necessary, only capture a subset of traffic (exclude traffic that can’t be inspected: IPSec, SSL, Multicast)
Use HIDS (not a performance issue)
Use Load Balancing to distribute network flows
IDS Placement and Tuning
Network Sensor Deployment Locations
• Inside (trusted side) network monitoring:
Typical initial IDS deployment spot (along with DMZ)
Usually broad monitoring to detect any attacks
Sees traffic filtered by the firewall
Detects attacks that penetrate the firewall
Detects outgoing attacks (even if blocked by the firewall)
Useful to check config of firewall
Network Sensor Deployment Locations
• Outside (untrusted side) network monitoring:
“Broad” monitoring for all types of attacks
Also detects attacks which the firewall will block (early warning, trends, new risks, “Internet thermometer”)
Serious risk of operator overload as sensor monitors uncontrolled network space (no man’s land)
Usually requires special configuration and possibly special management and monitoring considerations
• Useful for correlation with inside sensors
Multi-Sourced NIDS Sensors
• Multiple capture interfaces forwarding to the same IDS engine:
Monitors multiple segments with similar properties (same IDS policy, simple with service modules)
Potential for IDS oversubscription
Possible issues with address range overlap
Network Sensor Deployment Locations
• High Availability or Asymmetrically Routed Networks
IDS must see all packets involved in a connection
Usually requires a sensor with multiple interfaces to capture data from all points
Data overflow to IDS is serious possibility in an active/active network setup
Network Sensor Deployment Locations
• Inline IDS Deployments (IPS)
IDS is able to block the offending packet
IDS signature quality must be very accurate, with low false positives; otherwise legitimate network traffic is disrupted
Since packets flow through the device, the IDS must have no measurable impact on traffic flow (e.g. loss rate, latency, jitter)
Network reliability must follow standard procedures
Failover in a highly available network
Fail open or fail closed?
Deployment Example: IDS Load Balancing for the Data Center
[Diagram: data center with Web Tier, Application Tier and Mainframe; Aggregation and Access switch layers; two NIDS sensors sharing the monitoring load]
Encrypted Traffic and Network IDS
IPSec - Use a Network Module in the tunnel termination router to inspect traffic before it gets sent out the interfaces
SSL - Early decryption of SSL sessions at an SSL accelerator
For crypto tunnels terminated on the host, use HIDS
NIDS Switched Environment Considerations
• In a switched environment, you can monitor:
Inside a switch (IDSM) or router (NM-IDS)
Using a network TAP
Using SPAN or VACL Capture
On the host (HIDS)
• Avoid oversubscribing the device or port:
Lost packets break stream and composite signatures
Smart VACLs (specific protocols)
Perhaps monitor only one port via SPAN
Understand the limitations of the packet sourcing device
Reference IDS_Capture_Techniques[1].ppt
SPAN Overview
• SPAN means Switch Port Analyzer
• SPAN copies ALL packets from source VLANS or ports to a destination port
• Supported across most Cisco switches
• Different switches have different limitations on use of SPAN, including number of SPAN destination ports
• Some switches do not allow incoming packets on the SPAN destination port; accepting them is necessary if a customer wishes to use TCP Reset.
[Diagram: SPAN directs a copy of ALL traffic from the SOURCE port or VLAN to the destination port]
NIDS Switched Environment Considerations
• A VLAN-aware sensor is:
Able to process 802.1q tagged packets
• Issues when using the SPAN port:
If SPAN belongs to a single VLAN, packets enter the SPAN port without the VLAN headers.
Configure SPAN as a trunking port, if necessary (supporting ALL active VLANs).
Which VLAN do you send the RST to?
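To show what "VLAN aware" means in practice, here is an added Python example (not from the Cisco deck) that parses the 802.1Q tags off a SPANned frame and reports which VLAN a TCP RST would have to be injected into; it also handles stacked 802.1ad/802.1Q (QinQ) tags, which the slide does not mention. The MAC addresses and frames are constructed.

```python
"""Parse Ethernet frames as a VLAN-aware sensor must: peel 802.1Q (and stacked
802.1ad) tags, record the VLAN each packet arrived on, and report which VLAN a
TCP RST would have to be sent into. Added example, not from the deck; the
frames are constructed."""
import struct

TPID_8021Q = 0x8100   # single 802.1Q tag
TPID_8021AD = 0x88A8  # outer tag of a QinQ (double-tagged) frame
ETHERTYPE_IPV4 = 0x0800


def parse_frame(frame):
    """Return dst/src MAC, VLAN IDs outer-first, inner EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, vlans = 14, []
    # A trunk-port SPAN delivers tagged frames; keep consuming tags while the
    # EtherType field is really a tag protocol identifier.
    while ethertype in (TPID_8021Q, TPID_8021AD):
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[offset:offset + 4])
        vlans.append(tci & 0x0FFF)   # VLAN ID is the low 12 bits; PCP/DEI sit above
        offset += 4
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlans": vlans,
            "ethertype": ethertype, "payload": frame[offset:]}


def response_vlan(parsed):
    """VLAN into which a TCP RST for this packet must be injected (the innermost
    tag, i.e. the customer VLAN on a QinQ frame). On an access-port SPAN the
    switch has already stripped the tag, so the sensor cannot tell: that is the
    deck's 'which VLAN do you send the RST to?' problem."""
    return parsed["vlans"][-1] if parsed["vlans"] else None


def build_frame(dst, src, payload, vlans=()):
    """Build a constructed IPv4 frame carrying zero, one or two VLAN tags."""
    hdr = dst + src
    for i, vid in enumerate(vlans):
        tpid = TPID_8021AD if (i == 0 and len(vlans) > 1) else TPID_8021Q
        hdr += struct.pack("!HH", tpid, vid & 0x0FFF)
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload


if __name__ == "__main__":
    mac_a, mac_b = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    for tags in ((), (401,), (100, 401)):
        p = parse_frame(build_frame(mac_a, mac_b, b"\x45\x00", tags))
        print(tags, "->", p["vlans"], "RST to VLAN:", response_vlan(p))
```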
VACL Capture Overview
• A VLAN ACL, also known as Security ACL, specifies traffic to capture.
• The VACL Capture copies filtered packets from source VLANS to a destination port.
[Diagram: VACL directs a copy of FILTERED traffic from the SOURCE port to the capture port]
Management Interface Security Guidelines
• Perimeter (outside monitoring) placement options:
Classic firewall sandwich (in-band)
Management interface on separate inside VLANs
Management interface on separate DMZ
Management interface on separate physical network
Intrusion Detection Deployment: What Areas of the Network Are Candidates?
[Diagram: the Corporate Network surrounded by the candidate areas below]
• Business Partner Access / Extranet Connections
• Internet Connections
• Remote Access Systems
• Remote/Branch Office Connectivity
• Data Center
• Management Network
Sensor Placement Rationale
• No real standard
• No primer or cookbook that says “Place IDS here”
• Varies tremendously from network to network
• IDS is typically found around firewalls
These are usually perceived as transit points from one network to another
• Also found where there are differing trust levels within the network
Typical Order of Deployment
• How far down the deployment path you go often depends on your resources; if resources are tight, always look at where you can get the most ‘bang for your buck’
• Data centers, high risk, or other ‘HDV’ areas
• Directly behind perimeter firewalls
• Internet DMZ areas
• Remote access and remote offices
Why at Internet Connections?
• Firewalls usually don’t protect against data driven attacks
• Consider a Web server on a DMZ
Various web server vulnerabilities have been found over the past few years
Microsoft IIS Directory Traversal Vulnerability (UNICODE)
Apache/OpenSSL SSL2 Handshake Process buffer overflow
Microsoft IIS WebDAV buffer overflow
Microsoft SQL Slammer worm
Patches are available, but…
• Can be exploited to deny service or access the server
Attacking through the Firewall
[Diagram: Attacker on the Internet, Vulnerable Web Server on the DMZ, and the inside network; flows labelled WWW and Telnet]
Firewall Rules:
• Permit any DMZ port 80
• Permit DMZ inside
• Permit DMZ outside
• Permit inside any
• Deny any any
Inside or Outside?
• Somewhat of a “religious” debate
• Depends on the situation and the needs
• Made more effective with good ACLs at the edge router(s)
• Must be tuned properly—otherwise false alarms will significantly reduce the value of the IDS on the outside
Sensor Placement—Inside or Outside?
Sensors on Outside
• Sees everything including traffic blocked by firewall
Can’t distinguish between what is denied or permitted by firewall
Tools like Stick can generate lots of noise
• Monitors both DMZ and inside traffic
Sensors on Inside
• Sees only traffic permitted by the firewall
Response is needed
• Sensor is needed for each internal leg of the firewall
[Diagram: Attacker, DMZ, Inside]
Next Steps: Getting Traffic to your Network Sensors
• Traffic must be mirrored to network sensors (replicated)
• Choices:
Shared media (hubs)
Network taps
Switch-based traffic mirroring (SPAN)
Selective mirroring (traffic capture—VACLs)
Using a Network Tap
[Diagram: a tap on the full-duplex link between the firewall and the router splits traffic from the firewall and traffic from the router (TX and RX) into two streams; an aggregation switch combines them and SPANs the tap traffic to the sensor]
• Tap splits full duplex link into two streams
• For sensors with only one sniffing interface, need to aggregate traffic to one interface
• Be careful of aggregate bandwidth of two tapped streams
Don’t exceed SPAN port or sensor capacity
Switch-Based Traffic Capture
• Port Mirroring: SPAN functionality and command syntax varies between product lines and switch vendors
Some limit the number of SPAN ports
Some allow you to monitor multi-VLAN traffic
Note that not all sensor vendors can handle multi-VLAN traffic
http://www.cisco.com/warp/public/473/41.html
• Rule-Based Capture: VLAN Capture/MLS IP IDS
Policy Feature Card (PFC) required on Catalyst 6500
Allows you to monitor multi-VLAN traffic
Use “mls ip ids” when using “router” interfaces or when interface is configured for Cisco IOS FW
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/idsm/idsm_2/13074_03.htm
Switch-Based Traffic Capture Example
Using SPAN:
switch>(enable) set span 4/5 6/1 rx create
switch>(enable) set span 401 6/1 rx create
• Sets port 5 on module 4 and VLAN 401 to span to the monitoring port on the IDS Module in slot 6
Using VACL:
switch>(enable) set security acl ip WEBONLY permit tcp any any eq 80 capture
switch>(enable) set security acl ip WEBONLY permit tcp any eq 80 any capture
switch>(enable) commit security acl WEBONLY
switch>(enable) set security acl map WEBONLY 401
switch>(enable) set security acl capture-ports 6/1
• Captures web traffic on VLAN 401 only, and sends the captured traffic to the monitoring port on the IDS Module in slot 6
Additional Deployment Considerations: Organizational Issues
• As with all security technologies, it is critical to have a robust security policy
• Intrusion Detection technologies cross many different business functions:
IT Security—Policy, deployment, monitoring
Networking—Traffic direction, active response
Server Admins—installation, maintenance
Who determines how/where to connect sensors on the network? Install new agents?
Switch configuration considerations, tap considerations, management considerations
Incident Response: Policies and Procedures
• Security policy must also address incident response
Must be approved by senior management
• Must address containment/recovery procedures
Which areas do you respond to first?
When do you start severing connections?
Under what circumstances do you notify senior management?
Under what circumstances do you engage law enforcement (if ever)?
Incident Response: Responding to an Intrusion
• Following investigation and alarm validation, an appropriate triage solution is put in place
• It is important to understand that this is not the end of the incident life cycle
A root cause analysis must be performed
A long term fix must be implemented
The IDS policy and security policy in general must be updated as appropriate
Planning Ahead: Other Resource Issues
• 24x7x365 monitoring and response capability
Cross-functional skill set (networking, security, operating systems, etc.)
Staffing and training considerations
Escalation paths—constant availability
• Consider outsourced managed security service provider
Could employ to augment internal security resources in cooperative fashion
Note that service level agreements for outsourced managed IDS services are difficult to develop
“Layer 8” of the OSI Model
• IDS is cross functional
• Challenges
Who “owns” IDS?
Does the owner of IDS own both host IDS and network IDS?
Who determines how/where to connect sensors on the network?
• Must be worked out up front before deploying
[Diagram: the OSI stack (Physical, Data Link, Network, Transport, Session, Presentation, Application) with an eighth layer on top: Political]
IDS Tuning
Terminology
• False Alarms: State in which the ID system mistakenly reports a benign activity as being malicious
• False Negative: State in which the ID system does not detect and report actual malicious activity even though it is monitored
What Is IDS Tuning?
• IDS Tuning is the art of balancing between false alarms and false negatives
• The intent is to achieve the following:
• We want to minimize the value of $T_{IDS}$:
$$T_{IDS} = \frac{F_{alarms} + F_{neg}}{A_{Total}}$$
Where to Start?
• Start by understanding the network
“Learn the network, know the network…live the network!”
• Look at where you place your IDS sensors
Remember, we discussed this just a few slides ago
• Understand the traffic patterns near your sensors
IDS Tuning Methodology
[Flowchart with nodes: Start; Identify Potential Location for Sensors; Apply Initial Configuration; Monitor; False Alarms? (Yes/No); Implement Signature Tuning; Implement Response Actions; Negative Effects? (Yes/No); Update Sensors]
IDS Sensor Tuning Tasks
1. Determine what traffic requires monitoring to protect critical assets
2. Connect “sensors” to network
3. Apply initial configuration
4. Run for a week or so with default configuration
5. Analyze the alarms and tune out false positives
6. Selectively implement response actions
7. Update sensors with new signatures
Tuning Your Sensors
• Tuning is the most important part of intrusion detection deployment
The data reduction that results from proper tuning is essential for a fully functional system
• Not every sensor needs to alert on every event
Implementing environment specific configurations increases scalability of the entire system
Tuning: Where to Start
• Most sensors ship with a default signature configuration
This is a good starting point for an initial deployment in most cases
• Start by listening to high/medium severity alarms
Prioritize the tuning of the high priority alarms, and then move on to the mediums
How to Tune a Sensor: Techniques
• Understand the environment and traffic patterns
• List out potential false positives
Analyze each alert and classify stimulus and response
• Define policy, and policy exceptions
e.g. Ping sweeps generate alarms, except when coming from the management network
• Turn down severity of signatures not applicable to that environment
• Iterative process: as traffic patterns change, sensors can require re-tuning
Example Tuning Features
• Signature Specific:
Ports, Protocols, Services, Analysis Length, etc.
• Filtering: what networks to alarm on
• MinHits: number of events to see before alarm
• Severity: what level of alarm to send
• Alarm Aggregation: how many alarms to send
Alarm Throttle: Summarization characteristics
Alarm Interval: Summarization window
Choke Threshold: High water mark to force summary
• Actions: what to do following an alarm
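As an added example (not Cisco sensor code), the following Python models the tuning features listed above, the policy exception from the previous slide (ping sweeps alarm, except from the management network) and the T_IDS formula from the IDS Tuning section, run over a constructed alarm stream. The 10.0.0.0/24 management network, the source addresses, the thresholds and the reading of A_Total as the number of events are assumptions.

```python
"""Sensor tuning over a constructed alarm stream: a per-signature source-network
filter (the deck's policy exception), MinHits, and alarm aggregation with an
Alarm Interval and a Choke Threshold, scored with the deck's T_IDS formula.
Added example, not Cisco sensor code; A_Total is taken as the number of events."""
from collections import defaultdict, namedtuple
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# malicious is constructed ground truth, used only for scoring
Event = namedtuple("Event", "ts sig src malicious")
# kind is "alarm" (first hit of a window, sent at once) or "summary"
Alarm = namedtuple("Alarm", "ts sig src kind hits")

@dataclass
class SigConfig:
    min_hits: int = 1           # hits from one source before the first alarm
    exclude_src: list = field(default_factory=list)  # networks never alarmed on
    alarm_interval: int = 0     # summarization window (s); 0 = alarm on every hit
    choke_threshold: int = 100  # hits inside a window that force a summary now

class Tuner:
    def __init__(self, config):
        self.config = config              # signature name -> SigConfig
        self.hits = defaultdict(int)      # (sig, src) -> hits counted toward MinHits
        self.window = {}                  # (sig, src) -> [window start, hits since]
        self.alarms = []

    def _flush(self, key, ts):
        start, count = self.window.pop(key)
        if count:
            self.alarms.append(Alarm(ts, key[0], key[1], "summary", count))

    def _open(self, key, ts):
        self.alarms.append(Alarm(ts, key[0], key[1], "alarm", 1))
        self.window[key] = [ts, 0]

    def feed(self, ev):
        cfg = self.config.get(ev.sig, SigConfig())
        if any(ip_address(ev.src) in ip_network(n) for n in cfg.exclude_src):
            return                                # policy exception: never alarm
        key = (ev.sig, ev.src)
        self.hits[key] += 1
        if self.hits[key] < cfg.min_hits:
            return                                # below MinHits: keep counting
        if key not in self.window:
            self._open(key, ev.ts)                # first alarm goes out immediately
        elif ev.ts - self.window[key][0] >= cfg.alarm_interval:
            self._flush(key, ev.ts)               # window expired: send its summary
            self._open(key, ev.ts)
        else:
            self.window[key][1] += 1
            if self.window[key][1] >= cfg.choke_threshold:
                self._flush(key, ev.ts)           # high-water mark: summarize now
                self.window[key] = [ev.ts, 0]

    def finish(self, ts):
        for key in list(self.window):
            self._flush(key, ts)
        return self.alarms

def run(events, config):
    """Feed the stream in time order and return the alarm records produced."""
    tuner = Tuner(config)
    events = sorted(events, key=lambda e: e.ts)
    for ev in events:
        tuner.feed(ev)
    return tuner.finish(events[-1].ts)

def t_ids(events, alarms):
    """T_IDS = (F_alarms + F_neg) / A_Total. False alarm: an alarm record for a
    (sig, src) with no malicious events. False negative: a malicious event whose
    (sig, src) never produced an alarm."""
    malicious = {(e.sig, e.src) for e in events if e.malicious}
    alarmed = {(a.sig, a.src) for a in alarms}
    f_alarms = sum(1 for a in alarms if (a.sig, a.src) not in malicious)
    f_neg = sum(1 for e in events if e.malicious and (e.sig, e.src) not in alarmed)
    return (f_alarms + f_neg) / len(events)

def sample_events():
    """Constructed stream: the management station's scheduled sweep (benign by
    policy), one stray ping from a workstation, an outside host sweeping the DMZ."""
    sweep = "ICMP Network Sweep"
    ev = [Event(t, sweep, "10.0.0.5", False) for t in range(20)]
    ev.append(Event(30, sweep, "10.1.1.7", False))
    ev += [Event(100 + t, sweep, "192.0.2.66", True) for t in range(150)]
    return ev

def tuned_config():
    """Sweeps alarm, except from the (constructed) management network 10.0.0.0/24."""
    return {"ICMP Network Sweep": SigConfig(min_hits=5, exclude_src=["10.0.0.0/24"],
                                           alarm_interval=60, choke_threshold=50)}

if __name__ == "__main__":
    evs = sample_events()
    for label, cfg in (("untuned", {}), ("tuned", tuned_config())):
        out = run(evs, cfg)
        print(f"{label}: {len(out)} alarm records, T_IDS = {t_ids(evs, out):.3f}")
```

With the default (untuned) configuration every one of the 171 events becomes an alarm record; the tuned configuration reduces the same stream to four records and no false alarms or false negatives.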
Customizing Your Signatures
• Customize vendor-provided signatures
• New environment specific signatures can be created
• Cisco Custom Signature configuration tasks:
Select the signature micro-engine that best meets your requirements
Enter values for the signature parameters that are required and meet your requirements
Save and apply the custom signature to the sensor
• Signature customization is not trivial
Writing signatures requires detailed knowledge of the attack; “loose” signatures will generate false positives, and mistakes might result in false negatives
Test, test and test again before you deploy
Host Agents
Agenda
• Host Agents and the Security Architecture
Capabilities of a host agent
• Cisco Security Agent Architecture
Policy, Rules, and Anomalies
• Server Selection and Deployment Techniques
Which Servers Are Candidates for Deployment?
Initial Configuration and Tuning Techniques
Host IDS in the Security Architecture
• Host-based agents installed on a specific host
Can be based on behavioral/anomalies, signatures, file system integrity checking, and/or system event analysis
• Can provide:
Event visibility and analysis
Buffer overflow protection
Malicious code protection
OS lockdown
• Endpoint security: Host IDS and…
Personal firewalls?
Anti-virus?
Host IDS: System Level Architecture
• Agents
Some products provide server-specific and desktop-specific agents
Some products provide application-specific agents (such as web-server, or database)
Agents are specific to a particular OS
• Management Console
Required to communicate with and manage the agents
Tends to have significant scalability requirements
Beginnings of correlation facilities appearing in the management stations
Cisco Security Agent Architecture
• Rules-based architecture; static and dynamic rules (behavioral)
• Composed of a set of “interceptors”
COM Component Interceptor
Network Application Interceptor
Network Traffic Interceptor
File Interceptor
Registry Interceptor
• Other components: Rule/Event Correlation Engine, Local Event Manager, Agent Policy Manager
Agent Architecture: Windows
[Diagram: the interceptors (COM Component, Network Application, Network Traffic, File, Registry) sit between applications such as Word, Install and Internet Explorer and the TCP/IP stack, NIC, disk and system; the Rule/Event Correlation Engine, Agent Policy Manager and Local Event Manager take policies from the Management Console and send log and event notifications to the Management Console; Internet/Intranet connectivity shown via the NIC]
Agent Architecture: Rules
• Agent architecture based around a series of rules guiding behavior passing through an interceptor
e.g. Internet Explorer is not allowed to access the memory space of Word (or any other application)—stops many buffer overflows
• A series of default rule profiles ship with the product
90% of the time, these rule-sets are sufficient to meet a security policy requirement
• Rules can be custom built on the management console, or “learned” through behavioral analysis
Deploying Host Agents: Server Selection and Critical Assets
• Which servers to protect?
Servers that can receive external connections from unknown parties
Servers that perform services critical to business continuity
Servers that receive traffic that can’t be monitored through other means
SSL
Policy Deployment on Agents: Grouping
• Some products allow for host groupings
Simplifies policy deployment through grouping similar hosts into a larger policy group
• For large scale deployments, this can be a significant benefit
[Diagram: example policy groups: Call Manager; ERP; Internal Web Development Servers]
Initial Configuration and Tuning
• Initial configuration is very agent/vendor specific
Most agents install with a default secure configuration, but check specifics
• Host agents can need tuning to specific environment, just like network sensors (particularly signature-based agents)
• Recommend using similar techniques as network sensors
Install in environment
Monitor for a week
Tune signatures and responses based on results
Response Actions and Updates
• Agents can actively alert on suspicious actions
• In certain cases, agents can actually prevent intrusions before they occur by not allowing the triggering action
• For signature-based agents: Signature response is only as current as database
Ensure agent signature files are kept up to date
Management Considerations
Agenda
• Management Paradigms
One Device vs. Many
• Secure Management Guidelines
Protecting the Management Network
• Scaling IDS Management
Alarm Aggregation, Data Reduction
Device, Network, Console, and User Level
Management Paradigms
Device-Level Management
• Small deployments
1–5 sensors
• Low alarm rates
Multi-Device Management
• Medium/large deployments
Many sensors
• High alarm rates
Secure Management Guidelines: Secure Management Out of Band
• Monitoring and Management Network Segment
• A conceptual air gap between IDS and Management segment provides the most security
[Diagram: Attacker on the Internet; Inside, DMZ and Mgmt segments, with the management segment kept separate from the monitored segments]
When Out of Band Management Isn’t Possible
• When an “air-gapped” management subnet isn’t possible:
Encrypt all in-band communications (SSH, SSL, or IPSec)
Firewall all access points to the Management Network
• Use an IPSec tunnel between network devices when traversing “untrusted” networks
Aggregate multiple sensors through one tunnel
In-band Management through Tunnels
• Firewall brokers connection from inside to Management Segment
• Encrypted tunnels terminated at firewall or at Management Station
[Diagram: Inside, DMZ, Internal Network and Mgmt segments joined through the firewall]
The Intrusion Detection Challenge: Turning Data into Information
• Intrusion detection systems have a (somewhat well deserved) reputation for being very noisy
• If not solved, this problem will eventually cripple the IDS network
• The challenge is to optimize the entire system to get the most usable information out
The Single Biggest Barrier to Large Scale IDS Deployments Is Dealing with All the Data They Generate
Scaling Intrusion Detection Management
• Scalability limitations:
Sensor-to-console ratio
Aggregate event rate
• Solutions:
Sensor/Agent Level: Use tuning and alarm validation techniques for data reduction
Network Level: Hierarchical deployment
Console Level: Event correlation, separate configuration, monitoring, and archive stations
User Level: Notification Services
Network Level: Hierarchical Management
• Local consoles managing local sensors—detailed analysis
• Global consoles managing high level, critical events—event correlation is important here
[Diagram: Local vs. Global Management Domains]
Console Level: Event Correlation
• Event Correlation: Combining multiple alarms into one meaningful security incident
• Many products trying to solve this problem
• While not completely “solved”, good steps have been made
Console Level: Archival/Trend Reporting Database
• Run on separate platform and database
• Determine how long you want to keep data
Regulatory or policy considerations
• Can import alarm data from log files on:
Sensors
Monitoring consoles
[Diagram: Event DBs behind a Real-Time GUI feed a separate Archive DB with its own Reporting GUI]
User Level: Scaling Monitoring
• Most products have some sort of notification feature
e.g., E-mail sent when event detected with some event information
• Use notifications to let you know something significant happened
Rule of thumb for pager notification: Only page you if it’s something you want to know about at 3am
• Then look at console for details
Web-based console functionality (e.g., Security Monitor) makes this easier
• Caution: Overuse of notifications can actually lead to a DoS effect on pager or mailer systems
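The following added example (not Cisco's code) walks constructed sample alarms through the scaling levels listed earlier (sensor-level data reduction, console-level correlation into incidents, user-level notification with the 3am rule and a page rate limit so a flood cannot DoS the pager). All names, sample addresses, signatures and severities are assumptions.

```python
# Added example, not Cisco's code: toy IDS alarm pipeline (sensor -> console -> user).
from collections import namedtuple
from dataclasses import dataclass, field
Alarm = namedtuple("Alarm", "t sensor sig sev src dst")   # t = seconds
@dataclass
class Incident:
    src: str; first: int; last: int; sev: int; count: int = 0
    dsts: set = field(default_factory=set)   # hosts the source touched
SCANNER = "10.1.1.5"   # constructed: the corporate vulnerability scanner
ALARMS = [Alarm(*r) for r in [   # constructed sample alarms from two sensors
    (0,   "edge-1", "port sweep",    3, SCANNER,        "192.0.2.10"),
    (30,  "edge-1", "web traversal", 4, "198.51.100.7", "192.0.2.10"),
    (40,  "dc-1",   "web traversal", 4, "198.51.100.7", "192.0.2.20"),
    (700, "dc-1",   "ICMP sweep",    1, "203.0.113.4",  "192.0.2.20"),
    (820, "edge-1", "web traversal", 4, "203.0.113.9",  "192.0.2.10"),
    (830, "edge-1", "web traversal", 4, "203.0.113.10", "192.0.2.10"),
]]
SUPPRESS = {("port sweep", SCANNER)}   # tuned out after alarm validation

def reduce_alarms(alarms, suppress):
    """Sensor level: drop alarms validated as benign, e.g. the scanner's sweeps."""
    return [a for a in alarms if (a.sig, a.src) not in suppress]

def correlate(alarms, window=300):
    """Console level: one incident per source, split when alarms are > window s apart."""
    incidents, open_by_src = [], {}
    for a in sorted(alarms, key=lambda a: a.t):
        inc = open_by_src.get(a.src)
        if inc is None or a.t - inc.last > window:
            inc = open_by_src[a.src] = Incident(a.src, a.t, a.t, a.sev)
            incidents.append(inc)
        inc.last, inc.sev, inc.count = a.t, max(inc.sev, a.sev), inc.count + 1
        inc.dsts.add(a.dst)
    return incidents

def notify(incidents, page_sev=4, max_pages=2, hour=3600):
    """User level: page only what is worth a 3am wake-up, cap pages per hour
    so an alarm flood cannot DoS the pager/mailer, console for the rest."""
    actions, paged = [], []
    for inc in incidents:
        if inc.sev < page_sev:
            actions.append(("console", inc.src))
            continue
        paged = [t for t in paged if inc.first - t < hour]   # sliding hour
        if len(paged) < max_pages:
            paged.append(inc.first)
            actions.append(("page", inc.src))
        else:
            actions.append(("page_suppressed", inc.src))   # still on console
    return actions
```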
Case Studies
Internet Edge
[Diagram: Internet edge topology]
• What sort of traffic is being monitored?
• Where to place network sensors?
• Which servers are candidates for agents?
• How do I tune to the environment?
• What level of sensitivity on the sensors?
• What is the connectivity to the management network?
Corporate Data Center
• What sort of traffic is being monitored?
• Where to place network sensors?
• Which servers are candidates for agents?
• How do I tune to the environment?
• What level of sensitivity on the sensors?
• What is the connectivity to the management network?
Internet Data Center
• What sort of traffic is being monitored?
• Where to place network sensors?
• Which servers are candidates for agents?
• How do I tune to the environment?
• What level of sensitivity on the sensors?
• What is the connectivity to the management network?
Closing
Intrusion Detection in the Comfort of Your own Home…
Further Reading
• Cisco IDS product documentation: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/index.htm
• Cisco IDS Discussion Forum: http://www.cisco.com/go/netpro
• Proactive Field Notices Tool for signature updates: http://www.cisco.com/cgi-bin/Support/FieldNoticeTool/field-notice
• Document describing SPAN functionality on Cisco switches: http://www.cisco.com/warp/public/473/41.html
• Cisco SAFE Blueprint: http://www.cisco.com/go/safe
• Cisco Security Advisories (includes a number of security documents): http://www.cisco.com/warp/public/707/advisory.html
• Vulnerability information: http://www.cisco.com/go/csec, http://www.cert.org/, http://www.securityfocus.com, http://whitehats.com, http://www.incidents.org
• Ethereal tool to view IP Session Logs: http://www.ethereal.com
Summary
• Intrusion Detection is a mature yet still evolving field of technology
• Effective deployment strategies are critical to the successful implementation of the technology
• Intrusion Detection has become a key component of a defense in depth strategy