Copyright © 2006 Stonesoft Corp. Confidential, All rights reserved. Slide 1
StoneGate IPS 4.3 Technical Overview
Javier Larrea Jaspe
April 22, 2023
What is StoneGate IPS? High availability & performance IPS

[Diagram: valid traffic and malicious traffic (spyware, adware, worms, Trojans, DoS) enter the Stonesoft Intrusion Prevention System; only valid traffic leaves it.]

• 10 Gigabit inline throughput
• High availability & clustering
• Scalable solution
• Centralized and distributed management
• Accurate and flexible detection
• Protects: applications, operating systems, network infrastructure, network efficiency
• AUP
StoneGate IPS Protection

Infrastructure & Applications
Detects and prevents: attacks against vulnerable applications or operating systems, switches, routers, ...; worms; viruses; DoS and DDoS; unauthorized access; event counting and thresholds.
Enabling: perimeter protection; protection of internal networks; virtual patching, which changes the need to schedule frequent maintenance windows.

Performance and network efficiency
Detects and prevents: use of P2P applications; spyware, adware and malware; messaging, streaming, tunneling, ...
Enabling: avoiding degradation of network performance; protecting critical traffic; having visibility of what is happening.
StoneGate IPS Architecture
StoneGate IPS Features

Feature: Advantage
• Inline attack blocking & hybrid mode: proactive connection blocking in transparent mode and, at the same time, passive mode.
• Accurate sensor methods: elimination of false positives.
• Event correlation: more intelligence in detection.
• Very granular security policy manager: allows very fine tuning, and lets you build anything from the simplest to the most complex configurations in a simple way.
• Preemptive protection: early detection of attacks, exploits or worms not identified until now.
• HTTPS protection (v5.0): detection of malicious traffic in HTTPS.
• Centralized management: reduced deployment and maintenance costs (TCO, TCA) in distributed sensor deployments.
• Information management tools: turn data into understandable and manageable information.
• High availability: every StoneGate IPS element has this capability, avoiding single points of failure. Also tolerance to hardware failures.
Sensor Configurations
• Implementation: the sensor operates simultaneously in IDS mode and inline IPS mode.
• 802.1q: the sensor can have several interfaces for traffic capture and inline mode.
Inline IPS L2-L7 filtering

[Diagram: State Table and Access Rules. Access Rule actions: Allow (inspect), Allow, Discard, Terminate, and Permit (no match). An existing connection under inspection continues to the Inspection Rules.]
Accuracy in detection methods: StoneGate IPS Detection Methods
• Detection methods: malicious traffic; protocol validation; DoS detection; scan detection; event correlation
Event correlation: Analyzer Detection Methods
• Event compression (log flooding)
• Counting and thresholds
• Event correlation
• Detection of complex and/or successful attacks

[Diagram: sequence correlation and group correlation, each producing an Alert.]
Granular policy management: Inspection Rules
• Inspection Rules: layer 7 inspection policy. Here you specify the actions the IPS will take (accept, terminate, alert, blacklist, ...) based on the detected event.
Deep inspection and protection. Fast implementation and flexibility.
Centralized management - SMC: Hierarchical Policies
Many concepts to keep your policies easy to understand
• Security policies are based on templates
• Policies follow the template changes automatically
• Main policy can contain jumps to Sub-Policies
• By using aliases you can use the same policy for several engines.
Centralized management - SMC: Efficient Policy Management
Many tools to ensure your policies are up-to-date
• Rule Search tool helps you to find the rules
• Policy Validation tool identifies the potential problems with your policies
• Policy Comparison tool enables you to review the changes since the last upload
• Policy Snapshots enable you to review the old configurations per engine
• Rule meta data lets you know about the history of each rule
Preemptive protection: the Downadup worm case

The Downadup worm is a nasty case. It has three spreading vectors and it can update itself. The attack vectors are:
• Exploiting the MS08-067 MSRPC vulnerability.
• Brute-forcing the administrator password by connecting to the $ADMIN share.
• Copying itself to removable media such as USB sticks. When the removable media is connected to a computer, the worm is run via the Windows autorun feature.

[Diagram: switches connected through StoneGate IPS (Access Control + Inspection).]

The StoneGate IPS can block all attacks against the MSRPC vulnerability. In fact, we had pre-emptive protection against this vulnerability: the fingerprint situation blocking exploits against vulnerability MS06-040, released in 2006, also protected the MS08-067 vulnerability. So hosts protected by an inline SGIPS with the default policy cannot be exploited by Downadup.

The StoneGate IPS is also able to detect brute force attacks against Windows shares, such as the $ADMIN share. Although the default action for the situation "Analyzer SMB Brute Force Attack detected" is an alert, it is possible to configure a blacklisting response to this situation, limiting the worm's brute force attempts.
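The Analyzer's counting-and-thresholds and log-flood compression (from the Analyzer Detection Methods slide) and the alert-versus-blacklist response for the SMB brute force situation (this slide), modelled as an added Python example; this is not Stonesoft code, and the event records, the threshold of 5 failures per 60 seconds and the event names are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample events (not real StoneGate log records): (timestamp s, src, dst, situation).
# 10.0.0.5 fails eight SMB logins in 14 seconds; 10.0.0.9 fails only twice.
SAMPLE_EVENTS = [(t, "10.0.0.5", "10.0.1.20", "SMB Login Failure") for t in range(0, 16, 2)]
SAMPLE_EVENTS += [(3, "10.0.0.9", "10.0.1.20", "SMB Login Failure"),
                  (40, "10.0.0.9", "10.0.1.20", "SMB Login Failure")]

class Analyzer:
    """Toy count-and-threshold correlator with log-flood compression (hypothetical parameters:
    `threshold` events from one source within `window_s` seconds; `response` "alert" or "blacklist")."""
    MATCH = "SMB Login Failure"
    SITUATION = "Analyzer SMB Brute Force Attack detected"

    def __init__(self, threshold=5, window_s=60, response="alert"):
        self.threshold, self.window_s, self.response = threshold, window_s, response
        self.recent = defaultdict(deque)    # src -> timestamps still inside the window
        self.last_alert = {}                # src -> timestamp of the currently open alert
        self.suppressed = defaultdict(int)  # src -> events folded into the open alert
        self.alerts = []                    # (ts, src, dst, situation) actually emitted
        self.blacklist = set()              # sources that received the blacklist response

    def feed(self, ts, src, dst, situation):
        """Process one event (events must arrive in time order); return the alert emitted, or None."""
        if src in self.blacklist or situation != self.MATCH:
            return None                     # dropped source, or not the event we count
        window = self.recent[src]
        window.append(ts)
        while ts - window[0] > self.window_s:   # slide the window forward
            window.popleft()
        if len(window) < self.threshold:
            return None
        if src in self.last_alert and ts - self.last_alert[src] <= self.window_s:
            self.suppressed[src] += 1       # compression: count the repeat instead of re-alerting
            return None
        alert = (ts, src, dst, self.SITUATION)
        self.alerts.append(alert)
        self.last_alert[src] = ts
        if self.response == "blacklist":
            self.blacklist.add(src)         # later events from src are dropped outright
        return alert

def run(events, response="alert"):
    """Feed events in time order; return (alerts, suppressed counts per source, blacklist)."""
    analyzer = Analyzer(response=response)
    for event in sorted(events):
        analyzer.feed(*event)
    return analyzer.alerts, dict(analyzer.suppressed), analyzer.blacklist
```

With the default "alert" response the eight failures from 10.0.0.5 produce one alert and three compressed repeats; with "blacklist" the same alert is raised and the source is dropped from then on.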
HTTPS Inspection
• Server & client side protection
• Detection and blocking of attacks against HTTPS servers
• Inspection of SSL traffic
• Requires the use of certificates on the IPS
Protection against SSL-encrypted attacks on servers and clients
Centralized management - SMC: Overview of installed base
Information management: Recursive event analysis
Information management: One click details about relevant events
Information management: Summarizing data at different levels
Information management: Geographical Resolving of IP Addresses
See where the attacks are coming from
• View top rate statistics as a map and see where the IP addresses are located
• Map diagram type is available even with live Overview statistics
• View the city and country information directly in the log details
• Geolocation is resolved from an internal database
• Queries do not open any new connections!
Information management: Incident Management
Information management: Regulatory Compliance
HA & Clustering: Bypass Network Interfaces
Failsafe inline operation
• Bypass NICs switch to bypass state in case of a critical failure
  • Power failure
  • Software failure (offline)
• Bypass available for all models
  • IPS-400 (2 x bypass NICs)
  • IPS-2000 (4 x bypass NICs)
  • IPS-6000 (8 x bypass NICs)
HA & Clustering: External HA / Load balancing
Load balancing for inline IPS
• HA and load balancing for inline IPS engines with Etherchannel
• Access control and inspection for core networks
• Serial cluster for version 4.2

[Diagram: two switches joined by an Etherchannel through StoneGate IPS (Access Control + Inspection).]
HA & Clustering: Inline IPS Serial Cluster
• Scalability of IPS performance
• Provides HA in inspection
• Improves TCO
• 10 Gbit networks
ICSA Labs Certification
StoneGate IPS Appliances H1 2009

Appliance model                 IPS-1030                IPS-1060/P                                   IPS-6000/6100                     IPS-6105
Targeted for                    Branch offices with     Sites with fast external connectivity,       Internal networks, server         Internal networks, server
                                Fast Ethernet networks  DMZs, and internal networks where the        segments, backbones,              segments, backbones,
                                                        amount of traffic is less than 600 Mbps      core networks                     10 Gb core networks
Performance (Mbit/s)            200                     350/600                                      2000/4000                         10 Gbps
Bypass interface pairs          2                       2                                            4/8                               1 x 10 Gbps; opt. 4 x 1 Gbps & 2 x 10 Gbps
Concurrent connections          >300.000                1.500.000                                    1.500.000                         1000.000
New connections/s               15.000                  15.000                                       40.000                            >120.000
HTTPS inspection client/server  Yes/Yes                 Yes/Yes                                      No                                Yes/Yes
HTTPS inspection performance    40 Mbit/s               60 Mbit/s                                    n/a                               1 Gbit/s
Appliance chassis               1U, short               1U, short                                    3U                                3U