
Intrusion Detection & Response: Leveraging Next-Generation Firewalls


Page 1: Intrusion Detection & Response: Leveraging Next-Generation Firewalls

SANS Technology Institute - Candidate for Master of Science Degree

Intrusion Detection & Response: Leveraging Next-Generation Firewalls

Ahmed Abdel-Aziz, November 2009

GIAC (GCIA, GCIH, GSNA, GCUX, GWAPT), CISSP

Page 2

Objective

1) Describe Recent Threat Trends & Security Statistics

2) What are Next-Generation Firewalls (NGFWs)

3) How to Leverage NGFWs in Intrusion Detection (NGFWs in Bot Detection & Extrusion Detection)

4) How to Leverage NGFWs in Intrusion Response (NGFWs in Incident Handling, NAC, and Application Enforcement)

5) Important Planning Considerations

Page 3

Threat Trends & Security Statistics

• Bots Increasing – Trojan variants spiked 300% from 2007 to 2008 [source: McAfee Virtual Criminology Report, 2008]

• Compromise Discovery takes at least months, 65% of the time

• Responding to Compromise takes at least weeks, 63% of the time

[source: Verizon Business, 2008 Data Breach Investigations Report]

• NGFWs Can Significantly Reduce Compromise Discovery (specifically Bot detection) & Response Times.

Section 1 of 5

Page 4

NGFWs – The Evolution

• NGFWs Incorporate Multiple Security Services

• NGFWs Not a Solution to Every Problem (examples):
  – Use WAF for web application attacks (XSS, SQL Injection, etc.)
  – Use dedicated email security solution for advanced spam filtering

• Firewalls Typically a Prevention Control; NGFWs Can Also Become a Detection & Reactive Control – More Effective, Simpler, and Economical Security

Section 2 of 5

Page 5

NGFWs in Bot Detection

• What Bots Do:
  – Steal Sensitive Info
  – Send Spam, Act as Proxy
  – Execute DDoS & Other Attacks

Bot Detection Techniques:

• (1) Detection by Using NIPS Component of NGFW
  – NIPS Blocks Attacks Originating from Internal Bots
  – NIPS Cuts Communication Between Bot & its Command-and-Control (C&C) Server using Known Traffic Signatures (Popular Bots Only, Unencrypted Communication Only)

Section 3 of 5 (Intrusion Detection)

Page 6

NGFWs in Bot Detection Continued

• (2) Detection by Blocking Protocol Used in Command-and-Control (C&C)
  – Stop Storm Bot Updates by Blocking eDonkey P2P Protocol
  – Configured in Fortinet Technology using a Protection Profile

• (3) Detection by Logging Violations & Audit Trail
  – Add Explicit Deny Rule at End of Firewall Policy for Logging
  – Tighten Outgoing Firewall Policy Too – Not Just Incoming
  – Network Audit Trail for Traffic Flow Analysis – Anomalies? (Malware Can be Detected Without Antivirus, Interesting!)

Section 3 of 5 (Intrusion Detection)

Page 7

NGFWs in Bot Detection Continued

• (4) Detection by Filtering Malicious Content in Traffic
  – Leverage Perimeter Antimalware, Antispam, URL Filtering
  – Configured in Fortinet Technology Using a Protection Profile
  – Use SSL Inspection for Network Encrypted Protocols: HTTPS, SMTPS, POPS, IMAPS

• (5) Detection Using DNS Based Techniques
  – High Number of MX DNS Requests From Non SMTP Server
  – Same DNS Request From Many Internal Hosts At Same Time
  – Very Small TTL Values in DNS Replies (Fast Flux)
  (What’s in Common? … DNS Anomalous Traffic)

Section 3 of 5 (Intrusion Detection)
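The three DNS indicators on this slide, written out as detection logic that runs over a DNS query log. This is an added example, not code from the presentation or from any firewall vendor: the log line format, the thresholds, the set of hosts allowed to issue MX lookups, and the sample lines themselves are all constructed assumptions for illustration.

```python
"""DNS anomaly checks for bot detection (added example, not from the slides).

Implements the three indicators named on the slide as functions run over a
constructed DNS log. Log format, thresholds, MAIL_SERVERS and the sample
lines are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not a capture from any real resolver. Assumed format:
# "<ISO-8601 time> <client IP> <query type> <query name> ttl=<reply TTL>"
SAMPLE_DNS_LOG = """\
2009-11-02T10:00:01 10.1.1.5 MX partner.example.com ttl=3600
2009-11-02T10:00:02 10.1.1.5 MX example.org ttl=3600
2009-11-02T10:00:05 10.1.1.25 MX example.org ttl=3600
2009-11-02T10:00:05 10.1.1.25 MX example.net ttl=3600
2009-11-02T10:00:06 10.1.1.25 MX mail.example.com ttl=3600
2009-11-02T10:00:06 10.1.1.25 MX example.edu ttl=3600
2009-11-02T10:00:07 10.1.1.25 MX example.co.uk ttl=3600
2009-11-02T10:01:10 10.1.1.40 A www.example.com ttl=3600
2009-11-02T10:03:40 10.1.1.41 A www.example.com ttl=3600
2009-11-02T10:05:00 10.1.1.31 A cc.badflux.example ttl=120
2009-11-02T10:05:01 10.1.1.32 A cc.badflux.example ttl=120
2009-11-02T10:05:02 10.1.1.33 A cc.badflux.example ttl=120
2009-11-02T10:07:30 10.1.1.42 A www.example.com ttl=3600
"""

# Hosts that legitimately resolve MX records (assumed: the mail relay only).
MAIL_SERVERS = {"10.1.1.5"}


def parse_dns_log(text):
    """Parse the assumed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].startswith("ttl="):
            continue
        ts, client, qtype, qname, ttl = parts
        records.append({
            "time": datetime.fromisoformat(ts),
            "client": client,
            "qtype": qtype.upper(),
            "qname": qname.lower().rstrip("."),
            "ttl": int(ttl[4:]),
        })
    return records


def mx_from_non_mail_hosts(records, threshold=5):
    """Indicator 1: a workstation has no reason to resolve MX records; a
    spambot delivering mail directly resolves many of them."""
    counts = defaultdict(int)
    for r in records:
        if r["qtype"] == "MX" and r["client"] not in MAIL_SERVERS:
            counts[r["client"]] += 1
    return {host: n for host, n in counts.items() if n >= threshold}


def synchronized_lookups(records, window=timedelta(seconds=5), min_hosts=3):
    """Indicator 2: the same name resolved by several internal hosts within
    a short window, typical of bots polling a C&C name on a shared timer."""
    by_name = defaultdict(list)
    for r in records:
        by_name[r["qname"]].append((r["time"], r["client"]))
    findings = {}
    for qname, events in by_name.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            hosts = {client for t, client in events[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts and len(hosts) > findings.get(qname, 0):
                findings[qname] = len(hosts)
    return findings


def low_ttl_replies(records, max_ttl=300):
    """Indicator 3: very short TTLs let a fast-flux network rotate the
    addresses behind a C&C name; returns the affected names, deduplicated."""
    return sorted({r["qname"] for r in records if r["ttl"] <= max_ttl})


def run_all(text):
    records = parse_dns_log(text)
    return {
        "mx_from_non_mail_hosts": mx_from_non_mail_hosts(records),
        "synchronized_lookups": synchronized_lookups(records),
        "low_ttl_names": low_ttl_replies(records),
    }


if __name__ == "__main__":
    for indicator, hits in run_all(SAMPLE_DNS_LOG).items():
        print(f"{indicator}: {hits}")
```

Indicator 3 on its own is weak, since content delivery networks also publish short TTLs; in practice it is the combination of a low-TTL name with synchronized lookups from several internal hosts that is worth an analyst's time, which is why `run_all` reports all three side by side.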

Page 8

NGFWs in Extrusion Detection

• Basic Data Leakage Prevention
  – Prevent Confidential Documents Leakage Through HTTP
  – Achieved by Defining Watermark & Creating Custom IPS Rule
  – Sample Rule for Fortinet NGFW Below:

    config ips custom
        edit "DataLeakageThroughHTTP"
            set signature 'F-SBID( --name "DLP"; --dst_port 80; --flow bi_direction; --default_action drop; --protocol tcp; --pattern "Organization Confidential X!kltsrodm*(&!sldrk4#dk-+"; )'
        next
    end

  – Pattern Matching Only Sees Plaintext: Pair with SSL Inspection; a Compressed or Encrypted Archive Hides the Watermark

• Other Rules Can be Used to Detect Credit Card Numbers using Regular Expressions

Section 3 of 5 (Intrusion Detection)

Page 9

NGFWs in Incident Handling
Section 4 of 5 (Intrusion Response)

• Security Incident Took Place While On-site (Process Proved Effective in Responding to Spambot)

• (1) Identification Phase – Incident Handling Process
  – Users Suddenly Unable to Send Email to Any Destination
  – nslookup & telnet to Send Email: SMTP Connection Rejected
  – Public IP Blacklisted as Spam Sender
  – Sudden Spike in Email Activity: Spambot on the Network

Page 10

NGFWs in Incident Handling Continued

• (2) Containment Phase – Incident Handling Process
  – Block All Outgoing TCP/25 Except from Mail Server
  – Spambots on Network Unable to Send More Spam; Damage Already Done (Public IP has been Blacklisted)

• (3) Eradication Phase – Incident Handling Process
  – Goal: Remove Attacker’s Artifacts
  – Spambots Detected by Logging Violations to TCP/25 Rule Configured in Containment: 12 Spambots Detected!
  – Eradication Needs Time: Disconnect Bots, Move to Recovery

Section 4 of 5 (Intrusion Response)
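How the containment rule doubles as the detector: the deny rule for outbound TCP/25 logs every violation, and the distinct source addresses in those log lines are the spambot list the slide refers to. The same parsing serves technique (3) from the bot-detection section, the explicit logged deny at the end of the outbound policy. This is an added example, not code from the presentation or from any firewall vendor; the key=value log format is a constructed approximation of a perimeter firewall's traffic log, and the policy IDs, addresses and sample lines are assumptions.

```python
"""Outbound-policy violation triage from firewall deny logs (added example,
not from the slides). Serves technique (3), the explicit logged deny rule,
and the containment/eradication steps of the spambot incident.

Assumed: a key=value traffic-log format loosely modelled on firewall syslog
output; policy IDs, addresses and the lines below are constructed.
"""
from collections import defaultdict

# Constructed sample lines. Assumed policy numbering: 9 is the containment
# rule "deny outgoing TCP/25 except from the mail server", 99 is the explicit
# logged deny at the end of the outbound policy, 8 permits the mail relay.
SAMPLE_FW_LOG = """\
date=2009-11-03 time=14:02:11 type=traffic action=deny srcip=10.1.1.77 dstip=203.0.113.10 dstport=25 proto=6 policyid=9
date=2009-11-03 time=14:02:12 type=traffic action=deny srcip=10.1.1.77 dstip=203.0.113.11 dstport=25 proto=6 policyid=9
date=2009-11-03 time=14:02:13 type=traffic action=deny srcip=10.1.1.77 dstip=203.0.113.10 dstport=25 proto=6 policyid=9
date=2009-11-03 time=14:02:14 type=traffic action=deny srcip=10.1.1.78 dstip=198.51.100.7 dstport=25 proto=6 policyid=9
date=2009-11-03 time=14:02:15 type=traffic action=accept srcip=10.1.1.5 dstip=198.51.100.7 dstport=25 proto=6 policyid=8
date=2009-11-03 time=14:02:16 type=traffic action=deny srcip=10.1.1.90 dstip=203.0.113.12 dstport=25 proto=6 policyid=9
date=2009-11-03 time=14:02:17 type=traffic action=deny srcip=10.1.1.91 dstip=203.0.113.12 dstport=6667 proto=6 policyid=99
date=2009-11-03 time=14:02:18 type=traffic action=deny srcip=10.1.1.92 dstip=203.0.113.53 dstport=25 proto=17 policyid=99
"""

# The only host allowed to speak SMTP outbound (assumed address).
MAIL_SERVERS = {"10.1.1.5"}


def parse_kv_log(text):
    """Split each line into a dict of key=value fields; numeric fields cast."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        for key in ("dstport", "proto", "policyid"):
            if key in fields:
                fields[key] = int(fields[key])
        records.append(fields)
    return records


def smtp_policy_violators(records, exempt=MAIL_SERVERS):
    """Distinct internal sources denied on outbound TCP/25. Each is a spambot
    candidate; ranked by hit count, with the number of distinct destinations
    (direct-to-MX spam fans out to many)."""
    hits = defaultdict(lambda: {"hits": 0, "dsts": set()})
    for r in records:
        if (r.get("action") == "deny" and r.get("proto") == 6
                and r.get("dstport") == 25 and r.get("srcip") not in exempt):
            entry = hits[r["srcip"]]
            entry["hits"] += 1
            entry["dsts"].add(r["dstip"])
    return {
        src: {"hits": v["hits"], "distinct_dst": len(v["dsts"])}
        for src, v in sorted(hits.items(), key=lambda kv: -kv[1]["hits"])
    }


def catch_all_deny_hits(records, policy_id=99):
    """What the explicit end-of-policy deny logged: per source, the set of
    (dstip, proto, dstport) it attempted. This is the audit trail technique
    (3) relies on: an IRC port or an odd UDP service shows up here with no
    malware signature involved."""
    seen = defaultdict(set)
    for r in records:
        if r.get("action") == "deny" and r.get("policyid") == policy_id:
            seen[r["srcip"]].add((r["dstip"], r["proto"], r["dstport"]))
    return dict(seen)


if __name__ == "__main__":
    recs = parse_kv_log(SAMPLE_FW_LOG)
    print("spambot candidates:", smtp_policy_violators(recs))
    print("catch-all deny hits:", catch_all_deny_hits(recs))
```

The UDP/25 line is deliberately in the sample: it is caught by the catch-all deny, not by the SMTP containment rule, so it appears in `catch_all_deny_hits` but not in the spambot list. Filtering on protocol as well as port keeps the eradication list to hosts that actually attempted SMTP delivery.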

Page 11

NGFWs in Incident Handling Continued

Section 4 of 5 (Intrusion Response)

• (4) Recovery Phase – Incident Handling Process
  Action 1: Change the Mail Server’s Blacklisted Public IP
  – In Fortinet Technology, Feature is Called IP Pools
  – Changes the Source NAT Address for Outgoing Mail Only; Changing the Inbound Address Would Also Require Updating the DNS MX Record
  Action 2: Remove Public IP from Blacklists
  – Get Blacklists from MXtoolbox.com
  – Request Removal of IP

• (5) Lessons Learned Phase – Incident Handling Process
  – Duration from Identification to Recovery – Only one Hour!
  – Compare to Typical Intrusion Response Time of Weeks (Source: Verizon Business, 2008 Data Breach Investigations Report)

Page 12

NGFWs in Network Access Control

• Pre-Admission Network Access Control in NGFW
  – Checks for Existing, Running & Updated Endpoint Security Solution (Isolate Hosts with Compromised Endpoint Security Solution)
  – Pre-build Application White-list & Enable On-Demand (Isolate Hosts with Unknown Applications Installed)

• Post-Admission Network Access Control in NGFW
  – Isolate Hosts that Originate Attacks Detected by NIPS
  – Isolate Virus Senders Detected by Antimalware
  – Isolate Hosts Violating Configured DLP Rules

• Allows Very Fast Response Time (Self-DoS Potential: a False Positive in Any of the Triggers Above Isolates a Legitimate Host, so Tune the Detections Before Enabling Automatic Isolation)

Section 4 of 5 (Intrusion Response)

Page 13

NGFWs in Application Enforcement

Section 4 of 5 (Intrusion Response)

• Enforcing Application Use
  – Only Windows Firefox Allowed as a Web Browser
  – IPS -ve Security Model Becomes +ve Security Model
  – Achieved by Creating Custom IPS Rule on NGFW
  – Sample Rule for Fortinet NGFW Below:

    config ips custom
        edit "NotFirefoxBrowserOnWindows"
            set signature 'F-SBID( --name "App Enforcement"; --service HTTP; --default_action drop; --flow established; --pattern "GET"; --context header; --pattern !"User-Agent: Mozilla/5.0 (Windows: U: Windows NT 5.1: en-us: rv:1.9.0.5) Gecko/2008120123 Firefox/3.0.5\r\n"; --context header; )'
        next
    end

  – Caveats: the Real Firefox User-Agent Separates its Fields with Semicolons, Which F-SBID Treats as Option Separators; the Rule Pins One Exact Browser Build, so Every Browser Update Needs a Rule Change; and the User-Agent Header is Set by the Client, so the Rule Stops Unmodified Other Clients, Not a Bot that Copies the Firefox String
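The two custom-IPS use cases on the slides, the DLP watermark and card-number check from the extrusion-detection slide and the browser allow-list from this one, share the same mechanics: parse the HTTP request, then apply body and header checks. The following is an added example in Python that shows that logic end to end; it is not the FortiGate signatures and not code from the presentation. The watermark string is the one from the slide's DLP rule; the allow-list regex generalizes the slide's single pinned build to Firefox 3.x on Windows NT 5.x in any locale, using the real semicolon-separated User-Agent layout; the minimal request parser, the Luhn filter and the sample requests are constructed assumptions.

```python
"""HTTP request inspection for the two custom-IPS use cases on the slides:
the DLP watermark / card-number check and the browser allow-list. Added
example, not the FortiGate signatures; parser, allow-list regex and sample
requests are assumptions for illustration.
"""
import re

# Watermark string taken from the slide's DLP signature.
WATERMARK = b"Organization Confidential X!kltsrodm*(&!sldrk4#dk-+"

# Positive security model: only this browser family passes. Generalises the
# slide's one pinned build to Firefox 3.x on Windows NT 5.x, any locale,
# using the real User-Agent layout (semicolon separated). Assumed pattern.
ALLOWED_UA = re.compile(
    rb"Mozilla/5\.0 \(Windows; U; Windows NT 5\.[12]; [A-Za-z-]+; "
    rb"rv:1\.9(?:\.\d+)*\) Gecko/\d+ Firefox/3\.\d+(?:\.\d+)*"
)

# Candidate primary account numbers: 13 to 19 digits with optional space or
# dash separators, not embedded in a longer digit run (hashes, timestamps).
PAN_CANDIDATE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn mod-10 check: the regex alone matches any 16-digit ticket number,
    the checksum removes most of those false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(body):
    """Return Luhn-valid card numbers (digits only) found in a request body."""
    hits = []
    for m in PAN_CANDIDATE.finditer(body):
        digits = re.sub(rb"[ -]", b"", m.group()).decode("ascii")
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def parse_request(raw):
    """Minimal HTTP/1.1 split: request line, lower-cased header map, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def inspect_request(raw):
    """Return ("DROP" | "PASS", reasons). Default-deny on the browser check
    (a missing User-Agent also fails), content checks on the body; every
    reason is kept so the log explains the verdict."""
    _request_line, headers, body = parse_request(raw)
    reasons = []
    if not ALLOWED_UA.fullmatch(headers.get(b"user-agent", b"")):
        reasons.append("user-agent not on allow-list")
    if WATERMARK in body:
        reasons.append("watermark present")
    pans = find_pans(body)
    if pans:
        reasons.append(f"{len(pans)} luhn-valid card number(s)")
    return ("DROP" if reasons else "PASS"), reasons


# Constructed requests, not captured traffic.
FIREFOX_UA = (b"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) "
              b"Gecko/2008120122 Firefox/3.0.5")
LEAK = (b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
        b"User-Agent: " + FIREFOX_UA + b"\r\nContent-Type: text/plain\r\n\r\n"
        b"Q3 numbers. Organization Confidential X!kltsrodm*(&!sldrk4#dk-+\r\n"
        b"card 4111-1111-1111-1111 ticket 1234567890123456\r\n")
OTHER_CLIENT = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
                b"User-Agent: curl/7.19.7\r\n\r\n")
CLEAN = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
         b"User-Agent: " + FIREFOX_UA + b"\r\n\r\n")

if __name__ == "__main__":
    for name, raw in (("leak", LEAK), ("other_client", OTHER_CLIENT), ("clean", CLEAN)):
        print(name, inspect_request(raw))
```

The `ticket 1234567890123456` token in the constructed body is there on purpose: the candidate regex matches it, the Luhn check rejects it, so only the real test card number is reported. As with the signature on the slide, all of this sees plaintext only, and the User-Agent check defeats unmodified other clients, not a bot that sends the Firefox string.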

Page 14

Important Planning Considerations

• Proper Product Selection & Sizing Key to Performance
  – Research Underlying HW Technology & SW Integration
  – Datasheet Figures not Enough; Check Independent Testing Lab Certification for Real-World Performance. Ex: NSS Labs Report on the FortiGate 3810A NGFW States “Sustained 270Mbps Throughput with all Security Services Enabled”

• Check Quality of Security Services Included in NGFW (ICSA Labs Certification for IPS, Firewall, AntiMalware, etc.)

• Avoid Single Point of Failure by Clustering; Decide whether to Fail Open or Closed (Balance Availability Need with Confidentiality & Integrity Need)

Section 5 of 5

Page 15

Summary

• Statistics Demonstrate Improvement Needed in Current State of Intrusion Detection & Response

• NGFWs Can be Leveraged to Significantly Improve Intrusion Detection & Response Times, Including Bot Intrusions

• Planning Deployment Critical to Reap Rewards

• Paper in SANS Reading Room Includes More Info: http://www.sans.org/reading_room/whitepapers/firewalls/intrusion_detection_and_response_leveraging_next_generation_firewall_technology_33053 or … search on “NGFW” in SANS site