
Intrusion Prevention

Presenter: Sherif Sadek Ali

1

Introduction

2

• Network security: the provisions and policies adopted by network administrators to prevent and monitor unauthorized access, misuse, modification, or denial of network resources.

• Intrusion: actions aimed at compromising, or gaining unauthorized access to, security assets.

• We need more than a firewall.

Need for Intrusion Detection

3

• What the firewall can’t see:
  - Signatures: based on current exploits (worms, viruses).
  - Detection of malware and spyware.
  - Malicious traffic detection, traffic normalization.

Need for Intrusion Detection

4

• What the firewall can’t see:
  - Zero-day exploits (XSS, SQL injection): not caught by signatures, not detected by normalization triggers, specific to custom applications.
  - Social engineering: verbal communication; malicious access via legitimate credentials.
  - Poor configuration management: misconfigurations allow simple access that is not detected, and increase the attack vectors.

Increased Visibility

5

Definition: IDS

6

Intrusion Detection System (IDS)

The ability to detect intruders in the network.

An IDS has sensors that monitor the traffic entering and leaving a firewall and report back to a central device for analysis (“promiscuous monitoring mode”).

Definition: IPS

7

Intrusion Prevention System (IPS): a technology that monitors network traffic and reacts immediately to block a malicious attack.

One of the major differences between a NIDS and a NIPS is location: the NIPS sits “in-line” at the firewall, on the traffic path, so it can block rather than only report.

Difference

8

Key Performance Metrics

9

• False Positive

• True Positive

• False Negative

• True Negative

How it Works: Detection Mechanisms

• Protocol Detection

• Signature Detection (Statically Based)

• Profile Detection (Statistically Based)

10

Signature Detection

[Figure: signature detection. Known intrusion patterns are matched against observed activities; a pattern match signals an intrusion.]

Example rule: if (src_ip == dst_ip) then “Attack”

11

Host Based IPS (HIPS)

[Figure: a HIPS runs on the host and collects operating system events and network packets.]

12

Anomaly Detection (Adaptive)

[Chart: activity measurements (CPU process size, scale 0–90) over time. A normal profile band is learned; measurements outside it are abnormal and indicate a probable intrusion.]

Anomaly detection (AD) also analyzes TCP/IP parameters: normalization, fragmentation/reassembly, and header and checksum problems.

It has a relatively high false positive rate: an anomaly can simply be a new, legitimate activity that the profile has not seen yet.

13
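As an added example that is not part of the slides, the following Python script combines the two mechanisms just described, the signature rule `if (src_ip == dst_ip)` from the Signature Detection slide and a statistical profile of CPU process size from the anomaly chart, runs them over constructed events, and tallies the four outcomes from the Key Performance Metrics slide. The IP addresses, measurements and the three-sigma threshold are invented for illustration.

```python
from statistics import mean, pstdev

# Constructed baseline of normal activity (CPU process size, as on the
# slide's chart), recorded while no intrusion is under way. Invented values.
BASELINE = [30, 32, 31, 29, 33, 30, 28, 31, 32, 30]

# Constructed events to classify: (src_ip, dst_ip, process_size, is_intrusion).
# The last field is ground truth used only for scoring, never by the detectors.
EVENTS = [
    ("10.0.0.5", "10.0.0.9", 31, False),
    ("10.0.0.7", "10.0.0.7", 30, True),   # src == dst: the slide's signature rule
    ("10.0.0.8", "10.0.0.9", 85, True),   # far outside the normal profile
    ("10.0.0.6", "10.0.0.9", 60, False),  # legitimate spike: a "new normal" activity
    ("10.0.0.3", "10.0.0.9", 31, True),   # zero-day: no signature, looks normal
    ("10.0.0.4", "10.0.0.9", 32, False),
]

def signature_match(src_ip, dst_ip):
    """Signature detection as written on the slide: if src_ip == dst_ip then "Attack"."""
    return src_ip == dst_ip

def build_profile(measurements):
    """Profile (statistical) detection: learn the mean and spread of normal activity."""
    return mean(measurements), pstdev(measurements)

def anomaly_match(value, profile, threshold=3.0):
    """Flag a measurement more than `threshold` standard deviations from the profile."""
    mu, sigma = profile
    return abs(value - mu) > threshold * sigma

def classify(events, profile):
    """Run both mechanisms on each event; return (alert, is_intrusion) pairs."""
    return [(signature_match(src, dst) or anomaly_match(size, profile), truth)
            for src, dst, size, truth in events]

def metrics(results):
    """Tally the four outcomes from the Key Performance Metrics slide."""
    counts = {"TP": 0, "FP": 0, "FN": 0, "TN": 0}
    for alert, truth in results:
        counts[("T" if alert == truth else "F") + ("P" if alert else "N")] += 1
    return counts

if __name__ == "__main__":
    # Expected: {'TP': 2, 'FP': 1, 'FN': 1, 'TN': 2}; the FP is the benign spike
    # (the slide's "new normal"), the FN is the zero-day that no mechanism sees.
    print(metrics(classify(EVENTS, build_profile(BASELINE))))
```

The one false positive and one false negative are deliberate: they are the two failure modes the surrounding slides describe, an unseen legitimate activity and a zero-day with no signature.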

Challenges: How Attackers Evade Detection

• Overwhelm by Flooding.

• Disguise by Fragmenting.

• Hide by Encrypting.

• Confuse by Obfuscation.

14

New Approach

• Behavior: detect anomalies in configuration, connections and data flow.

• Network: know what’s there, what’s vulnerable, and what’s under attack.

• Application: identify change and enforce policy on hundreds of applications.

• Identity: know who is doing what, with what, and where.

15

Next-Generation IPS

• New Hardware Design

• Intelligent Correlation to the Target

• Intelligent Anomaly Detection

• Intelligent Application Violation

• Global Network Threat Intelligence & Correlation

16

Intelligent Correlation to the Target

[Diagram: four IPS sensors reporting to a Management Center, in front of a Linux server (not vulnerable) and a Windows server (vulnerable). The attack is blocked and the event logged.]

The latest Windows attack targets both the Microsoft Windows Server and the Linux Server. Attacks are correlated to their targets: the Linux server is not vulnerable, the Windows server is, so a high-priority event is generated for the Windows Server target.

17

Intelligent Anomaly Detection

[Diagram: IPS sensors reporting to a Management Center; compromised hosts show abnormal behavior, which is logged and raises alerts; IT remediates the hosts.]

A new rogue host connects internally. The IPS sensor detects the new host (“New Asset Detected”) and abnormal server behavior (“Abnormal Behavior Detected”). The Management Center triggers alerts for IT to remediate.

18

Intelligent Application Violation

[Diagram: IPS sensors reporting to a Management Center; a P2P application triggers a whitelist violation; a compliance event is logged and the user identified; IT contacts the user.]

The security team uses compliance whitelists to detect IT policy violations. A host is detected using Skype; the user is identified and then contacted by IT.

19

Global Network Threat Intelligence

• Based on IP/Domain Reputation.

20

Real-Life IPS Environment

21

Conclusion

22

• Think, evaluate, review logs, implement strategies.

• It is impossible to achieve 100% total security.

• Security is not just a network appliance; it is a concept.

Questions

23