cisco企业IDS解决方案.ppt, page 1

Document summary

Slide 1: Advanced Enterprise IDS Deployment and Tuning
  © 2003, Cisco Systems, Inc. All rights reserved. SEC-2030 8175_05_2003_c1

Slide 2: The challenge: security in modern networks
  - The number of security incidents continues to rise exponentially
  - The complexity and sophistication of attacks and vulnerabilities continues to rise
  - The potential impact to the bottom line is significant

Slide 3: Mitigating the risk: defense in depth
  - Comprehensive security policy
  - Pervasive security: end to end
  - Security in layers
  - Multiple technologies, working together

Slide 4: Defense in depth: the role of intrusion detection
  - Complementary technology to firewalls
  - Been around for more than a decade; started coming into prominence in the late 90s
  - Performs deep packet inspection, gaining visibility into detail often missed by firewalls
  (diagram: Internet)

Slide 5: Advanced enterprise IDS deployment: agenda
  - Intrusion protection systems
  - Network sensors
  - Host agents
  - Management consoles
  - Case studies

Slide 6: Intrusion protection systems (section divider)

Slide 7: Intrusion protection agenda
  - Terminology and technologies
  - Complete architecture: sensors, agents, management consoles
  - Placement strategies: where to place your sensors, what traffic to watch, how to get traffic to them
  - Organization-level concerns: responding to intrusions, ownership and organization, outsourcing

Slide 8: IDS terminology: false positives
  - A false alarm occurs when an IDS reports an attack even though no attack is underway
  - Benign activity that the system mistakenly reports as malicious
  - Typically due to improper tuning
  - Can easily overwhelm alarm consoles, creating an enormous amount of background noise
  - Can result in mistrust of the IDS by security personnel

Slide 9: IDS terminology: false negatives
  - A false negative occurs when an IDS fails to report an ongoing attack
  - Malicious activity that the system does not detect or report
  - Tend to be worse, because the purpose of an IDS is to detect such events
  - Can be due to a variety of events:
    - Can be the result of IDS evasion efforts by an attacker
    - Can also be due to an out-of-date signature knowledge base (misuse detection systems)
    - Minor state transition that is below a detectable threshold (anomaly-based systems)

Slide 10: IDS terminology: signatures and anomalies
  - Signatures explicitly define what activity should be considered malicious:
    - Simple pattern matching
    - Stateful pattern matching
    - Protocol decode-based analysis
    - Heuristic-based analysis
  - Anomaly detection involves defining "normal" activity and looking for deviations from this baseline

Slide 11: IDS architecture: sensors, agents, and management
  (diagram: agents, sensors and management, spanning the production network and the management network)

Slide 12: IDS components
  - Network-based sensors: specialized software and/or hardware used to collect and analyze network traffic; appliances, modules, embedded in network infrastructure
  - Host-based agents: server-specific agent provides both packet- and system-level monitoring, and active response
  - Security management and monitoring: performs configuration and deployment services; alert collection and aggregation for monitoring

Slide 13: Network-based IDS: the sensor
  (diagram: data flow; data capture, monitoring the network; the network link to the management console has an IP address; the passive interface has no IP address)

Slide 14: Network-based IDS: the in-line sensor
  (diagram: data flow; the network link to the management console has an IP address; the passive interfaces have no IP address)

Slide 15: Network-based IDS: functions and capabilities
  - Monitors all traffic on a given segment
  - Compares traffic against well-known attack patterns (signatures); also looks for heuristic attack patterns (i.e. multi-host scans, DoS)
  - Includes fragmentation and stream reassembly logic for de-obfuscation of attacks
  - Primarily an alarming and visibility tool, but also allows active response: IP session logging, TCP reset, shunning (blocking)

Slide 16: Host agents: functions and capabilities
  - Distributed agent residing on each server to be protected
  - Intimately tied to the underlying operating system: can allow very detailed analysis; can allow some degree of intrusion protection
  - Allows analysis of data encrypted for transport
  - Monitors kernel-level application behavior, to mitigate attacks such as buffer overflow and privilege escalation
Slide 17: Some general pros and cons

  Network-based
    Pros: protects all hosts on the monitored network; no host impact; can detect network probes and denial of service attacks
    Cons: switched environments pose challenges; monitoring 100 Mbps is currently challenging; generally can't proactively stop attacks

  Host-based
    Pros: can verify success or failure of an attack; generally not impacted by bandwidth or encryption; understands host context and may be able to stop the attack
    Cons: impacts host resources; operating system dependent; scalability: requires one agent per host

  Should view as complementary!

Slide 18: Placement strategies
  - Monitoring critical traffic:
    - Deploy network sensors at security policy enforcement points throughout the network
    - Deploy host sensors on business critical servers
  - Beware of sensor overload: sensors must be able to handle peak traffic loads; otherwise they will suffer packet drop/loss and possibly miss attacks

Slide 19: Deploying IDS solutions (section divider)

Slide 20: Overview
  - Often, IDS cannot be implemented "everywhere" due to cost restrictions.
  - Where do you need to detect an intrusion as soon as it occurs?
    - Where an incident would be most expensive (most valuable data)
    - At the entry to a sensitive domain (to detect the first successful step of the attacker)
    - At other locations, where attempts need to be analyzed
  - Look at the risks again: make sure you prioritized based on the value of a resource and the exposure involved.

Slide 21: Network IDS primary functions
  - Identify malicious activity
  - Identify network anomalies
  - Network traffic enforcement
  - First alert: day zero
  - First packet response
  - TCP traffic normalization

Slide 22: NIDS deployment considerations
  - General location selection issues:
    - Purpose of deployment defines location
    - Inside, outside, or DMZ
    - Internal vs. perimeter
    - Response actions vs. passive monitoring
    - Trusted vs. non-trusted zones (chokepoints)
    - Security operations vs. network operations

Slide 23: NIDS deployment considerations (cont.)
  - Specific location selection issues:
    - Location requirements define platform
    - Sensor performance: large network pipes can result in data overflow; proper platform selection is crucial
    - Load balancing issues (sweep and flood fidelity)
    - Data reduction possibilities
    - Highly available or asymmetrically routed networks

Slide 24: NIDS deployment considerations (cont.)
  - Specific location selection issues:
    - Encrypted traffic: SSL or IPsec
    - IDS monitoring sources: network taps, SPAN (and RSPAN), VACL capture, aggregation switch, inline

Slide 25: IDS sensor monitoring considerations
  - NIDS sensors should monitor the segments where you need to detect attacks the most:
    - Monitor the most sensitive internal segments (management network)
    - Monitor the most sensitive internal servers
    - Monitor network entry points: Internet firewall, business partner entry, VPN/dial-up entry, switched network edge (biggest performance issue)
    - Monitor exposed hosts most likely to be compromised: if they are likely to be used as a jump-off point; if your reputation depends on them

Slide 26: Monitoring sensitive internal servers or segments with NIDS
  - Performance considerations:
    - Select the correct sensor platform
    - Use a dedicated sensor per network/VLAN (if required)
    - Move the sensor to a different location to see more specifically defined traffic
    - If necessary, only capture a subset of traffic (exclude traffic that can't be inspected: IPsec, SSL, multicast)
    - Use HIDS (not a performance issue)
    - Use load balancing to distribute network flows

Slide 27: IDS placement and tuning (section divider)

Slide 28: Network sensor deployment locations
  - Inside (trusted side) network monitoring:
    - Typical initial IDS deployment spot (along with DMZ)
    - Usually broad monitoring to detect any attacks
    - Sees traffic filtered by the firewall
    - Detects attacks that penetrate the firewall
    - Detects outgoing attacks (even if blocked by the firewall)
    - Useful to check the config of the firewall

Slide 29: Network sensor deployment locations
  - Outside (untrusted side) network monitoring:
    - "Broad" monitoring for all types of attacks
    - Also detects attacks which the firewall will block (early warning, trends, new risks, "Internet thermometer")
    - Serious risk of operator overload, as the sensor monitors uncontrolled network space (no man's land)
    - Usually requires special configuration and possibly special management and monitoring considerations
    - Useful for correlation with inside sensors

Slide 30: Multi-sourced NIDS sensors
  - Multiple capture interfaces forwarding to the same IDS engine:
    - Monitors multiple segments with similar properties (same IDS policy; simple with service modules)
    - Potential for IDS oversubscription
    - Possible issues with address range overlap
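Slide 23's "sweep and flood fidelity" caveat and slide 26's advice to use load balancing pull in opposite directions. The following Python script is an added example, not part of the Cisco deck, that makes the tension concrete: a threshold-based host-sweep heuristic is run once over a whole flow log and once over the same log split across several engines by a per-flow hash. The flow records, the threshold value and the toy hash are all constructed for the demonstration; no vendor's balancing algorithm is modelled.

```python
"""Added example: sweep-detection fidelity under per-flow load balancing.
Flow records, threshold and the toy hash below are all constructed."""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# One flow record: (timestamp in seconds, source IP, destination IP, destination port)
Flow = Tuple[float, str, str, int]

# Constructed sample flow log: 10.0.0.5 touches 12 distinct hosts in 12 seconds (a sweep),
# 10.0.0.9 repeatedly talks to one server (benign).
SAMPLE_FLOWS: List[Flow] = (
    [(float(i), "10.0.0.5", f"192.168.1.{10 + i}", 80) for i in range(12)]
    + [(float(i), "10.0.0.9", "192.168.1.50", 443) for i in range(5)]
)

SWEEP_THRESHOLD = 5    # distinct destinations per source before alarming (hypothetical tuning)
WINDOW_SECONDS = 60.0  # sliding window for the heuristic


def sweep_alarms(flows: Iterable[Flow], threshold: int = SWEEP_THRESHOLD,
                 window: float = WINDOW_SECONDS) -> List[str]:
    """Heuristic host-sweep signature: alarm on any source that contacts more than
    `threshold` distinct destinations within `window` seconds. Returns the sources
    that alarmed, in the order they crossed the threshold."""
    recent: Dict[str, List[Tuple[float, str]]] = defaultdict(list)
    alarmed: List[str] = []
    for ts, src, dst, _port in sorted(flows):
        bucket = recent[src]
        bucket.append((ts, dst))
        bucket[:] = [(t, d) for t, d in bucket if ts - t <= window]  # expire old entries
        if len({d for _, d in bucket}) > threshold and src not in alarmed:
            alarmed.append(src)
    return alarmed


def _last_octet(ip: str) -> int:
    return int(ip.rsplit(".", 1)[1])


def balance_by_flow(flows: Iterable[Flow], n_sensors: int) -> List[List[Flow]]:
    """Model a per-flow load balancer: every packet of one flow lands on the same
    sensor, but different flows from one source are scattered. The hash is a toy
    (sum of address octets and port), not any vendor's algorithm."""
    slices: List[List[Flow]] = [[] for _ in range(n_sensors)]
    for flow in flows:
        _ts, src, dst, port = flow
        slot = (_last_octet(src) + _last_octet(dst) + port) % n_sensors
        slices[slot].append(flow)
    return slices


def balance_by_source(flows: Iterable[Flow], n_sensors: int) -> List[List[Flow]]:
    """Model a balancer with source-address affinity: all flows from one source
    stay on one sensor, so a sweep is never split."""
    slices: List[List[Flow]] = [[] for _ in range(n_sensors)]
    for flow in flows:
        slices[_last_octet(flow[1]) % n_sensors].append(flow)
    return slices


def alarms_per_sensor(slices: List[List[Flow]]) -> List[List[str]]:
    """Run the heuristic independently on each sensor's slice, as separate
    engines without shared state would."""
    return [sweep_alarms(s) for s in slices]


if __name__ == "__main__":
    print("single sensor:     ", sweep_alarms(SAMPLE_FLOWS))
    print("4 sensors, by flow:", alarms_per_sensor(balance_by_flow(SAMPLE_FLOWS, 4)))
    print("4 sensors, by src: ", alarms_per_sensor(balance_by_source(SAMPLE_FLOWS, 4)))
```

With one engine the 12-host sweep alarms; with four engines balanced on the 5-tuple each engine sees three destinations and none reaches the threshold, while balancing on source address keeps the whole sweep on one engine. Two engines balanced by flow still alarm, but both do, so the same event is reported twice: splitting flows costs either fidelity or duplicate alarms unless the engines share state.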
Slide 31: Network sensor deployment locations
  - High availability or asymmetrically routed networks:
    - IDS must see all packets involved in a connection
    - Usually requires a sensor with multiple interfaces to capture data from all points
    - Data overflow to the IDS is a serious possibility in an active/active network setup

Slide 32: Network sensor deployment locations
  - Inline IDS deployments (IPS):
    - IDS is able to block the offending packet
    - IDS signature quality must be very accurate with low false positives; otherwise legitimate network traffic is disrupted
    - Since packets flow through the device, the IDS must have no measurable impact on traffic flow (e.g. loss rate, latency, jitter, etc.)
    - Network reliability must follow standard procedures: failover in a highly available network; fail open or fail closed?

Slide 33: Deployment example: IDS load balancing for the data center
  (diagram: data center with web tier, application tier and mainframe; NIDS at the aggregation and access layers)

Slide 34: Encrypted traffic and network IDS
  - IPsec: use a network module in the tunnel termination router to inspect traffic before it gets sent out the interfaces
  - SSL: early decryption of SSL sessions at an SSL accelerator
  - For crypto tunnels terminated on the host, use HIDS

Slide 35: NIDS switched environment considerations
  - In a switched environment, you can monitor:
    - Inside a switch (IDSM) or router (NM-IDS)
    - Using a network tap
    - Using SPAN or VACL capture
    - On the host (HIDS)
  - Avoid oversubscribing the device or port: lost packets break stream and composite signatures
    - Smart VACLs (specific protocols)
    - Perhaps monitor only one port via SPAN
  - Understand the limitations of the packet sourcing device
  - Reference: ids_capture_techniques1.ppt
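Slide 15 lists fragmentation and stream reassembly logic as a core sensor capability, and slide 35 warns that lost packets break stream and composite signatures. The following Python script is an added example, not code from the deck or from any Cisco product, that demonstrates both with a minimal one-direction TCP reassembler: a signature that straddles a segment boundary is missed by a per-packet matcher and caught after reassembly, and when the middle segment is dropped the reassembler reports the hole instead of guessing. The segments, the sequence numbers and the traversal-style signature string are constructed for the example.

```python
"""Added example: per-packet matching vs. stream reassembly, and the effect of a
lost segment on a stream signature. Segments and signature are constructed."""
from typing import Dict, List, Optional, Tuple

Segment = Tuple[int, bytes]   # (relative TCP sequence number, payload)

# Constructed traversal-style pattern; not a signature from any product.
SIGNATURE = b"/../../"

# Constructed HTTP request split into three segments and delivered out of order.
# Contiguous stream: b"GET /scripts/../../../etc/passwd HTTP/1.0\r\n\r\n"
# The signature spans the boundary between the first and second segment.
SEGMENTS: List[Segment] = [
    (21, b"/etc/passwd HTTP/1.0\r\n\r\n"),
    (0, b"GET /scripts/.."),      # 15 bytes, seq 0-14
    (15, b"/../.."),              # 6 bytes, seq 15-20
]


class StreamReassembler:
    """Minimal one-direction TCP reassembler: buffers out-of-order segments,
    releases only the contiguous prefix, and remembers any hole it is stalled on."""

    def __init__(self, initial_seq: int = 0) -> None:
        self.next_seq = initial_seq
        self.pending: Dict[int, bytes] = {}
        self.data = bytearray()

    def feed(self, seq: int, payload: bytes) -> None:
        if seq + len(payload) <= self.next_seq:
            return                                  # pure retransmission, already have it
        if seq < self.next_seq:                     # partial overlap: keep the new bytes only
            payload = payload[self.next_seq - seq:]
            seq = self.next_seq
        self.pending[seq] = payload
        while self.next_seq in self.pending:        # release everything that is now contiguous
            chunk = self.pending.pop(self.next_seq)
            self.data.extend(chunk)
            self.next_seq += len(chunk)

    def gap(self) -> Optional[Tuple[int, int]]:
        """(expected_seq, first_buffered_seq) while data is stuck behind a hole."""
        if not self.pending:
            return None
        return (self.next_seq, min(self.pending))


def per_packet_match(segments: List[Segment], signature: bytes = SIGNATURE) -> bool:
    """Simple pattern matching on each packet in isolation."""
    return any(signature in payload for _, payload in segments)


def stream_match(segments: List[Segment],
                 signature: bytes = SIGNATURE) -> Tuple[bool, Optional[Tuple[int, int]]]:
    """Stateful matching on the reassembled stream. Returns (matched, gap); a
    non-None gap means the sensor lost data and the verdict is unreliable."""
    reassembler = StreamReassembler()
    for seq, payload in segments:
        reassembler.feed(seq, payload)
    return signature in bytes(reassembler.data), reassembler.gap()


def drop_segment(segments: List[Segment], seq: int) -> List[Segment]:
    """Simulate an oversubscribed SPAN port dropping the segment that starts at `seq`."""
    return [s for s in segments if s[0] != seq]


if __name__ == "__main__":
    print("per-packet match:    ", per_packet_match(SEGMENTS))
    print("reassembled match:   ", stream_match(SEGMENTS))
    print("middle segment lost: ", stream_match(drop_segment(SEGMENTS, 15)))
```

The gap report is the part worth keeping in a real deployment: a sensor that only reports "no match" after losing a segment looks healthy while it is blind, whereas a reassembly-gap counter rising on a SPAN-fed sensor is the direct symptom of the oversubscription slide 35 warns about.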
Slide 36: SPAN overview
  - SPAN means Switch Port Analyzer
  - SPAN copies all packets from source VLANs or ports to a destination port
  - Supported across most Cisco switches
  - Different switches have different limitations on the use of SPAN, including the number of SPAN destination ports
  - Some switches do not allow incoming packets on the SPAN destination port. This is necessary if a customer wishes to use TCP reset.
  (diagram: SPAN directs a copy of all traffic from the source port or VLAN)

Slide 37: NIDS switched environment considerations
  - A VLAN-aware sensor is able to process 802.1Q tagged packets
  - Issues when using the SPAN port:
    - If SPAN belongs to a single VLAN, packets enter the SPAN port without the VLAN headers
    - Configure SPAN as a trunking port, if necessary (supporting all active VLANs)
    - Which VLAN do you send the RST to?

Slide 38: VACL capture overview
  - A VLAN ACL, also known as a security ACL, specifies traffic to capture.
  - The VACL capture copies filtered packets from source VLANs to a destination port.
  (diagram: VACL directs a copy of filtered traffic from the source port)

Slide 39: Management interface security guidelines
  - Perimeter (outside monitoring) placement options:
    - Classic firewall sandwich (in-band)
    - Management interface on separate inside VLANs
    - Management interface on a separate DMZ
    - Management interface on a separate physical network

Slide 40: Intrusion detection deployment: what areas of the network are candidates?
  (diagram: corporate network with business partner access / extranet connections, Internet connections, remote access systems, remote/branch office connectivity, data center, management network)

Slide 41: Sensor placement rationale
  - No real standard: no primer or cookbook that says "place IDS here"; varies tremendously from network to network
  - IDS is typically found around firewalls: these are usually perceived as transit points from one network to another
  - Also found where there are differing trust levels within the network

Slide 42: Typical order of deployment
  - How far down the deployment path you go often depends on your resources; if resources are tight, always look at where you can get the most bang for your buck:
    - Data centers, high risk, or other HDV areas
    - Directly behind perimeter firewalls
    - Internet DMZ areas
    - Remote access and remote offices

Slide 43: Why at Internet connections?
  - Firewalls usually don't protect against data driven attacks
  - Consider a web server on a DMZ: various web server vulnerabilities have been found over the past few years:
    - Microsoft IIS directory traversal vulnerability (Unicode)
    - Apache/OpenSSL SSL2 handshake process buffer overflow
    - Microsoft IIS WebDAV buffer overflow
    - Microsoft SQL Slammer worm
  - Patches are available, but can be exploited to deny service or access the server

Slide 44: Attacking through the firewall
  (diagram: attacker on the Internet; vulnerable web server running WWW and Telnet; firewall rules: permit any to DMZ port 80; permit DMZ to inside; permit DMZ to outside; permit inside to any; deny any any)

Slide 45: Inside or outside?
  - Somewhat of a "religious" debate
  - Depends on the situation and the needs
  - Made more effective with good ACLs at the edge router(s)
  - Must be tuned properly; otherwise false alarms will significantly reduce the value of the IDS on the outside

Slide 46: Sensor placement: inside or outside?
  - Sensors on the outside:
    - See everything, including traffic blocked by the firewall
    - Can't distinguish between what is denied or permitted by the firewall
    - Tools like Stick can generate lots of noise
    - Monitor both DMZ and inside traffic
  - Sensors on the inside:
    - See only traffic permitted by the firewall
    - Response is needed
    - A sensor is needed for each internal leg of the firewall
  (diagram: attacker, DMZ, inside)

Slide 47: Next steps: getting traffic to your network sensors
  - Traffic must be mirrored to network sensors (replicated)
  - Choices:
    - Shared media (hubs)
    - Network taps
    - Switch-based traffic mirroring (SPAN)
    - Selective mirroring (traffic capture VACLs)

Slide 48: Using a networ
  (diagram labels: TX and RX from firewall; from router; traffic from firewall; traffic from router; TX and RX; SPAN; tap; traffic; full duplex link; aggregation switch)
