IPS-1技术培训课件

CheckPointIPS-1AgendaNetworkSecurityChallengesIPS-1ProductLineOverviewIntroducingIPS-1Accurate&GranularAttackPreventionAware,Adaptive&ActionableSecurityAdvancedForensics&ReportingIntuitiveCentralizedManagementSummaryVelocityofchangedrivingnew

securityrequirementsOperatingSystemPatchesNetworkEnvironmentChangesNewVulnerabilitiesNetwork&ApplicationAttacksExposureExposureExposureExposureAssetClassification&PrioritizationNetworkAwarenessDynamicVulnerability“Shielding”ActiveDetection&PreventionAdvancedForensicsEnvironmentalChangeNewSecurityRequirementsMultiplethreatvectorsWormsTrojansEvasionsScansSpywareHybridAttacksMobileDevicesWormsTrojansDataTheftBackdoorsRevengeNetworkChangesCriticalVulnerabilitiesPolicyViolationsComplianceMoresuccessfulattacksFalsepositivesPolicyenforcementGranularmonitoringandreportingOverburdenedStaffComplexitySecurityIssuesAttacksInsiderThreatsPassiveThreatsWhatisneeded:Aware,AdaptiveandActionableIntrusionPreventionAttacksInsiderThreatsPassiveThreatsVectorDetection&PreventionRequirementsDEFENDthePerimeterMultipledetectiontechniquesAccuratedetectionGranularpolicyenforcementPROTECTtheInteriorCustomizeddetectionmethodsActivequarantineDynamicwormmitigationSHIELD&ControlDynamicallyshieldvulnerabilitiesAwareness&controlGranularforensics&reportingIPSMarketOppurunity

IDC:AnnualSecuritySurveyDedicatedvs.IntegratedIPSMarketSize

2007IPSMarketsDedicatedIPS-$1.2BillionIntegratedIPS-$400MillionGrowthMarketsCheckPointpositionedinbothsegmentsCheckPointIPS-1™*RobustandaccurateintrusionpreventionAccurate&GranularAttackPreventionAware,Adaptive&ActionableSecurityAdvancedForensicsAnalysis&ReportingIntuitiveCentralizedManagementIDS/IPSMaturityModel

MaturityTimeBlissfulIgnoranceAwarenessPhasePreventivePhaseOperationsExcellencePhaseIDS,VAIPS,VACheckPointIPS-1FirewallsAgendaNetworkSecurityChallengesIPS-1ProductOverviewIntroducingIPS-1Accurate&GranularAttackPreventionAware,Adaptive&ActionableSecurityAdvancedForensics&ReportingIntuitiveCentralizedManagementSummaryIPS-1Architecture3rdPartyIntegration

HPOpenView

Arcsite,Intellitactics

Netforensics

NessusMore…IPS-1ManagementDashboardCentralizedManagementRealTimeViewsAdvancedForensicsReportingandCompliance

IPS-1ManagementServerOptimizedDataStoreMulti-ElementCorrelationDynamicShielding

IPS-1SensorHybridDetectionEngineConfidenceIndexingOpensignaturelanguageMulti-modepreventionappliancewithFailover

IPS-1ProductLineRemoteofficesBranchoffice&MidsizebusinessesEnterprise&DataCentersPricePerformance$16,000$7,000$28,0004Gbps500Mbps100MbpsIPS-1Sensor50and200IPS-1Sensor500$110,000IPS-1PowerSensor1000and2000$75,000IPS-1ModelsIPS-1Sensor50IPS-1Sensor200IPS-1Sensor500IPS-1PowerSensor1000IPS-1PowerSensor2000NetworklocationRemoteoffice/networkperimeterRemoteoffice/networkperimeterNetworkperimeter(multi-segment)Networkcore(multi-segment)Networkcore(multi-segment)Throughput(IPS/IDS)50/75Mbps200/250Mbps500Mbps/1Gbps1/2Gbps2/4GbpsConcurrentsessions100,000200,000500,0001.2million2.8millionMonitoringinterfaces2x10/100/1000Mbpscopper2x10/100/1000Mbpscopperor2x1000Mbpsfiber4x10/100/1000Mbpscopperor4x1000Mbpsfiber8x10/100/1000Mbpscopperor8x1000Mbpsfiber8x10/100/1000Mbpscopperor8x1000MbpsfiberAgendaNetworkSecurityChallengesIPS-1ProductOverviewIntroducingIPS-1Accurate&GranularAttackPreventionAware,Adaptive&ActionableSecurityAdvancedForensics&ReportingIntuitiveCentralizedManagementSummaryMissionCriticalProtection

IPS-1HybridEngineHybridDetectionEngineVulnerabilitysignaturesExploitsignaturesAnomalydetectionProtocolanalysisApplicationawarenessIPreassemblyOSfingerprintingApplicationfingerprintingMulti-elementcorrelationDynamicwormmitigationN-Code™SignatureLanguagePowerfulandflexiblesignaturelanguageextendsdetectioncapabilities“0-day”AttackPreventionfor30+ApplicationsLayerProtocolsProtocolAnalysisIntroducingNetworkLayer&TransportLayerprotocolanalysis网络和传输层的协议分析技术ApplicationLayerpre-processinganalysis应用层预处理技术ApplicationLayerprotocolanalysis应用层协议分析技术Protocolmis-use协议误用Protocolabnormal,static&dyamicabnormal协议异常,静态&动态异常State-basedapplicationlayerprotocolanalysis基于状态的应用层协议分析技术PatternmatchingvsProtocolAnalysisPM-O(n)PA-O(logn)ThesearchingpathofProtocolAnalysisAlgorithmComplexityAnExampleofProtocolAnalysisInspectionAnoldversionSendmail

BufferOverflowvulnerability$telnet25WIZshellorDEBUG#Thenyoucangaintherootshell！TraditionalPatternMatchingInspectionInspecteverypacket

,ifitcontains： “WIZ” |“DEBUG”Step1Inspecttheportnumber,Minimizetheinspectionscope

Port25:{ “WIZ” |“DEBUG”}Step2Ifthepacketsendbyclientside （查看数据包是否由client端发送）

Port25:{ Client-sends:“WIZ”| Client-sends:“DEBUG”}Step3StatefulInspection+AbnormalDetection (状态检测＋异常分支判断）

Port25:{

statefulclient-sends:“WIZ”|

statefulclient-sends:“DEBUG” afterstateful“DATA”client-sends line>1024bytesmeans possiblebufferoverflow}ApplicationLayerStatefulInspectionIntroducing(ContextBasedInspection)TransportLayerstatetrack(传输层状态跟踪)UnidirectionBidirection

Session+SequencenumberApplicationLayerstatetrack（应用层状态跟踪）Data/CommandSequenceFinitestatemachineAnexampleofFinitestatemachineAnExampleofcontextbasedinpsection

Recordastateoftheconnection，contextbasedinspectionAttackString1helotestmailfrom:testrcptto:testvrfydecodedatahellotest.quit

AttackString2helotestmailfrom:testrcptto:testdatahellotestvrfydecode.quitOSfingerPrintandApplicationfingerprintExampleofOSfingerprintx86basedoverflowattackwillnoteffectSPARCplatformAware,Adaptive&ActionableSecurity

DynamicShieldingArchitecutreDynamicShieldingArchitectureNetworkFlowsNetworkChangesEndpointProfilingVulnerabilityInformationAdaptiveUpdatesActiveQuarantineSmartPolicyComplianceContextDetectionManageandproactivelyprotect

againstvulnerabilitiesinthenetworkVulnerabilityBrowserenablesvulnerabilityscanning,viewingandmanagementTakeactiontopreventdiscoveredvulnerabilitiesfrombeingexploitedResult:ensuresyournetworkisadequatelyprotectedIPS-1providesrecommendationsonactionstobetakentosecurethenetworkNessusIntroducingTheNessusprojectStartedbyRenaud

Deraisonin1998;SupportbyTenableNetworkSecurity,Since2002;ThemostpopularVULscanner,Nessusscannerisusedby75,000organizationsworld-wide;UNIXbased,nowwindowsbasedversionisavailable(3.0.5)Licensefree,noIPlimitation.(Update7dayslaterthan“directfeedsupport”,whichis$1200peryear)AdvancedForensics&Reporting

ConfidenceIndexing&AlertcorrelationQuicklydissectattackdataMonitorinrealtimeattackandpreventionactivityPinpointattacksbygroupinganddrillingdownoneventsandalertsCreateinformativereportsfromeitheradhocorpre-definedreportsEasy,in-depthmonitoringofalertsAlertBrowserbringsallalertinformationintoasingledashboardforviewingandprioritizationNumerousbuilt-inalertgroups–orcreatenewgroupstosuityourforensicneedsResult:FasteranalysisandmoreefficientuseofadministratorresourcesConfidenceIndexingRealtimeAlertCorrelationSimplicityforsmalldeployments…Central,scalablemanagement…yetscalableforlargeenterprisesGraphics,automationandWizard-drivenfeaturessavesyournetworksecuritystafftimeandeffortIPS-1ProtectionEngine(Linux,Solaris)IPS-1EnterpriseServer(Linux,Solaris)EnterpriseDeploymentSmartSensor100(Appliance)CentralizedManagementClient(Windows,Linux,Solaris)InternetMgmtNetSales&AccountingIT&EngineeringPowerSensor1000(Appliance)BasicDeploymentD.C.Seattle.SanJoseDallas

NewYork.EasternRegionalServer(Linux,Solaris)WesternRegionalServer(Linux,Solaris)Real-TimeVisibilityMangementReportsDetailedKnowledgeTheIPS-1AdvantageHighPerformanceProtectionDataraterangesfrom50Mbpsto4Gbps.IPS-1PowerSensorsofferportdensity,highavailabilityfeaturesandplug-indatarateexpandability,guaranteeingdatarateexpansionwithoutforkliftupgrades.IPv6SupportIPv6isacriticalrequirementintheU.S.FederalgovernmentandEuropeandIPS-1offersfullIPv6support.OpenSignatureLanguageIPS-1signaturesandsignaturelanguagecalledN-Code,isopenallowingcustomerstomodifyexistingsignaturesorwritetheirownsignatures.SmartDefenseResearchCenterDedicatedteamofseasonedsecurityresearchexpertswhomonitortheInternetfornewexploitsandvulnerabilitiesonacontinuousbasisandproviderapidsolutions.Summary:Accurate&GranularAttackPreventionMissionCriticalProtectionIn-line,ApplicationLayerIntrusionPreventionSystem“0-day”AttackPreventionfor30+ApplicationLayerProtocolsSuperioraccuracy,resistancetoIDS/IPSevasionTheHybridDetectionEngine:Right-fitsolutionsforyourprice/performanceneeds- Verdict:NetworkSanitization&WormDefenseActiveDynamicNetworkProtectionCriticalcomponentofCheckPoint’slong-termIPSvisionAutomaticallyimport,correlate,andadapttovulnerabilitydataThemostaccuratereportspossibleonbreachesandchangesCheckPointIPS-1SmartDefense