Sunday, August 17, 2014

IPS tutorial, basic concepts and terminology


SITUATIONS

True positive: A situation in which a signature fires correctly when intrusive traffic for that signature is detected on the network. The signature correctly identifies an attack against the network. This represents normal and optimal operation.
Attacks are detected correctly. Normal mode of operation.

False positive: A situation in which normal user activity triggers an alarm or response. This is a consequence of nonmalicious activity. This represents an error and generally is caused by excessively tight proactive controls or excessively relaxed reactive controls.
A situation in which ordinary user activity triggers an alarm or a response. It is the result of either overly strict monitoring policies or an overly lax policy for how staff operate.




True negative: A situation in which a signature does not fire during normal user
traffic on the network. The security control has not acted and there was no malicious
activity. This represents normal and optimal operation.
No alarms on an ordinary user. Normal mode of operation.

False negative: A situation in which a detection system fails to detect intrusive traffic
although there is a signature designed to catch the activity. In this situation, there
was malicious activity, but the security control did not act. This represents an error
and generally is caused by excessively relaxed proactive controls or excessively tight
reactive controls.
Suspicious traffic was not detected even though rules for it were in place.
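As an added illustration (not part of these notes or of the Cisco material they summarize), the following Python scores a constructed set of sensor decisions against an analyst's ground truth, sorts each event into one of the four situations above, and derives the rates that drive tuning. The signature ids and verdicts are made up for the example.

```python
from collections import Counter, defaultdict

# Constructed sample (made up for this example): one record per observed event,
# as (signature id, did the signature fire, was the traffic actually malicious).
# The third field is the analyst's ground truth after reviewing the traffic.
SAMPLE_EVENTS = [
    ("sig-1001", True,  True),
    ("sig-1001", True,  True),
    ("sig-1001", False, True),    # attack missed although a signature exists: false negative
    ("sig-1001", False, False),
    ("sig-2002", True,  False),   # benign traffic tripped the rule: false positive
    ("sig-2002", True,  False),
    ("sig-2002", True,  True),
    ("sig-2002", False, False),
    ("sig-2002", False, False),
]


def classify(fired, malicious):
    """Map one (sensor decision, ground truth) pair to its situation name."""
    if fired and malicious:
        return "true_positive"
    if fired and not malicious:
        return "false_positive"
    if not fired and malicious:
        return "false_negative"
    return "true_negative"


def count_situations(events):
    """Tally the four situations per signature and for the sensor as a whole."""
    per_signature = defaultdict(Counter)
    overall = Counter()
    for sig_id, fired, malicious in events:
        outcome = classify(fired, malicious)
        per_signature[sig_id][outcome] += 1
        overall[outcome] += 1
    return per_signature, overall


def rates(counts):
    """Detection rate (share of attacks caught), precision (share of alerts that
    were real) and false-positive rate (share of benign events that alerted)."""
    tp, fp = counts["true_positive"], counts["false_positive"]
    fn, tn = counts["false_negative"], counts["true_negative"]
    return {
        "detection_rate": tp / (tp + fn) if tp + fn else 0.0,
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "fp_rate": fp / (fp + tn) if fp + tn else 0.0,
    }


def noisiest_signature(events):
    """The signature producing the most false positives: first candidate for tuning."""
    per_signature, _ = count_situations(events)
    return max(per_signature, key=lambda s: per_signature[s]["false_positive"])


if __name__ == "__main__":
    per_signature, overall = count_situations(SAMPLE_EVENTS)
    print(dict(overall), rates(overall))
    print("tune first:", noisiest_signature(SAMPLE_EVENTS))
```

Feeding a sensor's alert log joined with analyst verdicts through `count_situations` gives the per-signature breakdown; the signature with the most false positives is the one to tighten first, while a signature with false negatives points at a missed evasion or an outdated rule.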


TERMS

■ Vulnerability is a weakness that compromises either the security or the functionality of a system.
a) Insecure communications: Any form of data or voice susceptible to interception,
such as system passwords, personnel records, and confidential documents.
b) Poor passwords: Often referred to as the first line of defense. Weak or easily
guessed passwords are considered vulnerabilities.
c) Improper input handling: Software that hasn’t been through a good security and
quality scan (which usually involves evaluating all possible input and results) can lead
to a form of DoS or access denied or restricted to system resources.
■ Exploit is the mechanism used to leverage a vulnerability to compromise the security
functionality of a system.
a) Executable code: Often referred to as a more advanced form of an exploit, these are
exploits written as executable code requiring programming knowledge and access to
software tools such as a compiler.
b) Password-guessing tools: There are tools built specifically for this function that
can be easily found on the Internet designed to “guess” or “crack” passwords using
knowledge of the algorithm used to generate the actual password or by attempting to
access a system using combinations and permutations of different character sets.
c) Shell or batch scripts: Scripts created to automate attacks or perform simple procedures
known to expose the vulnerability.
Risk rating (RR): A rating based on numerous factors besides just the attack severity.
Deep-packet inspection: Decoding protocols and examining entire packets to allow
policy enforcement based on actual protocol traffic (not just a specific port
number).
Event correlation: Associating multiple alarms or events with a single attack.
Inline mode: Examining network traffic while having the ability to stop intrusive
traffic from reaching the target system.
Promiscuous mode: Also known as passive mode, a way to passively examine network
traffic for intrusive behavior.
Signature: A rule configured in a network IPS or IDS device that describes a pattern
of network traffic that matches a specific type of intrusion activity.
Signature engine: An engine that supports signatures that share common characteristics
(such as the same protocol, service, operating system, and so on). The Cisco IPS
Sensor has multiple signature engines called microengines.
Atomic signature: A signature that triggers based on the contents of a single packet.
Flow-based signature: A signature that triggers based on the information contained
in a sequence of packets between two systems (such as the packets in a TCP
connection).
Anomaly-based signature: A signature that triggers when traffic exceeds a baseline.
Behavior-based signature: A signature that triggers when traffic deviates from
regular user behavior.
Meta-event generator: The capability to define metasignatures based on multiple
existing signatures that trigger at or near the same window of time within a sliding
time interval.
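The following Python is an added example (not code from these notes or from Cisco) of the signature concepts just defined: a few atomic signatures that fire on a single packet, and a meta-event generator that fires a metasignature when its component signatures have all fired for the same source inside a sliding time window. The packet records, signature ids and names are constructed for the example and are not Cisco signature ids.

```python
from collections import defaultdict, deque

# Constructed packet records (made up for this example):
# (timestamp in seconds, source IP, destination IP, protocol, destination port, payload)
SAMPLE_PACKETS = [
    (0.0,  "10.0.0.5", "10.0.0.20", "tcp", 445, b""),
    (0.5,  "10.0.0.5", "10.0.0.20", "tcp", 80,  b"GET /index.html HTTP/1.1"),
    (1.0,  "10.0.0.5", "10.0.0.20", "tcp", 80,  b"GET /../../restricted HTTP/1.1"),
    (2.0,  "10.0.0.5", "10.0.0.20", "tcp", 139, b""),
    (9.0,  "10.0.0.7", "10.0.0.21", "tcp", 445, b""),
    (40.0, "10.0.0.7", "10.0.0.21", "tcp", 80,  b"GET /../restricted HTTP/1.1"),
    (40.5, "10.0.0.7", "10.0.0.21", "tcp", 139, b""),
]

# Atomic signatures: each is decided from one packet. Ids and names are hypothetical.
ATOMIC_SIGNATURES = [
    {"id": 2001, "name": "SMB port probe",      "proto": "tcp", "dport": 445, "content": None},
    {"id": 2002, "name": "NetBIOS port probe",  "proto": "tcp", "dport": 139, "content": None},
    {"id": 3001, "name": "HTTP path traversal", "proto": "tcp", "dport": 80,  "content": b"../"},
]

# Meta-signatures: fire when all component signatures have fired for the same
# source within a sliding window of `window` seconds.
META_SIGNATURES = [
    {"id": 9001, "name": "Windows share reconnaissance", "components": {2001, 2002}, "window": 10.0},
]


def match_atomic(packet):
    """Return the ids of all atomic signatures this single packet triggers."""
    _, _, _, proto, dport, payload = packet
    hits = []
    for sig in ATOMIC_SIGNATURES:
        if sig["proto"] != proto:
            continue
        if sig["dport"] is not None and sig["dport"] != dport:
            continue
        if sig["content"] is not None and sig["content"] not in payload:
            continue
        hits.append(sig["id"])
    return hits


class MetaEventGenerator:
    """Correlates atomic hits per source over a sliding time window."""

    def __init__(self, meta_signatures):
        self.meta_signatures = meta_signatures
        self.history = defaultdict(deque)   # source IP -> deque of (timestamp, signature id)
        self.longest = max(m["window"] for m in meta_signatures)

    def observe(self, ts, src, sig_id):
        """Record one atomic hit; return ids of meta-signatures it completes."""
        hist = self.history[src]
        hist.append((ts, sig_id))
        while hist and ts - hist[0][0] > self.longest:   # forget hits outside every window
            hist.popleft()
        fired = []
        for meta in self.meta_signatures:
            recent = {s for t, s in hist if ts - t <= meta["window"]}
            if meta["components"] <= recent:
                fired.append(meta["id"])
                # consume the component hits so one burst does not fire the meta twice
                hist = self.history[src] = deque((t, s) for t, s in hist
                                                 if s not in meta["components"])
        return fired


def run_sensor(packets):
    """Feed packets through the atomic engine and the meta-event generator.
    Returns (atomic alerts, meta alerts) as lists of (timestamp, source, signature id)."""
    meg = MetaEventGenerator(META_SIGNATURES)
    atomic_alerts, meta_alerts = [], []
    for pkt in packets:
        ts, src = pkt[0], pkt[1]
        for sig_id in match_atomic(pkt):
            atomic_alerts.append((ts, src, sig_id))
            for meta_id in meg.observe(ts, src, sig_id):
                meta_alerts.append((ts, src, meta_id))
    return atomic_alerts, meta_alerts


if __name__ == "__main__":
    for alert in run_sensor(SAMPLE_PACKETS)[1]:
        print("meta-event:", alert)
```

In the sample the first source touches both ports within two seconds and the meta-event fires; the second source spreads the same two probes more than 30 seconds apart, so only the atomic alerts appear, which is exactly the gap the window size of a metasignature leaves open.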


IPS


Aspects of analysis:
■ Reassembles Layer 4 sessions and analyzes their contents
■ Monitors packet and session rates to detect and/or prevent deviations from the baseline
(or normal) network profiles
■ Analyzes groups of packets to determine whether they represent reconnaissance
attempts
■ Decodes application layer protocols and analyzes their contents
■ Analyzes packets to address malicious activity contained in a single packet

Following are some common factors that often influence the addition of sensors:
■ Network implementation: Additional sensors might be required to enforce security
boundaries based on the security policy or network design.
■ Exceeded traffic capacity: Additional bandwidth requirements might require an
addition or upgrade of network link(s), thus requiring a higher-capacity sensor.
■ Performance capabilities of the sensor: The current sensor might not be able to
perform given the new traffic capacity or requirements.


To maximize the intrusion prevention analysis for networks of all types, there are three essential elements to the IPS hardware:
■ Memory: Intrusion prevention analysis is memory intensive. The memory directly affects
the ability of a network IPS to detect and prevent an attack accurately.
■ Network interface card (NIC): The network IPS must have the capability to connect
into any network infrastructure. Network IPS NICs today include Fast Ethernet,
Gigabit Ethernet, and 10 Gigabit Ethernet.
■ Processor: CPU power to perform intrusion prevention protocol analysis and pattern
matching is required for an effective intrusion prevention system.

A network IPS has four main features:
1) A network IPS can detect attacks on several different types of operating systems and applications, depending on the extent of its database.
2) A single device can analyze traffic for a large scale of hosts on the network, which makes network IPSs a cost-effective solution that decreases the cost of maintenance and deployment.
3) As sensors observe events from and to various hosts and different parts of the network, they can correlate the events, hosts, and networks to higher-level information. In conjunction with the correlation, they can obtain deeper knowledge of malicious activity and act accordingly.
4) A network IPS can remain invisible to the attacker through a dedicated interface that monitors only network traffic and is unresponsive to various triggers or stimuli.


The most commonly known limitations of network IPS are as follows:
■ The network IPS can require expert tuning to adapt the sensor to its network, host, and application environments.
■ The network IPS sensor is unable to analyze traffic on the application layer when traffic is encrypted either with IPsec or SSL (Secure Sockets Layer).
■ The network IPS can be overloaded by network traffic if not properly sized. Thus, the IPS can easily fail to respond to real-time events in a timely manner if it is sized improperly.
■ The network IPS might interpret traffic improperly, which can lead to false negatives. This is often a result of the sensor’s seeing traffic differently from how the end system or target sees the traffic.


Intrusion Prevention Approaches

1)  Signature-based. A network IPS that analyzes network traffic and compares the
data in the flow against a database of known attack signatures. A signature-based IPS
looks at the packet headers and/or data payloads when analyzing network traffic. All
signature-based IPSs require regular updates for their signature databases.
a) Complexity
Simple for administrators to add new signatures, customize signatures, extend, and so on. Often the simplest of IPS approaches to deploy (depends on the environment).
Sensors require constant and quick updates of the signature database to ensure that the IPS can detect the most recent attacks. Can require expert tuning to be effective in complex and unsteady environments.
b) Susceptibility and Accuracy
Relatively low false positive rate (if the IPS is properly tuned and using well-designed signatures).
More susceptible to evasion through complex signatures that are designed to evade a signature-based IPS. Cannot detect unknown attacks of which there is no signature in the database.
c) Reporting
Ability to name attacks and provide the administrator with additional information about a specific attack.
2) Anomaly-based. A network IPS that analyzes or observes network traffic and acts if a network event outside normal network behavior is detected. The two types of anomaly-based network IPSs are
a) statistical anomaly detection
b) protocol verification.
3) Policy-based. A network IPS that analyzes traffic and acts if it detects a network
event outside a traffic policy. A traffic policy usually involves permitted or denied
communications over a network segment similar to an enterprise-class firewall.


Cisco IPS Management Products


Cisco IPS Device Manager (IDM)
Cisco IPS Manager Express (IME)
Cisco Security Manager (CSM)
  
Network IPS Traffic Analysis Methods

A network IPS sensor uses a number of different aspects to analyze network traffic. Some
of the most common methods of network analysis include the following:
  • Stateful content matching
  • Protocol decoding
  • Packet correlation
  • Rate analysis
  • Packet header matching
  • Packet content matching
  • Statistical modeling
  • Event correlation
Stateful Content Matching
Collects data that is fragmented across sessions and packets into a complete history using a buffer, so that fragmented malicious code cannot slip through. It does not always evaluate the data it holds correctly, which can lead to false positives.

Protocol Decoding
Analyzes the application-layer protocol.
1) Examines less traffic.
2) Verifies the protocol and rejects actions that do not conform to the protocol standard, for example buffer overflows, excessive data sent to a host, ping of death, and so on.
3) Reduces the number of false positives, because it looks for malicious HTTP URLs only in the part of the HTTP request where the URL is located, rather than in the entire stream of TCP bytes.
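The two methods above side by side, as an added Python example (not code from these notes or from Cisco): a per-packet matcher misses a pattern split across two TCP segments, a stateful matcher with a carry-over buffer finds it, and a minimal HTTP decoder applies the URL signature only to the decoded request-target so the same bytes in a POST body do not raise a false positive. The sessions, the signature content `/../` and the helper names are constructed for the example.

```python
SIGNATURE_CONTENT = b"/../"   # hypothetical URL signature content (path traversal marker)


def build_segments(chunks):
    """Turn payload chunks into (relative sequence number, payload) TCP segments."""
    segments, seq = [], 0
    for chunk in chunks:
        segments.append((seq, chunk))
        seq += len(chunk)
    return segments


# Constructed session: the signature content straddles the boundary between
# the second and third segment, so no single segment contains it.
SESSION_A = build_segments([
    b"GET /images",
    b"/..",
    b"/secret HTTP/1.1\r\nHost: example.test\r\n\r\n",
])

# Constructed benign session: the same bytes occur in a POST body, not in the URL.
SESSION_B = build_segments([
    b"POST /comment HTTP/1.1\r\nHost: example.test\r\n",
    b"Content-Length: 24\r\n\r\n",
    b"use a/../b for the path!",
])


def per_packet_match(segments, pattern):
    """Stateless inspection: each segment is examined on its own."""
    return any(pattern in payload for _, payload in segments)


def reassemble(segments):
    """Put the session back in sequence order (assumes no gaps or overlaps)."""
    return b"".join(payload for _, payload in sorted(segments))


class StatefulMatcher:
    """Keeps the last len(pattern)-1 bytes of earlier data in a buffer so a
    pattern split across segment boundaries is still found."""

    def __init__(self, pattern):
        self.pattern = pattern
        self.tail = b""

    def feed(self, data):
        window = self.tail + data
        keep = len(self.pattern) - 1
        self.tail = window[-keep:] if keep > 0 else b""
        return self.pattern in window


def stream_match(segments, pattern):
    """Stateful content matching over the in-order segment stream."""
    matcher = StatefulMatcher(pattern)
    return any(matcher.feed(payload) for _, payload in sorted(segments))


def decode_http_request(stream):
    """Minimal HTTP/1.x request decoder: request line, header map and body."""
    head, _, body = stream.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def uri_signature_match(segments, pattern):
    """Protocol decoding: apply the URL signature only to the decoded request-target."""
    request = decode_http_request(reassemble(segments))
    return pattern in request["target"]


if __name__ == "__main__":
    for name, session in (("A", SESSION_A), ("B", SESSION_B)):
        print(name, per_packet_match(session, SIGNATURE_CONTENT),
              stream_match(session, SIGNATURE_CONTENT),
              uri_signature_match(session, SIGNATURE_CONTENT))
```

The buffer in `StatefulMatcher` is the "complete history" the notes mention: without it session A is a false negative, and without the decoder session B is a false positive from matching raw TCP bytes.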
Packet Correlation
A complex system that analyzes different traffic flows in real time in order to establish correlations between them. Once the correlations are established, their behavior is analyzed over defined time intervals to identify various kinds of attacks. For example: a host sends more than 4 ping messages to different hosts on the network; a port scan attack is likely.
Rate analysis
Checks the quantity and quality of traffic on the network. When a permitted threshold is exceeded, it raises an alert or takes another action. For example, when the number of established TCP connections on the network exceeds the threshold (torrents).

Statistical modeling
A network IPS sensor can use an analysis technique and supervised learning to build a statistical model that describes certain traffic properties. Often, infected servers or PCs try to open a much larger number of sessions. An IPS sensor would detect such anomalies and identify a worm attack.
Event correlation

Provides a higher-level (more complex) form of behavioral analysis by linking several events into one picture; however, the time available for a single logical chain is limited, so it is recommended to monitor the logs to detect long-running attacks on the system.

Network IPS Evasion Techniques

  • Encryption and tunneling
  • Timing attacks
  • Resource exhaustion
  • Traffic fragmentation
  • Protocol-level misinterpretation
  • Traffic substitution and insertion

Encryption and Tunneling

One common method of evasion used by attackers is to avoid detection simply by encrypting
the packets or putting them in a secure tunnel.

  • Secure Shell (SSH) connection to an SSH server
  • Client-to-LAN IPsec (IP Security) VPN (Virtual Private Network) tunnel
  • Site-to-site IPsec VPN tunnel
  • SSL (Secure Socket Layer) connection to a secure website
Timing Attacks

Attackers can evade detection by performing their actions slower than normal, not exceeding the thresholds inside the time windows that the signatures use to correlate different packets together.
A slow and distributed attack mechanism that is not caught by the triggering thresholds.
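An added Python example (not from these notes or from Cisco) that serves both the packet correlation and rate analysis descriptions above and this timing-attack section: a sliding-window rule that reports a source pinging more than 4 distinct hosts within the window, run over a constructed fast sweep and a constructed slow one. The hosts, timestamps, threshold and window values are made up.

```python
from collections import defaultdict, deque

# Constructed ICMP echo-request records (made up): (timestamp seconds, source, destination).
# A fast sweep hits six hosts in just over a second; a slow one spreads the same
# six probes over 100 seconds.
FAST_SWEEP = [(i * 0.25, "10.0.0.9", f"10.0.0.{100 + i}") for i in range(6)]
SLOW_SWEEP = [(i * 20.0, "10.0.0.8", f"10.0.0.{100 + i}") for i in range(6)]


class SweepDetector:
    """Packet-correlation rule: a single source pinging more than `threshold`
    distinct hosts within `window` seconds is reported as a probable host sweep.
    Rate analysis works the same way with a plain event count instead of a set."""

    def __init__(self, threshold=4, window=10.0):
        self.threshold = threshold
        self.window = window
        self.recent = defaultdict(deque)   # source -> deque of (timestamp, destination)

    def observe(self, ts, src, dst):
        """Record one echo request; return True if the rule fires for this source."""
        queue = self.recent[src]
        queue.append((ts, dst))
        while queue and ts - queue[0][0] > self.window:   # slide the window forward
            queue.popleft()
        distinct_targets = {d for _, d in queue}
        return len(distinct_targets) > self.threshold


def alerts_for(records, detector):
    """Run records through a detector and return the timestamps at which it fired."""
    return [ts for ts, src, dst in records if detector.observe(ts, src, dst)]


if __name__ == "__main__":
    print("fast sweep, 10 s window:", alerts_for(FAST_SWEEP, SweepDetector()))
    print("slow sweep, 10 s window:", alerts_for(SLOW_SWEEP, SweepDetector()))
    print("slow sweep, 120 s window:", alerts_for(SLOW_SWEEP, SweepDetector(window=120.0)))
```

With the default 10-second window the slow sweep never has more than one probe in view and produces nothing; widening the window to 120 seconds catches it, at the cost of keeping more state per source, which is why the notes recommend the logs for long-running attacks rather than ever larger in-sensor windows.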


Resource Exhaustion ("false trail")
A large number of decoy attacks is generated, so that the staff do not have enough time to spot the targeted attack.

Traffic Fragmentation
  • TCP segmentation and reordering: The sensor must correctly reassemble the entire
    TCP session, including possible corner cases, such as selective ACKs and selective
    retransmission.
  • IP fragmentation: The attacker fragments all traffic if the network IPS does not perform
    reassembly. Most sensors do perform reassembly, so the attacker fragments the
    IP traffic in a manner that it is not uniquely interpreted. This action causes the sensor
    to interpret it differently from the target, which leads to the target being compromised.
Protocol-Level Misinterpretation
A game of: normal content with a bad checksum, then malicious content with a good checksum. The IPS, having caught the first packet, sees that the checksum is bad and does not check the second packet, assuming it is a retransmission caused by the corrupted checksum.
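The two sensor mistakes described in the fragmentation list and in this section, as an added Python example (not code from these notes or from Cisco): a fragment reassembler that can resolve an overlap either the way the sensor does or the way the target does and flags the conflicting overlap itself, and a stream view that shows what a sensor sees when it keeps a segment the target discards for a bad checksum. The fragments, segments and the signature `/admin` are constructed for the example; the checksum routine is the RFC 1071 one's-complement sum applied to the payload only.

```python
SIGNATURE = b"/admin"   # hypothetical content signature used by both checks below


# --- IP fragmentation with overlapping fragments -------------------------------

# Constructed fragments (made up) of one datagram, in arrival order: (byte offset, data).
# The third fragment overlaps the second at bytes 5..9 with different content.
FRAGMENTS = [
    (0, b"GET /"),
    (5, b"index.html"),
    (5, b"admin"),
]


def reassemble_fragments(fragments, policy="first"):
    """Rebuild the datagram. `policy` is "first" (the first copy of an overlapped
    byte wins) or "last" (the latest copy wins). Returns (payload, conflict) where
    conflict is True if overlapping fragments disagreed about any byte."""
    total = max(offset + len(data) for offset, data in fragments)
    buffer = bytearray(total)
    filled = [False] * total
    conflict = False
    for offset, data in fragments:
        for i, byte in enumerate(data):
            pos = offset + i
            if filled[pos]:
                if buffer[pos] != byte:
                    conflict = True
                if policy == "first":
                    continue
            buffer[pos] = byte
            filled[pos] = True
    if not all(filled):
        raise ValueError("datagram has gaps; cannot reassemble")
    return bytes(buffer), conflict


def inspect_fragments(fragments, signature, sensor_policy, target_policy):
    """Compare what the sensor sees with what the target sees, and report whether
    the conflicting overlap itself deserves an evasion alert."""
    sensor_view, conflict = reassemble_fragments(fragments, sensor_policy)
    target_view, _ = reassemble_fragments(fragments, target_policy)
    return {
        "sensor_hit": signature in sensor_view,
        "target_hit": signature in target_view,
        "missed_by_sensor": signature in target_view and signature not in sensor_view,
        "overlap_conflict": conflict,   # worth an alert regardless of signature match
    }


# --- TCP segments with a bad checksum ---------------------------------------------

def internet_checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit words (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


# Constructed segments in arrival order: (sequence number, payload, checksum field).
# The first carries decoy data with a corrupted checksum; the second the real data.
SEGMENTS = [
    (0, b"GET /index.html", internet_checksum(b"GET /index.html") ^ 0x0001),
    (0, b"GET /admin.html", internet_checksum(b"GET /admin.html")),
]


def stream_view(segments, verify_checksum):
    """Reassemble a stream as an endpoint would. A target discards segments whose
    checksum fails; a sensor that skips verification keeps the decoy instead."""
    accepted = {}
    for seq, payload, csum in segments:                   # arrival order
        if verify_checksum and internet_checksum(payload) != csum:
            continue
        accepted.setdefault(seq, payload)                 # first accepted copy wins
    return b"".join(accepted[seq] for seq in sorted(accepted))


if __name__ == "__main__":
    print(inspect_fragments(FRAGMENTS, SIGNATURE, "first", "last"))
    print(stream_view(SEGMENTS, False), stream_view(SEGMENTS, True))
```

The defensive takeaways are in the two flags: a sensor should reassemble with the same overlap policy as the hosts behind it and treat a conflicting overlap as an alert in its own right, and it should validate checksums before feeding a segment into stream reassembly so that its view of the session is the target's view.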

Traffic Substitution and Insertion

An almost inexhaustible source of inspiration for encoding-based attacks. While still working through the material, using a derivative of this method, I will be able to get malicious code past an IPS. It requires a very creative and flexible mindset on the administrator's part to analyze and detect such attacks.



Sensor Deployment Considerations

  • Security
  • Prevention mode or detection mode
  • Performance
  • Virtualization requirements
Prevention Mode Versus Detection Mode

As usual, everything depends on who and what you are trying to catch, and on what you want to achieve by deploying IPSs. There is no point in writing out and rolling out every recommendation; it is enough to stick to the basic concepts and look through the recommended best practices.

Performance Considerations

Again, when deploying you need to size for:
1) adequate traffic throughput
2) the number of connections per second
3) jitter for voice flows, or you will get a "croaking" voice :D


Virtualization Requirements

Key phrase: there can be multiple virtual sensors running on a single Cisco IPS platform, where each of these sensors applies a different inspection policy based on the IP addresses of hosts communicating through the virtual sensor.



Network IPS Implementation Guidelines

Although Cisco has standard practices, they should by no means be treated as a ready-to-use scheme, although the classification itself is very sound.


  • Enterprise or provider Internet edge
  • Wide-area networks (WAN)
  • Data center
  • Centralized campus
So, let's go through the concepts one by one.

Enterprise or Provider Internet Edge



This very schematic concept shows a typical way of deploying IPS. The first IPS is deployed inline directly between the ASA and the corporate network, providing immediate policy enforcement and stopping of intrusions, as well as IDS monitoring. It is critically important.
The other two IPSs are deployed transparently in IDS mode to monitor according to the assigned tasks, if there are any.

Wide-Area Network





A typical concept



The next concept shows a potentially complete solution in terms of protection; unfortunately, far from every company can afford duplicate incoming links to a single provider, so in the vast majority of cases the scheme collapses to a single link.
A drawback of this scheme is the IPS's low visibility into the network's traffic, because the traffic first passes through a logical firewall. In some cases it makes sense to move the sensor to the second link after the VPN routers, sometimes even behind them. However, in that case the number of alerts, false positives included, may exceed all expectations and even bring down the IPS :).




DMVPN and FlexVPN. Practice 1. The simple variant.





DMVPN and FlexVPN. Practice 2. The complex variant.


Data Centers







Centralized campus

Don't forget about using SPAN and RSPAN.













