Cisco IPS Adaptive Intrusion Prevention

© 2006 Cisco Systems, Inc. All rights reserved. Presentation_ID 1

Ng Tock Hiong

Director, Systems Engineering

[email protected]

Today’s Discussion

• The Self-Defending Network and Cisco® IPS

• Cisco Intelligent Detection Architecture and Technologies

• Cisco Security Intelligence Engineering

• IPS Application Examples

• Summary

The Evolution of Intent: From Hobbyists to Professionals

Threats Becoming Increasingly Difficult to Detect and Mitigate

[Chart: Threat Severity over time, 1990, 1995, 2000, 2005, What’s Next?]

Testing the Waters: Basic Intrusions and Viruses

Fame: Viruses and Malware

Financial: Theft and Damage

Sophisticated Hacking Tools Are Easily Accessible

Austin, Texas, January 28th, 2008 -- The Metasploit Project announced today the free, world-wide availability of version 3.1 of their exploit development and attack framework. The latest version features a graphical user interface, full support for the Windows platform, and over 450 modules, including 265 remote exploits.

“…provides a wizard-based exploitation system”

“…includes a bristling arsenal of exploit modules that are sure to put a smile on the face of every information warrior”

Sophisticated Hacking Tools Are Easy to Use too…

Choose Your Target and Exploit Type…

Reducing the Gray: Uncertainty Equals Risk and Cost

Good: Allow

Relevant: Pass and Log

Suspicious: Pass and Alarm

Bad: Block

Controls: NAC, Traffic Shaping, IPS, Anti-X, DDoS, Firewall; Monitoring & Correlation

Inefficient; Highly Manual → Efficient Operations, Effective Security (Self-Defending Network)



Cisco IPS Intelligent Detection

Intelligent Detection

• Unmatched threat analysis and mitigation engines based on 15 years of continuous innovation

• Deep protection from known and unknown attacks that other solutions don’t catch

• Superior anti-evasion and day-zero attack protection

Proactive Protection

• Rapid updates from Cisco® global security intelligence engineering

• Vulnerability-focused signatures for superior protection ahead of the threat

• Expedited coverage of important security events, including Microsoft Patch Tuesday Vulnerabilities

Comprehensive Application Protection

• End-to-end Cisco on Cisco voice protection from the unified communications experts

• In-depth inspection capabilities to protect critical Web 2.0 application farms

• Adaptive wireless protection in collaboration with Cisco wireless controllers


Cisco IPS Architecture: Intelligent Detection and Precision Response

Cisco Threat Intelligence Services: Signature Updates, Engine Updates

Modular Inspection Engines
• Vulnerability
• Exploit
• Behavioral anomaly
• Protocol anomaly
• Universal engines

Normalizer Module
• Layer 3–7 normalization of traffic to remove attempts to hide an attack

Risk-Based Policy Control
• Calibrated “risk rating” computed for each event
• Event action policy based on risk levels
• Filters for known benign triggers

On-Box Correlation Engine
• Meta event generator for event correlation

Context Data; Network Context Information

Forensics Capture
• Before attack
• During attack
• After attack

Mitigation and Alarm
• “Threat rating” of event indicates level of residual risk

Virtual Sensor Selection
• Traffic directed to appropriate virtual sensor by interface or VLAN

Traffic flow: In → Out

Intelligent Detection: Key Threat Analysis and Mitigation Technologies

Evasion Protection: Protection against stealthy attacks designed to deceive security systems

Vulnerability-Focused Signatures: Verified protection against tens of thousands of threats and millions of potential exploit variants with a minimal number of signatures

Local Event Correlation: Real-time protection against multivector attacks

Normalizer Module

[Diagram: a “Correct” Stream, a Stream with Evasion Attempt, and the “Normalized” Stream produced by the module]

Cisco® anti-evasion technology detects deceptive attack techniques that may go undetected by other IPS devices. This adaptive technology provides protection against some of the most dangerous tools currently used by attackers today.
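As an added illustration of what a normalizer does (example code written for this page, not Cisco's normalizer), the Python below rebuilds a TCP byte stream from its segments under one overlap policy and counts overlapping bytes whose contents disagree, which is the signal that separates the “correct” stream from the evasion attempt on the slide; the segments and the signature pattern are constructed.

```python
"""Toy traffic normalizer: resolve overlapping TCP segments into one
consistent byte stream before any signature engine looks at it.

Added example for this slide; it is not Cisco IPS code and does not
reproduce Cisco's normalizer. All segments below are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Segment:
    seq: int      # relative TCP sequence number of the first byte
    data: bytes


def normalize(segments: List[Segment], policy: str = "first") -> Tuple[bytes, int]:
    """Rebuild the stream under ONE overlap policy and count disagreements.

    policy="first": the byte that arrived first wins; policy="last": a later
    overlapping segment overwrites. The returned conflict count is the number
    of overlapping bytes whose data disagreed. A legitimate retransmission
    repeats the same bytes, so a non-zero count is the tell-tale of a stream
    built so that the sensor and the end host could read it differently.
    Gaps left by missing segments are rendered as NUL bytes.
    """
    if policy not in ("first", "last"):
        raise ValueError("unknown overlap policy")
    stream = {}        # offset -> byte value
    conflicts = 0
    for seg in segments:                       # arrival order matters
        for i, b in enumerate(seg.data):
            off = seg.seq + i
            if off in stream:
                if stream[off] != b:
                    conflicts += 1
                if policy == "last":
                    stream[off] = b
            else:
                stream[off] = b
    if not stream:
        return b"", 0
    return bytes(stream.get(off, 0) for off in range(max(stream) + 1)), conflicts


def evasion_suspected(segments: List[Segment]) -> bool:
    """Inconsistent overlap: the normalizer flags the stream before inspection."""
    return normalize(segments)[1] > 0


def inspect(stream: bytes, pattern: bytes) -> bool:
    """Stand-in for a content signature: a plain substring match."""
    return pattern in stream


def per_segment_inspect(segments: List[Segment], pattern: bytes) -> bool:
    """What a sensor that looks at each segment in isolation would report."""
    return any(pattern in s.data for s in segments)


# Constructed streams. PATTERN stands in for any content signature.
PATTERN = b"ATTACK"
CORRECT_STREAM = [Segment(0, b"ATT"), Segment(3, b"ACK")]
# Overlapping retransmission of offsets 3..5 with different content:
# a "first" reader sees ATTZZZ, a "last" reader sees ATTACK.
EVASION_STREAM = [Segment(0, b"ATT"), Segment(3, b"ZZZ"), Segment(3, b"ACK")]

if __name__ == "__main__":
    for name, segs in (("correct", CORRECT_STREAM), ("evasion", EVASION_STREAM)):
        data, n = normalize(segs, "last")
        print(name, data, "conflicts:", n, "match:", inspect(data, PATTERN))
```

Whichever policy the sensor picks, the point is that every downstream engine inspects the same bytes, and a stream that only matches under one policy is reported by the conflict count rather than silently passed.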

Vulnerability-Focused Signatures for Unparalleled Coverage

Cisco® commitment to vulnerability-focused signatures provides exceptional detection of both known and tested exploits as well as exploits yet to be written (day-zero exploits).

3000 Vulnerability-Focused Signatures

30,000 Known Exploits and Variants

Countless Exploit Variants Yet to Be Written

Outstanding Coverage

One Sub-Signature: 5477-2 Possible Heap Payload Construction

39 Different Exploits Covered (as of 2/8/2008)

Metasploit: mozilla_compareto v1.3

Microsoft Internet Explorer window Arbitrary Code Execution Vulnerability

[xxxxx]: Microsoft Internet Explorer window() exploit 1.6

Mozilla Firefox InstallVersion.compareTo() Overflow

Metasploit 2.5 - mozilla_compareto 1.3

[xxxxx]: Firefox and Mozilla compareTo

Metasploit: Mozilla Firefox Memory corruption via QueryInterface on Location, Navigator objects

[xxxxx] MS07-004 CVE-2007-0024 Vulnerability in Vector Markup Language Could Allow Remote Code Execution

milw0rm: MS Internet Explorer VML Remote Buffer Overflow Exploit (MS07-004)

MS Windows (.ANI) GDI Remote Elevation of Privilege Exploit (MS07-017)

[xxxxx]: McAfee ePolicy Orchestrator ActiveX Exploit

Milw0rm: Yahoo Messenger Web Cam Exploits

[xxxxx] Microsoft Speech API ActiveX control Exploit for IMPACT v6.2

[xxxxx]: IE createTextRange() exploit v1.3

Metasploit ie_createtextrange v1.4

MS April - CVE-2006-1359 Cumulative Security Update for Internet Explorer

Metasploit: Multiple Mozilla Products Memory Corruption/Code Injection/Access Restriction Bypass Vulnerabilities firefox_queryi

IE MS06-42 Patch Exploit for [xxxxx]

milw0rm IE COM Object Heap Overflow DirectAnimation.PathControl

[Milw0rm] MS Internet Explorer (VML) Remote Buffer Overflow Exploit (SP2) (pl)

[xxxxxx]: IE VML buffer overflow exploit update 1.6

[milw0rm] MS Internet Explorer WebViewFolderIcon setSlice() Exploit (pl)

[milw0rm] MS Internet Explorer WebViewFolderIcon setSlice() Exploit (c)

Media Player PNG header overflow exploit

MS06-071 - Microsoft XML Core Service XMLHTTP ActiveX Control Remote Code Execution Vulnerability

milw0rm: MS Internet Explorer 6/7 (XML Core Services) Remote Code Exec Exploit 2

MS Internet Explorer 6/7 (XML Core Services) Remote Code Exec Exploit 3

[xxxxx]: IE XML HTTP Exploit for IMPACT v1.5

milw0rm: Yahoo! Widget < 4.0.5 GetComponentVersion() Remote Overflow Exploit

[xxxxx] McAfee Subscription Manager ActiveX Exploit

[xxxxx] CVE-2007-3040 KB938827 Vulnerability in Agent could allow Remote Code Execution

[xxxxx] - Yahoo Messenger YVerInfo.dll ActiveX Multiple Remote Buffer Overflow Vulnerabilities

[xxxxx] KB942615: Cumulative Security Update for Internet Explorer CVE-2007-3902

[xxxxx] KB942615: Cumulative Security Update for Internet Explorer CVE-2007-5344

[xxxxx] KB942615: Cumulative Security Update for Internet Explorer CVE-2007-3903

[xxxxx]: Microsoft Agent MS07-051 Exploit Update for IMPACT v7

AskJeeves Toolbar 4.0.2.53 activex Remote Buffer Overflow Exploit

Milw0rm: Yahoo! Music Jukebox Remote exploits (3)

Local Event Correlation: Protection from Multivector Attacks

[Diagram: Event 1, Event 2 and Event 3 arriving at the IPS. Without correlation: IPS Passes Multivector Attack. IPS With Local Event Correlation Blocks Multivector Attack]

Single events may appear normal when taken alone, but may indicate a multivector attack when taken together. Unlike security event manager-based correlation, local event correlation enables the IPS to take preventive action before the end system is compromised.
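An added example, not Cisco IPS code, of the on-box meta-event idea: component events that look harmless alone complete a meta-event when they all arrive from one source inside a time window, and the sensor can act on the packet that completes the pattern instead of waiting for a manager to correlate exported logs. The component event names, the window, the action and the sample events are constructed.

```python
"""Toy on-box meta-event generator for local event correlation.

Added example for this slide (not Cisco IPS code). The component event
names, the meta-event definition and the sample events are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class Event:
    t: float     # seconds since start of capture
    src: str     # attacker address
    sig: str     # component signature that fired


@dataclass(frozen=True)
class MetaEvent:
    name: str
    components: FrozenSet[str]   # every one of these must fire from the same source
    window: float                # all components within this many seconds of the newest
    action: str                  # what the sensor does on the spot when it fires


class Correlator:
    """Keeps, per source and per meta-event, the newest time each component
    fired; fires the meta-event (once per source) when the set is complete
    inside the window."""

    def __init__(self, definitions: Iterable[MetaEvent]):
        self.defs = list(definitions)
        self._seen: Dict[Tuple[str, str], Dict[str, float]] = defaultdict(dict)
        self._fired = set()

    def feed(self, ev: Event) -> List[Tuple[str, str]]:
        """Return (meta-event name, action) pairs completed by this event."""
        fired = []
        for meta in self.defs:
            if ev.sig not in meta.components:
                continue
            key = (ev.src, meta.name)
            seen = self._seen[key]
            seen[ev.sig] = ev.t                      # newest occurrence wins
            # forget component hits that are now outside the window
            for sig, t in list(seen.items()):
                if ev.t - t > meta.window:
                    del seen[sig]
            if meta.components <= set(seen) and key not in self._fired:
                self._fired.add(key)
                fired.append((meta.name, meta.action))
        return fired


def run(events: Iterable[Event], definitions: Iterable[MetaEvent]):
    """Replay events in time order; return [(t, src, meta name, action)]."""
    corr = Correlator(definitions)
    out = []
    for ev in sorted(events, key=lambda e: e.t):
        for name, action in corr.feed(ev):
            out.append((ev.t, ev.src, name, action))
    return out


# Three component events that are individually low-risk but, together from one
# source inside 60 s, make up the multivector pattern shown on the slide.
MULTIVECTOR = MetaEvent("multivector-attack",
                        frozenset({"EVENT_1", "EVENT_2", "EVENT_3"}), 60.0, "deny-attacker")

SAMPLE_EVENTS = [   # constructed
    Event(0.0, "10.0.0.5", "EVENT_1"),
    Event(5.0, "10.0.0.9", "EVENT_2"),
    Event(20.0, "10.0.0.5", "EVENT_2"),
    Event(45.0, "10.0.0.5", "EVENT_3"),    # completes the set for 10.0.0.5
    Event(100.0, "10.0.0.9", "EVENT_1"),
    Event(200.0, "10.0.0.9", "EVENT_3"),   # 10.0.0.9's hits are too far apart
]

if __name__ == "__main__":
    for row in run(SAMPLE_EVENTS, [MULTIVECTOR]):
        print(row)
```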

Dynamic Protocol Analysis Engine Updates

Dynamically updated Protocol Analysis Engines provide a framework for sophisticated inspection and analysis capabilities that, unlike hardware-based engines, can be updated as needed to reflect changes and enhancements to network protocols as easily as a signature update.

Engines shown: HTTP, MSRPC, SMTP, SMB

Real-Time Anomaly Detection for Zero-Day Threats

• Anomaly-detection algorithms to detect and stop zero-day threats

• Real-time learning of normal network behavior

• Automatic detection and policy-based protection from anomalous threats to the network

• Result: Protection against attacks for which there is no signature

[Diagram: traffic from the Internet into the network. Traffic Conforms to Baseline; Anomalous Activity Detected, Indicating Potential Zero-Day Attack]

Endpoint Attack Relevance Visibility: Increasing the Fidelity of Risk-based Policy

• Attack target contextual information used to refine security response

• Contextual information gathered through:
  • Passive OS fingerprinting
  • Static OS mapping for exception handling
  • CSA Linkages

• Dynamic Risk Rating adjustment based on attack relevance

• Result: More appropriate and effective security response actions

[Diagram: Attacker initiates IIS attack destined for servers; Network Scanner (A). Windows Server: Vulnerable, Increase Risk Rating. Linux Server: Not Vulnerable, Filter Event. Event / Action Filtering. Monitoring Console: Non-relevant events filtered]

Network-Endpoint Collaboration: Increasing the Fidelity of Risk-based Policy

• Cisco Security Agent (CSA) provides data on suspicious hosts through Watch List (Network Context)

• IPS Sensor risk sensitivity increased dynamically for suspicious hosts (risk rating increase)

• Result: Improved risk management

1. Attacker tries to brute force attack an internal server

2. CSA blocks the attack and adds attacker to its watchlist

3. CSA collaborating with Cisco IPS is able to dynamically elevate the Risk Rating threshold for attacks coming from the attacker

4. Future attacks from hacker are blocked at the IPS device

Real-Time Risk-based Policy: Risk Rating and IPS Policy

Risk Rating: a quantitative measure of each threat before IPS mitigation

  Event Severity (Urgency of threat?)
+ Signature Fidelity (How prone to false positive?)
+ Attack Relevancy (Important to attack target?)
+ Asset Value of Target (How critical is this destination host?)
+ Network Context (What additional risk information is available?)
= Risk Rating

Risk Rating → IPS Policy Action
RR < 34: Alarm
RR > 35 and < 84: Alarm and Log Packets
RR > 85: Deny Attacker

Threat Rating: Prioritize Incident Response Efforts by Residual Risk

A quantitative measure of each threat after IPS mitigation

• High risk attacks that have been denied no longer require urgent operator attention

• Prioritize incident response on Events with high Residual Risk

IPS Policy: RR > 85 → Deny Attacker

Risk measurement is updated based on IPS policy actions

Example:

• Event 2: Very high Risk Rating, but denied by policy → Low urgency, low Threat Rating

• Event 4: Quite high Risk Rating, but not high enough to deny → Higher urgency and Threat Rating

Result: Increased efficiency of response and productivity of operations by automatic prioritization of high risk incidents

[Chart: Risk Rating and Threat Rating (0 to 100) per Event Number 1 to 5, with the deny threshold at 85]
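The following added example ties together the attack relevance, watch-list, risk rating and threat rating slides above. It is not Cisco's implementation: the additive model is the one sketched on the slide, and the component weights, OS map, asset values, watch list and per-action reduction are assumptions made for illustration. It filters events whose target is known not to be vulnerable, raises the rating for watch-listed attackers, applies the slide's policy bands, and ranks what remains by residual risk so that a denied high-risk event sorts below a lower-rated one that was only logged.

```python
"""Risk Rating -> policy action -> Threat Rating, following the additive
model sketched on the slides. Added example (not Cisco's implementation or
formula); every weight and table below is a constructed assumption.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Alert:
    sig: str
    severity: int        # event severity: urgency of the threat
    fidelity: int        # signature fidelity: how prone to false positives
    attacker: str
    target: str
    requires_os: str     # OS the vulnerability applies to, or "any"


# Context the sensor learns or is given (all constructed for the example)
OS_MAP = {"10.1.1.10": "windows", "10.1.1.20": "linux"}   # passive fingerprint / static map
ASSET_VALUE = {"10.1.1.10": 25, "10.1.1.20": 25}            # how critical the host is
WATCH_LIST = {"192.0.2.77": 15}                              # CSA watch list: attacker -> bump

# Assumed reduction applied to the risk rating once the action has been taken
THREAT_REDUCTION = {"deny-attacker": 45, "alarm-and-log": 0, "alarm": 0}


def attack_relevancy(alert: Alert) -> Optional[int]:
    """0 = unknown target, 10 = target is vulnerable (raise RR), None = not vulnerable (filter)."""
    host_os = OS_MAP.get(alert.target)
    if alert.requires_os == "any" or host_os is None:
        return 0
    return 10 if host_os == alert.requires_os else None


def risk_rating(alert: Alert) -> Optional[int]:
    """Additive model from the slide, clamped to 0..100; None = event filtered."""
    rel = attack_relevancy(alert)
    if rel is None:
        return None
    rr = (alert.severity + alert.fidelity + rel
          + ASSET_VALUE.get(alert.target, 0)
          + WATCH_LIST.get(alert.attacker, 0))
    return max(0, min(100, rr))


def policy_action(rr: int) -> str:
    # Slide: RR < 34 Alarm; RR > 35 and < 84 Alarm and Log Packets; RR > 85 Deny Attacker.
    # The slide leaves 34/35 and 84/85 unstated; this example treats the upper bands as >=.
    if rr >= 85:
        return "deny-attacker"
    if rr >= 35:
        return "alarm-and-log"
    return "alarm"


def evaluate(alert: Alert) -> Optional[dict]:
    rr = risk_rating(alert)
    if rr is None:
        return None                       # non-relevant event filtered from the console
    action = policy_action(rr)
    tr = rr - THREAT_REDUCTION[action]    # residual risk after mitigation
    return {"sig": alert.sig, "risk_rating": rr, "action": action, "threat_rating": tr}


def prioritize(alerts):
    """Operator queue: highest residual risk (threat rating) first; filtered events dropped."""
    results = [r for r in (evaluate(a) for a in alerts) if r is not None]
    return sorted(results, key=lambda r: r["threat_rating"], reverse=True)


SAMPLE = [   # constructed alerts
    Alert("iis-example", 40, 20, "192.0.2.77", "10.1.1.10", "windows"),   # vulnerable, watch-listed
    Alert("iis-example", 40, 20, "192.0.2.77", "10.1.1.20", "windows"),   # Linux target: filtered
    Alert("web-misc", 30, 15, "198.51.100.3", "10.1.1.10", "any"),        # logged, not denied
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE):
        print(row)
```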

Total Security System Management

[Diagram: Cisco Security MARS (Monitoring) and Cisco Security Manager (CSM) (Policy)]

• Configuration and Management

• Policy Implementation

• Threat Intelligence

• Event Sharing and Collaboration

Reduced complexity for more effective risk analysis and operational control


Cisco Security Intelligence

Cisco Global IPS Signature Team

IntelliShield

Cisco PSIRT

IPS Signature Team

Applied Intelligence

Critical Infrastructure Assurance Group

Cisco STAT

Global Security Analysts

• IPS signature development

• Vulnerability research

• Product security testing

• Incident management

• Cisco® security mitigation expertise

• Global critical infrastructure security research

Cisco Security IntelliShield Alert Manager Service

Customizable, web-based security alert service that allows customers to easily access and receive timely, accurate, actionable, and vendor-neutral intelligence about potential threats and vulnerabilities in their environment

Customer Profile

• Network is mission critical to business

• Needs proactive support for a more secure network

Sales and Delivery

• Sold by Cisco and certified partners, delivered by Cisco

Service Capabilities and Features

• Updates on threats and vulnerabilities that may impact network enabling devices, software, or IT infrastructure

• Built-in tools to proactively manage intelligence within organizations

• Configurable portal with flexible service packages

• Detailed information; historical coverage of approximately 10,000 alerts

• Correlation of Cisco IPS signatures

Responding to Security Events as They Occur

[Diagram: inputs to Cisco® PSIRT and Cisco STAT: Incident Response Groups, Primary Research (Cisco Products), Other Vendors, ISACs, External Security Research, Internal Security Research, BugTraq, Full Disclosure, “Back-Channel”; feeding Cisco Applied Intelligence, Cisco IntelliShield and the IPS Signature Team]

Cisco IPS Signature Delivery Process

Discovery, Analysis, and Signature Generation: Discover Vulnerability → Analyze Vulnerability → Create New Signature

Testing and Publishing: Test Signature Integration → Test Signature Field → Publish Signature

Overall Process Time

• Critical: 8 hours

• Urgent: 24 hours

• Standard: 1 week

Cisco Security Center: Mission Control

• Applied mitigation bulletins

• CVSS scores

• PSIRT security alerts

• IPS signatures

• Integration with IronPort®

• Six-month free trial



Cisco High-Performance IPS Applications: Wireless Intrusion Prevention

• Protect the enterprise from wireless users
High-performance IPS helps protect at WLAN speeds for guest users’ and employees’ infected computers.

• Selectively block malicious traffic
Cisco IPS inspection services help enable accurate protection from wireless traffic.

• Remove repeat offenders from the network
Cisco IPS and Cisco WLAN Controllers work collaboratively to detect attackers from Layer 2 to Layer 7, and remove repeat offenders from the network.

[Diagram: Cisco High-Performance IPS, Cisco WLAN Controller, Cisco Access Point]

Securing Cisco Unified Communication Manager and Phones with Cisco IPS

• In-line inspection of voice and video traffic

• Protect infrastructure that voice runs on:
  Protect Call Management infrastructure from attack
  Real-time anomaly detection for day zero threats
  Drop calls that are coming from IP addresses identified on the Cisco Security Agent “watch list”

• Complements firewall application inspection technology

• Cisco IPS’ Risk-based Policy enables easy management of IPS by non-experts

Protection against

• Application Misuse

• DoS/Hacking

• Known Attacks

• Zero-day Attacks

• Viruses/worms, spyware infecting traffic

[Diagram: Legitimate traffic passing through Firewall and IPS]

Cisco ASA 5500 with IPS: Threat Protected VPN, Protecting the VPN Threat Vector

[Diagram: Remote Access VPN User connecting through the ASA 5500; threats shown: Worm/Virus, Spyware, Exploit, Unwanted Application, Illegal Access]

Threat Mitigation: Malware Detection, Worm Detection, Spyware Detection

Application Firewall and Access Control: Application Inspection/Control, Granular Per-User/Group Access Control, Protocol Anomaly Detection, Stateful Traffic Filtering

Accurate Enforcement: Real-Time Correlation, Risk Rating, Attack Drop, Session Removal and Resets

Comprehensive Endpoint Security: Pre-Connection Posture Assessment, Malware Mitigation, Session/Data Security, Post-Session Clean-Up

Leverages Depth of Threat Defense Features to Stop Malicious Worms, Viruses, and More…and Without External Devices or Performance Loss!


Cisco IPS Intelligent Detection

Intelligent Detection

• Unmatched threat analysis and mitigation engines based on 15 years of continuous innovation

• Deep protection from known and unknown attacks that other solutions don’t catch

• Superior anti-evasion and day-zero attack protection

Proactive Protection

• Rapid updates from Cisco® global security intelligence engineering

• Vulnerability-focused signatures for superior protection ahead of the threat

• Expedited coverage of important security events, including Microsoft Patch Tuesday Vulnerabilities

Comprehensive Application Protection

• End-to-end Cisco on Cisco voice protection from the unified communications experts

• In-depth inspection capabilities to protect critical Web 2.0 application farms

• Adaptive wireless protection in collaboration with Cisco wireless controllers


Cisco IPS Product Portfolio

[Chart: portfolio arranged by Performance]

IPS 4200 Series: IPS 4240, IPS 4255, IPS 4260, IPS 4270
Dedicated Appliances for high performance, data center, and focused function environments

Catalyst 6500 Series: IDSM2, Catalyst 6500 IDSM2 bundle
Switch Integrated Service Modules for data center and switch integration

ASA 5500 Series: ASA5510-AIP10, ASA5520-AIP20, ASA5540-AIP40
Firewall-Integrated for comprehensive security and Unified Threat Management

ISR Series Routers: IOS IPS, AIM-IPS, NME-IPS
Remote Office / Branch services for scalable remote office protection

IPS Device Management: Ease of use and Greater Visibility

Enhanced Operational Health and Monitoring

• Signature Update Status

• Sensor heartbeat

• Sensor software restart status

Simplified Deployment and Management

• Auto Signature Updates from CCO

• Simplified configuration copy

• Easier setup

[Screenshot of the sensor setup dialog:]

Enter host name[sensor]:
Enter IP interface[192.168.1.2/24,192.168.1.1]:
Modify current access list?[no]: yes
Current access list entries:
No entries
Permit: 0.0.0.0/0
Permit:
Modify system clock settings?[no]:
[0] Go to the command prompt without saving this config.
[1] Return to setup without saving this config.
[2] Save this configuration and exit setup.
[3] Continue to Advanced setup.

Cisco Intrusion Prevention Strategy: Comprehensive Threat Protection for the SDN

[Diagram: Internet and Intranet with the protection points and products below]

Protection points: Endpoint Protection, Branch Protection, Perimeter Protection, Data Center Protection, Server Protection, Monitoring and Correlation, Solution Management

Products: Cisco® Security Agent, Cisco Security Manager, Cisco Catalyst® Services Modules, Cisco Integrated Services Routers, Cisco ASA 5500 Adaptive Security Appliance, Cisco Security MARS, Cisco IPS 4200 Series

Adaptive, Collaborative, Integrated: Location Matters, Focused Protection, Better Together

• Modular inspection engines: Respond rapidly with minimal downtime

• Behavioral anomaly detection: Protect against zero-day attacks

• Dynamic risk-based threat rating: Adapt threat policy in real time

• The most diverse line of IPS sensors: The right tool for the right job, anywhere in the network

• IPS integrated into the fabric of the network

• Built on Cisco security and network intelligence

• On-box and networkwide correlation to provide greater accuracy and confidence

• Endpoint and network sensors sharing live network information

• Reduced operational costs with a common, solution-based management interface