Defense-in-Depth, Part 2:Advanced Intrusion

Defense

Joel SnyderOpus Onejms@opus1.com

Traditional perimeter technology is being…… Supplemented?

A firewall is not just a firewall any more

Firewalls now have “advanced application

intelligence”

• Actually, they had that already, but the

marketroids had to keep themselves busy

Firewalls now are “intrusion prevention

systems”

• Isn’t every firewall an intrusion

prevention system?

Firewalls now do virus scanning, content

scanning, and ironing

Application-layer firewalls are needed to

protect legions of inadequate web

programmers

IDS has been replaced by IPS

• (No, I don’t believe that, I’m just

repeating awful rumors)

Worms now outnumber viruses in

your e-mail by a factor of 20 to 1

Spam represents 50% to 75% of all

e-mail you receive

Key question: Do you need this? Do you need to buy (or

upgrade) to a bigger, smarter,

faster, more capable firewall?

Do you need to buy an IPS?

…an application layer firewall?

…a smarter IDS?

…an SSL VPN device?

Do I want an all-in-one thing?

Do I want individual parts?The answer you’ve been waiting

for… is on the very next slide!

Should I buy a lot of this new security stuff?

And if I do buy this, what kind should I buy?

And where should I put it?And which product should I buy?

Answer: 42

I can’t tell you what is right for your network

I can tell you what

products are out there

and what they are

doing

I can also tell you

what the trends are in

these products

But the hard work

remains yours

So let’s look at what’s happening in the firewall business

March, 2004: Information Security sponsors research on new firewall technologies

Products from Check

Point, Cyberguard,

NetScreen, Nortel

Networks, Symantec,

Secure Computing,

Watchguard

Support from Andy Briney,

Neil Roiter at Information

Security

http://infosecuritymag.techtarget.com/

Firewalls have been around for a very long time

“[AT&T’s gateway creates] a sort of crunchy shell around

a soft, chewy center.”

(Bill Cheswick, Design of a Secure Internet Gateway, April,

1990)

1989 1991 1993 1995 1997 1999 2001 2003 2005

First firewalls deployed in Internet-connected organizations

“Firewalls and Internet Security” published

TIS toolkit commonly available

Cisco buys PIX (Network Translation)

CheckPoint revenues cross $100m

WatchGuard introduces 1st FW appliance

Surely firewall makers have been busy since 1999 ?

Clear market trends

Faster

Cheaper

Smaller

• New Guard:

NetScreen (Juniper),

Watchguard,

SonicWALL

• Old Guard: Cisco,

Check Point

Clear product trends

Add VPN features

• Site-to-site

• Remote Access (?)

Add policy-based URL

control

• Websense-type

Add interfaces

• No longer just inside,

outside, DMZ

Surely, firewall makers have been busy since 1999 ?

Clear market trends

Faster

Cheaper

Smaller

• New Guard:

NetScreen (Juniper),

Watchguard,

SonicWALL

• Old Guard: Cisco,

Check Point

Clear product trends

Add VPN features

• Site-to-site

• Remote Access (?)

Add policy-based URL

control

• Websense-type

Add interfaces

• No longer just

inside, outside, DMZ

Incremental improvements are not very exciting

Smaller, cheaper, faster: that’s great

VPNs, more interfaces: that’s great

But what have you done for me lately?

To answer that, we need to digress to the oldest

battle in all of firewall-dom: proxy versus packet

filter!

Arguments between Proxy and Stateful PF continued

Proxy

More secure because you

can look at application

data stream

More secure because you

have independent TCP

stacks

Stateful PF

Faster to write

Faster to adapt

Faster to run

Faster also means

cheaper

Proxy-based firewalls aren’t dead… just slow!

Proxy

Packet Filtering

Src=10.1.1.99Dst=5.6.7.8

TCP/IP

Src=1.2.3.4Dst=5.6.7.8

Kernel

Inside network = 10.1.1.0/24

Outside net = 1.2.3.4

RTL

Process Space

Firewall Landscape: five years ago

IBM eNetwork

Secure Computing

Altavista Firewall

TIS Gauntlet

Raptor Eagle

Elron

Cyberguard

Ukiah Software

NetGuard

WatchGuard

SonicWALL

Check Point

Livermore Software

Milkyway

Borderware

Global Internet

Stateful Packet Filtering dominates the market

Stateful Packet Filtering

IP

Kernel

Check PointCisco NetScreen SonicWALL

Freeware-based products: Ipchains, IPF, Iptables, IPFW

FW Newcomers:Fortinet, Toshiba, Ingate, ServGate, many others

But… the core argument was never disputed

Proxy-based firewalls do have the possibility to give you

more control because they maintain application-layer

state information

The reality is that proxy-based firewalls rarely went

very far down that path

Why? Market demand, obviously…

Firewall Evolution:What we hoped for…

Additional granular

controls on a wide

variety of applications

Intrusion detection

and prevention

functionality

Vastly improved

centralized

management

systems

More flexible

deployment options

Firewall Evolution:What we found…

Additional granular

controls on some

a wide variety of

applications

Limited intrusion

detection and

prevention

functionality

Vastly improved

centralized

management

systems

More flexible

deployment options

Why? Market demand, obviously…

So what’s going on in the firewall business?

Products are diverging, not converging

Personalities of products are distinct

IPS is a step forward, but not challenging the world of

standalone products

Rate of change of established products is slow

compared to new entries

What does this mean for me and my firewall?

Products are

diverging

Personalities are

distinct

IPS weaker than

standalone

Change rate slow

Matching firewall to policy is

hard; change in application or

policy may mean changing

product!

Aggressive adoption of new

features unlikely in popular

products; need new blood to

overcome product inertia

Are Intrusion Detection Systems dead?

http://infosecuritymag.techtarget.com/

Massive Support from Marty Roesch, Ron Gula, Robert Graham

Products from ISS, Cisco, and Tenable

Cash and Prizes from Andy Briney and Neil Roiter

This is an IDS alert…

IDS saw a packet

aimed at a protected

system

IDS magic decoder

technology correctly

identifies this as

“Back Orifice!”

This IDS alert ain’t no good

Last time I checked, FreeBSD 4.9 was not one of the

supported platforms for BackOrifice…

Please don’t call that a false positive

IDS developers will

jump down your

throat

“False Positive”

means the IDS cried

wolf when there was

no such attack

• Usually the result

of poorly written

signatures

Instead, let’s

invent a complex

multisyllable

term:

“non-contextual

alert”

The IDS lacks “context”

IF the IDS knew that

the destination

system was not

running Windows…

IF the IDS knew that

the destination

system was not

running Back Orifice…

IF the IDS knew that

there was no such

destination system…

IF the IDS knew that

the destination

system was more

hops away then TTL

allowed…

IF IF IF the IDS knew more…

THEN the IDS could tell the IDS operator more

about this attack

Ron Gula (Tenable) says that alerts are “raw

intelligence.” They are data, but are not

information yet.

We need to turn them into “well-qualified

intelligence” to start a war.

Roesch: “Target-Based IDS”

Target-based IDS

Sensor• The sensor has knowledge

about the network

• The sensor has knowledge

about the hosts

Target-based

Event Correlation• The output of the

sensor is compared

to knowledge of

vulnerabilities

Target-based IDS has two components

Start with a normal IDS…

1. IDS sensors generate

enormous dinosaur-sized

piles of alerts;

alerts are sent to the IDS

console

2. Operator gets enormous

dinosaur-sized headache

looking at hundreds of

thousands of alerts… and add brains!

What does an IDS with brains look like?

Brains=knowledge + process

Knowledge

Somehow figure out lots

of information about

• What systems are out

there

• What software they

are running

• What attacks they

are vulnerable to

Process

Evaluate each alert

with the additional

contextual knowledge

and decide

• To promote the alert

• To demote the alert

• That we don’t know

Can this quiet my IDS down?

It could…

But none of the

products I looked at

have a feedback loop

to the IDS!

Why don’t the

scanners tell the IDS

what ports to look on?

Why don’t the

scanners tell the IDS

what signatures to

ignore?

Is this right for you?

YES! “I already have an IDS

and I care about the alerts and I need some way to help prioritize them because I am drowning in alerts!”

“I need to get an IDS for alerts but don’t have the manpower to analyze the alerts.”

NO! “If I get this, my IDS will

be a self-tuning smooth-running no-maintenance machine.”

“I have no network security policy which says what to do when an alert occurs.”

Advanced Intrusion DefenseJoel SnyderOpus One

jms@opus1.com