NetRanger Intrusion Detection System
Marek Mąkowski, mmakowsk@cisco.com
0600_11F8_c2
The Security Wheel: Defense In-Depth
Effective network security requires defense in-depth, multiple capabilities - a combination of framework/process, technology, and expertise/ongoing operations…
1) Corporate Security Policy
• Policy Development & Review
2) SECURE
• ID/Authentication • Encryption & VPN • Firewalls • Security Design & Implementation/Integration
3) MONITOR
• Real-Time Intrusion Detection & Response • 7x24 Monitoring
4) AUDIT/TEST
• Vulnerability Scanning & Analysis • Security Posture Assessment • Risk Assessment
5) MANAGE & IMPROVE
• Centralized Policy & Configuration Management • Trend Analysis • Management Reports • Incident Response
Why Active Audit?
• The hacker might be an employee or ‘trusted’ partner
Up to 80% of security breaches are from insiders -- FBI
• Your defense might be ineffective
One in every three intrusions occurs where a firewall is in place -- Computer Security Institute
• Your employees might make mistakes
Misconfigured firewalls, modems, old passwords, etc.
• Your network will Grow and Change
Each change is a security risk
Firewalls, Authorization, Encryption do not provide Visibility into these problems
Active Audit -- Goal: Visibility
• NetRanger Intrusion Detection System
Monitors user behaviors while on the network
Similar to the guards, video cameras and motion detectors that help secure bank vaults
NetRanger Overview
• Real-Time Intrusion Detection and Response
• Finds and stops unauthorized activity occurring on the network --- “reactive” appliance
• Network “motion sensor, video camera, and security guard”
• Industry-leading technology
Scalable, distributed operation
High performance (100MB Ethernet, FDDI, Token Ring)
“On-the-fly” re-configuration of Cisco Router ACLs to shun intruders
NetRanger Architecture
NetRanger Director (software)
• Alarm Handling • Configuration Control • Signature Control
NetRanger Sensor (appliance)
• Detection • Alarm Generation • Response • Countermeasures
Comm: the communications link between Director and Sensor
Sensor Appliance
Sensor Front Panel
Sensor Back Panel
• Monitoring NIC
• Command NIC
Attack Signature Detection
• Scans Packet Header and Payload
Single and multiple packet attacks
• Three-tier Attack Detection
1. Name Attacks (Smurf, PHF)
2. General Category (IP Fragments)
3. Extraordinary (TCP Hijacking, E-mail Spam)
• Customer Defined Signatures
String matching (words)
Quickly defend against new attacks
Scan for unique misuse
Sensor—Detect Intrusions
Signatures are classified two ways: by what they inspect, Context (header) or Content (data), and by how many packets they need, “Atomic” (single packet) or “Composite” (multiple packets).
• Context, atomic: Ping of Death, Land Attack
• Context, composite: Port Sweep, SYN Attack, TCP Hijacking
• Content, atomic: MS IE Attack, DNS Attacks
• Content, composite: Telnet Attacks, Character Mode Attacks
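The four signature classes from this slide, worked as a small sensor loop. This is an added example, not code from the deck or from Cisco; the packets, the Land/port-sweep logic and the customer-defined string are all constructed for illustration.

```python
"""Toy sensor in the NetRanger signature style (added example, not Cisco code).

Covers the classes on the slide: context (header) vs. content (payload)
signatures, each atomic (one packet) or composite (many packets).
Packets are plain dicts constructed below; there is no live capture.
"""
from collections import defaultdict

def land_attack(pkt):
    """Context/atomic: TCP SYN whose source equals its destination."""
    return (pkt["proto"] == "tcp" and "S" in pkt["flags"]
            and pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"])

CUSTOM_STRINGS = [b"/cgi-bin/phf"]   # constructed customer-defined signature

def custom_string(pkt):
    """Content/atomic: customer-defined string match on the payload."""
    return any(s in pkt.get("payload", b"") for s in CUSTOM_STRINGS)

class PortSweep:
    """Context/composite: one source touching >= threshold distinct ports
    on one host inside a sliding window of `window` seconds."""
    def __init__(self, threshold=5, window=10.0):
        self.threshold, self.window = threshold, window
        self.seen = defaultdict(list)          # (src, dst) -> [(ts, dport)]
    def __call__(self, pkt):
        key = (pkt["src"], pkt["dst"])
        hist = [(t, p) for t, p in self.seen[key] if pkt["ts"] - t <= self.window]
        hist.append((pkt["ts"], pkt["dport"]))
        self.seen[key] = hist
        return len({p for _, p in hist}) >= self.threshold

def run_sensor(packets):
    """Return (ts, signature name, src, dst) for every alarm raised."""
    sigs = [("Land Attack", land_attack), ("Custom String", custom_string),
            ("Port Sweep", PortSweep())]
    return [(p["ts"], name, p["src"], p["dst"])
            for p in packets for name, sig in sigs if sig(p)]

def tcp(ts, src, sport, dst, dport, flags="S", payload=b""):
    return dict(ts=ts, proto="tcp", flags=flags, src=src, sport=sport,
                dst=dst, dport=dport, payload=payload)

# Constructed sample traffic: one Land packet, a five-port sweep, one PHF probe.
SAMPLE = [tcp(0.0, "10.0.0.5", 80, "10.0.0.5", 80)]
SAMPLE += [tcp(1.0 + i, "192.0.2.9", 40000 + i, "10.0.0.7", port)
           for i, port in enumerate([21, 22, 23, 25, 80])]
SAMPLE.append(tcp(7.0, "192.0.2.9", 40010, "10.0.0.8", 80, flags="PA",
                  payload=b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n"))

if __name__ == "__main__":
    for alarm in run_sensor(SAMPLE):
        print(alarm)
```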
Sensor—Event Logging
Events are logged for three different activities:
• Alarms—when a signature is detected (diagram example: Ping Sweep)
• Errors—when an error is detected (diagram example: Lost Communications between Director and Sensor)
• Commands—when a user executes a command on the Director or Sensor (diagram example: Shun Attacking Host)
Sensor—Attack Response: Session Termination and Shunning
• Session Termination (e.g., TCP Hijack): the Sensor kills the current active session
• Shunning (Network Device): the Sensor reconfigures the router to deny access to the attacker
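Shunning as a state machine, worked as an added example (not the deck's or Cisco's code): it keeps a timed set of shunned attackers, refuses to shun addresses on a never-shun list so a spoofed-source attack cannot make the Sensor cut off its own Director, DNS or gateway, and renders the full IOS extended ACL the router should receive. The ACL name, addresses and management network are constructed.

```python
"""Shun manager in the NetRanger style (added example, not Cisco's code).

Shuns expire after `duration` seconds; protected networks are never shunned;
render() returns the complete ACL so the router is always given a consistent
list rather than incremental edits. Names and addresses are constructed.
"""
import ipaddress

class ShunManager:
    def __init__(self, acl_name="NR_SHUN", duration=900, never_shun=()):
        self.acl_name, self.duration = acl_name, duration
        self.never_shun = [ipaddress.ip_network(n) for n in never_shun]
        self.active = {}               # attacker address -> expiry time (s)

    def shun(self, attacker, now):
        """Add or extend a shun. Returns True only when the ACL changes."""
        ip = ipaddress.ip_address(attacker)
        if any(ip in net for net in self.never_shun):
            return False               # protected host: log it, never block it
        is_new = ip not in self.active
        self.active[ip] = now + self.duration
        return is_new

    def expire(self, now):
        """Drop shuns whose time has run out. Returns the released addresses."""
        gone = sorted(ip for ip, until in self.active.items() if until <= now)
        for ip in gone:
            del self.active[ip]
        return [str(ip) for ip in gone]

    def render(self):
        """Full IOS config for the ACL: one deny per shunned host, then permit."""
        lines = [f"ip access-list extended {self.acl_name}"]
        lines += [f" deny ip host {ip} any" for ip in sorted(self.active)]
        lines.append(" permit ip any any")
        return lines

if __name__ == "__main__":
    mgr = ShunManager(never_shun=["10.0.0.0/24"])   # constructed management net
    mgr.shun("192.0.2.9", now=0)
    mgr.shun("10.0.0.2", now=0)        # spoofed Director address: ignored
    print("\n".join(mgr.render()))
    mgr.expire(now=1000)
    print("\n".join(mgr.render()))
```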
Sensor—Session Logging
Diagram: the Sensor sits between the Attacker and the Protected Network and writes the attack traffic to a Session Log.
• Capture evidence (keystrokes) of suspicious or criminal activity
• Fish Bowl or Honeypot -- learn and record a hacker’s knowledge of your network
NetRanger Deployment
Diagram components: Internet; Cisco Router with IOS Firewall; PIX Firewall; Switch; DNS Server; WWW Server; Corporate Network (Engineering, Finance, Admin); Business Partner; Dial-Up Access; Cisco Secure Server (ID/Auth., TACACS+); NetRanger Director; NetRanger Sensors (NR/NS); NetSonar; Remote Security Monitoring.
NetRanger Director
• Geographically Oriented GUI
Operations-friendly HP OpenView GUI
Color Icon Alarm notification
Quickly pinpoint, analyze and respond
Maintain Security operations consistency
• Network Security Database
Attack info, hotlinks, countermeasures
Customizable
• Monitor Hundreds of Sensors per NOC
Software Requirements
Operating Systems
Solaris 2.5.1 or 2.6
HP-UX 10.20
HP OpenView 4.11, 5.01, 6.0
Web browser (for NSDB)
Hardware Requirements
• Sun SPARC platform with:
NetRanger install partition: /usr/nr (50 MB)
NetRanger log partition: /usr/nr/var (2 GB)
HP OpenView install partition: /opt (110 MB)
Java run-time environment: /opt (12 MB)
System RAM: 96 MB
Hardware Requirements (cont.)
• HP-UX platform with:
NetRanger install partition: /usr/nr (50 MB)
NetRanger log partition: /usr/nr/var (2 GB)
HP OpenView install partition: /opt (65 MB)
Java run-time environment: /opt (10 MB)
System RAM: 96 MB
Director - Distributed Management
• Enterprise Strategic Management - Director Tier 1
• Regional Operational Management - Director Tier 2
• Local Network Security Management - Director Tier 3
Alarm Display and Management
Map legend: Director icon, Sensor icon, Context intrusion alarm, Content intrusion alarm.
Configuration Management
Network Security Database
• On-line reference tool
• Contains:
Descriptions
Recommendations and fixes
Severity ratings
Hyperlinks to external information/patches
E-mail and Script Execution
• E-mail Notification: sends notification to an e-mail recipient or pager.
• Custom Script Execution: starts any user-defined script.
The Security Wheel: Defense In-Depth
Effective network security requires defense in-depth, multiple capabilities - a combination of framework/process, technology, and expertise/ongoing operations…
1) Corporate Security Policy
• Policy Development & Review
2) SECURE
• ID/Authentication • Encryption & VPN • Firewalls • Security Design & Implementation/Integration
3) MONITOR
• Real-Time Intrusion Detection & Response • 7x24 Monitoring
4) AUDIT/TEST
• Vulnerability Scanning & Analysis • Security Posture Assessment • Risk Assessment
5) MANAGE & IMPROVE
• Centralized Policy & Configuration Management • Trend Analysis • Management Reports • Incident Response
What comprises Active Audit?
NetSonar (Proactive)
• Vulnerability scanning
• Network mapping
• Measure exposure
• Security expertise
NetRanger (Reactive)
• Real-time analysis
• Intrusion detection
• Dynamic response
• Assurance
NetSonar™ Security Scanner
“Proactive Security”
0305_10F8_c2
Active Audit—Network Vulnerability Assessment
• Assess and report on the security status of network components
Scanning (active, passive), vulnerability database
NetSonar
NetSonar Overview
• Vulnerability scanning and network mapping system
• Identifies and analyzes security vulnerabilities in ever-changing networks -- “proactive” software
• Industry-leading technology
Network mapping
Host and device identification
Flexible reporting
Scheduled scanning
Network Discovery Process
Network Mapping
• Identify live hosts
• Identify services on hosts
Vulnerability Scanning
• Analyze discovery data for potential vulnerabilities
• Confirm vulnerabilities on targeted hosts
Network Mapping Tool
• Uses multiple techniques
Ping sweeps - Electronic Map
Port sweeps - Service discovery
• Unique discovery features
Detects workstations, routers, firewalls, servers, switches, printers, and modem banks
Detects Operating Systems and version numbers
Does not require SNMP
Vulnerability Assessment Engine
• Potential Vulnerability Engine -- Passive
Compares network discovery data to rules to reveal potential vulnerabilities
• Confirmed Vulnerability Engine -- Active
Uses well-known exploitation techniques to fully confirm each suspected vulnerability and to identify vulnerabilities not detected during passive mapping
How NetSonar Works
1. Network Discovery
Ping Sweep - ID Hosts (active vs. inactive)
Port Sweeps - ID Svcs (diagram hosts: Email Svr, Web Svr, Workstation, Firewall, Router; diagram services: SMTP, FTP, HTTP, Telnet)
2. Passive Vulnerability Analysis
Discovery data analyzed by rules (diagram example: Workstation running Windows NT v4.0 • SMB Redbutton • Anonymous FTP)
3. Active Vulnerability Analysis
Exploits executed against target hosts (diagram example: FTP Bounce Exploit)
4. Presentation & Reporting
Communicate results
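The passive engine from the Vulnerability Assessment Engine slide and the "discovery data analyzed by rules" step above, worked as an added example (not the deck's or Cisco's code): discovery records are matched against rules to produce potential findings, and each finding names the active check that would be needed to confirm it. Hosts, rules, ports and severity values are constructed.

```python
"""Passive vulnerability engine in the NetSonar style (added example, not
Cisco's code). No packets are sent: rules run over discovery data only,
and each finding records which active check would confirm it.
"""
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class Host:
    addr: str
    kind: str                        # workstation, server, router, ...
    os: str = ""
    services: dict = field(default_factory=dict)   # open port -> service

@dataclass
class Rule:
    name: str
    when: Callable[[Host], bool]     # passive condition over discovery data
    confirm_with: str                # active check that would confirm it
    severity: int                    # constructed 1 (low) .. 5 (high) rating

# Constructed rules using the slide's own example findings.
RULES = [
    Rule("Anonymous FTP", lambda h: 21 in h.services,
         "anonymous FTP login attempt", 2),
    Rule("SMB Redbutton",
         lambda h: h.os.startswith("Windows NT") and 139 in h.services,
         "SMB null-session check", 3),
    Rule("FTP Bounce", lambda h: 21 in h.services and h.kind == "server",
         "FTP PORT bounce test", 3),
]

def potential_vulns(hosts, rules=RULES):
    """Apply every rule to every host; return findings, highest severity first."""
    findings = [(h.addr, r.name, r.severity, r.confirm_with)
                for h in hosts for r in rules if r.when(h)]
    return sorted(findings, key=lambda f: (-f[2], f[0], f[1]))

# Constructed discovery data modelled on the slide's diagram.
DISCOVERED = [
    Host("10.1.1.20", "workstation", "Windows NT 4.0", {139: "netbios-ssn", 21: "ftp"}),
    Host("10.1.1.10", "server", "Solaris 2.6", {25: "smtp", 21: "ftp"}),
    Host("10.1.1.1", "router", "IOS", {23: "telnet"}),
]

if __name__ == "__main__":
    for addr, name, sev, check in potential_vulns(DISCOVERED):
        print(f"{addr:<12} sev {sev}  {name:<16} confirm with: {check}")
```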