cisco企業(yè)ids解決方案

1、Advanced Enterprise IDS Deployment and Tuning,,,The Potential Impact to the Bottom Line Is Significant,The Number of Security Incidents Continues to Rise Exponentially,,The Complexity and Sophistication of Attacks and Vu

2、lnerabilities Continues to Rise,The Challenge: Security in Modern Networks,Mitigating the Risk: Defense in Depth,Comprehensive security policyPervasive security—end to endSecurity in layersMultiple technologies, work

3、ing together,Defense in Depth:The Role of Intrusion Detection,Complementary technology to firewallsBeen around for more than a decade, started coming into prominence in the late ’90sPerforms deep packet inspection, ga

4、ining visibility into detail often missed by firewalls,,Internet,,,,,,Advanced Enterprise IDS Deployment: Agenda,Intrusion Protection SystemsNetwork SensorsHost AgentsManagement ConsolesCase Studies,Intrusion Protect

5、ion Systems,Intrusion Protection Agenda,Terminology and TechnologiesComplete Architecture:Sensors, Agents, Management ConsolesPlacement StrategiesWhere to Place Your Sensors, what Traffic to Watch, How to Get Traffic

6、 to ThemOrganization-Level ConcernsResponding to Intrusions, Ownership and Organization, Outsourcing,IDS Terminology: False Positives,A False Alarm occurs when an IDS reports an attack even though noattack is underway

7、Benign activity that the system mistakenly reports as maliciousTypically due to improper tuningCan easily overwhelm alarm consoles creating enormous amount of background noiseCan result in mistrust of the IDS by secur

8、ity personnel,IDS Terminology False Negatives,A False Negative occurs when an IDS fails to report an ongoing attackMalicious activity that the system does not detect or reportTend to be worse because the purpose of an

9、IDS is to detect such eventsCan be due to a variety of eventsCan be the result of IDS evasion efforts by an attackerCan also be due to out-of-date signature knowledge base (misuse detection systems)Minor state transi

10、tion that is below a detectable threshold (anomaly-based systems),IDS Terminology:Signatures and Anomalies,Signatures explicitly define what activity should be considered maliciousSimple pattern matchingStateful patte

11、rn matchingProtocol decode-based analysisHeuristic-based analysisAnomaly detection involves defining “normal” activity and looking for deviations from this baseline,,,IDS Architecture: Sensors, Agents, and Management

12、,,,,,,,,,,,Agents,Sensors,Management,Production Network,Management Network,IDS Components,Network-Based SensorsSpecialized software and/or hardware used to collect and analyze network trafficAppliances, modules, embedd

13、ed in network infrastructureHost-Based AgentsServer-Specific AgentProvides both packet- and system-level monitoring, and active responseSecurity Management and MonitoringPerforms configuration and deployment service

14、sAlert collection and aggregation for monitoring,,,,Data Flow,Data Capture,Monitoring the Network,,,,,Network Link to the Management Console,IP Address,Passive InterfaceNo IP Address,Network-Based IDS: The Sensor,,Data

15、 Flow,,,Network Link to the Management Console,IP Address,Passive InterfacesNo IP Address,Network-Based IDS: The In-line Sensor,,,,,,Data Flow,,,Network-Based IDS:Functions and Capabilities,Monitors all traffic on a gi

16、ven segmentCompare traffic against well known attack patterns (signatures); also look for heuristic attack patterns (i.e. multi-host scans, DoS)Includes fragmentation and stream reassembly logic for de-obfuscation of a

17、ttacksPrimarily an alarming and visibility tool, but also allows active response: IP session logging, TCP reset, shunning (blocking),Host Agents:Functions and Capabilities,Distributed Agent residing on each server to

18、 be protectedIntimately tied to underlyingoperating systemCan allow very detailed analysisCan allow some degree of Intrusion ProtectionAllows analysis of data encrypted for transportMonitors kernel-level applicati

19、on behavior, to mitigate attacks such as buffer-overflow and privilege escalation,,,,,Cons,Network-Based,Host-Based,Pros,Can verify success or failure of attackGenerally not impacted by bandwidth or encryptionUnders

20、tands host context and may be able to stop attack,Impacts host resourcesOperating system dependentScalability—Requires one agent per host,Protects all hosts on monitored networkNo host impactCan detect network probe

21、s and denial of service attacks,Switched environments pose challengesMonitoring >100Mbps is currently challengingGenerally can’t proactively stop attacks,Should View as Complementary!,Some General Pros and Cons,Plac

22、ement Strategies,Monitoring critical trafficDeploy network sensors at security policy enforcement points throughout the networkDeploy host sensors on business critical serversBeware of sensor overload — sensors must b

23、e able to handle peak traffic loadsOtherwise they will suffer packet drop/loss and possibly miss attacks,Deploying IDS Solutions,Overview,Often, IDS cannot be implemented “everywhere” due to cost restrictions.Where do

24、you need to detect an intrusion as soon as it occurs?Where an incident would be most expensive (most valuable data)At the entry to a sensitive domain (to detect the first successful step of the attacker)At other locat

25、ions, where attempts need to be analyzedLook at the risks again—make sure you prioritized based on the value of a resource and the exposure involved.,Network IDS Primary Functions,Identify Malicious ActivityIdentify Ne

26、twork AnomaliesNetwork Traffic EnforcementFirst Alert: Day ZeroFirst Packet ResponseTCP Traffic Normalization,NIDS Deployment Considerations,General Location Selection IssuesPurpose of Deployment Defines LocationIn

27、side, Outside, or DMZInternal vs PerimeterResponse Actions vs Passive MonitoringTrusted vs Non-Trusted Zones (chokepoints)Security Operations vs Network Operations,NIDS Deployment Considerations (cont),Specific Locat

28、ion Selection IssuesLocation Requirements Define PlatformSensor PerformanceLarge Network Pipes can result in Data OverflowProper Platform Selection is CrucialLoad Balancing Issues (Sweep and Flood Fidelity)Data Red

29、uction PossibilitiesHighly Available or Asymmetrically Routed Networks,NIDS Deployment Considerations (cont),Specific Location Selection IssuesEncrypted TrafficSSL or IPSecIDS Monitoring SourcesNetwork TapsSPAN (an

30、d RSPAN)VACL CaptureAggregation SwitchInline,IDS Sensor Monitoring Considerations,NIDS sensors should monitor segments, where you need to detect attacks the most:Monitor most sensitive internal segments (management n

31、etwork)Monitor most sensitive internal serversMonitor network entry points:Internet firewall, business partner entry, vpn/dial-up entrySwitched network edge (biggest performance issue)Monitor exposed hosts most like

32、ly to be compromised:If they are likely to be used as a jump-off pointIf your reputation depends on them,Monitoring Sensitive Internal Servers or Segments with NIDS,Performance considerations:Select the correct Senso

33、r platformUse a dedicated sensor per network/vlan (if required)Move the sensor to a different location to see more specifically defined trafficIf necessary, only capture a subset of traffic (exclude traffic that ca

34、n’t be inspected: IPSec, SSL, Multicast)Use HIDS (not a performance issue)Use Load Balancing to distribute network flows,IDS Placement and Tuning,Network Sensor Deployment Locations,Inside (trusted side) network moni

35、toring:Typical initial IDS deployment spot (along with DMZ)Usually broad monitoring to detect any attacksSees traffic filtered by the firewallDetects attacks that penetrate the firewallDetects outgoing attacks

36、(even if blocked by the firewall)Useful to check config of firewall,Network Sensor Deployment Locations,Outside (untrusted side) network monitoring:“Broad” monitoring for all types of attacksAlso detects attacks whic

37、h the firewall will block (early warning, trends, new risks, “Internet thermometer”)Serious risk of operator overload as sensor monitors uncontrolled network space (no man’s land)Usually requires special configuration

38、and possibly special management and monitoring considerationsUseful for correlation with inside sensors,Multi-Sourced NIDS Sensors,Multiple capture interfaces forwarding to the same IDS engine:Monitors multiple segment

39、s with similar properties (same IDS policy, simple with service modules)Potential for IDS oversubscriptionPossible issues with address range overlap,Network Sensor Deployment Locations,High Availability or Asymmetrical

40、ly Routed NetworksIDS must see all packets involved in a connectionUsually requires a sensor with multiple interfaces to capture data from all pointsData overflow to IDS is serious possibility in an active/active netw

41、ork setup,Network Sensor Deployment Locations,Inline IDS Deployments (IPS)IDS is able to block offending packetIDS signature quality must be very accurate with low false positives otherwise legitimate network traffic i

42、s disruptedSince packets flow through device, the IDS must have no measurable impact to traffic flow (ex. loss rate, latency, jitter, etc)Network reliability must follow standard proceduresFailover in a highly availab

43、le networkFail open or fail closed?,,,,,,,,,,,,,,,,,,,,,,,,,,Data Center,,,,,,,,,,,,Web Tier,Application Tier,Mainframe,NIDS,NIDS,Aggregation,Access,Deployment Example:IDS Load Balancing for the Data Center,,,,,Encrypt

44、ed Traffic and Network IDS,IPSec - Use a Network Module in the tunnel termination router to inspect traffic before it gets sent out the interfacesSSL - Early decryption of SSL sessions at an SSL acceleratorFor crypto t

45、unnels terminated on the host, use HIDS,NIDS Switched Environment Considerations,In a switched environment, you can monitor:Inside a switch (IDSM) or router (NM-IDS)Using a network TAPUsing SPAN or VACL CaptureOn

46、 the host (HIDS) Avoid oversubscribing the device or port:Lost packets break stream and composite signaturesSmart VACLs (specific protocols)Perhaps monitor only one port via SPANUnderstand the limitations of the

47、 packet sourcing deviceReference IDS_Capture_Techniques[1].ppt,SPAN Overview,SPAN means Switch Port AnalyzerSPAN copies ALL packets from source VLANS or ports to a destination portSupported across most Cisco switches

48、Different switches have different limitations on use of SPAN, including number of SPAN destination portsSome switches do not allow incoming packets on SPAN destination port. This is necessary if a customer wishes to us

49、e TCP Reset.,NIDS Switched Environment Considerations,A VLAN aware sensor is:Able to process 802.1q tagged packetsIssues when using the SPAN port:If SPAN belongs to a single VLAN, packets enter the SPAN port without t

50、he VLAN headers.Configure SPAN as a trunking port, if necessary (supporting ALL active VLANs).Which VLAN do you send the RST to?,VACL Capture Overview,A VLAN ACL, also known as Security ACL, specifies traffic to captur

51、e.The VACL Capture copies filtered packets from source VLANS to a destination port.,Management Interface Security Guidelines,Perimeter (outside monitoring) placement options:Classic firewall sandwich (in-band)Manageme

52、nt interface on separate inside VLANsManagement interface on separate DMZManagement interface on separate physical network,,,BusinessPartnerAccess,Extranet Connections,,Corporate Network,,,Internet,,,,Internet Conn

53、ections,Remote Access Systems,,Remote/Branch Office Connectivity,Intrusion Detection DeploymentWhat Areas of the Network Are Candidates?,Data Center,,,,Management Network,,,,Sensor Placement Rationale,No real standardN

54、o primer or cookbook that says “Place IDS here”Varies tremendously from network to networkIDS is typically found around firewallsThese are usually perceived as transit points from one network to anotherAlso found wh

55、ere there are differing trust levels within the network,Typical Order of Deployment,How far down the deployment path you go often depends on your resources; if resources are tight, always look at where you can get the mo

56、st ‘bang for your buck’,Data centers, high risk, or other ‘HDV’ areasDirectly behind perimeter firewallsInternet DMZ areasRemote access and remote offices,Why at Internet Connections?,Firewalls usually don’t protect

57、against data driven attacksConsider a Web server on a DMZVarious web server vulnerabilities have been found over the past few yearsMicrosoft IIS Directory Traversal Vulnerability (UNICODE)Apache/OpenSSL SSL2 Handsh

58、ake Process buffer overflowMicrosoft IIS WebDAV buffer overflowMicrosoft SQL Slammer wormPatches are available, but…Can be exploited to deny service or access the server,Attacking through the Firewall,,,WWW,Telnet,F

59、irewall Rules:Permit any DMZ port 80Permit DMZ insidePermit DMZ outsidePermit inside anyDeny any any,Internet,Attacker,Vulnerable Web Server,Inside or Outside?,Somewhat of a “religious” debateDepends on the situat

60、ion and the needsMade more effective with good ACLs at the edge router(s)Must be tuned properly—otherwise false alarms will significantly reduce the value of the IDS on the outside,Sensor Placement—Inside or Outside?,S

61、ensors on OutsideSees everything including traffic blocked by firewallCan’t distinguish betweenwhat is denied or permittedby firewallTools like Stick can generate lots of noiseMonitors both DMZand inside traffic,S

62、ensors on InsideSees only traffic permitted by the firewallResponse is neededSensor is needed for each internal leg of the firewall,,,,,,,,Attacker,DMZ,Inside,,,,,Next Steps:Getting Traffic to your Network Sensors,Tr

63、affic must be mirrored to network sensors (replicated)Choices:Shared media (hubs)Network tapsSwitch-based traffic mirroring (SPAN)Selective mirroring (traffic capture—VACLs),,,,TX and RX,,,,,,,From Firewall,From Rou

64、ter,Traffic from Firewall,Traffic from Router,,TX and RX,,,,,SPAN Tap Traffic,Full Duplex Link,Aggregation Switch,Using a Network Tap,Tap splits full duplex link into two streamsFor sensors with only one sniffing interf

65、ace, need to aggregate traffic to one interfaceBe careful of aggregate bandwidth of two tapped streamsDon’t exceed SPAN port or sensor capacity,Switch-Based Traffic Capture,Port Mirroring: SPAN functionality and comma

66、nd syntax varies between product lines and switch vendorsSome limit the number of SPAN portsSome allow you to monitor multi-VLAN trafficNote that not all sensor vendors can’t handle multi-VLAN traffichttp://www.cisco

67、.com/warp/public/473/41.html Rule-Based Capture: VLAN Capture/MLS IP IDSPolicy Feature Card (PFC) required on Catalyst 6500Allows you to monitor multi-VLAN trafficUse “mls ip ids” when using “router” interfaces or wh

68、en interface is configured for Cisco IOS FWhttp://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/idsm/idsm_2/13074_03.htm,Switch-Based Traffic Capture Example,Using SPAN,switch>(enable) set span 4/5 6/1 rx crea