Intrusion Detection and Prevention System (IPS) – Technology, Applications, and Trend
Dr. Nen-Fu (Fred) Huang
Professor, Department of Computer Science, National Tsing Hua University, Taiwan
President, Broadweb Corp, Taiwan
E-mail: nfhuang@broadweb.com, nfhuang@cs.nthu.edu.tw
2005/8/26

Outline
• Network Security Introduction
• Attack Categories
• Emerging IM/P2P Threats
• IPS
• Technology and Product Trends
• Conclusion and Discussion

Attacking Tools
[Screenshots of attack tools: UDP Flooder, DDoSPing, Pinger, N-Stealth Scanner]

Attack Categories
• Denial of Service (DoS), Distributed Denial of Service (DDoS)
• Network Invasion
• Network Scanning
• Network Sniffing
• Trojan Horse and Backdoors
• Worm

(1) DoS/DDoS
• Prevents other users from using a network connection, or disables a server or its services: e.g. “Smurf” and “Fraggle” attacks, “Land”, “Teardrop”, “NewTear”, “Bonk”, “Boink”, SYN flooding, “Ping of death”, IGMP Nuke, buffer overflow.
• Caused by a protocol fault or a program fault.
• It damages “Availability”.

DoS Example: Smurf attack
• Uses ICMP echo/reply (smurf) or UDP echo (fraggle) packets sent to broadcast networks to multiply traffic
• Requires the ability to send spoofed packets
[Diagram: the perpetrator sends an ICMP echo request carrying the victim's spoofed source address to an IP broadcast address across the Internet; every host on that network returns an ICMP echo reply to the victim]

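The slide describes two observable sides of the amplification: echo requests aimed at a directed-broadcast address (the amplifier network) and a burst of echo replies from many distinct hosts converging on one address (the victim). The following detector, an added example that is not part of the slides or of any Broadweb product, flags both from a constructed list of ICMP packets; the protected /24 network and the thresholds are assumptions of the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of ICMP packets as (timestamp, src, dst, icmp_type);
# type 8 = echo request, type 0 = echo reply. Not captured from a real network.
SAMPLE_ICMP = [
    (0.0, "10.0.0.9", "192.168.1.255", 8),   # echo request to a directed-broadcast address
    (0.1, "192.168.1.10", "10.0.0.9", 0),     # many hosts answer the spoofed source...
    (0.1, "192.168.1.11", "10.0.0.9", 0),
    (0.2, "192.168.1.12", "10.0.0.9", 0),
    (0.2, "192.168.1.13", "10.0.0.9", 0),
    (0.3, "192.168.1.14", "10.0.0.9", 0),
    (5.0, "10.0.0.5", "10.0.0.7", 8),        # ...while an ordinary ping gets one reply
    (5.1, "10.0.0.7", "10.0.0.5", 0),
]

# Assumption of this example: the protected networks are /24s, so each one's
# directed-broadcast address is its last address.
PROTECTED_NETS = [ip_network("192.168.1.0/24")]


def is_directed_broadcast(dst: str) -> bool:
    addr = ip_address(dst)
    return any(addr == net.broadcast_address for net in PROTECTED_NETS)


def detect_smurf(packets, window: float = 1.0, min_sources: int = 4):
    """Return alerts for the two amplification indicators on the slide:
    1. an echo request addressed to a broadcast address (amplifier side);
    2. echo replies to one destination from at least `min_sources` distinct
       hosts inside `window` seconds (victim side)."""
    alerts = []
    replies = defaultdict(list)  # victim address -> [(timestamp, replying host)]
    for ts, src, dst, icmp_type in packets:
        if icmp_type == 8 and is_directed_broadcast(dst):
            alerts.append(("broadcast-echo-request", src, dst))
        elif icmp_type == 0:
            replies[dst].append((ts, src))
    for victim, seen in replies.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            # distinct sources whose replies fall in the window starting at t0
            sources = {s for t, s in seen[i:] if t - t0 <= window}
            if len(sources) >= min_sources:
                alerts.append(("reply-amplification", victim, len(sources)))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_smurf(SAMPLE_ICMP):
        print(alert)
```

The first indicator is also the mitigation point: a router that does not forward directed broadcasts cannot be used as an amplifier, so the same check run on egress traffic tells an operator which of their networks still would.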
(2) Network Invasion
• Goal is to get into the target system and obtain information
  • Account usernames, passwords
  • Source code, business-critical information
• Usually caused by improper configuration or privilege settings, or a program fault.

Example of network invasion: IIS unicode buffer overflow
For IIS 5.0 on Windows 2000 without the corresponding security patch, a simple URL string:
http://address.of.iis5.system/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\
will show the listing of the root directory.

(3) Network Scanning
• Goal is to learn the map (topology) of the victim's network:
  • The names and addresses of hosts and network devices
  • The open services
• Usually uses techniques such as ICMP scanning, Xmas scan, SYN-FIN scan, SNMP scan.
• There are powerful tools: Nmap and Nessus.

(4) Sniffing
• Goal is to obtain the content of communications
  • Account usernames, passwords, mail accounts
  • Network topology
• Hosts running a sniffer program (e.g. NetBus) are often compromised using host attack methods.

(5) Backdoor and Trojan horse
• Usually, a backdoor or Trojan horse is the consequence of an invasion or of hostile programs.
• It may open a private communication channel and wait for remote commands.
• Available toolkits: Subseven, BirdSpy, Dragger
• It can be detected by monitoring known control-channel activity, but not with 100% precision.

(6) Worm
• The chief intention of a worm is to propagate and survive.
• It takes advantage of system vulnerabilities to infect a host and then tries to infect any possible target.
• It may degrade system productivity, leave back doors, steal confidential information, and so on.

Emerging P2P/IM Threats
• P2P (Peer-to-Peer)
• IM (Instant Messenger)
• Spyware
• Adware
• Tunneling

P2P: a new paradigm (Why P2P?)
• Bottleneck of the server
• Powerful PCs
• Flexible, efficient information sharing
• P2P changes the way of the Web (Internet)

General Issues of P2P
• How to find resources?
• How to know which peers are on-line?
• How to route requests?
• How to download resources?
• Flooding messages, and a huge number of connections to be established concurrently

Famous P2P Examples
BitTorrent, Shareaza, SoftEther, eZpeer, Direct-connect, iMESH, Kuro, Gnutella, MIB, eDonkey, Soulseek, WinMix, eMule, Opennap, WinMule, MLdonkey, Worklink, Skype, Opennext, Kazaa/Morpheus, Jelawat, PP 點點通

Instant Messenger (IM)
• MSN
• Yahoo Messenger
• ICQ
• YamQQ
• AIM (AOL IM)
• Google Talk (new)

Network Security Technology Trend
• Layer-7 Content Inspection Technology
• IPS (Layer-7)
• Application Firewall (Layer-7)
• UTM/SCM
• SOHO IPS Routers

Layer-7 Content Inspection Technology
• Packet Normalizer
• Pattern Matching Algorithms
  • Software Based
  • Hardware Based
• Policy Engine

A Generic Layer-7 Engine
• Packet Normalizer
  • Checks the integrity of incoming packets
  • Eliminates ambiguity
  • Decodes URI strings if necessary
• Pattern-Matching Engine
  • Where the pattern-matching operation is executed
• Policy Engine
  • Gathers the matching events from the pattern-matching engine and issues the verdict to allow or drop the packets

Pattern Matching is Expensive!
• Header processing: ~50 instructions per 1500-byte packet
• Content inspection: ~30 instructions per byte, i.e. ~45K instructions per 1500-byte packet
Source: Intel Corp.

Pattern-Matching Engine
• The most computation-intensive task in packet processing. Normally the pattern-matching engine needs to process every single byte of the packet payload, while layer-4 operations deal with the packet header only.
• In Snort, the pattern matching routine accounts for 31% of the total execution time.

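Because every payload byte has to be examined, the cost that matters is how much work each byte costs as the signature set grows. The classic answer, and the reason the conclusion slide calls multiple pattern matching the key technology, is an automaton that finds every occurrence of every signature in one pass over the payload, so the per-byte work stays constant regardless of how many signatures are loaded. The Aho-Corasick matcher below is an added example written for this deck; it is not code from the slides, from Snort, or from any Broadweb product, and the signatures and the sample request line are constructed for illustration.

```python
from collections import deque


class AhoCorasick:
    """Multi-pattern matcher: one pass over the payload reports every
    occurrence of every signature, independent of the number of signatures."""

    def __init__(self, patterns):
        self.goto = [{}]   # per state: next byte -> next state
        self.fail = [0]    # per state: longest proper suffix that is also a prefix
        self.out = [[]]    # per state: patterns that end here
        for p in patterns:
            self._add(p)
        self._link()

    def _add(self, pattern: bytes) -> None:
        state = 0
        for b in pattern:
            if b not in self.goto[state]:
                self.goto.append({})
                self.fail.append(0)
                self.out.append([])
                self.goto[state][b] = len(self.goto) - 1
            state = self.goto[state][b]
        self.out[state].append(pattern)

    def _link(self) -> None:
        # Breadth-first so every state's failure link is set before its children's.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                # A pattern ending at the failure state also ends here.
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def search(self, data: bytes):
        """Return (pattern, start_offset) for every match, in order of match end."""
        state, hits = 0, []
        for i, b in enumerate(data):
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            for p in self.out[state]:
                hits.append((p, i - len(p) + 1))
        return hits


# Constructed signature set and sample request line (not real rules or traffic),
# modelled on the IIS example earlier in the deck.
SIGNATURES = [b"/scripts/", b"system32", b"cmd.exe"]
SAMPLE = b"GET /scripts/../winnt/system32/cmd.exe?/c+dir HTTP/1.0"


def scan(payload: bytes = SAMPLE, signatures=SIGNATURES):
    """Build the automaton once and scan a payload with it."""
    return AhoCorasick(signatures).search(payload)


if __name__ == "__main__":
    for pattern, offset in scan():
        print(offset, pattern)
```

In a real engine the automaton is built once when the signature database loads and reused for every packet; the byte offsets it reports are exactly what the policy engine needs to evaluate placement constraints such as offset, depth, distance and within.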
Policy Engine
• Collects the matching events from the Pattern-Matching Engine.
• Clarifies the relationship between matched patterns:
  • Ordered: a policy may consist of more than one pattern, and they should be matched in order.
  • Offset, Depth: the matched position should be within a certain range or location.
  • Distance, Within: the distance between two matched patterns should also be taken into consideration.
• Traces application states

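The ordered/offset/depth/distance/within relationships on this slide, together with the normalizer's URI decoding from the generic-engine slide, can be made concrete in a few dozen lines. The code below is an added example, not the slides' own or any product's rule language: it uses simplified Snort-like semantics for the placement options (an assumption of the example), a constructed three-pattern policy modelled on the IIS request shown earlier in the deck, and constructed request lines, and it shows why the policy must run on normalized rather than raw bytes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote_to_bytes


@dataclass
class Content:
    """One pattern of an ordered policy. The placement options follow the
    slide's vocabulary with simplified, Snort-like semantics (an assumption
    of this example, not any product's exact rule language)."""
    pattern: bytes
    offset: int = 0               # first content only: search starts here
    depth: Optional[int] = None   # first content only: window length from offset
    distance: int = 0             # later contents: gap after previous match end
    within: Optional[int] = None  # later contents: window length after that gap


def evaluate_policy(payload: bytes, policy: List[Content]) -> bool:
    """Ordered matching: every content must be found, each inside the window
    that offset/depth (first pattern) or distance/within (later patterns)
    derive from the previous match. Out-of-order hits never satisfy it."""
    prev_end = None
    for c in policy:
        if prev_end is None:
            start = c.offset
            end = len(payload) if c.depth is None else start + c.depth
        else:
            start = prev_end + c.distance
            end = len(payload) if c.within is None else start + c.within
        idx = payload.find(c.pattern, start, end)
        if idx == -1:
            return False
        prev_end = idx + len(c.pattern)
    return True


def normalize_uri(raw: bytes):
    """Packet normalizer for URI strings: percent-decode once so the matcher
    sees one canonical form, and flag encodings that leave the raw form
    ambiguous between decoders."""
    flags = []
    # 0xC0/0xC1 never lead a valid UTF-8 sequence; they occur only in
    # overlong encodings, which different decoders interpret differently.
    if re.search(rb"%c[01]%[0-9a-f]{2}", raw, re.IGNORECASE):
        flags.append("overlong-utf8")
    return unquote_to_bytes(raw), flags


# Constructed policy modelled on the IIS request shown earlier in the deck:
# script path near the start of the request, a traversal shortly after it,
# and a shell reference somewhere later.
IIS_TRAVERSAL_POLICY = [
    Content(b"/scripts/", offset=0, depth=20),
    Content(b"../", distance=0, within=12),
    Content(b"cmd.exe", distance=0),
]


def inspect_request(raw_line: bytes, policy=IIS_TRAVERSAL_POLICY) -> dict:
    """Run the policy on both the raw and the normalized request line."""
    decoded, flags = normalize_uri(raw_line)
    return {
        "raw_match": evaluate_policy(raw_line, policy),
        "normalized_match": evaluate_policy(decoded, policy),
        "flags": flags,
    }


# Constructed sample request lines (not captured traffic).
ENCODED = b"GET /scripts/%2e%2e/winnt/system32/cmd%2eexe?/c+dir HTTP/1.0"
OVERLONG = b"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0"
BENIGN = b"GET /scripts/index.asp HTTP/1.0"

if __name__ == "__main__":
    for line in (ENCODED, OVERLONG, BENIGN):
        print(line, inspect_request(line))
```

The percent-encoded line matches only after normalization, which is the ambiguity the normalizer exists to remove; the overlong-UTF-8 line is flagged separately because a single decoding pass cannot know how the target server will interpret it, and an engine that wants to eliminate that ambiguity must either decode the way the protected application does or treat the flag itself as a verdict.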
Policy Engine (cont.)
• Some applications are difficult to identify using only one signature (e.g. P2P).
• The Policy Engine needs to track the connection state, as in the following diagram:
[Diagram: S0 --(Msg Exchange)--> S1 --(Data Request)--> S2 --(File Exchange)--> S3]

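A per-connection state machine is what turns several weak signatures into one strong identification: a flow is classified only after the signatures appear in the protocol's order, so an isolated hit on a generic pattern does not trigger the verdict. The tracker below is an added example, not code from the slides or from any Broadweb product; the transition order (Msg Exchange, Data Request, File Exchange) is read from the slide's diagram, and the signature names, flow tuples and event sequence are constructed for illustration.

```python
# State machine reconstructed from the slide's diagram (assumption of this
# example: the three transitions occur in the order Msg Exchange, Data
# Request, File Exchange, taking a connection from S0 to S3).
TRANSITIONS = {
    ("S0", "msg_exchange"): "S1",
    ("S1", "data_request"): "S2",
    ("S2", "file_exchange"): "S3",
}
FINAL_STATE = "S3"


class FlowTracker:
    """Tracks the state of each connection so an application is identified
    only after its signatures have appeared in protocol order."""

    def __init__(self, transitions=TRANSITIONS):
        self.transitions = transitions
        self.state = {}  # flow 5-tuple -> current state

    def observe(self, flow, signature: str) -> str:
        """Advance the flow if `signature` is the transition expected in its
        current state; any other signature leaves the state unchanged."""
        current = self.state.get(flow, "S0")
        nxt = self.transitions.get((current, signature))
        if nxt is not None:
            self.state[flow] = nxt
        return self.state.get(flow, "S0")

    def verdict(self, flow) -> str:
        return "p2p" if self.state.get(flow) == FINAL_STATE else "unknown"


def classify(events):
    """Feed (flow, signature) events, in arrival order, and return the
    verdict for every flow seen."""
    tracker = FlowTracker()
    for flow, signature in events:
        tracker.observe(flow, signature)
    return {flow: tracker.verdict(flow) for flow, _ in events}


# Constructed flows (documentation addresses) and an interleaved event stream.
FLOW_A = ("192.0.2.10", 51000, "203.0.113.8", 6000, "tcp")   # full handshake
FLOW_B = ("192.0.2.11", 51001, "203.0.113.9", 6000, "tcp")   # one stray hit only
FLOW_C = ("192.0.2.12", 51002, "203.0.113.7", 6000, "tcp")   # skips a step
SAMPLE_EVENTS = [
    (FLOW_A, "msg_exchange"),
    (FLOW_B, "file_exchange"),   # seen without the preceding states: ignored
    (FLOW_A, "data_request"),
    (FLOW_C, "msg_exchange"),
    (FLOW_A, "file_exchange"),
    (FLOW_C, "file_exchange"),   # data_request never happened: stays in S1
]

if __name__ == "__main__":
    for flow, verdict in classify(SAMPLE_EVENTS).items():
        print(flow[0], "->", flow[2], verdict)
```

A production tracker would also expire idle flows and would feed each signature hit from the pattern-matching engine of the previous slide rather than from a prepared list, but the decision logic is the same: the verdict depends on the sequence, not on any one match.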
Intrusion Detection and Prevention System (IPS)

NK-3000 Features
• Intrusion Detection & Prevention System (IPS)
• Anti-Intrusion
• Anti-Worm
• Anti-P2P
• Anti-IM (Instant Messenger)
• Anti-Porn
• Anti-Webpost

NK-3000 Features
• Signature-based and anomaly-based detection technology (1800+ signatures)
  • DoS/DDoS attacks
  • Mydoom, NetSky
  • MS-Blaster, SQL Slammer, So-Big, Code Red
• In-Line Mode / IDS Mode / Sniffer Mode
• Hardware/Software Bypass (Fail Open)
• Java-based Broadweb Extensible Management System (BEMS)
• Automatic signature update via Internet

BSST – BroadWeb Security Service Team
• Team of security experts (CISSP)
• Provides security service consulting to customers
• Signature collection and verification
  • Issued 1800+ signatures, including top virus patterns
• Security technical training
• Issues Security Notes periodically
• Issues Broadweb Certificated Security Engineer (BCSE) certifications for NK products
• http://bsst.broadweb.com.tw

Application Firewalls

Application Firewalls
• Layer-7 deep packet inspection technology for better processing of
  • NAT/ACL/VPN
  • IDP
  • Worms (SQL Slammer, Blaster, NetSky, Sasser, etc.)
  • Spam
  • IM (MSN, ICQ, QQ, etc.)
  • P2P (eDonkey, eMule, BitTorrent, etc.)
  • Webpost
  • Porn
  • Spyware/Adware
  • Others

Unified Threat Management (UTM) and Security Content Management (SCM)

UTM and SCM
• Unified Threat Management (UTM)
  • Firewall
  • Intrusion Detection and Prevention (IPS)
  • Anti-Virus
• Secure Content Management (SCM)
  • Anti-Virus
  • Web Filtering
  • Messaging Security (P2P/IM)

[Chart: UTM Appliance Revenue]

SOHO IPS Routers

Security SoC-based SOHO IPS Routers
• Security Processor (SoC)
  • ARM922 RISC CPU
  • Hardware NAT (Layer-4)
  • Hardware Content Inspection Engine (Layer-7)
  • Two 10/100/1000 RJ-45 ports
• Embedded Linux
• For the SOHO IPS router market

Conclusions
• Multiple pattern matching is the key technology for layer-7 content inspection
  • More complex relationships between matched patterns
• Software issues
  • Multiple pattern matching algorithms
  • Protocol behavior analysis
  • Signature database
• Hardware platform issues
  • Network Processor
  • Pentium + Content Inspection Co-processor
  • Security SoC
• IPS will be introduced into the SOHO market soon
  • IPS SOHO routers