Introduction To Network Security

The document discusses network security and covers topics such as security incidents in recent years, security policies, perimeter security, identity services, secure connectivity, intrusion protection, and security management. It provides details on security issues like the SQL Slammer worm and outlines what should be included in a security policy.

Introduction to Network Security

SEC-1000
8020_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 1
Agenda
• Security Year in Review
Slammer, et al.
• Security Policy
Setting a Good Foundation
• Extended Perimeter Security
Define the Perimeter, Firewalls, ACLs
• Identity Services
Passwords, Tokens, PKI, Biometrics
• Secure Connectivity
Work Happens Everywhere, Virtual Private Networks
• Intrusion Protection
Network, Host
• Security Management
Wrapping it All Together
Security Year in Review

• Are incidents decreasing?
• SQL Slammer
• Other security headlines

Are Incidents Decreasing?

Type of Crime                       2001 ($M)   2002 ($M)
Theft of Proprietary Information    151.2       170.8
Financial Fraud                      92.9       115.7
Insider Net Abuse                    45.3        49.9
Sabotage                              5.2        15.1
Unauthorized Access by Insiders       6.1         4.5
Laptop Theft                          8.8        11.7
Denial of Service                     4.3        18.4
System Penetration by Outsiders      19.0        13.0
Total                               378         456

Compare this to the cost of implementing a comprehensive security solution!

Source: FBI 2002 Report on Computer Crime

Number of Incidents: Always on the Rise

CERT—Number of Incidents Reported (*)
http://www.cert.org/stats/cert_stats.html#incidents

[Chart: incidents reported to CERT per year, 1988–2002; the y-axis runs from 0 to 90,000 incidents]

(*) An incident may involve one site or hundreds (or even thousands) of sites;
also, some incidents may involve ongoing activity for long periods of time.

Two of the Most Serious Intruder Activities Reported to the CERT/CC in 2002

• Exploitation of vulnerabilities in Microsoft SQL Server
  Intruders compromised systems through the automated exploitation of null or weak default SA passwords in Microsoft SQL Server and Microsoft Data Engine; the CERT/CC published advice on protecting systems that run Microsoft SQL Server in CA-2002-04 (February 25, 2002).
  In July 2002, intruders continued to compromise systems and obtain sensitive information by exploiting several serious vulnerabilities in Microsoft SQL Server; the CERT/CC published additional advice in CA-2002-22 (July 29, 2002).

• Apache/mod_ssl Worm
  Intruders used a piece of self-propagating malicious code (referred to here as Apache/mod_ssl) to exploit a vulnerability in OpenSSL, an open-source implementation of the Secure Sockets Layer (SSL) protocol.
  The CERT/CC initially published CA-2002-23 (July 30, 2002), describing four vulnerabilities in OpenSSL that could be used to create denial of service; when these and other vulnerabilities finally manifested themselves in the form of the Apache/mod_ssl Worm, the CERT/CC published advice in CA-2002-27 (September 14, 2002).

The SQL Slammer Worm: What Happened?

• Released at 5:30 GMT, January 25, 2003
• Saturation point reached within 2 hours of start of infection
• 250,000–300,000 hosts infected
• Internet connectivity affected worldwide

The SQL Slammer Worm: 30 Minutes after “Release”

• Infections doubled every 8.5 seconds
• Spread 100x faster than Code Red
• At peak, scanned 55 million hosts per second

Network Effects of the SQL Slammer Worm

• Several service providers noted significant bandwidth consumption at peering points
• Average packet loss at the height of infections was 20%
• South Korea lost almost all Internet service for a period of time
• Financial ATMs were affected
• SQL Slammer overwhelmed some airline ticketing systems

Security Policy

• Setting a good foundation
• What is a security policy?
• Why create a security policy?
• What should it contain?

Start with a Security Policy

• A security policy defines and sets a good foundation by addressing:
  Definition—Define the data and assets to be covered by the security policy
  Identity—How do you identify the hosts and applications affected by this policy?
  Trust—Under what conditions is communication allowed between networked hosts?
  Enforceability—How will the policy's implementation be verified?
  Risk Assessment—What is the impact of a policy violation? How are violations detected?
  Incident Response—What actions are required upon a violation of the security policy?

What Is a Security Policy?

“A security policy is a formal statement of the rules by which people who are given access to an organization’s technology and information assets must abide.”
RFC 2196, Site Security Handbook

Why Create a Security Policy?

• To create a baseline of your current security posture
• To set the framework for security implementation
• To define allowed and not allowed behaviors
• To help determine necessary tools and procedures
• To communicate consensus and define roles
• To define how to handle security incidents

What Should the Security Policy Contain?

• Statement of authority and scope
• Acceptable use policy
• Identification and authentication policy
• Internet use policy
• Campus access policy
• Remote access policy
• Incident handling procedure

Security Policy Elements

[Diagram: network design factors on the left and Internet threat vectors on the right both feed into the POLICY in the centre]
  Network design factors: Data Assessment, Host Addressing, Application Definition, Usage Guidelines, Topology/Trust Model
  Threat vectors: Vulnerabilities, Denial of Service, Misuse, Reconnaissance

• On the left are the network design factors upon which security policy is based
• On the right are the basic Internet threat vectors that security policies are written to mitigate

Enforcement

[Diagram: the Security Wheel. Secure, Monitor, Audit and Manage form a continuous cycle around the Policy at the hub]

• Secure
  Identity and authentication
  Filtering and stateful inspection
  Encryption and VPNs
• Monitor
  Intrusion detection and response
  Content-based detection and response
  Employee monitoring
• Audit
  Security posture assessment
  Vulnerability scanning
  Patch verification/application auditing
• Manage
  Secure device management
  Event/data analysis and reporting
  Network security intelligence

Risk Assessment

• Some elements of network security are absolute; others must be weighed relative to the potential risk
  When you connect to the Internet, the Internet connects back to you
• Sound operational procedures and management are easier to implement than technical solutions
  You can’t secure a bad idea
• The cost of secure solutions must be factored into the overall Return on Investment (ROI)
  Security must be included in planning and design
  Effective security requires managerial commitment

What Is Trust?

• Trust is the inherent ability for hosts to communicate within a network design
• Trust and risk are opposites; security is based on enforcing and limiting trust
• Within subnets, trust is based on Layer 2 forwarding mechanisms
• Between subnets, trust is based on Layer 3+ mechanisms

Incident Response

• Attacks are intentional; there are no accidental or stray IP packets
• Four levels of incident response:
  Network misuse
  Reconnaissance
  Attack
  Compromise
• Without incident response plans, only passive defenses have value

Extended Perimeter Security

• Can you define the perimeter?
  Dissimilar policy boundaries
• Access control
• Firewalls—first line of defense

Can You Define the Perimeter?

[Diagram: an enterprise network with no single edge. Around the Campus/WAN Backbone and Campus LAN sit Enterprise IP Telephony, Mobility Security/VPN, International Sales Offices, a Multiservice WAN (Sonet, IP, ATM, Frame Relay), Suppliers, a Mainframe, Video Conferencing, Multi-Gigabit Ethernet, ISDN Telecommuters, PSTN Mobile Users, Content Networking and Storage]

Filtering Network Traffic

• Examining the flow of data across a network
• Types of flows:
  Packets
  Connections
  State

Access Control Lists (ACLs)

• Simple ACLs look at information in IP packet headers

[Diagram: the 20-byte IP packet header laid out 32 bits wide, with the Source IP Address and Destination IP Address fields highlighted]

• Many filters are based on the packet's source and destination IP address
• Extended ACLs look further into the packet, at the TCP or UDP port number in use for the TCP/IP connection between hosts

The Evolution of ACLs…

• Dynamic ACLs
  Lock-and-key filtering (Dynamic ACLs) allows an authenticated user to pass traffic that would normally be blocked at the router
• Reflexive ACLs
  Creates a temporary ACL to allow specified IP packets to be filtered based on TCP or UDP session information; the ACL “expires” shortly after the session ends (no sequence #)

Firewalls
• Four types of firewalls
Proxies (application-layer firewalls)
Stateful
Hybrid
Personal
• Implementation methods
Software
Appliance

Proxy Firewalls

• Proxy firewalls permit no traffic to pass directly between networks
• Provide “intermediary” style connections between the client on one network and the server on the other
• Also provide significant logging and auditing capabilities
• For HTTP (application-specific) proxies, all web browsers must be configured to point at the proxy server
• Example: Microsoft ISA Server

Stateful Firewalls

• Access Control Lists plus…
• Maintaining state
  Stateful firewalls inspect and maintain a record (a state table) of the state of each connection that passes through the firewall
  To adequately maintain the state of a connection the firewall needs to inspect every packet
  But short cuts can be made once a packet is identified as being part of an established connection
  Different vendors record slightly different information about the state of a connection

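The ACL slides and the stateful-firewall slide above describe three things that are easiest to see side by side: a simple ACL matching on source and destination address, an extended ACL matching on protocol and port, and a state table that lets established connections skip the ACL and expires idle sessions the way a reflexive ACL does. The following Python model is an added example written for this page; it is not code from the original deck or from any Cisco product. The names `Packet`, `Rule`, `evaluate_acl` and `StatefulFirewall`, the addresses and the rule set are all constructed for the illustration.

```python
import ipaddress
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Constructed packet record: only the header fields a filter looks at."""
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN flag, i.e. the first packet of a new connection


@dataclass
class Rule:
    """One ACL entry: a simple ACL uses src/dst only, an extended ACL adds protocol and port."""
    action: str                   # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        return self.dport is None or self.dport == pkt.dport


def evaluate_acl(rules: List[Rule], pkt: Packet) -> str:
    """Stateless ACL: first matching entry wins; unmatched traffic hits the implicit deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


class StatefulFirewall:
    """ACLs plus a state table. Every packet is inspected, but one that belongs to a
    connection already in the table takes the short cut and never touches the ACLs."""

    def __init__(self, outbound_acl: List[Rule], inbound_acl: List[Rule], idle_timeout: float = 300.0):
        self.outbound_acl = outbound_acl
        self.inbound_acl = inbound_acl
        self.idle_timeout = idle_timeout
        self.state: Dict[tuple, float] = {}   # 5-tuple of the initiating packet -> last seen

    @staticmethod
    def _key(pkt: Packet) -> tuple:
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse_key(pkt: Packet) -> tuple:
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def _expire(self, now: float) -> None:
        # Entries expire shortly after a session goes quiet, as a reflexive ACL does
        for key, seen in list(self.state.items()):
            if now - seen > self.idle_timeout:
                del self.state[key]

    def process(self, pkt: Packet, direction: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        self._expire(now)
        for key in (self._key(pkt), self._reverse_key(pkt)):
            if key in self.state:           # established connection, either direction
                self.state[key] = now
                return "permit"
        acl = self.outbound_acl if direction == "out" else self.inbound_acl
        verdict = evaluate_acl(acl, pkt)
        new_session = pkt.proto == "udp" or (pkt.proto == "tcp" and pkt.syn)
        if verdict == "permit" and new_session:
            self.state[self._key(pkt)] = now   # remember it so the reply can get back in
        return verdict


def demo() -> Tuple[str, str, str, str]:
    """Inside hosts may open TCP sessions outward; only the web server is reachable from outside."""
    fw = StatefulFirewall(
        outbound_acl=[Rule("permit", src="10.1.1.0/24", proto="tcp"),
                      Rule("permit", src="10.1.1.0/24", proto="udp", dport=53)],
        inbound_acl=[Rule("permit", dst="10.1.1.80/32", proto="tcp", dport=80)],
    )
    t0 = 1000.0
    client_syn = Packet("10.1.1.5", "198.51.100.7", "tcp", 40000, 443, syn=True)
    reply = Packet("198.51.100.7", "10.1.1.5", "tcp", 443, 40000)
    stray = Packet("198.51.100.7", "10.1.1.5", "tcp", 443, 40001)
    opened = fw.process(client_syn, "out", t0)       # permit: outbound ACL, state entry created
    returned = fw.process(reply, "in", t0 + 1)       # permit: state table hit, inbound ACL not consulted
    unsolicited = fw.process(stray, "in", t0 + 2)    # deny: unknown session, inbound ACL implicit deny
    late = fw.process(reply, "in", t0 + 1000)        # deny: entry expired, so inbound ACL applies again
    return opened, returned, unsolicited, late
```

The point of `demo()` is the third and fourth verdicts: the reply to a session the inside host opened is let back in without any inbound ACL entry for it, while a packet that looks just like that reply but belongs to no known session, or arrives after the entry has expired, falls through to the inbound ACL and its implicit deny. A real firewall tracks far more (TCP flags and sequence numbers, ICMP, application helpers), which is what the slide means by vendors recording different state.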
Hybrid Firewalls

• Hybrid firewalls combine features of other firewall approaches such as…
  Access Control Lists
  Application-specific proxies
  State tables
• Plus features of other devices…
  Web (HTTP) cache
  Specialized servers: SSH, SOCKS, NTP
  May include VPN, IDS

Personal Firewalls

• Personal firewalls
  Protecting remote users/home users
  Watching inbound/outbound traffic
  Creating basic rules
• Example—ZoneAlarm

Identity Services

• User identity
• Passwords
• Tokens
• PKI
• Biometrics

User Identity

• Mechanisms for proving who you are
  Both people and devices can be authenticated
• Three authentication attributes:
  Something you know
  Something you have
  Something you are
• Common approaches to identity:
  Passwords
  Tokens
  Certificates

Validating Identity

• Identity within the network is based overwhelmingly on IP Layer 3 and 4 information carried within the IP packets themselves
  Application-level user authentication exists, but is most commonly applied on endpoints
• Therefore, identity validation is often based on two mechanisms:
  Rule matching
  Matching existing session state
• Address and/or session spoofing is a major identity concern

Passwords

• Correlates an authorized user with network resources

[Screenshot: PIX Firewall login dialog, “Username and Password Required”, “Enter username for CCO at www.com”, User Name: student, Password: 123@456, OK/Cancel]

Passwords

• Passwords have long been, and will continue to be, a problem
• People will do what is easiest
• Create and enforce good password procedures
  Non-dictionary passwords
  Changed often (90–120 days)
• Passwords are like underwear—they should be changed often and neither hung from your monitor nor hidden under your keyboard

Tokens

• Strong (2-factor) authentication based on “something you know” and “something you have”

[Diagram: PIX Firewall login dialog (“Enter username for server at www.com”, User Name: jdoe, Password: 234836, OK/Cancel) forwarded to an Ace Server, which answers “Access Is Granted or Denied”]

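The slide shows a user typing a PIN plus a six-digit code from a hardware token, and a server deciding "granted or denied". As an added example written for this page (not code from the original deck, and not the algorithm of the Ace Server product it shows), the following Python implements the same two-factor check with the open HOTP algorithm from RFC 4226: the token and the server share a seed and a counter, each code is good for one use, and the PIN is checked separately. `TokenServer`, `hotp`, the user `jdoe`, the PIN and the counter values are all constructed; the seed is the RFC 4226 test-vector seed so the codes can be checked against the RFC.

```python
import hashlib
import hmac
import struct
from typing import Dict, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, fixed-width decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24) | (mac[offset + 1] << 16) | (mac[offset + 2] << 8) | mac[offset + 3]
    return str(code % 10 ** digits).zfill(digits)


class TokenServer:
    """Stand-in for the authentication server on the slide: a login succeeds only when the PIN
    (something you know) and the current token code (something you have) both check out."""

    def __init__(self, users: Dict[str, Tuple[str, bytes, int]], look_ahead: int = 3):
        # users: name -> (PIN, token seed shared with the hardware token, expected counter)
        self.users = {name: {"pin": pin, "secret": secret, "counter": counter}
                      for name, (pin, secret, counter) in users.items()}
        self.look_ahead = look_ahead   # tolerate a few codes generated but never submitted

    def authenticate(self, user: str, pin: str, code: str) -> bool:
        record = self.users.get(user)
        if record is None or not hmac.compare_digest(record["pin"], pin):
            return False
        for counter in range(record["counter"], record["counter"] + self.look_ahead):
            if hmac.compare_digest(hotp(record["secret"], counter), code):
                record["counter"] = counter + 1   # resynchronise; the same code can never be replayed
                return True
        return False


SEED = b"12345678901234567890"   # RFC 4226 test-vector seed, used here as a constructed token seed


def demo() -> Tuple[bool, bool, bool, bool]:
    server = TokenServer({"jdoe": ("1234", SEED, 0)})
    first = server.authenticate("jdoe", "1234", hotp(SEED, 0))       # True: PIN and code match
    replay = server.authenticate("jdoe", "1234", hotp(SEED, 0))      # False: code already consumed
    wrong_pin = server.authenticate("jdoe", "0000", hotp(SEED, 1))   # False: valid code, wrong PIN
    skipped = server.authenticate("jdoe", "1234", hotp(SEED, 2))     # True: within the look-ahead window
    return first, replay, wrong_pin, skipped
```

Two details carry the security argument. A captured code is useless a second time because the server's counter moves past it, which is exactly what a static password cannot offer; and the PIN comparison uses `hmac.compare_digest` rather than `==` so that timing does not leak how much of the PIN matched. The look-ahead window exists because users press the token button without logging in; keep it small, since every extra counter value is one more code an attacker could guess at.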
Public Key Infrastructure (PKI)

• Relies on a two-key system
  J Doe signs a document with his private key
  The person who receives that document uses JDoe’s public key to verify authenticity and decrypt

[Diagram: jdoe (“I am jdoe!”) sends a message across the Internet together with a certificate signed by us.org; the recipient authenticates and decrypts, and the certificate (“This is jdoe, signed by us.org”) is vouched for by the us.org Certificate Authority]

Biometrics
• Authentication based on physiological or
behavioral characteristics
Features can be based on:
Face
Fingerprint
Eye
Hand geometry
Handwriting
Voice
• Becoming more accepted and widely used
Already used in government, military, retail, law
enforcement, health and social services, etc.
Secure Connectivity

• Work happens everywhere!
• Virtual Private Networks

Work Happens Everywhere
Increasing Need for Transparent Corporate Connectivity

• On the road (hotels, airports, convention centers)
  280 million business trips a year
  Productivity decline away from office >60–65%
• At home (teleworking)
  137 million telecommuters by 2003
  40% of U.S. telecommuters from large or mid-size firms
• At work (branch offices, business partners)
  E-business requires agile networks
  Branch offices should go where the talent is

Source: On the Road (TIA Travel Poll, 11/99); At Home (Gartner 2001, Cahners Instat 5/01); At Work (Wharton Center for Applied Research)

What Are VPNs?

• A network built on a less expensive shared infrastructure with the same policies and performance as a private network

[Diagram: a Virtual Private Network linking Central/HQ with Regional Sites, Branches, SoHo, Telecommuters, Mobile Users, Partners and Customers]

Secure Connectivity
• Defines “peers”
Two devices in a network that need to connect
Tunnel makes peers seem virtually next to each other
Ignores network complexity in between
• Technologies
PPTP—Point-to-Point Tunneling Protocol
L2TP—Layer 2 Tunneling Protocol
IPSec
Secure shell
SSL

Encryption

• Symmetric cryptography
  Uses a shared secret key to encrypt and decrypt transmitted data
  Data flow is bidirectional
• Provides data confidentiality only
  Does not provide data integrity or non-repudiation
• Examples: DES, 3DES, AES

Symmetric Cryptography

[Diagram: Cleartext → Encrypt (Lock) → Ciphertext → Decrypt (Unlock) → Cleartext, with one Secret Key used on both sides; provides Data Confidentiality]

Encryption

• Asymmetric cryptography
  Also known as Public Key Cryptography
  Utilizes two keys: private and public keys
  The two keys are mathematically related but have different values
• Computationally intensive
• Provides data confidentiality
  Can provide for data integrity as well as non-repudiation
• Examples: RSA Signatures

Asymmetric Cryptography

[Diagram: Cleartext → Encrypt (Lock) with the Public Key → Ciphertext → Decrypt (Unlock) with the Private Key → Cleartext; provides Key Confidentiality]

Digital Signatures

[Diagram: Message → One-Way Hash Function (MD5, SHA1) → Hash of Message (0FB6CD3451DA) → Encryption with the sender's Private Key → Signature]

The hash is encrypted with the sender's private key; the digital signature is the encrypted hash.

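The diagram above is the whole hash-then-sign construction, and it is short enough to run end to end. The following Python is an added example written for this page, not code from the original deck: a textbook RSA key built from two fixed Mersenne primes (constructed, far too small and unpadded for real use; it only illustrates the arithmetic), SHA-256 as the one-way hash in place of the MD5/SHA1 named on the slide, signing with the private exponent and verification with the public one. `sign`, `verify`, `message_hash` and the sample message are assumed names. It needs Python 3.8 or later for the modular inverse in `pow`.

```python
import hashlib
from typing import Tuple

# Textbook RSA key built from two fixed Mersenne primes. Constructed for illustration only:
# a 92-bit modulus with no padding is nowhere near a usable key.
P = 2 ** 31 - 1
Q = 2 ** 61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+ modular inverse)
PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)


def message_hash(message: bytes) -> int:
    """One-way hash of the message as an integer. SHA-256 is used here; the MD5 and SHA1
    named on the slide are no longer considered safe for signatures."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key: Tuple[int, int]) -> int:
    """Signature = hash of the message 'encrypted' with the sender's private key."""
    n, d = private_key
    return pow(message_hash(message) % n, d, n)


def verify(message: bytes, signature: int, public_key: Tuple[int, int]) -> bool:
    """Recover the hash with the public key and compare it to a fresh hash of what was received."""
    n, e = public_key
    return pow(signature, e, n) == message_hash(message) % n


def demo() -> Tuple[bool, bool, bool]:
    message = b"Transfer 100 to account 42"   # constructed sample message
    signature = sign(message, PRIVATE_KEY)
    genuine = verify(message, signature, PUBLIC_KEY)                            # True
    tampered = verify(b"Transfer 1000 to account 42", signature, PUBLIC_KEY)     # False: hash changed
    forged = verify(message, signature + 1, PUBLIC_KEY)                         # False: signature altered
    return genuine, tampered, forged
```

The two failing cases in `demo()` are the integrity and authenticity properties the asymmetric slide promises: changing one byte of the message changes its hash, and changing the signature without the private key produces a value that no longer decrypts to that hash. Production signatures add a padding scheme (PKCS#1 v1.5 or PSS) around the hash and use keys of 2048 bits or more; the flow is otherwise the one in the diagram.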
Security Association

[Diagram: between two peers, one bidirectional IKE SA (Main Mode) and a pair of unidirectional IPSec SAs (Quick Mode)]

• A Security Association (SA) is an agreement between two peers on a common security policy, including:
  If and how data will be encrypted
  How entities will authenticate
  Shared session keys
  How long the association will last (lifetime)
• Types of security associations
  Uni-directional (IPSec SAs)
  Bi-directional (IKE SAs)

What Is IPSec?

• IPSec: an IETF standard* framework for the establishment and management of data privacy between network entities
  IPSec is an evolving standard

[Diagram: packet formats]
  IP data packet:                        IP | TCP | Data
  Authentication Header (AH):            IP | AH | TCP | Data                              (authenticated)
  Encapsulating Security Payload (ESP):  IP | ESP Header | TCP | Data | ESP Trailer | ESP Auth   (TCP, Data and ESP Trailer encrypted; ESP Header through ESP Trailer authenticated)

*RFC 2401–2412

Key Management

• IKE = Internet Key Exchange protocols
• Public key cryptosystems enable secure exchange of private crypto keys across open networks
• Re-keying at appropriate intervals

An IPSec VPN Is…

• IPSec provides the framework that lets you negotiate exactly which options to use
  IPSec provides flexibility to address different networking requirements
• A VPN which uses IPSec to ensure data authenticity and confidentiality
  AH provides authenticity
  ESP provides authenticity and confidentiality
• The IPSec framework is open and can accommodate new encryption and authentication techniques

Intrusion Protection

• Monitoring the network and hosts
• Network scanning
• Packet sniffing
• Intrusion detection primer

Monitoring

[Cartoon: watching traffic go by. “Where did this car come from?” “Where is this van going?”]

Network Scanning

• “Active” tool
Identifies devices on the network
Useful in network auditing
• “Fingerprinting”
How a scanner figures out what OS
and version is installed
• Examples: Nmap, Nessus

Packet Sniffing

• Diagnostic tools
  Used to capture packets
  Used to examine packet data (filters)
  Can reconstruct sessions and streams
• Sniffers can be “promiscuous”
  Passive, listening
• Examples: Sniffer, Ethereal

Intrusion Detection

• Create a system of distributed “promiscuous” Sniffer-like devices
  Watching activity on a network and specific hosts
• Different approaches
  Protocol anomaly/signature detection
  Host-based/network-based
• Different IDS technologies can be combined to create a better solution

Terminology

• False positives: system mistakenly reports certain benign activity as malicious
• False negatives: system does not detect and report actual malicious activity

Intrusion Detection Approaches

• Misuse/signature vs. anomaly detection
• Network vs. host-based

Anomaly vs. Signature Detection

• Anomaly detection: define normal, authorized activity, and consider everything else to be potentially malicious
• Misuse/signature detection: explicitly define what activity should be considered malicious
  Most commercial IDS products are signature-based

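The Terminology slide defines false positives and false negatives, and this slide contrasts the two ways of deciding what to alert on. Both are easier to grasp when run over the same traffic. The Python below is an added example written for this page, not code from the original deck or from any IDS product: a signature detector with two explicit patterns, an anomaly detector that learns the set of normal destination ports from a baseline, and a scorer that counts true and false positives and negatives against hand-written labels. `Flow`, `SIGNATURES`, `AnomalyDetector`, `evaluate`, the addresses and every flow record are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class Flow:
    """Constructed flow record: one client request plus a ground-truth label for scoring."""
    src: str
    dport: int
    payload: str
    malicious: bool


# Misuse/signature detection: explicit definitions of what counts as malicious
SIGNATURES: Dict[str, str] = {
    "sqli-union": "UNION SELECT",
    "path-traversal": "../../",
}


def signature_alerts(flow: Flow) -> List[str]:
    return [name for name, pattern in SIGNATURES.items() if pattern in flow.payload]


class AnomalyDetector:
    """Anomaly detection: learn what normal looks like, treat everything else as suspect."""

    def __init__(self, baseline: List[Flow]):
        self.normal_ports: Set[int] = {f.dport for f in baseline}

    def is_anomalous(self, flow: Flow) -> bool:
        return flow.dport not in self.normal_ports


def evaluate(flows: List[Flow], alerts: Callable[[Flow], bool]) -> Dict[str, int]:
    """Score a detector against the labels: a false positive is a benign flow that alerted,
    a false negative is a malicious flow that did not."""
    result = {"true_positive": 0, "false_positive": 0, "false_negative": 0, "true_negative": 0}
    for flow in flows:
        alerted = alerts(flow)
        if alerted and flow.malicious:
            result["true_positive"] += 1
        elif alerted:
            result["false_positive"] += 1
        elif flow.malicious:
            result["false_negative"] += 1
        else:
            result["true_negative"] += 1
    return result


BASELINE = [  # constructed "normal day" traffic: web and DNS only
    Flow("10.1.1.5", 80, "GET /index.html HTTP/1.1", False),
    Flow("10.1.1.6", 443, "GET /portal HTTP/1.1", False),
    Flow("10.1.1.5", 53, "A? www.example.com", False),
]

TODAY = [  # constructed test traffic, labelled by hand
    Flow("10.1.1.5", 80, "GET /index.html HTTP/1.1", False),
    Flow("203.0.113.9", 80, "GET /login?user=x' UNION SELECT name FROM users HTTP/1.1", True),
    Flow("203.0.113.9", 6667, "unknown-protocol banner", True),      # unusual port, no signature
    Flow("10.1.1.7", 8443, "GET /newapp HTTP/1.1", False),          # new legitimate service
    Flow("203.0.113.9", 80, "GET /docs/../../etc/passwd HTTP/1.1", True),
    Flow("10.1.1.5", 53, "A? mail.example.com", False),
]


def demo() -> Dict[str, Dict[str, int]]:
    anomaly = AnomalyDetector(BASELINE)
    by_signature = evaluate(TODAY, lambda f: bool(signature_alerts(f)))
    by_anomaly = evaluate(TODAY, anomaly.is_anomalous)
    combined = evaluate(TODAY, lambda f: bool(signature_alerts(f)) or anomaly.is_anomalous(f))
    return {"signature": by_signature, "anomaly": by_anomaly, "combined": combined}
```

The scores from `demo()` make the slide's trade-off concrete. The signature detector has no false positives but misses the flow to the unfamiliar port, because nobody wrote a pattern for it; the anomaly detector catches that flow but misses the two attacks that ride on port 80, and it raises a false positive on a new legitimate service that was absent from the baseline. Combining the two, as the Intrusion Detection slide suggests, removes the false negatives at the cost of keeping the anomaly detector's false positive, which is why tuning the baseline matters as much as writing signatures.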
Host vs. Network-Based
• Host-based “agent” software monitors
activity on the computer on which it is
installed
Cisco HIDS (Okena)—System activity
TripWire—File system activity
• Network-based appliance collects and
analyzes activity on a connected network
• Integrated IDS
Network-based IDS functionality as deployed
in routers, firewalls, and other network devices
Some General Pros and Cons

Host-based
  Pros:
    Can verify success or failure of attack
    Generally not impacted by bandwidth or encryption
    Understands host context and may be able to stop attack
  Cons:
    Impacts host resources
    Operating system dependent
    Scalability—requires one agent per host

Network-based
  Pros:
    Protects all hosts on monitored network
    No host impact
    Can detect network probes and denial of service attacks
  Cons:
    Switched environments pose challenges
    Monitoring multi-gig is currently challenging
    Generally can’t proactively stop attacks

Should view as complementary!

Network IDS Sensor

[Diagram: the sensor has two interfaces. A network link with an IP address connects it to the management console; a passive interface with no IP address monitors the network, capturing data from the data flow on the segment]

Host IDS Sensor

Passive agent (OS sensor)          Active agent (server sensor)
• Syslog monitoring                • Attack interception
• Detection                        • Prevention
• Wider platform support           • Focused protection

Typical IDS Architecture

[Diagram: component communications between a management console, an IDS sensor on the production network segment, and host-based IDS agents]

• Management console
  Real-time event display
  Event database
  Sensor configuration
• Sensor
  Packet signature analysis
  Generate alarms
  Response/countermeasures
• Host-based
  Generate alarms
  Response/countermeasures

Too Many Choices?

• Generally, the most efficient approach is to implement network-based IDS first
  Easier to scale and provides broad coverage
  Less organizational coordination required
  No host/network impact
• May want to start with host-based IDS if you only need to monitor a couple of servers
• Vast majority of commercial IDS is signature-based
• Keep in mind that IDS is not the “security panacea”

Security Management

• Wrapping it all together
• Security management
  Scalable and manageable
• Syslog and log analysis

Wrapping It All Together
• In the previous sections we discussed:
Security policy
Perimeter security and filtering
Identity services
Virtual Private Networks
Intrusion detection and prevention systems
• No one system can defend your networks
and hosts
With all this technology, how do we survive?
Integrated Network Security

[Diagram: layered view of integrated network security]
  Security Management: device manageability, embedded management tools, security policy, monitoring and analysis, network and service management; analysis through distributed investigation; end-to-end coverage
  Network and End Point Security:
    Flexible Deployment: security appliances, switch modules, router modules, software
    Security Functions: VPN, firewall, intrusion protection, identity services
    Network Services: seamless collaboration of security and networking services

Security Management

• How to manage the network securely
• In-band versus out-of-band management
  In-band management—management information travels the same network path as the data
  Out-of-band management—a second path exists to manage devices; does not necessarily depend on the LAN/WAN
• If you must use in-band, be sure to use
  Encryption
  SSH instead of telnet
• Making sure that policies are in place and that they are working

Syslog

• A protocol that supports the transport of event notification messages
  Originally developed as part of BSD Unix
• Syslog is supported on most internetworking devices
• BSD Syslog—IETF RFC 3164
  The RFC documents BSD Syslog observed behavior
• Work continues on reliable and authenticated Syslog
  http://www.employees.org/~lonvick/index.shtml

Log Analysis

• Log analysis is the process of examining Syslog and other log data
  Building a baseline of what should be considered normal behavior
  This is “post event” analysis because it is not happening in real-time
• Log analysis is looking for
  Signs of trouble
  Evidence that can be used to prosecute
• If you log it, read and use it!
• Resources
  http://www.counterpane.com/log-analysis.html

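The Syslog slide names RFC 3164 and this slide describes log analysis as building a baseline and then looking for signs of trouble after the fact. The Python below is an added example written for this page (not code from the original deck or from any syslog implementation) that does both on constructed BSD-syslog lines: it decodes the `<PRI>` field into facility and severity the way RFC 3164 defines it, builds a per-host, per-program event baseline from a "normal day", and then flags programs whose volume jumps well above that baseline as well as anything logged at `crit` or worse. `parse_syslog`, `build_baseline`, `analyze`, the hostnames and every log line are constructed; the thresholds (`factor`, `min_events`) are arbitrary starting points to be tuned per environment.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional, Tuple

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp", "cron",
              "authpriv", "ftp", "ntp", "audit", "alert", "clock"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# BSD syslog line as described in RFC 3164: <PRI>TIMESTAMP HOSTNAME TAG[pid]: MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")


class Event(NamedTuple):
    facility: str
    severity: str
    timestamp: str
    host: str
    tag: str
    msg: str


def parse_syslog(line: str) -> Optional[Event]:
    """PRI = facility * 8 + severity. Lines that do not fit the format come back as None."""
    m = SYSLOG_RE.match(line)
    if m is None or int(m["pri"]) > 191:
        return None
    pri = int(m["pri"])
    return Event(FACILITIES[pri // 8], SEVERITIES[pri % 8], m["ts"], m["host"], m["tag"], m["msg"])


def build_baseline(lines: List[str]) -> Dict[Tuple[str, str], int]:
    """What 'normal' looks like: how many events each (host, program) pair produced in a period."""
    events = [e for e in map(parse_syslog, lines) if e is not None]
    return dict(Counter((e.host, e.tag) for e in events))


def analyze(lines: List[str], baseline: Dict[Tuple[str, str], int],
            factor: int = 3, min_events: int = 5) -> Dict[str, object]:
    """Post-event analysis: volume well above baseline, plus anything logged at crit or worse."""
    parsed = [parse_syslog(line) for line in lines]
    events = [e for e in parsed if e is not None]
    counts = Counter((e.host, e.tag) for e in events)
    volume = []
    for (host, tag), n in counts.items():
        expected = baseline.get((host, tag), 0)
        if n >= min_events and n > factor * expected:
            volume.append((host, tag, n, expected))
    severe = [e for e in events if SEVERITIES.index(e.severity) <= SEVERITIES.index("crit")]
    return {"volume": volume, "severe": severe, "unparsed": parsed.count(None)}


NORMAL_DAY = [  # constructed baseline: a quiet day on the firewall and web server
    "<38>Jan 24 08:00:11 fw1 sshd[1001]: Accepted password for admin from 10.1.1.5 port 51022 ssh2",
    "<38>Jan 24 12:10:42 fw1 sshd[1042]: Accepted password for admin from 10.1.1.5 port 51100 ssh2",
    "<78>Jan 24 23:59:01 fw1 CRON[1300]: (root) CMD (run-parts /etc/cron.daily)",
    "<38>Jan 24 09:15:00 web1 sshd[2210]: Accepted publickey for deploy from 10.1.1.20 port 40100 ssh2",
]

TODAY = [  # constructed day under review: a burst of failed logins, a kernel crit, one junk line
    f"<38>Jan 25 05:3{i}:07 fw1 sshd[22{i}0]: Failed password for root from 203.0.113.9 port 45{i}1 ssh2"
    for i in range(7)
] + [
    "<78>Jan 25 23:59:01 fw1 CRON[2300]: (root) CMD (run-parts /etc/cron.daily)",
    "<2>Jan 25 05:41:13 web1 kernel: Out of memory: Killed process 4411 (httpd)",
    "garbage line that is not syslog",
]


def demo() -> Dict[str, object]:
    return analyze(TODAY, build_baseline(NORMAL_DAY))
```

Running `demo()` flags `(fw1, sshd)` at seven events against a baseline of two and surfaces the `kern.crit` message, while the cron job that looks exactly like yesterday's stays quiet; the unparsed count is worth watching too, since a sudden rise in lines that fail to parse is itself a sign that a device or an attacker is sending something unexpected. The baseline is the part the slide stresses: without it the seven failed logins are just seven lines.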
Security = Tools Implementing Policy

• Now more than ever
  Identity tools
  Filtering tools
  Connectivity tools
  Monitoring tools
  Management tools

The Threat Forecast

• New vulnerabilities and exploits are uncovered every day
  Subscribe to bugtraq to watch the fun!
• Crystal ball
  Attacks will continue
  Greater complexity
  Still see unpatched vulnerabilities taken advantage of

Conclusions

• Things sound dire!!!
• The sky really is not falling!!!
• Take care of those security issues that you have control over
• Security is a process, not a box!

Security Resources at Cisco

• Cisco Connection Online—http://www.cisco.com/go/security
• Cisco Product Specific Incident Response Team (PSIRT)—http://www.cisco.com/go/psirt

Security Resources on the Internet

• Cisco Connection Online—http://www.cisco.com
• SecurityFocus.com—http://www.securityfocus.com
• SANS—http://www.sans.org
• CERT—http://www.cert.org
• CIAC—http://www.ciac.org/ciac
• CVE—http://cve.mitre.org
• Computer Security Institute—http://www.gocsi.com
• Center for Internet Security—http://www.cisecurity.org

Thank You

Questions

Recommended Reading

Designing Network Security, Second Ed. (ISBN: 1587051176; available in Oct 2003)
Designing Network Security (ISBN: 1578700434)
Managing Cisco Network Security (ISBN: 1578701031)

Recommended Reading

Network Security Principles and Practices (ISBN: 1587050250)
Cisco Secure Internet Security Solutions (ISBN: 1587050161)
Cisco Secure Intrusion Detection System (ISBN: 158705034X)

Recommended Reading

CCSP Cisco Secure PIX Firewall Advanced Exam Certification Guide (ISBN: 1587200678)
CCSP Cisco Secure VPN Exam Certification Guide (ISBN: 1587200708)
