1305 0893_04F9_c3
© 1999, Cisco Systems, Inc.
Intrusion Detection and Scanning with Active Audit, Session 1305
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0893_04F9_c3.scr
The Security Wheel
Corporate Security Policy sits at the hub of the wheel; the four spokes around it are:
• Secure
• Monitor: real-time intrusion detection
• Audit/Test: proactive network vulnerability assessment
• Manage and Improve
Maximize Your Security Coverage with Active Audit
• Know where to deploy active audit technologies
• Know how to deploy active audit technologies
Agenda
• NetRanger™
• NetSonar™
• Cisco IOS® Firewall with Intrusion Detection
For each technology: where to place it, and how to use it.
Do You Need Active Audit?
Your servers are occasionally crashing, but there is no internal reason to account for it. Could it be that someone within your network is launching attacks against them?
(Technologies covered: NetRanger, NetSonar, Cisco IOS Firewall with Intrusion Detection)
Intrusion Detection
NetRanger detects and reports suspicious and unauthorized activities that can be matched to an attack or information-gathering signature.
“Cisco’s NetRanger creates security visibility into the network”
Network Security Database
NetRanger Components
• NetRanger Director
• NetRanger Sensor
• Communications between sensor and director
NetRanger Packet Capture
The sensor has two interfaces:
• Monitoring interface: passive, no IP address; captures data from the monitored network (data capture follows the data flow on the link)
• Command-and-control interface: has an IP address; provides the network link to the director
Event Actions: Response
Session termination and shunning:
• Session termination (TCP hijack): the sensor kills the current session by terminating the active TCP session between the attacker and the target.
• Shunning: the sensor shuns the attacker by reconfiguring filters (modifying an ACL) on a managed device. This requires the device management option.
Use with a Switch
• The sensor's passive interface is attached to a SPAN port that mirrors the VLAN to be monitored.
• CAM table mix-up: when the sensor sends TCP RSTs using the MAC addresses of the two ends of the session, the switch learns those MAC addresses on the sensor's port and can misforward the real hosts' traffic until the entries are relearned.
• SPAN oversubscription: 100+100+100+100 = 100. Mirroring four 100 Mb ports onto one 100 Mb SPAN port cannot carry all the traffic, so the sensor will not see every packet.
Use around a Firewall
• Sensor passive interfaces on both sides of the firewall: one outside and one inside.
Event Actions: Alarm Notification
• Alarms are transmitted as soon as they are detected. This generally occurs within a second.
• The PostOffice protocol relies upon a positive acknowledgement scheme over UDP to make sure that a director receives the alarm.
NetRanger Communications
• Reliability: the sensor waits for an acknowledgment of every alarm sent to the director (alarm sent, alarm received, acknowledgment returned).
• Redundancy: the sensor can send alarms to multiple directors.
• Fault tolerance: the sensor supports multiple routes to a single destination. If the primary route is down, the sensor defaults to the secondary route.
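The three properties above (positive acknowledgement of every alarm, delivery to several directors, fallback to a secondary route) together define a small reliable-delivery protocol on top of unreliable datagrams. The simulation below is an added example, not NetRanger or PostOffice code: the JSON message layout, the retry limit, and the Route, Director and Sensor classes are assumptions made for illustration. It also shows one detail the slides leave implicit: because a retransmitted alarm can arrive at a director whose acknowledgement was lost, the director must deduplicate by sequence number.

```python
import json
from dataclasses import dataclass, field

# Constructed simulation of sensor-to-director alarm delivery: alarms travel as
# UDP-style datagrams that may be lost, the sensor waits for a positive ack for
# every alarm and retransmits when none arrives, each alarm goes to every
# configured director, and a director's secondary route is tried when the
# primary is down. Added example, not NetRanger code; message layout and retry
# limit are assumptions.

@dataclass
class Route:
    name: str
    up: bool = True          # False: datagrams on this route are lost
    ack_lost: bool = False   # True: the alarm arrives but the ack never returns

@dataclass
class Director:
    name: str
    routes: list                                   # ordered, primary route first
    received: dict = field(default_factory=dict)   # seq -> alarm, deduplicated

    def deliver(self, route, datagram):
        """Model one datagram crossing `route`; return ack bytes or None when lost."""
        if not route.up:
            return None
        alarm = json.loads(datagram.decode())
        # A repeated sequence number is a retransmission: keep the first copy only.
        self.received.setdefault(alarm["seq"], alarm)
        if route.ack_lost:
            return None
        return json.dumps({"type": "ack", "seq": alarm["seq"]}).encode()

class Sensor:
    def __init__(self, directors, max_retries=3):
        self.directors = directors
        self.max_retries = max_retries
        self.seq = 0
        self.log = []

    def send_alarm(self, signature, src, dst):
        """Send one alarm to every director; return {director name: route used or None}."""
        self.seq += 1
        datagram = json.dumps({"type": "alarm", "seq": self.seq,
                               "sig": signature, "src": src, "dst": dst}).encode()
        return {d.name: self._send_with_ack(d, datagram) for d in self.directors}

    def _send_with_ack(self, director, datagram):
        """Try each route in order, retransmitting until an ack for our seq arrives."""
        seq = json.loads(datagram.decode())["seq"]
        for route in director.routes:
            for attempt in range(1, self.max_retries + 1):
                ack = director.deliver(route, datagram)
                if ack is not None and json.loads(ack.decode()).get("seq") == seq:
                    self.log.append(f"seq {seq}: acked by {director.name} via {route.name} (attempt {attempt})")
                    return route.name
                self.log.append(f"seq {seq}: no ack from {director.name} via {route.name} (attempt {attempt})")
        self.log.append(f"seq {seq}: undeliverable to {director.name}, all routes exhausted")
        return None

def demo():
    # Constructed topology: director-a's primary path is down, director-b loses
    # acks on its primary path, director-c is unreachable on every path.
    a = Director("director-a", [Route("primary", up=False), Route("secondary")])
    b = Director("director-b", [Route("primary", ack_lost=True), Route("secondary")])
    c = Director("director-c", [Route("primary", up=False), Route("secondary", up=False)])
    sensor = Sensor([a, b, c], max_retries=2)
    result = sensor.send_alarm("tcp-syn-sweep", "192.0.2.10", "198.51.100.5")  # constructed alarm
    return result, a, b, c, sensor

if __name__ == "__main__":
    result, a, b, c, sensor = demo()
    print(result)
    print("\n".join(sensor.log))
```

The log produced by `demo()` reads like the monitoring a practitioner wants from a real sensor: which director acknowledged, over which path, and after how many retransmissions, plus an explicit "undeliverable" entry when every route is exhausted. The `received` dictionary on director-b holds exactly one copy of the alarm even though the sensor transmitted it three times.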
NetRanger Director Placement
• Director tier 1: enterprise strategic management
• Director tier 2: regional operational management
• Director tier 3: local security management
Network Node Manager View of the Network
NetRanger Sensor Placement
Candidate sensor locations shown in the figure: the Internet connection, the DMZ servers, the data center, the workgroup server cluster, the user networks, the network access server (dial-in), and business partner access.
Visibility of the Firewall Security
• A sensor placed outside of the firewall will detect and report attacks that the firewall may stop.
• A sensor placed inside of the firewall will detect and report attacks that get past the firewall. One example of this is an attack that is started from a compromised WWW server on the DMZ.
(Figure: Internet, firewall, DMZ servers, with a sensor on each side of the firewall.)
Visibility of VPN Link Security
• A sensor placed at the access point to your VPN links will monitor the activities with your business partners (business partner access).
Visibility of Dial-In Security
• A sensor placed at the access point to your remote access server (network access server) will monitor the activities of your dial-in users.
Visibility of the Security of Critical Services
• Sensors placed at the access points to your critical business servers and subnets will monitor the security interactions between your users and the services provided by these devices.
Visibility of the Security of Critical Services
• Sensors placed at the access points to your user networks will monitor the security of your users.
Do You Need Active Audit?
You are setting up internal firewalls and you have been asked to verify that the firewalls meet the company policy.
(Technologies covered: NetRanger, NetSonar, Cisco IOS Firewall with Intrusion Detection)
Network Vulnerability Assessment
NetSonar automates the process of identifying network security vulnerabilities through its comprehensive vulnerability scanning and network mapping capabilities.
“With Cisco’s NetSonar, users don’t have to be security experts to have security expertise”
NetSonar Components
NetSonar Process
• Network mapping
  - Identify live hosts
  - Identify services on hosts
• Vulnerability scanning
  - Analyze potential vulnerabilities
  - Confirm vulnerabilities on targeted hosts
NetSonar and NetRanger
• NetRanger will report the scans and probes used by NetSonar
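Because the sensor alarms on NetSonar's own mapping and scanning probes, the operator needs a way to tell a sanctioned audit from a hostile scan. The Python below is an added example, not NetSonar or NetRanger code, serving both the NetSonar process slide and the point above: it parses constructed alarm lines in an assumed syslog-like layout (not the real PostOffice alarm format), groups them into scans when one source touches several host/port targets inside a short window, and marks a scan as an authorized audit only when the source is a registered scanner and the activity falls inside a declared audit window. The addresses, signature names and window are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sensor alarm lines. The layout "<time> sig=<name> src=<ip> dst=<ip>
# dport=<port>" is an assumption for this example, not the NetRanger alarm format.
# 10.1.5.20 plays the sanctioned NetSonar host; 192.0.2.44 is an unknown source.
SAMPLE_ALARMS = """\
1999-06-01T10:00:01 sig=tcp-port-sweep src=10.1.5.20 dst=10.1.9.7 dport=21
1999-06-01T10:00:02 sig=tcp-port-sweep src=10.1.5.20 dst=10.1.9.7 dport=23
1999-06-01T10:00:02 sig=tcp-port-sweep src=10.1.5.20 dst=10.1.9.8 dport=80
1999-06-01T10:00:03 sig=tcp-port-sweep src=10.1.5.20 dst=10.1.9.9 dport=80
1999-06-01T10:00:03 sig=icmp-echo-req src=10.1.5.20 dst=10.1.9.10 dport=0
1999-06-01T10:30:00 sig=tcp-port-sweep src=192.0.2.44 dst=10.1.9.7 dport=21
1999-06-01T10:30:01 sig=tcp-port-sweep src=192.0.2.44 dst=10.1.9.7 dport=25
1999-06-01T10:30:01 sig=tcp-port-sweep src=192.0.2.44 dst=10.1.9.7 dport=110
1999-06-01T11:15:00 sig=www-cgi-probe src=10.1.7.3 dst=10.1.9.8 dport=80
"""

ALARM_RE = re.compile(
    r"^(?P<ts>\S+) sig=(?P<sig>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$")

def parse_alarms(text):
    """Turn alarm lines into dicts; lines that do not match the layout are skipped."""
    alarms = []
    for line in text.splitlines():
        m = ALARM_RE.match(line.strip())
        if not m:
            continue
        a = m.groupdict()
        a["ts"] = datetime.fromisoformat(a["ts"])
        a["dport"] = int(a["dport"])
        alarms.append(a)
    return alarms

def find_scans(alarms, window=timedelta(minutes=5), min_targets=3):
    """Report (src, first_ts, last_ts, target_count) for every source that touches
    at least `min_targets` distinct (dst, dport) pairs within any `window`."""
    by_src = defaultdict(list)
    for a in alarms:
        by_src[a["src"]].append(a)
    scans = []
    for src, items in by_src.items():
        items.sort(key=lambda a: a["ts"])
        start = 0
        for end in range(len(items)):
            # Slide the window forward until it spans at most `window`.
            while items[end]["ts"] - items[start]["ts"] > window:
                start += 1
            targets = {(a["dst"], a["dport"]) for a in items[start:end + 1]}
            if len(targets) >= min_targets:
                scans.append((src, items[start]["ts"], items[end]["ts"], len(targets)))
                break  # one report per source is enough
    return scans

def classify_scans(scans, authorized_scanners, audit_windows):
    """A scan is an authorized audit only if its source is a registered scanner AND
    the whole activity lies inside a declared audit window; anything else is
    flagged for investigation, including a registered scanner running off-schedule."""
    verdicts = {}
    for src, first, last, _count in scans:
        sanctioned = src in authorized_scanners and any(
            ws <= first and last <= we for ws, we in audit_windows)
        verdicts[src] = "authorized-audit" if sanctioned else "investigate"
    return verdicts

def demo():
    alarms = parse_alarms(SAMPLE_ALARMS)
    scans = find_scans(alarms)
    # Constructed schedule: the NetSonar run is authorized between 09:30 and 10:30.
    windows = [(datetime(1999, 6, 1, 9, 30), datetime(1999, 6, 1, 10, 30))]
    return classify_scans(scans, {"10.1.5.20"}, windows)

if __name__ == "__main__":
    for src, verdict in demo().items():
        print(f"{src}: {verdict}")
```

The single alarm from 10.1.7.3 never becomes a scan, which keeps one-off probes out of the scan report; the registered scanner's activity inside its window is labelled an audit, while the same activity from an unregistered source is left for the analyst.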
Scan through a Firewall
• Target the scans: the firewall and the hosts behind it
• NAT considerations
• ACL considerations
Scan Subnets
• Target the scans: all interfaces of the routers and hosts
• Time to scan
• ACL considerations
Do You Need Active Audit?
You installed a firewall to protect your network from threats from the Internet, only to find someone attacked your network through a dialup modem.
(Technologies covered: NetRanger, NetSonar, Cisco IOS Firewall with Intrusion Detection)
Cisco IOS Firewall with Intrusion Detection
• Available in Cisco IOS 12.0(5)T
• Bundled with the Cisco IOS Firewall Feature Set
• These features can be used to enforce a security policy
Cisco IOS Firewall Signatures
• 59 signatures taken from a broad range to detect the most common information-gathering scans and attacks
• The signatures cover the application, UDP, TCP, ICMP and IP layers
Event Actions
Signatures are classed as attack or info. Each class can be given these actions:
• Alarm: an alarm is sent, as console messages (syslog) or to a director (PostOffice)
• Drop: the packet is dropped
• Reset: TCP RSTs are sent if it is a TCP session
These actions are expected to be used together but can be individually configured.
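The configuration below is an added example of the actions and alarm destinations listed above, written for the Cisco IOS Firewall intrusion detection feature; it is not taken from the slides or from Cisco documentation. The audit rule name EDGE-AUDIT, the host and organization ids, the addresses and the interface are placeholders. It follows the pattern the slide describes: info signatures only alarm, attack signatures alarm, drop and reset together, and alarms go both to syslog and to a director over PostOffice.

```cisco
! Constructed Cisco IOS Firewall IDS configuration (added example, not from the slides).
! Host/organization ids, addresses, the rule name and the interface are placeholders.

! PostOffice identity of this router and the director it reports to
ip audit po local hostid 10 orgid 100
ip audit po remote hostid 1 orgid 100 rmtaddress 10.0.0.5 localaddress 10.0.0.1 port 45000 preference 1 timeout 5 application director

! Alarm destinations: syslog (console messages) and the director via PostOffice
ip audit notify log
ip audit notify nr-director

! Audit rule: information-gathering signatures only alarm;
! attack signatures alarm, drop the packet and reset the TCP session
ip audit name EDGE-AUDIT info action alarm
ip audit name EDGE-AUDIT attack action alarm drop reset

! Apply the rule to traffic arriving on the Internet-facing interface
interface Serial0
 ip address 203.0.113.1 255.255.255.252
 ip audit EDGE-AUDIT in
```

After applying it, `show ip audit configuration` shows the rule and PostOffice settings and `show ip audit statistics` shows signature hit counts, which is the quickest way to confirm that the rule is attached to the intended interface and that alarms are actually being generated; the drop and reset actions should be switched on only after the alarm-only output has been reviewed for false positives on the monitored link.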
Implementation
• The Cisco IOS Firewall with Intrusion Detection can be used to supplement an intrusion detection system
(Figure: core, distribution and access layers of the network.)
Do You Need Active Audit? NO TRESPASSING!
You just received an email from the security administrator of another company saying that they have tracked an information-gathering scan back to your firewall. They would like your help to prevent this from happening again.
Conclusions
Maximize Your Security Coverage with Active Audit
Know where and how to deploy active audit technologies to maximize your security coverage.
(The Security Wheel: Corporate Security Policy at the hub; Secure, Monitor, Audit/Test, Manage and Improve around it.)