Deployment Of An IPS & CS-MARS At INRIA

Page 5

Presentation of INRIA

Page 6

INRIA* research centres:

• Grenoble Rhône-Alpes

• Sophia Antipolis Méditerranée

• Rennes Bretagne Atlantique

• Bordeaux Sud-Ouest

• Lille Nord Europe

• Saclay Île-de-France

• Paris Rocquencourt

* Institut National de Recherche en Informatique et en Automatique

Page 7

– 181 PhD students and post-doctoral students

– 141 engineers, technicians and administrative people

Page 9

Paradigm shift

People become more and more mobile and connected

They don’t need to have both a desktop and a laptop; the latter is becoming more and more powerful

The frequency of connections to other networks has grown by several orders of magnitude

We often have more than one hundred visitors in our buildings at the same time with guest Internet access

Page 10

We needed a better way than a FW to improve our security!

But… we really needed to improve the security

Less pressure on the teams that manage public servers (for updates)

We don’t trust our clients anymore

Page 11

• Common attacks (virus, worm, ActiveX, etc.)

Either from the Internet → Inside

Or from the clients → Servers

For us, the answer was an IPS, not a FW checking authorized ports

Page 12

What we did / What we had

As a public institution, French law obliges us to run a call for competition, with publicity proportional to the purchase amount

We wrote and published specifications of what we wanted

We received answers from several competitors

The solution proposed by Telindus & Cisco won the competition

• Best overall coverage of specifications

• Price (TCA over 3 years)

How the offer covered our requirements:

• Bandwidth allocation: Included

• Seamless update: Included

• VLAN pairing: Included

• Graphical visualisation of attacks: CS-MARS
Page 14

The solution that was proposed

Page 15

Realized Solution (IPS)

Page 16

What we did not like in this first draft

The solution included an IPS model 4260

• We asked for an IPS model 4270 (4 Gbps)

They proposed to physically insert the IPS between

• Trusted networks

• Untrusted networks

This is simple and effective

But not very scalable: for each network that you want to protect, the consumption of IPS resources is:

• 2 ports minimum

• Or 4 ports (redundancy)

You will run out of ports before running out of Virtual Sensors

The ports on an IPS are a very expensive resource!

Page 17

We wanted more “virtualization”

We said “your equipment is capable of VLAN pairing”

Why don’t we use it?

VLAN pairing allows VLAN tags to be changed “on the fly”

2 ports can be used to pair several VLANs two by two

Page 18

The changes that we proposed

[Diagram: the proposed topology, showing the WAN, the Core and the Data Center.]

Page 19

Yes, good idea… but

Well, yes, it’s a good idea, but:

• You asked for “High Availability”

• We designed your IPS with NICs with “hardware bypass”

With Hardware Bypass, you cannot use VLAN Pairing…

The VLAN tags are switched by the IPS software, not by the hardware…

When the IPS is down… there is no more VLAN Pairing

Page 20

And we thought, thought…

We thought about how to rank what we wanted the most:

• High Availability

• Or even more virtualization

All vendors can offer “hardware bypass”… the strong point of Cisco’s offer is virtualization

We know how to secure a link: we do it all the time when designing networks

Why not use robust and effective network technologies?

Page 21

Cisco’s Flexlink

Cisco’s Flexlink is a layer 2 feature that can co-exist with Spanning Tree

It allows a convergence time of less than 50 milliseconds

This time remains consistent regardless of the number of VLANs or MAC addresses on the links

So we can secure against a failure of the IPS by:

• Connecting the IPS on a Flexlink primary link

• Connecting the two devices at both ends of the IPS links directly together with a backup link

This holds even in the case of a failure of a Network Interface Card on the IPS: no Single Point of Failure

In fact, we prefer this solution to hardware bypass, even for the WAN router ↔ Core Router interconnection

Page 22

How to simulate VLAN Pairing?

But the IPS is the glue… if the IPS is down, we still have to stick VLANs two by two…

We can simulate the glue using a single switch

[Diagram: WAN, Core and Data Center; 4 x 1G aggregated 802.1q links as the Flexlink primary through the IPS, a 1G 802.1q link as the Flexlink backup with manual VLAN pairing on a single switch; unprotected and protected servers. The failure case is marked with an X and captioned “Not so well”.]

Page 23

So be it

We proposed these changes

The answer was: … … … yes, this should work, but we should test it before we commit!

Then we said that we wanted to do the very same thing with the WAN ↔ Core link, to be supervised by the IPS

But there was a new problem

• The Core router always knows when the path between itself and the IPS is down

• But how could the WAN router be informed of a failure of the link between the IPS and the Core router?

Page 24

How to detect an N+1 link failure?

[Diagram: WAN, Core, Data Center and Buildings; 1G Flexlink primary link and 1G Flexlink backup link; unprotected and protected servers. Caption: “The WAN router knows when the primary link fails”.]

Page 25

How to detect an N+1 link failure?

[Diagram: WAN and Core Data Center with the 1G Flexlink primary and backup links; the primary link is marked failed (X). WAN router caption, truncated in the source: “…failed, let’s use the backup link!”]

Page 26

How to detect an N+1 link failure?

[Diagram: WAN and Core Data Center with the 1G Flexlink primary and backup links; the failure (X) is on the far side of the IPS, so the WAN router’s caption, truncated in the source, reads: “…link is up, I don’t have to use the backup link”.]

Page 27

UDLD

It is used to detect and disable unidirectional Ethernet or fiber links

It operates at layer 2 in conjunction with layer 1

The IPS is transparent to UDLD packets

We can configure UDLD on the devices at both ends of the IPS links
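Switch-side configuration for the Flexlink primary/backup pair (Flexlink slide) together with the UDLD probing described here, written as an added example; it is not the INRIA configuration and not taken from the deck. Hostnames, interface numbers, the Catalyst-style trunk syntax and the 60-second err-disable recovery interval are assumptions.

```cisco
! ---- WAN-side switch: owns the Flexlink pair (assumed names) ----
hostname wan-sw
! bring an err-disabled port back automatically once the far end answers
! again, e.g. after the IPS has been restarted
errdisable recovery cause udld
errdisable recovery interval 60
!
interface GigabitEthernet0/1
 description Flexlink PRIMARY - 1G 802.1q trunk towards the IPS
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! aggressive mode: if the Core-side port stops echoing UDLD probes
 ! (the segment beyond the IPS is down), this port is err-disabled, so a
 ! remote failure becomes a local link-down that Flexlink acts on
 udld port aggressive
 switchport backup interface GigabitEthernet0/2
!
interface GigabitEthernet0/2
 description Flexlink BACKUP - 1G 802.1q trunk straight to the Core switch
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
! ---- Core-side switch: plain trunks, no Flexlink needed, same UDLD ----
hostname core-sw
errdisable recovery cause udld
errdisable recovery interval 60
!
interface GigabitEthernet0/1
 description 1G 802.1q trunk towards the IPS (far side of the sensor)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! the IPS forwards UDLD frames unchanged, so both ends see each other
 udld port aggressive
!
interface GigabitEthernet0/2
 description Direct 1G 802.1q trunk to wan-sw (backup end)
 switchport trunk encapsulation dot1q
 switchport mode trunk
```

Verify with `show interfaces switchport backup` on wan-sw and `show udld neighbors` on both switches. Without UDLD, only a failure of wan-sw’s own primary port would be detected, which is exactly the N+1 problem the previous slides describe.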

Page 28

How to detect an N+1 link failure?

[Diagram: WAN and Core Data Center with the 1G Flexlink primary and backup links (same topology, with UDLD enabled).]

Page 29

How to detect an N+1 link failure?

[Diagram: WAN, Core Data Center and Buildings with the 1G Flexlink primary and backup links, unprotected and protected servers; the link beyond the IPS is marked failed (X). WAN router caption: “the core router does not answer to my probes, let’s use the backup link”.]

Page 30

Final scenario

2 virtual sensors were defined

• Vs0: sensor protecting the servers from outside and from inside clients

• 4 GigaEthernet interfaces on two cards with inline VLAN pairing (VLAN tag switching)

• Vs1: sensor protecting the inside from outside (and vice versa); it does not apply to the flows to/from the servers protected by Vs0

• 2 GigaEthernet interfaces, inline VLAN Group (no VLAN tag switching)

Two of each (one per virtual sensor):

• Signature sets

• Anomaly Detection engine (different thresholds)

• Filter Rules sets

Vs1 is less customized (fewer filters, fewer inactive/retired signatures)

Page 31

Final scenario

[Diagram: final topology with WAN, Core and Data Center, 1G Flexlink primary link and 1G Flexlink backup link.]

Page 32

In our specifications, we asked for 2 main phases

Verification of ability

• Verification of the solution in IDS mode: no dropping

• Tuning: reduction of false positives

15 days of verification of regular service

Page 33

Deployment without loss of service

To move a server from a non-inspected zone to an inspected zone:

• On the IPS, we filter all the actions applied to this server, except Alerts

• On the switch where the server is connected, we change the VLAN → no interruption (not even a packet lost)

• On the IPS, we possibly do some tuning (filter some signatures)

• Then we stop the initial filtering of actions applied to this server

Page 34

Problems with the IPS 4270

Seven or eight bugs were discovered and fixed on the sensor running on our site since we installed it

• A lot of crashes

• Big latency for flows crossing the sensor

We had to write a monitoring script which monitors:

• Running state of the sensor

• Latency of flows

The script could restart the sensor if necessary

Very, very good interaction with Cisco’s developers

• Direct communication with the developers

• Direct access for the developers to the IPS

• Problems not totally corrected yet

Page 35

Points to improve

High CPU usage, which impacts latency

On the road to virtualization… but there is still some way to go

• There are still common objects

• This is to preserve performance

Now the virtualization should go one step further

• Most of the stability problems are linked to common objects

Page 37

• Graphical view of attacks

In our specifications, we asked for a one-day training on CS-MARS

It is very important to have such training

• You have to be careful with the trainer

It takes some time to become really familiar with the internals of CS-MARS

Page 38

• We used it a lot in order to detect False Positives

We are using CS-MARS for a lot of reports on the IPS activity

In a second phase, we started to use CS-MARS with other devices

• Layer 2 switches

• Routers

• Web Servers (Apache)

• Linux servers (syslog)

We wrote a parser for the logs of an anonymous FTP server

Page 39

Our “best practices”

In the Event action rules of the IPS we always use Event variables

• It makes the rules more readable and more compact

• In CS-MARS the Raw Event coming from the IPS contains the event variable name in the field Locality → you can build custom rules based on these names

We spent a lot of time on tuning → we systematically create a case for every Red Incident (High)

• And we investigate

We periodically look at the Yellow Incidents (Medium)

• Based on daily reports only → for further investigation if necessary

• DoS, Probe, Penetrate, Persist event types

We never look at green incidents…


Page 40

Points to improve on IPS/CS-MARS

CS-MARS ↔ IPS

• CS-MARS does not know anything about the virtualization: 2 virtual sensors on the same box are seen as one sensor (2 reporting addresses?)

• Global Summary or Regular Summary events from the IPS do not carry the action value → CS-MARS cannot see in a HIGH severity alert whether packets were dropped (no false positive detection)

• A customized signature on the IPS cannot be created on CS-MARS → the event appears as an Unknown Event Type in CS-MARS (solved: documented in a special documentation… it did not work yet, a case is opened)

• Impossible to customize the parser for a platform type which is already known (solved in 6.x)

More general (CS-MARS)

• Fields for Drop Rules are limited → at least Keyword (preferably regular expressions)

• The color of an incident is fully determined by the severity of the most severe correlated event; there is no way for a rule to modify this dynamically

• Impossible to import/export parser rules (solved in 6.x)

• It would be so cool to be able to do some pattern matching with regular expressions in queries on user rules!

• It’s impossible to match “not something” (apply a negation operator to the first string); you have to match “something and not some other thing”

Improve the display in Firefox (Windows/Linux)

• The buttons that appear right on the scrollbar are annoying

• The summary page with Hotspot graph and attack diagrams in ActiveX… is it really necessary?

Page 41

Conclusion

If you talk about problems in a presentation, there is a danger that people only remember that…

Even if there are points to improve, we are satisfied with the pair formed by Cisco’s IPS and CS-MARS

I would like to focus on some points:

• Virtualization for sensors is a good point: it helps you consolidate your hardware investment

• VLAN pairing helps you with your deployment: it is not only a Firewall technology, it is a next step on the way to virtualization

• We had direct access to and direct communication with Cisco’s developers

Page 44

To make the most of your time at Cisco Networkers 2009, schedule a Face-to-Face Meeting with a top Cisco Expert.


Page 47

Example of raw event from the IPS

evIdsAlert: eventId="1210560971153453387" severity="medium" vendor="Cisco"

originator:

hostId: explorer

appName: sensorApp

appInstanceId: 6329

time: Nov 14 2008 09:09:55 CET (1226650195467797000) offset="60" timeZone="GMT+01:00"

signature: created="20050516" type="other" version="S167" description="Nachi Worm ICMP Echo Request" id="2158" subsigId: 0

sigDetails: Nachi ICMP

triggerPacket: View Decode [View Decode]

riskRatingValue: 60 attackRelevanceRating="not-relevant" targetValueRating="medium"

threatRatingValue: 25

interface: ge4_3

protocol: icmp


Page 48

Incidents on a week
