0893_04F9_c3 © 1999, Cisco Systems, Inc
Intrusion Detection and Scanning with Active Audit Session 1305
The Security Wheel (figure): Corporate Security Policy at the hub, with the continuous cycle Secure, Monitor, Audit/Test, Manage and Improve around it. The two active audit technologies feed that cycle: Real-Time Intrusion Detection and Proactive Network Vulnerability Assessment.
How To: Deploy Active Audit Technologies to Maximize Your Security Coverage with Active Audit
Agenda
• NetRanger
• NetSonar
• Cisco IOS® Firewall with Intrusion Detection
Scenario: your servers are occasionally crashing, but there is no internal reason to account for it. Could it be that someone within your network is launching attacks against them?
Do You Need Active Audit?
• NetRanger
• NetSonar
• Cisco IOS Firewall with Intrusion Detection
“Cisco’s NetRanger Creates Security Visibility into the Network”
NetRanger detects and reports suspicious and unauthorized activity that can be matched to an attack or information-gathering signature.
Intrusion Detection: the signatures are held in the Network Security Database.
NetRanger Components
• NetRanger Director: receives and displays alarms and manages the sensors
• NetRanger Sensor: captures packets and matches them against signatures
• Communications between Sensor and Director
Data flow (figure): the sensor captures packets on a passive interface that has no IP address, so it cannot be addressed from the monitored segment, and reports to the Director over a separate network link that does have an IP address.
Event Actions: Response
• Session termination (TCP hijack): kill the current session. The sensor injects TCP resets into an active TCP session and terminates it; the attacker can still open a new session, so this is a per-connection response.
• Shunning: shun the attacker by reconfiguring filters on a router, i.e. modifying an ACL to block the attacker's address. This requires the Device Management option.
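The two responses above, as an added example in Python that is not NetRanger's own code: it builds the IP/TCP bytes of the two resets a sensor injects to kill an observed session, re-verifies their checksums, and renders the ACL change a shun would push to a router. The addresses, ports and sequence numbers are a constructed sample, and actually transmitting the packets (which needs a raw socket) is left out.

```python
"""Session termination (TCP reset injection) and shunning, modelled in pure
Python. Added example: it builds the packets a sensor would inject and the ACL
a shun would push; it does not send anything."""
import ipaddress
import struct

PROTO_TCP = 6
TCP_RST = 0x04


def _checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's complement of the 16-bit one's-complement sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src: bytes, dst: bytes, tcp_len: int) -> bytes:
    """Pseudo-header that the TCP checksum covers in addition to the segment."""
    return struct.pack("!4s4sBBH", src, dst, 0, PROTO_TCP, tcp_len)


def build_tcp_rst(src_ip: str, dst_ip: str, sport: int, dport: int, seq: int) -> bytes:
    """IPv4 header + TCP header (no options, no payload) with only RST set."""
    src = ipaddress.IPv4Address(src_ip).packed
    dst = ipaddress.IPv4Address(dst_ip).packed
    # ver/ihl, tos, total length, id, flags/frag, ttl, proto, checksum (0 for now), src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, PROTO_TCP, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", _checksum(ip_hdr)) + ip_hdr[12:]
    # sport, dport, seq, ack, data offset (5 words), flags, window, checksum, urgent
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq & 0xFFFFFFFF, 0, 5 << 4, TCP_RST, 0, 0, 0)
    csum = _checksum(_pseudo_header(src, dst, len(tcp_hdr)) + tcp_hdr)
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", csum) + tcp_hdr[18:]
    return ip_hdr + tcp_hdr


def terminate_session(seg: dict) -> tuple:
    """Given one captured a->b segment, return the two RSTs a sensor injects.

    The RST towards b must carry the sequence number b expects next, which is
    seq + payload_len of the segment a just sent; the RST towards a must carry
    a's own next sequence number, which is the ack value in that segment. A RST
    whose sequence number falls outside the receiver's window is ignored, so
    both values are taken straight from the observed segment."""
    to_b = build_tcp_rst(seg["src"], seg["dst"], seg["sport"], seg["dport"],
                         seg["seq"] + seg["payload_len"])
    to_a = build_tcp_rst(seg["dst"], seg["src"], seg["dport"], seg["sport"], seg["ack"])
    return to_b, to_a


def decode(pkt: bytes) -> dict:
    """Parse an IPv4+TCP packet and re-verify both checksums (a checksum over
    a header that already contains its checksum sums to zero when correct)."""
    ip_hdr, tcp_hdr = pkt[:20], pkt[20:40]
    src, dst = ip_hdr[12:16], ip_hdr[16:20]
    sport, dport, seq, ack, _off, flags = struct.unpack("!HHIIBB", tcp_hdr[:14])
    return {
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
        "ip_csum_ok": _checksum(ip_hdr) == 0,
        "tcp_csum_ok": ip_hdr[9] == PROTO_TCP
        and _checksum(_pseudo_header(src, dst, len(tcp_hdr)) + tcp_hdr) == 0,
    }


def shun_acl(attacker_ip: str, acl_number: int = 101) -> list:
    """IOS numbered extended ACL lines that block the attacker. The deny must
    sit ahead of the permits already on the list; the device-management code
    that rewrites the ACL is responsible for that ordering."""
    return [f"access-list {acl_number} deny ip host {attacker_ip} any",
            f"access-list {acl_number} permit ip any any"]


# Constructed sample: attacker (a) to telnet server (b), as captured by the sensor.
OBSERVED = {"src": "192.0.2.10", "dst": "198.51.100.5", "sport": 40000, "dport": 23,
            "seq": 1000, "ack": 5000, "payload_len": 12}

if __name__ == "__main__":
    to_server, to_client = terminate_session(OBSERVED)
    print(decode(to_server))
    print(decode(to_client))
    print("\n".join(shun_acl(OBSERVED["src"])))
```

The sequence-number rule in `terminate_session` is the part that matters in practice: a reset with a stale sequence number is silently discarded, which is why a sensor that only sees one direction of a session, or that sees it through a lossy SPAN port, may fail to kill it.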
Use with a Switch
• Feed the sensor's passive interface from a SPAN port that mirrors the VLAN (or ports) of interest.
• SPAN oversubscription, 100+100+100+100 = 100: four mirrored 100 Mb/s ports share one 100 Mb/s SPAN port, so under load the switch drops mirrored frames and the sensor never sees them.
• CAM table mix-up when the sensor sends TCP RSTs using the MAC addresses of the two ends of the session: the switch learns those source MACs on the sensor's port and can forward the real hosts' frames there until the entries are relearned.
Use around a Firewall (figure): one sensor passive interface on the outside of the firewall and one on the inside.
Event Actions: Alarm Notification
• Alarms are transmitted as soon as they are detected; this generally occurs within a second.
• The PostOffice protocol relies on a positive-acknowledgement scheme over UDP to make sure that a Director receives the alarm.
NetRanger Communications (figure)
• Reliability: the sensor waits for an acknowledgment of every alarm sent to the Director and resends an alarm that is not acknowledged.
• Redundancy: the sensor can send alarms to multiple Directors.
• Fault tolerance: the sensor supports multiple routes to a single destination; if the primary path is down, the sensor defaults to the secondary route.
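The reliability, redundancy and fault-tolerance behaviour above, as an added example in Python. It is not Cisco's PostOffice code: the wire format is not modelled, the Director names and the lossy routes are a constructed scenario, and the retry count is an assumed parameter. What it shows is how a sensor that needs a positive acknowledgment for every alarm handles a lost datagram, a lost acknowledgment and a dead primary route, and why the Director must treat a retransmitted alarm as a duplicate rather than a second event.

```python
"""Alarm delivery from a NetRanger-style sensor to its Directors, modelled on
the positive-acknowledgement-over-UDP scheme described above. Added example,
not Cisco's PostOffice implementation: the "network" is an in-memory
simulation of lost datagrams, lost acks and a down route."""
from dataclasses import dataclass, field


@dataclass
class Director:
    name: str
    received: list = field(default_factory=list)   # (alarm_id, alarm) logged, in order

    def deliver(self, alarm_id, alarm):
        # A retransmit of an alarm already logged is acknowledged but not logged twice.
        if alarm_id not in [a for a, _ in self.received]:
            self.received.append((alarm_id, alarm))
        return ("ack", alarm_id)


@dataclass
class Route:
    """One path from the sensor to a Director. The counters simulate failures:
    lose_datagrams: alarms silently dropped before the link starts working;
    lose_acks: alarms that reach the Director but whose ack is dropped."""
    director: Director
    up: bool = True
    lose_datagrams: int = 0
    lose_acks: int = 0

    def send(self, alarm_id, alarm):
        if not self.up:
            return None                      # primary path down: nothing ever answers
        if self.lose_datagrams:
            self.lose_datagrams -= 1
            return None                      # datagram lost in transit
        reply = self.director.deliver(alarm_id, alarm)
        if self.lose_acks:
            self.lose_acks -= 1
            return None                      # delivered, but the ack never came back
        return reply


class Sensor:
    def __init__(self, routes_by_director, max_retries=3):
        # {director name: [primary Route, secondary Route, ...]}; max_retries is assumed
        self.routes_by_director = routes_by_director
        self.max_retries = max_retries
        self.next_id = 1
        self.log = []

    def raise_alarm(self, alarm):
        """Send one alarm to every configured Director; return (id, per-Director outcome)."""
        alarm_id = self.next_id
        self.next_id += 1
        return alarm_id, {name: self._send_until_acked(name, routes, alarm_id, alarm)
                          for name, routes in self.routes_by_director.items()}

    def _send_until_acked(self, name, routes, alarm_id, alarm):
        # Retry on the primary route first; only after it exhausts its retries
        # does the sensor default to the secondary route.
        for route_index, route in enumerate(routes):
            for attempt in range(1, self.max_retries + 1):
                if route.send(alarm_id, alarm) == ("ack", alarm_id):
                    self.log.append(f"{name}: alarm {alarm_id} acked on route {route_index}, attempt {attempt}")
                    return ("acked", route_index, attempt)
            self.log.append(f"{name}: route {route_index} gave no ack for alarm {alarm_id}")
        return ("undelivered", None, None)


def demo():
    """Constructed scenario: tier-1 Director reachable only via its secondary
    route, tier-2 Director behind a link that loses the first two datagrams,
    tier-3 Director whose ack is lost once (so the sensor retransmits)."""
    tier1, tier2, tier3 = Director("tier1"), Director("tier2"), Director("tier3")
    sensor = Sensor({
        "tier1": [Route(tier1, up=False), Route(tier1)],
        "tier2": [Route(tier2, lose_datagrams=2)],
        "tier3": [Route(tier3, lose_acks=1)],
    })
    alarm_id, outcome = sensor.raise_alarm({"sig": "info-gathering", "src": "192.0.2.10"})
    counts = {d.name: len(d.received) for d in (tier1, tier2, tier3)}
    return alarm_id, outcome, counts


if __name__ == "__main__":
    print(demo())
```

Note the asymmetry the model makes visible: a lost datagram and a lost acknowledgment look identical to the sensor (no ack arrives), so it retransmits in both cases, and only the Director's duplicate check keeps the second case from producing two alarms.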
NetRanger Director Placement (figure: a Tier 1 Director above Tier 2 and Tier 3 Directors)
• Enterprise strategic management
• Regional operational management
• Local security management
NetRanger Sensor Placement (figure: a Network Node Manager view of the network with sensors at the Internet connection, the DMZ servers, the network access server, the business partner access link and the workgroup server cluster)
Visibility of the Firewall Security (figure: Internet, DMZ servers, business partner access)
• A sensor placed outside the firewall will detect and report attacks that the firewall may stop.
• A sensor placed inside the firewall will detect and report attacks that get past the firewall. One example is an attack started from a compromised WWW server on the DMZ.
Visibility of VPN Link Security
• A sensor placed at the access point to your VPN links will monitor the activities with your business partners.
Visibility of Dial-In Security (figure: network access server)
• A sensor placed at the access point to your remote access server will monitor the activities of your dial-in users.
Visibility of the Security of Critical Services
• Sensors placed at the access points to your critical business servers and subnets will monitor the security interactions between your users and the services provided by these devices.
• Sensors placed at the access points to your user networks will monitor the security of your users.
Scenario: you are setting up internal firewalls and you have been asked to verify that the firewalls meet the company policy.
Do You Need Active Audit?
• NetRanger
• NetSonar
• Cisco IOS Firewall with Intrusion Detection
NetSonar automates the process of identifying network security vulnerabilities through its comprehensive vulnerability scanning and network mapping capabilities.
“With Cisco’s NetSonar, Users Don’t Have to Be Security Experts to Have Security Expertise”
Network Vulnerability Assessment
NetSonar Components
NetSonar Process
• Identify live hosts
• Identify services on hosts
• Analyze potential vulnerabilities
• Confirm vulnerabilities on targeted hosts
NetSonar and NetRanger
• NetRanger will report the scans and probes used by NetSonar. Schedule scans and tell the people watching the Director before running them; on the wire the scanner's host and service discovery is indistinguishable from an attacker's information gathering.
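Why a scanner trips the sensor, as an added example in Python that is not NetRanger's signature engine: two generic information-gathering signatures, a port scan (one source probing many ports on one host) and a host sweep (one source probing one port on many hosts), evaluated over a sliding time window. The connection records are constructed and include a NetSonar-style scan, a normal user, and a scanner that spreads its probes beyond the window; the thresholds and window length are assumed values.

```python
"""Information-gathering signatures of the kind a sensor fires on a scanner,
evaluated over a sliding time window. Added example with constructed records;
not NetRanger's signature engine."""
from collections import defaultdict, deque


def detect_sweeps(records, port_threshold=5, host_threshold=5, window=10.0):
    """records: (timestamp_seconds, src_ip, dst_ip, dst_port), sorted by timestamp.
    Returns alarms as (signature, src_ip, target, distinct_count, timestamp).
    Each (signature, src, target) fires at most once per window so a noisy
    scanner does not flood the Director with one alarm per probe."""
    by_host = defaultdict(deque)   # (src, dst)   -> recent (ts, dport)
    by_port = defaultdict(deque)   # (src, dport) -> recent (ts, dst)
    fired = {}                     # (sig, src, target) -> ts of last alarm
    alarms = []

    def check(table, key, ts, value, threshold, sig, target):
        q = table[key]
        q.append((ts, value))
        while q and ts - q[0][0] > window:       # expire events outside the window
            q.popleft()
        distinct = {v for _, v in q}
        if len(distinct) >= threshold:
            last = fired.get((sig, key[0], target))
            if last is None or ts - last > window:
                fired[(sig, key[0], target)] = ts
                alarms.append((sig, key[0], target, len(distinct), ts))

    for ts, src, dst, dport in records:
        check(by_host, (src, dst), ts, dport, port_threshold, "port-scan", dst)
        check(by_port, (src, dport), ts, dst, host_threshold, "host-sweep", dport)
    return alarms


# Constructed records. 192.0.2.10 scans one host's ports, then one port across hosts
# (what a NetSonar run looks like from the wire); 10.0.0.7 is a normal user;
# 192.0.2.99 is a "low and slow" scanner whose probes are 30 s apart.
RECORDS = sorted(
    [(1.0 + i, "192.0.2.10", "198.51.100.5", p) for i, p in enumerate([21, 22, 23, 25, 80, 110])]
    + [(20.0 + i, "192.0.2.10", "198.51.100.%d" % h, 80) for i, h in enumerate(range(10, 16))]
    + [(2.0, "10.0.0.7", "198.51.100.5", 80), (2.5, "10.0.0.7", "198.51.100.5", 443),
       (3.0, "10.0.0.7", "198.51.100.6", 25)]
    + [(100.0 + 30.0 * i, "192.0.2.99", "198.51.100.5", p) for i, p in enumerate([21, 22, 23, 25, 80, 110])]
)

if __name__ == "__main__":
    for alarm in detect_sweeps(RECORDS):
        print(alarm)
```

The slow scanner is the caveat: with a 10 s window it never accumulates five distinct ports and raises nothing, while widening the window catches it at the price of more state per source. A sensor's window and threshold therefore decide both what it reports about your own NetSonar runs and what an outsider can slip under.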
Scan through a Firewall
• Target the scans at the firewall and at the hosts behind it.
• NAT considerations: the addresses reachable from outside may be translated, so the scanner's view of a host is the translated one.
• ACL considerations: the firewall's filters decide which probes reach the hosts, so a scan from outside measures what the firewall exposes rather than everything the hosts run.
Scan Subnets
• Target the scans at all interfaces of the routers and hosts.
• Time to scan grows with the number of addresses and services probed.
• ACL considerations: router access lists between the scanner and the targets can block probes and hide services.
Scenario: you installed a firewall to protect your network from threats from the Internet, only to find someone attacked your network through a dialup modem.
Do You Need Active Audit?
• NetRanger
• NetSonar
• Cisco IOS Firewall with Intrusion Detection
Cisco IOS Firewall with Intrusion Detection
• Cisco IOS Firewall Feature Set to enforce a security policy
• Cisco IOS Firewall signatures (figure: applications and IP) to detect the most common information-gathering scans and attacks
How to use it
Event Actions
• Alarm: console messages (syslog) and/or a PostOffice alarm sent to the Director, carrying the attack information.
• Drop: the packet is dropped.
• Reset: TCP RSTs are sent if it is a TCP session.
These are expected to be used together but can be individually configured.
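The alarm/drop/reset semantics above, as an added example in Python that is not Cisco IOS code: a small model that applies a configured action set to packets that matched a signature, showing that reset does nothing for a non-TCP session while drop still discards the packet, and that renders the matching `ip audit` policy lines. The signature ids, predicates, packets and policy name are constructed; only the command syntax follows the IOS Firewall IDS `ip audit` command family.

```python
"""Event actions of Cisco IOS Firewall intrusion detection (alarm, drop, reset)
applied to constructed packets. Added example, not Cisco code: it models the
semantics the slide states and renders the `ip audit` lines for a policy.
Signature ids 9001-9003, their predicates, the packets and the policy name are
made up; only the command syntax follows the IOS Firewall IDS `ip audit` family."""
VALID_ACTIONS = ("alarm", "drop", "reset")


def apply_actions(packet, actions):
    """Decide what happens to one packet that matched a signature."""
    actions = set(actions)
    bad = actions - set(VALID_ACTIONS)
    if bad:
        raise ValueError(f"unknown action(s): {sorted(bad)}")
    return {
        "alarm": "alarm" in actions,                  # syslog and/or PostOffice alarm
        "dropped": "drop" in actions,                 # packet discarded, any protocol
        "reset_sent": "reset" in actions and packet["proto"] == "tcp",  # RSTs need a TCP session
    }


def audit(packets, signatures, info_actions, attack_actions):
    """Run packets through a signature table {sig_id: (kind, predicate)},
    kind being 'info' or 'attack'. Returns (forwarded_packets, events)."""
    forwarded, events = [], []
    for pkt in packets:
        verdict = {"alarm": False, "dropped": False, "reset_sent": False}
        for sig_id, (kind, match) in signatures.items():
            if match(pkt):
                result = apply_actions(pkt, info_actions if kind == "info" else attack_actions)
                events.append((sig_id, pkt["src"], result))
                verdict = {k: verdict[k] or result[k] for k in verdict}
        if not verdict["dropped"]:
            forwarded.append(pkt)
    return forwarded, events


def render_ip_audit(name, info_actions, attack_actions, disabled=()):
    """IOS configuration lines for the policy: notify both syslog and the
    Director, disable any signatures listed, then the info/attack action sets."""
    lines = ["ip audit notify log", "ip audit notify nr-director"]
    lines += [f"ip audit signature {sig} disable" for sig in disabled]
    lines.append(f"ip audit name {name} info action " + " ".join(info_actions))
    lines.append(f"ip audit name {name} attack action " + " ".join(attack_actions))
    return lines


# Constructed traffic and three toy signatures standing in for the real ones.
PACKETS = [
    {"src": "192.0.2.10", "proto": "icmp", "type": 8, "size": 1500},                      # oversized ping
    {"src": "192.0.2.10", "proto": "tcp", "dport": 80, "payload": b"GET /../../etc/passwd"},  # attack, TCP
    {"src": "192.0.2.10", "proto": "udp", "dport": 53, "payload": b"\x00" * 600},          # attack, UDP
    {"src": "10.0.0.7",  "proto": "tcp", "dport": 80, "payload": b"GET /index.html"},      # benign
]
SIGNATURES = {
    9001: ("info",   lambda p: p["proto"] == "icmp" and p.get("size", 0) > 1024),
    9002: ("attack", lambda p: p["proto"] == "tcp" and b"/../" in p.get("payload", b"")),
    9003: ("attack", lambda p: p["proto"] == "udp" and len(p.get("payload", b"")) > 512),
}

if __name__ == "__main__":
    fwd, ev = audit(PACKETS, SIGNATURES, ["alarm"], ["alarm", "drop", "reset"])
    for e in ev:
        print(e)
    print("\n".join(render_ip_audit("IDS-POLICY", ["alarm"], ["alarm", "drop", "reset"], disabled=[9001])))
```

The UDP case is the one to notice: with the attack set configured as `alarm drop reset`, the UDP packet is alarmed and dropped but no reset goes out, because there is no session to reset; configuring `reset` alone on a UDP-only signature therefore changes nothing on the wire.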
Implementation (figure: access, distribution and core layers)
• Cisco IOS Firewall intrusion detection can be used to supplement an Intrusion Detection System.
Scenario: you just received an email from the security administrator of another company saying that they have tracked an information-gathering scan back to your firewall. They would like your help to prevent this from happening again.
Do You Need Active Audit?
(figure: “NO TRESPASSING!” signs)
Conclusions
Know where and how to deploy active audit technologies to maximize your security coverage with active audit.
The Security Wheel (figure): Corporate Security Policy at the hub; Secure, Monitor, Audit/Test, Manage and Improve.
Please Complete Your Evaluation Form
Session 1305