Intrusion Detection and Prevention System (IPS) Technology, - - PowerPoint PPT Presentation


SLIDE 1

2005/8/26 1/42

Intrusion Detection and Prevention System (IPS) – Technology, Applications, and Trend

• Dr. Nen-Fu (Fred) Huang
• Professor, Department of Computer Science, National Tsing Hua University, Taiwan
• President, Broadweb Corp, Taiwan
• E-mail: nfhuang@broadweb.com, nfhuang@cs.nthu.edu.tw

SLIDE 2

Outline

• Network Security Introduction
• Attack Categories
• Emerging IM/P2P Threats
• IPS Technology and Product Trends
• Conclusion and Discussion

SLIDE 3

Attacking Tools

SLIDE 4

Attacking Tools

• DDoSPing
• UDP Flooder
• Pinger

SLIDE 5

Attacking Tools: N-Stealth Scanner

SLIDE 6

Attack Categories

• Denial of Service (DoS), Distributed Denial of Service (DDoS)
• Network Invasion
• Network Scanning
• Network Sniffing
• Trojan Horse and Backdoors
• Worm

SLIDE 7

(1) DoS/DDoS

• Prevents another user from using a network connection, or disables a server or its services: e.g. “Smurf” and “Fraggle” attacks, “Land”, “Teardrop”, “NewTear”, “Bonk”, “Boink”, SYN flooding, “Ping of death”, IGMP Nuke, buffer overflow.
• Caused by a protocol fault or a program fault. It damages “Availability”.

SLIDE 8

DoS Example: Smurf attack

• Uses ICMP echo/reply (smurf) or UDP echo (fraggle) packets with broadcast networks to multiply traffic
• Requires the ability to send spoofed packets

[Diagram: Perpetrator → Internet → ICMP echo (spoofed source address of victim) sent to IP broadcast address → ICMP echo replies → Victim]
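Added example (not part of the slides): detection logic for the smurf/fraggle pattern this slide describes, run over a constructed set of packet records. It raises three indicators: echo requests aimed at the protected subnet's directed-broadcast address (the subnet being abused as an amplifier), packets arriving from the Internet that carry a local source address (the spoofing the attack depends on), and echo replies converging on one host from many different sources (the victim side). The subnet, the addresses, the record format and the threshold are assumptions of the example, not values from the presentation.

```python
import ipaddress
from collections import defaultdict

# Constructed: the protected subnet (an RFC 5737 documentation range).
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed packet records: (direction, src, dst, proto, kind).
# direction "in" = arriving from the Internet, "out" = leaving the local network.
SAMPLE_PACKETS = [
    ("in", "198.51.100.7", "192.0.2.255", "icmp", "echo-request"),  # echo request to our directed broadcast
    ("in", "192.0.2.9", "192.0.2.255", "icmp", "echo-request"),     # claims a local source but arrived from outside
    ("in", "198.51.100.7", "192.0.2.255", "udp", "echo"),           # UDP echo to broadcast (fraggle variant)
    ("in", "203.0.113.5", "192.0.2.10", "icmp", "echo-request"),    # ordinary ping to one host
    ("out", "192.0.2.10", "203.0.113.5", "icmp", "echo-reply"),     # its reply
] + [
    # 30 echo replies from 30 different hosts to one local host that never pinged them
    ("in", f"198.51.100.{i}", "192.0.2.20", "icmp", "echo-reply") for i in range(1, 31)
]


def is_local_broadcast(addr):
    """True if addr is the directed-broadcast address of a protected subnet."""
    ip = ipaddress.ip_address(addr)
    return any(ip == net.broadcast_address for net in LOCAL_NETS)


def is_local(addr):
    """True if addr belongs to a protected subnet."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def analyze(packets, reply_source_threshold=20):
    """Return one alert dict per indicator fired by the packet records."""
    alerts = []
    reply_sources = defaultdict(set)  # victim -> set of hosts that sent it echo replies
    for direction, src, dst, proto, kind in packets:
        is_echo_request = (proto == "icmp" and kind == "echo-request") or (proto == "udp" and kind == "echo")
        # 1. Someone is using our subnet as an amplifier.
        if is_echo_request and is_local_broadcast(dst):
            alerts.append({"rule": "amplifier-abuse", "src": src, "dst": dst, "proto": proto})
        # 2. Ingress filtering (BCP 38): a packet from the Internet cannot legitimately carry a local source.
        if direction == "in" and is_local(src):
            alerts.append({"rule": "spoofed-source", "src": src, "dst": dst, "proto": proto})
        # 3. Victim side: echo replies converging on one host from many sources.
        if direction == "in" and proto == "icmp" and kind == "echo-reply":
            reply_sources[dst].add(src)
    for victim, sources in reply_sources.items():
        if len(sources) >= reply_source_threshold:
            alerts.append({"rule": "reply-flood", "dst": victim, "sources": len(sources)})
    return alerts


def alert_counts(packets=SAMPLE_PACKETS):
    """Number of alerts per rule, as a summary of analyze()."""
    counts = defaultdict(int)
    for alert in analyze(packets):
        counts[alert["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_PACKETS):
        print(alert)
    print(alert_counts())
```

The two upstream controls the indicators point at are the usual ones: the border router should not forward directed broadcasts, and ingress filtering should drop any packet from the outside whose source address is inside.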

SLIDE 9

(2) Network Invasion

• Goal is to get into the target system and obtain information
  • Account usernames, passwords
  • Source code, business-critical information
• Usually caused by improper configurations or privilege settings, or a program fault.

SLIDE 10

Example of network invasion: IIS unicode buffer overflow

For IIS 5.0 on Windows 2000 without this security patch, a simple URL string:

http://address.of.iis5.system/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\

will show the listing of the root directory.

SLIDE 11

(3) Network Scanning

• Goal is to map the victim’s network:
  • The names and addresses of hosts and network devices.
  • The opened services.
• Usually uses techniques such as ICMP scanning, X’mas scan, SYN-FIN scan, SNMP scan.
• There are powerful tools: Nmap and Nessus.

SLIDE 12

(4) Sniffing

• Goal is to obtain the content of communication
  • Account usernames, passwords, mail accounts
  • Network topology
• Hosts running the sniffer program (e.g. NetBus) are often compromised using host attack methods.

SLIDE 13

(5) Backdoor and Trojan horse

• Usually, the backdoor and Trojan horse are the consequences of an invasion or of hostile programs.
• It may open a private communication channel and wait for remote commands.
• Available toolkits: Subseven, BirdSpy, Dragger
• It can be detected by monitoring known control channel activities, but not with 100% precision.

SLIDE 14

(6) Worm

• The chief intention of a worm is to propagate and survive.
• It takes advantage of system vulnerabilities to infect a host and then tries to infect any possible targets.
• It may reduce system productivity, leave back doors, steal confidential information and so on.

SLIDE 15

Emerging P2P/IM Threats

• P2P (Peer-to-Peer)
• IM (Instant Messenger)
• Spyware
• Adware
• Tunneling

SLIDE 16

P2P: a new paradigm

SLIDE 17

Why P2P?

• Bottleneck of Server
• Powerful PC
• Flexible, efficient information sharing
• P2P changes the way of the Web (Internet)

SLIDE 18

General Issues of P2P

• How to find resources?
• How to know on-line peers?
• How to route requests?
• How to download resources?
• Flooding messages and a huge number of connections to be established concurrently

SLIDE 19

Famous P2P Examples

• BitTorrent
• eZpeer
• Kuro
• eDonkey
• eMule
• MLdonkey
• Gnutella
• Kazaa/Morpheus
• Shareaza
• Direct-connect
• Gnutella
• Soulseek
• Opennap
• Worklink
• Opennext
• Jelawat
• PP點點通
• SoftEther
• iMESH
• MIB
• WinMix
• WinMule
• Skype

SLIDE 20

Instant Messenger (IM)

• MSN
• Yahoo Messenger
• ICQ
• YamQQ
• AIM (AOL IM)
• Google Talk (new)

SLIDE 21

Network Security Technology Trend

• Layer-7 Content Inspection Technology
• IPS (Layer-7)
• Application Firewall (Layer-7)
• UTM/SCM
• SOHO IPS Routers

SLIDE 22

Layer-7 Content Inspection Technology

• Packet Normalizer
• Pattern Matching Algorithms
  • Software Based
  • Hardware Based
• Policy Engine

SLIDE 23

A Generic Layer-7 Engine

• Packet Normalizer
  • Makes sure of the integrity of incoming packets
  • Eliminates the ambiguity
  • Decodes URI strings if necessary
• Pattern-Matching Engine
  • Where the pattern-matching operation is executed.
• Policy Engine
  • Gathers information from the pattern-matching engine and issues the verdict to allow/drop the packets
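Added example (not code from the presentation): a packet-normalizer stage for request URIs, showing why the engine decodes and canonicalizes before any pattern is matched. It percent-decodes, then applies the lenient two-byte UTF-8 decoding that turns the `%c1%1c` of the slide-10 URL into a backslash, unifies separators, resolves `..` segments, and reports whether the path climbs above the web root; the signatures are then matched against the canonical path rather than the raw bytes. The sample URIs (the slide-10 URL with its placeholder host, a percent-encoded variant and a benign request), the signature list and the function names are assumptions of the example.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample request URIs. The first is the URL quoted on slide 10
# (its host name is the slide's placeholder, not a real system); the second is
# the same path with the dots percent-encoded; the third is a benign request.
SAMPLE_URIS = {
    "slide":   "http://address.of.iis5.system/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\\",
    "percent": "/scripts/%2e%2e/%2e%2e/winnt/system32/cmd.exe?/c+dir",
    "benign":  "/scripts/report.asp?id=42",
}

# Hypothetical content signatures in the spirit of a Snort 'content' option.
SIGNATURES = {"../": "directory traversal", "cmd.exe": "command interpreter access"}


def lenient_utf8_decode(data: bytes) -> str:
    """Turn percent-decoded bytes into text the way a lenient server decoder does.

    A two-byte UTF-8 lead (0xC0-0xDF) is combined with the low six bits of the
    following byte without checking that it is a valid continuation byte; that
    is the ambiguity that lets %c1%1c stand for the backslash (0x5C) on slide 10.
    """
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data):
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))  # ASCII (and stray high bytes) pass through one-to-one
            i += 1
    return "".join(out)


def request_path(uri: str) -> str:
    """Strip scheme, host and query string, leaving the raw (still encoded) path."""
    if "://" in uri:
        rest = uri.split("://", 1)[1]
        uri = rest[rest.find("/"):] if "/" in rest else "/"
    return uri.split("?", 1)[0]


def normalize_path(raw_path: str):
    """Return (canonical path, escaped_root): decode, unify separators, resolve '.' and '..'."""
    decoded = lenient_utf8_decode(unquote_to_bytes(raw_path)).replace("\\", "/")
    stack, escaped_root = [], False
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            else:
                escaped_root = True  # more '..' than directories: the path points above the web root
            continue
        stack.append(seg)
    return "/" + "/".join(stack), escaped_root


def inspect_uri(uri: str) -> dict:
    """Match the signatures against both the raw and the canonical path and report traversal."""
    raw = request_path(uri)
    canonical, escaped_root = normalize_path(raw)
    return {
        "canonical": canonical,
        "escapes_root": escaped_root,
        "raw_hits": [name for pat, name in SIGNATURES.items() if pat in raw],
        "canonical_hits": [name for pat, name in SIGNATURES.items() if pat in canonical],
    }


if __name__ == "__main__":
    for label, uri in SAMPLE_URIS.items():
        print(label, inspect_uri(uri))
```

Both encoded variants canonicalize to the same path and both set `escapes_root`, while a raw `../` content match fires on one of them only; traversal is therefore better decided structurally by the normalizer than by a substring rule, and the signature set only has to describe the canonical form.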

SLIDE 24

Pattern Matching is Expensive!

• ~30 instructions/byte → 45K instructions per 1500-byte packet
• vs. ~50 instructions per 1500-byte packet

Source: Intel Corp.

SLIDE 25

Pattern-Matching Engine

• The most computation-intensive task in packet processing. Normally the pattern-matching engine needs to process every single byte of the packet payload, while layer-4 operations deal with the packet header only.
• In Snort, the pattern matching routine accounts for 31% of the total execution time.

SLIDE 26

Policy Engine

• Collects the matching events from the Pattern-Matching Engine.
• Clarifies the relationship between matched patterns:
  • Ordered: A policy may consist of more than one pattern, and they should be matched in order.
  • Offset, Depth: The matched position should be within a certain range or location.
  • Distance, Within: The distance between two matched patterns should also be taken into consideration.
• Traces Application States
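Added example (not from the presentation): a policy evaluator for the relationships this slide lists, using the Snort-style meaning of the modifiers: `offset`/`depth` bound a content relative to the start of the payload, `distance`/`within` bound it relative to the end of the previous match, and contents are evaluated in the order written. A set-based check that ignores order is included for contrast. The three request lines and the three-content policy are constructed for the example; the modifier semantics are the documented Snort ones, the function names are assumptions.

```python
# Constructed sample payloads (HTTP request lines; the first reuses the slide-10 URL path).
PAYLOAD_ATTACK = b"GET /scripts/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n"
PAYLOAD_REORDERED = b"GET /c+dir/scripts/cmd.exe HTTP/1.0\r\n"   # same tokens, wrong order
PAYLOAD_TOO_FAR = b"GET /scripts/cmd.exe?x=" + b"A" * 20 + b"&/c+dir HTTP/1.0\r\n"

# Hypothetical policy written with Snort-style modifiers: offset/depth are absolute
# (from the start of the payload); distance/within are relative to the end of the
# previous match. Contents are evaluated in the order listed.
SAMPLE_POLICY = [
    {"pattern": b"GET", "offset": 0, "depth": 3},
    {"pattern": b"cmd.exe", "distance": 0, "within": 60},
    {"pattern": b"/c+dir", "distance": 0, "within": 10},
]


def evaluate_policy(payload: bytes, contents):
    """Return the match offset of each content in order, or None if any constraint fails."""
    cursor = 0            # position just after the previous match
    offsets = []
    for c in contents:
        pat = c["pattern"]
        if "distance" in c or "within" in c:
            start = cursor + c.get("distance", 0)
            end = start + c["within"] if "within" in c else len(payload)
        else:
            start = c.get("offset", 0)
            end = start + c["depth"] if "depth" in c else len(payload)
        # bytes.find(sub, start, end) only reports a match lying entirely inside [start, end),
        # so 'depth' and 'within' bound where the pattern must end, as the modifiers intend.
        idx = payload.find(pat, start, end)
        if idx < 0:
            return None
        offsets.append(idx)
        cursor = idx + len(pat)
    return offsets


def unordered_match(payload: bytes, contents):
    """What a set-based matcher would report: every pattern present somewhere, order ignored."""
    return all(c["pattern"] in payload for c in contents)


if __name__ == "__main__":
    for name, p in [("attack", PAYLOAD_ATTACK), ("reordered", PAYLOAD_REORDERED), ("too-far", PAYLOAD_TOO_FAR)]:
        print(name, "ordered:", evaluate_policy(p, SAMPLE_POLICY), "unordered:", unordered_match(p, SAMPLE_POLICY))
```

The two non-matching payloads contain every pattern of the policy, so the set-based check fires on all three; only the ordered evaluation with positional constraints separates the request that actually has the shape the policy describes from the ones that merely share its tokens, which is where the false-positive rate of a pure pattern matcher is won back.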

SLIDE 27

Policy Engine (cont.)

• Some applications are difficult to identify by using only one signature (e.g. P2P).
• The Policy Engine needs to track the connection state, as in the following diagram:

[State diagram: S0 → S1 → S2 → S3, with the transitions labelled Request File, Msg Exchange and Data Exchange]
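Added example (not from the presentation): a per-flow state tracker for the S0-S3 diagram on this slide. Each flow starts in S0; a classified message advances the state only along the transition the diagram allows, and the application is reported only once S3 is reached. The message markers are hypothetical stand-ins for real per-message signatures and describe no actual protocol; the flows and payloads are constructed, and the transition order Request File → Msg Exchange → Data Exchange is the reading of the diagram assumed here.

```python
# Hypothetical message markers standing in for the per-message signatures of a P2P
# protocol (constructed for this example; they do not describe any real protocol).
EVENT_MARKERS = {b"REQ ": "request_file", b"MSG ": "msg_exchange", b"DATA": "data_exchange"}

# The slide's state machine: S0 -Request File-> S1 -Msg Exchange-> S2 -Data Exchange-> S3.
TRANSITIONS = {
    ("S0", "request_file"): "S1",
    ("S1", "msg_exchange"): "S2",
    ("S2", "data_exchange"): "S3",
}
IDENTIFIED = "S3"


class FlowStateTracker:
    """Keeps one state per flow and only reports the application once the whole sequence was seen."""

    def __init__(self):
        self.states = {}

    @staticmethod
    def classify(payload: bytes):
        """Map a payload to one of the diagram's events, or None if no marker matches."""
        for marker, event in EVENT_MARKERS.items():
            if payload.startswith(marker):
                return event
        return None

    def observe(self, flow, payload: bytes) -> str:
        state = self.states.get(flow, "S0")
        event = self.classify(payload)
        # An event that does not fit the current state leaves the state unchanged.
        state = TRANSITIONS.get((state, event), state)
        self.states[flow] = state
        return state

    def identified(self, flow) -> bool:
        return self.states.get(flow) == IDENTIFIED


# Constructed flows: (client, client port, server, server port) -> payload sequence.
SAMPLE_FLOWS = {
    ("192.0.2.10", 51000, "198.51.100.7", 40000): [b"REQ movie.bin", b"MSG have 12", b"DATA" + b"\x00" * 16],
    ("192.0.2.11", 51001, "198.51.100.8", 40000): [b"DATA" + b"\x00" * 16, b"DATA" + b"\x00" * 16],
    ("192.0.2.12", 51002, "198.51.100.9", 40000): [b"REQ movie.bin", b"DATA" + b"\x00" * 16],
}


def run_sample(flows=SAMPLE_FLOWS):
    """Replay every flow's payloads and return its final state."""
    tracker = FlowStateTracker()
    for flow, payloads in flows.items():
        for payload in payloads:
            tracker.observe(flow, payload)
    return {flow: tracker.states[flow] for flow in flows}


def single_signature_hits(flows=SAMPLE_FLOWS, marker=b"DATA"):
    """Flows that a one-signature rule on the DATA marker would flag, for comparison."""
    return [flow for flow, payloads in flows.items() if any(p.startswith(marker) for p in payloads)]


if __name__ == "__main__":
    for flow, state in run_sample().items():
        print(flow, state)
```

Only the first flow completes the sequence and is identified; the second shows the data marker without the preceding exchange and stays in S0, and the third skips a step and stays in S1. A single signature on the data marker would have flagged all three, which is the over-matching the slide says state tracking is there to remove.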

SLIDE 28

Intrusion Detection and Prevention System (IPS)

SLIDE 29

SLIDE 30

NK-3000 Features

• Intrusion Detection & Prevention System (IPS)
• Anti-Intrusion
• Anti-Worm
• Anti-P2P
• Anti-IM (Instant Messenger)
• Anti-Porn
• Anti-Webpost

SLIDE 31

NK-3000 Features

• Signature-based and Anomaly-based detection technology (1800+ signatures)
  • DoS/DDoS attacks
  • Mydoom, NetSky, MS-Blaster, SQL Slammer, So-Big, Code Red
• In-Line Mode / IDS Mode / Sniffer Mode
• Hardware/Software Bypass (Fail Open)
• Java-based Broadweb Extensible Management System (BEMS)
• Automatic Signature Updates via Internet

SLIDE 32

BSST - BroadWeb Security Service Team

• Team of Security Experts (CISSP)
• Provide Security Service Consulting to Customers
• Signature Collection and Verification
  • Issued 1800+ Signatures, including top virus patterns
• Security Technical Training
• Issue Security Notes periodically
• Issue certifications of Broadweb Certificated Security Engineer (BCSE) for NK products

http://bsst.broadweb.com.tw

SLIDE 33

Application Firewalls

SLIDE 34

Application Firewalls

• Layer 7 Packet Deep Inspection Technology for better processing of:
  • NAT/ACL/VPN
  • IDP
  • Worms (SQL Slammer, Blaster, NetSky, Sasser, etc.)
  • Spam
  • IM (MSN, ICQ, QQ, etc.)
  • P2P (e-Donkey, eMule, Bit-torrent, etc.)
  • Webpost
  • Porn
  • Spyware/Adware
  • Others

SLIDE 35

Unified Threat Management (UTM) and Security Content Management (SCM)

SLIDE 36

UTM and SCM

• Unified Threat Management (UTM)
  • Firewall
  • Intrusion Detection and Prevention (IPS)
  • Anti-Virus
• Secure Content Management (SCM)
  • Anti-Virus
  • Web Filtering
  • Messaging Security (P2P/IM)

SLIDE 37

UTM Appliance Revenue

SLIDE 38

SOHO IPS Routers

SLIDE 39

Security SoC-based SOHO IPS Routers

• Security Processor (SoC)
  • ARM922 RISC CPU
  • Hardware NAT (Layer-4)
  • Hardware Content Inspection Engine (Layer-7)
  • Two 10/100/1000 RJ-45 Ports
• Embedded Linux
• For the SOHO IPS Routers market

SLIDE 40

Conclusions

• Multiple pattern matching is the key technology for layer 7 content inspection
  • More complex relationships between matched patterns.
• Software issues
  • Multiple pattern matching algorithms
  • Protocol behavior analysis
  • Signature database
• Hardware platform issues
  • Network Processor
  • Pentium + Content Inspection Co-processor
  • Security SoC
• IPS will be introduced into the SOHO market soon
  • IPS SOHO routers

SLIDE 41

Broadweb Introduction

• Leading network security technology and experience (NSS Approved Award).
• Leading security (signature DB) service
  • Broadweb Security Service Team (BSST)
• Leading IPS products
  • No.1 market share in Taiwan
• Leading Security SoC ASIC
• Attractive Roadmap
  • NK6000 (Multiple Virtual IPS)
  • Intelligent Centralized IPS Management System
  • Unified Threat Management (UTM) Appliance
  • Security Content Management (SCM) Appliance
• Worldwide Channels