
Deployment Of An IPS & CS-MARS At INRIA


Deployment of an IPS & CS-MARS at INRIA
CCS-1027, Cisco Networkers 2009
Didier Benza, 28th January 2009
© 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

Housekeeping
• We value your feedback: don't forget to complete your online session evaluations after each session and the Overall Conference Evaluation, which will be available online from Thursday.
• Visit the World of Solutions.
• Please remember this is a 'non-smoking' venue!
• Please switch off your mobile phones.
• Please make use of the recycling bins provided.
• Please remember to wear your badge at all times, including the Party.

Content
• Presentation of INRIA
• Problem Statement
• Realized Solution (IPS)
• CS-MARS

Presentation of INRIA

INRIA stands for National Institute for Research in Computer Science and Control (Institut National de Recherche en Informatique et en Automatique).
Main sites in France: Lille Nord Europe, Nancy Grand Est, Paris Rocquencourt, Rennes Bretagne Atlantique, Saclay Île-de-France, Grenoble Rhône-Alpes, Bordeaux Sud-Ouest, Sophia Antipolis Méditerranée.
Key figures:
• 151 research teams
• 2800 scientists
• 290 expert engineers
• 560 engineers, technical and administrative staff

This project concerns the Research Centre of Sophia-Antipolis Mediterranean (CRISAM).
Key figures:
• Created in 1983
• ~500 people, including:
  – 161 scientists
  – 181 PhD students and post-doctoral students
  – 141 engineers, technicians and administrative people
• 220 recruitments in 2007
• 44 nationalities
• One hundred international conferences in years (5000 people with guest Internet access)
I am working in the IT team.

Problem statement

Paradigm shift
• People become more and more mobile and connected.
• They don't need to have a desktop and a laptop; the latter is becoming more and more powerful.
• Scientists want to travel with their laptop!
• The frequency of connections to other networks has grown by several orders of magnitude.
• Is a laptop coming back from a trip dangerous?
• We often have more than one hundred visitors in our buildings at the same time with guest Internet access.
• What is really inside and outside? What should we trust?

Original context
• We have a very high turnover, so it is not very easy to rely on training of users.
• Our users are scientists; limitations on their behaviour are not well accepted.
• It's quite impossible to translate application needs into a list of ports...
• We needed a better way than a firewall to improve our security! But... we really needed to improve the security.
• Less pressure on the teams that manage public servers (for updates).
• We don't trust our clients anymore.

Points to improve (IPS)
• High CPU usage, which impacts latency.
• On the road of virtualization... but there is still some way to go:
  – There are still common objects; this is to preserve performance.
  – Most of the stability problems are linked to common objects.
  – Now the virtualization should go one step further.

CS-MARS

Objectives
Cisco and Telindus proposed CS-MARS in order to meet some of our specifications:
• Event correlation from IPS, servers and network equipment
• Reports
• Graphical view of attacks
In our specifications, we asked for a one-day training for CS-MARS. It is very important to have such a training.
• You have to be careful with the trainer.
• It takes some time to be really familiar with the internals of CS-MARS.

Use of CS-MARS
For some time, our only usage of CS-MARS was to give us a better view of the IPS events and alarms.
• Without such a platform it would have been very difficult to really understand the IPS activity.
• We used it a lot in order to detect false positives.
• We are using CS-MARS for a lot of reports on the IPS activity.
In a second phase, we started to use CS-MARS with other devices:
• Layer switches
• Routers
• Web servers (Apache)
• Linux servers (syslog)
• We wrote a parser for the logs of an anonymous FTP server.

Our "best practices"
• In the event action rules of the IPS we always use event variables:
  – It makes the rules more readable and more compact.
  – In CS-MARS the raw event coming from the IPS contains the event variable name as the locality field, so you can build custom rules based on these names.
• We spent a lot of time on tuning, so we systematically create a case for every Red incident (High), and we investigate.
• We periodically look at the Yellow incidents (Medium):
  – based on daily reports only, for further investigation if necessary;
  – DoS, Probe, Penetrate, Persist event types.
• We never look at Green incidents...
[Picture]

Points to improve on IPS/CS-MARS
CS-MARS ↔ IPS:
• CS-MARS does not know anything of the virtualization: virtual sensors on the same box are seen as one sensor (2 reporting addresses?).
• Global Summary or Regular Summary events from the IPS do not carry the action value, so CS-MARS does not see in a HIGH severity alert whether packets were dropped (no false positive detection).
• A customized signature on the IPS cannot be created on CS-MARS, so the event appears as an Unknown Event Type in CS-MARS (solved: documented in a special documentation... It did not work yet, a case is opened).
• Impossible to customize the parser for a platform type which is already known (solved in 6.x).
More general (CS-MARS):
• Fields for Drop Rules are limited: at least keyword, preferably regular expressions.
• The colour of an incident is fully determined by the severity of the most severe correlated event; there is no way for a rule to modify this dynamically.
• Impossible to import/export parser rules (solved in 6.x).
• It would be so cool to be able to do some pattern matching with regular expressions in queries on user rules! It is impossible to match "not something" (apply an operator on the first string); you have to match something that is not another thing.
• Improve the display in Firefox (Windows/Linux):
  – The buttons that appear just on the scrollbar are annoying.
  – The summary page with Hotspot graph and attack diagrams with ActiveX... is it really necessary? (solved)

Conclusion
If you talk about problems in a presentation, there is a danger that people only remember that...
Even if there are points to improve, we are satisfied by the couple formed by Cisco's IPS and CS-MARS.
I would like to focus on some points:
• Virtualization for sensors is a good point; it helps you consolidate your investment in the hardware.
• VLAN pairing helps you with your deployment: it is not only a firewall technology, it is a next step on the way to virtualization.
• We had direct access and direct communication with Cisco's developers.

Recommended Reading
Source: Cisco Press

Meet The Expert
To make the most of your time at Cisco Networkers 2009, schedule a Face-to-Face Meeting with a top Cisco Expert. Designed to provide a "big picture" perspective as well as "in-depth" technology discussions, these face-to-face meetings will provide fascinating dialogue and a wealth of valuable insights and ideas. Visit the Meeting Centre reception desk located in the Meeting Centre in World of Solutions.

Annex

Example of raw event from the IPS:

    evIdsAlert: eventId="1210560971153453387" severity="medium" vendor="Cisco"
      originator:
        hostId: explorer
        appName: sensorApp
        appInstanceId: 6329
      time: Nov 14 2008 09:09:55 CET (1226650195467797000) offset="60" timeZone="GMT+01:00"
      signature: created="20050516" type="other" version="S167" description="Nachi Worm ICMP Echo Request" id="2158"
        subsigId:
        sigDetails: Nachi ICMP
        marsCategory: Propagate/Worm
      interfaceGroup: vs0
      vlan: 100
      participants:
        attacker:
          addr: 72.158.223.99 locality="OUT"
        target:
          addr: 138.96.0.39 locality="WWW_SOP"
          os: idSource="configured" relevance="not-relevant" type="linux"
      actions:
        droppedPacket: true
      triggerPacket: [View Decode]
      riskRatingValue: 60 attackRelevanceRating="not-relevant" targetValueRating="medium"
      threatRatingValue: 25
      interface: ge4_3
      protocol: icmp

Incidents on a week
[Picture]
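As an added example (not part of the presentation), a small Python parser for the flattened evIdsAlert layout shown in the annex, with the triage policy from the "best practices" slide applied on top (every High event gets a case, Medium events of the DoS/Probe/Penetrate/Persist types go to the daily report). It also handles the caveat from the "points to improve" slide that summary events carry no action value, so the dropped/not-dropped state is reported as unknown instead of being guessed. The second sample event, the decision labels and the `summary:` field of that sample are constructed assumptions.

```python
import re

# Constructed sample: the annex event, flattened to one line (time field omitted).
ANNEX_EVENT = (
    'evIdsAlert: eventId="1210560971153453387" severity="medium" vendor="Cisco" '
    'originator: hostId: explorer appName: sensorApp appInstanceId: 6329 '
    'signature: created="20050516" type="other" version="S167" '
    'description="Nachi Worm ICMP Echo Request" id="2158" marsCategory: Propagate/Worm '
    'interfaceGroup: vs0 vlan: 100 participants: attacker: addr: 72.158.223.99 '
    'locality="OUT" target: addr: 138.96.0.39 locality="WWW_SOP" '
    'os: idSource="configured" relevance="not-relevant" type="linux" '
    'actions: droppedPacket: true riskRatingValue: 60 interface: ge4_3 protocol: icmp'
)
# Constructed sample of a High summary event: no "actions:" section, as the slide notes.
SUMMARY_EVENT = (
    'evIdsAlert: eventId="CONSTRUCTED-0002" severity="high" vendor="Cisco" '
    'signature: description="constructed probe signature" id="0" marsCategory: Probe/Sweep '
    'participants: attacker: addr: 198.51.100.7 locality="OUT" '
    'target: addr: 192.0.2.10 locality="WWW_SOP" summary: 12 riskRatingValue: 90'
)

# Three token kinds: attr="value", key:, or a bare value belonging to the last key.
TOKEN = re.compile(r'(\w+)="([^"]*)"|(\w+):(?=\s|$)|(\S+)')
REVIEWED_CATEGORIES = ("DoS", "Probe", "Penetrate", "Persist")  # Yellow incidents reviewed


def parse_event(raw):
    """Flatten an evIdsAlert line into a dict; attacker/target fields are prefixed
    (attacker.addr, target.locality, target.type) so they do not collide."""
    fields, scope, pending = {}, "", None
    for attr, val, key, bare in TOKEN.findall(raw):
        if attr:
            fields[scope + attr] = val
        elif key:
            if key in ("attacker", "target"):
                scope = key + "."          # participant scope begins
            elif key == "actions":
                scope = ""                 # participants section ends (annex layout)
            pending = key
        elif pending:                      # bare value for the last "key:"
            fields[scope + pending] = bare
            pending = None
    return fields


def triage(raw):
    """Apply the slide's policy; action is 'unknown' when the event carries none."""
    f = parse_event(raw)
    severity = f.get("severity", "").lower()
    dropped = f.get("droppedPacket")
    action = "unknown" if dropped is None else ("dropped" if dropped == "true" else "not dropped")
    category = f.get("marsCategory", "").split("/")[0]
    if severity == "high":
        decision = "open-case"
    elif severity == "medium" and category in REVIEWED_CATEGORIES:
        decision = "daily-report"
    else:
        decision = "no-review"
    return {"eventId": f.get("eventId"), "signature": f.get("description"),
            "attacker": f.get("attacker.addr"), "target": f.get("target.addr"),
            "severity": severity, "action": action, "decision": decision}
```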

Posted: 12/10/2016, 13:19
