Intrusion Detection and Scanning with Active Audit
Session 1305
1305 0893_04F9_c3 © 1999, Cisco Systems, Inc
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0893_04F9_c3.scr

The Security Wheel
• Corporate Security Policy at the center of the wheel
• Secure
• Monitor: Real-Time Intrusion Detection
• Audit/Test: Proactive Network Vulnerability Assessment
• Manage and Improve

Maximize Your Security Coverage with Active Audit
• Know Where to Deploy Active Audit Technologies
• Know How to Deploy Active Audit Technologies

Agenda
• NetRanger
• NetSonar
• Cisco IOS Firewall with Intrusion Detection
For each technology: How to Use It, and Where to Place It

Do You Need Active Audit? (Options: NetRanger, NetSonar, Cisco IOS Firewall with Intrusion Detection)
Your Servers Are Occasionally Crashing but There Is No Internal Reason to Account for It. Could It Be that Someone within Your Network Is Launching Attacks against Them?
Intrusion Detection
NetRanger Detects and Reports Suspicious and Unauthorized Activities that Can Be Matched to an Attack or Information Gathering Signature.
"Cisco's NetRanger Creates Security Visibility into the Network"

Network Security Database
(figure)

NetRanger Components
• NetRanger Director
• NetRanger Sensor
• Communications

NetRanger Packet Capture
• Network link to the Director: this interface has an IP address
• Passive interface monitoring the network: no IP address
• Data capture and data flow (figure)

Event Actions: Response (Session Termination and Shunning)
• Session Termination: the sensor performs a TCP hijack to kill the current session; this terminates an active TCP session with the attacker
• Shunning: the sensor reconfigures filters (modifies an ACL) to shun the attacker; this requires the Device Management option

Use with a Switch
• CAM table mix-up when the sensor sends TCP RSTs using the MAC addresses of the two ends of the session
• SPAN, VLAN, passive interface
• 100+100+100+100 = 100 (a SPAN port cannot carry more than its own link rate, so mirroring several busy ports into one oversubscribes it)

Use around a Firewall
• Passive interface on each side of the firewall (figure)

Event Actions: Alarm Notification
• Alarms are transmitted as soon as they are detected. This generally occurs within a second.
• The PostOffice protocol relies upon a positive acknowledgement scheme over UDP to make sure that a director receives the alarm.
NetRanger Communications
• Reliability: the sensor waits for an acknowledgment of every alarm sent to the director (Alarm Sent / Alarm Received)
• Director Redundancy: the sensor can send alarms to multiple directors
• Director Fault Tolerance: the sensor supports multiple routes to a single destination; if the primary route is down, the sensor defaults to the secondary route (Primary Path Down / Default to Secondary Path)

NetRanger Director Placement
• Enterprise Director tier: Strategic Management
• Regional Director tier: Operational Management
• Local Director tier: Security Management

Network Node Manager View of the Network
(figure)

NetRanger Sensor Placement
Candidate locations: Internet, DMZ Servers, Data Center, Workgroup Server Cluster, Users, Network Access Server, Business Partner Access (figure)

Visibility of the Firewall Security
• A sensor placed inside of the firewall will detect and report attacks that get past the firewall. One example of this is an attack that is started from a compromised WWW server on the DMZ.
• A sensor placed outside of the firewall will detect and report attacks that the firewall may stop.

Visibility of VPN Link Security
• A sensor placed at the access point to your VPN links will monitor the activities with your business partners (Business Partner Access)

Visibility of Dial-In Security
• A sensor placed at the access point to your remote access server will monitor the activities of your dial-in users (Network Access Server)

Visibility of the Security of Critical Services
• Sensors placed at the access points to your critical business servers and subnets will monitor the security interactions between your users and the services provided by these devices

Visibility of the Security of Critical Services
• Sensors placed at the access points to your users' networks will monitor the security of your users

Do You Need Active Audit? (Options: NetRanger, NetSonar, Cisco IOS Firewall with Intrusion Detection)
You Are Setting Up Internal Firewalls and You Have Been Asked to Verify that the Firewalls Meet the Company Policy

Network Vulnerability Assessment
NetSonar Automates the Process of Identifying Network Security Vulnerabilities through its Comprehensive Vulnerability Scanning and Network Mapping Capabilities.
"With Cisco's NetSonar, Users Don't Have to Be Security Experts to Have Security Expertise"

NetSonar Components
(figure)

NetSonar Process
• Network mapping: identify live hosts; identify services on hosts
• Vulnerability scanning: analyze potential vulnerabilities; confirm vulnerabilities on targeted hosts

NetSonar and NetRanger
• NetRanger will report the scans and probes used by NetSonar
Scan through a Firewall
• Target the scans: the firewall and the hosts behind it
• NAT considerations
• ACL considerations

Scan Subnets
• Target the scans: all interfaces of the routers and hosts
• Time to scan
• ACL considerations

Do You Need Active Audit? (Options: NetRanger, NetSonar, Cisco IOS Firewall with Intrusion Detection)
You Installed a Firewall to Protect Your Network from Threats from the Internet, Only to Find Someone Attacked Your Network through a Dialup Modem

Cisco IOS Firewall with Intrusion Detection
• Available in Cisco IOS 12.0(5)T
• Bundled with the Cisco IOS Firewall Feature Set
• These features can be used to enforce a security policy

Cisco IOS Firewall Signatures
• 59 signatures taken from a broad range to detect the most common information gathering scans and attacks
• Signature categories: Applications, UDP, TCP, ICMP, IP

Event Actions
• Alarm: console messages, syslog, PostOffice (alarm sent)
• Drop: packet dropped
• Reset: TCP RSTs sent if it is a TCP session
• These are expected to be used together but can be individually configured

Implementation
• The Cisco IOS Firewall with Intrusion Detection can be used to supplement an Intrusion Detection System
• Placement at the Core, Distribution, or Access layer (figure)

Do You Need Active Audit? NO TRESPASSING!
You Just Received an Email from the Security Administrator of Another Company Saying that They Have Tracked an Information Gathering Scan Back to Your Firewall. They Would Like Your Help to Prevent this from Happening Again.

Conclusions: Maximize Your Security Coverage with Active Audit
• Know Where and How to Deploy Active Audit Technologies to Maximize Your Security Coverage
• The Security Wheel: Corporate Security Policy; Secure, Monitor, Audit/Test, Manage and Improve

Please Complete Your Evaluation Form
Session #1305
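The Event Actions slide (alarm, drop, reset, individually configurable) and the NetRanger Communications slide (acknowledged alarms, multiple directors, primary and secondary routes) are illustrated below as a Cisco IOS Firewall IDS configuration. This is an added example, not a configuration from the deck or from Cisco; every host/org ID, address, interface and rule name is a constructed placeholder.

```cisco
! Added example, not from the Cisco deck: Cisco IOS Firewall with Intrusion
! Detection (IOS 12.0(5)T feature set). All IDs, addresses and names are
! constructed placeholders.
!
! Alarm destinations: local syslog/console plus PostOffice to NetRanger Directors
logging 10.0.0.20
ip audit notify log
ip audit notify nr-director
ip audit po max-events 100
!
! This router's own PostOffice identity (organization 100, host 10)
ip audit po local hostid 10 orgid 100
!
! Director redundancy: every alarm goes to both Director 1 and Director 2
ip audit po remote hostid 1 orgid 100 rmtaddress 10.0.0.10 localaddress 10.0.0.1 port 45000 preference 1 timeout 5 application director
ip audit po remote hostid 2 orgid 100 rmtaddress 10.0.0.11 localaddress 10.0.0.1 port 45000 preference 1 timeout 5 application director
!
! Director fault tolerance: a second, lower-preference route to Director 1
! over another interface, used when the preference-1 path stops acknowledging
ip audit po remote hostid 1 orgid 100 rmtaddress 10.0.1.10 localaddress 10.0.1.1 port 45000 preference 2 timeout 5 application director
!
! Event actions, configured per signature class.
! Information-gathering signatures: alarm only.
ip audit name OUTSIDE-IDS info action alarm
! Attack signatures: alarm, drop the packet and send TCP RSTs (reset only has
! an effect when the offending traffic is a TCP session).
ip audit name OUTSIDE-IDS attack action alarm drop reset
!
! Bind the audit rule to inbound traffic on the Internet-facing interface
interface Serial0
 description Internet link
 ip address 192.0.2.1 255.255.255.0
 ip audit OUTSIDE-IDS in
!
! Management interfaces carrying the two PostOffice paths
interface Ethernet0
 ip address 10.0.0.1 255.255.255.0
interface Ethernet1
 ip address 10.0.1.1 255.255.255.0
```

The Director side must define matching host and org IDs for this router in its own PostOffice configuration, which is outside IOS and not shown. On the router, `show ip audit configuration` and `show ip audit statistics` confirm the active rules and the alarm counters.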