Jan 23, 2016
Page 1: Industry Overview

Copyright © 2003 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net

Industry Overview

Victor Kasacavage, Systems Engineer, Juniper Networks

Page 2: Industry Overview

Copyright © 2006 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net

Agenda

Why does security matter?

Types of Protection

IDS vs IPS

Layer 7 vs Layer 4

Attack Phases and Tools

Summary

Page 3: Industry Overview


Why Do People Care?

Money

Service Providers

• Loss of bandwidth/connectivity = Loss of product = Loss of reputation

• Theft of customer info = Loss of reputation

Enterprise

• Loss of productivity = Loss of immediate business + future business

• Loss of intellectual property

User

• Loss of passwords = network vulnerability

• Loss of personal identity/passwords = theft

Page 4: Industry Overview


Security Has Changed

[Chart: Security Incidents Reported by Year, 1988 to 2003; x-axis Year, y-axis Number of Incidents (0 to 160,000). Source: CERT Coordination Center]

“Given the widespread use of automated attack tools, attacks against Internet-connected systems have become so commonplace that counts of the number of incidents reported provide little information with regard to assessing the scope and impact of attacks. Therefore, as of 2004, we will no longer publish the number of incidents reported.”

An incident may involve one site or hundreds (or even thousands) of sites. Also, some incidents may involve ongoing activity for long periods of time.

Page 5: Industry Overview


If You Sell It, They Will Buy

[Chart: Worldwide Network-Based IPS and IDS Product Manufacturer Revenue ($M), calendar years CY01 to CY08, with separate IDS and IPS series]

• Market doubled in 2005 for IPS, over half a billion for IDS/IPS this year

• IPS one of fastest growing segments in industry

• IDS users moving to IPS!

• “Most of the market remains a green field of prospects with interest and demand”*

*Network Security and Intrusion Prevention, ESG, Jan 2005

Page 6: Industry Overview


Types of Protection

The market would buy insurance, if it only knew what to buy!

• Must be comprehensive (not a half-solution)

• Must be implementable

• Must be actionable (not just advice)

• Should help with compliance issues

Risk = (Vulnerability × Threat × Asset Value) / Countermeasures

Compliance drivers: SOX, HIPAA, CESG, GLB, Basel II

What technologies are available today?

Firewalls

• Controls access between networks

• Some firewalls have more advanced inspection methods

• Limits access to provide security

Antivirus

• Inspects for viruses in files or network traffic

• Prohibits viruses embedded in files

• Available as host software or network software/devices

• Market began with host software, and is further developed

Intrusion Detection Systems/Intrusion Prevention Systems

• Watches for attacks on networks or on the host

• Evaluates network traffic to determine if a suspected intrusion has taken place

• Signals an alarm, creates a log (IDS/IPS) or drops traffic (IPS) (one or all)

• Available as network software and/or host software

Page 7: Industry Overview


Intrusion Detection & Intrusion Prevention

Product: Intrusion Detection System (IDS)

What it does:

• Hangs off switch (SPAN) or wire (TAP)

• Examines inbound and outbound network traffic for attacks but does not block them

• Responds with an alert

• Usually PC-based

Pluses:

• Does not slow network

Minuses:

• Cannot operate inline

• Cannot block traffic

• Does not take any action… just sends an alert

• Can generate a data overload (tons of alerts)

• Can be very hard to manage

Product: Intrusion Prevention System (IPS)

What it does:

• Deployed inline but some can also be deployed in IDS mode

• Examines network traffic for attacks and can alert and/or block

• Often purpose-built

Pluses:

• Can be placed inline

• Can be configured to drop traffic without requiring any user intervention (hence can be easier to manage)

• Can be used to deliver true application visibility

Minuses:

• Since it operates inline, it can introduce extra latency and an extra failure point

• Differences in attack coverage and accuracy between vendors may cause customers to wrongly compare on performance

IDS and IPS are designed to protect from:

• Network Worms

• Non-File Based Trojans

• Spyware/Adware/Keyloggers “phoning-home”

• Other Malware & Zero-Day Attacks

• DOS

Page 8: Industry Overview


A Complete Solution

At a minimum, the enterprise needs:

• Firewall – necessary for first line perimeter defense

• Host-based antivirus – prevents many viruses where they start

• Network intrusion detection and prevention solution – needs application layer visibility to stop only attacks, in real time

Full Layer 7 application visibility, which provides:

• Context – not just the “bits” or “words,” but the “conversation”

• Application/Protocol Breadth – insight into many different protocols

• 2-Way Traffic Inspection – not just one direction of data, but both directions

• “Zero-Day” Intelligence – not just known attacks, but unexploited vulnerability protection and protocol anomalies

• Different detection methods for different phases of attack

Page 9: Industry Overview


Context: Layer 7 IPS vs Layer 4 IPS Concept

[Diagram: the same traffic bit stream fed to Layer 7 processing and to Layer 4 processing]

Layer 7 processing

• Extracts application state, application message, and application message value

• Precise L7 pattern match

• Can perform protocol anomaly detection

• Can detect zero-day attacks

Layer 4 processing

• Basic error-prone pattern match

Page 10: Industry Overview


Protocol Breadth

• Compares protocol behavior as seen in the traffic to the protocol RFC

• Requires support of many common protocols

Page 11: Industry Overview


Two-Way Traffic Inspection

Must look at incoming and outgoing traffic

[Diagram]

• One-way IPS inspects only the request side (1) and lets ALL response traffic through (2)

• Two-way IPS inspects both the request (1) AND the response (2)

Page 12: Industry Overview


Context + Protocol Breadth + 2-Way: all three are needed for zero-day protection

• Zero-day attacks have no signatures

• They can be discovered only with a combination of:

• Layer 7 information

• Protocol behavior comparisons

• Both sides of the network “conversation”

Page 13: Industry Overview


Attack Phases and Tools

Different methods for different attack phases

• Preparing to attack – the recon phase

• External and internal attacks

• Unknowing employees bring in infection

Page 14: Industry Overview


Detection Methods

Protocol Anomaly

Stateful Signatures

Backdoor Detection

Traffic Anomaly

Syn-Flood Detection

IP Spoof Detection

Layer 2 Detection

Page 15: Industry Overview


Multiple Methods Of Detection: Recon Detection

The attacker is trying to find vulnerabilities

Traffic Anomaly Detection – Notes unusual traffic based on admin-configurable rules: X ports per Y time; X IP addresses per Y time; X sessions per Y time

Network Honeypot – Impersonates services, sending fake information in response to scans to try to entice attackers to access the non-existent services. There is no reason for legitimate traffic to access these resources because they don’t exist, so any attempt to connect constitutes an attack.

[Diagram: a scanner probing FTP, SSH, Telnet across two real servers and one fake (honeypot) server]
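The “X per Y time” rules above, written out as one sliding-window detector run over a constructed connection log. This is an added example, not Juniper code; the thresholds in RULES and the record layout are assumptions.

```python
from collections import defaultdict, deque

# Constructed connection log: (timestamp_seconds, src_ip, dst_ip, dst_port).
# 10.0.0.9 touches six ports on one server within a second (a port sweep);
# 10.0.0.5 is ordinary client traffic.
CONNECTIONS = [
    (0.0, "10.0.0.5", "192.0.2.10", 443),
    (0.5, "10.0.0.9", "192.0.2.20", 21),
    (0.6, "10.0.0.9", "192.0.2.20", 22),
    (0.7, "10.0.0.9", "192.0.2.20", 23),
    (0.8, "10.0.0.9", "192.0.2.20", 25),
    (0.9, "10.0.0.9", "192.0.2.20", 80),
    (1.0, "10.0.0.9", "192.0.2.20", 110),
    (2.0, "10.0.0.5", "192.0.2.10", 80),
    (40.0, "10.0.0.9", "192.0.2.20", 143),   # outside the window: no alert
]

def threshold_alerts(connections, key, max_count, window_seconds):
    """Generic 'X things per Y time' rule: alert on (src_ip, timestamp) whenever
    the number of distinct key(record) values seen from one source within the
    trailing window exceeds max_count."""
    recent = defaultdict(deque)          # src_ip -> records inside the window
    alerts = []
    for rec in sorted(connections):
        ts, src = rec[0], rec[1]
        q = recent[src]
        q.append(rec)
        while q and ts - q[0][0] > window_seconds:   # expire old records
            q.popleft()
        if len({key(r) for r in q}) > max_count:
            alerts.append((src, ts))
    return alerts

# The three rules named on the slide; thresholds are hypothetical admin settings.
RULES = {
    "ports":    (lambda r: r[3], 5, 10.0),   # distinct destination ports
    "hosts":    (lambda r: r[2], 5, 10.0),   # distinct destination IP addresses
    "sessions": (lambda r: r,    20, 10.0),  # every record is one session
}

def run_rules(connections):
    """Evaluate every rule and return {rule_name: [(src_ip, ts), ...]}."""
    return {name: threshold_alerts(connections, k, m, w)
            for name, (k, m, w) in RULES.items()}
```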

Page 16: Industry Overview


Multiple Methods Of Detection: Attack Detection

The attacker has identified vulnerabilities or proceeded

Protocol Anomaly Detection – Compares traffic to the protocol specification. Only as useful as the number of protocols supported.

[Diagram: attacker establishes a connection; server expects <256 bytes; attacker sends 512 bytes!]

Stateful Signatures – Tracks state of the network “conversation.” For example, differentiates the control portion from the body of an e-mail. Significantly reduces false positives!

[Diagram: an e-mail whose control portion is “CNTL > From, To” and whose body is “Data > expn root is an exploit…”, versus a session with “CNTL > expn root”; matching the body text would be a FALSE POSITIVE, only the command in the control portion is the attack]
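Both methods on this slide, as an added example (not Juniper code) over a constructed SMTP session: the stateful inspector tracks whether each line is control or body, so “expn root” in the message body is not matched while the real EXPN command is, and it flags over-long commands as protocol anomalies. The 256-byte limit and the signature list are assumptions.

```python
import re

# Constructed client side of one SMTP session, as an inline IPS would see it.
# "expn root" appears twice: inside the message body (harmless text, the
# slide's false positive) and as a real command after the body ends.
SESSION = (
    "EHLO mail.example.test\r\n"
    "MAIL FROM:<alice@example.test>\r\n"
    "RCPT TO:<bob@example.test>\r\n"
    "DATA\r\n"
    "Subject: notes\r\n"
    "\r\n"
    "expn root is an exploit...\r\n"
    ".\r\n"
    "EXPN root\r\n"
    "QUIT\r\n"
)

# Signature that only means something in the control (command) portion.
SIGNATURES = [("SMTP EXPN/VRFY probe", re.compile(r"^(EXPN|VRFY)\s+\S+", re.I))]
MAX_COMMAND_LEN = 256   # hypothetical server expectation from the slide

def inspect_smtp(client_stream):
    """Stateful inspection: track whether each line is CNTL or DATA, match
    signatures only in CNTL state, and flag over-long commands as protocol
    anomalies. Returns a list of (method, detail) findings."""
    findings, in_data = [], False
    for line in client_stream.split("\r\n"):
        if in_data:
            if line == ".":                # end-of-body marker
                in_data = False
            continue                       # body text is never a command
        if not line:
            continue
        if len(line) > MAX_COMMAND_LEN:
            findings.append(("protocol anomaly", f"command length {len(line)}"))
        for name, pattern in SIGNATURES:
            if pattern.match(line):
                findings.append(("stateful signature", name))
        if line.upper() == "DATA":
            in_data = True
    return findings

def stateless_matches(client_stream):
    """What a context-free Layer 4 pattern match would count on the same stream."""
    return len(re.findall(r"expn\s+root", client_stream, re.I))
```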

Page 17: Industry Overview


Multiple Methods Of Detection: Propagation/Proliferation Detection

Initial attack has succeeded and is now proliferating

Spyware – Recognizes spyware when it attempts to “phone home.” Identifies the source of the message, so it can be eliminated before it spreads.

Backdoor Detection – A worm or Trojan can be downloaded together with something else (an IM with a surprise, or “freeware” with a spyware surprise). It stays dormant until the attacker activates it to “open the backdoor” into the network. IDP recognizes the non-allowed interactive traffic between the attacker and the worm.

Page 18: Industry Overview


Multiple Methods Of Detection: Propagation/Proliferation Detection

Initial attack has succeeded and is now proliferating

IP Spoof Detection – Attacker spoofs IP addresses to make it look like the message is coming from inside the network. Just define the IP subnets behind each interface and validate the source IP against the inbound interface.

[Diagram: inside network 10.1.1.0/24 (10.1.1.1); a packet arriving from outside with SRC-IP 10.1.1.55, DST-IP, DST-Port 53, DATA]

Layer 2 Attack Detection – ‘arpspoof’ and ‘dsniff’: MAC/IP flip-flops between interfaces; mismatch between the Ethernet frame and the ARP header; IP address change for the same MAC; invalid ARP request/reply frames.

[Diagram: typical ARP request/reply vs forged ARP packet]
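The two checks on this slide as an added example (not Juniper code): ingress validation of a source IP against the subnet defined behind each interface, using the diagram’s 10.1.1.0/24 and 10.1.1.55, plus the Layer 2 consistency checks over constructed ARP replies. The interface names, MAC addresses and the extra “MAC change for an IP” check are assumptions.

```python
import ipaddress

# Subnets the administrator has defined behind each interface (constructed).
INTERFACE_SUBNETS = {
    "inside":  [ipaddress.ip_network("10.1.1.0/24")],
    "outside": [],   # the outside interface owns no internal subnet
}

def is_spoofed(ingress_iface, src_ip):
    """IP spoof detection as on the slide: the source address must not belong
    to a subnet defined behind a different interface than the packet arrived on."""
    src = ipaddress.ip_address(src_ip)
    return any(iface != ingress_iface and any(src in net for net in nets)
               for iface, nets in INTERFACE_SUBNETS.items())

def arp_findings(frames):
    """Layer 2 checks: Ethernet source vs ARP sender MAC mismatch, and an IP
    address change for the same MAC. The reverse check (a MAC change for an
    IP already seen) is added here as well. frames: dicts with eth_src,
    arp_sender_mac and arp_sender_ip taken from ARP replies."""
    findings, mac_to_ip, ip_to_mac = [], {}, {}
    for f in frames:
        mac, ip = f["arp_sender_mac"], f["arp_sender_ip"]
        if f["eth_src"] != mac:
            findings.append(("eth/arp mismatch", mac))
        if mac_to_ip.setdefault(mac, ip) != ip:
            findings.append(("ip change for mac", mac))
        if ip_to_mac.setdefault(ip, mac) != mac:
            findings.append(("mac change for ip", ip))
    return findings

# Constructed ARP replies: a legitimate gateway reply, a forged frame sent from
# another NIC but claiming the gateway's MAC, and the forger's own MAC first
# claiming the gateway IP and then a host IP.
ARP_FRAMES = [
    {"eth_src": "aa:aa:aa:aa:aa:01", "arp_sender_mac": "aa:aa:aa:aa:aa:01", "arp_sender_ip": "10.1.1.1"},
    {"eth_src": "aa:aa:aa:aa:aa:99", "arp_sender_mac": "aa:aa:aa:aa:aa:01", "arp_sender_ip": "10.1.1.1"},
    {"eth_src": "aa:aa:aa:aa:aa:99", "arp_sender_mac": "aa:aa:aa:aa:aa:99", "arp_sender_ip": "10.1.1.1"},
    {"eth_src": "aa:aa:aa:aa:aa:99", "arp_sender_mac": "aa:aa:aa:aa:aa:99", "arp_sender_ip": "10.1.1.55"},
]
```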

Page 19: Industry Overview


Summary - IPS Selection Criteria

Detection Methods

Network and Application Visibility

Accuracy

Management and Ease of Use

Throughput

System Transparency

Page 20: Industry Overview


Juniper Standalone IDP Product Line

IDP

IDP 50 – Small network segments or low speed links

• 50Mb Throughput

• 10,000 Maximum Sessions

• 1 GB Memory

• Integrated Bypass Ports

IDP 200 – Medium central site and large branch offices

• 250Mb Throughput

• 50,000 Maximum Sessions

• 1 GB Memory

• HA Clustering and Integrated Bypass Ports

IDP 600C/F – Medium to large central site or high traffic areas

• 500Mb Throughput

• 200,000 Maximum Sessions

• 4 GB Memory

• HA Clustering

• Fiber or Copper Gigabit Port Versions

• Dual SCSI drives and redundant power

IDP 1100C/F – Large central site or high traffic areas

• 1 GB Max Throughput*

• 500,000 Maximum Sessions

• 4 GB Memory

• HA Clustering

• Fiber or Copper Gigabit Port Versions

• Dual SCSI drives and redundant power

All contain full IDP features and are managed using the same interface = Increased Security throughout the Network & Lower TCO

*As tested with IDP 3.0 software