Copyright © 2003 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net
Industry Overview
Victor Kasacavage, Systems Engineer, Juniper Networks
Copyright © 2006 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net
Agenda
Why does security matter?
Types of Protection
IDS vs IPS
Layer 7 vs Layer 4
Attack Phases and Tools
Summary
Why Do People Care? Money
Service Providers
• Loss of bandwidth/connectivity = Loss of product = Loss of reputation
• Theft of customer info = Loss of reputation
Enterprise
• Loss of productivity = Loss of immediate business + future business
• Loss of intellectual property
User
• Loss of passwords = network vulnerability
• Loss of personal identity/passwords = theft
Security Has Changed
Source: CERT Coordination Center
[Chart: Security Incidents Reported by Year, 1988–2003; x-axis Year, y-axis Number of Incidents, 0 to 160,000]
“Given the widespread use of automated attack tools, attacks against Internet-connected systems have become so commonplace that counts of the number of incidents reported provide little information with regard to assessing the scope and impact of attacks. Therefore, as of 2004, we will no longer publish the number of incidents reported.”
An incident may involve one site or hundreds (or even thousands) of sites. Also, some incidents may involve ongoing activity for long periods of time.
If You Sell It, They Will Buy
[Chart: Worldwide Network-Based IPS and IDS Product Manufacturer Revenue, IDS vs IPS, CY01–CY08; x-axis Calendar Year, y-axis Revenue ($M), $0 to $600]
• Market doubled in 2005 for IPS, over half a billion for IDS/IPS this year
• IPS one of fastest growing segments in industry
• IDS users moving to IPS!
• “Most of the market remains a green field of prospects with interest and demand”*
*Network Security and Intrusion Prevention, ESG, Jan 2005
Types of Protection
The market would buy insurance, if it only knew what to buy!
• Must be comprehensive (not a half-solution)
• Must be implementable
• Must be actionable (not just advice)
• Should help with compliance issues
Risk ($) = (Vulnerability × Threat × Asset Value) / Countermeasures
Compliance drivers: SOX, HIPAA, CESG, GLB, Basel II
What technologies are available today?
Firewalls
• Controls access between networks
• Some firewalls have more advanced inspection methods
• Limits access to provide security
Antivirus
• Inspects for viruses in files or network traffic
• Prohibits viruses embedded in files
• Available as host software or network software/devices
• Market began with host software, and is further developed
Intrusion Detection Systems/Intrusion Prevention Systems
• Watches for attacks on networks or on the host
• Evaluates network traffic to determine if a suspected intrusion has taken place
• Signals an alarm, creates a log (IDS/IPS), or drops traffic (IPS) (one or all)
• Available as network software and/or host software
Intrusion Detection & Intrusion Prevention

Intrusion Detection System (IDS)
What it does: Hangs off switch (SPAN) or wire (TAP). Examines inbound and outbound network traffic for attacks but does not block them. Responds with an alert. Usually PC-based.
Pluses: Does not slow network.
Minuses: Cannot operate inline. Cannot block traffic. Does not take any action… just sends an alert. Can generate a data overload (tons of alerts). Can be very hard to manage.

Intrusion Prevention System (IPS)
What it does: Deployed inline but some can also be deployed in IDS mode. Examines network traffic for attacks and can alert and/or block. Often purpose-built.
Pluses: Can be placed inline. Can be configured to drop traffic without requiring any user intervention (hence can be easier to manage). Can be used to deliver true application visibility.
Minuses: Since it operates inline, it can introduce extra latency and an extra failure point. Differences in attack coverage and accuracy between vendors may cause customers to wrongly compare on performance.

IDS and IPS are designed to protect from:
• Network Worms
• Non-File Based Trojans
• Spyware/Adware/Keyloggers “phoning-home”
• Other Malware & Zero-Day Attacks
• DOS
A Complete Solution
At a minimum, the enterprise needs:
• Firewall – necessary for first line perimeter defense
• Host-based antivirus – prevents many viruses where they start
• Network intrusion detection and prevention solution –
  • Need application layer visibility to stop only attacks in real time
  • Full Layer 7 application visibility, which provides:
    • Context – not just the “bits” or “words,” but the “conversation”
    • Application/Protocol Breadth – insight into many different protocols
    • 2-Way Traffic Inspection – not just one direction of data, but both directions
    • “Zero-Day” Intelligence – not just known attacks, but unexploited vulnerability protection and protocol anomalies
  • Different detection methods for different phases of attack
Context: Layer 7 IPS vs Layer 4 IPS Concept
[Diagram: a traffic bit stream fed to Layer 7 processing and to Layer 4 processing]
Layer 7 processing
• Extracts application state, application message, and application message value
• Precise L7 pattern match
• Can perform protocol anomaly detection
• Can detect zero-day attacks
Layer 4 processing
• Basic error-prone pattern match on the raw bit stream
Protocol Breadth
• Compares protocol behavior as seen in the traffic to the protocol RFC
• Requires support of many common protocols
Two-Way Traffic Inspection
Must look at incoming and outgoing traffic
[Diagram: (1) a one-way IPS inspects only the request side and lets ALL response traffic through; (2) a two-way IPS inspects both the request AND the response]
Context + Protocol Breadth + 2-Way: Need all for Zero-day protection
• Zero-day attacks have no signatures
• They can be discovered only with a combination of:
  • Layer 7 information
  • Protocol behavior comparisons
  • Both sides of the network “conversation”
Attack Phases and Tools
Different methods for different attack phases
• Preparing to attack – the recon phase
• External and internal attacks
• Unknowing employees bring in infection
Detection Methods
• Protocol Anomaly
• Stateful Signatures
• Backdoor Detection
• Traffic Anomaly
• Syn-Flood Detection
• IP Spoof Detection
• Layer 2 Detection
Multiple Methods Of Detection: Recon Detection
The attacker is trying to find vulnerabilities.
Traffic Anomaly Detection
• Notes unusual traffic based on admin-configurable rules: X ports per Y time; X IP addresses per Y time; X sessions per Y time
Network Honeypot
• Impersonates services, sending fake information in response to scans to try and entice attackers to access the non-existent services.
• There is no reason for legitimate traffic to access these resources because they don’t exist, so any attempt to connect constitutes an attack.
[Diagram: scans for FTP, SSH and Telnet directed at two real servers and one fake server]
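The three rule shapes the slide lists for traffic anomaly detection (X ports per Y time, X IP addresses per Y time, X sessions per Y time) are easy to state but the window handling is where deployments go wrong, so here is an added worked example. It is not Juniper IDP code; the rule names, thresholds, 60-second window, flow-record fields and the sample flows are all assumptions constructed for illustration.

```python
"""Recon (traffic anomaly) detection over constructed flow records.

Added example, not Juniper IDP code. Implements the slide's three rule
shapes, "X ports per Y time", "X IP addresses per Y time" and "X sessions
per Y time", as sliding-window counters keyed by source IP. Thresholds,
window, field names and the sample flows are assumptions for illustration.
"""
from collections import defaultdict, deque

# Admin-configurable rules (assumed values): name -> (threshold X, window Y in seconds)
RULES = {
    "port-scan": (10, 60),       # distinct destination ports per source
    "host-sweep": (5, 60),       # distinct destination IPs per source
    "session-flood": (50, 60),   # sessions per source
}


class ReconDetector:
    def __init__(self, rules=RULES):
        self.rules = rules
        # per source IP, per rule: deque of (timestamp, key) inside the window
        self.windows = defaultdict(lambda: defaultdict(deque))
        self.fired = set()   # (rule, src) pairs already alerted on

    def _over_threshold(self, rule, src, key, now):
        """Add one event, expire old ones, and test distinct keys in window > X."""
        threshold, window = self.rules[rule]
        q = self.windows[src][rule]
        q.append((now, key))
        while q and now - q[0][0] > window:
            q.popleft()
        return len({k for _, k in q}) > threshold

    def feed(self, flow):
        """flow: dict with ts, src, dst, dport, session_id; returns new alerts."""
        src, ts = flow["src"], flow["ts"]
        checks = (
            ("port-scan", flow["dport"]),
            ("host-sweep", flow["dst"]),
            ("session-flood", flow["session_id"]),
        )
        alerts = []
        for rule, key in checks:
            if self._over_threshold(rule, src, key, ts) and (rule, src) not in self.fired:
                self.fired.add((rule, src))
                alerts.append((rule, src))
        return alerts


def scan_flows(src, dst, ports, start_ts, interval):
    """Construct one flow per port, `interval` seconds apart (sample data)."""
    return [{"ts": start_ts + i * interval, "src": src, "dst": dst, "dport": p,
             "session_id": f"{src}:{start_ts + i * interval}"}
            for i, p in enumerate(ports)]


def run_sample(interval=1):
    """Mix a 12-port probe with a normal client and return the alerts raised."""
    flows = (scan_flows("10.1.1.1", "10.1.1.55", range(1, 13), 1000, interval)
             + scan_flows("10.1.1.20", "10.1.1.55", [53, 80, 443], 1000, interval))
    flows.sort(key=lambda f: f["ts"])
    det = ReconDetector()
    alerts = []
    for f in flows:
        alerts.extend(det.feed(f))
    return alerts


if __name__ == "__main__":
    print(run_sample())             # the fast probe trips the port rule
    print(run_sample(interval=30))  # the same ports spread over 6 minutes stay under X per Y
```

The second call shows the caveat behind "per Y time": a rule is only as good as its window, and the Y chosen has to match the rate of activity the administrator actually wants to see alerted on.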
Multiple Methods Of Detection: Attack Detection
The attacker has identified vulnerabilities or proceeded.
Protocol Anomaly Detection
• Compares traffic to the protocol specification
• Only as useful as the number of protocols supported
• Example: the client establishes a connection; the server expects <256 bytes; the attacker sends 512 bytes!
Stateful Signatures
• Tracks state of the network “conversation.” For example, differentiates the control portion from the body of an e-mail
• Significantly reduces false positives!
• Example: CNTL > From, To; Data > “expn root is an exploit…” → FALSE POSITIVE for a stateless match; CNTL > expn root → the attack
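The Layer 7 vs Layer 4 concept, the protocol anomaly check and the stateful signature example above are all the same idea seen from different angles, so one added example covers them. It is not Juniper IDP code: a constructed SMTP client stream is run through a naive byte-pattern match (the slide's "basic error-prone pattern match") and through a small state-tracking parser that knows whether a line is a command or part of the DATA body and checks the RFC 5321 size limits (512 octets per command line, 256 octets per path). The session contents, the signature string and the finding labels are assumptions for illustration.

```python
"""Layer 7 vs Layer 4 matching, protocol anomaly and stateful signatures on SMTP.

Added example, not Juniper IDP code. A constructed SMTP client stream is run
through (a) a naive byte-pattern match, the "basic error-prone pattern
match" of Layer 4 processing, and (b) a state-tracking parser that knows
whether a line is a command or part of the DATA body and checks the RFC 5321
size limits (512 octets per command line, 256 octets per path).
The session contents are invented for illustration.
"""
import re

# Signature: the EXPN verb aimed at the root account (the slide's "expn root").
EXPN_PATTERN = re.compile(rb"(?i)expn root")

MAX_COMMAND_LINE = 512  # RFC 5321 4.5.3.1.4, including the trailing CRLF
MAX_PATH = 256          # RFC 5321 4.5.3.1.3, reverse-path / forward-path


def naive_match(stream: bytes) -> list:
    """Layer 4 style: flag every occurrence of the pattern anywhere in the bytes."""
    return ["expn-root"] * len(EXPN_PATTERN.findall(stream))


def stateful_inspect(stream: bytes) -> list:
    """Layer 7 style: parse client lines while tracking COMMAND vs DATA state."""
    findings = []
    state = "COMMAND"
    for line in stream.split(b"\r\n"):
        if state == "DATA":
            if line == b".":       # end-of-data marker: back to command state
                state = "COMMAND"
            continue               # message body is never a command, so no signature match
        if len(line) + 2 > MAX_COMMAND_LINE:
            findings.append("anomaly:command-line-too-long")
        verb = line.split(b" ", 1)[0].upper()
        if verb == b"EXPN" and EXPN_PATTERN.search(line):
            findings.append("expn-root")
        elif verb in (b"MAIL", b"RCPT"):
            m = re.search(rb"<([^>]*)>", line)
            if m and len(m.group(1)) > MAX_PATH:
                findings.append("anomaly:path-too-long")
        elif verb == b"DATA":
            state = "DATA"
    return findings


# Constructed session: the message body quotes "expn root" in prose, which a
# stateless match cannot tell apart from the command itself.
BENIGN_SESSION = (
    b"HELO mail.example.com\r\n"
    b"MAIL FROM:<alice@example.com>\r\n"
    b"RCPT TO:<bob@example.com>\r\n"
    b"DATA\r\n"
    b"Subject: heads up\r\n"
    b"\r\n"
    b"Note: expn root is an exploit, which is why EXPN is disabled here.\r\n"
    b".\r\n"
    b"QUIT\r\n"
)
# Same session, but the client really issues the command before quitting.
ATTACK_SESSION = BENIGN_SESSION.replace(b"QUIT\r\n", b"EXPN root\r\nQUIT\r\n")
# A path far beyond the 256-octet limit: a protocol anomaly regardless of signatures.
OVERSIZED_PATH = b"MAIL FROM:<" + b"a" * 300 + b"@example.com>\r\n"

if __name__ == "__main__":
    print("naive/benign:", naive_match(BENIGN_SESSION))        # false positive
    print("stateful/benign:", stateful_inspect(BENIGN_SESSION))
    print("stateful/attack:", stateful_inspect(ATTACK_SESSION))
    print("stateful/oversized:", stateful_inspect(OVERSIZED_PATH))
```

The oversized path is the slide's "server expects <256 bytes, attacker sends 512" case in RFC terms: no signature is involved, the finding comes purely from comparing the observed field length with the limit the specification states, which is why protocol anomaly coverage is "only as useful as the number of protocols supported".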
Multiple Methods Of Detection: Propagation/Proliferation Detection
Initial attack has succeeded and is now proliferating.
Spyware
• Recognizes spyware when it attempts to “phone home”
• Identifies the source of the message, so it can be eliminated before it spreads
• Example: download of “freeware” (with a spyware surprise)
Backdoor Detection
• Attackers can send a worm, or a Trojan is downloaded with something else
• Attacker will activate it to open a backdoor into the network
• IDP recognizes the non-allowed interactive traffic between the attacker and the worm
• Example: IM (with a surprise!), dormant till the attacker “opens the backdoor”
Multiple Methods Of Detection: Propagation/Proliferation Detection
Initial attack has succeeded and is now proliferating.
IP Spoof Detection
• Attacker spoofs IP addresses to make it look like the message is coming from inside the network
• Just define IP subnets behind each interface
• Validate source IP against inbound interfaces
• Example: subnet 10.1.1.0/24 behind the inside interface; a packet with SRC-IP 10.1.1.1, DST-IP 10.1.1.55, DST-Port 53 plus DATA is checked against the interface it arrived on
Layer 2 Attack Detection
• ‘arpspoof’ and ‘dsniff’
• MAC/IP flip-flops between interfaces
• Mismatch between Ethernet frame and ARP header
• IP address change for the same MAC
• Invalid ARP request/reply frames
[Diagram: a typical ARP request/reply next to a forged ARP packet]
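Both checks on this slide are cheap lookups against state the administrator already has (the subnet behind each interface, and the IP/MAC bindings seen in ARP), as this added example shows. It is not Juniper IDP code: the interface names, the use of the slide's 10.1.1.0/24 addressing, the ARP frame fields and the sample frames are constructed assumptions, and "first binding wins" is a simplification of how a real ARP monitor would age its table.

```python
"""IP spoof and Layer 2 (ARP) consistency checks on constructed packets.

Added example, not Juniper IDP code. Implements the slide's two rules:
(1) define the IP subnet behind each interface and validate each packet's
source IP against the interface it arrived on; (2) flag ARP frames whose
Ethernet source MAC disagrees with the ARP sender MAC, an IP that changes
MAC (or a MAC that changes IP) across frames, and invalid ARP opcodes.
Interface names, the 10.1.1.0/24 addressing taken from the slide, and all
sample frames are assumptions; "first binding wins" is a simplification.
"""
import ipaddress

# Subnet expected behind each interface (assumed topology).
INTERFACE_SUBNETS = {
    "inside": ipaddress.ip_network("10.1.1.0/24"),
    "outside": ipaddress.ip_network("0.0.0.0/0"),   # everything else
}


def expected_interface(src):
    """Longest-prefix match of a source address against the interface table."""
    best = None
    for name, net in INTERFACE_SUBNETS.items():
        if src in net and (best is None or net.prefixlen > INTERFACE_SUBNETS[best].prefixlen):
            best = name
    return best


def is_spoofed(pkt):
    """True when the source IP could not legitimately arrive on pkt['iface']."""
    return expected_interface(ipaddress.ip_address(pkt["src"])) != pkt["iface"]


class ArpMonitor:
    """Tracks IP<->MAC bindings seen in ARP and reports inconsistencies."""
    def __init__(self):
        self.ip_to_mac = {}
        self.mac_to_ip = {}

    def check(self, frame):
        """frame: dict with eth_src, arp_sha, arp_spa, op (1=request, 2=reply)."""
        alerts = []
        ip, mac = frame["arp_spa"], frame["arp_sha"]
        if frame["eth_src"] != mac:
            alerts.append("eth/arp-mac-mismatch")
        if frame["op"] not in (1, 2):
            alerts.append("invalid-arp-op")
        if self.ip_to_mac.get(ip, mac) != mac:
            alerts.append("ip-changed-mac")
        if self.mac_to_ip.get(mac, ip) != ip:
            alerts.append("mac-changed-ip")
        self.ip_to_mac.setdefault(ip, mac)   # first binding wins (simplification)
        self.mac_to_ip.setdefault(mac, ip)
        return alerts


def run_sample():
    # Constructed packets using the slide's addresses: same header, two arrival interfaces.
    hdr = {"src": "10.1.1.1", "dst": "10.1.1.55", "dport": 53}
    from_inside = dict(hdr, iface="inside")
    from_outside = dict(hdr, iface="outside")
    # Constructed ARP frames: a genuine reply, then a forged one whose Ethernet
    # source does not match the ARP header, then one rebinding the IP to a new MAC.
    frames = [
        {"eth_src": "00:11:22:33:44:01", "arp_sha": "00:11:22:33:44:01", "arp_spa": "10.1.1.1", "op": 2},
        {"eth_src": "00:11:22:33:44:99", "arp_sha": "00:11:22:33:44:01", "arp_spa": "10.1.1.1", "op": 2},
        {"eth_src": "00:11:22:33:44:99", "arp_sha": "00:11:22:33:44:99", "arp_spa": "10.1.1.1", "op": 2},
    ]
    mon = ArpMonitor()
    return {"inside": is_spoofed(from_inside), "outside": is_spoofed(from_outside),
            "arp": [mon.check(f) for f in frames]}


if __name__ == "__main__":
    print(run_sample())
```

The spoof check deliberately uses longest-prefix matching rather than a flat "is it in any internal subnet" test, so an inside address arriving on the outside interface is flagged while the same packet arriving on the inside interface is not.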
Summary - IPS Selection Criteria
Detection Methods
Network and Application Visibility
Accuracy
Management and Ease of Use
Throughput
System Transparency
Juniper Standalone IDP Product Line
IDP 50 – Small network segments or low speed links
• 50Mb Throughput
• 10,000 Maximum Sessions
• 1 GB Memory
• Integrated Bypass Ports
IDP 200 – Medium central site and large branch offices
• 250Mb Throughput
• 50,000 Maximum Sessions
• 1 GB Memory
• HA Clustering and Integrated Bypass Ports
IDP 600C/F – Medium to large central site or high traffic areas
• 500Mb Throughput
• 200,000 Maximum Sessions
• 4 GB Memory
• HA Clustering
• Fiber or Copper Gigabit Port Versions
• Dual SCSI drives and redundant power
IDP 1100C/F – Large central site or high traffic areas
• 1 GB Max Throughput*
• 500,000 Maximum Sessions
• 4 GB Memory
• HA Clustering
• Fiber or Copper Gigabit Port Versions
• Dual SCSI drives and redundant power
All contain full IDP features and are managed using the same interface = Increased Security throughout the Network & Lower TCO
*As tested with IDP 3.0 software