Intrusion Detection

1
Intrusion Detection ResponseLeveraging
Next-Generation Firewalls

• Ahmed Abdel-Aziz
• November 2009
• GIAC (GCIA, GCIH, GSNA, GCUX, GWAPT)
• CISSP

2
Objective

• 1) Describe Recent Threat Trends Security
  Statistics
• 2) What are Next-Generation Firewalls (NGFWs)
• 3) How to Leverage NGFWs in Intrusion Detection
• NGFWs in Bot Detection Extrusion Detection
• 4) How to Leverage NGFWs in Intrusion Response
• NGFWs in Incident Handling, NAC, and Application
  Enforcement
• 5) Important Planning Considerations

3
Threat Trends Security Statistics
Section 1 of 5

• Bots Increasing - Trojan variants spiked 300
  from 2007 to 08 source McAfee Virtual
  Criminology Report, 2008
• Compromise Discovery takes at least months, 65
  of the time
• Responding to Compromise takes at least weeks,
  63 of the time
• source Verizon Business, 2008 Data Breach
  Investigations Report
• NGFWs Can Significantly Reduce Compromise
  Discovery (specifically Bot detection) Response
  Times.

4
NGFWs The Evolution
Section 2 of 5

• NGFWs Incorporate Multiple Security Services
• NGFWs Not a Solution to Every Problem (examples)
• Use WAF for web application attacks (XSS, SQL
  Injection, etc.)
• Use dedicated email security solution for
  advanced spam filtering
• Firewalls Typically a Prevention Control NGFWs
  Can
• Also Become a Detection Reactive Control
• More Effective, Simpler, and Economical Security

5
NGFWs in Bot Detection
Section 3 of 5 (Intrusion Detection)

• What Bots Do
• Steal Sensitive Info
• Send Spam, Act as Proxy
• Execute DDOS Other Attacks
• Bot Detection Techniques
• (1) Detection by Using NIPS Component of NGFW
• NIPS Blocks Attacks Originating from Internal
  Bots
• NIPS Cuts Communication Between Bot its
  Command-and-Control (CC) Server using Known
  Traffic Signatures
• (Popular Bots Only, Unencrypted Communication
  Only) ?

6
NGFWs in Bot Detection Continued
Section 3 of 5 (Intrusion Detection)

• (2) Detection by Blocking Protocol Used in
  Command-and-Control (CC)
• Stop Storm Bot Updates by Blocking eDonkey P2P
  Protocol
• Configured in Fortinet Technology using a
  Protection Profile
• (3) Detection by Logging Violations Audit Trail
• Add Explicit Deny Rule at End of Firewall Policy
  for Logging
• Tighten Outgoing Firewall Policy Too Not Just
  Incoming
• Network Audit Trail for Traffic Flow Analysis
  Anomalies??
• (Malware Can be Detected Without Antivirus,
  Interesting!!)

7
NGFWs in Bot Detection Continued
Section 3 of 5 (Intrusion Detection)

• (4) Detection by Filtering Malicious Content in
  Traffic
• Leverage Perimeter Antimalware, Antispam, URL
  Filtering
• Configured in Fortinet Technology Using a
  Protection Profile
• Use SSL Inspection for Network Encrypted
  Protocols HTTPS, SMTPS, POPS, IMAPS
• (5) Detection Using DNS Based Techniques
• High Number of MX DNS Requests From Non SMTP
  Server
• Same DNS Request From Many Internal Hosts At Same
  Time
• Very Small TTL Values in DNS Replies (FastFlux)
• (Whats in Common? .. DNS Anomalous Traffic)

8
NGFWs in Extrusion Detection
Section 3 of 5 (Intrusion Detection)

• Basic Data Leakage Prevention
• Prevent Confidential Documents Leakage Through
  HTTP
• Achieved by Defining Watermark Creating Custom
  IPS Rule
• Sample Rule for Fortinet NGFW Below
• config ips custom
• edit DataLeakageThroughHTTP
• set signature 'F-SBID(--name DLP --dst_port 80
  --flow bi-direction --default_action DROP
  --protocol tcp --pattern Organization
  Confidential X!kltsrodm(!sldrk4dk- )'
• end
• Other Rules Can be Used to Detect Credit Card
  Numbers using Regular Expressions

9
NGFWs in Incident Handling
Section 4 of 5 (Intrusion Response)

• Security Incident Took Place While On-site
• (Process Proved Effective in Responding to
  Spambot)
• (1) Identification Phase Incident Handling
  Process
• Users Suddenly Unable to Send Email to Any
  Destination
• nslookup telnet to Send Email, SMTP Connection
  Rejected
• Public IP Blacklisted as Spam Sender
• Sudden Spike in Email Activity,
• Spambot on the Network

10
NGFWs in Incident Handling Continued
Section 4 of 5 (Intrusion Response)

• (2) Containment Phase Incident Handling Process
• Block All Outgoing TCP/25 Except from Mail Server
• Spambots on Network Unable to Send More Spam,
• Damage Already Done (Public IP has been
  Blacklisted)
• (3) Eradication Phase Incident Handling Process
• Goal Remove Attackers Artifacts
• Spambots Detected by Logging Violations to TCP/25
  Rule Configured in Containment ? 12 Spambots
  Detected!
• Eradication Needs Time, Disconnect Bots, Move to
  Recovery

11
NGFWs in Incident Handling Continued
Section 4 of 5 (Intrusion Response)

• (4) Recovery Phase Incident Handling Process
• Action 1 (Change Mail Server Blacklisted Public
  IP)
• In Fortinet Technology, Feature is Called IP
  Pools
• Effect on Outgoing Mail Traffic Only, Otherwise
  DNS MX Record Must be Changed
• Action 2 (Remove Public IP from Blacklists)
• Get Blacklists from MXtoolbox.com Request
  Removal of IP
• (5) Lessons Learned Phase Incident Handling
  Process
• Duration from Identification to Recovery Only
  one Hour!!
• Compare to Typical Intrusion Response Time of
  Weeks
• Source Verizon Business, 2008 Data Breach
  Investigations Report

12
NGFWs in Network Access Control
Section 4 of 5 (Intrusion Response)

• Pre-Admission Network Access Control in NGFW
• Checks for Existing, Running Updated Endpoint
  Security Solution (Isolate Hosts with Compromised
  Endpoint Security Solution)
• Pre-build Application White-list Enable
  On-Demand (Isolate Hosts with Unknown
  Applications Installed)
• Post Admission Network Access Control in NGFW
• Isolate Hosts that Originate Attacks Detected by
  NIPS
• Isolate Virus Senders Detected by Antimalware
• Isolate Hosts Violating Configured DLP Rules
• Allows Very Fast Response Time (Self DOS
  Potential)

13
NGFWs in Application Enforcement
Section 4 of 5 (Intrusion Response)

• Enforcing Application Use
• Only Windows Firefox Allowed as a Web Browser
• IPS ve Security Model Becomes ve Security Model
• Achieved by Creating Custom IPS Rule on NGFW
• Sample Rule for Fortinet NGFW Below
• config ips custom
• edit NotFirefoxBrowserOnWindows
• set signature 'F-SBID(--name App Enforcement
  --service HTTP --default_action DROP --flow
  established --pattern GET --context header
  --pattern !User-Agent Mozilla/5.0 (Windows U
  Windows NT 5.1 en-us rv1.9.0.5)
  Gecko/2008120123 Firefox/3.0.5\r\n --context
  header )'
• end

14
Important Planning Considerations
Section 5 of 5

• Proper Product Selection Sizing Key to
  Performance
• Research Underlying HW Technology SW
  Integration
• Datasheet Figures not Enough, Check Independent
  Testing Lab Certification for Real-World
  Performance
• Ex NSS Labs Report on the FortiGate 3810A
  NGFW States Sustained 270Mbps Throughput with
  all Security Services Enabled
• Check Quality of Security Services Included in
  NGFW
• (ICSA Labs Certification for IPS, Firewall,
  AntiMalware, etc)
• Avoid Single Point of Failure by Clustering
• Decide whether to Fail Open or Closed
• (Balance Availability need with
  Confidentiality Integrity Need)

15
Summary

• Statistics Demonstrate Improvement Needed in
  Current State of Intrusion Detection Response
• NGFWs Can be Leveraged to Significantly Improve
  Intrusion Detection Response Times
• Including Bot Intrusions
• Planning Deployment Critical to Reap Rewards
• Paper in SANS Reading Room Includes More Info
• http//www.sans.org/reading_room/whitepapers/firew
  alls/intrusion_
• detection_and_response_leveraging_next_generation_
  firewall_techn
• ology_33053 or search on NGFW in SANS site