Top risks associated in implementing
                              Network Intrusion Prevention Systems
                              Marco Ermini
                              Vodafone Technology – Information Services / ICT Security department

                              8th July, 2010




1   Presentation title in footer               Confidentiality level on title master   January 3, 2013
    Department on title master                 Version number on title master
How can this help you?
    What this is and is not about – and what it can help with


    This presentation is not about…
    > …explaining what NIPS are – but let’s be clear about what you can expect
    > …choosing a vendor/brand – but we will gain some instruments useful for that
    > …discussing if you need a NIPS or not, or which other technology do you need
    > … “off the shelf” or “vendor provided” best practices
       – you can just Google for “best practices intrusion prevention” - that will do the job!
    > I assume you need and want NIPS, or you already have NIPS, and you want to be
      aware of the top risks associated with…
       – …selection
       – …configuration
       – …deployment
       – …management

    What you are looking for are best practices to make your investment worthwhile



Who is speaking?
    This is not a bio…



    Why are you listening to me? – 1/2
    > I am supposed to know what I am talking about
    > Yes, that’s my daily job. No, I am not a trainer or something like that
    > No, this is not academia or pure science. There is hardly any here!
    > I know what the market offers. Everyone can download Snort. It’s not about that
    > I have a realistic – and holistic – view about this technology
    > Yes, I have been under real attacks. And not just once! And I am aware of risks
    > I am a customer of NIPS. I don’t sell them. I will not try to contact you and sell you
      anything 
    > Yes, this will be my personal, partial, questionable, but realistic point of view

    You are not drinking from the fountain of truth 

    (for what that matters, this never happens…)


Who is this for?
    Why do you care?



    Why are you listening to me? – 2/2
    > You are a security or network engineer, and…
       – need to be aware of the risks associated with this deployment
       – are thinking about, or need, to deploy NIPS into your networks
    > You are just curious
       – graduate student getting into the network and/or security job World
       – experienced security or network personnel trying to understand risks associated
         with NIPS



    This is meant to be an interactive presentation.

    You are welcome to share your expectation, doubts, questions!




What are the top risk categories with NIPS? 1/2
    There are both intrinsic risks and mistakes

    What are the common mistakes with NIPS?
    > They are deployed in the wrong place in the network
    > No monitoring or ineffective monitoring – no one is around who can
      access and use them when needed
    > There is no tuning – they are deployed and then forgotten
       – Are running the “suggested” or “default” rule sets from the supplier
       – No protection because of fear of false positives
       – Too aggressive protection causes false positives
       – A new one coming: thinking it is enough to send events to a SIEM
    > Are confused with NIDS (detection) – I know IDS + I know Firewalls = I
      know NIPS? Wrong…
    > Not having operational procedures for their management and set up


What are the top risk categories with NIPS? 2/2
    There are both intrinsic risks and mistakes

    What are the intrinsic risks with NIPS?
    > Thinking they are a “transparent wire” on the network – wrong: they do
      interfere with network traffic
    > They are not optimised because of a lack of knowledge and skills of
      managers/technicians/consultants
    > They are not optimised because of a lack of knowledge of the inner networks
      and applications they are defending
    > There are false expectations about the technology
       – it is assumed they are invincible and/or protect against “0-days attacks”
         or DDoS
       – you are subject to (vendors-diffused?) urban legends (“behavioural
         based”? “auto-learn”?)
       – they are deployed even when other technologies (DAM, WAF, etc.) would
         be more appropriate
    > Signature or normalisation behaviour is often not testable

Compulsory checklist for NIPS deployment
    If you don’t do that, you are doomed

    > Do not plan on the fact that they can’t be bypassed. In many cases, they will be.
       – Ever heard of “TLS/SSL”, “event horizon” and “inspect 512 bytes only”?
    > Do not plan on the fact that they cannot be detected. They often can be.
    > You need to use them in conjunction with other instruments
       – Coordination between different departments of your organisation
    > You need to update, patch the NIPS, and update their signatures
    > You need to continually follow and profile the design of your network, applications,
      business
    > They will not protect you against real 0-days or DDoS (despite what vendors say)
    > You cannot treat them as NIDS – they are a specific tool (i.e., cannot afford false
      positives)
    > You need to establish a metric and evaluate the real improvements over the overall
      security
    > You need to have operational procedures to use NIPS on the network
    > You need to enable useful signatures and test them in production
    > You need to spend money if you want a good product

    If you are not prepared for those steps, you better avoid the risk and don’t deploy
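A constructed illustration of the two bypasses hinted at in the checklist: an “inspect the first N bytes only” event horizon, and a signature split across TCP segments so that no single packet contains it. This is an added example, not code from the presentation: the signature bytes, the 512-byte depth and the two toy matchers are assumptions standing in for a real sensor’s engine.

```python
"""Two classic NIPS evasions against a toy signature engine (constructed example)."""
from typing import Iterable, List

SIGNATURE = b"/bin/sh"   # constructed: the byte pattern the rule looks for
INSPECT_DEPTH = 512      # constructed: bytes of payload a depth-limited sensor inspects


def matches_per_segment(segments: Iterable[bytes], depth: int = INSPECT_DEPTH) -> bool:
    """Naive per-packet matcher: inspects at most `depth` bytes of each segment on its own
    and never reassembles the stream. Mimics an "inspect N bytes only" setting."""
    return any(SIGNATURE in seg[:depth] for seg in segments)


def matches_reassembled(segments: Iterable[bytes], depth: int = 0) -> bool:
    """Stream-aware matcher: reassembles the TCP stream first, then inspects either the
    whole stream (depth=0, unlimited) or only its first `depth` bytes."""
    stream = b"".join(segments)
    window = stream if depth == 0 else stream[:depth]
    return SIGNATURE in window


def evasion_by_padding(pad_len: int = INSPECT_DEPTH) -> List[bytes]:
    """Attacker pushes the malicious pattern past the inspection horizon with benign filler."""
    return [b"A" * pad_len + SIGNATURE]


def evasion_by_splitting(split_at: int = 4) -> List[bytes]:
    """Attacker splits the pattern across two segments so neither carries it whole."""
    return [SIGNATURE[:split_at], SIGNATURE[split_at:]]


if __name__ == "__main__":
    for name, traffic in (("padding", evasion_by_padding()), ("splitting", evasion_by_splitting())):
        print(f"{name:9s} per-segment={matches_per_segment(traffic)} "
              f"reassembled={matches_reassembled(traffic)} "
              f"reassembled+depth={matches_reassembled(traffic, INSPECT_DEPTH)}")
```

The point to take from it: a depth limit keeps latency and CPU down, but it is also the attacker’s padding budget, and reassembly closes the splitting gap only at the cost of per-flow buffering state. Send exactly this kind of traffic through your own sensor before trusting a vendor’s claim that it “cannot be bypassed”.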
What can I have from NIPS?
    What does my company need?
    I can use NIPS for…
    > Mitigate and prevent specific attacks. For the rest, you need to integrate with other
      tools
       – Will not protect against all of the web application attacks, DDoS, malware…
       – Will protect against many – but if you want a locked down environment, you need
         to complement with other tools
       – 100% protection is not realistic, 0-days and DDoS protection are (mostly)
         marketing
    > As an effective tool for immediate reaction to threats
       – They are in-line, ready and conceived to be used to react to attacks
    > Enforce company policies
       – Security is a process, not a product (Bruce Schneier). NIPS must be part of the
         process
       – Many can do traffic shaping/policing
       – Some can communicate with NAC/NAP or firewalls
       – CISO/CSO position: job security comes first – packet loss is not an option
    > Can do tunnel inspection, stop exploits, detect anomalies and normalise traffic,
      detect scans…
    They can be an effective tool if understood and used wisely
Border deployment best practices
    Border edges of the Data Centre/border routers
    > Can be the first barrier against malware and attacks against publicly-exposed
      services
       – Cannot do miracles, generally do not inspect TLS/SSL/VPN/encrypted protocols
       – Often cannot scan inside emails – mail servers today use SMTP over TLS
       – Will only detect what is within their event horizon – or add latency (“network
         tarpiting”)
    > Better have them working in conjunction with other tools that work on the border
      routers/firewalls
       – Before or after routers/firewalls? Depends on your policies and requirements
    > They can apply traffic policing/shaping
       – Probably the best tool against P2P/Skype/etc.
    > Fine-tuning is difficult and managing it can turn into a nightmare
    > You need to pre-emptively discuss with your ISP and establish a network security
      policy
    > Evaluate the impact on performance, discuss fragmentation/flooding attacks
      with the vendor
    > Remain realistic: they will add latency and will be bypassed
Inner deployment best practices
       Protection of the services
       > They can be deployed strategically in front of an important service
          – Achieving compliance? PCI-DSS? SOX?
           – Web Application protection (HTML/JavaScript/IFRAME attacks, SQL Injection,
             XSS, …)
       > They can sit around in the network (more typical for NIDS deployment)
          – Enterprise Office network – connected with NAC/NAP and block the rogue clients
            on the switch
          – Inside a DMZ/production segment – need to create a specific profile – can hook to
            VPN concentrators
       > What is your policy?
          – I want to prevent everything that is attempted against me – deploy wide rule set
          – I want only to protect against attacks that can hit me – deploy specific rule set
       > What is the default fall-back scenario?
          – Pass-through or drop?
       > Which signatures to use? Generic, vulnerability based, exploit based?

       Again: remain focused on making them a useful tool!

Determine which signatures you want in place
     How to evaluate and tune your rule set
     > Three main kinds of signatures
       – Generic – standard pattern matching – easy to evade
         – usually shellcodes/dumb behaviour (brute force login attempts, non standard
           port usage,…)
          – often will trigger on insecure but “corporate accepted” behaviours (login as
            root,...)
          – need to tune thresholds/trigger points
        – Vulnerability (vector) based – more advanced pattern – less easy to evade, less
          prone to false positives
          – protection against a vulnerability, not an exploit
          – needs a more powerful and “smart” engine, and a performing device – network
            latency…
        – Exploit based – protection against a specific attack – trivial to evade
          – minimum false positives
          – useful for cleaning out “script kiddie” noise
     > Establish your baseline for a specific environment/sensor
     > Tune the other normalisation or behavioural parameters based on the applications
       you have
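The three signature kinds of the slide above, side by side in code on a constructed text protocol. This is an added example, not part of the presentation: the `LOGIN <username>` protocol, its 64-byte buffer, the “published exploit” bytes and the three rules are all made up to show the trade-offs the slide lists (exploit-based: precise but trivially evaded; generic: fires on accepted habits such as logging in as root; vulnerability-based: catches variants but needs a protocol parser).

```python
"""Generic, vulnerability-based and exploit-based signatures compared (constructed example)."""
import re
from typing import Callable, Dict

# Constructed target: a text protocol "LOGIN <username>\n" whose server copies the
# username into a 64-byte buffer without checking its length.
USERNAME_BUFFER = 64

# Constructed "published exploit": 80 bytes of filler, a NOP sled, then a stand-in payload.
FILLER = b"A" * 80
NOP_SLED = b"\x90" * 16
PUBLISHED_EXPLOIT = b"LOGIN " + FILLER + NOP_SLED + b"\xcc\xcc\xcc\xcc" + b"\n"


def exploit_based(payload: bytes) -> bool:
    """Exploit-based: fingerprints the exact bytes of the known exploit.
    Almost no false positives; any variation of the payload evades it."""
    return FILLER + NOP_SLED in payload


def generic(payload: bytes) -> bool:
    """Generic: dumb pattern rules. Here a NOP-sled pattern plus a "login as root" rule,
    the kind that fires on insecure-but-accepted corporate behaviour."""
    return NOP_SLED in payload or payload.startswith(b"LOGIN root\n")


def vulnerability_based(payload: bytes) -> bool:
    """Vulnerability-based: parses the protocol and checks the condition that actually
    triggers the bug (username longer than the buffer), whatever the payload bytes are.
    The cost is a protocol parser per packet, i.e. the engine power and latency the
    slide mentions."""
    m = re.match(rb"LOGIN ([^\n]*)\n", payload)
    return m is not None and len(m.group(1)) > USERNAME_BUFFER


RULES: Dict[str, Callable[[bytes], bool]] = {
    "exploit": exploit_based,
    "generic": generic,
    "vulnerability": vulnerability_based,
}


def classify(payload: bytes) -> Dict[str, bool]:
    """Which of the three rule kinds would fire on this payload."""
    return {name: rule(payload) for name, rule in RULES.items()}


# Constructed traffic to compare the rule kinds on
VARIANT_EXPLOIT = b"LOGIN " + b"B" * 80 + b"\x41\x49" * 8 + b"\xcc\xcc\xcc\xcc" + b"\n"  # other filler, re-encoded sled
ROOT_LOGIN = b"LOGIN root\n"      # insecure but "corporate accepted"
NORMAL_LOGIN = b"LOGIN alice\n"

if __name__ == "__main__":
    for label, sample in (("published exploit", PUBLISHED_EXPLOIT), ("variant exploit", VARIANT_EXPLOIT),
                          ("root login", ROOT_LOGIN), ("normal login", NORMAL_LOGIN)):
        print(f"{label:18s} {classify(sample)}")
```

Running it shows the variant exploit slipping past both the exploit-based and the generic rule while the vulnerability-based rule still catches it, and the root login tripping only the generic rule: that is the false positive you will have to tune out, or accept, in production.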
Baseline rule set tuning and deployment
       Measure security improvements (or worsening…)

       Suggestion for a best practice
       > Agree on a deployment window
          – Verify if important things are going to happen… don’t deploy before a new release
            of a software or a brand new service for the public “goes live”!
       > Monitor - for a couple of hours thereafter
          – inside the maintenance window for “immediate” issues – customer-facing services
            blocked?
       > Monitor - for a couple of days thereafter
          – for “slow on-set” issues – administrative access, less often used services
       > Have a roll-back plan available – for the maintenance window and “slow on-set”
         issues
       > Create a periodic report over the differences within the baseline
          – Intelligence reports are preferred by CISO/CSO – but you need a tool to specify
          – If you prefer: a report about attacks mitigated/prevented/observed
       > Make the report visible to the upper management

       Something changes in the service/network? Repeat the process!
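A minimal version of the baseline comparison described in the slide above, as an added example that is not from the presentation. The event line format, sensor name, signature names and the set of customer-facing destinations are constructed; a real deployment would read these from the sensor’s syslog feed or management console. It compares a detection-only baseline window with the first post-deployment window and flags what the “monitor for a couple of hours/days” step is meant to catch.

```python
"""Baseline vs. post-deployment comparison of NIPS events (constructed example)."""
import re
from collections import Counter
from typing import Dict, List

# Constructed event format: one line per NIPS event, as a sensor might syslog them.
EVENT_RE = re.compile(
    r'^(?P<ts>\S+) sensor=(?P<sensor>\S+) sig="(?P<sig>[^"]+)" '
    r'action=(?P<action>alert|drop) src=(?P<src>\S+) dst=(?P<dst>\S+)$'
)

# Constructed: customer-facing destinations; a first-time drop here is the "immediate issue".
CUSTOMER_FACING = {"10.0.1.20:443", "10.0.1.21:443"}

# Constructed baseline window: sensor in detection-only mode before the new rule set.
BASELINE_LOG = """
2010-07-08T09:00:01 sensor=dc-edge-1 sig="SQLi UNION SELECT" action=alert src=203.0.113.7:51000 dst=10.0.1.20:443
2010-07-08T09:05:12 sensor=dc-edge-1 sig="SQLi UNION SELECT" action=alert src=203.0.113.7:51004 dst=10.0.1.20:443
2010-07-08T09:10:44 sensor=dc-edge-1 sig="SSH brute force" action=alert src=198.51.100.9:40022 dst=10.0.5.10:22
2010-07-08T09:20:03 sensor=dc-edge-1 sig="Shellcode NOP sled" action=alert src=198.51.100.3:33010 dst=10.0.1.21:443
""".strip().splitlines()

# Constructed post-deployment window: same sensor, new rule set, blocking enabled.
POST_LOG = """
2010-07-08T21:00:09 sensor=dc-edge-1 sig="SQLi UNION SELECT" action=drop src=203.0.113.7:51200 dst=10.0.1.20:443
2010-07-08T21:02:31 sensor=dc-edge-1 sig="SQLi UNION SELECT" action=drop src=203.0.113.8:51201 dst=10.0.1.20:443
2010-07-08T21:03:15 sensor=dc-edge-1 sig="HTTP non-RFC header" action=drop src=192.0.2.40:44010 dst=10.0.1.20:443
2010-07-08T21:03:16 sensor=dc-edge-1 sig="HTTP non-RFC header" action=drop src=192.0.2.41:44011 dst=10.0.1.20:443
2010-07-08T21:03:18 sensor=dc-edge-1 sig="HTTP non-RFC header" action=drop src=192.0.2.42:44012 dst=10.0.1.20:443
2010-07-08T21:10:00 sensor=dc-edge-1 sig="SSH brute force" action=drop src=198.51.100.9:40100 dst=10.0.5.10:22
2010-07-08T21:10:05 sensor=dc-edge-1 sig="SSH brute force" action=drop src=198.51.100.9:40101 dst=10.0.5.10:22
2010-07-08T21:10:09 sensor=dc-edge-1 sig="SSH brute force" action=drop src=198.51.100.9:40102 dst=10.0.5.10:22
2010-07-08T21:10:14 sensor=dc-edge-1 sig="SSH brute force" action=drop src=198.51.100.9:40103 dst=10.0.5.10:22
2010-07-08T21:30:00 sensor=dc-edge-1 sig="Shellcode NOP sled" action=drop src=198.51.100.3:33100 dst=10.0.1.21:443
""".strip().splitlines()


def parse(lines: List[str]) -> List[Dict[str, str]]:
    """Parse event lines; malformed lines are skipped rather than crashing the report."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def counts_by_signature(events: List[Dict[str, str]]) -> Counter:
    return Counter(e["sig"] for e in events)


def compare(baseline_lines: List[str], post_lines: List[str], spike_factor: float = 3.0) -> Dict[str, list]:
    base = counts_by_signature(parse(baseline_lines))
    post_events = parse(post_lines)
    post = counts_by_signature(post_events)

    # 1. Signatures never seen in the baseline that now drop traffic to customer-facing
    #    services: prime suspects for a false positive that is blocking real users.
    new_customer_facing_drops = sorted({
        (e["sig"], e["dst"]) for e in post_events
        if e["action"] == "drop" and e["dst"] in CUSTOMER_FACING and base[e["sig"]] == 0
    })
    # 2. Signatures whose volume rose by spike_factor or more (a baseline of 0 counts as 1,
    #    so a brand-new signature is a spike too).
    spikes = sorted(sig for sig, n in post.items() if n >= spike_factor * max(base[sig], 1))
    # 3. Plain per-signature deltas (signature, baseline count, post count) for the periodic report.
    deltas = sorted((sig, base[sig], post[sig]) for sig in set(base) | set(post))
    return {"new_customer_facing_drops": new_customer_facing_drops, "spikes": spikes, "deltas": deltas}


if __name__ == "__main__":
    report = compare(BASELINE_LOG, POST_LOG)
    for key, rows in report.items():
        print(key)
        for row in rows:
            print("   ", row)
```

Run it once inside the maintenance window and again a few days later against the accumulated events; the “slow on-set” issues the slide mentions are exactly the signatures that appear in `new_customer_facing_drops` only in the second run. The `deltas` list is the raw material for the report to management; translate signature names into what was protected before showing it to them.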
Monitoring
       Don’t forget them!


       > Monitor against profiles/rule sets that are useful
          – You need to have a network diagram/map of your networks and services
          – You need to profile
              – the services you are protecting
              – the traffic of your networks
          – After this, you need then to tailor your rule sets again and repeat the process
       > Attention to outsourced managed SOCs: some use statistical tools on which I have
         concerns
       > There is no magic wand, or bayesian-behavioural-self adapting etc. – this is
         marketing
       > You need correlation with other tools – anti viruses, firewalls, NIDS, network
         scanners…
       > You need to have personnel monitoring 24X7X365 that can also access and know
         how to use the NIPS, and processes and procedures to act in case of incident

       Again: remain focused on making them a useful tool!
Measure effectiveness
       Because you have to renew your contracts sooner or later 


       > How did they behave under attack?
          – Have they detected it at all?
          – Have they been useful in mitigating it?
          – Were they manageable under attack?
       > Peer with other NIPS customers
          – Different companies, also from different market segments
       > Do not blindly believe the vendors. Use basic math.
       > Be paranoid
       > Finally: create reports that are readable
          – Your management doesn’t understand a bunch of IP addresses and the signature
            names


       Again: remain focused on making them a useful tool!


Correlation and SOC
       Effective security 24X7X365


       Some best practices
       > Do not import all of your events into your SEM/SIM tool
          – Often you just overwhelm it, even with NIPS
           – Do not work “statistically”, blind to your network architecture and
             applications
       > The policies/rule sets you deployed on the NIPS have an impact on what you get!
          – Sometimes you pay the SEM/SIM license or the outsourced SOC by the number
            of events you are sending them!
       > Does the SOC (either out-sourced or in-sourced) have access to the NIPS?
          – Have you defined a user management for the NIPS?
          – What about operational procedures?
          – What about technical skills of the personnel?
       > Forensic importance – but balance with event database’s growth and disk space

       Again and again: remain focused on making them a useful tool!

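One way to avoid importing every NIPS event into the SEM/SIM (and paying for it per event, as the slide warns): aggregate on the collector and forward summaries. This is an added example, not from the presentation; the event format and the sample scan/brute-force events are constructed, and the (signature, action, source IP) aggregation key is one choice among many, picked here because a port scan and a brute force each collapse into a single record under it.

```python
"""Pre-aggregate NIPS events before forwarding them to a SEM/SIM (constructed example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed event format; the source port is parsed away because it is not part of the key.
EVENT_RE = re.compile(
    r'^(?P<ts>\S+) sensor=(?P<sensor>\S+) sig="(?P<sig>[^"]+)" '
    r'action=(?P<action>alert|drop) src=(?P<src>[\d.]+):\d+ dst=(?P<dst>\S+)$'
)

# Constructed raw feed: a port scan and a brute force produce many near-identical events.
RAW_EVENTS = """
2010-07-08T10:00:00 sensor=dc-edge-1 sig="TCP port scan" action=alert src=198.51.100.9:40001 dst=10.0.1.20:22
2010-07-08T10:00:00 sensor=dc-edge-1 sig="TCP port scan" action=alert src=198.51.100.9:40002 dst=10.0.1.20:23
2010-07-08T10:00:01 sensor=dc-edge-1 sig="TCP port scan" action=alert src=198.51.100.9:40003 dst=10.0.1.20:25
2010-07-08T10:00:01 sensor=dc-edge-1 sig="TCP port scan" action=alert src=198.51.100.9:40004 dst=10.0.1.20:80
2010-07-08T10:01:10 sensor=dc-edge-1 sig="SSH brute force" action=drop src=198.51.100.9:40100 dst=10.0.5.10:22
2010-07-08T10:01:12 sensor=dc-edge-1 sig="SSH brute force" action=drop src=198.51.100.9:40101 dst=10.0.5.10:22
2010-07-08T10:01:15 sensor=dc-edge-1 sig="SSH brute force" action=drop src=198.51.100.9:40102 dst=10.0.5.10:22
2010-07-08T10:02:00 sensor=dc-edge-1 sig="SQLi UNION SELECT" action=drop src=203.0.113.7:51200 dst=10.0.1.20:443
""".strip().splitlines()


@dataclass
class Summary:
    """One forwarded record standing in for N raw events."""
    sig: str
    action: str
    src: str
    count: int = 0
    first_seen: str = ""
    last_seen: str = ""
    dsts: set = field(default_factory=set)


def aggregate(lines: List[str]) -> List[Summary]:
    """Collapse events sharing (signature, action, source IP) into one summary each.
    The destinations of a scan end up as a set inside one record instead of N records."""
    summaries: Dict[Tuple[str, str, str], Summary] = {}
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than break the forwarder
        e = m.groupdict()
        key = (e["sig"], e["action"], e["src"])
        s = summaries.setdefault(key, Summary(e["sig"], e["action"], e["src"]))
        s.count += 1
        s.first_seen = s.first_seen or e["ts"]
        s.last_seen = e["ts"]
        s.dsts.add(e["dst"])
    # Blocks first, then highest volume first: the order in which the SOC needs to act
    return sorted(summaries.values(), key=lambda s: (s.action != "drop", -s.count))


def reduction(lines: List[str]) -> Tuple[int, int]:
    """(raw events, forwarded records): the second number is what the SIEM licence is billed on."""
    return len(lines), len(aggregate(lines))


if __name__ == "__main__":
    for s in aggregate(RAW_EVENTS):
        print(f"{s.action:5s} x{s.count:<3d} {s.sig:20s} from {s.src} to {sorted(s.dsts)} "
              f"between {s.first_seen} and {s.last_seen}")
    print("raw/forwarded:", reduction(RAW_EVENTS))
```

The trade-off to state explicitly when you deploy something like this: the summaries are what the SOC sees, so the raw events still have to be retained on the sensor or collector for forensics, with the disk-space budget the slide mentions, and the SOC must have access to both.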
Thank you.
                               Any question?





Published on SlideShare as “Top risks in using NIPS - Brighttalk - July 2010”.
313 – Security Challenges in Healthcare IoT - ME313 – Security Challenges in Healthcare IoT - ME
313 – Security Challenges in Healthcare IoT - ME
EQS Group
 

More from EQS Group (6)

Blockchain: everyone wants to sell me that - but is that really right for my ...
Blockchain: everyone wants to sell me that - but is that really right for my ...Blockchain: everyone wants to sell me that - but is that really right for my ...
Blockchain: everyone wants to sell me that - but is that really right for my ...
 
Impact of GDPR on Third Party and M&A Security
Impact of GDPR on Third Party and M&A SecurityImpact of GDPR on Third Party and M&A Security
Impact of GDPR on Third Party and M&A Security
 
Mergers & Acquisitions security - (ISC)2 Secure Summit DACH
Mergers & Acquisitions security - (ISC)2 Secure Summit DACHMergers & Acquisitions security - (ISC)2 Secure Summit DACH
Mergers & Acquisitions security - (ISC)2 Secure Summit DACH
 
M&A security - E-crime Congress 2017
M&A security - E-crime Congress 2017M&A security - E-crime Congress 2017
M&A security - E-crime Congress 2017
 
Architecting Security across global networks
Architecting Security across global networksArchitecting Security across global networks
Architecting Security across global networks
 
313 – Security Challenges in Healthcare IoT - ME
313 – Security Challenges in Healthcare IoT - ME313 – Security Challenges in Healthcare IoT - ME
313 – Security Challenges in Healthcare IoT - ME
 

Top risks in using NIPS - Brighttalk - July 2010

  • 1. Top risks associated in implementing Network Intrusion Prevention Systems
    Marco Ermini
    Vodafone Technology – Information Services / ICT Security department
    8th July, 2010
    1 Presentation title in footer Confidentiality level on title master January 3, 2013 Department on title master Version number on title master
  • 2. How can this help you? What this is and is not about – but it can help with that
    This presentation is not about…
    > …explaining what NIPS are – but let’s be clear about what you can expect
    > …choosing a vendor/brand – but we will gain some instruments useful for that
    > …discussing if you need a NIPS or not, or which other technology you need
    > …“off the shelf” or “vendor provided” best practices
      – you can just Google for “best practices intrusion prevention” – that will do the job!
    > I assume you need and want NIPS, or you already have NIPS, and you want to be aware of the top risks associated with…
      – …selection
      – …configuration
      – …deployment
      – …management
    What you are looking for are best practices that make your investment worth it
  • 3. Who is speaking? This is not a bio…
    Why are you listening to me? – 1/2
    > I am supposed to know what I am talking about
    > Yes, that’s my daily job. No, I am not a trainer or something like that
    > No, this is not academia or pure science. There is hardly any of that here!
    > I know what the market offers. Everyone can download Snort. It’s not about that
    > I have a realistic – and holistic – view about this technology
    > Yes, I have been under real attacks. And not just once! And I am aware of risks
    > I am a customer of NIPS. I don’t sell them. I will not try to contact you and sell you anything
    > Yes, this will be my personal, partial, questionable, but realistic point of view
    You are not drinking from the fountain of truth (for what that matters, this never happens…)
  • 4. Who is this for? Why do you care?
    Why are you listening to me? – 2/2
    > You are a security or network engineer, and…
      – need to be aware of the risks associated with this deployment
      – are thinking about/need to deploy NIPS into your networks
    > You are just curious
      – graduate student getting into the network and/or security job world
      – experienced security or network personnel trying to understand the risks associated with NIPS
    This is meant to be an interactive presentation. You are welcome to share your expectations, doubts, questions!
  • 5. What are the top risk categories with NIPS? 1/2 – There are both intrinsic risks and mistakes
    What are the common mistakes with NIPS?
    > They are deployed in the wrong place in the network
    > No monitoring or ineffective monitoring – no one is around who can access and use them when it is needed
    > There is no tuning – they are deployed and then forgotten
      – They are running the “suggested” or “default” rule sets from the supplier
      – No protection because of fear of false positives
      – Too aggressive protection causes false positives
      – A new one coming: thinking it is enough to send events to a SIEM
    > They are confused with NIDS (detection)
      – I know IDS + I know Firewalls = I know NIPS? Wrong…
    > Not having operational procedures for their management and set-up
  • 6. What are the top risk categories with NIPS? 2/2 – There are both intrinsic risks and mistakes
    What are the intrinsic risks with NIPS?
    > Thinking they are a “transparent wire” on the network – wrong: they do interfere with network traffic
    > They are not optimised because of lack of knowledge and skills of managers/technicians/consultants
    > They are not optimised because of lack of knowledge of the inner networks and applications they are defending
    > There are false expectations about the technology
      – it is assumed they are invincible and/or protect against “0-day attacks” or DDoS
      – you are subject to (vendor-diffused?) urban legends (“behavioural based”? “auto-learn”?)
      – they are deployed even when other technologies (DAM, WAF, etc.) would be more appropriate
    > Signature or normalisation behaviour is often not testable
  • 7. Compulsory checklist for NIPS deployment – If you don’t do that, you are doomed
    > Do not plan on the fact that they can’t be bypassed. In many cases, they will be.
      – Ever heard of “TLS/SSL”, “event horizon” and “inspect 512 bytes only”?
    > Do not plan on the fact that they cannot be detected. They often can be.
    > You need to use them in conjunction with other instruments
      – Coordination between different departments of your organisation
    > You need to update and patch the NIPS, and update their signatures
    > You need to continually follow and profile the design of your network, applications, business
    > They will not protect you against real 0-days or DDoS (despite what vendors say)
    > You cannot treat them as NIDS – they are a specific tool (i.e., they cannot afford false positives)
    > You need to establish a metric and evaluate the real improvements to the overall security
    > You need to have operational procedures to use NIPS on the network
    > You need to enable useful signatures and test them in production
    > You need to spend money if you want a good product
    If you are not prepared for those steps, you had better avoid the risk and not deploy
  • 8. What can I have from NIPS? What does my company need?
    I can use NIPS for…
    > Mitigating and preventing specific attacks. For the rest, you need to integrate with other tools
      – Will not protect against all of the web application attacks, DDoS, malware…
      – Will protect against many – but if you want a locked-down environment, you need to complement them with other tools
      – 100% protection is not realistic; 0-day and DDoS protection are (mostly) marketing
    > An effective tool for immediate reaction to threats
      – They are in-line, ready and conceived to be used to react to attacks
    > Enforcing company policies
      – Security is a process, not a product (Bruce Schneier). NIPS must be part of the process
      – Many can do traffic shaping/policing
      – Some can communicate with NAC/NAP or firewalls
      – CISO/CSO position: job security comes first – packet loss is not an option
    > They can do tunnel inspection, stop exploits, detect anomalies and normalise traffic, detect scans…
    They can be an effective tool if understood and used wisely
  • 9. Border deployment best practices – Border edges of the Data Centre/border routers
    > Can be the first barrier against malware and attacks against publicly-exposed services
      – Cannot do miracles; generally do not inspect TLS/SSL/VPN/encrypted protocols
      – Often cannot scan inside emails – mail servers today use SMTP over TLS
      – Will only detect what is in their event horizon – or add latency (“network tarpitting”)
    > Better have them working in conjunction with other tools that work on the border routers/firewalls
      – Before or after routers/firewalls? Depends on your policies and requirements
    > They can apply traffic policing/shaping
      – Probably the best tool against P2P/Skype/etc.
    > Fine-tuning is difficult and managing it can turn into a nightmare
    > You need to pre-emptively discuss with your ISP and establish a network security policy
    > Evaluate the impact on performance; discuss fragmentation/flooding attacks with the vendor
    > Remain realistic: they will add latency and will be bypassed
  • 10. Inner deployment best practices – Protection of the services
    > They can be deployed strategically in front of an important service
      – Achieving compliance? PCI-DSS? SOX?
      – Web application protection (HTML/JavaScript/IFRAME attacks, SQL Injection, CSS, …)
    > They can sit around in the network (more typical for a NIDS deployment)
      – Enterprise office network – connected with NAC/NAP to block rogue clients on the switch
      – Inside a DMZ/production segment – need to create a specific profile – can hook to VPN concentrators
    > What is your policy?
      – I want to prevent everything that is attempted against me – deploy a wide rule set
      – I want only to protect against attacks that can hit me – deploy a specific rule set
    > What is the default fall-back scenario?
      – Pass-through or drop?
    > Which signatures to use? Generic, vulnerability based, exploit based?
    Again: remain focused on making them a useful tool!
  • 11. Determine which signatures you want in place – How to evaluate and tune your rule set
    > Three main kinds of signatures
      – Generic – standard pattern matching
        – easy to evade
        – usually shellcodes/dumb behaviour (brute-force login attempts, non-standard port usage, …)
        – often will trigger on insecure but “corporate accepted” behaviours (login as root, …)
        – need to tune thresholds/trigger points
      – Vector based – more advanced pattern
        – less easy to evade, less prone to false positives
        – protection against a vulnerability, not an exploit
        – needs a more powerful and “smart” engine, and a performing device – network latency…
      – Exploit based – protection against a specific attack
        – trivial to evade
        – minimum false positives
        – link cleaning against “script kiddies”
    > Establish your baseline for a specific environment/sensor
    > Tune the other normalisation or behavioural parameters based on the applications you have
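The three signature kinds on this slide differ in what the engine actually looks at, and that is easier to see in code than in bullets. The following is an added example, not part of the deck and not any vendor's engine: a toy inspector with one rule of each kind, run over constructed HTTP requests. The NOP-sled pattern, the 512-byte header limit (standing in for a hypothetical vulnerable server buffer) and the `EXAMPLE-EXPLOIT-KIT/1.0` marker are all assumptions made up for the illustration.

```python
import re
from dataclasses import dataclass

# Hypothetical limit of the protected server's header parser. A vulnerability
# (vector) based rule keys on this condition, not on any particular exploit bytes.
MAX_HEADER_VALUE = 512

@dataclass
class Alert:
    kind: str    # "generic", "vulnerability" or "exploit"
    rule: str
    detail: str

# Generic signature: pattern matching on the raw payload. A long run of 0x90
# bytes is the classic "NOP sled" pattern the slide mentions; it is cheap to
# check, and just as cheap for an attacker to vary, hence "easy to evade".
NOP_SLED = re.compile(rb"\x90{32,}")

def generic_rules(payload: bytes) -> list:
    if NOP_SLED.search(payload):
        return [Alert("generic", "nop-sled", "run of 32 or more NOP bytes")]
    return []

# Vulnerability (vector) based: the engine must parse the protocol first, then
# flag the condition that would hit the weakness (here: an oversized header).
def parse_headers(payload: bytes) -> dict:
    head = payload.partition(b"\r\n\r\n")[0]
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def vulnerability_rules(payload: bytes) -> list:
    alerts = []
    for name, value in parse_headers(payload).items():
        if len(value) > MAX_HEADER_VALUE:
            alerts.append(Alert("vulnerability", "oversized-header",
                                f"{name.decode(errors='replace')} is {len(value)} bytes"))
    return alerts

# Exploit based: a literal fingerprint of one specific tool or payload.
# The marker below is constructed for this example, not taken from any real exploit.
KNOWN_TOOL_MARKER = b"EXAMPLE-EXPLOIT-KIT/1.0"

def exploit_rules(payload: bytes) -> list:
    if KNOWN_TOOL_MARKER in payload:
        return [Alert("exploit", "known-exploit-kit", "literal marker matched")]
    return []

def inspect(payload: bytes) -> list:
    return generic_rules(payload) + vulnerability_rules(payload) + exploit_rules(payload)

def kinds_triggered(payload: bytes) -> set:
    return {a.kind for a in inspect(payload)}

# Constructed sample requests (not captures of real traffic).
def request(extra_header: bytes) -> bytes:
    return b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\n" + extra_header + b"\r\n\r\n"

SAMPLES = {
    "benign":        request(b"User-Agent: curl/7.58.0"),
    "nop_sled":      request(b"X-Data: " + b"\x90" * 64),
    "long_header":   request(b"User-Agent: " + b"A" * 600),
    "known_exploit": request(b"User-Agent: " + KNOWN_TOOL_MARKER + b" " + b"B" * 600),
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:14s} -> {sorted(kinds_triggered(payload)) or '-'}")
```

Running it shows the trade-off the slide describes: the generic rule fires only on the literal byte pattern, the exploit rule only on the one known marker, while the vulnerability-based rule catches both the known tool and the unknown oversized header because it checks the condition rather than the payload. It is also the only one that needed a protocol parser, which is the "more powerful engine" cost.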
  • 12. Baseline rule set tuning and deployment – Measure security improvements (or worsening…)
    Suggestion for a best practice
    > Agree on a deployment window
      – Verify if important things are going to happen… don’t deploy before a new release of a software or a brand new service for the public “goes live”!
    > Monitor for a couple of hours thereafter – inside the maintenance window – for “immediate” issues
      – customer-facing services blocked?
    > Monitor for a couple of days thereafter – for “slow on-set” issues
      – administrative access, less often used services
    > Have a roll-back plan available – for the maintenance window and for “slow on-set” issues
    > Create a periodic report on the differences from the baseline
      – Intelligence reports are preferred by the CISO/CSO – but you need a tool to specify them
      – If you prefer: a report about attacks mitigated/prevented/observed
    > Make the report visible to upper management
    Something changes in the service/network? Repeat the process!
  • 13. Monitoring – Don’t forget them!
    > Monitor against profiles/rule sets that are useful
      – You need to have a network diagram/map of your networks and services
      – You need to profile
        – the services you are protecting
        – the traffic of your networks
      – After this, you then need to tailor your rule sets again and repeat the process
    > Attention to outsourced managed SOCs: some use statistical tools about which I have concerns
    > There is no magic wand, or Bayesian-behavioural-self-adapting etc. – this is marketing
    > You need correlation with other tools – anti-virus, firewalls, NIDS, network scanners…
    > You need to have personnel monitoring 24x7x365 who can also access and know how to use the NIPS, and processes and procedures to act in case of incident
    Again: remain focused on making them a useful tool!
  • 14. Measure effectiveness – Because you have to renew your contracts sooner or later
    > How did they behave under attack?
      – Have they detected it at all?
      – Have they been useful in mitigating it?
      – Were they manageable under attack?
    > Peer with other NIPS customers
      – Different companies, also from different market segments
    > Do not blindly believe the vendors. Use basic maths.
    > Be paranoid
    > Finally: create reports that are readable
      – Your management doesn’t understand a bunch of IP addresses and signature names
    Again: remain focused on making them a useful tool!
  • 15. Correlation and SOC – Effective security 24x7x365
    Some best practices
    > Do not import all of your events into your SEM/SIM tool
      – Often you just overwhelm it, even with NIPS
      – Do not work “statistically” and blindly, ignoring your network architecture and applications
    > The policies/rule sets you deployed on the NIPS have an impact on what you get!
      – Sometimes you pay the SEM/SIM licence or the outsourced SOC by the number of events you are sending them!
    > Does the SOC (either out-sourced or in-sourced) have access to the NIPS?
      – Have you defined user management for the NIPS?
      – What about operational procedures?
      – What about the technical skills of the personnel?
    > Forensic importance – but balance it with the event database’s growth and disk space
    Again and again: remain focused on making them a useful tool!
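Slides 12, 14 and 15 describe one loop: compare the hits of each signature against the baseline after a rule-set change, forward only what the SEM/SIM actually needs, and report to management in words rather than IP addresses. The block below is an added example of that loop, not a tool from the deck or from any vendor. The `timestamp key=value` log format, the two one-week windows, the 3x "spike" threshold and the 10.0.0.0/8 internal range are all constructed assumptions; a real deployment would read the sensor's own export format instead.

```python
import ipaddress
from collections import Counter

# Hypothetical review threshold: a signature whose hit count reaches 3x its
# baseline count gets flagged for a look (candidate false positives).
SPIKE_FACTOR = 3.0
# Constructed internal address space; blocked sources inside it are the
# "customer-facing services blocked?" question from slide 12.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed event lines in a simple 'timestamp key=value ...' format (not any
# vendor's real log format): the baseline week, then the week after a rule-set
# change on sensor dmz-1.
BASELINE_LOG = """\
2010-06-28T09:12:04 sensor=dmz-1 sig=sql-injection-generic action=drop src=203.0.113.7 dst=10.9.0.5
2010-06-28T09:14:11 sensor=dmz-1 sig=sql-injection-generic action=drop src=203.0.113.9 dst=10.9.0.5
2010-06-28T10:02:45 sensor=dmz-1 sig=http-long-header action=alert src=198.51.100.4 dst=10.9.0.5
2010-06-29T11:30:00 sensor=dmz-1 sig=portscan-threshold action=alert src=198.51.100.20 dst=10.9.0.1
2010-06-30T08:00:10 sensor=dmz-1 sig=smtp-tarpit action=alert src=203.0.113.40 dst=10.9.0.25
"""
CURRENT_LOG = """\
2010-07-09T09:01:04 sensor=dmz-1 sig=sql-injection-generic action=drop src=203.0.113.7 dst=10.9.0.5
2010-07-09T09:05:11 sensor=dmz-1 sig=sql-injection-generic action=drop src=203.0.113.9 dst=10.9.0.5
2010-07-09T09:09:30 sensor=dmz-1 sig=http-long-header action=drop src=10.1.4.17 dst=10.9.0.5
2010-07-09T09:09:31 sensor=dmz-1 sig=http-long-header action=drop src=10.1.4.17 dst=10.9.0.5
2010-07-09T09:09:32 sensor=dmz-1 sig=http-long-header action=drop src=10.1.4.18 dst=10.9.0.5
2010-07-09T09:09:33 sensor=dmz-1 sig=http-long-header action=drop src=10.1.4.18 dst=10.9.0.5
2010-07-09T09:09:34 sensor=dmz-1 sig=http-long-header action=drop src=10.1.4.19 dst=10.9.0.5
2010-07-09T09:09:35 sensor=dmz-1 sig=http-long-header action=drop src=10.1.4.19 dst=10.9.0.5
2010-07-10T12:00:00 sensor=dmz-1 sig=portscan-threshold action=alert src=198.51.100.21 dst=10.9.0.1
2010-07-10T12:05:00 sensor=dmz-1 sig=icmp-echo-anomaly action=alert src=198.51.100.22 dst=10.9.0.1
"""

def parse_events(text: str) -> list:
    """Turn the constructed log text into a list of dicts, one per event."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = {"ts": ts}
        for f in fields:
            key, _, value = f.partition("=")
            ev[key] = value
        events.append(ev)
    return events

def count_by_signature(events: list) -> Counter:
    return Counter(ev["sig"] for ev in events)

def baseline_diff(baseline: list, current: list, factor: float = SPIKE_FACTOR) -> dict:
    """Per signature: (baseline hits, current hits, flag)."""
    before, after = count_by_signature(baseline), count_by_signature(current)
    result = {}
    for sig in sorted(set(before) | set(after)):
        b, a = before[sig], after[sig]
        if b == 0:
            flag = "new"         # never seen in the baseline window
        elif a == 0:
            flag = "silent"      # rule disabled, or did the traffic change?
        elif a >= factor * b:
            flag = "spike"       # candidate false positive after the change
        else:
            flag = "stable"
        result[sig] = (b, a, flag)
    return result

def forward_to_siem(events: list, watchlist: frozenset = frozenset()) -> list:
    """Forward blocked events plus alert-only events on a watchlist (slide 15)."""
    return [ev for ev in events if ev["action"] == "drop" or ev["sig"] in watchlist]

def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def management_summary(current: list, diff: dict) -> list:
    """Three readable lines instead of IP addresses and signature names (slide 14)."""
    blocked = [ev for ev in current if ev["action"] == "drop"]
    observed = len(current) - len(blocked)
    internal_blocked = sum(1 for ev in blocked if is_internal(ev["src"]))
    review = [sig for sig, (_, _, flag) in diff.items() if flag != "stable"]
    return [
        f"Attacks blocked: {len(blocked)} (of which {internal_blocked} from internal "
        f"addresses: check for false positives)",
        f"Suspicious traffic observed but not blocked: {observed}",
        f"Signatures whose behaviour changed since the baseline: {', '.join(review)}",
    ]

if __name__ == "__main__":
    base, cur = parse_events(BASELINE_LOG), parse_events(CURRENT_LOG)
    diff = baseline_diff(base, cur)
    for sig, (b, a, flag) in diff.items():
        print(f"{sig:24s} baseline={b:2d} current={a:2d} {flag}")
    kept = forward_to_siem(cur, frozenset({"portscan-threshold"}))
    print(f"{len(kept)} of {len(cur)} events forwarded to the SEM/SIM")
    print("\n".join(management_summary(cur, diff)))
```

On the constructed data the `http-long-header` signature jumps from one alert to six drops, all from internal 10.1.4.x clients, which is exactly the "slow on-set" false positive the maintenance-window monitoring is meant to catch; `smtp-tarpit` going silent is the opposite question (was the rule lost in the change?). The forwarding filter keeps blocked events and a short watchlist, so the event-count-based licence of slide 15 is driven by policy rather than by whatever the sensor happens to log.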
  • 16. Thank you. Any questions?

Editor's Notes

  1. - Monitoring – Security Operation Centre
     - Tuning – avoid false positives. If they are enabled, they are ignored because of too many false positives
     - NIDS are born to report, NIPS are born to kill. NIDS in paranoid mode cause many false positives; NIPS kill the network or your event DB
     - NIPS add latency and false positives
     - NIPS interfere with the traffic – because of the way they are deployed, tarpitting for SMTP and HTTP checks, RST sent to close connections and free resources, bandwidth shaping – they can also be detected, for instance through fragment identification number (IP ID), window size, ISN or TTL changes, multicast/broadcast sensitivity
  2. - Monitoring – Security Operation Centre
     - Tuning – avoid false positives. If they are enabled, they are ignored because of too many false positives
     - NIDS are born to report, NIPS are born to kill. NIDS in paranoid mode cause many false positives; NIPS kill the network or your event DB
     - NIPS add latency and false positives
     - NIPS interfere with the traffic – because of the way they are deployed, tarpitting for SMTP and HTTP checks, RST sent to close connections and free resources, bandwidth shaping – they can also be detected, for instance through fragment identification number (IP ID), window size, ISN or TTL changes, multicast/broadcast sensitivity
  3. - Coordination with firewall teams
     - Latency calculations
     - NIPS can be detected because they interfere with the traffic – because of the way they are deployed, tarpitting for SMTP and HTTP checks, RST sent to close connections and free resources, bandwidth shaping, or through fragment identification number (IP ID), window size, ISN or TTL changes, multicast/broadcast sensitivity
     - HW costs: FPGAs/ASICs are expensive, multi-core technology is very useful, network processors
  4. - Communicating with firewalls – bad idea
     - The detection mechanism should be at around 90% to optimise for traffic speed/minimum latency
     - DDoS vs flash crowd
     - ISN generation for SYN cookies for DoS protection – limited capabilities – the firewall is a more adequate place
     - Security is a process, but you still need a brain
  5. - Performance impact: latency – VoIP cannot afford it; the NIPS will inspect the whole HTTP session and delay the last packet (fragmentation?)
     - Fragmentation and SYN attacks – flooding attacks: incomplete handshakes, pending established sessions, smurf (reflection), anomalies, incorrect values and checksums, fragmentation – trivial techniques, but difficult to respond to, especially on asymmetric traffic and in a stateful way
     - Consider bypass switches for deployment
     - Fine tuning is possible when protecting a few similar services, almost impossible for hundreds/thousands of servers, rarely possible for each network parameter, and must be checked against every new patch/upgrade
  6. - Consider bypass switches
     - Three kinds of signatures – generic (detect standard patterns, basic behavioural), vulnerability (vector) based, exploit based (most accurate)
  7. - How to measure security improvements (or worsening)
     - Three kinds of signatures – generic (NULL/NOP sleds, thresholds/trigger tuning), vulnerability (vector) based, exploit based (most accurate)
  8. - How to measure security improvements (or worsening)
     - Three kinds of signatures – generic (basic behavioural), vulnerability (vector) based, exploit based (most accurate)
  9. - Statistical tools on NIPS events are worthless if they are not correlated with the actual services in place – you need to have a network and services map
     - Security concern of letting security events go out of the company
  10. - SEM/SIM tools have no forensic relevance, but the policies deployed determine whether the payload is saved in the event DB