Intrusion Detection and Prevention in Telecommunications Networks

Transcription

1 Intrusion Detection and Prevention in Telecommunications Networks Tietoturvatapahtuma 2010, Helsinki February 11 Gabriel Waller, Head of Product Security Nokia Siemens Networks For Tietoturvatapahtuma usage 1 Nokia Siemens Networks/ G Waller

2 Intrusion Detection and Prevention in Telecommunications Networks Security assets and objectives of Network Operators to protect their networks from hackers, criminal assault, espionage, etc. Intrusion Detection and Prevention Systems (IDPS) Categories, methods, tasks My network is my castle addressing threats with existing solutions Feasibility, pros and cons Recommendations to keep telecommunications networks safe For Tietoturvatapahtuma usage 2 Nokia Siemens Networks

3 Generic operator network architecture Network Security Design User Network Gateway AAA System Legal Interception Subscriber Data Payment Application Server Network Internet Gateway Internet End Users Data to be protected Stored (subscriber data, payment data, customer base) Transmitted (service requests, service responses, calls) IT network knowledge, security measures Legal interception data Architectural elements to be protected AAA (exposed) Data storage (can compromise stored data) Operator services (not vital, but numerous) Gateways (can compromise transmitted data) 3 Nokia Siemens Networks

4 Reconnaissance Eg. port scans internal or external Potential security problems in operator networks Acquisition transmitted data (eavesdropping) stored data (data theft) systems (vulnerabilities, backdoors) abuse of insider access Modification communication parties (impersonation) communication protocols (interception evasion) communication data (man-in-the-middle) stored data (forgery, destruction) Denial of service (DoS) Network DoS (saturation), targeted DoS (flood, exploit) system DoS (exploiting vulnerabilities, backdoors) Hardening alone is not enough zero day exploit new types of attacks For Tietoturvatapahtuma usage 4 Nokia Siemens Networks

5 Intrusion Detection and Prevention Systems (IDPS) Definitions Intrusion Incident Response IDS, IPS, IDPS Fail-Open, Fail-Closed Advantages Extra layer of protection Doesn t need extensive integration Reliable analysis of insecure systems Disadvantages Extra layer of complexity Relative high number of false positives False sense of security 5 Nokia Siemens Networks

6 Intrusion methods and their evasion IDPS Types Network, host, protocol Autonomous, semi-automated Independent, cooperative Adaptive, static IDPS evasion methods IDPS Methods Signature based Anomaly based Stateful protocol analysis Exploit detection 6 Nokia Siemens Networks

7 Responding to intrusions IPS response classes Diverting input Sandboxing On-the-fly hardening Connection severing Blocking access Disabling subsystems Restarting system (Aggressive defense) IPS approaches preventive immediate delayed 7 Nokia Siemens Networks

8 Addressing threats in operator networks via IDPS Reconnaissance Eg. port scans internal or external Acquisition transmitted data stored data systems abuse of insider access Network-based IDPS are better against reconnaissance, impersonation, DoS Signature-based IDPS better against static threats (exploit, DoS) Modification communication parties communication protocols communication data stored data Denial of service Network DoS targeted DoS system DoS Host-based IDPS superior for protecting against attacks directly on the host (backdoors, data modification) Anomaly detectors dynamic threats (privilege abuse, impersonation, man-inthe-middle attacks) 8 Nokia Siemens Networks

9 Snapshot on COTS IDPS products Common off the shelf Products COTS StillSecure StrataGuard (NIDS) Fortinet FortiGate (NIDS) Juniper IDP (NIDS) IBM Proventia (NIDS) McAfee NSP (NIDS/HIDS) Characteristics of COTS IDPS Have good throughput Employ a variety of detection/ prevention methods Rely on vendor signature updates Are not very customizable hundreds of ID(P)S appliances 9 Nokia Siemens Networks

10 Snapshot on FOSS IDPS products Free Open Source Software FOSS Snort (NIDS) The signature-based IDPS; signatures require paid subscription Aimed to detect specific vulnerabilities Bro (NIDS) Signatures more generic than Snort; limited anomaly detection Supports and needs heavy customization OSSEC (HIDS) Hybrid; analyzes logs with signatureand anomaly-based rules Can monitor file integrity and presence of rootkits Vigilante (ED) Research prototype Characteristics of FOSS IDPS Are more flexible Are not optimized to good throughput Generally no company behind the maintenance 10 Nokia Siemens Networks

11 Minimize the attack surface via other means Decide which app-level protocols are worthwhile to analyze Define when to use fail-open (pass-through)/ fail-closed (inline) IDPS Denial of Service DoS detection is vital Commercial Off-The-Shelf vs. Free Open Source Software Combine different IDPS for best coverage 11 Nokia Siemens Networks

12 Q & A 12 Nokia Siemens Networks