Network Security: Firewall, VPN, IDS/IPS, SIEM

Similar documents
SIEM FOR BEGINNERS EVERYTHING YOU WANTED TO KNOW ABOUT LOG MANAGEMENT BUT WERE AFRAID TO ASK.

SIEM FOR BEGINNERS Everything You Wanted to Know About

firewalls perimeter firewall systems firewalls security gateways secure Internet gateways

Chapter 9. Firewalls

CSE 565 Computer Security Fall 2018

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems

n Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network

Unit 4: Firewalls (I)

Chapter 8 roadmap. Network Security

COMPUTER NETWORK SECURITY

CSC Network Security

Computer Network Vulnerabilities

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Computer Security and Privacy

Network Defenses 21 JANUARY KAMI VANIEA 1

Simple and Powerful Security for PCI DSS

Top 10 use cases of HP ArcSight Logger

Network Security. Kitisak Jirawannakool Electronics Government Agency (public organisation)

CYBERBIT P r o t e c t i n g a n e w D i m e n s i o n

CyberP3i Course Module Series

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

Security Information & Event Management (SIEM)

FairWarning Mapping to PCI DSS 3.0, Requirement 10

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

Spring 2010 CS419. Computer Security. Vinod Ganapathy Lecture 14. Chapters 6 and 9 Intrusion Detection and Prevention

Applied IT Security. System Security. Dr. Stephan Spitz 6 Firewalls & IDS. Applied IT Security, Dr.

4.1.3 Filtering. NAT: basic principle. Dynamic NAT Network Address Translation (NAT) Public IP addresses are rare

SOC-2 Requirement Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD SOC-2

Network Security. Thierry Sans

Indicate whether the statement is true or false.

Optimizing Security for Situational Awareness

Cisco Stealthwatch Improves Threat Defense with Network Visibility and Security Analytics

Why Firewalls? Firewall Characteristics

Compare Security Analytics Solutions

Reinvent Your 2013 Security Management Strategy

HP Instant Support Enterprise Edition (ISEE) Security overview

Un SOC avanzato per una efficace risposta al cybercrime

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045

Fireware-Essentials. Number: Fireware Essentials Passing Score: 800 Time Limit: 120 min File Version: 7.

Key Technologies for Security Operations. Copyright 2014 EMC Corporation. All rights reserved.

University of Pittsburgh Security Assessment Questionnaire (v1.7)

RSA NetWitness Suite Respond in Minutes, Not Months

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y / P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A

Not your Father s SIEM

Security

HP High-End Firewalls

Hands-On Ethical Hacking and Network Defense 3 rd Edition

Sample excerpt. HP ProCurve Threat Management Services zl Module NPI Technical Training. NPI Technical Training Version: 1.

SIEM Overview with OSSIM Case Study. Mohammad Husain, PhD Cal Poly Pomona

Network Defenses 21 JANUARY KAMI VANIEA 1

Total Security Management PCI DSS Compliance Guide

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003

Skybox Security Vulnerability Management Survey 2012

ASA/PIX Security Appliance

Firewalls, IDS and IPS. MIS5214 Midterm Study Support Materials

Network Defenses KAMI VANIEA 1

Proxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking

IC32E - Pre-Instructional Survey

Firewall Configuration and Management Policy

Introduction to Network Discovery and Identity

Dynamic Datacenter Security Solidex, November 2009

Snort: The World s Most Widely Deployed IPS Technology

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Sobering statistics. The frequency and sophistication of cybersecurity attacks are getting worse.

THE SIX ESSENTIAL CAPABILITIES OF AN ANALYTICS-DRIVEN SIEM

Detecting Network Reconnaissance with the Cisco Cyber Threat Defense Solution 1.0

Overview Intrusion Detection Systems and Practices

The Future of Threat Prevention

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

CompTIA Security+ CompTIA SY0-401 Dumps Available Here at:

PROTECTING INFORMATION ASSETS NETWORK SECURITY

Network Control, Con t

CSC 4900 Computer Networks: Security Protocols (2)

Introduction to Network Discovery and Identity

Securing CS-MARS C H A P T E R

ISO27001 Preparing your business with Snare

Implementing Firewall Technologies

Security Information Managers: State of the Art. Joel M Snyder Senior Partner Opus One

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access

Internet Security: Firewall

20-CS Cyber Defense Overview Fall, Network Basics

Configuring attack detection and prevention 1

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

NETWORK THREATS DEMAN

Security Assessment Checklist

Network Security. Course notes. Version

Training UNIFIED SECURITY. Signature based packet analysis

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

Some of the slides borrowed from the book Computer Security: A Hands on Approach by Wenliang Du. Firewalls. Chester Rebeiro IIT Madras

HikCentral V.1.1.x for Windows Hardening Guide

Scrutinizer Flow Analytics

Intrusion Detection Systems

Protection of Communication Infrastructures

Firewalls. IT443 Network Security Administration Slides courtesy of Bo Sheng

IBM Security QRadar SIEM Version Getting Started Guide

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Configuring attack detection and prevention 1

Transcription:

Security: Firewall, VPN, IDS/IPS, SIEM Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr What is a Firewall? A firewall is hardware, software, or a combination of both that is used to prevent unauthorized programs or users from accessing a private network and/or a single computer 1 2 What is a Firewall? Hardware vs. Software Firewalls A firewall : Acts as a security gateway between two networks Tracks and controls network communications Decides whether to pass, reject, encrypt, or log communications (Access Control) Block Allow traffic Traffic from to Hardware Firewalls Protect an entire network Implemented on the router level Usually more expensive, harder to configure Software Firewalls Protect a single computer Usually less expensive, easier to configure Corporate Site 3 4 1

Evolution of Firewalls Packet Filter Application Proxy Stateful Inspection Packets examined at the network layer Useful first line of defense - commonly deployed on routers Simple accept or reject decision model No awareness of higher protocol layers Packet Filter Stage of Evolution 5 6 Packet Filter How to Configure a Packet Filter Simplest of components Uses transport-layer information only IP Source Address, Destination Address Protocol/Next Header (TCP, UDP, ICMP, etc) TCP or UDP source & destination ports TCP Flags (SYN, ACK, FIN, RST, PSH, etc) ICMP message type Examples DNS uses port 53 No incoming port 53 packets except known trusted servers Start with a security policy Specify allowable packets in terms of logical expressions on packet fields Rewrite expressions in syntax supported by your vendor General rules - least privilege All that is not expressly permitted is prohibited If you do not need it, eliminate it 7 8 2

Packet Filter Configuration - 1 Packet Filter Configuration - 2 Every ruleset is followed by an implicit rule reading like this. action src port dest port flags comment block * * * * * default Suppose we want to allow inbound mail (SMTP, port 25) but only to our gateway machine. Also suppose that mail from some particular site SPIGOT is to be blocked. action src port dest por t flags comment block SPIGOT * * * * We don t trust these site allow * * OUR-GW 25 * Connection to our SMTP port Example 2: Now suppose that we want to implement the policy any inside host can send mail to the outside. 9 10 Packet Filter Configuration - 3 Packet Filter Configuration - 4 action src port dest por t flags comment allow * * * 25 * Connection to outside SMTP port Our defined restriction is based solely on the destination s port number. With this rule, an enemy can access any internal machines on port 25 from an outside machine. What can be a better solution? This solution allows calls from any port on an inside machine, and will direct them to port 25 on an outside machine. So why is it wrong? 11 12 3

Packet Filter Configuration - 5 action src port dest por t flags comment allow {our hosts} * * 25 * Connection to outside SMTP port allow * 25 * * ACK SMTP replies The first rule restricts that only inside machines can access to outside machines on port 25. In second rule, the ACK signifies that the packet is part of an ongoing conversation. Packets without ACK are connection establishment messages, which are only permited from internal hosts by the first rule. With the second rule, outside hosts can send back packets to inside hosts on port 25. Application Gateway or Proxy Packets examined at the application layer Application/Content filtering possible - prevent FTP put commands, for example Modest performance Scalability limited 13 14 Stateful Inspection Address Translation (NAT) Packets Inspected between data link layer and network layer in the OS kernel State tables are created to maintain connection context Invented by Check Point 192.172.1.1-192.172.1.254 Internal IP Addresses Corporate LAN 219.22.165.1 Public IP Address(es) Converts a network s illegal IP addresses to legal or public IP addresses Hides the true addresses of individual hosts, protecting them from attack Allows more devices to be connected to the network INSPECT Engine Dynamic State Dynamic Tables State Dynamic Tables State Tables 15 16 4

Firewall Deployment Corporate Gateway Internal Segment Gateway Protect sensitive segments (Finance, HR, Product Development) Provide second layer of defense Ensure protection against internal attacks and misuse Corporate Site Human Resources Public Servers Demilitarized Zone (Publicly-accessible servers) Internal Segment Gateway What is a VPN? A VPN is a private connection over an open network A VPN includes authentication and encryption to protect data integrity and confidentiality Acme Corp Site 2 Acme Corp Acme Site Corp 1 VPN VPN 17 18 Types of VPNs Types of VPNs Corporate Site Remote Access VPN Provides access to internal corporate network over the Reduces long distance, modem bank, and technical support costs PAP,CHAP,RADIUS Corporate Site Remote Access VPN Site-to-Site VPN Connects multiple offices over Reduces dependencies on frame relay and leased lines Branch Office 19 20 5

Types of VPNs Types of VPNs Remote Access VPN Site-to-Site VPN Extranet VPN Corporate Site Remote Access VPN Site-to-Site VPN Database Server Provides business partners access to critical information (leads, sales tools, etc) Reduces transaction and operational costs Extranet VPN Client/Server VPN Protects sensitive internal communications LAN clients LAN clients with sensitive data Partner #2 Partner #1 21 22 Overview of IDS/IPS Intrusion A set of actions aimed at compromising the security goals (confidentiality, integrity, availability of a computing/networking resource) Intrusion detection The process of identifying and responding to intrusion activities Intrusion prevention The process of both detecting intrusion activities and managing responsive actions throughout the network. Overview of IDS/IPS Intrusion detection system (IDS) A system that performs automatically the process of intrusion detection. Intrusion prevention system (IPS) A system that has an ambition to both detect intrusions and manage responsive actions. Technically, an IPS contains an IDS and combines it with preventive measures (firewall, antivirus, vulnerability assessment) that are often implemented in hardware. 23 24 6

Components of Intrusion Detection System system activities are observable Detection Models Audit Data Preprocessor Audit Records Activity Data Detection Engine Alarms normal and intrusive activities have distinct evidence Intrusion Detection Approaches Modeling Features: evidences extracted from audit data Analysis approach: piecing the evidences together Misuse detection (a.k.a. signature-based) Anomaly detection (a.k.a. statistical-based) Deployment: -based or Host-based based: monitor network traffic Host based: monitor computer processes Decision Table Decision Engine Action/Report 25 26 Security Information and Event Management (SIEM) LMS - Log Management System a system that collects and store Log Files (from Operating Systems,, etc) from multiple hosts and systems into a single location, allowing centralized access to logs instead of accessing them from each system individually. SLM /SEM Security Log/Event Management an LMS, but marketed towards security analysts instead of system administrators. SEM is about highlighting log entries as more significant to security than others. SIM Security Information Management - an Asset Management system, but with features to incorporate security information too. Hosts may have vulnerability reports listed in their summaries, Intrusion Detection and AntiVirus alerts may be shown mapped to the systems involved. SEC - Security Event Correlation To a particular piece of software, three failed login attempts to the same user account from three different clients, are just three lines in their logfile. To an analyst, that is a peculiar sequence of events worthy of investigation, and Log Correlation (looking for patterns in log files) is a way to raise alerts when these things happen. SIEM Security Information and Event Management SIEM is the All of the Above option, and as the above technologies become merged into single products, became the generalized term for managing information generated from security controls and infrastructure. We ll use the term SIEM for the rest of this presentation Background on Components Router Switch (L2 & L3) Servers (Application, Database, etc.) Firewall Demilitarized Zone (DMZ) Virtual Private IPS/IDS 27 28 7

Defense in Depth Typical Corporate Environment 29 30 Log Management Log Management Log management (LM) comprises an approach to dealing with large volumes of computer-generated log messages (also known as audit records, audit trails, event-logs, etc.). LM covers log collection, centralized aggregation, long-term retention, log analysis (in real-time and in bulk after storage) as well as log search and reporting. 31 32 8

Log Management Challenges Analyzing Logs for Relevant Security Intelligence Centralizing Log Collection Meeting IT Compliance Requirements Conducting Effective Root Cause Analysis Making Log Data More Meaningful Tracking Suspicious User Behavior Introduction to SIEM The term Security Information Event Management (SIEM), coined by Mark Nicolett and Amrit Williams of Gartner in 2005. Describes the product capabilities of gathering, analyzing and presenting information from network and security devices; identity and access management applications; vulnerability management and policy compliance tools; operating system, database and application logs; and external threat data. Security Information and Event Management (SIEM) is a term for software and products services combining security information management (SIM) and security event manager (SEM). 33 34 Key Objectives Identify threats and possible breaches Collect audit logs for security and compliance Conduct investigations and provide evidence SIEM vs LM Functionality Security Information and Event Management (SIEM) Log collection Collect security relevant logs + context data Log preprocessing Parsing, normalization, categorization, enrichment Log Management (LM) Collect all logs Indexing, parsing or none Log retention Retail parsed and normalized data Retain raw log data Reporting Security focused reporting Broad use reporting Analysis Alerting and notification Other features Correlation, threat scoring, event prioritization Advanced security focused reporting Incident management, analyst workflow, context analysis, etc. Full text analysis, tagging Simple alerting on all logs High scalability of collection and storage 35 36 9

A SIEM Scenario SIEM Process Flow Data Collection Extract Intelligent Information Add Value Presentation Dashboards & Reports 38 Typical Working of an SIEM Solution SIEM Architecture System Inputs Event Data Operating Systems Devices Databases Contextual Data Vulnerability Scans User Information Asset Information Threat Intelligence Data Collection Normalization SIEM Correlation Logic/Rules Aggregation System Outputs 39 Analysis Reports Real Time Monitoring 40 10

Typical Features of SIEM Context 41 42 Adding Context How a Log File is Generated in your Examples of context Add geo-location information Get information from DNS servers Get User details(full Name, Job Title& Description) Add context aids in identifying Access from foreign locations Suspect data transfer 43 11

The Beauty of Log Correlation Log Correlation is the difference between: 14:10 7/4/20110 User BRoberts Successful Auth to 10.100.52.105 from 10.10.8.22 and An Account belonging to Marketing connected to an Engineering System from an office desktop, on a day when nobody should be in the office Why is SIEM Necessary? Rise in data breaches due to internal and external threats Attackers are smart and traditional security tools just don t suffice Mitigate sophisticated cyber-attacks Manage increasing volumes of logs from multiple sources Meet stringent compliance requirements 46 12

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback