brksec-2004
TRANSCRIPT
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
© 2008 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-200414344_04_2008_c2 2
Monitoring and Mitigating Threats
BRKSEC-2004
Overview
Mitigation and Prevention
Monitoring and Identification
IPS Capabilities
Case Studies
Advanced Topics
How Computers and Networks Are Owned
Service vulnerabilities (IIS, Apache, SMB)
Application vulnerabilities (XSS)
Denial of Service flooding
    Spoofed (smurf, SYN flood)
    Non-spoofed rate (sheer volume from real sources)
Packet conformance vulnerabilities
Client-side application vulnerabilities
Configuration vulnerabilities (weak passwords, lack of encryption, etc.)
Countermeasure categories the slide pairs with these: Access Control, Spoofing Prevention, Packet Conformance, Application Inspection, IPS Capabilities, User Education
There Is No Silver Bullet
ACLs are most effective when the service is not required at all, and they only act at the boundary where they are deployed, which is usually a Layer 3 interface
IPS only mitigates when it is configured to block rather than alert, and it seldom is
AV detection is not 100% (roughly 85% against samples taken from honeypots; source: Virtual Honeypots)
Every new technology introduces potential vulnerabilities of its own
Complexity introduces errors
Know Your Enemy: Anatomy of an Attack
Five phases against the target, each building on the previous one:
1. Probe: ping addresses, scan ports, passive probing, guess user accounts, phishing and social engineering
2. Penetrate: mail attachments, buffer overflows, ActiveX controls, network installs, compressed messages, guess backdoors
3. Persist: create new files, modify existing files, weaken registry security settings, install new services, register trap doors
4. Propagate: mail copy of attack, web connection, IRC, FTP, infect file shares
5. Paralyze: delete files, modify files, drill security hole, crash computer, denial of service, steal secrets
Worm/Virus: Exploit Comparison (~20 Yrs)
Each worm mapped onto the five phases above:

Morris 1988
    Probe: scan for fingerd
    Penetrate: buffer overflow in fingerd
    Persist: execute script to download code
    Propagate: look for addresses and spread to new victim
    Paralyze: lots of processes slow system

Love Bug 2000
    Probe: N/A
    Penetrate: arrive as email attachment
    Persist: create executables and edit registry
    Propagate: open address book and email copies
    Paralyze: worm spreads

Code Red 2001
    Probe: scan for IIS
    Penetrate: buffer overflow in IIS
    Persist: execute script to download code
    Propagate: pick new addresses and spread to new victim
    Paralyze: lots of threads slow system

Slammer 2003
    Probe: N/A
    Penetrate: buffer overflow in SQL Server and MSDE
    Persist: N/A (memory-resident only; nothing is written to disk)
    Propagate: pick new addresses and spread to new victim
    Paralyze: lots of packets slow network

MyDoom 2004
    Probe: N/A
    Penetrate: arrive as email attachment
    Persist: create executables and edit registry
    Propagate: open address book and email copies
    Paralyze: worm spreads

Zotob 2005
    Probe: scan for MS Directory Services (TCP/445)
    Penetrate: buffer overflow in the Plug and Play (PnP) service
    Persist: create executables and edit registry, download code
    Propagate: start FTP and TFTP services, look for addresses and spread to new victim
    Paralyze: delete registry keys and files, terminate processes

MS RPC DNS 0day 2007
    Probe: scan or endpoint mapper query
    Penetrate: buffer overflow in the DNS server's RPC interface
    Persist: execute payload to download code
    Propagate: look for addresses and spread to new victim
    Paralyze: worm spreads
Defense-in-Depth Strategy (DIDS)
Layering security defenses reduces threat exposure and shrinks the window of opportunity for miscreants
Apply appropriate controls closest to the victim and miscreant
Any defense mechanism may fail, be bypassed, or defeated
Embrace multiple protection methods that complement each other
Mitigation and Prevention
Mitigation
Access Control
Spoofing Prevention
Packet Conformance
Application Inspection
Flexible Packet Matching
Access Control
Highly effective at enforcing a boundary for Layer 3 and Layer 4 traffic
Not effective when the service or application must remain reachable by potentially malicious users
Classification ACLs aid in identification
Default-deny ingress and egress will prevent a lot
Filter as precisely as possible: source and destination at Layer 3 and Layer 4
ACL: Cisco IOS vs. Firewall
Feature | Cisco IOS | ASA, PIX, and FWSM
TCP flags | syn, fin, ack, psh, urg, rst keywords, 12.3(4)T | Verified by default
TTL filtering | ttl keyword, 12.4(2)T | ttl-evasion-protection via MPF
IP option filtering | option keyword, 12.3(4)T | Drop IP options by default
State | Use of the established keyword | ACLs have state
IP fragmentation | fragments keyword on ACLs, and ip virtual-reassembly under interface configuration | Virtual reassembly using the fragment chain command
Utilizing Cisco IOS ACL Capabilities
!
Router(config)#ip access-list extended tACL
!
!-- Deny loose source routed packets
!
Router(config-ext-nacl)#deny ip any any option lsr
!
!-- Deny fragmented packets
!
Router(config-ext-nacl)#deny ip any any fragments
!
!-- Deny TCP packets with SYN and FIN flags set
!
Router(config-ext-nacl)#deny tcp any any match-all +syn +fin
!
!-- Deny packets with TTL values less than 5
!
Router(config-ext-nacl)#deny ip any any ttl lt 5
!
Note that the fragments keyword matches only non-initial fragments, so this entry drops every non-initial fragment regardless of its Layer 4 content; legitimate fragmented traffic breaks unless the entry is scoped to the hosts that need the protection or VFR is used instead.
Layer 2 Access Control
VLAN Access Control List (VACL): permit ACEs classify the traffic, the access-map action drops it, and the vlan filter applies it. This VACL drops SMB (445) and NetBIOS session (139) traffic between hosts within 192.168.1.0/24, lateral movement that never crosses a Layer 3 interface and so never reaches a router ACL.
!
!-- Create ACL default permit
ip access-list extended VACL-MATCH-ANY
 permit ip any any
!
!-- Create ACL match ports
ip access-list extended VACL-MATCH-PORTS
 permit tcp 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 445
 permit tcp 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 139
!
!-- Create VLAN Access Map for VACL policy
vlan access-map VACL 10
 match ip address VACL-MATCH-PORTS
 action drop
!
vlan access-map VACL 20
 match ip address VACL-MATCH-ANY
 action forward
!
!-- Apply and enable VACL for use
vlan filter VACL vlan 100
!
Port ACL: the same filtering applied inbound on a single access port
!
!-- Port ACL
ip access-list extended <acl-name>
 permit <protocol> <source-address> <source-port> <destination-address> <destination-port>
!
interface <type> <slot/port>
 switchport mode access
 switchport access vlan <vlan_number>
 ip access-group <acl-name> in
!
Modular and Phase-Based ACL Policy
A hybrid permit/deny structure; each phase is annotated on the slide with how often it changes
1. Anti-Spoofing
2. Anti-Bogon (Source)
3. Infrastructure Permit
4. Explicit Deny Specific Layer 3
5. Explicit Deny Specific Layer 4
6. Incident Response and Countermeasure (changes every day)
7. Explicit Permit Layer 3 (Good Traffic)
8. Explicit Permit Layer 4 (Good Traffic)
9. Explicit Deny
Only phase 6 changes every day; the other phases change rarely or only sometimes, which is why the daily countermeasure entries sit in their own block instead of being scattered through the stable ones.
Known, Unknown, and Undesirable Traffic
ip access-list extended ACCESS-LIST
200 deny ip 127.0.0.0 0.255.255.255 any !-- Deny Loopback netblock (src)
210 deny ip any 127.0.0.0 0.255.255.255 !-- Deny Loopback netblock (dst)
220 deny ip 192.0.2.0 0.0.0.255 any !-- Deny Test-Net netblock (src)
230 deny ip any 192.0.2.0 0.0.0.255 !-- Deny Test-Net netblock (dst)
240 deny ip 169.254.0.0 0.0.255.255 any !-- Deny Link Local netblock (src)
250 deny ip any 169.254.0.0 0.0.255.255 !-- Deny Link Local netblock (dst)
----- Output Truncated -----
500 deny tcp any any eq 135 !-- MS RPC Endpoint Mapper
510 deny tcp any any eq 139 !-- NetBIOS Session Service
520 deny tcp any any eq 445 !-- Microsoft DS, and Zotob
530 deny udp any any eq 445 !-- SMB vulns
540 deny tcp any any eq 4444 !-- Metasploit Reverse Shell
550 deny udp any any eq 1434 !-- MS SQL, Sapphire/Slammer Worm
560 deny tcp any any range 6660 6669 !-- IRC traffic
570 deny tcp any any eq 7000 !-- IRC traffic
----- Output Truncated -----
600 deny udp any any eq 1025 !-- MS RPC and LSA exploit traffic
610 deny tcp any any eq 5000 !-- UPnP Buffer Overflow exploit traffic
Access Control References
ASA 8.0 Identifying Traffic with Access Lists
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/traffic.html
Transit Access Control Lists: Filtering at Your Edge
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml
Configuring Network Security with ACLs
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_40_se/configuration/guide/swacl.html
Protecting Your Core: Infrastructure Protection Access Control Lists
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml
Spoofing Prevention
Minimizes attacks that require spoofing: SYN flood, smurf attack
Attack trace-back is simplified
Multiple features exist: Access Control Lists (ACLs), Unicast Reverse Path Forwarding (Unicast RPF), TCP Intercept (SYN cookies), IP Source Guard (IPSG)*, DHCP Snooping*
*Detailed information about Layer 2 security is available in BRKSEC-2002
Unicast Reverse Path Forwarding
Which mode to deploy, strict or loose? Strict for symmetrical flows, loose for asymmetrical flows
Effectively drops packets that lack a verifiable IP source address
Not 100% effective; however, properly deployed, Unicast RPF protects against most Layer 3 spoofed packets
Tuning for Unicast RPF is provided through ACLs (an ACL attached to the verify command exempts or logs sources that would otherwise fail the check)
Strict Mode Unicast RPF
Router(config-if)# ip verify unicast source reachable-via rx
(deprecated syntax: ip verify unicast reverse-path)
Diagram: the router has interfaces int 1, int 2 and int 3 and a FIB with Sx via int 1, Sy via int 2, Sz via null0. A packet from Sx to D arriving on int 1 is forwarded, because the FIB path back to the source is the receiving interface (source IP = rx int). A packet claiming source Sy that arrives on int 1 is dropped, because the reverse path to Sy is int 2, not the receiving interface (source IP != rx int).
Loose Mode Unicast RPF
Router(config-if)# ip verify unicast source reachable-via any
Diagram: same FIB (Sx via int 1, Sy via int 2, Sz via null0). A packet from Sy to D is forwarded whichever interface it arrives on, because the FIB has a route to Sy through some interface (source IP = any int). A packet claiming source Sz is dropped, because the only FIB entry for Sz points to null0, so there is no valid interface through which the source is reachable (source IP != any int).
Address Spoofing Prevention in the Enterprise
Topology: enterprise 192.168.0.0/16 connected to an ISP, with LANs 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24

Block entering packets whose source is the enterprise's own network (ISP-facing interface, inbound):
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 permit ip any any
or
ip verify unicast source reachable-via rx allow-default

Block sources that do not belong to the subnet (each LAN interface, inbound; X is the LAN number):
access-list 102 permit ip 192.168.X.0 0.0.0.255 any
access-list 102 deny ip any any
or
ip verify unicast source reachable-via rx

Block leaving packets whose source is not the enterprise's own network (ISP-facing interface, outbound; numbered 103 here because it is a different list from the per-LAN ACL):
access-list 103 permit ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip any any
or
ip verify unicast source reachable-via rx
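The strict and loose checks and the allow-default keyword, modelled over a longest-prefix-match FIB. This is an added example, not Cisco code; the FIB, interface names and the test sources are constructed to mirror the slides (three LANs, a Test-Net route to null0 and a default route towards the ISP).

```python
"""Strict vs. loose Unicast RPF over a small FIB (added example, not Cisco code)."""
import ipaddress


class Fib:
    """Longest-prefix-match table: prefix -> outgoing interface ('null0' is a discard route)."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(prefix), iface) for prefix, iface in routes]

    def lookup(self, addr):
        addr = ipaddress.ip_address(addr)
        best = None
        for net, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best


def urpf_check(fib, src_ip, ingress, mode="strict", allow_default=False):
    """True if a packet with source src_ip arriving on ingress passes the uRPF check.

    strict: the best route back to the source must point at the receiving interface.
    loose:  any route to the source is enough, as long as it is not a discard route.
    allow_default: a source covered only by the default route is accepted (either mode).
    """
    hit = fib.lookup(src_ip)
    if hit is None:
        return False                      # no route at all to the claimed source
    net, iface = hit
    if iface == "null0":
        return False                      # black-holed prefix (e.g. a bogon): fails in both modes
    if net.prefixlen == 0 and not allow_default:
        return False                      # only the default route covers this source
    if mode == "loose":
        return True
    return iface == ingress


# Constructed enterprise FIB: three LANs, Test-Net routed to null0, default route to the ISP.
ENTERPRISE_FIB = Fib([
    ("192.168.1.0/24", "lan1"),
    ("192.168.2.0/24", "lan2"),
    ("192.168.3.0/24", "lan3"),
    ("192.0.2.0/24", "null0"),
    ("0.0.0.0/0", "isp"),
])


def run_cases(fib=ENTERPRISE_FIB):
    """Evaluate the situations from the slides; keys are (source, ingress, mode, allow_default)."""
    cases = [
        ("192.168.2.7", "lan2", "strict", False),   # LAN host on its own interface
        ("192.168.1.7", "lan2", "strict", False),   # LAN1 address arriving on LAN2: spoof or asymmetry
        ("192.168.1.7", "lan2", "loose", False),    # loose mode tolerates the asymmetry
        ("192.0.2.9", "lan1", "loose", False),      # bogon routed to null0 fails even in loose mode
        ("203.0.113.5", "isp", "strict", False),    # Internet source known only via the default route
        ("203.0.113.5", "isp", "strict", True),     # ... passes once allow-default is set on the ISP link
        ("192.168.3.4", "isp", "strict", True),     # own netblock arriving from the ISP: spoofed
        ("192.168.3.4", "isp", "loose", True),      # loose + allow-default lets that spoof through
    ]
    return {case: urpf_check(fib, *case) for case in cases}


if __name__ == "__main__":
    for case, verdict in run_cases().items():
        print(case, "pass" if verdict else "drop")
```

The last two cases are the reason the slide pairs the ISP-facing interface with strict mode plus allow-default: loose mode accepts any source that has some route, including the enterprise's own prefixes arriving from outside, so it does not replace access-list 101.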
Configuring Spoofing Features
Layer 3 Spoofing Prevention
!-- Unicast RPF must have CEF enabled
ip cef
!
interface <interface>
 ip verify unicast source reachable-via <mode>
!
!-- Anti-Spoofing ACL (only the deny entries are shown; in production the list
!-- ends with the permits for legitimate traffic, otherwise the implicit deny drops everything)
ip access-list extended ACL-ANTISPOOF-IN
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
!
interface <interface>
 ip access-group ACL-ANTISPOOF-IN in
!
Layer 2 Spoofing Prevention
!-- Configuring DHCP Snooping
ip dhcp snooping
ip dhcp snooping vlan <vlan-range>
!
!-- IPSG, which requires DHCP snooping
interface <interface-id>
 ip verify source
!
!-- Configuring Port Security
interface <interface>
 switchport
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security maximum <number>
 switchport port-security violation <violation-mode>
!
SYN Cookie Packet Flow
Client (source) IP 192.168.1.1, server (destination) IP 192.168.2.2, with the SYN cookie device in between.
1. Client -> device: SYN (SrcIP=192.168.1.1; seq=x)
2. Device: is IP 192.168.1.1 authenticated? No. Generate a unique cookie for IP 192.168.1.1; keep no connection state.
3. Device -> client: SYN ACK (seq=cookie; ack=x+1)
4. Client -> device: ACK (seq=x+1; ack=cookie+1)
5. Device: if the cookie is valid, authenticate IP 192.168.1.1. Is IP 192.168.1.1 authenticated? Yes.
6. Device -> server: SYN (seq=y)
7. Server -> device: SYN ACK (seq=z; ack=y+1)
8. Device -> server: ACK (seq=y+1; ack=z+1), with DATA following
9. Connection established; DATA flows between client and server through the device.
The device commits no state for the half-open connection, so spoofed SYNs whose sources never answer the SYN ACK cost the server nothing.
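A model of steps 1 to 5 of that exchange, written as an added example (it is not Cisco's TCP Intercept implementation). The cookie construction is an assumption for illustration: an 8-bit time slot plus a 24-bit HMAC over the 4-tuple and the client's ISN, keyed with a constructed secret; a real implementation also has to encode the negotiated MSS, which is omitted here.

```python
"""SYN cookie handshake model (added example; not Cisco's TCP Intercept code)."""
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-demo-secret"   # hypothetical per-device key; rotate it in real use
SLOT_SECONDS = 64                      # time-slot granularity; a cookie is valid for two slots
MASK32 = 0xFFFFFFFF


def _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, slot):
    """24-bit keyed MAC over the 4-tuple, the client's ISN and the time slot."""
    msg = struct.pack("!4sH4sHII",
                      socket.inet_aton(src_ip), src_port,
                      socket.inet_aton(dst_ip), dst_port,
                      client_isn & MASK32, slot & MASK32)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, now):
    """Server ISN for the SYN ACK: 8 bits of time slot plus a 24-bit MAC; nothing is stored."""
    slot = int(now // SLOT_SECONDS)
    return ((slot & 0xFF) << 24) | _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, slot)


def check_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, ack, now):
    """Validate the returning ACK (ack = cookie + 1) against the current and previous slot."""
    cookie = (ack - 1) & MASK32
    current = int(now // SLOT_SECONDS)
    for slot in (current, current - 1):
        if (slot & 0xFF) != (cookie >> 24):
            continue
        if _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, slot) == (cookie & 0xFFFFFF):
            return True
    return False


class SynCookieDevice:
    """The device between client and server in the slide's packet flow."""

    def __init__(self, server_ip, server_port):
        self.server_ip, self.server_port = server_ip, server_port
        self.synacks_sent = 0
        self.state = {}                 # created only after a cookie validates

    def on_syn(self, src_ip, src_port, seq, now):
        """Client SYN: answer SYN ACK(seq=cookie, ack=x+1) without allocating anything."""
        self.synacks_sent += 1
        cookie = make_cookie(src_ip, src_port, self.server_ip, self.server_port, seq, now)
        return {"seq": cookie, "ack": (seq + 1) & MASK32}

    def on_ack(self, src_ip, src_port, seq, ack, now):
        """Client ACK(seq=x+1, ack=cookie+1): authenticate the source only if the cookie is valid."""
        client_isn = (seq - 1) & MASK32
        if not check_cookie(src_ip, src_port, self.server_ip, self.server_port, client_isn, ack, now):
            return False
        # Only now does the device commit state and open the real handshake towards the server.
        self.state[(src_ip, src_port)] = {"client_isn": client_isn, "authenticated": True}
        return True


def run_scenario():
    """Spoofed SYN flood, then one legitimate, one forged and one stale ACK."""
    dev = SynCookieDevice("192.168.2.2", 80)
    t0 = 1_000_000.0
    for i in range(10_000):             # 10,000 SYNs from sources that never answer
        dev.on_syn(f"10.{(i >> 8) & 0xFF}.{i & 0xFF}.1", 40_000 + i % 1000, i, t0)
    state_after_flood = len(dev.state)
    synack = dev.on_syn("192.168.1.1", 55618, 1000, t0)
    good_ack = (synack["seq"] + 1) & MASK32
    legit = dev.on_ack("192.168.1.1", 55618, 1001, good_ack, t0 + 1)
    forged = dev.on_ack("192.168.1.1", 55619, 1001, 0x12345678, t0 + 1)
    stale = dev.on_ack("192.168.1.1", 55618, 1001, good_ack, t0 + 3 * SLOT_SECONDS)
    return {"synacks_sent": dev.synacks_sent, "state_entries_after_flood": state_after_flood,
            "legit": legit, "forged": forged, "stale": stale,
            "authenticated": sorted(ip for ip, _ in dev.state)}


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The flood of 10,000 SYNs produces 10,000 SYN ACKs and zero state entries; the one client that echoes the cookie back is authenticated, a guessed acknowledgement number is rejected, and so is a correct cookie replayed after its validity window.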
TCP Intercept
Using MPF
!
!-- Using Modular Policy Framework (MPF)
!-- which is available on ASA and PIX
access-list management permit tcp any 192.168.131.0 255.255.255.0
!
class-map connection-limit
 match access-list management
!
policy-map spoof-protect
 class connection-limit
 !
 !-- Setting limit to one forces all connections to be validated
 !
 set connection embryonic-conn-max 1
!
service-policy spoof-protect interface outside
!
Static NAT
!-- Static NAT: maps the inside (real) address 192.168.111.111 to the outside
!-- (mapped) address 192.168.222.222; the trailing "tcp 0 1" sets the maximum
!-- TCP connections to 0 (unlimited) and the embryonic connection limit to 1
static (inside,outside) 192.168.222.222 192.168.111.111 tcp 0 1
!
!-- Static identity NAT, i.e. no address translation, with the same limits
static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 tcp 0 1
!
Spoofing References
Understanding Unicast Reverse Path Forwarding
http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html
http://www.cymru.com/Documents/tracking-spoofed.html
http://www.cymru.com/Documents/bogon-dd.html
Packet Conformance
Several attacks use fuzzed or irregular packet fields to identify hosts, exploit vulnerabilities or evade detection:
Fragmentation overwrite, overlap, short, long (teardrop, jolt, evasion)
Nmap and passive OS identification scanning
Source routing to evade access control or cause other vulnerabilities
Abnormal TCP flags, values, overwrite
Time-to-live (TTL) abnormalities
Firewall Packet Conformance
Virtual Fragmentation Reassembly: reassemble, perform consistency checks (overlap, overwrite, long, short), then forward; tuned with the fragment chain command
Dropping packets with IP options present
Fuzzy TCP flags
TCP intercept (SYN cookies)
ttl-evasion-protection in MPF (enabled by default)
TCP-MAP (TCP options, SYN data)
Accelerated Security Path (ASP) checks
Firewall ASP Checks
Firewall# capture drop type asp-drop ?
-------------------- Output Truncated in Several Places --------------------
fragment-reassembly-failed   Fragment reassembly failed
invalid-ip-header            Invalid IP header
invalid-ip-length            Invalid IP length
invalid-ip-option            IP option drop
invalid-tcp-hdr-length       Invalid TCP Length
invalid-udp-length           Invalid UDP Length
tcp-3whs-failed              TCP failed 3 way handshake
tcp-ack-syn-diff             TCP ACK in SYNACK invalid
tcp-bad-option-len           Bad option length in TCP
tcp-bad-option-list          TCP option list invalid
tcp-bad-sack-allow           Bad TCP SACK ALLOW option
tcp-bad-winscale             Bad TCP window scale value
tcp-data-past-fin            TCP data send after FIN
tcp-discarded-ooo            TCP ACK in 3 way handshake invalid
tcp-invalid-ack              TCP invalid ACK
tcp-mss-exceeded             TCP data exceeded MSS
tcp-not-syn                  First TCP packet not SYN
tcp-reserved-set             TCP reserved flags set
tcp-rst-syn-in-win           TCP RST/SYN in window
tcp-rstfin-ooo               TCP RST/FIN out of order
tcp-seq-past-win             TCP packet SEQ past window
tcp-seq-syn-diff             TCP SEQ in SYN/SYNACK invalid
tcp-syn-data                 TCP SYN with data
tcp-syn-ooo                  TCP SYN on established conn
tcp-synack-data              TCP SYNACK with data
tcp-synack-ooo               TCP SYNACK on established conn
tcp-winscale-no-syn          TCP Window scale on non-SYN
The per-reason counters are visible with show asp drop; capture drop type asp-drop <reason> captures the dropped packets themselves, which is how to tell a real attack from a misbehaving application tripping one of these checks.
Cisco IOS Packet Conformance
ip options drop command
no ip source-route
Some of the checks can be accomplished through ACLs (such as IP options, TCP flags)
Router(config)# ip options drop
% Warning: RSVP and other protocols that use IP Options packets may not function as expected.
Router(config)# no ip source-route
Router(config)#
Cisco IOS Packet Conformance (cont.)
Virtual Fragmentation Reassembly (VFR), 12.3(8)T: ip virtual-reassembly; asymmetric traffic causes problems, because the router must see every fragment of a datagram to reassemble it
Troubleshoot and verify VFR operations: debug ip virtual-reassembly, show ip virtual-reassembly
Syslog: VFR-3-TINY_FRAGMENTS, VFR-3-OVERLAP_FRAGMENT, VFR-4-FRAG_TABLE_OVERFLOW, VFR-4-TOO_MANY_FRAGMENTS
!
interface GigabitEthernet0/0
 ip address <address>
 ip virtual-reassembly [drop-fragments] [max-fragments number] [max-reassemblies number] [timeout seconds]
!
Application Layer Protocol Inspection
Feature on ASA, PIX, and FWSM security devices
Stateful deep packet inspection
Good for protocols that open secondary ports and use embedded IP addresses
Potential DoS vector due to performance implications
User defined policies
Response actions for undesirable traffic
Default inspection policy (ASA), as shipped:
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Application Layer Protocol Inspection
Configuration requires three pieces:
Class-map: identifies the traffic that needs a specific type of control; class-maps have names, which bind them to a policy-map
Policy-map: describes the actions to be taken on the traffic described in the class-map; policy-maps have names, which bind them to the service-policy
Service-policy: describes where the traffic should be intercepted for control; only one service-policy can exist per interface, and an additional global service-policy applies to traffic on all interfaces; for traffic it matches, an interface policy takes precedence over the global one
*Detailed information about Firewall Design and Deployment is available in BRKSEC-2020
Application Layer Protocol Inspection
Regex, introduced in 7.2, provides the ability to filter specific traffic; not available on FWSM
Firewall# show run all | include regex _default_
regex _default_gator "Gator"
regex _default_firethru-tunnel_2 "[/\\]cgi[-]bin[/\\]proxy"
regex _default_shoutcast-tunneling-protocol "1"
regex _default_http-tunnel "[/\\]HT_PortLog.aspx"
regex _default_x-kazaa-network "[xX]-[kK][aA][zZ][aA][aA]-[nN][eE][tT][wW][oO][rR][kK]"
regex _default_msn-messenger "[Aa][Pp][Pp][Ll][Ii][Cc][Aa][Tt][Ii][Oo][Nn][/\\][Xx][-][Mm][Ss][Nn][-][Mm][Ee][Ss][Ss][Ee][Nn][Gg][Ee][Rr]"
regex _default_GoToMyPC-tunnel_2 "[/\\]erc[/\\]Poll"
regex _default_gnu-http-tunnel_uri "[/\\]index[.]html"
regex _default_aim-messenger "[Hh][Tt][Tt][Pp][.][Pp][Rr][Oo][Xx][Yy][.][Ii][Cc][Qq][.][Cc][Oo][Mm]"
regex _default_gnu-http-tunnel_arg "crap"
regex _default_icy-metadata "[iI][cC][yY]-[mM][eE][tT][aA][dD][aA][tT][aA]"
regex _default_GoToMyPC-tunnel "machinekey"
regex _default_windows-media-player-tunnel "NSPlayer"
regex _default_yahoo-messenger "YMSG"
regex _default_httport-tunnel "photo[.]exectech[-]va[.]com"
regex _default_firethru-tunnel_1 "firethru[.]com"
DNS Protocol Inspection Example
!
!-- Create regex match
Firewall(config)# regex domain1 "yahoo\.com"
Firewall(config)# regex domain2 "cnn\.com"
!
!-- Create regex class map
Firewall(config)# class-map type regex match-any dns_filter_class
Firewall(config-cmap)# match regex domain1
Firewall(config-cmap)# match regex domain2
!
!-- Inspection class map
Firewall(config)# class-map type inspect dns dns_inspect_class
Firewall(config-cmap)# match not header-flag QR
Firewall(config-cmap)# match question
Firewall(config-cmap)# match domain-name regex class dns_filter_class
!
!-- Perform policy map action
Firewall(config-cmap)# policy-map type inspect dns dns_inspect_policy
Firewall(config-pmap)# class dns_inspect_class
Firewall(config-pmap-c)# drop log
!
Firewall(config-pmap-c)# class-map inspection_default
Firewall(config-cmap)# match default-inspection-traffic
!
Firewall(config-cmap)# policy-map egress_policy
Firewall(config-pmap)# class inspection_default
Firewall(config-pmap-c)# inspect dns dns_inspect_policy
!
Firewall(config-pmap-c)# service-policy egress_policy interface inside
!
The inspect class map is match-all by default, so a packet is dropped only when it is a query (QR clear), carries a question section, and the queried name matches one of the regexes; the regexes are unanchored, so "yahoo\.com" also matches mail.yahoo.com.
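What the three matches in dns_inspect_class actually test on the wire, as an added example that parses raw DNS messages in Python (it is not ASA code). The message builder, the sample names and the decision to treat a malformed message as a drop are assumptions made for the example.

```python
"""DNS message parser implementing the slide's dns_inspect_class (added example, not ASA code)."""
import re
import struct

# dns_filter_class (match-any): the two regexes from the slide, unanchored like ASA regex matching.
DNS_FILTER_CLASS = [re.compile(r"yahoo\.com"), re.compile(r"cnn\.com")]


def build_dns(name, txid=0x1234, qtype=1, qr=False):
    """Constructed DNS message with one question; qr=True makes it a response."""
    flags = 0x0100 | (0x8000 if qr else 0)             # RD, plus QR for responses
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, end, jumped = [], None, False
    for _ in range(128):                                 # bound the walk against pointer loops
        length = msg[off]
        if length & 0xC0 == 0xC0:                        # compression pointer
            if not jumped:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumped = True
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    raise ValueError("name too long or pointer loop")


def parse_dns(msg):
    """Return the header flags and the question section of a DNS message."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", msg[:12])
    questions, off = [], 12
    for _ in range(qdcount):
        name, off = _read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    return {"id": txid, "qr": bool(flags & 0x8000), "questions": questions}


def dns_inspect_policy(msg):
    """'drop' when all three matches of dns_inspect_class (match-all) hold, else 'pass'."""
    try:
        d = parse_dns(msg)
    except (ValueError, IndexError, struct.error):
        return "drop"                                    # malformed: assumed to fail inspection
    if d["qr"]:                                          # match not header-flag QR
        return "pass"
    if not d["questions"]:                               # match question
        return "pass"
    for name, _, _ in d["questions"]:                    # match domain-name regex class dns_filter_class
        if any(rx.search(name) for rx in DNS_FILTER_CLASS):
            return "drop"
    return "pass"


if __name__ == "__main__":
    for name, qr in (("www.yahoo.com", False), ("www.google.com", False), ("www.yahoo.com", True)):
        kind = "response" if qr else "query"
        print(f"{name} {kind}: {dns_inspect_policy(build_dns(name, qr=qr))}")
```

Queries for www.yahoo.com and www.cnn.com are dropped, a query for www.google.com passes, and a response carrying a yahoo.com name passes because the QR match excludes it; the class acts on what clients ask, not on what resolvers answer.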
DNS AppFW Protocol Inspection Example
Disable and then enable the service policy which inspects DNS queries:
Firewall(config)# no service-policy egress_policy interface inside
Firewall(config)# service-policy egress_policy interface inside

DNS resolver on an endpoint, successful resolution before the policy is enabled:
[user@linux ~]$ dig www.google.com
; <<>> DiG 9.5.0b3 <<>> www.google.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13951
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 7, ADDITIONAL: 7

;; QUESTION SECTION:
;www.google.com.                IN      A

;; ANSWER SECTION:
www.google.com.         118837  IN      CNAME   www.l.google.com.
www.l.google.com.       37      IN      A       209.85.165.147
www.l.google.com.       37      IN      A       209.85.165.99
www.l.google.com.       37      IN      A       209.85.165.103
www.l.google.com.       37      IN      A       209.85.165.104

Failed resolution after the service policy is enabled:
[user@linux ~]$ dig www.google.com
; <<>> DiG 9.5.0b3 <<>> www.google.com
;; global options:  printcmd
;; connection timed out; no servers could be reached
[user@linux ~]$

DNS resolution fails after the service policy is enabled. When a policy change breaks resolution like this, show service-policy interface inside and the syslog produced by the drop log action show which class is dropping the queries.
Firewall Protocol Inspection References
ASA 8.0 MPF Guide
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mpc.html
Applying Application Layer Protocol Inspection
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/inspect.html
IOS Flexible Packet Matching
Performs stateless deep packet inspection, providing more granular control than ACLs
Ability to deploy protection and prevention mechanisms closer to victim and miscreant
Protocol + Port + [String|Regex] -> Action
Some PHDFs (protocol header definition files) already exist to detect certain vulnerabilities or protocols (BitTorrent and Skype)
Diagram: a frame laid out as L2 header, L3 header, L4 header and then payload; FPM can match on fields in any of the headers and on payload bytes at any offset.
Access Lists on Steroids
Flexible Packet Matching (FPM) performs deep packet inspection for containment and policy enforcement
Match protocol header fields and/or payload content
Layer 2 to 7: bit/byte matching capability at any offset within the packet
User-defined filtering policies (traffic classifiers) with a choice of response actions
Adaptable to dynamically changing attack profiles: rapid deployment of filtering policies (can leverage EEM for near real-time response to threats)
Ability to deploy protection and prevention mechanisms closer to victim and miscreant
FPM Capability Phasing
Columns: ACL | FPM Phase 1, 12.4(4)T | FPM Phase 1+, 12.4(6)T1 | FPM Phase 2, 12.4(15)T | FPM Phase 3
Protocol support: IPv4, TCP, UDP, ICMP | IPv4, TCP, UDP, ICMP | Phase 1 + Ethernet | Phase 1+ + GRE, IPsec | Phase 2 + DNS, SNMP, HTTP, IPv6
Depth of inspection: 44 bytes | 256 bytes | 256 bytes | Full packet | Stream
Raw offset: No | Yes | Yes | Yes | Yes
Relative offset (fixed header length support): No | Yes | Yes | Yes | Yes
Dynamic offset (variable header length support): No | No | No | Yes | Yes
Match on payload TLV fields: No | No | No | No | Yes
String match: No | No | Yes | Yes | Yes
Match string pattern window: No | 32 bytes | 32 bytes | 256 bytes | Full packet
Regex match: No | Yes | Yes | Yes | Yes
Nested class-maps: No | No | No | Yes | Yes
Nested policies: No | Yes | Yes | Yes | Yes
No. of match criteria per ACE: 4 | 8 | 8 | Unlimited | Unlimited
No. of ACEs per interface: Unlimited | 32 classes | 32 classes | Unlimited | Unlimited
FPM Policy for Slammer Packets
load protocol disk0:ip.phdf
load protocol disk0:udp.phdf
!
class-map type stack match-all ip_udp_class
description "match UDP over IP packets"
match field ip protocol eq 17 next udp
!
class-map type access-control match-all slammer_class
description "match on slammer packets"
match field udp dest-port eq 1434
match field ip length eq 404
match start udp payload-start offset 0 size 4 eq 0x04010101
match start udp payload-start offset 4 size 4 eq 0x01010101
match start udp payload-start offset 8 size 4 eq 0x01010101
match start udp payload-start offset 12 size 4 eq 0x01010101
match start udp payload-start offset 16 size 1 eq 0x01
!
policy-map type access-control fpm_udp_policy
description "policy for UDP based attacks"
class slammer_class
drop
log
!
policy-map type access-control fpm_policy
description "drop worms and malicious attacks"
class ip_udp_class
service-policy fpm_udp_policy
!
interface GigabitEthernet 0/1
service-policy type access-control input fpm_policy
Callouts on the slide, in configuration order: load the PHDFs for IP and UDP; match UDP over IP packets (the stack class); match Slammer packets (UDP port 1434, IP length 404 bytes, and the fixed payload bytes compared with eq); policy for UDP-based attacks; drop worms and malicious attacks; apply and enable the FPM policy on the interface.
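The same match logic rendered as a Python packet classifier, so the three conditions of slammer_class can be exercised against bytes. This is an added example, not IOS FPM code; the packets are constructed, and the "lookalike" reproduces only the seventeen payload bytes the class compares, padded to the 376-byte UDP payload that gives an IP total length of 404. It is not a Slammer sample.

```python
"""Python rendering of the slide's FPM slammer_class (added example, not IOS FPM code)."""
import socket
import struct

# The bytes the FPM class compares at UDP payload offsets 0..16: 0x04 followed by sixteen 0x01.
SLAMMER_PAYLOAD_PREFIX = bytes([0x04]) + bytes([0x01]) * 16


def parse_ipv4_udp(pkt):
    """ip.phdf + udp.phdf equivalent: header fields of a UDP-over-IPv4 packet, else None."""
    if len(pkt) < 20:
        return None
    (ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 17 or len(pkt) < ihl + 8:              # match field ip protocol eq 17 next udp
        return None
    sport, dport, _ulen, _ucsum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "ip_len": total_len, "sport": sport, "dport": dport, "payload": pkt[ihl + 8:]}


def slammer_class(pkt):
    """match-all: UDP dest-port 1434, IP length 404, payload-start bytes 04 01 01 ... 01."""
    h = parse_ipv4_udp(pkt)
    return (h is not None
            and h["dport"] == 1434
            and h["ip_len"] == 404
            and h["payload"][:17] == SLAMMER_PAYLOAD_PREFIX)


def fpm_policy(pkt, log):
    """fpm_policy -> fpm_udp_policy: drop and log slammer_class, forward everything else."""
    h = parse_ipv4_udp(pkt)
    if h is not None and slammer_class(pkt):
        log.append(f"FPM drop slammer_class {h['src']}:{h['sport']} -> "
                   f"{h['dst']}:{h['dport']} len={h['ip_len']}")
        return "drop"
    return "forward"


def build_ipv4_udp(src, dst, sport, dport, payload):
    """Constructed UDP/IPv4 packet (checksums left zero; they play no part in the match)."""
    udp_len = 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return ip_hdr + struct.pack("!HHHH", sport, dport, udp_len, 0) + payload


# Constructed samples.
SLAMMER_LOOKALIKE = build_ipv4_udp("192.168.208.63", "192.168.150.77", 4321, 1434,
                                   SLAMMER_PAYLOAD_PREFIX + b"\x00" * (376 - 17))
SQL_BROWSER_PING = build_ipv4_udp("192.168.1.10", "192.168.150.77", 4322, 1434, b"\x02")
SHORT_VARIANT = build_ipv4_udp("192.168.208.63", "192.168.150.77", 4323, 1434,
                               SLAMMER_PAYLOAD_PREFIX + b"\x00" * 100)
TCP_TO_1434 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                          socket.inet_aton("192.168.1.10"),
                          socket.inet_aton("192.168.150.77")) + b"\x00" * 20


def run_samples():
    """Verdict per sample plus the drop log, in the order the FPM policy would see them."""
    log = []
    samples = (("lookalike", SLAMMER_LOOKALIKE), ("sql_browser_ping", SQL_BROWSER_PING),
               ("short_variant", SHORT_VARIANT), ("tcp_to_1434", TCP_TO_1434))
    return {name: fpm_policy(pkt, log) for name, pkt in samples}, log


if __name__ == "__main__":
    verdicts, log = run_samples()
    for name, verdict in verdicts.items():
        print(f"{name:17} {verdict}")
    print("\n".join(log))
```

Only the 404-byte lookalike is dropped: the legitimate SQL Browser ping to the same port is forwarded, and so is a packet with the same leading bytes but a different length, which shows both the precision of an exact-match signature and its brittleness against anything that can vary its size.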
FPM Performance vs. Equivalent ACLs
Compare FPM to ACL: processor utilization percent. Ten FPM classes or equivalent ACL, matching on src/dst IP address, src/dst TCP port, and TCP protocol; ten TCP traffic streams, 50% of generated traffic matching; 7206VXR NPE-400, 128 MB, 12.4(4)T.
Filter Type     | 1,000 pps | 2,000 pps | 3,000 pps | 4,000 pps | 5,000 pps
No Filter       | 13%       | 14%       | 15%       | 16%       | 17%
ACL 1st Match   | 30%       | 36%       | 37%       | 37%       | 37%
FPM 1st Match   | 38%       | 42%       | 43%       | 43%       | 43%
ACL 5th Match   | 32%       | 39%       | 40%       | 41%       | 41%
FPM 5th Match   | 42%       | 50%       | 59%       | 59%       | 59%
ACL 10th Match  | 32%       | 39%       | 39%       | 39%       | 39%
FPM 10th Match  | 42%       | 50%       | 50%       | 50%       | 50%
FPM References
Cisco IOS Flexible Packet Matching (FPM)
http://www.cisco.com/go/fpm
http://www.cisco.com/cgi-bin/tablebuild.pl/fpm
Flexible Packet Matching Deployment Guide
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6723/prod_white_paper0900aecd803936f6_ns696_Networking_Solutions_White_Paper.html
Flexible Packet Matching Feature Guide
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t4/ht_fpm.html
Flexible Packet Matching XML Configuration
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_tcdf.html
Getting Started with Cisco IOS Flexible Packet Matching
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6723/prod_white_paper0900aecd80633b0a.html
Monitoring and Identification
Monitoring
Syslog
NetFlow
Embedded Event Manager
CS-MARS
Syslog
Router
Router# show logging | include 185
Aug 29 2007 15:58:12.181 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55618) (GigabitEthernet0/0 0014.5e6a.5ba6) -> 192.168.150.77(1024), 1 packet
Aug 29 2007 15:58:14.445 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55619) (GigabitEthernet0/0 0014.5e6a.5ba6) -> 192.168.150.77(1024), 1 packet
Aug 29 2007 15:58:16.389 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55620) (GigabitEthernet0/0 0014.5e6a.5ba6) -> 192.168.150.77(1024), 1 packet
Aug 29 2007 15:58:24.429 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55621) -> 192.168.150.77(139), 1 packet
Aug 29 2007 15:58:27.373 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55622) -> 192.168.150.77(139), 1 packet
Aug 29 2007 15:58:29.661 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55623) -> 192.168.150.77(139), 1 packet
The first three entries carry the ingress interface and source MAC address because that ACE uses log-input; the last three come from an ACE that uses plain log.
Firewall
Firewall# show logging | grep 5063b82f
Aug 29 2007 11:14:55: %ASA-4-106023: Deny tcp src outside:192.168.208.63/35746 dst inside:192.168.150.77/389 by access-group "OUTSIDE" [0x5063b82f, 0x0]
Aug 29 2007 11:14:55: %ASA-4-106023: Deny tcp src outside:192.168.208.63/35746 dst inside:192.168.150.77/443 by access-group "OUTSIDE" [0x5063b82f, 0x0]
Aug 29 2007 11:14:55: %ASA-4-106023: Deny tcp src outside:192.168.208.63/35746 dst inside:192.168.150.77/256 by access-group "OUTSIDE" [0x5063b82f, 0x0]
Aug 29 2007 11:14:55: %ASA-4-106023: Deny tcp src outside:192.168.208.63/35746 dst inside:192.168.150.77/399 by access-group "OUTSIDE" [0x5063b82f, 0x0]
The hexadecimal pair at the end of the ASA message identifies the ACE that fired, which is why grepping on 5063b82f returns every hit of that one rule; here one source hits four destination ports within the same second from the same source port, a scanner rather than a retrying client.
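A parser for both message formats with a simple scan heuristic run over the ten lines above, as an added example (not Cisco code). The threshold of three distinct destination ports per source/destination pair and the per-device grouping are choices made for the example; the ten lines are the ones shown on the slide.

```python
"""Parse IOS and ASA ACL deny syslog and flag vertical port scans (added example, not Cisco code)."""
import re
from collections import defaultdict

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# IOS %SEC-6-IPACCESSLOGP; the "(interface mac)" group is present only when the ACE uses log-input.
IOS_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) (?P<proto>\w+) "
    rf"(?P<src>{IPV4})\((?P<sport>\d+)\)(?: \((?P<ifname>\S+) (?P<mac>[0-9a-f.]+)\))? "
    rf"-> (?P<dst>{IPV4})\((?P<dport>\d+)\), (?P<count>\d+) packets?")
# ASA %ASA-4-106023; the hex pair at the end identifies the ACE, not the flow, so it is ignored here.
ASA_RE = re.compile(
    rf"%ASA-\d-106023: Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<src>{IPV4})/(?P<sport>\d+) "
    rf"dst (?P<dif>\w+):(?P<dst>{IPV4})/(?P<dport>\d+) by access-group \"(?P<acl>[^\"]+)\"")

# Sample input: the ten lines shown on the slide.
SAMPLE_LOG = """\
Aug 29 2007 15:58:12.181 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55618) (GigabitEthernet0/0 0014.5e6a.5ba6) -> 192.168.150.77(1024), 1 packet
Aug 29 2007 15:58:14.445 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55619) (GigabitEthernet0/0 0014.5e6a.5ba6) -> 192.168.150.77(1024), 1 packet
Aug 29 2007 15:58:16.389 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55620) (GigabitEthernet0/0 0014.5e6a.5ba6) -> 192.168.150.77(1024), 1 packet
Aug 29 2007 15:58:24.429 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55621) -> 192.168.150.77(139), 1 packet
Aug 29 2007 15:58:27.373 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55622) -> 192.168.150.77(139), 1 packet
Aug 29 2007 15:58:29.661 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55623) -> 192.168.150.77(139), 1 packet
Aug 29 2007 11:14:55: %ASA-4-106023: Deny tcp src outside:192.168.208.63/35746 dst inside:192.168.150.77/389 by access-group "OUTSIDE" [0x5063b82f, 0x0]
Aug 29 2007 11:14:55: %ASA-4-106023: Deny tcp src outside:192.168.208.63/35746 dst inside:192.168.150.77/443 by access-group "OUTSIDE" [0x5063b82f, 0x0]
Aug 29 2007 11:14:55: %ASA-4-106023: Deny tcp src outside:192.168.208.63/35746 dst inside:192.168.150.77/256 by access-group "OUTSIDE" [0x5063b82f, 0x0]
Aug 29 2007 11:14:55: %ASA-4-106023: Deny tcp src outside:192.168.208.63/35746 dst inside:192.168.150.77/399 by access-group "OUTSIDE" [0x5063b82f, 0x0]
""".splitlines()


def parse_event(line):
    """Normalise one line from either device into a dict, or None if it is not an ACL deny."""
    m = IOS_RE.search(line)
    if m:
        return {"device": "router", "acl": m["acl"], "proto": m["proto"],
                "src": m["src"], "sport": int(m["sport"]), "dst": m["dst"],
                "dport": int(m["dport"]), "count": int(m["count"])}
    m = ASA_RE.search(line)
    if m:
        return {"device": "firewall", "acl": m["acl"], "proto": m["proto"],
                "src": m["src"], "sport": int(m["sport"]), "dst": m["dst"],
                "dport": int(m["dport"]), "count": 1}      # 106023 is logged per packet
    return None


def find_scanners(events, min_ports=3):
    """Group denies by (device, src, dst); report pairs that touched >= min_ports distinct ports."""
    groups = defaultdict(lambda: {"ports": set(), "packets": 0})
    for e in events:
        g = groups[(e["device"], e["src"], e["dst"])]
        g["ports"].add(e["dport"])
        g["packets"] += e["count"]
    hits = [{"device": d, "src": s, "dst": t, "distinct_ports": len(g["ports"]), "packets": g["packets"]}
            for (d, s, t), g in groups.items() if len(g["ports"]) >= min_ports]
    return sorted(hits, key=lambda h: (-h["distinct_ports"], h["device"]))


if __name__ == "__main__":
    events = [e for e in map(parse_event, SAMPLE_LOG) if e]
    for hit in find_scanners(events):
        print(hit)
```

With the default threshold only the firewall's view of 192.168.208.63 is flagged (four ports in one second). The router saw the same host hit two ports three times each with incrementing source ports, which is a client retrying a blocked connection; distinct destination ports, not raw hit counts, separate the two.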
ACL Logging
ACL keyword log for Cisco IOS and Cisco ASA, FWSM and PIX
ACL keyword log-input for Cisco IOS (adds the ingress interface and source MAC address to the message)
ip access-list log-update threshold threshold-in-msgs
logging rate-limit message-rate for Cisco IOS
Logged ACEs are process-switched on Cisco IOS, so traffic that matches a logged entry can drive the CPU; the log-update threshold and logging rate-limit commands exist to bound that cost.
Understanding Access Control List Logging
http://www.cisco.com/web/about/security/intelligence/acl-logging.html
Identifying Incidents Using Firewall and Cisco IOS Router Syslog Events
http://www.cisco.com/web/about/security/intelligence/identify-incidents-via-syslog.html
NetFlow: Scalability
Packet capture is like a wiretap
NetFlow is like a phone bill
This level of granularity allows NetFlow to scale for very large amounts of traffic
We can learn a lot from studying the phone bill!
Who's talking to whom, over what protocols and ports, for how long, at what speed, etc.
NetFlow is a form of telemetry pushed from the routers/switches – each one can be a sensor
What Constitutes a Flow?
1. Inspect a packet’s seven key fields and identify the values
2. If the set of key field values is unique, create a new flow record or cache entry
3. When the flow terminates, export the flow to the collection/analysis system
(Diagram: packets are inspected for the NetFlow key fields, flow records are kept in the cache, and NetFlow Export pushes them to the reporting system)
NetFlow Records and Key Fields
NetFlow maintains per-’conversation’ flow data in Flow Records in a cache on a NetFlow-enabled device, and optionally exports that flow data to a collection/ analysis system
It is a form of network telemetry which describes traffic conversations headed to/passing through a router
Key Fields
Key field values define a Flow Record
An attribute in the packet used to create a Flow Record
If the set of key field values is unique, a new flow is created
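To make the three steps above and the "phone bill" metaphor concrete, here is an added example (not code from the deck or from Cisco) of a minimal NetFlow-style flow cache: every packet is keyed on the seven classic key fields, a new key set creates a flow record, counters accumulate, and flows are exported on TCP FIN/RST or on inactive/active timeouts. The exported records are then queried the way an analyst queries a collector: top talkers, and sources whose many one-packet flows give away a scan. The packets are constructed in memory and the timeouts are assumed values.

```python
"""A minimal NetFlow-style flow cache: packets are keyed on the seven
classic key fields, counters are aggregated per flow, flows are expired on
inactive/active timeouts (or TCP FIN/RST) and 'exported' as records that
can then be queried like a phone bill.

Added example; not code from the deck or from Cisco. The packets are
constructed in memory; the timeout defaults mimic the IOS values (15 s
inactive, 30 min active) but are assumptions for this illustration.
"""
from collections import namedtuple

# The seven NetFlow key fields: source/destination IP, source/destination
# port, Layer 3 protocol, ToS byte and input interface index.
FlowKey = namedtuple("FlowKey", "src dst sport dport proto tos ifindex")

TCP, UDP = 6, 17
FIN, SYN, RST = 0x01, 0x02, 0x04


class FlowCache:
    def __init__(self, inactive=15.0, active=1800.0):
        self.inactive, self.active = inactive, active
        self.cache = {}      # FlowKey -> flow record being built
        self.exported = []   # records handed to the collector

    def packet(self, ts, src, dst, sport, dport, proto, size, flags=0, tos=0, ifindex=1):
        """Account one packet: a new key set starts a flow record, else update it."""
        self.expire(ts)
        key = FlowKey(src, dst, sport, dport, proto, tos, ifindex)
        rec = self.cache.get(key)
        if rec is None:
            rec = self.cache[key] = {"key": key, "first": ts, "last": ts,
                                     "pkts": 0, "bytes": 0, "tcp_flags": 0}
        rec["pkts"] += 1
        rec["bytes"] += size
        rec["last"] = ts
        rec["tcp_flags"] |= flags
        if proto == TCP and flags & (FIN | RST):   # conversation over: export now
            self._export(key)

    def expire(self, now):
        """Export flows idle longer than `inactive` or older than `active`."""
        for key, rec in list(self.cache.items()):
            if now - rec["last"] > self.inactive or now - rec["first"] > self.active:
                self._export(key)

    def _export(self, key):
        self.exported.append(self.cache.pop(key))

    def flush(self):
        for key in list(self.cache):
            self._export(key)
        return self.exported


def top_talkers(records, n=3):
    """Bytes sent per source address, largest first."""
    totals = {}
    for r in records:
        totals[r["key"].src] = totals.get(r["key"].src, 0) + r["bytes"]
    return sorted(totals.items(), key=lambda kv: -kv[1])[:n]


def probe_sources(records, min_targets=3):
    """Sources reaching >= min_targets distinct (dst, dport) with one-packet
    flows: the phone-bill signature of a port or host scan."""
    fan = {}
    for r in records:
        if r["pkts"] == 1:
            fan.setdefault(r["key"].src, set()).add((r["key"].dst, r["key"].dport))
    return {s: len(t) for s, t in fan.items() if len(t) >= min_targets}


def run_sample():
    """Feed a constructed packet stream through the cache; return exported flows."""
    c = FlowCache()
    web, dns, scanner, victim = "10.1.1.5", "10.1.1.1", "192.168.208.63", "192.168.150.77"
    pkts = [
        (0.0, web, "192.168.150.60", 40001, 80, TCP, 60, SYN),     # one HTTP session
        (0.1, web, "192.168.150.60", 40001, 80, TCP, 500, 0),
        (0.2, web, "192.168.150.60", 40001, 80, TCP, 1200, 0),
        (0.3, web, "192.168.150.60", 40001, 80, TCP, 60, FIN),
        (1.0, web, dns, 40002, 53, UDP, 70, 0),                     # DNS query
        (1.01, dns, web, 53, 40002, UDP, 120, 0),                   # DNS reply: its own key
        (2.0, scanner, victim, 50001, 135, TCP, 60, SYN),           # SYN probes, one per port
        (2.1, scanner, victim, 50002, 139, TCP, 60, SYN),
        (2.2, scanner, victim, 50003, 445, TCP, 60, SYN),
        (2.3, scanner, victim, 50004, 1025, TCP, 60, SYN),
    ]
    for p in pkts:
        c.packet(*p)
    return c.flush()


if __name__ == "__main__":
    flows = run_sample()
    print(len(flows), "flows exported")
    print(top_talkers(flows))
    print(probe_sources(flows))
```

The design point is that the cache never stores payload, only the key tuple and counters, which is why the router can keep up with traffic that a packet capture could not; the cost is that everything you later want to ask must be answerable from those fields.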
NetFlow CLI Output

Router#show ip cache flow
IP packet size distribution (126502449 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .009 .622 .036 .007 .008 .008 .004 .012 .000 .000 .004 .001 .002 .002 .007
------------------------- Output Truncated -----------------------
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet    11403610      2.6         1    49      3.0       0.0       1.5
TCP-FTP           6769      0.0         8    53      0.0       6.0       7.7
TCP-FTPD           665      0.0      3334   889      0.5      54.0       0.4
TCP-WWW         163728      0.0        13   750      0.5       4.2       9.2
TCP-SMTP             8      0.0         1    46      0.0       0.0      10.2
TCP-X              727      0.0         1    40      0.0       0.0       1.4
TCP-BGP              9      0.0         1    45      0.0       0.0      10.5
TCP-NNTP             8      0.0         1    46      0.0       0.0      10.0
TCP-Frag         70399      0.0         1   688      0.0       0.0      22.7
TCP-other     49098543     11.4         2   263     23.7       0.0       1.4
UDP-DNS         874082      0.2         1    58      0.2       0.0      15.4
UDP-NTP        1127350      0.2         1    76      0.2       0.6      15.5
UDP-TFTP             6      0.0         3    63      0.0      11.0      19.5
UDP-other       996247      0.2         1   164      0.4       0.3      16.7
ICMP            262111      0.0         8    47      0.5      13.4      21.2
IPv6INIP            15      0.0         1  1132      0.0       0.0      15.4
GRE                694      0.0         1    50      0.0       0.0      15.4
IP-other             2      0.0         2    20      0.0       0.1      15.7
Total:        64004973     14.9         1   251     29.4       0.1       2.2

SrcIf   SrcIPaddress    DstIf   DstIPaddress    Pr SrcP DstP Pkts
Gi0/0   172.18.109.132  Gi0/1*  192.168.150.60  06 1A29 835D 2
Gi0/0   172.18.109.132  Gi0/1   192.168.150.60  06 1A29 835D 2
Gi0/1   192.168.132.44  Gi0/0*  10.89.245.149   11 007B 007B 1

Rows highlighted on the slide: TCP-Frag (fragmented TCP, 70399 flows) and IPv6INIP (IPv6 tunneled in IPv4, 15 flows). Protocol numbers and ports in the flow lines are hexadecimal (06 = TCP, 11 = UDP, 007B = 123/NTP).
NetFlow Deployment Considerations
NetFlow should typically be enabled on all router interfaces where possible; it is useful for on-box troubleshooting via the CLI as well as for export to analysis systems
Ingress and egress NetFlow are now supported. Analysis systems typically must be configured to understand which is in use, for purposes of directionality; enabling both on the same transit path counts each flow twice
1:1 NetFlow is useful for troubleshooting, forensics, traffic analysis, and behavioral/relational anomaly detection
Sampled NetFlow is useful for traffic analysis and behavioral/relational anomaly detection. Sampling is typically used in high-volume traffic situations where 1:1 NetFlow Data Export (NDE) is impractical; a sampled record set will miss single-packet events such as a probe of one port
Embedded Event Manager (EEM)
Allows instrumentation of the Cisco IOS device and reactive capabilities that can be useful in improving security
Available since Cisco IOS Software versions 12.0(26)S and 12.3(4)T
Cisco IOS Documentation: Embedded Event Manager 2.2
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t2/ht_eem.html
White Paper: Embedded Event Manager in a Security Context
http://www.cisco.com/web/about/security/intelligence/embedded-event-mgr.html
EEM Scripting Community
http://www.cisco.com/go/ciscobeyond
*Detailed information in BRKSEC-3007 Solving Security Challenges with Embedded Event Manager
EEM Example
Interface Input Queue Monitor
http://forums.cisco.com/eforum/servlet/EEM?page=eem&fn=script&scriptId=981
Cisco Applied Mitigation Bulletin: Identifying and Mitigating Exploitation of the IPv4 User Datagram Protocol Delivery Issue for IPv4/IPv6 Dual-Stack Routers
http://www.cisco.com/warp/public/707/cisco-amb-20080326-IPv4IPv6.shtml
Example syslog message:
%HA_EM-7-LOG: system:/lib/tcl/eem_scripts_registered/interface-input-q.tcl: Interface GigabitEthernet0/0 input queue full. Input queue: 4001/4000 (size/max)
CS-MARS Contextual Analysis Overview
Events: Raw messages sent to CS-MARS by reporting devices; examples include syslog, SNMP, NetFlow, and IPS signatures
Sessions: Correlated events
Incidents: Sessions matched against rules that are indicative of malicious behavior
Rules are used to perform logic on events which create sessions and possibly incidents
CS-MARS Rules
Over a specified time range events are correlated to become incidents
CS-MARS Rules in Action
Events from same source and destination IP addresses correlated within a timeframe to become an incident
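The event, session and incident layering on the three CS-MARS slides, as an added example in code (this is not CS-MARS code): events from several reporting devices are grouped into sessions by address pair, and multi-stage rules bounded by a time range turn them into incidents. One rule needs the same source/destination pair across stages; the second lets the victim of stage one become the source of stage two, which is how a "probe, exploit, then call home" chain is caught. The events and their category labels (modeled on the marsCategory strings that appear in the IPS alerts later in the deck) are constructed.

```python
"""Event -> session -> incident correlation in the CS-MARS style: raw events
from several reporting devices are grouped into sessions by address pair and
then matched against multi-stage rules bounded by a time range.

Added example, not CS-MARS code. The events, their category labels (modeled
on the marsCategory strings in the IPS alerts shown later) and the two rules
are constructed for the illustration.
"""
from collections import namedtuple

Event = namedtuple("Event", "t device src dst category")   # t: seconds
# stages: list of (category prefix, link to the previous stage); window: seconds
Rule = namedtuple("Rule", "name stages window")

EVENTS = [  # constructed
    Event(0,    "asa",     "192.168.208.63", "192.168.150.77", "Probe/PortSweep/FirewallDeny"),
    Event(30,   "ips",     "192.168.208.63", "192.168.150.77", "Probe/PortSweep/Non-stealth"),
    Event(120,  "ips",     "192.168.208.63", "192.168.150.77", "Penetrate/BufferOverflow/RPC"),
    Event(200,  "netflow", "192.168.150.77", "203.0.113.10",   "Persist/CommandAndControl"),
    Event(260,  "ios",     "10.9.9.9",       "192.168.150.60", "Probe/PortSweep/ACLDeny"),
    Event(4000, "ips",     "10.9.9.9",       "192.168.150.60", "Penetrate/BufferOverflow/RPC"),
]

RULES = [
    # a probe, then an exploit against the same src/dst pair within 10 minutes
    Rule("probe-then-exploit", [("Probe", None), ("Penetrate", "same_pair")], 600),
    # an exploit, then the victim itself opens an outbound C2 session within 10 minutes
    Rule("exploit-then-c2", [("Penetrate", None), ("Persist", "victim_as_source")], 600),
]


def sessionize(events, gap=300):
    """Group events sharing src/dst into sessions; a pair quiet for more than
    `gap` seconds starts a new session."""
    sessions, current = [], {}
    for e in sorted(events, key=lambda e: e.t):
        pair = (e.src, e.dst)
        s = current.get(pair)
        if s is None or e.t - s[-1].t > gap:
            s = []
            sessions.append(s)
            current[pair] = s
        s.append(e)
    return sessions


def _linked(prev, cur, link):
    if link == "same_pair":
        return (cur.src, cur.dst) == (prev.src, prev.dst)
    if link == "victim_as_source":
        return cur.src == prev.dst
    raise ValueError("unknown link %r" % link)


def match_rule(rule, events):
    """Incidents for one rule: event chains that satisfy the stages in order,
    all within rule.window seconds of the chain's first event. Events used by
    one incident are not reused for another."""
    events = sorted(events, key=lambda e: e.t)
    used, incidents = set(), []
    for i, first in enumerate(events):
        if i in used or not first.category.startswith(rule.stages[0][0]):
            continue
        chain, idx = [first], [i]
        for j in range(i + 1, len(events)):
            e = events[j]
            if e.t - first.t > rule.window:
                break
            prefix, link = rule.stages[len(chain)]
            if j not in used and e.category.startswith(prefix) and _linked(chain[-1], e, link):
                chain.append(e)
                idx.append(j)
                if len(chain) == len(rule.stages):
                    incidents.append(chain)
                    used.update(idx)
                    break
    return incidents


def correlate(events, rules):
    return [{"rule": r.name, "events": chain} for r in rules for chain in match_rule(r, events)]


if __name__ == "__main__":
    for s in sessionize(EVENTS):
        print("session", s[0].src, "->", s[0].dst, [e.category for e in s])
    for inc in correlate(EVENTS, RULES):
        print("incident", inc["rule"], [(e.t, e.device) for e in inc["events"]])
```

The second source in the sample (10.9.9.9) probes and then, an hour later, triggers the same exploit signature; it produces no incident because the rule's time range has elapsed, which is exactly the trade-off a correlation window imposes.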
Intrusion Detection and Prevention Capabilities
Intrusion Detection and Prevention
Cisco Security Agent
Cisco IPS
CSA/IPS Collaboration
Preventing Endpoint Attacks Using CSA
All attacks perform certain behaviors to succeed; CSA allows you to defeat those actions using interceptors
0-day and targeted attacks may bypass or defeat the other protection mechanisms that are deployed
0-day protection = the ability to stop malicious code without reconfiguration or update
Protects endpoints from being compromised when other protections have failed
There is a limited number of "vectors" into a system; one or more of these behaviours must be used by every attack
Stop the attack at one of these vectors and you prevent the whole attack (several opportunities exist, not just one)
Monitoring and controlling these behaviors prevents malicious activity
Preventing Execution
Cisco Security Agent (CSA) provides multiple interceptors for the detection and prevention of threats
Network
File System
Configuration
Execution Space
CSA is best utilized for preventing attacks targeting endpoint compromise
Do not forget about protection methods using your network
Policy Rules Drive Interceptors
Traffic Marking
File Integrity Assurance
Wireless Policy Controls
Host Intrusion Detection
IPS and NAC Integration
Network Worm Prevention
Spyware and Malware Prevention
Distributed Firewall
(Interceptors driven by these policy rules: Execution Space, Configuration, File System, Network, Security Application)
Intrusion Protection for the Network
Detect malicious payloads, perform behavioral analysis, anomaly detection, policy adjustments, and rapid threat response
Inline protection or promiscuous mode (only inline mode can drop the offending packet itself)
Automatic Threat Prevention with IPS 6.x denies packets whose Risk Rating value is in the range 90-100
Multivector protection at all points in the network, desktop, and server endpoints
Integration with Cisco CSA and Cisco Wireless Controller
Threat Rating
Risk Rating thresholds drive mitigation. The Risk Rating of an event is built from four inputs:
Event Severity: how urgent is the threat?
Signature Fidelity: how prone to false positives is the signature?
Attack Relevancy: is the attack relevant to the host being attacked?
Asset Value of Target: how critical is this destination host?
Event Severity + Signature Fidelity + Attack Relevancy + Asset Value of Target = Risk Rating
Result: a calibrated Risk Rating enables scalable management of sophisticated threat prevention technologies and drives the mitigation policy
Threat Rating
Threat Rating: dynamic adjustment of an event's Risk Rating based on the success of the response action
If a response action was applied, the Risk Rating is reduced (TR < RR)
If no response action was applied, the Risk Rating remains unchanged (TR = RR)
Benefit: prioritizes alerts for operator attention; the operator can focus incident response activities on those threats that have not been mitigated
Post-policy evaluation of incident urgency
Attack 1: no action configured. Risk Rating = 85, Threat Rating = 85
Attack 2: action configured, attack mitigated. Risk Rating = 85, Threat Rating = 55
Event Action Overrides
ips6x# configure terminal
ips6x(config)# service event-action-rules rules0
ips6x(config-eve)# show settings
-----------------------------------------------
overrides (min: 0, max: 15, current: 3)
-----------------------------------------------
<protected entry>
action-to-add: deny-packet-inline <defaulted>
-----------------------------------------------
override-item-status: Enabled <defaulted>
risk-rating-range: 90-100 <defaulted>
-----------------------------------------------
action-to-add: produce-alert
-----------------------------------------------
override-item-status: Enabled <defaulted>
risk-rating-range: 0-35 default: 0-100
-----------------------------------------------
action-to-add: produce-verbose-alert
-----------------------------------------------
override-item-status: Enabled <defaulted>
risk-rating-range: 35-90 default: 0-100
-----------------------------------------------
Notes on the output above:
The protected first override, deny-packet-inline for risk rating 90-100, is Automatic Threat Prevention in IPS 6.x
produce-alert writes the evIdsAlert to the EventStore; produce-verbose-alert writes it together with the triggerPacket
These are global overrides applied to all IPS events; note that the configured ranges 0-35, 35-90 and 90-100 share their boundary values
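The Risk Rating, Threat Rating and event-action-override slides above, worked through in code as an added example (this is not Cisco code). The RR formula, the component weights and the per-action Threat Rating deductions are my reading of the Cisco IPS 6.x documentation and should be treated as assumptions; the fidelity values in the sample calls were chosen so that the results reproduce the RR values that appear in the alerts on these slides (77 for the watch-listed port sweep, 85 for signature 5858), and the 35-point deduction for deny-packet-inline reproduces the RR 85 to TR 50 change in the 5858 alert. The never-block handling is an assumed representation of the event action filter the Reactions in Depth slide mentions.

```python
"""Risk Rating -> event action overrides -> Threat Rating, worked in code.

Added example, not Cisco code. The RR formula, the component weights and the
per-action Threat Rating deductions are my reading of the Cisco IPS 6.x
documentation and are assumptions for this illustration; the fidelity values
in the sample calls were chosen so the results match the RR values in the
alerts shown on these slides (77 and 85). Check against your own sensor.
"""
# Attack Severity Rating (signature severity), Target Value Rating (asset value
# of the victim) and Attack Relevance Rating (OS relevance), as assumed here.
ASR = {"informational": 25, "low": 50, "medium": 75, "high": 100}
TVR = {"zero": 50, "low": 75, "medium": 100, "high": 150, "mission-critical": 200}
ARR = {"relevant": 10, "unknown": 0, "not-relevant": -10}

# Threat Rating deduction applied when the sensor actually took the action
# (assumed values; the 35 for deny-packet-inline reproduces RR 85 -> TR 50).
TR_DEDUCTION = {
    "deny-attacker-inline": 45,
    "deny-attacker-victim-pair-inline": 40, "deny-attacker-service-pair-inline": 40,
    "deny-connection-inline": 35, "deny-packet-inline": 35, "modify-packet-inline": 35,
    "request-block-host": 20, "request-block-connection": 20, "request-rate-limit": 20,
}

# Event action overrides from the rules0 listing above: (RR range, action).
OVERRIDES = [
    ((90, 100), "deny-packet-inline"),
    ((0, 35), "produce-alert"),
    ((35, 90), "produce-verbose-alert"),
]


def risk_rating(severity, fidelity, target_value, relevance, watchlist=0, promisc_delta=0):
    """RR = ASR*SFR*TVR/10000 + ARR + WLR - PD, clamped to 0..100.
    fidelity is the Signature Fidelity Rating (0-100), watchlist the rating
    added for an attacker on the CSA watch list, promisc_delta the
    promiscuous-mode deduction."""
    rr = ((ASR[severity] * fidelity * TVR[target_value]) / 10000
          + ARR[relevance] + watchlist - promisc_delta)
    return max(0, min(100, int(round(rr))))


def actions_for(rr, signature_actions=("produce-alert",), attacker=None, never_block=frozenset()):
    """The signature's own actions plus every override whose RR range covers rr.
    Deny/block actions are stripped for attackers on the never-block list: the
    event action filter that stops a spoofing attacker from getting your own
    hosts shunned (assumed representation)."""
    actions = set(signature_actions)
    for (lo, hi), action in OVERRIDES:
        if lo <= rr <= hi:
            actions.add(action)
    if attacker in never_block:
        actions = {a for a in actions
                   if not (a.startswith("deny-") or a.startswith("request-block"))}
    return sorted(actions)


def threat_rating(rr, applied_actions):
    """TR = RR minus the deduction of the strongest response action taken;
    unchanged when no response action was applied."""
    deductions = [TR_DEDUCTION[a] for a in applied_actions if a in TR_DEDUCTION]
    return rr - max(deductions) if deductions else rr


if __name__ == "__main__":
    # 5858 DNS Server RPC buffer overflow: high severity, medium-value target
    rr = risk_rating("high", 75, "medium", "relevant")
    acts = actions_for(rr)
    print(rr, acts, threat_rating(rr, acts))            # verbose alert only, TR == RR
    rr2 = risk_rating("high", 95, "mission-critical", "relevant")
    acts2 = actions_for(rr2)
    print(rr2, acts2, threat_rating(rr2, acts2))        # denied inline, TR drops
    # 3002 port sweep from a CSA watch-list host: +25 watch list rating
    print(risk_rating("low", 84, "medium", "relevant", watchlist=25))
```

The operational lesson is in the second call: the same signature against a mission-critical asset crosses the 90 threshold, the packet is denied, and the Threat Rating drops, so the alert sinks in the operator's queue while the unmitigated 85 stays at the top.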
Reactions in Depth
Denied traffic is dropped by the device inspecting the flows (inline): quick and effective for all protocols
Shunned traffic is blocked by an auxiliary device (a router or firewall the sensor reconfigures): mitigates closer to the miscreant, with some time latency; the potential DoS vector (an attacker spoofing addresses you depend on so that they get shunned) is preventable using never-block or event action filters
TCP RST is performed for connection-based traffic streams: limited protocol coverage, and it adds RST packets to the network
IPS/CSA Collaboration Benefits
The IPS can automatically get endpoint posture information to use in calculating the threat rating making detection more accurate
Undisclosed or encrypted exploits not identified by the IPS are likely to be detected by CSA, since it watches behaviour on the host rather than traffic on the wire
CSA-MC can correlate data and create automated watch lists which can be forwarded to the IPS and automatically adjust the threat rating for events seen by addresses that are part of the watch list
Automation: CSA/IPS Collaboration
(Screenshots: CSA MC configuration and IPS configuration)
Enhanced contextual analysis of endpoint
Ability to use CSA inputs to influence IPS actions
Correlation of information contained in CSA watch list
Host quarantining
(Diagram: Network IPS and Cisco Security Agent Collaboration. The management console pushes the CSA watch list entry 192.168.1.111 to the network IPS, which elevates the risk rating and denies 192.168.1.111 toward the service provider side)
Automation: CSA/IPS Collaboration
evIdsAlert: eventId=1166774738236276775 vendor=Cisco severity=low
  originator:
    hostId: ips6x
    appName: sensorApp
    appInstanceId: 388
  time: May 17, 2007 8:33:28 PM UTC offset=-300 timeZone=CDT
  signature: description=TCP SYN Port Sweep id=3002 version=S2
    subsigId: 0
    marsCategory: Probe/PortSweep/Non-stealth
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: 192.168.1.111 locality=OUT
      port: 55852
    target:
      addr: 192.168.2.222 locality=OUT
      port: 663 port: 33 port: 231 port: 564 port: 838
      os: idSource=imported type=windows relevance=relevant
  triggerPacket: <truncated>
  riskRatingValue: 77 targetValueRating=medium attackRelevanceRating=relevant watchlist=25
  threatRatingValue: 77
  interface: ge0_0
  protocol: tcp
Risk Rating (and therefore Threat Rating) increased by 25 because the attacker is on the watch list (watchlist=25)
Case Study: MS-RPC-DNS (CVE-2007-1748)
Microsoft RPC DNS 0-Day (CVE-2007-1748)
Anatomy of the attack against the victim:
Probe: query the RPC Endpoint Mapper on TCP/135 for vulnerable ports, or scan TCP/1024-5000; guess user accounts on TCP/139 and 445
Penetrate: deliver the buffer overflow to ports TCP/139, TCP/445, UDP/445, TCP/1024-5000
Persist [exploit dependent] and Propagate [exploit dependent]: download and copy malicious code to C:\U.exe, create back door access, connect to command and control on TCP port 8080 (W32/Nirbot.worm!83E1220A)
Paralyze: exploit specific
Mitigating the Vulnerability
ACLs: mitigation at the L3 boundary where deployed; VLAN maps and port ACLs for L2 access control if needed. If the application is required, ACLs provide no value against the sources that are allowed access
IPS signatures: understand the application/vulnerability better, for when the application is required or ACLs do not suffice. Provides no mitigation unless directed to do so (the sensor must be inline and configured to deny)
Endpoint: CSA or the patch prevents exploitation
Mitigation: Cisco IOS ACL (Modularized)
ip access-list extended ACCESS-LIST
200 deny ip 127.0.0.0 0.255.255.255 any !-- Deny Loopback netblock (src)
210 deny ip any 127.0.0.0 0.255.255.255 !-- Deny Loopback netblock (dst)
220 deny ip 192.0.2.0 0.0.0.255 any !-- Deny Test-Net netblock (src)
230 deny ip any 192.0.2.0 0.0.0.255 !-- Deny Test-Net netblock (dst)
240 deny ip 169.254.0.0 0.0.255.255 any !-- Deny Link Local netblock (src)
250 deny ip any 169.254.0.0 0.0.255.255 !-- Deny Link Local netblock (dst)
----- MS RPC 0-day ACEs -----
500 deny tcp any 192.168.100.0 0.0.0.255 eq 135 !-- MS RPC Endpoint Mapper
510 deny tcp any 192.168.100.0 0.0.0.255 eq 139 !-- NetBIOS Session Service
520 deny tcp any 192.168.100.0 0.0.0.255 eq 445 !-- Microsoft DS, and Zotob
530 deny udp any 192.168.100.0 0.0.0.255 eq 445 !-- SMB vulns
540 deny udp any 192.168.100.0 0.0.0.255 eq 1025 !-- MS RPC and LSA exploit traffic,
!-- and RinBot scanning for hosts
!-- that are vulnerable
550 deny tcp any 192.168.100.0 0.0.0.255 range 1024 5000 !-- MS RPC DNS 0-day scans
560 deny tcp any any eq 4444 !-- Metasploit Reverse Shell
570 deny udp any any eq 1434 !-- MS SQL, Sapphire/Slammer Worm
580 deny tcp any any range 6660 6669 !-- IRC traffic
590 deny tcp any any eq 7000 !-- IRC traffic
Mitigation: FW ACL (Modularized)
Firewall# show access-list tACL
access-list tACL line 1 deny ip host 127.0.0.0 any
access-list tACL line 2 deny ip 192.0.2.0 255.255.255.0 any
access-list tACL line 3 deny ip any 192.0.2.0 255.255.255.0
--------- Output Truncated -------
access-list tACL line 10 deny icmp any 192.168.100.0 255.255.255.0 echo
--------- Output Truncated -------
access-list tACL line 19 permit tcp any host 192.168.100.10 eq www
access-list tACL line 20 permit tcp any host 192.168.100.10 eq https
--------- Output Truncated -------
access-list tACL line 35 deny ip any any
The 0-day ACEs, each inserted at line 19 so that they sit before the permit entries (the line number shown is the insertion point; the appliance renumbers the following lines):
access-list tACL line 19 deny tcp any 192.168.100.0 255.255.255.0 eq 135
access-list tACL line 19 deny tcp any 192.168.100.0 255.255.255.0 eq netbios-ssn
access-list tACL line 19 deny tcp any 192.168.100.0 255.255.255.0 eq 445
access-list tACL line 19 deny udp any 192.168.100.0 255.255.255.0 eq 445
access-list tACL line 19 deny udp any 192.168.100.0 255.255.255.0 eq 1025
access-list tACL line 19 deny tcp any 192.168.100.0 255.255.255.0 range 1024 5000
Mitigation: IPS Signature 5858
ips6x#show events alert | include id=5858
------------Output Truncated ----------
signature: description=DNS Server RPC Interface Buffer Overflow id=5858 version=S282
subsigId: 0
sigDetails: DNS Server RPC Interface Buffer Overflow
marsCategory: Penetrate/BufferOverflow/RPC
interfaceGroup: vs0
vlan: 0
participants:
attacker:
addr: locality=OUT 192.168.6.66
port: 1063
target:
addr: locality=IN 192.168.1.11
port: 1032
os: idSource=learned type=windows-nt-2k-xp relevance=relevant
actions:
deniedPacket: true
riskRatingValue: 85 targetValueRating=medium attackRelevanceRating=relevant
threatRatingValue: 50
interface: ge0_0
protocol: tcp
Callouts on the slide: the signature description and ID (the signature: line), OS identification and relevancy (the os: line), and the Risk Rating, the action taken and the resulting Threat Rating (deniedPacket: true, riskRatingValue: 85, threatRatingValue: 50)
Mitigation: CSA
Security Application Interceptors Prevent Code Execution in Many Cases
Must Be in Protect Mode to Prevent
Identification: ACL Counters

Firewall ACL counters:
Firewall# show access-list tACL
-------- Output Truncated ---------
access-list tACL line 19 deny tcp any 192.168.100.0 255.255.255.0 eq 135 (hitcnt=3)
access-list tACL line 20 deny tcp any 192.168.100.0 255.255.255.0 eq netbios-ssn (hitcnt=0)
access-list tACL line 21 deny tcp any 192.168.100.0 255.255.255.0 eq 445 (hitcnt=10)
access-list tACL line 22 deny tcp any 192.168.100.0 255.255.255.0 range 1024 5000 (hitcnt=106)
Router ACL counters:
Router#show access-lists ACCESS-LIST
Extended IP access list ACCESS-LIST
-------- Output Truncated -------------
500 deny tcp any 192.168.100.0 0.0.0.255 eq 135 (4 matches)
510 deny tcp any 192.168.100.0 0.0.0.255 eq 139
520 deny tcp any 192.168.100.0 0.0.0.255 eq 445
530 deny udp any 192.168.100.0 0.0.0.255 eq 445
540 deny tcp any 192.168.100.0 0.0.0.255 range 1024 5000 (96 matches)
Identification: Firewall Syslog Events
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35565 to 192.168.2.1/1025 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35566 to 192.168.2.1/1026 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35567 to 192.168.2.1/1027 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35568 to 192.168.2.1/1028 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35569 to 192.168.2.1/1029 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35570 to 192.168.2.1/1030 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35571 to 192.168.2.1/1031 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35572 to 192.168.2.1/1032 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35573 to 192.168.2.1/1033 flags SYN on interface outside
May 16 2007 15:08:49: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35574 to 192.168.2.1/1033 flags SYN on interface outside
May 16 2007 15:08:49: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35575 to 192.168.2.1/1032 flags SYN on interface outside
May 16 2007 15:08:49: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35576 to 192.168.2.1/1031 flags SYN on interface outside
(One source walking the TCP 1024-5000 range of one host, one port per SYN, within two seconds: the high-port scan from the Probe phase)
Identification: IPS

Attack Phase             Purpose                            Signature                                   Signature ID
Probe                    Detect TCP high port probe         TCP High Port Sweep                         3010/0
Probe                    Detect SMB authentication attempts SMB Authorization Failure                   5606/0
Probe                    SMB authentication                 SMB Login Successful with Guest             5576/0
Probe                    SMB authentication                 SMB Null Login Attempt                      5577/0
Penetrate                Detect vulnerability               DNS Server RPC Interface Buffer Overflow    5858/0-4
Persist and Propagate    Command and control bot access     Non-HTTP Traffic                            12674/0
The Exploits
W32/Nirbot.worm!83E1220A
Download worm on random HTTP server port
Connect via IRC over port 8080
IRC servers include:
{blocked}.rofflewaffles.us
{blocked}.anti-viral.us
{blocked}.wayne.brady.gonna.have.to.{blocked}.us
Chasing individual exploits is a bit like chasing your tail, but there are several patterns we can catch (this time) and several ways in which they can be mitigated
Exploit Specific
Restricting outbound policy to a few good ports (80,443,53,25,21) will prevent IRC over 8080
Web filtering or using a proxy may prevent download of worm over HTTP
ACL for blacklisting IRC C&C servers
DNS blackholing for C&C servers (resolve the C&C names to 127.0.0.1, or better to an internal sinkhole host, so that the infected clients that try to connect can be identified from its logs)
Firewall application inspection on port 8080
Search transit device logs or NetFlow for IRC servers, C&C servers
Exploit Specific: ASA HTTP Inspection
!
access-list web-ports extended permit tcp any any eq 80
access-list web-ports extended permit tcp any any eq 8080
!
class-map webports
 match access-list web-ports
!
policy-map type inspect http http-policy
 parameters
 protocol-violation action drop-connection
!
policy-map global_policy
 class webports
 inspect http http-policy
!
service-policy global_policy global
!
With this policy a non-HTTP protocol on port 8080 (the IRC command-and-control channel in this case) is an HTTP protocol violation and the connection is dropped
References
Microsoft Security Advisory (935964), Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/935964.mspx
Cisco Applied Mitigation Bulletin: Identifying and Mitigating Exploitation of the Microsoft Security Advisory (935964) Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution
http://www.cisco.com/warp/public/707/cisco-amb-20070413-ms-rpc-dns.shtml
Nirbot's Latest Move: MS DNS Exploits [Arbor]
http://asert.arbornetworks.com/2007/04/nirbots-latest-move-ms-dns-exploits/
References (cont…)
W32.Rinbot.BC [Symantec]
http://www.symantec.com/security_response/writeup.jsp?docid=2007-041701-3720-99&tabid=2
New Rinbot Scanning for Port 1025 DNS/RPC [SANS]
http://www.isc.sans.org/diary.html?storyid=2643
W32/Delbot-AI [Sophos]
http://www.sophos.com/security/analyses/viruses-and-spyware/w32delbotai.html
W32/Nirbot.worm!83E1220A [McAfee]
http://vil.nai.com/vil/content/v_142025.htm
Case Study 2: MS08-001
Vulnerabilities
Windows Kernel TCP/IP IGMPv3 and MLDv2 Vulnerability –CVE-2007-0069
Remote Code Execution or Denial of Service utilizing crafted packets over IGMPv3/IPv4 (Windows XP, Windows Vista, Windows Server 2003) or MLDv2/IPv6 (Windows Vista)
Windows Kernel TCP/IP ICMP Vulnerability – CVE-2007-0066
Denial of Service utilizing a fragmented ICMP router advertisement packet
Microsoft Security Bulletin MS08-001: Critical Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (941644)
http://www.microsoft.com/technet/security/bulletin/MS08-001.mspx
IGMPv3/MLDv2
RFCs IGMPv3/RFC 3376, IGMPv2/ RFC 2236, IGMPv1/RFC 1112, MLDv2/RFC 3810, MLDv1/RFC 2710
Both protocols provide essentially the same multicast functionality
Not much information in the initial advisory; however, a miscreant could potentially get in the ballpark by looking at what features were added between protocol versions
Routers will not forward multicast unless configured to do so, but they will forward LSRR and SSRR (loose and strict source routed) packets unless that is disabled
A working exploit could potentially own or DoS all hosts that are part of a multicast group on a local network
Encapsulation or social engineering could be used to traverse Layer 3 boundaries
ICMP Type 9 (Router Advertisement), RFC 1256
A host never sends Type 9 messages (if obeying the RFC)
Valid destination addresses are 224.0.0.1, 224.0.0.2 and 255.255.255.255
Therefore this is all link local; Layer 3 controls provide little benefit except in possible corner cases, while preventing hosts from sending ICMP Type 9 messages at Layer 2 will mitigate the vulnerability
Since the vulnerability requires fragmentation, preventing fragmentation is an effective mitigation
A miscreant could potentially encapsulate this message in something else, such as a loose source routed packet, to make the message appear as if it came from a router and to perform the exploit from non-local networks
Mitigating the Vulnerability
Cisco IOS: ACL fragmentation filtering, protocol filtering and options filtering; Layer 2 preferred; features such as no ip source-route and ip options drop
IPS: signatures 6224/0, 6755/0, and 2150/0 (Fragmented ICMP traffic; 2150/0 is also available via ip audit in ASA, FWSM, and PIX); provides no mitigation unless directed to do so
ASA/FWSM/PIX: default handling of IP options drops packets with options present; the fragment chain command
Endpoint: patch or host firewall
Mitigation: Cisco IOS Features and ACLs
Router(config)#no ip source-route
Router(config)#ip options drop
% Warning: RSVP and other protocols that use IP Options packets
may not function as expected.
----------
Router(config)#ip access-list extended tACL
Router(config-ext-nacl)#deny ip any any fragments
Router(config-ext-nacl)#deny icmp any any router-advertisement
Router(config-ext-nacl)#deny ip any any option lsr
Router(config-ext-nacl)#deny ip any any option ssr
!-- The fragments keyword matches non-initial fragments only (fragment offset
!-- greater than zero); the initial fragment still carries the ICMP header and
!-- is matched by the router-advertisement (ICMP type 9) ACE. Only the deny
!-- ACEs are shown; the tACL needs its permit entries after them.
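The ACL above expressed as a packet check, as an added example (not Cisco code): a small IPv4 header parser applies the four ACEs in order with IOS semantics, and constructed packets show the one point that trips people up, namely that the fragments keyword matches only non-initial fragments, so the first fragment of a router advertisement is caught by the router-advertisement ACE and not by the fragments ACE. A trailing permit ip any any is assumed as the ACL's last line; the addresses and packets are constructed.

```python
"""Which of the MS08-001 ACEs would a given IPv4 packet hit?  A small IPv4
header parser applies the slide's tACL logic in software: non-initial
fragments, ICMP router advertisements (type 9) and LSRR/SSRR options.

Added example, not Cisco code; the packets are constructed with build_ipv4
and a trailing 'permit ip any any' is assumed as the ACL's last line. The
point it demonstrates: the IOS 'fragments' keyword matches only NON-initial
fragments (fragment offset > 0), while the initial fragment still carries
the ICMP header and is caught by the router-advertisement ACE.
"""
import socket
import struct

IPPROTO_ICMP = 1
OPT_LSRR, OPT_SSRR = 131, 137
ICMP_ROUTER_ADV = 9
ACL = [  # order matters: first match wins, as on the router
    "deny ip any any fragments",
    "deny icmp any any router-advertisement",
    "deny ip any any option lsr",
    "deny ip any any option ssr",
    "permit ip any any",          # assumed final line
]


def _checksum(data):
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def build_ipv4(src, dst, proto, payload, options=b"", more_fragments=False, frag_offset=0):
    """Constructed test packet (not captured traffic); frag_offset in 8-byte units."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload), 0x1234,
                      flags_frag, 64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr += options
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + payload


def _option_types(raw):
    types, i = [], 0
    while i < len(raw):
        t = raw[i]
        if t == 0:                  # end of option list
            break
        if t == 1:                  # no-op, single byte
            i += 1
            continue
        types.append(t)
        length = raw[i + 1] if i + 1 < len(raw) else 0
        if length < 2:              # malformed; stop rather than loop forever
            break
        i += length
    return types


def parse_ipv4(pkt):
    ver_ihl, _, total, _, flags_frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or _checksum(pkt[:ihl]) != 0:
        raise ValueError("bad header length or checksum")
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto,
        "ihl": ihl, "mf": bool(flags_frag & 0x2000), "offset": flags_frag & 0x1FFF,
        "options": _option_types(pkt[20:ihl]), "payload": pkt[ihl:total],
    }


def ace_for(pkt):
    """First ACL line the packet matches (IOS semantics for fragments)."""
    p = parse_ipv4(pkt)
    if p["offset"] > 0:                       # non-initial fragment: no L4 header
        return ACL[0]
    if p["proto"] == IPPROTO_ICMP and p["payload"][:1] == bytes([ICMP_ROUTER_ADV]):
        return ACL[1]
    if OPT_LSRR in p["options"]:
        return ACL[2]
    if OPT_SSRR in p["options"]:
        return ACL[3]
    return ACL[4]


def icmp(type_, body=b""):
    return struct.pack("!BBH", type_, 0, 0) + body


HOST, VICTIM = "192.168.100.5", "192.168.100.77"
LSRR = bytes([OPT_LSRR, 7, 4]) + socket.inet_aton("192.168.60.1")
PACKETS = {  # constructed
    "router_adv": build_ipv4(HOST, VICTIM, IPPROTO_ICMP, icmp(ICMP_ROUTER_ADV, b"\x01\x02\x00\x00" * 2)),
    "router_adv_first_frag": build_ipv4(HOST, VICTIM, IPPROTO_ICMP, icmp(ICMP_ROUTER_ADV, b"\x00" * 16),
                                        more_fragments=True),
    "noninitial_frag": build_ipv4(HOST, VICTIM, IPPROTO_ICMP, b"\x00" * 16, frag_offset=185),
    "lsrr_echo": build_ipv4(HOST, VICTIM, IPPROTO_ICMP, icmp(8), options=LSRR),
    "plain_echo": build_ipv4(HOST, VICTIM, IPPROTO_ICMP, icmp(8)),
}

if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print("%-22s -> %s" % (name, ace_for(pkt)))
```

Because a router ACL only sees what crosses the Layer 3 interface, this check mirrors what the router would do to traffic leaving the subnet; for the link-local attack itself the VACL on the next slides is the control that actually sees the packets.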
Mitigation: Cisco IOS VACL
!-- Create ACLs that match traffic. The action will be applied
!-- in the VLAN map section.
!
ip access-list extended match-igmp-router
permit igmp host 192.168.100.1 any
!
ip access-list extended match-icmp-router
permit icmp host 192.168.100.1 any router-advertisement
!
ip access-list extended match-igmp-subnet
permit igmp 192.168.100.0 0.0.0.255 any
!
ip access-list extended match-icmp-subnet
permit icmp 192.168.100.0 0.0.0.255 any router-advertisement
!
ip access-list extended match-all-subnet
permit ip any any
!
Mitigation: Cisco IOS VACL (cont…)
vlan access-map ms08-001 10
match ip address match-igmp-router
action forward
vlan access-map ms08-001 20
match ip address match-icmp-router
action forward
vlan access-map ms08-001 30
match ip address match-igmp-subnet
action drop
vlan access-map ms08-001 40
match ip address match-icmp-subnet
action drop
vlan access-map ms08-001 50
match ip address match-all-subnet
action forward
!
!-- Apply to VLAN 100
vlan filter ms08-001 vlan-list 100
Sequences 10 and 20 permit the router interface (192.168.100.1) to send IGMP and ICMP router advertisements anywhere; 30 and 40 drop IGMP and ICMP Type 9 from the rest of the subnet; 50 permits all other traffic; the map is applied to VLAN 100. Because the VACL filters bridged traffic inside the VLAN, it sees the link-local packets a router ACL never would, provided the hosts cannot spoof the router's address (see the Layer 2 anti-spoofing features later).
Mitigation: ASA, FWSM, and PIX
!-- The fragment chain command can be used to prevent fragments from traversing
!-- the firewall, globally or on specific interfaces; chain 1 effectively denies all fragments
Firewall(config)#fragment chain 1 [interface_name]
!-- Cisco PIX security appliances, Cisco ASA adaptive security appliances, and
!-- FWSMs will, by default, drop all source-routed packets received on any
!-- interface and create an informational-level (severity 6) syslog message
106012: Deny IP from 192.168.100.5 to 192.168.60.5, IP options: "Loose Src Routing"
106012: Deny IP from 192.168.100.5 to 192.168.60.5, IP options: "Strict Src Routing"
Additional Mitigation and Monitoring
Layer 2 anti-spoofing features such as IP Source Guard (IPSG) and DHCP Snooping, or Port Security, so that a host cannot impersonate the router address the VACL trusts
Check device configuration for anything that allows multicast (IGMP/MLD) to be forwarded across the Layer 3 boundary
MS08-001 References
Microsoft Security Bulletin MS08-001: Critical Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (941644)
http://www.microsoft.com/technet/security/bulletin/MS08-001.mspx
MS08-001 (part 2) – The case of the Moderate ICMP mitigationshttp://blogs.technet.com/swi/archive/2008/01/08/ms08-001-part-2-the-case-of-the-moderate-icmp-mitigations.aspx
MS08-001 (part 3) – The case of the IGMP network criticalhttp://blogs.technet.com/swi/archive/2008/01/08/ms08-001-part-3-the-case-of-the-igmp-network-critical.aspx
MS08-001 - The case of the Moderate, Important, and Critical network vulnerabilities
http://blogs.technet.com/swi/archive/2008/01/08/ms08-001-the-case-of-the-moderate-important-and-critical-network-vulnerabilities.aspx
MS08-001 - The case of the missing Windows Server 2003 attack vector
http://blogs.technet.com/swi/archive/2008/01/10/MS08_2D00_001-_2D00_-The-case-of-the-missing-Windows-Server-2003-attack-vector.aspx
MS08-001 References (cont…)
Cisco Applied Mitigation Bulletin: Microsoft Security Bulletin for January 2008
http://tools.cisco.com/security/center/viewAlert.x?alertId=14898
Cisco IntelliShield Vulnerability Alert ID 14854: Microsoft Windows Kernel IGMP and MLD Code Execution Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=14854
Cisco IntelliShield Vulnerability Alert ID 14853: Microsoft Windows Kernel ICMP Router Discovery Protocol Denial of Service Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=14853
Exploit for MS08-001 Demonstrated
http://blogs.pcmag.com/securitywatch/2008/01/exploit_for_ms08001_demonstrat.php
Case Study 3: Storm Class Malware, CME711
Storm Malware, CME711
[Diagram: Victim at the centre, attack phases 1 to 5 around it]
Probe [Exploit Dependent]
Penetrate [Exploit Dependent]
Persist [Exploit Dependent]
Propagate [Exploit Dependent]
Paralyze
Spam and social engineering convince the user to download an executable
Download malicious software to the end host
Download software; join the P2P network; open a UDP port above 1024 on the local host
Spam, DDoS, update
Exploit specific
Malware in Action: CME711
1. BotHerder updates malcode on the webtrap
2. BotHerder initiates new spam pointing to the webtrap
3. User reads the spam and clicks the link
4. User machine is infected
[Diagram: BotHerder, Infected Webserver and the infected user machine, steps 1 to 4 as above]
Mitigating CME711
1. Break the initial exploitation vector
2. Break the infection vector
3. Break joining the botnet
[Diagram: break points 1 to 3 between the BotHerder, the Infected Webserver and the user]
Breaking the Bot
Initial vector through spam message: User education and spam filtering
Host downloads malware from webserver: Mitigate vulnerabilities on the host (patch and best practices); use AV or HIPS to prevent exploitation; web content filter; DNS blackholing
Host opens a UDP port above 1024 and communicates with the P2P network (UDP 1024:65535 to UDP 1024:65535): ACLs/FPM, DNS; Syslog analysis and NetFlow
Mitigation: ACLs
!-- Router
Router(config)#ip access-list extended tACL
!-- Deny UDP packets in range 1024 - 65535 on both source and destination port
Router(config-ext-nacl)#deny udp 192.168.2.0 0.0.0.255 range 1024 65535 any range 1024 65535
!-- Firewall configuration (same rule; ASA/PIX use a subnet mask rather than a wildcard mask)
Firewall(config)# access-list storm-udp extended deny udp 192.168.2.0 255.255.255.0 range 1024 65535 any range 1024 65535
What About FPM?
The P2P traffic is encrypted with a simple key; the signatures below work today, but the pattern could change.
Snort signatures from http://doc.emergingthreats.net/2007701
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Storm Worm Encrypted Variant 1 Traffic (1)"; dsize:25; content:"|10 a6|"; depth:2; threshold: type both, count 2, seconds 60, track by_src; classtype:trojan-activity; sid:2007701; rev:3;)
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Storm Worm Encrypted Variant 1 Traffic (2)"; dsize:25; content:"|10 a6 d4 c3|"; depth:4; threshold: type both, count 1, seconds 60, track by_src; classtype:trojan-activity; sid:2007701; rev:1;)
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Storm Worm Encrypted Variant 1 Traffic (2)"; dsize:25; content:"|10 a0d4 c3|"; depth:4; threshold: type both, count 1, seconds 60, track by_src; classtype:trojan-activity; sid:2007702; rev:1;)
Source: EmergingThreats.net
Mitigation: FPM for Encrypted Storm
load protocol disk0:ip.phdf
load protocol disk0:udp.phdf
!
class-map type stack match-all ip_udp_class
 description "match UDP over IP packets"
 match field ip protocol eq 17 next udp
!
class-map type access-control match-all encrypted_storm
 description "match encrypted storm, cme711 packets"
 match field udp dest-port range 1024 65535
 match field udp length eq 33
 match start udp payload-start offset 0 size 2 eq 0x10a6
!
policy-map type access-control fpm_udp_policy
 class encrypted_storm
  drop
  log
!
policy-map type access-control fpm_policy
 class ip_udp_class
  service-policy fpm_udp_policy
!
interface GigabitEthernet 0/1
 service-policy type access-control input fpm_policy
Load PHDFs for IP and UDP
Match UDP over IP Packets
Match Storm, CME711 Packets: UDP port 1024:65535, UDP header + payload length 33 bytes, and the two-byte payload prefix
Policy for UDP-Based Attacks: Drop Worms and Malicious Attacks
Apply and Enable FPM Policy
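The Snort rule and the FPM class-map above test the same three things (ephemeral ports on both sides, a 25-byte UDP payload, and the 0x10a6 prefix); the FPM "udp length eq 33" is simply dsize:25 plus the 8-byte UDP header. The following is an added example, not part of the presentation or of Emerging Threats: it applies those conditions to constructed UDP datagrams and emulates the rule's "threshold: type both, count 2, seconds 60, track by_src" so the alert fires once per source per window.

```python
import struct

# Parameters taken from the slide's Snort rule (sid 2007701) and the FPM class-map.
UDP_HEADER_LEN = 8
STORM_PAYLOAD_LEN = 25                               # Snort: dsize:25
STORM_UDP_LEN = UDP_HEADER_LEN + STORM_PAYLOAD_LEN   # FPM: match field udp length eq 33
STORM_MAGIC = bytes.fromhex("10a6")                  # Snort: content:"|10 a6|"; depth:2  /  FPM: eq 0x10a6
EPHEMERAL = range(1024, 65536)                       # 1024:65535 on both sides of the rule

def build_udp(sport, dport, payload):
    """Build a raw UDP datagram (checksum left 0); used only to construct sample traffic."""
    return struct.pack("!HHHH", sport, dport, UDP_HEADER_LEN + len(payload), 0) + payload

def matches_storm_variant1(datagram):
    """Apply the three conditions the slide matches on: ports, length, first two payload bytes."""
    if len(datagram) < UDP_HEADER_LEN:
        return False
    sport, dport, length, _ = struct.unpack("!HHHH", datagram[:UDP_HEADER_LEN])
    payload = datagram[UDP_HEADER_LEN:]
    if sport not in EPHEMERAL or dport not in EPHEMERAL:
        return False
    # 'udp length eq 33' and 'dsize:25' are the same test once the 8-byte header is counted.
    if length != STORM_UDP_LEN or len(payload) != STORM_PAYLOAD_LEN:
        return False
    return payload[:2] == STORM_MAGIC

def snort_threshold_both(events, count=2, seconds=60):
    """Emulate 'threshold: type both, count 2, seconds 60, track by_src': per source,
    alert at most once per window, and only once `count` matches were seen in that window.
    events: iterable of (timestamp_seconds, src_ip, udp_datagram)."""
    windows = {}          # src -> [window_start, matches_in_window, already_alerted]
    alerts = []
    for ts, src, datagram in sorted(events, key=lambda e: e[0]):
        if not matches_storm_variant1(datagram):
            continue
        win = windows.get(src)
        if win is None or ts - win[0] >= seconds:
            win = windows[src] = [ts, 0, False]
        win[1] += 1
        if win[1] >= count and not win[2]:
            win[2] = True
            alerts.append((ts, src))
    return alerts

def demo():
    """Constructed traffic: one host chatters to the P2P port range, others send near-misses."""
    storm = build_udp(40000, 50000, STORM_MAGIC + b"\x00" * 23)    # 25-byte payload: matches
    short = build_udp(40000, 50000, STORM_MAGIC + b"\x00" * 22)    # 24 bytes, UDP length 32: no match
    dns = build_udp(40000, 53, STORM_MAGIC + b"\x00" * 23)         # destination port 53: out of range
    events = [(0, "192.168.2.10", storm), (10, "192.168.2.10", storm),
              (20, "192.168.2.10", storm), (5, "192.168.2.11", storm),
              (7, "192.168.2.12", short), (8, "192.168.2.12", dns)]
    return snort_threshold_both(events)

if __name__ == "__main__":
    print(demo())    # [(10, '192.168.2.10')]
```

The third match from 192.168.2.10 at t=20 produces no second alert because it falls inside the already-alerted 60-second window, and the single packet from 192.168.2.11 never reaches the count of two.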
Mitigation: Deny Downloader via HTTP Inspection
regex exe_url ".*\.[Ee][Xx][Ee]"
!-- Create regex class map
class-map type regex match-any bad_urls
 match regex exe_url
class-map type inspect http match-any http-urls
 match request uri regex class bad_urls
class-map http-port
 match port tcp eq www
!-- Create policy map, actions set to drop and log
policy-map type inspect http http-policy
 parameters
  protocol-violation action drop-connection
 class http-urls
  drop-connection log
!-- Apply and enable the "EXE Downloader" policy
policy-map global_policy
 class http-port
  inspect http http-policy
service-policy global_policy global
Mitigation: Deny Botnet Access via DNS Inspection
regex bad_domain1 "tibeam\.com"
regex bad_domain2 "tushove\.com"
regex bad_domain3 "kqfloat\.com"
!
class-map type regex match-any bad_domains
 match regex bad_domain1
 match regex bad_domain2
 match regex bad_domain3
!
class-map type inspect dns bad_domain_query
 match not header-flag QR
 match question
 match domain-name regex class bad_domains
!
policy-map type inspect dns bad_domain_policy
 class bad_domain_query
  drop log
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map egress_policy
 class inspection_default
  inspect dns bad_domain_policy
!
service-policy egress_policy interface inside
!
Domains from http://www.disog.org/text/storm-fastflux.txt
Identification
NetFlow or Syslog: communication UDP 1024:65535 to UDP 1024:65535
NetFlow: changes in behaviour during spamming or DDoS
IPS signatures 5894/0 and 5894/1
ACL Counters
Storm Worm References
Storm Worm DDoS Attack
http://www.secureworks.com/research/threats/view.html?threat=storm-worm
Storm (Worm) Peacomm Analysis http://www.cyber-ta.org/pubs/StormWorm/report/
Schneier on Security
http://www.schneier.com/blog/archives/2007/10/the_storm_worm.html
April Storm’s Day Campaign http://asert.arbornetworks.com/2008/03/april-storms-day-campaign/
Antirootkit.com blog http://www.antirootkit.com/blog/category/storm-worm/
The Evolution of Peacomm to "all-in-one" Trojan
http://www.symantec.com/enterprise/security_response/weblog/2007/04/the_evolution_of_peacomm_to_al.html
Known Storm Fast Flux Domains http://www.disog.org/text/storm-fastflux.txt
Advanced Topics
Test Yourself
Metasploit is an exploitation framework that provides a lot of flexibility to test yourself – it is very easy to test client and service exploits; more information is at www.metasploit.com
Scapy is a powerful packet manipulation program – it requires some Python knowledge but is useful for creating specific types of network traffic; more information is at http://www.secdev.org/projects/scapy/
>>> x = fragment(IP(dst="192.168.15.60")/ICMP()/("abc"*1200), fragsize=1200)
>>> x[1].frag = 145
>>> send(x)
17:52:13.113797 IP (tos 0x0, ttl 64, id 1, offset 0, flags [+], proto ICMP (1), length 1220) 192.168.2.63 > 192.168.15.60: ICMP echo request, id 0, seq 0, length 1200
17:52:13.119594 IP (tos 0x0, ttl 64, id 1, offset 1160, flags [+], proto ICMP (1), length 1220) 192.168.2.63 > 192.168.15.60: icmp
17:52:13.125617 IP (tos 0x0, ttl 64, id 1, offset 2400, flags [+], proto ICMP (1), length 1220) 192.168.2.63 > 192.168.15.60: icmp
17:52:13.131597 IP (tos 0x0, ttl 64, id 1, offset 3600, flags [none], proto ICMP (1), length 28) 192.168.2.63 > 192.168.15.60: icmp
Changed the Fragment Offset (second fragment now sits at offset 1160 instead of 1200)
Security = Moving Target
The Metasploit ShikataGaNai encoder makes creating exploits with polymorphic shellcode very simple; this means that simple string matches such as "0x90/0x90/0x90" are trivial to avoid
Metasploit meterpreter allows relatively simple DLL injection and command execution that is difficult to detect on the compromised system (it leaves no new processes, files or network connections)
XT Bot utilized Dynamic Remote Settings Stub (DRSS) to hide communications; think of a bot that uses steganography for communication
Fast Flux DNS for botnet networks makes the botnet difficult to neutralize
Deceptive Defense
Darknets and illegal IP space (dark space) monitoring provide the ability to more easily identify outbreaks and aid in detecting probing that may fall under the normal radar
Honeypots, low interaction: deployed inside the network, these help quickly identify compromised systems and miscreants; real-world studies have shown a ratio of 1/1000 of the IP space is effective
Honeytokens: a purposefully set piece of information that should only be accessed by illegal activity
Source: Virtual Honeypots, pg. 308
Deceptive Defense Benefits
Low false positive rate: an attack already passes several characteristics of a valid attack, such as illegal IP space and non-production hosts
Aid in 0-day detection
Easily identifies internal outbreaks
Scalable: Nepenthes scales well, Honeyd can create large virtual networks
Utilizing Low Interaction Honeypots to Increase Network Security?
IPS can be configured to perform an event action override when a pre-determined threshold has been met; these actions could be block address or deny attacker inline, which can happen for a specified time frame
The IPS target value rating (TVR) can be used to increase the risk rating for events targeting a specific host or subset of hosts
A low interaction honeypot such as Nepenthes (http://nepenthes.mwcollect.org/) could be deployed in conjunction with an artificially inflated TVR to trigger event actions such as deny attacker inline, removing threats before they attack real systems
Deceptive Defense in Action
[Diagram: IPS Sensor between the Internet and the Hosts; Attacker 10.10.10.100; Low Interaction Honey Pot 192.168.100.10]
Deceptive Defense Mitigating the Attack
Signature 3338/1 Windows LSASS RPC Overflow, Base Risk Rating 75 (Severity = High, Fidelity = 75)
Risk Rating = (ASR * TVR * SFR) / 10000 + ARR – PD + WLR
Calculated for a Target Value Rating set to High: ASR(100) * TVR(150) * SFR(75) / 10000 + ARR – PD + WLR = 100
Event Action Override 90–100 (Deny Attacker Inline / Request Block Host)
[Diagram: IPS Sensor between the Internet and the Hosts; Attacker 10.10.10.100; Low Interaction Honey Pot 192.168.100.10; Attacker Blocked]
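The risk rating arithmetic above, worked through in code as an added example (not Cisco IPS software): the TVR multiplier for High (150) is the one on the slide, the other TVR labels and the production host address 192.168.100.50 are assumptions for illustration, and the result is clamped to the 0 to 100 scale the event action override band is defined on.

```python
# Cisco IPS risk rating as printed on the slide, clamped to the 0..100 scale.
# TVR multipliers: "high" = 150 is on the slide; the remaining labels are assumed for illustration.
TVR_MULTIPLIER = {"zero": 50, "low": 75, "medium": 100, "high": 150, "mission-critical": 200}

def risk_rating(asr, tvr_label, sfr, arr=0, pd=0, wlr=0):
    """RR = (ASR * TVR * SFR) / 10000 + ARR - PD + WLR, clamped to 0..100.
    ASR: attack severity rating, SFR: signature fidelity rating,
    ARR: attack relevancy rating, PD: promiscuous delta, WLR: watch list rating."""
    raw = (asr * TVR_MULTIPLIER[tvr_label] * sfr) / 10000 + arr - pd + wlr
    return int(max(0, min(100, raw)))

def event_action(rr, low=90, high=100):
    """The slide's event action override band 90-100 maps to deny attacker inline / request block host."""
    return "deny-attacker-inline" if low <= rr <= high else "produce-alert"

# Assumed target-value table for the slide's topology: the low interaction honeypot
# 192.168.100.10 is rated High; every other destination keeps the default Medium.
TARGET_VALUES = {"192.168.100.10": "high"}

def evaluate(alerts):
    """alerts: (dst_ip, asr, sfr) per fired signature; returns (dst, risk rating, action) for each."""
    results = []
    for dst, asr, sfr in alerts:
        tvr = TARGET_VALUES.get(dst, "medium")
        rr = risk_rating(asr, tvr, sfr)
        results.append((dst, rr, event_action(rr)))
    return results

def demo():
    # Signature 3338/1 from the slide: severity High (ASR 100), fidelity 75.
    # Same signature fired against the honeypot and against a constructed production host.
    return evaluate([("192.168.100.10", 100, 75), ("192.168.100.50", 100, 75)])

if __name__ == "__main__":
    for dst, rr, action in demo():
        print(f"{dst}: RR={rr} -> {action}")
```

With TVR left at Medium the same signature scores the slide's base rating of 75 and only alerts; against the honeypot the 112.5 raw value is clamped to 100 and lands in the override band.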
Deceptive Defense Caveats
Make sure the honeypot host cannot be used to launch attacks (block outgoing access from the host)
Use common sense; the Honeynet Project, http://www.honeynet.org/, has several research papers and presentations available
Black Hole Filtering – Destination Based
Forwards packets to the bit bucket, aka "Null0"
Only works on destination addresses
Destination-based RTBH takes the destination offline: you DoS yourself, the miscreant wins
Good reactive mechanism for compromised endpoints
Traditionally used to "black hole" undesirable traffic
Foundation for other remote-triggered responses
Black Hole Filtering – Source Based
Dropping on destination is very important
Dropping on source is often what we really want
Requires Unicast RPF
Reacting using the source address provides some interesting options
Stop the attack without taking the destination offline
Filter command and control servers
Filter (contain) infected end stations
Must be rapid and scalable
Leverage pervasive BGP again
Black Hole Filtering – Source Based
Advantages of source-based filtering
No ACL update
No change to device configuration
Drops happen in the forwarding path
Frequently changes when attack profiles are dynamic
Weaknesses of source-based filtering
Source detection and enumeration
Attack termination detection (reporting)
Will drop all packets with the source and destination on all triggered interfaces, regardless of actual intent
Remember spoofing: don't let the miscreant spoof the true source-based target and trick you into black holing them
Whitelist important sites that should never be blocked
Sinkhole Routers/Networks
Sinkholes are a topological security feature – think network honeypot
Router or workstation built to suck in traffic and assist in analyzing attacks (original use)
Redirect attacks away from the victim – work the attack on a router built to withstand the attack
Used to monitor attack noise, scans, data from misconfiguration and other activity (via the advertisement of default or illegal IP space)
Traffic is typically diverted via BGP route advertisements and policies
Leverage instrumentation in a controlled environment
Pull the traffic past analyzers/analysis tools
Adaptive Control Technology
Threat Mitigation Service (TMS) is a framework for rapid network-wide distribution and response to threats
Near real time threat response
Threat Information Distribution Protocol (TIDP) transports messages containing abstract information about threats and suggested remedial actions
Threat Information Message (TIM)
Devices are provisioned with policies for enforcement of traffic and response actions
Access Control List
Traffic Redirection
Next Generation Rapid Threat Containment and Response
Threat Information Distribution Protocol
TIM is distributed from TIDP Mitigation Service (TMS) controller to TIDP consumers
Threat Information Message identifies threat
TIM created in threat definition file using XML
Messages authenticated, encrypted, and have replay protection
Receiving devices are configured with unique policies
Device uses local policy to convert TIMs into dynamic policy enforcement
Threat Containment Using ACT
TIDP is a protocol that allows for the quick distribution of information about network-based threats
All TIDP-enabled nodes use the payload content according to their own configuration and translate it to enforce appropriate actions
[Diagram: TIDP Controller (TIM generation via CLI / SDM) distributes TIMs over the Threat Information Distribution Protocol to TIDP-enabled devices; rules engine local to each device; intelligence resides in end point devices; NMS/Syslog server for logging. TIM = Threat Information Message]
Automated Signature Extraction (ASE/DASE)
Dynamically extracts signatures for potential malware without the need for human intervention
Utilizes a Sensor/Collector architecture
Linux-based Collector and TIDP (TMS) for message exchange
Available in 12.4(15)T
Automatic Signature Extraction
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t15/htautosg.html
Complementary Sessions
BRKSEC-2001: Emerging Threats
BRKSEC-2006: Inside the Perimeter: Six Steps to Improving Your Security Monitoring
BRKSEC-2002: Understanding and Preventing Layer 2 Attacks
BRKSEC-2020: Firewall Design and Deployment
BRKSEC-2030: Deploying Network-Based Intrusion Prevention Systems
Q and A
Recommended Reading
Continue your Cisco Live learning experience with further reading from Cisco Press®
Check the Recommended Reading flyer for suggested books
Available Onsite at the Cisco Company Store
Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes; winners announced daily
Receive 20 Passport points for each session evaluation you complete
Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center
Don’t forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008.
Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.