Posts Tagged ‘NG-IPS’

Beware Of The Red Dragon

December 7, 2011 Leave a comment

I have dedicated several posts to NG-IPS, the next step of the evolution in network security (or better to say context security). I have pointed out that one of the main features of this kind of devices is the capability to enforce Location Based security services. Now it is time to make some practical examples indicating how Geo Protection features may be helpful and why they are needed in this troubled days.

Few days ago I had the opportunity to analyze the data collected from a network security equipment, placed at the perimeter of an important Italian customer, with IPS engine turned on and Geo Protection feature enabled. I show here a brief summary of the collected data, that span approximatively a thirty days period ranging from 1 to 27 November 2011.

As you may easily notice, collected data show Geo Protection events undoubtedly at number one with 713,117 occurences. The enforced Geo Protection Policy blocked traffic from and to several “bad countries”. Just try to Guess which country was detected by the Geo Protection Policy with the highest rate of attacks? The top attack source report contains the answer to this question, but if yoy want I can suggest you a quick hint: one of the countries which appeared in the unwelcomed list of Geo Protection Policy was just China.

The top 5 attack sources generated together nearly 150,000 events. I was not that surprised when I looked up the IP Addresses (which I did not explicitly report on the graph) and realized that all of them came from China. These addresses were blocked a priori by Geo Protection.

The tabular report is also more explicit: 9 out of  10 sources at the top for the number of attacks, came from China whilst 1 was shown to be an internal address (revealed to be a misconfigured device generating bogus events). Together the 9 top sources generated nearly 260,000 on a total of 800,000 events collected from nearly 90,000 addresses.

As far as the impacted services are concerned, traditional protocols ranked at the first positions of the chart with some strange occurrences (TCP/0 or UDP/0 that might mean malformed packets or also the attempt to exploit old attacks targeting security devices). It is worthwhile to notice the presence of the well-known TCP port 1433 (MS-SQL).

Of course the attempts to exploit Microsoft Ports and (maybe) to harvest the network were detected by the geo protection engine as shown in the following table.

While I was analysing these data I could not help but think to the recent post by Brian Kerbs suggesting that the same attack perpetrated against RSA targeted more than 760 other organizations (almost 20 percent of the current Fortune 100 companies were on the alleged list). The same post indicated that the location of 299 (on more than 300) command and control networks used in these attacks were located in China.

Besides some concern regarding the Chinese Cyber Strategy, the parallelism suggested me that Geo Protection might provide a valuable support for thwarting APTs or, more in general, for thwarting attacks phoning home to C&C Server located in “bad” countries, provided that Geo Protection Service Database is constantly updated. Unfortunately I am afraid that attackers will not take so long to learn and enforce some workarounds using (un)secure compromised C&C servers in “good” (i.e. not classified by the Geo Protection) countries. In any case Geo Protection cannot be considered the only cure, but at the end this is the reason why NG-IPS are capable to enforce different algorithms to provide a context base security model.

Related articles

Moving Security Model From Content To Context

November 27, 2011 1 comment

In these days I visited several customers to talk about technology trends for 2012. With the occasion I decided to collect all the articles written in my blog concerning Advanced Persistent Threats and Related Technologies in a single, very short, presentation, and consequently uploaded it to SlideShare. Feel free to give it a look as a reference. My perception is that next year we will often hear talking about APTs and NG-IPS (and, more in general, about context-aware security Technologies).


Advanced Persistent Threats and Human Errors

November 20, 2011 1 comment

In these days many people are asking me what they can do to stop an Advanced Persistent Threat. Although security firms are running fast to develop new technologies to thwart these attack vectors (sophisticated SIEMs and a new breed of network security devices, the so called Next Generation IPSs), unfortunately I am afraid the answer is not so easy. I might spend thousands of words to figure out the answer, but I would not be able to give a better representation than this cartoon I found a couple of days ago in the Imperva Blog.

Intentional or unintentional the human error is always the first vector an Advanced Persistent Threat exploits to enter the organization: as a matter of fact all the APT attacks recorded in 2011 (and unluckily examples abound in the news), have a point in common: the initial gate which allowed the attack to enter, that is the user.

The last resounding example is not an exception to this rule: on Friday November, the 17th Norway’s National Security Authority (NSM) confirmed that systems associated with the country’s oil, gas, and energy sectors were hit with a cyber attack, resulting in a loss of sensitive information. If we look at the information available for this attack, it is really easy to find all the ingredients of a typical APT Attack: virus spread via malware-infected emails sent to “selected individuals”, sophisticated malware designed to avoid detection by anti-virus solutions, and, last but not least, sophisticated malware designed to steal information from the victim’s computer: documents, drawings, username and password.

So at the end which is the key to face an APT, before the technology itself is able to catch it? The answer (and the technology) spins around the user which is the first firewall, IPS, anomaly detector, who can stop an APT. Of course exactly like security devices must be configured to stop the intrusion attempts, analogously users must be configured educated not to accept virtual candies from strangers, hence acting as unintentional gates for the threats to enter the organizations. This often happens because of shallow behaviors or also because of behaviors in clear contrast with the internal policy (yes the infamous AUP). I use to say that security is a mindset, quite similar to distrust: you have it since you are naturally born with it, or you may simply be educated to embrace it.

Keep in mind the central role of the user inside the security process since 2012 will be the year of APTs… Would you ever buy (and heavily pay) an armored door for your home and give the key to people you do not trust?

Are You Ready For The Next Generation IPS?

October 27, 2011 1 comment

Advanced Persistent Threats are changing the information security paradigm and Next Generation IPS will probably be, together with SIEM, the new weapons in the hands of information security professionals for stopping this new category of threats that are proving to be the real nightmares for CISOs in this troubled 2011.

If you have just learned what a Next Generation Firewall is, you will probably be a little disappointed in knowing that it is not the last frontier of information security (as many security firms claim), instead the growing impact and influence of APTs, which are threats acting on different layers (user, network and applications), different timeframes and different portions of the network, are redesigning the network security paradigm, requiring additional intelligence at the perimeter, and shifting the game to a context-aware model in order to grant the holistic view that is necessary to stop them.

Traditional Firewall and IPS Technologies are rapidly shifting towards the Next Generation Firewall model, which is user aware and application aware. Unfortunately a Next-Gen Firewall is not enough to stop an APT, since, although focused on the application control, a NGF remains essentially user oriented, and consequently lacks the global vision necessary to stop a persistent threats acting on different layers besides user and application. At the same time traditional network security technologies (FW and IPS) are not enough since they are anchored to the old model: a Firewall enforces access control at the protocol level, which is useless for threats carried inside legitimate traffic, instead an IPS enforces a security model based on protocols and vulnerabilities, being completely unaware (and in certain sense blind unless complex integrations are put in place) of the context in terms of user activity, and user interaction with applications, directories, etc.

Now let us suppose to make a brand new information security recipe, taking the main features of a NGF (user awareness and application awareness), the main features of a Firewall (access control) and the main features of an IPS (protocol awareness and vulnerability awareness), blend them in a virtual pot and add a little bit of reputation (for instance obtained from a globally distributed network of sensors) and other features such as geo-location, application heuristics and, last but not least, an application anomaly detection engine (which is  completely different from a traditional protocol anomaly engine). You will obtain a new information security dish: the Next Generation IPS, a new class of devices that likely represents the near future of network security.

NG-IPSs are characterized by two main features:

  • They shift the enforcement of security policies from a content-based to a context-based model (where the context is defined by the interaction of user with applications);
  • They leverage new technologies such as reputation and geo-location to provide the holistic view necessary to stop APTs.

So what do we have to expect at the perimeter? The traditional Firewall and IPS (or UTMs) will likely be replaced by NG-IPS, while specific “vertical” security devices, such as Web Application Firewall will remain in place in strategic portion of the netowork (just in front of Web Farms) to protect specifically Web (read HTTP and HTTPS) applications. As you may see from the following table a NG-IPS encompasses all the features of the “old” technologies plus new features allowed by a growing adoption of Reputation and Cloud-Based services.

Since WAF will follow a parallel and co-existing walk, meanwhile I reccomend you to read my Q&A on Next-Gen and Web Application Firewall.

Related articles


Get every new post delivered to your Inbox.

Join 3,687 other followers