I have dedicated several posts to NG-IPS, the next step in the evolution of network security (or, better, context security). I have pointed out that one of the main features of this kind of device is the capability to enforce location-based security services. Now it is time to give some practical examples showing how Geo Protection features may be helpful and why they are needed in these troubled days.
A few days ago I had the opportunity to analyze the data collected from a network security device, placed at the perimeter of an important Italian customer, with the IPS engine turned on and the Geo Protection feature enabled. I show here a brief summary of the collected data, which span approximately a thirty-day period ranging from 1 to 27 November 2011.
As you may easily notice, the collected data show Geo Protection events undoubtedly at number one with 713,117 occurrences. The enforced Geo Protection Policy blocked traffic from and to several “bad countries”. Can you guess which country was detected by the Geo Protection Policy with the highest rate of attacks? The top attack source report contains the answer to this question, but if you want a quick hint: one of the countries that appeared in the unwelcome list of the Geo Protection Policy was China.
The top 5 attack sources generated together nearly 150,000 events. I was not that surprised when I looked up the IP Addresses (which I did not explicitly report on the graph) and realized that all of them came from China. These addresses were blocked a priori by Geo Protection.
The tabular report is even more explicit: 9 out of the 10 top sources by number of attacks came from China, whilst 1 was an internal address (which turned out to be a misconfigured device generating bogus events). Together the 9 top sources generated nearly 260,000 of a total of 800,000 events collected from nearly 90,000 addresses.
As far as the impacted services are concerned, traditional protocols ranked in the first positions of the chart, with some strange occurrences (TCP/0 or UDP/0, which might mean malformed packets or an attempt to use old attacks targeting security devices). It is worth noting the presence of the well-known TCP port 1433 (MS-SQL).
While I was analysing these data I could not help but think of the recent post by Brian Krebs suggesting that the same attack perpetrated against RSA targeted more than 760 other organizations (almost 20 percent of the current Fortune 100 companies were on the alleged list). The same post indicated that 299 (of more than 300) command and control networks used in these attacks were located in China.
Besides some concern regarding the Chinese Cyber Strategy, the parallel suggested to me that Geo Protection might provide valuable support for thwarting APTs or, more generally, for thwarting attacks phoning home to C&C servers located in “bad” countries, provided that the Geo Protection Service Database is constantly updated. Unfortunately I am afraid that it will not take attackers long to learn and adopt workarounds using (un)secure compromised C&C servers in “good” (i.e. not classified by the Geo Protection) countries. In any case Geo Protection cannot be considered the only cure, but in the end this is the reason why NG-IPS are capable of enforcing different algorithms to provide a context-based security model.
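The kind of breakdown described above (top sources, impacted services, an internal address among the top talkers, and internal hosts calling out to a blocked country) can be reproduced from raw events. The following Python sketch is an added example, not output or code from the device analyzed in the post; the log format, the geo table built on documentation address ranges, and all names in it are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Constructed geo table: documentation prefixes mapped to country codes (illustrative only).
GEO_DB = {ipaddress.ip_network(n): cc for n, cc in
          [("203.0.113.0/24", "CN"), ("198.51.100.0/24", "US"), ("192.0.2.0/24", "IT")]}
BLOCKED = {"CN"}  # assumed "bad country" list of the geo policy
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed events, one per line: source, destination, protocol/port.
SAMPLE_LOG = """\
203.0.113.7 192.0.2.10 tcp/1433
203.0.113.7 192.0.2.10 tcp/1433
203.0.113.9 192.0.2.10 tcp/0
10.1.1.5 192.0.2.10 udp/0
10.1.1.5 192.0.2.10 udp/0
10.1.1.5 192.0.2.10 udp/0
10.2.3.4 203.0.113.50 tcp/443
198.51.100.3 192.0.2.10 tcp/80
"""

def is_internal(ip):
    return any(ip in net for net in INTERNAL)

def country(ip):
    """Country code for ip, or None when the address is not in the table."""
    return next((cc for net, cc in GEO_DB.items() if ip in net), None)

def analyse(log_text, top_n=2):
    sources, services = Counter(), Counter()
    report = {"geo_inbound": 0, "port_zero": 0, "phone_home": []}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src_s, dst_s, service = line.split()
        src, dst = ipaddress.ip_address(src_s), ipaddress.ip_address(dst_s)
        sources[src_s] += 1
        services[service] += 1
        if service.endswith("/0"):            # TCP/0 or UDP/0: likely malformed traffic
            report["port_zero"] += 1
        if country(src) in BLOCKED:           # inbound from a blocked country
            report["geo_inbound"] += 1
        elif is_internal(src) and country(dst) in BLOCKED:
            report["phone_home"].append((src_s, dst_s))  # possible C&C callback
    report["top_sources"] = sources.most_common(top_n)
    # An internal address among the top sources usually means a misconfigured device.
    report["internal_top_sources"] = [s for s, _ in report["top_sources"]
                                      if is_internal(ipaddress.ip_address(s))]
    report["services"] = services
    return report
```

The outbound check only helps while the geo table is current, and it says nothing about callbacks to servers in countries that are not on the blocked list.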
In recent days I visited several customers to talk about technology trends for 2012. On that occasion I decided to collect all the articles written on my blog concerning Advanced Persistent Threats and related technologies in a single, very short presentation, and uploaded it to SlideShare. Feel free to have a look at it as a reference. My perception is that next year we will often hear about APTs and NG-IPS (and, more generally, about context-aware security technologies).
Advanced Persistent Threats are changing the information security paradigm and Next Generation IPS will probably be, together with SIEM, the new weapons in the hands of information security professionals for stopping this new category of threats that are proving to be the real nightmares for CISOs in this troubled 2011.
If you have just learned what a Next Generation Firewall is, you will probably be a little disappointed to learn that it is not the last frontier of information security (as many security firms claim). Instead, the growing impact and influence of APTs, which are threats acting on different layers (user, network and applications), different timeframes and different portions of the network, are redesigning the network security paradigm, requiring additional intelligence at the perimeter, and shifting the game to a context-aware model in order to grant the holistic view that is necessary to stop them.
Now suppose we make a brand new information security recipe, taking the main features of a NGF (user awareness and application awareness), the main features of a Firewall (access control) and the main features of an IPS (protocol awareness and vulnerability awareness), blending them in a virtual pot and adding a little bit of reputation (for instance obtained from a globally distributed network of sensors) and other features such as geo-location, application heuristics and, last but not least, an application anomaly detection engine (which is completely different from a traditional protocol anomaly engine). You will obtain a new information security dish: the Next Generation IPS, a new class of devices that likely represents the near future of network security.
NG-IPSs are characterized by two main features:
- They shift the enforcement of security policies from a content-based to a context-based model (where the context is defined by the interaction of user with applications);
- They leverage new technologies such as reputation and geo-location to provide the holistic view necessary to stop APTs.
So what should we expect at the perimeter? The traditional Firewall and IPS (or UTMs) will likely be replaced by NG-IPS, while specific “vertical” security devices, such as Web Application Firewalls, will remain in place in strategic portions of the network (just in front of Web Farms) to protect specifically Web (read HTTP and HTTPS) applications. As you may see from the following table, a NG-IPS encompasses all the features of the “old” technologies plus new features allowed by a growing adoption of Reputation and Cloud-Based services.
Since WAFs will follow a parallel, co-existing path, in the meantime I recommend that you read my Q&A on Next-Gen and Web Application Firewalls.
- Next Generation Firewalls and Web Applications Firewall Q&A (paulsparrows.wordpress.com)