Archive for March 2008
…Challenging the black art of tuning.
Living things have a natural habitat, an environment where they thrive because it provides all that is needed for their survival. Evolution, and more importantly the extinction of species, has shown us that once the habitat of a creature changes substantially it must either adapt to its new surroundings or quickly become extinct.
The natural habitat of a network security device, such as a firewall or an intrusion prevention system, is the modern enterprise network. From the outside this habitat looks volatile and hazardous, a place where only the strongest technologies survive.
When an organisation seeks to adopt a new security technology, it commonly goes through a product selection process based on a set of key criteria, for example:
Does the product meet the business goals assigned to the project?
Cost of ownership and return on investment
How well does the product integrate with the operating environment?
How will it perform its function on our network rather than someone else’s?
Integration questions and tests are particularly important, as no two enterprise networks resemble each other. One point that commonly gets overlooked, however, is that the modern network rarely resembles itself a few months further down the line. How well a security technology copes with this rate of change largely determines how successful its deployment will be once those months have passed. Will the new device adapt as the environment changes? Or will it carry on in a pointless attempt to enforce extinct policies that have no relevance to the organisation as it is now?
When introduced to a new network, an Intrusion Prevention System needs to be configured for the environment, so that the device understands the habitat it operates in and is better equipped to detect or prevent intrusions. In the world of IPS this is known as the black art of tuning. A tuning process can be broken down into two logical steps:
Deploying vulnerability-based network attack detection or prevention capabilities for the assets that require protection.
Mapping the organisation’s acceptable usage policy into the device’s configuration.
Both of these steps present their own challenges, both for the initial configuration of a system and for its adaptation as the network it protects evolves. Let’s take a look at each one in turn and discuss methods that can be employed to improve the accuracy of detection, the speed of response, and adaptation to the network as it and the associated business goals change.
Vulnerability-based attack detection and prevention
IPS is commonly considered the current generation of network intrusion detection: the new kid on the block, with the ability to prevent the exploitation of network vulnerabilities or violations of acceptable use as well as to alert on the presence of an attack. Deciding which vulnerabilities the device needs to detect or protect from exploitation has traditionally been based on user input. It is assumed that the security or network team within an organization is aware of the assets and services offered by the network, and is therefore in a position to decide which vulnerabilities the IPS should mitigate. Unfortunately I commonly find this assumption to be flawed.
Many organizations I speak to incorrectly believe that they have a unique problem: not knowing what assets and services are operating on the network, and therefore not knowing what needs to be protected from which vulnerabilities. This is clearly not a unique issue, as I run into it all the time, and its impact turns out to be high: missed attacks or false alarms.
Here at Sourcefire we designed a technology back in 2003 that provides information to make this task much easier; we call it RNA, Real-time Network Awareness. RNA provides a map of what the protected network looks like right now, based on how assets and services behave or are accessed. This real-time network map provides good answers to key questions before and after security events occur.
Before an event.
What devices are currently on the protected network?
What services do these devices offer?
What vulnerabilities may exist on these systems?
What detection or prevention capabilities do I need to employ to best protect this network?
After an event.
Was the attack relevant to the device or service?
E.g. would the target have been vulnerable to the attack, or was it an Apache attack against an IIS web server?
Following the attack, did the network or asset change in any way? E.g. did a new service start, or did a new client application communicate with the internet for the first time?
Having this real-time map of assets on the network allows us to adapt quickly to changes in the environment. For example, take the currently running IPS policy, say one designed to protect public-facing assets from known attacks, and overlay it onto a map of what the network is right now. Are there any gaps in the defences? Has a new service been deployed on the network without the security team being made aware of it? Has the version of Apache been updated on our production systems, mitigating the risk of some attacks succeeding?
This real-time, constantly adapting map of the network is the key component in enabling the IPS to evolve as its habitat changes. It prevents the IPS from becoming a dinosaur, churning out useless, extinct log data.
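The overlay described above, as an added example written for this page (it is not code from the original post and not how Sourcefire’s RNA is implemented; the post does not show RNA’s data model). The hosts, services, version strings, rule IDs and “fixed in” versions are all constructed for illustration and do not refer to real vulnerabilities. The example classifies an event as relevant or not to its target (an Apache rule firing against an IIS server, or against an Apache that has since been upgraded), lists services on the map that no enabled rule covers, and lists enabled rules aimed at products that are not present at all:

```python
"""Overlay a running IPS policy on a real-time map of the protected network.

Added example, not code from the original post and not Sourcefire's RNA
implementation. Hosts, services, version strings and rule records below are
constructed; the "fixed_in" versions are invented and name no real bug.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.2.8' into (2, 2, 8) so versions compare numerically, not as text."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class Service:
    port: int
    product: str   # product observed on the wire, e.g. "apache" or "iis"
    version: str   # version as observed, e.g. "2.0.58"


@dataclass
class Host:
    ip: str
    services: List[Service] = field(default_factory=list)


@dataclass
class Rule:
    sid: int
    product: str             # product the signature's exploit targets
    fixed_in: Optional[str]  # first version not affected; None = every version affected
    enabled: bool = True


def service_on(host: Host, port: int) -> Optional[Service]:
    return next((s for s in host.services if s.port == port), None)


def relevance(rule: Rule, host: Host, port: int) -> str:
    """Was an event fired by `rule` against host:port relevant to the target?

    Returns one of:
      "no_service"    nothing listens on that port
      "wrong_product" e.g. an Apache exploit aimed at an IIS web server
      "patched"       right product, but the observed version is at or past the fix
      "vulnerable"    the target was exposed to this attack
    """
    svc = service_on(host, port)
    if svc is None:
        return "no_service"
    if svc.product != rule.product:
        return "wrong_product"
    if rule.fixed_in is not None and parse_version(svc.version) >= parse_version(rule.fixed_in):
        return "patched"
    return "vulnerable"


def policy_gaps(hosts: List[Host], rules: List[Rule]) -> List[Tuple[str, int, str]]:
    """Services present on the map that no enabled rule covers (candidates to tune in)."""
    covered = {r.product for r in rules if r.enabled}
    return [(h.ip, s.port, s.product)
            for h in hosts for s in h.services if s.product not in covered]


def prunable_rules(hosts: List[Host], rules: List[Rule]) -> List[int]:
    """Enabled rules aimed at products not on the map at all (noise candidates)."""
    present = {s.product for h in hosts for s in h.services}
    return [r.sid for r in rules if r.enabled and r.product not in present]


# Constructed snapshot of "the network right now".
NETWORK = [
    Host("10.0.1.10", [Service(80, "apache", "2.0.58")]),
    Host("10.0.1.11", [Service(80, "iis", "6.0")]),
    Host("10.0.1.12", [Service(80, "apache", "2.2.8"), Service(25, "postfix", "2.5.1")]),
]

# Constructed policy. SIDs and fixed_in versions are invented for the example.
POLICY = [
    Rule(1001, "apache", fixed_in="2.2.0"),
    Rule(2001, "iis", fixed_in=None),
    Rule(3001, "sendmail", fixed_in=None),
]

if __name__ == "__main__":
    h10, h11, h12 = NETWORK
    print(relevance(POLICY[0], h11, 80))    # wrong_product: Apache rule vs IIS
    print(relevance(POLICY[0], h10, 80))    # vulnerable: Apache 2.0.58 < 2.2.0
    print(relevance(POLICY[0], h12, 80))    # patched: Apache upgraded to 2.2.8
    print(policy_gaps(NETWORK, POLICY))     # [('10.0.1.12', 25, 'postfix')]
    print(prunable_rules(NETWORK, POLICY))  # [3001]
```

The version comparison is the part worth getting right: comparing version strings as text would rank "2.0.58" above "2.2.8", so the example parses them into integer tuples first. A real asset map also ages; the snapshot here stands in for whatever RNA observed most recently.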
Monitoring and Enforcing an Acceptable Use Policy
Detecting violations of the organization’s acceptable usage policy at the network level is a commonly desired function of Intrusion Prevention. Although we instinctively think of firewalls, IPS and other network access control devices as preventing communications between specific computers and protocols, these communications most likely occur at the request of a user. A laptop, for example, is not intrinsically a malicious device, as its functions are controlled by a user; so if an acceptable usage policy is violated through an instant messaging chat session, do we blame the device or the user?
Tracking down the sources of AUP violations has traditionally been tricky in dynamic environments, and as it happens these are the most common source of AUP violations. Large DHCP ranges are commonly associated with call centres or groups of office staff who will gladly whittle their work day away by abusing network resources. In these environments it can be hard to find something static to associate with an event so that it can be investigated: the IP address of the source has since changed, knowledge of the original MAC address has been lost because of the network topology, a user was “hot-desking”. The only constant in this habitat is the person who violated the policy. This is why it is important to associate these types of events with the user of the system at the time of the violation.
This combination of user and network awareness, providing an up-to-date map of who is accessing what on the network, is invaluable when it comes to actually enhancing security. Network information has its greatest value at the time of discovery; constant discovery means constant value.
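The attribution problem described above, as an added example written for this page (not code from the original post and not Sourcefire’s user-awareness feature). The logon observations and the IPS event are constructed; in a real deployment they would come from DHCP lease logs, directory logon events or a sensor watching authentication traffic. The point it shows is that looking up whoever holds the address now gives the wrong person once the lease has moved, whereas a time-indexed history returns the user who held it when the event fired:

```python
"""Attribute an AUP violation to the user who held the source address at that moment.

Added example, not code from the original post and not Sourcefire's user-awareness
feature. The identity observations and the violation event are constructed.
"""
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed observations: (time, ip, user). Each means "from this moment `ip`
# is in use by `user`" until the next observation for the same address.
LOGONS = [
    ("2008-03-25T08:55:00", "10.20.4.17", "alice"),
    ("2008-03-25T09:02:00", "10.20.4.18", "bob"),
    ("2008-03-25T12:40:00", "10.20.4.17", "carol"),  # lease reissued after alice left
    ("2008-03-25T13:15:00", "10.20.4.19", "alice"),  # alice hot-desks to a new address
]

# Constructed IPS event: an IM session flagged in the morning, investigated later.
VIOLATION = {
    "time": "2008-03-25T10:30:00",
    "src": "10.20.4.17",
    "message": "POLICY instant messaging session detected",
}


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


class IdentityMap:
    """Per-address history of who was using it, queryable at any point in time."""

    def __init__(self, observations: List[Tuple[str, str, str]]):
        self._by_ip: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
        for t, ip, user in observations:
            self._by_ip[ip].append((_ts(t), user))
        for history in self._by_ip.values():
            history.sort()

    def current_user(self, ip: str) -> Optional[str]:
        """Naive lookup: whoever holds the address now. Wrong for any older event."""
        history = self._by_ip.get(ip)
        return history[-1][1] if history else None

    def user_at(self, ip: str, when: str) -> Optional[str]:
        """Who held `ip` at `when`. None if no observation precedes that time."""
        history = self._by_ip.get(ip)
        if not history:
            return None
        times = [t for t, _ in history]
        i = bisect_right(times, _ts(when))  # observations at or before `when`
        return history[i - 1][1] if i else None


def attribute(event: dict, idmap: IdentityMap) -> Dict[str, Optional[str]]:
    """Compare the naive answer with the time-correct one for a single event."""
    return {
        "naive": idmap.current_user(event["src"]),
        "at_time": idmap.user_at(event["src"], event["time"]),
    }


if __name__ == "__main__":
    print(attribute(VIOLATION, IdentityMap(LOGONS)))  # {'naive': 'carol', 'at_time': 'alice'}
```

Two caveats a practitioner would want: the history only answers correctly if the identity source was observing before the event (the example returns None rather than guessing when it was not), and the event timestamp and the identity source must share a clock, or the lookup lands on the wrong side of a lease boundary.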
I am writing this while sitting in a hotel bar feeling way over-dressed for an occasion. I have just arrived at the Black Hat Europe 2008 conference in Amsterdam, and after being in meetings earlier today, haven’t yet had time to put on some more “relaxed” clothing to fit in with everyone else around me.
Sipping my Heineken, obviously served the continental way (that’s with a quantity of head that instinctively makes you check for a measurement line), I was trying to catch up on email when I noticed another overlooked parallel between IPS deployment design and the real world. Ditching the over-spilling inbox, I felt compelled to write about it.
A common challenge I encounter when working with organizations to help design intrusion monitoring and prevention strategies is balancing unrealistic objectives with all too realistic budgets. I guess there’s no shock there, as it’s far from a new problem; however, I find it becomes less frustrating once I manage to get a few important concepts across to the client.
Before I meet with those who are in possession of the organizational and technical information required to help deploy an IPS, it’s common for one of my “sales-guys” to say in an upbeat way, “Don’t worry Leon, this design won’t take you long, they emailed me a network diagram! I have already half-specced the solution myself!” The look in their eyes as they rub their hands together is one of elation as they count and re-count how much their design will cost.
I find that there is commonly an all-or-nothing approach that seems unique to network security, which means people rarely see a middle ground of achievability. This is probably best manifested when I see the infamous network diagram, now modified to include an IPS appliance on every network link on the page. I don’t want to poke fun solely at my sales-guys for the occasional over-optimistic deployment idea; I see similar designs from other network security vendors all the time.
I have never been shown a network diagram that allows me to immediately design a decent IPS deployment. People think of a network IPS as its name suggests, as a network device, yet the function it provides operates at the network, service, application and organizational levels. The network map I am initially shown is one of routers, switches, firewalls and so on; it never presents me with worthwhile information about business objectives or how data is designed to move around the ether. Where do critical business services live, and where are the boundaries of trust drawn?
The all-or-nothing approach to device placement commonly results in a great number of inline devices on every link you can find. It costs a bucket-load of cash and probably won’t actually meet the goal of substantially improving security.
So, you may be wondering what the parallel is that I felt compelled to write about, so let’s jump a little closer to the point. When you plan an IPS deployment, don’t start off with the unobtainable “all-or-nothing” approach. Start with a plan that reflects network data flow as it is now, and then try to meet achievable objectives that have been formally defined. This process also indirectly addresses the following common objections I hear against IDS and IPS as a technology:
“To do this right, I need to place down way too many devices. Too much cost in purchasing, and management effort.”
“I can’t put IPS everywhere, so what’s the point of monitoring at all?”
The bar I am sitting in has somewhere in the region of sixty people in it, all going about their business, chatting away and enjoying many creatively poured glasses of Heineken. It is impossible for me to monitor what everyone is discussing, especially without interruption, but is it impossible for me, a single monitoring point, to overhear something valuable?
I wasn’t purposely trying to eavesdrop, but I couldn’t help but overhear an interesting conversation coming from the table next to me. The details of what was said are irrelevant to my point, but now that I have heard it I feel that I’m in a much better situation than I was before. I can use this newly found knowledge to be more intelligent about things. This is just the same as using the intelligence provided by a single network security monitoring device; we just need to make sure that we understand the scope of what it provides.
In the UK we are famously big users of Closed Circuit Television (CCTV); it provides an immensely valuable resource of audit data and crime detection. It is impossible to monitor the whole country with CCTV, as the cost of cameras and the required management effort grows beyond the line of what is worthwhile. This line of what can be achieved and managed is also visible at an organizational level: it is unlikely that your whole office is monitored with CCTV, but there may well be a camera or two above important doors.
In just the same way that I can overhear a conversation or a well-placed CCTV camera can record an interesting event, strategic placement and planning of a network monitoring device can provide data about the specific assets that concern you. A network IPS is essentially an access control device and, assuming you select a good one, an extremely flexible one. Operation of these devices falls into one of two camps: detective controls, like a CCTV camera, and preventative controls, like an automatic door. As you can imagine, the most valuable deployments provide a mix of these two controls at relevant locations.
Remember that if you decide to operate the network without audit and detective controls in place, you will never discover anything. A good design that can actually deliver achievable protection and monitoring in specific areas gives you one hell of a better chance of protecting your organization than leaving your head stuck in the sand, monitoring nothing.