Table Of Contents

Agenda
Network Security is a System
Threat Education and Awareness
Type of Threats that Affect You
Remember Collateral Damage!
How Computers and Networks Are Owned
There Is NO Silver Bullet
Know Your Enemy: Anatomy of an Attack
Worm/Virus: Exploit Comparison (20 Years)
Defence-in-Depth Strategy (DIDS)
Mitigation
Access Control
ACL Cisco IOS vs. Firewall
Utilising Cisco IOS ACL Capabilities
Layer 2 Access Control
Modular and Phase-Based ACL Policy
Filter Shields = Phase-Based Modules
Known, Unknown, & Undesirable Traffic
Access Control References
Spoofing Prevention
Unicast Reverse Path Forwarding
Strict Mode Unicast RPF
Loose Mode Unicast RPF
Address Spoofing Prevention in the Enterprise
Configuring Spoofing Features
SYN Cookie Packet Flow
TCP-Intercept
Spoofing References
Packet Conformance
Firewall Packet Conformance
Firewall ASP Checks
Cisco IOS Packet Conformance
Cisco IOS Packet Conformance (Cont.)
Application Layer Protocol Inspection
Required Policy Components
DNS Protocol Inspection Example
DNS AppFW Protocol Inspection Example
Firewall Protocol Inspection References
Super ACL – Access Lists on Steroids
FPM Delivery Mechanism
FPM Policy for IOS NHRP Vulnerability
FPM Policy for WPAD.DAT HTTP Request
FPM Policy for SNMP v1 and SNMP v3
FPM Policy for Slammer Packets
FPM References
Monitoring
Configuring Syslog on a Router
Uses of Syslogs
What Are Modifiable Syslog Levels?
How to Create Modifiable Syslog Levels
Logging Debugs to Syslog
ACL Logging
Access Control List Syslog Correlation
ACL Logging References
NetFlow: Listening to the Network
What Constitutes a Flow?
Version 5: Most Commonly Used
NetFlow Open Source Tools
Embedded Event Manager (EEM)
EEM Example
CS-MARS Contextual Analysis Overview
CS-MARS Rules
CS-MARS Rules in Action
Intrusion Detection and Prevention
Preventing Endpoint Attacks Using CSA
Preventing Execution
Policy Rules Drive Interceptors
Intrusion Protection for the Network
Risk Rating Thresholds Drive Mitigation
Threat Rating
Event Action Overrides
IPS Mitigations and Responses
IPS/CSA Collaboration Benefits
Network IPS and Cisco Security Agent Collaboration
Reacting with BGP
Black Hole Filtering – Destination Based
Using Remote Triggered Blackhole
Step 1 – Prepare All Routers with Trigger
Step 2 – Prepare the Trigger Router
Step 2 – Trigger Router Configuration
Step 3 – Activate the Blackhole
RTBH Mitigation in Action
Source-Based RTBH – Drop At the Edge
What If I Can’t Deploy RTBH?
Utilising Internal RTBH Deployment
Microsoft Server Service, MS08-067
Conficker a.k.a. Downadup and MS08-067
Conficker a.k.a. Downadup and MS08-067 (Cont.)
Mitigation: CSA
Mitigation: Cisco IOS ACL (Modularized)
Detection: ACL Counters
Detection: Firewall Syslog Events
Detection: IPS
References
References (Cont.)
Key Takeaways
Recommended Reading
Complete Your Online Session Evaluation
Meet the Expert
Strive for Operational Simplicity
Threat and Attack Models
Threat and Attack Models (cont.)
FPM Monitoring
FPM Capability Phasing
FPM Performance vs. Equivalent ACLs
Debug ICMP Trace
NetFlow Versions
Adaptive Control Technology
Threat Information Distribution Protocol
Threat Containment Using ACT
Automated Signature Extraction (ASE/DASE)
Deceptive Defence
Deceptive Defence Benefits
Utilising Low Interaction Honeypots to Increase Network Security?
Deceptive Defence in Action
Deceptive Defence Mitigating the Attack
Deceptive Defence Caveats
Remotely Triggered Blackhole
Step 1—Prepare All Routers with Trigger
Sinkhole Routers/Networks
BGP Sinkhole Trigger
Example—BGP Sinkhole Triggers
Preventing Vulnerability Exploitation
IPS Signature, 6988/0
Detection Vulnerability Exploitation
References (Cont.)
Vulnerabilities
IGMPv3/MLDv2
ICMP Type 9 RFC 1256
Mitigating the Vulnerability
Mitigation: Cisco IOS Features and ACLs
Mitigation: Cisco IOS VACL
Mitigation: Cisco IOS VACL (Cont.)
Mitigation: ASA and FWSM
Additional Mitigation and Monitoring
MS08-001 References
MS08-001 References (Cont.)
Storm Malware, CME711
Malware in Action: CME711
Mitigating CME711
Breaking the Bot
Mitigation: ACLs
What About FPM?
Mitigation: FPM for Encrypted Storm
Mitigation: Deny Downloader via HTTP Inspection
Mitigation: Deny Botnet Access via DNS Inspection
Identification
Storm Worm References
Microsoft DNS Server RPC Interface
Mitigation: Cisco IOS ACL (Modularised)
Mitigation: FW ACL (Modularised)
Mitigation: IPS Signature 5858
Identification: ACL Counters
Identification: Firewall Syslog Events
Identification: IPS
The Exploits
Exploit Specific
Exploit Specific: ASA HTTP Inspection
BRKSEC-2004 Monitoring, Mitigating, And Handling Threats
Published by: HighFreak1c on Jun 18, 2010
Copyright: Attribution Non-commercial