Monitoring and Mitigating Threats

BRKSEC-2004

BRKSEC-2004 14344_04_2008_c2

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public


© 2006, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr


Overview
- Mitigation and Prevention
- Monitoring and Identification
- IPS Capabilities
- Case Studies
- Advanced Topics


How Computers and Networks Are Owned
Attack vectors:
- Service vulnerabilities (IIS, Apache, SMB)
- Application vulnerabilities (XSS)
- Denial of Service: flooding, spoofed (smurf, SYN flood) and non-spoofed rate attacks
- Packet conformance vulnerabilities
- Client-side application vulnerabilities
- Configuration vulnerabilities (weak passwords, lack of encryption, etc.)

Controls covered in this session:
- Access Control
- Application Inspection
- IPS Capabilities
- Spoofing Prevention
- Packet Conformance
- User Education


There Is No Silver Bullet
- ACLs are most effective when the service is not required, and they only act at the boundaries where they are deployed, which is usually a Layer 3 interface
- IPS only mitigates when it is configured to (which is seldom)
- AV detection is not 100% (~85% with samples taken from honeypots)
- All new technologies introduce potential vulnerabilities in themselves
- Complexity introduces errors

Source: Virtual Honeypots

Know Your Enemy: Anatomy of an Attack
The five phases, applied against a target:
1. Probe: ping addresses, scan ports, passive probing, guess user accounts
2. Penetrate: phishing and social engineering, mail attachments, buffer overflows, ActiveX controls, network installs, compressed messages, guess backdoors
3. Persist: create new files, modify existing files, weaken registry security settings, install new services, register trap doors
4. Propagate: mail copy of attack, web connection, IRC, FTP, infect file shares
5. Paralyze: delete files, modify files, drill security hole, crash computer, denial of service, steal secrets


Worm/Virus: Exploit Comparison (~20 Yrs)
Each worm mapped to the five phases (Probe, Penetrate, Persist, Propagate, Paralyze):

Morris (1988)
- Probe: Scan for Fingerd
- Penetrate: Buffer Overflow in Fingerd
- Persist: Execute Script to Download Code
- Propagate: Look for Addresses and Spread to New Victim
- Paralyze: Lots of Processes Slow System

Love Bug (2000)
- Probe: N/A
- Penetrate: Arrive as Email Attachment
- Persist: Create Executables and Edit Registry
- Propagate: Open Address Book and Email Copies
- Paralyze: Worm Spreads

Code Red (2001)
- Probe: Scan for IIS
- Penetrate: Buffer Overflow in IIS
- Persist: Execute Script to Download Code
- Propagate: Pick New Addresses and Spread to New Victim
- Paralyze: Lots of Threads Slow System

Slammer (2003)
- Probe: N/A
- Penetrate: Buffer Overflow in SQL and MSDE
- Persist: N/A
- Propagate: Pick New Addresses and Spread to New Victim
- Paralyze: Lots of Packets Slow Network

MyDoom (2004)
- Probe: N/A
- Penetrate: Arrive as Email Attachment
- Persist: Create Executables and Edit Registry
- Propagate: Open Address Book and Email Copies
- Paralyze: Worm Spreads

Zotob (2005)
- Probe: Scan for MS Directory Services
- Penetrate: Buffer Overflow in UPnP Service
- Persist: Create Executables and Edit Registry, Download Code
- Propagate: Start FTP and TFTP Services, Look for Addresses and Spread to New Victim
- Paralyze: Delete Registry Keys and Files, Terminate Processes

MS RPC DNS 0day (2007)
- Probe: Scan or Endpoint Mapper Query
- Penetrate: Buffer Overflow in RPC Service
- Persist: Execute Payload to Download Code
- Propagate: Look for Addresses and Spread to New Victim
- Paralyze: Worm Spreads


Defense-in-Depth Strategy (DIDS)
- Layering security defenses reduces threat exposure and reduces the window of opportunity for miscreants
- Apply appropriate controls closest to the victim and the miscreant
- Any defense mechanism may fail, be bypassed, or be defeated
- Embrace multiple protection methods that complement each other


Mitigation and Prevention


Mitigation
- Access Control
- Spoofing Prevention
- Packet Conformance
- Application Inspection
- Flexible Packet Matching


Access Control
- Highly effective deterrent at an enforced boundary for Layer 3 and Layer 4 traffic
- Not effective when services/applications are required by potentially malicious users
- Classification ACLs aid in identification
- Default deny ingress/egress will prevent a lot
- Filter as precisely as possible: source and destination (Layer 3 and Layer 4)


ACL Cisco IOS vs. Firewall
Feature              | ASA, PIX, and FWSM                                  | Cisco IOS
IP Fragmentation     | Virtual reassembly using fragment chain             | fragments keyword on ACLs and ip virtual-reassembly under interface configuration
State                | ACLs have state                                     | Use of established keyword
IP Option Filtering  | Drop IP options by default                          | option keyword, 12.3(4)T
TTL Filtering        | ttl-evasion-protection via MPF, verified by default | ttl keyword, 12.4(2)T
TCP Flags            |                                                     | syn, fin, ack, psh, urg, rst keywords, 12.3(4)T


Utilizing Cisco IOS ACL Capabilities
    !
    Router(config)#ip access-list extended tACL
    !
    !-- Deny loose source routed packets
    !
    Router(config-ext-nacl)#deny ip any any option lsr
    !
    !-- Deny fragmented packets
    !
    Router(config-ext-nacl)#deny ip any any fragments
    !
    !-- Deny TCP packets with SYN and FIN flags set
    !
    Router(config-ext-nacl)#deny tcp any any match-all +syn +fin
    !
    !-- Deny packets with TTL values less than 5
    !
    Router(config-ext-nacl)#deny ip any any ttl lt 5
    !


Layer 2 Access Control
VLAN Access Control List (VACL): permit ACE rules classify the traffic, the access map sets the action to drop, and the filter applies the VACL to the VLAN.
    !
    !-- Create ACL default permit
    ip access-list extended VACL-MATCH-ANY
     permit ip any any
    !
    !-- Create ACL match ports
    ip access-list extended VACL-MATCH-PORTS
     permit tcp 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 445
     permit tcp 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 139
    !
    !-- Create VLAN Access Map for VACL policy (set action to drop)
    vlan access-map VACL 10
     match ip address VACL-MATCH-PORTS
     action drop
    !
    vlan access-map VACL 20
     match ip address VACL-MATCH-ANY
     action forward
    !
    !-- Apply and enable VACL for use
    vlan filter VACL vlan 100
    !

Port ACL: applied inbound on an access port.
    !
    !-- Port ACL
    ip access-list extended <acl-name>
     permit <protocol> <source-address> <source-port> <destination-address> <destination-port>
    !
    interface <type> <slot/port>
     switchport mode access
     switchport access vlan <vlan_number>
     ip access-group <acl-name> in
    !

Modular and Phase-Based ACL Policy
Hybrid permit/deny, ordered by phase, with how often each block changes:
1. Anti-Spoofing: rarely changes
2. Anti-Bogon (Source): rarely changes
3. Infrastructure Permit: rarely changes
4. Explicit Deny Specific Layer 3: sometimes changes
5. Explicit Deny Specific Layer 4: sometimes changes
6. Incident Response and Countermeasure: changes every day
7. Explicit Permit Layer 3 (Good Traffic): sometimes changes
8. Explicit Permit Layer 3 (Good Traffic): sometimes changes
9. Explicit Deny: rarely changes


Known, Unknown, and Undesirable Traffic
    ip access-list extended ACCESS-LIST
     200 deny ip 127.0.0.0 0.255.255.255 any        !-- Deny Loopback netblock (src)
     210 deny ip any 127.0.0.0 0.255.255.255        !-- Deny Loopback netblock (dst)
     220 deny ip 192.0.2.0 0.0.0.255 any            !-- Deny Test-Net netblock (src)
     230 deny ip any 192.0.2.0 0.0.0.255            !-- Deny Test-Net netblock (dst)
     240 deny ip 169.254.0.0 0.0.255.255 any        !-- Deny Link Local netblock (src)
     250 deny ip any 169.254.0.0 0.0.255.255        !-- Deny Link Local netblock (dst)
     ----- Output Truncated -----
     500 deny tcp any any eq 135                    !-- MS RPC Endpoint Mapper
     510 deny tcp any any eq 139                    !-- NetBIOS Session Service
     520 deny tcp any any eq 445                    !-- Microsoft DS, and Zotob
     530 deny udp any any eq 445                    !-- SMB vulns
     540 deny tcp any any eq 4444                   !-- Metasploit Reverse Shell
     550 deny udp any any eq 1434                   !-- MS SQL, Sapphire/Slammer Worm
     560 deny tcp any any range 6660 6669           !-- IRC traffic
     570 deny tcp any any eq 7000                   !-- IRC traffic
     ----- Output Truncated -----
     600 deny udp any any eq 1025                   !-- MS RPC and LSA exploit traffic
     610 deny tcp any any eq 5000                   !-- UPnP Buffer Overflow exploit traffic


Access Control References
ASA 8.0 Identifying Traffic with Access Lists
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/traffic.html

Transit Access Control Lists: Filtering at Your Edge
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml

Configuring Network Security with ACLs
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_40_se/configuration/guide/swacl.html

Protecting Your Core: Infrastructure Protection Access Control Lists
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml

Spoofing Prevention
- Minimize attacks that require spoofing: SYN flood, smurf attack
- Attack trace back is simplified
- Multiple features exist: Access Control Lists (ACLs), Unicast Reverse Path Forwarding (Unicast RPF), TCP Intercept (SYN Cookies), IP Source Guard (IPSG)*, DHCP Snooping*

*Detailed information about Layer 2 security is available in BRKSEC-2002


Unicast Reverse Path Forwarding
Which mode to deploy, strict or loose? Strict for symmetrical flows, loose for asymmetrical flows.
- Effectively drops packets that lack a verifiable IP source address
- Not 100% effective; however, through proper deployment Unicast RPF can protect against most Layer 3 spoofed packets
- Tuning for Unicast RPF is provided through ACLs


Strict Mode Unicast RPF
    Router(config-if)# ip verify unicast source reachable-via rx
    (deprecated syntax: ip verify unicast reverse-path)

Figure (reconstructed from the slide): the router's FIB holds Dest Sx -> int 1, Sy -> int 2, Sz -> null0. A packet from Sx to D arriving on int 1 is forwarded, because the source IP is reachable via the receiving interface (sourceIP = rx int). A packet from Sy to D arriving on any interface other than int 2 is dropped, because the source IP is not reachable via the receiving interface (sourceIP != rx int).


Loose Mode Unicast RPF
    Router(config-if)# ip verify unicast source reachable-via any

Figure (reconstructed from the slide): the router's FIB holds Dest Sx -> int 1, Sy -> int 2, Sz -> ??? (no entry). A packet from Sy to D arriving on int 1 is forwarded, because the source IP is reachable via some interface (int 2) even though it is not the receiving one (sourceIP = any int). A packet from Sz to D is dropped, because the FIB has no route for its source at all (sourceIP != any int).


Address Spoofing Prevention in the Enterprise
Enterprise: 192.168.0.0/16, with LANs 192.168.1/24, 192.168.2/24 and 192.168.3/24 behind a router connected to the ISP.

Block leaving traffic whose source != own network (toward the ISP):
    access-list 102 permit ip 192.168.0.0 0.0.255.255 any
    access-list 102 deny ip any any
or
    ip verify unicast source reachable-via rx

Block entering traffic whose source = own network (from the ISP):
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 permit ip any any
or
    ip verify unicast source reachable-via rx allow-default

Block sources that do not belong to the subnet (on each LAN interface):
    access-list 102 permit ip 192.168.X.0 0.0.0.255 any
    access-list 102 deny ip any any
or
    ip verify unicast source reachable-via rx
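As an added illustration (not from the slides), the following Python models the Unicast RPF decision drawn in the strict and loose mode figures and the allow-default variant used at the ISP edge in the enterprise example. The FIB, interface names and addresses are constructed; the check generalises the three drawn cases into one function, including a source whose best route points to Null0, which fails in both modes.

```python
import ipaddress

DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")

# Constructed FIB modelled on the slide figures: the prefixes holding Sx, Sy
# and Sz are reached via int 1, int 2 and Null0 (a discard route) respectively.
# "int 0" carrying the default route stands for the ISP-facing interface of the
# enterprise example. None of these names come from a real device.
FIB = {
    ipaddress.ip_network("192.168.1.0/24"): "int 1",   # Sx
    ipaddress.ip_network("192.168.2.0/24"): "int 2",   # Sy
    ipaddress.ip_network("192.168.3.0/24"): "Null0",   # Sz, black-holed
}
FIB_WITH_DEFAULT = {**FIB, DEFAULT_ROUTE: "int 0"}


def lpm(fib, src):
    """Longest-prefix match on the source address. Returns (prefix, interface),
    or (None, None) when no FIB entry covers the source."""
    addr = ipaddress.ip_address(src)
    best_prefix, best_iface = None, None
    for prefix, iface in fib.items():
        if addr in prefix and (best_prefix is None or prefix.prefixlen > best_prefix.prefixlen):
            best_prefix, best_iface = prefix, iface
    return best_prefix, best_iface


def urpf_passes(fib, src, rx_int, mode="rx", allow_default=False):
    """Unicast RPF check for a packet with source `src` received on `rx_int`.

    mode="rx"  : strict (reachable-via rx), the route back to the source must
                 leave through the receiving interface.
    mode="any" : loose (reachable-via any), any real route to the source is enough.
    A source whose best route is the default route only passes when allow_default
    is set; a source whose best route points to Null0 never passes."""
    prefix, iface = lpm(fib, src)
    if prefix is None:
        return False                      # no route at all: unverifiable source
    if prefix == DEFAULT_ROUTE and not allow_default:
        return False                      # the default route does not count by itself
    if iface == "Null0":
        return False                      # black-holed source, drop
    if mode == "rx":
        return iface == rx_int
    if mode == "any":
        return True
    raise ValueError(f"unknown uRPF mode {mode!r}")


def classify(fib, packets, **kw):
    """Map each (src, rx_int) pair to 'forward' or 'drop' under the given mode."""
    return {(s, i): ("forward" if urpf_passes(fib, s, i, **kw) else "drop") for s, i in packets}


if __name__ == "__main__":
    samples = [("192.168.1.10", "int 1"), ("192.168.2.10", "int 1"),
               ("192.168.3.10", "int 3"), ("198.51.100.7", "int 0")]
    for mode in ("rx", "any"):
        print(mode, classify(FIB, samples, mode=mode))
    print("ISP edge, strict + allow-default",
          classify(FIB_WITH_DEFAULT, samples, mode="rx", allow_default=True))
```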


Configuring Spoofing Features
Layer 3 spoofing prevention:
    !-- Unicast RPF must have CEF enabled
    ip cef
    !
    interface <interface>
     ip verify unicast source reachable-via <mode>
    !
    !-- Anti-Spoofing ACL
    ip access-list extended ACL-ANTISPOOF-IN
     deny ip 10.0.0.0 0.255.255.255 any
     deny ip 192.168.0.0 0.0.255.255 any
    !
    interface <interface>
     ip access-group ACL-ANTISPOOF-IN in
    !

Layer 2 spoofing prevention:
    !-- Configuring DHCP Snooping
    ip dhcp snooping
    ip dhcp snooping vlan <vlan-range>
    !
    !-- IPSG, which requires DHCP snooping
    interface <interface-id>
     ip verify source
    !
    !-- Configuring Port Security
    interface <interface>
     switchport
     switchport mode access
     switchport port-security
     switchport port-security mac-address sticky
     switchport port-security maximum <number>
     switchport port-security violation <violation-mode>
    !

SYN Cookie Packet Flow
Client (source) IP 192.168.1.1, firewall in the path, server (destination) IP 192.168.2.2. Sequence reconstructed from the slide:

1. Client -> Firewall: SYN (SrcIP=192.168.1.1; seq=x)
2. Firewall: Is IP 192.168.1.1 authenticated? NO. Generate a unique cookie for IP 192.168.1.1
3. Firewall -> Client: SYN ACK (seq=cookie; ack=x+1)
4. Client -> Firewall: ACK (seq=x+1; ack=cookie+1)
5. Firewall: If the cookie is valid, authenticate IP 192.168.1.1
6. Client -> Firewall: SYN (seq=y)
7. Firewall: Is IP 192.168.1.1 authenticated? YES, pass the SYN to the server
8. Firewall -> Server: SYN (seq=y)
9. Server -> Client: SYN ACK (seq=z; ack=y+1)
10. Client -> Server: ACK (seq=y+1; ack=z+1), followed by DATA
11. Connection Established; DATA flows in both directions
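The cookie handshake above, as an added Python model that is not the ASA's implementation (the slides do not say how the firewall derives its cookie): the cookie here is an 8-bit time slot plus a 24-bit truncated HMAC over the 4-tuple, the slot and the client's ISN, which is one standard SYN-cookie construction. The secret, addresses and ports are constructed; the firewall keeps no per-SYN state, only the set of authenticated source IPs, as in the slide.

```python
import hashlib
import hmac

SLOT_SECONDS = 64        # granularity of the time slot encoded in the cookie
MAX_AGE_SLOTS = 1        # honour a cookie in its own slot and the following one
MASK32 = 0xFFFFFFFF


class SynCookieIntercept:
    """Stateless SYN-cookie intercept in the role the slide gives the firewall.

    The firewall answers the first SYN itself with seq=cookie, stores nothing
    per connection, and marks the source IP as authenticated only when a client
    returns ack=cookie+1 for that cookie. Later SYNs from an authenticated source
    are forwarded to the server."""

    def __init__(self, secret: bytes):
        self.secret = secret               # constructed; random and rotated on a device
        self.authenticated = set()         # source IPs that completed the handshake

    def _slot(self, now):
        return int(now // SLOT_SECONDS) & 0xFF

    def _mac(self, src_ip, sport, dst_ip, dport, client_seq, slot):
        msg = f"{src_ip}:{sport}>{dst_ip}:{dport}|{client_seq}|{slot}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:3]   # 24 bits

    def make_cookie(self, src_ip, sport, dst_ip, dport, client_seq, now):
        """ISN the firewall sends in its SYN ACK: slot in the top byte, MAC below."""
        slot = self._slot(now)
        mac = int.from_bytes(self._mac(src_ip, sport, dst_ip, dport, client_seq, slot), "big")
        return ((slot << 24) | mac) & MASK32

    def check_cookie(self, src_ip, sport, dst_ip, dport, client_seq, ack, now):
        """The client's ACK carries ack=cookie+1; recover the cookie, reject stale
        slots, then recompute the MAC in constant time."""
        cookie = (ack - 1) & MASK32
        slot = cookie >> 24
        if (self._slot(now) - slot) & 0xFF > MAX_AGE_SLOTS:
            return False                   # expired cookie, replay or very slow client
        expected = self._mac(src_ip, sport, dst_ip, dport, client_seq, slot)
        return hmac.compare_digest(expected, (cookie & 0xFFFFFF).to_bytes(3, "big"))

    # Packet handlers mirroring the slide's decision points.

    def on_syn(self, src_ip, sport, dst_ip, dport, seq, now):
        """'Is IP authenticated?' NO -> ("SYNACK", cookie, x+1) answered locally;
        YES -> ("FORWARD", None, None), the SYN goes on to the server."""
        if src_ip in self.authenticated:
            return ("FORWARD", None, None)
        cookie = self.make_cookie(src_ip, sport, dst_ip, dport, seq, now)
        return ("SYNACK", cookie, (seq + 1) & MASK32)

    def on_ack(self, src_ip, sport, dst_ip, dport, seq, ack, now):
        """Third packet of the cookie handshake (seq=x+1, ack=cookie+1).
        'If cookie is valid, authenticate IP.' Returns True when it was."""
        client_seq = (seq - 1) & MASK32    # x is recovered from seq=x+1
        if not self.check_cookie(src_ip, sport, dst_ip, dport, client_seq, ack, now):
            return False
        self.authenticated.add(src_ip)
        return True


if __name__ == "__main__":
    fw = SynCookieIntercept(b"constructed-demo-secret")
    kind, cookie, ack = fw.on_syn("192.168.1.1", 40000, "192.168.2.2", 80, seq=1000, now=1000.0)
    print(kind, hex(cookie), ack)
    print("valid ack:", fw.on_ack("192.168.1.1", 40000, "192.168.2.2", 80, 1001, cookie + 1, 1010.0))
    print("second SYN:", fw.on_syn("192.168.1.1", 40000, "192.168.2.2", 80, seq=5000, now=1011.0))
```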


TCP-Intercept
Using MPF:
    !-- Using Modular Policy Framework (MPF)
    !-- which is available on ASA and PIX
    access-list management permit tcp any 192.168.131.0 255.255.255.0
    !
    class-map connection-limit
     match access-list management
    !
    policy-map spoof-protect
     class connection-limit
    !
    !-- Setting limit to one forces all connections to be validated
    !
      set connection embryonic-conn-max 1
    !
    service-policy spoof-protect interface outside

Using Static NAT:
    !
    !-- Static NAT, this will map the inside IP address of
    !-- 192.168.131.10 to the outside IP address 192.0.2.10
    !-- and will create an embryonic connection limit of 1
    static (inside,outside) 192.168.222.222 192.168.111.111 tcp 0 1
    !
    !-- Static Identity NAT, ie: No Address Translation
    static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 tcp 0 1
    !

Spoofing References
Understanding Unicast Reverse Path Forwarding
http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html

http://www.cymru.com/Documents/trackingspoofed.html

http://www.cymru.com/Documents/bogon-dd.html


Packet Conformance
Several attacks use fuzzed or irregular packet fields to identify hosts, exploit vulnerabilities, or evade detection:
- Fragmentation: overwrite, overlap, short, long (teardrop, jolt, evasion)
- Nmap passive OS identification scanning
- Source routing to evade access control or cause other vulnerabilities
- Abnormal TCP flags, values, overwrite
- Time-to-live (TTL) abnormalities


Firewall Packet Conformance
- Virtual Fragmentation Reassembly: reassemble, perform consistency checks (overlap, overwrite, long, short), then forward; fragment chain command
- Dropping packets with IP options present
- Fuzzy TCP flags
- TCP intercept (SYN Cookies)
- ttl-evasion-protection in MPF (enabled by default)
- TCP-MAP (TCP options, SYN data)
- Accelerated Security Path (ASP) checks


Firewall ASP Checks
    Firewall# capture drop type asp-drop ?
    -------------------- Output Truncated in Several Places --------------------
    fragment-reassembly-failed    Fragment reassembly failed
    invalid-ip-header             Invalid IP header
    invalid-ip-length             Invalid IP length
    invalid-ip-option             IP option drop
    invalid-tcp-hdr-length        Invalid TCP Length
    invalid-udp-length            Invalid UDP Length
    tcp-3whs-failed               TCP failed 3 way handshake
    tcp-ack-syn-diff              TCP ACK in SYNACK invalid
    tcp-bad-option-len            Bad option length in TCP
    tcp-bad-option-list           TCP option list invalid
    tcp-bad-sack-allow            Bad TCP SACK ALLOW option
    tcp-bad-winscale              Bad TCP window scale value
    tcp-data-past-fin             TCP data send after FIN
    tcp-discarded-ooo             TCP ACK in 3 way handshake invalid
    tcp-invalid-ack               TCP invalid ACK
    tcp-mss-exceeded              TCP data exceeded MSS
    tcp-not-syn                   First TCP packet not SYN
    tcp-reserved-set              TCP reserved flags set
    tcp-rst-syn-in-win            TCP RST/SYN in window
    tcp-rstfin-ooo                TCP RST/FIN out of order
    tcp-seq-past-win              TCP packet SEQ past window
    tcp-seq-syn-diff              TCP SEQ in SYN/SYNACK invalid
    tcp-syn-data                  TCP SYN with data
    tcp-syn-ooo                   TCP SYN on established conn
    tcp-synack-data               TCP SYNACK with data
    tcp-synack-ooo                TCP SYNACK on established conn
    tcp-winscale-no-syn           TCP Window scale on non-SYN


Cisco IOS Packet Conformance
The ip options drop command and no ip source-route:
    Router(config)# ip options drop
    % Warning: RSVP and other protocols that use IP Options packets may not function as expected.
    Router(config)# no ip source-route
    Router(config)#

Some of the checks can be accomplished through ACLs (such as IP options, TCP flags)

Cisco IOS Packet Conformance (cont.)
Virtual Fragmentation Reassembly (VFR), 12.3(8)T: ip virtual-reassembly. Asymmetric traffic causes problems, since the router must see every fragment of a datagram to reassemble it.
    !
    interface GigabitEthernet0/0
     ip address <address>
     ip virtual-reassembly [drop-fragments] [max-fragments number] [max-reassemblies number] [timeout seconds]
    !

Troubleshoot and verify VFR operations:
    debug ip virtual-reassembly
    show ip virtual-reassembly

Syslog messages: VFR-3-TINY_FRAGMENTS, VFR-3-OVERLAP_FRAGMENT, VFR-4_FRAG_TABLE_OVERFLOW, VFR-4_TOO_MANY_FRAGMENTS


Application Layer Protocol Inspection
- Feature on ASA, PIX, and FWSM security devices
- Stateful deep packet inspection
- Good for protocols that open secondary ports and use embedded IP addresses
- Potential DoS vector due to performance implications
- User-defined policies
- Response actions for undesirable traffic

Default inspection policy shown:
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global


Application Layer Protocol Inspection
Configuration requires:
- Class-map: identifies the traffic that needs a specific type of control; class-maps have specific names which bind them to a policy-map
- Policy-map: describes the actions to be taken on the traffic described in the class-map; policy-maps have specific names which bind them to the service-policy
- Service-policy: describes where the traffic should be intercepted for control; only one service-policy can exist per interface; an additional service-policy, the "global service policy", is defined for traffic and general policy application and applies to traffic on all interfaces

*Detailed information about Firewall Design and Deployment is available in BRKSEC-2020

Application Layer Protocol Inspection
Regex, introduced in 7.2, provides the ability to filter specific traffic. Not available on FWSM.
    Firewall# show run all | include regex _default_
    regex _default_gator "Gator"
    regex _default_firethru-tunnel_2 "[/\]cgi[-]bin[/\]proxy"
    regex _default_shoutcast-tunneling-protocol "1"
    regex _default_http-tunnel "[/\]HT_PortLog.aspx"
    regex _default_x-kazaa-network "[xX]-[kK][aA][zZ][aA][aA][nN][eE][tT][wW][oO][rR][kK]"
    regex _default_msn-messenger "[Aa][Pp][Pp][Ll][Ii][Cc][Aa][Tt][Ii][Oo][Nn][/\][Xx][-][Mm][Ss][Nn][][Mm][Ee][Ss][Ss][Ee][Nn][Gg][Ee][Rr]"
    regex _default_GoToMyPC-tunnel_2 "[/\]erc[/\]Poll"
    regex _default_gnu-http-tunnel_uri "[/\]index[.]html"
    regex _default_aim-messenger "[Hh][Tt][Tt][Pp][.][Pp][Rr][Oo][Xx][Yy][.][Ii][Cc][Qq][.][Cc][Oo][Mm]"
    regex _default_gnu-http-tunnel_arg "crap"
    regex _default_icy-metadata "[iI][cC][yY]-[mM][eE][tT][aA][dD][aA][tT][aA]"
    regex _default_GoToMyPC-tunnel "machinekey"
    regex _default_windows-media-player-tunnel "NSPlayer"
    regex _default_yahoo-messenger "YMSG"
    regex _default_httport-tunnel "photo[.]exectech[-]va[.]com"
    regex _default_firethru-tunnel_1 "firethru[.]com"


DNS Protocol Inspection Example
    !-- Create Regex Match
    Firewall(config)# regex domain1 "yahoo\.com"
    Firewall(config)# regex domain2 "cnn\.com"
    !
    !-- Create Regex Class Map
    Firewall(config)# class-map type regex match-any dns_filter_class
    Firewall(config-cmap)# match regex domain1
    Firewall(config-cmap)# match regex domain2
    !
    !-- Inspection Class Map
    Firewall(config)# class-map type inspect dns dns_inspect_class
    Firewall(config-cmap)# match not header-flag QR
    Firewall(config-cmap)# match question
    Firewall(config-cmap)# match domain-name regex class dns_filter_class
    !
    !-- Perform Policy Map Action
    Firewall(config-cmap)# policy-map type inspect dns dns_inspect_policy
    Firewall(config-pmap)# class dns_inspect_class
    Firewall(config-pmap-c)# drop log
    !
    Firewall(config-pmap-c)# class-map inspection_default
    Firewall(config-cmap)# match default-inspection-traffic
    !
    Firewall(config-cmap)# policy-map egress_policy
    Firewall(config-pmap)# class inspection_default
    Firewall(config-pmap-c)# inspect dns dns_inspect_policy
    !
    Firewall(config-pmap-c)# service-policy egress_policy interface inside
    !


DNS AppFW Protocol Inspection Example
DNS resolution fails after the service policy is enabled. Disable and then re-enable the service policy which inspects DNS queries, and test from the DNS resolver on the endpoints:
    Firewall(config)# no service-policy egress_policy interface inside
    Firewall(config)# service-policy egress_policy interface inside

Successful DNS resolution:
    [user@linux ~]# dig www.google.com

    ; <<>> DiG 9.5.0b3 <<>> www.google.com
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13951
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 7, ADDITIONAL: 7

    ;; QUESTION SECTION:
    ;www.google.com.                IN      A

    ;; ANSWER SECTION:
    www.google.com.         118837  IN      CNAME   www.l.google.com.
    www.l.google.com.       37      IN      A       209.85.165.147
    www.l.google.com.       37      IN      A       209.85.165.99
    www.l.google.com.       37      IN      A       209.85.165.103
    www.l.google.com.       37      IN      A       209.85.165.104

Failed DNS resolution:
    [user@linux ~]$
    [user@linux ~]$ dig www.google.com

    ; <<>> DiG 9.5.0b3 <<>> www.google.com
    ;; global options:  printcmd
    ;; connection timed out; no servers could be reached
    [user@linux ~]$


Firewall Protocol Inspection References
ASA 8.0 MPF Guide
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mpc.html

Applying Application Layer Protocol Inspection
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/inspect.html


IOS Flexible Packet Matching
- Performs stateless deep packet inspection, providing more granular control than ACLs
- Ability to deploy protection and prevention mechanisms closer to victim and miscreant
- Match: Protocol + Port + [String|Regex] -> Action
- Some PHDFs already exist to detect certain vulnerabilities or protocols (BitTorrent and Skype)

Frame layout inspected: L2 Header | L3 Header | L4 Header | Payload (first, second, ... bytes)


Access Lists on Steroids
Flexible Packet Matching (FPM) performs deep packet inspection for containment and policy enforcement:
- Match protocol header fields and/or payload context, Layer 2 to 7: bit/byte matching capability at any offset within the packet
- User-defined filtering policies (traffic classifiers)
- Allows a choice of response actions
- Adaptable to dynamically changing attack profiles
- Rapid deployment of filtering policies (can leverage EEM for near real-time response to threats)
- Ability to deploy protection and prevention mechanisms closer to victim and miscreant

FPM Capability Phasing
Functionality                                   | ACL                  | FPM Phase 1, 12.4(4)T          | FPM Phase 1+, 12.4(6)T1 | FPM Phase 2, 12.4(15)T   | FPM Phase 3
No. of ACEs per Interface                       | Unlimited            | 32 classes                     | 32 classes              | Unlimited                | Unlimited
No. of Match Criteria/ACE                       | 4                    | 8                              | 8                       | Unlimited                | Unlimited
Depth of Inspection                             | 44 Bytes             | 256 Bytes                      | 256 Bytes               | Full Pkt                 | Stream
Raw Offset                                      | No                   | Yes                            | Yes                     | Yes                      | Yes
Relative Offset (Fixed Header Length Support)   | No                   | Yes                            | Yes                     | Yes                      | Yes
Dynamic Offset (Variable Header Length Support) | No                   | No                             | No                      | Yes                      | Yes
Match on Payload TLV Fields                     | No                   | No                             | No                      | No                       | Yes
Nested Policies                                 | No                   | Yes                            | Yes                     | Yes                      | Yes
Nested class-maps                               | No                   | No                             | No                      | Yes                      | Yes
Regex Match                                     | No                   | Yes                            | Yes                     | Yes                      | Yes
String Match                                    | No                   | No                             | Yes                     | Yes                      | Yes
Match String Pattern Window                     | No                   | 32 Bytes                       | 32 Bytes                | 256 Bytes                | Full Pkt
Protocol Support                                | IPv4, TCP, UDP, ICMP | IPv4, TCP, UDP, ICMP, Ethernet | Phase 1                 | Phase 1+ plus GRE, IPSec | Phase 2 plus DNS, SNMP, HTTP, IPv6

FPM Policy for Slammer Packets
    !-- Load PHDFs for IP and UDP
    load protocol disk0:ip.phdf
    load protocol disk0:udp.phdf
    !
    !-- Match UDP over IP packets
    class-map type stack match-all ip_udp_class
     description "match UDP over IP packets"
     match field ip protocol eq 17 next udp
    !
    !-- Match Slammer packets: UDP port 1434, packet length 404 bytes, and payload pattern
    class-map type access-control match-all slammer_class
     description "match on slammer packets"
     match field udp dest-port eq 1434
     match field ip length eq 404
     match start udp payload-start offset 0 size 4 eq 0x04010101
     match start udp payload-start offset 4 size 4 eq 0x01010101
     match start udp payload-start offset 8 size 4 eq 0x01010101
     match start udp payload-start offset 12 size 4 eq 0x01010101
     match start udp payload-start offset 16 size 1 eq 0x01
    !
    !-- Policy for UDP-based attacks
    policy-map type access-control fpm_udp_policy
     description "policy for UDP based attacks"
     class slammer_class
      drop
      log
    !
    !-- Drop worms and malicious attacks
    policy-map type access-control fpm_policy
     description "drop worms and malicious attacks"
     class ip_udp_class
      service-policy fpm_udp_policy
    !
    !-- Apply and enable FPM policy
    interface GigabitEthernet 0/1
     service-policy type access-control input fpm_policy
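As an added example that is not from the slides, the following Python evaluates the slammer_class criteria above against raw packets the way FPM does: decode the IPv4 and UDP headers (the fields the ip.phdf and udp.phdf PHDFs describe), then test every match-all criterion and report which ones failed. The sample packets are constructed (a signature-shaped packet padded with zeros to the 404-byte length, a one-byte SQL Browser ping, and a same-port packet of the wrong length), not captures.

```python
import ipaddress
import struct

# The class-map from the slide expressed as data: header-field criteria plus
# byte-string matches relative to the start of the UDP payload.
SLAMMER_FIELDS = {
    "udp dest-port eq 1434": ("udp_dport", 1434),
    "ip length eq 404": ("ip_length", 404),
}
SLAMMER_PAYLOAD = [                 # (offset, size, expected bytes)
    (0, 4, bytes.fromhex("04010101")),
    (4, 4, bytes.fromhex("01010101")),
    (8, 4, bytes.fromhex("01010101")),
    (12, 4, bytes.fromhex("01010101")),
    (16, 1, bytes.fromhex("01")),
]


def parse_ipv4_udp(pkt):
    """Minimal IPv4 + UDP decode. Returns None unless the packet is UDP over
    IPv4, which is what the stack class 'ip protocol eq 17 next udp' requires."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    ip_length = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 17 or len(pkt) < ihl + 8:
        return None
    _sport, dport, _udp_len, _csum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    return {"ip_length": ip_length, "udp_dport": dport, "payload": pkt[ihl + 8:]}


def failed_criteria(pkt):
    """Evaluate slammer_class (match-all) and list the criteria that did not
    match; an empty list means the class matched."""
    fields = parse_ipv4_udp(pkt)
    if fields is None:
        return ["ip protocol eq 17 next udp"]
    failed = [name for name, (field, want) in SLAMMER_FIELDS.items() if fields[field] != want]
    payload = fields["payload"]
    for off, size, want in SLAMMER_PAYLOAD:
        if payload[off:off + size] != want:
            failed.append(f"udp payload-start offset {off} size {size} eq 0x{want.hex()}")
    return failed


def fpm_action(pkt):
    """The policy-map action: 'drop log' when slammer_class matches, else forward."""
    return "drop log" if not failed_criteria(pkt) else "forward"


def build_ipv4_udp(src, dst, sport, dport, payload):
    """Build a constructed test packet (checksums left at zero)."""
    udp_len = 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip_hdr + struct.pack("!HHHH", sport, dport, udp_len, 0) + payload


# Constructed samples. SIGNATURE_SHAPED carries only the 17 signature bytes the
# class-map looks at, followed by zero filler to reach IP total length 404.
SIGNATURE_SHAPED = build_ipv4_udp("192.0.2.10", "192.0.2.20", 1434, 1434,
                                  b"\x04" + b"\x01" * 16 + b"\x00" * 359)
SQL_BROWSER_PING = build_ipv4_udp("192.0.2.10", "192.0.2.20", 50000, 1434, b"\x02")
SAME_PORT_WRONG_LENGTH = build_ipv4_udp("192.0.2.10", "192.0.2.20", 50000, 1434,
                                        b"\x04" + b"\x01" * 16)

if __name__ == "__main__":
    for name, p in [("signature-shaped", SIGNATURE_SHAPED),
                    ("sql browser ping", SQL_BROWSER_PING),
                    ("same port, wrong length", SAME_PORT_WRONG_LENGTH)]:
        print(f"{name:24s} -> {fpm_action(p):8s} failed: {failed_criteria(p)}")
```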

FPM Performance vs. Equivalent ACLs
Test setup: compare FPM to ACL by processor utilization percent; ten FPM classes or the equivalent ACL, matching on src/dst IP address, src/dst TCP port, and TCP protocol; ten TCP traffic streams with 50% of generated traffic matching; 7206VXR NPE-400, 128 MB, 12.4(4)T.

Rate      | No Filter | FPM 1st Match | ACL 1st Match | FPM 5th Match | ACL 5th Match | FPM 10th Match | ACL 10th Match
1,000 pps | 13%       | 38%           | 30%           | 42%           | 32%           | 42%            | 32%
2,000 pps | 14%       | 42%           | 36%           | 50%           | 39%           | 50%            | 39%
3,000 pps | 15%       | 43%           | 37%           | 59%           | 40%           | 50%            | 39%
4,000 pps | 16%       | 43%           | 37%           | 59%           | 41%           | 50%            | 39%
5,000 pps | 17%       | 43%           | 37%           | 59%           | 41%           | 50%            | 39%


FPM References
Cisco IOS Flexible Packet Matching (FPM)
http://www.cisco.com/go/fpm
http://www.cisco.com/cgi-bin/tablebuild.pl/fpm

Flexible Packet Matching Deployment Guide
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6723/prod_white_paper0900aecd803936f6_ns696_Networking_Solutions_White_Paper.html

Flexible Packet Matching Feature Guide
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t4/ht_fpm.html

Flexible Packet Matching XML Configuration
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_tcdf.html

Getting Started with Cisco IOS Flexible Packet Matching
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6723/prod_white_paper0900aecd80633b0a.html

Monitoring and Identification


Monitoring
- Syslog
- NetFlow
- Embedded Event Manager
- CS-MARS


Syslog
Router (ACL 185 uses log-input, so the first entries also record the receiving interface and source MAC):
    Router# show logging | include 185
    Aug 29 2007 15:58:12.181 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55618) (GigabitEthernet0/0 0014.5e6a.5ba6) -> 192.168.150.77(1024), 1 packet
    Aug 29 2007 15:58:14.445 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55619) (GigabitEthernet0/0 0014.5e6a.5ba6) -> 192.168.150.77(1024), 1 packet
    Aug 29 2007 15:58:16.389 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55620) (GigabitEthernet0/0 0014.5e6a.5ba6) -> 192.168.150.77(1024), 1 packet
    Aug 29 2007 15:58:24.429 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55621) -> 192.168.150.77(139), 1 packet
    Aug 29 2007 15:58:27.373 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55622) -> 192.168.150.77(139), 1 packet
    Aug 29 2007 15:58:29.661 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55623) -> 192.168.150.77(139), 1 packet

Firewall:
    Firewall# show logging | grep 5063b82f
    Aug 29 2007 11:14:55: %ASA-4-106023: Deny tcp src outside:192.168.208.63/35746 dst inside:192.168.150.77/389 by access-group "OUTSIDE" [0x5063b82f, 0x0]
    Aug 29 2007 11:14:55: %ASA-4-106023: Deny tcp src outside:192.168.208.63/35746 dst inside:192.168.150.77/443 by access-group "OUTSIDE" [0x5063b82f, 0x0]
    Aug 29 2007 11:14:55: %ASA-4-106023: Deny tcp src outside:192.168.208.63/35746 dst inside:192.168.150.77/256 by access-group "OUTSIDE" [0x5063b82f, 0x0]
    Aug 29 2007 11:14:55: %ASA-4-106023: Deny tcp src outside:192.168.208.63/35746 dst inside:192.168.150.77/399 by access-group "OUTSIDE" [0x5063b82f, 0x0]
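An added example, not from the slides: Python that normalises the IOS %SEC-6-IPACCESSLOGP and ASA %ASA-4-106023 deny events above into one record shape and aggregates the distinct denied destination ports per source/destination pair, a simple indicator of the port-scanning probe phase. The log lines are the slide's own, plus one constructed "permitted" line to show that non-deny entries are skipped.

```python
import re
from collections import defaultdict

# Sample events: the slide's IOS and ASA lines, plus one constructed 'permitted' line.
SAMPLE_LOG = """\
Aug 29 2007 15:58:12.181 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55618) (GigabitEthernet0/0 0014.5e6a.5ba6) -> 192.168.150.77(1024), 1 packet
Aug 29 2007 15:58:14.445 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55619) (GigabitEthernet0/0 0014.5e6a.5ba6) -> 192.168.150.77(1024), 1 packet
Aug 29 2007 15:58:24.429 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55621) -> 192.168.150.77(139), 1 packet
Aug 29 2007 15:58:27.373 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55622) -> 192.168.150.77(139), 1 packet
Aug 29 2007 11:14:55: %ASA-4-106023: Deny tcp src outside:192.168.208.63/35746 dst inside:192.168.150.77/389 by access-group "OUTSIDE" [0x5063b82f, 0x0]
Aug 29 2007 11:14:55: %ASA-4-106023: Deny tcp src outside:192.168.208.63/35746 dst inside:192.168.150.77/443 by access-group "OUTSIDE" [0x5063b82f, 0x0]
Aug 29 2007 11:14:55: %ASA-4-106023: Deny tcp src outside:192.168.208.63/35746 dst inside:192.168.150.77/256 by access-group "OUTSIDE" [0x5063b82f, 0x0]
Aug 29 2007 11:14:55: %ASA-4-106023: Deny tcp src outside:192.168.208.63/35746 dst inside:192.168.150.77/399 by access-group "OUTSIDE" [0x5063b82f, 0x0]
Aug 29 2007 15:59:01.000 CDT: %SEC-6-IPACCESSLOGP: list 185 permitted tcp 10.1.1.1(4000) -> 192.168.150.77(80), 1 packet
"""

# IOS: the "(interface mac)" group is only present when the ACE uses log-input.
IOS_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\)"
    r"(?: \((?P<in_if>\S+) (?P<src_mac>\S+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)
# ASA 106023: one line per denied packet, with the ACL name and its hash values.
ASA_RE = re.compile(
    r"%ASA-4-106023: Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src>\d+\.\d+\.\d+\.\d+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+) "
    r'by access-group "(?P<acl>[^"]+)" \[(?P<hash1>0x[0-9a-f]+), (?P<hash2>0x[0-9a-f]+)\]'
)


def parse_line(line):
    """Normalise one IOS or ASA ACL deny line to a dict; None for anything else
    (including IOS 'permitted' entries, which are not denies)."""
    m = IOS_RE.search(line)
    if m:
        d = m.groupdict()
        if d["action"] != "denied":
            return None
        return {"platform": "ios", "acl": d["acl"], "proto": d["proto"], "src": d["src"],
                "sport": int(d["sport"]), "dst": d["dst"], "dport": int(d["dport"]),
                "count": int(d["count"]), "in_if": d["in_if"]}
    m = ASA_RE.search(line)
    if m:
        d = m.groupdict()
        return {"platform": "asa", "acl": d["acl"], "proto": d["proto"], "src": d["src"],
                "sport": int(d["sport"]), "dst": d["dst"], "dport": int(d["dport"]),
                "count": 1, "in_if": d["src_if"]}
    return None


def deny_summary(log_text):
    """Group denies by (src, dst): distinct destination ports, packet total, ACLs."""
    summary = defaultdict(lambda: {"ports": set(), "packets": 0, "acls": set()})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            entry = summary[(ev["src"], ev["dst"])]
            entry["ports"].add(ev["dport"])
            entry["packets"] += ev["count"]
            entry["acls"].add(ev["acl"])
    return dict(summary)


def suspected_port_sweeps(summary, min_ports=5):
    """Sources denied to at least min_ports distinct ports on one destination."""
    return sorted((src, dst, sorted(v["ports"])) for (src, dst), v in summary.items()
                  if len(v["ports"]) >= min_ports)


if __name__ == "__main__":
    summary = deny_summary(SAMPLE_LOG)
    for (src, dst), v in summary.items():
        print(f"{src} -> {dst}: {v['packets']} packets, ports {sorted(v['ports'])}, ACLs {sorted(v['acls'])}")
    print("suspected sweeps:", suspected_port_sweeps(summary))
```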


ACL Logging
ACL keyword log for Cisco IOS and Cisco ASA, FWSM and PIX
ACL keyword log-input for Cisco IOS
ip access-list log-update threshold threshold-in-msgs
logging rate-limit message-rate for Cisco IOS

Understanding Access Control List Logging
http://www.cisco.com/web/about/security/intelligence/acl-logging.html

Identifying Incidents Using Firewall and Cisco IOS Router Syslog Events
http://www.cisco.com/web/about/security/intelligence/identify-incidents-via-syslog.html


NetFlow: Scalability
Packet capture is like a wiretap; NetFlow is like a phone bill. This level of granularity allows NetFlow to scale for very large amounts of traffic.
We can learn a lot from studying the phone bill! Who’s talking to whom, over what protocols and ports, for how long, at what speed, for what duration, etc.
NetFlow is a form of telemetry pushed from the routers/switches; each one can be a sensor.


What Constitutes a Flow?
1. Inspect a packet’s seven key fields and identify the values
2. If the set of key field values is unique, create a new flow record or cache entry
3. When the flow terminates, export the flow to the collection/analysis system
(Figure: packet key fields -> NetFlow cache -> NetFlow export packets -> reporting/collection system)

NetFlow Records and Key Fields
NetFlow maintains per-’conversation’ flow data in Flow Records in a cache on a NetFlow-enabled device, and optionally exports that flow data to a collection/analysis system. It is a form of network telemetry which describes traffic conversations headed to/passing through a router.
Key Fields: key field values define a Flow Record. A key field is an attribute in the packet used to create a Flow Record; if the set of key field values is unique, a new flow is created.
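The three cache steps and the key-field rule on these two slides, as an added Python model (not Cisco code): a flow cache keyed on the seven key fields that creates, updates and exports records, followed by a relational check over the exported records for one source sweeping many ports of one host, the kind of probe seen later in the MS-RPC-DNS case study. The timeouts, the packet dicts and the sample traffic are constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass

# The seven NetFlow key fields from the "What Constitutes a Flow?" slide.
KEY_FIELDS = ("src_ip", "dst_ip", "src_port", "dst_port", "proto", "tos", "in_if")
TCP = 6
SYN, FIN, RST = 0x02, 0x01, 0x04


@dataclass
class FlowRecord:
    """One cache entry: the key-field values plus the counters NetFlow keeps."""
    key: tuple
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0


class FlowCache:
    """Toy model of the on-box cache. A packet whose key-field values are new
    creates a record (step 2); a matching packet updates the record; records are
    exported when the flow terminates or a timeout expires (step 3). Timeouts
    are assumed values, not the defaults of any particular platform."""

    def __init__(self, inactive_timeout=15.0, active_timeout=1800.0):
        self.inactive_timeout = inactive_timeout
        self.active_timeout = active_timeout
        self.cache = {}        # key tuple -> FlowRecord
        self.exported = []     # records handed to the collector

    def observe(self, pkt):
        """Step 1: read the key fields of one packet (a dict) and update the cache."""
        now = pkt["ts"]
        self.expire(now)
        key = tuple(pkt[f] for f in KEY_FIELDS)
        rec = self.cache.get(key)
        if rec is None:
            rec = FlowRecord(key, now, now)
            self.cache[key] = rec
        rec.last_seen = now
        rec.packets += 1
        rec.octets += pkt["length"]
        rec.tcp_flags |= pkt.get("flags", 0)
        # A TCP FIN or RST ends the conversation, so the record is exported at once.
        if pkt["proto"] == TCP and rec.tcp_flags & (FIN | RST):
            self.exported.append(self.cache.pop(key))

    def expire(self, now):
        """Export records that went idle or have lived past the active timeout."""
        for key, rec in list(self.cache.items()):
            if (now - rec.last_seen > self.inactive_timeout
                    or now - rec.first_seen > self.active_timeout):
                self.exported.append(self.cache.pop(key))

    def flush(self):
        """Export everything left in the cache and return all exported records."""
        self.exported.extend(self.cache.values())
        self.cache.clear()
        return self.exported


def port_sweep_sources(records, min_ports=10):
    """Relational anomaly check over exported records: a source that opened
    single-packet SYN-only flows to many distinct TCP ports of one host."""
    ports = defaultdict(set)
    for rec in records:
        src_ip, dst_ip, _, dst_port, proto, _, _ = rec.key
        if proto == TCP and rec.packets == 1 and rec.tcp_flags == SYN:
            ports[(src_ip, dst_ip)].add(dst_port)
    return sorted((src, dst, len(p)) for (src, dst), p in ports.items()
                  if len(p) >= min_ports)


def sample_packets():
    """Constructed traffic: one benign HTTP conversation plus a SYN sweep of
    TCP/1025-1040 like the high-port probe in the MS-RPC-DNS case study."""
    pkts = []
    for i, flags in enumerate((SYN, 0, FIN)):
        pkts.append(dict(ts=1.0 + i, src_ip="192.168.150.60", dst_ip="10.89.245.149",
                         src_port=6697, dst_port=80, proto=TCP, tos=0, in_if="Gi0/1",
                         length=500, flags=flags))
    for i, port in enumerate(range(1025, 1041)):
        pkts.append(dict(ts=2.0 + 0.01 * i, src_ip="192.168.208.63", dst_ip="192.168.2.1",
                         src_port=35565 + i, dst_port=port, proto=TCP, tos=0, in_if="Gi0/0",
                         length=60, flags=SYN))
    return sorted(pkts, key=lambda p: p["ts"])


def run_demo():
    """Feed the sample packets through the cache; return records and sweep findings."""
    cache = FlowCache()
    for pkt in sample_packets():
        cache.observe(pkt)
    records = cache.flush()
    return records, port_sweep_sources(records)


if __name__ == "__main__":
    records, sweeps = run_demo()
    for rec in records:
        print(rec.key, "pkts=%d octets=%d" % (rec.packets, rec.octets))
    print("port sweep sources:", sweeps)
```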


NetFlow CLI Output
Router#show ip cache flow
IP packet size distribution (126502449 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .009 .622 .036 .007 .008 .008 .004 .012 .000 .000 .004 .001 .002 .002 .007
------------------------- Output Truncated -------------------------
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet    11403610      2.6         1    49      3.0       0.0       1.5
TCP-FTP           6769      0.0         8    53      0.0       6.0       7.7
TCP-FTPD           665      0.0      3334   889      0.5      54.0       0.4
TCP-WWW         163728      0.0        13   750      0.5       4.2       9.2
TCP-SMTP             8      0.0         1    46      0.0       0.0      10.2
TCP-X              727      0.0         1    40      0.0       0.0       1.4
TCP-BGP              9      0.0         1    45      0.0       0.0      10.5
TCP-NNTP             8      0.0         1    46      0.0       0.0      10.0
TCP-Frag         70399      0.0         1   688      0.0       0.0      22.7
TCP-other     49098543     11.4         2   263     23.7       0.0       1.4
UDP-DNS         874082      0.2         1    58      0.2       0.0      15.4
UDP-NTP        1127350      0.2         1    76      0.2       0.6      15.5
UDP-TFTP             6      0.0         3    63      0.0      11.0      19.5
UDP-other       996247      0.2         1   164      0.4       0.3      16.7
ICMP            262111      0.0         8    47      0.5      13.4      21.2
IPv6INIP            15      0.0         1  1132      0.0       0.0      15.4
GRE                694      0.0         1    50      0.0       0.0      15.4
IP-other             2      0.0         2    20      0.0       0.1      15.7
Total:        64004973     14.9         1   251     29.4       0.1       2.2

SrcIf   SrcIPaddress     DstIf    DstIPaddress     Pr  SrcP  DstP  Pkts
Gi0/0   172.18.109.132   Gi0/1*   192.168.150.60   06  1A29  835D  2
Gi0/0   172.18.109.132   Gi0/1    192.168.150.60   06  1A29  835D  2
Gi0/1   192.168.132.44   Gi0/0*   10.89.245.149    11  007B  007B  1

NetFlow Deployment Considerations
NetFlow should typically be enabled on all router interfaces where possible; it is useful for on-box troubleshooting via the CLI as well as for export to analysis systems
Ingress and egress NetFlow are now supported. Analysis systems typically must be configured to understand which is in use, for purposes of directionality
1:1 NetFlow is useful for troubleshooting, forensics, traffic analysis, and behavioral/relational anomaly detection
Sampled NetFlow is useful for traffic analysis and behavioral/relational anomaly detection. Sampling is typically used in high-volume traffic situations where 1:1 NetFlow Data Export (NDE) is impractical


Embedded Event Manager (EEM)
Allows instrumentation of the Cisco IOS device and reactive capabilities that can be useful in improving security
Available since Cisco IOS Software versions 12.0(26)S and 12.3(4)T

Cisco IOS Documentation
Embedded Event Manager 2.2
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t2/ht_eem.html

White Paper
Embedded Event Manager in a Security Context
http://www.cisco.com/web/about/security/intelligence/embedded-event-mgr.html

EEM Scripting Community
http://www.cisco.com/go/ciscobeyond

*Detailed information in BRKSEC-3007 Solving Security Challenges with Embedded Event Manager

EEM Example
Interface Input Queue Monitor
http://forums.cisco.com/eforum/servlet/EEM?page=eem&fn=script&scriptId=981

Cisco Applied Mitigation Bulletin: Identifying and Mitigating Exploitation of the IPv4 User Datagram Protocol Delivery Issue for IPv4/IPv6 Dual-Stack Routers
http://www.cisco.com/warp/public/707/cisco-amb-20080326IPv4IPv6.shtml

Example syslog message produced by the script:
%HA_EM-7-LOG: system:/lib/tcl/eem_scripts_registered/interface-input-q.tcl: Interface GigabitEthernet0/0 input queue full. Input queue: 4001/4000 (size/max)

CS-MARS Contextual Analysis Overview
Events: raw messages sent to CS-MARS by reporting devices; examples include syslog, SNMP, NetFlow, and IPS signatures
Sessions: correlated events
Incidents: sessions matched against rules that are indicative of malicious behavior
Rules are used to perform logic on events, which create sessions and possibly incidents


CS-MARS Rules
Over a specified time range, events are correlated to become incidents


CS-MARS Rules in Action
Events from the same source and destination IP addresses are correlated within a timeframe to become an incident


Intrusion Detection and Prevention Capabilities


Intrusion Detection and Prevention
Cisco Security Agent
Cisco IPS
CSA/IPS Collaboration


Preventing Endpoint Attacks Using CSA
All attacks perform certain behaviors for success; CSA allows you to defeat these actions using interceptors
0-day and targeted attacks may bypass or defeat other protection mechanisms that are deployed
0-day protection = the ability to stop malicious code without reconfiguration or update
Protects endpoints from being compromised when other protections may have failed
There is a limited number of “vectors” into a system; one or more of these behaviors must be used by all attacks
Stop the attack at one of these vectors and you prevent the whole attack (several opportunities exist, not just one)
Monitoring and controlling these behaviors prevents malicious activity

Preventing Execution
Cisco Security Agent (CSA) provides multiple interceptors for the detection and prevention of threats: Network, File System, Configuration, Execution Space
CSA is best utilized for preventing attacks targeting endpoint compromise. Do not forget about protection methods using your network.


Policy Rules Drive Interceptors
Security applications: Distributed Firewall, Host Intrusion Detection, Spyware and Malware Prevention, Network Worm Prevention, File Integrity Assurance, Wireless Policy Controls, Traffic Marking, IPS and NAC Integration
Interceptors: Network, File System, Configuration, Execution Space


Intrusion Protection for the Network
Detect malicious payloads, perform behavioral analysis, anomaly detection, policy adjustments, and rapid threat response
Inline protection or promiscuous mode
Automatic Threat Prevention with IPS 6.x denies packets whose Risk Rating value is in the range 90 – 100
Multivector protections at all points in the network, desktop, and server endpoints
Integration with Cisco CSA and Cisco Wireless Controller

Risk Rating Thresholds Drive Mitigation
  Event Severity (how urgent is the threat?)
+ Signature Fidelity (how prone to false positive?)
+ Attack Relevancy (is the attack relevant to the host being attacked?)
+ Asset Value of Target (how critical is this destination host?)
= Risk Rating, adjusted to a Threat Rating after response actions, which drives the mitigation policy
Result: a calibrated Risk Rating enables scalable management of sophisticated threat prevention technologies

Threat Rating
Post-policy evaluation of incident urgency

Threat Rating: dynamic adjustment of an event’s Risk Rating based on the success of the response action
If a response action was applied, the Risk Rating is deprecated (TR < RR)
If no response action was applied, the Risk Rating remains unchanged (TR = RR)

Attack 1: no action configured; Risk Rating = 85, Threat Rating = 85
Attack 2: action configured, attack mitigated; Risk Rating = 85, Threat Rating = 55

Benefit: prioritizes alerts for operator attention; the operator can focus incident response activities on those threats that have not been mitigated

Event Action Overrides
Global overrides for all IPS events:

ips6x# configure terminal
ips6x(config)# service event-action-rules rules0
ips6x(config-eve)# show settings
   -----------------------------------------------
   overrides (min: 0, max: 15, current: 3)
   -----------------------------------------------
      <protected entry>
      action-to-add: deny-packet-inline <defaulted>
      -----------------------------------------------
         override-item-status: Enabled <defaulted>
         risk-rating-range: 90-100 <defaulted>
      -----------------------------------------------
      action-to-add: produce-alert
      -----------------------------------------------
         override-item-status: Enabled <defaulted>
         risk-rating-range: 0-35 default: 0-100
      -----------------------------------------------
      action-to-add: produce-verbose-alert
      -----------------------------------------------
         override-item-status: Enabled <defaulted>
         risk-rating-range: 35-90 default: 0-100
      -----------------------------------------------

Slide callouts: deny-packet-inline at 90-100 is Automatic Threat Prevention (IPS 6.x); produce-alert writes an evIdsAlert to the EventStore; produce-verbose-alert writes the evIdsAlert to the EventStore with the triggerPacket.
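A Python model, added here and not Cisco’s implementation, of the Risk Rating, Threat Rating and Event Action Overrides slides above: the overrides table from the show settings output adds actions by risk-rating range, the threat rating drops below the risk rating only when a response action was actually applied, and alerts are queued with unmitigated threats first. The per-action deductions are an assumption of this example; 35 for deny-packet-inline reproduces the RR 85 / TR 50 alert shown on the IPS signature 5858 slide of the case study.

```python
from dataclasses import dataclass, field

# The three global overrides from the "show settings" output above: an action is
# added to every event whose risk rating falls inside the (inclusive) range.
DEFAULT_OVERRIDES = (
    ("deny-packet-inline", 90, 100),    # Automatic Threat Prevention (IPS 6.x)
    ("produce-alert", 0, 35),           # evIdsAlert to the EventStore
    ("produce-verbose-alert", 35, 90),  # evIdsAlert with the triggerPacket
)

# Response actions, i.e. those that block or reset traffic, and how much each one
# lowers the threat rating. The slides only state TR < RR when a response action
# was applied; the numbers are an ASSUMPTION of this example (35 for
# deny-packet-inline reproduces the RR 85 / TR 50 alert on the signature 5858 slide).
RESPONSE_ACTION_DEDUCTION = {
    "deny-packet-inline": 35,
    "deny-attacker-inline": 45,
    "request-block-host": 20,
    "reset-tcp-connection": 20,
}


@dataclass
class Event:
    sig_id: int
    attacker: str
    risk_rating: int
    actions: set = field(default_factory=set)   # actions from the signature itself
    inline: bool = True                          # deny-*-inline needs inline mode


def apply_overrides(event, overrides=DEFAULT_OVERRIDES):
    """Add every override action whose risk-rating range contains the event's RR."""
    for action, low, high in overrides:
        if low <= event.risk_rating <= high:
            event.actions.add(action)
    return event


def threat_rating(event):
    """TR equals RR unless a response action was actually applied; then RR is
    lowered by the deduction of the strongest applied action. An inline deny
    configured on a promiscuous sensor is not applied, so TR stays at RR."""
    applied = [a for a in event.actions
               if a in RESPONSE_ACTION_DEDUCTION
               and (event.inline or not a.endswith("-inline"))]
    if not applied:
        return event.risk_rating
    return max(0, event.risk_rating - max(RESPONSE_ACTION_DEDUCTION[a] for a in applied))


def triage(events):
    """Operator queue as the Benefit bullet describes it: highest threat rating,
    i.e. the threats that were not mitigated, first."""
    return sorted(((threat_rating(e), e) for e in events),
                  key=lambda pair: (-pair[0], pair[1].sig_id))


if __name__ == "__main__":
    unmitigated = apply_overrides(Event(5858, "192.168.6.66", 85))
    mitigated = apply_overrides(Event(5858, "192.168.6.66", 85, {"deny-packet-inline"}))
    auto_denied = apply_overrides(Event(3002, "192.168.1.111", 92))
    for tr, ev in triage([unmitigated, mitigated, auto_denied]):
        print(ev.sig_id, ev.attacker, "RR", ev.risk_rating, "TR", tr, sorted(ev.actions))
```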


Reactions in Depth
Deny: performed by the device inspecting the flows; quick and effective for all protocols
Shun: performed by an auxiliary device; mitigates closer to the miscreant; the potential DoS vector is preventable using never-block lists or event action filters; some time latency
TCP RST: performed for connection-based traffic streams; limited protocol coverage, and adds RST packets to the network


IPS/CSA Collaboration Benefits
The IPS can automatically get endpoint posture information to use in calculating the threat rating, making detection more accurate
Undisclosed or encrypted exploits not identified by the IPS are likely detected by CSA
CSA-MC can correlate data and create automated watch lists, which can be forwarded to the IPS to automatically adjust the threat rating for events seen from addresses that are part of the watch list


Automation CSA/IPS Collaboration
(Screenshots: CSA MC configuration and IPS configuration)


Network IPS and Cisco Security Agent Collaboration
Enhanced contextual analysis of the endpoint
Ability to use CSA inputs to influence IPS actions
Correlation of information contained in the CSA watch list
Host quarantining
(Diagram: the CSA Management Console sends its watch list entry 192.168.1.111 to the IPS; the IPS elevates the Risk Rating and denies 192.168.1.111 toward the service provider)


Automation CSA/IPS Collaboration
evIdsAlert: eventId=1166774738236276775 vendor=Cisco severity=low
  originator:
    hostId: ips6x
    appName: sensorApp
    appInstanceId: 388
  time: May 17, 2007 8:33:28 PM UTC offset=-300 timeZone=CDT
  signature: description=TCP SYN Port Sweep id=3002 version=S2
    subsigId: 0
    marsCategory: Probe/PortSweep/Non-stealth
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: 192.168.1.111 locality=OUT
      port: 55852
    target:
      addr: 192.168.2.222 locality=OUT
      port: 663
      port: 33
      port: 231
      port: 564
      port: 838
      os: idSource=imported type=windows relevance=relevant
  triggerPacket: <truncated>
  riskRatingValue: 77 targetValueRating=medium attackRelevanceRating=relevant watchlist=25
  threatRatingValue: 77
  interface: ge0_0
  protocol: tcp
Slide callout: Threat Rating increased due to the watch list (the watchlist=25 term in the riskRatingValue line)

Case Study: MS-RPC-DNS (CVE-2007-1748)


Microsoft RPC DNS 0-Day (CVE-2007-1748)
Anatomy of this attack against the victim, by phase:
1. Probe: query the RPC Endpoint Mapper on TCP/135 for vulnerable ports, or scan TCP/1024-5000; guess user accounts on TCP/139 and 445
2. Penetrate: deliver the buffer overflow over ports TCP/139, TCP/445, UDP/445 or TCP/1024-5000
3. Persist [exploit dependent] and 4. Propagate [exploit dependent], as seen with W32/Nirbot.worm!83E1220A: download and copy malicious code to C:\U.exe, create back door access, connect to Command and Control on TCP port 8080
5. Paralyze: exploit specific


Mitigating the Vulnerability
ACLs: mitigation at the L3 boundary where deployed; VLAN maps and Port ACLs for L2 access control if needed. If the application is required, ACLs provide no value against those allowed access.
IPS Signatures: understand the application/vulnerability better when the application is required or ACLs do not suffice; provides no mitigation unless directed to do so.
Endpoint CSA or patch: prevents exploitation.

Mitigation: Cisco IOS ACL (Modularized)
ip access-list extended ACCESS-LIST
 200 deny ip 127.0.0.0 0.255.255.255 any                   !-- Deny Loopback netblock (src)
 210 deny ip any 127.0.0.0 0.255.255.255                   !-- Deny Loopback netblock (dst)
 220 deny ip 192.0.2.0 0.0.0.255 any                       !-- Deny Test-Net netblock (src)
 230 deny ip any 192.0.2.0 0.0.0.255                       !-- Deny Test-Net netblock (dst)
 240 deny ip 169.254.0.0 0.0.255.255 any                   !-- Deny Link Local netblock (src)
 250 deny ip any 169.254.0.0 0.0.255.255                   !-- Deny Link Local netblock (dst)
 !-- ----- MS RPC 0-day ACEs -----
 500 deny tcp any 192.168.100.0 0.0.0.255 eq 135           !-- MS RPC Endpoint Mapper
 510 deny tcp any 192.168.100.0 0.0.0.255 eq 139           !-- NetBIOS Session Service
 520 deny tcp any 192.168.100.0 0.0.0.255 eq 445           !-- Microsoft DS, and Zotob SMB vulns
 530 deny udp any 192.168.100.0 0.0.0.255 eq 445           !-- Microsoft DS, and Zotob SMB vulns
 540 deny udp any 192.168.100.0 0.0.0.255 eq 1025          !-- MS RPC and LSA exploit traffic, and RinBot scanning for hosts that are vulnerable
 550 deny tcp any 192.168.100.0 0.0.0.255 range 1024 5000  !-- MS RPC DNS 0-day scans
 560 deny tcp any any eq 4444                              !-- Metasploit Reverse Shell
 570 deny udp any any eq 1434                              !-- MS SQL, Sapphire/Slammer Worm
 580 deny tcp any any range 6660 6669                      !-- IRC traffic
 590 deny tcp any any eq 7000                              !-- IRC traffic

Mitigation: FW ACL (Modularized)
Firewall# show access-list tACL
access-list tACL line 1 deny ip host 127.0.0.0 any
access-list tACL line 2 deny ip 192.0.2.0 255.255.255.0 any
access-list tACL line 3 deny ip any 192.0.2.0 255.255.255.0
--------- Output Truncated ---------
access-list tACL line 10 deny icmp any 192.168.100.0 255.255.255.0 echo
--------- Output Truncated ---------
access-list tACL line 19 permit tcp any host 192.168.100.10 eq www
access-list tACL line 20 permit tcp any host 192.168.100.10 eq https
--------- Output Truncated ---------
access-list tACL line 35 deny ip any any

MS RPC 0-day ACEs, each entered with the line keyword so that it is inserted ahead of the permit entries:
access-list tACL line 19 deny tcp any 192.168.100.0 255.255.255.0 eq 135
access-list tACL line 19 deny tcp any 192.168.100.0 255.255.255.0 eq netbios-ssn
access-list tACL line 19 deny tcp any 192.168.100.0 255.255.255.0 eq 445
access-list tACL line 19 deny udp any 192.168.100.0 255.255.255.0 eq 445
access-list tACL line 19 deny udp any 192.168.100.0 255.255.255.0 eq 1025
access-list tACL line 19 deny tcp any 192.168.100.0 255.255.255.0 range 1024 5000


Mitigation: IPS Signature 5858
ips6x#show events alert | include id=5858
------------ Output Truncated ------------
  signature: description=DNS Server RPC Interface Buffer Overflow id=5858 version=S282
    subsigId: 0
    sigDetails: DNS Server RPC Interface Buffer Overflow
    marsCategory: Penetrate/BufferOverflow/RPC
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: locality=OUT 192.168.6.66
      port: 1063
    target:
      addr: locality=IN 192.168.1.11
      port: 1032
      os: idSource=learned type=windows-nt-2k-xp relevance=relevant
  actions:
    deniedPacket: true
  riskRatingValue: 85 targetValueRating=medium attackRelevanceRating=relevant
  threatRatingValue: 50
  interface: ge0_0
  protocol: tcp
Slide callouts: signature description and ID (signature line); OS identification/relevancy (target os line); Risk Rating, action and Threat Rating (the packet was denied, so the Threat Rating of 50 is below the Risk Rating of 85)

Mitigation: CSA
Security application interceptors prevent code execution in many cases
CSA must be in Protect mode to prevent


Identification: ACL Counters
Firewall ACL counters:
Firewall# show access-list tACL
-------- Output Truncated --------
access-list tACL line 19 deny tcp any 192.168.100.0 255.255.255.0 eq 135 (hitcnt=3)
access-list tACL line 20 deny tcp any 192.168.100.0 255.255.255.0 eq netbios-ssn (hitcnt=0)
access-list tACL line 21 deny tcp any 192.168.100.0 255.255.255.0 eq 445 (hitcnt=10)
access-list tACL line 22 deny tcp any 192.168.100.0 255.255.255.0 range 1024 5000 (hitcnt=106)

Router ACL counters:
Router#show access-lists ACCESS-LIST
Extended IP access list ACCESS-LIST
-------- Output Truncated --------
    500 deny tcp any 192.168.100.0 0.0.0.255 eq 135 (4 matches)
    510 deny tcp any 192.168.100.0 0.0.0.255 eq 139
    520 deny tcp any 192.168.100.0 0.0.0.255 eq 445
    530 deny udp any 192.168.100.0 0.0.0.255 eq 445
    540 deny tcp any 192.168.100.0 0.0.0.255 range 1024 5000 (96 matches)


Identification: Firewall Syslog Events
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35565 to 192.168.2.1/1025 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35566 to 192.168.2.1/1026 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35567 to 192.168.2.1/1027 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35568 to 192.168.2.1/1028 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35569 to 192.168.2.1/1029 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35570 to 192.168.2.1/1030 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35571 to 192.168.2.1/1031 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35572 to 192.168.2.1/1032 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35573 to 192.168.2.1/1033 flags SYN on interface outside
May 16 2007 15:08:49: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35574 to 192.168.2.1/1033 flags SYN on interface outside
May 16 2007 15:08:49: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35575 to 192.168.2.1/1032 flags SYN on interface outside
May 16 2007 15:08:49: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35576 to 192.168.2.1/1031 flags SYN on interface outside
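The deny messages on the Syslog slide earlier in this section (IOS %SEC-6-IPACCESSLOGP and ASA %ASA-4-106023) and the %ASA-2-106001 events above share enough structure to be normalised by one parser. This added Python example, not from the deck, does that and groups the denies per source and destination so that a sequential high-port sweep like the one above stands out; the sample log lines are constructed after the slides’ messages and the regex group names are this example’s own.

```python
import re
from collections import defaultdict

# Patterns for the three deny messages shown in the deck: IOS %SEC-6-IPACCESSLOGP,
# ASA %ASA-4-106023 (denied by an access-group) and %ASA-2-106001 (inbound
# connection denied). Group names are this example's own.
PATTERNS = {
    "ios-acl": re.compile(
        r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
        r"(?P<src>[\d.]+)\((?P<sport>\d+)\)(?: \([^)]*\))? -> "
        r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"),
    "asa-106023": re.compile(
        r"%ASA-4-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
        r'dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'),
    "asa-106001": re.compile(
        r"%ASA-2-106001: Inbound (?P<proto>\w+) connection denied "
        r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
        r"flags (?P<flags>.+?) on interface (?P<iface>\w+)"),
}


def parse_deny(line):
    """Normalise one syslog line into a dict, or return None if it is not a deny."""
    for kind, pat in PATTERNS.items():
        m = pat.search(line)
        if m:
            d = m.groupdict()
            return {
                "kind": kind,
                "time": line.split(": %", 1)[0],      # device timestamp prefix
                "proto": d["proto"].lower(),
                "src": d["src"], "sport": int(d["sport"]),
                "dst": d["dst"], "dport": int(d["dport"]),
                "acl": d.get("acl"),                   # 106001 carries no ACL name
                "packets": int(d.get("count") or 1),   # IOS counts, ASA logs per packet
            }
    return None


def summarize(lines):
    """Group denies by (source, destination): distinct destination ports hit,
    packets denied, and which ACL or message type reported them."""
    summary = defaultdict(lambda: {"ports": set(), "packets": 0, "reported_by": set()})
    for line in lines:
        ev = parse_deny(line)
        if ev is None:
            continue
        entry = summary[(ev["src"], ev["dst"])]
        entry["ports"].add(ev["dport"])
        entry["packets"] += ev["packets"]
        entry["reported_by"].add(ev["acl"] or ev["kind"])
    return summary


def suspected_scans(summary, min_ports=4):
    """One source denied on many distinct ports of one host looks like a sweep
    (the TCP/1024-5000 probe of the case study); return those pairs with the ports."""
    return sorted((src, dst, sorted(e["ports"]))
                  for (src, dst), e in summary.items() if len(e["ports"]) >= min_ports)


# Constructed sample, modelled on the messages shown on the slides; the last
# line is unrelated noise that the parser must ignore.
SAMPLE_LOG = """\
Aug 29 2007 15:58:12.181 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55618) (GigabitEthernet0/0 0014.5e6a.5ba6) -> 192.168.150.77(1024), 1 packet
Aug 29 2007 15:58:24.429 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55621) -> 192.168.150.77(139), 1 packet
Aug 29 2007 11:14:55: %ASA-4-106023: Deny tcp src outside:192.168.208.63/35746 dst inside:192.168.150.77/389 by access-group "OUTSIDE" [0x5063b82f, 0x0]
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35565 to 192.168.2.1/1025 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35566 to 192.168.2.1/1026 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35567 to 192.168.2.1/1027 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35568 to 192.168.2.1/1028 flags SYN on interface outside
Aug 29 2007 15:59:01 CDT: %SYS-5-CONFIG_I: Configured from console by vty0
"""


def run_demo(log_text=SAMPLE_LOG):
    """Parse the log text and return (summary, suspected scans)."""
    summary = summarize(log_text.splitlines())
    return summary, suspected_scans(summary)


if __name__ == "__main__":
    summary, scans = run_demo()
    for (src, dst), e in sorted(summary.items()):
        print(src, "->", dst, "ports", sorted(e["ports"]), "packets", e["packets"])
    print("suspected scans:", scans)
```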


Identification: IPS
Signature ID   Description                                Attack Phase
5858/0-4       DNS Server RPC Interface Buffer Overflow   Detect Vulnerability
3010/0         TCP High Port Sweep                        Detect TCP High Port Probe [Probe]
5606/0         SMB Authorization Failure                  Detect SMB Authentication Attempts [Probe]
5576/0         SMB Login Successful with Guest            SMB Authentication [Probe]
5577/0         SMB Null Login Attempt                     SMB Authentication [Probe]
12674/0        Non-HTTP Traffic                           Command and Control Bot Access [Persist and Propagate]


The Exploits
W32/Nirbot.worm!83E1220A
Downloads the worm on a random HTTP server port
Connects via IRC over port 8080
IRC servers include: {blocked}.rofflewaffles.us, {blocked}.anti-viral.us, {blocked}.wayne.brady.gonna.have.to.{blocked}.us

Exploits are sort of like chasing your tail, but there are several patterns we can catch (this time) or ways in which these can be mitigated


Exploit Specific
Restricting outbound policy to a few good ports (80, 443, 53, 25, 21) will prevent IRC over 8080
Web filtering or using a proxy may prevent download of the worm over HTTP
ACL for blacklisting IRC C&C servers
DNS blackholing for C&C servers (DNS resolution to 127.0.0.1)
Firewall application inspection on port 8080
Search transit device logs or NetFlow for IRC servers and C&C servers

Exploit Specific: ASA HTTP Inspection
!
access-list web-ports extended permit tcp any any eq 80
access-list web-ports extended permit tcp any any eq 8080
!
class-map webports
 match access-list web-ports
!
policy-map type inspect http http-policy
 parameters
  protocol-violation action drop-connection
!
policy-map global_policy
 class webports
  inspect http http-policy
!
service-policy global_policy global
!


References
Microsoft Security Advisory (935964), Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/935964.mspx

Cisco Applied Mitigation Bulletin: Identifying and Mitigating Exploitation of the Microsoft Security Advisory (935964) Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution
http://www.cisco.com/warp/public/707/cisco-amb-20070413-ms-rpc-dns.shtml

Nirbot’s Latest Move: MS DNS Exploits [Arbor]
http://asert.arbornetworks.com/2007/04/nirbots-latest-move-ms-dns-exploits/


References (cont…)
W32.Rinbot.BC [Symantec]
http://www.symantec.com/security_response/writeup.jsp?docid=2007041701-3720-99&tabid=2

New Rinbot Scanning for Port 1025 DNS/RPC [SANS]
http://www.isc.sans.org/diary.html?storyid=2643

W32/Delbot-AI [Sophos]
http://www.sophos.com/security/analyses/viruses-and-spyware/w32delbotai.html

W32/Nirbot.worm!83E1220A [McAfee]
http://vil.nai.com/vil/content/v_142025.htm


Case Study 2: MS08-001


Vulnerabilities
Windows Kernel TCP/IP IGMPv3 and MLDv2 Vulnerability – CVE-2007-0069
Remote Code Execution or Denial of Service utilizing crafted packets over IGMPv3/IPv4 (Windows XP, Windows Vista, Windows Server 2003) or MLDv2/IPv6 (Windows Vista)

Windows Kernel TCP/IP ICMP Vulnerability – CVE-2007-0066
Denial of Service utilizing fragmented ICMP router advertisement packet

Microsoft Security Bulletin MS08-001: Critical Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (941644)
http://www.microsoft.com/technet/security/bulletin/MS08-001.mspx

IGMPv3/MLDv2
RFCs: IGMPv3/RFC 3376, IGMPv2/RFC 2236, IGMPv1/RFC 1112, MLDv2/RFC 3810, MLDv1/RFC 2710
Both protocols provide essentially the same multicast functionality
Not much information in the initial advisory; however, a miscreant could potentially get in the ballpark by looking at what features have been added between protocol versions
Routers will not forward multicast unless configured to do so, but will forward LSRR and SSRR packets unless disabled
A working exploit could potentially own or DoS all hosts that are part of a multicast group on a local network; encapsulation or social engineering could be used to traverse Layer 3 boundaries

ICMP Type 9 (RFC 1256)
A host never sends Type 9 messages (if obeying the RFC)
Valid destination addresses are 224.0.0.1, 224.0.0.2 and 255.255.255.255
Therefore this is all link local; Layer 3 controls provide little benefit except in possible corner cases. Preventing hosts from sending ICMP Type 9 messages at Layer 2 will mitigate the vulnerability
Since the vulnerability requires fragmentation, preventing fragmentation is an effective mitigation
A miscreant could potentially encapsulate this message in something else, such as loose source routing, to make the message appear as if it were from a router and to be able to perform the exploit from non-local networks

Mitigating the Vulnerability
Cisco IOS: ACLs (fragmentation filtering, protocol filtering, options filtering), Layer 2 preferred; features such as no ip source-route and ip options drop
IPS Signatures: 6224/0, 6755/0, and 2150/0 - Fragmented ICMP traffic (2150/0 is available via ip audit in ASA, FWSM, and PIX); provides no mitigation unless directed to do so
ASA/FWSM/PIX: default handling of IP options (drop packets with options present); the fragment chain command
Endpoint: patch or host firewall


Mitigation: Cisco IOS Features and ACLs
Router(config)#no ip source-route
Router(config)#ip options drop
% Warning: RSVP and other protocols that use IP Options packets may not function as expected.
----------
Router(config)#ip access-list extended tACL
Router(config-ext-nacl)#deny ip any any fragments
Router(config-ext-nacl)#deny icmp any any router-solicitation
Router(config-ext-nacl)#deny ip any any option lsr
Router(config-ext-nacl)#deny ip any any option ssr


Mitigation: Cisco IOS VACL
!-- Create ACLs that match traffic. Action will be applied
!-- in VLAN map section.
!
ip access-list extended match-igmp-router
 permit igmp host 192.168.100.1 any
!
ip access-list extended match-icmp-router
 permit icmp host 192.168.100.1 any router-advertisement
!
ip access-list extended match-igmp-subnet
 permit igmp 192.168.100.0 0.0.0.255 any
!
ip access-list extended match-icmp-subnet
 permit icmp 192.168.100.0 0.0.0.255 any router-advertisement
!
ip access-list extended match-all-subnet
 permit ip any any
!


Mitigation: Cisco IOS VACL (cont…)
vlan access-map ms08-001 10            !-- Permit Router to Send IGMP Anywhere
 match ip address match-igmp-router
 action forward
vlan access-map ms08-001 20            !-- Permit Router Interface to Send ICMP Anywhere
 match ip address match-icmp-router
 action forward
vlan access-map ms08-001 30            !-- Drop IGMP for Rest of Subnet
 match ip address match-igmp-subnet
 action drop
vlan access-map ms08-001 40            !-- Drop ICMP Type 9
 match ip address match-icmp-subnet
 action drop
vlan access-map ms08-001 50            !-- Permit All Other Traffic
 match ip address match-all-subnet
 action forward
!
!-- Apply to VLAN 100
vlan filter ms08-001 vlan-list 100


Mitigation: ASA, FWSM, and PIX
!-- Fragment chain command can be used to prevent fragments from traversing
!-- through the firewall or specific interfaces
Firewall(config)#fragment chain 1 [interface_name]
(Effectively denies all fragments)

!-- Cisco PIX security appliances, Cisco ASA adaptive security appliances, and
!-- (FWSMs) will, by default, drop all source-routed packets received on any
!-- interface and create an informational-level (severity 6) syslog message
106012: Deny IP from 192.168.100.5 to 192.168.60.5, IP options: "Loose Src Routing"
106012: Deny IP from 192.168.100.5 to 192.168.60.5, IP options: "Strict Src Routing"

Additional Mitigation and Monitoring
Layer 2 anti-spoofing features such as IP Source Guard (IPSG) with DHCP Snooping, or Port Security
Check device configuration for allowing multicast

MS08-001 References
Microsoft Security Bulletin MS08-001: Critical Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (941644)
http://www.microsoft.com/technet/security/bulletin/MS08-001.mspx

MS08-001 (part 2) – The case of the Moderate ICMP mitigations
http://blogs.technet.com/swi/archive/2008/01/08/ms08-001-part-2-the-case-of-the-moderate-icmp-mitigations.aspx

MS08-001 (part 3) – The case of the IGMP network critical
http://blogs.technet.com/swi/archive/2008/01/08/ms08-001-part-3-the-case-of-the-igmp-network-critical.aspx

MS08-001 - The case of the Moderate, Important, and Critical network vulnerabilities
http://blogs.technet.com/swi/archive/2008/01/08/ms08-001-the-case-of-the-moderate-important-and-critical-network-vulnerabilities.aspx

MS08-001 - The case of the missing Windows Server 2003 attack vector
http://blogs.technet.com/swi/archive/2008/01/10/MS08_2D00_001-_2D00_-The-case-of-the-missing-Windows-Server-2003-attack-vector.aspx

MS08-001 References (cont…)
Cisco Applied Mitigation Bulletin: Microsoft Security Bulletin for January 2008
http://tools.cisco.com/security/center/viewAlert.x?alertId=14898

Cisco IntelliShield Vulnerability Alert ID 14854: Microsoft Windows Kernel IGMP and MLD Code Execution Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=14854

Cisco IntelliShield Vulnerability Alert ID 14853: Microsoft Windows Kernel ICMP Router Discovery Protocol Denial of Service Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=14853

Exploit for MS08-001 Demonstrated
http://blogs.pcmag.com/securitywatch/2008/01/exploit_for_ms08001_demonstrat.php

Case Study 3: Storm Class Malware, CME711

Storm Malware, CME711
Spam and social engineering convince the user to download an executable
Download malicious software to the end host

Figure: attack anatomy for Storm; stages 1-5 (Probe, Penetrate, Persist, Propagate, Paralyze) are marked "exploit dependent" or "exploit specific". Bot actions listed in the figure: spam, DDoS, update, download software, join P2P network, open a UDP port above 1024 on the local host.

Malware in Action: CME711
Figure: BotHerder, infected webserver (the web trap), and the victim host.
1. BotHerder updates malcode on the web trap
2. Initiates new spam pointing to the web trap
3. User reads the spam and clicks the link
4. User machine infected

Mitigating CME711
Figure: the same BotHerder, infected webserver, and victim path, with the three points at which it can be broken.
1. Break the initial exploitation vector
2. Break the infection vector
3. Break joining the botnet

Breaking the Bot
Initial vector through spam message
 Mitigation: user education and spam filtering

Host downloads malware from the webserver
 Mitigation: mitigate vulnerabilities on the host (patching and best practices); use AV or HIPS to prevent exploitation; web content filtering; DNS blackholing

Host opens a UDP port above 1024 and communicates with the P2P network (UDP 1024:65535 to UDP 1024:65535)
 Mitigation: ACLs/FPM; DNS; syslog analysis and NetFlow

Mitigation: ACLs
!-- Router
Router(config)# ip access-list extended tACL
!-- Deny UDP packets with source and destination ports in the range 1024 - 65535
Router(config-ext-nacl)# deny udp 192.168.2.0 0.0.0.255 range 1024 65535 any range 1024 65535

!-- Firewall configuration
Firewall(config)# access-list storm-udp extended deny udp 192.169.2.0 255.255.255.0 range 1024 65535 any range 1024 65535

What About FPM?
The P2P traffic is encrypted with a simple key; this works and is functional today, but it could change. Snort signatures from http://doc.emergingthreats.net/2007701:
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Storm Worm Encrypted Variant 1 Traffic (1)"; dsize:25; content:"|10 a6|"; depth:2; threshold: type both, count 2, seconds 60, track by_src; classtype:trojan-activity; sid:2007701; rev:3;)

alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Storm Worm Encrypted Variant 1 Traffic (2)"; dsize:25; content:"|10 a6 d4 c3|"; depth:4; threshold: type both, count 1, seconds 60, track by_src; classtype:trojan-activity; sid:2007701; rev:1;)

alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Storm Worm Encrypted Variant 1 Traffic (2)"; dsize:25; content:"|10 a0 d4 c3|"; depth:4; threshold: type both, count 1, seconds 60, track by_src; classtype:trojan-activity; sid:2007702; rev:1;)

Source: EmergingThreats.net

Mitigation: FPM for Encrypted Storm
!-- Load PHDFs for IP and UDP
load protocol disk0:ip.phdf
load protocol disk0:udp.phdf
!
!-- Match UDP over IP packets
class-map type stack match-all ip_udp_class
 description "match UDP over IP packets"
 match field ip protocol eq 17 next udp
!
!-- Match Storm, CME711 packets: UDP port 1024:65535, UDP header + payload length 33 bytes
!-- (8-byte header + 25-byte payload, the Snort dsize:25), and payload starting 0x10a6
class-map type access-control match-all encrypted_storm
 description "match encrypted storm, cme711 packets"
 match field udp dest-port range 1024 65535
 match field udp length eq 33
 match start udp payload-start offset 0 size 2 eq 0x10a6
!
!-- Drop worms and malicious attacks
policy-map type access-control fpm_udp_policy
 class encrypted_storm
  drop
  log
!
!-- Policy for UDP-based attacks
policy-map type access-control fpm_policy
 class ip_udp_class
  service-policy fpm_udp_policy
!
!-- Apply and enable the FPM policy
interface GigabitEthernet 0/1
 service-policy type access-control input fpm_policy
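The FPM class above and the Emerging Threats Snort rules on the previous slide test the same three things: a UDP destination port in 1024:65535, a UDP length of 33 (8-byte header plus the 25-byte payload Snort checks with dsize:25) and a payload that begins 0x10 0xa6. The Python below is an added example, not Cisco or Emerging Threats code: it applies those tests to raw UDP datagrams and adds the Snort rule's per-source threshold (type both, count 2, seconds 60), on datagrams constructed inline.

```python
import struct
from collections import defaultdict

# Match criteria shared by the FPM class map and the ET Snort rules.
STORM_PREFIX = b"\x10\xa6"       # match start udp payload-start offset 0 size 2 eq 0x10a6
STORM_UDP_LENGTH = 33            # match field udp length eq 33: 8-byte header + 25-byte payload
HIGH_PORTS = range(1024, 65536)  # match field udp dest-port range 1024 65535


def udp_datagram(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Build a raw UDP datagram (header + payload, checksum left at 0)."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def matches_encrypted_storm(datagram: bytes) -> bool:
    """True if a raw UDP datagram satisfies every FPM match clause above."""
    if len(datagram) < 8:
        return False
    _src, dst_port, udp_len, _cksum = struct.unpack("!HHHH", datagram[:8])
    return (
        dst_port in HIGH_PORTS
        and udp_len == STORM_UDP_LENGTH
        and len(datagram) == udp_len          # header length field must agree with bytes seen
        and datagram[8:10] == STORM_PREFIX
    )


class SourceThreshold:
    """Snort 'threshold: type both, count N, seconds S, track by_src': alert on the
    N-th matching packet from a source inside an S-second window, then stay quiet
    until the window expires."""

    def __init__(self, count: int = 2, seconds: float = 60.0):
        self.count, self.seconds = count, seconds
        self.windows = defaultdict(lambda: [None, 0])   # src -> [window_start, hits]

    def observe(self, src_ip: str, ts: float, datagram: bytes) -> bool:
        if not matches_encrypted_storm(datagram):
            return False
        win = self.windows[src_ip]
        if win[0] is None or ts - win[0] >= self.seconds:
            win[0], win[1] = ts, 0               # start a fresh window
        win[1] += 1
        return win[1] == self.count


def alerts_for(events, count: int = 2, seconds: float = 60.0):
    """Run the threshold over (src_ip, timestamp, datagram) events; return alerts."""
    thr = SourceThreshold(count, seconds)
    return [(src, ts) for src, ts, dg in events if thr.observe(src, ts, dg)]


# Constructed sample traffic (not captured data): 25-byte payload with the 0x10a6 prefix.
STORM_PAYLOAD = b"\x10\xa6\xd4\xc3" + b"\x00" * 21
SAMPLE_STORM = udp_datagram(7871, 11245, STORM_PAYLOAD)             # matches
SAMPLE_DNS_PORT = udp_datagram(7871, 53, STORM_PAYLOAD)             # dest port < 1024: no match
SAMPLE_LONG = udp_datagram(7871, 11245, STORM_PAYLOAD + b"\x00")    # UDP length 34: no match

SAMPLE_EVENTS = [
    ("192.168.2.10", 0.0, SAMPLE_STORM),
    ("192.168.2.10", 10.0, SAMPLE_STORM),       # 2nd hit within 60 s -> alert
    ("192.168.2.10", 20.0, SAMPLE_STORM),       # suppressed for the rest of the window
    ("192.168.2.11", 25.0, SAMPLE_DNS_PORT),    # not a match at all
    ("192.168.2.10", 70.0, SAMPLE_STORM),       # new window
    ("192.168.2.10", 75.0, SAMPLE_STORM),       # 2nd hit -> alert
]

if __name__ == "__main__":
    print(alerts_for(SAMPLE_EVENTS))   # [('192.168.2.10', 10.0), ('192.168.2.10', 75.0)]
```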

Mitigation: Deny Downloader via HTTP Inspection
regex exe_url ".*\.[Ee][Xx][Ee]"
!
!-- Create regex class map
class-map type regex match-any bad_urls
 match regex exe_url
!
class-map type inspect http match-any http-urls
 match request uri regex class bad_urls
!
class-map http-port
 match port tcp eq www
!
!-- Create policy map, actions set to drop and log
policy-map type inspect http http-policy
 parameters
  protocol-violation action drop-connection
 class http-urls
  drop-connection log
!
!-- Apply and enable the "EXE downloader" policy
policy-map global_policy
 class http-port
  inspect http http-policy
!
service-policy global_policy global

Mitigation: Deny Botnet Access via DNS Inspection
!-- Domains from http://www.disog.org/text/storm-fastflux.txt
regex bad_domain1 "tibeam\.com"
regex bad_domain2 "tushove\.com"
regex bad_domain3 "kqfloat\.com"
!
class-map type regex match-any bad_domains
 match regex bad_domain1
 match regex bad_domain2
 match regex bad_domain3
!
!-- Match DNS queries (QR flag clear) whose question names one of the bad domains
class-map type inspect dns bad_domain_query
 match not header-flag QR
 match question
 match domain-name regex class bad_domains
!
policy-map type inspect dns bad_domain_policy
 class bad_domain_query
  drop
  log
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map egress_policy
 class inspection_default
  inspect dns bad_domain_policy
!
service-policy egress_policy interface inside
!

Identification
NetFlow or syslog showing communication UDP 1024:65535 to UDP 1024:65535
NetFlow changes in behaviour during spamming or DDoS
IPS signatures 5894/0 and 5894/1
ACL counters
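The two NetFlow indicators above, as an added example that is not part of the original deck: over constructed NetFlow-style records it flags internal hosts with UDP high-port-to-high-port flows to many distinct external peers (the P2P channel), and hosts whose SMTP fan-out jumps (the behaviour change during spamming). The internal range 192.168.0.0/16 and the peer thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("192.168.0.0/16")   # assumed internal range

# Constructed NetFlow-style records, not real export data:
# proto,src,srcport,dst,dstport,packets
SAMPLE_FLOWS = """\
udp,192.168.2.10,7871,203.0.113.5,11245,4
udp,192.168.2.10,7871,198.51.100.9,22010,3
udp,192.168.2.10,7871,203.0.113.77,40911,2
udp,192.168.2.10,7871,198.51.100.200,1025,5
udp,192.168.2.10,7871,192.0.2.14,65000,1
udp,192.168.2.20,51234,192.0.2.53,53,1
udp,192.168.2.20,51235,203.0.113.123,123,2
udp,192.168.2.40,27015,203.0.113.40,27015,50
tcp,192.168.2.10,3201,192.0.2.25,25,10
tcp,192.168.2.10,3202,198.51.100.25,25,10
tcp,192.168.2.10,3203,203.0.113.25,25,10
tcp,192.168.2.30,44001,192.0.2.80,80,20
tcp,192.168.2.30,44002,192.0.2.25,25,12
"""


def parse_flows(text: str):
    """Parse the CSV records into tuples with typed addresses and ports."""
    flows = []
    for line in text.splitlines():
        proto, src, sport, dst, dport, pkts = line.split(",")
        flows.append((proto, ipaddress.ip_address(src), int(sport),
                      ipaddress.ip_address(dst), int(dport), int(pkts)))
    return flows


def is_high(port: int) -> bool:
    return 1024 <= port <= 65535


def p2p_candidates(flows, min_peers: int = 3):
    """Internal hosts talking UDP high port -> high port to many distinct external
    peers: the UDP 1024:65535 to 1024:65535 pattern of the Storm P2P channel.
    Flows to well-known ports (DNS, NTP) never count."""
    peers = defaultdict(set)
    for proto, src, sport, dst, dport, _ in flows:
        if (proto == "udp" and src in INTERNAL and dst not in INTERNAL
                and is_high(sport) and is_high(dport)):
            peers[src].add(dst)
    return sorted(str(h) for h, s in peers.items() if len(s) >= min_peers)


def smtp_fanout(flows, min_dests: int = 3):
    """Internal hosts opening TCP/25 to many distinct destinations: the behaviour
    change a bot shows when it starts spamming (legitimate relays get whitelisted)."""
    dests = defaultdict(set)
    for proto, src, _, dst, dport, _ in flows:
        if proto == "tcp" and dport == 25 and src in INTERNAL and dst not in INTERNAL:
            dests[src].add(dst)
    return sorted(str(h) for h, s in dests.items() if len(s) >= min_dests)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("P2P candidates:", p2p_candidates(flows))   # ['192.168.2.10']
    print("SMTP fan-out:", smtp_fanout(flows))        # ['192.168.2.10']
```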

Storm Worm References
Storm Worm DDoS Attack
http://www.secureworks.com/research/threats/view.html?threat=storm-worm

Storm (Worm) Peacomm Analysis
http://www.cyber-ta.org/pubs/StormWorm/report/

Schneier on Security
http://www.schneier.com/blog/archives/2007/10/the_storm_worm.html

April Storm’s Day Campaign
http://asert.arbornetworks.com/2008/03/april-storms-day-campaign/

Antirootkit.com blog
http://www.antirootkit.com/blog/category/storm-worm/

The Evolution of Peacomm to "all-in-one" Trojan
http://www.symantec.com/enterprise/security_response/weblog/2007/04/the_evolution_of_peacomm_to_al.html

Known Storm Fast Flux Domains
http://www.disog.org/text/storm-fastflux.txt

Advanced Topics

Test Yourself
Metasploit is an exploitation framework that provides a lot of flexibility to test yourself; it is very easy to test client and service exploits. More information: www.metasploit.com
Scapy is a powerful packet manipulation program; it requires some Python knowledge but is useful for creating specific types of network traffic. More information: http://www.secdev.org/projects/scapy/

>>> x = fragment(IP(dst="192.168.15.60")/ICMP()/("abc"*1200), fragsize=1200)
>>> x[1].frag = 145
>>> send(x)

Changed the fragment offset of the second fragment (145 * 8 = 1160 bytes), as the capture shows:

17:52:13.113797 IP (tos 0x0, ttl 64, id 1, offset 0, flags [+], proto ICMP (1), length 1220) 192.168.2.63 > 192.168.15.60: ICMP echo request, id 0, seq 0, length 1200
17:52:13.119594 IP (tos 0x0, ttl 64, id 1, offset 1160, flags [+], proto ICMP (1), length 1220) 192.168.2.63 > 192.168.15.60: icmp
17:52:13.125617 IP (tos 0x0, ttl 64, id 1, offset 2400, flags [+], proto ICMP (1), length 1220) 192.168.2.63 > 192.168.15.60: icmp
17:52:13.131597 IP (tos 0x0, ttl 64, id 1, offset 3600, flags [none], proto ICMP (1), length 28) 192.168.2.63 > 192.168.15.60: icmp

Security = Moving Target
The Metasploit ShikataGaNai encoder makes creating exploits with polymorphic shellcode very simple; simple string matches such as "0x90/0x90/0x90" are trivial to avoid
The Metasploit meterpreter allows relatively simple DLL injection and command execution that is difficult to detect on the compromised system (it leaves no new processes, files or network connections)
XT Bot utilized Dynamic Remote Settings Stub (DRSS) to hide communications; think of a bot that uses steganography for communication
Fast flux DNS for botnet networks makes a botnet difficult to neutralize

Deceptive Defense
Darknets and illegal IP space (dark space) monitoring provide the ability to more easily identify outbreaks and aid in detecting probing that may fall under the normal radar
Low interaction honeypots: deployed inside the network, these help quickly identify compromised systems and miscreants; real-world studies have shown a ratio of 1/1000 of the IP space is effective
Honeytokens: a purposely placed piece of information that should only be accessed by illegal activity

Source: Virtual Honeypots, pg. 308

Deceptive Defense Benefits
Low false positive rate
 An attack already passes several characteristics of valid attacks, such as illegal IP space or non-production hosts
Aid in 0-day detection
Easily identifies internal outbreaks
Scalable: Nepenthes scales well, and Honeyd can create large virtual networks

Utilizing Low Interaction Honeypots to Increase Network Security?
IPS can be configured to perform an event action override when a pre-determined threshold has been met; these actions could be block address or deny attacker inline, which can happen for a specified time frame
The IPS target value rating (TVR) can be used to increase the risk rating for events targeting a specific host or subset of hosts
A low interaction honeypot such as Nepenthes (http://nepenthes.mwcollect.org/) could be deployed in conjunction with an artificially inflated TVR to trigger event actions such as deny attacker inline, removing threats before they attack real systems

Deceptive Defense in Action

Figure: attacker 10.10.10.100 on the Internet, an IPS sensor in the path, and behind it the internal hosts and a low interaction honeypot at 192.168.100.10.

Deceptive Defense Mitigating the Attack
Signature 3338/1 Windows LSASS RPC Overflow
Base risk rating 75 (Severity = High, Fidelity = 75)
Risk Rating = (ASR * TVR * SFR) / 10000 + ARR - PD + WLR
Calculated for a target value rating set to High:
ASR (100) * TVR (150) * SFR (75) / 10000 + ARR - PD + WLR = 100 (112.5 before clamping to the 0-100 risk rating scale)
Event action override 90-100 (Deny Attacker Inline / Request Block Host)
Attacker blocked

Figure: the same topology; the attacker 10.10.10.100 is now blocked at the IPS sensor after hitting the honeypot 192.168.100.10.
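The slide's risk-rating arithmetic carried through in code, as an added example (not Cisco IPS code) that covers both the TVR mechanism described under "Utilizing Low Interaction Honeypots" and the 3338/1 calculation above. The slide only gives TVR High = 150 and ASR 100 for severity High; Medium = 100 as the default TVR and the 0-100 clamp are assumptions from the Cisco IPS risk rating model.

```python
# Risk-rating arithmetic exactly as given on the slide, clamped to the 0-100 range:
#   RR = (ASR * TVR * SFR) / 10000 + ARR - PD + WLR
# TVR values: the slide gives High = 150; Medium = 100 (the default TVR) is assumed here.
TVR = {"medium": 100, "high": 150}
OVERRIDE_MIN = 90   # event action override configured for RR 90-100 on the slide


def risk_rating(asr: float, tvr: float, sfr: float,
                arr: float = 0, pd: float = 0, wlr: float = 0) -> float:
    """Compute the risk rating and clamp it into 0..100 (assumed scale)."""
    rr = (asr * tvr * sfr) / 10000 + arr - pd + wlr
    return max(0, min(100, rr))


def event_action(rr: float) -> str:
    """Override as on the slide: RR in 90-100 gets deny attacker inline / request block host."""
    return "deny-attacker-inline" if rr >= OVERRIDE_MIN else "produce-alert"


def honeypot_decision(target_ip: str, honeypot_ips: set, asr: float = 100, sfr: float = 75):
    """Signature 3338/1 (severity High -> ASR 100, fidelity 75) against a target.
    Only the honeypot addresses carry the inflated TVR, so the same event crosses
    the override threshold there and stays an ordinary alert elsewhere."""
    tvr = TVR["high"] if target_ip in honeypot_ips else TVR["medium"]
    rr = risk_rating(asr, tvr, sfr)
    return rr, event_action(rr)


HONEYPOTS = {"192.168.100.10"}   # the low interaction honeypot from the figure

if __name__ == "__main__":
    print(honeypot_decision("192.168.100.10", HONEYPOTS))   # (100, 'deny-attacker-inline')
    print(honeypot_decision("192.168.100.20", HONEYPOTS))   # (75.0, 'produce-alert')
```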


Deceptive Defense Caveats
Make sure the host can not be used to launch attacks (block outgoing access from the host)
Use common sense; the Honeynet Project, http://www.honeynet.org/, has several research papers and presentations available

Black Hole Filtering – Destination Based
Forwards packets to the bit bucket, aka "Null0"
Only works on destination addresses
Destination-based RTBH takes the destination offline
 Self-DoS yourself, miscreant wins
 Good reactive mechanism for compromised endpoints
Traditionally used to "black hole" undesirable traffic
Foundation for other remote triggered responses

Black Hole Filtering – Source Based
Dropping on destination is very important
Dropping on source is often what we really want
Requires Unicast RPF
Reacting using the source address provides some interesting options
 Stop the attack without taking the destination offline
 Filter command and control servers
 Filter (contain) infected end stations
Must be rapid and scalable
Leverage pervasive BGP again

Black Hole Filtering – Source Based
Advantages of using source-based filtering
 No ACL update
 No change to device configuration
 Drops happen in the forwarding path
 Can be changed frequently when attack profiles are dynamic

Weaknesses when using source-based filtering
 Source detection and enumeration
 Attack termination detection (reporting)
 Will drop all packets with that source and destination on all triggered interfaces, regardless of actual intent
 Remember spoofing: don't let the miscreant spoof the true source-based target and trick you into black holing them
 Whitelist important sites that should never be blocked

Sinkhole Routers/Networks
Sinkholes are a topological security feature; think network honeypot
Router or workstation built to suck in traffic and assist in analyzing attacks (original use)
Redirect attacks away from the victim, working the attack on a router built to withstand it
Used to monitor attack noise, scans, data from misconfiguration and other activity (via the advertisement of default or illegal IP space)
Traffic is typically diverted via BGP route advertisements and policies
Leverage instrumentation in a controlled environment
 Pull the traffic past analyzers/analysis tools

Adaptive Control Technology
Next generation rapid threat containment and response
Threat Mitigation Service (TMS) is a framework for rapid network-wide distribution of and response to threats
 Near real time threat response
Threat Information Distribution Protocol (TIDP) transports messages containing abstract information about threats and suggested remedial actions
 Threat Information Message (TIM)
Devices are provisioned with policies for enforcement of traffic and response actions
 Access control list
 Traffic redirection

Threat Information Distribution Protocol
TIMs are distributed from the Threat Mitigation Service (TMS) controller to TIDP consumers
Threat Information Message identifies the threat
 TIM created in a threat definition file using XML
Messages are authenticated, encrypted, and have replay protection
Receiving devices are configured with unique policies
 Device uses local policy to convert TIMs into dynamic policy enforcement

Threat Containment Using ACT
TIDP is a protocol that allows for the quick distribution of information about network-based threats
All TIDP-enabled nodes use the payload content according to their own configuration and translate it to enforce appropriate actions

Figure: the TIM* is generated on the TIDP controller (via CLI / SDM) and carried by the Threat Information Distribution Protocol to each device; a rules engine local to each device enforces it, an NMS/syslog server receives the logging, and the intelligence resides in the end point devices.
* TIM: Threat Information Message


Automated Signature Extraction (ASE/DASE)
Dynamically extracts signatures for potential malware without the need for human intervention
Utilizes a sensor/collector architecture
 Linux-based collector and TIDP (TMS) for message exchange
Available in 12.4(15)T
Automatic Signature Extraction
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t15/htautosg.html

Complementary Sessions
BRKSEC-2001: Emerging Threats
BRKSEC-2006: Inside the Perimeter: Six Steps to Improving Your Security Monitoring
BRKSEC-2002: Understanding and Preventing Layer 2 Attacks
BRKSEC-2020: Firewall Design and Deployment
BRKSEC-2030: Deploying Network-Based Intrusion Prevention Systems

Q and A

Recommended Reading
Continue your Cisco Live learning experience with further reading from Cisco Press® Check the Recommended Reading flyer for suggested books

Available Onsite at the Cisco Company Store

Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes; winners announced daily
Receive 20 Passport points for each session evaluation you complete
Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center
Don’t forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008. Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.
