Sekiur My Thoughts


Intrusion Prevention System – Tipping Point


In an age where applications are quickly moving to the web, security threats increase the risk of a breach causing economic damage and loss of reputation to businesses.

It is no longer viable to have a firewall protect internal resources from the outside world without inspecting the legitimate traffic it lets into the network: attackers take advantage of this by moving up the OSI stack to the layers that first-generation firewalls were not protecting.

The OSI model is an abstract definition of layered communication between computers, starting at the bottom with the physical wire (layer 1) and moving up to the 7th layer, the application layer.

The first firewalls on the scene allowed the network administrator to protect up to the 3rd and 4th layers, the Network and Transport layers, by restricting access to an IP address from a range of IP addresses, or by restricting access to a server to a single port, TCP 80 in the case of a web server.

Application-aware firewalls soon surfaced, but the horsepower required to break the packets down for analysis and reconstruct them for delivery was not there; the link took a big performance hit, and even then inspection was available only for a few widely used protocols (HTTP, FTP, etc.).

A different device was introduced to address this shortfall: the IDS (Intrusion Detection System), which detected malicious attempts to access computer systems.

Later IDSs were able to send control signals to firewalls and routers to actively block attacks, and were often used in conjunction with honeypots, decoy systems that drew unauthorized access attempts away from the systems being protected.

Anomaly-based Intrusion Detection Systems (IDS) work by classifying traffic as either normal or anomalous based on rules, and to create these rules the system must first be taught what normal traffic looks like, using artificial intelligence techniques. Once the system had been trained, with neural networks or with a strict mathematical model of how the system is used, any traffic deviating from the norm would be flagged as an attack.

This proved problematic whenever new variables were introduced into the system or network, such as new applications or services: legitimate but unfamiliar traffic could trigger an unwanted change to the firewall, in effect a self-inflicted Denial of Service (DoS). Additionally, the IDS was not in line with the firewall but out of band, which added latency to the handling of attacks.

The IDS needed two major and critical improvements: moving beyond anomaly detection to add vulnerability-based signatures, and the capability to work at wire speed to enable in-line deployment.

Vulnerability-based signatures were a way for security vendors to work proactively with software vendors in finding and patching vulnerabilities before the bad guys did, releasing filters that block the specific attack on systems which have not been patched yet.

A device that blocked attacks and let everything else through was born, and named the Intrusion Prevention System (IPS).

An Intrusion Prevention System is a network security device that monitors network and/or system activity for malicious or unwanted behaviour and can react in real time to block or prevent it. A network-based IPS, for example, operates in-line and monitors all network traffic for malicious code or attacks. When an attack is detected it drops the offending packets while still allowing all other traffic to pass. Intrusion prevention is considered by some to be an extension of intrusion detection (IDS) technology.

As with any inline device, reliability and availability are of utmost importance. This is mostly addressed by a bypass feature that lets the copper ports fail open should the device fail, so a dead IPS does not take the link down. The trade-off to keep in mind is that while the bypass is engaged the segment carries traffic uninspected, so monitor the bypass state and decide per segment whether fail-open or fail-closed is what your policy actually wants.

Market leaders in this space are Cisco Systems, Juniper Networks, McAfee, IBM (ISS), 3Com (Tipping Point) and Sourcefire.

So how do today's available solutions stack up in the real world? A recent study of 170 randomly selected enterprises compared the results of real customers who use Cisco, IBM ISS, McAfee, Sourcefire or TippingPoint in live network environments. The vendors were evaluated across eight key measures in three primary categories:

  1. In-band blocking: to block unwanted traffic in real time, an IPS must be placed in-band rather than off a tap or mirror port. A device on a tap or SPAN port only sees a copy of a packet the switch has already forwarded, so it can alert or send a reset but cannot drop the packet; only an in-band device can inspect layers 2 through 7 and drop in real time.
  2. Filter effectiveness: at the heart of any IPS is how many attacks its filters can block.
  3. Ease of use: network operators are less likely to deploy an IPS across the expanse of their networks if the solution is hard to set up and manage.

The study's conclusion is that Tipping Point scores highest, often by large margins, on each key performance and manageability measure, providing superior protection against evolving network attacks and continuing to provide timely protection as new forms of attack emerge.

The Tipping Point 210E provides 200 megabits per second of aggregate bandwidth with a typical latency of under 1 millisecond, and offers 10 x 10/100/1000 Ethernet copper ports arranged as 5 segments (an in and an out port per segment) in a package a little over 1U.


Initial configuration is performed by connecting to the appliance with a console cable and setting several parameters in a setup wizard. The management server, which runs a customized Fedora, also needs to be configured with network and user information.

Management of the appliance is done through an installable client which has 7 major components:

Events: allows the monitoring of events based on a wide range of criteria, including filters, filter taxonomy, networks and segments, as well as threshold filters.

Reports: existing templates allow the quick generation of reports on attacks, performance protection, rate limiting, device traffic and traffic thresholds, amongst others. Customized reports can be saved, scheduled for particular times, and delivered by e-mail in a variety of formats including PDF, HTML and Excel.

Profiles: the IPS appliance comes preset with a default profile which defines how the appliance handles the traffic coming through its segments. Each of the 5 segments can have a different profile, making it very easy to apply one policy to one network segment and a completely different one to another, or even to protect a particular host.

The filters are categorized as Application Protection, Infrastructure Protection, Performance Protection and Traffic Management.

A large number of filters are set to Block/Notify under Application Protection and Infrastructure Protection; the action taken in the other two categories is left to be determined by the corporate security policy.

Quarantine: allows the IPS to block particular IP addresses or networks for a set time. Extremely customizable.

Devices: manage multiple IPS appliances from one management console, pushing policies, software updates and upgrades, and Digital Vaccine filter packages at the click of a button.

Admin: management of users and configuration of the management server.

Dashboard: a customizable window into the protection and performance metrics provided by the IPS (Intrusion Prevention System).

I was surprised to see the small number of hacking attempts across 4 class 'C' networks of public IP addresses, and came to the conclusion that the stateful inspection firewall in place was inspecting traffic allowed on certain protocols and thus filtering many of the attacks. Traffic not inspected by the firewall was filtered by the Tipping Point 210E appliance.

A side benefit of using this appliance, after customizing the profile for the Application Protection - Spyware category, was detecting spyware already installed on the network and blocking it from transmitting data outside the corporate network.


Written by Jose Vicente Ortega

June 11th, 2009 at 4:47 pm

Safeguard Against Random Password Hacks


A great tool I ran across to protect your server from the random password attacks I have recently been receiving from China.

Fail2ban scans log files and bans IP addresses that make repeated unsuccessful attempts to access the server: it updates the iptables rules to reject those addresses for a period of time you define. It can also be configured to notify you when these events occur.

It's no high-end Intrusion Prevention System, but it does the job.

Fail2ban comes preconfigured to detect and block attacks on ports 22 (ssh), 25 (SMTP) and 80 (http). Instructions for installing it on CentOS are detailed below, along with adding a jail for ProFTPD.

I love package management as opposed to compiling because it is clean and easy to maintain, so we will subscribe to a repository to install Fail2ban.

* Update the system

yum update

* Install DAG's GPG key

rpm --import http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt

* Download the rpmforge-release package (this is the i386 build; use the x86_64 package on a 64-bit system)

wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.i386.rpm

* Verify the package you have downloaded against the key you just imported

rpm -K rpmforge-release-0.3.6-1.el5.rf.*.rpm

Security warning: the rpmforge-release package imports GPG keys into your RPM database, so only install it once rpm -K reports a good signature and you have decided to trust Dag. Note that the key itself was fetched over plain HTTP, so compare its fingerprint with a copy published elsewhere before relying on it.

* Install the package

rpm -ivh rpmforge-release-0.3.6-1.el5.rf.*.rpm

This adds a yum repository config file and imports the appropriate GPG keys. At this point you can set the priority of the RPMForge repository, and also of the CentOS repositories if you have not done so yet.

* Test with this command:

yum check-update

* Update the system

yum update

* Install Fail2ban

yum install fail2ban

* Configure Fail2ban by editing /etc/fail2ban.conf. This is the single-file layout of the 0.6 series; 0.8 and later split the configuration into /etc/fail2ban/jail.conf (overridden by jail.local) plus filter.d/ and action.d/ files, and the same settings go there.

maxfailures = 3

(the default is 5)

ignoreip = 127.0.0.1 <the_server_IP> <network_you_want_excluded/24>

Put the address you administer from in ignoreip; otherwise a few typos in your own password are enough to ban yourself.

* Enable E-Mail Notification

[MAIL]
# Option:  enabled
# Notes.:  enable mail notification when banning an IP address.
# Values:  [true | false]  Default:  false
#
enabled = true

to = <your_email_address>

* Add ProFTPD functionality. Continuation lines of a multi-line value must be indented, or the config parser will reject them. Note also that failregex includes "Failed password", which sshd writes to the same /var/log/secure, so SSH failures count toward this jail too even though its chain only filters port ftp.

[proftpd]
enabled = true
logfile = /var/log/secure
fwstart = iptables -N fail2ban-proftpd
          iptables -I INPUT -p tcp --dport ftp -j fail2ban-proftpd
          iptables -A fail2ban-proftpd -j RETURN
fwend = iptables -D INPUT -p tcp --dport ftp -j fail2ban-proftpd
        iptables -F fail2ban-proftpd
        iptables -X fail2ban-proftpd
fwcheck = iptables -L INPUT | grep -q fail2ban-proftpd
fwban = iptables -I fail2ban-proftpd 1 -s <ip> -j DROP
fwunban = iptables -D fail2ban-proftpd -s <ip> -j DROP
timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
timepattern = %%b %%d %%H:%%M:%%S
failregex = Maximum login attempts|no such user found|Failed password

* Set it to start automatically with the system

chkconfig --levels 235 fail2ban on

* Start Fail2ban and walk away (iptables -L fail2ban-proftpd -n shows the bans as they land)

/etc/init.d/fail2ban start
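Before enabling the proftpd jail it is worth checking its failregex against real log lines and seeing which addresses would actually be banned at maxfailures = 3. The dry run below is an added example written for this page; it is not part of the original post or of Fail2ban itself. It reimplements in awk the part of Fail2ban's matching that matters here: a line counts as a failure when it matches failregex, and the host charged with it is the first IPv4 address on that line. The log lines are constructed for the example (documentation address ranges, not real traffic), findtime is ignored so every failure in the input counts whatever its age, and the fwban command is printed rather than executed.

```shell
#!/bin/sh
# Added example, not code from the original post or from Fail2ban.
# Dry run of the [proftpd] jail above: apply its failregex to sample
# log lines, count failures per source address, and print the iptables
# command the jail's fwban setting would run for each address that
# reached maxfailures. Nothing here touches the firewall.

MAXFAILURES=3
# Same alternatives as the jail's failregex setting.
FAILREGEX='Maximum login attempts|no such user found|Failed password'

# Constructed sample of /var/log/secure (not a real log). Addresses come
# from the documentation ranges. Assumptions: proftpd and sshd both log
# here through syslog, and the client address is the first IPv4 address
# on the line, which is what Fail2ban uses to pick the host to ban.
SAMPLE_LOG='Feb  5 14:02:11 ftp proftpd[2231]: 203.0.113.9 (203.0.113.9[203.0.113.9]) - USER admin: no such user found from 203.0.113.9 [203.0.113.9] to 198.51.100.5:21
Feb  5 14:02:13 ftp proftpd[2231]: 203.0.113.9 (203.0.113.9[203.0.113.9]) - USER root: no such user found from 203.0.113.9 [203.0.113.9] to 198.51.100.5:21
Feb  5 14:02:15 ftp proftpd[2231]: 203.0.113.9 (203.0.113.9[203.0.113.9]) - USER test: no such user found from 203.0.113.9 [203.0.113.9] to 198.51.100.5:21
Feb  5 14:02:16 ftp proftpd[2231]: 203.0.113.9 (203.0.113.9[203.0.113.9]) - Maximum login attempts (3) exceeded
Feb  5 14:05:40 ftp proftpd[2240]: 192.0.2.7 (192.0.2.7[192.0.2.7]) - USER jose: no such user found from 192.0.2.7 [192.0.2.7] to 198.51.100.5:21
Feb  5 14:05:55 ftp proftpd[2240]: 192.0.2.7 (192.0.2.7[192.0.2.7]) - USER jvo: Login successful.
Feb  5 14:06:02 ftp sshd[2250]: Failed password for invalid user oracle from 198.51.100.77 port 51022 ssh2
Feb  5 14:06:04 ftp sshd[2250]: Failed password for invalid user oracle from 198.51.100.77 port 51022 ssh2
Feb  5 14:06:07 ftp sshd[2252]: Failed password for root from 198.51.100.77 port 51030 ssh2
Feb  5 14:07:10 ftp sshd[2260]: Accepted publickey for jvo from 192.0.2.7 port 51100 ssh2'

# Per-address failure counts, one "count ip" pair per line, for lines
# matching FAILREGEX. findtime is not modelled: every failure counts.
failure_counts() {
    printf '%s\n' "$1" | awk -v re="$FAILREGEX" '
        $0 ~ re && match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) {
            n[substr($0, RSTART, RLENGTH)]++
        }
        END { for (ip in n) print n[ip], ip }' | sort -k2
}

# Addresses whose failure count reached MAXFAILURES, one per line, sorted.
ban_candidates() {
    failure_counts "$1" | awk -v max="$MAXFAILURES" '$1 >= max { print $2 }'
}

# Render the jail's fwban setting with <ip> substituted. Printed, not run.
fwban_cmd() {
    printf 'iptables -I fail2ban-proftpd 1 -s %s -j DROP\n' "$1"
}

# Dry run over the sample: 203.0.113.9 (4 proftpd failures) and
# 198.51.100.77 (3 sshd failures, because failregex also matches sshd's
# "Failed password" lines in the shared /var/log/secure) would be banned;
# 192.0.2.7 stays below maxfailures.
for ip in $(ban_candidates "$SAMPLE_LOG"); do
    fwban_cmd "$ip"
done
```

Two things the dry run makes visible that the config alone does not: the SSH brute-forcer ends up in the proftpd chain, which only filters port ftp, so it is the SSH jail and not this one that keeps it off port 22; and a single mistyped password (192.0.2.7) never reaches the threshold, which is the reason to keep maxfailures above 1 even with ignoreip set.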


Written by Jose Vicente Ortega

February 5th, 2009 at 3:08 pm