Monitoring and Mitigating Threats

BRKSEC-2004
14344_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 2

© 2006, Cisco Systems, Inc. All rights reserved. 1
Presentation_ID.scr
Overview

• Mitigation and Prevention
• Monitoring and Identification
• IPS Capabilities
• Case Studies
• Advanced Topics


How Computers and Networks Are Owned
• Service vulnerabilities (IIS, Apache, SMB)
• Application vulnerabilities (XSS)
• Denial of Service
  Flooding
    Spoofed (smurf, syn-flood)
    Non-spoofed rate
  Packet conformance vulnerabilities
• Client side application vulnerabilities
• Configuration vulnerabilities (weak passwords, lack of encryption, etc.)

Corresponding controls listed alongside on the slide: Access Control, Application Inspection, IPS Capabilities, Spoofing Prevention, Packet Conformance, User Education

There Is No Silver Bullet

• ACLs are most effective when the service is not required, and they are only effective between the boundaries where they are deployed, which is usually a Layer 3 interface
• IPS only mitigates when it is configured to (which is seldom)
• AV detection is not 100% (~85% with samples taken from honeypots)
• All new technologies introduce potential vulnerabilities in themselves
• Complexity introduces errors
Source: Virtual Honeypots

Know Your Enemy: Anatomy of an Attack
(Diagram: the five phases below run in sequence against the Target.)
1. Probe
   • Ping addresses
   • Scan ports
   • Passive probing
   • Guess user accounts
2. Penetrate
   • Phishing and Social Engineering
   • Mail attachments
   • Buffer overflows
   • ActiveX controls
   • Network installs
   • Compressed messages
   • Guess Backdoors
3. Persist
   • Create new files
   • Modify existing files
   • Weaken registry security settings
   • Install new services
   • Register trap doors
4. Propagate
   • Mail copy of attack
   • Web connection
   • IRC
   • FTP
   • Infect file shares
5. Paralyze
   • Delete files
   • Modify files
   • Drill security hole
   • Crash computer
   • Denial of service
   • Steal secrets
Worm/Virus: Exploit Comparison (~20 Yrs)

| Phase | Morris 1988 | Love Bug 2000 | Code Red 2001 | Slammer 2003 | MyDoom 2004 | Zotob 2005 | MS RPC DNS 0day 2007 |
|---|---|---|---|---|---|---|---|
| Probe | Scan for Fingerd | N/A | Scan for IIS | N/A | N/A | Scan for MS Directory Services | Scan or Query Endpoint Mapper |
| Penetrate | Buffer Overflow in Fingerd | Arrive as Email Attachment | Buffer Overflow in IIS | Buffer Overflow in SQL and MSDE | Arrive as Email Attachment | Buffer Overflow in Upnp Service | Buffer Overflow in RPC Service |
| Persist | Execute Script to Download Code | Create Executables and Edit Registry | Execute Script to Download Code | N/A | Create Executables and Edit Registry | Create Executables and Edit Registry, Download Code, Start FTP and TFTP | Execute Payload to Download Code |
| Propagate | Look for Addresses and Spread to New Victim | Open Address Book and Email Copies | Pick New Addresses and Spread to New Victim | Pick New Addresses and Spread to New Victim | Open Address Book and Email Copies | Look for Addresses and Spread to New Victim | Look for Services, Addresses and Spread to New Victim |
| Paralyze | Lots of Worm Processes Slow System | Lots of Worm Threads Slow System | Spreads | Lots of Worm Packets Slow Network | Spreads | Delete Registry Keys and Files, Terminate Processes | Spreads |

Defense-in-Depth Strategy (DIDS)
• Layering security defenses reduces threat exposure and reduces the window of opportunity for miscreants
• Apply appropriate controls closest to the victim and miscreant
• Any defense mechanism may fail, be bypassed, or be defeated
• Embrace multiple protection methods that complement each other

Mitigation and Prevention


Mitigation

• Access Control
• Spoofing Prevention
• Packet Conformance
• Application Inspection
• Flexible Packet Matching

Access Control

• Highly effective deterrent at an enforced boundary for Layer 3 and Layer 4 traffic
• Not effective when services/applications are required by potentially malicious users
• Classification ACLs aid in identification
• Default deny ingress/egress will prevent a lot
• Filter as precisely as possible
  Source and destination (Layer 3 and Layer 4)


ACL Cisco IOS vs. Firewall

| Feature | ASA, PIX, and FWSM | Cisco IOS |
|---|---|---|
| IP Fragmentation | Virtual Reassembly using fragment chain | fragments keyword on ACLs and ip virtual-reassembly under interface configuration |
| State | ACLs Have State | Use of established Keyword |
| IP Option Filtering | Drop IP Options by default | option Keyword, 12.3(4)T |
| TTL Filtering | ttl-evasion-protection via MPF | ttl Keyword, 12.4(2)T |
| TCP Flags | Verified by Default | syn, fin, ack, psh, urg, rst Keywords, 12.3(4)T |

Utilizing Cisco IOS ACL Capabilities
!
Router(config)#ip access-list extended tACL
!
!-- Deny loose source routed packets
!
Router(config-ext-nacl)#deny ip any any option lsr
!
!-- Deny fragmented packets
!
Router(config-ext-nacl)#deny ip any any fragments
!
!-- Deny TCP packets with SYN and FIN flags set
!
Router(config-ext-nacl)#deny tcp any any match-all +syn +fin
!
!-- Deny packets with TTL values less than 5
!
Router(config-ext-nacl)#deny ip any any ttl lt 5
!


Layer 2 Access Control
!
!-- VLAN Access Control List
!-- Create ACL default permit
ip access-list extended VACL-MATCH-ANY
 permit ip any any
!
!-- Create ACL matching ports to classify traffic (permit ACE rules)
ip access-list extended VACL-MATCH-PORTS
 permit tcp 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 445
 permit tcp 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 139
!
!-- Create VLAN Access Map for VACL policy; set action to drop for the matched ports
vlan access-map VACL 10
 match ip address VACL-MATCH-PORTS
 action drop
!
vlan access-map VACL 20
 match ip address VACL-MATCH-ANY
 action forward
!
!-- Apply and enable VACL for use
vlan filter VACL vlan 100
!
!
!-- Port ACL
ip access-list extended <acl-name>
 permit <protocol> <source-address> <source-port> <destination-address> <destination-port>
!
interface <type> <slot/port>
 switchport mode access
 switchport access vlan <vlan_number>
 ip access-group <acl-name> in
!
Modular and Phase-Based ACL Policy (Hybrid Permit/Deny)

| Phase | Rule Group | How Often It Changes |
|---|---|---|
| 1 | Anti-Spoofing | Rarely Changes |
| 2 | Anti-Bogon (Source) | Rarely Changes |
| 3 | Infrastructure Permit | Rarely Changes |
| 4 | Explicit Deny Specific Layer 3 | Sometimes Changes |
| 5 | Explicit Deny Specific Layer 4 | Sometimes Changes |
| 6 | Incident Response and Countermeasure | Changes Everyday |
| 7 | Explicit Permit Layer 3 (Good Traffic) | Sometimes Changes |
| 8 | Explicit Permit Layer 3 (Good Traffic) | Sometimes Changes |
| 9 | Explicit Deny | Rarely Changes |


Known, Unknown, and Undesirable Traffic
ip access-list extended ACCESS-LIST
200 deny ip 127.0.0.0 0.255.255.255 any !-- Deny Loopback netblock (src)
210 deny ip any 127.0.0.0 0.255.255.255 !-- Deny Loopback netblock (dst)
220 deny ip 192.0.2.0 0.0.0.255 any !-- Deny Test-Net netblock (src)
230 deny ip any 192.0.2.0 0.0.0.255 !-- Deny Test-Net netblock (dst)
240 deny ip 169.254.0.0 0.0.255.255 any !-- Deny Link Local netblock (src)
250 deny ip any 169.254.0.0 0.0.255.255 !-- Deny Link Local netblock (dst)
----- Output Truncated -----
500 deny tcp any any eq 135 !-- MS RPC Endpoint Mapper
510 deny tcp any any eq 139 !-- NetBIOS Session Service
520 deny tcp any any eq 445 !-- Microsoft DS, and Zotob
530 deny udp any any eq 445 !-- SMB vulns
540 deny tcp any any eq 4444 !-- Metasploit Reverse Shell
550 deny udp any any eq 1434 !-- MS SQL, Sapphire/Slammer Worm
560 deny tcp any any range 6660 6669 !-- IRC traffic
570 deny tcp any any eq 7000 !-- IRC traffic
----- Output Truncated -----
600 deny udp any any eq 1025 !-- MS RPC and LSA exploit traffic
610 deny tcp any any eq 5000 !-- UPnP Buffer Overflow exploit traffic

Access Control References

• ASA 8.0 Identifying Traffic with Access Lists
  http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/traffic.html
• Transit Access Control Lists: Filtering at Your Edge
  http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml
• Configuring Network Security with ACLs
  http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_40_se/configuration/guide/swacl.html
• Protecting Your Core: Infrastructure Protection Access Control Lists
  http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml

Spoofing Prevention

• Minimize attacks that require spoofing
  Syn Flood
  Smurf Attack
• Attack trace back simplified
• Multiple features exist
  Access Control Lists (ACLs)
  Unicast Reverse Path Forwarding (Unicast RPF)
  TCP Intercept (SYN Cookies)
  IP Source Guard (IPSG)*
  DHCP Snooping*

*Detailed information about Layer 2 security is available in BRKSEC-2002
Unicast Reverse Path Forwarding

• Which Mode to Deploy: Strict or Loose?
  Strict for symmetrical flows
  Loose for asymmetrical flows

• Effectively drops packets that lack a verifiable IP source address
• Not 100% effective; however, through proper deployment Unicast RPF can protect against most Layer 3 spoofed packets
• Tuning for Unicast RPF is provided through ACLs


Strict Mode Unicast RPF
Router(config-if)# ip verify unicast source reachable-via rx
(deprecated syntax: ip verify unicast reverse-path)

(Diagram: a router with int 1, int 2 and int 3 and the FIB below. A packet from source Sx arriving on int 1 passes because the FIB path for Sx is int 1, the receiving interface; a packet from source Sy arriving on int 1 is dropped because the FIB path for Sy is int 2.)

FIB
| Dest | Path |
|---|---|
| Sx | int 1 |
| Sy | int 2 |
| Sz | null0 |

Check: sourceIP reachable via the receiving (rx) interface? Yes: forward. No: drop.
Loose Mode Unicast RPF
Router(config-if)# ip verify unicast source reachable-via any

(Diagram: the same router and FIB. A packet from source Sy arriving on int 1 now passes because Sy is reachable via some interface (int 2); a packet from source Sz is dropped because the FIB has no usable path for Sz (null0 / no route).)

FIB
| Dest | Path |
|---|---|
| Sx | int 1 |
| Sy | int 2 |
| Sz | null0 (no usable route) |

Check: sourceIP reachable via any interface? Yes: forward. No: drop.

Address Spoofing Prevention in the Enterprise
Enterprise: 192.168.0.0/16, connected to the ISP, with LANs 192.168.1/24, 192.168.2/24 and 192.168.3/24

Block Leaving Source != Own Network (on the ISP-facing interface, outbound):
access-list 102 permit ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip any any
or
ip verify unicast source reachable-via rx

Block Entering Source = Own Network (on the ISP-facing interface, inbound):
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 permit ip any any
or
ip verify unicast source reachable-via rx allow-default

Block Sources That Do Not Belong to Subnet (on each LAN interface, X = 1, 2, 3):
access-list 102 permit ip 192.168.X.0 0.0.0.255 any
access-list 102 deny ip any any
or
ip verify unicast source reachable-via rx
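The strict, loose and allow-default behaviours from the three preceding slides, replayed against a small FIB. This is an added illustration, not Cisco code or the deck's own material: the FIB entries, interface names and test addresses are constructed to mirror the diagrams (Sx behind int 1, Sy behind int 2, Sz routed to null0, a default route toward the ISP on int 3), and `urpf_check` is a hypothetical emulation of `ip verify unicast source reachable-via {rx|any} [allow-default]` on a single packet.

```python
import ipaddress

# Constructed FIB modelled on the slide's diagram: destination prefix -> path (egress interface).
# Sx/Sy/Sz are the slide's source networks; "null0" is a discard route (a bogon netblock),
# and the default route points toward the ISP. Values are illustrative, not from the original.
FIB = {
    ipaddress.ip_network("192.168.1.0/24"): "int 1",  # Sx, a LAN behind int 1
    ipaddress.ip_network("192.168.2.0/24"): "int 2",  # Sy, a LAN behind int 2
    ipaddress.ip_network("192.0.2.0/24"): "null0",    # Sz, bogon routed to null0
    ipaddress.ip_network("0.0.0.0/0"): "int 3",       # default route toward the ISP
}


def fib_lookup(src_ip):
    """Longest-prefix match for src_ip; returns (prefix, path) or (None, None) with no route."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for prefix, path in FIB.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, path)
    return best if best else (None, None)


def urpf_check(src_ip, rx_int, mode="rx", allow_default=False):
    """Emulate 'ip verify unicast source reachable-via {rx|any} [allow-default]' on one packet.

    mode="rx"  strict: the FIB path for the source must be the receiving interface.
    mode="any" loose:  any non-null0 FIB path for the source is enough.
    Returns True when the packet passes, False when uRPF would drop it.
    """
    prefix, path = fib_lookup(src_ip)
    if prefix is None or path == "null0":
        return False                      # unroutable or explicitly discarded source
    if prefix.prefixlen == 0 and not allow_default:
        return False                      # only the default route covers it: fail unless allowed
    if mode == "rx":
        return path == rx_int
    return True


def enterprise_edge_cases():
    """The slide's three placements, evaluated as (description -> passes?)."""
    return {
        # LAN-facing int 1 in strict mode: own subnet passes, a foreign source is dropped
        "own subnet leaving via int 1 (strict)": urpf_check("192.168.1.5", "int 1"),
        "foreign source leaving via int 1 (strict)": urpf_check("10.9.9.9", "int 1"),
        # asymmetric flow: Sy's traffic arriving on int 1 fails strict but passes loose
        "Sy arriving on int 1 (strict)": urpf_check("192.168.2.7", "int 1"),
        "Sy arriving on int 1 (loose)": urpf_check("192.168.2.7", "int 1", mode="any"),
        # ISP-facing int 3: own-network sources are spoofed, Internet sources need allow-default
        "own network entering from ISP (strict)": urpf_check("192.168.1.5", "int 3"),
        "Internet source entering (strict, no allow-default)": urpf_check("198.51.100.1", "int 3"),
        "Internet source entering (strict, allow-default)": urpf_check("198.51.100.1", "int 3", allow_default=True),
        "bogon source entering (loose)": urpf_check("192.0.2.9", "int 3", mode="any"),
    }


if __name__ == "__main__":
    for case, passed in enterprise_edge_cases().items():
        print(f"{'pass' if passed else 'DROP':4}  {case}")
```

The "Internet source entering" pair is the reason the ISP-facing interface on the slide carries `allow-default`: without it, strict mode on an interface whose only route back to the Internet is the default route drops every legitimate inbound packet, not just the spoofed ones.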

Configuring Spoofing Features
!-- Layer 3 Spoofing Prevention
!-- Unicast RPF must have CEF enabled
ip cef
!
interface <interface>
 ip verify unicast source reachable-via <mode>
!
!-- Anti-Spoofing ACL
ip access-list extended ACL-ANTISPOOF-IN
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
!
interface <interface>
 ip access-group ACL-ANTISPOOF-IN in
!
!-- Layer 2 Spoofing Prevention
!-- Configuring DHCP Snooping
ip dhcp snooping
ip dhcp snooping vlan <vlan-range>
!
!-- IPSG, which requires DHCP snooping
interface <interface-id>
 ip verify source
!
!-- Configuring Port Security
interface <interface>
 switchport
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security maximum <number>
 switchport port-security violation <violation-mode>
!

SYN Cookie Packet Flow
Client (Source), IP 192.168.1.1                         Server (Destination), IP 192.168.2.2

  SYN (SrcIP=192.168.1.1; seq=x)            -->   Is IP 192.168.1.1 authenticated? NO
  SYN ACK (seq=cookie; ack=x+1)             <--   Generate unique cookie for IP 192.168.1.1
  ACK (seq=x+1; ack=cookie+1)               -->   If cookie is valid, authenticate IP 192.168.1.1

  SYN (seq=y)                               -->   Is IP 192.168.1.1 authenticated? YES
  SYN ACK (seq=z; ack=y+1)                  <--   Connection established
  ACK (seq=y+1; ack=z+1)                    -->   ACK (seq=y+1; ack=z+1) passed on to the server
  DATA                                      -->   DATA passed on to the server
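The exchange above, worked through as an added example that is not part of the deck and not Cisco's TCP Intercept implementation. The cookie construction is an assumption chosen to show the property the slide relies on: the intercepting device keeps no per-SYN state, it can recompute the cookie from the returning ACK, and only a host that actually received the SYN-ACK can produce a valid `ack=cookie+1`. Addresses, ports, sequence numbers and the secret are constructed.

```python
import hashlib
import hmac
import os
import time


class SynCookieIntercept:
    """Constructed model of a SYN-cookie TCP intercept device sitting in front of the server.

    Not Cisco's implementation: the cookie is an HMAC over the 4-tuple, the client's ISN and a
    coarse time slot, so no per-SYN state is kept until the client proves it can receive replies.
    """

    def __init__(self, secret=None, slot_seconds=60):
        self.secret = secret or os.urandom(32)
        self.slot_seconds = slot_seconds
        self.authenticated = set()        # source IPs that completed a handshake with us

    def _cookie(self, src_ip, src_port, dst_ip, dst_port, client_seq, slot):
        msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{client_seq}|{slot & 0xFF}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        # 32-bit ISN: high byte carries the time slot, low 24 bits carry the MAC
        return ((slot & 0xFF) << 24) | int.from_bytes(mac[:3], "big")

    def _slot(self, now):
        return int((time.time() if now is None else now) // self.slot_seconds)

    def on_syn(self, src_ip, src_port, dst_ip, dst_port, seq, now=None):
        """SYN from an unauthenticated source: answer with SYN-ACK(seq=cookie, ack=x+1).
        Returns None for an authenticated source, meaning the SYN is passed to the real server."""
        if src_ip in self.authenticated:
            return None
        cookie = self._cookie(src_ip, src_port, dst_ip, dst_port, seq, self._slot(now))
        return {"seq": cookie, "ack": (seq + 1) & 0xFFFFFFFF}

    def on_ack(self, src_ip, src_port, dst_ip, dst_port, seq, ack, now=None):
        """Third-handshake ACK(seq=x+1, ack=cookie+1): recompute the cookie and compare.
        Only a host that really received our SYN-ACK can supply it, so a valid cookie
        authenticates the source. Returns True if authenticated."""
        cookie = (ack - 1) & 0xFFFFFFFF
        client_seq = (seq - 1) & 0xFFFFFFFF
        current = self._slot(now)
        for candidate in (current, current - 1):   # accept the current and previous slot
            expected = self._cookie(src_ip, src_port, dst_ip, dst_port, client_seq, candidate)
            if (candidate & 0xFF) == cookie >> 24 and hmac.compare_digest(
                    expected.to_bytes(4, "big"), cookie.to_bytes(4, "big")):
                self.authenticated.add(src_ip)
                return True
        return False


def walk_through(now=1_000_000):
    """Replay the slide's exchange plus a spoofed-source SYN; returns what each step produced."""
    device = SynCookieIntercept(secret=b"constructed-demo-secret")
    client, server = ("192.168.1.1", 40000), ("192.168.2.2", 80)
    x = 1000
    synack = device.on_syn(*client, *server, seq=x, now=now)                      # SYN (seq=x)
    first_ack_ok = device.on_ack(*client, *server, seq=x + 1, ack=synack["seq"] + 1, now=now + 1)
    second_syn = device.on_syn(*client, *server, seq=5000, now=now + 2)           # SYN (seq=y)
    # A spoofed source never sees the SYN-ACK, so it can only guess the cookie (here: a guess
    # with the right time-slot byte but a wrong MAC)
    spoofed_ack_ok = device.on_ack("203.0.113.9", 40000, *server, seq=x + 1, ack=0x1A123457, now=now + 1)
    # A replayed valid ACK long after the slot expired is rejected as well
    stale_ack_ok = device.on_ack(*client, *server, seq=x + 1, ack=synack["seq"] + 1, now=now + 600)
    return {
        "synack_ack": synack["ack"],
        "first_ack_authenticated": first_ack_ok,
        "second_syn_passed_through": second_syn is None,
        "spoofed_ack_authenticated": spoofed_ack_ok,
        "stale_ack_authenticated": stale_ack_ok,
    }


if __name__ == "__main__":
    for step, result in walk_through().items():
        print(f"{step}: {result}")
```

The time slot in the high byte is what bounds replay: a captured ACK stops validating once the slot rolls over, while the device still needs no table of outstanding SYNs, which is the point of using cookies against a SYN flood.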
TCP-Intercept
!-- Using Modular Policy Framework (MPF),
!-- which is available on ASA and PIX
access-list management permit tcp any 192.168.131.0 255.255.255.0
!
class-map connection-limit
 match access-list management
!
policy-map spoof-protect
 class connection-limit
  !
  !-- Setting the limit to one forces all connections to be validated
  !
  set connection embryonic-conn-max 1
!
service-policy spoof-protect interface outside
!
!-- Static NAT: maps the inside (real) address 192.168.111.111 to the
!-- outside (mapped) address 192.168.222.222 and sets an embryonic
!-- connection limit of 1 (tcp max-conns 0 = unlimited, emb-limit 1)
static (inside,outside) 192.168.222.222 192.168.111.111 tcp 0 1
!
!-- Static Identity NAT, i.e. no address translation
static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 tcp 0 1
!


Spoofing References
• Understanding Unicast Reverse Path Forwarding
  http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html
• http://www.cymru.com/Documents/tracking-spoofed.html
• http://www.cymru.com/Documents/bogon-dd.html

Packet Conformance
Several Attacks Use Fuzzed or Irregular Packet Fields to Identify Hosts, Exploit Vulnerabilities or Evade Detection
• Fragmentation overwrite, overlap, short, long (teardrop, jolt, evasion)
• Nmap passive OS identification scanning
• Source routing to evade access control or cause other vulnerabilities
• Abnormal TCP flags, values, overwrite
• Time-to-live (TTL) abnormalities


Firewall Packet Conformance
• Virtual Fragmentation Reassembly: reassemble, perform consistency checks (overlap, overwrite, long, short), then forward
• fragment chain command
• Dropping packets with IP options present
• Fuzzy TCP flags
• TCP intercept (SYN Cookies)
• ttl-evasion-protection in MPF (enabled by default)
• TCP-MAP (TCP options, SYN data)
• Accelerated Security Path (ASP) checks
Firewall ASP Checks
Firewall# capture drop type asp-drop ?
-------------------- Output Truncated in Several Places --------------------
fragment-reassembly-failed Fragment reassembly failed
invalid-ip-header Invalid IP header
invalid-ip-length Invalid IP length
invalid-ip-option IP option drop
invalid-tcp-hdr-length Invalid TCP Length
invalid-udp-length Invalid UDP Length
tcp-3whs-failed TCP failed 3 way handshake
tcp-ack-syn-diff TCP ACK in SYNACK invalid
tcp-bad-option-len Bad option length in TCP
tcp-bad-option-list TCP option list invalid
tcp-bad-sack-allow Bad TCP SACK ALLOW option
tcp-bad-winscale Bad TCP window scale value
tcp-data-past-fin TCP data send after FIN
tcp-discarded-ooo TCP ACK in 3 way handshake invalid
tcp-invalid-ack TCP invalid ACK
tcp-mss-exceeded TCP data exceeded MSS
tcp-not-syn First TCP packet not SYN
tcp-reserved-set TCP reserved flags set
tcp-rst-syn-in-win TCP RST/SYN in window
tcp-rstfin-ooo TCP RST/FIN out of order
tcp-seq-past-win TCP packet SEQ past window
tcp-seq-syn-diff TCP SEQ in SYN/SYNACK invalid
tcp-syn-data TCP SYN with data
tcp-syn-ooo TCP SYN on established conn
tcp-synack-data TCP SYNACK with data
tcp-synack-ooo TCP SYNACK on established conn
tcp-winscale-no-syn TCP Window scale on non-SYN


Cisco IOS Packet Conformance
• ip options drop command
• no ip source-route

Router(config)# ip options drop

% Warning: RSVP and other protocols that use IP Options
packets may not function as expected.

Router(config)# no ip source-route
Router(config)#

• Some of the checks can be accomplished through ACLs (such as IP options, TCP flags)

Cisco IOS Packet Conformance (cont…)

• Virtual Fragmentation Reassembly (VFR), 12.3(8)T
  Asymmetric traffic causes problems
  ip virtual-reassembly
  !
  interface GigabitEthernet0/0
   ip address <address>
   ip virtual-reassembly [drop-fragments] [max-fragments number] [max-reassemblies number] [timeout seconds]
  !

• Troubleshoot and verify VFR operations
  debug ip virtual-reassembly
  show ip virtual-reassembly
  Syslog: VFR-3-TINY_FRAGMENTS, VFR-3-OVERLAP_FRAGMENT, VFR-4-FRAG_TABLE_OVERFLOW, VFR-4-TOO_MANY_FRAGMENTS


Application Layer Protocol Inspection
• Feature on ASA, PIX, and FWSM security devices
• Stateful deep packet inspection
  Good for protocols that open secondary ports and use embedded IP addresses
  Potential DoS vector due to performance implications
• User defined policies
• Response actions for undesirable traffic
• Default inspection policy shown

class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
Application Layer Protocol Inspection

Configuration requires:
• Class-map: Identifies the traffic that needs a specific type of control; class-maps have specific names which bind them to a policy-map
• Policy-map: Describes the actions to be taken on the traffic described in the class-map; policy-maps have specific names which bind them to the service-policy
• Service-policy: Describes where the traffic should be intercepted for control; only one service-policy can exist per interface; an additional service-policy called "global-service-policy" is defined for traffic and general policy application; this policy applies to traffic on all interfaces

*Detailed information about Firewall Design and Deployment is available in BRKSEC-2020

Application Layer Protocol Inspection
• Regex introduced in 7.2 provides the ability to filter specific traffic
  Not available on FWSM
Firewall# show run all | include regex _default_
regex _default_gator "Gator"
regex _default_firethru-tunnel_2 "[/\\]cgi[-]bin[/\\]proxy"
regex _default_shoutcast-tunneling-protocol "1"
regex _default_http-tunnel "[/\\]HT_PortLog.aspx"
regex _default_x-kazaa-network "[xX]-[kK][aA][zZ][aA][aA]-[nN][eE][tT][wW][oO][rR][kK]"
regex _default_msn-messenger "[Aa][Pp][Pp][Ll][Ii][Cc][Aa][Tt][Ii][Oo][Nn][/\\][Xx][-][Mm][Ss][Nn][-][Mm][Ee][Ss][Ss][Ee][Nn][Gg][Ee][Rr]"
regex _default_GoToMyPC-tunnel_2 "[/\\]erc[/\\]Poll"
regex _default_gnu-http-tunnel_uri "[/\\]index[.]html"
regex _default_aim-messenger "[Hh][Tt][Tt][Pp][.][Pp][Rr][Oo][Xx][Yy][.][Ii][Cc][Qq][.][Cc][Oo][Mm]"
regex _default_gnu-http-tunnel_arg "crap"
regex _default_icy-metadata "[iI][cC][yY]-[mM][eE][tT][aA][dD][aA][tT][aA]"
regex _default_GoToMyPC-tunnel "machinekey"
regex _default_windows-media-player-tunnel "NSPlayer"
regex _default_yahoo-messenger "YMSG"
regex _default_httport-tunnel "photo[.]exectech[-]va[.]com"
regex _default_firethru-tunnel_1 "firethru[.]com"

DNS Protocol Inspection Example
! Create Regex Match
Firewall(config)# regex domain1 "yahoo\.com"
Firewall(config)# regex domain2 "cnn\.com"
!
! Create Regex Class Map
Firewall(config)# class-map type regex match-any dns_filter_class
Firewall(config-cmap)# match regex domain1
Firewall(config-cmap)# match regex domain2
!
! Inspection Class Map
Firewall(config)# class-map type inspect dns dns_inspect_class
Firewall(config-cmap)# match not header-flag QR
Firewall(config-cmap)# match question
Firewall(config-cmap)# match domain-name regex class dns_filter_class
!
! Perform Policy Map Action
Firewall(config-cmap)# policy-map type inspect dns dns_inspect_policy
Firewall(config-pmap)# class dns_inspect_class
Firewall(config-pmap-c)# drop log
!
Firewall(config-pmap-c)# class-map inspection_default
Firewall(config-cmap)# match default-inspection-traffic
!
Firewall(config-cmap)# policy-map egress_policy
Firewall(config-pmap)# class inspection_default
Firewall(config-pmap-c)# inspect dns dns_inspect_policy
!
Firewall(config-pmap-c)# service-policy egress_policy interface inside
!
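What the `dns_inspect_class` above actually evaluates on the wire, as an added example that is neither the deck's nor Cisco's code: a minimal parser for the DNS header and first question, the three match clauses (`not header-flag QR`, `question`, `domain-name regex class`) combined with match-all semantics, and the `match-any` regex class built from the slide's two patterns. `build_query` constructs test messages; the QR-flag, malformed-name and unanchored-regex cases are the ones worth checking before the policy goes on the inside interface.

```python
import re
import struct

# The slide's regex class map: match-any of domain1 "yahoo\.com" and domain2 "cnn\.com".
DNS_FILTER_CLASS = [re.compile(r"yahoo\.com"), re.compile(r"cnn\.com")]


def parse_dns_question(msg):
    """Return (qr, qname) from a DNS message header and its first question; None if malformed."""
    if len(msg) < 12:
        return None
    _ident, flags, qdcount = struct.unpack("!HHH", msg[:6])
    qr = flags >> 15                       # 0 = query, 1 = response
    if qdcount == 0:
        return qr, None
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            return None                    # name runs past the end of the message
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0 or pos + length > len(msg):
            return None                    # compression pointer in a question, or truncated label
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(msg):
        return None                        # QTYPE/QCLASS missing
    return qr, ".".join(labels)


def dns_inspect_class(msg):
    """'match not header-flag QR' AND 'match question' AND 'match domain-name regex class':
    True means the message belongs to dns_inspect_class and gets the 'drop log' action."""
    parsed = parse_dns_question(msg)
    if parsed is None:
        return False
    qr, qname = parsed
    if qr != 0 or qname is None:
        return False
    return any(r.search(qname) for r in DNS_FILTER_CLASS)


def build_query(qname, ident=0x1234, response=False):
    """Constructed minimal DNS message with one A/IN question (standard query, RD set)."""
    flags = 0x8180 if response else 0x0100
    name = b"".join(bytes([len(label)]) + label.encode() for label in qname.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0) + name + struct.pack("!HH", 1, 1)


if __name__ == "__main__":
    for q in ["www.yahoo.com", "www.google.com", "cnn.com", "yahoo.com.example.net"]:
        print(f"{q:24} -> {'drop log' if dns_inspect_class(build_query(q)) else 'pass'}")
```

Two things the run makes visible: responses are never matched because of `match not header-flag QR`, and the slide's regexes are unanchored, so `yahoo.com.example.net` is dropped along with `www.yahoo.com`; anchor the pattern if that is not intended.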


DNS AppFW Protocol Inspection Example
DNS Resolution Fails After Service Policy is Enabled

Disable and then enable the service policy which inspects DNS queries:
Firewall(config)# no service-policy egress_policy interface inside

Firewall(config)# service-policy egress_policy interface inside

DNS resolver on endpoints, successful DNS resolution (policy disabled):
[user@linux ~]# dig www.google.com
; <<>> DiG 9.5.0b3 <<>> www.google.com
;; global options: f
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13951
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 7, ADDITIONAL: 7

;; QUESTION SECTION:
;www.google.com. IN A

;; ANSWER SECTION:
www.google.com. 118837 IN CNAME www.l.google.com.
www.l.google.com. 37 IN A 209.85.165.147
www.l.google.com. 37 IN A 209.85.165.99
www.l.google.com. 37 IN A 209.85.165.103
www.l.google.com. 37 IN A 209.85.165.104

[user@linux ~]$

Failed DNS resolution (policy enabled):
[user@linux ~]$ dig www.google.com

; <<>> DiG 9.5.0b3 <<>> www.google.com
;; global options: printcmd
;; connection timed out; no servers could be reached
[user@linux ~]$
Firewall Protocol Inspection References

• ASA 8.0 MPF Guide
  http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mpc.html

• Applying Application Layer Protocol Inspection
  http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/inspect.html


IOS Flexible Packet Matching

• Performs stateless deep packet inspection providing more granular control than ACLs
• Ability to deploy protection and prevention mechanisms closer to victim and miscreant
  Protocol + Port + [String|Regex] → Action
  Some PHDFs already exist to detect certain vulnerabilities or protocols (bittorrent and skype)

(Diagram: a frame laid out as L2 Header | L3 Header | L4 Header | First… | Second… | Payload… | Payload… | Payload…, showing that FPM can match at any of these positions.)

Access Lists on Steroids
(Diagram: a frame laid out as L2 Header | L3 Header | L4 Header | First… | Second… | Payload… | Payload… | Payload….)

• Flexible Packet Matching (FPM) performs deep packet inspection for containment and policy enforcement
  Match protocol header fields and/or payload context
  Layer 2 to 7: bit/byte matching capability at any offset within the packet

• User-defined filtering policies (traffic classifiers)
  Allows a choice of response actions

• Adaptable to dynamically changing attack profiles
  Rapid deployment of filtering policies (can leverage EEM for near real-time response to threats)

• Ability to deploy protection and prevention mechanisms closer to victim and miscreant

FPM Capability Phasing

| Functionality | ACL | FPM Phase 1, 12.4(4)T | FPM Phase 1+, 12.4(6)T1 | FPM 12.4(15)T | FPM Phase 3 |
|---|---|---|---|---|---|
| No. of ACEs per Interface | Unlimited | 32 classes | 32 classes | Unlimited | Unlimited |
| No. of Match Criteria/ACE | 4 | 8 | 8 | Unlimited | Unlimited |
| Depth of Inspection | 44 Bytes | 256 Bytes | 256 Bytes | Full Pkt | Stream |
| Raw Offset | No | Yes | Yes | Yes | Yes |
| Relative Offset (Fixed Header Length Support) | No | Yes | Yes | Yes | Yes |
| Dynamic Offset (Variable Header Length Support) | No | No | No | Yes | Yes |
| Match on Payload TLV Fields | No | No | No | No | Yes |
| Nested Policies | No | Yes | Yes | Yes | Yes |
| Nested class-maps | No | No | No | Yes | Yes |
| Regex Match | No | Yes | Yes | Yes | Yes |
| String Match | No | No | Yes | Yes | Yes |
| Match String Pattern Window | No | 32 Bytes | 32 Bytes | 256 Bytes | Full Pkt |
| Protocol Support | IPv4, TCP, UDP, ICMP | IPv4, TCP, UDP, ICMP, Ethernet | Phase 1 | Phase 1+ + GRE, IPSec | Phase 2 + DNS, SNMP, HTTP, IPv6 |

FPM Policy for Slammer Packets
!-- Load PHDFs for IP and UDP
load protocol disk0:ip.phdf
load protocol disk0:udp.phdf
!
!-- Match UDP over IP packets
class-map type stack match-all ip_udp_class
 description "match UDP over IP packets"
 match field ip protocol eq 17 next udp
!
!-- Match Slammer packets: UDP port 1434, packet length 404 bytes, and payload pattern
class-map type access-control match-all slammer_class
 description "match on slammer packets"
 match field udp dest-port eq 1434
 match field ip length eq 404
 match start udp payload-start offset 0 size 4 eq 0x04010101
 match start udp payload-start offset 4 size 4 eq 0x01010101
 match start udp payload-start offset 8 size 4 eq 0x01010101
 match start udp payload-start offset 12 size 4 eq 0x01010101
 match start udp payload-start offset 16 size 1 eq 0x01
!
!-- Policy for UDP-based attacks
policy-map type access-control fpm_udp_policy
 description "policy for UDP based attacks"
 class slammer_class
  drop
  log
!
!-- Drop worms and malicious attacks
policy-map type access-control fpm_policy
 description "drop worms and malicious attacks"
 class ip_udp_class
  service-policy fpm_udp_policy
!
!-- Apply and enable FPM policy
interface GigabitEthernet 0/1
 service-policy type access-control input fpm_policy
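The same classification carried out on raw packet bytes, as an added example that is not the deck's or Cisco's code: the stack class (`ip protocol eq 17 next udp`) becomes a small IPv4/UDP parser, and the `match start udp payload-start offset N size S eq V` lines become a table evaluated with match-all semantics, which is the general form of which the slide shows one instance. `build_ipv4_udp` and the three sample datagrams are constructed; the first carries only the 17 signature bytes the class-map tests, zero-padded to the 404-byte total length, so it exercises the classifier without being a worm packet.

```python
import struct

# The slide's slammer_class, expressed as data: UDP dest-port, IP total length, and the
# 'match start udp payload-start offset N size S eq VALUE' criteria, in order.
SLAMMER_DEST_PORT = 1434
SLAMMER_IP_LENGTH = 404
SLAMMER_PAYLOAD_MATCHES = [(0, 4, 0x04010101), (4, 4, 0x01010101), (8, 4, 0x01010101),
                           (12, 4, 0x01010101), (16, 1, 0x01)]


def parse_ipv4_udp(pkt):
    """Stack match 'ip protocol eq 17 next udp': return (ip_fields, udp_fields, payload) or None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    protocol = pkt[9]
    if protocol != 17 or total_len > len(pkt) or ihl + 8 > total_len:
        return None
    sport, dport, _udp_len, _cksum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    payload = pkt[ihl + 8:total_len]
    return ({"length": total_len, "protocol": protocol},
            {"source-port": sport, "dest-port": dport}, payload)


def match_start(payload, offset, size, value):
    """'match start udp payload-start offset <o> size <s> eq <v>' on the raw payload bytes."""
    field = payload[offset:offset + size]
    return len(field) == size and int.from_bytes(field, "big") == value


def slammer_class(pkt):
    """match-all: every criterion must hold for the packet to belong to slammer_class."""
    parsed = parse_ipv4_udp(pkt)
    if parsed is None:
        return False
    ip, udp, payload = parsed
    return (udp["dest-port"] == SLAMMER_DEST_PORT
            and ip["length"] == SLAMMER_IP_LENGTH
            and all(match_start(payload, o, s, v) for o, s, v in SLAMMER_PAYLOAD_MATCHES))


def fpm_policy(pkt):
    """fpm_policy -> fpm_udp_policy: 'drop' + 'log' for slammer_class, otherwise forward."""
    return ("drop", "log") if slammer_class(pkt) else ("forward",)


def build_ipv4_udp(src, dst, sport, dport, payload):
    """Constructed test datagram (checksums left zero; this is for classification only)."""
    total_len = 20 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 17, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    udp_hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return ip_hdr + udp_hdr + payload


# Constructed samples. SIGNATURE_ONLY_PACKET carries just the 17 bytes the class-map tests,
# padded with zeros to the 404-byte total length; it is not a worm packet.
SIGNATURE_BYTES = bytes.fromhex("04010101010101010101010101010101" + "01")
SIGNATURE_ONLY_PACKET = build_ipv4_udp("10.1.1.1", "10.2.2.2", 1434, 1434,
                                       SIGNATURE_BYTES + b"\x00" * (404 - 28 - len(SIGNATURE_BYTES)))
# Same port and same 404-byte length, different payload: must not match (port+length alone is not enough)
BENIGN_SQL_PACKET = build_ipv4_udp("10.1.1.1", "10.2.2.2", 50000, 1434, b"\x02" + b"\x00" * 375)
# Right payload bytes but wrong total length: must not match either
WRONG_LENGTH_PACKET = build_ipv4_udp("10.1.1.1", "10.2.2.2", 1434, 1434, SIGNATURE_BYTES)


if __name__ == "__main__":
    for name, pkt in [("signature", SIGNATURE_ONLY_PACKET), ("benign", BENIGN_SQL_PACKET),
                      ("wrong length", WRONG_LENGTH_PACKET)]:
        print(f"{name:13} -> {fpm_policy(pkt)}")
```

Running it shows why the slide's class combines all three criteria: a normal SQL Server Resolution Service datagram on UDP 1434 is forwarded, and so is a packet with the right leading bytes but a different length.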

FPM Performance vs. Equivalent ACLs
• Compare FPM to ACL processor utilization percent
• Ten FPM classes or equivalent ACL
• Matching on src/dst IP addr, src/dst TCP port, and TCP protocol
• Ten TCP traffic streams, 50% of generated traffic matching
• 7206VXR NPE-400, 128MB, 12.4(4)T

Filter Type 1,000 pps 2,000 pps 3,000 pps 4,000 pps 5,000 pps
No Filter 13% 14% 15% 16% 17%
FPM 1st Match 38% 42% 43% 43% 43%
ACL 1st Match 30% 36% 37% 37% 37%
FPM 5th Match 42% 50% 59% 59% 59%
ACL 5th Match 32% 39% 40% 41% 41%
FPM 10th Match 42% 50% 50% 50% 50%
ACL 10th Match 32% 39% 39% 39% 39%
FPM References
• Cisco IOS Flexible Packet Matching (FPM)
  http://www.cisco.com/go/fpm
  http://www.cisco.com/cgi-bin/tablebuild.pl/fpm
• Flexible Packet Matching Deployment Guide
  http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6723/prod_white_paper0900aecd803936f6_ns696_Networking_Solutions_White_Paper.html
• Flexible Packet Matching Feature Guide
  http://www.cisco.com/en/US/docs/ios/12_4t/12_4t4/ht_fpm.html
• Flexible Packet Matching XML Configuration
  http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_tcdf.html
• Getting Started with Cisco IOS Flexible Packet Matching
  http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6723/prod_white_paper0900aecd80633b0a.html

Monitoring and Identification


© 2006, Cisco Systems, Inc. All rights reserved. 22
Presentation_ID.scr
Monitoring

• Syslog
• NetFlow
• Embedded Event Manager
• CS-MARS


Syslog
Router:
Router# show logging | include 185
Aug 29 2007 15:58:12.181 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55618) (GigabitEthernet0/0 0014.5e6a.5ba6) -> 192.168.150.77(1024), 1 packet
Aug 29 2007 15:58:14.445 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55619) (GigabitEthernet0/0 0014.5e6a.5ba6) -> 192.168.150.77(1024), 1 packet
Aug 29 2007 15:58:16.389 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55620) (GigabitEthernet0/0 0014.5e6a.5ba6) -> 192.168.150.77(1024), 1 packet
Aug 29 2007 15:58:24.429 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55621) -> 192.168.150.77(139), 1 packet
Aug 29 2007 15:58:27.373 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55622) -> 192.168.150.77(139), 1 packet
Aug 29 2007 15:58:29.661 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55623) -> 192.168.150.77(139), 1 packet

Firewall:
Firewall# show logging | grep 5063b82f
Aug 29 2007 11:14:55: %ASA-4-106023: Deny tcp src outside:192.168.208.63/35746 dst inside:192.168.150.77/389 by access-group "OUTSIDE" [0x5063b82f, 0x0]
Aug 29 2007 11:14:55: %ASA-4-106023: Deny tcp src outside:192.168.208.63/35746 dst inside:192.168.150.77/443 by access-group "OUTSIDE" [0x5063b82f, 0x0]
Aug 29 2007 11:14:55: %ASA-4-106023: Deny tcp src outside:192.168.208.63/35746 dst inside:192.168.150.77/256 by access-group "OUTSIDE" [0x5063b82f, 0x0]
Aug 29 2007 11:14:55: %ASA-4-106023: Deny tcp src outside:192.168.208.63/35746 dst inside:192.168.150.77/399 by access-group "OUTSIDE" [0x5063b82f, 0x0]

ACL Logging
ƒ ACL keyword log for Cisco IOS and Cisco ASA, FWSM and PIX
ƒ ACL keyword log-input for Cisco IOS
ƒ ip access-list log-update threshold threshold-in-msgs
ƒ logging rate-limit message-rate for Cisco IOS
ƒ Understanding Access Control List Logging
http://www.cisco.com/web/about/security/intelligence/acl-logging.html
ƒ Identifying Incidents Using Firewall and Cisco IOS Router Syslog Events
http://www.cisco.com/web/about/security/intelligence/identify-incidents-via-syslog.html


NetFlow: Scalability

ƒ Packet capture is like a wiretap
ƒ NetFlow is like a phone bill
ƒ This level of granularity allows NetFlow to scale
for very large amounts of traffic
We can learn a lot from studying the phone bill!
Who’s talking to whom, over what protocols and ports,
for how long, at what speed, for what duration, etc.
NetFlow is a form of telemetry pushed from the
routers/switches – each one can be a sensor

What Constitutes a Flow?

[Diagram: (1) NetFlow Key Fields inspected per packet, (2) flow cache, (3) NetFlow Export Packets sent to Reporting]

1. Inspect a packet’s seven key fields and identify the values
2. If the set of key field values is unique, create a new flow
record or cache entry
3. When the flow terminates, export the flow to the
collection/analysis system

NetFlow Records and Key Fields

ƒ NetFlow maintains per-’conversation’ flow data in
Flow Records in a cache on a NetFlow-enabled device,
and optionally exports that flow data to a collection/
analysis system
ƒ It is a form of network telemetry which describes traffic
conversations headed to/passing through a router
Key Fields
Key field values define a Flow Record
An attribute in the packet used to create a Flow Record
If the set of key field values is unique, a new flow is created
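To make the three steps concrete, here is an added example (not Cisco code and not from the presentation) of a flow cache keyed on the seven key fields: it folds constructed packets into flow records, exports a record on FIN/RST or on timeout, and prints rows in the hex-port layout of show ip cache flow. The timeouts, packet contents and interface names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The seven classic NetFlow key fields: source IP, destination IP, source port,
# destination port, IP protocol, ToS byte and input interface.
FlowKey = Tuple[str, str, int, int, int, int, str]


@dataclass
class FlowRecord:
    key: FlowKey
    out_if: str           # non-key field, carried only for reporting
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0    # OR of every TCP flag byte seen in the flow


class FlowCache:
    """Minimal NetFlow-style cache (constructed illustration). Packets whose key
    fields match are folded into one record; a record is exported when the TCP
    conversation ends (FIN/RST) or when it passes the inactive/active timeouts
    (constructed defaults, not values taken from any Cisco platform)."""

    def __init__(self, active_timeout: float = 1800.0, inactive_timeout: float = 15.0):
        self.active_timeout = active_timeout
        self.inactive_timeout = inactive_timeout
        self.cache: Dict[FlowKey, FlowRecord] = {}
        self.exported: List[FlowRecord] = []

    @staticmethod
    def key_of(pkt: dict) -> FlowKey:
        # Step 1: inspect the packet's seven key fields.
        return (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"],
                pkt["proto"], pkt.get("tos", 0), pkt["in_if"])

    def observe(self, pkt: dict) -> None:
        self.expire(pkt["ts"])             # age out idle flows first
        k = self.key_of(pkt)
        rec = self.cache.get(k)
        if rec is None:
            # Step 2: a unique set of key-field values opens a new cache entry.
            rec = FlowRecord(k, pkt["out_if"], pkt["ts"], pkt["ts"])
            self.cache[k] = rec
        rec.packets += 1
        rec.octets += pkt["len"]
        rec.last_seen = pkt["ts"]
        flags = pkt.get("flags", 0)
        rec.tcp_flags |= flags
        # Step 3: FIN (0x01) or RST (0x04) terminates a TCP flow, so export it.
        if pkt["proto"] == 6 and flags & 0x05:
            self._export(k)

    def expire(self, now: float) -> None:
        for k, rec in list(self.cache.items()):
            idle = now - rec.last_seen >= self.inactive_timeout
            old = now - rec.first_seen >= self.active_timeout
            if idle or old:
                self._export(k)

    def _export(self, k: FlowKey) -> None:
        self.exported.append(self.cache.pop(k))


def cli_row(rec: FlowRecord) -> str:
    """Render a record the way 'show ip cache flow' does: protocol and ports in hex."""
    src, dst, sport, dport, proto, _tos, in_if = rec.key
    return f"{in_if} {src} {rec.out_if} {dst} {proto:02X} {sport:04X} {dport:04X} {rec.packets}"


def run_demo() -> Tuple[List[FlowRecord], int]:
    """Feed constructed packets through the cache (addresses and ports borrowed
    from the slide's CLI output); return exported records and the cached count."""
    a, b = "172.18.109.132", "192.168.150.60"
    c, d = "192.168.132.44", "10.89.245.149"
    tcp = dict(proto=6, in_if="Gi0/0", out_if="Gi0/1")
    pkts = [
        # One short TCP conversation. Each direction has its own key, so two flows.
        dict(ts=0.0, src=a, dst=b, sport=6697, dport=33629, len=60, flags=0x02, **tcp),
        dict(ts=0.1, src=b, dst=a, sport=33629, dport=6697, len=60, flags=0x12,
             proto=6, in_if="Gi0/1", out_if="Gi0/0"),
        dict(ts=0.2, src=a, dst=b, sport=6697, dport=33629, len=52, flags=0x10, **tcp),
        dict(ts=0.3, src=a, dst=b, sport=6697, dport=33629, len=500, flags=0x18, **tcp),
        dict(ts=0.4, src=a, dst=b, sport=6697, dport=33629, len=52, flags=0x11, **tcp),
        # NTP over UDP carries no flags: only the timeouts can close this flow.
        dict(ts=0.5, src=c, dst=d, sport=123, dport=123, proto=17, in_if="Gi0/1", out_if="Gi0/0", len=76),
        dict(ts=20.0, src=c, dst=d, sport=123, dport=123, proto=17, in_if="Gi0/1", out_if="Gi0/0", len=76),
    ]
    fc = FlowCache()
    for p in pkts:
        fc.observe(p)
    for rec in fc.exported:
        print(cli_row(rec))
    return fc.exported, len(fc.cache)


if __name__ == "__main__":
    run_demo()
```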

NetFlow CLI Output
Router#show ip cache flow
IP packet size distribution (126502449 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.009 .622 .036 .007 .008 .008 .004 .012 .000 .000 .004 .001 .002 .002 .007
------------------------- Output Truncated -----------------------
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
TCP-Telnet 11403610 2.6 1 49 3.0 0.0 1.5
TCP-FTP 6769 0.0 8 53 0.0 6.0 7.7
TCP-FTPD 665 0.0 3334 889 0.5 54.0 0.4
TCP-WWW 163728 0.0 13 750 0.5 4.2 9.2
TCP-SMTP 8 0.0 1 46 0.0 0.0 10.2
TCP-X 727 0.0 1 40 0.0 0.0 1.4
TCP-BGP 9 0.0 1 45 0.0 0.0 10.5
TCP-NNTP 8 0.0 1 46 0.0 0.0 10.0
TCP-Frag 70399 0.0 11 688 0.0 0.0 22.7
TCP-other 49098543 11.4 2 263 23.7 0.0 1.4
UDP-DNS 874082 0.2 1 58 0.2 0.0 15.4
UDP-NTP 1127350 0.2 1 76 0.2 0.6 15.5
UDP-TFTP 6 0.0 3 63 0.0 11.0 19.5
UDP-other 996247 0.2 1 164 0.4 0.3 16.7
ICMP 262111 0.0 8 47 0.5 13.4 21.2
IPv6INIP 15 0.0 11 1132 0.0 0.0 15.4
GRE 694 0.0 1 50 0.0 0.0 15.4
IP-other 2 0.0 2 20 0.0 0.1 15.7
Total: 64004973 14.9 1 251 29.4 0.1 2.2

SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Gi0/0 172.18.109.132 Gi0/1* 192.168.150.60 06 1A29 835D 2
Gi0/0 172.18.109.132 Gi0/1 192.168.150.60 06 1A29 835D 2
Gi0/1 192.168.132.44 Gi0/0* 10.89.245.149 11 007B 007B 1

NetFlow Deployment Considerations
ƒ NetFlow should typically be enabled on all router interfaces where possible; it is useful for on-box troubleshooting via the CLI as well as for export to analysis systems
ƒ Ingress and egress NetFlow are now supported. Analysis systems typically must be configured to understand which is in use, for purposes of directionality
ƒ 1:1 NetFlow is useful for troubleshooting, forensics, traffic analysis, and behavioral/relational anomaly detection
ƒ Sampled NetFlow is useful for traffic analysis and behavioral/relational anomaly detection. Sampling is typically used in high-volume traffic situations where 1:1 NetFlow Data Export (NDE) is impractical

Embedded Event Manager (EEM)
ƒ Allows instrumentation of the Cisco IOS device and reactive
capabilities that can be useful in improving security
ƒ Available since Cisco IOS Software versions 12.0(26)S
and 12.3(4)T
ƒ Cisco IOS Documentation
Embedded Event Manager 2.2
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t2/ht_eem.html

ƒ White Paper
Embedded Event Manager in a Security Context
http://www.cisco.com/web/about/security/intelligence/embedded-event-mgr.html

ƒ EEM Scripting Community
http://www.cisco.com/go/ciscobeyond

*Detailed information in BRKSEC-3007 Solving Security Challenges with Embedded Event Manager

EEM Example
ƒ Interface Input Queue Monitor
http://forums.cisco.com/eforum/servlet/EEM?page=eem&fn=script&scriptId=981

ƒ Cisco Applied Mitigation Bulletin: Identifying and Mitigating Exploitation of the IPv4 User Datagram Protocol Delivery Issue for IPv4/IPv6 Dual-Stack Routers
http://www.cisco.com/warp/public/707/cisco-amb-20080326-IPv4IPv6.shtml

ƒ Example Syslog Message: %HA_EM-7-LOG: system:/lib/tcl/eem_scripts_registered/interface-input-q.tcl: Interface GigabitEthernet0/0 input queue full. Input queue: 4001/4000 (size/max)

CS-MARS Contextual Analysis Overview

ƒ Events: Raw messages sent to CS-MARS by reporting devices; examples include syslog, SNMP, NetFlow, and IPS signatures
ƒ Sessions: Correlated events
ƒ Incidents: Sessions matched against rules that are
indicative of malicious behavior
ƒ Rules are used to perform logic on events which
create sessions and possibly incidents


CS-MARS Rules

ƒ Over a specified time range events are correlated to
become incidents

CS-MARS Rules in Action

ƒ Events from same source and destination IP addresses
correlated within a timeframe to become an incident


Intrusion Detection and Prevention Capabilities

Intrusion Detection and Prevention

ƒ Cisco Security Agent
ƒ Cisco IPS
ƒ CSA/IPS Collaboration


Preventing Endpoint Attacks Using CSA
ƒ All attacks must perform certain behaviors to succeed; CSA allows you to defeat these actions using interceptors
ƒ 0day and targeted attacks
May bypass or defeat other protection mechanisms that are deployed

ƒ 0day Protection = Ability to stop malicious code without reconfiguration or update
Protects endpoints from being compromised when other protections have failed

ƒ Limited number of "vectors" into a system; one or more of these behaviors must be used by all attacks
Stop the attack at one of these vectors and you prevent the whole attack (several opportunities exist, not just one)

ƒ Monitoring and controlling these behaviors prevents
malicious activity
Preventing Execution
ƒ Cisco Security Agent (CSA) provides multiple interceptors for the detection and prevention of threats: Network, File System, Configuration, Execution Space
ƒ CSA is best utilized for preventing attacks targeting endpoint compromise
ƒ Do not forget about protection methods using your network


Policy Rules Drive Interceptors

Interceptors: File System, Execution Space, Network, Configuration

Security Application            Interceptors used
Distributed Firewall            1
Host Intrusion Detection        3
Spyware and Malware Prevention  3
Network Worm Prevention         2
File Integrity Assurance        2
Wireless Policy Controls        2
Traffic Marking                 1
IPS and NAC Integration         1

Intrusion Protection for the Network


ƒ Detect malicious payloads, perform behavioral analysis, anomaly
detection, policy adjustments, and rapid threat response
ƒ Inline Protection or Promiscuous mode
ƒ Automatic Threat Prevention with IPS 6.x denies packets whose
Risk Rating Value range is 90 – 100
ƒ Multivector protections at all points in the network, desktop, and
server endpoints
Integration with Cisco CSA and Cisco Wireless Controller


Risk Rating Thresholds Drive Mitigation
  Event Severity          How urgent is the threat?
+ Signature Fidelity      How prone to false positive?
+ Attack Relevancy        Is the attack relevant to the host being attacked?
+ Asset Value of Target   How critical is this destination host?
= Risk Rating             Drives mitigation policy

Result: Calibrated Risk Rating Enables Scalable Management of Sophisticated Threat Prevention Technologies
Threat Rating
Post-Policy Evaluation of Incident Urgency

ƒ Dynamic adjustment of event Risk Rating based on success of response action
ƒ If Response Action was applied, then Risk Rating is lowered (TR < RR)
ƒ If Response Action was not applied, then Risk Rating remains unchanged (TR = RR)

Benefit:
ƒ Prioritizes alerts for Operator attention
ƒ Operator can focus incident response activities on those threats that have not been mitigated

Attack 1: No Action Configured
Risk Rating = 85, Threat Rating = 85

Attack 2: Action Configured, Attack Mitigated
Risk Rating = 85, Threat Rating = 55

Event Action Overrides
ips6x# configure terminal
ips6x(config)# service event-action-rules rules0
ips6x(config-eve)# show settings
-----------------------------------------------
overrides (min: 0, max: 15, current: 3)
-----------------------------------------------
<protected entry>
action-to-add: deny-packet-inline <defaulted>
-----------------------------------------------
override-item-status: Enabled <defaulted>
risk-rating-range: 90-100 <defaulted>
-----------------------------------------------
action-to-add: produce-alert
-----------------------------------------------
override-item-status: Enabled <defaulted>
risk-rating-range: 0-35 default: 0-100
-----------------------------------------------
action-to-add: produce-verbose-alert
-----------------------------------------------
override-item-status: Enabled <defaulted>
risk-rating-range: 35-90 default: 0-100
-----------------------------------------------

Slide callouts: rules0 holds the global overrides for all IPS events; the deny-packet-inline override for risk rating 90-100 is Automatic Threat Prevention (IPS 6.x); produce-alert writes an evIdsAlert to the EventStore; produce-verbose-alert writes an evIdsAlert to the EventStore with the triggerPacket
Reactions in Depth

ƒ Deny actions are performed by the device inspecting the flows
Quick and effective for all protocols

ƒ Shun actions are performed by an auxiliary device
Mitigate closer to the miscreant
The potential DoS vector is preventable by using never-block entries or event action filters
Some time latency

ƒ TCP RST is performed for connection-based traffic streams
Limited protocol coverage, and it adds RST packets to the network


IPS/CSA Collaboration Benefits

ƒ The IPS can automatically get endpoint posture information to use in calculating the threat rating, making detection more accurate
ƒ Undisclosed or encrypted exploits not identified by
the IPS likely are detected by CSA
ƒ CSA-MC can correlate data and create automated
watch lists which can be forwarded to the IPS and
automatically adjust the threat rating for events seen
by addresses that are part of the watch list

Automation CSA/IPS Collaboration
CSA MC Configuration IPS Configuration


Network IPS and Cisco Security
Agent Collaboration
ƒ Enhanced contextual analysis of endpoint
ƒ Ability to use CSA inputs to influence IPS actions
ƒ Correlation of information contained in CSA watch list
ƒ Host quarantining

[Diagram: Management Console; CSA Watch List 192.168.1.111; Service Provider; IPS action: Elevate Risk Rating, Deny 192.168.1.111]

Automation CSA/IPS Collaboration
evIdsAlert: eventId=1166774738236276775 vendor=Cisco severity=low
originator:
hostId: ips6x
appName: sensorApp
appInstanceId: 388
time: May 17, 2007 8:33:28 PM UTC offset=-300 timeZone=CDT
signature: description=TCP SYN Port Sweep id=3002 version=S2
subsigId: 0
marsCategory: Probe/PortSweep/Non-stealth
interfaceGroup: vs0
vlan: 0
participants:
attacker:
addr: 192.168.1.111 locality=OUT
port: 55852
target:
addr: 192.168.2.222 locality=OUT
port: 663
port: 33
port: 231
port: 564
port: 838
os: idSource=imported type=windows relevance=relevant
triggerPacket: <truncated>
riskRatingValue: 77 targetValueRating=medium attackRelevanceRating=relevant watchlist=25
threatRatingValue: 77
interface: ge0_0
protocol: tcp

Slide callout: Threat Rating Increased Due to Watch List (watchlist=25 in riskRatingValue)

Case Study: MS-RPC-DNS (CVE-2007-1748)

Microsoft RPC DNS 0-Day (CVE-2007-1748)
1 Probe
ƒ Query RPC Endpoint Mapper on TCP/135 for vulnerable ports or scan TCP/1024-5000
ƒ Guess user accounts on TCP/139 and 445
2 Penetrate
ƒ Deliver buffer overflow on ports TCP/139, TCP/445, UDP/445, TCP/1024-5000
3 Persist [Exploit Dependent]
ƒ Download and copy malicious code to C:\U.exe
ƒ Create back door access
4 Propagate [Exploit Dependent]
ƒ W32/Nirbot.worm!83E1220A
ƒ Connect to Command and Control on TCP port 8080
5 Paralyze
Exploit Specific


Mitigating the Vulnerability

ƒ ACLs
Mitigation at the L3 boundary where deployed; VLAN maps and Port ACLs for L2 access control if needed
If the application is required, ACLs provide no value against those who are allowed access

ƒ IPS Signatures
Understand the application/vulnerability better when the application is required or ACLs do not suffice
Provide no mitigation unless directed to do so

ƒ Endpoint CSA or Patch
Prevents exploitation

Mitigation: Cisco IOS ACL (Modularized)
ip access-list extended ACCESS-LIST
200 deny ip 127.0.0.0 0.255.255.255 any !-- Deny Loopback netblock (src)
210 deny ip any 127.0.0.0 0.255.255.255 !-- Deny Loopback netblock (dst)
220 deny ip 192.0.2.0 0.0.0.255 any !-- Deny Test-Net netblock (src)
230 deny ip any 192.0.2.0 0.0.0.255 !-- Deny Test-Net netblock (dst)
240 deny ip 169.254.0.0 0.0.255.255 any !-- Deny Link Local netblock (src)
250 deny ip any 169.254.0.0 0.0.255.255 !-- Deny Link Local netblock (dst)
----- MS RPC 0-day ACEs -----
500 deny tcp any 192.168.100.0 0.0.0.255 eq 135 !-- MS RPC Endpoint Mapper
510 deny tcp any 192.168.100.0 0.0.0.255 eq 139 !-- NetBIOS Session Service
520 deny tcp any 192.168.100.0 0.0.0.255 eq 445 !-- Microsoft DS, and Zotob
530 deny udp any 192.168.100.0 0.0.0.255 eq 445 !-- SMB vulns
540 deny udp any 192.168.100.0 0.0.0.255 eq 1025 !-- MS RPC and LSA exploit traffic,
!-- and RinBot scanning for hosts
!-- that are vulnerable
550 deny tcp any 192.168.100.0 0.0.0.255 range 1024 5000 !-- MS RPC DNS 0-day scans
560 deny tcp any any eq 4444 !-- Metasploit Reverse Shell
570 deny udp any any eq 1434 !-- MS SQL, Sapphire/Slammer Worm
580 deny tcp any any range 6660 6669 !-- IRC traffic
590 deny tcp any any eq 7000 !-- IRC traffic


Mitigation: FW ACL (Modularized)
Firewall# show access-list tACL
access-list tACL line 1 deny ip host 127.0.0.0 any
access-list tACL line 2 deny ip 192.0.2.0 255.255.255.0 any
access-list tACL line 3 deny ip any 192.0.2.0 255.255.255.0
--------- Output Truncated -------
access-list tACL line 10 deny icmp any 192.168.100.0 255.255.255.0 echo
--------- Output Truncated -------
access-list tACL line 19 permit tcp any host 192.168.100.10 eq www
access-list tACL line 20 permit tcp any host 192.168.100.10 eq https
--------- Output Truncated -------
access-list tACL line 35 deny ip any any

access-list tACL line 19 deny tcp any 192.168.100.0 255.255.255.0 eq 135
access-list tACL line 19 deny tcp any 192.168.100.0 255.255.255.0 eq netbios-ssn
access-list tACL line 19 deny tcp any 192.168.100.0 255.255.255.0 eq 445
access-list tACL line 19 deny udp any 192.168.100.0 255.255.255.0 eq 445
access-list tACL line 19 deny udp any 192.168.100.0 255.255.255.0 eq 1025
access-list tACL line 19 deny tcp any 192.168.100.0 255.255.255.0 range 1024 5000

Mitigation: IPS Signature 5858
ips6x#show events alert | include id=5858
------------Output Truncated ----------
signature: description=DNS Server RPC Interface Buffer Overflow id=5858 version=S282
subsigId: 0
sigDetails: DNS Server RPC Interface Buffer Overflow
marsCategory: Penetrate/BufferOverflow/RPC
interfaceGroup: vs0
vlan: 0
participants:
attacker:
addr: locality=OUT 192.168.6.66
port: 1063
target:
addr: locality=IN 192.168.1.11
port: 1032
os: idSource=learned type=windows-nt-2k-xp relevance=relevant
actions:
deniedPacket: true
riskRatingValue: 85 targetValueRating=medium attackRelevanceRating=relevant
threatRatingValue: 50
interface: ge0_0
protocol: tcp

Slide callouts: Signature Description and ID (signature line); OS Identification/Relevancy (os line); Risk Rating/Action/Threat Rating (actions, riskRatingValue and threatRatingValue lines)

Mitigation: CSA

Security Application Interceptors
Prevent Code Execution in Many Cases
Must Be in Protect Mode to Prevent

Identification: ACL Counters

Firewall ACL Counters
Firewall# show access-list tACL
-------- Output Truncated ---------
access-list tACL line 19 deny tcp any 192.168.100.0 255.255.255.0 eq 135 (hitcnt=3)
access-list tACL line 20 deny tcp any 192.168.100.0 255.255.255.0 eq netbios-ssn (hitcnt=0)
access-list tACL line 21 deny tcp any 192.168.100.0 255.255.255.0 eq 445 (hitcnt=10)
access-list tACL line 22 deny tcp any 192.168.100.0 255.255.255.0 range 1024 5000 (hitcnt=106)

Router ACL Counters
Router#show access-lists ACCESS-LIST
Extended IP access list ACCESS-LIST
-------- Output Truncated -------------
500 deny tcp any 192.168.100.0 0.0.0.255 eq 135 (4 matches)
510 deny tcp any 192.168.100.0 0.0.0.255 eq 139
520 deny tcp any 192.168.100.0 0.0.0.255 eq 445
530 deny udp any 192.168.100.0 0.0.0.255 eq 445
540 deny tcp any 192.168.100.0 0.0.0.255 range 1024 5000 (96 matches)


Identification: Firewall Syslog Events
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35565 to 192.168.2.1/1025 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35566 to 192.168.2.1/1026 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35567 to 192.168.2.1/1027 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35568 to 192.168.2.1/1028 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35569 to 192.168.2.1/1029 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35570 to 192.168.2.1/1030 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35571 to 192.168.2.1/1031 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35572 to 192.168.2.1/1032 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35573 to 192.168.2.1/1033 flags SYN on interface outside
May 16 2007 15:08:49: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35574 to 192.168.2.1/1033 flags SYN on interface outside
May 16 2007 15:08:49: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35575 to 192.168.2.1/1032 flags SYN on interface outside
May 16 2007 15:08:49: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35576 to 192.168.2.1/1031 flags SYN on interface outside
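An added example (not from the presentation and not Cisco code) that applies the Syslog and ACL Logging slides to the sweep shown above: it normalises IOS %SEC-6-IPACCESSLOGP and ASA 106023/106001 deny messages into one event shape, then flags a source that hits many distinct ports on one host within a short window. The sample lines, the 60-second window and the five-port threshold are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
TS_RE = re.compile(r"^(\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})")
# Cisco IOS ACL deny (keyword log or log-input; the interface/MAC part is optional).
IOS_RE = re.compile(r"%SEC-6-IPACCESSLOGP: list (\S+) denied (\w+) " + IP +
                    r"\((\d+)\)(?: \([^)]*\))? -> " + IP + r"\((\d+)\), (\d+) packets?")
# ASA/PIX/FWSM: packet denied by an access-group.
ASA_106023_RE = re.compile(r"%ASA-\d-106023: Deny (\w+) src \w+:" + IP + r"/(\d+) dst \w+:" +
                           IP + r'/(\d+) by access-group "([^"]+)"')
# ASA/PIX/FWSM: inbound connection denied because no rule permits it.
ASA_106001_RE = re.compile(r"%ASA-\d-106001: Inbound (\w+) connection denied " + IP +
                           r"/(\d+) to " + IP + r"/(\d+)")

# Constructed sample, modelled on the messages shown on the Syslog and
# Identification slides; one message per line, plus one unrelated message.
SAMPLE_LOG = """\
Aug 29 2007 15:58:12.181 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55618) (GigabitEthernet0/0 0014.5e6a.5ba6) -> 192.168.150.77(1024), 1 packet
Aug 29 2007 15:58:14.445 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55619) -> 192.168.150.77(1024), 1 packet
Aug 29 2007 15:58:24.429 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55621) -> 192.168.150.77(139), 1 packet
Aug 29 2007 15:58:30.000 CDT: %SYS-5-CONFIG_I: Configured from console by admin on vty0
Aug 29 2007 11:14:55: %ASA-4-106023: Deny tcp src outside:192.168.208.63/35746 dst inside:192.168.150.77/389 by access-group "OUTSIDE" [0x5063b82f, 0x0]
Aug 29 2007 11:14:55: %ASA-4-106023: Deny tcp src outside:192.168.208.63/35746 dst inside:192.168.150.77/443 by access-group "OUTSIDE" [0x5063b82f, 0x0]
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35565 to 192.168.2.1/1025 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35566 to 192.168.2.1/1026 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35567 to 192.168.2.1/1027 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35568 to 192.168.2.1/1028 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35569 to 192.168.2.1/1029 flags SYN on interface outside
May 16 2007 15:08:49: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35573 to 192.168.2.1/1033 flags SYN on interface outside
"""


def parse_deny(line: str) -> Optional[Dict]:
    """Normalise one router or firewall deny message; None for anything else.
    'rule' is the IOS list number, the ASA access-group name, or the message id."""
    ts_m = TS_RE.match(line)
    if not ts_m:
        return None
    ts = datetime.strptime(ts_m.group(1), "%b %d %Y %H:%M:%S")
    if m := IOS_RE.search(line):
        device = "ios"
        rule, proto, src, sport, dst, dport, count = m.groups()
    elif m := ASA_106023_RE.search(line):
        device, count = "asa", "1"
        proto, src, sport, dst, dport, rule = m.groups()
    elif m := ASA_106001_RE.search(line):
        device, rule, count = "asa", "106001", "1"
        proto, src, sport, dst, dport = m.groups()
    else:
        return None
    return dict(ts=ts, device=device, rule=rule, proto=proto.lower(), src=src,
                sport=int(sport), dst=dst, dport=int(dport), count=int(count))


def parse_log(text: str) -> List[Dict]:
    return [e for e in (parse_deny(l) for l in text.splitlines()) if e]


def find_port_sweeps(events: List[Dict], window: float = 60.0,
                     min_ports: int = 5) -> Dict[Tuple[str, str], List[int]]:
    """Per (src, dst) pair, find the largest set of distinct destination ports
    denied inside any `window`-second span; keep pairs that reach `min_ports`."""
    by_pair: Dict[Tuple[str, str], List[Dict]] = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e)
    sweeps: Dict[Tuple[str, str], List[int]] = {}
    for pair, evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        best: set = set()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window` seconds.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window:
                start += 1
            ports = {e["dport"] for e in evs[start:end + 1]}
            if len(ports) >= min_ports and len(ports) > len(best):
                best = ports
        if best:
            sweeps[pair] = sorted(best)
    return sweeps


if __name__ == "__main__":
    for (src, dst), ports in find_port_sweeps(parse_log(SAMPLE_LOG)).items():
        print(f"{src} swept {len(ports)} ports on {dst}: {ports}")
```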

Identification: IPS

Signature ID | Description                              | Attack Phase
5858/0-4     | DNS Server RPC Interface Buffer Overflow | Detect Vulnerability
3010/0       | TCP High Port Sweep                      | Detect TCP High Port Probe [Probe]
5606/0       | SMB Authorization Failure                | Detect SMB Authentication Attempts [Probe]
5576/0       | SMB Login Successful with Guest          | SMB Authentication [Probe]
5577/0       | SMB Null Login Attempt                   | SMB Authentication [Probe]
12674/0      | Non-HTTP Traffic                         | Command and Control Bot Access [Persist and Propagate]


The Exploits

ƒ W32/Nirbot.worm!83E1220A
Download worm on random HTTP server port
Connect via IRC over port 8080
IRC servers include:
{blocked}.rofflewaffles.us
{blocked}.anti-viral.us
{blocked}.wayne.brady.gonna.have.to.{blocked}.us

ƒ Exploits are sort of like chasing your tail, but there are
several patterns we can catch (this time) or ways in
which these can be mitigated

Exploit Specific

ƒ Restricting outbound policy to a few good ports
(80,443,53,25,21) will prevent IRC over 8080
ƒ Web filtering or using a proxy may prevent download
of worm over HTTP
ƒ ACL for blacklisting IRC C&C servers
ƒ DNS blackholing for C&C servers (DNS resolution to
127.0.0.1)
ƒ Firewall application inspection on port 8080
ƒ Search transit device logs or NetFlow for IRC servers,
C&C servers


Exploit Specific: ASA HTTP Inspection
!
access-list web-ports extended permit tcp any any eq 80
access-list web-ports extended permit tcp any any eq 8080
!
class-map webports
match access-list web-ports
!
policy-map type inspect http http-policy
parameters
protocol-violation action drop-connection
!
policy-map global_policy
class webports
inspect http http-policy
!
service-policy global_policy global
!

References
ƒ Microsoft Security Advisory (935964), Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/935964.mspx
ƒ Cisco Applied Mitigation Bulletin: Identifying and Mitigating Exploitation of the Microsoft Security Advisory (935964) Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution
http://www.cisco.com/warp/public/707/cisco-amb-20070413-ms-rpc-dns.shtml
ƒ Nirbot’s Latest Move: MS DNS Exploits [Arbor]
http://asert.arbornetworks.com/2007/04/nirbots-latest-move-ms-dns-exploits/


References (cont…)
ƒ W32.Rinbot.BC [Symantec]
http://www.symantec.com/security_response/writeup.jsp?docid=2007-041701-3720-99&tabid=2
ƒ New Rinbot Scanning for Port 1025 DNS/RPC [SANS]
http://www.isc.sans.org/diary.html?storyid=2643
ƒ W32/Delbot-AI [Sophos]
http://www.sophos.com/security/analyses/viruses-and-spyware/w32delbotai.html
ƒ W32/Nirbot.worm!83E1220A [McAfee]
http://vil.nai.com/vil/content/v_142025.htm

Case Study 2: MS08-001


Vulnerabilities
ƒ Windows Kernel TCP/IP IGMPv3 and MLDv2 Vulnerability – CVE-2007-0069
Remote Code Execution or Denial of Service utilizing crafted packets over IGMPv3/IPv4 (Windows XP, Windows Vista, Windows Server 2003) or MLDv2/IPv6 (Windows Vista)

ƒ Windows Kernel TCP/IP ICMP Vulnerability – CVE-2007-0066
Denial of Service utilizing fragmented ICMP router advertisement packet

ƒ Microsoft Security Bulletin MS08-001: Critical Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (941644)
http://www.microsoft.com/technet/security/bulletin/MS08-001.mspx

IGMPv3/MLDv2
ƒ RFCs IGMPv3/RFC 3376, IGMPv2/ RFC 2236,
IGMPv1/RFC 1112, MLDv2/RFC 3810, MLDv1/RFC 2710
ƒ Both protocols provide essentially the same multicast
functionality
ƒ Not much information in the initial advisory; however, a miscreant could potentially get in the ballpark by looking at what features have been added between protocol versions
ƒ Routers will not forward multicast unless configured to do so
Will forward LSRR and SSRR packets unless disabled
ƒ A working exploit could potentially own or DoS all hosts that
are part of a multicast group on a local network
ƒ Encapsulation or social engineering could be used to
traverse Layer 3 boundaries

ICMP Type 9 RFC 1256
ƒ A host never sends Type 9 messages (if obeying the RFC)
ƒ Valid destination addresses are 224.0.0.1, 224.0.0.2 and 255.255.255.255
ƒ Therefore this is all link local; Layer 3 controls provide little benefit except in possible corner cases. Preventing hosts from sending ICMP Type 9 messages at Layer 2 will mitigate the vulnerability
ƒ Since the vulnerability requires fragmentation, preventing fragmentation is an effective mitigation
ƒ A miscreant could potentially encapsulate this message in something else, such as loose source route, to make the message appear as if it were from a router and to be able to perform the exploit from non-local networks
Mitigating the Vulnerability
ƒ Cisco IOS
ACLs: fragmentation filtering, protocol filtering, options filtering
Layer 2 preferred
Features such as no ip source-route, ip options drop
ƒ IPS Signatures
6224/0, 6755/0, and 2150/0: Fragmented ICMP traffic (2150/0 is available via ip audit in ASA, FWSM, and PIX)
Provide no mitigation unless directed to do so
ƒ ASA/FWSM/PIX
Default handling of IP options: drop packets with options present
fragment chain command
ƒ Endpoint Patch or Host Firewall


Mitigation: Cisco IOS Features and ACLs
Router(config)#no ip source-route
Router(config)#ip options drop

% Warning: RSVP and other protocols that use IP Options packets
may not function as expected.
----------

Router(config)#ip access-list extended tACL
Router(config-ext-nacl)#deny ip any any fragments
Router(config-ext-nacl)#deny icmp any any router-solicitation
Router(config-ext-nacl)#deny ip any any option lsr
Router(config-ext-nacl)#deny ip any any option ssr

Mitigation: Cisco IOS VACL
!-- Create ACLs that match traffic. Action will be applied
!-- in VLAN map section.
!
ip access-list extended match-igmp-router
permit igmp host 192.168.100.1 any
!
ip access-list extended match-icmp-router
permit icmp host 192.168.100.1 any router-advertisement
!
ip access-list extended match-igmp-subnet
permit igmp 192.168.100.0 0.0.0.255 any
!
ip access-list extended match-icmp-subnet
permit icmp 192.168.100.0 0.0.0.255 any router-advertisement
!
ip access-list extended match-all-subnet
permit ip any any
!


Mitigation: Cisco IOS VACL (cont…)
vlan access-map ms08-001 10
!-- Permit router to send IGMP anywhere
match ip address match-igmp-router
action forward
vlan access-map ms08-001 20
!-- Permit router interface to send ICMP anywhere
match ip address match-icmp-router
action forward
vlan access-map ms08-001 30
!-- Drop IGMP for rest of subnet
match ip address match-igmp-subnet
action drop
vlan access-map ms08-001 40
!-- Drop ICMP Type 9
match ip address match-icmp-subnet
action drop
vlan access-map ms08-001 50
!-- Permit all other traffic
match ip address match-all-subnet
action forward
!
!-- Apply to VLAN 100
vlan filter ms08-001 vlan-list 100

Mitigation: ASA, FWSM, and PIX
!-- The fragment chain command limits how many fragments one IP packet may be
!-- split into when traversing the firewall, globally or on a specific interface.
!-- A chain of 1 effectively denies all fragmented packets.
Firewall(config)#fragment chain 1 [interface_name]

!-- Caveat: denying every fragment also drops legitimate fragmented traffic
!-- (large UDP datagrams, for example); watch syslog for fragment drops after enabling it.

!-- Cisco PIX security appliances, Cisco ASA adaptive security appliances, and
!-- FWSMs will, by default, drop all source-routed packets received on any
!-- interface and create an informational-level (severity 6) syslog message:
106012: Deny IP from 192.168.100.5 to 192.168.60.5, IP options: "Loose Src Routing"
106012: Deny IP from 192.168.100.5 to 192.168.60.5, IP options: "Strict Src Routing"

Additional Mitigation and Monitoring

• Layer 2 anti-spoofing features such as IP Source Guard (IPSG) with DHCP snooping, or port security, so that a host cannot forge the router's address and slip past the VACL exceptions for 192.168.100.1
• Check device configuration for whether multicast (and therefore IGMP) is enabled on segments that do not need it

MS08-001 References
• Microsoft Security Bulletin MS08-001: Critical Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (941644)
  http://www.microsoft.com/technet/security/bulletin/MS08-001.mspx
• MS08-001 (part 2) – The case of the Moderate ICMP mitigations
  http://blogs.technet.com/swi/archive/2008/01/08/ms08-001-part-2-the-case-of-the-moderate-icmp-mitigations.aspx
• MS08-001 (part 3) – The case of the IGMP network critical
  http://blogs.technet.com/swi/archive/2008/01/08/ms08-001-part-3-the-case-of-the-igmp-network-critical.aspx
• MS08-001 – The case of the Moderate, Important, and Critical network vulnerabilities
  http://blogs.technet.com/swi/archive/2008/01/08/ms08-001-the-case-of-the-moderate-important-and-critical-network-vulnerabilities.aspx
• MS08-001 – The case of the missing Windows Server 2003 attack vector
  http://blogs.technet.com/swi/archive/2008/01/10/MS08_2D00_001-_2D00_-The-case-of-the-missing-Windows-Server-2003-attack-vector.aspx

MS08-001 References (cont…)
• Cisco Applied Mitigation Bulletin: Microsoft Security Bulletin for January 2008
  http://tools.cisco.com/security/center/viewAlert.x?alertId=14898
• Cisco IntelliShield Vulnerability Alert ID 14854: Microsoft Windows Kernel IGMP and MLD Code Execution Vulnerability
  http://tools.cisco.com/security/center/viewAlert.x?alertId=14854
• Cisco IntelliShield Vulnerability Alert ID 14853: Microsoft Windows Kernel ICMP Router Discovery Protocol Denial of Service Vulnerability
  http://tools.cisco.com/security/center/viewAlert.x?alertId=14853
• Exploit for MS08-001 Demonstrated
  http://blogs.pcmag.com/securitywatch/2008/01/exploit_for_ms08001_demonstrat.php

Case Study 3: Storm Class Malware, CME711

Storm Malware, CME711
The attack phases from the earlier anatomy (1 Probe, 2 Penetrate, 3 Persist, 4 Propagate, 5 Paralyze) applied to Storm. Phases 1 to 4 are exploit dependent; the behaviour listed for the victim below is specific to this malware.

• Exploit-dependent phases
  Spam and social engineering convince the user to download an executable
  Malicious software is downloaded to the end host
• Storm-specific behaviour on the victim
  Download software
  Join the P2P network
  Open a UDP port above 1024 on the local host
  Spam
  DDoS
  Update

Malware in Action: CME711
Actors in the diagram: the BotHerder, an infected webserver (the webtrap), and the user.
1. BotHerder updates the malcode on the webtrap
2. BotHerder initiates new spam pointing to the webtrap
3. User reads the spam and clicks the link
4. User machine is infected
Mitigating CME711
Three points in the chain above where the infection can be broken:
1. Break the initial exploitation vector (the spam message)
2. Break the infection vector (the download from the infected webserver)
3. Break joining the botnet (the P2P traffic and the fast flux DNS lookups)

Breaking the Bot
• Initial vector through the spam message
  User education and spam filtering
• Host downloads malware from the webserver
  Mitigate vulnerabilities on the host (patch and best practices)
  Use AV or HIPS to prevent exploitation
  Web content filter
  DNS blackholing
• Host opens a UDP port above 1024 and communicates with the P2P network (UDP 1024:65535 → UDP 1024:65535)
  ACLs/FPM
  DNS
  Syslog analysis and NetFlow
Mitigation: ACLs
Router
!-- Router configuration
Router(config)#ip access-list extended tACL
!-- Deny UDP packets with both source and destination ports in the range 1024-65535
Router(config-ext-nacl)#deny udp 192.168.2.0 0.0.0.255 range 1024 65535 any range 1024 65535

Firewall
!-- Firewall configuration (the same 192.168.2.0/24 subnet, written with a netmask)
Firewall(config)# access-list storm-udp extended deny udp 192.168.2.0 255.255.255.0 range 1024 65535 any range 1024 65535

!-- Caveat: this blocks all ephemeral-to-ephemeral UDP from the subnet, including legitimate
!-- applications (VoIP media, some VPN and gaming traffic). Log and review hits before
!-- enforcing, add the permits you need above the implicit deny, and apply the ACL to an interface.

What About FPM?
• The P2P traffic is encrypted with a simple key; the signatures below match the current encoding and work today, but the encoding could change
• Snort signatures from http://doc.emergingthreats.net/2007701
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535
(msg:"ET TROJAN Storm Worm Encrypted Variant 1 Traffic (1)";
dsize:25; content:"|10 a6|"; depth:2; threshold: type both, count 2,
seconds 60, track by_src; classtype:trojan-activity; sid:2007701; rev:3;)
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535
(msg:"ET TROJAN Storm Worm Encrypted Variant 1 Traffic (2)";
dsize:25; content:"|10 a6 d4 c3|"; depth:4; threshold: type both, count 1,
seconds 60, track by_src; classtype:trojan-activity; sid:2007701; rev:1;)
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535
(msg:"ET TROJAN Storm Worm Encrypted Variant 1 Traffic (2)";
dsize:25; content:"|10 a0 d4 c3|"; depth:4; threshold: type both, count 1,
seconds 60, track by_src; classtype:trojan-activity; sid:2007702; rev:1;)

Source: EmergingThreats.net
Mitigation: FPM for Encrypted Storm
!-- Load the protocol header definition files (PHDFs) for IP and UDP
load protocol disk0:ip.phdf
load protocol disk0:udp.phdf
!
!-- Match UDP over IP packets
class-map type stack match-all ip_udp_class
 description "match UDP over IP packets"
 match field ip protocol eq 17 next udp
!
!-- Match Storm (CME711) packets: UDP destination port 1024:65535, UDP length
!-- (header plus payload) of 33 bytes, and a payload starting with 0x10a6
class-map type access-control match-all encrypted_storm
 description "match encrypted storm, cme711 packets"
 match field udp dest-port range 1024 65535
 match field udp length eq 33
 match start udp payload-start offset 0 size 2 eq 0x10a6
!
!-- Policy for UDP-based attacks: drop and log
policy-map type access-control fpm_udp_policy
 class encrypted_storm
  drop
  log
!
!-- Nest the UDP policy under the IP/UDP stack class
policy-map type access-control fpm_policy
 class ip_udp_class
  service-policy fpm_udp_policy
!
!-- Apply and enable the FPM policy inbound on the interface
interface GigabitEthernet 0/1
 service-policy type access-control input fpm_policy
Mitigation: Deny Downloader via HTTP Inspection
!-- Regex matching any request URI that contains ".exe" (case-insensitive)
regex exe_url ".*\.[Ee][Xx][Ee]"
!-- Create the regex class map
class-map type regex match-any bad_urls
 match regex exe_url
!-- HTTP inspection class: the request URI matches the regex class
class-map type inspect http match-any http-urls
 match request uri regex class bad_urls
!-- Layer 3/4 class for HTTP on TCP/80
class-map http-port
 match port tcp eq www
!-- Create the policy map, actions set to drop and log
policy-map type inspect http http-policy
 parameters
  protocol-violation action drop-connection
 class http-urls
  drop-connection log
!-- Apply and enable the "EXE Downloader" policy
policy-map global_policy
 class http-port
  inspect http http-policy
service-policy global_policy global
!-- Caveat: the regex matches ".exe" anywhere in the URI (including query strings), and the
!-- class only covers TCP/80; a downloader served on another port or with a renamed extension
!-- is not caught, so treat this as one layer alongside the host and DNS controls.

Mitigation: Deny Botnet Access via DNS Inspection
!-- Domains from http://www.disog.org/text/storm-fastflux.txt
regex bad_domain1 "tibeam\.com"
regex bad_domain2 "tushove\.com"
regex bad_domain3 "kqfloat\.com"
!
!-- The class map must reference the regex names defined above
class-map type regex match-any bad_domains
 match regex bad_domain1
 match regex bad_domain2
 match regex bad_domain3
!
!-- Match DNS queries (QR flag not set) whose question names a bad domain
class-map type inspect dns bad_domain_query
 match not header-flag QR
 match question
 match domain-name regex class bad_domains
!
policy-map type inspect dns bad_domain_policy
 class bad_domain_query
  drop log
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map egress_policy
 class inspection_default
  inspect dns bad_domain_policy
!
service-policy egress_policy interface inside
!
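To see what the DNS inspection policy above actually evaluates, the following added example (not from the Cisco deck) parses a DNS message in wire format, checks the QR header flag, walks the question section and matches the question name against the same three unanchored regexes. Assumptions: the queries are constructed inline; treating a malformed message as a drop is this example's choice and is not a claim about the appliance's defaults; and the as_response() helper exists only to show that responses are not matched.

```python
import re
import struct

# Patterns from the ASA configuration above, unanchored exactly as on the slide.
BAD_DOMAINS = [re.compile(p) for p in (r"tibeam\.com", r"tushove\.com", r"kqfloat\.com")]
QR_FLAG = 0x8000   # top bit of the DNS flags word: 0 = query, 1 = response


def build_query(qname, txid=0x1234, qtype=1):
    """Construct a standard DNS query (QR=0, RD=1) for qname; qtype 1 = A."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def as_response(packet):
    """Flip the QR bit so the same message reads as a response."""
    b = bytearray(packet)
    b[2] |= 0x80
    return bytes(b)


def parse_dns(packet):
    """Return (is_query, [question names]); raise ValueError on malformed input."""
    if len(packet) < 12:
        raise ValueError("short header")
    _, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", packet[:12])
    off, qnames = 12, []
    for _ in range(qdcount):
        labels = []
        while True:
            if off >= len(packet):
                raise ValueError("truncated question")
            n = packet[off]
            off += 1
            if n == 0:
                break
            if n & 0xC0:   # compression pointer: not expected in a question name
                raise ValueError("compression pointer in question")
            labels.append(packet[off:off + n].decode("ascii", "replace"))
            off += n
        if off + 4 > len(packet):
            raise ValueError("truncated QTYPE/QCLASS")
        off += 4
        qnames.append(".".join(labels).lower())
    return not (flags & QR_FLAG), qnames


def dns_policy(packet, patterns=BAD_DOMAINS):
    """Mirror of the ASA policy: a query whose question names a bad domain is
    dropped and logged; responses and clean queries are forwarded."""
    try:
        is_query, qnames = parse_dns(packet)
    except ValueError as err:
        return "drop", "malformed DNS: %s" % err
    if not is_query:                     # "match not header-flag QR"
        return "forward", None
    for name in qnames:                  # "match question" + "match domain-name regex class"
        for rx in patterns:
            if rx.search(name):
                return "drop", "bad_domain_query: %s matched %s" % (name, rx.pattern)
    return "forward", None
```

Because the slide's regexes are unanchored, a query for mytibeam.com is dropped as well; if that is not wanted, anchor the patterns (for example `(^|\.)tibeam\.com$`) in both the appliance configuration and the check above.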
Identification

• NetFlow or syslog showing communication UDP 1024:65535 → UDP 1024:65535 with many peers
• NetFlow showing changes in behaviour during spamming or DDoS (new SMTP fan-out, sudden packet rate to one destination)
• IPS signatures 5894/0 and 5894/1
• ACL counters on the tACL/FPM entries above
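An added example (not from the Cisco deck) of the NetFlow-based identification just listed: it reads constructed flow records of the shape a NetFlow or `show ip cache flow` export provides (source, destination, protocol, ports, packets, octets), then flags hosts that talk UDP ephemeral-to-ephemeral with many distinct peers (the Storm P2P pattern) and hosts other than the sanctioned relays that open SMTP to several mail servers (the spam phase). The flow lines, thresholds and relay list are all assumptions for the example.

```python
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "src dst proto sport dport pkts octets")

# Constructed flow export (not a real capture), one flow per line:
# src dst proto sport dport packets octets
FLOW_LINES = """\
192.168.2.10 203.0.113.5 17 4455 7871 12 3960
192.168.2.10 198.51.100.7 17 4455 9200 9 2970
192.168.2.10 203.0.113.40 17 4455 20122 3 990
192.168.2.10 192.0.2.77 17 4455 31337 4 1320
192.168.2.10 198.51.100.200 17 4455 60000 6 1980
192.168.2.10 203.0.113.99 17 4455 8080 2 660
192.168.2.10 192.0.2.10 6 3301 25 15 2200
192.168.2.10 192.0.2.11 6 3302 25 14 2100
192.168.2.10 192.0.2.12 6 3303 25 16 2300
192.168.2.10 192.0.2.13 6 3304 25 13 2000
192.168.2.20 192.0.2.10 6 41000 25 40 61000
192.168.2.20 192.0.2.11 6 41001 25 38 59000
192.168.2.20 192.0.2.12 6 41002 25 41 62000
192.168.2.30 10.0.0.53 17 50123 53 1 70
192.168.2.30 203.0.113.8 6 50124 80 20 15000
"""


def parse_flows(text):
    """Parse the whitespace-separated flow lines into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, sport, dport, pkts, octets = line.split()
        flows.append(Flow(src, dst, int(proto), int(sport), int(dport),
                          int(pkts), int(octets)))
    return flows


def find_p2p_hosts(flows, min_peers=5):
    """Hosts sending UDP 1024:65535 -> 1024:65535 to at least min_peers distinct addresses."""
    peers = defaultdict(set)
    for f in flows:
        if f.proto == 17 and f.sport >= 1024 and f.dport >= 1024:
            peers[f.src].add(f.dst)
    return {host: len(p) for host, p in peers.items() if len(p) >= min_peers}


def find_spam_sources(flows, mail_relays, min_targets=3):
    """Hosts other than the sanctioned relays opening TCP/25 to several mail servers."""
    targets = defaultdict(set)
    for f in flows:
        if f.proto == 6 and f.dport == 25 and f.src not in mail_relays:
            targets[f.src].add(f.dst)
    return {host: len(t) for host, t in targets.items() if len(t) >= min_targets}


def triage(text, mail_relays, min_peers=5, min_targets=3):
    """Combine both detections into a per-host list of reasons."""
    flows = parse_flows(text)
    report = defaultdict(list)
    for host, n in find_p2p_hosts(flows, min_peers).items():
        report[host].append("udp-p2p: %d peers on 1024:65535 -> 1024:65535" % n)
    for host, n in find_spam_sources(flows, mail_relays, min_targets).items():
        report[host].append("smtp-fanout: %d mail servers" % n)
    return dict(report)


if __name__ == "__main__":
    for host, reasons in triage(FLOW_LINES, {"192.168.2.20"}).items():
        print(host, "; ".join(reasons))
```

Only 192.168.2.10 is reported: its DNS-using neighbour never reaches the peer threshold and the relay at 192.168.2.20 is excluded by the allow list. Legitimate VoIP, gaming and other P2P applications also produce high-port UDP fan-out, so the peer threshold and relay list need tuning per network before the output is used to trigger the ACLs above.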

Storm Worm References
• Storm Worm DDoS Attack
  http://www.secureworks.com/research/threats/view.html?threat=storm-worm
• Storm (Worm) Peacomm Analysis
  http://www.cyber-ta.org/pubs/StormWorm/report/
• Schneier on Security
  http://www.schneier.com/blog/archives/2007/10/the_storm_worm.html
• April Storm's Day Campaign
  http://asert.arbornetworks.com/2008/03/april-storms-day-campaign/
• Antirootkit.com blog
  http://www.antirootkit.com/blog/category/storm-worm/
• The Evolution of Peacomm to "all-in-one" Trojan
  http://www.symantec.com/enterprise/security_response/weblog/2007/04/the_evolution_of_peacomm_to_al.html
• Known Storm Fast Flux Domains
  http://www.disog.org/text/storm-fastflux.txt
Advanced Topics

Test Yourself
• Metasploit is an exploitation framework that provides a lot of flexibility to test yourself; it is very easy to test client and service exploits. More information is at www.metasploit.com
• Scapy is a powerful packet manipulation program; it requires some Python knowledge but is useful for creating specific types of network traffic. More information is at http://www.secdev.org/projects/scapy/

Scapy example: fragment an ICMP echo request carrying 3600 bytes of payload into 1200-byte fragments, then change the fragment offset field of the second fragment. The field is in 8-byte units, so 145 means byte offset 1160, which overlaps the first fragment (bytes 0 to 1199):
>>> x = fragment(IP(dst="192.168.15.60")/ICMP()/("abc"*1200), fragsize=1200)
>>> x[1].frag = 145
>>> send(x)

tcpdump of the result; note the second fragment now starts at offset 1160 instead of 1200, and the last fragment carries the final 8 bytes:
17:52:13.113797 IP (tos 0x0, ttl 64, id 1, offset 0, flags [+], proto ICMP (1), length 1220) 192.168.2.63 > 192.168.15.60: ICMP echo request, id 0, seq 0, length 1200
17:52:13.119594 IP (tos 0x0, ttl 64, id 1, offset 1160, flags [+], proto ICMP (1), length 1220) 192.168.2.63 > 192.168.15.60: icmp
17:52:13.125617 IP (tos 0x0, ttl 64, id 1, offset 2400, flags [+], proto ICMP (1), length 1220) 192.168.2.63 > 192.168.15.60: icmp
17:52:13.131597 IP (tos 0x0, ttl 64, id 1, offset 3600, flags [none], proto ICMP (1), length 28) 192.168.2.63 > 192.168.15.60: icmp
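The overlapping fragment crafted above is exactly what a firewall's fragment handling or an IPS reassembly engine has to notice, and the `fragment chain 1` command on the ASA slide earlier sidesteps the problem by refusing fragmented packets altogether. The following added example (not from the Cisco deck, and not using scapy) models both: it rebuilds the slide's fragment chain, classifies a chain as complete, overlapping, gapped or incomplete, and applies an ASA-style chain limit. Fragment sizes and IDs follow the tcpdump output; the Fragment model and the policy function are the example's own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    ip_id: int
    offset: int    # byte offset of this fragment's payload (IP header field * 8)
    length: int    # payload bytes carried by this fragment
    more: bool     # MF flag: more fragments follow


def fragment_datagram(ip_id, payload_len, fragsize):
    """Model of scapy's fragment(): split payload_len bytes into fragsize pieces."""
    if fragsize % 8:
        raise ValueError("fragment size must be a multiple of 8")
    frags, off = [], 0
    while off < payload_len:
        n = min(fragsize, payload_len - off)
        frags.append(Fragment(ip_id, off, n, off + n < payload_len))
        off += n
    return frags


def check_chain(frags):
    """Classify the fragments sharing one IP ID: 'complete', 'overlap' (offsets
    collide), 'gap' (bytes missing) or 'incomplete' (no final fragment seen)."""
    if not frags:
        return "incomplete"
    chain = sorted(frags, key=lambda f: f.offset)
    end = 0
    for f in chain:
        if f.offset < end:
            return "overlap"
        if f.offset > end:
            return "gap"
        end = f.offset + f.length
    return "incomplete" if chain[-1].more else "complete"


def fragment_chain_policy(frags, chain_max=1):
    """ASA-style 'fragment chain N': drop a datagram split into more than N fragments,
    so chain_max=1 permits only unfragmented packets."""
    return "drop" if len(frags) > chain_max else "permit"


def scapy_demo():
    """Rebuild the slide: 3600 bytes of 'abc' plus an 8 byte ICMP header is 3608
    bytes, fragmented at 1200; then the second fragment's offset field is set to
    145 (byte offset 1160). Returns the verdict before and after tampering."""
    original = fragment_datagram(1, 3608, 1200)
    tampered = list(original)
    tampered[1] = Fragment(1, 145 * 8, original[1].length, original[1].more)
    return check_chain(original), check_chain(tampered)


if __name__ == "__main__":
    print("original, tampered:", scapy_demo())
    print("fragment chain 1 verdict:", fragment_chain_policy(fragment_datagram(1, 3608, 1200)))
```

The original chain reassembles cleanly (offsets 0, 1200, 2400, 3600 with the last fragment's MF clear) while the tampered one is reported as an overlap; how a host resolves that overlap (first or last fragment wins) is what IDS evasion via fragmentation exploits. The chain limit of 1 drops the whole datagram either way, which is the blunt but effective trade-off the ASA command makes.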

Security = Moving Target
• The Metasploit ShikataGaNai encoder makes creating exploits with polymorphic shellcode very simple; this means that simple string matches such as a 0x90 0x90 0x90 NOP sled are trivial to avoid
• Metasploit meterpreter allows relatively simple DLL injection and command execution that is difficult to detect on the compromised system (it leaves no new processes, files or network connections)
• XT Bot utilized Dynamic Remote Settings Stub (DRSS) to hide its communications; think of a bot that uses steganography for communication
• Fast flux DNS for botnet networks makes a botnet difficult to neutralize
Deceptive Defense
• Darknets and monitoring of unallocated IP space (dark space) make it easier to identify outbreaks and aid in detecting probing that may fall under the normal radar
• Low-interaction honeypots: deployed inside the network, these help quickly identify compromised systems and miscreants; real-world studies have shown that covering about 1 in 1000 addresses of the IP space is effective
• Honeytokens: a purposefully placed piece of information that should only ever be accessed by illegal activity

Source: Virtual Honeypots, pg. 308
Deceptive Defense Benefits

• Low false positive rate
  Traffic reaching a decoy already exhibits several characteristics of a real attack, such as targeting unallocated IP space or non-production hosts
• Aid in 0-day detection
• Easily identifies internal outbreaks
• Scalable: Nepenthes scales well, and Honeyd can create large virtual networks

Utilizing Low Interaction Honeypots to Increase Network Security?

• IPS can be configured to perform an event action override when a predetermined risk rating threshold has been met; these actions can be "block address" or "deny attacker inline", applied for a specified time frame
• The IPS target value rating (TVR) can be used to increase the risk rating of events that target a specific host or subset of hosts
• A low-interaction honeypot such as Nepenthes (http://nepenthes.mwcollect.org/) can be deployed in conjunction with an artificially inflated TVR for its address, so that an attack on the honeypot triggers event actions such as deny attacker inline and the threat is removed before it reaches real systems
Deceptive Defense in Action

Topology from the slide diagram: Internet hosts, including an attacker at 10.10.10.100, reach the inside network through an inline IPS sensor; a low-interaction honeypot sits inside at 192.168.100.10.

Deceptive Defense Mitigating the Attack
• Signature 3338/1 Windows LSASS RPC Overflow
  Base risk rating 75 (Severity = High, so ASR = 100; Signature Fidelity Rating = 75; default TVR = Medium = 100)
  Risk Rating = (ASR × TVR × SFR) / 10000 + ARR − PD + WLR
• Calculated for a target value rating set to High (TVR = 150)
  (100 × 150 × 75) / 10000 + ARR − PD + WLR = 112.5, capped at the maximum risk rating of 100
• Event action override for risk rating 90–100: Deny Attacker Inline / Request Block Host

Result (slide diagram): the attacker at 10.10.10.100 is blocked by the IPS sensor after attacking the low-interaction honeypot at 192.168.100.10, before it can reach the real hosts behind the sensor.
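The calculation above, as an added example (not from the Cisco deck) that carries the risk rating formula through for the honeypot and for an ordinary host and maps the result onto the event action override band. The severity and target value tables hold the rating values the formula uses (ASR 100 for a High severity signature, TVR 100 for Medium and 150 for High, as in the slide's numbers); the honeypot address table, the hosts in the sample events and the ARR/PD/WLR values of zero are assumptions of the example.

```python
# Attack Severity Rating per signature severity and Target Value Rating per
# target value, as used by the Cisco IPS risk rating formula on the slide.
SEVERITY_ASR = {"informational": 25, "low": 50, "medium": 75, "high": 100}
TARGET_VALUE_TVR = {"zero": 50, "low": 75, "medium": 100, "high": 150,
                    "mission-critical": 200}
MAX_RISK_RATING = 100


def risk_rating(severity, target_value, sfr, arr=0, pd=0, wlr=0):
    """RR = (ASR * TVR * SFR) / 10000 + ARR - PD + WLR, clamped to 0..100.
    sfr is the Signature Fidelity Rating; arr, pd, wlr are the Attack Relevancy
    Rating, Promiscuous Delta and Watch List Rating terms from the formula."""
    asr = SEVERITY_ASR[severity]
    tvr = TARGET_VALUE_TVR[target_value]
    rr = asr * tvr * sfr / 10000 + arr - pd + wlr
    return max(0, min(MAX_RISK_RATING, int(rr)))


def event_action_override(rr, low=90, high=100):
    """Actions added by an override configured for the 90-100 risk rating band."""
    if low <= rr <= high:
        return ("deny-attacker-inline", "request-block-host")
    return ()


# Hypothetical target value assignment: the honeypot gets an inflated TVR;
# every other host keeps the default of Medium.
HONEYPOTS = {"192.168.100.10": "high"}


def evaluate_event(target_ip, severity, sfr):
    """Return (risk_rating, override actions) for an event against target_ip."""
    target_value = HONEYPOTS.get(target_ip, "medium")
    rr = risk_rating(severity, target_value, sfr)
    return rr, event_action_override(rr)


def evaluate_all(events):
    """events: iterable of (attacker_ip, target_ip, severity, sfr).
    Returns the set of attacker addresses that end up blocked."""
    blocked = set()
    for attacker, target, severity, sfr in events:
        rr, actions = evaluate_event(target, severity, sfr)
        if actions:
            blocked.add(attacker)
    return blocked


# Constructed events: the same LSASS signature (High, SFR 75) fired against the
# honeypot and against a production host.
SAMPLE_EVENTS = [
    ("10.10.10.100", "192.168.100.10", "high", 75),   # honeypot: RR 100, override fires
    ("10.10.10.200", "192.168.100.20", "high", 75),   # real host: RR 75, alert only
]

if __name__ == "__main__":
    for attacker, target, severity, sfr in SAMPLE_EVENTS:
        print(attacker, "->", target, evaluate_event(target, severity, sfr))
    print("blocked:", sorted(evaluate_all(SAMPLE_EVENTS)))
```

The honeypot attack computes to 112.5 and is capped at 100, landing inside the 90 to 100 override band, so the attacker is denied inline; the identical signature against a Medium-valued host stays at 75 and only alerts. Note the asymmetry this creates: the honeypot's inflated TVR is what turns a passive alert into an active block, so the honeypot address itself must never be reachable from anything you would not want blocked.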

Deceptive Defense Caveats

• Make sure the honeypot host cannot be used to launch attacks (block outgoing access from the host)
• Use common sense; the Honeynet Project, http://www.honeynet.org/, has several research papers and presentations available

Black Hole Filtering – Destination Based

• Forwards the packet to the bit bucket, aka "Null0"
• Only works on destination addresses
• Destination-based RTBH takes the destination offline
  You complete the DoS yourself; the miscreant wins
  Good reactive mechanism for isolating compromised endpoints
• Traditionally used to "black hole" undesirable traffic
• Foundation for other remote triggered responses

Black Hole Filtering – Source Based

• Dropping on destination is very important, but dropping on source is often what we really want
• Requires Unicast RPF (loose mode on the edge routers: a source whose route points to Null0 fails the check and is dropped)
• Reacting on the source address provides some interesting options
  Stop the attack without taking the destination offline
  Filter command and control servers
  Filter (contain) infected end stations
• Must be rapid and scalable
  Leverage pervasive BGP again: the trigger router advertises the source prefix with a next hop that resolves to Null0 on every edge router

Black Hole Filtering – Source Based
• Advantages of using source-based filtering
  No ACL update
  No change to device configuration
  Drops happen in the forwarding path
  Can be changed frequently when attack profiles are dynamic
• Weaknesses of using source-based filtering
  Source detection and enumeration
  Attack termination detection (reporting)
  Drops all packets from the triggered sources on every participating interface, regardless of actual intent
  Remember spoofing: don't let the miscreant spoof a legitimate source and trick you into black holing it
  Whitelist important sites that should never be blocked
Sinkhole Routers/Networks
• Sinkholes are a topological security feature; think network honeypot
• A router or workstation built to suck in traffic and assist in analyzing attacks (the original use)
• Redirect attacks away from the victim and work the attack on a router built to withstand it
• Used to monitor attack noise, scans, data from misconfiguration and other activity (via the advertisement of default or unallocated IP space)
• Traffic is typically diverted via BGP route advertisements and policies
• Leverage instrumentation in a controlled environment: pull the traffic past analyzers and analysis tools
Adaptive Control Technology
Next Generation Rapid Threat Containment and Response
• Threat Mitigation Service (TMS) is a framework for rapid network-wide distribution of and response to threats
  Near real-time threat response
• Threat Information Distribution Protocol (TIDP) transports messages containing abstract information about threats and suggested remedial actions
  Threat Information Message (TIM)
• Devices are provisioned with policies for enforcement of traffic and response actions
  Access control list
  Traffic redirection

Threat Information Distribution Protocol

• A TIM is distributed from the TIDP Mitigation Service (TMS) controller to TIDP consumers
  The Threat Information Message identifies the threat
  The TIM is created in a threat definition file using XML
• Messages are authenticated, encrypted, and have replay protection
• Receiving devices are configured with unique policies
  Each device uses its local policy to convert TIMs into dynamic policy enforcement

Threat Containment Using ACT

• TIDP is a protocol that allows for the quick distribution of information about network-based threats
• All TIDP-enabled nodes use the payload content according to their own configuration and translate it to enforce appropriate actions

Diagram from the slide: a TIM (Threat Information Message) is generated on the TIDP controller via CLI or SDM and distributed by TIDP to the end point devices; each device applies a rules engine local to itself (the intelligence resides in the end point devices) and reports to an NMS/syslog server for logging.
Automated Signature Extraction (ASE/DASE)
• Dynamically extracts signatures for potential malware without the need for human intervention
• Utilizes a Sensor → Collector architecture
• Linux-based collector and TIDP (TMS) for message exchange
• Available in 12.4(15)T
• Automatic Signature Extraction
  http://www.cisco.com/en/US/docs/ios/12_4t/12_4t15/htautosg.html

Complementary Sessions

• BRKSEC-2001: Emerging Threats
• BRKSEC-2006: Inside the Perimeter: Six Steps to Improving Your Security Monitoring
• BRKSEC-2002: Understanding and Preventing Layer 2 Attacks
• BRKSEC-2020: Firewall Design and Deployment
• BRKSEC-2030: Deploying Network-Based Intrusion Prevention Systems

Q and A

Recommended Reading

• Continue your Cisco Live learning experience with further reading from Cisco Press®
• Check the Recommended Reading flyer for suggested books

Available Onsite at the Cisco Company Store
Complete Your Online Session Evaluation
• Give us your feedback and you could win fabulous prizes; winners announced daily
• Receive 20 Passport points for each session evaluation you complete
• Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center

Don't forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008. Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.
