SourceFire-下一代防火墙
- 格式:pdf
- 大小:1.54 MB
- 文档页数:30
SourceFire NGIPS on the Cyber RangeAgenda•The New Security Model •Sourcefire Under the Hood •Introduction to eStreamer •Sourcefire within Cyber Range •DemoThe New Security ModelBEFOREDiscoverEnforceHardenAFTERScopeContainRemediateAttack ContinuumNetwork Endpoint Mobile Virtual CloudDetectBlockDefendDURINGPoint in Time ContinuousCovering The Entire Attack ContinuumVisibility and ContextFirewall NGFWNAC + Identity ServicesVPN UTMNGIPS Web Security Email SecurityAdvanced Malware Protection Network Behavior AnalysisBEFOREDiscover Enforce HardenAFTERScope Contain RemediateAttack ContinuumDetect Block DefendDURINGStrategic ImperativesNetwork-Integrated,Broad Sensor Base,Context and AutomationContinuous Advanced ThreatProtection, Cloud-BasedSecurity IntelligenceAgile and Open Platforms,Built for Scale, ConsistentControl, Management Network Endpoint Mobile Virtual Cloud Visibility-Driven Threat-Focused Platform-BasedSourcefire Under The HoodLife Of A PacketSoftware Inspection & ControlHardware AccelerationInterfaceNetworking Pre-Filtering Access ControlDrop / Inspect / Fwd DecisionIPS AnalysisSourcefire CloudDetection CapabilitiesFireSIGHTAppIDFiles L2/L3 Discovery Events – Hosts, Users, OS, Services, Vulnerabilities Server, Client and Web Apps File Types, File Transfers Connection Logs, Flows SnortIDS/IPS Events – Snort Rule IDsSnort Rule UpdatesVulnerability Updates, OS Definitions Application Definitions, App DetectorsMalware Cloud Lookups (AMP),Sandbox, Trajectories Security Intelligence IP Reputation, URLCategory UpdatesPolicy Constructs•NGIPS– content inspection •FireSIGHT– context awareness •Security Intelligence - blacklistcontrol•Comprehensive access control –By network zone, VLAN, IP, port,protocol, application, user, URL, Geo •Seamlessly integrated–With IPS policies–File control policies–Malware policiesIPS PolicyFile policyMalware policy ControlledtrafficSwitching, RoutingVPN, High AvailabilityURL awarenessSecurity IntelligenceIP Geo-locationFirewall PolicyEvent Types•Connection Events – Source, Destination, Port, User, URL, App, Proto, User •Discovery Events – OS, Client App, Service, Server, Usernames •Intrusion Events – Snort Rule ID, Impact, Source, Destination, Packet Level •File Events – Filename, File Type, Direction, Client App, Protocol •Correlation Events – White List / Black List compliance•Security Intelligence Events – IP Reputation•Malware Events – Malware Cloud Lookups, FireAMP Endpoint events •Network File Trajectories – Tracking of Files as they traverse the networkContext through FireSIGHT •FireSIGHT discovers Host,Application and User information inreal-time, continuously, passively •Derives a worst-case VulnerabilityMap of the monitored Network •Correlates all Intrusion Events toan Impact of the attack against the target•Drastically reduces FalsePositives, eliminates FalseNegativesCorrelating Weak Signals Into Indicators Of CompromiseYour NetworkDNS to malware sitedetected by Security IntelligenceCNC Traffic detected by Snort RuleMalware File Download detected by MalwareCloud LookupMalware Propagation detected by Snort RuleInbound Attack Site detected by Sec. Intel.CorrelateWeak Signals into Indicators of CompromiseIntroduction To eStreamerWhat Is eStreamer? •eStreamer is a documented API for streaming data fromSourcefire systems to third-party SIM / SIEM systems •Sends rich information to the SIM / SIEM in the target’s native format instead of having to parse Syslog.•Established via TCP SSL / port 8302•Allows for Data Requests and Server ResponsesSSL- enabled connection SSL HandshakeSession EstablishmentData Requests Data message streamingInactivity HandlingSession TerminationData eStreamer Provides•eStreamer Provides:–Intrusion Data–Intrusion Metadata–Packet Data–Flow / Connection Events –Network Discovery Events –Impact Alarm Events–Host and User Information –Compliance Policy Events –Malware Events–File Inspection Event–Rule Documentation •10 message types:–Null message: Keep alive, flow control.–Error message: For closed connections. –Event stream message: data request from client to server.–Event data message: data from server toclient.–Host data request message: profile hostdata request from client to server.–Single Host data message–Multiple Host data message–Streaming request–Streaming Information–Message BundleNew Splunk Integration•Powerful eStreamer Client and Dashboard developed by Sourcefire Labs •Sourcefire’s 5.2.x SDK / Splunk 6.x support•Client supports broad range of event types•Correlation and White List Events•Impact Flag Alerts•Intrusion Events•Intrusion Event Extra Data•Malware Events•File Events•Connection Logs•Intrusion Event Packet Data•Download a single package on /downloads •Splunk Enterprise 3.0 TA Available on Splunk AppsSourcefire Within Cyber RangeSensor PlacementSplunk AnalyticsInside HostInside HostInside HostCyber Threat DefenseWeb Security Appliance Email Security ApplianceIdentity ServicesEngineFCFlow CollectorSMC StealthWatch Management NetFlow AVC TrustSecSourecefire IPS ASA IPSASA FirewallPrime InfrastructureSIOWireless SecurityActive Policies•Access Control Policy–Passively deployed IDS with full inspection–Monitor Security Intelligence•Intrusion Policy–Drop when inline OFF–Multiple policy layers for per-year CVE detection control–Malware detection layer–Adaptive Profiles•Files Policy–Detect all detectable file types in both directions–Conduct Malware Cloud Lookup on Executable Files Types and PDFs •Discovery Policy–Detect Hosts, Operating Systems, Appliances and Users within the $HOME_NETWhat Information Sourcefire gives to Splunkrec_type=400 rec_type_simple="IPS EVENT" event_sec=1391989666event_usec=729045 sensor=10.67.34.71 event_id=47198 msg="MALWARE-OTHER SQL Slammer worm propagation attempt inbound" sid=28555 gid=1 rev=1 class_desc="A Network Trojan was Detected" class=trojan-activity priority=high src_ip=175.45.176.86 dest_ip=36.37.38.104src_port=10507 dest_port=1434 ip_proto=UDP impact_flag=67 impact=1 blocked=No mpls_label=0 vlan_id=0 ids_policy="Cisco CR IPS Policy" user=Unknown web_app=Unknown client_app="MS SQL client" app_proto="MS SQL" fw_rule="Default Allow" fw_policy="Default Access Control"iface_ingress=eth1 iface_egress=N/A sec_zone_ingress="Physical LAN" sec_zone_egress=N/A connection_second=1391989666connection_instance_id=1 connection_counter=30151src_ip_country="korea - north" dest_ip_country=australiaEvent Typerec_type=400 rec_type_simple="IPS EVENT" event_sec=1391989666event_usec=729045 sensor=10.67.34.71 event_id=47198 msg="MALWARE-OTHER SQL Slammer worm propagation attempt inbound" sid=28555gid=1 rev=1 class_desc="A Network Trojan was Detected" class=trojan-activity priority=high src_ip=175.45.176.86 dest_ip=36.37.38.104src_port=10507 dest_port=1434 ip_proto=UDP impact_flag=67 impact=1 blocked=No mpls_label=0 vlan_id=0 ids_policy="Cisco CR IPS Policy" user=Unknown web_app=Unknown client_app="MS SQL client" app_proto="MS SQL" fw_rule="Default Allow" fw_policy="Default Access Control"iface_ingress=eth1 iface_egress=N/A sec_zone_ingress="Physical LAN" sec_zone_egress=N/A connection_second=1391989666connection_instance_id=1 connection_counter=30151src_ip_country="korea - north" dest_ip_country=australiarec_type=400 rec_type_simple="IPS EVENT" event_sec=1391989666event_usec=729045 sensor=10.67.34.71 event_id=47198 msg="MALWARE-OTHER SQL Slammer worm propagation attempt inbound" sid=28555 gid=1 rev=1 class_desc="A Network Trojan was Detected" class=trojan-activity priority=high src_ip=175.45.176.86 dest_ip=36.37.38.104src_port=10507 dest_port=1434 ip_proto=UDP impact_flag=67 impact=1 blocked=No mpls_label=0 vlan_id=0 ids_policy="Cisco CR IPS Policy" user=Unknown web_app=Unknown client_app="MS SQL client" app_proto="MS SQL" fw_rule="Default Allow" fw_policy="Default Access Control"iface_ingress=eth1 iface_egress=N/A sec_zone_ingress="Physical LAN"sec_zone_egress=N/A connection_second=1391989666 connection_instance_id=1 connection_counter=30151src_ip_country="korea - north" dest_ip_country=australia Connection Detailsrec_type=400 rec_type_simple="IPS EVENT" event_sec=1391989666event_usec=729045 sensor=10.67.34.71 event_id=47198 msg="MALWARE-OTHER SQL Slammer worm propagation attempt inbound" sid=28555 gid=1 rev=1 class_desc="A Network Trojan was Detected" class=trojan-activity priority=high src_ip=175.45.176.86 dest_ip=36.37.38.104src_port=10507 dest_port=1434 ip_proto=UDP impact_flag=67 impact=1 blocked=No mpls_label=0 vlan_id=0 ids_policy="Cisco CR IPS Policy" user=Unknown web_app=Unknown client_app="MS SQL client" app_proto="MS SQL" fw_rule="Default Allow" fw_policy="Default Access Control"iface_ingress=eth1 iface_egress=N/A sec_zone_ingress="Physical LAN" sec_zone_egress=N/A connection_second=1391989666connection_instance_id=1 connection_counter=30151src_ip_country="korea - north" dest_ip_country=australiaGeolocationrec_type=400 rec_type_simple="IPS EVENT" event_sec=1391989666event_usec=729045 sensor=10.67.34.71 event_id=47198 msg="MALWARE-OTHER SQL Slammer worm propagation attempt inbound" sid=28555 gid=1 rev=1 class_desc="A Network Trojan was Detected" class=trojan-activity priority=high src_ip=175.45.176.86 dest_ip=36.37.38.104 src_port=10507 dest_port=1434 ip_proto=UDP impact_flag=67 impact=1 blocked=No mpls_label=0 vlan_id=0 ids_policy="Cisco CR IPS Policy"user=Unknown web_app=Unknown client_app="MS SQL client" app_proto="MS SQL" fw_rule="Default Allow" fw_policy="Default Access Control"iface_ingress=eth1 iface_egress=N/A sec_zone_ingress="Physical LAN" sec_zone_egress=N/A connection_second=1391989666connection_instance_id=1 connection_counter=30151src_ip_country="korea - north" dest_ip_country=australiaWas it Blocked?rec_type=400 rec_type_simple="IPS EVENT" event_sec=1391989666event_usec=729045 sensor=10.67.34.71 event_id=47198 msg="MALWARE-OTHER SQL Slammer worm propagation attempt inbound" sid=28555 gid=1 rev=1 class_desc="A Network Trojan was Detected" class=trojan-activity priority=high src_ip=175.45.176.86 dest_ip=36.37.38.104src_port=10507 dest_port=1434 ip_proto=UDP impact_flag=67 impact=1 blocked=No mpls_label=0 vlan_id=0 ids_policy="Cisco CR IPS Policy" user=Unknown web_app=Unknown client_app="MS SQL client" app_proto="MS SQL" fw_rule="Default Allow" fw_policy="Default Access Control"iface_ingress=eth1 iface_egress=N/A sec_zone_ingress="Physical LAN" sec_zone_egress=N/A connection_second=1391989666connection_instance_id=1 connection_counter=30151src_ip_country="korea - north" dest_ip_country=australiaImpact to Destinationrec_type=400 rec_type_simple="IPS EVENT " event_sec=1391989666 event_usec=729045 sensor=10.67.34.71 event_id=47198 msg="MALWARE-OTHER SQL Slammer worm propagation attempt inbound " sid=28555 gid=1 rev=1 class_desc="A Network Trojan was Detected" class=trojan-activity priority=high src_ip=175.45.176.86 dest_ip=36.37.38.104 src_port=10507 dest_port=1434 ip_proto=UDP impact_flag=67 impact=1 blocked=No mpls_label=0 vlan_id=0 ids_policy="Cisco CR IPS Policy" user=Unknown web_app=Unknown client_app="MS SQL client" app_proto="MS SQL" fw_rule="Default Allow" fw_policy="Default Access Control" iface_ingress=eth1 iface_egress=N/A sec_zone_ingress="Physical LAN" sec_zone_egress=N/A connection_second=1391989666 connection_instance_id=1 connection_counter=30151 src_ip_country="korea - north" dest_ip_country=australiaEvent TypeConnection Details Geolocation Impact to Destination Was it Blocked? Impact 1 Intrusion that wasn't blocked, from North Korea on 172.45.176.86 targeting a vulnerable host on 36.37.38.104 which is in my physical LAN using the Inbound SQL Slammer propagation attack.rec_type=502 rec_type_simple="FILELOG MALWARE EVENT " event_sec=1391989651 sensor=10.67.34.71 connection_instance=2 connection_counter=33679 connection_time=1391989643 src_ip=202.61.97.206 dest_ip=103.0.2.8 disposition=Malware action="Malware Cloud Lookup" detection=W32.BA20FB84FA-100.SBX.VIOC sha256=ba20fb84fa436fa6582cb33f83ce436b317b5cee5c871917fc73e4a2dde6dd 5e file_type=MSEXE file_name=oiDaT.EXE file_size=15874 direction=Upload app_proto=SMTP user=Unknown uri="" signature="" src_port=28046 dest_port=25 ip_proto=TCP policy=e46a348e-518f-11e3-b2c0-ea89ee83f3b6 src_ip_country=mongolia dest_ip_country=australia web_app=Unknown client_app="SMTP client"Event TypeConnection Details Geolocation Malware Detection File Details ClientApplicationDemoQ&A。