
01 - IPS - Introduction


Introduction to IPS and TippingPoint

A 10,000 foot view


Objectives

> Be able to describe Intrusion Prevention (IPS)
> Compare and contrast IPS technology to Firewall and IDS technology
> Understand the TippingPoint solution, architecture and features
> Understand the Digital Vaccine process
> Describe the basic architecture and deployment of the IPS

2
Definition of Information Security

“the protection of information systems against unauthorized access
to or modifications of information, whether in storage, processing
or transit, and against denial of service to authorized users or the
provision of service to authorized users, including those measures
necessary to detect, document, and counter such threats.”

definition from the U.S. National Information Systems Security Glossary

3
Yesterday - déjà vu!

Oct. 1972, the “Anderson Report” described “buffer overflows” as a
proven penetration method and ways to avoid them.
— This report also recommended
> better software design practices,
> better programming languages,
> the creation of a “security kernel”, and
> the implementation of Edsger Dijkstra’s structured programming
techniques.

http://seclab.cs.ucdavis.edu/projects/history/seminal.html

4
Have we learned? Increasing Vulnerabilities

[Chart: CERT Vulnerabilities per year, 1994–2004; labelled data points 417, 1,090, 2,437 and 4,129]

• Total vulnerabilities > 17,946
• Severe vulnerabilities in widely deployed products increasing

# vulnerabilities x # systems = insurmountable task


5
Increasing Number of Attacks

[Chart: CERT Incidents per year, 1985–2005; y-axis 0 to 160,000]

• Total incidents almost 320,000
• Doubling each year
• 137,529 in 2003 (an average of 2645 per week)

CERT Note: An incident may involve one site or hundreds (or even thousands) of
sites. Also some incidents may involve ongoing activity for long periods of time

6
Evolution of LAN Security – The Firewall

[Diagram: network tiers WAN Edge (Avg. BW = FT1 – DS3/OC3), LAN Edge (Avg. BW = 10Mbps),
LAN Core (Avg. BW = 100Mbps), LAN Distribution (Avg. BW = 10Mbps), LAN Access (Avg. BW = 10Mbps).
Internet, Private WAN and Extranet connections; hubs and an L2 switch in front of the users;
a DMZ hosting Web, FTP, SMTP and DNS; 1,000’s of network elements.]

- Single Security Broadcast Domain
- Segmentation of Public DMZ
7
What about Firewalls?

> A firewall blocks traffic to ports (UDP or TCP) that are not offering
public services.
— They offer little or no protection against attacks involving known
allowed services such as SMB, HTTP, SMTP, IM, P2P, Spyware, Phishing
— Don’t protect against internal threats: VPN, Wireless, Traveling Users,
consultants, guests
> Many different firewall offerings with different features –
— Generally speaking all firewalls will inspect and take action on a packet
traveling from one network interface to another.
— Vendor specific firewall features –
> Layer3/4 stateful connection tracking and filtering
> Network address translation
> Virtual private network termination, IPSEC, etc.
> SSL

8
Evolution of LAN Security – IDS

[Diagram: network tiers WAN Edge (Avg. BW = N x 1.54Mbps / N x 45.3 Mbps), LAN Edge (Avg. BW = 100Mbps),
LAN Core (Avg. BW = 1Gbps), LAN Distribution (Avg. BW = 100Mbps), LAN Access (Avg. BW = 100Mbps).
Internet, Private WAN and Extranet connections; IDS sensors raising “ALERT!” at several points;
L2 switches and an L3 switch in front of the users; a DMZ hosting Web, FTP, SMTP and DNS;
1,000’s of network elements.]

- Single Security Broadcast Domain with Public DMZ segment
- IDS for InfoSec Forensics & Audit
9
What about Intrusion Detection Systems (IDS)?

> By design, an IDS detects malicious traffic
> Listens to traffic promiscuously
> Monitors packets on a network and alerts on “possible
suspicious activity.”
— Capable of detecting many types of network attacks.
> Lots of false positives by design
> Since it’s not having to block traffic by definition, the signatures can be
“looser”, thus generating false positives.
> This generates more alert traffic and therefore, more work for administrator
> Must chase each IDS alert and perform cleanup after each compromise.
— See “The boy who cried wolf”
— Does nothing to “counter” attacks.

TippingPoint Customer Quote:
“IDS tells you what gun, and caliber bullet you were shot with. But it does
nothing to stop the bullet.”
10
A Need for Better Security

> New security demands exceed IT capacity
— Increasing rate of new vulnerabilities
— Decreasing time to patch them; comprehensive patching is near impossible
— Walk-in worms, e-mail attacks
— Rogue applications “stealing” IT resources
— Making undesirable security decisions (Ex: delaying SP2 rollout)
> Traditional tools can’t help:
— Perimeter firewalls are porous (e.g. allow port 80) and can’t handle the core
— IDS Technology has become overwhelmed
— Not all end-points under IT control

[Chart: Security Demands rising faster than IT Security Capacity over Time / Business Growth;
the widening difference is labelled the Security Risk Gap]

The need for a new approach to network security has become evident!
The new approach is Intrusion Prevention
11
IPS’ Primary Goal – Block Malicious Traffic

[Diagram: the IPS sits between the attackers and the protected assets]

External Attackers
• Industrial Spies
• Gov’t Spies
• Terrorists
• Cyber Thieves
• Pranksters

Internal Attackers
• Disgruntled Employees
• Dishonest Employees

Protected assets: Web Services DMZ (DNS, FTP, HTTP, SNMP, SMB, Telnet),
Applications (IBM DB2, MS SQL), Operating Systems, Infrastructure, Wireless

The IPS blocks malicious traffic based on filter settings.
Good traffic passes through (valid user & application traffic).
Some traffic is rate-limited – P2P for example.

12
What about intrusion prevention?

> Patch at the Network Level by taking the IDS “idea” and adding the
ability to block a detected attack
> Requirements:
— Function inline with switch like speed, reliability, and performance –
Low Latency, Highly available
— Be both a network device and a security device
— NO False Positives
— Real time filter updates with zero downtime
— Flexible architecture that can provide multiple types of filtering and
evolve with the changing attack spectrum
— Automatic Protection – As little tuning as possible

Note: You cannot just add blocking ability to an IDS. Fundamental
architecture changes need to be made. This is a completely new
“animal.”
13
2003 – TippingPoint ships Intrusion Prevention System (IPS)

> The TippingPoint IPS system is built upon TippingPoint's Threat Suppression Engine (TSE)
— a specialized hardware intrusion engine using:
> state-of-the-art network processor technology (ASIC)
> TippingPoint custom code (FPGA)

> The TSE is a line-speed, hardware engine that performs:
— IP de-fragmentation
— TCP flow reassembly
— Statistical analysis
— Traffic shaping
— Flow blocking
— Flow state tracking
— Application-layer parsing of over 170 network protocols
> The IPS leverages the breakthrough scalability and performance of the TSE to detect:
— vulnerability attacks/exploits
— reconnaissance
— protocol anomalies
— statistical traffic anomalies
— distributed denial of service attacks
— Additionally:
> block or rate-limit traffic from unauthorized applications such as peer-to-peer file sharing
> Apply security policy filters

14
TippingPoint Architecture

[Diagram: TippingPoint architecture.
Software layer: Filters, Event Generation, Database, Alerts, Exception handling, Trigger Verification,
Sweeps / Floods / Scans detection, Threat Verification, Statistics, Management Rules, Rules Match,
Block / Benign decision.
Hardware layer: Session State and Connection Table, Packet Header Processing, Content Matching,
Trigger Result, Flow Control, Reassembly. Drop and “Drop Packet & Flow” outcomes branch off the pipeline.]

Processing stages:
1. Connection Validation
2. Hdr Pre-processing / Pkt Validation
3. Stream Reassembly
4. Stream Content Inspection
5. Trigger Result
6. Threat Verification
7. Traffic Management
15
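As an added illustration (not TippingPoint code and not the TSE’s real filters), the toy inline pipeline below mirrors the seven processing stages of the architecture slide on constructed TCP segments: a loose trigger pattern runs over the reassembled stream, and a verification step confirms the hit in protocol context before the flow is blocked, which is the difference between an IDS-style alert on a “looser” signature and an IPS block with no false positives. The `Segment`, `Flow`, `process` names and the “long-uri” trigger are assumptions made for this example.

```python
from dataclasses import dataclass, field
import re

@dataclass
class Segment:
    """One TCP segment (constructed sample input; flow key is a 4-tuple)."""
    flow: tuple
    seq: int
    payload: bytes

@dataclass
class Flow:
    segments: dict = field(default_factory=dict)  # seq -> payload, for reassembly
    blocked: bool = False

# Stage 5 trigger: a cheap, deliberately loose pattern (constructed, not a real
# Digital Vaccine filter). On its own it would fire like an IDS signature.
TRIGGERS = {"long-uri": re.compile(rb"GET /\S{200,}")}

# Stage 6 verifier: confirm the trigger in protocol context before blocking,
# so a look-alike byte pattern in non-HTTP traffic is treated as benign.
def verify_long_uri(stream: bytes) -> bool:
    first_line = stream.split(b"\r\n", 1)[0]
    return (first_line.startswith(b"GET ") and len(first_line) > 200
            and b" HTTP/" in first_line)

VERIFIERS = {"long-uri": verify_long_uri}

def process(flows: dict, seg: Segment) -> str:
    """Run one segment through the pipeline; return 'pass', 'drop' or 'block'."""
    fl = flows.setdefault(seg.flow, Flow())           # 1. connection validation
    if fl.blocked:                                      #    (flow state: already blocked)
        return "drop"
    if seg.seq < 0:                                     # 2. header / packet validation
        return "drop"
    fl.segments[seg.seq] = seg.payload                  # 3. stream reassembly
    stream = b"".join(p for _, p in sorted(fl.segments.items()))
    for name, pattern in TRIGGERS.items():              # 4. content inspection
        if pattern.search(stream):                      # 5. trigger result
            if VERIFIERS[name](stream):                 # 6. threat verification
                fl.blocked = True                       # 7. traffic management:
                return "block"                          #    drop packet & flow
    return "pass"                                       # benign: forward at line speed
```

The trigger only fires once the second segment completes the request line, and a non-HTTP flow carrying the same byte pattern is verified as benign and passed.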
TippingPoint Product Line

Throughput    Interfaces
50 Mbps       1x10/100/1000 Copper
100 Mbps      1x10/100/1000 Copper
200 Mbps      2x10/100/1000 Copper
400 Mbps      4x10/100/1000 Copper/Fiber
1.2 Gbps      4x10/100/1000 Copper/Fiber
2.0 Gbps      4x10/100/1000 Copper/Fiber
5.0 Gbps      4x10/100/1000 Copper/Fiber
Plus: Security Management System

Key Points
> 50 and 100E are software-only devices (no Network Processors or FPGAs)
> 100E and 5000E – series platforms provide Advanced DDoS
> # of Segments vary from box to box – 1 on 50/100E, 2 on 200, and 4 on 400+
> Throughput is the total TSE throughput, so take into account traffic flowing both directions

16
Digital Vaccine - Automatic Protection

> Digital Vaccine
— Our term for new filter updates.
> “An inoculation for your network.”
— Weekly updates (sometimes more often when circumstances arise.)
— Out of Box Protection via “Recommended Setting” for all filters
> For Example: Dangerous attacks are set to block by default
— New updates automatically downloaded from the TippingPoint Threat
Management Center
— No network down time – Filter updates happen in real-time

17
Filter Updates with TippingPoint’s Digital Vaccine Service

[Diagram: Digital Vaccine process]

Raw Intelligence Feeds
• SANS
• CERT
• Vendor Advisories
• Bugtraq
• VulnWatch
• PacketStorm
• Securiteam
• ZeroDay Initiative ( www.zerodayinitiative.com )*

-> Digital Vaccine Vulnerability Analysis
-> Vaccine Creation -> Automatically Delivered to Customers
-> @RISK Weekly Report

Scalable distribution network using Akamai’s 9,700 servers in 56 countries

18
SANS @RISK Report

> “The @RISK e-mail newsletter provides analysis and remediation
information about newly discovered critical vulnerabilities that require
immediate action.”
> “Part I, Critical Vulnerabilities is compiled by the security team at
TippingPoint as a by-product of that company's continuous effort to ensure
that its intrusion prevention products effectively block exploits using known
vulnerabilities.”
> “TippingPoint's analysis is complemented by input from a council of security
managers from twelve large organizations who confidentially share with
SANS the specific actions they have taken to protect their systems.”
> GET THIS NEWSLETTER!!!
— The SANS @RISK newsletter is available for free at:
http://www.sans.org/newsletters/risk/

19
Summary

> Intrusion Prevention
— Based on the notion of blocking
— Finely tuned signatures, no false positives
— Complementary to Firewall
— Replacement for IDS
> TippingPoint IPS
— Inline, layer-2 device, Flexible Deployment
— Wide range of devices
> Low end (50 Meg, SW-based, single segment)
> High end (5 Gig, HW based, 4 segments)
> Digital Vaccine service
> Automatic
> Recommended settings
> Weekly updates
20
