HUAWEI NIP IPS&IDS Technical White Paper. Issue V1.0. Huawei Technologies Co., Ltd.

Contents

Internet Security Trend
Traditional Security Products
  Disadvantages of Firewalls
  Disadvantages of Traditional IPS Products
  Evaluating and Selecting IPS Products
Network Intelligent Protection
  Advanced Threat Prevention at the Application Layer
    Virtual Patch
    Client Protection
    Protection for Infected Systems
    Protocol Anomaly Detection
    Protocol Sensing
  DDoS Attack Prevention
  Advanced Application Identification and Control
    Flexible Application Traffic Control
    Improved Network Visualization
  Simple Installation and Usage
    Plug-and-Play
    Flexible Update Modes
  Multi-Layer High Availability
Core Technology of the NIP
  Advanced Processing Architecture
  Vulnerability-based Signatures
  Web 2.0-oriented Protection
  DPI Technology
  Advanced Protection Technologies Against DDoS Attacks
    Dynamic Traffic Baseline
    Source IP Address Verification Based on Layer-Four Protocols
    Source IP Address Verification Based on Layer-Seven Protocols
    Defense Against Abnormal Sessions
    Behavior Analysis Technology
  Worldwide Response Centers
Flexible Deployment
  Comprehensive Protection to Internet Access of Enterprises
  Combined Deployment of the IPS and IDS
  Asymmetrical Traffic Deployment
Conclusion

Huawei Confidential, page 2 of 35

1 Internet Security Trend

With the rapid development of the Internet, the security threats faced by enterprises and individual users have become increasingly serious. As complex software systems are installed on more and more servers, a large number of vulnerabilities are emerging, and ordinary users can pick up enough computer knowledge to find software flaws quickly. Enterprises on the Internet lack effective measures to protect their networks against these threats. As a result, hacker attacks, worms, Trojan horses, backdoors, and spyware, and especially blended threats that combine several of these, are widespread.
Enterprises suffer great economic loss when their confidential data is stolen, tampered with, or corrupted. With the rapid growth of network applications such as social networks, online video, and microblogs, Internet users are also exposed to a huge number of potential attacks through client vulnerabilities. Driven by profit, attackers steal users' private information such as credit card numbers and account credentials. Enterprises, servers, and ordinary users alike face massive security threats. In 2009, Symantec Corporation detected and recorded a total of 4814 vulnerabilities. In 2010, the number reached

In these two years, the number of vendors with affected products grew from 734 to 1914, an increase of 161%, and the number of serious vulnerabilities rose from 11 to 76, an even higher rate of increase. 191 vulnerabilities were found in Google Chrome. The data shows that threats are growing and that network security has become a top priority. Figure 1-1 shows the top five vulnerabilities in 2008 and 2009.

[Figure 1-1 Top five vulnerabilities in 2008 and 2009]

Among the top five vulnerabilities, the first is in Windows and the others are in client software, especially browsers and plug-ins. In the past, most intrusion prevention systems (IPS) protected only servers. Nowadays even amateur hackers can easily launch attacks using Web-based attack tools. In 2010, Web-based attacks increased by 93% compared with that in

In terms of the open systems interconnection (OSI) model, network threats exist at layer 7 (the application layer), and emerging threats have moved into what this paper calls layer 8, the content layer.
Advanced network security products must therefore protect layers 2 to 7 and also detect potential threats at the content layer.

2 Traditional Security Products

2.1 Disadvantages of Firewalls

Firewalls play an indispensable role in network security but cannot defend against new threats. A firewall mainly controls access: it permits traffic that complies with the security policy. An advanced firewall may also check protocol conformance. Many emerging attacks travel inside permitted application-layer or content-layer traffic and leave the network itself running normally, so the firewall sees nothing to block. Firewalls are designed for fast access control, and even advanced stateful firewalls cannot keep up with ever-changing threats. To defend against these threats, enterprises need firewalls together with responsive IPS products.

2.2 Disadvantages of Traditional IPS Products

A traditional IPS is an enhanced security product deployed at the intranet egress or in front of major servers to provide proactive, real-time defense. It detects traffic anomalies at layers 2 to 7 and blocks malicious traffic, especially at the application layer. A traditional IPS processes traffic as follows:

1. Capture packets on the network.
2. Reassemble fragmented datagrams at the IP layer.
3. Reassemble at the transport layer, including TCP stream reassembly.
4. Match the reassembled data against the signature database.
5. If a signature matches, take the action configured for that signature.

Traditional IPSs prevented network threats efficiently in the past, but they cannot satisfy today's requirements. The causes are as follows:

False positives
Traditional IPS products evolved from intrusion detection systems (IDS) and inherited most of their signature databases from IDS devices.
False positives are common because the placement and function of an IPS differ from those of an IDS: an IDS only raises alerts, whereas an IPS blocks traffic inline, so a signature that was merely noisy on an IDS now interrupts service. To keep services running, users enable only the default signatures, which prevent only a few threats, when deploying an IPS on a live network, or they disable the signatures that generate false positives after deployment.

With the development of IT, users and network administrators expect an intelligent plug-and-play IPS that lets them enable all defense functions without affecting the applications running on the live network.

Evasion techniques
Traditional IPSs, including advanced ones, mainly recognize the following evasion techniques:

1. IP packet fragmentation and TCP traffic segmentation
2. RPC packet fragmentation
3. URL obfuscation
4. Evasion based on File Transfer Protocol (FTP) commands

These anti-evasion techniques cannot stop the serious threats now spreading widely. New threats target new HTTP applications; they include the Top 10 Web application risks published by the Open Web Application Security Project (OWASP) in 2010 and the ten most serious Web-based attacks. Attackers evade traditional anti-evasion techniques simply by using new attack methods. New anti-evasion techniques, built on traditional IPS technology but working at the content layer, are needed to counteract advanced URL obfuscation, HTTP Base64 coding, random HTML placeholders, JavaScript obfuscation, HTTP chunked transfer encoding, HTTP content compression, and HTTP header obfuscation.

Abuse of intranet traffic
With the wide use of P2P technologies and Web applications, traffic abuse has become another threat to the intranet. It reduces staff productivity and can even interrupt an enterprise's major business.
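To make the processing steps and the evasion list above concrete, the following added example (written for this page; it is not Huawei's engine or any product's code) implements steps 3 to 5 of the pipeline on a constructed HTTP request: the TCP segments arrive out of order, the URL is double-percent-encoded, and the body is gzip-compressed and chunk-encoded. Plain signature strings only match after reassembly and normalization. The signature names, the request, and the initial sequence number 1000 are assumptions made for the example.

```python
"""Reassembly and content-layer normalization ahead of signature matching.
Added example for the five-step IPS pipeline and the evasion techniques
listed above; not Huawei code. Stdlib only, all traffic constructed."""
import gzip
from urllib.parse import unquote


def reassemble_tcp(segments, isn):
    """Step 3: segments are (seq, payload). Sort by sequence number and join
    the contiguous prefix; a hole stops reassembly until the retransmission
    arrives. Overlaps keep the bytes already accepted, one of several host
    policies a real engine must mirror, because the victim host's policy
    decides which bytes the application actually sees."""
    stream, expected = bytearray(), isn
    for seq, payload in sorted(segments):
        if seq > expected:
            break
        tail = payload[expected - seq:]
        stream += tail
        expected += len(tail)
    return bytes(stream)


def decode_url(target):
    """Percent-decode until stable (defeats %252e double encoding), then fold backslashes."""
    cur, prev = target, None
    for _ in range(4):                     # bounded so hostile input cannot loop
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")


def canonical_path(decoded):
    """Resolve '.' and '..' segments as the target file server would."""
    parts = []
    for seg in decoded.split("?", 1)[0].split("/"):
        if seg == "..":
            if parts:
                parts.pop()
        elif seg not in ("", "."):
            parts.append(seg)
    return "/" + "/".join(parts)


def dechunk(body):
    """Undo Transfer-Encoding: chunked (chunk extensions after ';' are ignored)."""
    out, pos = bytearray(), 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)
        pos = end + 2
        if size == 0:
            return bytes(out)
        out += body[pos:pos + size]
        pos += size + 2                    # skip the chunk's trailing CRLF


# (name, view, pattern): plain patterns suffice only because of the normalization above.
SIGNATURES = [("traversal", "decoded_url", "../"),
              ("etc-passwd", "canonical_path", "/etc/passwd"),
              ("xss-script-tag", "body", b"<script>")]


def normalize_http(stream):
    """Parse one request from a reassembled stream into the views step 4 inspects."""
    head, _, body = stream.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    target = lines[0].split(" ")[1]
    headers = {k.strip().lower(): v.strip().lower()
               for k, _, v in (l.partition(":") for l in lines[1:])}
    if "chunked" in headers.get("transfer-encoding", ""):
        body = dechunk(body)
    if headers.get("content-encoding") == "gzip":
        body = gzip.decompress(body)
    decoded = decode_url(target)
    return {"decoded_url": decoded, "canonical_path": canonical_path(decoded), "body": body}


def match(views):
    """Steps 4 and 5: names of the signatures that hit; the caller blocks on any hit."""
    return [name for name, view, pat in SIGNATURES if pat in views[view]]


def naive_match(segments):
    """What a per-packet matcher with no normalization sees on the same bytes."""
    pats = [(n, p if isinstance(p, bytes) else p.encode()) for n, _, p in SIGNATURES]
    return [n for n, p in pats if any(p in payload for _, payload in segments)]


def sample_segments():
    """Constructed attack: double-encoded traversal plus a gzip body sent
    chunked, delivered as two out-of-order TCP segments (isn 1000)."""
    body = gzip.compress(b"q=<script>document.cookie</script>&pad=" + b"x" * 64, mtime=0)
    chunked = (b"%x\r\n%s\r\n%x\r\n%s\r\n0\r\n\r\n"
               % (len(body[:10]), body[:10], len(body[10:]), body[10:]))
    req = (b"POST /cgi-bin/%252e%252e/%252e%252e/%65tc/passwd HTTP/1.1\r\n"
           b"Host: example.invalid\r\nTransfer-Encoding: chunked\r\n"
           b"Content-Encoding: gzip\r\n\r\n" + chunked)
    return 1000, [(1040, req[40:]), (1000, req[:40])]
```

On the sample traffic, naive_match() over the raw segments returns nothing, while match() over the normalized views reports all three signatures. The overlap policy in reassemble_tcp() is the point to be careful about in a real engine: the correct choice is whatever the protected host does, since an attacker can send overlapping segments whose content differs depending on which copy wins.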
IPS products therefore need to visualize network traffic and control the traffic usage of each user to prevent such abuse.

Threats to Web 2.0 and clients
Traditional IPS products detect only threats such as worms, spyware, and server software vulnerabilities. Some IPS products pass all traffic to clients unchecked, although most of today's threats, such as drive-by downloads, social engineering attacks, and theft of customer data, are carried in exactly that traffic. NSS Labs and ICSA Labs have started to evaluate client-side protection. Traditional IPS products cannot protect Web 2.0 applications and clients from these emerging threats.

Web application protection
Emerging Web 2.0 applications such as virtualization, social communities, and social networks are popular among users, so protecting Web applications has become a top priority. Imagine the loss users would suffer if popular services such as microblog networks or Facebook were compromised. In April 2011, Sony's PlayStation Network (PSN) was attacked and the private information of millions of users, including a large number of credit card numbers, was stolen. Afterwards, Sony-owned websites including its movie and music websites suffered structured query language (SQL) injection attacks. Sony's total loss was put at 100 million U.S. dollars.

Today, patches are installed on operating systems and server software in a timely manner, which effectively prevents traditional vulnerability attacks. New attack techniques such as SQL injection and cross-site scripting (XSS) target Web applications instead and rank at the top of the OWASP list of Web application risks. Traditional IPS products provide no, or only weak, Web application protection.

2.3 Evaluating and Selecting IPS Products

Applications that require protection
Before purchasing an IPS, determine the scenarios and applications that require protection.
For example, decide whether servers need protection, or whether staff need protection from Internet attacks. After determining the scenario, determine the specific applications to protect, for example the mail server and the Web server, or the distributed denial of service (DDoS) attacks to be avoided. Also check the current traffic of the network to be protected and its likely growth over the service life of the IPS.

Having determined the applications to protect, evaluate an IPS product on the following points:

Engine capability
The engine must be application-aware and content-aware, not just a modified Snort. There should be no need to manually specify TCP ports for HTTP traffic, because an intelligent engine identifies applications and their content itself. The engine must support vulnerability-based signatures. The engine must perform well, but do not use packet throughput to measure IPS performance: packet throughput does not reflect the capacity to handle the rich traffic content of a live network. An HTTP-based performance indicator expresses real product performance far better than packet throughput.

Signature database quality
Evaluate the quality of a signature database on the following points:

False-positive rate: although the false-positive rate of a signature database cannot be tested directly, you can inspect the product's default configuration to check whether enough signatures are enabled and work in blocking mode. If only a few signatures are enabled by default, either the vendor is not confident in its signature database or enabling more would noticeably hurt performance.

Update frequency: check the update records on the vendor's website. The signature database of an IPS should be updated at least once a week, because new vulnerabilities and patches appear every week.
Deployment simplicity
Users are concerned about deployment time and maintenance cost, so a qualified IPS is plug-and-play and easy to deploy. Users expect to use the IPS immediately after deployment, without tuning, commissioning, or complicated management software.

High availability (HA)
Apart from redundant power supplies and bypass interfaces at the physical layer, users usually pay little attention to overall manufacturing quality and the vendor's quality system. Generally, IPS vendors do not develop their own hardware; they buy it from third parties whose quality systems they do not control, so the quality of the IPS hardware is not guaranteed. Vendors that develop their own hardware and are familiar with carrier-class reliability design are therefore recommended: they will not sacrifice hardware reliability because of cost or lack of design capability.

3 Network Intelligent Protection

The Network Intelligent Protection (NIP) is a new IPS product that has the basic functions of a traditional IPS plus the capability to cope with new threats.

3.1 Advanced Threat Prevention at the Application Layer

3.1.1 Virtual Patch

The NIP prevents a wide range of threats and provides advanced prevention capability against the latest Internet threats, covering a wider range than a common IPS. The NIP provides a virtual patch by blocking attacks aimed at system vulnerabilities before they reach the unpatched system.

Prevention of basic system vulnerabilities
A vulnerability is a flaw or weakness in software that, once discovered and exploited by a hacker, may lead to intrusion.
A vulnerability can result in the following: execution of applications sent by the hacker, automatic downloading of files from the Internet, execution of local applications, and damage to applications. Basic system vulnerabilities are vulnerabilities in basic operating system services or mainstream server software. They greatly threaten server security, especially those that can be exploited remotely. As technology has developed, security patches are applied to operating systems and server software in a timely manner, alleviating the problems they cause; nevertheless, handling threats from basic system vulnerabilities remains the basic function of an IPS. The NIP uses vulnerability-based signatures to protect the vulnerabilities that are attacked most often. Basic system vulnerabilities are typically found in Microsoft operating systems and software, such as LSASS and the MS-RPC DCOM interface, and are exploited for propagation by worms and malware such as W32.Downadup (Conficker).

3.1.2 Client Protection

Drive-by download prevention
A drive-by download is subtle: while the network appears to operate normally, the computer downloads executable content from the Internet without the user noticing. Drive-by downloads are among the most severe intrusions on live networks, and mainstream websites are their targets. The NIP uses virtual patch technology to protect browsers and plug-ins from drive-by downloads. Because drive-by downloads combine carefully designed attacks with advanced obfuscation, the NIP also applies advanced anti-evasion technologies to detect them.

Spoofing application prevention
Hackers exploit vulnerabilities to intrude into operating systems and application software, and also use methods such as social engineering to trick users into performing unintended actions.
Social engineering attacks include misleading applications and rogue security software. Huawei's NIP supports network signature rules for detecting and preventing misleading applications. Common misleading applications include:

False codec: audio and video files in different formats need the corresponding player and version. To play a file in a certain format, users must download or upgrade the player software that decodes and plays the binary file. Malware developers often use video and audio files on pornographic websites or video tutorials as a disguise: the page shows a video introduction and a Play button, and when the user clicks Play, a message says that a codec must be downloaded and installed. When the user clicks Download, malware is installed instead.

False security scanning website: many fake security scanning websites exist on the Internet. When a user visits one, an alarm window claims that the user's host has been compromised or has security problems, and asks the user to download and install software to remove them. Huawei's NIP has detected numerous false security scanning websites.

Spyware and adware detection
The NIP can detect spyware and adware to alleviate security threats to enterprises. Enterprises prefer IPS products that detect spyware and adware even though these may not spread between intranet hosts. Spyware and adware alarms can be ignored where the enterprise's security policy permits.

3.1.3 Protection for Infected Systems

Polymorphic viruses are generated rapidly, challenging traditional antivirus software. The NIP provides auxiliary virus detection.
When a virus program on an infected host attempts to update itself or download other malware from the Internet to gain further control of the host, the NIP uses related signatures to detect that communication and report the infected host. Once the NIP has reported it, the host can be scanned with up-to-date antivirus software to remove the virus.

3.1.4 Protocol Anomaly Detection

Protocol anomaly detection is a basic intrusion detection method. Application weaknesses and inadequate handling of protocol anomalies are targets of attack: hackers send non-standard communication data, or data that overflows a buffer, to a server in order to control or destroy it. The NIP detects anomalies in various protocols and identifies intrusions aimed at both servers and clients. It analyzes each protocol in depth to detect behavior that violates the RFC, overlong fields, inappropriate protocol interaction sequences, and abnormal protocol parameters. Protocol anomaly detection covers more than 30 common protocols, such as HTTP, SMTP, FTP, POP3, IMAP4, MSRPC, NETBIOS, SMB, MS_SQL, TELNET, IRC, and DNS.

3.1.5 Protocol Sensing

Unlike other IPS products, the NIP treats content-layer files such as XML and PDF files as protocols. By treating abnormal file structures as protocol anomalies, it can detect buffer overflow attacks and script attacks hidden in files. The NIP's core engine embeds a protocol and file identification mechanism, so it identifies files and scans them for threats at the same time.
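The following added example (written for this page; it is not Huawei's engine) shows the two ideas of this section working together: the protocol is identified from the content of the first client payload rather than from the destination port, and the identified protocol is then checked against its RFC rules. The SMTP checker flags unknown verbs, overlong command lines, malformed paths, and commands out of sequence, which is what "vulnerability-based" means in practice: the length and sequence conditions a vulnerable server mishandles are matched, not one particular exploit string. The 512-octet limit, the command set, the well-known port table, and the sample session are assumptions made for the example, and only the SMTP checks are implemented.

```python
"""Port-independent protocol identification feeding protocol anomaly checks.
Added example for this section, not Huawei's engine. Stdlib only; every
payload is constructed for the example rather than captured from a network."""
import re
import struct

_HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def dns_query(name):
    """Constructed DNS A query for name (id 0x1234, RD set), used as sample input."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    return struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + qname + b"\0\1\0\1"


def _is_dns_query(p):
    """Sane header, exactly one question, and a valid label chain."""
    if len(p) < 17:
        return False
    _, flags, qd, _, _, _ = struct.unpack("!6H", p[:12])
    if qd != 1 or ((flags >> 11) & 0xF) not in (0, 1, 2):
        return False
    pos = 12
    while pos < len(p):
        n = p[pos]
        if n == 0:
            return pos + 5 <= len(p)         # QTYPE and QCLASS follow the name
        if n > 63:                           # no compression pointers in a query name
            return False
        pos += 1 + n
    return False


def identify_protocol(p):
    """Classify the first client payload of a flow by its content, never by port."""
    first_line = p.split(b"\r\n", 1)[0]
    if p.startswith(_HTTP_METHODS) and first_line.endswith((b"HTTP/1.0", b"HTTP/1.1")):
        return "HTTP"
    if first_line.endswith(b" SIP/2.0"):
        return "SIP"
    if p.startswith((b"EHLO ", b"HELO ")):
        return "SMTP"
    if p.startswith(b"SSH-"):
        return "SSH"
    if len(p) >= 6 and p[0] == 0x16 and p[1] == 3 and p[2] <= 4 and p[5] == 1:
        return "TLS"                         # handshake record carrying a ClientHello
    if _is_dns_query(p):
        return "DNS"
    return None


# SMTP rules. The limit is an assumption for the example: RFC 5321 caps a command
# line at 512 octets. A server with a fixed-size buffer that fails to enforce this
# is exploitable by any overlong field, so the length condition is the signature.
MAX_LINE = 512
COMMANDS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT", "VRFY", "STARTTLS"}
_PATH = re.compile(r"^<[^<>\s]*>$")


def check_smtp_session(lines):
    """Return (line_no, anomaly) for each RFC violation in a client command sequence."""
    anomalies = []
    greeted = have_mail = have_rcpt = False
    for n, line in enumerate(lines, 1):
        if len(line) > MAX_LINE:
            anomalies.append((n, "overlong-line"))
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb not in COMMANDS:
            anomalies.append((n, "unknown-command"))
            continue
        if verb in ("HELO", "EHLO"):
            greeted, have_mail, have_rcpt = True, False, False
        elif verb == "RSET":
            have_mail = have_rcpt = False
        elif verb in ("MAIL", "RCPT"):
            kw, _, path = arg.partition(":")
            expected = "FROM" if verb == "MAIL" else "TO"
            if kw.strip().upper() != expected or not _PATH.match(path.strip()):
                anomalies.append((n, "malformed-path"))
            if verb == "MAIL":
                if not greeted or have_mail:      # MAIL before EHLO, or MAIL twice without RSET
                    anomalies.append((n, "bad-sequence"))
                have_mail = True
            elif have_mail:
                have_rcpt = True
            else:
                anomalies.append((n, "bad-sequence"))   # RCPT before MAIL
        elif verb == "DATA":
            if not have_rcpt:
                anomalies.append((n, "bad-sequence"))   # DATA before any accepted RCPT
            have_mail = have_rcpt = False
    return anomalies


WELL_KNOWN = {22: "SSH", 25: "SMTP", 53: "DNS", 80: "HTTP", 443: "TLS", 5060: "SIP"}


def inspect_flow(dst_port, client_payload):
    """Identify by content, note any protocol/port mismatch, then run the
    protocol's anomaly checks (only the SMTP checks are implemented here)."""
    proto = identify_protocol(client_payload)
    findings = []
    if proto is not None and WELL_KNOWN.get(dst_port) != proto:
        findings.append((0, f"{proto} on port {dst_port}"))
    if proto == "SMTP":
        lines = [l for l in client_payload.decode("latin-1").split("\r\n") if l]
        findings += check_smtp_session(lines)
    return proto, findings


def sample_smtp_attack():
    """Constructed: SMTP on a non-standard port with RCPT before MAIL, an
    overlong MAIL FROM path, an unknown verb, and DATA before any accepted RCPT."""
    session = ("EHLO client.example\r\nRCPT TO:<bob@example.net>\r\n"
               "MAIL FROM:<" + "A" * 600 + ">\r\nXEXCH50 2 2\r\nDATA\r\n")
    return 2525, session.encode()
```

Because identification happens before any port lookup, inspect_flow() applies the SMTP checks to a session on port 2525 exactly as it would on port 25, and a port/protocol mismatch is itself reported as a finding rather than silently accepted.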
The NIP can detect threats on infrequently used ports, for example, HTTP attacks on port

The NIP can analyze and identify the following protocols: ICMP, HTTP, DNS, BGP, FINGER, FTP, GOPHER, HTTPS, IDENT, IMAP, IRC, LDAP, MSSQL, MSSQL_RESOLVER, NBTSS, NETBIOS_DCE_PM, NETBIOS_NS, NETBIOS_DGM, NNTP, NTP, POP2, POP3, SMB, SMTP, SNMP, SSH, TELNET, TFTP, OVERNET, RFB, MDNS, DHCP, and SIP. It can also identify the following P2P and IM protocols: QQ, OSCAR, EDONKEY, EMULE, XMPP, FASTTRACK_KAZAA, FASTTRACK_GROKSTER, FASTTRACK_IMESH, YAHOO_MESSENGER, and MSN_MESSENGER.

3.2 DDoS Attack Prevention

A denial of service (DoS) attack makes a computer or network resource unavailable. DoS attacks are hard to prevent, highly destructive, easy to launch, hard to trace, and wide-ranging in their damage. A distributed DoS (DDoS) attack occurs when a large number of hosts on different networks are controlled to launch one or more DoS attacks at once, causing far greater damage. A DDoS attack combines multiple computers, organized in a client/server structure, against one or more targets so that the DoS effect is amplified. Typically, the attacker uses a stolen account to install the DDoS master control program on one computer. At a preset time, the control program communicates with the numerous agents installed on Internet computers and instructs