Network Intrusion Prevention

Network-based intrusion prevention is a key component of defense in depth, and the ASA/PIX Security Appliance provides it. The purpose of this technology is to recognize and stop attacks as they flow through the appliance. The ASA/PIX version 7 operating system implements two basic forms of network intrusion prevention: one is signature-based, and the other is behavior-based and is delivered by the application firewall features.

Signature-based intrusion prevention works much the way antivirus software works on a host. The prevention device looks for a sequence of bytes on the network that matches a known attack string; if the string matches, the device can drop the traffic, report the attack to a logging server, or both. The application firewall features take a different approach: the ASA/PIX version 7 operating system enforces strict protocol conformance, which protects you against unwanted software such as unencrypted instant-messaging clients, peer-to-peer file sharing, or software that tunnels non-web traffic through the HTTP port. You determine the action the security appliance takes when it encounters such traffic. You have the following options:

  • Drop traffic.

  • Report the event to syslog.

  • Drop traffic and report the event to syslog.

  • Reset the connection.

  • Reset the connection and report the event to syslog.

  • Take no action.

Part of the application firewall is user-defined rules. For example, if you know that the longest URL on your web server is 50 bytes, you might create a rule that tells the security appliance that any request longer than 50 bytes is probably an attack. When the security appliance enforces this rule, it drops or reports traffic that violates it, depending on how you set it up. You have the same choice of event actions from the previous list when a user-defined rule is triggered. Measure the limit against real traffic first (query strings and session tokens lengthen URLs considerably), or the rule will block legitimate requests.
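The options above map directly onto the HTTP inspection commands of the ASA/PIX 7.0 software. The following configuration is an added example written for this page, not one taken from the book or from Cisco documentation: it defines an HTTP map that resets and logs connections whose request URI exceeds the 50-byte limit from the paragraph above, drops and logs instant-messaging, peer-to-peer and tunnelled traffic that misuses the HTTP port, and applies the map to inbound web traffic. The map, class-map and policy-map names and the interface name `outside` are assumptions.

```text
! Added example in ASA/PIX 7.0 syntax; the names are hypothetical.
http-map WEB-STRICT
 ! Enforce RFC-conformant HTTP; non-conforming requests are reset and logged.
 strict-http action reset log
 ! User-defined rule from the text: no request URI longer than 50 bytes.
 max-uri-length 50 action reset log
 ! Application-firewall checks for software misusing the HTTP port.
 port-misuse im action drop log
 port-misuse p2p action drop log
 port-misuse tunneling action drop log
 ! Any other recognised misuse is only reported (audit mode, an assumption).
 port-misuse default action allow log
!
class-map WEB-TRAFFIC
 match port tcp eq 80
!
policy-map OUTSIDE-POLICY
 class WEB-TRAFFIC
  inspect http WEB-STRICT
!
service-policy OUTSIDE-POLICY interface outside
```

The six event actions listed earlier correspond to the `action` keywords as follows: drop traffic is `action drop`; report to syslog only is `action allow log`; drop and report is `action drop log`; reset is `action reset`; reset and report is `action reset log`; take no action is `action allow`. A sensible rollout starts every line at `action allow log`, reviews the syslog output for a few days, and only then switches to `reset` or `drop`, which keeps the false positives discussed later in this section from becoming outages. In ASA 7.2 and later, `http-map` was replaced by `policy-map type inspect http`, where the equivalent URI check is `match request uri length gt 50` inside a `class-map type inspect http`.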

With signature-based prevention, it is up to the security administrator whether matching traffic is dropped or only reported.

The signatures used in the ASA/PIX Security Appliance cover common attacks that are relatively easy to identify, so in this book we drop the traffic. In NIPS implementations that use more complex signatures, you might not want to drop traffic, because an alarm might not represent an actual attack. You might not want to drop attacks at the security appliance for two reasons:

  • If the security appliance has a heavy traffic load, intrusion prevention might take up additional cycles and slow down network throughput.

  • There is a chance that the security appliance will drop valid traffic. (This is called a false positive.)

Host Intrusion Prevention

Host intrusion prevention is the final layer of defense in depth. Simply stated, some attacks (usually zero-day attacks) will get past the other defensive layers; therefore, an agent on the host must stop the attack on the host or server itself. The Cisco Security Agent (CSA) is designed for this type of use.

CSA is security software that can recognize when software is acting badly on a host and stop that software from doing damage and stop the host from getting infected with the malicious software.

Automated Host Hardening

CSA modifies the system registry to turn off unneeded services while ensuring that basic administrative functions remain operational.

System Behavior Rules Engine

The behavior rules engine stops bad behavior on the system. This behavior includes executing code from the stack, which is one of the main ways that hackers break into systems (the classic buffer overflow). The behavior engine also stops writes to the registry and to key directories on the system. Hackers use all of these methods when attempting to run or install their software on a victim's system, so CSA can stop many common attacks with these rules alone.

Chapter 10, “Deploying Host Intrusion Prevention,” discusses the rules engines in greater detail.

Firewall Rules Engine

CSA has a fully functional firewall engine that behaves similarly to a personal firewall (but is more powerful). It can filter unwanted traffic and prevent the host running the agent from starting unexpected outbound connections, which might indicate that an attack is in progress.

The CSA firewall capability includes a rule called Net Shield, which is capable of fooling traditional scanning tools that try to determine the operating system of a host or server. These tools rely on certain header bits and on packet timing to decide whether the host they are scanning runs Linux or Microsoft Windows. Net Shield randomly alters these bits, so the tools return false information to the attacker about the makeup of the network.

Application Rules Engine

The CSA application rules engine enforces proper behavior for applications to mitigate any attacks against application vulnerabilities. For example, a browser has a fairly narrow range of functions, such as the following:

  • Browse and update websites using HTTP

  • Browse and update using SSL or HTTPS

  • Write logs to certain directories

  • Run ActiveX and Java in certain contexts

Several actions, if taken by a web browser, indicate that a browser vulnerability is being exploited. A well-behaved browser would never do any of the following:

  • Copy cmd.exe to a different name or different location

  • Execute any applications

  • Install applications

  • Write to the registry

  • Write to the system directory

When CSA detects this type of behavior, it kills the process and stops the attack that is in process.

NOTE

For system protection, CSA is one of the most powerful security applications on the market. Note, however, that CSA is designed to work in conjunction with antivirus software. CSA stops attacks, known and unknown, but it does not clean up malicious software. Antivirus protection should be viewed as a critical additional level of defense in depth on the host.


Global Correlation Engine

CSA also has a powerful feature that can identify attacking machines that are scanning or attacking your hosts and stop traffic from those machines. This feature is called the global event correlation engine.

The global event correlation engine is effective in stopping what has become known as the low and slow scan, in which the attacker spreads probes across many hosts over a long period so that no single host sees enough activity to raise an alarm. Global correlation is also effective in stopping virus or worm propagation.

Each time the CSA agent generates an event, the agent sends the information to the CSA Management Console (CSA MC). The CSA MC can then make decisions based on repeated attack or malicious behavior events (such as a scan present on the network). After the malicious behavior is recognized, CSA creates a rule to defend against it and makes the new rule available to all the hosts in the network that are running CSA.
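The following Python program is an added example, not Cisco code, that shows why the console-side correlation matters. Each agent on its own alarms only on a burst of probes against itself; the console pools the events from every agent and counts distinct targets per source over a much longer window, so a scan that touches ten hosts five minutes apart is caught even though every individual host saw a single event. The event fields, thresholds, window sizes, sample events and the block-rule format are all constructed for illustration and do not reflect CSA's actual policy language.

```python
"""Toy global event correlation in the style the text describes.

Added example, not Cisco code: every CSA agent forwards its events to the
management console; the console correlates them across hosts so that a
scan too slow to alarm any single host is still recognised and turned into
a rule pushed to every agent. All thresholds, windows, fields and sample
events are constructed for illustration.
"""
from bisect import bisect_right
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int      # seconds since an arbitrary epoch (constructed)
    host: str    # CSA agent that reported the event
    src: str     # remote address that triggered it
    dport: int   # destination port probed on the agent's host


# What a single agent can see: it alarms only on a burst against itself.
LOCAL_THRESHOLD = 5      # distinct ports from one source ...
LOCAL_WINDOW = 60        # ... within this many seconds

# What the console can see: distinct (host, port) targets network-wide.
GLOBAL_THRESHOLD = 8
GLOBAL_WINDOW = 3600


def _windowed_max(times_targets, window):
    """Largest number of distinct targets inside any sliding window.

    `times_targets` is a list of (ts, target) pairs sorted by ts.
    """
    times = [t for t, _ in times_targets]
    best = 0
    for i, (t0, _) in enumerate(times_targets):
        j = bisect_right(times, t0 + window)          # end of this window
        best = max(best, len({target for _, target in times_targets[i:j]}))
    return best


def local_alarms(events):
    """Per-agent view: (host, src) pairs a host would flag on its own."""
    per_host = defaultdict(list)
    for e in events:
        per_host[(e.host, e.src)].append((e.ts, e.dport))
    return {key for key, tt in per_host.items()
            if _windowed_max(sorted(tt), LOCAL_WINDOW) >= LOCAL_THRESHOLD}


def correlate(events):
    """Console view: sources that touch many targets across all agents."""
    per_src = defaultdict(list)
    for e in events:
        per_src[e.src].append((e.ts, (e.host, e.dport)))
    return {src for src, tt in per_src.items()
            if _windowed_max(sorted(tt), GLOBAL_WINDOW) >= GLOBAL_THRESHOLD}


def build_block_rules(events):
    """Rules the console would push to every agent (rule syntax is made up)."""
    attackers = correlate(events) | {src for _, src in local_alarms(events)}
    return sorted(f"deny ip from {src} to any" for src in attackers)


# Constructed sample events from ten CSA-protected hosts.
HOSTS = [f"srv{n:02d}" for n in range(1, 11)]
SAMPLE_EVENTS = (
    # Low and slow: one probe per host, five minutes apart, 45 minutes total.
    [Event(ts=300 * n, host=HOSTS[n], src="203.0.113.9", dport=22)
     for n in range(10)]
    # Noisy scanner: six ports on one host within six seconds.
    + [Event(ts=5000 + n, host="srv01", src="198.51.100.7", dport=p)
       for n, p in enumerate((21, 22, 23, 25, 80, 443))]
    # Benign monitor: polls port 80 on three hosts once an hour.
    + [Event(ts=3600 * h + 7, host=host, src="192.0.2.5", dport=80)
       for h in range(3) for host in HOSTS[:3]]
)

if __name__ == "__main__":
    print("per-host alarms :", sorted(local_alarms(SAMPLE_EVENTS)))
    print("correlated      :", sorted(correlate(SAMPLE_EVENTS)))
    for rule in build_block_rules(SAMPLE_EVENTS):
        print("push to agents  :", rule)
```

Only the noisy scanner trips a per-host alarm; the low and slow source is invisible to every agent individually and is found solely by `correlate`, while the monitoring host, which repeats the same three targets, never crosses either threshold. The two parameters that matter in practice are the global window (how slow a scan you are willing to chase) and the distinct-target threshold (how many legitimate multi-host talkers, such as monitoring and backup systems, you can whitelist or tolerate).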

CSA in Action

This section takes a practical look at how CSA stops attacks. (As mentioned previously, Chapter 10 examines in more detail how CSA mitigates attacks.) It uses the attack paradigm discussed in Chapter 1, which illustrates how attackers break into a host or server. Table 2-1 maps each attack phase and attack action to the CSA mitigation engine that addresses it.

Table 2-1. CSA in Action

Attack Phase | Attack Action            | CSA Mitigation Engine
-------------|--------------------------|---------------------------------------------------
Probe        | Scan ports               | Global event correlation, firewall engine
             | Guess passwords          | n/a
             | Ping addresses           | Global event correlation, firewall engine
             | Guess mail users         | n/a
Penetrate    | Mail attachments         | Application engine
             | Buffer overflows         | Behavior engine
             | ActiveX controls         | Application engine, behavior engine
             | Network installs         | Application engine, behavior engine
             | Compressed messages      | Application engine, behavior engine
             | Back doors               | Application engine, behavior engine
Persist      | Create new files         | Application engine, behavior engine
             | Modify existing files    | Application engine, behavior engine
             | Weaken registry settings | Application engine, behavior engine
             | Install new services     | Application engine, behavior engine
             | Register trap doors      | Application engine, behavior engine
Propagate    | Mail copy of attack      | Application engine, behavior engine
             | Web connection           | Application engine, firewall engine
             | IRC                      | Firewall engine
             | FTP                      | Firewall engine
             | Infect file shares       | Behavior engine, firewall engine
Paralyze     | Delete files             | Application engine, behavior engine
             | Modify files             | Application engine, behavior engine
             | Denial of service        | Application engine, behavior engine, firewall engine
             | Crash computer           | Application engine, behavior engine, firewall engine
             | Steal secrets            | Application engine, behavior engine, firewall engine

NOTE

Some of these attack actions have "not applicable" (n/a) under the mitigation engine. That is because CSA cannot stop the action itself, but it does not need to: if hackers gain access through that action, CSA stops them when they try to run malicious code.

