The Business Forum

"It is impossible for ideas to compete in the marketplace if no forum for
  their presentation is provided or available."           Thomas Mann, 1896



CISCO THREAT DEFENSE SYSTEM GUIDE
How to Provide Effective Worm Mitigation

Contributed by Cisco Systems, Inc.

 

Introduction

The network today is a critical business asset. It not only allows the smooth running of business applications, it also enables the easy delivery of data, voice, and video. As a result, companies are increasingly concerned with keeping their network running and applications online while protecting one of their most critical assets — their information. In order to protect your business, you need to protect your network.

In recent years, not only has the number of network and computer attacks been on the rise, but also the level of complexity and sophistication with which they strike. The most commonplace and perhaps most damaging of these attacks are called “worms.”

Worms

Worms are malicious programs written to exploit vulnerabilities within an operating system or environment. The infected host becomes crippled and from there the worm gains access to other systems, leaving behind a trail of other crippled — and many times altogether inoperable — hosts. The worm travels rapidly, affecting all neighboring systems of the initially infected host.

Examples of destructive worms include NIMDA, Code Red, SQL Slammer, Blaster Worm, and the MyDoom virus (refer to SAFE: Worm Attacks as well as SAFE: Nimda, Code Red and Slammer for more information on those worms).

How Worms Propagate Throughout the Network

Worms are among the biggest security challenges to business productivity today. In order to protect your network from these threats, your security system must be able to protect against both known and unknown attacks. This calls for an integrated security solution that is both flexible and pervasive, providing collaboration between networking and security services, and comprehensive coverage from your network to your endpoints (servers and computers).

Cisco Systems® understands these challenges that its customers face and empowers them to safely engage in business by providing best-in-class security solutions. Instead of just providing point products that set only a base level of security, Cisco® meets all the requirements needed to protect your network by embedding security throughout the network and integrating security services in all its products. As a result, Cisco customers enjoy greater security as a transparent, scalable, and manageable aspect of their business infrastructure.

The Cisco Threat Defense System (TDS)

The system provides:

  • Collaboration between security services and network services — Cisco enhances security by helping enable network services such as quality of service (QoS) to work transparently with existing security services.

  • Flexible and customizable deployment — Cisco integrates security in all its devices, helping customers take advantage of their investment in existing routers and switches. Cisco provides the broadest set of security technology available from any single vendor, allowing organizations to deploy their choice of security technologies.

  • End-to-end coverage — Cisco believes that security should be deployed everywhere on the network, from PCs and servers to LANs, WANs, and branch offices. This scenario provides the depth of defense necessary to protect all of the organization’s most vital assets from threats both internal and external.


Cisco Threat Defense System Technologies

The Cisco Threat Defense System comprises layers of protection throughout the network. The first line of defense against attacks is controlling the levels of access to your network. Firewalls such as the Cisco PIX® Firewall Security Appliance, the Cisco Firewall Services Module for the Cisco Catalyst® 6500, and Cisco IOS® Software Advanced Security should be employed to keep out unwanted traffic.

Network-based intrusion detection products such as the Cisco IDS 4200 Series Intrusion Detection System sensors, Cisco Catalyst 6500 Intrusion Detection System (IDSM)-2 Services Module, and the Cisco IDS Module for Cisco access routers help survey activity across your network. They monitor for any unusual or unexpected activity. In addition, Cisco also has built intelligence in products you may already have in your network. These key security features are found in the Cisco Catalyst switch series, content engines, and Cisco IOS Software-based routers.

Most importantly, to help protect your system at the host level, Cisco offers an endpoint protection product, Cisco Security Agent. Cisco Security Agent protects against worm attacks on both server and desktop systems, and because of its anomaly-based intelligence, it protects against future unknown attacks as well.


Cisco Threat Defense System Technology | Cisco Threat Defense System Product
Firewall | Cisco PIX Security Appliance, Cisco IOS Firewall, Cisco Catalyst 6500 Firewall Services Module
Network-based IDS (NIDS) | IDS appliances, Cisco Catalyst IDS Services Module, router IDS modules, Cisco IOS IDS
Endpoint threat protection | Cisco Security Agent
Network security services | NetFlow, network-based application recognition (NBAR), committed access rate (CAR), private VLANs, Dynamic Host Configuration Protocol (DHCP) snooping, dynamic Address Resolution Protocol (ARP) inspection, access control lists (ACLs), QoS
Intelligent investigation | Cisco Threat Response
Content security | Content engines, router content network module
Security management | Device managers, CiscoWorks VPN/Security Management Solution (VMS), Cisco IP Solution Center (ISC), CiscoWorks Security Information Management Solution (SIMS)

Table 1. Cisco Threat Defense Technologies and Products

 
To help ensure that Cisco TDS deployment is successful, the company also offers Cisco Advanced Services security consulting services to help you plan, design, implement, and optimize your Cisco TDS solution. Supporting the complete lifecycle of the network, Cisco engineers can help you successfully plan, design, and manage the integration of network intrusion detection sensors, host protection systems, firewall devices, security management solutions, and technologies such as IP Security (IPSec), VPNs, and QoS.


Defending Against Worm Attacks and Propagation

The Cisco TDS offers a practical solution against the security threats that worms pose to networks today. Because worms typically invade an environment in a multi-phased approach, this layered structure is an effective way to protect networks from these threats.

The Issues:

To understand how to mitigate the problem, we must examine how a worm damages a network. Worm and virus attacks can exploit multiple vulnerabilities concurrently. The Cisco SAFE Worm Mitigation paper discusses the best-practices methodology needed when facing a worm attack. Six steps are involved, using the NSP-SEC Mitigation Methodology. These steps follow (in order): preparation, identification, classification, traceback, reaction, and post-mortem. The reaction phase can be further broken down into containment, inoculation, quarantine, and treatment.

NSP-SEC Incident Response

1. Preparation
2. Identification
3. Classification
4. Traceback
5. Reaction
6. Post-mortem

Reaction Phase (expanded)
1. Containment
2. Inoculation
3. Quarantine
4. Treatment

Responding to a Security Incident

The Cisco Threat Defense System applies to the reaction stage of the NSP-SEC Incident Response. When dealing with worm attacks, the Cisco Threat Defense System can inoculate, quarantine, and treat your network against damage.

Using Endpoint Protection on Servers and Desktop Systems

Cisco Security Agent

Cisco Security Agent is an anomaly-based detection day-zero technology that mitigates both known and unknown attacks, including worms, before they can harm your system. Cisco Security Agent intercepts application resource requests to the operating system, allowing it to make real-time “allow” and “deny” decisions in accordance with the predefined security policy. In the case of MSBlaster, Cisco Security Agent responded based upon the anomalous behavior of the operating system.

The default Cisco Security Agent 4.0 server and desktop policies stopped successful execution of MS Blaster as well as malicious worms before that, including Code Red, Nimda, and Slammer.

  • On Windows-based servers, the default server policy prevents the SVCHOST from attempting to execute CMD.exe. This prevents the exploit shell code from running.

  • On desktop systems, the default desktop policy prevents the SVCHOST from accepting a connection on port 4444. Additional protection is provided because the default policy prevents applications from executing CMD.exe.

Because of the sensitive nature of the SVCHOST process in the proper operation of Windows, the Cisco Security Agent detects the overflow but does not terminate the SVCHOST process. Instead, Cisco Security Agent prevents the host from being exploited by terminating the CMD.exe process that the buffer overflow in the SVCHOST process creates because of the exploit. This day-zero technology requires no updates. Cisco Security Agent does not have the same challenge that applying system patches does. As a result, Cisco Security Agent is significantly easier and less obtrusive to install on running systems, and customers are less likely to require system interruptions or reboots. Administrators should use a network security scanner to identify those systems that are running critical services, and install Cisco Security Agent on those systems. To mitigate future network attacks beyond remote procedure call (RPC) Distributed Component Object Model (DCOM), Cisco Security Agent should be installed on all critical servers.

For configuration information, refer to the following URL:

http://www.cisco.com/en/US/partner/products/sw/secursw/ps5057/index.html

Deploying Network-Based Intrusion Detection System to Detect Worm Activity

Cisco NIDS

The Cisco NIDS operates by using a variety of methods to detect attacks on a network level. When an attack is detected, the sensor notifies an operator that an attack is under way. The operator then can take corrective action to prevent subsequent attacks. Cisco NIDS appliances also feature policing mechanisms such as shunning (port blocking) and TCP reset.

Cisco Threat Response provides intelligent investigation of the information surveyed by Cisco NIDS appliances. This management application performs a Layer 2 analysis on the targeted host to determine the impact of the attack. This information is quickly provided so that the operator can determine the overall threat of the attack to the network environment.

In the scenario of the NIMDA worm, the Cisco IDS system generates five events when the worm traverses the network from host to host:

  • WWW WinNT cmd.exe Access (SigID 5081)

  • IIS CGI Double Decode (SigID 5124)

  • WWW IIS Unicode Attack (SigID 5114)

  • IIS Dot Dot Execute Attack (SigID 3215)

  • IIS Dot Dot Crash Attack (SigID 3216)


Attack detection triggers the Cisco NIDS to send an alarm and then take a preconfigured action. At this point the Cisco NIDS can perform either shunning or TCP resets. During shunning, the upstream access-control device blocks any further access from the IP address of the attacking system. TCP resets tear down the TCP connection by sending a fabricated reset that appears to be from the receiving device to the attacking device. Both of these methods prevent the worm from successfully compromising a server because multiple packets are required to infect and attack a host. These features protect against multi-packet attacks.

As soon as the Cisco IDS sensor reports the attack, the Cisco Threat Response application performs an analysis on the target host. Cisco Threat Response determines the impact of the attack based on gathered information about the operating system and services running on the target host, such as type, version, and patch levels. The Layer 2 analysis provides the support necessary to decide whether or not to remove the host from service.
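
The five NIMDA events listed above are most useful when correlated per attacking address before a response such as shunning is chosen. The following Python sketch is an added example, not Cisco IDS or Cisco Threat Response code; the alarm tuple layout, the 60-second window, the three-signature threshold and every address are constructed for illustration.

```python
from collections import defaultdict

# Signature IDs this guide lists for NIMDA moving from host to host.
NIMDA_SIGS = {
    5081: "WWW WinNT cmd.exe Access",
    5124: "IIS CGI Double Decode",
    5114: "WWW IIS Unicode Attack",
    3215: "IIS Dot Dot Execute Attack",
    3216: "IIS Dot Dot Crash Attack",
}

# Constructed alarms: (epoch seconds, signature ID, attacker IP, target IP).
# Signature 9999 is a made-up unrelated alarm.
SAMPLE_ALARMS = [
    (1000, 5081, "192.0.2.10", "10.0.0.5"),
    (1000, 5081, "198.51.100.7", "10.0.0.5"),
    (1001, 9999, "192.0.2.10", "10.0.0.5"),
    (1002, 5114, "192.0.2.10", "10.0.0.5"),
    (1003, 5124, "192.0.2.10", "10.0.0.5"),
    (1010, 3215, "192.0.2.10", "10.0.0.6"),
    (2000, 5081, "203.0.113.9", "10.0.0.7"),
    (2500, 5114, "203.0.113.9", "10.0.0.7"),
    (3000, 5124, "203.0.113.9", "10.0.0.7"),
    (5000, 5114, "198.51.100.7", "10.0.0.5"),
]


def correlate(alarms, window=60, min_distinct=3):
    """Find sources firing >= min_distinct NIMDA signatures within `window` s.

    Returns {attacker: {"sigs": [...], "targets": [...]}}. Once a source
    qualifies, all of its NIMDA alarms are reported so that every targeted
    host can be handed to the impact investigation.
    """
    by_src = defaultdict(list)
    for ts, sig, src, dst in alarms:
        if sig in NIMDA_SIGS:
            by_src[src].append((ts, sig, dst))

    findings = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the left edge so the span never exceeds the window.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {sig for _, sig, _ in events[start:end + 1]}
            if len(distinct) >= min_distinct:
                findings[src] = {
                    "sigs": sorted({sig for _, sig, _ in events}),
                    "targets": sorted({dst for _, _, dst in events}),
                }
                break
    return findings


def shun_candidates(alarms):
    """Addresses to propose for blocking on the upstream access-control device."""
    return sorted(correlate(alarms))


if __name__ == "__main__":
    for src, info in correlate(SAMPLE_ALARMS).items():
        names = [NIMDA_SIGS[s] for s in info["sigs"]]
        print(src, "->", info["targets"], names)
```

A source that trips one or two of the signatures, or trips them hours apart, is left for an operator to review rather than being blocked automatically.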

For details about how to properly configure Cisco IDS to deal with worm attacks, refer to the following URL:

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps4077/index.html

Using Access Control to Restrict Worm Traffic

Cisco Firewall Solutions (Cisco Catalyst 6500 Firewall Services Module, Cisco PIX Security Appliances, Cisco IOS Software Advanced Security)

Stateful firewalls provide a proactive way to mitigate worms in addition to other types of attacks. The stateful inspection engine can control connection attempts at a more granular level by validating proper protocol adherence. For example, this filtering can be used to allow only inbound connections to a Web server and at the same time not allow that Web server to initiate outbound connections, thus limiting the ability of the worm to self-propagate. This is particularly applicable for DMZ Web server deployments. As discussed in SAFE: A Security Blueprint [from Cisco] for Enterprise Networks, your Web servers do not need to establish outbound connections. It would be unusual for the Web server to need access to surf the Web. In most cases, Web servers only need to respond to incoming HTTP requests. Firewalls also can limit the number of permitted inbound connections to a server so that the server is not overwhelmed. In the case of Blaster, this setup blocks excessive inbound exploitation connection attempts when the maximum allowed number is reached.
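
The DMZ Web server policy described above (inbound HTTP allowed, replies allowed by connection state, server-initiated connections refused, inbound connections capped) can be modeled in a few lines. This Python sketch is an added example, not Cisco firewall code or configuration; the addresses, the limit of three connections and the one-FIN teardown are constructed simplifications.

```python
from dataclasses import dataclass

WEB_SERVER = "192.0.2.80"   # constructed DMZ Web server address
MAX_INBOUND_CONNS = 3       # constructed limit, kept tiny for the demo


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True only for a connection-opening segment
    fin: bool = False   # simplified: one FIN tears the connection down


class StatefulFilter:
    def __init__(self):
        # Tracked connections, keyed as (client, client port, server, port).
        self.conns = set()

    def check(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        # Traffic in either direction of a tracked connection is allowed,
        # which is how the server's replies get out without an outbound rule.
        if fwd in self.conns or rev in self.conns:
            if p.fin:
                self.conns.discard(fwd)
                self.conns.discard(rev)
            return "permit-established"
        if not p.syn:
            return "deny-no-state"
        # A compromised Web server trying to reach new victims stops here.
        if p.src == WEB_SERVER:
            return "deny-server-initiated"
        if p.dst == WEB_SERVER and p.dport == 80:
            if len(self.conns) >= MAX_INBOUND_CONNS:
                return "deny-conn-limit"
            self.conns.add(fwd)
            return "permit-new-http"
        return "deny-default"


def run_scenario():
    """Replay a constructed packet sequence and return the verdicts."""
    fw = StatefulFilter()
    packets = [
        Packet("198.51.100.10", 40000, WEB_SERVER, 80, syn=True),
        Packet(WEB_SERVER, 80, "198.51.100.10", 40000),             # reply
        Packet(WEB_SERVER, 1025, "203.0.113.5", 80, syn=True),      # outbound
        Packet("198.51.100.11", 40001, WEB_SERVER, 80, syn=True),
        Packet("198.51.100.12", 40002, WEB_SERVER, 80, syn=True),
        Packet("198.51.100.13", 40003, WEB_SERVER, 80, syn=True),   # over cap
        Packet("198.51.100.10", 40000, WEB_SERVER, 80, fin=True),   # frees slot
        Packet("198.51.100.13", 40003, WEB_SERVER, 80, syn=True),
        Packet("198.51.100.14", 40004, WEB_SERVER, 22, syn=True),   # not HTTP
        Packet("198.51.100.15", 5555, WEB_SERVER, 80),              # no state
    ]
    return [fw.check(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```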

Ingress filtering is typically carried out by access control on the network perimeter. It is used to block access to hosts and services that should not be publicly available. For instance, it is best practice to deny incoming connection requests to hosts or networking devices unless those hosts or devices are actively participating in providing a publicly accessible service. As it pertains to a worm attack, incoming HTTP connections are blocked from accessing any possibly exploitable user systems or nonpublicly available Web servers. These same filters, however, should allow access to a publicly available Web presence or e-commerce servers. Ideally, the public servers are under tight administrative control and have the latest patches. Ingress filtering blocks the exploitation attempts of targeted user systems.

Egress filtering also is carried out by access control on the network perimeter. This filtering refers to blocking outbound traffic access of a local host. Devices that do not need outbound Internet access, which can be most of the networking devices in your network or Web servers that serve only the internal environment, should not be allowed to initiate outbound connections. As this pertains to worm attacks, if a device is compromised it will not be able to infect an external network because the traffic will be intercepted and dropped at the network perimeter.

Additional layers of egress filtering in the network besides at the WAN edge also can be used to prevent an infected public Web server (or its entire segment in the case of a Web farm) from infecting private internal servers that are protected by the edge ingress filtering. For more information about access control and filtering, refer to SAFE Blueprint white papers.

Using Sinkhole Routers to Identify Infected Systems

Cisco IOS Software Advanced Security Features

Setting up a sinkhole router will assist in determining which systems in your environment are infected when the Cisco NIDS is not available. This scenario works by using addresses not yet allocated that worm attacks will inadvertently attempt to exploit. The sinkhole router advertises these networks locally (only), and any attempts at reaching them are then routed to the router. When received, they can be logged and discarded. The results of the logs provide a list of infected hosts.
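
Turning the sinkhole router's logs into the list of infected hosts is a small parsing job. The Python sketch below is an added example, not part of the Cisco guide; it assumes the sinkhole logs ACL hits in the Cisco IOS IPACCESSLOGP syslog format, and the sinkhole prefix, the three-target threshold and all sample log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: unallocated internal space advertised only by the sinkhole.
SINKHOLE_PREFIXES = [ipaddress.ip_network("10.250.0.0/16")]

# Cisco IOS ACL log message for TCP/UDP hits (IPACCESSLOGP).
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>tcp|udp) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample log from a hypothetical sinkhole router named sink1.
SAMPLE_LOG = """\
Aug 12 09:14:01 sink1 %SEC-6-IPACCESSLOGP: list 150 denied tcp 10.1.4.23(3127) -> 10.250.7.9(135), 1 packet
Aug 12 09:14:01 sink1 %SEC-6-IPACCESSLOGP: list 150 denied tcp 10.1.4.23(3128) -> 10.250.7.10(135), 1 packet
Aug 12 09:14:02 sink1 %SEC-6-IPACCESSLOGP: list 150 denied tcp 10.1.4.23(3129) -> 10.250.7.11(135), 1 packet
Aug 12 09:14:02 sink1 %SEC-6-IPACCESSLOGP: list 150 denied tcp 10.1.4.23(3130) -> 10.250.7.12(135), 1 packet
Aug 12 09:14:05 sink1 %SEC-6-IPACCESSLOGP: list 150 denied udp 10.1.9.80(1046) -> 10.250.131.4(1434), 5 packets
Aug 12 09:14:05 sink1 %SEC-6-IPACCESSLOGP: list 150 denied udp 10.1.9.80(1046) -> 10.250.88.201(1434), 3 packets
Aug 12 09:14:06 sink1 %SEC-6-IPACCESSLOGP: list 150 denied udp 10.1.9.80(1046) -> 10.250.3.77(1434), 2 packets
Aug 12 09:15:40 sink1 %SEC-6-IPACCESSLOGP: list 150 denied tcp 10.1.2.5(2201) -> 10.250.0.1(80), 1 packet
Aug 12 09:15:41 sink1 %SEC-6-IPACCESSLOGP: list 150 denied tcp 10.1.2.5(2202) -> 10.1.1.1(80), 1 packet
Aug 12 09:16:00 sink1 %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""


def in_sinkhole(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in SINKHOLE_PREFIXES)


def summarize(log_text):
    """Aggregate sinkhole hits per source address."""
    hosts = defaultdict(lambda: {"packets": 0, "targets": set(), "ports": set()})
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        # Skip unrelated messages and hits on addresses outside the sinkhole.
        if not m or not in_sinkhole(m["dst"]):
            continue
        entry = hosts[m["src"]]
        entry["packets"] += int(m["count"])
        entry["targets"].add(m["dst"])
        entry["ports"].add((m["proto"], int(m["dport"])))
    return dict(hosts)


def suspected_infected(log_text, min_targets=3):
    """Sources that probed at least `min_targets` distinct sinkhole addresses.

    The threshold (an assumption of this example) separates scanning from a
    single stray connection caused by a stale configuration.
    Returns (source, distinct targets, packets, ports), widest scanners first.
    """
    rows = [
        (src, len(e["targets"]), e["packets"], sorted(e["ports"]))
        for src, e in summarize(log_text).items()
        if len(e["targets"]) >= min_targets
    ]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for row in suspected_infected(SAMPLE_LOG):
        print(row)
```

The destination port column doubles as a quick classification aid: many sources probing the same port points to one worm rather than unrelated misconfigurations.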

Using NBAR

Cisco IOS Software Advanced Security Features

NBAR is a classification engine in Cisco IOS Software that can recognize a wide variety of application level protocols, including HTTP, through URL or Multipurpose Internet Mail Extensions (MIME) type and protocols that use dynamic port assignments. After the traffic has been classified by NBAR, appropriate QoS policies can be applied to the traffic classes. NBAR recognizes the CRv1 and CRv2 URL request but not the Code-Red II URL request, for instance, because Code-Red II spreads the GET request over multiple packets and NBAR today inspects only the first packet. Unlike NIDS, NBAR can immediately classify the CRv1 and CRv2 traffic and drop the packet before it reaches the server. NBAR can be used inbound and outbound to mitigate the effects of Code-Red and other similar worms.
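
The first-packet limitation described above is easiest to see by running the same URL match two ways. This Python sketch is an added example, not NBAR code; it assumes a wildcard on default.ida (the IIS script the Code Red worms requested), in-order segments, and constructed request payloads containing no exploit data.

```python
import fnmatch

# Assumption: a URL wildcard in the style of an NBAR HTTP URL match.
URL_PATTERNS = ["*default.ida*"]
METHODS = (b"GET", b"HEAD", b"POST")


def url_from(data, require_complete):
    """Extract the URL from an HTTP request line held in `data`.

    With require_complete=False the URL is taken from whatever bytes are
    present, which is all a first-packet classifier has to work with.
    """
    line, crlf, _ = data.partition(b"\r\n")
    if require_complete and not crlf:
        return None
    parts = line.split(b" ")
    if len(parts) < 2 or parts[0] not in METHODS:
        return None
    return parts[1].decode("latin-1")


def matches(url):
    return url is not None and any(
        fnmatch.fnmatchcase(url.lower(), pattern) for pattern in URL_PATTERNS
    )


def classify_first_packet(segments):
    """Decide from the first payload-bearing segment only."""
    if segments and matches(url_from(segments[0], require_complete=False)):
        return "drop"
    return "forward"


def classify_reassembled(segments, max_request_line=8192):
    """Buffer in-order segments until the request line is complete.

    Real reassembly must also handle reordering and overlapping segments.
    """
    buf = b""
    for seg in segments:
        buf += seg
        if b"\r\n" in buf:
            return "drop" if matches(url_from(buf, True)) else "forward"
        if len(buf) > max_request_line:
            return "drop"   # fail closed on an unterminated request line
    return "pending"        # hold: not enough data for a verdict yet


# Constructed flows: each list is the TCP payload of successive segments.
FLOWS = {
    "single_packet": [b"GET /default.ida?XXXX HTTP/1.0\r\nHost: www.example.com\r\n\r\n"],
    "split_request": [b"GET /defa", b"ult.ida?XXXX HTTP/1.0\r\n", b"Host: www.example.com\r\n\r\n"],
    "benign": [b"GET /index.html HTTP/1.0\r\n\r\n"],
    "incomplete": [b"GET /defa"],
}


def compare(flows):
    """Return {flow name: (first-packet verdict, reassembled verdict)}."""
    return {
        name: (classify_first_packet(segs), classify_reassembled(segs))
        for name, segs in flows.items()
    }


if __name__ == "__main__":
    for name, verdicts in compare(FLOWS).items():
        print(f"{name:14s} first-packet={verdicts[0]:8s} reassembled={verdicts[1]}")
```

Where a request can arrive split across segments, a control that reassembles the stream (such as the NIDS or the endpoint agent covered earlier) has to back up the first-packet classifier.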

For more information about NBAR, refer to:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121limit/121e/121e2/nbar2e.htm


Using URL Filtering

Cisco IOS Software Advanced Security Features

Cisco now supports two URL filtering server vendor implementations: WebSense Inc. and Secure Computing’s N2H2. Destination policy management is based on predetermined policy for a specific user or groups of users. Before the router queries the server, it can maintain two locally configured permit or deny tables. These tables list locations or URLs (strings, wildcards) where all users are always permitted access; alternatively, they can be locations where no users can ever receive access permission. If no entries or matches are found, the router checks its local cache to determine if the request has been made at an earlier time. If so, it studies the results.

This process is transparent and the user perceives no network delay.

URL filtering delivers the following benefits:

  • Protection against malicious programs — N2H2 and WebSense both categorize URLs (for example, MPEG Layer 3 [MP3] freeware and shareware). This reduces the risk of nonstandard or malicious programs, such as worms, entering the network.

  • Reduction of misuse of company resources — URL categorization allows network administrators, corporate managers, and government agencies to restrict and control Internet access, based on multiple factors, including e-mail address and user ID.


Use Private VLANs to Protect Critical End Systems Within a VLAN

Cisco Catalyst Switch Security Features

Private VLANs work by limiting the ports within a VLAN that can communicate with other ports in the same VLAN. Typically, private VLANs are deployed so that the hosts on a given segment can communicate only with their default gateway and not the other hosts on the network. For instance, if a worm compromises a Web server, it cannot initiate infection attempts to other Web servers in the same VLAN, even though they exist in the same network segment. This access control, carried out by assigning hosts to either an isolated port or a community port, is an effective way to mitigate the effects of a single, compromised host. Isolated ports can communicate only with promiscuous ports (typically the router). Community ports can communicate with the promiscuous port and other ports in the same community.

For more information about private VLANs, refer to:

http://www.cisco.com/warp/public/473/90.shtml


Cisco Threat Defense System Management

CiscoWorks VPN/Security Management Solution

The flagship integrated security management solution from Cisco, CiscoWorks VMS is an integral part of the SAFE Blueprint from Cisco for network security. CiscoWorks VMS protects the productivity and reduces operating costs for enterprises by combining Web-based tools for configuring, monitoring, and troubleshooting enterprise VPNs, firewalls, and network IDS and endpoint security. CiscoWorks VMS delivers the industry's first robust and scalable foundation and feature set that addresses the needs of small and large-scale VPN and security deployments. Today's business challenges and resulting security deployments require more scalability than merely supporting a large number of devices. Many customers have limited staffing, yet are asked to manage a myriad of security devices. These customers must manage the security and network infrastructure; frequently update many remote devices; implement change control and auditing when multiple organizations are involved in defining and deploying policies; enhance security without adding more headcount; or roll out remote access VPNs to all employees and monitor the VPN service.

Complete SAFE Blueprint Coverage

To completely manage a SAFE Blueprint environment, a network management solution must manage SAFE Blueprint infrastructure components, support features based upon an appliance or Cisco IOS Software, and support a range of management functions. CiscoWorks VMS is uniquely able to scale across SAFE Blueprint components, including firewalls, VPNs, and network and host-based IDSs. CiscoWorks VMS also takes advantage of Cisco Secure Access Control Server (ACS) by using a common ACS logon. CiscoWorks VMS can manage a feature set through an appliance, for example, the Cisco PIX Firewall, or through the Cisco IOS Software. Scalable management also involves more than configuring devices. CiscoWorks VMS provides the complete range of management with features to configure, monitor, and troubleshoot the network.

Scalable Foundation

CiscoWorks VMS implements a foundation with a consistent user experience, making it easier to scale management to many devices. CiscoWorks VMS provides users with a consistent GUI, workflow, ACS logon, roles definition, platforms, database engine, installation, and more. An industry-leading feature of this foundation is the CiscoWorks VMS Auto Update feature, which allows numerous devices to be updated easily and quickly. CiscoWorks VMS Auto Update helps enable devices — even remote and dynamically addressed devices — to periodically "call home" to an update server and "pull" the most current security configurations or Cisco PIX operating system. CiscoWorks VMS Auto Update is required to effectively scale remote-office firewall deployments across intermittent links or dynamic addresses. Prior policy-updating methods relied on a "push" model. Although this model works for known devices, it does not work for remote devices with unknown addresses or devices that are not always active. Without auto update, a more manual process is required to update each remote device. The auto update feature provides a dramatic scalability improvement for organizations that want to deploy devices with many remote and local locations. In addition to easier and faster policy updates, CiscoWorks VMS Auto Update also provides consistent policy deployments.

Enterprise Operational Integration

CiscoWorks VMS helps organizations easily integrate management into their operations. One operational need is to replicate policies to multiple locations. The CiscoWorks VMS Smart Rules hierarchy addresses this need by helping administrators define device groups and implement policy inheritance. For example, an administrator can define a device group for the New York sales office and deploy that same policy to all other sales offices quickly and consistently. The CiscoWorks VMS Command and Control Workflow feature provides change control and auditing, and is particularly important for customers who have separate groups for network and security operations. The solution includes processes for generating, approving, and deploying configurations. This can help security operations to define and approve new policies. Network operations can later deploy the new policies during their regular maintenance window. An audit of the changes can be maintained.

Centralized Role-Based Access Control

Role-based access control (RBAC) enables organizations to scale access privileges. CiscoWorks VMS conveniently uses a common ACS logon for users, administrators, devices, and applications. CiscoWorks VMS helps enable different groups to have different access rights across different devices and applications.

Integrated Infrastructure Management

Scalability requires management of multiple components — not just firewalls, but also VPNs, network- and host-based IDSs, routers, and switches. CiscoWorks VMS manages not only the security infrastructure, but also the network infrastructure. Customers benefit from being able to manage these components from one solution. Integrated monitoring is also required to see the larger picture.

CiscoWorks VMS provides integrated monitoring of Cisco PIX Security Appliance and Cisco IOS Software syslogs, and events from network- and host-based IDSs, along with event correlation.

CiscoWorks VMS Functions

CiscoWorks VMS is launched from the CiscoWorks dashboard and is organized into several functional areas:

  • Firewall management

  • CiscoWorks VMS Auto Update Server

  • IDS management, network- and host-based

  • VPN router management

  • Security monitoring

  • VPN monitoring

  • Operational management

These functional areas supply multifaceted scalability by offering features such as a consistent user experience, auto update, command and control workflow, and RBAC.

Firewall Management

CiscoWorks VMS helps enable the large-scale deployment of Cisco PIX firewalls by providing the following features:

  • Smart Rules hierarchy and inheritance

  • User-defined device and customer groups, including nesting

  • Global role-based access with administrative privileges per device and customer groups with other CiscoWorks products and Cisco Secure ACS

  • Mandatory and default device settings inheritance

  • Workflow deployment to device, directory, or CiscoWorks VMS Auto Update Server

  • Design similar to that of Cisco PIX Device Manager but with scalability to thousands of Cisco PIX firewalls

  • Integration with other CiscoWorks network management software

  • Complete SAFE Blueprint coverage for centralized management of Cisco PIX firewalls, including access control, VPN, IDS, and authentication, authorization, and accounting (AAA)

CiscoWorks VMS Smart Rules is an innovative feature that allows common information, including access rules and settings, to be inherited for all firewalls in a device or customer group. Smart Rules allows a user to define common rules once, resulting in reduced configuration time, fewer administrative errors, and higher device scalability. Using Smart Rules, a user can configure a common rule such as allowing all HTTP traffic once, and the user can apply this rule globally to all firewalls. Smart Rules can also be defined on a device or customer group basis.

For specific information about the firewall management functions of CiscoWorks VMS, refer to:

http://www.cisco.com/en/US/products/sw/cscowork/ps3992/index.html


CiscoWorks Auto Update Server for Firewall Management

CiscoWorks VMS introduces the industry’s first firewall auto update server that allows users to implement a "pull" model for security and Cisco PIX operating system management. CiscoWorks VMS Auto Update Server permits remote firewall networks with unprecedented scalability. The auto update server allows Cisco PIX firewalls to both periodically and automatically contact the update server for any security configuration, Cisco PIX operating system, and Cisco PIX Device Manager updates. The CiscoWorks VMS Auto Update Server supports the following features:

  • Security management of remote Cisco PIX firewalls that use DHCP

  • Automated Cisco PIX operating system distribution to groups of Cisco PIX firewalls

  • Automated Cisco PIX Device Manager updates to remote firewalls

  • Configuration verification at periodic intervals

  • Automated replacement of inaccurate or tampered configurations

  • New firewalls configured at "boot time"

The CiscoWorks VMS Auto Update Server is an indispensable component of any large-scale remote Cisco PIX firewall deployment.

The auto update server is an easy-to-use solution to automatically update all remote or local firewalls with new operating system releases. Cisco is the industry's first vendor to provide this pull model of security policy and operating system management. For specific information about the CiscoWorks VMS Auto Update Server component of CiscoWorks VMS, refer to:

http://www.cisco.com/en/US/products/sw/cscowork/ps3993/index.html


NIDS Management

Administrators can use CiscoWorks VMS to configure network and switch IDS sensors. Many sensors can be configured quickly using group profiles. Additionally, a more powerful signature management feature is included to increase the accuracy and specificity of detection. Prominent features include the following:

  • Easy-to-use Web-based interface

  • Wizards that lead users through common management tasks

  • Access to the Network Security Database (NSDB), which provides meaningful information about alarms for users without IDS security expertise

  • Ability to define a hierarchy of sensors containing groups and subgroups, and the ability to configure multiple sensors concurrently using group profiles

  • Support for several hundred sensor deployments from each console

  • Use of a robust relational database to store a high volume of data

For specific information about the NIDS management functions of CiscoWorks VMS, refer to:

http://www.cisco.com/en/US/products/sw/cscowork/ps3990/index.html


Cisco Security Agent Management

The Management Center for Cisco Security Agents provides all management functions for all agents in a centralized manner, from the CiscoWorks VMS platform. Its role-based, Web browser “manage-from-anywhere” access makes it easy for administrators to create agent software distribution packages, create or modify security policies, monitor alerts, or generate reports. Because it ships with more than 20 fully configured default policies, administrators will find it easy to deploy thousands of agents across the enterprise. The manager also allows customers to deploy agents in “IDS mode,” where activity is alerted but not blocked.

The Management Center for Cisco Security Agents offers simple but powerful customization capabilities such as a tuning wizard, allowing administrators to quickly fit default policies to their environment. Administrators can easily modify rules or create entirely new rules to meet custom needs and requirements. To aid audit compliance requirements, an “explain rules” feature prints out a description of what specified rules or policies do.

Agents are deployed to servers and desktops directly from the Management Center for Cisco Security Agents, and are controlled and updated from this manager. Each agent operates autonomously—if communication with the manager is not possible (for example, if a remote laptop user has not yet connected through the VPN), the agent continues to enforce the security policy. All security alerts are cached by the agent and uploaded to the manager when communications are restored.

Cisco also offers the add-on Cisco Security Agent Profiler, a snap-in application for the Management Center for Cisco Security Agents that provides a comprehensive data analysis and policy creation tool for custom applications and environments. The profiler analyzes actual application behavior to create custom policies that allow customers to protect any application, even extremely complex ones that have been highly customized to an individual customer’s environment.

Security Monitoring

CiscoWorks VMS provides integrated monitoring to reduce the number of security monitoring consoles, reduce the number of events to monitor, and provide a broader view of security status.

  • Integrated monitoring is used to capture, store, view, correlate, and report on events from many of the devices in the SAFE Blueprint such as Cisco network IDSs, switch IDSs, host IDSs, firewalls, and routers.

  • Event correlation is used to identify attacks that are not easily recognizable from a single event. A flexible notification scheme and automated responses to critical events also aid in quick action.

  • The event viewer can read both real-time and historical events.

  • Events are color-coded and administrators can quickly isolate problems. Administrators also can define thresholds and time periods when rules can be triggered to provide notification.

  • On-demand and scheduled reports facilitate ongoing monitoring.

For specific information about the security monitoring component of CiscoWorks VMS, refer to:

http://www.cisco.com/en/US/products/sw/cscowork/ps3991/index.html

