程序代写 COMP4337/9337: Securing Fixed and Wireless Networks

COMP4337/9337: Securing Fixed and Wireless Networks
Operational Security: Firewalls and IDS Lecturer:

• Firewall

Copyright By PowCoder代写 加微信 powcoder

– Stateless
– Stateful
– Application level gateways • IDS
– Host Based
– Network based • Snort

Secure System
The only system which is truly secure is the one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete bunker, surrounded by nerve gas and very highly paid armed guards
Even then I would not stake my life on it.
– Dr Eugene Spafford, Purdue University

Secure System

• Internet connectivity is essential but is vulnerable to threats
• Use firewall as a “Perimeter Defense” in part of a comprehensive security policy
• A firewall is a control point for monitoring and implementing access policies
– Interconnectsnetworkswithdifferenttrusts

isolates organization’s internal net from larger Internet, allowing some packets to pass, blocking others
administered network
trusted “good guys”
public Internet
untrusted “bad guys”

Firewalls: Why?
• Prevent denial of service attacks
– SYN flooding: attacker establishes many bogus TCP
connections, no resources left for “real” connections
• Prevent illegal modification/access of internal data
– e.g., attacker replaces CIA’s homepage with something
• Allow only authorized access to inside network – set of authenticated users/hosts
• Manage access for authorized users
– which user is allowed to access what type of services
outside of the intranet

• Three types of firewalls: – Stateless packet filters – Stateful packet filters – Application gateways

Stateless Packet Filters
Should arriving packet be allowed in? Departing packet let out?
• Internal network connected to the Internet via router firewall
• Firewall filters packet-by-packet, decision to forward/drop packet based on:
– sourceIPaddress,destinationIPaddress
– TCP/UDPsourceanddestinationportnumbers – ICMPmessagetype
– TCPflagbits(SYN,ACK,FIN)

Stateless Packet Filtering: Example
• Example 1: block incoming and outgoing datagrams with IP protocol field = 17, and with either source or dest port = 23
– result: all incoming, outgoing UDP flows and telnet connections are blocked
• Example 2: block inbound TCP segments with SYN = 1 & ACK = 0.
– result: prevents external clients from making TCP connections with internal clients

Stateless packet filtering: more examples
Firewall Setting
No outside Web access.
Drop all outgoing packets to any IP address, port 80 (or HTTP ports)
No incoming TCP connections, except those for institution’s public Web server only.
Drop all incoming TCP SYN packets to any IP except 130.207.244.203, port 80
Prevent your network from being used for a smurf DoS attack.
Drop all ICMP packets going to a “broadcast” address (e.g. 130.207.255.255/16).
Prevent your network from being tracerouted
Drop all outgoing ICMP TTL expired traffic

Access Control Lists (ACL)
ACL: table of rules, applied top to bottom to incoming packets: (action, condition) pairs [222.22/16 is the home network]
source address
outside of 222.22/16
outside of 222.22/16
dest address
outside of 222.22/16
outside of 222.22/16
222.22A/1llo6w
s DNS to op
Allows Web Surfing to internal users
source port

Access Control Lists
Two default policies:
• Discard/Deny – prohibit unless explicitly permitted
– more conservative, controlled, services only added on
case to case basis
• Forward/Allow – permit unless explicitly prohibited
– Easier to manage but less secure

Quiz on Stateless Packet Filter
135.5.22/24
public Internet
administered network
[* means wild card/any]
source address
dest address
source port
222.22/1 6
135.5.22. 11/24
135.5.22/ 24

Stateful Packet Filtering
• stateless packet filter: heavy handed tool
– admits packets that “make no sense,” e.g., source port = 80,
ACK bit set, even though no TCP connection has been initiated
source address
dest address
source port
outside of 222.22/16
• stateful packet filter: track status of every connection
– track TCP connection setup (SYN), teardown (FIN): determine
whether incoming, outgoing packets “makes sense”
– timeout inactive connections at firewall: no longer admit packets

Stateful Packet Filtering
• ACL augmented to check connection state table before admitting packet for the rule
source address
dest address
source port
check conxion
outside of 222.22/16
outside of 222.22/16
outside of 222.22/16
outside of 222.22/16

Stateful Packet Filtering
• ACL rule
source address
dest address
source port
outside of 222.22/16
• Connection table
source address
dest address
source port
222.22.2.2
199.1.205.1
222.22.22.77
203.77.5.55
Packet arrives: Source IP 199.5.5.20, Source port 80, ACK = 1, Destination IP=222.22.2.2, Destination port = 36500
No existing connection found in Connection table: Reject the packet

Application Gateways
• Firewalls only read packet headers
• What if you want to allow user based access instead of host
based (using IP addresses)?
– Requires user authentication
– This is beyond the capability of stateless/stateful filters
• Application layer is involved
– overhead more than inspecting packets at the network and transport layers

An application specific filter
– Example: allow select internal users to telnet outside
AG prompts for username/passwords
host-to-gateway telnet session
Application Gateways
application gateway
router and filter
gateway-to-remote host telnet session
1. require all telnet users to telnet through gateway.
2. for authorized users, gateway sets up telnet connection to dest
host. Gateway relays data between 2 connections
3. router filter blocks all telnet connections not originating from gateway.

Host based Firewalls
• A software module to secure an individual host
• Available in many OS and often used in servers
• Can tailor filtering rules to match the host environment
• Independent of the network topology
• Provides additional layer of protection

Firewall Configurations
• DMZ: De Militarized Zone that hosts organisation’s external facing services
• Outside router only advertises servers in the DMZ 21

Limitations of firewalls/gateways
• IP spoofing: router can’t • know if data “really”
filters often use all or nothing policy for UDP
comes from claimed source
• if multiple app’s. need special treatment, each has own app. gateway
• client software must know how to contact gateway.
– e.g., must set IP address of proxy in Web browser
• tradeoff: degree of communication with outside world, level of security
• many highly protected sites still suffer from attacks

Intrusion detection systems
• Packet filtering:
– operates on TCP/IP headers only
– no correlation check among sessions
• IDS: intrusion detection system
– deep packet inspection: look at packet contents (e.g., check character strings in packet against database of known virus, attack strings)
– examine correlation among multiple packets • port scanning
• network mapping
• DoS attack

Intrusion detection systems
multiple IDSs: different types of checking at different locations
internal network
Dual firewall
IDS Web sensors server FTP
DNS server

Intrusion detection systems
• Intrusion [RFC 2828 Internet Security Glossary]
– A security event or a combination of security events in which an intruder gains or attempts to gain, access to a system (or system resources) without having authorization to do so
– Intruder may be from outside the network or a legitimate user of the network
– Intruder attacks range from gentle (just looking around) to the serious (reading privileged data, perform un-authorized modifications, disrupt services etc.)
• Intrusion detection
– A security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of attempts to access system resources in an un-authorized manner

Intrusion detection systems
• Denial of service
– Attempts to crash a service or machine, overload network
links, CPU, or fill up the disk, e.g. by sending lots of packets
• Port Scanning
– Intruder sends packets to a list of ports trying to find open vulnerable ports. Next step could be to deliver malicious code at a vulnerable port
• Securing remote shell privileges
– Intruder opens a shell on the victim machine, allowing
arbitrary code execution
• Network mapping
• Worms, viruses, trojans
• OS vulnerabilities attacks

Intrusion Techniques
• Target identification and information gathering – OSINT (Open Source Intelligence)
• Gaining Access
– Vulnerability identification
– Acquire passwords (guess or brute force) – Install reverse shell
• Privilege Escalation
– Exercise access rights of owner

Intrusion Techniques
• Motivated by thrill of access and status
– hacking community a strong meritocracy
– status is determined by level of competence
• Benign intruders might be tolerable
– do consume resources and may slow performance – can’t know in advance whether benign or malign
• Awareness led to establishment of Computer Emergency Response Teams (CERTs)
– collect / disseminate vulnerability info / responses – hackers also have access to CERT reports

Elements of Intrusion Detection
• Primary assumptions:
– System activities are observable
– Normal and intrusive activities have distinct evidence
• Components of intrusion detection systems: – From an algorithmic perspective:
• Features – capture intrusion evidences
• Models – piece evidences together
– From a system architecture perspective:
• Various components: audit data processor, knowledge base, decision engine, alarm generation and responses

Components of Intrusion Detection
system activities are observable
Detection Models
Decision Table
Audit Records
Activity Data
Audit Data Preprocessor
Detection Engine
normal and intrusive activities have distinct evidence
Action/Report
Decision Engine

Elements of Intrusion Detection
– Recording of all security relevant events of a supervised
– Collects the input for intrusion detection module
• Audit data delivers information on: – Who accessed?
– When, where and how?
– Who’s and which resource?
• Audit data requires integrity protection
– Attacker can wipe out traces of malicious behavior

Intrusion Detection Approaches
• Features: evidences extracted from audit data
• Analysis approach: piecing the evidences together – Misuse detection (a.k.a. signature-based)
– Anomaly detection (a.k.a. statistical-based)

Signature based IDS
• Uses predefined proper (or bad) set of rules and patterns – Event audit analysis reveals signatures for known past
• ID system is programmed to interpret a certain series of packets, or a certain piece of data contained in those packets as an attack
• Mostly based on Pattern Matching systems
– An IDS that watches web servers might be programmed to look for the string “phf” as an indicator of a CGI program attack (for example, the “phf” in “GET /cgi- bin/phf ?”)

Signature based IDS
pattern matching
Intrusion Patterns:
Sequences of system calls, patterns of network traffic, etc.
activities
Example: if (traffic contains “x90+de[^\r\n]{30}”) then “attack detected”
Can’t detect new attacks

Signature based IDS
Drawbacks:
• Requires prior knowledge of potential attacks and only work if the attack signature is in the database
• Signature database requires continuous updating
• Higher rate of “false negative” with outdated database

Anomaly based IDS
• Consider normal/expected behavior of legitimate users over a period of time; apply statistical tests to detect intruder
• Intruder unlikely to mimic the behavior pattern of the legitimate user
– Profile based (time/duration/IP for login)
– Threshold based (various events such as %age of ICMP
• An attack scenario needs not to be defined a priori

Anomaly Detection
45. 22.5 0.
Process size
probable intrusion
activity measures
Page Fault
• Define a profile describing normal behavior, then detect deviations
normal profile abnormal

Anomaly Detection
• Relatively high “false positive” rates
– Anomalies could be just new normal activities
– Anomalies caused by other elements faults e.g., router misconfigurations
• Privacy of users
– Collecting specific user patterns – Work related and personal habits
• ”false negative”, if a normal behavior pattern matches an attack pattern

IDS Deployment
• Network based
– Monitor network traffic
• Host based
– Monitor single host activity and computer processes
– Permits combined analysis of system events and network traffic

Host based IDS
• Specialized software to monitor system activity for detecting suspicious behavior
– Log all relevant system events (e.g., file/device accesses)
– Monitor shell commands and system calls executed by
user applications and system programs
– Pay a price in performance if every system call is filtered
• Problems:
– User dependent: install/update IDS on all user machines!
– If attacker takes over machine, can tamper with IDS binaries and modify audit logs
– Only local view of the attack 40

Network IDS
• NIDS monitors traffic at selected points on a network – In near real-time to detect intrusion patterns
• Deploying sensors at strategic locations – Packet sniffing via tcpdump at routers
• Inspecting network traffic
– Watch for violations of protocols and unusual connection
– Look into the packet payload for malicious code
• Limitations
– Cannot execute the payload or do any code analysis – Record and process huge amount of traffic
– Easily defeated by encryption

4. Special IDS to provide additional protection
for critical systems
3. protect major backbones; monitor internal/external attacks
2. monitor filtered
NIDS Deployment
1. monitor and documents unfiltered packets;
internal network 3
Dual firewall
more work to do
DNS server
sensors server FTP

Wireless IDS
• Wireless inherent characteristics provide the relative ease of accessing (and injecting) network communications
– Each frame is broadcasted
• On the other hand, there are complexities involved in
monitoring wireless communications
– 2 common frequency bands (5GHz and 2.4GHz) – Several channels within each band
• A wireless sensor can monitor a single channel at a time
– A sensor will miss malicious activity occurring on other
channels when it is monitoring one particular channel
– Attacker can launch attack simultaneously on two different channels

Wireless IDS
• Wireless sensors normally perform channel scanning
– They can monitor each channel a few times per second
§ Attacker can attack in short bursts on un-scanned channels
– Each sensor sees only a fraction of the activity on each channel
§ Forensics data is incomplete
• Wireless IDS can use specialized hardware with multiple
radios and antennas
• The actual range of the wireless sensor depends on the surrounding facilities, location of people within the facility and other changing characteristics

• An open source light weight IDS
– Real time packet capture and rules analysis – Can work in inline or passive modes
• Components: – Decoder
– Detector – Logger – Alerter

SNORT Rules
• use a simple, flexible rule definition language
• each rule consists of a fixed header and zero or more options
action protocol SIP Sport