COMP4337/9337: Securing Fixed and Wireless Networks
Operational Security: Firewalls and IDS Lecturer:
• Firewall
– Stateless
– Stateful
– Application level gateways
• IDS
– Host Based
– Network based
• Snort
Secure System
The only system which is truly secure is the one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete bunker, surrounded by nerve gas and very highly paid armed guards
Even then I would not stake my life on it.
– Dr Eugene Spafford, Purdue University
Secure System
• Internet connectivity is essential but is vulnerable to threats
• Use a firewall as a “Perimeter Defense” as part of a comprehensive security policy
• A firewall is a control point for monitoring and implementing access policies
– Interconnects networks with different trust levels
– Isolates the organization’s internal net from the larger Internet, allowing some packets to pass and blocking others
[Figure: firewall between the administered network (trusted “good guys”) and the public Internet (untrusted “bad guys”)]
Firewalls: Why?
• Prevent denial of service attacks
– SYN flooding: attacker establishes many bogus TCP connections, no resources left for “real” connections
• Prevent illegal modification/access of internal data
– e.g., attacker replaces CIA’s homepage with something
• Allow only authorized access to inside network – set of authenticated users/hosts
• Manage access for authorized users
– which user is allowed to access what type of services outside of the intranet
• Three types of firewalls:
– Stateless packet filters
– Stateful packet filters
– Application gateways
Stateless Packet Filters
Should arriving packet be allowed in? Departing packet let out?
• Internal network connected to the Internet via router firewall
• Firewall filters packet-by-packet, decision to forward/drop packet based on:
– source IP address, destination IP address
– TCP/UDP source and destination port numbers
– ICMP message type
– TCP flag bits (SYN, ACK, FIN)
Stateless Packet Filtering: Example
• Example 1: block incoming and outgoing datagrams with IP protocol field = 17, and with either source or dest port = 23
– result: all incoming, outgoing UDP flows and telnet connections are blocked
• Example 2: block inbound TCP segments with SYN = 1 & ACK = 0.
– result: prevents external clients from making TCP connections with internal clients
Stateless packet filtering: more examples
Policy → Firewall setting
– No outside Web access → Drop all outgoing packets to any IP address, port 80 (or HTTP ports)
– No incoming TCP connections, except those for the institution’s public Web server only → Drop all incoming TCP SYN packets to any IP except 130.207.244.203, port 80
– Prevent your network from being used for a smurf DoS attack → Drop all ICMP packets going to a “broadcast” address (e.g. 130.207.255.255/16)
– Prevent your network from being tracerouted → Drop all outgoing ICMP TTL expired traffic
Access Control Lists (ACL)
ACL: table of rules, applied top to bottom to incoming packets: (action, condition) pairs [222.22/16 is the home network]
[ACL table (columns include source address, dest address, source port): allow rules between 222.22/16 and addresses outside of 222.22/16, annotated “Allows DNS to operate” and “Allows Web surfing to internal users”]
Access Control Lists
Two default policies:
• Discard/Deny – prohibit unless explicitly permitted
– more conservative, controlled, services only added on a case to case basis
• Forward/Allow – permit unless explicitly prohibited
– Easier to manage but less secure
Quiz on Stateless Packet Filter
[Quiz figure: ACL table with columns source address, dest address, source port for the administered network 135.5.22/24 (host 135.5.22.11) and 222.22/16 facing the public Internet; * means wild card/any]
Stateful Packet Filtering
• stateless packet filter: heavy handed tool
– admits packets that “make no sense,” e.g., source port = 80, ACK bit set, even though no TCP connection has been initiated
[ACL row: source address outside of 222.22/16; columns dest address, source port]
• stateful packet filter: track status of every connection
– track TCP connection setup (SYN), teardown (FIN): determine whether incoming, outgoing packets “make sense”
– timeout inactive connections at firewall: no longer admit packets
Stateful Packet Filtering
• ACL augmented to check connection state table before admitting packet for the rule
[ACL table with an added “check connection” column for the rules whose source or dest address is outside of 222.22/16; columns source address, dest address, source port]
Stateful Packet Filtering
• ACL rule: [table row: source address outside of 222.22/16; columns dest address, source port]
• Connection table (source address, dest address, source port):
– 222.22.2.2 → 199.1.205.1
– 222.22.22.77 → 203.77.5.55
• Packet arrives: source IP 199.5.5.20, source port 80, ACK = 1, destination IP 222.22.2.2, destination port 36500
• No existing connection found in the connection table: reject the packet
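The stateless ACL and the stateful connection table described above, as an added example that is not part of the lecture: a Python packet filter for the home network 222.22/16 that applies the ACL top to bottom with a default deny policy, then a stateful variant that consults a connection table (with an idle timeout) before admitting inbound replies. The rule values (TCP port 80, UDP port 53, ephemeral ports > 1023), the 60-second timeout, the Packet/Rule types and the demo() function are assumptions made for this example; the two pre-seeded entries use the lecture’s addresses 222.22.2.2/199.1.205.1 and 222.22.22.77/203.77.5.55 with constructed port numbers, and the arriving packet is the lecture’s 199.5.5.20:80 → 222.22.2.2:36500 with ACK set.

```python
"""Stateless ACL vs stateful connection tracking for the lecture's home network 222.22/16.
Added example for this page, not code from the lecture; rule values and timeout are assumptions."""
import ipaddress
from dataclasses import dataclass

HOME = ipaddress.ip_network("222.22.0.0/16")  # the lecture's home network
IDLE_TIMEOUT = 60.0                            # assumed: seconds of inactivity before an entry is dropped


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str          # "tcp" or "udp"
    src_port: int
    dst_port: int
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    action: str
    src_home: bool      # source inside 222.22/16?
    dst_home: bool      # destination inside 222.22/16?
    proto: str
    src_port: object    # exact port (int) or a predicate such as ephemeral
    dst_port: object
    ack: object = None  # None = don't care, True = ACK bit must be set
    check_conn: bool = False  # stateful filter must find the connection in its table


def is_home(ip: str) -> bool:
    return ipaddress.ip_address(ip) in HOME


def ephemeral(port: int) -> bool:
    return port > 1023


def port_ok(spec, port: int) -> bool:
    return spec(port) if callable(spec) else spec == port


# Constructed ACL after the lecture's table: web surfing and DNS for internal users.
# Anything not matched falls through to the default deny (e.g. inbound SYNs, telnet).
ACL = [
    Rule("allow", True, False, "tcp", ephemeral, 80),
    Rule("allow", False, True, "tcp", 80, ephemeral, ack=True, check_conn=True),
    Rule("allow", True, False, "udp", ephemeral, 53),
    Rule("allow", False, True, "udp", 53, ephemeral, check_conn=True),
]
DEFAULT_ACTION = "deny"


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (is_home(pkt.src_ip) == rule.src_home
            and is_home(pkt.dst_ip) == rule.dst_home
            and pkt.proto == rule.proto
            and port_ok(rule.src_port, pkt.src_port)
            and port_ok(rule.dst_port, pkt.dst_port)
            and (rule.ack is None or pkt.ack == rule.ack))


def stateless_filter(pkt: Packet) -> str:
    """Apply the ACL top to bottom; first match wins; default deny."""
    for rule in ACL:
        if rule_matches(rule, pkt):
            return rule.action
    return DEFAULT_ACTION


class StatefulFilter:
    """Same ACL, but rules flagged check_conn only admit packets belonging to a connection
    an internal host opened earlier; inactive entries time out."""

    def __init__(self):
        self.table = {}  # (home_ip, remote_ip, home_port, remote_port, proto) -> last activity

    def _expire(self, now: float) -> None:
        self.table = {k: t for k, t in self.table.items() if now - t <= IDLE_TIMEOUT}

    def filter(self, pkt: Packet, now: float = 0.0) -> str:
        self._expire(now)
        for rule in ACL:
            if not rule_matches(rule, pkt):
                continue
            if rule.check_conn:
                key = (pkt.dst_ip, pkt.src_ip, pkt.dst_port, pkt.src_port, pkt.proto)
                if key not in self.table:
                    return "deny"       # no existing connection: reject the packet
                self.table[key] = now   # refresh activity time
                return "allow"
            # Outbound packet permitted by the ACL: record the connection.
            # For TCP only a SYN creates state, so a stray outbound ACK cannot open a hole.
            if pkt.proto == "udp" or pkt.syn:
                self.table[(pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port, pkt.proto)] = now
            return "allow"
        return DEFAULT_ACTION


def demo() -> dict:
    fw = StatefulFilter()
    # The lecture's two table entries, with constructed port numbers
    fw.table[("222.22.2.2", "199.1.205.1", 40001, 80, "tcp")] = 0.0
    fw.table[("222.22.22.77", "203.77.5.55", 40002, 80, "tcp")] = 0.0
    # The lecture's arriving packet: 199.5.5.20:80, ACK = 1 -> 222.22.2.2:36500
    reply = Packet("199.5.5.20", "222.22.2.2", "tcp", 80, 36500, ack=True)
    results = {"stateless": stateless_filter(reply), "stateful_before": fw.filter(reply, now=0.0)}
    # Now the internal host opens the connection itself (SYN), and the same reply is admitted
    fw.filter(Packet("222.22.2.2", "199.5.5.20", "tcp", 36500, 80, syn=True), now=1.0)
    results["stateful_after"] = fw.filter(reply, now=2.0)
    # After the idle timeout the entry has been removed and the reply is rejected again
    results["after_timeout"] = fw.filter(reply, now=2.0 + IDLE_TIMEOUT + 1.0)
    return results


if __name__ == "__main__":
    print(demo())
```

The stateless filter admits the lecture’s reply packet because its header satisfies the “source port 80, ACK set” rule; the stateful filter rejects it until an internal host has actually opened the connection, and rejects it again once the entry has idled out.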
Application Gateways
• Firewalls only read packet headers
• What if you want to allow user based access instead of host based (using IP addresses)?
– Requires user authentication
– This is beyond the capability of stateless/stateful filters
• Application layer is involved
– overhead more than inspecting packets at the network and transport layers
• An application specific filter
– Example: allow select internal users to telnet outside; the AG prompts for username/password
Application Gateways
[Figure: host-to-gateway telnet session, application gateway, router and filter, gateway-to-remote host telnet session]
1. require all telnet users to telnet through gateway.
2. for authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections
3. router filter blocks all telnet connections not originating from gateway.
Host based Firewalls
• A software module to secure an individual host
• Available in many OS and often used in servers
• Can tailor filtering rules to match the host environment
• Independent of the network topology
• Provides additional layer of protection
Firewall Configurations
• DMZ: Demilitarized Zone that hosts the organisation’s external facing services
• Outside router only advertises servers in the DMZ
Limitations of firewalls/gateways
• IP spoofing: router can’t know if data “really” comes from claimed source
• filters often use all or nothing policy for UDP
• if multiple app’s. need special treatment, each has own app. gateway
• client software must know how to contact gateway.
– e.g., must set IP address of proxy in Web browser
• tradeoff: degree of communication with outside world, level of security
• many highly protected sites still suffer from attacks
Intrusion detection systems
• Packet filtering:
– operates on TCP/IP headers only
– no correlation check among sessions
• IDS: intrusion detection system
– deep packet inspection: look at packet contents (e.g., check character strings in packet against database of known virus, attack strings)
– examine correlation among multiple packets
  • port scanning
  • network mapping
  • DoS attack
Intrusion detection systems
• multiple IDSs: different types of checking at different locations
[Figure: dual firewall with IDS sensors in front of the internal network and the Web, FTP and DNS servers]
Intrusion detection systems
• Intrusion [RFC 2828 Internet Security Glossary]
– A security event or a combination of security events in which an intruder gains, or attempts to gain, access to a system (or system resources) without having authorization to do so
– Intruder may be from outside the network or a legitimate user of the network
– Intruder attacks range from gentle (just looking around) to the serious (reading privileged data, performing unauthorized modifications, disrupting services etc.)
• Intrusion detection
– A security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner
Intrusion detection systems
• Denial of service
– Attempts to crash a service or machine, overload network links, CPU, or fill up the disk, e.g. by sending lots of packets
• Port Scanning
– Intruder sends packets to a list of ports trying to find open vulnerable ports. Next step could be to deliver malicious code at a vulnerable port
• Securing remote shell privileges
– Intruder opens a shell on the victim machine, allowing arbitrary code execution
• Network mapping
• Worms, viruses, trojans
• OS vulnerabilities attacks
Intrusion Techniques
• Target identification and information gathering
– OSINT (Open Source Intelligence)
• Gaining Access
– Vulnerability identification
– Acquire passwords (guess or brute force)
– Install reverse shell
• Privilege Escalation
– Exercise access rights of owner
Intrusion Techniques
• Motivated by thrill of access and status
– hacking community a strong meritocracy
– status is determined by level of competence
• Benign intruders might be tolerable
– do consume resources and may slow performance
– can’t know in advance whether benign or malign
• Awareness led to establishment of Computer Emergency Response Teams (CERTs)
– collect / disseminate vulnerability info / responses
– hackers also have access to CERT reports
Elements of Intrusion Detection
• Primary assumptions:
– System activities are observable
– Normal and intrusive activities have distinct evidence
• Components of intrusion detection systems:
– From an algorithmic perspective:
  • Features – capture intrusion evidences
  • Models – piece evidences together
– From a system architecture perspective:
  • Various components: audit data processor, knowledge base, decision engine, alarm generation and responses
Components of Intrusion Detection
[Figure: activity data → audit records → audit data preprocessor → detection engine (detection models) → decision engine (decision table) → action/report; assumptions shown: system activities are observable, normal and intrusive activities have distinct evidence]
Elements of Intrusion Detection
– Recording of all security relevant events of a supervised
– Collects the input for intrusion detection module
• Audit data delivers information on:
– Who accessed?
– When, where and how?
– Whose and which resource?
• Audit data requires integrity protection
– Attacker can wipe out traces of malicious behavior
Intrusion Detection Approaches
• Features: evidences extracted from audit data
• Analysis approach: piecing the evidences together
– Misuse detection (a.k.a. signature-based)
– Anomaly detection (a.k.a. statistical-based)
Signature based IDS
• Uses a predefined proper (or bad) set of rules and patterns
– Event audit analysis reveals signatures for known past
• ID system is programmed to interpret a certain series of packets, or a certain piece of data contained in those packets, as an attack
• Mostly based on pattern matching systems
– An IDS that watches web servers might be programmed to look for the string “phf” as an indicator of a CGI program attack (for example, the “phf” in “GET /cgi-bin/phf?”)
Signature based IDS
[Figure: pattern matching of activities against intrusion patterns (sequences of system calls, patterns of network traffic, etc.)]
• Example: if (traffic contains “x90+de[^\r\n]{30}”) then “attack detected”
• Can’t detect new attacks
Signature based IDS
Drawbacks:
• Requires prior knowledge of potential attacks and only works if the attack signature is in the database
• Signature database requires continuous updating
• Higher rate of “false negative” with outdated database
Anomaly based IDS
• Consider normal/expected behavior of legitimate users over a period of time; apply statistical tests to detect intruder
• Intruder unlikely to mimic the behavior pattern of the legitimate user
– Profile based (time/duration/IP for login)
– Threshold based (various events such as %age of ICMP
• An attack scenario does not need to be defined a priori
Anomaly Detection
[Plot: activity measures (process size against page faults) showing the normal profile region and an abnormal point labelled “probable intrusion”]
• Define a profile describing normal behavior, then detect deviations
Anomaly Detection
• Relatively high “false positive” rates
– Anomalies could be just new normal activities
– Anomalies caused by other elements faults e.g., router misconfigurations
• Privacy of users
– Collecting specific user patterns
– Work related and personal habits
• “false negative”, if a normal behavior pattern matches an attack pattern
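The threshold-based profile described in the anomaly detection slides above, as an added example that is not part of the lecture: a profile of the share of ICMP packets per one-minute window is built from normal windows, and later windows whose share lies more than k standard deviations from the profile mean are flagged; folding a confirmed-benign window back into the profile shows how a “new normal” stops producing false positives. The window size, the threshold k = 3, the log-line format (timestamp, protocol, source, destination), the twelve baseline values and the constructed packet log are all assumptions for this example.

```python
"""Threshold-based anomaly detection on the share of ICMP traffic per time window.
Added example for this page, not from the lecture; every number below is constructed."""
import statistics
from collections import defaultdict

WINDOW = 60   # seconds per window (assumed)
K = 3.0       # flag values more than K standard deviations from the profile mean (assumed)

# Constructed profile data: ICMP share of all packets in twelve normal one-minute windows
NORMAL_WINDOWS = [0.02, 0.03, 0.01, 0.02, 0.04, 0.03, 0.02, 0.02, 0.03, 0.01, 0.02, 0.03]


class Profile:
    """Statistical profile of normal behaviour for one activity measure."""

    def __init__(self, samples, k=K):
        self.samples = list(samples)
        self.k = k
        self._refit()

    def _refit(self):
        self.mean = statistics.mean(self.samples)
        self.stdev = statistics.pstdev(self.samples)

    def is_anomalous(self, value: float) -> bool:
        return abs(value - self.mean) > self.k * self.stdev

    def learn(self, value: float) -> None:
        """Fold a window an analyst confirmed as benign into the profile (a 'new normal')."""
        self.samples.append(value)
        self._refit()


def icmp_share_per_window(log_lines):
    """log_lines: 'timestamp proto src dst' records; returns {window_start: icmp_fraction}."""
    counts = defaultdict(lambda: [0, 0])  # window -> [icmp packets, all packets]
    for line in log_lines:
        ts, proto = line.split()[:2]
        window = int(float(ts)) // WINDOW * WINDOW
        counts[window][1] += 1
        if proto.lower() == "icmp":
            counts[window][0] += 1
    return {w: icmp / total for w, (icmp, total) in sorted(counts.items())}


def detect(log_lines, profile=None):
    """Return the start times of the windows whose ICMP share deviates from the profile."""
    profile = profile or Profile(NORMAL_WINDOWS)
    return [w for w, share in icmp_share_per_window(log_lines).items() if profile.is_anomalous(share)]


def constructed_log():
    """Two windows: an ordinary mix, then a burst of ICMP aimed at many internal hosts."""
    lines = []
    for i in range(50):   # window 0: 1 ICMP packet in 50
        lines.append(f"{i} {'icmp' if i == 0 else 'tcp'} 222.22.1.5 203.77.5.55")
    for i in range(50):   # window 60: 30 ICMP packets in 50, each to a different internal host
        lines.append(f"{60 + i} {'icmp' if i < 30 else 'tcp'} 199.5.5.20 222.22.1.{i + 1}")
    return lines


if __name__ == "__main__":
    print(icmp_share_per_window(constructed_log()))
    print("anomalous windows:", detect(constructed_log()))
```

The first window (2% ICMP) sits inside the profile; the second (60% ICMP) is flagged. The same test also illustrates the slides’ false positive caveat: a profile learned from too few, too uniform samples has a near-zero standard deviation and flags almost any change until it is taught the new normal.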
IDS Deployment
• Network based
– Monitor network traffic
• Host based
– Monitor single host activity and computer processes
– Permits combined analysis of system events and network traffic
Host based IDS
• Specialized software to monitor system activity for detecting suspicious behavior
– Log all relevant system events (e.g., file/device accesses)
– Monitor shell commands and system calls executed by user applications and system programs
– Pay a price in performance if every system call is filtered
• Problems:
– User dependent: install/update IDS on all user machines!
– If attacker takes over machine, can tamper with IDS binaries and modify audit logs
– Only local view of the attack
Network IDS
• NIDS monitors traffic at selected points on a network
– In near real-time to detect intrusion patterns
• Deploying sensors at strategic locations
– Packet sniffing via tcpdump at routers
• Inspecting network traffic
– Watch for violations of protocols and unusual connections
– Look into the packet payload for malicious code
• Limitations
– Cannot execute the payload or do any code analysis
– Record and process huge amount of traffic
– Easily defeated by encryption
NIDS Deployment
[Figure: dual firewall with four sensor positions; internal network; DNS, Web and FTP servers]
1. monitor and document unfiltered packets;
2. monitor filtered
3. protect major backbones; monitor internal/external attacks
4. special IDS to provide additional protection for critical systems
Wireless IDS
• Wireless inherent characteristics provide the relative ease of accessing (and injecting) network communications
– Each frame is broadcast
• On the other hand, there are complexities involved in monitoring wireless communications
– 2 common frequency bands (5 GHz and 2.4 GHz)
– Several channels within each band
• A wireless sensor can monitor a single channel at a time
– A sensor will miss malicious activity occurring on other channels when it is monitoring one particular channel
– Attacker can launch attack simultaneously on two different channels
Wireless IDS
• Wireless sensors normally perform channel scanning
– They can monitor each channel a few times per second
§ Attacker can attack in short bursts on un-scanned channels
– Each sensor sees only a fraction of the activity on each channel
§ Forensics data is incomplete
• Wireless IDS can use specialized hardware with multiple radios and antennas
• The actual range of the wireless sensor depends on the surrounding facilities, location of people within the facility and other changing characteristics
SNORT
• An open source lightweight IDS
– Real time packet capture and rules analysis
– Can work in inline or passive modes
• Components:
– Decoder
– Detector
– Logger
– Alerter
SNORT Rules
• use a simple, flexible rule definition language
• each rule consists of a fixed header and zero or more options
action protocol SIP Sport
• Actions:
– alert: Generate an alert using the selected alert method, and then log the packet.
– log: Log the packet.
– pass: Ignore the packet.
– drop: Drop the packet and log.
– reject: Drop the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP.
– sdrop: Silently drop the packet but do not log.
• Last three actions only in inline mode
• Protocols supported: TCP, UDP, IP & ICMP
• Direction: -> & <>
SNORT Rule Options (subset)
– nocase: Ignore case. Nocase modifies the previous content keyword in the rule.
– msg: Defines the message to be sent when a packet generates an event.
– reference: Defines a link to an external attack identification system, which provides additional information.
– classtype: Indicates what type of attack the packet attempted.
– sid: Signature ID for the rule.
– content: Enables Snort to perform a case-sensitive search for specific content (text and/or binary) in the packet payload.
– depth: Specifies how far into a packet Snort should search for the specified pattern. Depth modifies the previous content keyword in the rule.
– offset: Specifies where to start searching for a pattern within a packet. Offset modifies the previous content keyword in the rule.
• Non-payload:
– ttl: Check the IP time-to-live value. This option was intended for use in the detection of traceroute attempts.
– id: Check the IP ID field for a specific value. Some tools (exploits, scanners and other odd programs) set this field specifically for various purposes, for example, the value 31337 is very popular with some hackers.
– dsize: Test the packet payload size. This may be used to check for abnormally sized packets. In many cases, it is useful for detecting buffer overflows.
– flags: Test the TCP flags for specified settings.
– seq: Look for a specific TCP header sequence number.
• Post-detection:
– logto: Log packets matching the rule to the specified filename.
– session: Extract user data from TCP sessions. There are many cases where seeing what users are typing in telnet, rlogin, ftp, or even web sessions is very useful.
SNORT Rules
log udp any any -> 192.168.1.0/24 1:1024
– Log UDP traffic with any source IP and any source port whose destination is any IP within 192.168.1.0/24 and any destination port less than or equal to 1024
alert tcp any any -> any any (flags: SF; msg: "Possible SYN FIN scan";)
– Alert if both SYN and FIN flags are set at the same time
alert tcp any any -> any any (msg:"Possible exploit"; content:"|90|"; offset:40; depth:75; dsize: >6000;)
– Alert for NOP instructions between bytes 40 and 75 of the data portion of a packet when the payload size is > 6000 bytes.
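A minimal evaluator for the three rules above (and for the pattern-matching idea of the Signature based IDS slides), added here as an example that is neither the lecture’s nor Snort’s own code: it parses the rule header and a subset of the options (flags, msg, content with |hex| bytes, offset, depth, dsize) and checks constructed packets against the rules. The Packet type, the parser, the test packets and the private addresses 10.0.0.5 / 192.168.1.x are assumptions for this example; the content search window is taken as payload[offset : offset + depth], i.e. depth counted from the offset, which is an assumption about Snort’s semantics made here and not something the slides state.

```python
"""Minimal evaluator for the Snort rules on this page. Added example, not the lecture's or Snort's code."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""        # TCP flag letters, e.g. "SF" for SYN+FIN
    payload: bytes = b""


def parse_rule(text: str) -> dict:
    """Split 'action proto sip sport dir dip dport (opt:val; ...)' into a dict."""
    head, _, opts = text.partition("(")
    action, proto, sip, sport, direction, dip, dport = head.split()
    options = []
    for item in opts.rstrip(")").split(";"):
        if item.strip():
            key, _, val = item.partition(":")
            options.append((key.strip(), val.strip().strip('"')))
    return {"action": action, "proto": proto, "sip": sip, "sport": sport,
            "dir": direction, "dip": dip, "dport": dport, "options": options}


def content_bytes(spec: str) -> bytes:
    """Snort content syntax: text, with |..| sections holding hex bytes (e.g. "|90|")."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return bytes(out)


def ip_match(spec: str, ip: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_match(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if ":" in spec:                       # range "lo:hi", either end may be omitted
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def header_match(rule: dict, pkt: Packet) -> bool:
    if rule["proto"] not in (pkt.proto, "ip"):
        return False
    forward = (ip_match(rule["sip"], pkt.src) and port_match(rule["sport"], pkt.sport)
               and ip_match(rule["dip"], pkt.dst) and port_match(rule["dport"], pkt.dport))
    if rule["dir"] == "->":
        return forward
    reverse = (ip_match(rule["sip"], pkt.dst) and port_match(rule["sport"], pkt.dport)
               and ip_match(rule["dip"], pkt.src) and port_match(rule["dport"], pkt.sport))
    return forward or reverse             # "<>" matches either direction


def dsize_match(spec: str, size: int) -> bool:
    op, value = re.fullmatch(r"\s*([<>]?)\s*(\d+)\s*", spec).groups()
    return {"<": size < int(value), ">": size > int(value), "": size == int(value)}[op]


def options_match(rule: dict, pkt: Packet) -> bool:
    """Supports one content keyword per rule; offset/depth modify the preceding content."""
    content, offset, depth = None, 0, None
    for key, val in rule["options"]:
        if key == "flags" and set(val) != set(pkt.flags):    # exact flag set, as in "flags:SF"
            return False
        if key == "dsize" and not dsize_match(val, len(pkt.payload)):
            return False
        if key == "content":
            content, offset, depth = content_bytes(val), 0, None
        elif key == "offset":
            offset = int(val)
        elif key == "depth":
            depth = int(val)
    if content is not None:
        end = len(pkt.payload) if depth is None else offset + depth   # assumed: depth from offset
        return pkt.payload.find(content, offset, end) >= 0
    return True


def evaluate(rules: list, pkt: Packet) -> list:
    """Return (action, msg) for every rule the packet triggers, in rule order."""
    hits = []
    for rule in rules:
        if header_match(rule, pkt) and options_match(rule, pkt):
            hits.append((rule["action"], dict(rule["options"]).get("msg", "")))
    return hits


RULES = [parse_rule(t) for t in (
    'log udp any any -> 192.168.1.0/24 1:1024',
    'alert tcp any any -> any any (flags: SF; msg: "Possible SYN FIN scan";)',
    'alert tcp any any -> any any (msg:"Possible exploit"; content:"|90|"; offset:40; depth:75; dsize: >6000;)',
)]

# Constructed packets (private addresses), one per rule
SYN_FIN = Packet("tcp", "10.0.0.5", 40000, "192.168.1.10", 22, flags="SF")
NOP_SLED = Packet("tcp", "10.0.0.5", 40001, "192.168.1.10", 80, flags="PA",
                  payload=b"A" * 50 + b"\x90" * 20 + b"B" * 6000)
DNS_QUERY = Packet("udp", "10.0.0.5", 5353, "192.168.1.53", 53)

if __name__ == "__main__":
    for pkt in (SYN_FIN, NOP_SLED, DNS_QUERY):
        print(evaluate(RULES, pkt))
```

Each constructed packet triggers exactly one of the page’s rules: the SYN+FIN packet the flags rule, the oversized payload with 0x90 bytes inside the search window the content/dsize rule, and the UDP packet to port 53 inside 192.168.1.0/24 the log rule. A UDP packet to a port above 1024 matches nothing.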
Reading list
Kurose Ross, Computer Networking: A Top-Down Approach, Chapter 8
CyBoK Network Security Knowledge Area
https://www.cybok.org/media/downloads/Network_Security_KA_-_Issue_1.0_January_2019.pdf
Firewall Best Practices
https://www.net.in.tum.de/fileadmin/TUM/NET/NET-2016-09-1/NET-2016-09-1_01.pdf
NIST Guide to Intrusion Detection and Prevention Systems
https://csrc.nist.gov/publications/detail/sp/800-94/final
Snort Manual
http://manual-snort-org.s3-website-us-east-1.amazonaws.com