Sie sind auf Seite 1von 48

8/18/2010

Chapter 6

1.
Legitimate hosts send innocent packets.
Attackers send attack packets.

2.
Ingress packets come into a site.
Egress packets go out from a site.

2
Copyright Pearson Prentice-Hall 2010

1
8/18/2010

Firewalls drop and log


provable attack packets

3
Copyright Pearson Prentice-Hall 2010

Firewalls do not drop packets unless


they are provably attack packets.
This means that some attack packets
that are not provably attack packets
get through the firewall.

4
Copyright Pearson Prentice-Hall 2010

2
8/18/2010

 The Problem
◦ If a firewall cannot filter all of the traffic passing
through it, it drops packets it cannot process
◦ This is secure because it prevents attack packets
from getting through
◦ But it creates a self-inflicted denial-of-service
attack by dropping legitimate traffic

5
Copyright Pearson Prentice-Hall 2010

 Firewall Capacity
◦ Firewalls must have the capacity to handle the
incoming traffic volume
◦ Some can handle normal traffic but cannot handle
traffic during heavy attacks!
◦ They must be able to handle incoming traffic at
wire speed—the maximum speed of data coming
into each port

6
Copyright Pearson Prentice-Hall 2010

3
8/18/2010

 Performance – must have sufficient processing


capacity and RAM to process all packets.

 Packets that do not get processed must be


dropped.

 Two factors drive performance requirement

1. Volume of traffic to be filter

2. Complexity of filtering

 Ensuring adequate performance – Check log file


everyday

6-2: The Danger of Traffic Overload

Complexity
Performance
of Filtering:
Requirements
Number of
Filtering
Rules,
Complexity
If a firewall cannot inspect packets
Of rules, etc.
fast enough, it will drop unchecked
packets rather than pass them

Traffic Volume (Packets per Second)

4
8/18/2010

 Processing Power Is Increasing Rapidly


◦ As processing power increases, more sophisticated
filtering methods should become possible
◦ We can even have unified threat management
(UTM), in which a single firewall can use many
forms of filtering, including antivirus filtering and
even spam filtering. (Traditional firewalls do not do
these types of application-level malware filtering)
◦ However, increasing traffic is soaking up much of
this increasing processing power

9
Copyright Pearson Prentice-Hall 2010

 Firewall Filtering Mechanisms


◦ There are many types
◦ We will focus most heavily on the most important
firewall filtering method, stateful packet inspection
(SPI)
◦ Single firewalls can use multiple filtering
mechanisms, most commonly, SPI with other
secondary filtering mechanisms

10
Copyright Pearson Prentice-Hall 2010

5
8/18/2010

11

 Static Packet Filtering


◦ This was the earliest firewall filtering mechanism
◦ Limits
 Examines packets one at a time, in isolation
 Only looks at some internet and transport headers
 Consequently, unable to stop many types of
attacks

12
Copyright Pearson Prentice-Hall 2010

6
8/18/2010

Static Packet Filter Firewall


Corporate Network The Internet
Permit IP-H TCP-H Application Message
(Pass)

IP-H UDP-H Application Message

Deny
(Drop) IP-H ICMP-H ICMP Message

Log Static Only IP, TCP, UDP and ICMP


File Packet Headers Examined
Filter
Firewall

Static Packet Filter Firewall


Corporate Network The Internet
Permit IP-H TCP-H Application Message
(Pass)

IP-H UDP-H Application Message

Deny
(Drop) IP-H ICMP-H ICMP Message

Static Arriving Packets


Log
Packet Examined One at a Time, in Isolation;
File
Filter This Misses Many Attacks
Firewall

7
8/18/2010

 Inspects Packets One at a Time, in Isolation


◦ If it receives a packet containing a SYN/ACK
segment, this may be a legitimate response to an
internally initiated SYN segment
 The firewall must pass packets containing these
segments, or internally initiated communications
cannot exist

15
Copyright Pearson Prentice-Hall 2010

 Inspects Packets One at a Time, in Isolation


◦ However, this SYN/ACK segment could be an
external attack
 It could be sent to elicit an RST segment
confirming that there is a victim at the IP address
to which the SYN/ACK segment is sent
 A static packet filtering firewall cannot stop this
attack

16
Copyright Pearson Prentice-Hall 2010

8
8/18/2010

 However, Static Packet Filtering Can Stop


Certain Attacks Very Efficiently
◦ Incoming ICMP Echo packets and other scanning
probe packets
◦ Outgoing responses to scanning probe packets
◦ Packets with spoofed IP addresses (e.g., incoming
packets with the source IP addresses of hosts inside
the firm)
◦ Packets that have nonsensical field settings —such
as a TCP segment with both the SYN and FIN bits set

17
Copyright Pearson Prentice-Hall 2010

 Market Status
◦ No longer used as the main filtering mechanism for
border firewalls
◦ May be used as a secondary filtering mechanism on
main border firewalls

18
Copyright Pearson Prentice-Hall 2010

9
8/18/2010

 Market Status
◦ Also may be implemented in border routers, which
lie between the Internet and the firewall
 Stops simple, high-volume attacks to reduce the
load on the main border firewall

19
Copyright Pearson Prentice-Hall 2010

20

10
8/18/2010

 Connections have distinct states or stages


 Different states are subject to different
attacks
 Stateful firewalls use different filtering rules
for different states

Connection Ongoing Connection


Opening Communication Closing
State State State

21
Copyright Pearson Prentice-Hall 2010

22
Copyright Pearson Prentice-Hall 2010

11
8/18/2010

23
Copyright Pearson Prentice-Hall 2010

 Default Behavior

◦ Permit connections initiated by an internal host

◦ Deny connections initiated by an external host

◦ Can change default behavior with ACL

Automatically Accept Connection Attempt

Router Internet

Automatically Deny Connection Attempt

12
8/18/2010

25
Copyright Pearson Prentice-Hall 2010

26
Copyright Pearson Prentice-Hall 2010

13
8/18/2010

 Static Packet Filter Firewalls are Stateless

◦ Filter one packet at a time, in isolation

◦ If a TCP SYN/ACK segment is sent, cannot tell if there


was a previous SYN to open a connection

◦ But stateful firewalls can

Stateful Firewall
1.
2.
Spoofed
Check Attacker
Internal TCP SYN/ACK Segment
Connection Table: Spoofing
Client PC From: 10.5.3.4.:80
No Connection External
60.55.33.12 To: 60.55.33.12:64640
Match: Drop Webserver
10.5.3.4
Connection Table

Internal Internal External External


Type Status
IP Port IP Port

TCP 60.55.33.12 62600 123.80.5.34 80 OK


UDP 60.55.33.12 63206 222.8.33.4 69 OK

14
8/18/2010

 Static Packet Filter Firewalls are Stateless

◦ Filter one packet at a time, in isolation

◦ Cannot deal with port-switching applications

◦ But stateful firewalls can

2.
To Establish
1. Connection 3.
TCP SYN Segment TCP SYN Segment
From: 60.55.33.12:62600 From: 60.55.33.12:62600
To: 123.80.5.34:21 To: 123.80.5.34:21

Internal
Client PC External
Stateful Firewall
60.55.33.12 FTP Server
123.80.5.34
State Table
Internal Internal External External
Type Status
IP Port IP Port
Step 2 TCP 60.55.33.12 62600 123.80.5.34 21 OK

15
8/18/2010

6. 4.
TCP SYN/ACK Segment Stateful TCP SYN/ACK Segment External
Internal From: 123.80.5.34:21 Firewall From: 123.80.5.34:21 FTP
Client PC To: 60.55.33.12:62600 5. To: 60.55.33.12:62600 Server
60.55.33.12 Use Ports 20 To Allow, Use Ports 20 123.80.5.34
and 55336 for Establish and 55336 for
Data Transfers Second Data Transfers
Connection

State Table Internal Internal External External


Type Status
IP Port IP Port
Step 2 TCP 60.55.33.12 62600 123.80.5.34 21 OK

Step 5 TCP 60.55.33.12 55336 123.80.5.34 20 OK

Port Primary Application


Protocol*

20 TCP FTP Data Traffic


21 TCP FTP Supervisory Connection
22 TCP Secure Shell (SSH)
23 TCP Telnet
25 TCP Simple Mail Transfer Protocol (SMTP)
53 TCP Domain Name System (DNS)

*In many cases, both TCP and UDP can be used by an application. In
such cases, the same port number is used for both. Typically,
however, the use of either TCP or UDP will be predominant.

32
Copyright Pearson Prentice-Hall 2010

16
8/18/2010

Port Primary Application


Protocol

69 UDP Trivial File Transfer Protocol (TFTP)


80 TCP Hypertext Transfer Protocol (HTTP)
110 TCP Post Office Protocol (POP)
135- TCP NETBIOS service for peer-to-peer file sharing in older
139 versions of Windows

143 TCP Internet Message Access Protocol (IMAP)


161 UDP Simple Network Management Protocol (SNMP)
443 TCP HTTP over SSL/TLS

33
Copyright Pearson Prentice-Hall 2010

 Access Control List Operation


◦ An ACL is a series of rules for allowing or disallowing
connections
◦ The rules are executed in order, beginning with the
first
 If a rule DOES NOT apply to the connection-
opening attempt, the firewall goes to the next ACL
rule
 If the rule DOES apply, the firewall follows the rule,
no further rules are executed
◦ If the firewall reaches the last rule in the ACL, it
follows that rule
34
Copyright Pearson Prentice-Hall 2010

17
8/18/2010

 Ingress ACL’s Purpose


◦ The default behavior is to drop all attempts to open
a connection from the outside
◦ All ACL rules except for the last give exceptions to
the default behavior under specified circumstances
◦ The last rule applies the default behavior to all
connection-opening attempts that are not allowed
by earlier rules are executed by this last rule

35
Copyright Pearson Prentice-Hall 2010

Access Control List (ACLs)

 1. If source IP address = 10.*.*.*, DENY [private IP


address range]

 2. If source IP address = 172.16.*.* to 172.31.*.*,


DENY [private IP address range]

 3. If source IP address = 192.168.*.*, DENY [private IP


address range]

 4. If source IP address = 60.40.*.*, DENY [firm’s


internal address range]

18
8/18/2010

Access Control List (ACLs)

 5. If source IP address = 1.2.3.4, DENY [black-holed


address of attacker]

 6. If TCP SYN=1 AND FIN=1, DENY [crafted attack


packet]

 7. If destination IP address = 60.47.3.9 AND TCP


destination port=80 OR 443, PASS [connection to a
public webserver]

 8. If TCP SYN=1 AND ACK=0, DENY [attempt to open a


connection from the outside]

Access Control List (ACLs)

 9. If TCP destination port = 20, DENY [FTP data


connection]

 10. If TCP destination port = 21, DENY [FTP supervisory


control connection]

 11. If TCP destination port = 23, DENY [Telnet data


connection]

 12. If TCP destination port = 135 through 139, DENY


[NetBIOS connection for clients]

19
8/18/2010

Access Control List (ACLs)

 13. If TCP destination port = 513, DENY [UNIX rlogin


without password]

 14. If TCP destination port = 514, DENY [UNIX rsh


launch shell without login]

 15. If TCP destination port = 22, DENY [SSH for secure


login, but some versions are insecure]

 16. If UDP destination port=69, DENY [Trivial File


Transfer Protocol; no login necessary]

 17. If ICMP Type = 0, PASS [allow incoming echo reply


messages]

 DENY ALL

 DENY ALL
◦ Last rule
◦ Drops any packets not specifically permitted
by earlier rules

20
8/18/2010

 Low Cost
◦ Most packets are not part of packet-opening
attempts
◦ These can be handled very simply and therefore
inexpensively
◦ Connection-opening attempt packets are more
expensive process but are rare

41
Copyright Pearson Prentice-Hall 2010

 Safety
◦ Attacks other than application-level attacks usually
fail to get through SPI firewalls
◦ In addition, SPI firewalls can use other forms of
filtering when needed

42
Copyright Pearson Prentice-Hall 2010

21
8/18/2010

 Dominance
◦ The combination of high safety and low cost makes
SPI firewalls extremely popular
◦ Nearly all main border firewalls today use stateful
packet inspection

43
Copyright Pearson Prentice-Hall 2010

44

22
8/18/2010

45
Copyright Pearson Prentice-Hall 2010

 Sniffers on the Internet cannot learn internal IP addresses


and port numbers

◦ Only learn the translated address and port number

 By themselves, provide a great deal of protection against


attacks

◦ External attackers cannot create a connection to an


internal computers

23
8/18/2010

47

48
Copyright Pearson Prentice-Hall 2010

24
8/18/2010

49
Copyright Pearson Prentice-Hall 2010

Topic Application Stateful Remarks


Proxy Packet
Firewalls Inspection
Firewalls
Can examine Always As an Extra
application layer Feature
content

Capabilities for Somewhat Somewhat


application layer More Less
content filtering

50
Copyright Pearson Prentice-Hall 2010

25
8/18/2010

Topic Application Stateful Remarks


Proxy Packet
Firewalls Inspection
Firewalls
Uses Relay Yes No Maintaining two
Operation with connections is highly
two processing intensive.
connections Cannot support many
per client/server pairs.
client/server Consequently,
pair? application proxy
firewalls cannot be used
as main border firewalls
Speed Slow Fast

51
Copyright Pearson Prentice-Hall 2010

Intrusion Detection Systems and


Intrusion Prevention Systems

52

26
8/18/2010

 Perspective
◦ Growing processing power made stateful packet
inspection possible
◦ Now, growing processing power is making a new
firewall filtering method attractive
◦ Intrusion prevention systems (IPSs)

53
Copyright Pearson Prentice-Hall 2010

 Intrusion Detection Systems (IDSs)


◦ Firewalls drop provable attack packets only
◦ Intrusion detection systems (IDSs) look for
suspicious traffic
 Cannot drop because the packet is merely
suspicious
◦ Sends an alarm message if the attack appears to be
serious

54
Copyright Pearson Prentice-Hall 2010

27
8/18/2010

 Intrusion Detection Systems (IDSs)


◦ Problem: Too many false positives (false alarms)
 Alarms are ignored or the system is discontinued
 Can reduce false positives by tuning the IDSs
 Eliminate inapplicable rules, such as a Unix rule in
an all-Windows company
 Reduce the number of rules allowed to generate
alarms
 Most alarms will still be false alarms

55
Copyright Pearson Prentice-Hall 2010

 Intrusion Detection Systems (IDSs)


◦ Problem: Heavy processing requirements because
of sophisticated filtering
 Deep packet inspection
 Looks at application content and transport and
internet headers
 Packet stream analysis
 Looks at patterns across a series of packets
 Often, patterns cannot be seen unless many
packets are examined

56
Copyright Pearson Prentice-Hall 2010

28
8/18/2010

 Intrusion Prevention Systems (IPSs)


◦ Use IDS filtering mechanisms
◦ Application-specific integrated circuits (ASICs)
provide the needed processing power

57
Copyright Pearson Prentice-Hall 2010

 Intrusion Prevention Systems (IPSs)


◦ Attack confidence identification spectrum
 Somewhat likely
 Very likely
 Provable
◦ Firm may allow firewall to stop traffic at the high
end of the attack confidence spectrum
◦ Firm decides which attacks to stop
◦ This allows it to manage its risks
58
Copyright Pearson Prentice-Hall 2010

29
8/18/2010

 Possible Actions
◦ Drop packets
 Risky for suspicious traffic even with high
confidence
◦ Bandwidth limitation for certain types of traffic
 Limit to a certain percentage of all traffic
 Less risky than dropping packets
 Useful when confidence is lower

59
Copyright Pearson Prentice-Hall 2010

60

30
8/18/2010

 Traditional Firewalls Do Not Do Antivirus Filtering


 They Pass Files Needing Filtering to an Antivirus Server

61
Copyright Pearson Prentice-Hall 2010

 Unified Threat Management (UTM) Firewalls


Go Beyond Traditional Firewall Filtering
◦ SPI
◦ Antivirus Filtering
◦ VPNs
◦ DoS Protection
◦ NAT

62
Copyright Pearson Prentice-Hall 2010

31
8/18/2010

63

 Introduction

◦ Attack on availability

◦ Act of vandalism

1. Single-Message DoS Attacks

◦ Crash a host with a single attack packet

◦ Examples: Ping-of-Death, Teardrop, and LAND

◦ Send unusual combination for which developers did not test

32
8/18/2010

2. Flooding Denial-of-Service Attacks

i. SYN flooding

 Try to open many connections with SYN


segments
 Victim must prepare to work with many
connections
 Victim crashes if runs out of resources; at
least slows down
 More expensive for the victim than the
attacker

Denial-of-Service (DoS) Attacks


2. Flooding Denial-of-Service Attacks
i. SYN flooding

SYN SYN SYN SYN SYN

Attacker Sends Flood of SYN Segments


Victim Sets Aside Resources for Each Victim
Attacker Crashes or Victim Becomes Too Overloaded
to Respond to the SYNs from Legitimate Victim
1.34.150.37
Uses 60.168.47.47

33
8/18/2010

2. Flooding Denial-of-Service Attacks


ii. Smurf flooding “Innocent” Firm

Echo

Attacker 4.
2.
1.34.150.37 Echo
Router with
Replies
Broadcasting
1. Enabled
Single ICMP Echo Message
Source IP: 60.168.47.47
(Victim) Destination IP:
Broadcast 3.
Broadcast
Victim Echo
60.168.47.47 Message

2. Flooding Denial-of-Service Attacks


ii. Distributed DoS flooding Zombie
Attack Attack
Command Attack Packet
Command

Attacker Victim 60.168.47.47


1.34.150.37 Handler
Attack Packet
Attack
Command

Attack
Command
Zombie

Attack Packet
Attack
Command

Handler Zombie

34
8/18/2010

 Stopping DoS Attacks

◦ Ingress filtering to stop attack packets

◦ Limited ability of ingress filtering because link to ISP


might become overloaded

◦ Egress filtering by attacker’s company or ISP

◦ Requires cooperating from attacker’s company or ISP

◦ Requires a community response; victim cannot do it


alone

 Perspective
◦ Done by most main border firewalls
◦ DOS attacks are easy to detect but difficult to stop
because their traffic looks like legitimate packets

70
Copyright Pearson Prentice-Hall 2010

35
8/18/2010

SYN

SYN/
 TCP Half-
Half-Opening ACK
Attacks
No ACK
◦ Attacks SYN
 Attacker sends a TCP SYN
segment to a port
 The application program sends back a SYN/ACK
segment and sets aside resources
 The attacker never sends back an ACK, so the
victim keeps the resources reserved
 The victim soon runs out of resources and crashes
or can no longer serve legitimate traffic
71
Copyright Pearson Prentice-Hall 2010

SYN

SYN/
 TCP Half-
Half- ACK
Opening Attacks
No ACK
◦ Defenses
 Firewall intercepts the SYN from an external host
 Firewall sends back an SYN/ACK without passing
the segment on to the target host
 Only if the firewall receives a timely ACK does it
send the original SYN the destination host

72
Copyright Pearson Prentice-Hall 2010

36
8/18/2010

 Rate Limiting
◦ Set a limit on all traffic to a server—
both legitimate and DoS packets
◦ Keeps the entire network from being overloaded
◦ Not perfect—does not protect the target server or
allow legitimate traffic

73
Copyright Pearson Prentice-Hall 2010

 DoS Protection Is a Community Problem


◦ If an organization’s access line to the Internet
becomes overloaded, it cannot solve the problem
itself
◦ Its ISP or other upstream agencies must help

74
Copyright Pearson Prentice-Hall 2010

37
8/18/2010

75

A Firm Has Many Firewalls:


Screening border routers
Main border firewalls
Internal firewalls
Host firewalls on clients and servers
The Firewall Architecture Describes
how These Firewalls Work Together

76
Copyright Pearson Prentice-Hall 2010

38
8/18/2010

 DMZs Use Tri-


Tri-Homed Internal Border
Main Firewalls Network Router

◦ One subnet to the


border router DMZ

◦ One subnet to the DMZ (accessible to the outside


world)
◦ One subnet to the internal network
 Access from the internal subnet to the Internet is
nonexistent or minimal
 Access from the internal subnet to the DMZ is also
strongly controlled
77
Copyright Pearson Prentice-Hall 2010

 Demilitarized Zone (DMZ)


◦ Subnet for servers and application proxy firewalls
accessible via the Internet (Figure 6-22)
◦ Hosts in the DMZ must be especially hardened
because they will be accessible to attackers on the
Internet

78
Copyright Pearson Prentice-Hall 2010

39
8/18/2010

 Hosts in the DMZ


◦ Public servers (public webservers, FTP servers, etc.)
◦ Application proxy firewalls to require all Internet
traffic to pass through the DMZ
◦ External DNS server that knows only host names in
the DMZ

79
Copyright Pearson Prentice-Hall 2010

80

40
8/18/2010

 Firewalls Are Ineffective Without Planning and


Ongoing Management

 Defining Firewall Policies


◦ Policies are high-level statements about what to do
◦ E.g., HTTP connections from the Internet may only
go to servers in the DMZ

81
Copyright Pearson Prentice-Hall 2010

 Defining Firewall Policies


◦ Policies are more comprehensible than actual
firewall rules
◦ There may be multiple ways to implement a policy
 Defining policies instead of specific rules gives
implementers freedom to choose the best way to
implement a policy

82
Copyright Pearson Prentice-Hall 2010

41
8/18/2010

 Implementation
◦ Firewall hardening
 Firewall appliances are hardened at the factory
 Vendors sell software plus a server with a pre-
hardened operating system
 Firewall software on a general-purpose computer
requires the most on-site hardening

83
Copyright Pearson Prentice-Hall 2010

 Implementation
◦ Central firewall management systems (Figure 6-24)
 Creates a policy database
 Changes policies into ACL rules Firewall
Administrator
 Sends ACL rules out to
individual firewalls Policy Policy
Server

ACL Rule
ACL Rule

84
Copyright Pearson Prentice-Hall 2010

42
8/18/2010

Policy Source Destination Service Action Track Firewalls

1 Internal DNS UDP dns Pass None All


Servers
2 External Internal TCP http Drop Log All
3 External DMZ TCP http Pass None Border
webserver
4 Internal External TCP http Pass Log Border
5 Internal External ICMP Drop None Border
6 Internal Mail Server TCP smtp Authenticate Log if Central
Fail
7 Marketing Plans TCP http Authenticate Alert if Marketing
Server Fail
8 Any Plans TCP http Drop Log Marketing
Server
9 Any Any Any Drop Log All

85
Copyright Pearson Prentice-Hall 2010

 Implementation
◦ Vulnerability testing after configuration
 There will be problems
 Tests, like firewall configuration, should be based
on policies

86
Copyright Pearson Prentice-Hall 2010

43
8/18/2010

 Implementation
◦ Change authorization and management
 Limit the number of people who can make change
requests
 Limit the number of authorizers even more
 Require requesters and authorizers to be different
people
 Implement the rule in the most restrictive way
possible —
 To pass the least number of packets

87
Copyright Pearson Prentice-Hall 2010

 Implementation
◦ Change authorization and management
 Document all changes carefully
 Do vulnerability testing after every change
 The change should work
 All previous behaviors should still work (regression
testing)

 Audit changes frequently


 Focus especially on asking if each change opens the
firewall in the most restrictive way possible

88
Copyright Pearson Prentice-Hall 2010

44
8/18/2010

 Implementation
◦ Reading the firewall logs
 Should be done daily
or more frequently
 The most labor-intensive part of firewall
management
 Strategy is to find unusual traffic patterns
 Top ten source IP addresses whose packets were dropped
 Number of DNS failures today versus in an average day

 Attackers can be black holed (have their packets


dropped)
89
Copyright Pearson Prentice-Hall 2010

Death of the Perimeter


The Need for Anomaly Detection

90

45
8/18/2010

 Protecting the Perimeter Is No Longer Possible


◦ There are too many ways to get through the perimeter

 Avoiding the Border Firewall


◦ Internal attackers are inside the firewall already
◦ Compromised internal hosts are inside the firewall
◦ Wireless LAN drive-by hackers enter through access
points that are inside the site
◦ Home notebooks, mobile phones, and media brought
into the site
◦ Internal firewalls can address some of these threats

91
Copyright Pearson Prentice-Hall 2010

 Extending the Perimeter


◦ Remote employees must be given access
◦ Consultants, outsourcers, customers, suppliers, and
other subsidiaries must be given access
◦ Essentially, all of these tend to use VPNs to make
external parties “internal” to your site

92
Copyright Pearson Prentice-Hall 2010

46
8/18/2010

 Most Filtering Methods Use Attack Signature


Detection
◦ Each attack has a signature
◦ This attack signature is discovered
◦ The attack signature is added to the firewall
◦ But zero-day attacks are attacks without warning,
occur before a signature is developed
◦ Signature defense cannot stop zero-day attacks

93
Copyright Pearson Prentice-Hall 2010

 Anomaly Detection
◦ Detects an unusual pattern indicating a possible
attack
◦ This is difficult, so there are many false positives
◦ Shrinking time needed to define signatures
◦ Anomaly detection is necessary in today’s firewalls

94
Copyright Pearson Prentice-Hall 2010

47
8/18/2010

95

48

Das könnte Ihnen auch gefallen