detection systems
Bencsáth Boldizsár
Outline
Firewalls
Intrusion detection systems (IDS)
Introduction
– A firewall is a system or group of systems that enforces an access control policy between networks
– Mostly the goal is to protect TCP/IP networks
– Other possible firewalls: between applications in a Windows environment, Java Card firewalls, etc.
– Functions:
• Blocking traffic
• Permitting traffic
• Enabling secure remote connections (VPN)
• Logging traffic
• Content filtering (blocking): viruses, attacks
• Network management purposes (screening the traffic etc.)
Main goals
The main goal of firewalling is
– to control unnecessary services and traffic
– to hide our internal network topology and services
– to protect against protocol errors (e.g. invalid SMTP commands can be filtered)
– to enable logging
– to control the activity of internal users
– every accessible point is a possible security hole: with firewalling we minimize the accessible points and make it more difficult to deploy an attack
– we can make it more difficult to exploit a vulnerability: e.g. with tftp denied it is more difficult to send files to the Internet after an attack
– we can separate the network into subnetworks: an intrusion will not compromise our whole system, just a subnetwork/server
A firewall is not good for…
- Stopping information flow/leakage:
  Data can be leaked out even through DNS applications or e.g. HTTP tunnels. It is very hard to protect against covert channels.
- Complete protection against intrusions:
  A single open port can be used to gain privileged access.
  An application proxy might not stop attacks through badly formed parameters, etc.
  An industry spy can use the telefax to transport secrets…
Packet filtering – disable access to unwanted services

Unfiltered host (every listening service is reachable):
Port      State  Service
9/tcp     open   discard
13/tcp    open   daytime
21/tcp    open   ftp
22/tcp    open   ssh
23/tcp    open   telnet
25/tcp    open   smtp
37/tcp    open   time
79/tcp    open   finger
80/tcp    open   http
109/tcp   open   pop-2
110/tcp   open   pop-3
139/tcp   open   netbios-ssn
143/tcp   open   imap2
515/tcp   open   printer
587/tcp   open   submission
1723/tcp  open   pptp
3128/tcp  open   squid-http

Same host behind a packet filter (only the needed services remain reachable):
Port      State  Service
21/tcp    open   ftp
22/tcp    open   ssh
25/tcp    open   smtp
80/tcp    open   http
110/tcp   open   pop-3
143/tcp   open   imap2
Packet filtering
Filtering based on the network layer of the IP stack
Filtering rules described in a rule base
Default permit / default deny design
Most routers have packet filtering capabilities
A good packet filter…
- Permits connections to really-needed services
- Also filters internal access – most of the intrusions come from employees
- Detects anomalies – TCP packet without SYN handshake etc.
- Filters out all the services that we do not use currently (not only those we don’t want to show)
- Hides internal network elements and architecture (NAT)
- Filters services available to internal hosts (e.g. filter out streaming)
Main problem:
Stateless? Stateful? How?
Packet filtering
Packet filtering rules mostly based on:
IP protocol (UDP, TCP, …)
Source IP address
Destination IP address
Source/Destination port (socket)
Connection state (TCP: SYN, RST, established,… or e.g. FTP states)
(rate control)
(filter rules based on time schedule – no streaming before 8 p.m.)
incoming/outgoing interface
etc.
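The two packet filtering slides above describe a default-deny rule base keyed on protocol, addresses, port and interface, plus the "TCP packet without SYN handshake" anomaly. The following is an added example (not code from the lecture) of such a first-match filter with a minimal TCP flow table; the addresses, interface names, rule base and packets are all constructed.

```python
# Added example: first-match, default-deny packet filter using the rule fields from
# the slides (protocol, source/destination address, destination port, incoming
# interface) and a small TCP flow table, so that a non-SYN segment that belongs to
# no permitted flow is reported as an anomaly. All values are constructed samples.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    proto: str = "any"          # "tcp", "udp" or "any"
    src: str = "0.0.0.0/0"      # source network
    dst: str = "0.0.0.0/0"      # destination network
    dport: int = 0              # destination port, 0 = any
    iface: str = "any"          # incoming interface, "any" = all
    def matches(self, pkt):
        return (self.proto in ("any", pkt["proto"])
                and ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.dport in (0, pkt["dport"])
                and self.iface in ("any", pkt["iface"]))

class PacketFilter:
    def __init__(self, rules):
        self.rules = rules
        self.flows = set()      # TCP flows whose SYN was permitted (stateful part)
    def decide(self, pkt):
        flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if pkt["proto"] == "tcp" and "SYN" not in pkt["flags"] and flow not in self.flows:
            return "anomaly"    # TCP segment without a preceding SYN handshake
        for rule in self.rules:         # first matching rule wins
            if rule.matches(pkt):
                if rule.action == "permit" and pkt["proto"] == "tcp":
                    self.flows.add(flow)
                return rule.action
        return "deny"           # default deny: nothing matched

# Constructed rule base: 192.0.2.0/24 is the internal network, "ext"/"int" the interfaces.
RULES = [
    Rule("permit", "tcp", dst="192.0.2.0/24", dport=25, iface="ext"),  # SMTP to the mail host
    Rule("permit", "tcp", dst="192.0.2.0/24", dport=80, iface="ext"),  # HTTP to the web host
    Rule("deny", "udp", dport=69),                                      # tftp denied, as on the slide
    Rule("permit", src="192.0.2.0/24", iface="int"),                    # internal hosts may go out
]

def filter_packets(packets, rules=RULES):
    """Run a packet list through a fresh filter and return the verdicts in order."""
    pf = PacketFilter(rules)
    return [pf.decide(p) for p in packets]
```

Because rules are matched in order, the tftp deny sits before the permissive outbound rule; with default deny, unlisted inbound services such as telnet are dropped without any explicit rule.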
Application gateway
Higher security
Packet filter vs. Application gateway
– Graphical tools / ruleset generators help
Architecture / Basic
[Diagram: Internet – router – Internal network]

Elements
Dual-homed gateway
single-homed gateway

Packet filter only – screening router
[Diagram: Internet – screening router (packet filter) – Internal network; can be a single screening router]

Packet filter with bastion host
[Diagram: Internet – router – packet filter – Internal network]

Packet filter with bastion host, DMZ, internal pf
[Diagram: Internet – packet filter – Internal network; many different router topologies can be considered]
Platform and other parameters
- Price

Commercial & free products
Personal firewalls
– Every single host on the Internet is a target
– Most users do not use tight security (no updates, bad passwords, no security settings)
– Attacked clients might become zombies for a DoS attack or a relay for spam and other attacks
– They need some protection
– Personal firewalls are mostly simple packet filters
– Drop incoming service requests (my Windows PC is not a file server)
– Alert on (anomalous) outgoing requests
– Can protect against trojans / information leakage
Intrusion detection systems
– Intrusion detection: detecting inappropriate, incorrect, or anomalous activity
IDS Categories
In-Kernel vs. Userspace
Distributed vs. Atomic
Host-based vs. Network-based
Statistical vs. Signature Detection
Active vs. Passive
Proactive vs. Retroactive
Flat vs. Hierarchical
(Justin Lundy)
Host-based IDS
Checking log files for traces of attacks
Checking the condition of processes
Looking for anomalies of the authentication system (Why is X logging in from Thailand? Why is Z logging in during the weekend?)
Checking the fingerprints of the installed binaries (operating system integrity)
Checking for malicious user code – possible hacker tools, rootkits
Version (and critical security hole) checking
Checking for invalid www request URLs in the web server’s log files
Personal firewall?
…
Network based IDS
On a single network element (near the firewall) or distributed: several agents are placed on the network and a central server makes the decision
Problem: encrypted traffic cannot be analyzed (traffic analysis, timing only)
Signature filters: look for various signatures. Usual attacks possess some kind of signature that identifies them
– problem: large number of possible signatures – high traffic rate (~GBps lines) – large number of dropped packets – less accurate result
– problem: signatures have to be known. Regular updates needed and much work to generate “good” signatures
– problem: polymorphic attack: one might change the attack scenario so that the signature will not match
Anomaly detection
Mostly on a statistical basis
Detects statistically exceptional events
Learning: watching activity during the ‘normal’ state and storing patterns (who logs in, what is the origin, when, etc.)
Experience shows that 90% of attacks can be considered as protocol usage anomalies.
Does not require signatures (except what it learns)
We should carefully add knowledge about “normal” activity, such as RFC-compliant state machines; it needs much work.
A non-RFC-compliant client is not always an attacker – we need flexibility
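The host-based IDS slide asks "Why is X logging in from Thailand? Why is Z logging in during the weekend?", and the anomaly detection slide describes learning patterns (who logs in, from where, when) during a 'normal' period. The following added example (not code from the lecture) implements that learning-then-flagging loop for login events; the log line format, the addresses and the address-to-country table are constructed sample data.

```python
# Added example: learning-based login anomaly detector. During learning it records,
# per user, the source countries and (weekend, hour) slots seen in normal operation;
# afterwards a login from an unseen origin or time slot is flagged. The minimum
# sample count gives the "flexibility" the slide asks for. All data is constructed.
from collections import defaultdict
from datetime import datetime
GEO = {"203.0.113.5": "HU", "192.0.2.44": "HU", "198.51.100.9": "TH"}  # stand-in for a GeoIP lookup

def parse_login(line):
    """'2024-03-04T09:12:00 login user=alice src=203.0.113.5' -> (user, country, slot)."""
    ts, _, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    when = datetime.fromisoformat(ts)
    slot = (when.weekday() >= 5, when.hour)      # (is_weekend, hour of day)
    return fields["user"], GEO.get(fields["src"], "??"), slot

class LoginAnomalyDetector:
    def __init__(self, min_samples=3):
        self.min_samples = min_samples           # no verdict on a thin baseline
        self.origins = defaultdict(set)          # user -> countries seen while learning
        self.slots = defaultdict(set)            # user -> (weekend, hour) seen while learning
        self.samples = defaultdict(int)          # user -> number of learning events
    def learn(self, line):
        user, country, slot = parse_login(line)
        self.origins[user].add(country)
        self.slots[user].add(slot)
        self.samples[user] += 1
    def check(self, line):
        # returns the reasons a login looks anomalous; an empty list means normal
        user, country, slot = parse_login(line)
        if self.samples[user] < self.min_samples:
            return ["baseline too small for %s" % user]
        reasons = []
        if country not in self.origins[user]:
            reasons.append("unseen origin %s" % country)
        if slot not in self.slots[user]:
            reasons.append("weekend login" if slot[0] else "unusual hour %02d" % slot[1])
        return reasons

# Constructed 'normal' period: alice logs in on weekdays, during office hours, from Hungary.
NORMAL = [
    "2024-03-04T09:12:00 login user=alice src=203.0.113.5",
    "2024-03-05T10:03:00 login user=alice src=192.0.2.44",
    "2024-03-06T14:40:00 login user=alice src=203.0.113.5",
]

def detector_from(lines=NORMAL):
    det = LoginAnomalyDetector()
    for line in lines:
        det.learn(line)
    return det
```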
CIDF
– Model: Common Intrusion Detection Framework
intrusion detection components can be reused in other systems
interface & communication protocols
– Architecture
• Event generators (colloquially "E-boxes")
• Event analyzers ("A-boxes")
• Event databases ("D-boxes")
• Response units ("R-boxes")