Transcript Defensive Technology

Cyberdefense Technologies
Firewalls
Intrusion detection
And beyond
1
Defensive Strategy
• Deceive the attacker
• Frustrate the attacker
• Resist the attacker
• Recognize and Respond to the attacker
2
Security Desires
• Logging of successful connections,
rejected packets and suspected attacks
• Immunity to Denial of Service attacks
• Protection against information gathering
probes
3
Defenses against DOS
• The best defense against DDos attacks is to
prevent initial system compromises
• However, even vigilant hosts can become
targets because of lesser prepared, less
security aware hosts
• It is difficult to specifically defend against
becoming the ultimate target of a DDos attack
but protection against being used as a
daemon or master system is more easily
attainable
4
Ingress Filtering
• Ingress filtering manages the flow of traffic as
it enters a network under your administrative
control
• Servers are typically the only machines that
need to accept inbound connections from the
public Internet
• Ingress filtering can be performed at the
border to prohibit externally initiated inbound
connections to non-authorized services
5
Egress Filtering
• Egress filtering manages the flow of
traffic as it leaves a network under your
administrative control
• Egress filtering from sources like
university campuses can make a
difference
• Egress filtering alone does not provide a
complete solution to the problem
6
Firewalls
• Defensive “middle ground” between public
and protected network
• The demands from a firewall can differ
significantly
• An internal network, where a balance has to
be found between what can come in and out,
a website publicly accessible or a virtual
Private Network pose very different problems
7
Firewalls are for policy control
• They permit a site’s
administrator to set
a policy on external
access
• Just as file
permissions enforce
an internal security
policy, a firewall can
enforce an external
security policy
8
Firewall Technologies
• Network Address Translation (NAT)
• Most use packet filtering rules to
determine packet access
• Some use “stateful inspection” to
manage connections
• Some application proxy support
– A few allow custom proxy creation *BONUS*
9
Static Packet Filtering
• Uses information in Packet headers:
– Destination IP address
– Source IP subnet
– Destination service Port
• Information compared with Access Control List (ACL)
• Flag (TCP): stop Anything with SYN=1, but
port scanners can choose to have
ACK=1,FIN=1, all other flags set to 0…
– Flag Not an option with UDP
10
Example Attack
Internet router is
blocking
tcp/udp ports 135139
Firewall allows only
outbound http (80)
and smtp (25) traffic
Hacker’s Objective: Gain control of
internal NT server from Internet
11
Dynamic Packet Filtering
(Stateful Inspection)
• Acts on the same principle as Static
Packet Filtering, but maintains a
connection or “state” table in order to
monitor communication session
• Less easy to abuse
• Filtering hard to configure to full
satisfaction and reduces router’s
performance
12
Problems with Firewalls
• Conventional firewalls rely on the notions of restricted
topology and control entry points to function
– Everyone on one side of the firewall is to be trusted
– Anyone on the other side is potentially an enemy
• “extranets” can allow outsiders to reach the “inside”
of the firewall
• Some machines need more access to the outside
than do others
• End-to-end encryption: firewalls generally do not
have the necessary keys to inspect traffic
• Log review, software currency, … (high maintenance)
13
Distributed Firewalls
• In such a scheme, policy is still centrally
defined; enforcement, however, takes
place on each endpoint
• Helps control trust issues
14
Distributed Firewalls
15
Distributed Client/Server
16
What are Honeypots?
• Honeypots are one of the methods used
in intrusion detection
• Setup a "decoy" system
–
–
–
–
Non-hardened operating system
Appears to have several vulnerabilities
Similar configuration to production
Fake content
• Deceive intruder for alert and study
17
18
Attracting Blackhats
• What do you do to attract blackhats to
your Honeypot?
– Absolutely nothing, that is the scary part. You
have to sit back and wait.
– The blackhat community is extremely
aggressive, you would be surprised at what they
will find.
19
Honeypot as attack host
• Once compromised, can't the bad guys
use one of your honeypots to attack
someone else?
• That risk exists !
• use several layers of access control devices that limit
and control what type of outbound connections are
allowed, and how many
20
The Honeynet project
• Distributed team of security experts
• Hardware to capture and analyze
intruder activity
• Evolving honeypot technology and
attack analysis
21
What’s wrong with honeypots?
• The insurance model will not allow you to
take unnecessary risks without a substantial
increase in premium
• Risk management says that honey pots
increase risk for demonstrably invalid reasons
• You can learn more by using better
instrumentation
• Transient effectiveness
22
Transient Effectiveness
• The threat reality is that most attackers are
morons and will attack with DoS if denied real
access
• Honey pots must be kept up to date but in
general aren’t
• Honey pots must act like the host operating
system
• Fix current problems rather than generating
new ones
23
Too many hosts to secure
• Virtually all operating systems and network devices
are insecure out of the box
– This must change
• Operating systems maintained by normal users must
be set to take care of themselves by default
• Growth of the net will be the single largest factor as
to why there are so many vulnerable systems
• It is unrealistic to assume that the net will ever be
safe
24
Where does IDS fit?
• IDS are useful as an additional layer of
defense, no more
• IDS are not helpful when advanced attackers
are attacking you with new attacks
• Two major types today: network IDS (snort)
and host IDS (AIDE, log watcher, etc)
• Missing IDS type: application IDS
• High false alarm rates (wasted admin time)
25
IDS and Policy
• Security Policy is the
first step (defining what
is acceptable and what
is being defended)
• Notification
– Who, how fast?
• Response Coordination
26
Jane did
a port
sweep!
NMAP
27
IDS Implementation Map
Honeypot
(Deception System)
Generic Server
(Host-Based ID)
(Snort 2.0)
Internet
Filtering
Router
(Perimeter Logs)
Firewall
(Perimeter
Logs)
Statistical IDS
(Snort)
Network IDS
(Snort)
28
Detection Engine
• Rules form “signatures”
• Modular detection elements are combined to
form these signatures
• Wide range of detection capabilities
– Stealth scans, OS fingerprinting, buffer overflows, back
doors, CGI exploits, etc.
• Rules system is very flexible, and creation of
new rules is relatively simple
29
Learning More
• www.snort.org
– Writing Snort Rules
• www.snort.org/snort_rules.html
– FAQ, USAGE file, README file, man page
– Snort mailing lists
• Books
– Intrusion Detection: An Analysts Handbook by Northcutt
– Intrusion Signatures and Analysis by Northcutt
– The Practical Intrusion Detection Handbook by Paul Proctor
30
But What Slips Through?
• Signatures based on traffic model
– Attacks stay with same source IP set
• Signature assume fixed characteristics
– Packets involving attack stay with similar
content
• Signature assume obvious distinction
from legitimate traffic
– What is legitimate is never malicious
31
How do We Catch the Slips?
• Non-signature based collection
– Short-term (hours, max) packet collection, rotating ->
libpcap
– Medium-term (weeks, max) headers+content summary
-> expanded flow
– Long-term (years) headers+sizes -> flow
• Privacy concerns
• Efficiency concerns
• Sampling concerns
32
What can You Do with Just
Flows?
• Indicative, not probative
• Time-series, with departures
– DDoS ramp-up
– Scanning: worms/virus
• Threashold violations
– Spam vs. email
– Streaming media vs. web browsing
• Locality violations
– Malware beaconing
– Worms/virus
– Spyware
33
Automated Response
• Ongoing work
• Local indicators fused to alert
• Firewalls/IDS exchange intrusion
information
– IODEF standard
• Dynamically alter firewall rules
• Dynamically alter routing tables to
reconfigure network
34
Layered Architecture
35
Layered Defenses
Source: Shawn Butler, Security
Attribute Evaluation Method
Goal 8
Goal 1
Frustrate
Deceive
Recognize
Goal 2
Goal 7
Respond
Goal 3
Goal 6
Goal 5
Goal 4
36