Transcript Security Lab

Intrusion Protection
Mark Shtern
Protection systems
•
•
•
•
Firewalls
Intrusion detection and protection systems
Honeypots
System Auditing
Firewall Types
• Network
– Packet filters
– Proxy servers
– State-full inspection
– Can be hardware-based or software-based
• Application
– Packet filters
– State-full inspection
Packet filtering Firewalls
• Permits or denies packets based on socket
pairs
• Packet filters operate at layer 4 of the OSI
model
• Defined packet filters are applied to examine
traffic attempting to enter or attempting to
exit an interface
• Packet filters do not maintain state
Proxy Server Firewalls
• Clients configured to use a proxy server
package
• The proxy server completes client requests on
behalf of the requesting clients, if permitted
Proxy Server Types
• Circuit-level proxy servers only understand the
socket portion of a request (IP address, port
number, and protocol)
• Application-level proxy servers also
understand the internal commands for each
type of application
– for example, can recognize FTP commands for
PUT, GET, MPUT, MGET, and so on
State-full Inspection Firewalls
• Generally permits all outbound sessions initiated
by internal clients (unless an ACL imposes
restrictions)
– a state table entry is created for each allowed
connection
• Allows return traffic belonging to the same
session
• Generally denies all inbound sessions initiated by
external clients (unless an ACL allows exceptions)
– a state table entry is created for each allowed
connection
State-full Inspection Firewalls
• State table entries track:
– source and destination IP addresses
– source and destination port numbers
– protocol
– TCP sequence numbers and acknowledgment
numbers
– TCP session state
• SYN Received, SYN-ACK Sent, Established
Examples of Firewall
• Network
– Firestarter
– Windows Firewall
• Application
– Mod_evasive
– Mod_security_common
Intrusion Detection Systems
• An IDS detects attempts at network intrusion
– Host-based or network-based sensors collect data
for local analysis or uploading to a centralized
analysis engine
– When intrusion is detected a log entry or alert can
be generated
Detection methods
• Signature analysis
– discernable pattern of a previously seen attack
– network scans, port scans, malicious payloads
• Statistical anomaly
– unusual usage patterns
– log on at unusual hours, uncharacteristically high usage of
a protocol
• Protocol anomaly
– an undefined or non-standard use of a protocol
– IP header Protocol field value greater than 137
– TCP header Urgent field set to non-zero value with URG
flag set to zero
IDS types
• Network-based
– Monitors entire network
– NIC operates in promiscuous mode
– Complicated sniffers that check all packets against
signatures
• Host-based
– Protects only the host system on which it resides
– Network card operates in non-promiscuous mode
Intrusion Prevention Systems
• An IDS receives a copy of network traffic for
analysis and reporting
– malicious packets reach their targets
– analysis and reporting is after the fact
• An IPS is a pass-through device inline with the
traffic
– detected malicious packets are dropped at the IPS
and do not reach their intended targets
Snort
•
•
•
•
Intrusion protection and prevention system
Rules-based detection engine
Network sniffer
Snort runs on various operating systems and
hardware platforms, including many UNIX
systems and Windows
• Large default rule set (several thousand)
Snort Modes
• Packet Sniffer Mode
– In Packet Sniffer Mode Snort acts like tcpdump and is used
for testing.
– Type “snort –v” at command prompt to start snort in
sniffer mode
– Other switches
• -d displays application layer -e displays data link layer
• Packet Logger Mode
– Same as Packet Sniffing Mode but it also logs the output.
– Type “snort –dev –l /var/log/snort” where –l is switch for
logging and /var/log/snort is directory to save output.
Snort Modes
• Intrusion Detection Mode
– In this mode snort applies signature rules on all
captured packets
– If packet matches rules, it is logged or an alert is
generated
Writing Snort Rules
•
•
•
•
•
•
Figure out what is "bad"
Capture traffic that includes the "bad" stuff
Learn the protocol
Figure out why the "bad stuff" is bad
Write a rule
Test the rule
Rule Format - basic rule
• alert tcp 10.1.1.1 any -> 10.1.1.2 80
(msg:"foo"; content:"bar";)
Rule Format
• alert tcp 10.1.1.1 any -> 10.1.1.2 80 (msg:"foo";
content:"bar";)
• Actions
• alert log pass activate dynamic drop sdrop
• Acceptable protocols:
– TCP , UDP, ICMP, IP
• Direction
– ->, <>
• Body
– msg, content etc
Honeypot
• A monitored decoy to lure attackers away
from critical resources
– simulates various OSs and application servers
• A tool to analyze an attacker’s methods and
other characteristics
Honeypot Modes
• Research mode
– collecting data on attacker motivations, attack trends,
and emerging threats
• Production mode
– to prevent, detect, and respond to attacks
– impeding scans
– diverting an attacker to the honeypot rather than
critical files
– capturing polymorphic code
– acquiring attack signatures
– providing attack information for analysis
Honeypot Software
• Labrea
• Honeyd
Legal issues
• An organization may be liable if its honeypot is
used to launch attacks against another
network
• Attacker might claim entrapment if
apprehended through use of a honeypot
– Never explicitly invite interaction with the
honeypot
Auditing
• Logs are the primary record keepers of system
and network activity
– Basis for fast recovery when service is modified
illegally
– Basis for tracking the break-in
System logs
• Windows
– Application, System and Security
• Linux
– Syslogs files /var/logs/*
Problem in Managing Logs
•
•
•
•
No periodical review
The log files may be modified by intrusion
Log size constraint
Failure to collect critical information
Audit tools
• Syslog – log collection system
• Audit – subsystem in Linux kernel that
generates audit record (auditctl, ausearch,
aureport )
• Logwatch – log analysis system
• Lire - log analyzer system