Slide 1 - National Chung Cheng University (中正大學)

Network Security
Instructor: Bo Cheng (鄭伯炤)
Department of Communications Engineering, National Chung Cheng University
Tel: 05-272-0411 Ext 33512
Email: [email protected]
We Are in a Dangerous Zone!
CERT: Computer Emergency Response Team
http://www.cert.org/
• Insider
• Outsider
• Unstructured
• Structured
http://www.andrew.cmu.edu/course/95-753/lectures/MooreTalkCERT-combined.pdf
What Is Network Security?
• Confidentiality: The property that information
is not made available or disclosed to any
unauthorized system entity
• Integrity: The property that data has not been
changed, destroyed, or lost in an unauthorized
or accidental manner.
• Availability: services must be accessible and
available to users
ftp://ftp.rfc-editor.org/in-notes/rfc2828.txt
[Figure: Confidentiality, Integrity and Availability drawn as the three sides of the network security triangle]
Confidentiality Enabler
• AAA
– Authentication: The process of verifying an identity claimed by
or for a system entity.
– Authorization: A right or a permission that is granted to a system
entity to access a system resource.
– Accounting: Ensures the actions of a system entity be traced
uniquely to that entity, which can be held responsible for its
actions.
• Encryption
– Cryptographic transformation of data (called "plaintext") into a
form (called "ciphertext") that conceals the data's original
meaning to prevent it from being known or used.
[Figure: Plaintext -> Encrypt -> Ciphertext -> Decrypt -> Plaintext]
Attack Motivations, Phases and Goals
• Motivations
– Revenge
– Political activism
– Financial gain
• Phase 1: Collect Information
– Public data source
– Scanning and probing
• Phase 2: Analyze Information & Prepare Attacks
– Service in use
– Known OS/Application vulnerability
– Known network protocol security weakness
– Network topology
• Phase 3: Actual Attack
– Network compromise
– DoS/DDoS attack: bandwidth consumption, host resource starvation
• Goals
– Data manipulation
– System access
– Elevated privileges
– Denial of service
Counter Hack: A Step-by-Step Guide to Computer Attacks and Effective Defenses
Author: Ed Skoudis; Publisher: Prentice Hall; ISBN 0130332739
Tools, Tools, Tools
• Reconnaissance
– Whois
– ARIN
– Nslookup
– Dig
– Target Web Site
– Others
• Network Scanning
– ICMP: Ping and Traceroute
– Nmap
– Hping2
– Netcat
– Telnet
• Vulnerability Assessment
– Nessus
– SARA
• Penetration Tool
– "Penetration Studies – A Technical Overview"
http://www.sans.org/rr/papers/index.php?id=267
GSEC SANS GIAC Certification: Security Essentials Toolkit
Author: Eric Cole et al. ISBN 0789727749
Hacker vs. Cracker
• Cracker (怪客): Someone who tries to break the security of,
and gain access to, someone else's system without being
invited to do so.
– Crackers focus on intrusion, destruction and data theft, attacking others on the network at will.
– Many "crack" programs circulating on the network (often mislabelled "hacker software") were released maliciously by crackers to disrupt order on the network.
– The "hackers" referred to by the mass media are in fact these highly knowledgeable crackers.
• Hacker (駭客): Someone with a strong interest in computers,
who enjoys learning about them and experimenting with them.
– Does not deliberately destroy data on other people's hosts.
– Breaks into a computer only to confirm that a security flaw really exists,
and after the intrusion sends an e-mail to the site's top-level administrator
telling them where the flaw is.
http://www.trendmicro.com/tw/products/desktop/gatelock/use/hackers.htm
Dollar Amount of Losses in 2003
The total annual losses reported
in the 2003 survey were $201,797,340.
Source: CSI/FBI 2003 Computer Crime and Security Survey
Denial of Service (DoS)
• The prevention of authorized access to a system resource or the
delaying of system operations and functions (RFC 2828).
– IETF: The Internet Engineering Task Force
– RFC: Request for Comments
• Modes of attack
http://www.cert.org/tech_tips/denial_of_service.html
– Consumption of scarce resources
– Destruction or alteration of configuration information
– Physical destruction or alteration of network components
Building Security Perimeter
• The boundary of the domain in which a security
policy or security architecture applies (by RFC2828)
• Components
– Firewall
– Virtual Private Network (VPN)
– Intrusion Detection System (IDS)
• Defense in depth
– Multiple layers of protection to prevent and mitigate security
incidents (an incident is an event that involves a security violation).
Inside Network Perimeter Security: The Definitive Guide to Firewalls, Virtual
Private Networks (VPN's), Routers, and Intrusion Detection Systems
Author: Stephen Northcutt, Lenny Zeltser, Scott Winters, Karen Kent
Frederick, et al.; ISBN 0735712328
Firewall
• A gateway that restricts data communication
traffic to and from one of the connected
networks (the one said to be "inside" the
firewall) and thus protects that network's
system resources against threats from the
other network (the one that is said to be
"outside" the firewall).
• Access Control List (ACL): A mechanism that
implements access control for a system
resource by enumerating the identities of the
system entities that are permitted to access the
resource.
[Figure: Outside network -> ACL -> Inside network]
http://csrc.nist.gov/publications/nistpubs/800-41/sp800-41.pdf
Intrusion Detection System (IDS)
• A security service that monitors and analyzes system
events for the purpose of finding, and providing real-time or
near-real-time warning of, attempts to access system resources
in an unauthorized manner (RFC 2828).
• Types of IDS:
– Host-based: operate on information collected from
within an individual computer system.
– Network-based: listen on a network segment or switch
and detect attacks by capturing and analyzing network
packets.
http://csrc.nist.gov/publications/nistpubs/800-31/sp800-31.pdf
Virtual Private Network (VPN)
• The VPN is a data network connection that makes use
of the public communication infrastructure, but
maintains privacy through the use of a tunneling
protocol and security procedures.
[Figure: HQ, a branch office and business partners connected to each other over the Internet by VPN tunnels]
http://www.computerassets.com/downloads/Why_VPN.doc
Net, Net and Net
• Intranet: VPN facilitates secure communications
between a company's internal departments and its
branch offices.
• Extranet: Extranet VPNs between a company and its
strategic partners, customers and suppliers require an
open, standards-based solution to ensure
interoperability with the various solutions that the
business partners might implement.
• Internet: A global and public network connecting
millions of computers.
Financial Losses in 2002
100% security is impossible;
security can only mitigate, but not eliminate
• Countermeasures set against the losses: Firewall, AAA, VPN, Anti-virus, Intrusion Detection
[Figure: Bar chart of 2002 losses in $ million (scale 0 to 200) by category: theft of proprietary info, system penetration by outsider, financial fraud, virus, sabotage of network, insider abuse of Net access, DoS, laptop theft]
Source: 2002 CSI/FBI Survey
RADIUS: Remote Authentication Dial-In User Service
Authentication: "Are you who you say you are?"
Authorization: "Can you do that?"
Accounting: "What did you do?"
IPSec vs. SSL
• IPSec (Internet Protocol Security)
– Tunnel between the two endpoints
– Works at the Network Layer of the OSI model, without an association to
any specific application
– When connected over an IPSec VPN the client computer is "virtually" a full
member of the corporate network, able to see and potentially access the
entire network
– The majority of IPSec VPN solutions require third-party hardware and/or
software
• SSL
– A common protocol; most web browsers have SSL capabilities built in
– More precise access control (per application rather than per network)
– Works only for web-based applications; other applications have to be
web-enabled first
Hacking Techniques
Collect Information
• Public data source
• Scanning and probing
Whois Database
• Contains data elements regarding Internet addresses, domain names,
and individual contacts
• Looked up by domain name, which is unique
ARIN
• American Registry for Internet Numbers
• Gather information about who owns particular
IP address ranges, given company or domain
names
DNS
• A hierarchical database
[Figure: The DNS hierarchy: root DNS servers (the start point) above the com, net and org DNS servers, with the abc.com DNS servers below com]
DNS Resolve
[Figure: A recursive search to resolve www.abc.com: the client asks the local DNS server; the local server queries the root DNS server (referral to com), the com DNS server (referral to abc.com) and the abc.com DNS server, then returns www.abc.com = 10.11.12.13 to the client]
Some DNS Record Types
Record Type Name | Purpose | Example Record Format
Address (A Record) | Maps a domain name to a specific IP address | www 1D IN A 10.1.1.1
Host Information (HINFO Record) | Identifies the host system type | www 1D IN HINFO Solaris8
Mail Exchanger (MX Record) | Identifies a mail system accepting mail for the given domain | @ 1D IN MX 10 mail.abc.com
Name Server (NS Record) | Identifies the DNS servers associated with a given domain | @ 1D IN NS nameserver.abc.com
Text (TXT Record) | Associates an arbitrary text string with the domain name | System1 IN TXT "This is a cool system"
nslookup
• Reverse lookup: IP address to domain name
[Figure: nslookup answers can be returned from the local DNS server's cache or from a remote DNS server's cache]
Zone Transfer
[Figure: A split DNS: an EXTERNAL DNS server in the DMZ answers queries from the INTERNET, while a separate INTERNAL DNS server serves the INTERNAL NETWORK and its INTERNAL SYSTEMS, so a zone transfer requested from outside cannot enumerate internal hosts]
• DMZ stands for De-Militarized Zone. The DMZ
setting allows the server that provides public
resources (Ex. Web or FTP) to map public IP
addresses for Internet users to use in a Broadband
sharing router environment.
[Figure: DMZ systems, such as Web, Mail, DNS and FTP, sit between the INTERNET and the Internal Network; traffic from the Internet to the DMZ is Allowed, traffic from the Internet straight into the internal network is Forbidden]
Collect Information
• Public data source
• Scanning and probing
Network Mapping
• Map out your network infrastructure
– Mapping and scanning your Internet gateway, including DMZ systems,
such as Web, mail, FTP, and DNS
– Mapping and scanning your internal network
• Techniques
– Finding live hosts
– Tracing your network topology
Finding Live Hosts
• Two methods
– ICMP ping
• Ping all possible addresses to determine which ones have
active hosts
• Ping, using an ICMP Echo Request packet
– Alive, sending an ICMP Echo Reply message
– Otherwise, nothing is listening at that address
– TCP/UDP packet
• If incoming ICMP is blocked
• Send a TCP or UDP packet to a port, such as TCP port 80, and watch for any reply
Traceroute
[Figure: Using traceroute to discover the path from source to destination: a probe with TTL = 1 draws an ICMP Time Exceeded from the first router, a probe with TTL = 2 draws one from the second router, and so on until the destination itself answers]
• Cheops: a network mapping tool that automates these techniques and draws the topology
Defenses against Network Mapping
• Filter
– IN: Firewalls and packet-filtering capabilities of your routers
– OUT: Stop ICMP Time Exceeded messages leaving your network
• Blocking
– Block incoming ICMP messages at the gateway
– Ping the Web server? Maybe
– Ping the DMZ database server? Probably not
– Ping internal network hosts? Definitely not
Using port scanners
• Analyzing which ports are open
– To know the purpose of each system
– To learn potential entryways into system
• Each of TCP and UDP has 65,535 usable port numbers (1 to 65,535)
• "well-known" port numbers
– e.g., TCP port 80 for HTTP
– RFC 1700 (since replaced by the IANA port-number registry)
• Nmap @ www.insecure.org/Nmap
Nmap
• What type of packets does the scanning system
send
– TCP Connect, TCP SYN, TCP FIN, …
Types of Nmap Scans
• Legitimate TCP connections are established using a three-way handshake
[Figure: The TCP three-way handshake between Alice and Bob: Alice sends SYN with ISN_A; Bob replies ACK ISN_A and SYN with ISN_B; Alice sends ACK ISN_B; the connection is established]
TCP Header (20 octets without options)
Bits 0-15: Source port | Bits 16-31: Destination port
Sequence number (32 bits)
Acknowledgement number (32 bits)
Data offset (4 bits) | Reserved (6 bits) | Code bits: URG ACK PSH RST SYN FIN | Window (16 bits)
Checksum (16 bits) | Urgent pointer (16 bits)
Options + padding
The Polite Scan: TCP Connect
• Completes the three-way handshake, and then gracefully tears down
the connection using FIN packets
• If the port is open, the handshake completes
• If closed
– No SYN-ACK is returned
– The scanner receives either no response, a RESET packet, or an
ICMP Port Unreachable
• Easy to detect: the completed connection shows up in the target
application's logs
A Little Stealthier: TCP SYN Scan
• TCP SYN scans
– Send a SYN to each target port
– If the port is open, a SYN-ACK comes back
– The scanner then sends a RESET packet, aborting the half-open
connection before the handshake completes
• Referred to as "half-open" scans
• Two benefits
– The end system's applications do not record the connection
(routers or firewalls, however, may still log it)
– Speed
Other Scans: Violate the Protocol Spec.
• TCP FIN scan
– Sends a FIN packet, as if tearing down a connection, but no
connection was ever set up!!
• Xmas Tree scan
– Sends packets with the FIN, URG, and PUSH code bits set
• Null scan
– Sends packets with no code bits set
• In all three, RFC 793 says a closed port answers RESET while an open
port stays silent, so silence marks the port as open (Windows stacks
ignore this rule and send RESET either way)
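To make the header layout and these flag combinations concrete, here is an added Python example (not code from the slides or from Nmap): it unpacks the 20-byte TCP header shown above, pulls out the six code bits, and labels each probe the way a network IDS signature would. The sample probes are constructed inside the block; nothing is sent on the wire.

```python
"""Classify TCP probes by their code bits, as a network IDS would.

Added example (not from the original slides). It parses the fixed 20-byte
TCP header, extracts the six code bits and labels the probe as a normal
SYN, a bare ACK, or one of the illegal combinations that Nmap's FIN,
Xmas Tree and Null scans send.
"""
import struct

# Code bit positions in the 14th byte of the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def parse_tcp_header(raw: bytes) -> dict:
    """Unpack the fixed 20-byte TCP header into a dict."""
    if len(raw) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    sport, dport, seq, ack, off_res, flags, win, csum, urg = struct.unpack(
        "!HHIIBBHHH", raw[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": (off_res >> 4) * 4,   # header length in bytes
        "flags": flags & 0x3F,               # keep the six code bits only
        "window": win,
    }


def classify_probe(flags: int) -> str:
    """Name the scan type implied by a code-bit combination."""
    if flags == 0:
        return "NULL scan (no code bits set)"
    if flags == FIN | PSH | URG:
        return "XMAS scan (FIN+PSH+URG, no connection)"
    if flags == FIN:
        return "FIN scan (FIN without an established connection)"
    if flags == SYN:
        return "SYN (connection request or SYN/half-open scan)"
    if flags == ACK:
        return "bare ACK (possible ACK scan through a stateless filter)"
    if flags & SYN and flags & ACK:
        return "SYN-ACK (handshake reply)"
    if flags & RST:
        return "RST"
    return "other"


def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=1024) -> bytes:
    """Assemble a 20-byte header with the given code bits (checksum left zero)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4,
                       flags, window, 0, 0)


def classify_capture(packets):
    """Classify a list of raw TCP headers; returns (dport, label) pairs."""
    out = []
    for raw in packets:
        hdr = parse_tcp_header(raw)
        out.append((hdr["dport"], classify_probe(hdr["flags"])))
    return out


if __name__ == "__main__":
    # Constructed sample: a Null, an Xmas and a FIN probe against port 80,
    # plus a legitimate SYN to port 22.
    sample = [
        build_tcp_header(40000, 80, 0),
        build_tcp_header(40001, 80, FIN | PSH | URG),
        build_tcp_header(40002, 80, FIN),
        build_tcp_header(40003, 22, SYN),
    ]
    for dport, label in classify_capture(sample):
        print(f"dport {dport}: {label}")
```

The classifier only looks at the code bits; a real IDS also tracks whether the flow already exists, which is what separates a legitimate FIN from a FIN scan.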
TCP ACK Scans
[Figure: A packet filter device between the EXTERNAL NETWORK and the INTERNAL NETWORK allows outgoing traffic and the established responses (SYN out, SYN-ACK back in), but blocks incoming traffic if the SYN bit is set; that is, it allows outgoing sessions (and responses) while blocking incoming session initiation]
TCP ACK Scans (cont.)
[Figure: The attacker on the external network sends bare ACK packets to destination ports 1024, 1025, 1026, ...; the packet filter device passes the probe to port 1026 and the internal host answers with a RESET. "Aha! I know port 1026 is open through the firewall"]
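The firewall ACL from the "Firewall" slide and the ACK scan above come together in this added Python example (not from the slides): a first-match ACL whose "established" rule only tests the ACK bit, a stateful filter that consults a connection table, and an ACK scan run against both. Addresses, ports and rule names are invented for the demonstration.

```python
"""Why a stateless ACL leaks to a TCP ACK scan, and how a stateful filter does not.

Added example, not code from the slides. AclRule mimics a Cisco-style
'established' rule: it only tests the ACK bit. A bare ACK probe therefore
passes wherever the rule permits, the inside host answers RST (RFC 793:
an ACK that matches no connection gets a RESET), and the attacker learns
which ports the filter lets through. StatefulFilter keys inbound packets
on real outbound connections and drops the same probes. Addresses and
ports are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Optional

SYN, RST, ACK = 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int


@dataclass
class AclRule:
    """permit/deny traffic to dst_port (None = any port).
    established=True means the rule matches only if the ACK bit is set."""
    action: str
    dst_port: Optional[int] = None
    established: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.dst_port is not None and pkt.dport != self.dst_port:
            return False
        if self.established and not pkt.flags & ACK:
            return False
        return True


class StatelessFilter:
    """First-match ACL applied to inbound packets; implicit deny at the end."""

    def __init__(self, rules):
        self.rules = rules

    def allow_inbound(self, pkt: Packet) -> bool:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action == "permit"
        return False


class StatefulFilter:
    """Inbound packets pass only if they belong to a connection opened from inside."""

    def __init__(self):
        self.table = set()

    def note_outbound(self, pkt: Packet):
        if pkt.flags & SYN:
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def allow_inbound(self, pkt: Packet) -> bool:
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


def inside_host_reply(pkt: Packet):
    """The protected host: an ACK that matches no connection is answered with RST."""
    if pkt.flags == ACK:
        return Packet(pkt.dst, pkt.src, pkt.dport, pkt.sport, RST)
    return None


def ack_scan(filt, attacker: str, target: str, ports):
    """Send bare ACK probes; a port whose probe comes back RST is 'unfiltered'."""
    unfiltered = []
    for port in ports:
        probe = Packet(attacker, target, 40000, port, ACK)
        if filt.allow_inbound(probe) and inside_host_reply(probe) is not None:
            unfiltered.append(port)
    return unfiltered


def demo() -> dict:
    attacker, target, peer = "203.0.113.7", "10.0.0.5", "192.0.2.9"
    ports = range(1024, 1028)
    # ACL as on the slide: established traffic to port 1026 in, everything else denied.
    stateless = StatelessFilter([AclRule("permit", dst_port=1026, established=True),
                                 AclRule("deny")])
    stateful = StatefulFilter()
    stateful.note_outbound(Packet(target, peer, 3333, 80, SYN))   # a real outbound session
    return {
        "syn_to_1026_blocked": not stateless.allow_inbound(Packet(attacker, target, 40000, 1026, SYN)),
        "stateless_ack_scan": ack_scan(stateless, attacker, target, ports),
        "stateful_ack_scan": ack_scan(stateful, attacker, target, ports),
        "legit_reply_passes": stateful.allow_inbound(Packet(peer, target, 80, 3333, SYN | ACK)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The stateless ACL does block the SYN, so session initiation from outside fails as intended, yet the ACK scan still maps port 1026 as passing the filter; the stateful filter returns nothing because no inside host opened a connection to the attacker.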
Vulnerability Scanning Tools
• What is a vulnerability scanner?
• Types of vulnerabilities
– Common configuration errors
– Default configuration weaknesses
– Well-known system vulnerabilities
Vulnerability Scanning Tools (cont.)
[Figure: A generic vulnerability scanner: a user configuration tool drives the scanning engine; the engine consults a vulnerability database and a knowledge base of the current active scan, probes the targets, and feeds a results repository and report generation]
Nessus
• Nessus plug-in categories:
– Finger abuses
– Windows
– Backdoors
– Gain a shell remotely
– CGI abuses
– Remote file access
– RPC
– Firewalls
– FTP
– SMTP
– ...
The Nessus Architecture
• Client-server architecture
– Client: user configuration tool and a results repository/report
generation tool
– Server: vulnerabilities database, a knowledge base of the current
active scan, and a scanning engine
• Supports strong authentication, based on public-key cryptography
• Supports strong encryption, based on the Twofish and RIPEMD algorithms
• The advantage of the client-server architecture: the scanning engine can
run on one machine while the user drives it from another
• The most common use: client and server running on a single machine
Gaining Access Using Application
and Operating System Attacks
Outlines
• Stack-Based Buffer Overflow Attacks
• Password Attacks
• Web Application Attacks
What is a Stack-Based Buffer Overflow?
The Make-up of a Buffer Overflow
Application Layer IDS Evasion for Buffer Overflow
• K2 released ADMutate
[Figure: A buffer overflow exploit is fed through ADMutate, which emits a new, functionally identical exploit]
• Polymorphism
– For the NOPs: substitute a bunch of functionally equivalent
instructions for the NOP sled, so an IDS signature on a run of NOPs
does not match
– For the machine language code: XOR the code with a randomly
generated key, prepending a small decoder that restores it at run time
Outlines
• Stack-Based Buffer Overflow Attacks
• Password Attacks
• Web Application Attacks
Password Attacks
• Guessing Default Passwords
• Password Guessing through Login Scripting
• Password cracking
Let's Crack Those Passwords!
• Steal the stored password hashes ("encrypted passwords") and try to
recover the clear-text passwords
– Dictionary
– Brute-force cracking
– Hybrid (dictionary words with mutations)
• Password cracking is really just a loop:
1. Create a password guess
2. Encrypt (hash) the guess the same way the system does
3. Compare the encrypted guess with the encrypted value from the stolen
password file
4. If they match, you've got the password! Else, loop back to the top
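The loop above, carried through the three guessing strategies on the slide, as an added Python example (not a tool from the slides, nor L0phtCrack or John the Ripper). The "stolen password file" is constructed inside the block with a salted SHA-256 so the script runs offline; real files (Unix crypt(3), NT hashes) differ only in the hash step.

```python
"""The password-cracking loop from the slide: guess, hash, compare, repeat.

Added example; not a tool from the original slides. The 'stolen password
file' is constructed here with salted SHA-256 so the script runs offline;
real files (Unix crypt(3), NT hashes) differ only in the hash step.
"""
import hashlib
import itertools
import string


def hash_password(salt: str, password: str) -> str:
    """Constructed scheme for the demo: sha256(salt + password), hex-encoded."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def dictionary_guesses(words):
    """Plain dictionary attack: try each word as-is."""
    for w in words:
        yield w


def hybrid_guesses(words, max_digits=2):
    """Hybrid attack: dictionary words with case variants and appended digits."""
    for w in words:
        for base in (w, w.capitalize(), w.upper()):
            yield base
            for n in range(1, max_digits + 1):
                for digits in itertools.product(string.digits, repeat=n):
                    yield base + "".join(digits)


def brute_force_guesses(alphabet, max_len):
    """Exhaustive search over all strings up to max_len (exponential; keep small)."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            yield "".join(combo)


def crack(entries, guess_source, limit=None):
    """entries: {user: (salt, hash)}. Returns {user: cleartext} for every hit.

    This is the loop on the slide: create a guess, hash it with the
    victim's salt, compare with the stolen hash, stop when all are found.
    """
    found = {}
    for i, guess in enumerate(guess_source):
        if limit is not None and i >= limit:
            break
        for user, (salt, stored) in entries.items():
            if user in found:
                continue
            if hash_password(salt, guess) == stored:
                found[user] = guess
        if len(found) == len(entries):
            break
    return found


# Constructed "stolen password file": user -> (salt, hash).
WORDLIST = ["password", "letmein", "dragon", "summer", "welcome"]
STOLEN = {
    "alice": ("a1", hash_password("a1", "summer")),      # plain dictionary word
    "bob":   ("b2", hash_password("b2", "Dragon42")),    # needs hybrid rules
    "eve":   ("c3", hash_password("c3", "zq9")),         # short enough to brute-force
}


def run_all() -> dict:
    """Cheapest strategy first, escalating only for accounts still uncracked."""
    hits = {}
    hits.update(crack(STOLEN, dictionary_guesses(WORDLIST)))
    remaining = {u: v for u, v in STOLEN.items() if u not in hits}
    hits.update(crack(remaining, hybrid_guesses(WORDLIST)))
    remaining = {u: v for u, v in STOLEN.items() if u not in hits}
    hits.update(crack(remaining, brute_force_guesses(string.ascii_lowercase + string.digits, 3)))
    return hits


if __name__ == "__main__":
    print(run_all())
```

The ordering matters in practice as much as the loop itself: the dictionary pass costs five hashes per account, the hybrid pass about 1,700, and the three-character brute-force pass roughly 48,000, which is why crackers always exhaust the cheap rules before widening the search.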
Tools Cracking Passwords
• Cracking Windows NT/2000 Passwords Using
L0phtCrack (LC4)
– http://www.atstake.com/products/lc/
• Cracking UNIX-like and Windows-based
Passwords Using John the Ripper
– http://www.openwall.com/john/
Outlines
• Stack-Based Buffer Overflow Attacks
• Password Attacks
• Web Application Attacks
Account Harvesting
• Account harvesting's concept
– The application returns a different error message for an incorrect
user ID than for an incorrect password, so an attacker can enumerate
valid user IDs without knowing a single password
• Lock out user accounts after repeated failures?
– Yes: an attacker can lock everyone out (a DoS attack)
– No: an attacker can keep guessing passwords across the network
Gaining Access Using Network
Attacks
Sniffer
• A sniffer grabs anything sent across the LAN
• What type of data can a sniffer capture?
– Anything that is not encrypted
– The attacker must first have an account (a foothold) on a machine on that LAN
• Island hopping attack
[Figure: Island hopping: an attacker who has compromised one host sniffs its LAN for passwords, uses them to take over another host, and repeats the process from there]
Some of the most interesting sniffers
• Passive sniffing
– Snort, a freeware sniffer and network-based IDS,
available at www.snort.org
– Sniffit, freeware running on a variety of UNIX
flavors, available at
reptile.rug.ac.be/~coder/sniffit/sniffit.html
• Active sniffing
– Dsniff, a free suite of tools built around a sniffer
running on variations of UNIX, available at
www.monkey.org/~dugsong/dsniff
Sniffing through a Hub: Passive Sniffing
[Figure: On BROADCAST ETHERNET a hub repeats "Blah, blah, blah" out of every port, so a sniffer anywhere on the hub sees all the traffic]
Active Sniffing: Sniffing through a Switch
and Other Cool Goodies
• Switched Ethernet does not broadcast
– The switch looks at the destination MAC address and forwards the frame only to that port
• Active sniffing tool: Dsniff
[Figure: On SWITCHED ETHERNET "Blah, blah, blah" reaches only the destination's port; the sniffer's port stays quiet]
Advanced sniffing attacks
• Foiling Switches with Spoofed ARP Messages
• Remapping DNS names to redirect network
connections
• Sniffing SSL and SSH connections
Foiling Switches with Spoofed ARP
Messages (1)
[Figure: A switched LAN prevents an attacker from passively sniffing traffic: the CLIENT MACHINE's "Blah, blah, blah" goes through the SWITCH to the DEFAULT ROUTER and on to THE OUTSIDE WORLD; the victim's traffic isn't sent to the attacker]
Foiling Switches with Spoofed ARP
Messages (2)
Arpspoof redirects traffic, allowing the attacker to sniff a switched LAN:
1. The attacker configures IP forwarding to send packets on to the default router for the LAN and activates the Dsniff program.
2. The attacker sends a fake ARP response that remaps the default router's IP address to the attacker's MAC address.
3. The victim sends traffic destined for the outside world. Based on the poisoned ARP table entry (router's IP, attacker's MAC in place of the router's MAC), the traffic is really sent to the attacker's MAC address.
4. The attacker sniffs the traffic from the link.
5. Packets are forwarded from the attacker's machine to the actual default router for delivery to the outside world.
Sniffing and Spoofing DNS
1. The attacker activates the dnsspoof program.
2. The victim tries to resolve a name (www.skoudisstuff.com, the desired destination at 10.22.12.41) using DNS; the request goes through the switch toward the default router and the outside world.
3. The attacker sniffs the DNS request from the line.
4. The attacker quickly sends a fake DNS response with any IP address the attacker wants the victim to use: www.skoudisstuff.com = 10.1.1.56 (the attacker's machine).
5. The victim now surfs to the attacker's site instead of the desired destination.
Sniffing an HTTPS connection using
dsniff's person-in-the-middle attack
1. The attacker activates the dnsspoof and webmitm programs; webmitm runs on the attacker's machine at 10.1.2.3.
2. When the victim looks up www.edsbank.com (the desired destination, at 10.22.12.41), dnsspoof sends a fake DNS response with the IP address of the machine running webmitm (10.1.2.3).
3. The victim establishes an SSL connection, not knowing the attacker is proxying the connection.
4. Webmitm proxies the HTTPS connection, establishing its own HTTPS connection to the real server and sending the attacker's own certificate to the client (the victim's browser warns about the untrusted certificate; the attack relies on the user clicking through).
5. The victim now accesses the desired server, but all traffic is viewable by the attacker using webmitm as a proxy.
IP Address Spoofing
• Changing or disguising the source IP address
– Attackers do not want their actions traced back to them
– Helps attackers undermine various applications that trust the source address
• IP address spoofing flavors
– Flavor 1: Simply changing the IP address
– Flavor 2: Undermining UNIX r-commands
– Flavor 3: Spoofing with source routing
Simply Changing the IP Address
[Figure: Eve sends SYN (A, ISN_A) to Bob with Alice's address as the source; Bob answers ACK (A, ISN_A) SYN (B, ISN_B) to the real Alice, who never sent a SYN and replies RESET!!!, so Eve never sees Bob's response]
Spoofing with Source Routing 1/2
• Lets the attacker get responses
• Allows the source machine sending a packet to specify the path it
will take on the network
• Two kinds of source routing
– Loose source routing
– Strict source routing
• Reference: RFC 791
IP Options
Class | Number | Length | Description
0 | 0 | none | End of Options
0 | 1 | none | No op
0 | 2 | 11 | Security
0 | 3 | Var | Loose Source Routing
0 | 7 | Var | Record Route
0 | 8 | 4 | Stream ID (obsolete)
0 | 9 | Var | Strict Source Routing
2 | 4 | Var | Internet Time-Stamp
Spoofing with Source Routing 2/2
[Figure: Spoofing attack using source routing: Eve sends Bob a packet whose source route lists 1. Alice, 2. Eve, 3. Bob; Bob's reply travels back along the reversed route (Bob, Eve, Alice), so it passes through Eve and she sees the response]
IP Spoofing Defense
• Implement "anti-spoof" packet filters
– Both incoming (ingress) and outgoing (egress)
• Do not allow source-routed packets through network gateways
[Figure: Anti-spoof filters: a FILTERING DEVICE between NETWORK A and NETWORK B drops a packet arriving from Network B that carries an IP source address belonging to Network A]
Session Hijacking 1/3
• A marriage of sniffing and spoofing
• Seeing packets, but also monitoring the TCP sequence numbers
• Sniffing, then injecting spoofed traffic
[Figure: A network-based session hijacking scenario: Alice has a telnet session to Bob across the network; Eve, on the same network, injects packets claiming "Hi, I'm Alice"]
Session Hijacking 2/3
• Session hijacking tools
– Hunt, network-based
– Dsniff’s sshmitm tool
– Juggernaut, network-based
– TTYWatcher, host-based
– TTYSnoop, host-based
Session Hijacking 3/3
[Figure: An ACK storm triggered by session hijacking: after Eve injects packets with increasing sequence numbers, Alice and Bob each answer the other's unexpected sequence number with an ACK, and the ACKs bounce back and forth across the network]
Session Hijacking with Hunt 1/3
• Hunt
– Network-based session-hijacking tool
– Runs on Linux
– Lets the attacker view a bunch of sessions and select a
particular one to hijack
– Injects a command or two into the session stream, which
results in an ACK storm
– How to prevent the ACK storm?
• ARP spoofing
– Sends unsolicited ARP replies, known as "gratuitous ARP" packets
– Most systems devour them, overwriting the IP-to-MAC address
mapping in their ARP tables
Session Hijacking with Hunt 2/3
[Figure: Two hosts, IP a.b.c.d at MAC AA:AA:AA:AA:AA:AA and IP w.x.y.z at MAC BB:BB:BB:BB:BB:BB, with the attacker's machine (IP anything, MAC CC:CC:CC:CC:CC:CC) on the same LAN. The attacker tells a.b.c.d "ARP: w.x.y.z is at DD:DD:DD:DD:DD:DD" and tells w.x.y.z "ARP: a.b.c.d is at EE:EE:EE:EE:EE:EE", two bogus MAC addresses the attacker answers for, so both directions of the session flow through the attacker and can be relayed without an ACK storm]
Session Hijacking with Hunt 3/3
[Figure: The same ARP relay applied to a second pair of hosts: e.f.g.h at GG:GG:GG:GG:GG:GG is told "ARP: i.j.k.l is at II:II:II:II:II:II" and i.j.k.l at HH:HH:HH:HH:HH:HH is told "ARP: e.f.g.h is at JJ:JJ:JJ:JJ:JJ:JJ", while a.b.c.d and w.x.y.z keep their poisoned entries; the attacker's machine (MAC CC:CC:CC:CC:CC:CC) relays between all the bogus addresses]
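The spoofed ARP replies in the arpspoof and Hunt figures above, and one way to catch them, as an added Python example (not from the slides, dsniff or Hunt): build_arp_reply() assembles the Ethernet/ARP frame that says "w.x.y.z is at DD:DD:...", parse_arp() decodes it, and ArpWatch keeps the first IP-to-MAC binding it sees and flags any reply that tries to change it (the approach of the arpwatch tool). All addresses are constructed for the demo and nothing is sent on the wire.

```python
"""Spoofed ARP replies and an arpwatch-style detector.

Added example, not from the slides. build_arp_reply() builds the frame an
ARP spoofer sends, parse_arp() decodes it, and ArpWatch remembers the first
MAC seen for each IP and reports any reply that changes the binding, which
is exactly what the poisoning in the figures does. Addresses are constructed.
"""
import ipaddress
import struct

ETH_P_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp_reply(sender_ip, sender_mac, target_ip, target_mac) -> bytes:
    """Ethernet frame carrying 'sender_ip is at sender_mac', addressed to target."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # hardware type Ethernet (1), protocol IPv4 (0x0800), hlen 6, plen 4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += mac_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def parse_arp(frame: bytes):
    """Return (op, sender_ip, sender_mac, target_ip, target_mac), or None if not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    op = struct.unpack("!H", frame[20:22])[0]
    smac, sip = mac_str(frame[22:28]), str(ipaddress.IPv4Address(frame[28:32]))
    tmac, tip = mac_str(frame[32:38]), str(ipaddress.IPv4Address(frame[38:42]))
    return op, sip, smac, tip, tmac


class ArpWatch:
    """Remember the first MAC seen for each IP; report changes (possible poisoning)."""

    def __init__(self):
        self.table = {}
        self.alerts = []

    def observe(self, frame: bytes):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return
        _, sip, smac, _, _ = parsed
        known = self.table.setdefault(sip, smac)
        if known != smac:
            self.alerts.append(f"{sip} changed from {known} to {smac}")


def demo() -> list:
    """A legitimate reply from the router, then the attacker's poisoned one."""
    router_ip, router_mac = "10.0.0.1", "aa:aa:aa:aa:aa:aa"
    victim_ip, victim_mac = "10.0.0.2", "bb:bb:bb:bb:bb:bb"
    attacker_mac = "cc:cc:cc:cc:cc:cc"
    watch = ArpWatch()
    watch.observe(build_arp_reply(router_ip, router_mac, victim_ip, victim_mac))    # legit
    watch.observe(build_arp_reply(router_ip, attacker_mac, victim_ip, victim_mac))  # poison
    return watch.alerts


if __name__ == "__main__":
    print(demo())
```

The detector is only as good as its first observation: if the attacker poisons the table before the monitor starts, the bogus binding becomes the baseline, which is why production deployments seed the table from DHCP leases or a static inventory.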
Netcat: A General Purpose Network Tool
• The Swiss Army knife of network tools
• Two modes
– Client mode: nc [remote_machine] [port]
– Listen mode: nc -l
– Supports source routing
[Figure: In client mode, Netcat takes input from a file (or stdin) and sends the output across the network to any TCP or UDP port on any system; in listen mode, it receives input from the network on any TCP or UDP port and writes it out]
Netcat for File Transfer
• Pushing
– Destination machine receiving the file
• $ nc -l -p 1234 > [file]
– Source machine sending the file
• $ nc [remote_machine] 1234 < [file]
[Figure: The SOURCE runs Netcat in client mode with input from a file and sends to TCP port X; the DESTINATION runs Netcat in listen mode on port X and writes the output to a file]
Netcat for File Transfer
• Pulling
– Source machine, offering the file for transfer
• $ nc -l -p 1234 < [file]
– Destination machine, pulling the file
• $ nc [remote_machine] 1234 > [file]
[Figure: The SOURCE runs Netcat in listen mode on port X with input from a file and dumps the file across the network; the DESTINATION runs Netcat in client mode, connects to port X, receives the file from the network and writes it to a file]
Netcat for Port Scanning
• Supports only standard, "vanilla" port scans, which complete the
TCP three-way handshake
• $ echo QUIT | nc -v -w 3 [target_machine] [startport]-[endport]
Netcat for Vulnerability Scanning
• Used as a limited vulnerability scanning tool
• Write various scripts that implement vulnerability checks
• The UNIX version of Netcat ships with several shell scripts, including
checks for
– RPC
– NFS
– Weak trust relationships
– Bad passwords
• Limited compared to Nessus
Relaying Traffic with Netcat
[Figure: A Netcat relay: the output of a Netcat listener is sent to the input of a Netcat client, which connects onward; relays can be chained, listener to client, listener to client]
Relaying Traffic with Netcat
[Figure: No traffic is allowed from OUTSIDE to INSIDE, but DNS traffic (UDP 53) is allowed from outside to the DMZ, and SMTP traffic (TCP 25) is allowed from the DMZ to inside. On the DMZ SYSTEM COMPROMISED BY THE ATTACKER, a Netcat listener on UDP port 53 sends its output to the input of a Netcat client that originates a connection to TCP port 25, where a NETCAT LISTENER ON THE INTERNAL SYSTEM waits; the outside attacker's Netcat client thus reaches the inside through two permitted hops]
Introduction to DoS
Denial-of-Service attack categories (where the attack is launched from vs. what it does):
• Locally, stopping services: process killing, system reconfiguring, process crashing
• Locally, exhausting resources: forking processes to fill the process table, filling up the whole file system
• Remotely, stopping services: malformed packet attacks (e.g., Land, Teardrop, etc.)
• Remotely, exhausting resources: packet floods (e.g., SYN flood, Smurf, Distributed Denial of Service)
Stopping Local Services
• Using a local account, stopping valuable
processes that make up services
– Shut down the inetd process
• Methods for stopping local services:
– Process killing
– System reconfiguration
– Process crashing
• A nasty example: the logic bomb
– Logic bomb extortion threats
Locally Exhausting Resources
• When resources are exhausted, the system grinds to a halt,
preventing legitimate access
• Methods for exhausting local resources
– Filling up the process table
– Filling up the file system
– Sending outbound traffic that fills up the
communications link
Remotely Stopping Services
• Remote DoS attacks are more prevalent
• Exploit an error in the TCP/IP stack
Exploit Name | Overview of How It Works | Susceptible Platforms
Land | Sends a spoofed packet where the source IP address is the same as the destination IP address and the source port is the same as the destination port. The target receives a packet that appears to be leaving the same port it is arriving on, at the same time, on the same machine. Older TCP/IP stacks get confused by this unexpected event and crash. | A large number of platforms, including Windows systems, various UNIX types, routers, printers, etc.
Latierra | A relative of Land, which sends multiple Land-type packets to multiple ports simultaneously. | A large number of platforms, including Windows systems, various UNIX types, routers, printers, etc.
Ping of Death | Sends an oversized ping packet. Older TCP/IP stacks cannot properly handle a ping packet greater than 64 kilobytes (the reassembled datagram exceeds the 65,535-byte IP maximum) and crash when one arrives. | Numerous systems, including Windows, many UNIX variants, printers, etc.
Jolt2 | Sends a stream of packet fragments, none of which has a fragment offset of zero, so none of the fragments looks like the first one in the series. As long as the stream of fragments is being sent, rebuilding these bogus fragments consumes all processor capacity on the target machine. | Windows 95, 98, NT, and 2000
Teardrop, Newtear, Bonk, Syndrop | Various tools that send overlapping IP packet fragments. The fragment offset values in the packet headers are set to incorrect values, so the fragments do not align properly when reassembled. Some TCP/IP stacks crash when they receive such overlapping fragments. | Windows 95, 98, and NT, and Linux machines
Winnuke | Sends garbage data to an open file-sharing port (TCP port 139) on a Windows machine. When data arrives on the port that is not formatted as legitimate Server Message Block (SMB) protocol, the system crashes. | Windows 95 and NT
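Three of the signatures in the table, written as detection logic in an added Python example (not from the slides or any IDS): a Land check (source equals destination address and port), a Ping-of-Death check (a fragment that would reassemble past the 65,535-byte IP maximum) and a Teardrop-style overlap check on queued fragments. It works on a simplified packet record holding the fields an IDS reads from the IP and transport headers; the capture is constructed inside the block.

```python
"""Detecting the malformed-packet DoS signatures from the table above.

Added example; not from the slides. Works on a simplified, constructed packet
record and flags Land, Ping-of-Death and Teardrop-style overlapping fragments.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str               # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    ip_id: int = 0
    frag_offset: int = 0     # in bytes (header field * 8)
    more_fragments: bool = False
    payload_len: int = 0


def is_land(p: Pkt) -> bool:
    """Land: source address and port equal destination address and port."""
    return p.proto in ("tcp", "udp") and p.src == p.dst and p.sport == p.dport


def is_ping_of_death(p: Pkt) -> bool:
    """A fragment that would reassemble beyond the 65,535-byte IP maximum."""
    return p.frag_offset + p.payload_len > 65535


class FragmentTracker:
    """Queue fragments per (src, dst, id) and report overlaps (Teardrop family)."""

    def __init__(self):
        self.seen = defaultdict(list)

    def add(self, p: Pkt) -> bool:
        """Return True if this fragment overlaps one already queued for the datagram."""
        key = (p.src, p.dst, p.ip_id)
        start, end = p.frag_offset, p.frag_offset + p.payload_len
        overlap = any(start < e and s < end for s, e in self.seen[key])
        self.seen[key].append((start, end))
        return overlap


def scan(packets):
    """Return a list of (packet index, signature name) findings."""
    tracker = FragmentTracker()
    findings = []
    for i, p in enumerate(packets):
        if is_land(p):
            findings.append((i, "land"))
        if is_ping_of_death(p):
            findings.append((i, "ping-of-death"))
        if (p.frag_offset or p.more_fragments) and tracker.add(p):
            findings.append((i, "overlapping-fragment"))
    return findings


# Constructed capture: a normal packet, a Land packet, a ping-of-death last
# fragment, and two Teardrop-style overlapping fragments of one datagram.
SAMPLE = [
    Pkt("10.0.0.2", "10.0.0.5", "tcp", 40000, 80),
    Pkt("10.0.0.5", "10.0.0.5", "tcp", 139, 139),
    Pkt("10.0.0.9", "10.0.0.5", "icmp", ip_id=7, frag_offset=65120, payload_len=1480),
    Pkt("10.0.0.9", "10.0.0.5", "udp", ip_id=8, frag_offset=0, more_fragments=True, payload_len=36),
    Pkt("10.0.0.9", "10.0.0.5", "udp", ip_id=8, frag_offset=24, payload_len=16),
]

if __name__ == "__main__":
    for index, signature in scan(SAMPLE):
        print(index, signature)
```

Modern stacks survive all of these, but the same checks remain useful: a Land packet or an out-of-range fragment offset never occurs in legitimate traffic, so each is a zero-false-positive indicator that someone is crafting packets.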
Remotely Exhausting Resources
• Using a flood of packets
– SYN floods
– Smurf attacks
– Distributed DoS attacks, DDoS
SYN Flood
• Three-way handshake
• On each SYN the TCP/IP stack allocates a small piece of memory in
its connection queue
– To remember the initial sequence number until the handshake completes
• Two ways to deny service
– Fill the connection queue with half-open connections
– Just fill the entire communications link
SYN Flood
[Figure: A normal aborted handshake: Eve sends SYN (ISN_A) to Bob, Bob answers SYN-ACK, Eve sends RESET!!!, and the connection queue entry is freed up upon receiving the RESET packet. In the flood, Eve sends SYN (X1, ISN_x), SYN (X2, ISN_x), SYN (X3, ISN_x), ... from spoofed addresses that never answer Bob's SYN-ACKs, so the half-open entries stay in the queue until they time out]
SYN cookies (Linux kernel)
• ISN_B is a function of the source IP address, destination IP address,
port numbers and a secret seed. Bob doesn't remember ISN_B or store any
information about the half-open connection in the queue.
• Handshake with Alice: Alice sends SYN (A, ISN_A); Bob replies SYN (B, ISN_B)
ACK (A, ISN_A); Alice sends ACK (B, ISN_B).
• When the ACK (B, ISN_B) arrives, Bob applies the same function to the ACK
packet to check whether the value of ISN_B is legitimate. If it is a valid
ISN_B, the connection is established.
• Eve sends spoofed packets from X: Bob never stores information in the
connection queue for these SYNs; instead Bob just sends SYN (B, ISN_B)
ACK (X, ISN_x), and since no valid ACK ever comes back from X, nothing is
ever allocated.
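The SYN-cookie exchange above, worked through in an added Python example (not code from the slides or from the Linux kernel): Bob's ISN_B is an HMAC over the two addresses, the two ports, a coarse time counter and a secret seed, so he stores nothing until an ACK arrives that carries a cookie he can recompute. Alice's legitimate handshake is accepted, Eve's spoofed source X (which never sees the SYN-ACK) fails, and a cookie from an old time window is rejected. Addresses, the secret and the cookie layout are constructed for the demo.

```python
"""SYN cookies as described above: Bob stores nothing per half-open SYN.

Added example, not code from the slides or the Linux kernel. The cookie
(Bob's ISN_B) is an HMAC over the 4-tuple, a coarse timestamp and a secret
seed; the connection exists only once an ACK carries a cookie that
recomputes correctly. Addresses and the secret are constructed.
"""
import hashlib
import hmac
import os
import time

SECRET = os.urandom(16)     # Bob's secret seed (rotated periodically in practice)
COUNTER_PERIOD = 64         # seconds each cookie time window lasts


def _cookie(src_ip, dst_ip, sport, dport, counter, secret=SECRET) -> int:
    """32-bit cookie: 24 bits of HMAC plus the low 8 bits of the time counter."""
    msg = f"{src_ip}|{dst_ip}|{sport}|{dport}|{counter}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return ((int.from_bytes(digest[:3], "big") << 8) | (counter & 0xFF)) & 0xFFFFFFFF


def make_syn_ack(src_ip, dst_ip, sport, dport, isn_a, now=None) -> dict:
    """Bob's reply to a SYN: SYN-ACK with ISN_B = cookie; no queue entry is made."""
    counter = int((time.time() if now is None else now) // COUNTER_PERIOD)
    isn_b = _cookie(src_ip, dst_ip, sport, dport, counter)
    return {"flags": "SYN-ACK", "seq": isn_b, "ack": (isn_a + 1) & 0xFFFFFFFF}


def accept_ack(src_ip, dst_ip, sport, dport, ack_num, now=None, max_age_periods=1) -> bool:
    """Bob checks the final ACK: ack_num - 1 must equal a cookie for a recent window."""
    isn_b = (ack_num - 1) & 0xFFFFFFFF
    current = int((time.time() if now is None else now) // COUNTER_PERIOD)
    for age in range(max_age_periods + 1):
        counter = current - age
        if (isn_b & 0xFF) != (counter & 0xFF):
            continue                       # cookie does not claim this window
        expected = _cookie(src_ip, dst_ip, sport, dport, counter)
        if hmac.compare_digest(expected.to_bytes(4, "big"), isn_b.to_bytes(4, "big")):
            return True
    return False


def demo(now=1_000_000.0) -> tuple:
    alice, bob = "10.1.1.10", "10.1.1.20"
    # Alice: real handshake, she echoes ISN_B + 1 in her ACK.
    synack = make_syn_ack(alice, bob, 50000, 80, isn_a=12345, now=now)
    alice_ok = accept_ack(alice, bob, 50000, 80, synack["seq"] + 1, now=now)
    # Eve: spoofed source X never receives the SYN-ACK, so any ACK she forges is a guess.
    eve_ok = accept_ack("192.0.2.66", bob, 50001, 80, 0xDEADBEEF, now=now)
    # A cookie minted ten windows ago is rejected even though it was once valid.
    stale = make_syn_ack(alice, bob, 50002, 80, isn_a=1, now=now - 10 * COUNTER_PERIOD)
    stale_ok = accept_ack(alice, bob, 50002, 80, stale["seq"] + 1, now=now)
    return alice_ok, eve_ok, stale_ok


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

The price of statelessness is visible in the layout: only 24 bits of the ISN carry the MAC, so Bob's guarantee is probabilistic, and the real Linux implementation additionally squeezes the peer's MSS into the cookie because there is no queue entry to remember it in.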
Smurf Attacks
• Also known as directed broadcast attacks
• The router converts the IP broadcast message to a MAC broadcast
message using the MAC address FF:FF:FF:FF:FF:FF
– Every machine on the segment reads the message and sends a response
Smurf Attacks
[Figure: The attacker sends a broadcast ping spoofed from w.x.y.z to a network acting as a SMURF AMPLIFIER; every host on it replies, and the flood of responses lands on the victim w.x.y.z ("UGH!")]
DDoS Architecture
• First, take over a large number of victim machines, referred to as
"zombies"
• Install the zombie software on those systems
– The zombie component of the DDoS tool
• The attacker uses a special client tool to interact with the zombies
A DDoS Attack: Tribe Flood Network 2000
[Figure: The ATTACKER, reaching the TFN2K CLIENT with a Netcat client, commands several ZOMBIES, which all flood the VICTIM ("UGH!")]
TFN2K, a Powerful DDoS Tool
• Attack types include:
– Targa (a collection of malformed-packet attacks)
– UDP flood
– SYN flood
– ICMP flood
– Smurf attack
– "Mix" attack: UDP, SYN and ICMP floods together
TFN2K, a Powerful DDoS Tool
• Features
– Authentication using an encrypted password
– All packets from the client to the zombies are sent as ICMP Echo Reply packets
• ICMP Echo Replies are allowed into many networks
• No port number is associated with ICMP, so there is nothing to filter on
• Finding the attacker is very difficult
• The client machine holds an encrypted file listing the IP addresses of
all the zombies under its control
– Allows the attacker to run a single arbitrary command simultaneously
on all zombies
Maintaining Access: Trojans,
Backdoors, and Rootkits
Backdoors
• Allow an attacker to access a machine using an
alternative entry method
• To bypass the front door
• When Attackers Collide
– Attacker closes security holes, and installs
backdoor
– Backdoor security controls even stronger than
standard system security controls, possibly using
SSH
Backdoors Melded into Trojan Horses
Type of Trojan Horse Backdoor | Characteristics | Analogy | Example Tools
Application-level Trojan Horse Backdoor | A separate application runs on the system, giving the attacker backdoor access. | An attacker adds poison to your soup. A foreign entity is added into the existing system by the attacker. | Back Orifice 2000 (BO2K); Sub7; Hack-a-tack; QAZ
Traditional RootKits | Critical operating system components are replaced or modified by the attacker to create backdoors and hide on the system. | An attacker replaces the potatoes in your soup with modified potatoes that are poisonous. The existing components of the system are modified by the attacker. | Linux RootKit 5 for Linux; T0rnKit for Linux and Solaris; other platform-specific RootKits for SunOS, AIX, SCO, Solaris, etc.
Kernel-level RootKits | The operating system kernel itself is modified to foster backdoor access and allow the attacker to hide. | An attacker replaces your tongue with a modified, poison tongue so that you cannot detect their deviousness by looking at the soup. The very organs you eat with are modified to poison you. | Knark for Linux; Adore for Linux; Plasmoid's Solaris Kernel-Level RootKit; Windows NT RootKit
Application-Level
• Add a separate application to a system
• Mostly developed for Windows platforms
• RootKits are more popular in the UNIX world
• Ex. Back Orifice 2000 (BO2K)
[Figure: Remote access and control: the ATTACKER runs the backdoor client, which talks across the NETWORK (Internet, intranet, etc.) to the backdoor server on the VICTIM]
Traditional RootKits
• Replace critical operating system executables
• Traditionally focused on UNIX systems
• NT/2000 RootKits replace Dynamic Link Libraries
Comparison
[Figure: Comparing application-level Trojan horse backdoors with traditional RootKits. Left: with an application-level backdoor ("EVIL BACKDOOR") the system executables remain intact (good login, good ps, good ifconfig on top of the KERNEL) and the backdoor is a separate program. Right: with a traditional RootKit the system executables themselves are altered to include the backdoor (login with backdoor, Trojan ps, Trojan ifconfig) and other stealth capabilities, while the kernel is untouched]
What Do Traditional RootKits Do?
• RootKits depend on the attacker already having root access
• A RootKit is a suite of tools that allows the attacker to maintain
root-level access by implementing a backdoor
/bin/login Replacement
• Authentication
• A RootKit replaces /bin/login with a
modified version that includes a backdoor
password
Traditional RootKits
• Linux RootKit 5 (lrk5)
– Targeting Linux systems
• t0rnkit
– Targeting Linux and Solaris systems
Nastiest:
Kernel-Level RootKits
• The kernel is the fundamental, underlying part of the OS
[Figure: a traditional RootKit (left) runs Trojan login, Trojan ps and Trojan ifconfig on top of a good kernel; a kernel-level RootKit (right) leaves the good login, ps, ifconfig and tripwire binaries untouched and instead loads a Trojan kernel module, which lies to all of them]
What They Can Do…
• The Power of Execution Redirection
  – Most kernel-level RootKits include a capability to do execution redirection
  – Bait-and-switch: the file on disk is left untouched, but a request to execute it is redirected to the attacker's version
  – /bin/login -> /bin/backdoorlogin
• File Hiding
  – Kernel-level RootKits support file hiding
  – Implemented in the kernel
• Process Hiding
  – Hiding processes, such as a Netcat backdoor
• Network Hiding
  – netstat: masking particular network port usage
  – A port scan with Nmap from another host can still reveal the hidden port, because the hiding only affects tools run on the compromised system
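The process-hiding case above can be checked from the outside of the hidden view. The following cross-view check is an added example, not code from the course or from Counter Hack: it compares what /proc lists with what the kernel admits to when every PID is probed, and reports the difference. It assumes Linux /proc semantics; the PID sets in the demo are constructed.

```python
"""Cross-view check for hidden processes (added example, not from the course).

A kernel-level RootKit that hides a process (Knark's 'kill -31 pid', for
instance) filters what /proc, and therefore ps, reports, but the process
still exists and the kernel still answers questions about its PID.
Comparing two independent views of the PID space exposes the difference:
  1. the numeric entries under /proc (what a Trojaned ps would show), and
  2. a brute-force probe of every PID with kill(pid, 0), which asks whether
     the PID exists without delivering a signal.
PIDs that answer the probe but are absent from /proc deserve a close look.
The comparison is a pure function so it can be exercised on constructed
data; the collectors assume Linux /proc semantics and need no privileges.
"""
import os


def find_hidden_pids(listed, probed):
    """PIDs present in the probed view but missing from the listed view."""
    return sorted(set(probed) - set(listed))


def pid_is_alive(pid):
    """kill(pid, 0): ESRCH means no such process; EPERM means it exists but
    belongs to another user, which still counts as alive."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def pids_from_proc(proc_root="/proc"):
    """View 1: every PID and thread ID that /proc lists.

    Thread IDs are included because kill(tid, 0) succeeds for threads too,
    and they are only listed under /proc/<pid>/task, not at the top level;
    without them every multithreaded program would look like a hidden process.
    """
    ids = set()
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        ids.add(int(name))
        try:
            ids.update(int(t) for t in os.listdir(f"{proc_root}/{name}/task"))
        except OSError:
            pass  # the process exited while we were looking at it
    return ids


def pids_by_probe(max_pid=None):
    """View 2: PIDs that the kernel says exist, by probing the whole range."""
    if max_pid is None:
        try:
            with open("/proc/sys/kernel/pid_max") as fh:
                max_pid = int(fh.read())
        except OSError:
            max_pid = 32768
    return {pid for pid in range(1, max_pid + 1) if pid_is_alive(pid)}


def scan_live():
    """Run both collectors on this host and re-check each suspect, so that
    processes which merely started or exited while the two views were being
    collected are not reported as hidden."""
    suspects = find_hidden_pids(pids_from_proc(), pids_by_probe())
    fresh = pids_from_proc()
    return [pid for pid in suspects if pid not in fresh and pid_is_alive(pid)]


if __name__ == "__main__":
    # Constructed views: PID 4242 answers the probe but /proc does not list it.
    print(find_hidden_pids({1, 2, 150, 151}, {1, 2, 150, 151, 4242}))  # [4242]
    if os.path.isdir("/proc"):
        print("hidden on this host:", scan_live())
```

The check raises the bar rather than settling the question: a module that also hooks the kill system call, or the directory reads under /proc/<pid>/task, defeats it, and the interpreter and libraries it runs with must themselves come from trusted media, for the same reason the slide's Trojaned ps cannot be trusted.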
How to Implement Kernel-Level RootKits
• Loadable Kernel Modules (LKMs)
• Many kernel-level RootKits are implemented as LKMs
  – insmod knark.o
Some Examples of Kernel-Level RootKits
• Knark, a Linux Kernel-Level RootKit
  – Remote execution
  – Promiscuous mode hiding
  – Task hacking
  – Real-time process hiding
    • kill -31 process_id
  – Kernel-module hiding
    • The Knark package includes a separate module called modhide
Some Examples of Kernel-Level RootKits
• Adore, Another Linux Kernel-Level RootKit
• Plasmoid’s Solaris Loadable Kernel Module
RootKit
• Windows NT Kernel-Level RootKit by
RootKit.com
– www.rootkit.com
– A patch
Network Compromise & Denial of Service
[Figure: zones (Extranet, Internet, Intranet/Internal System, Remote Access) with points of attack: Internet 74%, Internal System 33%, Remote Access 12%]
Attack categories shown in the figure:
• Poor service configuration: e.g., DNS, Mail, FTP and Web
• DDoS: Client → Handler → Agent → Victim; e.g., Trinoo and Tribe Flood Network
• Bandwidth consumption: e.g., Smurf and Fraggle
• Host resource starvation: e.g., SYN flood
• Out-of-bounds attack: e.g., Ping of Death and IP fragment attacks
• Protocol weakness: ARP, ICMP
• Authentication: password crackers
• Backdoors
• Application holes
• Physical access
Hackers Beware
Author: Eric Cole; ISBN 0735710090
Mail spam
• Unsolicited Commercial E-mail (UCE), or junk e-mail
  – Usually annoying but harmless commercial advertising.
• But …
  – It can spread a computer virus.
  – It is dangerous when it is a fraud.
  – It is illegal when a chain letter involves the U.S. Postal Service.
• IDC predicts a growing glut of spam:
  – daily e-mail volume rising from 31 billion messages in 2002 to 60 billion in 2006.
• To avoid being traced, senders use forged E-mail addresses and relay their mail through other organizations' mail servers.
History of Spam
• Nothing to do with the Hormel product SPAM (SPiced hAM).
• Monty Python's sketch:
  – A restaurant that serves SPAM with every meal.
  – A particular customer tries to order a meal without SPAM.
  – A side table of SPAM-loving Vikings.
    • When they hear the word SPAM they joyously sing a song about their love for SPAM.
    • The song starts off quietly with the words "SPAM, SPAM, SPAM, SPAM, SPAM..."; the Vikings keep singing, rising in volume and drowning out all other conversation.
  – During the 2.5-minute sketch, the word SPAM is used more than 100 times.
  – Hence the analogy: unwanted messages drowning out normal Internet communications.
http://notebook.ifas.ufl.edu/spam/
React to Mail spam
• When the Ministry of Education receives complaints from home or abroad, it forwards them to the administrators or responsible staff of the twelve regional network centers for handling, and restricts the offending host from connecting to the academic network (TANet) backbone.
• The restriction is lifted only after the mail server's administrator replies that the problem has been handled and fixed (according to the minutes of the 53rd meeting of the TANet Technical Group).
Mailboxes at each regional network center for reporting spam
  Regional network center                   | Report mailbox
  National Taiwan University                | [email protected]
  National Chengchi University              | [email protected]
  National Central University               | [email protected]
  National Chiao Tung University            | [email protected]
  National Chung Hsing University           | [email protected]
  National Chung Cheng University           | [email protected]
  National Cheng Kung University            | [email protected]
  National Sun Yat-sen University           | [email protected]
  National Hualien Teachers College         | [email protected]
  National Dong Hwa University              | [email protected]
  National Taitung Teachers College         | [email protected]
Source: http://140.111.1.22/tanet/spam.html
Malicious Code (惡性程式)
• "Malicious code" refers to all code written with malicious intent, including computer viruses, Trojan horses and worms.
[Figure: growth of malicious code. *Analysis by Symantec Security Response using data from Symantec Security Response, IDC & ICSA; 2002 estimated. **Source: CERT]
Viruses! Viruses! Viruses! (毒!毒!毒!)
Year | Virus | Historical significance | Damage (USD) | Computers attacked (and productivity loss)
2003 | Blaster (疾風病毒) | First virus to exploit a Microsoft vulnerability less than a month after it was published | still being counted | attacked: over 1 million (so far)
2003 | SQL Slammer (SQL警戒) | First virus to attack SQL servers | $1 billion | attacked: over 1 million
2002 | Klez (求職信) | First virus whose variants persisted for a year and still caused worldwide infection | $9 billion | attacked: 6 million
2001 | Code Red (紅色警戒) | First hacker-style virus; its constant scanning for IIS servers disrupted network traffic | $2.62 billion | attacked: 1 million; clean-up cost: $1.1 billion
2001 | Nimda (娜妲) | First hacker-style virus to cripple networks through multiple paths: e-mail, IIS servers and network shares (Network Neighborhood) | $635 million | attacked: over 8 million
http://www.trendmicro.com/tw/about/news/pr/archive/2003/pr030827.htm
Help, I'm infected! (救命, 我中毒了)
What Is a Virus (電腦病毒)?
Virus
• A hidden, self-replicating section of computer software, usually malicious logic, that propagates by infecting--i.e., inserting a copy of itself into and becoming part of--another program (RFC 2828).
• A virus cannot run by itself; it requires that its host program be run to make the virus active.
• When does it "bomb" (trigger its payload)?
  – That depends on how the virus author designed it; it is not an inherent property of viruses.
  • "PETER-2": every February 27 it asks three questions and encrypts the hard disk if they are answered wrongly.
  • "Black Friday" triggers on any Friday the 13th.
What Is a Trojan Horse (特洛伊木馬程式)?
• A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program.
• Typical hidden functions: a RootKit or a backdoor.
• Unlike a computer virus, a Trojan horse does not infect other files.
What Is a Worm (電腦蠕蟲)?
• A computer program that can run independently, can propagate a complete working version of itself onto other hosts on a network, and may consume computer resources destructively.
• The original copies itself many times, and the copies crawl through the network like worms, from one computer to the next.
• The most common ways it spreads are the local area network (LAN), the Internet, or E-mail. The well-known worm VBS_LOVELETTER is one example.
Viruses, Worms and Trojan Horses
                                | Virus                                                                        | Trojan horse           | Worm
Infects other files             | O                                                                            | X                      | X
Spreads itself passively        | O                                                                            | O                      | X
Spreads itself actively         | X                                                                            | X                      | O
Growth in number of programs    | Generally grows with computer use: the number of infected files increases   | Does not increase      | Depends on network connectivity: the wider the reach, the more copies are spread
Destructive capability          | Depends on the author                                                        | Depends on the author  | X
Impact on enterprises           | Medium                                                                       | Low                    | High
Source: http://www.trendmicro.com/tw/security/general/guide/overview/guide01.htm
Anti-Virus Management
• Do not use or install software, floppy disks, CDs or Internet downloads of unknown origin.
• Always install anti-virus software.
  – Remember to update the virus signatures; otherwise new viruses are not stopped.
  – Scan the system regularly for infections.
• Keep up with virus news.
  – Security holes in the OS itself and in application software.
  – Check the relevant web sites and patch the system's security holes.
• Back up data regularly.
Risk Management
[Figure: Risk Management consists of Risk Assessment (threat, vulnerability and asset) and Risk Mitigation (risk mitigation action points), with VPN, Firewall and IDS as the mitigation controls]
• ISO/IEC7799-1:2000 (Part 1)
– a standard code of practice and can be regarded as a
comprehensive catalogue of good security things to do.
•
BS7799-2:2002 (Part 2)
– a standard specification for an Information Security Management
Systems (ISMS).
– Senior Management monitor and control their security, minimizing
the residual business risk and ensuring that security continues to
fulfill corporate, customer and legal requirements.
– Scope, ISMS Policy, Risk assessment, Risk management/Risk
treatment, Select control objectives and controls, Statement of
Applicability (SOA), Risk Treatment Plan
http://www.gammassl.co.uk/bs7799/works.html
http://www.fisc.com.tw/news/MAZ/30/p4a.asp
Guidelines on Firewalls
Building Internet Firewalls
[Figure: firewall types mapped to OSI layers. Application Proxy: Application, Presentation and Session layers. Stateful Inspection: Transport layer. Packet Filter: Network, Data Link and Physical layers.]
Packet Filter Firewalls
• Access control based upon several pieces of information contained in a network packet:
  – The source address of the packet
  – The destination address of the packet
  – The type of traffic: the specific network protocol being used to communicate between the source and destination systems or devices (e.g., ICMP)
  – Possibly some characteristics of the Layer 4 communication sessions, such as the source and destination ports of the sessions
  – The interface of the router the packet came from and the interface of the router the packet is destined for; this is useful for routers with 3 or more network interfaces.
Boundary Routers
• The packet filter, referred to as a boundary router, can block certain attacks, possibly filter unwanted protocols, perform simple access control, and then pass the traffic on to other firewalls that examine higher layers of the OSI stack.
[Figure: Packet Filter used as Boundary Router]
Basic Weaknesses Associated with Packet Filters
• Do not examine upper-layer data
  – Cannot prevent attacks that employ application-specific vulnerabilities or functions.
• Limited information available to the firewall
  – Logging functionality present in packet filter firewalls is limited.
• Do not support advanced user authentication schemes.
• Network protocol weakness
  – Vulnerable to attacks on the TCP/IP specification and protocol stack, such as network layer address spoofing.
• Small number of variables used in access control decisions
  – Susceptible to security breaches caused by improper configurations.
• But …
  – Packet filter firewalls are very fast, and consequently well suited to high-speed environments where logging and user authentication with network resources are not important.
Packet Filter Rulesets
• Actions:
  – Accept: let the packet through
  – Deny: reject the packet and notify the sender
  – Discard: drop the packet silently, without notifying the sender
• By default:
  – Any type of access from the inside to the outside is allowed.
  – No access originating from the outside to the inside is allowed except for SMTP and HTTP.
    • SMTP and HTTP servers are positioned "behind" the firewall.
Stateful Inspection Firewalls
• More secure
  – Track each client's ports individually, opening the return path only for connections the client initiated, rather than opening all high-numbered ports for external access.
• Useful or applicable only within TCP/IP network infrastructures.
• Represent a superset of packet filter firewall functionality.
Application-Proxy Gateway Firewalls
• Combine lower-layer access control with upper-layer (Layer 7, Application Layer) functionality.
• For example: a Web proxy
• In addition to the ruleset, include authentication of each individual network user:
  – User ID and password authentication,
  – Hardware or software token authentication,
  – Source address authentication, and
  – Biometric authentication.
Dedicated Proxy Servers
• Are useful for web and email content scanning:
  – Java applet or application filtering,
  – ActiveX control filtering,
  – JavaScript filtering,
  – Blocking specific Multipurpose Internet Mail Extensions (MIME) types, for example "application/msword" for Microsoft Word documents,
  – Virus scanning and removal,
  – Macro virus scanning, filtering, and removal,
  – Application-specific commands, for example blocking the HTTP DELETE command, and
  – User-specific controls, including blocking certain content types for certain users.
Dedicated Proxy Servers Deployments
Network Address Translation
• Developed in response to two major issues:
  – Hiding the network-addressing schema present behind a firewall environment.
  – The depletion of the IP address space has caused some organizations to use NAT for mapping non-routable IP addresses to a smaller set of legal addresses, according to RFC 1918.
• Accomplished in three fashions:
  – Static Network Address Translation
  – Hiding Network Address Translation (all internal systems appear behind one external address)
  – Port Address Translation (PAT)
[Figure: IANA-allocated, non-Internet-routable (private) IP addresses inside the firewall versus public IP addresses assigned through the American Registry for Internet Numbers (ARIN)]
RFC 1918 private address ranges (recommended non-routable addresses for home networks):
  Address Class | Network Address Range
  A             | 10.0.0.0 ~ 10.255.255.255
  B             | 172.16.0.0 ~ 172.31.255.255
  C             | 192.168.0.0 ~ 192.168.255.255
Static Network Address Translation
• Each internal system on the private network has a corresponding external, routable IP address associated with it.
PAT
• Many internal systems share one external address; each connection is distinguished by the translated source port, and only connections the inside opened have a translation entry.
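The following PAT table is an added example, not code from the course or the NIST guideline. It shows the two points made in the stateful inspection and PAT slides together: client ports are tracked individually, and a reply is let back in only if an inside host opened the flow. Addresses, ports and the port pool are constructed.

```python
"""Port Address Translation with stateful reply handling (added example,
not code from the course or the NIST guideline).

Many internal hosts share one public address.  Each outbound flow is given
a unique external source port and the mapping is remembered so replies can
be translated back.  Only flows the inside opened have mappings, so an
unsolicited inbound packet is dropped: this is the 'tracks client ports
individually' behaviour of a stateful firewall, as opposed to a plain packet
filter that has to leave all high-numbered ports open for return traffic.
Addresses and ports in the demo are constructed.
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class PAT:
    def __init__(self, public_ip, private_net="192.168.0.0/16",
                 port_range=(1024, 65535)):
        self.public_ip = public_ip
        self.private_net = ipaddress.ip_network(private_net)
        self.next_port, self.last_port = port_range
        # outbound key (src, sport, dst, dport, proto) -> external port
        self.outbound = {}
        # inbound key (external port, peer, peer port, proto) -> (src, sport)
        self.inbound = {}

    def _allocate_port(self):
        if self.next_port > self.last_port:
            raise RuntimeError("PAT port pool exhausted")
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def translate_outbound(self, flow):
        """Rewrite an inside->outside packet; None means it is not ours to NAT."""
        if ipaddress.ip_address(flow.src) not in self.private_net:
            return None
        key = (flow.src, flow.sport, flow.dst, flow.dport, flow.proto)
        ext = self.outbound.get(key)
        if ext is None:
            ext = self._allocate_port()
            self.outbound[key] = ext
            self.inbound[(ext, flow.dst, flow.dport, flow.proto)] = (flow.src, flow.sport)
        return replace(flow, src=self.public_ip, sport=ext)

    def translate_inbound(self, flow):
        """Reverse-map a reply; None (drop) if no inside host opened the flow."""
        if flow.dst != self.public_ip:
            return None
        inside = self.inbound.get((flow.dport, flow.src, flow.sport, flow.proto))
        if inside is None:
            return None
        return replace(flow, dst=inside[0], dport=inside[1])


def demo():
    """Two inside hosts that happen to use the same source port reach the
    same web server; only their replies get back in, and to the right host."""
    pat = PAT(public_ip="198.51.100.1")
    a = pat.translate_outbound(Flow("192.168.1.10", 40000, "203.0.113.80", 80))
    b = pat.translate_outbound(Flow("192.168.1.11", 40000, "203.0.113.80", 80))
    reply_to_b = pat.translate_inbound(Flow("203.0.113.80", 80, "198.51.100.1", b.sport))
    unsolicited = pat.translate_inbound(Flow("203.0.113.80", 80, "198.51.100.1", 1026))
    return a, b, reply_to_b, unsolicited


if __name__ == "__main__":
    for f in demo():
        print(f)
```

The table never expires entries; a real implementation ages idle mappings out and, for TCP, watches SYN and FIN flags to decide when the pinhole closes, which is what keeps the stateful firewall from slowly turning back into "all high ports open".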
Personal Firewalls/Personal Firewall Appliances
• Personal Firewall:
  – Installed on the system it is meant to protect;
  – Usually does not offer protection to other systems or resources.
• Personal Firewall Appliance:
  – Usually runs on specialized hardware and integrates some other form of network infrastructure components:
    • Cable modem WAN routing,
    • LAN routing (dynamic routing support),
    • Network hub,
    • Network switch,
    • DHCP (Dynamic Host Configuration Protocol) server,
    • Network management (SNMP) agent, and
    • Application-proxy agents.
DMZ (DeMilitarized Zone)
• A DMZ is your front line when protecting valuables from direct exposure to an untrusted environment.
  – "A network added between a protected network and an external network in order to provide an additional layer of security."
• A DMZ is sometimes called a "perimeter network" or a "three-homed perimeter network."
• A DMZ is a clear example of the Defense-in-Depth principle.
Defense-in-Depth
• The Defense-in-Depth principle states that no one thing, and no two things, will ever provide total security.
• It states that the only way for a system to be reasonably secured is to consider every aspect of the system's existence and secure them all.
• A DMZ is a step towards defense in depth because it adds an extra layer of security beyond that of a single perimeter.
Design DMZ
• Start by asking yourself:
  – What do I want to protect? Or: what is most valuable to me?
  – What is the entrance point into this system? Or: what is my front door?
• If there is more than one entrance to your system, such as an Internet connection and dial-up connections:
  – Have two different DMZs.
  – Have different configurations for each of those access types.
DMZ Networks
A DMZ Firewall Environment
Service Leg DMZ Configuration
Domain Name Service (DNS)
Split DNS example
Placement of Servers in Firewall
Environments
Summary Example Firewall Environment
Firewall Ruleset: Blocking Traffic
• Inbound traffic from a non-authenticated source system with a destination address of the firewall system itself.
• Inbound traffic with a source address indicating that the packet originated on a network behind the firewall.
• Inbound traffic containing ICMP (Internet Control Message Protocol) traffic.
• Inbound or outbound traffic from a system using a source address that falls within the address ranges set aside in RFC 1918 as being reserved for private networks.
• Inbound traffic from a non-authenticated source system containing SNMP (Simple Network Management Protocol) traffic.
• Inbound traffic containing IP source routing information.
• Inbound or outbound network traffic containing a source or destination address of 127.0.0.1 (localhost).
• Inbound or outbound network traffic containing a source or destination address of 0.0.0.0.
• Inbound or outbound traffic containing directed broadcast addresses.
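The blocking rules above, written out as an ordered filter over constructed packets, as an added example (not code from the course or the NIST firewall guideline). The protected network, firewall addresses, management host and sample packets are all assumed values from the documentation address ranges; the rule order and the deny reasons follow the list above.

```python
"""Boundary-router packet filter implementing the blocking rules above
(added example, not from the course or the NIST firewall guideline).

The packet fields are a constructed subset of an IP header: direction
relative to the firewall, source, destination, protocol, destination port
and the source-route option flag.  'inside' is the protected network,
'fw_addrs' the firewall's own interfaces and 'authenticated' the management
hosts allowed to address the firewall or send SNMP.  Rules are evaluated
in order and the first match wins, as in a router ACL.
"""
import ipaddress
from dataclasses import dataclass

PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]   # RFC 1918
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
UNSPECIFIED = ipaddress.ip_address("0.0.0.0")
SNMP_PORTS = {161, 162}


@dataclass
class Packet:
    direction: str            # "in" = arriving from the untrusted side, "out" = leaving
    src: str
    dst: str
    proto: str                # "tcp", "udp" or "icmp"
    dport: int = 0
    source_routed: bool = False


class BoundaryFilter:
    def __init__(self, inside, fw_addrs, authenticated=()):
        self.inside = [ipaddress.ip_network(n) for n in inside]
        self.fw_addrs = {ipaddress.ip_address(a) for a in fw_addrs}
        self.authenticated = {ipaddress.ip_address(a) for a in authenticated}

    def _is_inside(self, addr):
        return any(addr in net for net in self.inside)

    def _is_directed_broadcast(self, addr):
        # The broadcast address of a protected subnet: a Smurf amplifier target.
        return any(addr == net.broadcast_address for net in self.inside)

    def evaluate(self, pkt):
        """Return ('deny', reason) for the first blocking rule that matches,
        otherwise ('accept', ...).  The deny reasons follow the ruleset above."""
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        inbound = pkt.direction == "in"
        unauth = src not in self.authenticated
        rules = [
            (inbound and dst in self.fw_addrs and unauth,
             "unauthenticated traffic addressed to the firewall itself"),
            (inbound and self._is_inside(src),
             "inbound packet claiming an internal source address"),
            (inbound and pkt.proto == "icmp", "inbound ICMP"),
            (any(src in net for net in PRIVATE), "RFC 1918 source address"),
            (inbound and pkt.proto == "udp" and pkt.dport in SNMP_PORTS and unauth,
             "unauthenticated SNMP"),
            (inbound and pkt.source_routed, "IP source routing option"),
            (src in LOOPBACK or dst in LOOPBACK, "loopback address"),
            (src == UNSPECIFIED or dst == UNSPECIFIED, "0.0.0.0 address"),
            (self._is_directed_broadcast(dst), "directed broadcast"),
        ]
        for matched, reason in rules:
            if matched:
                return "deny", reason
        return "accept", "no blocking rule matched"


def demo():
    """Constructed traffic against a filter protecting 203.0.113.0/24."""
    fw = BoundaryFilter(inside=["203.0.113.0/24"],
                        fw_addrs=["203.0.113.1", "198.51.100.1"],
                        authenticated=["198.51.100.10"])
    samples = [
        Packet("in", "198.51.100.77", "203.0.113.25", "tcp", 80),        # web request
        Packet("in", "203.0.113.9", "203.0.113.25", "tcp", 80),          # spoofed insider
        Packet("in", "10.1.2.3", "203.0.113.25", "tcp", 80),             # RFC 1918 source
        Packet("in", "198.51.100.77", "203.0.113.25", "icmp"),           # ping from outside
        Packet("in", "198.51.100.77", "203.0.113.255", "udp", 7),        # Fraggle-style
        Packet("in", "198.51.100.77", "203.0.113.1", "tcp", 22),         # ssh to firewall
        Packet("in", "198.51.100.10", "203.0.113.1", "udp", 161),        # NMS polling firewall
        Packet("in", "198.51.100.77", "203.0.113.25", "udp", 161),       # stray SNMP
        Packet("out", "203.0.113.25", "127.0.0.1", "tcp", 80),           # loopback dst
        Packet("in", "198.51.100.77", "203.0.113.25", "tcp", 80, True),  # source routed
    ]
    return [fw.evaluate(p) for p in samples]


if __name__ == "__main__":
    for verdict, reason in demo():
        print(f"{verdict:6} {reason}")
```

The RFC 1918 rule belongs on the external interface, after NAT has rewritten outbound sources; applied on the inside interface of a privately addressed network it would drop every outbound packet. The order also matters for the log: with a privately addressed inside, a spoofed internal source would be logged as spoofing rather than as a stray private address only because that rule comes first.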
[Figure: inbound traffic → FW → outbound traffic]
Network Intrusion Detection Systems
• An intrusion is an attempt to:
  – Compromise the confidentiality, integrity or availability of a computer or network, or
  – Bypass the security mechanisms of a computer or network
IDS History
http://www.securityfocus.com/infocus/1514
Types of IDS (Information Source)
• Host (HID): operates on information collected from within an individual computer system (e.g., logs or OS system calls).
• Application (AID): operates on application transaction logs.
• Application-Integrated (AIID): uses a module coupled with the application to extract the desired information and monitor transactions; e.g., Entercept Web Server Edition.
• Network (NID): captures and analyzes all network packets.
• Network-Node (NNID): monitors packets to/from a specific node.
http://www.networkintrusion.co.uk/ids.htm
Complement IDS Tools
• File Integrity Checkers: create a baseline by applying a message digest (cryptographic hash) to key files, then check the files periodically against it.
• Vulnerability Assessment: determine whether a network or host is vulnerable to known attacks.
• Honey Pot: a system/resource designed to be attractive to potential attackers.
• Padded Cell: when the IDS detects attackers, it seamlessly transfers them to a special padded cell host.
Source: http://www.icsalabs.com/html/communities/ids/buyers_guide/guide/index.shtml
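A minimal file integrity checker of the kind described above, which also serves the earlier /bin/login replacement slide: the baseline is what lets an administrator notice that login, ps or ifconfig has been swapped for a Trojaned copy. This is an added example, not code from the course, Tripwire or the ICSA guide; the stand-in "binaries", their contents and the backdoor password in the demo are constructed and live in a throw-away directory.

```python
"""Tripwire-style file integrity checker (added example, not from the course).

A traditional RootKit replaces trusted binaries such as /bin/login, ps and
ifconfig with Trojaned copies.  A baseline of cryptographic hashes taken
while the system is known-good, and kept where the attacker cannot rewrite
it (read-only media, a remote log host), lets the administrator detect those
replacements later: any file whose current hash, size or mode differs from
the baseline has been modified.  The demo builds its own throw-away
directory with constructed 'binaries'; no real system files are touched.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def file_digest(path, algorithm="sha256"):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def fingerprint(path):
    """Digest plus the metadata an attacker would also have to preserve."""
    st = os.lstat(path)
    return {
        "sha256": file_digest(path),
        "size": st.st_size,
        "mode": oct(stat.S_IMODE(st.st_mode)),
    }


def build_baseline(paths):
    """Record a fingerprint for every path; run this on a known-good system."""
    return {str(p): fingerprint(p) for p in paths}


def check_baseline(baseline):
    """Compare the live files against the baseline.

    Returns lists of 'modified' (content or mode changed), 'missing' and
    'ok' paths.  A changed hash with an unchanged size is the classic sign of
    a Trojaned binary padded to its original length to fool 'ls -l'.
    """
    result = {"modified": [], "missing": [], "ok": []}
    for path, expected in baseline.items():
        if not os.path.lexists(path):
            result["missing"].append(path)
        elif fingerprint(path) != expected:
            result["modified"].append(path)
        else:
            result["ok"].append(path)
    return result


def save_baseline(baseline, dest):
    """Serialize the baseline; store the file off-host or on read-only media."""
    Path(dest).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src):
    return json.loads(Path(src).read_text())


def demo(root=None):
    """Constructed scenario: baseline three stand-in binaries, then have an
    'attacker' replace login with a copy that accepts a backdoor password and
    delete ifconfig.  Returns the report keyed by file name."""
    root = Path(root or tempfile.mkdtemp(prefix="integrity-demo-"))
    login, ps, ifconfig = root / "login", root / "ps", root / "ifconfig"
    login.write_bytes(b"#!/bin/sh\nexec /usr/bin/real-login \"$@\"\n")
    ps.write_bytes(b"#!/bin/sh\nexec /usr/bin/real-ps \"$@\"\n")
    ifconfig.write_bytes(b"#!/bin/sh\nexec /usr/bin/real-ifconfig \"$@\"\n")
    baseline = build_baseline([login, ps, ifconfig])
    save_baseline(baseline, root / "baseline.json")
    # The RootKit installs its /bin/login replacement and removes a tool.
    login.write_bytes(b"#!/bin/sh\n[ \"$1\" = s3cret ] && exec /bin/sh\n"
                      b"exec /usr/bin/real-login \"$@\"\n")
    ifconfig.unlink()
    report = check_baseline(load_baseline(root / "baseline.json"))
    return {k: sorted(Path(p).name for p in v) for k, v in report.items()}


if __name__ == "__main__":
    print(demo())  # {'modified': ['login'], 'missing': ['ifconfig'], 'ok': ['ps']}
```

The checker only sees what the kernel shows it. A kernel-level RootKit that redirects execution or answers reads with the original bytes (the Trojan kernel module in the kernel-level RootKit figure) presents a clean file to this code, which is exactly why the slides rank kernel-level RootKits as the nastiest; the baseline must come from known-good media and the checker itself should run from trusted media.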
IDS Life Cycle
Setting up the current generation of IDSs requires a substantial time investment to ensure they'll flag only suspicious traffic and leave everything else alone.
www.nwfusion.com/techinsider/2002/0624security1.html
[Figure: IDS life cycle. Installation; Configuration (vulnerability assessment); Tuning (information collecting, filtering and correlation, traffic analysis); Testing (accuracy, resource usage, stress); Signature updating and signature writing]
IDS Market Forecast (I)
Source: IDC, 2001
IDS Market Forecast (II)
Source: IDC, 2001
When Firewall Meets IDS
Firewall
• A gateway that restricts data communication traffic to and from one of the connected networks (the one said to be "inside" the firewall) and thus protects that network's system resources against threats from the other network (the one that is said to be "outside" the firewall).
• Access control
• NAT
• Prevents attacks
IDS
• A security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner.
• Validates the firewall configuration
• Detects attacks that firewalls allow to pass through (such as attacks against web servers)
• Catches insider hacking
NIDS Deployments
• Location 1, outside the external firewall (Internet side):
  – See all outside attacks, to help forensic analysis
• Location 2, in the DMZ behind the external firewall:
  – Identify DMZ-related attacks
  – Spot outside attacks that penetrate the network's perimeter
  – Avoid outside attacks on the IDS itself
  – Highlight external firewall problems with the policy/performance
  – Pinpoint compromised servers via outgoing traffic
• Location 3, on network backbones:
  – Increase the possibility of recognizing attacks
  – Detect attacks from insiders or authorized users within the security perimeter
  – Sensor connection modes: tap, SPAN (mirror), port clustering, in-line
• Location 4, on critical subnets:
  – Observe attacks on critical systems and resources
  – Provide cost-effective solutions
IDS Balancer
• Examples: TopLayer's IDS Balancer, Radware FireProof
• Fed from a GigaBit SX tap or fiber tap between the Internet and the network, distributing traffic across several sensors
• Availability
• Scalability
• ROI
• Cost-effective (reduce sensors while increasing intrusion coverage)
Detection Engine Analysis
• Simple pattern matching
• Traffic anomalies
• Protocol anomalies
• String matching weaknesses
• Stateful signatures
• Backdoor detection
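The "string matching weakness" above, and the IDS evasion it enables, shown as an added example (not code from the course or from any real IDS ruleset): two hypothetical signatures are run over constructed HTTP requests, first on the raw bytes and then after the request target is decoded the way the web server would decode it. Only the normalized engine catches the encoded variants, and one double-encoded request shows where even that stops.

```python
"""Signature matching with and without protocol normalization (added example,
not from the course or any real IDS ruleset).

It shows the 'string matching weakness' listed above: a signature that looks
for a literal byte string in the payload is defeated by encodings the target
web server still understands.  Constructed HTTP requests for the same CGI are
matched raw and after decoding the request target; only the normalized view
catches the encoded variants.  The two rules are hypothetical.
"""
import re
from urllib.parse import unquote_to_bytes

RULES = [
    {"name": "phf-cgi-access", "pattern": rb"/cgi-bin/phf"},
    {"name": "directory-traversal", "pattern": rb"\.\./\.\./"},
]


def raw_match(payload):
    """Naive engine: search for each pattern in the bytes as they were captured."""
    return [r["name"] for r in RULES if re.search(r["pattern"], payload)]


def normalize_request(payload):
    """Decode the HTTP request target the way the server will before matching:
    one round of %xx decoding, then collapse '/./' and '//' path segments.
    Headers and body are left alone."""
    line, sep, rest = payload.partition(b"\r\n")
    parts = line.split(b" ")
    if len(parts) != 3:
        return payload                       # not a request line; nothing to normalize
    target = unquote_to_bytes(parts[1])
    while b"/./" in target:
        target = target.replace(b"/./", b"/")
    while b"//" in target:
        target = target.replace(b"//", b"/")
    return b" ".join((parts[0], target, parts[2])) + sep + rest


def normalized_match(payload):
    return raw_match(normalize_request(payload))


# Constructed traffic: the same two attacks in plain and evasive encodings.
SAMPLES = {
    "plain-phf": b"GET /cgi-bin/phf?Qalias=x%0Acat%20/etc/passwd HTTP/1.0\r\n\r\n",
    "hex-encoded-phf": b"GET /cgi-bin/%70%68%66?Qalias=x HTTP/1.0\r\n\r\n",
    "dot-segment-phf": b"GET /cgi-bin/./phf?Qalias=x HTTP/1.0\r\n\r\n",
    "encoded-traversal": b"GET /..%2f..%2fetc/passwd HTTP/1.0\r\n\r\n",
    "double-encoded-traversal": b"GET /..%252f..%252fetc/passwd HTTP/1.0\r\n\r\n",
    "benign": b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
}


def scan(samples=SAMPLES):
    """Run both engines over the samples; returns {name: (raw hits, normalized hits)}."""
    return {name: (raw_match(p), normalized_match(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (raw, norm) in scan().items():
        print(f"{name:26} raw={raw} normalized={norm}")
```

The normalizer has to mirror the target: a server that decodes twice would need two decoding rounds here to catch the double-encoded sample, while decoding more aggressively than the target does produces false positives on traffic the server would reject. The raw encoded requests are also what a protocol-anomaly engine would flag, independently of any signature.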
The Detection Results
• True Positive: an attack occurred and the IDS reported it
• True Negative: no attack, no alert
• False Positive: an alert without an attack
  – Annoying: "crying wolf"
  – Requires tuning
  – Prevention? (acting automatically on a false positive blocks legitimate traffic)
• False Negative: an attack the IDS missed, caused by
  – Wire-speed performance limits
  – Mis-configuration
  – Poor detection engine
  – IDS evasion
IDS Responses After Detection
• Passive responses
  – Alarms/notifications
    • Intrusion Detection Working Group:
      – IDMEF (Intrusion Detection Message Exchange Format): XML-based alert format among IDS components
      – IDXP (Intrusion Detection Exchange Protocol): communication protocol for exchanging IDMEF messages
  – SNMP integration: generate an SNMP trap; support an SNMP manager (e.g., HP OpenView) and MIB (e.g., iss.mib trap)
• Active responses
  – Collect additional information
  – Change the environment: reconfiguring routers/firewalls (e.g., via FW-1 OPSEC) to block packets based on IP address, network ports, protocols, or services
  – Take action against the intruder: injecting TCP reset packets; retaliation (information warfare)
Source: NIST
Check Point - Open Platform for Secure Enterprise Connectivity (OPSEC)
Name        | TCP port  | Short description
FW1_cvp     | 18181/tcp | Check Point OPSEC Content Vectoring Protocol: communication between the firewall module (FWM) and an anti-virus server
FW1_ufp     | 18182/tcp | Check Point OPSEC URL Filtering Protocol: communication between the FWM and a content-control server (e.g., web content)
FW1_sam     | 18183/tcp | Check Point OPSEC Suspicious Activity Monitor API: e.g., Block Intruder between the management module (MM) and the FWM
FW1_lea     | 18184/tcp | Check Point OPSEC Log Export API: exporting logs from the MM
FW1_omi     | 18185/tcp | Check Point OPSEC Objects Management Interface: used by applications having access to the ruleset saved at the MM
FW1_ela     | 18187/tcp | Check Point Event Logging API: used by applications delivering logs to the MM
FW1_pslogon | 18207/tcp | Check Point Policy Server Logon protocol: download of Desktop Security policy from the Policy Server (PS) to SecureClient (SC)
NFR and RealSecure support FW1_sam and FW1_ela
NIDS Market Predictions: Head to Head
• The intrusion detection market jumped 29.2 per cent year on year (the firewall/virtual private network security appliance market increased 7.5 per cent).
• In contrast to statements that intrusion detection software is dead, the growth in intrusion detection appliances shows that many organizations still see the value in monitoring their networks.
• Could reach $2 billion in 2005, up from $486 million in 2000.
[Chart: IDS revenue versus IPS revenue, 2002 to 2005, y-axis 0 to 1000 ($M); values plotted: 491, 571, 634, 688, 327, 230, 70]
• IDS market will grow 43 per cent to $149m by 2004.
• "IDS is dead, long live IPS."
• IDS revenue will hit $1.1bn by 2006.
• By year-end 2004, advances in non-signature-based intrusion detection technology will enable network-based intrusion prevention to replace 50% of established IDS deployments and capture 75% of new deployments.
• By the end of 2003, 90% of IDS deployments will fail if false positives are not reduced by 50%.
http://www.vnunet.com/News/1143747
http://www.ipa.go.jp/security/fy11/report/contents/intrusion/ids-meeting/idsbg.pdf
Gateway IDS (GIDS) and Host Intrusion Prevention (HIP)
Host Intrusion Prevention
  Company                              | Website
  Entercept Security Technologies      | www.entercept.com
  Harris STAT Neutralizer              | www.statonline.com
  Okena StormWatch and StormFront      | www.okena.com
  Sana Security                        | www.sanasecurity.com
  Linux IDS (LIDS)                     | www.lids.org
Gateway IDS
  Company                              | Website
  Captus Networks                      | www.captusnetworks.com
  Cisco Systems IDS                    | www.cisco.com
  ForeScout ActiveScout                | www.forescout.com
  RealSecure Network Protection (ISS)  | www.iss.net
  IntruVert Networks                   | www.intruvert.com
  NetScreen Technologies IDP           | www.netscreen.com
  Snort Hogwash                        | http://hogwash.sourceforge.net
  TippingPoint Technologies UnityOne   | www.tippingpoint.com
Drawbacks noted in the source article: may inadvertently block legitimate traffic; ineffective against denial-of-service attacks.
http://www.cio.com/archive/061503/et_article.html
Acquisitions: OneSecure → NetScreen; Okena → Cisco; Entercept and IntruVert → Network Associates