3_firewall_m


Ch 3: Firewall and Perimeter Security
Contents
• Firewall
– packet-filter firewall: filters at the network or transport layer
– proxy firewall: filters at the application layer
• NAT
– solves the problem of IP address shortage
– provides load balancing and redundancy
• IDS
– active detection to monitor the network status
– three methods: signature, statistical and integrity
– four types: host, network, application and integrity
• Honeypots
– a decoy to attract hackers
What is a firewall?
• A firewall is a “router, or several routers or access servers, designed as a buffer between any connected public networks and private network.”
Protecting Network using Firewall - 1
• Security protocols cannot prevent malicious people from sending harmful messages to a system
– A firewall is a device (usually a router or computer) installed between the internal network and the Internet
– Some large companies with a lot of sensitive information also install firewalls within their intranet to protect these kinds of network resources from unauthorized employees.
Protecting Network using Firewall - 2
Some modern firewalls have additional features:
• network address translation (NAT)
• encryption of data in transit, e.g. VPN
• strong authentication techniques to authenticate users/ports
• anti-virus features
• an easy-to-use GUI
Requirements of firewall
• Efficient access control (easy-to-use access control lists (ACLs), e.g. through a GUI)
• Filtering of vulnerable protocols (based on protocol type)
• Network monitoring
• Simple management (features such as GUI, web-based administration, SNMP support)
Firewall classification
• A firewall is usually classified into one of two classes
– packet-filter firewall
• also known as a screening router or screening filter
• forwards or blocks packets based on information in the network layer and transport layer headers: source and destination IP address, source and destination port, type of protocol (TCP or UDP)
– proxy-based firewall
• also known as an application gateway
• forwards or blocks packets based on the contents of the messages (i.e. application-level traffic)
Packet-filter firewall - 1
• is a router that uses a filtering table to decide which packets must be discarded (not forwarded)
• operates at the network layer (or transport layer)
Packet-filter firewall - 2
Example of packet filter rules:
– incoming packets from 131.34.0.0 are blocked
– incoming packets destined for any internal TELNET server (port 23) are blocked
– incoming packets destined to internal host 194.78.20.8 are blocked (this host is for internal use only)
– outgoing packets destined for an HTTP server (port 80) are blocked (i.e. the company does not want employees to browse the Internet)
Packet Filtering Firewall - 1
• Two main types:
– Standard or stateless packet filtering
• Also known as first-generation firewall
• Operates at either the network or transport layer.
• Most packet filters use the values of the following header fields to decide what to pass or block:
– protocol type, IP address, TCP/UDP port, fragment offset
Standard packet filtering
• Packet filters make decisions based on packet header information.
• Access decisions are based on source and destination addresses, source and destination port numbers, protocol types, and possibly flags within the headers themselves.
• They do not look at the actual payload.
Packet Filtering Firewall - 2
• Stateful inspection packet filters
– also known as dynamic packet filtering
– filter rules are set up based on the policy rules and the state of the protocol
– For example, they do not allow any services through the firewall except:
• Services they are programmed to allow
• Connections already maintained in their state tables.
Stateful inspection packet filter
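The packet-filter rules from the "Packet-filter firewall - 2" slide and the state table described above, worked through in Python as an added example written for this page (not code from the lecture). The packet layout, the addresses, the two permit rules appended after the slide's four block rules and the names stateless_decide and StatefulFilter are all assumptions. The point it shows is the one the slide makes: a stateless filter has to admit "established" TCP (ACK bit set) or replies never get back in, and an attacker can simply set that bit on a forged packet; the stateful filter admits the reply only if its state table recorded the outbound connection.

```python
"""Stateless packet filtering vs. stateful inspection, on constructed packets."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" = arriving from the Internet, "out" = leaving the internal net
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flags present, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    direction: Optional[str] = None   # None matches either direction
    proto: Optional[str] = None
    src: Optional[str] = None         # CIDR; None = any
    dst: Optional[str] = None
    dport: Optional[int] = None
    established: bool = False         # True: match only packets carrying the ACK flag

    def matches(self, p: Packet) -> bool:
        def in_net(net, ip):
            return net is None or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)
        return (self.direction in (None, p.direction)
                and self.proto in (None, p.proto)
                and in_net(self.src, p.src) and in_net(self.dst, p.dst)
                and self.dport in (None, p.dport)
                and (not self.established or "ACK" in p.flags))


def stateless_decide(rules, p, default="deny"):
    """First matching rule wins; 'default' is the firewall philosophy (deny = default deny)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


# The four block rules from the slide, followed by two permit rules (our assumption):
# outbound traffic is allowed, and a stateless filter must let "established" TCP
# (ACK set) back in or no reply to an outbound connection would ever arrive.
SLIDE_RULES = [
    Rule("deny", "in", src="131.34.0.0/16"),              # block a whole network
    Rule("deny", "in", proto="tcp", dport=23),            # no inbound TELNET
    Rule("deny", "in", dst="194.78.20.8/32"),             # internal-only host
    Rule("deny", "out", proto="tcp", dport=80),           # no web browsing from inside
    Rule("permit", "out"),
    Rule("permit", "in", proto="tcp", established=True),  # weak: trusts the ACK bit
]


class StatefulFilter:
    """Dynamic packet filter: the same rules plus a table of connections opened
    from inside. An inbound packet that only matches the 'established' rule is
    accepted solely if the state table remembers the connection it claims to belong to."""

    def __init__(self, rules):
        self.rules = rules
        self.table = set()   # (inside_ip, inside_port, outside_ip, outside_port, proto)

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                if r.action == "deny":
                    return "deny"
                if r.established:
                    break                      # consult the state table instead
                if p.direction == "out":       # remember what we initiated
                    self.table.add((p.src, p.sport, p.dst, p.dport, p.proto))
                return "permit"
        if p.direction == "in" and (p.dst, p.dport, p.src, p.sport, p.proto) in self.table:
            return "permit"                    # genuine reply to an outbound connection
        return "deny"                          # unsolicited: dropped


def demo():
    """Run the same constructed packets through both filters; returns name -> (stateless, stateful)."""
    syn, synack, ack = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    packets = {
        "client": Packet("out", "tcp", "10.0.0.7", 40000, "203.0.113.5", 443, syn),
        "reply":  Packet("in", "tcp", "203.0.113.5", 443, "10.0.0.7", 40000, synack),
        # attacker sets ACK to pose as a reply to a connection that never existed
        "forged": Packet("in", "tcp", "198.51.100.9", 443, "10.0.0.7", 40001, ack),
        "telnet": Packet("in", "tcp", "198.51.100.9", 5555, "10.0.0.20", 23, syn),
        "browse": Packet("out", "tcp", "10.0.0.7", 40002, "203.0.113.80", 80, syn),
    }
    stateful = StatefulFilter(SLIDE_RULES)
    return {name: (stateless_decide(SLIDE_RULES, p), stateful.decide(p)) for name, p in packets.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:8s} stateless={verdict[0]:6s} stateful={verdict[1]}")
```

Running it prints one line per packet; the forged packet is the only one on which the two filters disagree. The state table here never expires entries; a real firewall removes them on FIN/RST or an idle timeout, which is also what keeps the table from growing without bound.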
Pros and Cons of Packet Filters
Pros
• Scalable (simple)
• Provides high performance (high speed)
• Application independent
Cons
• Does not look into the packet past the header.
• Low security relative to other firewall types
• Difficult to set up the packet filter rules correctly
• Lack of support for authentication
Stateful Multilevel Inspection - 1
• First implemented by CheckPoint under the
name “Stateful Multilevel Inspection”.
• Stateful Rules are protocol-specific, keeping
track of the context of a session (not just its
state).
• The greatest addition that stateful multilevel
filtering provides to dynamic filtering is the
ability to maintain application state, not just
connection state.
Stateful Multilevel Inspection - 2
• This allows filtering rules to differentiate between
the various connectionless protocols (like UDP,
NFS and RPC), which were previously immune
to management by static filtering and were not
uniquely identified by dynamic filtering
• Application state allows a previously
authenticated user to create new connections
without reauthorizing, whereas connection state
just maintains that authorization for the duration
of a single session.
Proxy-based firewall
• Application-level firewall
– Makes high-level connections at the application layer
• for example
– Policy on access to web pages: only Internet users who have established business relationships with the company may have access; access by other users must be blocked.
– A packet-filter firewall is not feasible here because it cannot distinguish between such packets. Selection must be done at the application level (i.e. by URL).
• The proxy works on behalf of internal hosts to complete the connection between internal and external hosts.
Proxy-based firewall (2)
• A variant of proxy is called a circuit gateway
– it creates a new connection between itself and the remote host
• The proxy stands in for outbound connection attempts to servers and then makes the request to the actual target server on behalf of the client. When the server returns data, the proxy transmits that data to the client.
• Application proxies do not necessarily run on firewall appliances.
– they may be high-end servers (or a cluster of servers)
• Usually Internet client applications (e.g. browsers) must be configured to talk to the proxy.
Proxy-based firewall (3)
Application gateway creates an illusion
Additional Firewall Components
• Authentication
– Allows users on the public network to prove their identity to the firewall in order to gain access to the private network from external locations.
• to filter out unauthorized users
– functions as a NAS (network access server)
• Encrypted Tunnels
– tunnelling is also called encapsulation; it is a major building block of Virtual Private Networking (VPN)
– Tunnelling establishes a secure connection between two private networks over a public medium like the Internet.
• allows physically separated networks to use the Internet rather than leased-line connections to communicate.
• VPN firewalls usually work in pairs
Limitations of Firewall
• Even with the use of Proxy firewalls, it is
still unable to control the content
transferred across the network boundaries
satisfactorily.
• Firewalls are extremely vulnerable to
insider attacks and covert channels
• Firewalls can become bottlenecks of traffic
• If a firewall is compromised, the protected
network is extremely vulnerable
Security Strategies in firewall
• Least privilege
– every element of the firewall system should have only the privileges that are needed to carry out its tasks
• Defense in depth
– security mechanisms should be redundant, should use different approaches (e.g. from different vendors), and should be able to back each other up.
• Controlled access
– the protected network should have a well-defined access point that forces attackers to use a narrow channel, which you can monitor and control
• Fail-safe & fail-over
– Fail-safe: a malfunction of a subsystem may affect functionality but should not lose security.
– Fail-over: the task can be taken over by another firewall.
Firewall Philosophies
• Default Permit:
– “Not Expressly Prohibited” is Permitted
– Used in “open” environments (e.g., ISP and
some universities)
– Difficult to manage
• Default Deny:
– “Not Expressly Permitted” is Prohibited
– used in environment with higher security
– May be too restrictive in some environments
Factors to consider for choosing firewall
• Performance
– The firewall is usually the bottleneck of network traffic, so performance is usually the prime concern. Stateful inspection filters are the trend as their cost-performance ratio is better.
• Scalability
– scale adapted to the size of the company and the corporate security policy. Usually, firewall vendors provide modules for clients to upgrade according to their needs
• Compatibility
– works seamlessly with firewall products from different vendors
• Network management support
– easy installation and compatibility with network management protocols
Examples of Firewall Configurations - 1
• In practical implementations, a firewall is
usually a combination of packet filters and
application (or circuit) gateways.
Examples of Firewall Configurations - 2
• Screened host firewall, single-homed bastion
• This firewall setup consists of two parts: a packet filter and an application gateway.
• The packet filter ensures that incoming traffic is allowed only if it is destined for the application gateway, and that outgoing traffic is allowed only if it originates from the application gateway.
• The application gateway performs authentication and proxy functions.
Examples of Firewall Configurations - 3
• This configuration increases the security of the network by performing checks at both the packet and application levels.
• One big disadvantage here is that the internal users are connected to the application gateway as well as to the packet filter.
• If the packet filter's security is compromised, the whole internal network is exposed to the attacker.
Examples of Firewall Configurations - 4
Examples of Firewall Configurations - 5
Screened host firewall, dual-homed bastion
• Direct connections between the internal hosts and the packet filter are avoided.
• Instead, the packet filter connects only to the application gateway, which in turn has a separate connection to the internal hosts.
• Therefore, even if the packet filter is successfully attacked, only the application gateway is visible to the attacker.
• The internal hosts are protected.
Examples of Firewall Configurations - 6
Examples of Firewall Configurations - 7
Screened subnet firewall
• It offers the highest security
• Two packet filters are used
• There are three levels of security for an
attacker to break into.
Bastion Host
• The bastion host sits on the internal network.
– It is the machine that will be accessed by all
entities trying to access or leave the network.
– It is the only system on the internal network that
hosts on the Internet can open connections to (for
example, to deliver incoming email).
– If the bastion host is compromised, the internal
network is wide open to attack from this bastion
host
– The bastion host thus needs to maintain a high
level of host security.
Demilitarized Zone (DMZ) - 1
• Another firewall feature is the provision of a DMZ
• DMZ - Demilitarized Zone:
– A firewall configuration that allows an organization to securely host its public servers and protect its internal network at the same time.
– A DMZ is simply a network segment located between the protected and the unprotected networks.
General DMZ rules
• Allow external users to access the appropriate services on DMZ systems.
• DMZ systems should be severely restricted from accessing internal systems.
• Internal users can access the DMZ or external network as policy allows.
• No external users may access the internal systems.
Demilitarized Zone (DMZ) - 2
Recap
• Two types of firewall
– packet filter firewall
• stateless and stateful inspection
– proxy firewall:
• application level
• clients are not allowed to connect directly; they must go through a proxy that applies the rules
• Three basic configuration examples:
– Screened host firewall, single-homed bastion
– Screened host firewall, dual-homed bastion
– Screened subnet
• A modern firewall usually has three interfaces: trusted, DMZ and untrusted
NAT Explained - 1
• NAT hides internal IP addresses by converting all internal
host addresses to the address of the firewall as packets are
routed through the firewall.
• NAT is also called IP masquerading.
– Translates the IP addresses of internal hosts to hide
them from outside monitoring.
• Originally implemented to make more IP addresses
available to private networks.
NAT Explained (2)
• The firewall then retransmits the data payload of the
internal host from its own address using a translation
table to keep track of which sockets on the exterior
interface equate to which sockets on the interior
interface.
• To the Internet, all the traffic on your network appears
to be coming from one extremely busy computer.
NAT Process - in details
NAT Modes - 1
• Four primary modes of NAT:
– Dynamic Translation (also called Automatic, Hide Mode or IP Masquerade)
• A large group of internal clients share a single public IP address or a small group of public addresses, hiding their identities and/or stretching the address space available to the internal network.
– Static Translation (also called Port Forwarding)
• A specific internal network resource (usually a server) has a fixed translation that never changes. Static NAT is required to make internal hosts reachable for connections initiated by external hosts.
NAT Modes - 2
– Load Balancing Translation
• A single IP address and port is translated to a pool of identically configured servers so that a single public address can be served by a number of servers.
– Network Redundancy Translation
• Multiple Internet connections are attached to a single NAT firewall and client requests are routed through an Internet connection based on load and availability.
NAT used in ISP
• A large group of internal clients share a single public IP address or a small group of public addresses for the purpose of hiding their identities or expanding the internal network address space.
Load Balancing Translation
• A single IP address and port is translated to a pool of identically configured servers so that a single public address can be served by a number of servers.
Hacking through NAT - 1
• Static translation does not protect the internal host.
– Static translation merely replaces address/port information on a one-to-one basis.
– This affords no protection to statically translated hosts.
– Hacking attempts are translated just as efficiently as any valid connection attempt.
• Solution: keep the number of statically translated hosts to a minimum (ideally one), and then protect them with application proxy software or other application-based security measures.
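The translation table from "NAT Explained (2)" and the static-translation point made just above, as an added Python example written for this page (not the lecture's code). It assumes one public address 192.0.2.1, exterior ports handed out from 20000 upwards, and the names Nat, outbound and inbound; documentation-range addresses are used throughout and every packet is constructed. Two inside hosts using the same source port get distinct exterior ports, a reply to one of them is translated back, an unsolicited probe finds no table entry and is dropped, and a probe at the statically forwarded port is passed straight through to the internal web server, which is exactly why the slide says static translation offers no protection.

```python
"""Dynamic (hide-mode) NAT and static translation over a constructed packet stream."""
import itertools
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class Nat:
    """Translation table of a NAT firewall with one public address.

    Outbound packets get their source rewritten to (public_ip, exterior port);
    inbound packets are only forwarded if an exterior port maps back to an
    inside socket, either dynamically (created by outbound traffic) or
    statically (port forwarding). Everything else is dropped."""

    def __init__(self, public_ip, first_port=20000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)   # next unused exterior port
        self.out_table = {}   # (proto, inside ip, inside port) -> exterior port
        self.in_table = {}    # (proto, exterior port) -> (inside ip, inside port)
        self.static = {}      # (proto, public port) -> (inside ip, inside port)

    def add_static(self, proto, public_port, inside_ip, inside_port):
        """Static translation: a fixed, always-on mapping for an internal server."""
        self.static[(proto, public_port)] = (inside_ip, inside_port)

    def outbound(self, p: Pkt) -> Pkt:
        """Inside -> Internet: allocate (or reuse) an exterior port and rewrite the source."""
        key = (p.proto, p.src, p.sport)
        if key not in self.out_table:
            ext = next(self._ports)
            while (p.proto, ext) in self.static:        # never hand out a forwarded port
                ext = next(self._ports)
            self.out_table[key] = ext
            self.in_table[(p.proto, ext)] = (p.src, p.sport)
        return replace(p, src=self.public_ip, sport=self.out_table[key])

    def inbound(self, p: Pkt):
        """Internet -> inside: rewrite the destination, or return None (dropped)."""
        if p.dst != self.public_ip:
            return None
        target = self.static.get((p.proto, p.dport)) or self.in_table.get((p.proto, p.dport))
        if target is None:
            return None         # no translation entry: unsolicited packet is dropped
        return replace(p, dst=target[0], dport=target[1])


def demo():
    nat = Nat("192.0.2.1")
    nat.add_static("tcp", 80, "10.0.0.50", 80)     # internal web server, port-forwarded

    # two inside hosts using the same source port: the translation table keeps them apart
    a = nat.outbound(Pkt("tcp", "10.0.0.7", 40000, "203.0.113.5", 80))
    b = nat.outbound(Pkt("tcp", "10.0.0.8", 40000, "203.0.113.5", 80))

    reply_to_a = Pkt("tcp", "203.0.113.5", 80, "192.0.2.1", a.sport)
    probe = Pkt("tcp", "198.51.100.9", 31337, "192.0.2.1", 22)      # unsolicited SSH probe
    web_probe = Pkt("tcp", "198.51.100.9", 31337, "192.0.2.1", 80)  # hits the static mapping
    return {
        "a_ext": (a.src, a.sport),
        "b_ext": (b.src, b.sport),
        "reply_to_a": nat.inbound(reply_to_a),
        "probe": nat.inbound(probe),
        "web_probe": nat.inbound(web_probe),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The dynamic entries here live forever; a real NAT device ages them out, and for UDP that timeout is the only thing that closes the inbound hole a client opened, which is the "return connection exists" point made on the next slide.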
Hacking through NAT - 2
• If a client establishes a connection, a return path exists.
• Even if hackers can't get inside your network, you can't prevent your users from going to the hackers.
– Forged email with a Web site link, a Trojan horse, or a seductive-content Web site can entice your users to connect to a machine whose purpose is to glean information about your network.
• Solution: higher-level, application-specific proxies are once again the solution.
Firewall Products
Cisco PIX firewall - 1
• The Cisco PIX firewall series
– a high-performance, enterprise-class firewall
product line within the Cisco firewall family.
– with integrated hardware and software
– delivers high security and network performance
– scalable to meet different customer
requirements
• Product
– PIX 525 & PIX 520 - for large enterprise
– PIX 515 - for medium size company
– PIX 506 - for SOHO
Cisco PIX firewall - 2
• The PIX firewalls provide
–stateful inspection firewall
–IPsec and L2TP/PPTP-based VPNs
–content filtering capabilities (limited)
–integrated intrusion detection
capabilities
Adaptive Security Algorithm (ASA)
• The Adaptive Security Algorithm (ASA) is the foundation on which the PIX Firewall is built.
• It defines how the PIX examines traffic passing through it and applies various rules to it.
• The basic concept behind ASA is to keep track of the various connections being formed from the networks behind the PIX to the public network.
• Information tracked includes:
– IP packet source and destination information
– TCP sequence numbers and additional TCP flags
– UDP packet flow and timers
Rule to restrict information flow
in a PIX firewall
• Data travelling from a more secure interface to a less secure interface (from high to low)
– A translation (either static or dynamic) is required to allow traffic from a higher-security to a lower-security interface.
• Data travelling from a less secure interface to a more secure interface (from low to high)
– A conduit or an access list is required to permit the desired traffic. That is, traffic is not allowed unless permitted by the conduit command or an access list.
• Data travelling between two interfaces with the same security level
– No traffic flows between two interfaces with the same security level.
PIX commands
• There are six basic commands in Cisco PIX:
– nameif – assign a name and security level to an interface
– interface – interface configuration (speed/duplex)
– ip address – assign an IP address to a named interface
– nat – network address translation: defines the trusted source addresses to be translated (two variants: nat for dynamic NAT and static for static NAT)
– global – defines a pool of global addresses. The global addresses in the pool provide an IP address for each outbound connection, and for those inbound connections resulting from outbound connections.
– route – define a static route
Examples of PIX commands to set up NAT and packet filtering
Allow external hosts to connect only to the web server in the DMZ (comment lines start with ":")
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
interface ethernet0 auto
ip address outside 192.168.1.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0
: NAT: translate every inside host (nat id 1) to the outside pool 192.168.1.11-254;
: the statically mapped 192.168.1.10 is kept out of the pool so the two cannot collide
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 192.168.1.11-192.168.1.254 netmask 255.255.255.0
: one-to-one static translation for an inside host (192.168.1.10 <-> 10.0.0.10)
static (inside,outside) 192.168.1.10 10.0.0.10 netmask 255.255.255.255
: low-to-high traffic needs a translation: give the DMZ web server a fixed outside address
static (dmz,outside) 192.168.1.5 172.16.1.2 netmask 255.255.255.255
: packet filter: permit any external host to the web server's translated address, HTTP only
access-list 80 permit tcp any host 192.168.1.5 eq www
access-group 80 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
Intrusion Detection
Traditional Security Approach
• The disciplines of computer security
address three fundamental needs:
– Prevention
– Detection
– Response
• Traditional response to security
risks
– a series of preventive measures
design to keep out unauthorized
people
• Firewall only concentrated on
perimeter defense!
– it is only part of the defense in
computer security
Intrusion Detection Approach
• The problem with perimeter defenses (using a firewall only) is that most of the losses are attributable to insiders!
• An IDS provides damage assessment and threat identification capabilities just like its physical counterparts
– video cameras => IDS sensors
• Intrusion detection tools are not prevention devices; they are for detection
– an IDS is also an excellent deterrent.
What are IDS?
• IDS are dedicated appliances or software-based components that monitor network traffic or individual computer activity with the goals of identifying
– malicious actions
– resource misuse
– attempts to gain unauthorized access
– attacks
• Note that with an IDS, you still need firewalls, anti-virus software, security policies, and other types of control.
Capabilities of an IDS
• Event log analysis for insider threat detection
• Security configuration management
• Network traffic analysis for perimeter threat
detection
• File integrity checking
• Three main classes of analysis in IDS:
– signature analysis
– statistical analysis
– integrity analysis
Signature Analysis
• Looks for specific attacks against known weak points of a system. These attacks can be detected by watching for certain actions (a certain pattern of actions) being performed on certain objects.
• The IDS performs signature analysis on the information it obtains.
– Signature analysis is pattern matching of system settings and user activities against a database of known attacks.
– requires an up-to-date signature database (e.g. a new signature file released every couple of weeks by the vendor)
• Comparison with anti-virus software
– anti-virus software scans for hostile patterns in memory and files (hard disk)
– an IDS scans for hostile patterns within a network
Statistical Intrusion Analysis
• Based on observations of deviations
from normal system usage.
• Method:
– Require to measure a baseline of
statistics:
• CPU utilization and network usage
• User logins and its pattern (i.e.
time-of-day)
• File activity and so on (file type and
size and time)
– Alert administrator regarding any
deviation from this baseline.
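The baseline-and-deviation method above, as an added Python example written for this page (not from the lecture). It profiles logins per hour of day for one account from constructed history, then scores new observations as z-scores against the matching hour; a burst at 03:00 and activity in an hour with no history both trip the alert. The sample counts, the 3-sigma threshold and the floor on sigma are assumptions.

```python
"""Statistical intrusion analysis: learn a per-hour baseline, then flag deviations."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline: (hour of day, number of logins for one account) over several days.
BASELINE_SAMPLES = [
    (9, 3), (9, 4), (9, 2), (9, 3), (9, 4),        # normal morning activity
    (14, 2), (14, 1), (14, 2), (14, 3), (14, 2),   # normal afternoon activity
    (3, 0), (3, 0), (3, 0), (3, 0), (3, 1),        # almost never active at night
]

# Constructed observations to test against the profile.
OBSERVATIONS = [(9, 4), (14, 2), (3, 7), (22, 1)]


def build_profile(samples):
    """Per-hour (mean, standard deviation) of the monitored metric."""
    by_hour = defaultdict(list)
    for hour, value in samples:
        by_hour[hour].append(value)
    return {h: (mean(v), pstdev(v)) for h, v in by_hour.items()}


def score(profile, hour, value, floor=0.5):
    """z-score of a new observation against its hour's baseline.
    The floor on sigma stops a near-constant baseline from turning every
    one-login change into an alert."""
    if hour not in profile:
        return float("inf")     # no baseline for this hour: treat as unknown behaviour
    mu, sigma = profile[hour]
    return (value - mu) / max(sigma, floor)


def detect(profile, observations, threshold=3.0):
    """Return (hour, value, z) for observations deviating more than threshold sigmas."""
    alerts = []
    for hour, value in observations:
        z = score(profile, hour, value)
        if z > threshold:
            alerts.append((hour, value, round(z, 2)))
    return alerts


if __name__ == "__main__":
    for hour, value, z in detect(build_profile(BASELINE_SAMPLES), OBSERVATIONS):
        print(f"ALERT hour={hour:02d} logins={value} z={z}")
```

The threshold is the false-positive/false-negative dial discussed later in the chapter: lower it and ordinary busy mornings start alerting, raise it and a slow intruder who stays within a few sigma is never noticed. Note also that the profile must be rebuilt from clean data; an attacker who is active while the baseline is collected becomes part of "normal".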
Integrity Analysis
• Integrity analysis reveals whether a file or object has been altered. Such analysis often uses strong cryptographic hash algorithms to determine whether anything has been modified.
– e.g. if an attacker adds a user to a Linux system, the hash of the /etc/passwd file will change, alerting the administrator that the file has been modified.
– e.g. Tripwire: a digest of every monitored file is generated and stored as a baseline. The system can later recompute the digests of all files and compare them against the stored ones; any unexpected change signifies a possible intrusion.
– Tripwire originated as an open-source project at Purdue University (www.tripwire.org)
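The baseline-and-compare procedure the Tripwire bullet describes, as an added Python example written for this page (not Tripwire's own code). It builds a fake /etc in a temporary directory, hashes every file with SHA-256 into a baseline, then simulates an intruder appending a uid-0 account to passwd and dropping a cron job, and reports what changed. The directory layout, the file contents and the function names (digest, build_baseline, check) are assumptions.

```python
"""Tripwire-style integrity check: record file digests, later detect what changed."""
import hashlib
import os
import tempfile


def digest(path, algo="sha256"):
    """Hex digest of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every file under root (relative path) to its digest.
    In practice the result is stored where the attacker cannot rewrite it
    (read-only media or another host); otherwise it can simply be re-baselined."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = digest(full)
    return baseline


def check(root, baseline):
    """Recompute digests and classify each path as modified, missing or added."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario: baseline a fake /etc, then simulate an intruder."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc", "cron.d"))
        passwd = os.path.join(root, "etc", "passwd")
        with open(passwd, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        with open(os.path.join(root, "etc", "hostname"), "w") as f:
            f.write("gw01\n")
        baseline = build_baseline(root)

        with open(passwd, "a") as f:        # attacker adds a second uid-0 account
            f.write("eve:x:0:0::/root:/bin/bash\n")
        with open(os.path.join(root, "etc", "cron.d", "persist"), "w") as f:   # and a new file
            f.write("* * * * * root /tmp/.x\n")
        return check(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Comparing only content digests, as here, misses changes to ownership and permission bits; Tripwire records those attributes too. The other limitation is the one the slide implies: the check is only as trustworthy as the stored baseline and the binary doing the checking, so both belong outside the reach of an attacker who already has root.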
Characteristics of a Good IDS
• Run continually without supervision.
• Be fault-tolerant.
• Not use excessive system resources.
• Be able to observe deviation from normal behaviour.
• Be able to cope with changing system behaviour over time. As new applications are added, the system profile will change, and the IDS must be able to adapt.
• Be accurate (ideally 0% false positives and 0% false negatives).
• Be customizable.
• Be current (i.e. signature files and baseline data are up to date).
Errors in IDS - 1
• False Positives
– occur when the IDS classifies an action as anomalous (a possible intrusion) when it is actually a legitimate action.
– if too many false positives are generated, people will begin to ignore the output of the system, which might lead to an actual intrusion being detected but ignored.
– problem: very difficult and often impossible to eliminate totally.
Figure: FRR (false reject rate) and FAR (false accept rate) as output against input quality, from poor to good (biometrics / IDS)
Errors in IDS - 2
• False Negatives
– occur when an intrusive action has taken place but the IDS allows it to pass as non-intrusive behaviour.
– problem: extremely dangerous
– false negative subversion occurs when an intruder modifies the operation of the IDS to force false negatives to occur.
Categories of Intrusion Detection
• Several categories of IDS
exists in the market
– NIDS - Network Intrusion
Detection System (typical)
– HIDS - Host Intrusion
Detection System
– Application Intrusion
Detection System
– Integrity Intrusion Detection
(not yet popular)
• e.g. Tripwire
NIDS - 1
• Network-based IDS can be hardware appliances
or software application installed on a computer
system.
• NIC works in promiscuous mode and collects
and monitors network traffic for malicious activity.
• There are sensors placed in the network
segment that are to be monitored , typical
strategic locations are: DMZ, behind firewall,
database server’s subnet etc
• These sensors are all connected to a central
management console.
• The traffic is then analyzed.
NIDS - 2
• NIDS are mostly signature-based.
• A set of attack signatures is built into the system
• These signatures are compared against the traffic on the network.
• The NIC that monitors the network is placed in “stealth” mode so that it does not have an IP address and does not respond to probes such as a ping.
NIDS - 3
Advantages include
• Lower cost of ownership (one IDS for
whole networks)
• The NIDS can be completely hidden on
the network so that an attacker will not
know that s/he is being monitored.
NIDS - 4
Disadvantages include:
• The NIDS can only alarm if the traffic matches signatures
• The NIDS cannot determine if the attack was successful
• The NIDS cannot examine traffic that is encrypted
• Switched networks require special configurations (e.g. a mirror/SPAN port)
• May be unable to keep up with high-speed networks
HIDS - 1
• Host-based IDS is a system of sensors that are
loaded onto various servers within an
organization and controlled by some central
manager.
• HIDS sensors watch the events associated with
the server on which they are loaded.
• The HIDS sensor can determine whether an
attack was successful or not since the attack
was on the same platform as the sensors.
HIDS - 2
• The five basic types of HIDS sensors:
• Log analyzers – look for log entries that may indicate a security event.
• Signature-based sensors – analyze incoming traffic and compare it with a set of built-in security event signatures
• System call analyzers – examine an application's system calls, analyze the action and compare it to a database of signatures.
• Application behaviour analyzers – the sensor examines an application's system calls to see if it is allowed to perform such an action.
• File integrity checkers – check for changes in files.
HIDS - 3
Advantages:
– Verifies success or failure of an attack
– Monitor specific system activities
– Detect attacks that network-based systems
miss
– Well-suited for encrypted and switched
environments
– Requires no additional hardware
– Lower cost of entry (for system with fewer
number of hosts)
HIDS - 4
Disadvantages
• Network activity is not visible to host-based
sensors
• Running audit mechanisms can use additional
resources
• When audit trails are used as data sources, they
can take up significant storage
• Host-based sensors must be platform specific
• Management and deployment very difficult in
large network
Designing Intrusion
Detection Systems
• Monitoring security through IDS requires a
combination of:
– good sensor placement
– well designed sensor behaviour,
– appropriate sensor configuration,
– regular tuning and
– a sound strategy for event response.
Application Intrusion Detection
• Collects information at the application level.
– E.g. Logs generated by database management
software, Web servers, and firewalls. Sensors placed
in the application collected and analyze information.
• Not very popular at the moment
– But it is expected in the coming years the focus on
security will shift from network to server/application
level.
• Strength
– High degree of control
• Weakness
– Too many applications to support
– Covers only one component at a time
Popular IDS Products
• RealSecure
– www.iss.net/securing_e-business/security_products/intrusion _detection/
• Cisco Secure IDS
– www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/
• Network ICE
– www.networkice.com
• Snort
– www.snort.org
SNORT
• Lightweight network IDS
• Packet capture/logger: real-time traffic analysis
• Content search: detects attacks and probes
• Supports a rule language
• Detection engine with modular plug-ins
• Real-time alerting capability
• Supports Linux and Windows
• Syslog features
– logging network data in tcpdump format
– WinPopup messages to Windows clients
SNORT (2)
• 4 major engines
– packet capture / decode engine
– rules parsing and detection engine
– logging engine
– plug-ins & preprocessing handling engine
• 3 modes
– sniffing mode:
• snort -v      <= verbose: show packet headers
• snort -vd     <= verbose: show headers and data (payload)
• snort -vde    <= same as above, plus data-link (Ethernet) headers
– logging mode
• snort -v -l ./log -h 192.168.1.0/24       <= Linux
• snort -v -l ..\log -h 192.168.1.0/24      <= Windows
– IDS mode
• snort -v -l ./log -h 192.168.1.0/24 -c snort.conf
• snort -v -l ..\log -h 192.168.1.0/24 -c ..\etc\snort.conf
snort.conf - 1
• To tune the performance of the NIDS
• Five sections
– network and configuration variables
• var HOME_NET 10.120.25.135
• var HOME_NET [10.10.10.20,192.168.1.23,172.16.30.25]
• var HOME_NET 10.10.10.0/24
• var EXTERNAL_NET !$HOME_NET
• var ORACLE_PORTS 1521
snort.conf - 2
decoder and detection engine
configuration
• alerts the user if a packet has a strange size, strange option, or uncommon setting
• these are not necessarily attacks and may generate a large number of false positives; use the following to disable them, for example
– config disable_decode_alerts
– config disable_tcpopt_experimental_alerts
snort.conf - 3
preprocessor configuration
• output configuration: control o/p format that
works with 3rd party software
• output alert_syslog: host=10.10.10.100
LOG_AUTH LOG_ALERT
• output database: <log | alert>, <database
type>, <parameter list>
• file inclusions : include rule sets
preprocessor of SNORT - 1
• functions of a preprocessor
– normalize traffic to ensure data packets can be examined by Snort
– provide self-defense against attacks that may confuse or overwhelm an NIDS sensor
– extend Snort's ability to detect network anomalies (enhance the rule sets)
preprocessor of SNORT - 2
examples of preprocessors
• flow - watches all traffic and keeps track of connections between machines. When a new unique flow is detected, the information is hashed and stored in a memory-resident table
• frag2 - allows fragmented data to be reassembled so that Snort can see the “big picture”
• examples
– preprocessor flow: stats_interval 0 hash 2
– preprocessor frag2
– other preprocessors: stream4, stream4_reassemble, http_inspect, rpc_decode, bo, telnet_decode, flow-portscan, arpspoof, perfmonitor
Typical rules in SNORT
• Rule header
– action field: alert, log or pass
– protocol field: ip, tcp, udp, icmp
– address/port fields: src ip, src port, direction, dest ip, dest port
– e.g. alert tcp [64.147.128.0/19] 21:23 -> $HOME_NET any
– e.g. log tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN"; flags:SF; reference:arachnids,198; classtype:attempted-recon; sid:624; rev:1;)
• Rule options (in parentheses, separated by semicolons)
– msg option: describes the type of attack
– flags option: matches TCP header flags (e.g. S = SYN, F = FIN)
– reference option: indicates where more information can be found
– classtype option: category of attack
– sid option: signature ID
– rev option: rule revision number
• simplest rule
– alert tcp any any -> any any
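The rule header and options described above, as an added Python example written for this page (not Snort's own parser, which is far more complete). It parses the two rules shown on the slide plus a catch-all, resolves $HOME_NET and $EXTERNAL_NET (assumed as on the snort.conf slide), handles CIDR lists, port ranges, ! negation and the exact-match semantics of the flags option, and runs constructed packets through the rules. Only the -> direction is supported; the second slide rule is given the alert action here (the slide shows it with log) so the verdicts differ visibly; the msg text, the sid of the first rule and all addresses are assumptions.

```python
"""Minimal Snort-style rule parser and matcher, run over constructed packets."""
import ipaddress
import re
from collections import namedtuple

# Assumed snort.conf variables (HOME_NET and EXTERNAL_NET as on the snort.conf slide).
VARS = {"HOME_NET": "10.10.10.0/24", "EXTERNAL_NET": "!$HOME_NET"}
FLAG_LETTERS = {"S": "SYN", "F": "FIN", "A": "ACK", "R": "RST", "P": "PSH", "U": "URG"}
# action proto src sport -> dst dport (options)   ; only the '->' direction is handled here
HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*(?:\((.*)\))?\s*$")

Packet = namedtuple("Packet", "proto src sport dst dport flags", defaults=[frozenset()])
Rule = namedtuple("Rule", "action proto src sport dst dport options")


def expand(token):
    """Resolve $VAR references, e.g. '$EXTERNAL_NET' -> '!10.10.10.0/24'."""
    neg, body = token.startswith("!"), token.lstrip("!")
    if body.startswith("$"):
        body = expand(VARS[body[1:]])
        if body.startswith("!"):            # '!' applied to a negated variable cancels out
            neg, body = not neg, body[1:]
    return ("!" if neg else "") + body


def ip_match(spec, ip):
    spec = expand(spec)
    neg, spec = spec.startswith("!"), spec.lstrip("!")
    if spec == "any":
        hit = True
    else:   # a single CIDR or a [a,b,c] list
        hit = any(ipaddress.ip_address(ip) in ipaddress.ip_network(n.strip(), strict=False)
                  for n in spec.strip("[]").split(","))
    return hit != neg


def port_match(spec, port):
    neg, spec = spec.startswith("!"), spec.lstrip("!")
    if spec == "any":
        hit = True
    elif ":" in spec:       # ranges: 21:23, 1024:, :1023
        lo, hi = spec.split(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != neg


def parse_rule(text):
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("malformed rule: " + text)
    options = {}
    for field in filter(None, (m.group(7) or "").split(";")):
        key, _, val = field.strip().partition(":")
        options[key.strip()] = val.strip().strip('"')
    return Rule(*m.groups()[:6], options)


def flags_match(spec, flags):
    """'flags:SF' means exactly SYN+FIN set; a trailing '+' allows other flags as well."""
    wanted = {FLAG_LETTERS[c] for c in spec.rstrip("+*")}
    return wanted <= flags if spec.endswith("+") else wanted == flags


def rule_matches(rule, p):
    if rule.proto not in ("ip", p.proto):
        return False
    if not (ip_match(rule.src, p.src) and port_match(rule.sport, p.sport)
            and ip_match(rule.dst, p.dst) and port_match(rule.dport, p.dport)):
        return False
    return "flags" not in rule.options or flags_match(rule.options["flags"], p.flags)


def run(rules, packets):
    """For each packet, (action, msg) of the first matching rule, or None if no rule matches."""
    out = []
    for p in packets:
        hit = next((r for r in rules if rule_matches(r, p)), None)
        out.append((hit.action, hit.options.get("msg", "")) if hit else None)
    return out


# The two rules from the slide (the first with a msg added, the second as 'alert' rather
# than 'log' so the verdicts differ visibly) plus a catch-all log rule at the end.
RULES = [parse_rule(r) for r in [
    'alert tcp [64.147.128.0/19] 21:23 -> $HOME_NET any (msg:"Low source port from watched net"; sid:1000001;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN"; flags:SF; reference:arachnids,198; classtype:attempted-recon; sid:624; rev:1;)',
    'log tcp any any -> any any',
]]

# Constructed packets: a SYN/FIN scan, a normal SYN, the same scan from inside, and a hit on rule 1.
PACKETS = [
    Packet("tcp", "203.0.113.9", 40000, "10.10.10.20", 80, frozenset({"SYN", "FIN"})),
    Packet("tcp", "203.0.113.9", 40000, "10.10.10.20", 80, frozenset({"SYN"})),
    Packet("tcp", "10.10.10.5", 40001, "10.10.10.20", 80, frozenset({"SYN", "FIN"})),
    Packet("tcp", "64.147.130.4", 22, "10.10.10.20", 4444, frozenset({"SYN"})),
]
```

Call run(RULES, PACKETS) to get the verdicts. The third packet shows why $EXTERNAL_NET is defined as the negation of $HOME_NET rather than "any": a scan launched from an inside host never matches the SYN/FIN rule, which is exactly the insider blind spot a NIDS at the perimeter has.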
pre-defined rules
• Snort comes with a wide variety of rules
• here are some examples
– attack-responses.rules
– backdoor.rules: detects traffic generated by backdoor connections such as NetBus
– dos.rules: detects traffic generated by known DoS attacks, such as IGMP and teardrop attacks
– ddos.rules: alerts on traffic generated by well-known attacks such as trin00 and shaft. It can be noisy as it looks for specific words in the payload
– dns.rules: alerts on attacks against DNS servers
Components of a typical SNORT system - 1
• Snort sensors (the most important!!)
– installed at strategic network locations
– internal network, DMZ, and external network (sometimes)
– Snort alone only writes alerts to a log file
• use tail -f to watch the log file, not very interactive
• ACID : Analysis Console for Intrusion Databases
– project developed by Roman Danyliw at the CERT Coordination Center
– PHP-based web application that acts as the front end to help manage the alerts generated by multiple IDS sensors
– generates trends; searches based upon time, address, alert type, priority, classification and sensor
Components of a typical SNORT
system - 2
• MySQL: database server to store alerts
and ready for analysis and inspection
• Web Server: for hosting ACID web-based
console that usually connected to a
database
• Web Browser: for user interface
• Remote admin software to update sensor
rules (optional)
Components of a typical SNORT system
IPS: Intrusion prevention system
• A new class of security tool
– place more focus on prevention
• concepts & prevention strategies
– host-based memory and process protection
• kill a process that appears malicious, or when it tries to execute a buffer overflow (e.g. anti-spyware)
– session interception
• terminate a TCP session by sending RST packet to tear
down connection, also known as session sniping
– gateway intrusion detection
• modify ACL to block hostile traffic automatically
• e.g. SnortSAM
Honeypot - 1
• A honeypot is a tool commonly used for network security
– for computer crime forensics
– it is a decoy system, part of the company's resources, waiting to be probed, attacked, or compromised.
– it can be a decoy service, decoy host (i.e. honeypot) or decoy network (honeynet)
– They don't fix a single problem; instead they can help in prevention, detection, or information gathering.
Honeypot - 2
• Honeypots are closely monitored network
decoys serving several purposes:
– distract hackers from more valuable machines
on a network
– provide early warning about new attack and
exploitation trends
– allow in-depth examination of adversaries
during and after exploitation of a honeypot.
• A honeypot should be highly secured and isolated from the rest of the network.
Summary - 1
• Firewall
– modern FW: packet filter, proxy, NAT, VPN
– packet-filter firewall: filters at the network or
transport layer
• stateless inspection (static packet filter)
• stateful inspection (dynamic packet filter)
– proxy firewall: filters at the application layer
(many rules can be applied)
• usually work with proxy servers to provide
large hard-disk storage for content cache.
Summary - 2
• NAT
– solve the problem of IP address limitation
– provide load balance and redundancy
– Four modes: Dynamic Translation (IP Masquerade), Static Translation (Port Forwarding), Load Balancing Translation and Network Redundancy Translation
• IDS
– active detection to monitor the network status
– three methods: signature, statistical and integrity
– four types: network, host, applications and
integrity