Lab 12A: Intrusion Detection System (IDS)

Intrusion Detection System (IDS)

Outline
• Host-based IDS – Tripwire
• Network IDS – Snort
• How to defeat an IDS
Host-based IDS – Tripwire

Tripwire is a very popular system integrity checker, a utility that compares properties of designated files and directories against information stored in a previously generated database. Any changes to these files are flagged and logged, including files that were added or deleted, with optional email and pager reporting. Support files (databases, reports, etc.) are cryptographically signed.
Lab 7: install the Tripwire IDS to monitor the integrity of the data on your hosts.
Network IDS – Snort

Snort is a lightweight network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plugin architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user-specified file, a UNIX socket, or WinPopup messages to Windows clients using Samba's smbclient.
Snort has three primary uses. It can be used as a straight packet sniffer like tcpdump(1), a packet logger (useful for network traffic debugging, etc.), or as a full-blown network intrusion detection system.
Snort is a very flexible tool. You can customize the rulesets to suit your needs. We have given only a very simple introduction in this workshop. For more details on writing rules, see http://www.snort.org/docs/writing_rules/
Lab 7: install a Snort IDS on your host and use the Nessus network scanner to test your Snort IDS.
How to defeat a Network IDS

I. Insertion Attack

Insert packets that the end-point server will ignore but that the IDS picks up as valid packets. An attacker can use insertion attacks to defeat signature analysis, allowing her to slip attacks past an IDS.
E.g. the signature of the phf attack may be something like ``GET /cgi-bin/phf?''. Extra packets may be inserted such that the IDS sees the request as ``GET /cgi-bin/pleasedontdetecttthisforme?'' while the end-point server still reads it as ``GET /cgi-bin/phf?''.
Techniques:
• Using an invalid sequence number. Most IDS do not check sequence numbers. Packets with invalid sequence numbers are rejected by end-point servers but may be picked up by these IDS.
• Using an incorrect TCP checksum. Most IDS do not check TCP checksums. Packets with incorrect TCP checksums are rejected by end-point servers but may be picked up by these IDS.
• Using a short TTL. If the IDS sits on the network many hops away from the end-point servers, short-TTL packets will be dropped before they reach the end-point servers. The TTL of the inserted packets can be tuned such that they pass the IDS but are dropped before reaching the end-point servers.
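As an added example (not part of the lab material), the checks an IDS needs before it feeds a segment to signature matching so that the checksum and TTL insertion techniques above stop working: verify the TCP checksum over the IPv4 pseudo-header, and discard a packet whose TTL cannot reach the monitored host. The addresses, segments and the hop count are all constructed here.

```python
import struct


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over data (zero-padded to even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum of a TCP segment including the IPv4 pseudo-header; the
    segment's own checksum field (bytes 16-17) is treated as zero."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return internet_checksum(pseudo + zeroed)


def build_segment(src_ip, dst_ip, sport, dport, seq, payload: bytes) -> bytes:
    """Constructed PSH|ACK segment (no options) carrying a correct checksum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0)
    seg = hdr + payload
    return seg[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, seg)) + seg[18:]


def ids_accepts(src_ip, dst_ip, ttl: int, segment: bytes, hops_to_target: int) -> bool:
    """True only if the monitored end host could receive and accept the segment.
    A bad checksum means the end host discards it; a TTL that expires on the
    way (hops_to_target routers between IDS and host, each decrementing TTL
    by one) means it never arrives. The IDS should ignore both."""
    stored = struct.unpack("!H", segment[16:18])[0]
    if stored != tcp_checksum(src_ip, dst_ip, segment):
        return False
    return ttl > hops_to_target


def reassemble_stream(src_ip, dst_ip, packets, hops_to_target: int) -> bytes:
    """Join the payloads of accepted (ttl, segment) packets in sequence order:
    this is the byte stream the signature engine should match against."""
    kept = [seg for ttl, seg in packets
            if ids_accepts(src_ip, dst_ip, ttl, seg, hops_to_target)]
    kept.sort(key=lambda seg: struct.unpack("!I", seg[4:8])[0])
    return b"".join(seg[20:] for seg in kept)
```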
II. Evasion Attack

An end-system can accept a packet that an IDS rejects. An IDS that mistakenly rejects such a packet misses its contents entirely. E.g. the packets of ``GET /cgi-bin/phf?'' may show up as ``GET /gin/f'' in the IDS's view of the traffic.
Techniques:
• Some IDS can only keep track of one host/port connection at a time. Flood the target port with non-existent SYN packets first so that these IDS ignore the real connection afterwards.
• IP fragmentation: sending fragments out of order. Some IDS assume the fragments arrive in order and just reassemble the data as soon as the fragment marked as final arrives. Sending fragments out of order may fool these IDS.
• Sending overlapping fragments. There may be a gap between how the IDS and the end-point server handle overlapping fragments. If the IDS does not handle overlapping fragments in a manner consistent with the systems it watches, it may, given a stream of fragments, reassemble a completely different packet than an end system in receipt of the same fragments.
Firewall

Outline
• Variations on Firewall Architecture
• Setting up network layer Firewalls
• Firewall log
• Setting up a private network with NAT
In brief, a firewall is typically the first line of defense for any Internet-connected network. What a firewall does and how it behaves depends on what level it operates on. (Those familiar with the OSI model will understand this.) Firewalls generally operate at the network layer (IP), or the application layer, such as HTTP proxies.
Lab 12B: Firewall

Firewalls at the network layer are often called screening routers. A screening router examines the IP header on each incoming (and possibly outgoing) datagram and determines whether or not it should pass. It makes this determination by comparing key fields such as the source and destination addresses to the policy set by the administrator. Most screening routers will also examine the packet at the next layer (the transport layer), which allows you to create policies based on TCP or UDP port, or ICMP type and code.
Firewalls at the application layer are called gateways or proxies, and are designed to understand protocols at this level, such as HTTP or telnet. Application gateways are useful because they can offer very high level control over traffic, and so they are in some ways more secure than screening routers. For example, an application gateway may choose to filter all HTTP POST commands. Most importantly, gateways can maintain logging specific to application layer protocols. A paranoid (and privacy-ignorant) company may choose to have all mail pass through a gateway to log the To, From, and Subject fields of the header, for instance.
Variations on Firewall Architecture
A. Single layer firewall architecture
B. Two layer firewall architecture
C. Merged interior and exterior firewall architecture
D. Two layer firewall architecture with two internal networks
E. Two layer firewall architecture with merged bastion host and exterior firewall
Bastion host
A system exposed to the Internet that is expected to come under thorough attack. The term contrasts with those hosts that are inside a firewall's protection.

DMZ (Demilitarized Zone)
In firewalls, a DMZ is an area that is mostly public to the Internet. This is where a company's web, e-mail, and DNS servers are located. A DMZ often has some limited protection, but since it is very exposed to the Internet, the assumption is that the machines in the zone will eventually be compromised. Therefore, the machines often have as little connectivity to the private network as any other machine from the Internet.
Type A: Single layer firewall architecture (figure)
Type B: Two layer firewall architecture (figure)
Type C: Merged interior and exterior firewall architecture (figure)
Type D: Two layer firewall architecture with two internal networks (figure)
Type E: Two layer firewall architecture with merged bastion host and exterior firewall (figure)
Lab 8: Deploy a firewall on your host using ipchains.
Linux firewall log

All the traffic going through the firewall is part of a connection. A connection consists of the pair of IP addresses that are talking to each other, as well as a pair of port numbers. The destination port number often indicates the type of service being connected to. When a firewall blocks a connection, it will save the destination port number to its logfile.
Here is an example:
Packet log: input DENY eth0 PROTO=17 192.168.2.1:53 192.168.1.1:1025 L=34 S=0x00 I=18 F=0x0000 T=254
1. `input' is the chain which contained the rule which matched the packet, causing the log message.
2. `DENY' is what the rule said to do to the packet. If this is `-' then the rule didn't affect the packet at all (an accounting rule).
3. `eth0' is the interface name. Because this was the input chain, it means that the packet came in on `eth0'.
4. `PROTO=17' means that the packet was protocol 17. A list of protocol numbers is given in `/etc/protocols'. The most common are 1 (ICMP), 6 (TCP) and 17 (UDP).
5. `192.168.2.1' means that the packet's source IP address was 192.168.2.1.
6. `:53' means that the source port was port 53. Looking in `/etc/services' shows that this is the `domain' port (i.e. this is probably a DNS reply). For UDP and TCP, this number is the source port. For ICMP, it's the ICMP type. For others, it will be 65535.
7. `192.168.1.1' is the destination IP address.
8. `:1025' means that the destination port was 1025. For UDP and TCP, this number is the destination port. For ICMP, it's the ICMP code. For others, it will be 65535.
9. `L=34' means that the packet was a total of 34 bytes long.
10. `S=0x00' means the Type of Service field (divide by 4 to get the Type of Service as used by ipchains).
11. `I=18' is the IP ID.
12. `F=0x0000' is the 16-bit fragment offset plus flags. A value starting with `0x4' or `0x5' means that the Don't Fragment bit is set. `0x2' or `0x3' means the `More Fragments' bit is set; expect more fragments after this. The rest of the number is the offset of this fragment, divided by 8.
13. `T=254' is the Time To Live of the packet. One is subtracted from this value for every hop, and it usually starts at 15 or 255.
14. `(#5)' there may be a final number in brackets on more recent kernels (perhaps after 2.2.9). This is the rule number which caused the packet log.
Here is another example:
Feb 26 11:15:56 iegatea0 kernel: Packet log: input DENY eth0 PROTO=6 200.223.111.242:1956 137.189.97.67:25 L=60 S=0x60 I=59731 F=0x4000 T=42 SYN (#77)
The TCP SYN packet of the SMTP (port 25) access to the host 137.189.97.67 from the host 200.223.111.242, client port 1956, was blocked by ipchains rule #77.
Port numbers are divided into three ranges:
1. The Well Known Ports are those from 0 through 1023. These are tightly bound to services, and usually traffic on this port clearly indicates the protocol for that service. For example, port 80 virtually always indicates HTTP traffic.
2. The Registered Ports are those from 1024 through 49151. These are loosely bound to services, which means that while there are numerous services "bound" to these ports, these ports are likewise used for many other purposes. For example, most systems start handing out dynamic ports starting around 1024.
3. The Dynamic and/or Private Ports are those from 49152 through 65535. In theory, no service should be assigned to these ports.
In reality, machines start assigning "dynamic" ports starting at 1024. We also see strangeness, such as Sun starting their RPC ports at 32768.
For a complete list of port info, you may refer to http://www.iana.org/assignments/port-numbers
Setting up a private network with IP Masquerade

IP Masquerade is a networking function in Linux similar to the one-to-many (1:Many) NAT (Network Address Translation) servers found in many commercial firewalls and network routers.
MASQ allows a set of machines to invisibly access the Internet via the MASQ gateway. To other machines on the Internet, the outgoing traffic will appear to be from the IP MASQ Linux server itself. In addition to the added functionality, IP Masquerade provides the foundation to create a HEAVILY secured networking environment. With a well built firewall, breaking the security of a well configured masquerading system and internal LAN should be considerably difficult to accomplish.
E.g.
/sbin/ipchains -A forward -s 192.168.0.0/16 -j MASQ
This setting will allow all the clients in the private network 192.168.0.0/16 to be IP masqueraded by the Linux Masquerade gateway.
Setting up a private network with iptables NAT

Linux iptables provides two different types of NAT: Source NAT (SNAT) and Destination NAT (DNAT).
• Source NAT is when you alter the source address of the first packet: i.e. you are changing where the connection is coming from. Masquerading is a specialized form of SNAT.
• Destination NAT is when you alter the destination address of the first packet: i.e. you are changing where the connection is going to. Port forwarding, load sharing, and transparent proxying are all forms of DNAT.
Example of source NAT:
## Change source addresses to 1.2.3.4.
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4
Example of destination NAT:
## Change destination addresses to 5.6.7.8.
iptables -t nat -A PREROUTING -i eth1 -j DNAT --to 5.6.7.8
Network Address Translation (NAT)
(figure: a client at 10.42.6.9 reaches a server at 35.9.20.20 through a NAT box; Linux calls this masquerading)
NAT Pro/Con
• Pro
– Enforces control over outbound connections
– Dynamic translation is more restrictive: a changing mapping increases attack difficulty
– Conceals internal configuration
• Con
– Dynamic translation requires maintaining state (how long to keep a connection open?)
– Interferes with some encryption schemes
– Dynamic translation interferes with logging
– Dynamic translation of ports can interfere with filtering
Firewall
(figure: your network on one side, evil hackers on the other)
• Firewalls mitigate risk
• Block many threats
• They have vulnerabilities
Firewalls can be your connection to the Internet. As a prerequisite to this course you already know about networking, but it is worthwhile to look at the interface to the Internet with respect to security.
Typical Network Stack
• Application Layer (FTP, HTTP, SSH, etc.)
• Transport Layer (TCP, UDP, ICMP)
• Internet Layer (IP)
• Network Access Layer (Ethernet, FDDI, etc.)
(If you have a Novell or AppleShare network, the IP layer will be different.)
(Carrier Pigeon Network Layer: RFC1149 on 1 April 1990 defines the Avian Transport Protocol)
Packet Organization
Each layer's packet organization has a header and data fields. Each layer treats the information it gets from the layer above it as data, i.e. every layer adds a header.
Encapsulation
(figure: Application (FTP, HTTP, …) data is prefixed by a Transport (TCP, UDP, …) header, then an Internet (IP) header, then a Network (Ethernet) header)
Ethernet Layer
• Header:
– Packet Type, e.g. IP
– Source Address: original source or last router on path
– Destination Address: final destination or next router; may be multicast or broadcast
– Addresses are Media Access Control (MAC) addresses
• Data is an IP packet
IP Layer
• Header
– IP Source Address, e.g. 35.9.20.20
– IP Destination Address
– IP Protocol Type, e.g. TCP, UDP, ICMP
• Data: TCP packet (or UDP, etc.)
• Fragmentation: if (network max packet size < IP max size), split data into multiple packets (fragments)
TCP Layer
• Header
– TCP Source Port (2 bytes)
– TCP Destination Port
– TCP Flags: designate packet type (ACK, SYN, etc.)
• Data: application data, e.g. FTP data
Multicast or Broadcast Source
• Legitimate use: a DHCP request uses a broadcast source since it doesn't have a valid address
• Illegitimate use: sending a broadcast source to a single destination will prompt a broadcast reply, allowing you to use the destination as a broadcast source
• Since DHCP isn't external (normally), block broadcast sources
IP Fragmentation
Prevent fragmentation with path MTU discovery
– Maximum Transmission Unit (MTU)
– Send a message with "don't fragment" set; if (error returned), decrease size, else increase size
Packet Filters & Fragmentation
• Solution: packet filter only the first fragment and let non-first fragments through. If you drop the first, a higher level protocol (TCP) will invalidate the rest.
• Problem #1: the destination holds non-first fragments waiting for the missing one (until timeout), resulting in Denial of Service!
• Problem #2: an attacker carefully constructs overlapping fragments so that non-first fragments contain useful information. Overlapping fragments may be reassembled into invalid packets, causing the OS to crash.
• Problem #3: an attacker can get information to otherwise blocked ports by having valid TCP packets in non-first fragments which slip through.
Solutions
• Fragment reassembly before filtering: time consuming
• Reject all non-first fragments: may reject otherwise good connections, but they will retransmit
• Increased use of path MTU discovery is reducing fragmentation
TCP
TCP is reliable because it guarantees to the application layer:
– Provide data in the order it was sent
– Provide all data sent
– Will not provide duplicates
It will kill a connection before violating any of these.
Blocking TCP
• To block a TCP connection, simply block the first packet.
• The first packet is unique: ACK is not set ("start-of-connection" packet)
• Can enforce a policy of only allowing connections to external servers, i.e. deny external connection requests to internal servers
TCP Options
• Common TCP Options:
– ACK (acknowledgement)
– SYN (synchronize)
– RST (reset)
– FIN (finish)
• The 3-way handshake uses ACK & SYN
• RST & FIN are used to close connections
Firewalls use ACK and RST
– ACK indicates the first packet of a connection
– RST tells people to "shut up" without providing a useful error message
TCP Sequence Numbers
• Sequence numbers allow reconstruction of the correct order of packets
• Supposed to begin with a random number, but often is not random: vulnerability!
• How to hijack a TCP connection?
Hijacking a TCP Connection
An attacker needs:
• The ability to forge TCP/IP packets
• The initial sequence number
• Knowledge that a TCP connection has started (but not the ability to see it)
• When the TCP connection started
• The ability to redirect responses to you, OR to continue the conversation without responses to you while achieving your goal
Thought to be too hard, but it exists in the wild.
UDP
Since UDP does not guarantee reliability, there is no uniquely identifiable first packet.
ICMP
Examples
– Echo Request: sent by ping
– Echo Response
– Time exceeded (really hops exceeded)
– Destination unreachable
– Redirect (a router redirected a packet and is telling the sender that a better way exists)
"Destination Unreachable" has codes to indicate the reason. The relevant ones are "Fragmentation Needed" and "Don't Fragment", used for path MTU discovery. It is desirable to drop all other "unreachable" replies since they provide useful information to scanners. Most firewalls do not allow discrimination on ICMP reason.
ICMP Attacks
• ICMP packets should be very small; large ones indicate a problem, so filter out large ones.
• For example, echo packets allow padding which could contain data. Not useful for cracking, but could be used to maintain a connection to a compromised site.
IP over IP
• Encapsulating IP over IP
– Encrypted traffic
– Mobile IP (movement with a fixed IP)
– Burying a protocol: multicast over non-supporting networks; IPv6 over IPv4
– VPN: virtual private networks
• Problem: cannot see the "actual" IP packet (encrypted), or may not look at it
Low-level attacks
• Port scanning
– Send SYN without ACK; receive SYN if open or RST if not
– Send FIN
• "all options on" = Christmas tree (lights it up)
• "all options off" = null
• Either can crash a weak TCP/IP stack
IP Spoofing:
Apparent problem: the reply is not sent to the attacker
– The attacker can intercept the reply
– The attacker doesn't care to see it (e.g. DoS)
– The attacker doesn't want the reply: a smurf attack redirects the response to the attack target while multiplying replies with a broadcast source
Packet Filtering Pro/Con
• Pro
– One filter can protect an entire network
– Simple filtering is efficient
– Widely available
• Con
– Not perfect: hard to configure and test
– Reduces router performance
– Some security policies cannot be enforced, e.g. block a user
Three main categories of firewalls
• Network layer firewalls. An example would be iptables.
• Application layer firewalls. An example would be TCP Wrappers.
• Application firewalls. An example would be restricting ftp services through the /etc/ftpaccess file.
Network layer firewalls
• operate at a (relatively) low level of the TCP/IP protocol stack as IP-packet filters, not allowing packets to pass through the firewall unless they match the rules. The firewall administrator may define the rules; or default built-in rules may apply (as in some inflexible firewall systems).
• A more permissive setup could allow any packet to pass the filter as long as it does not match one or more "negative-rules", or "deny rules". Today network firewalls are built into most computer operating systems and network appliances.
• Modern firewalls can filter traffic based on many packet attributes like source IP address, source port, destination IP address or port, destination service like WWW or FTP. They can filter based on protocols, TTL values, netblock of originator, domain name of the source, and many other attributes.
Application-layer firewalls
• work on the application level of the TCP/IP stack (i.e., all browser traffic, or all telnet or ftp traffic), and may intercept all packets traveling to or from an application. They block other packets (usually dropping them without acknowledgement to the sender). In principle, application firewalls can prevent all unwanted outside traffic from reaching protected machines.
• By inspecting all packets for improper content, firewalls can even prevent the spread of the likes of viruses. In practice, however, this becomes so complex and so difficult to attempt (given the variety of applications and the diversity of content each may allow in its packet traffic) that comprehensive firewall design does not generally attempt this approach.
• The XML firewall exemplifies a more recent kind of application-layer firewall.
A proxy device
• (running either on dedicated hardware or as software on a general-purpose machine) may act as a firewall by responding to input packets (connection requests, for example) in the manner of an application, whilst blocking other packets.
• Proxies make tampering with an internal system from the external network more difficult, and misuse of one internal system would not necessarily cause a security breach exploitable from outside the firewall (as long as the application proxy remains intact and properly configured). Conversely, intruders may hijack a publicly-reachable system and use it as a proxy for their own purposes; the proxy then masquerades as that system to other internal machines. While use of internal address spaces enhances security, crackers may still employ methods such as IP spoofing to attempt to pass packets to a target network.