Transcript Chapter 9

Guide to Network Defense and Countermeasures
Chapter 9

Chapter 9 - Intrusion Detection: Preventative Measures

Explain the benefits of the Common Vulnerabilities and Exposures (CVE) standard
Understand why logging network traffic is an integral part of intrusion detection
Analyze intrusion signatures so that you can block unauthorized access to resources
Identify suspicious events when they are captured by an intrusion detection device
Develop filters so that you can take a proactive approach to intrusion detection
Common Vulnerabilities and Exposures (CVE)

CVE enables security devices (router, firewall, IDS) to share information about attacks and other vulnerabilities so they can work together

CVE enables hardware and security devices that support it to draw from the same databases of vulnerabilities, which are all presented in the same standard format
If an IDS that supports CVE transmits an alarm message, the attack signature will be compared to the report of current vulnerabilities to see if an attack has actually occurred
Common Vulnerabilities and Exposures (CVE)

Scanning CVE vulnerability descriptions

CVE vulnerabilities can be viewed online and can even be downloaded
The CVE list is not a vulnerabilities database that can be used with an IDS system; it is simply an informational tool, its listings are brief, and it refers to listings in other databases
CVE references contain: the name of the vulnerability; a short description; and references to the event in other databases
Logging and Intrusion Detection

Network security devices generate substantial amounts of log file information over time

The task of analyzing log data manually becomes virtually impossible, so this can be automated by the installation of log analysis software
A shareware program called ZoneLog is designed to analyze the log file information compiled from the firewall ZoneAlarm; the data is color coded to help in determining which entries are possible attacks
Snort is an IDS program, common to UNIX/Linux, that creates log files organized by IP address
Analyzing Intrusion Signatures

Signature analysis is the practice of assessing TCP/IP communications to determine whether they are legitimate or suspicious
Suspicious packets fall into these categories:

Bad header information - packets that contain malformed header data, where IP or port data is affected; packet alteration commonly occurs here
Suspicious data payload - packets may contain payload text that reveals hacker tactics and/or known attack information
Analyzing Intrusion Signatures

Suspicious packets (cont.):

Single-packet attacks can be completed by sending a single network packet from client to host; no connection is required when one packet is sent like this; if IP Options settings are manipulated, a server can be forced to freeze or provide data to a hacker
Multiple-packet attacks require a series of packets to be received and executed in order for the attack to be completed; these attacks, also called composite attacks, are especially difficult to detect; DoS attacks are an example of a composite attack
Analyzing Intrusion Signatures

Capturing packets is an effective way to become familiar with their contents

Studying packets helps you better understand signatures, since the two are close in format
The goal is to begin to identify features that tell you what type of connection is underway and whether the traffic is legitimate or suspicious
Packet sniffers monitor network device traffic; they capture information about each detected packet
Two examples of packet capture software: Ethereal for Windows and Linux; the IDS program Snort
Analyzing Intrusion Signatures

To recognize suspicious traffic signatures, first learn to recognize normal traffic signatures

One aspect of normal TCP signatures that is easiest to identify is the use of TCP flags (SYN, ACK, PSH, URG, RST, FIN, the numbers 1 and 2)
The placement and use of these flags is very definite and strictly defined; deviations from normal usage mean that the communication is suspicious
The SYN flag appears at the beginning of a connection, the FIN flag at the end; it is suspicious if both of these flags appear in the same packet
Analyzing Intrusion Signatures

Normal traffic signatures (cont.):

Ping signatures reveal an extensive amount about the systems involved in ICMP echo requests; the type of computers involved (their OS) can be determined from the Time to Live, the IP length, the datagram length, and certain payload characters
FTP signatures of a normal connection between a client and an FTP server include a three-way handshake; three separate packets contain different TCP flags that enable you to track the connection; in particular, if the MSS option is seen in an ACK or ACK/PSH packet, the packet could be falsified
Analyzing Intrusion Signatures

Normal traffic signatures (cont.):

WWW signatures consist of packets that are sent back and forth from a Web browser to a Web server as a connection is made; a signature of a normal handshake between a Web browser and a Web server consists of a sequence of packets that are distinguished by their TCP flags: the first packet has the SYN flag set, the second packet has the ACK flag set, the ACK flag is exchanged to acknowledge that a connection has been made, and the PSH flag is used along with the ACK flag to indicate that data is going to be pushed (sent) from a buffer
Analyzing Intrusion Signatures

Categories of suspicious traffic signatures:

Informational - may not be malicious itself, but could be used to verify a successful attack
Reconnaissance - may represent an attempt to gain information about a network as a prelude to attack
Unauthorized access - may be caused by someone who has gained unauthorized access to the system and is attempting to retrieve data from it
Denial of Service - may be part of an attempt to slow or halt all connections on a network device, such as a Web server or mail server
Analyzing Intrusion Signatures

Suspicious traffic signatures (cont.):

Ping sweeps involve sending a series of ICMP Echo Request packets to a range of IP addresses; this is one method of determining the location of a host in order to gain network access; the ping sweep does not cause harm to the network, but the IP address should be noted to track further activity
Port scans are attempts to connect to a computer’s ports to see if any are active and listening; hackers perform them once they’ve obtained the IP address; port scans typically include a SYN packet sent to each port on an IP address, one after the other
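The log analysis the "Logging and Intrusion Detection" slide calls for and the ping sweep and port scan patterns described above, as an added example that is not from the textbook, ZoneLog or Snort: a small analyser that reads firewall-style log lines and reports a source that pinged many hosts, a source that sent SYNs to many ports on one host, and any SYN aimed at the Back Orifice port named later in this chapter. The key=value log format, the thresholds and every address below are constructed for the example, not the output or defaults of any real product.

```python
# Added example (not from the textbook, ZoneLog or Snort): a small log analyser
# that reads firewall-style log lines and reports ping sweeps, port scans and
# probes of a known Trojan port. The log format and all addresses are
# constructed for this example; they are not the output of any real product.
import re
from collections import defaultdict

SAMPLE_LOG = """\
2004-03-01 10:15:01 src=203.0.113.5 dst=192.0.2.1 proto=icmp type=8
2004-03-01 10:15:01 src=203.0.113.5 dst=192.0.2.2 proto=icmp type=8
2004-03-01 10:15:02 src=203.0.113.5 dst=192.0.2.3 proto=icmp type=8
2004-03-01 10:15:02 src=203.0.113.5 dst=192.0.2.4 proto=icmp type=8
2004-03-01 10:16:10 src=203.0.113.9 dst=192.0.2.1 proto=tcp dport=21 flags=S
2004-03-01 10:16:10 src=203.0.113.9 dst=192.0.2.1 proto=tcp dport=22 flags=S
2004-03-01 10:16:10 src=203.0.113.9 dst=192.0.2.1 proto=tcp dport=23 flags=S
2004-03-01 10:16:11 src=203.0.113.9 dst=192.0.2.1 proto=tcp dport=25 flags=S
2004-03-01 10:16:11 src=203.0.113.9 dst=192.0.2.1 proto=tcp dport=80 flags=S
2004-03-01 10:16:12 src=203.0.113.9 dst=192.0.2.1 proto=tcp dport=31337 flags=S
2004-03-01 10:17:00 src=192.0.2.50 dst=198.51.100.80 proto=tcp dport=80 flags=S
2004-03-01 10:17:05 src=192.0.2.50 dst=198.51.100.80 proto=tcp dport=443 flags=S
2004-03-01 10:17:30 src=198.51.100.7 dst=192.0.2.1 proto=icmp type=8
""".splitlines()

FIELD = re.compile(r"(\w+)=(\S+)")
TROJAN_PORTS = frozenset({31337})   # Back Orifice port named on the slides

def parse_line(line):
    """Turn one key=value log line into a dict (the timestamp is ignored)."""
    return dict(FIELD.findall(line))

def detect_scans(lines, sweep_threshold=4, scan_threshold=5, trojan_ports=TROJAN_PORTS):
    """Return a list of (kind, source, detail) alerts derived from the log lines."""
    echo_targets = defaultdict(set)   # source -> hosts it sent ICMP Echo Requests to
    syn_ports = defaultdict(set)      # (source, target) -> ports probed with a bare SYN
    trojan_hits = defaultdict(set)    # source -> Trojan ports it probed
    for line in lines:
        rec = parse_line(line)
        src, dst = rec.get("src"), rec.get("dst")
        if rec.get("proto") == "icmp" and rec.get("type") == "8":
            echo_targets[src].add(dst)
        elif rec.get("proto") == "tcp" and rec.get("flags") == "S" and "dport" in rec:
            port = int(rec["dport"])
            syn_ports[(src, dst)].add(port)
            if port in trojan_ports:
                trojan_hits[src].add(port)
    alerts = []
    for src, targets in echo_targets.items():
        if len(targets) >= sweep_threshold:
            alerts.append(("ping sweep", src, len(targets)))
    for (src, dst), ports in syn_ports.items():
        if len(ports) >= scan_threshold:
            alerts.append(("port scan", src, f"{len(ports)} ports on {dst}"))
    for src, ports in trojan_hits.items():
        alerts.append(("trojan port probe", src, sorted(ports)))
    return alerts

if __name__ == "__main__":
    for kind, src, detail in detect_scans(SAMPLE_LOG):
        print(f"{kind:18} from {src}: {detail}")
```

The browser at 192.0.2.50 touches only two ports on one server and produces no alert, which is the point of counting distinct ports per source and target rather than raw SYN volume; the thresholds are deliberately low so the constructed sample triggers them, and in practice they are tuned against the site's own baseline traffic.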
Analyzing Intrusion Signatures

Suspicious traffic signatures (cont.):

Random back door scans involve finding an undocumented or unauthorized opening (such as a port) through which a computer, program, or other resource can be accessed
One type of port scan probes a computer to see if any ports are open and listening that are used by well-known Trojan horses, which are programs that seem harmless but can cause harm to a computer or its files; each sent SYN packet attempts to contact a different port used by a Trojan horse
Analyzing Intrusion Signatures

Suspicious traffic signatures (cont.):

Specific Trojan scans reflect the fact that port scans can be performed in several ways: vanilla scans are where all of the ports from 0 to 65,535 are probed in succession; strobe scans are where a hacker only scans ports that are used by specific programs, in an attempt to see if such a program is present and can be utilized
Port 31337 is used by the Back Orifice Trojan horse, as well as the Trojans ADM worm, Back Fire, and BlitzNet
Analyzing Intrusion Signatures

Suspicious traffic signatures (cont.):

Nmap is a popular tool for scanning networks; Nmap enables hackers to send packets that circumvent the normal three-way handshake performed by two computers that establish a connection; an example of this type of scan is the FIN scan
Nmap enables a hacker to send packets for which an IDS might not be configured to send an alarm, especially if there is no rule to trigger an alarm when a certain combination of TCP flags is seen
Identifying Suspicious Events

Once an IDS transmits an alarm, you should look for suspicious characteristics and events
Packet header discrepancies seen in TCP, IP, ICMP, or UDP headers can provide warnings

Falsified IP address alarms could indicate that a network device has been misconfigured or is malfunctioning; or it could indicate IP spoofing
A port number could be falsified if the source or destination port in a TCP or UDP header is set to 0; protocol numbers could be falsified if they are set to 134 or greater
Identifying Suspicious Events

Packet header discrepancies (cont.):

Illegal TCP flags are one of the most obvious ways to detect an abnormal packet signature
Common misuses of the SYN and FIN flags: having both flags together in a packet; packets containing a FIN flag by itself; SYN-only packets containing data
Another misuse of flags involves a null packet, which is a packet that has no flags set
TCP or IP options present in packets can be a sign of an attack
Fragmentation abuses can occur when a large number of fragmented packets are encountered
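The header discrepancies on the two slides above (port 0, protocol numbers of 134 or greater, a 127.x.x.x source, SYN with FIN, FIN alone, null packets, SYN-only packets with data, the MSS option outside a SYN) and the normal SYN / SYN-ACK / ACK handshake from the "Normal traffic signatures" slides, as one added example that is not code from the textbook or any IDS product: a per-packet check followed by a tracker that compares a conversation against the normal handshake. The Packet class, the helper names, the addresses and all sample traffic are constructed for the example; the 134 threshold is taken from the slides.

```python
# Added example (not from the textbook or any IDS product): per-packet header
# checks for the discrepancies the slides list, plus a tracker for the normal
# SYN / SYN-ACK / ACK sequence of a client/server connection. All packets
# below are constructed in code; nothing is captured from a network.
from dataclasses import dataclass

@dataclass
class Packet:
    proto: int                      # IP protocol number: 6 = TCP, 17 = UDP, 1 = ICMP
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flag names, e.g. frozenset({"SYN"})
    payload_len: int = 0
    mss_option: bool = False        # True when the TCP MSS option is present

# Threshold taken from the slides: a protocol number of 134 or greater is treated as falsified.
MAX_VALID_PROTO = 133

def check_header(pkt):
    """Return the list of header discrepancies found in one packet (empty if none)."""
    findings = []
    if pkt.proto > MAX_VALID_PROTO:
        findings.append(f"protocol number {pkt.proto} looks falsified")
    if pkt.src.startswith("127."):
        findings.append("source address in 127.x.x.x (localhost spoof)")
    if pkt.proto in (6, 17) and 0 in (pkt.sport, pkt.dport):
        findings.append("TCP/UDP port 0")
    if pkt.proto == 6:
        f = pkt.flags
        if not f:
            findings.append("null packet: no TCP flags set")
        if {"SYN", "FIN"} <= f:
            findings.append("SYN and FIN set together")
        if f == {"FIN"}:
            findings.append("FIN set by itself")
        if f == {"SYN"} and pkt.payload_len > 0:
            findings.append("SYN-only packet carries data")
        if pkt.mss_option and "ACK" in f and "SYN" not in f:
            findings.append("MSS option in an ACK or ACK/PSH packet")
    return findings

# The normal three-way handshake as (sender, flags) pairs; later packets carry ACK.
NORMAL_HANDSHAKE = [
    ("client", frozenset({"SYN"})),
    ("server", frozenset({"SYN", "ACK"})),
    ("client", frozenset({"ACK"})),
]

def classify_connection(packets):
    """Classify a list of (sender, Packet) pairs as 'normal', 'incomplete' or
    'suspicious: <reason>' by comparing it against NORMAL_HANDSHAKE."""
    for i, (sender, pkt) in enumerate(packets):
        problems = check_header(pkt)
        if problems:
            return f"suspicious: {problems[0]}"
        if i < len(NORMAL_HANDSHAKE):
            want_sender, want_flags = NORMAL_HANDSHAKE[i]
            if (sender, pkt.flags) != (want_sender, want_flags):
                return (f"suspicious: packet {i + 1} has flags {sorted(pkt.flags)}, "
                        f"expected {sorted(want_flags)} from the {want_sender}")
        elif "ACK" not in pkt.flags:
            return f"suspicious: packet {i + 1} after the handshake lacks ACK"
    return "normal" if len(packets) >= len(NORMAL_HANDSHAKE) else "incomplete"

def tcp(src, dst, sport, dport, flags, **kw):
    """Helper to build a TCP Packet from a set of flag names."""
    return Packet(6, src, dst, sport, dport, frozenset(flags), **kw)

# Constructed sample traffic (documentation addresses, not real hosts).
CLIENT, SERVER = "192.0.2.10", "198.51.100.80"
WEB_FETCH = [                                   # normal browser-to-server exchange
    ("client", tcp(CLIENT, SERVER, 40001, 80, {"SYN"})),
    ("server", tcp(SERVER, CLIENT, 80, 40001, {"SYN", "ACK"})),
    ("client", tcp(CLIENT, SERVER, 40001, 80, {"ACK"})),
    ("client", tcp(CLIENT, SERVER, 40001, 80, {"PSH", "ACK"}, payload_len=120)),
]
SYN_FIN_PROBE = [("client", tcp(CLIENT, SERVER, 40002, 80, {"SYN", "FIN"}))]
FIN_SCAN = [("client", tcp(CLIENT, SERVER, 40003, 21, {"FIN"}))]

if __name__ == "__main__":
    for name, conv in [("web fetch", WEB_FETCH), ("SYN/FIN probe", SYN_FIN_PROBE), ("FIN scan", FIN_SCAN)]:
        print(f"{name}: {classify_connection(conv)}")
```

The per-packet check catches the single-packet cases (a SYN/FIN probe, a bare FIN, port 0); the sequence tracker catches what no single packet shows, such as a conversation that starts with a SYN/ACK from the "server" side and never had a SYN. The slides' reserved bits (the numbers 1 and 2) are not modelled here.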
Identifying Suspicious Events

Advanced IDS attacks involve those that are especially complex, such as:

Polymorphic buffer overflow attacks change their code so that they do not match the known signatures used by many IDS systems; once they reach their intended target, they reassemble into original form
Path obfuscation involves altering the directory path statement in a packet payload by adding forward slashes; this keeps signatures from matching
CGI scripts - a series of packets is sent to a series of well-known Common Gateway Interface scripts
Identifying Suspicious Events

Remote Procedure Call (RPC) is a standard set of communication rules that allow one computer to request a service from another
RPC-related events that should trigger alarms:

RPC dump - a target host receives an RPC dump request, which is a request to report the presence and port usage of any RPC services
RPC set spoof - a target host receives an RPC set request from a source IP address of 127.x.x.x
RPC NFS sweep - a target host receives a series of requests for the NFS program
Developing IDS Filter Rules

Respond to IDS alarms by adjusting packet filtering rules, and creating rules on the IDS

Configure an IDS to take action (not just alert) as part of its rules when detecting suspicious packets
Rule actions add another layer of network defense; rule actions are alert, log, pass, activate (which alerts, but also creates a rule to cover subsequent logging), dynamic (enables logging of subsequent packets when a particular packet is detected)
Rule data applies to the rule after a signature match occurs; it includes protocols, source and destination IP addresses, port number, direction of traffic
Developing IDS Filter Rules

Adjusting packet filtering rules (cont.):

Rule options allow rules to become quite granular; options follow rule data in the rule specification
Rule options cause specific actions: ttl matches on Time to Live; id matches on fragment ID number; flags matches on specific TCP flags; ack matches the ACK flag; content matches on a defined data payload string; logto causes data to be logged to a specified file name instead of the default log files
The rule base for an IDS is different from the packet filter rule base and will help you analyze what traffic is getting through the filter
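The rule layout the two slides above describe (action, then rule data, then rule options such as flags, ttl, content and logto), together with the path obfuscation case from the "Advanced IDS attacks" slide, as one added example that is not the textbook's code and not Snort's own parser: a reader for a rule written in Snort's rule syntax and a matcher that applies it to one packet, normalizing the request path before the content match so that extra slashes do not defeat the signature. The rule text, the packet, the addresses and the helper names are constructed for the example; the rule is not a shipped signature, and the option parser is simplified (values may not contain a semicolon, and a plain flags option is treated as an exact match of the flag set).

```python
# Added example (not from the textbook, and not Snort's own parser): a reader
# for the rule layout the slides describe (action, rule data, rule options)
# and a matcher that applies one rule to one packet. The rule, the packet and
# the addresses are constructed here; the rule is not a shipped signature.
import ipaddress
import posixpath
import re

RULE_TEXT = ('alert tcp any any -> 192.0.2.0/24 80 (msg:"constructed CGI probe"; '
             'flags:PA; content:"/cgi-bin/test-cgi"; logto:"web-probes.log"; sid:1000001;)')

HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
FLAG_LETTERS = {"S": "SYN", "A": "ACK", "P": "PSH", "U": "URG", "R": "RST", "F": "FIN"}

def parse_rule(text):
    """Split a rule into its action, rule data (header) and rule options."""
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("not a rule: " + text)
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    options = {}
    for item in opts.split(";"):        # simplified: option values must not contain ';'
        item = item.strip()
        if item:
            key, _, value = item.partition(":")
            options[key.strip()] = value.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport, "options": options}

def addr_match(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_match(spec, port):
    return spec == "any" or int(spec) == port

def normalize_payload(payload):
    """Collapse duplicate slashes and '/./' segments in an HTTP request path, so an
    obfuscated path such as /cgi-bin//./test-cgi compares equal to /cgi-bin/test-cgi."""
    m = re.match(r"^(\w+) (\S+)(.*)$", payload, re.S)
    if not m:
        return payload
    method, path, rest = m.groups()
    return f"{method} {posixpath.normpath(re.sub(r'/+', '/', path))}{rest}"

def rule_matches(rule, pkt, normalize=True):
    """True when the rule data and every supported option match the packet."""
    o = rule["options"]
    if rule["proto"] != pkt["proto"]:
        return False
    ends = [(rule["src"], rule["sport"], rule["dst"], rule["dport"])]
    if rule["direction"] == "<>":       # bidirectional rule: also try the reverse
        ends.append((rule["dst"], rule["dport"], rule["src"], rule["sport"]))
    if not any(addr_match(s, pkt["src"]) and port_match(sp, pkt["sport"]) and
               addr_match(d, pkt["dst"]) and port_match(dp, pkt["dport"])
               for s, sp, d, dp in ends):
        return False
    if "flags" in o and {FLAG_LETTERS[c] for c in o["flags"]} != set(pkt["flags"]):
        return False                    # exact flag set, as a plain flags: option requires
    if "ttl" in o and int(o["ttl"]) != pkt["ttl"]:
        return False
    if "content" in o:
        payload = normalize_payload(pkt["payload"]) if normalize else pkt["payload"]
        if o["content"] not in payload:
            return False
    return True

def evaluate(rule, pkt):
    """Return the alert record the rule options call for, or None when there is no match."""
    if not rule_matches(rule, pkt):
        return None
    o = rule["options"]
    return {"action": rule["action"], "msg": o.get("msg"), "logto": o.get("logto"), "sid": o.get("sid")}

# Constructed packet: a CGI probe whose path has been obfuscated with extra slashes.
PROBE = {"proto": "tcp", "src": "203.0.113.7", "sport": 40123, "dst": "192.0.2.15", "dport": 80,
         "flags": {"PSH", "ACK"}, "ttl": 52, "payload": "GET /cgi-bin//./test-cgi HTTP/1.0\r\n\r\n"}

if __name__ == "__main__":
    rule = parse_rule(RULE_TEXT)
    print("raw payload matches:", rule_matches(rule, PROBE, normalize=False))
    print("normalized payload matches:", rule_matches(rule, PROBE))
    print(evaluate(rule, PROBE))
```

Run with the raw payload the content option misses the probe; run with the normalized path it matches and the alert record carries the msg, logto and sid options, which is what the slide means by rule options assisting interpretation of the logs. A production IDS normalizes far more than slashes (encoding, case, traversal), but the mechanism is the same: canonicalize, then compare.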
Chapter Summary

This chapter discussed how to prevent intrusions by understanding how to interpret the signatures of both normal and abnormal network traffic. By being able to recognize the characteristics of a possible intrusion, you gain the ability to read log files and alert messages and react to them effectively. You can adjust filter rules to reduce the number of false alarms you receive from your IDS. More importantly, you are able to prevent intrusions before they occur or keep intrusions that are already underway from causing excessive damage.

Chapter Summary

It is important to have your network security hardware and software work cooperatively by being able to share information. A standard called the Common Vulnerabilities and Exposures (CVE) enables IDS systems, firewalls, and other devices to share attack signatures and information about network vulnerabilities so they can better protect a network. A list of current vulnerabilities is maintained as an online database by MITRE, and you can use the list to update your own CVE database and learn about new attacks.

Chapter Summary

Examination and analysis of the log files compiled by your IDS and other devices can help tell you whether remote computers are scanning your network as a prelude to an attack. However, reviewing the log files manually can be tedious and time consuming. A log file analysis program automates the process and helps you identify which external hosts have been attempting to gain unauthorized access. The log files can also reveal patterns of access attempts that may represent intrusion attempts.

Chapter Summary

The analysis of intrusion signatures is an integral aspect of intrusion prevention. A signature is a set of characteristics such as IP address, port numbers, TCP flags, and options. Normal traffic makes valid use of such settings. Note that possible intrusions are marked by invalid settings that sometimes cannot be interpreted and that are allowed to pass through to the internal network. Those invalid settings include bad header information, suspicious contents in the payload of packets, IP options settings, and a succession of packets such as a Denial of Service attempt.

Chapter Summary

You can set up the freeware IDS Snort as a packet sniffer so that you can capture packets and study their contents. Parts of a packet header indicate whether a Windows or Linux system is being used. The TCP flags are used in sequence to create a normal three-way handshake between two computers. By learning how normal traffic signatures look, you are able to identify suspicious signatures. Monitor suspicious events such as ping sweeps, port scans, random back door scans, and scans for specific Trojan horse programs. The characteristics of packets crafted with the popular network mapping tool Nmap were also discussed.

Chapter Summary

You can identify a variety of other suspicious network events. These include orphaned packets, Land attacks, LocalHost Source Spoofs, falsified protocol numbers, and illegal combinations of TCP flags.

Chapter Summary

Advanced IDS attacks are especially difficult to detect. Certain complex attacks called polymorphic buffer overflow attacks can be altered so they don’t match a known intrusion signature and elude the IDS. Others use confusing path names or other keywords in the data payload. Still others attempt to connect with and abuse common CGI scripts that may be present, or remote procedure calls that also enable remote users to access services.

Chapter Summary

IDS devices can have their own set of filter rules, like packet filtering routers and firewalls. You can configure a set of rules to send alert messages if ICMP packets or other suspicious packets pass through a packet filter on the perimeter of the network and reach the IDS. Such rules can also be configured to log events or a range of subsequent packets. Rule options such as messages that can be associated with suspicious events can greatly assist you in interpreting log files and determining how to react to attack attempts.