Transcript Slide 1

Network Security (II)
Instructor: 鄭伯炤
Office: Dept. of Communication Rm #112
Tel: X33512
Email: [email protected]
Information Networking Security and Assurance Lab
National Chung Cheng University
Building Internet Firewalls
[Figure: the OSI stack (Application, Presentation, Session, Transport, Network, Data Link, Physical) against the three firewall types: Application Proxy at the Application/Presentation/Session layers, Stateful Inspection at the Transport layer, Packet Filter at the Network layer]
Network Security Class, Information Networking Security and Assurance Lab, National Chung Cheng University
Packet Filter Firewalls
• Access control based upon several pieces of information contained in a network packet:
  • The source address of the packet
  • The destination address of the packet
  • The type of traffic: the specific network protocol being used to communicate between the source and destination systems or devices (e.g., ICMP)
  • Possibly some characteristics of the Layer 4 communications sessions, such as the source and destination ports of the sessions
  • The interface of the router the packet came from and which interface of the router the packet is destined for; this is useful for routers with 3 or more network interfaces.
Boundary Routers
• The packet filter, referred to as a boundary router, can block certain attacks, possibly filter unwanted protocols, perform simple access control, and then pass the traffic on to other firewalls that examine higher layers of the OSI stack.
[Figure: Packet Filter used as Boundary Router]
Basic Weaknesses Associated with Packet Filters
• Do not examine upper-layer data
  • Cannot prevent attacks that employ application-specific vulnerabilities or functions.
• Limited information available to the firewall
  • Logging functionality present in packet filter firewalls is limited.
  • Do not support advanced user authentication schemes.
• Network protocol weakness
  • Vulnerable to weaknesses in the TCP/IP specification and protocol stack, such as network layer address spoofing.
• Small number of variables used in access control decisions
  • Susceptible to security breaches caused by improper configurations.
• But …
  • Consequently, packet filter firewalls are very suitable for high-speed environments where logging and user authentication with network resources are not important.
Packet Filter Rulesets
• Actions: Accept, Deny, Discard
• By default:
  • Any type of access from the inside to the outside is allowed.
  • No access originating from the outside to the inside is allowed except for SMTP and HTTP.
  • SMTP and HTTP servers are positioned "behind" the firewall.
Stateful Inspection Firewalls
• More secure: tracks client ports individually rather than opening all high-numbered ports for external access.
• Useful or applicable only within TCP/IP network infrastructures.
• Represents a superset of packet filter firewall functionality.
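The following is an added example (not from the slides) showing what "tracks client ports individually" means in practice: a minimal TCP state table that admits a reply only when it matches a connection a client opened. The inside prefix, addresses and ports are constructed sample values.

```python
from dataclasses import dataclass

INSIDE_NET = "10.0.0."          # assumed prefix of the protected ("inside") network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""             # TCP flags as letters: S=SYN, A=ACK, F=FIN, R=RST


class StatefulFirewall:
    """Tracks each client connection as a 4-tuple. Return traffic is admitted
    only if it matches a tracked flow, so no high-numbered port is ever opened
    in general, unlike a stateless packet filter that would need a blanket
    'allow inbound to ports > 1023' rule just to let replies through."""

    def __init__(self):
        self.table = set()      # {(client_ip, client_port, server_ip, server_port)}

    def inspect(self, pkt: Packet) -> str:
        if pkt.src.startswith(INSIDE_NET):              # inside -> outside
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if "S" in pkt.flags and "A" not in pkt.flags:
                self.table.add(key)                     # new client connection
                return "allow: new outbound connection tracked"
            if key not in self.table:
                return "deny: outbound packet for untracked flow"
            if "F" in pkt.flags or "R" in pkt.flags:    # simplified teardown; real
                self.table.discard(key)                 # engines wait for both FINs
            return "allow: outbound, matches tracked flow"  # and apply idle timeouts
        # outside -> inside: only replies to a flow a client opened are admitted
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.table:
            return "deny: unsolicited inbound to port %d" % pkt.dport
        if "R" in pkt.flags:
            self.table.discard(key)
        return "allow: reply to tracked flow"

    def tracked(self) -> int:
        """Number of connections currently held in the state table."""
        return len(self.table)
```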
Application-Proxy Gateway Firewalls
• Combine lower-layer access control with upper-layer (Layer 7, Application Layer) functionality.
• For example: Web Proxy
• In addition to the ruleset, include authentication of each individual network user:
  • User ID and Password Authentication,
  • Hardware or Software Token Authentication,
  • Source Address Authentication, and
  • Biometric Authentication.
Dedicated Proxy Servers
• Are useful for web and email content scanning:
  • Java applet or application filtering,
  • ActiveX control filtering,
  • JavaScript filtering,
  • Blocking specific Multipurpose Internet Multimedia Extensions (MIME) types, for example application/msword for Microsoft Word documents,
  • Virus scanning and removal,
  • Macro virus scanning, filtering, and removal,
  • Application-specific commands, for example blocking the HTTP DELETE command, and
  • User-specific controls, including blocking certain content types for certain users.
Dedicated Proxy Servers Deployments
Network Address Translation
• Developed in response to two major issues:
  • Hiding the network-addressing schema present behind a firewall environment.
  • The depletion of the IP address space has caused some organizations to use NAT for mapping non-routable IP addresses, according to RFC 1918, to a smaller set of legal addresses:
    • 10.0.0.0 to 10.255.255.255 (Class A)
    • 172.16.0.0 to 172.31.255.255 (Class B)
    • 192.168.0.0 to 192.168.255.255 (Class C)
• Accomplished in three fashions:
  • Static Network Address Translation
  • Port Address Translation (PAT)
Private IP address: IANA-allocated, non-Internet-routable
Public IP address: allocated through the American Registry for Internet Numbers (ARIN)

Address Class   Network Address Range
A               10.0.0.0 ~ 10.255.255.255
B               172.16.0.0 ~ 172.31.255.255
C               192.168.0.0 ~ 192.168.255.255

Recommend non-routable IP addresses for home networks.
Static Network Address Translation
• Each internal system on the private network has a corresponding external, routable IP address associated with it.
PAT
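The two translation styles from the preceding slides, static NAT (one public address per internal host) and PAT (many hosts behind one public address, distinguished by translated source port), as an added example that is not part of the slides. It also checks that inside addresses fall in the RFC 1918 ranges listed earlier. All addresses are constructed; 198.51.100.0/24 is used as the organisation's "legal" public block.

```python
import ipaddress

# The three RFC 1918 private ranges from the NAT slide.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr):
    """True if addr is an RFC 1918 (non-routable) address."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


class StaticNAT:
    """1:1 mapping: each internal system owns one external, routable address."""

    def __init__(self, mapping):
        self.out = dict(mapping)                        # private -> public
        self.back = {pub: priv for priv, pub in mapping.items()}

    def outbound(self, src):
        return self.out[src]                            # KeyError: host has no mapping

    def inbound(self, dst):
        return self.back[dst]                           # inbound works without prior state


class PAT:
    """Many internal hosts share one public address; the translated source
    port identifies the internal flow when the reply comes back."""

    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.sessions = {}                              # public port -> (priv ip, priv port)

    def outbound(self, src, sport):
        for port, who in self.sessions.items():
            if who == (src, sport):
                return self.public_ip, port             # reuse the existing binding
        port = self.next_port                           # constructed: sequential allocation
        self.next_port += 1
        self.sessions[port] = (src, sport)
        return self.public_ip, port

    def inbound(self, dport):
        """Internal (ip, port) for a reply, or None if nothing inside asked for it."""
        return self.sessions.get(dport)
```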
Personal Firewalls / Personal Firewall Appliances
• Personal Firewall:
  • Installed on the system it is meant to protect;
  • Usually does not offer protection to other systems or resources.
• Personal Firewall Appliance:
  • Usually runs on specialized hardware and integrates some other form of network infrastructure components:
    • Cable Modem WAN Routing,
    • LAN Routing (dynamic routing support),
    • Network hub,
    • Network switch,
    • DHCP (Dynamic Host Configuration Protocol) server,
    • Network management (SNMP) agent, and
    • Application-proxy agents.
DMZ (DeMilitarized Zone)
• A DMZ is your front line when protecting valuables from direct exposure to an untrusted environment.
• "A network added between a protected network and an external network in order to provide an additional layer of security."
• A DMZ is sometimes called a "Perimeter network" or a "Three-homed perimeter network."
• A DMZ is a glowing example of the Defense-in-Depth principle.
Defense-in-Depth
• The Defense-in-Depth principle states that no one thing, and no two things, will ever provide total security.
• It states that the only way for a system to be reasonably secured is to consider every aspect of the system's existence and secure them all.
• A DMZ is a step towards defense in depth because it adds an extra layer of security beyond that of a single perimeter.
Design DMZ
• Start by asking yourself:
  • What do I want to protect? Or: what is most valuable to me?
  • What is the entrance point into this system? Or: what is my front door?
• If there is more than one entrance to your system, such as an Internet connection and dial-up connections, have two different DMZs.
  • Have different configurations for each of those access types.
DMZ Networks
[Figures: Service Leg DMZ Configuration; A DMZ Firewall Environment]
Domain Name Service (DNS)
[Figure: Split DNS example]
Placement of Servers in Firewall Environments
[Figure: Summary Example Firewall Environment]
Firewall Ruleset: Blocking Traffic
• Inbound traffic from a non-authenticated source system with a destination address of the firewall system itself.
• Inbound traffic with a source address indicating that the packet originated on a network behind the firewall.
• Inbound traffic containing ICMP (Internet Control Message Protocol) traffic.
• Inbound or outbound traffic from a system using a source address that falls within the address ranges set aside in RFC 1918 as being reserved for private networks.
• Inbound traffic from a non-authenticated source system containing SNMP (Simple Network Management Protocol) traffic.
• Inbound traffic containing IP Source Routing information.
• Inbound or outbound network traffic containing a source or destination address of 127.0.0.1 (localhost).
• Inbound or outbound network traffic containing a source or destination address of 0.0.0.0.
• Inbound or outbound traffic containing directed broadcast addresses.
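An added example (not from the slides) that turns the blocking list above and the default policy from the earlier "Packet Filter Rulesets" slide (inside to outside allowed; outside to inside only SMTP and HTTP to servers behind the firewall) into a small packet filter. The inside network, firewall address and packets are constructed; the "authenticated" and "source_routed" attributes are assumptions standing in for what a real filter derives from session state and IP options.

```python
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("198.51.100.0/24")   # assumed network behind the FW
FIREWALL_IP = ipaddress.ip_address("198.51.100.1")  # assumed address of the FW itself
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INBOUND_SERVICES = {("tcp", 25), ("tcp", 80)}      # SMTP and HTTP servers behind the FW

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0
    authenticated: bool = False   # assumed: source already authenticated to the FW
    source_routed: bool = False   # assumed: IP source-routing option present

def bad_address(ip, role):
    """Address rules that apply to inbound and outbound traffic alike."""
    if role == "source" and any(ip in n for n in RFC1918):
        return "RFC 1918 private source address"
    if ip.is_loopback:
        return "127.0.0.1 (localhost) as %s" % role
    if ip == ipaddress.ip_address("0.0.0.0"):
        return "0.0.0.0 as %s" % role
    if ip == INSIDE.broadcast_address:              # directed broadcast (inside net only here)
        return "directed broadcast as %s" % role
    return None

def filter_packet(pkt, direction):
    """Return 'accept: ...' or 'deny: ...' naming the rule that decided."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for ip, role in ((src, "source"), (dst, "destination")):
        reason = bad_address(ip, role)
        if reason:
            return "deny: " + reason
    if direction == "outbound":
        return "accept: inside to outside is allowed by default"
    if pkt.source_routed:
        return "deny: IP source routing"
    if src in INSIDE:
        return "deny: spoofed internal source address"
    if pkt.proto == "icmp":
        return "deny: inbound ICMP"
    if dst == FIREWALL_IP and not pkt.authenticated:
        return "deny: non-authenticated traffic to the firewall itself"
    if pkt.proto == "udp" and pkt.dport in (161, 162) and not pkt.authenticated:
        return "deny: non-authenticated SNMP"
    if (pkt.proto, pkt.dport) in INBOUND_SERVICES:
        return "accept: SMTP/HTTP to a server behind the firewall"
    return "deny: outside to inside is blocked by default"
```

Rules are evaluated top to bottom, so the address sanity checks fire before any service is considered, which is the order a practitioner would want in a real ruleset.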
[Figure: Inbound and Outbound traffic passing through the FW]
Network Intrusion Detection Systems
Bo Cheng (鄭伯炤)
Email: [email protected],tw
Tel: 05-272-0411 Ext. 33512
Information Networking Security and Assurance Lab
National Chung Cheng University
• Compromise the confidentiality, integrity, availability
• Bypass the security mechanisms of a computer or network
IDS History
[Figure]
Source: http://www.securityfocus.com/infocus/1514
Types of IDS (Information Source)
• Host (HID): operates on information (e.g., logs or OS system calls) collected from within an individual computer system.
• Application (AID): operates on application transaction logs (e.g., Entercept Web Server Edition).
• Application-Integrated (AIID): uses a module, coupled with the application, to extract the desired information and monitor transactions.
• Network (NID): captures and analyzes all network packets.
• Network-Node (NNID): monitors packets to/from a specific node.
Source: http://www.networkintrusion.co.uk/ids.htm
Complement IDS Tools
• File Integrity Checkers: create a baseline and apply a message digest (cryptographic hash) to key files, then check the files periodically.
• Vulnerability Assessment: determine whether a network or host is vulnerable to known attacks.
• Honey Pot: a system/resource designed to be attractive to a potential attacker.
• Padded Cell: when the IDS detects attackers, it seamlessly transfers them to a special padded cell host.
Source: http://www.icsalabs.com/html/communities/ids/buyers_guide/guide/index.shtml
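A minimal file integrity checker of the kind described above, as an added example that is not part of the slides: it records a digest baseline of key files and later reports what changed or disappeared. The file names and contents are constructed in a temporary directory so the demo runs offline.

```python
import hashlib
import os
import tempfile


def digest(path, algo="sha256"):
    """Message digest of one file, read in chunks so large files are fine."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_baseline(paths):
    """Record the digest of every key file (None if it does not exist yet)."""
    return {p: (digest(p) if os.path.exists(p) else None) for p in paths}


def check(baseline):
    """Re-hash each baselined file and classify it as unchanged, changed or missing.
    A file absent at baseline time but present now also counts as changed."""
    report = {"unchanged": [], "changed": [], "missing": []}
    for path, old in baseline.items():
        if not os.path.exists(path):
            if old is not None:
                report["missing"].append(path)
            continue
        report["changed" if digest(path) != old else "unchanged"].append(path)
    return report


def demo():
    """Constructed scenario: a config file is altered and a binary removed after the baseline."""
    d = tempfile.mkdtemp()
    cfg = os.path.join(d, "sshd_config")      # constructed sample files
    binfile = os.path.join(d, "login")
    for path, data in ((cfg, b"PermitRootLogin no\n"), (binfile, b"\x7fELF sample")):
        with open(path, "wb") as f:
            f.write(data)
    baseline = make_baseline([cfg, binfile])
    with open(cfg, "ab") as f:                # simulate tampering with the config
        f.write(b"PermitRootLogin yes\n")
    os.remove(binfile)                        # simulate deletion of a binary
    report = check(baseline)
    return {k: sorted(os.path.basename(p) for p in v) for k, v in report.items()}


if __name__ == "__main__":
    print(demo())
```

In a real deployment the baseline itself must be stored where an intruder cannot rewrite it (read-only media or a separate host), otherwise the periodic check proves nothing.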
IDS Life Cycle
Setting up the current generation of IDSs requires a substantial time investment to ensure they'll flag only suspicious traffic and leave everything else alone.
Source: www.nwfusion.com/techinsider/2002/0624security1.html
[Figure: the life cycle shows Installation, Configuration, Tuning, Testing (Accuracy, Resource Usage, Stress) and Vulnerability Assessment; also shown: Signature Updating, Writing Signature; Information Collecting, Filtering and Correlation, Traffic Analysis]
IDS Market Forecast (I)
[Figure] Source: IDC, 2001
IDS Market Forecast (II)
[Figure] Source: IDC, 2001
When Firewall Meets IDS
• Firewall: a gateway that restricts data communication traffic to and from one of the connected networks (the one said to be "inside" the firewall) and thus protects that network's system resources against threats from the other network (the one that is said to be "outside" the firewall).
  • Access Control
  • NAT
  • Prevent the attacks
• IDS: a security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner.
  • Validate firewall configuration
  • Detect attacks that firewalls allow to pass through (such as attacks against web servers)
  • Seize insider hacking
NIDS Deployments
• Location 1, outside the external firewall (Internet side):
  • See all outside attacks to help forensic analysis
• Location 2, in the DMZ behind the external firewall:
  • Identify DMZ-related attacks
  • Spot outside attacks that penetrate the network's perimeter
  • Avoid outside attacks on the IDS itself
  • Highlight external firewall problems with the policy/performance
  • Pinpoint a compromised server via outgoing traffic
• Location 3, network backbones:
  • Increase the possibility of recognizing attacks
  • Detect attacks from insiders or authorized users within the security perimeter
• Location 4, critical subnets:
  • Observe attacks on critical systems and resources
  • Provide cost-effective solutions
• Mode: Tap, SPAN (Mirror), Port Clustering, In-Line
Detection Engine Analysis
• Simple Pattern Matching
• Traffic Anomalies
• Protocol Anomalies
• String Matching Weaknesses
• Stateful Signatures
• Backdoor Detection
The Detection Results
• False Positive: annoys, "crying wolf", needs tuning, prevention?
• True Negative
• True Positive
• False Negative: wire-speed performance, mis-configuration, poor detection engine, IDS evasion
IDS Responses After Detection
• Passive Responses
  • Alarms/Notifications
  • SNMP Integration: generate SNMP trap; support SNMP Manager (e.g., HP OV) and MIB (e.g., iss.mib trap)
  • Intrusion Detection Working Group:
    • IDMEF - Message Exchange Format: XML-based alert format among IDS components
    • IDXP - Exchange Protocol: communication protocol for exchanging IDMEF messages
• Active Responses
  • Collect additional information
  • Change the Environment: injecting TCP reset packets; reconfiguring routers/firewalls (e.g., via FW1 OPSEC) to block packets based on IP address, network ports, protocols, or services
  • Take Action Against the Intruder: retaliation, information warfare
Source: NIST
Check Point - Open Platform for Secure Enterprise Connectivity (OPSEC)

Name         TCP/UDP Port   Short description
FW1_cvp      18181/tcp      Check Point OPSEC Content Vectoring Protocol - protocol used for communication between FWM and AntiVirus Server
FW1_ufp      18182/tcp      Check Point OPSEC URL Filtering Protocol - protocol used for communication between FWM and Server for Content Control (e.g. Web Content)
FW1_sam      18183/tcp      Check Point OPSEC Suspicious Activity Monitor API - protocol e.g. for Block Intruder between MM and FWM
FW1_lea      18184/tcp      Check Point OPSEC Log Export API - protocol for exporting logs from MM
FW1_omi      18185/tcp      Check Point OPSEC Objects Management Interface - protocol used by applications having access to the ruleset saved at MM
FW1_ela      18187/tcp      Check Point Event Logging API - protocol used by applications delivering logs to MM
FW1_pslogon  18207/tcp      Check Point Policy Server Logon protocol - protocol used for download of Desktop Security from PS to SC

NFR and RealSecure support FW1_sam and FW1_ela
Gateway IDS (GIDS) and Host Intrusion Prevention (HIP)
Host Intrusion Prevention (Company / Website):
  Entercept Security Technologies - www.entercept.com
  Harris STAT Neutralizer - www.statonline.com
  Okena StormWatch and StormFront - www.okena.com
  Sana Security - www.sanasecurity.com
  Linux IDS - www.lids.org
Gateway IDS (Company / Website):
  Captus Networks - www.captusnetworks.com
  Cisco Systems IDS - www.cisco.com
  ForeScout ActiveScout - www.forescout.com
  RealSecure Network Protection - www.iss.net
  Intruvert Networks - www.intruvert.com
  NetScreen Technologies IDP - www.netscreen.com
  Snort Hogwash - http://hogwash.sourceforge.net
  TippingPoint Technologies UnityOne - www.tippingpoint.com
Drawbacks noted: may inadvertently block legitimate traffic; ineffective against denial-of-service attacks.
Acquisitions: OneSecure → Netscreen; Okena → Cisco; Entercept and Intruvert → Network Associates.
Source: http://www.cio.com/archive/061503/et_article.html
NIDS Market Predictions: Head to Head
• The intrusion detection market jumped 29.2 per cent year on year (the firewall/virtual private network security appliance market increased 7.5 per cent).
• In contrast to statements that intrusion detection software is dead, the growth in intrusion detection appliances shows that many organizations still see the value in monitoring their networks.
• Could reach $2 billion in 2005, up from $486 million in 2000.
• IDS market will grow 43 per cent to $149m by 2004.
• IDS revenue will hit $1.1bn by 2006.
[Chart: IDS Revenue vs IPS Revenue, 2002 to 2005]
• IDS is dead, long live IPS.
• By year end 2004, advances in non-signature-based intrusion detection technology will enable network-based intrusion prevention to replace 50% of established IDS deployments and capture 75% of new deployments.
• By end of 2003, 90% of IDS deployments will fail when false positives are not reduced by 50%.
Sources:
http://www.vnunet.com/News/1143747
http://www.ipa.go.jp/security/fy11/report/contents/intrusion/ids-meeting/idsbg.pdf
IDS Balancer
[Figure: Internet, Fiber Tap / GigaBit SX Tap, IDS Balancer, Network]
• Products: Toplayer's IDS Balancer, Radware FireProof
• Benefits: Availability, Scalability, ROI, Cost-effective (reduce sensors while increasing intrusion coverage)