Chapter 14: Intrusion Prevention & Detection

Presentation Transcript

  1. Chapter 14: Intrusion Prevention & Detection

Attack classifications:
1. Network scans - attacks intended to identify networks, hosts, and available services - identifies potential targets.
2. Vulnerability scans - attacks intended to identify networks, hosts, and services that are susceptible to specific attacks - reduces the target list to systems with weaknesses known to the attacker.
3. Password disclosure - attacks intended to reveal passwords - from guessing to social engineering to cracking.
4. Sniffing - attacks that listen to network traffic with the intent of picking up usernames, passwords, credit card numbers, etc.
5. Denial of Service - attacks that deny or limit legitimate users' ability to access a network or a host computer.
6. Penetration - attacks intended to gain control of a network or computer.
Chapter 14 Intrusion Prevention & Detection

  2. Attack Data from NIST - 1998

Based on 237 attacks.
Statistic: 29% were launched from Windows hosts. Point: An expensive Unix box is not needed (especially true with Linux becoming widely available on Intel desktops - expect increases!)
Statistic: 20% of attacks remotely penetrated network elements. Point: A significant number are successful.
Statistic: 3% enabled Web sites to attack visitors to the site. Point: Visiting web sites can be hazardous.
Statistic: 5% of the attacks are effective against routers and firewalls. Point: These were primarily DoS attacks rather than penetration attacks, but they indicate the fragility of the infrastructure.
Statistic: 4% were vulnerability scans. Point: Vulnerability scanners are being used to find holes. Enterprises had better consider using them as well.

  3. Dealing with Attacks

1. Prevention - Resist attacks by understanding and correcting vulnerabilities.
2. Detection - Recognize events that might compromise security (intrusions). These can be pre-, during- or post-attack events.
3. Response - Recover and restore to mitigate the event - from blocking a suspect event to completely re-building a compromised system.
Where do we apply the measures? Two places:
1. On the network
2. On the host (server/workstation)

  4. Prevention

1. Patching - Maintain most current patch levels.
2. Services - Remove all unnecessary services.
3. Virus detection - Install commercial packages at server and/or host.
4. Firewalls - Block undesirable traffic.
5. Password Crackers - Use the real thing to test your passwords.
6. Encryption - Especially of clear text passwords.
7. Vulnerability Scanners - Designed to detect known holes.
8. Configuration Management - Get it right, then keep it right.
9. War Dialing - Scans telephones for answering modems.
10. Security Advisories - From CERT & others.
11. Intrusion Detection - Specific signatures.
12. Network Discovery Tools - Map your own network.
13. Incident Response - Process to invoke on an incident.
14. Security Policy - Underlying rule set - basis for everything else.
15. Denial of Service Testing - How would you do?

  5. Patch to Current Revision Levels

One of the first rules of good security practice is to ensure that systems are patched against all known exploits for which patches are available (which still leaves you exposed to new exploits). Find them by following CERT warnings and bulletins and visiting the vendor's web site. Be careful that an upgrade does not undo the fix provided by a previously installed patch (a regression) - this happens all too often. It is important to test systems following patching, both to ensure the patch does not break applications and to run vulnerability scans to confirm the hole is actually closed.

  6. Remove Unnecessary Services

Another foundation principle is to remove all non-essential network services. OS distributions contain a large suite of network services. They are often installed enabled by default and require explicit action to disable. Too often, users are unaware of the services installed on their system, and they are not, in fact cannot be, expected to be effective technical security specialists. Some are, but they are the exception rather than the rule. This condition is not likely to change, and it makes vulnerability scanning an even more important capability to implement.

  7. Example Unnecessary Services - Cisco Routers

NSA lists 17 unneeded or rarely needed services, and many are enabled by default. For example:
IP source routing - packets specify their own routes - disable.
IP unreachable notification - the response helps an attacker map the network - disable.
IP mask reply - another aid to mapping a network - disable.
SNMP - has many vulnerabilities - disable or restrict access.
DNS - the router can resolve DNS names - disable or restrict.
Finger - user name lookup - disable.
HTTP server - web interface - disable or restrict access.
IP directed broadcast - can flood a network (the amplifier behind Smurf-style attacks) - disable.
Source: Router Security Configuration Guide, National Security Agency http://nsa2.www.conxion.com

  8. Virus Detection and Eradication

Can be done in 3 places:
At the firewall
At a server (e.g., on the e-mail servers)
At the user workstation
At least two out of the three should be considered.
1. The user workstation is essential as long as there is a media path to the workstation (e.g., removable media) that can circumvent the firewall or mail server.
2. Either the firewall or the mail server, to cover those cases where users do not keep local signature files updated.
In the past 18 months, some 22,000 viruses were rejected at the PNNL firewall.

  9. Firewalls

Purpose: Prevents unwanted traffic from entering or leaving an enterprise network or system and permits allowed traffic to pass.
Implication: All systems intended to be protected must reside behind the firewall - corollary - all traffic must go through the firewall.
Controls traffic passing between a trusted and an un-trusted environment. Control is based on policy and implemented by rules that enforce policy.
Firewalls may protect a single system (e.g., a personal firewall), an entire enterprise network, or selected network segments.

  10. Firewall Placement - Single Enterprise Firewall

  11. Firewall Placement - Multiple Enterprise Firewalls

  12. Firewall Placement - Personal (host) Firewall

  13. Firewall Protection

1. Filters in/out-bound packets based on source/destination address, protocol (source/destination ports), or patterns of behavior (state).
2. Blocks traffic according to policy-based rules.
3. Hides information - host names, addresses, network topology, etc.
4. Monitors and logs in/out-bound traffic.
5. Analyzes traffic for known attack signatures.
6. Alarms and/or alerts system administrators.
7. Implements cryptographic services: authentication, encryption, integrity.

  14. Types of Firewalls

Multiple possible types:
1. Firewall per system on the network (possible, but overkill).
2. Packet filtering routers (firewall functions in the border router).
3. Bastion host (a single system proxies all traffic).
4. Stateful inspection firewalls.
5. Proxy firewalls.
6. Circuit relays (e.g., SOCKS).

  15. Firewall Per System

Could put a firewall on every system.
Viable for small or special cases (e.g., access from remote locations - portables while on travel, DSL/cable-enabled home systems).
Unattractive for medium to large scale enterprises:
Cost (initial and on-going maintenance)
Lack of central management for configuration control
Users not generally knowledgeable enough to configure
However, it appears that the host model will become increasingly important and more widely used - pushing security out to the hosts.

  16. Packet Filtering Routers

Intersections between networks are controlled by routers - given an input packet, the router examines the packet header and selects the output path based on the destination address contained in the packet.
Routers can:
Forward the packet (e.g., to the next router or an attached host)
Reply to the packet (e.g., to an ICMP request or with an error)
Drop the packet
Log the decisions they make for each packet
Decisions are made based on a rule set associated with the router's internal routing table. Since the router examines every packet header, it has the capability to filter packets based on any information contained in the header.

  17. Packet Filtering Routers

A filtering router is often placed at the Internet access point. Typically filters are based on 1) source address, 2) destination address, 3) protocol (the higher-level protocol being carried - the main ones are UDP, TCP, ICMP), and 4) source/destination ports.
Filter rule examples:
1. Drop all inbound ICMP packets (prohibited by network policy). Caveat: dropping every ICMP type also blocks the "fragmentation needed" messages that path MTU discovery depends on, which can silently break connections for hosts behind the router; permit at least that type.
2. Drop all inbound packets whose source address is an interior address (this cannot be a legitimate address arriving from outside - it is spoofed).
3. Drop all outbound packets to certain sites (e.g., porn sites).
4. Drop all outbound packets whose source address is not a legitimate interior address - it is spoofed - typical of denial of service attacks originating inside the network.

  18. Packet Filtering Routers

Packet filtering is an effective way to avoid some attacks, but it does not provide protection against others. This is because some attacks can only be detected by maintaining state information (i.e., packet-to-packet memory that gives context). For example, a filtering router would typically not recognize a FIN scan/probe, since it would not know that there were no previous packets associated with the FIN packet. If state information were available, it would be easy to recognize that there was no session associated with the FIN; therefore it is an inappropriate packet and should be dropped.

  19. Packet Filtering Routers - Plus and Minus

+ Filters are supported in all commercial routers.
+ Low cost (built in, only requires memory & CPU time).
+ Transparent to applications.
+ Fast - little impact on performance.
- No state information (this packet only - no context).
- Hard to configure (several hundred rules are common).
- Limited logging and alerting capability.
- Routers don't screen the networks they protect (hosts are visible).
- Hard to manage (user interface and reporting are relatively primitive).
Good idea to apply filtering rules to routers at the network entrance, but typically this is not enough - valuable, but not sufficient.

  20. Bastion Host

  21. Bastion Host

Older technology - the way it was done in the past.
Main idea - the bastion host acts like a relay or proxy between the Internet and the protected network - isolates traffic.
Works OK for store-and-forward services (e.g., mail, news), but is not good for interactive services, like Telnet. Does not scale very well.
PNNL used one in the past. To get to the Internet, a user logged into the bastion host and launched services from the bastion host - for a few users this was OK, but it didn't scale.
No longer widely used.

  22. Stateful Inspection Firewalls

Implement a state machine on the firewall. That is, a machine where the next state is a function of 1) the present state, and 2) the current inputs. Consequently, the next state can be predicted. If the prediction leads to an unsafe state, the packet can be dropped.
For example, consider the case of FTP. FTP is a file transfer protocol that allows external users to access and transfer files. It also allows internal users to access external FTP sites and download files. In each case there is 2-way data flow:
(Diagram: requests and their responses crossing the protected-network boundary in both directions.)

  23. Stateful Inspection Firewalls

Without state, it is impossible for a device in the network path to tell the difference between an in-bound request seeking an out-bound response and an in-bound response that results from an out-bound request. We often want to enable out-bound requests and their in-bound responses, while denying in-bound requests. By maintaining state, a firewall can associate the out-bound request with a later in-bound response and allow it. It also knows when an in-bound request packet has no corresponding out-bound request, and denies it.
The rules for a firewall are determined by the enterprise policy that identifies allowable behavior for packets entering and leaving the network.
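The contrast the last few slides draw between a packet-filtering router and a stateful firewall can be shown in code. The following is an added example, not part of the original slides: a first-match rule list applied to each packet on its own header stands in for the router, and the same policy plus a session table stands in for the stateful firewall. The interior address range, the rule names, the mail-relay permit and the sample packets are all constructed for the example, and only the header fields the rules examine are modelled; the FIN probe is the case from the "Packet Filtering Routers" slide.

```python
"""Stateless packet filtering versus stateful inspection (added example).

A first-match rule list applied to each packet on its own header plays the
packet-filtering router; the same policy plus a session table keyed on
addresses and ports plays the stateful firewall. The interior network, the
rules and the sample packets are constructed; only the header fields the
rules need are modelled.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INSIDE = ip_network("172.16.0.0/16")   # constructed interior address space


@dataclass(frozen=True)
class Packet:
    direction: str              # "in" = arriving from the Internet, "out" = leaving
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()   # TCP flags set, e.g. {"SYN"}, {"SYN", "ACK"}, {"FIN"}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "accept" or "drop"
    direction: str = "any"
    proto: str = "any"
    src_inside: Optional[bool] = None   # True: source must be interior; False: must be exterior
    dport: Optional[int] = None
    dport_min: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.direction != "any" and self.direction != p.direction:
            return False
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.src_inside is not None and (ip_address(p.src) in INSIDE) != self.src_inside:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.dport_min is not None and p.dport < self.dport_min:
            return False
        return True


def first_match(p: Packet, rules) -> str:
    """Rules are tested in order and the first match decides; default deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "drop"


# The slide's four filter examples, an inbound permit for the mail relay, and
# the hole a stateless router needs to let replies to outbound sessions back
# in: it cannot remember the outbound request, so it must permit inbound TCP
# to the high ports clients use. A FIN probe to such a port slips through.
ROUTER_RULES = [
    Rule("drop inbound ICMP", "drop", direction="in", proto="icmp"),
    Rule("inbound packet with interior source is spoofed", "drop", direction="in", src_inside=True),
    Rule("outbound packet with exterior source is spoofed", "drop", direction="out", src_inside=False),
    Rule("allow inbound SMTP to the mail relay", "accept", direction="in", proto="tcp", dport=25),
    Rule("allow inbound replies to client high ports", "accept", direction="in", proto="tcp", dport_min=1024),
    Rule("allow all outbound", "accept", direction="out"),
    Rule("default deny", "drop"),
]
# The stateful firewall enforces the same policy without the high-port hole.
STATEFUL_RULES = [r for r in ROUTER_RULES if r.dport_min is None]


def packet_filter(p: Packet) -> str:
    """Packet-filtering router: every packet judged on its own header."""
    return first_match(p, ROUTER_RULES)


class StatefulFirewall:
    """An accepted outbound packet creates a session entry; an inbound packet
    is accepted as a reply only if it matches one. Inbound TCP that is not a
    connection request and matches no session (FIN/ACK probes) is dropped."""

    def __init__(self):
        self.sessions = set()   # (proto, inside ip, inside port, outside ip, outside port)

    @staticmethod
    def _key(p: Packet) -> tuple:
        if p.direction == "out":
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> str:
        key = self._key(p)
        if p.direction == "in" and key in self.sessions:
            if p.flags & {"FIN", "RST"}:
                self.sessions.discard(key)   # peer is closing the session
            return "accept"
        if p.direction == "in" and p.proto == "tcp" and p.flags != {"SYN"}:
            return "drop"   # no session for this FIN/ACK to belong to
        verdict = first_match(p, STATEFUL_RULES)
        if verdict == "accept" and p.direction == "out":
            self.sessions.add(key)
        return verdict


# Constructed traffic: a web session's request and reply, a FIN probe, a
# spoofed inbound packet and an inbound ping.
SAMPLE = {
    "out_syn": Packet("out", "tcp", "172.16.5.10", "203.0.113.7", 40000, 80, frozenset({"SYN"})),
    "in_synack": Packet("in", "tcp", "203.0.113.7", "172.16.5.10", 80, 40000, frozenset({"SYN", "ACK"})),
    "in_fin_probe": Packet("in", "tcp", "198.51.100.9", "172.16.5.10", 31337, 40001, frozenset({"FIN"})),
    "in_spoofed": Packet("in", "tcp", "172.16.9.9", "172.16.5.10", 1234, 40002, frozenset({"SYN"})),
    "in_icmp": Packet("in", "icmp", "198.51.100.9", "172.16.5.10"),
}


def compare(packets=SAMPLE) -> dict:
    """Run the packets in order through both devices: name -> (router, stateful)."""
    fw = StatefulFirewall()
    return {name: (packet_filter(p), fw.filter(p)) for name, p in packets.items()}


if __name__ == "__main__":
    for name, (router, stateful) in compare().items():
        print(f"{name:13} router={router:7} stateful={stateful}")
```

Running it shows the trade the stateless device makes: to let replies to outbound sessions back in, it has to permit inbound TCP to the high client ports, which is exactly where the FIN probe lands. The stateful device accepts the reply because it remembers the outbound SYN, and drops the probe because no session exists for it; both devices drop the spoofed packet and the ICMP on the header alone.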

  24. Firewall Policy Implementation

Given a set of policies, create a rule set that implements the policies. Three primary considerations:
1. The types of services and sessions that are allowed across the firewall - provided by the protected network.
2. The policy requirements for cryptographic services.
3. The topology of the network being protected (i.e., the configuration of the network being protected).
Each of these will influence the rule set implemented on the firewall.

  25. Firewall Rules - Typical Content Structure

1. Rule number - specifies the order in which the firewall tests and enforces the specified rules. Because the first matching rule decides, a specific rule must be placed before any broader rule that would also match its traffic.
2. Source - specifies the allowable source addresses for the rule.
3. Destination - specifies the allowable destination addresses for the rule.
4. Service - specifies the protocol covered by the rule.
5. Action - specifies the action to take.
6. Tracking - specifies logging and alerting action for the rule.
7. Device - specifies the devices the rule applies to.
8. Time - specifies the time period for which the rule applies.
The source and destination addresses specify the origin and ultimate destination of a particular packet for the service specified.
Actions include: accept; reject and notify; drop with no notify; authenticate the client; encrypt; decrypt.

  26. An Example Rule Set

No.  Source            Dest              Service       Action       Track  Install On  Time
1    Any               F/W               Any           Drop         Long   Gateway     Any
2    Any               e-mail            smtp          Accept       Short  Gateway     Any
3    Any               web               http          Accept       Short  Gateway     Any
4    Any               web pool          http          Accept       Short  Gateway     Any
5    loc_net, rem_net  rem_net, loc_net  Encrypt       Encrypt      Short  Gateway     Any
6    Any               loc_net           ftp           Client auth  Long   Gateway     Any
7    loc_net           Any               http: filter  Drop         Short  Gateway     Any
8    rem_net           Any               http: scan    Accept       Short  Gateway     Any
9    loc_net           Any               Any           Accept       Short  Gateway     Any
10   Any               Any               Any           Drop         Long   Gateway     Any

  27. Rule Definitions

1. Stealth rule - blocks all traffic destined for the firewall itself - intended to make the firewall invisible.
2. In-bound e-mail allowed to pass; virus scanning of mail is handled elsewhere - possibly on the mail server or at the desktop.
3. Primary external web site - allows access from anywhere - public.
4. More web servers - allows load balancing between the servers.
5. VPN rule that does firewall-to-firewall encryption to/from a local or remote network.
6. Requires client authentication for FTP traffic.
7. Rejects out-bound traffic to the web servers specified in the filter.
8. All arriving traffic is subject to scanning for viruses.
9. Allows all out-bound traffic not already matched by an earlier (lower-numbered) rule, such as rule 7.
10. Default rule - all else is prohibited.

  28. Firewall Components

Hardware is typically a relatively high performance server.
Inspection engine - examines packets:
Packet parser - looks at header fields
State table - maintains state information
Compares packet and current state to rule set
Accepts/rejects packets
Creates log entries
Database:
Rule set
Network objects, users, servers
Audit log files

  29. Firewall Components (more)

Interface:
Policy editor - rule creation
System status
Log viewer
Services:
Client, user, session, application, authentication
Network Address Translation - hides internal addresses
Control & monitor local firewalls - may be more than one
Firewall load balancing - including hot failover

  30. Proxy Firewalls

Also called application gateways - makes decisions based on application information contained in the packet. Like any proxy, the firewall sits between client and server: it terminates the client's connection and, if policy allows, opens its own connection to the server on the client's behalf, so no packet passes directly between the two. Requires a proxy per application - commonly available for widely used applications (e.g., HTTP, FTP, mail, telnet, etc.). Other applications require a specially designed and programmed proxy.
+ Better security is possible since the proxy works at the application level.
- Each application requires a separate proxy.
- Limited scalability.
- Performance is the biggest problem - CPU intensive.

  31. Proxy Firewalls

(Diagram: the user perceives a direct connection from the client to the real server; the actual connections are client to proxy server, and proxy server to the external host.)

  32. Remote Access Servers (RAS)

Provides protected remote access services for dial-up, dedicated, or Internet connections - this capability is also found in some firewalls.
The two most common standards are:
Remote Authentication Dial-In User Service (RADIUS)
Terminal Access Controller Access Control System (TACACS)
Components:
Central server for authentication & authorization, separated from the actual communications path for performance
Authenticates to a server located on the internal network
Uses standard protocols (RFC 2058 - RADIUS, since superseded by RFC 2865; RFC 1492 - TACACS)

  33. Remote Access Servers (RAS)

Support multiple authentication methods:
Clear-text passwords - not a good idea
One-time passwords - like S/Key
Two-factor tokens (e.g., smart cards)
Support the standards-based PPP authentication protocols:
Password Authentication Protocol (PAP) - sends the password in clear text
Challenge Handshake Authentication Protocol (CHAP) - sends a hash of a challenge and the shared secret rather than the password itself, but the server must keep the secret in recoverable form
Widely used.

  34. Password Crackers

Passwords can be created by end-users and/or by an automatic password generating system. If end users create them, you depend on users behaving according to policy and have no automatic way to enforce strong passwords. Cracking tools are important if users generate passwords.
It is not always possible to use automated generators. There must be some mechanism that forces the user to enter a password before accessing the network or system resources. Windows and newer Macs support a network logon; on Unix it depends on the configured authentication service (e.g., NIS or Kerberos).
In any case, it is useful to test real passwords with real cracking tools, which are widely available on the Internet.

  35. Eliminate Reusable Passwords

A good practice, but difficult to implement in the real world. For example, most database systems include an internal log-in process that is part of the database management system. In most cases, this process does not support one-time or encrypted passwords. Ideally, the database should support, in addition to its internal passwords, the option to call a password moderator - some external server that performs the authentication independently of the application and simply returns a pass/fail response.

  36. Use of Encryption

Use encryption for the storage and transmission of sensitive information. This is particularly important for portable devices that are easily lost or stolen (e.g., laptops, PDAs). Encrypt passwords sent over a network - better yet, use one-time passwords as suggested in the previous slide.

  37. Employ Vulnerability Scanners

Discussed earlier.

  38. Employ Configuration Management

Every organization should establish a configuration management policy. Vulnerabilities are often re-introduced when software components (operating systems, applications, services, utilities, etc.) are upgraded or modified. One form of policy would be to require a vulnerability scan following system changes.

  39. War Dialing

Most computers can be equipped with modems, and modems can be configured for auto-answer - this can provide a path around an enterprise firewall or protected remote access system. Auto-answer means a caller can dial up the modem and establish a remote connection that provides full access (e.g., a remote shell).
A war dialer is an attack tool that automatically dials a programmed block of telephone numbers. On answer, it listens for a modem carrier. If a modem is detected, the war dialer attempts to log in to the machine, often with success.

  40. War Dialing

Tools - The Hacker's Choice Scan (THC-Scan):
Dials user-selected blocks of numbers (linear/random options).
Automatically detects modem speed, data bits, parity, and stop bits.
Attempts to determine the operating system of the victim.
Tries default/unprotected passwords of common remote access packages (e.g., pcAnywhere).
Security response:
Policy that auto-answer modems be disabled.
If necessary, protect auto-answer modems with strong authentication.
Scan the enterprise from outside (its telephone blocks as well as its network) on a regular basis.

  41. Track Security Advisories

  42. Intrusion Detection

A technology in its infancy - little is automated, much is left to the hard work of manually digging through reams of data - but a high priority.
Purpose:
Detect attacks/penetration - the obvious reason.
Recover from successful attacks (need to know what has to be fixed).
Damage assessment (how bad - # of systems, etc.).
Despite limitations, detection in depth (layered) is the best course:
Level 0 - System logs - audit trail approach
Level 1 - Firewall detection and alert - audit trail + threshold
Level 2 - Host detection - anomaly detection
Level 3 - Dedicated intrusion detection system - misuse detection
Combinations of the above are often used.

  43. Intrusion Detection - Definitions

Taxonomy of methods - based on the source of intrusion data:
Host-based - data from a single host computer
Multi-host-based - data from multiple hosts
Network-based - data based on the content of network packets
Combinations - host & network methods
Intrusion detection models:
Anomaly analysis - activity different from the norm or expected behavior of a system - usually host-based
Signature-based - activity that corresponds to known intrusion signatures and/or system vulnerabilities - usually network-based
Protocol-based - like signature-based, but the traffic is first decoded according to the protocol it carries, so signatures are matched against parsed fields and violations of the protocol itself can also be flagged - a more in-depth analysis

  44. Intrusion Detection - Characteristics of Effective Systems

1. The IDS runs continuously without human intervention.
2. The IDS resists subversion - self-monitoring or hiding.
3. Minimal overhead - unobtrusive, low performance penalty.
4. Difficult to fool:
Few false positives - doesn't cry wolf
Few false negatives - doesn't miss bad guys
5. Easy to use - install, configure, operate.
6. Products frequently updated with the latest information (like the virus problem).
Few, if any, products have all these characteristics - in most cases they don't even come close. This is a very immature technology area!

  45. Intrusion Detection

One of the issues is where to set priorities. First detection is often possible at the external network router and/or firewall - a good case for more diligence here.
Some attacks are very obvious - a half-open SYN port scan of one IP address over a range of port numbers.
Some are not - the same scan spread over several days with spoofed source port and IP addresses - usually below the firewall detection threshold - called the low and slow scan - only requires patience on the part of the attacker - still gets all the data.
This only illustrates the difficulty for the IDS designer.

  46. Intrusion Detection - Logs

Logs - technically easy, socially difficult (who wants to look at logs?).
Logs exist at many levels - router, firewall, server, workstation (NT).
Trouble is, logs are highly variable in content, format, and viewing - in most cases they are not well formatted or easy to use.
In addition, logs can be erased by the attacker following a successful intrusion. Serious logs should be written to write-once media (CD) or forwarded to a separate, hardened log host that the compromised system cannot modify; hiding them under non-standard names and/or locations only slows a determined attacker.
Log retention is also problematic, since logs become large very quickly and can consume lots of storage space. We have needed to go back over a year in the logs in a couple of cases to detect the onset of a scan that became an attack and later an exploit.

  47. Intrusion Detection - Firewall

Easily detected:
Port scans - many connect attempts on a wide variety of ports.
Service scans - many connect attempts on a single destination port but many machines (frequently every address in the network address space).
Example firewall log (date/time masked):
Date/Time  Act   Pro  Source         Dest IP         SrcPort  DstPort  Reason
* / *      drop  tcp  195.68.23.180  172.16.101.37   18162    sunrpc   rule 17
* / *      drop  tcp  195.68.23.180  172.16.101.38   18163    sunrpc   rule 17
* / *      drop  tcp  195.68.23.180  172.16.101.39   18164    sunrpc   rule 17
* / *      drop  tcp  195.68.23.180  172.16.101.40   18165    sunrpc   rule 17
* / *      drop  tcp  195.68.23.180  172.16.101.61   18210    sunrpc   rule 17
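The two patterns above (a service scan across many hosts, a port scan across many ports) can be pulled out of a firewall's drop log mechanically. The following is an added example, not from the original slides: it parses lines in the shape of the log above and counts distinct targets per source inside a time window, which also shows why the "low and slow" variant from an earlier slide stays under the threshold. The sunrpc lines reuse the slide's addresses with invented timestamps; the remaining log lines, the date format and the thresholds are constructed for the example.

```python
"""Scan detection over firewall drop logs (added example).

Parses log lines in the shape shown on the slide (date, time, action,
protocol, source, destination, source port, destination port, reason) and
applies two heuristics: a service scan is one source hitting the same
destination port on many hosts; a port scan is one source hitting many ports
on one host. Both are counted inside a time window. The log lines and the
date format are constructed (the slide masks its timestamps).
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class Entry(NamedTuple):
    when: datetime
    action: str
    proto: str
    src: str
    dst: str
    sport: str
    dport: str    # may be a service name ("sunrpc") rather than a number
    reason: str


def parse_line(line: str) -> Entry:
    fields = line.split()
    date, time, action, proto, src, dst, sport, dport = fields[:8]
    when = datetime.strptime(f"{date} {time}", "%d%b%Y %H:%M:%S")
    return Entry(when, action, proto, src, dst, sport, dport, " ".join(fields[8:]))


def detect_scans(lines, threshold=5, window_hours=1.0):
    """Return sorted (kind, source, fixed target) alerts: kind is "service"
    (fixed target = port, many hosts) or "port" (fixed target = host, many
    ports). An alert fires when the distinct targets probed from one source
    within the window reach `threshold`."""
    window = timedelta(hours=window_hours)
    entries = [parse_line(l) for l in lines if l.strip()]
    groups = defaultdict(list)   # (kind, src, fixed) -> [(time, varying target)]
    for e in entries:
        if e.action != "drop":
            continue   # only blocked probes count; accepted traffic is policy
        groups[("service", e.src, e.dport)].append((e.when, e.dst))
        groups[("port", e.src, e.dst)].append((e.when, e.dport))
    alerts = set()
    for (kind, src, fixed), seen in groups.items():
        for when, _ in seen:
            recent = {target for t, target in seen if when - window <= t <= when}
            if len(recent) >= threshold:
                alerts.add((kind, src, fixed))
                break
    return sorted(alerts)


# Constructed log: the slide's sunrpc service scan with invented timestamps,
# an accepted mail connection, a fast port scan of one host, and the same
# sunrpc sweep repeated "low and slow" from another source over five days.
SAMPLE_LOG = """\
12Jan2000 03:14:07 drop tcp 195.68.23.180 172.16.101.37 18162 sunrpc rule 17
12Jan2000 03:14:07 drop tcp 195.68.23.180 172.16.101.38 18163 sunrpc rule 17
12Jan2000 03:14:08 drop tcp 195.68.23.180 172.16.101.39 18164 sunrpc rule 17
12Jan2000 03:14:08 drop tcp 195.68.23.180 172.16.101.40 18165 sunrpc rule 17
12Jan2000 03:14:09 drop tcp 195.68.23.180 172.16.101.61 18210 sunrpc rule 17
12Jan2000 03:20:01 accept tcp 203.0.113.8 172.16.101.5 33012 smtp rule 2
12Jan2000 04:02:10 drop tcp 198.51.100.23 172.16.101.12 4411 ftp rule 17
12Jan2000 04:02:10 drop tcp 198.51.100.23 172.16.101.12 4412 ssh rule 17
12Jan2000 04:02:11 drop tcp 198.51.100.23 172.16.101.12 4413 telnet rule 17
12Jan2000 04:02:11 drop tcp 198.51.100.23 172.16.101.12 4414 smtp rule 17
12Jan2000 04:02:12 drop tcp 198.51.100.23 172.16.101.12 4415 http rule 17
10Jan2000 22:41:33 drop tcp 203.0.113.5 172.16.101.37 51001 sunrpc rule 17
11Jan2000 23:05:12 drop tcp 203.0.113.5 172.16.101.38 51002 sunrpc rule 17
13Jan2000 01:17:45 drop tcp 203.0.113.5 172.16.101.39 51003 sunrpc rule 17
14Jan2000 02:30:09 drop tcp 203.0.113.5 172.16.101.40 51004 sunrpc rule 17
15Jan2000 00:12:58 drop tcp 203.0.113.5 172.16.101.61 51005 sunrpc rule 17
""".splitlines()


if __name__ == "__main__":
    print("1 hour window:", detect_scans(SAMPLE_LOG))
    print("7 day window: ", detect_scans(SAMPLE_LOG, window_hours=24 * 7))
```

With the one-hour window the fast sunrpc sweep and the port scan of 172.16.101.12 are reported and the five-day sweep from 203.0.113.5 is not; widening the window to a week catches it, at the cost of holding a week of drop records per source. Note that the grouping is by source address, so a scanner that spoofs its source on every probe, as the low-and-slow slide describes, defeats this heuristic entirely; only the per-destination view (many sources hitting one port on many hosts) is left.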

  48. Intrusion Detection - Firewall

Harder to detect:
Low and slow attacks with spoofed IP & port addresses.
Reverse connection attacks - like XDM. XDM is the X Window System display manager; it connects back to a server to provide a display and negotiates port numbers. This means users can send out-bound traffic on any port, and it opens up the possibility of an attacker having compromised an internal XDM server and then using it to attack you when you log in.
It is a good idea to deny and log all attempts to use out-bound ports except for known protocols, to avoid hijacked sessions.

  49. Intrusion Detection - Host

The most prominent method is anomaly detection, which compares observed activity to expected normal usage patterns based on organizational policy (rules) and historical statistical data. For example:
Threshold monitoring: # failed login attempts/time, # logins at unusual times (e.g., day of the week, hour of the day).
User profiling: specific behavior of a user.
Resource profiling: accounts used, servers used, protocols, executables used (e.g., Word, Excel, Powerpoint).
The main idea is to develop a pattern of use and, on a significant deviation, increase logging and set alerts. Very difficult to do well - not widely used.
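The threshold monitoring and user profiling named above can be put together in a small host-side detector. The following is an added example, not from the original slides: a per-user profile of normal hours and source hosts is learned from a constructed week of authentication records, and a later day's records are scored against a failed-login threshold and against that profile. The record format, the users, the training period and the thresholds are all assumptions made for the example.

```python
"""Host-based anomaly detection: threshold monitoring and user profiling
(added example).

A per-user profile (hours of the day and source hosts seen during a training
period) is learned from constructed authentication records; a later day's
records are then scored with a threshold on failed logins per time window and
with deviation from the profile (login at an unusual hour, login from an
unseen host). Record format, users and thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import NamedTuple


class Login(NamedTuple):
    when: datetime
    user: str
    host: str    # machine the login came from
    ok: bool


def parse(line: str) -> Login:
    """Constructed record format: ISO timestamp, user, source host, ok|fail."""
    ts, user, host, result = line.split()
    return Login(datetime.fromisoformat(ts), user, host, result == "ok")


class Profile:
    """What is normal for one user: hours of the day and hosts seen in training."""

    def __init__(self):
        self.hours = set()
        self.hosts = set()

    def learn(self, login: Login) -> None:
        if login.ok:                     # failures do not define "normal"
            self.hours.add(login.when.hour)
            self.hosts.add(login.host)


def build_profiles(records):
    profiles = defaultdict(Profile)
    for r in records:
        profiles[r.user].learn(r)
    return dict(profiles)


def score(records, profiles, fail_threshold=5, window_minutes=10):
    """Return (kind, user, detail) alerts for a batch of records, in time order."""
    window = timedelta(minutes=window_minutes)
    alerts = []
    failures = defaultdict(deque)   # user -> failure timestamps still inside the window
    tripped = set()                 # users already reported for the threshold
    for r in sorted(records, key=lambda x: x.when):
        if not r.ok:
            q = failures[r.user]
            q.append(r.when)
            while q and r.when - q[0] > window:
                q.popleft()
            if len(q) >= fail_threshold and r.user not in tripped:
                tripped.add(r.user)
                alerts.append(("failed_login_threshold", r.user, r.when.isoformat()))
            continue
        prof = profiles.get(r.user)
        if prof is None:
            alerts.append(("unknown_user", r.user, r.host))
            continue
        if r.when.hour not in prof.hours:
            alerts.append(("unusual_hour", r.user, r.when.isoformat()))
        if r.host not in prof.hosts:
            alerts.append(("unseen_host", r.user, r.host))
    return alerts


def training_records():
    """Constructed week of normal activity, 3-7 Jan 2000 (Monday to Friday)."""
    lines = []
    for day in range(3, 8):
        for hour in (8, 9, 13, 17):
            lines.append(f"2000-01-{day:02d}T{hour:02d}:00:00 alice ws-alice ok")
        for hour in (9, 16):
            lines.append(f"2000-01-{day:02d}T{hour:02d}:30:00 bob ws-bob ok")
    return [parse(l) for l in lines]


# Constructed test day: a 3 a.m. login, a guessing run against bob, a login
# from an unfamiliar host, and an account the profiles have never seen.
TEST_DAY = """\
2000-01-10T09:02:11 alice ws-alice ok
2000-01-10T03:12:40 alice ws-alice ok
2000-01-10T13:15:05 alice dialup-17 ok
2000-01-10T11:00:01 bob ws-bob fail
2000-01-10T11:00:20 bob ws-bob fail
2000-01-10T11:00:41 bob ws-bob fail
2000-01-10T11:01:03 bob ws-bob fail
2000-01-10T11:01:25 bob ws-bob fail
2000-01-10T11:01:50 bob ws-bob fail
2000-01-10T14:00:00 mallory ws-alice ok
2000-01-10T16:30:00 bob ws-bob ok
""".splitlines()


def run():
    profiles = build_profiles(training_records())
    return score([parse(l) for l in TEST_DAY], profiles)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The threshold check fires once per user, on the fifth failure inside the window, and the profile checks only look at successful logins; alice's 9 a.m. login from her usual workstation and bob's 4:30 p.m. login produce nothing. The weakness the slide points to is visible in the training step: the profile is only as good as the period it was learned from, so an attacker active during training becomes part of "normal".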

  50. Intrusion Detection - Network

By far the most common method - many COTS packages.
Current issue - pattern search versus protocol analysis.
Pattern search is based on pure signature detection - a database of signature strings is created and an analysis engine examines the traffic and searches for offending signatures - like virus scanning.
Protocol analysis digs deeper by parsing the traffic by protocol and then looking for offending signatures in the decoded fields.
Both have problems, but the tradeoffs include:
complexity versus speed
false positives versus missed events
