Intrusion detection system ids
Download
1 / 84

Intrusion Detection System (IDS) - PowerPoint PPT Presentation


  • 89 Views
  • Uploaded on

Intrusion Detection System (IDS). Outlines Host-base IDS – Tripewire Network IDS – Snort How to defeat an IDS. Intrusion Detection System (IDS). Host-base IDS – Tripewire

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Intrusion Detection System (IDS)' - ella


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Intrusion detection system ids
Intrusion Detection System (IDS)

Outlines

  • Host-base IDS – Tripewire

  • Network IDS – Snort

  • How to defeat an IDS


Intrusion detection system ids1
Intrusion Detection System (IDS)

Host-base IDS – Tripewire

Tripwire is a very popular system integrity checker, a utility that compares properties of designated files and directories against information stored in a previously generated database. Any changes to these files are flagged and logged, including those that were added or deleted,with optional email and pager reporting. Support files (databases, reports, etc.) are cryptographically signed.


Intrusion detection system ids2
Intrusion Detection System (IDS)

Host-base IDS – Tripewire

Lab 7: install tripewire IDS to monitor the the integrity of the data of your hosts


Intrusion detection system ids3
Intrusion Detection System (IDS)

Network IDS – Snort

Snort is a lightweight network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more


Intrusion detection system ids4
Intrusion Detection System (IDS)

Network IDS – Snort

Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plugin architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user specified file, a UNIX socket, or WinPopup messages to Windows clients using Samba's smbclient.


Intrusion detection system ids5
Intrusion Detection System (IDS)

Network IDS – Snort

Snort has three primary uses. It can be used as a straight packet sniffer like tcpdump(1), a packet logger (useful for network traffic debugging, etc), or as a full blown network intrusion detection system.


Intrusion detection system ids6
Intrusion Detection System (IDS)

Network IDS – Snort

snort is a very flexible tool. You can customize the rulesets to suit your needs. We have just give you a very simple introduction in this workshop. For more details of rule setting, you should go to http://www.snort.org/docs/writing_rules/


Intrusion detection system ids7
Intrusion Detection System (IDS)

Network IDS – Snort

Lab7: Install a snort IDS on your host and use nessus network scanner to test your snort IDS


Intrusion detection system ids8
Intrusion Detection System (IDS)

How to defeat a Network IDS

  • Insertion Attack

    Insert packets that the end-point server will ignore but picked up by IDS as vaild packets. An attacker can use insertion attacks to defeat signature analysis, allowing her to slip attacks past an IDS.


Intrusion detection system ids9
Intrusion Detection System (IDS)

How to defeat a Network IDS

  • Insertion Attack

    E.G.The signature of the php attack may be something like ``GET /cgi-bin/phf?''. We may insert extra packets such the IDS detect the packets as

    ``GET /cgi-bin/pleasedontdetecttthisforme?'' while the end-point server still read as

    ``GET /cgi-bin/phf?''


Intrusion detection system ids10
Intrusion Detection System (IDS)

How to defeat a Network IDS

  • Insertion Attack


Intrusion detection system ids11
Intrusion Detection System (IDS)

How to defeat a Network IDS

  • Insertion Attack

    Techniques:

    • Using Invalid Sequence no. Most IDS do not check sequence no. Invalid sequence no. packets are reject by end-point servers but may be picked up by these IDS


Intrusion detection system ids12
Intrusion Detection System (IDS)

How to defeat a Network IDS

  • Insertion Attack

    Techniques:

    • Using incorrect TCP checksum.Most IDS do not check TCP checksums. Incorrect TCP checksum packets are reject by end-point servers but may be picked up by these IDS


Intrusion detection system ids13
Intrusion Detection System (IDS)

How to defeat a Network IDS

  • Insertion Attack

    Techniques:

    • Using incorrect TCP checksum.Most IDS do not check TCP checksums. Incorrect TCP checksum packets are reject by end-point servers but may be picked up by these IDS


Intrusion detection system ids14
Intrusion Detection System (IDS)

How to defeat a Network IDS

  • Insertion Attack

    Techniques:

    • Using short TTL.If the IDS sit on the network have many hops away from the end-point servers, short TTL packets will be dropped before they reach the end-point servers. We can just tune the insert packet TTL such that they can pass the IDS but are dropped before the end-point servers.


Intrusion detection system ids15
Intrusion Detection System (IDS)

How to defeat a Network IDS

  • Insertion Attack

    Techniques:

    • Using short TTL


Intrusion detection system ids16
Intrusion Detection System (IDS)

How to defeat a Network IDS

  • Evasion Attack

    An end-system can accept a packet that an IDS rejects. An IDS that mistakenly rejects such a packet misses its contents entirely.

    E.G.The packets of ``GET /cgi-bin/phf?''may show as ``GET /gin/f'' in IDS detection


Intrusion detection system ids17
Intrusion Detection System (IDS)

How to defeat a Network IDS

  • Evasion Attack


Intrusion detection system ids18
Intrusion Detection System (IDS)

How to defeat a Network IDS

  • Evasion Attack

    Techniques

    • Some IDS can only keep track of one host/port connection at a time. Flood the target port with non-existent SNY packet first so that these IDS ignore our real connection afterwards


Intrusion detection system ids19
Intrusion Detection System (IDS)

How to defeat a Network IDS

  • Evasion Attack

    Techniques

    • IP Fragmentation

      Sending out fragment packets out of orderSome IDS assume the fragment packets arrive in order. They just reassemble the data as soon as the marked final fragment arrives. Sending out fragment packets out of order may fool these IDS


Intrusion detection system ids20
Intrusion Detection System (IDS)

How to defeat a Network IDS

  • Evasion Attack

    Techniques

    • Sending overlapping fragment packetsThere may be a gap between the IDS and end-point server handling overlapping fragment. If the IDS does not handle overlapping fragments in a manner consistent with the systems it watches, it may, given a stream of fragments, reassemble a completely different packet than an end system in receipt of the same fragments.


Firewall
Firewall

Outlines

  • Variations on Firewall Architecture

  • Setting up network layer Firewalls

  • Firewall log

  • Setting private network with NAT


Firewall1
Firewall

Firewall

In brief, a firewall is typically the first line of defense for any Internet-connected network. What a firewall does and how it behaves depends on what level it operates on. (Those familiar with the OSI model will understand this.) Firewalls generally operate at the network layer (IP), or the application layer, such as HTTP proxies.


Firewall2
Firewall

Firewall


Lab 12b firewall
Lab 12B: Firewall

Firewall

Those firewalls at the network layer are often called screening routers. A screening router examines the IP header on each incoming (and possibly outgoing) datagram and determines whether or not it should pass. It makes this determination by comparing key fields such as the source and destination addresses to the policy set by the administrator. Most screening routers will also examine the packet at the next layer (the transport layer), which allows you to create policies based on TCP or UDP port, or ICMP type and code.


Firewall3
Firewall

Firewall

Firewalls at the application layer are called gateways or proxies, and are designed to understand protocols at this level, such as HTTP or telnet. Application gateways are useful because they can offer very high level control over traffic, and so they are in some ways more secure than screening routers. For example, an application gateway may choose to filter all HTTP POST commands. Most importantly, gateways can maintain logging specific to application layer protocols. A paranoid (and privacy-ignorant) company may choose to have all mail pass through a gateway to log the To, From, and Subject fields of the header, for instance.


Firewall4
Firewall

Variations on Firewall Architecture

  • Single layer firewall architecture

  • Two layer firewall architecture

  • Merged interior and exterior firewall architecture

  • Two layer firewall architecture with two internal network

  • Two layer firewall architecture with merged bastion host and exterior firewall


Firewall5
Firewall

Bastion host

A system exposed to the Internet that is expected to come under thorough attack. The term contrasts those hosts that are inside a firewall's protection.

DMZ (Demilitarized Zone)

In firewalls, a DMZ is an area that is mostly public to the Internet. This is where a companies web, e-mail, and DNS servers are located. A DMZ often has some limited protection, but since it is very exposed to the Internet, the assumption is that the machines in the zone will eventually be compromised. Therefore, the machines often have as little connectivity to the private network as any other machine from the Internet.


Firewall6
Firewall

Type A: Single layer firewall architecture


Lab 12b firewall1
Lab 12B: Firewall

Type B: Two layer firewall architecture


Firewall7
Firewall

Type C: Merged interior and exterior firewall architecture


Firewall8
Firewall

Type D: Two layer firewall architecture with two internal network


Firewall9
Firewall

Type E: Two layer firewall architecture with merged bastion host and exterior firewall


Firewall10
Firewall

Lab 8: Deploy firewall on your host using ipchains


Firewall11
Firewall

Linux firewall log

All the traffic going through the firewall is part of a connection. A connection consists of the pair of IP addresses that are talking to each other, as well a pair of port numbers. The destination port number often indicates the type of service being connected to. When a firewall blocks a connection, it will save the destination port number to its logfile.


Firewall12
Firewall

Linux firewall log

Here is an example:

Packet log: input DENY eth0 PROTO=17 192.168.2.1:53 192.168.1.1:1025 L=34 S=0x00 I=18 F=0x0000 T=254

  • `input' is the chain which contained the rule which matched the packet, causing the log message.

  • `DENY' is what the rule said to do to the packet. If this is `-' then the rule didn't effect the packet at all (an accounting rule).

  • `eth0' is the interface name. Because this was the input chain, it means that the packet came in `eth0'.

  • `PROTO=17' means that the packet was protocol 17. A list of protocol numbers is given in `/etc/protocols'. The most common are 1 (ICMP), 6 (TCP) and 17 (UDP).


Firewall13
Firewall

Linux firewall log

Here is an example:

Packet log: input DENY eth0 PROTO=17 192.168.2.1:53 192.168.1.1:1025 L=34 S=0x00 I=18 F=0x0000 T=254

  • `192.168.2.1' means that the packet's source IP address was 192.168.2.1.

  • `:53' means that the source port was port 53. Looking in `/etc/services' shows that this is the `domain' port (ie. this is probably an DNS reply). For UDP and TCP, this number is the source port. For ICMP, it's the ICMP type. For others, it will be 65535.

  • `192.168.1.1' is the destination IP address.


Firewall14
Firewall

Linux firewall log

Here is an example:

Packet log: input DENY eth0 PROTO=17 192.168.2.1:53 192.168.1.1:1025 L=34 S=0x00 I=18 F=0x0000 T=254

  • `:1025' means that the destination port was 1025. For UDP and TCP, this number is the destination port. For ICMP, it's the ICMP code. For others, it will be 65535.

  • `L=34' means that packet was a total of 34 bytes long.

  • `S=0x00' means the Type of Service field (divide by 4 to get the Type of Service as used by ipchains).

  • `I=18' is the IP ID.


Firewall15
Firewall

Linux firewall log

Here is an example:

Packet log: input DENY eth0 PROTO=17 192.168.2.1:53 192.168.1.1:1025 L=34 S=0x00 I=18 F=0x0000 T=254

  • `F=0x0000' is the 16-bit fragment offset plus flags. A value starting with `0x4' or `0x5' means that the Don't Fragment bit is set. `0x2' or `0x3' means the `More Fragments' bit is set; expect more fragments after this. The rest of the number is the offset of this fragment, divided by 8.


Firewall16
Firewall

Linux firewall log

Here is an example:

Packet log: input DENY eth0 PROTO=17 192.168.2.1:53 192.168.1.1:1025 L=34 S=0x00 I=18 F=0x0000 T=254

  • `T=254' is the Time To Live of the packet. One is subtracted from this value for every hop, and it usually starts at 15 or 255.

  • `(#5)' there may be a final number in brackets on more recent kernels (perhaps after 2.2.9). This is the rule number which caused the packet log.


Firewall17
Firewall

Linux firewall log

Here is another example:

Feb 26 11:15:56 iegatea0 kernel: Packet log: input DENY eth0 PROTO=6 200.223.111.242:1956 137.189.97.67:25 L=60 S=0x60 I=59731 F=0x4000 T=42 SYN (#77)

The TCP SYN packet of the SMTP (port 25) access to the host 137.189.97.67 from the host 200.223.111.242 client port 1956 was blocked by the ipchains rule #77


Firewall18
Firewall

Linux firewall log

Port numbers are divided into three ranges:

  • The Well Known Ports are those from 0 through 1023. These are tightly bound to services, and usually traffic on this port clearly indicates the protocol for that service. For example, port 80 virtually always indicates HTTP traffic.

  • The Registered Ports are those from 1024 through 49151. These are loosely bound to services, which means that while there are numerous services "bound" to these ports, these ports are likewise used for many other purposes. For example, most systems start handing out dynamic ports starting around 1024.


Firewall19
Firewall

Linux firewall log

Port numbers are divided into three ranges:

  • The Dynamic and/or Private Ports are those from 49152 through 65535. In theory, no service should be assigned to these ports.

    In reality, machines start assigning "dynamic" ports starting at 1024. We also see strangeness, such as Sun starting their RPC ports at 32768.

    For a complete complete list of port info, you may refer

    http://www.iana.org/assignments/port-numbers


Firewall20
Firewall

Setting private network with IP Masquerade

IP Masquerade is a networking function in Linux similar to the one-to-many (1:Many) NAT (Network Address Translation) servers found in many commercial firewalls and network routers.


Firewall21
Firewall

Setting private network with IP Masquerade

MASQ allows a set of machines to invisibly access the Internet via the MASQ gateway. To other machines on the Internet, the outgoing traffic will appear to be from the IP MASQ Linux server itself. In addition to the added functionality, IP Masquerade provides the foundation to create a HEAVILY secured networking environment. With a well built firewall, breaking the security of a well configured masquerading system and internal LAN should be considerably difficult to accomplish.


Firewall22
Firewall

Setting private network with IP Masquerade


Firewall23
Firewall

Setting private network with IP Masquerade

EG.

/sbin/ipchains -A forward -s 192.168.0.0/16 -j MASQ

This setting will allow all the clients in the private network 192.168.0.0/16 to have IP masquerade in Linux Masquerade gateway


Firewall24
Firewall

Setting private network with iptable NAT

Linux iptable provides two different types of NAT: Source NAT (SNAT) and Destination NAT (DNAT).

  • Source NAT is when you alter the source address of the first packet: ie. you are changing where the connection is coming from. Masquerading is a specialized form of SNAT.

  • Destination NAT is when you alter the destination address of the first packet: ie. you are changing where the connection is going to. Port forwarding, load sharing, and transparent proxying are all forms of DNAT.


Firewall25
Firewall

Setting private network with iptable NAT

Example of source NAT:

## Change source addresses to 1.2.3.4. #

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4

Example of destination NAT:

## Change destination addresses to 5.6.7.8 #

iptables -t nat -A PREROUTING -i eth1 -j DNAT --to 5.6.7.8


Network address translation nat
Network Address Translation (NAT)

(Linux calls it masquerading)

10.42.6.9

35.9.20.20

NAT

Client

Server


Nat pro con
NAT Pro/Con

  • Pro

    • Enforces control over outbound connections

    • Dynamic translation is more restrictivechanged mapping increases attack difficulty

    • Conceals internal configuration

  • Con

    • Dynamic translation requires maintaining state (how long to keep connection open?)

    • Interferes with some encryption schemes

    • Dynamic translation interferes with logging

    • Dynamic translation of ports can interfere with filtering


Firewall

Your network

Evil Hackers



Firewalls can be your connection to the Internet. As a prerequisite to this course you already know about networking, but it is worthwhile to look at the interface to the Internet with respect to security.


Typical network stack
Typical Network Stack prerequisite to this course you already know about networking, but it is worthwhile to look at the interface to the Internet with respect to security.

  • Application Layer (FTP, HTTP, SSH, etc.)

  • Transport Layer (TCP, UDP, ICMP)

  • Internet Layer (IP)

  • Network Access Layer (Ethernet, FDDI, etc.)

    (If you have a Novel or AppleShare network, the IP layer will be different.)

    (Carrier Pigeon Network Layer: RFC1149 on 1 April 1990 defines the Avian Transport Protocol)


Packet organization
Packet Organization prerequisite to this course you already know about networking, but it is worthwhile to look at the interface to the Internet with respect to security.

Each layer’s packet organization has a header and data fields.

Each layer treats the information it gets from the layer above it as data, i.e. every layer adds a header.


Encapsulation
Encapsulation prerequisite to this course you already know about networking, but it is worthwhile to look at the interface to the Internet with respect to security.

Application (FTP, HTTP, …)

Data

Header

Transport (TCP,UDP,…)

Header

Internet (IP)

Header

Network (Ethernet)


Ethernet layer
Ethernet Layer prerequisite to this course you already know about networking, but it is worthwhile to look at the interface to the Internet with respect to security.

  • Header:

    • Packet Type, e.g. IP

    • Source Address

      Original source or last router on path

    • Destination Address

      • Final destination or next router

      • Maybe multicast or broadcast

    • Addresses are Media Access Control (MAC)

  • Data is an IP packet


Ip layer
IP Layer prerequisite to this course you already know about networking, but it is worthwhile to look at the interface to the Internet with respect to security.

  • Header

    • IP Source Address, e.g. 35.9.20.20

    • IP Destination Address

    • IP Protocol Type, e.g. TCP, UDP, ICMP

  • Data: TCP packet (or UDP, etc.)

  • FragmentationIf (network max packet size < IP max size) split data into multiple packets (fragments)


Tcp layer
TCP Layer prerequisite to this course you already know about networking, but it is worthwhile to look at the interface to the Internet with respect to security.

  • Header

    • TCP Source Port (2-bytes)

    • TCP Destination Port

    • TCP Flags: designates packet type

      • ACK, SYN, etc.

  • Data: application data, e.g. FTP data


Multicast or broadcast source
Multicast or Broadcast Source prerequisite to this course you already know about networking, but it is worthwhile to look at the interface to the Internet with respect to security.

  • Legitimate use: DHCP request uses a broadcast source since it doesn’t have a valid address

  • Illegitimate use: sending a broadcast source to a single destination will prompt a broadcast reply allowing you to use the destination as a broadcast source

  • Since DHCP isn’t external (normally), block broadcast source


Ip fragmentation
IP Fragmentation prerequisite to this course you already know about networking, but it is worthwhile to look at the interface to the Internet with respect to security.

Prevent fragmentation withpath MTU discovery

  • Maximum Transmission Unit (MTU)

  • Send message with “don’t fragment” set

    If (error returned), decrease sizeelse increase size


Packet filters fragmentation
Packet Filters & Fragmentation prerequisite to this course you already know about networking, but it is worthwhile to look at the interface to the Internet with respect to security.

  • Solution: packet filter only first packet and let non-first packets throughIf you drop the first, a higher level protocol (TCP) will invalidate the rest.

  • Problem #1: destination holds non-first packets waiting for the missing one (until timeout) resulting inDenial of Service!


Packet filter fragmentation
Packet Filter & Fragmentation prerequisite to this course you already know about networking, but it is worthwhile to look at the interface to the Internet with respect to security.

  • Problem #2: attacker carefully constructs overlapping fragments so that non-first packets contain useful information.Overlapping fragments may be reassembled into invalid packets causing the OS to crash.


Packet filter fragmentation1
Packet Filter & Fragmentation prerequisite to this course you already know about networking, but it is worthwhile to look at the interface to the Internet with respect to security.

  • Problem #3: Attacker can get information to otherwise blocked ports by having valid TCP packets in non-first fragments which slip through.


Packet filter fragmentation2
Packet Filter & Fragmentation prerequisite to this course you already know about networking, but it is worthwhile to look at the interface to the Internet with respect to security.

Solutions

  • Fragment reassembly before filtering

    Time consuming

  • Reject all non-first fragments

    May reject otherwise good connections, but they will retransmit.

  • Increased use of MTU is reducing fragmentation


TCP prerequisite to this course you already know about networking, but it is worthwhile to look at the interface to the Internet with respect to security.

TCP is reliable because it guarantees to the application layer:

  • Provide data in order it was sent

  • Provide all data sent

  • Will not provide duplicates

    It will kill a connection before violating any.


Blocking tcp
Blocking TCP prerequisite to this course you already know about networking, but it is worthwhile to look at the interface to the Internet with respect to security.

  • To block a TCP connection, simply block the first packet.

  • The first packet is unique: ACK is not set

    • “start-of-connection” packet

  • Can enforce a policy of only allowing connections to external servers, i.e. deny external connection requests to internal servers


Tcp options
TCP Options prerequisite to this course you already know about networking, but it is worthwhile to look at the interface to the Internet with respect to security.

  • Common TCP Options:

    • ACK (acknowledgement)

    • SYN (synchronize)

    • RST (reset)

    • FIN (finish)

  • 3-way handshake uses ACK & SYN

  • RST & FIN are used to close connections


Tcp options1
TCP Options prerequisite to this course you already know about networking, but it is worthwhile to look at the interface to the Internet with respect to security.

Firewalls use ACK and RST

  • ACK indicates first packet of connection

  • RST tells people to “shut up”without providing a useful error message


Tcp sequence numbers
TCP Sequence Numbers prerequisite to this course you already know about networking, but it is worthwhile to look at the interface to the Internet with respect to security.

  • Sequence numbers allow reconstruction of correct order of packets

  • Supposed to begin with a random number, but often is not random—vulnerability!

  • How to hijack a TCP connection?


Hijacking a tcp connection
Hijacking a TCP Connection prerequisite to this course you already know about networking, but it is worthwhile to look at the interface to the Internet with respect to security.

Attackers needs

  • Ability to forge TCP/IP packets.

  • Initial sequence number

  • Knowledge that a TCP connection has started (but not the ability to see it)

  • When the TCP connection started

  • Ability to redirect responses to you OR continue the conversation without responses to you while achieving your goal

    Thought to be too hard, but exists in the wild.


UDP prerequisite to this course you already know about networking, but it is worthwhile to look at the interface to the Internet with respect to security.

Since UDP does not guarantee reliability there is no uniquely identifiable first packet


ICMP prerequisite to this course you already know about networking, but it is worthwhile to look at the interface to the Internet with respect to security.

Examples

  • Echo Request: send by ping

  • Echo Response

  • Time exceeded (really hops exceeded)

  • Destination unreachable

  • Redirect (router redirected a packet and is telling the sender that a better way exists)


ICMP prerequisite to this course you already know about networking, but it is worthwhile to look at the interface to the Internet with respect to security.

“Destination Unreachable” has codesto indicate reason

The relevant ones are

“Fragmentation Needed” and

“Don’t Fragment”

used for path MTU discovery

Desirable to drop all other “unreachable” replies since they provide useful information to scanners.

Most firewalls do not allow discrimination on ICMP reason.


Icmp attacks
ICMP Attacks prerequisite to this course you already know about networking, but it is worthwhile to look at the interface to the Internet with respect to security.

  • ICMP packets should be very small—large one indicate a problem so filter out large ones.

  • For example, echo packets allow padding which could contain data. Not useful for cracking, but could be used to maintain a connection to a compromised site.


Ip over ip
IP over IP prerequisite to this course you already know about networking, but it is worthwhile to look at the interface to the Internet with respect to security.

  • Encapsulating IP over IP

    • Encrypted traffic

    • Mobile IP (movement with fixed IP)

    • Burying protocol

      • Multicast over non-supporting networks

      • IPv6 over IPv4

    • VPN: virtual private networks

  • Problem: cannot see “actual” IP packet (encrypted) or may not look at it


Low level attacks
Low-level attacks prerequisite to this course you already know about networking, but it is worthwhile to look at the interface to the Internet with respect to security.

  • Port scanning

    • Send SYN without ACK; receives SYN if open or RST if not

    • Send FIN

      • “all options on” = Christmas tree (lights it up)

      • “all options off” = null

      • Either can crash a weak TCP/IP stack


Low level attacks1
Low-level Attacks prerequisite to this course you already know about networking, but it is worthwhile to look at the interface to the Internet with respect to security.

IP Spoofing: Apparent problem: reply not sent to attacker

  • Attacker can intercept reply

  • Attacker doesn’t care to see it (e.g. DoS)

  • Attacker doesn’t want reply: smurf attackredirects response to attack while multiplying replies with broadcast source


Packet filtering pro con
Packet Filtering Pro/Con prerequisite to this course you already know about networking, but it is worthwhile to look at the interface to the Internet with respect to security.

  • Pro

    • One filter can protect an entire network

    • Simple filtering is efficient

    • Widely available

  • Con

    • Not perfect: hard to configure and test

    • Reduces router performance

    • Some security policies cannot be enforced, e.g. block a user


Three main categories of firewalls
Three main categories of firewalls prerequisite to this course you already know about networking, but it is worthwhile to look at the interface to the Internet with respect to security.

  • Network layer firewalls. An example would be iptables.

  • Application layer firewalls. An example would be TCP Wrappers.

  • Application firewalls. An example would be restricting ftp services through /etc/ftpaccess file


Network layer firewalls
Network prerequisite to this course you already know about networking, but it is worthwhile to look at the interface to the Internet with respect to security. layer firewalls

  • operate at a (relatively) low level of the TCP/IPprotocol stack as IP-packet filters, not allowing packets to pass through the firewall unless they match the rules. The firewall administrator may define the rules; or default built-in rules may apply (as in some inflexible firewall systems).

  • A more permissive setup could allow any packet to pass the filter as long as it does not match one or more "negative-rules", or "deny rules". Today network firewalls are built into most computer operating systems and network appliances.

  • Modern firewalls can filter traffic based on many packet attributes like source IP address, source port, destination IP address or port, destination service like WWW or FTP. They can filter based on protocols, TTL values, netblock of originator, domain name of the source, and many other attributes.


Application layer firewalls
Application-layer firewalls prerequisite to this course you already know about networking, but it is worthwhile to look at the interface to the Internet with respect to security.

  • work on the application level of the TCP/IP stack (i.e., all browser traffic, or all telnet or ftp traffic), and may intercept all packets traveling to or from an application. They block other packets (usually dropping them without acknowledgement to the sender). In principle, application firewalls can prevent all unwanted outside traffic from reaching protected machines.

  • By inspecting all packets for improper content, firewalls can even prevent the spread of the likes of viruses. In practice, however, this becomes so complex and so difficult to attempt (given the variety of applications and the diversity of content each may allow in its packet traffic) that comprehensive firewall design does not generally attempt this approach.

  • The XML firewall exemplifies a more recent kind of application-layer firewall.


A proxy device
A proxy device prerequisite to this course you already know about networking, but it is worthwhile to look at the interface to the Internet with respect to security.

  • (running either on dedicated hardware or as software on a general-purpose machine) may act as a firewall by responding to input packets (connection requests, for example) in the manner of an application, whilst blocking other packets.

  • Proxies make tampering with an internal system from the external network more difficult and misuse of one internal system would not necessarily cause a security breach exploitable from outside the firewall (as long as the application proxy remains intact and properly configured). Conversely, intruders may hijack a publicly-reachable system and use it as a proxy for their own purposes; the proxy then masquerades as that system to other internal machines. While use of internal address spaces enhances security, crackers may still employ methods such as IP spoofing to attempt to pass packets to a target network..


ad