Chapter 14: Intrusion Prevention
Objective: Prevent attacks from being successful!
Attack classifications:
• Network scans - attacks intended to identify networks, hosts, and available services - identifies all potential targets.
• Vulnerability scans - attacks intended to identify networks, hosts, and services that are susceptible to specific attacks - reduces the target list to systems with known (to the attacker) weaknesses.
• Password disclosure - attacks intended to reveal passwords - from guessing to social engineering to cracking.
Chapter 14 Intrusion Prevention

Chapter 14: Intrusion Prevention
• Sniffing - attacks that listen to network/system traffic with the intent of picking up usernames, passwords, credit card numbers, etc.
• Denial of service - attacks that deny or limit legitimate users' ability to access a network or a host computer.
• Penetration - attacks intended to gain control of a network or computer.
Attack Data from NIST - 1998 (237 Attacks)
• Statistic: 29% were launched from Windows hosts. Point: An expensive Unix box is not needed (especially true with Linux now widely available on Intel desktops – expect increases!).
• Statistic: 20% of attacks remotely penetrated network elements and/or systems. Point: A significant number are successful.
• Statistic: 3% enabled web sites to attack visitors to the site. Point: Visiting web sites can be hazardous.

Attack Data from NIST - 1998 (237 Attacks)
• Statistic: 5% of attacks are effective against routers and firewalls. Point: These were primarily DoS attacks rather than penetration attacks, but they indicate the fragility of the infrastructure.
• Statistic: 4% were vulnerability scans. Point: Vulnerability scanners are being used to find holes; enterprises had better consider using them as well. The numbers would be worse today.
Dealing with Attacks – Big Picture
• Prevention: Resist attacks by understanding and correcting vulnerabilities.
• Detection: Recognize events that might compromise security (scans, probes, intrusions). These can be pre-attack, during-attack, or post-attack events.
• Response: Recover and restore to mitigate the event - from blocking a suspect event to rebuilding a compromised system.
Where do we apply the measures? On the network and/or the host.

Prevention
• Patching: Maintain the most current patch levels.
• Services: Remove all unnecessary services.
• Virus detection: Use commercial packages at the server and/or host.
• Firewalls: Block undesirable traffic.
• Password crackers: Use the real thing to test your passwords.
• Encryption: Especially of clear-text passwords.
• Vulnerability scanners: Designed to detect known holes.

Prevention
• Configuration management: Get it right, then keep it right.
• War dialing: Scan telephones for answering modems.
• Security advisories: From CERT and others.
• Intrusion detection: Specific signatures.
• Network discovery tools: Map your own network.
• Incident response: Process to invoke on an incident.
• Security policy: Underlying rule set - the basis for everything else.
• Denial of service testing: How would you do?
Patch to Current Revision Levels
One of the first rules of good security practice is to ensure that systems are patched to eliminate all known exploits for which patches are available (this limits exposure to new, zero-day, exploits). Find them by observing the CERT warnings or bulletins and/or visiting the vendor's web site (or using automatic updates). Be careful in upgrades that the upgrade does not undo the fix provided by a previously installed patch.

Patch to Current Revision Levels
It is important to test systems following patching to ensure the patch does not break applications, and to run vulnerability scans to ensure the hole is closed. This was difficult to do in the past, but it is getting better:
• Automatic updates (e.g., Microsoft)
• Corporate updates (Microsoft SUS/WUS)
• No-reboot capability coming
• Rollback coming

Remove Unnecessary Services
Remove all non-essential network services. OS distributions contain a large suite of network services. They are often installed enabled and require explicit action to disable. Too often, users are unaware of services installed on their system and cannot be expected to be effective technical security specialists. Some are, but they are the exception rather than the rule. This condition is not likely to change, so vulnerability scanning is an important capability to implement.
Example Unnecessary Services – Cisco Routers
NSA lists 17 unneeded or rarely needed services, and many are enabled by default. Disable:
• IP source routing – packets specify their own routes.
• IP unreachable notification – the response helps bad guys.
• IP mask reply – another aid to mapping a network.
• Finger – user name lookup.
• IP directed broadcast – can flood a network.

Example Unnecessary Services – Cisco Routers
Either disable or restrict access:
• SNMP – has many vulnerabilities – the best bet is console-only access.
• DNS – the router can resolve cached DNS addresses.
• HTTP server – web interface – don't let a router run this interface without strong authentication.
Source: Router Security Configuration Guide, National Security Agency, at http://nsa2.www.conxion.com
Virus Detection and Eradication
Do it at: the firewall, the server (e.g., e-mail servers), and the user workstation (at least 2 out of 3).
• The user workstation is essential because of media paths to it that circumvent a firewall or mail server.
• The firewall or mail server covers cases where users do not keep local profiles updated.
• In the past 18 months, some 22,000 viruses were rejected at the PNNL network perimeter.

Firewalls – A General Introduction
Purpose: Controls the flow of traffic between networks that have different security policies (e.g., between an enterprise network and the Internet, or between a home computer and an enterprise network). Prevents unwanted traffic from entering or leaving and permits allowable traffic to pass.
Implication: Systems intended to be protected must reside behind the firewall; corollary: all traffic must go through the firewall.
Control is based on policy and implemented by rules that enforce policy.
Firewalls – Fundamentals
Firewall technologies are differentiated by the layer of the TCP/IP or OSI/ISO model where they operate. Recall the TCP/IP layered model with 5 layers:
Layer 5 - Application - examples: e-mail, web services
Layer 4 - Transport (TCP) - TCP port sessions
Layer 3 - Network (IP) - IP addressing
Layer 2 - Data Link (MAC) - Ethernet addressing
Layer 1 - Physical

TCP/IP – Recap of Layered Functions
• Layer 1: Describes the physical wires, connectors, and signaling methods between physical devices.
• Layer 2: Responsible for delivering packets between end points on a Local Area Network (e.g., Ethernet).
• Layer 3: Responsible for delivering packets between network addresses on a Wide Area Network (e.g., the Internet).
• Layer 4: Responsible for identifying specific applications (ports) and for establishing, maintaining, and closing communications sessions between ports.
• Layer 5: The end-application layer (e.g., e-mail, web services).
Firewall Placement - Single Enterprise Firewall (diagram only)

Firewall Placement - Multiple Enterprise Firewalls (diagram only)

Firewall Placement - Personal (host) Firewall (diagram only)
Firewall Protection
• Filters inbound/outbound packets based on source/destination address, protocols (source/destination ports), or patterns of behavior (state).
• Blocks traffic according to policy-based rules.
• Hides information - host names, addresses, network topology, etc.
• Monitors and logs inbound/outbound traffic.

Firewall Protection
• Analyzes traffic for known attack signatures.
• Alarms and/or alerts system administrators.
• Can implement cryptographic services: authentication, encryption, integrity.

Types of Firewalls – Multiple Types
• Firewall per system on the network.
• Packet filtering routers (firewall in the border router).
• Bastion host (a single system proxies all traffic).
• Stateful inspection firewalls.
• Application proxy firewalls.
• Network Address Translation (NAT).

Firewall Per System
Mainly for special cases (e.g., remote access such as portables on travel, DSL/cable-enabled home systems). Unattractive for medium- to large-scale enterprises:
• Cost (initial and ongoing maintenance)
• Lack of central management for configuration control
• Users have problems configuring
This model will become increasingly important and more widely used – pushing security out to the hosts.
Packet Filtering Routers
Intersections between networks are controlled by routers – given an input packet, the router examines the packet header and selects an output path based on the destination address in the packet. Routing actions include:
• Forward the packet (to the next router or an attached host).
• Reply to the packet (e.g., reply to an ICMP request).
• Drop the packet and reply (replies allowed).
• Drop the packet (replies not allowed).
• Log decisions made for each packet.

Packet Filtering Routers
Decisions are made based on a rule set associated with a router's internal routing table. Rules reflect the policy of the network that the router is protecting. Since the router examines every packet header, it has the capability to filter packets based on any information contained in the packet header.

Packet Filtering Routers – IP Stack Placement
Packet filters typically cover layer 3 and part of layer 4:
Application
Transport (TCP) - partly covered
Network (IP) - covered
Ethernet (MAC)
Physical

Packet Filtering Routers
A filtering router implements a list of rules. Rule base:
• Source or destination address,
• Next-layer protocol (the main ones are UDP, TCP, ICMP),
• Source/destination ports (in the TCP layer), and
• Other header fields (e.g., whether fragmented, etc.).
Rules are tested and actions are taken for each rule.

Packet Filtering Routers - Typical Rules
• Drop all inbound ICMP packets (network policy).
• Drop all inbound packets if the source address is an interior address (not a legal inbound address - spoofed).
• Drop all outbound packets to certain sites (like porn).
• Drop all outbound packets if the source address is not a legal interior address - it is spoofed - typical of denial of service attacks aimed at the Internet but originating inside the network.
Packet Filtering Routers – Rule Table (table only; the seven rules are spelled out one per slide below)

Packet Filtering Routers – Rule Format
Each row is a rule and the columns specify the rule:
• Rule number (60-100 rules are common).
• Source/destination address
• Source/destination port
• Action
• Reason
Rules are processed in order.
Packet Filtering Routers – Rule #1
For any source address with destination address equal to 130.68.1.0 (the IP address of the firewall) and any port: Drop the packet (deny). No external communication to the firewall is allowed. Called the stealth rule.

Packet Filtering Routers – Rule #2
For source address 130.68.1.0 (the IP address of the firewall) and any destination or any port: Drop the packet (deny). The firewall is not allowed to make external connections. Firewalls have no business making external connections.

Packet Filtering Routers – Rule #3
For any source address and destination address 130.68.x.x (the address block of the internal network), any source port, and destination ports >1024: Allow the packet (permit). Allows incoming packets in response to outgoing packets.

Packet Filtering Routers – Rule #4
For source address 130.68.x.x (the address block of the internal network), any destination address, and any source/destination ports: Allow the packet (permit). Allows all outbound packets. Internal users have no outbound restrictions.

Packet Filtering Routers – Rule #5
For any source address, destination address = 130.68.1.2, any source port, and destination port = SMTP: Allow the packet (permit). Allows inbound e-mail directed to the e-mail server (i.e., the e-mail server is at IP 130.68.1.2). No inbound e-mail restrictions.

Packet Filtering Routers – Rule #6
For any source address, destination address = 130.68.1.3, any source port, and destination port = HTTP: Allow the packet (permit). Allows inbound web access directed to the public web server (at IP 130.68.1.3). No inbound web restrictions.

Packet Filtering Routers – Rule #7
For any source address, any destination address, any source port, and any destination port: Drop the packet (deny). Drops everything else. Called the default deny rule.

Packet Filtering Routers – Policy
The previous rules reflect the policies that govern the behavior of the network. That is:
• Internal users are allowed unrestricted outbound access. Rule 4 allows outbound connections and rule 3 allows responses to such connections at high ports (i.e., > 1023).
• The only services provided to the Internet are e-mail and web services (rules 5 & 6 allow this traffic).
• The firewall can allow or restrict traffic in both directions (e.g., certain addresses like gambling sites could be blocked).
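The seven-rule table above, processed first match wins, as an added Python simulation. This is example code written for this page, not from the course or from the NSA guide it cites. It uses the slides' addresses (130.68.x.x taken as 130.68.0.0/16, firewall 130.68.1.0, mail server 130.68.1.2, web server 130.68.1.3); the 203.0.113.x addresses are constructed sample values from a documentation range standing in for Internet hosts, and "high port" is taken as > 1023 (the slides say >1024 on the rule 3 slide and > 1023 on the policy slide).

```python
"""Added example: the slides' seven packet-filter rules, processed first match wins."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple, Union

# Addresses from the slides: 130.68.x.x is the internal block, 130.68.1.0 the
# firewall, 130.68.1.2 the mail server, 130.68.1.3 the public web server.
INTERNAL_NET = ipaddress.ip_network("130.68.0.0/16")
FIREWALL_IP = ipaddress.ip_address("130.68.1.0")
MAIL_SERVER = ipaddress.ip_address("130.68.1.2")
WEB_SERVER = ipaddress.ip_address("130.68.1.3")
SMTP, HTTP = 25, 80
ANY = None  # wildcard for an address or port field

AddrSpec = Optional[Union[ipaddress.IPv4Address, ipaddress.IPv4Network]]
PortSpec = Optional[Union[int, Callable[[int], bool]]]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def _addr_ok(spec: AddrSpec, addr: ipaddress.IPv4Address) -> bool:
    if spec is ANY:
        return True
    if isinstance(spec, ipaddress.IPv4Network):
        return addr in spec          # address-block match (130.68.x.x)
    return addr == spec              # exact host match

def _port_ok(spec: PortSpec, port: int) -> bool:
    if spec is ANY:
        return True
    if callable(spec):
        return spec(port)            # range test such as high_port
    return port == spec

def high_port(port: int) -> bool:
    """High (ephemeral) port as the policy slide uses it: > 1023."""
    return port > 1023


@dataclass(frozen=True)
class Rule:
    number: int
    src: AddrSpec
    dst: AddrSpec
    sport: PortSpec
    dport: PortSpec
    action: str  # "permit" or "deny"
    reason: str

    def matches(self, pkt: Packet) -> bool:
        return (_addr_ok(self.src, ipaddress.ip_address(pkt.src))
                and _addr_ok(self.dst, ipaddress.ip_address(pkt.dst))
                and _port_ok(self.sport, pkt.sport)
                and _port_ok(self.dport, pkt.dport))


# The rule table, in the order the router processes it.
RULES: List[Rule] = [
    Rule(1, ANY, FIREWALL_IP, ANY, ANY, "deny", "stealth rule: no external traffic to the firewall"),
    Rule(2, FIREWALL_IP, ANY, ANY, ANY, "deny", "firewall makes no external connections"),
    Rule(3, ANY, INTERNAL_NET, ANY, high_port, "permit", "responses to outbound connections"),
    Rule(4, INTERNAL_NET, ANY, ANY, ANY, "permit", "unrestricted outbound access"),
    Rule(5, ANY, MAIL_SERVER, ANY, SMTP, "permit", "inbound e-mail to the mail server"),
    Rule(6, ANY, WEB_SERVER, ANY, HTTP, "permit", "inbound web to the public web server"),
    Rule(7, ANY, ANY, ANY, ANY, "deny", "default deny"),
]


def filter_packet(pkt: Packet, rules: List[Rule] = RULES) -> Tuple[int, str]:
    """Return (rule number, action) of the first matching rule, as the router would."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.number, rule.action
    raise ValueError("no rule matched: the table has lost its default-deny rule")


# Constructed sample packets; 203.0.113.x stands in for hosts on the Internet.
SAMPLES = {
    "inbound mail to mail server": Packet("203.0.113.5", "130.68.1.2", 40000, SMTP),
    "inbound web to web server": Packet("203.0.113.5", "130.68.1.3", 40001, HTTP),
    "inbound ssh to web server": Packet("203.0.113.5", "130.68.1.3", 40002, 22),
    "user's outbound web request": Packet("130.68.7.9", "203.0.113.5", 51000, HTTP),
    "reply to that web request": Packet("203.0.113.5", "130.68.7.9", HTTP, 51000),
    "probe of the firewall itself": Packet("203.0.113.5", "130.68.1.0", 40003, 8080),
    "firewall connecting outward": Packet("130.68.1.0", "203.0.113.5", 40004, HTTP),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        number, action = filter_packet(pkt)
        print(f"{name:30s} -> rule {number}: {action} ({RULES[number - 1].reason})")
    # The same probe with rules 1 and 2 removed: rule 3 now admits it, so order matters.
    print("without the stealth rule:", filter_packet(SAMPLES["probe of the firewall itself"], RULES[2:]))
```

Two things worth noticing when running it. The firewall's own address 130.68.1.0 lies inside 130.68.0.0/16, so the stealth rule only works because it is tested before rule 3; evaluating the probe against `RULES[2:]` shows rule 3 admitting it. And rule 3 admits any inbound packet to a high port, whether or not a session exists, which is exactly the gap the FIN-scan discussion on the later packet-filtering slides describes.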
Packet Filtering Routers
Packet filtering firewalls can eliminate some attacks, but do not protect against others. For example: a filtering router would not recognize a FIN scan, since it would not know that there were no previous packets associated with a FIN packet. If state information were available, it would be easy to recognize that there was no session associated with the FIN, so it is an inappropriate packet and should be dropped.

Packet Filtering Routers – No State
Since filtering routers do not maintain state, they have only a limited view of the transport layer and cannot fully protect the network. Many attacks can only be detected by a full examination of the transport layer packet header and by maintaining state information (i.e., packet-to-packet memory that gives context).

Packet Filtering Routers - Plus and Minus
+ Filtering is supported in all commercial routers.
+ Low cost (it is built in; only requires memory and CPU time).
+ Fast, transparent to applications, small performance hit.
- No state information (this packet only - no context).
- Hard to configure (several hundred rules are common).
- Limited logging and alerting capability.
- Hard to manage (primitive user interface, reporting).
It is a good idea to apply filtering rules to the external router, but this is usually not enough - valuable, but not sufficient.
Bastion Host (diagram only)

Bastion Host – Old Technology
Main idea - the bastion host is a relay or proxy between the Internet and the protected network - it isolates traffic. Works OK for connectionless services (e.g., mail, news), but is not good for interactive services like Telnet. Does not scale well: to get to the Internet, users log into the bastion and launch services from it - for a few users this is OK, but it doesn't scale well. No longer widely used.

Stateful Inspection Firewalls
Maintaining state expands the scope of analysis of the network stack beyond the transport layer. Stateful inspection firewalls cover layers 3 and 4 and part of layer 5:
Application - partly covered
Transport (TCP) - covered
Network (IP) - covered
Ethernet (MAC)
Physical
Stateful Inspection Firewalls
State machines remember packet sequences. If the sequence leads to an unsafe state, packets can be dropped. Consider ftp, which allows external users to access and transfer files. It also allows internal users to download files from external ftp sites. ftp uses 2-way data flow across the protected network's boundary:
• Inbound request, outbound response.
• Outbound request, inbound response.

Stateful Inspection Firewalls
Without state, it is impossible for a device in the network path to determine the difference between an inbound request seeking an outbound response and an inbound response that results from an outbound request. Policy may allow an outbound request/inbound response pair. Riskier are inbound request/outbound response pairs. How do we tell the difference? Maintain state.

Stateful Inspection Firewalls
Maintaining state:
• Allows the association of outbound requests with later inbound responses, so those responses can be allowed.
• If an inbound packet has no corresponding outbound request, it should be denied.
Firewall rules are determined by the enterprise policy that identifies allowable behavior for packets entering and leaving the network.
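The session tracking described on the last three slides, together with the FIN-scan case from the packet-filtering slides, as an added Python model. This is example code written for this page, not from the course. It assumes a single session table keyed by the initiating 4-tuple, drives the state from the TCP SYN, SYN/ACK, FIN and RST flags, and carries the slides' policy that the only inbound requests allowed are to the mail server 130.68.1.2 on SMTP and the web server 130.68.1.3 on HTTP; 130.68.0.0/16 is the slides' internal block and the 203.0.113.x hosts are constructed sample values.

```python
"""Added example: stateful inspection of TCP at the network boundary."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

INTERNAL_NET = ipaddress.ip_network("130.68.0.0/16")  # the slides' internal block
# Inbound requests the policy allows (the slides' rules 5 and 6): mail and web servers.
INBOUND_SERVICES = {("130.68.1.2", 25), ("130.68.1.3", 80)}

# (initiator ip, initiator port, responder ip, responder port)
SessionKey = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: FrozenSet[str]  # subset of {"SYN", "ACK", "FIN", "RST"}


def tcp(src: str, dst: str, sport: int, dport: int, *flags: str) -> Packet:
    return Packet(src, dst, sport, dport, frozenset(flags))


class StatefulFirewall:
    """Admits an inbound packet only when it belongs to a session the firewall saw start.
    No timers here; a real firewall also ages idle and half-closed entries out."""

    def __init__(self) -> None:
        self.sessions: Dict[SessionKey, str] = {}   # key -> SYN_SENT | ESTABLISHED | CLOSING
        self.decisions: List[Tuple[str, str]] = []  # (packet summary, verdict) for the log

    @staticmethod
    def _is_outbound(pkt: Packet) -> bool:
        return ipaddress.ip_address(pkt.src) in INTERNAL_NET

    def process(self, pkt: Packet) -> str:
        verdict = self._decide(pkt)
        summary = f"{pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport} {sorted(pkt.flags)}"
        self.decisions.append((summary, verdict))
        return verdict

    def _decide(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        key = fwd if fwd in self.sessions else rev if rev in self.sessions else None

        if key is None:
            # No session: only a new request (a pure SYN) may open one, and only if policy allows.
            if pkt.flags != {"SYN"}:
                return "deny"  # FIN scan, stray ACK, or a "response" nothing asked for
            allowed = self._is_outbound(pkt) or (pkt.dst, pkt.dport) in INBOUND_SERVICES
            if allowed:
                self.sessions[fwd] = "SYN_SENT"
            return "permit" if allowed else "deny"

        # The packet belongs to a known session: advance its state machine and pass it.
        state = self.sessions[key]
        if "RST" in pkt.flags:
            del self.sessions[key]
        elif state == "SYN_SENT" and pkt.flags == {"SYN", "ACK"} and key == rev:
            self.sessions[key] = "ESTABLISHED"  # responder answered the initiator's SYN
        elif "FIN" in pkt.flags:
            if state == "CLOSING":
                del self.sessions[key]  # both sides have sent FIN (final ACK not tracked)
            else:
                self.sessions[key] = "CLOSING"
        return "permit"


def demo() -> Dict[str, str]:
    """Constructed traffic: an outbound web session, a FIN scan, and two inbound requests."""
    fw = StatefulFirewall()
    client, server, scanner = "130.68.7.9", "203.0.113.5", "203.0.113.66"
    results = {}
    # Outbound request / inbound response pair: policy allows it, and state links the two.
    results["syn out"] = fw.process(tcp(client, server, 51000, 80, "SYN"))
    results["syn-ack in"] = fw.process(tcp(server, client, 80, 51000, "SYN", "ACK"))
    results["data in"] = fw.process(tcp(server, client, 80, 51000, "ACK"))
    # Inbound FIN to a high port with no session (the slides' FIN-scan case): dropped.
    results["fin scan"] = fw.process(tcp(scanner, client, 40000, 51001, "FIN"))
    # Inbound requests: the mail server is exposed by policy, an ssh port on the web server is not.
    results["mail in"] = fw.process(tcp(server, "130.68.1.2", 40001, 25, "SYN"))
    results["ssh in"] = fw.process(tcp(server, "130.68.1.3", 40002, 22, "SYN"))
    # Tear the web session down; a later packet on the same tuple no longer has a session.
    fw.process(tcp(client, server, 51000, 80, "FIN", "ACK"))
    fw.process(tcp(server, client, 80, 51000, "FIN", "ACK"))
    results["after close"] = fw.process(tcp(server, client, 80, 51000, "ACK"))
    results["open sessions"] = str(len(fw.sessions))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} {verdict}")
```

Compared with the stateless rule 3 of the packet-filter table, the difference is the `key is None` branch: an inbound packet to a high port is no longer judged on its header alone but on whether an outbound request created a session for it, which is what lets the FIN scan be dropped while the genuine SYN/ACK response is passed.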
Firewall Policy Implementation
• Given a set of policies, create an implementing rule set.
• Three primary considerations:
  • Types of services and sessions that are allowed across the network boundary.
  • The policy requirements for cryptographic services.
  • The topology of the network being protected (i.e., the configuration of the network being protected).
• These influence the rule set implemented on the firewall.

Stateful Firewall Rules – Typical Data Structure
Similar to filtering router rules, but more comprehensive:
1. Rule number - specifies the order in which the firewall tests and enforces the specified rules.
2. Source - allowable source addresses for the rule.
3. Destination - allowable destination addresses.
4. Service - the protocol covered by the rule.
5. Action – packet action to take.
6. Tracking - logging and alerting action for the rule.
7. Device - specifies the devices the rule applies to.
8. Time - the time period for which the rule applies.

Firewall Rules – Typical Data Structure
Actions include:
• Accept/allow
• Reject/deny and notify
• Drop/deny (no notify)
• Require a specific additional action: authenticate the client, encrypt/decrypt, scan for viruses, test the address against a bad list, etc.