1 / 27

Intrusion Protection

Intrusion Protection. Mark Shtern. Protection systems. Firewalls Intrusion detection and protection systems Honeypots System Auditing. Firewall Types. Network Packet filters Proxy servers State-full inspection Can be hardware-based or software-based Application Packet filters

livvy
Download Presentation

Intrusion Protection

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Intrusion Protection Mark Shtern

  2. Protection systems • Firewalls • Intrusion detection and protection systems • Honeypots • System Auditing

  3. Firewall Types • Network • Packet filters • Proxy servers • State-full inspection • Can be hardware-based or software-based • Application • Packet filters • State-full inspection

  4. Packet filtering Firewalls • Permits or denies packets based on socket pairs • Packet filters operate at layer 4 of the OSI model • Defined packet filters are applied to examine traffic attempting to enter or attempting to exit an interface • Packet filters do not maintain state

  5. Proxy Server Firewalls • Clients configured to use a proxy server package • The proxy server completes client requests on behalf of the requesting clients, if permitted

  6. Proxy Server Types • Circuit-level proxy servers only understand the socket portion of a request (IP address, port number, and protocol) • Application-level proxy servers also understand the internal commands for each type of application • for example, can recognize FTP commands for PUT, GET, MPUT, MGET, and so on

  7. State-full Inspection Firewalls • Generally permits all outbound sessions initiated by internal clients (unless an ACL imposes restrictions) • a state table entry is created for each allowed connection • Allows return traffic belonging to the same session • Generally denies all inbound sessions initiated by external clients (unless an ACL allows exceptions) • a state table entry is created for each allowed connection

  8. State-full Inspection Firewalls • State table entries track: • source and destination IP addresses • source and destination port numbers • protocol • TCP sequence numbers and acknowledgment numbers • TCP session state • SYN Received, SYN-ACK Sent, Established

  9. Examples of Firewall • Network • Firestarter • Windows Firewall • Application • Mod_evasive • Mod_security_common

  10. Intrusion Detection Systems • An IDS detects attempts at network intrusion • Host-based or network-based sensors collect data for local analysis or uploading to a centralized analysis engine • When intrusion is detected a log entry or alert can be generated

  11. Detection methods • Signature analysis • discernable pattern of a previously seen attack • network scans, port scans, malicious payloads • Statistical anomaly • unusual usage patterns • log on at unusual hours, uncharacteristically high usage of a protocol • Protocol anomaly • an undefined or non-standard use of a protocol • IP header Protocol field value greater than 137 • TCP header Urgent field set to non-zero value with URG flag set to zero

  12. IDS types • Network-based • Monitors entire network • NIC operates in promiscuous mode • Complicated sniffers that check all packets against signatures • Host-based • Protects only the host system on which it resides • Network card operates in non-promiscuous mode

  13. Intrusion Prevention Systems • An IDS receives a copy of network traffic for analysis and reporting • malicious packets reach their targets • analysis and reporting is after the fact • An IPS is a pass-through device inline with the traffic • detected malicious packets are dropped at the IPS and do not reach their intended targets

  14. Snort • Intrusion protection and prevention system • Rules-based detection engine • Network sniffer • Snort runs on various operating systems and hardware platforms, including many UNIX systems and Windows • Large default rule set (several thousand)

  15. Snort Modes • Packet Sniffer Mode • In Packet Sniffer Mode Snort acts like tcpdump and is used for testing. • Type “snort –v” at command prompt to start snort in sniffer mode • Other switches • -d displays application layer -e displays data link layer • Packet Logger Mode • Same as Packet Sniffing Mode but it also logs the output. • Type “snort –dev –l /var/log/snort” where –l is switch for logging and /var/log/snort is directory to save output.

  16. Snort Modes • Intrusion Detection Mode • In this mode snort applies signature rules on all captured packets • If packet matches rules, it is logged or an alert is generated

  17. Writing Snort Rules • Figure out what is "bad" • Capture traffic that includes the "bad" stuff • Learn the protocol • Figure out why the "bad stuff" is bad • Write a rule • Test the rule

  18. Rule Format - basic rule • alert tcp 10.1.1.1 any -> 10.1.1.2 80 (msg:"foo"; content:"bar";) 

  19. Rule Format • alerttcp10.1.1.1 any -> 10.1.1.2 80 (msg:"foo"; content:"bar";)  • Actions    • alert log pass activate dynamic drop sdrop • Acceptable protocols: • TCP , UDP, ICMP, IP •  Direction • ->, <> • Body • msg, content etc

  20. Honeypot • A monitored decoy to lure attackers away from critical resources • simulates various OSs and application servers • A tool to analyze an attacker’s methods and other characteristics

  21. Honeypot Modes • Research mode • collecting data on attacker motivations, attack trends, and emerging threats • Production mode • to prevent, detect, and respond to attacks • impeding scans • diverting an attacker to the honeypot rather than critical files • capturing polymorphic code • acquiring attack signatures • providing attack information for analysis

  22. Honeypot Software • Labrea • Honeyd

  23. Legal issues • An organization may be liable if its honeypot is used to launch attacks against another network • Attacker might claim entrapment if apprehended through use of a honeypot • Never explicitly invite interaction with the honeypot

  24. Auditing • Logs are the primary record keepers of system and network activity • Basis for fast recovery when service is modified illegally • Basis for tracking the break-in

  25. System logs • Windows • Application, System and Security • Linux • Syslogs files /var/logs/*

  26. Problem in Managing Logs • No periodical review • The log files may be modified by intrusion • Log size constraint • Failure to collect critical information

  27. Audit tools • Syslog – log collection system • Audit – subsystem in Linux kernel that generates audit record (auditctl, ausearch, aureport ) • Logwatch – log analysis system • Lire - log analyzer system

More Related