firewalls and intrusion detection systems l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Firewalls and intrusion detection systems PowerPoint Presentation
Download Presentation
Firewalls and intrusion detection systems

Loading in 2 Seconds...

play fullscreen
1 / 26

Firewalls and intrusion detection systems - PowerPoint PPT Presentation


  • 288 Views
  • Uploaded on

Firewalls and intrusion detection systems . Bencs áth Boldizsár. Outline. Firewalls Intrusion detection systems (IDS). Introduction. A firewall is a system or group of systems that enforces an access control policy between networks Mostly the goal is to protect TCP/IP networks

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Firewalls and intrusion detection systems' - oshin


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
outline
Outline
  • Firewalls
  • Intrusion detection systems (IDS)
introduction
Introduction
  • A firewall is a system or group of systems that enforces an access control policybetweennetworks
  • Mostly the goal is to protect TCP/IP networks
  • Other possible firewalls: between applications on a windows environment, java card firewalls, etc.
  • Functions:
    • Blocking traffic
    • Permitting traffic
    • Enabling secure remote connections (VPN)
    • Logging traffic
    • Content filtering (blocking): viruses, attacks
    • Network management purposes (screening the traffic etc.)

Introduction

main goals
Main goals

The main goal of firewalling is

  • to control unnecessary services, traffic
  • to hide our internal network topology and services
  • to protect against protocol errors (e.g. invalid SMTP commands can be filtered)
  • to enable logging
  • to control the activity of internal users
  • every accessible point is a possible security hole: With firewalling we minimize the accessible points and we are making it more difficult to deploy an attack
  • we can make it more difficult to exploit the vulnerability: E.g. with tftp denied it is more difficult to send files to the internet after an attack
  • we can separate the network to subnetworks: an intrusion will not compromise our whole system, just a subnetwork/server

Introduction

a firewall is not good for
A firewall is not good for…
  • Stopping information flow/leakage:

Data can be leaked out even through DNS applications or e.g. HTTP tunnels. It is very hard to protect against covert channels.

  • Complete protection against intrusions:

A single open port can be used to gain privileged access

An application proxy might not stop attacking through badly formed parameters, etc.

An industry spy can use the telefax to transport secrets…

Introduction

packet filtering disable access to unwanted services
Packet filtering – disable access to unwanted services

Port State Service

9/tcp open discard

13/tcp open daytime

21/tcp open ftp

22/tcp open ssh

23/tcp open telnet

25/tcp open smtp

37/tcp open time

79/tcp open finger

80/tcp open http

109/tcp open pop-2

110/tcp open pop-3

139/tcp open netbios-ssn

143/tcp open imap2

515/tcp open printer

587/tcp open submission

1723/tcp open pptp

3128/tcp open squid-http

Port State Service

21/tcp open ftp

22/tcp open ssh

25/tcp open smtp

80/tcp open http

110/tcp open pop-3

143/tcp open imap2

3128/tcp filtered squid-http

Introduction

packet filtering
Packet filtering
  • Filtering based on network layer of the IP stack
  • Filtering rules described in rule base
  • Default permit / default deny design
  • Most routers have packet filtering capabilities
  • A good packet filter…

-Permits connections to really-needed services

-Also filters internal access – Most of the intrusions come from employees

-Detects anomalies – TCP packet without SYN handshake etc.

-Filters out all the services what we do not use currently (not only those we don’t want to show)

-Hides internal network elements and architecture (NAT)

-Filters services available to internal hosts (e.g. filter out streaming)

Main problem:

Stateless? Stateful? How?

Introduction

packet filtering8
Packet filtering
  • Packet filtering rules mostly based on:
  • IP protocol (UDP, TCP, …)
  • Source IP address
  • Destination IP address
  • Source/Destination port (socket)
  • Connection state (TCP: SYN, RST, established,… or e.g. FTP states)
  • (rate control)
  • (filter rules based on time schedule – no streaming before 8 p.m.)
  • incoming/outgoing interface
  • etc.

Introduction

application gateway
Application gateway
  • Proxies rebuild the whole protocol (application layer gateway)
  • Needs to know the exact specification of the protocol we use
  • Can investigate the content of the flow
  • Can protect against protocol errors
  • More vulnerable to DoS
  • Can be more complicated to (internal) users (e.g. telnet proxy)
  • Lower performance
  • Higher security

Introduction

packet filter vs application gateway
Packet filter vs. Application gateway
  • Packet filtering without states is insecure
  • Stateful packet filtering is fast
  • Stateful packet filtering might not protect against some protocol errors
  • Application gateways are more sophisticated
  • Application gateways are (mostly) not transparent, so an internal webserver beyond an application gateway can not log who is downloading the page
  • Modern solutions mix the two methods.

Introduction

rule sets example
Rule sets - example
  • Linux iptables:

/sbin/iptables -A INPUT -j ACCEPT -p tcp -d 0/0 -v --dport 23

/sbin/iptables -A INPUT -j LOG -p tcp -d 0/0 -v --dport 110 --tcp-flags SYN,ACK,FIN,RST SYN

/sbin/iptables -A INPUT -j ACCEPT -p tcp -d 0/0 -v --dport 110

/sbin/iptables -A INPUT -j DROP -p tcp -d 0/0 -v --dport 3128

  • Checkpoint Firewall – text:

:rule-base ("##Standard" :rule (

:src ( : Any )

:dst ( : Any )

:services ( : Any )

:action ( : (accept

:type (accept)

:color ("Dark green")

:macro (RECORD_CONN)

:icon-name (icon-accept)

:text-rid (61463)

:windows-color (green) ) )

  • Graphical tools / ruleset generators help

Introduction

architecture basic
Architecture / Basic

router

Internet

„filters the traffic”

firewall

it can be a dual-homed gateway or

a simple packet filter –

screening router

Architecture

Internal network

elements
Elements

Dual-homed gateway

single-homed gateway

gateway: application level border element, e.g.: proxy server

Architecture

Internal network

packet filter only screening router
Packet filter only – screening router

router

Internet

Can be a single

screening router

packet filter

Architecture

Internal network

packet filter with bastion host
Packet filter with bastion host

router

Internet

packet filter

Bastion host, here:

a dual-homed gateway

== proxy server

== application level firewall

Architecture

Internal network

packet filter with bastion host16
Packet filter with bastion host

router

Internet

packet filter

Bastion host, here: a

proxy firewall

internal packet filter

Architecture

Internal network

packet filter with bastion host dmz internal pf
Packet filter with bastion host, DMZ, internal pf

many different

topologies can be

considered

router

Internet

packet filter

Bastion host, here: a

proxy firewall

?

Mail server

Web server

internal packet filter

DMZ

De-Militarized Zone

Architecture

Internal network

platform and other parameters
Platform and other parameters
  • Windows, Linux, Solaris, propriaty OS
  • Hardened operating system
  • With or without hardware
  • Working method (stateful inspection, application proxy)
  • No. of interfaces
  • Authentication methods
  • Maximum traffic
  • Ease of use
  • Price

Firewall - products

commercial free products
Commercial & free products
  • Iptables, netfilter packet filtering
  • Windows internal port filtering ( and IPSEC (policies), network sharing, routing, etc. )
  • Checkpoint Firewall (FW-1) Linux, Windows, Nokia
  • Cisco PIX
  • Symantec Enterprise Firewall ( <- Raptor )
  • Secure Computing Sidewinder (incl. Gauntlet)
  • Zorp (Balabit)
  • NAI Firewall (Gauntlet->Secure Co)
  • Evaluation: ICSA, Common Criteria, …

Firewall - products

personal firewalls
Personal firewalls
  • Every single host on the Internet is a target
  • Most users do not use tight security (no updates, bad passwords, no security settings)
  • Attacked clients might become zombies for a DoS attack or a relay for spams and other attacks
  • They need some protection
  • Personal firewalls are mostly simple packet filters
  • Drop incoming service requests (my windows pc is not a file server)
  • Alert on (anomalous) outgoing requests
  • Can protect against trojans / information leakage / privacy problems too
  • Can be integrated with virus protection

Personal firewalls

intrusion detection systems
Intrusion detection systems
  • Intrusion detection:

detecting inappropriate, incorrect, or anomalous activity

misuse detection != intrusion detection

Host-based: operates on a (single) host

Network-based: operates on network data flows (e.g. promiscuous mode network card on a dedicated host)

IDS

ids categories
IDS Categories
  • In-Kernel vs. Userspace
  • Distributed vs. Atomic
  • Host-based vs. Network-based
  • Statistical vs. Signature Detection
  • Active vs. Passive
  • Proactive vs. Retroactive
  • Flat vs. Hierarchial

(Justin Lundy)

IDS

host based ids
Host-based IDS
  • Checking log files for traces of attacks
  • Checking the condition of processes
  • Looking for anomalies of the authentication system ( Why is X logging in from Thailand? Why is Z logging in during the weekend?)
  • Checking the fingerprints of the installed binaries (Operating system integrity)
  • Checking for malicious user code – possible hacker tools, rootkits
  • Version (and critical security hole) checking
  • Checking for invalid www request URLs in web server’s log files
  • Personal firewall?

IDS

network based ids
Network based IDS
  • On a single network element (near the firewall) or can be distributed: more agents are distributed on the network and a central server makes the decision
  • Problem: Encrypted traffic cannot be analyzed (traffic analysis, timing only)
  • Signature filters: looks for various signatures. Usual attacks possess some kind of signature that identifies them
    • problem: large number of possible signatures – high traffic rate (~GBps lines) – large number of dropped packets – less accurate result
    • problem: signatures has to be known. Regular updates needed and much work to generate “good” signatures
    • problem: polymorphic attack: One might change the attack scenario so that the signature will not match
anomaly detection
Anomaly detection
  • Mostly on statistical basis
  • Detects statistically exceptional events
  • Learning: Watching activity during ‘normal’ state and storing patterns (who logs in, what is the origin, when, etc.)
  • Experience shows that 90% of attacks can be considered as protocol usage anomalies.
  • Does not require signatures (except what it learns)
  • We should carefully add knowledge about “normal” activity, such as RFC compilant state machines, it needs much work.
  • A non-RFC compilant client is not always an attacker – we need flexibility
slide26
CIDF
  • Model: Common Intrusion Detection Framework

intrusion detection components can be reused in other systems

interface & communication protocols

  • Architecture
    • Event generators (colloquially "E-boxes")
    • Event analyzers ("A-boxes")
    • Event databases ("D-boxes")
    • Response units ("R-boxes")

IDS