Ch 3 Firewall and Perimeter Security - PowerPoint PPT Presentation

1 / 96
About This Presentation
Title:

Ch 3 Firewall and Perimeter Security

Description:

... enterprise-class firewall product line within the Cisco firewall family. with integrated hardware and software ... Tripwire is an open-source project of ... – PowerPoint PPT presentation

Number of Views:773
Avg rating:3.0/5.0
Slides: 97
Provided by: alex58
Category:

less

Transcript and Presenter's Notes

Title: Ch 3 Firewall and Perimeter Security


1
Ch 3Firewall and Perimeter Security
2
Contents
  • Firewall
  • packet-filter firewall filters at the network or
    transport layer
  • proxy firewall filters at the application layer
  • NAT
  • solve the problem of IP address limitation
  • provide load balance and redundancy
  • IDS
  • active detection to monitor the network status
  • three methods signature, statistical and
    integrity
  • four types host, network, applications and
    integrity
  • Honeypots
  • a décor to attract hackers

3
What is a firewall?
  • A firewall, is a router, or several routers or
    access servers, designed as a buffer between any
    connected public networks and private network.

4
Protecting Network using Firewall - 1
  • Security protocol cannot prevent malicious people
    from sending harmful message to a system
  • A firewall is a device (usually a router or
    computer) installed between internal network and
    the Internet
  • Some large companies with a lot of sensitive
    information also install firewall within their
    intranet to protect these types of the network
    resource from unauthorized employee.

5
Protecting Network using Firewall - 2
  • Some modern firewall has additional features
  • network address translation (NAT)
  • encryption in data transmission, e.g. VPN
  • use strong authentication techniques to
    authenticate users/ports
  • anti-virus features
  • easy to use GUI

6
Requirements of firewall
  • Efficient access control (easy to use access
    control list (ACL), such as GUI interface)
  • Filtering of vulnerable protocols (based on types
    of protocols)
  • Network monitoring
  • Simple management (features such as GUI,
    web-based, SNMP enabled)

7
Firewall classification
  • A firewall is usually classified into two classes
  • packet-filter firewall
  • also known as screen router or screening filter
  • forward and block packets based on information in
    the network layer and transport layer headers
    source, destination, IP address, source and
    destination port, type of protocol (TCP or UDP)
  • proxy-based firewall
  • also known as application gateway
  • forward and block packets based on the contents
    of the messages (I.e. at application level
    traffic)

8
Packet-filter firewall - 1
  • is a router that uses a filtering table to decide
    which packet must be discard (not forward)
  • operate at network layer (or transport layer)

9
Packet-filter firewall - 2
  • Example of packet filter rules
  • incoming packet from 131.34.0.0 are blocked
  • incoming packet destined for any internal TELNET
    (port 23) are blocked
  • incoming packets destined to internal host
    194.78.20.8 are blocked (this host for internal
    use)
  • outgoing packets destined for an HTTP server
    (port 80) are blocked. (i.e. does not want
    employees to browser the Internet)

10
Packet Filtering Firewall - 1
  • Two main types
  • Standard or Stateless packet filtering
  • Also known as first generation firewall
  • Operates at either the Network or Transport
    layer.
  • Most packet filters used the values of the
    following header field to determine what to pass
    or not
  • Protocol type, IP address, TCP/UDP port, Fragment
    number

11
Standard packet filtering
  • Packet filters make decisions based on packet
    header information.
  • Access decisions are based on source and
    destination addresses, source and destination
    port numbers, protocol types, and possibly flags
    within the header themselves.
  • They does not look at the actual payload.

12
Packet Filtering Firewall - 2
  • Stateful inspection packet filters
  • known as dynamic packet filtering
  • filter rules are set up based on policy rule and
    state of the protocol
  • For example
  • do not allow any services through the firewall
    except
  • Services theyre programmed to allow
  • Connections that they already maintained in their
    state tables.

13
Stateful inspection packet filter
14
Pros and Cons of Packet Filter
  • Pros
  • Scalable (Simple)
  • Provides high performance (High speed)
  • Application dependent
  • Cons
  • Does not look into the packet pass the header.
  • Low security relative to other firewall types
  • Difficulties in setting up the packet filter
    rules correctly
  • Lack of support for authentication

15
Stateful Multilevel Inspection - 1
  • First implemented by CheckPoint under the name
    Stateful Multilevel Inspection.
  • Stateful Rules are protocol-specific, keeping
    track of the context of a session (not just its
    state).
  • The greatest addition that stateful multilevel
    filtering provides to dynamic filtering is the
    ability to maintain application state, not just
    connection state.

16
Stateful Multilevel Inspection - 2
  • This allows filtering rules to differentiate
    between the various connectionless protocols
    (like UDP, NFS and RPC), which were previously
    immune to management by static filtering and were
    not uniquely identified by dynamic filtering
  • Application state allows a previously
    authenticated user to create new connections
    without reauthorizing, whereas connection state
    just maintains that authorization for the
    duration of a single session.

17
Proxy-based firewall
  • Application Level firewall
  • Make high-level connections at application layer
  • for example
  • Policy on access web-pages Only Internet users
    who had established business relationships with
    the company can have access access by other
    users must be blocked.
  • packet-filter firewall is not feasible because it
    cannot distinguish between different packet.
    Selection must be done at applications level
    (i.e. URL)
  • proxy work on behalf of internal hosts to
    complete the connection between internal and
    external hosts.

18
Proxy-based firewall (2)
  • A variants of proxy is called circuit gateway
  • creates a new connection between itself and the
    remote host
  • Proxy stand in for outbound connection attempts
    to servers and then make the request to the
    actual target server on behalf of the client.
    When the server returns data, the proxy transmits
    that data to the client.
  • Application proxies dont necessary to be run on
    firewalls appliances.
  • it is a high-end servers (or cluster of servers)
  • Usually Internet client applications (Browser)
    require to setup to talk to the proxy.

19
Proxy-based firewall (3)
20
Application gateway creates an illusion
21
Additional Firewall Components
  • Authentication
  • Allows users on the public network to prove their
    identity to the firewall in order to gain access
    to the private network from external locations.
  • to filter unauthorized users
  • function as an NAS (network access server)
  • Encrypted Tunnels
  • tunneling is also called encapsulation, it is a
    major building block of Virtual Private
    Networking (VPN)
  • Tunneling establishes a secure connection between
    two private networks over a public medium like
    the Internet.
  • allows physically separated networks to use the
    Internet rather than leased-line connections to
    communicate.
  • VPN firewall is usually work in pairs

22
Limitations of Firewall
  • Even with the use of Proxy firewalls, it is still
    unable to control the content transferred across
    the network boundaries satisfactorily.
  • Firewalls are extremely vulnerable to insider
    attacks and covert channels
  • Firewalls can become bottlenecks of traffic
  • If a firewall is compromised, the protected
    network is extremely vulnerable

23
Security Strategies in firewall
  • Least privilege
  • every element of the firewalls system should have
    only the privileges that are needed to carry out
    its tasks
  • Defense in depth
  • security mechanisms should be redundant, should
    use different approaches (e.g. from different
    vendors), and should be able to back up each
    other.
  • Controlled access
  • the protected network should have a well-defined
    access point that forces attackers to use a
    narrow channel, which you can monitor and control
  • Fail-safe fail-over
  • Fail-safe a malfunctioning of a subsystem may
    affect functionality but should not lose
    security.
  • Fail-over the task can taken over by another
    firewall.

24
Firewall Philosophies
  • Default Permit
  • Not Expressly Prohibited is Permitted
  • Used in open environments (e.g., ISP and some
    universities)
  • Difficult to manage
  • Default Deny
  • Not Expressly Permitted is Prohibited
  • used in environment with higher security
  • May be too restrictive in some environments

25
Factors to consider for choosing firewall
  • Performance
  • Firewall is usually the bottle neck of network
    traffics. The performance is usually the prime
    concerns. Stateful inspection filter is the trend
    as its good cost-performance ratio is better.
  • Scalability
  • scale adapted to size of company and corporate
    security policy. Usually, firewall vendor provide
    modules for client to upgrade according to their
    needs
  • Compatibility
  • work seamlessly with firewall products from
    different vendors
  • Network management support
  • easy installation and compatible with network
    management protocol

26
Examples of Firewall Configurations - 1
  • In practical implementations, a firewall is
    usually a combination of packet filters and
    application (or circuit) gateways.

27
Examples of Firewall Configurations - 2
28
Examples of Firewall Configurations - 2
  • Screened host firewall, Single-homed bastion
  • A firewall set up consists of two parts
  • The packet filter ensures that the incoming
    traffic is allowed only if it is destined for the
    application gateway, and it also ensures that the
    outgoing traffic is allowed only if it is
    originating from the application gateway.
  • The application gateway performs authentication
    and proxy functions.

29
Examples of Firewall Configurations - 3
  • This configuration increases the security of the
    network by performing checks at both packet and
    application levels.
  • One big disadvantage here is that the internal
    users are connected to the application gateway,
    as well as to the packet filter.
  • If the packet filter security its compromised,
    then the whole internal network is exposed to the
    attacker.

30
Examples of Firewall Configurations - 4
31
Examples of Firewall Configurations - 5
  • Screened host firewall, Dual-homed bastion
  • Direct connections between the internal hosts and
    the packet filter are avoided.
  • Instead, the packet filter connects only
  • to the application gateway, which, in turn, has a
    separate connection with the internal hosts.
  • Therefore, now even if the packet filter is
    successfully attacked, only the application
    gateway is visible to the attacker.
  • The internal hosts are protected.

32
Examples of Firewall Configurations - 6
33
Examples of Firewall Configurations - 7
  • Screened subnet firewall
  • It offers the highest security
  • Two packet filters are used
  • There are three levels of security for an
    attacker to break into.

34
Bastion Host
  • The bastion host sits on the internal network.
  • It is the machine that will be accessed by all
    entities trying to access or leave the network.
  • It is the only system on the internal network
    that hosts on the Internet can open connections
    to (for example, to deliver incoming email).
  • If the bastion host is compromised, the internal
    network is wide open to attack from this bastion
    host
  • The bastion host thus needs to maintain a high
    level of host security.

35
Demilitarized Zone (DMZ) - 1
  • Another firewall features is provision of DMZ
  • DMZ - Demilitarized Zone
  • Firewall configuration that allows an
    organization to securely host its public servers
    and also protect its internal network at the same
    time.
  • DMZ is simply a network segment that is located
    between the protected and the unprotected
    networks.

36
General DMZ rules - 1
37
General DMZ rules - 2
  • Allow external users to access the appropriate
    services on DMZ systems.
  • DMZ systems should be severely restricted from
    accessing internal systems.
  • Internal uses can access the DMZ or external
    network as policy allows
  • No external users may access the internal system.

38
Demilitarized Zone (DMZ) - 2
39
Recap
  • Two type of firewall
  • packet filter firewall
  • stateless and stateful inspection
  • proxy firewall
  • application level
  • not allow client to go directly, must go thru a
    proxy which has rules
  • Three basic configuration examples
  • Screened host firewall, Single-homed bastion
  • Screened host firewall, Dual-homed bastion
  • Screened subnet
  • A modern firewall usually have three interfaces
    trusted, DMZ and untrusted

40
NAT Explained - 1
  • NAT hides internal IP addresses by converting all
    internal host addresses to the address of the
    firewall as packets are routed through the
    firewall.
  • NAT is also called IP masquerading.
  • Translates the IP addresses of internal hosts to
    hide them from outside monitoring.
  • Originally implemented to make more IP addresses
    available to private networks.

41
NAT Explained (2)
  • The firewall then retransmits the data payload of
    the internal host from its own address using a
    translation table to keep track of which sockets
    on the exterior interface equate to which sockets
    on the interior interface.
  • To the Internet, all the traffic on your network
    appears to be coming from one extremely busy
    computer.

42
NAT Process - in details
43
NAT Modes - 1
  • Four primary modes of NAT
  • Dynamic Translation (also called Automatic, Hide
    Mode or IP Masquerade)
  • Wherein a large group of internal clients share a
    single or small group of internal IP addresses
    for the purpose of hiding their identities or
    expanding the internal network address space.
  • Static Translation (also called Port Forwarding)
  • Wherein a specific internal network resource
    (usually a server) has a fixed translation that
    never changes. Static NAT is required to make
    internal hosts available for connections from
    external hosts.

44
NAT Modes - 2
  • Loading Balancing Translation
  • Wherein a single IP address and port is
    translated to a pool of identically configured
    servers so that a single public address can be
    served by a number of servers.
  • Network Redundancy Translation
  • Wherein multiple Internet connections are
    attached to a single NAT firewall and clients
    requests are routed through an Internet
    connection based on load and availability.

45
NAT used in ISP
  • A large group of internal clients share a single
    or small group of internal IP addresses for the
    purpose of hiding their identities or expanding
    the internal network address space.

46
Loading Balancing Translation
  • A single IP address and port is translated to a
    pool of identically configured servers so that a
    single public address can be served by a number
    of servers.

47
Hacking through NAT - 1
  • Static translation does not protect the internal
    host.
  • Static translation merely replaces port
    information on a one-to-one basis.
  • This affords no protection to statically
    translated hosts
  • Hacking attacks will be just as efficiently
    translated as any valid connection attempt.
  • Solution Reduce the number of attack to one, and
    then to use application proxy software or other
    application based security measures.

48
Hacking through NAT - 2
  • If the client establishes the connection, a
    return connection exists.
  • Even if hackers cant get inside our network, you
    cant prevent your users form going to the
    hackers.
  • Forged email with a Web site link, a Trojan
    horse, or a seductive content Web site can entice
    your users to attach to a machine whose purpose
    is to glean information about your network.
  • Solution Higher-level, application-specific
    proxies are once again the solution.

49
Firewall Products
50
Cisco PIX firewall - 1
  • The Cisco PIX firewall series
  • a high-performance, enterprise-class firewall
    product line within the Cisco firewall family.
  • with integrated hardware and software
  • delivers high security and network performance
  • scalable to meet different customer requirements
  • Product
  • PIX 525 PIX 520 - for large enterprise
  • PIX 515 - for medium size company
  • PIX 506 - for SOHO

51
Cisco PIX firewall - 2
  • The PIX firewalls provide
  • stateful inspection firewall
  • IPsec and L2TP/PPTP-based VPNs
  • content filtering capabilities (limited)
  • integrated intrusion detection capabilities

52
Adaptive Security Algorithm (ASA)
  • Adaptive Security Algorithm (ASA) is the
    foundation on which the PIX Firewall is built.
  • It defines how PIX examines traffic passing
    through it and applies various rules to it.
  • The basic concept behind ASA is to keep track of
    the various connections being formed from the
    networks behind the PIX to the public network.
  • Information keep tracking include
  • IP packet source and destination information
  • TCP sequence numbers and additional TCP flags
  • UDP packet flow and timers

53
Rule to restrict information flow in a PIX
firewall
  • Data traveling from a more secure interface to a
    less interface (from high to low)
  • A translation (either static or dynamic) is
    required to allow traffic from a higher security
    to a lower security interface.
  • Data traveling from a less secure interface to a
    more secure interface (from low to high)
  • A conduit or an access list is required to permit
    the desired traffic. That is, traffic is not
    allowed unless allowed by the conduit command or
    access list
  • Data traveling from two interfaces with the same
    security level
  • No traffic flows between two interfaces with the
    same security level.

54
Rule to restrict information flow in a PIX
firewall
55
PIX commands
  • There are six basic commands in Cisco PIX
  • nameif assign a name to an interface
  • interface interface configuration
  • ip address command assign IP address
  • nat command network address translation command
    to define the trusted source address to be
    translated (two variants nat dynamic NAT and
    static static NAT)
  • global The global command defines a pool of
    global addresses. The global addresses in the
    pool provide an IP address for each outbound
    connection, and for those inbound connections
    resulting from outbound connections.
  • route define static route

56
Examples of PIX commands to setup NAT and packet
filter
  • Allow only external connected to web server at
    DMZ
  • nameif ethernet0 outside security0
  • nameif ehternet1 inside secuirty100
  • naemif ethernet2 dmz security50
  • Interface ethernet0 auto
  • ip address outside 192.168.1.2 255.255.255.0
  • ip address inside 10.0.0.1 255.255.255.0
  • ip address dmz 172.16.1.1 255.255.255.0
  •  
  • / for NAT allow NAT to all inside, map to
    10-254. set one static addr 192.168.1.10 to
    10.1.1.10/
  • nat (inside) 1 0.0.0.0 0.0.0.0
  • global (outside) 1 192.168.1.10-192.168.1.254
    netmask 255.255.255.0
  • static (inside, outside) 192.168.1.10 10.1.1.10
  •  
  • / for packet filter allow all external network
    to web server /
  • access-list 80 permit TCP any host 172.16.1.2
  • access group 80 in interface outside
  • route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

57
Intrusion Detection
58
Traditional Security Approach
  • The disciplines of computer security address
    three fundamental needs
  • Prevention
  • Detection
  • Response
  • Traditional response to security risks
  • a series of preventive measures design to keep
    out unauthorized people
  • Firewall only concentrated on perimeter defense!
  • it is only part of the defense in computer
    security

59
Intrusion Detection Approach
  • Problem with perimeter defenses (use firewall
    only) is that most of the losses are attributable
    to insiders!
  • IDS provides damage assessment and threat
    identification capabilities just like their
    physical counterparts
  • the video cameras gt IDS sensors
  • Intrusion detection tools are not only prevention
    devices, it is for detection
  • IDS is also an excellent deterrent.

60
What are IDS?
  • IDS are dedicated appliances or software-based
    components that monitor network traffic or
    individual computer activity with the goals of
  • Identifying malicious actions
  • Resource misuse
  • Attempts to gain unauthorized access
  • Attacks
  • Note with IDS, you still need firewalls,
    anti-virus software, security policies, and other
    types of control.

61
Capabilities of an IDS
  • Event log analysis for insider threat detection
  • Security configuration management
  • Network traffic analysis for perimeter threat
    detection
  • File integrity checking
  • Three main classes of analysis in IDS
  • signature analysis
  • statistical analysis
  • integrity analysis

62
Signature Analysis
  • Look for specific attacks against known weak
    points of a system. These attacks can be detected
    by watching for certain actions (certain pattern
    of action) being performed on certain objects.
  • IDS performs signature analysis on the
    information it obtains.
  • Signature analysis is pattern matching of system
    setting and user activities against a database of
    known attacks.
  • require an updated list of signature file (e.g.
    once every 2 weeks released by CERN etc)
  • Comparisons with anti-virus software
  • anti-virus to scan hostile pattern from memory
    and files (hard-disk)
  • IDS is to scan hostile pattern within a network

63
Statistical Intrusion Analysis
  • Based on observations of deviations from normal
    system usage.
  • Method
  • Require to measure a baseline of statistics
  • CPU utilization and network usage
  • User logins and its pattern (i.e. time-of-day)
  • File activity and so on (file type and size and
    time)
  • Alert administrator regarding any deviation from
    this baseline.

64
Integrity Analysis
  • Integrity analysis reveals whether a file or
    object has been altered. Such analysis often uses
    strong cryptographic hash algorithms to determine
    whether anything has been modified.
  • e.g. if an attacker adds a user to a Linux
    system, the hash of the /etc/password file will
    change, alerting the administrator that the file
    has been modified.
  • e.g. Tripwire digest are generated as a series
    markers. System can check all files again with
    the designated digest to check any modification.
    Unexpected change signify possible intrusion.
  • Tripwire is an open-source project of Purdue
    University (www.tripwire.org)

65
Characteristics of a Good IDS
  • Run continually without supervision.
  • Be fault-tolerant.
  • Do not use excessive system resources.
  • Able to observe deviation from normal behavior.
  • Able to cope with changing system behavior over
    time. As new applications are added, the system
    profile will change automatically, and the IDS
    must be able to adapt.
  • Be accurate (0 false positive and 0 false
    negative).
  • Be customizable.
  • Be current (i.e. signature files and baseline
    data are up-to-date)

66
Errors in IDS - 1
  • False Positives
  • occurs when the IDS classifies an action as
    anomalous (a possible intrusion) when it is
    actually a legitimate action.
  • if too many false positives are generated, people
    will begin to ignore the output of the system,
    which might lead to an actually intrusion being
    detected but ignored.
  • problem very difficult and often cannot totally
    eliminated.

output
FRR
reject
FAR
accept
input quality (biometrics / IDS) poor good
67
Errors in IDS - 2
  • False Negatives
  • occurs when an intrusive action has taken place,
    but the IDS allows it to pass as an non-intrusive
    behavior.
  • problem Extremely dangerous
  • false negative subversion occurs when an intruder
    modifies the operation of the IDS to force false
    negatives to occur.

68
Categories of Intrusion Detection
  • Several categories of IDS exists in the market
  • NIDS - Network Intrusion Detection System
    (typical)
  • HIDS - Host Intrusion Detection System
  • Application Intrusion Detection System
  • Integrity Intrusion Detection (not yet popular)
  • e.g. Tripwire

69
NIDS - 1
  • Network-based IDS can be hardware appliances or
    software application installed on a computer
    system.
  • NIC works in promiscuous mode and collects and
    monitors network traffic for malicious activity.
  • There are sensors placed in the network segment
    that are to be monitored , typical strategic
    locations are DMZ, behind firewall, database
    servers subnet etc
  • These sensors are all connected to a central
    management console.
  • The traffic is then analyzed.

70
NIDS - 2
  • NIDS are mostly signature-based.
  • A set of attack signatures are built into the
    systems
  • These signatures are compared against the traffic
    on the network.
  • The NIC card that monitors the network in placed
    in stealthy mode so that it does not have an IP
    address and does not respond to probes such as a
    ping.

71
NIDS - 3
  • Advantages include
  • Lower cost of ownership (one IDS for whole
    networks)
  • The NIDS can be completely hidden on the network
    so that an attacker will not know that s/he is
    being monitored.

72
NIDS - 4
  • Disadvantages include
  • The NIDS can only alarm if the traffic matches
    signatures
  • The NIDS cannot determine if the attack was
    successful
  • The NIDS cannot examine traffic that is encrypted
  • Switched network require special configurations
  • Unable to handle high-speed networks

73
HIDS - 1
  • Host-based IDS is a system of sensors that are
    loaded onto various servers within an
    organization and controlled by some central
    manager.
  • HIDS sensors watch the events associated with the
    server on which they are loaded.
  • The HIDS sensor can determine whether an attack
    was successful or not since the attack was on the
    same platform as the sensors.

74
HIDS - 2
  • The five basic types of HIDS sensors
  • Log analyzers looks for log entries that may
    indicate a security event.
  • Signature-based sensors analyze incoming
    traffic and compare them with a set of built-in
    security event signatures
  • System call analyzers examine an applications
    system calls, analyze the action and compared it
    to a database of signatures.
  • Application behavior analyzers the sensor
    examines an applications system calls to see if
    it is allowed to perform such action.
  • File integrity checkers check for changes in
    files.

75
HIDS - 3
  • Advantages
  • Verifies success or failure of an attack
  • Monitor specific system activities
  • Detect attacks that network-based systems miss
  • Well-suited for encrypted and switched
    environments
  • Requires no additional hardware
  • Lower cost of entry (for system with fewer number
    of hosts)

76
HIDS - 4
  • Disadvantages
  • Network activity is not visible to host-based
    sensors
  • Running audit mechanisms can use additional
    resources
  • When audit trails are used as data sources, they
    can take up significant storage
  • Host-based sensors must be platform specific
  • Management and deployment very difficult in large
    network

77
Designing IntrusionDetection Systems
  • Monitoring security through IDS requires a
    combination of
  • good sensor placement
  • well designed sensor behaviour,
  • appropriate sensor configuration,
  • regular tuning and
  • a sound strategy for event response.

78
Application Intrusion Detection
  • Collects information at the application level.
  • E.g. Logs generated by database management
    software, Web servers, and firewalls. Sensors
    placed in the application collected and analyze
    information.
  • Not very popular at the moment
  • But it is expected in the coming years the focus
    on security will shift from network to
    server/application level.
  • Strength
  • High degree of control
  • Weakness
  • Too many applications to support
  • Covers only one component at a time

79
Popular IDS Products
  • RealSecure
  • www.iss.net/securing_e-business/security_products/
    intrusion _detection/
  • Cisco Secure IDS
  • www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/
  • Network ICE
  • www.networkice.com
  • Snort
  • www.snort.org

80
SNORT
  • Light weight Network IDS
  • Packet capture /logger real-time traffic
    analysis
  • Content search detect attacks and probes
  • Support rule language
  • Detection engine with modular plug-ins
  • Real-time alerting capacity
  • Support Linux and Windows
  • Syslog features
  • logging network data in Tcpdump format
  • use WinPopup message to window client

81
SNORT (2)
  • 4 major engines
  • packet capture / decode engine
  • rules parsing and detection engine
  • logging engine
  • plug-ins preprocessing handling engine
  • 3 modes
  • sniffing mode
  • snort -v lt verbose to show header
  • snort -vd lt verbose to show header and data
    content
  • snort -vde lt same as above, with describe
    details
  • logging mode
  • snort v l ./log h 192.168.1.0/24 lt for Linux
  • snort v l ..\log h 192.168.1.0/24 ltfor PC
  • IDS mode
  • snort v l ./log h 192.168.1.0/24 c snort.conf
  • snort v l ..\log h 192.168.1.0/24 c
    ..\etc\snort.conf

82
snort.conf - 1
  • To tune the performance of the NIDS
  • Five sections
  • network and configuration variables
  • var HOME_NET 10.120.25.135
  • var HOME_NET 10.10.10.20, 192.168.1.23,
    172,16.30.25
  • var HOME_NET 10.10.10.0/24
  • var EXTERNAL_NET !HOME_NET
  • var ORACLE_PORTS 1512

83
snort.conf - 2
  • decoder and detection engine configuration
  • alert user if a packet has strange size, strange
    option, or uncommon setting
  • these are not necessary attacks and may generate
    large amount of false positive, use the following
    to disable, for example
  • config disable_decode_alerts
  • config disable_tcpopt_experimental_alerts

84
snort.conf - 3
  • preprocessor configuration
  • output configuration control o/p format that
    works with 3rd party software
  • output alert_syslog host10.10.10.100 LOG_AUTH
    LOG_ALERT
  • output database ltlog alertgt, ltdatabase typegt,
    ltparameter listgt
  • file inclusions include rule sets

85
preprocessor of SNORT - 1
  • functions of preprocessor
  • normalize traffic to ensure data packet can be
    watch by Snort
  • provide self-defense against attacks that may
    confuse or overwhelm an NIDS sensor
  • extend Snorts ability to detect network
    anomalies (enhance the rule sets)

86
preprocessor of SNORT - 2
  • examples of preprocessor
  • flow - watches all traffic and keeps track of
    connections between machines. When a new unique
    flow is detected, the information is hashed and
    stored in a memory-resident table
  • frag2 - allow data fragment to be reassembled so
    that snort can see a big picture
  • examples
  • preprocessor flow stats_interval 0 hash 2
  • perprocessor frag
  • other preprocessors stream4, stream4_reassemble,
    HTTP_inspect, rpc_decode, bo, telnet decode,
    flow-portscan, arpspoof, perfmonitor

87
Typical rules in SNORT
  • Rule header
  • action field alert, log or pass
  • protocol field ip, tcp, udp, icmp
  • rule field src ip, src port, direction, dest
    ip, dest, port
  • e.g. alert tcp 64.147.128.0/19 2123 -gt
    HOME_NET any
  • e.g. log tcp EXTERNAL_NET any -gt HOME_NET any
    (msg SCAN SYN FIN, flagsSF reference
    arachnids, 198 classtype attempted-recod
    sid624 rev1)
  • msg option specify the type of attack
  • flags option look for field of packet header
    (e.g. Syn, Fin)
  • reference indicate where information can be
    found
  • class type option category of attack
  • sid type option signature ID
  • rev type option rule revision number
  • simplest rule
  • alert tcp any any -gt any any

88
pre-defined rules
  • Snort come with a wide variety of rules
  • here are some examples
  • attack-responses.rules
  • backdoor.rules detect traffic generated by
    backdoor connections such as netbus
  • dos.rules detects traffic generated by known dos
    attacks, such as IGMP and teardrop attack
  • ddos.rules alerts on traffic generated by
    well-down attacks such as trin00 and shaft. It
    can be noisy as it look for specific words in
    payload
  • dns.rules alerts on attacks against DNS servers

89
Components of a typical SNORT system - 1
  • Snort sensors (the most important!!)
  • installed at strategic network locations
  • internal network, DMZ, and external network
    (sometimes)
  • snort only alert in log file
  • use tail -f to watch the log file, not very
    interactive
  • ACID Analysis Console for Intrusion Databases
  • project developed by Roman Danyliw at US CERT
    coordination center
  • PHP based web application act as the front end of
    help to manage the alerts generated by multiple
    IDS sensors
  • generate trend, search based upon time, address,
    alert type, priority, classification and sensor

90
Components of a typical SNORT system - 2
  • MySQL database server to store alerts and ready
    for analysis and inspection
  • Web Server for hosting ACID web-based console
    that usually connected to a database
  • Web Browser for user interface
  • Remote admin software to update sensor rules
    (optional)

91
Components of a typical SNORT system
92
IPS Intrusion prevention system
  • A new class of security tool
  • place more focus on prevention
  • concepts prevention strategies
  • host-based memory and process protection
  • kill process that appears malicious, or when it
    try to execute a buffer overflow (e.g.
    anti-spyware)
  • session interception
  • terminate a TCP session by sending RST packet to
    tear down connection, also known as session
    sniping
  • gateway intrusion detection
  • modify ACL to block hostile traffic automatically
  • e.g. SnortSAM

93
Honeypot - 1
  • Honeypot is a tool used commonly for network
    security
  • for computer crime forensic
  • it is a decoy IDS, part of the company resource
    waiting to be probed, attacked, or compromised.
  • it can be a decoy service, decoy host (I.e
    Honeypot) or decoy network (Honeynet)
  • They don't fix a single problem, instead they can
    help in prevention, detection, or information
    gathering.

94
Honeypot - 2
  • Honeypots are closely monitored network decoys
    serving several purposes
  • distract hackers from more valuable machines on a
    network
  • provide early warning about new attack and
    exploitation trends
  • allow in-depth examination of adversaries during
    and after exploitation of a honeypot.
  • Honeypot should be highly secure and isolated by
    the rest of the network.

95
Summary - 1
  • Firewall
  • modern FW packet filter, proxy, NAT, VPN
  • packet-filter firewall filters at the network or
    transport layer
  • stateless inspection (static packet filter)
  • stateful inspection (dynamic packet filter)
  • proxy firewall filters at the application layer
    (many rules can be applied)
  • usually work with proxy servers to provide large
    hard-disk storage for content cache.

96
Summary - 2
  • NAT
  • solve the problem of IP address limitation
  • provide load balance and redundancy
  • Foure modes Dynamic Translation (IP Masquerade),
    Static Translation (Port Forwarding), Loading
    Balancing Translation and Network Redundancy
    Translation
  • IDS
  • active detection to monitor the network status
  • three methods signature, statistical and
    integrity
  • four types network, host, applications and
    integrity
Write a Comment
User Comments (0)
About PowerShow.com