Topics
1. Firewalls
2. Virtual Private Networks
3. Intrusion Detection and Prevention
4. Honeypots
What is a Firewall?
A software or hardware component that
restricts network communication between
two computers or networks.
In buildings, a firewall is a fireproof wall
that restricts the spread of a fire.
Network firewall prevents threats from
spreading from one network to another.
Internet Firewalls
Many organizations/individuals deploy a firewall
to restrict access to their network from Internet.
What is a Firewall? (2)
A mechanism to enforce security policy
– Choke point that traffic has to flow through.
– ACLs on a host/network level.
Policy Decisions:
– What traffic should be allowed into network?
• Integrity: protect integrity of internal systems. • Availability: protection from DOS attacks.
– What traffic should be allowed out?
Types of Firewalls
Packet Filters (Stateless)
– If individual packet matches rules, then either accept or drop it.
Stateful Filters
– Maintains records of all connections, so that – It can accept/deny entire TCP or UDP session.
Application Layer Firewalls
– A proxy server that relays byte streams from client to server and vice versa.
Stateless Firewalls
A stateless firewall doesn’t maintain any remembered context (or “state”) with respect to the packets it is processing. Instead, it
treats each packet attempting to travel through it in isolation without considering packets that it has processed previously.
Trusted internal network SYN Seq = x Port=80 SYN-ACK Seq = y Ack = x + 1 ACK Seq = x + 1 Ack = y + 1 Client Server Firewall
Packet Filtering Information
Forward or drop packets based on TCP/IP header
information, most often:
– IP source and destination addresses – Protocol (ICMP, TCP, or UDP)
– TCP/UDP source and destination ports – TCP Flags, especially SYN and ACK – ICMP message type
Dual-homed hosts also make decisions based on:
– Network interface the packet arrived on.
Stateful Firewalls
Allow only requested TCP connections:
Trusted internal network SYN Seq = x Port=80 SYN-ACK Seq = y Ack = x + 1 ACK Seq = x + 1 Ack = y + 1
Allow outbound TCP sessions, destination port=80 Client SYN-ACK Seq = y Port=80 Attacker (blocked) 128.34.78.55 76.120.54.101 Server Firewall
Firewall Deployment
Gateway Router
– Filtering at interface between networks allows
control via a choke point.
– Can filter spoofed IP addresses.
Host
– Filter packets on each individual computer.
– How to manage thousands of packet filters?
Ingress/Egress Filtering
Block spoofed IP addresses
Ingress Filtering
Drop packets arriving on external interface
whose source IP addresses claims to be from
internal network.
Egress Filtering
Drop packets arriving on internal interface
whose source IP address is not from internal
network.
Packet Filtering Summary
Advantages:
– One packet filter can protect an entire network – Efficient (requires little CPU)
– Supported by most routers
Disadvantages:
– Difficult to configure correctly
• Must consider rule set in its entirety – Difficult to test completely
– Performance penalty for complex rulesets
• Stateful packet filtering much more expensive – Enforces ACLs at layer 3 + 4, without knowing any
Proxy Servers
Proxy host relays Transport/App connections
– Client makes connection to proxy.
– Proxy forwards connection to server.
Proxy can provide multiple security features:
– Access Control
– Authentication
– Logging
Example: SOCKS v5
Socks Server
Socks Client Library
– Clients must be linked against library.
– Library offers replacements for UNIX network
socket system calls.
User Authentication Protocols
– Cleartext username/password.
– GSS-API authentication.
Application Layer Firewalls
Application layer rules
– HTTP: URLs, headers, etc.
– SMTP: spam statistics
More complex
– Only 2
16ports, but
Single Firewall
Simplest type of firewall—one host acts as a
Firewall Limitations
Cannot protect from internal attacks
– May be able to limit access with internal
firewalls to a segment of your network.
Cannot protect you from user error
– Users will still run trojan horses that make it
past your AV scanner.
Firewall mechanism may not precisely
enforce your security policy.
Tunneling
Tunneling:
Encapsulation of one network protocol
in another protocol
– Carrier Protocol: protocol used by network through which the information is travelling
– Encapsulating Protocol: protocol (GRE, IPsec, L2TP) that is wrapped around original data
– Passenger Protocol: protocol that carries original data
Can be used to encrypt connections or provider other
security features not available to passenger protocol.
Tunneling vs. Eavesdropping
Tunnel over ssh or SSL to offer encryption of packets.
Server Client
Encapsulating protocol
(does end-to-end encryption and decryption)
TCP/IP TCP/IP
Untrusted Internet
IPSec
IPSec defines a set of protocols to provide
confidentiality and authenticity for IP packets
Each protocol can operate in one of two modes,
transport mode
or
tunnel mode.
– In
transport mode,
additional IPsec header
information is inserted before the data of the
original packet, and only the payload of the packet
is encrypted or authenticated.
– In
tunnel mode
, a new packet is constructed with
IPsec header information, and the entire original
packet, including its header, is encapsulated as the
payload of the new packet.
Virtual Private Network (VPN)
Two or more computers or networks connected
by a private tunnel through a public network
(typically the Internet.)
Requirements:
– Confidentiality: encryption
– Integrity: MACs, sequencing, timestamps
Firewall Interactions
– Tunnels can bypass firewall
Types of VPNs
Remote access VPNs allow authorized clients to access a
private network that is referred to as an intranet.
– For example, an organization may wish to allow employees access to the company network remotely but make it appear as though they are local to their system and even the Internet
itself.
– To accomplish this, the organization sets up a VPN endpoint, known as a network access server, or NAS. Clients typically install VPN client software on their machines, which handle negotiating a connection to the NAS and facilitating
communication.
Site-to-site VPN solutions are designed to provide a secure
bridge between two or more physically distant networks.
Models of Intrusion Detection
1. Anomaly detection
– What is usual, is known. – What is unusual, is bad. – Statistical IDS.
– Need to update profile so that it matches current usual activities on systems.
2. Misuse detection
– What is bad is known.
– Look for what is bad, hope it doesn’t change. – Rule based IDS.
Possible Alarm Outcomes
Intrusion Attack No Intrusion Attack
Alarm Sounded
No Alarm Sounded
Base-Rate Fallacy
• Difficult to create IDS with high true-positive
rate and a low false-negative rate.
• If the number of actual intrusions is relatively
small compared to the amount of data being
analyzed, then the effectiveness of an intrusion
detection system can be reduced.
• In particular, the effectiveness of some IDSs
can be misinterpreted due to a statistical error
known as the
base-rate fallacy.
• This type of error occurs when the probability
of some conditional event is assessed without
considering the “base rate” of that event.
Base-Rate Fallacy Example
Example case
– IDS 99% accurate, 1% false positives or negatives – IDS generates 1,000,100 log entries.
– Base rate is 100 malicious events of 1,000,100 examined.
Results
– Of 100 malicious events, 99 will be detected as malicious, which means we have 1 false negative.
– Of 1,000,000 benign events, 10,000 will be mistakenly identified as malicious. That is, we have 10,000 false positives!
– Thus, 10,099 alarms sounded, 10,000 of which are false alarms. Roughly 99% of our alarms are false alarms.
IDS Components
Untrusted Internet IDS Manager IDS Sensor router router router IDS Sensor FirewallIDS Architecture
An IDS is essentially a sophisticated audit system
– Sensors gathers data for analysis from hosts or network. – Manager analyzes data obtained from sensors according
to its internal rules.
– Notifier acts on manager results.
• May simply notify security officer.
• May reconfigure sensors or manager to alter collection, analysis methods.
Intrusion Prevention Systems
What else can you do with IDS alerts?
– Identify attack
before
it completes.
– Prevent it from completing.
How to prevent attacks?
– Directly: IPS drops packets, kills TCP sessions.
– Indirectly: IPS modifies firewall rules.
Is IPS a good idea?
IPS Deployment Types
Inline IPS Intranet Non-Inline Intranet IPSActive Responses by Network Layer
Data Link
: Shut down a switch port. Only useful
for local intrusions. Rate limit switch ports.
Network
: Block a particular IP address.
– Inline: can perform blocking itself. – Non-inline: send request to firewall.
Transport
: Send TCP RST or ICMP messages to
sender and target to tear down TCP sessions.
Application
: Inline IPS can modify application data
to be harmless: /bin/sh -> /ben/sh
Honeypots and Honeynets
Honeypot
: a system designed solely for intruders to
attack in order to accomplish one or more of the
following goals. Also known as a
honeynet
.
1. Detect intrusions with very few false positives, since legitimate users have no reason to access honeypot. 2. Monitor attacker activities to determine targeted
assets, origin, motivation, capabilities, etc.
3. Waste intruder time attacking honeypot, so that defender has time to respond to incident.
Low Interaction Honeypots
honeyd
: responds to probes on a set of unused IP
addresses via shell scripts that can return banners for
simple scans like nmap –sV.
nepenthes
: emulates vulnerable Windows services
to collect exploits and malware.
Dionaea
: scriptable honeypot designed to be able to
emulate wide variety of vulnerable services to collect
exploits and malware.
Fakenet
: simulates DNS, HTTP, HTTPS to
dynamically analyze malware. Returns reasonable
responses to malware requests.
Medium Interaction Honeypots
Kippo is a medium interaction ssh honeypot
designed to log brute force attacks and attacker shell
commands. Inspired by Kojoney, a LI ssh honeypot.
– Fake filesystem with the ability to add/remove files. – Possibility of adding fake file contents so the attacker
can 'cat' files such as /etc/passwd. Only minimal file contents are included.
– Saves files downloaded with wget for later inspection – Deception: ssh pretends to connect, apt-get pretends to
High Interaction Honeypots
Honeywall sets up tools for HI honeypots.
– Environment simulation: virtual machines configured
with appropriate tools for the next three tasks.
– Data control: firewalling tools to limit attacker
activities to avoid damaging other systems.
– Data collection: network (snort) and keystroke loggers
(Sebek kernel module).
– Data analysis: tools to extract relevant data from
Client Honeypots
Honeymonkey
– Microsoft Research project.
– Network of VMs running IE crawling the web
in search of malicious sites that attempt to
exploit browsers and distribute malware.
– Multiple versions of Windows and IE used.
Thug
– Low interaction client honeypot.
Honeytokens
A
honeytoken
is data that is designed solely for
attackers to abuse. Any access to the data is an
indication of unauthorized use.
– Attempts to download honeytoken files or database records can be identified by NIDS.
– Medical record systems will sometimes create fake records for celebrities and politicians.
– Mailing lists may contain email addresses published
nowhere else that point to accounts that accept mail and record sender information.
– Maps contain fake streets, towns, or islands to identify when competitors copy the map.
Key Points
1. Firewalls
– Packet filtering (stateless) – Stateful firewalls
– Proxy servers
– Application layer firewalls
2. Firewall Architectures
– Positioning on network – DMZ architectures
3. Virtual Private Networks
– Tunneling Protocols: carrier, encapsulating, passenger – Virtual Private Networks
Key Points (2)
4. Models of IDS:
– Anomaly detection: unexpected events (statistical IDS.) – Misuse detection: violations of policy (rule-based IDS).
5. IPS
– Stop intrusions, but what about false positives?
– Inline vs. non-inline: how do prevention techniques differ?
6. Honeypots deceive attackers
1. Identify intrusions with low false positive rates.
2. Learn more about intrusions, esp. with HI honeypots. 3. Interaction levels: low, medium, high
References
1. William Cheswick, Steven Bellovin, and Avriel Rubin,
Firewalls and Internet Security, 2nd edition, 2003.
2. Simson Garfinkel, Gene Spafford, and Alan Schwartz,
Practical UNIX and Internet Security, 3rd edition,
O’Reilly & Associates, 2003.
3. Goodrich and Tammasia, Introduction to Computer Security, Pearson, 2011.
4. Ed Skoudis, Counter Hack Reloaded, Prentice Hall, 2006.
5. Elizabeth Zwicky, Brent Chapman, Simon Cooper,
Building Internet Firewalls, 2nd edition, O’Reilly &