PERIMETER SECURITY Dr. Andy Wu BCIS 4630 Fundamentals of IT Security.

Overview
Firewalls
–Three major types of firewalls: packet filter, stateful inspection, NAT
–Demilitarized Zones (DMZs)
Intrusion detection systems (IDSes)
–Host-based vs. network-based

Firewalls
A device that filters traffic between a protected or “inside” network and a less trustworthy or “outside” network.
Can be implemented as hardware or software.
Usually runs on a dedicated device because performance is critical.
It works based on a series of rules that define what traffic is permissible and what traffic is to be blocked or denied (in both directions).

Packet Filtering Firewalls
Use lines of text called “rules” that define what packets should be allowed or denied, e.g.,
–Any packets coming from the network should be denied.
–No ICMP traffic should be allowed.
–All traffic through Port 80 should be allowed.
The filtering is based on Layer 3 information.
Makes decisions based on IP header information only.
Does not keep track of the state of a connection.

Firewall Rulebases
The rulebase provides the definition of what traffic is allowable and what is not.
Most firewalls have good user interfaces to support rule definition.
General syntax is similar to: from to
Some firewalls have advanced functionality to supplement the basic fields above.


Cisco Firewall Rules
line 1 permit tcp any host eq www
–line 1 is the line number in the rule set
–permit is the action to take
–tcp is the transport-layer protocol the packet uses
–any is the source IP address
–host is the particular destination host
–eq www is the destination port, given by its well-known name (www is translated to port 80)
Allows TCP packets coming from any host and any port to Port 80 on the host.

Cisco Firewall Rules
line 4 permit ip host
–line 4 is the line number in the rule set
–permit is the action to take
–ip is the network-layer protocol the packet uses
– are the source IP address and subnet mask
–host is the particular destination host
Allows IP packets from any host in the network to get to the host.
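The two rule lines above are evaluated the way every stateless packet filter evaluates its rulebase: top to bottom, first match wins, and whatever matches nothing is dropped by the implicit deny at the end of the list. The following is an added example, not Cisco's code and not from the slides: a small parser and first-match evaluator for rules written in that style. It goes slightly beyond the two slide lines by handling wildcard masks and a few port names. The hosts, networks and the rule set are constructed for the demo (192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are the reserved documentation ranges).

```python
"""Added example (not Cisco's code, not from the slides): first-match
evaluation of Cisco-style access-list lines. All addresses below are
constructed; they use the documentation ranges."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Well-known port names Cisco accepts in place of numbers (a small subset)
PORT_NAMES = {"www": 80, "ftp": 21, "smtp": 25, "domain": 53, "telnet": 23}


@dataclass
class Rule:
    line: int
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches any protocol; otherwise "tcp", "udp", "icmp"
    src: object            # ip_network
    dst: object            # ip_network
    dport: Optional[int]   # None means any destination port


def _parse_addr(tokens):
    """Consume one address spec from tokens: 'any', 'host A.B.C.D', or
    'A.B.C.D WILDCARD' (Cisco wildcard masks are inverted netmasks)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ip_network("0.0.0.0/0")
    if tok == "host":
        return ip_network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)
    prefix = 32 - sum(bin(int(octet)).count("1") for octet in wildcard.split("."))
    return ip_network(f"{tok}/{prefix}", strict=False)


def parse_rule(text):
    """Parse 'line N permit|deny PROTO SRC DST [eq PORT]'."""
    tokens = text.split()
    if tokens[0] != "line":
        raise ValueError("rule must start with 'line N'")
    line, action, proto = int(tokens[1]), tokens[2], tokens[3]
    rest = tokens[4:]
    src = _parse_addr(rest)
    dst = _parse_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        name = rest[1]
        dport = PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return Rule(line, action, proto, src, dst, dport)


def evaluate(rules, proto, src_ip, dst_ip, dst_port=None):
    """Return (action, line) of the first matching rule, or ('deny', None)
    for the implicit deny. Only header fields are consulted: no state."""
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if ip_address(src_ip) not in r.src or ip_address(dst_ip) not in r.dst:
            continue
        if r.dport is not None and r.dport != dst_port:
            continue
        return r.action, r.line
    return "deny", None


# Constructed rule set: web to one host, no ICMP anywhere, then one subnet to a second host
ACL = [parse_rule(t) for t in (
    "line 1 permit tcp any host 192.0.2.10 eq www",
    "line 2 deny icmp any any",
    "line 3 permit ip 198.51.100.0 0.0.0.255 host 192.0.2.20",
)]

if __name__ == "__main__":
    print(evaluate(ACL, "tcp", "203.0.113.5", "192.0.2.10", 80))    # ('permit', 1)
    print(evaluate(ACL, "tcp", "203.0.113.5", "192.0.2.10", 22))    # ('deny', None): implicit deny
    print(evaluate(ACL, "icmp", "198.51.100.7", "192.0.2.20"))      # ('deny', 2): line 2 wins over line 3
    print(evaluate(ACL, "udp", "198.51.100.7", "192.0.2.20", 53))   # ('permit', 3)
```

The ICMP case is the one to notice: line 3 would permit any IP traffic from that subnet, but the earlier deny on line 2 is reached first, so rule order, not rule content alone, decides the outcome.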

Stateful Inspection
A common approach to evading detection by firewalls is to split the packets involved in an attack into multiple packets so that the firewall cannot detect the attack from any single packet.
If a firewall can track all packets belonging to a session, it has a better chance of detecting such an attack.
Whereas packet filters only look into the Layer 3 header, stateful inspection firewalls also check Layer 4 information.

Stateful Inspection Firewalls
They maintain a state table of sessions.
When a stateful firewall receives a packet, it first searches its state table to see whether a connection has already been established and whether this packet was requested.
–If a packet arrives with no record of its being part of a legitimate session, the firewall blocks access by dropping it.
Stateful firewalls work at Layers 3 and 4.
Stateful monitoring enables a system to determine which sets of communications are permissible and which should be blocked.

Network Address Translation (NAT)
NAT translates between two addressing schemes, public and private.
This permits enterprises to use the non-routable private IP address space internally and reduces the number of external IP addresses they consume on the Internet.
When outside (i.e. Internet-based) resources are needed, NAT assigns the internal hosts valid external IP addresses so that they can establish connections to those resources.
Typically, the NAT firewall draws on a pool of external IP addresses and keeps track of which internal address is using which external address at any given time.
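The state table from the stateful inspection slides and the NAT address pool from this slide are the same bookkeeping problem, so one added example (my own toy, not the slides' code and not any vendor's implementation) covers both: inside hosts open connections, the firewall records each session and lends the host a public address from its pool, and a packet arriving from the outside is admitted and translated back only when it answers a recorded session. The private and public addresses, the pool size and the packets are all constructed for the demo; TCP is reduced to a flags string and nothing times out.

```python
"""Added example (not from the slides): a toy stateful firewall with a NAT
address pool. Addresses and packets are constructed for the demo."""
from dataclasses import dataclass

PUBLIC_POOL = ["203.0.113.1", "203.0.113.2"]   # constructed NAT pool (documentation range)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""       # "S" = SYN, "SA" = SYN-ACK, "A" = ACK, "F" = FIN (TCP only)


class StatefulNatFirewall:
    def __init__(self, pool):
        self.free = list(pool)
        self.nat = {}          # inside address -> public address currently lent to it
        self.sessions = set()  # state table: (proto, inside_src, sport, dst, dport)

    def outbound(self, pkt):
        """Inside -> outside. Returns the translated packet, or None if dropped."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.sessions:
            if pkt.proto == "tcp" and pkt.flags != "S":
                return None        # mid-stream packet with no session: not a connection start
            if pkt.src not in self.nat:
                if not self.free:
                    return None    # pool exhausted: no public address to lend
                self.nat[pkt.src] = self.free.pop(0)
            self.sessions.add(key)
        public = self.nat[pkt.src]
        # the Internet sees the public address, never the private one
        return Packet(pkt.proto, public, pkt.sport, pkt.dst, pkt.dport, pkt.flags)

    def inbound(self, pkt):
        """Outside -> inside. Admitted only if it answers a recorded session."""
        inside = next((i for i, p in self.nat.items() if p == pkt.dst), None)
        key = (pkt.proto, inside, pkt.dport, pkt.src, pkt.sport)
        if inside is None or key not in self.sessions:
            return None            # unsolicited: no state entry, dropped
        # untranslate back to the private address the session belongs to
        return Packet(pkt.proto, pkt.src, pkt.sport, inside, pkt.dport, pkt.flags)

    def close(self, pkt):
        """Inside host finished; drop the session and free the public address if idle."""
        self.sessions.discard((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if pkt.src in self.nat and not any(s[1] == pkt.src for s in self.sessions):
            self.free.append(self.nat.pop(pkt.src))


def demo():
    """Walk one session through the firewall; returns the interesting results."""
    fw = StatefulNatFirewall(PUBLIC_POOL)
    syn = Packet("tcp", "10.0.0.5", 40000, "198.51.100.80", 80, "S")
    out = fw.outbound(syn)                       # session recorded, source translated
    reply = Packet("tcp", "198.51.100.80", 80, out.src, 40000, "SA")
    back = fw.inbound(reply)                     # matches the state table: admitted
    stray = fw.inbound(Packet("tcp", "198.51.100.80", 80, out.src, 40001, "SA"))  # wrong port: dropped
    midstream = fw.outbound(Packet("tcp", "10.0.0.6", 5000, "198.51.100.80", 80, "A"))  # no SYN: dropped
    return out.src, back.dst, stray, midstream


if __name__ == "__main__":
    print(demo())   # ('203.0.113.1', '10.0.0.5', None, None)
```

The two `None` results are the point of the state table: the stray SYN-ACK and the mid-stream ACK are both well-formed packets that a pure header-based filter with a "permit established" rule might accept, but neither corresponds to a session the firewall watched being opened from the inside.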

Demilitarized Zone (DMZ)
[diagram: DMZ]

Demilitarized Zone (DMZ)
A buffer zone between the Internet, where no controls exist, and the inner secure network, where an organization has security policies in place.
The idea behind the use of the DMZ topology is to force a user to make at least one hop in the DMZ before accessing information inside the trusted network.
To demarcate the zones and enforce separation, a firewall is used on each side of the DMZ.
–The area between these firewalls is accessible from either the inner secure network or the Internet.
–The firewalls are specifically designed to prevent access across the DMZ directly from the Internet to the inner secure network.

DMZ As Layered Security Protection
Different zones provide layers of defense:
–Successive zones are guarded by firewalls enforcing increasingly strict security policies.
–The outer firewall provides less protection than the inner firewall does.
Accessibility is inversely related to the level of protection.
–The DMZ is less protected but more accessible to users on the Internet.
–The inner network is more protected but not readily accessible to external users.
It is difficult to provide complete protection and unfettered access at the same time.
–Trade-offs between access and security are handled through zones.

Servers in the DMZ
Servers typically placed in the DMZ include Web servers, FTP servers, remote access service (RAS) servers, mail servers, etc.
Any server directly accessed from the outside, untrusted Internet zone needs to be in the DMZ.
–All the standard servers used in the trusted network, as well as the routers and switches that connect these machines together, should be behind the inner firewall.
Special attention should be given to the security settings of the network devices placed in the DMZ.
–They should be treated as exposed to unauthorized use, i.e. as if already compromised.
–Still, efforts should be made to harden servers in the DMZ.

Intrusion Detection
An intrusion is any use or attempted use of a system that exceeds authentication limits.
Intrusions are similar to incidents.
–An incident does not necessarily involve an active system or network device; an intrusion does.
An intrusion detection system (IDS) is software/hardware that monitors activity on the system or network.
–And delivers an alert if it notices suspicious activity.

Snort Configuration
Snort's behavior is controlled by a configuration file (specified with the –c command line switch) that is loaded when Snort is started.
In this file, we can define:
–What constitutes the external networks (the EXTERNAL_NET variable)
–What is considered the internal network (the HOME_NET variable)
–Where to find rules files if Snort is instructed to use them (the RULE_PATH variable)

Snort Rules
alert tcp any any -> / (content:"| a5| ";msg:"mountd access";)
–alert specifies the action to take
–tcp specifies the protocol
–any any specifies the source network and port
– /24 specifies the destination network
–111 specifies the port
–content specifies the value of a payload
–msg specifies the message to send

Snort Rules
If a packet
–comes from a network as defined by the EXTERNAL_NET variable, regardless of the source port (any),
–goes to a host in the “home” network as defined by the HOME_NET variable, regardless of the destination port (any),
–and the F, P, and U bits are on (the 12 modifier means the two reserved bits are ignored in the comparison, e.g. if we wanted to detect a SYN packet regardless of what is in the 2 reserved bits),
then raise an alert with the message “Xmas Scan”.
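To make the three Snort slides concrete, here is an added example of my own (not Snort's engine, not code from the slides) that parses the two rule shapes discussed, a content rule on port 111 and a flags rule, resolves $HOME_NET and $EXTERNAL_NET from a constructed variable table standing in for snort.conf, and checks constructed packets against them. The addresses, the payload bytes in the content option and the packets are made up for the demo; the hex-in-pipes content syntax and the `flags:FPU,12` semantics (those three flags set, the two reserved bits ignored) are Snort's real syntax.

```python
"""Added example (not Snort's code, not from the slides): a minimal rule
matcher for header fields, content bytes and TCP flags. Rules, variables,
addresses and packets are constructed for the demo."""
import re
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the snort.conf variables the slides mention
VARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!192.168.1.0/24"}

HEADER = re.compile(r"(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

# TCP flag letters as Snort spells them, with the two reserved bits as 1 and 2
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "1": 0x40, "2": 0x80}


def _resolve(tok):
    """Expand $VAR, then return (negated, ip_network or None for 'any')."""
    if tok.startswith("$"):
        tok = VARS[tok[1:]]
    negated = tok.startswith("!")
    tok = tok.lstrip("!")
    return negated, None if tok == "any" else ip_network(tok, strict=False)


def _addr_match(spec, ip):
    negated, net = spec
    hit = net is None or ip_address(ip) in net
    return hit != negated


def _port_match(spec, port):
    return spec == "any" or int(spec) == port


def _content_bytes(text):
    """Snort content: literal text, with |xx xx| sections taken as raw hex."""
    out = b""
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return out


def _flags_match(spec, tcp_flags):
    """'FPU,12': exactly F, P and U set, ignoring reserved bits 1 and 2."""
    want, _, ignore = spec.partition(",")
    mask = 0xFF
    for c in ignore:
        mask &= ~FLAG_BITS[c]
    need = sum(FLAG_BITS[c] for c in want)
    return (tcp_flags & mask) == need


def parse_rule(rule):
    m = HEADER.match(rule)
    if m is None:
        raise ValueError("unparsable rule: " + rule)
    action, proto, src, sport, dst, dport, body = m.groups()
    opts = {}
    for opt in filter(None, (o.strip() for o in body.split(";"))):
        k, _, v = opt.partition(":")
        opts[k] = v.strip().strip('"')
    return {"action": action, "proto": proto,
            "src": _resolve(src), "sport": sport, "dst": _resolve(dst), "dport": dport,
            "content": _content_bytes(opts["content"]) if "content" in opts else None,
            "flags": opts.get("flags"), "msg": opts.get("msg")}


def match(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport, flags (int), payload (bytes)."""
    if rule["proto"] != pkt["proto"]:
        return False
    if not (_addr_match(rule["src"], pkt["src"]) and _addr_match(rule["dst"], pkt["dst"])):
        return False
    if not (_port_match(rule["sport"], pkt["sport"]) and _port_match(rule["dport"], pkt["dport"])):
        return False
    if rule["content"] is not None and rule["content"] not in pkt["payload"]:
        return False
    if rule["flags"] is not None and not _flags_match(rule["flags"], pkt["flags"]):
        return False
    return True


# Constructed rules in the shape of the two on the slides (content bytes are made up)
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> 192.168.1.0/24 111 (content:"|c0 ff ee|"; msg:"mountd access";)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (flags:FPU,12; msg:"Xmas Scan";)',
)]


def alerts_for(pkt):
    return [r["msg"] for r in RULES if match(r, pkt)]


# Constructed packets: one carrying the content bytes to port 111, one with F+P+U
# (plus a reserved bit) from outside, and the same flags from an inside host.
PKT_MOUNTD = {"proto": "tcp", "src": "10.9.8.7", "sport": 3344, "dst": "192.168.1.20",
              "dport": 111, "flags": 0x18, "payload": b"\x00\x00\xc0\xff\xee\x01"}
PKT_XMAS = {"proto": "tcp", "src": "10.9.8.7", "sport": 5555, "dst": "192.168.1.5",
            "dport": 22, "flags": 0x29 | 0x40, "payload": b""}
PKT_XMAS_INSIDE = dict(PKT_XMAS, src="192.168.1.9")

if __name__ == "__main__":
    print(alerts_for(PKT_MOUNTD))        # ['mountd access']
    print(alerts_for(PKT_XMAS))          # ['Xmas Scan']  (reserved bit ignored)
    print(alerts_for(PKT_XMAS_INSIDE))   # []  ($EXTERNAL_NET excludes HOME_NET)
```

The third packet is the configuration lesson: because `EXTERNAL_NET` is defined as the negation of `HOME_NET`, the same flag pattern from an inside host produces no alert, so what the variables say decides what the rule covers.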

False Responses
There is no way for an IDS to know the true intent behind an activity and determine whether it is benign or hostile.
–Thus, the IDS can react only as it has been programmed.
False positive – An IDS matches a pattern and generates an alarm for benign traffic.
False negative – Hostile activity does not match an IDS signature and, therefore, goes undetected.

                     Intrusion Occurred    Intrusion Not Occurred
IDS Alerts           OK                    False Positive
IDS Does not Alert   False Negative        OK

Main Categories of IDSs
Host-Based IDS (HIDS)
–Concerned only with activity on an individual system and usually has no visibility into the activity on the network or systems around it.
Network-Based IDS (NIDS)
–Has visibility only into the traffic crossing the network link it is monitoring and typically has no idea of what is happening on individual systems.

Host-Based IDS
Examines log files, audit trails, and network traffic coming in to or leaving a specific host.
–Operates in real time, looking for activity as it occurs.
–Operates in batch mode, looking for activity on a periodic basis.
They may be self-contained, but many of the newer commercial products have been designed to report to and be managed by a central system.
Host-based systems use local system resources to operate.

HIDS Focus - Log Files
A HIDS searches the log files or audit trails from the local OS for hostile actions or misuse activities, e.g.,
–Logins at odd hours
–Login authentication failures
–Adding new user accounts
–Modification or access of critical system files
–Modification or removal of binary files (executables)
–Starting or stopping processes
–Privilege escalation
–Using certain programs
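As an added example of the batch-mode log review this slide describes (my own code, not from the slides and not any product's detection logic), the script below scans a constructed, syslog-style authentication log for four of the listed event types: logins at odd hours, repeated authentication failures from one source, creation of a new account, and privilege escalation to a root shell via sudo. The log lines, hostnames, usernames, the "odd hours" window and the failure threshold are all made up for the demo; a real HIDS would read the OS audit trail and carry many more checks.

```python
"""Added example (not from the slides): a small host log monitor over a
constructed auth log. Format, names and thresholds are made up for the demo."""
import re
from collections import Counter

# Constructed sample of an auth log (syslog-style, one event per line)
SAMPLE_LOG = """\
Mar 14 09:02:11 host1 sshd[410]: Accepted password for alice from 10.0.0.8 port 5100 ssh2
Mar 14 03:17:45 host1 sshd[422]: Accepted password for bob from 10.0.0.9 port 5201 ssh2
Mar 14 03:18:02 host1 sshd[425]: Failed password for root from 10.0.0.9 port 5202 ssh2
Mar 14 03:18:05 host1 sshd[425]: Failed password for root from 10.0.0.9 port 5202 ssh2
Mar 14 03:18:09 host1 sshd[425]: Failed password for root from 10.0.0.9 port 5202 ssh2
Mar 14 03:18:12 host1 sshd[425]: Failed password for root from 10.0.0.9 port 5202 ssh2
Mar 14 03:20:30 host1 useradd[440]: new user: name=svc_backup, UID=1007, GID=1007
Mar 14 03:21:01 host1 sudo: bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar 14 10:15:00 host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
"""

# "Mon DD HH:MM:SS host program[pid]: message"
LINE = re.compile(r"^\w{3}\s+\d+\s+(\d\d):\d\d:\d\d\s+(\S+)\s+(\S+?)(?:\[\d+\])?:\s+(.*)$")
ODD_HOURS = range(0, 6)                    # 00:00-05:59 is "odd hours" (constructed policy)
FAIL_THRESHOLD = 3                         # failures from one (user, source) before alerting
SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh"}  # a sudo to one of these is an interactive root shell


def parse(line):
    """Split one log line into hour, host, program and message; None if malformed."""
    m = LINE.match(line)
    if not m:
        return None
    hour, host, prog, msg = m.groups()
    return {"hour": int(hour), "host": host, "prog": prog, "msg": msg}


def analyze(log_text):
    """Return a list of (finding, subject, detail) tuples in log order."""
    findings = []
    failures = Counter()
    for line in log_text.splitlines():
        ev = parse(line)
        if not ev:
            continue
        msg = ev["msg"]
        m = re.match(r"Accepted \w+ for (\S+) from (\S+)", msg)
        if m and ev["hour"] in ODD_HOURS:
            findings.append(("odd-hour login", m.group(1), m.group(2)))
        m = re.match(r"Failed \w+ for (\S+) from (\S+)", msg)
        if m:
            key = (m.group(1), m.group(2))
            failures[key] += 1
            if failures[key] == FAIL_THRESHOLD:     # alert once, when the threshold is crossed
                findings.append(("repeated auth failures",) + key)
        m = re.match(r"new user: name=(\w+)", msg)
        if m:
            findings.append(("new account", m.group(1), ev["host"]))
        m = re.match(r"(\S+) : .*USER=root ; COMMAND=(\S+)", msg)
        if m and ev["prog"] == "sudo" and m.group(2) in SHELLS:
            findings.append(("privilege escalation to root shell", m.group(1), m.group(2)))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Run against the sample it reports four findings, in log order: bob's 03:17 login, the third failed root password from 10.0.0.9, the `svc_backup` account, and bob's sudo to `/bin/bash`; alice's daytime login and her sudo to `apt` match no check. Note the batch character: the failure counter only fires when the threshold is crossed, so the log has to be read as a whole, not line by line in isolation.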

HIDS Pros and Cons
The advantages of host-based IDSs include:
–Operating system-specific and more detailed.
–Reduced false positive rates.
–Examination of data after decryption.
–Application specific.
–Can determine an alarm’s impact on the protected system, which reduces the number of alarms generated.
Before deployment, weigh the disadvantages of this technology:
–One HIDS per system watched.
–High cost of ownership and maintenance.
–Uses local system resources.
–Focused view; cannot relate to activity around it.
–A locally logged IDS may be compromised or disabled.

Network-Based IDS
A network IDS (NIDS) examines network traffic as it passes by.
–Bits and bytes traveling through cables interconnecting the systems.
–It must be able to analyze traffic by protocol, type, amount, source, destination, content, and traffic already seen.
–The analysis must happen quickly. To be effective, the IDS must be able to handle traffic at whatever speed the network operates.

NIDS Focus – Network Traffic
A NIDS analyzes traffic patterns to detect activities that represent hostile actions or misuse:
–Denial-of-Service attacks
–Port scans or sweeps
–Malicious content in the data payload of a packet or packets
–Vulnerability scanning
–Trojans, viruses, or worms
–Tunneling
–Brute-force attacks

NIDS Pros and Cons
NIDS advantages
–Takes fewer systems to provide IDS coverage.
–Lower deployment, maintenance, and upgrade costs.
–Has visibility into all network traffic and can correlate attacks among multiple systems.
NIDS disadvantages
–Ineffective when traffic is encrypted.
–Cannot see traffic that does not cross it.
–Must be able to handle high volumes of traffic.
–It does not know about activity on the hosts themselves.

Misuse (Signature) Detection Model
The IDS looks for suspicious activity or activity that violates specific policies and then reacts as it has been programmed.
–This is the more efficient model. It does not need to learn what “normal” behavior is, and generates an alarm whenever a pattern is successfully matched.
–The greatest weakness of a misuse model is its reliance on a predefined signature base. Any activity that the misuse-based IDS does not have a signature for will go undetected.

Anomaly Detection Model
The intrusion detection system must know what “normal” behavior on the host or network being protected really is.
–Once the “normal” behavior baseline is established, the IDS can then identify deviations from the norm, which are further scrutinized to determine if that activity is malicious.
Building the profile of normal activity is usually done by the IDS.
–This is done with some input from security administrators, and can take days or months.

Anomaly Detection Model
The IDS must be flexible enough to account for things such as new systems, new users, and movement of information resources, while being sensitive enough to detect abnormal traffic.
An anomaly-based system is not restricted to a specific signature set and is far more likely to identify a new exploit or attack tool that would go unnoticed by a traditional IDS.
Most anomaly-based systems suffer from high false positives, especially during the “break-in” period while it is learning the network.
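The following added example (my own code, not from the slides) puts the misuse and anomaly models side by side on a constructed minute-by-minute traffic summary and scores both against ground-truth labels, so the false positive / false negative table from the False Responses slide can be filled in for each. The misuse detector matches a known byte signature; the anomaly detector learns a baseline of "distinct destination ports per minute" from a training window and flags values more than three standard deviations above it. The signature bytes, the traffic numbers and the labels are all made up for the demo, and shortening the training window is how the "break-in" period's extra false positives are shown.

```python
"""Added example (not from the slides): signature vs. anomaly detection on
constructed traffic, scored against constructed ground truth."""
from statistics import mean, pstdev

KNOWN_BAD = b"EVIL-TOOL-v1"   # constructed signature of a known attack tool

# Constructed per-minute summary for one host: distinct destination ports seen,
# a payload excerpt, and the ground truth we score against.
TRAFFIC = [
    {"minute": m, "ports": p, "payload": b"GET /", "attack": False}
    for m, p in enumerate([3, 2, 4, 3, 3, 2, 4, 3, 6, 3])          # ordinary browsing
] + [
    {"minute": 10, "ports": 3,  "payload": b"EVIL-TOOL-v1 connect", "attack": True},   # known tool
    {"minute": 11, "ports": 60, "payload": b"",                     "attack": True},   # novel port sweep
    {"minute": 12, "ports": 25, "payload": b"BACKUP",               "attack": False},  # benign backup job
    {"minute": 13, "ports": 3,  "payload": b"GET /",                "attack": False},
]


def misuse_alerts(events):
    """Signature model: alert only when a known pattern is present."""
    return {e["minute"] for e in events if KNOWN_BAD in e["payload"]}


def anomaly_alerts(events, train_minutes, z=3.0):
    """Anomaly model: learn a baseline from the first train_minutes, then flag
    outliers. Minutes inside the training window are learned from, not alerted on."""
    train = [e["ports"] for e in events[:train_minutes]]
    threshold = mean(train) + z * pstdev(train)
    return {e["minute"] for e in events[train_minutes:] if e["ports"] > threshold}


def score(events, alerts, skip_before=0):
    """Confusion counts over minutes >= skip_before, so both models are scored
    on the same minutes (the anomaly model cannot alert during training)."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for e in events:
        if e["minute"] < skip_before:
            continue
        alerted = e["minute"] in alerts
        if e["attack"]:
            counts["tp" if alerted else "fn"] += 1
        else:
            counts["fp" if alerted else "tn"] += 1
    return counts


def compare(train_minutes=10):
    """Score both detectors on the minutes after the training window."""
    return {"misuse": score(TRAFFIC, misuse_alerts(TRAFFIC), train_minutes),
            "anomaly": score(TRAFFIC, anomaly_alerts(TRAFFIC, train_minutes), train_minutes)}


if __name__ == "__main__":
    for window in (10, 5):
        print(f"training window {window} min:", compare(window))
```

With the full ten-minute baseline the misuse detector catches the known tool and misses the novel sweep (one false negative, no false positives), while the anomaly detector does the reverse and additionally fires on the benign backup job (one false positive). Cutting the training window to five minutes leaves the misuse scores unchanged but gives the anomaly detector a second false positive, because a baseline learned from too little traffic has not yet seen the benign variance it will later be asked to tolerate.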