Download presentation
Presentation is loading. Please wait.
1
Intrusion Detection System (IDS)
Outlines Host-base IDS – Tripewire Network IDS – Snort How to defeat an IDS
2
Intrusion Detection System (IDS)
Host-base IDS – Tripewire Tripwire is a very popular system integrity checker, a utility that compares properties of designated files and directories against information stored in a previously generated database. Any changes to these files are flagged and logged, including those that were added or deleted,with optional and pager reporting. Support files (databases, reports, etc.) are cryptographically signed.
3
Intrusion Detection System (IDS)
Host-base IDS – Tripewire Lab 7: install tripewire IDS to monitor the the integrity of the data of your hosts
4
Intrusion Detection System (IDS)
Network IDS – Snort Snort is a lightweight network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more
5
Intrusion Detection System (IDS)
Network IDS – Snort Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plugin architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user specified file, a UNIX socket, or WinPopup messages to Windows clients using Samba's smbclient.
6
Intrusion Detection System (IDS)
Network IDS – Snort Snort has three primary uses. It can be used as a straight packet sniffer like tcpdump(1), a packet logger (useful for network traffic debugging, etc), or as a full blown network intrusion detection system.
7
Intrusion Detection System (IDS)
Network IDS – Snort snort is a very flexible tool. You can customize the rulesets to suit your needs. We have just give you a very simple introduction in this workshop. For more details of rule setting, you should go to
8
Intrusion Detection System (IDS)
Network IDS – Snort Lab7: Install a snort IDS on your host and use nessus network scanner to test your snort IDS
9
Intrusion Detection System (IDS)
How to defeat a Network IDS Insertion Attack Insert packets that the end-point server will ignore but picked up by IDS as vaild packets. An attacker can use insertion attacks to defeat signature analysis, allowing her to slip attacks past an IDS.
10
Intrusion Detection System (IDS)
How to defeat a Network IDS Insertion Attack E.G. The signature of the php attack may be something like ``GET /cgi-bin/phf?''. We may insert extra packets such the IDS detect the packets as ``GET /cgi-bin/pleasedontdetecttthisforme?'' while the end-point server still read as ``GET /cgi-bin/phf?''
11
Intrusion Detection System (IDS)
How to defeat a Network IDS Insertion Attack
12
Intrusion Detection System (IDS)
How to defeat a Network IDS Insertion Attack Techniques: Using Invalid Sequence no. Most IDS do not check sequence no. Invalid sequence no. packets are reject by end-point servers but may be picked up by these IDS
13
Intrusion Detection System (IDS)
How to defeat a Network IDS Insertion Attack Techniques: Using incorrect TCP checksum. Most IDS do not check TCP checksums. Incorrect TCP checksum packets are reject by end-point servers but may be picked up by these IDS
14
Intrusion Detection System (IDS)
How to defeat a Network IDS Insertion Attack Techniques: Using incorrect TCP checksum. Most IDS do not check TCP checksums. Incorrect TCP checksum packets are reject by end-point servers but may be picked up by these IDS
15
Intrusion Detection System (IDS)
How to defeat a Network IDS Insertion Attack Techniques: Using short TTL. If the IDS sit on the network have many hops away from the end-point servers, short TTL packets will be dropped before they reach the end-point servers. We can just tune the insert packet TTL such that they can pass the IDS but are dropped before the end-point servers.
16
Intrusion Detection System (IDS)
How to defeat a Network IDS Insertion Attack Techniques: Using short TTL
17
Intrusion Detection System (IDS)
How to defeat a Network IDS Evasion Attack An end-system can accept a packet that an IDS rejects. An IDS that mistakenly rejects such a packet misses its contents entirely. E.G. The packets of ``GET /cgi-bin/phf?''may show as ``GET /gin/f'' in IDS detection
18
Intrusion Detection System (IDS)
How to defeat a Network IDS Evasion Attack
19
Intrusion Detection System (IDS)
How to defeat a Network IDS Evasion Attack Techniques Some IDS can only keep track of one host/port connection at a time. Flood the target port with non-existent SNY packet first so that these IDS ignore our real connection afterwards
20
Intrusion Detection System (IDS)
How to defeat a Network IDS Evasion Attack Techniques IP Fragmentation Sending out fragment packets out of order Some IDS assume the fragment packets arrive in order. They just reassemble the data as soon as the marked final fragment arrives. Sending out fragment packets out of order may fool these IDS
21
Intrusion Detection System (IDS)
How to defeat a Network IDS Evasion Attack Techniques Sending overlapping fragment packets There may be a gap between the IDS and end-point server handling overlapping fragment. If the IDS does not handle overlapping fragments in a manner consistent with the systems it watches, it may, given a stream of fragments, reassemble a completely different packet than an end system in receipt of the same fragments.
22
Firewall Outlines Variations on Firewall Architecture
Setting up network layer Firewalls Firewall log Setting private network with NAT
23
Firewall Firewall In brief, a firewall is typically the first line of defense for any Internet-connected network. What a firewall does and how it behaves depends on what level it operates on. (Those familiar with the OSI model will understand this.) Firewalls generally operate at the network layer (IP), or the application layer, such as HTTP proxies.
24
Firewall Firewall
25
Lab 12B: Firewall Firewall
Those firewalls at the network layer are often called screening routers. A screening router examines the IP header on each incoming (and possibly outgoing) datagram and determines whether or not it should pass. It makes this determination by comparing key fields such as the source and destination addresses to the policy set by the administrator. Most screening routers will also examine the packet at the next layer (the transport layer), which allows you to create policies based on TCP or UDP port, or ICMP type and code.
26
Firewall Firewall Firewalls at the application layer are called gateways or proxies, and are designed to understand protocols at this level, such as HTTP or telnet. Application gateways are useful because they can offer very high level control over traffic, and so they are in some ways more secure than screening routers. For example, an application gateway may choose to filter all HTTP POST commands. Most importantly, gateways can maintain logging specific to application layer protocols. A paranoid (and privacy-ignorant) company may choose to have all mail pass through a gateway to log the To, From, and Subject fields of the header, for instance.
27
Variations on Firewall Architecture
Single layer firewall architecture Two layer firewall architecture Merged interior and exterior firewall architecture Two layer firewall architecture with two internal network Two layer firewall architecture with merged bastion host and exterior firewall
28
Firewall Bastion host A system exposed to the Internet that is expected to come under thorough attack. The term contrasts those hosts that are inside a firewall's protection. DMZ (Demilitarized Zone) In firewalls, a DMZ is an area that is mostly public to the Internet. This is where a companies web, , and DNS servers are located. A DMZ often has some limited protection, but since it is very exposed to the Internet, the assumption is that the machines in the zone will eventually be compromised. Therefore, the machines often have as little connectivity to the private network as any other machine from the Internet.
29
Firewall Type A: Single layer firewall architecture
30
Lab 12B: Firewall Type B: Two layer firewall architecture
31
Firewall Type C: Merged interior and exterior firewall architecture
32
Firewall Type D: Two layer firewall architecture with two internal network
33
Firewall Type E: Two layer firewall architecture with merged bastion host and exterior firewall
34
Firewall Lab 8: Deploy firewall on your host using ipchains
35
Firewall Linux firewall log
All the traffic going through the firewall is part of a connection. A connection consists of the pair of IP addresses that are talking to each other, as well a pair of port numbers. The destination port number often indicates the type of service being connected to. When a firewall blocks a connection, it will save the destination port number to its logfile.
36
Firewall Linux firewall log Here is an example:
Packet log: input DENY eth0 PROTO= : :1025 L=34 S=0x00 I=18 F=0x0000 T=254 `input' is the chain which contained the rule which matched the packet, causing the log message. `DENY' is what the rule said to do to the packet. If this is `-' then the rule didn't effect the packet at all (an accounting rule). `eth0' is the interface name. Because this was the input chain, it means that the packet came in `eth0'. `PROTO=17' means that the packet was protocol 17. A list of protocol numbers is given in `/etc/protocols'. The most common are 1 (ICMP), 6 (TCP) and 17 (UDP).
37
Firewall Linux firewall log Here is an example:
Packet log: input DENY eth0 PROTO= : :1025 L=34 S=0x00 I=18 F=0x0000 T=254 ` ' means that the packet's source IP address was `:53' means that the source port was port 53. Looking in `/etc/services' shows that this is the `domain' port (ie. this is probably an DNS reply). For UDP and TCP, this number is the source port. For ICMP, it's the ICMP type. For others, it will be ` ' is the destination IP address.
38
Firewall Linux firewall log Here is an example:
Packet log: input DENY eth0 PROTO= : :1025 L=34 S=0x00 I=18 F=0x0000 T=254 `:1025' means that the destination port was For UDP and TCP, this number is the destination port. For ICMP, it's the ICMP code. For others, it will be `L=34' means that packet was a total of 34 bytes long. `S=0x00' means the Type of Service field (divide by 4 to get the Type of Service as used by ipchains). `I=18' is the IP ID.
39
Firewall Linux firewall log Here is an example:
Packet log: input DENY eth0 PROTO= : :1025 L=34 S=0x00 I=18 F=0x0000 T=254 `F=0x0000' is the 16-bit fragment offset plus flags. A value starting with `0x4' or `0x5' means that the Don't Fragment bit is set. `0x2' or `0x3' means the `More Fragments' bit is set; expect more fragments after this. The rest of the number is the offset of this fragment, divided by 8.
40
Firewall Linux firewall log Here is an example:
Packet log: input DENY eth0 PROTO= : :1025 L=34 S=0x00 I=18 F=0x0000 T=254 `T=254' is the Time To Live of the packet. One is subtracted from this value for every hop, and it usually starts at 15 or 255. `(#5)' there may be a final number in brackets on more recent kernels (perhaps after 2.2.9). This is the rule number which caused the packet log.
41
Firewall Linux firewall log Here is another example:
Feb 26 11:15:56 iegatea0 kernel: Packet log: input DENY eth0 PROTO= : :25 L=60 S=0x60 I=59731 F=0x4000 T=42 SYN (#77) The TCP SYN packet of the SMTP (port 25) access to the host from the host client port 1956 was blocked by the ipchains rule #77
42
Firewall Linux firewall log
Port numbers are divided into three ranges: The Well Known Ports are those from 0 through These are tightly bound to services, and usually traffic on this port clearly indicates the protocol for that service. For example, port 80 virtually always indicates HTTP traffic. The Registered Ports are those from 1024 through These are loosely bound to services, which means that while there are numerous services "bound" to these ports, these ports are likewise used for many other purposes. For example, most systems start handing out dynamic ports starting around 1024.
43
Firewall Linux firewall log
Port numbers are divided into three ranges: The Dynamic and/or Private Ports are those from through In theory, no service should be assigned to these ports. In reality, machines start assigning "dynamic" ports starting at We also see strangeness, such as Sun starting their RPC ports at For a complete complete list of port info, you may refer
44
Firewall Setting private network with IP Masquerade
IP Masquerade is a networking function in Linux similar to the one-to-many (1:Many) NAT (Network Address Translation) servers found in many commercial firewalls and network routers.
45
Firewall Setting private network with IP Masquerade
MASQ allows a set of machines to invisibly access the Internet via the MASQ gateway. To other machines on the Internet, the outgoing traffic will appear to be from the IP MASQ Linux server itself. In addition to the added functionality, IP Masquerade provides the foundation to create a HEAVILY secured networking environment. With a well built firewall, breaking the security of a well configured masquerading system and internal LAN should be considerably difficult to accomplish.
46
Firewall Setting private network with IP Masquerade
47
Firewall Setting private network with IP Masquerade EG.
/sbin/ipchains -A forward -s /16 -j MASQ This setting will allow all the clients in the private network /16 to have IP masquerade in Linux Masquerade gateway
48
Firewall Setting private network with iptable NAT
Linux iptable provides two different types of NAT: Source NAT (SNAT) and Destination NAT (DNAT). Source NAT is when you alter the source address of the first packet: ie. you are changing where the connection is coming from. Masquerading is a specialized form of SNAT. Destination NAT is when you alter the destination address of the first packet: ie. you are changing where the connection is going to. Port forwarding, load sharing, and transparent proxying are all forms of DNAT.
49
Firewall Setting private network with iptable NAT
Example of source NAT: ## Change source addresses to # iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to Example of destination NAT: ## Change destination addresses to # iptables -t nat -A PREROUTING -i eth1 -j DNAT --to
50
Network Address Translation (NAT)
NAT Client Server (Linux calls it masquerading)
51
NAT Pro/Con Pro Con Enforces control over outbound connections
Dynamic translation is more restrictive changed mapping increases attack difficulty Conceals internal configuration Con Dynamic translation requires maintaining state (how long to keep connection open?) Interferes with some encryption schemes Dynamic translation interferes with logging Dynamic translation of ports can interfere with filtering
52
Firewall Your network Evil Hackers
53
Firewalls mitigate risk
Block many threats They have vulnerabilities
54
Firewalls can be your connection to the Internet
Firewalls can be your connection to the Internet. As a prerequisite to this course you already know about networking, but it is worthwhile to look at the interface to the Internet with respect to security.
55
Typical Network Stack Application Layer (FTP, HTTP, SSH, etc.)
Transport Layer (TCP, UDP, ICMP) Internet Layer (IP) Network Access Layer (Ethernet, FDDI, etc.) (If you have a Novel or AppleShare network, the IP layer will be different.) (Carrier Pigeon Network Layer: RFC1149 on 1 April defines the Avian Transport Protocol)
56
Packet Organization Each layer’s packet organization has a header and data fields. Each layer treats the information it gets from the layer above it as data, i.e. every layer adds a header.
57
Encapsulation Application (FTP, HTTP, …) Transport (TCP,UDP,…)
Data Header Transport (TCP,UDP,…) Header Internet (IP) Header Network (Ethernet)
58
Ethernet Layer Header: Data is an IP packet Packet Type, e.g. IP
Source Address Original source or last router on path Destination Address Final destination or next router Maybe multicast or broadcast Addresses are Media Access Control (MAC) Data is an IP packet
59
IP Layer Header Data: TCP packet (or UDP, etc.)
IP Source Address, e.g IP Destination Address IP Protocol Type, e.g. TCP, UDP, ICMP Data: TCP packet (or UDP, etc.) Fragmentation If (network max packet size < IP max size) split data into multiple packets (fragments)
60
TCP Layer Header Data: application data, e.g. FTP data
TCP Source Port (2-bytes) TCP Destination Port TCP Flags: designates packet type ACK, SYN, etc. Data: application data, e.g. FTP data
61
Multicast or Broadcast Source
Legitimate use: DHCP request uses a broadcast source since it doesn’t have a valid address Illegitimate use: sending a broadcast source to a single destination will prompt a broadcast reply allowing you to use the destination as a broadcast source Since DHCP isn’t external (normally), block broadcast source
62
IP Fragmentation Prevent fragmentation with path MTU discovery
Maximum Transmission Unit (MTU) Send message with “don’t fragment” set If (error returned), decrease size else increase size
63
Packet Filters & Fragmentation
Solution: packet filter only first packet and let non-first packets through If you drop the first, a higher level protocol (TCP) will invalidate the rest. Problem #1: destination holds non-first packets waiting for the missing one (until timeout) resulting in Denial of Service!
64
Packet Filter & Fragmentation
Problem #2: attacker carefully constructs overlapping fragments so that non-first packets contain useful information. Overlapping fragments may be reassembled into invalid packets causing the OS to crash.
65
Packet Filter & Fragmentation
Problem #3: Attacker can get information to otherwise blocked ports by having valid TCP packets in non-first fragments which slip through.
66
Packet Filter & Fragmentation
Solutions Fragment reassembly before filtering Time consuming Reject all non-first fragments May reject otherwise good connections, but they will retransmit. Increased use of MTU is reducing fragmentation
67
TCP TCP is reliable because it guarantees to the application layer:
Provide data in order it was sent Provide all data sent Will not provide duplicates It will kill a connection before violating any.
68
Blocking TCP To block a TCP connection, simply block the first packet.
The first packet is unique: ACK is not set “start-of-connection” packet Can enforce a policy of only allowing connections to external servers, i.e. deny external connection requests to internal servers
69
TCP Options Common TCP Options: 3-way handshake uses ACK & SYN
ACK (acknowledgement) SYN (synchronize) RST (reset) FIN (finish) 3-way handshake uses ACK & SYN RST & FIN are used to close connections
70
TCP Options Firewalls use ACK and RST
ACK indicates first packet of connection RST tells people to “shut up” without providing a useful error message
71
TCP Sequence Numbers Sequence numbers allow reconstruction of correct order of packets Supposed to begin with a random number, but often is not random—vulnerability! How to hijack a TCP connection?
72
Hijacking a TCP Connection
Attackers needs Ability to forge TCP/IP packets. Initial sequence number Knowledge that a TCP connection has started (but not the ability to see it) When the TCP connection started Ability to redirect responses to you OR continue the conversation without responses to you while achieving your goal Thought to be too hard, but exists in the wild.
73
UDP Since UDP does not guarantee reliability there is no uniquely identifiable first packet
74
ICMP Examples Echo Request: send by ping Echo Response
Time exceeded (really hops exceeded) Destination unreachable Redirect (router redirected a packet and is telling the sender that a better way exists)
75
ICMP “Destination Unreachable” has codes to indicate reason
The relevant ones are “Fragmentation Needed” and “Don’t Fragment” used for path MTU discovery Desirable to drop all other “unreachable” replies since they provide useful information to scanners. Most firewalls do not allow discrimination on ICMP reason.
76
ICMP Attacks ICMP packets should be very small—large one indicate a problem so filter out large ones. For example, echo packets allow padding which could contain data. Not useful for cracking, but could be used to maintain a connection to a compromised site.
77
IP over IP Encapsulating IP over IP
Encrypted traffic Mobile IP (movement with fixed IP) Burying protocol Multicast over non-supporting networks IPv6 over IPv4 VPN: virtual private networks Problem: cannot see “actual” IP packet (encrypted) or may not look at it
78
Low-level attacks Port scanning
Send SYN without ACK; receives SYN if open or RST if not Send FIN “all options on” = Christmas tree (lights it up) “all options off” = null Either can crash a weak TCP/IP stack
79
Low-level Attacks IP Spoofing: Apparent problem: reply not sent to attacker Attacker can intercept reply Attacker doesn’t care to see it (e.g. DoS) Attacker doesn’t want reply: smurf attack redirects response to attack while multiplying replies with broadcast source
80
Packet Filtering Pro/Con
One filter can protect an entire network Simple filtering is efficient Widely available Con Not perfect: hard to configure and test Reduces router performance Some security policies cannot be enforced, e.g. block a user
81
Three main categories of firewalls
Network layer firewalls. An example would be iptables. Application layer firewalls. An example would be TCP Wrappers. Application firewalls. An example would be restricting ftp services through /etc/ftpaccess file
82
Network layer firewalls
operate at a (relatively) low level of the TCP/IP protocol stack as IP-packet filters, not allowing packets to pass through the firewall unless they match the rules. The firewall administrator may define the rules; or default built-in rules may apply (as in some inflexible firewall systems). A more permissive setup could allow any packet to pass the filter as long as it does not match one or more "negative-rules", or "deny rules". Today network firewalls are built into most computer operating systems and network appliances. Modern firewalls can filter traffic based on many packet attributes like source IP address, source port, destination IP address or port, destination service like WWW or FTP. They can filter based on protocols, TTL values, netblock of originator, domain name of the source, and many other attributes.
83
Application-layer firewalls
work on the application level of the TCP/IP stack (i.e., all browser traffic, or all telnet or ftp traffic), and may intercept all packets traveling to or from an application. They block other packets (usually dropping them without acknowledgement to the sender). In principle, application firewalls can prevent all unwanted outside traffic from reaching protected machines. By inspecting all packets for improper content, firewalls can even prevent the spread of the likes of viruses. In practice, however, this becomes so complex and so difficult to attempt (given the variety of applications and the diversity of content each may allow in its packet traffic) that comprehensive firewall design does not generally attempt this approach. The XML firewall exemplifies a more recent kind of application-layer firewall.
84
A proxy device (running either on dedicated hardware or as software on a general-purpose machine) may act as a firewall by responding to input packets (connection requests, for example) in the manner of an application, whilst blocking other packets. Proxies make tampering with an internal system from the external network more difficult and misuse of one internal system would not necessarily cause a security breach exploitable from outside the firewall (as long as the application proxy remains intact and properly configured). Conversely, intruders may hijack a publicly-reachable system and use it as a proxy for their own purposes; the proxy then masquerades as that system to other internal machines. While use of internal address spaces enhances security, crackers may still employ methods such as IP spoofing to attempt to pass packets to a target network..
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.