Firewall Architecture and Application Layer Firewalls Intrusion


Firewall Architecture and Intrusion Detection Systems

Firewall Architecture: Firewall Architectural Platforms

• Packet Filters/Screening Routers
• Application Layer Firewalls
• Proxy Gateways
• Stateful Inspection Engines
• Screened Subnets
• Reactive / Conditional Firewalls

Two levels -

• Application level firewalls operate at session, presentation and application layers. Also called bastion hosts or proxy firewalls (Linux, UNIX or Windows 2000).
• Packet level firewalls operate at network (IP) and transport (TCP) layers. Called screening routers or packet filters.

Firewall Architecture

[Figure: seven-layer stack (Physical, Data Link, Network, Transport, Session, Presentation, Application) beside a Secure Internet Gateway]

Firewall Architecture

[Figure: Untrusted Network, DMZ and Trusted Network separated by Packet Filters/Screening Routers]

Demilitarised Zone - DMZ

Firewall Architecture

[Figure: Untrusted Network and Trusted Network joined through the firewall, with Optional (DMZ) Networks (1+) attached]

Filtering based on -
• source IP address
• destination IP address
• TCP/UDP source port
• TCP/UDP destination port

May block on specific ports, hosts, networks, all external addresses, etc.

Packet Layer Firewalls

[Figure: LAN - Packet Filter/Screening Router - Internet, with the seven-layer stack (Physical to Application) shown alongside]


Packet Layer Firewalls

[Figure: two end hosts with full protocol stacks and a packet-filtering Router between them that operates at the Network layer only]

PROS: Application Independence; High Performance; Scalability
CONS: Low Security; No Screening Above the Network Layer (No "State" or Application-Context Information)

Policing Protocols

The following services are inherently vulnerable:
• TFTP (port 69)
• X-Windows (ports 6000+, port 2000)
• rlogin, rsh, and rexec (ports 513, 514, and 512)
• Telnet (port 23), RPC (port 111)
• FTP (ports 20 and 21), SMTP (port 25)
• RIP (port 520), DNS (port 53)
• UUCP (port 540), NNTP (port 119)
• Gopher, HTTP (ports 70 and 80)

Application Layer Firewalls

Advantages:
• Information hiding - names of internal systems not known to Internet users; the gateway is the only host whose name is made known to outside systems
• Authentication and logging - authentication can be located at the application gateway
• Cost effectiveness
• Less-complex filtering rules than with a packet filter

Application Layer Firewalls

[Figure: client and server full protocol stacks with an Application-Layer Gateway (Proxy-Service) between them; the Application Gateway terminates each connection at the Application layer and re-originates it]

Application Gateway proxies shown: Telnet, HTTP, FTP

PROS: Good Security; Full Application-Layer Awareness
CONS: Poorer Performance; Limited Application Support; Poor Scalability (Breaks the Client/Server Model)

Proxy Gateways

• Application firewall mediates traffic between protected network and Internet
• A proxy service is an application which routes IP traffic from one port to another (it breaks the connection, cf. stateful packet filter)
• Can provide user authentication, auditing, and logging facilities
• Great improvement over packet filters/screening routers
• Proxy software written for each service

Proxy Gateways contd...

• Basic proxies available for - Telnet, FTP, HTTP, WWW etc
• Users on the Internet can only see the proxy
• Proxy allows only services for which a proxy application has been specified
• Connection is broken, hence a proxy will not work for some services - eg VPN tunnels


Stateful Packet Filters

• Dynamic packet filtering
• Examines packet stream based upon dynamic state tables
• Mandates storing of state information
• Usually implemented with support of entire TCP/IP stack
• Examines: content vector protocol
• Allows/denies packet based upon rules appropriate for the TCP service

Stateful Packet Filters

[Figure: end hosts' full protocol stacks with the firewall's INSPECT Engine positioned between the Network and Application layers, fed by Dynamic State Tables]

PROS: Good Security; Full Application-Layer Awareness; Transparency
CONS: Performance; Mis-configuration
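The dynamic state table described on this slide, as an added Python example that is not part of the original slides. The flag shorthand ("S", "SA", "A", "F", "R"), the addresses, and the single service outsiders may open a connection to (10.0.0.80 port 80) are all constructed for the example; everything else inbound is allowed only when the table already knows the session, which is exactly what a stateless packet filter cannot do.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # constructed shorthand: "S"=SYN, "SA"=SYN/ACK, "A"=ACK/data, "F"=FIN, "R"=RST


# Hypothetical static policy: the only service the untrusted side may open a
# NEW connection to is the web server. Anything else inbound must belong to a
# session the state table already holds.
ALLOWED_NEW_INBOUND = {("10.0.0.80", 80)}


class StatefulFilter:
    """State table keyed by the initiating side's 4-tuple."""

    def __init__(self):
        self.table = {}  # (src, sport, dst, dport) -> "SYN_SENT" | "ESTABLISHED" | "CLOSING"

    def _find(self, p):
        """Return the table key this packet belongs to, looking in both directions."""
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.table:
            return fwd
        if rev in self.table:
            return rev
        return None

    def filter(self, p, direction):
        """direction is "in" (from untrusted) or "out" (from trusted); returns ALLOW/DROP."""
        key = self._find(p)
        if p.flags == "S":
            if key is not None:  # SYN retransmit on a half-open session is fine, otherwise not
                return "ALLOW" if self.table[key] == "SYN_SENT" else "DROP"
            if direction == "out" or (p.dst, p.dport) in ALLOWED_NEW_INBOUND:
                self.table[(p.src, p.sport, p.dst, p.dport)] = "SYN_SENT"
                return "ALLOW"
            return "DROP"
        if key is None:
            # No state: a bare ACK probe, an unsolicited SYN/ACK or a stray reply
            # is dropped here even though a stateless filter would let it through.
            return "DROP"
        state = self.table[key]
        if p.flags == "SA":
            # must answer a SYN we recorded and must come from the responder side
            if state == "SYN_SENT" and key != (p.src, p.sport, p.dst, p.dport):
                self.table[key] = "ESTABLISHED"
                return "ALLOW"
            return "DROP"
        if p.flags == "R":
            del self.table[key]
            return "ALLOW"
        if p.flags == "F":
            if state in ("ESTABLISHED", "CLOSING"):
                self.table[key] = "CLOSING"
                return "ALLOW"
            return "DROP"
        # plain ACK / data segment
        if state == "ESTABLISHED":
            return "ALLOW"
        if state == "CLOSING":
            del self.table[key]  # final ACK of the teardown removes the entry
            return "ALLOW"
        return "DROP"  # ACK before the handshake completed

    def session_count(self):
        return len(self.table)


def run_demo():
    """Constructed trace; returns (verdict per packet, sessions still in the table)."""
    fw = StatefulFilter()
    trace = [
        (Packet("192.0.2.10", 40000, "203.0.113.5", 443, "S"), "out"),   # client opens HTTPS
        (Packet("203.0.113.5", 443, "192.0.2.10", 40000, "SA"), "in"),   # server answers
        (Packet("192.0.2.10", 40000, "203.0.113.5", 443, "A"), "out"),   # handshake completes
        (Packet("198.51.100.7", 443, "192.0.2.10", 40001, "SA"), "in"),  # unsolicited SYN/ACK
        (Packet("198.51.100.7", 6000, "192.0.2.10", 22, "A"), "in"),     # bare ACK with no session
        (Packet("198.51.100.7", 5555, "192.0.2.10", 23, "S"), "in"),     # new inbound telnet
        (Packet("198.51.100.7", 5555, "10.0.0.80", 80, "S"), "in"),      # new inbound to web server
        (Packet("192.0.2.10", 40000, "203.0.113.5", 443, "F"), "out"),   # client closes
        (Packet("203.0.113.5", 443, "192.0.2.10", 40000, "A"), "in"),    # final ACK
    ]
    verdicts = [fw.filter(p, d) for p, d in trace]
    return verdicts, fw.session_count()


if __name__ == "__main__":
    print(run_demo())
```

The "Mis-configuration" CON on the slide shows up directly in `ALLOWED_NEW_INBOUND`: a single extra tuple there reopens a service to the whole untrusted side, so that set is the part of such a filter that deserves review.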

Screened Subnet

Most secure firewall architecture

[Figure: LAN (Trusted) - Firewall - Internet (Untrusted), with a Firewall & Public Services Server (Ascend MAX) providing Public Services on the Optional (DMZ) network]

Screened Subnet Benefits

Screened subnet considered to be the most secure firewall architecture:
• isolated network positioned between the external and internal networks
• allows non-critical hosts (web servers, anonymous FTP sites) to be placed outside the internal network
• forces all traffic and services through the firewall
• provides a source for encrypted tunnels

Reactive / Conditional Firewalls

• Current firewall architectures: packet filter, application proxy, stateful packet filters
• All imply a static rule set (even if analysis and filtering engines are really powerful)
• A reactive or conditional firewall will change / adapt its rule set as a result of certain attack scenarios observed either by an IDS or the firewall itself.
• A reactive or conditional firewall can process multiple connections (eg Nimda - 24,000!)


Reactive / Conditional Firewalls

Some firewalls appear to change their rule set in the face of an attack - but results are very limited:
• Watchguard watches for attempted access to services defined as sensitive and for policy violations. When a violation is detected, the source is submitted to a preprocessor which discards all further packets involving that host.
• Checkpoint has an API which allows it to accept firewall rule modification from an external IDS. Should a compatible IDS detect an attack it could modify the firewall configuration to exclude the attacker.

Reactive / Conditional Firewalls

[Figure: Autoblocking leading to Denial of Service condition]

Reactive / Conditional Firewalls

Some firewalls appear to change their rule set in the face of an attack - but results are very limited:
• Port Sentry monitors unused ports. Any attempt to access such ports is indicative of port scanning attacks or other probes. On detection, the local firewall/router configuration is modified to exclude the host involved.
• Guardian is a security program which operates by automatically updating firewall rules based upon alerts generated by Snort and blocking all incoming data from the IP address of the attacking machine.

Reactive / Conditional Firewalls

Reactive / conditional firewalls allow considerable flexibility in implementing packet filtering rules and proxies, ranging from elegant support for excluding attackers, to the ability to define complex traffic, state-tracking systems and bandwidth management systems.

Various terms can be used to describe a firewall which changes its rules based upon external conditions. Such terms include: conditional, adaptive, mutable, responsive or reactive firewalls.
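An IDS-driven autoblocker of the Guardian/Port Sentry kind, as an added Python example that is not part of the original slides, written so that the "Autoblocking leading to Denial of Service condition" the earlier slide warns about is handled: addresses in a never-block list (here the internal network and the upstream gateway) are never added to the block list even if an alert names them, and every block expires. The alert lines are constructed in a Snort-like one-line format and are not real Snort output; the signature names, thresholds, addresses and timings are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed IDS alert lines (Snort-like shape, not real Snort output).
SAMPLE_ALERTS = [
    "01/12-10:00:01 [**] portscan detected [**] 198.51.100.7 -> 192.0.2.10",
    "01/12-10:00:02 [**] portscan detected [**] 198.51.100.7 -> 192.0.2.11",
    "01/12-10:00:03 [**] portscan detected [**] 198.51.100.7 -> 192.0.2.12",
    "01/12-10:00:04 [**] mountd access [**] 192.0.2.53 -> 192.0.2.10",   # names an internal host
    "01/12-10:00:05 [**] mountd access [**] 203.0.113.9 -> 192.0.2.10",
    "01/12-10:00:06 [**] portscan detected [**] 203.0.113.9 -> 192.0.2.11",
]

ALERT_RE = re.compile(
    r"^\d\d/\d\d-(?P<time>\d\d:\d\d:\d\d) \[\*\*\] (?P<sig>.+?) \[\*\*\] "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+)$"
)


def to_seconds(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


class ReactiveFirewall:
    """Turns IDS alerts into temporary source-address blocks."""

    def __init__(self, never_block, thresholds, window=60, block_ttl=600):
        # Hosts the firewall must never cut off, however the alert looks: a spoofed
        # or mistaken alert naming them would otherwise turn the autoblocker into
        # a denial-of-service tool against the defender's own infrastructure.
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.thresholds = thresholds      # signature -> alerts needed within window
        self.window = window              # seconds
        self.block_ttl = block_ttl        # seconds; blocks always expire
        self.hits = defaultdict(list)     # src -> recent alert times
        self.blocks = {}                  # src -> expiry time

    def _protected(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.never_block)

    def observe(self, line):
        """Process one alert line and report what the firewall did with it."""
        m = ALERT_RE.match(line)
        if m is None:
            return "unparsed"
        now = to_seconds(m["time"])
        src, sig = m["src"], m["sig"]
        if self._protected(src):
            return "ignored-protected"
        if self.is_blocked(src, now):
            return "already-blocked"
        recent = [t for t in self.hits[src] if now - t <= self.window] + [now]
        self.hits[src] = recent
        if len(recent) >= self.thresholds.get(sig, 3):  # unknown signatures: 3 in window
            self.blocks[src] = now + self.block_ttl
            self.hits.pop(src, None)
            return "blocked"
        return "counted"

    def is_blocked(self, ip, now):
        expiry = self.blocks.get(ip)
        return expiry is not None and now < expiry


def run_demo():
    """Returns the action per alert plus the block state of the scanner 5 and 15 minutes later."""
    fw = ReactiveFirewall(
        never_block=["192.0.2.0/24", "198.51.100.1/32"],          # internal net, upstream gateway
        thresholds={"portscan detected": 3, "mountd access": 1},
    )
    actions = [fw.observe(line) for line in SAMPLE_ALERTS]
    still_blocked = fw.is_blocked("198.51.100.7", to_seconds("10:05:00"))
    expired = fw.is_blocked("198.51.100.7", to_seconds("10:15:00"))
    return actions, still_blocked, expired


if __name__ == "__main__":
    print(run_demo())
```

The fourth alert names 192.0.2.53, an internal address; blocking it on the strength of one alert is how a reactive firewall ends up denying service to its own DNS or mail server, so the never-block list is checked before anything else.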

Secure Transactions on the Internet/Intranet

• S/MIME - Secure Multipart Internet Mail Encoding
• SSH - Secure Shell (Telnet, FTP etc)
• PPTP - Point to Point Tunnelling Protocol
• SET - Secure Electronic Transactions
• IPv6 - IP version 6
• SSL/TLS - Secure Sockets Layer
• IPSec - Encrypted Tunnelling

[Figure: protocol stack - LAN (Ethernet) and WAN (PPP, ADSL, ISDN, Frame Relay, ATM) at the bottom; IPSec with IPv4 and IPv6; TCP and UDP; PPTP; FTP, TELNET, SNMP, SMTP, HTTP/HTTPS; and at the browser level SET, S/MIME or PGP, SSL/TLS and SSH]

Hole in the (Fire)wall .....

[Figure: Server - Firewall - Client, with "Holes for Hackers" marked at the firewall]


Firewall Vendors

• Watchguard Technologies (Firebox 4500 System 5)
• Symantec Corp. (Symantec Enterprise Firewall v6.5.2)
• Stonesoft Corp. (Stonegate v17.0)
• SonicWall Inc. (SonicWall Tele3 v6.2)
• Secure Computing (Sidewinder v5.2)
• Global Technologies (GNAT Box v3.2)
• Network-1 Security Solutions (CyberwallPLUS v7.0)
• Cyberguard Corp. (CyberGuard KnightStar v5.0)
• Checkpoint Technologies (NG FW-1)
• Borderware Technologies (Firewall Server v6.5)

see also www.networkintrusion.co.uk

Personal Firewall Vendors

• Tiny Firewall (www.tinysoftware.com)
• BlackICE/Networkice (www.networkice.com)
• Norton (www.norton.com)
• SyGate (www.sygate.com) - www.sygate.com/products/centrally_managed_personal_firewall.htm
• Zone Alarm (www.zonelabs.com) .. see on...
• IPCop (Linux) (www.ipcop.com)
• Smoothwall (Linux) (www.smoothwall.org)

The last two are loaded onto a gateway machine. IPCop is an offshoot of Smoothwall. Smoothwall can operate as a packet filtering IDS.

Personal Firewall Vendors: Zone Alarm (www.zonelabs.com) .....

• Personal firewall with security settings of High, Medium, Low for both LAN and Internet connections
• Alerts occur during access to an unauthorised port. ZoneAlarm advises what the likely cause is and how indicative of an attack it is - hence acts as an IDS
• Access is allowed/denied for programs on the host PC to connect to the Internet
• ZoneAlarm Pro $US50 for single user and $US1800 for 50 users
• ZoneAlarm - free for home users

Intrusion Detection Systems

What is an Intrusion?

Sequence of related actions by a malicious adversary that results in occurrence of security threats to target computer or network

Indicators:
• Repetition of unusual behaviour
• Exploitation of known vulnerabilities
• Inconsistent packet sequences or routes
• Unexplained problems
• Suspicious traffic content

Major Reasons for Using Intrusion Detection Systems are.....

• To detect intruders, attacks, abuse...
• To detect probes
• To provide active network security
• To provide a means of deterrent
• To collect data on system behavior so as to recover after intrusion
• To indirectly provide useful information


History of IDS Developments/Products


IDS Goals

• Differentiate normal from damaging actions

• Scalable

• Variety of network systems and architectures

• Adapts in response to new attacks

• Reports attacks in real-time

• Co-operates with other security mechanisms


IDS Goals

• Increase monitoring at suspicious points

• Protect against being attacked itself

• Function in face of network failure

• Minimal performance impact

• Generate audit information

• Reflect security policy of organisation


IDS Architecture


IDS Architecture Components

• Sensors - data gathering for the IDS
• Monitors - process the collected data
• Resolver - determines appropriate responses
• Controller - configuration of components in a distributed system

Modern IDS apply these components in a cascading fashion, ie - allowing higher level system overviews to be gained as a user ascends through the tree


IDS Techniques

• Misuse Detection (M-IDS) - attempts to match observed v expected behaviour (eg signature analysis, Petri nets, state transition diagrams, genetic algorithms)
• Anomaly Detection (A-IDS) - models expected behaviour (eg statistical, expert systems, neural networks)


IDS Techniques

• Location of Sensors - network-based (no processing overheads and difficult to attack) or host-based (performance impact but good data collection)
• Monitor Processing Patterns - real-time (cf. batch) detection of significant benefit (performance issues)
• Distributed Correlation - simple interfaces (eg Shadow) or hierarchical (eg GrIDS)


Capabilities of IDS

• Second level of defense if primary security fails
• Clear view and summary (eg Tripwire)
• Extracts information useful in tracking intrusions
• Identifies nature of abuse - (eg system modifications for later backdoor use)
• IDS logs as evidence in legal cases


Capabilities of IDS

• IDS can assist in detecting mis-configurations
• Combined with network security scanners, security holes can be revealed - eg finding a particular firewall is vulnerable to certain attacks
• IDS can determine which resources are targeted
• New attacks every month - simplifies detection
• IDS works well with security policy


Limitations of IDS

• Reporting tool - cannot stop ongoing intrusions
• Cannot trace intrusion with poor authentication
• Can only trace intrusion to point of entry to system
• Must be aware of security policy
• Attackers may attack IDS systems
• Depends upon seeing all traffic
• Models event - systems react in different ways
• Widely spread attacks may be ignored
• New attacks continually being discovered
• Scaling problems


Current Development in IDS

• Distributed and scalable IDS
• Use of AI and pattern matching
• Embedded IDS in network devices
• Use in other areas - telephone / credit card systems
• Adaptation to new technologies
• Automatic recognition of new attacks (adaptive AI)
• IDS which responds to attacks in progress
• IDS standards/groups (eg CIDF, IDWG, IDSC ....)


IPS - Intrusion Prevention Systems

• Current IDS systems "notify" but do not react
• Current firewalls are mainly static rule based systems
• IPS implies a combination of IDS + Firewall
• This can still be static although sophisticated in its filtering and analysis engines
• If this is the case - is it different from IDS + firewall?
• "Conditional or Reactive" firewalls imply: IDS / IPS / Firewall with dynamic rules which adapt to specific attack scenarios


Intrusion Detection Systems and Products

• Manual Review Techniques
• Full-scale IDS may not always be appropriate:
  • connect dummy service to ports (eg IMAP (143), SMB (139), HTTP (80)) - trigger script when attacked
  • use log files and audit info to build critical log
  • use simple monitors such as NetMon and FileMon


Types of IDS

• Host-based (HIDS) - searches for mis-configurations and dangerous settings, unusual privileges etc
• Network-based (NIDS) - checks host security policies, dangerous or unnecessary services
• Hybrid

Vary according to whether:
• fixed/wireless
• commercial/freeware
• operating system


Host-Based IDS

• GFi LANguard SELM - Windows - Commercial - http://www.gfi.com/lanselm/index.html
• EMERALD eXpert-BSM - Solaris - Commercial - http://www.sdl.sri.com/projects/emerald/releases/eXpert-BSM/
• ISS BlackICE - Windows - Commercial - http://blackice.iss.net
• Symantec Host IDS - Windows/Solaris - Commercial - http://enterprisesecurity.symantec.com/products
• LIDS - Linux - GPL - http://www.lids.org

GPL = General Public Licence


Network-Based IDS

• AirDefense Guard (Wireless IDS) - Hardware - Commercial - www.airdefense.net/products/airdefense_ids.shtm
• NetDetector Solution - Hardware - Commercial - www.niksun.com/index.php?id=194
• Network Flight Recorder Security - Hardware - Commercial
• RealSecure Network Sensor - Windows/Linux/Solaris/Nokia - Commercial
• Symantec ManHunt - Solaris/Linux - Commercial
• Shoki - *nix - GPL - http://shoki.sourceforge.net
• Snort - *nix - GPL - http://www.snort.org
• Sourcefire Intrusion MS - Hardware - Commercial


Hybrid IDS

• Prelude - *nix - GPL - http://www.prelude-ids.org
• RealSecure Network Sensor - Windows/*nix - Commercial - www.iss.net/products_services

[*nix = UNIX compatible] [GPL = Public License]


Example NIDS: SNORT

• Lightweight IDS system capable of performing real-time traffic analysis and packet logging
• Can perform protocol analysis, content searching/matching.
• Can be used to detect a variety of attacks and probes, eg:
  • buffer overflows
  • stealth port scans
  • CGI attacks
  • SMB probes
  • OS fingerprinting attempts


Example IDS: SNORT

• Snort has three primary uses. It can be used as:
  • a packet sniffer like tcpdump
  • a packet logger (useful for network traffic debugging, etc)
  • a full network intrusion detection system
• Snort/IDS operates from a script rule file applied to each packet monitored
• Provides specialised access to IP packets, eg fragmentation bit checks
• Example rule (rule options go in parentheses; bytes between pipes are hex):

alert tcp any any -> 192.168.0.1/24 111 (content:"|00 01 86 A5|"; msg:"mountd access";)
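How the example rule is applied to each monitored packet, as an added Python example that is not Snort's own code: a minimal parser for the rule header and the `content`/`msg` options (including Snort's `|..|` hex notation), and a matcher that checks protocol, addresses, ports and payload in the way the slide describes. The packets and their payloads are constructed; the four content bytes `00 01 86 A5` are the RPC program number 100005 (mountd), which is why the rule labels a hit "mountd access".

```python
import ipaddress
import re

# The slide's example rule in Snort syntax.
RULE = 'alert tcp any any -> 192.168.0.1/24 111 (content:"|00 01 86 A5|"; msg:"mountd access";)'

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def decode_content(text):
    """Snort content syntax: text between '|' characters is hex bytes, the rest is literal."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def parse_rule(rule):
    """Split one rule into its header fields and an options dict (content is decoded to bytes)."""
    m = HEADER_RE.match(rule)
    if m is None:
        raise ValueError("not a rule header: " + rule)
    parsed = m.groupdict()
    options = {}
    for opt in parsed.pop("opts").split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, value = opt.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        options[key] = decode_content(value) if key == "content" else value
    parsed["options"] = options
    return parsed


def _addr_ok(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_ok(spec, port):
    return spec == "any" or int(spec) == port


def _header_ok(rule, src, sport, dst, dport):
    return (_addr_ok(rule["src"], src) and _port_ok(rule["sport"], sport)
            and _addr_ok(rule["dst"], dst) and _port_ok(rule["dport"], dport))


def match(rule, pkt):
    """Return the rule's msg if the packet triggers it, otherwise None."""
    if pkt["proto"] != rule["proto"]:
        return None
    ok = _header_ok(rule, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if not ok and rule["dir"] == "<>":  # bidirectional rules also match the reverse header
        ok = _header_ok(rule, pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    if not ok:
        return None
    content = rule["options"].get("content")
    if content is not None and content not in pkt["payload"]:
        return None
    return rule["options"].get("msg", "(no msg)")


def run_demo():
    """Apply the rule to constructed packets; returns the alert message (or None) for each."""
    rule = parse_rule(RULE)
    # Constructed payload fragment carrying program number 0x000186A5 = 100005 (mountd).
    mountd_call = b"\x00\x00\x00\x02\x00\x01\x86\xa5\x00\x00\x00\x01"
    packets = [
        {"proto": "tcp", "src": "10.1.1.5", "sport": 40123, "dst": "192.168.0.77", "dport": 111, "payload": mountd_call},
        {"proto": "tcp", "src": "10.1.1.5", "sport": 40123, "dst": "192.168.0.77", "dport": 2049, "payload": mountd_call},
        {"proto": "tcp", "src": "10.1.1.5", "sport": 40123, "dst": "192.168.0.77", "dport": 111, "payload": b"\x00\x00\x00\x02\x00\x01\x86\xa3"},
        {"proto": "udp", "src": "10.1.1.5", "sport": 40123, "dst": "192.168.0.77", "dport": 111, "payload": mountd_call},
        {"proto": "tcp", "src": "10.1.1.5", "sport": 40123, "dst": "10.9.9.9", "dport": 111, "payload": mountd_call},
    ]
    return [match(rule, p) for p in packets]


if __name__ == "__main__":
    print(run_demo())
```

Only the first packet fires: the others miss on port, payload, protocol or destination network respectively, which is the whole point of a signature rule being a conjunction of header and content checks.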


Example IDS: BlackIce

Host-based IDS for Windows which carries out extensive port analysis
• Four levels: Paranoid, Nervous, Cautious, Trusting
• Provides back-trace of intruders via NetBios
• Uses signature files to detect known attacks
• Real time network usage graph
• Links to full protocol stack
• http://blackice.iss.net

Example IDS: BlackIce Display

[Figure: BlackIce display screenshot]

Example IDS: ZoneAlarm

ZoneAlarm (= Firewall + IDS)
• www.zonelabs.com
• Personal firewall with security settings of High, Medium, Low for both LAN and Internet connections, and a mail attachment check setting
• Alerts occur when access to an unauthorised port is attempted. ZoneAlarm advises what the likely cause is and how indicative of an attack it is
• Access is allowed/denied for programs on the host PC to connect to the Internet
• ZoneAlarm Pro $US50 for single user and $US1800 for 50 users
• ZoneAlarm - free for home users


Tools Supporting Active Security

• Mapping Tools
• System Scanning Tools
• System Integrity Checkers
• Honeytraps / Honeypots


IDS Support Tools - Mapping Tools

Network Mappers
• Commercial and free tools available - nmap and Cheops-NG
• Carry out - DNS zone transfers, address/port scanning, host requests, promiscuous monitoring
• nmap sends a variety of packets with illegal flags, ICMP echoes, fragmented packets etc to hosts and analyses the responses
• eg recognises Linux with kernels older than 2.0.35 by using a packet with SYN and illegal flags set


IDS Support Tools - Mapping Tools

• Cheops - *nix - GPL (no longer supported) - www.marko.net/cheops/
• Cheops-NG - *nix - GPL - http://cheops-ng.sourceforge.net/
• nmap - *nix/Windows - GPL - http://www.insecure.org/nmap


IDS Support Tools - System Scanning Tools

• Tools used to detect and report on vulnerabilities in a computer or network
• Use a database of known vulnerabilities and attempt matching to these records
• For an attacker these tools allow location of potential specific targets, eg an open HTTP port with a known vulnerability


IDS Support Tools - System Scanning Tools

• Core Impact - Windows - Commercial
• GFi LANguard NSS - Windows - Commercial/Freeware
• ISS Internet Scanner - Commercial
• Nessus - *nix - GPL - www.nessus.org
• Rapid7 NeXpose - Linux/Windows - Commercial
• Retina - Windows - Commercial


IDS Support Tools - System Integrity Checkers

• Detect anomalies which may indicate that data on a computer has been tampered with
• Cannot detect intruders until after the intrusion and so are not real-time like IDSs
• Store a hashed snapshot of the file system, compare it to the current system state and report discrepancies


IDS Support Tools - System Integrity Checkers

• Tripwire is the best example
• Commonly support hashing algorithms, eg - MD4/5, SHA, ITU CRC-16 and -32 signatures
• Reference database based upon initial trusted system
• Only reports changes already present in system
• Last line of defence - system is already compromised!
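The hashed-snapshot-and-compare cycle the two integrity checker slides describe, as an added Python example that is not Tripwire's or any other product's code. It uses SHA-256 (an assumption; the slide lists MD4/5, SHA and CRC variants), builds a small constructed file tree in a temporary directory, takes the reference database from it while it is still trusted, simulates tampering, and reports added, removed and changed files.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, algo="sha256"):
    """Stream the file through the digest so large files do not have to fit in memory."""
    digest = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Reference database: relative path -> digest for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline, current):
    """Report the discrepancies between the trusted baseline and the live file system."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p]),
    }


def run_demo():
    """Constructed tree: take the baseline, tamper, then diff. Returns the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "login").write_bytes(b"original login binary")
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "motd").write_text("welcome\n")

        # The reference database must come from the initial trusted system and be
        # kept where an intruder on this host cannot rewrite it (read-only media,
        # another machine); here it simply lives in memory for the demonstration.
        baseline = snapshot(root)

        # Simulated tampering after the baseline was taken (constructed, not real malware).
        (root / "bin" / "login").write_bytes(b"modified login binary")
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\nextra:x:0:0::/:/bin/sh\n")
        (root / "etc" / "motd").unlink()
        (root / "bin" / "unknown.ko").write_bytes(b"\x7fELF")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(run_demo())
```

The report only ever describes changes that have already happened, which is the "last line of defence" caveat on the slide: an integrity checker tells you the system was compromised, not that it is about to be.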


IDS Support Tools - System Integrity Checkers

• Aide - *nix - GPL
• Chkrootkit - *nix - Open Source
• Integrit - *nix - GPL
• Ionx Data Sentinel - Windows - Commercial
• GFi LANguard SIM - Windows - Commercial/Freeware
• Osiris - *nix - Open Source
• Samhain - *nix - GPL
• Tripwire - *nix/Windows - Commercial and Open Source


IDS Support Tools - Honeytraps

Current IDS methodologies have shortcomings:
• problem recognising novel attacks
• occurrence of false positives
• reporting of attacks of no interest

Honeytrap system - simulated or real system that exists for the sole purpose of being attacked!
• Looks and behaves like a real system
• Must not be a launching pad
• Must gather valuable information on the attacker


IDS Support Tools - Honeytraps

• Bait and Switch - *nix - BSD
• KeyFocus Sensor - Windows - Commercial
• NetBait Enterprise - i386-based - Commercial
• Symantec Decoy Server - Solaris - Commercial
• Verizon NetFacade - *nix - Commercial
• NFR Back Officer Friendly (designed to prevent Back Orifice scans) - Commercial but free trial


KFSensor Honeypot Output

[Figure: KFSensor honeypot output screenshot]

IDS Standards

• Common Intrusion Detection Framework (CIDF) - Common protocols and interface standards (1999)
• Intrusion Detection Working Group (IDWG) - Produced 4 Internet Drafts (2002)
• Open Security Evaluation Criteria (OSEC) - Evaluation of and tests on products (2003)
• Intrusion Detection Systems Consortium (IDSC) - Vendor consortium promoting product adoption by defining common terminology, integrity, standards

Intrusion Detection Experiments

• Watchguard firewall used as testbed for Intrusion Detection Analysis
• simulates small office network
• single public server
• limited set of machines on firewall's trusted network
• unspecified number of machines on external network


Intrusion Detection Case Study

Sample Firewall policy might be ....
• Incoming FTP traffic allowed (via proxy) only if destined for 204.137.98.164 - public server located in optional network
• Outgoing FTP traffic allowed without restriction
• Incoming HTTP traffic allowed (via proxy) only if destined for 204.137.98.165
• Outgoing HTTP traffic allowed without restriction
• Incoming SMTP traffic was allowed only to 177.209.49.31 (external firewall interface)
• Outgoing SMTP traffic was allowed only from 177.209.0.25 (hypothetical SMTP server on trusted network)
• Configuration access to firewall allowed from internal networks
• IP Masquerading was disabled
• Port Autoblocking was disabled
• All other ports and services were blocked
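The packet-filter criteria from the early "Filtering based on" slide (source and destination address, protocol, destination port, default block) applied to this case study's sample policy, as an added Python example that is not part of the original slides. The FTP and HTTP proxies and the firewall's own management address and port are not modelled, since a packet filter sees only addresses and ports and the slides do not give the management details; the test packets and their addresses are constructed. The rule order and the first-match, default-deny evaluation are the example's own choices.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    direction: str         # "in" = arriving from the untrusted side, "out" = leaving the trusted side
    proto: str             # "tcp" or "udp"
    src: str               # CIDR network, or "any"
    dst: str               # CIDR network, or "any"
    dport: Optional[int]   # destination port; None means any port
    comment: str


def _in_net(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def evaluate(rules, pkt):
    """First matching rule wins; a packet no rule allows is denied (the policy's last line)."""
    for r in rules:
        if (r.direction == pkt["direction"] and r.proto == pkt["proto"]
                and _in_net(r.src, pkt["src"]) and _in_net(r.dst, pkt["dst"])
                and (r.dport is None or r.dport == pkt["dport"])):
            return r.action, r.comment
    return "deny", "all other ports and services blocked"


# The case study's sample policy expressed as filter rules (addresses from the slide).
POLICY = [
    Rule("allow", "in", "tcp", "any", "204.137.98.164/32", 21,
         "incoming FTP only to the public server (proxied)"),
    Rule("allow", "out", "tcp", "any", "any", 21,
         "outgoing FTP without restriction"),
    Rule("allow", "in", "tcp", "any", "204.137.98.165/32", 80,
         "incoming HTTP only to 204.137.98.165 (proxied)"),
    Rule("allow", "out", "tcp", "any", "any", 80,
         "outgoing HTTP without restriction"),
    Rule("allow", "in", "tcp", "any", "177.209.49.31/32", 25,
         "incoming SMTP only to the external firewall interface"),
    Rule("allow", "out", "tcp", "177.209.0.25/32", "any", 25,
         "outgoing SMTP only from the trusted-network SMTP server"),
]


def run_demo():
    """Run constructed packets through the policy; returns the verdict for each."""
    packets = [
        dict(direction="in", proto="tcp", src="203.0.113.5", dst="204.137.98.164", dport=21),   # FTP to public server
        dict(direction="in", proto="tcp", src="203.0.113.5", dst="204.137.98.165", dport=21),   # FTP to the web host
        dict(direction="in", proto="tcp", src="203.0.113.5", dst="204.137.98.165", dport=80),   # HTTP to web host
        dict(direction="out", proto="tcp", src="177.209.0.25", dst="203.0.113.5", dport=25),    # mail from SMTP server
        dict(direction="out", proto="tcp", src="177.209.0.99", dst="203.0.113.5", dport=25),    # mail from another host
        dict(direction="in", proto="tcp", src="203.0.113.5", dst="177.209.49.31", dport=25),    # inbound mail
        dict(direction="in", proto="tcp", src="203.0.113.5", dst="204.137.98.164", dport=23),   # telnet: no rule
        dict(direction="in", proto="udp", src="203.0.113.5", dst="204.137.98.165", dport=80),   # wrong protocol
    ]
    return [evaluate(POLICY, p)[0] for p in packets]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The fifth packet is the one worth noticing: the policy restricts outgoing SMTP by source address, so a workstation that starts sending mail directly is dropped and, if the IDS is watching the trusted segment, becomes a detectable event rather than silent traffic.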


Intrusion Detection Case Study

1. Scan Web server (2) and IDS server (2) from Attack host (3) (all machines on a common network segment)
2. Scan Web server (1) and IDS server (1) from Attack host (3) (attack on optional from trusted network)
3. Scan Web server (2) and IDS server (2) from Attack host (2) (attack on trusted from optional network)
4. Scan Web server (1) and IDS server (1) from Attack host (1) (external attack on optional network)
5. Scan Web server (2) and IDS server (2) from Attack host (1) (external attack on trusted network)


Intrusion Detection Case Study

• Scan 1 gives a baseline of what attacks the IDS tools are capable of recognising, and corresponds to an internal attack on the trusted network
• Scan 2 simulates an internal attack against the optional network
• Scan 3 simulates the result if a machine on the optional network is compromised and then attacks internal machines
• Scan 4 - very common case - an external attacker attempts to access machines on the optional network
• Scan 5 is the same situation for the trusted network


Intrusion Detection Case Study: Conclusions

• IDS can highlight problems with Firewall configurations
• Out-of-box configurations may be dangerous
• Firewalls protect inaccessible machines well
• Firewalls do not protect against application-level attacks
• Firewalls are themselves vulnerable to attack
• IDS tools can recognise many attacks
• IDS tools have different detection sets
• Network IDS recognise attacks from their area of coverage
• Network scanning tools are susceptible to false readings
• Firewalls offer minimal detection capabilities