
Intrusion Detection System (IDS)


Description: Intrusion Detection System (IDS), a PowerPoint PPT presentation covering host-based IDS (Tripwire), network IDS (Snort), how to defeat an IDS, and firewalls.


Page 1: Intrusion Detection System  (IDS)

Intrusion Detection System (IDS)

Outlines
• Host-based IDS – Tripwire
• Network IDS – Snort
• How to defeat an IDS

Host-based IDS – Tripwire

Tripwire is a very popular system integrity checker, a utility that compares properties of designated files and directories against information stored in a previously generated database. Any changes to these files are flagged and logged, including files that were added or deleted, with optional email and pager reporting. Support files (databases, reports, etc.) are cryptographically signed.
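The following is an added example, not Tripwire's own code: a minimal integrity checker in Python that does what the paragraph describes (baseline database, later comparison, report of added, deleted and changed files), with an HMAC over the stored database standing in for Tripwire's cryptographic signing. The file tree, the signing key and the tampering it detects are all constructed inside the script.

```python
"""Added example, not Tripwire's code: a minimal Tripwire-style integrity checker.
It snapshots size, mode, mtime and SHA-256 of every regular file under a root,
stores the baseline as JSON protected by an HMAC (standing in for Tripwire's
signed database), and reports added, deleted and changed files on a later run.
The directory tree used in demo() is constructed in a temporary directory."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Constructed key; a real deployment keeps this off the monitored host.
DB_KEY = b"example-baseline-signing-key"


def snapshot(root):
    """Record metadata and a SHA-256 digest for every regular file under root."""
    root = Path(root)
    db = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.stat()
        db[path.relative_to(root).as_posix()] = {
            "size": st.st_size,
            "mode": st.st_mode,
            "mtime": int(st.st_mtime),
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
        }
    return db


def save_db(db, dbfile):
    """Write the baseline with an HMAC-SHA256 tag so tampering is detectable."""
    body = json.dumps(db, sort_keys=True).encode()
    tag = hmac.new(DB_KEY, body, hashlib.sha256).hexdigest()
    Path(dbfile).write_text(json.dumps({"tag": tag, "db": body.decode()}))


def load_db(dbfile):
    """Verify the HMAC before trusting the baseline; raise on mismatch."""
    wrapper = json.loads(Path(dbfile).read_text())
    body = wrapper["db"].encode()
    expected = hmac.new(DB_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, wrapper["tag"]):
        raise ValueError("baseline database failed integrity check")
    return json.loads(body)


def compare(baseline, current):
    """Return the relative paths that were added, deleted or changed."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current)
                     if baseline[p] != current[p])
    return {"added": added, "deleted": deleted, "changed": changed}


def demo():
    """Constructed scenario: take a baseline, then modify, add and delete files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        root.mkdir()
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "motd").write_text("welcome\n")
        dbfile = Path(tmp) / "baseline.json"
        save_db(snapshot(root), dbfile)

        # Simulated tampering after the baseline was taken.
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n"
                                     "extra:x:0:0::/:/bin/sh\n")
        (root / "rc.local").write_text("#!/bin/sh\n")
        (root / "motd").unlink()
        return compare(load_db(dbfile), snapshot(root))


def tampered_db_rejected():
    """Show that an edited baseline file no longer verifies."""
    with tempfile.TemporaryDirectory() as tmp:
        dbfile = Path(tmp) / "baseline.json"
        save_db({"hosts": {"size": 1}}, dbfile)
        wrapper = json.loads(dbfile.read_text())
        wrapper["db"] = wrapper["db"].replace('"size": 1', '"size": 2')
        dbfile.write_text(json.dumps(wrapper))
        try:
            load_db(dbfile)
        except ValueError:
            return True
        return False


if __name__ == "__main__":
    print(demo())
    print("tampered baseline rejected:", tampered_db_rejected())
```

Run it as a script to see the report. The baseline and the key must live where someone who can modify the monitored files cannot also rewrite them (read-only media or another host); otherwise the comparison proves nothing, which is exactly why Tripwire signs its database.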

Lab 7: Install a Tripwire IDS to monitor the integrity of the data on your hosts.

Network IDS – Snort

Snort is a lightweight network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.

Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plugin architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user-specified file, a UNIX socket, or WinPopup messages to Windows clients using Samba's smbclient.

Snort has three primary uses. It can be used as a straight packet sniffer like tcpdump(1), a packet logger (useful for network traffic debugging, etc.), or as a full-blown network intrusion detection system.

Snort is a very flexible tool. You can customize the rulesets to suit your needs. We have just given you a very simple introduction in this workshop. For more details of rule writing, you should go to http://www.snort.org/docs/writing_rules/
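To make the rule language concrete, here is an added example that is not Snort's code: a Python parser and matcher for a small subset of Snort rule syntax (a header with action, protocol, addresses and ports, plus the msg, content, nocase and sid options), run over constructed packets. The rules, addresses and sids are made up for the demo.

```python
"""Added example, not Snort's engine: a parser and matcher for a small subset of
Snort's rule language, enough to show how a header plus a content option turns
into a detection. Supported: action, protocol, source/destination address
(any, an IP or CIDR, optionally negated with !) and port (any, a number or
low:high), and the msg / content / nocase / sid options. Rules and packets are
constructed for the demo."""
import ipaddress
import re

RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+"
    r"\((?P<opts>.*)\)\s*$"
)


def parse_rule(text):
    """Split a rule into its header fields and an option dict."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    rule = m.groupdict()
    opts = {"content": [], "nocase": False}
    # Options are `key:value;` pairs; a literal ';' inside msg is not handled.
    for opt in rule.pop("opts").split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, val = opt.partition(":")
        val = val.strip().strip('"')
        if key == "content":
            opts["content"].append(val)
        elif key == "nocase":
            opts["nocase"] = True
        else:
            opts[key] = val
    rule["opts"] = opts
    return rule


def addr_matches(spec, ip):
    """'any', a single IP or a CIDR; a leading '!' negates."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def port_matches(spec, port):
    """'any', a single port or an inclusive low:high range."""
    if spec == "any":
        return True
    if ":" in spec:
        low, high = spec.split(":")
        return int(low or 0) <= port <= int(high or 65535)
    return port == int(spec)


def rule_matches(rule, pkt):
    """Header fields first, then every content string must appear in the payload."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if not (addr_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])
            and addr_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"])):
        return False
    payload = pkt["payload"].lower() if rule["opts"]["nocase"] else pkt["payload"]
    for needle in rule["opts"]["content"]:
        needle = needle.encode()
        if rule["opts"]["nocase"]:
            needle = needle.lower()
        if needle not in payload:
            return False
    return True


def run(rule_texts, packets):
    """Return (sid, msg) for every alert rule that fires, in packet order."""
    rules = [parse_rule(t) for t in rule_texts]
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule["action"] == "alert" and rule_matches(rule, pkt):
                alerts.append((int(rule["opts"]["sid"]), rule["opts"]["msg"]))
    return alerts


# Constructed rules in Snort syntax (sids in the local 1000000+ range).
RULES = [
    'alert tcp any any -> 10.0.0.0/24 80 (msg:"WEB-CGI phf access"; content:"/cgi-bin/phf"; sid:1000001;)',
    'alert tcp !10.0.0.0/24 any -> 10.0.0.0/24 21:23 (msg:"External login attempt as root"; content:"ROOT"; nocase; sid:1000002;)',
]

# Constructed packets: a phf probe, a benign request, an internal and an external root login.
PACKETS = [
    {"proto": "tcp", "src": "203.0.113.7", "sport": 40001, "dst": "10.0.0.5", "dport": 80,
     "payload": b"GET /cgi-bin/phf? HTTP/1.0\r\n"},
    {"proto": "tcp", "src": "203.0.113.7", "sport": 40002, "dst": "10.0.0.5", "dport": 80,
     "payload": b"GET /index.html HTTP/1.0\r\n"},
    {"proto": "tcp", "src": "10.0.0.9", "sport": 40003, "dst": "10.0.0.5", "dport": 23,
     "payload": b"root\r\n"},
    {"proto": "tcp", "src": "203.0.113.8", "sport": 40004, "dst": "10.0.0.5", "dport": 23,
     "payload": b"root\r\n"},
]

if __name__ == "__main__":
    for sid, msg in run(RULES, PACKETS):
        print(f"[{sid}] {msg}")
```

The second rule shows why the header matters as much as the content: the same payload from an internal host is ignored, while from outside it alerts. Real Snort rules add many more options (hex content, offsets, flow direction), but the header-then-content shape is the same.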

Lab 7: Install a Snort IDS on your host and use the Nessus network scanner to test your Snort IDS.

How to defeat a Network IDS

I. Insertion Attack

Insert packets that the end-point server will ignore but that the IDS picks up as valid packets. An attacker can use insertion attacks to defeat signature analysis, allowing her to slip attacks past an IDS.

E.g. the signature of the phf attack may be something like ``GET /cgi-bin/phf?''. We may insert extra packets such that the IDS detects the packets as ``GET /cgi-bin/pleasedontdetecttthisforme?'' while the end-point server still reads ``GET /cgi-bin/phf?''.

Techniques:

• Using invalid sequence numbers. Most IDS do not check sequence numbers. Packets with invalid sequence numbers are rejected by end-point servers but may be picked up by these IDS.

• Using an incorrect TCP checksum. Most IDS do not check TCP checksums. Packets with an incorrect TCP checksum are rejected by end-point servers but may be picked up by these IDS.

• Using a short TTL. If the IDS sits on the network many hops away from the end-point servers, short-TTL packets will be dropped before they reach the end-point servers. We can just tune the inserted packets' TTL such that they pass the IDS but are dropped before the end-point servers.
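As an added example (not from the slides), the Python script below models the three techniques just listed from the IDS side: a naive reassembler that concatenates everything it sees, next to one that applies the same checks as the end host (checksum, TTL against the hop count, sequence number inside the receive window). The segment list, the hop count and the simplified payload-only checksum are assumptions of the example.

```python
"""Added example, not code from the slides or from Snort: a toy TCP stream
reassembler that shows why a network IDS must apply the same validity checks
as the end host. naive_reassemble() takes every segment it sees in arrival
order (no sequence, checksum or TTL check); strict_reassemble() drops segments
the end host would also drop. Segments are constructed in-line. The checksum is
the RFC 1071 Internet checksum over the payload only, a simplification of the
real TCP checksum, which also covers the TCP header and an IP pseudo-header."""


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum of 16-bit big-endian words, complemented."""
    if len(data) % 2:
        data = data + b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
        total = (total & 0xFFFF) + (total >> 16)   # fold the carry
    return (~total) & 0xFFFF


def make_segment(seq, payload, ttl=64, good_checksum=True):
    """Build a segment record; a bad checksum is simulated by flipping one bit."""
    csum = internet_checksum(payload)
    if not good_checksum:
        csum ^= 0x0001
    return {"seq": seq, "payload": payload, "ttl": ttl, "csum": csum}


# Constructed stream as seen on the wire, in arrival order. The client's real
# request is "GET /cgi-bin/phf?" starting at sequence number 1000; the three
# segments in between are ones the end host will never accept.
ISN = 1000
SEGMENTS = [
    make_segment(1000, b"GET /cgi-bin/p"),
    make_segment(1014, b"lease", good_checksum=False),  # bad TCP checksum
    make_segment(90000, b"dont"),                        # far outside the window
    make_segment(1014, b"detect", ttl=2),                # expires before the host
    make_segment(1014, b"hf?"),
]


def naive_reassemble(segments):
    """What an IDS sees if it concatenates every payload as it arrives."""
    return b"".join(seg["payload"] for seg in segments)


def strict_reassemble(segments, hops_to_host, isn=ISN, window=4096):
    """Model the end host: verify the checksum, require a TTL that survives the
    path, accept only sequence numbers inside the receive window, deliver in
    order. When two accepted segments claim the same sequence number the first
    one is kept; real stacks differ on this, which is itself something a
    target-aware IDS has to know about."""
    expected = isn
    pending = {}
    out = b""
    for seg in segments:
        if internet_checksum(seg["payload"]) != seg["csum"]:
            continue                         # host discards a bad checksum
        if seg["ttl"] <= hops_to_host:
            continue                         # decremented to zero in transit
        if not expected <= seg["seq"] < expected + window:
            continue                         # outside the receive window
        pending.setdefault(seg["seq"], seg["payload"])
        while expected in pending:           # deliver contiguous data
            chunk = pending.pop(expected)
            out += chunk
            expected += len(chunk)
    return out


def signature_seen(data, signature=b"/cgi-bin/phf"):
    """The content match a signature-based IDS would apply."""
    return signature in data


if __name__ == "__main__":
    naive = naive_reassemble(SEGMENTS)
    strict = strict_reassemble(SEGMENTS, hops_to_host=5)
    print("naive IDS view:", naive, "-> matched:", signature_seen(naive))
    print("host view     :", strict, "-> matched:", signature_seen(strict))
```

The defensive point is that a signature engine is only as good as the stream it is fed: the strict reassembler has to know the distance to each protected host and validate exactly what that host validates, which is why Snort's stream and fragment preprocessors take per-target policy settings.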

II. Evasion Attack

An end-system can accept a packet that an IDS rejects. An IDS that mistakenly rejects such a packet misses its contents entirely.

E.g. the packets of ``GET /cgi-bin/phf?'' may show up as ``GET /gin/f'' in IDS detection.

Techniques:

• Some IDS can only keep track of one host/port connection at a time. Flood the target port with non-existent SYN packets first so that these IDS ignore our real connection afterwards.

• IP fragmentation: sending fragments out of order. Some IDS assume the fragments arrive in order; they just reassemble the data as soon as the fragment marked as final arrives. Sending fragments out of order may fool these IDS.

• Sending overlapping fragments. There may be a gap between how the IDS and the end-point server handle overlapping fragments. If the IDS does not handle overlapping fragments in a manner consistent with the systems it watches, it may, given a stream of fragments, reassemble a completely different packet than an end system in receipt of the same fragments.
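An added example, not from the slides and not Snort's frag3 code: a Python fragment reassembler that shows both of the fragmentation evasions above. The naive version finishes as soon as it sees the final fragment; the target-style version waits for complete coverage and resolves overlaps according to an explicit policy. The fragment streams and the two policy names are constructed for the demo.

```python
"""Added example, not from the slides and not Snort's frag3: a toy IPv4 fragment
reassembler illustrating the two fragmentation evasions above. A fragment is
(offset_in_bytes, more_fragments_flag, data). naive_reassemble() behaves like
the IDS the slides describe (assumes in-order arrival, stops at the MF=0
fragment); reassemble() waits for full coverage and resolves overlaps with an
explicit policy, which is the knob an IDS has to set to match each watched host.
Fragment streams are constructed in-line."""


def naive_reassemble(fragments):
    """Concatenate payloads in arrival order; finish as soon as MF=0 is seen."""
    buf = b""
    for _offset, more, data in fragments:
        buf += data
        if not more:
            return buf
    return None


def reassemble(fragments, policy="first"):
    """Target-style reassembly.
    policy="first": a byte already received is kept when a later fragment overlaps it.
    policy="last":  a later fragment overwrites earlier bytes.
    Real stacks use variants of these (and mix them by fragment position), so
    the IDS must be told which policy each protected host follows.
    Returns the datagram payload once bytes 0..length-1 are all present, else None."""
    if policy not in ("first", "last"):
        raise ValueError("unknown policy: " + policy)
    bytemap = {}           # byte offset -> byte value
    total_len = None
    for offset, more, data in fragments:
        for i, value in enumerate(data):
            pos = offset + i
            if policy == "last" or pos not in bytemap:
                bytemap[pos] = value
        if not more:
            total_len = offset + len(data)
        if total_len is not None and all(p in bytemap for p in range(total_len)):
            return bytes(bytemap[p] for p in range(total_len))
    return None


def signature_seen(data, signature=b"/cgi-bin/phf"):
    """The content match a signature-based IDS would apply."""
    return data is not None and signature in data


# Constructed streams. Non-final fragments carry multiples of 8 bytes, as IP requires.
OUT_OF_ORDER = [
    (16, False, b"?"),            # final fragment arrives first
    (0, True, b"GET /cgi"),
    (8, True, b"-bin/phf"),
]

OVERLAPPING = [
    (0, True, b"GET /cgi"),
    (8, True, b"-bin/xyz"),       # decoy bytes at offset 8
    (8, True, b"-bin/phf"),       # overlapping rewrite of the same bytes
    (16, False, b"?"),
]

if __name__ == "__main__":
    print("out of order, naive:", naive_reassemble(OUT_OF_ORDER))
    print("out of order, full :", reassemble(OUT_OF_ORDER))
    for policy in ("first", "last"):
        print(f"overlap, policy={policy}:", reassemble(OVERLAPPING, policy))
```

Both policies are legitimate behaviour for some host; the IDS is only right if it uses the one the host it watches uses, which is the "consistent with the systems it watches" requirement in the slide.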

Firewall

Outlines
• Variations on firewall architecture
• Setting up network layer firewalls
• Firewall log
• Setting up a private network with NAT

In brief, a firewall is typically the first line of defense for any Internet-connected network. What a firewall does and how it behaves depends on what level it operates on. (Those familiar with the OSI model will understand this.) Firewalls generally operate at the network layer (IP), or at the application layer, such as HTTP proxies.

Those firewalls at the network layer are often called screening routers. A screening router examines the IP header on each incoming (and possibly outgoing) datagram and determines whether or not it should pass. It makes this determination by comparing key fields such as the source and destination addresses to the policy set by the administrator. Most screening routers will also examine the packet at the next layer (the transport layer), which allows you to create policies based on TCP or UDP port, or ICMP type and code.

Firewalls at the application layer are called gateways or proxies, and are designed to understand protocols at this level, such as HTTP or telnet. Application gateways are useful because they can offer very high level control over traffic, and so they are in some ways more secure than screening routers. For example, an application gateway may choose to filter all HTTP POST commands. Most importantly, gateways can maintain logging specific to application layer protocols. A paranoid (and privacy-ignorant) company may choose to have all mail pass through a gateway to log the To, From, and Subject fields of the header, for instance.

Variations on Firewall Architecture

A. Single layer firewall architecture
B. Two layer firewall architecture
C. Merged interior and exterior firewall architecture
D. Two layer firewall architecture with two internal networks
E. Two layer firewall architecture with merged bastion host and exterior firewall

Bastion host

A system exposed to the Internet that is expected to come under thorough attack. The term contrasts with those hosts that are inside a firewall's protection.

DMZ (Demilitarized Zone)

In firewalls, a DMZ is an area that is mostly public to the Internet. This is where a company's web, e-mail, and DNS servers are located. A DMZ often has some limited protection, but since it is very exposed to the Internet, the assumption is that the machines in the zone will eventually be compromised. Therefore, the machines often have as little connectivity to the private network as any other machine on the Internet.

Type A: Single layer firewall architecture (figure)

Type B: Two layer firewall architecture (figure)

Type C: Merged interior and exterior firewall architecture (figure)

Type D: Two layer firewall architecture with two internal networks (figure)

Type E: Two layer firewall architecture with merged bastion host and exterior firewall (figure)

Lab 8: Deploy a firewall on your host using ipchains.

Linux firewall log

All the traffic going through the firewall is part of a connection. A connection consists of the pair of IP addresses that are talking to each other, as well as a pair of port numbers. The destination port number often indicates the type of service being connected to. When a firewall blocks a connection, it will save the destination port number to its logfile.

Here is an example:

Packet log: input DENY eth0 PROTO=17 192.168.2.1:53 192.168.1.1:1025 L=34 S=0x00 I=18 F=0x0000 T=254

1. `input' is the chain which contained the rule which matched the packet, causing the log message.

2. `DENY' is what the rule said to do to the packet. If this is `-' then the rule didn't affect the packet at all (an accounting rule).

3. `eth0' is the interface name. Because this was the input chain, it means that the packet came in on `eth0'.

4. `PROTO=17' means that the packet was protocol 17. A list of protocol numbers is given in `/etc/protocols'. The most common are 1 (ICMP), 6 (TCP) and 17 (UDP).

5. `192.168.2.1' means that the packet's source IP address was 192.168.2.1.

6. `:53' means that the source port was port 53. Looking in `/etc/services' shows that this is the `domain' port (i.e. this is probably a DNS reply). For UDP and TCP, this number is the source port. For ICMP, it's the ICMP type. For others, it will be 65535.

7. `192.168.1.1' is the destination IP address.

8. `:1025' means that the destination port was 1025. For UDP and TCP, this number is the destination port. For ICMP, it's the ICMP code. For others, it will be 65535.

9. `L=34' means that the packet was a total of 34 bytes long.

10. `S=0x00' means the Type of Service field (divide by 4 to get the Type of Service as used by ipchains).

11. `I=18' is the IP ID.

12. `F=0x0000' is the 16-bit fragment offset plus flags. A value starting with `0x4' or `0x5' means that the Don't Fragment bit is set. `0x2' or `0x3' means the `More Fragments' bit is set; expect more fragments after this. The rest of the number is the offset of this fragment, divided by 8.

13. `T=254' is the Time To Live of the packet. One is subtracted from this value for every hop, and it usually starts at 15 or 255.

14. `(#5)': there may be a final number in brackets on more recent kernels (perhaps after 2.2.9). This is the rule number which caused the packet log.

Here is another example:

Feb 26 11:15:56 iegatea0 kernel: Packet log: input DENY eth0 PROTO=6 200.223.111.242:1956 137.189.97.67:25 L=60 S=0x60 I=59731 F=0x4000 T=42 SYN (#77)

The TCP SYN packet of an SMTP (port 25) access to the host 137.189.97.67 from the host 200.223.111.242, client port 1956, was blocked by ipchains rule #77.
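As an added example (not from the slides), here is a Python parser for the ipchains packet-log line, decoding the fields exactly as the numbered list above explains them, including the F= flag bits and the ICMP type/code meaning of the two port columns. The two log lines are the ones quoted above; the protocol and service tables are small inline stand-ins for /etc/protocols and /etc/services.

```python
"""Added example, not from the slides: a parser for the ipchains "Packet log:"
line format described above, with the F= and PROTO= fields decoded the way the
field list explains them. The two log lines are the ones quoted on the slides;
the /etc/protocols and /etc/services lookups are reduced to small inline tables."""
import re

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9A-Fa-f]+) T=(?P<ttl>\d+)"
    r"(?P<flags>(?: [A-Z]+)*)(?: \(#(?P<rule>\d+)\))?"
)

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}          # subset of /etc/protocols
SERVICES = {25: "smtp", 53: "domain", 80: "http"}      # subset of /etc/services

DF_BIT = 0x4000   # "0x4..." or "0x5..." in the field list above
MF_BIT = 0x2000   # "0x2..." or "0x3..."


def parse_packet_log(line):
    """Return a dict of decoded fields, or None if the line is not a packet log."""
    m = LOG_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    proto = int(g["proto"])
    frag = int(g["frag"], 16)
    rec = {
        "chain": g["chain"],
        "action": g["action"],
        "iface": g["iface"],
        "proto": proto,
        "proto_name": PROTOCOLS.get(proto, str(proto)),
        "src": g["src"],
        "sport": int(g["sport"]),
        "dst": g["dst"],
        "dport": int(g["dport"]),
        "length": int(g["length"]),
        "tos": int(g["tos"], 16),
        "ipid": int(g["ipid"]),
        "df": bool(frag & DF_BIT),
        "mf": bool(frag & MF_BIT),
        "frag_offset": (frag & 0x1FFF) * 8,   # offset field is in 8-byte units
        "ttl": int(g["ttl"]),
        "flags": g["flags"].split(),
        "rule": int(g["rule"]) if g["rule"] else None,
    }
    if proto == 1:
        # For ICMP the two "port" columns are really type and code.
        rec["icmp_type"], rec["icmp_code"] = rec["sport"], rec["dport"]
    return rec


def describe(rec):
    """One-line summary in the style of the explanation of the second example."""
    service = SERVICES.get(rec["dport"], str(rec["dport"]))
    flags = " " + "/".join(rec["flags"]) if rec["flags"] else ""
    rule = f" by rule #{rec['rule']}" if rec["rule"] is not None else ""
    return (f"{rec['action']} on chain {rec['chain']} ({rec['iface']}): {rec['proto_name']}{flags} "
            f"{rec['src']}:{rec['sport']} -> {rec['dst']}:{rec['dport']} ({service}), "
            f"len {rec['length']}, ttl {rec['ttl']}{rule}")


# The two example lines quoted on the slides.
LOG_LINES = [
    "Packet log: input DENY eth0 PROTO=17 192.168.2.1:53 192.168.1.1:1025 L=34 S=0x00 I=18 F=0x0000 T=254",
    "Feb 26 11:15:56 iegatea0 kernel: Packet log: input DENY eth0 PROTO=6 200.223.111.242:1956 "
    "137.189.97.67:25 L=60 S=0x60 I=59731 F=0x4000 T=42 SYN (#77)",
]

if __name__ == "__main__":
    for line in LOG_LINES:
        print(describe(parse_packet_log(line)))
```

Feeding the parsed records into a counter keyed on (src, dport) is the usual next step: a burst of DENY lines from one source across many destination ports is a scan, and the rule number tells you which policy line caught it.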

Port numbers are divided into three ranges:

1. The Well Known Ports are those from 0 through 1023. These are tightly bound to services, and usually traffic on such a port clearly indicates the protocol for that service. For example, port 80 virtually always indicates HTTP traffic.

2. The Registered Ports are those from 1024 through 49151. These are loosely bound to services, which means that while there are numerous services "bound" to these ports, these ports are likewise used for many other purposes. For example, most systems start handing out dynamic ports starting around 1024.

3. The Dynamic and/or Private Ports are those from 49152 through 65535. In theory, no service should be assigned to these ports. In reality, machines start assigning "dynamic" ports starting at 1024. We also see strangeness, such as Sun starting their RPC ports at 32768.

For a complete list of port information, you may refer to http://www.iana.org/assignments/port-numbers

Setting up a private network with IP Masquerade

IP Masquerade is a networking function in Linux similar to the one-to-many (1:Many) NAT (Network Address Translation) servers found in many commercial firewalls and network routers.

MASQ allows a set of machines to invisibly access the Internet via the MASQ gateway. To other machines on the Internet, the outgoing traffic will appear to be from the IP MASQ Linux server itself. In addition to the added functionality, IP Masquerade provides the foundation to create a HEAVILY secured networking environment. With a well built firewall, breaking the security of a well configured masquerading system and internal LAN should be considerably difficult to accomplish.

E.g.

/sbin/ipchains -A forward -s 192.168.0.0/16 -j MASQ

This setting will allow all the clients in the private network 192.168.0.0/16 to be IP-masqueraded by the Linux masquerade gateway.

Setting up a private network with iptables NAT

Linux iptables provides two different types of NAT: Source NAT (SNAT) and Destination NAT (DNAT).

• Source NAT is when you alter the source address of the first packet: i.e. you are changing where the connection is coming from. Masquerading is a specialized form of SNAT.

• Destination NAT is when you alter the destination address of the first packet: i.e. you are changing where the connection is going to. Port forwarding, load sharing, and transparent proxying are all forms of DNAT.

Example of source NAT:

## Change source addresses to 1.2.3.4.
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4

Example of destination NAT:

## Change destination addresses to 5.6.7.8
# iptables -t nat -A PREROUTING -i eth1 -j DNAT --to 5.6.7.8

Network Address Translation (NAT)

(Linux calls it masquerading)

(figure: a client, a NAT device and a server, with the addresses 10.42.6.9 and 35.9.20.20)

NAT Pro/Con

• Pro
– Enforces control over outbound connections
– Dynamic translation is more restrictive: the changed mapping increases attack difficulty
– Conceals internal configuration

• Con
– Dynamic translation requires maintaining state (how long to keep a connection open?)
– Interferes with some encryption schemes
– Dynamic translation interferes with logging
– Dynamic translation of ports can interfere with filtering

(figure: evil hackers, a firewall, and your network)

• Firewalls mitigate risk
• Block many threats
• They have vulnerabilities

Firewalls can be your connection to the Internet. As a prerequisite to this course you already know about networking, but it is worthwhile to look at the interface to the Internet with respect to security.

Typical Network Stack

• Application Layer (FTP, HTTP, SSH, etc.)
• Transport Layer (TCP, UDP, ICMP)
• Internet Layer (IP)
• Network Access Layer (Ethernet, FDDI, etc.)

(If you have a Novell or AppleShare network, the IP layer will be different.)

(Carrier Pigeon Network Layer: RFC 1149 of 1 April 1990 defines the Avian Transport Protocol.)

Packet Organization

Each layer's packet organization has a header and data fields.

Each layer treats the information it gets from the layer above it as data, i.e. every layer adds a header.

Encapsulation (figure): the Application layer (FTP, HTTP, …) produces the data; the Transport (TCP, UDP, …), Internet (IP) and Network (Ethernet) layers each prepend a header.

Ethernet Layer

• Header:
– Packet type, e.g. IP
– Source address: original source or last router on the path
– Destination address: final destination or next router; may be multicast or broadcast
– Addresses are Media Access Control (MAC) addresses

• Data is an IP packet

IP Layer

• Header
– IP Source Address, e.g. 35.9.20.20
– IP Destination Address
– IP Protocol Type, e.g. TCP, UDP, ICMP

• Data: TCP packet (or UDP, etc.)

• Fragmentation: if (network max packet size < IP max size) split data into multiple packets (fragments)

TCP Layer

• Header
– TCP Source Port (2 bytes)
– TCP Destination Port
– TCP Flags: designate packet type (ACK, SYN, etc.)

• Data: application data, e.g. FTP data

Multicast or Broadcast Source

• Legitimate use: a DHCP request uses a broadcast source since it doesn't have a valid address

• Illegitimate use: sending a broadcast source to a single destination will prompt a broadcast reply, allowing you to use the destination as a broadcast source

• Since DHCP isn't external (normally), block broadcast sources

IP Fragmentation

Prevent fragmentation with path MTU discovery
– Maximum Transmission Unit (MTU)
– Send a message with “don’t fragment” set
– If (error returned), decrease size; else increase size

Packet Filters & Fragmentation

• Solution: packet filter only the first fragment and let non-first fragments through. If you drop the first, a higher level protocol (TCP) will invalidate the rest.

• Problem #1: the destination holds non-first fragments waiting for the missing one (until timeout), resulting in Denial of Service!

• Problem #2: an attacker carefully constructs overlapping fragments so that non-first fragments contain useful information. Overlapping fragments may be reassembled into invalid packets causing the OS to crash.

• Problem #3: an attacker can get information to otherwise blocked ports by having valid TCP packets in non-first fragments which slip through.

Solutions
• Fragment reassembly before filtering: time consuming
• Reject all non-first fragments: may reject otherwise good connections, but they will retransmit.
• Increased use of MTU is reducing fragmentation

TCP

TCP is reliable because it guarantees to the application layer:
– Provide data in the order it was sent
– Provide all data sent
– Will not provide duplicates

It will kill a connection before violating any of these.

Blocking TCP

• To block a TCP connection, simply block the first packet.

• The first packet is unique: ACK is not set – the “start-of-connection” packet

• Can enforce a policy of only allowing connections to external servers, i.e. deny external connection requests to internal servers
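An added example, not from the slides: a stateless packet filter in Python that applies the two ideas above (block inbound TCP connection attempts by dropping packets with ACK clear, and reject non-first fragments because they carry no transport header to check) to constructed traffic. The site network, the published service and the packets are assumptions of the example.

```python
"""Added example, not from the slides: a stateless packet filter in the style the
slides describe, run over constructed packets. It (1) blocks inbound TCP
connection attempts by dropping inbound packets with the ACK bit clear unless
they go to a published service, and (2) shows the fragment problem: a non-first
fragment carries no TCP header, so a header-only filter has nothing to match,
and the "reject all non-first fragments" fix from the slides closes that gap.
Packet fields: src, dst, proto, frag_offset (bytes), and for first fragments
sport, dport and flags."""
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/24")   # constructed site network
PUBLISHED = {("10.0.0.5", 80)}                    # services reachable from outside


def filter_packet(pkt, drop_nonfirst_fragments):
    """Return (verdict, reason) for one packet."""
    inbound = ipaddress.ip_address(pkt["dst"]) in INTERNAL
    if not inbound:
        return "allow", "outbound"
    if pkt["frag_offset"] > 0:
        # No transport header here; the filter cannot tell what service this is for.
        if drop_nonfirst_fragments:
            return "deny", "non-first fragment"
        return "allow", "non-first fragment, no header to check"
    if pkt["proto"] != "tcp":
        return "deny", "only tcp is allowed inbound in this example"
    if "ACK" in pkt["flags"]:
        # Not a start-of-connection packet: treated as a reply to an internal client.
        return "allow", "ack set, part of an existing connection"
    if (pkt["dst"], pkt["dport"]) in PUBLISHED:
        return "allow", "published service"
    return "deny", "inbound connection attempt"


def run(packets, drop_nonfirst_fragments=True):
    """Apply the filter to each packet and return the verdicts in order."""
    return [filter_packet(p, drop_nonfirst_fragments) for p in packets]


def first(src, sport, dst, dport, flags):
    """Constructed first fragment (or unfragmented packet) with a TCP header."""
    return {"src": src, "dst": dst, "proto": "tcp", "frag_offset": 0,
            "sport": sport, "dport": dport, "flags": set(flags)}


def nonfirst(src, dst, offset):
    """Constructed non-first fragment: IP header only, no ports or flags."""
    return {"src": src, "dst": dst, "proto": "tcp", "frag_offset": offset}


# Constructed traffic: a client's outbound request and its reply, an inbound
# request to the web server, an inbound SYN to ssh, and a non-first fragment.
PACKETS = [
    first("10.0.0.9", 40000, "203.0.113.7", 80, {"SYN"}),         # outbound
    first("203.0.113.7", 80, "10.0.0.9", 40000, {"SYN", "ACK"}),  # reply
    first("198.51.100.3", 5000, "10.0.0.5", 80, {"SYN"}),         # to web server
    first("198.51.100.3", 5001, "10.0.0.5", 22, {"SYN"}),         # to ssh
    nonfirst("198.51.100.3", "10.0.0.5", 24),                     # fragment at offset 24
]

if __name__ == "__main__":
    for pkt, (verdict, reason) in zip(PACKETS, run(PACKETS)):
        print(f"{verdict:5} {pkt['src']} -> {pkt['dst']}: {reason}")
```

The ACK-bit rule is what makes the filter stateless: it trusts any inbound packet with ACK set to belong to an existing connection. That is also its known weakness, which is why stateful filters track connections instead of inferring them from one flag.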

TCP Options

• Common TCP options:
– ACK (acknowledgement)
– SYN (synchronize)
– RST (reset)
– FIN (finish)

• 3-way handshake uses ACK & SYN

• RST & FIN are used to close connections

Firewalls use ACK and RST
– ACK (clear only on the first packet) identifies the start of a connection
– RST tells people to “shut up” without providing a useful error message

TCP Sequence Numbers

• Sequence numbers allow reconstruction of the correct order of packets

• Supposed to begin with a random number, but often is not random: vulnerability!

• How to hijack a TCP connection?

Hijacking a TCP Connection

Attackers need
• Ability to forge TCP/IP packets
• Initial sequence number
• Knowledge that a TCP connection has started (but not the ability to see it)
• When the TCP connection started
• Ability to redirect responses to you, OR continue the conversation without responses to you while achieving your goal

Thought to be too hard, but exists in the wild.

UDP

Since UDP does not guarantee reliability there is no uniquely identifiable first packet.

ICMP

Examples
– Echo Request: sent by ping
– Echo Response
– Time exceeded (really hops exceeded)
– Destination unreachable
– Redirect (a router redirected a packet and is telling the sender that a better way exists)

ICMP “Destination Unreachable” has codes to indicate the reason. The relevant ones are “Fragmentation Needed” and “Don’t Fragment”, used for path MTU discovery.

Desirable to drop all other “unreachable” replies since they provide useful information to scanners.

Most firewalls do not allow discrimination on ICMP reason.

ICMP Attacks

• ICMP packets should be very small; large ones indicate a problem, so filter out large ones.

• For example, echo packets allow padding which could contain data. Not useful for cracking, but could be used to maintain a connection to a compromised site.

IP over IP

• Encapsulating IP over IP
– Encrypted traffic
– Mobile IP (movement with fixed IP)
– Burying protocol
  • Multicast over non-supporting networks
  • IPv6 over IPv4
– VPN: virtual private networks

• Problem: cannot see the “actual” IP packet (encrypted) or may not look at it

Low-level attacks

• Port scanning
– Send SYN without ACK; receive SYN if open or RST if not
– Send FIN

• “all options on” = Christmas tree (lights it up)
• “all options off” = null
• Either can crash a weak TCP/IP stack

IP Spoofing: apparent problem: the reply is not sent to the attacker
– Attacker can intercept the reply
– Attacker doesn’t care to see it (e.g. DoS)
– Attacker doesn’t want the reply: the smurf attack redirects the response to the target while multiplying replies with a broadcast source

Packet Filtering Pro/Con

• Pro
– One filter can protect an entire network
– Simple filtering is efficient
– Widely available

• Con
– Not perfect: hard to configure and test
– Reduces router performance
– Some security policies cannot be enforced, e.g. block a user

Three main categories of firewalls

• Network layer firewalls. An example would be iptables.

• Application layer firewalls. An example would be TCP Wrappers.

• Application firewalls. An example would be restricting ftp services through the /etc/ftpaccess file.

Network layer firewalls

• Operate at a (relatively) low level of the TCP/IP protocol stack as IP-packet filters, not allowing packets to pass through the firewall unless they match the rules. The firewall administrator may define the rules; or default built-in rules may apply (as in some inflexible firewall systems).

• A more permissive setup could allow any packet to pass the filter as long as it does not match one or more "negative rules", or "deny rules". Today network firewalls are built into most computer operating systems and network appliances.

• Modern firewalls can filter traffic based on many packet attributes like source IP address, source port, destination IP address or port, and destination service like WWW or FTP. They can filter based on protocols, TTL values, netblock of originator, domain name of the source, and many other attributes.

Application-layer firewalls

• Work on the application level of the TCP/IP stack (i.e., all browser traffic, or all telnet or ftp traffic), and may intercept all packets traveling to or from an application. They block other packets (usually dropping them without acknowledgement to the sender). In principle, application firewalls can prevent all unwanted outside traffic from reaching protected machines.

• By inspecting all packets for improper content, firewalls can even prevent the spread of the likes of viruses. In practice, however, this becomes so complex and so difficult to attempt (given the variety of applications and the diversity of content each may allow in its packet traffic) that comprehensive firewall design does not generally attempt this approach.

• The XML firewall exemplifies a more recent kind of application-layer firewall.

A proxy device

• (running either on dedicated hardware or as software on a general-purpose machine) may act as a firewall by responding to input packets (connection requests, for example) in the manner of an application, whilst blocking other packets.

• Proxies make tampering with an internal system from the external network more difficult, and misuse of one internal system would not necessarily cause a security breach exploitable from outside the firewall (as long as the application proxy remains intact and properly configured). Conversely, intruders may hijack a publicly-reachable system and use it as a proxy for their own purposes; the proxy then masquerades as that system to other internal machines. While use of internal address spaces enhances security, crackers may still employ methods such as IP spoofing to attempt to pass packets to a target network.