Intrusion Protection

Mark Shtern

Protection systems

• Firewalls
• Intrusion detection and protection systems
• Honeypots
• System Auditing

Firewall Types

• Network
– Packet filters
– Proxy servers
– Stateful inspection
– Can be hardware-based or software-based
• Application
– Packet filters
– Stateful inspection

Packet filtering Firewalls

• Permits or denies packets based on socket pairs

• Packet filters operate at layer 4 of the OSI model

• Defined packet filters are applied to examine traffic attempting to enter or attempting to exit an interface

• Packet filters do not maintain state

Proxy Server Firewalls

• Clients configured to use a proxy server package

• The proxy server completes client requests on behalf of the requesting clients, if permitted

Proxy Server Types

• Circuit-level proxy servers only understand the socket portion of a request (IP address, port number, and protocol)

• Application-level proxy servers also understand the internal commands for each type of application
– for example, can recognize FTP commands for PUT, GET, MPUT, MGET, and so on

Stateful Inspection Firewalls

• Generally permits all outbound sessions initiated by internal clients (unless an ACL imposes restrictions)
– a state table entry is created for each allowed connection
• Allows return traffic belonging to the same session
• Generally denies all inbound sessions initiated by external clients (unless an ACL allows exceptions)
– a state table entry is created for each allowed connection

Stateful Inspection Firewalls

• State table entries track:
– source and destination IP addresses
– source and destination port numbers
– protocol
– TCP sequence numbers and acknowledgment numbers
– TCP session state
• SYN Received, SYN-ACK Sent, Established
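The two slides above describe a policy and a state table; the following is an added example (not from the slides) that models both in a few lines: an internal client may open a session, its return traffic is allowed because the state table remembers it, and an unsolicited inbound session is denied. The internal network 10.1.1.0/24, the hosts and the packets are constructed for the example, and no ACL exceptions are modelled.

```python
# Added example, not from the slides: a minimal stateful-inspection state table
# that applies the policy on the two "Stateful Inspection Firewalls" slides.
# The internal network, the hosts and the packets are all constructed here.
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.1.1.0/24")   # assumed "inside" network
SYN, ACK = 0x02, 0x10                  # TCP flag bits

class StatefulFirewall:
    def __init__(self):
        # key: (src, sport, dst, dport, proto) of the packet that opened the session
        self.table = {}

    @staticmethod
    def _key(p, reverse=False):
        a = (p["src"], p["sport"])
        b = (p["dst"], p["dport"])
        return (b if reverse else a) + (a if reverse else b) + (p["proto"],)

    def filter(self, p):
        """Return 'allow' or 'deny' for one packet dict, updating the state table."""
        flags = p.get("flags", 0)
        key, rkey = self._key(p), self._key(p, reverse=True)
        if key in self.table:                      # client -> server direction of a known session
            if self.table[key] == "SYN-ACK Sent" and flags & ACK:
                self.table[key] = "Established"
            return "allow"
        if rkey in self.table:                     # return traffic of a known session
            if self.table[rkey] == "SYN Received" and flags & SYN and flags & ACK:
                self.table[rkey] = "SYN-ACK Sent"
            return "allow"
        # a new session is only accepted from an internal client (no ACL modelled)
        if ip_address(p["src"]) in INTERNAL and flags & SYN and not flags & ACK:
            self.table[key] = "SYN Received"
            return "allow"
        return "deny"                              # unsolicited inbound session

def demo():
    """Constructed traffic: one outbound HTTP handshake, then an unsolicited inbound SYN."""
    fw = StatefulFirewall()
    syn = dict(src="10.1.1.5", sport=40000, dst="198.51.100.10", dport=80, proto="tcp", flags=SYN)
    syn_ack = dict(src="198.51.100.10", sport=80, dst="10.1.1.5", dport=40000, proto="tcp", flags=SYN | ACK)
    ack = dict(syn, flags=ACK)
    inbound = dict(src="203.0.113.9", sport=5555, dst="10.1.1.5", dport=22, proto="tcp", flags=SYN)
    verdicts = [fw.filter(x) for x in (syn, syn_ack, ack, inbound)]
    return verdicts, list(fw.table.values())
```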

Examples of Firewalls

• Network
– Firestarter
– Windows Firewall
• Application
– Mod_evasive
– Mod_security_common

Intrusion Detection Systems

• An IDS detects attempts at network intrusion
– Host-based or network-based sensors collect data for local analysis or uploading to a centralized analysis engine
– When intrusion is detected a log entry or alert can be generated

Detection methods

• Signature analysis
– discernable pattern of a previously seen attack
– network scans, port scans, malicious payloads
• Statistical anomaly
– unusual usage patterns
– log on at unusual hours, uncharacteristically high usage of a protocol
• Protocol anomaly
– an undefined or non-standard use of a protocol
– IP header Protocol field value greater than 137
– TCP header Urgent field set to non-zero value with URG flag set to zero
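As an added example (not from the slides), the two protocol-anomaly cases listed above can be checked directly on raw packet bytes: the IP Protocol field is byte 9 of the IPv4 header, and the TCP URG flag and urgent pointer sit at bytes 13 and 18-19 of the TCP header. The packets are constructed in the block (the threshold 137 is the slide's value); only IPv4 without options is handled.

```python
# Added example, not from the slides: protocol-anomaly checks for the two cases
# on the "Detection methods" slide, run over constructed raw IPv4 packets.
import struct

URG = 0x20  # URG flag bit in the TCP flags byte

def ipv4_packet(proto, payload=b""):
    """Build a constructed 20-byte IPv4 header (no options) plus payload."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                      bytes([10, 1, 1, 1]), bytes([10, 1, 1, 2]))
    return hdr + payload

def tcp_segment(flags, urgent_ptr, sport=1234, dport=80):
    """Build a constructed 20-byte TCP header with the given flags and urgent pointer."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, urgent_ptr)

def protocol_anomalies(pkt):
    """Return the list of anomaly names found in one raw IPv4 packet."""
    found = []
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ["not-ipv4"]
    ihl = (pkt[0] & 0x0F) * 4                # header length in bytes
    proto = pkt[9]
    if proto > 137:                          # slide's threshold for an undefined Protocol value
        found.append("ip-protocol-out-of-range")
    if proto == 6 and len(pkt) >= ihl + 20:  # TCP: compare URG flag with the urgent pointer
        tcp = pkt[ihl:ihl + 20]
        flags = tcp[13]
        urgent_ptr = struct.unpack("!H", tcp[18:20])[0]
        if urgent_ptr != 0 and not flags & URG:
            found.append("tcp-urgent-pointer-without-urg")
    return found

# Constructed sample traffic: one normal PSH/ACK segment and two anomalous packets.
SAMPLES = {
    "normal": ipv4_packet(6, tcp_segment(flags=0x18, urgent_ptr=0)),
    "bad-urg": ipv4_packet(6, tcp_segment(flags=0x18, urgent_ptr=7)),
    "bad-proto": ipv4_packet(200),
}

def scan(samples=SAMPLES):
    """Map each sample name to the anomalies detected in it."""
    return {name: protocol_anomalies(pkt) for name, pkt in samples.items()}
```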

IDS types

• Network-based
– Monitors entire network
– NIC operates in promiscuous mode
– Complicated sniffers that check all packets against signatures
• Host-based
– Protects only the host system on which it resides
– Network card operates in non-promiscuous mode

Intrusion Prevention Systems

• An IDS receives a copy of network traffic for analysis and reporting
– malicious packets reach their targets
– analysis and reporting is after the fact
• An IPS is a pass-through device inline with the traffic
– detected malicious packets are dropped at the IPS and do not reach their intended targets

Snort

• Intrusion protection and prevention system
• Rules-based detection engine
• Network sniffer
• Snort runs on various operating systems and hardware platforms, including many UNIX systems and Windows
• Large default rule set (several thousand)

Snort Modes

• Packet Sniffer Mode
– In Packet Sniffer Mode Snort acts like tcpdump and is used for testing.
– Type "snort -v" at the command prompt to start Snort in sniffer mode
– Other switches
• -d displays the application layer
• -e displays the data link layer
• Packet Logger Mode
– Same as Packet Sniffer Mode but it also logs the output.
– Type "snort -dev -l /var/log/snort" where -l is the switch for logging and /var/log/snort is the directory to save the output.

Snort Modes

• Intrusion Detection Mode
– In this mode Snort applies signature rules to all captured packets
– If a packet matches a rule, it is logged or an alert is generated

Writing Snort Rules

• Figure out what is "bad"
• Capture traffic that includes the "bad" stuff
• Learn the protocol
• Figure out why the "bad stuff" is bad
• Write a rule
• Test the rule

Rule Format - basic rule

• alert tcp 10.1.1.1 any -> 10.1.1.2 80 (msg:"foo"; content:"bar";)

Rule Format

• alert tcp 10.1.1.1 any -> 10.1.1.2 80 (msg:"foo"; content:"bar";)
• Actions
– alert, log, pass, activate, dynamic, drop, sdrop
• Acceptable protocols:
– TCP, UDP, ICMP, IP
• Direction
– ->, <>
• Body
– msg, content etc

Honeypot

• A monitored decoy to lure attackers away from critical resources
– simulates various OSs and application servers

• A tool to analyze an attacker’s methods and other characteristics

Honeypot Modes

• Research mode
– collecting data on attacker motivations, attack trends, and emerging threats
• Production mode
– to prevent, detect, and respond to attacks
– impeding scans
– diverting an attacker to the honeypot rather than critical files
– capturing polymorphic code
– acquiring attack signatures
– providing attack information for analysis

Honeypot Software

• LaBrea
• Honeyd

Legal issues

• An organization may be liable if its honeypot is used to launch attacks against another network

• Attacker might claim entrapment if apprehended through use of a honeypot
– Never explicitly invite interaction with the honeypot

Auditing

• Logs are the primary record keepers of system and network activity
– Basis for fast recovery when a service is modified illegally
– Basis for tracking the break-in

System logs

• Windows
– Application, System and Security
• Linux
– Syslog files /var/log/*

Problems in Managing Logs

• No periodic review
• The log files may be modified by the intruder
• Log size constraint
• Failure to collect critical information

Audit tools

• Syslog – log collection system
• Audit – subsystem in the Linux kernel that generates audit records (auditctl, ausearch, aureport)
• Logwatch – log analysis system
• Lire – log analyzer system