Embed Size (px)
Citation preview
Lab8:Firewalls&IntrusionDetec6onSystems
FengweiZhang
WayneStateUniversity CSCCourse:CyberSecurityPrac6ce 1
Firewall&IDS• Firewall
– Adeviceorapplica6onthatanalyzespacketheadersandenforcespolicybasedonprotocoltype,sourceaddress,des6na6onaddress,sourceport,anddes6na6onport.Packetsthatdonotmatchpolicyarerejected
• IntrusionDetec6onSystem(IDS)– Adeviceorapplica6onthatanalyzeswholepackets,bothheaderand
payload,lookingforknownevents.Whenaknowneventisdetected,alogmessageisgarneteddetailingtheevent
• IntrusionPreventSystem(IPS)– Adeviceorapplica6onthatanalyzeswholepackets,bothheaderand
payload,lookingforknownevents.Whenaknowneventisdetected,thepacketisrejected
• Moderndevicescombinesallofthesefunc6onsinasingledevice/applica6on(SmartFirewall)
WayneStateUniversity CSCCourse:CyberSecurityPrac6ce 2
TypesofIDS
• Host-basedIDS(HIDS)– Installedlocallyonmachines– Monitoringlocalusersecurity– Monitoringprogramexecu6on– Monitoringlocalsystemlogs
• Network-basedIDS(NIDS)– Sensorsareinstalledonthenetwork– Monitornetworkac6vity(deeppacketinspec6on)
WayneStateUniversity CSCCourse:CyberSecurityPrac6ce 3
TypesofNetwork-basedIDS
• Signature-basedIDS– Comparesincomingpacketswithknownsignatures
– E.g.,Snort,Bro,Suricata• Anomaly-basedIDS– Leansthenormalbehaviorofthesystem– Generatesalertsonpacketsthataredifferentformthenormalbehavior
WayneStateUniversity CSCCourse:CyberSecurityPrac6ce 4
Signature-basedIDS
• An6-virustools• Problems– “Zero-day”a^acks– Polymorphica^acks
WayneStateUniversity CSCCourse:CyberSecurityPrac6ce 5
Anomaly-basedIDS
• Anomaly-basedIDSiscapableofiden6fying“Zero-day”a^acks
• Problems– Highfalseposi6verates– Labeledtrainingdata
WayneStateUniversity CSCCourse:CyberSecurityPrac6ce 6
IDSEvalua6onMetrics• TruePosi6ves(TP)
– Agenuinea^ackisdetected• TrueNega6ves(TN)
– Benigntrafficiden6fiedasbenign• FalsePosi6ves(FP)
– Harmlessbehaviorismisclassifiedasana^ack• Falsenega6ves(FN)
– Agenuinea^ackisnotdetected
• Anintrusiondetec6onsystemis:
– Accurate:ifitdetectsallgenuinea^acks– Precise:ifitneverreportslegi6matebehaviorasana^ack
WayneStateUniversity CSCCourse:CyberSecurityPrac6ce 7
IDSEvalua6onMetrics
• Thetrueposi6verateis:TP/(TP+FN)– TPisthenumberofthetrueposi6ves– FNisthenumberofthefalsenega6ves– TP+FNisthetotalnumberofposi6ves
• Thefalseposi6verate:FP/(FP+TN)– FPisthenumberofthefalseposi6ves– TNisthenumberofthetruenega6ves– FP+TNisthetotalnumberofnega6ves
WayneStateUniversity CSCCourse:CyberSecurityPrac6ce 8
IDSEvalua6onMetrics
• Anundetecteda^ackmightleadtosevereproblems;frequentfalsealarmscanleadtothesystembeingdisabledorignored.AperfectIDSwouldbebothaccurateandprecise
• Supposethatonly1%oftrafficareactuallya^acks;thedetec6onaccuracyofyourIDSis90%;thefalseposi6verateis10%
• Ifyouhaveanalarm,whatisthechancethatitisafalsealarm?
WayneStateUniversity CSCCourse:CyberSecurityPrac6ce 9
IDSEvalua6onMetrics• Supposethatonly1%oftrafficareactuallya^acks
– 1000events:990benign;10a^acks• Thedetec6onaccuracyofyourIDSis90%
– Trueposi6verate:90%– Trueposi6venumber:10*90%=9truealarms
• Thefalseposi6verateis10%– Falseposi6verate:10%– Falseposi6venumber:990*10%=99falsealarms
• P(a^acks/alarms)=9/(9+99)=0.083333• Thereisapproximately92%chancethataraisedalarmis
false
WayneStateUniversity CSCCourse:CyberSecurityPrac6ce 10
Snort
• Signature-basedIDS• CanberunasIPSorIDS• Firstreleasedin1997buts6llupdatedandmaintainedtoday
• LatestversionSnort2.9.8.2
WayneStateUniversity CSCCourse:CyberSecurityPrac6ce 11
SnortRules
alerttcp$EXTERNAL_NETany->$HOME_NETany(msg:"SCANSYNFIN";flags:SF;reference:arachnids,198;classtype:a^empted-recon;sid:624;rev:1;)ruleheader(ruleop6ons)
WayneStateUniversity CSCCourse:CyberSecurityPrac6ce 12
SnortRuleHeader
WayneStateUniversity CSCCourse:CyberSecurityPrac6ce 13
alerttcp$EXTERNAL_NETany->$HOME_NETany(msg:"SCANSYNFIN";flags:SF;reference:arachnids,198;classtype:a^empted-recon;sid:624;rev:1;)alerttcp$EXTERNAL_NETany->$HOME_NETany
ac6on protocol
SrcIP SrcPort
Direc6on
DstIP DstPort
SnortRuleHeaderAc6on
WayneStateUniversity CSCCourse:CyberSecurityPrac6ce 14
alerttcp$EXTERNAL_NETany->$HOME_NETany(msg:"SCANSYNFIN";flags:SF;reference:arachnids,198;classtype:a^empted-recon;sid:624;rev:1;)alerttcp$EXTERNAL_NETany->$HOME_NETany
ac6on protocol
1. alert:Alertsandlogsthepacketwhentriggered.2. log:Onlylogsthepacketwhentriggered.3. pass:Ignoresordropsthepacketortrafficmatching.4. ac0vate:Alertsthenac6vatesadynamicruleorrules.5. dynamic:Ignores,un6lstartedbytheac6vaterule,atwhich6me,actsasalogrule.6. drop:blockandlogthepacket7. reject:blockthepacket,logit,andthensendaTCPresetiftheprotocolisTCPoranICMPport
unreachablemessageiftheprotocolisUDP.8. sdrop:blockthepacketbutdonotlogit.
protocol
SrcIP SrcPort
Direc6on
DstIP DstPort
SnortRuleHeaderProcotol
WayneStateUniversity CSCCourse:CyberSecurityPrac6ce 15
alerttcp$EXTERNAL_NETany->$HOME_NETany(msg:"SCANSYNFIN";flags:SF;reference:arachnids,198;classtype:a^empted-recon;sid:624;rev:1;)alerttcp$EXTERNAL_NETany->$HOME_NETany
ac6on protocol
SrcIP SrcPort
Direc6on
DstIP DstPort
Protocols:TCP,UDP,ICMP,andIPFuturemayinclude:ARP,IGRP,GRE,OSPF,RIP,IPX,etc.
SnortRuleHeaderIP
WayneStateUniversity CSCCourse:CyberSecurityPrac6ce 16
alerttcp$EXTERNAL_NETany->$HOME_NETanyalerttcp192.168.1.0/24any->192.168.1.0/241:1024alerttcp![192.168.1.0/24,10.1.1.0/24]any->192.168.1.44
SrcIP SrcPort DstIP DstPort
• $EXTERNAL_NETisaconfigvaluesetinsnort.conf• IPisspecifiedalsoasdo^ednota6onwithCIDRmasks.
“any”isalsovalid• !isthenega6onoperator• Mul6pleIPspecifica6onscanbeincludedusingsquare
brackets[]andcomma-separa6ng.Donotaddspaces
SnortRuleHeaderPort
WayneStateUniversity CSCCourse:CyberSecurityPrac6ce 17
alerttcp$EXTERNAL_NETany->$HOME_NETanyalerttcp192.168.1.0/24any->192.168.1.0/241:1024alerttcp![192.168.1.0/24,10.1.1.0/24]any->192.168.1.44
SrcIP SrcPort DstIP DstPort
Portcanbespecifiedas:any--anyport1:1024--ports1to1024inclusive55:--ports55andhigher:55--ports0to55(inclusive)
nega6ons6llworks:
!6000:6001 -matchesanyportexcept6000and6001
SnortRuleHeaderDirec6on
WayneStateUniversity CSCCourse:CyberSecurityPrac6ce 18
alerttcp$EXTERNAL_NETany->$HOME_NETanyalerttcp192.168.1.0/24any->192.168.1.0/241:1024alerttcp![192.168.1.0/24,10.1.1.0/24]any->192.168.1.44
SrcIP SrcPort DstIP DstPort
Direc6oncanbespecifiedas:-> FromrightIP/Port(source)toleyIP/Port(des6na6on)<> Anydirec6onNote:<-doesnotexist…sothesnortrulesalwaysreadconsistently.
SnortRuleOp6on
WayneStateUniversity CSCCourse:CyberSecurityPrac6ce 19
alerttcp$EXTERNAL_NETany->$HOME_NETany\(msg:"SCANSYNFIN";flags:SF;reference:arachnids,198;\classtype:a^empted-recon;sid:624;rev:1;)name:value;
msg:<samplemessage> Logsmessageinto/var/snort/logflags:<AFPRSU210> MatchesspecificTCPflagscontent:<text> Matchesspecifiedtextinpacketcontent:|<hexadecimal>|Matchesspecifiedhexcharssid:<snortID> Uniquenumbertoiden6fyruleseasily.Yourrules
shoulduseSIDs>1,000,000rev:<revision#> Rulerevisionnumberreference:<ref> Wheretogetmoreinfoabouttherulegid:<generatorID> Iden6fieswhichpartofSnortgeneratedthealert.
See/etc/snort/gen-msg.mapforvalues
Snort
• Moreinthelab8instruc6on!
WayneStateUniversity CSCCourse:CyberSecurityPrac6ce 20
