Network Defenses

  • View
    27

  • Download
    3

Embed Size (px)

DESCRIPTION

Network Defenses. Brad Karp UCL Computer Science. CS GZ03 / 4030 10 th December, 2007. Outline. Firewalls: Simple, perimeter-based security Intrusion Detection Systems (IDSes) Searching for signatures in traffic to detect (and block) attacks e.g., Bro, Snort - PowerPoint PPT Presentation

Transcript

  • Network DefensesBrad KarpUCL Computer ScienceCS GZ03 / 403010th December, 2007

  • OutlineFirewalls:Simple, perimeter-based securityIntrusion Detection Systems (IDSes)Searching for signatures in traffic to detect (and block) attackse.g., Bro, SnortAutomated Worm Signature GenerationFast, automatic discovery of signatures that match worms accurately (for use in IDSes)e.g., EarlyBird, Honeycomb, Autograph, Polygraph

  • Firewalls: Perimeter-Based DefenseDefine trusted perimeter (typically boundary of own infrastructure)All packets between Internet and trusted perimeter flow through firewallFirewall inspects, filters traffic to limit access to non-secure services by remote, untrusted hostsInternetLocal Site NetworkFirewall

  • Firewall: Physical Topology vs. Filtering PoliciesTopological placement of firewall depends on perimeter at which defense desired, e.g.,Firewall between companys net and InternetFirewall between secret future product groups LAN and rest of companys netFirewall A between Internet and public servers, firewall B between servers and rest of companys netSoftware personal firewall on desktop machineFiltering policy depends on which attacks want to defend against, e.g.,Packet filtering routerApplication-level gateway (proxy for ftp, HTTP, &c.)Personal firewall disallows Internet Explorer from making outbound SMTP connections

  • Background: Internet Services and Port NumbersRecall that UDP and TCP protocols identify service by destination 16-bit port numberWell-known services: typically listen on ports
  • Non-Secure ServicesNFS server (port 2049)Recall: can read/write entire file system given file handle for any directoryFile handles guessable on many platformsPortmap (port 111)Relays RPC requests, so they appear to come from localhostFTP (port 21)Client instructs server to connect to self; can instead direct server to connect to 3rd party (bounce attack)Yellow pages/NISAllows remote retrieval of password databaseAny server with a vulnerabilityMS SQL (UDP 1434), DNS (53), rlogin (513), lpd (515),

  • Firewalls: Packet FilteringExamine protocol fields of individual packets; filter according to rulesIP source, destination addressesIP protocol IDTCP/UDP source, destination portsTCP packet flags (e.g., SYN, FIN, )ICMP message typeExample: to prevent remote lpd exploit, block all inbound TCP packets to destination port 515Remote users shouldnt be printing at your site anyway

  • Firewall Example:Blocking Source SpoofingBlock traffic from outside your site with a source address in your sites address blockEgress filtering: block traffic from within your site with a source address not in your sites address blocke.g., rule: deny ip not from 128.16/16 recv em0 xmit em1InternetLocal Site (128.16/16)IP src 128.16.1.13IP src 192.150.187.61em0em1

  • Firewall Example:Blocking Outbound MailWorms often use infected hosts to send spam or confidential documentsDefense: authorize only a few servers at site to send outbound mail; filter all outbound mail connections from otherse.g., rules:allow tcp from 128.16.1.20 not to 128.16/16 dst-port 25deny tcp from 128.16/16 not to 128.16/16 dst-port 25

  • Firewall Example:Block All Inbound Traffic by DefaultLittle control over what software users run on desktops (including servers) at most sitesMay wish to avoid remote exploits of any software run on users desktopsPolicy:disallow all inbound TCP connections but those to known legitimate servers (e.g., one public web server, one mail server)allow all outbound TCP connectionsImplementation:Stateless way: drop all inbound TCP packets with SYN flag set, but not ACK flag

  • Stateful FirewallingStateful way to implement outbound TCP only:Firewall stores state for every active TCP connection (src IP, src port, dst IP, dst port)Only forwards legal packets for current statee.g., if connection unknown, only allow outbound packets with SYN flag set, but not ACK flage.g., if connection known, only allow inbound packets with data after SYN/ACK seenTime out connection state for long-idle connectionsAlso used to block inbound UDP onlyNo standard SYN, ACK fields in UDP to support stateless filteringRisk: state memory exhaustion on firewall

  • Firewalling Complex ProtocolsConsider FTPClient connects to server, instructs server to open TCP connection back to client on specified client-side portClients firewall wont allow inbound connection!One solution: application-level proxyClients firewall starts FTP application-level proxy upon detecting FTP sessionProxy on firewall acts as client for TCP connections with remote server, server for TCP connections with local clientCan enforce policy for many protocols (SMTP, HTTP, &c.)But not used for encrypted protocols (SSL, SSH, &c.)

  • Bro: Intrusion Detection SystemGoals:detect remote attacks on local networkdetect what attackers have done after breaking into local machinesRemote attacks:Buffer overflows on serversPassword guessing&c.

  • Bro ModelBro runs on UNIX machine connected between firewall and outside world (i.e., on DMZ)Monitors all traffic in and outAnalyzes packets to detect likely intruderse.g., reassemble TCP flows, search for regular expressions in reassembled dataPolicies: rules to match against traffic, supplied by administratorReacts to threatsAlert administratorLog traffic for later analysis after detecting attackDynamically block traffic from offending source IPs

  • Bros GoalsProcess traffic in real-time for high-speed links; cant miss packets or may miss attacksReal-time alertsSeparate mechanism from policyLanguage for expressing patterns to search for in trafficExtensibilityResilience to attack

  • Bro Architecture

  • Worm Antibodies for IDSes: SignaturesGoal: limit worms spread within vulnerable population, without negatively impacting innocuous network trafficFirst step: identify signature that matches worms content, but only that worms contentGoal: limit worms spread within vulnerable population, without negatively impacting innocuous network trafficSecond step: filter all traffic matching signature05:45:31.912454 90.196.22.196.1716 > 209.78.235.128.80: . 0:1460(1460) ack 1 win 8760 (DF)0x0000 4500 05dc 84af 4000 6f06 5315 5ac4 16c4E.....@.o.S.Z...0x0010 d14e eb80 06b4 0050 5e86 fe57 440b 7c3b.N.....P^..WD.|;0x0020 5010 2238 6c8f 0000 4745 5420 2f64 6566P."8l...GET./def0x0030 6175 6c74 2e69 6461 3f58 5858 5858 5858ault.ida?XXXXXXX0x0040 5858 5858 5858 5858 5858 5858 5858 5858XXXXXXXXXXXXXXXX . . . . .0x00e0 5858 5858 5858 5858 5858 5858 5858 5858XXXXXXXXXXXXXXXX0x00f0 5858 5858 5858 5858 5858 5858 5858 5858XXXXXXXXXXXXXXXX0x0100 5858 5858 5858 5858 5858 5858 5858 5858XXXXXXXXXXXXXXXX0x0110 5858 5858 5858 5858 5825 7539 3039 3025XXXXXXXXX%u9090%0x01a0 303d 6120 4854 5450 2f31 2e30 0d0a 436f0=a.HTTP/1.0..Co.Signature for CodeRed IISignature: A Payload Content String Specific To A Worm Our networkXTraffic FilteringInternetSignature for CodeRed II

  • Fundamental Challenges:Worm Signature GenerationSpeed: worms spread exponentiallyFlash worms: infect entire Internet in 15 min.Today: manual; hours or daysAccuracy: do no harm to innocuous trafficSensitive: match all worms low false negative rateSpecific: match only worms low false positive rateAdversarial user model: worm authors actively adapt, try to evade deployed defenses

  • Automated Signature GenerationStep 1: Select suspicious flows using heuristicsStep 2: Generate signature using content-prevalence analysisOur networkTraffic FilteringInternetAutograph MonitorSignatureXSignatureSignature

  • Initial AssumptionsFocus on TCP worms that propagate via scanningActually, any transport in which spoofed sources cannot communicate successfully whose framing is known to monitorWorms payloads share a single common substring of non-trivial lengthworm not polymorphic

  • S1: Suspicious Flow SelectionInitial, Simple Heuristic: Flows from scanners are suspiciousFocus on successful flows from IPs that made unsuccessful connections to more than s destinations in last 24 hoursSuitable heuristic for TCP worm that scans network

    Suspicious Flow PoolHolds reassembled, suspicious flows captured during the last time period t Triggers signature generation if there are more than flows

    Autograph (s = 2)Non-existentNon-existentThis flow will be selected

  • S1: Suspicious Flow SelectionHeuristic: Flows from scanners are suspiciousFocus on the successful flows from IPs who made unsuccessful connections to more than s destinations for last 24 hoursSuitable heuristic for TCP worm that scans network

    Suspicious Flow PoolHolds reassembled, suspicious flows captured during the last time period t Triggers signature generation if there are more than flows

  • S2: Signature GenerationRationaleWorms propagate by duplicating themselvesNon-polymorphic worms contain significant invariant content

    How to find the most frequent byte sequences?

  • Worm Payload PartitioningUse the entire payloadBrittle to byte insertion, deletion, reordering

    GARBAGEEABCDEFGHIJKEGCSXXXXFlow 1Flow 2GARBAGEABCDEFGHIJKEGCSXXXXX

  • Worm Payload PartitioningPartition flows into non-overlapping small blocks and count the number of occurrencesFixed-length PartitionStill brittle to byte insertion, deletion, reordering

    GARBAGEEABCDEFGHIJKEGCSXXXXFlow 1Flow 2GARBAGEABCDEFGHIJKEGCSXXXXX

  • Worm Payload PartitioningContent-based Payload Partitioning (COPP)Partition where low-order bits of Rabin fingerprint over a window of payload match breakmark [LBFS]Configurable parameters: content block size (minimum, average, maximum), breakmark, sliding window

    Breakmark= low 8 bits of fingerprint (ABCD)= low 8 bits of fingerprint (EGCS)GARBAGE