Introduction to firewalls and IDS/IPS

Firewalls




Firewalls

By conventional definition, a firewall is a partition made of fireproof material designed to prevent the spread of fire from one part of a building to another.

A network firewall isolates an organization's internal network from the larger Internet, allowing some packets to pass and blocking others.

[Figure: privately administered network 222.22/16, firewall, Internet]
Firewall goals:
• All traffic from outside to inside and vice versa passes through the firewall.
• Only authorized traffic, as defined by local security policy, will be allowed to pass.
• The firewall itself is immune to penetration.




Firewalls: taxonomy
1. Traditional packet filters
   – filters often combined with a router, creating a firewall
2. Stateful filters
3. Application gateways

Major firewall vendors: Checkpoint, Cisco PIX




Traditional packet filters
Analyzes each datagram going through it; makes the drop decision based on:
• source IP address
• destination IP address
• source port
• destination port
• TCP flag bits
  – SYN bit set: datagram for connection initiation
  – ACK bit set: part of established connection
• TCP or UDP or ICMP
  – Firewalls often configured to block all UDP
• direction
  – Is the datagram leaving or entering the internal network?
• router interface
  – decisions can be different for different interfaces
Filtering Rules - Examples
• Policy: No outside Web access.
  Firewall setting: Drop all outgoing packets to any IP address, port 80.
• Policy: External connections to public Web server only.
  Firewall setting: Drop all incoming TCP SYN packets to any IP except 222.22.44.203, port 80.
• Policy: Prevent IPTV from eating up the available bandwidth.
  Firewall setting: Drop all incoming UDP packets, except DNS and router broadcasts.
• Policy: Prevent your network from being used for a Smurf DoS attack.
  Firewall setting: Drop all ICMP packets going to a "broadcast" address (e.g. 222.22.255.255).
• Policy: Prevent your network from being tracerouted.
  Firewall setting: Drop all outgoing ICMP.
Access control lists
Apply rules from top to bottom:

action   source address         dest address           protocol   source port   dest port   flag bit
allow    222.22/16              outside of 222.22/16   TCP        > 1023        80          any
allow    outside of 222.22/16   222.22/16              TCP        80            > 1023      ACK
allow    222.22/16              outside of 222.22/16   UDP        > 1023        53          ---
allow    outside of 222.22/16   222.22/16              UDP        53            > 1023      ---
deny     all                    all                    all        all           all         all
Access control lists
• Each router/firewall interface can have its own ACL
• Most firewall vendors provide both command-line and graphical configuration interfaces
Advantages and disadvantages of traditional packet filters
• Advantages
  – One screening router can protect an entire network
  – Can be efficient if filtering rules are kept simple
  – Widely available: almost any router, even Linux boxes
• Disadvantages
  – Can possibly be penetrated
  – Cannot enforce some policies, for example permitting only certain users
  – Rules can get complicated and difficult to test
Case Study: iptables

Firewall: iptables
• Converts a Linux box into a packet filter.
• Included in most Linux distributions today.

[Figure: linux host – linux host w/ iptables – external network; your job: configure the iptables host]
Firewall: iptables
• iptables
  – Provides firewall capability to a Linux host
  – Comes installed with most Linux distributions
  – Three types of tables: FILTER, NAT, MANGLE
  – Let's only consider the FILTER table for now
Network or host firewall?
Network firewall: Linux host with 2 interfaces; the filter table sits between the protected network and the Internet.
[Figure: protected network – linux host w/ iptables (filter table) – Internet]

Host firewall: Linux host with 1 interface; the filter table sits between the host and the network.
[Figure: linux host w/ iptables (filter table) – network]
Chain types for host firewall
[Figure: linux host w/ iptables and the network; the INPUT chain handles packets arriving from the network, the OUTPUT chain handles packets the host sends to the network]
INPUT, OUTPUT, FORWARD chains for network firewall
• INPUT chain applies to all packets destined to the firewall
• OUTPUT chain applies to all packets originating from the firewall
• FORWARD chain applies to all packets passing through the firewall.
Chain types for network firewall
[Figure: protected network – linux host w/ iptables – Internet, shown three times for the INPUT chain, the OUTPUT chain and the FORWARD chain]
iptables: Example command

iptables -A INPUT -i eth0 -s 232.16.4.0/24 -j ACCEPT

• Sets a rule
  – Accepts packets that enter from interface eth0 and have a source address in 232.16.4.0/24
• Kernel applies the rules in order.
  – The first rule that matches a packet determines the action for that packet
• Append: -A
  – Adds the rule to the bottom of the list of existing rules
iptables: Example command

iptables -A INPUT -i eth0 -j DROP

• Sets a rule
  – Drops all packets that enter from interface eth0 (except for those accepted by previous rules)
  – DROP is the iptables target name; DENY was the name used by the older ipchains tool and is not accepted by iptables
iptables: More examples

iptables -L
  – list current rules

iptables -F
  – flush all rules

iptables -D INPUT 2
  – deletes 2nd rule in INPUT chain

iptables -I INPUT 1 -p tcp --syn -s 232.16.4.0/24 --dport 22 -j ACCEPT
  – -I INPUT 1: insert INPUT rule at top
  – Accept TCP SYNs from 232.16.4.0/24 to firewall port 22 (ssh); --syn matches segments with SYN set and ACK, RST and FIN clear, and --dport 22 selects the destination port
iptables Options
-p            protocol type (tcp, udp, icmp)
-s            source IP address (the source port is matched with --sport)
-d            dest IP address (the destination port is matched with --dport)
-i            interface name (lo, ppp0, eth0)
-j            target (ACCEPT, DROP, REJECT, LOG)
-j LOG        log this packet (iptables logs through the LOG target; the ipchains -l option is not accepted)
--sport       source port
--dport       dest port
--icmp-type   ICMP message type (with -p icmp)
iptables Table types
• FILTER:
  – What we have been talking about!
  – 3 chain types: INPUT, OUTPUT, and FORWARD
• NAT:
  – Hide internal network hosts from the outside world. The outside world only sees the gateway's external IP address, and no other internal IP addresses
  – PREROUTING, POSTROUTING, and others
• MANGLE
  – Don't worry about it.
Tables, Chains & Rules
• Three types of tables: FILTER, NAT, MANGLE
• A table consists of chains.
  – For example, a filter table can have an INPUT chain, an OUTPUT chain, and a FORWARD chain.
• A chain consists of a set of rules.
Firewall Lab
[Figure: three lab machines m1, m2 and m3]
Configure m2 with iptables.
Stateful Filters
• In the earlier example, any packet with ACK=1 and source port 80 gets in.
  – An attacker could, for example, attempt a malformed packet attack by sending ACK=1 segments
• Stateful filter: adds more intelligence to the filter decision-making process
  – Stateful = remember past packets
  – Memory implemented in a very dynamic state table
Stateful filters: example
• Log each TCP connection initiated through the firewall: SYN segment
• Timeout entries which see no activity for, say, 60 seconds

source address   dest address    source port   dest port
222.22.1.7       37.96.87.123    12699         80
222.22.93.2      199.1.205.23    37654         80
222.22.65.143    203.77.240.43   48712         80

If the rule table indicates that the stateful table must be checked: check to see if there is already a connection in the stateful table.

Stateful filters can also remember outgoing UDP segments.
Stateful example
1) Packet arrives from outside: SA=37.96.87.123, SP=80, DA=222.22.1.7, DP=12699, SYN=0, ACK=1
2) Check filter table ➜ check stateful table

action   source address         dest address           proto   source port   dest port   flag bit   check conxion
allow    222.22/16              outside of 222.22/16   TCP     > 1023        80          any
allow    outside of 222.22/16   222.22/16              TCP     80            > 1023      ACK        x
allow    222.22/16              outside of 222.22/16   UDP     > 1023        53          ---
allow    outside of 222.22/16   222.22/16              UDP     53            > 1023      ---        x
deny     all                    all                    all     all           all         all

3) Connection is listed in connection table ➜ let packet through
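The ACL and the stateful check above, as an added simulator that is not part of the original slides: the five ACL rows are applied top to bottom with first match winning, and the stateful variant only admits an inbound ACK=1 or DNS-reply packet when the connection table holds the outbound SYN or query that opened it, which is what closes the "any ACK=1 packet from source port 80 gets in" hole. The Packet and Rule types and the "high" port spelling for "> 1023" are this example's own conventions; entry timeouts are left out.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("222.22.0.0/16")   # the privately administered 222.22/16

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "TCP" or "UDP"
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False

@dataclass(frozen=True)
class Rule:
    action: str
    src_inside: object   # True = 222.22/16, False = outside of it, None = all
    dst_inside: object
    proto: object        # "TCP", "UDP" or None = all
    sport: object        # int, "high" (> 1023) or None (all)
    dport: object
    ack_required: bool = False   # the "ACK" entry in the flag-bit column
    check_conn: bool = False     # the "x" in the check-connection column

def _side_ok(spec, addr):
    return spec is None or (ip_address(addr) in INTERNAL) == spec

def _port_ok(spec, port):
    return spec is None or (port > 1023 if spec == "high" else port == spec)

def matches(rule, pkt):
    return (_side_ok(rule.src_inside, pkt.src) and _side_ok(rule.dst_inside, pkt.dst)
            and rule.proto in (None, pkt.proto)
            and _port_ok(rule.sport, pkt.sport) and _port_ok(rule.dport, pkt.dport)
            and (pkt.ack or not rule.ack_required))

# The five ACL rows from the slides, applied top to bottom; first match wins.
ACL = [
    Rule("allow", True, False, "TCP", "high", 80),
    Rule("allow", False, True, "TCP", 80, "high", ack_required=True, check_conn=True),
    Rule("allow", True, False, "UDP", "high", 53),
    Rule("allow", False, True, "UDP", 53, "high", check_conn=True),
    Rule("deny", None, None, None, None, None),
]

class Firewall:
    def __init__(self, stateful):
        self.stateful = stateful
        # connection table rows: (inside addr, outside addr, inside port, outside port)
        self.conns = set()

    def decide(self, pkt):
        rule = next(r for r in ACL if matches(r, pkt))   # first matching row
        if rule.action == "allow" and self.stateful:
            if rule.check_conn:
                # inbound reply: admitted only if an inside host opened the connection
                if (pkt.dst, pkt.src, pkt.dport, pkt.sport) not in self.conns:
                    return "deny"
            elif pkt.syn or pkt.proto == "UDP":
                # outbound SYN (or DNS query): remember it in the stateful table
                self.conns.add((pkt.src, pkt.dst, pkt.sport, pkt.dport))
        return rule.action
```

With stateful=False the spoofed ACK=1, source-port-80 packet from the slide is accepted by row 2; with stateful=True it is dropped unless the table already holds the matching SYN.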
Application gateways (aka proxy gateways)
• Gateway sits between the user on the inside and the server on the outside. Instead of talking directly, user and server talk through the proxy.
• Allows more fine grained and sophisticated control than packet filtering. For example, an ftp server may not allow files greater than a set size.
• A mail server is an example of an application gateway
  – Can't deposit mail in the recipient's mail server without passing through the sender's mail server

[Figure: host-to-gateway ftp session, application gateway, gateway-to-remote-host ftp session]
Configuring client
Tools/options/connections/LAN settings/proxies:
Advantages and disadvantages of proxy gateways
• Advantages
  – Proxy can log all connections and activity in connections
  – Proxy can provide caching
  – Proxy can do intelligent filtering based on content
  – Proxy can perform user-level authentication
• Disadvantages
  – Not all services have proxied versions
  – May need a different proxy server for each service
  – Requires modification of the client
  – Performance
Application gateways + packet filter
• Filters packets on application data as well as on IP/TCP/UDP fields.
• Example: allow select internal users to ftp outside.
  1. Require all ftp users to ftp through the gateway.
  2. For authorized users, the gateway sets up an ftp connection to the destination host. The gateway relays data between the 2 connections.
  3. The router filter blocks all ftp connections not originating from the gateway.

[Figure: host-to-gateway ftp session, application gateway, router and filter, gateway-to-remote-host ftp session]
Chaining Proxies
[Figure: proxy 1 forwarding to proxy 2]
Demilitarized Zone (DMZ)
[Figure: internal network – application gateway – firewall – Internet; the demilitarized zone holds the Web server, FTP server and DNS server]
Firewalls: Summary
• Filters
  – Widely available in routers, Linux
• Stateful filters
  – Maintain connection state
• Application gateways
  – Often implemented with SOCKS today
Intrusion Detection/Prevention Systems

Elements of Intrusion Detection
• Primary assumptions:
  – System activities are observable
  – Normal and intrusive activities have distinct evidence
• Components of intrusion detection systems:
  – From an algorithmic perspective:
    • Features - capture intrusion evidence
    • Models - piece the evidence together
  – From a system architecture perspective:
    • Various components: audit data processor, knowledge base, decision engine, alarm generation and responses
Components of Intrusion Detection System
[Figure: Audit Records → Audit Data Preprocessor (system activities are observable) → Activity Data → Detection Engine, driven by Detection Models (normal and intrusive activities have distinct evidence) → Alarms → Decision Engine, driven by a Decision Table → Action/Report]
Intrusion Detection Approaches
• Modeling
  – Features: evidence extracted from audit data
  – Analysis approach: piecing the evidence together
    • Misuse detection (a.k.a. signature-based)
    • Anomaly detection (a.k.a. statistical-based)
• Deployment: Network-based or Host-based
  – Network based: monitor network traffic
  – Host based: monitor computer processes
Misuse Detection
[Figure: activities and intrusion patterns fed into pattern matching, which reports intrusions]

Example: if (src_ip == dst_ip) then "land attack"

Can't detect new attacks
Anomaly Detection
[Figure: bar chart of activity measures (0 to 90) for CPU and process size, comparing the normal profile with abnormal activity flagged as probable intrusion]

Any problem?

Relatively high false positive rate
• Anomalies can just be new normal activities.
• Anomalies caused by other element faults
  • E.g., router failure or misconfiguration, P2P misconfiguration
Host-Based IDSs
• Using OS auditing mechanisms
  – E.g., BSM on Solaris: logs all direct or indirect events generated by a user
  – strace for system calls made by a program (Linux)
• Monitoring user activities
  – E.g., analyze shell commands
• Problems: user dependent
  – Have to install IDS on all user machines!
  – Ineffective for large scale attacks
The Spread of Sapphire/Slammer Worms
[Figure: the spread of the Sapphire/Slammer worm]

Network Based IDSs
[Figure: Internet, gateway routers, our network with host based detection]
• At the early stage of the worm, only limited worm samples.
• Host based sensors can only cover limited IP space, which might have scalability issues. Thus they might not be able to detect the worm in its early stage.
Network IDSs
• Deploying sensors at strategic locations
  – E.g., packet sniffing via tcpdump at routers
• Inspecting network traffic
  – Watch for violations of protocols and unusual connection patterns
• Monitoring user activities
  – Look into the data portions of the packets for malicious code
• May be easily defeated by encryption
  – Data portions and some header information can be encrypted
  – The decryption engine may still be there, especially for exploit
Architecture of Network IDS
[Figure: packet stream → Packet capture (libpcap) → TCP reassembly → Protocol identification → Signature matching (& protocol parsing when needed)]
Firewall/Net IPS vs Net IDS
• Firewall/IPS
  – Active filtering
  – Fail-close
• Network IDS
  – Passive monitoring
  – Fail-open
[Figure: FW and IDS placement]
Related Tools for Network IDS (I)
• While not an element of Snort, Ethereal is the best open source GUI-based packet viewer
• www.ethereal.com offers:
  – Windows
  – UNIX, e.g., www.ethereal.com/download.html
  – Red Hat Linux RPMs: ftp.ethereal.com/pub/ethereal/rpms/

Related Tools for Network IDS (II)
• Also not an element of Snort, tcpdump is a well-established CLI packet capture tool
  – www.tcpdump.org offers UNIX source
  – http://www.winpcap.org/windump/ offers windump, a Windows port of tcpdump
    • windump is helpful because it will help you see the different interfaces available on your sensor
Case Study: Snort IDS

Snort can operate as:
1. A packet sniffer: capture and display packets from the network with different levels of detail on the console
2. Packet logger: log data in a text file
3. Honeypot monitor: deceiving hostile parties
4. NIDS: network intrusion detection system

Typical locations for snort
[Figure: typical locations for snort]

Requirement of snort
• lightweight NIDS
• small, flexible
• highly capable system
Snort architecture
[Figure: Snort architecture]
From: Nalneesh Gaur, Snort: Planning IDS for your enterprise, http://www.linuxjournal.com/article/4668, 2001.
Snort components

Logical components of snort
• Packet Decoder: takes packets from different types of network interfaces (Ethernet, SLIP, PPP…) and prepares them for processing
• Preprocessor: (1) prepares data for the detection engine; (2) detects anomalies in packet headers; (3) packet defragmentation; (4) decodes HTTP URI; (5) reassembles TCP streams.
• Detection Engine: the most important part, applies rules to packets
• Logging and Alerting System
• Output Modules: process alerts and logs and generate the final output.

[Figure: protocol stack from the physical layer up to the TCP/IP layer]
Snort works on the network (IP) layer, the transport (TCP/UDP) layer protocols, and the application layer
Detection Engine
※ Things that need to be inspected by the detection engine:
• The IP header of the packet
• The transport layer header: TCP, UDP, ICMP etc.
• The application layer header: header of DNS, FTP, SNMP, SMTP
• Packet payload

※ How to do these?
Apply rules to the packets using a Boyer-Moore string matching algorithm

※ Requirement
1. Time critical
2. Fast

Detection engine
• Number of rules
• Traffic load on the network
• Speed of network and machine
• Efficiency of detection algorithm
Rules
• In a single line
• Rules are created from known intrusion signatures.
• Usually placed in the snort.conf configuration file.
• A rule consists of a rule header followed by rule options

Rule examples
[Figure: an example rule annotated with its parts: "apply to all ip packets" (protocol), source ip address, source port #, destination ip address, destination port, rule header, rule options; an alert will be generated if the criteria are met]
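A small detection engine, added here as an illustration that is not Snort's code, tying together the misuse-detection example (src_ip == dst_ip, the land attack), the Boyer-Moore matching step and the rule header + rule options layout: rules are written in a Snort-like one-line syntax limited to the msg, content and sameip options, the content pattern is searched in the payload with Boyer-Moore-Horspool (the simplified Boyer-Moore variant), and the two rules and packets are constructed for this example. Addresses in the rule header are written as full CIDR prefixes because Python's ipaddress module does not accept the 222.22/16 shorthand.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    payload: bytes

def horspool_find(pattern, text):
    """Boyer-Moore-Horspool: index of pattern in text, or -1."""
    m, n = len(pattern), len(text)
    if m == 0:
        return 0
    # bad-character table: how far the window may jump for a given last byte
    skip = {pattern[i]: m - 1 - i for i in range(m - 1)}
    i = 0
    while i <= n - m:
        if text[i:i + m] == pattern:
            return i
        i += skip.get(text[i + m - 1], m)   # unseen byte: jump a whole pattern length
    return -1

def parse_rule(line):
    """Split 'action proto src sport -> dst dport (opt:"val"; flag;)' into its parts."""
    head, _, body = line.partition("(")
    action, proto, src, sport, _, dst, dport = head.split()
    opts = {}
    for part in body.rstrip(")").split(";"):
        if part.strip():
            key, _, val = part.strip().partition(":")
            opts[key] = val.strip().strip('"') if val else True   # bare flag -> True
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "opts": opts}

def _addr_ok(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

def _port_ok(spec, port):
    return spec == "any" or int(spec) == port

def detect(rules, pkt):
    """Return the msg of every rule the packet triggers, in rule order."""
    hits = []
    for r in rules:
        if (r["proto"] not in ("ip", pkt.proto) or not _addr_ok(r["src"], pkt.src)
                or not _addr_ok(r["dst"], pkt.dst) or not _port_ok(r["sport"], pkt.sport)
                or not _port_ok(r["dport"], pkt.dport)):
            continue   # rule header does not apply to this packet
        o = r["opts"]
        if "sameip" in o and pkt.src != pkt.dst:       # the land-attack signature
            continue
        if "content" in o and horspool_find(o["content"].encode("latin-1"), pkt.payload) < 0:
            continue
        hits.append(o.get("msg", r["action"]))
    return hits

# Constructed rules in the slides' header + options layout (not from a real ruleset).
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> 222.22.0.0/16 80 (msg:"WEB cgi-bin directory traversal"; content:"cgi-bin/../";)',
    'alert ip any any -> any any (msg:"LAND attack"; sameip;)',
)]
```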
Thank you!