Firewall and IDS. TELE3119: Week8

Transcription

1 Firewall ad IDS TELE3119: Week8

2 Outlie Firewalls Itrusio Detectio Systems (IDSs) Itrusio Prevetio Systems (IPSs) 8-2

3 Example Attacks Disclosure, modificatio, ad destructio of data Compromise a host ad use it as a Lauchpad to attack others Moitor ad capture user passwords, the impersoate the user 8-3

4 Firewalls firewall isolates orgaizatio s iteral et from larger Iteret, allowig some packets to pass, blockig others. admiistered etwork public Iteret firewall 8-4

5 Firewalls May orgaizatios have distict eeds public data (e.g., website) accessible to ayoe iteral data oly accessible to employees Solutio: ier ad out (DMZ) etworks 8-5

6 Firewall Capabilities Cotrol access restrict icomig ad outgoig traffic accordig to security policies Log traffics (for later aalysis) Network address traslatio (NAT) Ecryptio/decryptio 8-6

7 Firewalls: How? prevet deial of service attacks: SYN floodig: attacker establishes may bogus TCP coectios, o resources left for real coectios prevet illegal modificatio/access of iteral data. e.g., attacker replaces CIA s homepage with somethig else allow oly authorized access to iside etwork (set of autheticated users/hosts) three types of firewalls: stateless packet filters stateful packet filters applicatio gateways 8-7

8 Stateless packet filterig Should arrivig packet be allowed i? Departig packet let out? iteral etwork coected to Iteret via router firewall router filters packet-by-packet, decisio to forward/drop packet based o: source IP address, destiatio IP address TCP/UDP source ad destiatio port umbers ICMP message type TCP SYN ad ACK bits 8-8

9 Stateless packet filterig: example example 1: block icomig ad outgoig datagrams with IP protocol field = 17 ad with either source or dest port = 23. all icomig, outgoig UDP flows ad telet coectios are blocked. example 2: Block iboud TCP segmets with ACK=0. prevets exteral cliets from makig TCP coectios with iteral cliets, but allows iteral cliets to coect to outside. 8-9

10 Stateless packet filterig: more examples Policy Firewall Settig No outside Web access. No icomig TCP coectios, except those for istitutio s public Web server oly. Prevet Web-radios from eatig up the available badwidth. Prevet your etwork from beig used for a smurf DoS attack. Prevet your etwork from beig tracerouted Orgaizatio s etwork: /

11 Stateless packet filterig: more examples Policy No outside Web access. No icomig TCP coectios, except those for istitutio s public Web server oly. Prevet Web-radios from eatig up the available badwidth. Prevet your etwork from beig used for a smurf DoS attack. Prevet your etwork from beig tracerouted Firewall Settig Drop all outgoig packets to ay IP address, port 80 Drop all icomig TCP SYN packets to ay IP, except , port 80 Drop all icomig UDP packets - except DNS ad router broadcasts. Drop all ICMP packets goig to a broadcast address (e.g ). Drop all outgoig ICMP TTL expired traffic Orgaizatio s etwork: /

12 Access Cotrol Lists ACL: table of rules, applied top to bottom to icomig packets: (actio, coditio) pairs actio source address dest address protocol source port dest port flag bit allow /16 outside of /16 TCP > ay allow outside of / /16 TCP 80 > 1023 ACK allow /16 outside of /16 UDP > allow outside of / /16 UDP 53 > dey all all all all all all 8-12

13 Stateless filterig Decisios are made o a per-packet basis o state iformatio about previous packets is maitaied e.g., how to hadle fragmeted packets? tiy-fragmet attack: fragmet the packet so most of the TCP header i a secod fragmet Easy to implemet but havig limited capabilities 8-13

14 Stateful packet filterig stateless packet filter: heavy haded tool admits packets that make o sese, e.g., dest port = 80, ACK bit set, eve though o TCP coectio established: è DoS how about filterig TCP ACK packets too? actio source address dest address protocol source port dest port flag bit allow outside of / /16 TCP 80 > 1023 ACK stateful packet filter: track status of every TCP coectio track coectio setup (SYN), teardow (FIN): ca determie whether icomig, outgoig packets makes sese timeout iactive coectios at firewall: o loger admit packets 8-14

15 Coectio Table: example source address dest address Source port dest port Three ogoig TCP coectios All iitiated from withi the orgaizatio Check coectio i ACL rules 8-15

16 Stateful packet filterig ACL augmeted to idicate eed to check coectio state table before admittig packet actio source address allow /16 allow outside of /16 dest address outside of / /16 proto source port dest port TCP > flag bit ay check coxio TCP 80 > 1023 ACK x allow /16 outside of /16 UDP > allow outside of / /16 UDP 53 > x dey all all all all all all 8-16

17 Attack example A attacker seds a packet TCP source port 80 ACK flag set TCP dest port IP source Firewall checks the coectio table Reject or accept? 8-17

18 Stateful filterig Decisios are made i the cotext of coectios (flows) if packet starts a ew coectio: check rules for ew coectios if packet is part of a existig coectio: check rules for the existig coectio, ad the update the state of the coectio More powerful tha stateless packet filterig ca recogize more sophisticated threats ca implemet more complex policies 8-18

19 ACL use-case: Telet 8-19

20 Telet The followig rules allow user to telet from to ay destiatio, but ot vice-versa 8-20

21 ACL use-case: FTP 8-21

22 FTP The followig rules allow user to FTP (ot passive FTP) from ay IP to the FTP server ( ) (problems?) 8-22

23 Applicatio gateways filters packets o applicatio data as well as o IP/TCP/UDP fields. example: allow selected iteral users to telet outside. host-to-gateway telet sessio applicatio gateway gateway-to-remote host telet sessio router ad filter 1. reuire all telet users to telet through gateway. 2. for authorized users, gateway sets up telet coectio to dest host. Gateway relays data betwee 2 coectios 3. router/filter blocks all telet coectios ot origiatig from gateway. 8-23

24 Limitatios of firewalls ad gateways IP spoofig: router ca t kow if data really comes from claimed source filters ofte use all or othig policy for UDP if multiple app s. eed special treatmet, each has ow app. gateway cliet software must kow how to cotact gateway. e.g., must set IP address of proxy i Web browser computatioally expesive tradeoff: degree of commuicatio with outside world, level of security may highly protected sites still suffer from attacks 8-24

25 Itrusio detectio systems packet filterig: operates o TCP/IP headers oly o correlatio check amog sessios IDS: itrusio detectio system deep packet ispectio: look at packet cotets (e.g., check character strigs i packet agaist database of kow virus, attack strigs) examie correlatio amog multiple packets port scaig etwork mappig DoS attack 8-25

26 Itrusio detectio systems multiple IDSs: differet types of checkig at differet locatios applicatio gateway firewall Iteret iteral etwork IDS sesors Web server FTP server DNS server demilitarized zoe 8-26

27 IDS Detect if attacks are beig attempted or if system has bee compromised IDS should be: accurate, fast, flexible, easy to uderstad ad maage 8-27

28 Measurig Accuracy Evets are actios occurrig i the system (e.g., file access, logi, etc) A itrusio is a evet that is a part of a attack A alarm is geerated if a evet is diagosed as beig a itrusio itrusio o-itrusio alarm true positive false positive o alarm false egative true egative 8-28

29 Measurig Accuracy (ct d) True positive rate: fractio of itrusios correctly detected False egative rate: fractio of itrusio icorrectly detected FNR = 1 TPR True egative rate: fractio of o-itrusio correctly diagosed False positive rate: fractio of o-itrusio icorrectly diagosed FPR = 1 - TNR 8-29

30 Measurig Accuracy (ct d) It is trivial to have 100% TPR or 0% FPR how? Need both...challegig 8-30

31 Example evets, 300 itrusios, 2800 alarms of which 298 are correct diagose, 2502 are ot: TPR =? FNR =? TNR =? FPR =? 8-31

32 Example evets, 300 itrusios, 2800 alarms of which 298 are correct diagose, 2502 are ot: TPR = 298 /300 = 99.3% FNR = 1 - TPR = 0.7% TNR = [(70, ) 2502]/(70, ) = 96.4% FPR = 3.6% 8-32

33 Base-Rate Fallacy IDS ofte suffers from base-rate fallacy itrusios are rare evets; o-itrusios are commo correctly detected itrusios are swapped by icorrectly detected o-itrusios! Previous example: oly 298 out of 2800 alarms (10.6%) are correct i reality, ofte less tha 1% alarms are real itrusios 8-33

34 IDS types Sigature-based systems Aomaly-based systems 8-34

35 Sigature-Based IDS Detect attack usig sigatures Siffs packets, compares with sigatures i DB characteristics of real attacks Set of characteristics about a sigle packet or a series of packets Oly detect already-kow attacks Alerts are geerated FPR is low, but FNR is high 8-35

36 Aomaly Detectio Defie a model of ormal behavior, try to detect deviatio from it Potetially detect ew (ot previouslyecoutered) attacks FNR is low, FPR is high 8-36

37 Example Metrics Freuecy of a evet è alert if too high e.g. sudde expoetial growth i port sca Time betwee evets è alert if too small e.g. iordiate percetage of ICMP packets Resource utilizatio è alert if too high Statistical measures (mea, stadard deviatio etc) Markov process: expected likelihood of trasitio from oe system state to aother, or from oe output to aother 8-37

38 Where is IDS Deployed? Host-based IDS moitors activities o a sigle host Network-based IDS moitors traffic (e.g., packet headers) 8-38

39 Host-Based IDS Use OS moitorig mechaisms to fid compromised applicatios e.g., file accesses ad system calls Advatage: better visibility ito behavior of idividual apps Example: virus detectio. How? 8-39

40 Host-Based IDS: Problems Need a IDS for every machie May be tampered by the attacker o the same machie Oly local view of the attack 8-40

41 Network-Based IDS Passively ispect etwork traffic ad moitor traffic patter protocol violatios, uusual coectio patters... Advatage: sigle NIDS ca detect may hosts ad look for widespread patters of activity 8-41

42 NIDS: problems may be defeated by ecryptio ot all attacks arrive from the etwork must process huge amout of etwork traffic overload NIDS with huge data streams, the attack 8-42

43 NIDS example: Sort Popular ope-source NIDS Liux, UNIX ad Widows Uses the geeric siffig iterface libpcap Similar to Wireshark Ca hadle 100Mbps of traffic Multiple istaces are eeded for Gbps+ Large ruleset for vulerabilities (more tha 4000) Supported by commuity of security experts Withi a few hours of a ew attack, the sigature is released! 8-43

44 Sort sigature alert icmp $EXTERNAL_NET ay -> $HOME_NET ay (msg: ICMP PING NMAP ; dsize: 0; itype: 8;) Sigature: Ay packets eter the orgaizatio s etwork from the outside, type 8 (ICMP pig), empty payload (dsize=0) Alert: ICMP PING NMAP 8-44