Page 1. Review: Firewalls. Goals for Today. Polls. Web Servers. Web Servers. CS (CS 161) Computer Security. Lecture 12

Similar documents
Outline. Intrusion Detection. Intrusion Detection History. Some Challenges. Network-based Host Compromises. Host-based Network Intrusion Detection

Web Security. Outline

UMSSIA INTRUSION DETECTION

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

CSE 565 Computer Security Fall 2018

CISNTWK-440. Chapter 5 Network Defenses

Chapter 9. Firewalls

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems

COMPUTER NETWORK SECURITY

Denial of Service (DoS)

Intruders. significant issue for networked systems is hostile or unwanted access either via network or local can identify classes of intruders:

2. INTRUDER DETECTION SYSTEMS

Security and Authentication

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Chapter 7. Denial of Service Attacks

CS System Security 2nd-Half Semester Review

Chapter 4. Network Security. Part I

Network Security. Chapter 0. Attacks and Attack Detection

CSE 565 Computer Security Fall 2018

ANATOMY OF AN ATTACK!

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Intrusion Detection System (IDS) IT443 Network Security Administration Slides courtesy of Bo Sheng

n Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network

Gladiator Incident Alert

Chapter 10: Denial-of-Services

CompTIA Security+ Malware. Threats and Vulnerabilities Vulnerability Management

Data Communication. Chapter # 5: Networking Threats. By: William Stalling

A Review Paper on Network Security Attacks and Defences

Overview. Handling Security Incidents. Attack Terms and Concepts. Types of Attacks

Emerging Threat Intelligence using IDS/IPS. Chris Arman Kiloyan

Anomaly Detection in Communication Networks

Unit 5. System Security

Spring 2010 CS419. Computer Security. Vinod Ganapathy Lecture 14. Chapters 6 and 9 Intrusion Detection and Prevention

Computer Network Vulnerabilities

Intrusion prevention systems are an important part of protecting any organisation from constantly developing threats.

Lab1. Definition of Sniffing: Passive Sniffing: Active Sniffing: How Does ARP Spoofing (Poisoning) Work?

SYMANTEC ENTERPRISE SECURITY. Symantec Internet Security Threat Report September 2005 Power and Energy Industry Data Sheet

Unit 4: Firewalls (I)

COMPUTER NETWORK SECURITY

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

CyberP3i Course Module Series

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 9

CE Advanced Network Security Honeypots

Last lecture we talked about how Intrusion Detection works. Today we will talk about the attacks. Intrusion Detection. Shell code

Computer Security: Principles and Practice

Raj Jain. Washington University in St. Louis

Basic Concepts in Intrusion Detection

Overview Intrusion Detection Systems and Practices

Intrusion Detection. Comp Sci 3600 Security. Introduction. Analysis. Host-based. Network-based. Distributed or hybrid. ID data standards.

Firewalls 1. Firewalls. Alexander Khodenko

intelop Stealth IPS false Positive

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

IDS: Signature Detection

5. Execute the attack and obtain unauthorized access to the system.

Lecture 12. Application Layer. Application Layer 1

CSE Computer Security

Proxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking

Network Security in the Patched Environment. Guy Helmer, Ph.D. Palisade Systems, Inc.

Firewalls, Tunnels, and Network Intrusion Detection

Network Security Issues and New Challenges

Network Security. Course notes. Version

Improving Your Network Defense. Joel M Snyder Senior Partner Opus One

e-commerce Study Guide Test 2. Security Chapter 10

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

NETWORK THREATS DEMAN

Intrusion Detection - Snort

Applied IT Security. System Security. Dr. Stephan Spitz 6 Firewalls & IDS. Applied IT Security, Dr.

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003

CSCI 454/554 Computer and Network Security. Topic 8.4 Firewalls and Intrusion Detection Systems (IDS)

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

Outline. Internet Security Mechanisms. Basic Terms. Example Attacks

AIT 682: Network and Systems Security

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

CIH

CTS2134 Introduction to Networking. Module 08: Network Security

ProCurve Network Immunity

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

CSE Computer Security (Fall 2006)

Firewalls, IDS and IPS. MIS5214 Midterm Study Support Materials

The Protocols that run the Internet

Indicate whether the statement is true or false.

How were the Credit Card Numbers Published on the Web? February 19, 2004

Overview of Firewalls. CSC 474 Network Security. Outline. Firewalls. Intrusion Detection System (IDS)

Activating Intrusion Prevention Service

THE BUSINESS CASE FOR OUTSIDE-IN DATA CENTER SECURITY

Computer Security: Principles and Practice

Analyzing Huge Data for Suspicious Traffic. Christian Landström, Airbus DS

Flashback.. Internet design goals. Security Part One: Attacks and Countermeasures. Why did they leave it out? Security Vulnerabilities

Presenter Jakob Drescher. Industry. Measures used to protect assets against computer threats. Covers both intentional and unintentional attacks.

NetDefend Firewall UTM Services

Means for Intrusion Detection. Intrusion Detection. INFO404 - Lecture 13. Content

SOC Operations on the Autobahn. Don t let the green grass fool you

Chapter 11: It s a Network. Introduction to Networking

Vulnerability Assessment. Detection. Aspects of Assessment. 1. Asset Identification. 1. Asset Identification. How Much Danger Am I In?

Lecture 12 Malware Defenses. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides based on Bailey s ECE 422

Honeynets. Chris Brenton Dartmouth College Institute for Security Technology Studies (ISTS) ABSTRACT

Locking down a Hitachi ID Suite server

NetDetector The Most Advanced Network Security and Forensics Analysis System

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

Transcription:

Review: Firewalls CS 194-1 (CS 161) Computer Security Lecture 12 Security and Intrusion Detection October 11, 2006 Prof. Anthony D. Joseph http://cs161.org/ Default firewall rule: deny all Other firewall rules: allow tcp *:*/out -> <web server IP>:80/in allow tcp *:*/out -> <web server IP>:443/in drop * *:* -> *:* Lec 12. 2 s Goals for Today Static and Dynamic Content Adding a DMZ to a Firewall Secure Topologies Intrusion Detection History Network-based Host Compromise Host-based Network Intrusion Detection Signature-based, Anomaly-based Distributed Network Intrusion Detection Honeypots, Tarpits An attack against an IDS Lec 12. 3 Polls How many people have set up a personal web server? How many people have set up a business web server? Lec 12. 4 s s DB server serves up static, read-only content from file server Scales up by replicating web servers Can use DNS round-robin or load balancer Add a database server for dynamic content DB used to store per-user info or site content Also, used for authentication, read/write actions, e-commerce, Software connector to DB server Object/Java DataBase Connectivity Lec 12. 5 Lec 12. 6 Page 1

s Static content model: server uses file server for static content, templates, Dynamic content model: server uses database server to retrieve/store dynamic content Can have mixtures Ex: Storing dynamic content in FS Ex: Storing static content in DB What are the security issues? Some Threats and Attacks Replace static content ( defacement ) Exploit vulnerability to access or servers (Distributed) Denial of Service attack Request large image or emulate complex transaction Unauthorized database access Exploit vulnerability (e.g., SQL injection) to read/write database Attack server OS or other services Exploit vulnerability to disable server Lec 12. 7 Lec 12. 8 Replace Static Content ( Defacement ) Cracker exploits a vulnerability to gain access to or s Examples: Flaws in CGI programs Flaws in URL processing Buffer overflows Replaces web pages with their own May also access protected content (Distributed) Denial of Service Attack Cracker performs resource exhaustion attack Overwhelm network, CPU, disk bandwidth, Examples Request large image or file POST large image or file (requires many zombies) Emulate complex transaction Typically use large number of zombies (1,000 s to 100,000 s) Lec 12. 9 Lec 12. 10 Unauthorized Database Access Cracker exploits vulnerability in server to DB server connection to read/write database Example: Use URL or POST attack to inject SQL code Gain access to server, then connect to DB Attacks can compromise DB integrity Attack OS or Other Services Cracker exploits vulnerability to gain access to server Many OS and service vulnerabilities Can be a stepping stone to attacking web service or accessing database Lec 12. 11 Lec 12. 12 Page 2

Stopping Some Attacks Replace static content ( defacement ) Harden server (latest patch levels, minimum services) Limit data on file server (Distributed) Denial of Service attack Add load balancer, DNS round-robin, replicated clusters, Unauthorized database access Harden server (latest patch levels, min. svcs) Sanity check all arguments Attack server OS or other services Harden servers (latest patch levels, min. svcs) Lec 12. 13 Problems Hard to keep servers up-to-date with patches Zero-day exploits Delays in releasing, retrieving, testing, installing patches DDoS attacks still impose load on servers Add layered defense Place firewall between and server Lec 12. 14 Firewall Benefits Helps harden servers by blocking all but web traffic DDoS attacks: add stateful rules or block zombie IP subnets Doesn t work for all content attacks and e-mail server access? VPN Lec 12. 15 Firewall Issues We can add more rules For access to, E-mail server, and other public servers But, what happens if one server or machine is compromised? This is the classic firewall problem: All our machines are now vulnerable! Real issue: We need to both protect public servers and Solution: Place public servers in a DMZ Lec 12. 16 DeMilitarized Zone (DMZ) Administrivia DMZ Separate firewall rules for internal zone and DMZ -DMZ rules only allow web, e-mail traffic VPN Proxy DMZ- rules only allow file, e-mail, remote login from DMZ No - access Where to place e-mail server? Add proxy to isolate e-mail access/storage from e-mail forwarding Lec 12. 17 Lec 12. 18 Page 3

Designing a More Secure Topology Staging DB Design a more secure version of this figure Where to place firewall, DMZ, servers, proxies,? What are the rules? Login Primary DB VPN Design Lec 12. 19 Lec 12. 20 -DMZ rules allow web, e-mail, VPN only One Solution DMZ DMZ- rules allow file, e-mail, staging DB, remote login access only from DMZ hosts - rules deny all VPN Proxy Staging DB Staging DB Login Primary DB Lec 12. 21 Security Summary Public servers are vulnerable to attack OS and services Eliminate unnecessary services Apply all patches Use a DMZ to provide layered defense Place server/proxy in DMZ Place database/file/ real servers in Deny all default for - traffic Lec 12. 22 Intrusion Detection History Detecting attempts to penetrate our systems Used for post-mortem activities Related problem of extrusion (info leaking out) In pre-network days (centralized mainframes) Primary concern is abuse and insider information access/theft Reliance on logging and audit trails But, highly labor intensive to analyze logs What is abnormal activity? Ex: IRS employees snooping records Ex: Moonlighting police officers Lec 12. 23 Network-based Host Compromises How do remote intruders gain access? They attempt network-based attacks that exploit OS & app bugs Ex: Denial of service, spyware install, zombie, Lec 12. 24 Page 4

Host-based Net Intrusion Detection At each host, monitor all incoming and outgoing network traffic for each packet: Analyze 4-tuple and protocol Examine contents Challenge: Separate signal from noise Signal is an attack (intrusion) Noise is normal background traffic Assumption: can separate signal and noise Some Challenges What is normal traffic?, desktop, PDA, PDA/phone, My normal traffic? your normal traffic Lots of data for servers Why do we need sufficient signal and noise separation? To avoid too many false alarms! What happens if signals are missed? Possible intrusion! Lec 12. 25 Lec 12. 26 Some Common False Positives Proximity probes site load balancers will probe your machine for proximity Connect to website hosted by mirror-image.com, and >10 load balancers in 6 countries probe your machine Stale IP caches Using dynamic IP addresses, you may get the old address of someone who was running a P2P app Peers continue to try to re-connect posts with dynamic IP addresses Spiders crawl machine currently using IP address Lec 12. 27 Lots and Lots of Data!! Network trace from Win2K desktop ZoneAlarm Logging Client v3.7.202 Windows 2000-5.0.2195 -Service Pack 4-SP type,date,time,source,destination,transport FWIN,2004/01/15,13:17:38-8:00 GMT,216.183.33.67:42645,128.32.168.229:6129,TCP (flags:s) FWOUT,2004/01/15,13:18:00-8:00 GMT,128.32.168.229:5000,68.26.217.204:5000,UDP FWIN,2004/01/15,13:42:38-8:00 GMT,61.178.60.11:0,128.32.168.229:0,ICMP (type:8/subtype:0) FWIN,2004/01/15,13:42:48-8:00 GMT,62.177.227.10:0,128.32.168.229:0,ICMP (type:8/subtype:0) FWIN,2004/01/15,13:48:12-8:00 GMT,128.32.41.80:1040,128.32.168.229:38293,UDP FWIN,2004/01/15,13:58:30-8:00 GMT,24.224.253.230:2446,128.32.168.229:6129,TCP (flags:s) FWIN,2004/01/15,14:04:40-8:00 GMT,80.116.4.42:0,128.32.168.229:0,ICMP (type:8/subtype:0) FWOUT,2004/01/15,14:04:44-8:00 GMT,128.32.168.229:5000,68.26.217.204:5000,UDP FWIN,2004/01/15,14:07:36-8:00 GMT,210.217.129.194:3598,128.32.168.229:1433,TCP (flags:s) FWIN,2004/01/15,14:15:00-8:00 GMT,128.32.30.70:0,128.32.168.229:0,ICMP (type:8/subtype:0) FWIN,2004/01/15,14:23:20-8:00 GMT,80.56.148.243:0,128.32.168.229:0,ICMP (type:3/subtype:1) FWIN,2004/01/15,14:41:48-8:00 GMT,194.23.44.215:0,128.32.168.229:0,ICMP (type:8/subtype:0) FWIN,2004/01/15,14:43:08-8:00 GMT,61.64.246.192:0,128.32.168.229:0,ICMP (type:8/subtype:0) FWOUT,2004/01/15,14:43:16-8:00 GMT,128.32.168.229:5000,68.26.217.204:5000,UDP FWIN,2004/01/15,15:02:00-8:00 GMT,128.32.168.21:0,128.32.168.229:0,ICMP (type:8/subtype:0) FWIN,2004/01/15,15:06:28-8:00 GMT,81.185.244.166:0,128.32.168.229:0,ICMP (type:8/subtype: 0) FWIN,2004/01/15,15:43:46-8:00 GMT,217.255.55.163:0,128.32.168.229:0,ICMP (type:8/subtype: 0) FWOUT,2004/01/15,15:44:16-8:00 GMT,128.32.168.229:5000,68.26.217.204:5000,UDP FWIN,2004/01/15,15:50:06-8:00 GMT,65.78.10.110:3071,128.32.168.229:3410,TCP (flags:s) FWIN,2004/01/15,15:59:42-8:00 GMT,202.42.49.198:0,128.32.168.229:0,ICMP (type:8/subtype:0) FWIN,2004/01/15,16:07:40-8:00 GMT,68.22.89.249:4088,128.32.168.229:1433,TCP (flags:s) FWIN,2004/01/15,16:08:36-8:00 GMT,193.95.219.45:0,128.32.168.229:0,ICMP (type:3/subtype:1) FWIN,2004/01/15,16:23:50-8:00 GMT,67.37.40.15:4299,128.32.168.229:3410,TCP (flags:s) FWOUT,2004/01/15,16:24:16-8:00 GMT,128.32.168.229:5000,68.26.217.204:5000,UDP Lec 12. 28 Trace Analysis Analyzing Host-based Trace Data ZoneAlarm Logging Client v3.7.202 Windows 2000-5.0.2195-Service Pack 4-SP type,date,time,source,destination,transport FWIN,2004/01/15,13:17:38-8:00 GMT,216.183.33.67:42645,128.32.168.229:6129,TCP (flags:s) FWOUT,2004/01/15,13:18:00-8:00 GMT,128.32.168.229:5000,68.26.217.204:5000,UDP FWIN,2004/01/15,13:42:38-8:00 GMT,61.178.60.11:0,128.32.168.229:0,ICMP (type:8/subtype:0) FWIN,2004/01/15,13:42:48-8:00 GMT,62.177.227.10:0,128.32.168.229:0,ICMP (type:8/subtype:0) FWIN,2004/01/15,13:48:12-8:00 GMT,128.32.41.80:1040,128.32.168.229:38293,UDP b2b-33-67.ip.granderiver.com ping probe Used by the Dameware remote admin sw (old versions have a bug allowing unauthorized login). Dameware also installed by some viruses Lec 12. 29 TCP connection probes on port 445 Day 0 is 2003/03/04 July 23, 2004 (days) MSBlaster Worm Lec 12. 30 Page 5

MSBlaster in Detail MSBlaster in More Detail TCP 445 probes/hr Hour 0 is 15:20 on 2003/07/20 TCP 445 probes / 10 min Minute 0 is 15:20 on 2003/07/20 (hours) Lec 12. 31 (minutes) Lec 12. 32 Example Common Attack Port scanning a host Trying to connect/send data to different ports/protocols: sequential scan of host Nmap tool (http://www.insecure.org/nmap/)» Determines OS/hostname/device type detection via service fingerprinting (ex: SGI IRIX has svc on TCP port 1)» Determines what svc is really listening on a port and can even determine app name and version» Operates in optional obfuscation mode How to detect attack? Intrusion Detection Using Signals This is a misuse detection problem Similar problem to virus detection Match what you know High-level solution: Collect info about attack methods and types» 4-tuple/protocol» Packet contents Create and look for signatures» Slammer packet, port scan, Lec 12. 33 Lec 12. 34 Intrusion Detection Using Noise This is an anomaly detection problem Need to learn normal behavior Match what s different High-level solution: Try to identify what is normal traffic» Common 4-tuple/protocol Heuristic: Look for major deviations (outliers)» Ex: unusual target port, source addr, or port sequence (scan) Apply AI: Statistical Learning Techniques Signature Detection Language to specify intrusion patterns 4-tuple/protocol and potential intrusion values» Ex: External host file server (port 110, 135, )» Ex: Internal workstation external P2P host Packet contents» Could be single or multiple packets (stream reconstruction) Sequence of 4-tuple/protocol and packets» Also, model of protocol/app finite state machine Lots of state in pattern matching engine Example rule: alert tcp any any -> myip 21 (content:"site exec"; content:"%"; msg:"site exec buffer overflow attempt";) Lec 12. 35 Lec 12. 36 Page 6

Signature Detection Snort tool (http://www.snort.org/) 2 million downloads, 100,000+ active users, Advantages Very low false positive (alarm) rate Disadvantages Only able to detect already known attacks Simple changes to attack can defeat detection» Ex: Scan every even port, then every odd port Anomaly Detection Analyze normal operation (behavior), look for anomalies Uses AI techniques: Statistical Learning Techniques Compute statistical properties of features» 4-tuple, protocol, packet contents, packets/sec, range of port numbers, Report errors if statistics are outside of normal range Lec 12. 37 Lec 12. 38 Anomaly Detection Advantages Can recognize evolved and new attacks Disadvantages High false positive rate (alarms) May have delayed alarm Some attacks can hide in normal traffic SLT requires training on known good data Hard to capture protocol state behavior (FSM) Problems when what s normal changes» Ex: flash crowds BREAK Lec 12. 39 Super Stealthy Port Scanning Host A Host B Router 1 Router 2 Router 4 Host C Router 5 Router 6 Router 7 Router 3 Host D Use many zombies (each scans a few ports/hour of target) Each zombie is assigned many machines to scan Fast to scan both one machine, and many Very hard to detect at targets! Host E Lec 12. 41 Distributed Intrusion Detection Place appliance in the network at choke point or, share results across machines Apply signature or anomaly detection across larger data set Advantages: Easier to detect stealth probes of large number of machines Disadvantages: Large amount of data to communicate Lec 12. 42 Page 7

Honeypots Closely monitored network decoys May distract adversaries from more valuable machines on a network May provide early warning about new attack and exploitation trends Enables in-depth examination of adversaries during and after exploitation Lec 12. 43 Honeypots Can simulate one or more network services on one or more machines Can have virtual cluster of machines Causes an attacker to think you're running vulnerable services that can be used to break into the machine Can log access attempts to those ports, including the attacker's source IP and keystrokes Can watch attacker in real-time and trace back/forward Provides advanced warning of an attack Could use to automate generation of new firewall rules Lec 12. 44 Tarpits A very,very sticky honeypot Set up network decoy For each port we want to tarpit, we allow connections to come in, but don t let them out Idea: Slow down scanning tools/worms to kill their performance/propagation because they rely on quick turnarounds Might also give us time to protect real hosts Example Tarpit Implementation Accept any incoming TCP connection When data transfer begins to occur, set TCP window size to zero, so no data can be transferred within the session Hold the connection open, and ignore any requests by remote side to close session Attacker must wait for the connection to timeout in order to disconnect Lec 12. 45 Lec 12. 46 Advantages Tarpits Can customize for specific worms» Ex: analyze incoming packets to port 80 and only tarpit web connections from worms look for cmd.exe (CodeRed) or default.ida (Nimda) Disadvantages Might trap valid host Can cause some operating systems to crash Intrusion Prevention Systems We can detect intrusions, so why not automatically cut off network connections to compromised hosts? Intrusion Prevention Systems do this But, what if we re wrong Possible Denial of Service trick IPS into thinking host is compromised Turn off access our airline reservation server when a fare deal causes very high/different traffic patterns Lec 12. 47 Lec 12. 48 Page 8

Witty Worm March 04: Attacked the IDS Targeted a buffer overflow vulnerability in several of a vendor s IDS products Deletes a randomly chosen sectors of hard drives over time killing system Payload contained phrase: (^.^) insert witty message here (^.^) Lec 12. 49 Witty s Many Firsts First widely propagated worm with a destructive payload First worm with order of magnitude larger hit list than any previous worm Shortest known interval between vulnerability disclosure and worm release 1 day First to spread through nodes doing something proactive to secure their computers / networks Spread through a population almost an order of magnitude smaller than that of previous worms Lec 12. 50 Intrusion Detection Systems Summary Ongoing arms race between attackers and detection technologies Real challenge is false positive rate Renders most IDS useless alerts ignored Adaptive, anomaly detection is promising, but still lacking IPS products are still immature and problematic IDS products are now targets Summary Avoiding attacks against public servers: Eliminate unnecessary services Apply all patches Use a DMZ to provide layered defense Intrusion detection is hard! Crying wolf syndrome Immature products We need new adaptive techniques Ongoing arms race between attackers and defenders Lec 12. 51 Lec 12. 52 Page 9

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback