CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 12

Similar documents
CIS 551 / TCOM 401 Computer and Network Security. Spring 2006 Lecture 22

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 13

Computer and Network Security

Computer and Network Security

The Internet is not always a friendly place In fact, hosts on the Internet are under constant attack How to deal with this is a large topic

Basic NAT Example Security Recitation. Network Address Translation. NAT with Port Translation. Basic NAT. NAT with Port Translation

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 8

CSC Network Security

How Chicken Little sees the Internet

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

Configuring attack detection and prevention 1

ECCouncil EC Ethical Hacking and Countermeasures V7. Download Full Version :

Internet Security: Firewall

HP High-End Firewalls

Chapter 8 roadmap. Network Security

Introduction to Computer Security

Fundamental Questions to Answer About Computer Networking, Jan 2009 Prof. Ying-Dar Lin,

W is a Firewall. Internet Security: Firewall. W a Firewall can Do. firewall = wall to protect against fire propagation

Firewalls, Tunnels, and Network Intrusion Detection

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Configuring attack detection and prevention 1

Our Narrow Focus Computer Networking Security Vulnerabilities. IP-level vulnerabilities

Network Security: Firewall, VPN, IDS/IPS, SIEM

CE Advanced Network Security

Application Firewalls

CSE 565 Computer Security Fall 2018

Applied IT Security. System Security. Dr. Stephan Spitz 6 Firewalls & IDS. Applied IT Security, Dr.

Princess Nora Bint Abdulrahman University College of computer and information sciences Networks department Networks Security (NET 536)

Global Information Assurance Certification Paper

4.1.3 Filtering. NAT: basic principle. Dynamic NAT Network Address Translation (NAT) Public IP addresses are rare

Unit 4: Firewalls (I)

Network Security: Firewalls. Tuomas Aura T Network security Aalto University, Nov-Dec 2013

firewalls perimeter firewall systems firewalls security gateways secure Internet gateways

Lecture 6: Worms, Viruses and DoS attacks. II. Relationships between Biological diseases and Computers Viruses/Worms

Network Defenses 21 JANUARY KAMI VANIEA 1

COSC 301 Network Management

20-CS Cyber Defense Overview Fall, Network Basics

Flashback.. Internet design goals. Security Part One: Attacks and Countermeasures. Why did they leave it out? Security Vulnerabilities

Scanning. Course Learning Outcomes for Unit III. Reading Assignment. Unit Lesson UNIT III STUDY GUIDE

Basic Concepts in Intrusion Detection

Fireware-Essentials. Number: Fireware Essentials Passing Score: 800 Time Limit: 120 min File Version: 7.

CS61C Machine Structures Lecture 37 Networks. No Machine is an Island!

UTM 5000 WannaCry Technote

Firewalls and NAT. Firewalls. firewall isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others.

Proxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking

Load Balancing Technology White Paper

9th Slide Set Computer Networks

4. The transport layer

Network Control, Con t

Network Defenses KAMI VANIEA 1

Configuring Flood Protection

Dan Boneh, John Mitchell, Dawn Song. Denial of Service

Outline. What is TCP protocol? How the TCP Protocol Works SYN Flooding Attack TCP Reset Attack TCP Session Hijacking Attack

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

Network Defenses 21 JANUARY KAMI VANIEA 1

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

CSE 565 Computer Security Fall 2018

Worm Detection, Early Warning and Response Based on Local Victim Information

CSCD58 WINTER 2018 WEEK 6 - NETWORK LAYER PART 1. Brian Harrington. February 13, University of Toronto Scarborough

Unit 2.

0x1A Great Papers in Computer Security

Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y / P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A

Protection of Communication Infrastructures

CSC 474/574 Information Systems Security

Computer Security and Privacy

Assignment - 1 Chap. 1 Wired LAN s

INFS 766 Internet Security Protocols. Lecture 1 Firewalls. Prof. Ravi Sandhu INTERNET INSECURITY

What is a firewall? Firewall and IDS/IPS. Firewall design. Ingress vs. Egress firewall. The security index

Lecture 6. Internet Security: How the Internet works and some basic vulnerabilities. Thursday 19/11/2015

Forwarding and Routers : Computer Networking. Original IP Route Lookup. Outline

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 3 Protecting Systems

Outline. WEP privacy. Side-channel attacks. WEP shared key. WEP key size and IV size. Crypto failures, cont d

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

Firewall and IDS/IPS. What is a firewall?

CIS 551 / TCOM 401 Computer and Network Security. Spring 2006 Lecture 16

Overview. Computer Network Lab, SS Security. Type of attacks. Firewalls. Protocols. Packet filter

Features of a proxy server: - Nowadays, by using TCP/IP within local area networks, the relaying role that the proxy

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper

H3C SecPath Series High-End Firewalls

Intranets 4/4/17. IP numbers and Hosts. Dynamic Host Configuration Protocol. Dynamic Host Configuration Protocol. CSC362, Information Security

network security s642 computer security adam everspaugh

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

CompTIA Security+ CompTIA SY0-401 Dumps Available Here at:

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003

CIT 480: Securing Computer Systems

Introduction to Network. Topics

Cisco s Appliance-based Content Security: IronPort and Web Security

Chapter 4: Networking and the Internet. Network Classifications. Network topologies. Network topologies (continued) Connecting Networks.

Managing SonicWall Gateway Anti Virus Service

Network Security. Thierry Sans

Stateless Firewall Implementation

Overview of Firewalls. CSC 474 Network Security. Outline. Firewalls. Intrusion Detection System (IDS)

New Directions in Traffic Measurement and Accounting. Need for traffic measurement. Relation to stream databases. Internet backbone monitoring

Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path. Review of TCP/IP Internetworking

INF5290 Ethical Hacking. Lecture 3: Network reconnaissance, port scanning. Universitetet i Oslo Laszlo Erdödi

The Bro Cluster The Bro Cluster

internet technologies and standards

TCP Overview Revisited Computer Networking. Queuing Disciplines. Packet Drop Dimensions. Typical Internet Queuing. FIFO + Drop-tail Problems

CSCI 466 Midterm Networks Fall 2013

Transcription:

CIS 551 / TCOM 401 Computer and Network Security Spring 2007 Lecture 12

Announcements Project 2 is on the web. Due: March 15th Send groups to Jeff Vaughan (vaughan2@seas) by Thurs. Feb. 22nd. Plan for today: Talk about the impact of firewalls and filters Firewalls, NATs, etc. 2/23/07 CIS/TCOM 551 2

Summary: Reactive Defense Reaction time: required reaction times are a couple minutes or less (far less for bandwidth-limited scanners) Containment strategy: content filtering is more effective than address blacklisting Deployment scenarios: need nearly all customer networks to provide containment need at least top 40 ISPs provide containment 2/23/07 CIS/TCOM 551 3

Kinds of Firewalls Personal firewalls Run at the end hosts e.g. Norton, Windows, etc. Benefit: has more application/user specific information Network Address Translators Rewrites packet address information Filter Based Operates by filtering based on packet headers Proxy based Operates at the level of the application e.g. HTTP web proxy 2/23/07 CIS/TCOM 551 4

Network Address Translation Idea: Break the invariant that IP addresses are globally unique 10.0.1.15 10.0.1.13 171.69.210.246 NAT Internet 10.0.1.12 10.0.1.14 NAT Port 10.0.1.14 2/23/07 CIS/TCOM 551 5

NAT Behavior NAT maintains a table of the form: <client IP> <client port> <NAT ID> Outgoing packets (on non-nat port): Look for client IP address, client port in the mapping table If found, replace client port with previously allocated NAT ID (same size as PORT #) If not found, allocate a new unique NAT ID and replace source port with NAT ID Replace source address with NAT address 2/23/07 CIS/TCOM 551 6

NAT Behavior Incoming Packets (on NAT port) Look up destination port number as NAT ID in port mapping table If found, replace destination address and port with client entries from the mapping table If not found, the packet is not for us and should be rejected Table entries expire after 2-3 minutes to allow them to be garbage collected 2/23/07 CIS/TCOM 551 7

Benefits of NAT Only allows connections to the outside that are established from inside. Hosts from outside can only contact internal hosts that appear in the mapping table, and they re only added when they establish the connection Some NATs support firewall-like configurability Can simplify network administration Divide network into smaller chunks Consolidate configuration data Traffic logging 2/23/07 CIS/TCOM 551 8

Drawbacks of NAT Rewriting IP addresses isn t so easy: Must also look for IP addresses in other locations and rewrite them (may have to be protocol-aware) Potentially changes sequence number information Must validate/recalculate checksums Hinder throughput May not work with all protocols Clients may have to be aware that NAT translation is going on Slow the adoption of IPv6? Limited filtering of packets / change packet semantics For example, NATs may not work well with encryption schemes that include IP address information 2/23/07 CIS/TCOM 551 9

Firewalls Filter Filter Inside Gateway Outside Filters protect against bad packets. Protect services offered internally from outside access. Provide outside services to hosts located inside. 2/23/07 CIS/TCOM 551 10

Filtering Firewalls Filtering can take advantage of the following information from network and transport layer headers: Source Destination Source Port Destination Port Flags (e.g. ACK) Some firewalls keep state about open TCP connections Allows conditional filtering rules of the form if internal machine has established the TCP connection, permit inbound reply packets 2/23/07 CIS/TCOM 551 11

Three-Way Handshake 2/23/07 CIS/TCOM 551 12

Ports Ports are used to distinguish applications and services on a machine. Low numbered ports are often reserved for server listening. High numbered ports are often assigned for client requests. Port 7 (UDP,TCP): echo server Port 13 (UDP,TCP): daytime Port 20 (TCP): FTP data Port 21 (TCP): FTP control Port 23 (TCP): telnet Port 25 (TCP): SMTP Port 79 (TCP): finger Port 80 (TCP): HTTP Port 123 (UDP): NTP Port 2049 (UDP): NFS Ports 6000 to 6xxx (TCP): X11 2/23/07 CIS/TCOM 551 13

Filter Example Action ourhost port theirhost port comment block * * BAD * untrusted host allow GW 25 * * allow our SMTP port Apply rules from top to bottom with assumed default entry: Action ourhost port theirhost port comment block * * * * default Bad entry intended to allow connections to SMTP from inside: Action ourhost port theirhost port comment allow * * * 25 connect to their SMTP This allows all connections from port 25, but an outside machine can run anything on its port 25! 2/23/07 CIS/TCOM 551 14

Filter Example Continued Permit outgoing calls to port 25. Action src port dest port flags comment allow 123.45.6.* * * 25 * their SMTP allow * 25 * * ACK their replies This filter doesn t protect against IP address spoofing. The bad hosts can pretend to be one of the hosts with addresses 123.45.6.*. 2/23/07 CIS/TCOM 551 15

Snort Snort is a lightweight intrusion detection system: Real-time traffic analysis Packet logging (of IP networks) Rules based logging to perform content pattern matching to detect a variety of attacks and probes: such as buffer overflows, stealth port scans, CGI attacks, SMB probes, etc. Example Rule: alert tcp any any -> 192.168.1.0/24 143 (content:" E8C0 FFFF FF /bin/sh"; msg:"new IMAP Buffer Overflow detected!";) Generates an alert on all inbound traffic for port 143 with contents containing the specified attack signature. The Snort web site: http://www.snort.org/docs/ Question: How do you come up with the filter rules? 2/23/07 CIS/TCOM 551 16

Internet Telescopes Can be used to detect large-scale, wide-spread attacks on the internet. Existing IP addresses Unused addresses Worm sends randomly 2/23/07 CIS/TCOM 551 17

Internet Telescopes Can be used to detect large-scale, wide-spread attacks on the internet. Existing IP addresses UCSD monitors 17M+ addresses Worm sends randomly Telescope monitors packets for large range of unused addresses 2/23/07 CIS/TCOM 551 18

Internet Telescopes Can be used to detect large-scale, wide-spread attacks on the internet. Existing IP addresses UCSD monitors 17M+ addresses Worm sends randomly Telescope monitors packets for large range of unused addresses 2/23/07 CIS/TCOM 551 19

Automated Worm Fingerprinting Paper by Singh, Estan, Varghese, and Savage Assumptions: All worms have invariant content Invariant packets will appear frequently on the network Worms are trying to propagate, after all Packet sources and destinations will show high variability Sources: over time number of distinct infected hosts will grow Destinations: worms scan randomly Distribution will be roughly uniform (unlike regular traffic that tends to be clustered) 2/23/07 CIS/TCOM 551 20

High-prevalence strings are rare 2/23/07 CIS/TCOM 551 21

Naïve Content Sifting ProcessTraffic(packet, srcip, dstip) { count[packet]++; Insert(srcIP, dispersion[packet].sources); Insert(dstIP, dispersion[packet].dests); if (count[packet] > countthresh && size(dispersion[packet].sources) > srcthresh && size(dispersion[packet].dests) > dstthresh) { Alarm(packet) } } Tables count and dispersion are indexed by entire packet content. 2/23/07 CIS/TCOM 551 22

Problems with Naïve approach Frequency count is inaccurate: Misses common substrings Misses shifted content Ideally, would index count and dispersion by all substrings of packet content (of some length) Counting every source and destination is expensive. Too much data to process every packet. Most packets are going to be uninteresting. Tables count and dispersion will be huge! 2/23/07 CIS/TCOM 551 23

Engineering Challenges To support 1Gbps line rate have 12us to process each packet. Naïve implementation can easily use 100MB/sec for tables. Don't want to just do naïve sampling E.g. don't want to just look at 1/N of the packets because detecting the worm will take N times as long 2/23/07 CIS/TCOM 551 24

Practical Content Sifting Reduce size of count table by: Hashing the packet content to a fixed size (not cryptographic hashes) Hash collisions may lead to false positives So, do multiple different hashes (say 3) -- worm content is flagged only if counts along all hashes exceed a threshold Include the destination port in the hash of the packet content Current worms target specific vulnerabilities, so they usually aim for a particular port. To check for substring matches they propose to use a Rabin fingerprint Probabilistic, incrementally computable hash of substrings of a fixed length. 2/23/07 CIS/TCOM 551 25

Multistage Filters, Pictorially 2/23/07 CIS/TCOM 551 26

Tracking Address Dispersion In this case, we care about the number of distinct source (or destination) addresses in packets that contain suspected worm data. Could easily keep an exact count by using a hash table, but that becomes too time and memory intensive. In the limit, need one bit per address to mark whether it has been seen or not. Instead: Keep an approximate count Scalable bitmap counters Reduce memory requirements by 5x 2/23/07 CIS/TCOM 551 27

Scalable Bitmap Counters Suppose there are 64 possible addresses and you want to use only 32 bits to keep track of them. High-level idea: Hash the address into a value between 0 and 63 Use only the lower 5 bits (yielding 32) To estimate actual number of addresses, multiply the number of bits set in the bitmap by 2. 2/23/07 CIS/TCOM 551 28

Multiple Bitmaps, Pictorially Recycle bitmaps after they fill up Adjust the scale factors on the counts accordingly 2/23/07 CIS/TCOM 551 29

Results Earlybird successfully detects and extracts virus signatures from every known recent worm (CodeRed, MyDoom, Sasser, Kibvu.B, ) Tool generates content filter rules suitable for use with Snort 2/23/07 CIS/TCOM 551 30

Analysis False Positives: SPAM BitTorrent Common protocol headers HTTP and SMTP Some P2P system headers Solution: whitelist by hand False Negatives: Hard (impossible?) to prove absence of worms Over 8 months Earlybird detected all worm outbreaks reported on security mailing lists 2/23/07 CIS/TCOM 551 31

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback