1 Cyberdefense Technologies Firewalls Intrusion detection And beyond

Page 1: 1 Cyberdefense Technologies Firewalls Intrusion detection And beyond

1

Cyberdefense Technologies

Firewalls

Intrusion detection

And beyond

2

Defensive Strategy

• Deceive the attacker

• Frustrate the attacker

• Resist the attacker

• Recognize and Respond to the attacker

3

Security Desires

• Logging of successful connections, rejected packets and suspected attacks

• Immunity to Denial of Service attacks

• Protection against information gathering probes

4

Defenses against DoS

• The best defense against DDoS attacks is to prevent initial system compromises

• However, even vigilant hosts can become targets because of less prepared, less security-aware hosts

• It is difficult to specifically defend against becoming the ultimate target of a DDoS attack, but protection against being used as a daemon or master system is more easily attainable

5

Ingress Filtering

• Ingress filtering manages the flow of traffic as it enters a network under your administrative control

• Servers are typically the only machines that need to accept inbound connections from the public Internet

• Ingress filtering can be performed at the border to prohibit externally initiated inbound connections to non-authorized services

6

Egress Filtering

• Egress filtering manages the flow of traffic as it leaves a network under your administrative control

• Egress filtering from sources like university campuses can make a difference

• Egress filtering alone does not provide a complete solution to the problem

7

Firewalls

• Defensive “middle ground” between public and protected network

• The demands from a firewall can differ significantly

• An internal network, where a balance has to be found between what can come in and what can go out, a publicly accessible website, or a Virtual Private Network each pose very different problems

8

Firewalls are for policy control

• They permit a site’s administrator to set a policy on external access

• Just as file permissions enforce an internal security policy, a firewall can enforce an external security policy

9

Firewall Technologies

• Network Address Translation (NAT)

• Most use packet filtering rules to determine packet access

• Some use “stateful inspection” to manage connections

• Some application proxy support

– A few allow custom proxy creation *BONUS*

10

Static Packet Filtering

• Uses information in packet headers:

– Destination IP address

– Source IP subnet

– Destination service port

• Information compared with Access Control List (ACL)

• Flag (TCP): stop anything with SYN=1, but port scanners can choose to have ACK=1, FIN=1, all other flags set to 0…

– Flags not an option with UDP

11

Example Attack

Internet router is blocking tcp/udp ports 135-139

Firewall allows only outbound http (80) and smtp (25) traffic

Hacker’s Objective: Gain control of internal NT server from Internet

12

Dynamic Packet Filtering (Stateful Inspection)

• Acts on the same principle as Static Packet Filtering, but maintains a connection or “state” table in order to monitor communication sessions

• Less easy to abuse

• Filtering hard to configure to full satisfaction and reduces router’s performance
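As an added illustration (not from the slides), a toy model of both filters in Python: the static ACL blocks inbound connection requests (SYN=1, ACK=0) yet passes the ACK-only probe the static-filtering slide mentions, while the stateful version drops it because no session exists; the addresses, ports and published-service set are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str        # source address
    dst: str        # destination address
    sport: int      # source port
    dport: int      # destination port
    syn: bool
    ack: bool
    inbound: bool   # True when the packet is entering the protected network

ALLOWED_INBOUND = {80}  # assumed policy: only the web server is published

def static_filter(pkt):
    """Static ACL: permit published services, then block externally initiated
    sessions by dropping inbound SYN=1/ACK=0. Anything else (ACK/FIN probes) passes."""
    if pkt.inbound and pkt.dport in ALLOWED_INBOUND:
        return "allow"
    if pkt.inbound and pkt.syn and not pkt.ack:
        return "deny"
    return "allow"

class StatefulFilter:
    """Records each outbound 4-tuple; an inbound packet to an unpublished port
    is allowed only when it answers a recorded session."""
    def __init__(self):
        self.sessions = set()

    def check(self, pkt):
        if not pkt.inbound:
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        if pkt.dport in ALLOWED_INBOUND:
            return "allow"
        reply_of = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "allow" if reply_of in self.sessions else "deny"

def compare():
    """Verdicts (static, stateful) for a constructed unsolicited ACK-only probe
    to port 139 and for the SYN/ACK reply to a constructed outbound web session."""
    fw = StatefulFilter()
    probe = Packet("203.0.113.5", "10.0.0.7", 40000, 139, syn=False, ack=True, inbound=True)
    out = Packet("10.0.0.7", "198.51.100.9", 51000, 80, syn=True, ack=False, inbound=False)
    reply = Packet("198.51.100.9", "10.0.0.7", 80, 51000, syn=True, ack=True, inbound=True)
    fw.check(out)  # the internal client opens the session; the firewall records it
    return {"probe": (static_filter(probe), fw.check(probe)),
            "reply": (static_filter(reply), fw.check(reply))}
```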

13

Problems with Firewalls

• Conventional firewalls rely on the notions of restricted topology and controlled entry points to function

– Everyone on one side of the firewall is to be trusted

– Anyone on the other side is potentially an enemy

• “extranets” can allow outsiders to reach the “inside” of the firewall

• Some machines need more access to the outside than do others

• End-to-end encryption: firewalls generally do not have the necessary keys to inspect traffic

• Log review, software currency, … (high maintenance)

14

Distributed Firewalls

• In such a scheme, policy is still centrally defined; enforcement, however, takes place on each endpoint

• Helps control trust issues

15

Distributed Firewalls

16

Distributed Client/Server

17

What are Honeypots?

• Honeypots are one of the methods used in intrusion detection

• Set up a "decoy" system

– Non-hardened operating system

– Appears to have several vulnerabilities

– Similar configuration to production

– Fake content

• Deceive intruder for alert and study

18

19

Attracting Blackhats

• What do you do to attract blackhats to your Honeypot?

– Absolutely nothing, that is the scary part. You have to sit back and wait.

– The blackhat community is extremely aggressive; you would be surprised at what they will find.

20

Honeypot as attack host

• Once compromised, can't the bad guys use one of your honeypots to attack someone else?

• That risk exists!

• Use several layers of access control devices that limit and control what type of outbound connections are allowed, and how many

21

The Honeynet project

• Distributed team of security experts

• Hardware to capture and analyze intruder activity

• Evolving honeypot technology and attack analysis

22

What’s wrong with honeypots?

• The insurance model will not allow you to take unnecessary risks without a substantial increase in premium

• Risk management says that honey pots increase risk for demonstrably invalid reasons

• You can learn more by using better instrumentation

• Transient effectiveness

23

Transient Effectiveness

• The threat reality is that most attackers are morons and will attack with DoS if denied real access

• Honey pots must be kept up to date but in general aren’t

• Honey pots must act like the host operating system

• Fix current problems rather than generating new ones

24

Too many hosts to secure

• Virtually all operating systems and network devices are insecure out of the box

– This must change

• Operating systems maintained by normal users must be set to take care of themselves by default

• Growth of the net will be the single largest factor as to why there are so many vulnerable systems

• It is unrealistic to assume that the net will ever be safe

25

Where does IDS fit?

• IDS are useful as an additional layer of defense, no more

• IDS are not helpful when advanced attackers are attacking you with new attacks

• Two major types today: network IDS (Snort) and host IDS (AIDE, log watchers, etc.)

• Missing IDS type: application IDS

• High false alarm rates (wasted admin time)

26

IDS and Policy

• Security Policy is the first step (defining what is acceptable and what is being defended)

• Notification – Who, how fast?

• Response Coordination

27

NMAP

Jane did a portsweep!

28

IDS Implementation Map

[Diagram: IDS Implementation Map. Components shown: Internet; Filtering Router (Perimeter Logs); Firewall (Perimeter Logs); Network IDS (Snort); Statistical IDS (Snort); Generic Server (Host-Based ID, Snort 2.0); Honeypot (Deception System)]

29

Detection Engine

• Rules form “signatures”

• Modular detection elements are combined to form these signatures

• Wide range of detection capabilities

– Stealth scans, OS fingerprinting, buffer overflows, back doors, CGI exploits, etc.

• Rules system is very flexible, and creation of new rules is relatively simple

30

Learning More

• www.snort.org

– Writing Snort Rules: www.snort.org/snort_rules.html

– FAQ, USAGE file, README file, man page

– Snort mailing lists

• Books

– Intrusion Detection: An Analyst’s Handbook by Northcutt

– Intrusion Signatures and Analysis by Northcutt

– The Practical Intrusion Detection Handbook by Paul Proctor

31

But What Slips Through?

• Signatures are based on a traffic model

– Attacks stay with the same source IP set

• Signatures assume fixed characteristics

– Packets involved in an attack keep similar content

• Signatures assume an obvious distinction from legitimate traffic

– What is legitimate is never malicious

32

How do We Catch the Slips?

• Non-signature based collection

– Short-term (hours, max) packet collection, rotating -> libpcap

– Medium-term (weeks, max) headers+content summary -> expanded flow

– Long-term (years) headers+sizes -> flow

• Privacy concerns

• Efficiency concerns

• Sampling concerns

33

What can You Do with Just Flows?

• Indicative, not probative

• Time-series, with departures

– DDoS ramp-up

– Scanning: worms/virus

• Threshold violations

– Spam vs. email

– Streaming media vs. web browsing

• Locality violations

– Malware beaconing

– Worms/virus

– Spyware
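An added example, not part of the deck, of two flow-only checks from the list above run in Python over constructed flow records: a threshold check (distinct SMTP peers per source per hour) and a locality check (a peer contacted at near-constant intervals, i.e. beacon-like). The hosts, timing and threshold values are assumptions, and as the slide says, a hit is indicative, not probative.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp_s, src, dst, dport, bytes). Hosts,
# addresses and timing are made up for the example.
FLOWS = (
    [(t, "10.0.0.7", "198.51.100.9", 443, 512) for t in range(0, 1800, 300)]            # every 300 s
    + [(t, "10.0.0.9", "198.51.100.20", 443, 9000) for t in (10, 95, 400, 1300, 1330)]  # irregular browsing
    + [(3600 + i * 20, "10.0.0.8", f"192.0.2.{i}", 25, 1200) for i in range(40)]         # SMTP fan-out
)

def find_beacons(flows, min_flows=4, max_cv=0.1):
    """Locality check: a (src, dst, dport) triple contacted at near-constant
    intervals is beacon-like. cv = stddev / mean of the inter-arrival gaps."""
    by_peer = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        by_peer[(src, dst, dport)].append(ts)
    beacons = []
    for key, stamps in by_peer.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            beacons.append(key)
    return beacons

def smtp_fanout(flows, window_s=3600, max_peers=20):
    """Threshold check: distinct SMTP (port 25) peers per source per window.
    A mail client talks to a few relays; a spam engine fans out to many hosts."""
    peers = defaultdict(set)
    for ts, src, dst, dport, _ in flows:
        if dport == 25:
            peers[(src, ts // window_s)].add(dst)
    return {src: len(p) for (src, _), p in peers.items() if len(p) > max_peers}

if __name__ == "__main__":
    print("beacon-like peers:", find_beacons(FLOWS))
    print("SMTP fan-out violations:", smtp_fanout(FLOWS))
```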

34

Automated Response

• Ongoing work

• Local indicators fused to alert

• Firewalls/IDS exchange intrusion information

– IODEF standard

• Dynamically alter firewall rules

• Dynamically alter routing tables to reconfigure network

35

Layered Architecture

36

Layered Defenses

[Diagram: a matrix of the defensive layers Frustrate, Deceive, Recognize and Respond against Goal 1 through Goal 8]

Source: Shawn Butler, Security Attribute Evaluation Method