Page 1

Firewalls and intrusion detection systems

Bencsáth Boldizsár

Page 2

Outline

– Firewalls
– Intrusion detection systems (IDS)

Page 3

Introduction

– A firewall is a system or group of systems that enforces an access control policy between networks
– Mostly the goal is to protect TCP/IP networks
– Other possible firewalls: between applications in a Windows environment, Java Card firewalls, etc.
– Functions:
  • Blocking traffic
  • Permitting traffic
  • Enabling secure remote connections (VPN)
  • Logging traffic
  • Content filtering (blocking): viruses, attacks
  • Network management purposes (screening the traffic, etc.)

Page 4

Main goals

The main goal of firewalling is:
– to control unnecessary services and traffic
– to hide our internal network topology and services
– to protect against protocol errors (e.g. invalid SMTP commands can be filtered)
– to enable logging
– to control the activity of internal users
– every accessible point is a possible security hole: with firewalling we minimize the accessible points and make it more difficult to mount an attack
– we can make it more difficult to exploit a vulnerability: e.g. with tftp denied it is more difficult to send files out to the Internet after an attack
– we can separate the network into subnetworks: an intrusion will not compromise our whole system, just a subnetwork or a server

Page 5

A firewall is not good for…

– Stopping information flow/leakage: data can be leaked out even through DNS applications or e.g. HTTP tunnels. It is very hard to protect against covert channels.
– Complete protection against intrusions: a single open port can be used to gain privileged access. An application proxy might not stop attacks through badly formed parameters, etc.
– An industry spy can use the fax machine to transport secrets…

Page 6

Packet filtering – disable access to unwanted services

Port scan of a host before filtering:

  Port      State     Service
  9/tcp     open      discard
  13/tcp    open      daytime
  21/tcp    open      ftp
  22/tcp    open      ssh
  23/tcp    open      telnet
  25/tcp    open      smtp
  37/tcp    open      time
  79/tcp    open      finger
  80/tcp    open      http
  109/tcp   open      pop-2
  110/tcp   open      pop-3
  139/tcp   open      netbios-ssn
  143/tcp   open      imap2
  515/tcp   open      printer
  587/tcp   open      submission
  1723/tcp  open      pptp
  3128/tcp  open      squid-http

The same host seen through the packet filter:

  Port      State     Service
  21/tcp    open      ftp
  22/tcp    open      ssh
  25/tcp    open      smtp
  80/tcp    open      http
  110/tcp   open      pop-3
  143/tcp   open      imap2
  3128/tcp  filtered  squid-http

Page 7

Packet filtering

– Filtering based on the network layer of the IP stack
– Filtering rules are described in a rule base
– Default permit / default deny design
– Most routers have packet filtering capabilities
– A good packet filter…
  • permits connections to really-needed services
  • also filters internal access – most of the intrusions come from employees
  • detects anomalies – e.g. a TCP packet without a SYN handshake
  • filters out all the services that we do not use currently (not only those we don't want to show)
  • hides internal network elements and architecture (NAT)
  • filters the services available to internal hosts (e.g. filters out streaming)

Main problem: stateless or stateful filtering? And how?

Page 8

Packet filtering

Packet filtering rules are mostly based on:
– IP protocol (UDP, TCP, …)
– source IP address
– destination IP address
– source/destination port (socket)
– connection state (TCP: SYN, RST, established, … or e.g. FTP states)
– (rate control)
– (filter rules based on a time schedule – e.g. no streaming before 8 p.m.)
– incoming/outgoing interface
– etc.
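The rule criteria listed on pages 7 and 8 (protocol, source prefix, destination port, connection state, time schedule) and the "TCP packet without a SYN handshake" anomaly, put together as a toy stateful packet filter. This is an added example, not code from the slides: the rule base, the addresses, the 10.0.0.0/16 internal prefix and port 1935 as the "streaming" port are all constructed for illustration.

```python
from collections import namedtuple
from datetime import time

Packet = namedtuple("Packet", "proto src dst sport dport flags")   # constructed header; flags: "S", "SA", "A", ...
Rule = namedtuple("Rule", "action proto src dport state after",
                  defaults=("any", "any", None, "any", None))       # src: address prefix; after: time of day

class StatefulFilter:
    def __init__(self, rules):
        self.rules = rules   # evaluated in order, first match wins, default deny
        self.flows = set()   # accepted TCP flows as (src, sport, dst, dport)

    def state(self, p):
        if p.proto != "tcp":
            return "new"                                       # UDP etc.: no handshake to track here
        if (p.src, p.sport, p.dst, p.dport) in self.flows or (p.dst, p.dport, p.src, p.sport) in self.flows:
            return "established"
        return "new" if p.flags == "S" else "invalid"          # TCP without a SYN handshake: anomaly

    def decide(self, p, now):
        """Return (verdict, state) for packet p seen at time of day `now`."""
        st, verdict = self.state(p), "drop"                    # default deny
        for r in self.rules:
            if (r.proto in ("any", p.proto) and (r.src == "any" or p.src.startswith(r.src))
                    and r.dport in (None, p.dport) and r.state in ("any", st)
                    and (r.after is None or now >= r.after)):
                verdict = r.action
                break
        if verdict == "accept" and st == "new" and p.proto == "tcp":
            self.flows.add((p.src, p.sport, p.dst, p.dport))   # remember the handshake
        return verdict, st

# Constructed rule base for an internal 10.0.0.0/16 network; 1935 stands in for a streaming port.
RULES = [
    Rule("accept", "tcp", state="established"),                 # replies inside accepted flows
    Rule("drop", "tcp", state="invalid"),                        # no handshake seen: drop
    Rule("accept", "tcp", src="10.0.", dport=22, state="new"),   # internal hosts may open SSH
    Rule("accept", "tcp", src="10.0.", dport=1935, state="new", after=time(20, 0)),  # streaming only after 8 p.m.
]

def demo():
    fw, day, evening = StatefulFilter(RULES), time(9, 0), time(21, 0)
    return [
        fw.decide(Packet("tcp", "10.0.0.5", "203.0.113.7", 40000, 22, "S"), day),       # SSH out: new, accept
        fw.decide(Packet("tcp", "203.0.113.7", "10.0.0.5", 22, 40000, "SA"), day),      # SYN/ACK back: established
        fw.decide(Packet("tcp", "203.0.113.7", "10.0.0.5", 443, 40001, "A"), day),      # ACK with no handshake: invalid
        fw.decide(Packet("tcp", "10.0.0.5", "203.0.113.9", 40002, 1935, "S"), day),     # streaming before 8 p.m.: drop
        fw.decide(Packet("tcp", "10.0.0.5", "203.0.113.9", 40002, 1935, "S"), evening), # same after 8 p.m.: accept
    ]
```

A real connection tracker also ages flows out and checks sequence numbers; the point here is how state turns a stateless port rule into one that rejects unsolicited packets.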

Page 9

Application gateway

– Proxies rebuild the whole protocol (application layer gateway)
– Needs to know the exact specification of the protocol we use
– Can investigate the content of the flow
– Can protect against protocol errors
– More vulnerable to DoS
– Can be more complicated for (internal) users (e.g. telnet proxy)
– Lower performance
– Higher security

Page 10

Packet filter vs. application gateway

– Packet filtering without states is insecure
– Stateful packet filtering is fast
– Stateful packet filtering might not protect against some protocol errors
– Application gateways are more sophisticated
– Application gateways are (mostly) not transparent, so an internal web server behind an application gateway cannot log who is downloading the page (every request arrives from the gateway)
– Modern solutions mix the two methods.

Page 11

Rule sets – example

– Linux iptables (rules are appended to the INPUT chain and evaluated in order):

  # accept incoming telnet
  /sbin/iptables -A INPUT -j ACCEPT -p tcp -d 0/0 -v --dport 23
  # log new POP3 connections (only SYN set among SYN,ACK,FIN,RST); LOG does not stop evaluation, so the next rule accepts them
  /sbin/iptables -A INPUT -j LOG -p tcp -d 0/0 -v --dport 110 --tcp-flags SYN,ACK,FIN,RST SYN
  /sbin/iptables -A INPUT -j ACCEPT -p tcp -d 0/0 -v --dport 110
  # drop connections to the squid proxy port
  /sbin/iptables -A INPUT -j DROP -p tcp -d 0/0 -v --dport 3128

– Checkpoint Firewall – text form (one "accept any" rule of a rule base):

  :rule-base ("##Standard"
    :rule (
      :src ( : Any )
      :dst ( : Any )
      :services ( : Any )
      :action ( : (accept
        :type (accept)
        :color ("Dark green")
        :macro (RECORD_CONN)
        :icon-name (icon-accept)
        :text-rid (61463)
        :windows-color (green) ) )
    )
  )

– Graphical tools / ruleset generators help

Page 12

Architecture / Basic

  Internet --- router --- firewall --- Internal network

The firewall "filters the traffic"; it can be a dual-homed gateway or a simple packet filter (screening router).

Page 13

Elements

– Dual-homed gateway (two network interfaces) / single-homed gateway (one interface), attached to the internal network
– Gateway: application level border element, e.g. a proxy server

Page 14

Packet filter only – screening router

  Internet --- router (packet filter) --- Internal network

This can be a single screening router.

Page 15

Packet filter with bastion host

  Internet --- router (packet filter) --- bastion host --- Internal network

Bastion host, here: a dual-homed gateway == proxy server == application level firewall

Page 16

Packet filter with bastion host and internal packet filter

  Internet --- router (packet filter) --- bastion host --- internal packet filter --- Internal network

Bastion host, here: a proxy firewall

Page 17

Packet filter with bastion host, DMZ, internal packet filter

  Internet --- router (packet filter) --- [ DMZ: bastion host (proxy firewall), mail server, web server ] --- internal packet filter --- Internal network

DMZ: De-Militarized Zone. Many different topologies can be considered.

Page 18

Platform and other parameters

– Windows, Linux, Solaris, proprietary OS
– Hardened operating system
– With or without hardware
– Working method (stateful inspection, application proxy)
– Number of interfaces
– Authentication methods
– Maximum traffic
– Ease of use
– Price

Page 19

Commercial & free products

– iptables, netfilter packet filtering
– Windows internal port filtering (and IPSEC (policies), network sharing, routing, etc.)
– Checkpoint Firewall (FW-1): Linux, Windows, Nokia
– Cisco PIX
– Symantec Enterprise Firewall (<- Raptor)
– Secure Computing Sidewinder (incl. Gauntlet)
– Zorp (Balabit)
– NAI Firewall (Gauntlet -> Secure Computing)
– Evaluation: ICSA, Common Criteria, …

Page 20

Personal firewalls

– Every single host on the Internet is a target
– Most users do not use tight security (no updates, bad passwords, no security settings)
– Attacked clients might become zombies for a DoS attack or a relay for spam and other attacks
– They need some protection
– Personal firewalls are mostly simple packet filters
– Drop incoming service requests (my Windows PC is not a file server)
– Alert on (anomalous) outgoing requests
– Can protect against trojans / information leakage / privacy problems too
– Can be integrated with virus protection

Page 21

Intrusion detection systems

– Intrusion detection: detecting inappropriate, incorrect, or anomalous activity
– misuse detection != intrusion detection
– Host-based: operates on a (single) host
– Network-based: operates on network data flows (e.g. a network card in promiscuous mode on a dedicated host)

Page 22

IDS categories

– In-kernel vs. userspace
– Distributed vs. atomic
– Host-based vs. network-based
– Statistical vs. signature detection
– Active vs. passive
– Proactive vs. retroactive
– Flat vs. hierarchical
(Justin Lundy)

Page 23

Host-based IDS

– Checking log files for traces of attacks
– Checking the condition of processes
– Looking for anomalies in the authentication system (why is X logging in from Thailand? why is Z logging in during the weekend?)
– Checking the fingerprints of the installed binaries (operating system integrity)
– Checking for malicious user code – possible hacker tools, rootkits
– Version (and critical security hole) checking
– Checking for invalid www request URLs in the web server's log files
– Personal firewall? …
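The "fingerprints of the installed binaries" check from the list above, as an added example that is not part of the slides: a baseline of SHA-256 fingerprints is taken over a directory tree and later compared against a fresh snapshot to report modified, added and missing files. The directory layout, file contents and the simulated changes in demo() are constructed.

```python
import hashlib
import os
import tempfile

def fingerprint(path, chunk=1 << 16):
    """SHA-256 of a file, streamed so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Map every regular file under root (path relative to root, '/' separated) to its fingerprint."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):   # skip symlinks and special files
                snap[os.path.relpath(full, root).replace(os.sep, "/")] = fingerprint(full)
    return snap

def compare(baseline, current):
    """Files whose fingerprint changed, plus files added or removed since the baseline was taken."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
    }

def demo():
    """Constructed scenario in a temporary directory: take a baseline, then alter the 'binaries'."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        for name, body in (("ls", b"#!/bin/sh\necho ls\n"), ("ps", b"#!/bin/sh\necho ps\n")):
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(body)
        baseline = snapshot(root)        # in practice: keep this read-only, off the monitored host
        with open(os.path.join(bindir, "ps"), "ab") as f:
            f.write(b"# extra code\n")   # simulate a modified binary
        with open(os.path.join(bindir, "sshd"), "wb") as f:
            f.write(b"#!/bin/sh\n")      # simulate an unexpected new file
        os.remove(os.path.join(bindir, "ls"))   # simulate a removed binary
        return compare(baseline, snapshot(root))
```

The baseline is only trustworthy if it was taken on a known-clean system and stored where an intruder on that host cannot rewrite it.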

Page 24

Network based IDS

– On a single network element (near the firewall), or distributed: several agents are distributed on the network and a central server makes the decision
– Problem: encrypted traffic cannot be analyzed (only traffic analysis and timing remain)
– Signature filters: look for various signatures. Usual attacks possess some kind of signature that identifies them
  • problem: large number of possible signatures – at high traffic rates (~GBps lines) many packets are dropped and the result is less accurate
  • problem: signatures have to be known. Regular updates are needed, and generating "good" signatures is much work
  • problem: polymorphic attack: one might change the attack scenario so that the signature will not match

Page 25

Anomaly detection

– Mostly on a statistical basis
– Detects statistically exceptional events
– Learning: watching activity during the 'normal' state and storing patterns (who logs in, from where, when, etc.)
– Experience shows that 90% of attacks can be considered protocol usage anomalies.
– Does not require signatures (except what it learns)
– We should carefully add knowledge about "normal" activity, such as RFC-compliant state machines; it needs much work.
– A non-RFC-compliant client is not always an attacker – we need flexibility
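The learning step above, applied to the authentication anomalies from the host-based IDS page ("why is X logging in from Thailand? why is Z logging in during the weekend?"), as an added example that is not part of the slides: a per-user profile is learned from logins during a 'normal' period and later logins are scored against it. The users, countries, the 5% threshold (the "flexibility" the last bullet asks for) and the four weeks of training data are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

class LoginProfile:
    """Per-user baseline learned from logins observed during a 'normal' period (constructed example)."""

    def __init__(self, min_share=0.05):
        self.min_share = min_share    # a value seen in under 5% of a user's logins counts as exceptional
        self.counts = defaultdict(lambda: defaultdict(Counter))   # user -> feature -> value -> count
        self.total = Counter()        # logins learned per user

    @staticmethod
    def features(when, country):
        # 6-hour blocks keep the time feature coarse enough to learn from a few weeks of data
        return {"country": country, "weekend": when.weekday() >= 5, "timeblock": when.hour // 6}

    def learn(self, user, when, country):
        self.total[user] += 1
        for k, v in self.features(when, country).items():
            self.counts[user][k][v] += 1

    def score(self, user, when, country):
        """List the features of this login that are statistically exceptional for the user."""
        if self.total[user] == 0:
            return ["unknown user"]
        anomalies = []
        for k, v in self.features(when, country).items():
            share = self.counts[user][k][v] / self.total[user]
            if share < self.min_share:
                anomalies.append(f"{k}={v} seen in {share:.0%} of {user}'s logins")
        return anomalies

def demo():
    """Four constructed weeks of weekday office-hour logins from Hungary for users x and z, then new events."""
    profile = LoginProfile()
    start = datetime(2024, 3, 4)      # a Monday
    for day in range(28):
        d = start + timedelta(days=day)
        if d.weekday() < 5:
            for user in ("x", "z"):
                for hour in (8, 13, 16):
                    profile.learn(user, d.replace(hour=hour), "HU")
    return {
        "x_from_thailand": profile.score("x", datetime(2024, 4, 2, 9), "TH"),   # Tuesday morning, new country
        "z_weekend": profile.score("z", datetime(2024, 4, 6, 10), "HU"),        # Saturday
        "x_normal": profile.score("x", datetime(2024, 4, 3, 14), "HU"),         # Wednesday afternoon
        "unknown": profile.score("q", datetime(2024, 4, 3, 14), "HU"),
    }
```

Such a profile only flags deviations from what it has seen, so a login pattern that was already present in the training period is never reported, which is why the slides insist the baseline must be learned during a genuinely 'normal' state.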

Page 26

CIDF

– Model: Common Intrusion Detection Framework
  • intrusion detection components can be reused in other systems
  • interface & communication protocols
– Architecture
  • Event generators (colloquially "E-boxes")
  • Event analyzers ("A-boxes")
  • Event databases ("D-boxes")
  • Response units ("R-boxes")