FIREWALLS

Syddansk Universitet lecture slides: imada.sdu.dk/~jamik/dm557-16/material/Firewalls.pdf


FIREWALLS

Firewall: isolates an organization's internal network from the larger Internet, allowing some packets to pass and blocking others.

FIREWALLS: WHY

Prevent denial-of-service attacks:

SYN flooding: attacker sends many SYNs for bogus TCP connections that are never completed, so no resources are left for "real" connections

Prevent illegal modification of, or access to, internal data:

e.g., attacker replaces the CIA's homepage with something else

Allow only authorized access to the inside network:

a set of authenticated users/hosts

TYPES

Three types of firewalls:

1. stateless packet filters

2. stateful packet filters

3. application gateways

STATELESS PACKET FILTERING

Internal network connected to the Internet via a router firewall.

The router filters packet by packet; the decision to forward or drop a packet is based on:

source IP address, destination IP address

TCP/UDP source and destination port numbers

ICMP message type

TCP SYN and ACK bits

EXAMPLE 1

Block incoming and outgoing datagrams with IP protocol field = 17 (UDP), and block incoming and outgoing datagrams with either source or destination port = 23 (telnet).

Result: all incoming and outgoing UDP flows and all telnet connections are blocked.

EXAMPLE 2

Block inbound TCP segments with ACK = 0.

Result: prevents external clients from opening TCP connections to internal hosts, but allows internal clients to connect to the outside. The only segment of a TCP connection with ACK = 0 is the initial SYN; every later segment, including the replies to an internally initiated connection, has the ACK bit set.

MORE EXAMPLES

Policy: No outside Web access.
Firewall setting: Drop all outgoing packets to any IP address, port 80 (with HTTPS in use, port 443 has to be dropped as well).

Policy: No incoming TCP connections, except those for the institution's public Web server only.
Firewall setting: Drop all incoming TCP SYN packets to any IP except 130.207.244.203, port 80.

Policy: Prevent Web-radios from eating up the available bandwidth.
Firewall setting: Drop all incoming UDP packets, except DNS and router broadcasts.

MORE EXAMPLES

Policy: Prevent your network from being used for a smurf DoS attack.
Firewall setting: Drop all ICMP packets going to a "broadcast" address (e.g. 130.207.255.255).

Policy: Prevent your network from being tracerouted.
Firewall setting: Drop all outgoing ICMP TTL-expired traffic (this hides the internal hops; it does not stop the final host from answering).

ACCESS CONTROL LISTS

ACL: table of rules, applied top to bottom to each packet: (action, condition) pairs. The first rule whose condition matches the packet decides the action.

ACCESS CONTROL LISTS (1)

action  source address     dest address       protocol  source port  dest port  flag bit
allow   222.22/16          outside 222.22/16  TCP       > 1023       80         any
allow   outside 222.22/16  222.22/16          TCP       80           > 1023     ACK
allow   222.22/16          outside 222.22/16  UDP       > 1023       80         -

ACCESS CONTROL LISTS (2)

action  source address     dest address       protocol  source port  dest port  flag bit
allow   outside 222.22/16  222.22/16          UDP       80           > 1023     -
deny    all                all                all       all          all        all

STATEFUL PACKET FILTERING

Stateless packet filter: a heavy-handed tool.

It admits packets that "make no sense", e.g., an inbound segment that looks like a web server's reply (source port 80, ACK bit set) even though no TCP connection has been established. The reply rule below accepts it, because it only looks at the headers of this one packet:

action  source address     dest address  protocol  source port  dest port  flag bit
allow   outside 222.22/16  222.22/16     TCP       80           > 1023     ACK

STATEFUL PACKET FILTERING

Track the status of every TCP connection:

track connection setup (SYN) and teardown (FIN): determine whether incoming and outgoing packets "make sense"

time out inactive connections at the firewall: packets for them are no longer admitted

ACL

The ACL is augmented with a column indicating that the connection state table must be checked before the packet is admitted.

ACL (1)

action  source address     dest address       ptcl  source port  dest port  flag bit  check connection
allow   222.22/16          outside 222.22/16  TCP   > 1023       80         any
allow   outside 222.22/16  222.22/16          TCP   80           > 1023     ACK       X
allow   222.22/16          outside 222.22/16  UDP   > 1023       80         -

ACL (2)

action  source address     dest address       ptcl  source port  dest port  flag bit  check connection
allow   outside 222.22/16  222.22/16          UDP   80           > 1023     -         X
deny    all                all                all   all          all        all
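The ACL tables above (the stateless ACCESS CONTROL LISTS (1)/(2) and the stateful ACL (1)/(2)), together with the "make no sense" packet from the STATEFUL PACKET FILTERING slide, worked through in Python. This is an added example, not code from the slides: rules are tried top to bottom, the first match decides, and the stateful variant additionally consults a connection table for the rows marked "check connection". The hosts, ports and packets are constructed for the demo, and connection timeouts are not modelled.

```python
"""Stateless vs stateful evaluation of the ACL tables from the slides (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

INSIDE = ip_network("222.22.0.0/16")      # the 222.22/16 of the slides

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "TCP" or "UDP"
    sport: int
    dport: int
    ack: bool = False     # TCP ACK bit

@dataclass
class Rule:
    action: str                    # "allow" or "deny"
    src_inside: Optional[bool]     # True = 222.22/16, False = outside, None = all
    dst_inside: Optional[bool]
    proto: Optional[str]           # None = all
    sport: object                  # int, ">1023" or None (all)
    dport: object
    flag: Optional[str]            # "ACK" = ACK bit must be set, None = any
    check_conn: bool = False       # the "check connection" column of the stateful ACL

def _side_ok(spec, addr):
    return spec is None or (ip_address(addr) in INSIDE) == spec

def _port_ok(spec, port):
    if spec is None:
        return True
    return port > 1023 if spec == ">1023" else port == spec

def rule_matches(rule, pkt):
    return (_side_ok(rule.src_inside, pkt.src) and _side_ok(rule.dst_inside, pkt.dst)
            and (rule.proto is None or rule.proto == pkt.proto)
            and _port_ok(rule.sport, pkt.sport) and _port_ok(rule.dport, pkt.dport)
            and (rule.flag != "ACK" or pkt.ack))

# The ACL from the slides: web requests out, replies back in, the same for UDP, deny the rest.
ACL = [
    Rule("allow", True,  False, "TCP", ">1023", 80,      None,  False),
    Rule("allow", False, True,  "TCP", 80,      ">1023", "ACK", True),
    Rule("allow", True,  False, "UDP", ">1023", 80,      None,  False),
    Rule("allow", False, True,  "UDP", 80,      ">1023", None,  True),
    Rule("deny",  None,  None,  None,  None,    None,    None,  False),
]

@dataclass
class Firewall:
    stateful: bool
    rules: list
    conns: set = field(default_factory=set)   # (src, sport, dst, dport, proto) opened from inside

    def _reply_to_known_flow(self, pkt):
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.conns

    def filter(self, pkt):
        for rule in self.rules:
            if not rule_matches(rule, pkt):
                continue
            if rule.action != "allow":
                return "drop"
            if self.stateful:
                if rule.check_conn and not self._reply_to_known_flow(pkt):
                    return "drop"      # matches the table, but no such connection exists
                if not rule.check_conn:
                    self.conns.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return "allow"
        return "drop"                  # implicit deny

def demo():
    """Constructed packets: an outbound web request, the server's reply, an unsolicited
    inbound SYN, and a bogus inbound 'reply' with ACK set for which no connection exists."""
    request = Packet("222.22.1.10", "198.51.100.7", "TCP", 40000, 80)
    reply   = Packet("198.51.100.7", "222.22.1.10", "TCP", 80, 40000, ack=True)
    in_syn  = Packet("203.0.113.9", "222.22.1.20", "TCP", 40000, 80)
    bogus   = Packet("203.0.113.9", "222.22.1.20", "TCP", 80, 50000, ack=True)
    results = {}
    for name, stateful in (("stateless", False), ("stateful", True)):
        fw = Firewall(stateful, ACL)
        results[name] = [fw.filter(p) for p in (request, reply, in_syn, bogus)]
    return results
```

Both filters let the request and its reply through and drop the unsolicited SYN (no rule admits an inbound segment without ACK from source port 80, which is Example 2 above in table form). Only the stateful filter drops the bogus ACK segment: the stateless one sees a row match and has no way to know that no inside host ever opened that flow.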

APPLICATION GATEWAYS

Filter packets on application data as well as on IP/TCP/UDP fields.

EXAMPLE: TELNET

Allow selected internal users to telnet outside:

1. Require all telnet users to telnet through the gateway.

2. For authorized users, the gateway sets up a telnet connection to the destination host and relays data between the two connections.

3. The router filter blocks all telnet connections not originating from the gateway.

EXAMPLE: TELNET (figure-only slides)

LIMITATIONS OF FIREWALLS, GATEWAYS

IP spoofing: the router can't know whether data "really" comes from the claimed source.

If multiple applications need special treatment, each needs its own application gateway.

Client software must know how to contact the gateway:

e.g., the proxy's IP address must be set in the Web browser

Filters often use an all-or-nothing policy for UDP.

Tradeoff: degree of communication with the outside world vs. level of security.

Many highly protected sites still suffer from attacks.

INTRUSION DETECTION SYSTEMS

WHY

Packet filtering:

operates on TCP/IP headers only

performs no correlation check among sessions

IDS: INTRUSION DETECTION SYSTEM

Deep packet inspection: look at packet contents (e.g., check character strings in the packet against a database of known virus and attack strings).

Examine correlation among multiple packets, to detect:

Port scanning

Network mapping

DoS attack

INTRUSION DETECTION SYSTEMS

Multiple IDSs: different types of checking at different locations in the network.

INTRUSION PREVENTION SYSTEMS

An intrusion detection system typically raises an alarm, by e-mail/SMS to the network admin, when something suspicious is detected.

An intrusion prevention system sits inline and simply closes the connection in the firewall when something suspicious is detected.

SIGNATURE-BASED IDS

Maintains an extensive database of attack signatures.

A signature is a set of rules describing an intrusion activity:

may simply be a list of characteristics of a single packet (source, destination, port numbers)

can relate to a series of packets

Signatures are normally written by skilled network security engineers.

Local system administrators can customize them and add their own.

SIGNATURE-BASED IDS

Operation of a signature-based IDS:

Sniffs every packet passing by it

Compares packet with each signature in database

If it matches → generate an alert

SIGNATURE-BASED IDS

Limitations:

requires previous knowledge of the attack to generate a signature, so a new attack is missed until someone writes one

can generate false positives

large processing load; under load the IDS may drop packets and so fail to detect malicious ones

ANOMALY-BASED IDS

Creates a profile of standard network traffic, as observed in normal operation.

Then looks for packet streams that are statistically different from that profile.

Example: exponential growth in port scans or ping sweeps.

ANOMALY-BASED IDS

Positive:

does not require prior knowledge of an attack

Limitation:

extremely challenging to distinguish between normal and unusual traffic

Most systems today are signature based.
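A small anomaly-based detector for the port-scan case from the two ANOMALY-BASED IDS slides, as an added example (not from the slides). It builds a profile of "normal" traffic, the number of distinct destination ports a source touches per time window, from constructed flow records, then flags windows whose count is statistically far from that profile. Hosts, flows and the threshold are all made up for the demo.

```python
"""Anomaly-based port-scan detection on constructed flow records (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

def ports_per_source(flows):
    """flows: (window, src, dst, dport) tuples -> {(window, src): distinct (dst, dport) count}."""
    seen = defaultdict(set)
    for window, src, dst, dport in flows:
        seen[(window, src)].add((dst, dport))
    return {key: len(targets) for key, targets in seen.items()}

def build_profile(training_flows):
    """Mean and standard deviation of the per-window, per-source count in normal operation."""
    counts = list(ports_per_source(training_flows).values())
    return {"mean": mean(counts), "std": pstdev(counts)}

def detect(profile, flows, k=3.0, min_std=1.0):
    """Return (window, src, count, z) for every (window, src) more than k standard
    deviations above the profile mean. min_std stops a very uniform baseline from
    turning every small deviation into an alert."""
    std = max(profile["std"], min_std)
    alerts = []
    for (window, src), count in sorted(ports_per_source(flows).items()):
        z = (count - profile["mean"]) / std
        if z > k:
            alerts.append((window, src, count, round(z, 1)))
    return alerts

# Constructed baseline: three workstations, ten windows, one to four services each.
TRAINING = [(w, f"10.0.0.{h}", "10.0.1.5", port)
            for w in range(10) for h in (1, 2, 3)
            for port in (80, 443, 53, 22)[: 1 + (w + h) % 4]]

# Constructed test window: the same workstations, a developer box touching eight
# services, and a scanner sweeping 200 ports on one host.
TEST = ([(10, f"10.0.0.{h}", "10.0.1.5", p) for h in (1, 2, 3) for p in (80, 443, 53)]
        + [(10, "10.0.0.4", "10.0.1.5", p) for p in (80, 443, 53, 22, 25, 110, 143, 993)]
        + [(10, "10.0.0.9", "10.0.1.5", p) for p in range(1, 201)])

def demo():
    return detect(build_profile(TRAINING), TEST)

if __name__ == "__main__":
    for alert in demo():
        print("window %d: %s touched %d distinct ports (z=%.1f)" % alert)
```

The scanner stands out by a huge margin, but the developer box touching eight legitimate services is flagged too: with a baseline this narrow, eight ports is already far above the mean. That is the limitation stated on the slide, distinguishing unusual-but-normal from unusual-and-hostile, and it is why the threshold k and the choice of feature need tuning per network rather than a fixed default.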

EXAMPLE IDS: SNORT

Multi platform

Open source

https://www.snort.org/

EXAMPLE IDS: SNORT

alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR SatansBackdoor.2.0.Beta"; flow:to_client,established; content:"Remote|3A| "; depth:11; nocase; content:"You are connected to me.|0D 0A|Remote|3A| Ready for commands"; distance:0; nocase; metadata:ruleset community; reference:url,www.megasecurity.org/trojans/s/satanzbackdoor/SBD2.0b.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=5260; classtype:trojan-activity; sid:118; rev:12;)
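What the rule above actually checks, as an added example in Python (not from the slides and not Snort's own code): it parses the rule header (action, protocol, addresses, ports) and the content / offset / depth / distance / within / nocase options, then tests constructed packets against them. Other options (msg, flow, metadata, reference, sid, ...) are parsed but not evaluated, $HOME_NET / $EXTERNAL_NET are treated as "any", and the window semantics for depth/within are a simplification of Snort's (the whole pattern must lie inside the search window).

```python
"""Snort-style content matching for the SatansBackdoor rule (added example)."""
import re

RULE = ('alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR SatansBackdoor.2.0.Beta"; '
        'flow:to_client,established; content:"Remote|3A| "; depth:11; nocase; '
        'content:"You are connected to me.|0D 0A|Remote|3A| Ready for commands"; distance:0; nocase; '
        'classtype:trojan-activity; sid:118; rev:12;)')

def decode_content(text):
    """'abc|0D 0A|def' -> b'abc\\r\\ndef': text between | | is hex, the rest is literal."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("ascii")
    return bytes(out)

def parse_rule(rule):
    """Return the header fields and the ordered list of content checks with their modifiers."""
    head, _, body = rule.partition("(")
    action, proto, src, sport, _, dst, dport = head.split()
    contents = []
    for key, value in re.findall(r'(\w+)\s*(?::\s*("[^"]*"|[^;]*))?;', body):
        if key == "content":
            contents.append({"pattern": decode_content(value.strip('"')), "nocase": False,
                             "offset": 0, "depth": None, "distance": None, "within": None})
        elif key in ("offset", "depth", "distance", "within") and contents:
            contents[-1][key] = int(value)       # modifiers apply to the preceding content
        elif key == "nocase" and contents:
            contents[-1]["nocase"] = True
    return {"action": action, "proto": proto, "sport": sport, "dport": dport, "contents": contents}

def port_matches(spec, port):
    return spec == "any" or int(spec) == port

def payload_matches(contents, payload):
    """Apply each content in order. offset/depth are absolute from the payload start;
    distance/within are relative to the end of the previous match."""
    cursor = 0
    for c in contents:
        pat, hay = (c["pattern"].lower(), payload.lower()) if c["nocase"] else (c["pattern"], payload)
        if c["distance"] is not None or c["within"] is not None:
            start = cursor + (c["distance"] or 0)
            end = len(hay) if c["within"] is None else start + c["within"]
        else:
            start = c["offset"]
            end = len(hay) if c["depth"] is None else start + c["depth"]
        pos = hay.find(pat, start, end)          # -1 if the pattern does not fit in [start, end)
        if pos < 0:
            return False
        cursor = pos + len(pat)
    return True

def rule_matches(rule, proto, sport, dport, payload):
    return (rule["proto"] == proto and port_matches(rule["sport"], sport)
            and port_matches(rule["dport"], dport) and payload_matches(rule["contents"], payload))

def demo():
    """Constructed packets: the backdoor banner from source port 666, the same banner
    starting too late for depth:11, the banner from port 80, and a benign HTTP response."""
    rule = parse_rule(RULE)
    banner = b"remote: You are connected to me.\r\nRemote: Ready for commands\r\n"
    cases = [
        ("tcp", 666, 51000, banner),
        ("tcp", 666, 51000, b"padding padding " + banner),
        ("tcp", 80, 51000, banner),
        ("tcp", 666, 51000, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"),
    ]
    return [rule_matches(rule, *c) for c in cases]
```

The second case shows what depth:11 buys: "Remote: " must end within the first 11 bytes, so the same banner pushed 16 bytes into the payload no longer matches, which keeps the expensive second content check from running on every stream that merely contains the word somewhere. The flow:to_client,established option, which restricts the rule to server-to-client data on an established session, needs the connection tracking from the stateful-filter slides and is not modelled here.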

QUESTIONS?