Network Security Controls

Network Security Controls

CSC 482: Computer Security


Topics

1. Firewalls

2. Virtual Private Networks

3. Intrusion Detection and Prevention

4. Honeypots


What is a Firewall?

A software or hardware component that

restricts network communication between

two computers or networks.

In buildings, a firewall is a fireproof wall

that restricts the spread of a fire.

Network firewall prevents threats from

spreading from one network to another.


Internet Firewalls

Many organizations/individuals deploy a firewall to restrict access to their network from Internet.


What is a Firewall? (2)

A mechanism to enforce security policy

– Choke point that traffic has to flow through.

– ACLs on a host/network level.

Policy Decisions:

– What traffic should be allowed into network?

• Integrity: protect integrity of internal systems.

• Availability: protection from DOS attacks.

– What traffic should be allowed out?

• Confidentiality: protection from data leakage.

Types of Firewalls

Packet Filters (Stateless)

– If individual packet matches rules, then either accept or

drop it.

Stateful Filters

– Maintains records of all connections, so that

– It can accept/deny entire TCP or UDP session.

Application Layer Firewalls

– A proxy server that relays byte streams from client to

server and vice versa.

– Inspects application headers for undesirable sites and

application data for undesirable content (malware etc.)


Stateless Firewalls

A stateless firewall doesn’t maintain any remembered context (or

“state”) with respect to the packets it is processing. Instead, it

treats each packet attempting to travel through it in isolation

without considering packets that it has processed previously.

Trusted internal

network

SYNSeq = x

Port=80

SYN-ACKSeq = y

Ack = x + 1

ACKSeq = x + 1

Ack = y + 1

Allow outbound SYN packets, destination port=80

Allow inbound SYN-ACK packets, source port=80

Client

Server

Firewall


Packet Filtering Information

Forward or drop packets based on TCP/IP header

information, most often:

– IP source and destination addresses

– Protocol (ICMP, TCP, or UDP)

– TCP/UDP source and destination ports

– TCP Flags, especially SYN and ACK

– ICMP message type

Dual-homed hosts also make decisions based on:

– Network interface the packet arrived on.

– Network interface the packet will depart on.

Stateful Firewalls

Allow only requested TCP connections:

Trusted internal

network

SYNSeq = x

Port=80

SYN-ACKSeq = y

Ack = x + 1

ACKSeq = x + 1

Ack = y + 1

Allow outbound TCP sessions,

destination port=80

Client

SYN-ACKSeq = y

Port=80 Attacker(blocked)

Established TCP session:

(128.34.78.55, 76.120.54.101)

128.34.78.55

76.120.54.101

Firewall state table

Server

Firewall



Firewall Deployment

Gateway Router

– Filtering at interface between networks allows

control via a choke point.

– Can filter spoofed IP addresses.

Host

– Filter packets on each individual computer.

– How to manage thousands of packet filters?


Ingress/Egress Filtering

Block spoofed IP addresses

Ingress Filtering

Drop packets arriving on external interface

whose source IP addresses claims to be from

internal network.

Egress Filtering

Drop packets arriving on internal interface

whose source IP address is not from internal

network.


Packet Filtering Summary

Advantages:– One packet filter can protect an entire network

– Efficient (requires little CPU)

– Supported by most routers

Disadvantages:– Difficult to configure correctly

• Must consider rule set in its entirety

– Difficult to test completely

– Performance penalty for complex rulesets

• Stateful packet filtering much more expensive

– Enforces ACLs at layer 3 + 4, without knowing any application details


Proxy Servers

Proxy host relays Transport/App connections

– Client makes connection to proxy.

– Proxy forwards connection to server.

Proxy can provide multiple security features:

– Access Control

– Authentication

– Logging

– Anonymity


Example: SOCKS v5

Socks Server

Socks Client Library

– Clients must be linked against library.

– Library offers replacements for UNIX network

socket system calls.

User Authentication Protocols

– Cleartext username/password.

– GSS-API authentication.

Application Layer Firewalls

Application layer rules

– HTTP: URLs, headers, etc.

– SMTP: spam statistics

More complex

– Only 216 ports, but

– An infinite number of URLs.



Single Firewall

Simplest type of firewall—one host acts as a

gateway between internal and external networks.

DMZ Firewall Architecture



Firewall Limitations

Cannot protect from internal attacks

– May be able to limit access with internal

firewalls to a segment of your network.

Cannot protect you from user error

– Users will still run trojan horses that make it

past your AV scanner.

Firewall mechanism may not precisely

enforce your security policy.

Tunneling

Tunneling: Encapsulation of one network protocol

in another protocol

– Carrier Protocol: protocol used by network through

which the information is travelling

– Encapsulating Protocol: protocol (GRE, IPsec, L2TP)

that is wrapped around original data

– Passenger Protocol: protocol that carries original data

Can be used to encrypt connections or provider other

security features not available to passenger protocol.


Tunneling vs. Eavesdropping

Tunnel over ssh or SSL to offer encryption of packets.

ServerClient

Encapsulating protocol

(does end-to-end encryption and decryption)

Payloads are encrypted here

TCP/IPTCP/IP

Untrusted

Internet

IPSec

IPSec defines a set of protocols to provide confidentiality and authenticity for IP packets

Each protocol can operate in one of two modes, transport mode or tunnel mode.

– In transport mode, additional IPsec header information is inserted before the data of the original packet, and only the payload of the packet is encrypted or authenticated.

– In tunnel mode, a new packet is constructed with IPsec header information, and the entire original packet, including its header, is encapsulated as the payload of the new packet.



Virtual Private Network (VPN)

Two or more computers or networks connected by a private tunnel through a public network (typically the Internet.)

Requirements:

– Confidentiality: encryption

– Integrity: MACs, sequencing, timestamps

Firewall Interactions

– Tunnels can bypass firewall

– Firewall is convenient place to add VPN features

Types of VPNs

Remote access VPNs allow authorized clients to access a private network that is referred to as an intranet.

– For example, an organization may wish to allow employees access to the company network remotely but make it appear as though they are local to their system and even the Internet itself.

– To accomplish this, the organization sets up a VPN endpoint, known as a network access server, or NAS. Clients typically install VPN client software on their machines, which handle negotiating a connection to the NAS and facilitating communication.

Site-to-site VPN solutions are designed to provide a secure bridge between two or more physically distant networks.

– Before VPN, organizations wishing to safely bridge their private networks purchased expensive leased lines to directly connect their intranets with cabling.



Models of Intrusion Detection

1. Anomaly detection

– What is usual, is known.

– What is unusual, is bad.

– Statistical IDS.

– Need to update profile so that it matches current usual activities on systems.

2. Misuse detection

– What is bad is known.

– Look for what is bad, hope it doesn’t change.

– Rule based IDS.

– Need to regularly update db of intrusion signatures.

Possible Alarm Outcomes

Intrusion Attack No Intrusion Attack

Alarm

Sounded

No

Alarm

Sounded

True Positive False Positive

True NegativeFalse Negative

Base-Rate Fallacy

• Difficult to create IDS with high true-positive rate and a low false-negative rate.

• If the number of actual intrusions is relatively small compared to the amount of data being analyzed, then the effectiveness of an intrusion detection system can be reduced.

• In particular, the effectiveness of some IDSs can be misinterpreted due to a statistical error known as the base-rate fallacy.

• This type of error occurs when the probability of some conditional event is assessed without considering the “base rate” of that event.

CSC 482: Computer

Security

Base-Rate Fallacy Example

Example case

– IDS 99% accurate, 1% false positives or negatives

– IDS generates 1,000,100 log entries.

– Base rate is 100 malicious events of 1,000,100 examined.

Results

– Of 100 malicious events, 99 will be detected as malicious, which means we have 1 false negative.

– Of 1,000,000 benign events, 10,000 will be mistakenly identified as malicious. That is, we have 10,000 false positives!

– Thus, 10,099 alarms sounded, 10,000 of which are false alarms. Roughly 99% of our alarms are false alarms.

CSC 482: Computer

Security

IDS Components

Untrusted

Internet

IDS Manager

IDS Sensor

router router

router

IDS Sensor

Firewall



IDS Architecture

An IDS is essentially a sophisticated audit system

– Sensors gathers data for analysis from hosts or network.

– Manager analyzes data obtained from sensors according

to its internal rules.

– Notifier acts on manager results.

• May simply notify security officer.

• May reconfigure sensors or manager to alter

collection, analysis methods.

• May activate response mechanism.


Sguil NSM Console


Intrusion Prevention Systems

What else can you do with IDS alerts?

– Identify attack before it completes.

– Prevent it from completing.

How to prevent attacks?

– Directly: IPS drops packets, kills TCP sessions.

– Indirectly: IPS modifies firewall rules.

Is IPS a good idea?

– How do you deal with false positives?


IPS Deployment Types

Inline

IPSIntranet

Non-Inline

Intranet

IPS


Active Responses by Network Layer

Data Link: Shut down a switch port. Only useful

for local intrusions. Rate limit switch ports.

Network: Block a particular IP address.

– Inline: can perform blocking itself.

– Non-inline: send request to firewall.

Transport: Send TCP RST or ICMP messages to

sender and target to tear down TCP sessions.

Application: Inline IPS can modify application data

to be harmless: /bin/sh -> /ben/sh

Great Firewall = Firewall + IPS

CSC 482: Computer

Security

Honeypots and Honeynets

Honeypot: a system designed solely for intruders to

attack in order to accomplish one or more of the

following goals. Also known as a honeynet.

1. Detect intrusions with very few false positives, since

legitimate users have no reason to access honeypot.

2. Monitor attacker activities to determine targeted

assets, origin, motivation, capabilities, etc.

3. Waste intruder time attacking honeypot, so that

defender has time to respond to incident.


Low Interaction Honeypots

honeyd: responds to probes on a set of unused IP addresses via shell scripts that can return banners for simple scans like nmap –sV.

nepenthes: emulates vulnerable Windows services to collect exploits and malware.

Dionaea: scriptable honeypot designed to be able to emulate wide variety of vulnerable services to collect exploits and malware.

Fakenet: simulates DNS, HTTP, HTTPS to dynamically analyze malware. Returns reasonable responses to malware requests.

CSC 482: Computer

Security

Medium Interaction Honeypots

Kippo is a medium interaction ssh honeypot

designed to log brute force attacks and attacker shell

commands. Inspired by Kojoney, a LI ssh honeypot.

– Fake filesystem with the ability to add/remove files.

– Possibility of adding fake file contents so the attacker

can 'cat' files such as /etc/passwd. Only minimal file

contents are included.

– Saves files downloaded with wget for later inspection

– Deception: ssh pretends to connect, apt-get pretends to

install, etc.



High Interaction Honeypots

Honeywall sets up tools for HI honeypots.

– Environment simulation: virtual machines configured

with appropriate tools for the next three tasks.

– Data control: firewalling tools to limit attacker

activities to avoid damaging other systems.

– Data collection: network (snort) and keystroke loggers

(Sebek kernel module).

– Data analysis: tools to extract relevant data from

tcpdump logs and more.

Client Honeypots


Honeymonkey

– Microsoft Research project.

– Network of VMs running IE crawling the web

in search of malicious sites that attempt to

exploit browsers and distribute malware.

– Multiple versions of Windows and IE used.

Thug

– Low interaction client honeypot.

– Emulates multiple browsers and OSes.

Honeytokens

A honeytoken is data that is designed solely for attackers to abuse. Any access to the data is an indication of unauthorized use.

– Attempts to download honeytoken files or database records can be identified by NIDS.

– Medical record systems will sometimes create fake records for celebrities and politicians.

– Mailing lists may contain email addresses published nowhere else that point to accounts that accept mail and record sender information.

– Maps contain fake streets, towns, or islands to identify when competitors copy the map.



Key Points

1. Firewalls

– Packet filtering (stateless)

– Stateful firewalls

– Proxy servers

– Application layer firewalls

2. Firewall Architectures

– Positioning on network

– DMZ architectures

3. Virtual Private Networks

– Tunneling Protocols: carrier, encapsulating, passenger

– Virtual Private Networks


Key Points (2)

4. Models of IDS:

– Anomaly detection: unexpected events (statistical IDS.)

– Misuse detection: violations of policy (rule-based IDS).

5. IPS

– Stop intrusions, but what about false positives?

– Inline vs. non-inline: how do prevention techniques differ?

6. Honeypots deceive attackers

1. Identify intrusions with low false positive rates.

2. Learn more about intrusions, esp. with HI honeypots.

3. Interaction levels: low, medium, high

4. Honeyclients and honeytokens


References

1. William Cheswick, Steven Bellovin, and Avriel Rubin, Firewalls and Internet Security, 2nd edition, 2003.

2. Simson Garfinkel, Gene Spafford, and Alan Schwartz, Practical UNIX and Internet Security, 3rd edition, O’Reilly & Associates, 2003.

3. Goodrich and Tammasia, Introduction to Computer Security, Pearson, 2011.

4. Ed Skoudis, Counter Hack Reloaded, Prentice Hall, 2006.

5. Elizabeth Zwicky, Brent Chapman, Simon Cooper, Building Internet Firewalls, 2nd edition, O’Reilly & Associates, 2000.

Documents

Network Security Controls