Eng. Hector M Lugo-Cordero, MS April 2012 Intrusion Detection, Firewalls, and Intrusion Prevention CIS 4361
Most Slides are From Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 6 – Intrusion Detection
Intruders significant issue hostile/unwanted trespass from benign to serious from benign to serious user trespass unauthorized logon, privilege abuse unauthorized logon, privilege abuse software trespass virus, worm, or trojan horse virus, worm, or trojan horse classes of intruders: masquerader, misfeasor, clandestine user masquerader, misfeasor, clandestine user
Examples of Intrusion remote root compromise web server defacement guessing / cracking passwords copying viewing sensitive data / databases running a packet sniffer distributing pirated software using an unsecured modem to access net impersonating a user to reset password using an unattended workstation
Security Intrusion & Detection Security Intrusion a security event, or combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so. Intrusion Detection a security service that monitors and analyzes system events for the purpose of finding, and providing real- time or near real-time warning of attempts to access system resources in an unauthorized manner.
Intrusion Techniques objective to gain access or increase privileges initial attacks often exploit system or software vulnerabilities to execute code to get backdoor e.g. buffer overflow e.g. buffer overflow or to gain protected information e.g. password guessing or acquisition e.g. password guessing or acquisition
Hackers motivated by thrill of access and status hacking community a strong meritocracy hacking community a strong meritocracy status is determined by level of competence status is determined by level of competence benign intruders might be tolerable do consume resources and may slow performance do consume resources and may slow performance can’t know in advance whether benign or malign can’t know in advance whether benign or malign IDS / IPS / VPNs can help counter awareness led to establishment of CERTs collect / disseminate vulnerability info / responses collect / disseminate vulnerability info / responses
Hacker Behavior Example 1. select target using IP lookup tools 2. map network for accessible services 3. identify potentially vulnerable services 4. brute force (guess) passwords 5. install remote administration tool 6. wait for admin to log on and capture password 7. use password to access remainder of network
Criminal Enterprise organized groups of hackers now a threat corporation / government / loosely affiliated gangs corporation / government / loosely affiliated gangs typically young typically young often Eastern European or Russian hackers often Eastern European or Russian hackers common target credit cards on e-commerce server common target credit cards on e-commerce server criminal hackers usually have specific targets once penetrated act quickly and get out IDS / IPS help but less effective sensitive data needs strong protection
Criminal Enterprise Behavior 1. act quickly and precisely to make their activities harder to detect 2. exploit perimeter via vulnerable ports 3. use trojan horses (hidden software) to leave back doors for re-entry 4. use sniffers to capture passwords 5. do not stick around until noticed 6. make few or no mistakes.
Insider Attacks among most difficult to detect and prevent employees have access & systems knowledge may be motivated by revenge / entitlement when employment terminated when employment terminated taking customer data when move to competitor taking customer data when move to competitor IDS / IPS may help but also need: least privilege, monitor logs, strong authentication, termination process to block access & mirror data least privilege, monitor logs, strong authentication, termination process to block access & mirror data
Insider Behavior Example 1. create network accounts for themselves and their friends 2. access accounts and applications they wouldn't normally use for their daily jobs 3. former and prospective employers 4. conduct furtive instant-messaging chats 5. visit web sites that cater to disgruntled employees, such as f'dcompany.com 6. perform large downloads and file copying 7. access the network during off hours.
Intrusion Detection Systems classify intrusion detection systems (IDSs) as: Host-based IDS: monitor single host activity Host-based IDS: monitor single host activity Network-based IDS: monitor network traffic Network-based IDS: monitor network traffic logical components: sensors - collect data sensors - collect data analyzers - determine if intrusion has occurred analyzers - determine if intrusion has occurred user interface - manage / direct / view IDS user interface - manage / direct / view IDS
IDS Principles assume intruder behavior differs from legitimate users expect overlap as shown expect overlap as shown observe deviations observe deviations from past history problems of: problems of: false positivesfalse positives false negativesfalse negatives must compromisemust compromise
IDS Requirements run continually be fault tolerant resist subversion impose a minimal overhead on system configured according to system security policies adapt to changes in systems and users scale to monitor large numbers of systems provide graceful degradation of service allow dynamic reconfiguration
Host-Based IDS specialized software to monitor system activity to detect suspicious behavior primary purpose is to detect intrusions, log suspicious events, and send alerts primary purpose is to detect intrusions, log suspicious events, and send alerts can detect both external and internal intrusions can detect both external and internal intrusions two approaches, often used in combination: anomaly detection - defines normal/expected behavior anomaly detection - defines normal/expected behavior threshold detectionthreshold detection profile basedprofile based signature detection - defines proper behavior signature detection - defines proper behavior
Audit Records a fundamental tool for intrusion detection two variants: native audit records - provided by O/S native audit records - provided by O/S always available but may not be optimumalways available but may not be optimum detection-specific audit records - IDS specific detection-specific audit records - IDS specific additional overhead but specific to IDS taskadditional overhead but specific to IDS task often log individual elementary actionsoften log individual elementary actions e.g. may contain fields for: subject, action, object, exception-condition, resource-usage, time-stampe.g. may contain fields for: subject, action, object, exception-condition, resource-usage, time-stamp
Example of Audit Consider copy.exe game.exe /game.exe Several records may be generated for a single command 1. Execute copy.exe 2. Read game.exe 3. Write /game.exe
Anomaly Detection threshold detection checks excessive event occurrences over time checks excessive event occurrences over time alone a crude and ineffective intruder detector alone a crude and ineffective intruder detector must determine both thresholds and time intervals must determine both thresholds and time intervals profile based characterize past behavior of users / groups characterize past behavior of users / groups then detect significant deviations then detect significant deviations based on analysis of audit records based on analysis of audit records gather metrics: counter, guage, interval timer, resource utilizationgather metrics: counter, guage, interval timer, resource utilization analyze: mean and standard deviation, multivariate, markov process, time series, operational modelanalyze: mean and standard deviation, multivariate, markov process, time series, operational model
Examples of Anomaly
Signature Detection observe events on system and applying a set of rules to decide if intruder approaches: rule-based anomaly detection rule-based anomaly detection analyze historical audit records for expected behavior, then match with current behavioranalyze historical audit records for expected behavior, then match with current behavior rule-based penetration identification rule-based penetration identification rules identify known penetrations / weaknessesrules identify known penetrations / weaknesses often by analyzing attack scripts from Internetoften by analyzing attack scripts from Internet supplemented with rules from security expertssupplemented with rules from security experts
Example of Signatures Users should not read files in other users’ personal directories Users must not write other users’ files Users who log in after hours often access the same files they user earlier Users do not generally open disk devices but rely on higher-level operating system utilities Users should not be logged in more than once to the system Users do not make copies of system program
Distributed Host-Based IDS
Network-Based IDS network-based IDS (NIDS) monitor traffic at selected points on a network monitor traffic at selected points on a network in (near) real time to detect intrusion patterns in (near) real time to detect intrusion patterns may examine network, transport and/or application level protocol activity directed toward systems may examine network, transport and/or application level protocol activity directed toward systems comprises a number of sensors inline (possibly as part of other net device) inline (possibly as part of other net device) passive (monitors copy of traffic) passive (monitors copy of traffic)
NIDS Sensor Deployment
Intrusion Detection Techniques signature detection at application, transport, network layers; unexpected application services, policy violations at application, transport, network layers; unexpected application services, policy violations anomaly detection of denial of service attacks, scanning, worms of denial of service attacks, scanning, worms when potential violation detected sensor sends an alert and logs information used by analysis module to refine intrusion detection parameters and algorithms used by analysis module to refine intrusion detection parameters and algorithms by security admin to improve protection by security admin to improve protection
Distributed Adaptive Intrusion Detection
Intrusion Detection Exchange Format
Honeypots are decoy systems filled with fabricated info filled with fabricated info instrumented with monitors / event loggers instrumented with monitors / event loggers divert and hold attacker to collect activity info divert and hold attacker to collect activity info without exposing production systems without exposing production systems initially were single systems more recently are/emulate entire networks
Honeypot Deployment
SNORT lightweight IDS real-time packet capture and rule analysis real-time packet capture and rule analysis passive or inline passive or inline
SNORT Rules use a simple, flexible rule definition language with fixed header and zero or more options header includes: action, protocol, source IP, source port, direction, dest IP, dest port many options example rule to detect TCP SYN-FIN attack: Alert tcp $EXTERNAL_NET any -> $HOME_NET any \ (msg: "SCAN SYN FIN"; flags: SF, 12; \ reference: arachnids, 198; classtype: attempted-recon;)
Summary introduced intruders & intrusion detection hackers, criminals, insiders hackers, criminals, insiders intrusion detection approaches host-based (single and distributed) host-based (single and distributed) network network distributed adaptive distributed adaptive exchange format exchange format honeypots SNORT example
Most Slides are From Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 9 – Firewalls and Intrusion Prevention Systems
Firewall Capabilities & Limits capabilities: defines a single choke point defines a single choke point provides a location for monitoring security events provides a location for monitoring security events convenient platform for some Internet functions such as NAT, usage monitoring, IPSEC VPNs convenient platform for some Internet functions such as NAT, usage monitoring, IPSEC VPNs limitations: cannot protect against attacks bypassing firewall cannot protect against attacks bypassing firewall may not protect fully against internal threats may not protect fully against internal threats improperly secure wireless LAN improperly secure wireless LAN laptop, PDA, portable storage device infected outside then used inside laptop, PDA, portable storage device infected outside then used inside
Types of Firewalls
Packet Filtering Firewall applies rules to packets in/out of firewall based on information in packet header src/dest IP addr & port, IP protocol, interface src/dest IP addr & port, IP protocol, interface typically a list of rules of matches on fields if match rule says if forward or discard packet if match rule says if forward or discard packet two default policies: discard - prohibit unless expressly permitted discard - prohibit unless expressly permitted more conservative, controlled, visible to usersmore conservative, controlled, visible to users forward - permit unless expressly prohibited forward - permit unless expressly prohibited easier to manage/use but less secureeasier to manage/use but less secure
Packet Filter Rules
Packet Filter Weaknesses weaknesses cannot prevent attack on application bugs cannot prevent attack on application bugs limited logging functionality limited logging functionality do no support advanced user authentication do no support advanced user authentication vulnerable to attacks on TCP/IP protocol bugs vulnerable to attacks on TCP/IP protocol bugs improper configuration can lead to breaches improper configuration can lead to breaches attacks IP address spoofing, source route attacks, tiny fragment attacks IP address spoofing, source route attacks, tiny fragment attacks
Stateful Inspection Firewall reviews packet header information but also keeps info on TCP connections typically have low, “known” port no for server typically have low, “known” port no for server and high, dynamically assigned client port no and high, dynamically assigned client port no simple packet filter must allow all return high port numbered packets back in simple packet filter must allow all return high port numbered packets back in stateful inspection packet firewall tightens rules for TCP traffic using a directory of TCP connections stateful inspection packet firewall tightens rules for TCP traffic using a directory of TCP connections only allow incoming traffic to high-numbered ports for packets matching an entry in this directory only allow incoming traffic to high-numbered ports for packets matching an entry in this directory may also track TCP seq numbers as well may also track TCP seq numbers as well
Application-Level Gateway acts as a relay of application-level traffic user contacts gateway with remote host name user contacts gateway with remote host name authenticates themselves authenticates themselves gateway contacts application on remote host and relays TCP segments between server and user gateway contacts application on remote host and relays TCP segments between server and user must have proxy code for each application may restrict application features supported may restrict application features supported more secure than packet filters but have higher overheads
Circuit-Level Gateway sets up two TCP connections, to an inside user and to an outside host relays TCP segments from one connection to the other without examining contents hence independent of application logic hence independent of application logic just determines whether relay is permitted just determines whether relay is permitted typically used when inside users trusted may use application-level gateway inbound and circuit-level gateway outbound may use application-level gateway inbound and circuit-level gateway outbound hence lower overheads hence lower overheads
Examples of Firewalls Windows Defender (Application level) IP Tables (Packet level) SOCKS (circuit-level) MAC OS X personal firewall SNORT?
Example Connection State Common to have along with Network Address Translation and Port Address Translation (NAT and PAT) SrcAddrSrcPortDestAddrDestPortStatus Status may be established, expired, ended, etc.
Distributed Firewalls
Intrusion Prevention Systems (IPS) recent addition to security products which inline net/host-based IDS that can block traffic inline net/host-based IDS that can block traffic functional addition to firewall that adds IDS capabilities functional addition to firewall that adds IDS capabilities can block traffic like a firewall using IDS algorithms may be network or host based
Host-Based IPS identifies attacks using both: signature techniques signature techniques malicious application packetsmalicious application packets anomaly detection techniques anomaly detection techniques behavior patterns that indicate malwarebehavior patterns that indicate malware can be tailored to the specific platform e.g. general purpose, web/database server specific e.g. general purpose, web/database server specific can also sandbox applets to monitor behavior may give desktop file, registry, I/O protection
Network-Based IPS inline NIDS that can discard packets or terminate TCP connections uses signature and anomaly detection may provide flow data protection monitoring full application flow content monitoring full application flow content can identify malicious packets using: pattern matching, stateful matching, protocol anomaly, traffic anomaly, statistical anomaly pattern matching, stateful matching, protocol anomaly, traffic anomaly, statistical anomaly cf. SNORT inline can drop/modify packets
Unified Threat Management Products
Summary introduced need for & purpose of firewalls types of firewalls packet filter, stateful inspection, application and circuit gateways packet filter, stateful inspection, application and circuit gateways firewall hosting, locations, topologies intrusion prevention systems