Intrusion Protection Mark Shtern

Protection systems Firewalls Intrusion detection and protection systems Honeypots System Auditing

Firewall Types Network – Packet filters – Proxy servers – State-full inspection – Can be hardware-based or software-based Application – Packet filters – State-full inspection

Packet filtering Firewalls Permits or denies packets based on socket pairs Packet filters operate at layer 4 of the OSI model Defined packet filters are applied to examine traffic attempting to enter or attempting to exit an interface Packet filters do not maintain state

Proxy Server Firewalls Clients configured to use a proxy server package The proxy server completes client requests on behalf of the requesting clients, if permitted

Proxy Server Types Circuit-level proxy servers only understand the socket portion of a request (IP address, port number, and protocol) Application-level proxy servers also understand the internal commands for each type of application – for example, can recognize FTP commands for PUT, GET, MPUT, MGET, and so on

State-full Inspection Firewalls Generally permits all outbound sessions initiated by internal clients (unless an ACL imposes restrictions) – a state table entry is created for each allowed connection Allows return traffic belonging to the same session Generally denies all inbound sessions initiated by external clients (unless an ACL allows exceptions) – a state table entry is created for each allowed connection

State-full Inspection Firewalls State table entries track: – source and destination IP addresses – source and destination port numbers – protocol – TCP sequence numbers and acknowledgment numbers – TCP session state SYN Received, SYN-ACK Sent, Established

Examples of Firewall Network – Firestarter – Windows Firewall Application – Mod_evasive – Mod_security_common

Intrusion Detection Systems An IDS detects attempts at network intrusion – Host-based or network-based sensors collect data for local analysis or uploading to a centralized analysis engine – When intrusion is detected a log entry or alert can be generated

Detection methods Signature analysis – discernable pattern of a previously seen attack – network scans, port scans, malicious payloads Statistical anomaly – unusual usage patterns – log on at unusual hours, uncharacteristically high usage of a protocol Protocol anomaly – an undefined or non-standard use of a protocol – IP header Protocol field value greater than 137 – TCP header Urgent field set to non-zero value with URG flag set to zero

IDS types Network-based – Monitors entire network – NIC operates in promiscuous mode – Complicated sniffers that check all packets against signatures Host-based – Protects only the host system on which it resides – Network card operates in non-promiscuous mode

Intrusion Prevention Systems An IDS receives a copy of network traffic for analysis and reporting – malicious packets reach their targets – analysis and reporting is after the fact An IPS is a pass-through device inline with the traffic – detected malicious packets are dropped at the IPS and do not reach their intended targets

Snort Intrusion protection and prevention system Rules-based detection engine Network sniffer Snort runs on various operating systems and hardware platforms, including many UNIX systems and Windows Large default rule set (several thousand)

Snort Modes Packet Sniffer Mode – In Packet Sniffer Mode Snort acts like tcpdump and is used for testing. – Type “snort –v” at command prompt to start snort in sniffer mode – Other switches -d displays application layer -e displays data link layer Packet Logger Mode – Same as Packet Sniffing Mode but it also logs the output. – Type “snort –dev –l /var/log/snort” where –l is switch for logging and /var/log/snort is directory to save output.

Snort Modes Intrusion Detection Mode – In this mode snort applies signature rules on all captured packets – If packet matches rules, it is logged or an alert is generated

Writing Snort Rules Figure out what is "bad" Capture traffic that includes the "bad" stuff Learn the protocol Figure out why the "bad stuff" is bad Write a rule Test the rule

Rule Format - basic rule alert tcp any -> (msg:"foo"; content:"bar";)

Rule Format alert tcp any -> (msg:"foo"; content:"bar";) Actions alert log pass activate dynamic drop sdrop Acceptable protocols: – TCP, UDP, ICMP, IP Direction – ->, <> Body – msg, content etc

Honeypot A monitored decoy to lure attackers away from critical resources – simulates various OSs and application servers A tool to analyze an attacker’s methods and other characteristics

Honeypot Modes Research mode – collecting data on attacker motivations, attack trends, and emerging threats Production mode – to prevent, detect, and respond to attacks – impeding scans – diverting an attacker to the honeypot rather than critical files – capturing polymorphic code – acquiring attack signatures – providing attack information for analysis

Honeypot Software Labrea Honeyd

Legal issues An organization may be liable if its honeypot is used to launch attacks against another network Attacker might claim entrapment if apprehended through use of a honeypot – Never explicitly invite interaction with the honeypot

Auditing Logs are the primary record keepers of system and network activity – Basis for fast recovery when service is modified illegally – Basis for tracking the break-in

System logs Windows – Application, System and Security Linux – Syslogs files /var/logs/*

Problem in Managing Logs No periodical review The log files may be modified by intrusion Log size constraint Failure to collect critical information

Audit tools Syslog – log collection system Audit – subsystem in Linux kernel that generates audit record (auditctl, ausearch, aureport ) Logwatch – log analysis system Lire - log analyzer system