1 Guide to Network Defense and Countermeasures Chapter 9.

Presentation transcript:

1 Guide to Network Defense and Countermeasures Chapter 9

2 Chapter 9 - Intrusion Detection: Preventative Measures
Explain the benefits of the Common Vulnerabilities and Exposures (CVE) standard
Understand why logging network traffic is an integral part of intrusion detection
Analyze intrusion signatures so that you can block unauthorized access to resources
Identify suspicious events when they are captured by an intrusion detection device
Develop filters so that you can take a proactive approach to intrusion detection

3 Common Vulnerabilities and Exposures (CVE)
CVE gives each publicly known vulnerability a single standard identifier, so that security devices (routers, firewalls, IDSs) and the people operating them can share information about attacks and vulnerabilities and work together
Hardware and security devices that support CVE draw from the same list of vulnerabilities, presented in the same standard format, instead of each vendor using its own name for the same flaw
When an IDS that supports CVE raises an alarm, the CVE reference in the matching signature can be compared with the current list of vulnerabilities known for the target to judge whether an attack has actually occurred, or has merely been attempted against a host that is not affected

5 Common Vulnerabilities and Exposures (CVE)
Scanning CVE vulnerability descriptions
CVE entries can be viewed online and the whole list can be downloaded
The CVE list is not a vulnerability database that can be plugged into an IDS; it is an informational tool whose listings are brief and refer to fuller entries in other databases
Each CVE entry contains: the CVE identifier (the name of the vulnerability); a short description; and references to the same issue in other databases and advisories
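
The correlation slide 3 describes can be done mechanically once IDS alerts and scanner results both carry CVE identifiers. The following Python is an added example, not code from the original slides or from any IDS product: it joins constructed IDS alerts to a constructed scanner inventory by CVE ID and ranks them. The addresses are documentation ranges, the inventory is invented, and the signature messages are illustrative.

```python
"""Correlate IDS alerts that reference a CVE identifier with a vulnerability
scanner's inventory of which hosts are actually affected.

Added example, not part of the original slides. Every record below is
constructed for the demonstration: the addresses are documentation ranges
and the inventory is invented scanner output, not real findings."""
import re
from dataclasses import dataclass

# CVE-YYYY-NNNN; the sequence part has had four or more digits since 2014.
CVE_ID = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


@dataclass
class Alert:
    src: str
    dst: str
    msg: str         # signature message text
    references: str  # the signature's reference list, e.g. "cve,CVE-2003-0352"


# Constructed scanner inventory: host -> CVE identifiers it was found vulnerable to.
# An empty set means the host was scanned and is not affected by anything known.
INVENTORY = {
    "10.0.0.5": {"CVE-2003-0352"},
    "10.0.0.9": set(),
}

# Constructed alerts. CVE-2003-0352 is the reference carried by the Windows DCOM RPC signature.
ALERTS = [
    Alert("203.0.113.7", "10.0.0.5", "NETBIOS DCERPC ISystemActivator bind attempt", "cve,CVE-2003-0352"),
    Alert("203.0.113.7", "10.0.0.9", "NETBIOS DCERPC ISystemActivator bind attempt", "cve,CVE-2003-0352"),
    Alert("203.0.113.7", "10.0.0.12", "NETBIOS DCERPC ISystemActivator bind attempt", "cve,CVE-2003-0352"),
    Alert("198.51.100.2", "10.0.0.5", "ICMP PING NMAP", ""),
]


def cve_ids(alert):
    """All CVE identifiers named in the alert text or its reference list."""
    return set(CVE_ID.findall(alert.msg)) | set(CVE_ID.findall(alert.references))


def triage(alert, inventory=INVENTORY):
    """Classify an alert by whether the target host is known to be vulnerable.

    The same signature firing against a host that has the flaw and one that
    does not should not get the same priority; the CVE reference is what lets
    the IDS alert and the scanner result be joined."""
    ids = cve_ids(alert)
    if not ids:
        return "no-cve-reference"       # nothing to correlate; judge the alert on its own
    known = inventory.get(alert.dst)
    if known is None:
        return "target-not-scanned"     # exposure unknown; assume the worst until scanned
    if ids & known:
        return "target-vulnerable"      # escalate: the exploit could have worked
    return "target-not-vulnerable"      # still worth logging as reconnaissance


def prioritized(alerts=ALERTS, inventory=INVENTORY):
    """Alerts ordered with the most dangerous first."""
    rank = {"target-vulnerable": 0, "target-not-scanned": 1,
            "no-cve-reference": 2, "target-not-vulnerable": 3}
    return sorted(alerts, key=lambda a: rank[triage(a, inventory)])


if __name__ == "__main__":
    for a in prioritized():
        print(f"{triage(a):22} {a.src} -> {a.dst}  {a.msg}")
```

The point of the ordering is that an exploit attempt against a host the scanner says is patched is reconnaissance worth noting, while the same attempt against an unpatched host is a possible compromise and goes to the top of the queue.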

7 Logging and Intrusion Detection
Network security devices generate substantial amounts of log data over time
Analyzing that data manually quickly becomes impractical, so the task is automated by installing log analysis software
ZoneLog is a shareware program that analyzes the log files compiled by the ZoneAlarm firewall; entries are color coded to help determine which ones are possible attacks
Snort is an IDS program common on UNIX/Linux; in its packet-logging mode it writes log files organized into directories named by IP address
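
As an added example of the log automation the slide describes (not code from the original slides or from Snort), the following Python parses Snort's single-line "fast" alert format and summarizes alerts per source address. The log lines are constructed to match that format; the SIDs, messages and addresses are placeholders, and one line is deliberately malformed to show that a parser must skip garbage rather than stop.

```python
"""Parse Snort's "fast" alert log and summarize activity per source address.

Added example, not part of the original slides or of Snort. The log lines
are constructed to look like Snort's one-line alert format; the SIDs,
messages and addresses are placeholders for the demonstration."""
import re

FAST_ALERT = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample log; one line is deliberately not an alert.
SAMPLE_LOG = """\
01/29-14:02:17.103201  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.7 -> 10.0.0.5
01/29-14:02:17.104877  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.7 -> 10.0.0.6
01/29-14:02:19.500321  [**] [1:498:6] ATTACK-RESPONSES id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 203.0.113.7:40112
01/29-14:03:01.000014  [**] [1:1000001:1] LOCAL SYN to closed port [**] [Priority: 3] {TCP} 198.51.100.2:51000 -> 10.0.0.5:23
this line is not an alert and must be skipped rather than crash the parser
01/29-14:03:02.000014  [**] [1:1000001:1] LOCAL SYN to closed port [**] [Priority: 3] {TCP} 198.51.100.2:51001 -> 10.0.0.5:25
"""


def parse_line(line):
    """One fast-alert line -> dict of fields, or None if the line is not an alert."""
    m = FAST_ALERT.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "pri"):
        rec[key] = int(rec[key])
    for key in ("sport", "dport"):          # absent for ICMP
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def summarize(log_text):
    """Aggregate alerts per source: count, distinct targets and signatures, best priority.

    Returns a list sorted by alert count (descending), then by address."""
    by_src = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                      # truncated or corrupted lines happen in real logs
        s = by_src.setdefault(rec["src"], {
            "src": rec["src"], "alerts": 0, "targets": set(),
            "signatures": set(), "top_priority": None,
        })
        s["alerts"] += 1
        s["targets"].add(rec["dst"])
        s["signatures"].add(rec["msg"])
        # Snort priority 1 is the most severe, so keep the minimum seen.
        s["top_priority"] = rec["pri"] if s["top_priority"] is None else min(s["top_priority"], rec["pri"])
    return sorted(by_src.values(), key=lambda s: (-s["alerts"], s["src"]))


if __name__ == "__main__":
    for s in summarize(SAMPLE_LOG):
        print(f'{s["src"]:15} alerts={s["alerts"]} targets={len(s["targets"])} '
              f'priority={s["top_priority"]} sigs={sorted(s["signatures"])}')
```

A source that appears with many distinct targets (the NMAP ping above hits two hosts) is the pattern the slide calls a prelude to attack; a source that appears only as the destination of an ATTACK-RESPONSES signature is the one to worry about, because that signature fires on the reply, not the probe.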

10 Analyzing Intrusion Signatures
Signature analysis is the practice of examining TCP/IP communications to determine whether they are legitimate or suspicious
Suspicious packets fall into these categories:
Bad header information - packets that contain malformed header data, such as impossible IP addresses or port numbers; deliberate packet crafting or alteration is the usual cause
Suspicious data payload - packets whose payload contains text that reveals attacker tactics or matches known attack content

12 Analyzing Intrusion Signatures
Suspicious packets (cont.):
Single-packet attacks are completed by sending one packet from client to host; no connection is required; if IP options or other header fields are manipulated, a vulnerable server can be made to freeze or to hand data to the attacker
Multiple-packet attacks require a series of packets to be received and processed in order for the attack to complete; these attacks, also called composite attacks, are especially difficult to detect because no single packet looks wrong on its own; flooding DoS attacks are an example

14 Analyzing Intrusion Signatures
Capturing packets is an effective way to become familiar with their contents
Studying packets helps you understand signatures, since a signature describes the same fields a packet carries
The goal is to identify the features that tell you what type of connection is under way and whether the traffic is legitimate or suspicious
Packet sniffers monitor the traffic passing a network interface and capture information about each packet they see
Two examples of packet capture software: Ethereal (since renamed Wireshark) for Windows and Linux; the IDS program Snort, which can also run as a plain sniffer

19 Analyzing Intrusion Signatures
To recognize suspicious traffic signatures, first learn to recognize normal traffic signatures
One aspect of normal TCP signatures that is easy to identify is the use of TCP flags (SYN, ACK, PSH, URG, RST, FIN, plus the two former reserved bits that Snort's flags syntax calls 1 and 2, now used for ECN)
The placement and use of these flags are strictly defined; deviations from normal usage mark the communication as suspicious
The SYN flag appears at the beginning of a connection and the FIN flag at the end; a packet carrying both flags at once is suspicious, because no normal TCP implementation sends one

20 Analyzing Intrusion Signatures
Normal traffic signatures (cont.):
Ping signatures reveal a great deal about the systems involved in an ICMP echo exchange; the operating system of the sender can often be inferred from the Time to Live, the IP header length, the datagram length, and characteristic payload bytes
FTP signatures of a normal connection between a client and an FTP server begin with the TCP three-way handshake; three separate packets carry different TCP flags (SYN, SYN/ACK, ACK) that let you track the connection; in particular, the MSS option belongs only in the SYN and SYN/ACK packets, so an MSS option seen in an ACK or ACK/PSH packet suggests the packet was crafted

25 Analyzing Intrusion Signatures
Normal traffic signatures (cont.):
WWW signatures consist of the packets sent back and forth between a Web browser and a Web server as a connection is made; the signature of a normal handshake is a sequence of packets distinguished by their TCP flags: the first packet (from the browser) has the SYN flag set, the second (from the server) has SYN and ACK set, the third has ACK set to acknowledge that the connection is established, and from then on PSH is used together with ACK to indicate that data is being pushed (sent) from the buffer to the application

27 Analyzing Intrusion Signatures
Categories of suspicious traffic signatures:
Informational - may not be malicious in itself, but could be used to verify that an attack succeeded
Reconnaissance - may represent an attempt to gain information about a network as a prelude to attack
Unauthorized access - may be caused by someone who has gained unauthorized access to a system and is attempting to retrieve data from it
Denial of Service - may be part of an attempt to slow or halt all connections to a network device, such as a Web server or mail server

28 Analyzing Intrusion Signatures
Suspicious traffic signatures (cont.):
Ping sweeps involve sending a series of ICMP Echo Request packets to a range of IP addresses; this is one method of locating live hosts before attempting to gain network access; a ping sweep does no direct harm, but the source IP address should be noted so that further activity from it can be tracked
Port scans are attempts to connect to a computer's ports to see which are open and listening; attackers perform them once they have obtained a target IP address; a port scan typically consists of a SYN packet sent to each port on an IP address, one after another

31 Analyzing Intrusion Signatures
Suspicious traffic signatures (cont.):
Random back door scans look for an undocumented or unauthorized opening (such as a listening port left behind by malware) through which a computer, program, or other resource can be accessed
One type of port scan probes a computer to see whether any of the ports used by well-known Trojan horses are open and listening; a Trojan horse is a program that seems harmless but harms a computer or its files; each SYN packet in such a scan targets a different port known to be used by a Trojan horse

35 Analyzing Intrusion Signatures
Suspicious traffic signatures (cont.):
Specific Trojan scans reflect the fact that port scans can be performed in several ways: a vanilla scan probes all ports from 0 to 65535 in succession; a strobe scan probes only the ports used by specific programs, in an attempt to discover whether such a program is present and can be exploited
A single well-known port, for example, is used by the Back Orifice Trojan horse as well as by the ADM worm, Back Fire, and BlitzNet
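
Ping sweeps, vanilla port scans and strobe scans of Trojan ports (slides 28, 31 and 35) can all be detected with the same sliding-window bookkeeping: count distinct hosts pinged per source, or distinct ports SYN'd per source/target pair, within a short time window. The following Python is an added example, not code from the original slides; the packet records are constructed, the thresholds are assumptions to tune per network, and the Trojan watch list holds the well-known default ports of NetBus, SubSeven and Back Orifice purely as illustration of a list an analyst would maintain. The sample traffic also includes a scan slower than the window, which this detector misses, to show the limit of the approach.

```python
"""Sliding-window detection of ping sweeps, vanilla port scans and strobe
scans of a Trojan-port watch list.

Added example, not code from the original slides. Packet records are
constructed; thresholds and the watch list are assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10
ICMP, TCP = 1, 6
ECHO_REQUEST = 8
TROJAN_PORTS = {12345, 27374, 31337}   # illustrative watch list (NetBus, SubSeven, Back Orifice defaults)


@dataclass(frozen=True)
class Pkt:
    ts: float
    src: str
    dst: str
    proto: int
    dport: int = 0        # TCP destination port
    flags: int = 0        # TCP flags byte
    icmp_type: int = -1   # ICMP type; ECHO_REQUEST for a ping


class ScanDetector:
    def __init__(self, window=5.0, sweep_hosts=8, scan_ports=10, strobe_ports=2):
        self.window = window              # seconds of history kept per source
        self.sweep_hosts = sweep_hosts    # distinct hosts pinged within the window
        self.scan_ports = scan_ports      # distinct ports SYN'd on one host within the window
        self.strobe_ports = strobe_ports  # distinct watch-list ports: a much lower bar
        self.echo = defaultdict(deque)    # src -> (ts, dst) history
        self.syn = defaultdict(deque)     # (src, dst) -> (ts, dport) history
        self.reported = set()             # alarm once per (kind, key), not once per packet

    def _expire(self, dq, now):
        while dq and now - dq[0][0] > self.window:
            dq.popleft()

    def feed(self, p):
        """Process one packet; return the detections it triggers (usually none)."""
        out = []
        if p.proto == ICMP and p.icmp_type == ECHO_REQUEST:
            dq = self.echo[p.src]
            dq.append((p.ts, p.dst))
            self._expire(dq, p.ts)
            hosts = {d for _, d in dq}
            if len(hosts) >= self.sweep_hosts and ("sweep", p.src) not in self.reported:
                self.reported.add(("sweep", p.src))
                out.append(f"ping sweep from {p.src}: {len(hosts)} hosts within {self.window}s")
        elif p.proto == TCP and (p.flags & (SYN | ACK)) == SYN:   # SYN without ACK: a connection attempt
            key = (p.src, p.dst)
            dq = self.syn[key]
            dq.append((p.ts, p.dport))
            self._expire(dq, p.ts)
            ports = {d for _, d in dq}
            watched = ports & TROJAN_PORTS
            if len(watched) >= self.strobe_ports and ("strobe", key) not in self.reported:
                self.reported.add(("strobe", key))
                out.append(f"strobe scan of Trojan ports from {p.src} against {p.dst}: {sorted(watched)}")
            elif len(ports) >= self.scan_ports and ("scan", key) not in self.reported:
                self.reported.add(("scan", key))
                out.append(f"port scan from {p.src} against {p.dst}: {len(ports)} ports within {self.window}s")
        return out


def run(packets, **thresholds):
    det = ScanDetector(**thresholds)
    found = []
    for p in sorted(packets, key=lambda p: p.ts):   # capture order is not always time order
        found.extend(det.feed(p))
    return found


def sample_traffic():
    """Constructed traffic: a sweep, a vanilla scan, a strobe scan, a slow scan and ordinary web hits."""
    pk = [Pkt(0.1 * i, "203.0.113.7", f"10.0.0.{i}", ICMP, icmp_type=ECHO_REQUEST) for i in range(1, 11)]
    pk += [Pkt(10 + 0.1 * i, "198.51.100.2", "10.0.0.5", TCP, dport=i, flags=SYN) for i in range(1, 13)]
    pk += [Pkt(20 + 0.5 * i, "192.0.2.9", "10.0.0.5", TCP, dport=port, flags=SYN)
           for i, port in enumerate(sorted(TROJAN_PORTS))]
    pk += [Pkt(30 + 6.0 * i, "192.0.2.11", "10.0.0.5", TCP, dport=i, flags=SYN) for i in range(1, 13)]  # slower than the window
    pk += [Pkt(40 + i, "192.0.2.10", "10.0.0.5", TCP, dport=80, flags=SYN) for i in range(20)]         # one port, many times
    return pk


if __name__ == "__main__":
    for line in run(sample_traffic()):
        print(line)
```

Widening the window (run(sample_traffic(), window=60.0)) catches the slow scanner as well, at the cost of more memory per source and more false positives from busy legitimate clients; that trade-off is why the thresholds are parameters rather than constants.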

37 Analyzing Intrusion Signatures
Suspicious traffic signatures (cont.):
Nmap is a popular tool for scanning networks; it can send packets that never complete the normal three-way handshake two computers perform to establish a connection; the FIN scan, which sends a bare FIN to each port and infers the port state from whether an RST comes back, is an example
Nmap lets an attacker send packets for which an IDS might not raise an alarm, especially if no rule triggers on that particular combination of TCP flags

39 Identifying Suspicious Events
Once an IDS raises an alarm, look for suspicious characteristics and events
Packet header discrepancies in TCP, IP, ICMP, or UDP headers can provide warnings
Falsified IP address alarms could indicate that a network device has been misconfigured or is malfunctioning, or they could indicate IP spoofing
A port number could be falsified if the source or destination port in a TCP or UDP header is set to 0; a protocol number could be falsified if the IP protocol field holds a value IANA has not assigned (134 or greater at the time of writing; check the current registry)

40 Identifying Suspicious Events
Packet header discrepancies (cont.):
Illegal TCP flag combinations are one of the most obvious ways to detect an abnormal packet signature
Common misuses of the SYN and FIN flags: both flags set in the same packet; a packet carrying FIN by itself, without ACK; a SYN-only packet that carries data
Another misuse is the null packet, a TCP packet with no flags set at all
TCP or IP options present in packets where they do not belong can indicate an attack
Fragmentation abuse can occur when an unusually large number of fragmented packets is encountered
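
The header discrepancies of slides 39 and 40, the flag rules of slide 19, the MSS check of slide 20, the FIN scan of slide 37 and the 127.x.x.x source of slide 42 all reduce to a handful of tests on decoded header fields. The Python below is an added example, not code from the original slides; its Packet record is a simplified stand-in for a decoded header. The SYN+RST test and the treatment of the two ECN bits go slightly beyond the slide text but follow the same TCP rules, and the protocol-number cutoff is the slide's 134, which must be checked against IANA's current registry.

```python
"""Header sanity checks for a single packet: illegal flag combinations,
port 0, unassigned protocol numbers, loopback sources and Land packets.

Added example, not code from the original slides. Packet is a simplified
stand-in for a decoded header; the protocol cutoff is the slide's value."""
import ipaddress
from dataclasses import dataclass

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ECE, CWR = 0x40, 0x80       # the former reserved bits ("2" and "1" in Snort's flags syntax)
ICMP, TCP, UDP = 1, 6, 17


@dataclass
class Packet:
    src: str
    dst: str
    proto: int                 # IP protocol number
    sport: int = 0
    dport: int = 0
    flags: int = 0             # TCP flags byte
    payload_len: int = 0
    has_mss_option: bool = False
    from_outside: bool = True  # captured on the external interface


def header_findings(p, first_unassigned_proto=134):
    """Return the list of header discrepancies found; an empty list means the header looks normal.

    first_unassigned_proto is the slide's value; IANA's protocol-number
    registry has grown since, so check it before deploying."""
    found = []
    if p.proto >= first_unassigned_proto and p.proto not in (253, 254):   # 253/254 are reserved for experiments
        found.append("unassigned IP protocol number")
    if p.from_outside and ipaddress.ip_address(p.src).is_loopback:
        found.append("loopback source address from outside (LocalHost source spoof)")
    if p.proto in (TCP, UDP):
        if p.sport == 0 or p.dport == 0:
            found.append("port 0 in transport header")
        if p.src == p.dst and p.sport == p.dport:
            found.append("source equals destination (Land attack)")
    if p.proto == TCP:
        fl = p.flags
        if (fl & 0x3F) == 0:                       # ignore the ECN bits when deciding "no flags"
            found.append("null packet (no TCP flags)")
        if fl & SYN and fl & FIN:
            found.append("SYN and FIN set together")
        if fl & SYN and fl & RST:
            found.append("SYN and RST set together")
        if fl & FIN and not fl & ACK:
            found.append("FIN without ACK (FIN/XMAS scan)")
        if fl & SYN and not fl & ACK and p.payload_len:
            found.append("SYN-only packet carrying data")   # legitimate only with TCP Fast Open
        if p.has_mss_option and not fl & SYN:
            found.append("MSS option outside a SYN segment")
    return found


def is_suspicious(p):
    return bool(header_findings(p))


if __name__ == "__main__":
    samples = {
        "normal SYN":     Packet("203.0.113.7", "10.0.0.5", TCP, 40000, 80, SYN, has_mss_option=True),
        "normal data":    Packet("203.0.113.7", "10.0.0.5", TCP, 40000, 80, PSH | ACK, payload_len=200),
        "nmap FIN scan":  Packet("203.0.113.7", "10.0.0.5", TCP, 40000, 22, FIN),
        "nmap XMAS":      Packet("203.0.113.7", "10.0.0.5", TCP, 40000, 22, FIN | PSH | URG),
        "null scan":      Packet("203.0.113.7", "10.0.0.5", TCP, 40000, 22, 0),
        "land":           Packet("10.0.0.5", "10.0.0.5", TCP, 139, 139, SYN),
        "loopback spoof": Packet("127.0.0.1", "10.0.0.5", UDP, 111, 111),
    }
    for name, pkt in samples.items():
        print(f"{name:15} {header_findings(pkt) or ['ok']}")
```

Each test is cheap and stateless, which is why this class of check belongs at the front of an IDS pipeline: a packet that fails here never needs the more expensive content matching that follows.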

41 Identifying Suspicious Events
Advanced IDS attacks are those that are especially complex, such as:
Polymorphic buffer overflow attacks encode their payload so that it does not match the known signatures many IDSs rely on; once the payload reaches its target it decodes itself back into its original form
Path obfuscation alters the directory path in a packet payload, for example by adding extra forward slashes or "./" segments, so that it no longer matches the signature while still reaching the same resource; the defense is to canonicalize the path before matching
CGI script probes - a series of requests is sent for a list of well-known Common Gateway Interface scripts to discover which are present and exploitable
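
Path obfuscation defeats a signature only if the IDS compares the raw request path; canonicalizing first removes the trick. The following Python is an added example, not code from the original slides or from any IDS: it canonicalizes a request path (URL decoding until stable, backslashes, redundant separators, ".." segments) and records which obfuscations it saw on the way. The three CGI script names in the signature set are classic examples used for illustration; a real list would come from the rule set.

```python
"""Canonicalize a requested URL path before matching it against a CGI signature.

Added example, not code from the original slides. The signature set holds
three classic CGI script names for illustration only."""
import posixpath
from urllib.parse import unquote

CGI_SIGNATURES = {"/cgi-bin/phf", "/cgi-bin/test-cgi", "/cgi-bin/handler"}


def analyze_path(raw):
    """Return (canonical_path, findings) for a request path.

    The canonical form is what a signature should be compared against;
    the findings record which obfuscation techniques were seen."""
    findings = []
    path = raw.split("?", 1)[0]                  # the query string is not part of the resource name
    decoded, prev, rounds = path, None, 0
    while decoded != prev:                       # decode until the string stops changing
        prev, decoded = decoded, unquote(decoded)
        rounds += 1
    if rounds > 2:                               # a third pass only changes something if it was double encoded
        findings.append("double URL encoding")
    if "\\" in decoded:
        findings.append("backslash separator")
        decoded = decoded.replace("\\", "/")
    if "//" in decoded or "/./" in decoded or decoded.endswith("/."):
        findings.append("redundant separators (path obfuscation)")
    if ".." in decoded.split("/"):
        findings.append("directory traversal")
    canonical = posixpath.normpath(decoded)      # collapses //, /./ and resolves ..
    canonical = "/" + canonical.lstrip("/")      # normpath keeps a leading "//"; a URL path has one root
    return canonical, findings


def matches_cgi_signature(raw):
    """True if the request, once canonicalized, names a signature script."""
    canonical, _ = analyze_path(raw)
    return canonical in CGI_SIGNATURES


if __name__ == "__main__":
    for req in ["/cgi-bin/phf?Qalias=x", "/cgi-bin//./phf", "/cgi-bin/%70hf", "/cgi-bin/%2570hf",
                "\\cgi-bin\\phf", "/images/../cgi-bin/phf", "/cgi-bin/../../etc/passwd", "/index.html"]:
        print(f"{req:30} -> {analyze_path(req)}  match={matches_cgi_signature(req)}")
```

Two details matter in practice: decoding must repeat until stable, because a double-encoded "%2570" survives a single decode, and "/images/../cgi-bin/phf" must still match, because the server resolves the ".." before looking up the script.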

42 Identifying Suspicious Events
Remote Procedure Call (RPC) is a standard set of communication rules that allow one computer to request a service from another
RPC-related events that should trigger alarms:
RPC dump - a target host receives an RPC dump request (the query that rpcinfo -p sends to the portmapper), which asks it to report the presence and port usage of every registered RPC service; this is reconnaissance
RPC set spoof - a target host receives an RPC set (registration) request from a source IP address of 127.x.x.x; the loopback range can never legitimately arrive over the network, so the source address is forged
RPC NFS sweep - a target host receives a series of requests for the NFS program, probing for exported file systems

43 Developing IDS Filter Rules
Respond to IDS alarms by adjusting packet filtering rules and by creating rules on the IDS
Configure an IDS to take action (not just alert) as part of its rules when it detects suspicious packets
Rule actions add another layer of network defense; in Snort the actions are alert, log, pass, activate (which alerts and also switches on a companion dynamic rule to log what follows), and dynamic (which stays idle until an activate rule triggers it, then logs the subsequent packets)
Rule data, the rule header, is the part evaluated before any signature match: it includes the protocol, source and destination IP addresses, port numbers, and direction of traffic

44 Developing IDS Filter Rules
Adjusting packet filtering rules (cont.):
Rule options allow rules to become quite granular; options follow the rule header, enclosed in parentheses
Rule options cause specific tests or actions: ttl matches the IP Time to Live; id matches the IP identification (fragment ID) field; flags matches a specific combination of TCP flags; ack matches a specific TCP acknowledgement number; content matches a defined string in the data payload; msg sets the text that appears in the alert; logto writes matching packets to a named file instead of the default log files
The IDS rule base is separate from the packet filter rule base and helps you analyze what traffic is getting through the filter
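
To make the rule header and rule options concrete, the Python below is an added example (not Snort's code and not from the original slides) that parses one-line Snort-style rules and applies them to packets. It supports only the option keywords the slides name (flags, content, ttl, id, ack, msg, logto, plus sid), treats the first matching rule as the decision, and resolves $HOME_NET and $EXTERNAL_NET from an assumed variable table; real Snort orders rules by action type and supports activate/dynamic pairs, |hex| content and much more. The rule set and packets are constructed for the demonstration.

```python
# Added example (not Snort's code, not from the original slides): a minimal interpreter
# for one-line Snort-style rules. Rules, packets and network variables are constructed.
import ipaddress
import re
from dataclasses import dataclass

# Snort flag letters; "1" and "2" are the two former reserved bits, "0" means no flags set.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80, "0": 0}
RULE_HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
RULE_OPTION = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')
VARS = {"$HOME_NET": "10.0.0.0/24", "$EXTERNAL_NET": "!$HOME_NET"}   # assumed network variables


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int = 64
    ipid: int = 0        # IP identification field (the slide's "fragment ID")
    flags: int = 0       # TCP flags byte
    ack: int = 0         # TCP acknowledgement number
    payload: bytes = b""


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    options: list        # (keyword, value) pairs in rule order


def parse_rule(text):
    m = RULE_HEADER.match(text.strip())
    if not m:
        raise ValueError(f"not a rule: {text!r}")
    action, proto, src, sport, dst, dport, body = m.groups()
    options = [(k, v.strip().strip('"')) for k, v in RULE_OPTION.findall(body)]
    return Rule(action, proto, src, sport, dst, dport, options)


def option(rule, name):
    return next((v for k, v in rule.options if k == name), None)


def addr_matches(spec, ip, variables=VARS):
    """Resolve $VARS and "!" negation (either may nest), then test membership."""
    negate = False
    while spec.startswith("!") or spec in variables:
        if spec.startswith("!"):
            negate, spec = not negate, spec[1:]
        else:
            spec = variables[spec]
    if spec == "any":
        return not negate
    return (ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)) != negate


def port_matches(spec, port):
    if spec == "any":
        return True
    lo, sep, hi = spec.partition(":")     # "80", "1:1024", "1024:" or ":1024"
    if not sep:
        return port == int(lo)
    return (not lo or int(lo) <= port) and (not hi or port <= int(hi))


def header_matches(rule, pkt):
    return (rule.proto in ("ip", pkt.proto)
            and addr_matches(rule.src, pkt.src) and port_matches(rule.sport, pkt.sport)
            and addr_matches(rule.dst, pkt.dst) and port_matches(rule.dport, pkt.dport))


def options_match(rule, pkt):
    """Every test option must hold; msg, sid, rev and logto describe the rule and never fail a match."""
    numeric = {"ttl": pkt.ttl, "id": pkt.ipid, "ack": pkt.ack}
    for name, value in rule.options:
        if name == "content" and value.encode() not in pkt.payload:   # plain text only, no |hex|
            return False
        if name == "flags":
            wanted, superset = (value[:-1], True) if value.endswith("+") else (value, False)
            bits = 0
            for ch in wanted:
                bits |= FLAG_BITS[ch]
            # "S+" means SYN plus anything else; "S" means exactly SYN.
            failed = ((pkt.flags & bits) != bits) if superset else (pkt.flags != bits)
            if failed:
                return False
        if name in numeric and numeric[name] != int(value):
            return False
    return True


def decide(rules, pkt):
    """First matching rule wins; returns (action, msg, logto) or None when nothing matched."""
    for rule in rules:
        if header_matches(rule, pkt) and options_match(rule, pkt):
            return rule.action, option(rule, "msg"), option(rule, "logto")
    return None


RULES_TEXT = """\
pass tcp $HOME_NET any -> $HOME_NET any (msg:"internal traffic, not inspected"; sid:1000001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI phf access"; flags:PA; content:"/cgi-bin/phf"; sid:1000002;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SYN FIN scan"; flags:SF; sid:1000003;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"NULL scan"; flags:0; sid:1000004;)
log tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"telnet from outside"; logto:"telnet.log"; sid:1000005;)
"""
RULES = [parse_rule(line) for line in RULES_TEXT.splitlines() if line.strip()]

if __name__ == "__main__":
    probe = Packet("tcp", "203.0.113.7", 40000, "10.0.0.5", 80, flags=0x18, payload=b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n")
    print(decide(RULES, probe))
```

The order of evaluation is the point: a pass rule that matches before an alert rule silences the alert, so pass rules need to be as narrow as the header fields allow.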

45 Chapter Summary
This chapter discussed how to prevent intrusions by learning to interpret the signatures of both normal and abnormal network traffic. By recognizing the characteristics of a possible intrusion, you gain the ability to read log files and alert messages and react to them effectively. You can adjust filter rules to reduce the number of false alarms you receive from your IDS. More importantly, you can prevent intrusions before they occur or keep intrusions that are already under way from causing excessive damage.

46 Chapter Summary
It is important for your network security hardware and software to work cooperatively by sharing information. The Common Vulnerabilities and Exposures (CVE) standard gives IDSs, firewalls, and other devices a common name for each vulnerability, so that attack signatures and vulnerability information can be shared and correlated to better protect a network. The list of current vulnerabilities is maintained as an online database by MITRE; you can use it to update your own CVE references and learn about new attacks.

47 Chapter Summary
Examination and analysis of the log files compiled by your IDS and other devices can tell you whether remote computers are scanning your network as a prelude to an attack. Reviewing log files manually, however, is tedious and time consuming. A log file analysis program automates the process and helps you identify which external hosts have been attempting to gain unauthorized access. The log files can also reveal patterns of access attempts that may represent intrusion attempts.

48 Chapter Summary
The analysis of intrusion signatures is an integral aspect of intrusion prevention. A signature is a set of characteristics such as IP addresses, port numbers, TCP flags, and options. Normal traffic makes valid use of such settings. Possible intrusions are marked by invalid settings that a packet filter is sometimes unable to interpret and therefore allows through to the internal network. Those invalid settings include bad header information, suspicious contents in the payload of packets, IP options settings, and a succession of packets such as a Denial of Service attempt.

49 Chapter Summary
You can set up the freeware IDS Snort as a packet sniffer so that you can capture packets and study their contents. Parts of a packet header indicate whether a Windows or Linux system is being used. The TCP flags are used in sequence to create a normal three-way handshake between two computers. By learning how normal traffic signatures look, you are able to identify suspicious signatures. Monitor suspicious events such as ping sweeps, port scans, random back door scans, and scans for specific Trojan horse programs. The characteristics of packets crafted with the popular network mapping tool Nmap were also discussed.

50 Chapter Summary
You can identify a variety of other suspicious network events. These include orphaned packets, Land attacks, LocalHost source spoofs, falsified protocol numbers, and illegal combinations of TCP flags.

51 Chapter Summary
Advanced IDS attacks are especially difficult to detect. Certain complex attacks, called polymorphic buffer overflow attacks, can be altered so that they do not match a known intrusion signature and elude the IDS. Others use obfuscated path names or other keywords in the data payload. Still others attempt to connect to and abuse common CGI scripts that may be present, or remote procedure calls that also let remote users access services.

52 Chapter Summary
IDS devices can have their own set of filter rules, like packet filtering routers and firewalls. You can configure a set of rules to send alert messages if ICMP packets or other suspicious packets pass through a packet filter on the perimeter of the network and reach the IDS. Such rules can also be configured to log events or a range of subsequent packets. Rule options such as the message associated with a suspicious event can greatly assist you in interpreting log files and deciding how to react to attack attempts.