Security tools

Outline Firewalls and network design Honeybots IPTables Snort

Firewalls Image from “Computer Networking” by Kurose and Ross. "… a firewall is a piece of hardware or software which functions in a networked environment to prevent some communications forbidden by the security policy, analogous to the function of firewalls in building construction."

Types of Firewalls packet filtering gateways or screening routers stateful inspection firewalls application proxies guards personal firewalls From “Security in Computing” by Pfleeger and Pfleeger.

Image from “Computer Security” by Matt Bishop, Addison Wesley. From “Computer Security” by Matt Bishop More Realistic Example Illustrating some current best practices.

Image from “Computer Security” by Matt Bishop, Addison Wesley. Security Mantras principle of least privilege fail-safe defaults principle of open design complete mediation economy of mechanism least common mechanism separation of privilege

Image from “Computer Security” by Matt Bishop, Addison Wesley. DMZ Demilitarized Zone. Part of network that is between internal intranet sand external internet.

Image from “Computer Security” by Matt Bishop, Addison Wesley. Outer Firewall Configuration Conceal information about internal network (NAT). Only allow expected services (HTTP, HTTPS, SMTP), only to DMZ servers.

Image from “Computer Security” by Matt Bishop, Addison Wesley. Inner Firewall Configuration Everything comes from DMZ proxies. Only allow expected traffic (SMTP). Administrator access only via SSH from expected workstations.

Image from “Computer Security” by Matt Bishop, Addison Wesley. DMZ Mail Server Proxy. Virus scanner.

Image from “Computer Security” by Matt Bishop, Addison Wesley. Web Server Boot from CDROM All system files and application on CDROM. CGI files on CDROM Pages are updated frequently, so can be on hard drive. Everything possible is on unalterable media. No unneeded services are present (no compiler for sure). Only updated via SSH.

Image from “Computer Security” by Matt Bishop, Addison Wesley. E-Commerce Order information immediately encrypted with public key. Only public key on machine. Encrypted data downloaded by inner host periodically.

Image from “Computer Security” by Matt Bishop, Addison Wesley. DMZ DNS Server Some hosts. Although hosts may have static addresses for reliability. proxy

Image from “Computer Security” by Matt Bishop, Addison Wesley. DMZ Log Server All servers write to log. write-once media accept connections from internal network only.

Honeynets The Honeynet Project— “To learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned.” “Know Your Enemy, Learning about Security Threats”, by The Honeynet Project, Second Edition, Addison Wesley, ISBN

Definition "… a honeypot is a trap set to detect or deflect attempts at unauthorized use of information systems. Generally it consists of a computer, data or a network site that appears to be part of a network but which is actually isolated and protected, and which seems to contain information that would be of value to attackers. The primary value of a honeypot is in the information it provides, which can be used for things such as detection, early warning and prediction, or awareness. While often a computer, a honeypot can take on other forms, such as files or data records, or even unused IP space. Honeypots have no production value; they should not see any traffic or activity. If they do capture any activity, it is most likely malicious or unauthorized. Honeypots can carry risks to a network, and must be handled with care. If they are not properly walled off, an attacker can use them to actually break into a system."

Etymology The term "honeypot" is often understood to refer to the British children's character Winnie-the-Pooh, a stuffed bear who was lured into various predicaments by his desire for pots of honey. An alternative explanation for the term is a reflection of the sarcastic term for outhouses …

Firewalls, IDS and Honeypots Firewalls are a prevention technology; they are network or host solutions that keep attackers out. IDSs are a detection technology; their purpose is to detect and alert security professionals about unauthorized or malicious activity. Honeypots are tougher to define because they can be involved in aspects of prevention, detection, information gathering, and much more.

Many types of Honeypots a honeypot does not even have to be a computer. It can be any type of digital entity (often called a honeytoken) that has no production value. For example, a hospital could create a false set of electronic patient records labeled George W. Bush. Because these records are honeypots, nobody should be accessing or interacting with them. These records could then be implanted into a hospital's patient database as a honeypot component. If any employee or attacker attempted to access these records, this would indicate unauthorized activity because no one should be using these records.

Advantages of Honeypots Honeypots collect only small data sets. Organizations that log thousands of alerts a day may log only a hundred alerts with honeypots. makes the data honeypots collect much easier to manage and analyze. Honeypots reduce false positives. One of the greatest challenges of most detection technologies is that they generate false positives or false alerts. The larger the probability that a security technology produces a false positive, the less likely the technology will be useful. Honeypots dramatically reduce false positives simply because almost any activity with honeypots is by definition unauthorized, making honeypots extremely efficient at detecting attacks.

Advantages of Honeypots (cont.) Honeypots can catch false negatives. Another challenge inherent in traditional detection technologies is that they often fail to detect unknown attacks. This is a critical difference between honeypots and traditional computer security technologies that rely upon known signatures or statistical detection. Signature-based security technologies by definition imply that "someone is going to get hurt" before the new attack is discovered and a signature is distributed. Statistical detection also suffers from probabilistic failures-there is some non-zero probability that a new kind of attack is going to go undetected. Honeypots, on the other hand, are designed to identify and capture new attacks against them. Any activity with the honeypot is an anomaly, making new or unseen attacks stand out.

Advantages of Honeypots (cont.) Honeypots capture encrypted activity. Even if an attack is encrypted, honeypots can capture the activity. As more organizations adopt encryption (such as secure shell [SSH], IP Security Protocol [IPsec], and Secure Sockets Layer [SSL]) within their environments, this becomes a major issue. Honeypots can do this because the encrypted probes and attacks interact with the honeypot as an end point, where the activity is decrypted by the honeypot.

Advantages of Honeypots (cont.) Honeypots are highly flexible. Honeypots are extremely adaptable and can be used in a variety of environments, everything from a social security number embedded into a database to an entire network of computers designed to be broken into. Honeypots require minimal resources. Even on the largest of networks, honeypots require minimal resources. A simple, aging Pentium computer can monitor literally millions of IP addresses

Disadvantages of Honeypots Honeypots have a limited field of view. Honeypots see only what interacts with them. They do not see attacks against or interactions with other systems. A honeypot will not tell you that another system has been compromised, unless that compromised system interacts with the honeypot. Risk. Any time you deploy a new technology, that technology introduces risk-specifically, the risk of an attacker taking over that system and using it as a launching pad for other attacks against internal or external targets.

Types of Honeypots Low interaction emulates services example: honeyd ( High interaction real OS and applications example: Symantec Decoy Server

Low Interaction Honeypots BackOfficer Friendly honeypot: Emulates seven different services

Low Interaction Honeypots (cont.) Honeyd:emulates hundreds of different operating systems and services An open source Honeypot By editing the configuration file, you determine which IP addresses Honeyd will monitor, the types of operating systems it will emulate, and the services it will emulate. For example, you can tell Honeyd to emulate a Linux kernel system with an emulated File Transfer Protocol (FTP) server listening on port 21. –If attackers probe the honeypot, they will believe they are interacting with a Linux system. –If attackers connect to the FTP service, they will be deceived into thinking they are interacting with the wu-ftpd service.

High Interaction Honeypots (cont.) Symantec Docy Server: is a commercial honeypot sold by Symantec. As a high-interaction honeypot, Decoy Server does not emulate operating systems or services. Instead, it creates real systems and real applications for attackers to interact with system and creates up to four identical "cages," each cage being a honeypot. Each cage has a separate operating system with its own file system. Attackers interact with the cages just as they would with real operating systems. What attackers don't realize is that their every action and keystroke is being logged and recorded by the honeypot.

(dis)Advantages of Low Interaction Honeypots Easy to install and deploy; usually requires simply installing and configuring software on a computer Minimal risk as the emulated services control what attackers can and cannot do Captures limited amount of information, mainly transactional data and some limited interaction

(dis)Advantages of High Interaction Honeypots Can be complex to install or deploy (commercial versions tend to be much simpler) Increased risk as attackers are provided real operating systems to interact with its own unique advantages and disadvantages. Different organizations have different goals and therefore use different honeypots. One common trend is that, in general, commercial organizations (such as banks, manufacturing, or retail stores) prefer low-interaction honeypots as they are low risk, easy to deploy, and simple to maintain. High-interaction honeypots are more common among organizations that need the unique capabilities of high-interaction solutions and manage the risk, such as military, government, and educational organizations Can capture far more information than can low-interaction honeypots, including new tools, communications, or attacker keystrokes

Image from “Know Your Enemy”, by The Honeynet Project, Addison Wesley, second edition. … all shapes and sizes.

Uses of Honeypots Preventing attacks Detecting attacks Responding to attacks Research

Preventing attacks Honeypots can help prevent attacks in several ways. –For one, honeypots can prevent automated attacks, such as those launched by worms or auto-rooters. –These attacks are based on tools that randomly scan entire networks looking for vulnerable systems. –If vulnerable systems are found, these automated tools then attack and take over the system –One way that honeypots can help defend against such attacks is by slowing the scanning process, potentially even stopping it. Called "sticky honeypots," these solutions monitor unused IP space. When probed by such scanning activity, the honeypots interact with and slow the attacker. –One such example of a sticky honeypot is La Brea Tar pit. Sticky honeypots are most often low-interaction solutions (you can almost call them "no-interaction solutions," as they slow the attacker down to a crawl). You can also use honeypots to protect your organization from human (that is, non-automated) attacks. –The concept is based on deception or deterrence. The idea is to confuse attackers, making them waste their time and resources interacting with honeypots. –Meanwhile, your organization is able to detect the attacker's activity and has the time to respond and stop it. –This can be taken one step farther. If attackers know your organization is using honeypots but they do not know which systems are honeypots and which systems are legitimate computers, they may be so concerned about being caught by honeypots that they decide not to attack your organization.

Detecting attacks Detection has traditionally proven to be an extremely difficult activity. Technologies such as intrusion detection system and systems logs have proven ineffective for several reasons: – They generate far too much data and a large percentage of false positives, –they are unable to detect new attacks, –and they are unable to work in encrypted environments. Honeypots address many of these traditional detection problems, –reducing false positives by capturing small data sets of high value, –capturing unknown attacks such as new exploits or polymorphic shellcode, –and working in encrypted environments

Responding to attacks There are two problems compounding incidence response: –First, the very systems compromised often cannot be taken offline to be analyzed. –there is often so much data pollution that it can be very difficult to determine what the attackers did. Honeypots can help address both problems : –they can quickly and easily be taken offline for a full forensic analysis without impacting day-to-day business operations. –Also, because the only activity a honeypot captures is unauthorized or malicious activity, this makes hacked honeypots much easier to analyze than hacked production systems, as any data you retrieve from a honeypot is most likely related to the attacker.

Honeynet Architecture Data Control need to allow an attacker enough freedom to reveal his tactics. an attacker might use a compromised honeypot machine for malicious purposes. Data Capture monitoring and logging of activities activity may be encrypted Neither should be evident to an attacker.

GenI vs. GenII Honeywalls GenI layer 3 (IP) has visible IP address can be accessed from inside or outside decreases TTL can perform NAT GenII layer 2 a bridge (logically) only accessed through management interface GenII harder to detect can observe attackers longer We'll use GenII (if we can)

Image from “Know Your Enemy”, by The Honeynet Project, Addison Wesley, second edition. IPTables works with bridging! Why is that surprising?

IPTables Open source firewall. Home page: Good intro: Another good intro:

Image from “Know Your Enemy”, by The Honeynet Project, Addison Wesley, second edition. IPTables Capability

Image from “Know Your Enemy”, by The Honeynet Project, Addison Wesley, second edition. Processing a chain of rules DROP There's a default policy at the end of the chain Defaults can be DROP, ACCEPT, REJECT, …

Image from “Know Your Enemy”, by The Honeynet Project, Addison Wesley, second edition. IPTables configuration Can enter from command line, or collect into an initialization script, commonly called rc.firewall. iptables --list will list all the rules

IPTables files of interest / etc rc.d usr bin local iptables init.d rc.firewall … iptables ….so modules (shared object) executables Honeywall CDROM

Image from “Know Your Enemy”, by The Honeynet Project, Addison Wesley, second edition. Adding an Intrusion Detection System – Snort

Image from “Know Your Enemy”, by The Honeynet Project, Addison Wesley, second edition. Snort Rules No pun intended (really!). tcp? Other actions: drop, sdrop, reject, replace

Image from “Know Your Enemy”, by The Honeynet Project, Addison Wesley, second edition. Snort DB located in various.rules files.

Image from “Know Your Enemy”, by The Honeynet Project, Addison Wesley, second edition.

Snort files of interest / etc var snort snort_inline snortconfig some examples snort.conf other stuff log snort lots of logs usr sbin snort snort_inline Honeywall CDROM rules Known attacks db more rules executables

Image from “Know Your Enemy”, by The Honeynet Project, Addison Wesley, second edition. Sebek Logging an intruders keystrokes Versions for Linux, BSD, Windows

References Know Your Enemy (2nd Ed.), Addison-Wesley, 4/09/24/ http:// 4/09/24/