Presentation is loading. Please wait.

Presentation is loading. Please wait.

Firewalls and intrusion detection systems Bencsáth Boldizsár.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Firewalls and intrusion detection systems Bencsáth Boldizsár."— Presentation transcript:

1 Firewalls and intrusion detection systems Bencsáth Boldizsár

2 2 Outline  Firewalls  Intrusion detection systems (IDS)

3 3 Introduction –A firewall is a system or group of systems that enforces an access control policy between networks – Mostly the goal is to protect TCP/IP networks – Other possible firewalls: between applications on a windows environment, java card firewalls, etc. – Functions: Blocking traffic Permitting traffic Enabling secure remote connections (VPN) Logging traffic Content filtering (blocking): viruses, attacks Network management purposes (screening the traffic etc.) Introduction

4 4 Main goals The main goal of firewalling is – to control unnecessary services, traffic – to hide our internal network topology and services – to protect against protocol errors (e.g. invalid SMTP commands can be filtered) – to enable logging – to control the activity of internal users – every accessible point is a possible security hole: With firewalling we minimize the accessible points and we are making it more difficult to deploy an attack – we can make it more difficult to exploit the vulnerability: E.g. with tftp denied it is more difficult to send files to the internet after an attack – we can separate the network to subnetworks: an intrusion will not compromise our whole system, just a subnetwork/server Introduction

5 5 A firewall is not good for… - Stopping information flow/leakage: Data can be leaked out even through DNS applications or e.g. HTTP tunnels. It is very hard to protect against covert channels. - Complete protection against intrusions: A single open port can be used to gain privileged access An application proxy might not stop attacking through badly formed parameters, etc. An industry spy can use the telefax to transport secrets… Introduction

6 6 Packet filtering – disable access to unwanted services Port State Service 9/tcp open discard 13/tcp open daytime 21/tcp open ftp 22/tcp open ssh 23/tcp open telnet 25/tcp open smtp 37/tcp open time 79/tcp open finger 80/tcp open http 109/tcp open pop-2 110/tcp open pop-3 139/tcp open netbios-ssn 143/tcp open imap2 515/tcp open printer 587/tcp open submission 1723/tcp open pptp 3128/tcp open squid-http Introduction Port State Service 21/tcp open ftp 22/tcp open ssh 25/tcp open smtp 80/tcp open http 110/tcp open pop-3 143/tcp open imap2 3128/tcp filtered squid-http

7 7 Packet filtering  Filtering based on network layer of the IP stack  Filtering rules described in rule base  Default permit / default deny design  Most routers have packet filtering capabilities  A good packet filter… -Permits connections to really-needed services -Also filters internal access – Most of the intrusions come from employees -Detects anomalies – TCP packet without SYN handshake etc. -Filters out all the services what we do not use currently (not only those we don’t want to show) -Hides internal network elements and architecture (NAT) -Filters services available to internal hosts (e.g. filter out streaming) Main problem: Stateless? Stateful? How? Introduction

8 8 Packet filtering  Packet filtering rules mostly based on:  IP protocol (UDP, TCP, …)  Source IP address  Destination IP address  Source/Destination port (socket)  Connection state (TCP: SYN, RST, established,… or e.g. FTP states)  (rate control)  (filter rules based on time schedule – no streaming before 8 p.m.)  incoming/outgoing interface  etc. Introduction

9 9 Application gateway  Proxies rebuild the whole protocol (application layer gateway)  Needs to know the exact specification of the protocol we use  Can investigate the content of the flow  Can protect against protocol errors  More vulnerable to DoS  Can be more complicated to (internal) users (e.g. telnet proxy)  Lower performance  Higher security Introduction

10 10 Packet filter vs. Application gateway – Packet filtering without states is insecure – Stateful packet filtering is fast – Stateful packet filtering might not protect against some protocol errors – Application gateways are more sophisticated – Application gateways are (mostly) not transparent, so an internal webserver beyond an application gateway can not log who is downloading the page – Modern solutions mix the two methods. Introduction

11 11 Rule sets - example – Linux iptables: /sbin/iptables -A INPUT -j ACCEPT -p tcp -d 0/0 -v --dport 23 /sbin/iptables -A INPUT -j LOG -p tcp -d 0/0 -v --dport 110 --tcp-flags SYN,ACK,FIN,RST SYN /sbin/iptables -A INPUT -j ACCEPT -p tcp -d 0/0 -v --dport 110 /sbin/iptables -A INPUT -j DROP -p tcp -d 0/0 -v --dport 3128 – Checkpoint Firewall – text: :rule-base ("##Standard" :rule ( :src ( : Any ) :dst ( : Any ) :services ( : Any ) :action ( : (accept :type (accept) :color ("Dark green") :macro (RECORD_CONN) :icon-name (icon-accept) :text-rid (61463) :windows-color (green) ) ) – Graphical tools / ruleset generators help Introduction

12 12 Architecture / Basic Architecture Internet router firewall Internal network „filters the traffic” it can be a dual-homed gateway or a simple packet filter – screening router

13 13 Elements Architecture Internal network Dual-homed gateway single-homed gateway gateway: application level border element, e.g.: proxy server

14 14 Packet filter only – screening router Architecture Internet router packet filter Internal network Can be a single screening router

15 15 Packet filter with bastion host Architecture Internet router packet filter Internal network Bastion host, here: a dual-homed gateway == proxy server == application level firewall

16 16 Packet filter with bastion host Architecture Internet router packet filter Internal network Bastion host, here: a proxy firewall internal packet filter

17 17 Packet filter with bastion host, DMZ, internal pf Architecture Internet router packet filter Internal network Bastion host, here: a proxy firewall internal packet filter Mail serverWeb server DMZ De-Militarized Zone ? many different topologies can be considered

18 18 Platform and other parameters - Windows, Linux, Solaris, propriaty OS - Hardened operating system - With or without hardware - Working method (stateful inspection, application proxy) - No. of interfaces - Authentication methods - Maximum traffic - Ease of use - Price Firewall - products

19 19 Commercial & free products – Iptables, netfilter packet filtering – Windows internal port filtering ( and IPSEC (policies), network sharing, routing, etc. ) – Checkpoint Firewall (FW-1) Linux, Windows, Nokia – Cisco PIX – Symantec Enterprise Firewall ( <- Raptor ) – Secure Computing Sidewinder (incl. Gauntlet) – Zorp (Balabit) – NAI Firewall (Gauntlet->Secure Co) – Evaluation: ICSA, Common Criteria, … Firewall - products

20 20 Personal firewalls – Every single host on the Internet is a target – Most users do not use tight security (no updates, bad passwords, no security settings) – Attacked clients might become zombies for a DoS attack or a relay for spams and other attacks – They need some protection – Personal firewalls are mostly simple packet filters – Drop incoming service requests (my windows pc is not a file server) – Alert on (anomalous) outgoing requests – Can protect against trojans / information leakage / privacy problems too – Can be integrated with virus protection Personal firewalls

21 21 Intrusion detection systems – Intrusion detection: detecting inappropriate, incorrect, or anomalous activity misuse detection != intrusion detection Host-based: operates on a (single) host Network-based: operates on network data flows (e.g. promiscuous mode network card on a dedicated host) IDS

22 22 IDS Categories  In-Kernel vs. Userspace  Distributed vs. Atomic  Host-based vs. Network-based  Statistical vs. Signature Detection  Active vs. Passive  Proactive vs. Retroactive  Flat vs. Hierarchial (Justin Lundy) IDS

23 23 Host-based IDS  Checking log files for traces of attacks  Checking the condition of processes  Looking for anomalies of the authentication system ( Why is X logging in from Thailand? Why is Z logging in during the weekend?)  Checking the fingerprints of the installed binaries (Operating system integrity)  Checking for malicious user code – possible hacker tools, rootkits  Version (and critical security hole) checking  Checking for invalid www request URLs in web server’s log files  Personal firewall?  … IDS

24 24 Network based IDS  On a single network element (near the firewall) or can be distributed: more agents are distributed on the network and a central server makes the decision  Problem: Encrypted traffic cannot be analyzed (traffic analysis, timing only)  Signature filters: looks for various signatures. Usual attacks possess some kind of signature that identifies them – problem: large number of possible signatures – high traffic rate (~GBps lines) – large number of dropped packets – less accurate result – problem: signatures has to be known. Regular updates needed and much work to generate “good” signatures – problem: polymorphic attack: One might change the attack scenario so that the signature will not match

25 25 Anomaly detection  Mostly on statistical basis  Detects statistically exceptional events  Learning: Watching activity during ‘normal’ state and storing patterns (who logs in, what is the origin, when, etc.)  Experience shows that 90% of attacks can be considered as protocol usage anomalies.  Does not require signatures (except what it learns)  We should carefully add knowledge about “normal” activity, such as RFC compilant state machines, it needs much work.  A non-RFC compilant client is not always an attacker – we need flexibility

26 26 CIDF – Model: Common Intrusion Detection Framework intrusion detection components can be reused in other systems interface & communication protocols – Architecture Event generators (colloquially "E-boxes") Event analyzers ("A-boxes") Event databases ("D-boxes") Response units ("R-boxes") IDS

Download ppt "Firewalls and intrusion detection systems Bencsáth Boldizsár."

Similar presentations

Lecture slides for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 9 “Firewalls and Intrusion Prevention.

Lecture slides for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 9 “Firewalls and Intrusion Prevention.
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.

Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Chapter 10: Data Centre and Network Security Proxies and Gateways * Firewalls * Virtual Private Network (VPN) * Security issues * * * * Objectives:

Chapter 10: Data Centre and Network Security Proxies and Gateways * Firewalls * Virtual Private Network (VPN) * Security issues * * * * Objectives:
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 7 Network Perimeter Security.

J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 7 Network Perimeter Security.
Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.
1 Sonia FahmyPurdue University Firewalls and Firewall Testing Techniques Sonia Fahmy Department of Computer Sciences Purdue University

1 Sonia FahmyPurdue University Firewalls and Firewall Testing Techniques Sonia Fahmy Department of Computer Sciences Purdue University
Circuit & Application Level Gateways CS-431 Dick Steflik.

Circuit & Application Level Gateways CS-431 Dick Steflik.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Proxy Servers CS-480b Dick Steflik Proxy Servers Part of an overall Firewall strategy Sits between the local network and the external network Originally.

Proxy Servers CS-480b Dick Steflik Proxy Servers Part of an overall Firewall strategy Sits between the local network and the external network Originally.
Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
Firewalls: General Principles & Configuration (in Linux)

Firewalls: General Principles & Configuration (in Linux)

Similar presentations

Ads by Google