
Introduction to firewalls and IDS/IPS


Presentation on theme: "Introduction to firewalls and IDS/IPS"— Presentation transcript:

1 Introduction to firewalls and IDS/IPS

2 Firewalls

3 Firewalls
By conventional definition, a firewall is a partition made of fireproof material designed to prevent the spread of fire from one part of a building to another.
A firewall isolates an organization’s internal network from the larger Internet, allowing some packets to pass and blocking others.
[Figure: Internet | firewall | privately administered network 222.22/16]

4 Firewall goals:
All traffic from outside to inside, and vice versa, passes through the firewall.
Only authorized traffic, as defined by the local security policy, will be allowed to pass.
The firewall itself is immune to penetration.

5 Firewalls: taxonomy
Traditional packet filters: filters often combined with a router, creating a firewall
Stateful filters
Application gateways
Major firewall vendors: Checkpoint, Cisco PIX

6 Traditional packet filters
Analyzes each datagram going through it; makes the drop decision based on:
source IP address
destination IP address
source port
destination port
TCP flag bits: SYN bit set means a datagram for connection initiation; ACK bit set means part of an established connection
protocol: TCP or UDP or ICMP (firewalls are often configured to block all UDP)
direction: is the datagram leaving or entering the internal network?
router interface: decisions can be different for different interfaces

7 Filtering Rules - Examples
Policy: No outside Web access.
Firewall setting: Drop all outgoing packets to any IP address, port 80.
Policy: External connections to public Web server only.
Firewall setting: Drop all incoming TCP SYN packets to any IP except the public Web server's address, port 80.
Policy: Prevent IPTV from eating up the available bandwidth.
Firewall setting: Drop all incoming UDP packets, except DNS and router broadcasts.
Policy: Prevent your network from being used for a Smurf DoS attack.
Firewall setting: Drop all ICMP packets going to a “broadcast” address.
Policy: Prevent your network from being tracerouted.
Firewall setting: Drop all outgoing ICMP.

8 Access control lists
Apply rules from top to bottom; the first matching row decides:
action  source address        dest address          protocol  source port  dest port  flag bit
allow   222.22/16             outside of 222.22/16  TCP       > 1023       80         any
allow   outside of 222.22/16  222.22/16             TCP       80           > 1023     ACK
allow   222.22/16             outside of 222.22/16  UDP       > 1023       53         ---
allow   outside of 222.22/16  222.22/16             UDP       53           > 1023     ----
deny    all                   all                   all       all          all        all

9 Access control lists
Each router/firewall interface can have its own ACL
Most firewall vendors provide both command-line and graphical configuration interfaces

10 Advantages and disadvantages of traditional packet filters
Advantages:
One screening router can protect an entire network
Can be efficient if filtering rules are kept simple
Widely available: almost any router, even Linux boxes
Disadvantages:
Can possibly be penetrated
Cannot enforce some policies, for example permitting only certain users
Rules can get complicated and difficult to test

11 Case Study: iptables

12 Firewall: iptables
Converts a Linux box into a packet filter.
Included in most Linux distributions today.
[Figure: external network | Linux host with iptables | Linux host; your job: configure]

13 Firewall: iptables
Provides firewall capability to a Linux host
Comes installed with most Linux distributions
Three types of tables: FILTER, NAT, MANGLE
Let’s only consider the FILTER table for now

14 Network or host firewall?
Network firewall: Linux host with 2 interfaces running the filter table, placed between the Internet and the protected network
Host firewall: Linux host with 1 interface running the filter table, attached to the network

15 Chain types for host firewall
[Figure: Linux host with iptables attached to the network; INPUT chain for packets arriving at the host, OUTPUT chain for packets leaving it]

16 INPUT, OUTPUT, FORWARD chains for network firewall
INPUT chain applies to all packets destined to the firewall
OUTPUT chain applies to all packets originating from the firewall
FORWARD chain applies to all packets passing through the firewall

17 Chain types for network firewall
[Figure: Linux host with iptables between the Internet and the protected network, shown three times: INPUT chain, OUTPUT chain, FORWARD chain]

18 iptables: Example command
iptables -A INPUT -i eth0 -s /24 -j ACCEPT
Sets a rule: accepts packets that enter from interface eth0 and have a source address in /24
The kernel applies the rules in order; the first rule that matches a packet determines the action for that packet
Append (-A): adds the rule to the bottom of the list of existing rules

19 iptables: Example command
iptables -A INPUT -i eth0 -j DROP
Sets a rule: silently discards all packets that enter from interface eth0 (except for those accepted by previous rules). The target is DROP; DENY was the ipchains name and is not accepted by iptables.

20 iptables: More examples
iptables -L   list current rules
iptables -F   flush all rules
iptables -D INPUT 2   delete the 2nd rule in the INPUT chain
iptables -I INPUT 1 -p tcp --syn -s /24 -d 0/0 --dport 22 -j ACCEPT
-I INPUT 1: insert the rule at the top of the INPUT chain
Accepts TCP SYNs from /24 to firewall port 22 (ssh). --syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN; the destination port is given with --dport, not appended to -d.

21 iptables options
-p protocol type (tcp, udp, icmp)
-s source IP address or network
-d destination IP address or network
-i interface name (lo, ppp0, eth0)
-j target (ACCEPT, DROP, REJECT; LOG to log the packet)
--sport source port
--dport destination port
--icmp-type ICMP type

22 iptables table types
FILTER: what we have been talking about! 3 chain types: INPUT, OUTPUT, and FORWARD
NAT: hides internal network hosts from the outside world. The outside world only sees the gateway’s external IP address, and no other internal IP addresses. Chains: PREROUTING, POSTROUTING, and others
MANGLE: don’t worry about it.

23 Tables, Chains & Rules
Three types of tables: FILTER, NAT, MANGLE
A table consists of chains. For example, a filter table can have an INPUT chain, an OUTPUT chain, and a FORWARD chain.
A chain consists of a set of rules.

24 Firewall Lab
[Figure: m1 | m2 | m3]
Configure m2 with iptables.

25 Stateful Filters
In the earlier example, any packet with ACK=1 and source port 80 gets in. An attacker could, for example, attempt a malformed-packet attack by sending ACK=1 segments.
Stateful filter: adds more intelligence to the filter decision-making process
Stateful = remember past packets
Memory implemented in a very dynamic state table

26 Stateful filters: example
Log each TCP connection initiated through the firewall: SYN segment
Timeout entries which see no activity for, say, 60 seconds
Connection table columns: source address, dest address, source port, dest port (the example rows have source ports 12699, 37654, 48712 and dest port 80)
If the rule table indicates that the stateful table must be checked: check to see if there is already a connection in the stateful table
Stateful filters can also remember outgoing UDP segments

27 Stateful example
1) Packet arrives from outside: SA= , SP=80, DA= , DP=12699, SYN=0, ACK=1
2) Check filter table ➜ the matching row (allow, source outside of 222.22/16, dest 222.22/16, TCP, source port 80, dest port > 1023, ACK) is marked “check connection” ➜ check stateful table
3) Connection is listed in connection table ➜ let packet through
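The ACL of slide 8 and the stateful check of slides 25 to 27, worked through in code. This is an added example, not code from the slides: a first-match packet filter over the 222.22/16 table, with a connection table that is filled by outgoing SYNs, consulted for the inbound ACK row, and expired after 60 seconds of inactivity. The packet addresses, the PacketFilter class and the helper names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

INTERNAL = ipaddress.ip_network("222.22.0.0/16")  # the slides' privately administered net
TIMEOUT = 60.0  # seconds of inactivity after which a connection entry is removed


@dataclass
class Rule:
    """One ACL row. None in a field means 'any'."""
    action: str                    # "allow" or "deny"
    src_internal: Optional[bool]   # True = source in 222.22/16, False = outside
    dst_internal: Optional[bool]
    proto: Optional[str]           # "TCP" or "UDP"
    sport: Optional[str]           # "80" or ">1023"
    dport: Optional[str]
    flag: Optional[str]            # "ACK" = ACK bit must be set
    check_conn: bool = False       # stateful: consult the connection table


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


def port_matches(spec, port):
    if spec is None:
        return True
    if spec.startswith(">"):
        return port > int(spec[1:])
    return port == int(spec)


def rule_matches(rule, pkt):
    src_in = ipaddress.ip_address(pkt.src) in INTERNAL
    dst_in = ipaddress.ip_address(pkt.dst) in INTERNAL
    if rule.src_internal is not None and rule.src_internal != src_in:
        return False
    if rule.dst_internal is not None and rule.dst_internal != dst_in:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if not port_matches(rule.sport, pkt.sport) or not port_matches(rule.dport, pkt.dport):
        return False
    return not (rule.flag == "ACK" and not pkt.ack)


class PacketFilter:
    def __init__(self, rules):
        self.rules = rules
        # (internal addr, internal port, external addr, external port) -> last activity time
        self.connections = {}

    def filter(self, pkt, now=0.0):
        self.connections = {k: t for k, t in self.connections.items() if now - t <= TIMEOUT}
        for rule in self.rules:  # rules are applied top to bottom; first match decides
            if not rule_matches(rule, pkt):
                continue
            if rule.action == "deny":
                return "drop"
            if rule.check_conn:  # inbound row: the internal side is the destination
                key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
                if key not in self.connections:
                    return "drop"  # ACK=1 but no connection was ever initiated from inside
                self.connections[key] = now
                return "accept"
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if (pkt.proto == "TCP" and pkt.syn and not pkt.ack) or key in self.connections:
                self.connections[key] = now  # log a new outgoing SYN, or refresh activity
            return "accept"
        return "drop"  # no row matched


# ACL from slide 8; the inbound TCP row also requires the connection-table check (slide 27).
ACL = [
    Rule("allow", True, False, "TCP", ">1023", "80", None),
    Rule("allow", False, True, "TCP", "80", ">1023", "ACK", check_conn=True),
    Rule("allow", True, False, "UDP", ">1023", "53", None),
    Rule("allow", False, True, "UDP", "53", ">1023", None),
    Rule("deny", None, None, None, None, None, None),
]
STATELESS_ACL = [replace(r, check_conn=False) for r in ACL]  # the traditional filter of slide 8

# Constructed packets; the addresses are examples, not from the slides.
OUT_SYN = Packet("222.22.1.7", "198.51.100.20", "TCP", 12699, 80, syn=True)
REPLY = Packet("198.51.100.20", "222.22.1.7", "TCP", 80, 12699, ack=True)
BOGUS_ACK = Packet("203.0.113.9", "222.22.1.7", "TCP", 80, 40000, ack=True)
OUT_TELNET = Packet("222.22.1.7", "198.51.100.20", "TCP", 5000, 23, syn=True)


def run_stateful():
    fw = PacketFilter(ACL)
    return (fw.filter(OUT_SYN, now=0),     # accept, connection logged
            fw.filter(REPLY, now=1),       # accept: reply to a logged connection
            fw.filter(BOGUS_ACK, now=2),   # drop: ACK=1 with no logged connection
            fw.filter(OUT_TELNET, now=3),  # drop: falls through to deny-all
            fw.filter(REPLY, now=100))     # drop: entry timed out after 60 s idle


def run_stateless():
    return PacketFilter(STATELESS_ACL).filter(BOGUS_ACK)  # accept: the weakness of slide 25
```

run_stateless() shows the slide 25 problem directly: the same ACK=1, source-port-80 packet that the stateful filter drops is accepted by the stateless table.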

28 Application gateways (aka proxy gateways)
The gateway sits between a user on the inside and a server on the outside. Instead of talking directly, user and server talk through the proxy.
Allows more fine-grained and sophisticated control than packet filtering. For example, an ftp server may not allow files greater than a set size.
A mail server is an example of an application gateway: you can’t deposit mail in the recipient’s mail server without passing through the sender’s mail server.
[Figure: host-to-gateway ftp session | application gateway | gateway-to-remote-host ftp session]

29 Configuring client Tools/options/connections/LAN settings/proxies:

30 Advantages and disadvantages of proxy gateways
Advantages:
Proxy can log all connections and the activity in connections
Proxy can provide caching
Proxy can do intelligent filtering based on content
Proxy can perform user-level authentication
Disadvantages:
Not all services have proxied versions
May need a different proxy server for each service
Requires modification of the client
Performance

31 Application gateways + packet filter
[Figure: host-to-gateway ftp session | application gateway | gateway-to-remote-host ftp session | router and filter]
Filters packets on application data as well as on IP/TCP/UDP fields.
Example: allow select internal users to ftp outside.
1. Require all ftp users to ftp through the gateway.
2. For authorized users, the gateway sets up an ftp connection to the destination host and relays data between the 2 connections.
3. The router filter blocks all ftp connections not originating from the gateway.

32 Chaining Proxies
[Figure: proxy 1 | proxy 2]

33 Demilitarized Zone (DMZ)
[Figure: Internet | application gateway / firewall | Internal network; the demilitarized zone holds the Web server, DNS server and FTP server]

34 Firewalls: Summary
Filters: widely available in routers, Linux
Stateful filters: maintain connection state
Application gateways: often implemented with SOCKS today

35 Intrusion Detection/Prevention Systems

36 Elements of Intrusion Detection
Primary assumptions:
System activities are observable
Normal and intrusive activities have distinct evidence
Components of intrusion detection systems:
From an algorithmic perspective: features capture intrusion evidence; models piece the evidence together
From a system architecture perspective: various components: audit data processor, knowledge base, decision engine, alarm generation and responses

37 Components of Intrusion Detection System
[Figure: Audit Data Preprocessor → Audit Records → Activity Data (system activities are observable) → Detection Engine with Detection Models → Alarms (normal and intrusive activities have distinct evidence) → Decision Engine with Decision Table → Action/Report]

38 Intrusion Detection Approaches
Modeling
Features: evidence extracted from audit data
Analysis approach: piecing the evidence together
Misuse detection (a.k.a. signature-based)
Anomaly detection (a.k.a. statistical-based)
Deployment: Network-based or Host-based
Network based: monitor network traffic
Host based: monitor computer processes
Need “both” on all of these.

39 Misuse Detection
[Figure: activities → pattern matching against intrusion patterns → intrusion]
Example: if (src_ip == dst_ip) then “land attack”
Can’t detect new attacks

40 Anomaly Detection
[Figure: activity measures → probable intrusion]
Any problem?
Relatively high false positive rate
Anomalies can just be new normal activities.
Anomalies caused by other element faults, e.g., router failure or misconfiguration, P2P misconfiguration
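An added example, not from the slides, of statistical anomaly detection on one activity measure: per-host fan-out, the number of distinct destinations a host contacts in one window (the “unusual connection patterns” a network IDS watches for). The baseline traffic, the worm-like scanner and the P2P host are all constructed; the threshold rule (mean plus three standard deviations of the baseline) and the function names are assumptions for the example. It produces both the true positive and the false positive the slide warns about.

```python
import statistics
from collections import defaultdict


def fan_out(window):
    """Activity measure: distinct destinations contacted by each source in the window."""
    dsts = defaultdict(set)
    for src, dst in window:
        dsts[src].add(dst)
    return {src: len(d) for src, d in dsts.items()}


def learn_threshold(baseline_windows, k=3.0):
    """Profile 'normal' as mean + k population standard deviations of per-host fan-out."""
    values = [v for w in baseline_windows for v in fan_out(w).values()]
    return statistics.mean(values) + k * statistics.pstdev(values)


def detect(window, threshold):
    """Flag every source whose fan-out exceeds the learned threshold (probable intrusion)."""
    return {src: n for src, n in fan_out(window).items() if n > threshold}


# Constructed traffic: 20 internal hosts, each talking to 2 to 5 servers per window.
def normal_window():
    return [(f"222.22.1.{h}", f"198.51.100.{(h + i) % 50}")
            for h in range(1, 21) for i in range(h % 4 + 2)]


BASELINE = [normal_window() for _ in range(5)]


def test_window():
    window = normal_window()
    # a worm-infected host scanning 200 distinct addresses (constructed)
    window += [("222.22.9.9", f"203.0.113.{i}") for i in range(200)]
    # a legitimate host that just started a P2P client with 40 peers (constructed)
    window += [("222.22.1.3", f"192.0.2.{i}") for i in range(40)]
    return window


def run():
    threshold = learn_threshold(BASELINE)   # baseline values 2..5 -> about 6.85
    return threshold, detect(test_window(), threshold)
```

Both hosts exceed the threshold: the scanner is the intended detection, while the P2P host is the “new normal activity” false positive. Lowering k raises the detection rate and the false positive rate together; there is no threshold that separates these two on fan-out alone.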

41 Host-Based IDSs
Using OS auditing mechanisms
E.g., BSM (Basic Security Module) on Solaris: logs all direct or indirect events generated by a user
strace for system calls made by a program (Linux)
Monitoring user activities
E.g., analyze shell commands
Problems: user dependent
Have to install the IDS on all user machines!
Ineffective for large scale attacks

42 The Spread of Sapphire/Slammer Worms
In the first 30 minutes of Sapphire’s spread, we recorded nearly 75,000 unique infections. As we will detail later, most of these infections actually occurred within 10 minutes. This graphic is more for effect rather than technical detail: We couldn’t determine a detailed location for all infections, and the diameter of each circle is proportional to the lg() of the number of infections, underrepresenting larger infections. Nevertheless, it gives a good feel for where Sapphire spread. We monitored the spread using several “Network Telescopes”, address ranges where we had sampled or complete packet traces at single sources. We also used the D-shield distributed intrusion detection system to determine IPs of infected machines, but we couldn’t use this data for calculating the scanning rate.

43 Network Based IDSs
[Figure: Our network | gateway routers | Internet; host based detection]
At the early stage of the worm, there are only limited worm samples. Host based sensors can only cover limited IP space, which might have scalability issues. Thus they might not be able to detect the worm in its early stage.

44 Network IDSs
Deploying sensors at strategic locations
E.g., packet sniffing via tcpdump at routers
Inspecting network traffic
Watch for violations of protocols and unusual connection patterns
Monitoring user activities
Look into the data portions of the packets for malicious code
May be easily defeated by encryption
Data portions and some header information can be encrypted
The decryption engine may still be there, especially for exploits
Problems: mainly accuracy

45 Architecture of Network IDS
[Figure, bottom to top: Packet stream → Packet capture (libpcap) → TCP reassembly → Protocol identification → Signature matching (& protocol parsing when needed)]

46 Firewall/Net IPS vs Net IDS
Firewall/IPS: active filtering, fail-close
Network IDS: passive monitoring, fail-open
Protection is not free/cheap. For example, an intrusion detection system (IDS) needs to analyze each packet. This requires a lot of computing power, usually a dedicated high-end workstation. If the IDS is real-time then its response time must be short. When there are insufficient resources, some protection mechanisms will simply not let data in (fail-close). For example, a firewall, which filters each packet, will simply drop packets when it is overloaded. The dropped packets will not be able to reach beyond the firewall into the internal network. The user experience may not be a happy one because of data loss. However, other protection mechanisms will check/analyze as much as they can but will effectively let all data through (fail-open) when there are insufficient resources. For example, an IDS, which simply copies a packet and analyzes it (while the packet continues to reach its target), may only be able to check a packet after a lengthy delay when it is overloaded, letting the packet complete its potentially malicious actions. When assessing the protection mechanisms, we will develop models and evaluate under what conditions they will fail-close or fail-open.
[Figure: IDS beside the traffic path; FW inline]

47 Related Tools for Network IDS (I)
While not an element of Snort, Ethereal is the best open source GUI-based packet viewer
Offered for: Windows; UNIX, e.g., Red Hat Linux RPMs: ftp.ethereal.com/pub/ethereal/rpms/

48

49 Related Tools for Network IDS (II)
Also not an element of Snort, tcpdump is a well-established CLI packet capture tool
Offered as UNIX source
windump, a Windows port of tcpdump, is offered as well
windump is helpful because it will help you see the different interfaces available on your sensor

50 Case Study: Snort IDS

51 Snort
A packet sniffer: captures and displays packets from the network with different levels of detail on the console
Packet logger: logs data in a text file
Honeypot monitor: deceiving hostile parties
NIDS: network intrusion detection system

52 Typical locations for snort

53 Requirements of Snort
Lightweight NIDS: small, flexible
Highly capable system

54 Snort architecture From: Nalneesh Gaur, Snort: Planning IDS for your enterprise,

55 Snort components

56 Logical components of Snort
Packet Decoder: takes packets from different types of network interfaces (Ethernet, SLIP, PPP, ...) and prepares packets for processing
Preprocessor: (1) prepares data for the detection engine; (2) detects anomalies in packet headers; (3) packet defragmentation; (4) decodes HTTP URIs; (5) reassembles TCP streams
Detection Engine: the most important part, applies rules to packets
Logging and Alerting System
Output Modules: process alerts and logs and generate the final output

57 TCP/IP layers
[Figure: protocol stack from the physical layer up]
Snort works on the network (IP) layer, the transport (TCP/UDP) layer protocols, and the application layer

58 Detection Engine
※ Things that need to be examined by the detection engine:
The IP header of the packet
The transport layer header: TCP, UDP, ICMP etc.
The application layer level header: header of DNS, FTP, SNMP, SMTP
Packet payload
※ How to do these? Apply rules to the packets using a Boyer-Moore string matching algorithm
※ Requirement: time critical, fast

59 Detection engine: what its load depends on
Number of rules
Traffic load on the network
Speed of network and machine
Efficiency of detection algorithm

60 Rules
A rule consists of a rule header and rule options, in a single line.
Rules are created from known intrusion signatures.
Usually placed in the snort.conf configuration file.

61 Rule examples
[Figure: an annotated rule. Rule header: action (applies to all IP packets), source IP address, source port, destination IP address, destination port. Rule options: an alert will be generated if the criteria are met]
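The detection engine of slide 58 and the rule format of slides 60 and 61, as an added example that is not Snort’s code: a simplified parser for a Snort-style rule line (header followed by options in parentheses), a Boyer-Moore-Horspool payload search for the content option, and a sameip check for the land-attack signature of slide 39. The rules, packets and sids are constructed for the example; the parser assumes no semicolons inside option values and does not implement Snort’s full option grammar.

```python
import ipaddress
import re

# Rule header: action proto src sport -> dst dport (options)
HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def parse_rule(line):
    """Split a Snort-style rule into header fields and an options dict (simplified grammar)."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a rule: {line!r}")
    action, proto, src, sport, dst, dport, opts = m.groups()
    options = {}
    for opt in opts.split(";"):           # assumes no ';' inside quoted values
        opt = opt.strip()
        if opt:
            key, _, val = opt.partition(":")
            options[key.strip()] = val.strip().strip('"')   # flags like sameip get ""
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": options}


def bmh_search(pattern, text):
    """Boyer-Moore-Horspool: index of the first occurrence of pattern in text, or -1."""
    m, n = len(pattern), len(text)
    if m == 0:
        return 0
    # bad-character table: shift distance for each byte that occurs before the last position
    skip = {pattern[i]: m - 1 - i for i in range(m - 1)}
    i = 0
    while i <= n - m:
        if text[i:i + m] == pattern:
            return i
        i += skip.get(text[i + m - 1], m)   # byte aligned with the pattern's last position
    return -1


def addr_matches(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


def rule_matches(rule, pkt):
    """Rule header against the packet headers, then the rule options against the payload."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if not (addr_matches(rule["src"], pkt["src"]) and addr_matches(rule["dst"], pkt["dst"])):
        return False
    if not (port_matches(rule["sport"], pkt["sport"]) and port_matches(rule["dport"], pkt["dport"])):
        return False
    opts = rule["options"]
    if "sameip" in opts and pkt["src"] != pkt["dst"]:       # land attack: src_ip == dst_ip
        return False
    if "content" in opts and bmh_search(opts["content"].encode(), pkt["payload"]) < 0:
        return False
    return True


def run_engine(rule_lines, packets):
    """Apply every alert rule to every packet; return (sid, msg) for each hit."""
    rules = [parse_rule(line) for line in rule_lines]
    return [(r["options"]["sid"], r["options"]["msg"])
            for pkt in packets for r in rules
            if r["action"] == "alert" and rule_matches(r, pkt)]


# Constructed rules and packets (not from the slides); sids use the local 1000000+ range.
RULES = [
    'alert tcp any any -> 222.22.0.0/16 21 (msg:"FTP root login attempt"; content:"USER root"; sid:1000001;)',
    'alert ip any any -> any any (msg:"Land attack, src == dst"; sameip; sid:1000002;)',
]
PACKETS = [
    {"proto": "tcp", "src": "203.0.113.5", "dst": "222.22.3.4", "sport": 40123, "dport": 21,
     "payload": b"USER root\r\n"},
    {"proto": "tcp", "src": "222.22.3.4", "dst": "222.22.3.4", "sport": 139, "dport": 139,
     "payload": b""},
    {"proto": "tcp", "src": "203.0.113.5", "dst": "222.22.3.4", "sport": 40124, "dport": 80,
     "payload": b"GET / HTTP/1.0\r\n\r\n"},
]
```

run_engine(RULES, PACKETS) raises one alert per rule: the FTP packet hits the content rule, the packet whose source equals its destination hits the sameip rule, and the plain HTTP request matches nothing. The header checks run first, so the comparatively expensive payload search only runs on packets whose headers already fit the rule, which is the ordering slide 58 calls time critical.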

62 Thank you !

