Common Security Attacks and Their Countermeasures
Attacks and their countermeasures:
• Finding a way into the network
  – Firewalls
• Exploiting software bugs, buffer overflows
  – Intrusion Detection Systems
• Denial of Service
  – Ingress filtering, IDS
• TCP hijacking
  – IPSec
• Packet sniffing
  – Encryption (SSH, SSL, HTTPS)
• Social problems
  – Education
INTRODUCTION
• Firewalls are used to create security checkpoints at the boundaries of private networks or personal computers.
• As a result, firewalls are the first line of defense against outside attacks.
• Firewalls emerged in the early 1990s and became particularly popular around 1996, the time when new attack techniques emerged (buffer overflows, remote exploits).
INTRODUCTION (cont.)
[Figure: a firewall placed between the INTERNET and a secure private network / "My PC", enforcing a security policy that answers WHO? WHEN? WHAT? HOW?]
CAPABILITIES of FIREWALLS
• A firewall, defining a single choke point, simplifies security management because security capabilities are consolidated on a single system or set of systems.
• They provide a location for monitoring security-related events. Audit and alarms can be implemented on the firewalls.
• A firewall is a convenient platform for several functions that are not security related, such as Network Address Translation.
• A firewall can be used to implement VPNs.
• They can authenticate users with different authentication methods in order to control which users reach certain resources.
TECHNIQUES USED by FIREWALLS
• Service Control
– Allows or blocks certain types of Internet services
• Direction Control
– Determines the direction in which particular service requests may be initiated and allowed to flow
• User Control
– Controls access to a service according to which user is attempting to access it
• Behavior Control
– Controls how particular services are used
• Time Control
– Controls when some services can be used
TYPES of FIREWALLS
• Firewalls can be classified according to different criteria:
– Where they are deployed:
  – Perimeter Firewalls
  – Internal Firewalls
  – Personal Firewalls
  – Distributed Firewalls
– The layer of the network protocol stack at which they filter, and what they do:
  – Packet Filtering Firewalls @ Network / Transport Layer
  – Circuit Gateways @ Transport Layer
  – Application Gateways @ Application Layer
  – Dynamic Packet Filtering Firewalls
PACKET FILTERING FIREWALLS
• One of the oldest types of firewalls
• Packet filters, historically implemented on routers, filter on user-defined content, such as IP addresses.
• They examine a packet at the Network or Transport Layer.
• They are cheap and useful.
PACKET FILTERING FIREWALLS (cont.)
• They are application independent; this feature is advantageous in terms of performance.
• Since they are not application-aware and cannot understand the context of a given communication, they are the least secure type of firewall and are good targets for intruders.
• Setting up a packet filter is a three-step process:
– One must decide what should and should not be permitted, based on a pre-defined security policy.
– The allowable types of packets must be specified formally in terms of logical expressions on packet fields.
– The expressions must be rewritten in whatever syntax the vendor of the firewall supports.
PACKET FILTERING FIREWALLS (cont.)
• Packet filtering is typically set up as a list of rules based on matches to fields in the IP or TCP header.
• If a packet matches one of the rules, that rule is invoked and a predefined action is taken, such as dropping the packet, or forwarding it while also warning the user or admin.
• The rules are evaluated from the top rule to the bottom rule, so rule order matters and must be considered carefully.
• Rules are created according to two different policies:
– Default = Discard : That which is not expressly permitted is prohibited
– Default = Pass : That which is not expressly prohibited is permitted
• The Default = Discard policy is more conservative; initially everything is blocked, and services are added on a case-by-case basis.
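The following is an added example, not taken from the slides: a toy first-match packet filter that models the three points above, namely rules expressed as logical expressions on header fields, top-to-bottom evaluation where the first matching rule wins, and the two default policies. The addresses, the rule set and the sample packets are constructed for illustration (documentation address ranges), and the rule fields are a deliberately small subset of what real filters support.

```python
"""Toy first-match packet filter (added example, not from the slides).

Models a rule list evaluated top to bottom against IP/TCP header fields,
with the two default policies the slides name (Default = Discard and
Default = Pass). Rule fields, addresses and sample packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

DISCARD, PASS = "discard", "pass"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                     # DISCARD or PASS
    src: str = "0.0.0.0/0"          # CIDR; the default matches any source
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None     # None matches any protocol
    dport: Optional[int] = None     # None matches any destination port
    note: str = ""

    def matches(self, p: Packet) -> bool:
        # Each field is a logical condition on a header field; all must hold.
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


def evaluate(rules: List[Rule], p: Packet, default: str) -> Tuple[str, str]:
    """Return (action, note). The first matching rule wins; if no rule
    matches, the default policy (Default = Discard or Default = Pass) decides."""
    for r in rules:
        if r.matches(p):
            return r.action, r.note
    return default, "default policy"


# Constructed policy for the internal network 192.0.2.0/24: a blocklisted
# host is rejected first, then mail and web are expressly permitted.
POLICY = [
    Rule(DISCARD, src="198.51.100.7/32", note="blocklisted host"),
    Rule(PASS, dst="192.0.2.10/32", proto="tcp", dport=25, note="SMTP to mail relay"),
    Rule(PASS, dst="192.0.2.20/32", proto="tcp", dport=443, note="HTTPS to web server"),
]
# Same rules with the blocklist moved to the end: shows why order matters.
MISORDERED = POLICY[1:] + POLICY[:1]

SAMPLES = [
    Packet("203.0.113.5", "192.0.2.10", "tcp", 25),   # legitimate mail
    Packet("198.51.100.7", "192.0.2.10", "tcp", 25),  # mail from the blocklisted host
    Packet("203.0.113.5", "192.0.2.20", "tcp", 22),   # SSH: not expressly permitted
]


def run(rules: List[Rule], default: str) -> List[str]:
    """Actions taken for each sample packet under the given rule list and default."""
    return [evaluate(rules, p, default)[0] for p in SAMPLES]


if __name__ == "__main__":
    for default in (DISCARD, PASS):
        print(f"Default = {default}:", run(POLICY, default))
    print("Blocklist rule moved last:", run(MISORDERED, DISCARD))
```

Under Default = Discard the unlisted SSH packet is dropped, under Default = Pass it is forwarded; with the blocklist rule moved to the bottom, the SMTP rule matches the blocklisted host first and lets it through, which is the ordering problem the slide warns about.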
CIRCUIT GATEWAYS
• The idea of a circuit gateway is fundamentally different from packet filtering.
• Circuit gateways do not permit an end-to-end TCP connection.
• A circuit gateway works at the TCP level: it takes a TCP connection request from a client, authenticates and authorizes the client, and establishes a second connection to the origin server on the client's behalf.
• After the connection is established, the circuit gateway simply relays data back and forth between the two connections.
• It does not interfere with the data stream.
• The one circuit gateway that is actually widely used is SOCKS.
CIRCUIT GATEWAYS (cont.)
• Circuit gateways can bridge two networks that do not share any IP connectivity or DNS processing.
APPLICATION GATEWAY
• Application gateways are also called proxy servers.
• Application gateways deal with the details of the particular service they are checking.
• Since they deal with these details, they are usually more complex than packet filters.
• Rather than using a general-purpose mechanism to allow many different kinds of traffic to flow, special-purpose code is used for each desired application.
• Application gateways have another advantage: since they control the content, they can also be used as content filters.
APPLICATION GATEWAY (cont.)
• The main disadvantage is the need for a specialized program or user interface for each different service.
• This results in only basic services being supported.
DYNAMIC PACKET FILTERING FIREWALLS
• A newer approach to packet filtering is Dynamic Packet Filtering based on Stateful Inspection.
– What is new is that, besides the header inspection that stateless packet filters perform, stateful inspection maintains state information about past IP packets.
• If the first packet of a TCP connection is permitted, state information is added to the state table in an internal database.
• The other packets of this connection can then pass quickly through the firewall.
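As an added example (not from the slides), the class below models a stateful inspection table for TCP: the static rule is consulted only for the connection-opening SYN; once that packet is permitted, a state entry is created and later packets of the same connection, in either direction, pass on a fast table lookup, while a packet that belongs to no known connection is dropped without ever being admitted by the static rule. The flow, addresses and port policy are constructed for illustration.

```python
"""Toy stateful inspection table for TCP (added example, not from the slides).

The static rule (allowed inbound ports) is only evaluated for a new
connection's SYN; afterwards the state table alone decides, which is the
fast path the slides describe. Addresses and packets are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False


FlowKey = Tuple[str, int, str, int]


class StatefulFilter:
    def __init__(self, allowed_inbound_ports: Set[int]):
        self.allowed = allowed_inbound_ports
        self.state: Dict[FlowKey, str] = {}   # flow -> "SYN_SEEN" | "ESTABLISHED"
        self.rule_checks = 0                  # how often the slow static-rule path ran

    @staticmethod
    def key(p: TcpPacket) -> FlowKey:
        # Canonical key so both directions of a connection map to one entry.
        forward = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        return min(forward, reverse)

    def handle(self, p: TcpPacket) -> str:
        k = self.key(p)
        if k in self.state:
            # Fast path: the connection was already admitted.
            if p.syn and p.ack and self.state[k] == "SYN_SEEN":
                self.state[k] = "ESTABLISHED"
            if p.fin:
                del self.state[k]          # connection closing: forget it
            return "pass"
        # Slow path: only a connection-opening SYN may create state, and only
        # when the static rule permits the destination port.
        self.rule_checks += 1
        if p.syn and not p.ack and p.dport in self.allowed:
            self.state[k] = "SYN_SEEN"
            return "pass"
        return "drop"


def demo() -> Tuple[List[str], int]:
    """Run a constructed HTTPS session plus a stray packet through the filter.

    Returns the per-packet actions and how many times the static rule ran."""
    fw = StatefulFilter(allowed_inbound_ports={443})
    client, server = ("203.0.113.9", 40000), ("192.0.2.20", 443)
    flow = [
        TcpPacket(*client, *server, syn=True),                          # new connection
        TcpPacket(*server, *client, syn=True, ack=True),                # reply, matched by state
        TcpPacket(*client, *server, ack=True),                          # data
        TcpPacket("198.51.100.3", 5555, "192.0.2.20", 443, ack=True),   # no SYN seen: dropped
        TcpPacket(*client, *server, fin=True, ack=True),                # close
        TcpPacket(*client, *server, ack=True),                          # after close: state is gone
    ]
    return [fw.handle(p) for p in flow], fw.rule_checks


if __name__ == "__main__":
    actions, checks = demo()
    print(actions, "static rule evaluated", checks, "times")
```

Only three of the six packets reach the static rule (the opening SYN, the stray mid-stream packet and the packet sent after the connection closed); the rest are decided by the state table.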
PERIMETER FIREWALLS
• Traditional “firewall in a box”
• Inserted between trusted and untrusted network
segments
• Can support multiple networks (e.g. a Server farm
and a separate DMZ)
• Mature product, many vendors to choose from
• Local control over firewall policy
• Supports VPNs and user authentication
• All devices behind firewall are protected
– … but only from stuff on the outside!
• Users don’t need to manage anything
• An outage affects only the systems behind the
firewall
PERIMETER FIREWALLS (cont.)
[Figure: perimeter firewall structure. The perimeter firewall sits between the Internet and the internal segments (LAN 2, LAN 3 users), with a separate DMZ segment (LAN 3 DMZ).]
INTERNAL FIREWALLS
• You may also be protecting parts of your internal network from other parts.
[Figure: firewall structure (labelled "Personal Firewall Structure" on the slide), with a firewall separating the Internet from LAN 2.]
DISTRIBUTED FIREWALLS
• With distributed firewalls, each individual host enforces the security policy; however, the policy itself is set by a central management node.
• Rather than having a separate box on the edge of the network, a rule to reject unwanted connection attempts is created by the administrator and shipped out to every host within its management domain.
• Advantages:
– Eliminates the risk of central failure
– Suitable for mobile users
– Easy to customize some special connections
DEPLOYMENT OF FIREWALLS
• Firewalls can be deployed in different structures:
– Screening router structure
– Screening host structure with Bastion host
– Screening host structure with dual-homed Bastion host
– DMZ structure
• Bastion host: a secured computer that allows an untrusted network (such as the Internet) access to a trusted network (your internal network). It is typically placed between the two networks and is often referred to as an application level gateway.
• Demilitarized zone (DMZ): a DMZ sits between an internal network and the outside world, and it is the best place to put your public servers. Examples of systems to place on a DMZ include Web servers, FTP servers, SMTP servers and log servers.
DEPLOYMENT OF FIREWALLS (cont.)
[Figure: screening router structure]
IDS
• Introduction to IDS
• Classification of IDS
• IDS Models
• Available IDS Tools
• Conclusion & Future Work
What is Intrusion?
• Intrusion: actions attempting to break into or misuse one's system in violation of an established policy
• Types of Intrusion:
– Attempted break-ins
– Masquerade attacks
– Penetration of the security control system
– Denial of Service
– Malicious Use
What is an IDS?
• IDS: a system that tries to detect and alert on attempted intrusions into a system or network
• Reactive rather than proactive (usually does not prevent unauthorized users from entering the network, only identifies that an intrusion has occurred)
• May provide diagnostic information, too
• Objective: 100% accuracy
– False positive: a false alarm
– False negative: letting an attack pass undetected
Elements of a Basic IDS Model
• Audit Data (logs)
– Keyboard inputs, command-based or application-based logs
– Data collection issues
• Reference Data Store
– Intrusion signatures (known attack patterns)
– Profiles of normal behaviours
• Algorithms searching for suspicious behaviour
• Alarm Response Issues
Classifying IDS's
Offline v.s. Online
• Offline
– audit data is processed periodically, not in real time
– works on audit logs
– data mining is still going on
• Online
– audit data is processed continuously, in real time
– may react to and prevent an intrusion
Host-Based v.s. Network-Based (1)
• Host-Based / HIDS
– Software installed on each node
– Typical host-based intrusion counter actions:
  – Account scans (looking for default accounts with no password set)
  – Log auditing (Windows: Event log; Linux/Unix: Syslog)
  – Locating Trojans and backdoors
  – Checking the integrity of files and user privileges by digital fingerprints (calculating more than one hash of the same file)
– Disadvantage: consumes CPU time, storage, memory and other system resources
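The integrity check mentioned above, as an added example that is not part of the slides: a baseline of digital fingerprints is taken with more than one hash (SHA-256 and BLAKE2b) per file, and a later re-check reports files whose content changed, files that disappeared and files that were not in the baseline. The directory tree it scans is constructed by the script itself in a temporary directory, with stand-in contents, so it runs offline.

```python
"""Host-based file-integrity check with two hashes per file.

Added example, not from the slides: take a baseline of fingerprints for a
directory tree, then re-check it and report modified / removed / added
files. The tree and its contents are constructed stand-ins.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

ALGORITHMS = ("sha256", "blake2b")   # more than one hash of the same file
Fingerprint = Tuple[str, ...]


def fingerprint(path: Path) -> Fingerprint:
    """Hash the file once, feeding every algorithm the same chunks."""
    hashers = [hashlib.new(a) for a in ALGORITHMS]
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            for h in hashers:
                h.update(chunk)
    return tuple(h.hexdigest() for h in hashers)


def baseline(root: Path) -> Dict[str, Fingerprint]:
    """Map each regular file (path relative to root) to its fingerprints."""
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def check(root: Path, base: Dict[str, Fingerprint]) -> Dict[str, List[str]]:
    """Compare the tree against a stored baseline."""
    current = baseline(root)
    report: Dict[str, List[str]] = {"modified": [], "removed": [], "added": []}
    for name, fp in base.items():
        if name not in current:
            report["removed"].append(name)
        elif current[name] != fp:          # any one hash differing is enough
            report["modified"].append(name)
    report["added"] = sorted(set(current) - set(base))
    return report


def demo() -> Dict[str, List[str]]:
    """Build a constructed tree, baseline it, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed stand-in binary\n")
        base = baseline(root)
        # Simulated changes between baseline and re-check: a binary is
        # altered, a config file is removed, an unexpected file appears.
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed stand-in binary, altered\n")
        (root / "etc" / "passwd").unlink()
        (root / "etc" / "new.conf").write_text("constructed unexpected file\n")
        return check(root, base)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline has to be stored somewhere the monitored host cannot silently rewrite, otherwise an intruder who alters a file can re-baseline it too; that storage question is part of the "data collection issues" listed in the basic IDS model.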
Host-Based v.s. Network Based (2)
• Network-Based / NIDS
– Monitors all packets on the network wire, e.g. may watch for a large number of TCP connection requests to many different ports
– Either runs on a single machine (hub, router, etc.) or is divided into several sensors and one central analysis point
– Usually utilizes a network adapter
– Typically host-independent, but may be a software package installed on a dedicated host
– Monitors numerous hosts simultaneously, but may suffer from performance problems as network speed increases
Anomaly Detection v.s. Misuse
Detection (1)
• Anomaly Detection:
– Assumption: "Attacks differ from normal behaviour"
– Analyses the network or system and infers what is "normal" (establishes a "normal activity profile")
– Activity measures such as CPU time used, number of network connections in a time period
– Interprets deviations from "normal" behaviour as an intrusion
– Profile generation: one-time activity profile; current and previous profiles may be merged at intervals
– Adjustment of threshold levels and profile update is very important
[Figure: Audit Data → System Profile → statistically deviant? → Attack; the system state feeds back into the profile]
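An added example of the anomaly-detection loop just described (not from the slides): the profile is the mean and standard deviation of new network connections per minute, an interval is flagged when it deviates from the profile by more than a threshold measured in standard deviations, and non-deviant intervals are merged into the profile so that it follows slow drift without being poisoned by the flagged ones. The measurements are constructed sample data, and the exponentially weighted merge is one simple choice of profile update.

```python
"""Statistical anomaly detector over per-interval connection counts.

Added example, not from the slides: a "normal activity profile" (mean and
standard deviation), a threshold in standard deviations, and a merge step
that updates the profile with observations judged normal. Data constructed.
"""
from math import sqrt
from statistics import mean, pstdev
from typing import List


class ActivityProfile:
    def __init__(self, training: List[int], threshold: float = 3.0, alpha: float = 0.1):
        self.mu = float(mean(training))
        self.sigma = max(pstdev(training), 1.0)   # floor avoids dividing by zero
        self.threshold = threshold                 # in standard deviations
        self.alpha = alpha                         # weight of a new observation when merging

    def deviation(self, x: int) -> float:
        """Signed distance from the profile, in standard deviations."""
        return (x - self.mu) / self.sigma

    def observe(self, x: int) -> bool:
        """Return True if x is statistically deviant; otherwise fold it into the profile."""
        if abs(self.deviation(x)) > self.threshold:
            return True                            # flagged: do NOT merge
        # Merge: exponentially weighted update of mean and variance, so the
        # current profile is blended with the previous one at each interval.
        diff = x - self.mu
        self.mu += self.alpha * diff
        var = (1 - self.alpha) * (self.sigma ** 2 + self.alpha * diff * diff)
        self.sigma = max(sqrt(var), 1.0)
        return False


# Constructed measurements: new connections per minute.
TRAINING = [12, 15, 11, 14, 13, 16, 12, 14, 15, 13]
OBSERVED = [14, 13, 90, 15, 12, 16, 14]     # 90 stands for a sudden connection burst


def detect(training: List[int] = TRAINING, observed: List[int] = OBSERVED,
           threshold: float = 3.0) -> List[int]:
    """Indices of observed intervals that the profile flags as deviant."""
    profile = ActivityProfile(training, threshold=threshold)
    return [i for i, x in enumerate(observed) if profile.observe(x)]


if __name__ == "__main__":
    print("flagged intervals:", detect())
```

Lowering the threshold trades false negatives for false positives, which is why the slide stresses threshold adjustment: with the same data, a threshold of 1 would also flag ordinary fluctuations.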
Anomaly Detection v.s. Misuse
Detection (3)
• Misuse Detection
– Attacks are known in advance (signatures)
– Matches signatures against the audit data stream
– The attack signatures are usually specified as rules
Available IDS Tools
• Commercial
– RealSecure
• Public-Domain
– Shadow
– Snort
• Research Prototypes
– Emerald
RealSecure
• Real-time IDS
• 3-part architecture
– Network-based recognition engine
• Monitors a network segment and looks for packets that match attack signatures
• Response: terminate connection, send alert, record session, reconfigure firewall
– Host-based recognition engine
• Analyses system logs
• Response: terminate user processes, suspend user accounts
– Administrator’s module
• www.iss.net
Shadow
• Composed of
– Sensors
• Reside at key monitoring points in the network (outside the firewall)
• Extract packet headers and save them to a monitoring file
– Analysis station
• Inside the firewall
• Reads the monitoring file periodically
• Joint venture of Naval Surface Weapons Center Dahlgren, Network Flight Recorder, the National Security Agency, and the SANS Institute
• www.nswc.navy.mil/ISSEC/CID/
Snort
• open-source public-domain ID tool
• real-time traffic analysis and packet logging on IP networks
• protocol analysis, content searching / matching
• flexible rules language to describe traffic that it should collect
or pass
• large group of users who contribute new signatures
• Installation guides written in Turkish!
• www.snort.org
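The following added example serves both the misuse-detection slide (signatures specified as rules and matched against the audit data stream) and this Snort slide (a rules language describing traffic to collect or pass). It is not Snort's code and does not implement Snort's grammar; it parses a deliberately small, Snort-inspired subset (action, protocol, source, destination, port, and the msg / content / nocase options) and matches those rules against constructed packets. The rules, addresses and payloads are constructed for illustration.

```python
"""Signature (misuse) matching with a small Snort-style rule subset.

Added example, not from the slides and not Snort's own parser: a few
Snort-inspired rules are parsed and matched against constructed packets,
producing alerts where a signature matches. Real Snort's language is far richer.
"""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    dst: str
    dport: str
    msg: str = ""
    contents: List[bytes] = field(default_factory=list)
    nocase: bool = False


RULE_RE = re.compile(
    r'^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*'
    r'\((?P<opts>.*)\)\s*$')


def parse_rule(text: str) -> Rule:
    """Parse one rule line of the simplified syntax."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    rule = Rule(m["action"], m["proto"], m["src"], m["dst"], m["dport"])
    for opt in filter(None, (o.strip() for o in m["opts"].split(";"))):
        name, _, val = opt.partition(":")
        if name == "msg":
            rule.msg = val.strip().strip('"')
        elif name == "content":
            rule.contents.append(val.strip().strip('"').encode())
        elif name == "nocase":
            rule.nocase = True
    return rule


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes = b""


def addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def matches(rule: Rule, p: Packet) -> bool:
    """Header fields first, then every content string must occur in the payload."""
    if rule.proto not in (p.proto, "ip"):
        return False
    if not (addr_matches(rule.src, p.src) and addr_matches(rule.dst, p.dst)
            and (rule.dport == "any" or int(rule.dport) == p.dport)):
        return False
    data = p.payload.lower() if rule.nocase else p.payload
    return all((c.lower() if rule.nocase else c) in data for c in rule.contents)


# Constructed rules for a home network 192.0.2.0/24.
RULES = [
    'alert tcp any any -> 192.0.2.0/24 80 (msg:"path traversal attempt"; content:"../"; )',
    'alert tcp any any -> 192.0.2.0/24 21 (msg:"FTP anonymous login"; content:"USER anonymous"; nocase;)',
]

# Constructed audit data stream.
PACKETS = [
    Packet("203.0.113.4", "192.0.2.10", "tcp", 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet("203.0.113.4", "192.0.2.10", "tcp", 80, b"GET /../../etc/passwd HTTP/1.0\r\n"),
    Packet("203.0.113.8", "192.0.2.11", "tcp", 21, b"user ANONYMOUS\r\n"),     # matched via nocase
    Packet("203.0.113.8", "198.51.100.2", "tcp", 21, b"USER anonymous\r\n"),  # outside home net
]


def scan(rule_texts: List[str] = RULES, packets: List[Packet] = PACKETS) -> List[str]:
    """Return one alert string per (packet, alert rule) match."""
    rules = [parse_rule(r) for r in rule_texts]
    return [f"{r.msg} from {p.src}" for p in packets for r in rules
            if r.action == "alert" and matches(r, p)]


if __name__ == "__main__":
    for alert in scan():
        print("ALERT:", alert)
```

The fourth packet carries the same payload as a matching rule but is addressed outside the home network, so no alert fires; this is the misuse-detection limitation the slides imply: a signature only catches what it was written to describe, nothing outside it.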