
Common security attacks and their countermeasures
• Finding a way into the network
– Firewalls
• Exploiting software bugs, buffer overflows
– Intrusion Detection Systems
• Denial of Service
– Ingress filtering, IDS
• TCP hijacking
– IPSec
• Packet sniffing
– Encryption (SSH, SSL, HTTPS)
• Social problems
– Education

INTRODUCTION
• Firewalls are used to create security checkpoints at the boundaries of
private networks or personal computers
• As a result, firewalls are the first line of defense against outside
attacks
• Firewalls emerged in the early 1990s and became particularly popular
around 1996, the time when some new attack techniques emerged (buffer
overflows, remote exploits)
INTRODUCTION (cont.)
Diagram: a firewall enforcing a Security Policy (WHO? WHAT? WHEN? HOW?) between "My PC" / the Secure Private Network and the INTERNET
CAPABILITIES of FIREWALLS
• A firewall, defining a single choke point, simplifies security
management because security capabilities are consolidated
on a single system or set of systems.
• They provide a location for monitoring security-related
events. Audit and alarms can be implemented on the
firewalls.
• A firewall is a convenient platform for several functions that
are not security related, such as Network Address Translation
• A firewall can be used to implement VPNs.
• They can authenticate users with different authentication
methods before those users are allowed to reach certain
resources
TECHNIQUES USED by FIREWALLS
• Service Control
• Allows or blocks certain types of Internet services
• Direction Control
• Determines the direction in which particular service requests
may be initiated and allowed to flow
• User Control
• Controls access to a service according to which user is
attempting to access it.
• Behavior Control
• Controls how particular services are used.
• Time Control
• Controls when some services can be used
TYPES of FIREWALLS
• Firewalls can be classified according to different
criteria
– Where they are deployed :
– Perimeter Firewalls
– Internal firewalls
– Personal Firewalls
– Distributed Firewalls
– The layer in the network protocol stack at which they
filter and what they do :
– Packet Filtering Firewalls @ Network / Transport Layer
– Circuit Gateways @ Transport Layer
– Application Gateways @ Application Layer
– Dynamic Packet Filtering Firewalls
PACKET FILTERING FIREWALLS
• One of the oldest types of firewalls
• Packet filters, historically implemented on routers, filter on user-defined
content, such as IP addresses.
• They examine a packet at the Network or Transport Layers
• They are cheap and useful.
PACKET FILTERING FIREWALLS (cont.)
• They are application independent; this feature is
advantageous in terms of performance
• Since they are not application-aware and cannot
understand the context of a given communication, they
are the least secure type of firewall and are good targets
for intruders.
• Packet filtering is a three-step process :
• One must decide what should and should not be permitted
based on a pre-defined security policy
• The allowable types of packets must be specified formally in terms
of logical expressions on packet fields.
• The expressions should be rewritten in whatever syntax the vendor
of the firewall supports.
PACKET FILTERING FIREWALLS (cont.)
• Packet filtering is typically set up as a list of rules based on matches to
fields in the IP or TCP header.
• If there is a match to one of the rules, that rule is invoked and a
predefined action is taken, such as dropping that packet, or
forwarding it while also warning the user or admin.
• The rules are evaluated from the top rule to the bottom rule; the order is
an important issue that should be carefully considered.
• Rules are created according to two different policies :
– Default = Discard : That which is not expressly permitted is prohibited
– Default = Pass : That which is not expressly prohibited is permitted
• The Default = Discard policy is more conservative; initially everything is
blocked, and services are added on a case-by-case basis.
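A worked illustration of the rule list described above, added here as an example that is not part of the original slides: rules are matched top to bottom on header fields, the first match decides, and the default policy (Discard or Pass) applies when nothing matches. The network 192.168.1.0/24, the web server 192.168.1.10 and the rule set are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed example (not from the slides): a first-match packet filter whose
# rules are evaluated top to bottom on IP/TCP header fields, with a configurable
# default policy (Default = Discard or Default = Pass).

@dataclass
class Packet:
    proto: str    # "tcp" or "udp"
    src: str      # source IP address
    dst: str      # destination IP address
    dport: int    # destination port

@dataclass
class Rule:
    action: str            # "pass" or "discard"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source CIDR ("0.0.0.0/0" = any)
    dst: str               # destination CIDR
    dport: Optional[int]   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("any", pkt.proto)
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.dport in (None, pkt.dport))

def filter_packet(rules: List[Rule], pkt: Packet, default: str = "discard") -> str:
    """First matching rule decides; if nothing matches, the default policy applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default

# Hypothetical policy: 192.168.1.0/24 is the private network, .10 is a web server.
RULES = [
    Rule("pass", "tcp", "0.0.0.0/0", "192.168.1.10/32", 80),       # anyone -> web
    Rule("discard", "any", "0.0.0.0/0", "192.168.1.10/32", None),  # nothing else
    Rule("pass", "any", "192.168.1.0/24", "0.0.0.0/0", None),      # LAN -> outside
]

def ordering_matters() -> tuple:
    """Same rules, different order: the broad discard rule swallows the web rule."""
    web = Packet("tcp", "203.0.113.5", "192.168.1.10", 80)
    return filter_packet(RULES, web), filter_packet([RULES[1], RULES[0]], web)
```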
CIRCUIT GATEWAYS
• The idea of a circuit gateway is fundamentally different from packet
filtering.
• Circuit gateways do not permit an end-to-end TCP connection.
• A circuit gateway works at the TCP level: it takes a TCP connection request from
a client, authenticates and authorizes the client, and establishes a second
connection to the origin server on the client’s behalf.
• After establishment of the connection, the circuit gateway simply relays data
back and forth between the two connections.
• It does not interfere with the data stream.
• The one circuit gateway that is actually widely used is SOCKS.
CIRCUIT GATEWAYS (cont.)
• Circuit gateways can bridge two networks that do not share
any IP connectivity or DNS processing.
APPLICATION GATEWAY
• Application gateways are also called proxy servers.
• Application gateways deal with the details of the particular
service they are checking.
• Since they are dealing with details, they are usually more complex
than packet filters.
• Rather than using a general-purpose mechanism to allow many
different kinds of traffic to flow, special purpose code is used for each
desired application.
• Application gateways have another advantage that since they are
controlling the content, they can be used as content filters.
APPLICATION GATEWAY (cont.)
The main disadvantage is the need for specialized
programs or user interfaces for different services.
This results in only basic services being supported.
DYNAMIC PACKET FILTERING FWs
(cont.)
• A newer approach to packet filtering is Dynamic
Packet Filtering based on Stateful Inspection.
– What is new with this approach is that, besides the
functionality that stateless packet filters have (inspecting
header information), stateful inspection maintains state
information about past IP packets.
• If the first packet in a TCP connection is permitted, state
information is added to the state table in an internal
database.
• The other packets of this connection can then pass quickly
through the firewall.
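The state-table behaviour described above, as an added example that is not part of the original slides: only a connection request (SYN) is checked against the policy, and later packets of an accepted connection are passed by a state-table lookup. The permitted server sockets and the packet layout are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed example (not from the slides): stateful inspection for TCP. Only the
# first packet of a connection (a SYN) is checked against the policy and, if
# permitted, recorded in the state table; later packets of that connection are
# passed by a quick state-table lookup instead of a rule search.

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flags as letters, e.g. "S", "SA", "A", "PA", "FA", "R"

# Hypothetical policy: new connections may only be opened to these server sockets.
PERMITTED = {("192.168.1.10", 80), ("192.168.1.10", 443)}

class StatefulFilter:
    def __init__(self) -> None:
        self.state: Dict[Tuple, str] = {}   # connection key -> state

    @staticmethod
    def key(p: Packet) -> Tuple:
        """Direction-independent key so replies (server -> client) hit the same entry."""
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (min(a, b), max(a, b))

    def inspect(self, p: Packet) -> str:
        k = self.key(p)
        if "S" in p.flags and "A" not in p.flags:
            # Connection request: the only packet that consults the rule set.
            if (p.dst, p.dport) in PERMITTED:
                self.state[k] = "SYN_SENT"
                return "pass"
            return "discard"
        if k in self.state:
            # Fast path: packet belongs to a connection we already accepted.
            # Teardown is simplified: the entry is dropped at the first FIN or RST.
            if "F" in p.flags or "R" in p.flags:
                del self.state[k]
            else:
                self.state[k] = "ESTABLISHED"
            return "pass"
        # Non-SYN packet with no state entry: not part of any permitted connection.
        return "discard"
```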
PERIMETER FIREWALLS
• Traditional “firewall in a box”
• Inserted between trusted and untrusted network
segments
• Can support multiple networks (e.g. a Server farm
and a separate DMZ)
• Mature product, many vendors to choose from
• Local control over firewall policy
• Support VPNs and user authentication
• All devices behind firewall are protected
– … but only from stuff on the outside!
• Users don’t need to manage anything
• An outage affects only the systems behind the
firewall
PERIMETER FIREWALLS (cont.)
Diagram: perimeter firewall structure with the Internet on the outside and several network segments behind the firewall (LAN 2; LAN 3 Users; LAN 3 Secure Servers; LAN 3 DMZ)
INTERNAL FIREWALLS
You may also be protecting parts of your internal network
from other parts.
Like the perimeter firewalls, they allow a limited set of
traffic through between the network segments.
PERSONAL FIREWALLS
• Personal firewalls are software-only firewalls that
run on the computer they protect.
• Designed for individual users or small networks.
(e.g. Windows XP comes with a personal firewall)
• Inexpensive and easy to install and use; they should
offer clearly explained configuration options.
• Allow the user to access all necessary network
and web resources, protect from external
"hacking" and alert the user to malicious activity.
PERSONAL FIREWALLS (cont.)
Diagram: personal firewall structure, with the firewall running on the host itself between that host and the Internet / LAN 2
DISTRIBUTED FIREWALLS
• With distributed firewalls, each individual host
enforces the security policy; however, the policy itself is
set by a central management node.
• Rather than having a separate box on the edge of the
network, a rule to reject unwanted connection attempts is
created by the administrator and shipped out to
every host within its management domain.
• Advantages:
• Eliminates the risk of central failure
• Suitable for mobile users
• Easy to customize some special connections
DEPLOYMENT OF FIREWALLS
• Firewalls can be deployed in different structures :
– Screening router structure
– Screening host structure with Bastion host
– Screening host structure with dual-homed Bastion host
– DMZ structure
• Bastion host : A bastion host is a secured computer that allows an
untrusted network (such as the Internet) access to a trusted network
(your internal network). It is typically placed between the two networks
and is often referred to as an application level gateway.
• Demilitarized zone (DMZ)—A DMZ sits between an internal network and
the outside world, and it's the best place to put your public servers.
Examples of systems to place on a DMZ include Web servers, FTP servers,
SMTP servers and log servers.
DEPLOYMENT OF FIREWALLS (cont.)
Diagram: Screening router structure
Diagram: Screening host structure with Bastion host
Diagram: Screening host structure with dual-homed Bastion host
Diagram: DMZ – Demilitarized Zone structure
RISKS with FIREWALLS
• They are a pretty complex piece of software!!!
• Commercial firewall systems are closed software, which means that no
one has really put them under the glass in a search for security
problems...
• Over the last couple of years there have been several bugs found in
them...
• They just filter traffic coming from/to your network
• They can handle dozens of application protocols, but unfortunately
cannot protect you against malicious content
• Security level of a network protected by a firewall system depends on
many factors (DNS, routing infrastructure, security of client software...)
• There is always a great risk associated with the so called “human error”
WEAKNESSES of FIREWALLS
• Common firewall weaknesses include:
• Firewalls cannot protect against what is authorized. Firewalls protect applications
and permit the normal communications traffic to those applications. If the
applications themselves have flaws, a firewall will not stop the attack because, to the
firewall, the communication is authorized.
• Firewalls are only as effective as the rules they are configured to enforce. An overly
permissive rule set will diminish the effectiveness of the firewall.
• Firewalls cannot fix poor admin practices or a poorly designed security policy.
• Firewalls cannot stop attacks in which traffic does not pass through them.
• Firewalls are bottlenecks: Internet connections are getting faster, and the techniques
for detecting potential issues are getting more complicated, so more and more
processing power is required just to stand still. The technologies to do all this already
exist, so it may just be the way forward, for large enterprise security
systems at least.
Intrusion Detection
• Used to monitor for “suspicious activity” on a
network
– Can protect against known software exploits, like
buffer overflows
• Open Source IDS: Snort, www.snort.org

IDS
• Introduction to IDS
• Classification of IDS
• IDS Models
• Available IDS Tools
• Conclusion & Future Work

What is Intrusion?
• Intrusion: Actions attempting to break into or misuse
one’s system in violation of an established policy
• Types of Intrusion:
– Attempted break-ins
– Masquerade attacks
– Penetration of the security
control system
– Denial of Service
– Malicious Use

What is an IDS?
• IDS: system trying to detect and alert on attempted
intrusions into a system or network
• Reactive rather than proactive
(usually does not prevent unauthorized users from entering the
network, only identifies that an intrusion has occurred)
• May provide diagnostic information, too
• Objective: 100% accuracy
– False positive: false alarm
– False negative: letting an attack pass undetected

Elements of a Basic IDS Model
• Audit Data (logs) – Data Collection Issues
– Keyboard inputs, command-based or application-based logs
• Reference Data Store
– Intrusion signatures (known attack patterns)
– Profiles of normal behaviours
• Algorithms searching for suspicious behaviour
• Alarm Response Issues

Classifying IDS’s
• Offline v.s. Online
• Host-Based v.s. Network-Based
• Anomaly Detection v.s. Misuse Detection

Offline v.s. Online
• Offline
– audit data is processed periodically, not in real time
– works on audit logs
– data mining still going on
• Online
– audit data is processed in real time, continuously
– may react and prevent an intrusion

Host-Based v.s. Network-Based (1)
• Host-Based / HIDS
– Software installed on each node
– Typical host-based intrusions:
• Account scans (looking for default accounts with no password set)
• Trojans locating backdoors
– Counter actions:
• Log auditing (Windows: Event log; Linux/Unix: syslog)
• Checking the integrity of files and user privileges by digital
fingerprints (calculating more than one hash of the same file)
– Disadvantage: consumes CPU time, storage, memory and other
system resources
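The file-integrity counter action above (digital fingerprints computed with more than one hash), as an added example that is not part of the original slides. The monitored file, its contents and the tampering are constructed in a temporary directory; the hash algorithms chosen are an assumption.

```python
import hashlib
import os
import tempfile

# Constructed example (not from the slides): a host-based integrity check that
# fingerprints each file with more than one hash, so that defeating a single
# algorithm is not enough to hide a modified file from the comparison.

ALGORITHMS = ("sha256", "sha3_256")   # assumed choice of two independent hashes

def fingerprint(path):
    """Return {algorithm: hexdigest} for the file, reading it once in chunks."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def build_baseline(paths):
    """Reference data store: fingerprints of every monitored file."""
    return {p: fingerprint(p) for p in paths}

def check_integrity(baseline):
    """Compare current fingerprints with the baseline; return a finding per file."""
    findings = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings[path] = "missing"
            continue
        current = fingerprint(path)
        changed = [a for a in ALGORITHMS if current[a] != expected[a]]
        findings[path] = "modified (%s)" % ", ".join(changed) if changed else "ok"
    return findings

def demo():
    """Baseline a constructed file, modify it, and re-check against the baseline."""
    d = tempfile.mkdtemp()
    cfg = os.path.join(d, "monitored.conf")
    with open(cfg, "w") as fh:
        fh.write("listen = 127.0.0.1\n")          # constructed original content
    baseline = build_baseline([cfg])
    before = check_integrity(baseline)[cfg]
    with open(cfg, "a") as fh:
        fh.write("listen = 0.0.0.0\n")            # constructed change after baseline
    after = check_integrity(baseline)[cfg]
    return before, after
```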
Host-Based v.s. Network Based (2)
• Network-Based / NIDS
– Monitors all packets on the network wire
e.g. may watch for large number of TCP connection requests to many
different ports
– Either runs on a single machine (hub, router, etc.) or is divided into
several sensors and one central analysis point
– Usually utilize a network adapter
– Typically host-independent but may be a SW package installed on a
dedicated host
– Monitors numerous hosts simultaneously but may suffer from
performance problems as network speed increases

Anomaly Detection v.s. Misuse Detection (1)
• Anomaly Detection:
– Assumption: “Attacks differ from normal behaviour”
– Analyses the network or system and infers what is “normal”
(establishes a “normal activity profile”)
• Activity measures such as CPU time used, number of network
connections in a time period
– Interprets deviations from “normal” behaviour as an intrusion
– Profile generation: one-time, or current and previous profiles may
be merged at intervals; new profiles may be generated dynamically
– Adjustment of threshold levels
– Updating the profile is very important
Diagram: Audit Data → System Profile → “statistically deviant?” → Attack State
Anomaly Detection v.s. Misuse
Detection (2)
• Anomaly Detection:
– Advantages:
• May catch novel attacks we have not seen before
– Disadvantages:
• Current implementations do not work very well (too many
false positives/negatives)
• Cannot categorize attacks very well
• Difficult to train in highly dynamic environments
• The system may be gradually trained by intruders
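A statistical anomaly detector of the kind sketched on the two slides above, added here as an example that is not part of the original slides: it builds a normal activity profile from past measurements (number of network connections per time period), flags observations that deviate by more than a threshold, merges normal observations into the profile, and keeps deviant ones out so the profile is not gradually trained by an intruder. The measurements and threshold values are constructed.

```python
import statistics

# Constructed example (not from the slides): profile-based anomaly detection on
# one activity measure, e.g. network connections opened per time period.

class AnomalyDetector:
    def __init__(self, threshold=3.0):
        self.threshold = threshold   # adjustable: how many std devs counts as deviant
        self.history = []            # past activity measures backing the profile
        self.mean = None
        self.stdev = None

    def train(self, measures):
        """One-time profile generation from a window of observed normal activity."""
        self.history = list(measures)
        self._recompute()

    def _recompute(self):
        self.mean = statistics.mean(self.history)
        # Population std dev with a floor, so a perfectly flat profile keeps tolerance.
        self.stdev = max(statistics.pstdev(self.history), 1.0)

    def score(self, value):
        """How many standard deviations the observation lies from the profile."""
        return abs(value - self.mean) / self.stdev

    def observe(self, value):
        """Return True if the observation is statistically deviant (possible attack).

        Normal observations are merged into the profile so it follows slow drift;
        deviant ones are excluded, which limits gradual training by an intruder.
        """
        deviant = self.score(value) > self.threshold
        if not deviant:
            self.history.append(value)
            self._recompute()
        return deviant
```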

Anomaly Detection v.s. Misuse Detection (3)
• Misuse Detection
– Attacks are known in advance (signatures)
– Matches signatures against the audit data stream
– The attack signatures are usually specified as rules
Diagram: Audit Data → System Profile → “rule match?” → Attack State; existing rules may be modified and new rules added
Anomaly Detection v.s. Misuse
Detection (4)
• Misuse Detection
– Advantages:
• Easy to implement, deploy, update and understand
• Low rate of false positives
• fast
– Disadvantages:
• Cannot detect previously unknown attacks
• Constantly needs to be updated with new rules
• As good as the database of attack signatures
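Misuse detection as described on the two slides above, added here as an example that is not part of the original slides: attack signatures are rules (regular expressions over audit records) matched against an audit data stream, and the rule set can be extended without retraining. Signature names, thresholds and the audit records are constructed.

```python
import re
from typing import Dict, List
# Constructed example (not from the slides): a misuse detector whose signatures
# are rules matched against audit records. Only what a rule describes is detected,
# so new attack types need new rules, but the rule set is easy to update.
SIGNATURES: Dict[str, re.Pattern] = {
    "SIG-001 repeated failed logins":
        re.compile(r"Failed password for .* from (?P<src>[\d.]+)"),
    "SIG-002 shell metacharacter in request":
        re.compile(r'"GET [^"]*[;|`][^"]*"'),
}

def add_rule(rules: Dict[str, re.Pattern], name: str, pattern: str) -> None:
    """Add or modify a rule without touching the detector."""
    rules[name] = re.compile(pattern)

class MisuseDetector:
    def __init__(self, rules: Dict[str, re.Pattern], login_failures: int = 3):
        self.rules = rules
        self.login_failures = login_failures   # SIG-001 fires at this count
        self.failures: Dict[str, int] = {}     # per-source failed-login counter

    def scan(self, line: str) -> List[str]:
        """Return the names of the signatures this audit record triggers."""
        hits = []
        for name, rx in self.rules.items():
            m = rx.search(line)
            if not m:
                continue
            if name.startswith("SIG-001"):       # stateful signature: count per source
                src = m.group("src")
                self.failures[src] = self.failures.get(src, 0) + 1
                if self.failures[src] < self.login_failures:
                    continue
            hits.append(name)
        return hits

    def scan_stream(self, lines: List[str]):
        """Run the rules over an audit stream; returns (line index, signature) pairs."""
        return [(i, h) for i, line in enumerate(lines) for h in self.scan(line)]
# Constructed audit records (not real logs).
AUDIT = [
    "sshd[411]: Failed password for root from 203.0.113.9 port 5021 ssh2",
    "sshd[411]: Failed password for root from 203.0.113.9 port 5022 ssh2",
    "sshd[412]: Accepted password for alice from 192.168.1.5 port 6000 ssh2",
    "sshd[411]: Failed password for root from 203.0.113.9 port 5023 ssh2",
    '203.0.113.7 - - "GET /search?q=a;b HTTP/1.0" 200 12',
    '192.168.1.5 - - "GET /index.html HTTP/1.0" 200 512',
]
```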

Available IDS Tools
• Commercial
– RealSecure
• Public-Domain
– Shadow
– Snort
• Research Prototypes
– Emerald

RealSecure
• Real-time IDS
• 3-part architecture
– Network-based recognition engine
• Monitors a network segment and looks for packets that match attack
signatures
• Response: terminate connection, send alert, record session, reconfigure
firewall
– Host-based recognition engine
• Analyses system logs
• Response: terminate user processes, suspend user accounts
– Administrator’s module
• www.iss.net

Shadow
• Composed of
– Sensors
• Reside at key monitoring points in network (outside firewall)
• Extract packet headers and save them to a monitoring file
– Analysis station
• Inside firewall
• Reads the monitoring file periodically
• joint venture of Naval Surface Weapons Center Dahlgren,
Network Flight Recorder, the National Security Agency, and
the SANS Institute
• www.nswc.navy.mil/ISSEC/CID/

Snort
• open-source public-domain ID tool
• real-time traffic analysis and packet logging on IP networks
• protocol analysis, content searching / matching
• flexible rules language to describe traffic that it should collect
or pass
• large group of users who contribute new signatures
• Installation guides written in Turkish!
• www.snort.org
