CMPT 480 Computer Network Security Module 7 PDF
Summary
This document is a collection of lecture notes or study material on computer network security. It covers different aspects of firewalls and intrusion detection systems (IDS/IPS), including their functionalities, limitations, and different types. It includes diagrams and figures to illustrate the concepts.
Full Transcript
CMPT 480 COMPUTER NETWORK SECURITY
MODULE 7: Firewalls and IDS/IPS

FIREWALLS
- The aim of this perimeter is to protect the premises network from Internet-based attacks and to provide a single choke point where security and auditing can be imposed.
- The firewall is inserted between the premises network and the Internet to establish a controlled link and to erect an outer security wall or perimeter.
- Typically, a firewall provides an additional layer of defense, insulating internal systems from external networks or other parts of the internal network.
- This follows the classic military doctrine of “defense in depth,” which is just as applicable to IT security.
- Firewalls are also deployed internal to the enterprise network to segregate portions of the network.
- The firewall is an important complement to host-based security services.

FIREWALL DESIGN GOALS
- All traffic from inside to outside, and vice versa, must pass through the firewall. This is achieved by physically blocking all access to the local network except via the firewall.
- Only authorized traffic, as defined by the local security policy, will be allowed to pass. Various types of firewalls are used, which implement various types of security policies.
- The firewall itself is immune to penetration. This implies the use of a hardened system with a secured operating system (OS).
  Trusted computer systems are suitable for hosting a firewall and are often required in government applications.

FIREWALL TECHNIQUES
There are four techniques that firewalls use to control access and enforce the site’s security policy:
- Service control: Determines the types of Internet services that can be accessed, inbound or outbound.
- Direction control: Determines the direction in which particular service requests may be initiated and allowed to flow through the firewall.
- User control: Controls access to a service according to which user is attempting to access it.
- Behavior control: Controls how particular services are used.

FIREWALL CAPABILITIES
The following capabilities are within the scope of a firewall:
- A firewall defines a single choke point that keeps unauthorized users out of the protected network, prohibits potentially vulnerable services from entering or leaving the network, and provides protection from various kinds of IP spoofing and routing attacks.
- A firewall provides a location for monitoring security-related events.
- A firewall is a convenient platform for several Internet functions that are not security related.
- A firewall can serve as the platform for implementing virtual private networks.

FIREWALL LIMITATIONS
Firewalls have their limitations, including the following:
- The firewall cannot protect against attacks that bypass the firewall. Internal systems may have dial-out capability to connect to an ISP. An internal LAN may support a modem pool that provides dial-in capability for traveling employees and telecommuters.
- The firewall may not protect fully against internal threats, such as a disgruntled employee or an employee who unwittingly cooperates with an external attacker.
- An improperly secured wireless LAN may be accessed from outside the organization. An internal firewall that separates portions of an enterprise network cannot guard against wireless communications between local systems on different sides of the internal firewall.
- A laptop, smartphone, or portable storage device may be used and infected outside the corporate network, and then connected and used internally.

PACKET FILTERING FIREWALLS
- Very basic type of firewall
- Also referred to as “screening” firewalls
- Works by examining a packet’s:
  - Source address
  - Destination address
  - Source port
  - Destination port
  - Protocol type

PACKET FILTERING FIREWALL RULES
Rules should cover:
- What types of protocols to allow (e.g., FTP, SMTP, POP3)
- What source ports to allow
- What destination ports to allow
- What source IP addresses to allow

PACKET FILTERING FIREWALLS
Advantages:
- Simplicity
- Typically transparent to users
- Are very fast
Weaknesses:
- They cannot prevent attacks that employ application-specific vulnerabilities or functions
- The logging functionality present in packet filter firewalls is limited
- Most packet filter firewalls do not support advanced user authentication schemes
- Packet filter firewalls are generally vulnerable to attacks and exploits that take advantage of problems within the TCP/IP specification and protocol stack
- Packet filter firewalls are susceptible to security breaches caused by improper configurations

ATTACKS AND COUNTERMEASURES
Some of the attacks that can be made on packet filtering firewalls and the appropriate countermeasures are the following:
- IP address spoofing: The intruder transmits packets from the outside with a source IP address field containing an address of an internal host. The countermeasure is to discard packets with an inside source address if the packet arrives on an external interface. In fact, this countermeasure is often implemented at the router external to the firewall.
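To make the screening rules and the spoofing countermeasure concrete, here is an added example in Python; it is not code from the lecture notes or from any firewall product. It models the five header fields a packet filter examines, a first-match rule table, the discarding of inside-source packets that arrive on the external interface, and the source-routing and tiny-fragment countermeasures covered on the continuation slide that follows. It also goes beyond the stateless slides by keeping a connection table so that replies to an already admitted flow are accepted, which is the idea behind stateful packet inspection. The 10.0.0.0/8 premises network, the 10.1.0.0/24 server segment, the 20-byte minimum for a first fragment, and every rule and packet are constructed for the example.

```python
"""Toy packet-filtering firewall with connection tracking.

Added example: not code from the lecture notes or from any firewall product.
All networks, rules and packets below are constructed for the demonstration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL_NET = ip_network("10.0.0.0/8")  # constructed: the premises network
MIN_FIRST_FRAGMENT = 20                  # bytes of transport header required in fragment 0


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str                    # "tcp", "udp" or "icmp"
    iface: str                    # "ext" = Internet side, "int" = premises side
    source_routed: bool = False   # IP source-route option present
    ip_id: int = 0                # identifies the datagram a fragment belongs to
    frag_offset: int = 0          # 0 = first (or only) fragment
    more_frags: bool = False
    payload_len: int = 64         # bytes carried after the IP header


@dataclass(frozen=True)
class Rule:
    """One screening rule; a None field matches any value."""
    action: str                   # "allow" or "deny"
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None     # CIDR text
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return all([
            self.iface in (None, p.iface),
            self.proto in (None, p.proto),
            self.src is None or ip_address(p.src) in ip_network(self.src),
            self.dst is None or ip_address(p.dst) in ip_network(self.dst),
            self.dport in (None, p.dport),
        ])


class StatefulFilter:
    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = set()          # 5-tuples of flows an allow rule admitted
        self.bad_frag_ids = set()   # (src, ip_id) whose first fragment was rejected

    def check(self, p: Packet) -> str:
        # Anti-spoofing: an inside address can never legitimately arrive from outside.
        if p.iface == "ext" and ip_address(p.src) in INTERNAL_NET:
            return "deny:spoofed-source"
        # Source routing: discard every packet carrying the option.
        if p.source_routed:
            return "deny:source-routed"
        # Tiny fragments: fragment 0 must hold a minimum of transport header; once it
        # is rejected, remember the datagram and drop its remaining fragments too.
        if p.frag_offset == 0 and p.more_frags and p.payload_len < MIN_FIRST_FRAGMENT:
            self.bad_frag_ids.add((p.src, p.ip_id))
            return "deny:tiny-fragment"
        if p.frag_offset > 0 and (p.src, p.ip_id) in self.bad_frag_ids:
            return "deny:fragment-of-rejected-datagram"
        # Stateful step: a reply to an admitted flow passes without a rule lookup.
        if (p.dst, p.dport, p.src, p.sport, p.proto) in self.flows:
            return "allow:established"
        # Stateless step: first matching rule wins; no match means deny.
        for r in self.rules:
            if r.matches(p):
                if r.action == "allow":
                    self.flows.add((p.src, p.sport, p.dst, p.dport, p.proto))
                return f"{r.action}:rule"
        return "deny:default"


def build_demo_filter() -> StatefulFilter:
    # Constructed policy: inside hosts may initiate anything; outsiders may only
    # reach web (80) and mail (25) on the 10.1.0.0/24 server segment.
    return StatefulFilter([
        Rule("allow", iface="int", src="10.0.0.0/8"),
        Rule("allow", iface="ext", proto="tcp", dst="10.1.0.0/24", dport=80),
        Rule("allow", iface="ext", proto="tcp", dst="10.1.0.0/24", dport=25),
        Rule("deny"),
    ])


def run_demo() -> list:
    fw = build_demo_filter()
    packets = [  # constructed traffic, in arrival order
        Packet("10.2.0.5", "198.51.100.9", 51000, 443, "tcp", "int"),   # outbound HTTPS
        Packet("198.51.100.9", "10.2.0.5", 443, 51000, "tcp", "ext"),   # its reply
        Packet("203.0.113.7", "10.2.0.5", 3389, 3389, "tcp", "ext"),    # unsolicited inbound
        Packet("10.2.0.5", "10.1.0.10", 4444, 22, "tcp", "ext"),        # inside address from outside
        Packet("203.0.113.7", "10.1.0.10", 40000, 80, "tcp", "ext", source_routed=True),
        Packet("203.0.113.7", "10.1.0.10", 40001, 80, "tcp", "ext",
               ip_id=77, more_frags=True, payload_len=8),               # tiny first fragment
        Packet("203.0.113.7", "10.1.0.10", 40001, 80, "tcp", "ext",
               ip_id=77, frag_offset=1, payload_len=32),                # later fragment of it
        Packet("203.0.113.7", "10.1.0.10", 40002, 80, "tcp", "ext"),    # legitimate web request
    ]
    return [fw.check(p) for p in packets]
```

Calling run_demo() shows the unsolicited inbound packet denied by the final catch-all rule while the reply to the outbound HTTPS flow is admitted as established; a purely stateless version of the same table could not tell those two packets apart without an explicit rule admitting inbound traffic from high ports, which is exactly the gap the stateful slide describes.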
ATTACKS AND COUNTERMEASURES
- Source routing attacks: The source station specifies the route that a packet should take as it crosses the Internet, in the hopes that this will bypass security measures that do not analyze the source routing information. The countermeasure is to discard all packets that use this option.
- Tiny fragment attacks: The intruder uses the IP fragmentation option to create extremely small fragments and force the TCP header information into a separate packet fragment. A tiny fragment attack can be defeated by enforcing a rule that the first fragment of a packet must contain a predefined minimum amount of the transport header. If the first fragment is rejected, the filter can remember the packet and discard all subsequent fragments.

STATEFUL PACKET INSPECTION
- Being aware of the context of packets makes them less susceptible to flood attacks
- Knows if a packet is part of a larger stream
- Recognizes whether the source IP is within the firewall
- Can look at the contents of the packet
- When possible, the recommended firewall solution (Table is on page 659 in the textbook)

APPLICATION-LEVEL GATEWAY
- Also called an application proxy
- Acts as a relay of application-level traffic
- Tends to be more secure than packet filters
- Rather than trying to deal with the numerous possible combinations that are to be allowed and forbidden at the TCP and IP level, the application-level gateway need only scrutinize a few allowable applications
- A prime disadvantage of this type of gateway is the additional processing overhead on each connection. In effect, there are two spliced connections between the end users, with the gateway at the splice point, and the gateway must examine and forward all traffic in both directions

CIRCUIT-LEVEL GATEWAY
- A fourth type of firewall is the
circuit-level gateway or circuit-level proxy
- Can be a stand-alone system or it can be a specialized function performed by an application-level gateway for certain applications
- A circuit-level gateway does not permit an end-to-end TCP connection
- The security function consists of determining which connections will be allowed
- A typical use of circuit-level gateways is a situation in which the system administrator trusts the internal users

APPLICATION VS. CIRCUIT LEVEL GATEWAY

HYBRID FIREWALLS
- Becoming more popular, these configurations take multiple approaches to their firewall implementations
- SPI and circuit-level gateways might be used together

IMPLEMENTING FIREWALLS
- Need to understand the firewall’s relationship to the network it is protecting
- Most common solutions:
  - Network host-based
  - Dual-homed host
  - Router-based firewall
  - Screened host

NETWORK HOST-BASED
- Software-based solution that runs on top of the operating system
- Must harden the operating system in the following ways:
  - Ensure all patches are updated
  - Uninstall unneeded applications or utilities
  - Close unused ports
  - Turn off all unused services
- Cheap solution

IN PRACTICE: SCREENED NETWORK (DMZ)
- Two separate firewalls: one faces the outside world, one faces the inside
- Web, email, and FTP servers are located in the area in between them

ROUTER-BASED FIREWALL
- Usually the first line of defense
- Uses simple packet filtering
- Ideal for novice administrators
- Can be preconfigured by the vendor for the specific needs of the user
- Can be placed between segments of a network

SCREENED HOST
- A combination of firewalls
- A bastion host and a screening router are used
- Similar in concept to the dual-homed host

IN PRACTICE: UTMOST SECURITY
- Multiple firewalls:
  - Stateful packet inspecting firewall
  - Application gateway
  - Screened firewall routers separating each network segment
- Dual-perimeter firewall, packet screening on all routers, individual packet filtering firewalls on every server

SELECTING AND USING A FIREWALL
- Configure it properly
- Consider a consultant for initial setup
- Review logs periodically for anomalies
- Utilize statistics for baseline performance

USING PROXY SERVERS
- Prevent the outside world from gathering information about your internal network
- Provide valuable log information
- Can redirect certain traffic, based on configuration
- Typically runs on the firewall machine
- Protects against spoofing

NETWORK ADDRESS TRANSLATION (NAT)
- Supersedes proxy servers
- Translates internal IP addresses to public addresses
- Can explicitly map ports to internal addresses for web servers

TYPES OF FIREWALLS
- Single machine firewall (SMFW)
- Small Office Home Office (SOHO) firewalls
  - Up to 25 users at a single location
  - Commercial firewalls come preset
- Medium-sized network firewalls
  - Up to a few hundred users at a single location
  - Often have dedicated network administration personnel
  - Ex: Cisco Adaptive Security Appliances (ASA) - NGFW
- Enterprise firewalls
  - Network that typically includes a WAN connection
  - Extremely complex security situation
  - Dedicated team of administrators, including security professionals

SINGLE MACHINE FIREWALLS (SMFS)
- Used on PCs in a home office or on individual workstations on a network
- Commonality of single machine firewalls:
  - Packet filtering or screening firewalls
  - Software-based
  - Easy to configure and set up
  - Helpful in a supporting role for network security, not as a primary solution

SINGLE MACHINE FIREWALLS (SMFS)
- Target market: home user
- Key characteristics:
  - Ease of use
  - Low cost or even free download
  - Meant for essential security, not high security
- Available for all the major OS platforms: Windows, Linux, MacOS

WINDOWS 10/11 FIREWALL
- Windows 10/11 provides a free fully-functional firewall
- Blocks inbound and outbound packets
- Configurable through the Windows Firewall with Advanced Security app
- Can apply different rules depending on traffic source
- Has a logging feature, which is disabled by default

LINUX FIREWALL - IPTABLES
- Primary firewall for Linux
- Three kinds of objects: tables, chains, rules
- Three tables and their standard chains:
  - Packet filtering
  - Network address translation
  - Packet alteration
- In *BSD, pf replaces IPTables

INTRUSION DETECTION SYSTEMS
- Intrusion: Violations of security policy, usually characterized as attempts to affect the confidentiality, integrity, or availability of a computer or network. These violations can come from attackers accessing systems from the Internet or from authorized users of the systems who attempt to overstep their legitimate authorization levels or who use their legitimate access to the system to conduct unauthorized activity.
- Intrusion detection: The process of collecting information about events occurring in a computer system or network and analyzing them for signs of intrusions.
- Intrusion prevention: A preemptive approach to network security used to identify potential threats and respond to them swiftly.

INTRUSION DETECTION SYSTEMS
- Intrusion detection system: Hardware or software products that gather and analyze information from various areas within a computer or a network for the purpose of finding, and providing real-time or near-real-time warning of, attempts to access system resources in an unauthorized manner.

IDS VS IPS
Intrusion Detection System:
- Passive
- Logs the activity
- Alerts an administrator (perhaps)
Intrusion Prevention System:
- Active
- Takes steps to prevent an attack in progress
- Problem of false positives

INTRUSION DETECTION SYSTEMS
Intrusion detection systems (IDSs) can be classified as follows:
- Host-based IDS: Monitors the characteristics of a single host and the events occurring within that host for suspicious activity
- Network-based IDS: Monitors network traffic for particular network segments or devices and analyzes network, transport, and application protocols to identify suspicious activity
An IDS comprises three logical components:
- Sensors: Sensors are responsible for collecting data. The input for a sensor may be any part of a system that could contain evidence of an intrusion. Types of input to a sensor include network packets, log files, and system call traces. Sensors collect and forward this information to the analyzer.
- Analyzers: Analyzers receive input from one or more sensors or from other analyzers. The analyzer is responsible for determining if an intrusion has occurred. The output of this component is an indication that an intrusion has occurred. The output may include evidence supporting the conclusion that an intrusion occurred. The analyzer may provide guidance about what actions to take as a result of the intrusion.
- User interface: The user interface to an IDS enables a user to view output from the system or control the behavior of the system. In some systems, the user interface may equate to a manager, director, or console component.

PREEMPTIVE BLOCKING
- Sometimes called banishment vigilance
- Attempts to detect impending intrusions through footprinting
- Susceptible to false positives
- May block legitimate traffic

ANOMALY DETECTION
- Any activity that does not match normal use is saved in a log
- Normal usage profiles are kept and updated and then compared to anomalous behavior
- Components:
  - Threshold monitoring
  - Resource profiling
  - User/group work profiling
  - Executable profiling

TYPES OF ANOMALY DETECTION
Threshold monitoring:
- Defines acceptable behaviors
- Presets acceptable behavior levels
- Monitors the exceeding of these levels
- Difficult to set times for monitoring behavior
- Susceptible to false positives and negatives

TYPES OF ANOMALY DETECTION
Resource profiling:
- Measures system-wide resource use to develop a historic usage profile
- Abnormal readings can indicate illicit activity

TYPES OF ANOMALY DETECTION
User/group work profiling:
- Each user/group’s typical activities are stored in its work profile
- Activities not typical of that user or group are suspect
- Changes in work patterns need to be updated in the profile
- A dynamic user base could be difficult to profile

TYPES OF ANOMALY DETECTION
Executable profiling:
- Measures and monitors how programs use
system resources
- Helpful in detecting many types of malware attacks
- System services cannot be traced to a particular user
- Profiles how system objects (files and printers) are normally used
- Enables the IDS to identify activity that might indicate an attack

NETWORK-BASED INTRUSION DETECTION SYSTEM
- A network-based ID system (NIDS) monitors the traffic on its network segment as a data source
- This is generally accomplished by placing the network interface card in promiscuous mode to capture all network traffic that crosses its network segment
- Network traffic on other segments, and traffic on other means of communication (like phone lines), can’t be monitored by a single NIDS

NIDS
- Network-based ID involves looking at the packets on the network as they pass by some sensor
- Packets are considered to be of interest if they match a signature
- Three primary types of signatures are:
  - String signatures: Look for a text string that indicates a possible attack
  - Port signatures: Watch for connection attempts to well known, frequently attacked ports
  - Header condition signatures: Watch for dangerous or illogical combinations in packet headers

SNORT
- Possibly the most well-known open source IDS
- Available on multiple platforms including: UNIX, Linux, and Windows
- Three modes of operation:
  - Sniffer
  - Packet logger
  - Network intrusion-detection

SNORT MODES
Sniffer mode:
- Monitors all traffic coming and going on a computer
- Excellent way to check encryption
- Helps determine potential sources of problems
Packet logger mode:
- Similar to sniffer mode
- Packet contents are written to a text file
- Contents can be searched for specific items

SNORT MODES
Network intrusion-detection mode:
- Uses a heuristic approach
- Rules-based
- Command-line-based interface
- Need to know commands and what they do

NETWORK TRAFFIC ANALYSIS
- Involves monitoring traffic flows to detect potentially malicious activity
- Such monitors are often placed at the boundary of the enterprise network to the outside world
- Monitors can also be placed on internal network devices or near server endpoints
- Traffic analysis can involve misuse detection (signature detection) or anomaly detection
- As an example of misuse detection, a dramatic surge in traffic at any point likely indicates that a DDoS attack is underway
- For anomaly detection, network security software needs to collect and maintain profiles of typical network traffic patterns, and then monitor current traffic for significant deviation from normal behavior

PAYLOAD ANALYSIS
- Payload refers to the data encapsulated within packets that has meaning to endpoint applications
- Payload analysis is a real-time or near-real-time activity
- It involves looking for known malicious payloads or looking for payload patterns that are anomalous
- One useful technique for payload analysis is the use of a sandbox environment, which quarantines the payload until the analysis is done

UNDERSTANDING AND IMPLEMENTING HONEYPOTS
- A honeypot is a single machine set up to appear to be an important server
- All traffic to the machine is suspicious; no legitimate users should connect
- Honeypots can help track and catch attackers
- Honeypots can be configured to emulate many server services
- Extensions:
  - Honeynets
  - Honeytokens
  - Tarpits: slow down the response to attacks

INCIDENT MANAGEMENT
- Information security incident management consists of processes for detecting, reporting, assessing, responding to, dealing with, and learning from information security incidents
- Key elements of incident management include:
  - Data collection
  - Data aggregation
  - Data normalization
  - Correlation
  - Alerting
  - Reporting/Compliance

REVIEW QUESTIONS
- List four techniques used by firewalls to control access and enforce a security policy.
- What is a Perimeter Network (DMZ) network and what types of systems would you expect to find on such networks?
- What are the two main approaches to intrusion detection?
- Explain the difference between network traffic analysis, payload analysis, and endpoint behaviour analysis.
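Before the problem set, an added example in Python (not code from the lecture notes or from Snort) that puts the two approaches from the NIDS and network traffic analysis slides side by side: a misuse detector implementing the three signature types (string, port and header-condition), and a threshold monitor that learns a traffic-volume profile and flags intervals above a preset level, including the false-positive behaviour the anomaly detection slides warn about. The packets, regex signatures, port list and traffic counts are all constructed; the mean-plus-k-standard-deviations threshold is one simple way of presetting an acceptable level, chosen here only for illustration.

```python
"""Misuse (signature) detection beside anomaly (threshold) detection.

Added example: not code from the lecture notes or from Snort.  Packets,
signatures and traffic counts are all constructed for the demonstration.
"""
import re
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class TcpPacket:
    src: str
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flag names, e.g. {"SYN", "ACK"}
    payload: bytes = b""


# ---- misuse detection: the three NIDS signature types ----
# Constructed string signatures (regexes over the payload), not real Snort rules.
STRING_SIGNATURES = [
    ("shell-metachar-in-query", re.compile(rb"(?i)cmd=[^ ]*[;|`]")),
    ("directory-traversal", re.compile(rb"\.\./\.\./")),
]
# Constructed port signatures: connection attempts to frequently attacked ports.
PORT_SIGNATURES = {23: "telnet-connect-attempt", 445: "smb-connect-attempt"}


def header_condition(p: TcpPacket):
    """Header-condition signature: flag combinations a normal stack never sends."""
    if {"SYN", "FIN"} <= p.flags:
        return "syn-fin-combination"
    if not p.flags:
        return "null-flags"
    return None


def signature_alerts(p: TcpPacket) -> list:
    """Return the names of every signature the packet matches (empty = no alert)."""
    alerts = [name for name, rx in STRING_SIGNATURES if rx.search(p.payload)]
    # A port signature fires on the connection attempt itself (SYN without ACK).
    if p.dport in PORT_SIGNATURES and "SYN" in p.flags and "ACK" not in p.flags:
        alerts.append(PORT_SIGNATURES[p.dport])
    cond = header_condition(p)
    if cond:
        alerts.append(cond)
    return alerts


# ---- anomaly detection: threshold monitoring against a learned profile ----
class VolumeProfile:
    """Learns packets-per-interval from a training window and flags any
    interval above mean + k * standard deviation (the preset level)."""

    def __init__(self, k: float = 3.0):
        self.k = k
        self.mean = None
        self.stdev = None

    def train(self, counts):
        self.mean = statistics.mean(counts)
        self.stdev = statistics.pstdev(counts)

    def threshold(self) -> float:
        return self.mean + self.k * self.stdev

    def is_anomalous(self, count: int) -> bool:
        return count > self.threshold()


def run_signature_demo() -> list:
    packets = [  # constructed traffic
        TcpPacket("203.0.113.5", "10.1.0.10", 80, frozenset({"PSH", "ACK"}),
                  b"GET /index.html HTTP/1.1"),
        TcpPacket("203.0.113.5", "10.1.0.10", 80, frozenset({"PSH", "ACK"}),
                  b"GET /cgi-bin/x?cmd=ls;id HTTP/1.1"),
        TcpPacket("203.0.113.6", "10.1.0.11", 23, frozenset({"SYN"})),
        TcpPacket("203.0.113.6", "10.1.0.11", 22, frozenset({"SYN", "FIN"})),
    ]
    return [signature_alerts(p) for p in packets]


def run_anomaly_demo() -> list:
    # Constructed "normal" packets-per-second observed while building the profile.
    profile = VolumeProfile(k=3.0)
    profile.train([100, 120, 95, 110, 105, 115, 98, 102])
    # 118 sits inside the learned band; 140 is a modest burst that still trips the
    # preset level (a likely false positive); 900 is the surge a DDoS produces.
    return [profile.is_anomalous(c) for c in (118, 140, 900)]
```

The signature half never fires on the plain GET and reports exactly one named match per suspicious packet, which is what an analyzer needs to turn sensor data into an indication of an intrusion. The anomaly half shows the trade-off the threshold monitoring slide names: the learned level catches the surge, but a modest burst of 140 packets per second also exceeds it, so the operator has to tune k (or the training window) against the false-positive rate rather than treat the profile as a fixed truth.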
PROBLEMS
- A common management requirement is that “all external Web traffic must flow via the organization’s Web proxy.” However, that requirement is easier stated than implemented. Discuss the various problems and issues, possible solutions, and limitations supporting this requirement. In particular, consider issues such as identifying exactly what constitutes “Web traffic” and how it may be monitored, given the large range of ports and various protocols used by Web browsers and servers.

SUMMARY
- Explain the role of firewalls as part of a computer and network security strategy
- List the key characteristics of firewalls
- Understand the relative merits of various choices for firewall location and configurations
- Understand the basic principles of and requirements for intrusion detection
- Discuss the key features of intrusion detection systems
- Present an overview of the key elements of malware defense