Guide to Network Defense and Countermeasures, Chapter 9
Chapter 9 - Intrusion Detection: Preventative Measures
Explain the benefits of the Common Vulnerabilities and Exposures (CVE) standard
Understand why logging network traffic is an integral part of intrusion detection
Analyze intrusion signatures so that you can block unauthorized access to resources
Identify suspicious events when they are captured by an intrusion detection device
Develop filters so that you can take a proactive approach to intrusion detection
Common Vulnerabilities and Exposures (CVE)
CVE enables security devices (routers, firewalls, IDSs) to share information about attacks and other vulnerabilities so they can work together.
CVE enables hardware and security devices that support it to draw from the same databases of vulnerabilities, which are all presented in the same standard format.
If an IDS that supports CVE transmits an alarm message, the attack signature can be compared to the report of current vulnerabilities to see whether an attack has actually occurred.
Common Vulnerabilities and Exposures (CVE)
Scanning CVE vulnerability descriptions: CVE vulnerabilities can be viewed online and can even be downloaded.
The CVE list is not a vulnerabilities database that can be used with an IDS system; it is simply an informational tool. Its listings are brief, and it refers to listings in other databases.
A CVE entry contains the name of the vulnerability, a short description, and references to the same issue in other databases.
Logging and Intrusion Detection
Network security devices generate substantial amounts of log file information over time.
Analyzing log data manually becomes virtually impossible, so the task can be automated by installing log analysis software.
A shareware program called ZoneLog is designed to analyze the log file information compiled by the ZoneAlarm firewall; the data is color coded to help determine which entries are possible attacks.
Snort is an IDS program, common on UNIX/Linux, that creates log files organized by IP address.
Analyzing Intrusion Signatures
Signature analysis is the practice of assessing TCP/IP communications to determine whether they are legitimate or suspicious.
Suspicious packets fall into these categories:
Bad header information - packets that contain malformed header data, where IP or port data is affected; packet alteration commonly occurs here.
Suspicious data payload - packets may contain payload text that reveals hacker tactics and/or known attack information.
Analyzing Intrusion Signatures
Suspicious packets (cont.):
Single-packet attacks can be completed by sending a single network packet from client to host; no connection is required when one packet is sent like this. If IP Options settings are manipulated, a server can be forced to freeze or to provide data to a hacker.
Multiple-packet attacks require a series of packets to be received and executed in order for the attack to be completed; these attacks, also called composite attacks, are especially difficult to detect. DoS attacks are an example of a composite attack.
Analyzing Intrusion Signatures
Capturing packets is an effective way to become familiar with their contents.
Studying packets helps you better understand signatures, since the two are close in format.
The goal is to begin to identify features that tell you what type of connection is underway and whether the traffic is legitimate or suspicious.
Packet sniffers monitor network device traffic; they capture information about each detected packet.
Two examples of packet capture software: Ethereal for Windows and Linux, and the IDS program Snort.
Analyzing Intrusion Signatures
To recognize suspicious traffic signatures, first learn to recognize normal traffic signatures.
One of the easiest aspects of normal TCP signatures to identify is the use of TCP flags (SYN, ACK, PSH, URG, RST, FIN, and the numbers 1 and 2).
The placement and use of these flags is very definite and strictly defined; deviations from normal usage indicate that the communication is suspicious.
The SYN flag appears at the beginning of a connection and the FIN flag at the end; it is suspicious if both of these flags appear in the same packet.
Analyzing Intrusion Signatures
Normal traffic signatures (cont.):
Ping signatures reveal an extensive amount about the systems involved in ICMP echo requests; the type of computers involved (their OS) can be determined from the Time to Live, the IP length, the datagram length, and certain payload characters.
FTP signatures of a normal connection between a client and an FTP server include a three-way handshake; three separate packets contain different TCP flags that enable you to track the connection. In particular, if the MSS option is seen in an ACK or ACK/PSH packet, the packet could be falsified.
Analyzing Intrusion Signatures
Normal traffic signatures (cont.):
WWW signatures consist of packets that are sent back and forth between a Web browser and a Web server as a connection is made. The signature of a normal handshake between a Web browser and a Web server consists of a sequence of packets distinguished by their TCP flags: the first packet has the SYN flag set; the second packet has the ACK flag set; the ACK flag is exchanged to acknowledge that a connection has been made; the PSH flag is used along with the ACK flag to indicate that data is going to be pushed (sent) from a buffer.
Analyzing Intrusion Signatures
Categories of suspicious traffic signatures:
Informational - may not be malicious itself, but could be used to verify a successful attack.
Reconnaissance - may represent an attempt to gain information about a network as a prelude to attack.
Unauthorized access - may be caused by someone who has gained unauthorized access to the system and is attempting to retrieve data from it.
Denial of Service - may be part of an attempt to slow or halt all connections on a network device, such as a Web server or mail server.
Analyzing Intrusion Signatures
Suspicious traffic signatures (cont.):
Ping sweeps involve sending a series of ICMP Echo Request packets to a range of IP addresses; this is one method of determining the location of a host in order to gain network access. The ping sweep itself does not harm the network, but the source IP address should be noted so that further activity can be tracked.
Port scans are attempts to connect to a computer's ports to see if any are active and listening; hackers perform them once they've obtained the IP address. Port scans typically consist of a SYN packet sent to each port on an IP address, one after the other.
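The ping-sweep and port-scan patterns above can be pulled out of IDS log files by grouping events per source address. The following is an added example (not code from the book or from Snort): it runs over a constructed log excerpt in an assumed, simplified "timestamp proto src -> dst" format and flags a source that pings many hosts or sends bare SYNs to many ports on one host; the thresholds and the log format are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log (not real Snort output): "timestamp proto src[:port] -> dst[:port] [flags]".
SAMPLE_LOG = """\
10/02-14:01:01.000 ICMP 203.0.113.9 -> 192.0.2.1
10/02-14:01:01.050 ICMP 203.0.113.9 -> 192.0.2.2
10/02-14:01:01.100 ICMP 203.0.113.9 -> 192.0.2.3
10/02-14:01:01.150 ICMP 203.0.113.9 -> 192.0.2.4
10/02-14:01:02.000 ICMP 198.51.100.7 -> 192.0.2.10
10/02-14:02:00.000 TCP 203.0.113.9:40001 -> 192.0.2.2:21 SYN
10/02-14:02:00.010 TCP 203.0.113.9:40002 -> 192.0.2.2:22 SYN
10/02-14:02:00.020 TCP 203.0.113.9:40003 -> 192.0.2.2:23 SYN
10/02-14:02:00.030 TCP 203.0.113.9:40004 -> 192.0.2.2:25 SYN
10/02-14:02:00.040 TCP 203.0.113.9:40005 -> 192.0.2.2:80 SYN
10/02-14:02:00.050 TCP 203.0.113.9:40006 -> 192.0.2.2:31337 SYN
10/02-14:02:30.000 TCP 198.51.100.7:51000 -> 192.0.2.10:443 SYN
"""

LINE_RE = re.compile(
    r"^\S+ (?P<proto>ICMP|TCP|UDP) (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?(?: (?P<flags>[A-Z]+))?$")

TROJAN_PORTS = {31337}   # the Trojan port the chapter names (Back Orifice and others)

def detect_sweeps_and_scans(log_text, sweep_threshold=4, scan_threshold=5):
    """Many pinged hosts from one source -> ping sweep; many SYN'd ports on one host -> port scan."""
    icmp_targets = defaultdict(set)   # src -> hosts that received an echo request
    syn_ports = defaultdict(set)      # (src, dst) -> ports probed with a bare SYN
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                  # skip lines that do not fit the constructed format
        if m["proto"] == "ICMP":
            icmp_targets[m["src"]].add(m["dst"])
        elif m["proto"] == "TCP" and m["flags"] == "SYN":
            syn_ports[(m["src"], m["dst"])].add(int(m["dport"]))
    findings = []
    for src, hosts in icmp_targets.items():
        if len(hosts) >= sweep_threshold:
            findings.append(("ping sweep", src, len(hosts)))
    for (src, dst), ports in syn_ports.items():
        if len(ports) >= scan_threshold:
            kind = "port scan hitting Trojan port" if ports & TROJAN_PORTS else "port scan"
            findings.append((kind, src, dst, len(ports)))
    return findings
```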
Analyzing Intrusion Signatures
Suspicious traffic signatures (cont.):
Random back door scans involve finding an undocumented or unauthorized opening (such as a port) through which a computer, program, or other resource can be accessed.
One type of port scan probes a computer to see if any ports are open and listening that are used by well-known Trojan horses, which are programs that seem harmless but can cause harm to a computer or its files; each SYN packet sent attempts to contact a different port used by a Trojan horse.
Analyzing Intrusion Signatures
Suspicious traffic signatures (cont.):
Specific Trojan scans reflect the fact that port scans can be performed in several ways: in vanilla scans, all of the ports from 0 to 65,535 are probed in succession; in strobe scans, a hacker scans only the ports used by specific programs, to see whether such a program is present and can be utilized.
Port 31337 is used by the Back Orifice Trojan horse, as well as by the Trojans ADM worm, Back Fire, and BlitzNet.
Analyzing Intrusion Signatures
Suspicious traffic signatures (cont.):
Nmap is a popular tool for scanning networks; it enables hackers to send packets that circumvent the normal three-way handshake performed by two computers establishing a connection. An example of this type of scan is the FIN scan.
Nmap enables a hacker to send packets for which an IDS might not be configured to send an alarm, especially if there is no rule to trigger an alarm when a certain combination of TCP flags is seen.
Identifying Suspicious Events
Once an IDS transmits an alarm, you should look for suspicious characteristics and events.
Packet header discrepancies seen in TCP, IP, ICMP, or UDP headers can provide warnings.
Falsified IP address alarms could indicate that a network device has been misconfigured or is malfunctioning, or they could indicate IP spoofing.
A port number could be falsified if the source or destination port in a TCP or UDP header is set to 0; a protocol number could be falsified if it is set to 134 or greater.
Identifying Suspicious Events
Packet header discrepancies (cont.):
Illegal TCP flags are one of the most obvious ways to detect an abnormal packet signature.
Common misuses of the SYN and FIN flags: having both flags together in a packet; packets containing a FIN flag by itself; SYN-only packets containing data.
Another misuse of flags involves a null packet, which is a packet that has no flags set.
TCP or IP options present in packets can be attacks.
Fragmentation abuses can occur when a large number of fragmented packets are encountered.
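The header discrepancies listed on the last two slides (port 0, protocol number 134 or greater, SYN+FIN, lone FIN, SYN-only with data, null packet, and the Land attack mentioned in the summary) can be checked mechanically. This is an added example, not the book's code: the Packet class is an assumed minimal header view, and the sample packets are constructed.

```python
from dataclasses import dataclass
from typing import List

# TCP flag bits as laid out in the TCP header flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

@dataclass
class Packet:
    """Only the header fields the checks need; constructed, not a real packet parser."""
    src: str
    dst: str
    protocol: int          # IP protocol number: 6 = TCP, 17 = UDP, 1 = ICMP
    sport: int = 0
    dport: int = 0
    flags: int = 0         # TCP flags byte; ignored unless protocol == 6
    payload_len: int = 0

def header_discrepancies(p: Packet) -> List[str]:
    """Return the header problems the chapter lists, in a fixed order, for one packet."""
    issues = []
    if p.src == p.dst:
        issues.append("source and destination address identical (Land attack)")
    if p.protocol >= 134:
        issues.append("falsified protocol number")
    if p.protocol in (6, 17) and (p.sport == 0 or p.dport == 0):
        issues.append("port 0 in TCP/UDP header")
    if p.protocol == 6:
        if p.flags == 0:
            issues.append("null packet (no TCP flags)")
        if p.flags & SYN and p.flags & FIN:
            issues.append("SYN and FIN set together")
        if p.flags == FIN:
            issues.append("FIN flag by itself")
        if p.flags == SYN and p.payload_len > 0:
            issues.append("SYN-only packet carrying data")
    return issues

def flag_abnormal(packets):
    """Map packet index -> issues for every packet that has at least one."""
    return {i: header_discrepancies(p) for i, p in enumerate(packets) if header_discrepancies(p)}

# Constructed sample traffic: a normal SYN followed by five abnormal packets.
SAMPLE = [
    Packet("192.0.2.10", "198.51.100.5", 6, 40000, 80, SYN),
    Packet("192.0.2.10", "198.51.100.5", 6, 40001, 80, SYN | FIN),
    Packet("192.0.2.10", "198.51.100.5", 6, 40002, 80, 0),
    Packet("192.0.2.10", "198.51.100.5", 6, 0, 80, SYN, payload_len=120),
    Packet("192.0.2.10", "198.51.100.5", 200, 0, 0),
    Packet("198.51.100.5", "198.51.100.5", 6, 139, 139, SYN),
]
```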
Identifying Suspicious Events
Advanced IDS attacks involve those that are especially complex, such as:
Polymorphic buffer overflow attacks change their code so that they do not match the known signatures used by many IDS systems; once they reach their intended target, they reassemble into their original form.
Path obfuscation involves altering the directory path statement in a packet payload by adding forward slashes; this keeps signatures from matching.
CGI scripts - a series of packets is sent to a series of well-known Common Gateway Interface scripts.
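The defence against the path obfuscation described above is to canonicalize the path before comparing it to a signature, so that extra slashes no longer hide the watched path. This is an added example, not code from the book: the watched path and the obfuscated variants are constructed, and resolving '..' segments is an assumption that goes one step beyond the slash padding the slide describes.

```python
def canonicalize_path(path: str) -> str:
    """Reduce a URL path to one canonical form before signature comparison.
    Collapses the repeated '/' the chapter describes and '.' segments; as an
    assumption beyond the page it also resolves '..' segments, which serve the same purpose."""
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue                 # empty (from '//') and '.' segments add nothing
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)

def signature_hit(raw_path: str, signature: str) -> bool:
    """Compare canonical forms, so slash padding cannot keep the signature from matching."""
    return canonicalize_path(raw_path) == canonicalize_path(signature)

WATCHED = "/cgi-bin/test-cgi"      # constructed example of a path an IDS rule might watch for
OBFUSCATED = [                     # constructed variants of the same request path
    "/cgi-bin//test-cgi",
    "///cgi-bin/./test-cgi",
    "/cgi-bin/./././test-cgi",
    "/cgi-bin/tmp/../test-cgi",
]
```

A plain string comparison against WATCHED misses every entry in OBFUSCATED; the canonical comparison catches all of them.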
Identifying Suspicious Events
Remote Procedure Call (RPC) is a standard set of communication rules that allow one computer to request a service from another.
RPC-related events that should trigger alarms:
RPC dump - a target host receives an RPC dump request, which is a request to report the presence and port usage of any RPC services.
RPC set spoof - a target host receives an RPC set request from a source IP address of 127.x.x.x.
RPC NFS sweep - a target host receives a series of requests for the NFS program.
Developing IDS Filter Rules
Respond to IDS alarms by adjusting packet filtering rules and creating rules on the IDS.
Configure an IDS to take action (not just alert) as part of its rules when it detects suspicious packets.
Rule actions add another layer of network defense; the rule actions are alert, log, pass, activate (which alerts, but also creates a rule to cover subsequent logging), and dynamic (enables logging of subsequent packets when a particular packet is detected).
Rule data applies to the rule after a signature match occurs; it includes protocol, source and destination IP addresses, port numbers, and direction of traffic.
Developing IDS Filter Rules
Adjusting packet filtering rules (cont.):
Rule options allow rules to become quite granular; options follow the rule data in the rule specification.
Rule options cause specific actions: ttl matches on Time to Live; id matches on the fragment ID number; flags matches specific TCP flags; ack matches the ACK flag; content matches on a defined data payload string; logto causes data to be logged to a specified file name instead of the default log files.
The rule base for an IDS is different from the packet filter rule base and will help you analyze what traffic is getting through the filter.
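The two slides above describe a rule as rule data (action, protocol, addresses, ports, direction) followed by options. The following added example (not Snort's parser and not code from the book) parses that layout for a small subset of the options named on the slide (flags, ttl, content, plus msg) and matches rules against packet dictionaries; the packet dictionary layout and the two sample rules are assumptions constructed for the example.

```python
import ipaddress
import re
ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}   # the five rule actions the chapter lists
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
# Rule data: action proto src sport -> dst dport, then the options in parentheses.
HEADER_RE = re.compile(r"^(?P<action>\w+) (?P<proto>\w+) (?P<src>\S+) (?P<sport>\S+) -> "
                       r"(?P<dst>\S+) (?P<dport>\S+) \((?P<opts>.*)\)$")

def parse_rule(text):
    """Parse one Snort-style rule; options are 'key:value;' pairs (values containing ';' not handled)."""
    m = HEADER_RE.match(text.strip())
    if not m or m["action"] not in ACTIONS:
        raise ValueError("unsupported rule: %r" % text)
    rule = m.groupdict()
    opts = {}
    for item in rule.pop("opts").split(";"):
        if ":" in item:
            key, value = item.split(":", 1)
            opts[key.strip()] = value.strip().strip('"')
    rule["opts"] = opts
    return rule

def _addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule, pkt):
    """pkt keys: proto, src, sport, dst, dport, flags (int), ttl, payload (bytes)."""
    o = rule["opts"]
    if rule["proto"] != pkt["proto"]:
        return False
    if not (_addr_ok(rule["src"], pkt["src"]) and _addr_ok(rule["dst"], pkt["dst"])):
        return False
    for spec, port in ((rule["sport"], pkt["sport"]), (rule["dport"], pkt["dport"])):
        if spec != "any" and int(spec) != port:
            return False
    if "flags" in o and pkt["flags"] != sum(FLAG_BITS[c] for c in o["flags"]):
        return False          # exact flag set: flags:SF means SYN and FIN and nothing else
    if "ttl" in o and pkt["ttl"] != int(o["ttl"]):
        return False
    if "content" in o and o["content"].encode() not in pkt["payload"]:
        return False
    return True

RULES = [parse_rule(r) for r in (   # constructed rules, not taken from any rule distribution
    'alert tcp any any -> 192.0.2.0/24 any (msg:"SYN and FIN set together"; flags:SF;)',
    'alert tcp any any -> 192.0.2.0/24 80 (msg:"request for watched CGI path"; content:"/cgi-bin/";)',
)]

def matching_messages(pkt):
    return [r["opts"]["msg"] for r in RULES if rule_matches(r, pkt)]
```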
Chapter Summary
This chapter discussed how to prevent intrusions by understanding how to interpret the signatures of both normal and abnormal network traffic. By being able to recognize the characteristics of a possible intrusion, you gain the ability to read log files and alert messages and react to them effectively. You can adjust filter rules to reduce the number of false alarms you receive from your IDS. More importantly, you are able to prevent intrusions before they occur or keep intrusions that are already underway from causing excessive damage.

It is important to have your network security hardware and software work cooperatively by being able to share information. A standard called the Common Vulnerabilities and Exposures (CVE) enables IDS systems, firewalls, and other devices to share attack signatures and information about network vulnerabilities so they can better protect a network. A list of current vulnerabilities is maintained as an online database by MITRE, and you can use the list to update your own CVE database and learn about new attacks.

Examination and analysis of the log files compiled by your IDS and other devices can help tell you whether remote computers are scanning your network as a prelude to an attack. However, reviewing the log files manually can be tedious and time consuming. A log file analysis program automates the process and helps you identify which external hosts have been attempting to gain unauthorized access. The log files can also reveal patterns of access attempts that may represent intrusion attempts.

The analysis of intrusion signatures is an integral aspect of intrusion prevention. A signature is a set of characteristics such as IP address, port numbers, TCP flags, and options. Normal traffic makes valid use of such settings. Note that possible intrusions are marked by invalid settings that devices are sometimes unable to interpret and that are therefore allowed to pass through to the internal network. Those invalid settings include bad header information, suspicious contents in the payload of packets, IP options settings, and a succession of packets such as a Denial of Service attempt.

You can set up the freeware IDS Snort as a packet sniffer so that you can capture packets and study their contents. Parts of a packet header indicate whether a Windows or Linux system is being used. The TCP flags are used in sequence to create a normal three-way handshake between two computers. By learning how normal traffic signatures look, you are able to identify suspicious signatures. Monitor suspicious events such as ping sweeps, port scans, random back door scans, and scans for specific Trojan horse programs. The characteristics of packets crafted with the popular network mapping tool Nmap were also discussed.

You can identify a variety of other suspicious network events. These include orphaned packets, Land attacks, LocalHost Source Spoofs, falsified protocol numbers, and illegal combinations of TCP flags.

Advanced IDS attacks are especially difficult to detect. Certain complex attacks called polymorphic buffer overflow attacks can be altered so they don't match a known intrusion signature and elude the IDS. Others use confusing path names or other keywords in the data payload. Still others attempt to connect with and abuse common CGI scripts that may be present, or remote procedure calls that also enable remote users to access services.

IDS devices can have their own set of filter rules, like packet filtering routers and firewalls. You can configure a set of rules to send alert messages if ICMP packets or other suspicious packets pass through a packet filter on the perimeter of the network and reach the IDS. Such rules can also be configured to log events or a range of subsequent packets. Rule options such as messages that can be associated with suspicious events can greatly assist you in interpreting log files and determining how to react to attack attempts.