firewalls and ids 1 firewalls and intrusion detection systems
Post on 15-Jan-2016
234 views
TRANSCRIPT
Firewalls and IDS 1
Firewallsand
Intrusion Detection Systems
Firewalls and IDS 2
Firewalls
Firewalls and IDS 3
Firewalls
Firewall must determine what to let in to internal network and/or what to let out
Access control for the network
InternetInternalnetworkFirewall
Firewalls and IDS 4
Firewall as Secretary A firewall is like a secretary To meet with an executive
o First contact the secretaryo Secretary decides if meeting is reasonableo Secretary filters out many requests
You want to meet chair of CS department?o Secretary does some filtering
You want to meet President of US?o Secretary does lots of filtering!
Firewalls and IDS 5
Firewall Terminology No standard terminology Types of firewalls
o Packet filter works at network layero Stateful packet filter transport
layero Application proxy application layero Personal firewall for single user,
home network, etc.
Firewalls and IDS 6
Packet Filter Operates at network layer Can filters based on
o Source IP addresso Destination IP addresso Source Porto Destination Porto Flag bits (SYN, ACK, etc.)o Egress or ingress
application
transport
network
link
physical
Firewalls and IDS 7
Packet Filter Advantage
o Speed Disadvantages
o No stateo Cannot see TCP connectionso Blind to application data
application
transport
network
link
physical
Firewalls and IDS 8
Packet Filter Configured via Access Control Lists (ACLs)
o Different meaning of ACL than previously
Allow Inside Outside Any 80 HTTP
Allow Outside Inside 80 > 1023 HTTP
Deny All All All All All
Action
Source IP
Dest IP
Source
Port
Dest Port Protoco
l
Intention is to restrict incoming packets to Web responses
Any
ACK
All
FlagBits
Firewalls and IDS 9
TCP ACK Scan Attacker sends packet with ACK bit set,
without prior 3-way handshake Violates TCP/IP protocol ACK packet pass thru packet filter
firewallo Appears to be part of an ongoing connection
RST sent by recipient of such packet Attacker scans for open ports thru
firewall
Firewalls and IDS 10
TCP ACK Scan
PacketFilter
Trudy InternalNetwork
ACK dest port 1207
ACK dest port 1208
ACK dest port 1209
RST
Attacker knows port 1209 open thru firewall A stateful packet filter can prevent this (next)
o Since ACK scans not part of established connections
Firewalls and IDS 11
Stateful Packet Filter
Adds state to packet filter Operates at transport layer Remembers TCP
connections and flag bits Can even remember UDP
packets (e.g., DNS requests)
application
transport
network
link
physical
Firewalls and IDS 12
Stateful Packet Filter Advantages
o Can do everything a packet filter can do plus...
o Keep track of ongoing connections
Disadvantageso Cannot see application datao Slower than packet filtering
application
transport
network
link
physical
Firewalls and IDS 13
Application Proxy A proxy is something
that acts on your behalf Application proxy looks at
incoming application data Verifies that data is safe
before letting it in
application
transport
network
link
physical
Firewalls and IDS 14
Application Proxy Advantages
o Complete view of connections and applications data
o Filter bad data at application layer (viruses, Word macros)
Disadvantageo Speed
application
transport
network
link
physical
Firewalls and IDS 15
Application Proxy Creates a new packet before sending it
thru to internal network Attacker must talk to proxy and
convince it to forward message Proxy has complete view of connection Prevents some attacks stateful packet
filter cannot see next slides
Firewalls and IDS 16
Firewalk Tool to scan for open ports thru firewall Known: IP address of firewall and IP
address of one system inside firewallo TTL set to 1 more than number of hops to
firewall and set destination port to No If firewall does not let thru data on port N,
no responseo If firewall allows data on port N thru firewall,
get time exceeded error message
Firewalls and IDS 17
Firewalk and Proxy Firewall
Dest port 12345, TTL=4
Dest port 12344, TTL=4
Dest port 12343, TTL=4
Time exceeded
Trudy
Packetfilter
Router
This will not work thru an application proxy The proxy creates a new packet, destroys old TTL
RouterRouter
Firewalls and IDS 18
Personal Firewall To protect one user or home
network Can use any of the methods
o Packet filtero Stateful packet filtero Application proxy
Firewalls and IDS 19
Firewalls and Defense in Depth
Example security architecture
Internet
Intranet withPersonalFirewalls
PacketFilter
ApplicationProxy
DMZ
FTP server
DNS server
WWW server
Firewalls and IDS 20
Intrusion Detection Systems
Firewalls and IDS 21
Intrusion Prevention
Want to keep bad guys out Intrusion prevention is a traditional
focus of computer securityo Authentication is to prevent intrusionso Firewalls a form of intrusion preventiono Virus defenses also intrusion prevention
Comparable to locking the door on your car
Firewalls and IDS 22
Intrusion Detection In spite of intrusion prevention, bad
guys will sometime get into system Intrusion detection systems (IDS)
o Detect attackso Look for “unusual” activity
IDS developed out of log file analysis IDS is currently a very hot research
topic How to respond when intrusion
detected?o We don’t deal with this topic here
Firewalls and IDS 23
Intrusion Detection Systems
Who is likely intruder?o May be outsider who got thru firewallo May be evil insider
What do intruders do?o Launch well-known attackso Launch variations on well-known attackso Launch new or little-known attackso Use a system to attack other systemso Etc.
Firewalls and IDS 24
IDS Intrusion detection approaches
o Signature-based IDSo Anomaly-based IDS
Intrusion detection architectureso Host-based IDSo Network-based IDS
Most systems can be classified as aboveo In spite of marketing claims to the contrary
Firewalls and IDS 25
Host-based IDS Monitor activities on hosts for
o Known attacks oro Suspicious behavior
Designed to detect attacks such aso Buffer overflowo Escalation of privilege
Little or no view of network activities
Firewalls and IDS 26
Network-based IDS Monitor activity on the network for
o Known attackso Suspicious network activity
Designed to detect attacks such aso Denial of serviceo Network probeso Malformed packets, etc.
Can be some overlap with firewall Little or no view of host-base attacks Can have both host and network IDS
Firewalls and IDS 27
Signature Detection Example
Failed login attempts may indicate password cracking attack
IDS could use the rule “N failed login attempts in M seconds” as signature
If N or more failed login attempts in M seconds, IDS warns of attack
Note that the warning is specifico Admin knows what attack is suspectedo Admin can verify attack (or false alarm)
Firewalls and IDS 28
Signature Detection Suppose IDS warns whenever N or more
failed logins in M seconds Must set N and M so that false alarms
not too common Can do this based on normal behavior But if attacker knows the signature, he
can try N1 logins every M seconds In this case, signature detection slows
the attacker, but might not stop him
Firewalls and IDS 29
Signature Detection
Many techniques used to make signature detection more robust
Goal is usually to detect “almost signatures”
For example, if “about” N login attempts in “about” M secondso Warn of possible password cracking attempto What are reasonable values for “about”?o Can use statistical analysis, heuristics, etc.o Must take care not to increase false alarm
rate
Firewalls and IDS 30
Signature Detection Advantages of signature detection
o Simpleo Detect known attackso Know which attack at time of detectiono Efficient (if reasonable number of
signatures) Disadvantages of signature detection
o Signature files must be kept up to dateo Number of signatures may become largeo Can only detect known attackso Variation on known attack may not be
detected
Firewalls and IDS 31
Anomaly Detection Anomaly detection systems look for
unusual or abnormal behavior There are (at least) two challenges
o What is normal for this system?o How “far” from normal is abnormal?
Statistics obviously required hereo The mean defines normalo The variance indicates how far abnormal
lives from normal
Firewalls and IDS 32
What is Normal? Consider the scatterplot below
x
y
White dot is “normal”
Is red dot normal? Is green dot
normal? How abnormal is
the blue dot? Stats can be subtle
Firewalls and IDS 33
How to Measure Normal?
How to measure normal?o Must measure during “representative”
behavioro Must not measure during an attack…o …or else attack will seem normalo Normal is statistical meano Must also know variance to have any
reasonable chance of success
Firewalls and IDS 34
How to Measure Abnormal?
Abnormal is relative to some “normal”o Abnormal indicates possible attack
Statistical discrimination techniques: o Bayesian statisticso Linear discriminant analysis (LDA)o Quadratic discriminant analysis (QDA)o Neural nets, hidden Markov models, etc.
Fancy modeling techniques also usedo Artificial intelligenceo Artificial immune system principleso Many many others
Firewalls and IDS 35
Anomaly Detection (1) Spse we monitor use of three commands:
open, read, close Under normal use we observe Alice:
open,read,close,open,open,read,close,… Of the six possible ordered pairs, four
pairs are “normal” for Alice:(open,read), (read,close), (close,open), (open,open)
Can we use this to identify unusual activity?
Firewalls and IDS 36
Anomaly Detection (1)
We monitor use of the three commands open, read, close
If the ratio of abnormal to normal pairs is “too high”, warn of possible attack
Could improve this approach by o Also using expected frequency of each pairo Use more than two consecutive commandso Include more commands/behavior in the
modelo More sophisticated statistical discrimination
Firewalls and IDS 37
Anomaly Detection (2) Over time, Alice
has accessed file Fn at rate Hn
H0 H1 H2 H3
.10 .40 .40 .10
Is this “normal” use? We compute S = (H0A0)2+(H1A1)2+…+(H3A3)2 = .02 And consider S < 0.1 to be normal, so this is normal Problem: How to account for use that varies over
time?
Recently, Alice has accessed file Fn at rate An
A0 A1 A2 A3
.10 .40 .30 .20
Firewalls and IDS 38
Anomaly Detection (2) To allow “normal” to adapt to new use, we
update long-term averages asHn = 0.2An + 0.8Hn
Then H0 and H1 are unchanged, H2=.2.3+.8.4=.38 and H3=.2.2+.8.1=.12
And the long term averages are updated as
H0 H1 H2 H3
.10 .40 .38 .12
Firewalls and IDS 39
Anomaly Detection (2) The updated long
term average is
H0 H1 H2 H3
.10 .40 .38 .12
Is this normal use? Compute S = (H0A0)2+…+(H3A3)2 = .0488 Since S = .0488 < 0.1 we consider this
normal And we again update the long term
averages by Hn = 0.2An + 0.8Hn
New observed rates are…
A0 A1 A2 A3
.10 .30 .30 .30
Firewalls and IDS 40
Anomaly Detection (2) The starting
averages were
H0 H1 H2 H3
.10 .40 .40 .10
The stats slowly evolve to match behavior This reduces false alarms and work for admin But also opens an avenue for attack… Suppose Trudy always wants to access F3 She can convince IDS this is normal for Alice!
After 2 iterations, the averages are
H0 H1 H2 H3
.10 .38.364
.156
Firewalls and IDS 41
Anomaly Detection (2) To make this approach more robust, must
also incorporate the variance Can also combine N stats as, for example,
T = (S1 + S2 + S3 + … + SN) / Nto obtain a more complete view of “normal”
Similar (but more sophisticated) approach is used in IDS known as NIDES
NIDES includes anomaly and signature IDS
Firewalls and IDS 42
Anomaly Detection Issues System constantly evolves, so must IDS
o Static system would place huge burden on admin o But evolving IDS makes it possible for attacker to
(slowly) convince IDS that an attack is normal!o Attacker may win simply by “going slow”
What does “abnormal” really mean?o Only that there is possibly an attacko May not say anything specific about “attack”o How to respond to such vague information?
Signature detection tells exactly which attack
Firewalls and IDS 43
Anomaly Detection Advantages
o Chance of detecting unknown attackso May be more efficient (no signatures)
Disadvantageso Must be used with signature detectiono Reliability is unclearo May be subject to “go slow” attacko Anomaly implies unusual activityo Lack of specific info on possible attack
Firewalls and IDS 44
Anomaly Detection: The Bottom Line
Anomaly-based IDS is active research topic Many have high hopes for its ultimate
success Often cited as key future security technology Hackers are not convinced…
o Title of a talk at Defcon 11: “Why Anomaly-based IDS is an Attacker’s Best Friend”
Anomaly detection is difficult and tricky Is anomaly detection as hard as AI?