PERIMETER SECURITY Dr. Andy Wu BCIS 4630 Fundamentals of IT Security

Post on 22-Dec-2015

Overview

• Intrusion detection systems (IDSes)
  – Host-based vs. network-based
• Firewalls
  – Three major types of firewalls
    • Packet filter
    • Stateful inspection
    • NAT
  – Demilitarized Zones (DMZs)

Intrusion Detection

• An intrusion is any use or attempted use of a system that exceeds authentication limits.
• Intrusions are similar to incidents.
  – An incident does not necessarily involve an active system or network device; an intrusion does.
• An intrusion detection system (IDS) is software/hardware that monitors activity on the system or network.
  – And delivers an alert if it notices suspicious activity.

IDS Architecture (diagram)

Snort Configuration

• The behavior of Snort is controlled by a configuration file (given with the -c command-line switch) that is loaded when Snort is started. In this file, we can define:
  – What constitutes the external network (the EXTERNAL_NET variable)
  – What is considered the internal network (the HOME_NET variable)
  – Where to find rules files if Snort is instructed to use them (the RULE_PATH variable)

Snort Rules

• alert tcp any any -> 10.1.99.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)
  – alert specifies the action to take
  – tcp specifies the protocol
  – any any specifies the source network and port
  – 10.1.99.0/24 specifies the destination network
  – 111 specifies the destination port
  – content specifies a value that must appear in the payload (bytes between | | are given in hex)
  – msg specifies the message to send

Snort Rules

• If a packet
  – comes from a network as defined by the EXTERNAL_NET variable, regardless of the source port (any),
  – goes to a host in the “home” network as defined by the HOME_NET variable, regardless of the destination port (any),
  – and the F, P, and U bits are on (the ,12 modifier means the match succeeds regardless of what is in the 2 reserved bits),
• then raise an alert with the message “Xmas Scan”.
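The two rule slides above can be exercised with the following added Python example. It is not code from the slides or from Snort itself, but a small matcher that applies the same rule-header and option semantics (content with |..| hex bytes, flags:FPU,12, $VARIABLE networks) to constructed packets. The Xmas Scan rule text is reconstructed from the slide's description, since the slide shows the rule only as an image; the HOME_NET/EXTERNAL_NET values and all packets are assumed sample data.

```python
import ipaddress
import re

# Constructed stand-ins for the snort.conf variables described on the slides.
VARS = {"HOME_NET": "10.1.99.0/24", "EXTERNAL_NET": "!10.1.99.0/24"}

# TCP flag letters as Snort names them; "1" and "2" are the two reserved bits.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "1": 0x40, "2": 0x80}


def _net_matches(spec, ip):
    """'any', a CIDR, or a $VARIABLE; a leading '!' negates the match."""
    spec = VARS.get(spec.lstrip("$"), spec)
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    hit = spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate


def _port_matches(spec, port):
    return spec == "any" or int(spec) == port


def parse_content(value):
    """Snort content strings: text, with |xx xx| sections giving raw hex bytes."""
    out = bytearray()
    for part in re.split(r"(\|[0-9a-fA-F ]*\|)", value):
        if part.startswith("|"):
            out += bytes.fromhex(part.strip("|").replace(" ", ""))
        else:
            out += part.encode()
    return bytes(out)


def _flags_match(spec, pkt_flags):
    """flags:FPU,12 -> exactly F, P and U set, with reserved bits 1 and 2 ignored."""
    want, _, ignore = spec.partition(",")
    required = sum(FLAG_BITS[c] for c in want)
    mask = sum(FLAG_BITS[c] for c in ignore)
    return ((pkt_flags & ~mask) & 0xFF) == required


def parse_rule(text):
    """Split 'action proto src sport -> dst dport (opt:val; ...)' into a dict.
    Option values are assumed not to contain ';' (true for the rules used here)."""
    head, opts = text.split("(", 1)
    action, proto, src, sport, _arrow, dst, dport = head.split()
    options = {}
    for opt in opts.rstrip(")").split(";"):
        if ":" in opt:
            key, val = opt.split(":", 1)
            options[key.strip()] = val.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "opts": options}


def rule_matches(rule, packet):
    if rule["proto"] != packet["proto"]:
        return False
    if not (_net_matches(rule["src"], packet["src"]) and _port_matches(rule["sport"], packet["sport"])):
        return False
    if not (_net_matches(rule["dst"], packet["dst"]) and _port_matches(rule["dport"], packet["dport"])):
        return False
    opts = rule["opts"]
    if "content" in opts and parse_content(opts["content"]) not in packet["payload"]:
        return False
    if "flags" in opts and not _flags_match(opts["flags"], packet["flags"]):
        return False
    return True


def run(rules, packets):
    """Return the msg of every alert rule that fires, in packet order."""
    return [r["opts"].get("msg", "") for p in packets for r in rules
            if r["action"] == "alert" and rule_matches(r, p)]


RULES = [parse_rule(t) for t in (
    'alert tcp any any -> 10.1.99.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)',
    # Reconstructed from the slide's description; the slide shows this rule only as an image.
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (flags:FPU,12; msg:"Xmas Scan";)',
)]


def make_pkt(src, sport, dst, dport, flags, payload=b""):
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst,
            "dport": dport, "flags": flags, "payload": payload}


# Constructed packets (documentation address ranges), not captured traffic.
PACKETS = [
    make_pkt("192.0.2.7", 40001, "10.1.99.5", 111, 0x18, b"\x00\x00\x00\x00\x00\x01\x86\xa5"),  # RPC program 100005 (mountd)
    make_pkt("192.0.2.8", 40002, "10.1.99.9", 22, 0x29),          # FIN|PSH|URG from outside
    make_pkt("192.0.2.8", 40002, "10.1.99.9", 22, 0x29 | 0x40),   # same, reserved bit 1 also set
    make_pkt("10.1.99.3", 5555, "10.1.99.9", 22, 0x29),           # FPU but from HOME_NET, so not EXTERNAL_NET
    make_pkt("192.0.2.9", 1234, "10.1.99.5", 80, 0x02, b"GET / HTTP/1.0"),  # ordinary SYN
]

if __name__ == "__main__":
    for msg in run(RULES, PACKETS):
        print("ALERT:", msg)
```

Running the block prints one mountd alert and two Xmas Scan alerts: the third packet fires even though a reserved bit is set, which is exactly what the ,12 modifier buys, and the fourth does not because its source is inside HOME_NET.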

False Responses

• There is no way for an IDS to know the true intent behind an activity and determine whether it is benign or hostile.
  – Thus, the IDS can react only as it has been programmed.
• False positive – An IDS matches a pattern and generates an alarm for benign traffic.
• False negative – Hostile activity does not match an IDS signature and, therefore, goes undetected.

                      Intrusion Occurred    Intrusion Not Occurred
IDS Alerts            OK                    False Positive
IDS Does not Alert    False Negative        OK

Main Categories of IDSs

• Host-Based IDS (HIDS)
  – Concerned only with activity on an individual system and usually has no visibility into the activity on the network or systems around it.
• Network-Based IDS (NIDS)
  – Has visibility only into the traffic crossing the network link it is monitoring and typically has no idea of what is happening on individual systems.

Host-Based IDS

• Examines log files, audit trails, and network traffic coming in to or leaving a specific host.
  – Operates in real time, looking for activity as it occurs.
  – Or operates in batch mode, looking for activity on a periodic basis.
• They may be self-contained, but many of the newer commercial products have been designed to report to and be managed by a central system.
• Host-based systems use local system resources to operate.

HIDS Focus - Log Files

• A HIDS searches the log files or audit trails from the local OS for hostile actions or misuse activities, e.g.,
  – Logins at odd hours
  – Login authentication failures
  – Adding new user accounts
  – Modification or access of critical system files
  – Modification or removal of binary files (executables)
  – Starting or stopping processes
  – Privilege escalation
  – Using certain programs
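As an added example (not part of the slides or of any HIDS product), the following Python scan implements four of the checks listed above over constructed auth-log lines: logins outside normal hours, repeated authentication failures, new account creation, and escalation to root via sudo. The "normal hours" window, the failure threshold and the log line format are assumptions, not values from the lecture.

```python
import re
from collections import Counter

# Constructed sample lines in the style of a Linux auth log; not real data.
SAMPLE_LOG = """\
Mar 14 02:13:44 host1 sshd[2210]: Accepted password for alice from 192.0.2.10 port 50122 ssh2
Mar 14 09:02:01 host1 sshd[2290]: Accepted publickey for bob from 192.0.2.11 port 50130 ssh2
Mar 14 09:05:12 host1 sshd[2301]: Failed password for root from 198.51.100.7 port 41000 ssh2
Mar 14 09:05:14 host1 sshd[2301]: Failed password for root from 198.51.100.7 port 41000 ssh2
Mar 14 09:05:17 host1 sshd[2301]: Failed password for root from 198.51.100.7 port 41000 ssh2
Mar 14 09:07:30 host1 useradd[2350]: new user: name=svc_backup, UID=1007, GID=1007, home=/home/svc_backup, shell=/bin/bash
Mar 14 09:08:02 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar 14 23:40:09 host1 sshd[2410]: Accepted password for carol from 192.0.2.12 port 50200 ssh2
"""

# Constructed policy values: the site's "normal" hours and how many failures count as misuse.
NORMAL_HOURS = range(7, 19)
FAILURE_THRESHOLD = 3

LOGIN_RE = re.compile(r"^\w{3} +\d+ (\d{2}):\d{2}:\d{2} \S+ sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")
FAIL_RE = re.compile(r"sshd\[\d+\]: Failed password for (\S+) from (\S+)")
USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=([^,]+)")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*USER=root ; COMMAND=(\S+)")


def scan_auth_log(text):
    """Return (category, subject, detail) tuples, one per detection, in log order."""
    alerts = []
    failures = Counter()
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m and int(m.group(1)) not in NORMAL_HOURS:
            alerts.append(("odd_hour_login", m.group(2), m.group(3)))
        m = FAIL_RE.search(line)
        if m:
            key = (m.group(1), m.group(2))      # (target account, source address)
            failures[key] += 1
            if failures[key] == FAILURE_THRESHOLD:   # alert once, when the threshold is reached
                alerts.append(("auth_failures",) + key)
        m = USERADD_RE.search(line)
        if m:
            alerts.append(("new_account", m.group(1), ""))
        m = SUDO_RE.search(line)
        if m:
            alerts.append(("privilege_escalation", m.group(1), m.group(2)))
    return alerts


if __name__ == "__main__":
    for category, subject, detail in scan_auth_log(SAMPLE_LOG):
        print(f"{category:22} {subject:12} {detail}")
```

Note that the failure check alerts once per (account, source) pair when the count reaches the threshold rather than on every subsequent failure; that is the kind of choice that decides how noisy a HIDS is, and it is why the slide on HIDS pros and cons lists reduced alarm volume as something host-based tools can offer.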

HIDS Pros and Cons

• The advantages of host-based IDSs include:
  – Operating system-specific and more detailed.
  – Reduced false positive rates.
  – Examination of data after decryption.
  – Application specific.
  – Can determine an alarm’s impact on the protected system.
    • Reduces the number of alarms generated.
• Before deployment, weigh the disadvantages of this technology:
  – One HIDS per system watched.
  – High cost of ownership and maintenance.
  – Uses local system resources.
  – Focused view; cannot relate to activity around it.
  – A locally logged IDS may be compromised or disabled.

Network-Based IDS

• A network IDS (NIDS) examines network traffic as it passes by.
  – Bits and bytes traveling through cables interconnecting the systems.
  – It must be able to analyze traffic by protocol, type, amount, source, destination, content, and traffic already seen.
  – The analysis must happen quickly.
• The IDS must be able to handle traffic at whatever speed the network operates to be effective.

NIDS Focus – Network Traffic

• An NIDS analyzes traffic patterns to detect activities that represent hostile actions or misuse.
  – Denial-of-Service attacks
  – Port scans or sweeps
  – Malicious content in the data payload of a packet or packets
  – Vulnerability scanning
  – Trojans, viruses, or worms
  – Tunneling
  – Brute-force attacks

NIDS Pros and Cons

• NIDS advantages
  – Takes fewer systems to provide IDS coverage.
  – Lower deployment, maintenance, and upgrade costs.
  – Has visibility into all network traffic and can correlate attacks among multiple systems.
• NIDS disadvantages
  – Ineffective when traffic is encrypted.
  – Cannot see traffic that does not cross it.
  – Must be able to handle high volumes of traffic.
  – It does not know about activity on the hosts themselves.

Misuse (Signature) Detection Model

• The IDS looks for suspicious activity or activity that violates specific policies and then reacts as it has been programmed.
  – This is the more efficient model.
    • Does not need to learn what “normal” behavior is.
    • Generates an alarm whenever a pattern is successfully matched.
  – The greatest weakness of a misuse model is its reliance on a predefined signature base.
    • Any activity that the misuse-based IDS does not have a signature for will go undetected.

Anomaly Detection Model

• The intrusion detection system must know what “normal” behavior on the host or network being protected really is.
  – Once the “normal” behavior baseline is established, the IDS can then identify deviations from the norm, which are further scrutinized to determine if that activity is malicious.
• Building the profile of normal activity is usually done by the IDS.
  – This is done with some input from security administrators, and can take days or months.

Anomaly Detection Model

• The IDS must be flexible enough to account for things such as new systems, new users, and movement of information resources, while being sensitive enough to detect abnormal traffic.
• An anomaly-based system is not restricted to a specific signature set and is far more likely to identify a new exploit or attack tool that would go unnoticed by a traditional IDS.
• Most anomaly-based systems suffer from high false positives, especially during the “break-in” period while they are learning the network.

Firewalls

• A device that filters traffic between a protected or “inside” network and a less trustworthy or “outside” network.
• Can be implemented as hardware or software.
• Usually runs on a dedicated device because performance is critical.
• It works based on a series of rules that define what traffic is permissible and what traffic is to be blocked or denied (for both directions).

Packet Filtering Firewalls

• Use lines of text called “rules” that define what packets should be allowed or denied, e.g.,
  – Any packets coming from the 172.19.0.0 network should be denied.
  – No ICMP traffic should be allowed.
  – All traffic through Port 80 should be allowed.
• The filtering is based on Layer 3 information.
• Make decisions based on IP header information only.
• Do not keep track of the state of a connection.

Firewall Rulebases

• The rulebase provides the definition of what traffic is allowable and what is not.
• Most firewalls have good user interfaces to support rule definition.
• The general syntax is similar to:

<action> <protocol> from <source_address> <source_port> to <destination_address> <destination_port>

• Some firewalls have advanced functionality to supplement the basic fields above.

Cisco PIX Firewall Rule

• access-list <acl_name> {deny | permit} <protocol> [host] <src_address> <src_add_mask> [<operator> <port>] [host] <dest_addr> <dest_add_mask> [<operator> <port>]
• ACL Name: Can be a word or a number
• Address and Mask: “any” means any host
• [host]: Used to specify a single host to control
• Operator and Port: Specify a port or port range and are used with TCP or UDP. Port can be a number or a name.

Cisco Firewall Rules

• line 1 permit tcp any host 129.120.16.221 eq www
  – line 1 is the line number in the rule set
  – permit is the action to take
  – tcp is the transport-layer protocol the packet uses
  – any is the source IP address
  – host 129.120.16.221 is the particular destination host
  – eq www is the destination port, given by name (www is port 80)
• Allows TCP packets coming from any host and any port to Port 80 on the host 129.120.16.221.

Cisco Firewall Rules

• line 4 permit ip 129.120.18.0 255.255.254.0 host 129.120.16.221
  – line 4 is the line number in the rule set
  – permit is the action to take
  – ip is the network-layer protocol the packet uses
  – 129.120.18.0 255.255.254.0 are the source IP address and subnet mask
  – host 129.120.16.221 is the particular destination host
• Allows IP packets from any host in the 129.120.18.0 network (mask 255.255.254.0) to get to the host 129.120.16.221.
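To show how the rule syntax on the Firewall Rulebases and Cisco PIX slides is actually applied, here is an added Python example (not the slides' material, nor Cisco code). It parses entries in the access-list syntax shown above, evaluates packets with first-match-wins semantics and the implicit deny at the end of an ACL, and uses a constructed rule set that combines the three packet-filtering examples with the two lines explained on the last two slides (the line numbers in the constructed set differ from the slides' numbering). Only the eq operator and a handful of service names are supported; the packets are assumed sample traffic.

```python
import ipaddress

# Subset of the service names the PIX accepts in place of a port number.
PORT_NAMES = {"www": 80, "ftp": 21, "ssh": 22, "smtp": 25, "domain": 53}


def _take_addr(tokens):
    """Consume 'any', 'host A', or 'A MASK' (PIX masks are ordinary subnet masks)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def _take_port(tokens):
    """Consume an optional 'eq <port>'; other operators (gt, lt, range) are omitted here."""
    if tokens and tokens[0] == "eq":
        p = tokens[1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), tokens[2:]
    return None, tokens


def parse_ace(line):
    """Parse one access-list entry into its action, protocol, addresses and ports."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not an access-list entry: " + line)
    name, action, proto = t[1], t[2], t[3]
    src, rest = _take_addr(t[4:])
    sport, rest = _take_port(rest)
    dst, rest = _take_addr(rest)
    dport, rest = _take_port(rest)
    return {"name": name, "action": action, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def evaluate(acl, pkt):
    """First matching entry wins; return (action, line number). No match -> implicit deny."""
    for n, ace in enumerate(acl, start=1):
        if ace["proto"] not in ("ip", pkt["proto"]):    # 'ip' covers every protocol
            continue
        if ipaddress.ip_address(pkt["src"]) not in ace["src"]:
            continue
        if ipaddress.ip_address(pkt["dst"]) not in ace["dst"]:
            continue
        if ace["sport"] is not None and ace["sport"] != pkt.get("sport"):
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.get("dport"):
            continue
        return ace["action"], n
    return "deny", None


# Constructed rule set: the three example rules from the packet-filtering slide written in
# PIX syntax, followed by the two lines explained on the slides (numbered 3 and 4 here).
ACL = [parse_ace(entry) for entry in (
    "access-list outside_in deny ip 172.19.0.0 255.255.0.0 any",
    "access-list outside_in deny icmp any any",
    "access-list outside_in permit tcp any host 129.120.16.221 eq www",
    "access-list outside_in permit ip 129.120.18.0 255.255.254.0 host 129.120.16.221",
)]


def packet(proto, src, dst, sport=None, dport=None):
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport}


if __name__ == "__main__":
    for p in (packet("tcp", "192.0.2.5", "129.120.16.221", 40000, 80),
              packet("tcp", "192.0.2.5", "129.120.16.221", 40000, 22),
              packet("icmp", "192.0.2.5", "129.120.16.221"),
              packet("tcp", "172.19.4.4", "129.120.16.221", 1234, 80),
              packet("udp", "129.120.19.7", "129.120.16.221", 5000, 53)):
        print(p["proto"], p["src"], "->", p["dst"], p["dport"], evaluate(ACL, p))
```

Order matters: the packet from 172.19.4.4 to port 80 is denied by line 1 even though line 3 would permit it, and anything not matched by any line (for example TCP to port 22) falls through to the implicit deny.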

Stateful Inspection

• A common approach to foil detection by firewalls is to break the packets involved in an attack into multiple packets so that the firewall cannot detect the attack based on a single packet.
• If a firewall can track all packets belonging to a session, it has a better chance at detecting an attack.
• Whereas packet filters look only into the Layer 3 header, stateful inspection firewalls also check Layer 4 information.

Stateful Inspection Firewalls

• They maintain a state table of sessions.
• When a stateful firewall receives a packet, it first searches its state table to see whether a connection has already been established and whether this packet was requested.
  – If a packet arrives with no record of its being part of a legitimate session, the firewall will block access by dropping it.
• Stateful firewalls work at Layers 3 and 4.
• Stateful monitoring enables a system to determine which sets of communications are permissible and which should be blocked.
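The state-table lookup described above, as an added Python example that is not from the slides or from any vendor: the firewall admits sessions opened from the inside, passes inbound packets only when they match an existing entry, and forgets the entry once both sides have closed. The inside network, the packet trace and the simplified TCP state machine (no timeouts, no sequence-number checks) are assumptions.

```python
import ipaddress


class StatefulFirewall:
    """Simplified TCP state tracking: sessions may only be opened from the inside, and an
    inbound packet passes only if it matches an entry in the state table."""

    def __init__(self, inside_net):
        self.inside = ipaddress.ip_network(inside_net)
        self.state = {}   # (proto, inside_ip, inside_port, outside_ip, outside_port) -> entry

    def _key(self, pkt):
        """Normalise the 5-tuple so both directions of one session share a key."""
        if ipaddress.ip_address(pkt["src"]) in self.inside:
            return "out", (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        return "in", (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])

    def process(self, pkt):
        direction, key = self._key(pkt)
        flags = set(pkt["flags"])
        entry = self.state.get(key)
        if entry is None:
            # Only an outbound SYN creates state; any other unknown packet is dropped.
            if direction == "out" and flags == {"SYN"}:
                self.state[key] = {"status": "SYN_SENT", "fins": set()}
                return "pass"
            return "drop"
        if "RST" in flags:
            del self.state[key]
            return "pass"
        if "ACK" in flags:
            entry["status"] = "ESTABLISHED"
        if "FIN" in flags:
            entry["fins"].add(direction)
            if entry["fins"] == {"in", "out"}:   # both sides closed: forget the session
                del self.state[key]
        return "pass"


def tcp(src, sport, dst, dport, *flags):
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}


# Constructed trace (documentation addresses): one legitimate session plus unsolicited packets.
TRACE = [
    tcp("10.0.0.5", 50000, "203.0.113.9", 443, "SYN"),          # inside opens a session
    tcp("203.0.113.9", 443, "10.0.0.5", 50000, "SYN", "ACK"),   # reply matches the state table
    tcp("10.0.0.5", 50000, "203.0.113.9", 443, "ACK"),          # handshake completes
    tcp("203.0.113.9", 443, "10.0.0.5", 50000, "ACK"),          # server data
    tcp("198.51.100.7", 4444, "10.0.0.5", 22, "SYN"),           # unsolicited inbound connect: no state
    tcp("198.51.100.7", 4444, "10.0.0.5", 50000, "ACK"),        # inbound to the open port but wrong peer
    tcp("203.0.113.9", 443, "10.0.0.5", 50000, "FIN", "ACK"),   # server closes
    tcp("10.0.0.5", 50000, "203.0.113.9", 443, "FIN", "ACK"),   # client closes; entry removed
    tcp("203.0.113.9", 443, "10.0.0.5", 50000, "ACK"),          # late packet after teardown
]


def run_trace(trace, inside_net="10.0.0.0/24"):
    """Apply the trace to a fresh firewall and return the verdict for each packet."""
    fw = StatefulFirewall(inside_net)
    return [fw.process(p) for p in trace]


if __name__ == "__main__":
    for p, verdict in zip(TRACE, run_trace(TRACE)):
        print(f"{verdict:4} {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} {'|'.join(p['flags'])}")
```

The sixth packet is the case a packet filter gets wrong: it is addressed to a port the inside host really has open, but it comes from a peer with no session entry, so the stateful firewall drops it.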

Network Address Translation (NAT)

• NAT translates between two addressing schemes, public and private.
• This permits enterprises to use the non-routable private IP address space internally and reduce the number of external IP addresses used across the Internet.
• When outside (i.e., Internet-based) resources are needed, NAT is required to assign the internal hosts valid external IP addresses so that they can establish connections to those resources.
• Typically, a pool of external IP addresses is used by the NAT firewall, with the firewall keeping track of which internal address is using which external address at any given time.

Network Address Translation (NAT) (diagram)

Dynamic NAT

• The firewall has a pool of public IP addresses, but the number of public addresses is smaller than the number of internal hosts.
  – If all the hosts wanted to connect externally at the same time, there wouldn’t be enough to go around. But the exact assumption of dynamic NAT is that this rarely happens, and so we can conserve public IP addresses by not maintaining one-to-one mappings between public and private IP addresses.
• When an internal host wants to connect outward, the firewall picks an available public address from the pool and assigns it to the host.
• Once the host is done with a session, the firewall disassociates the public address from the host and returns the address to the pool.
• The address becomes available to other hosts.
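The pool behavior on this slide, as an added Python example (not code from the slides): a pool of two public addresses shared by three internal hosts, including what happens when the pool is exhausted and when a released address is reassigned to another host. The pool, the hosts and the one-mapping-per-host simplification are assumptions.

```python
class DynamicNat:
    """Dynamic NAT: a pool of public addresses shared by more internal hosts than there are
    addresses. A mapping exists only while the host has a session open."""

    def __init__(self, public_pool):
        self.free = list(public_pool)   # public addresses not currently assigned
        self.table = {}                 # private_ip -> public_ip for hosts with a session

    def outbound(self, private_ip):
        """Public address to use for an outbound session, or None if the pool is empty."""
        if private_ip in self.table:
            return self.table[private_ip]
        if not self.free:
            return None                 # pool exhausted: the connection cannot be translated
        public_ip = self.free.pop(0)
        self.table[private_ip] = public_ip
        return public_ip

    def inbound(self, public_ip):
        """Map a reply addressed to a public address back to the internal host, if any."""
        for private_ip, assigned in self.table.items():
            if assigned == public_ip:
                return private_ip
        return None                     # no active mapping: nothing inside to deliver to

    def release(self, private_ip):
        """Session finished: disassociate the host and return the address to the pool."""
        public_ip = self.table.pop(private_ip)
        self.free.append(public_ip)


def demo():
    """Three constructed hosts share a pool of two public addresses; returns the event log."""
    nat = DynamicNat(["203.0.113.1", "203.0.113.2"])
    events = []
    events.append(("A connects", nat.outbound("192.168.1.10")))     # 203.0.113.1
    events.append(("B connects", nat.outbound("192.168.1.11")))     # 203.0.113.2
    events.append(("C connects", nat.outbound("192.168.1.12")))     # None: pool exhausted
    events.append(("reply to B", nat.inbound("203.0.113.2")))       # 192.168.1.11
    nat.release("192.168.1.10")                                     # A finishes its session
    events.append(("C retries", nat.outbound("192.168.1.12")))      # 203.0.113.1, reused
    events.append(("late reply for A", nat.inbound("203.0.113.1"))) # now delivered to C
    return events


if __name__ == "__main__":
    for what, result in demo():
        print(f"{what:18} -> {result}")
```

The last event is the operational wrinkle of address reuse: once the pool address is handed to another host, a late reply meant for the first host is delivered to whoever holds that address now, which is why real NAT devices hold mappings until a session has fully timed out.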

Demilitarized Zone (DMZ) (diagram)

Demilitarized Zone (DMZ)

• A buffer zone between the Internet, where no controls exist, and the inner secure network, where an organization has security policies in place.
• The idea behind the use of the DMZ topology is to force a user to make at least one hop in the DMZ before accessing information inside the trusted network.
• To demarcate the zones and enforce separation, a firewall is used on each side of the DMZ.
  – The area between these firewalls is accessible from either the inner secure network or the Internet.
  – The firewalls are specifically designed to prevent access across the DMZ directly from the Internet to the inner secure network.

DMZ As Layered Security Protection

• Different zones provide layers of defense:
  – Successive zones are guarded by firewalls enforcing increasingly strict security policies.
  – The outer firewall provides less protection than the inner firewall does.
• Accessibility is inversely related to the level of protection.
  – The DMZ is less protected but more accessible to users on the Internet.
  – The inner network is more protected but not readily accessible to external users.
• It is difficult to provide complete protection and unfettered access at the same time.
  – Trade-offs between access and security are handled through zones.

Servers in the DMZ

• Servers typically placed in the DMZ include Web servers, FTP servers, remote access service (RAS) servers, mail servers, etc.
• Any server directly accessed from the outside, untrusted Internet zone needs to be in the DMZ.
  – All the standard servers used in the trusted network, as well as the routers and the switches that connect these machines together, should be behind the inner firewall.
• Special attention should be given to the security settings of the network devices placed in the DMZ.
  – They should be considered exposed to unauthorized use.
  – Still, efforts should be made to harden servers in the DMZ.