of IT Security An Overview of Firewalls and Intrusion Detection Systems IIG 1/29

Transcription

1 Theory and Practice of IT Security An Overview of Firewalls and Intrusion Detection Systems Theorie und Praxis der IT-Sicherheit - Firewalls und Intrusion Detection 1/29

2 What is Firewall? Protection against internet risks Protectet network (Home Network) Insecure Networks (Internet) Data interexchange is required: Ersatz von durch Theorie und Praxis der IT-Sicherheit - Firewalls und Intrusion Detection 2/29

3 Why you need Firewalls? Home Network Internet A B Gain of multiplex advantages over network protectio Single Point of Administration Seperation: Intern and Extern Theorie und Praxis der IT-Sicherheit - Firewalls und Intrusion Detection 3/29

4 Firewalls s and TCP/IP Layer model Nach Tanenbaum Application Layer Transport Layer Network Layer Data Link Layer Physical Layer Application Layer Transport Layer Network Layer Data Link Layer Physical Layer Theorie und Praxis der IT-Sicherheit - Firewalls und Intrusion Detection 4/29

5 Firewalls - Internet Protocol ols Services: FTP SMTP Telnet HTTP DNS RPC NFS TCP IP ICMP UDP ARP Ethernet, Token Ring, FDDI, PPP, ATM Twisted Pair, LWL, Radio, Laser Theorie und Praxis der IT-Sicherheit - Firewalls und Intrusion Detection 5/29

6 Firewall - Proxies Proxie: Stellvertreter Applicationsproxy Transparency Proxy Generic Proxy (Socks) Home Network P Internet A Proxy services: Telnet,WWW B Theorie und Praxis der IT-Sicherheit - Firewalls und Intrusion Detection 6/29

7 Firewall ApplicatonA Proxy Example: HTTP-Proxy Client HTTP - request Proxy Server HTTP - reply HTTP - request HTTP - reply Client adresses Proxy Browser knows only Proxy Proxy repesents Browser Theorie und Praxis der IT-Sicherheit - Firewalls und Intrusion Detection 7/29

8 Firewall - Transparencyncy Proxies Example: HTTP-Proxy Home Network Internet Client HTTP - request Proxy Server HTTP - reply HTTP - request HTTP - reply Client adresses Server Browser does not know Proxy Proxy intercept the trafic Proxy represents Browser Theorie und Praxis der IT-Sicherheit - Firewalls und Intrusion Detection 8/29

9 Firewalls - SOCKS Proxy Generic Proxy Transport Layer Internes Netz Internet Client Rconnect Proxy connect Server Socksified TCP-Stack Application knows only Proxy Proxy kennt Socks Protokoll Proxy represents TCP-Client Theorie und Praxis der IT-Sicherheit - Firewalls und Intrusion Detection 9/29

10 Firewalls - Pack cketfilter Rules are implemented in IP Layer Routers are used as Paketfilters Home Network Paketfilter Internet A B IP-Trafic (Packes) is only allowed between A and B Theorie und Praxis der IT-Sicherheit - Firewalls und Intrusion Detection 10/29

11 Firewalls - Pack cketfilter Example: telnet Home Network Internet Client: Server: proto src-address port dst-address port flags action tcp * >1023 * 23 * allow tcp * * >1023 A allow * * * * * * deny Theorie und Praxis der IT-Sicherheit - Firewalls und Intrusion Detection 11/29

12 Firewalls - Dynamic Paketfilter Beispiel: ftp Home Network Internet Client: Server: # proto src-address port dst-address port flags action 1 tcp * >1023 * 21 * allow 2 tcp * * >1023 A allow 3 * * * * * * deny Client>PORT 132,230,16,1,4,150 ( :1174) Client updates State Table Information 3 tcp * allow 4 tcp A allow 5 * * * * * * deny Theorie und Praxis der IT-Sicherheit - Firewalls und Intrusion Detection 12/29

13 Firewalls -Network Address Translation Internes Netz Internet Client: Server: Private Adresses : Routing via Internet is not possible 10.*.*.*, *.*, *.* Translation of private IP adresses in to public adresses src-addr: :1074 in to src-addr: :65001 Answer also likewise translated into private address (dyn. or stat.) Theorie und Praxis der IT-Sicherheit - Firewalls und Intrusion Detection 13/29

14 Firewalls - Paketfilter vs Proxies Home Network A Packet -filter Internet B Home Network A P Proxy-Services: Telnet,WWW Internet B Implementation in IP Layer mostly on Routers implemented permit trafic between each IP Addresses Evaluation of TCP Headers is possible Port filtering (SMTP, TELNET) Protocol filtering (RIP) IP-Option filtering (SourceRouting) and defence against IP-Spoofing Implementation in Applivation Layer User authentication is possible no direct data interchange (Buffer overflow and Flooding attacks in a home network is not pssible) Evaluation of application protocols enables filtering of services(smtp command VRFY, EXPN) Hybrid solution: dynamic Packetfilter, Stateful Inspection Theorie und Praxis der IT-Sicherheit - Firewalls und Intrusion Detection 14/29

15 Firewalls - Topology Packetfilter: Home Network Internet Dual homed application gateway: Home Network Proxy Internet Proxy Screened host: Home Network Internet Proxy Screened subnet: Home Network DMZ Internet Theorie und Praxis der IT-Sicherheit - Firewalls und Intrusion Detection 15/29

16 Firewalls - Example Additional functions: Content Filtering Firewall with Proxies and dynamic Paketfilters Internes Netz Paketfilter Paketfilter Internet A Virus scanner for Mail & FTP WWW DNS DMZ Theorie und Praxis der IT-Sicherheit - Firewalls und Intrusion Detection 16/29

17 Firewalls - distributed Firewalls Why distributed Firewalls high bandwith und komplex Protokolle (IPsec) Protocols, which are very hard to process by one Firewall Trust for Insider Additional access points (Modems) Multple access points (Load balancing, Redundancy) Bedarf feinerer Kontrolle Theorie und Praxis der IT-Sicherheit - Firewalls und Intrusion Detection 17/29

18 Distributed Firewalls - Components B Internet A C M Language to interprete security policies Mechanisms to distribute security policies Mechanisms to assert implemented security policies Theorie und Praxis der IT-Sicherheit - Firewalls und Intrusion Detection 18/29

19 Distributed Firewalls - Implementation Userspace Application Library Demen for Security polices Keynodes to distribute security policies accept() connect() mdodified System routines context Kernelspace Pseudodevicedriver nach Ioannidis Theorie und Praxis der IT-Sicherheit - Firewalls und Intrusion Detection 19/29 Disadvantage:New modern system routines cant be forced to apply in the processs

20 Firewalls and Privacy Internes Netz Internet Traffic via the Firewall: Log-Files -> User Profiles Access to the Firewall -> the whole traffic is readable Administration is complex Difficult to assert a security policy only with firewalls Theorie und Praxis der IT-Sicherheit - Firewalls und Intrusion Detection 20/29

21 Firewall - Intrusion Detection Internes Netz. 13:15: get :16: logi :16: login :17: conne :17: passw 1. 15:17: reje 15:17: l Internet Theorie und Praxis der IT-Sicherheit - Firewalls und Intrusion Detection 21/29 IDS logs the traffic on a Firewall: detects every connection between secure and unsecure area ensures the integrity of the Firewall (e.g. software) detects attacks But, you have to keep it up to date

22 Intrusion Detection Systems (IDS) Intrusion: Unallowed action, which is not allowed by the Securitypolicy e.g: try to get a virus in a secured intranet try to run exploits (buffer-overflows) CGI-Errors Denial of Service (Ping of Death) Address-spoofing Race Conditions Theorie und Praxis der IT-Sicherheit - Firewalls und Intrusion Detection 22/29

23 IDS - A generic Model Sensor Sensor Information about Events Sensor Activityprofile Evaluation Systems Detects attacks Theorie und Praxis der IT-Sicherheit - Firewalls und Intrusion Detection 23/29

24 IDS - Categories Detection Pattern Recognition Statistical Methods Hybrids Preferred Positions Host based Network based Hybrids Time of Evaluation Realtime (possibility to react) Later Theorie und Praxis der IT-Sicherheit - Firewalls und Intrusion Detection 24/29

25 IDS - Network-based Probe Probe Internes Netz Firewall Internet Probe Probe Probe IDS Manager Distributed sensors announcing network traffic events to the IDS Manager Advantage: more sensors than only the firewall, can detect more attack scenarios Disadvantage: cannot handle encrypted traffic, privacy aspects Theorie und Praxis der IT-Sicherheit - Firewalls und Intrusion Detection 25/29

26 IDS - Host-based A Audit-trail Logs Quotas Event- Generator Event- Generator Firewall Log-File Firewall Software IDS Manager Distributed sensors announcing host actions and events to the IDS-Manager e.g.: Virus-scanners Advantage: can handle traffic which will be deor encrypted on the network Disadvantage: serious privacy problems, performance Theorie und Praxis der IT-Sicherheit - Firewalls und Intrusion Detection 26/29

27 IDS - kinds of detections Pattern recognition: can detect attacks on know attack patterns Anomaly: abnormal actions are treated as attacks Integrity-Check for software Theorie und Praxis der IT-Sicherheit - Firewalls und Intrusion Detection 27/29

28 IDS and privacy Big problem, needs trusted operator Processing is allowed under restrictions Pseudomising of log-data keep identifying data only in case of suspicion only of academic interests Theorie und Praxis der IT-Sicherheit - Firewalls und Intrusion Detection 28/29

29 Summary & Outlook Firewalls & IDS are trying to limit/detect the use around the Clients IDS is a Big Brother? Circumvent security policy is very often very easy New security mechanisms are needed e.g Trusted Computing (with a lot of new problems) Theorie und Praxis der IT-Sicherheit - Firewalls und Intrusion Detection 29/29

30 Literature Rolf Oppliger - Internet and Intranet Security; 1998 Norbert Pohlmann - Firewall Systeme; 1998 Rainer Falk - Formale Spezifikation von Sicherheitspolitiken für Paketfilter; GI-Fachtagung VIS 97 Steven Bellovin - Distributed Firewalls; ;login: Magazin November 99 S. Ioannidis et al. - Implementing a Distributed Firewall; CCS 2000 Theorie und Praxis der IT-Sicherheit - Firewalls und Intrusion Detection 30/29 M. Sobirey - Aktuelle Anforderungen an Intrusion Detection Systeme...; GI-Fachtagung VIS 99 Mark Krause and Clarissa Cook - Tutorial Intrusion Detection; ACSAC 98

31 Literature Andrew Tanenbaum - Computernetzwerke; 1996 Richard Stevens - TCP/IP Illustrated, Volume 1; 1994 Theorie und Praxis der IT-Sicherheit - Firewalls und Intrusion Detection 31/29

32 IPSec Network Security Internet Protocol Security Architecture Theorie und Praxis der IT-Sicherheit - Firewalls und Intrusion Detection 32/29

33 IPSec - A short trip to networking A short trip to network protocols and layers Theorie und Praxis der IT-Sicherheit - Firewalls und Intrusion Detection 33/29

34 IPSec - IP Packet IPv4 Header IPv6 Header There are no security flags --> needs extension Theorie und Praxis der IT-Sicherheit - Firewalls und Intrusion Detection 34/29

35 IPSec - IPSec Extension Header Security by encapsulation in a new header Theorie und Praxis der IT-Sicherheit - Firewalls und Intrusion Detection 35/29

36 IPSec - The Architecture Architecture of IPSec RFC 2401,... ESP AH IPComp Algorithms: Encryption, Hash, Compression Key Management Theorie und Praxis der IT-Sicherheit - Firewalls und Intrusion Detection 36/29

37 IPSec - Authentication Header Remember: Security Association is identifiable by SPI, the protocol (AH/ESP) and the IP-Addresses Theorie und Praxis der IT-Sicherheit - Firewalls und Intrusion Detection 37/29

38 IPSec - Encapsulation Security Payload Remember also! Theorie und Praxis der IT-Sicherheit - Firewalls und Intrusion Detection 38/29

39 IPSec - Transport vs.. Tunnel Mode Endsystems support IPSec: Only corporate routers support IPSec: Classical VPN Theorie und Praxis der IT-Sicherheit - Firewalls und Intrusion Detection 39/29

40 IPSec - AH Example The original IP-packet: Secured in Transport Mode IP-packet: Secured in Tunnel Mode IP-packet: authenticated authenticated Theorie und Praxis der IT-Sicherheit - Firewalls und Intrusion Detection 40/29

41 IPSec - ESP Example The original IP-packet: Secured in Transport Mode IP-packet: Secured in Tunnel Mode IP-packet: encrypted authenticated encrypted authenticated Theorie und Praxis der IT-Sicherheit - Firewalls und Intrusion Detection 41/29

42 IPSec - A Tunnel Mode Example VPN between VPN-routers Theorie und Praxis der IT-Sicherheit - Firewalls und Intrusion Detection 42/29

43 IPSec - Multiple Tunnels Packet can be encapsulated several times!!! Theorie und Praxis der IT-Sicherheit - Firewalls und Intrusion Detection 43/29

44 IPSec - Key Exchange Algorithms for encryption (AES, 3DES,...) needs a shared secret to work Shared secrets are generated during setup of a Security Association (Transport or a Tunnel Mode SA) Secrets are refreshed regularly Authentication can be done with preshared secrets and certificates (X.509) IKE (the IPSec Key Exchange) supports several public key algorithms (ECC, DH,.. ) Theorie und Praxis der IT-Sicherheit - Firewalls und Intrusion Detection 44/29

45 IPSec - An Example Let me see, i you re sleeping. Take a pencil and a sheet of paper! Theorie und Praxis der IT-Sicherheit - Firewalls und Intrusion Detection 45/29

46 IPSec - Summary IPSec - ensures security on the network layer Supports both IP protocols Two additional headers: AH and ESP Two operational modes: Tunnel and Transport Very flexible, but not easy to deploy Try it out!! Many distributions have it on board (OpenBSD, NetBSD, FreeBSD, Linux) Theorie und Praxis der IT-Sicherheit - Firewalls und Intrusion Detection 46/29

47 IPSec - Literature RFC 2401 and the following Theorie und Praxis der IT-Sicherheit - Firewalls und Intrusion Detection 47/29