Network Layer Attacks and Defenses


1 Network Layer Attacks and Defenses
Last updated: Tuesday, 01 May 2007
Prof. Amir Herzberg (except where noted)
Computer Science Department, Bar Ilan University

2 Lecture Outline
- Vulnerabilities and patches
- Reconnaissance / scan attacks
- Packet filtering and firewalls
- Intrusion Detection Systems (IDS) and evasion
- Decoys / honeypots
- Not in scope (next topic): application vulnerabilities, attacks and defences

3 Complexity Breeds Vulnerabilities
- Computer and network systems are complex
- Everybody cares about security, but more about usability, functionality
- Competitive market with limited penalty for bugs
  - Multi-vendor systems result in finger pointing
  - Bugs and vulnerabilities are common, expected
  - Limited risk of liability, impact on reputation
  - Fixing security in a new release/system increases revenues
- Result: many vulnerabilities, exploits and attacks

4 Knowledge is Power: Bug, Exploit, Fix
- Many vulnerabilities, exploits and attacks
- Myth: all systems have bugs, attackers find bugs quickly
  - Patch/new version quickly after exploit detected
  - But then attackers find a new bug
[Timeline figure: NewOS/App ver 1.1 -> bug found, exploited -> detected -> NewOS/App ver 1.11 (patch) -> bug found, exploited -> detected -> ...]

5 Knowledge is Power: Myths & Reality
- Many vulnerabilities, exploits and attacks
- Myth: hackers easily break any system, defense
- Reality: vulnerabilities are exceptions, easy to fix
  - Bugs due to complexity, size, negligence
  - Patches often installed late (why? laziness / reliability)
  - Most exploits occur between the warning and the patch install
[Timeline figure: vendor line: NewOS/App ver 1.1 -> vulnerability detected -> patch available (NewOS/App ver 1.11) -> fix/1.11 installed; attacker line: exploit -> attack using exploit]

6 What of Auto-Install Patches?
- Auto-patch install (e.g. WinXP)
  - Authenticated, signed download, version checking; e.g. SSL/TLS
- Reliability concerns:
  - Patches cannot be tested as much as a real release
  - Testing takes time: a tradeoff of risks, not one answer
  - What of conflicts between patches?
  - Auto-install patches on a mission-critical machine?
- Attacks by vendor (or malware/insider at vendor):
  - Increased trust in vendor: realtime, targeted vs. offline
  - Hiding traces [protocol can prevent this, how?]
  - No security by scrutiny (changing target), accountability
- Sometimes, a workaround is better than a patch
  - E.g. disable the feature till the patch is `stable`

7 Summary: Knowledge is Power
- Many vulnerabilities, exploits and attacks
  - Unrealistic to block all on all machines
- Patch installation lag: due to unawareness, reliability concerns
- Attackers:
  - Reconnaissance/scan: detect vulnerabilities, targets
  - Exploit
  - Eve's 1st Law: Avoid Detection! Remove traces/logs
- Defences: detect and block

8 Reconnaissance / Scan Attacks
- Goal: find targets, vulnerabilities
  - Targets: hosts (IP, DN), ports, apps, servers, OS
- Passive reconnaissance: hard to detect
  - Open information: whois DB, site, Google, ...
    - Build pages with links for Google to follow
  - Eavesdropping, esp. on wireless LAN (`wardriving`)
- Active reconnaissance: network scanning
  - Tools, e.g. NMap, SuperScan, IPSonar, ...
- Network scanning cues
  - Explicit self identification, e.g. HTTP header
  - Implementation differences, bugs: TTL, TCP initial window size, MSS, ...
  - Existence of response

9 Common Reconnaissance Scans
- IP scan / sweep: ping (ICMP), SNMP, other
- Services and ports scans:
  - TCP scans (normal or `stealth`: SYN -> SYN/ACK -> abort)
  - UDP scans; reply of ICMP `destination port unreachable` (if unused)
- Identify software: operating system, server, etc.
- Account scan: identify accounts, attempt logins
- Attacker's dilemma
  - Most scans fail: need many to find something
  - But Eve's 1st Law: Avoid Detection
- Intrusion detection: the `Cry Wolf` dilemma
  - Too many (false) alarms will reduce attention
  - External scans: only block & log (e.g. to identify the suspect source)

10 Detecting Services Scan
- Attacker uses random IP and port to reduce statistics
- UDP / ICMP scans:
  - Send request, get reply: logged, load noticed
  - Send junk: ICMP port unreachable indication
- TCP scans: find open & exploitable TCP ports
  - Regular TCP connection: logged, load noticed, slow
  - Stealth scans: half-open connection scans or FIN scans, not always logged
  - Log and detect these events as well

11 Network Scans
- IP scan / sweep: ping (ICMP), SNMP
  - Identify existence of a machine
- Services scan: TCP, UDP, ICMP
  - TCP: connect, or SYN (SYN - SYN/ACK - RST)
  - Responses: none (no machine), RST (closed), ICMP Port Unreachable (blocked), ACK
- Stealth TCP scans: try to avoid detection
  - NULL (no flag), FIN, XMAS (URG, PSH and FIN all set)
  - Standard response: RST if port closed, none if open
  - Windows: always sends RST [detect?]

12 Predictable Challenge Scans
- Detect, then exploit, the use of a sequential identifier in place of a random identifier
  - Allows a blind attacker to spoof responses
  - Perform a (limited) MITM attack
- Identifiers used to ensure `fresh` responses in:
  - TCP: initial sequence number
  - DNS: identifier in queries
  - IP: identifier field, used for defragmentation
- Scan to detect a sequential identifier
  - Send two requests, validate sequential identifiers in responses
- How can we exploit a sequential IP ID? Allows a spoofed (dumb) port scan

13 Spoofed (dumb) port scan
- Exploit of server (Bob) using sequential IP ID
- Stealth scan from spoofed IP address
[Figure: message sequence. Eve: HTTP GET x.htm (SenderIP=...); first packet of x.htm, IP ID = 345; second packet of x.htm, IP ID = 346; TCP NULL/XMAS, SRC=(spoofed); RST or none, ID=347; HTTP GET x.htm (SenderIP=...); first packet of x.htm, IP ID = 348; second packet of x.htm, IP ID = 349]

14 Firewalls: Keeping Attackers Out (1)
- Firewall (definition): a secure / trusted machine
  - Placed on the communication path from a protected network to the Internet
  - Controls, inspects and filters the communication
  - Attempts to prevent attacks from outside

15 Defense in Depth
- Military term for multiple lines of defence
  - External firewall + inter-department firewalls
  - Intrusion Detection System (IDS) behind the firewall
    - Allows detection
    - Cannot alert on each scan from the network (too many)
- Redundancy
- Damage control
- Beyond blocking: resiliency, backup, recovery

16 Firewalls: Keeping Attackers Out (2)
- Firewall (improved definition): a secure / trusted machine, or a module on a machine
  - On the path between two networks / host(s)
  - One or both networks are protected by the firewall
  - Can be used between departments to limit damage
  - Controls, inspects and filters the communication
  - To prevent / limit reconnaissance, exploits

17 Packet Filter: Router-Firewall
- A router: forwards packets between two networks
  - Or even a bridge (no routing): `transparent FW`
  - No IP address, subnet; less overhead, visibility
- Most basic and common firewall
- Filters packets to block/detect attacks
  - Stateless filtering (simpler, fast) or stateful filtering
- Filtering policy is often called an Access Control List
  - Typically specified as a list of rules
  - Rules are pairs: <Selector, Action>
  - Selector identifies which rule applies to the packet

18 Packet Filtering Policy and Rules
- Packet filtering policy is often a list of rules
  - Often called Access Control List (ACL)
  - ACL := Rule | ACL, Rule
  - Rules are usually processed in order
- Each rule is a pair: selector and action
  - Rule := Selectors Actions
- Selectors define if the rule applies to the packet
  - As a function of the values of fields in the packet
  - Example: protocol=udp, SrcPort=7 (Echo)
- Actions define what to do with the packet
  - Example: silently discard (block echo requests)

19 Packet Filtering: Selectors
- Selectors define if the rule applies to the packet
  - Selectors := Selector | Selectors {AND/OR} Selectors | (Selectors) | NOT Selectors
  - Allows composite selectors (with AND, OR, etc.)
- A selector := field operator value
  - Field := {SrcIP, DstIP, SrcPort, DstPort, Protocol, Flags, ICMPType, TTL, Length, Interface_in}
  - Operator := { =, ≠, <, > }
  - Value := IPADDR | PORT | Protocol | Flag | Types | Hops
- A selector is a function of fields in the packet
  - Stateless rule: value is a constant
  - Stateful rule: value can be a variable, or: the selector is a function

20 Examples of Stateless Selectors
- Selector := field operator value
  - Field := {SrcIP, DstIP, SrcPort, DstPort, Protocol, ICMPType, TTL, Length, Interface_in}
- Examples 1 [2]: protocol=udp [AND DstIP=*.*.*.FF]
  - Block all UDP traffic [to broadcast address]
- Example 3: Protocol=UDP AND DstPort=7 (Echo)
  - Block incoming UDP Echo requests (`smurf` attack)
- Example 4: Protocol=ICMP AND ICMPType=8 (Echo)
  - Block incoming ICMP Echo requests (`fraggle` attack)

21 Internet Control Message Protocol
- ICMP: Internet Control Message Protocol
  - Status, control between routers, hosts
  - Error handling and debugging protocol
  - Unauthenticated protocol
  - Encapsulated in IP header
- 40 assigned types
- Many exploits
  - E.g. DoS amplification attack, by echo request to broadcast address
  - More later
[Table of ICMP message types; type numbers not extracted: Echo Reply, Destination Unreachable, Source Quench, Redirect, Echo, Time Exceeded]

22 Packet Filtering Actions
- Actions define what to do with the packet:
  - Allow
  - Log
  - Alert response team
  - Discard (silently) [aka deny, drop]
  - Reject (e.g., send RST for TCP, or Port Unreachable)
  - (more)

23 Packet Filtering Policy
- First challenge: define the packet filtering policy
  - Restrictions on users accessing the Internet
    - Block all applications except ...
    - Allow all applications except ...
  - Which services to open to incoming requests
  - Validate policy carefully
- Then: write Access Control List rules for the policy
  - Validate and optimize the rules
- Some typical basic policies and rules are described in the sequel

24 Service Blocking Rules
- Problem: many attacks exploit vulnerable services
- Solution: block incoming requests
  - Also block outgoing requests to vulnerable services
  - Identify by protocol (TCP/UDP/ICMP, ...), port
  - May fail for new services or non-default ports
- Better: allow only specific and essential services
  - Block new and rogue services (e.g., P2P networks)
  - Really rogue services may hide
    - E.g. bot-nets use IRC but use port 80 (like HTTP)
    - Need stronger, content filtering
- Examples of vulnerabilities and rules follow...

25 Some Vulnerable Services
- A few (of many) examples of vulnerable services and their exploits:
  - Echo: denial of service, with spoofed source as victim
  - CharGen (random character generator): denial of service, especially by sending from port 7 of the victim
  - SysStat (list of processes): identify vulnerabilities
  - Finger: bug lets attacker control (some) machines
  - NetBIOS: access to files, printers, etc.

26 Block, but how: Discard or Reject?
- How to block a suspect request?
  - Discard (silently)
  - Reject (send RST)
- Discard is better if the packet was malicious
  - Don't waste resources
  - Don't expose existence
  - Source IP is often spoofed: don't attack it (victim)
    - Or risk being labeled as attacker, blacklisted
- Reject is better if the connection may be legitimate
  - Not to delay it

27 Example: Blocking Ident Protocol
- IDENT protocol (to port 113) resolves IP -> Name
  - Invoked by many applications, e.g. Windows
- Why block? Discard or reject?
[Rule table, entries not extracted: Rule | Intrfce | SrcIP | SPort | DstIP | DPort | Flags | Action; interfaces: in, out]

28 Block Incoming Requests
- How to block incoming requests?
  - First: TCP (connection-based services)
  - Later: UDP & ICMP (connection-less services)
- To send a TCP request, one must initiate a connection
  - Usually the client initiates the connection
  - Note: the FTP server also initiates the `data` connection
- Internal clients initiate from inside
- Attackers initiate from outside
- Block incoming TCP connection requests

29 Block Incoming TCP Requests
- TCP initiation is always by sending a SYN packet
  - Responder sends back a SYN-ACK packet
  - SYN bit is only set in these first two packets
- Hence: block incoming SYN packets without an ACK
- Exception: public servers (e.g., external web servers)
  - Place them on a separate subnet: De-Militarized Zone (DMZ)
  - We discuss DMZ later on
[Figure: Initiator sends SYN; Responder answers SYN-ACK]
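The following is an added example, not code from the lecture: a small stateless packet filter in Python that evaluates an ordered ACL of <Selector, Action> rules with the selector grammar of slides 18-19, the example selectors of slide 20, the actions of slide 22, and the SYN-without-ACK rule of slide 29. The ACL, the rule names, the choice to reject (rather than discard) IDENT connection attempts per slide 26, and all sample packets are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable

# A packet is a dict of header fields; all packets below are constructed.
Packet = dict


@dataclass
class Rule:
    """Rule := Selectors Actions (slide 18); 'log' is the extra action of slide 22."""
    name: str
    selector: Callable[[Packet], bool]
    action: str                 # "allow" | "discard" | "reject"
    log: bool = False


def sel(field: str, op: str, value):
    """selector := field operator value (slide 19).
    A '*' octet in an IP pattern is a wildcard; 'has' tests flag membership."""
    def match(p: Packet) -> bool:
        v = p.get(field)
        if v is None:                       # field absent (e.g. no port in ICMP): no match
            return False
        if op == "=":
            if isinstance(value, str) and "*" in value:
                want, got = value.split("."), str(v).split(".")
                return len(want) == len(got) and all(a in ("*", b) for a, b in zip(want, got))
            return v == value
        if op == "!=":
            return v != value
        if op == "<":
            return v < value
        if op == ">":
            return v > value
        if op == "has":
            return value in v
        raise ValueError(f"unknown operator {op!r}")
    return match


# Composite selectors: Selectors := Selector | Selectors AND/OR Selectors | NOT Selectors
def AND(*sels):
    return lambda p: all(s(p) for s in sels)


def OR(*sels):
    return lambda p: any(s(p) for s in sels)


def NOT(s):
    return lambda p: not s(p)


def evaluate(acl, p: Packet, default_action: str = "discard"):
    """Rules are processed in order; the first matching rule decides (slide 18).
    Returns (rule name, action, reply): reply is what 'reject' sends back
    (slide 22), RST for TCP and ICMP Port Unreachable otherwise."""
    for r in acl:
        if r.selector(p):
            reply = None
            if r.action == "reject":
                reply = "TCP RST" if p.get("proto") == "tcp" else "ICMP port unreachable"
            if r.log:
                print(f"LOG {r.name}: {p}")  # stand-in for the 'log' action
            return r.name, r.action, reply
    return "default", default_action, None


# Constructed ACL: slide 20's examples, the IDENT rule of slide 27 (rejected, since
# the connection may be legitimate, slide 26), and slide 29's SYN-without-ACK rule.
ACL = [
    Rule("block-udp-broadcast",
         AND(sel("proto", "=", "udp"), sel("dst_ip", "=", "*.*.*.255")), "discard", log=True),
    Rule("block-udp-echo",
         AND(sel("proto", "=", "udp"), sel("dst_port", "=", 7)), "discard"),
    Rule("block-icmp-echo-request",
         AND(sel("proto", "=", "icmp"), sel("icmp_type", "=", 8)), "discard"),
    Rule("reject-ident",
         AND(sel("iface", "=", "in"), sel("proto", "=", "tcp"), sel("dst_port", "=", 113),
             sel("flags", "has", "SYN")), "reject"),
    Rule("block-incoming-tcp-connect",   # SYN set, ACK clear, arriving on the outside interface
         AND(sel("iface", "=", "in"), sel("proto", "=", "tcp"),
             sel("flags", "has", "SYN"), NOT(sel("flags", "has", "ACK"))), "discard", log=True),
    Rule("allow-rest", lambda p: True, "allow"),
]

# Constructed sample packets; iface "in" means arriving from the Internet.
OUT = "198.51.100.7"
SAMPLES = {
    "udp-bcast": {"iface": "in", "proto": "udp", "src_ip": OUT, "dst_ip": "10.0.0.255", "dst_port": 53},
    "udp-echo":  {"iface": "in", "proto": "udp", "src_ip": OUT, "dst_ip": "10.0.0.5", "dst_port": 7},
    "ping":      {"iface": "in", "proto": "icmp", "src_ip": OUT, "dst_ip": "10.0.0.5", "icmp_type": 8},
    "ident-in":  {"iface": "in", "proto": "tcp", "src_ip": OUT, "dst_ip": "10.0.0.5", "dst_port": 113, "flags": {"SYN"}},
    "syn-in":    {"iface": "in", "proto": "tcp", "src_ip": OUT, "dst_ip": "10.0.0.5", "dst_port": 80, "flags": {"SYN"}},
    "synack-in": {"iface": "in", "proto": "tcp", "src_ip": OUT, "dst_ip": "10.0.0.5", "dst_port": 40000, "flags": {"SYN", "ACK"}},
    "syn-out":   {"iface": "out", "proto": "tcp", "src_ip": "10.0.0.5", "dst_ip": OUT, "dst_port": 80, "flags": {"SYN"}},
}


def decide_all():
    """Map each sample packet to (rule name, action)."""
    return {name: evaluate(ACL, p)[:2] for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (rule, action) in decide_all().items():
        print(f"{name:10s} -> {action:8s} ({rule})")
```

Rule order matters: the IDENT rule must precede the generic SYN rule, or every IDENT attempt would be silently discarded and the calling application would wait for a timeout, which is exactly the delay slide 26 warns about for possibly legitimate connections.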

30 Block UDP/ICMP Requests
- How to block incoming UDP and ICMP requests?
  - Connectionless
  - Can use spoofed IP addresses (don't need a reply)
  - Many UDP & ICMP vulnerabilities and attacks
- Solution 1: block all UDP, ICMP traffic
- Solution 2: allow only UDP & ICMP responses
  - How do we distinguish between a request and a response?

31 Blocking UDP Requests
- UDP applications are usually request-response
- How to allow incoming UDP responses?
  - Problem: no request / response flag
  - Partial solution: app-specific response identification
- Block (all) UDP requests: stateful packet filtering
  - Upon receipt of a UDP packet from within:
    - Let s=srcip, sp=srcport, d=dstip, dp=dstport
    - For X seconds, allow an incoming UDP packet if DstIP=s, DstPort=sp, SrcIP=d, SrcPort=dp

32 Block TCP Stealth Scans
- Recall: TCP stealth scans detect open TCP ports
  - NULL / FIN / XMAS segment
  - Standard response: RST if port closed, none if open
  - Windows: send RST to all
- Possible firewall actions:
  - Reject (RST)
  - Discard (drop)
  - If (StlthCtr[SrcIP]++) > MaxStlth: add SrcIP to BlockIPList
    - Reset StlthCtr[ ] periodically
    - Another rule blocks all traffic with SrcIP in BlockIPList
  - Compare! [see notes]
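An added example (not from the lecture) that combines the two stateful mechanisms of slides 31 and 32 in one Python filter: incoming UDP is allowed only as the mirror image (DstIP=s, DstPort=sp, SrcIP=d, SrcPort=dp) of an outgoing packet seen within the last X seconds, and NULL/FIN/XMAS segments are counted per source, with the source added to a block list once the counter exceeds MaxStlth. The internal prefix, the window of 30 s, MaxStlth=3, the 60 s reset period and the traffic are all constructed assumptions; a caller-supplied clock replaces wall-clock time so the run is deterministic.

```python
from collections import defaultdict


class StatefulFilter:
    """Toy stateful packet filter (constructed for this example).
    Stateless rules such as 'no incoming SYN' are assumed to run separately."""

    def __init__(self, internal_prefix="10.0.0.", udp_window=30.0,
                 max_stealth=3, reset_every=60.0):
        self.internal_prefix = internal_prefix
        self.udp_window = udp_window          # the X seconds of slide 31
        self.max_stealth = max_stealth        # MaxStlth of slide 32
        self.reset_every = reset_every        # period for clearing StlthCtr[]
        self.udp_expect = {}                  # (s, sp, d, dp) -> expiry time
        self.stealth_ctr = defaultdict(int)   # StlthCtr[SrcIP]
        self.block_list = set()               # BlockIPList
        self.last_reset = 0.0

    def _is_internal(self, ip):
        return ip.startswith(self.internal_prefix)

    @staticmethod
    def stealth_kind(flags):
        """Classify a TCP flag set as a NULL, FIN or XMAS probe (slide 11), else None."""
        f = set(flags)
        if not f:
            return "NULL"
        if f == {"FIN"}:
            return "FIN"
        if {"URG", "PSH", "FIN"} <= f and not ({"SYN", "ACK", "RST"} & f):
            return "XMAS"
        return None

    def _maybe_reset(self, now):
        if now - self.last_reset >= self.reset_every:
            self.stealth_ctr.clear()          # periodic reset; the block list persists
            self.last_reset = now

    def decide(self, pkt, now):
        """Return 'allow' or 'discard' for one packet, updating state as a side effect."""
        self._maybe_reset(now)
        src, dst = pkt["src_ip"], pkt["dst_ip"]
        if src in self.block_list:
            return "discard"                  # rule: block all traffic from BlockIPList
        if pkt["proto"] == "udp":
            if self._is_internal(src):
                # outgoing request: remember (s, sp, d, dp) for X seconds
                self.udp_expect[(src, pkt["src_port"], dst, pkt["dst_port"])] = now + self.udp_window
                return "allow"
            # incoming: allowed only as the mirror image of a live outgoing request
            mirror = (dst, pkt["dst_port"], src, pkt["src_port"])
            expiry = self.udp_expect.get(mirror)
            if expiry is not None and now <= expiry:
                return "allow"
            self.udp_expect.pop(mirror, None)  # forget expired entries
            return "discard"
        if pkt["proto"] == "tcp" and not self._is_internal(src):
            if self.stealth_kind(pkt.get("flags", ())):
                self.stealth_ctr[src] += 1
                if self.stealth_ctr[src] > self.max_stealth:
                    self.block_list.add(src)
                return "discard"              # drop rather than RST: reveals nothing about the port
        return "allow"


def run_scenario():
    """Constructed traffic: a DNS exchange, an unsolicited UDP packet, an XMAS
    scan from one source, and a late DNS reply after the window expired."""
    fw = StatefulFilter()
    log = []

    def step(t, pkt):
        log.append((t, pkt["label"], fw.decide(pkt, t)))

    query = {"label": "dns-query", "proto": "udp", "src_ip": "10.0.0.5", "src_port": 5353,
             "dst_ip": "192.0.2.53", "dst_port": 53}
    reply = {"label": "dns-reply", "proto": "udp", "src_ip": "192.0.2.53", "src_port": 53,
             "dst_ip": "10.0.0.5", "dst_port": 5353}
    junk = {"label": "udp-unsolicited", "proto": "udp", "src_ip": "192.0.2.99", "src_port": 7,
            "dst_ip": "10.0.0.5", "dst_port": 7}
    step(0.0, query)
    step(0.2, reply)
    step(0.3, junk)
    for i in range(5):
        step(1.0 + i, {"label": f"xmas-{i}", "proto": "tcp", "src_ip": "198.51.100.7",
                       "src_port": 40000 + i, "dst_ip": "10.0.0.5", "dst_port": 20 + i,
                       "flags": {"URG", "PSH", "FIN"}})
    step(6.0, {"label": "syn-after-block", "proto": "tcp", "src_ip": "198.51.100.7",
               "src_port": 41000, "dst_ip": "10.0.0.5", "dst_port": 80, "flags": {"SYN"}})
    step(45.0, reply)                         # 45 s > 30 s window: no longer a response
    return log, sorted(fw.block_list)


if __name__ == "__main__":
    events, blocked = run_scenario()
    for t, label, action in events:
        print(f"t={t:5.1f}  {label:16s} {action}")
    print("blocked:", blocked)
```

The per-source counter is what makes this a "compare!" case: rejecting with RST answers every probe identically and leaks nothing, but it also costs a reply per probe, whereas the counter lets the filter stop spending anything on a source after a handful of probes. Note that the block list is deliberately not cleared by the periodic counter reset, which is a design choice of this example.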

33 Anti-Spoofing Rules (ingress/egress filtering)
- IP source address spoofing threat
  - ISPs and organizations should prevent spoofing
- Egress filtering: spoofed outgoing packets
  - Block packets not using an assigned IP address
  - Block outgoing broadcasts?
- Ingress filtering: spoofed incoming packets
  - Customer of ISP using an unassigned IP address
  - Incoming packet using an internal IP address
  - Incoming broadcasts
- But: ISPs don't filter hosted servers, domains
  - Legitimate use of unassigned IP

34 Legitimate Use of Unassigned IP Source Address, 1st example: multihomed corporation
[Figure: Foo.com's private net connected to the Internet via both USA-ISP.net and MexISP.net]

35 Legitimate Use of Unassigned IP, 2nd example: Mobile IP `triangle routing` [See notes]
[Figure: packet labels DstIP: Home IP, SrcIP: Temp IP, DstIP: ...; addresses not extracted]

36 Mobile IP behind Egress Filter: Must Tunnel via Home Server
[Figure: packet labels Home IP, Temp IP, SrcIP: ..., DstIP: ...; addresses not extracted]

37 Aggressive Ingress Filtering
- When we really care
  - Under (DoS) attack
  - Against IP spoofing (of special hosts / networks?)
- Firewall-to-firewall (IP-Sec) tunnel
  - Identify by a `code` attached to packets
  - Cryptographic MAC (IP-Sec), or random identifier (IP-Sec SPI, MPLS, ?)
- One-sided filtering? Some ideas, e.g., using TTL...
  - Lengths of paths are almost fixed
  - Few initial choices of TTL, often the same within a network
  - Fixed TTL in packets from a network
  - Other TTL: suspect a spoofed packet
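An added example, not part of the lecture, of the egress and ingress anti-spoofing checks of slide 33 together with the TTL heuristic of slide 37, written in Python with the standard ipaddress module. The assigned block 10.1.0.0/16, the (partial) list of never-routed source ranges, the learned (initial TTL, hop count) profile per remote network, the tolerance of two hops and the sample packets are all constructed assumptions.

```python
import ipaddress

# Constructed deployment: our assigned address block, and a partial list of ranges
# that must never appear as the source of a packet arriving from the Internet.
INTERNAL = ipaddress.ip_network("10.1.0.0/16")
NEVER_ROUTED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]

# TTL profile (slide 37): (initial TTL, hop count) learned per remote network.
# Values are constructed; a real profile would be measured from normal traffic.
TTL_PROFILE = {
    ipaddress.ip_network("203.0.113.0/24"): (64, 12),
    ipaddress.ip_network("198.51.100.0/24"): (128, 9),
}
TTL_SLACK = 2   # hops of tolerance for route changes


def is_broadcast(addr):
    """Slide 20's *.*.*.FF notion of a broadcast destination."""
    return addr.packed[-1] == 0xFF


def egress_check(pkt):
    """Outgoing packets must carry one of our own (assigned) source addresses."""
    src = ipaddress.ip_address(pkt["src_ip"])
    dst = ipaddress.ip_address(pkt["dst_ip"])
    if src not in INTERNAL:
        return "block: source not in assigned block (spoofed)"
    if is_broadcast(dst):
        return "block: outgoing broadcast"
    return "allow"


def ttl_check(pkt):
    """TTL heuristic: a fixed initial TTL minus an almost-fixed path length."""
    src = ipaddress.ip_address(pkt["src_ip"])
    for net, (initial_ttl, hops) in TTL_PROFILE.items():
        if src in net:
            expected = initial_ttl - hops
            if abs(pkt["ttl"] - expected) > TTL_SLACK:
                return f"suspect: ttl {pkt['ttl']}, expected about {expected}"
            return "ok"
    return "unknown"    # no profile for this network: the heuristic cannot judge


def ingress_check(pkt, aggressive=False):
    """Incoming packets: block our own or never-routed sources and broadcasts;
    in aggressive mode also flag packets whose TTL does not fit the profile."""
    src = ipaddress.ip_address(pkt["src_ip"])
    dst = ipaddress.ip_address(pkt["dst_ip"])
    if src in INTERNAL:
        return "block: internal source address arriving from outside"
    if any(src in net for net in NEVER_ROUTED):
        return "block: never-routed source address"
    if is_broadcast(dst):
        return "block: incoming broadcast"
    if aggressive:
        verdict = ttl_check(pkt)
        if verdict.startswith("suspect"):
            return verdict
    return "allow"


def check(pkt, aggressive=False):
    return egress_check(pkt) if pkt["iface"] == "out" else ingress_check(pkt, aggressive)


# Constructed sample packets ("out" = leaving our network, "in" = arriving from the Internet).
SAMPLES = {
    "out-ok":        {"iface": "out", "src_ip": "10.1.2.3",     "dst_ip": "203.0.113.10",  "ttl": 64},
    "out-spoofed":   {"iface": "out", "src_ip": "192.0.2.5",    "dst_ip": "203.0.113.10",  "ttl": 64},
    "out-broadcast": {"iface": "out", "src_ip": "10.1.2.3",     "dst_ip": "203.0.113.255", "ttl": 64},
    "in-ok":         {"iface": "in",  "src_ip": "203.0.113.10", "dst_ip": "10.1.2.3",      "ttl": 52},
    "in-internal":   {"iface": "in",  "src_ip": "10.1.9.9",     "dst_ip": "10.1.2.3",      "ttl": 60},
    "in-bogon":      {"iface": "in",  "src_ip": "192.168.1.1",  "dst_ip": "10.1.2.3",      "ttl": 60},
    "in-broadcast":  {"iface": "in",  "src_ip": "203.0.113.10", "dst_ip": "10.1.255.255",  "ttl": 52},
    "in-bad-ttl":    {"iface": "in",  "src_ip": "198.51.100.4", "dst_ip": "10.1.2.3",      "ttl": 53},
    "in-unprofiled": {"iface": "in",  "src_ip": "192.0.2.77",   "dst_ip": "10.1.2.3",      "ttl": 60},
}


def check_all(aggressive=True):
    return {label: check(p, aggressive) for label, p in SAMPLES.items()}


if __name__ == "__main__":
    for label, verdict in check_all().items():
        print(f"{label:14s} {verdict}")
```

The TTL verdict is reported as "suspect" rather than "block": the heuristic is one-sided, a route change or a host with an unusual initial TTL produces the same deviation as a spoofed packet, which is why the slide reserves it for the "when we really care" case. The multihomed and Mobile IP cases of slides 34-36 would trip the egress check here exactly as the slides say they do.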

38 Example: Few Basic Rules
[Rule table, entries not extracted. Columns: Rule name / goal | Intfc | Src IP | Src Port | Dst IP | DPort | Protocol | Flags | Action. Rules: Stealth TCP Scans (In); No In TCP Connections; No incoming spoofed pkts; Stealth TCP Scan (out); Egress Filter (don't spoof). Interfaces: in, out (Internet)]

39 Firewall Access Rules: Protecting the Firewall
- Block traffic to the firewall
  - Discard when the destination IP address is the firewall
  - This prevents attacks on the firewall, from the Internet or from inside the protected network
- Exception: from administrator machine(s)
  - Only to the management application / shell
  - Only via a secure protocol (IP-Sec, SSH, SSL)
- Other means to protect the firewall machine
  - Locked room
  - Good authentication, operating system security
  - Only essential applications

40 Stateful Packet Filtering
- Need state for many filtering tasks
  - We've seen: UDP requests/responses
  - Statistical identification of attack, source
  - Rate control: disconnect from DoS attacker (by IP)
  - Filtering fragmented IP packets
- Blocking application-specific vulnerabilities
  - Requires application awareness
  - Must reconstruct and analyze application messages
  - Malicious content, e.g. viruses, spoofed web sites, web attacks, etc.
  - Often done by an application-level gateway (firewall)

41 Packet Filtering: More Actions
- Actions define what to do with the packet:
  - Allow / Discard / Reject
  - Log / Alert
- Perform mandatory services, such as:
  - Apply IP-Sec's tunnel mode (AH/ESP)
  - Network Address and Port Translation (NAPT)
  - Route via a specific interface
  - Invoke function (`hook` to a stateful, tailored function)
    - Main use: force application gateway/firewall / WAF / ...

42 Content Filtering / Application Gateway / FW
- Packet filter cannot identify application attacks
  - Messages may span multiple packets
  - Too complex, much processing, stateful
- Solution: use a separate module / machine
  - Application gateway / firewall
  - Content-filtering server
  - Web Application Firewall (proxy)
  - Intrusion detection / prevention system (IDS/IPS)
- Use the packet filter to enforce content filtering / application firewall
  - Prevent bypassing

43 Web Application Firewall: Goals
- Virtual patching
  - Block a specific vulnerability `outside` the application
- Positive filtering
  - Input sanitization: remove control chars, restrict length
  - Allow only `clean` inputs (scripts)
  - Prone to interfere with usage
- Negative filtering
  - Block known attacks
  - Prone to miss new attacks
- Intrusion prevention / detection [later]

44 Enforcing Application Gateways / WAF
- Method 1: WAF (Web Application Firewall) as proxy
  - Client connects to gateway & gateway connects to server
  - Simple to implement gateway
  - Client-side WAF: requires configuration
  - Two TCP connections (overhead)
- Method 2: transparent application gateway / WAF
  - Client connects to server & gateway captures the connection
  - Usually a single TCP connection
  - Harder to implement but easier to deploy, faster

45 WAF/Application Gateway as Proxy
- Application gateway is visible to the client
  - Client application is configured to use the gateway
  - Requires configuration; sometimes automated
  - Example: HTTP proxy
- Firewall prevents direct access
[Figure: client, application gateway and firewall; labels only]

46 HTTP Filtering Proxy Rules
- Force use of the (filtering) web proxy
- Allow only outgoing connections
[Rule table, entries not extracted. Columns: Rule | Intrfce | SrcIP | SPort | DstIP | DPort | Flags | Action. Rules: In2Prx, In2Net, P2Net. Figure labels: Proxy, CNN.com, interfaces in/out, Internet]

47 Example: Tunnel HTTP Response
- Selector: SrcIP not in internal network, SrcPort=80
- Action: tunnel to S: ... D: ...
- Problem: non-standard proxy
  - How to use a standard proxy?
  - Solution: re-route
[Figure: packet labels S: ..., D: ..., SP:80 DP:3776 <HTML> at each hop; addresses not extracted]

48 HTTP Transparent WAF Rules
- Enforce WAF (& HTTP proxy) transparently
- Allow only outgoing connections
[Rule table, entries not extracted. Columns: Rule | Intrfce | SrcIP | SPort | DstIP | DPort | Flags | Action. Figure labels: Proxy, CNN.com, interfaces in/out]

49 De-Militarized Zone (DMZ)
- Blocking incoming requests is a good practice
  - Most vulnerabilities result from service exploits
- But we may need to provide some public services:
  - External web, FTP servers
  - Incoming mail server
  - Domain name service, others
- Solution: De-Militarized Zone (DMZ)
  - DMZ is a network protected by the firewall
  - DMZ contains publicly accessible servers
  - DMZ is less secure, but it is separate from the internal network

50 DMZ with Two Firewalls
- First packet-filtering firewall protects internal + DMZ
  - Preferably on different interfaces
- Second firewall protects only the internal network
- DMZ is in the border area
[Figure: DMZ with WWW, WWW and Mail servers between the two firewalls]

51 DMZ with a Single Firewall
- DMZ: separate interface of the packet filter
- Allow incoming connections: only from outside
  - Maintain separate internal servers (e.g. web, mail)
  - Except: sys-admin, (web)mail [separate DMZ?]
[Figure: DMZ with Mail Delivery Agent, WWW, WWW, DNS, Incoming Mail Transfer Agent]

52 DMZ: Outgoing Connections
- Block outgoing connections and alert
  - DMZ servers never open connections
  - Possibly a few exceptions (e.g. NNTP)
- May allow specific connections to internal servers
  - E.g., incoming mail (SMTP MTA) [but better `pull`]
  - To / from specific IP & port: can place on a separate DMZ
[Figure: DMZ with WWW, DNS, Mail Delivery Agent, WWW, Incoming Mail Transfer Agent]

53 DMZ Rules
[Rule table, entries not extracted. Columns: Rule | Intrfce | SrcIP | SPort | DstIP | DPort | Flags | Action. Figure: DMZ with Mail Delivery Agent, WWW, WWW, DNS, Incoming Mail Transfer Agent]

54 Limitations of Firewalls
- Firewalls are very important
  - Firewalls are the first (external) line of defense
- But firewalls cannot block all attacks
  - Unknown bug of a useful application (e.g. Web)
- Firewalls cannot filter encrypted traffic (e.g., IPSec)
  - Many firewalls support IP-Sec tunnel mode
  - Many firewalls use an IP-Sec tunnel between firewall and net
  - This fails if the host also encrypts
- Filtering depends on the use of standards
  - Ports (to identify services), protocols and applications
  - Filtering fails if both ends collude

55 Firewall cannot Isolate Insiders, Trojans!
[Figure: corrupted internal PC (zombie) behind the firewall, communicating with the attacker]
- Consider malware behind the firewall (`inside`):
  - Initiate communication to the attacker's site
  - Use port-spoofing or encapsulation to hide the communication protocol
  - Encrypt if the firewall scans content
  - If the firewall monitors statistics to limit traffic:
    - Use multiple internal addresses
    - Sniff to pick up replies
- Result: firewall cannot protect against insiders & Trojans

56 Intrusion Detection Systems
- Content-filtering is hard, resource intensive
  - Very hard: blocking an attack in real time
  - Performance (buffering) costs
- Better: detect and respond to intrusion attempts
  - Intrusion Detection System
  - Preferably at the reconnaissance stage
  - Or: to abort an on-going attack
  - At least: post-mortem analysis, evaluation of defenses
- Why is content-filtering so hard? The attacker uses evasion techniques

57 Content Filtering and Evasion
- Content and application filtering:
  - Critical for security (block, detect)
  - Resource-intensive
  - Filter: known/suspect attacks (`signatures`), addresses (`blacklist`), or attack mechanisms
- Evasion: avoid filtering, by
  - Content morphing and encoding
    - Content changes: signature mismatch
  - Content editing attacks
    - FW/IDS sees one content, victim sees a different one
    - Insertion/deletion attacks
  - Fragmentation tricks, request smuggling, ...
  - Encrypted content
  - Overloading the IDS system (DoS)

58 Evasion by Morphing
- Goal: prevent recognition of the `attack signature`
- How? `Morphing`: change the attack string
- Object code (e.g. virus):
  - Most of its code is `encrypted` (randomized)
  - A tiny `loader` to decrypt, execute (too small to identify)
  - And/or: add no-ops, etc. (`obfuscate`)
- Scripts, etc.: easier:
  - Add spaces, change capitalization, e.g. `< ScRiPt >`
  - Different encodings for the `same` characters
  - Better: filter control chars (`<`) [except permitted tags]
- Identifying attacks by a `signature database` is not long-term viable!!

59 Evasion by Encoding Tricks
- Non-standard encoding
- UTF-8 encodes Unicode as 1 to 4 bytes
  - Unicode 0xxx xxxx (ASCII): 1-byte UTF-8: 0xxx xxxx
  - Unicode 00000yyy yyzzzzzz: 2-byte UTF-8: 110yyyyy 10zzzzzz
- How to decode UTF-8 1100000y 10zzzzzz?
  - WAF, standard: allow only the shortest encodings
  - But server/client may accept longer encodings too! Decode as 0yzzzzzz
  - E.g. IIS 4.0 / 5.0 Extended UNICODE Directory Traversal Vulnerability
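An added example, not from the slides, that makes the slide 59 mismatch concrete in Python: a strict decoder (Python's own codec, which refuses overlong sequences) is compared with a constructed lenient decoder that accepts 1100000y 10zzzzzz as 0yzzzzzz, and a small detector lists the offsets of overlong 2-byte sequences so that a filter can reject such input outright instead of guessing how the server will decode it. The lenient decoder models a permissive implementation in general, not any specific product, and the byte strings are constructed.

```python
def decode_strict(data: bytes) -> str:
    """The standard decoder: Python's codec rejects overlong sequences
    (0xC0 and 0xC1 are never valid lead bytes) with UnicodeDecodeError."""
    return data.decode("utf-8")


def decode_lenient(data: bytes) -> str:
    """Toy decoder for 1- and 2-byte forms that skips the shortest-form check,
    so 1100000y 10zzzzzz is decoded as 0yzzzzzz (the behaviour slide 59 describes).
    Constructed to model a permissive server, not any real implementation."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:                                        # 0xxxxxxx: ASCII
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b < 0xE0 and i + 1 < len(data) and (data[i + 1] & 0xC0) == 0x80:
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)  # 110yyyyy 10zzzzzz
            out.append(chr(cp))
            i += 2
        else:
            raise ValueError(f"unsupported byte 0x{b:02x} at offset {i}")
    return "".join(out)


def overlong_offsets(data: bytes):
    """Offsets of 2-byte sequences whose lead byte is 0xC0 or 0xC1: every such
    sequence encodes a code point below 0x80 and is therefore overlong."""
    return [i for i in range(len(data) - 1)
            if data[i] in (0xC0, 0xC1) and (data[i + 1] & 0xC0) == 0x80]


def compare(data: bytes):
    """(strict result or None, lenient result, overlong offsets): when the first
    is None and the second is not, a filter and a permissive server disagree."""
    try:
        strict = decode_strict(data)
    except UnicodeDecodeError:
        strict = None
    return strict, decode_lenient(data), overlong_offsets(data)


# Constructed inputs.
SAMPLES = {
    "plain":        b"/index.html",
    "valid-2byte":  "caf\u00e9".encode("utf-8"),    # C3 A9: shortest form of U+00E9
    "overlong-dot": b"/\xc0\xae\xc0\xae/",           # C0 AE: overlong form of '.' (U+002E)
    "overlong-lt":  b"\xc0\xbcscript",               # C0 BC: overlong form of '<' (U+003C)
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        strict, lenient, offsets = compare(raw)
        print(f"{name:13s} strict={strict!r:15} lenient={lenient!r:12} overlong at {offsets}")
```

The defensive point is in compare(): a WAF that searches the raw bytes for the ASCII form of "../" or "<" sees neither in the overlong samples, while a permissive server decodes them to exactly those strings. Rejecting any input for which overlong_offsets() is non-empty removes the disagreement regardless of what the server behind the filter does.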

60 Evasion via UTF-7 Auto-Encoding
- Another evasion technique: hidden UTF-7 encoding
- Char-set of an HTTP response is defined by:
  - Explicit charset attribute in header or body: Content-Type: text/html; charset=[encoding]
  - Implicit: auto-encoding on detecting UTF-7 chars
- Attack:
  - Response contains no explicit charset
  - WAF assumes no encoding, finds no script
  - Browser finds a UTF-7 char, auto-decodes
  - Decoding reveals the mal-script

61 Domain Blacklist Evasion
- Domain blacklist: suspect domains, block request
  - Popular (IE v7, FF, ...), (currently?) effective
- Domain blacklist evasion:
  - Change domains frequently
  - Redirect to IP address
  - From a free web page, or even the Google archive
  - Negligible costs: domain blacklists may not be a long-term solution
- What of IP blacklists?
  - Dynamic DNS, dynamic IP-address redirect
  - Zombies, dial-up

62 Evasion by `Content Editing` Attacks
- Idea: the filter (FW) sees a `sanitized/edited` stream
  - Yet the victim receives the `real` requests/responses
- Insertion: IDS sees `attxack`, victim sees `attack`
  - E.g.: packet with short TTL (dropped before the victim)
- Deletion: IDS sees `ack`, victim sees `attack`
  - E.g. packet with `wrong` IP version (e.g. 2)
- Merge/split, e.g. request smuggling
  - Victim (server) gets two requests
  - FW sees one request (2nd becomes part of 1st)
- Fragmentation/partitioning tricks

63 IDS Evasion by Request Smuggling
- Different parsing between WAF and application server
- E.g. IIS limits requests to 48KB
  - Fixed/patched
  - Web Application Firewalls (usually) allow longer requests
  - IIS considers data after 48KB as a new request
  - Web Application Firewall considers it as body (ignored)
- Due to no separation between requests!
- See:

64 Evasion by Response Splitting
- Attacker sends a request
  - Or: the victim sends a request, by following a link in e-mail, or from the web, or otherwise
- Site responds, reflecting the request
- Response appears to client and/or proxies as two HTTP responses
  - Second `response` controlled by the attacker
  - Allows all malscript/XSS attacks (e.g. defacement)
  - And web cache poisoning attack on another user
- Again: due to no separation between responses
- Defense: HTTP request/response separation
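An added example, not from the lecture, showing in Python what "request/response separation" means for slide 64: a redirect builder that reflects a request parameter into the Location header, the same builder guarded by a check that no header value may contain CR or LF, and a minimal response counter that reads the byte stream the way a simple proxy or client would. The builders, the counter and both sample inputs are constructed for the example.

```python
def build_redirect_naive(location: str) -> bytes:
    """Reflects a request parameter into a header without validation."""
    head = f"HTTP/1.1 302 Found\r\nLocation: {location}\r\nContent-Length: 0\r\n\r\n"
    return head.encode("latin-1")


def validate_header_value(value: str) -> str:
    """Response separation: a header value may never contain CR or LF, so no
    reflected input can terminate the header block and start a second response."""
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF in header value")
    return value


def build_redirect_safe(location: str) -> bytes:
    return build_redirect_naive(validate_header_value(location))


def count_responses(stream: bytes) -> int:
    """Count responses the way a simple client or proxy would: each HTTP/ status
    line starts one, and Content-Length says where its body ends."""
    count, i = 0, 0
    while i < len(stream):
        head_end = stream.find(b"\r\n\r\n", i)
        if head_end < 0:
            break
        head = stream[i:head_end].decode("latin-1")
        if not head.startswith("HTTP/"):
            break
        count += 1
        body_len = 0
        for line in head.split("\r\n")[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "content-length":
                body_len = int(value.strip())
        i = head_end + 4 + body_len
    return count


# Constructed inputs: a normal redirect target, and one carrying CR/LF so that the
# reflected value ends the first response and supplies a second one.
BENIGN = "/home"
INJECTED = "/home\r\nContent-Length: 0\r\n\r\nHTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"


def demo():
    """(responses seen for each input with the naive builder, whether the safe
    builder rejected the injected value)."""
    naive = {"benign": count_responses(build_redirect_naive(BENIGN)),
             "injected": count_responses(build_redirect_naive(INJECTED))}
    try:
        build_redirect_safe(INJECTED)
        safe_rejected = False
    except ValueError:
        safe_rejected = True
    return naive, safe_rejected


if __name__ == "__main__":
    naive, rejected = demo()
    print("naive builder:", naive)
    print("safe builder rejected injected value:", rejected)
```

The check belongs in the layer that writes headers, not only in a WAF in front of it: the WAF sees one request and may see one response, while the downstream cache or browser counts two, which is the parsing disagreement slides 62-64 describe.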

65 Evasion by Fragmentation/Partitioning
- IP packet fragments, multi-packet request/response
  - Filters may fail to detect a multi-fragment/packet signature
  - Requires state, reconstruction by the filter
    - If done, may be abused for DoS (waste state)
  - Or: exploit implementation differences
    - If receiving a packet/fragment with an already-received ID: use older or newer contents?
- Common solution: block all fragments (`fragmentation considered harmful`)

66 Evasion by Encrypting Content
- Send the attack over an encrypted connection
  - Download over SSL/TLS (https://)
  - Attack over SSH
- Filter sees only encrypted contents: can't filter
- `Solutions`:
  - MITM SSL content-filtering (details)
  - Forbid encrypted traffic (e.g. SSH)

67 Intrusion Detection Systems (IDS)
- Goals: detect, log, alert
  - Detect known attack signatures / patterns
  - Detect other attacks based on heuristics & statistics
- Critical: must exhibit few false alarms
  - Otherwise they will be ignored
- Basic types of IDS [compare?]:
  - Network-based IDS
  - Host-based IDS
  - Decoy IDS

68 Types of IDS: comparison
- Network-based IDS:
  - (+) Sees (all net) traffic (multiple destinations, low-level)
  - (-) Evasion techniques
  - (-) Performance/cost (how to see traffic?)
- Host-based IDS:
  - (+) Detects attacks from within the host
  - (-) Only detects attacks to/from a single host, visible to the monitor
  - (-) Fooled by a (smart) attacker controlling the machine!
- Decoy IDS: great detection of attacks on the decoy
  - Complements other tools, and must avoid detection!

69 Network-Based IDS
- Network-based Intrusion Detection Systems:
  - Detect by listening to (all) packets on the network
  - Multiple senders/receivers (can correlate, too)
- Sniffing by:
  - Shared segment: promiscuous mode
  - Switched LAN: sniffing device (switch, hub or tap)
- Limitations
  - Cannot identify viruses, application-level attacks
  - Susceptible to evasion techniques

70 Host-Based IDS
- Host-based Intrusion Detection Systems:
  - Monitor host events, log files
  - Detect intrusions to the host
- Some host IDS monitor packets to / from the host
  - Detect (prevent) network attacks on the host
  - Detect (block) attacks from the host
  - Implement personal-firewall functions
- View is limited to the host
- Host IDS is vulnerable once the host is compromised:
  - Erase traces
  - Modify log

71 Distributed IDS
- DIDS: Distributed Intrusion Detection Systems
- Distributed system consists of:
  - Monitors: network and host IDS
  - Manager: management system(s)
  - Peers: cooperating remote DIDS systems
- Combine information from multiple sources
- Secure communication between manager, monitors, and peers:
  - Can use IP-Sec
  - Use keep-alive messages

72 Distributed Intrusion Detection System
[Figure: Remote IDS, App GW, Network IDS, WWW, Host-based IDS, DMZ, Mail IDS, Manager, Decoy IDS; Intrusion Detection System monitor / manager]

73 Intrusion Detection: Basic Approaches
- Detect attack signature
  - Analyze attacks, find identification marks/patterns
  - Example: CharGen (port 19) used only for attacks
  - Detects only identified attacks
- Detect anomaly & statistical deviation
  - Learn (automatically) patterns of normal operation vs. patterns of attacks
  - Use to detect an attack or a deviation from normal behavior
  - Challenge: acceptable false alarm rate
  - Limited success at detecting new attacks
- Decoy / honeypot IDS
  - Detect any activity

74 Anomaly Detection
- Goal: detect new attacks
  - Attack signatures are clearly better for known attacks
- Learn patterns of normal operation vs. patterns of attacks
  - Use to detect an attack or a deviation from normal behavior
  - Much research: tools of machine learning
- Problems:
  - Too few samples of `attacks`
  - Worse: would learning find new (other) attacks?
  - Can we test / benchmark?

75 False Alarms
- False alarm: IDS alert on a non-attack event e ∈ NA
- False positive rate FP = Prob(IDS(e)=Alert) for e ∈ NA
- Number of false alarms is FP * Log, where Log is the number of logged events
- Realistic numbers:
  - Log events: 1 million / day (even for small systems)
  - With FP of 0.1%, this gives 1000 false alarms (!)
  - Number of real (attack-related) events is much lower
  - System admin likely to ignore alerts
- Must minimize log events & false positive rates
  - Limited success, especially for new attacks

76 Minimize Log Events
- Focus on events after the firewall
- Problem: the firewall blocks known attacks, and IDS is not too good on unknown attacks
- So why IDS?
  - Detect attacks by malware / insiders
  - Detect firewall failures (e.g. wrong rule)
    - May also use an inner firewall to block these, but not the same firewall & rules
  - Post-mortem analysis and security evaluation
  - Correlate information and decoy/honeypot IDS

77 Decoy / Honeypot IDS
- Decoy / honeypot / bait: an object whose (only) goal is to:
  - Appear to be a desirable target for attack
  - Allow easy detection of attacks on it
  - Waste the attacker's resources in meaningless attacks
- Decoy has no legitimate traffic
  - Traffic & modification: alert, log, analysis
  - Except: camouflage traffic
- Decoys have few (or no) false alarms
- Decoys detect new attacks
- There are different types of decoys

78 Types of Decoys
- Decoys for different objects
  - Mailbox (for spam)
  - Addresses in an address-book (detect abuse by malware)
  - Programs on a computer (detect virus contamination)
  - File or records in a DB (detect access / modification)
  - Host, router, application (detect access / change)
- Real or virtual
  - Dedicating a real subnet, host, router is expensive
  - Detecting access / modification is easier for a virtual host or a virtual subnet
  - But the attacker may detect that this is a virtual decoy

79 Example: Honeyd
- Honeyd: small, simple, open-source virtual decoy
  - Simulates arbitrary TCP / UDP / ICMP services
    - Web, mail servers (SMTP / POP3), etc.
  - Answers pings and traceroutes
  - Provides logging
- Supports multiple IP addresses
  - Routed to the Honeyd host, or: to any unallocated IP
  - Can run various virtual, proxied, or fake services
- Limitations:
  - Small set of available services
  - Simulates only the network, not the operating system

80 Honeynet Experiment
- Experiment by The Honeynet Project [March 2005]
- Setup (below):
  - Honeypot machine(s): un-patched Windows 2000 or XP
    - Compromised in minutes, e.g. via port 135
  - Behind a Honeywall to prevent malware from attacking from the honeypot
[Figure: Honeywall, Honeypot, Management]


More information

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others FIREWALLS FIREWALLS Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others FIREWALLS: WHY Prevent denial of service attacks: SYN flooding: attacker

More information

Chapter 9 Firewalls and Intrusion Prevention Systems

Chapter 9 Firewalls and Intrusion Prevention Systems Chapter 9 Firewalls and Intrusion Prevention Systems connectivity is essential However it creates a threat Effective means of protecting LANs Inserted between the premises network and the to establish

More information

INTRUSION DETECTION SYSTEMS and Network Security

INTRUSION DETECTION SYSTEMS and Network Security INTRUSION DETECTION SYSTEMS and Network Security Intrusion Detection System IDS A layered network security approach starts with : A well secured system which starts with: Up-to-date application and OS

More information

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls CS426 Fall 2010/Lecture 36 1 Announcements There will be a quiz on Wed There will be a guest lecture on Friday, by Prof. Chris Clifton

More information

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls

More information

General Network Security

General Network Security 4 CHAPTER FOUR General Network Security Objectives This chapter covers the following Cisco-specific objectives for the Identify security threats to a network and describe general methods to mitigate those

More information

20-CS-6053-00X Network Security Spring, 2014. An Introduction To. Network Security. Week 1. January 7

20-CS-6053-00X Network Security Spring, 2014. An Introduction To. Network Security. Week 1. January 7 20-CS-6053-00X Network Security Spring, 2014 An Introduction To Network Security Week 1 January 7 Attacks Criminal: fraud, scams, destruction; IP, ID, brand theft Privacy: surveillance, databases, traffic

More information

Security principles Firewalls and NAT

Security principles Firewalls and NAT Security principles Firewalls and NAT These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license (http://creativecommons.org/licenses/by-nc/3.0/) Host vs Network

More information

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP Overview Securing TCP/IP Chapter 6 TCP/IP Open Systems Interconnection Model Anatomy of a Packet Internet Protocol Security (IPSec) Web Security (HTTP over TLS, Secure-HTTP) Lecturer: Pei-yih Ting 1 2

More information

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013 CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access

More information

INTRODUCTION TO FIREWALL SECURITY

INTRODUCTION TO FIREWALL SECURITY INTRODUCTION TO FIREWALL SECURITY SESSION 1 Agenda Introduction to Firewalls Types of Firewalls Modes and Deployments Key Features in a Firewall Emerging Trends 2 Printed in USA. What Is a Firewall DMZ

More information

Ch.9 Firewalls and Intrusion Prevention Systems. Firewall Design Goals

Ch.9 Firewalls and Intrusion Prevention Systems. Firewall Design Goals Ch.9 Firewalls and Intrusion Prevention Systems Firewalls: effective means of protecting LANs Internet connectivity is essential for every organization and individuals introduces threats from the Internet

More information

Firewalls, IDS and IPS

Firewalls, IDS and IPS Session 9 Firewalls, IDS and IPS Prepared By: Dr. Mohamed Abd-Eldayem Ref.: Corporate Computer and Network Security By: Raymond Panko Basic Firewall Operation 2. Internet Border Firewall 1. Internet (Not

More information

Chapter 8 Network Security

Chapter 8 Network Security [Computer networking, 5 th ed., Kurose] Chapter 8 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity 84Securing 8.4 e-mail 8.5 Securing TCP connections: SSL 8.6 Network

More information

Today s outline. CSE 127 Computer Security. NAT, Firewalls IDS DDoS. Basic Firewall Concept. TCP/IP Protocol Stack. Packet Filtering.

Today s outline. CSE 127 Computer Security. NAT, Firewalls IDS DDoS. Basic Firewall Concept. TCP/IP Protocol Stack. Packet Filtering. CSE 127 Computer Security Fall 2011 More on network security Todays outline NAT, Firewalls IDS DDoS Chris Kanich (standing in for Hovav) [some slides courtesy Dan Boneh & John Mitchell] TCP/IP Protocol

More information

Firewalls. Chapter 3

Firewalls. Chapter 3 Firewalls Chapter 3 1 Border Firewall Passed Packet (Ingress) Passed Packet (Egress) Attack Packet Hardened Client PC Internet (Not Trusted) Hardened Server Dropped Packet (Ingress) Log File Internet Border

More information

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks

More information

Port Scanning and Vulnerability Assessment. ECE4893 Internetwork Security Georgia Institute of Technology

Port Scanning and Vulnerability Assessment. ECE4893 Internetwork Security Georgia Institute of Technology Port Scanning and Vulnerability Assessment ECE4893 Internetwork Security Georgia Institute of Technology Agenda Reconnaissance Scanning Network Mapping OS detection Vulnerability assessment Reconnaissance

More information

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall Figure 5-1: Border s Chapter 5 Revised March 2004 Panko, Corporate Computer and Network Security Copyright 2004 Prentice-Hall Border 1. (Not Trusted) Attacker 1 1. Corporate Network (Trusted) 2 Figure

More information

Cryptography and network security

Cryptography and network security Cryptography and network security Firewalls slide 1 Firewalls Idea: separate local network from the Internet Trusted hosts and networks Firewall Intranet Router DMZ Demilitarized Zone: publicly accessible

More information

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, 2015. Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, 2015. Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik Network Security Chapter 3 Cornelius Diekmann Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik Version: October 21, 2015 IN2101, WS 15/16, Network Security 1 Security Policies and

More information

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 6 Network Security Objectives List the different types of network security devices and explain how they can be used Define network

More information

Content Distribution Networks (CDNs)

Content Distribution Networks (CDNs) 229 Content Distribution Networks (CDNs) A content distribution network can be viewed as a global web replication. main idea: each replica is located in a different geographic area, rather then in the

More information

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls Firewalls, Tunnels, and Network Intrusion Detection 1 Firewalls A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.

More information

Firewalls, NAT and Intrusion Detection and Prevention Systems (IDS)

Firewalls, NAT and Intrusion Detection and Prevention Systems (IDS) Firewalls, NAT and Intrusion Detection and Prevention Systems (IDS) Internet (In)Security Exposed Prof. Dr. Bernhard Plattner With some contributions by Stephan Neuhaus Thanks to Thomas Dübendorfer, Stefan

More information

Firewalls. Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49. Firewall Design Principles

Firewalls. Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49. Firewall Design Principles Firewalls Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49 1 Firewall Design Principles Firewall Characteristics Types of Firewalls Firewall Configurations

More information

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall Chapter 10 Firewall Firewalls are devices used to protect a local network from network based security threats while at the same time affording access to the wide area network and the internet. Basically,

More information

Internet Worms, Firewalls, and Intrusion Detection Systems

Internet Worms, Firewalls, and Intrusion Detection Systems Internet Worms, Firewalls, and Intrusion Detection Systems Brad Karp UCL Computer Science CS 3035/GZ01 12 th December 2013 Outline Internet worms Self-propagating, possibly malicious code spread over Internet

More information

Network Access Security. Lesson 10

Network Access Security. Lesson 10 Network Access Security Lesson 10 Objectives Exam Objective Matrix Technology Skill Covered Exam Objective Exam Objective Number Firewalls Given a scenario, install and configure routers and switches.

More information

Overview. Firewall Security. Perimeter Security Devices. Routers

Overview. Firewall Security. Perimeter Security Devices. Routers Overview Firewall Security Chapter 8 Perimeter Security Devices H/W vs. S/W Packet Filtering vs. Stateful Inspection Firewall Topologies Firewall Rulebases Lecturer: Pei-yih Ting 1 2 Perimeter Security

More information

Internet Firewall CSIS 3230. Internet Firewall. Spring 2012 CSIS 4222. net13 1. Firewalls. Stateless Packet Filtering

Internet Firewall CSIS 3230. Internet Firewall. Spring 2012 CSIS 4222. net13 1. Firewalls. Stateless Packet Filtering Internet Firewall CSIS 3230 A combination of hardware and software that isolates an organization s internal network from the Internet at large Ch 8.8: Packet filtering, firewalls, intrusion detection Ch

More information

Introduction TELE 301. Routers. Firewalls

Introduction TELE 301. Routers. Firewalls Introduction TELE 301 Lecture 21: s Zhiyi Huang Computer Science University of Otago Discernment of Routers, s, Gateways Placement of such devices Elementary firewalls Stateful firewalls and connection

More information

Secure Network Access System (SNAS) Indigenous Next Generation Network Security Solutions

Secure Network Access System (SNAS) Indigenous Next Generation Network Security Solutions Secure Network Access System (SNAS) Indigenous Next Generation Network Security Solutions Gigi Joseph, Computer Division,BARC. Gigi@barc.gov.in Intranet Security Components Network Admission Control (NAC)

More information

Outline. CSc 466/566. Computer Security. 18 : Network Security Introduction. Network Topology. Network Topology. Christian Collberg

Outline. CSc 466/566. Computer Security. 18 : Network Security Introduction. Network Topology. Network Topology. Christian Collberg Outline Network Topology CSc 466/566 Computer Security 18 : Network Security Introduction Version: 2012/05/03 13:59:29 Department of Computer Science University of Arizona collberg@gmail.com Copyright

More information

CSCE 465 Computer & Network Security

CSCE 465 Computer & Network Security CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Vulnerability Analysis 1 Roadmap Why vulnerability analysis? Example: TCP/IP related vulnerabilities

More information

Stop that Big Hack Attack Protecting Your Network from Hackers. www.lauraknapp.com

Stop that Big Hack Attack Protecting Your Network from Hackers. www.lauraknapp.com Stop that Big Hack Attack Protecting Your Network from Hackers Laura Jeanne Knapp Technical Evangelist 1-919-224-2205 laura@lauraknapp.com www.lauraknapp.com NetSec_ 010 Agenda Components of security threats

More information

Barracuda Intrusion Detection and Prevention System

Barracuda Intrusion Detection and Prevention System Providing complete and comprehensive real-time network protection Today s networks are constantly under attack by an ever growing number of emerging exploits and attackers using advanced evasion techniques

More information

IDS 4.0 Roadshow. Module 1- IDS Technology Overview. 2003, Cisco Systems, Inc. All rights reserved. IDS Roadshow

IDS 4.0 Roadshow. Module 1- IDS Technology Overview. 2003, Cisco Systems, Inc. All rights reserved. IDS Roadshow IDS 4.0 Roadshow Module 1- IDS Technology Overview Agenda Network Security Network Security Policy Management Protocols The Security Wheel IDS Terminology IDS Technology HIDS and NIDS IDS Communication

More information

CSCI 4250/6250 Fall 2015 Computer and Networks Security

CSCI 4250/6250 Fall 2015 Computer and Networks Security CSCI 4250/6250 Fall 2015 Computer and Networks Security Network Security Goodrich, Chapter 5-6 Tunnels } The contents of TCP packets are not normally encrypted, so if someone is eavesdropping on a TCP

More information

OLD VULNERABILITIES IN NEW PROTOCOLS? HEADACHES ABOUT IPV6 FRAGMENTS

OLD VULNERABILITIES IN NEW PROTOCOLS? HEADACHES ABOUT IPV6 FRAGMENTS OLD VULNERABILITIES IN NEW PROTOCOLS? HEADACHES ABOUT IPV6 FRAGMENTS Eric Vyncke (@evyncke) Cisco Session ID: ARCH W01 Session Classification: Advanced Agenda Status of WorldWide IPv6 Deployment IPv6 refresher:

More information

Firewalls and Intrusion Detection Systems. Advanced Computer Networks

Firewalls and Intrusion Detection Systems. Advanced Computer Networks Firewalls and Intrusion Detection Systems Advanced Computer Networks Firewalls & IDS Outline Firewalls Stateless packet filtering Stateful packet filtering Access Control Lists Application Gateways Intrusion

More information

Learn Ethical Hacking, Become a Pentester

Learn Ethical Hacking, Become a Pentester Learn Ethical Hacking, Become a Pentester Course Syllabus & Certification Program DOCUMENT CLASSIFICATION: PUBLIC Copyrighted Material No part of this publication, in whole or in part, may be reproduced,

More information

Second-generation (GenII) honeypots

Second-generation (GenII) honeypots Second-generation (GenII) honeypots Bojan Zdrnja CompSci 725, University of Auckland, Oct 2004. b.zdrnja@auckland.ac.nz Abstract Honeypots are security resources which trap malicious activities, so they

More information

Port Scanning. Objectives. Introduction: Port Scanning. 1. Introduce the techniques of port scanning. 2. Use port scanning audit tools such as Nmap.

Port Scanning. Objectives. Introduction: Port Scanning. 1. Introduce the techniques of port scanning. 2. Use port scanning audit tools such as Nmap. Port Scanning Objectives 1. Introduce the techniques of port scanning. 2. Use port scanning audit tools such as Nmap. Introduction: All machines connected to a LAN or connected to Internet via a modem

More information

Track 2 Workshop PacNOG 7 American Samoa. Firewalling and NAT

Track 2 Workshop PacNOG 7 American Samoa. Firewalling and NAT Track 2 Workshop PacNOG 7 American Samoa Firewalling and NAT Core Concepts Host security vs Network security What is a firewall? What does it do? Where does one use it? At what level does it function?

More information

CSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Firewalls

CSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Firewalls CSE 4482 Computer Security Management: Assessment and Forensics Protection Mechanisms: Firewalls Instructor: N. Vlajic, Fall 2013 Required reading: Management of Information Security (MIS), by Whitman

More information

CIP R1.5 Spring CIP Audit Workshop. April 14, 2016 Scott Pelfrey, CISA, CISSP, GISP, MBA Senior Technical Auditor

CIP R1.5 Spring CIP Audit Workshop. April 14, 2016 Scott Pelfrey, CISA, CISSP, GISP, MBA Senior Technical Auditor CIP-005-5 R1.5 Spring CIP Audit Workshop April 14, 2016 Scott Pelfrey, CISA, CISSP, GISP, MBA Senior Technical Auditor CIP-005-5 Part 1.5 Learning Objectives Terminology Discussion of IPS/IDS & firewall

More information

co Characterizing and Tracing Packet Floods Using Cisco R

co Characterizing and Tracing Packet Floods Using Cisco R co Characterizing and Tracing Packet Floods Using Cisco R Table of Contents Characterizing and Tracing Packet Floods Using Cisco Routers...1 Introduction...1 Before You Begin...1 Conventions...1 Prerequisites...1

More information

SY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

SY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. From a high-level standpoint, attacks on computer systems and networks can be grouped

More information

Internet Protocol: IP packet headers. vendredi 18 octobre 13

Internet Protocol: IP packet headers. vendredi 18 octobre 13 Internet Protocol: IP packet headers 1 IPv4 header V L TOS Total Length Identification F Frag TTL Proto Checksum Options Source address Destination address Data (payload) Padding V: Version (IPv4 ; IPv6)

More information

TECHNICAL NOTE 06/02 RESPONSE TO DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS

TECHNICAL NOTE 06/02 RESPONSE TO DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS TECHNICAL NOTE 06/02 RESPONSE TO DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS 2002 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor

More information

TCP/IP Concepts Review. A CEH Perspective

TCP/IP Concepts Review. A CEH Perspective TCP/IP Concepts Review A CEH Perspective 1 Objectives At the end of this unit, you will be able to: Describe the TCP/IP protocol stack For each level, explain roles and vulnerabilities Explain basic IP

More information

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA Firewalls Securing Networks Chapter 3 Part 1 of 4 CA M S Mehta, FCA 1 Firewalls Learning Objectives Task Statements 1.3 Recognise function of Telecommunications and Network security including firewalls,..

More information

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

Final exam review, Fall 2005 FSU (CIS-5357) Network Security Final exam review, Fall 2005 FSU (CIS-5357) Network Security Instructor: Breno de Medeiros 1. What is an insertion attack against a NIDS? Answer: An insertion attack against a network intrusion detection

More information

Linux Network Security

Linux Network Security Linux Network Security Course ID SEC220 Course Description This extremely popular class focuses on network security, and makes an excellent companion class to the GL550: Host Security course. Protocols

More information

CIT 480: Securing Computer Systems. Firewalls

CIT 480: Securing Computer Systems. Firewalls CIT 480: Securing Computer Systems Firewalls Topics 1. What is a firewall? 2. Types of Firewalls 1. Packet filters (stateless) 2. Stateful firewalls 3. Proxy servers 4. Application layer firewalls 3. Configuring

More information

Introduction of Intrusion Detection Systems

Introduction of Intrusion Detection Systems Introduction of Intrusion Detection Systems Why IDS? Inspects all inbound and outbound network activity and identifies a network or system attack from someone attempting to compromise a system. Detection:

More information

Network Security. Tampere Seminar 23rd October 2008. Overview Switch Security Firewalls Conclusion

Network Security. Tampere Seminar 23rd October 2008. Overview Switch Security Firewalls Conclusion Network Security Tampere Seminar 23rd October 2008 1 Copyright 2008 Hirschmann 2008 Hirschmann Automation and and Control GmbH. Contents Overview Switch Security Firewalls Conclusion 2 Copyright 2008 Hirschmann

More information

SonicOS 5.9 / 6.0.5 / 6.2 Log Events Reference Guide with Enhanced Logging

SonicOS 5.9 / 6.0.5 / 6.2 Log Events Reference Guide with Enhanced Logging SonicOS 5.9 / 6.0.5 / 6.2 Log Events Reference Guide with Enhanced Logging 1 Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your system. CAUTION:

More information

Network Security. Computer Security & Forensics. Security in Compu5ng, Chapter 7. l Network Defences. l Firewalls. l Demilitarised Zones

Network Security. Computer Security & Forensics. Security in Compu5ng, Chapter 7. l Network Defences. l Firewalls. l Demilitarised Zones Network Security Security in Compu5ng, Chapter 7 Topics l Network AAacks l Reconnaissance l AAacks l Spoofing l Web Site Vulnerabili5es l Denial of Service l Network Defences l Firewalls l Demilitarised

More information

Presented By: Holes in the Fence. Agenda. IPCCTV Attack. DDos Attack. Why Network Security is Important

Presented By: Holes in the Fence. Agenda. IPCCTV Attack. DDos Attack. Why Network Security is Important Presented By: Holes in the Fence Dave Engebretson, Contributing Technology writer, SDM Magazine Industry Instructor in Fiber and Networking Prevention of Security System breaches of networked Edge Devices

More information

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT Network Security s Access lists Ingress filtering s Egress filtering NAT 2 Drivers of Performance RequirementsTraffic Volume and Complexity of Static IP Packet Filter Corporate Network The Complexity of

More information

Internet Firewall CSIS 4222. Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS 4222. net15 1. Routers can implement packet filtering

Internet Firewall CSIS 4222. Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS 4222. net15 1. Routers can implement packet filtering Internet Firewall CSIS 4222 A combination of hardware and software that isolates an organization s internal network from the Internet at large Ch 27: Internet Routing Ch 30: Packet filtering & firewalls

More information

Architecture Overview

Architecture Overview Architecture Overview Design Fundamentals The networks discussed in this paper have some common design fundamentals, including segmentation into modules, which enables network traffic to be isolated and

More information

Flashback: Internet design goals. Security Part Two: Attacks and Countermeasures. Security Vulnerabilities. Why did they leave it out?

Flashback: Internet design goals. Security Part Two: Attacks and Countermeasures. Security Vulnerabilities. Why did they leave it out? Flashback: Internet design goals Security Part Two: Attacks and Countermeasures 1. Interconnection 2. Failure resilience 3. Multiple types of service 4. Variety of networks 5. Management of resources 6.

More information

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam JK0 015 CompTIA E2C Security+ (2008 Edition) Exam Version 4.1 QUESTION NO: 1 Which of the following devices would be used to gain access to a secure network without affecting network connectivity? A. Router

More information

APNIC elearning: Network Security Fundamentals. 20 March 2013 10:30 pm Brisbane Time (GMT+10)

APNIC elearning: Network Security Fundamentals. 20 March 2013 10:30 pm Brisbane Time (GMT+10) APNIC elearning: Network Security Fundamentals 20 March 2013 10:30 pm Brisbane Time (GMT+10) Introduction Presenter/s Nurul Islam Roman Senior Training Specialist nurul@apnic.net Specialties: Routing &

More information

CIT 380: Securing Computer Systems

CIT 380: Securing Computer Systems CIT 380: Securing Computer Systems Scanning CIT 380: Securing Computer Systems Slide #1 Topics 1. Port Scanning 2. Stealth Scanning 3. Version Identification 4. OS Fingerprinting 5. Vulnerability Scanning

More information

HONEYD (OPEN SOURCE HONEYPOT SOFTWARE)

HONEYD (OPEN SOURCE HONEYPOT SOFTWARE) HONEYD (OPEN SOURCE HONEYPOT SOFTWARE) Author: Avinash Singh Avinash Singh is a Technical Evangelist currently worksing at Appin Technology Lab, Noida. Educational Qualification: B.Tech from Punjab Technical

More information

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls.

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls. Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls. 1 Information systems in corporations,government agencies,and other organizations

More information

Evading Infrastructure Security Mohamed Bedewi Penetration Testing Consultant

Evading Infrastructure Security Mohamed Bedewi Penetration Testing Consultant Evading Infrastructure Security Mohamed Bedewi Penetration Testing Consultant What infrastructure security really means? Infrastructure Security is Making sure that your system services are always running

More information

Network Security Fundamentals

Network Security Fundamentals APNIC elearning: Network Security Fundamentals 27 November 2013 04:30 pm Brisbane Time (GMT+10) Introduction Presenter Sheryl Hermoso Training Officer sheryl@apnic.net Specialties: Network Security IPv6

More information

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 40 Firewalls and Intrusion

More information

Firewalls P+S Linux Router & Firewall 2013

Firewalls P+S Linux Router & Firewall 2013 Firewalls P+S Linux Router & Firewall 2013 Firewall Techniques What is a firewall? A firewall is a hardware or software device which is configured to permit, deny, or proxy data through a computer network

More information

CIT 480: Securing Computer Systems. Firewalls
