CSE331: Introduction to Networks and Security. Lecture 17 Fall 2006

Similar documents
CSE331: Introduction to Networks and Security. Lecture 18 Fall 2006

CSE331: Introduction to Networks and Security. Lecture 32 Fall 2004

Port Scanning and Vulnerability Assessment. ECE4893 Internetwork Security Georgia Institute of Technology

Intrusion Detection Systems (IDS)

ANNEXURE-1 TO THE TENDER ENQUIRY NO.: DPS/AMPU/MIC/1896. Network Security Software Nessus- Technical Details

INTRUSION DETECTION SYSTEMS and Network Security

How To Test A Control System With A Network Security Tool Like Nesus

SCP - Strategic Infrastructure Security

Vulnerability Assessment and Penetration Testing. CC Faculty ALTTC, Ghaziabad

Network Attacks and Defenses

Passive Vulnerability Detection

Vulnerability Assessment and Penetration Testing

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

Presented By: Holes in the Fence. Agenda. IPCCTV Attack. DDos Attack. Why Network Security is Important

Security: Attack and Defense

Intrusion Detection Categories (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

How to build and use a Honeypot. Ralph Edward Sutton, Jr. DTEC 6873 Section 01

Högskolan i Halmstad Sektionen för Informationsvetenskap, Data- Och Elektroteknik (IDÉ) Ola Lundh. Name (in block letters) :

Cyber Essentials. Test Specification

Chapter 6 Phase 2: Scanning

Course Title: Penetration Testing: Security Analysis

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

P Principles of Network Forensics P Terms & Log-based Tracing P Application Layer Log Analysis P Lower Layer Log Analysis

Penetration Testing Report Client: Business Solutions June 15 th 2015

VPNSCAN: Extending the Audit and Compliance Perimeter. Rob VandenBrink

HoneyBOT User Guide A Windows based honeypot solution

CS2107 Introduction to Information and System Security (Slid. (Slide set 8)

Penetration Testing. NTS330 Unit 1 Penetration V1.0. February 20, Juan Ortega. Juan Ortega, juaorteg@uat.edu. 1 Juan Ortega, juaorteg@uat.

How To Protect Your Network From Attack From A Hacker On A University Server

FIREWALL POLICY November 2006 TNS POL - 008

Web App Security Audit Services

Firewalls & Intrusion Detection

CMSC 421, Operating Systems. Fall Security. URL: Dr. Kalpakis

Port Scanning. Objectives. Introduction: Port Scanning. 1. Introduce the techniques of port scanning. 2. Use port scanning audit tools such as Nmap.

Lab 3: Recon and Firewalls

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak DryView 8150 Imager Release 1.0.

Radware s Behavioral Server Cracking Protection

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained

Medical Device Security Health Group Digital Output

Network Forensics: Log Analysis

IDS / IPS. James E. Thiel S.W.A.T.

IDS 4.0 Roadshow. Module 1- IDS Technology Overview. 2003, Cisco Systems, Inc. All rights reserved. IDS Roadshow

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities

Certified Ethical Hacker (CEH)

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

NETWORK SECURITY WITH OPENSOURCE FIREWALL

An Overview of the Bro Intrusion Detection System

Outline. Outline. Outline

Stop that Big Hack Attack Protecting Your Network from Hackers.

Introduction of Intrusion Detection Systems

INTRUSION DETECTION SYSTEM (IDS) by Kilausuria Abdullah (GCIH) Cyberspace Security Lab, MIMOS Berhad

Network Instruments white paper

Network Security. 1 Pass the course => Pass Written exam week 11 Pass Labs

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

CIT 380: Securing Computer Systems

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

Security Advisory. Some IPS systems can be easily fingerprinted using simple techniques.

Attacks and Defense. Phase 1: Reconnaissance

Securing E-Commerce. Agenda. The Security Problem IC Security: Key Elements Designing and Implementing _06_2000_c1_sec3

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

Five Steps to Improve Internal Network Security. Chattanooga ISSA

Firewall Server 7.2. Release Notes. What's New in Firewall Server 7.2

Network Incident Report

Managed Intrusion, Detection, & Prevention Services (MIDPS) Why Sorting Solutions? Why ProtectPoint?

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP

Nessus. A short review of the Nessus computer network vulnerability analysing tool. Authors: Henrik Andersson Johannes Gumbel Martin Andersson

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 8 Desktop and Server OS Vulnerabilities

GFI White Paper PCI-DSS compliance and GFI Software products

A Decision Maker s Guide to Securing an IT Infrastructure

Learn Ethical Hacking, Become a Pentester

HP A-IMC Firewall Manager

Security Considerations White Paper for Cisco Smart Storage 1

REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB

24/7 Visibility into Advanced Malware on Networks and Endpoints

IBM. Vulnerability scanning and best practices

Network Monitoring Tool to Identify Malware Infected Computers

Penetration Testing with Kali Linux

Role of Anomaly IDS in Network

Chapter 11 Cloud Application Development

For more information or call

Patch and Vulnerability Management Program

Intrusion Detection Systems

Second-generation (GenII) honeypots

How To Protect A Network From Attack From A Hacker (Hbss)

Network- vs. Host-based Intrusion Detection

Open Source Security: Opportunity or Oxymoron?

Running a Default Vulnerability Scan SAINTcorporation.com

Nessus and Antivirus. January 31, 2014 (Revision 4)

An Introduction to Network Vulnerability Testing

Basics of Internet Security

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

Transcription:

CSE331: Introduction to Networks and Security Lecture 17 Fall 2006

Announcements Project 2 is due next Weds. Homework 2 has been assigned: It's due on Monday, November 6th. CSE331 Fall 2004 2

Summary: Reactive Defense Reaction time: required reaction times are a couple minutes or less (far less for bandwidth-limited scanners) Containment strategy: content filtering is more effective than address blacklisting Deployment scenarios: need nearly all customer networks to provide containment need at least top 40 ISPs provide containment CSE331 Fall 2004 3

Virus Scanners Search the system for virus signatures Main memory All files in file system Should also check boot sector Where to scan? At each host (e.g. Norton Antivirus) At the firewall At the mail server When to scan? On access (when a program is run) On demand (at user s request, or scheduled) When e-mail is received? Before web content is displayed? How to scan? Potentially large database of signatures Need to match against all software on the system CSE331 Fall 2004 4

Virus/Worm Scanning Pros Effectively detects known viruses/worms before they can cause harm Few false alarms Cons Can detect only viruses/worms with known signatures Performance penalty (due to scanning) Signature set must be kept up to date Virus/worm writers can easily change signatures ==> Generate signatures automatically Automated Worm Fingerprinting (more in a bit) CSE331 Fall 2004 5

Software Integrity Checks Compute a hash or checksum of executable files Merkle Hash trees Assumes the software to be virus free! Store the hash information for later verification Verify new hash vs. saved one during scan Also used for ensuring that software is not corrupted/modified when shipped over the network. Pros: Can detect corruption of executables too Reliable Doesn t require virus signatures Cons: False positives (i.e. recompilation) Can t use it on documents (they change too often) Not supported by most vendors CSE331 Fall 2004 6

Heuristic Detection Collection of ad hoc rules that identifies virus behavior or virus-like programs Modification of system executables Modification of template documents like normal.doc Self-modifying and self-referential code Atypical or abnormal behavior Pros Perhaps able to detect unknown viruses/worms Can build tools to look for these features Cons Heuristics are expensive and hard to develop. Too may false positives? CSE331 Fall 2004 7

Detecting Attacks Attacks (against computer systems) usually consist of several stages: Finding software vulnerabilities Exploiting them Hiding/cleaning up the exploit Attackers care about finding vulnerabilities: What machines are available? What OS / version / patch level are the machines running? What additional software is running? What is the network topology? Attackers care about not getting caught: How detectible will the attack be? How can the attacker cover her tracks? Programs can automate the process of finding/exploiting vulnerabilities. Same tools that sys. admins. use to audit their systems A worm is just an automatic vulnerability finder/exploiter CSE331 Fall 2004 8

Attacker Reconnaissance Network Scanning Existence of machines at IP addresses Attempt to determine network topology ping, tracert Port scanners Try to detect what processes are running on which ports, which ports are open to connections. Typical machine on the internet gets 10-20 port scans per day! Can be used to find hit lists for flash worms Web services Use a browser to search for CGI scripts, Javascript, etc. CSE331 Fall 2004 9

Determining OS information Gives a lot of information that can help an attacker carry out exploits Exact version of OS code can be correlated with vulnerability databases Sadly, often simple to obtain this information: Just try telnet playground~> telnet hpux.u-aizu.ac.jp Trying 163.143.103.12... Connected to hpux.u-aizu.ac.jp. Escape character is '^]'. HP-UX hpux B.10.01 A 9000/715 (ttyp2) login: CSE331 Fall 2004 10

Determining OS Or ftp: $ ftp ftp.netscape.com 21 Connected to ftp.gftp.netscape.com. 220-36 220 ftpnscp.newaol.com FTP server (SunOS 5.8) ready. Name (ftp.netscape.com:stevez): 331 Password required for stevez. Password: 530 Login incorrect. ftp: Login failed. Remote system type is UNIX. Using binary mode to transfer files. ftp> system 215 UNIX Type: L8 Version: SUNOS ftp> CSE331 Fall 2004 11

Determining OS Exploit different implementations of protocols Different OS s have different behavior in some cases Consider TCP protocol, there are many flags and options, and some unspecified behavior Reply to bogus FIN request for TCP port (should not reply, but some OS s do) Handling of invalid flags in TCP packets (some OS s keep the invalid flags set in reply) Initial values for RWS, pattern in random sequence numbers, etc. Can narrow down the possible OS based on the combination of implementation features Tools can automate this process CSE331 Fall 2004 12

Auditing: Remote auditing tools Several utilities available to attack or gather information about services/daemons on a system. SATAN (early 1990 s): Security Administrator Tool for Analyzing Networks SAINT - Based on SATAN utility SARA - Also based on SATAN Nessus - Open source vulnerability scanner http://www.nessus.org Nmap Commercial: ISS scanner Cybercop CSE331 Fall 2004 13

Nmap screen shot http://www.insecure.org/nmap http://www.insecure.org/nmap/nmap-fingerprinting-article.html CSE331 Fall 2004 14

Kinds of Auditing done Nessus web pages: Backdoors CGI abuses Denial of Service Finger abuses Firewalls FTP Gain a shell remotely Gain root remotely Netware NIS Port scanners Remote file access RPC Settings SMTP problems SNMP Useless services Windows Windows : User management Doing this kind of auditing by hand is complex and error prone These tools aren t fool proof or complete. CSE331 Fall 2004 15

Snort Snort is a lightweight intrusion detection system: Real-time traffic analysis Packet logging (of IP networks) Rules based logging to perform content pattern matching to detect a variety of attacks and probes: such as buffer overflows, stealth port scans, CGI attacks, SMB probes, etc. Example Rule: alert tcp any any -> 192.168.1.0/24 143 (content:" E8C0 FFFF FF /bin/sh"; msg:"new IMAP Buffer Overflow detected!";) Generates an alert on all inbound traffic for port 143 with contents containing the specified attack signature. The Snort web site: http://www.snort.org/docs/ Question: How do you come up with the filter rules? CSE331 Fall 2004 16

Detection & Prevention Recap Many strategies for intrusion detection So far, the techniques we've seen are local to a machine or local network. What about large scale behavior? Virus/worm scanners work well if known signatures are available Constructing signatures can be hard Reaction time must be very quick CSE331 Fall 2004 17

Internet Telescopes Can be used to detect large-scale, widespread attacks on the internet. Existing IP addresses Unused addresses Worm sends randomly CSE331 Fall 2004 18

Internet Telescopes Can be used to detect large-scale, widespread attacks on the internet. Existing IP addresses UCSD monitors 17M+ addresses Worm sends randomly Telescope monitors packets for large range of unused addresses CSE331 Fall 2004 19

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information