Network Security Management
TWNIC 2003

Objective
- Have an overview of the concepts of network security management.
- Learn how to use NIDS and firewall technologies to secure our networks.
Outline
- Network Security Management
- NIDS
- Firewall
- Case Study: Firewall on Linux

What is Information Security?
- In its simplest form, it is protecting data from unauthorized access.
- Three basic levels of security:
  - The application level.
  - The host level.
  - The network level.
- Each level must be properly secured: the weakest-link theory says the whole is only as secure as its least-secured level.
Why Network Security?
- The Internet, just like a traditional society, contains some unfriendly people who try to break into your network systems for certain reasons:
  - Money
  - Access to additional resources
  - Competitive advantage
  - Curiosity and mischief

Network Security Objectives
- Confidentiality
- Authenticity
- Integrity
- Availability
- Authorization
Network Security Utilities
- There are two common network security utilities:
  - Network Intrusion Detection System (NIDS), which is able to identify intrusion attempts.
  - Firewall, which is able to do network access control.

NIDS
NIDS
- NIDS stands for Network Intrusion Detection System.
- Intrusion: someone tries to break into your network system.
- A NIDS is an intelligent system that is able to monitor packets on the network wire, identify network intrusion attempts, then send alerts to administrators and make a response.

Attack Identification
- Stateless Pattern Matching
- Stateful Pattern Matching
- Protocol Decode-based Analysis
- Heuristic-based Analysis
- Anomaly-based Analysis
Stateless Pattern Matching
- Pattern matching based on looking for a fixed sequence of bytes in a single packet.
- Pros: the simplest method to detect intrusions.
- Cons:
  - Any modification to the attack can lead to missed events (false negatives).
  - Limited to inspection of a single packet.

Stateful Pattern Matching
- Maintains state information on the TCP stream being monitored.
- Matches are made in context, within the state of the stream.
- Pros: matches patterns across packet boundaries.
- Cons: may lead to high false positive rates if the pattern is not as unique as the signature writer assumed.
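The difference between the two methods, as an added example that is not part of the original slides: a stateless matcher inspects each packet alone and misses a signature split across two TCP segments, while a stateful matcher reassembles the stream by sequence number first and finds it. The signature and the segments are constructed for illustration.

```python
# Added example (not from the slides): stateless vs stateful pattern matching
# over a constructed, out-of-order pair of TCP segments.
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


# Constructed detection signature: a fixed byte sequence, as on the slide.
SIGNATURE = b"/bin/sh"

# Constructed request whose signature straddles a segment boundary; the list is
# deliberately out of order, as segments may be seen on the wire.
PACKETS = [
    Segment(seq=1022, payload=b"n/sh HTTP/1.0\r\n"),
    Segment(seq=1000, payload=b"GET /cgi-bin/x?cmd=/bi"),
]


def stateless_match(segments, signature=SIGNATURE):
    """Inspect each packet on its own; return the indexes of packets holding the whole signature."""
    return [i for i, s in enumerate(segments) if signature in s.payload]


def reassemble(segments):
    """Order payload bytes by sequence number and return the contiguous runs of stream data.
    Overlapping retransmissions keep the first copy seen; a gap (missing segment) starts a
    new run so the matcher never joins bytes that were not adjacent in the stream."""
    byte_at = {}
    for s in segments:
        for k, b in enumerate(s.payload):
            byte_at.setdefault(s.seq + k, b)
    runs, cur, prev = [], bytearray(), None
    for off in sorted(byte_at):
        if prev is not None and off != prev + 1:
            runs.append(bytes(cur))
            cur = bytearray()
        cur.append(byte_at[off])
        prev = off
    if cur:
        runs.append(bytes(cur))
    return runs


def stateful_match(segments, signature=SIGNATURE):
    """Match against the reassembled stream, so the signature is found across packet boundaries."""
    return any(signature in run for run in reassemble(segments))


if __name__ == "__main__":
    print("stateless hits:", stateless_match(PACKETS))  # [] : signature split across packets
    print("stateful hit:  ", stateful_match(PACKETS))   # True
```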
Protocol Decode-based Analysis
- Decodes the various elements of the protocol in the same manner as the client or server in the conversation would.
- When the elements of the protocol are identified, the IDS applies rules defined by the RFCs to look for violations.
- Pros: minimizes the chance of false positives if the protocol is well defined and enforced.
- Cons: can lead to high false positive rates if the RFC is ambiguous, and these gray-area protocol violations are very common.

Heuristic-based Analysis
- Uses some type of algorithmic logic on which to base alarm decisions.
- These algorithms are often statistical evaluations of the type of traffic being presented.
- Pros: some types of suspicious/malicious activity cannot be detected through any other means.
- Cons: algorithms may require tuning or modification in order to better conform to network traffic and limit false positives.
Anomaly-based Analysis
- Geared to looking for network traffic that deviates from what is seen normally.
- A subcategory of this type of detection is the profile-based detection method, which bases its alerts on changes in the way that users or systems interact on the network.
- Pros: can detect unknown attacks if implemented properly.
- Cons: highly dependent on the environment in which the system learns what "normal" is.

NIDS Reaction
- Common actions:
  - Log suspicious attempts
  - Log suspicious packets
  - Send an alert (email or short message) to the administrator
- Make a response:
  - Reset the connection
  - Change the firewall configuration accordingly
NIDS Limitation
- A NIDS may not be able to identify intrusion attempts based on new hacking or cracking techniques.
- A NIDS monitors network traffic in real time; however, its reaction to intrusion attempts may not take effect in time.

An IDS: SNORT
- The Open Source Network Intrusion Detection System
- http://www.snort.org/
Firewall

Firewall
- An inter-network gateway that restricts data communication traffic to and from one of the connected networks (the one said to be "inside" the firewall) and thus protects that network's system resources against threats from the other network (the one that is said to be "outside" the firewall). (RFC 2828)
Firewall (cont.)
- A firewall typically protects a smaller, secure network (such as a corporate LAN, or even just one host) from a larger network (such as the Internet).
- The firewall is installed at the point where the networks connect, and it applies security policy rules to control the traffic that flows in and out of the protected network.

Firewall Zones
- Un-trust (Internet, external)
- DMZ (De-Militarized Zone): a portion of a network that separates a purely internal network from an external network.
- Trust (intranet, internal)
Firewall Zones (cont.)
- Diagram: Un-trust -> Outer Wall -> DMZ (hosting the MAIL and WEB servers) -> Inner Wall -> Trust

Firewall Types
- Packet filtering
  - Stateless (IP)
  - Stateful (TCP)
- Application Gateway
- Hybrid
Stateless Firewall
- Diagram: packets passing through the Physical / Data Link / IP / TCP / Application layer stack.
- Filtering based on packet rules: IP address, port number, etc.

Stateful Firewall
- Diagram: packets passing through the Physical / Data Link / IP / TCP / Application layer stack.
- Filtering based on session rules: TCP flags, etc.
Application Gateway
- Diagram: packets passing through the Physical / Data Link / IP / TCP / Application layer stack.
- Filtering based on application rules: protocol, contents, etc.

Hybrid Firewall
- Diagram: packets passing through the Physical / Data Link / IP / TCP / Application layer stack.
- Filtering based on packet rules, session rules, and application rules.
Firewall Limitation
- Cannot protect against attacks inside networks.
- Cannot protect against attacks coming from trusted networks.
- Cannot protect against traffic with viral contents (anti-virus programs required).

A Firewall: netfilter
- Firewalling, NAT and packet mangling for Linux 2.4
- http://www.netfilter.org/
Case Study: Firewall on Linux

iptables
- Linux 2.4 kernels
- Stateful
- IPv6 support
- Backwards compatibility modules for ipfwadm and ipchains
- Extensible tests and actions
- Fully modular design
iptables Syntax Example
  # domain/udp (O)
  /sbin/iptables -A OUTPUT -o lo -p udp -s localhost/32 --sport 1024:65535 -d localhost/32 --dport domain -j ACCEPT

Initial
- Check firewall rules (INPUT, OUTPUT, FORWARD chains):
  iptables -L
- Enable IP forwarding:
  echo "1" > /proc/sys/net/ipv4/ip_forward
Rules
- Add rules:
  iptables -A INPUT -p icmp -j DROP
- Delete rules (by position in the chain):
  iptables -D INPUT 1
- Flush rules:
  iptables -F INPUT

Configuration Examples
  # 198.168.0.0 ssh (O)
  iptables -A INPUT -s 198.168.0.0 -p tcp --destination-port ssh -j ACCEPT
  # Not from 198.168.0.0 (D)
  iptables -A INPUT -s ! 198.168.0.0 -p tcp --destination-port ssh -j DROP
(The "-s !" negation is the syntax of the iptables releases of the day; current releases write the negation before the option, "! -s 198.168.0.0".)
Configuration Examples (cont.)
  # 198.168.0.0 telnet service
  iptables -A OUTPUT -p tcp --destination-port telnet -d 198.168.0.0 -j ACCEPT
  # Not from 192.168.0.0 telnet service
  iptables -A OUTPUT -p tcp --destination-port telnet -d ! 198.168.0.0 -j REJECT

iptables Log Format
  Apr 30 21:04:10 sparrow kernel: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=11339 DF PROTO=UDP SPT=33272 DPT=53 LEN=53
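A parser for the log format shown above, as an added example that is not part of the original slides, with a small detection pass over the parsed records. The first sample line is the slide's own; the other lines, the host names and the addresses are constructed. Note that LEN appears twice in a UDP record (IP total length, then UDP length), so a naive key=value dictionary would silently lose one of them.

```python
# Added example (not from the slides): parse iptables LOG lines and count
# inbound TCP SYNs per source over constructed sample input.
import re

# Constructed sample: line 1 is the slide's line, lines 2-3 are invented.
SAMPLE_LOG = """\
Apr 30 21:04:10 sparrow kernel: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=11339 DF PROTO=UDP SPT=33272 DPT=53 LEN=53
Apr 30 21:05:01 sparrow kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4311 DF PROTO=TCP SPT=40022 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 30 21:05:02 sparrow kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4312 DF PROTO=TCP SPT=40023 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# syslog prefix (timestamp, host, "kernel:") followed by the key=value fields
PREFIX = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<rest>.*)$")


def parse_line(line):
    """Return a dict of fields, or None if the line is not an iptables LOG line.
    Bare tokens (DF, SYN, ACK, ...) go into 'flags'. The second LEN (transport
    length) is stored as L4_LEN so it does not overwrite the IP total length."""
    m = PREFIX.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "flags": []}
    for tok in m["rest"].split():
        if "=" not in tok:
            rec["flags"].append(tok)
            continue
        key, val = tok.split("=", 1)
        if key == "LEN" and "LEN" in rec:
            key = "L4_LEN"
        rec[key] = val
    return rec


def inbound_syn_ports(lines):
    """Map each source address to the set of ports it sent inbound TCP SYNs to
    (IN set, i.e. the packet arrived on an interface). One source touching many
    ports in a short time is the kind of pattern worth an alert."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if not rec or rec.get("PROTO") != "TCP" or not rec.get("IN") or "SYN" not in rec["flags"]:
            continue
        hits.setdefault(rec["SRC"], set()).add(int(rec["DPT"]))
    return hits


if __name__ == "__main__":
    for src, ports in inbound_syn_ports(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: inbound SYN to ports {sorted(ports)}")
```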
Reference
- Cisco Systems, Inc., The Science of Intrusion Detection System Attack Identification. http://www.firewall-software.com/firewall_white_paper.html
- http://www.netfilter.org/

Thank You! Q & A