Firewalls & Intrusion Detection

CS 594 Special Topics / Kent Law School: Computer and Network Privacy and Security: Ethical, Legal, and Technical Consideration. 2007, 2008, Robert H. Sloan

Security Intrusion
A security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so. (RFC 2828, Internet Security Glossary, May 2000)

Most recent (?) example: Storm
"Doh! April Fools" message followed by a numeric URL, starting in late March. Leads to a link asking you to click something. That opens up the (Windows) firewall using the netsh firewall set command, then opens a lot of outbound connections.

Firewalls
A firewall is a perimeter defense: an electronic fence at the outskirts of an organization's network.
Most widely sold form of protection.
Prevents (some or all) incoming network communications.

Firewalls (cont)
Network services (e.g., file sharing, remote login, web serving) live at a fixed address of IP + port number that clients use to connect.
The organization decides which services not to offer, and filters out requests for those at the gateway firewall.
Interior hosts are thus protected against

Perimeter defense
Protects against misconfigured or underprotected systems.
Implements organization-wide policy.
Provides redundant protection: defense in depth.

Software vs. hardware firewalls
Money vs. bandwidth tradeoff.
All of us in this room can use a software firewall on our home network (unless running a major web server).
A university needs a hardware firewall.
Related but distinct issue: personal vs. network firewall.

Organization vs. host
An organization will almost certainly have (at least one) hardware-based firewall: a dedicated computer with a special-purpose minimal OS (NOT traditional Windows nor Linux nor Mac OS X) whose only job is to be the firewall.
Host: you and me, in addition.

Packet filtering
Firewalls inspect packets (normally both incoming and outgoing) to determine whether to let them pass.
The earliest firewalls used only static packet filtering: look at each packet individually (e.g., source and destination IP address, port number, and transport protocol) to determine whether it should be allowed.

Stateful inspection
Stateful packet inspection keeps track of active connections to determine whether packets should be filtered.
Necessary because of how the protocols work: a surfer's browser sends from a random high-numbered port to the web server at port 80 (standard), and the server replies from port 80 back to that high-numbered port. A static filter cannot tell that legitimate reply from an unsolicited inbound packet without leaving the high-numbered ports open to everyone; a stateful filter admits the reply because it matches a connection it already saw the inside host open. (Some protocols, such as active-mode FTP, really do open a second connection back from the server, which a stateful firewall must also track.)
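The difference between the two approaches, as an added illustration (not code from the lecture): a stateless filter that has to admit "replies" by source port alone, beside a filter that remembers which connections the inside opened. The addresses, ports and packets are constructed for the demonstration (192.0.2.10 is an inside client, 203.0.113.5 a web server, 198.51.100.7 an attacker).

```python
"""Static packet filtering versus stateful inspection, in miniature.

Added illustration, not code from the lecture. Addresses and ports are
constructed (RFC 5737 documentation prefixes).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str          # "out": leaving the intranet, "in": arriving from the Internet
    syn: bool = False
    ack: bool = False


def static_filter(pkt):
    """Stateless filter: judges each packet on its own header fields only.

    To let web replies back in it has to admit every inbound TCP packet whose
    source port is 80, so it cannot distinguish a genuine reply from an
    attacker who simply sends from port 80.
    """
    if pkt.direction == "out":
        return True
    return pkt.sport == 80


class StatefulFilter:
    """Remembers connections the inside opened and admits only their replies.

    Simplification: a real implementation also checks sequence numbers and
    TCP state, and expires table entries; this model keeps a bare 4-tuple set.
    """

    def __init__(self):
        self.connections = set()     # (inside ip, inside port, outside ip, outside port)

    def check(self, pkt):
        if pkt.direction == "out":
            if pkt.syn and not pkt.ack:      # new connection initiated from inside
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: admitted only if it is the reverse of a tracked connection.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections


def demo():
    """Run the same three packets through both filters; return the verdicts."""
    client_syn = Packet("192.0.2.10", 51234, "203.0.113.5", 80, "out", syn=True)
    server_reply = Packet("203.0.113.5", 80, "192.0.2.10", 51234, "in", syn=True, ack=True)
    # Attacker picks source port 80 to look like a web reply and aims at SMB (445).
    forged = Packet("198.51.100.7", 80, "192.0.2.10", 445, "in", syn=True)

    packets = [client_syn, server_reply, forged]
    stateful = StatefulFilter()
    return {
        "static": [static_filter(p) for p in packets],
        "stateful": [stateful.check(p) for p in packets],
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, ["pass" if v else "drop" for v in verdicts])
```

Both filters pass the outbound request and the genuine reply; only the stateful one drops the forged packet, because nothing inside ever opened a connection to 198.51.100.7.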

Firewall topology
A firewall must be located at some point where packets pass. This holds for the organization in addition to individual machines (personal firewall).
Common choices:
Single gateway (bastion host).
Screened subnet (DMZ): allow more access to a subnet with public services (e.g., web server), little/zero access to the private internal network. (Using 1 or 2 software/hardware firewalls.)

Firewall uses a set of rules
Ordered set of rules; the first match is applied.
Form is something like: Allow or Deny protocol (TCP, UDP, ICMP, IP) from source address to destination address.
Unless you are a deep specialist, you don't want to be writing your own rules. Mine are automatically generated for me by Mac OS X based on my preferences.

My firewall rules
sloan$ sudo ipfw list
02000 allow ip from any to any via lo*
02010 deny ip from 127.0.0.0/8 to any in
02020 deny ip from any to 127.0.0.0/8 in
02030 deny ip from 224.0.0.0/3 to any in
02040 deny tcp from any to 224.0.0.0/3 in
02050 allow tcp from any to any out
02060 allow tcp from any to any established
02065 allow tcp from any to any frag
02070 allow tcp from any to any dst-port 548 in
02080 allow tcp from any to any dst-port 427 in
02090 allow tcp from any to any dst-port 3689 in
02100 allow tcp from any to any dst-port 631 in
02110 allow tcp from any to any dst-port 515 in
12190 deny log tcp from any to any
65535 allow ip from any to any

What the rules mean
1. Allow the computer to talk to itself (loopback).
2. Deny well-known spoofing (packets arriving from the network that claim loopback or multicast addresses).
3. Allow outbound connections.
4. Allow established connections (stateful!). Caveat: ipfw's established keyword is a flag test, matching any TCP segment with ACK or RST set, so rule 02060 admits any inbound packet carrying those flags whether or not a connection exists; true connection tracking in ipfw uses keep-state/check-state.
5. Allow explicitly wanted inbound connections (548 AFP file sharing, 427 SLP, 3689 DAAP/iTunes sharing, 631 IPP printing, 515 LPD).
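Ordered, first-match evaluation of that rule set, as an added example (not the lecture's code, and not ipfw itself): a parser for the subset of ipfw syntax the fifteen rules above use, walked in ascending rule-number order the way ipfw does. The first test packet is the SMTP probe from the log excerpt below (121.11.91.3:52361 to 131.193.40.122:25); the other packets are constructed, including an ACK-only probe that shows what the established caveat means in practice.

```python
"""First-match evaluation of an ipfw rule set.

Added illustration, not the lecture's code. Supports only the tokens the
listed rules use: action [log] proto from SRC to DST [in|out] [via IFACE]
[established] [frag] [dst-port N].
"""
import fnmatch
import ipaddress

IPFW_RULES = """
02000 allow ip from any to any via lo*
02010 deny ip from 127.0.0.0/8 to any in
02020 deny ip from any to 127.0.0.0/8 in
02030 deny ip from 224.0.0.0/3 to any in
02040 deny tcp from any to 224.0.0.0/3 in
02050 allow tcp from any to any out
02060 allow tcp from any to any established
02065 allow tcp from any to any frag
02070 allow tcp from any to any dst-port 548 in
02080 allow tcp from any to any dst-port 427 in
02090 allow tcp from any to any dst-port 3689 in
02100 allow tcp from any to any dst-port 631 in
02110 allow tcp from any to any dst-port 515 in
12190 deny log tcp from any to any
65535 allow ip from any to any
"""


def parse_rule(line):
    """Parse one 'ipfw list' line into a dict."""
    tok = line.split()
    rule = {"number": int(tok[0]), "action": tok[1], "log": False}
    i = 2
    if tok[i] == "log":
        rule["log"] = True
        i += 1
    rule["proto"] = tok[i]
    if tok[i + 1] != "from" or tok[i + 3] != "to":
        raise ValueError("unexpected rule shape: %r" % line)
    rule["src"], rule["dst"] = tok[i + 2], tok[i + 4]
    i += 5
    opts = {}
    while i < len(tok):
        t = tok[i]
        if t in ("in", "out"):
            opts["direction"] = t
        elif t in ("established", "frag"):
            opts[t] = True
        elif t == "via":
            i += 1
            opts["via"] = tok[i]
        elif t == "dst-port":
            i += 1
            opts["dst_port"] = int(tok[i])
        else:
            raise ValueError("unsupported ipfw token %r in %r" % (t, line))
        i += 1
    rule["opts"] = opts
    return rule


RULES = sorted((parse_rule(l) for l in IPFW_RULES.strip().splitlines()),
               key=lambda r: r["number"])


def addr_matches(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def rule_matches(rule, pkt):
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if not (addr_matches(rule["src"], pkt["src"]) and addr_matches(rule["dst"], pkt["dst"])):
        return False
    o = rule["opts"]
    if "direction" in o and o["direction"] != pkt["direction"]:
        return False
    if "via" in o and not fnmatch.fnmatch(pkt["iface"], o["via"]):
        return False
    # ipfw 'established' is a flag test (ACK or RST set), not connection tracking.
    if o.get("established") and not (pkt["flags"] & {"ack", "rst"}):
        return False
    if o.get("frag") and not pkt["frag"]:
        return False
    if "dst_port" in o and o["dst_port"] != pkt["dport"]:
        return False
    return True


def evaluate(pkt, rules=RULES):
    """Return (rule number, action) of the first matching rule."""
    for rule in rules:              # ascending rule number; first match wins
        if rule_matches(rule, pkt):
            return rule["number"], rule["action"]
    raise RuntimeError("no match; a real ipfw set always ends in rule 65535")


def tcp(src, sport, dst, dport, direction, flags=("syn",), iface="en0", frag=False):
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport,
            "direction": direction, "flags": set(flags), "iface": iface, "frag": frag}


def demo():
    return {
        # SMTP probe from the log: passes every allow rule, lands on the logging deny
        "smtp_probe": evaluate(tcp("121.11.91.3", 52361, "131.193.40.122", 25, "in")),
        # reply to a web request this host made: ACK set, so 02060 admits it
        "web_reply": evaluate(tcp("203.0.113.5", 80, "131.193.40.122", 51234, "in", ("syn", "ack"))),
        # explicitly wanted inbound service (AFP on 548)
        "afp": evaluate(tcp("131.193.40.9", 49152, "131.193.40.122", 548, "in")),
        # ACK-only probe to port 25 with no connection behind it: 02060 still lets it in
        "ack_probe": evaluate(tcp("198.51.100.7", 40000, "131.193.40.122", 25, "in", ("ack",))),
        # loopback-sourced packet arriving on en0: anti-spoofing rule
        "spoof": evaluate(tcp("127.0.0.1", 1234, "131.193.40.122", 25, "in")),
    }


if __name__ == "__main__":
    for name, (number, action) in demo().items():
        print("%-10s -> rule %05d %s" % (name, number, action))
```

The ack_probe result is the practical consequence of the caveat in point 4: because 02060 tests flags rather than a connection table, a crafted ACK segment reaches port 25 where a SYN would have been logged and denied.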

Why do I need a firewall?
Jun 25 10:28:11 robert-sloans-powerbook-g4-12 ipfw: 12190 Deny TCP 121.11.91.3:52361 131.193.40.122:25 in via en0
Jun 25 10:28:14 robert-sloans-powerbook-g4-12 ipfw: 12190 Deny TCP 121.11.91.3:52361 131.193.40.122:25 in via en0
Jun 25 10:28:17 robert-sloans-powerbook-g4-12 ipfw: 12190 Deny TCP 121.11.91.3:52361 131.193.40.122:25 in via en0
Jun 25 10:28:21 robert-sloans-powerbook-g4-12 ipfw: 12190 Deny TCP 121.11.91.3:52361 131.193.40.122:25 in via en0
Jun 25 10:28:24 robert-sloans-powerbook-g4-12 ipfw: 12190 Deny TCP 121.11.91.3:52361 131.193.40.122:25 in via en0
Jun 25 10:28:27 robert-sloans-powerbook-g4-12 ipfw: 12190 Deny TCP 121.11.91.3:52361 131.193.40.122:25 in via en0
Jun 25 10:28:33 robert-sloans-powerbook-g4-12 ipfw: 12190 Deny TCP 121.11.91.3:52361 131.193.40.122:25 in via en0
Jun 25 10:28:45 robert-sloans-powerbook-g4-12 ipfw: 12190 Deny TCP 121.11.91.3:52361 131.193.40.122:25 in via en0
Jun 25 10:29:10 robert-sloans-powerbook-g4-12 ipfw: 12190 Deny TCP 121.11.91.3:52361 131.193.40.122:25 in via en0
Jun 25 10:29:11 robert-sloans-powerbook-g4-12 ipfw: 12190 Deny TCP 200.123.173.85:4155 131.193.40.122:25 in via en0
Jun 25 10:29:14 robert-sloans-powerbook-g4-12 ipfw: 12190 Deny TCP 200.123.173.85:4155 131.193.40.122:25 in via en0
Jun 25 10:29:20 robert-sloans-powerbook-g4-12 ipfw: 12190 Deny TCP 200.123.173.85:4155 131.193.40.122:25 in via en0
Jun 25 10:29:32 robert-sloans-powerbook-g4-12 ipfw: 12190 Deny TCP 200.123.173.85:4155 131.193.40.122:25 in via en0
Jun 25 10:29:56 robert-sloans-powerbook-g4-12 ipfw: 12190 Deny TCP 200.123.173.85:4155 131.193.40.122:25 in via en0

Analysis of my logs
4-day snippet ending Friday June 29 at 13:26.
1,323 TCP connections requested.
Most looking for port 25, SMTP outgoing email. Spam, anyone?
Also port 21, FTP (warez, anyone?), and various high-numbered ports that are probably known Windows vulnerabilities.
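The kind of summary that analysis rests on, as an added example (not the lecture's code) run over the fourteen ipfw lines shown above, pasted verbatim. Besides counting by port and by source, it groups lines by 4-tuple and reports the spacing between them: the nine lines from 121.11.91.3 all come from source port 52361 at growing intervals, which is what one unanswered SYN being retransmitted looks like, so distinct 4-tuples give a fairer count of connection attempts than raw line counts do. SERVICE_NAMES is a small lookup table added for readability.

```python
"""Summarize ipfw deny lines: counts by port and source, and retry intervals.

Added illustration, not the lecture's code. IPFW_LOG is the excerpt from the
slide above; SERVICE_NAMES is an added convenience table.
"""
import re
from collections import Counter, defaultdict

IPFW_LOG = """\
Jun 25 10:28:11 robert-sloans-powerbook-g4-12 ipfw: 12190 Deny TCP 121.11.91.3:52361 131.193.40.122:25 in via en0
Jun 25 10:28:14 robert-sloans-powerbook-g4-12 ipfw: 12190 Deny TCP 121.11.91.3:52361 131.193.40.122:25 in via en0
Jun 25 10:28:17 robert-sloans-powerbook-g4-12 ipfw: 12190 Deny TCP 121.11.91.3:52361 131.193.40.122:25 in via en0
Jun 25 10:28:21 robert-sloans-powerbook-g4-12 ipfw: 12190 Deny TCP 121.11.91.3:52361 131.193.40.122:25 in via en0
Jun 25 10:28:24 robert-sloans-powerbook-g4-12 ipfw: 12190 Deny TCP 121.11.91.3:52361 131.193.40.122:25 in via en0
Jun 25 10:28:27 robert-sloans-powerbook-g4-12 ipfw: 12190 Deny TCP 121.11.91.3:52361 131.193.40.122:25 in via en0
Jun 25 10:28:33 robert-sloans-powerbook-g4-12 ipfw: 12190 Deny TCP 121.11.91.3:52361 131.193.40.122:25 in via en0
Jun 25 10:28:45 robert-sloans-powerbook-g4-12 ipfw: 12190 Deny TCP 121.11.91.3:52361 131.193.40.122:25 in via en0
Jun 25 10:29:10 robert-sloans-powerbook-g4-12 ipfw: 12190 Deny TCP 121.11.91.3:52361 131.193.40.122:25 in via en0
Jun 25 10:29:11 robert-sloans-powerbook-g4-12 ipfw: 12190 Deny TCP 200.123.173.85:4155 131.193.40.122:25 in via en0
Jun 25 10:29:14 robert-sloans-powerbook-g4-12 ipfw: 12190 Deny TCP 200.123.173.85:4155 131.193.40.122:25 in via en0
Jun 25 10:29:20 robert-sloans-powerbook-g4-12 ipfw: 12190 Deny TCP 200.123.173.85:4155 131.193.40.122:25 in via en0
Jun 25 10:29:32 robert-sloans-powerbook-g4-12 ipfw: 12190 Deny TCP 200.123.173.85:4155 131.193.40.122:25 in via en0
Jun 25 10:29:56 robert-sloans-powerbook-g4-12 ipfw: 12190 Deny TCP 200.123.173.85:4155 131.193.40.122:25 in via en0
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) ipfw: "
    r"(?P<rule>\d+) (?P<action>Accept|Deny) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) (?P<dir>in|out) via (?P<iface>\S+)$"
)

SERVICE_NAMES = {21: "ftp", 22: "ssh", 25: "smtp", 80: "http", 443: "https"}


def parse(text):
    """Parse log lines; a line in an unexpected format is skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("rule", "sport", "dport"):
            rec[key] = int(rec[key])
        h, mi, s = (int(x) for x in rec["time"].split(":"))
        rec["secs"] = h * 3600 + mi * 60 + s   # seconds since midnight (same-day assumption)
        records.append(rec)
    return records


def flow_key(rec):
    return (rec["src"], rec["sport"], rec["dst"], rec["dport"])


def summarize(records):
    denied = [r for r in records if r["action"] == "Deny"]
    by_port = Counter(r["dport"] for r in denied)
    return {
        "deny_lines": len(denied),
        "by_port": {"%d/%s" % (p, SERVICE_NAMES.get(p, "?")): n for p, n in by_port.items()},
        "by_src": Counter(r["src"] for r in denied),
        # An unanswered SYN is retransmitted from the same source port, so
        # distinct 4-tuples count attempts more honestly than raw lines.
        "distinct_flows": len({flow_key(r) for r in denied}),
    }


def retry_intervals(records):
    """Seconds between consecutive lines of each 4-tuple (exposes SYN retransmit backoff)."""
    times = defaultdict(list)
    for r in records:
        times[flow_key(r)].append(r["secs"])
    return {k: [b - a for a, b in zip(t, t[1:])] for k, t in times.items()}


if __name__ == "__main__":
    recs = parse(IPFW_LOG)
    print(summarize(recs))
    for flow, gaps in retry_intervals(recs).items():
        print(flow, gaps)
```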

Firewalls and encryption
Firewalls work best when they can see all the traffic in the network.
Thus encryption of email, web pages, etc. tends to work against firewalls.

Tradeoffs
In the real world, diligent review of logs is much more likely with small logs.
Massive overlogging can cause a system performance hit.
Usually keep a fixed number of days or bytes of log; you don't want a large number of trivial events overwriting a serious incident.

Firewall limitations
Do not protect against attacks using allowed services.
Only as good as their configuration.
If they get in people's way, people will work around them.
Have no effect on a DDoS attack against me.

Logging and auditing logs
Logging is recording system events and keeping the record for some length of time.
Issues: What events to log? How long to keep them? Which events should trigger which kind of immediate alert?

Analysis
First, determine baseline activity levels (CPU activity, IP traffic, RAM or disk consumption, etc.), including typical variance.
Then decide which deviations are significant, and how significant: think about it next time I skim the log files; send me an email now; beep my pager 24/7?

Securing logs themselves
Stopping the logging is, of course, among the first things malware with superuser access does; next it erases the logs.
Solutions can include remote logging to a separate, specially hardened machine elsewhere in the network, or printing immediately to a printer in addition to the computer file.

Key audit log weakness
Requires a knowledgeable human in the loop.
Difficult to impossible for a smallish organization; effectively impossible for Small Office/Home Office types.

Intrusion Detection
Intrusion detection: A security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near-real-time warning of, attempts to access system resources in an unauthorized manner. (RFC 2828, Internet Security Glossary)

Why IDS
1. If an intrusion is detected fast enough, the intruder can be ejected before (much) harm is done.
2. Can be a deterrent.
3. Teaches white hats what to do to prevent the next break-in.

Modern trend: intrusion detection
The next step beyond audit logs and firewalls is Intrusion Detection Systems (IDS).
Look (automated) for anomalous patterns, which may or may not be attacks.
Inform sysadmin staff, who can investigate.
Hot product today; roughly the same high-level technical issues as audit logs.

IDS
Two broad ways to go:
Look for signatures of attacks.
Develop a (machine learning) profile of normal behavior and of attack behavior.
Multiple intruder behaviors? Hacker vs. criminal vs. insider.
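The two approaches side by side, together with the baseline-and-deviation analysis from the Analysis slide, as one added example (not the lecture's code): a signature matcher over connection payloads, and an anomaly detector that learns a mean and variance from a normal period and maps the size of a deviation onto the three alert levels the slide lists (look next time, email now, page 24/7). Everything in it is constructed: the events, the baseline counts, the two signatures, the z-score thresholds, and the assumption that example.org is our own mail domain.

```python
"""Signature-based and anomaly-based intrusion detection, in miniature.

Added illustration, not the lecture's code. Events, baseline, signatures,
thresholds and the local mail domain (example.org) are all constructed.
"""
import re
import statistics

# --- Signature-based: known attack patterns in observed traffic ---------------
SIGNATURES = [
    # our MTA asked to deliver to a non-local recipient: open-relay probe
    ("smtp-relay-probe", 25, re.compile(r"RCPT TO:<[^>@]+@(?!example\.org>)[^>]+>", re.I)),
    ("ftp-anonymous-login", 21, re.compile(r"^USER\s+(anonymous|ftp)\b", re.I | re.M)),
]

# Constructed connection records: (source, destination port, first bytes sent).
EVENTS = [
    {"src": "198.51.100.7", "dport": 25,
     "payload": "EHLO x\r\nMAIL FROM:<a@b.test>\r\nRCPT TO:<victim@other.test>\r\n"},
    {"src": "203.0.113.9", "dport": 21, "payload": "USER anonymous\r\nPASS guest@\r\n"},
    {"src": "203.0.113.9", "dport": 25,
     "payload": "EHLO x\r\nMAIL FROM:<bob@b.test>\r\nRCPT TO:<alice@example.org>\r\n"},
]


def match_signatures(events):
    """Return (event index, signature name) for every event that hits a signature."""
    hits = []
    for i, ev in enumerate(events):
        for name, port, pattern in SIGNATURES:
            if ev["dport"] == port and pattern.search(ev["payload"]):
                hits.append((i, name))
    return hits


# --- Anomaly-based: baseline, variance, and how loudly to shout ---------------
# Hourly inbound connection counts from a quiet week (constructed).
BASELINE = [38, 40, 42, 40, 38, 40, 42, 40] * 3

ALERT_TIERS = [(4.0, "page"), (3.0, "email"), (2.0, "log")]   # z-score thresholds


def learn_baseline(samples):
    """Mean and population standard deviation of the normal period."""
    return statistics.mean(samples), statistics.pstdev(samples)


def zscore(observed, mean, sd):
    if sd == 0:                      # perfectly flat baseline: any change is infinite
        return 0.0 if observed == mean else float("inf")
    return (observed - mean) / sd


def alert_level(observed, mean, sd):
    """None (ignore), 'log' (look next time), 'email' (now), or 'page' (24/7)."""
    z = abs(zscore(observed, mean, sd))
    for threshold, level in ALERT_TIERS:
        if z >= threshold:
            return level
    return None


def demo():
    mean, sd = learn_baseline(BASELINE)
    return {
        "signature_hits": match_signatures(EVENTS),
        "alerts": {obs: alert_level(obs, mean, sd) for obs in (40, 44, 45, 46, 200)},
    }


if __name__ == "__main__":
    print(demo())
```

The signature side fires only on the relay probe and the anonymous FTP login, not on ordinary mail for a local user; the anomaly side says nothing about a normal hour and escalates as an hour drifts further from the learned baseline. Neither knows whether a hit is really an attack, which is why the slide has a human investigate.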