CSCI 4250/6250 Fall 2015 Computer and Networks Security

Similar documents
Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Firewalls, Tunnels, and Network Intrusion Detection

Network Security Controls. CSC 482: Computer Security

Introduction of Intrusion Detection Systems

Module II. Internet Security. Chapter 7. Intrusion Detection. Web Security: Theory & Applications. School of Software, Sun Yat-sen University

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

12/8/2015. Review. Final Exam. Network Basics. Network Basics. Network Basics. Network Basics. 12/10/2015 Thursday 5:30~6:30pm Science S-3-028

Chapter 9 Firewalls and Intrusion Prevention Systems

CS5008: Internet Computing

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

Firewalls. Chapter 3

CIT 480: Securing Computer Systems. Firewalls

FIREWALL AND NAT Lecture 7a

ΕΠΛ 674: Εργαστήριο 5 Firewalls

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Firewall Firewall August, 2003

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

IDS 4.0 Roadshow. Module 1- IDS Technology Overview. 2003, Cisco Systems, Inc. All rights reserved. IDS Roadshow

Intrusion Detection Systems and Supporting Tools. Ian Welch NWEN 405 Week 12

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Network Security. Chapter 9. Attack prevention, detection and response. Attack Prevention. Part I: Attack Prevention

Introduction... Error! Bookmark not defined. Intrusion detection & prevention principles... Error! Bookmark not defined.

Network Defense Tools

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

Intruders and viruses. 8: Network Security 8-1

Firewalls, NAT and Intrusion Detection and Prevention Systems (IDS)

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

Firewalls. CS 6v81 - Network Security. What is a firewall? Firewall capabilities. Firewall limitations. Firewall limitations, cont d

8. Firewall Design & Implementation

Firewalls. Ola Flygt Växjö University, Sweden Firewall Design Principles

IDS / IPS. James E. Thiel S.W.A.T.

Intro to Firewalls. Summary

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

CIT 480: Securing Computer Systems. Firewalls

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam

Computer Security: Principles and Practice

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

Firewalls and Intrusion Detection

Chapter 8 Security Pt 2

Solution of Exercise Sheet 5

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

Computer Security DD2395

CSCI Firewalls and Packet Filtering

Intrusion Detection. Tianen Liu. May 22, paper will look at different kinds of intrusion detection systems, different ways of

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

CSCE 465 Computer & Network Security

IDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

How To Protect Your Firewall From Attack From A Malicious Computer Or Network Device

CMSC 421, Operating Systems. Fall Security. URL: Dr. Kalpakis

Basics of Internet Security

Firewalls (IPTABLES)

Guideline on Firewall

IDS : Intrusion Detection System the Survey of Information Security

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

Session Hijacking Exploiting TCP, UDP and HTTP Sessions

Network Incident Report

INTRUSION DETECTION SYSTEMS and Network Security

Types of Firewalls E. Eugene Schultz Payoff

Overview. Firewall Security. Perimeter Security Devices. Routers

How To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)

CSCI 454/554 Computer and Network Security. Final Exam Review

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

Network Security. 1 Pass the course => Pass Written exam week 11 Pass Labs

How To Understand A Firewall

Chapter 8 Network Security

Own your LAN with Arp Poison Routing

Intrusion Detection Systems

Taxonomy of Intrusion Detection System

Network Access Security. Lesson 10

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall

Reverse Shells Enable Attackers To Operate From Your Network. Richard Hammer August 2006

Intrusion Detection for Mobile Ad Hoc Networks

Firewalls, IDS and IPS

Intruders & Intrusion Hackers Criminal groups Insiders. Detection and IDS Techniques Detection Principles Requirements Host-based Network-based

SY system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

Network Based Intrusion Detection Using Honey pot Deception

Second-generation (GenII) honeypots

How To Protect A Network From Attack From A Hacker (Hbss)

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

Network Security: 30 Questions Every Manager Should Ask. Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

Intrusion Detection Systems

WHITE PAPER PROCESS CONTROL NETWORK SECURITY: INTRUSION PREVENTION IN A CONTROL SYSTEMS ENVIRONMENT

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls.

Network/Internet Forensic and Intrusion Log Analysis

FIREWALLS & CBAC. philip.heimer@hh.se

Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed)

INTRODUCTION TO FIREWALL SECURITY

Transcription:

CSCI 4250/6250 Fall 2015 Computer and Networks Security Network Security Goodrich, Chapter 5-6

Tunnels } The contents of TCP packets are not normally encrypted, so if someone is eavesdropping on a TCP connection, he can often see the complete contents of the payloads in this session. } One way to prevent such eavesdropping without changing the software performing the communication is to use a tunneling protocol. } In such a protocol, the communication between a client and server is automatically encrypted, so that useful eavesdropping is infeasible. 2

Tunneling Prevents Eavesdropping } Packets sent over the Internet are automatically encrypted. Client Tunneling protocol (does end-to-end encryption and decryption) Server TCP/IP Untrusted Internet TCP/IP 3 Payloads are encrypted here

Secure Shell (SSH) } A secure interactive command session: 1. The client connects to the server via a TCP session. 2. The client and server exchange information on administrative details, such as supported encryption methods and their protocol version, each choosing a set of protocols that the other supports. 3. The client and server initiate a secret-key exchange to establish a shared secret session key, which is used to encrypt their communication (but not for authentication). This session key is used in conjunction with a chosen block cipher (typically AES, 3DES) to encrypt all further communications. 4. The server sends the client a list of acceptable forms of authentication, which the client will try in sequence. The most common mechanism is to use a password or the following public-key authentication method: a) If public-key authentication is the selected mechanism, the client sends the server its public key. b) The server then checks if this key is stored in its list of authorized keys. If so, the server encrypts a challenge using the client s public key and sends it to the client. c) The client decrypts the challenge with its private key and responds to the server, proving its identity. 5. Once authentication has been successfully completed, the server lets the client 4 access appropriate resources, such as a command prompt.

Tunneling with SSH } Socks proxy demo } SOCKS protocol v5 } http://tools.ietf.org/html/rfc1928 5

Firewalls } A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system. } A network firewall is similar to firewalls in building construction, because in both cases they are intended to isolate one "network" or "compartment" from another. 6

Firewall Policies } To protect private networks and individual machines from the dangers of the greater Internet, a firewall can be employed to filter incoming or outgoing traffic based on a predefined set of rules called firewall policies. Firewall policies Trusted internal network Untrusted Internet 7

Policy Actions } Packets flowing through a firewall can have one of three outcomes: } Accepted: permitted through the firewall } Dropped: not allowed through with no indication of failure } Rejected: not allowed through, accompanied by an attempt to inform the source that the packet was rejected } Policies used by the firewall to handle packets are based on several properties of the packets being inspected, including the protocol used, such as: } TCP or UDP } the source and destination IP addresses } the source and destination ports } the application-level payload of the packet (e.g., whether it contains a virus). 8

Blacklists and White Lists } There are two fundamental approaches to creating firewall policies (or rulesets) to effectively minimize vulnerability to the outside world while maintaining the desired functionality for the machines in the trusted internal network (or individual computer). } Blacklist approach 9 } All packets are allowed through except those that fit the rules defined specifically in a blacklist. } This type of configuration is more flexible in ensuring that service to the internal network is not disrupted by the firewall, but is naïve from a security perspective in that it assumes the network administrator can enumerate all of the properties of malicious traffic. } Whitelist approach } A safer approach to defining a firewall ruleset is the default-deny policy, in which packets are dropped or rejected unless they are specifically allowed by the firewall.

Firewall Types packet filters (stateless) If a packet matches the packet filter's set of rules, the packet filter will drop or accept it "stateful" filters it maintains records of all connections passing through it and can determine if a packet is either the start of a new connection, a part of an existing connection, or is an invalid packet. application layer It works like a proxy it can understand certain applications and protocols. It may inspect the contents of the traffic, blocking what it views as inappropriate content (i.e. websites, viruses, vulnerabilities,...) 10

Stateless Firewalls } A stateless firewall doesn t maintain any remembered context (or state ) with respect to the packets it is processing. Instead, it treats each packet attempting to travel through it in isolation without considering packets that it has processed previously. SYN Seq = x Port=80 Client SYN-ACK Seq = y Ack = x + 1 Trusted internal network ACK Seq = x + 1 Ack = y + 1 Firewall Server 11 Allow outbound SYN packets, destination port=80 Allow inbound SYN-ACK packets, source port=80

Stateless Restrictions } Stateless firewalls may have to be fairly restrictive in order to prevent most attacks. Client (blocked) SYN Seq = y Port=80 Attacker Trusted internal network Firewall 12 Allow outbound SYN packets, destination port=80 Drop inbound SYN packets, Allow inbound SYN-ACK packets, source port=80

Statefull Firewalls } Stateful firewalls can tell when packets are part of legitimate sessions originating within a trusted network. } Stateful firewalls maintain tables containing information on each active connection, including the IP addresses, ports, and sequence numbers of packets. } Using these tables, stateful firewalls can allow only inbound TCP packets that are in response to a connection initiated from within the internal network. 13

Statefull Firewall Example } Allow only requested TCP connections: 76.120.54.101 128.34.78.55 SYN Seq = x Port=80 Server Client SYN-ACK Seq = y Ack = x + 1 Trusted internal network ACK Seq = x + 1 Ack = y + 1 (blocked) SYN-ACK Seq = y Port=80 Attacker Allow outbound TCP sessions, destination port=80 Firewall 14 Established TCP session: (128.34.78.55, 76.120.54.101) Firewall state table

Intrusion Detection Systems } Intrusion } Actions aimed at compromising the security of the target (confidentiality, integrity, availability of computing/networking resources) } Intrusion detection } The identification through intrusion signatures and report of intrusion activities } Intrusion prevention } The process of both detecting intrusion activities and managing automatic responsive actions throughout the network 15

IDS Components } The IDS manager compiles data from the IDS sensors to determine if an intrusion has occurred. } This determination is based on a set of site policies, which are rules and conditions that define probable intrusions. } If an IDS manager detects an intrusion, then it sounds an alarm. Untrusted Internet IDS Manager router Firewall IDS Sensor IDS Sensor router router 16

Intrusions } An IDS is designed to detect a number of threats, including the following: } masquerader: an attacker who is falsely using the identity and/or credentials of a legitimate user to gain access to a computer system or network } Misfeasor: a legitimate user who performs actions he is not authorized to do } Clandestine user: a user who tries to block or cover up his actions by deleting audit files and/or system logs } In addition, an IDS is designed to detect automated attacks and threats, including the following: } port scans: information gathering intended to determine which ports on a host are open for TCP connections } Denial-of-service attacks: network attacks meant to overwhelm a host and shut out legitimate accesses } Malware attacks: replicating malicious software attacks, such as Trojan horses, computer worms, viruses, etc. } ARP spoofing: an attempt to redirect IP traffic in a local-area network } DNS cache poisoning: a pharming attack directed at changing a host s DNS cache to create a falsified domain-name/ip-address association 17

Possible Alarm Outcomes } Alarms can be sounded (positive) or not (negative) Intrusion Attack No Intrusion Attack Alarm Sounded True Positive False Positive No Alarm Sounded 18 False Negative True Negative

The Base-Rate Fallacy } It is difficult to create an intrusion detection system with the desirable properties of having both a high true-positive rate and a low false-negative rate. } If the number of actual intrusions is relatively small compared to the amount of data being analyzed, then the effectiveness of an intrusion detection system can be reduced. } In particular, the effectiveness of some IDSs can be misinterpreted due to a statistical error known as the baserate fallacy. } This type of error occurs when the probability of some conditional event is assessed without considering the base rate of that event. 19

Base-Rate Fallacy Example } Suppose an IDS is 99% accurate, having a 1% chance of false positives or false negatives. Suppose further } An intrusion detection system generates 1,000,100 log entries. } Only 100 of the 1,000,100 entries correspond to actual malicious events. } Because of the success rate of the IDS, of the 100 malicious events, 99 will be detected as malicious, which means we have 1 false negative. } Nevertheless, of the 1,000,000 benign events, 10,000 will be mistakenly identified as malicious. That is, we have 10,000 false positives! } Thus, there will be 10,099 alarms sounded, 10,000 of which are false alarms. That is, roughly 99% of our alarms are false alarms. 20

Base-Rate Fallacy } Police has a drunk test with these properties } True positive rate (TPR) = 100% } False positive rate = 5% } Assume that about 1/1000 people actually drink and drive. What is the probability P(drunk Positive)? } P(Positive drunk) = 1 } P(Positive sober) = 0.05 } P(drunk Positive) = P(Positive drunk)*p(drunk) / P(Positive) } = P(Positive drunk)*p(drunk) / [ P(Positive drunk)*p(drunk) + P(Positive sober)*p(sober) ] } Therefore } P(drunk Positive) = 1*0.001 / [ 1*0.001 + 0.05*0.999 ] ~= 0.02 21

Base-Rate Fallacy } Police has a drunk test with these properties } True positive rate (TPR) = 100% } False positive rate = 5% } Assume that about 1/1000 people actually drink and drive. What is the probability P(drunk Positive)? } P(Positive drunk) = 1 } P(Positive sober) = 0.05 } P(drunk Positive) = P(Positive drunk)*p(drunk) / P(Positive) } = P(Positive drunk)*p(drunk) / [ P(Positive drunk)*p(drunk) + P(Positive sober)*p(sober) ] } Therefore } P(drunk Positive) = 1*0.001 / [ 1*0.001 + 0.05*0.999 ] ~= 0.02 22

Base-Rate Fallacy 23

Base-Rate Fallacy 24

Base-Rate Fallacy 25

IDS Data } In an influential 1987 paper, Dorothy Denning identified several fields that should be included in IDS event records: } Subject: the initiator of an action on the target 26 } Object: the resource being targeted, such as a file, command, device, or network protocol } Action: the operation being performed by the subject towards the object } Exception-condition: any error message or exception condition that was raised by this action } Resource-usage: quantitative items that were expended by the system performing or responding to this action } Time-stamp: a unique identifier for the moment in time when this action was initiated

Types of Intrusion Detection Systems } Rule-Based Intrusion Detection } Rules identify the types of actions that match certain known profiles for an intrusion attack, in which case the rule would encode a signature for such an attack. Thus, if the IDS manager sees an event that matches the signature for such a rule, it would immediately sound an alarm, possibly even indicating the particular type of attack that is suspected. } Statistical Intrusion Detection } A profile is built, which is a statistical representation of the typical ways that a user acts or a host is used; hence, it can be used to determine when a user or host is acting in highly unusual, anomalous ways. } Once a user profile is in place, the IDS manager can determine thresholds for anomalous behaviors and then sound an alarm any time a user or host deviates significantly from the stored profile for that person or machine. 27

IDS taxonomy } Host-based vs. Network-based } Misuse-based vs. Anomaly-based vs. Specification-based } Examples: } A sense of self for Unix processes (Forrest et al.) } PAYL payload anomaly detection (Want et al.) Payload byte distribution 28

IDS examples } Snort } http://snort.org } Suricata } http://suricata-ids.org } Bro } http://www.bro.org 29

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information