ACS-3921/4921-050 Computer Security And Privacy
Lecture Note 8, October 28th 2015
Chapter 9: Firewalls and Intrusion Prevention Systems
Slides Used In The Course
A note on the use of these slides: These slides have been adopted and/or modified from the original for use in this course. The authors of the text have made these slides available to all (faculty, students, readers), and they obviously represent a lot of work on their part. In return for use, please: if slides are being used (e.g., in a class), mention the source (after all, the authors like people to use their book!); if any slides are being posted on a www site, note that they are adapted from (or perhaps identical to) the authors' original slides, and note their copyright of this material. All material copyright 2008, 2012, 2015 William Stallings and Lawrie Brown, All Rights Reserved.
The Need For Firewalls
- Internet connectivity is essential; however, it creates a threat
- Firewalls are an effective means of protecting LANs
- Inserted between the premises network and the Internet to establish a controlled link
- Can be a single computer system or a set of two or more systems working together
- Used as a perimeter defense
  - Single choke point to impose security and auditing
  - Insulates the internal systems from external networks
Firewall Characteristics
Design goals:
- All traffic from inside to outside, and vice versa, must pass through the firewall
- Only authorized traffic, as defined by the local security policy, will be allowed to pass
- The firewall itself is immune to penetration
Firewall Access Policy
- A critical component in the planning and implementation of a firewall is specifying a suitable access policy
  - This lists the types of traffic authorized to pass through the firewall
  - Includes address ranges, protocols, applications and content types
- This policy should be developed from the organization's information security risk assessment and policy
  - Should be developed from a broad specification of which traffic types the organization needs to support
  - Then refined to detail the filter elements, which can then be implemented within an appropriate firewall topology
Firewall Filter Characteristics
Characteristics that a firewall access policy could use to filter traffic include:
- IP address and protocol values: this type of filtering is used by packet filter and stateful inspection firewalls; typically used to limit access to specific services
- Application protocol: this type of filtering is used by an application-level gateway that relays and monitors the exchange of information for specific application protocols
- User identity: typically for inside users who identify themselves using some form of secure authentication technology
- Network activity: controls access based on considerations such as the time of request, rate of requests, or other activity patterns
Firewall Capabilities And Limits
Capabilities:
- Defines a single choke point
- Provides a location for monitoring security events
- Convenient platform for several Internet functions that are not security related
- Can serve as the platform for IPSec
Limits:
- Cannot protect against attacks bypassing the firewall
- May not protect fully against internal threats
- An improperly secured wireless LAN can be accessed from outside the organization
- A laptop, PDA, or portable storage device may be infected outside the corporate network and then used internally
Types of Firewalls
Packet Filtering Firewall
- Applies rules to each incoming and outgoing IP packet
  - Typically a list of rules based on matches in the IP or TCP header
  - Forwards or discards the packet based on the rules matched
- Filtering rules are based on information contained in a network packet:
  - Source IP address
  - Destination IP address
  - Source and destination transport-level address
  - IP protocol field
  - Interface
- Two default policies:
  - Discard: prohibit unless expressly permitted (more conservative, controlled, visible to users)
  - Forward: permit unless expressly prohibited (easier to manage and use, but less secure)
Packet-Filtering Examples

Rule  Direction  Src address  Dest address  Protocol  Dest port  Action
A     In         External     Internal      TCP       25         Permit
B     Out        Internal     External      TCP       >1023      Permit
C     Out        Internal     External      TCP       25         Permit
D     In         External     Internal      TCP       >1023      Permit
E     Either     Any          Any           Any       Any        Deny
Packet Filter Advantages And Weaknesses
Advantages:
- Simplicity
- Typically transparent to users and very fast
Weaknesses:
- Cannot prevent attacks that employ application-specific vulnerabilities or functions
- Limited logging functionality
- Do not support advanced user authentication
- Vulnerable to attacks on TCP/IP protocol bugs
- Improper configuration can lead to breaches
Stateful Inspection Firewall
- Tightens rules for TCP traffic by creating a directory of outbound TCP connections
  - There is an entry for each currently established connection
  - The packet filter allows incoming traffic to high-numbered ports only for those packets that fit the profile of one of the entries in this directory
- Reviews packet information but also records information about TCP connections
  - Keeps track of TCP sequence numbers to prevent attacks that depend on the sequence number
  - Inspects data for protocols like FTP, IM and SIPS commands
Example Stateful Firewall Connection State Table

Source Address  Source Port  Destination Address  Destination Port  Connection State
192.168.1.100   1030         210.9.88.29          80                Established
192.168.1.102   1031         216.32.42.123        80                Established
192.168.1.101   1033         173.66.32.122        25                Established
192.168.1.106   1035         177.231.32.12        79                Established
223.43.21.231   1990         192.168.1.6          80                Established
219.22.123.32   2112         192.168.1.6          80                Established
210.99.212.18   3321         192.168.1.6          80                Established
24.102.32.23    1025         192.168.1.6          80                Established
223.21.22.12    1046         192.168.1.6          80                Established
Application-Level Gateway
- Also called an application proxy
- Acts as a relay of application-level traffic
  - User contacts the gateway using a TCP/IP application
  - User is authenticated
  - Gateway contacts the application on the remote host and relays TCP segments between server and user
- Must have proxy code for each application
  - May restrict the application features supported
- Tend to be more secure than packet filters
- Disadvantage is the additional processing overhead on each connection
Circuit-Level Gateway
- Circuit-level proxy
- Sets up two TCP connections, one between itself and a TCP user on an inner host and one between itself and a TCP user on an outside host
- Relays TCP segments from one connection to the other without examining contents
- Security function consists of determining which connections will be allowed
- Typically used when inside users are trusted
  - May use an application-level gateway inbound and a circuit-level gateway outbound
  - Lower overheads
SOCKS Circuit-Level Gateway
- SOCKS v5 is defined in RFC 1928
- Designed to provide a framework for client-server applications in the TCP/UDP domains to conveniently and securely use the services of a network firewall
- Client application contacts the SOCKS server, authenticates, and sends a relay request
  - Server evaluates the request and either establishes or denies the connection
- Components:
  - SOCKS server
  - SOCKS client library
  - SOCKS-ified client applications
Bastion Hosts
- System identified as a critical strong point in the network's security
- Serves as a platform for an application-level or circuit-level gateway
- Common characteristics:
  - Runs a secure O/S with only essential services
  - May require user authentication to access the proxy or host
  - Each proxy can restrict features and hosts accessed
  - Each proxy is small, simple, and checked for security
  - Each proxy is independent and non-privileged
  - Limited disk use, hence read-only code
Host-Based Firewalls
- Used to secure an individual host
- Available in operating systems or can be provided as an add-on package
- Filter and restrict packet flows
- Common location is a server
- Advantages:
  - Filtering rules can be tailored to the host environment
  - Protection is provided independent of topology
  - Provides an additional layer of protection
Personal Firewall
- Controls traffic between a personal computer or workstation and the Internet or enterprise network
- For both home and corporate use
- Typically a software module on a personal computer
- Can be housed in a router that connects all of the home computers to a DSL, cable modem, or other Internet interface
- Typically much less complex than server-based or stand-alone firewalls
- Primary role is to deny unauthorized remote access
- May also monitor outgoing traffic to detect and block worms and malware activity
Firewall Configuration
(Figure: Example of Firewall Configuration)
Virtual Private Network (VPN)
Distributed Firewall Configuration
(Figure: Example of Distributed Firewall Configuration)
Firewall Topologies
- Host-resident firewall: includes personal firewall software and firewall software on servers
- Screening router: single router between internal and external networks with stateless or full packet filtering
- Single bastion inline: single firewall device between an internal and external router
- Single bastion T: has a third network interface on the bastion to a DMZ where externally visible servers are placed
- Double bastion inline: DMZ is sandwiched between bastion firewalls
- Double bastion T: DMZ is on a separate network interface on the bastion firewall
- Distributed firewall configuration: used by large businesses and government organizations
Intrusion Prevention Systems (IPS)
- Also known as an Intrusion Detection and Prevention System (IDPS)
- Is an extension of an IDS that includes the capability to attempt to block or prevent detected malicious activity
- Can be host-based, network-based, or distributed/hybrid
- Can use anomaly detection to identify behavior that is not that of legitimate users, or signature/heuristic detection to identify known malicious behavior
- Can block traffic as a firewall does, but makes use of the types of algorithms developed for IDSs to determine when to do so
Host-Based IPS (HIPS)
- Can make use of either signature/heuristic or anomaly detection techniques to identify attacks
  - Signature: focus is on the specific content of application network traffic, or of sequences of system calls, looking for patterns that have been identified as malicious
  - Anomaly: the IPS is looking for behavior patterns that indicate malware
- Examples of the types of malicious behavior addressed by a HIPS include:
  - Modification of system resources
  - Privilege-escalation exploits
  - Buffer-overflow exploits
  - Access to e-mail contact list
  - Directory traversal
HIPS
- Capability can be tailored to the specific platform
  - A set of general-purpose tools may be used for a desktop or server system
  - Some packages are designed to protect specific types of servers, such as Web servers and database servers; in this case the HIPS looks for particular application attacks
- Can use a sandbox approach
  - Sandboxes are especially suited to mobile code such as Java applets and scripting languages
  - The HIPS quarantines such code in an isolated system area, then runs the code and monitors its behavior
- Areas for which a HIPS typically offers desktop protection:
  - System calls
  - File system access
  - System registry settings
  - Host input/output
The Role of HIPS
- Many industry observers see the enterprise endpoint, including desktop and laptop systems, as now the main target for hackers and criminals
  - Thus security vendors are focusing more on developing endpoint security products
- Traditionally, endpoint security has been provided by a collection of distinct products, such as antivirus, antispyware, antispam, and personal firewalls
- The HIPS approach is an effort to provide an integrated, single-product suite of functions
  - Advantages of the integrated HIPS approach are that the various tools work closely together, threat prevention is more comprehensive, and management is easier
- A prudent approach is to use HIPS as one element in a defense-in-depth strategy that involves network-level devices, such as either firewalls or network-based IPSs
Network-Based IPS (NIPS)
- An inline NIDS with the authority to modify or discard packets and tear down TCP connections
- Makes use of signature/heuristic detection and anomaly detection
- May provide flow data protection
  - Requires that the application payload in a sequence of packets be reassembled
- Methods used to identify malicious packets:
  - Pattern matching
  - Stateful matching
  - Protocol anomaly
  - Traffic anomaly
  - Statistical anomaly
Digital Immune System
- Comprehensive defense against malicious behavior caused by malware
- Developed by IBM and refined by Symantec
- Motivation for this development includes the rising threat of Internet-based malware, the increasing speed of its propagation provided by the Internet, and the need to acquire a global view of the situation
- Success depends on the ability of the malware analysis system to detect new and innovative malware strains
Worm Monitors
Snort Inline
- Enables Snort to function as an intrusion prevention system
- Includes a replace option which allows the Snort user to modify packets rather than drop them
  - Useful for a honeypot implementation: attackers see the failure but cannot figure out why it occurred
- Rule actions:
  - Drop: Snort rejects a packet based on the options defined in the rule and logs the result
  - Reject: the packet is rejected, the result is logged, and an error message is returned
  - Sdrop: the packet is rejected but not logged
Unified Threat Management (UTM) System
(Figure: Unified Threat Management Appliance, based on [JAME06])
Example of the Scope of a UTM Appliance
Sidewinder G2 Security Appliance Attack Protections Summary: Transport Level Examples

TCP: Attacks and Internet Threats
- Invalid port numbers
- Invalid sequence numbers
- SYN floods
- XMAS tree attacks
- Invalid CRC values
- Zero length
- Random data as TCP header
- TCP hijack attempts
- TCP spoofing attacks
- Small PMTU attacks
- SYN attack
- Script Kiddie attacks
- Packet crafting: different TCP options set

TCP: Protections
- Enforce correct TCP flags
- Enforce TCP header length
- Ensures a proper 3-way handshake
- Closes TCP session correctly
- 2 sessions, one on the inside and one on the outside
- Enforce correct TCP flag usage
- Manages TCP session timeouts
- Blocks SYN attacks
- Reassembly of packets ensuring correctness
- Properly handles TCP timeouts and retransmit timers
- All TCP proxies are protected
- Traffic control through access lists
- Drop TCP packets on ports not open
- Proxies block packet crafting

UDP: Attacks and Internet Threats
- Invalid UDP packets
- Random UDP data to bypass rules
- Connection prediction
- UDP port scanning

UDP: Protections
- Verify correct UDP packet
- Drop UDP packets on ports not open
Summary
- The need for firewalls
- Firewall characteristics and access policy
- Types of firewalls
  - Packet filtering firewall
  - Stateful inspection firewalls
  - Application-level gateway
  - Circuit-level gateway
- Firewall basing
  - Bastion host
  - Host-based firewalls
  - Personal firewall
- Firewall location and configurations
  - DMZ networks
  - Virtual private networks
  - Distributed firewalls
  - Firewall locations and topologies
- Intrusion prevention systems
  - Host-based IPS
  - Network-based IPS
  - Distributed or hybrid IPS
  - Snort inline
- Example: Unified Threat Management Products
Computer Security And Privacy
Chapter 11: Software Security
Software Security Issues
- Many vulnerabilities result from poor programming practices
  - Consequence of insufficient checking and validation of data and error codes
- Awareness of these issues is a critical initial step in writing more secure program code
- Software error categories:
  - Insecure interaction between components
  - Risky resource management
  - Porous defences
Software Errors (CWE/SANS Top 25 Most Dangerous Software Errors, 2011)

Software Error Category: Insecure Interaction Between Components
- Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- Unrestricted Upload of File with Dangerous Type
- Cross-Site Request Forgery (CSRF)
- URL Redirection to Untrusted Site ('Open Redirect')

Software Error Category: Risky Resource Management
- Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
- Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- Download of Code Without Integrity Check
- Inclusion of Functionality from Untrusted Control Sphere
- Use of Potentially Dangerous Function
- Incorrect Calculation of Buffer Size
- Uncontrolled Format String
- Integer Overflow or Wraparound

Software Error Category: Porous Defenses
- Missing Authentication for Critical Function
- Missing Authorization
- Use of Hard-coded Credentials
- Missing Encryption of Sensitive Data
- Reliance on Untrusted Inputs in a Security Decision
- Execution with Unnecessary Privileges
- Incorrect Authorization
- Incorrect Permission Assignment for Critical Resource
- Use of a Broken or Risky Cryptographic Algorithm
- Improper Restriction of Excessive Authentication Attempts
- Use of a One-Way Hash without a Salt
Software Security, Quality and Reliability
- Software quality and reliability:
  - Concerned with the accidental failure of a program as a result of some theoretically random, unanticipated input, system interaction, or use of incorrect code
  - Improved using structured design and testing to identify and eliminate as many bugs as possible from a program
  - Concern is not how many bugs, but how often they are triggered
- Software security:
  - Attacker chooses the probability distribution, specifically targeting bugs that result in a failure that can be exploited by the attacker
  - Triggered by inputs that differ dramatically from what is usually expected
  - Unlikely to be identified by common testing approaches
Defensive Programming
- Designing and implementing software so that it continues to function even when under attack
- Requires attention to all aspects of program execution, environment, and the type of data it processes
- Software is able to detect erroneous conditions resulting from some attack
- Also referred to as secure programming
- Key rule is to never assume anything: check all assumptions and handle any possible error states
Programs
(Figure: Abstract View of Program)
Defensive Programming
- Programmers often make assumptions about the type of inputs a program will receive and the environment it executes in
  - Assumptions need to be validated by the program and all potential failures handled gracefully and safely
- Requires a changed mindset compared to traditional programming practices
  - Programmers have to understand how failures can occur and the steps needed to reduce the chance of them occurring in their programs
- Conflicts with business pressures to keep development times as short as possible to maximize market advantage
Security by Design
- Security and reliability are common design goals in most engineering disciplines
  - Software development is not as mature
- Recent years have seen increasing efforts to improve secure software development processes
- Software Assurance Forum for Excellence in Code (SAFECode)
  - Develops publications outlining industry best practices for software assurance and providing practical advice for implementing proven methods for secure software development
Handling Program Input
- Incorrect handling is a very common failing
- Input is any source of data from outside whose value is not explicitly known by the programmer when the code was written
- Must identify all data sources
- Explicitly validate assumptions on size and type of values before use
Input Size & Buffer Overflow
- Programmers often make assumptions about the maximum expected size of input
  - Allocated buffer size is not confirmed, resulting in buffer overflow
- Testing may not identify the vulnerability
  - Test inputs are unlikely to include large enough inputs to trigger the overflow
- Safe coding treats all input as dangerous
Interpretation of Program Input
- Program input may be binary or text
  - Binary interpretation depends on encoding and is usually application specific
- There is an increasing variety of character sets being used
  - Care is needed to identify just which set is being used and what characters are being read
- Failure to validate may result in an exploitable vulnerability
  - The 2014 Heartbleed OpenSSL bug is a recent example of a failure to check the validity of a binary input value
Injection Attacks
- Flaws relating to invalid handling of input data, specifically when program input data can accidentally or deliberately influence the flow of execution of the program
- Most often occur in scripting languages
  - These encourage reuse of other programs and system utilities where possible to save coding effort
  - Often used as Web CGI scripts
Cross Site Scripting (XSS) Attacks
- Attacks where input provided by one user is subsequently output to another user
  - Commonly seen in scripted Web applications
  - Vulnerability involves the inclusion of script code in the HTML content
- Script code may need to access data associated with other pages
  - Browsers impose security checks and restrict data access to pages originating from the same site
- Exploit the assumption that all content from one site is equally trusted and hence is permitted to interact with other content from the site
- XSS reflection vulnerability
  - Attacker includes the malicious script content in data supplied to a site
Validating Input Syntax
- It is necessary to ensure that data conform with any assumptions made about the data before subsequent use
- Input data should be compared against what is wanted
  - The alternative is to compare the input data with known dangerous values
  - By only accepting known safe data the program is more likely to remain secure
Alternate Encodings
- May have multiple means of encoding text
  - Growing requirement to support users around the globe and to interact with them using their own languages
- Unicode used for internationalization
  - Uses a 16-bit value for characters
  - UTF-8 encodes as 1-4 byte sequences
  - Many Unicode decoders accept any valid equivalent sequence
- Canonicalization
  - Transforming input data into a single, standard, minimal representation
  - Once this is done the input data can be compared with a single representation of acceptable input values
Validating Numeric Input
- Additional concern when input data represents numeric values
- Internally stored in a fixed-sized value
  - 8, 16, 32, 64-bit integers
  - Floating point numbers depend on the processor used
  - Values may be signed or unsigned
- Must correctly interpret the text form and process consistently
  - Have issues comparing signed to unsigned
  - Could be used to thwart a buffer overflow check
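As an added example (not from the slides) tying together the three preceding points, allow-list syntax validation, canonicalization of alternate encodings, and numeric input, in Python: input bytes are decoded strictly (so overlong or invalid UTF-8 is refused), normalized to one Unicode form, and only then compared with an allow-list; a length field is accepted only as an unsigned decimal, beside the flawed signed comparison that a negative value slips past. The filename policy, buffer size and helper names are constructed for illustration.

```python
import re
import unicodedata

# Constructed policy: a name starts with a letter, digit or underscore and may then
# contain letters, digits, '_', '.', '-', at most 64 characters. No '/', no leading '.'.
ALLOWED_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")


class InvalidInput(ValueError):
    """Raised for any input that does not match what the program wants."""


def canonical_text(raw: bytes) -> str:
    """Decode as strict UTF-8 (Python's decoder refuses overlong and malformed
    sequences) and normalize to NFKC so every equivalent Unicode sequence
    becomes the same single representation before it is checked."""
    try:
        text = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise InvalidInput(f"invalid UTF-8: {exc.reason}") from None
    return unicodedata.normalize("NFKC", text)


def validate_filename(raw: bytes) -> str:
    """Allow-list check: canonicalize first, then accept only known-safe syntax."""
    name = canonical_text(raw)
    if not ALLOWED_NAME.fullmatch(name):
        raise InvalidInput(f"filename not in allowed syntax: {name!r}")
    return name


def naive_length_check(text: str, buffer_size: int) -> bool:
    """The flawed pattern from the slide: a signed comparison only against the
    upper bound, so "-1" passes even though it is not a usable length."""
    n = int(text)
    return n <= buffer_size


def as_uint32(n: int) -> int:
    """What a negative length becomes when later used as an unsigned 32-bit size."""
    return n & 0xFFFFFFFF


def validate_length(raw: bytes, buffer_size: int) -> int:
    """Accept a length only as an unsigned decimal within [0, buffer_size]: the
    syntax check rules out a sign, whitespace and exponents before conversion."""
    text = canonical_text(raw)
    if not re.fullmatch(r"[0-9]{1,10}", text):
        raise InvalidInput(f"length is not an unsigned decimal: {text!r}")
    n = int(text)
    if n > buffer_size:
        raise InvalidInput(f"length {n} exceeds buffer of {buffer_size}")
    return n
```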
Input Fuzzing
- Developed by Professor Barton Miller at the University of Wisconsin-Madison in 1989
- Software testing technique that uses randomly generated data as inputs to a program
  - Range of inputs is very large
  - Intent is to determine if the program or function correctly handles abnormal inputs
- Simple, free of assumptions, cheap
- Assists with reliability as well as security
- Can also use templates to generate classes of known problem inputs
- Disadvantage is that bugs triggered by other forms of input would be missed
  - A combination of approaches is needed for reasonably comprehensive coverage of the inputs
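As an added example (not from the slides), a minimal fuzzer in Python in the spirit of the slide: it feeds a target both template inputs of known problem shapes and randomly mutated seeds, and records every failure that is not the target's own graceful rejection. The target, a constructed length-prefixed record parser that trusts its length byte, and all inputs are made up for illustration.

```python
import random

# Constructed target: <1-byte length><payload><1-byte checksum>.
# It trusts the length byte, so a short record makes it fail with IndexError
# instead of rejecting the input cleanly.
def parse_record(data: bytes) -> bytes:
    if len(data) < 2:
        raise ValueError("record too short")
    n = data[0]
    payload = data[1:1 + n]
    checksum = data[1 + n]           # IndexError when n runs past the end of data
    if sum(payload) & 0xFF != checksum:
        raise ValueError("bad checksum")
    return payload


def make_record(payload: bytes) -> bytes:
    """Build a well-formed record to use as a fuzzing seed."""
    return bytes([len(payload)]) + payload + bytes([sum(payload) & 0xFF])


# Templates: classes of known problem inputs (empty, minimal, oversized length, very long)
TEMPLATES = [b"", b"\x00", b"\xff", b"\xff" + b"A" * 10, b"A" * 300]


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one to four random edits: overwrite, insert or delete bytes."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(3)
        if op == 0 and data:                       # overwrite a byte
            data[rng.randrange(len(data))] = rng.randrange(256)
        elif op == 1:                              # insert a few random bytes
            pos = rng.randrange(len(data) + 1)
            data[pos:pos] = bytes(rng.randrange(256) for _ in range(rng.randint(1, 8)))
        elif data:                                 # delete a byte
            del data[rng.randrange(len(data))]
    return bytes(data)


def fuzz(target, seeds, iterations=2000, seed=1):
    """Run target over the templates and `iterations` mutated seeds.
    Return {input: exception name} for every failure other than the target's
    own ValueError, which is how it is expected to reject bad input."""
    rng = random.Random(seed)                      # fixed seed: reproducible runs
    crashes = {}
    inputs = list(TEMPLATES) + [mutate(rng.choice(seeds), rng) for _ in range(iterations)]
    for data in inputs:
        try:
            target(data)
        except ValueError:
            continue                               # graceful rejection: fine
        except Exception as exc:                   # anything else is a bug to report
            crashes[data] = type(exc).__name__
    return crashes
```

The template with an oversized length byte finds the bug immediately; the random mutations find further instances of the same defect, which is why the slide recommends combining both approaches.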
Writing Safe Program Code
- Second component is the processing of data by some algorithm to solve the required problem
- High-level languages are typically compiled and linked into machine code, which is then directly executed by the target processor
- Security issues:
  - Correct algorithm implementation
  - Correct machine instructions for the algorithm
  - Valid manipulation of data
Correct Algorithm Implementation
- Issue of good program development technique
  - Algorithm may not correctly handle all problem variants
  - Consequence of the deficiency is a bug in the resulting program that could be exploited
- Initial sequence numbers used by many TCP/IP implementations are too predictable
  - The combination of the sequence number as an identifier and authenticator of packets and the failure to make them sufficiently unpredictable enables the attack to occur
- Another variant is when programmers deliberately include additional code in a program to help test and debug it
  - Often the code remains in the production release of a program and could inappropriately release information
  - May permit a user to bypass security checks and perform actions they would not otherwise be allowed to perform
  - This vulnerability was exploited by the Morris Internet Worm
Ensuring Machine Language Corresponds to Algorithm
- Issue is ignored by most programmers
  - Assumption is that the compiler or interpreter generates or executes code that validly implements the language statements
- Requires comparing machine code with the original source
  - Slow and difficult
- Development of computer systems with a very high assurance level is the one area where this level of checking is required
  - Specifically Common Criteria assurance level EAL 7
Correct Data Interpretation
- Data stored as bits/bytes in the computer
  - Grouped as words or longwords
  - Accessed and manipulated in memory or copied into processor registers before being used
  - Interpretation depends on the machine instruction executed
- Different languages provide different capabilities for restricting and validating the interpretation of data in variables
  - Strongly typed languages are more limited, safer
  - Other languages allow more liberal interpretation of data and permit program code to explicitly change their interpretation
Correct Use of Memory
- Issue of dynamic memory allocation
  - Used to manipulate unknown amounts of data
  - Allocated when needed, released when done
- Memory leak
  - Steady reduction in memory available on the heap to the point where it is completely exhausted
- Many older languages have no explicit support for dynamic memory allocation
  - Use standard library routines to allocate and release memory
- Modern languages handle it automatically
Race Conditions
- Without synchronization of accesses it is possible that values may be corrupted or changes lost due to overlapping access, use, and replacement of shared values
- Arise when writing concurrent code whose solution requires the correct selection and use of appropriate synchronization primitives
- Deadlock
  - Processes or threads wait on a resource held by the other
  - One or more programs has to be terminated
Operating System Interaction
- Programs execute on systems under the control of an operating system
  - Mediates and shares access to resources
  - Constructs the execution environment, which includes environment variables and arguments
- Systems have a concept of multiple users
  - Resources are owned by a user and have permissions granting access with various rights to different categories of users
- Programs need access to various resources; however, excessive levels of access are dangerous
- Concerns arise when multiple programs access shared resources such as a common file
Questions?