Firewalls and Intrusion Detection
What is a Firewall?
- A computer system between the internal network and the rest of the Internet
- A single computer, or a set of computers that cooperate to perform the firewall function
- Protects the internal network from Internet-based attacks
- A single choke point at which to impose security and audit

Design Goals
- All traffic from inside to outside, or outside to inside, must pass through the firewall (configuration)
- Only authorized traffic is allowed to pass (security policy)
- The firewall itself is secure

Types of Firewalls
- Packet filter
- Application level gateway
- Encrypted tunnel

Packet Filters
- Apply rules to each incoming IP packet and then forward or discard the packet
- Rules are based on information contained in the packet: source IP address, destination IP address, source and destination transport-level address (port), IP protocol field, interface
- Default policy: discard or forward
Packet Filtering Examples
Stateful Packet Filter
- Problem: high-numbered port numbers are dynamic, so rules that open them could be exploited
- Solution: remember the established connections

Application Level Gateway
- Bastion host, proxy server
- Supports specific applications and specific features
- More secure, easy to log and audit
- Additional processing overhead
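The following is an added example, not from the slides, showing the difference between a plain packet filter and a stateful one. The rule format, the first-match evaluation order, the default-discard policy and the sample traffic are all constructed for illustration; a stateless filter would have to open the dynamic high ports with a rule to let replies in, while the stateful filter simply remembers the connection it already allowed.

```python
"""Packet filter with optional connection tracking (added example).

Assumptions, not from the slides: packets are plain dicts, rules are
evaluated in order (first match wins) and the default policy is discard.
The rule set and sample traffic below are constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                   # "forward" or "discard"
    iface: str                    # interface the packet arrived on: "in" or "out"
    proto: Optional[str] = None   # "tcp", "udp", "icmp"; None matches any
    src: Optional[str] = None     # source network in CIDR; None matches any
    dst: Optional[str] = None     # destination network in CIDR; None matches any
    dport: Optional[int] = None   # destination transport-level address

    def matches(self, pkt: dict) -> bool:
        if self.iface != pkt["iface"]:
            return False
        if self.proto is not None and self.proto != pkt["proto"]:
            return False
        if self.src is not None and ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt["dst"]) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.get("dport"):
            return False
        return True


@dataclass
class PacketFilter:
    rules: list
    stateful: bool = False        # False: plain packet filter; True: remember connections
    default: str = "discard"
    conns: set = field(default_factory=set)

    def decide(self, pkt: dict) -> str:
        fwd = (pkt["proto"], pkt["src"], pkt.get("sport"), pkt["dst"], pkt.get("dport"))
        rev = (pkt["proto"], pkt["dst"], pkt.get("dport"), pkt["src"], pkt.get("sport"))
        # A stateful filter forwards the reply half of a connection it has
        # already allowed, so no rule has to open the dynamic high ports.
        if self.stateful and rev in self.conns:
            return "forward"
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "forward" and self.stateful:
                    self.conns.add(fwd)
                return rule.action
        return self.default


# Constructed policy for an internal network 10.0.0.0/8 with a mail server at 10.0.0.2.
# Order matters: the anti-spoofing discard must come before the mail-server allow.
RULES = [
    Rule("discard", "in", src="10.0.0.0/8"),                          # internal source seen on the outside interface
    Rule("forward", "in", proto="tcp", dst="10.0.0.2/32", dport=25),  # anyone may reach the mail server
    Rule("forward", "out", proto="tcp", src="10.0.0.0/8"),            # internal hosts may connect out
]

# Constructed traffic: an outbound web request, its reply, an unsolicited
# inbound packet from port 80, inbound mail, and a spoofed internal source.
TRAFFIC = [
    ("web_request",  {"iface": "out", "proto": "tcp", "src": "10.0.0.5", "sport": 40000, "dst": "203.0.113.7", "dport": 80}),
    ("web_reply",    {"iface": "in",  "proto": "tcp", "src": "203.0.113.7", "sport": 80, "dst": "10.0.0.5", "dport": 40000}),
    ("unsolicited",  {"iface": "in",  "proto": "tcp", "src": "198.51.100.9", "sport": 80, "dst": "10.0.0.5", "dport": 40001}),
    ("inbound_mail", {"iface": "in",  "proto": "tcp", "src": "198.51.100.9", "sport": 5555, "dst": "10.0.0.2", "dport": 25}),
    ("spoofed",      {"iface": "in",  "proto": "tcp", "src": "10.0.0.9", "sport": 1, "dst": "10.0.0.2", "dport": 25}),
]


def run(stateful: bool) -> dict:
    """Run the constructed traffic through the filter and return name -> decision."""
    pf = PacketFilter(RULES, stateful=stateful)
    return {name: pf.decide(pkt) for name, pkt in TRAFFIC}


if __name__ == "__main__":
    for mode in (False, True):
        print("stateful" if mode else "stateless", run(mode))
```

With `stateful=False` the web reply is discarded because no rule opens port 40000; with `stateful=True` it is forwarded because the filter saw the outbound request, while the unsolicited packet from port 80 is still discarded.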
Encrypted Tunnels
What a Firewall can't do
- Cannot protect against internal threats
- Cannot protect against attacks that bypass the firewall
- Cannot protect against the transfer of virus-infected programs or files

Why do we need an IDS?
- IDS: Intrusion Detection System
- Second line of defense: prevention, detection, recovery
- Motivation:
  - Detect an attack: the sooner an attack is detected, the less damage is done and the more quickly recovery can be achieved
  - An effective IDS can serve as a deterrent, so acting to prevent intrusions
  - An IDS collects information about intrusion techniques that can be used to strengthen the intrusion prevention facility

Intrusion Detection Approaches
- Rule-based or misuse detection
  - Attempt to define a set of rules that can be used to decide that a given behavior is that of an intruder
  - Define improper behavior, or an attack signature, for known attacks
  - False negative rate is high
- Anomaly detection
  - Collect data relating to the behavior of legitimate users over a period of time, then apply statistical tests to observed behavior to determine with a high level of confidence whether that behavior is not legitimate user behavior
  - Define normal, or expected, behavior and use a threshold or profile to detect abnormal behavior; can be used for unknown attacks
  - False positive rate is high

Intrusion Examples
- Spam coming from a machine in your network
- Packets with forged source addresses
- A machine trying to contact a known bad service, such as an IRC channel that's being used to control a botnet
- Multiple failed login attempts
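The next block is an added example, not from the slides, that runs both detection approaches over constructed data: a misuse rule for the "multiple failed login attempts" case, and a statistical anomaly test for the "spam coming from a machine in your network" case. The log format, the window and threshold values, and the baseline numbers are assumptions made for illustration.

```python
"""Rule-based and anomaly-based detection over constructed inputs (added example).

Assumptions, not from the slides: the auth log format, the failed-login
threshold and window, and the per-host SMTP baseline are all constructed.
"""
import re
import statistics
from collections import defaultdict

# Constructed sample of an authentication log: time, result, user, source host.
AUTH_LOG = """\
10:00:01 FAILED user=alice src=10.0.0.7
10:00:02 FAILED user=alice src=10.0.0.7
10:00:02 FAILED user=alice src=10.0.0.7
10:00:03 FAILED user=alice src=10.0.0.7
10:00:04 FAILED user=alice src=10.0.0.7
10:00:05 FAILED user=alice src=10.0.0.7
10:00:09 OK user=bob src=10.0.0.8
10:00:12 FAILED user=carol src=10.0.0.9
10:00:30 OK user=carol src=10.0.0.9
this line is malformed and must not crash the parser
"""

LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d) (FAILED|OK) user=(\S+) src=(\S+)$")


def parse_auth(log: str) -> list:
    """Parse log lines into (seconds_since_midnight, result, user, src) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the detector
        h, mi, s, result, user, src = m.groups()
        events.append((int(h) * 3600 + int(mi) * 60 + int(s), result, user, src))
    return events


def failed_login_alerts(events, threshold: int = 5, window: int = 60) -> set:
    """Misuse rule: at least `threshold` failures for one (user, src) inside
    `window` seconds is treated as an attack signature."""
    alerts = set()
    recent = defaultdict(list)  # (user, src) -> timestamps of failures in the window
    for t, result, user, src in events:
        if result != "FAILED":
            continue
        times = recent[(user, src)]
        times.append(t)
        while times and t - times[0] > window:  # slide the window forward
            times.pop(0)
        if len(times) >= threshold:
            alerts.add((user, src))
    return alerts


# Constructed profile: outbound SMTP connections per hour from one host,
# collected during the profiling period when the host behaved normally.
BASELINE_SMTP_PER_HOUR = [3, 5, 4, 6, 2, 4, 5, 3, 4, 4]


def anomaly_score(observed: float, baseline: list) -> float:
    """Standard score of the observation against the legitimate-behavior profile."""
    mean = statistics.mean(baseline)
    sd = statistics.pstdev(baseline) or 1.0  # guard against a constant baseline
    return (observed - mean) / sd


def is_anomalous(observed: float, baseline: list, z_threshold: float = 3.0) -> bool:
    """Anomaly detection: flag observations far above the profile. The threshold
    trades false positives (too low) against missed attacks (too high)."""
    return anomaly_score(observed, baseline) > z_threshold


if __name__ == "__main__":
    print("failed-login alerts:", failed_login_alerts(parse_auth(AUTH_LOG)))
    print("200 SMTP/hour anomalous:", is_anomalous(200, BASELINE_SMTP_PER_HOUR))
    print("6 SMTP/hour anomalous:", is_anomalous(6, BASELINE_SMTP_PER_HOUR))
```

The misuse rule only fires for the pattern it was written for (alice from 10.0.0.7), and would miss a slower attack spread over a longer window, which is the high false-negative side of rule-based detection; the anomaly test flags a host sending 200 messages an hour against a baseline of about four, but the same test will also flag an unusual legitimate burst, which is its false-positive side.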
Attacks on Rule-based IDS
- Insertion attack
  - Goal: evade detection by the NIDS
  - Approach: insert certain packets that will be seen by the NIDS but not by the destination host, such that the attack signature is garbled at the NIDS

Evasion Attack
- Goal: evade detection by the NIDS
- Approach: construct certain packets that will not be seen by the NIDS but will be seen by the destination host, such that the attack signature is garbled at the NIDS
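Both attacks work because the monitor's view of the stream differs from the end host's. The defensive check is for the NIDS to discard any segment the destination would also discard before it reassembles and matches signatures. The block below is an added example, not from the slides: the segment representation, the validity flags and the signature string are constructed for illustration, and the reassembly keeps the first byte seen for a sequence number, which is a simplification since real stacks differ.

```python
"""TCP stream reassembly in a NIDS, with and without validating segments the
way the end host would (added example; segment format and signature are
constructed, not taken from the slides)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int               # sequence number of the first payload byte
    payload: bytes
    checksum_ok: bool      # would the end host accept the checksum?
    ttl_reaches_host: bool # is the TTL large enough to reach the end host?


SIGNATURE = b"EVILCMD"  # constructed signature string


def host_would_accept(seg: Segment) -> bool:
    """Checks the end host applies before consuming a segment."""
    return seg.checksum_ok and seg.ttl_reaches_host


def reassemble(segments, validate: bool) -> bytes:
    """Concatenate payloads in sequence order.

    With validate=True the monitor keeps only segments the destination would
    also accept, so the reassembled stream matches what the host sees.
    First data seen for a sequence number wins (simplification).
    """
    stream = {}
    for seg in segments:
        if validate and not host_would_accept(seg):
            continue
        for i, b in enumerate(seg.payload):
            stream.setdefault(seg.seq + i, b)
    return bytes(stream[k] for k in sorted(stream))


def detect(segments, validate: bool = True) -> bool:
    """Signature match over the reassembled stream."""
    return SIGNATURE in reassemble(segments, validate)


# Constructed stream: one segment has a bad checksum, so the end host drops it
# while a naive monitor would splice it into the stream.
SAMPLE = [
    Segment(0, b"EVI", checksum_ok=True, ttl_reaches_host=True),
    Segment(3, b"X", checksum_ok=False, ttl_reaches_host=True),
    Segment(3, b"LCMD", checksum_ok=True, ttl_reaches_host=True),
]


if __name__ == "__main__":
    print("naive monitor view:", reassemble(SAMPLE, validate=False), detect(SAMPLE, validate=False))
    print("validating monitor:", reassemble(SAMPLE, validate=True), detect(SAMPLE, validate=True))
```

The naive monitor reassembles a stream the host never sees and misses the signature; the validating monitor reproduces the host's view and matches it. Evasion is the mirror case: the monitor must not discard anything the host would accept, which is why ambiguous cases (overlapping data, uncertain TTLs) are best resolved by normalizing traffic in-line rather than guessing.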
Denial-of-Service Attacks
DoS Attacks
- An explicit attempt by attackers to prevent legitimate users of a service from using that service
- Overpowering the victim: small resource consumption at the attacker side, larger resource consumption at the victim side
- Brute force: flooding by a large number of attackers
- Concealing the attacker's identity: forged source addresses
- Examples: one-packet kill, land attack, TCP SYN flooding attack, smurf attack, WinFreeze, Loki, TFN, Trinoo, Stacheldraht
- Firewalls can help protect against DoS attacks by keeping nuisance traffic off your net, but cannot eliminate IP-spoofed packets

One-Packet Kill
- Exploits software vulnerabilities or bugs by sending a single packet that causes a system to crash
- For example, sending a packet to port 427 of a Windows 98 system running the Novell Intranet Client will cause the blue screen of death

Land Attack
- Exploits a flaw in some IP stack implementations by sending a forged packet with the source address the same as the destination address, which causes the operating system to crash
Smurf Attack
WinFreeze
- Uses a large number of ICMP redirect messages to keep the victim host busy updating its routing table, achieving DoS

Loki
- A Loki server is installed on a compromised machine, listening to ICMP traffic
- The attacker sends ICMP echo requests to the Loki server, which transfers data in ICMP echo replies
- An implementation of tunneling, where data is transmitted secretly across a network by hiding it in traffic that normally does not contain payloads
- Used as a backdoor into a Unix system after root access has been compromised

Distributed DoS
- Increases the resources available for offense
- Makes it harder to trace the attacker
- A typical DDoS architecture: the attacker operates from its console, communicating with a group of masters. Each master controls a group of daemons, which actually launch the attacks. Masters and daemons are compromised machines on which the attack software is installed.

Trinoo
- Communication means: TCP and UDP
- Attacks: UDP floods to random ports of the victim

Why not TCP Flooding?
- UDP does not have flow control: the attacker can send at the highest rate that its network connection allows
- If the attacker has a faster Internet link than the victim, the attacker can congest the victim's Internet connection

Tribe Flood Network (TFN)
- Communication means: ICMP echo reply
- Attacks: UDP flood, TCP SYN flood, ICMP echo flood

TFN2k
- First DDoS program on Windows
- Communication means: encryption over TCP, UDP, or ICMP with no identifying ports
- Attacks: UDP flood, TCP SYN flood, ICMP echo flood

Stacheldraht
- Combination of Trinoo and TFN
- Communication means: encryption over TCP or ICMP echo reply
- Attacks: UDP flood, TCP SYN flood, ICMP echo flood
Defense
Client Puzzle
- The victim can exhaust the attacker's resources: the client must spend work on a puzzle before being served
- Can prevent spam and DoS attacks

Anti-Address Spoofing
- Ingress filtering: an edge router filters packets with source addresses not belonging to its network
- Requires wide deployment to be effective

Route-based Distributed Packet Filtering
- A router drops a packet if the packet is received from an adjacent link that is not on any routing path from the packet's source to the packet's destination
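A hash-based client puzzle, as an added example that is not from the slides: the server issues a random nonce and a difficulty k, the client must find an x such that SHA-256(nonce || x) has at least k leading zero bits, and the server verifies with a single hash. The puzzle construction, the single-use bookkeeping and the difficulty value are assumptions made for illustration.

```python
"""Hash-based client puzzle (added example, not from the slides).

Solving costs the client about 2**difficulty hash evaluations on average;
verifying costs the server exactly one, which is the asymmetry that lets
the victim exhaust the attacker's resources instead of its own.
"""
import hashlib
import os


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    n = int.from_bytes(digest, "big")
    return len(digest) * 8 - n.bit_length()


def verify(nonce: bytes, difficulty: int, solution: int) -> bool:
    """One hash: does SHA-256(nonce || solution) start with `difficulty` zero bits?"""
    digest = hashlib.sha256(nonce + solution.to_bytes(8, "big")).digest()
    return leading_zero_bits(digest) >= difficulty


def solve(nonce: bytes, difficulty: int, max_tries: int = 1 << 26) -> int:
    """Client side: brute-force search for a solution (the expensive part)."""
    for x in range(max_tries):
        if verify(nonce, difficulty, x):
            return x
    raise RuntimeError("no solution within max_tries")


class PuzzleServer:
    """Issues puzzles and serves a request only with a valid, unused solution.

    Assumption for illustration: difficulty is fixed; a real server would
    raise it as load grows and lower it when the flood stops.
    """

    def __init__(self, difficulty: int = 12):
        self.difficulty = difficulty
        self.outstanding = set()   # nonces issued but not yet redeemed
        self.served = 0

    def challenge(self):
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce, self.difficulty

    def serve(self, nonce: bytes, solution: int) -> bool:
        # Unknown or already-used nonce: reject before doing any real work.
        if nonce not in self.outstanding:
            return False
        if not verify(nonce, self.difficulty, solution):
            return False
        self.outstanding.discard(nonce)  # single use: no replaying a solution
        self.served += 1
        return True


if __name__ == "__main__":
    server = PuzzleServer(difficulty=12)
    nonce, k = server.challenge()
    x = solve(nonce, k)
    print("solution", x, "accepted:", server.serve(nonce, x))
    print("replay accepted:", server.serve(nonce, x))
```

Difficulty 12 means roughly 4096 hashes per request for a legitimate client, which is negligible for one user but adds up for an attacker trying to send thousands of requests a second; the server's cost stays at one hash per request.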
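The following is an added example, not from the slides, that implements both anti-spoofing checks on a constructed topology: an ingress filter at the edge that accepts only the attached network's own prefixes, and a route-based distributed packet filter that drops a packet arriving over a link not on any routing path from its claimed source to its destination. The topology, prefix assignments and the assumption of shortest-path routing (ties allowed) are all constructed for illustration.

```python
"""Ingress filtering and route-based distributed packet filtering on a toy
topology (added example; topology, prefixes and packets are constructed)."""
from collections import deque
from ipaddress import ip_address, ip_network


def ingress_filter(pkt_src: str, customer_prefixes) -> bool:
    """Edge router check: forward only if the source belongs to the attached network."""
    return any(ip_address(pkt_src) in ip_network(p) for p in customer_prefixes)


# Constructed topology: router -> neighbours (links are bidirectional).
TOPOLOGY = {
    "A": ["B", "C"],
    "B": ["A", "D"],
    "C": ["A", "D"],
    "D": ["B", "C", "E"],
    "E": ["D"],
}
# Constructed prefix assignment: which router originates each prefix.
ORIGIN = {"10.1.0.0/16": "A", "10.2.0.0/16": "E", "10.3.0.0/16": "C"}


def shortest_paths(topo, src, dst) -> list:
    """All shortest paths from src to dst (assumption: shortest-path routing)."""
    dist = {src: 0}
    parents = {src: []}
    queue = deque([src])
    while queue:
        u = queue.popleft()
        for v in topo[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                parents[v] = [u]
                queue.append(v)
            elif dist[v] == dist[u] + 1:
                parents[v].append(u)  # equal-cost alternative
    if dst not in dist:
        return []
    paths = []

    def build(node, suffix):
        if node == src:
            paths.append([src] + suffix)
            return
        for p in parents[node]:
            build(p, [node] + suffix)

    build(dst, [])
    return paths


def origin_router(ip: str):
    for prefix, router in ORIGIN.items():
        if ip_address(ip) in ip_network(prefix):
            return router
    return None


def route_based_filter(router: str, arrived_from: str, pkt_src: str, pkt_dst: str) -> bool:
    """Forward only if the link (arrived_from -> router) lies on some routing
    path from the source's origin to the destination's origin."""
    s, d = origin_router(pkt_src), origin_router(pkt_dst)
    if s is None or d is None:
        return False  # unknown prefix: nothing to validate against, drop
    for path in shortest_paths(TOPOLOGY, s, d):
        for i in range(1, len(path)):
            if path[i] == router and path[i - 1] == arrived_from:
                return True
    return False


if __name__ == "__main__":
    print(ingress_filter("10.1.0.5", ["10.1.0.0/16"]), ingress_filter("192.0.2.1", ["10.1.0.0/16"]))
    print(shortest_paths(TOPOLOGY, "A", "E"))
    # genuine A -> E traffic reaching D via B or C, versus a spoofed A source arriving from E
    print(route_based_filter("D", "B", "10.1.0.5", "10.2.0.9"), route_based_filter("D", "E", "10.1.0.5", "10.2.0.9"))
```

The ingress filter needs only local knowledge but helps only where it is deployed; the route-based filter lets an interior router such as D reject a packet that claims a source behind A but arrives from E, since no route from A to E enters D over that link.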
IP Traceback in Flooding Attack
IP Traceback
- Fit traceback information (distance, edge fragment, path identifier) into the IP header

Path Identifier
- Encode the path information in the packet header and allow the victim to filter the attack packets

Perimeter-Based Defense
- Rate limiting is pushed directly to the edge routers
- Rate limit with AIMD (additive increase, multiplicative decrease)
- Rate limit with IP traceback
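An added simulation, not from the slides, of AIMD rate limiting pushed to the edge routers: each edge admits at most its current limit, the victim signals congestion when the aggregate exceeds its capacity, and every edge then cuts its limit multiplicatively, otherwise raising it additively. The capacity, offered loads and AIMD constants are constructed for illustration.

```python
"""Perimeter-based AIMD rate limiting (added example, not from the slides).
Capacity, offered loads and AIMD parameters are constructed."""
from dataclasses import dataclass


@dataclass
class Round:
    admitted: list    # traffic each edge router let through this round
    congested: bool   # did the aggregate exceed the victim's capacity?
    limits: list      # per-edge limits after this round's AIMD adjustment


def simulate(offered, capacity, initial_limit, increase, decrease, rounds) -> list:
    """Each round every edge router admits min(offered, limit). On a congestion
    signal from the victim every edge multiplies its limit by `decrease`;
    otherwise every edge adds `increase`."""
    limits = [float(initial_limit)] * len(offered)
    history = []
    for _ in range(rounds):
        admitted = [min(o, lim) for o, lim in zip(offered, limits)]
        congested = sum(admitted) > capacity
        if congested:
            limits = [lim * decrease for lim in limits]
        else:
            limits = [lim + increase for lim in limits]
        history.append(Round(admitted, congested, list(limits)))
    return history


# Constructed scenario: two edges carrying flood traffic (80 units each), one edge
# carrying a light legitimate load (10), a victim that can absorb 100 units.
OFFERED = [80, 80, 10]
CAPACITY = 100


def run() -> list:
    return simulate(OFFERED, CAPACITY, initial_limit=50, increase=5, decrease=0.5, rounds=12)


if __name__ == "__main__":
    for i, r in enumerate(run(), 1):
        print(f"round {i:2d} admitted={r.admitted} total={sum(r.admitted):.0f} congested={r.congested}")
```

The heavy edges are the ones that get cut back, while the light edge's 10 units always fit under its limit once the first decrease has happened; the aggregate oscillates just under the capacity, which is the sawtooth AIMD produces. Combining this with IP traceback lets the victim direct the limit at the edges the flood actually enters from instead of all of them.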
Reading Assignment [Kaufman] Chapter 23