Network Security Controls
Topics 1. Firewalls 2. Virtual Private Networks 3. Intrusion Detection and Prevention 4. Honeypots
What is a Firewall? A software or hardware component that restricts network communication between two computers or networks. In buildings, a firewall is a fireproof wall that restricts the spread of a fire. Network firewall prevents threats from spreading from one network to another.
Internet Firewalls Many organizations/individuals deploy a firewall to restrict access to their network from Internet.
What is a Firewall? (2) A mechanism to enforce security policy Choke point that traffic has to flow through. ACLs on a host/network level. Policy Decisions: What traffic should be allowed into network? Integrity: protect integrity of internal systems. Availability: protection from DOS attacks. What traffic should be allowed out? Confidentiality: protection from data leakage.
Types of Firewalls Packet Filters (Stateless) If individual packet matches rules, then either accept or drop it. Stateful Filters Maintains records of all connections, so that It can accept/deny entire TCP or UDP session. Application Layer Firewalls A proxy server that relays byte streams from client to server and vice versa. Inspects application headers for undesirable sites and application data for undesirable content (malware etc.)
Stateless Firewalls A stateless firewall doesn t maintain any remembered context (or state ) with respect to the packets it is processing. Instead, it treats each packet attempting to travel through it in isolation without considering packets that it has processed previously. SYN Seq = x Port=80 Client SYN-ACK Seq = y Ack = x + 1 Trusted internal network ACK Seq = x + 1 Ack = y + 1 Firewall Server Allow outbound SYN packets, destination port=80 Allow inbound SYN-ACK packets, source port=80
Packet Filtering Information Forward or drop packets based on TCP/IP header information, most often: IP source and destination addresses Protocol (ICMP, TCP, or UDP) TCP/UDP source and destination ports TCP Flags, especially SYN and ACK ICMP message type Dual-homed hosts also make decisions based on: Network interface the packet arrived on. Network interface the packet will depart on.
Stateful Firewalls Allow only requested TCP connections: 76.120.54.101 128.34.78.55 SYN Seq = x Port=80 Server Client SYN-ACK Seq = y Ack = x + 1 Trusted internal network ACK Seq = x + 1 Ack = y + 1 (blocked) SYN-ACK Seq = y Port=80 Attacker Allow outbound TCP sessions, destination port=80 Firewall Established TCP session: (128.34.78.55, 76.120.54.101) Firewall state table
Gateway Router Host Firewall Deployment Filtering at interface between networks allows control via a choke point. Can filter spoofed IP addresses. Filter packets on each individual computer. How to manage thousands of packet filters?
Ingress/Egress Filtering Block spoofed IP addresses Ingress Filtering Drop packets arriving on external interface whose source IP addresses claims to be from internal network. Egress Filtering Drop packets arriving on internal interface whose source IP address is not from internal network.
Packet Filtering Summary Advantages: One packet filter can protect an entire network Efficient (requires little CPU) Supported by most routers Disadvantages: Difficult to configure correctly Must consider rule set in its entirety Difficult to test completely Performance penalty for complex rulesets Stateful packet filtering much more expensive Enforces ACLs at layer 3 + 4, without knowing any application details
Proxy Servers Proxy host relays Transport/App connections Client makes connection to proxy. Proxy forwards connection to server. Proxy can provide multiple security features: Access Control Authentication Logging Anonymity
Example: SOCKS v5 Socks Server Socks Client Library Clients must be linked against library. Library offers replacements for UNIX network socket system calls. User Authentication Protocols Cleartext username/password. GSS-API authentication.
Application Layer Firewalls Application layer rules HTTP: URLs, headers, etc. SMTP: spam statistics More complex Only 2 16 ports, but An infinite number of URLs.
Single Firewall Simplest type of firewall one host acts as a gateway between internal and external networks.
DMZ Firewall Architecture
Firewall Limitations Cannot protect from internal attacks May be able to limit access with internal firewalls to a segment of your network. Cannot protect you from user error Users will still run trojan horses that make it past your AV scanner. Firewall mechanism may not precisely enforce your security policy.
Tunneling Tunneling: Encapsulation of one network protocol in another protocol Carrier Protocol: protocol used by network through which the information is travelling Encapsulating Protocol: protocol (GRE, IPsec, L2TP) that is wrapped around original data Passenger Protocol: protocol that carries original data Can be used to encrypt connections or provider other security features not available to passenger protocol.
Tunneling vs. Eavesdropping Tunnel over ssh or SSL to offer encryption of packets. Client Encapsulating protocol (does end-to-end encryption and decryption) Server TCP/IP Untrusted Internet TCP/IP Payloads are encrypted here
IPSec IPSec defines a set of protocols to provide confidentiality and authenticity for IP packets Each protocol can operate in one of two modes, transport mode or tunnel mode. In transport mode, additional IPsec header information is inserted before the data of the original packet, and only the payload of the packet is encrypted or authenticated. In tunnel mode, a new packet is constructed with IPsec header information, and the entire original packet, including its header, is encapsulated as the payload of the new packet.
Virtual Private Network (VPN) Two or more computers or networks connected by a private tunnel through a public network (typically the Internet.) Requirements: Confidentiality: encryption Integrity: MACs, sequencing, timestamps Firewall Interactions Tunnels can bypass firewall Firewall is convenient place to add VPN features
Types of VPNs Remote access VPNs allow authorized clients to access a private network that is referred to as an intranet. For example, an organization may wish to allow employees access to the company network remotely but make it appear as though they are local to their system and even the Internet itself. To accomplish this, the organization sets up a VPN endpoint, known as a network access server, or NAS. Clients typically install VPN client software on their machines, which handle negotiating a connection to the NAS and facilitating communication. Site-to-site VPN solutions are designed to provide a secure bridge between two or more physically distant networks. Before VPN, organizations wishing to safely bridge their private networks purchased expensive leased lines to directly connect their intranets with cabling.
Models of Intrusion Detection 1. Anomaly detection What is usual, is known. What is unusual, is bad. Statistical IDS. Need to update profile so that it matches current usual activities on systems. 2. Misuse detection What is bad is known. Look for what is bad, hope it doesn t change. Rule based IDS. Need to regularly update db of intrusion signatures.
Possible Alarm Outcomes Intrusion Attack No Intrusion Attack Alarm Sounded True Positive False Positive No Alarm Sounded False Negative True Negative
Base-Rate Fallacy Difficult to create IDS with high true-positive rate and a low false-negative rate. If the number of actual intrusions is relatively small compared to the amount of data being analyzed, then the effectiveness of an intrusion detection system can be reduced. In particular, the effectiveness of some IDSs can be misinterpreted due to a statistical error known as the base-rate fallacy. This type of error occurs when the probability of some conditional event is assessed without considering the base rate of that event. CSC 482: Computer Security
Base-Rate Fallacy Example Example case IDS 99% accurate, 1% false positives or negatives IDS generates 1,000,100 log entries. Base rate is 100 malicious events of 1,000,100 examined. Results Of 100 malicious events, 99 will be detected as malicious, which means we have 1 false negative. Of 1,000,000 benign events, 10,000 will be mistakenly identified as malicious. That is, we have 10,000 false positives! Thus, 10,099 alarms sounded, 10,000 of which are false alarms. Roughly 99% of our alarms are false alarms. CSC 482: Computer Security
IDS Components IDS Manager Untrusted Internet router Firewall IDS Sensor IDS Sensor router router
IDS Architecture An IDS is essentially a sophisticated audit system Sensors gathers data for analysis from hosts or network. Manager analyzes data obtained from sensors according to its internal rules. Notifier acts on manager results. May simply notify security officer. May reconfigure sensors or manager to alter collection, analysis methods. May activate response mechanism.
Sguil NSM Console
Intrusion Prevention Systems What else can you do with IDS alerts? Identify attack before it completes. Prevent it from completing. How to prevent attacks? Directly: IPS drops packets, kills TCP sessions. Indirectly: IPS modifies firewall rules. Is IPS a good idea? How do you deal with false positives?
IPS Deployment Types Inline IPS Intranet Non-Inline IPS Intranet
Active Responses by Network Layer Data Link: Shut down a switch port. Only useful for local intrusions. Rate limit switch ports. Network: Block a particular IP address. Inline: can perform blocking itself. Non-inline: send request to firewall. Transport: Send TCP RST or ICMP messages to sender and target to tear down TCP sessions. Application: Inline IPS can modify application data to be harmless: /bin/sh -> /ben/sh
Great Firewall = Firewall + IPS CSC 482: Computer Security
Honeypots and Honeynets Honeypot: a system designed solely for intruders to attack in order to accomplish one or more of the following goals. Also known as a honeynet. 1. Detect intrusions with very few false positives, since legitimate users have no reason to access honeypot. 2. Monitor attacker activities to determine targeted assets, origin, motivation, capabilities, etc. 3. Waste intruder time attacking honeypot, so that defender has time to respond to incident.
Low Interaction Honeypots honeyd: responds to probes on a set of unused IP addresses via shell scripts that can return banners for simple scans like nmap sv. nepenthes: emulates vulnerable Windows services to collect exploits and malware. Dionaea: scriptable honeypot designed to be able to emulate wide variety of vulnerable services to collect exploits and malware. Fakenet: simulates DNS, HTTP, HTTPS to dynamically analyze malware. Returns reasonable responses to malware requests. CSC 482: Computer Security
Medium Interaction Honeypots Kippo is a medium interaction ssh honeypot designed to log brute force attacks and attacker shell commands. Inspired by Kojoney, a LI ssh honeypot. Fake filesystem with the ability to add/remove files. Possibility of adding fake file contents so the attacker can 'cat' files such as /etc/passwd. Only minimal file contents are included. Saves files downloaded with wget for later inspection Deception: ssh pretends to connect, apt-get pretends to install, etc.
High Interaction Honeypots Honeywall sets up tools for HI honeypots. Environment simulation: virtual machines configured with appropriate tools for the next three tasks. Data control: firewalling tools to limit attacker activities to avoid damaging other systems. Data collection: network (snort) and keystroke loggers (Sebek kernel module). Data analysis: tools to extract relevant data from tcpdump logs and more.
Honeymonkey Thug Client Honeypots Microsoft Research project. Network of VMs running IE crawling the web in search of malicious sites that attempt to exploit browsers and distribute malware. Multiple versions of Windows and IE used. Low interaction client honeypot. Emulates multiple browsers and OSes.
Honeytokens A honeytoken is data that is designed solely for attackers to abuse. Any access to the data is an indication of unauthorized use. Attempts to download honeytoken files or database records can be identified by NIDS. Medical record systems will sometimes create fake records for celebrities and politicians. Mailing lists may contain email addresses published nowhere else that point to accounts that accept mail and record sender information. Maps contain fake streets, towns, or islands to identify when competitors copy the map.
Key Points 1. Firewalls Packet filtering (stateless) Stateful firewalls Proxy servers Application layer firewalls 2. Firewall Architectures Positioning on network DMZ architectures 3. Virtual Private Networks Tunneling Protocols: carrier, encapsulating, passenger Virtual Private Networks
Key Points (2) 4. Models of IDS: Anomaly detection: unexpected events (statistical IDS.) Misuse detection: violations of policy (rule-based IDS). 5. IPS Stop intrusions, but what about false positives? Inline vs. non-inline: how do prevention techniques differ? 6. Honeypots deceive attackers 1. Identify intrusions with low false positive rates. 2. Learn more about intrusions, esp. with HI honeypots. 3. Interaction levels: low, medium, high 4. Honeyclients and honeytokens
References 1. William Cheswick, Steven Bellovin, and Avriel Rubin, Firewalls and Internet Security, 2 nd edition, 2003. 2. Simson Garfinkel, Gene Spafford, and Alan Schwartz, Practical UNIX and Internet Security, 3 rd edition, O Reilly & Associates, 2003. 3. Goodrich and Tammasia, Introduction to Computer Security, Pearson, 2011. 4. Ed Skoudis, Counter Hack Reloaded, Prentice Hall, 2006. 5. Elizabeth Zwicky, Brent Chapman, Simon Cooper, Building Internet Firewalls, 2 nd edition, O Reilly & Associates, 2000.