Firewalls. CS 6v81 - Network Security. What is a firewall? Firewall capabilities. Firewall limitations. Firewall limitations, cont d



Similar documents
CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

Intruders & Intrusion Hackers Criminal groups Insiders. Detection and IDS Techniques Detection Principles Requirements Host-based Network-based

Intrusion Detection. Overview. Intrusion vs. Extrusion Detection. Concepts. Raj Jain. Washington University in St. Louis

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls.

Segurança Redes e Dados

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Chapter 9 Firewalls and Intrusion Prevention Systems

Computer Security: Principles and Practice

Security Intrusion & Detection. Intrusion Detection Systems (IDSs)

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Firewalls. Chapter 3

Firewalls. Ola Flygt Växjö University, Sweden Firewall Design Principles

Computer Security DD2395

Firewalls CSCI 454/554

Chapter 20. Firewalls

Chapter 20 Firewalls. Cryptography and Network Security Chapter 22. What is a Firewall? Introduction 4/19/2010

How To Protect Your Firewall From Attack From A Malicious Computer Or Network Device

What would you like to protect?

INTRUSION DETECTION SYSTEMS and Network Security

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall

Module II. Internet Security. Chapter 7. Intrusion Detection. Web Security: Theory & Applications. School of Software, Sun Yat-sen University

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

Proxy Server, Network Address Translator, Firewall. Proxy Server

Computer Security DD2395

Security Technology: Firewalls and VPNs

IDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services

CSCI 4250/6250 Fall 2015 Computer and Networks Security

Module 8. Network Security. Version 2 CSE IIT, Kharagpur

CMPT 471 Networking II

Firewalls, IDS and IPS

Firewall Design Principles Firewall Characteristics Types of Firewalls

NETWORK SECURITY (W/LAB) Course Syllabus

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

How To Protect Your Network From Attack From Outside From Inside And Outside

Introduction... Error! Bookmark not defined. Intrusion detection & prevention principles... Error! Bookmark not defined.

Overview. Firewall Security. Perimeter Security Devices. Routers

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Firewalls (IPTABLES)

Introduction of Intrusion Detection Systems

Network Security and Firewall 1

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y / P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A

Name. Description. Rationale

PROFESSIONAL SECURITY SYSTEMS

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

INTRODUCTION TO FIREWALL SECURITY

IDS / IPS. James E. Thiel S.W.A.T.

Chapter 15. Firewalls, IDS and IPS

IPv6 Firewalls. ITU/APNIC/MICT IPv6 Security Workshop 23 rd 27 th May 2016 Bangkok. Last updated 17 th May 2016

Firewalls. Ahmad Almulhem March 10, 2012

IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT

IDS 4.0 Roadshow. Module 1- IDS Technology Overview. 2003, Cisco Systems, Inc. All rights reserved. IDS Roadshow

Architecture Overview

What is Firewall? A system designed to prevent unauthorized access to or from a private network.

Firewalls. Mahalingam Ramkumar

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

Lecture 23: Firewalls

Taxonomy of Intrusion Detection System

12. Firewalls Content

Cryptography and network security

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Securing Cisco Network Devices (SND)

How To Protect Your Network From Attack From A Hacker On A University Server

Firewall Security. Presented by: Daminda Perera

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP

Network Defense Tools

Firewalls. ITS335: IT Security. Sirindhorn International Institute of Technology Thammasat University ITS335. Firewalls. Characteristics.

Firewalls. Contents. ITS335: IT Security. Firewall Characteristics. Types of Firewalls. Firewall Locations. Summary

Intrusion Detection. Tianen Liu. May 22, paper will look at different kinds of intrusion detection systems, different ways of

Network Security: 30 Questions Every Manager Should Ask. Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

Intranet, Extranet, Firewall

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

Intrusion Detection Systems

Intrusion Detection Systems and Supporting Tools. Ian Welch NWEN 405 Week 12

13 Ways Through A Firewall

Network- vs. Host-based Intrusion Detection

How To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)

Intrusion Detection & SNORT. Fakrul Alam fakrul@bdhbu.com

Windows Remote Access

IntruPro TM IPS. Inline Intrusion Prevention. White Paper

Course Content Summary ITN 261 Network Attacks, Computer Crime and Hacking (4 Credits)

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Track 2 Workshop PacNOG 7 American Samoa. Firewalling and NAT

Network Based Intrusion Detection Using Honey pot Deception

Transcription:

CS 6v81 - Network Security Firewalls Firewalls and Intrusion Detection Systems 2 (Source: Stallings book, papers) What is a firewall? Collection of components between two networks that filter cross traffic based on some security policy Used as a perimeter defense to block/permit untrusted/trusted access to internal resources protecting networks and hosts Can also be used to block access to certain external sites by internal users To prevent users from downloading from blacklisted sites To prevent users from visiting blacklisted sites, etc. Challenge: managing a large number of firewalls and ensuring they enforce a consistent policy across the organization s network Firewall capabilities Installed at the boundary, choke point, of the nw to Keep unauthorized users out of the nw Prohibit potentially vulnerable services from entering/exiting the network Provides protection from IP spoofing and routing attacks Provides a location for monitoring security-related functions Can implement audits and alarms Can implement several security-related functions Network address translation Network management auditing and logging of usage Can be an end point for a VPN connection 3 4 Firewall limitations Cannot protect against attacks that bypass firewall Dial-out /dial-in systems for commuting employees Cannot protect against internal threats A disgruntled employee An unwitting employee cooperating with attacker Cannot protect against the transfer of virusinfected programs or files Need to be customized to specific use scenario Difficult and error-prone process, requires verification and testing to ensure that it does what it is supposed to do Firewall limitations, cont d Traffic amount and the need to analyze packet content may cause firewalls to become congestion point in the network Diversity of network access technologies may necessitate use of multiple firewalls for each access point resulting in the need for distributed firewall management End-to-end encryption is an issue for firewall use 5 6 1

Packet filtering firewalls Stateful inspection firewalls Application level firewalls Circuit level firewalls 7 Packet-filtering firewalls A with a set of static rules/filters to determine which packets are allowed to cross the inspection point Filtering is based on info contained in the packet Source/Dest IP; source/dest port no; IP protocol field; interface Limitations due to operation on individual packets Cannot filter packets that use application layer vulnerabilities Attacks involving multiple packets Ex. A hand crafted bogus TCP ACK packet for a non-existent TCP connection IP address spoofing 8 Source routing based attacks Tiny fragmentation attacks Packet-filtering firewalls Example rules Action Ourhost Port Theirhost Port comment Block * * SPIGOT * We don t trust these people Allow OUR-GW 25 * * Connection to our SMTP port Action Ourhost Port Theirhost Port comment Block * * * * Default is to block all traffic Stateful inspection firewalls Inspects packets in the context of their role in an incipient or ongoing conversation (e.g., TCP connection) Maintains data about open connections to ensure that the packet is part of a valid connection initiated by an authorized user Enforces policy on which type of conversation can take place (e.g., TCP connections if opened by local users) Maintains state for ongoing connections and accepts incoming packets for those connections only if they fit the profile of the connections 9 10 Stateful inspection firewalls Maintain a table for allowed connections By default, allow connections originated from internal hosts & deny connections originated from external hosts Accept packets belonging to allowed connections with no/minimal inspection Only the initial packets are matched against firewall rule db Other packets are matched with table of allowed connections Ex. connection table Type Internal IP Internal Port External IP External Port Status TCP 192.168.5.12 64333 129.110.44.12 80 OK UDP 192.168.33.13 60002 129.110.23.5 69 OK Application-level firewall proxy server Relays application traffic Client application contacts the relay to establish a connection and have it relay packets in both directions on its behalf Adv More secure than packet filters User authentication allows for effective blocking of unwanted traffic Easy to log and audit all incoming traffic at protocol level Disadv Requires additional processing overhead for each connection Effectively two connections between the users Still susceptible to SYN floods and ping floods 11 12 2

Application-level firewall proxy server Circuit-level firewall A stand-alone system or a specialized function performed by an application level gateway Does not permit and end-to-end TCP connection Gateway sets up two connections one with inner host, one with outside host Before the connection is set up, user must authenticate After authentication, TCP segments are forwarded between the two sides without examining their content Security provided by determining which connections are allowed Can be configured to support application level or proxy service on inbound connections and circuit level functions for outbound connections 13 14 Circuit-level firewall Bastion host A system that hosts application-level or circuitlevel gateways in a critical point in the network Hosts only the required/minimal set of services and shuts down all unnecessary services May require additional authentication before a user is allowed to access the proxy services Proxy modules include bare minimum required service functionality for network security 15 16 Firewall Deployment Topologies Simple packet filtering Packet filtering Private Network Firewall Deployment Topologies Screened host firewall system single-homed bastion host Consists of two nodes packet filtering and bastion host Bastion host performs authentication and proxy function All traffic (internal/external) has to go thru bastion host Server can be allowed to directly communicate w/ outside Packet filtering Bastion host Server Private network hosts 17 18 DMZ 3

Firewall Deployment Topologies Screened host firewall system dual-homed bastion host Consists of two nodes packet filtering and bastion host Bastion host physically separates the private network from the public network Firewall Deployment Topologies Screened subnet firewall Consists of three nodes two packet filtering and bastion host Outside only advertizes the screened subnet (not the private subnet) to outside world private subnet is invisible Packet filtering Bastion host Bastion host Outside Inside Server Private network hosts Server Private subnet 19 DMZ 20 DMZ Firewall Deployment Topologies A bridge (layer 2 LAN switch) firewall case Allows nw separation at layer 2 so that all the devices can be on the same subnet Eliminates the need to create multiple subnets to separate private subnet from the screened subnet Firewall platforms (hardware & software) Another classification of firewall types Screening firewalls Computer-based firewalls Firewall appliances Host firewalls on clients and servers Outside LAN switch Server Private subnet 21 22 Firewall platforms (hardware & software) Screening firewalls Add firewall software on a Usually provides light filtering only Expensive for the processing power usually must upgrade hardware too Screens out incoming noise of simple scanning attacks to make the detection of serious attacks easier Good location for egress filtering can eliminate scanning responses, even from the Firewall platforms (hardware & software) Computer-based firewalls Add firewall software to a server running a general purpose OS MS Windows or UNIX/LINUX Can be purchased with power to handle any load Easy to use due to familiarity with the OS Vendor may bundle software w/ hardened hw/os General purpose OS results in slower processing Security can be a hacked in Attacker can change filtering rules to allow attack packets in Attacker can change filtering rules to filter legitimate traffic 23 24 4

Firewall platforms (hardware & software) Firewall appliances Boxes with minimal OS difficult to hack Setup is minimal Not customized to specific application scenario Must be able to update for continual use/utility Firewall platforms (hardware & software) Host firewalls Installed on hosts servers and/or clients Enhanced security due to host-specific knowledge Eg. Filter out everything but Web traffic to webserver Defense in depth Normally used in conjunction with other firewalls Configuration may be difficult by ordinary users May require maintenance by a specialist for effectiveness/consistence with security policy 25 26 Additional Services Network Address Translation NAT A technology that allows one to use as few as one single IP address for hosts in a private network Nodes in the private network are by default inaccessible from outside Network translation helps local clients to communicate with external servers NAT functionality 128.119.40.186 Server 2 NAT translation table WAN side addr LAN side addr 12.10.2.4,5001 10.0.0.1,3345 S: 138.76.29.7, 5001 D: 128.119.40.186, 80 12.10.2.4 10.0.0.4 S: 10.0.0.1, 3345 D: 128.119.40.186, 80 1 10.0.0.1 S: 128.119.40.186, 80 D: 138.76.29.7, 5001 3 S: 128.119.40.186, 80 D: 10.0.0.1, 3345 4 10.0.0.2 10.0.0.3 Private subnet 27 28 Split-Horizon DNS DNS Domain Name Service Provides hostname-to-ip address mapping DNS info may be used by attackers to identify target machines within the internal network Use two DNS servers One to serve external queries includes DNS info for publicly accessible servers only Another to serve internal queries may include DNS info for all systems including the ones in the private network Mitigating host fingerprinting Fingerprinting the task of inferring information about a system Its OS, type of services and their particular implementation Used to learn info about systems for attacking purposes Many packet filtering firewalls include a scrub function to normalize and defragment incoming packets to protect internal systems from leaking info about their configurations 29 30 5

Virtual Private Networks (VPNs) Firewalls can support VPN functionality A VPN allows a remote user to be seen as local to the protected network via a secure tunnel ending at the firewall Used to allow remote connection to secured network and use services within the network E.g., use VPNs to connect UTD network and download your e-mails to your local PC or to map your home directory to your PC while working at home VPNs typically use IPsec to secure communication between your PC and the firewall Linux Firewalls Firewalls lab and related discussion 31 32 Intrusion Detection Intruders Significant issue hostile/unwanted trespass From benign to serious User trespass Unauthorized logon, privilege abuse Software trespass Virus, worm, or trojan horse Classes of intruders: Masquerader, misfeasor, clandestine user 33 (Slides by Lawrie Brown) Examples of Intrusion Remote root compromise Web server defacement Guessing / cracking passwords Copying viewing sensitive data / databases Running a packet sniffer Distributing pirated software Using an unsecured modem to access net Impersonating a user to reset password Using an unattended workstation Security Intrusion & Detection Security Intrusion A security event, or combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so. Intrusion Detection A security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of attempts to access system resources in an unauthorized manner. 6

Hackers Motivated by thrill of access and status Hacking community a strong meritocracy Status is determined by level of competence Benign intruders might be tolerable Do consume resources and may slow performance Can t know in advance whether benign or malign IDS / IPS / VPNs can help counter Awareness led to establishment of CERTs Collect/disseminate vulnerability info/responses Hacker Behavior Example 1. Select target using IP lookup tools 2. Map network for accessible services 3. Identify potentially vulnerable services 4. Brute force (guess) passwords 5. Install remote administration tool 6. Wait for admin to log on and capture password 7. Use password to access remainder of network Insider Attacks Among most difficult to detect and prevent Employees have access & systems knowledge May be motivated by revenge / entitlement When employment terminated Taking customer data when move to competitor IDS / IPS may help but also need: Least privilege, monitor logs, strong authentication, termination process to block access & mirror data Intrusion Techniques Objective to gain access or increase privileges Initial attacks often exploit system or software vulnerabilities to execute code to get backdoor E.g. buffer overflow Or to gain protected information E.g. password guessing or acquisition Intrusion Detection Systems Classify intrusion detection systems (IDSs) as: Host-based IDS: monitor single host activity Network-based IDS: monitor network traffic Logical components: Sensors - collect data Analyzers - determine if intrusion has occurred User interface - manage / direct / view IDS IDS Principles Assume intruder behavior differs from legitimate users Expect overlap as shown Observe deviations from past history Problems of: False positives False negatives Must compromise 7

IDS Requirements Run continually Be fault tolerant Resist subversion Impose a minimal overhead on system Configured according to system security policies Adapt to changes in systems and users Scale to monitor large numbers of systems Provide graceful degradation of service Allow dynamic reconfiguration Host-Based IDS Specialized software to monitor system activity to detect suspicious behavior Primary purpose is to detect intrusions, log suspicious events, and send alerts Can detect both external and internal intrusions Two approaches, often used in combination: Anomaly detection - defines normal/expected behavior Threshold detection Profile based Signature detection - defines proper behavior Audit Records A fundamental tool for intrusion detection Two variants: Native audit records - provided by O/S Always available but may not be optimum Detection-specific audit records - IDS specific Additional overhead but specific to IDS task Often log individual elementary actions E.g. may contain fields for: subject, action, object, exception-condition, resource-usage, time-stamp Anomaly Detection Threshold detection Checks excessive event occurrences over time Alone a crude and ineffective intruder detector Must determine both thresholds and time intervals Profile based Characterize past behavior of users / groups Then detect significant deviations Based on analysis of audit records Gather metrics: counter, gauge, interval timer, resource utilization Analyze: mean and standard deviation, multivariate, Markov process, time series, operational model Signature Detection Observe events on system and applying a set of rules to decide if intruder Approaches: Rule-based anomaly detection Analyze historical audit records for expected behavior, then match with current behavior Rule-based penetration identification Rules identify known penetrations / weaknesses Often by analyzing attack scripts from Supplemented with rules from security experts Distributed Host-Based IDS 8

Distributed Host-Based IDS Network-Based IDS Network-based IDS (NIDS) Monitor traffic at selected points on a network In (near) real time to detect intrusion patterns May examine network, transport and/or application level protocol activity directed toward systems Comprises a number of sensors Inline (possibly as part of other net device) Passive (monitors copy of traffic) NIDS Sensor Deployment Intrusion Detection Techniques Signature detection At application, transport, network layers; unexpected application services, policy violations Anomaly detection Of denial of service attacks, scanning, worms When potential violation detected sensor sends an alert and logs information Used by analysis module to refine intrusion detection parameters and algorithms By security admin to improve protection Distributed Adaptive Intrusion Detection Honeypots Are decoy systems Filled with fabricated info Instrumented with monitors / event loggers Divert and hold attacker to collect activity info Without exposing production systems Initially were single systems More recently are/emulate entire networks 9

SNORT Lightweight IDS Real-time packet capture and rule analysis Passive or inline Honeypot Deployment SNORT Rules Use a simple, flexible rule definition language With fixed header and zero or more options Header includes: action, protocol, source IP, source port, direction, dest IP, dest port Many options Example rule to detect TCP SYN-FIN attack: Alert tcp $EXTERNAL_NET any -> $HOME_NET any \ (msg: "SCAN SYN FIN"; flags: SF, 12; \ reference: arachnids, 198; classtype: attempted-recon;) 10

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information