“IDS and your network” Dale Tongue 10 September 2005.


Transcript of “IDS and your network” Dale Tongue 10 September 2005.

“IDS and your network”

Dale Tongue

10 September 2005

Intro

• What is a router?

• What is a syslog server?

• What is a Firewall?

• What is an IDS?

• How does a network get blocked?

What is a router?

• Router – A router is a hardware device designed to take incoming packets, analyze each packet and then direct it to the appropriate location, move the packet to another network, convert the packet so it can be moved across a different type of network interface, drop the packet, or perform any number of other actions.

• Brouter – Short for Bridge Router, a "brouter" is a networking device that serves as both a bridge and a router.

• Core router – A core router is a router in a computer network that routes data within a network but not between networks.

• Edge router – An edge router is a router in a computer network that routes data between one or more networks.

• Virtual router – A virtual router is a backup router used in a VRRP setup.

Router examples

What is a Syslog Server?

• Syslog – Short for SYStem LOG, syslog is a logging system originally developed for UNIX systems. The syslog is a collection of error messages, warning messages, and/or other system messages that are sent to a central location over UDP port 514. Today syslog is available on, or can be run by, the majority of operating systems as well as hardware devices such as network switches and routers.

Syslog Server example

(Diagram; labels: ID/Pwrd)

What is a Firewall?

• Firewall – The primary method for keeping a computer secure from intruders. A firewall allows or blocks traffic into and out of a private network or the user's computer. Firewalls are widely used to give users secure access to the Internet as well as to separate a company's public Web server from its internal network. Firewalls are also used to keep internal network segments secure; for example, the accounting network might be vulnerable to snooping from within the enterprise. A firewall can be as simple as a single router that filters out unwanted packets, or it may comprise a combination of routers and servers each performing some type of firewall processing.

• Firewalls are good DETECTION devices – they can detect legal/illegal access by logging it.

• Firewalls are weaker PROTECTION devices – attack code could be in the application layer, not the network layer; application firewalls address this.

What is a Firewall? (Cont) – Firewall Techniques

• Following are the different methods used to provide firewall protection; several of them are often used in combination.

– Packet Filter – Blocks traffic based on a specific Web address (IP address) or type of application (e-mail, FTP, Web, etc.), which is specified by port number. Packet filtering is typically done in a router, which is known as a "screening router." See bastion host.

– Proxy Server – Serves as a relay between two networks, breaking the connection between the two. Also typically caches Web pages (see proxy server).

– Network Address Translation (NAT) – Allows one IP address, which is shown to the outside world, to refer to many IP addresses internally, one on each client station, and performs the translation back and forth. NAT is found in routers and is built into Windows Internet Connection Sharing (ICS). See NAT and ICS.

– Stateful Inspection – Tracks the transaction to ensure that inbound packets were requested by the user. Generally can examine multiple layers of the protocol stack, including the data, if required, so blocking can be done at any layer or depth. See stateful inspection.

• Most are “Deny All – Allow By Exception”

Firewall Example

The use of two screening routers in the firewall configuration offers two points of protection from the outside world to the internal LAN.

(Diagram labels: Deny all, Allow by exception)

What is an IDS?

• IDS (Intrusion Detection System) Software that detects an attack on a network or computer system. A Network IDS (NIDS) is designed to support multiple hosts, whereas a Host IDS (HIDS) is set up to detect illegal actions within the host. Most IDS programs typically use signatures of known cracker attempts to signal an alert. Others look for deviations of the normal routine as indications of an attack. Intrusion detection is very tricky. Too much analysis can add excessive overhead and also trigger false alarms. Insufficient analysis can overlook a valid attack. See protocol anomaly, traffic anomaly, IPS and attack.

NIDS example

(Diagram: WAN – router – NIDS – LAN/IP based network at each site, with the NIDS reporting to a central Syslog Server.)

Sequence of events

• Network looks for signatures and is checked for someone “knocking” on the door, such as:

(1) Scan the network to: locate which IP addresses are in use; identify what operating system is in use; identify what TCP or UDP ports are “open” (being listened to by servers).

(2) Run “exploit” scripts against open ports.

(3) Get access to a shell program which is “suid” (has “root” privileges).

(4) Download special versions of system files that will let hackers have free access without their CPU time or disk storage space being noticed by auditing programs.

(5) Use IRC (Internet Relay Chat) to invite fellow hackers.

Sequence of events (Cont)

• As IDS boxes spit out data, the syslog server is checked against the “knocking” IP/network – search for anything from that IP or subnet.

• Use ARIN (http://www.arin.net/whois/), APNIC (http://www.apnic.net/apnic-bin/whois.pl), RIPE (http://www.ripe.net/), Sam Spade, etc.

– Dial-up will give a new IP, but probably the same subnet.

• If it’s not a coincidence, block the IP or the subnet.
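The syslog check described on these two slides, as an added example that is not part of the original talk: a small RFC 3164 style parser over constructed log lines, then a search for every record whose source address is the “knocking” IP or, because a dial-up attacker returns from the same subnet, anywhere in its /24. Host names, tags and addresses (documentation ranges) are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed syslog lines (RFC 3164 style: <PRI>timestamp host tag: message)
# as a NIDS and two gateway routers would send them to the syslog server.
SYSLOG_LINES = [
    "<134>Sep 10 03:11:02 nids1 ids: portscan from 198.51.100.23 to 192.0.2.10 ports 21,22,23,80",
    "<134>Sep 10 03:11:09 gw-east acl: denied tcp 198.51.100.77:4021 -> 192.0.2.10:22",
    "<134>Sep 10 03:12:40 gw-west acl: denied tcp 203.0.113.5:50011 -> 192.0.2.20:25",
    "<134>Sep 10 03:13:01 nids1 ids: exploit attempt from 198.51.100.23 to 192.0.2.10 port 80",
    "<134>Sep 10 03:14:15 gw-east acl: permitted tcp 192.0.2.44:33120 -> 198.51.100.200:80",
]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def parse_syslog(line):
    """Split one syslog line into its fields; None if it is not well formed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])  # PRI = facility * 8 + severity
    return {"facility": pri >> 3, "severity": pri & 7,
            "ts": m["ts"], "host": m["host"], "msg": m["msg"]}

def source_ip(msg):
    """In both constructed message formats the first IPv4 address is the source."""
    found = IPV4_RE.findall(msg)
    return found[0] if found else None

def correlate(lines, knocking_ip, prefixlen=32):
    """Return parsed records whose source lies in the suspect address (/32)
    or, with a shorter prefix, anywhere in its subnet."""
    suspect = ipaddress.ip_network(f"{knocking_ip}/{prefixlen}", strict=False)
    hits = []
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            continue  # skip lines that are not syslog at all
        src = source_ip(rec["msg"])
        if src and ipaddress.ip_address(src) in suspect:
            rec["src"] = src
            hits.append(rec)
    return hits

def sources_by_count(hits):
    """How many records each offending source produced, to judge coincidence."""
    return Counter(h["src"] for h in hits)
```

Widening the search from /32 to /24 is what catches the second address in the constructed sample; the permitted connection toward the suspect subnet is not counted because only the source is matched.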

Blocking the network

• Using CiscoWorks, edit the template and FTP it to all sites – the offending network would/could be trying all networks; this cuts down on labor and assures a block everywhere.

– If the offending network is korea.com, will you get your mail to an army.mil domain?

– Discuss the bh.korea list that commercial vendors use.

Domains?

• The Internet is big.

• Two entry points into the NIPRNet.

• From the “fixed east” and “fixed west”:

– Access the army.mil networks

– Each post has its own gateway

• Each gateway has its Access Control List.

• As Huachuca edits the list, subnets can be denied.

• Can also have an “allow” list.
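An added example (not from the talk) of the gateway access list the last two slides describe: “deny all, allow by exception” evaluated first-match, with the denied subnets placed ahead of the permitted exceptions. The subnets, ports and the helper names are constructed; documentation address ranges stand in for the offending and friendly networks, and the mail check answers the korea.com/army.mil question in code.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network       # source subnet the rule applies to
    dst_port: Optional[int] = None   # None matches any destination port

def make_acl(blocked_subnets, exceptions):
    """Build a gateway ACL: explicit denies for the blocked subnets come first,
    then the permitted exceptions; anything unmatched hits the implicit deny."""
    acl = [Rule("deny", ipaddress.ip_network(n)) for n in blocked_subnets]
    acl += [Rule("permit", ipaddress.ip_network(n), port) for n, port in exceptions]
    return acl

def evaluate(acl, src_ip, dst_port):
    """First matching rule wins; no match means deny (deny all, allow by exception)."""
    ip = ipaddress.ip_address(src_ip)
    for rule in acl:
        if ip in rule.src and rule.dst_port in (None, dst_port):
            return rule.action
    return "deny"

# Constructed lists (documentation ranges, not real sites).
BLOCKED = ["198.51.100.0/24"]                       # subnet seen "knocking"
EXCEPTIONS = [
    ("0.0.0.0/0", 25),       # inbound mail from anywhere
    ("0.0.0.0/0", 80),       # public web server
    ("203.0.113.0/24", 22),  # ssh only from the trusted peer post
]
GATEWAY_ACL = make_acl(BLOCKED, EXCEPTIONS)

def mail_still_arrives(acl, sender_ip):
    """The slide's question: does mail (port 25) from this sender still get through?
    A subnet-wide deny placed ahead of the mail exception also drops its mail."""
    return evaluate(acl, sender_ip, 25) == "permit"
```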

Sequence of events?

Intrusion Steps from the bad guy’s perspective

• Outside Reconnaissance – whois, DNS, WWW, FTP.

• Inside Reconnaissance – ping sweep, inverse mapping, port scanning, rpcinfo, showmount, snmpwalk.

• Exploit – exploiting vulnerabilities discovered earlier.

• Foothold – gained entrance into the machine and now starts to hide the evidence. Install rootkits, trojans.

• Profit – taking advantage of the entry, the hacker now goes after the real target – information, $$, credit card info, etc.

• Joyride – systems used in a relay attack.

Randy Marchany, VA Tech IT Security Lab, VA Tech Blacksburg, VA 24060, email: [email protected]

Common WWW Exploits

• CGI – passing data to the command shell via shell metacharacters, using hidden variables, phf.

• WWW server

• IIS/RDP – ../../../../ attack to get files from the server.

• Alternate data streams (Win95 names).

• URL – fields can cause buffer overflows as the URL is parsed in the HTTP header, displayed on the screen or saved in the cache history. An old IE bug would execute .LNK or .URL commands.

• HTTP headers can be used to exploit bugs because some fields are passed to functions that expect only certain information.

• HTML – MIME-type overflow in Netscape Communicator’s <EMBED> command.

• JavaScript – usually tries to exploit the “file upload” function by generating a filename and automatically hiding the SUBMIT button. Many fixes for this, but an equal number of circumventions.

• Frames – part of a JavaScript or Java hack (hiding web bugs). Hackers include a link to a valid site that uses frames, then replace some of those frames with bad WWW pages.

• Java – normal Java applets have no access to the local system, but sometimes they’d be more useful if they did have local access.

• ActiveX – works purely on a trust model and runs in native mode.


Common Reconnaissance Scans and DoS Attacks

• Ping Sweeps

• TCP/UDP Scans

• OS identification

• Account Scans

• Ping of Death

• SYN Flood

• Land

• DDoS

• See the PDF file that I brought for the RealSecure signatures file


How Do NIDS Detect Intrusions?

• Anomaly detection – measures a baseline of stats like CPU utilization, disk activity, user logins, file activity. NIDS triggers when a deviation from this baseline occurs.

• Signature recognition – pattern matching attack probes. Uses large databases to detect the attack. Antiviral software uses this. Works only for known attacks.


Matching Signatures with Incoming Traffic

• NIDS consists of a special TCP/IP stack that reassembles datagrams and TCP streams. It uses:

– Protocol Stack Verification – search for protocol violations (SYN/FIN, etc.)

– Application Protocol Verification

– New Event Creation – log all application layer protocols for later correlation.
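The two detection methods from the previous slide and the protocol stack verification named here, as an added example that is not the talk’s own material: a miniature NIDS pass over constructed packet records that flags TCP flag combinations no conforming stack emits (SYN with FIN, SYN with RST, no flags at all) and matches the request payload against byte signatures for the ../../../../ traversal and the phf CGI request mentioned earlier in the deck. Addresses are documentation ranges and the record layout is constructed.

```python
# TCP flag bits as they appear in the header's flags byte
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Constructed packet records, as a NIDS would see them after reassembly
PACKETS = [
    {"src": "198.51.100.23", "dport": 80, "flags": SYN | FIN, "payload": b""},
    {"src": "198.51.100.23", "dport": 80, "flags": 0, "payload": b""},
    {"src": "203.0.113.9", "dport": 80, "flags": PSH | ACK,
     "payload": b"GET /../../../../ HTTP/1.0\r\n"},
    {"src": "192.0.2.44", "dport": 80, "flags": SYN, "payload": b""},
    {"src": "192.0.2.44", "dport": 80, "flags": PSH | ACK,
     "payload": b"GET /index.html HTTP/1.0\r\n"},
]

# Signature recognition: byte patterns for two attacks named on the slides
SIGNATURES = [
    ("directory traversal", b"../../../../"),
    ("phf CGI request", b"/cgi-bin/phf"),
]

def protocol_violations(flags):
    """Protocol stack verification: flag combinations a legal TCP stack never sends."""
    found = []
    if flags & SYN and flags & FIN:
        found.append("SYN+FIN")
    if flags & SYN and flags & RST:
        found.append("SYN+RST")
    if flags == 0:
        found.append("NULL flags")
    return found

def signature_matches(payload):
    """Signature recognition: names of every known pattern present in the payload."""
    return [name for name, pattern in SIGNATURES if pattern in payload]

def inspect(packets):
    """Run both checks over every packet; one (kind, name, source) alert per finding."""
    alerts = []
    for p in packets:
        for violation in protocol_violations(p["flags"]):
            alerts.append(("protocol", violation, p["src"]))
        if p["dport"] == 80:  # web signatures only make sense on HTTP traffic
            for sig in signature_matches(p["payload"]):
                alerts.append(("signature", sig, p["src"]))
    return alerts
```

The alert tuples are what the next slide's responses (chime, SNMP trap, syslog record) would be driven from; the normal SYN and the plain GET produce nothing, which is the false-alarm side the IDS slide warns about.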


NIDS Detect the Attack

• Firewall reconfiguration to block the IP address.

• Chime – “Danger, Will Robinson!” alarm. Email or page admins.

• SNMP trap – send a trap datagram to the console.

• Syslog – record it in the NT Event log or Unix syslog.

• Save evidence.

• Launch a program to handle the event.

• Terminate the TCP connection by sending a FIN.


Some NIDS Products

• BlackIce Defender (Network Ice)

• CyberCop Monitor (Network Associates)

• RealSecure (ISS)

• NetRanger (WheelGroup/Cisco)

• eTrust Intrusion Detection (CA)

• NetProwler (Axent)

• Centrax (CyberSafe)

• NFR (Network Flight Recorder)

• Dragon (Security Wizards)
