Lab 8: Firewalls & Intrusion Detection Systems

Fengwei Zhang

Wayne State University CSC 5991 Cyber Security Practice 1

Firewall & IDS

•  Firewall
–  A device or application that analyzes packet headers and enforces policy based on protocol type, source address, destination address, source port, and destination port. Packets that do not match policy are rejected
•  Intrusion Detection System (IDS)
–  A device or application that analyzes whole packets, both header and payload, looking for known events. When a known event is detected, a log message is generated detailing the event
•  Intrusion Prevention System (IPS)
–  A device or application that analyzes whole packets, both header and payload, looking for known events. When a known event is detected, the packet is rejected
•  Modern devices combine all of these functions in a single device/application (Smart Firewall)

Types of IDS

•  Host-based IDS (HIDS)
–  Installed locally on machines
–  Monitoring local user security
–  Monitoring program execution
–  Monitoring local system logs
•  Network-based IDS (NIDS)
–  Sensors are installed on the network
–  Monitor network activity (deep packet inspection)

Types of Network-based IDS

•  Signature-based IDS
–  Compares incoming packets with known signatures
–  E.g., Snort, Bro, Suricata
•  Anomaly-based IDS
–  Learns the normal behavior of the system
–  Generates alerts on packets that are different from the normal behavior

Signature-based IDS

•  Anti-virus tools
•  Problems
–  “Zero-day” attacks
–  Polymorphic attacks

Anomaly-based IDS

•  Anomaly-based IDS is capable of identifying “Zero-day” attacks
•  Problems
–  High false positive rates
–  Labeled training data

IDS Evaluation Metrics

•  True Positives (TP)
–  Hit: A genuine attack is detected
•  True Negatives (TN)
–  Correct rejection: Benign traffic identified as benign
•  False Positives (FP)
–  False alarm: Harmless behavior is misclassified as an attack
•  False Negatives (FN)
–  Miss: A genuine attack is not detected
•  An intrusion detection system is:
–  Accurate: if it detects all genuine attacks
–  Precise: if it never reports legitimate behavior as an attack

IDS Evaluation Metrics

•  The true positive (hit) rate is: TP / (TP + FN)
–  TP is the number of the true positives
–  FN is the number of the false negatives
•  The false positive (false alarm) rate is: FP / (FP + TN)
–  FP is the number of the false positives
–  TN is the number of the true negatives

IDS Evaluation Metrics

•  An undetected attack might lead to severe problems; frequent false alarms can lead to the system being disabled or ignored. A perfect IDS would be both accurate and precise
•  Suppose that only 1% of traffic is actually attacks; the detection accuracy of your IDS is 90%; the false positive rate is 10%
•  If you have an alarm, what is the chance that it is a false alarm?

IDS Evaluation Metrics

•  Suppose that only 1% of traffic is actually attacks
–  1000 events: 990 benign (false alarm or correct rejection); 10 attacks (hit or miss)
•  The detection accuracy of your IDS is 90%
–  True positive rate (hit accuracy): 90%
–  True positive number: (TP + FN) * TPR = 10 * 90% = 9 true alarms
•  The false positive rate is 10%
–  False positive rate: 10%
–  False positive number: (FP + TN) * FPR = 990 * 10% = 99 false alarms
•  P(attack | alarm) = 9 / (9 + 99) = 0.083333
•  There is approximately a 92% chance that a raised alarm is false

Snort

•  Signature-based IDS
•  Can be run as IPS or IDS
•  First released in 1997 but still updated and maintained today
•  Latest version Snort 2.9.8.2

Snort Rules

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN"; flags:SF; reference:arachnids,198; classtype:attempted-recon; sid:624; rev:1;)

rule header:   alert tcp $EXTERNAL_NET any -> $HOME_NET any
rule options:  (msg:"SCAN SYN FIN"; flags:SF; reference:arachnids,198; classtype:attempted-recon; sid:624; rev:1;)

Snort Rule Header

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN"; flags:SF; reference:arachnids,198; classtype:attempted-recon; sid:624; rev:1;)

The header alert tcp $EXTERNAL_NET any -> $HOME_NET any breaks down as:
  action:     alert
  protocol:   tcp
  Src IP:     $EXTERNAL_NET
  Src Port:   any
  Direction:  ->
  Dst IP:     $HOME_NET
  Dst Port:   any

Snort Rule Header: Action

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN"; flags:SF; reference:arachnids,198; classtype:attempted-recon; sid:624; rev:1;)

action: alert

1.  alert: Alerts and logs the packet when triggered.
2.  log: Only logs the packet when triggered.
3.  pass: Ignores or drops the packet or traffic matching.
4.  activate: Alerts then activates a dynamic rule or rules.
5.  dynamic: Ignores, until started by the activate rule, at which time, acts as a log rule.
6.  drop: block and log the packet
7.  reject: block the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP.
8.  sdrop: block the packet but do not log it.

Snort Rule Header: Protocol

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN"; flags:SF; reference:arachnids,198; classtype:attempted-recon; sid:624; rev:1;)

protocol: tcp

Protocols: TCP, UDP, ICMP, and IP
Future may include: ARP, IGRP, GRE, OSPF, RIP, IPX, etc.

Snort Rule Header: IP

alert tcp $EXTERNAL_NET any -> $HOME_NET any
alert tcp 192.168.1.0/24 any -> 192.168.1.0/24 1:1024
alert tcp ![192.168.1.0/24,10.1.1.0/24] any -> 192.168.1.44

Src IP | Src Port | Dst IP | Dst Port

•  $EXTERNAL_NET is a config value set in snort.conf
•  IP is specified also as dotted notation with CIDR masks. “any” is also valid
•  ! is the negation operator
•  Multiple IP specifications can be included using square brackets [] and comma-separating. Do not add spaces

Snort Rule Header: Port

alert tcp $EXTERNAL_NET any -> $HOME_NET any
alert tcp 192.168.1.0/24 any -> 192.168.1.0/24 1:1024
alert tcp ![192.168.1.0/24,10.1.1.0/24] any -> 192.168.1.44

Src IP | Src Port | Dst IP | Dst Port

Port can be specified as:
any     -- any port
1:1024  -- ports 1 to 1024 inclusive
55:     -- ports 55 and higher
:55     -- ports 0 to 55 (inclusive)

negation still works:
!6000:6001  -- matches any port except 6000 and 6001

Snort Rule Header: Direction

alert tcp $EXTERNAL_NET any -> $HOME_NET any
alert tcp 192.168.1.0/24 any -> 192.168.1.0/24 1:1024
alert tcp ![192.168.1.0/24,10.1.1.0/24] any -> 192.168.1.44

Src IP | Src Port | Dst IP | Dst Port

Direction can be specified as:
->  From the source IP/Port to the destination IP/Port
<>  Any direction
Note: <- does not exist… so the snort rules always read consistently.

Snort Rule Options

alert tcp $EXTERNAL_NET any -> $HOME_NET any \
    (msg:"SCAN SYN FIN"; flags:SF; reference:arachnids,198; \
    classtype:attempted-recon; sid:624; rev:1;)

Each option has the form name:value;

msg:<sample message>      Logs message into /var/snort/log
flags:<AFPRSU210>         Matches specific TCP flags
content:<text>            Matches specified text in packet
content:|<hexadecimal>|   Matches specified hex chars
sid:<snort ID>            Unique number to identify rules easily. Your rules should use SIDs > 1,000,000
rev:<revision #>          Rule revision number
reference:<ref>           Where to get more info about the rule
gid:<generator ID>        Identifies which part of Snort generated the alert. See /etc/snort/gen-msg.map for values
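An added example, not code from the lecture or from Snort itself: a small Python matcher for the header syntax described on the preceding slides (action, protocol, IP lists with ! and CIDR, port ranges in the 1:1024 / 55: / :55 forms, the -> and <> directions, and name:value options). VARS is a constructed stand-in for the $HOME_NET and $EXTERNAL_NET values that snort.conf would set; option values that themselves contain ';' are not handled.

```python
import ipaddress
import re

# Constructed stand-in for the variables snort.conf would define (assumption).
VARS = {"$HOME_NET": "192.168.1.0/24", "$EXTERNAL_NET": "!192.168.1.0/24"}
HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)")

def _expand(spec):
    """Resolve a $VAR, strip a leading '!', split a [a,b] list -> (negated, items)."""
    spec = VARS.get(spec, spec)
    negated = spec.startswith("!")
    spec = spec.lstrip("!")
    items = spec[1:-1].split(",") if spec.startswith("[") else [spec]
    return negated, items

def ip_matches(spec, addr):
    """'any', dotted CIDR, [list] and '!' negation, as on the IP slide."""
    negated, items = _expand(spec)
    hit = any(i == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(i, strict=False)
              for i in items)
    return hit != negated

def port_matches(spec, port):
    """'any', N, lo:hi, 'lo:' (lo and higher), ':hi' (0..hi), each optionally negated."""
    negated, items = _expand(spec)
    hit = False
    for item in items:
        lo, _, hi = item.partition(":")          # "55:" -> ("55", ":", ""), "80" -> ("80", "", "")
        lo = 0 if item == "any" or not lo else int(lo)
        hi = 65535 if item == "any" or (":" in item and not hi) else int(hi or lo)
        hit |= lo <= port <= hi
    return hit != negated

def parse_rule(rule):
    """Split a rule into its header fields and a dict of name:value options."""
    action, proto, sip, sport, direction, dip, dport = HEADER_RE.match(rule).groups()
    options = {}
    if "(" in rule:  # options are optional; values containing ';' are not handled
        for opt in rule[rule.index("(") + 1:rule.rindex(")")].split(";"):
            if ":" in opt:
                name, value = opt.split(":", 1)
                options[name.strip()] = value.strip()
    return {"action": action, "protocol": proto, "src_ip": sip, "src_port": sport,
            "direction": direction, "dst_ip": dip, "dst_port": dport, "options": options}

def header_matches(rule, proto, sip, sport, dip, dport):
    """True if the 5-tuple is covered by the rule header; '<>' also tries the reverse."""
    def covers(a, ap, b, bp):
        return (ip_matches(rule["src_ip"], a) and port_matches(rule["src_port"], ap)
                and ip_matches(rule["dst_ip"], b) and port_matches(rule["dst_port"], bp))
    return rule["protocol"] in (proto, "ip") and (covers(sip, sport, dip, dport)
            or (rule["direction"] == "<>" and covers(dip, dport, sip, sport)))
```

Only the header is matched here; options such as flags:SF would still have to be checked against the packet before the rule's action applies.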

Snort

•  More in the lab 8 instruction!