Network Security Controls
CSC 482: Computer Security
Topics
1. Firewalls
2. Virtual Private Networks
3. Intrusion Detection and Prevention
4. Honeypots
What is a Firewall?
A software or hardware component that
restricts network communication between
two computers or networks.
In buildings, a firewall is a fireproof wall
that restricts the spread of a fire.
Network firewall prevents threats from
spreading from one network to another.
Internet Firewalls
Many organizations and individuals deploy a firewall to restrict access to their network from the Internet.
What is a Firewall? (2)
A mechanism to enforce security policy
– Choke point that traffic has to flow through.
– ACLs on a host/network level.
Policy Decisions:
– What traffic should be allowed into network?
• Integrity: protect integrity of internal systems.
• Availability: protection from DOS attacks.
– What traffic should be allowed out?
• Confidentiality: protection from data leakage.
Types of Firewalls
Packet Filters (Stateless)
– If individual packet matches rules, then either accept or
drop it.
Stateful Filters
– Maintains records of all connections, so that
– It can accept/deny entire TCP or UDP session.
Application Layer Firewalls
– A proxy server that relays byte streams from client to
server and vice versa.
– Inspects application headers for undesirable sites and
application data for undesirable content (malware etc.)
Stateless Firewalls
A stateless firewall doesn’t maintain any remembered context (or
“state”) with respect to the packets it is processing. Instead, it
treats each packet attempting to travel through it in isolation
without considering packets that it has processed previously.
[Figure: stateless firewall between the trusted internal network (Client) and a Server on the Internet. The three-way handshake crosses the firewall: SYN (Seq = x, port 80), SYN-ACK (Seq = y, Ack = x + 1), ACK (Seq = x + 1, Ack = y + 1). Rules shown on the firewall:]
– Allow outbound SYN packets, destination port=80
– Allow inbound SYN-ACK packets, source port=80
Packet Filtering Information
Forward or drop packets based on TCP/IP header
information, most often:
– IP source and destination addresses
– Protocol (ICMP, TCP, or UDP)
– TCP/UDP source and destination ports
– TCP Flags, especially SYN and ACK
– ICMP message type
Dual-homed hosts also make decisions based on:
– Network interface the packet arrived on.
– Network interface the packet will depart on.
Stateful Firewalls
Allow only requested TCP connections:
[Figure: stateful firewall between the trusted internal network (Client, 128.34.78.55) and a Server (76.120.54.101). The handshake SYN (Seq = x, port 80), SYN-ACK (Seq = y, Ack = x + 1), ACK (Seq = x + 1, Ack = y + 1) is allowed; a SYN-ACK (Seq = y, port 80) from an Attacker that matches no table entry is blocked.]
– Rule: Allow outbound TCP sessions, destination port=80
– Firewall state table: Established TCP session (128.34.78.55, 76.120.54.101)
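The following simulation is an added example, not code from the slides: it replays the slide's handshake plus an unsolicited SYN-ACK through a stateless rule set and through a stateful one with a connection table, so the difference in the two verdicts is visible. The client and server addresses are the ones in the slide's state table; the attacker address, the port numbers and the rule wording are constructed for this example (the stateless inbound rule is widened to any ACK-bearing segment from port 80 so the session could carry data).

```python
from collections import namedtuple

# Packet as seen by the gateway: direction is "out" (internal -> Internet) or "in".
Packet = namedtuple("Packet", "direction src dst sport dport flags")

CLIENT = "128.34.78.55"       # addresses from the slide's state table
SERVER = "76.120.54.101"
ATTACKER = "203.0.113.9"      # constructed (documentation address range)

def stateless_filter(pkt):
    """Each packet is judged alone, with no memory of earlier packets."""
    if pkt.direction == "out" and pkt.dport == 80:
        return "accept"
    if pkt.direction == "in" and pkt.sport == 80 and "ACK" in pkt.flags:
        return "accept"       # anything that looks like a reply from a web server
    return "drop"

class StatefulFirewall:
    """Inbound traffic is accepted only for sessions the inside initiated."""
    def __init__(self):
        # (internal ip, internal port, external ip, external port) -> TCP state
        self.table = {}

    def filter(self, pkt):
        if pkt.direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key in self.table:
                if self.table[key] == "SYN_RECEIVED" and "ACK" in pkt.flags:
                    self.table[key] = "ESTABLISHED"
                return "accept"
            if pkt.flags == {"SYN"} and pkt.dport == 80:
                self.table[key] = "SYN_SENT"    # new outbound request recorded
                return "accept"
            return "drop"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # inbound: same key orientation
        state = self.table.get(key)
        if state is None:
            return "drop"     # unsolicited, even though it looks like a reply
        if state == "SYN_SENT" and pkt.flags == {"SYN", "ACK"}:
            self.table[key] = "SYN_RECEIVED"
        return "accept"

# Constructed traffic: the slide's handshake, then a SYN-ACK nobody asked for.
HANDSHAKE = [
    Packet("out", CLIENT, SERVER, 40001, 80, frozenset({"SYN"})),
    Packet("in", SERVER, CLIENT, 80, 40001, frozenset({"SYN", "ACK"})),
    Packet("out", CLIENT, SERVER, 40001, 80, frozenset({"ACK"})),
]
UNSOLICITED = Packet("in", ATTACKER, CLIENT, 80, 40002, frozenset({"SYN", "ACK"}))

def compare(packets=HANDSHAKE + [UNSOLICITED]):
    """Run both filters over the same packets and return their verdicts."""
    fw = StatefulFirewall()
    return {
        "stateless": [stateless_filter(p) for p in packets],
        "stateful": [fw.filter(p) for p in packets],
        "state_table": fw.table,
    }

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, verdicts)
```

The last verdict in each list is the one that matters: the stateless filter passes the attacker's SYN-ACK because it matches the "reply from port 80" rule, while the stateful filter drops it because no outbound SYN to that address and port was ever recorded.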
Firewall Deployment
Gateway Router
– Filtering at interface between networks allows
control via a choke point.
– Can filter spoofed IP addresses.
Host
– Filter packets on each individual computer.
– How to manage thousands of packet filters?
Ingress/Egress Filtering
Block spoofed IP addresses
Ingress Filtering
Drop packets arriving on external interface
whose source IP addresses claims to be from
internal network.
Egress Filtering
Drop packets arriving on internal interface
whose source IP address is not from internal
network.
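An added example, not from the slides, of the two anti-spoofing rules as a gateway would apply them: the verdict depends only on which interface a packet arrived on and whether its source address belongs to the internal prefix. The internal prefix and the sample packets are constructed.

```python
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.20.0.0/16")   # constructed internal prefix

def antispoof_verdict(interface, src_ip):
    """Return ('drop', reason) or ('pass', None) for a packet arriving on interface."""
    src = ipaddress.ip_address(src_ip)
    claims_internal = src in INTERNAL_NET
    if interface == "external" and claims_internal:
        # Ingress filtering: outside packet pretending to come from inside.
        return ("drop", "ingress: external packet with internal source address")
    if interface == "internal" and not claims_internal:
        # Egress filtering: inside host sending with a source it does not own.
        return ("drop", "egress: internal packet with non-internal source address")
    return ("pass", None)

# Constructed sample: (arrival interface, claimed source address)
SAMPLE = [
    ("external", "198.51.100.7"),   # ordinary inbound packet
    ("external", "10.20.5.9"),      # spoofed: internal address from outside
    ("internal", "10.20.5.9"),      # ordinary outbound packet
    ("internal", "198.51.100.7"),   # spoofed: foreign address from inside
]

def audit(packets=SAMPLE):
    """Apply the rules to each packet; returns (interface, src, verdict, reason)."""
    return [(iface, src, *antispoof_verdict(iface, src)) for iface, src in packets]

if __name__ == "__main__":
    for row in audit():
        print(row)
```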
Packet Filtering Summary
Advantages:
– One packet filter can protect an entire network
– Efficient (requires little CPU)
– Supported by most routers
Disadvantages:
– Difficult to configure correctly
• Must consider rule set in its entirety
– Difficult to test completely
– Performance penalty for complex rulesets
• Stateful packet filtering much more expensive
– Enforces ACLs at layer 3 + 4, without knowing any application details
Proxy Servers
Proxy host relays Transport/App connections
– Client makes connection to proxy.
– Proxy forwards connection to server.
Proxy can provide multiple security features:
– Access Control
– Authentication
– Logging
– Anonymity
Example: SOCKS v5
Socks Server
Socks Client Library
– Clients must be linked against library.
– Library offers replacements for UNIX network
socket system calls.
User Authentication Protocols
– Cleartext username/password.
– GSS-API authentication.
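To make the proxy's access-control role concrete, here is an added example (not code from the slides or from any SOCKS implementation) that parses the SOCKS5 method-selection and CONNECT messages defined in RFC 1928 and applies a policy before the proxy would relay anything. The policy (web ports only, never back into the internal prefix), the address ranges and all sample bytes are constructed for this example.

```python
import ipaddress
import struct

NO_AUTH, GSSAPI, USER_PASS, NO_ACCEPTABLE = 0x00, 0x01, 0x02, 0xFF
CMD_CONNECT, CMD_BIND, CMD_UDP = 0x01, 0x02, 0x03
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_OK, REP_NOT_ALLOWED, REP_CMD_UNSUPPORTED = 0x00, 0x02, 0x07

# Constructed policy: relay only CONNECT to web ports, never into the inside.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
ALLOWED_PORTS = {80, 443}

def select_method(greeting):
    """Greeting is VER NMETHODS METHODS...; returns (chosen method, reply bytes).
    Stronger methods are preferred; username/password travels in cleartext."""
    if len(greeting) < 2 or greeting[0] != 0x05:
        raise ValueError("not a SOCKS5 greeting")
    methods = greeting[2:2 + greeting[1]]
    if len(methods) != greeting[1]:
        raise ValueError("truncated greeting")
    for m in (GSSAPI, USER_PASS, NO_AUTH):
        if m in methods:
            return m, bytes([0x05, m])
    return NO_ACCEPTABLE, bytes([0x05, NO_ACCEPTABLE])

def parse_request(data):
    """Request is VER CMD RSV ATYP DST.ADDR DST.PORT (RFC 1928, section 4)."""
    if len(data) < 4 or data[0] != 0x05 or data[2] != 0x00:
        raise ValueError("malformed SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr_end = 8
    elif atyp == ATYP_IPV6:
        addr_end = 20
    elif atyp == ATYP_DOMAIN:
        if len(data) < 5:
            raise ValueError("truncated request")
        addr_end = 5 + data[4]          # one length byte, then the name
    else:
        raise ValueError("unsupported address type")
    if len(data) < addr_end + 2:        # address plus 2-byte port must be present
        raise ValueError("truncated request")
    if atyp == ATYP_DOMAIN:
        host = data[5:addr_end].decode("ascii")
    else:
        host = str(ipaddress.ip_address(data[4:addr_end]))   # packed 4 or 16 bytes
    (port,) = struct.unpack("!H", data[addr_end:addr_end + 2])
    return {"cmd": cmd, "atyp": atyp, "host": host, "port": port}

def decide(req):
    """Access control before relaying; returns the REP code for the reply.
    Domain names are resolved later, so a real proxy re-checks after resolution."""
    if req["cmd"] != CMD_CONNECT:
        return REP_CMD_UNSUPPORTED
    if req["port"] not in ALLOWED_PORTS:
        return REP_NOT_ALLOWED
    if req["atyp"] != ATYP_DOMAIN and ipaddress.ip_address(req["host"]) in INTERNAL:
        return REP_NOT_ALLOWED
    return REP_OK

def build_reply(rep):
    """VER REP RSV ATYP BND.ADDR BND.PORT; bound address left as 0.0.0.0:0 here."""
    return bytes([0x05, rep, 0x00, ATYP_IPV4]) + bytes(4) + bytes(2)

if __name__ == "__main__":
    # Constructed client messages: offers no-auth and username/password,
    # then asks to CONNECT to example.com port 80.
    print(select_method(b"\x05\x02\x00\x02"))
    req = parse_request(b"\x05\x01\x00\x03\x0bexample.com\x00\x50")
    print(req, build_reply(decide(req)).hex())
```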
Application Layer Firewalls
Application layer rules
– HTTP: URLs, headers, etc.
– SMTP: spam statistics
More complex
– Only 2^16 ports, but
– An infinite number of URLs.
Single Firewall
Simplest type of firewall—one host acts as a
gateway between internal and external networks.
DMZ Firewall Architecture
Firewall Limitations
Cannot protect from internal attacks
– May be able to limit access with internal
firewalls to a segment of your network.
Cannot protect you from user error
– Users will still run trojan horses that make it
past your AV scanner.
Firewall mechanism may not precisely
enforce your security policy.
Tunneling
Tunneling: Encapsulation of one network protocol
in another protocol
– Carrier Protocol: protocol used by network through
which the information is travelling
– Encapsulating Protocol: protocol (GRE, IPsec, L2TP)
that is wrapped around original data
– Passenger Protocol: protocol that carries original data
Can be used to encrypt connections or provide other
security features not available to the passenger protocol.
Tunneling vs. Eavesdropping
Tunnel over ssh or SSL to offer encryption of packets.
[Figure: Client and Server exchange TCP/IP traffic across the untrusted Internet inside an encapsulating protocol that does end-to-end encryption and decryption; the payloads are encrypted while crossing the untrusted segment.]
IPSec
IPSec defines a set of protocols to provide confidentiality and authenticity for IP packets
Each protocol can operate in one of two modes, transport mode or tunnel mode.
– In transport mode, additional IPsec header information is inserted before the data of the original packet, and only the payload of the packet is encrypted or authenticated.
– In tunnel mode, a new packet is constructed with IPsec header information, and the entire original packet, including its header, is encapsulated as the payload of the new packet.
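The following is a toy model added here to illustrate the two modes; it is not code from the slides, not real IPsec, and not compatible with ESP. It shows what stays readable on the carrier network in each mode (the original hosts' addresses in transport mode, only the gateways' addresses in tunnel mode) and that a modified ciphertext is rejected by the integrity check. The keystream cipher is a throwaway for illustration only; the key, gateway addresses and host packet are constructed.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"                 # constructed; a real SA key comes from IKE
GW_A, GW_B = "192.0.2.1", "198.51.100.1"      # constructed gateway addresses
HOST_PKT = {"src": "10.1.0.5", "dst": "10.2.0.7", "payload": "GET /index.html HTTP/1.1"}

def _keystream_xor(data, nonce):
    # Toy confidentiality: XOR with SHA-256 counter blocks. Not a real cipher.
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(KEY + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def protect(plaintext, nonce):
    """Stand-in for the ESP header plus protected data: encrypt, then MAC."""
    ct = _keystream_xor(plaintext, nonce)
    tag = hmac.new(KEY, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}

def unprotect(blob):
    """Verify the tag before decrypting; reject anything modified in transit."""
    nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(KEY, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return _keystream_xor(ct, nonce)

def transport_mode(pkt, nonce):
    # Original IP header kept in the clear; only the payload is protected.
    return {"src": pkt["src"], "dst": pkt["dst"], "esp": protect(pkt["payload"].encode(), nonce)}

def tunnel_mode(pkt, nonce):
    # Gateways build a new outer packet; the whole original packet is the protected payload.
    return {"src": GW_A, "dst": GW_B, "esp": protect(json.dumps(pkt).encode(), nonce)}

def on_the_wire(wire):
    """The fields a passive observer on the carrier network can read."""
    return {"src": wire["src"], "dst": wire["dst"]}

def receive_transport(wire):
    return {"src": wire["src"], "dst": wire["dst"], "payload": unprotect(wire["esp"]).decode()}

def receive_tunnel(wire):
    return json.loads(unprotect(wire["esp"]).decode())

def tamper_detected(wire):
    """Flip one hex digit of the ciphertext and confirm the receiver rejects it."""
    ct = wire["esp"]["ct"]
    forged = dict(wire["esp"], ct=("1" if ct[0] == "0" else "0") + ct[1:])
    try:
        unprotect(forged)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    print("transport, visible on wire:", on_the_wire(transport_mode(HOST_PKT, b"n1")))
    print("tunnel, visible on wire:   ", on_the_wire(tunnel_mode(HOST_PKT, b"n2")))
```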
Virtual Private Network (VPN)
Two or more computers or networks connected by a private tunnel through a public network (typically the Internet).
Requirements:
– Confidentiality: encryption
– Integrity: MACs, sequencing, timestamps
Firewall Interactions
– Tunnels can bypass firewall
– Firewall is convenient place to add VPN features
Types of VPNs
Remote access VPNs allow authorized clients to access a private network that is referred to as an intranet.
– For example, an organization may wish to allow employees access to the company network remotely but make it appear as though they are local to their system and even the Internet itself.
– To accomplish this, the organization sets up a VPN endpoint, known as a network access server, or NAS. Clients typically install VPN client software on their machines, which handle negotiating a connection to the NAS and facilitating communication.
Site-to-site VPN solutions are designed to provide a secure bridge between two or more physically distant networks.
– Before VPN, organizations wishing to safely bridge their private networks purchased expensive leased lines to directly connect their intranets with cabling.
Models of Intrusion Detection
1. Anomaly detection
– What is usual, is known.
– What is unusual, is bad.
– Statistical IDS.
– Need to update profile so that it matches current usual activities on systems.
2. Misuse detection
– What is bad is known.
– Look for what is bad, hope it doesn’t change.
– Rule based IDS.
– Need to regularly update db of intrusion signatures.
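An added example, not from the slides, that runs both models over the same constructed web-server log: a misuse detector matching a small set of signatures, and an anomaly detector that builds a per-source request-rate profile from a baseline window and flags sources whose count is far outside it. The log format, the signatures and the z-score threshold are all illustrative choices made for this example.

```python
import re
import statistics
from collections import Counter

# Constructed baseline window: ordinary browsing, 2 to 4 requests per source.
BASELINE = """\
10.0.0.1 GET /index.html 200
10.0.0.1 GET /about.html 200
10.0.0.1 GET /news.html 200
10.0.0.2 GET /index.html 200
10.0.0.2 GET /news.html 200
10.0.0.2 GET /contact.html 200
10.0.0.2 GET /about.html 200
10.0.0.3 GET /index.html 200
10.0.0.3 GET /news.html 200
10.0.0.4 GET /index.html 200
10.0.0.4 GET /about.html 200
10.0.0.4 GET /contact.html 200
10.0.0.5 GET /index.html 200
10.0.0.5 GET /news.html 200
10.0.0.5 GET /about.html 200
""".splitlines()

# Constructed observation window: normal traffic, one request for a sensitive
# path via directory traversal, and one source hammering 40 non-existent pages.
OBSERVED = [
    "10.0.0.2 GET /index.html 200",
    "10.0.0.2 GET /news.html 200",
    "10.0.0.2 GET /about.html 200",
    "10.0.0.2 GET /contact.html 200",
    "10.0.0.9 GET /../../etc/passwd 404",
] + [f"198.51.100.7 GET /page{i}.html 404" for i in range(40)]

# Misuse model: what is bad is known and written down as signatures.
SIGNATURES = [
    ("path-traversal", re.compile(r"\.\./")),
    ("sensitive-file", re.compile(r"/etc/passwd")),
]

def parse(line):
    src, method, path, status = line.split()
    return {"src": src, "method": method, "path": path, "status": int(status)}

def misuse_detect(lines):
    """Return (source, signature name) for every line matching a signature."""
    hits = []
    for line in lines:
        rec = parse(line)
        for name, rx in SIGNATURES:
            if rx.search(rec["path"]):
                hits.append((rec["src"], name))
    return hits

# Anomaly model: what is usual is learned from the baseline window.
def build_profile(lines):
    counts = list(Counter(parse(l)["src"] for l in lines).values())
    return {"mean": statistics.mean(counts), "stdev": statistics.pstdev(counts)}

def anomaly_detect(lines, profile, z_threshold=3.0):
    """Return (source, count, z-score) for sources far above the profile."""
    flagged = []
    for src, n in Counter(parse(l)["src"] for l in lines).items():
        if profile["stdev"] == 0:
            z = float("inf") if n > profile["mean"] else 0.0
        else:
            z = (n - profile["mean"]) / profile["stdev"]
        if z > z_threshold:
            flagged.append((src, n, round(z, 1)))
    return flagged

if __name__ == "__main__":
    print("misuse:", misuse_detect(OBSERVED))
    print("anomaly:", anomaly_detect(OBSERVED, build_profile(BASELINE)))
```

Each model catches what the other misses here: the single traversal request is a signature hit but, as one request, not a rate anomaly; the scanner's 40 requests for ordinary-looking pages match no signature but stand far outside the learned profile. The profile must be rebuilt as normal usage changes, and the signature list as known-bad patterns change, which is the maintenance cost the slide names for each model.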
Possible Alarm Outcomes
                       Intrusion Attack     No Intrusion Attack
Alarm Sounded          True Positive        False Positive
No Alarm Sounded       False Negative       True Negative
Base-Rate Fallacy
• Difficult to create IDS with high true-positive rate and a low false-negative rate.
• If the number of actual intrusions is relatively small compared to the amount of data being analyzed, then the effectiveness of an intrusion detection system can be reduced.
• In particular, the effectiveness of some IDSs can be misinterpreted due to a statistical error known as the base-rate fallacy.
• This type of error occurs when the probability of some conditional event is assessed without considering the “base rate” of that event.
Base-Rate Fallacy Example
Example case
– IDS 99% accurate, 1% false positives or negatives
– IDS generates 1,000,100 log entries.
– Base rate is 100 malicious events of 1,000,100 examined.
Results
– Of 100 malicious events, 99 will be detected as malicious, which means we have 1 false negative.
– Of 1,000,000 benign events, 10,000 will be mistakenly identified as malicious. That is, we have 10,000 false positives!
– Thus, 10,099 alarms sounded, 10,000 of which are false alarms. Roughly 99% of our alarms are false alarms.
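The arithmetic from this slide, as an added example (not from the slides) generalised to any event count, base rate and error rate, so the same calculation can be rerun with a different error rate to see how much it must fall before most alarms are real. The slide's numbers are used as the default case; the extra error rates tried are constructed.

```python
def alarm_breakdown(total_events, malicious_events, error_rate):
    """Confusion-matrix counts for an IDS that errs with the same probability on
    malicious events (missed -> false negative) and on benign events
    (flagged -> false positive). Counts are rounded to whole events."""
    benign_events = total_events - malicious_events
    false_negatives = round(malicious_events * error_rate)
    true_positives = malicious_events - false_negatives
    false_positives = round(benign_events * error_rate)
    true_negatives = benign_events - false_positives
    alarms = true_positives + false_positives
    return {
        "true_positives": true_positives,
        "false_negatives": false_negatives,
        "false_positives": false_positives,
        "true_negatives": true_negatives,
        "alarms": alarms,
        # P(intrusion | alarm): the quantity the base-rate fallacy overlooks
        "precision": true_positives / alarms if alarms else 0.0,
        "false_alarm_fraction": false_positives / alarms if alarms else 0.0,
    }

# The slide's case: 1,000,100 events, 100 of them malicious, 1% error rate.
SLIDE_CASE = alarm_breakdown(1_000_100, 100, 0.01)

def precision_by_error_rate(total_events, malicious_events, error_rates):
    """Precision for each error rate, holding the base rate fixed."""
    return {r: round(alarm_breakdown(total_events, malicious_events, r)["precision"], 4)
            for r in error_rates}

if __name__ == "__main__":
    print(SLIDE_CASE)
    print(precision_by_error_rate(1_000_100, 100, (0.01, 0.001, 0.0001)))
```

With the slide's base rate, even a 0.1% error rate leaves roughly nine false alarms for every real one; the error rate has to fall to 0.01% before half the alarms are genuine.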
IDS Components
[Figure: the untrusted Internet, a Firewall, and the routers of the internal network; IDS Sensors sit on network segments and report to an IDS Manager.]
IDS Architecture
An IDS is essentially a sophisticated audit system
– Sensors gather data for analysis from hosts or the network.
– Manager analyzes data obtained from sensors according
to its internal rules.
– Notifier acts on manager results.
• May simply notify security officer.
• May reconfigure sensors or manager to alter
collection, analysis methods.
• May activate response mechanism.
Sguil NSM Console
Intrusion Prevention Systems
What else can you do with IDS alerts?
– Identify attack before it completes.
– Prevent it from completing.
How to prevent attacks?
– Directly: IPS drops packets, kills TCP sessions.
– Indirectly: IPS modifies firewall rules.
Is IPS a good idea?
– How do you deal with false positives?
IPS Deployment Types
[Figure: Inline deployment, with the IPS on the path between the Internet and the Intranet; Non-inline deployment, with the IPS off the path, watching the Intranet's traffic.]
Active Responses by Network Layer
Data Link: Shut down a switch port. Only useful
for local intrusions. Rate limit switch ports.
Network: Block a particular IP address.
– Inline: can perform blocking itself.
– Non-inline: send request to firewall.
Transport: Send TCP RST or ICMP messages to
sender and target to tear down TCP sessions.
Application: Inline IPS can modify application data
to be harmless: /bin/sh -> /ben/sh
Great Firewall = Firewall + IPS
Honeypots and Honeynets
Honeypot: a system designed solely for intruders to
attack in order to accomplish one or more of the
following goals. Also known as a honeynet.
1. Detect intrusions with very few false positives, since
legitimate users have no reason to access honeypot.
2. Monitor attacker activities to determine targeted
assets, origin, motivation, capabilities, etc.
3. Waste intruder time attacking honeypot, so that
defender has time to respond to incident.
Low Interaction Honeypots
honeyd: responds to probes on a set of unused IP addresses via shell scripts that can return banners for simple scans like nmap -sV.
nepenthes: emulates vulnerable Windows services to collect exploits and malware.
Dionaea: scriptable honeypot designed to be able to emulate wide variety of vulnerable services to collect exploits and malware.
Fakenet: simulates DNS, HTTP, HTTPS to dynamically analyze malware. Returns reasonable responses to malware requests.
Medium Interaction Honeypots
Kippo is a medium interaction ssh honeypot
designed to log brute force attacks and attacker shell
commands. Inspired by Kojoney, a LI ssh honeypot.
– Fake filesystem with the ability to add/remove files.
– Possibility of adding fake file contents so the attacker
can 'cat' files such as /etc/passwd. Only minimal file
contents are included.
– Saves files downloaded with wget for later inspection
– Deception: ssh pretends to connect, apt-get pretends to
install, etc.
High Interaction Honeypots
Honeywall sets up tools for HI honeypots.
– Environment simulation: virtual machines configured
with appropriate tools for the next three tasks.
– Data control: firewalling tools to limit attacker
activities to avoid damaging other systems.
– Data collection: network (snort) and keystroke loggers
(Sebek kernel module).
– Data analysis: tools to extract relevant data from
tcpdump logs and more.
Client Honeypots
Honeymonkey
– Microsoft Research project.
– Network of VMs running IE crawling the web
in search of malicious sites that attempt to
exploit browsers and distribute malware.
– Multiple versions of Windows and IE used.
Thug
– Low interaction client honeypot.
– Emulates multiple browsers and OSes.
Honeytokens
A honeytoken is data that is designed solely for attackers to abuse. Any access to the data is an indication of unauthorized use.
– Attempts to download honeytoken files or database records can be identified by NIDS.
– Medical record systems will sometimes create fake records for celebrities and politicians.
– Mailing lists may contain email addresses published nowhere else that point to accounts that accept mail and record sender information.
– Maps contain fake streets, towns, or islands to identify when competitors copy the map.
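An added example, not from the slides, of the mailing-list style of honeytoken: each planted copy of a data set gets its own canary address that is published nowhere else, and a registry maps the address back to the copy it was planted in, so any later appearance of the address both signals unauthorized use and identifies which copy leaked. The secret, the domain, the placement names and the inbound message are constructed.

```python
import hashlib
import hmac
import re

SECRET = b"constructed-honeytoken-secret"   # constructed; never stored with the data sets
DOMAIN = "example.com"                      # constructed; a domain whose mail the defender receives

def mint_token(placement):
    """A canary address tied to one placement; the HMAC keeps it unguessable."""
    tag = hmac.new(SECRET, placement.encode(), hashlib.sha256).hexdigest()[:10]
    return f"canary-{tag}@{DOMAIN}"

def plant(placements):
    """Registry of token -> where it was planted (one token per copy of the data)."""
    return {mint_token(p): p for p in placements}

TOKEN_RX = re.compile(r"canary-[0-9a-f]{10}@" + re.escape(DOMAIN))

def find_leaks(registry, observed_text):
    """Any use of a registered token is unauthorized by construction; return the
    placements it exposes. Look-alike addresses not in the registry are ignored."""
    seen = set(TOKEN_RX.findall(observed_text))
    return sorted(registry[t] for t in seen if t in registry)

def demo():
    # Three copies of a contact list go to three places, each with its own canary.
    registry = plant(["crm-export-2024", "mailing-list-partner-a", "backup-tape-7"])
    # Constructed inbound mail addressed to the canary planted with partner A.
    inbound_mail = (
        "From: sender@bulk.invalid\n"
        f"To: {mint_token('mailing-list-partner-a')}\n"
        "Subject: constructed spam sample\n"
    )
    return find_leaks(registry, inbound_mail)

if __name__ == "__main__":
    print("leaked copies:", demo())
```

The same registry idea applies to the other honeytokens on the slide: a decoy record or file whose identifier is recorded at planting time can be matched in database or NIDS logs the same way, and because no legitimate user has a reason to touch it, the match needs no further tuning to be actionable.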
Key Points
1. Firewalls
– Packet filtering (stateless)
– Stateful firewalls
– Proxy servers
– Application layer firewalls
2. Firewall Architectures
– Positioning on network
– DMZ architectures
3. Virtual Private Networks
– Tunneling Protocols: carrier, encapsulating, passenger
– Virtual Private Networks
Key Points (2)
4. Models of IDS:
– Anomaly detection: unexpected events (statistical IDS).
– Misuse detection: violations of policy (rule-based IDS).
5. IPS
– Stop intrusions, but what about false positives?
– Inline vs. non-inline: how do prevention techniques differ?
6. Honeypots deceive attackers
1. Identify intrusions with low false positive rates.
2. Learn more about intrusions, esp. with HI honeypots.
3. Interaction levels: low, medium, high
4. Honeyclients and honeytokens