Chapter_Five[1].ppt
- 2. Firewall
A firewall is hardware, software, or a combination of both, used to prevent
unauthorized programs or Internet users from accessing a private network
and/or a single computer.
- 3. Hardware vs. Software Firewalls
Hardware Firewalls
Protect an entire network
Implemented at the router (network perimeter) level, so one device covers every host behind it
Software Firewalls
Protect a single computer; run on the host itself (host-based)
- 4. How does a software firewall work?
Inspects each individual “packet” of data as it arrives
at either side of the firewall
Determines whether it should be allowed to pass
through or if it should be blocked
- 5. Firewall Rules
Allow – traffic that passes automatically because it has been deemed safe
Block – traffic that is dropped because it has been deemed dangerous to your computer
Ask – the user is prompted whether or not the traffic is allowed to pass through
- 6. What Can a Firewall Do?
What it can do:
Provides a single focus (choke point) for security decisions
Stops attackers from reaching services on your computer that should not be exposed
Enforces security policy
Protects your personal information
Limits your exposure
Blocks "pop up" ads and certain cookies (a feature of some products, not of packet filtering as such)
Logs Internet activity efficiently
Determines which programs can access the Internet
What it cannot do:
Can't protect you against malicious insiders
Can't protect you against connections that don't go through it (a modem, a second uplink, a wireless bridge)
Can't protect against completely new threats, or against attacks carried inside traffic it has been told to allow
- 7. Firewall features
General Firewall Features
Port Control
Network Address Translation
Application Monitoring
Packet Filtering
Access control
Additional features
Data encryption (VPN termination)
Authentication
Connection relay (hides the internal network)
Reporting/logging
E-mail virus protection
Spyware protection
- 8. What It Protects You From
Remote login (by blocking Telnet/SSH/RDP ports from the outside)
SMTP session hijacking
Operating system bugs (by keeping vulnerable services unreachable from the outside)
Spam (only where an e-mail proxy or filter is part of the firewall)
IP spoofing (ingress/egress filtering)
Denial of Service
E-mail bombs
Source routing (by dropping source-routed packets)
- 9. Security Strategies Implemented
Default Deny
Prohibit all communication that is not expressly permitted (the safer choice: an unknown or new service stays unreachable until someone deliberately opens it)
Default Permit
Permit all communication that is not explicitly prohibited (every new service is exposed until someone thinks to block it)
Least Privilege
Every user, process and component runs with the lowest authorization level at which its job can still be done
Defense in Depth
Layered security: several independent controls, so that the failure of one of them (for example the firewall) does not expose the network; each system on the network is also secured on its own
Choke Point
Forces all traffic between the protected network and the outside through one narrow, monitored channel, so an attacker cannot reach the network except through that channel
- 10. Example: Firewall Configuration
The rule under test permits TCP from the 172.16.1.0 network (any high source port) to the web server 44.136.8.2 on port 80 via eth0; "ipchains -C" asks the kernel what the chain would do with a given packet without actually sending it. Only the first test packet matches; each of the other three differs from it in exactly one field:
# ipchains -C forward -p tcp -s 172.16.1.0 1025 -d 44.136.8.2 80 -i eth0
accepted
# ipchains -C forward -p tcp -s 172.16.2.0 1025 -d 44.136.8.2 80 -i eth0
denied      (wrong source network)
# ipchains -C forward -p udp -s 172.16.1.0 1025 -d 44.136.8.2 80 -i eth0
denied      (wrong protocol)
# ipchains -C forward -p tcp -s 172.16.1.0 1025 -d 44.136.8.2 23 -i eth0
denied      (wrong destination port)
(ipchains is the Linux 2.2 packet filter; its successors iptables and nftables apply the same checks with different syntax.)
- 11. Firewall Filtering Rule
Egress Filtering
Restricting the flow of information from a private TCP/IP network to the Internet
Rule: outbound traffic with an external source address is dropped. Our own hosts have no business sending packets that carry someone else's address, so this keeps the site from being used as a source of spoofed traffic.
Ingress Filtering
In contrast to egress filtering, it ensures that incoming packets are actually from the networks from which they claim to originate (the practice recommended in BCP 38 / RFC 2827).
Rule: inbound traffic with an internal source address is dropped. A packet arriving on the external interface can never legitimately carry one of our own addresses.
Rule table (reconstructed from the slide; rules are checked in order and the first match wins; "Int" = an address in the internal range, "Ext" = any other address):

Rule     Dir  Src Addr  Src Port  Dst Addr  Dst Port  Proto  Ack Set?  Action
Ingress  In   Int       Any       Int       Any       Any    Any       Deny
Egress   Out  Ext       Any       Ext       Any       Any    Any       Deny
Default  Any  Any       Any       Any       Any       Any    Any       Deny

The slide shows only the deny rows. Permit rows for the services you actually offer go above the Default row, which implements default deny: anything not explicitly allowed by an earlier row is dropped. The "Ack Set?" column is how a stateless filter tells a reply packet (ACK set) from a new connection attempt (bare SYN).
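The ipchains checks on slide 10 and the rule table on slide 11 describe the same thing: a stateless filter that walks an ordered rule list and drops whatever nothing matched. The following Python is an added example written for this page, not code from the slides or from any firewall product. It assumes a constructed address plan (172.16.0.0/16 is "internal"), adds the allow rule the ipchains example implies, and keys the ingress/egress rows on source address only, which is the usual BCP 38 form; "check" plays the role of "ipchains -C".

```python
"""Stateless packet filter with a first-match rule table and default deny.

Added example, not code from the original slides. The address plan, the rule
names and the sample packets are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed assumption: everything in 172.16.0.0/16 is "internal" (Int),
# anything else is "external" (Ext).
INTERNAL = ip_network("172.16.0.0/16")


@dataclass(frozen=True)
class Packet:
    direction: str        # "in" = arriving on the external interface, "out" = leaving
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    ack: bool = False     # TCP ACK flag; False on the SYN that opens a connection


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    direction: Optional[str] = None  # None means Any, as in the slide's table
    src: Optional[str] = None        # "int", "ext", a CIDR/host, or None
    dst: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    ack: Optional[bool] = None

    @staticmethod
    def _addr_ok(want: Optional[str], addr: str) -> bool:
        if want is None:
            return True
        a = ip_address(addr)
        if want == "int":
            return a in INTERNAL
        if want == "ext":
            return a not in INTERNAL
        return a in ip_network(want)

    def matches(self, p: Packet) -> bool:
        return (
            (self.direction is None or self.direction == p.direction)
            and self._addr_ok(self.src, p.src)
            and self._addr_ok(self.dst, p.dst)
            and (self.proto is None or self.proto == p.proto)
            and (self.sport is None or self.sport == p.sport)
            and (self.dport is None or self.dport == p.dport)
            and (self.ack is None or self.ack == p.ack)
        )


def evaluate(rules, p: Packet):
    """First matching rule wins; an unmatched packet falls to the default-deny rule."""
    for r in rules:
        if r.matches(p):
            return r.action, r.name
    return "deny", "default"


# Rule table: the anti-spoofing rows from the slide (keyed on source address)
# plus the web rule the ipchains example implies.
RULES = [
    Rule("ingress", "deny", direction="in", src="int"),    # inbound, claims our address
    Rule("egress", "deny", direction="out", src="ext"),    # outbound, claims someone else's
    Rule("web-out", "allow", direction="out", src="172.16.1.0/24",
         dst="44.136.8.2", proto="tcp", dport=80),
    # Replies: a stateless filter admits established flows by requiring the ACK
    # bit, so a bare SYN coming from the server side still hits default deny.
    Rule("web-reply", "allow", direction="in", src="44.136.8.2",
         dst="172.16.1.0/24", proto="tcp", sport=80, ack=True),
]


def check(direction, src, dst, proto, sport, dport, ack=False):
    """The equivalent of `ipchains -C`: what would the table do with this packet?"""
    return evaluate(RULES, Packet(direction, src, dst, proto, sport, dport, ack))[0]


if __name__ == "__main__":
    for args in [("out", "172.16.1.10", "44.136.8.2", "tcp", 1025, 80),
                 ("out", "172.16.2.10", "44.136.8.2", "tcp", 1025, 80),
                 ("out", "172.16.1.10", "44.136.8.2", "udp", 1025, 80),
                 ("out", "172.16.1.10", "44.136.8.2", "tcp", 1025, 23),
                 ("in", "172.16.1.10", "172.16.1.20", "tcp", 1025, 80)]:
        print(args, "->", check(*args))
```

The first four packets reproduce the four ipchains checks (one accepted, three denied for source, protocol and port respectively); the fifth is a spoofed inbound packet caught by the ingress row. Rule order matters: putting "web-reply" above "ingress" would let a packet spoofed from 44.136.8.2 with a forged internal destination through, which is why the anti-spoofing rows sit first.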
- 12. Types of Firewalls
Packet Filtering Firewalls
Proxy Server Firewalls or Application level Gateway
Circuit Level Gateway
- 13. Types of Firewalls ….
Two primary types of firewalls are:
Packet filtering firewall
Proxy-server firewall
Sometimes both are employed to protect a network
Firewalls can be designed to operate at any of the following three layers of the TCP/IP protocol stack:
The application layer (e.g., HTTP proxy)
The network and transport layers (e.g., packet filtering)
The layer between the application layer and the transport layer (e.g., SOCKS proxy)
- 14. Packet Filtering Firewalls/Routers
A packet filtering router applies a set of rules to each incoming and outgoing IP packet and then forwards or discards the packet.
A filtering firewall works at the network (and transport) level.
The router is typically configured to filter packets going in both directions (from and to the internal network).
Filtering rules are based on information contained in a network packet:
Source IP address: the IP address of the system that originated the IP packet (e.g., 192.168.1.1)
Destination IP address: the IP address of the system the IP packet is trying to reach (e.g., 192.168.1.2)
Source and destination port: the transport-level (TCP or UDP) port number, which identifies the application, such as SNMP (UDP 161) or Telnet (TCP 23)
The protocol field and the TCP flags (e.g., whether ACK is set) are also used, because a stateless filter can only tell a reply from a new connection by looking at the flags
- 15. Packet Filtering Firewalls (continued)
Many network routers have the ability to perform some firewall services.
Filtering firewalls can be thought of as a type of router.
- 16. Application Level Gateway
Also called proxy server
Acts as a relay of application-level traffic
Proxy Services
Application that mediates traffic between a protected
network and the internet
Able to understand the application protocol being utilized
and implement protocol specific security
Protocols include: FTP, HTTP, Telnet etc
- 17. Application Level Gateway
Uses an application-specific gateway / proxy, which has full access to the protocol
The user requests a service from the proxy
The proxy validates the request as legal
It then carries out the request and returns the result to the user
A separate proxy is needed for each service
- 18. Circuit Level Gateway
Used for TCP connections: the gateway observes the handshake between the two
endpoints to ensure a requested session is legitimate, without examining the
application data that follows.
- 19. Circuit Level Gateway
Normally, it would store the following information for each session:
a unique session identifier,
the state of the connection (i.e., handshake in progress, established or closing),
sequencing information,
source and destination IP address, and
the physical network interface through which the packet arrives or departs.
The firewall then checks to see:
if the sending host has permission to send to the destination, and
if the receiving host has permission to receive from the sender.
If the connection is acceptable, all subsequent packets of that session are relayed
through the firewall with no further security tests (the content is not inspected).
- 20. Circuit Level Gateway
Doesn't permit an end-to-end TCP connection.
The gateway sets up two TCP connections:
one between itself and a TCP user on an inner host, and
one between itself and a TCP user on an outside host.
Once created, it usually relays traffic between the two without examining the contents.
SOCKS is commonly used for this.
- 22. Proxy Server
A proxy server is a computer program that acts as an intermediary between a web browser and a web server.
It gives users rapid access to popular web destinations: Internet Service Providers use proxy servers as "holding bins" to store frequently requested pages rather than going out and fetching them repeatedly from the Net (e.g., www.google.com.et).
A proxy server is also used to control and monitor outbound traffic.
- 23. Web caches (proxy server)
The user sets the browser to access the Web via the cache, so the browser sends all HTTP requests to the cache
If the object is in the cache, the cache returns the object
Otherwise the cache requests the object from the origin server, then returns it to the client
Goal: satisfy the client request without involving the origin server
(Figure: clients talk to the proxy server, which in turn talks to the origin servers)
- 24. How Proxy Servers Work
Function as software that forwards data between internal and external hosts
Focus on the port each service uses
Screen all traffic into and out of each port
Decide whether to block or allow traffic based on rules
Add latency to communications, but in return they:
Conceal clients
Translate network addresses (NAT)
Filter content
- 25. Steps Involved in a Proxy Transaction
1. Internal host makes request to
access a Web site
2. Request goes to proxy server, which
examines header and data of the
packet against rule base
3. Proxy server recreates packet in its
entirety with a different source IP
address
4. Proxy server sends packet to
destination; packet appears to come
from proxy server
5. Returned packet is sent to proxy
server, which inspects it again and
compares it against its rule base
6. Proxy server rebuilds returned
packet and sends it to originating
computer; packet appears to come
from external host
- 26. How Proxy Servers Differ from Packet Filters
Scan the entire data part of IP packets (the application payload) and create more detailed log file listings
Rebuild the packet with new source IP information, which hides internal users from outside users
Cache data
- 27. Goals of Proxy Servers
Conceal internal clients
Block URLs
Block and filter content
Protect e-mail (via an SMTP proxy)
Improve performance
Ensure security
Provide user authentication
Redirect URLs
- 28. Concealing Internal Clients
Network appears as a single machine
If external users cannot see the hosts on your internal network, they cannot address an attack directly at those hosts
Proxy server receives requests as though it were the destination server, then completely regenerates a new request, which is sent to its destination
- 29. Concealing Internal Clients (continued)
A proxy server makes all communication appear to come from a single gateway
Demilitarized zone
• A DMZ is part of a network on which you place servers that must be accessible by sources both outside and inside your network.
• However, the DMZ is not connected directly to either network, and it must always be accessed through the firewall.
• By using a DMZ, you create an additional step that makes it more difficult for an intruder to gain access to the internal network.
- 30. Blocking URLs
An attempt to keep employees from visiting unsuitable Web sites
An unreliable practice on its own: users can use the IP address that corresponds to the URL, so the filter must also recognise (or refuse) requests addressed by IP
(Figure: NetProxy lets you block URLs based on domain name)
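To make the bypass on this slide concrete, here is an added example written for this page (not code from NetProxy or any other proxy product). It parses the request lines a forward proxy actually sees, applies the name-only blocklist the slide describes, and then a hardened policy that also blocks by address and refuses bare IP literals. The blocklist, the 203.0.113.7 address (from the documentation range) and the request lines are all constructed.

```python
"""URL blocking at an HTTP proxy, and why a name-only blocklist is unreliable.

Added example, not part of the original slides or of any proxy product.
The blocklist, the addresses and the request lines are constructed.
"""
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed policy: names to block and the address the blocked site resolves to.
# A real proxy would populate BLOCKED_IPS from its own resolver at decision time.
BLOCKED_NAMES = {"bad.example", "www.bad.example"}
BLOCKED_IPS = {"203.0.113.7"}


def parse_request_target(request_line: str):
    """Return (host, port) from a proxy request line.

    A forward proxy sees absolute-form targets (`GET http://host/path HTTP/1.1`)
    or `CONNECT host:443 HTTP/1.1` for TLS tunnels.
    """
    method, target, _version = request_line.strip().split(" ", 2)
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        return host.strip("[]").lower(), int(port)
    u = urlsplit(target)
    port = u.port or (443 if u.scheme == "https" else 80)
    return (u.hostname or "").lower(), port


def is_ip_literal(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def name_only_policy(request_line: str) -> str:
    """The slide's approach: compare the requested host name with a blocklist."""
    host, _ = parse_request_target(request_line)
    return "block" if host in BLOCKED_NAMES else "allow"


def hardened_policy(request_line: str, allow_ip_literals: bool = False) -> str:
    """Also block by address, and refuse bare IP literals unless policy allows
    them, so `http://203.0.113.7/` cannot stand in for `http://bad.example/`."""
    host, _ = parse_request_target(request_line)
    if host in BLOCKED_NAMES or host in BLOCKED_IPS:
        return "block"
    if is_ip_literal(host) and not allow_ip_literals:
        return "block"
    return "allow"


if __name__ == "__main__":
    for line in ("GET http://www.bad.example/ HTTP/1.1",
                 "GET http://203.0.113.7/ HTTP/1.1",
                 "CONNECT bad.example:443 HTTP/1.1"):
        print(line, "| name-only:", name_only_policy(line),
              "| hardened:", hardened_policy(line))
```

The second request line is the bypass from the slide: the name-only policy allows it, the hardened one does not. Two further points a deployment has to cover: for origin-form requests the proxy must take the host from the Host header and apply the same checks, and the name-to-address mapping must come from the proxy's own resolver, since a client can always be pointed at a different one.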
- 31. Blocking and Filtering Content
Can block and strip out Java applets or ActiveX
controls
Can delete executable files attached to
e-mail messages
Can filter out content based on rules that contain a
variety of parameters (eg, time, IP address, port
number)
- 32. E-Mail Proxy Protection
External e-mail users never interact directly with internal hosts
(Figure: E-mail protection with a proxy SMTP server)
- 33. Ensuring Security with Log Files
Log file: a text file set up to store information about access to networked resources
Log files can:
Ensure the effectiveness of the firewall
Detect intrusions
Uncover weaknesses
Provide documentation
Select only the most critical services and events to log (a log nobody has time to review is little better than none)
- 35. Creating Filter Rules
Allow certain hosts to bypass the proxy
Filter out URLs
Enable internal users to send outbound requests only
at certain times
Govern length of time a session can last
- 36. Proxy Server Configuration Considerations
Scalability issues
Add multiple proxy servers to the same network connection
Need to configure each piece of client software that
will use the proxy server
Need to have a separate proxy service available for
each network protocol (HTTP,TELNET,SMTP,…)
Need to create packet filter rules
Security vulnerabilities
Single point of failure
Buffer overflow (the proxy parses untrusted protocol data, so a flaw in it is reachable from outside)
- 37. Working with Client Configurations
Each client on the network must be configured to access the proxy server
- 38. Working with Service Configurations
Each service needs to be configured to use a proxy server
- 39. Proxy Server-Based Firewalls
Firewalls based on proxy servers:
TIS
T.REX
Squid
SOCKS
WinGate
Symantec Enterprise Firewall
Microsoft Internet Security & Acceleration Server
Choice depends on your platform and the number of
hosts and services you need to protect
- 41. Intrusion Detection
IDSs prepare for and deal with attacks by collecting information from a variety of system and network sources, then analyzing the symptoms of security problems
IDSs serve three essential security functions: monitor, detect and respond to unauthorized activity
An IDS can also respond automatically (in real time) to a security breach event, for example by logging off a user, disabling a user account or launching a script
- 42. Intrusion Detection…
Firewalls generally don't detect internal attacks, or attacks that continue once a system behind them is compromised
An ID system gathers and analyzes information from various areas within a computer or a network to identify possible security breaches
It detects both intrusions (outsiders breaking in) and misuse (insiders abusing their access)
Intrusion detection functions include
Monitoring and analyzing both user and system activities
Analyzing system configurations and vulnerabilities
Assessing system and file integrity
Ability to recognize patterns typical of attacks
Analysis of abnormal activity patterns
Tracking user policy violations
- 43. Intrusion Detection…
Uses "intrusion signatures"
Well known patterns of behavior
Ping sweeps, port scanning, web server indexing, OS fingerprinting, DoS attempts, etc.
Example
IRIX vulnerability in webdist.cgi
Can write a rule to alert on (or, in an inline deployment, drop) packets containing the line
"/cgi-bin/webdist.cgi?distloc=?;cat%20/etc/passwd"
Note that this literal string is easy to evade: a different encoding of the same request (for example %63at for "cat") no longer matches, so a practical rule matches against a decoded, normalized request
However, an IDS is only useful if contingency plans are in place to curb attacks as they are occurring
- 44. Components of Intrusion Detection System
Pipeline (from the slide's block diagram):
Audit data -> Preprocessor -> Activity data (audit records)
Activity data + Detection models -> Detection engine -> Alarms
Alarms + Decision table -> Decision engine -> Action/Report
Underlying assumptions:
system activities are observable
normal and intrusive activities have distinct evidence
- 45. Intrusion Detection Approaches
Modeling
Features: evidence extracted from audit data
Analysis approach: piecing the evidence together
Misuse detection (signature-based)
Anomaly detection (statistical-based)
Deployment: Network-based or Host-based
Network based: monitor network traffic
Host based: monitor computer processes
- 46. Signature based IDS
This IDS possesses attack descriptions (signatures) that can be matched against the sensed manifestations of an attack.
What information is relevant to such an IDS depends on what it is trying to detect, e.g. signatures for DNS traffic, FTP traffic, etc.
- 47. Signature based IDS (contd.)
ID system is programmed to interpret a certain series of
packets, or a certain piece of data contained in those
packets as an attack.
For example, an IDS that watches web servers might be
programmed to look for the string “phf” as an indicator of a CGI
program attack.
Most signature analysis systems are based on simple pattern matching algorithms.
In most cases, the IDS simply looks for a substring within a stream of data carried by network packets. When it finds this substring (for example, the "phf" in "GET /cgi-bin/phf?"), it identifies those network packets as vehicles of an attack.
- 48. Signature based IDS (contd.)
Intrusion patterns: sequences of system calls, patterns of network traffic, etc.
Activities -> pattern matching -> intrusion
E.g.: if (traffic contains "x90+de[^rn]{30}") then "attack detected"
Can't detect new attacks
Advantage: mostly accurate (few false positives when the signature is specific)
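Slides 43, 47 and 48 describe the same mechanism: substring or regular-expression matching of known attack strings against packet data. The following Python is an added example written for this page, not code from the slides or from any IDS. It uses the two CGI strings the slides quote as signatures, adds one constructed byte-pattern signature of my own for an x86 NOP sled (the slide's "x90+de[^rn]{30}" regex is not used), and shows on constructed HTTP payloads why the literal match has to be preceded by normalisation of the request.

```python
"""Signature-based detection over constructed HTTP payloads.

Added example, not from the original slides or from any IDS product. The two
CGI signatures are the strings quoted on the slides; the NOP-sled pattern and
all sample payloads are constructed for illustration.
"""
import re
from urllib.parse import unquote

# (name, pattern, kind).  "text": substring match after normalisation;
# "bytes": regular expression over the raw payload.
SIGNATURES = [
    ("phf-cgi", "/cgi-bin/phf?", "text"),
    ("webdist-cgi", "/cgi-bin/webdist.cgi?distloc=?;cat%20/etc/passwd", "text"),
    ("nop-sled", re.compile(rb"\x90{30,}"), "bytes"),   # assumed x86 NOP-sled signature
]


def normalise(data: bytes) -> str:
    """Undo the encodings an attacker can vary without changing what the target
    executes: percent-encoding (applied twice, for double-encoded requests),
    letter case, and backslash used as a path separator."""
    text = data.decode("latin-1")
    text = unquote(unquote(text))
    return text.replace("\\", "/").lower()


def naive_match(payload: bytes):
    """Literal substring search, as on the slide: the exact bytes or nothing."""
    text = payload.decode("latin-1")
    return [name for name, pat, kind in SIGNATURES
            if (kind == "text" and pat in text)
            or (kind == "bytes" and pat.search(payload))]


def match(payload: bytes):
    """Normalise both the payload and each text signature before comparing."""
    text = normalise(payload)
    return [name for name, pat, kind in SIGNATURES
            if (kind == "text" and normalise(pat.encode("latin-1")) in text)
            or (kind == "bytes" and pat.search(payload))]


# Constructed sample traffic.
PHF_ATTACK = b"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0\r\n\r\n"
WEBDIST_PLAIN = b"GET /cgi-bin/webdist.cgi?distloc=?;cat%20/etc/passwd HTTP/1.0\r\n\r\n"
# The same request with one letter percent-encoded, an upper-case path and a
# double-encoded space: the server decodes it to the identical command.
WEBDIST_EVASION = b"GET /CGI-BIN/%77ebdist.cgi?distloc=?;cat%2520/etc/passwd HTTP/1.0\r\n\r\n"
SLED = b"\x90" * 40 + b"\xcc"
BENIGN = b"GET /index.html HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for label, p in [("phf", PHF_ATTACK), ("webdist", WEBDIST_PLAIN),
                     ("webdist evasion", WEBDIST_EVASION), ("sled", SLED), ("benign", BENIGN)]:
        print(f"{label:16} naive={naive_match(p)!s:18} normalised={match(p)}")
```

The evasion payload is the point: naive_match returns nothing for it, match still reports webdist-cgi. Normalisation cuts both ways, though; decoding twice also turns a literal "%2520" in benign traffic into a space, so every normalisation step widens the set of inputs a signature matches and has to be weighed against the false alarms it can add. Whether the IDS's decoding agrees with the target server's is itself a known evasion surface.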
- 49. Drawbacks of Signature based IDS
They are unable to detect novel attacks.
They suffer from false alarms when a signature is too loose.
They have to be reprogrammed (signature updates) for every new pattern to be detected.
- 50. Anomaly based IDS
It detects both network and computer intrusions and misuse by monitoring system activity and classifying it as either normal or anomalous.
The classification is based on heuristics or rules (a model of normal behavior), rather than patterns or signatures, and attempts to detect any type of misuse that falls outside normal system operation.
Anomaly detection systems consist of a training phase (build the model of normal behavior from attack-free data) and a testing phase (score new activity against that model).
Most often uses artificial-intelligence-type (statistical or machine-learning) techniques.
The primary strength is its ability to recognize novel attacks.
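The simplest statistical version of the training/testing split described above is a per-feature baseline: learn the mean and standard deviation of each feature from normal records, then flag any record that lands too many standard deviations away. The Python below is an added example written for this page, not code from the slides or from any IDS. The three per-minute features, the ten training records and the test records are all constructed; the one assumption every anomaly detector shares, that the training data itself is attack-free, is marked in the code.

```python
"""Anomaly-based detection: a statistical baseline with a training and a testing phase.

Added example, not from the original slides. The features, the per-minute
training records and the test records are constructed.
"""
from statistics import mean, pstdev

FEATURES = ("connections_per_min", "distinct_dst_ports_per_min", "kb_out_per_min")

# Constructed baseline: ten minutes of "normal" activity for one host.
# Assumption shared by every anomaly detector: this data contains no attacks
# (an attacker who can feed the training phase can teach it that scans are normal).
TRAINING = [
    (12, 3, 40), (15, 4, 55), (10, 2, 35), (14, 3, 50), (11, 3, 38),
    (13, 4, 47), (16, 3, 60), (12, 2, 42), (14, 4, 52), (13, 3, 45),
]


def train(records):
    """Training phase: mean and standard deviation of each feature."""
    columns = list(zip(*records))
    # A feature with no variation would divide by zero; pin it to a tiny sd
    # so that any change in it is flagged.
    return [(mean(c), pstdev(c) or 1e-9) for c in columns]


def zscores(model, record):
    """How many standard deviations each feature is from its baseline."""
    return [(x - mu) / sd for x, (mu, sd) in zip(record, model)]


def is_anomalous(model, record, threshold=3.0):
    """Testing phase: alert if any feature is further than `threshold` sigmas away."""
    return max(abs(z) for z in zscores(model, record)) > threshold


def explain(model, record, threshold=3.0):
    """Which features triggered the alert (what the alarm text should say)."""
    return [name for name, z in zip(FEATURES, zscores(model, record)) if abs(z) > threshold]


MODEL = train(TRAINING)

if __name__ == "__main__":
    samples = {
        "port scan":         (300, 250, 20),
        "bulk exfiltration": (14, 3, 900),
        "busy but benign":   (16, 4, 58),
    }
    for label, rec in samples.items():
        print(label, "->", is_anomalous(MODEL, rec), explain(MODEL, rec),
              "| at 1.5 sigma:", is_anomalous(MODEL, rec, 1.5))
```

Neither the port scan nor the exfiltration needs a signature; both are caught purely because they do not look like the baseline, which is the strength claimed above. The "busy but benign" record shows the drawback on the next slide: at 3 sigma it passes, at 1.5 sigma it becomes a false alarm, and lowering the threshold to catch subtler attacks buys them at the price of more such alarms.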
- 51. Drawbacks of Anomaly detection IDS
Assumes that intrusions will be accompanied by
manifestations that are sufficiently unusual so as
to permit detection.
These generate many false alarms and hence
compromise the effectiveness of the IDS.
- 52. Host-Based IDSs
Use OS auditing and monitoring/analysis mechanisms to
find malware
Can execute full static and dynamic analysis of a program
Monitor shell commands and system calls executed by user
applications and system programs
Has the most comprehensive program info for detection, thus
accurate
Problems:
User dependent: install/update IDS on all user machines!
If attacker takes over machine, can tamper with IDS binaries
and modify audit logs
Only local view of the attack
- 53. Network IDSs
Deploying sensors at strategic locations, for example packet sniffing via tcpdump at routers
Inspecting network traffic
Watch for violations of protocols and unusual connection patterns
Look into the packet payload for malicious code
Limitations
Cannot execute the payload or do any code analysis
Must record and process a huge amount of traffic
Easily defeated by encryption; this can be mitigated by terminating the encryption at a gateway/proxy so that the sensor sees plaintext on the inside