Selected Topics


Khaled Harras

School of Computer Science

Carnegie Mellon University

15-349 Computer and Network Security

Fall 2012

Some material borrowed from Hui Zhang, Adrian Perrig and Google Images

What did we talk about?


Review

• How to prepare for war?

» Reconnaissance: port scanning

» Intelligence: social engineering, dumpster diving, eavesdropping on people, befriending, documentation, blogs, etc.

» Interception: eavesdropping, wiretapping. Depends on the medium.

» Attacks: authentication, spoofing (masquerading, phishing, man-in-the-middle), web vulnerabilities, and DoS

• How to defend

» Network Segmentation and Redundancy

» Encryption. Varies based on which layer it is implemented

» Firewalls

» VPNs, SSH and SSL

» IPSec

» Wireless Security (WEP and WPA)


Today…

Firewalls…

Intrusion Detection Systems…


Firewalls

• Originally a wall built to stop a fire spreading from one building to the next; the network version stops damage spreading from one network into another

• Acts as an access control device between two networks

• Filters traffic between the inside (trusted) and the outside (dangerous) network

• Firewalls provide different functionality depending on their type

• Let's take a closer look…


Firewalls: Packet filtering gateways or screening routers

• Simplest and, in many cases, most effective

• Controls access on the basis of addresses or protocol (IP header and TCP/UDP port fields), one packet at a time

• Great for:

» Blocking whole networks, services, etc.

» Regulating in- and outbound traffic between subnets

» Knows the internal addresses, so it can drop packets arriving from outside that claim an internal source address (external spoofing)

• Drawbacks

» Too simplistic: it sees only headers, never content, and has no memory of earlier packets

» Hard to do sophisticated filtering

» Ex: block a service except when it is requested by particular users (a packet filter only knows addresses, not users)
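As an added example (not part of the lecture slides), the Python model below behaves like a screening router: a rule table matched on protocol, addresses and destination port, first match wins, default deny, plus the anti-spoofing check the slide mentions. The address ranges, the rule set and the sample packets are all constructed for illustration. The two SSH rules show how far a packet filter gets with "except for particular users": the closest it can come is "except from a particular subnet".

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed internal address range (constructed for the example).
INTERNAL_NET = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "ext" (Internet) or "int" (LAN)
    proto: str   # "tcp" or "udp"
    src: str     # source IPv4 address
    dst: str     # destination IPv4 address
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source CIDR or "any"
    dst: str               # destination CIDR or "any"
    dport: Optional[int]   # destination port, None = any port

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.src != "any" and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


# Constructed policy: first matching rule wins, anything unmatched is denied.
RULES: List[Rule] = [
    # The admin subnet may reach the SSH server; everyone else is refused.
    # This is as close as a packet filter gets to "except for particular users":
    # it reasons about addresses, never about who is at the keyboard.
    Rule("allow", "tcp", "10.0.1.0/24", "10.0.0.22/32", 22),
    Rule("deny",  "tcp", "any",         "10.0.0.22/32", 22),
    # Public web and mail servers.
    Rule("allow", "tcp", "any", "10.0.0.80/32", 80),
    Rule("allow", "tcp", "any", "10.0.0.25/32", 25),
    # Internal hosts may talk to anything outside.
    Rule("allow", "any", "10.0.0.0/8", "any", None),
]


def filter_packet(p: Packet, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (verdict, reason) for one packet, with no memory of earlier packets."""
    # Anti-spoofing: a packet with an internal source address cannot legitimately
    # arrive on the external interface, because the filter knows which
    # addresses live inside.
    if p.iface == "ext" and ip_address(p.src) in INTERNAL_NET:
        return "deny", "spoofed internal source on external interface"
    for i, rule in enumerate(rules):
        if rule.matches(p):
            return rule.action, f"rule {i}"
    return "deny", "default deny"


if __name__ == "__main__":
    samples = [
        Packet("ext", "tcp", "198.51.100.7", "10.0.0.80", 80),     # web from the Internet
        Packet("ext", "tcp", "10.0.0.5", "10.0.0.80", 80),         # spoofed internal source
        Packet("ext", "tcp", "198.51.100.7", "10.0.0.22", 22),     # SSH from the Internet
        Packet("int", "tcp", "10.0.1.9", "10.0.0.22", 22),         # SSH from the admin subnet
        Packet("int", "tcp", "10.0.0.5", "203.0.113.9", 443),      # outbound HTTPS
        Packet("ext", "udp", "198.51.100.7", "10.0.0.80", 80),     # nothing matches
    ]
    for pkt in samples:
        print(pkt.iface, pkt.proto, pkt.src, "->", pkt.dst, pkt.dport, filter_packet(pkt))
```

Because every decision is made from the headers of the packet in hand, nothing here can tell a legitimate reply apart from an unsolicited packet that merely carries the right port numbers; that is the gap the next slide addresses.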


Firewalls: Stateful Inspection Firewalls

• Attackers can split an attack across multiple packets so that no single packet matches a filter rule

• TCP segments may also arrive out of order

• Stateful inspection firewalls keep track of connections and the packets belonging to them, reassemble the pieces to make sense of the whole exchange, and thwart such attacks

• Drawback: the firewall needs to buffer more data and do more work; it becomes more complex and slows down communication
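The following is an added example, not code from the lecture: a small Python model of stateful inspection that tracks each TCP connection through its handshake, admits inbound segments only for connections opened from the inside, and scans the reassembled inbound byte stream instead of individual packets. The payload pattern, addresses and the six-segment exchange are constructed; the scenario delivers the forbidden string in two halves, second half first, which a per-packet check never sees.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed payload pattern the firewall is supposed to block.
FORBIDDEN = b"/etc/passwd"


@dataclass(frozen=True)
class Segment:
    direction: str      # "out" = LAN -> Internet, "in" = Internet -> LAN
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # "S", "SA", "A" or "F" (simplified TCP flags)
    seq: int            # sequence number of the first payload byte
    payload: bytes = b""


@dataclass
class Connection:
    state: str = "SYN_SENT"          # SYN_SENT -> SYN_RECV -> ESTABLISHED -> CLOSED
    next_seq: Optional[int] = None   # next inbound sequence number we expect
    pending: Dict[int, bytes] = field(default_factory=dict)  # out-of-order inbound data
    stream: bytes = b""              # inbound bytes reassembled in order

    def reassemble(self, seq: int, data: bytes) -> None:
        # Buffer the segment, then pull out everything that is now contiguous.
        # (Overlapping or retransmitted segments are ignored here; a real
        # firewall must resolve them exactly as the receiving host would.)
        self.pending[seq] = data
        while self.next_seq in self.pending:
            chunk = self.pending.pop(self.next_seq)
            self.stream += chunk
            self.next_seq += len(chunk)


def stateless_check(s: Segment) -> bool:
    """What a per-packet filter sees: the pattern has to sit inside one packet."""
    return FORBIDDEN in s.payload


class StatefulFirewall:
    """Admits inbound traffic only for connections opened from inside, and scans
    the reassembled inbound stream rather than single packets."""

    def __init__(self) -> None:
        self.table: Dict[Tuple[str, int, str, int], Connection] = {}

    def process(self, s: Segment) -> Tuple[str, str]:
        # Every connection is keyed as (internal host, port, external host, port).
        if s.direction == "out":
            key = (s.src, s.sport, s.dst, s.dport)
        else:
            key = (s.dst, s.dport, s.src, s.sport)
        conn = self.table.get(key)
        if conn is None:
            if s.direction == "out" and s.flags == "S":
                self.table[key] = Connection()
                return "allow", "new outbound connection"
            return "deny", "no matching connection"     # e.g. an unsolicited inbound SYN
        if conn.state == "SYN_SENT" and s.direction == "in" and s.flags == "SA":
            conn.state, conn.next_seq = "SYN_RECV", s.seq + 1   # the SYN consumes one sequence number
            return "allow", "handshake"
        if conn.state == "SYN_RECV" and s.direction == "out" and s.flags == "A":
            conn.state = "ESTABLISHED"
            return "allow", "established"
        if conn.state == "ESTABLISHED":
            if s.direction == "in" and s.payload:
                conn.reassemble(s.seq, s.payload)
                if FORBIDDEN in conn.stream:
                    conn.state = "CLOSED"
                    return "deny", "signature found in reassembled stream"
            if "F" in s.flags:
                conn.state = "CLOSED"
            return "allow", "established"
        return "deny", f"unexpected segment in state {conn.state}"


def run_scenario() -> List[Tuple[str, str, bool]]:
    """Constructed exchange: one stray inbound SYN, a handshake, then the forbidden
    string split across two inbound segments delivered out of order.
    Returns (verdict, reason, stateless_would_catch) per segment."""
    fw = StatefulFirewall()
    exchange = [
        Segment("in", "203.0.113.9", 4444, "10.0.0.5", 22, "S", 9000),          # unsolicited
        Segment("out", "10.0.0.5", 40000, "203.0.113.9", 80, "S", 1000),
        Segment("in", "203.0.113.9", 80, "10.0.0.5", 40000, "SA", 5000),
        Segment("out", "10.0.0.5", 40000, "203.0.113.9", 80, "A", 1001),
        Segment("in", "203.0.113.9", 80, "10.0.0.5", 40000, "A", 5012, b"sswd\r\n"),      # second half first
        Segment("in", "203.0.113.9", 80, "10.0.0.5", 40000, "A", 5001, b"GET /etc/pa"),   # first half
    ]
    results = []
    for s in exchange:
        verdict, reason = fw.process(s)
        results.append((verdict, reason, stateless_check(s)))
    return results


if __name__ == "__main__":
    for row in run_scenario():
        print(row)
```

The per-segment buffering in `Connection` is exactly the cost the slide warns about: the firewall now holds state and data for every live connection, which is memory and CPU an attacker can also try to exhaust.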


Firewalls: Application Proxies

• What is a proxy?

» Something that acts on your behalf

» Looks like a server to the LAN and like a client to the Internet

» Detailed, sophisticated proxies are called guards

• Why would we need a proxy?

» Anonymity

» Screening data (not just headers)

» Caching popular files

• Examples:

» Allowing some FTP commands (e.g. gets) while blocking others (e.g. puts)

» Web proxies for caching, or for screening which external users may reach an internal service

» Adding extra services or levels of authentication in front of the real server to take load off it
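As an added example (not code from the lecture), here is the FTP case in Python: a screening proxy that reads every command on the control channel and forwards only the ones a read-only policy allows, refusing uploads and deletions itself before they ever reach the server. The command allow-list, the reply strings, the path check and the client session are constructed for illustration; the login handling is simplified (a real proxy would wait for the server's reply before treating the client as logged in).

```python
import re
from typing import List, Tuple

# Constructed policy for a read-only FTP proxy: clients may log in, browse and
# download, but anything that writes to or deletes from the server is refused.
READ_ONLY_CMDS = {"USER", "PASS", "SYST", "PWD", "CWD", "TYPE", "PASV", "PORT",
                  "LIST", "NLST", "SIZE", "RETR", "QUIT"}
WRITE_CMDS = {"STOR", "STOU", "APPE", "DELE", "RMD", "MKD", "RNFR", "RNTO"}
CMD_RE = re.compile(r"^([A-Za-z]{3,4})(?: (.*))?$")


class FtpScreeningProxy:
    """Sits between the LAN client and the real FTP server, reads each control
    channel command and decides whether to forward it or answer it itself."""

    def __init__(self) -> None:
        self.logged_in = False
        self.log: List[Tuple[str, str, str]] = []   # (command, decision, detail)

    def screen(self, raw: str) -> Tuple[str, str]:
        m = CMD_RE.match(raw.rstrip("\r\n"))
        if not m:
            return self._record(raw, "reject", "500 Syntax error, command unrecognized")
        verb, arg = m.group(1).upper(), (m.group(2) or "").strip()
        if verb in WRITE_CMDS:
            return self._record(raw, "reject", "550 Write operations are not permitted through this proxy")
        if verb not in READ_ONLY_CMDS:
            return self._record(raw, "reject", "502 Command not implemented")
        if not self.logged_in and verb not in ("USER", "PASS", "QUIT"):
            return self._record(raw, "reject", "530 Please login with USER and PASS")
        # Constructed path policy: downloads stay below the client's directory.
        if verb == "RETR" and (arg.startswith("/") or ".." in arg.split("/")):
            return self._record(raw, "reject", "550 Path not allowed")
        if verb == "PASS":
            self.logged_in = True   # simplified: a real proxy waits for the server's 230 reply
        return self._record(raw, "forward", f"{verb} {arg}".strip())

    def _record(self, raw: str, decision: str, detail: str) -> Tuple[str, str]:
        entry = raw.rstrip("\r\n")
        if entry.upper().startswith("PASS "):
            entry = "PASS ****"        # never write the user's password into the proxy log
        self.log.append((entry, decision, detail))
        return decision, detail


def run_session() -> List[Tuple[str, str]]:
    """Constructed client session; returns the proxy's decision for each command."""
    proxy = FtpScreeningProxy()
    session = [
        "RETR report.pdf\r\n",        # before login
        "USER alice\r\n",
        "PASS s3cret\r\n",
        "RETR report.pdf\r\n",        # a "get": fine
        "STOR dropper.exe\r\n",       # a "put": refused
        "DELE report.pdf\r\n",
        "SITE EXEC id\r\n",           # not on the allow-list
        "RETR ../../etc/passwd\r\n",
        "QUIT\r\n",
    ]
    return [proxy.screen(c) for c in session]


if __name__ == "__main__":
    for decision in run_session():
        print(decision)
```

Because the proxy understands the protocol, it can enforce rules a packet filter cannot express at all (which verbs, which paths, only after login), at the price of one piece of code per protocol it is expected to understand.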


Firewalls: Personal Firewalls

• Traditional firewalls protect a network or a subnet

• A personal firewall is an application running on a workstation to block traffic to and from that one host

• Personal firewalls can

» Enforce localized, user-defined policies

» Generate logs that help refine existing policies and create new ones

» Merge with other applications (such as a virus scanner) to be more efficient and effective


Firewalls limitations

• Only controls the defined perimeter. If an attacker is already inside, or gets in by some path that bypasses it, the firewall can do nothing

• Does not provide any protection outside the perimeter.

Once something is out of the protected network, it is in the WWW (Wild Wild West!)

• Like a real firewall, it takes all the hits. Having several lines of defense behind it is a good idea

• Firewall configuration, activity reports and logs need to be evaluated and policies updated accordingly

• Since it is a prime target, as few tools as possible are normally installed on it. If the firewall is exploited, any tool present becomes the attacker's tool

• At the end of the day, firewalls only block "known" things… What if something unknown comes knocking?


Intrusion Detection Systems (IDS)

• Most, if not all, of the measures discussed so far (firewalls, access control, and authentication) are preventive measures

• What do we do if someone still manages to break in using an "unknown" technique, or if very small, individually unrecognized attacks add up to a large one?

• We need a detection system!


Signature-based IDS

• Signature-based IDS

» A pattern-matching system: known attacks are described as signatures, and observed traffic is compared against them

» Ex: many SYN packets from one source sent to successive ports (what is this called? A port scan)

• Problems?

» Small manipulations of an attack yield a new signature that is not in the database yet; how do we keep up?

» Large signature databases mean slower matching and slower response time

» Cannot detect new attacks or patterns

• Partial solution: statistical analysis

» Match sampled measurements (rates, counts, sizes) against signature thresholds instead of exact byte patterns

» Very hard to make bulletproof


Heuristic IDS

• Heuristic (anomaly-based) IDS

» Builds a model of acceptable behavior and flags exceptions

» Logs and records normal behavioral patterns for a while, then detects deviation from that baseline

» Puts small, individually unrecognized events together and anticipates the large attack they add up to

• An inference engine performs such tasks

» State-based: tracks state transitions and sounds an alarm once the system enters an unsafe state

» Model-based: builds static and dynamic behavior models used for prediction
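To make the difference between the two previous slides concrete, here is an added Python example (not code from the lecture) that runs a signature detector and an anomaly detector over the same constructed connection log. The signature is the port-scan pattern from the signature slide: SYNs to at least five distinct ports on one host within ten seconds. The anomaly detector follows the heuristic slide: it learns how many distinct services a source normally touches per hour, then flags sources that deviate from that baseline. The log format, hosts, thresholds and traffic are all constructed; the slow scan in the test log is the "small unrecognized events that add up to a large attack" case, which evades the signature and is caught only by the baseline.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple

# Constructed log format: one connection attempt per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) flags=(?P<flags>\S+)$")

Event = Tuple[datetime, str, str, int, str]   # (time, src, dst, dport, flags)


def parse(lines: List[str]) -> List[Event]:
    events = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if m:   # malformed lines are skipped rather than crashing the sensor
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
                           int(m["dport"]), m["flags"]))
    return events


def signature_port_scan(events: List[Event], ports: int = 5, window: int = 10) -> Set[Tuple[str, str]]:
    """Signature: SYNs from one source to >= `ports` distinct ports on one host
    inside any `window`-second span. Fast and precise, and blind to anything slower."""
    per_pair: Dict[Tuple[str, str], List[Tuple[datetime, int]]] = defaultdict(list)
    for ts, src, dst, dport, flags in events:
        if "S" in flags:
            per_pair[(src, dst)].append((ts, dport))
    alerts = set()
    for pair, hits in per_pair.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            seen = {p for t, p in hits[i:] if (t - t0).total_seconds() <= window}
            if len(seen) >= ports:
                alerts.add(pair)
                break
    return alerts


def ports_per_source_hour(events: List[Event]) -> Dict[Tuple[str, datetime], int]:
    """Feature for the anomaly model: distinct (dst, port) pairs per source per hour."""
    touched: Dict[Tuple[str, datetime], Set[Tuple[str, int]]] = defaultdict(set)
    for ts, src, dst, dport, _ in events:
        touched[(src, ts.replace(minute=0, second=0, microsecond=0))].add((dst, dport))
    return {key: len(v) for key, v in touched.items()}


class AnomalyDetector:
    """Heuristic IDS: learn what normal looks like, then flag deviations from it."""

    def train(self, events: List[Event]) -> None:
        counts = list(ports_per_source_hour(events).values())
        self.mu, self.sigma = mean(counts), pstdev(counts)

    def detect(self, events: List[Event], k: float = 3.0) -> Dict[str, int]:
        # Floor sigma at 1 so a perfectly uniform baseline does not flag everything.
        threshold = self.mu + k * max(self.sigma, 1.0)
        flagged: Dict[str, int] = {}
        for (src, _), n in ports_per_source_hour(events).items():
            if n > threshold:
                flagged[src] = max(n, flagged.get(src, 0))
        return flagged


def line(h: int, m: int, s: int, src: str, dst: str, port: int) -> str:
    return f"2012-10-01T{h:02d}:{m:02d}:{s:02d} src={src} dst={dst} dport={port} flags=S"


def training_log() -> List[str]:
    """Constructed 'normal' traffic: four LAN hosts, each touching 1-3 services an hour."""
    out = []
    for h in range(6):
        for i in range(4):
            for port in [80, 443, 25][: 1 + (h + i) % 3]:
                out.append(line(h, 5 * i, 0, f"10.0.0.{i + 1}", "10.0.0.50", port))
    return out


def test_log() -> List[str]:
    """Constructed traffic under test: one normal host, one fast scan, one slow scan."""
    out = [line(12, 10 * i, 5, "10.0.0.1", "10.0.0.50", p) for i, p in enumerate([80, 443, 25])]
    # Fast scan: six ports in six seconds.
    out += [line(12, 30, i, "198.51.100.7", "10.0.0.5", p) for i, p in enumerate([21, 22, 23, 25, 80, 443])]
    # Slow scan: one port every five minutes; no single event looks like much.
    out += [line(12, 5 * i, 0, "203.0.113.9", "10.0.0.5", 1000 + i) for i in range(12)]
    return out


def analyze() -> Dict[str, object]:
    ids = AnomalyDetector()
    ids.train(parse(training_log()))
    events = parse(test_log())
    return {"signature": signature_port_scan(events), "anomaly": ids.detect(events)}


if __name__ == "__main__":
    print(analyze())
```

The trade-off from the slides shows up directly: the signature names the attack it found and never fires on the normal host, while the anomaly detector catches the slow scan but can only say "this source is unusual", and its threshold is only as good as the training period (a scan that ran during training would have become part of "normal").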


Stealth Mode IDS

• An IDS can be host-based or network-based, depending on what we want to protect

• What do we do if the IDS itself is targeted?

• Run it in stealth mode:

» Two network interfaces

» Only receives on one interface, never sends on it

» The other interface is connected to a separate alarm network

» Passive wiretapping: the IDS has no presence on the monitored network, so an attacker there cannot address it


Final notes on an IDS

• Generally, an IDS should be really fast!

• How do we respond to an alarm?

» Monitor, protect, or even call for human intervention

• What if the IDS makes a mistake?

» An IDS needs tuning, and time over which administrators can properly set it up

• Challenges for an IDS

» Keeping up with the growing number of problems and signatures

» False alarms versus sensitivity

» In most cases it needs an admin to monitor it as well
