Intruder
NS-H0503-02/1104
1
Intruders
• Three classes of intruders (hackers or
crackers):
– Masquerader
– Misfeasor
– Clandestine user
NS-H0503-02/1104
2
Intrusion Techniques
• System maintain a file that associates a
password with each authorized user.
• Password file can be protected with:
– One-way encryption
– Access Control
NS-H0503-02/1104
3
Intrusion Techniques
•
•
NS-H0503-02/1104
Techniques for guessing passwords:
• Try default passwords.
• Try all short words, 1 to 3 characters long.
• Try all the words in an electronic
dictionary(60,000).
• Collect information about the user’s hobbies,
family names, birthday, etc.
• Try user’s phone number, social security number,
street address, etc.
• Try all license plate numbers (MUP103).
• Use a Trojan horse
• Tap the line between a remote user and the host
system.
Prevention:
Enforce good password selection (Ij4Gf4Se%f#)
4
The Stages of a Network Intrusion
1. Scan the network to:
• locate which IP addresses are in use,
• what operating system is in use,
• what TCP or UDP ports are “open” (being listened to
by Servers).
2. Run “Exploit” scripts against open ports
3. Get access to Shell program which is “suid” (has
“root” privileges).
4. Download from Hacker Web site special versions of
systems files that will let Cracker have free access in
the future without his cpu time or disk storage space
being noticed by auditing programs.
5. Use IRC (Internet Relay Chat) to invite friends to the
feast.
NS-H0503-02/1104
5
5
Intusion Detection
• The intruder can be identified and ejected from
the system.
• An effective intrusion detection can prevent
intrusions.
• Intrusion detection enables the collection of
information about intrusion techniques that can
be used to strengthen the intrusion prevention
facility.
NS-H0503-02/1104
6
Profiles of Behavior
Intruders and Authorized Users
NS-H0503-02/1104
7
Intrusion Detection
• Statistical anomaly detection
– Treshold detection
– Profile based
• Rule based detection
– Anomaly detection
– Penetration identidication
NS-H0503-02/1104
8
Measures used for Intrusion Detection
•
•
•
•
•
•
•
•
NS-H0503-02/1104
Login frequency by day and time.
Frequency of login at different locations.
Time since last login.
Password failures at login.
Execution frequency.
Execution denials.
Read, write, create, delete frequency.
Failure count for read, write, create and delete.
9
Distributed Intrusion Detection
Developed at University of California at Davis
NS-H0503-02/1104
10
Distributed Intrusion Detection
NS-H0503-02/1104
11
Firewall
NS-H0503-02/1104
12
Firewalls
Effective means of protection a local system or
network of systems from network-based security
threats while affording access to the outside
world via WAN`s or the Internet
NS-H0503-02/1104
13
Firewall Design Principles
• Information systems undergo a steady evolution
(from small LAN`s to Internet connectivity)
• Strong security features for all workstations and
servers not established
• The firewall is inserted between the premises
network and the Internet
• Aims:
– Establish a controlled link
– Protect the premises network from Internetbased attacks
– Provide a single choke point
NS-H0503-02/1104
14
Firewall Characteristics
• Design goals:
– All traffic from inside to outside must pass
through the firewall (physically blocking all
access to the local network except via the
firewall)
– Only authorized traffic (defined by the local
security policy) will be allowed to pass
– The firewall itself is immune to penetration
(use of trusted system with a secure operating
system)
NS-H0503-02/1104
15
Firewall Characteristics
• Four general techniques:
• Service control
– Determines the types of Internet services that
can be accessed, inbound or outbound
• Direction control
– Determines the direction in which particular
service requests are allowed to flow
• User control
– Controls access to a service according to
which user is attempting to access it
• Behavior control
– Controls how particular services are used (e.g.
filter e-mail)
NS-H0503-02/1104
16
Types of Firewalls
• Three common types of Firewalls:
– Packet-filtering routers
– Application-level gateways
– Circuit-level gateways
NS-H0503-02/1104
17
Types of Firewalls
Packet-filtering Router
NS-H0503-02/1104
18
Types of Firewalls
• Packet-filtering Router
– Applies a set of rules to each incoming IP
packet and then forwards or discards the
packet
– Filter packets going in both directions
– The packet filter is typically set up as a list of
rules based on matches to fields in the IP or
TCP header
– Two default policies (discard or forward)
NS-H0503-02/1104
19
Types of Firewalls
• Advantages:
– Simplicity
– Transparency to users
– High speed
• Disadvantages:
– Difficulty of setting up packet filter rules
– Lack of Authentication
• Possible attacks and appropriate countermeasures
– IP address spoofing
– Source routing attacks
– Tiny fragment attacks
NS-H0503-02/1104
20
Types of Firewalls
Application-level Gateway
NS-H0503-02/1104
21
Types of Firewalls
• Application-level Gateway
– Also called proxy server
– Acts as a relay of application-level traffic
• Advantages:
– Higher security than packet filters
– Only need to scrutinize a few allowable
applications
– Easy to log and audit all incoming traffic
• Disadvantages:
– Additional processing overhead on each
connection (gateway as splice point)
NS-H0503-02/1104
22
Types of Firewalls
• Circuit-level Gateway
NS-H0503-02/1104
23
Types of Firewalls
• Circuit-level Gateway
– Stand-alone system or
– Specialized function performed by an
Application-level Gateway
– Sets up two TCP connections
– The gateway typically relays TCP segments
from one connection to the other without
examining the contents
• Circuit-level Gateway
– The security function consists of determining
which connections will be allowed
– Typically use is a situation in which the system
administrator trusts the internal users
– An example is the SOCKS package
NS-H0503-02/1104
24
Firewall Configurations
Screened host firewall system (single-homed
bastion host)
NS-H0503-02/1104
25
Firewall Configurations
• Screened host firewall, single-homed bastion
configuration
• Firewall consists of two systems:
– A packet-filtering router
– A bastion host
NS-H0503-02/1104
26
Firewall Configurations
• Configuration for the packet-filtering router:
– Only packets from and to the bastion host are
allowed to pass through the router
• The bastion host performs authentication and
proxy functions
NS-H0503-02/1104
27
Firewall Configurations
• Greater security than single configurations
because of two reasons:
– This configuration implements both packetlevel and application-level filtering (allowing
for flexibility in defining security policy)
– An intruder must generally penetrate two
separate systems
NS-H0503-02/1104
28
Firewall Configurations
• This configuration also affords flexibility in
providing direct Internet access (public
information server, e.g. Web server)
NS-H0503-02/1104
29
Firewall Configurations
Screened host firewall system (dual-homed bastion host)
NS-H0503-02/1104
30
Firewall Configurations
• Screened host firewall, dual-homed bastion
configuration
– The packet-filtering router is not completely
compromised
– Traffic between the Internet and other hosts on
the private network has to flow through the
bastion host
NS-H0503-02/1104
31
Firewall Configurations
Screened-subnet firewall system
NS-H0503-02/1104
32
Firewall Configurations
• Screened subnet firewall configuration
– Most secure configuration of the three
– Two packet-filtering routers are used
– Creation of an isolated sub-network
NS-H0503-02/1104
33
Firewall Configurations
• Advantages:
– Three levels of defense to thwart intruders
– The outside router advertises only the
existence of the screened subnet to the
Internet (internal network is invisible to the
Internet)
NS-H0503-02/1104
34
Firewall Configurations
• Advantages:
– The inside router advertises only the existence
of the screened subnet to the internal network
(the systems on the inside network cannot
construct direct routes to the Internet)
NS-H0503-02/1104
35