Download 7-ids.ppt

advertisement
Firewalls
&
Intrusion Detection Systems
Communications, Networking &
Computer Security
Sanjay Goel
University at Albany
Outline
•
Firewall
–
–
–
–
•
Definition
Types
Configuration
Lab Exercise (Kerio Personal Firewall)
IDS
– Definition
– Operation
– Lab Exercises
Firewall
What is a Firewall?
• A firewall is any device used to prevent outsiders
from gaining access to your network.
• It checks each packet against a list of rules to permit
or deny its transmission
• Firewalls commonly implement exclusionary
schemes or rules that sort out wanted and unwanted
addresses.
– They filter all traffic between a protected (“inside”) network and a
less trustworthy (“outside”) network
Firewall
Composition?
• Firewalls can be composed of software,
hardware, or, most commonly, both.
– The software components can be either
proprietary, shareware, or freeware.
– The hardware is typically any hardware that
supports the firewall software.
Firewall
Design Goals
• All traffic in both direction must pass through the
firewall
• Only authorized traffic should be allowed to pass
• Firewall should itself be immune to penetration
– Compromised firewall can completely undermine the
network security
• Tradeoff between security and productivity
– Internal network could be completely secure, but
employees may not be able to communicate
Firewall
Types
• There are different kinds of firewalls, and
each type has its advantages & disadvantages.
• Firewalls can be classified in two broad
categories
– Network Level Firewalls
– Personal Firewalls
Firewall
Network Level Firewalls
• Network-level firewalls are usually router based.
– Rules of who & what can access your network is applied at router level.
• Scheme is applied through a technique called packet filtering
• Network Level Firewalls can be classified as
– Packet-Filtering Firewalls
• The simplest and most effective type of firewalls
– Stateful Inspection Firewalls
• Maintain state info from a packet to another in the input stream
– Application-Level Firewalls (Proxies)
• Proxy server, a relay of application-level traffic
Firewall
Packet Filtering
• Packet Filtering is the process of examining the
packets that come to the router from the outside
world.
• Packet headers are inspected by a firewall or router to
make a decision to block the packet or allow access
• Two Approaches:
– Stateless (a.k.a. static)
– Stateful
Firewall
Stateless Packet Filtering
• Ignores the “state” of the connection
• Each packet header is examined individually
and compared to a “rule base”
– Packet data is ignored
• Common criteria to filter on:
–
–
–
–
Protocol Type
IP address
Port Number
Message Type
Sanjay Goel, School of Business
9
Firewall
Stateful Packet Filtering
• Maintains a record of the state of the
connection (referred to as state table)
• Packet is compared against both rule base and
state table
• Some stateful filters can examine both packet
header and content
• Called “stateful” because it permits outgoing
sessions while denying incoming sessions
Sanjay Goel, School of Business
10
Firewall
Application Gateway Firewall
• When a remote user contacts a network running an
application gateway, the gateway blocks the remote
connection.
• Instead of passing the connection along, the gateway
examines various fields in the request.
• If these meet a set of predefined rules, the gateway
creates a bridge between the remote host and the
internal host.
Firewall
Access Policy
• A list of rules describing which packets are to
be forwarded
• Each packet is compared against this list
• The longer the list the greater the latency
(delay)
• Examples:
– From any to any port 80 permit
– From any to any PORT any deny
– From *.albany.edu to any PORT any DENY
Firewall
Limitations
• Firewalls are not a complete solution to all
computer security problems, limitations:
– The firewall cannot protect against attacks that bypass
the firewall
– The firewall does not protect against internal threats
– The firewall cannot protect against the transfer of
virus-infected programs or files
Sanjay Goel, School of Business
13
Firewall
Configuration Strategies
Screening Router
Internet
• Simple
• Filters traffic to
internal computers
• Provides minimal
security
External Interface
10.1.1.200 /24
Router
Internal Interface
192.168.2.1 /24
192.168.2.2
192.168.2.3
192.168.2.4
192.168.2.5
192.168.2.6
Source: Guide To Firewalls and Network Security
Sanjay Goel, School of Business
14
Firewall
Configuration Strategies
Screening Host
Internet
• Host makes Internet request
• Gateway receives client
request and makes a request on
behalf of the client
Router
Application
Gateway
• Host IP address never
displayed to public
192.168.2.2
192.168.2.3
192.168.2.4
192.168.2.5
192.168.2.6
Source: Guide To Firewalls and Network Security
Sanjay Goel, School of Business
15
Firewall
Configuration Strategies
Internet
Two Routers, One Firewall
• External router can perform
initial static packet filtering
Router
• Internal router can perform
stateful packet filtering
• Multiple internal routers can
direct traffic to different subnets
192.168.2.2
Firewall
Router
LAN Gateway
192.168.2.3
192.168.2.4
192.168.2.5
192.168.2.6
Source: Guide To Firewalls and Network Security
Sanjay Goel, School of Business
16
Firewall
Configuration Strategies
Internet
DMZ Screened Subnet
Web Server
Email Server
FTP Server
10.1.1.2
10.1.1.3
10.1.1.4
• DMZ sits outside internal
network but is connected
to the firewall
Router
Firewall
• Public can access servers
residing in DMZ, but
cannot connect to internal
LAN
10.1.1.1 /24
DMZ
Router
LAN Gateway
192.168.1.1 /24
192.168.2.2
192.168.2.3
192.168.2.4
192.168.2.5
192.168.2.6
Source: Guide To Firewalls and Network Security
Sanjay Goel, School of Business
17
Firewall
Configuration Strategies
Two Firewalls, One
DMZ
Internet
Web Server
Email Server
FTP Server
10.1.1.2
10.1.1.3
10.1.1.4
• First firewall controls
traffic between the
Internet and DMZ
• Second firewall controls
traffic between the internal
network and DMZ
• Second firewall can also
be a failover firewall
Firewall
10.1.1.1 /24
Router
DMZ
Router
LAN Gateway
192.168.1.1 /24
192.168.2.2
Sanjay Goel, School of Business
192.168.2.3
192.168.2.4
192.168.2.5
192.168.2.6
18
Firewall
Kerio Personal Firewall (KPF)
• What’s KPF?
A software agent builds a barrier between PC and the Internet, to
protect PC against hacker attacks and data leaks.
• Why KPF?
– KPF is designed to protect PC against attacks from both the
Internet, and other computers in the local network.
– KPF controls all data flow in both directions – from the Internet to
your computer and vice versa
– KPF can block all attempted communication allowing only what you
choose to permit.
Lab Exercise
Configure Kerio Personal Firewall
Sanjay Goel, School of Business
20
KPF
How does it work?
KPF
Features
• Blocks all externally originated IP traffic
• Three security settings for easy configuration
• MD5 signature verification protects the
computer from Trojan horses
• Protecting from Denial of Service (DOS) attacks to
applications or services
• Connections dialog clearly displays each application's
activity at any given moment
KPF
Features Cont’d.
• Availability (KPF version 4.1.3):
– Available for trial for home use (limited free version)
http://www.kerio.com/kpf_download.html
– Manual is available at the following site
http://download.kerio.com/dwn/kpf/kpf41-en-v3.pdf
– Business and institutional customers are encouraged to
download this software for evaluation purposes.
• Platform:
– For Windows 98, Me, NT, 2000 and XP
– (Win 95 not available any more)
KPF
Installation
• System requirements:
• CPU Intel Pentium or 100% compatible
• 64 MB RAM
• 8 MB hard drive space (for installation only; at least 10 MB of
additional space is recommended for logging)
• Installation:
• Executing the installation archive (kerio-pf-201-en-win.exe)
• Choose the directory KPF be installed, or leave the default
setting (C:\Program Files\Kerio\Personal Firewall)
• Restart system after installation in order for the low-lever driver
to be loaded
KPF
Configuration
• Overview — list of active and open ports, statistics, user
preferences.
• Network Security — rules for network communication of
individual applications, Packet filtering, trusted area definitions
• System Security — rules for startup of individual applications
• Intrusions — configuration of parameters which will be used for
detection of known intrusion types
• Web - web content rules (URL filter, pop-ups blocking, control
over sent data)
• Logs & Alters -- logs viewing and settings
KPF
Firewall Engine
• The Firewall Engine takes
care of all KPF functions
• It runs as a background
application
• It is represented by an icon
in the System Tray
• Right click the icon:
– Stop All Traffic
– Firewall Status
– Administration
KPF
Configuration Window
KPF
Administration
Test
KPF
Status Window
KPF
Security Settings
• Level of Security: (KPF allows 3 security levels)
– Permit Unknown: minimum security
– Ask Me First: all communication is denied implicitly
at this level
– Deny Unknown: all communication is denied which is
not explicitly permitted by the existing filter rules
KPF
Security Settings Cont’d.
• Test
KPF
Interaction with Users (Incoming)
KPF
Interaction with Users (Outgoing)
KPF
Packet Filtering Rules
Comments
KPF
Application MD5 Signature
KPF
Filter.log File
• The filter.log file is used for logging KPF actions on
a local computer
• Filter.log is a text file where each record is placed on
a new line. It has the following format:
– 1,[08/Jun/2001 16:52:09] Rule 'Internet Information Services':
Blocked: In TCP, richard.kerio.cz [192.168.2.38:3772]>localhost:25, Owner:
G:\WINNT\SYSTEM32\INETSRV\INETINFO.EXE
• How to read this log file?
Intrusion Detection Systems
Sanjay Goel, School of Business
37
IDS
What Does it Do?
• An intrusion detection system (IDS) monitors systems
and analyzes network traffic to detect signs of
intrusion.
• An IDS can detect a variety of attacks in progress as
well as well as attempts to scan a network for
weaknesses.
• An IDS can be a dedicated network appliance or a
software solution installed on a host computer.
• Two kinds of IDS Systems
– Client Based (On a single node)
– Network Based (Protecting the entire network)
IDS
How does it work?
• If configured correctly, a network intrusion
detection system (NIDS) can monitor all
traffic on a network segment.
• A NIDS is most effective when used in
conjunction with a firewall solution, and
having all of its dependent components being
properly connected and functioning.
IDS
Configuration
• NIDS can be installed on the external
routers, the internal routers, or both.
• Placing NIDS on external routers enables
detection of attacks from the Internet
• Placing NIDS on internal routers enables
detection of internal hosts attempting to
access the Internet on suspicious ports.
Sanjay Goel, School of Business
40
IDS
Methods of Detection
• A NIDS/IDS mainly use anomaly or pattern detection to
identify an intrusion or intrusion attempt.
• An anomaly example: This involves monitoring resource use,
network traffic, user behavior and comparing it against normal
levels.
• If a user that normally only accesses the system between 9 am
– 5pm, suddenly logs on at 3 am then this may indicate that an
intruder has compromised the user’s account. A NIDS/IDS
would then alert administrators to this suspicious activity.
• A NIDS/IDS can detect hacker attempts to scan your network
for intelligence gathering purposes.
IDS
Network Packet Checking
• Sits On Network location and “checks” packets that
travel across the network.
• If a packet contains a certain “footprint”, then it
triggers an alert
• Audit logs are generated and kept as records of
alerts.
IDS
Commonly Used IDS Systems (Windows)
• ISS Internet Security Systems (Black Ice Guardian)
– Used by individuals and small business networks.
– Looks for common algorithms concealed or “wrapped”
in wrappers i.e. TCP Wrapper.
– Can be configured as an IDS and a Firewall.
– Can track unauthorized traffic and block the ports the
intruding script/software is using.
IDS
Vendor Firewalls & Versions (Hardware Based)
•
•
•
•
Axent: Raptor v6.5
Checkpoint: FW1 v4.1
Cisco: PIX v525
MS: Proxy v2.0
Zone Alarm Pro!
View Demo
Firewalls & IDS
Contributors
• Edward Zhang
• Michael LaBarge
• Christopher Brown
Download