Lecture 19: Firewalls and Intrusion Detection
CS588: Security and Privacy
University of Virginia Computer Science
David Evans
http://www.cs.virginia.edu/~evans

Malcode Defenses
1. Prevent malcode from running
   Virus scanners – recognize known malcode
   Firewalls – drop incoming packets
   Code signing – only run code from trusted sources
   Education – make users smarter
2. Limit damage it can do
   Sandbox ("Playpen") – run malcode in a protected virtual machine
   Reference monitors – enforce policy on execution
   Intrusion detection, system maintenance
3. Discourage attackers
   Legal – pass laws to penalize attackers
26 Nov 2001 University of Virginia CS 588

The Best Firewall
(Figure: a machine whose connection "to network" and "power" cord are both cut.)
Functionality is Bad

Lesser Firewall
(Figure: a firewall placed on the connection to the network.)
   firewall (p: packet) {
     if (allow (p)) forward (p);
     else drop (p);
   }

Networks – OSI Model
   Application, Presentation, Session – FTP, SMTP, HTTP, RealPlayer, ...
   Transport – TCP, UDP
   Network – IP
   Data Link, Physical – Ethernet, FDDI, CDMA, Smoke Signals, Other

An IP (V4) Packet
(Figure: the IPv4 header laid out 32 bits per row, bit offsets 0 to 160, followed by the data.)
   IP Version (4) | IP Header Length | Type of Service (not used) | Size of Datagram
   Packet Identification | Flags | Fragment Offset
   TTL | Transport Protocol (e.g., TCP) | Header Checksum
   Source IP Address
   Destination IP Address
   Options
   Data

A Simple Packet Filter
   boolean allow (packet) {
     if (match (packet.source, "18.26.4.*"))
       return false;   // No packets from Robert Morris' machines.
     else if (match (packet.source, "149.150.209.*"))
       return false;   // Cheaton Hall
     else
       return true;
   }

Typical Packet Filtering Rules
Incoming:
   permit 0.0.0.0 128.143.137.19 TCP src >= 1024 dst = 25
   permit 0.0.0.0 128.143.137.19 TCP src = 25 dst >= 1024
Outgoing:
   permit 128.143.137.19 0.0.0.0 TCP src = 25 dst >= 1024
   permit 128.143.137.19 0.0.0.0 TCP src >= 1024 dst = 25

Packet Filter Layers
(Figure: the OSI stack from the "Networks – OSI Model" slide, indicating the layers a packet filter inspects.)

Application-Layer Gateways
• Analyze communication at the application layer
• All communication must go through a proxy that knows about the application
• Able to detect application-level attacks
• Poor scalability, performance
• Fail-safe is annoying

Project Presentations
Tell a story, don't read a list.

All Good Talks Tell a Story
• Introduce characters (rabbit, fox)
• Describe an important problem (fox wants to eat rabbit)
• Relate events that resolve the problem (rabbit tells fox about thesis)
• A few examples (rabbit tells wolf, ...)
• Draw a general conclusion that is supported by your story (thesis doesn't matter, only advisor)

Introduction
• Introduce characters: motivate your work
  – Convey why the problem you are solving is interesting, important and exciting
  – Place your work in context: how is it different from what others have done
• Teaser for your results – why should we listen to the rest of the talk?
  – Don't need a full outline, but let the audience know enough so they want to listen to the rest
  – Unlike the Rabbit story, suspense is not good

Guts
• Explain what you did
  – Don't be comprehensive – convey the big picture
  – Use pictures, 1-2 examples, etc.
• Convey one technical nugget
  – Show one neat, concrete thing that came out of your work.
• Analysis
  – Did your work solve the problem?
  – What are the important results of your work?

Conclusion
Summarize your project with one key point. If your audience remembers one thing from your talk, you have succeeded.

Some Specific Advice
• Average 2 minutes per slide
• Your target audience is the other students in the class
  – Assume they know as much security as has been covered in the class
• Use pictures
• Use humor (but only if it's relevant)
• Don't put this much text on any of your slides!

Can you do all this in 13 minutes?
• Advertisers pay $2.5M for 30 seconds during the Superbowl – they must be pretty sure they can tell a compelling story in that time
• A Seinfeld episode is 22 minutes long
• Make your points directly, avoid unnecessary details
• Organize your presentation

Practice!
• Without an audience
• In front of your teammates
• In front of friends not familiar with your project
• I will listen to any group that wants to practice their talk Tuesday Nov 27th (email your preferred time, 8pm-midnight) and sometime this weekend (email to arrange)

Intrusion Detection

Why Detect Intruders?
• Catch them before they cause damage and plug holes
• Identify damage
• Collect evidence for prosecution
• Deterrent

Behavior
(Figure: a spectrum of behavior running from "Obviously Normal" at one end to "Obviously Malicious" at the other.)

Typical Intrusion Graph (Stallings, p. 491)
(Figure: probability density function on the vertical axis against a measurable behavior parameter on the horizontal axis, showing an authorized user profile and an intruder profile.)

More Realistic Graph (Why intrusion detection is impossible?)
(Figure: the same axes, probability density function against measurable behavior parameter, again showing an authorized user profile and an intruder profile.)

False Positives Dilemma
• Doctor invents a new, inexpensive test for a deadly disease that is 95% accurate
• Assume 1 in 1000 people have the deadly disease (but don't know it yet)
• Should everyone get the test?
  – 1000 people tested
  – Expect .95 + (999 * .05) positives
  – 50 people will be told they have the disease
  – If you test positive, there is a 1/50 chance you have the disease

Intrusion Detection Approaches
• Statistical Anomaly Detection
  – Produce a profile of the normal behavior of each user (or independent of user)
  – Notice statistical deviations from that behavior
• Rule-based Detection
  – Think really hard and make up rules that describe intruder behavior.
  – Hope intruders can't read and figure out the rules also.

Detect an Intrusion
• Do nothing
• Email system administrator
• Page system administrator
• Shut down system

Network Intrusion Detection
• Monitor activity on many hosts
• Aggregate audit records to detect anomalous behavior
• Managed Security Monitoring (Counterpane, Inc.)
  – $12,000/month

Challenges in Intrusion Detection
• The first thing a smart intruder will do is tamper with the Intrusion Detection system!
• Few activities are either obviously normal or obviously malicious
• False positives dilemma

Immunology

Biological Inspiration
• Biological systems are incredibly resilient
• Most humans survive ~80 years
• Before medical advances, most still would survive ~30 years
• Operate in a hostile, unpredictable environment
• No way to reboot, reinstall operating system, upgrade software, etc.

Genetic Code
• Human genome: 1.5 Billion base pairs = 3 Gb = 375 MB
• Windows XP requires 1500MB = 4 humans!
• Two humans differ by only 2M base pairs = 0.5MB
• Nature is really good at programming, maybe we can learn something from it!

Immune Systems
Lymphocytes recognize pathogens by binding. Proteins have distinctive shapes. Binding is approximate. Sometimes they match the wrong things (this is why organ transplants get rejected).
(Figure from An Overview of the Immune System, © 1997 Steven A Hofmeyr, http://www.cs.unm.edu/~immsec/html-imm/introduction.html)

Receptor Diversity
• Need to recognize all foreign intruders, but DNA can't know about all possible intruders
  – 10^16 intruder patterns, 10^6 self patterns
• Gene segments are randomly combined to form different receptors
  – Can make up to 10^15 different receptors (usually have about 10^8 – 10^12 at one time)
• How is that enough?
  – Matching is approximate
  – Create 100M new lymphocytes every day

How You Make Them
(Figure.)

Better Not Kill Yourself
Clonal Deletion
(Figure.)

Affinity Maturation
• The ones that match intruders are produced in quantity
• B-cells in bone marrow – most effective cells reproduce more quickly
(Figure from An Overview of the Immune System, © 1997 Steven A Hofmeyr)

Can computers do this?
• [Forrest 97]
• Programs identified by sequences of system calls
• Build a database of normal patterns (how?)
• Receptors recognize unusual patterns
• Enough unusual patterns is considered an intrusion

False Positives
• Sequence of system calls not recognized as a normal pattern generated by non-intrusive execution
• Do biological immune systems have false positives? Yes – that is what auto-immune diseases are:
  – Multiple Sclerosis – motor nerve cells are non-self
  – Graves' Disease – thyroid gland is non-self
  – Rheumatoid Arthritis – connective tissue is non-self

Fatal Flaw of Intrusion Detection
• Might work okay if no one important is using it
• Will it work if an attacker knows about it and is deliberately constructing an attack to avoid detection?
  – Do biological viruses evolve to mimic host proteins?

Course Evaluations

Course Evaluation Email
"The information you provide will be reviewed by the course instructor and by the UVa committee and will be used for instructional improvement. YOUR RESPONSES WILL ALWAYS BE TOTALLY ANONYMOUS."

SEAS Course Evaluations Myths
1. They are secure.
2. They are anonymous.
   (Dispelled by Phil Varner's project last year)
3. The administration doesn't take teaching seriously.
   Not true – read the SEAS Tenure guidelines (teaching is 1/3rd)
4. The administration doesn't care what students think.
   Not true – but comments must be well-supported (e.g., "Prof should not eat onions for lunch." is ignored.)
5. They are used to improve teaching.
   Not true – need very specific questions to do this

Course Evaluations
• Fill out the SEAS Evaluation on-line
  – It's not secure, but I promise not to break in...
  – Write comments based on whether you want me to get fired or promoted
• Fill out my course-specific survey
  – Help improve future versions of the course for later students
  – Return on last day of class
  – All members of a team must return a survey to be eligible for Jeopardy prizes

Charge
• Project Presentations Wednesday and Monday
• Project Reports due next Wednesday
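The base-rate reasoning on the "False Positives Dilemma" slide, carried through as an added worked derivation (not on the original slides) with the slide's own numbers: prevalence 1 in 1000, and "95% accurate" read as both the detection rate and the true-negative rate. For intrusion detection, read $D$ as "intrusion" and $+$ as "alert".

$$
\begin{aligned}
P(D) &= 0.001, \qquad P(\bar D) = 0.999, \\
P(+ \mid D) &= 0.95, \qquad P(+ \mid \bar D) = 0.05, \\
P(+) &= P(+ \mid D)\,P(D) + P(+ \mid \bar D)\,P(\bar D) = 0.00095 + 0.04995 = 0.0509, \\
P(D \mid +) &= \frac{P(+ \mid D)\,P(D)}{P(+)} = \frac{0.00095}{0.0509} \approx 0.0187 \approx \frac{1}{54}.
\end{aligned}
$$

Per 1000 people this is the slide's $0.95 + 999 \times 0.05 = 50.9$ expected positives, of whom about one actually has the disease, which the slide rounds to "1/50". The same arithmetic is what makes the later "False positives dilemma" bullet a challenge for intrusion detection: when intrusions are rare, a detector with a small $P(+ \mid \bar D)$ still raises mostly false alarms, and the only ways to raise $P(D \mid +)$ are to drive $P(+ \mid \bar D)$ down or to monitor a narrower population in which $P(D)$ is higher.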
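Worked example for the "A Simple Packet Filter" and "Typical Packet Filtering Rules" slides, added here and not code from the lecture. It turns the slide's allow()/firewall() pseudocode and its four rules into a runnable stateless filter. Assumptions the slides do not state: rules are tried in order and the first match decides, a packet matching no rule is dropped (default deny), and "0.0.0.0" in a rule means "any host". The hardened rule set and its TCP ACK-flag requirement are also an addition: the two rules whose only job is to admit replies (source port 25 in either direction) can be made to accept only segments with ACK set, so a brand-new connection cannot get through just by using source port 25. The sample packets and the outside address 10.0.0.5 are constructed.

```python
"""Stateless packet filter modelled on the lecture's slides (added example).

Assumptions not on the slides: first-match semantics, default deny, and
"0.0.0.0" meaning "any host".  MAIL_SERVER is the address the slide uses.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

MAIL_SERVER = "128.143.137.19"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    ack: bool = False  # TCP ACK flag; only the hardened rules look at it


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    src: str                          # address, or "0.0.0.0" for any
    dst: str
    proto: str
    sport_ok: Callable[[int], bool]   # predicate on the source port
    dport_ok: Callable[[int], bool]   # predicate on the destination port
    require_ack: bool = False         # hardened rules: admit only reply segments


def addr_match(pattern: str, addr: str) -> bool:
    return pattern == "0.0.0.0" or pattern == addr


def rule_matches(rule: Rule, p: Packet) -> bool:
    return (addr_match(rule.src, p.src)
            and addr_match(rule.dst, p.dst)
            and rule.proto == p.proto
            and rule.sport_ok(p.sport)
            and rule.dport_ok(p.dport)
            and (p.ack or not rule.require_ack))


def allow(rules: List[Rule], p: Packet) -> bool:
    """The slide's allow(): first matching rule decides; no match means drop."""
    for rule in rules:
        if rule_matches(rule, p):
            return rule.action == "permit"
    return False


def firewall(rules: List[Rule], p: Packet) -> str:
    """The "Lesser Firewall" slide: forward if allowed, otherwise drop."""
    return "forward" if allow(rules, p) else "drop"


# The four rules from the slide, transcribed in order.
SLIDE_RULES = [
    # Incoming: outside clients to our SMTP port; replies from remote SMTP servers
    Rule("permit", "0.0.0.0", MAIL_SERVER, "TCP", lambda s: s >= 1024, lambda d: d == 25),
    Rule("permit", "0.0.0.0", MAIL_SERVER, "TCP", lambda s: s == 25, lambda d: d >= 1024),
    # Outgoing: our replies to outside clients; our connections to remote SMTP servers
    Rule("permit", MAIL_SERVER, "0.0.0.0", "TCP", lambda s: s == 25, lambda d: d >= 1024),
    Rule("permit", MAIL_SERVER, "0.0.0.0", "TCP", lambda s: s >= 1024, lambda d: d == 25),
]

# Hardened variant (an addition, not on the slide): the two "reply" rules
# only match segments carrying ACK, which a connection-opening segment lacks.
HARDENED_RULES = [
    SLIDE_RULES[0],
    Rule("permit", "0.0.0.0", MAIL_SERVER, "TCP", lambda s: s == 25, lambda d: d >= 1024, require_ack=True),
    Rule("permit", MAIL_SERVER, "0.0.0.0", "TCP", lambda s: s == 25, lambda d: d >= 1024, require_ack=True),
    SLIDE_RULES[3],
]

# Constructed sample traffic; 10.0.0.5 stands in for an arbitrary outside host.
SAMPLES: Dict[str, Packet] = {
    "inbound smtp":        Packet("10.0.0.5", MAIL_SERVER, "TCP", 40000, 25),
    "inbound telnet":      Packet("10.0.0.5", MAIL_SERVER, "TCP", 40000, 23),
    "inbound udp 25":      Packet("10.0.0.5", MAIL_SERVER, "UDP", 40000, 25),
    "reply from sport 25": Packet("10.0.0.5", MAIL_SERVER, "TCP", 25, 6000, ack=True),
    "new conn sport 25":   Packet("10.0.0.5", MAIL_SERVER, "TCP", 25, 6000, ack=False),
    "outbound smtp":       Packet(MAIL_SERVER, "10.0.0.5", "TCP", 40000, 25),
}


def decisions(rules: List[Rule]) -> Dict[str, str]:
    """Map each sample name to the firewall's decision under `rules`."""
    return {name: firewall(rules, p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    slide, hard = decisions(SLIDE_RULES), decisions(HARDENED_RULES)
    for name in SAMPLES:
        print(f"{name:22s} slide rules: {slide[name]:8s} hardened: {hard[name]}")
```

Running it shows the point a packet filter's rule table has to be read with: under the slide's rules the "new conn sport 25" packet is forwarded to port 6000 because the filter sees only header fields, while the hardened set drops it and still forwards genuine replies and ordinary SMTP in both directions.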
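Worked example for the "Can computers do this?" and "False Positives" slides: a system-call sequence anomaly detector in the spirit of the [Forrest 97] approach the slide cites. This is an added illustration, not code from the lecture or from that project. The "database of normal patterns" is the set of every window of K consecutive system calls observed while the program runs normally; a window absent from that set is a mismatch, and the trace is flagged when enough mismatches fall within one locality frame. K, FRAME and THRESHOLD are parameters chosen here, and the three training traces, the variant trace and the anomalous trace are all constructed.

```python
"""System-call sequence anomaly detection, in the spirit of [Forrest 97]
(added example; the lecture contains no code and all traces are constructed).
"""
from collections import deque
from typing import Deque, Iterable, List, Set, Tuple

K = 3          # window length (a parameter chosen for this example)
FRAME = 20     # locality frame: number of consecutive windows examined together
THRESHOLD = 3  # mismatches within one frame needed to raise an alarm

Window = Tuple[str, ...]


def windows(trace: List[str], k: int = K) -> List[Window]:
    """All length-k sliding windows over a system-call trace."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


def build_normal_db(normal_traces: Iterable[List[str]], k: int = K) -> Set[Window]:
    """Training: remember every window produced by non-intrusive runs."""
    db: Set[Window] = set()
    for trace in normal_traces:
        db.update(windows(trace, k))
    return db


def score_trace(db: Set[Window], trace: List[str], k: int = K,
                frame: int = FRAME) -> Tuple[float, int]:
    """Return (fraction of windows never seen in training,
               largest mismatch count inside any `frame` consecutive windows)."""
    ws = windows(trace, k)
    if not ws:
        return 0.0, 0
    mismatches = [w not in db for w in ws]
    recent: Deque[bool] = deque()
    worst = 0
    for m in mismatches:
        recent.append(m)
        if len(recent) > frame:
            recent.popleft()
        worst = max(worst, sum(recent))
    return sum(mismatches) / len(ws), worst


def is_intrusion(db: Set[Window], trace: List[str], k: int = K,
                 frame: int = FRAME, threshold: int = THRESHOLD) -> bool:
    """Alarm when mismatches cluster: `threshold` or more inside one frame."""
    return score_trace(db, trace, k, frame)[1] >= threshold


# Constructed traces of a small file-handling program behaving normally.
NORMAL_TRACES = [
    ["open", "read", "read", "close", "write", "exit"],
    ["open", "read", "close", "write", "write", "exit"],
    ["socket", "connect", "write", "read", "close", "exit"],
]
# A legitimate run whose exact pattern was not in training: one unseen window.
VARIANT_TRACE = ["socket", "connect", "write", "read", "read", "close", "exit"]
# A run that diverges into behavior the program never showed in training.
ANOMALOUS_TRACE = ["open", "read", "read", "close", "chmod", "execve", "exit"]


if __name__ == "__main__":
    db = build_normal_db(NORMAL_TRACES)
    for name, t in [("normal", NORMAL_TRACES[0]), ("variant", VARIANT_TRACE),
                    ("anomalous", ANOMALOUS_TRACE)]:
        frac, worst = score_trace(db, t)
        print(f"{name:10s} unseen={frac:.2f} worst_frame={worst} "
              f"intrusion={is_intrusion(db, t)}")
```

The variant trace is the "False Positives" slide in miniature: it is non-intrusive execution, yet one of its windows was never seen in training, so a threshold of a single mismatch would raise a false alarm. Requiring several mismatches close together lets the anomalous trace (three consecutive unseen windows) be flagged while the variant passes; how much training is needed to make the database complete is the slide's "(how?)" question.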