Lecture 19: Firewalls and Intrusion Detection David Evans

Lecture 19: Firewalls and Intrusion Detection
CS588: Security and Privacy
University of Virginia
Computer Science
David Evans
http://www.cs.virginia.edu/~evans
Malcode Defenses
1. Prevent malcode from running
– Virus scanners – recognize known malcode
– Firewalls – drop incoming packets
– Code signing (only run code from trusted sources)
– Education – make users smarter
2. Limit damage it can do
– Sandbox (“Playpen”) – run malcode in protected virtual machine
– Reference monitors – enforce policy on execution
– Intrusion Detection, System maintenance
3. Discourage attackers
– Legal – pass laws to penalize attackers
26 Nov 2001
University of Virginia CS 588
2
The Best Firewall
(Figure: a machine whose connections labeled “to network” and “power” are both cut.)
Functionality is Bad
Lesser Firewall
(Figure: a firewall sitting on the link labeled “to network”.)
firewall (p: packet) {
    if (allow (p)) forward (p);
    else drop (p);
}
Networks – OSI Model
(Figure: the seven OSI layers, top to bottom: Application, Presentation, Session, Transport, Network, Data Link, Physical. Example protocols drawn on the figure: FTP, SMTP, HTTP, RealPlayer, ... at the upper layers; TCP and UDP at the transport layer; IP at the network layer; Ethernet, FDDI, CDMA, Smoke Signals, Other at the lower layers.)
An IP (V4) Packet
(Header layout, fields in order from bit 0; the slide draws them as a diagram with bit offsets 0, 16, 32, 48, 64, 80, 96, 128, 160.)
  bit 0    IP Version (4) | IP Header Length | Type of Service (not used)
  bit 16   Size of Datagram
  bit 32   Packet Identification
  bit 48   Flags | Fragment Offset
  bit 64   TTL | Transport Protocol (e.g., TCP)
  bit 80   Header Checksum
  bit 96   Source IP Address
  bit 128  Destination IP Address
  bit 160  Options (if any), then Data
A Simple Packet Filter
boolean allow (packet) {
    if (match (packet.source, "18.26.4.*"))
        return false;   // No packets from Robert Morris' machines.
    else if (match (packet.source, "149.150.209.*"))
        return false;   // Cheaton Hall
    else
        return true;
}
Typical Packet Filtering Rules
Incoming:
  permit 0.0.0.0 128.143.137.19 TCP src >= 1024 dst = 25
  permit 0.0.0.0 128.143.137.19 TCP src = 25 dst >= 1024
Outgoing:
  permit 128.143.137.19 0.0.0.0 TCP src = 25 dst >= 1024
  permit 128.143.137.19 0.0.0.0 TCP src >= 1024 dst = 25
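The rule set above as a stateless filter, with the “Lesser Firewall” decision on top. This is an added example, not code from the lecture. It assumes 0.0.0.0 means “any address”, that each packet arrives tagged with its direction relative to the protected network, and that anything no rule permits is dropped (default deny).

```python
# Added example: a stateless packet filter evaluating the SMTP rule set for
# mail host 128.143.137.19. "0.0.0.0" is read as the wildcard "any address".
from dataclasses import dataclass

MAIL_HOST = "128.143.137.19"
ANY = "0.0.0.0"


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", relative to the protected network
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def port_matches(spec: str, port: int) -> bool:
    """spec is written as on the slide: "= N" or ">= N"."""
    op, value = spec.split()
    return port == int(value) if op == "=" else port >= int(value)


def addr_matches(spec: str, addr: str) -> bool:
    return spec == ANY or spec == addr


# (direction, src, dst, proto, src-port spec, dst-port spec), one per slide rule
RULES = [
    ("in",  ANY, MAIL_HOST, "TCP", ">= 1024", "= 25"),  # inbound SMTP connection
    ("in",  ANY, MAIL_HOST, "TCP", "= 25", ">= 1024"),  # replies to our outbound SMTP
    ("out", MAIL_HOST, ANY, "TCP", "= 25", ">= 1024"),  # replies to inbound SMTP
    ("out", MAIL_HOST, ANY, "TCP", ">= 1024", "= 25"),  # outbound SMTP connection
]


def allow(p: Packet) -> bool:
    """True if some permit rule matches; the implicit default is drop."""
    for direction, src, dst, proto, sspec, dspec in RULES:
        if (p.direction == direction and p.proto == proto
                and addr_matches(src, p.src) and addr_matches(dst, p.dst)
                and port_matches(sspec, p.sport) and port_matches(dspec, p.dport)):
            return True
    return False


def firewall(p: Packet) -> str:
    """The 'Lesser Firewall' slide: forward what allow() accepts, drop the rest."""
    return "forward" if allow(p) else "drop"
```

Because the filter keeps no connection state, the second rule admits any inbound TCP segment whose source port is 25 to any port above 1023 on the mail host, whether or not the mail host ever opened a connection; that gap is what stateful filtering closes.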
Packet Filter Layers
(Figure: the OSI layer diagram from the Networks – OSI Model slide, repeated with the same example protocols. A packet filter decides on the network-layer (IP) and transport-layer (TCP/UDP) header fields, as the packet filter on the previous slides does; it does not look at application-layer content.)
Application-Layer Gateways
• Analyze communication at application layer
• All communication must go through a proxy that knows about application
• Able to detect application-level attacks
• Poor scalability, performance
• Fail-safe is annoying
Project Presentations
Tell a story, don’t read a list.
All Good Talks Tell a Story
• Introduce characters (rabbit, fox)
• Describe an important problem (fox wants to eat rabbit)
• Relate events that resolve the problem (rabbit tells fox about thesis)
• A few examples (rabbit tells wolf, ...)
• Draw a general conclusion that is supported by your story (thesis doesn’t matter, only advisor)
Introduction
• Introduce characters: motivate your work
– Convey why the problem you are solving is interesting, important and exciting
– Place your work in context: how is it different from what others have done
• Teaser for your results – why should we listen to the rest of the talk?
– Don’t need a full outline, but let audience know enough so they want to listen to the rest
– Unlike Rabbit story, suspense is not good
Guts
• Explain what you did
– Don’t be comprehensive – convey the big picture
– Use pictures, 1-2 examples, etc.
• Convey one technical nugget
– Show one neat concrete thing that came out of your work.
• Analysis
– Did your work solve the problem?
– What are the important results of your work?
Conclusion
Summarize your project with one key point.
If your audience remembers one thing from your talk, you have succeeded.
Some Specific Advice
• Average 2 minutes per slide
• Your target audience is the other students in the class
– Assume they know as much security as has been covered in the class
• Use Pictures
• Use Humor (but only if it’s relevant)
• Don’t put this much text on any of your slides!
Can you do all this in 13 minutes?
• Advertisers pay $2.5M for 30 seconds during Superbowl – they must be pretty sure they can tell a compelling story in that time
• Seinfeld episode is 22 minutes long
• Make your points directly, avoid unnecessary details
• Organize your presentation
Practice!
• Without an audience
• In front of your teammates
• In front of friends not familiar with your project
• I will listen to any group that wants to practice their talk Tuesday Nov 27th (email your preferred time 8pm-midnight) and sometime this weekend (email to arrange)
Intrusion Detection
Why Detect Intruders?
• Catch them before they cause damage and plug holes
• Identify damage
• Collect evidence for prosecution
• Deterrent
Behavior
(Figure: a spectrum of behavior running from “Obviously Normal” at one end to “Obviously Malicious” at the other.)
Typical Intrusion Graph
(Stallings, p. 491)
(Figure: probability density functions of an authorized user profile and an intruder profile, plotted against a measurable behavior parameter; the two curves are drawn mostly apart.)
More Realistic Graph
(Why intrusion detection is impossible?)
(Figure: the same plot of authorized user profile and intruder profile density functions against a measurable behavior parameter, but with the two curves largely overlapping.)
False Positives Dilemma
• Doctor invents a new, inexpensive test for a deadly disease that is 95% accurate
• Assume 1 in 1000 people have deadly disease (but don’t know it yet)
• Should everyone get the test?
– 1000 people tested
– Expect .95 + (999 * .05) positives
– 50 people will be told they have disease
– If you test positive, there is a 1/50 chance you have disease
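The same calculation in Bayes’ form, added here with the slide’s numbers (it is not on the original slide). As the slide’s arithmetic does, “95% accurate” is read as both the true-positive rate and the true-negative rate, so the false-positive rate is 5%:

$$
P(\text{disease} \mid \text{positive})
= \frac{P(\text{positive} \mid \text{disease})\,P(\text{disease})}
       {P(\text{positive} \mid \text{disease})\,P(\text{disease}) + P(\text{positive} \mid \text{healthy})\,P(\text{healthy})}
= \frac{0.95 \times 0.001}{0.95 \times 0.001 + 0.05 \times 0.999}
= \frac{0.00095}{0.0509} \approx 0.019 \approx \frac{1}{50}
$$

The denominator is dominated by the $0.05 \times 0.999$ term, the false alarms among the healthy majority. Replace “disease” with “intrusion” and the base rate of intrusions among audit records is far below 1 in 1000, so even a 95%-accurate detector reports mostly false alarms; the probability of an actual intrusion given an alert is set by the base rate, not by the detector’s accuracy alone.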
Intrusion Detection Approaches
• Statistical Anomaly Detection
– Produce a profile of the normal behavior of each user (or independent of user)
– Notice statistical deviations from that behavior
• Rule-based Detection
– Think really hard and make up rules that describe intruder behavior.
– Hope intruders can’t read and figure out the rules also.
Detect an Intrusion
• Do nothing
• Email system administrator
• Page system administrator
• Shut down system
Network Intrusion Detection
• Monitor activity on many hosts
• Aggregate audit records to detect anomalous behavior
• Managed Security Monitoring (Counterpane, Inc.)
– $12,000/month
Challenges in Intrusion Detection
• The first thing a smart intruder will do is tamper with the Intrusion Detection system!
• Few activities are either obviously normal or obviously malicious
• False positives dilemma
Immunology
Biological Inspiration
• Biological systems are incredibly resilient
• Most humans survive ~80 years
• Before medical advances, most still would survive ~30 years
• Operate in a hostile, unpredictable environment
• No way to reboot, reinstall operating system, upgrade software, etc.
Genetic Code
• Human genome: 1.5 Billion base pairs = 3 Gb = 375 MB
• Windows XP requires 1500MB = 4 humans!
• Two humans differ by only 2M base pairs = 0.5MB
• Nature is really good at programming, maybe we can learn something from it!
Immune Systems
Lymphocytes recognize pathogens by binding. Proteins have distinctive shapes.
Binding is approximate. Sometimes match wrong things (this is why organ transplants get rejected).
(Figure: An Overview of the Immune System. © 1997 Steven A Hofmeyr, http://www.cs.unm.edu/~immsec/html-imm/introduction.html)
Receptor Diversity
• Need to recognize all foreign intruders, but DNA can’t know about all possible intruders
– 10^16 intruder patterns, 10^6 self patterns
• Gene segments are randomly combined to form different receptors
– Can make up to 10^15 different receptors (usually have about 10^8 – 10^12 at one time)
• How is that enough?
– Matching is approximate
– Create 100M new lymphocytes every day
How You Make Them
Better Not Kill Yourself
Clonal Deletion
Affinity Maturation
• The ones that match intruders are produced in quantity
• B-cells in bone marrow – most effective cells reproduce more quickly
(Figure: An Overview of the Immune System. © 1997 Steven A Hofmeyr)
Can computers do this?
• [Forrest 97]
• Programs identified by sequences of system calls
• Build a database of normal patterns (how?)
• Receptors recognize unusual patterns
• Enough unusual patterns is considered an intrusion
False Positives
• Sequence of system calls not recognized as a normal pattern generated by non-intrusive execution
• Do biological immune systems have false positives?
Yes – that is what auto-immune diseases are:
Multiple Sclerosis – motor nerve cells are non-self
Grave’s Disease – thyroid gland is non-self
Rheumatoid Arthritis – connective tissue is non-self
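A small working version of the system-call approach from the “Can computers do this?” slide, including the false-positive case described just above. This is an added example, not the lecture’s code nor Forrest’s: “normal” is the set of every length-k window seen in traces of non-intrusive runs, and a new trace is scored by the fraction of its windows absent from that set. The traces, the window length k = 3 and the threshold are constructed for illustration.

```python
# Added example: sliding-window anomaly detection over system-call traces.
K = 3  # window length; an assumption for this example


def windows(trace, k=K):
    """All length-k sliding windows of a system-call trace, as tuples."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


def build_normal_db(traces, k=K):
    """The slide's 'database of normal patterns': the union of all windows
    seen in traces collected from non-intrusive runs of the program."""
    db = set()
    for t in traces:
        db.update(windows(t, k))
    return db


def anomaly_score(db, trace, k=K):
    """Fraction of the trace's windows that the normal database has never seen."""
    ws = windows(trace, k)
    if not ws:
        return 0.0
    unseen = sum(1 for w in ws if w not in db)
    return unseen / len(ws)


def is_intrusion(db, trace, threshold=0.2, k=K):
    """'Enough unusual patterns is considered an intrusion'; the threshold
    is the tunable that trades false positives against missed intrusions."""
    return anomaly_score(db, trace, k) > threshold


# Constructed traces for a hypothetical file-serving program (not real data).
NORMAL_TRACES = [
    ["open", "read", "write", "close"],
    ["open", "read", "read", "write", "close"],
    ["open", "read", "write", "write", "close"],
]
NORMAL_DB = build_normal_db(NORMAL_TRACES)

# A trace where the program execs another program: no training window contains execve.
SUSPICIOUS = ["open", "read", "execve", "fork", "execve", "write"]

# A benign path not covered by training (it stats the file first). Its first
# window is unseen, so it scores 1/3 and is flagged: the slide's false positive.
UNUSUAL_BENIGN = ["stat", "open", "read", "write", "close"]
```

Lowering the false-positive rate means either more complete training traces or a higher threshold, and a higher threshold is exactly what lets a trace with only a few unusual windows slip through; that is the dilemma from the earlier slides in concrete form.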
Fatal Flaw of Intrusion Detection
• Might work okay if no one important is using it
• Will it work if an attacker knows about it and is deliberately constructing an attack to avoid detection?
– Do biological viruses evolve to mimic host proteins?
Course Evaluations
Course Evaluation Email
“The information you provide will be reviewed by the course instructor and by the UVa committee and will be used for instructional improvement. YOUR RESPONSES WILL ALWAYS BE TOTALLY ANONYMOUS.”
SEAS Course Evaluations Myths
1. They are secure.
2. They are anonymous.
(1 and 2 dispelled by Phil Varner’s project last year)
3. The administration doesn’t take teaching seriously.
Not true – read the SEAS Tenure guidelines (teaching is 1/3rd)
4. The administration doesn’t care what students think.
Not true – but comments must be well-supported (e.g., “Prof should not eat onions for lunch.” is ignored.)
5. They are used to improve teaching.
Not true – need very specific questions to do this
Course Evaluations
• Fill out the SEAS Evaluation on-line
– It’s not secure, but I promise not to break in...
– Write comments based on whether you want me to get fired or promoted
• Fill out my course-specific survey
– Help improve future versions of the course for later students
– Return on last day of class
– All members of a team must return a survey to be eligible for Jeopardy prizes
Charge
• Project Presentations Wednesday and Monday
• Project Reports due next Wednesday