Lecture 20:
Firewalls and
Intrusion Detection
CS551: Security and Privacy
University of Virginia
Computer Science
David Evans
http://www.cs.virginia.edu/~evans
Menu
• Firewalls
• How to give a good project presentation
• Traditional Intrusion Detection
• Computer Immunology
27 July 2016
University of Virginia CS 551
2
Voting Challenge #1
• Why must the witness observe the opening of
Envelope A?
– Your answer should be 6 words long
– Or, your answer should cite government
explanation
Voting Challenge #2
• Improved absentee ballot protocol
– Must be as (or almost as) convenient as the
current protocol, so it cannot require the voter
to use a computer to vote
– Should provide better integrity (my vote is
counted right) and anonymity (no one can
tell who I voted for) than current system
Check Point Software, +3000% over past 18 months
Market capitalization = ~$20B (GM = $30B)
The Best Firewall
[Figure: a computer with its cable "to network" and its "power" cable both unplugged]
Functionality is Bad
Lesser Firewall
[Figure: a computer connected "to network" through a firewall]
firewall (p: packet) {
    if (allow (p)) forward (p);
    else drop (p);
}
Networks – OSI Model
Application, Presentation, Session: FTP, SMTP, HTTP, RealPlayer, ...
Transport: TCP, UDP
Network: IP
Data Link, Physical: Ethernet, FDDI, CDMA, Smoke Signals, Other
An IP (V4) Packet
[Header diagram, 32 bits per row; bit offsets 0, 16, 32, 48, 64, 80, 96, 128, 160 marked on the left]
bits 0–31: IP Version (4) | IP Header Length | Type of Service (not used) | Size of Datagram
bits 32–63: Packet Identification | Flags | Fragment Offset
bits 64–95: TTL | Transport Protocol (e.g., TCP) | Header Checksum
bits 96–127: Source IP Address
bits 128–159: Destination IP Address
bits 160 onward: Options
followed by: Data
A Simple Packet Filter
boolean allow (packet) {
    if (match (packet.source, "18.26.4.*"))
        return false; // No packets from Robert Morris' machines.
    else if (match (packet.source, "198.82.*.*"))
        return false; // Virginia Tech
    else
        return true;
}
How well does this satisfy Saltzer/Schroeder principles?
Typical Packet Filtering Rules
Input:
    permit 0.0.0.0 128.143.137.19 TCP src >= 1024 dst = 25
    permit 0.0.0.0 128.143.137.19 TCP src = 25 dst >= 1024
Output:
    permit 128.143.137.19 0.0.0.0 TCP src = 25 dst >= 1024
    permit 128.143.137.19 0.0.0.0 TCP src >= 1024 dst = 25
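A small stateless filter that evaluates rules in exactly the slide's syntax, added here as an example (not code from the lecture). It assumes the usual reading of the table: 0.0.0.0 is a wildcard for "any address", the first matching rule decides, and a packet that matches no rule is dropped. The sample packets are constructed.

```python
import operator
from dataclasses import dataclass

# Rule syntax from the slide: "permit <src> <dst> TCP src <op> <n> dst <op> <n>".
# Assumption: 0.0.0.0 means "any address" (the usual router convention).
OPS = {">=": operator.ge, "<=": operator.le, "=": operator.eq}


@dataclass(frozen=True)
class Packet:           # constructed minimal view of an IP/TCP header
    src: str
    dst: str
    sport: int
    dport: int


def parse_rule(text):
    t = text.split()    # ['permit', src, dst, 'TCP', 'src', op, n, 'dst', op, n]
    return {"action": t[0], "src": t[1], "dst": t[2],
            "sport": (OPS[t[5]], int(t[6])), "dport": (OPS[t[8]], int(t[9]))}


def addr_match(rule_addr, addr):
    return rule_addr == "0.0.0.0" or rule_addr == addr


def allow(rules, pkt):
    """First matching rule decides; no match means drop (default deny)."""
    for r in rules:
        if (addr_match(r["src"], pkt.src) and addr_match(r["dst"], pkt.dst)
                and r["sport"][0](pkt.sport, r["sport"][1])
                and r["dport"][0](pkt.dport, r["dport"][1])):
            return r["action"] == "permit"
    return False


# The slide's input rules for the mail host 128.143.137.19 (SMTP = TCP/25).
INPUT_RULES = [parse_rule(r) for r in (
    "permit 0.0.0.0 128.143.137.19 TCP src >= 1024 dst = 25",
    "permit 0.0.0.0 128.143.137.19 TCP src = 25 dst >= 1024",
)]

if __name__ == "__main__":
    # Inbound SMTP connection: permitted by the first rule.
    print(allow(INPUT_RULES, Packet("192.0.2.5", "128.143.137.19", 40000, 25)))
    # Inbound telnet attempt: no rule matches, so dropped.
    print(allow(INPUT_RULES, Packet("192.0.2.5", "128.143.137.19", 40000, 23)))
    # Note: the second rule trusts the sender's claimed source port 25, which is
    # one reason later slides turn to stateful inspection.
    print(allow(INPUT_RULES, Packet("192.0.2.5", "128.143.137.19", 25, 40000)))
```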
Packet Filter Layers
[Same layer diagram as the OSI Model slide]
Application, Presentation, Session: FTP, SMTP, HTTP, RealPlayer, ...
Transport: TCP, UDP
Network: IP
Data Link, Physical: Ethernet, FDDI, CDMA, Smoke Signals, Other
Application-Layer Gateways
• Analyze communication at application
layer
• All communication must go through a
proxy that knows about application
• Poor scalability, performance
Why is a little Israeli firewall
company worth $20B?
• Stateful Inspection
– Intercept packets at network layer, but
analyze at all communications layers
– Maintain application-specific state
• e.g., Save PORT command of outgoing FTP
session, compare with incoming FTP data
– Programmable filters and manipulators
– Provide a graphical front end for
programming filters and monitoring activity
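The FTP example on this slide, worked through as added example code (not from the lecture or from any firewall product): the filter watches outbound control sessions for PORT commands and admits only the one inbound data connection each PORT announces. It assumes active-mode FTP conventions (control on server port 21, data from server port 20, address and port encoded as six decimal bytes); addresses and payloads are constructed.

```python
import re
from dataclasses import dataclass

# Active-mode FTP announces the client's data endpoint as
# "PORT h1,h2,h3,h4,p1,p2" (address h1.h2.h3.h4, port p1*256 + p2).
PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


@dataclass(frozen=True)
class Conn:                  # constructed minimal view of a TCP segment
    src: str
    sport: int
    dst: str
    dport: int


class FtpStatefulFilter:
    """Remembers PORT commands seen on outbound FTP control connections
    (server port 21) and admits only the matching inbound data connection
    (from the server's port 20 to the announced client port), once."""

    def __init__(self):
        self.expected = set()    # (client_ip, client_port, server_ip)

    def on_outbound_control(self, conn, payload):
        if conn.dport != 21:
            return
        m = PORT_RE.search(payload)
        if not m:
            return
        h1, h2, h3, h4, p1, p2 = map(int, m.groups())
        host, port = f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
        # Only honour a PORT that names the client's own address; a
        # stateless filter would have to leave all high ports open instead.
        if host == conn.src:
            self.expected.add((host, port, conn.dst))

    def allow_inbound(self, conn):
        key = (conn.dst, conn.dport, conn.src)
        if conn.sport == 20 and key in self.expected:
            self.expected.discard(key)   # one data connection per PORT
            return True
        return False                     # default deny for inbound


if __name__ == "__main__":
    f = FtpStatefulFilter()
    f.on_outbound_control(Conn("128.143.137.19", 40000, "192.0.2.10", 21),
                          "PORT 128,143,137,19,4,1\r\n")     # announces port 1025
    print(f.allow_inbound(Conn("192.0.2.10", 20, "128.143.137.19", 1025)))  # True
    print(f.allow_inbound(Conn("192.0.2.10", 20, "128.143.137.19", 1026)))  # False
```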
Project Presentations
Tell a story, don’t read a list.
All Good Talks Tell a Story
• Introduce characters (rabbit, fox)
• Describe an important problem (fox
wants to eat rabbit)
• Relate events that resolve the problem
(rabbit tells fox about thesis)
• A few examples (rabbit tells wolf, ...)
• Draw a general conclusion that is
supported by your story (thesis doesn’t
matter, only advisor)
Introduction
• Introduce characters: motivate your work
– Convey why the problem you are solving is
interesting, important and exciting
– Place your work in context: how is it
different from what others have done
• Teaser for your results – why should we
listen to the rest of the talk?
– Don’t need a full outline, but let audience
know enough so they want to listen to the
rest
– Unlike Rabbit story, suspense is not good
Guts
• Explain what you did
– Don’t be comprehensive – convey the big
picture
– Use pictures, 1-2 examples, etc.
• Convey one technical nugget
– Show one neat concrete thing that came out
of your work.
• Analysis
– Did your work solve the problem?
– What are the important results of your work
Conclusion
Summarize your project with one key
point.
If your audience remembers one thing
from your talk, you have succeeded.
Some Specific Advice
• Average 2 minutes per slide
• Your target audience is the other students in
the class
– Assume they know as much security as has
been covered in the class
• Use Pictures
• Use Humor (but only if it's relevant)
• Don’t put this much text on any of your
slides!
Can you do all this in 13 minutes?
• Advertisers pay $2.5M for 30 seconds
during Superbowl – they must be pretty
sure they can tell a compelling story in
that time
• Seinfeld episode is 22 minutes long
• Make your points directly, avoid
unnecessary details
• Organize your presentation
Practice!
• Without an audience
• In front of your teammates
• In front of friends not familiar with your
project
• I will listen to any group that wants to
practice their talk Tuesday Nov 28th
(email your preferred time 9pm-midnight)
and Sunday Dec 3rd (after 7pm)
Intrusion Detection
Why Detect Intruders?
• Catch them before they cause damage
and plug holes
• Identify damage
• Collect evidence for prosecution
• Deterrent
Behavior
[Figure: a spectrum of behavior from "Obviously Normal" to "Obviously Malicious"]
Stallings Graph (p. 491)
[Figure: probability density function plotted against a measurable behavior parameter, showing an authorized user profile and an intruder profile]
More Realistic Graph
[Figure: same axes (probability density function vs. measurable behavior parameter), again with an authorized user profile and an intruder profile]
False Positives Dilemma
• Doctor invents a new, inexpensive test for a deadly disease that is 95% accurate
• Assume 1 in 1000 people have deadly disease (but don't know it yet)
• Should everyone get the test?
  – 1000 people tested
  – Expect .95 + (999 * .05) positives
  – 50 people will be told they have disease
  – If you test positive, there is a 1/50 chance you have disease
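The same count, written out as Bayes' rule with the slide's numbers (an added step, not on the slide), with $D$ for "has the disease" and $+$ for "tests positive":

$$P(D \mid +) = \frac{P(+ \mid D)\,P(D)}{P(+ \mid D)\,P(D) + P(+ \mid \neg D)\,P(\neg D)} = \frac{0.95 \cdot 0.001}{0.95 \cdot 0.001 + 0.05 \cdot 0.999} \approx 0.019,$$

i.e. roughly 1 in 50, as the slide says. The prior $P(D) = 0.001$ dominates: when intrusions are rare relative to normal activity, most alerts from even a 95%-accurate detector are false alarms.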
Intrusion Detection Approaches
• Statistical Anomaly Detection
– Produce a profile of the normal behavior of
each user (or independent of user)
– Notice statistical deviations from that
behavior
• Rule-based Detection
– Think really hard and make up rules that
describe intruder behavior.
– Hope intruders can’t read and figure out the
rules also.
Detect an Intrusion
• Do nothing
• Email system administrator
• Page system administrator
• Shut down system
Network Intrusion Detection
• Monitor activity on many hosts
• Aggregate audit records to detect
anomalous behavior
• Managed Security Monitoring
(Counterpane, Inc.)
– $12,000/month
Challenges in Intrusion Detection
• The first thing a smart intruder will
do is tamper with the Intrusion
Detection system!
• Few activities are either obviously
normal or obviously malicious
• False positives dilemma
Immunology
Biological Inspiration
• Biological systems are incredibly resilient
• Most humans survive ~80 years
• Before medical advances, most still would
survive ~30 years
• Operate in a hostile, unpredictable environment
• No way to reboot, reinstall operating system,
upgrade software, etc.
• Human genome:
3 Billion base pairs = 6 Gb = 750 MB
(Human genome project says 3GB ??)
Immune Systems
Lymphocytes recognize pathogens by binding. Proteins have distinctive shapes.
Binding is approximate. Sometimes match wrong things (this is why organ transplants get rejected).
[Figure: An Overview of the Immune System. © 1997 Steven A Hofmeyr]
Receptor Diversity
• Need to recognize all foreign intruders,
but DNA can’t know about all possible
intruders
• Gene segments are randomly combined
to form different receptors
– About 10^8 – 10^12 different receptors
Affinity Maturation
• B-cells in bone marrow – most effective cells reproduce more quickly
[Figure: An Overview of the Immune System. © 1997 Steven A Hofmeyr]
Can computers do this?
• Programs identified by sequences of
system calls
• Build a database of normal patterns
(how?)
• Receptors recognize unusual patterns
• Enough unusual patterns is considered
an intrusion
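The four bullets above, as an added example (not from the lecture): the "database of normal patterns" is built by recording every short window of system calls seen while a program runs normally, and a new trace is flagged when enough of its windows are absent from that database. Window length, threshold and the system-call traces are constructed assumptions for illustration.

```python
def windows(trace, k):
    """All length-k sliding windows of a system-call trace, as tuples."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


class SyscallProfile:
    """Profile of a program's normal behavior, keyed on short system-call
    sequences. Training answers the slide's "(how?)": observe the program
    under normal use and remember every window it produces."""

    def __init__(self, k=3, threshold=0.1):
        self.k = k                  # window length (constructed choice)
        self.threshold = threshold  # mismatch fraction that counts as intrusion
        self.normal = set()         # the database of normal patterns

    def train(self, traces):
        for t in traces:
            self.normal.update(windows(t, self.k))

    def mismatch_rate(self, trace):
        """Fraction of windows in `trace` that the profile has never seen
        (the 'receptors' that bind to unusual patterns)."""
        ws = windows(trace, self.k)
        if not ws:
            return 0.0
        return sum(w not in self.normal for w in ws) / len(ws)

    def is_intrusion(self, trace):
        return self.mismatch_rate(trace) > self.threshold


# Constructed traces of a hypothetical server's normal request handling.
NORMAL_TRACES = [
    ["open", "read", "mmap", "mmap", "close"],
    ["open", "read", "read", "write", "close"],
]

if __name__ == "__main__":
    p = SyscallProfile(k=3, threshold=0.1)
    p.train(NORMAL_TRACES)
    print(p.mismatch_rate(["open", "read", "mmap", "mmap", "close"]))     # 0.0
    # A trace that starts normally but ends with an unseen sequence.
    odd = ["open", "read", "read", "write", "execve", "close"]
    print(p.mismatch_rate(odd), p.is_intrusion(odd))                       # 0.5 True
```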
Fatal Flaw?
• Might work okay if no one important is
using it.
• Will it work if an attacker knows about it
and is deliberately constructing an
attack to avoid detection?
– Do biological viruses evolve to mimic host
proteins?
Charge
• Next time – pick one:
– Denial of service attacks and countermeasures
– Law/Politics: Carnivore, Encryption Policy, Digital
Signatures
– Security Policies: MAC/DAC, Chinese Wall, Orange
Book
– Other?
• Send email/tell me your suggestions before
Wednesday (if I don’t get any, I’ll talk about
formal logics for analyzing security protocols)