CP2414 Network Security Intruders and Firewalls Warm-up https://www.youtube.com/watch?v=Ahg6qcgoay4 It is easy to miss things if you don’t know what you are looking for! Credit: https://www.youtube.com/watch?v=0nzgQ7dd6wI Intruders • Three classes of intruders: Masquerader • An individual who is not authorised to use the computer and who penetrates a system’s access controls to exploit a legitimate user’s account Misfeasor • A legitimate user who accesses data, programs, or resources for which such access is not authorised, or who is authorised for such access but misuses his or her privileges Clandestine user • An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection Examples of Intrusion • Performing a remote root compromise of an e-mail server • Defacing a Web server • Guessing and cracking passwords • Copying a database containing credit card numbers • Viewing sensitive data, including payroll records and medical information, without authorisation • Running a packet sniffer on a workstation to capture usernames and passwords • Using a permission error on an anonymous FTP server to distribute pirated software and music files • Dialing into an unsecured modem and gaining internal network access • Posing as an executive, calling the help desk, resetting the executive’s e-mail password, and learning the new password • Using an unattended, logged-in workstation without permission Hackers • Traditionally, those who hack into computers do so for the thrill of it or for status • Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) are designed to counter hacker threats ◦ In addition to using such systems, organisations can consider restricting remote logons to specific IP addresses and/or use virtual private network technology • CERTs ◦ Computer emergency response teams ◦ These cooperative ventures collect information about system vulnerabilities and disseminate it to systems managers ◦ Hackers also routinely read CERT reports ◦ It is important for system administrators to quickly insert all software patches to discovered vulnerabilities Criminal hackers • Organised groups of hackers • Usually have specific targets, or at least classes of targets in mind • Once a site is penetrated, the attacker acts quickly, scooping up as much valuable information as possible and exiting • IDSs and IPSs can be used for these types of attackers, but may be less effective because of the quick in-and-out nature of the attack Insider Attacks • Among the most difficult to detect and prevent • Can be motivated by revenge or simply a feeling of entitlement • Countermeasures: ◦ Enforce least privilege, only allowing access to the resources employees need to do their job ◦ Set logs to see what users access and what commands they are entering ◦ Protect sensitive resources with strong authentication ◦ Upon termination, delete employee’s computer and network access ◦ Upon termination, make a mirror image of employee’s hard drive before reissuing it (used as evidence if your company information turns up at a competitor Intrusion Techniques • Objective of the intruder is to gain access to a system or to increase the range of privileges accessible on a system • Most initial attacks use system or software vulnerabilities that allow a user to execute code that opens a backdoor into the system • Ways to protect a password file: One-way functioning • The system stores only the value of a function based on the user’s password Access control • Access to the password file is limited to one or a very few accounts Quick Quiz-Intrusion Detection •What are these terminologies mean? ◦True positive ◦True negative ◦False positive ◦True positive •Regarding intruder detection, which of these is/are the worst? Intrusion Techniques • 1. Try default passwords used with standard accounts that are shipped with the system. Many administrators do not bother to change these defaults. • 2. Exhaustively try all short passwords (those of one to three characters). • 3. Try words in the system’s online dictionary or a list of likely passwords. ◦ Examples of the latter are readily available on hacker bulletin boards. • 4. Collect information about users, such as their full names, the names of their spouse and children, pictures in their office, and books in their office that are related to hobbies. • 5. Try users’ phone numbers, Social Security numbers, and room numbers. • 6. Try all legitimate license plate numbers for this state. • 7. Use a Trojan horse to bypass restrictions on access. • 8. Tap the line between a remote user and the host system. Intrusion Detection • A system’s second line of defense • Is based on the assumption that the behaviour of the intruder differs from that of a legitimate user in ways that can be quantified • Considerations: ◦ If an intrusion is detected quickly enough, the intruder can be identified and ejected from the system before any damage is done or any data are compromised ◦ An effective intrusion detection system can serve as a deterrent, so acting to prevent intrusions ◦ Intrusion detection enables the collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility Profiles of behaviour of Intruders and Authorised Users Approaches to Intrusion Detection • Statistical anomaly detection ◦ Involves the collection of data relating to the behaviour of legitimate users over a period of time ◦ Then statistical tests are applied to observed behaviour to determine whether that behaviour is not legitimate user behaviour ◦ Threshold detection ◦ This approach involves defining thresholds, independent of user, for the frequency of occurrence of various events ◦ Profile based ◦ A profile of the activity of each user is developed and used to detect changes in the behaviour of individual accounts • Rule-based detection ◦ Involves an attempt to define a set of rules or attack patterns that can be used to decide that a given behaviour is that of an intruder ◦ Often referred to as signature detection Audit Records • Fundamental tool for intrusion detection Native audit records Detection-specific audit records Virtually all multiuser operating systems include accounting software that collects information on user activity A collection facility can be implemented that generates audit records containing only that information required by the intrusion detection system The advantage of using this information is that no additional collection software is needed One advantage of such an approach is that it could be made vendor independent and ported to a variety of systems The disadvantage is that the native audit records may not contain the needed information or may not contain it in a convenient form The disadvantage is the extra overhead involved in having two accounting packages running on a machine Statistical Anomaly Detection • Threshold detection ◦ Involves counting the number of occurrences of a specific event type over an interval of time ◦ If the count surpasses what is considered a reasonable number that one might expect to occur, then intrusion is assumed ◦ By itself is a crude and ineffective detector of even moderately sophisticated attacks • Profile-based ◦ Focuses on characterizing the past behaviour of individual users or related groups of users and then detecting significant deviations ◦ A profile may consist of a set of parameters, so that deviation on just a single parameter may not be sufficient in itself to signal an alert Measures That May Be Used For Intrusion Detection Measure Model Type of Intrusion Detected Login and Session Activity Login frequency by day Mean and standard deviation Intruders may be likely to log in during off-hours and time Frequency of login at Mean and standard deviation Intruders may log in from a location that a different locations particular user rarely or never uses. Time since last login Operational Break-in on a “dead” account Elapsed time per session Mean and standard deviation Significant deviations might indicate masquerader. Quantity of output to Mean and standard deviation Excessive amount of data transmitted to remote location locations could signify leakage of sensitive data. Session resource utilization Password failures at login Failures to login from specified terminals Execution frequency Mean and standard deviation Unusual processor or I/O levels could signal an intruder Operational Attempted break-in by password guessing. Operational Attempted break-in Command or Program Execution Activity Mean and standard deviation May detect intruders, who are likely to use different commands, or a successful penetration by a legitimate user, who has gained access to privileged commands. Program resource utilization Mean and standard deviation An abnormal value might suggest injection of a virus or Trojan horse, which performs side-effects that increase I/O or processor utilization. Execution denials Operational model Read, write, create, delete frequency Records read, written Failure count for read, write, create, delete May detect penetration attempt by individual user who seeks higher privileges. File access activity Mean and standard deviation Abnormalities for read and write access for individual users may signify masquerading or browsing. Mean and standard deviation Abnormality could signify an attempt to obtain sensitive data by inference and aggregation. Operational May detect users who persistently attempt to access Rule-Based Intrusion Detection • Techniques detect intrusion by observing events in the system and applying a set of rules that lead to a decision regarding whether a given pattern of activity is or is not suspicious • Rule-based anomaly detection ◦ Is similar in terms of its approach and strengths to statistical anomaly detection ◦ Historical audit records are analyzed to identify usage patterns and to automatically generate rules that describe those patterns ◦ Current behaviour is then observed, and each transaction is matched against the set of rules to determine if it conforms to any historically observed pattern of behaviour ◦ In order for this approach to be effective, a rather large database of rules will be needed Rule-Based Intrusion Detection • Rule-based penetration identification ◦ Typically, the rules used in these systems are specific to the machine and operating system ◦ The most fruitful approach to developing such rules is to analyze attack tools and scripts collected on the Internet ◦ These rules can be supplemented with rules generated by knowledgeable security personnel • USTAT (UNIX State Transition Analysis Tool) ◦ A model independent of specific audit records ◦ Deals in general actions rather than the detailed specific actions recorded by the UNIX auditing mechanism ◦ Implemented on a SunOS system that provides audit records on 239 events USTAT Actions versus SunOS Event Types USTAT Action SunOS Event Type Read open_r, open_rc, open_rtc, open_rws, open_rwtc, open_rt, open_rw, open_rwt Write truncate, ftruncate, creat, open_rtc, open_rwc, open_rwtc, open_rt, open_rw, open_rwt, open_w, open_wt, open_wc, open_wct Create mkdir, creat, open_rc, open_rtc, open_rwc, open_rwtc, open_wc, open_wtc, mknod Delete rmdir, unlink Execute exec, execve Exit exit Modify_Owner chown, fchown Modify_Perm chmod, fchmod Rename rename Hardlink link Base-Rate Fallacy • To be of practical use, an intrusion detection system should detect a substantial percentage of intrusions while keeping the false alarm rate at an acceptable level ◦ If only a modest percentage of actual intrusions are detected, the system provides a false sense of security ◦ If the system frequently triggers an alert when there is no intrusion, then either system managers will begin to ignore the alarms or much time will be wasted analyzing the false alarms • Because of the nature of the probabilities involved, it is very difficult to meet the standard of high rate of detections with a low rate of false alarms ◦ If the actual numbers of intrusions is low compared to the number of legitimate uses of a system, then the false alarm rate will be high unless the test is extremely discriminating Distributed Intrusion Detection • Traditional systems focused on single-system stand-alone facilities ◦ The typical organisation, however, needs to defend a distributed collection of hosts supported by a LAN or internetwork ◦ A more effective defense can be achieved by coordination and cooperation among intrusion detection systems across the network • Major design issues: A distributed intrusion detection system may need to deal with different audit record formats One or more nodes in the network will serve as collection and analysis points for the data from the systems on the network Either a centralized or decentralized architecture can be used Architecture for Distributed Intrusion Detection Agent Architecture Honeypots • Decoy systems that are designed to lure a potential attacker away from critical systems • Because any attack against the honeypot is made to seem successful, administrators have time to mobilize and log and track the attacker without ever exposing productive systems • Recent research has focused on building entire honeypot networks that emulate an enterprise, possible with actual or simulated traffic and data Has no production value Designed to: • These systems are filled with fabricated information designed to appear valuable but that a legitimate user of the system wouldn’t access • Thus, any attempt to communicate with the system is most likely a probe, scan, or attack • Divert an attacker from accessing critical systems • Collect information about the attacker’s activity • Encourage the attacker to stay on the system long enough for administrators to respond Example of Honeypot Deployment Intrusion detection exchange format • To facilitate the development of distributed intrusion detection systems that can function across a wide range of platforms and environments, standards are needed to support interoperability • Internet Engineering Task Force (IETF) Intrusion Detection Working Group ◦ Purpose of the group is to define data formats and exchange procedures for sharing information of interest to intrusion detection with response systems and to management systems that may need to interact with them ◦ Have issued the following Request for Comments (RFC)s: ◦ Intrusion Detection Message Exchange Requirements (RFC 4766) ◦ The Intrusion Detection Message Exchange Format (RFC 4765) ◦ The Intrusion Detection Exchange Protocol (RFC 4767) Model For Intrusion Detection Message Exchange Password Management •Front line of defense against intruders •Virtually all multiuser systems require that a user provide not only a name or identifier (ID) but also a password ◦ Password serves to authenticate the ID of the individual logging on to the system ◦ The ID provides security by: ◦ Determining whether the user is authorised to gain access to a system ◦ Determining the privileges accorded to the user ◦ Used in discretionary access control Attack strategies and countermeasures Workstation hijacking Exploiting user mistakes • The attacker waits until a logged-in workstation is unattended • The standard countermeasure is automatically logging the workstation out after a period of inactivity • Attackers are frequently successful in obtaining passwords by using social engineering tactics that trick the user or an account manager into revealing a password; a user may intentionally share a password to enable a colleague to share files; users tend to write passwords down because it is difficult to remember them • Countermeasures include user training, intrusion detection, and simpler passwords combined with another authentication mechanism Offline dictionary attack Specific account attack • Determined hackers can frequently bypass access controls and gain access to the system’s password file • Countermeasures include controls to prevent unauthorised access to the password file, intrusion detection measures to identify a compromise, and rapid reissuance of passwords should the password file be compromised • The attacker targets a specific account and submits password guesses until the correct password is discovered • The standard countermeasure is an account lockout mechanism, which locks out access to the account after a number of failed login attempts Attack strategies and countermeasures Electronic monitoring • If a password is communicated across a network to log on to a remote system, it is vulnerable to eavesdropping • Simple encryption will not fix this problem, because the encrypted password is, in effect, the password and can be observed and reused by an adversary Password guessing against single user • The attacker attempts to gain knowledge about the account holder and system password policies and uses that knowledge to guess the password • Countermeasures include training in and enforcement of password policies that make passwords difficult to guess Exploiting multiple password use Popular password attack • Attacks can become much more effective or damaging if different network devices share the same or a similar password for a given user • Countermeasures include a policy that forbids the same or similar password on particular network devices • Attack is to use a popular password and try it against a wide range of user IDs • Countermeasures include policies to inhibit the selection by users of common passwords and scanning the IP addresses of authentication requests and client cookies for submission patterns UNIX Password Scheme Unix implementations • Crypt(3) ◦ Was designed to discourage guessing attacks ◦ This particular implementation is now considered inadequate ◦ Despite its known weaknesses, this UNIX scheme is still often required for compatibility with existing account management software or in multivendor environments • MD5 secure hash algorithm ◦ The recommended hash function for many UNIX systems, including Linux, Solaris, and FreeBSD ◦ Far slower than crypt(3) • Bcrypt ◦ Developed for OpenBSD ◦ Probably the most secure version of the UNIX hash/salt scheme ◦ Uses a hash function based on the Blowfish symmetric block cipher ◦ Slow to execute ◦ Includes a cost variable Passwords Cracked from a Sample Set of 13,797 Accounts * Computed as the number of matches divided by the search size. The more words that needed to be tested for a match, the lower the cost/benefit ratio. © 2017 Pearson Education, Inc., Hoboken, NJ. Password selection strategies • The goal is to eliminate guessable passwords while allowing the user to select a password that is memorable • Four basic techniques are in use: User education • Users can be told the importance of using hardto-guess passwords and can be provided with guidelines for selecting strong passwords Computer-generated passwords • Computer-generated password schemes have a history of poor acceptance by users • Users have difficulty remembering them Reactive password checking Proactive password checking • A strategy in which the system periodically runs its own password cracker to find guessable passwords • A user is allowed to select his or her own password, however, at the time of selection, the system checks to see if the password is allowable and, if not, rejects it Performance of Bloom Filter Summary • Intruders ◦ behaviour patterns ◦ Intrusion techniques • Intrusion detection ◦ Audit records ◦ Statistical anomaly detection ◦ Rule-based intrusion detection ◦ The base-rate fallacy ◦ Distributed intrusion detection ◦ Honeypots ◦ Intrusion detection exchange format • Password management ◦ The vulnerability of passwords ◦ The use of hashed passwords ◦ User password choices ◦ Password selection strategies ◦ Bloom filter Quick Quiz • What are the three classes of intruders? Explain. • What is the difference between statistical anomaly detection and rule-based intrusion detection? • What are honeypots? Where are the locations which they can be deployed? CP2414 Network Security Firewalls The Need for firewalls • Internet connectivity is no longer optional for organisations ◦ Individual users within the organisation want and need Internet access • While Internet access provides benefits to the organisation, it enables the outside world to reach and interact with local network assets ◦ This creates a threat to the organisation ◦ While it is possible to equip each workstation and server on the premises network with strong security features, this may not be sufficient and in some cases is not cost-effective The Need for firewalls • Firewall ◦ An alternative, or at least complement, to host-based security services ◦ Is inserted between the premises network and the Internet to establish a controlled link and to erect an outer security wall or perimeter ◦ The aim of this perimeter is to protect the premises network from Internet-based attacks and to provide a single choke point where security and auditing can be imposed ◦ May be a single computer system or a set of two or more systems that cooperate to perform the firewall function Firewall characteristics • Design goals for a firewall: ◦ All traffic from inside to outside, and vice versa, must pass through the firewall ◦ Only authorised traffic, as defined by the local security policy, will be allowed to pass ◦ The firewall itself is immune to penetration • Characteristics that a firewall access policy could use to filter traffic: IP Address and Protocol Values • Controls access based on the source or destination addresses and port numbers, direction of flow being inbound or outbound, and other network and transport layer characteristics Application Protocol • Controls access on the basis of authorised application protocol data User Identity • Controls access based on the user’s identity, typically for inside users who identify themselves using some form of secure authentication technology, such as IPSec Network Activity • Controls access based on considerations such as the time or request Firewall expectations Defines a single choke point that keeps unauthorised users out of the protected network, prohibits potentially vulnerable services from entering or leaving the network, and provides protection from various kinds of IP spoofing and routing attacks Provides a location for monitoring security-related events A firewall Is a convenient platform for several Internet functions that are not security related Can serve as the platform for IPsec Firewall limitations Cannot protect against attacks that bypass the firewall A laptop, PDA, or portable storage device may be used and infected outside the corporate network, and then attached and used internally A Firewall Cannot guard against wireless communications between local systems on different sides of the internal firewall May not protect fully against internal threats, such as a disgruntled employee or an employee who unwittingly cooperates with an external attacker Types of Firewalls Packet-Filtering Example Rule Direction Src address Dest address Protocol Dest port Action A In External Internal TCP 25 Permit B Out Internal External TCP >1023 Permit C Out Internal External TCP 25 Permit D In External Internal TCP >1023 Permit E Either Any Any Any Any Deny Packet Filtering firewalls Weaknesses • Because packet filter firewalls do not examine upper-layer data, they cannot prevent attacks that employ application-specific vulnerabilities or functions • Because of the limited information available to the firewall, the logging functionality present in packet filter firewalls is limited • Most packet filter firewalls do not support advanced user authentication schemes • Packet filter firewalls are generally vulnerable to attacks and exploits that take advantage of problems within the TCP/IP specification and protocol stack - spoofing • Due to the small number of variables used in access control decisions, packet filter firewalls are susceptible to security breaches caused by improper configurations Strengths • Its simplicity • Transparent to users and are very fast Attacks and countermeasures IP address spoofing Source routing attacks Tiny fragment attacks The intruder transmits packets from the outside with a source IP address field containing an address of an internal host The source station specifies the route that a packet should take as it crosses the internet, in the hopes that this will bypass security measures that do not analyze the source routing information The intruder uses the IP fragmentation option to create extremely small fragments and force the TCP header information into a separate packet fragment Countermeasure is to discard all packets that use this option Countermeasure is to enforce a rule that the first fragment of a packet must contain a predefined minimum amount of the transport header Countermeasure is to discard packets with an inside source address if the packet arrives on an external interface Stateful Firewall Connection State Table Source Address Source Port Destination Address Destination Port Connection State 192.168.1.100 1030 126.96.36.199 80 Established 192.168.1.102 1031 188.8.131.52 80 Established 192.168.1.101 1033 184.108.40.206 25 Established 192.168.1.106 1035 220.127.116.11 79 Established 18.104.22.168 1990 192.168.1.6 80 Established 22.214.171.124 2112 192.168.1.6 80 Established 210.922.212.18 3321 192.168.1.6 80 Established 126.96.36.199 1025 192.168.1.6 80 Established 188.8.131.52 1046 192.168.1.6 80 Established Application Level Gateway • Also called an application proxy • Acts as a relay of application-level traffic • If the gateway does not implement the proxy code for a specific application, the service is not supported and cannot be forwarded across the firewall • The gateway can be configured to support only specific features of an application that the network administrator considers acceptable while denying all other features • Tend to be more secure than packet filters • Disadvantage: ◦ The additional processing overhead on each connection Circuit-Level Gateway • Also called circuit-level proxy • Can be a stand-alone system or it can be a specialized function performed by an application-level gateway for certain applications • Does not permit an end-to-end TCP connection • The security function consists of determining which connections will be allowed • Typical use is a situation in which the system administrator trusts the internal users • Can be configured to support application-level or proxy service on inbound connections and circuit-level functions for outbound connections • Example of implementation is the SOCKS package Bastion Host • A system identified by the firewall administrator as a critical strong point in the network’s security • Typically serves as a platform for an application-level or circuit-level gateway Bastion Host • Common characteristics: ◦ Executes a secure version of its operating system, making it a hardened system ◦ Only the services that the network administrator considers essential are installed ◦ May require additional authentication before a user is allowed access to the proxy services ◦ Each proxy is configured to support only a subset of the standard application’s command set Bastion Host • Common characteristics (Cont.’): ◦ Each proxy is configured to allow access only to specific host systems ◦ Each proxy maintains detailed audit information by logging all traffic, each connection, and the duration of each connection ◦ Each proxy module is a very small software package specifically designed for network security ◦ Each proxy is independent of other proxies on the bastion host ◦ A proxy generally performs no disk access other than to read its initial configuration file ◦ Each proxy runs as a nonprivileged user in a private and secured directory on the bastion host Host-Based Firewall • A software module used to secure an individual host • Is available in many operating systems or can be provided as an add-on package • Filters and restricts the flow of packets • Common location is a server • Advantages: ◦ Filtering rules can be tailored to the host environment ◦ Protection is provided independent of topology ◦ Used in conjunction with stand-alone firewalls, provides an additional layer of protection Personal Firewall • Controls the traffic between a personal computer or workstation on one side and the Internet or enterprise network on the other side • Can be used in the home environment and on corporate intranets • Typically is a software module on the personal computer • Can also be housed in a router that connects all of the home computers to a DSL, cable modem, or other Internet interface • Primary role is to deny unauthorised remote access to the computer • Can also monitor outgoing activity in an attempt to detect and block worms and other malware Example Firewall Configuration A VPN Security Scenario Example Distributed Firewall Configuration Summary of Firewall Locations and Topologies • Host-resident firewall ◦ This category includes personal firewall software and firewall software on servers ◦ Can be used alone or as part of an in-depth firewall deployment • Screening router ◦ A single router between internal and external networks with stateless or full packet filtering ◦ This arrangement is typical for small office/home office (SOHO) applications • Single bastion inline ◦ A single firewall device between an internal and external router ◦ This is the typical firewall appliance configuration for small-to-medium sized organisations Summary of Firewall Locations and Topologies • Single bastion T ◦ Similar to single bastion inline but has a third network interface on bastion to a DMZ where externally visible servers are placed • Double bastion inline ◦ DMZ is sandwiched between bastion firewalls • Double bastion T ◦ DMZ is on a separate network interface on the bastion firewall • Distributed firewall configuration ◦ Used by some large businesses and government organisations Summary • The need for firewalls • Firewall characteristics and access policy • Types of firewalls ◦ ◦ ◦ ◦ Packet filtering firewall Stateful inspection firewalls Application level gateway Circuit level gateway • Firewall basing ◦ Bastion host ◦ Host based firewalls ◦ Personal firewall • Firewall locations and configurations ◦ ◦ ◦ ◦ DMZ networks Virtual private networks Distributed firewalls Firewall location and topologies summary Quick Quiz •What are firewalls? Why are they important? •What are the disadvantages of packet filter firewalls? •What are distribute firewalls? What are the advantages of using them? •Where would you place a demilitarised zone (DMZ) network? Why?