Firewall Architecture and Intrusion Detection Systems


Firewall Architectural Platforms
• Packet Filters/Screening Routers
• Application Layer Firewalls
• Stateful Inspection Engines
• Screened Subnets
• Reactive / Conditional Firewalls
• Proxy Gateways
Firewall Architecture
Two levels:
• Application level firewalls operate at the session, presentation and application layers. Also called bastion hosts or proxy firewalls (LINUX, UNIX or Windows 2000).
• Packet level firewalls operate at the network (IP) and transport (TCP) layers. Called screening routers or packet filters.
[Diagram: the two firewall levels mapped onto the OSI stack (application, presentation, session / transport, network, data link, physical); a "Secure Internet Gateway" sits between the trusted network and the untrusted network]

Packet Filters/Screening Routers
[Diagram: packet filter/screening router between the trusted network and the untrusted network, with one or more optional DMZ networks (Demilitarised Zone - DMZ) attached]
Packet Layer Firewalls
Filtering based on:
• source IP address
• destination IP address
• TCP/UDP source port
• TCP/UDP destination port
• May block on specific ports, hosts, networks, all external addresses, etc.
[Diagram: packet filter/screening router between the Internet and the LAN, operating at the network and transport layers of the OSI stack]

Packet Layer Firewalls - Policing Protocols
[Diagram: two full protocol stacks communicating through a router that implements only the network, data link and physical layers; the transport, session, presentation and application layers pass through unexamined]
PROS
• Application Independence
• High Performance
• Scalability
CONS
• Low Security
• No Screening Above the Network Layer (No "State" or Application Context Information)

The following services are inherently vulnerable:
• TFTP (port 69)
• X-Windows (ports 6000+, port 2000)
• rlogin, rsh, and rexec (ports 513, 514, and 512)
• Telnet (port 23), RPC (port 111)
• FTP (ports 20 and 21), SMTP (port 25)
• RIP (port 520), DNS (port 53)
• UUCP (port 540), NNTP (port 119)
• Gopher, HTTP (ports 70 and 80)
Application-Layer Gateway (Proxy-Service)

Application Layer Firewalls
Advantages:
• Information hiding - names of internal systems not known to Internet users; only the host whose name is made known to outside systems is visible
• Authentication and logging - authentication can be located at the application gateway
• Cost effectiveness
• Less-complex filtering rules than with a packet filter
[Diagram: application gateway relaying Telnet, HTTP and FTP between two full protocol stacks; the gateway itself runs a complete stack up to the application layer]
PROS
• Good Security
• Full Application-Layer Awareness
CONS
• Poorer Performance
• Limited Application Support
• Poor Scalability (Breaks the Client/Server Model)

Proxy Gateways
Application firewall mediates traffic between protected network and Internet:
• a proxy service is an application which routes IP traffic from one port to another (it breaks the connection, cf stateful packet filter)
• can provide user authentication, auditing, and logging facilities
• great improvement over packet filters/screening routers
• proxy software written for each service

Proxy Gateways contd...
• basic proxies available for Telnet, FTP, HTTP, WWW etc
• users on Internet can only see proxy
• proxy allows services for which a proxy application has been specified
• connection broken hence proxy will not work for some services - eg VPN tunnels
Stateful Packet Filters
[Diagram: stateful inspection engine ("INSPECT Engine") between the trusted LAN and the untrusted network/public services server, consulting dynamic state tables; the engine sits at the network layer but is aware of the stack up to the application layer]
PROS
• Good Security
• Full Application-Layer Awareness
• Transparency
• Performance
CONS
• Mis-configuration

Screened Subnets
Screened subnet considered to be the most secure firewall architecture:
• isolated network positioned between the external and internal networks
• allows non-critical hosts (web servers, anonymous FTP sites) to be placed outside internal network
• forces all traffic and services through firewall
• provides source for encrypted tunnels

Screened Subnet Benefits
[Diagram: Internet - Firewall - Screened Subnet (Firewall & Public Services Server) - optional (DMZ) network holding the public services - trusted network; labelled "Most secure firewall architecture"]

Stateful Packet Filters - Dynamic packet filtering
• Examines packet stream based upon dynamic state tables
• Mandates storing of state information
• Usually implemented with support of entire TCP/IP stack
• Examines: content, vector, protocol
• Allows/denies packet based upon rules appropriate for the TCP service
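To make the difference between a screening router and a stateful inspection engine concrete, here is an added Python simulation (not code from the lecture or from any firewall product): a static address/port rule set beside a filter that consults a dynamic state table. The addresses, ports and packets are constructed.

```python
"""Stateless packet filter vs stateful inspection (added illustration, not code
from the lecture or any product). Addresses, ports and packets are constructed."""
from dataclasses import dataclass

INTERNAL_NET = "10.0.0."        # constructed: trusted LAN prefix
WEB_SERVER = "203.0.113.10"     # constructed: external web server


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


def is_internal(ip):
    return ip.startswith(INTERNAL_NET)


def stateless_allow(pkt):
    """Screening router: static rules on addresses and ports only.
    Because no state is kept, return traffic for outbound HTTP needs a standing
    rule admitting ANY external host claiming source port 80 to ANY high port."""
    if is_internal(pkt.src) and pkt.dport == 80:                 # outbound HTTP
        return True
    if is_internal(pkt.dst) and pkt.sport == 80 and pkt.dport >= 1024:
        return True                                               # the "return traffic" hole
    return False


class StatefulFilter:
    """Stateful inspection engine: an inbound packet is admitted only if it
    belongs to a connection recorded in the dynamic state table."""

    def __init__(self):
        self.state = set()   # (internal ip, internal port, remote ip, remote port)

    def allow(self, pkt):
        if is_internal(pkt.src) and pkt.dport == 80 and pkt.syn and not pkt.ack:
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))  # new outbound session
            return True
        if is_internal(pkt.dst):
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state
        return False


def compare():
    """Verdicts (stateless, stateful) for the genuine reply to an open connection,
    then for a forged inbound packet that only pretends to be web traffic."""
    sf = StatefulFilter()
    sf.allow(Packet("10.0.0.5", WEB_SERVER, 40001, 80, syn=True))
    legit = Packet(WEB_SERVER, "10.0.0.5", 80, 40001, syn=True, ack=True)
    forged = Packet("198.51.100.7", "10.0.0.5", 80, 40002, ack=True)
    return (stateless_allow(legit), sf.allow(legit),
            stateless_allow(forged), sf.allow(forged))
```

The stateless filter accepts both packets because it can only look at addresses and ports; the stateful filter accepts the reply and rejects the forgery because no state-table entry matches it.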

Reactive / Conditional Firewalls
Current firewall architectures:
• Packet filter
• Application proxy
• Stateful packet filters
All imply a static rule set (even if analysis and filtering engines are really powerful).
A reactive or conditional firewall will change / adapt its rule set as a result of certain attack scenarios observed either by an IDS or the firewall itself.
A reactive or conditional firewall can process multiple connections (eg Nimda - 24,000!)

Some firewalls appear to change their rule set in the face of an attack - but results are very limited:
• Watchguard watches for attempted access to services defined as sensitive and policy violations. When a violation is detected, the source is submitted to a preprocessor which discards all further packets involving that host.
• Checkpoint has an API which allows it to accept firewall rule modification from an external IDS. Should a compatible IDS detect an attack it could modify the firewall configuration to exclude the attacker.
• Port Sentry monitors unused ports. Any attempt to access such ports is indicative of port scanning attacks or other probes. On detection, the local firewall/router configuration is modified to exclude the host involved.
• Guardian is a security program which operates by automatically updating firewall rules based upon alerts generated by Snort and blocking all incoming data from the IP address of the attacking machine.
Autoblocking leading to Denial of Service condition.
Reactive / conditional firewalls allow considerable flexibility in implementing packet filtering rules and proxies, ranging from elegant support for excluding attackers, to the ability to define complex traffic, state-tracking systems and bandwidth management systems.

Various terms can be used to describe a firewall which changes its rules based upon external conditions. Such terms include: conditional, adaptive, mutable, responsive or reactive firewalls.
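An added Python sketch (not the code of Watchguard, Port Sentry, Guardian or any other product) of the reactive behaviour described above: IDS alerts drive a dynamic block list, with a never-block list, a cap on entries and an expiry time as guards against the autoblocking-into-denial-of-service problem the slide notes. The alert format, addresses and limits are constructed assumptions.

```python
"""Reactive firewall driven by IDS alerts (added example, not any product's code).
Alert lines, address ranges and limits are constructed for the illustration."""
import ipaddress
import re

# constructed alert format: "<unix time> <source ip> <signature text>"
ALERT_RE = re.compile(r"^(\d+)\s+(\S+)\s+(.+)$")


class ReactiveFirewall:
    def __init__(self, never_block, max_blocks=100, ttl=3600):
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.max_blocks = max_blocks   # bound on how much of the rule set an attacker can fill
        self.ttl = ttl                 # blocks expire, so a spoofed burst is not permanent
        self.blocks = {}               # ip -> expiry time: the dynamic part of the rule set

    def _protected(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.never_block)

    def expire(self, now):
        for ip in [ip for ip, exp in self.blocks.items() if exp <= now]:
            del self.blocks[ip]

    def handle_alert(self, line, now):
        """Adapt the rule set from one IDS alert; returns what was done."""
        m = ALERT_RE.match(line)
        if not m:
            return "ignored"
        src = m.group(2)
        if self._protected(src):
            return "refused"       # an alert with a spoofed trusted source must not lock out that host
        self.expire(now)
        if src not in self.blocks and len(self.blocks) >= self.max_blocks:
            return "limit"
        self.blocks[src] = now + self.ttl
        return "blocked"

    def allows(self, src, now):
        self.expire(now)
        return src not in self.blocks


def run_demo():
    fw = ReactiveFirewall(never_block=["10.0.0.0/8", "192.0.2.1/32"], max_blocks=2, ttl=60)
    alerts = [                                              # constructed alerts
        "1000 198.51.100.7 portscan on unused port 143",
        "1001 10.0.0.9 portscan on unused port 139",        # source spoofed as an internal host
        "1002 203.0.113.99 mountd access",
        "1003 203.0.113.100 mountd access",                 # would exceed the block limit
    ]
    results = [fw.handle_alert(a, now=int(a.split()[0])) for a in alerts]
    return results, fw.allows("198.51.100.7", 1030), fw.allows("198.51.100.7", 1100)
```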
Secure Transactions on the Internet/Intranet
• S/MIME - Secure Multipart Internet Mail Encoding
• SSH - Secure Shell (Telnet, FTP etc)
• PPTP - Point to Point Tunnelling Protocol
• SET - Secure Electronic Transactions
• IPv6 - IP version 6
• SSL/TLS - Secure Sockets Layer
• IPSec - Encrypted Tunnelling

Hole in the (Fire)wall …..
[Diagram: "Holes for Hackers" - services such as TELNET, FTP, SNMP and SMTP passing through the firewall]
[Diagram: client, firewall and server protocol stacks - BROWSER with SET and S/MIME or PGP at the top; HTTP/HTTPS over SSL/TLS over TCP; PPTP over UDP; IPSec over IPv4 and IPv6; LAN - Ethernet, WAN - PPP ADSL, ISDN, Frame Relay, ATM at the bottom]
Firewall Vendors
• Watchguard Technologies (Firebox 4500 System 5)
• Symantec Corp. (Symantec Enterprise Firewall v6.5.2)
• Stonesoft Corp. (Stonegate v17.0)
• SonicWall Inc. (SonicWall Tele3 v6.2)
• Secure Computing (Sidewinder v5.2)
• Global Technologies (GNAT Box v3.2)
• Network-1 Security Solutions (CyberwallPLUS v7.0)
• Cyberguard Corp. (CyberGuard KnightStar v5.0)
• Checkpoint Technologies (NG FW-1)
• Borderware Technologies (Firewall Server v6.5)
see also www.networkintrusion.co.uk

Personal Firewall Vendors
• Tiny Firewall (www.tinysoftware.com)
• BlackICE/Networkice (www.networkice.com)
• Norton (www.norton.com)
• SyGate (www.sygate.com) - www.sygate.com/products/centrally_managed_personal_firewall.htm
• Zone alarm (www.zonelabs.com) .. see on...
• IPCop (Linux) (www.ipcop.com)
• Smoothwall (Linux) (www.smoothwall.org)
The last two are loaded onto a gateway machine; IPCop is an offshoot of Smoothwall. Smoothwall can operate as a packet filtering IDS.

Personal Firewall Vendors - Zone alarm (www.zonelabs.com) …..
• Personal firewall with security settings of High, Medium, Low for both LAN and Internet connections
• Alerts occur during access to an unauthorised port. ZoneAlarm advises what the likely cause is and how indicative of an attack it is - hence acts as an IDS
• Access is allowed/denied for programs on the host PC to connect to the Internet
• ZoneAlarm Pro $US50 for single user and $US1800 for 50 users
• ZoneAlarm - free for home users
Intrusion Detection Systems

What is an Intrusion?
Sequence of related actions by a malicious adversary that results in occurrence of security threats to target computer or network.
Indicators:
• Repetition of unusual behaviour
• Exploitation of known vulnerabilities
• Inconsistent packet sequences or routes
• Unexplained problems
• Suspicious traffic content

Major Reasons for Using Intrusion Detection Systems are…..
• To detect intruders, attacks, abuse...
• To detect probes
• To provide active network security
• To provide a means of deterrent
• To collect data on system behavior so as to recover after intrusion
• To indirectly provide useful information
IDS Goals
• Differentiate normal from damaging actions
• Scalable
• Variety of network systems and architectures
• Adapts in response to new attacks
• Reports attacks in real-time
• Co-operates with other security mechanisms
• Increase monitoring at suspicious points
• Protect against being attacked itself
• Function in face of network failure
• Minimal performance impact
• Generate audit information
• Reflect security policy of organisation

History of IDS Developments/Products
[Figure not reproduced]
IDS Architecture Components
• Sensors - data gathering for the IDS
• Monitors - process the collected data
• Resolver - determines appropriate responses
• Controller - configuration of components in a distributed system
Modern IDS apply these components in a cascading fashion, ie allowing higher level system overviews to be gained as a user ascends through the tree.

IDS Techniques
• Misuse Detection (M-IDS) - attempts to match observed v expected behaviour (eg signature analysis, Petri nets, state transition diagrams, genetic algorithms)
• Anomaly Detection (A-IDS) - models expected behaviour (eg statistical, expert systems, neural networks)
IDS Techniques (contd)
• Location of Sensors - network-based (no processing overheads and difficult to attack) or host-based (performance impact but good data collection)
• Monitor Processing Patterns - real-time (cf. batch) detection of significant benefit (performance issues)
• Distributed Correlation - simple interfaces (eg Shadow) or hierarchical (eg GrIDS)

Capabilities of IDS
• Second level of defense if primary security fails
• Clear view and summary (eg Tripwire)
• Extracts information useful in tracking intrusions
• Identifies nature of abuse (eg systems modifications for later backdoor use)
• IDS logs as evidence in legal cases
Capabilities of IDS (contd)
• IDS can assist in detecting mis-configurations
• Combined with network security scanners, security holes can be revealed - eg finding a particular firewall is vulnerable to certain attacks
• IDS can determine which resources are targeted
• New attacks every month - simplifies detection
• IDS works well with security policy

Limitations of IDS
• Reporting tool - cannot stop ongoing intrusions
• Cannot trace intrusion with poor authentication
• Can only trace intrusion to point of entry to system
• Must be aware of security policy
• Attackers may attack IDS systems
• Depends upon seeing all traffic
• Models event - systems react in different ways
• Widely spread attacks may be ignored
• New attacks continually being discovered
• Scaling problems
Current Development in IDS
• Distributed and scalable IDS
• Use of AI and pattern matching
• Embedded IDS in network devices
• Use in other areas - telephone / credit card systems
• Adaptation to new technologies
• Automatic recognition of new attacks (adaptive AI)
• IDS which responds to attacks in progress
• IDS standards/groups (eg CIDF, IDWG, IDSC ….)

IPS - Intrusion Prevention Systems
Current IDS systems "notify" but do not react.
Current Firewalls are mainly static rule based systems.
IPS implies a combination of IDS + Firewall.
"Conditional or Reactive" firewalls imply:
• This can still be static although sophisticated in its filtering and analysis engines
• If this is the case - is it different from IDS+firewall?
• IDS / IPS / Firewall with dynamic rules which adapt to specific attack scenarios
Types of IDS
• Host-based (HIDS) - searches for mis-configurations and dangerous settings, unusual privileges etc; checks host security policies, dangerous or unnecessary services
• Network-based (NIDS)
• Hybrid
Vary according to whether:
• fixed/wireless
• commercial/freeware
• operating system

Intrusion Detection Systems and Products
• Manual Review Techniques
• Full-scale IDS may not always be appropriate:
• connect dummy service to ports (eg IMAP (143), SMB (139), HTTP (80)) - trigger script when attacked
• use log files and audit info to build critical log
• use simple monitors such as NetMon and FileMon
Host-Based IDS
• GFi LANguard SELM - Windows - Commercial - http://www.gfi.com/lanselm/index.html
• EMERALD eXpert-BSM - Solaris - Commercial - http://www.sdl.sri.com/projects/emerald/releases/eXpert-BSM/
• ISS BlackICE - Windows - Commercial - http://blackice.iss.net
• Symantec Host IDS - Windows/Solaris - Commercial - http://enterprisesecurity.symantec.com/products
• LIDS - Linux - GPL - http://www.lids.org
GPL = General Public Licence

Network-Based IDS
• AirDefense Guard (Wireless IDS) - Hardware - Commercial - www.airdefense.net/products/airdefense_ids.shtm
• NetDetector Solution - Hardware - Commercial - www.niksun.com/index.php?id=194
• Network Flight Recorder Security - Hardware - Commercial
• RealSecure Network Sensor - Windows/Linux/Solaris/Nokia - Commercial
• Symantec ManHunt - Solaris/Linux - Commercial
• Shoki - *nix - GPL - http://shoki.sourceforge.net
• Snort - *nix - GPL - http://www.snort.org
• Sourcefire Intrusion MS - Hardware - Commercial

Hybrid IDS
• Prelude - *nix - GPL - http://www.prelude-ids.org
• RealSecure Network Sensor - Windows/*nix - Commercial - www.iss.net/products_services
[*nix = UNIX compatible]
[GPL = Public License]

Example NIDS: SNORT
• Lightweight IDS system capable of performing real-time traffic analysis and packet logging
• Can perform protocol analysis, content searching/matching.
• Can be used to detect a variety of attacks and probes, eg:
  • buffer overflows
  • stealth port scans
  • CGI attacks
  • SMB probes
  • OS fingerprinting attempts
Example IDS: SNORT
• Snort has three primary uses. It can be used as:
  • a packet sniffer like tcpdump
  • a packet logger (useful for network traffic debugging, etc)
  • a full network intrusion detection system
• Snort/IDS operates from a script rule file applied to each packet monitored
• Uses signature files to detect known attacks
• Provides specialised access to IP packets, eg fragmentation bit checks
• Links to full protocol stack
• Example rule (Snort encloses the rule options in parentheses, not braces):
alert tcp any any -> 192.168.0.1/24 111 (content:"|00 01 86 A5|"; msg:"mountd access";)

Example IDS: BlackIce
• Host-based IDS for Windows and carries out extensive port analysis
• Four levels: Paranoid, Nervous, Cautious, Trusting
• Provides back-trace of intruders via NetBios
• Real time network usage graph
• http://blackice.iss.net

Example IDS: BlackIce Display
[Screenshot not reproduced]
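An added Python mini-matcher (not Snort's own code) that parses the example rule above and tests constructed packets against it, to show what the rule header and the content option actually check: the four bytes |00 01 86 A5| are 100005, the RPC program number of mountd. The packet payloads are constructed and 192.168.0.1/24 is the slide's example network.

```python
"""Minimal matcher for the Snort rule quoted above (added example, not Snort
code). Supports the header fields and the content/msg options the rule uses."""
import ipaddress
import re

RULE = 'alert tcp any any -> 192.168.0.1/24 111 (content:"|00 01 86 A5|"; msg:"mountd access";)'

# action proto src sport -> dst dport (options)
HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)$')


def pipe_hex(s):
    """Expand Snort's |hh hh| notation to raw bytes; text outside pipes is literal."""
    out = b""
    for i, part in enumerate(s.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return out


def parse_rule(text):
    m = HEADER_RE.match(text.strip())
    action, proto, src, sport, dst, dport, body = m.groups()
    opts = {}
    for opt in body.split(";"):
        if ":" in opt:
            key, value = opt.split(":", 1)
            opts[key.strip()] = value.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport,
            "content": pipe_hex(opts["content"]), "msg": opts["msg"]}


def match_net(spec, ip):
    # strict=False lets a host address with a mask (192.168.0.1/24) name its network
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def match_port(spec, port):
    return spec == "any" or int(spec) == port


def matches(rule, proto, src, sport, dst, dport, payload):
    """True when the packet satisfies every header field and carries the content bytes."""
    return (rule["proto"] == proto
            and match_net(rule["src"], src) and match_port(rule["sport"], sport)
            and match_net(rule["dst"], dst) and match_port(rule["dport"], dport)
            and rule["content"] in payload)


def demo():
    """Constructed RPC call fragment whose program-number field is 100005 (mountd)."""
    rule = parse_rule(RULE)
    mountd_call = b"\x80\x00\x00\x28" + b"\x00" * 12 + b"\x00\x00\x00\x02" + b"\x00\x01\x86\xa5"
    return (matches(rule, "tcp", "203.0.113.5", 1234, "192.168.0.42", 111, mountd_call),
            matches(rule, "tcp", "203.0.113.5", 1234, "192.168.0.42", 2049, mountd_call),
            matches(rule, "tcp", "203.0.113.5", 1234, "192.168.0.42", 111, b"GET / HTTP/1.0\r\n"))
```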
Example IDS: ZoneAlarm
ZoneAlarm (= Firewall + IDS)
• www.zonelabs.com
• Personal firewall with security settings of High, Medium, Low for both LAN and Internet connections, and a mail attachment check setting
• Alerts occur when access to an unauthorised port is attempted. ZoneAlarm advises what the likely cause is and how indicative of an attack it is
• Access is allowed/denied for programs on the host PC to connect to the Internet
• ZoneAlarm Pro $US50 for single user and $US1800 for 50 users
• ZoneAlarm - free for home users
Tools Supporting Active Security
• Mapping Tools
• System Scanning Tools
• System Integrity Checkers
• Honeytraps / Honeypots

IDS Support Tools - Mapping Tools
Network Mappers
• Commercial and free tools available - nmap and CheopsNG
• Carry out - DNS zone transfers, address/port scanning, host requests, promiscuous monitoring
• nmap sends a variety of packets with illegal flags, ICMP echos, fragmented packets etc to hosts and analyses the responses
• eg recognise Linux with kernels older than 2.0.35 by using a packet with SYN and illegal flags set
• Cheops - *nix - GPL (no longer supported) - www.marko.net/cheops/
• Cheops-NG - *nix - GPL - http://cheops-ng.sourceforge.net/
• nmap - *nix/Windows - GPL - http://www.insecure.org/nmap

IDS Support Tools - System Scanning Tools
• Tools used to detect and report on vulnerabilities in computer or network
• Uses database of known vulnerabilities and attempts matching to these records
• For an attacker these tools allow location of potential specific targets, eg open HTTP port with a known vulnerability
• Core Impact - Windows - Commercial
• GFi LANguard NSS - Windows - Commercial/Freeware
• ISS Internet Scanner - Commercial
• Nessus - *nix - GPL - www.nessus.org
• Rapid7 NeXpose - Linux/Windows - Commercial
• Retina - Windows - Commercial

IDS Support Tools - System Integrity Checkers
• Detect anomalies which may indicate that data on computer has been tampered with
• Cannot detect intruders until after intrusion and so are not real-time like IDSs
• Stores hashed snapshot of file systems and compares to current system state and reports discrepancies
• Tripwire is best example
• Commonly support hashing algorithms, eg - MD4/5, SHA, ITU CRC-16 and -32 signatures
• Reference database based upon initial trusted system
• Only reports changes already present in system
• Last line of defence - system is already compromised!
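An added Python example (not Tripwire's code) of the integrity-checker approach just described: hash a trusted snapshot of a file tree, then compare a later snapshot and report added, removed and modified files. The file tree is constructed in a temporary directory, and SHA-256 stands in for the algorithms listed above.

```python
"""Tripwire-style integrity check (added example, not Tripwire's code): snapshot a
trusted file tree by hash, then report what differs later. All files constructed."""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file path (relative to root) to the SHA-256 digest of its contents."""
    db = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                db[os.path.relpath(full, root)] = hashlib.sha256(f.read()).hexdigest()
    return db


def compare(reference, current):
    """Return (added, removed, modified) relative paths, each sorted."""
    added = sorted(set(current) - set(reference))
    removed = sorted(set(reference) - set(current))
    modified = sorted(p for p in reference if p in current and reference[p] != current[p])
    return added, removed, modified


def demo():
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)

        # trusted baseline (constructed contents)
        write("etc/passwd", b"root:x:0:0::/root:/bin/sh\n")
        write("bin/login", b"original login binary\n")
        write("etc/motd", b"welcome\n")
        reference = snapshot(root)       # the reference database

        # later state: a replaced binary, a new hidden file, a deleted file (constructed)
        write("bin/login", b"replaced login binary\n")
        write("tmp/.hidden", b"unexpected file\n")
        os.remove(os.path.join(root, "etc/motd"))
        return compare(reference, snapshot(root))
```

The reference database only has value if it is kept where an intruder cannot rewrite it alongside the files it describes.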
IDS Support Tools - System Integrity Checkers (products)
• Aide - *nix - GPL
• Chkrootkit - *nix - Open Source
• Integrit - *nix - GPL
• Ionx Data Sentinel - Windows - Commercial
• GFi LANguard SIM - Windows - Commercial/Freeware
• Osiris - *nix - Open Source
• Samhain - *nix - GPL
• Tripwire - *nix/Windows - Commercial and Open Source

IDS Support Tools - Honeytraps
Current IDS methodologies have shortcomings:
• problem recognising novel attacks
• occurrence of false positives
• reporting of attacks of no interest
Honeytrap system - simulated or real system that exists for sole purpose of being attacked!
• Looks and behaves like real system
• Must not be launching pad
• Must gather valuable information on attacker
IDS Support Tools - Honeytraps (products)
• Bait and Switch - *nix - BSD
• KeyFocus Sensor - Windows - Commercial
• NetBait Enterprise - i386-based - Commercial
• Symantec Decoy Server - Solaris - Commercial
• Verizon NetFacade - *nix - Commercial
• NFR Back Officer Friendly (designed to prevent Back Orifice scans) - Commercial but free trial
[Screenshot: KFSensor honeypot output not reproduced]
IDS Standards
• Common Intrusion Detection Framework (CIDF) - Common protocols and interface standards (1999)
• Intrusion Detection Working Group (IDWG) - Produced 4 Internet Drafts (2002)
• Open Security Evaluation Criteria (OSEC) - Evaluation of and tests on products (2003)
• Intrusion Detection Systems Consortium (IDSC) - Vendor consortium promoting product adoption by defining common terminology, integrity, standards

Intrusion Detection Experiments
• Watchguard firewall used as testbed for Intrusion Detection Analysis
• simulates small office network
• single public server
• limited set of machines on firewall's trusted network
• unspecified number of machines on external network
Intrusion Detection Case Study
Sample Firewall policy might be ….
• Incoming FTP traffic allowed (via proxy) only if destined for 204.137.98.164 - public server located in optional network
• Outgoing FTP traffic allowed without restriction
• Incoming HTTP traffic allowed (via proxy) only if destined for 204.137.98.165
• Outgoing HTTP traffic allowed without restriction
• Incoming SMTP traffic was allowed only to 177.209.49.31 (external firewall interface)
• Outgoing SMTP traffic was allowed only from 177.209.0.25 (hypothetical SMTP server on trusted network)
• Configuration access to firewall allowed from internal networks
• IP Masquerading was disabled
• Port Autoblocking was disabled
• All other ports and services were blocked
Intrusion Detection Case Study - Scans
1. Scan Web server (2) and IDS server (2) from Attack host (3) (all machines on a common network segment)
   • Scan 1 gives baseline of what attacks IDS tools are capable of recognising, and corresponds to an internal attack on trusted network
2. Scan Web server (1) and IDS server (1) from Attack host (3) (attack on optional from trusted network)
   • Scan 2 simulates internal attack against optional network
3. Scan Web server (2) and IDS server (2) from Attack host (2) (attack on trusted from optional network)
   • Scan 3 simulates result if machine on optional network is compromised and then attacks internal machines
4. Scan Web server (1) and IDS server (1) from Attack host (1) (external attack on optional network)
   • Scan 4 - very common case - external attacker attempts to access machines on optional network
5. Scan Web server (2) and IDS-server (2) from Attack host (1) (external attack on trusted network)
   • Scan 5 is same situation for trusted network
Intrusion Detection Case Study - Conclusions
• IDS can highlight problems with Firewall configurations
• Out-of-box configurations may be dangerous
• Firewalls protect inaccessible machines well
• Firewalls do not protect against application-level attacks
• Firewalls are themselves vulnerable to attack
• IDS tools can recognise many attacks
• IDS tools have different detection sets
• Network IDS recognise attacks from their area of coverage
• Network scanning tools are susceptible to false readings
• Firewalls offer minimal detection capabilities