Firewall Architecture and Intrusion Detection Systems

• Firewalls
• Architectural Platforms
• Packet Filters / Screening Routers
• Application Layer Firewalls
• Stateful Inspection Engines
• Screened Subnets
• Reactive / Conditional Firewalls
• Proxy Gateways

Firewall Architecture
Two levels:
• Application level firewalls operate at the session, presentation and application layers. Also called bastion hosts or proxy firewalls (Linux, UNIX or Windows 2000).
• Packet level firewalls operate at the network (IP) and transport (TCP) layers. Called screening routers or packet filters.
[Figure: Secure Internet Gateway between the Trusted Network and the Internet, with the OSI stack (Application, Presentation, Session, Transport, Network, Data Link, Physical) marking the layers each firewall type covers]

Packet Filters / Screening Routers
[Figure: firewall architecture with a Trusted Network, an Untrusted Network and one or more Optional (DMZ - Demilitarised Zone) networks]

Packet Layer Firewalls
Filtering based on:
• source IP address
• destination IP address
• TCP/UDP source port
• TCP/UDP destination port
May block on specific ports, hosts, networks, all external addresses, etc.
Packet Layer Firewalls
[Figure: Internet - Packet Filter / Screening Router - LAN, with the OSI stack of each side; the router's stack stops at the Network layer]

Packet Layer Firewalls - Policing Protocols
PROS
• Application independence
• High performance
• Scalability
CONS
• Low security
• No screening above the network layer (no "state" or application context information)
The following services are inherently vulnerable:
• TFTP (port 69)
• X-Windows (ports 6000+, port 2000)
• rlogin, rsh and rexec (ports 513, 514 and 512)
• Telnet (port 23), RPC (port 111)
• FTP (ports 20 and 21), SMTP (port 25)
• RIP (port 520), DNS (port 53)
• UUCP (port 540), NNTP (port 119)
• Gopher, HTTP (ports 70 and 80)

Application-Layer Gateway (Proxy Service)
[Figure: Application Gateway carrying Telnet, FTP and HTTP proxies; the gateway holds a full OSI stack between the two networks]
PROS
• Good security
• Full application-layer awareness
CONS
• Poorer performance
• Limited application support
• Poor scalability (breaks the client/server model)

Application Layer Firewalls - Advantages
• Information hiding: names of internal systems are not known to Internet users; the gateway is the only host whose name is made known to outside systems
• Authentication and logging
• Cost effectiveness: authentication can be located at the application gateway
• Less complex filtering rules than with a packet filter

Proxy Gateways
• Application firewall mediates traffic between the protected network and the Internet
• A proxy service is an application which routes IP traffic from one port to another (it breaks the connection, cf. stateful packet filter)
• Can provide user authentication, auditing and logging facilities
• Great improvement over packet filters / screening routers
• Proxy software written for each service

Proxy Gateways contd...
• Basic proxies available for Telnet, FTP, HTTP, WWW etc
• Users on the Internet can only see the proxy
• Proxy allows services for which a proxy application has been specified
• Connection broken, hence a proxy will not work for some services - eg VPN tunnels

Stateful Packet Filters
[Figure: INSPECT engine with dynamic state tables between the trusted LAN and the untrusted network]
PROS
• Good security
• Full application-layer awareness
• Transparency
• Performance
CONS
• Mis-configuration

Stateful Packet Filters - dynamic packet filtering
• Examines the packet stream based upon dynamic state tables
• Mandates storing of state information
• Usually implemented with support of the entire TCP/IP stack
• Examines: content, vector, protocol
• Allows/denies a packet based upon rules appropriate for the TCP service

Screened Subnet
Considered to be the most secure firewall architecture:
• Isolated network positioned between the external and internal networks
• Allows non-critical hosts (web servers, anonymous FTP sites) to be placed outside the internal network
• Forces all traffic and services through the firewall
• Provides a source for encrypted tunnels
[Figure: Screened Subnet Benefits - Internet, Firewall, Screened Subnet (Optional / DMZ network) holding the Firewall & Public Services Server, Untrusted Public Services Network, and the trusted network]

Reactive / Conditional Firewalls
Current firewall architectures:
• Packet filter
• Application proxy
• Stateful packet filters
All imply a static rule set (even if the analysis and filtering engines are really powerful).
A reactive or conditional firewall will change / adapt its rule set as a result of certain attack scenarios observed either by an IDS or by the firewall itself.
A reactive or conditional firewall can process multiple connections (eg Nimda - 24,000!).
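The four-tuple screening described under Packet Layer Firewalls, the dynamic state table described under Stateful Packet Filters, and the rule change on an IDS alert that defines a reactive firewall, as one added example (not the lecture's own code; the 10.0.0.0/8 trusted network, the rule table and all packet values are constructed assumptions):

```python
# Added example, not from the lecture slides: a screening-router packet filter
# beside a stateful engine (dynamic state table) with a reactive block hook.
from dataclasses import dataclass
import ipaddress

TRUSTED_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed trusted network
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP SYN flag (connection request)
    ack: bool = False  # TCP ACK flag
def outbound(pkt: Packet) -> bool:
    return ipaddress.ip_address(pkt.src) in TRUSTED_NET
# Screening-router rules: (direction, src port, dst port, action); None = any.
STATELESS_RULES = [
    ("out", None, 80, "allow"),  # internal hosts may reach web servers
    ("in", 80, None, "allow"),   # web replies back in - no state to check
    ("in", None, 25, "allow"),   # inbound SMTP
]

def stateless_filter(pkt: Packet) -> str:
    # First matching rule wins; unmatched packets are denied.
    direction = "out" if outbound(pkt) else "in"
    for rdir, sport, dport, action in STATELESS_RULES:
        if (rdir == direction and sport in (None, pkt.sport)
                and dport in (None, pkt.dport)):
            return action
    return "deny"

class StatefulFilter:
    """Inbound passes only as a reply to a recorded outbound connection
    (inbound SMTP excepted) and never from a host the IDS has reported."""
    def __init__(self):
        self.state = set()    # (int addr, int port, ext addr, ext port)
        self.blocked = set()  # reactive block list fed by IDS alerts

    def filter(self, pkt: Packet) -> str:
        if pkt.src in self.blocked:
            return "deny"
        if outbound(pkt):
            if pkt.syn and not pkt.ack:  # new connection: remember it
                self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            return "allow"  # genuine reply to a recorded connection
        return "allow" if pkt.dport == 25 else "deny"

    def ids_alert(self, attacker: str) -> None:
        self.blocked.add(attacker)  # reactive firewall: exclude reported host

def demo() -> dict:
    fw = StatefulFilter()
    request = Packet("10.0.0.5", 40000, "203.0.113.9", 80, syn=True)
    reply = Packet("203.0.113.9", 80, "10.0.0.5", 40000, syn=True, ack=True)
    probe = Packet("198.51.100.7", 80, "10.0.0.5", 22)  # SSH probe, sport 80
    out = {"stateless_probe": stateless_filter(probe),  # allow: looks like reply
           "stateful_request": fw.filter(request),
           "stateful_reply": fw.filter(reply),
           "stateful_probe": fw.filter(probe)}          # deny: not in state table
    fw.ids_alert("203.0.113.9")                         # IDS reports that peer
    out["reply_after_alert"] = fw.filter(reply)         # deny
    return out
```

The stateless filter passes the probe because a rule admitting "replies" from source port 80 has no way to know that no connection was ever opened; the state table rejects it.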
Reactive / Conditional Firewalls
• Autoblocking leading to a Denial of Service condition

Reactive / Conditional Firewalls
Some firewalls appear to change their rule set in the face of an attack - but results are very limited:
• Watchguard watches for attempted access to services defined as sensitive and for policy violations. When a violation is detected, the source is submitted to a preprocessor which discards all further packets involving that host.
• Checkpoint has an API which allows it to accept firewall rule modification from an external IDS. Should a compatible IDS detect an attack it could modify the firewall configuration to exclude the attacker.

Reactive / Conditional Firewalls
Some firewalls appear to change their rule set in the face of an attack - but results are very limited:
• Port Sentry monitors unused ports. Any attempt to access such ports is indicative of port scanning attacks or other probes. On detection, the local firewall/router configuration is modified to exclude the host involved.
• Guardian is a security program which operates by automatically updating firewall rules based upon alerts generated by Snort and blocking all incoming data from the IP address of the attacking machine.

Reactive / Conditional Firewalls
Reactive / conditional firewalls allow considerable flexibility in implementing packet filtering rules and proxies, ranging from elegant support for excluding attackers, to the ability to define complex traffic, state-tracking systems and bandwidth management systems.
Various terms can be used to describe a firewall which changes its rules based upon external conditions. Such terms include: conditional, adaptive, mutable, responsive or reactive firewalls.

Secure Transactions on the Internet/Intranet
• S/MIME - Secure Multipart Internet Mail Encoding
• SSH - Secure Shell (Telnet, FTP etc)
• PPTP - Point to Point Tunnelling Protocol
• SET - Secure Electronic Transactions
• IPv6 - IP version 6
• SSL/TLS - Secure Sockets Layer
• IPSec - Encrypted Tunnelling

Hole in the (Fire)wall ….. Holes for Hackers
[Figure: Client - Firewall - Server, with the protocols that pass through the firewall: TELNET, FTP, SNMP, SMTP, BROWSER, SET, S/MIME or PGP, HTTP/HTTPS, SSL/TLS, TCP, PPTP, UDP, IPSec, IPv4 and IPv6, over LAN (Ethernet) and WAN (PPP, ADSL, ISDN, Frame Relay, ATM) links]

Firewall Vendors
• Watchguard Technologies (Firebox 4500 System 5)
• Symantec Corp. (Symantec Enterprise Firewall v6.5.2)
• Stonesoft Corp. (Stonegate v17.0)
• SonicWall Inc. (SonicWall Tele3 v6.2)
• Secure Computing (Sidewinder v5.2)
• Global Technologies (GNAT Box v3.2)
• Network-1 Security Solutions (CyberwallPLUS v7.0)
• Cyberguard Corp. (CyberGuard KnightStar v5.0)
• Checkpoint Technologies (NG FW-1)
• Borderware Technologies (Firewall Server v6.5)
See also www.networkintrusion.co.uk

Personal Firewall Vendors
• Tiny Firewall (www.tinysoftware.com)
• BlackICE/Networkice (www.networkice.com)
• Norton (www.norton.com)
• SyGate (www.sygate.com) - www.sygate.com/products/centrally_managed_personal_firewall.htm
• Zone alarm (www.zonelabs.com) .. see on...
• Smoothwall (Linux) (www.smoothwall.org)
• IPCop (Linux) (www.ipcop.com)
The last two are loaded onto a gateway machine. IPCop is an offshoot of Smoothwall. Smoothwall can operate as a packet filtering IDS.

Personal Firewall Vendors - Zone alarm (www.zonelabs.com) …..
• Personal firewall with security settings of High, Medium, Low for both LAN and Internet connections
• Alerts occur during access to an unauthorised port.
  ZoneAlarm advises what the likely cause is and how indicative of an attack it is - hence it acts as an IDS
• Access is allowed/denied for programs on the host PC to connect to the Internet
• ZoneAlarm Pro $US50 for single user and $US1800 for 50 users
• ZoneAlarm - free for home users

Intrusion Detection Systems

What is an Intrusion?
Sequence of related actions by a malicious adversary that results in the occurrence of security threats to a target computer or network.
Indicators:
• Repetition of unusual behaviour
• Exploitation of known vulnerabilities
• Inconsistent packet sequences or routes
• Unexplained problems
• Suspicious traffic content

Major Reasons for Using Intrusion Detection Systems are…..
• To detect intruders, attacks, abuse...
• To detect probes
• To provide active network security
• To provide a means of deterrent
• To collect data on system behaviour so as to recover after intrusion
• To indirectly provide useful information

IDS Goals
• Differentiate normal from damaging actions
• Scalable
• Variety of network systems and architectures
• Adapts in response to new attacks
• Reports attacks in real-time
• Co-operates with other security mechanisms

History of IDS Developments/Products
[Figure: history of IDS developments and products]

IDS Goals
• Increase monitoring at suspicious points
• Protect against being attacked itself
• Function in face of network failure
• Minimal performance impact
• Generate audit information
• Reflect security policy of organisation

IDS Architecture
[Figure: IDS architecture]

IDS Architecture Components
• Sensors - data gathering for the IDS
• Monitors - process the collected data
• Resolver - determines appropriate responses
• Controller - configuration of components in a distributed system
Modern IDS apply these components in a cascading fashion, ie allowing higher level system overviews to be gained as a user ascends through the tree.

IDS Techniques
• Misuse Detection (M-IDS) - attempts to match observed v expected behaviour (eg signature analysis, Petri nets, state transition diagrams, genetic algorithms)
• Anomaly Detection (A-IDS) - models expected behaviour (eg statistical, expert systems, neural networks)

IDS Techniques
• Location of Sensors - network-based (no processing overheads and difficult to attack) or host-based (performance impact but good data collection)
• Monitor Processing Patterns - real-time (cf. batch) detection of significant benefit (performance issues)
• Distributed Correlation - simple interfaces (eg Shadow) or hierarchical (eg GrIDS)

Capabilities of IDS
• Second level of defence if primary security fails
• Clear view and summary (eg Tripwire)
• Extracts information useful in tracking intrusions
• Identifies nature of abuse (eg system modifications for later backdoor use)
• IDS logs as evidence in legal cases

Capabilities of IDS
• IDS can assist in detecting mis-configurations
• Combined with network security scanners, security holes can be revealed - eg finding a particular firewall is vulnerable to certain attacks
• IDS can determine which resources are targeted - simplifies detection
• IDS works well with security policy

Limitations of IDS
• Reporting tool - cannot stop ongoing intrusions
• Cannot trace intrusion with poor authentication
• Can only trace intrusion to point of entry to system
• Must be aware of security policy
• Attackers may attack IDS systems
• Depends upon seeing all traffic
• Models event - systems react in different ways
• Widely spread attacks may be ignored
• New attacks continually being discovered (new attacks every month)
• Scaling problems

IPS - Intrusion Prevention Systems
• Current IDS systems "notify" but do not react
• Current firewalls are mainly static rule based systems
• IPS implies a combination of IDS + Firewall
• "Conditional or Reactive" firewalls imply: IDS which responds to attacks in progress. This can still be static although sophisticated in its filtering and analysis engines. If this is the case - is it different from IDS + firewall?
• IDS / IPS / Firewall with dynamic rules which adapt to specific attack scenarios

Current Development in IDS
• Distributed and scalable IDS
• Use of AI and pattern matching
• Embedded IDS in network devices
• Use in other areas - telephone / credit card systems
• Adaptation to new technologies
• Automatic recognition of new attacks (adaptive AI)
• IDS standards/groups (eg CIDF, IDWG, IDSC ….)

Types of IDS
• Host-based (HIDS) - searches for mis-configurations and dangerous settings, unusual privileges etc; checks host security policies, dangerous or unnecessary services
• Network-based (NIDS)
• Hybrid
Vary according to whether: fixed/wireless; commercial/freeware; operating system.

Intrusion Detection Systems and Products - Manual Review Techniques
Full-scale IDS may not always be appropriate:
• connect a dummy service to ports (eg IMAP (143), SMB (139), HTTP (80)) - trigger a script when attacked
• use log files and audit info to build a critical log
• use simple monitors such as NetMon and FileMon

Host-Based IDS
Product | Platform | Licence | URL
GFi LANguard SELM | Windows | Commercial | http://www.gfi.com/lanselm/index.html
EMERALD eXpert-BSM | Solaris | Commercial | http://www.sdl.sri.com/projects/emerald/releases/eXpert-BSM/
ISS BlackICE | Windows | Commercial | http://blackice.iss.net
Symantec Host IDS | Windows/Solaris | Commercial | http://enterprisesecurity.symantec.com/products
LIDS | Linux | GPL | http://www.lids.org
GPL = General Public Licence

Network-Based IDS
Product | Platform | Licence | URL
AirDefense Guard (Wireless IDS) | Hardware | Commercial | www.airdefense.net/products/airdefense_ids.shtm
NetDetector Solution | Hardware | Commercial | www.niksun.com/index.php?id=194
Network Flight Recorder Security | Hardware | Commercial |
RealSecure Network Sensor | Windows/Linux/Solaris/Nokia | Commercial |
Symantec ManHunt | Solaris/Linux | Commercial |
Shoki | *nix | GPL | http://shoki.sourceforge.net
Snort | *nix | GPL | http://www.snort.org
Sourcefire Intrusion MS | Hardware | Commercial |
[*nix = UNIX compatible] [GPL = Public License]

Hybrid IDS
Product | Platform | Licence | URL
Prelude | *nix | GPL | http://www.prelude-ids.org
RealSecure Network Sensor | Windows/*nix | Commercial | www.iss.net/products_services

Example NIDS: SNORT
• Lightweight IDS system capable of performing real-time traffic analysis and packet logging
• Can perform protocol analysis, content searching/matching
• Can be used to detect a variety of attacks and probes, eg:
  • buffer overflows
  • stealth port scans
  • CGI attacks
  • SMB probes
  • OS fingerprinting attempts

Example IDS: SNORT
• Snort has three primary uses. It can be used as:
  • a packet sniffer like tcpdump
  • a packet logger (useful for network traffic debugging, etc)
  • a full network intrusion detection system
• Snort/IDS operates from a script rule file applied to each packet monitored
• Uses signature files to detect known attacks
• Provides specialised access to IP packets, eg fragmentation bit checks
• Links to full protocol stack
• Example rule (the options section is enclosed in parentheses):
  alert tcp any any -> 192.168.0.1/24 111 (content:"|00 01 86 A5|"; msg:"mountd access";)

Example IDS: BlackIce
• Host-based IDS for Windows and carries out extensive port analysis
• Four levels: Paranoid, Nervous, Cautious, Trusting
• Provides back-trace of intruders via NetBios
• Real time network usage graph
• http://blackice.iss.net

Example IDS: BlackIce Display
[Figure: BlackIce display screenshot]

Example IDS: ZoneAlarm
ZoneAlarm (= Firewall + IDS)
• www.zonelabs.com
• Personal firewall with security settings of High, Medium, Low for both LAN and Internet connections, and a mail attachment check setting
• Alerts occur when access to an unauthorised port is attempted.
  ZoneAlarm advises what the likely cause is and how indicative of an attack it is
• Access is allowed/denied for programs on the host PC to connect to the Internet
• ZoneAlarm Pro $US50 for single user and $US1800 for 50 users
• ZoneAlarm - free for home users

Tools Supporting Active Security
IDS Support Tools:
• Mapping Tools
• System Scanning Tools
• System Integrity Checkers
• Honeytraps / Honeypots

IDS Support Tools - Mapping Tools
Network Mappers
• Commercial and free tools available - nmap and CheopsNG
• Carry out DNS zone transfers, address/port scanning, host requests, promiscuous monitoring
• nmap sends a variety of packets with illegal flags, ICMP echos, fragmented packets etc to hosts and analyses the responses
• eg recognise Linux with kernels older than 2.0.35 by using a packet with SYN and illegal flags set

IDS Support Tools - Mapping Tools
Tool | Platform | Licence | URL
Cheops | *nix | GPL (no longer supported) | www.marko.net/cheops/
Cheops-NG | *nix | GPL | http://cheops-ng.sourceforge.net/
nmap | *nix/Windows | GPL | http://www.insecure.org/nmap

IDS Support Tools - System Scanning Tools
• Tools used to detect and report on vulnerabilities in a computer or network
• Uses a database of known vulnerabilities and attempts matching to these records
• For an attacker these tools allow location of potential specific targets, eg an open HTTP port with a known vulnerability

IDS Support Tools - System Scanning Tools
Tool | Platform | Licence | URL
Core Impact | Windows | Commercial |
GFi LANguard NSS | Windows | Commercial/Freeware |
ISS Internet Scanner | | Commercial |
Nessus | *nix | GPL | www.nessus.org
Rapid7 NeXpose | Linux/Windows | Commercial |
Retina | Windows | Commercial |

IDS Support Tools - System Integrity Checkers
• Detect anomalies which may indicate that data on the computer has been tampered with
• Cannot detect intruders until after the intrusion and so are not real-time like IDSs
• Stores a hashed snapshot of file systems, compares it to the current system state and reports discrepancies

IDS Support Tools - System Integrity Checkers
• Tripwire is the best example
• Commonly support hashing algorithms, eg MD4/5, SHA, ITU CRC-16 and -32 signatures
• Reference database based upon the initial trusted system
• Only reports changes already present in the system
• Last line of defence - the system is already compromised!

IDS Support Tools - System Integrity Checkers
Tool | Platform | Licence
Aide | *nix | GPL
Chkrootkit | *nix | Open Source
Integrit | *nix | GPL
Ionx Data Sentinel | Windows | Commercial
GFi LANguard SIM | Windows | Commercial/Freeware
Osiris | *nix | Open Source
Samhain | *nix | GPL
Tripwire | *nix/Windows | Commercial and Open Source

IDS Support Tools - Honeytraps
Current IDS methodologies have shortcomings:
• problem recognising novel attacks
• occurrence of false positives
• reporting of attacks of no interest
Honeytrap system - a simulated or real system that exists for the sole purpose of being attacked!
• Looks and behaves like a real system
• Must not be a launching pad
• Must gather valuable information on the attacker

IDS Support Tools - Honeytraps
Tool | Platform | Licence
Bait and Switch | *nix | BSD
KeyFocus Sensor | Windows | Commercial
NetBait Enterprise | i386-based | Commercial
Symantec Decoy Server | Solaris | Commercial
Verizon NetFacade | *nix | Commercial
NFR Back Officer Friendly (designed to prevent Back Orifice scans) | | Commercial but free trial

KFSensor Honeypot Output
[Figure: KFSensor honeypot output screenshot]

IDS Standards
• Common Intrusion Detection Framework (CIDF) - common protocols and interface standards (1999)
• Intrusion Detection Working Group (IDWG) - produced 4 Internet Drafts (2002)
• Open Security Evaluation Criteria (OSEC) - evaluation of and tests on products (2003)
• Intrusion Detection Systems Consortium (IDSC) - vendor consortium promoting product adoption by defining common terminology, integrity, standards

Intrusion Detection Experiments
• Watchguard firewall used as testbed for Intrusion Detection Analysis
• simulates a small office network
• single public server
• limited set of machines on the firewall's trusted network
• unspecified number of machines on the external network

Intrusion Detection Case Study
Sample firewall policy might be ….
• Incoming FTP traffic allowed (via proxy) only if destined for 204.137.98.164 - public server located in the optional network
• Outgoing FTP traffic allowed without restriction
• Incoming HTTP traffic allowed (via proxy) only if destined for 204.137.98.165
• Outgoing HTTP traffic allowed without restriction
• Incoming SMTP traffic allowed only to 177.209.49.31 (external firewall interface)
• Outgoing SMTP traffic allowed only from 177.209.0.25 (hypothetical SMTP server on the trusted network)
• Configuration access to the firewall allowed from internal networks
• IP Masquerading disabled
• Port Autoblocking disabled
• All other ports and services blocked

Intrusion Detection Case Study
1. Scan Web server (2) and IDS server (2) from Attack host (3) (all machines on a common network segment)
   • Scan 1 gives a baseline of what attacks the IDS tools are capable of recognising, and corresponds to an internal attack on the trusted network
2. Scan Web server (1) and IDS server (1) from Attack host (3) (attack on optional from trusted network)
   • Scan 2 simulates an internal attack against the optional network
3. Scan Web server (2) and IDS server (2) from Attack host (2) (attack on trusted from optional network)
   • Scan 3 simulates the result if a machine on the optional network is compromised and then attacks internal machines
4. Scan Web server (1) and IDS server (1) from Attack host (1) (external attack on optional network)
   • Scan 4 - very common case - an external attacker attempts to access machines on the optional network
5. Scan Web server (2) and IDS server (2) from Attack host (1) (external attack on trusted network)
   • Scan 5 is the same situation for the trusted network

Intrusion Detection Case Study - Conclusions
• IDS can highlight problems with firewall configurations
• Out-of-box configurations may be dangerous
• Firewalls protect inaccessible machines well
• Firewalls do not protect against application-level attacks
• Firewalls are themselves vulnerable to attack
• IDS tools can recognise many attacks
• IDS tools have different detection sets
• Network IDS recognise attacks from their area of coverage
• Network scanning tools are susceptible to false readings
• Firewalls offer minimal detection capabilities
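The Snort rule quoted on the Example IDS: SNORT slide (alert on port 111 traffic into 192.168.0.1/24 whose payload carries the bytes 00 01 86 A5), parsed and matched against constructed packets, as an added example that is not from the lecture or from Snort's own code; the packet addresses and the RPC payload bytes are constructed, and only the rule features that rule uses (CIDR/any addresses, single/any ports, one content match, msg) are handled:

```python
# Added example, not from the lecture slides or from Snort itself: a minimal
# parser and matcher for the rule quoted on the SNORT slide, run against
# constructed packets. Only the rule features that rule uses are handled.
import ipaddress
import re

RULE = ('alert tcp any any -> 192.168.0.1/24 111 '
        '(content:"|00 01 86 A5|"; msg:"mountd access";)')

def parse_content(spec: str) -> bytes:
    # Snort content syntax: text outside |...| is literal, inside is hex bytes.
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return bytes(out)

def parse_rule(text: str) -> dict:
    header, _, body = text.partition("(")
    action, proto, src, sport, arrow, dst, dport = header.split()
    if arrow != "->":
        raise ValueError("only unidirectional rules are supported here")
    opts = {}
    for key, val in re.findall(r'(\w+)\s*:\s*"([^"]*)"', body):
        opts[key] = parse_content(val) if key == "content" else val
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "opts": opts}

def addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    net = ipaddress.ip_network(spec, strict=False)  # 192.168.0.1/24 -> /24
    return ipaddress.ip_address(addr) in net

def port_match(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port

def match(rule: dict, pkt: dict):
    """Return the rule's msg if the packet triggers it, otherwise None."""
    if pkt["proto"] != rule["proto"]:
        return None
    if not (addr_match(rule["src"], pkt["src"])
            and port_match(rule["sport"], pkt["sport"])
            and addr_match(rule["dst"], pkt["dst"])
            and port_match(rule["dport"], pkt["dport"])):
        return None
    content = rule["opts"].get("content", b"")
    if content and content not in pkt["payload"]:
        return None
    return rule["opts"].get("msg")

def demo() -> dict:
    rule = parse_rule(RULE)
    # Constructed payload: an RPC portmapper query naming program number
    # 100005 (0x000186A5), which is mountd - the bytes the rule looks for.
    mountd_query = bytes(20) + b"\x00\x01\x86\xa5" + bytes(8)
    base = {"proto": "tcp", "src": "203.0.113.9", "sport": 1023,
            "dst": "192.168.0.7", "dport": 111}
    pkts = {
        "mountd_query": {**base, "payload": mountd_query},
        "other_rpc": {**base, "payload": bytes(20) + b"\x00\x01\x86\xa0"},
        "wrong_port": {**base, "dport": 80, "payload": mountd_query},
        "outside_net": {**base, "dst": "10.0.0.7", "payload": mountd_query},
    }
    return {name: match(rule, p) for name, p in pkts.items()}
```

Only the first constructed packet satisfies every header field and the content match, so only it produces the "mountd access" message.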