Common Security Attacks and Their Countermeasures


  • 8/8/2019 Common Security Attacks and Their Countermeasures

    Common security attacks and their countermeasures

    Attack                                       Countermeasure
    Finding a way into the network               Firewalls
    Exploiting software bugs, buffer overflows   Intrusion Detection Systems
    Denial of Service                            Ingress filtering, IDS
    TCP hijacking                                IPSec
    Packet sniffing                              Encryption (SSH, SSL, HTTPS)
    Social problems                              Education

    INTRODUCTION

    Firewalls are used to create security checkpoints at the boundaries of private networks or personal computers.
    As a result, firewalls are the first line of defense against outside attacks.
    Firewalls emerged in the early 1990s and became particularly popular around 1996, the time when some new attack techniques emerged (buffer overflows, remote exploits).

    INTRODUCTION (cont.)

    [Figure: the firewall sits between the INTERNET and the Secure Private Network (or My PC); its Security Policy decides WHO? WHEN? WHAT? HOW?]

    CAPABILITIES of FIREWALLS

    A firewall, defining a single choke point, simplifies security management because security capabilities are consolidated on a single system or set of systems.
    They provide a location for monitoring security-related events. Audit and alarms can be implemented on the firewalls.
    A firewall is a convenient platform for several functions that are not security related, such as Network Address Translation.
    A firewall can be used to implement VPNs.
    They can authenticate users with different authentication methods before users reach certain resources.

    TECHNIQUES USED by FIREWALLS

    Service Control: allows or blocks certain types of Internet services.
    Direction Control: determines the direction in which particular service requests may be initiated and allowed to flow.
    User Control: controls access to a service according to which user is attempting to access it.
    Behavior Control: controls how particular services are used.
    Time Control: controls when some services can be used.

    TYPES of FIREWALLS

    Firewalls can be classified according to different criteria:
    The place where they are deployed:
        Perimeter Firewalls
        Internal Firewalls
        Personal Firewalls
        Distributed Firewalls
    The layer in the network protocol stack at which they filter, and what they do:
        Packet Filtering Firewalls
        Circuit Gateways @ Transport Layer
        Application Gateways @ Application Layer
        Dynamic Packet Filtering Firewalls

    PACKET FILTERING FIREWALLS

    One of the oldest types of firewalls.
    Packet filters, historically implemented on routers, filter on user-defined content such as IP addresses.
    They examine a packet at the Network or Transport Layers.
    They are cheap and useful.

    PACKET FILTERING FIREWALLS (cont.)

    They are application independent; this feature is advantageous in terms of performance.
    Since they are not application-aware and cannot understand the context of a given communication, they are the least secure type of firewall and are good targets for intruders.
    Packet filtering is a three-step process:
        One must decide what should and should not be permitted, based on a pre-defined security policy.
        The allowable types of packets must be specified formally in terms of logical expressions on packet fields.
        The expressions should be rewritten in whatever syntax the vendor of the firewall supports.

    PACKET FILTERING FIREWALLS (cont.)

    Packet filtering is typically set up as a list of rules based on matches to fields in the IP or TCP header.
    If there is a match to one of the rules, that rule is invoked and a predefined action is taken, such as dropping the packet or forwarding it, possibly also warning the user or admin.
    The rules are evaluated from the top rule to the bottom rule; that ordering is also an important issue that should be carefully considered.
    Rules are created according to two different policies:
        Default = Discard: that which is not expressly permitted is prohibited.
        Default = Pass: that which is not expressly prohibited is permitted.
    The Default = Discard policy is more conservative: initially everything is blocked, and services are added on a case-by-case basis.
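The rule list, first-match evaluation and the two default policies described above, as an added example (not code from the slides); the rules, addresses and packets are constructed, and the shadowed-rule case shows why top-to-bottom order matters.

```python
# Added example (not from the slides): a packet filter as an ordered rule
# list with first-match, top-to-bottom evaluation and the two default
# policies the slides name. Rules and packets are constructed dicts.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Rule:
    action: str                   # "permit" or "deny"
    proto: Optional[str] = None   # "tcp"/"udp"; None matches any protocol
    src: Optional[str] = None     # source CIDR; None matches any address
    dst: Optional[str] = None     # destination CIDR; None matches any address
    dport: Optional[int] = None   # destination port; None matches any port

    def matches(self, pkt: dict) -> bool:
        """Every field that is set must match the header; unset fields are wildcards."""
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.src is not None and ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt["dst"]) not in ip_network(self.dst):
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


def filter_packet(rules: List[Rule], pkt: dict, default: str) -> str:
    """Return the action of the first rule that matches, else the default policy.

    default="discard": what is not expressly permitted is prohibited.
    default="pass":    what is not expressly prohibited is permitted.
    """
    for rule in rules:              # evaluated top to bottom; first match wins
        if rule.matches(pkt):
            return rule.action
    return "deny" if default == "discard" else "permit"


# Constructed policy: block telnet everywhere, allow HTTP and SMTP into the
# DMZ (192.0.2.0/24, a documentation prefix used here as a placeholder).
RULES = [
    Rule("deny", proto="tcp", dport=23),
    Rule("permit", proto="tcp", dst="192.0.2.0/24", dport=80),
    Rule("permit", proto="tcp", dst="192.0.2.0/24", dport=25),
]


def demo() -> dict:
    hdr = {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.10"}
    web, ssh, telnet = ({**hdr, "dport": p} for p in (80, 22, 23))
    # The same rules with a broad permit placed above the telnet deny: the
    # deny is shadowed, which is why rule order must be considered carefully.
    shadowed = [Rule("permit", proto="tcp", dst="192.0.2.0/24")] + RULES
    return {
        "web_discard": filter_packet(RULES, web, "discard"),           # permit
        "ssh_discard": filter_packet(RULES, ssh, "discard"),           # deny
        "ssh_pass": filter_packet(RULES, ssh, "pass"),                 # permit
        "telnet_pass": filter_packet(RULES, telnet, "pass"),           # deny
        "telnet_shadowed": filter_packet(shadowed, telnet, "discard"),  # permit
    }
```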

    CIRCUIT GATEWAYS

    The idea of a circuit gateway is fundamentally different from packet filtering.
    Circuit gateways do not permit an end-to-end TCP connection.
    A circuit gateway works at the TCP level: it takes a TCP connection request from a client, authenticates and authorizes the client, and establishes a second connection to the origin server on the client's behalf.
    After establishment of the connection, the circuit gateway simply relays data back and forth between the two connections.
    It does not interfere with the data stream.
    The single circuit gateway that is actually widely used is SOCKS.

    CIRCUIT GATEWAYS (cont.)

    Circuit gateways can bridge two networks that do not share any IP connectivity or DNS processing.

    APPLICATION GATEWAY

    Application gateways are also called proxy servers.
    Application gateways deal with the details of the particular service they are checking.
    Since they are dealing with details, they are usually more complex than packet filters.
    Rather than using a general-purpose mechanism to allow many different kinds of traffic to flow, special-purpose code is used for each desired application.
    Application gateways have another advantage: since they are controlling the content, they can be used as content filters.

    APPLICATION GATEWAY (cont.)

    The main disadvantage is the need for a specialized program or user interface for each different service.
    This results in supporting only basic services.

    DYNAMIC PACKET FILTERING FWs (cont.)

    A newer approach to packet filtering is Dynamic Packet Filtering based on Stateful Inspection.
    What is new with this approach is that, beside the functionality that stateless packet filters have, such as looking at header information, stateful inspection maintains state information about past IP packets.
    If the first packet in a TCP connection is permitted, state information is added to the state table in an internal database.
    Then the other packets of this connection can pass quickly through the firewall.
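The state-table behaviour just described, as an added example (not code from the slides): the policy is a constructed set of permitted destination ports, only a bare SYN is checked against it, and every later packet of a permitted connection passes on a table lookup until the connection is torn down.

```python
# Added example (not from the slides): a toy stateful packet filter. Only the
# first packet of a TCP connection (a bare SYN) is checked against the policy;
# once permitted, the flow is recorded in the state table and later packets of
# that connection, in either direction, pass on a table lookup alone.
from typing import Dict, List, Set, Tuple

FlowKey = Tuple[str, int, str, int]   # (src, sport, dst, dport)


class StatefulFilter:
    def __init__(self, allowed_dports: Set[int]):
        self.allowed_dports = allowed_dports   # constructed policy: permitted services
        self.state: Dict[FlowKey, str] = {}    # the state table (internal database)

    @staticmethod
    def _keys(pkt: dict) -> Tuple[FlowKey, FlowKey]:
        fwd = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        return fwd, rev

    def handle(self, pkt: dict) -> str:
        fwd, rev = self._keys(pkt)
        flags = pkt.get("flags", set())
        # Fast path: the connection is already in the state table.
        if fwd in self.state or rev in self.state:
            if "FIN" in flags or "RST" in flags:      # teardown: forget the flow
                self.state.pop(fwd, None)
                self.state.pop(rev, None)
            return "pass"
        # Slow path: a new connection request is checked against the policy.
        if flags == {"SYN"}:
            if pkt["dport"] in self.allowed_dports:
                self.state[fwd] = "established"
                return "pass"
            return "drop"
        # Mid-stream packet with no state: nothing permitted this flow.
        return "drop"


def demo() -> List[str]:
    fw = StatefulFilter(allowed_dports={80})
    c2s = {"src": "198.51.100.7", "sport": 40000, "dst": "192.0.2.10", "dport": 80}
    s2c = {"src": "192.0.2.10", "sport": 80, "dst": "198.51.100.7", "dport": 40000}
    return [
        fw.handle({**c2s, "flags": {"SYN"}}),                     # pass: policy check
        fw.handle({**s2c, "flags": {"SYN", "ACK"}}),              # pass: state lookup
        fw.handle({**c2s, "flags": {"ACK"}}),                     # pass: state lookup
        fw.handle({**c2s, "sport": 40001, "flags": {"ACK"}}),     # drop: no state
        fw.handle({**c2s, "dport": 22, "flags": {"SYN"}}),        # drop: not permitted
        fw.handle({**c2s, "flags": {"FIN", "ACK"}}),              # pass, entry removed
        fw.handle({**c2s, "flags": {"ACK"}}),                     # drop: state gone
    ]
```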

    PERIMETER FIREWALLS

    Traditional "firewall in a box".
    Inserted between trusted and untrusted network segments.
    Can support multiple networks (e.g. a server farm and a separate DMZ).
    Mature product, many vendors to choose from.
    Local control over firewall policy.
    Support VPNs and user authentication.
    All devices behind the firewall are protected, but only from stuff on the outside!
    Users don't need to manage anything.
    An outage affects only the systems behind the firewall.

    PERIMETER FIREWALLS (cont.)

    [Figure: Perimeter Firewall Structure: the Internet connects through the perimeter firewall to LAN 2, LAN 3 Secure Servers, LAN 3 Users and LAN 3 DMZ.]

    INTERNAL FIREWALLS

    Like perimeter firewalls, they allow only a limited set of traffic through between network segments.
    You may also be protecting parts of your internal network from other parts.

    PERSONAL FIREWALLS

    Personal firewalls are software-only firewalls that run on the computer they protect.
    Designed for individual users or small networks (e.g. Windows XP comes with a personal firewall).
    Inexpensive and easy to install and use; should offer clearly explained configuration options.
    Allow the user to access all necessary network and web resources, protect from external "hacking" and alert the user to malicious activity.

    PERSONAL FIREWALLS (cont.)

    [Figure: Personal Firewall Structure: Internet, LAN 2, and the personal firewall running on the protected host.]

    DISTRIBUTED FIREWALLS

    With distributed firewalls, each individual host enforces the security policy; however, the policy itself is set by a central management node.
    Rather than having a separate box on the edge of the network, a rule to reject unwanted connection attempts is created by the administrator and shipped out to every host within its management domain.
    Advantages:
        Eliminates the risk of central failure
        Suitable for mobile users
        Easy to customize some special connections

    DEPLOYMENT OF FIREWALLS

    Firewalls can be deployed in different structures:
        Screening router structure
        Screening host structure with Bastion host
        Screening host structure with dual-homed Bastion host
        DMZ structure
    Bastion host: a bastion host is a secured computer that allows an untrusted network (such as the Internet) access to a trusted network (your internal network). It is typically placed between the two networks and is often referred to as an application level gateway.
    Demilitarized zone (DMZ): a DMZ sits between an internal network and the outside world, and it's the best place to put your public servers. Examples of systems to place on a DMZ include Web servers, FTP servers, SMTP servers and log servers.

    DEPLOYMENT OF FIREWALLS (cont.)

    [Figure: Screening router structure]
    [Figure: Screening host structure with Bastion host]
    [Figure: Screening host structure with dual-homed Bastion host]
    [Figure: DMZ (Demilitarized Zone) structure]

    RISKS with FIREWALLS

    They are a pretty complex piece of software!!!
    Commercial firewall systems are closed software, which means that no one has really put them under the glass in a search for security problems...
    Over the last couple of years there have been just several bugs found in them...
    They just filter traffic coming from/to your network.
    They can handle dozens of application protocols, but unfortunately cannot protect you against malicious content.
    The security level of a network protected by a firewall system depends on many factors (DNS, routing infrastructure, security of client software...).
    There is always a great risk associated with so-called human error.

    WEAKNESSES of FIREWALLS

    Common firewall weaknesses include:
        Firewalls cannot protect against what is authorized. Firewalls protect applications and permit the normal communications traffic to those applications. If the applications themselves have flaws, a firewall will not stop the attack because, to the firewall, the communication is authorized.
        Firewalls are only as effective as the rules they are configured to enforce. An overly permissive rule set will diminish the effectiveness of the firewall.
        Firewalls cannot fix poor admin practices or a poorly designed security policy.
        Firewalls cannot stop attacks in which traffic does not pass through them.
        Firewalls are bottlenecks: Internet connections are getting faster, and the techniques for detecting potential issues are getting more complicated. More and more processing power is required just to stand still, and the technologies to do all this already exist. So it may just be the way forward, for large enterprise security systems at least.

    Intrusion Detection

    Used to monitor for suspicious activity on a network

    Can protect against known software exploits, likebuffer overflows

    Open Source IDS: Snort, www.snort.org

    IDS

    Introduction to IDS
    Classification of IDS
    IDS Models
    Available IDS Tools
    Conclusion & Future Work

    What is Intrusion?

    Intrusion: actions attempting to break into or misuse one's system in violation of an established policy.
    Types of intrusion:
        Attempted break-ins
        Masquerade attacks
        Penetration of the security control system
        Denial of Service
        Malicious use

    What is an IDS?

    IDS: a system trying to detect and alert on attempted intrusions into a system or network.
    Reactive rather than proactive (usually does not prevent unauthorized users from entering the network, only identifies that an intrusion has occurred).
    May provide diagnostic information, too.
    Objective: 100% accuracy.
        False positive: false alarm
        False negative: letting an attack pass undetected

    Elements of a Basic IDS Model

    Audit Data (logs)
        Keyboard inputs, command-based or application-based logs
    Reference Data Store
        Intrusion signatures (known attack patterns)
        Profiles of normal behaviours
    Algorithms searching for suspicious behaviour
    Alarm
    Data Collection Issues
    Response Issues

    Classifying IDSs

    Offline vs. Online
    Host-Based vs. Network-Based
    Anomaly Detection vs. Misuse Detection

    Offline vs. Online

    Offline
        audit data is processed periodically, not in real time
        works on audit logs
        data mining
    Online
        audit data is processed in real time, continuously
        may react to and prevent an intrusion that is still going on

    Host-Based vs. Network-Based (1)

    Host-Based / HIDS
        Software installed on each node
        Typical host-based intrusion counter actions:
            Account scans (looking for default accounts with no password set)
            Log auditing (Windows: Event log; Linux/Unix: Syslog)
            Locating Trojans and backdoors
            Checking the integrity of files and user privileges by digital fingerprints (calculating more than one hash of the same file)
    Disadvantage:
        Consumes CPU time, storage, memory and other system resources
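The file-integrity check listed above (more than one hash of the same file, plus the permission bits that carry user privileges), as an added example that is not from the slides: the files, their baseline and the tampering are all constructed in a temporary directory, and the mode check assumes a POSIX host.

```python
# Added example (not from the slides): host-based integrity checking with
# digital fingerprints. Each file is fingerprinted with two independent hashes
# of its content plus its permission bits, so a later audit reports content
# changes and privilege changes (e.g. a setuid bit appearing). POSIX assumed.
import hashlib
import os
import stat
import tempfile
from typing import Dict, List

ALGORITHMS = ("sha256", "sha1")   # more than one hash of the same file

def fingerprint(path: str) -> dict:
    hashes = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            for h in hashes.values():
                h.update(chunk)
    return {
        "digests": {name: h.hexdigest() for name, h in hashes.items()},
        "mode": stat.S_IMODE(os.stat(path).st_mode),   # permission bits only
    }

def baseline(paths: List[str]) -> Dict[str, dict]:
    """Fingerprint a known-good system; keep the result where the host cannot rewrite it."""
    return {p: fingerprint(p) for p in paths}

def audit(base: Dict[str, dict]) -> List[str]:
    """Compare the live files against the baseline and list every deviation."""
    findings = []
    for path, ref in base.items():
        if not os.path.exists(path):
            findings.append(f"MISSING {path}")
            continue
        cur = fingerprint(path)
        if cur["digests"] != ref["digests"]:
            findings.append(f"MODIFIED {path}")
        if cur["mode"] != ref["mode"]:
            findings.append(f"MODE {path} {oct(ref['mode'])}->{oct(cur['mode'])}")
    return findings

def _write(path: str, text: str, mode: int) -> None:
    with open(path, "w") as f:
        f.write(text)
    os.chmod(path, mode)

def demo() -> List[str]:
    d = tempfile.mkdtemp()
    passwd, login = os.path.join(d, "passwd"), os.path.join(d, "login")
    _write(passwd, "root:x:0:0::/root:/bin/sh\n", 0o644)   # constructed sample files
    _write(login, "original program\n", 0o755)
    base = baseline([passwd, login])
    # Constructed tampering: an unexpected extra account line, and login made setuid.
    with open(passwd, "a") as f:
        f.write("eve:x:0:0::/:/bin/sh\n")
    os.chmod(login, 0o4755)
    return audit(base)   # ["MODIFIED .../passwd", "MODE .../login 0o755->0o4755"]
```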

    Host-Based vs. Network-Based (2)

    Network-Based / NIDS
        Monitors all packets on the network wire
        e.g. may watch for a large number of TCP connection requests to many different ports
        Either runs on a single machine (hub, router, etc.) or is divided into several sensors and one central analysis point
        Usually utilizes a network adapter
        Typically host-independent, but may be a software package installed on a dedicated host
        Monitors numerous hosts simultaneously, but may suffer from performance problems as network speed increases

    Anomaly Detection vs. Misuse Detection (1)

    Anomaly Detection:
        Assumption: attacks differ from normal behaviour
        Analyses the network or system and infers what is normal (establishes a "normal activity profile")
        Interprets deviations from this normal behaviour as an intrusion
    [Figure: audit data is compared with the system profile; if it is statistically deviant the attack state is raised, otherwise the profile is updated; new profiles are generated dynamically]
        Activity measures such as CPU time used, number of network connections in a time period
        Profile generation: a one-time activity; current and previous profiles may be merged at intervals
        Adjustment of threshold levels is very important

    Anomaly Detection vs. Misuse Detection (2)

    Anomaly Detection:
        Advantages:
            May catch novel attacks we have not seen before
        Disadvantages:
            Current implementations do not work very well (too many false positives/negatives)
            Cannot categorize attacks very well
            Difficult to train in highly dynamic environments
            The system may be gradually trained by intruders
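The statistical profile, deviation test and interval merging from the previous slide, together with the "gradually trained by intruders" disadvantage above, as an added example that is not from the slides: the activity numbers are constructed, and the bounded merge is an assumed mitigation, not something the slides prescribe.

```python
# Added example (not from the slides); the activity numbers are constructed.
import statistics
from typing import List, Tuple

TRAINING = [8, 10, 12, 9, 11, 10, 9, 11, 10, 10]   # "normal" connections per minute

class Profile:
    def __init__(self, samples: List[float], k: float = 3.0):
        self.samples, self.k = list(samples), k
        self._recompute()

    def _recompute(self) -> None:
        self.mean = sum(self.samples) / len(self.samples)
        self.std = statistics.pstdev(self.samples) or 1.0

    def is_deviant(self, x: float) -> bool:   # more than k std devs from the mean
        return abs(x - self.mean) > self.k * self.std

    def merge(self, accepted: List[float]) -> None:   # merge an interval into the profile
        self.samples.extend(accepted)
        self._recompute()

def audit_interval(profile: Profile, observations: List[float]) -> Tuple[List[float], List[float]]:
    """Split one interval's audit data into alarms and accepted (normal) observations."""
    alarms, accepted = [], []
    for x in observations:
        (alarms if profile.is_deviant(x) else accepted).append(x)
    return alarms, accepted

def bounded_merge(profile: Profile, baseline_mean: float, accepted: List[float],
                  max_drift: float = 0.25) -> bool:
    """Assumed mitigation: refuse a merge that would move the mean more than
    max_drift (as a fraction) from the original baseline; return whether it merged."""
    candidate = Profile(profile.samples + accepted, profile.k)
    if abs(candidate.mean - baseline_mean) > max_drift * baseline_mean:
        return False                      # leave it for an operator to review
    profile.merge(accepted)
    return True

def poison(profile: Profile, rounds: int, guarded: bool) -> int:
    """An intruder feeds, every interval, a value just under the alarm threshold."""
    baseline_mean, refused = profile.mean, 0
    for _ in range(rounds):
        v = profile.mean + 0.9 * profile.k * profile.std
        _, accepted = audit_interval(profile, [v])   # never an alarm, by construction
        if not guarded:
            profile.merge(accepted)
        elif not bounded_merge(profile, baseline_mean, accepted):
            refused += 1
    return refused

def demo() -> dict:
    naive, guarded = Profile(TRAINING), Profile(TRAINING)
    poison(naive, 25, guarded=False)
    refused = poison(guarded, 25, guarded=True)
    return {"baseline_flags_50": Profile(TRAINING).is_deviant(50),   # True
            "naive_flags_50": naive.is_deviant(50),       # False: the profile drifted
            "guarded_flags_50": guarded.is_deviant(50),   # True
            "guarded_refused": refused}                   # > 0
```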

    Anomaly Detection vs. Misuse Detection (3)

    Misuse Detection:
        Attacks are known in advance (signatures)
        Matches signatures against the audit data stream
        The attack signatures are usually specified as rules
    [Figure: audit data is matched against the rule set; on a rule match the attack state is raised; existing rules may be modified and new rules added]

    Anomaly Detection vs. Misuse Detection (4)

    Misuse Detection:
        Advantages:
            Easy to implement, deploy, update and understand
            Low rate of false positives
            Fast
        Disadvantages:
            Cannot detect previously unknown attacks
            Constantly needs to be updated with new rules
            Only as good as the database of attack signatures
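Signature matching over an audit data stream as described on the previous slide, and the "unknown attack" and "needs new rules" limits listed above, as an added example that is not from the slides: rules, packets and signature contents are constructed (the rule form is only in the spirit of Snort-style rules, not Snort's syntax).

```python
# Added example (not from the slides): misuse detection as rule matching over
# an audit data stream. Rules and packets are constructed; the rule form is
# only in the spirit of Snort-style signatures. It also shows the listed limit:
# a previously unknown attack produces no alert until a rule for it is added.
from typing import List, Optional

class Signature:
    def __init__(self, sid: int, msg: str, proto: str, dport: Optional[int], content: bytes):
        self.sid, self.msg, self.proto, self.dport, self.content = sid, msg, proto, dport, content

    def matches(self, pkt: dict) -> bool:
        """Header fields must match and the content bytes must occur in the payload."""
        return (pkt["proto"] == self.proto
                and (self.dport is None or pkt["dport"] == self.dport)
                and self.content in pkt["payload"])

class MisuseDetector:
    def __init__(self, rules: List[Signature]):
        self.rules = list(rules)          # the signature database

    def add_rule(self, rule: Signature) -> None:
        self.rules.append(rule)           # "constantly needs to be updated"

    def scan(self, stream: List[dict]) -> List[str]:
        alerts = []
        for i, pkt in enumerate(stream):  # the audit data stream
            for rule in self.rules:
                if rule.matches(pkt):
                    alerts.append(f"#{i} sid:{rule.sid} {rule.msg}")
        return alerts

# Constructed audit stream: two benign requests and two attack-looking ones.
STREAM = [
    {"proto": "tcp", "dport": 80, "payload": b"GET /index.html HTTP/1.0\r\n"},
    {"proto": "tcp", "dport": 80, "payload": b"GET /../../../etc/passwd HTTP/1.0\r\n"},
    {"proto": "tcp", "dport": 21, "payload": b"USER anonymous\r\n"},
    {"proto": "tcp", "dport": 80, "payload": b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n"},
]

KNOWN_RULES = [
    Signature(1, "WEB directory traversal attempt", "tcp", 80, b"../.."),
]

def demo() -> dict:
    ids = MisuseDetector(KNOWN_RULES)
    before = ids.scan(STREAM)          # only the traversal is caught
    # The phf request is a different pattern with no signature yet, so nothing
    # fires on it until a rule for it is added to the database.
    ids.add_rule(Signature(2, "WEB cgi-bin phf access", "tcp", 80, b"/cgi-bin/phf"))
    after = ids.scan(STREAM)
    return {"before": before, "after": after}
```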

    Available IDS Tools

    Commercial: RealSecure
    Public-Domain: Shadow, Snort
    Research Prototypes: Emerald

    RealSecure

    Real-time IDS
    3-part architecture:
        Network-based recognition engine
            Monitors a network segment and looks for packets that match attack signatures
            Response: terminate connection, send alert, record session, reconfigure firewall
        Host-based recognition engine
            Analyses system logs
            Response: terminate user processes, suspend user accounts
        Administrator's module
    www.iss.net

    Shadow

    Composed of:
        Sensors
            Reside at key monitoring points in the network (outside the firewall)
            Extract packet headers and save them to a monitoring file
        Analysis station
            Inside the firewall
            Reads the monitoring file periodically
    A joint venture of the Naval Surface Weapons Center Dahlgren, Network Flight Recorder, the National Security Agency, and the SANS Institute
    www.nswc.navy.mil/ISSEC/CID/


    Snort

    Open-source, public-domain ID tool
    Real-time traffic analysis and packet logging on IP networks
    Protocol analysis, content searching / matching
    Flexible rules language to describe traffic that it should collect or pass
    Large group of users who contribute new signatures
    Installation guides written in Turkish!

    www.snort.org