CS165 – Computer Security – csong/cs165/17/l/network2.pdf – Firewalls • Exploiting software bugs, ...
Firewalls and IDS
Nov 22nd, 2017
CS165 – Computer Security
Administrivia
• Lab 3 – Due: Monday Dec 11th
  – 3 challenges: bypass stack cookie, bypass NX, bypass 32-bit ASLR
• Homework 2 – Due: Wednesday Nov 29th
  – OS security + crypto
Common network security attacks and their countermeasures
• Packet sniffing and spoofing – Encryption (SSH, SSL, HTTPS)
• Finding a way into the network – Firewalls (NEXT)
• Exploiting software bugs, buffer overflows – Intrusion Detection Systems
• Denial of Service – Ingress filtering, IDS
Finding a way into the network – Scanning

Output of an nmap host-discovery scan of a local network, as shown on the slide:
Host 192.168.2.1 appears to be up.
MAC Address: 00:04:E2:34:B6:CE (SMC Networks)
Host 192.168.2.79 appears to be up.
MAC Address: 00:11:11:5B:7A:CD (Intel)
Host 192.168.2.82 appears to be up.
MAC Address: 00:10:5A:0D:F6:D7 (3com)
Host 192.168.2.198 appears to be up.
MAC Address: 00:10:DC:55:89:27 (Micro-star International)
Host 192.168.2.199 appears to be up.
MAC Address: 00:C0:4F:36:33:91 (Dell Computer)
Host 192.168.2.200 appears to be up.
MAC Address: 00:0C:41:22:CC:01 (The Linksys Group)
Host 192.168.2.251 appears to be up.
MAC Address: 00:0F:66:75:3D:75 (Cisco-Linksys)
Does That Matter?
• If they identify a service that has a known vulnerability (e.g., buffer overflow), they can launch the corresponding exploit

Port scan of a single host:
$ nmap -Pn www.cs.ucr.edu
Starting Nmap 6.40 ( http://nmap.org ) at 2015-11-17 20:03 UTC
Nmap scan report for www.cs.ucr.edu (169.235.30.15)
Host is up (0.00033s latency).
rDNS record for 169.235.30.15: thoth.cs.ucr.edu
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
5666/tcp open  nrpe
Firewalls
• Basic problem – many network applications and protocols have security problems that are fixed over time
  – Difficult for users to keep up with changes and keep the host secure
• Solution
  – Administrators limit access to end hosts by using a firewall
  – Firewall is kept up-to-date by administrators
Access Control (recall the reference-monitor model)
Principal (source) → Reference Monitor (guard) → Object (resource): a requested operation reaches the object only once the guard has turned it into an approved operation.
Authentication establishes who the principal is; authorization decides which operations it may perform.

Network Access Control
Security requirement:
• Control access to network information and resources
• Protect the network from attacks
[Figure: the firewall plays the reference-monitor role between the Internet and the protected network; a blocked request from the Internet raises an ALERT.]
Firewalls
• From Webster's Dictionary: a wall constructed to prevent the spread of fire
• Internet firewalls are more the moat around a castle than a building firewall
• Controlled access point
What is a Firewall?
• Device that provides secure connectivity between networks (internal/external; varying levels of trust)
• Used to implement and enforce security policies for communication between networks
[Figure: a firewall behind the Internet-facing router separates the trusted networks (intranet, trusted users) from the untrusted networks & servers (Internet, untrusted users); a DMZ holds the publicly accessible servers & networks.]
Goals
Enforce least privilege by:
1. Blocking access to network services
Provide defense in depth by:
1. Blocking attacks against hosts and services
2. Controlling traffic between zones of trust
Dimensions
• Hardware vs. software – ipfw, ipchains, pf on Unix systems, iptables on Linux; Windows and macOS have built-in firewalls
• Host vs. Network
• Stateless vs. Stateful
Host-based vs. Network-based
Host-based Firewall
[Figure: Host – Firewall – Outside; the firewall runs on the host itself]
Features:
• Faithful to local configuration
• Travels with you
Network-Based Firewall
[Figure: Hosts A, B, C – Firewall – Outside; one firewall in front of the whole network]
Features:
• Protects the whole network
• Can make decisions on all of the traffic (traffic-based anomaly detection)
Parameters
Types of Firewalls
1. Packet Filtering
2. Stateful Inspection
3. Application proxy
Policies
1. Default allow
2. Default deny
Recall: Protocol Stack
Application (e.g., SSL) – Transport (e.g., TCP, UDP) – Network (e.g., IP) – Link Layer (e.g., Ethernet) – Physical
Encapsulation: the application message (data) is split into TCP segments, each carrying a TCP header; each segment gets an IP header; each IP packet is framed with a link (Ethernet) header and trailer:
  [ETH header][IP header][TCP header][data][ETH trailer]
Stateless Firewall
Filter by packet header fields:
1. IP fields (e.g., src, dst)
2. Protocol (e.g., TCP, UDP, ...)
3. Flags (e.g., SYN, ACK)
[Figure: Outside – Firewall – Inside; the firewall looks only at the network and transport layer headers of each packet]
e.g., iptables in Linux 2.4 and above
Example: only allow incoming DNS packets to name server A.A.A.A.
  Allow UDP port 53 to A.A.A.A
  Deny UDP port 53 all
Fail-safe good practice: deny everything the rules do not explicitly allow.
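As an added example (not code from the slides): a stateless packet filter in Python that evaluates the slide's DNS policy with first-match semantics and a default-deny fall-through. It also shows the limitation that motivates the next slides: a stateless rule that lets "reply" traffic in by looking at the ACK flag alone cannot tell a genuine reply from an unsolicited SYN/ACK. A.A.A.A is the slide's placeholder name-server address; the other addresses, the Packet and Rule classes and the REPLIES_ONLY policy are constructed for this example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed packet header: only the fields a stateless filter can see.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                              # "tcp" or "udp"
    dport: int
    flags: FrozenSet[str] = frozenset()     # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}

# One filter rule; a field left as None matches anything.
@dataclass
class Rule:
    action: str                             # "allow" or "deny"
    proto: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    flags: Optional[FrozenSet[str]] = None  # exact flag set to match

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.dst is None or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.flags is None or self.flags == p.flags))

def filter_packet(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """First matching rule decides; anything unmatched gets the default (fail-safe: deny)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default

NAME_SERVER = "A.A.A.A"   # the slide's placeholder name-server address

# The slide's policy: allow UDP/53 only to the name server, deny UDP/53 to everyone else.
DNS_POLICY = [
    Rule("allow", proto="udp", dst=NAME_SERVER, dport=53),
    Rule("deny", proto="udp", dport=53),
]

def dns_example():
    to_ns = Packet("198.51.100.7", NAME_SERVER, "udp", 53)
    to_other = Packet("198.51.100.7", "B.B.B.B", "udp", 53)
    ssh_syn = Packet("198.51.100.7", NAME_SERVER, "tcp", 22, frozenset({"SYN"}))
    # ssh_syn matches no rule, so the default-deny fall-through drops it.
    return (filter_packet(DNS_POLICY, to_ns),
            filter_packet(DNS_POLICY, to_other),
            filter_packet(DNS_POLICY, ssh_syn))

# A stateless "replies only" policy: block inbound TCP that opens a connection (pure SYN)
# and let everything else through, on the theory that ACK-bearing segments are replies.
REPLIES_ONLY = [
    Rule("deny", proto="tcp", flags=frozenset({"SYN"})),
    Rule("allow", proto="tcp"),
]

def unsolicited_synack_passes() -> bool:
    # Nobody inside sent a SYN for this, but a SYN/ACK carries ACK, so the rule cannot tell.
    synack = Packet("203.0.113.9", "10.0.0.5", "tcp", 40000, frozenset({"SYN", "ACK"}))
    return filter_packet(REPLIES_ONLY, synack) == "allow"

if __name__ == "__main__":
    print(dns_example())                # ('allow', 'deny', 'deny')
    print(unsolicited_synack_passes())  # True: deciding this correctly needs state
```

Rule order matters: swapping the two DNS rules would deny the name server as well, because the first match wins. Deciding whether a SYN/ACK was preceded by a SYN is exactly what the next slides add state for.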
Need to keep state
Example: TCP handshake firewall (Inside client ↔ Outside server)
  Client: SYN with SN_C ← rand, AN_C ← 0              (firewall state: Listening → Wait)
  Server: SYN/ACK with SN_S ← rand, AN_S ← SN_C + 1    (firewall stores SN_C, SN_S)
  Client: ACK with SN ← SN_C + 1, AN ← SN_S + 1        (firewall state: Established)
Desired policy: every SYN/ACK must have been preceded by a SYN.
Stateful Inspection Firewall
Added state (plus the obligation to manage it):
– Timeouts
– Size of table
[Figure: Outside – Firewall – Inside; the firewall keeps a state table next to its inspection of the network and transport headers]
e.g., iptables in Linux 2.4
Stateful: More Expressive
Example: TCP handshake firewall (Inside client ↔ Outside server), with the check the firewall performs at each step:
  Client: SYN, SN_C ← rand, AN_C ← 0              → record SN_C in table
  Server: SYN/ACK, SN_S ← rand, AN_S ← SN_C + 1    → verify AN_S against the SN_C in the table, record SN_S
  Client: ACK, SN ← SN_C + 1, AN ← SN_S + 1        → verify SN_C (and SN_S) in table; connection Established
Stateful Firewalls
Pros
• More expressive
Cons
• State-holding attack
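An added example, not code from the lecture: a stateful inspection firewall in Python that enforces the handshake policy of the preceding slides (every SYN/ACK must be preceded by a SYN from the inside, and the sequence/acknowledgement numbers must agree with the table) and implements the timeout that the slides list as an obligation of keeping state. Hosts, ports, sequence numbers and the Segment class are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: FrozenSet[str]   # subset of {"SYN", "ACK"}
    seq: int                # sequence number (SN)
    ack: int                # acknowledgement number (AN)

SYN = frozenset({"SYN"})
SYNACK = frozenset({"SYN", "ACK"})
ACK = frozenset({"ACK"})

class StatefulFirewall:
    """Tracks TCP handshakes opened from the inside and drops whatever the table cannot explain."""

    def __init__(self, inside_hosts, timeout: int = 60):
        self.inside = set(inside_hosts)
        self.timeout = timeout
        self.now = 0
        # key = (client, client port, server, server port) -> {"state", "sn_c", "sn_s", "t"}
        self.table: Dict[Tuple[str, int, str, int], dict] = {}

    def tick(self, seconds: int) -> None:
        """Advance the clock and expire idle entries (the 'timeouts' obligation)."""
        self.now += seconds
        for key in [k for k, e in self.table.items() if self.now - e["t"] > self.timeout]:
            del self.table[key]

    def inspect(self, s: Segment) -> str:
        from_inside = s.src in self.inside
        key = (s.src, s.sport, s.dst, s.dport) if from_inside else (s.dst, s.dport, s.src, s.sport)
        if from_inside and s.flags == SYN:
            self.table[key] = {"state": "wait", "sn_c": s.seq, "t": self.now}   # record SN_C
            return "allow"
        e = self.table.get(key)
        if e is None:
            return "drop"                 # no SYN preceded this segment
        if not from_inside and s.flags == SYNACK:
            # A SYN/ACK is only valid for a waiting entry and must acknowledge SN_C + 1.
            if e["state"] == "wait" and s.ack == e["sn_c"] + 1:
                e.update(state="synack", sn_s=s.seq, t=self.now)                 # record SN_S
                return "allow"
            return "drop"
        if from_inside and e["state"] == "synack" and "ACK" in s.flags:
            # Third step: verify SN_C + 1 and SN_S + 1 against the table.
            if s.seq == e["sn_c"] + 1 and s.ack == e["sn_s"] + 1:
                e.update(state="established", t=self.now)
                return "allow"
            return "drop"
        if e["state"] == "established":
            e["t"] = self.now             # data in either direction refreshes the entry
            return "allow"
        return "drop"

def handshake_demo():
    fw = StatefulFirewall(inside_hosts={"10.0.0.5"})
    c, srv = "10.0.0.5", "203.0.113.10"        # constructed inside client and outside server
    sn_c, sn_s = 1000, 5000                     # constructed initial sequence numbers
    r_syn = fw.inspect(Segment(c, srv, 40000, 80, SYN, sn_c, 0))
    r_synack = fw.inspect(Segment(srv, c, 80, 40000, SYNACK, sn_s, sn_c + 1))
    r_ack = fw.inspect(Segment(c, srv, 40000, 80, ACK, sn_c + 1, sn_s + 1))
    r_data = fw.inspect(Segment(srv, c, 80, 40000, ACK, sn_s + 1, sn_c + 1))
    # An unsolicited SYN/ACK from outside: nothing in the table explains it.
    r_bogus = fw.inspect(Segment("198.51.100.9", c, 443, 40001, SYNACK, 7, 8))
    fw.tick(120)                                 # idle longer than the timeout: entry is expired
    r_stale = fw.inspect(Segment(c, srv, 40000, 80, ACK, sn_c + 50, sn_s + 1))
    return r_syn, r_synack, r_ack, r_data, r_bogus, r_stale, len(fw.table)

if __name__ == "__main__":
    print(handshake_demo())   # ('allow', 'allow', 'allow', 'allow', 'drop', 'drop', 0)
```

The timeout is what keeps the table bounded in normal operation; the cost of that state, and what an attacker can do with it, is the state-holding attack at the end of the deck.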
Application Firewall
Check protocol messages directly
Examples:
– SMTP virus scanner
– Proxies
– Application-level callbacks
[Figure: Outside – Firewall – Inside; the firewall keeps state and inspects all the way up to the application layer]
Common network security attacks and their countermeasures
• Packet sniffing and spoofing – Encryption (SSH, SSL, HTTPS)
• Finding a way into the network – Firewalls
• Exploiting software bugs, buffer overflows – Intrusion Detection Systems (NEXT)
• Denial of Service – Ingress filtering, IDS
Intrusion Detection
• Intrusion
  – A set of actions aimed to compromise the security goals, namely
    • confidentiality, integrity, or availability of a computing and networking resource
• Intrusion detection
  – The process of identifying and responding to intrusion activities
Network Firewall vs. Network IDS
• Firewall (also IPS)
  – Active filtering
  – Fail-close
• Network IDS (also censorship systems)
  – Passive monitoring
  – Fail-open
[Figure: the FW sits inline on the traffic path; the IDS watches a copy of the traffic off the path]
Why is Intrusion Detection Necessary?
If our operating systems and software were kept up-to-date and free from vulnerabilities, prevention alone would be enough. They are not, so prevention is backed by detection, and detection by the ability to react and survive:
Prevent → Detect → React/Survive
Security principle: layered mechanisms
IDS and Firewall Goals
Expressiveness: What kinds of policies can we write?
Effectiveness: How well does it detect attacks while avoiding false positives?
Efficiency: How many resources does it take, and how quickly does it decide?
Ease of use: How much training is necessary? Can a non-security expert use it?
Security: Can the system itself be attacked?
Transparency: How intrusive is it to use?
Elements of Intrusion Detection
• Primary assumptions:
  – System/network activities are observable
  – Normal and intrusive activities have distinct evidence
  – Counterexamples that break the assumptions?
• Components of intrusion detection systems:
  – From an algorithmic perspective:
    • Features – capture intrusion evidence
    • Models – piece evidence together
  – From a system architecture perspective:
    • Audit data processor, knowledge base, decision engine, alarm generation and responses
Components of an Intrusion Detection System
[Figure: system activities → Audit Records → Audit Data Preprocessor → Activity Data → Detection Engine (driven by Detection Models) → Alarms → Decision Engine (driven by a Decision Table) → Action/Report]
Assumptions behind the pipeline: system activities are observable; normal and intrusive activities have distinct evidence.
Intrusion Detection Approaches
• Modeling
  – Features: evidence extracted from audit data
  – Analysis approach: piecing evidence together
    • Misuse (policy-based) detection (signature-based, e.g., Snort, Bro)
    • Anomaly detection (e.g., statistical-based)
• Deployment: Network-based or Host-based
• Development and maintenance
  – Hand-coding of "expert knowledge"
  – Learning based on audit data
Misuse-based Detection
[Figure: activities → pattern matching against Intrusion Patterns → intrusion]
Example: if (src_ip == dst_ip) then "land attack"
Can't detect new attacks
Misuse-Based IDS
Use pre-determined rules to detect attacks
Examples: Regular expressions (Snort)
Example Snort rules:
Detect any fragments less than 256 bytes:
  alert tcp any any -> any any (minfrag: 256; msg: "Tiny fragments detected, possible hostile activity";)
Detect IMAP buffer overflow:
  alert tcp any any -> 192.168.1.0/24 143 (content: "|90C8 C0FF FFFF|/bin/sh"; msg: "IMAP buffer overflow!";)
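An added example, not part of the slides and not Snort's own code: a minimal matcher in Python for the two rule lines above, together with the land-attack pattern from the previous slide. The rule grammar it parses is the small subset of Snort's syntax needed for these two rules (header with destination network and port, plus the msg, content and minfrag options). The packets are constructed; the frag_size field stands in for the IP fragment length that minfrag inspects.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed packet: frag_size stands in for the IP fragment length that minfrag inspects.
@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes
    frag_size: int = 1500

@dataclass
class Rule:
    msg: str
    dst_net: str = "any"
    dst_port: str = "any"
    content: Optional[bytes] = None   # byte string that must appear in the payload
    minfrag: Optional[int] = None     # alert on fragments smaller than this

def parse_content(spec: str) -> bytes:
    """Snort content syntax: literal text with |hex bytes| sections, e.g. '|90C8 C0FF FFFF|/bin/sh'."""
    out = b""
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part.replace(" ", "")) if i % 2 else part.encode()
    return out

# Only the subset of the rule grammar needed for the two rules on the slide.
RULE_RE = re.compile(r'alert tcp (\S+) (\S+) -> (\S+) (\S+) \((.*)\)')

def parse_rule(text: str) -> Rule:
    m = RULE_RE.match(text.strip())
    if m is None:
        raise ValueError("unsupported rule: %s" % text)
    _src_net, _src_port, dst_net, dst_port, opts = m.groups()
    rule = Rule(msg="", dst_net=dst_net, dst_port=dst_port)
    for opt in (o.strip() for o in opts.split(";")):
        if not opt:
            continue
        key, _, val = opt.partition(":")
        val = val.strip().strip('"')
        if key == "msg":
            rule.msg = val
        elif key == "content":
            rule.content = parse_content(val)
        elif key == "minfrag":
            rule.minfrag = int(val)
    return rule

def matches(rule: Rule, p: Packet) -> bool:
    if rule.dst_net != "any" and ip_address(p.dst_ip) not in ip_network(rule.dst_net, strict=False):
        return False
    if rule.dst_port != "any" and int(rule.dst_port) != p.dst_port:
        return False
    if rule.minfrag is not None and p.frag_size >= rule.minfrag:
        return False
    if rule.content is not None and rule.content not in p.payload:
        return False
    return True

SLIDE_RULES = [
    parse_rule('alert tcp any any -> any any (minfrag: 256; msg: "Tiny fragments detected, possible hostile activity";)'),
    parse_rule('alert tcp any any -> 192.168.1.0/24 143 (content: "|90C8 C0FF FFFF|/bin/sh"; msg: "IMAP buffer overflow!";)'),
]

def detect(p: Packet, rules: List[Rule] = SLIDE_RULES) -> List[str]:
    """Signature matching: return the messages of every rule the packet triggers."""
    alerts = [r.msg for r in rules if matches(r, p)]
    if p.src_ip == p.dst_ip:                  # the previous slide's hard-coded pattern
        alerts.append("land attack")
    return alerts

def demo():
    exploit = Packet("203.0.113.7", "192.168.1.20", 143, b"A" * 64 + b"\x90\xc8\xc0\xff\xff\xff/bin/sh")
    tiny = Packet("203.0.113.7", "10.0.0.9", 80, b"GET / HTTP/1.0", frag_size=100)
    land = Packet("10.0.0.9", "10.0.0.9", 139, b"")
    benign = Packet("203.0.113.7", "192.168.1.20", 143, b"a1 LOGIN alice secret")
    off_net = Packet("203.0.113.7", "10.0.0.9", 143, b"\x90\xc8\xc0\xff\xff\xff/bin/sh")  # not in 192.168.1.0/24
    return [detect(p) for p in (exploit, tiny, land, benign, off_net)]

if __name__ == "__main__":
    for alerts in demo():
        print(alerts)
```

The off_net packet carries the same payload as the exploit but reaches a host outside 192.168.1.0/24, so the rule stays silent: a signature is only as good as every field the analyst wrote into it, which is the "can't detect new attacks" limitation in miniature.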
Anomaly Detection
[Figure: the IDS holds a distribution of "normal" events; a New Event that falls inside it is Safe, one that falls outside is an Attack]
Misuse vs. Anomaly Detection
[Figure: within All possible behaviors, misuse detection enumerates the Bad behavior, anomaly detection models the Good behavior and flags everything outside it]
Anomaly Detection
[Figure: activity measures, CPU vs. Process Size (scale 0–90); the normal profile is a cluster, an abnormal point outside it is a probable intrusion]
Relatively high false positive rate – anomalies can just be new normal activities.
Anomaly Detection
Pros
• Does not require pre-determining the policy (can catch an "unknown" threat)
Cons
• Assumes that attacks are not strongly related to known (normal) activities
• Learning distributions is hard
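An added example (not from the slides): a statistical anomaly detector in Python that learns a normal profile of (CPU, process size) from constructed samples and flags events whose z-score on any feature exceeds a threshold, as in the figure. It also shows the trade-off listed under the cons: a legitimate but never-seen backup job is a false positive, and absorbing it into the profile widens the envelope enough that a smaller anomaly is then missed. The sample values, the backup and the attack events are all constructed.

```python
import statistics
from typing import List, Sequence, Tuple

# Constructed profile of normal activity: (CPU %, process size in MB) per observation.
NORMAL: List[Tuple[float, float]] = [
    (12, 40), (15, 42), (10, 38), (14, 41), (13, 39),
    (11, 40), (16, 43), (12, 41), (14, 40), (13, 42),
]

class Profile:
    """Per-feature mean and standard deviation learned from normal samples.
    An event is a probable intrusion when any feature is more than k standard
    deviations from its mean (a z-score detector, the simplest statistical model)."""

    def __init__(self, samples: Sequence[Tuple[float, float]], k: float = 3.0):
        columns = list(zip(*samples))
        self.mean = [statistics.mean(c) for c in columns]
        self.std = [statistics.pstdev(c) or 1e-9 for c in columns]   # guard a constant feature
        self.k = k

    def zscores(self, event: Tuple[float, float]) -> List[float]:
        return [abs(x - m) / s for x, m, s in zip(event, self.mean, self.std)]

    def classify(self, event: Tuple[float, float]) -> str:
        return "probable intrusion" if max(self.zscores(event)) > self.k else "normal"

def demo():
    quiet = (13, 41)      # ordinary process
    runaway = (85, 400)   # e.g. a hijacked process that is spinning and allocating
    backup = (60, 45)     # legitimate nightly backup that was not in the training data
    subtle = (45, 42)     # a smaller anomaly

    prof = Profile(NORMAL)
    before = tuple(prof.classify(e) for e in (quiet, runaway, backup, subtle))

    # Treat the backup as "new normal" and relearn: the envelope widens and 'subtle' slips through.
    retrained = Profile(NORMAL + [backup] * 3)
    after = tuple(retrained.classify(e) for e in (quiet, runaway, backup, subtle))
    return before, after

if __name__ == "__main__":
    before, after = demo()
    print(before)   # ('normal', 'probable intrusion', 'probable intrusion', 'probable intrusion')
    print(after)    # ('normal', 'probable intrusion', 'normal', 'normal')
```

Both outcomes are the same model: before retraining the backup is a false positive, after retraining the subtle event is a false negative. Picking k, and deciding which anomalies to feed back into the profile, is the part of "learning distributions" that is hard.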
Host-Based IDSs (HIDS)
• Using OS auditing mechanisms
  – e.g., BSM on Solaris: logs all direct or indirect events generated by a user
  – strace for system calls made by a program
  – auditd in modern Linux
• Monitoring user activities
  – e.g., Analyze shell commands
• Monitoring executions of system programs
  – e.g., Analyze system calls made by sendmail
Network IDSs (NIDS)
• Deploying sensors at strategic locations
  – e.g., Packet sniffing via tcpdump at routers
• Inspecting network traffic
  – Watch for violations of protocols and unusual connection patterns
• Monitoring user activities
  – Look into the data portions of the packets for malicious command sequences
• May be easily defeated by encryption
  – Data portions and some header information can be encrypted
• Other problems...
Common network security attacks and their countermeasures
• Packet sniffing and spoofing – Encryption (SSH, SSL, HTTPS)
• Finding a way into the network – Firewalls
• Exploiting software bugs, buffer overflows – Intrusion Detection Systems
• Denial of Service – Ingress filtering, IDS (NEXT)
Denial of Service
• Purpose: Make a network service unusable, usually by overloading the server or network
• Many different kinds of DoS attacks
  – SYN flooding
  – SMURF
  – Distributed attacks
TCP Three-way handshake
  Client → Server: SYN, Seq=X, Ack=0          (client remembers X)
  Server → Client: SYN-ACK, Seq=Y, Ack=X+1    (server remembers Y; client checks Ack=X+1)
  Client → Server: ACK, Seq=X+1, Ack=Y+1      (server checks Ack=Y+1)
Denial of Service
• SYN flooding attack
• Send SYN packets with a bogus source address
  – Why? The SYN/ACK goes to the bogus address, so no ACK ever comes back to complete the handshake, and the flood cannot be traced to its real source
• Server responds with SYN/ACK and keeps state about the TCP half-open connection
  – Eventually, server memory is exhausted with this state
Denial of Service
• SMURF
  – Source IP address of a broadcast ping is forged
  – Large number of machines respond back to the victim, overloading it
[Figure: the Perpetrator sends an ICMP echo with the spoofed source address of the Victim to an IP broadcast address across the Internet; every host on that network sends its ICMP echo reply to the Victim]
State-Holding Attack
Assume a stateful TCP policy (Firewall between the Attacker and the Inside).
1. SYN Flood – the attacker sends SYN, SYN, SYN, ... and the firewall must create a table entry for each
2. Exhaust Resources – the state table fills up
3. Sneak Packet – with no room to track new connections, the firewall can no longer apply its stateful policy to the packet that follows
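An added example (not from the slides) that covers both the SYN-flooding slide above, where the victim is the server's half-open connection table, and the state-holding attack, where the victim is the firewall's state table: a bounded half-open table filled with SYNs from spoofed sources. Once the table is full the implementation has to choose what to do with the next packet, and the two choices modelled here are constructed for the example: refuse new entries (fail-closed, so a real client is locked out, step 2) or stop tracking (fail-open, so an unsolicited SYN/ACK is no longer checked against any state, step 3). All addresses are constructed.

```python
import random
from typing import Dict, Tuple

class HalfOpenTable:
    """Bounded table of half-open TCP connections: the state a server (or a stateful
    firewall) must hold between a SYN and the completion of the handshake."""

    def __init__(self, capacity: int, full_policy: str = "fail_closed"):
        self.capacity = capacity
        # What to do when the table is full (constructed for the example):
        #   "fail_closed": refuse to admit new connections
        #   "fail_open":   let traffic through without tracking it
        self.full_policy = full_policy
        self.entries: Dict[Tuple[str, int], bool] = {}

    def full(self) -> bool:
        return len(self.entries) >= self.capacity

    def syn(self, src: str, sport: int) -> str:
        """A SYN arrives; a SYN/ACK goes out and the half-open connection must be remembered."""
        if self.full():
            return "refused" if self.full_policy == "fail_closed" else "untracked"
        self.entries[(src, sport)] = True
        return "tracked"

    def inbound_synack(self, dst: str, dport: int) -> str:
        """Firewall view: may an inbound SYN/ACK toward (dst, dport) pass?"""
        if (dst, dport) in self.entries:
            return "allow"                      # a SYN preceded it
        if self.full() and self.full_policy == "fail_open":
            return "allow"                      # step 3: the sneak packet, nothing checks it
        return "drop"

def syn_flood(capacity: int = 1000, flood_size: int = 5000,
              full_policy: str = "fail_closed", seed: int = 1):
    """Step 1: SYNs from spoofed sources. The SYN/ACKs go to hosts that never answer,
    so no entry ever completes and nothing frees the table except a timeout."""
    rng = random.Random(seed)
    table = HalfOpenTable(capacity, full_policy)
    for _ in range(flood_size):
        spoofed = "%d.%d.%d.%d" % tuple(rng.randrange(1, 255) for _ in range(4))
        table.syn(spoofed, rng.randrange(1024, 65535))
    # Step 2: resources exhausted; what happens to a real client who shows up now?
    legit = table.syn("192.0.2.50", 40000)
    # Step 3: an unsolicited SYN/ACK aimed at an inside host, which no SYN preceded.
    sneak = table.inbound_synack("10.0.0.5", 40001)
    return legit, sneak, len(table.entries)

if __name__ == "__main__":
    print(syn_flood(full_policy="fail_closed"))   # ('refused', 'drop', 1000): DoS for real clients
    print(syn_flood(full_policy="fail_open"))     # ('untracked', 'allow', 1000): policy bypassed
```

Neither outcome is acceptable, which is why the size of the table and its timeouts (listed on the stateful-inspection slide as the obligations that come with state) are security parameters, not just tuning knobs: the attacker only needs to send SYNs faster than the timeout drains the table.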