Post on 19-Dec-2015
Network Security
Instructor: 鄭伯炤 (Bo Cheng), Department of Communications Engineering, National Chung Cheng University
Tel: 05-272-0411 Ext 33512
Email: bcheng@ccu.edu.tw
http://www.andrew.cmu.edu/course/95-753/lectures/MooreTalkCERT-combined.pdf
We Are in a Dangerous Zone!
• Insider
• Outsider
• Unstructured
• Structured
CERT: Computer Emergency Response Team
http://www.cert.org/
What Is Network Security?
• Confidentiality: The property that information is not made available or disclosed to any unauthorized system entity
• Integrity: The property that data has not been changed, destroyed, or lost in an unauthorized or accidental manner.
• Availability: services must be accessible and available to users
[Figure: the three properties Confidentiality, Integrity and Availability surrounding Network Security]
ftp://ftp.rfc-editor.org/in-notes/rfc2828.txt
Confidentiality Enabler
• AAA
– Authentication: The process of verifying an identity claimed by or for a system entity.
– Authorization: A right or a permission that is granted to a system entity to access a system resource.
– Accounting: Ensures that the actions of a system entity can be traced uniquely to that entity, which can be held responsible for its actions.
• Encryption: Cryptographic transformation of data (called "plaintext") into a form (called "ciphertext") that conceals the data's original meaning to prevent it from being known or used.
[Figure: Plaintext → Encrypt → Ciphertext → Decrypt → Plaintext]
Attack Motivations, Phases and Goals
• Motivations: Revenge; Political activism; Financial gain
• Goals: Data manipulation; System access; Elevated privileges; Denial of Service
• Phases
– Collect Information: Public data sources; Scanning and probing
– Analyze Information & Prepare Attacks: Services in use; Known OS/application vulnerabilities; Known network protocol security weaknesses; Network topology
– Actual Attack: Network compromise; DoS/DDoS attack (bandwidth consumption, host resource starvation)
Counter Hack: A Step-by-Step Guide to Computer Attacks and Effective Defenses Author: Ed Skoudis; Publisher: Prentice Hall; ISBN 0130332739
Tools, Tools, Tools
Reconnaissance: Nslookup, Whois, ARIN, Dig, Target Web Site, Others
Network Scanning: Telnet, Nmap, Hping2, Netcat, ICMP (Ping and Traceroute)
Vulnerability Assessment: Nessus, SARA
Penetration Tool
http://www.sans.org/rr/papers/index.php?id=267
“Penetration Studies – A Technical Overview”
GSEC SANS GIAC Certification: Security Essentials Toolkit Author: Eric Cole et al. ISBN 0789727749
Hacker vs. Cracker
• Cracker (怪客): Someone who tries to break the security of, and gain access to, someone else's system without being invited to do so.
– Crackers concentrate on intrusion, destruction and data theft, attacking others on the network at will.
– Many "crack" programs circulating on the network (often mislabelled "hacker software") were released maliciously by crackers to disrupt order on the network.
– The "hackers" referred to by the mass media are in fact these highly knowledgeable crackers.
• Hacker (駭客): Someone with a strong interest in computers, who enjoys learning about them and experimenting with them.
– Does not deliberately destroy the data on other people's hosts.
– A hacker breaks into a computer only to confirm that a security hole really exists, and after the intrusion sends an e-mail to the administrator holding the highest privileges on that site to tell them where the hole is.
http://www.trendmicro.com/tw/products/desktop/gatelock/use/hackers.htm
Dollar Amount of Losses in 2003
Source: CSI/FBI 2003 Computer Crime and Security Survey
The total annual losses reported in the 2003 survey were $201,797,340.
Denial of Service (DoS)
• The prevention of authorized access to a system resource or the delaying of system operations and functions (RFC 2828)
– IETF: The Internet Engineering Task Force
– RFC: Request for Comments
• Modes of attack
– Consumption of scarce resources
– Destruction or alteration of configuration information
– Physical destruction or alteration of network components
http://www.cert.org/tech_tips/denial_of_service.html
Building Security Perimeter
• The boundary of the domain in which a security policy or security architecture applies (by RFC2828)
• Components
– Firewall
– Virtual Private Network (VPN)
– Intrusion Detection System (IDS)
• Defense in depth
– Multiple layers of protection to prevent and mitigate security incidents (events that involve a security violation)
Inside Network Perimeter Security: The Definitive Guide to Firewalls, Virtual Private Networks (VPN's), Routers, and Intrusion Detection Systems Author: Stephen Northcutt, Lenny Zeltser, Scott Winters, Karen Kent Frederick, et al.; ISBN 0735712328
Firewall
• A gateway that restricts data communication traffic to and from one of the connected networks (the one said to be "inside" the firewall) and thus protects that network's system resources against threats from the other network (the one that is said to be "outside" the firewall).
• Access Control List (ACL): A mechanism that implements access control for a system resource by enumerating the identities of the system entities that are permitted to access the resource.
[Figure: a firewall between the outside and inside networks, applying an ACL to traffic in each direction]
http://csrc.nist.gov/publications/nistpubs/800-41/sp800-41.pdf
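As an added example (not from the lecture or from any firewall product), the following Python code shows how a packet filter applies an ACL of the kind just defined: rules are evaluated top to bottom, the first match decides, and an implicit deny closes the list. The inside prefix, the DMZ web server address and the sample packets are constructed for the example.

```python
# Added example (constructed, not from the lecture): first-match packet-filter ACL.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    direction: str       # "in" (outside -> inside) or "out" (inside -> outside)
    proto: str           # "tcp", "udp", "icmp" or "any"
    src: str             # CIDR prefix the source address must fall in
    dst: str             # CIDR prefix the destination address must fall in
    dport: Optional[int]  # destination port, None = any


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    src: str
    dst: str
    dport: Optional[int]


INSIDE = "10.0.0.0/8"      # constructed: the "inside" network
ANY = "0.0.0.0/0"

# Constructed ruleset: the inside may reach anything outside, the outside may
# reach only the DMZ web server on 80/443, and everything else is dropped.
# Order matters: the first matching rule wins and the last two are the default deny.
ACL: List[Rule] = [
    Rule("permit", "out", "any", INSIDE, ANY, None),
    Rule("permit", "in", "tcp", ANY, "192.0.2.10/32", 80),
    Rule("permit", "in", "tcp", ANY, "192.0.2.10/32", 443),
    Rule("deny", "in", "any", ANY, ANY, None),
    Rule("deny", "out", "any", ANY, ANY, None),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule covers the packet."""
    if rule.direction != pkt.direction:
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """Return the action of the first matching rule; deny when nothing matches."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"   # implicit default deny, as real packet filters do


if __name__ == "__main__":
    samples = [
        Packet("in", "tcp", "203.0.113.5", "192.0.2.10", 80),    # web to DMZ: permitted
        Packet("in", "tcp", "203.0.113.5", "192.0.2.10", 22),    # ssh to DMZ: denied
        Packet("in", "tcp", "203.0.113.5", "10.1.1.1", 80),      # straight inside: denied
        Packet("out", "udp", "10.1.1.1", "203.0.113.53", 53),    # inside to outside: permitted
    ]
    for p in samples:
        print(p.direction, p.proto, p.src, "->", p.dst, p.dport, "=>", evaluate(ACL, p))
```

The egress rule deliberately requires an inside source address, so a packet leaving with a foreign source address falls through to the final deny; that is the same principle the anti-spoof filters later in the deck rely on.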
Intrusion Detection System (IDS)
• A security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real- time warning of, attempts to access system resources in an unauthorized manner. (RFC2828)
• Types of IDS:
– Host-based: operates on information collected from within an individual computer system.
– Network-based: listens on a network segment or switch and detects attacks by capturing and analyzing network packets.
http://csrc.nist.gov/publications/nistpubs/800-31/sp800-31.pdf
Virtual Private Network (VPN)
• The VPN is a data network connection that makes use of the public communication infrastructure, but maintains privacy through the use of a tunneling protocol and security procedures.
http://www.computerassets.com/downloads/Why_VPN.doc
[Figure: VPN tunnels over the Internet connecting HQ with a branch office and with business partners]
Net, Net and Net
• Intranet: VPN facilitates secure communications between a company's internal departments and its branch offices.
• Extranet: Extranet VPNs between a company and its strategic partners, customers and suppliers require an open, standards-based solution to ensure interoperability with the various solutions that the business partners might implement.
• Internet: A global and public network connecting millions of computers.
Financial Losses in 2002
[Figure: security technologies: Firewall, AAA, VPN, Anti-virus, Intrusion Detection]
[Figure: bar chart of losses in $Million (scale 0 to 200) by category: Theft of proprietary Info, Sabotage of Network, System Penetration by outsider, Insider abuse of Net access, Financial Fraud, DoS, Virus, Laptop theft]
Source: 2002 CSI/FBI Survey
100% security is impossible; security can only mitigate risk, not eliminate it
Authentication: "Are you who you say you are?"
Authorization: "Can you do that?"
Accounting: "What did you do?"
RADIUS: Remote Authentication Dial-In User Service
IPSec vs. SSL
• IPSec (Internet Protocol Security)
– Tunnel between the two endpoints
– Works at the Network Layer of the OSI Model, without an association to any specific application
– When connected to an IPSec VPN the client computer is "virtually" a full member of the corporate network, able to see and potentially access the entire network
– The majority of IPSec VPN solutions require third-party hardware and/or software
• SSL
– A common protocol; most web browsers have SSL capabilities built in
– More precise access control
– Works only for web-based applications and for applications that can be web-enabled
Hacking Techniques
Collect Information
• Public data source
• Scanning and probing
Whois Database
• Contains data elements regarding Internet addresses, domain names, and individual contacts
• domain name uniquely
ARIN
• American Registry for Internet Numbers
• Gather information about who owns particular IP address ranges, given company or domain names
DNS
• A hierarchical database
[Figure: the DNS hierarchy: root DNS servers (start point) → com, net and org DNS servers → abc.com DNS servers]
DNS Resolve
[Figure: a recursive search to resolve a domain name. The client asks the local DNS server for www.abc.com; the local server asks a root DNS server and gets a referral to com; it asks a com DNS server and gets a referral to abc.com; it asks the abc.com DNS server, which answers www.abc.com = 10.11.12.13; the local server returns www.abc.com = 10.11.12.13 to the client]
Some DNS Record Types
Record Type Name | Purpose | Example Record Format
Address (A record) | Maps a domain name to a specific IP address | www 1D IN A 10.1.1.1
Host Information (HINFO record) | Identifies the host system type | www 1D IN HINFO Solaris8
Mail Exchanger (MX record) | Identifies a mail system accepting mail for the given domain | @ 1D IN MX 10 mail.abc.com
Name Server (NS record) | Identifies the DNS servers associated with a given domain | @ 1D IN NS nameserver.abc.com
Text (TXT record) | Associates an arbitrary text string with the domain name | System1 IN TXT "This is a cool system"
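The following Python code is an added example, not part of the lecture and not taken from any DNS server: it parses master-file lines in the format shown in the table (owner, optional TTL, class IN, type, rdata) and then audits the zone for the record types that give an outsider reconnaissance value, namely HINFO and TXT. The sample zone is constructed from the table's own example records.

```python
# Added example (constructed for this lecture): parse zone records and flag
# the ones that disclose host details to anyone who can query the zone.
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Record:
    owner: str
    ttl: Optional[str]
    rtype: str
    rdata: List[str]


# Constructed sample zone: the example records from the table above.
SAMPLE_ZONE = """\
www 1D IN A 10.1.1.1
www 1D IN HINFO Solaris8
@ 1D IN MX 10 mail.abc.com
@ 1D IN NS nameserver.abc.com
System1 IN TXT "This is a cool system"
"""

TTL_RE = re.compile(r"^\d+[smhdwSMHDW]?$")   # e.g. 3600, 1D, 2h


def parse_record(line: str) -> Optional[Record]:
    """Parse one line: owner [ttl] IN type rdata... ; returns None for blank lines."""
    tokens = shlex.split(line, comments=True)   # shlex keeps the quoted TXT string whole
    if not tokens:
        return None
    owner, rest = tokens[0], tokens[1:]
    ttl = None
    if rest and TTL_RE.match(rest[0]):
        ttl = rest.pop(0)                       # TTL is optional in a zone file
    if not rest or rest[0].upper() != "IN":
        raise ValueError(f"expected class IN in: {line!r}")
    rest.pop(0)
    if not rest:
        raise ValueError(f"missing record type in: {line!r}")
    return Record(owner, ttl, rest[0].upper(), rest[1:])


def parse_zone(text: str) -> List[Record]:
    return [r for r in (parse_record(l) for l in text.splitlines()) if r]


# Record types whose content tells an attacker about hosts and software.
DISCLOSING_TYPES = {
    "HINFO": "reveals the hardware/OS of the host",
    "TXT": "free-text field, frequently used for descriptions",
}


def audit(records: List[Record]) -> List[str]:
    """One finding per record whose type discloses internal detail."""
    findings = []
    for r in records:
        if r.rtype in DISCLOSING_TYPES:
            findings.append(f"{r.owner} {r.rtype} {' '.join(r.rdata)}: {DISCLOSING_TYPES[r.rtype]}")
    return findings


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    for r in recs:
        print(r)
    for f in audit(recs):
        print("FINDING:", f)
```

Run against a real zone dump, the audit lists exactly the records a reconnaissance step such as nslookup or a zone transfer would harvest, which is why HINFO and descriptive TXT records are usually removed from externally visible zones.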
nslookup
• Return from the local DNS cache; return from a remote DNS cache
Zone Transfer
• Reverse lookup: from an IP address back to the domain name
[Figure: a split DNS: an external DNS server in the DMZ faces the Internet, while an internal DNS server serves the internal network and internal systems]
DMZ
• DMZ stands for De-Militarized Zone. The DMZ setting allows the server that provides public resources (e.g. Web or FTP) to map public IP addresses for Internet users in a broadband sharing router environment.
[Figure: Internet ↔ DMZ (systems such as Web, Mail, DNS and FTP) ↔ internal network, with the connections marked Allowed or Forbidden]
Collect Information
• Public data source
• Scanning and probing
Network Mapping
• Map out your network infrastructure
– Mapping and scanning your Internet gateway, including DMZ systems, such as Web, mail, FTP, and DNS
– Mapping and scanning your internal network
• Techniques
– Finding live hosts
– Tracing your network topology
Finding Live Hosts
• Two methods
– ICMP ping
• Ping all possible addresses to determine which ones have active hosts
• Ping sends an ICMP Echo Request packet; a live host answers with an ICMP Echo Reply message
• Otherwise, nothing is listening at that address
– TCP/UDP packet
• If incoming ICMP is blocked, send a TCP or UDP packet to a port, such as TCP port 80
Traceroute
[Figure: using traceroute to discover the path from source to destination: a packet with TTL = 1 draws an ICMP Time Exceeded message from the first router, a packet with TTL = 2 from the second, and so on]
Cheops
Defenses against Network Mapping
• Filter
– IN: Firewalls and the packet-filtering capabilities of your routers
– OUT: Stop ICMP Time Exceeded messages leaving your network
• Blocking
– Block incoming ICMP messages at the gateway
– Ping the Web server? Maybe
– Ping the DMZ database server? Probably not
– Ping internal network hosts? Definitely not
Using port scanners
• Analyzing which ports are open
– To know the purpose of each system
– To learn potential entryways into the system
• The TCP/IP stack has 65,535 TCP/UDP ports
• "Well-known" port numbers
– TCP port 80
– RFC 1700
• Nmap @ www.insecure.org/Nmap
Nmap
• What type of packets does the scanning system send?
– TCP Connect, TCP SYN, TCP FIN, …
Types of Nmap Scans
• Legitimate TCP connections established using a three-way handshake
[Figure: the TCP three-way handshake between Alice and Bob: Alice sends SYN with ISNA; Bob replies ACK ISNA and SYN with ISNB; Alice sends ACK ISNB; the connection is established]
TCP Header
[Figure: the 20-octet TCP header, bit positions 0, 4, 10, 16 and 31 marked: Source port and Destination port; Sequence number; Acknowledgement number; Data offset, Reserved, the code bits URG, ACK, PSH, RST, SYN, FIN, and Window; Checksum and Urgent pointer; Options + padding]
The Polite Scan: TCP Connect
• Completes the three-way handshake, and then gracefully tears down the connection using FIN packets
• If the port is closed
– No SYN-ACK is returned
– Receive either no response, a RESET packet, or an ICMP Port Unreachable
• Easy to detect
A Little Stealthier: TCP SYN Scan
• TCP SYN scans
– Send a SYN to each target port
– If the port is open, a SYN-ACK response comes back
– The scanner then sends a RESET packet, aborting the connection
• Referred to as "half-open" scans
• Two benefits
– The end system does not record the connection (routers or firewalls, however, do)
– Its speed
Other Scans: Violate the Protocol Spec.
• TCP FIN scan
– A FIN packet to tear down the connection, but no connection was ever set up!!
• Xmas Tree scan
– Sends packets with the FIN, URG, and PUSH code bits set
• Null scan
– Sends packets with no code bits set
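The scan types above differ only in which TCP code bits are set, which is what lets a network-based IDS tell them apart. The Python code below is an added example, not part of the lecture or of Nmap or Snort: it classifies each probe by its code bits, then counts distinct target ports per source so that a source sweeping many ports stands out. The packet records are constructed for the example.

```python
# Added example (constructed): classify TCP probes by code bits and count
# distinct target ports per source, as a simple scan detector would.
from collections import defaultdict
from typing import Dict, FrozenSet, List, Tuple

# (source IP, destination IP, destination port, set of code bits present)
Packet = Tuple[str, str, int, FrozenSet[str]]


def classify(flags: FrozenSet[str]) -> str:
    """Map a TCP code-bit set to the scan type the lecture names, or 'normal'."""
    if not flags:
        return "null"                       # Null scan: no code bits at all
    if flags == {"FIN", "URG", "PSH"}:
        return "xmas"                       # Xmas Tree scan
    if flags == {"FIN"}:
        return "fin"                        # FIN scan: FIN with no connection set up
    if flags == {"SYN"}:
        return "syn"                        # connection attempt, or a SYN (half-open) scan
    if flags == {"ACK"}:
        return "ack"                        # ACK scan, or a bare acknowledgement
    return "normal"                         # SYN-ACK, PSH-ACK, FIN-ACK, RST ... normal traffic


def summarize(packets: List[Packet], threshold: int = 5) -> Dict[str, Dict]:
    """Per source: the probe kinds seen and how many distinct ports were probed.

    A source is flagged once it has probed at least `threshold` distinct
    ports; a single SYN to port 80 is just a connection, a hundred SYNs
    to a hundred ports is a scan.
    """
    ports = defaultdict(set)
    kinds = defaultdict(set)
    for src, _dst, dport, flags in packets:
        kind = classify(flags)
        if kind == "normal":
            continue
        ports[src].add(dport)
        kinds[src].add(kind)
    return {
        src: {"kinds": sorted(kinds[src]),
              "ports": len(ports[src]),
              "flagged": len(ports[src]) >= threshold}
        for src in ports
    }


F = frozenset
# Constructed sample: an Xmas sweep of ports 20-26, one normal web connection,
# and a single Null probe.
SAMPLE: List[Packet] = [
    ("203.0.113.9", "192.0.2.10", p, F({"FIN", "URG", "PSH"})) for p in range(20, 27)
] + [
    ("198.51.100.4", "192.0.2.10", 80, F({"SYN"})),           # ordinary connection
    ("198.51.100.4", "192.0.2.10", 80, F({"ACK", "PSH"})),    # its data segment
    ("203.0.113.77", "192.0.2.10", 22, F()),                   # one Null probe
]

if __name__ == "__main__":
    for src, info in summarize(SAMPLE).items():
        print(src, info)
```

Note that Null, FIN and Xmas packets can never belong to a legitimate connection (a FIN with no established session, or a segment with no code bits, is outside the protocol spec), so a single such packet is already worth logging; the port-count threshold matters mainly for SYN probes, which look like ordinary connection attempts one at a time.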
TCP ACK Scans
[Figure: a packet-filter device between the external and internal networks allows outgoing traffic (SYN from the inside) and the established responses (SYN-ACK from the outside), while blocking incoming traffic whose SYN bit is set]
Allowing outgoing sessions (and responses), while blocking incoming session initiation
TCP ACK Scans (cont.)
[Figure: from the external network, ACK packets are sent to destination ports 1024, 1025 and 1026 through the packet-filter device; a RESET comes back for port 1026, so the attacker concludes "Aha! I know port 1026 is open through the firewall"]
Vulnerability Scanning Tools
• What is a vulnerability scanner?
• Types of vulnerabilities
– Common configuration errors
– Default configuration weaknesses
– Well-known system vulnerabilities
Vulnerability Scanning Tools (cont.)
[Figure: a generic vulnerability scanner: a user configuration tool drives a scanning engine, which draws on a vulnerability database and a knowledge base of the current active scan, probes the targets, and feeds a results repository and report generation]
Nessus
• Nessus plug-in categories:
– Finger abuses
– Windows
– Backdoors
– Gain a shell remotely
– CGI abuses
– Remote file access
– RPC
– Firewalls
– FTP
– SMTP
– ……
The Nessus Architecture
• Client-server architecture
– Client: user configuration tool and a results repository/report generation tool
– Server: vulnerability database, a knowledge base of the current active scan, and a scanning engine
• Supports strong authentication, based on public key encryption
• Supports strong encryption based on the Twofish and RIPEMD algorithms
• The advantage of the client-server architecture
• The most common use: running on a single machine
Gaining Access Using Application and Operating System Attacks
Outlines
• Stack-Based Buffer Overflow Attacks
• Password Attacks
• Web Application Attacks
What is a Stack-Based Buffer Overflow?
The Make up of a Buffer Overflow
Application Layer IDS Evasion for Buffer Overflow
• K2 released ADMutate
• Polymorphism
– For the NOPs: substitute a bunch of functionally equivalent statements for the NOPs
– For the machine language code: apply XOR to the code to combine it with a randomly generated key
[Figure: ADMutate takes a buffer overflow exploit and produces a new exploit]
Password Attacks
• Guessing Default Passwords
• Password Guessing through Login Scripting
• Password cracking
Let’s Crack Those Passwords!
• Stealing the encrypted passwords and trying to recover the clear-text password
– Dictionary
– Brute-force cracking
– Hybrid
Password cracking is really just a loop:
• Create a password guess
• Encrypt the guess
• Compare the encrypted guess with the encrypted value from the stolen password file
• If they match, you've got the password! Else, loop back to the top.
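The loop above, written out in Python as an added example (not the lecture's code and not taken from L0phtCrack or John the Ripper), run once against a fast unsalted hash and once against a salted, iterated hash. The "stolen" entries and the word list are constructed; the point for the defender is that the loop is identical in both cases and only the cost per guess differs.

```python
# Added example (constructed): the password-cracking loop, and how the
# defender's choice of password hash changes its cost per guess.
import hashlib
import hmac
import os
import time
from typing import Callable, Iterable, Optional, Tuple

# Constructed word list standing in for a dictionary.
WORDLIST = ["password", "letmein", "qwerty", "sunshine", "dragon", "IAmRyan"]


def crack(target: bytes, guesses: Iterable[str], hash_fn: Callable[[str], bytes]) -> Optional[str]:
    """Create a guess, hash it, compare with the stolen value, repeat."""
    for guess in guesses:
        if hmac.compare_digest(hash_fn(guess), target):
            return guess
    return None


def fast_hash(pw: str) -> bytes:
    """Unsalted single SHA-1: what an old password file effectively stores."""
    return hashlib.sha1(pw.encode()).digest()


def slow_hash_factory(salt: bytes, rounds: int = 200_000) -> Callable[[str], bytes]:
    """Salted, iterated PBKDF2-HMAC-SHA256: the same loop now pays `rounds` per guess."""
    def h(pw: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, rounds)
    return h


def time_crack(target: bytes, hash_fn: Callable[[str], bytes]) -> Tuple[Optional[str], float]:
    """Run the loop and return (recovered password or None, seconds taken)."""
    t0 = time.perf_counter()
    found = crack(target, WORDLIST, hash_fn)
    return found, time.perf_counter() - t0


if __name__ == "__main__":
    # Constructed "stolen" entries for the password "dragon".
    stolen_fast = fast_hash("dragon")
    salt = os.urandom(16)
    slow_hash = slow_hash_factory(salt)
    stolen_slow = slow_hash("dragon")
    print("unsalted SHA-1 :", time_crack(stolen_fast, fast_hash))
    print("salted PBKDF2  :", time_crack(stolen_slow, slow_hash))
```

Because the salt is per user, a cracker also cannot hash each guess once and compare it against every stolen entry; the iteration count then multiplies the work for every single user.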
Tools Cracking Passwords
• Cracking Windows NT/2000 passwords using L0phtCrack (LC4)
– http://www.atstake.com/products/lc/
• Cracking UNIX-like and Windows-based passwords using John the Ripper
– http://www.openwall.com/john/
Account Harvesting
• Account harvesting's concept
– A different error message for an incorrect user ID than for an incorrect password
• Lock out user accounts?
– Yes: opens a DoS attack
– No: allows password guessing across the network
[Figure: two login attempts with different response sizes: Yellow-orange 230, IAmRyan 241]
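The difference that makes account harvesting possible, shown in Python as an added example (constructed, not from any product): a login routine that answers "No such user" and "Incorrect password" separately, beside a hardened one that returns the same message, of the same length, after the same amount of hashing work in both cases. The user table, salts and the audit probe are constructed for the example.

```python
# Added example (constructed): vulnerable vs. hardened login against account harvesting.
import hashlib
import hmac
import os
from typing import Callable, Dict, Tuple


def pbkdf2(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)


# Constructed user table: username -> (salt, password hash)
_SALT = os.urandom(16)
USERS: Dict[str, Tuple[bytes, bytes]] = {"ryan": (_SALT, pbkdf2("correct horse", _SALT))}

# A dummy credential so that an unknown user still costs one hash computation,
# which keeps the response time from revealing whether the account exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = pbkdf2("dummy", _DUMMY_SALT)


def login_vulnerable(user: str, pw: str) -> Tuple[bool, str]:
    """Leaks which part was wrong: the caller can tell whether the user exists."""
    if user not in USERS:
        return False, "No such user"
    salt, h = USERS[user]
    if hmac.compare_digest(pbkdf2(pw, salt), h):
        return True, "Welcome"
    return False, "Incorrect password"


def login_hardened(user: str, pw: str) -> Tuple[bool, str]:
    """Same message, same length and same hashing work whether or not the user exists."""
    salt, h = USERS.get(user, (_DUMMY_SALT, _DUMMY_HASH))
    digest_ok = hmac.compare_digest(pbkdf2(pw, salt), h)   # always computed
    if digest_ok and user in USERS:                         # a dummy match is never a login
        return True, "Welcome"
    return False, "Invalid username or password"


def harvestable(login: Callable[[str, str], Tuple[bool, str]]) -> bool:
    """Audit check: does the failure response differ between a known and an unknown account?"""
    _, msg_known = login("ryan", "wrong-password")
    _, msg_unknown = login("no-such-account", "wrong-password")
    return msg_known != msg_unknown or len(msg_known) != len(msg_unknown)


if __name__ == "__main__":
    print("vulnerable login harvestable:", harvestable(login_vulnerable))
    print("hardened login harvestable:  ", harvestable(login_hardened))
```

The length check in the audit matters because the figure above shows harvesting by response size (230 vs 241 bytes), not only by message text; an application that templates the two errors differently leaks the same bit.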
Gaining Access Using Network Attacks
Sniffer
• A sniffer grabs anything sent across the LAN
• What type of data can a sniffer capture?
– Anything, except encrypted data
– An attacker must have an account on a machine on the LAN
• Island hopping attack
[Figure: island hopping attack: the attacker moves from one compromised LAN to the next]
Some of the most interesting sniffers
• Passive sniffing
– Snort, a freeware sniffer and network-based IDS, available at www.snort.org
– Sniffit, freeware running on a variety of UNIX flavors, available at reptile.rug.ac.be/~coder/sniffit/sniffit.html
• Active sniffing
– Dsniff, a free suite of tools built around a sniffer running on variations of UNIX, available at www.monkey.org/~dugsong/dsniff
Sniffing through a Hub: Passive Sniffing
[Figure: broadcast Ethernet: every "Blah, blah, blah" frame sent through the hub is seen by every station]
Active Sniffing: Sniffing through a Switch and Other Cool Goodies
• Switched Ethernet does not broadcast
– The switch looks at the MAC address
• Active sniffing tool: Dsniff
[Figure: switched Ethernet: the switch delivers each "Blah, blah, blah" frame only to the station it is addressed to]
Advanced sniffing attacks
• Foiling Switches with Spoofed ARP Messages
• Remapping DNS names to redirect network connections
• Sniffing SSL and SSH connections
Foiling Switches with Spoofed ARP Messages(1)
[Figure: a switched LAN prevents an attacker from passively sniffing traffic: the client machine's "Blah, blah, blah" goes through the switch to the default router and on to the outside world, and the victim's traffic isn't sent to the attacker]
Foiling Switches with Spoofed ARP Messages(2)
[Figure: Arpspoof redirects traffic, allowing the attacker to sniff a switched LAN. The attacker's ARP entry maps the router's IP to the attacker's MAC instead of the router's MAC.]
1. The attacker configures IP forwarding to send packets to the default router for the LAN and activates the Dsniff program.
2. The attacker sends a fake ARP response to remap the default router's IP address to the attacker's MAC address.
3. The victim sends traffic destined for the outside world. Based on the poisoned ARP table entry, the traffic is really sent to the attacker's MAC address.
4. The attacker sniffs the traffic from the link.
5. Packets are forwarded from the attacker's machine to the actual default router for delivery to the outside world.
Sniffing and Spoofing DNS
[Figure: sniffing and spoofing DNS on a switched LAN connected to the outside world]
1. The attacker activates the dnsspoof program.
2. The victim tries to resolve a name using DNS.
3. The attacker sniffs the DNS request from the line.
4. The attacker quickly sends a fake DNS response with any IP address the attacker wants the victim to use: www.skoudisstuff.com = 10.1.1.56 (the attacker's machine), instead of the desired destination at 10.22.12.41.
5. The victim now surfs to the attacker's site instead of the desired destination.
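The dnsspoof race leaves a trace a passive monitor can see: the victim receives two answers for one query, the forged one first and the real one shortly after. The Python code below is an added example (not from the lecture and not Dsniff's code) that pairs responses with outstanding queries and alerts on a second, conflicting answer or on a response for which no query was ever seen. The message records are constructed.

```python
# Added example (constructed): passive detection of the dnsspoof race.
from typing import Dict, List, Optional, Tuple

# (timestamp, "query" | "response", client IP, transaction id, name, answer or None)
Msg = Tuple[float, str, str, int, str, Optional[str]]

# Constructed capture: a spoofed answer beats the real one, a clean lookup,
# and a reply that answers no query at all.
SAMPLE: List[Msg] = [
    (0.00, "query",    "10.1.1.20", 0x1A2B, "www.skoudisstuff.com", None),
    (0.01, "response", "10.1.1.20", 0x1A2B, "www.skoudisstuff.com", "10.1.1.56"),    # forged, fast
    (0.09, "response", "10.1.1.20", 0x1A2B, "www.skoudisstuff.com", "10.22.12.41"),  # real, late
    (1.00, "query",    "10.1.1.20", 0x2C3D, "www.example.com", None),
    (1.08, "response", "10.1.1.20", 0x2C3D, "www.example.com", "192.0.2.7"),
    (2.00, "response", "10.1.1.20", 0x4E5F, "mail.example.com", "10.1.1.56"),        # no query seen
]


def detect_spoofing(msgs: List[Msg]) -> List[str]:
    """Return one alert per conflicting or unsolicited DNS response."""
    pending: Dict[Tuple[str, int, str], float] = {}   # (client, txid, name) -> time of query
    answered: Dict[Tuple[str, int, str], str] = {}    # first answer seen for that query
    alerts: List[str] = []
    for ts, kind, client, txid, name, answer in msgs:
        key = (client, txid, name)
        if kind == "query":
            pending[key] = ts
            continue
        if key in answered:
            # A second reply to an already-answered query: the late one is
            # usually the genuine server losing the race.
            if answered[key] != answer:
                alerts.append(f"{ts:.2f} conflicting answers for {name} txid {txid:#06x}: "
                              f"{answered[key]} then {answer}")
            continue
        if key not in pending:
            alerts.append(f"{ts:.2f} unsolicited response for {name} txid {txid:#06x} -> {answer}")
            continue
        answered[key] = answer
        del pending[key]
    return alerts


if __name__ == "__main__":
    for a in detect_spoofing(SAMPLE):
        print("ALERT:", a)
```

The monitor keys on client address, transaction id and name together, so an ordinary retransmitted query does not trip it; only a second answer carrying different data, or an answer with no matching query, does.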
Sniffing an HTTPS connection using dsniff’s person-in-the-middle attack
[Figure: a LAN with its default router to the outside world; the attacker's machine at IP address 10.1.2.3; the desired destination (labelled www.edsbank.com / www.skoudisstuff.com) at IP address 10.22.12.41]
1. The attacker activates the dnsspoof and webmitm programs.
2. Dnsspoof sends a fake DNS response with the IP address of the machine running webmitm (10.1.2.3).
3. The victim establishes an SSL connection, not knowing the attacker is proxying the connection.
4. Webmitm proxies the HTTPS connection, establishing an HTTPS connection to the server and sending the attacker's own certificate to the client.
5. The victim now accesses the desired server, but all traffic is viewable by the attacker using webmitm as a proxy.
IP Address Spoofing
• Changing or disguising the source IP address
– Attackers do not want to have their actions traced back
– Helps attackers undermine various applications
• IP address spoofing
– Flavor 1: Simply changing the IP address
– Flavor 2: Undermining UNIX r-commands
– Flavor 3: Spoofing with source routing
Simply Changing the IP Address
[Figure: Eve sends SYN (A, ISNA) with Alice's source address to Bob; Bob answers ACK (A, ISNA) SYN (B, ISNB) to the real Alice, who never started a connection and replies RESET !!!]
Spoofing with Source Routing 1/2
• Let the attacker get responses
• Allows the source machine sending a packet to specify the path it will take on the network
• Two kinds of source routing– Loose source routing– Strict source routing
• Reference: RFC 791
IP Options
Class | Number | Length | Description
0 | 0 | 0 | End of Options
0 | 1 | 0 | No op
0 | 2 | 11 | Security
0 | 3 | Var | Loose Source Routing
0 | 7 | Var | Record Route
0 | 8 | 4 | Stream ID (obsolete)
0 | 9 | Var | Strict Source Routing
2 | 4 | Var | Internet Time-Stamp
Spoofing with Source Routing 2/2
[Figure: spoofing attack using source routing. Eve sends Bob a packet carrying the source route 1. Alice, 2. Eve, 3. Bob along with the packet contents; Bob's reply carries the same route, so it passes back through Eve]
IP Spoofing Defense
• Implement "anti-spoof" packet filters
– Both incoming (ingress) and outgoing (egress)
• Do not allow source-routed packets through network gateways
IP Spoofing Defense
[Figure: anti-spoof filters: a packet with an IP source address on Network A, arriving at the filtering device from the Network B side, is dropped]
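The two anti-spoof rules and the source-routing rule on this slide, as an added Python example (constructed, not the lecture's code and not any router's configuration syntax). The filter sits between Network A (the internal prefix, assumed here to be 10.0.0.0/8) and Network B (everything else) and is given, for each packet, the interface it arrived on.

```python
# Added example (constructed): ingress/egress anti-spoof filter plus the
# "no source-routed packets" rule.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # constructed: Network A, the inside


@dataclass(frozen=True)
class Packet:
    iface: str                   # "external": arrived from Network B; "internal": from Network A
    src: str
    dst: str
    source_routed: bool = False  # IP option Loose (0/3) or Strict (0/9) Source Routing present


def anti_spoof(pkt: Packet) -> str:
    """Return 'accept' or a 'drop: <reason>' verdict for one packet."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.source_routed:
        return "drop: source-routed packet"
    if pkt.iface == "external" and src in INTERNAL:
        # Ingress filter: nobody outside may claim an inside address.
        return "drop: ingress spoof (internal source arriving from outside)"
    if pkt.iface == "internal" and src not in INTERNAL:
        # Egress filter: nothing leaving may claim a foreign address.
        return "drop: egress spoof (non-internal source leaving)"
    if src.is_loopback or src.is_multicast or src.is_unspecified:
        return "drop: impossible source address"
    return "accept"


def filter_batch(packets: List[Packet]) -> Dict[str, int]:
    """Count verdicts over a batch, which is what a filter's log summary shows."""
    counts: Dict[str, int] = {}
    for p in packets:
        v = anti_spoof(p)
        counts[v] = counts.get(v, 0) + 1
    return counts


# Constructed sample traffic.
SAMPLE = [
    Packet("external", "198.51.100.7", "10.1.2.3"),                      # normal inbound
    Packet("internal", "10.1.2.3", "198.51.100.7"),                      # normal outbound
    Packet("external", "10.1.2.3", "10.1.2.9"),                          # outsider claiming inside address
    Packet("internal", "192.0.2.44", "198.51.100.7"),                    # insider spoofing a foreign source
    Packet("external", "198.51.100.7", "10.1.2.3", source_routed=True),  # source-routed
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.iface, p.src, "->", p.dst, "=>", anti_spoof(p))
    print(filter_batch(SAMPLE))
```

The egress rule is the one most often skipped in practice, yet it is what stops a network from being the origin of the spoofed floods described in the DoS section later in this deck.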
Session Hijacking 1/3
• A marriage of sniffing and spoofing
• Seeing packets, but also monitoring the TCP sequence numbers
• Sniffing, then injecting spoofed traffic
[Figure: a network-based session hijacking scenario: Alice telnets to Bob ("Hi, I'm Alice") while Eve sits on the network between them]
Session Hijacking 2/3
• Session hijacking tools
– Hunt, network-based
– Dsniff's sshmitm tool
– Juggernaut, network-based
– TTYWatcher, host-based
– TTYSnoop, host-based
Session Hijacking 3/3
[Figure: an ACK storm triggered by session hijacking: Alice and Bob exchange ACK after ACK, packets with increasing sequence numbers, while Eve is on the network]
Session Hijacking with Hunt 1/3
• Hunt
– Network-based session-hijacking tool
– Runs on Linux
– Allows the attacker to view a bunch of sessions, and select a particular one to hijack
– Injects a command or two into the session stream, resulting in an ACK storm
– How to prevent an ACK storm?
• ARP spoofing
– Sends unsolicited ARPs, known as "gratuitous packets"
– Most systems devour them, overwriting the IP-to-MAC address mapping in their ARP tables
Session Hijacking with Hunt 2/3
[Figure: three machines on the LAN: IP a.b.c.d at MAC AA:AA:AA:AA:AA:AA, IP w.x.y.z at MAC BB:BB:BB:BB:BB:BB, and the attacker (IP = anything) at MAC CC:CC:CC:CC:CC:CC. The attacker sends the gratuitous ARPs "w.x.y.z is at DD:DD:DD:DD:DD:DD" and "a.b.c.d is at EE:EE:EE:EE:EE:EE"]
Session Hijacking with Hunt 3/3
[Figure: the same LAN, now also with IP e.f.g.h at MAC GG:GG:GG:GG:GG:GG and IP i.j.k.l at MAC HH:HH:HH:HH:HH:HH; the attacker sends "i.j.k.l is at II:II:II:II:II:II" and "e.f.g.h is at JJ:JJ:JJ:JJ:JJ:JJ"]
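Both the arpspoof router remapping earlier in this section and Hunt's gratuitous ARPs above leave the same footprint on the wire: an ARP reply that nobody requested, or one that changes an IP-to-MAC binding the LAN already knew. The Python code below is an added example (constructed; not from the lecture, arpwatch or Dsniff) of a watcher that learns bindings from replies and raises those two alerts, optionally with a static table for the router. The frames are constructed.

```python
# Added example (constructed): an ARP watcher that alerts on unsolicited
# replies and on changes to learned or static IP-to-MAC bindings.
from typing import Dict, List, Optional, Set, Tuple

# (op, sender IP, sender MAC, target IP)   op = "request" | "reply"
Frame = Tuple[str, str, str, str]

# Constructed frames: a normal exchange, an attacker remapping the router,
# and a gratuitous reply of the Hunt kind.
FRAMES: List[Frame] = [
    ("request", "10.1.1.20", "AA:AA:AA:AA:AA:AA", "10.1.1.1"),
    ("reply",   "10.1.1.1",  "BB:BB:BB:BB:BB:BB", "10.1.1.20"),   # router answers the request
    ("reply",   "10.1.1.1",  "CC:CC:CC:CC:CC:CC", "10.1.1.20"),   # attacker remaps the router
    ("reply",   "10.1.1.20", "DD:DD:DD:DD:DD:DD", "10.1.1.1"),    # gratuitous: never requested
]


def watch(frames: List[Frame], static: Optional[Dict[str, str]] = None) -> List[str]:
    """Replay frames in order; return one alert per suspicious reply."""
    static = static or {}
    table: Dict[str, str] = dict(static)          # IP -> MAC as the LAN has taught us
    asked: Set[Tuple[str, str]] = set()           # (requester IP, IP asked about)
    alerts: List[str] = []
    for op, sender_ip, sender_mac, target_ip in frames:
        if op == "request":
            asked.add((sender_ip, target_ip))
            continue
        solicited = (target_ip, sender_ip) in asked
        if not solicited:
            alerts.append(f"unsolicited reply: {sender_ip} is at {sender_mac} (sent to {target_ip})")
        known = table.get(sender_ip)
        if known is None:
            table[sender_ip] = sender_mac         # first time we see this IP: learn it
        elif known != sender_mac:
            kind = "static binding violated" if sender_ip in static else "binding changed"
            alerts.append(f"{kind}: {sender_ip} was {known}, now claims {sender_mac}")
            # The old binding is kept on purpose: a flip-flop is the signal, not new truth.
        if solicited:
            asked.discard((target_ip, sender_ip))
    return alerts


if __name__ == "__main__":
    for a in watch(FRAMES, static={"10.1.1.1": "BB:BB:BB:BB:BB:BB"}):
        print("ALERT:", a)
```

Pinning the default router with a static entry is the usual defender's move: the remap attempt then shows up as a static-binding violation even on a watcher that has just started and has not yet learned the LAN.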
Netcat: A General Purpose Network Tool
• Swiss Army knife of network tools
• Two modes
– Client mode: nc
– Listen mode: nc -l
• Supports source routing
[Figure: Netcat in client mode takes input from a file on the system running Netcat and sends the output across the network to any TCP or UDP port on any system; Netcat in listen mode receives input from the network on any TCP or UDP port]
Netcat for File Transfer
• Pushing
– Destination machine, receiving the file:
• $ nc -l -p 1234 > [file]
– Source machine, sending the file:
• $ nc [remote_machine] 1234 < [file]
[Figure: the destination runs Netcat in listen mode on port X with output to a file; the source runs Netcat in client mode with input from a file, sending to TCP port X]
Netcat for File Transfer
• Pulling
– Source machine, offering the file for transfer:
• $ nc -l -p 1234 < [file]
– Destination machine, pulling the file:
• $ nc [remote_machine] 1234 > [file]
[Figure: the source runs Netcat in listen mode on port X with input from a file and dumps the file across the network; the destination runs Netcat in client mode, connects to port X and receives the file into a file]
Netcat for Port Scanning
• Supports only standard, "vanilla" port scans, which complete the TCP three-way handshake
• $ echo QUIT | nc -v -w 3 [target_machine] [startport]-[endport]
Netcat for Vulnerability Scanning
• Used as a limited vulnerability scanning tool
• Write various scripts that implement vulnerability checks
• The UNIX version of Netcat ships with several shell scripts, including
– RPC
– NFS
– Weak trust relationships
– Bad passwords
• Limited compared to Nessus
Relaying Traffic with Netcat
[Figure: relaying traffic with Netcat: the output of a Netcat listener is sent to the input of a Netcat client, and this listener-to-client pair can be chained again on the next hop]
Relaying Traffic with Netcat
[Figure: the attacker outside the network runs a Netcat client to UDP port 53 on a DMZ system already compromised by the attacker; there a Netcat listener on UDP port 53 sends its output to the input of a Netcat client that originates a connection on TCP port 25 to a Netcat listener on an internal system. Firewall policy: no traffic allowed from outside to inside; DNS traffic (UDP 53) allowed from outside to the DMZ; SMTP traffic (TCP 25) allowed from the DMZ to inside.]
Introduction to DoS
[Figure: Denial-of-Service attack categories, by whether the attack is launched locally or remotely and whether it stops services or exhausts resources]
• Stopping services, locally: process killing; system reconfiguring; process crashing
• Stopping services, remotely: malformed packet attacks (e.g., Land, Teardrop, etc.)
• Exhausting resources, locally: forking processes to fill the process table; filling up the whole file system
• Exhausting resources, remotely: packet floods (e.g., SYN Flood, Smurf, Distributed Denial of Service)
Stopping Local Services
• Using a local account, stopping valuable processes that make up services
– Shut down the inetd process
• Methods for stopping local services:
– Process killing
– System reconfiguration
– Process crashing
• A nasty example: the logic bomb
– Logic bomb extortion threats
Locally Exhausting Resources
• When resources are exhausted, the system grinds to a halt, preventing legitimate access
• Methods for exhausting local resources
– Filling up the process table
– Filling up the file system
– Sending outbound traffic that fills up the communications link
Remotely Stopping Services
• Remote DoS attacks are more prevalent
• Exploit an error in the TCP/IP stack
Exploit Name | Overview of How It Works | Susceptible Platforms
Land | Sends a spoofed packet where the source IP address is the same as the destination IP address and the source port is the same as the destination port. The target receives a packet that appears to be leaving the same port that it is arriving on, at the same time, on the same machine. Older TCP/IP stacks get confused by this unexpected event and crash. | A large number of platforms, including Windows systems, various UNIX types, routers, printers, etc.
Latierra | A relative of Land, which sends multiple Land-type packets to multiple ports simultaneously. | A large number of platforms, including Windows systems, various UNIX types, routers, printers, etc.
Ping of Death | Sends an oversized ping packet. Older TCP/IP stacks cannot properly handle a ping packet greater than 64 kilobytes, and crash when one arrives. | Numerous systems, including Windows, many UNIX variants, printers, etc.
Jolt2 | Sends a stream of packet fragments, none of which has a fragment offset of zero. Therefore, none of the fragments looks like the first one in the series. As long as the stream of fragments is being sent, rebuilding these bogus fragments consumes all processor capacity on the target machine. | Windows 95, 98, NT, and 2000
Teardrop, Newtear, Bonk, Syndrop | Various tools that send overlapping IP packet fragments. The fragment offset values in the packet headers are set to incorrect values, so that the fragments do not align properly when reassembled. Some TCP/IP stacks crash when they receive such overlapping fragments. | Windows 95, 98, and NT, and Linux machines
Winnuke | Sends garbage data to an open file sharing port (TCP port 139) on a Windows machine. When data arrives on the port that is not formatted in the legitimate Server Message Block (SMB) protocol, the system crashes. | Windows 95 and NT
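Each row of the table names a property of the packet (or of a fragment stream) that a stack should never see, and those properties are exactly what a packet filter or IDS signature keys on. The Python code below is an added example (constructed, not from the lecture and not any IDS's rule set) that checks packet records for the Land, Ping of Death and Winnuke conditions one packet at a time, and for the Jolt2 and Teardrop conditions by grouping fragments per (source, destination, IP id). The packet records are constructed.

```python
# Added example (constructed): signatures for the malformed-packet attacks in the table.
from collections import defaultdict
from typing import Dict, List

MAX_IP_LENGTH = 65535   # largest datagram IP can reassemble


def check_packet(p: Dict) -> List[str]:
    """Stateless checks that need only the one packet."""
    findings = []
    if p["proto"] == "tcp" and p["src"] == p["dst"] and p.get("sport") == p.get("dport"):
        findings.append("land: source equals destination address and port")
    if p["proto"] == "icmp" and p.get("frag_offset", 0) * 8 + p["length"] > MAX_IP_LENGTH:
        findings.append("ping of death: reassembled ICMP datagram exceeds 65535 bytes")
    if p["proto"] == "tcp" and p.get("dport") == 139 and "URG" in p.get("flags", ()):
        findings.append("winnuke: out-of-band (URG) data to NetBIOS session port 139")
    return findings


def check_fragments(packets: List[Dict]) -> List[str]:
    """Stateful checks over fragment streams grouped by (src, dst, ip_id)."""
    groups = defaultdict(list)
    for p in packets:
        if p.get("frag_offset") is not None:
            groups[(p["src"], p["dst"], p["ip_id"])].append(p)
    findings = []
    for key, frags in groups.items():
        # Jolt2: a stream of two or more fragments and never a first (offset 0) fragment.
        if len(frags) >= 2 and all(f["frag_offset"] != 0 for f in frags):
            findings.append(f"jolt2-style stream {key}: no fragment with offset 0")
        # Teardrop family: fragments whose byte ranges overlap when laid out.
        spans = sorted((f["frag_offset"] * 8, f["frag_offset"] * 8 + f["length"]) for f in frags)
        for (a0, a1), (b0, b1) in zip(spans, spans[1:]):
            if b0 < a1:
                findings.append(f"teardrop-style overlap in {key}: [{a0},{a1}) and [{b0},{b1})")
                break
    return findings


def scan(packets: List[Dict]) -> List[str]:
    out: List[str] = []
    for p in packets:
        out.extend(check_packet(p))
    out.extend(check_fragments(packets))
    return out


# Constructed sample traffic, one case per row of the table (Latierra is Land repeated).
SAMPLE = [
    {"src": "192.0.2.10", "dst": "192.0.2.10", "proto": "tcp", "sport": 139, "dport": 139, "length": 40},
    {"src": "203.0.113.5", "dst": "192.0.2.10", "proto": "icmp", "frag_offset": 8180, "length": 1500, "ip_id": 7},
    {"src": "203.0.113.5", "dst": "192.0.2.10", "proto": "udp", "frag_offset": 1, "length": 8, "ip_id": 9},
    {"src": "203.0.113.5", "dst": "192.0.2.10", "proto": "udp", "frag_offset": 2, "length": 8, "ip_id": 9},
    {"src": "203.0.113.5", "dst": "192.0.2.10", "proto": "udp", "frag_offset": 0, "length": 36, "ip_id": 11},
    {"src": "203.0.113.5", "dst": "192.0.2.10", "proto": "udp", "frag_offset": 3, "length": 20, "ip_id": 11},
    {"src": "203.0.113.5", "dst": "192.0.2.10", "proto": "tcp", "sport": 4000, "dport": 139,
     "flags": ("PSH", "URG"), "length": 60},
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print("FINDING:", f)
```

Fragment offsets are in 8-byte units, which is why the checks multiply by 8 before comparing byte ranges; a ping "greater than 64 kilobytes" is only detectable this way, since no single fragment on the wire is oversized.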
Remotely Exhausting Resources
• Using a flood of packets
– SYN floods
– Smurf attacks
– Distributed DoS attacks, DDoS
SYN Flood
• Three-way handshake
• The TCP/IP stack allocates a small piece of memory on its connection queue
– To remember the initial sequence number
• Two ways
– Fill the connection queue with half-open connections
– Just fill the entire communications link
SYN Flood
[Figure: SYN flood. Normal case: Alice sends SYN (ISNA) to Bob; if she answers Bob's SYN-ACK with RESET!!!, the connection queue entry is freed up upon receiving the RESET packet. Attack: Eve sends SYN(X1, ISNx), SYN(X2, ISNx), SYN(X3, ISNx), ... with spoofed source addresses; Bob sends a SYN-ACK to each address, none of which ever answers, so the queue entries are never freed]
SYN cookies (Linux Kernel)
[Figure: SYN cookies. Alice → Bob: SYN(A, ISNA); Bob → Alice: SYN(B, ISNB) ACK(A, ISNA); Alice → Bob: ACK(B, ISNB). Eve sends spoofed SYN(X, ISNx) packets from X.]
• ISNB is a function of the source IP address, destination IP address, port numbers, and a secret seed. Bob doesn't remember ISNB, or store any information about the half-open connection in the queue.
• When the ACK (B, ISNB) arrives, Bob applies the same function to the ACK packet to check if the value of ISNB is legitimate. If this is a valid ISNB, the connection is established.
• Bob will never store information in the connection queue for these SYNs; instead, Bob sends SYN(B, ISNB) ACK(X, ISNx).
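The SYN cookie mechanism just described, as an added Python example: this is a simplified model written for this lecture, not the Linux kernel's code, though it follows the same construction (a keyed hash of the 4-tuple, an 8-bit time counter in the top bits, and a small MSS index in the low bits, so that both can be recovered from the cookie alone). The secret seed, the MSS table and the hosts are constructed; Bob keeps his half-open queue empty no matter how many spoofed SYNs arrive.

```python
# Added example (constructed; modelled on the SYN-cookie idea, not kernel code).
import hashlib
import hmac
import os
from typing import Optional, Tuple

SECRET = os.urandom(32)          # the "secret seed"
MSS_TABLE = [536, 1460]          # constructed: MSS values the cookie can encode (index)
COOKIEBITS = 24                  # low bits carry the hashed MSS index; top 8 carry the counter
COOKIEMASK = (1 << COOKIEBITS) - 1
MASK32 = 0xFFFFFFFF


def _h(src: str, dst: str, sport: int, dport: int, count: int, c: int) -> int:
    """32-bit keyed hash over the 4-tuple; c selects one of two independent hashes."""
    msg = f"{c}|{src}|{dst}|{sport}|{dport}|{count}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


def make_cookie(src: str, dst: str, sport: int, dport: int,
                client_isn: int, mss_index: int, count: int) -> int:
    """ISNB = H0 + ISNA + (count << 24) + ((H1(count) + mss) mod 2^24), all mod 2^32."""
    count &= 0xFF
    return (_h(src, dst, sport, dport, 0, 0) + client_isn + (count << COOKIEBITS)
            + ((_h(src, dst, sport, dport, count, 1) + mss_index) & COOKIEMASK)) & MASK32


def check_cookie(src: str, dst: str, sport: int, dport: int, client_isn: int,
                 cookie: int, count_now: int, max_age: int = 2) -> Optional[int]:
    """Recover count and MSS index from a returning cookie; None if forged or stale."""
    diff = (cookie - client_isn - _h(src, dst, sport, dport, 0, 0)) & MASK32
    count = diff >> COOKIEBITS                      # the low 24 bits never carry into it
    if ((count_now & 0xFF) - count) & 0xFF > max_age:
        return None                                 # too old, or a forged counter
    mss = (diff - _h(src, dst, sport, dport, count, 1)) & COOKIEMASK
    return mss if mss < len(MSS_TABLE) else None    # wrong hash gives a random, invalid index


class Server:
    """Bob: answers every SYN without queueing anything and accepts only valid ACKs."""

    def __init__(self, ip: str):
        self.ip = ip
        self.half_open = {}          # stays empty under a SYN flood
        self.established = set()

    def on_syn(self, src: str, sport: int, dport: int, client_isn: int, count: int) -> Tuple[str, int, int]:
        isn_b = make_cookie(src, self.ip, sport, dport, client_isn, 1, count)
        return ("SYN-ACK", isn_b, (client_isn + 1) & MASK32)   # SYN(B, ISNB) ACK(A, ISNA+1)

    def on_ack(self, src: str, sport: int, dport: int, seq: int, ack: int, count: int) -> bool:
        client_isn = (seq - 1) & MASK32
        if check_cookie(src, self.ip, sport, dport, client_isn, (ack - 1) & MASK32, count) is None:
            return False
        self.established.add((src, sport))
        return True


if __name__ == "__main__":
    bob = Server("192.0.2.10")
    _, isn_b, _ = bob.on_syn("10.1.1.20", 40000, 80, 12345, count=5)      # Alice's SYN
    print("Alice's ACK accepted:", bob.on_ack("10.1.1.20", 40000, 80, 12346, isn_b + 1, count=5))
    for i in range(10_000):                                              # Eve's spoofed SYNs
        bob.on_syn(f"203.0.113.{i % 250}", 1024 + i, 80, i, count=5)
    print("half-open entries after the flood:", len(bob.half_open))
```

The cost of the scheme, which the slide does not mention, is that TCP options sent in the original SYN cannot be remembered either; that is why only a small MSS index is folded into the cookie.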
Smurf Attacks
• Also known as directed broadcast attacks
• The router converts the IP broadcast message to a MAC broadcast message using the MAC address FF:FF:FF:FF:FF:FF
– Every machine reads the message and sends a response
Smurf Attacks
[Figure: the attacker sends a broadcast ping spoofed from w.x.y.z to the Smurf amplifier network; every host there responds to w.x.y.z, which is flooded with the responses ("UGH!")]
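What stops a network from serving as a Smurf amplifier is a router decision, not a host one: refuse to turn an IP directed broadcast into a MAC broadcast. The Python code below is an added example (constructed; not the lecture's and not any vendor's router code) that recognises a directed-broadcast destination by computing each configured subnet's broadcast address, shows the two possible router behaviours, and estimates the amplification a victim would receive. Subnets and packets are constructed.

```python
# Added example (constructed): router-side directed-broadcast check against Smurf.
import ipaddress
from typing import Dict, List, Optional

# Constructed: the prefixes this router has on its LAN interfaces.
SUBNETS = [ipaddress.ip_network(s) for s in ("192.0.2.0/24", "198.51.100.0/25")]


def directed_broadcast_target(dst: str) -> Optional[ipaddress.IPv4Network]:
    """Return the subnet whose directed-broadcast address is dst, else None."""
    d = ipaddress.ip_address(dst)
    for net in SUBNETS:
        if d == net.broadcast_address:      # e.g. 198.51.100.127 for 198.51.100.0/25
            return net
    return None


def route(pkt: Dict, directed_broadcast_enabled: bool) -> str:
    """Decide what the router does with one packet arriving from outside."""
    net = directed_broadcast_target(pkt["dst"])
    if net is None:
        return "forward"                                      # ordinary unicast
    if pkt["proto"] == "icmp" and pkt["type"] == "echo-request":
        if directed_broadcast_enabled:
            # The failure mode on the slide: IP broadcast becomes a MAC broadcast.
            return f"broadcast on {net} as FF:FF:FF:FF:FF:FF"
        return "drop: echo request to directed broadcast"
    return "drop: directed broadcast"


def amplification(live_hosts: int, reply_bytes: int = 64) -> int:
    """Bytes the spoofed victim receives per spoofed request: one reply per live host."""
    return live_hosts * reply_bytes


# Constructed sample: two spoofed broadcast pings and one ordinary ping.
SAMPLE: List[Dict] = [
    {"src": "10.9.9.9", "dst": "192.0.2.255", "proto": "icmp", "type": "echo-request"},
    {"src": "10.9.9.9", "dst": "198.51.100.127", "proto": "icmp", "type": "echo-request"},
    {"src": "10.9.9.9", "dst": "198.51.100.10", "proto": "icmp", "type": "echo-request"},
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p["dst"], "=>", route(p, directed_broadcast_enabled=False))
    print("bytes to victim per 64-byte spoofed ping with 200 live hosts:", amplification(200))
```

The second sample packet is the one administrators most often miss: on a /25 the directed-broadcast address ends in .127, so a filter that only blocks addresses ending in .255 leaves the amplifier open.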
DDoS Architecture
• First, take over a large number of victim machines, referred to as "zombies"
• Install the zombie software on those systems
– A component of the DDoS tool
• The attacker uses a special client tool to interact with the zombies
A DDoS Attack: Tribe Flood Network 2000
[Figure: the attacker, using Netcat, talks to client machines, each of which controls many zombies; the zombies flood the victim ("UGH!")]
TFN2K, a Powerful DDoS Tool
• Attack types include:
– Targa
– UDP Flood
– SYN Flood
– ICMP Flood
– Smurf Attack
– "Mix" Attack: UDP, SYN, and ICMP Floods
TFN2K, a Powerful DDoS Tool
• Features
– Authentication using an encrypted password
– All packets from the client to the zombies are sent as ICMP Echo Reply packets
• ICMP Echo Replies are allowed into many networks
• No port number is associated with ICMP
• Finding the attacker is very difficult
• The client machine holds an encrypted file listing the IP addresses of all of the zombies under its control
• Allows the attacker to run a single arbitrary command simultaneously on all zombies
Maintaining Access: Trojans, Backdoors, and Rootkits
Backdoors
• Allow an attacker to access a machine using an alternative entry method
• To bypass the front door
• When attackers collide
– The attacker closes security holes, and installs a backdoor
– Backdoor security controls can be even stronger than the standard system security controls, possibly using SSH
Backdoors Melded into Trojan Horses
Type of Trojan Horse Backdoor | Characteristics | Analogy | Example Tools
Application-level Trojan Horse Backdoor | A separate application runs on the system, giving the attacker backdoor access. | An attacker adds poison to your soup. A foreign entity is added into the existing system by the attacker. | Back Orifice 2000 (BO2K); Sub7; Hack-a-tack; QAZ
Traditional RootKits | Critical operating system components are replaced or modified by the attacker to create backdoors and hide on the system. | An attacker replaces the potatoes in your soup with modified potatoes that are poisonous. The existing components of the system are modified by the attacker. | Linux RootKit 5 for Linux; T0rnKit for Linux, Solaris; other, platform-specific RootKits for SunOS, AIX, SCO, Solaris, etc.
Kernel-level RootKits | The operating system kernel itself is modified to foster backdoor access and allow the attacker to hide. | An attacker replaces your tongue with a modified, poison tongue so that you cannot detect their deviousness by looking at the soup. The very organs you eat with are modified to poison you. | Knark for Linux; Adore for Linux; Plasmoid's Solaris Kernel-Level RootKit; Windows NT RootKit
Application-Level
• Add a separate application to a system
• Mostly developed for Windows platforms
• RootKits are more popular in the UNIX world
• Example: Back Orifice 2000 (BO2K)
[Figure: the attacker's backdoor client reaches the backdoor server on the victim across the network (Internet, intranet, etc.) for remote access and control]
Traditional RootKits
• Replace critical operating system executables
• Traditionally focused on UNIX systems
• NT/2000 RootKits replace Dynamic Link Libraries
Comparison
[Figure: comparing application-level Trojan horse backdoors with traditional RootKits. With an application-level backdoor ("evil backdoor"), login, ps and ifconfig are all good: the system executables remain intact. With a traditional RootKit, login (with backdoor), ps and ifconfig are Trojaned: the system executables are altered to include a backdoor and other stealth capabilities. The kernel is unchanged in both cases.]
What Do Traditional RootKits Do?
• RootKits depend on the attacker already having root access
• A RootKit is a suite of tools that allows the attacker to maintain root-level access by implementing a backdoor
/bin/login Replacement
• Authentication
• A RootKit replaces /bin/login with a modified version that includes a backdoor password
Traditional RootKits
• Linux RootKit 5 (lrk5): targets Linux systems
• t0rnkit: targets Linux and Solaris systems
Nastiest: Kernel-Level RootKits
• The kernel is the fundamental, underlying part of the OS
Figure: with a traditional RootKit the executables (login, ps, ifconfig) are Trojaned on top of a good kernel; with a kernel-level RootKit the executables, and even an integrity checker such as tripwire, are all good, but a Trojan kernel module underneath lies to all of them.
What They Can Do: The Power of Execution Redirection
• Execution redirection
– Most kernel-level RootKits include a capability to do execution redirection
– Bait-and-switch: /bin/login -> /bin/backdoorlogin
• File hiding
– Kernel-level RootKits support file hiding
– Implemented in the kernel
• Process hiding
– Hiding processes, such as a Netcat backdoor
• Network hiding
– Masking particular network port usage from netstat
– Nmap run from another host still sees the port
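A practical check against the process hiding described above, added here as an example that is not part of the original slides: a kernel-level RootKit that hides a process filters its PID out of the /proc directory listing that ps reads, but the process still exists, so probing every PID with kill(pid, 0) finds it. Comparing the two views exposes the discrepancy. The /proc path and the pid_max fallback are assumptions.

```python
"""Cross-view detection of kernel-level process hiding (added example)."""
import os

PROC = "/proc"   # assumption: a Linux-style procfs at the usual location


def listed_pids(proc_root=PROC):
    """PIDs visible in the /proc directory listing (the view ps and top use)."""
    try:
        names = os.listdir(proc_root)
    except OSError:
        return set()
    return {int(n) for n in names if n.isdigit()}


def probed_pids(max_pid):
    """PIDs that answer kill(pid, 0): the process exists even if it is hidden.

    A PermissionError means the process exists but belongs to another user,
    so it still counts as present.
    """
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found


def hidden_pids(listed, probed):
    """PIDs that exist but are missing from the listing (pure function)."""
    return set(probed) - set(listed)


def max_pid(proc_root=PROC, default=32768):
    """Upper bound of the PID space, from /proc/sys/kernel/pid_max when readable."""
    try:
        with open(os.path.join(proc_root, "sys", "kernel", "pid_max")) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return default


def scan(proc_root=PROC, rounds=2):
    """Run both views on the live system; a PID must look hidden in every round.

    Repeating and intersecting removes short-lived processes that start or
    exit between the listing and the probe.
    """
    result = None
    for _ in range(rounds):
        found = hidden_pids(listed_pids(proc_root), probed_pids(max_pid(proc_root)))
        result = found if result is None else result & found
    return result


if __name__ == "__main__":
    suspicious = scan()
    print("PIDs missing from /proc but alive:", sorted(suspicious) or "none")
```

The check only helps against a RootKit that hooks fewer interfaces than you compare: Knark already intercepts the kill system call for its own signal-31 command, so a module that also filters kill(pid, 0) for hidden PIDs would defeat this probe, and the comparison should be run from trusted media or a rescue system rather than from the possibly Trojaned host.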
How to Implement Kernel-Level RootKits
• Loadable Kernel Modules (LKMs)
• Many kernel-level RootKits are implemented as LKMs
• e.g., insmod knark.o
Some Examples of Kernel-Level RootKits
• Knark, a Linux kernel-level RootKit
– Remote execution
– Promiscuous-mode hiding
– Task hacking
– Real-time process hiding: kill -31 process_id
– Kernel-module hiding: the Knark package includes a separate module called modhide
• Adore, another Linux kernel-level RootKit
• Plasmoid's Solaris loadable kernel module RootKit
• Windows NT kernel-level RootKit by rootkit.com (www.rootkit.com), delivered as a patch
Network Compromise & Denial of Service
Figure: attack sources (Internet, intranet, extranet) with the labels 74%, Remote Access 12% and Internal System 33%.
Network compromise:
• Authentication: password crackers
• Poor service configuration: e.g., DNS, mail, FTP and web
• Protocol weakness: ARP, ICMP
• Application holes
• Backdoors
• Physical access
Denial of service:
• Out-of-bounds attack: e.g., Ping of Death and IP fragment attacks
• Host resource starvation: e.g., SYN flood
• DDoS (client -> handler -> agent -> victim): e.g., Trinoo and Tribe Flood Network
• Bandwidth consumption: e.g., Smurf and Fraggle
Source: Hackers Beware, Eric Cole; ISBN 0735710090
Mail spam
• Unsolicited Commercial E-mail (UCE): junk e-mail
– usually annoying but harmless commercial advertising.
• But ...
– it can spread a computer virus
– it is dangerous when it is a fraud
– it is illegal when a chain letter involves the U.S. Postal Service
• IDC predicts a growing glut of spam: daily e-mail volume rising from 31 billion messages in 2002 to 60 billion in 2006.
• To avoid being traced, senders use forged e-mail addresses and relay their mail through other organizations' mail servers.
History of Spam
• Nothing to do with the Hormel product SPAM (SPiced hAM).
• Monty Python's sketch:
– A restaurant serves SPAM with every meal.
– A particular customer tries to order a meal without SPAM.
– A side table of SPAM-loving Vikings: whenever they hear the word SPAM they joyously sing a song about their love for SPAM.
• The song starts quietly with the words "SPAM, SPAM, SPAM, SPAM, SPAM ..." and the Vikings sing it rising in volume, drowning out all other conversation.
– During the 2.5-minute sketch the word SPAM is used more than 100 times.
– Hence the analogy: unwanted messages drowning out normal Internet communication.
http://notebook.ifas.ufl.edu/spam/
React to Mail spam
Abuse mailboxes of the regional network centers for reporting spam mail:
National Taiwan University abuse@ntu.edu.tw; National Chengchi University abuse@nccu.edu.tw; National Central University abuse@ncu.edu.tw; National Chiao Tung University abuse@nctu.edu.tw; National Chung Hsing University abuse@nchu.edu.tw; National Chung Cheng University abuse@ccu.edu.tw; National Cheng Kung University abuse@ncku.edu.tw; National Sun Yat-sen University abuse@mail.nsysu.edu.tw; National Hualien Teachers College abuse@nhltc.edu.tw; National Dong Hwa University abuse@ndhu.edu.tw; National Taitung Teachers College abuse@cc.ntttc.edu.tw
Source: http://140.111.1.22/tanet/spam.html
• When the Ministry of Education receives complaints from home or abroad, it forwards them to the administrators or responsible staff of the twelve regional network centers and restricts the offending host's connection to the academic network backbone.
• The restriction is lifted only after the mail server administrator replies that the problem has been handled and fixed (per the minutes of the 53rd meeting of the TANet technical working group).
Malicious Code (惡性程式)
• "Malicious code" refers to all ill-intentioned program code, including computer viruses, Trojan horses and worms.
*Analysis by Symantec Security Response using data from Symantec Security Response, IDC and ICSA; 2002 estimated. **Source: CERT
Viruses, viruses, viruses!
Year | Virus (Chinese name) | Historical significance | Loss (USD) | Computers attacked (and productivity loss)
2003 | Blaster (疾風病毒) | First virus to exploit a Microsoft vulnerability that had been published less than a month earlier | Still being tallied | Over 1 million so far
2003 | SQL Slammer (SQL警戒) | First virus to attack SQL servers | 1 billion | n/a
2002 | Klez (求職信) | First virus whose variants kept circulating for a whole year, still causing global infection | 9 billion | 6 million
2001 | Code Red (紅色警戒) | First hacker-type virus; its constant scanning for IIS servers caused abnormal network traffic | 2.62 billion (1.1 billion of it spent on clean-up) | 1 million
2001 | Nimda (娜妲) | First hacker-type virus to paralyse networks through multiple routes: e-mail, IIS servers and Network Neighborhood | 635 million | Over 8 million
http://www.trendmicro.com/tw/about/news/pr/archive/2003/pr030827.htm
Help, I'm infected!
What Is a Virus (電腦病毒)?
• A hidden, self-replicating section of computer software, usually malicious logic, that propagates by infecting, i.e., inserting a copy of itself into and becoming part of, another program (RFC 2828).
• A virus cannot run by itself; it requires that its host program be run to make the virus active.
• When does it bomb?
– That depends entirely on how the virus author designed the program; it is not a defining property of a computer virus.
– "PETER-2": on 27 February every year it asks three questions and encrypts the hard disk if they are answered wrongly.
– "Black Friday" triggers on any Friday the 13th.
Virus
What Is a Trojan Horse (特洛伊木馬程式)?
Figure: backdoors and RootKits shown as kinds of Trojan horse.
• A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program.
• Unlike a computer virus, a Trojan horse does not infect other files.
What Is a Worm (電腦蠕蟲)?
• A computer program that can run independently, can propagate a complete working version of itself onto other hosts on a network, and may consume computer resources destructively.
• The original copy produces many clones, which then crawl like worms across the network from one computer to the next.
• The most common routes are the local area network (LAN), the Internet or e-mail. The well-known worm VBS_LOVELETTER is one example.
Viruses, Worms and Trojan Horses (O = yes, X = no)
Property | Virus | Trojan horse | Worm
Infects other files | O | X | X
Spreads itself passively | O | O | X
Spreads itself actively | X | X | O
Growth in the number of programs | The number of infected files generally rises with computer usage | Does not increase | Depends on network connectivity; the wider the links, the more copies are spread
Destructive capability | Depends on the author | Depends on the author | X
Impact on enterprises | Medium | Low | High
Source: http://www.trendmicro.com/tw/security/general/guide/overview/guide01.htm
Anti-Virus Management
• Do not use or install software, floppy disks, CDs or Internet downloads of unknown origin
• Always install anti-virus software
– Keep the virus signatures updated, or new viruses will get through
– Scan the system regularly for infection
• Keep up with virus news
– Security holes in the OS itself and in application software
– Check the relevant websites and patch the system's security holes
• Back up data regularly
Risk Management
Figure: VPN, firewall and IDS as controls inside a risk management loop: risk assessment (threat, vulnerability and asset) feeding risk mitigation (risk mitigation action points).
Security Management
• ISO/IEC 17799:2000 (BS 7799 Part 1)
– a standard code of practice; can be regarded as a comprehensive catalogue of good security things to do.
• BS 7799-2:2002 (Part 2)
– a standard specification for an Information Security Management System (ISMS).
– Senior management monitor and control their security, minimizing the residual business risk and ensuring that security continues to fulfil corporate, customer and legal requirements.
– Scope, ISMS policy, risk assessment, risk management/risk treatment, selection of control objectives and controls, Statement of Applicability (SoA), risk treatment plan
http://www.fisc.com.tw/news/MAZ/30/p4a.asp
http://www.gammassl.co.uk/bs7799/works.html
Guidelines on Firewalls
Building Internet Firewalls
Figure: packet filter, stateful inspection and application proxy firewalls positioned against the seven OSI layers (Physical, Data Link, Network, Transport, Session, Presentation, Application), each type reaching higher up the stack than the previous one.
Packet Filter Firewalls
• Access control based upon several pieces of information contained in a network packet:
– The source address of the packet
– The destination address of the packet
– The type of traffic: the specific network protocol being used to communicate between the source and destination systems or devices (e.g., ICMP)
– Possibly some characteristics of the Layer 4 communication sessions, such as the source and destination ports of the sessions
– The interface of the router the packet came from and the interface of the router the packet is destined for; this is useful for routers with three or more network interfaces.
Boundary Routers
• The packet filter, referred to as a boundary router, can block certain attacks, possibly filter unwanted protocols, perform simple access control, and then pass the traffic on to other firewalls that examine higher layers of the OSI stack.
Figure: packet filter used as a boundary router
Basic Weaknesses Associated with Packet Filters
• Do not examine upper-layer data
– Cannot prevent attacks that employ application-specific vulnerabilities or functions.
• Limited information available to the firewall
– Logging functionality present in packet filter firewalls is limited.
• Do not support advanced user authentication schemes.
• Network protocol weakness
– Vulnerable to attacks on the TCP/IP specification and protocol stack, such as network-layer address spoofing.
• Small number of variables used in access control decisions
– Susceptible to security breaches caused by improper configuration.
• But ...
– Consequently, packet filter firewalls are very suitable for high-speed environments where logging and user authentication with network resources are not important.
Packet Filter Rulesets
• Actions:
– Accept
– Deny (reject, telling the sender)
– Discard (drop silently, without notifying the sender)
• By default:
– Any type of access from the inside to the outside is allowed.
– No access originating from the outside to the inside is allowed except for SMTP and HTTP.
• The SMTP and HTTP servers are positioned "behind" the firewall.
Stateful Inspection Firewalls
• More secure: track client ports individually rather than opening all high-numbered ports for external access.
• Useful or applicable only within TCP/IP network infrastructures.
• Represent a superset of packet filter firewall functionality.
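The ruleset semantics above (first match wins, then the default action) and the reason stateful inspection is "more secure" are easiest to see side by side. The following is an added example, not code from the slides or from NIST; the addresses, the "inside"/"outside" interface names and the two servers are constructed. It shows that a stateless filter implementing the default policy has to open the whole high-port range so that inside clients get their replies, and that connection tracking closes that hole.

```python
"""Packet-filter ruleset with default policy, plus stateful inspection (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrived on: "inside" or "outside"
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                     # "accept" or "deny"
    iface: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dports: tuple = (0, 65535)      # inclusive destination-port range

    def matches(self, p: Packet) -> bool:
        return (self.iface in ("any", p.iface)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dports[0] <= p.dport <= self.dports[1])


def evaluate(rules, p, default="deny"):
    """First matching rule wins; anything unmatched gets the default action."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


INSIDE = "192.168.1.0/24"   # constructed protected network
MAIL = "192.168.1.25/32"    # constructed SMTP server behind the firewall
WEB = "192.168.1.80/32"     # constructed HTTP server behind the firewall

# The default policy from the slide: inside -> outside allowed; outside ->
# inside only SMTP and HTTP to the two servers.
POLICY = [
    Rule("accept", iface="inside", src=INSIDE),
    Rule("accept", iface="outside", dst=MAIL, proto="tcp", dports=(25, 25)),
    Rule("accept", iface="outside", dst=WEB, proto="tcp", dports=(80, 80)),
]

# A stateless filter cannot recognise replies to inside clients, so it must
# also open every ephemeral port to the outside. That last rule is the hole:
# an outsider can now reach any high port on any inside host.
STATELESS = POLICY + [
    Rule("accept", iface="outside", dst=INSIDE, proto="tcp", dports=(1024, 65535)),
]


class StatefulFirewall:
    """Same policy, but remembers accepted flows and admits only their replies."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()      # (proto, src, sport, dst, dport) of accepted packets

    def process(self, p: Packet) -> str:
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if reverse in self.flows:
            return "accept"                       # reply to a tracked flow
        verdict = evaluate(self.rules, p)
        if verdict == "accept":
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return verdict
```

A real stateful engine also checks TCP flags (only a SYN may open an entry), expires idle entries, and keeps pseudo-state for UDP and ICMP; those details are left out here. Before stateful inspection, stateless filters narrowed the high-port hole with an "established" check on the ACK bit, which a crafted packet with ACK set bypasses.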
Application-Proxy Gateway Firewalls
• Combine lower-layer access control with upper-layer (Layer 7, Application Layer) functionality.
• For example: a web proxy.
• In addition to the ruleset, include authentication of each individual network user:
– User ID and password authentication,
– hardware or software token authentication,
– source address authentication, and
– biometric authentication.
Dedicated Proxy Servers
• Are useful for web and e-mail content scanning:
– Java applet or application filtering
– ActiveX control filtering
– JavaScript filtering
– Blocking specific Multipurpose Internet Mail Extensions (MIME) types, for example application/msword for Microsoft Word documents
– Virus scanning and removal
– Macro virus scanning, filtering and removal
– Application-specific commands, for example blocking the HTTP DELETE method, and
– User-specific controls, including blocking certain content types for certain users.
Dedicated Proxy Servers Deployments
Network Address Translation
• Developed in response to two major issues:
– Hiding the network-addressing schema present behind a firewall environment.
– The depletion of the IP address space, which has caused some organizations to use NAT for mapping non-routable IP addresses to a smaller set of legal addresses, according to RFC 1918.
• Accomplished in three fashions, including:
– Static Network Address Translation
– Port Address Translation (PAT)
IANA-allocated, non-Internet-routable (private) address ranges; public addresses are allocated by registries such as the American Registry for Internet Numbers (ARIN):
Address class | Network address range
A | 10.0.0.0 ~ 10.255.255.255
B | 172.16.0.0 ~ 172.31.255.255
C | 192.168.0.0 ~ 192.168.255.255
Non-routable addresses are recommended for home networks.
Static Network Address Translation
Each internal system on the private network has a corresponding external, routable IP address associated with it.
PAT
Many internal systems share one external address; the translated source port distinguishes their connections.
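The two translation styles as tables, added here as an example that is not part of the original slides: static NAT is a fixed one-to-one map that works in both directions, while PAT hands each outbound (private address, port) pair a fresh public port and only admits inbound packets that hit an existing mapping. Public addresses come from the 203.0.113.0/24 documentation range; the private hosts and port numbers are constructed.

```python
"""Static NAT and Port Address Translation as translation tables (added example)."""
from itertools import count

# Static NAT: one private address <-> one public address, both directions.
STATIC = {"192.168.1.80": "203.0.113.80"}          # constructed mapping
STATIC_REVERSE = {pub: priv for priv, pub in STATIC.items()}


def static_outbound(private_ip):
    """Public address for a statically mapped host, or None if unmapped."""
    return STATIC.get(private_ip)


def static_inbound(public_ip):
    """Unsolicited inbound traffic works for static mappings: the server is reachable."""
    return STATIC_REVERSE.get(public_ip)


class PAT:
    """Many private hosts share one public address; ports tell their flows apart."""

    def __init__(self, public_ip, first_port=20000):
        self.public_ip = public_ip
        self._ports = count(first_port)   # simplistic allocator: never reuses a port
        self.outbound_map = {}            # (private_ip, private_port) -> public_port
        self.inbound_map = {}             # public_port -> (private_ip, private_port)

    def outbound(self, private_ip, private_port):
        """Translate an outbound packet's source; allocate a port on first sight."""
        key = (private_ip, private_port)
        if key not in self.outbound_map:
            port = next(self._ports)
            self.outbound_map[key] = port
            self.inbound_map[port] = key
        return self.public_ip, self.outbound_map[key]

    def inbound(self, public_port):
        """Only packets to an allocated port get in; anything else is dropped (None)."""
        return self.inbound_map.get(public_port)
```

Note that this table is keyed on the inside tuple only, so while a mapping exists any outside host can send to that public port; a translator that also records the outside peer (and expires idle entries) is what keeps PAT from quietly acting as an open door.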
Personal Firewalls/Personal Firewall Appliances
• Personal Firewall:
– Installed on the system it is meant to protect;
– Usually does not offer protection to other systems or resources
• Personal Firewall Appliance:
– Usually runs on specialized hardware and integrates some other form of network infrastructure component:
• Cable modem WAN routing,
• LAN routing (dynamic routing support),
• Network hub,
• Network switch,
• DHCP (Dynamic Host Configuration Protocol) server,
• Network management (SNMP) agent, and
• Application-proxy agents.
DMZ (DeMilitarized Zone)
• A DMZ is your front line when protecting valuables from direct exposure to an untrusted environment.
– "A network added between a protected network and an external network in order to provide an additional layer of security."
• A DMZ is sometimes called a "perimeter network" or a "three-homed perimeter network."
• A DMZ is a glowing example of the Defense-in-Depth principle.
Defense-in-Depth
• The Defense-in-Depth principle states that no one thing, no two things, will ever provide total security.
• It states that the only way for a system to be reasonably secured is to consider every aspect of the system's existence and secure them all.
• A DMZ is a step towards defense in depth because it adds an extra layer of security beyond that of a single perimeter.
Design DMZ
• Start by asking yourself:
– what do I want to protect? Or: what is most valuable to me?
– what is the entrance point into this system? Or: what is my front door?
• If there is more than one entrance to your system, such as an Internet connection and dial-up connections:
– have two different DMZs.
– Have different configurations for each of those access types.
DMZ Networks
A DMZ Firewall Environment Service Leg DMZ Configuration
Domain Name Service (DNS)
Split DNS example
Placement of Servers in Firewall Environments
Summary Example Firewall Environment
Firewall Ruleset: Blocking Traffic
• Inbound traffic from a non-authenticated source system with a destination address of the firewall system itself.
• Inbound traffic with a source address indicating that the packet originated on a network behind the firewall.
• Inbound traffic containing ICMP (Internet Control Message Protocol) traffic.
• Inbound or outbound traffic from a system using a source address that falls within the address ranges set aside in RFC 1918 as being reserved for private networks.
• Inbound traffic from a non-authenticated source system containing SNMP (Simple Network Management Protocol) traffic.
• Inbound traffic containing IP source routing information.
• Inbound or outbound network traffic containing a source or destination address of 127.0.0.1 (localhost).
• Inbound or outbound network traffic containing a source or destination address of 0.0.0.0.
• Inbound or outbound traffic containing directed broadcast addresses.
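The blocking list above, expressed as a check a practitioner could drop in front of a ruleset. This is an added example, not code from the slides or from NIST: the firewall's own address, the network behind it and the routed subnets are constructed documentation addresses, and the checks are taken as running on the external interface, where an RFC 1918 source is always illegitimate because inside traffic has been translated by the time it leaves.

```python
"""Perimeter ingress/egress sanity checks (added example, constructed addresses)."""
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FIREWALL = {ip_address("203.0.113.1")}            # the firewall's own external address
BEHIND = [ip_network("198.51.100.0/24")]          # networks behind the firewall
LOOPBACK = ip_network("127.0.0.0/8")
UNSPECIFIED = ip_address("0.0.0.0")
SNMP_PORTS = {161, 162}


def block_reasons(direction, src, dst, proto="tcp", dport=0,
                  source_routed=False, authenticated=False):
    """Return every rule from the list that the packet violates.

    direction is "in" (arriving from outside) or "out" (leaving). An empty
    list means the packet may go on to the normal ruleset.
    """
    s, d = ip_address(src), ip_address(dst)
    inbound = direction == "in"
    reasons = []
    if inbound and d in FIREWALL and not authenticated:
        reasons.append("unauthenticated traffic to the firewall itself")
    if inbound and any(s in n for n in BEHIND):
        reasons.append("source claims to be behind the firewall (spoofed)")
    if inbound and proto == "icmp":
        reasons.append("inbound ICMP")
    if any(s in n for n in RFC1918):
        reasons.append("RFC 1918 source address")
    if inbound and proto == "udp" and dport in SNMP_PORTS and not authenticated:
        reasons.append("unauthenticated SNMP")
    if inbound and source_routed:
        reasons.append("IP source routing option present")
    if s in LOOPBACK or d in LOOPBACK:
        reasons.append("loopback address on the wire")
    if s == UNSPECIFIED or d == UNSPECIFIED:
        reasons.append("0.0.0.0 address")
    if any(d == n.broadcast_address for n in BEHIND):
        reasons.append("directed broadcast")
    return reasons


def should_drop(*args, **kwargs):
    return bool(block_reasons(*args, **kwargs))
```

Two caveats when turning this into a live policy: dropping all inbound ICMP also drops "fragmentation needed" messages and so breaks path MTU discovery for inside hosts, so most deployments allow that type through; and the spoofed-source check must be applied per interface (inbound on the external interface only), or legitimate inside traffic gets blocked.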
Network Intrusion Detection Systems
• An intrusion is an attempt to compromise the confidentiality, integrity or availability of a computer or network, or to bypass its security mechanisms.
IDS History
http://www.securityfocus.com/infocus/1514
Types of IDS (by Information Source)
• Network (NID): captures and analyzes all network packets
• Network-Node (NNID): monitors packets to/from a specific node
• Host (HID): operates on information (e.g., logs or OS system calls) collected from within an individual computer system
• Application (AID): operates on application transaction logs, e.g., Entercept Web Server Edition
• Application-Integrated (AIID): uses a module coupled with the application to extract the desired information and monitor transactions
http://www.networkintrusion.co.uk/ids.htm
Complement IDS Tools
Source: http://www.icsalabs.com/html/communities/ids/buyers_guide/guide/index.shtml
• Honey pot: a system/resource designed to be attractive to potential attackers
• Padded cell: when the IDS detects an attacker, it seamlessly transfers them to a special padded-cell host
• Vulnerability assessment: determines whether a network or host is vulnerable to known attacks
• File integrity checkers: create a baseline by applying a message digest (cryptographic hash) to key files, then check the files periodically
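A minimal file integrity checker of the kind described, added as an example that is not part of the original slides or of any product: it records a SHA-256 digest plus size, permission bits and inode for each watched file, stores the baseline as JSON, and later reports files that changed or disappeared. The watched file names are constructed; in real use the list would be the binaries a traditional RootKit replaces (/bin/login, /bin/ps, ifconfig, ...).

```python
"""Tripwire-style file integrity checker (added example)."""
import hashlib
import json
import os
import stat
import tempfile


def digest(path, algorithm="sha256"):
    """Hash the file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def fingerprint(path):
    st = os.stat(path)
    return {
        "digest": digest(path),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),   # a newly set setuid bit shows up here
        "inode": st.st_ino,                 # a binary moved into place gets a new inode
    }


def make_baseline(paths):
    return {p: fingerprint(p) for p in paths}


def save_baseline(base, out_path):
    with open(out_path, "w") as f:
        json.dump(base, f, indent=1, sort_keys=True)


def load_baseline(in_path):
    with open(in_path) as f:
        return json.load(f)


def verify(base):
    """Compare the filesystem against the baseline; report per file."""
    report = {"ok": [], "changed": [], "missing": []}
    for path, rec in base.items():
        if not os.path.exists(path):
            report["missing"].append(path)
            continue
        current = fingerprint(path)
        diffs = [k for k in current if current[k] != rec[k]]
        if diffs:
            report["changed"].append((path, diffs))
        else:
            report["ok"].append(path)
    return report


def demo():
    """Self-contained walk-through on constructed files in a temporary directory."""
    d = tempfile.mkdtemp()
    login, ps = os.path.join(d, "login"), os.path.join(d, "ps")
    with open(login, "wb") as f:
        f.write(b"#!/bin/sh\necho good login\n")
    with open(ps, "wb") as f:
        f.write(b"#!/bin/sh\necho good ps\n")
    store = os.path.join(d, "baseline.json")
    save_baseline(make_baseline([login, ps]), store)
    clean = verify(load_baseline(store))
    # Tamper the way a traditional RootKit would: patch login, remove ps.
    with open(login, "ab") as f:
        f.write(b"# backdoor password check would go here\n")
    os.remove(ps)
    tampered = verify(load_baseline(store))
    return clean, tampered
```

The baseline and the checker itself must live on read-only or offline media: an attacker with root can rewrite a baseline stored on the host, and, as the kernel-level RootKit figure earlier shows, a Trojan kernel module can feed a perfectly good checker the original file contents while the redirected binary runs in its place.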
IDS Life Cycle
• Testing: accuracy, resource usage, stress
• Vulnerability assessment
• Installation: information collecting, filtering and correlation, traffic analysis
• Configuration: signature updating, writing signatures
• Tuning
"Setting up the current generation of IDSs requires a substantial time investment to ensure they'll flag only suspicious traffic and leave everything else alone." www.nwfusion.com/techinsider/2002/0624security1.html
IDS Market Forecast (I)
Source: IDC, 2001
IDS Market Forecast (II)
Source: IDC, 2001
When Firewall Meets IDS
IDS: a security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near-real-time warning of, attempts to access system resources in an unauthorized manner.
• Validates the firewall configuration
• Detects attacks that the firewall allows to pass through (such as attacks against web servers)
• Catches insider hacking
Firewall: a gateway that restricts data communication traffic to and from one of the connected networks (the one said to be "inside" the firewall) and thus protects that network's system resources against threats from the other network (the one said to be "outside" the firewall).
• Access control
• NAT
• Prevents the attacks
NIDS Deployments
Sensor connection modes: tap, SPAN (mirror) port, port clustering, in-line
Sensor locations (figure: Internet, external firewall, DMZ, network backbones, critical subnets):
1. Outside the external firewall: see all outside attacks, to help forensic analysis
2. Inside the external firewall, on the DMZ: identify DMZ-related attacks; spot outside attacks that penetrate the network's perimeter; avoid outside attacks on the IDS itself; highlight external-firewall policy/performance problems; pinpoint compromised servers via their outgoing traffic
3. On the network backbones: increase the chance of recognizing attacks; detect attacks from insiders or authorized users within the security perimeter
4. On critical subnets: observe attacks on critical systems and resources; a cost-effective solution
IDS Balancer
Figure: Internet, Gigabit SX fiber tap, IDS balancer distributing the tapped traffic to several sensors, internal network.
• Products: TopLayer IDS Balancer, Radware FireProof
• Benefits: availability, scalability, ROI, cost-effective (reduce sensors while increasing intrusion coverage)
Detection Engine Analysis
• Simple pattern matching
• Stateful signatures
• Protocol anomalies
• Traffic anomalies
• Backdoor detection
String Matching Weaknesses
• Whisker evasion modes:
– URL encoding
– /./ directory insertion
– Premature URL ending
– Long URL
– Fake parameter
– TAB separation (does not work against NT/IIS)
– Case sensitivity
– Windows delimiter
– Session splicing (slow)
– NULL method
• Polymorphic mutation
• Fragmentation: overlap, overwrite, time-out
• Denial of service
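Why several of the Whisker modes above defeat simple pattern matching, and what canonicalisation buys back, as an added example that is not from the slides or from Whisker itself: `naive_match` models a signature engine that splits the request line on spaces, inspects only the first 256 bytes of the URI and searches for a literal string; `normalized_match` decodes, collapses and (for IIS targets) case-folds the path first. The CGI name /cgi-bin/vuln.cgi, the 256-byte inspection depth and the request lines are constructed.

```python
"""Whisker-style URI evasions against naive string matching (added example)."""
import posixpath
from urllib.parse import unquote

SIGNATURE = "/cgi-bin/vuln.cgi"   # constructed signature string
INSPECT_DEPTH = 256                # bytes of URI a depth-limited engine looks at


def naive_match(request_line):
    """Split on spaces, look at the first bytes of the URI, literal substring search."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return False
    return SIGNATURE in parts[1][:INSPECT_DEPTH]


def normalize_uri(uri, windows=False):
    """Canonicalise the path the way the target web server will interpret it."""
    path = uri.split("?", 1)[0]
    path = unquote(path)                 # %63 -> c
    if windows:                          # IIS: backslash is a separator, names are case-insensitive
        path = path.replace("\\", "/").lower()
    return posixpath.normpath(path)      # collapses /./ and /junk/../


def normalized_match(request_line, windows=False):
    parts = request_line.split()         # any whitespace, tabs included
    if len(parts) < 2:
        return False
    return SIGNATURE in normalize_uri(parts[1], windows)


# Constructed request lines, one per evasion mode; the flag says whether the
# target is assumed to be IIS (case-insensitive, backslash accepted).
EVASIONS = {
    "url encoding": ("GET /%63gi-bin/vuln.cgi HTTP/1.0", False),
    "/./ directory insertion": ("GET /cgi-bin/./vuln.cgi HTTP/1.0", False),
    "long url": ("GET /" + "a" * 4096 + "/../cgi-bin/vuln.cgi HTTP/1.0", False),
    "tab separation": ("GET\t/cgi-bin/vuln.cgi\tHTTP/1.0", False),
    "case sensitivity (IIS)": ("GET /CGI-BIN/VULN.CGI HTTP/1.0", True),
    "windows delimiter (IIS)": ("GET /cgi-bin\\vuln.cgi HTTP/1.0", True),
}


def evaluate():
    """For each evasion: (naive engine matched?, normalizing engine matched?)."""
    return {name: (naive_match(line), normalized_match(line, windows))
            for name, (line, windows) in EVASIONS.items()}


if __name__ == "__main__":
    for name, (naive, normalized) in evaluate().items():
        print(f"{name:28s} naive={naive!s:5s} normalized={normalized}")
```

Normalisation does nothing for the remaining modes: premature URL ending and session splicing need the sensor to reassemble the request from the TCP stream before matching, and decoding must mimic the target exactly (IIS once decoded twice, so a sensor that decodes once still misses double-encoded paths).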
The Detection Results
• True positive: an attack that is detected
• True negative: benign traffic that is left alone
• False negative: an attack that is missed; causes include the wire-speed performance limit, mis-configuration, a poor detection engine and IDS evasion
• False positive: benign traffic flagged as an attack; it annoys the analyst, "cries wolf" and has to be reduced by tuning; and can prevention be trusted on such alerts?
IDS Responses After Detection
Active responses:
• Take action against the intruder: retaliation, "information warfare"
• Change the environment: reconfigure routers/firewalls (e.g., via FW-1 OPSEC) to block packets based on IP address, network ports, protocols or services; inject TCP reset packets
• Collect additional information
Passive responses:
• Alarms/notifications
• SNMP integration: generate SNMP traps; support an SNMP manager (e.g., HP OpenView) and MIB (e.g., the iss.mib trap)
Source: NIST
Intrusion Detection Working Group (IETF IDWG):
• IDMEF (Intrusion Detection Message Exchange Format): XML-based alert format among IDS components
• IDXP (Intrusion Detection Exchange Protocol): communication protocol for exchanging IDMEF messages
Check Point Open Platform for Secure Enterprise Connectivity (OPSEC)
TCP/UDP port | Name | Short description
18181/tcp | FW1_cvp | Check Point OPSEC Content Vectoring Protocol: communication between the firewall module (FWM) and an anti-virus server
18182/tcp | FW1_ufp | Check Point OPSEC URL Filtering Protocol: communication between FWM and a content-control server (e.g., web content)
18183/tcp | FW1_sam | Check Point OPSEC Suspicious Activity Monitor API: e.g., "block intruder" between the management module (MM) and FWM
18184/tcp | FW1_lea | Check Point OPSEC Log Export API: exporting logs from MM
18185/tcp | FW1_omi | Check Point OPSEC Objects Management Interface: used by applications having access to the ruleset saved at MM
18187/tcp | FW1_ela | Check Point Event Logging API: used by applications delivering logs to MM
18207/tcp | FW1_pslogon | Check Point Policy Server Logon protocol: download of Desktop Security policy from the Policy Server (PS) to SecureClient (SCl)
NFR and RealSecure support FW1_sam and FW1_ela
NIDS Market Predictions: Head to Head
• "IDS is dead, long live IPS"
• The intrusion detection market jumped 29.2 per cent year on year (the firewall/virtual private network security appliance market increased 7.5 per cent).
• In contrast to statements that intrusion detection software is dead, the growth in intrusion detection appliances shows that many organizations still see value in monitoring their networks.
• Could reach $2 billion in 2005, up from $486 million in 2000.
• The IDS market will grow 43 per cent to $149m by 2004; IDS revenue will hit $1.1bn by 2006.
http://www.vnunet.com/News/1143747
http://www.ipa.go.jp/security/fy11/report/contents/intrusion/ids-meeting/idsbg.pdf
Figure: IPS revenue vs IDS revenue, 2002 to 2005 (y-axis 0 to 1000, US$ millions); bar values as extracted, unassigned: 571, 70, 634, 327, 491, 688, 230.
• By end of 2003, 90% of IDS deployments will fail when false positives are not reduced by 50%.
• By year end 2004, advances in non-signature based intrusion detection technology will enable network-based intrusion prevention to replace 50% of established IDS deployments and capture 75% of new deployments.
Gateway IDS (GIDS) and Host Intrusion Prevention (HIP)
Host intrusion prevention:
Company | Website
Entercept Security Technologies | www.entercept.com
Harris STAT Neutralizer | www.statonline.com
Okena StormWatch and StormFront | www.okena.com
Sana Security | www.sanasecurity.com
Linux IDS | www.lids.org
Acquisitions: OneSecure by NetScreen; Okena by Cisco; Entercept and IntruVert by Network Associates
Drawbacks: may inadvertently block legitimate traffic; ineffective against denial-of-service attacks
Gateway IDS:
Company | Website
Captus Networks | www.captusnetworks.com
Cisco Systems IDS | www.cisco.com
ForeScout ActiveScout | www.forescout.com
RealSecure Network Protection | www.iss.net
IntruVert Networks | www.intruvert.com
NetScreen Technologies IDP | www.netscreen.com
Snort Hogwash | http://hogwash.sourceforge.net
TippingPoint Technologies UnityOne | www.tippingpoint.com
http://www.cio.com/archive/061503/et_article.html