강의자료-7장(3)
-
Upload
sandra4211 -
Category
Documents
-
view
451 -
download
1
description
Transcript of 강의자료-7장(3)
1
7.4 Firewalls7.4 Firewalls
A device that filters all traffic between inside network and outside network
Purpose protect a private network against intrusion
prevent unnoticed and unauthorized export of proprietary information.
2
FirewallsFirewallsJohn Mitchell
Credit: some text, illustrations from Simon Cooper
May 20, 2004
3
Basic Firewall ConceptBasic Firewall Concept
Separate local area net from internet
Router
Firewall
All packets between LAN and internet routed through firewall
4
Why firewalls?Why firewalls?Need to exchange information
Education, business, recreation, social and political
AttacksDrawbacks; unsolicited attention and bugs
Program bugsAll programs contain bugs
Larger programs contain more bugs!
Network protocols contain;Design weaknesses (SSH CRC)
Implementation flaws (SSL, NTP, FTP, SMTP...)
Careful (defensive) programming & protocol design is hard
5
Firewall goalsFirewall goals
What is a firewall ?Logically
A separator, a restrictor and an analyzer
Rarely a single physical object!Any place where internal and external data can meet
Can be distributed (although this is not common now)
Castle & Moat AnalogyRestricts access from the outside
Prevents attackers from getting too close
Restricts people from leaving <- Important!!
6
Firewall Design & Architecture IssuesFirewall Design & Architecture Issues
Least privilege
Defense in depth (very important)
Choke point
Weakest links
Fail-safe stance
Universal participation
Diversity of defense
Simplicity
7
Two Separable TopicsTwo Separable TopicsArrangement of firewall and routers
Several different configurationsSeparate internal LAN from external InternetWall off subnetwork within an organization
Test networks, financial records, secret projects
Intermediate zone for web server, etc.
Personal firewall on end-user machine
How does the firewall process dataPacket filtering routerApplication-level gateway
Proxy for protocols such as ftp, smtp, http, etc.
Circuit-level gatewayPersonal firewall also knows which application
E.g., disallow telnet connection from email client
8
Firewall Design DecisionsFirewall Design Decisions
Two fundamental philosophiesnot expressly permitted is prohibited.
Block everything, and allow services on a case-by-case basis.
This approach is the easiest from an administrator's point of view
It provides a more "fail-safe" stance and does not demand that the administrator possess exceptional skills.
9
Firewall Design DecisionsFirewall Design Decisions
not expressly prohibited is permittedAlthough this offers the user the greatest flexibility, it often pits the user against the administrator.
This approach requires that the administrator anticipate what users will do and requires considerable skill in auditing and maintaining the overall security of the network.
From a security standpoint, this approach is an administrator's nightmare.
10
Design of FirewallsDesign of Firewalls
Firewall is a special form of a reference monitor.
always invoked
tamperproof
small and simple enough for rigorous analysis
11
TCP Protocol StackTCP Protocol Stack
Application
Transport
Network
Link
Application protocol
TCP, UDP protocol
IP protocol
Data
Link
IP
Network Access
IP protocol
Data
Link
Application
Transport
Network
Link
Transport layer provides ports, logical channels identified by number
12
Data FormatsData Formats
Application
Transport (TCP, UDP)
Network (IP)
Link Layer
Application message - data
TCP data TCP data TCP data
TCP Header
dataTCPIP
IP Header
dataTCPIPETH ETF
Link (Ethernet) Header
Link (Ethernet) Trailer
segment
packet
frame
message
13
Types of FirewallsTypes of Firewalls
Packet-Filtering Gateway
Stateful inspection firewalls
Bastion host(application proxies)
guards
personal firewalls
14
Types of FirewallsTypes of Firewalls
Packet-Filtering GatewaySimplest, most effective
Controls access to packets based on packet address or specific transport protocol type
15
Types of FirewallsTypes of Firewalls
16
Packet FilteringPacket Filtering
Uses transport-layer information onlyIP Source Address, Destination AddressProtocol/Next Header (TCP, UDP, ICMP, etc)TCP or UDP source & destination portsTCP Flags (SYN, ACK, FIN, RST, PSH, etc)ICMP message type
ExamplesDNS uses port 53
No incoming port 53 packets except known trusted servers
IssuesStateful filteringEncapsulation: address translation, … Fragmentation
17
Types of FirewallsTypes of Firewalls
18
Types of FirewallsTypes of Firewalls
19
Screening router for packet filteringScreening router for packet filtering
20
Packet filtering examplesPacket filtering examples
21
Port numberingPort numbering
TCP connection Server port is number less than 1024 Client port is number between 1024 and 16383
Permanent assignmentPorts <1024 assigned permanently
20,21 for FTP 23 for Telnet25 for server SMTP 80 for HTTP
Variable usePorts >1024 must be available for client to make any connectionThis presents a limitation for stateless packet filtering
If client wants to use port 2048, firewall must allow incoming traffic on this port
Better: stateful filtering knows outgoing requests
22
Filtering Example: Inbound SMTPFiltering Example: Inbound SMTP
23
Filtering Example: Outbound SMTPFiltering Example: Outbound SMTP
24
Types of FirewallsTypes of Firewalls
Stateful Inspection FirewallMaintain state information from one packet to another in the input stream
Track the sequence of packets and conditions from one packet to another
detect attackers who break an attack into multiple packets
25
Stateful or Dynamic Packet FilteringStateful or Dynamic Packet Filtering
26
TelnetTelnet
“PORT 1234”
“ACK”
Telnet ClientTelnet Server
23 1234
Client opens channel to server; tells server its port number. The ACK bit is not set while establishing the connection but will be set on the remaining packets Server acknowledges
27
FTP ClientFTP Server
“PORT 5151”
“OK”
DATA CHANNEL
TCP ACK
20Data
21Command 5150 5151
Client opens command channel to server; tells server second port number
Server acknowledges
Server opens data channel to client’s second port
Client acknowledges
FTPFTP
28
Network Address Translation (NAT)Network Address Translation (NAT)Port & Address Translation (PAT)Port & Address Translation (PAT)
29
Normal FragmentationNormal Fragmentation
30
Abnormal FragmentationAbnormal Fragmentation
31
Types of FirewallsTypes of Firewalls
Bastion host (Application proxy)Simulate the effects of application
Application will receive only requests that act properly
Two-headed piece of softwareInside : as if it were the outside connection
Outside : it respond as the insider would
32
Application-level proxiesApplication-level proxies
Use “bastion host”Computer running protocol stack
Enforce policy for specific protocolsE.g., Virus scanning for SMTP
Need to understand MIME, encoding, Zip archives
33
Bastion HostBastion Host
A secured systemWill interact/accepts data from the Internet
Disable all non-required services; keep it simple
Install/modify services you want
Run security audit to establish baseline
Connect system to network <- important
Be prepared for the system to be compromised
34
Types of FirewallsTypes of Firewalls
35
Dual Homed Host ArchitectureDual Homed Host Architecture
36
Screened Host ArchitectureScreened Host Architecture
37
Screened Subnet Using Two RoutersScreened Subnet Using Two Routers
38
Source/Destination Address ForgerySource/Destination Address Forgery
39
Firewall mechanismFirewall mechanism
Firewall runs set of proxy programsProxies filter incoming, outgoing packets
All incoming traffic directed to firewall
All outgoing traffic appears to come from firewall
Policy embedded in proxy programs
Two kinds of proxiesApplication-level proxies
Tailored to http, ftp, smtp, etc.
Circuit-level proxiesDecisions based on header information
40
Proxies Proxies
Application level: dedicated proxy (HTTP)
Circuit level: generic proxySOCKS
WinSock – almost generic proxy for Microsoft
Some protocols are natural to proxySMTP (E-Mail)
NNTP (Net news)
DNS (Domain Name System)
NTP (Network Time Protocol)
41
Firewall architectureFirewall architecture
Daemon spawns proxy when communication detected …
Network Connection
Telnet daemon
SMTP daemon
FTP daemon
Telnet
proxy
FTP proxy SMTP
proxy
42
A Complex Firewall SetupA Complex Firewall Setup
43
Web server, database on perimeter networkWeb server, database on perimeter network
44
Web server, database on internal networkWeb server, database on internal network
Not a good idea !!!
45
Types of Firewalls : GuardsTypes of Firewalls : Guards
Guards are distinguished from firewalls in following ways
Guards have an application filtering capability that is much stronger than a typical firewall. Guards interprets protocol data units.Guards software is generally developed to meet higher assurance requirements.Guards undergo a much more extensive test and evaluation.
46
Personal FirewallsPersonal Firewalls
Application program runs on a PC to block unwanted traffic
Complement conventional firewall by screening the kind of data a single host will accept
Compensate for the lack of a regular firewall as in a private DSL or cable modem connection.
47
Comparison of Firewall TypeComparison of Firewall Type
48
Configuration issuesConfiguration issues
49
Example Firewall ConfigurationExample Firewall Configuration
50
Example Firewall ConfigurationExample Firewall Configuration
51
Example Firewall ConfigurationExample Firewall Configuration
52
SolsoftSolsoft
53
SecurifySecurify
54
What Firewalls Can and Can’t BlockWhat Firewalls Can and Can’t Block
Firewall is effective only if there are no connections through the perimeter that are not mediated by the firewall.Firewalls do not protect data outside the perimeter. Firewalls are the most visible part of an installation to the outside.Firewalls must be correctly configured, and firewall activity reports must be reviewed periodically for evidence of attempted or successful intrusion.Firewalls are targets for penetrators. Designers intentionally keep a firewall small and simple.Firewalls exercise only minor control over the content admitted to the inside.
55
Problems with FirewallsProblems with Firewalls
They interfere with the Internet
They don't solve the real problemsBuggy software
Bad protocols
Generally cannot prevent Denial of Service
Firewalls do not prevent insider attacks
Are becoming more complicated
Many commercial firewalls permit very, very complex configurations
56
Reference 1Reference 1
Elizabeth D. ZwickySimon Cooper
D. Brent Chapman
57
Reference 2Reference 2
William R CheswickSteven M Bellovin
Aviel D Rubin
58
Intrusion DetectionIntrusion Detection
John Mitchell
59
7.5 7.5 침입탐지시스템침입탐지시스템 (IDS)(IDS)
Intrusion detection system (IDS) is a device that monitors activity to identify malicious or suspicious events.
60
Method of last resortMethod of last resort
Intrusion preventionNetwork firewall
Restrict flow of packets
System securityFind buffer overflow vulnerabilities and remove them!
Intrusion detectionDiscover system modifications
Tripwire
Look for attack in progressNetwork traffic patterns
System calls, other system events
61
IDSIDS
62
IDSIDS
IDS perform a variety of functionsMonitoring users and system activity
Auditing system configuration for vulnerabilities and misconfigurations
Assessing the integrity of critical system and data files
Recognizing known attack patterns in system activity
Identifying abnormal activity through statistical Analysis
Managing audit trails and highlighting users violating policy or normal activity
Correcting system configuration errors
Installing and operating traps to record information about intruders
63
TripwireTripwire
What is Tripwire software?A software tool that checks to see what has changed on your system.
The program monitors key attributes of files that should not change, including binary signature, size, expected change of size, etc.
What is Tripwire used for?Tripwire is originally known as an intrusion detection tool, but can be used for many other purposes such as integrity assurance, change management, policy compliance and more.
64
TripwireTripwire
Outline of standard attackGain user access to system
Gain root access
Replace system binaries to set up backdoor
Use backdoor for future activities
Tripwire detection point: system binariesCompute hash of key system binaries
Compare current hash to hash stored earlier
Report problem if hash is different
Store reference hash codes on read-only medium
65
Is Tripwire too late?Is Tripwire too late?
Typical attack on serverGain accessInstall backdoor
This can be in memory, not on disk!!Use it
TripwireIs a good ideaWon’t catch attacks that don’t change system filesDetects a compromise that has happened
Remember: Defense in depth
66
Detect modified binary in memory?Detect modified binary in memory?
Can use system-call monitoring techniquesFor example [Wagner, Dean IEEE S&P ’01]
Build automaton of expected system callsCan be done automatically from source code
Monitor system calls from each program
Catch violation
Results so far: lots better than not using source code!
67
Example code and automatonExample code and automaton
Entry(f)Entry(g)
Exit(f)Exit(g)
open()
close()
exit()
getuid() geteuid()
f(int x) { x ? getuid() : geteuid(); x++}g() { fd = open("foo", O_RDONLY); f(0); close(fd); f(1); exit(0);}
If code behavior is inconsistent with automaton, something is wrong
68
General intrusion detectionGeneral intrusion detection
Many intrusion detection systemsClose to 100 systems with current web pages
Network-based, host-based, or combination
Two basic modelsMisuse detection model (Signature based)
Maintain data on known attacks
Look for activity with corresponding signatures
Anomaly detection model (Heuristic)Try to figure out what is “normal”
Report anomalous behavior
Fundamental problem: too many false alarms
http://www.snort.org/
69
Types of IDSTypes of IDS
Signature-Based Intrusion Detectionsimple pattern matching and report situations that match a pattern corresponding to a known attack type.
ProblemAn attacker will try to modify a basic attack such that it will not match the known signature of that attack.
cannot detect a new attack, one for which there is no signature installed yet in the IDS database.
70
Types of IDSTypes of IDS
Heuristic Intrusion Detectionbuild a model of acceptable behavior and flag exceptions to that model
The technique compares real activity with a known representation of normality.
misuse intrusion detectionthe real activity is compared against a known suspicious area.
Detection activity is classified in one of three categories
good/benign, suspicious, or unknown.
71
Types of IDSTypes of IDS
Stealth Modemost IDS run in stealth mode,
IDS has two network interfacesthe network (or network segment) being monitored
the other to generate alerts and perhaps other administrative needs
72
Types of IDSTypes of IDS
73
Types of IDSTypes of IDS
Other IDS TypesTripwire program
ISS Scanner or Nessus
honeypot
74
Misuse example - rootkitMisuse example - rootkit
Rootkit sniffs network for passwordsCollection of programs that allow attacker to install and operate a packet sniffer (on Unix machines)
Emerged in 1994, has evolved since then
1994 estimate: 100,000 systems compromised
Rootkit attackUse stolen password or dictionary attack to get user access
Get root access using vulnerabilities in rdist, sendmail, /bin/mail, loadmodule, rpc.ypupdated, lpr, or passwd
Ftp Rootkit to the host, unpack, compile, and install it
Collect more username/password pairs and move on
75
Rootkit covers its tracksRootkit covers its tracks
Modifies netstat, ps, ls, du, ifconfig, loginModified binaries hide new files used by rootkit
Modified login allows attacker to return for passwords
Rootkit fools simple Tripwire checksumModified binaries have same checksum
But a better hash would be able to detect rootkit
76
Detecting rootkit on systemDetecting rootkit on system
Sad way to find outDisk is full of sniffer logs
Manual confirmationReinstall clean ps and see what processes are running
Automatic detectionRootkit does not alter the data structures normally used by netstat, ps, ls, du, ifconfigHost-based intrusion detection can find rootkit files
As long as an update version of Rootkit does not disable your intrusion detection system …
77
Detecting network attack Detecting network attack (Sept 2003)(Sept 2003)
Symantec honeypot running Red Hat Linux 9
AttackSamba ‘call_trans2open’ Remote Buffer Overflow (BID 7294)
Attacker installed a copy of the SHV4 Rootkit
Snort NIDS generated alerts, from this signaturealert tcp $EXTERNAL_NET any -> $HOME_NET 139 \
(msg:"NETBIOS SMB trans2open buffer overflow attempt"; \
flow:to_server,established; \
content:"|00|"; offset:0; depth:1; \
content:"|ff|SMB|32|"; offset:4; depth:5;
content:"|00 14|"; offset:60; depth:2; \
…More info: https://tms.symantec.com/members/
AnalystReports/030929-Analysis-SHV4Rootkit.pdf
78
Misuse example - port sweepMisuse example - port sweep
Attacks can be OS specificBugs in specific implementations
Oversights in default configuration
Attacker sweeps net to find vulnerabilitiesPort sweep tries many ports on many IP addresses
If characteristic behavior detected, mount attackSGI IRIX responds TCPMUX port (TCP port 1)
If machine responds, SGI IRIX vulnerabilities can be tested and used to break in
Port sweep activity can be detected
79
Anomaly DetectionAnomaly Detection
Basic ideaMonitor network traffic, system calls
Compute statistical properties
Report errors if statistics outside established range
Example – IDES (Denning, SRI)For each user, store daily count of certain activities
E.g., Fraction of hours spent reading email
Maintain list of counts for several days
Report anomaly if count is outside weighted norm
Big problem: most unpredictable user is the most important
80
Anomaly – sys call sequencesAnomaly – sys call sequences
Build traces during normal run of programExample program behavior (sys calls)
open read write open mmap write fchmod close
Sample traces stored in file (4-call sequences)open read write open
read write open mmap
write open mmap write
open mmap write fchmod
mmap write fchmod close
Report anomaly if following sequence observedopen read read open mmap write fchmod close
Compute # of mismatches to get mismatch rate
[Hofmeyr, Somayaji, Forrest]
81
Difficulties in intrusion detectionDifficulties in intrusion detection
Lack of training dataLots of “normal” network, system call dataLittle data containing realistic attacks, anomalies
Data driftStatistical methods detect changes in behaviorAttacker can attack gradually and incrementally
Main characteristics not well understoodBy many measures, attack may be within bounds of “normal” range of activities
False identifications are very costlySys Admin spend many hours examining evidence
82
Response to intrusion?Response to intrusion?
Ideally,Identify attack (possible if misuse, hard if anomaly)
Limit damage, stop attack, block further attacks
Restore system, identify and prosecute attacker
Cliff StollDetected attacker at Lawrence Berkeley
Created large file with nuclear weapons keywords
Traced international phone call during download
83
Goal for Goal for IDSIDSfast, simple, and accurate, being completeDesign approach
Filter on packet headersFilter on packet contentMaintain connection stateUse complex, multipacket signaturesUse minimal number of signatures with maximum effectFilter in real time, on lineHide its presenceUse optimal sliding time window size to match signatures
84
Goal forGoal for IDSIDS
Responding to Alarmsresponses fall into three major categories
Monitor, collect data, perhaps increase amount of data collected
Protect, act to reduce exposure
Call a human
False Resultsfalse positive or type I error : raising an alarm for something that is not really an attack
false negative or type II error : not raising an alarm for a real attack
85
IDS Strengths and LimitationsIDS Strengths and Limitations
StrengthsIDS detect an ever-growing number of serious problems.
LimitationsAvoiding an IDS is a first priority for successful attackers.
Sensitivity : difficult to measure and adjust.
IDS does not run itself.
86
Strategic Intrusion Assessment Strategic Intrusion Assessment [Lunt][Lunt]
International/Allied Reporting Centers
National Reporting Centers
DoD Reporting CentersRegional Reporting
Centers (CERTs)
Organizational Security Centers
Local Intrusion Detectors
www.blackhat.com/presentations/bh-usa-99/teresa-lunt/tutorial.ppt
87
Strategic Intrusion Assessment Strategic Intrusion Assessment [Lunt][Lunt]
Test over two-week period AFIWC’s intrusion detectors at 100 AFBs alarmed on 2 million sessionsManual review identified 12,000 suspicious eventsFurther manual review => four actual incidents
* AFIWC:Air Force Warfare Information Center
ConclusionMost alarms are false positivesMost true positives are trivial incidentsOf the significant incidents, most are isolated attacks to be dealt with locally
88
7.6 Secure E-mail7.6 Secure E-mail
Security Threats for E-mailmessage interception (confidentiality)message interception (blocked delivery)message interception and subsequent replaymessage content modificationmessage origin modificationmessage content forgery by outsidermessage origin forgery by outsidermessage content forgery by recipientmessage origin forgery by recipientdenial of message transmission
89
Secure E-mailSecure E-mail
Requirements for Secure E-mailmessage confidentiality
the message is not exposed en route to the receiver
message integrity what the receiver sees is what was sent
sender authenticitythe receiver is confident who the sender was
Nonrepudiationthe sender cannot deny having sent the message
90
Encrypted E-mailEncrypted E-mail
91
Encrypted E-mailEncrypted E-mail
92
Encrypted E-mailEncrypted E-mail
93
Example of Secure E-mail SystemsExample of Secure E-mail Systems
PGP – Pretty Good PrivacyProcess
Create a random session key for a symmetric algorithm.
Encrypt the message using the session key (for message confidentiality).
Encrypt the session key under the recipient’s public key.
Generate a message digest or hash of the message; sign the hash by encrypting it with the sender’s private key (for message integrity and authenticity).
Attach the encrypted session key to the encrypted message and digest.
Transmit the message to the recipient.
94
Example of Secure E-mail SystemsExample of Secure E-mail Systems
S/MIMEInternet standard for secure e-mail attachmentS/MIME is very much like PGP.Difference of S/MIME and PGP : method of key exchange.
S/MIME uses hierarchically validated certificates, usually represented in X.509 format, for key exchange.it is not necessary for sender and recipient to have exchanged keys in advance, as long as they have a common certifier they both trust.
works with a variety of cryptographic algorithms DES, AES, and RC2 for symmetric encryption.