강의자료-7장(3)

1

7.4 Firewalls7.4 Firewalls

A device that filters all traffic between inside network and outside network

Purpose protect a private network against intrusion

prevent unnoticed and unauthorized export of proprietary information.

2

FirewallsFirewallsJohn Mitchell

Credit: some text, illustrations from Simon Cooper

May 20, 2004

3

Basic Firewall ConceptBasic Firewall Concept

Separate local area net from internet

Router

Firewall

All packets between LAN and internet routed through firewall

4

Why firewalls?Why firewalls?Need to exchange information

Education, business, recreation, social and political

AttacksDrawbacks; unsolicited attention and bugs

Program bugsAll programs contain bugs

Larger programs contain more bugs!

Network protocols contain;Design weaknesses (SSH CRC)

Implementation flaws (SSL, NTP, FTP, SMTP...)

Careful (defensive) programming & protocol design is hard

5

Firewall goalsFirewall goals

What is a firewall ?Logically

A separator, a restrictor and an analyzer

Rarely a single physical object!Any place where internal and external data can meet

Can be distributed (although this is not common now)

Castle & Moat AnalogyRestricts access from the outside

Prevents attackers from getting too close

Restricts people from leaving <- Important!!

6

Firewall Design & Architecture IssuesFirewall Design & Architecture Issues

Least privilege

Defense in depth (very important)

Choke point

Weakest links

Fail-safe stance

Universal participation

Diversity of defense

Simplicity

7

Two Separable TopicsTwo Separable TopicsArrangement of firewall and routers

Several different configurationsSeparate internal LAN from external InternetWall off subnetwork within an organization

Test networks, financial records, secret projects

Intermediate zone for web server, etc.

Personal firewall on end-user machine

How does the firewall process dataPacket filtering routerApplication-level gateway

Proxy for protocols such as ftp, smtp, http, etc.

Circuit-level gatewayPersonal firewall also knows which application

E.g., disallow telnet connection from email client

8

Firewall Design DecisionsFirewall Design Decisions

Two fundamental philosophiesnot expressly permitted is prohibited.

Block everything, and allow services on a case-by-case basis.

This approach is the easiest from an administrator's point of view

It provides a more "fail-safe" stance and does not demand that the administrator possess exceptional skills.

9

Firewall Design DecisionsFirewall Design Decisions

not expressly prohibited is permittedAlthough this offers the user the greatest flexibility, it often pits the user against the administrator.

This approach requires that the administrator anticipate what users will do and requires considerable skill in auditing and maintaining the overall security of the network.

From a security standpoint, this approach is an administrator's nightmare.

10

Design of FirewallsDesign of Firewalls

Firewall is a special form of a reference monitor.

always invoked

tamperproof

small and simple enough for rigorous analysis

11

TCP Protocol StackTCP Protocol Stack

Application

Transport

Network

Link

Application protocol

TCP, UDP protocol

IP protocol

Data

Link

IP

Network Access

IP protocol

Data

Link

Application

Transport

Network

Link

Transport layer provides ports, logical channels identified by number

12

Data FormatsData Formats

Application

Transport (TCP, UDP)

Network (IP)

Link Layer

Application message - data

TCP data TCP data TCP data

TCP Header

dataTCPIP

IP Header

dataTCPIPETH ETF

Link (Ethernet) Header

Link (Ethernet) Trailer

segment

packet

frame

message

13

Types of FirewallsTypes of Firewalls

Packet-Filtering Gateway

Stateful inspection firewalls

Bastion host(application proxies)

guards

personal firewalls

14


Packet-Filtering GatewaySimplest, most effective

Controls access to packets based on packet address or specific transport protocol type

15


16

Packet FilteringPacket Filtering

Uses transport-layer information onlyIP Source Address, Destination AddressProtocol/Next Header (TCP, UDP, ICMP, etc)TCP or UDP source & destination portsTCP Flags (SYN, ACK, FIN, RST, PSH, etc)ICMP message type

ExamplesDNS uses port 53

No incoming port 53 packets except known trusted servers

IssuesStateful filteringEncapsulation: address translation, … Fragmentation

17


18


19

Screening router for packet filteringScreening router for packet filtering

20

Packet filtering examplesPacket filtering examples

21

Port numberingPort numbering

TCP connection Server port is number less than 1024 Client port is number between 1024 and 16383

Permanent assignmentPorts <1024 assigned permanently

20,21 for FTP 23 for Telnet25 for server SMTP 80 for HTTP

Variable usePorts >1024 must be available for client to make any connectionThis presents a limitation for stateless packet filtering

If client wants to use port 2048, firewall must allow incoming traffic on this port

Better: stateful filtering knows outgoing requests

22

Filtering Example: Inbound SMTPFiltering Example: Inbound SMTP

23

Filtering Example: Outbound SMTPFiltering Example: Outbound SMTP

24


Stateful Inspection FirewallMaintain state information from one packet to another in the input stream

Track the sequence of packets and conditions from one packet to another

detect attackers who break an attack into multiple packets

25

Stateful or Dynamic Packet FilteringStateful or Dynamic Packet Filtering

26

TelnetTelnet

“PORT 1234”

“ACK”

Telnet ClientTelnet Server

23 1234

Client opens channel to server; tells server its port number. The ACK bit is not set while establishing the connection but will be set on the remaining packets Server acknowledges

27

FTP ClientFTP Server

“PORT 5151”

“OK”

DATA CHANNEL

TCP ACK

20Data

21Command 5150 5151

Client opens command channel to server; tells server second port number

Server acknowledges

Server opens data channel to client’s second port

Client acknowledges

FTPFTP

28

Network Address Translation (NAT)Network Address Translation (NAT)Port & Address Translation (PAT)Port & Address Translation (PAT)

29

Normal FragmentationNormal Fragmentation

30

Abnormal FragmentationAbnormal Fragmentation

31


Bastion host (Application proxy)Simulate the effects of application

Application will receive only requests that act properly

Two-headed piece of softwareInside : as if it were the outside connection

Outside : it respond as the insider would

32

Application-level proxiesApplication-level proxies

Use “bastion host”Computer running protocol stack

Enforce policy for specific protocolsE.g., Virus scanning for SMTP

Need to understand MIME, encoding, Zip archives

33

Bastion HostBastion Host

A secured systemWill interact/accepts data from the Internet

Disable all non-required services; keep it simple

Install/modify services you want

Run security audit to establish baseline

Connect system to network <- important

Be prepared for the system to be compromised

34


35

Dual Homed Host ArchitectureDual Homed Host Architecture

36

Screened Host ArchitectureScreened Host Architecture

37

Screened Subnet Using Two RoutersScreened Subnet Using Two Routers

38

Source/Destination Address ForgerySource/Destination Address Forgery

39

Firewall mechanismFirewall mechanism

Firewall runs set of proxy programsProxies filter incoming, outgoing packets

All incoming traffic directed to firewall

All outgoing traffic appears to come from firewall

Policy embedded in proxy programs

Two kinds of proxiesApplication-level proxies

Tailored to http, ftp, smtp, etc.

Circuit-level proxiesDecisions based on header information

40

Proxies Proxies

Application level: dedicated proxy (HTTP)

Circuit level: generic proxySOCKS

WinSock – almost generic proxy for Microsoft

Some protocols are natural to proxySMTP (E-Mail)

NNTP (Net news)

DNS (Domain Name System)

NTP (Network Time Protocol)

41

Firewall architectureFirewall architecture

Daemon spawns proxy when communication detected …

Network Connection

Telnet daemon

SMTP daemon

FTP daemon

Telnet

proxy

FTP proxy SMTP

proxy

42

A Complex Firewall SetupA Complex Firewall Setup

43

Web server, database on perimeter networkWeb server, database on perimeter network

44

Web server, database on internal networkWeb server, database on internal network

Not a good idea !!!

45

Types of Firewalls : GuardsTypes of Firewalls : Guards

Guards are distinguished from firewalls in following ways

Guards have an application filtering capability that is much stronger than a typical firewall. Guards interprets protocol data units.Guards software is generally developed to meet higher assurance requirements.Guards undergo a much more extensive test and evaluation.

46

Personal FirewallsPersonal Firewalls

Application program runs on a PC to block unwanted traffic

Complement conventional firewall by screening the kind of data a single host will accept

Compensate for the lack of a regular firewall as in a private DSL or cable modem connection.

47

Comparison of Firewall TypeComparison of Firewall Type

48

Configuration issuesConfiguration issues

49

Example Firewall ConfigurationExample Firewall Configuration

50


51


52

SolsoftSolsoft

53

SecurifySecurify

54

What Firewalls Can and Can’t BlockWhat Firewalls Can and Can’t Block

Firewall is effective only if there are no connections through the perimeter that are not mediated by the firewall.Firewalls do not protect data outside the perimeter. Firewalls are the most visible part of an installation to the outside.Firewalls must be correctly configured, and firewall activity reports must be reviewed periodically for evidence of attempted or successful intrusion.Firewalls are targets for penetrators. Designers intentionally keep a firewall small and simple.Firewalls exercise only minor control over the content admitted to the inside.

55

Problems with FirewallsProblems with Firewalls

They interfere with the Internet

They don't solve the real problemsBuggy software

Bad protocols

Generally cannot prevent Denial of Service

Firewalls do not prevent insider attacks

Are becoming more complicated

Many commercial firewalls permit very, very complex configurations

56

Reference 1Reference 1

Elizabeth D. ZwickySimon Cooper

D. Brent Chapman

57

Reference 2Reference 2

William R CheswickSteven M Bellovin

Aviel D Rubin

58

Intrusion DetectionIntrusion Detection

John Mitchell

59

7.5 7.5 침입탐지시스템침입탐지시스템 (IDS)(IDS)

Intrusion detection system (IDS) is a device that monitors activity to identify malicious or suspicious events.

60

Method of last resortMethod of last resort

Intrusion preventionNetwork firewall

Restrict flow of packets

System securityFind buffer overflow vulnerabilities and remove them!

Intrusion detectionDiscover system modifications

Tripwire

Look for attack in progressNetwork traffic patterns

System calls, other system events

61

IDSIDS

62

IDSIDS

IDS perform a variety of functionsMonitoring users and system activity

Auditing system configuration for vulnerabilities and misconfigurations

Assessing the integrity of critical system and data files

Recognizing known attack patterns in system activity

Identifying abnormal activity through statistical Analysis

Managing audit trails and highlighting users violating policy or normal activity

Correcting system configuration errors

Installing and operating traps to record information about intruders

63

TripwireTripwire

What is Tripwire software?A software tool that checks to see what has changed on your system.

The program monitors key attributes of files that should not change, including binary signature, size, expected change of size, etc.

What is Tripwire used for?Tripwire is originally known as an intrusion detection tool, but can be used for many other purposes such as integrity assurance, change management, policy compliance and more.

64

TripwireTripwire

Outline of standard attackGain user access to system

Gain root access

Replace system binaries to set up backdoor

Use backdoor for future activities

Tripwire detection point: system binariesCompute hash of key system binaries

Compare current hash to hash stored earlier

Report problem if hash is different

Store reference hash codes on read-only medium

65

Is Tripwire too late?Is Tripwire too late?

Typical attack on serverGain accessInstall backdoor

This can be in memory, not on disk!!Use it

TripwireIs a good ideaWon’t catch attacks that don’t change system filesDetects a compromise that has happened

Remember: Defense in depth

66

Detect modified binary in memory?Detect modified binary in memory?

Can use system-call monitoring techniquesFor example [Wagner, Dean IEEE S&P ’01]

Build automaton of expected system callsCan be done automatically from source code

Monitor system calls from each program

Catch violation

Results so far: lots better than not using source code!

67

Example code and automatonExample code and automaton

Entry(f)Entry(g)

Exit(f)Exit(g)

open()

close()

exit()

getuid() geteuid()

f(int x) { x ? getuid() : geteuid(); x++}g() { fd = open("foo", O_RDONLY); f(0); close(fd); f(1); exit(0);}

If code behavior is inconsistent with automaton, something is wrong

68

General intrusion detectionGeneral intrusion detection

Many intrusion detection systemsClose to 100 systems with current web pages

Network-based, host-based, or combination

Two basic modelsMisuse detection model (Signature based)

Maintain data on known attacks

Look for activity with corresponding signatures

Anomaly detection model (Heuristic)Try to figure out what is “normal”

Report anomalous behavior

Fundamental problem: too many false alarms

http://www.snort.org/

69

Types of IDSTypes of IDS

Signature-Based Intrusion Detectionsimple pattern matching and report situations that match a pattern corresponding to a known attack type.

ProblemAn attacker will try to modify a basic attack such that it will not match the known signature of that attack.

cannot detect a new attack, one for which there is no signature installed yet in the IDS database.

70


Heuristic Intrusion Detectionbuild a model of acceptable behavior and flag exceptions to that model

The technique compares real activity with a known representation of normality.

misuse intrusion detectionthe real activity is compared against a known suspicious area.

Detection activity is classified in one of three categories

good/benign, suspicious, or unknown.

71


Stealth Modemost IDS run in stealth mode,

IDS has two network interfacesthe network (or network segment) being monitored

the other to generate alerts and perhaps other administrative needs

72


73


Other IDS TypesTripwire program

ISS Scanner or Nessus

honeypot

74

Misuse example - rootkitMisuse example - rootkit

Rootkit sniffs network for passwordsCollection of programs that allow attacker to install and operate a packet sniffer (on Unix machines)

Emerged in 1994, has evolved since then

1994 estimate: 100,000 systems compromised

Rootkit attackUse stolen password or dictionary attack to get user access

Get root access using vulnerabilities in rdist, sendmail, /bin/mail, loadmodule, rpc.ypupdated, lpr, or passwd

Ftp Rootkit to the host, unpack, compile, and install it

Collect more username/password pairs and move on

75

Rootkit covers its tracksRootkit covers its tracks

Modifies netstat, ps, ls, du, ifconfig, loginModified binaries hide new files used by rootkit

Modified login allows attacker to return for passwords

Rootkit fools simple Tripwire checksumModified binaries have same checksum

But a better hash would be able to detect rootkit

76

Detecting rootkit on systemDetecting rootkit on system

Sad way to find outDisk is full of sniffer logs

Manual confirmationReinstall clean ps and see what processes are running

Automatic detectionRootkit does not alter the data structures normally used by netstat, ps, ls, du, ifconfigHost-based intrusion detection can find rootkit files

As long as an update version of Rootkit does not disable your intrusion detection system …

77

Detecting network attack Detecting network attack (Sept 2003)(Sept 2003)

Symantec honeypot running Red Hat Linux 9

AttackSamba ‘call_trans2open’ Remote Buffer Overflow (BID 7294)

Attacker installed a copy of the SHV4 Rootkit

Snort NIDS generated alerts, from this signaturealert tcp $EXTERNAL_NET any -> $HOME_NET 139 \

(msg:"NETBIOS SMB trans2open buffer overflow attempt"; \

flow:to_server,established; \

content:"|00|"; offset:0; depth:1; \

content:"|ff|SMB|32|"; offset:4; depth:5;

content:"|00 14|"; offset:60; depth:2; \

…More info: https://tms.symantec.com/members/

AnalystReports/030929-Analysis-SHV4Rootkit.pdf

78

Misuse example - port sweepMisuse example - port sweep

Attacks can be OS specificBugs in specific implementations

Oversights in default configuration

Attacker sweeps net to find vulnerabilitiesPort sweep tries many ports on many IP addresses

If characteristic behavior detected, mount attackSGI IRIX responds TCPMUX port (TCP port 1)

If machine responds, SGI IRIX vulnerabilities can be tested and used to break in

Port sweep activity can be detected

79

Anomaly DetectionAnomaly Detection

Basic ideaMonitor network traffic, system calls

Compute statistical properties

Report errors if statistics outside established range

Example – IDES (Denning, SRI)For each user, store daily count of certain activities

E.g., Fraction of hours spent reading email

Maintain list of counts for several days

Report anomaly if count is outside weighted norm

Big problem: most unpredictable user is the most important

80

Anomaly – sys call sequencesAnomaly – sys call sequences

Build traces during normal run of programExample program behavior (sys calls)

open read write open mmap write fchmod close

Sample traces stored in file (4-call sequences)open read write open

read write open mmap

write open mmap write

open mmap write fchmod

mmap write fchmod close

Report anomaly if following sequence observedopen read read open mmap write fchmod close

Compute # of mismatches to get mismatch rate

[Hofmeyr, Somayaji, Forrest]

81

Difficulties in intrusion detectionDifficulties in intrusion detection

Lack of training dataLots of “normal” network, system call dataLittle data containing realistic attacks, anomalies

Data driftStatistical methods detect changes in behaviorAttacker can attack gradually and incrementally

Main characteristics not well understoodBy many measures, attack may be within bounds of “normal” range of activities

False identifications are very costlySys Admin spend many hours examining evidence

82

Response to intrusion?Response to intrusion?

Ideally,Identify attack (possible if misuse, hard if anomaly)

Limit damage, stop attack, block further attacks

Restore system, identify and prosecute attacker

Cliff StollDetected attacker at Lawrence Berkeley

Created large file with nuclear weapons keywords

Traced international phone call during download

83

Goal for Goal for IDSIDSfast, simple, and accurate, being completeDesign approach

Filter on packet headersFilter on packet contentMaintain connection stateUse complex, multipacket signaturesUse minimal number of signatures with maximum effectFilter in real time, on lineHide its presenceUse optimal sliding time window size to match signatures

84

Goal forGoal for IDSIDS

Responding to Alarmsresponses fall into three major categories

Monitor, collect data, perhaps increase amount of data collected

Protect, act to reduce exposure

Call a human

False Resultsfalse positive or type I error : raising an alarm for something that is not really an attack

false negative or type II error : not raising an alarm for a real attack

85

IDS Strengths and LimitationsIDS Strengths and Limitations

StrengthsIDS detect an ever-growing number of serious problems.

LimitationsAvoiding an IDS is a first priority for successful attackers.

Sensitivity : difficult to measure and adjust.

IDS does not run itself.

86

Strategic Intrusion Assessment Strategic Intrusion Assessment [Lunt][Lunt]

International/Allied Reporting Centers

National Reporting Centers

DoD Reporting CentersRegional Reporting

Centers (CERTs)

Organizational Security Centers

Local Intrusion Detectors

www.blackhat.com/presentations/bh-usa-99/teresa-lunt/tutorial.ppt

87

Strategic Intrusion Assessment Strategic Intrusion Assessment [Lunt][Lunt]

Test over two-week period AFIWC’s intrusion detectors at 100 AFBs alarmed on 2 million sessionsManual review identified 12,000 suspicious eventsFurther manual review => four actual incidents

* AFIWC:Air Force Warfare Information Center

ConclusionMost alarms are false positivesMost true positives are trivial incidentsOf the significant incidents, most are isolated attacks to be dealt with locally

88

7.6 Secure E-mail7.6 Secure E-mail

Security Threats for E-mailmessage interception (confidentiality)message interception (blocked delivery)message interception and subsequent replaymessage content modificationmessage origin modificationmessage content forgery by outsidermessage origin forgery by outsidermessage content forgery by recipientmessage origin forgery by recipientdenial of message transmission

89

Secure E-mailSecure E-mail

Requirements for Secure E-mailmessage confidentiality

the message is not exposed en route to the receiver

message integrity what the receiver sees is what was sent

sender authenticitythe receiver is confident who the sender was

Nonrepudiationthe sender cannot deny having sent the message

90

Encrypted E-mailEncrypted E-mail

91


92


93

Example of Secure E-mail SystemsExample of Secure E-mail Systems

PGP – Pretty Good PrivacyProcess

Create a random session key for a symmetric algorithm.

Encrypt the message using the session key (for message confidentiality).

Encrypt the session key under the recipient’s public key.

Generate a message digest or hash of the message; sign the hash by encrypting it with the sender’s private key (for message integrity and authenticity).

Attach the encrypted session key to the encrypted message and digest.

Transmit the message to the recipient.

94

Example of Secure E-mail SystemsExample of Secure E-mail Systems

S/MIMEInternet standard for secure e-mail attachmentS/MIME is very much like PGP.Difference of S/MIME and PGP : method of key exchange.

S/MIME uses hierarchically validated certificates, usually represented in X.509 format, for key exchange.it is not necessary for sender and recipient to have exchanged keys in advance, as long as they have a common certifier they both trust.

works with a variety of cryptographic algorithms DES, AES, and RC2 for symmetric encryption.

강의자료-7장(3)

Documents

Transcript of 강의자료-7장(3)