Intrusion Protection
Mark Shtern

Slides: 27

Protection systems
• Firewalls
• Intrusion detection and protection systems
• Honeypots
• System auditing

Firewall Types
• Network
  – Packet filters
  – Proxy servers
  – Stateful inspection
  – Can be hardware-based or software-based
• Application
  – Packet filters
  – Stateful inspection

Packet filtering Firewalls
• Permit or deny packets based on socket pairs
• Packet filters operate at layer 4 of the OSI model
• Defined packet filters are applied to examine traffic attempting to enter or exit an interface
• Packet filters do not maintain state

Proxy Server Firewalls
• Clients are configured to use a proxy server package
• The proxy server completes client requests on behalf of the requesting clients, if permitted

Proxy Server Types
• Circuit-level proxy servers only understand the socket portion of a request (IP address, port number, and protocol)
• Application-level proxy servers also understand the internal commands for each type of application
  – for example, can recognize FTP commands such as PUT, GET, MPUT, MGET, and so on

Stateful Inspection Firewalls
• Generally permits all outbound sessions initiated by internal clients (unless an ACL imposes restrictions)
  – a state table entry is created for each allowed connection
• Allows return traffic belonging to the same session
• Generally denies all inbound sessions initiated by external clients (unless an ACL allows exceptions)
  – a state table entry is created for each allowed connection

Stateful Inspection Firewalls
• State table entries track:
  – source and destination IP addresses
  – source and destination port numbers
  – protocol
  – TCP sequence numbers and acknowledgment numbers
  – TCP session state
    • SYN Received, SYN-ACK Sent, Established
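The two stateful-inspection slides above describe a policy and a state table; the following toy firewall is an added example (not code from the slides) that puts both together. It assumes 10.1.1.0/24 is the protected internal network and that an inbound ACL is a set of (destination IP, destination port) exceptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.1.1.0/24")   # assumption: the protected "inside" network

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False
    ack: bool = False

class StatefulFirewall:
    """Toy stateful-inspection firewall: a state table keyed by protocol + socket pair."""
    def __init__(self, inbound_acl=()):
        self.inbound_acl = set(inbound_acl)  # (dst_ip, dst_port) exceptions allowed inbound
        self.table = {}                      # key -> TCP session state

    @staticmethod
    def _key(p):
        # Order the two endpoints so return traffic maps onto the same entry
        return (p.proto,) + tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def filter(self, p):
        key = self._key(p)
        if key in self.table:
            # Return traffic of a tracked session: advance the three-way handshake state
            if p.syn and p.ack and self.table[key] == "SYN Received":
                self.table[key] = "SYN-ACK Sent"
            elif p.ack and not p.syn and self.table[key] == "SYN-ACK Sent":
                self.table[key] = "Established"
            return "allow"
        if not p.syn or p.ack:
            return "deny"   # no state and not a session start: unsolicited, drop it
        if ip_address(p.src) in INTERNAL:
            self.table[key] = "SYN Received"   # outbound session initiated by an internal client
            return "allow"
        if (p.dst, p.dport) in self.inbound_acl:
            self.table[key] = "SYN Received"   # inbound session permitted by an ACL exception
            return "allow"
        return "deny"
```

A stateless packet filter would have to open the high client port permanently to let the SYN-ACK back in; the state table lets it in only while the session exists.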

Examples of Firewalls
• Network
  – Firestarter
  – Windows Firewall
• Application
  – Mod_evasive
  – Mod_security_common

Intrusion Detection Systems
• An IDS detects attempts at network intrusion
  – Host-based or network-based sensors collect data for local analysis or for uploading to a centralized analysis engine
  – When an intrusion is detected, a log entry or alert can be generated

Detection methods
• Signature analysis – discernible pattern of a previously seen attack
  – network scans, port scans, malicious payloads
• Statistical anomaly – unusual usage patterns
  – logon at unusual hours, uncharacteristically high usage of a protocol
• Protocol anomaly – an undefined or non-standard use of a protocol
  – IP header Protocol field value greater than 137
  – TCP header Urgent field set to a non-zero value with the URG flag set to zero
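The two protocol-anomaly checks named on the slide, implemented over raw IPv4/TCP header bytes as an added example (not code from the slides). The packet builder constructs sample headers inline rather than reading captured traffic; the 137 threshold is taken as stated on the slide.

```python
import struct

def ipv4_tcp_anomalies(frame: bytes):
    """Return the protocol anomalies found in an IPv4 packet that should carry TCP."""
    findings = []
    if len(frame) < 20:
        return ["truncated IPv4 header"]
    ver_ihl, _, _, _, _, _, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", frame[:20])
    if ver_ihl >> 4 != 4:
        findings.append("IP Version field is not 4")
    if proto > 137:  # threshold as stated on the slide: values above it are not defined uses
        findings.append(f"IP Protocol field {proto} greater than 137")
    if proto != 6:   # only TCP headers are inspected further
        return findings
    ihl = (ver_ihl & 0x0F) * 4
    tcp = frame[ihl:ihl + 20]
    if len(tcp) < 20:
        return findings + ["truncated TCP header"]
    _, _, _, _, off_flags, _, _, urg_ptr = struct.unpack("!HHIIHHHH", tcp)
    flags = off_flags & 0x01FF   # low 9 bits of the data-offset/flags word
    if urg_ptr != 0 and not flags & 0x20:   # 0x20 is the URG flag bit
        findings.append(f"TCP Urgent field {urg_ptr} set with URG flag zero")
    return findings

def build_ipv4_tcp(proto=6, urg_ptr=0, flags=0x02):
    """Constructed sample packet (not captured traffic): 20-byte IPv4 + 20-byte TCP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0, 64, proto, 0,
                     bytes([10, 1, 1, 1]), bytes([10, 1, 1, 2]))
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (5 << 12) | flags, 8192, 0, urg_ptr)
    return ip + tcp
```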

IDS types
• Network-based
  – Monitors the entire network
  – NIC operates in promiscuous mode
  – Complicated sniffers that check all packets against signatures
• Host-based
  – Protects only the host system on which it resides
  – Network card operates in non-promiscuous mode

Intrusion Prevention Systems
• An IDS receives a copy of network traffic for analysis and reporting
  – malicious packets reach their targets
  – analysis and reporting is after the fact
• An IPS is a pass-through device inline with the traffic
  – detected malicious packets are dropped at the IPS and do not reach their intended targets

Snort
• Intrusion protection and prevention system
• Rules-based detection engine
• Network sniffer
• Snort runs on various operating systems and hardware platforms, including many UNIX systems and Windows
• Large default rule set (several thousand)

Snort Modes
• Packet Sniffer Mode
  – In Packet Sniffer Mode Snort acts like tcpdump and is used for testing.
  – Type "snort -v" at the command prompt to start Snort in sniffer mode
  – Other switches
    • -d displays the application layer
    • -e displays the data link layer
• Packet Logger Mode
  – Same as Packet Sniffer Mode, but it also logs the output.
  – Type "snort -dev -l /var/log/snort", where -l is the switch for logging and /var/log/snort is the directory in which to save the output.

Snort Modes
• Intrusion Detection Mode
  – In this mode Snort applies signature rules to all captured packets
  – If a packet matches a rule, it is logged or an alert is generated

Writing Snort Rules
• Figure out what is "bad"
• Capture traffic that includes the "bad" stuff
• Learn the protocol
• Figure out why the "bad stuff" is bad
• Write a rule
• Test the rule

Rule Format - basic rule
• alert tcp 10.1.1.1 any -> 10.1.1.2 80 (msg: "foo"; content: "bar"; )

Rule Format
• alert tcp 10.1.1.1 any -> 10.1.1.2 80 (msg: "foo"; content: "bar"; )
• Actions
  – alert, log, pass, activate, dynamic, drop, sdrop
• Acceptable protocols
  – TCP, UDP, ICMP, IP
• Direction
  – ->, <>
• Body
  – msg, content, etc.
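To make the rule format concrete, here is a minimal parser and matcher for the header fields and body options shown on the two Rule Format slides, as an added example (not Snort's own code). It is a simplification: it accepts only the actions, protocols and directions listed on the slide, treats addresses as single IPs or "any", and matches the content option as a plain substring of the payload.

```python
import re
from dataclasses import dataclass, field

ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "sdrop"}
PROTOS = {"tcp", "udp", "icmp", "ip"}
HEADER = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: dict = field(default_factory=dict)

def parse_rule(text):
    """Split a rule into header fields and a dict of body options (msg, content, ...)."""
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("malformed rule header")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if proto not in PROTOS:
        raise ValueError(f"unsupported protocol {proto!r}")
    options = {}
    for opt in body.split(";"):
        if opt.strip():
            key, _, val = opt.partition(":")
            options[key.strip()] = val.strip().strip('"')
    return Rule(action, proto, src, sport, direction, dst, dport, options)

def _endpoint_ok(rule_ip, rule_port, ip, port):
    return (rule_ip == "any" or rule_ip == ip) and (rule_port == "any" or int(rule_port) == port)

def rule_matches(rule, src, sport, dst, dport, payload):
    """True when the socket pair fits the header (honouring <>) and the content option is present."""
    hit = _endpoint_ok(rule.src, rule.sport, src, sport) and _endpoint_ok(rule.dst, rule.dport, dst, dport)
    if rule.direction == "<>" and not hit:   # bidirectional: also try the reverse pairing
        hit = _endpoint_ok(rule.src, rule.sport, dst, dport) and _endpoint_ok(rule.dst, rule.dport, src, sport)
    content = rule.options.get("content")
    return hit and (content is None or content.encode() in payload)
```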

Honeypot
• A monitored decoy to lure attackers away from critical resources
  – simulates various OSs and application servers
• A tool to analyze an attacker's methods and other characteristics

Honeypot Modes
• Research mode – collecting data on attacker motivations, attack trends, and emerging threats
• Production mode – to prevent, detect, and respond to attacks
  – impeding scans
  – diverting an attacker to the honeypot rather than critical files
  – capturing polymorphic code
  – acquiring attack signatures
  – providing attack information for analysis

Honeypot Software
• Labrea
• Honeyd

Legal issues
• An organization may be liable if its honeypot is used to launch attacks against another network
• An attacker might claim entrapment if apprehended through use of a honeypot
  – Never explicitly invite interaction with the honeypot

Auditing
• Logs are the primary record keepers of system and network activity
  – Basis for fast recovery when a service is modified illegally
  – Basis for tracking the break-in

System logs
• Windows – Application, System and Security
• Linux – syslog files under /var/log/*

Problems in Managing Logs
• No periodic review
• The log files may be modified by the intruder
• Log size constraints
• Failure to collect critical information

Audit tools
• Syslog – log collection system
• Audit – subsystem in the Linux kernel that generates audit records (auditctl, ausearch, aureport)
• Logwatch – log analysis system
• Lire – log analyzer system