Lecture 20 Firewalls and Intrusion Detection CS 551
- Slides: 42
Lecture 20: Firewalls and Intrusion Detection CS 551: Security and Privacy David Evans University of Virginia CS 551 http: //www. cs. virginia. edu/~evans Computer Science
Menu • • Firewalls How to give a good project presentation Traditional Intrusion Detection Computer Immunology 11/2/2020 University of Virginia CS 551 2
Voting Challenge #1 • Why witness must observe opening Envelope A? – Your answer should be 6 words long – Or, your answer should cite government explanation 11/2/2020 University of Virginia CS 551 3
Voting Challenge #2 • Improved absentee ballot protocol – Must be as (or almost as) convenient as current procotol cannot require voter to use computer to vote – Should provide better integrity (my vote is counted right) and anonymity (no one can tell who I voted for) than current system 11/2/2020 University of Virginia CS 551 4
11/2/2020 University of Virginia CS 551 5
Check Point Software, +3000% over past 18 months Market capitalization = ~$20 B (GM = $30 B) 11/2/2020 University of Virginia CS 551 6
11/2/2020 University of Virginia CS 551 7
The Best Firewall to network power 11/2/2020 Functionality is Bad University of Virginia CS 551 8
Lesser Firewall to network firewall (p: packet) { if (allow (p)) forward (p); else drop (p); } 11/2/2020 University of Virginia CS 551 9
Networks – OSI Model Application Presentation FTP SMTP HTTP Real. Player . . . Session TCP Transport IP Network Data Link Ethernet FDDI Physical 11/2/2020 UDP University of Virginia CS 551 CDMA Smoke Signals Other 10
An IP (V 4) Packet Data Options Destination IP Address Source IP Address Header Checksum Transport Protocol (e. g. , TCP) TTL Fragment Offset Flags Packet Identification Size of Datagram Type of Service (not used) IP Header Length IP Version (4) 11 University of Virginia CS 551 11/2/2020 128 160 96 80 64 48 32 16 0
A Simple Packet Filter boolean allow (packet) { if (match (packet. source, “ 18. 26. 4. *”)) return false; // No packets from Robert Morris’ machines. else if (match (packet. source, “ 198. 82. *. *”)) return false; // Virginia Tech else return true; How well does this satisfy Saltzer/Schroeder principles? } 11/2/2020 University of Virginia CS 551 12
Typical Packet Filtering Rules Input: permit 0. 0 128. 143. 137. 19 TCP src >= 1024 dst = 25 permit 0. 0 128. 143. 137. 19 TCP src = 25 dst >= 1024 Output: permit 128. 143. 137. 19 0. 0 TCP src = 25 dst >= 1024 permit 128. 143. 137. 19 0. 0 TCP src >= 1024 dst = 25 11/2/2020 University of Virginia CS 551 13
Packet Filter Layers Application Presentation FTP SMTP HTTP Real. Player . . . Session TCP Transport IP Network Data Link Ethernet FDDI Physical 11/2/2020 UDP University of Virginia CS 551 CDMA Smoke Signals Other 14
Application-Layer Gateways • Analyze communication at application layer • All communication must go through a proxy that knows about application • Poor scalability, performance 11/2/2020 University of Virginia CS 551 15
Why is a little Israeli firewall company worth $20 B? • Stateful Inspection – Intercept packets at network layer, but analyze at all communications layers – Maintain application-specific state • e. g. , Save PORT command of outgoing FTP session, compare with incoming FTP data – Programmable filters and manipulators – Provide a graphical front end for programming filters and monitoring activity 11/2/2020 University of Virginia CS 551 16
Project Presentations Tell a story, don’t read a list. 11/2/2020 University of Virginia CS 551 17
All Good Talks Tell a Story • Introduce characters (rabbit, fox) • Describe an important problem (fox wants to eat rabbit) • Relate events that resolve the problem (rabbit tells fox about thesis) • A few examples (rabbit tells wolf, . . . ) • Draw a general conclusion that is supported by your story (thesis doesn’t matter, only advisor) 11/2/2020 University of Virginia CS 551 18
Introduction • Introduce characters: motivate your work – Convey why the problem you are solving is interesting, important and exciting – Place your work in context: how is it different from what others have done • Teaser for your results – why should we listen to the rest of the talk? – Don’t need a full outline, but let audience know enough so they want to listen to the rest – Unlike Rabbit story, suspense is not good 11/2/2020 University of Virginia CS 551 19
Guts • Explain what you did – Don’t be comprehensive – convey the big picture – Use pictures, 1 -2 examples, etc. • Convey one technical nugget – Show one neat concrete thing that came out of your work. • Analysis – Did your work solve the problem? – What are the important results of your work 11/2/2020 University of Virginia CS 551 20
Conclusion Summarize your project with one key point. If your audience remembers one thing from your talk, you have succeeded. 11/2/2020 University of Virginia CS 551 21
Some Specific Advice • Average 2 minutes per slide • Your target audience is the other students in the class – Assume they know as much security as has been covered in the class • Use Pictures • Use Humor (but only if its relevant) • Don’t put this much text on any of your slides! 11/2/2020 University of Virginia CS 551 22
Can you do all this in 13 minutes? • Advertisers pay $2. 5 M for 30 seconds during Superbowl – they must be pretty sure they can tell a compelling story in that time • Seinfeld episode is 22 minutes long • Make your points directly, avoid unnecessary details • Organize your presentation 11/2/2020 University of Virginia CS 551 23
Practice! • Without an audience • In front of your teammates • In front of friends not familiar with your project • I will listen to any group that wants to practice their talk Tuesday Nov 28 th (email your preferred time 9 pm-midnight) and Sunday Dec 3 rd (after 7 pm) 11/2/2020 University of Virginia CS 551 24
Intrusion Detection 11/2/2020 University of Virginia CS 551 25
Why Detect Intruders? • Catch them before they cause damage and plug holes • Identify damage • Collect evidence for prosecution • Deterrent 11/2/2020 University of Virginia CS 551 26
Behavior Obviously Normal 11/2/2020 Obviously Malicious University of Virginia CS 551 27
Stallings Graph (p. 491) Probability density function Authorized user profile Intruder profile Measurable behavior parameter 11/2/2020 University of Virginia CS 551 28
More Realistic Graph Probability density function Authorized user profile Intruder profile Measurable behavior parameter 11/2/2020 University of Virginia CS 551 29
False Positives Dilemma • Doctor invents a new, inexpensive test for a deadly disease that is 95% accurate • Assume 1 in 1000 people have deadly disease (but don’t know it yet) • Should everyone get the test? – – 1000 people tested Expect. 95 + (999 *. 05) positives 50 people will be told they have disease If you test positive, there is a 1/50 chance you have disease 11/2/2020 University of Virginia CS 551 30
Intrusion Detection Approaches • Statistical Anomaly Detection – Produce a profile of the normal behavior of each user (or independent of user) – Notice statistical deviations from that behavior • Rule-based Detection – Think really hard and make up rules that describe intruder behavior. – Hope intruders can’t read and figure out the rules also. 11/2/2020 University of Virginia CS 551 31
Detect an Intrusion • • Do nothing Email system administrator Page system administrator Shut down system 11/2/2020 University of Virginia CS 551 32
Network Intrusion Detection • Monitor activity on many hosts • Aggregate audit records to detect anomalous behavior • Managed Security Monitoring (Counterpane, Inc. ) – $12, 000/month 11/2/2020 University of Virginia CS 551 33
Challenges in Intrusion Detection • The first thing a smart intruder will do is tamper with the Intrusion Detection system! • Few activities are either obviously normal or obviously malicious • False positives dilemma 11/2/2020 University of Virginia CS 551 34
Immunology 11/2/2020 University of Virginia CS 551 35
Biological Inspiration • Biological systems are incredibly resilient • Most humans survive ~80 years • Before medical advances, most still would survive ~30 years • Operate in a hostile, unpredictable environment • No way to reboot, reinstall operating system, upgrade software, etc. • Human genome: 3 Billion base pairs = 6 Gb = 750 MB (Human genome project says 3 GB ? ? ) 11/2/2020 University of Virginia CS 551 36
Immune Systems Lymphocytes recognize pathogens by binding. Proteins have distinctive shapes. An Overview of the Immune System. © 1997 Steven A Hofmeyr 11/2/2020 Binding is approximate. Sometimes match wrong things (this is why organ transplants get rejected). University of Virginia CS 551 37
Receptor Diversity • Need to recognize all foreign intruders, but DNA can’t know about all possible intruders • Gene segments are randomly combined to form different receptors – About 108 – 1012 different receptors 11/2/2020 University of Virginia CS 551 38
Affinity Maturation • B-cells in bone marrow – most effective cells reproduce more quickly An Overview of the Immune System. © 1997 Steven A Hofmeyr 11/2/2020 University of Virginia CS 551 39
Can computers do this? • Programs identified by sequences of system calls • Build a database of normal patterns (how? ) • Receptors recognize unusual patterns • Enough unusual patterns is considered an intrusion 11/2/2020 University of Virginia CS 551 40
Fatal Flaw? • Might work okay if no one important is using it. • Will it work if an attacker knows about it and is deliberately constructing an attack to avoid detection? – Do biological viruses evolve to mimic host proteins? 11/2/2020 University of Virginia CS 551 41
Charge • Next time – pick one: – Denial of service attacks and countermeasures – Law/Politics: Carnivore, Encryption Policy, Digital Signatures – Security Policies: MAC/DAC, Chinese Wall, Orange Book – Other? • Send email/tell me your suggestions before Wednesday (if I don’t get any, I’ll talk about formal logics for analyzing security protocols) 11/2/2020 University of Virginia CS 551 42
- Ids sensors
- Intrusion detection system open source
- Common intrusion detection framework
- Intrusion detection systems (ids)
- Bro intrusion detection system
- Fiber optic perimeter intrusion detection systems
- Infrasonic intrusion detection
- Auditing firewalls
- 01:640:244 lecture notes - lecture 15: plat, idah, farad
- History of the firewall
- Solf
- Stateless vs stateful firewall
- List three design goals for a firewall.
- Ufw implicit deny
- Firewalls are used for what security principle
- Uhcl vpn
- Types of firewalls ppt
- Dynamic firewalls
- Perimeter firewalls are the simplest type of firewall
- Firewalls computer science
- Linux firewalls
- 18 446 744 073 709 551 615
- Hino de número 600
- Ece 551
- 115 en yakın onluğa yuvarlama
- Akpc 551 manual
- I 551 number
- Csci-b 551 elements of artificial intelligence
- Cs 551
- Ece 551
- Number 551
- Cs 551
- Rodrigo rubira branco
- What is intrusion? *
- Intrusión dental
- Magmatic intrusion
- Certified intrusion analyst
- Intrusion fantasy
- Intrusion.win.iis.unicode.a.exploit
- Datenkorrelation
- Skewards
- Intrusion budget
- Authorial intrusion definition