NETWORKS Fall 2009.

Author: Rosemary Carr

1 NETWORKS Fall 2009

2 Review - Last Lecture
- Computer Crimes
- Firewall Architectures
- Packet Filtering
- Other Firewall Approaches

3 Review - A Packet Filter Architecture
The simplest architecture consists of just a packet filtering router. It can be realized with either:
- A standard workstation (e.g. a Linux PC) with at least two network interfaces plus routing and filtering software
- A dedicated router device, which usually also offers filtering capabilities
[Diagram: Internet - Router holding the packet filter rules - internal network]

4 Computer Crimes

5 Crimes 1
Charges have been filed against John Bombard of Florida for allegedly launching a distributed denial-of-service (DDoS) attack against Akamai DNS servers. Bombard allegedly used a worm to create a botnet used in the June 2004 attack. Many Akamai client websites were unavailable for a time; Akamai provides caching services for a number of high profile companies. If Bombard is convicted of the charges of "intentionally accessing a protected computer without authorization," he could face up to two years in prison and a fine of as much as US$200,000.

6 Crimes 2
After the National Australia Bank (NAB) became the target of a distributed denial-of-service (DDoS) attack last week, the bank issued a warning to its customers about phishing e-mails. An NAB spokesperson said the bank is concerned that phishers could exploit the situation by luring customers to spoofed NAB sites. NAB customers were targeted by a phishing attack in September.

7 Crimes 3
In an effort to retain computer resources for its own use, the SpamThru Trojan horse installs a pirated copy of an anti-virus program on computers it infects. Once installed, the program begins scanning the computer and deletes any competing malware at the next Windows reboot. The Trojan, which is used to send spam for a pump-and-dump stock scam, communicates via peer-to-peer technology; this means that even if the control server is shut down, the person launching the spam attack needs to control just one peer to let the others know the location of a new control server.

8 Proxy Server

9 The Problem
Screening routers look only at the headers of packets, not at the data inside the packets. Therefore, a screening router would pass anything to port 25, assuming its screening rules said to allow inbound connections to that port. However, applications are complex and sometimes contain errors. Worse, applications (such as the e-mail delivery agent) often act on behalf of all users, so they require the privileges of all users, for example, to store incoming mail messages so that inside users can read them. A flawed application, running with all users' privileges, can cause much damage.

10 A Proxy Server
A proxy server, a type of bastion host, is a firewall that simulates the (proper) effects of an application so that the actual application will receive only requests to act properly. A proxy server is a two-headed piece of software: to the inside it looks as if it is the outside (destination) connection, while to the outside it responds just as the inside would.

11 Operation
A proxy server runs pseudo-applications. For example, when electronic mail is transferred to a location, a sending process at one site and a receiving process at the destination communicate by a protocol that establishes the legitimacy of a mail transfer and then actually transfers the mail message. The protocol between sender and destination is carefully defined. A proxy server essentially intrudes into the middle of this protocol exchange, seeming like a destination in communications with the sender that is outside the firewall, and then seeming like the sender in communications with the real destination on the inside. The proxy in the middle has the opportunity to screen the mail transfer, ensuring that only acceptable e-mail protocol commands are sent to the destination.

12 Example
A company wants to set up an on-line price list so that outsiders can see the products and prices offered. It wants to be sure that no outsider can change the prices or product list and that outsiders can access only the price list, not any of the more sensitive files stored inside. Customers would actually access the proxy server; the proxy would monitor the file transfer protocol (FTP) data to ensure that only the price list file was accessed and that the file could only be read, not modified.

13 Proxy Summary
The distinction of a proxy over a screening router is that the proxy interprets the protocol stream to an application in order to control actions through the firewall on the basis of things visible within the protocol, not just on external header data.

14 Circuit Level Gateways

15 Circuit Level Gateway
- Client connects to a port on the proxy (gateway); permission is granted by port address
- Creates a circuit between client and server without interpreting the application protocol
- Relays connections: a relay program copies bytes back and forth; relay services do not examine the bytes
- Can control the connection on the basis of source/destination
- Can also do access control at connect time based on user, department etc. and the service being requested

16 Example
The client establishes a TCP connection to the circuit-level gateway and requests a second TCP connection to a remote server. The circuit-level gateway:
- Checks the client IP address
- Authenticates and authorizes the client according to the network security policy
- Connects to the remote server and copies data back and forth between the two TCP connections
[Diagram: Client - Circuit-level gateway - Remote Server]
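The exchange on slides 15 and 16, as an added example that is not part of the lecture: a minimal circuit-level gateway on loopback. The gateway reads one request line, decides at connect time on the basis of the client address and the requested destination, and from then on copies bytes in both directions without interpreting them. The request format ("CONNECT host port"), the reply words, the policy structure and the echo server standing in for the remote server are all assumptions made for this example.

```python
import socket
import threading

# Added example (not from the lecture): a minimal circuit-level gateway.
# Access control happens once, at connect time, on addresses only; after that
# the relay never looks at the bytes. Request format, replies, the policy
# structure and the echo "remote server" are assumptions for this example.


def authorize(policy, client_ip, dest_host, dest_port):
    """Connect-time decision: policy maps client IP -> set of (host, port) it may reach."""
    return (dest_host, dest_port) in policy.get(client_ip, set())


def _readline(sock):
    """Read one line byte by byte so nothing past the request line is consumed."""
    buf = b""
    while not buf.endswith(b"\n"):
        ch = sock.recv(1)
        if not ch:
            break
        buf += ch
    return buf.decode(errors="replace")


def _pump(src, dst):
    """Copy bytes src -> dst until src closes; the relay never interprets them."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)      # propagate end-of-stream to the far side
        except OSError:
            pass


def _refuse(conn, reply):
    conn.sendall(reply)
    conn.close()


def handle_client(conn, client_ip, policy):
    """Parse the circuit request, apply the policy, then relay if permitted."""
    parts = _readline(conn).split()
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].isdigit():
        return _refuse(conn, b"BAD REQUEST\n")
    host, port = parts[1], int(parts[2])
    if not authorize(policy, client_ip, host, port):
        return _refuse(conn, b"DENIED\n")
    try:
        upstream = socket.create_connection((host, port), timeout=5)
    except OSError:
        return _refuse(conn, b"UNREACHABLE\n")
    upstream.settimeout(None)
    conn.sendall(b"OK\n")
    back = threading.Thread(target=_pump, args=(upstream, conn), daemon=True)
    back.start()
    _pump(conn, upstream)
    back.join()
    conn.close()
    upstream.close()


def _serve(listener, on_accept):
    """Accept loop shared by the gateway and the demo echo server."""
    while True:
        try:
            conn, addr = listener.accept()
        except OSError:                      # listener was closed
            return
        threading.Thread(target=on_accept, args=(conn, addr[0]), daemon=True).start()


def _listen():
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))               # loopback only, ephemeral port
    srv.listen(5)
    return srv


def start_gateway(policy):
    """Start the gateway; returns its listening socket (port via getsockname())."""
    srv = _listen()
    threading.Thread(target=_serve, args=(srv, lambda c, ip: handle_client(c, ip, policy)),
                     daemon=True).start()
    return srv


def start_echo_server():
    """Stand-in for the remote server on the slide: echoes whatever it receives."""
    srv = _listen()
    threading.Thread(target=_serve, args=(srv, lambda c, ip: _pump(c, c)), daemon=True).start()
    return srv


def through_gateway(gateway_port, host, port, payload):
    """Client side: request a circuit, send payload, collect the reply. Returns (status, reply)."""
    c = socket.create_connection(("127.0.0.1", gateway_port), timeout=5)
    c.sendall(f"CONNECT {host} {port}\n".encode())
    status = _readline(c).strip()
    reply = b""
    if status == "OK":
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            reply += chunk
    c.close()
    return status, reply


if __name__ == "__main__":
    echo = start_echo_server()
    echo_port = echo.getsockname()[1]
    gw = start_gateway({"127.0.0.1": {("127.0.0.1", echo_port)}})   # constructed policy
    gw_port = gw.getsockname()[1]
    print(through_gateway(gw_port, "127.0.0.1", echo_port, b"hello through the circuit"))
    print(through_gateway(gw_port, "127.0.0.1", 9, b"destination not in policy"))
```

Note what the gateway does not do: once "OK" has been sent, `_pump` moves opaque bytes, so a client permitted to reach a destination can send that destination any application-level content. That is the trade-off the slide describes against the application proxy, which interprets the protocol.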

17 Network Address Translation

18 Network Address Translation
Network Address Translation (NAT) allows a network to use one set of addresses internally and a different set when dealing with external networks. For example, the following blocks of the IP address space have been reserved for private use (RFC 1918):
- 10.0.0.0/8 (24-bit block)
- 172.16.0.0/12 (20-bit block)
- 192.168.0.0/16 (16-bit block)
NAT helps conceal the internal network and forces connections to go through a choke point. The router does the extra work required for address translation.

19 NAT Operation
A NAT firewall works as a transparent firewall:
- IP packets with destination IP addresses unknown on the intranet are routed to the network segment that hosts the NAT firewall.
- The NAT firewall grabs the IP packets that request a TCP connection and establishes the connection on behalf of the client.
- Furthermore, the NAT firewall substitutes the private IP addresses (used on the intranet) with officially assigned IP addresses (used on the Internet) and vice versa.

20 Advantages/Disadvantages
Advantages
- Helps enforce firewall control over outbound connections
- Can help restrict incoming traffic
- Can help conceal internal network configuration
Disadvantages
- Interferes with logging
- Could interfere with packet filtering
- Could interfere with encryption and authentication
- Dynamic allocation could lead to broken connections
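The translation step of slides 18 to 20, as an added example that is not part of the lecture: a table-driven model of a NAT router that rewrites the source of outbound packets from the private blocks above to one public address, rewrites the destination of replies back, drops inbound packets with no table entry, and times out dynamic entries (which is how the "broken connections" disadvantage arises). The public address, port range, idle timeout and packet values are constructed for illustration; it is a model, not a packet-forwarding implementation.

```python
import ipaddress

# Added example (not from the lecture): a model of the address/port translation
# a NAT router performs. Addresses, port range, timeout and packets are
# constructed values for illustration.

PRIVATE_BLOCKS = [ipaddress.ip_network(b) for b in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]   # RFC 1918


def is_private(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in block for block in PRIVATE_BLOCKS)


class Packet:
    def __init__(self, src_ip, src_port, dst_ip, dst_port, payload=b""):
        self.src_ip, self.src_port = src_ip, src_port
        self.dst_ip, self.dst_port = dst_ip, dst_port
        self.payload = payload

    def __repr__(self):
        return f"{self.src_ip}:{self.src_port} -> {self.dst_ip}:{self.dst_port}"


class NAPT:
    """Many private (ip, port) pairs share one public address; ports distinguish them."""

    def __init__(self, public_ip, port_range=(40000, 49999), idle_timeout=300):
        self.public_ip = public_ip
        self.port_range = port_range
        self.idle_timeout = idle_timeout
        self.table = {}      # public port -> [private ip, private port, last seen]
        self.reverse = {}    # (private ip, private port) -> public port

    def _allocate(self):
        lo, hi = self.port_range
        for p in range(lo, hi + 1):
            if p not in self.table:
                return p
        raise RuntimeError("translation table full")

    def _expire(self, public_port):
        priv_ip, priv_port, _ = self.table.pop(public_port)
        self.reverse.pop((priv_ip, priv_port), None)

    def outbound(self, pkt, now):
        """Rewrite the source of a packet leaving the intranet; None if it is not ours to translate."""
        if not is_private(pkt.src_ip):
            return None
        key = (pkt.src_ip, pkt.src_port)
        pub_port = self.reverse.get(key)
        if pub_port is None:                 # first packet of a flow: allocate an entry
            pub_port = self._allocate()
            self.reverse[key] = pub_port
        self.table[pub_port] = [pkt.src_ip, pkt.src_port, now]
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt, now):
        """Rewrite the destination of a packet arriving from the Internet, or drop it (None)."""
        entry = self.table.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or entry is None:
            return None                      # no mapping: unsolicited inbound traffic is dropped
        priv_ip, priv_port, last_seen = entry
        if now - last_seen > self.idle_timeout:
            self._expire(pkt.dst_port)       # dynamic entry timed out: the connection breaks
            return None
        entry[2] = now
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port, pkt.payload)


if __name__ == "__main__":
    nat = NAPT("203.0.113.1", idle_timeout=60)
    out = nat.outbound(Packet("192.168.1.10", 51000, "198.51.100.7", 80), now=0)
    print("outbound as seen on the Internet:", out)
    print("reply delivered inside as:",
          nat.inbound(Packet("198.51.100.7", 80, "203.0.113.1", out.src_port), now=10))
    print("unsolicited inbound:", nat.inbound(Packet("198.51.100.7", 80, "203.0.113.1", 40500), now=10))
    print("reply after idle timeout:", nat.inbound(Packet("198.51.100.7", 80, "203.0.113.1", 40000), now=100))
```

The logging disadvantage on slide 20 is visible in the model: a log kept outside the router records only `203.0.113.1:40000`, and the only way back to `192.168.1.10:51000` is the router's table, which is gone once the entry expires.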

21 Introduction to Intrusion Detection

22 What is Intrusion Detection
Intrusion Detection is the process of identifying and responding to malicious activity targeted at computing and networking resources. Intrusion Detection Systems collect information from a variety of system and network sources, then analyze the information for signs of intrusion (outside attacks) and misuse (inside attacks). They help computer and network systems prepare for and deal with an attack.

23 Unrealistic Expectations
- They are not silver bullets for security
- They cannot compensate for weak identification and authentication mechanisms
- They cannot conduct investigations of attacks without human intervention
- They cannot compensate for weaknesses in network protocols, applications, systems, ...
- They cannot analyze all of the traffic on a network
- They cannot always deal with problems involving packet-level attacks

24 Realistic Expectations
- IDS can add to the integrity of your existing security infrastructure
- IDS can spot errors in your system configuration that have security implications
- IDS can recognize when systems appear to be subjected to a particular attack
- IDS can sometimes help tell you what is really happening on your systems
- IDS do not typically act to prevent or block attacks
- IDS might make the security management of your systems by non-expert staff possible (may or may not be so good!)

25 Why Firewalls are not enough
- Not all access to the Internet occurs through the firewalls
- Not all threats originate from outside the firewall
- Firewalls are subject to attack themselves
- Little protection against data-driven attacks (i.e. virus-infected programs or data files, as well as malicious Java applets and ActiveX controls)

26 IDS vs Firewall
Firewalls
- Originally it was thought a firewall was all that was needed
- Protects the perimeter
- Provides NAT for outgoing traffic
- Provides a component for enterprise security
Intrusion Detection
- Forensic data allows post-hacking analysis
- Can be integrated into other security technologies
- Both perimeter and internal surveillance

27 General IDS Technologies
There are several approaches to IDS implementation:
- Ad Hoc ID
- Network Based
- Host Based
- Application Based
Most systems involve some combination of these.

28 Ad Hoc Intrusion Detection
Ad Hoc ID involves the use of selected software and human analysis procedures:
- Freeware sniffers
- Log analysis (this is a real pain)
It takes lots of time and can easily miss attacks. It is almost always "after the fact". It requires continuous inspection of a Unix system by hand.

29 Example (part 1) Checklist for Unix recommended by CERT
1. Examine log files for connections from unusual locations or other unusual activity. For example, look at your 'last' log, process accounting, all logs created by syslog, and other security logs.
2. Look for setuid and setgid files (especially setuid root files) everywhere on your system. Intruders often leave setuid copies of /bin/sh or /bin/time around to allow them root access at a later time.

30 Example (part 2) Checklist for Unix recommended by CERT
3. Check your system binaries to make sure that they haven't been altered. Intruders change programs on UNIX systems such as login, su, telnet, netstat, ifconfig, ls, find, du, df, libc, sync, any binaries referenced in /etc/inetd.conf, and other critical network and system programs and shared object libraries.
4. Check your systems for unauthorized use of a network monitoring program, commonly called a sniffer or packet sniffer.

31 Example (part 3) Checklist for Unix recommended by CERT
5. Examine all the files that are run by 'cron' and 'at'. Intruders leave back doors in files run from 'cron' or submitted to 'at'. These techniques can let an intruder back on the system (even after you believe you had addressed the original compromise).
6. Check for unauthorized services. Inspect /etc/inetd.conf for unauthorized additions or changes. In particular, search for entries that execute a shell program (for example, /bin/sh or /bin/csh) and check all programs that are specified in /etc/inetd.conf to verify that they are correct and haven't been replaced by Trojan horse programs.

32 Example (part 4) Checklist for Unix recommended by CERT
7. Examine the /etc/passwd file on the system and check for modifications to that file. In particular, look for the unauthorized creation of new accounts, accounts with no passwords, or UID changes (especially UID 0) to existing accounts.
8. Check your system and network configuration files for unauthorized entries.
9. Look everywhere on the system for unusual or hidden files (files that start with a period and are normally not shown by 'ls').

33 Example (part 5) Checklist for Unix recommended by CERT
Imagine the complexity and degree of expertise needed to carry out the tasks in this checklist for every host and every sensitive network link on a network every single day. The ad hoc approach is not recommended! Automated systems are needed to: monitor multiple hosts and network links for suspicious behaviour; report this behaviour; possibly react to it.
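Items 2, 3, 6 and 9 of the checklist above, as an added example that is neither CERT's nor the lecture's: shell functions that turn the "by hand" inspection into something a cron job can run against every host daily, which is the first step from ad hoc toward automated detection. The directory arguments, the manifest file name and the sample inetd.conf content are assumptions; in practice the functions run against `/`, `/bin` and `/etc/inetd.conf`, and the hash manifest is written on a known-good host and stored off the machine being checked. Assumes GNU find, xargs and sha256sum (Linux).

```shell
#!/bin/sh
# Added example (not from the lecture or CERT): automating items 2, 3, 6 and 9
# of the CERT checklist with standard Unix tools. Directory arguments and the
# manifest path are assumptions; assumes GNU find/xargs/sha256sum.

# Item 2: setuid and setgid files below a directory (run against / in practice)
find_setuid_setgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Item 9: hidden files, i.e. names starting with a period that plain ls hides
find_hidden() {
    find "$1" -name '.*' ! -name '.' ! -name '..' 2>/dev/null | sort
}

# Item 3, step one: record hashes of system binaries on a known-good host.
# $1 = directory of binaries, $2 = manifest file to write (keep it off-host)
baseline_hashes() {
    find "$1" -type f -print0 | sort -z | xargs -0 sha256sum > "$2"
}

# Item 3, step two: print the path of every binary that changed or disappeared
# since the manifest was written. $1 = manifest written by baseline_hashes
verify_hashes() {
    sha256sum -c --quiet "$1" 2>&1 | sed -n 's/: FAILED.*$//p'
}

# Item 6: non-comment inetd.conf entries that hand a connection to a shell.
# $1 = path to an inetd.conf-style file
inetd_shell_entries() {
    grep -v '^[[:space:]]*#' "$1" | grep -E '/bin/(sh|csh|bash)([[:space:]]|$)'
}
```

`verify_hashes` only reports differences; deciding whether a difference is a legitimate package update or a replaced `ls` is still a human step, which is exactly the gap the slide says automated systems should narrow.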

34 Network Based IDS
- Collects information from the network, usually by packet sniffing, using network interfaces set in promiscuous mode
- Listens to all traffic on the segment
- Must live on the target net
- Has throughput limitations

35 Advantages/Disadvantages
Pros
- No performance impact
- More tamper resistant
- No management impact on platforms
- Works across O/S's
- Can derive information that host based logs might not provide (half scans, port scanning, etc.)
Cons
- May mis-reassemble packets
- May not understand O/S specific application protocols (e.g. SMB)
- May not understand obsolete network protocols (e.g. anything non-IP)
- May lose packets on flooded networks
- Does not handle encrypted data
- Cannot tell the outcome of commands executed on the host
- Additional hardware required
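The "half scans, port scanning" item on slide 35, as an added example that is not part of the lecture: detection logic a network-based sensor can run on sniffed TCP headers alone, which a host's own logs would not show because a half-open scan never completes a connection. The records are constructed TCP events seen from the sensor (time, source, destination, destination port, flags); the window, threshold and addresses are assumptions. The slow scanner in the sample also shows the failure mode of a window-based threshold.

```python
from collections import Counter, defaultdict

# Added example (not from the lecture): the kind of inference a network-based
# sensor can draw from sniffed headers alone. Records are constructed TCP
# events: (time, src_ip, dst_ip, dst_port, flags) with flags 'S' (SYN),
# 'A' (ACK, third handshake step) or 'R' (RST).


def detect_port_scans(records, window=10.0, port_threshold=5):
    """Flag sources touching >= port_threshold distinct ports on one host within `window` seconds.

    Returns {(src, dst): {"ports": [...], "kind": "half-open" | "connect"}}.
    'connect' means the source completed at least one handshake (sent a bare ACK);
    'half-open' means it only sent SYNs and tore the attempts down.
    """
    by_pair = defaultdict(list)
    for t, src, dst, port, flags in records:
        by_pair[(src, dst)].append((t, port, flags))
    alerts = {}
    for (src, dst), events in by_pair.items():
        events.sort()
        in_window = Counter()               # distinct ports currently inside the window
        left, best = 0, set()
        for t, port, _ in events:
            in_window[port] += 1
            while t - events[left][0] > window:     # slide the window forward
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) > len(best):
                best = set(in_window)
        if len(best) >= port_threshold:
            completed = any(f == "A" for _, _, f in events)
            alerts[(src, dst)] = {"ports": sorted(best),
                                  "kind": "connect" if completed else "half-open"}
    return alerts


def sample_records():
    """Constructed traffic: a half-open scanner, a connect scanner, a normal client, a slow scanner."""
    recs = []
    # half-open scan: SYN then RST on seven ports within three seconds
    for i, p in enumerate([21, 22, 23, 25, 80, 110, 143]):
        recs.append((0.0 + i * 0.4, "198.51.100.9", "10.0.0.5", p, "S"))
        recs.append((0.1 + i * 0.4, "198.51.100.9", "10.0.0.5", p, "R"))
    # connect scan: full handshake (SYN, ACK) on six ports
    for i, p in enumerate([22, 80, 443, 3306, 5432, 8080]):
        recs.append((50.0 + i, "203.0.113.4", "10.0.0.5", p, "S"))
        recs.append((50.2 + i, "203.0.113.4", "10.0.0.5", p, "A"))
    # normal client: repeated connections to one service only
    for i in range(8):
        recs.append((100.0 + i, "10.0.0.8", "10.0.0.5", 80, "S"))
        recs.append((100.2 + i, "10.0.0.8", "10.0.0.5", 80, "A"))
    # slow scan: one port every 30 seconds, which slips under a 10-second window
    for i, p in enumerate([21, 22, 23, 25, 80, 110, 143]):
        recs.append((200.0 + i * 30, "198.51.100.10", "10.0.0.5", p, "S"))
    return recs


if __name__ == "__main__":
    for pair, info in sorted(detect_port_scans(sample_records()).items()):
        print(pair, info)
    print("with a 300 s window:", sorted(detect_port_scans(sample_records(), window=300)))
```

The slow scanner is the instructive case: with the default 10-second window it touches only one port per window and raises nothing, while a 300-second window catches it at the cost of more state per source pair. That trade-off between memory and sensitivity is one reason the slide lists throughput limits and lost packets on flooded networks among the cons.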

36 Host Based ID
- Lives on the host
- It collects information reflecting the activity that occurs on a particular system. This information is sometimes in the form of operating system audit trails. It can also include system logs, other logs generated by operating system processes, and contents of system objects not reflected in the standard operating system audit and logging mechanisms.
- It can be expensive: uses CPU cycles, uses disk cycles
- It does provide real-time alerts

37 Advantages/Disadvantages
Pros
- Quality of information is very high
- Systems can monitor information access in terms of "who accessed what"
- Systems can map problem activities to a specific user id
- Systems can track behaviour changes associated with misuse
- Systems can operate in encrypted environments AND switched networks
- Density of information is very high
Cons
- Performance is a wild card
- Capture is often highly system specific
- Network activity is not visible to host-based sensors, BUT that is changing
- Hosts are often the target of attack
- Must be platform specific; therefore, management and deployment costs are usually greater than for NIDS

38 Application Based ID
Collects information at the application level. Examples of application-level sources include logs generated by database management software, web servers, or firewalls.

39 Advantages/Disadvantages
Pros
- This approach allows targeting of finer grained activities on the system (e.g. one can monitor for a user utilizing a particular application feature)
Cons
- Application layer vulnerabilities can undermine the integrity of application based monitoring and detection approaches