1

Introduction to firewalls and IDS/IPS

2

firewalls

3

Firewalls

isolates organization’s internal net from larger Internet, allowing some packets to pass, blocking others.

firewall

Internetprivately administered

222.22/16

By conventional definition, a firewall is a partition madeof fireproof material designed to prevent the spreadof fire from one part of a building to another.

4

Firewall goals:

• All traffic from outside to inside and vice-versa passes through the firewall.

• Only authorized traffic, as defined by local security policy, will be allowed to pass.

• The firewall itself is immune to penetration.

5

Firewalls: taxonomy

1. Traditional packet filters

– filters often combined with router, creating a firewall

2. Stateful filters

3. Application gateways

Major firewall vendors:CheckpointCisco PIX

6

Traditional packet filters

• source IP address

• destination IP address

• source port

• destination port

• TCP flag bits

– SYN bit set: datagram for connection initiation

– ACK bit set: part of established connection

• TCP or UDP or ICMP

– Firewalls often configured to block all UDP

• direction

– Is the datagram leaving or entering the internal network?

• router interface

– decisions can be different for different interfaces

Analyzes each datagram going through it; makes dropdecision based on:

7

Filtering Rules - Examples

Policy Firewall Setting

No outside Web access. Drop all outgoing packets to any IP address, port 80

External connections to public Web server only.

Drop all incoming TCP SYN packets to any IP except 222.22.44.203, port 80

Prevent IPTV from eating up the available bandwidth.

Drop all incoming UDP packets - except DNS and router broadcasts.

Prevent your network from being used for a Smurf DoS attack.

Drop all ICMP packets going to a “broadcast” address (eg 222.22.255.255).

Prevent your network from being tracerouted

Drop all outgoing ICMP

8

Access control lists

actionsourceaddres

s

destaddress

protocol

sourceport

destport

flagbit

allow 222.22/16

outside of222.22/16

TCP>

102380

any

allowoutside

of222.22/1

6

222.22/16TCP 80 > 1023 ACK

allow 222.22/16

outside of222.22/16

UDP>

102353 ---

allowoutside

of222.22/1

6

222.22/16UDP 53 > 1023 ----

deny all all all all all all

Apply rules from top to bottom:

Introduction9

Access control lists

• Each router/firewall interface can have its own ACL

• Most firewall vendors provide both command-line and graphical configuration interface

10

Advantages and disadvantages of traditional packet filters

• Advantages

– One screening router can protect entire network

– Can be efficient if filtering rules are kept simple

– Widely available. Almost any router, even Linux boxes

• Disadvantages

– Can possibly be penetrated

– Cannot enforce some policies. For example, permit certain users.

– Rules can get complicated and difficult to test

Case Study: iptables

12

Firewall: iptables

• Converts linux box into a packet filter.

• Included in most linux distributions today.

linuxhost

linuxhost w/iptables

externalnetwork

your job:configure

13

Firewall: iptables

• iptables

– Provides firewall capability to a linux host

– Comes installed with most linux distributions

– Three types of tables: FILTER, NAT, MANGLE

– Let’s only consider FILTER table for now

14

Network or host firewall?

linuxhost w/iptables

Internetprotectednetwork

Network firewall: linux host with 2 interfaces:

Host firewall: linux host with 1 interface:

linuxhost w/iptables

network

filtertable

filtertable

15

Chain types for host firewall

linuxhost w/iptables

network

linuxhost w/iptables

network

INPUTchain

OUTPUTchain

16

INPUT, OUTPUT, FORWARD CHAINS for network firewall

• INPUT chain applies for all packets destined to firewall

• OUTPUT chain applies for all packets originating from firewall

• FORWARD chain applies for all packets passing through firewall.

17

Chain types for network firewall

linuxhost w/iptables

Internetprotectednetwork FORWARD

chain

linuxhost w/iptables

Internetprotectednetwork

linuxhost w/iptables

Internetprotectednetwork

OUTPUTchain

INPUTchain

18

iptables: Example command

iptables –A INPUT –i eth0 –s 232.16.4.0/24 –j ACCEPT

• Sets a rule

– Accepts packets that enter from interface eth0 and have source address in 232.16.4/24

• Kernel applies the rules in order.

– The first rule that matches packet determines the action for that packet

• Append: -A

– Adds rule to bottom of list of existing rules

19

iptables: Example command

iptables –A INPUT –i eth0 –j DENY

• Sets a rule

– Rejects all packets that enter from interface eth0 (except for those accepted by previous rules)

20

iptables: More examples

iptables –L

– list current rules

iptables –F

– flush all rules

iptables –D INPUT 2

– deletes 2nd rule in INPUT chain

iptables –I INPUT 1 –p tcp –tcp-flags SYN –s 232.16.4.0/24 –d 0/0:22 –j ACCEPT

– -I INPUT 1: insert INPUT rule at top

– Accept TCP SYNs to from 232.16.4.0/24 to firewall port 22 (ssh)

21

iptables Options

-p protocol type (tcp, udp, icmp)

-s source IP address & port number

-d dest IP address & port number

-i interface name (lo, ppp0, eth0)

-j target (ACCEPT, DENY)

-l log this packet

--sport source port

--dport dest port

--icmp-type

22

iptable Table types

• FILTER:

– What we have been talking about!

– 3 chain types: INPUT, OUTPUT, and FORWARD

• NAT:

– Hide internal network hosts from outside world. Outside world only sees the gateway’s external IP address, and no other internal IP addresses

– PREROUTING, POSTROUTING, and others

• MANGLE

– Don’t worry about it.

23

Tables, Chains & Rules

• Three types of tables: FILTER, NAT, MANGLE

• A table consists of chains.

– For example, a filter table can have an INPUT chain, OUTPUT chain, and a FORWARD chain.

• A chain consists of a set of rules.

24

Firewall Lab

m1

m3

m2

Configure m2 with iptables.

25

Stateful Filters

• In earlier example, any packet with ACK=1 and source port 80 gets in.

– Attacker could, for example, attempt a malformed packet attack by sending ACK=1 segments

• Stateful filter: Adds more intelligence to the filter decision-making process

– Stateful = remember past packets

– Memory implemented in a very dynamic state table

26

Stateful filters: example

sourceaddress

destaddress

sourceport

destport

222.22.1.7 37.96.87.123 12699 80

222.22.93.2199.1.205.23 37654 80

222.22.65.143 203.77.240.43 48712 80

If rule table indicates that stateful table must be checked:check to see if there is already a connection in stateful table

• Log each TCP connection initiated through firewall: SYN segment• Timeout entries which see no activity for, say, 60 seconds

Stateful filters can also remember outgoing UDP segments

27

Stateful example

actionsourceaddress

destaddress

protosource

portdestport

flagbit

check conxion

allow 222.22/16outside of222.22/16

TCP > 1023 80any

allow outside of222.22/16

222.22/16TCP 80 > 1023 ACK

x

allow 222.22/16outside of222.22/16

UDP > 1023 53 ---

allow outside of222.22/16

222.22/16UDP 53 > 1023 ----

x

deny all all all all all all

1) Packet arrives from outside: SA=37.96.87.123, SP=80,DA=222.22.1.7, DP=12699, SYN=0, ACK=1

2) Check filter table ➜ check stateful table

3) Connection is listed in connection table ➜ let packet through

28

Application gateways(aka proxy gateways)

host-to-gatewayftp session

gateway-to-remote host ftp session

applicationgateway

• Gateway sits between user on inside and server on outside. Instead of talking directly, user and server talk through proxy.

• Allows more fine grained and sophisticated control than packet filtering. For example, ftp server may not allow files greater than a set size.

• A mail server is an example of an application gateway

– Can’t deposit mail in recipient’s mail server without passing through sender’s mail server

29

Configuring clientTools/options/connections/LAN settings/proxies:

30

Advantages and disadvantages of proxy gateways

• Advantages

– Proxy can log all connections, activity in connections

– Proxy can provide caching

– Proxy can do intelligent filtering based on content

– Proxy can perform user-level authentication

• Disadvantages

– Not all services have proxied versions

– May need different proxy server for each service

– Requires modification of client

– Performance

31

Application gateways + packet filter

• Filters packets on application data as well as on IP/TCP/UDP fields.

• Example: allow select internal users to ftp outside.

1. Require all ftp users to ftp through gateway.

2. For authorized users, gateway sets up ftp connection to dest host. Gateway relays data between 2 connections

3. Router filter blocks all ftp connections not originating from gateway.

host-to-gatewayftp session

gateway-to-remote host ftp session

applicationgateway

router and filter

32

Chaining Proxies

proxy 1

proxy 2

33

Demilitarized Zone (DMZ)

Webserver

FTPserver

DNSserver

applicationgateway

Internet

Demilitarized zone

Internalnetwork

firewall

34

Firewalls: Summary

• Filters

– Widely available in routers, linux

• Stateful filters

– Maintains connection state

• Application gateways

– Often implemented with SOCKS today

Intrusion Intrusion Detection/Prevention Detection/Prevention

SystemsSystems

Elements of Intrusion Detection

• Primary assumptions:

– System activities are observable

– Normal and intrusive activities have distinct evidence

• Components of intrusion detection systems:

– From an algorithmic perspective:

• Features - capture intrusion evidences

• Models - piece evidences together

– From a system architecture perspective:

• Various components: audit data processor, knowledge base, decision engine, alarm generation and responses

Components of Intrusion Detection System

Audit Data Preprocessor

Audit Records

Activity Data

Detection Models

Detection Engine

Alarms

Decision Table

Decision EngineAction/Report

system activities are system activities are observableobservable

normal and intrusive normal and intrusive activities have distinct activities have distinct

evidenceevidence

Intrusion Detection Approaches

• Modeling

– Features: evidences extracted from audit data

– Analysis approach: piecing the evidences together

• Misuse detection (a.k.a. signature-based)

• Anomaly detection (a.k.a. statistical-based)

• Deployment: Network-based or Host-based

– Network based: monitor network traffic

– Host based: monitor computer processes

Misuse Detection

Intrusion Patterns

activities

pattern matching

intrusion

Can’t detect new attacks

Example: if (src_ip == dst_ip) then “land attack”

Anomaly Detection

activity measures

0102030405060708090

CPU ProcessSize

normal profile

abnormal

probable intrusion

Relatively high false positive rate • Anomalies can just be new normal activities.• Anomalies caused by other element faults

• E.g., router failure or misconfiguration, P2P misconfiguration

Any problem ?

Host-Based IDSs• Using OS auditing mechanisms

– E.G., BSM on Solaris: logs all direct or indirect events generated by a user

– strace for system calls made by a program (Linux)

• Monitoring user activities– E.G., analyze shell commands

• Problems: user dependent

– Have to install IDS on all user machines !

– Ineffective for large scale attacks

The Spread of Sapphire/Slammer Worms

Network Based IDSs

• At the early stage of the worm, only limited worm samples.

• Host based sensors can only cover limited IP space, which might have scalability issues. Thus they might not be able to detect the worm in its early stage

Gateway routers

Internet

Our network

Host baseddetection

Network IDSs• Deploying sensors at strategic locations

– E.G., Packet sniffing via tcpdump at routers

• Inspecting network traffic

– Watch for violations of protocols and unusual connection patterns

• Monitoring user activities

– Look into the data portions of the packets for malicious code

• May be easily defeated by encryption

– Data portions and some header information can be encrypted

– The decryption engine may still be there, especially for exploit

Architecture of Network IDS

Packet capture libpcapPacket capture libpcap

TCP reassemblyTCP reassembly

Protocol identificationProtocol identification

Packet streamPacket stream

Signature matchingSignature matching(& protocol parsing when needed)(& protocol parsing when needed)

Firewall/Net IPS VS Net IDS• Firewall/IPS

– Active filtering

– Fail-close

• Network IDS

– Passive monitoring

– Fail-open

FW

IDS

Related Tools for Network IDS (I)

• While not an element of Snort, Ethereal is the best open source GUI-based packet viewer

• www.ethereal.com offers:

– Windows

– UNIX, e.g., www.ethereal.com/download.html

– Red Hat Linux RPMs: ftp.ethereal.com/pub/ethereal/rpms/

Related Tools for Network IDS (II)

• Also not an element of Snort, tcpdump is a well-established CLI packet capture tool

– www.tcpdump.org offers UNIX source

– http://www.winpcap.org/windump/ offers windump, a Windows port of tcpdump

• windump is helpful because it will help you see the different interfaces available on your sensor

Case Study: Snort IDS

Snort

1. A packet sniffer: capture and display packets from the network with different levels of detail on the console

2. Packet logger: log data in text file

3. Honeypot monitor: deceiving hostile parties

4. NIDS: network intrusion detection system

Typical locations for snort

Requirement of snort

• lightweight NIDS

• small, flexible

• highly capable system

Snort architecture

From: Nalneesh Gaur, Snort: Planning IDS for your enterprise, http://www.linuxjournal.com/article/4668, 2001.

Snort components

Logical components of snort

• Packet Decoder: takes packets from different types of network interfaces (Ethernet, SLIP,PPP…), prepare packets for processing

• Preprocessor: (1) prepare data for detection engine; (2) detect anomalies in packet headers; (3) packet defragmentation;(4) decode HTTP URI; (5) reassemble TCP streams.

• Detection Engine: the most important part, applies rules to packets

• Logging and Alerting System

• Output Modules: process alerts and logs and generate final output.

TCP/IP layer

Snort work on network (IP) layer, transport (TCP/UDP) layer protocol, and application layer

Physical layer

Detection Engine

※ Requirement

1. Time critical

2. Fast

※Things need to be done for detection engine: •The IP header of the packet

•The transport layer header. TCP, UDP, ICMP etc.

•The application layer level header. Header of DNS, FTP, SNMP, SMTP

•Packet payload

※ How to do these? Apply rules to the packets using a Boyer-Moore string matching algorithm

Detection engine

• Number of rules

• Traffic load on the network

• Speed of network and machine

• Efficiency of detection algorithm

Rules • In a single line

• Rules are created by known intrusion signatures.

• Usually place in snort.conf configuration file.

rule header rule options

Rule examples

Alert will be generated if criteria met

Apply to all ip packets

Source ip address

Source port #

destination ip address

Destination port

Rule options

Rule header

Thank you !