Intrusion Detection System (IDS) Outline • Host-based IDS – Tripwire • Network IDS – Snort • How to defeat an IDS
Intrusion Detection System (IDS) Host-based IDS – Tripwire Tripwire is a very popular system integrity checker, a utility that compares properties of designated files and directories against information stored in a previously generated database. Any changes to these files are flagged and logged, including files that were added or deleted, with optional email and pager reporting. Support files (databases, reports, etc.) are cryptographically signed.
Intrusion Detection System (IDS) Host-based IDS – Tripwire Lab 7: install the Tripwire IDS to monitor the integrity of the data on your hosts.
Intrusion Detection System (IDS) Network IDS – Snort Snort is a lightweight network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
Intrusion Detection System (IDS) Network IDS – Snort Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plugin architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user specified file, a UNIX socket, or WinPopup messages to Windows clients using Samba's smbclient.
Intrusion Detection System (IDS) Network IDS – Snort Snort has three primary uses. It can be used as a straight packet sniffer like tcpdump(1), a packet logger (useful for network traffic debugging, etc.), or as a full-blown network intrusion detection system.
Intrusion Detection System (IDS) Network IDS – Snort Snort is a very flexible tool. You can customize the rulesets to suit your needs. We have given only a very simple introduction in this workshop. For more details on writing rules, see http://www.snort.org/docs/writing_rules/
Intrusion Detection System (IDS) Network IDS – Snort Lab 7: Install a Snort IDS on your host and use the Nessus network scanner to test your Snort IDS.
Intrusion Detection System (IDS) How to defeat a Network IDS • Insertion Attack Insert packets that the end-point server will ignore but that the IDS picks up as valid packets. An attacker can use insertion attacks to defeat signature analysis, allowing her to slip attacks past an IDS.
Intrusion Detection System (IDS) How to defeat a Network IDS • Insertion Attack E.g. the signature of the phf attack may be something like ``GET /cgi-bin/phf?''. We may insert extra packets such that the IDS sees the stream as ``GET /cgi-bin/pleasedontdetecttthisforme?'' while the end-point server still reads it as ``GET /cgi-bin/phf?''.
Intrusion Detection System (IDS) How to defeat a Network IDS • Insertion Attack Techniques: • Using invalid sequence numbers. Most IDS do not check sequence numbers. Packets with invalid sequence numbers are rejected by end-point servers but may be picked up by these IDS.
Intrusion Detection System (IDS) How to defeat a Network IDS • Insertion Attack Techniques: • Using incorrect TCP checksums. Most IDS do not check TCP checksums. Packets with incorrect TCP checksums are rejected by end-point servers but may be picked up by these IDS.
Intrusion Detection System (IDS) How to defeat a Network IDS • Insertion Attack Techniques: • Using short TTL. If the IDS sits on the network many hops away from the end-point servers, short-TTL packets will be dropped before they reach the end-point servers. We can tune the inserted packets' TTL such that they pass the IDS but are dropped before the end-point servers.
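The defensive counterpart of the checksum technique above is an IDS that discards what the end host would discard before it matches signatures. The following Python is an added example written for this page (not Snort code and not from the slides): it computes the TCP checksum over the IPv4 pseudo-header, builds a constructed three-segment stream in which the middle segment carries a bad checksum, and reassembles the stream twice, once ignoring checksums and once verifying them. The "first segment seen for a sequence number wins" rule is an assumed simplification of real TCP reassembly; the signature string is the one the slides use.

```python
import struct


def _ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the segment, with the
    segment's own checksum field (bytes 16-17) treated as zero."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~_ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def checksum_ok(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    stored = struct.unpack("!H", segment[16:18])[0]
    return stored == tcp_checksum(src_ip, dst_ip, segment)


def build_segment(src_ip, dst_ip, sport, dport, seq, payload, corrupt=False):
    """Minimal 20-byte TCP header (no options, PSH|ACK) plus payload.
    corrupt=True flips one checksum bit, so a real end host would drop it."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    segment = header + payload
    csum = tcp_checksum(src_ip, dst_ip, segment)
    if corrupt:
        csum ^= 1
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def reassemble_stream(src_ip, dst_ip, segments, verify_checksum):
    """Rebuild the application data as a simple IDS would: the first segment
    seen for a sequence number wins (simplification). With verify_checksum=True
    the segments the end host would reject never enter the reassembly buffer."""
    seen = {}
    for seg in segments:
        if verify_checksum and not checksum_ok(src_ip, dst_ip, seg):
            continue
        seq = struct.unpack("!I", seg[4:8])[0]
        seen.setdefault(seq, seg[20:])
    return b"".join(seen[s] for s in sorted(seen))


SIGNATURE = b"GET /cgi-bin/phf?"   # the example signature from the slides


def insertion_demo():
    """Constructed stream: a valid prefix, a bad-checksum filler segment, and
    the valid continuation at the same sequence number."""
    src, dst = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 80])
    stream = [
        build_segment(src, dst, 40000, 80, 1000, b"GET /cgi-bin/"),
        build_segment(src, dst, 40000, 80, 1013, b"pleasedont", corrupt=True),
        build_segment(src, dst, 40000, 80, 1013, b"phf?"),
    ]
    naive = reassemble_stream(src, dst, stream, verify_checksum=False)
    strict = reassemble_stream(src, dst, stream, verify_checksum=True)
    return {
        "naive": naive, "strict": strict,
        "naive_alerts": SIGNATURE in naive,
        "strict_alerts": SIGNATURE in strict,
    }


if __name__ == "__main__":
    for k, v in insertion_demo().items():
        print(k, v)
```

The naive reassembly produces ``GET /cgi-bin/pleasedont`` and never alerts, while the checksum-verifying reassembly produces exactly what the end host reads. The same structure applies to the sequence-number and TTL techniques: the IDS needs the same acceptance rules as the host it protects.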
Intrusion Detection System (IDS) How to defeat a Network IDS • Evasion Attack An end-system can accept a packet that an IDS rejects. An IDS that mistakenly rejects such a packet misses its contents entirely. E.g. the packets of ``GET /cgi-bin/phf?'' may show up as ``GET /gin/f'' in IDS detection.
Intrusion Detection System (IDS) How to defeat a Network IDS • Evasion Attack Techniques • Some IDS can only keep track of one host/port connection at a time. Flood the target port with SYN packets for non-existent connections first, so that these IDS ignore the real connection afterwards.
Intrusion Detection System (IDS) How to defeat a Network IDS • Evasion Attack Techniques • IP fragmentation: sending fragments out of order. Some IDS assume that fragments arrive in order; they reassemble the data as soon as the fragment marked as final arrives. Sending fragments out of order may fool these IDS.
Intrusion Detection System (IDS) How to defeat a Network IDS • Evasion Attack Techniques • Sending overlapping fragments. There may be a gap between how the IDS and the end-point server handle overlapping fragments. If the IDS does not handle overlapping fragments in a manner consistent with the systems it watches, it may, given a stream of fragments, reassemble a completely different packet than an end system in receipt of the same fragments.
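To make the two fragmentation points concrete from the IDS side, here is an added Python example (not from the slides or any IDS project). It contrasts a weak reassembler that finalizes as soon as the last-marked fragment shows up with a hole-tracking reassembler that waits until every byte is present, and it takes an explicit overlap policy so it can be configured to match the host it watches. Byte offsets are used instead of IP's 8-byte units, and the fragment sets are constructed for the demonstration.

```python
from dataclasses import dataclass


@dataclass
class Fragment:
    offset: int     # byte offset into the original datagram (simplification: IP uses 8-byte units)
    more: bool      # the IP "More Fragments" flag
    data: bytes


def reassemble_naive(fragments):
    """Weak reassembler: concatenates fragments in arrival order and finishes
    as soon as a fragment with MF=0 is seen, assuming everything has arrived."""
    buf = b""
    for f in fragments:
        buf += f.data
        if not f.more:
            return buf
    return None     # no final fragment seen yet


def reassemble_fragments(fragments, overlap="first"):
    """Hole-tracking reassembler. Returns None until every byte up to the end
    marked by the MF=0 fragment is present, regardless of arrival order.
    overlap decides which copy wins where fragments overlap: "first" keeps the
    earliest arrival, "last" keeps the latest; set it to match the end host."""
    total = None
    bytes_at = {}
    for f in fragments:
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if overlap == "last" or pos not in bytes_at:
                bytes_at[pos] = b
        if not f.more:
            total = f.offset + len(f.data)
    if total is None or any(p not in bytes_at for p in range(total)):
        return None
    return bytes(bytes_at[p] for p in range(total))


def fragment_demo():
    """Constructed fragment sets for the request used in the slides."""
    wire = b"GET /cgi-bin/phf?"
    in_order = [Fragment(0, True, wire[:8]), Fragment(8, True, wire[8:16]),
                Fragment(16, False, wire[16:])]
    out_of_order = [in_order[2], in_order[1], in_order[0]]
    overlapping = [Fragment(0, True, wire[:13]), Fragment(13, True, b"ABCD"),
                   Fragment(13, False, b"phf?")]
    return {
        "naive_out_of_order": reassemble_naive(out_of_order),
        "strict_out_of_order": reassemble_fragments(out_of_order),
        "overlap_first_wins": reassemble_fragments(overlapping, "first"),
        "overlap_last_wins": reassemble_fragments(overlapping, "last"),
    }


if __name__ == "__main__":
    for k, v in fragment_demo().items():
        print(k, v)
```

The naive reassembler returns just ``?`` for the out-of-order set, so no signature can match; the hole-tracking one returns the full request. For the overlapping set the two policies yield different datagrams, which is why a reassembler that cannot be aligned with the monitored host's policy will sometimes see a different packet than the host does.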
Firewall Outline • Variations on firewall architecture • Setting up network layer firewalls • Firewall log • Setting up a private network with NAT
Firewall Firewall In brief, a firewall is typically the first line of defense for any Internet-connected network. What a firewall does and how it behaves depends on what level it operates on. (Those familiar with the OSI model will understand this.) Firewalls generally operate at the network layer (IP), or the application layer, such as HTTP proxies.
Lab 12B: Firewall Firewall Those firewalls at the network layer are often called screening routers. A screening router examines the IP header on each incoming (and possibly outgoing) datagram and determines whether or not it should pass. It makes this determination by comparing key fields such as the source and destination addresses to the policy set by the administrator. Most screening routers will also examine the packet at the next layer (the transport layer), which allows you to create policies based on TCP or UDP port, or ICMP type and code.
Firewall Firewall Firewalls at the application layer are called gateways or proxies, and are designed to understand protocols at this level, such as HTTP or telnet. Application gateways are useful because they can offer very high level control over traffic, and so they are in some ways more secure than screening routers. For example, an application gateway may choose to filter all HTTP POST commands. Most importantly, gateways can maintain logging specific to application layer protocols. A paranoid (and privacy-ignorant) company may choose to have all mail pass through a gateway to log the To, From, and Subject fields of the header, for instance.
Firewall Variations on Firewall Architecture • Single layer firewall architecture • Two layer firewall architecture • Merged interior and exterior firewall architecture • Two layer firewall architecture with two internal networks • Two layer firewall architecture with merged bastion host and exterior firewall
Firewall Bastion host A system exposed to the Internet that is expected to come under thorough attack. The term contrasts with those hosts that are inside a firewall's protection. DMZ (Demilitarized Zone) In firewalls, a DMZ is an area that is mostly public to the Internet. This is where a company's web, e-mail, and DNS servers are located. A DMZ often has some limited protection, but since it is very exposed to the Internet, the assumption is that the machines in the zone will eventually be compromised. Therefore, the machines often have as little connectivity to the private network as any other machine from the Internet.
Firewall Type A: Single layer firewall architecture
Lab 12B: Firewall Type B: Two layer firewall architecture
Firewall Type C: Merged interior and exterior firewall architecture
Firewall Type D: Two layer firewall architecture with two internal networks
Firewall Type E: Two layer firewall architecture with merged bastion host and exterior firewall
Firewall Lab 8: Deploy firewall on your host using ipchains
Firewall Linux firewall log All the traffic going through the firewall is part of a connection. A connection consists of the pair of IP addresses that are talking to each other, as well as a pair of port numbers. The destination port number often indicates the type of service being connected to. When a firewall blocks a connection, it will save the destination port number to its logfile.
Firewall Linux firewall log Here is an example: Packet log: input DENY eth0 PROTO=17 192.168.2.1:53 192.168.1.1:1025 L=34 S=0x00 I=18 F=0x0000 T=254 • `input' is the chain which contained the rule which matched the packet, causing the log message. • `DENY' is what the rule said to do to the packet. If this is `-' then the rule didn't affect the packet at all (an accounting rule). • `eth0' is the interface name. Because this was the input chain, it means that the packet came in on `eth0'. • `PROTO=17' means that the packet was protocol 17. A list of protocol numbers is given in `/etc/protocols'. The most common are 1 (ICMP), 6 (TCP) and 17 (UDP).
Firewall Linux firewall log • `192.168.2.1' means that the packet's source IP address was 192.168.2.1. • `:53' means that the source port was port 53. Looking in `/etc/services' shows that this is the `domain' port (i.e. this is probably a DNS reply). For UDP and TCP, this number is the source port. For ICMP, it's the ICMP type. For others, it will be 65535. • `192.168.1.1' is the destination IP address.
Firewall Linux firewall log • `:1025' means that the destination port was 1025. For UDP and TCP, this number is the destination port. For ICMP, it's the ICMP code. For others, it will be 65535. • `L=34' means that the packet was a total of 34 bytes long. • `S=0x00' is the Type of Service field (divide by 4 to get the Type of Service as used by ipchains). • `I=18' is the IP ID.
Firewall Linux firewall log • `F=0x0000' is the 16-bit fragment offset plus flags. A value starting with `0x4' or `0x5' means that the Don't Fragment bit is set. `0x2' or `0x3' means the `More Fragments' bit is set; expect more fragments after this. The rest of the number is the offset of this fragment, divided by 8.
Firewall Linux firewall log • `T=254' is the Time To Live of the packet. One is subtracted from this value for every hop, and it usually starts at 15 or 255. • `(#5)' there may be a final number in brackets on more recent kernels (perhaps after 2.2.9). This is the number of the rule which caused the packet to be logged.
Firewall Linux firewall log Here is another example: Feb 26 11:15:56 iegatea0 kernel: Packet log: input DENY eth0 PROTO=6 200.223.111.242:1956 137.189.97.67:25 L=60 S=0x60 I=59731 F=0x4000 T=42 SYN (#77) The TCP SYN packet of an SMTP (port 25) access to the host 137.189.97.67 from the host 200.223.111.242, client port 1956, was blocked by ipchains rule #77.
Firewall Linux firewall log Port numbers are divided into three ranges: • The Well Known Ports are those from 0 through 1023. These are tightly bound to services, and usually traffic on this port clearly indicates the protocol for that service. For example, port 80 virtually always indicates HTTP traffic. • The Registered Ports are those from 1024 through 49151. These are loosely bound to services, which means that while there are numerous services "bound" to these ports, these ports are likewise used for many other purposes. For example, most systems start handing out dynamic ports starting around 1024.
Firewall Linux firewall log Port numbers are divided into three ranges: • The Dynamic and/or Private Ports are those from 49152 through 65535. In theory, no service should be assigned to these ports. In reality, machines start assigning "dynamic" ports starting at 1024. We also see strangeness, such as Sun starting their RPC ports at 32768. For a complete list of port assignments, refer to http://www.iana.org/assignments/port-numbers
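The field-by-field walk through the ipchains packet log above is exactly what a small parser has to do when you want to count which services are being probed. The Python below is an added example, not part of the slides or of ipchains: it parses the `Packet log:` line format described above, decodes the `F=` word into the Don't Fragment and More Fragments bits and the byte offset, classifies the destination port into the three IANA ranges, and tallies denied events per (protocol, destination port). The sample log consists of the two lines from the slides plus one constructed ICMP line.

```python
import re
from collections import Counter

# Matches the ipchains "Packet log:" format explained in the slides, with or
# without the syslog prefix and the trailing TCP flag words and "(#rule)".
PACKET_LOG = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)"
    r"(?P<flags>(?: [A-Z]+)*)(?: \(#(?P<rule>\d+)\))?"
)

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Two lines taken from the slides, plus a constructed ICMP echo-request line.
SAMPLE_LOG = [
    "Packet log: input DENY eth0 PROTO=17 192.168.2.1:53 192.168.1.1:1025 "
    "L=34 S=0x00 I=18 F=0x0000 T=254",
    "Feb 26 11:15:56 iegatea0 kernel: Packet log: input DENY eth0 PROTO=6 "
    "200.223.111.242:1956 137.189.97.67:25 L=60 S=0x60 I=59731 F=0x4000 T=42 SYN (#77)",
    "Packet log: input DENY eth0 PROTO=1 10.0.0.9:8 192.168.1.1:0 "
    "L=84 S=0x00 I=7 F=0x0000 T=64",   # constructed: ICMP type 8, code 0
]


def port_class(port: int) -> str:
    """IANA port ranges as listed in the slides."""
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


def parse_packet_log(line: str):
    """Return a dict of decoded fields, or None if the line is not a packet log."""
    m = PACKET_LOG.search(line)
    if not m:
        return None
    proto = int(m["proto"])
    frag = int(m["frag"], 16)
    rec = {
        "chain": m["chain"], "action": m["action"], "iface": m["iface"],
        "proto": proto, "proto_name": PROTO_NAMES.get(proto, str(proto)),
        "src": m["src"], "dst": m["dst"],
        "length": int(m["length"]),
        "tos": int(m["tos"], 16),
        "tos_ipchains": int(m["tos"], 16) // 4,     # "divide by 4", per the slides
        "ipid": int(m["ipid"]), "ttl": int(m["ttl"]),
        "dont_fragment": bool(frag & 0x4000),       # the 0x4/0x5 leading digit
        "more_fragments": bool(frag & 0x2000),      # the 0x2/0x3 leading digit
        "frag_offset": (frag & 0x1FFF) * 8,         # offset field is in 8-byte units
        "tcp_flags": m["flags"].split(),
        "rule": int(m["rule"]) if m["rule"] else None,
    }
    if proto == 1:   # for ICMP the two "port" fields carry type and code
        rec["icmp_type"], rec["icmp_code"] = int(m["sport"]), int(m["dport"])
    else:
        rec["sport"], rec["dport"] = int(m["sport"]), int(m["dport"])
        rec["dport_class"] = port_class(rec["dport"])
    return rec


def blocked_services(lines):
    """Count blocked events per (protocol, destination port): the destination
    port is what tells you which service was being connected to."""
    counts = Counter()
    for line in lines:
        rec = parse_packet_log(line)
        if rec and rec["action"] in ("DENY", "REJECT") and "dport" in rec:
            counts[(rec["proto_name"], rec["dport"])] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_packet_log(line))
    print(blocked_services(SAMPLE_LOG))
```

Running it over a real `/var/log/messages` is a matter of feeding the file's lines to `blocked_services`; lines that are not packet logs are skipped by the regex.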
Firewall Setting private network with IP Masquerade IP Masquerade is a networking function in Linux similar to the one-to-many (1:Many) NAT (Network Address Translation) servers found in many commercial firewalls and network routers.
Firewall Setting private network with IP Masquerade MASQ allows a set of machines to invisibly access the Internet via the MASQ gateway. To other machines on the Internet, the outgoing traffic will appear to be from the IP MASQ Linux server itself. In addition to the added functionality, IP Masquerade provides the foundation to create a HEAVILY secured networking environment. With a well built firewall, breaking the security of a well configured masquerading system and internal LAN should be considerably difficult to accomplish.
Firewall Setting private network with IP Masquerade e.g. /sbin/ipchains -A forward -s 192.168.0.0/16 -j MASQ This rule allows all clients in the private network 192.168.0.0/16 to be masqueraded by the Linux masquerade gateway.
Firewall Setting private network with iptables NAT Linux iptables provides two different types of NAT: Source NAT (SNAT) and Destination NAT (DNAT). • Source NAT is when you alter the source address of the first packet: i.e. you are changing where the connection is coming from. Masquerading is a specialized form of SNAT. • Destination NAT is when you alter the destination address of the first packet: i.e. you are changing where the connection is going to. Port forwarding, load sharing, and transparent proxying are all forms of DNAT.
Firewall Setting private network with iptables NAT Example of source NAT: ## Change source addresses to 1.2.3.4. # iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4 Example of destination NAT: ## Change destination addresses to 5.6.7.8 # iptables -t nat -A PREROUTING -i eth1 -j DNAT --to 5.6.7.8
Network Address Translation (NAT) (Linux calls it masquerading) Diagram: a client at 10.42.6.9 reaches a server at 35.9.20.20 through a NAT box in between.
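To show what the masquerade and SNAT/DNAT rules above actually do to a connection, here is an added Python model of a masquerading gateway (hypothetical code written for this page, not the kernel's NAT implementation). Outbound packets from the private network get the gateway's public address and a fresh source port, a connection-tracking table maps the reply back to the internal host, explicit DNAT entries forward inbound ports, and an inbound packet with no mapping is dropped, which is the property the slides describe as making the internal LAN hard to reach. The public address 1.2.3.4 and the private network 192.168.0.0/16 are the values from the slides; the hosts and ports in the demo are constructed.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "TCP"


class NatGateway:
    """Simplified model of a Linux masquerading gateway: SNAT on the way out,
    reverse translation of replies through a connection-tracking table, and
    DNAT (port forwarding) for inbound connections that have an explicit rule."""

    def __init__(self, public_ip: str, private_net: str):
        self.public_ip = public_ip
        self.private_net = ipaddress.ip_network(private_net)   # the "-s 192.168.0.0/16" match
        self.conntrack = {}    # (proto, public port) -> (internal ip, internal port)
        self.dnat = {}         # (proto, public port) -> (internal ip, internal port)
        self.next_port = 1024  # next masqueraded source port to hand out

    def add_port_forward(self, proto: str, public_port: int, internal_ip: str, internal_port: int):
        self.dnat[(proto, public_port)] = (internal_ip, internal_port)

    def outbound(self, pkt: Packet):
        """LAN -> Internet: rewrite the source so the packet appears to come from the gateway."""
        if ipaddress.ip_address(pkt.src) not in self.private_net:
            return pkt                      # MASQ rule does not match; forwarded unchanged
        public_port = self.next_port
        self.next_port += 1
        self.conntrack[(pkt.proto, public_port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=public_port)

    def inbound(self, pkt: Packet):
        """Internet -> gateway: un-SNAT a reply, apply DNAT, or drop (None)."""
        if pkt.dst != self.public_ip:
            return None
        key = (pkt.proto, pkt.dport)
        if key in self.conntrack:           # reply to a masqueraded flow
            ip, port = self.conntrack[key]
            return replace(pkt, dst=ip, dport=port)
        if key in self.dnat:                # explicit port forward
            ip, port = self.dnat[key]
            return replace(pkt, dst=ip, dport=port)
        return None                         # unsolicited inbound: no mapping, dropped


def nat_demo():
    gw = NatGateway("1.2.3.4", "192.168.0.0/16")
    gw.add_port_forward("TCP", 8080, "192.168.0.10", 80)
    out = gw.outbound(Packet("192.168.0.5", 40000, "35.9.20.20", 80))
    reply = gw.inbound(Packet("35.9.20.20", 80, "1.2.3.4", out.sport))
    forwarded = gw.inbound(Packet("9.9.9.9", 5555, "1.2.3.4", 8080))
    unsolicited = gw.inbound(Packet("9.9.9.9", 5555, "1.2.3.4", 22))
    return {"out": out, "reply": reply, "forwarded": forwarded, "unsolicited": unsolicited}


if __name__ == "__main__":
    for k, v in nat_demo().items():
        print(k, v)
```

The model follows the slide's wording that NAT alters only the first packet's address and then relies on tracked state; the real `iptables -t nat` rules do the same via the kernel's connection tracking. The DNAT example on the slide rewrites only the address; the model keys forwarding on the destination port as well, which is the port-forwarding form of DNAT the slide lists.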