Sayantan Chakraborty
sayantan@nsd.org.in
9051 4848 43
First Part: Firewall
Firewall
Types of Firewall
Firewall Identification
Banner Grabbing
Port Scanning
Firewall ports
Breaching and bypassing firewall
Firewall and Firewall Types
Circuit Level
A circuit-level gateway also provides protection and
anonymity for the hosts behind it, but without
application-specific proxy software
It sets up a circuit (a relayed TCP session) between
the client and the server that carries the traffic
through the firewall
Operates at the session layer (OSI layer 5, just above
the transport layer), vetting TCP connections rather
than individual packets
Because the application layer is not inspected, it is
faster than an application-level proxy and can
accommodate many different protocols; the trade-off is
that it cannot see the content of the session
Checks that the client completes a valid TCP handshake
and then compares the intended connection (source,
destination, port) against a list of acceptable and
unacceptable connections
Packet Level Filtering Firewall
True positive
A valid anomaly was detected, and an alarm
was generated.
True negative
No anomaly was present, and no alarm was
generated
False positive
No anomaly was present, but an alarm was
generated
False negative
A valid anomaly was present, and no alarm
was generated
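The four outcomes above are the cells of a confusion matrix, and the rates derived from them are how a sensor is actually judged. The following added example (not from the slides) scores a stream of labelled events and shows the effect of the attack base rate: with 10 real attacks among 10,000 events, a sensor with 90% detection and a 1% false-alarm rate still produces eleven alarms for every real attack. The event sample is constructed.

```python
"""Scoring an IDS against ground truth: count TP/TN/FP/FN for a stream of
labelled events and derive the rates an analyst cares about, including
precision, which a low attack base rate destroys.
Added example (not from the slides); the event sample is constructed."""
from collections import Counter


def score(events):
    """events: iterable of (is_attack, alarm_raised) pairs, one per event."""
    counts = Counter({"TP": 0, "TN": 0, "FP": 0, "FN": 0})
    for is_attack, alarmed in events:
        if is_attack:
            counts["TP" if alarmed else "FN"] += 1   # attack present
        else:
            counts["FP" if alarmed else "TN"] += 1   # no attack present
    return dict(counts)


def _ratio(a, b):
    return a / b if b else 0.0


def rates(counts):
    tp, tn, fp, fn = (counts[k] for k in ("TP", "TN", "FP", "FN"))
    return {
        "detection_rate": _ratio(tp, tp + fn),     # share of real attacks alarmed on
        "false_alarm_rate": _ratio(fp, fp + tn),   # share of benign events alarmed on
        "precision": _ratio(tp, tp + fp),          # share of alarms that are real
    }


# Constructed sample: 10 attacks among 10,000 events, a sensor with 90%
# detection and roughly 1% false alarms
SAMPLE = ([(True, True)] * 9 + [(True, False)]
          + [(False, True)] * 100 + [(False, False)] * 9890)


def demo():
    """Return the confusion counts and rates for the constructed sample."""
    counts = score(SAMPLE)
    return counts, rates(counts)
```

Run `demo()`: the detection rate is 0.9 and the false-alarm rate about 0.01, yet precision is 9/109, so fewer than one alarm in ten is worth an analyst's time. Halving the false-alarm rate matters far more here than raising the detection rate.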
Using an IDS in a Switched
Environment
A packet moving across a switched network arrives at a
switch
The switch forwards it through a temporary connection
to the destination port only; the other ports never see it
Because no single port sees all the traffic, IDS sensors
must be placed at every location where the traffic to be
monitored passes, or the switch must copy that traffic
to the sensor through a mirror (SPAN) port or a network
TAP. A SPAN port can silently drop packets when it is
oversubscribed; a TAP does not.
This differs from a network hub, which repeats every
incoming packet to every port, making all the traffic
available to a sensor on any port
Evading IDSs
Fragmentation overlap
The attacker sends IP fragments (or TCP segments) whose
data ranges overlap, so that a later fragment rewrites
bytes of an earlier one. If the sensor and the target host
resolve the overlap differently (first copy wins versus
last copy wins), the sensor reassembles a different
stream from the one the host actually processes
Denial of Service
Flooding the sensor with more traffic (or more alerts)
than it can process makes it drop packets, allowing the
real attack to slip through unexamined
Session splicing
The attack data is spread over many small packets, each
carrying only a piece of the signature, so a sensor that
matches patterns packet by packet, without reassembling
the stream, never sees the complete attack signature
Evading IDSs
Polymorphic code
If the attack payload is encoded differently on every
transmission (for example XORed with a fresh key) and a
small decoder stub restores it on the target, the bytes
on the wire keep changing and never match a fixed
pattern in the attack signature database
Insertion
In an insertion attack the attacker sends packets that
the IDS accepts but the target host rejects, for example
packets whose TTL is too small to reach the host or whose
TCP checksum is wrong. The IDS includes the inserted
bytes in its reconstruction of the session, so the attack
signature is broken up and does not match, while the host
receives the attack intact. Evasion is the converse: the
host accepts packets that the IDS discards. Both
desynchronise the sensor's view of the stream from the
host's.
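The two slides above describe the same failure from different angles: a sensor's view of a TCP stream differs from the target's. The following added example (not from the slides) is a toy reassembler and signature matcher that reproduces session splicing, fragmentation overlap, TTL-based insertion and a polymorphic (XOR-encoded) payload. The signature `/etc/passwd`, the segments, the TTL values and the hop counts are all constructed for the demonstration.

```python
"""Toy stream reassembler showing why packet-by-packet signature matching
fails against session splicing, overlapping fragments and insertion, and
why a polymorphic payload defeats a fixed byte signature.
Added example (not from the slides); packets and the signature are constructed."""
from dataclasses import dataclass

SIGNATURE = b"/etc/passwd"          # the byte pattern the toy IDS looks for


@dataclass
class Segment:
    seq: int            # offset of this data within the TCP stream
    data: bytes
    ttl: int = 64       # IP TTL of the packet carrying it


def per_packet_match(segments):
    """Naive sensor: inspects every packet on its own, never reassembles."""
    return any(SIGNATURE in s.data for s in segments)


def reassemble(segments, policy="first", hops_to_host=None):
    """Rebuild the stream as a host (or a reassembling sensor) would.

    policy        which copy wins when two segments cover the same offset:
                  "first" keeps the earlier-arriving bytes, "last" the later
                  ones (real stacks differ; that difference is the overlap evasion)
    hops_to_host  router hops to the target; a packet whose TTL expires
                  before arrival is dropped, because the target never sees it
    """
    stream = {}
    for s in segments:                          # arrival order matters
        if hops_to_host is not None and s.ttl <= hops_to_host:
            continue                            # expires in transit
        for i, byte in enumerate(s.data):
            off = s.seq + i
            if policy == "first" and off in stream:
                continue
            stream[off] = byte
    if not stream:
        return b""
    return bytes(stream.get(i, 0) for i in range(max(stream) + 1))


def splicing_demo():
    """Signature split over three tiny segments: the naive sensor misses it."""
    segs = [Segment(0, b"GET /et"), Segment(7, b"c/pass"), Segment(13, b"wd HTTP/1.0\r\n")]
    return per_packet_match(segs), SIGNATURE in reassemble(segs)


def overlap_demo():
    """The second segment rewrites the two 'X' bytes. A sensor that favours the
    first copy sees '/etc/passXX'; a host that favours the last sees '/etc/passwd'."""
    segs = [Segment(0, b"GET /etc/passXX"), Segment(13, b"wd")]
    return {p: SIGNATURE in reassemble(segs, policy=p) for p in ("first", "last")}


def insertion_demo():
    """The TTL-2 segment reaches a sensor one hop away but expires before the
    host three hops away. A sensor that ignores TTL keeps the inserted 'XXX'
    and loses the signature; the host never sees those bytes at all."""
    segs = [Segment(0, b"GET /etc/pas"), Segment(12, b"XXX", ttl=2),
            Segment(12, b"swd HTTP/1.0\r\n")]
    sensor_sees = SIGNATURE in reassemble(segs, policy="first")
    host_sees = SIGNATURE in reassemble(segs, policy="first", hops_to_host=3)
    return sensor_sees, host_sees


def polymorphic_demo(key):
    """XOR-encode the payload with a per-transmission key: the bytes on the wire
    change with the key, but a decoder on the target restores the original."""
    payload = b"cat /etc/passwd"
    wire = bytes(b ^ key for b in payload)
    decoded = bytes(b ^ key for b in wire)
    return SIGNATURE in wire, SIGNATURE in decoded
```

Each demo returns what the sensor sees alongside what the host sees; the evasion works whenever the two disagree. The fix on the sensor side is the one Fragroute-era research settled on: reassemble the way the target's stack does (Snort's `frag3` and `stream5` preprocessors take a per-host policy for exactly this reason) and drop packets the target cannot have received.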
Tools for Evading and Testing IDSs
IDSWakeup
This IDS test tool is a suite of programs that
generates simulated attacks mimicking well-known ones
and sends them at the IDS to determine whether the IDS
detects them
Because the attacks are only simulated, the alarms they
raise are by construction false positives; the test
shows which signatures fire on the attack patterns and
how the IDS behaves while they are firing
IDS Informer
Useful tool for testing inline and passive IDS
and intrusion prevention systems
Stateful tool that completes TCP three-way handshakes,
so it can identify the packets responsible for each
attack and evaluate the placement and architecture of
the IDS/IPS
IDS Informer maintains a database of attacks which are
replayed and compared with the intrusions the IDS/IPS
reports, to determine the robustness of the IDS/IPS
devices
Tools for Evading and Testing IDSs
Evasion gateway
The evasion gateway is now called Karlon Traffic
Gateway; it comprises a suite of evasion techniques
used to test network IDSs
It also provides Fragrouter-like capabilities on
Windows platforms
Fragroute
Fragroute gives an attacker the ability to fragment,
reorder, duplicate and delay packets before transmission
To match a signature, a network-based IDS has to
reassemble all the fragments into the original message
before it can recognise the attack pattern
A sensor that does not reassemble, or that reassembles
differently from the target host, can be bypassed by the
fragmented packets
Intrusion Prevention Systems
An intrusion prevention system (IPS) not only detects
intrusions but also takes steps (dropping packets,
resetting connections, blocking sources) to stop the
attack in progress
Intrusion prevention systems are not perfect and can be
costly to implement on a large-scale network; on an
inline IPS a false positive blocks legitimate traffic
rather than merely raising an alert
Because an IPS inspects traffic at multiple layers of
the OSI model, its throughput is lower than that of
conventional IDS and firewall approaches
Snort 2.x (in inline mode) and Cisco Security Agent are
examples of IPS systems
SNORT 2.x (www.snort.org)
Snort operates in the following four modes
Sniffer mode (snort -v). Snort reads packets from the
network and prints them to the console in a continuous
stream.
Packet Logger mode (snort -l <logdir>). Snort logs the
packets and stores them on disk.
Network Intrusion Detection System (NIDS) mode
(snort -c <snort.conf>). Snort monitors and analyses
network traffic, compares it with a user-defined rule
set and takes the action (alert, log, pass) that each
matching rule specifies.
Inline mode (snort -Q, Snort 2.9 and later). Snort sits
in the traffic path and acts as an IPS, passing or
dropping packets according to drop and reject rules.
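NIDS mode is driven by the rule language, and the quickest way to understand what "compares the traffic to a user-defined rule set" means is to implement a subset of it. The following added example (not Snort code and not from the slides) parses the Snort 2 rule header plus the `msg`, `content`, `nocase` and `sid` options, then runs two constructed rules over three constructed packets. It does not handle hex content (`|2F|`), `depth`/`offset`/`flow`/`pcre`, IP lists or port ranges.

```python
"""Minimal Snort-style rule engine: parses a subset of the Snort 2 rule
language (header + msg/content/nocase/sid options) and runs the rules over
constructed packets the way NIDS mode does. Added example, not Snort code;
hex content, flow/pcre/depth/offset modifiers, IP lists and port ranges are
not supported."""
import re
from dataclasses import dataclass, field

RULE_HEADER = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<direction>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    msg: str = ""
    sid: int = 0
    contents: list = field(default_factory=list)   # [bytes, nocase] pairs


def parse_rule(text):
    """Parse one rule line; raises ValueError on anything outside the subset."""
    m = RULE_HEADER.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: " + text)
    rule = Rule(**{k: m.group(k) for k in
                   ("action", "proto", "src", "sport", "direction", "dst", "dport")})
    current = None                         # the content a modifier applies to
    for opt in (o.strip() for o in m.group("opts").split(";")):
        if not opt:
            continue
        key, _, val = opt.partition(":")
        val = val.strip().strip('"')
        if key == "msg":
            rule.msg = val
        elif key == "sid":
            rule.sid = int(val)
        elif key == "content":
            current = [val.encode(), False]
            rule.contents.append(current)
        elif key == "nocase" and current is not None:
            current[1] = True               # modifier binds to the preceding content
    return rule


def _endpoint_ok(rule_value, pkt_value):
    return rule_value == "any" or rule_value == str(pkt_value)


def rule_matches(rule, pkt):
    """pkt is a dict with proto, src, sport, dst, dport and payload (bytes)."""
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    forward = (_endpoint_ok(rule.src, pkt["src"]) and _endpoint_ok(rule.sport, pkt["sport"])
               and _endpoint_ok(rule.dst, pkt["dst"]) and _endpoint_ok(rule.dport, pkt["dport"]))
    reverse = (rule.direction == "<>"
               and _endpoint_ok(rule.src, pkt["dst"]) and _endpoint_ok(rule.sport, pkt["dport"])
               and _endpoint_ok(rule.dst, pkt["src"]) and _endpoint_ok(rule.dport, pkt["sport"]))
    if not (forward or reverse):
        return False
    for needle, nocase in rule.contents:      # every content must be present
        hay = pkt["payload"]
        if nocase:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True


def run_rules(rules, packets):
    """NIDS mode: return (sid, msg) for every alert rule each packet triggers."""
    return [(r.sid, r.msg) for p in packets for r in rules
            if r.action == "alert" and rule_matches(r, p)]


# Constructed rules and packets for the demonstration
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> any 80 (msg:"WEB-MISC /etc/passwd access"; '
    'content:"/etc/passwd"; nocase; sid:1000001; rev:1;)',
    'alert tcp any any -> any 21 (msg:"FTP anonymous login"; '
    'content:"USER anonymous"; sid:1000002; rev:1;)',
)]
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 51234, "dst": "192.0.2.10", "dport": 80,
     "payload": b"GET /../ETC/PASSWD HTTP/1.0\r\n"},        # fires only because of nocase
    {"proto": "tcp", "src": "10.0.0.5", "sport": 51235, "dst": "192.0.2.10", "dport": 443,
     "payload": b"GET /etc/passwd HTTP/1.0\r\n"},           # wrong port: no alert
    {"proto": "tcp", "src": "10.0.0.6", "sport": 40000, "dst": "192.0.2.11", "dport": 21,
     "payload": b"USER anonymous\r\n"},
]


def demo():
    """Run the constructed rule set over the constructed packets."""
    return run_rules(RULES, PACKETS)
```

Note that the second packet carries the exact signature and is not alerted on, because the rule's header restricts it to port 80: in Snort the header is a pre-filter that the payload options never override, which is why a rule written for port 80 says nothing about the same attack over 443 or 8080.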
Cisco Security Agent
Cisco Security Agent (CSA) is a rule-based host
(endpoint) intrusion prevention system that monitors
application, system and network activity on the host
for behaviours that indicate an attack scenario
CSA contains the following elements
A Management Center, which includes the control
program to detect intrusions, coordinate with other
network security devices, and apply the CSA personal
firewall policy
An MS SQL database storage backend, for holding
configuration data and alert information
A software Agent that resides on each computer to be
defended, logs anomalous events, sends this data to the
Management Center, and receives rule updates from the
Management Center
Computer Incident Response
Team
1. PREPARE
a. Establish policies and procedures for responding to
intrusions
b. Prepare to respond to intrusions
2. HANDLE
a. Analyze all available information to characterize an intrusion.
b. Communicate with all parties that need to be made aware of
an intrusion and its progress.
c. Collect and protect information associated with an intrusion.
d. Apply short-term solutions to contain an intrusion.
e. Eliminate all means of intruder access.
f. Return systems to normal operation.
3. FOLLOW UP
a. Identify security lessons learned.
b. Implement security lessons learned
Honeypots
A honeypot is a monitored decoy used to lure attackers
away from critical resources and, at the same time, a
tool for analysing an attacker's methods and
characteristics. Because it has no production purpose,
any traffic that reaches it is suspect by definition.
Research mode
In research mode, a honeypot characterises attack
environments by collecting data on attacker motivations,
attack trends, and emerging threats.
Production mode
In production mode, a honeypot is used to prevent,
detect, and respond to attacks.
Prevention is accomplished through deterrence, slowing
down the scans attackers run, and diverting an attacker
to interact with the honeypot rather than with production
systems.
Honeypots (continued)
Production mode (continued)
A honeypot can also detect attacks that signature-based
sensors miss: it captures polymorphic code and novel
attacks, it sees attacks carried inside encrypted
sessions because the honeypot itself is the endpoint that
decrypts them, and the captures yield new attack
signatures.
Honeypots improve the response to attacks by providing a
large amount of valuable, low-noise attack information
for analysis
Honeypots (continued)
Low-interaction honeypot
Provides a minimal emulation of an operating system or
service on the target computer; the attacker never gets
a real shell, so the risk is low, but only the opening
stages of an attack are captured
High-interaction honeypot
Provides a more realistic target for an attacker because
it uses an actual operating system and associated
services
Can acquire more detailed information on the attacker
but is more vulnerable to compromise, so it must be
contained (for example behind a controlling firewall) so
that it cannot be turned against other systems
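As an added example of what "minimal emulation of a service" means in practice (not from the slides and not any real honeypot product), here is a low-interaction telnet-style login honeypot. It emulates only the login prompt: it collects the usernames and passwords an attacker tries, always reports failure, and never hands out a shell. The banner, the peer address and the attacker's input in the usage function are constructed; telnet option negotiation is ignored, so test it with `nc` rather than a real telnet client.

```python
"""Low-interaction telnet-style login honeypot (toy, added example).
Emulates just enough of a telnet login to record the credentials an attacker
tries, then always answers "Login incorrect". The protocol logic is kept
separate from the socket code so it can be exercised without a network."""
import datetime
import socketserver

BANNER = b"Ubuntu 18.04 LTS\r\nlogin: "      # constructed; the emulated OS only
MAX_ATTEMPTS = 3                             # lines of credentials per connection
ATTEMPTS = []                                # in-memory log; a real deployment appends to durable storage


class LoginEmulator:
    """State machine for one connection: alternates username and password prompts."""

    def __init__(self, peer, log):
        self.peer = peer
        self.log = log
        self.user = None
        self.state = "user"

    def start(self):
        return BANNER

    def feed(self, line):
        """Consume one line from the attacker and return the bytes to send back."""
        line = line.rstrip(b"\r\n")
        if self.state == "user":
            self.user = line
            self.state = "pass"
            return b"Password: "
        # state == "pass": record the attempt; the login never succeeds
        self.log.append({
            "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
            "peer": self.peer,
            "user": self.user.decode("utf-8", errors="replace"),
            "password": line.decode("utf-8", errors="replace"),
        })
        self.state = "user"
        return b"\r\nLogin incorrect\r\nlogin: "


class Handler(socketserver.StreamRequestHandler):
    """Socket glue: one emulator per connection, bounded number of attempts."""

    def handle(self):
        emu = LoginEmulator(self.client_address[0], ATTEMPTS)
        self.wfile.write(emu.start())
        for _ in range(MAX_ATTEMPTS * 2):      # each attempt is two lines
            line = self.rfile.readline()
            if not line:
                break                          # attacker disconnected
            self.wfile.write(emu.feed(line))


def simulate(peer, lines, log=None):
    """Drive the emulator with a constructed attacker script, no network needed.
    Returns (replies sent, credential records captured)."""
    log = [] if log is None else log
    emu = LoginEmulator(peer, log)
    replies = [emu.start()] + [emu.feed(line) for line in lines]
    return replies, log


if __name__ == "__main__":
    import sys
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 2323
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("0.0.0.0", port), Handler) as server:
        server.serve_forever()
```

Two design points carry over to real deployments: the emulator never branches on the credentials, so there is no path by which the attacker reaches anything real, and the per-connection attempt cap plus the in-memory log bound the resources a flood of connections can consume. Everything a low-interaction honeypot learns is in that log; a high-interaction one would let the session continue into a real (contained) system.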
Honeypot Applications