
Firewalls, IDS, Honeypots

Sayantan Chakraborty
sayantan@nsd.org.in
9051 4848 43
First Part Firewall
Firewall
Types of Firewall
Firewall Identification
Banner Grabbing
Port Scanning
Firewall ports
Breaching and bypassing firewall
Firewall and Firewall Types

Firewalls are software or hardware mechanisms that operate at the perimeter of a network and are designed to protect the network from intrusions and unauthorized access.
Firewalls can be of different types:
Proxy Firewall
Packet Filtering Firewall
Stateful Inspection Firewall
OSI Model revisited
Different firewalls work at different layers of the OSI model.
Proxy Firewall

Proxy firewalls fall into two categories:
application level
circuit level

Application level firewall
Implemented by a proxy server program running on a host computer.
This proxy server is sometimes known as an application layer gateway, and it operates at layer 5 of the OSI model.
By hiding the originating server, a proxy server affords additional protection against attackers.
By examining packets at the Application layer, this type of firewall provides additional security but slows processing speeds.
Proxy Firewall

Circuit Level
A circuit level proxy server also provides protection and anonymity to the originating server, but does not use proxy software.
It creates a circuit between the server and client that allows communication through the firewall.
Operates at layer 4 of the OSI model.
Because the application level is not involved, it gives higher speed and accommodates different types of protocol.
Checks whether a client is using a valid TCP protocol and then compares the intended connection to a list of acceptable and unacceptable connections.
Packet Level Filtering Firewall

A packet filtering firewall operates at the Network Layer (layer 3) of the OSI model and provides good processing performance.
Blocks or passes the packet to its intended destination network.
Can allow or deny access to specific applications or services based on an ACL.
The packet is examined for its source and destination addresses, source and destination application ports, direction, TCP flags, and the protocol used in the communication session.

Packet Level Filtering Firewall
Can block specific source addresses.
Can be configured to allow access to ports and services.
A weakness is that it does not maintain state information and, for example, does not know whether a communication session is already in progress or just beginning.
Stateful Inspection Firewalls

The stateful inspection firewall intercepts packets at the Network layer of the OSI model and creates dynamic state tables in which information on the state of existing and incoming connections is stored.
Keeps track of communication sessions already in progress and those attempting to be started.
When a connection is requested from an outside source, the parameters associated with that connection in the TCP and higher levels of the OSI model are examined.

Stateful Inspection Firewalls..
Because of the dynamic state tables and associated processes, stateful inspection firewalls are more complex and tend to function more slowly than other firewalls when the number of connections increases and, consequently, the size of the state tables increases.
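The two designs above, packet filtering and stateful inspection, side by side as a small Python model. This is an added example, not code from the slides: the Packet and Rule classes, the 10.0.0.x and 203.0.113.x addresses and the "internal hosts may browse the web" policy are all constructed for illustration. It shows the weakness the packet filtering slide names: the stateless filter's only way to admit reply traffic is a rule such as "source port 80 with ACK set", and that rule also admits an unsolicited inbound ACK aimed at port 445, while the stateful version admits replies only for sessions it saw start.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """The fields a packet filter examines (constructed model, not real IP/TCP headers)."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    flags: FrozenSet[str]   # TCP flags set on the packet, e.g. {"SYN"} or {"SYN", "ACK"}
    direction: str          # "in" (untrusted -> trusted) or "out"


@dataclass(frozen=True)
class Rule:
    """One ACL entry; None means 'any'. Every flag listed in `flags` must be set."""
    action: str
    direction: str
    proto: Optional[str] = None
    dport: Optional[int] = None
    sport: Optional[int] = None
    flags: FrozenSet[str] = frozenset()

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.sport is None or self.sport == p.sport)
                and self.flags <= p.flags)


def stateless_filter(p: Packet, acl: List[Rule]) -> str:
    """Packet filter: first matching rule wins, implicit deny at the end, no memory of sessions."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


class StatefulFirewall:
    """Stateful inspection: the ACL only decides which NEW connections may start;
    every later packet is judged against the state table instead."""

    def __init__(self, acl: List[Rule]):
        self.acl = acl
        self.state: Set[Tuple[str, int, str, int]] = set()   # (src, sport, dst, dport)

    def filter(self, p: Packet) -> str:
        forward = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if forward in self.state or reverse in self.state:
            return "allow"                    # belongs to a session we watched start
        is_new = "SYN" in p.flags and "ACK" not in p.flags
        if is_new and stateless_filter(p, self.acl) == "allow":
            self.state.add(forward)           # remember it so the reply can come back
            return "allow"
        return "deny"                         # unsolicited or mid-stream packet with no state


# Policy: internal hosts may browse the web. The stateless ACL must also let the
# replies back in, which it can only express as "source port 80 with ACK set".
STATELESS_ACL = [
    Rule("allow", "out", "tcp", dport=80),
    Rule("allow", "in", "tcp", sport=80, flags=frozenset({"ACK"})),
]
STATEFUL_ACL = [Rule("allow", "out", "tcp", dport=80)]   # replies come from the state table

# Constructed packets: a normal web session opening, then an unsolicited inbound ACK
# from a different external host aimed at an internal file-sharing port.
SYN_OUT = Packet("10.0.0.5", "203.0.113.10", 40000, 80, "tcp", frozenset({"SYN"}), "out")
SYN_ACK_IN = Packet("203.0.113.10", "10.0.0.5", 80, 40000, "tcp", frozenset({"SYN", "ACK"}), "in")
UNSOLICITED_ACK = Packet("203.0.113.99", "10.0.0.5", 80, 445, "tcp", frozenset({"ACK"}), "in")

if __name__ == "__main__":
    for pkt in (SYN_OUT, SYN_ACK_IN, UNSOLICITED_ACK):
        print("stateless:", stateless_filter(pkt, STATELESS_ACL), pkt.src, "->", pkt.dst, pkt.dport)
    fw = StatefulFirewall(STATEFUL_ACL)
    for pkt in (SYN_OUT, SYN_ACK_IN, UNSOLICITED_ACK):
        print("stateful: ", fw.filter(pkt), pkt.src, "->", pkt.dst, pkt.dport)
```

Run it directly to print both verdicts for each packet; the stateless filter allows all three, the stateful one allows the session and denies the unsolicited ACK. The cost the slide mentions is visible too: the stateful version carries a state entry per connection, which is what grows as connection counts rise.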
Hardware and Software Firewalls

Firewalls can come in the form of hardware or software.
A hardware firewall has the advantages of being able to protect all computers on a network and requiring minimal configuration.
Usually incorporated into a broadband router and uses packet filtering.
Therefore, Trojans or other types of malicious software planted on an internal network machine would not be detected when launching attacks such as DDoS.

Hardware and Software Firewalls
A software firewall has the advantage of being flexible and programmable. It can employ inspection techniques that can discern illegal communications originating from inside a protected network.
A software firewall can protect only the computer on which it is installed.
Can also provide additional services such as Web filtering and privacy protection.
Packet-Filtering Routers
Placed between the public, untrusted network and the private, trusted network.
Dual-Homed Hosts
A dual-homed host architecture comprises two network interface cards (NICs) in a single (host) computer.
One NIC connects to the trusted network and the other NIC connects to an untrusted network.
A dual-homed firewall residing on the host usually acts to block or filter some or all of the traffic trying to pass between the networks.
Screened Host

Two NICs are used as in the dual-homed firewall.
A screening router is inserted between the host and the untrusted network.
Screened-Subnet Firewalls

Two NICs and two screening routers.
The screening routers are placed between the bastion host and the trusted network as well as between the bastion host and the untrusted network.
Firewall Identification
In preparation for attacking a firewall, a hacker would first go through an identification process.
Typical information that an attacker or an ethical hacker attempts to discover in firewall identification includes the following:
Open ports
Open protocols
Firewall filtering type
Firewall architecture
Firewall operating system
Firewall manufacturer and model type
Firewall version
Patch level of firewall software
DNS names or IP addresses of firewall elements
Banner Grabbing
Banner grabbing is a form of enumeration that obtains banner information transmitted by services such as Telnet and FTP.
The server returned information that tells the attacker that it is a Microsoft Exchange Server running IMAP4 version 6.5.

Banner Grabbing.
A common method of identifying HTTP servers is to send an HTTP request to a server to obtain the return HTTP response header of the server. An example of this approach is given as follows.
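An added example of the HEAD-request approach, written for this page rather than taken from the slides: it parses a server's HTTP response header and lists the software/version tokens the header discloses, which is the check to run against your own servers to see what a banner grab would learn. The SAMPLE_RESPONSE and HARDENED_RESPONSE bytes are constructed, so the parser runs offline; grab_http_banner() performs the live request against a host you name.

```python
import re
import socket
from typing import Dict, List

# Header fields that commonly disclose server software (lower-cased for lookup).
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "via")
# product/major.minor[.patch] tokens such as Apache/2.4.57 or PHP/8.1.2
VERSION_RE = re.compile(r"[A-Za-z][\w.-]*/\d+(?:\.\d+)+")


def parse_http_response_headers(raw: bytes) -> Dict[str, str]:
    """Split a raw HTTP response into its status line and header fields."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1", "replace")
    lines = head.split("\r\n")
    headers = {"status": lines[0]}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def disclosed_versions(headers: Dict[str, str]) -> List[str]:
    """List the software/version tokens the response gives away."""
    found = []
    for name in DISCLOSING_HEADERS:
        for token in VERSION_RE.findall(headers.get(name, "")):
            found.append(f"{name}: {token}")
    return found


def grab_http_banner(host: str, port: int = 80, timeout: float = 5.0) -> Dict[str, str]:
    """Send a minimal HEAD request and return the parsed response headers."""
    request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    chunks: List[bytes] = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while b"\r\n\r\n" not in b"".join(chunks):
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_http_response_headers(b"".join(chunks))


# Constructed response, the kind a default install sends back to a HEAD request.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    b"Server: Apache/2.4.57 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/8.1.2\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
)
# The same server after hardening of the ServerTokens Prod / expose_php=Off kind.
HARDENED_RESPONSE = b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("default", SAMPLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, disclosed_versions(parse_http_response_headers(raw)))
```

The status line and every header are kept, but only the disclosing fields are scanned for version tokens; an empty list from disclosed_versions() means the response reveals a product name at most, which is what the hardened variant shows.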
Port Scanning
Ports are divided into the following three classification categories:
Well-known ports: port numbers from 0 to 1,023
Registered ports: port numbers from 1,024 to 49,151
Dynamic or private ports: port numbers from 49,152 to 65,535
Port Scanning
When a port scan is conducted against a port or ports, there are three possible responses:
Open or accepted. The port is open, and a host service is listening on the open port. An open port is vulnerable to attacks against the program providing the host service and to attacks on the host operating system.
Closed or denied, or not listening. The port is closed, and the host will deny connections to this port. This type of port is vulnerable to attacks on the host operating system.
Filtered, dropped, or blocked. The host did not reply to the scan. Vulnerabilities are generally not present on a port with no response.
Firewall Ports
Because many firewalls use specific ports, identifying these open ports can determine the firewall being employed.
Examples of ports used by common firewalls are given in the following list:
Check Point Firewall-1: ports 256, 257, 258
Microsoft Proxy Server: ports 1080, 1745
BlackICE PC Protection: port 5000, ports > 1024
McAfee Firewall: port 5000
Breaching and Bypassing Firewalls
Hping
Traceroute tool
Traceroute
simple trace route
Covert Channeling
ACK Tunneling
HTTP Tunneling (Hopster)
Firewall Backdoors
Firewall Informer
Second Part IDS and Response
An intrusion detection system (IDS) is a detective control that monitors systems.
Detects intrusion attempts and other types of inappropriate activities.
An IDS includes storage capacity to log events, sensors to collect data, a central data processing and analyzing engine, and a response generating mechanism.
One way of categorizing an IDS is by its placement.
An IDS residing on a host system is called a host-based IDS, and an IDS monitoring a network segment is known as a network-based IDS.
Host-Based ID Systems
A host-based ID system comprises software which:
Monitors a host computer's operating system
Logs events
Reports suspected inappropriate activities
Issues alarms
Does not provide surveillance of network segments
Effective in detecting insider attacks
Login attempts
Suspicious dial
Tripwire is a commercial software product, but is also available as an open source package.
Another useful tool is a log file monitor (LFM), which scans log files for suspicious events and patterns that might indicate that an attack has occurred.
Network-Based ID systems
A network-based IDS uses a network interface card (NIC) to capture all network packets in promiscuous mode.
The network-based IDS is limited to monitoring and analyzing network traffic on a specific network segment.
It cannot monitor host activity or other network segments that do not have sensors feeding the particular IDS.
The network-based IDS monitors text strings (string signatures), connection attempts to frequently attacked ports (port signatures), and suspicious or illegal constructions in packet headers (header condition signatures).
IDS Detection Methods

Statistical Anomaly Detection
Also known as behavior-based detection.
Compares current system operating characteristics with compiled, learned patterns of normal system behavior.
They are relatively independent of the operating system being used.
They are sensitive to abuse-of-privilege attacks.
They are susceptible to generating a high number of false alarms.
They are vulnerable to attack when learning a new behavior.
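What "compiled, learned patterns of normal behavior" and the last two weaknesses above look like in code, as an added example that is not from the deck: the detector learns a mean and standard deviation of new connections per minute and alarms on large deviations. All sample counts are constructed. It goes a little beyond the slide by showing a busy-but-benign minute raising a false alarm at the default threshold, and by showing how attack traffic present during the learning phase pushes the baseline up until the same burst looks normal.

```python
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Tuple


@dataclass(frozen=True)
class Baseline:
    mean: float
    stdev: float


def learn_baseline(samples: List[float]) -> Baseline:
    """Learning phase: summarise 'normal' as the mean and standard deviation of the samples."""
    if len(samples) < 2:
        raise ValueError("need at least two samples to learn a baseline")
    return Baseline(mean(samples), pstdev(samples))


def z_score(value: float, baseline: Baseline) -> float:
    """How many standard deviations the observation sits from the learned mean."""
    if baseline.stdev == 0:
        return 0.0 if value == baseline.mean else float("inf")
    return (value - baseline.mean) / baseline.stdev


def is_anomalous(value: float, baseline: Baseline, k: float = 3.0) -> bool:
    """Alarm when the observation is more than k standard deviations from normal."""
    return abs(z_score(value, baseline)) > k


def detect(samples: List[float], baseline: Baseline, k: float = 3.0) -> List[Tuple[int, float]]:
    """Return (index, value) for every sample that trips the detector."""
    return [(i, v) for i, v in enumerate(samples) if is_anomalous(v, baseline, k)]


# Constructed data: new TCP connections per minute opened by one workstation.
NORMAL_MINUTES = [18, 22, 20, 19, 21, 23, 17, 20, 22, 18]   # quiet learning period (mean 20)
LIVE_MINUTES = [20, 26, 19, 120, 21]                        # 26 = busy but benign, 120 = scan-like burst
POISONED_MINUTES = NORMAL_MINUTES + [120, 130, 115]         # attacker already active while the IDS learned

CLEAN = learn_baseline(NORMAL_MINUTES)
POISONED = learn_baseline(POISONED_MINUTES)

if __name__ == "__main__":
    print("clean baseline, k=3:", detect(LIVE_MINUTES, CLEAN))          # flags 26 (false alarm) and 120
    print("clean baseline, k=4:", detect(LIVE_MINUTES, CLEAN, k=4.0))   # flags only 120
    print("poisoned baseline:  ", detect(LIVE_MINUTES, POISONED))       # flags nothing
```

Raising k trades the false alarm on the benign minute for a later alarm on a real burst, which is the tuning problem behind "a high number of false alarms"; the poisoned baseline shows why the learning window has to be protected or reviewed before the detector goes live.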
IDS Detection Methods
Pattern Matching Detection
Sometimes called a knowledge-based or signature-based IDS.
A match between the current activity and an attack signature in the database generates an alert.
Characterized by low false alarm rates because
This method is vulnerable to new attacks.
A signature-based IDS is also not very effective in detecting insider privilege escalation attacks.
IDS Detection Methods
Protocol Detection
The IDS keeps state information and can detect abnormal protocol activity for protocols such as IP, TCP, and UDP.
Can look at high level packet activity and search for protocol-based attacks by inspecting each field of the different protocols of an incoming packet for violations of protocol rules.
IDS Responses

True positive: a valid anomaly was detected, and an alarm was generated.
True negative: no anomaly was present, and no alarm was generated.
False positive: no anomaly was present, but an alarm was generated.
False negative: a valid anomaly was present, and no alarm was generated.
Using an IDS in a Switched Environment
A packet moving across a network comes to a switch.
The packet traverses the switch through a temporary connection to a destination port.
Because this connection is not a permanent one, the IDS sensors must be placed in all necessary locations so that they can monitor the required network traffic.
This situation is different from the operation of a network hub, which transmits an incoming packet to every port on the hub, making the data easily available to the IDS sensors.
Evading IDSs

Fragmentation overlap
This approach attempts to foil an IDS by transmitting packets in such a way that one packet fragment overwrites data from a previous fragment.
Denial of Service
The IDS is overwhelmed with traffic, allowing malicious code to slip through.
Session splicing
Data to be delivered for the attack is spread out over multiple packets, making it more difficult for pattern matching techniques to detect an attack signature.
Evading IDSs

Polymorphic code.
If a continually changing signature is generated by encoding the attack payload with polymorphic code, this signature would not match a signature in the attack signature database.
Insertion.
In an insertion attack, an IDS accepts a packet and assumes that the host system will also accept and process the packet.
In fact, the host system will reject the packet. The IDS will then accumulate attack strings that exploit vulnerabilities in the IDS and, for example, contaminate the signatures used in signature analysis.
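Signature matching from the Pattern Matching Detection slide, confronted with the session splicing and insertion evasions described above, as an added Python model that is not from the slides. The signature set, the Segment class and the two constructed segment lists are assumptions; a real sensor works on captured packets. per_packet_alerts() is the naive sensor that matches each packet alone, stream_alerts() reassembles the stream first and, with validate=True, discards segments the destination host would reject, which is the counter to insertion.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed signature set in the spirit of Snort "content" rules.
SIGNATURES = {
    "WEB-MISC /etc/passwd access": re.compile(rb"/etc/passwd"),
    "WEB-MISC directory traversal": re.compile(rb"\.\./\.\./"),
}


@dataclass(frozen=True)
class Segment:
    """A TCP segment as the sensor sees it (constructed model)."""
    seq: int                  # sequence number of the first payload byte
    payload: bytes
    checksum_ok: bool = True  # False: the receiving host will silently drop it


def match_signatures(data: bytes) -> List[str]:
    return sorted(name for name, pat in SIGNATURES.items() if pat.search(data))


def per_packet_alerts(segments: List[Segment]) -> List[str]:
    """Naive sensor: each segment is matched on its own."""
    hits = set()
    for seg in segments:
        hits.update(match_signatures(seg.payload))
    return sorted(hits)


def reassemble(segments: List[Segment], validate: bool = True) -> bytes:
    """Rebuild the byte stream the destination host will actually see.
    validate=True discards segments the host would reject (the defence against
    insertion). Overlaps are resolved by sequence order here; a real sensor must
    mirror the overlap policy of the target operating system."""
    kept = [s for s in segments if s.checksum_ok or not validate]
    if not kept:
        return b""
    base = min(s.seq for s in kept)
    end = max(s.seq + len(s.payload) for s in kept)
    buf = bytearray(end - base)
    for s in sorted(kept, key=lambda s: s.seq):
        off = s.seq - base
        buf[off:off + len(s.payload)] = s.payload
    return bytes(buf)


def stream_alerts(segments: List[Segment], validate: bool = True) -> List[str]:
    """Stream-aware sensor: match against the reassembled data."""
    return match_signatures(reassemble(segments, validate))


# Constructed traffic. Session splicing: the signature straddles two segments.
SPLICED = [
    Segment(1000, b"GET /etc/pa"),
    Segment(1011, b"sswd HTTP/1.0\r\n"),
]
# Insertion: a bogus segment with a bad checksum overwrites part of the string in a
# sensor that trusts every packet, while the host never sees those bytes at all.
INSERTED = Segment(1008, b"XXXX", checksum_ok=False)

if __name__ == "__main__":
    print("per-packet, spliced:        ", per_packet_alerts(SPLICED))
    print("stream, spliced:            ", stream_alerts(SPLICED))
    print("stream, inserted, trusting: ", stream_alerts(SPLICED + [INSERTED], validate=False))
    print("stream, inserted, validating", stream_alerts(SPLICED + [INSERTED]))
```

The two failure modes are distinct: splicing is defeated purely by reassembling before matching, while insertion is defeated only if the sensor also rejects what the host will reject, so a stream reassembler that trusts every segment is still blind.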
Tools for Evading and Testing IDSs
IDSWakeup.
This IDS test tool comprises a suite of programs that generates simulated attacks to test the IDS and determine whether the IDS detects them.
The IDS should generate false positives if the detection process is successful.
IDS Informer.
Useful tool for testing inline and passive IDS and Intrusion Prevention Systems.
Stateful tool with three-way handshakes that can identify packets responsible for attacks and evaluate the architecture of the IDS/IPS.
IDS Informer maintains a database of attacks which are compared to suspected intrusions to determine the robustness of the IDS/IPS devices.
Tools for Evading and Testing IDSs
Evasion gateway
The evasion gateway is now called Karlon Traffic Gateway, comprising a suite of evasion techniques used to test network IDSs.
It also provides Fragrouter-like capabilities for Windows platforms.
Fragroute
Fragroute provides an attacker with the ability to fragment packets before transmission.
In order to obtain a signature of the message, a network-based IDS has to reassemble all the packets and try to discern the attack signature.
In many instances, the fragmented packets can bypass the IDS.
Intrusion Prevention Systems
An intrusion prevention system (IPS) not only detects intrusions but takes steps to prevent attacks resulting from the intrusions.
Intrusion prevention systems are not perfect and can be costly to implement on a large-scale network.
Because an IPS operates at multiple layers of the OSI model, its performance is not as fast as conventional IDS and firewall approaches.
Snort 2.x and Cisco Security Agent are examples of IPS systems.
SNORT 2.x (www.snort.com)
Snort operates in the following four modes:
Sniffer mode. Snort acquires packets traversing the network and displays them in a continuous format.
Packet Logger mode. Snort logs the packets and stores them on disk.
Network Intrusion Detection System (NIDS) mode. Snort monitors and analyzes network traffic, compares the traffic to a user-defined rule set, and initiates actions based on the comparison results.
Inline mode. Snort acts as an IPS to pass or drop packets based on specific rules.
Cisco Security Agent
Cisco Security Agent (CSA) is a rule-based endpoint intrusion prevention system that monitors network traffic for behaviors indicating an attack scenario.
CSA contains the following elements:
A Management Center, which includes the control program to detect intrusions, effect collaboration with other network security devices, and apply the CSA personal firewall.
An MS SQL database storage backend, for holding configuration data and alert information.
A software Agent that resides on the computers to be defended, logs anomalous events and sends this data to the Management Center, and receives rule updates from the Management Center.
Computer Incident Response Team
1. PREPARE
a. Establish policies and procedures for responding to
intrusions
b. Prepare to respond to intrusions
2. HANDLE
a. Analyze all available information to characterize an intrusion.
b. Communicate with all parties that need to be made aware of
an intrusion and its progress.
c. Collect and protect information associated with an intrusion.
d. Apply short-term solutions to contain an intrusion.
e. Eliminate all means of intruder access.
f. Return systems to normal operation.
3. FOLLOW UP
a. Identify security lessons learned.
b. Implement security lessons learned
Honeypots
A honeypot is a monitored decoy used to lure attackers away from critical resources as well as a tool to analyze an attacker's methods and characteristics.
Research mode
In research mode, a honeypot characterizes attack environments by collecting data on attacker motivations, attack trends, and emerging threats.
Production mode
In production mode, a honeypot is used to prevent, detect, and respond to attacks.
Prevention is accomplished through deterrence, impeding scans initiated by attackers, and diverting an attacker to interact with the honeypot rather than critical files.
Honeypots.....
Production mode.
A honeypot can also detect attacks by capturing polymorphic code, capturing a variety of attacks, working with encrypted data, and acquiring attack signatures.
Honeypots enhance response to attacks by providing a large amount of valuable attack information for analysis.
Honeypots..

A honeypot can also be characterized by the level of activity provided by the honeypot to an attacker.
If the level of activity is minimal, the honeypot is known as a low-interaction honeypot.
Conversely, if the level of activity provided to the attacker is high, the honeypot is classified as a high-interaction device.
Honeypots..

Low-interaction honeypot
Provides a minimal emulation of an operating system running on the target computer.
It is easy to deploy because of its limited operating system emulation.
An attacker's actions are, therefore, restricted.
A low-interaction honeypot makes it possible for an attacker to determine that he or she is dealing with a honeypot and not the actual computer resources.
Honeypots..

High-interaction honeypot
Provides a more realistic target for an attacker because it uses an actual operating system and associated services.
Can acquire more detailed information on the attacker but is more vulnerable to compromise.
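A minimal low-interaction decoy of the kind the slides describe, as an added example (not from the deck, and not Honeyd's code): a fake SMTP service that emulates just enough of the command sequence with canned replies, never relays mail, and turns every command into a log record, since nothing legitimate should ever talk to it. The banner, the peer address 198.51.100.7 and the command sequence are constructed. It enforces MAIL before RCPT before DATA because an emulation that answers out-of-order commands with 250 is exactly the kind of protocol slip that lets an attacker tell a decoy from the real service.

```python
import json
import time
from dataclasses import dataclass, field
from typing import List


@dataclass
class Event:
    peer: str
    command: str
    reply: str
    ts: float = field(default_factory=time.time)


class FakeSMTP:
    """Low-interaction decoy: canned replies, no mail handling, full logging."""
    BANNER = "220 mail.example.test ESMTP ready"   # constructed decoy banner

    def __init__(self, peer: str):
        self.peer = peer
        self.events: List[Event] = []
        self.sender = False     # MAIL FROM seen for the current transaction
        self.rcpt = False       # at least one RCPT TO accepted
        self.closed = False

    def handle_line(self, line: str) -> str:
        """Emulate one command. Ordering is enforced so the decoy answers like a real MTA."""
        cmd = line.strip().split(" ", 1)[0].upper()
        if cmd in ("HELO", "EHLO"):
            reply = "250 mail.example.test"
        elif cmd == "MAIL":
            self.sender, self.rcpt = True, False
            reply = "250 2.1.0 Ok"
        elif cmd == "RCPT":
            if self.sender:
                self.rcpt = True
                reply = "250 2.1.5 Ok"
            else:
                reply = "503 5.5.1 Error: need MAIL command"
        elif cmd == "DATA":
            if not self.sender:
                reply = "503 5.5.1 Error: need MAIL command"
            elif not self.rcpt:
                reply = "503 5.5.1 Error: need RCPT command"
            else:
                reply = "354 End data with <CR><LF>.<CR><LF>"   # data is logged, never delivered
        elif cmd == "QUIT":
            self.closed = True
            reply = "221 2.0.0 Bye"
        else:
            reply = "502 5.5.2 Error: command not recognized"
        self.events.append(Event(self.peer, line.strip(), reply))
        return reply

    def alerts(self) -> List[str]:
        """One JSON line per command, the form you would ship to a SIEM; every line is an alert."""
        return [json.dumps({"honeypot": "smtp", "peer": e.peer, "cmd": e.command, "reply": e.reply})
                for e in self.events]


def run_session(peer: str, lines: List[str]) -> List[str]:
    """Feed a constructed command sequence through the decoy and return its replies."""
    session = FakeSMTP(peer)
    return [session.handle_line(line) for line in lines]


# Constructed probe: a relay test that gets the order wrong on its first RCPT.
PROBE = ["EHLO probe", "RCPT TO:<a@example.test>", "MAIL FROM:<x@example.test>",
         "RCPT TO:<a@example.test>", "DATA", "QUIT"]

if __name__ == "__main__":
    s = FakeSMTP("198.51.100.7")
    print(s.BANNER)
    for line in PROBE:
        print(">", line, "\n<", s.handle_line(line))
    print("\n".join(s.alerts()))
```

Wrapping handle_line() in a socket loop turns this into a listener; the point of the model is the trade-off the slides describe: the emulation is cheap and contains nothing real to compromise, but every command it mishandles is a tell, so the state it does keep has to be right.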
Honeypot Applications

In research mode, a honeypot can use a honeynet to characterize an attacker and his or her behavior.
A honeynet is a controlled network of high-interaction honeypots set up to be targets of attacks.
Honeynet and Honeyd are examples of honeypot applications (www.honeyd.org/).
Discovering Honeypots

Honeypots can be probed by attackers to determine if they are decoys.
One example is that a low-interaction honeypot might not be able to complete the correct handshaking protocol.
Some tools that can be used to probe for and detect honeypots are Nessus and Send-safe Honeypot Hunter.
ASSESSMENT QUESTIONS
