
Firewall and Intrusion Detection
By Farhan M. Shaikh
B.Sc. (CS), M.Sc. (IT), B.Ed., M.Ed., M.A. (Sociology), UGC-NET (Education/Sociology)

Visiting Faculty
L.S. Raheja College, SantaCruz
Tolani College, Andheri
Pioneer Education Center, Borivali, Andheri & Vasai
L.I.I.T., Dadar & Mulund
T.I.M.E., Andheri & Borivali
Objectives
Firewalls and their Types
DMZ
Limitations of Firewalls
Intruders
Intrusion Detection (Host based, Networked, Distributed)
IDS

farhan.mohd@yahoo.co.in 2
Firewalls
At a broad level, there are two kinds of attacks:
Most corporations hold large amounts of valuable and confidential data in their networks. Leaking this critical information to competitors can be a great setback.
Apart from the danger of insider information leaking out, there is a great danger of outside elements (such as viruses and worms) entering a corporate network to create havoc.

Firewalls and Proxy Servers
As a result of these dangers, we must have mechanisms which ensure that the inside information remains inside, and which also prevent outside attackers from entering a corporate network. This is where a firewall is needed. A firewall acts like a guard, which protects a corporate network by standing between the network and the outside world.

Firewalls
All traffic between the network and the Internet, in either direction, must pass through the firewall. The firewall decides whether the traffic can be allowed to flow, or whether it must be stopped from proceeding further. Technically, therefore, a firewall is a specialized version of a router. Apart from the basic routing functions and rules, a router can be configured to perform the firewall functionality with the help of additional software resources.
Characteristics of a good firewall
All traffic from inside to outside, and vice versa, must pass through the firewall. To achieve this, all access to the local network must first be physically blocked, and access only via the firewall should be permitted.
Only the traffic authorized as per the local security policy should be allowed to pass through.
The firewall itself must be strong enough to render attacks on it useless.
Firewalls
The word 'firewall' comes from an arrangement in automobiles that shields the passengers from the engine components. Firewalls in computers work on a similar concept. A firewall is defined as 'the collection of components that are placed between the local (protected) private network / workstation and the Internet (unprotected), which is the external public network'.
Firewalls come in various categories, configurations, sets of devices and products which run on the hosts in the network. They work like logical security guards which keep an eye on the outgoing and incoming traffic.
Kinds of Firewalls
In general, firewalls are classified as per the work carried out by them. They have two basic types:
Packet Filtering and
Application Level.
Two more types have also resulted from these two primary types. They are:
Circuit level gateways and
Stateful Multi-layer inspection (Dynamic).

Packet Filtering
This is the basic level of firewall. As the name suggests, this firewall checks each and every IP packet individually, whether coming into or going out of the private network. According to the selected policies (called rule-sets or Access Control Lists, ACLs) it determines whether to accept a packet or reject it. This is the first line of defense against intruders, and is not totally foolproof. It has to be combined with other techniques as well, to strengthen the security.

Disadvantages of packet filters
Rule-sets defined for a packet filter may be very complex to specify as well as to test.
In order to allow certain access, exceptions to the rules need to be added. This adds further to the complexity.
Some packet filters do not filter on the source TCP/UDP ports at all, which may increase the flaws in the filtering system.
These do not possess any auditing capabilities, and auditing is considered to be of major importance in security.
Not all applications on the Internet may be fully supported by packet filtering firewalls.
This type of firewall does not attempt to hide the private network topology from the outside network, and hence it gets exposed.
Using packet filters may be complex, as a graphical interface is not available in most cases.

Application Level Filtering
An application gateway is also called a proxy server. This is because it acts like a proxy, i.e. a deputy or substitute, and decides about the flow of application level traffic.
An application gateway typically works as follows:
An internal user contacts the application gateway using a TCP/IP application, such as HTTP or TELNET.
The application gateway asks the user about the remote host with which the user wants to set up a connection for actual communication (i.e. its domain name or IP address). The application gateway also asks for the user id and the password required to access the services of the application gateway.
Application Level Filtering
The user provides the information to the application gateway.
The application gateway now accesses the remote host on behalf of the user, and passes the packets of the user to the remote host.
Application gateways are generally more secure than packet filters, because rather than examining every packet against a number of rules, we simply detect whether a user is allowed to work with a TCP/IP application or not.
The disadvantage is the overhead in terms of connections. There are actually two sets of connections now: one between the end user and the application gateway, and another between the application gateway and the remote host. The application gateway has to manage these two sets of connections, and the traffic going between them. This means that the actual communicating internal host is under an illusion: it believes it is talking to the remote host directly.
Application Level Filtering
Application level firewalls work at the topmost layer in the network, i.e. the Application Layer. Hence, they can monitor the flow of information in great detail. They do not need to check each and every packet, but rather check an application as a whole and determine whether it should be allowed access to the network, both in-bound as well as out-bound. Hence, they are more secure than packet filters.
These are also called Application level gateways, as they sit between the local network and the Internet. They require the policies to be set up using specific software and hence are NOT transparent to the end users.

Proxy Servers
The services which are proxied include FTP, DNS, TELNET, HTTP, SMTP and so on. Thus, the application gateway allows the clients to believe that they are getting a direct connection to the Internet; in fact the traffic is always routed through the proxy server.
Examples of Application level firewalls include Zone Labs' ZoneAlarm and ZoneAlarm Pro, IBM Firewall, McAfee Firewall, Norton Firewall, the Linux-based Mitel Networks SME server, Squid proxy server, WinGate, WinProxy and many more with various facilities and configurations.
Advantages of Application Level Firewalls
Checks traffic in greater detail than packet filters.
No need to check each and every packet; checks the application as a whole.
Provides more security than packet filters.
These are available as software with a graphical interface, hence specifying and changing the rule-sets is easier in this case.
Advantages of Application Level Firewalls
Ability to hide the structure, topology and other sensitive information of the private network from external parties.
Has the capability of complete auditing/logging of events, which is an important aspect of security.
Easier to install, set up and operate from the point of view of users (also sometimes called personal firewalls).
Disadvantages of Application level firewalls
Operation may be slower, since it has to check the traffic in more detail.
The software products used may be costly to procure.
In some cases, setup may be difficult and require administrative help.
They are not transparent to the end users, and may have to be set up specifically on the client nodes.
Circuit level Gateways
Another variation of firewalls is called the Circuit Level Gateway. These run at the Transport level of the TCP/IP model (or the Session layer in the case of the OSI model). They check for specific sessions or services for filtering; they check neither individual packets nor entire applications. They are sometimes called Relays, which relay the sessions / services (also called circuits) for the users. Normally they relay services such as Telnet or FTP for the users. But in the process, they tend to break the standard client-server model.

Circuit level Gateways
Thus, for every request/response, there will be two connections to be set up: one from the client machine to the firewall, and the second from the firewall to the external server, and similarly in the reverse direction. But they provide the facility to control these services. It is hence possible to enable/disable these services through the circuit gateway.
It performs some additional functions as compared to those performed by an application gateway. A circuit gateway, in fact, creates a new connection between itself and the remote host. The user is not aware of this, and thinks that there is a direct connection between itself and the remote host. Also, the circuit gateway changes the source IP address in the packets from the end user's IP address to its own. This way the IP addresses of the internal network are hidden from the outer world.
The SOCKS server is an example of a real life implementation of a circuit gateway. It is a client-server application. The SOCKS client runs on the internal host, and the SOCKS server runs on the firewall.
Advantages of Circuit level Gateways
1. More secure than packet filters, since they work at a higher level.
2. Do not check individual packets, inbound or outbound.
3. Can hide the internal network structure from external entities.
4. Flexibility to enable or disable sessions or services is available.
5. Less expensive compared to the Application level products.
6. Operation is transparent to the end-users.
Disadvantages of Circuit level Gateways
Less secure compared to application level gateways.
Breaks the client-server model.
Requires two dedicated connections to be set up for each service / response.

Dynamic (Stateful Multi-layer Inspection) Firewalls
The last category of firewalls is the Dynamic, also known as the Stateful multi-layer inspection, type. As the name suggests, it checks the traffic at multiple layers, viz. the Application, Transport as well as Internet layers. Hence, it combines all the advantages of the first three categories of firewalls. These are the most recent type of firewalls being used. They check the individual packets at the Internet layer, check for valid sessions at the Transport layer and evaluate the application at the topmost layer.
Dynamic (Stateful Multi-layer Inspection) Firewalls
Another difference between this type and the earlier ones is the awareness of state and their dynamic nature. This means the firewall can modify itself, or adapt to changes in the situation, and can change the rules dynamically. This facility is not available in any of the earlier types, which is what makes this type more efficient; the earlier types are hence known as stateless. For this purpose the firewall needs to maintain some historical information about all the transactions, in a form called state tables. These state tables are updated as and when new events are generated, and are used by the firewall to modify or update the rule-sets in different situations.
Examples of this type of firewall include Checkpoint's Firewall-1, Sun's SunScreen etc.
Advantages of Dynamic Firewalls
Scans the traffic at three different layers in great detail.
Provides much more security than the first three types of firewalls.
Facility to adapt to changes in the state of the network.
More flexible in its operation due to its dynamic nature.
Combines most of the advantages of the first three types of firewalls.
Disadvantages of Dynamic Firewalls
Operation is much slower, which may reduce the overall performance.
Applications need to be procured specially, and can be expensive.
Setup or implementation may be more difficult.

Distributed Firewalls
Advantages: provide multiple checkpoints (the firewall exists in multiple forms), which makes the protection less prone to failure; make it possible to prevent inside attacks; offer a more secure implementation; servers can be outside the perimeter; more flexibility in operation; different security levels are possible.
Distributed firewalls are host-resident security solutions which protect the enterprise network's critical end points against intrusion. As the name suggests, the firewall implementation is distributed over multiple points, rather than providing a single point of entry into your network as in the case of traditional firewalls. With distributed firewalls, one can provide separate levels of security to the Web, Mail servers, Application servers or individual nodes in the setup.

Distributed Firewalls
These are meant to provide higher security to corporate networks. They can also prevent malicious inside attacks within the network, as they treat all traffic as unfriendly whether it originates from the Internet or from your local network. This is a more important advantage, since most attacks are initiated from inside the network. These firewalls also guard the individual machines the same way the perimeter firewall guards the entire network.
These are like personal firewalls, but the additional features include centralized management, logging and fine access-control granularity.
What Firewalls Cannot Do?
Firewalls in general cannot prevent internal attacks at all.
They do not prevent viruses from entering the local network.
They do not differentiate between users on a single side, i.e. either the Internet side or the local side. This means one Internet user can spoof another, or one local user can spoof another. They only try to differentiate between local and external members.
They do not protect any connection that is not going through them, or that in some way bypasses them.

What Firewalls Cannot Do?
They can be bypassed by users in order to avail of services normally blocked, in which case they fail to provide any security to these connections, e.g. using modems to connect to the Internet directly.
They cannot prevent any new kind of threat or attack for which the firewall has not been configured.
They fail to provide enough security if not properly configured or not updated continuously.
Limitations of the Firewall
Insider's intrusion: A firewall system is designed to thwart outside attacks. Therefore, if an inside user attacks the internal network in some way, the firewall cannot prevent such an attack.
Direct Internet traffic: A firewall must be configured very carefully. It is effective only if it is the only entry point of an organization's network. If, instead, the firewall is one of several entry-exit points, a user can bypass the firewall and exchange information with the Internet via the other entry-exit points. This can open up the possibility of attacks on the internal network through those points. The firewall cannot, obviously, be expected to take care of such situations.

Limitations of the Firewall
Virus attacks: A firewall cannot protect the internal network from virus threats. This is because a firewall cannot be expected to scan every incoming file or packet for possible virus content. Therefore, a separate virus detection and removal mechanism is required for preventing virus attacks. Alternatively, some vendors bundle their firewall products with anti-virus software, to enable both features out of the box.
DMZ Networks
Some servers are difficult to trust because of the size and the complexity of the code they run. Web servers are a classic example.
Do you place your external Web server inside the firewall, or outside?
[Figure: the Internet, an external Web server and the corporate LAN]
DMZ Networks
If you place it inside, then a compromise creates a launch point for further attacks on inside machines.
[Figure: the external Web server placed inside, on the corporate LAN]
DMZ Networks
If you place it outside, then you make it even easier to attack.
The common approach to this is to create a demilitarized zone (DMZ) between two firewalls.
It is important to carefully control administrative access to services on the DMZ. Most likely, this should only come from the internal network, and preferably over a cryptographically protected connection, such as ssh.

DMZ networks
The concept of Demilitarized Zone (DMZ) networks is quite popular in firewall architectures. Firewalls can be arranged to form a DMZ. A DMZ is required only if an organization has servers that it needs to make available to the outside world (e.g. Web servers or FTP servers). For this, a firewall has at least three network interfaces. One interface connects to the internal private network; the second connects to the external public network (i.e. the Internet), and the third connects to the public servers (which form the DMZ network).

DMZ Networks
A DMZ is an example of our general philosophy of defense in depth. That is, multiple layers of security provide a better shield. If an attacker penetrates past the first firewall, he or she gains access to the DMZ, but not necessarily to the internal network.
[Figure: the Internet, the external Web server in the DMZ, and the corporate LAN]
DMZ Networks
Without the DMZ, the first successful penetration could result in a more serious compromise.
You should not fully trust machines that reside in the DMZ; that's the reason we put them there. Important Web servers may need access to, say, a vital internal database, but ensure that the database server assumes that queries may come from an untrusted source. Otherwise, an attacker may be able to steal the crown jewels via the compromised Web server.

DMZ Networks
The chief advantage of such a scheme is that access to any service on the DMZ can be restricted. For instance, if the Web server is the only required service, we can limit the traffic in/out of the DMZ network to the HTTP and HTTPS protocols (i.e. ports 80 and 443, respectively). All other traffic can be filtered. More significantly, the internal private network is in no way directly connected to the DMZ. So, even if an attacker can somehow manage to hack into the DMZ, the internal private network is safe, and out of the reach of the attacker.
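As an added example (not code from the slides), the packet filter rule-set (ACL) and the stateful inspection state table described earlier are applied to the three-interface DMZ layout above: the same rule-set is evaluated stateless, packet by packet, and then with a state table that remembers admitted sessions. Zone names, addresses, ports and the sample packets are constructed for the example.

```python
from dataclasses import dataclass

# Constructed example (not from the slides): three firewall interfaces, as in the DMZ slides,
# with addresses taken from the RFC 5737 documentation ranges.
LAN, DMZ, WAN = "lan", "dmz", "wan"
WEB_SERVER = "203.0.113.10"   # the public Web server placed in the DMZ
DB_SERVER = "10.0.0.5"        # a vital internal database on the private LAN


@dataclass(frozen=True)
class Packet:
    """One TCP packet as the filter sees it: addresses, ports and whether it opens a session."""
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False


def zone_of(ip: str) -> str:
    """Which of the three interfaces an address lives behind."""
    if ip.startswith("10."):
        return LAN
    if ip.startswith("203.0.113."):
        return DMZ
    return WAN


# The rule-set (ACL): which zone may open sessions to which zone, on which destination ports.
# First match wins; anything unmatched is rejected. There is deliberately no DMZ -> LAN rule,
# so the private network stays out of reach of a compromised DMZ host.
RULES = [
    (WAN, DMZ, {80, 443}),      # the Internet may reach only HTTP/HTTPS on the DMZ
    (LAN, DMZ, {22, 80, 443}),  # administrators reach DMZ services over ssh from inside
    (LAN, WAN, {80, 443}),      # internal users may browse the Internet
]


def stateless_filter(p: Packet) -> bool:
    """Packet filter: judge each packet on its own against the rule-set, with no memory."""
    for src_zone, dst_zone, ports in RULES:
        if zone_of(p.src) == src_zone and zone_of(p.dst) == dst_zone and p.dport in ports:
            return True
    return False


class StatefulFirewall:
    """Dynamic inspection: the same rule-set, plus a state table of admitted sessions."""

    def __init__(self) -> None:
        self.state_table = set()   # (src, sport, dst, dport) of every admitted session

    def inspect(self, p: Packet) -> bool:
        key = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if key in self.state_table or reverse in self.state_table:
            return True                      # belongs to a session already in the state table
        if p.syn and stateless_filter(p):    # a new session: consult the rule-set once...
            self.state_table.add(key)        # ...and record the new event in the state table
            return True
        return False


def run_scenarios() -> dict:
    """Send the same packets through both filters; returns {name: (stateless, stateful)}."""
    fw = StatefulFirewall()
    scenarios = [
        ("outbound", Packet("10.0.0.20", "198.51.100.7", 50000, 443, syn=True)),
        ("reply", Packet("198.51.100.7", "10.0.0.20", 443, 50000)),          # answer to the above
        ("spoofed_reply", Packet("198.51.100.9", "10.0.0.20", 443, 50001)),  # looks like a reply, never requested
        ("web_hit", Packet("192.0.2.44", WEB_SERVER, 40000, 80, syn=True)),
        ("ssh_from_internet", Packet("192.0.2.44", WEB_SERVER, 40001, 22, syn=True)),
        ("dmz_to_db", Packet(WEB_SERVER, DB_SERVER, 40002, 3306, syn=True)),  # compromised Web server
    ]
    return {name: (stateless_filter(p), fw.inspect(p)) for name, p in scenarios}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenarios().items():
        print(f"{name:18s} stateless={'pass' if stateless else 'drop'}  "
              f"stateful={'pass' if stateful else 'drop'}")
```

The "reply" case shows why the stateless filter is awkward to configure: it either drops the legitimate answer to an admitted outbound session or needs an extra rule admitting inbound packets by source port, which would also let the "spoofed_reply" packet through.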

Intruders
[Figure: an attack tool kit, its packaging and Internet distribution]

Intruder Detection
Approaches to Intrusion Detection
The following approaches to intrusion detection can be identified:
1. Statistical anomaly detection: collect data relating to the behavior of legitimate users, then use statistical tests to determine with a high level of confidence whether new behavior is legitimate user behavior or not.
a. Threshold detection: define thresholds, independent of user, for the frequency of occurrence of events.
b. Profile based: develop a profile of the activity of each user and use it to detect changes in behavior.
2. Rule-based detection: attempt to define a set of rules used to decide whether given behavior is that of an intruder.
a. Anomaly detection: rules detect deviation from previous usage patterns.
b. Penetration identification: expert system approach that searches for suspicious behavior.
Audit Records
A fundamental tool for intrusion detection is the audit record. Some record of ongoing activity by users must be maintained as input to an intrusion detection system. Basically, two plans are used:
Native audit records: Virtually all mainstream operating systems include accounting software that collects information on user activity. The advantage is that it is already there; the disadvantage is that it may not contain the needed information.
Detection-specific audit records: implement a collection facility that generates custom audit records with the desired information. The advantage is that it can be vendor independent and portable; the disadvantage is the extra overhead involved.
Statistical Anomaly Detection
Statistical anomaly detection techniques cover threshold detection and profile-based systems.
Threshold detection involves counting the number of occurrences of a specific event type over an interval of time; if the count surpasses a reasonable number, then intrusion is assumed. By itself, this is a crude and ineffective detector of even moderately sophisticated attacks.
Profile-based anomaly detection focuses on characterizing the past behavior of users or groups, and then detecting significant deviations. A profile may consist of a set of parameters, so that deviation on just a single parameter may not be sufficient in itself to signal an alert. The foundation of this approach is analysis of audit records.

Audit Record Analysis
An analysis of audit records over a period of time can be used to determine the activity profile of the average user. Then current audit records are used as input to detect intrusion, by analyzing incoming audit records to determine deviation from average behavior. Examples of metrics that are useful for profile-based intrusion detection are: counter, gauge, interval timer, resource use. Given these general metrics, various tests can be performed to determine whether current activity fits within acceptable limits, such as: mean and standard deviation, multivariate, Markov process, time series, operational.
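As an added example (not code from the slides), the two statistical tests above are run over constructed audit-record counters: a user-independent threshold on failed logins, and a per-user profile using the mean and standard deviation test that alerts only when more than one parameter deviates. The users, counters and daily values are invented for the example.

```python
import statistics

# Constructed audit data (not from the slides): for each user, seven days of "counter"
# metrics taken from audit records: failed logins, files opened, programs executed.
TRAINING = {
    "alice": {"login_fail": [0, 1, 0, 0, 1, 0, 1],
              "file_open": [40, 45, 38, 42, 44, 41, 39],
              "exec": [20, 22, 19, 21, 20, 23, 18]},
    "bob":   {"login_fail": [2, 3, 1, 2, 3, 2, 2],
              "file_open": [10, 12, 11, 9, 10, 12, 11],
              "exec": [5, 6, 4, 5, 6, 5, 4]},
}

# Threshold detection: limits on the frequency of an event type, independent of the user.
THRESHOLDS = {"login_fail": 10}


def threshold_detect(record: dict) -> set:
    """Return the event types whose count in this interval exceeds the fixed threshold."""
    return {event for event, limit in THRESHOLDS.items() if record.get(event, 0) > limit}


def build_profile(history: dict) -> dict:
    """Mean and standard deviation of each metric over the user's past audit records."""
    return {metric: (statistics.mean(values), statistics.pstdev(values))
            for metric, values in history.items()}


def z_scores(profile: dict, record: dict) -> dict:
    """How many standard deviations each metric of today's record lies from the profile."""
    scores = {}
    for metric, (mean, sd) in profile.items():
        sd = max(sd, 0.5)   # floor, so a nearly constant history does not flag every small change
        scores[metric] = (record[metric] - mean) / sd
    return scores


def profile_detect(profile: dict, record: dict, z_limit: float = 3.0, min_params: int = 2):
    """Profile-based test: alert only when at least `min_params` metrics deviate strongly,
    since deviation on a single parameter is not sufficient in itself."""
    deviating = [m for m, z in z_scores(profile, record).items() if abs(z) >= z_limit]
    return len(deviating) >= min_params, deviating


# Three constructed "today" records to run through both detectors.
ALICE_NORMAL = {"login_fail": 1, "file_open": 43, "exec": 21}
ALICE_ATTACK = {"login_fail": 6, "file_open": 300, "exec": 80}   # mass file access, few failed logins
BOB_BRUTE = {"login_fail": 12, "file_open": 11, "exec": 5}       # only the login counter is unusual


def analyse(user: str, record: dict) -> dict:
    """Run both statistical tests on one record and return their verdicts."""
    alert, deviating = profile_detect(build_profile(TRAINING[user]), record)
    return {"threshold": threshold_detect(record), "profile_alert": alert, "deviating": deviating}


if __name__ == "__main__":
    for user, record in [("alice", ALICE_NORMAL), ("alice", ALICE_ATTACK), ("bob", BOB_BRUTE)]:
        print(user, record, analyse(user, record))
```

Alice's attack day stays under the login threshold and is caught only by the profile; Bob's day trips the threshold but deviates on a single parameter, so the profile test alone would not alert.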

Rule Based Intrusion Detection
Rule-based penetration identification uses expert systems technology, with rules identifying known penetration or weakness patterns, or suspicious behavior. Audit records or states are compared against the rules. The rules are usually machine and O/S specific. They are generated by experts who interview security administrators and codify their knowledge; the quality of the rules depends on how well this is done.

Intrusion Detection Systems (IDS)
Intrusion Detection Systems look for attack signatures, which are specific patterns that usually indicate malicious or suspicious intent.

Host/Application based IDS
The host operating system or the application logs the audit information. This audit information includes events like the use of identification and authentication mechanisms (logins etc.), file opens and program executions, admin activities etc. This audit trail is then analyzed to detect traces of intrusion.

Drawbacks of the host based IDS
The kind of information that needs to be logged is a matter of experience.
Unselective logging of messages may greatly increase the audit and analysis burdens.
Selective logging runs the risk that attack manifestations could be missed.

Strengths of the host based IDS
Attack verification
System specific activity
Encrypted and switch environments
Monitoring key components
Near Real-Time detection and response.
No additional hardware

Network based IDS
This IDS looks for attack signatures in network traffic via a promiscuous interface. A filter is usually applied to determine which traffic will be discarded or passed on to an attack recognition module. This helps to filter out known non-malicious traffic.

Strengths of Network based IDS
Cost of ownership reduced
Packet analysis
Evidence removal
Real time detection and response
Malicious intent detection
Complement and verification
Operating system independence

Distributed Intrusion Detection
Until recently, work on intrusion detection systems focused on single-system standalone facilities. The typical organization, however, needs to defend a distributed collection of hosts supported by a LAN or internetwork, where a more effective defense can be achieved by coordination and cooperation among intrusion detection systems across the network.
Porras points out the following major issues in the design of a distributed IDS:
A distributed intrusion detection system may need to deal with different audit record formats.
One or more nodes in the network will serve as collection and analysis points for the data, which must be securely transmitted to them.
Either a centralized (single point, easier but a bottleneck) or decentralized (multiple centers which must coordinate) architecture can be used.
Distributed IDS Architecture
The figure shows the overall architecture, consisting of three main components, of the system-independent distributed IDS developed at the University of California at Davis. The components are:
Host agent module: an audit collection module operating as a background process on a monitored system.
LAN monitor agent module: like a host agent module, except that it analyzes LAN traffic.
Central manager module: receives reports from the LAN monitor and host agents, and processes and correlates these reports to detect intrusion.

Future of IDS
To integrate the network and host based IDS for better detection.
Developing IDS schemes for detecting novel attacks rather than individual instantiations.

HoneyPots
Honeypots are decoy systems, designed to lure a potential attacker away from critical systems, and to:
divert an attacker from accessing critical systems;
collect information about the attacker's activity;
encourage the attacker to stay on the system long enough for administrators to respond.
These systems are filled with fabricated information designed to appear valuable but which no legitimate user of the system would access; thus, any access is suspect.
They are instrumented with sensitive monitors and event loggers that detect these accesses and collect information about the attacker's activities.
Honeypots have evolved from single-host honeypots to honeynets of multiple dispersed systems.
The IETF Intrusion Detection Working Group is currently drafting standards to support interoperability of IDS information (both honeypot and normal IDS) over a wide range of systems and operating systems.