Security Perimeter
Presentation Transcript

  1. Security Perimeter Eng. Mohammad Adly, M. Sc.

  2. Intrusion Detection • Host-based • HIDS, HIPS • Network-based • NIDS, NIPS

  3. What is an IDS? • Reports attacks against monitored systems/networks • An alarm system • Mature technology in widespread use

  4. What an IDS is NOT • Not a replacement for firewalls, strong policies, system hardening, timely patching, and other defense-in-depth (DiD) techniques • Not a low-maintenance tool • Not an inexpensive tool • Not a silver bullet

  5. IDS in Action • The attacker used nmap to scan a host for open ports • By the time anyone looked, the attacker had already found the open ports • The victim’s IDS fired its TCP_Xmas_Scan signature, which logged the attacker’s activity and IP address • The tool only presented data to an analyst; deciding what to do about it was still the analyst’s job

  6. IDS Alerts • Alerts are generated from Events of Interest (EOI) • 4 types of events: • True Positive, True Negative • False Positive, False Negative • Which one is the worst to have on your network? (The false negative: a real attack that raised no alert at all)

  7. NIDS Overview • Deployed as a passive sensor at network aggregation points • Captures traffic like a sniffer • Detects EOI on the network • Uses signature, anomaly, or application/protocol analysis

  8. Signature Analysis • Rules indicate criteria in packet that represent EOI • Rules are applied to packets as they are received by the IDS • Alerts are created when matches are found

  9. Rules and Signature Criteria • Protocol, address and port information • Payload contents • String matching • Traffic flow analysis • Flags in protocol headers

  10. Anomaly Analysis • Flags anomalous conditions in traffic on the network • Unexpected conditions are identified as suspicious • Requires understanding of what “normal” is • Usually based on good traffic as baseline for future analysis • Usually an inclusive detection method

  11. Application/Protocol Analysis • IDS has understanding of the logic for a specific application or protocol • Any protocol activity that is not known as normal is flagged • Difficult to implement • Few real-world implementations follow the protocol standard exactly • Usually an exclusive detection method

  12. Deep Vs Shallow Inspection • Shallow • Fast, but provides little fidelity • Examines header information, limited payload data • Deep • Slow, requires stateful tracking of data • Inspects all fields including variable length fields

  13. NIDS Challenges • Deployment challenges, including sensor placement and access limitations • Analyzing encrypted traffic • Quantity vs quality of signatures • Performance limitations (speed of processing, and size of storage) • Very costly to manage properly

  14. Where to put NIDS?

  15. TCPDump as NIDS • Uses libpcap for packet capture • Always available • Compiles on many Unix platforms • Runs on Windows • High fidelity • Same program for data collection and first-order analysis

  16. Snort • Low cost, lightweight • Suitable for monitoring multiple sites/sensors • Low false alarm rate • Low effort for reporting

  17. Snort Capture

  18. Basic Snort Rule
  • Rule:
  alert tcp any any -> 192.168.1.0/24 80 (msg: "Inbound HTTP Traffic"; )
  • Output:
  [**] [1:0:0] Inbound HTTP Traffic [**]
  09/02-13:03:22.734392 192.168.1.104:1460 -> 192.168.1.103:80
  TCP TTL:128 TOS:0x0 ID:28581 IpLen:20 DgmLen:48 DF
  ******S* Seq: 0x2550D716 Ack: 0x0 Win: 0x4000 TcpLen: 28
  TCP Options (4) => MSS: 1460 NOP NOP SackOK

  19. Advanced Snort Rule
  • Rule:
  alert tcp any any -> 192.168.1.0/24 80 (content: "/cgi-bin/test.cgi"; msg: "Attempted CGI-BIN Access!!";)
  • Output:
  [**] [1:0:0] Attempted CGI-BIN Access!! [**]
  09/02-13:18:30.550445 192.168.1.104:1472 -> 192.168.1.103:80
  TCP TTL:128 TOS:0x0 ID:29951 IpLen:20 DgmLen:466 DF
  ***AP*** Seq: 0x32D8E9C1 Ack: 0xB427699E Win: 0x4470 TcpLen: 20
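The signature analysis of slides 8 and 9 and the two rules above, reduced to a toy engine. This is an added example written for this page, not Snort’s code or the presenter’s: it parses the rule subset the slides use (header plus msg, content, flags and sid options) and applies it to constructed packets. The sid values, the packet contents and the "malicious" labels are all made up; the labels let the same packets produce the true/false positive/negative counts that slide 6 asks about, and the HTTPS and upper-cased probes show the "encrypted traffic" and "not in the rule set" gaps from slides 13 and 27.

```python
"""Toy Snort-style signature engine (added example; this is not Snort's code).
Rules: action proto src sport -> dst dport (msg/content/flags/sid options).
Packets are plain dicts constructed below, not captured traffic."""
import ipaddress
import re

OPT_RE = re.compile(r'(\w+)\s*:\s*"?([^;"]*)"?\s*;')   # option: value;  (value may be quoted)


def parse_rule(text):
    """Split 'action proto src sport -> dst dport (options)' into a dict."""
    header, _, options = text.partition("(")
    action, proto, src, sport, arrow, dst, dport = header.split()
    if arrow != "->":
        raise ValueError("only unidirectional rules are supported here")
    opts = dict(OPT_RE.findall(options))
    return {"action": action, "proto": proto.lower(),
            "src": src, "sport": sport, "dst": dst, "dport": dport,
            "msg": opts.get("msg", ""), "content": opts.get("content"),
            "flags": opts.get("flags"), "sid": opts.get("sid", "0")}


def _addr_match(pattern, addr):
    return pattern == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def _port_match(pattern, port):
    return pattern == "any" or int(pattern) == port


def rule_matches(rule, pkt):
    """Cheap header criteria first (shallow inspection), payload criteria last (deep)."""
    if rule["proto"] != pkt["proto"]:
        return False
    if not (_addr_match(rule["src"], pkt["src"]) and _addr_match(rule["dst"], pkt["dst"])):
        return False
    if not (_port_match(rule["sport"], pkt["sport"]) and _port_match(rule["dport"], pkt["dport"])):
        return False
    # Plain 'flags:S' in Snort means exactly these flags are set; the '+' and '*'
    # modifiers are not implemented in this toy.
    if rule["flags"] is not None and set(rule["flags"]) != set(pkt.get("flags", "")):
        return False
    # content is a case-sensitive byte search, Snort's default without 'nocase'.
    if rule["content"] is not None and rule["content"].encode() not in pkt.get("payload", b""):
        return False
    return True


def run_rules(rule_texts, packets):
    """Return alert lines in the '[**] [gid:sid:rev] msg [**]' style the slides show."""
    rules = [parse_rule(t) for t in rule_texts]
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule_matches(rule, pkt):
                alerts.append("[**] [1:%s:0] %s [**] %s:%d -> %s:%d" % (
                    rule["sid"], rule["msg"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
    return alerts


def score(rule_text, packets):
    """Count TP/FP/TN/FN for one rule against packets labelled by the analyst."""
    rule = parse_rule(rule_text)
    counts = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for pkt in packets:
        hit = rule_matches(rule, pkt)
        counts[("TP" if hit else "FN") if pkt["malicious"] else ("FP" if hit else "TN")] += 1
    return counts


# The two rules from the slides; the sid values are made up for this example.
RULES = [
    'alert tcp any any -> 192.168.1.0/24 80 (msg: "Inbound HTTP Traffic"; sid: 1000001;)',
    'alert tcp any any -> 192.168.1.0/24 80 (content: "/cgi-bin/test.cgi"; '
    'msg: "Attempted CGI-BIN Access!!"; sid: 1000002;)',
]

# Constructed packets, not a capture. 'malicious' is the ground truth used by score().
PACKETS = [
    dict(proto="tcp", src="192.168.1.104", sport=1460, dst="192.168.1.103", dport=80,
         flags="S", payload=b"", malicious=False),
    dict(proto="tcp", src="192.168.1.104", sport=1472, dst="192.168.1.103", dport=80,
         flags="AP", payload=b"GET /cgi-bin/test.cgi HTTP/1.0\r\n\r\n", malicious=True),
    # Same probe with the path upper-cased: the case-sensitive content check misses it (FN).
    dict(proto="tcp", src="192.168.1.104", sport=1473, dst="192.168.1.103", dport=80,
         flags="AP", payload=b"GET /CGI-BIN/TEST.CGI HTTP/1.0\r\n\r\n", malicious=True),
    # A documentation page whose path merely contains the string (FP).
    dict(proto="tcp", src="192.168.1.20", sport=2001, dst="192.168.1.103", dport=80,
         flags="AP", payload=b"GET /docs/cgi-bin/test.cgi.html HTTP/1.0\r\n\r\n", malicious=False),
    # The same attack over HTTPS: the sensor sees only an opaque TLS record (FN).
    dict(proto="tcp", src="192.168.1.20", sport=2002, dst="192.168.1.103", dport=443,
         flags="AP", payload=bytes.fromhex("160301008e") + b"\x00" * 16, malicious=True),
]
```

Running `run_rules(RULES, PACKETS)` yields six alerts (the broad port-80 rule fires on every cleartext packet, the content rule on two of them), and `score(RULES[1], PACKETS)` gives one true positive, one false positive, two false negatives and one true negative: the content rule is cheap but blind to case changes and to anything inside TLS, which is exactly why the slides pair signature matching with anomaly and protocol analysis.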

  20. Additional Snort Tools • Log Analysis Tools • Snort Stat • http://www.snort.org/dl/contrib/data_analysis/snort_stat.pl • Snort Snarf • http://www.silicondefense.com/software/snortsnarf/index.htm • Snort Log • http://www.snort.org/dl/contrib/data_analysis/snortlog3.pl • Real-Time Alerting Tools • SWATCH, the Simple WATCHer

  21. Snort Stat

  22. Snort Snarf

  23. Core_Host Filter • DNS, Web, and mail servers draw a lot of fire • About 20% of all our attacks • If you lose control of DNS, they own you • Worth the time to give connection attempts to these systems an extra look

  24. Core_Host Filter- Web Server

  25. HR IDS Application • Content monitoring systems • Spy on employees • Monitors web, IM, e-mail, for confidential information leakage • Helps address the inside attacker • Identifies violations against the company acceptable use policy

  26. NIDS Pros • Internet is a large attack vector • Fairly easy to setup • Does not affect the speed of the network or add load to the systems it monitors

  27. NIDS Cons • Sensors have limited speed • Almost impossible to detect attacks not in rule set • Very susceptible to “low” and “slow” attacks

  28. NIDS Summary • NIDS is an important part of a robust perimeter defense. • NIDS tools such as BlackICE, Defender, Snort, and Ethereal are available and viable products • Add-ons provide additional features

  29. Why NIDS is not Enough? • Very fast networks • Switched networks • Encrypted networks • Backdoors in local network • Insider on network • NIDS may miss attack • Don’t trust corporate security that much

  30. HIDS • Host-based systems monitor their network connections and file system status. • Have to acquire the aggregate logs of ALL critical systems at a minimum • When potential problems are found, alerts are raised

  31. HIDS • Monitoring and controlling traffic into and out of the host • Generating logs that record activity on the host • Performing actions based on what is found in the logs • Managing file changes on the host- authorized or otherwise

  32. Unix Based- HIDS • TCPWrappers and Xinetd • Port Sentry (reacts to port scans) • Syslog • Swatch • Tripwire

  33. TCPWrappers • Monitors and filters incoming TCP network service requests • Valuable logging tool • Currently included in most Unix / Linux distributions

  34. Without TCPWrappers

  35. With TCPWrappers

  36. TCPWrappers Configuration • The ACLs for TCP Wrappers are configured in the /etc/hosts.deny and /etc/hosts.allow files. • /etc/hosts.allow is consulted first, then /etc/hosts.deny; a client that matches neither file is allowed • The default setting in /etc/hosts.deny is a single line:
  ALL: ALL
  # Deny everything, add back with /etc/hosts.allow
  • “deny everything not expressly permitted”

  37. Hosts Allow (/etc/hosts.allow)
  ALL: .nnnn.abc.org, 192.168.2., friend.somewhere.edu
  sshd: trustedhost.somewhere.org
  • A leading dot (.nnnn.abc.org) matches a domain suffix; a trailing dot (192.168.2.) matches an address prefix. Without the trailing dot tcpd would look for an exact host or address match and the entry would never fire.

  38. TCPWrappers • Checks both forward and reverse DNS lookup • Both answers must match or connection is dropped • Adds a layer of security against spoofing
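Slides 36 to 38 together describe one decision procedure: resolve the client, refuse it if forward and reverse DNS disagree, then consult hosts.allow and hosts.deny in that order. The following is an added example that re-implements that procedure in Python for illustration; it is not the tcpd source and handles only the client patterns the slides use (ALL, domain suffix, address prefix, exact name or address), not EXCEPT, net/mask, LOCAL or KNOWN/UNKNOWN. The DNS tables, the forged PTR for 203.0.113.9 and all addresses are constructed; the ACL entries are those from slides 36 and 37.

```python
"""TCP Wrappers-style access decision (added example; not the tcpd source).
Follows hosts_access(5) order: PARANOID check, hosts.allow, hosts.deny, default allow.
DNS is simulated with hard-coded tables; only IPv4 clients are handled."""

# Constructed DNS data: PTR records by address, A records by name.
REVERSE = {
    "192.168.2.15": "ws15.nnnn.abc.org",
    "10.9.8.7": "friend.somewhere.edu",
    "198.51.100.4": "trustedhost.somewhere.org",
    "203.0.113.9": "trustedhost.somewhere.org",   # forged PTR: the forward lookup disagrees
}
FORWARD = {
    "ws15.nnnn.abc.org": ["192.168.2.15"],
    "friend.somewhere.edu": ["10.9.8.7"],
    "trustedhost.somewhere.org": ["198.51.100.4"],
}

HOSTS_ALLOW = """
ALL: .nnnn.abc.org, 192.168.2., friend.somewhere.edu
sshd: trustedhost.somewhere.org
"""
HOSTS_DENY = """
# Deny everything, add back with /etc/hosts.allow
ALL: ALL
"""


def parse_table(text):
    """Return [(daemon_patterns, client_patterns), ...] from a hosts.allow/deny body."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")            # daemon_list : client_list [: shell_command]
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def client_match(pattern, name, addr):
    if pattern == "ALL":
        return True
    if pattern.startswith("."):             # domain suffix, e.g. .nnnn.abc.org
        return name.endswith(pattern)
    if pattern.endswith("."):               # address prefix, e.g. 192.168.2.
        return addr.startswith(pattern)
    return pattern in (name, addr)          # exact host name or address


def resolve_client(addr):
    """Reverse lookup, then confirm the name maps back to the connecting address."""
    name = REVERSE.get(addr)
    if name is None:
        return "unknown"                    # tcpd's name for clients without a PTR record
    if addr not in FORWARD.get(name, []):
        return "PARANOID"                   # forward and reverse DNS do not agree
    return name


def hosts_access(daemon, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """True if the connection is permitted, False if it is to be dropped."""
    name = resolve_client(addr)
    if name == "PARANOID":
        return False                        # tcpd built with -DPARANOID refuses these outright
    for table, verdict in ((allow, True), (deny, False)):
        for daemons, clients in parse_table(table):
            if any(d in ("ALL", daemon) for d in daemons) and \
               any(client_match(c, name, addr) for c in clients):
                return verdict
    return True                             # matched in neither file: access granted


if __name__ == "__main__":
    for daemon, addr in [("sshd", "192.168.2.15"), ("ftpd", "198.51.100.4"),
                         ("sshd", "198.51.100.4"), ("sshd", "203.0.113.9"), ("sshd", "10.9.8.8")]:
        print(daemon, addr, "allowed" if hosts_access(daemon, addr) else "denied")
```

Two behaviours worth noticing: 203.0.113.9 is refused for sshd even though its (forged) reverse name appears in hosts.allow, because the forward lookup of trustedhost.somewhere.org does not contain that address, and 192.168.2.200 is admitted with no PTR record at all, because the trailing-dot prefix pattern matches on the address. Anyone who can tamper with your resolver can therefore influence these decisions, which is why the slides treat DNS as a core host worth an extra look.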

  39. DNS Review

  40. TCPWrappers in Action

  41. Psionic Port Sentry • Runs on TCP and UDP • Stealth scan detection for Linux • Reacts to a port scan attempt by blocking the host in real-time • Remembers hosts that connected previously

  42. Port Sentry Log
  Jul 3 11:30:20 shepherd portsentry[418]: attackalert: SYN/Normal scan from host: node10453.a2000.nl/24.132.4.83 to TCP port: 143
  Jul 3 11:30:20 shepherd portsentry[418]: attackalert: Host 24.132.4.83 has been blocked via wrappers with string: "ALL: 24.132.4.83"
  Jul 3 11:30:20 shepherd portsentry[418]: attackalert: Host 24.132.4.83 has been blocked via dropped route using command: "/sbin/route add -host 24.132.4.83 gw 333.444.555.666"
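The reaction that the log above records, as an added example written for this page rather than taken from PortSentry. A connection to a watched trap port from a host that is neither ignored nor already blocked is counted; once the count exceeds a trigger threshold the host is blocked and the two responses from the log are generated, a TCP Wrappers deny entry and a blackhole route. The trap-port list, the ignore list, the 192.0.2.254 dead-end gateway and the connection events are all constructed, and the trigger-count semantics (hits tolerated before reacting, 0 meaning react on the first) are this example’s reading of PortSentry’s TRIGGER_COUNT option. Nothing is written to /etc/hosts.deny or passed to /sbin/route; the strings are only returned.

```python
"""Port-scan reaction in the PortSentry style (added example; not PortSentry's code).
Events are constructed (proto, source, dport) tuples; block actions are returned as strings."""

TRAP_PORTS = {1, 11, 15, 79, 111, 119, 143, 540, 635, 1080, 1524, 2000, 12345, 31337}
IGNORE_HOSTS = {"127.0.0.1", "192.168.1.1"}      # constructed: localhost and the default gateway
# PortSentry substitutes $TARGET$ with the offending address in these templates.
KILL_HOSTS_DENY = "ALL: $TARGET$"
KILL_ROUTE = "/sbin/route add -host $TARGET$ gw 192.0.2.254"   # constructed dead-end gateway


class PortSentry:
    def __init__(self, trap_ports=TRAP_PORTS, ignore=IGNORE_HOSTS, trigger_count=0):
        self.trap_ports = trap_ports
        self.ignore = ignore
        self.trigger_count = trigger_count  # hits tolerated before reacting; 0 reacts on the first
        self.hits = {}                      # remembers every host that has probed a trap port
        self.blocked = set()
        self.log = []

    def connect(self, proto, src, dport):
        """Feed one connection attempt; return the block actions taken, if any."""
        if dport not in self.trap_ports or src in self.ignore or src in self.blocked:
            return []                       # a real service, a trusted host, or already handled
        self.hits[src] = self.hits.get(src, 0) + 1
        self.log.append("attackalert: %s scan from host: %s to %s port: %d"
                        % (proto.upper(), src, proto.upper(), dport))
        if self.hits[src] <= self.trigger_count:
            return []                       # below threshold: logged, remembered, not yet blocked
        return self._react(src)

    def _react(self, src):
        self.blocked.add(src)
        deny = KILL_HOSTS_DENY.replace("$TARGET$", src)
        route = KILL_ROUTE.replace("$TARGET$", src)
        self.log.append('attackalert: Host %s has been blocked via wrappers with string: "%s"' % (src, deny))
        self.log.append('attackalert: Host %s has been blocked via dropped route using command: "%s"'
                        % (src, route))
        return [deny, route]


# Constructed connection attempts: (protocol, source address, destination port).
EVENTS = [
    ("tcp", "24.132.4.83", 143),    # first trap hit: blocked at once when trigger_count is 0
    ("tcp", "24.132.4.83", 111),    # already blocked: no duplicate alert
    ("tcp", "192.168.1.1", 143),    # the gateway is on the ignore list
    ("tcp", "10.0.0.9", 80),        # not a trap port: none of PortSentry's business
    ("tcp", "203.0.113.7", 15),     # a slower scanner, three probes in a row
    ("tcp", "203.0.113.7", 79),
    ("tcp", "203.0.113.7", 1524),
]


def simulate(events, trigger_count=0):
    """Run events through a fresh sentry; return (blocked hosts, actions, log lines)."""
    sentry = PortSentry(trigger_count=trigger_count)
    actions = []
    for proto, src, dport in events:
        actions.extend(sentry.connect(proto, src, dport))
    return sentry.blocked, actions, sentry.log


if __name__ == "__main__":
    blocked, actions, log = simulate(EVENTS)
    print("\n".join(log))
    print(sorted(blocked), actions)
```

With `trigger_count=2` the first host is only remembered (two hits, never blocked) while the third probe from 203.0.113.7 crosses the threshold. The caveat a practitioner wants here: the reaction keys on the source address of a SYN, which an attacker can forge, so a spoofed scan “from” your gateway or DNS server can get that host blackholed. That is what the ignore list is for, and why the route-based block only stops your replies rather than the attacker’s packets.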

  43. Syslog • Unix system logger can be on a local system or other system • TCPWrappers logs to Syslog by default • Logs can offer valuable information, but they can also be compromised • Swatch or other tools can monitor syslog and raise alerts

  44. Syslog Example
  Nov 13 01:28:36 ns1 named[22988]: unapproved AXFR from [192.168.1.2].3209 for abc.nnnn.org
  Nov 13 01:28:36 ns2 named[89]: unapproved AXFR from [192.168.1.2].3250 for abc.nnnn.org
  • AXFR = zone transfer attempt (refused by named, because 192.168.1.2 is not an approved transfer peer)

  45. Swatch • Swatch (Simple WATCHer) is one such tool that monitors selected log files • Completes one or more user-specified actions when it encounters a match to a user defined search string

  46. Swatch • Keywords: • watchfor regular expression • ignore regular expression

  47. Swatch • Actions: • echo attributes • bell length • mail recipient,subject line • write user • exec “command” • pipe “command”
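Slides 43 to 47 describe one pipeline: syslog lines arrive, a configuration of watchfor and ignore patterns is applied, and actions fire on a match. The following is an added example of that pipeline written for this page; it is not Swatch, which is a Perl program, and it understands only the two keywords above and the echo, mail and exec actions. Rules are tried in order and the first match wins, as in swatch when no `continue` action is given, and `$0` in an exec line is expanded to the matching log line as swatch does. Actions are not executed, only returned, so the result can be inspected. The two AXFR lines and the PortSentry line are the ones from slides 42 and 44; the lame-server and sshd lines, the mail address and the command path are constructed.

```python
"""Swatch-style log watcher (added example; not Swatch itself).
Parses watchfor/ignore rules with indented actions and applies them to log lines."""
import re

CONFIG = r"""
# resolver noise nobody needs to be paged about
ignore /named\[\d+\]: lame server/

watchfor /unapproved AXFR from/
    echo bold
    mail addresses=dnsadmin,subject=Zone transfer attempt

watchfor /portsentry\[\d+\]: attackalert/
    echo
    exec "echo $0 >> /var/log/attacks"
"""

# Constructed log sample; the AXFR and portsentry lines are the slides' own.
LOG = [
    "Nov 13 01:28:36 ns1 named[22988]: unapproved AXFR from [192.168.1.2].3209 for abc.nnnn.org",
    "Nov 13 01:28:36 ns2 named[89]: unapproved AXFR from [192.168.1.2].3250 for abc.nnnn.org",
    "Nov 13 01:29:01 ns1 named[22988]: lame server resolving 'example.net' (in 'example.net'?): 198.51.100.7#53",
    "Jul  3 11:30:20 shepherd portsentry[418]: attackalert: SYN/Normal scan from host: "
    "node10453.a2000.nl/24.132.4.83 to TCP port: 143",
    "Jul  3 11:30:21 shepherd sshd[1200]: Accepted publickey for ops from 192.168.2.15 port 50122 ssh2",
]


def parse_config(text):
    """Return rules as dicts: keyword, compiled regex, list of action lines."""
    rules = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] not in " \t":                       # a watchfor/ignore line
            keyword, _, pattern = raw.strip().partition(" ")
            pattern = pattern.strip()
            if not (pattern.startswith("/") and pattern.endswith("/")):
                raise ValueError("pattern must be written /regex/: %r" % raw)
            rules.append({"keyword": keyword, "regex": re.compile(pattern[1:-1]), "actions": []})
        else:                                         # an indented action under the last rule
            rules[-1]["actions"].append(raw.strip())
    return rules


def watch(config, lines):
    """Apply the rules to each line; return (verb, expanded detail, line) for every action that fires."""
    rules = parse_config(config)
    fired = []
    for line in lines:
        for rule in rules:
            if not rule["regex"].search(line):
                continue
            if rule["keyword"] == "watchfor":
                for action in rule["actions"]:
                    verb, _, detail = action.partition(" ")
                    fired.append((verb, detail.replace("$0", line), line))   # $0 = whole line
            break                                     # first matching rule wins (no 'continue')
    return fired


if __name__ == "__main__":
    for verb, detail, line in watch(CONFIG, LOG):
        print("%-5s %-45s <- %s" % (verb, detail[:45], line[:50]))
```

Six actions fire: echo and mail for each AXFR line, echo and exec for the PortSentry alert, nothing for the lame-server line (dropped by the ignore rule ahead of it) or the successful login. Note what the expanded exec detail contains: the entire log line, including the attacker-controlled reverse name `node10453.a2000.nl`. Passing `$0` to a shell, as the exec action does in real swatch configurations, hands that text to the shell unquoted, so a hostname carrying metacharacters becomes command injection on your monitoring host. Quote it, or better, use the pipe action and a program that reads stdin.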

  48. Swatch- Sample Configuration File

  49. Swatch Notification

  50. Tripwire • It will examine some or all of the file system (configurable) • Create one or more cryptographic hashes of each file • If a file changes, the change can be detected
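The three steps on the slide, as an added example written for this page rather than Tripwire’s own code: `baseline()` records a SHA-256 digest, size and mode for every regular file under a directory, `verify()` re-reads the tree and reports what was added, removed or changed, and the database is signed so that an intruder who gains root cannot quietly re-baseline over their own changes. Tripwire does that signing with a site key and its own database format; here it is stood in for by an HMAC over the serialized database under a key that in practice would live offline, and the key constant in the source is a placeholder. `demo()` builds a small constructed tree, tampers with it the way an intrusion would, and returns the report.

```python
"""File-integrity checking in the Tripwire style (added example; not Tripwire's code).
baseline() hashes a tree, verify() diffs the live tree against it, sign_db() protects the baseline."""
import hashlib
import hmac
import json
import os
import stat
import tempfile

SITE_KEY = b"placeholder-key: a real site key lives offline, not in the source"


def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Map each regular file (path relative to root) to its digest, size and mode."""
    db = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue                               # symlinks and device nodes are not hashed here
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            db[rel] = {"sha256": file_digest(path), "size": st.st_size,
                       "mode": stat.S_IMODE(st.st_mode)}
    return db


def sign_db(db, key=SITE_KEY):
    """HMAC over the canonical JSON of the database (stand-in for Tripwire's site-key signature)."""
    return hmac.new(key, json.dumps(db, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def db_signature_ok(db, signature, key=SITE_KEY):
    return hmac.compare_digest(sign_db(db, key), signature)


def verify(root, db):
    """Compare the live tree with the baseline; return sorted added/removed/changed lists."""
    current = baseline(root)
    return {"added": sorted(set(current) - set(db)),
            "removed": sorted(set(db) - set(current)),
            "changed": sorted(p for p in set(db) & set(current) if current[p] != db[p])}


def demo():
    """Constructed tree: baseline it, tamper with it, check the baseline's signature, report."""
    with tempfile.TemporaryDirectory() as root:
        files = {"etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
                 "etc/hosts.deny": b"ALL: ALL\n",
                 "bin/ls": b"pretend these are the bytes of /bin/ls"}
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        db = baseline(root)
        signature = sign_db(db)
        # Tampering typical of an intrusion: trojaned binary, extra uid-0 account,
        # the wrappers ACL removed, a hidden file dropped in.
        with open(os.path.join(root, "bin/ls"), "wb") as f:
            f.write(b"pretend these are the bytes of a trojaned ls")
        with open(os.path.join(root, "etc/passwd"), "ab") as f:
            f.write(b"hax:x:0:0::/:/bin/sh\n")
        os.remove(os.path.join(root, "etc/hosts.deny"))
        with open(os.path.join(root, "bin/.sniffer"), "wb") as f:
            f.write(b"hidden payload")
        if not db_signature_ok(db, signature):
            raise RuntimeError("baseline database does not match its signature")
        return verify(root, db)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report from `demo()` lists `bin/.sniffer` as added, `etc/hosts.deny` as removed and both `bin/ls` and `etc/passwd` as changed. Two limits the slide leaves implicit: the baseline must be taken while the host is still known-good, and a compromised kernel can feed the checker clean bytes for a trojaned file, which is why Tripwire-style checking is strongest when the database and the checker itself are kept on read-only or offline media.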