
  1. Network Perimeter Security 2: Firewall Configurations, NIDS, and IPS

  2. Basic Packet Filtering
     • Direct access
     • Simple to set up
     • But rules can be complex
       • Hard to verify
       • Exceptions are hard to manage
       • Flexible rule sets needed

  3. Stateful Filtering
     • Maintain state
       • Alice is talking to Bob on port 2401
       • Alice sent a SYN/ACK packet
       • Expect an ACK from Bob
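Slide 3's state table, worked through as an added example (mine, not from the slides): a toy stateful filter that tracks the three-way handshake per connection and drops any outside packet the table is not waiting for. The inside prefix, the Alice/Bob addresses and the port 2401 exchange are constructed to mirror the slide.

```python
"""Toy stateful TCP filter for the handshake the slide describes.

Added example, not from the slides. Inside hosts live under a constructed
prefix; the filter keeps one entry per connection and only admits outside
packets that continue a connection an inside host opened."""
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."  # constructed: inside hosts share this prefix


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # subset of "SAFR"; "SA" means SYN/ACK


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


class StatefulFilter:
    """State table keyed by (inside ip, inside port, outside ip, outside port)."""

    def __init__(self):
        self.table = {}

    @staticmethod
    def key(p: Packet):
        if is_inside(p.src):
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)

    def handle(self, p: Packet) -> str:
        key = self.key(p)
        state = self.table.get(key)
        flags = set(p.flags)
        if is_inside(p.src):
            if flags == {"S"}:  # inside host opens a connection
                self.table[key] = "SYN_SENT"
                return "ACCEPT"
            if state == "SYN_RECEIVED" and "A" in flags:  # third handshake step
                self.table[key] = "ESTABLISHED"
                return "ACCEPT"
            if state == "ESTABLISHED":
                if flags & {"R", "F"}:  # connection torn down; forget it
                    del self.table[key]
                return "ACCEPT"
            return "DROP"  # outbound packet that belongs to no connection
        # Outside packets: only the reply the state table is waiting for.
        if state == "SYN_SENT" and flags == {"S", "A"}:
            self.table[key] = "SYN_RECEIVED"
            return "ACCEPT"
        if state == "ESTABLISHED":
            if flags & {"R", "F"}:
                del self.table[key]
            return "ACCEPT"
        return "DROP"  # unsolicited SYN, SYN/ACK or stray ACK from outside


def demo():
    """Walk an Alice/Bob exchange on port 2401 plus two packets nobody asked for."""
    fw = StatefulFilter()
    alice, bob = "10.0.0.5", "192.0.2.10"  # constructed addresses
    return [
        fw.handle(Packet(bob, 40000, alice, 2401, "SA")),  # no SYN yet -> DROP
        fw.handle(Packet(alice, 2401, bob, 40000, "S")),  # Alice opens -> ACCEPT
        fw.handle(Packet(bob, 40000, alice, 2401, "SA")),  # awaited reply -> ACCEPT
        fw.handle(Packet(alice, 2401, bob, 40000, "A")),  # handshake done -> ACCEPT
        fw.handle(Packet("198.51.100.7", 444, alice, 2401, "A")),  # stray ACK -> DROP
    ]
```

The first and last packets are what a stateless filter cannot tell apart from legitimate traffic: a SYN/ACK or a bare ACK looks like the middle of a conversation, and only the state table knows that no inside host ever started one.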

  4. Application Gateway
     • Virtual connection
       • Connect to the proxy
       • Connect from the proxy to the outside

  5. Application Gateway
     • Benefits
       • Information hiding: no nmaps, etc.
       • Incoming traffic gets pre-authenticated
       • Less complex packet filtering rules
       • More conservative filtering
       • More detailed audit logs

  6. Configuration Options
     • Packet filtering only
     • Dual-homed gateway
     • Screened host firewall
     • Screened subnet firewall

  7. Dual-Homed Gateway
     • App. gateway
     • 2 NICs
     • IP forwarding disabled
     • Info server: Web, FTP, Gopher, etc.

  8. Screened Host
     • Combines
       • Packet filter
       • App. gateway
     • Filter
       • Routes app. traffic to AG
       • Rejects non-app. traffic
       • Rejects outgoing traffic that is not from AG

  9. Screened Host
     • Flexibility
       • Can allow “trusted” traffic past AG
         • Concerns?
         • e.g. DNS
     • Some complexity

  10. Screened Subnet (DMZ)
     • Two packet filters
     • DMZ: info server, email, & app. gateway
     • Everything goes through the right channels
     • Benefits
       • Relatively simple rules at the filters
       • Router as gate to internal n/w
       • Potentially faster
     • Concerns
       • ?

  11. Screened Subnet (DMZ)

  12. NIDS
     • Network-based intrusion detection
     • Using network-level data
     • Generally using packet captures

  13. Intrusion Detection Placement

  14. Snort IDS
     • Snort consists of three subsystems:
       • Packet decoder (libpcap-based)
       • Detection engine
       • Logging and alerting subsystem
     • Detection engine
       • Rules form signatures
       • Some anomaly detection
         • Stealth scans, OS fingerprinting, invalid ICMP codes, etc.

  15. Snort: Sample IDS output
     Escalation!
     Apr 12 01:56:21 ids snort: EXPLOIT sparc setuid 0: 218.19.15.17:544 -> xxx.yyy.zzz.41:37987
     Apr 12 01:56:21 ids snort: EXPLOIT x86 NOOP: 23.91.17.7:544 -> xxx.yyy.zzz.41:37987
     Apr 12 07:31:03 ids snort: ICMP Nmap2.36BETA or HPING2 Echo : 63.26.255.221 -> xxx.yyy.zzz.34
     Apr 12 09:59:38 ids snort: RPC portmap request rstatd: 28.11.67.132:1033 -> xxx.yyy.zzz.29:111
     Apr 12 13:20:05 ids snort: ICMP Nmap2.36BETA or HPING2 Echo : 12.13.1.67 -> xxx.yyy.zzz.126
     Apr 12 14:13:22 ids snort: RPC portmap request rstatd: 134.1.5.12:3649 -> xxx.yyy.zzz.29:111
     Apr 12 20:19:34 ids snort: BACKDOOR back orrifice attempt: 209.255.213.130:1304 -> xxx.yyy.zzz.241:31337
     Apr 12 22:53:52 ids snort: DNS named iquery attempt: 209.126.168.231:4410 -> xxx.yyy.zzz.23:53
     Callouts: Buffer Overflow? | Network Mapping | Trojan Horse | DoS: crash BIND
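The eight alerts above, run through an added parser (mine, not from the slides) that pulls out timestamp, sensor, signature, source and destination, assigns each alert to one of the slide's callout categories, and groups hits by target host so that repeated alerts against one host stand out. The keyword-to-category map is my reading of the slide's callouts, not a Snort classification; the log lines are the slide's own, with its xxx.yyy.zzz masking kept.

```python
"""Parse the slide's Snort syslog alerts and group them by target host.

Added example, not from the slides. SAMPLE_LOG holds the slide's own alerts
(xxx.yyy.zzz is the slide's masking of the monitored network); CATEGORIES is
my reading of the slide's callouts, not a Snort classification."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Apr 12 01:56:21 ids snort: EXPLOIT sparc setuid 0: 218.19.15.17:544 -> xxx.yyy.zzz.41:37987
Apr 12 01:56:21 ids snort: EXPLOIT x86 NOOP: 23.91.17.7:544 -> xxx.yyy.zzz.41:37987
Apr 12 07:31:03 ids snort: ICMP Nmap2.36BETA or HPING2 Echo : 63.26.255.221 -> xxx.yyy.zzz.34
Apr 12 09:59:38 ids snort: RPC portmap request rstatd: 28.11.67.132:1033 -> xxx.yyy.zzz.29:111
Apr 12 13:20:05 ids snort: ICMP Nmap2.36BETA or HPING2 Echo : 12.13.1.67 -> xxx.yyy.zzz.126
Apr 12 14:13:22 ids snort: RPC portmap request rstatd: 134.1.5.12:3649 -> xxx.yyy.zzz.29:111
Apr 12 20:19:34 ids snort: BACKDOOR back orrifice attempt: 209.255.213.130:1304 -> xxx.yyy.zzz.241:31337
Apr 12 22:53:52 ids snort: DNS named iquery attempt: 209.126.168.231:4410 -> xxx.yyy.zzz.23:53
"""

# syslog timestamp, sensor name, "snort:", signature, "src -> dst"
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<sensor>\S+) snort: "
    r"(?P<sig>.+?) ?: (?P<src>\S+) -> (?P<dst>\S+)$")

CATEGORIES = [  # (keyword in signature, slide callout); assumption, not Snort's
    ("EXPLOIT", "buffer overflow?"),
    ("Nmap", "network mapping"),
    ("portmap", "network mapping"),
    ("BACKDOOR", "trojan horse"),
    ("named iquery", "DoS: crash BIND"),
]


def split_endpoint(ep):
    """'1.2.3.4:544' -> ('1.2.3.4', 544); ICMP alerts carry no port."""
    host, sep, port = ep.rpartition(":")
    return (host, int(port)) if sep else (ep, None)


def categorize(sig):
    for keyword, category in CATEGORIES:
        if keyword.lower() in sig.lower():
            return category
    return "uncategorized"


def parse_alerts(text):
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:  # not a Snort alert line; skip it
            continue
        src, sport = split_endpoint(m["src"])
        dst, dport = split_endpoint(m["dst"])
        alerts.append({"ts": m["ts"], "sensor": m["sensor"], "sig": m["sig"],
                       "category": categorize(m["sig"]),
                       "src": src, "sport": sport, "dst": dst, "dport": dport})
    return alerts


def by_target(alerts):
    """Categories seen per destination host; several hits on one host is the
    kind of pile-up the slide flags as 'Escalation!'."""
    hits = defaultdict(list)
    for a in alerts:
        hits[a["dst"]].append(a["category"])
    return dict(hits)
```

Grouping by destination is what turns a flat alert stream into the slide's reading of it: .41 takes two exploit attempts in the same second and .29 is probed twice for rstatd, while the single ICMP echoes are noise until they repeat.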

  16. Snort Rules
     • Snort rules consist of two parts
       • Rule header
         • Specifies src/dst host and port
         • alert tcp !128.119.0.0/16 any -> 128.119.166.5 any
       • Rule options
         • Specifies flags, content, output message
         • (flags: SFAPR; msg: “Xmas tree scan”)
     • Using both parts together gives Snort great flexibility
     • Variables are allowed in the ruleset

  17. Writing Snort Rules
     • Snort uses a simple rules language
       • http://packetstormsecurity.nl/papers/IDS/snort_rules.htm
     • Rule header consists of
       • Rule actions: alert, log, pass, dynamic, activate, etc.
       • Protocol: tcp, udp, icmp, etc.
       • IP addresses: source, dest, CIDR mask
       • Port numbers: source, dest, range
       • Direction
       • Negation

  18. Writing Snort Rules
     • Rule options consist of
       • msg
       • flags
       • content
       • dsize
       • seq
       • ack
       • itype/icode
       • fragbits
       • ttl
       • Many others

  19. Making a Snort Rule
     • FIN scan
       • Open ports don’t respond
       • Closed ports respond with a RST

     # nmap -sF -v 192.168.0.7
     Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-04-23 21:17 EDT
     Initiating FIN Scan against 192.168.0.7 [1663 ports] at 21:17
     The FIN Scan took 1.51s to scan 1663 total ports.
     Host 192.168.0.7 appears to be up ... good.
     Interesting ports on 192.168.0.7:
     (The 1654 ports scanned but not shown below are in state: closed)
     PORT   STATE         SERVICE
     21/tcp open|filtered ftp
     22/tcp open|filtered ssh
     …
     Nmap finished: 1 IP address (1 host up) scanned in 2.276 seconds
     Raw packets sent: 1674 (66.9KB) | Rcvd: 1655 (76.1KB)

  20. Making a Snort Rule
     • OS fingerprinting
       • OSes have different implementations
       • Probe to find these
     • Examples:
       • T1: Test 1 sends a SYN frame with a mix of TCP options to an open port. These options consist of a window scale option of 10, a maximum segment size of 265, and a timestamp value of 1061109567.
       • T2: Test 2 sends a NULL TCP frame (no flags set) to an open port. This frame includes the same TCP options as those in Test 1.
       • T3: Test 3 sends a TCP frame with the SYN, FIN, PSH, and URG flags to an open port. This frame also includes the same TCP options as those found in test 1 and test 2.

  21. Making a Snort Rule
     • Smurf attack
       • ICMP
       • 1500 bytes
       • Spoofed IP
       • Broadcast address
     • Snort options
       • dsize, itype=8 (echo)

  22. Making Snort Rules
     • Attacks
       • SYN FIN scan
       • OS fingerprinting
       • Smurf
     • Parameters
       • Network: 202.15.6.0/24
     • Variables
       • $EXTERNAL_NET, $HOME_NET
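The rule-writing exercise on slides 16 to 22, worked as an added example (mine, not Snort's code and not from the slides): a small matcher that parses rules in the slide syntax, resolves $HOME_NET and $EXTERNAL_NET for the 202.15.6.0/24 network, and evaluates constructed packets for the FIN scan, the T2 and T3 fingerprinting probes and the Smurf echo. It also parses the option format used by the appendix rules (content:, reference:), ignoring options it does not implement. The rule bodies and packets are my constructions; real Snort checks far more than this.

```python
"""Mini Snort-style rule matcher for the rule syntax shown on the slides.

Added example, not Snort and not from the slides. It parses rules in the slides'
syntax (CIDR, negation, $VARIABLES, port ranges; options msg, flags, dsize, itype,
content) and tests constructed packets against them. RULES are mine, written for
the slide 22 exercise; the Xmas tree rule is the one quoted on slide 16."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

VARS = {"HOME_NET": "202.15.6.0/24", "EXTERNAL_NET": "!202.15.6.0/24"}  # slide 22's network
RULE_RE = re.compile(r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
                     r"\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

@dataclass
class Packet:
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    flags: str = ""              # TCP flag letters F S R P A U
    payload: bytes = b""
    itype: Optional[int] = None  # ICMP type

def expand(tok):
    """Resolve a $VARIABLE through VARS; anything else is literal."""
    return VARS[tok[1:]] if tok.startswith("$") else tok

def parse_rule(text):
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: " + text)
    rule = {k: expand(v) for k, v in m.groupdict().items() if k != "opts"}
    opts = [o.strip().partition(":") for o in m["opts"].split(";") if o.strip()]
    rule["opts"] = {k.strip(): v.strip().strip('"') for k, _, v in opts}
    return rule

def match_addr(spec, ip):
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not match_addr(spec[1:], ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def match_port(spec, port):
    if spec == "any":
        return True
    if port is None:                   # ICMP carries no ports
        return False
    lo, sep, hi = spec.partition(":")  # '80', '1:1024', ':1024' or '1024:'
    low = int(lo) if lo else 0
    high = (int(hi) if hi else 65535) if sep else low
    return low <= port <= high

def flags_match(spec, flags):
    """Snort semantics: 'SF' = exactly SYN+FIN, 'A+' = ACK plus anything, '0' = none."""
    have = set(flags)
    if spec == "0":
        return not have
    if spec.endswith("+"):
        return set(spec[:-1]) <= have
    return have == set(spec)

def dsize_match(spec, size):
    """'>1000', '<50' or an exact payload size."""
    if spec[0] in "<>":
        return size > int(spec[1:]) if spec[0] == ">" else size < int(spec[1:])
    return size == int(spec)

def matches(rule, p):
    """Header first, then each option this engine knows; reference: etc. are ignored."""
    if rule["proto"] not in ("ip", p.proto):
        return False
    if not (match_addr(rule["src"], p.src) and match_port(rule["sport"], p.sport)
            and match_addr(rule["dst"], p.dst) and match_port(rule["dport"], p.dport)):
        return False
    checks = {"flags": lambda v: flags_match(v, p.flags),
              "dsize": lambda v: dsize_match(v, len(p.payload)),
              "itype": lambda v: p.itype == int(v),
              "content": lambda v: v.encode() in p.payload}
    return all(checks[k](v) for k, v in rule["opts"].items() if k in checks)

RULES = [parse_rule(r) for r in (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FIN scan"; flags:F;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"NULL probe (fingerprint T2)"; flags:0;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SYN FIN PSH URG (fingerprint T3)"; flags:SFPU;)',
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"Smurf: large echo request"; itype:8; dsize:>1000;)',
    'alert tcp !128.119.0.0/16 any -> 128.119.166.5 any (flags:SFAPR; msg:"Xmas tree scan";)')]

def demo():
    """Constructed packets: three probes, a Smurf-sized echo, plain HTTP, and a
    FIN from inside HOME_NET that the $EXTERNAL_NET rules must not fire on."""
    ext, home = "198.51.100.9", "202.15.6.20"
    pkts = {"fin": Packet("tcp", ext, 40000, home, 22, flags="F"),
            "null": Packet("tcp", ext, 40001, home, 22),
            "t3": Packet("tcp", ext, 40002, home, 22, flags="SFPU"),
            "smurf": Packet("icmp", ext, None, "202.15.6.255", None, itype=8, payload=b"\0" * 1472),
            "http": Packet("tcp", ext, 40003, home, 80, flags="A", payload=b"GET / HTTP/1.0"),
            "inside_fin": Packet("tcp", "202.15.6.7", 5000, home, 22, flags="F")}
    return {name: [r["opts"]["msg"] for r in RULES if matches(r, p)] for name, p in pkts.items()}
```

demo() fires exactly one rule per probe, nothing on the HTTP segment, and nothing on the FIN that originates inside $HOME_NET; that last case is the check that the negated variable was resolved correctly, since a rule with "any" as its source would alert on the site's own hosts.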

  23. Intrusion Detection Evasion
     • Modify standard attack packets
       • Fragmentation
       • Re-encoding
       • Multi-packet attacks
     • DoS the IDS

  24. IDS Evasion with Unicode
     • Unicode
       • Unicode provides a unique number for every character, no matter what the platform, no matter what the program, no matter what the language.
       • Unicode characters are called code points and can be represented by U+xxxx where x is a hexadecimal digit.

  25. IDS Evasion with Unicode
     • Why is Unicode a problem?
       • Multiple representations of a single character.
         • ‘A’ is the same in Russian
       • Some code points can be used to modify the previous code point.
       • Many code points have multiple representations.
         • 30 different representations for the letter "A".
         • The string "AEIOU" can be expressed 83,060,640 ways
     • Re-encode attacks
       • “Today it is possible to use UTF-8 encoding to attack an IIS server and evade detection from all vendor's NIDS.”

  26. Snot
     • Snort requires resources
       • like anything else
     • Snot
       • takes a Snort ruleset
       • generates packets that fit the rules
       • Clobber Snort with hits
       • DoS the IDS
       • http://www.sec33.com/sniph/

  27. IPS
     • Reality of today’s n/w
       • Automated attacks
       • Too many alerts!
       • BRF meaningless
     • Solution
       • Use IDS to decide what to block
       • Fast n/w processing units

  28. Snort Inline
     • New rules
       • Drop: no response
       • Reject: TCP reset or ICMP unreachable
       • Sdrop: no response, no log

  29. END

  30. Snort Rules Example
     alert tcp $EXTERNAL_NET any -> $HOME_NET 20432 (msg:"DDOS shaft client to handler"; flags: A+; reference:arachnids,254;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00:DaemontoMaster(messagedetected)"; content:"l44";reference:arachnids,186;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00:DaemontoMaster(*HELLO*detected)"; content:"*HELLO*"; reference:arachnids,185;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00:Attacker to Master default startup password";flags: A+; content:"betaalmostdone"; reference:arachnids,197;)

  31. Snort rules examples
     alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default password";flags: A+; content:"gOrave";)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default mdie password";flags: A+; content:"killme";)
     alert udp $EXTERNAL_NET any -> $HOME_NET 27444 (msg:"DDOS Trin00:MastertoDaemon( defaultpassdetected!)"; content:"l44adsl"; reference:arachnids,197;)

  32. ICMP Type Information
     Type  Name                       Reference
     ----  -------------------------  ---------
        0  Echo Reply                 [RFC792]
        1  Unassigned                 [JBP]
        2  Unassigned                 [JBP]
        3  Destination Unreachable    [RFC792]
        4  Source Quench              [RFC792]
        5  Redirect                   [RFC792]
        6  Alternate Host Address     [JBP]
        7  Unassigned                 [JBP]
        8  Echo                       [RFC792]
        9  Router Advertisement       [RFC1256]
       10  Router Solicitation        [RFC1256]
       11  Time Exceeded              [RFC792]
       12  Parameter Problem          [RFC792]
       13  Timestamp                  [RFC792]
       14  Timestamp Reply            [RFC792]
       15  Information Request        [RFC792]
       16  Information Reply          [RFC792]
       17  Address Mask Request       [RFC950]
       18  Address Mask Reply         [RFC950]
       …

  33. ICMP Type and Code Information
     Type  Name                       Reference
     ----  -------------------------  ---------
        0  Echo Reply                 [RFC792]
             Code 0  No Code
        1  Unassigned                 [JBP]
        2  Unassigned                 [JBP]
        3  Destination Unreachable    [RFC792]
             Code 0  Net Unreachable            [RFC792]
             Code 1  Host Unreachable           [RFC792]
             Code 2  Protocol Unreachable       [RFC792]
             …
        4  Source Quench              [RFC792]
             Code 0  No Code
        5  Redirect                   [RFC792]
             Code 0  Redirect Datagram for the Network (or subnet)
             Code 1  Redirect Datagram for the Host
             …
        6  Alternate Host Address     [JBP]
             Code 0  Alternate Address for Host
        7  Unassigned                 [JBP]
        8  Echo                       [RFC792]
             Code 0  No Code

  34. Unicode problems
     • IDS Evasion with Unicode (Eric Hacker) http://online.securityfocus.com/infocus/1232
     • Microsoft Internet Information Server (IIS) comes with Unicode extensions that are notoriously exploitable:
       • http://192.168.0.1/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
       • %c0%af is unicode for /
     • More details
       • in “Microsoft IIS Unicode Exploit” (Nate Miller, Lucent white paper) http://www.lucent.com/livelink/197020_Whitepaper.pdf
       • Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability http://online.securityfocus.com/bid/1806

  35. Insertion and Evasion
     • http://192.168.0.1/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
       • %c0%af is unicode for /
     • Making the end-system and the IDS match up is important.
       • When data reaches the IDS but not the end host, the type of attack is called insertion.
         • Fragmentation attacks are a form of insertion because extra data reaches the IDS.
       • When data is dropped by the IDS but reaches the end host, then it is called evasion.
         • The Unicode example is evasion in a sense because the important data was “dropped”, that is “wasn’t detected”, by the IDS.

  36. CTF
     • Capture the Flag
       • International competition
       • 30+ other schools
     • Logistics
       • 12/5, 10 am to 6 pm
       • Pizza & drinks
     • Goals
       • Defend your network
       • Keep services running
       • Attack!

  37. CTF Team
     • Need to prepare
     • Go to http://www.hackthissite.org
       • Register
       • Solve at least 5 out of 10 Basic Missions
     • Email me to join the team: mwright@uta.edu

  38. Security Classes
     • Infosec 2
       • Cryptography
       • Protocols
       • Labs and project
     • 6000-level
       • Internet Security (Spring)
       • Intrusion Detection (Fall)
       • Wireless Security (?)

  39. Making a Snort Rule

  40. Making a Snort Rule