480 likes | 684 Vues
Firewalls & Intrusion Detection Systems. Communications, Networking & Computer Security Sanjay Goel University at Albany. Outline. Firewall Definition Types Configuration Lab Exercise (Kerio Personal Firewall) IDS Definition Operation Lab Exercises. Firewall What is a Firewall?.
E N D
Firewalls & Intrusion Detection Systems Communications, Networking & Computer Security Sanjay Goel University at Albany
Outline • Firewall • Definition • Types • Configuration • Lab Exercise (Kerio Personal Firewall) • IDS • Definition • Operation • Lab Exercises
Firewall What is a Firewall? • A firewall is any device used to prevent outsiders from gaining access to your network. • It checks each packet against a list of rules to permit or deny its transmission • Firewalls commonly implement exclusionary schemes or rules that sort out wanted and unwanted addresses. • They filter all traffic between a protected (“inside”) network and a less trustworthy (“outside”) network
Firewall Composition? • Firewalls can be composed of software, hardware, or, most commonly, both. • The software components can be either proprietary, shareware, or freeware. • The hardware is typically any hardware that supports the firewall software.
Firewall Design Goals • All traffic in both direction must pass through the firewall • Only authorized traffic should be allowed to pass • Firewall should itself be immune to penetration • Compromised firewall can completely undermine the network security • Tradeoff between security and productivity • Internal network could be completely secure, but employees may not be able to communicate
Firewall Types • There are different kinds of firewalls, and each type has its advantages & disadvantages. • Firewalls can be classified in two broad categories • Network Level Firewalls • Personal Firewalls
Firewall Network Level Firewalls • Network-level firewalls are usually router based. • Rules of who & what can access your network is applied at router level. • Scheme is applied through a technique called packet filtering • Network Level Firewalls can be classified as • Packet-Filtering Firewalls • The simplest and most effective type of firewalls • Stateful Inspection Firewalls • Maintain state info from a packet to another in the input stream • Application-Level Firewalls (Proxies) • Proxy server, a relay of application-level traffic
Firewall Packet Filtering • Packet Filtering is the process of examining the packets that come to the router from the outside world. • Packet headers are inspected by a firewall or router to make a decision to block the packet or allow access • Two Approaches: • Stateless (a.k.a. static) • Stateful
Firewall Stateless Packet Filtering • Ignores the “state” of the connection • Each packet header is examined individually and compared to a “rule base” • Packet data is ignored • Common criteria to filter on: • Protocol Type • IP address • Port Number • Message Type
Firewall Stateful Packet Filtering • Maintains a record of the state of the connection (referred to as state table) • Packet is compared against both rule base and state table • Some stateful filters can examine both packet header and content • Called “stateful” because it permits outgoing sessions while denying incoming sessions
Firewall Application Gateway Firewall • When a remote user contacts a network running an application gateway, the gateway blocks the remote connection. • Instead of passing the connection along, the gateway examines various fields in the request. • If these meet a set of predefined rules, the gateway creates a bridge between the remote host and the internal host.
Firewall Access Policy • A list of rules describing which packets are to be forwarded • Each packet is compared against this list • The longer the list the greater the latency (delay) • Examples: • From any to any port 80 permit • From any to any PORT any deny • From *.albany.edu to any PORT any DENY
Firewall Limitations • Firewalls are not a complete solution to all computer security problems, limitations: • The firewall cannot protect against attacks that bypass the firewall • The firewall does not protect against internal threats • The firewall cannot protect against the transfer of virus-infected programs or files
Firewall Configuration Strategies • Screening Router • Simple • Filters traffic to internal computers • Provides minimal security Source: Guide To Firewalls and Network Security
Firewall Configuration Strategies • Screening Host • Host makes Internet request • Gateway receives client request and makes a request on behalf of the client • Host IP address never displayed to public Source: Guide To Firewalls and Network Security
Firewall Configuration Strategies • Two Routers, One Firewall • External router can perform initial static packet filtering • Internal router can perform stateful packet filtering • Multiple internal routers can direct traffic to different subnets Source: Guide To Firewalls and Network Security
Firewall Configuration Strategies • DMZ Screened Subnet • DMZ sits outside internal network but is connected to the firewall • Public can access servers residing in DMZ, but cannot connect to internal LAN Source: Guide To Firewalls and Network Security
Firewall Configuration Strategies • Two Firewalls, One DMZ • First firewall controls traffic between the Internet and DMZ • Second firewall controls traffic between the internal network and DMZ • Second firewall can also be a failover firewall
Firewall Kerio Personal Firewall (KPF) • What’s KPF? A software agent builds a barrier between PC and the Internet, to protect PC against hacker attacks and data leaks. • Why KPF? • KPF is designed to protect PC against attacks from both the Internet, and other computers in the local network. • KPF controls all data flow in both directions – from the Internet to your computer and vice versa • KPF can block all attempted communication allowing only what you choose to permit.
KPF Features • Blocks all externally originated IP traffic • Three security settings for easy configuration • MD5 signature verification protects the computer from Trojan horses • Protecting from Denial of Service (DOS) attacks to applications or services • Connections dialog clearly displays each application's activity at any given moment
KPF Features Cont’d. • Availability (KPF version 4.1.3): • Available for trial for home use (limited free version) http://www.kerio.com/kpf_download.html • Manual is available at the following site http://download.kerio.com/dwn/kpf/kpf41-en-v3.pdf • Business and institutional customers are encouraged to download this software for evaluation purposes. • Platform: • For Windows 98, Me, NT, 2000 and XP • (Win 95 not available any more)
KPF Installation • System requirements: • CPU Intel Pentium or 100% compatible • 64 MB RAM • 8 MB hard drive space (for installation only; at least 10 MB of additional space is recommended for logging) • Installation: • Executing the installation archive (kerio-pf-201-en-win.exe) • Choose the directory KPF be installed, or leave the default setting (C:\Program Files\Kerio\Personal Firewall) • Restart system after installation in order for the low-lever driver to be loaded
KPF Configuration • Overview — list of active and open ports, statistics, user preferences. • Network Security — rules for network communication of individual applications, Packet filtering, trusted area definitions • System Security — rules for startup of individual applications • Intrusions — configuration of parameters which will be used for detection of known intrusion types • Web - web content rules (URL filter, pop-ups blocking, control over sent data) • Logs & Alters -- logs viewing and settings
The Firewall Engine takes care of all KPF functions It runs as a background application It is represented by an icon in the System Tray Right click the icon: Stop All Traffic Firewall Status Administration KPF Firewall Engine
KPF Administration Test
KPF Security Settings • Level of Security: (KPF allows 3 security levels) • Permit Unknown: minimum security • Ask Me First: all communication is denied implicitly at this level • Deny Unknown: all communication is denied which is not explicitly permitted by the existing filter rules
KPF Packet Filtering Rules Comments
KPF Filter.log File • The filter.log file is used for logging KPF actions on a local computer • Filter.log is a text file where each record is placed on a new line. It has the following format: • 1,[08/Jun/2001 16:52:09] Rule 'Internet Information Services': Blocked: In TCP, richard.kerio.cz [192.168.2.38:3772]->localhost:25, Owner: G:\WINNT\SYSTEM32\INETSRV\INETINFO.EXE • How to read this log file?
IDSWhat Does it Do? • An intrusion detection system (IDS) monitors systems and analyzes network traffic to detect signs of intrusion. • An IDS can detect a variety of attacks in progress as well as well as attempts to scan a network for weaknesses. • An IDS can be a dedicated network appliance or a software solution installed on a host computer. • Two kinds of IDS Systems • Client Based (On a single node) • Network Based (Protecting the entire network)
IDSHow does it work? • If configured correctly, a network intrusion detection system (NIDS) can monitor all traffic on a network segment. • A NIDS is most effective when used in conjunction with a firewall solution, and having all of its dependent components being properly connected and functioning.
IDSConfiguration • NIDS can be installed on the external routers, the internal routers, or both. • Placing NIDS on external routers enables detection of attacks from the Internet • Placing NIDS on internal routers enables detection of internal hosts attempting to access the Internet on suspicious ports.
IDSMethods of Detection • A NIDS/IDS mainly use anomaly or pattern detection to identify an intrusion or intrusion attempt. • An anomaly example: This involves monitoring resource use, network traffic, user behavior and comparing it against normal levels. • If a user that normally only accesses the system between 9 am – 5pm, suddenly logs on at 3 am then this may indicate that an intruder has compromised the user’s account. A NIDS/IDS would then alert administrators to this suspicious activity. • A NIDS/IDS can detect hacker attempts to scan your network for intelligence gathering purposes.
IDSNetwork Packet Checking • Sits On Network location and “checks” packets that travel across the network. • If a packet contains a certain “footprint”, then it triggers an alert • Audit logs are generated and kept as records of alerts.
IDSCommonly Used IDS Systems (Windows) • ISS Internet Security Systems (Black Ice Guardian) • Used by individuals and small business networks. • Looks for common algorithms concealed or “wrapped” in wrappers i.e. TCP Wrapper. • Can be configured as an IDS and a Firewall. • Can track unauthorized traffic and block the ports the intruding script/software is using.
IDSVendor Firewalls & Versions (Hardware Based) • Axent: Raptor v6.5 • Checkpoint: FW1 v4.1 • Cisco: PIX v525 • MS: Proxy v2.0
Zone Alarm Pro! View Demo
Firewalls & IDSContributors • Edward Zhang • Michael LaBarge • Christopher Brown