Firewall Versus Network IDS

Firewall
-active filtering
-fail-close

Network IDS
-passive monitoring
-fail-open

NIDS Sensor Deployment

SNORT
-open source
-Highly configurable
-Lightweight IDS

Characteristics:
easily deployed on most nodes
efficient operation
easily configured by system administrators

Performs real-time packet capture
Detects a variety of attacks and probes

Packet -> Decoder -> Detection Engine -> Alert

Configured as passive
– Monitors traffic
– Is not in the main transmission path
– Is not an inline sensor

Configured as Intrusion Detection

Misuse Signature Intruder Detection

Example: if (src_ip == dst_ip && src_port == dst_port)
then alert "land attack"
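As an added example (not from the notes), the Packet -> Decoder -> Detection Engine -> Alert pipeline above written out for the land-attack misuse signature: the decoder pulls addresses and ports out of a raw IPv4/TCP packet and the detection engine matches signatures against the decoded fields. The packet builder and the SYN+FIN rule are constructed for illustration only.

```python
import struct
from dataclasses import dataclass


@dataclass
class Decoded:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    flags: int   # TCP flag bits (FIN=0x01, SYN=0x02, ...)


def decode(raw: bytes) -> Decoded:
    """Decoder stage: extract the fields the signatures need from a raw IPv4/TCP packet."""
    ihl = (raw[0] & 0x0F) * 4                       # IPv4 header length in bytes
    src_ip = ".".join(str(b) for b in raw[12:16])
    dst_ip = ".".join(str(b) for b in raw[16:20])
    src_port, dst_port = struct.unpack("!HH", raw[ihl:ihl + 4])
    flags = raw[ihl + 13] & 0x3F                     # flags byte of the TCP header
    return Decoded(src_ip, dst_ip, src_port, dst_port, flags)


# Detection engine: misuse signatures as (alert name, predicate over the decoded packet).
# The land-attack rule is the one from the notes; the SYN+FIN rule is an added illustrative signature.
SIGNATURES = [
    ("land attack", lambda p: p.src_ip == p.dst_ip and p.src_port == p.dst_port),
    ("SYN+FIN flags set", lambda p: (p.flags & 0x03) == 0x03),
]


def detect(raw: bytes) -> list:
    """Packet -> Decoder -> Detection Engine -> Alert: returns the alert names raised for one packet."""
    p = decode(raw)
    return [name for name, matches in SIGNATURES if matches(p)]


def build_packet(src_ip, dst_ip, src_port, dst_port, flags=0x02) -> bytes:
    """Constructed test input: minimal 20-byte IPv4 header + 20-byte TCP header, no payload."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src_ip.split(".")),
                         bytes(int(o) for o in dst_ip.split(".")))
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr


if __name__ == "__main__":
    print(detect(build_packet("10.0.0.5", "10.0.0.5", 139, 139)))    # land-attack shape -> alert
    print(detect(build_packet("192.0.2.8", "10.0.0.5", 40000, 80)))  # ordinary SYN -> no alert
```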

Monitoring Networks and Hosts
An IDS performs passive monitoring:
it records and analyzes data about system and network activity
if the IDS sends out an alert AND the response policy dictates intervention, then activities are affected

Network Based IDS
– Monitors traffic at selected points on a network in real or close to real time
– May examine network, transport, and/or application-level protocol activity
– Composed of a number of sensors, one or more servers for NIDS management functions, and one or more management consoles for the human interface
– Analysis of traffic patterns may be done at the sensor, the management server or a combination of the two

Host IDS
– Operating System Event

Inline Sensors
– used to block an attack when one is detected, performing both intrusion detection and prevention functions
– An inline sensor is inserted into a network segment so that the traffic that it is monitoring must pass through the sensor.
– Combining NIDS sensor logic with a firewall or LAN switch. This has the advantage that no additional hardware is needed
– Using a stand-alone inline NIDS sensor

Passive Sensors
– A passive sensor monitors a copy of network traffic; the actual traffic does not pass through the device
– Passive sensors are more efficient
– Network interfaces: a monitoring interface (receives the copied traffic) and a management interface (with IP address)

Machine Learning Intruder Detection Approaches

Neural networks: Simulate human brain operation with neurons and the synapses between them

Clustering and outlier detection: Group the observed data into clusters, then identify subsequent data as either belonging to a cluster or as an outlier.

Limitations of Anomaly Detection
Anomaly detectors are generally trained on legitimate data only
This limits the effectiveness of some of the techniques discussed.

Relatively high false positive rate: anomalies can just be new normal activities

Detect intrusion by:
– observing events in the system
– applying a set of patterns or rules to the data
– determining if the activity is intrusive or normal

Signature Approaches
– match a large collection of known patterns of malicious data against data stored on system or in transit over a network
– the signatures need to be large enough to minimize the false alarm rate, while still detecting a sufficiently large fraction of malicious data
– Widely used in anti-virus products, network traffic scanning proxies, and in NIDS

Signature Approach
-Advantages:
low cost in time and resource use
Wide acceptance
-Disadvantages:
significant effort to identify and review new malware to create signatures
inability to detect zero-day attacks

Rule-Based Detection
-involves the use of rules for identifying known penetrations or penetrations that would exploit known weaknesses
-Rules can also be defined that identify suspicious behavior
-Typically rules used are specific

A variety of classification approaches

Statistical: Analysis of the observed behavior using univariate, multivariate, or time-series models of observed metrics.
Knowledge based: Approaches use an expert system that classifies observed behavior according to a set of rules that model legitimate behavior.
Machine learning: Approaches automatically determine a suitable classification model from the training data using data mining techniques.

Issues Affecting Performance:
Efficiency, cost of detection

Statistical Approaches
characteristics:
– use captured sensor data
– multivariate models using the time and order of events

Advantages:
– their relative simplicity
– low computation cost
– lack of assumptions about expected behavior

Disadvantages:
– difficulty selecting suitable metrics
– not all behaviors can be modeled using these approaches.

Knowledge-based approaches
– developed during training to characterize data into distinct classes

advantages:
– robust
– flexible

disadvantages:
– the difficulty and time required to develop knowledge from the data
– human experts must assist with the process

Machine learning approaches
– use data mining techniques to develop a model that can classify data as normal or anomalous

Advantages:
– flexibility
– adaptability
– ability to capture inter-dependencies between observed metrics

disadvantages:
– dependency on assumptions about accepted behavior
– high false alarm rate
– high resource cost
– significant time and computational resources

Bayesian networks: encode probabilistic relationship among observed metrics
Markov models: Develop a model with sets of states

Elements of intrusion detection

components of intrusion detection systems:
From an algorithmic perspective
-Features – capture intrusion evidence
-Models – piece the evidence together

From a system architecture perspective:
Audit data processor, knowledge base, decision engine, alarm generation and responses

Data preprocessor
Detection Engine <- Detection Models
Decision Engine <- Decision Table

Modeling and analysis
– misuse detection (a.k.a. signature-based)
– anomaly detection

Deployment
– host-based
– network-based

Development and maintenance
– hand-coding of "expert knowledge"
– learning based on data

Analysis Approaches
– anomaly detection
– misuse / signature detection

Anomaly Detection:
– involves the collection of data relating to the behavior of legitimate users over a period of time
– current observed behavior is analyzed to determine whether this behavior is that of a legitimate user or that of an intruder

Misuse / Signature Detection:
– uses a set of known malicious data patterns or attack rules that are compared with current behavior
– also known as misuse detection
– can only identify known attacks for which it has patterns or rules

Defense-in-Depth

Prevent -> Detect -> Survive

Intrusion Examples
– remote root compromise, running packet sniffer, web server defacement, distributing pirated software, guessing/cracking password, using an unsecured modem to access internal network, copying databases containing credit card numbers, impersonating an executive to get information, viewing sensitive data without authorization, using an unattended workstation

Designed to Counter Threats:
known, less sophisticated attacks
sophisticated targeted attacks
new, zero-day exploits

Defense-in-depth strategies include:
encryption
detailed audit trails
strong authentication and authorization controls
active management of operating systems
application security

Intruder behavior
primary assumptions:
system activities are observable
Normal and intrusive activities have distinct evidence

Personal Firewalls

-Can be housed in a router that connects all of the home computers to a DSL, cable modem, or other Internet interface
– Typically much less complex than server-based or standalone firewalls
– Primary role is to deny unauthorized remote access
– May also monitor outgoing traffic to detect and block worms and malware activity

Stealth Mode hides the system from the internet by dropping unsolicited communication packets
UDP packets can be blocked
Logging for checking on unwanted activity
Applications must have authorization to provide services

Deploying firewalls
– Internal DMZ network
– Internal protected network

Add more stringent filtering capability
Provide two-way protection with respect to the DMZ
Multiple firewalls can be used to protect portions of the internal network from each other

An important aspect of a distributed firewall configuration: security monitoring

Host-resident firewall, screening router, single bastion inline, single bastion T, double bastion inline, double bastion T, distributed firewall configuration

Bastion Host

Serves as a platform for an application-level gateway
System identified as a critical strong point in the network’s security

common characteristics
– runs secure o/s, only essential services
– may require user authentication to access proxy or host
– each proxy can restrict features, hosts accessed
– each proxy is small, simple, checked for security
– limited disk use, hence read-only code
– each proxy runs as a non-privileged user in a private and secured directory on the bastion host

Host Based Firewalls
– used to secure an individual host
– available in operating systems or can be provided as an add-on package
– Filter and restrict packet flows
– Common location is a server

Advantages:
filtering rules can be tailored to the host environment
protection is provided independent of topology
provides an additional layer of protection

Personal Firewalls
– controls traffic between a personal computer or workstation and the internet or enterprise network
– for both home and corporate use
– typically is a software module on a personal computer

Packet Filtering Firewall Countermeasures

IP Address spoofing Countermeasure: Discard packets with an inside source address if the packet arrives on an external interface.
Source routing attack countermeasure: Discard all packets in which the source specifies the route.
Tiny Fragment Attack Countermeasure: Enforce a rule that the first fragment of a packet must contain a predefined minimum amount of the transport header.

Stateful Inspection Firewall
Tightens rules for TCP traffic by creating a directory of TCP connections
– there is an entry for each currently established connection
– The packet filter allows incoming traffic to high-numbered ports only for those packets that fit the profile of one of the entries in this directory

Reviews packet information but also records information about TCP connections
– Keep track of TCP sequence numbers to prevent attacks that depend on the sequence number
– Inspects data for protocols like FTP, IM, and SIPS commands

Application-Level Gateway
Also called an application proxy
Acts as a relay of application-level traffic (basically a man or system in the middle)

User -> Gateway -> RemoteHost

Must have proxy code for each application
– may restrict application features supported
– tend to be more secure than packet filters

Disadvantage
– Additional processing overhead on each connection

Packet Filtering

Filtering rules are based on information contained in a network packet:
– source IP address
– Destination IP address
– Source and destination transport-level address (port)
– IP protocol field
– Interface

Two default policies:
-Discard – prohibit unless expressly permitted
more conservative, controlled, visible to users
-Forward – permit unless expressly prohibited
easier to manage and use but less secure

If dynamic protocols are in use, entire ranges of ports must be allowed for the protocol to work.
Ports > 1024 left open
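An added example (not from the notes) that puts the packet-filter countermeasures, the stateful connection directory and the default-discard policy from the sections above into one decision function over constructed packets. The inside prefix, the minimum first-fragment size and the explicit allow list are assumed values for illustration.

```python
from dataclasses import dataclass


@dataclass
class Pkt:
    iface: str                  # interface the packet arrived on: "ext" or "int"
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    syn: bool = False           # TCP SYN set (new connection request)
    fragmented: bool = False    # packet is one fragment of a larger datagram
    frag_offset: int = 0
    transport_bytes: int = 20   # bytes of transport header carried in this fragment
    source_routed: bool = False # IP source-route option present


INSIDE_PREFIX = "10.0.0."               # assumed internal address range
MIN_FIRST_FRAGMENT = 16                 # assumed minimum transport-header bytes in a first fragment
PERMITTED_INBOUND = {("10.0.0.2", 80)}  # assumed explicit allow list; everything else is discarded


class StatefulFilter:
    def __init__(self):
        # directory of established connections: (inside ip, inside port, outside ip, outside port)
        self.directory = set()

    def decide(self, p: Pkt) -> str:
        # IP address spoofing countermeasure: inside source address arriving from outside
        if p.iface == "ext" and p.src_ip.startswith(INSIDE_PREFIX):
            return "discard: inside source address on external interface"
        # Source routing countermeasure
        if p.source_routed:
            return "discard: source-routed packet"
        # Tiny fragment countermeasure: first fragment must carry enough of the transport header
        if p.fragmented and p.frag_offset == 0 and p.transport_bytes < MIN_FIRST_FRAGMENT:
            return "discard: first fragment carries too little transport header"
        if p.iface == "int":
            if p.syn:   # outbound connection request: record it so the reply can come back
                self.directory.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port))
            return "forward"
        # Inbound from the external interface
        if p.dst_port > 1023:
            if (p.dst_ip, p.dst_port, p.src_ip, p.src_port) in self.directory:
                return "forward: matches connection directory"
            return "discard: no directory entry for high-numbered port"
        if (p.dst_ip, p.dst_port) in PERMITTED_INBOUND:
            return "forward: expressly permitted"
        return "discard: default policy"
```

Replies to a recorded outbound connection reach the high-numbered client port without opening the whole range; a packet to the same host and a port with no directory entry is dropped.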

Packet filtering advantages
– simplicity
– Typically transparent to users and very fast

Packet filtering disadvantages
– Cannot prevent attacks that employ application-specific vulnerabilities or functions
– Limited logging functionality
– Vulnerable to attacks and exploits that take advantage of TCP/IP
– Packet filter firewalls are susceptible to security breaches caused by improper configurations