Bastion Host

Serves as a platform for an application-level gateway
System identified as a critical strong point in the network’s security

common characteristics
– runs secure o/s, only essential services
– may require user authentication to access proxy or host
– each proxy can restrict features, hosts accessed
– each proxy is small, simple, checked for security
– limited disk use, hence read-only code
– each proxy runs as a non-privileged user in a private and secured directory on the bastion host

Host Based Firewalls
– used to secure an individual host
– available in operating systems or can be provided as an add-on package
– Filter and restrict packet flows
– Common location is a server

Advantages:
filtering rules can be tailored to the host environment
protection is provided independent of topology
provides an additional layer of protection

Personal Firewalls
– controls traffic between a personal computer or workstation and the internet or enterprise network
– for both home or corporate use
– typically is a software module on a personal computer

Packet Filtering Firewall Countermeasures

IP address spoofing countermeasure: discard packets with an inside source address if the packet arrives on an external interface.
Source routing attack countermeasure: discard all packets in which the source specifies the route (source-route option set).
Tiny fragment attack countermeasure: enforce a rule that the first fragment of a packet must contain a predefined minimum amount of the transport header.
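The three countermeasures as a toy filter over constructed packet records (an added example, not code from the notes; the field names, the inside prefix and the 16-byte minimum are assumptions):

```python
# Added example (not from the notes): a toy packet filter that applies the three
# countermeasures above to constructed packet records. The field names, the inside
# prefix and the minimum-header size are assumptions for the example.
import ipaddress

INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")   # constructed internal range
MIN_TRANSPORT_HDR = 16   # bytes of transport header a first fragment must carry (RFC 1858 uses 16)

def countermeasure_check(pkt):
    """Return (action, reason) for one packet dict.

    Keys used: iface ('external'/'internal'), src, src_route (bool),
    more_frags (bool), frag_offset, frag_len (bytes after the IP header).
    """
    # IP address spoofing: an inside source address must never arrive from outside
    if pkt["iface"] == "external" and ipaddress.ip_address(pkt["src"]) in INSIDE_NET:
        return ("discard", "inside source address on external interface")
    # Source routing: the sender must not be allowed to dictate the path
    if pkt.get("src_route", False):
        return ("discard", "source-route option present")
    # Tiny fragment: a first fragment too small to hold the transport header
    # would hide the port numbers from the filter
    if (pkt.get("more_frags", False) and pkt.get("frag_offset", 0) == 0
            and pkt.get("frag_len", 0) < MIN_TRANSPORT_HDR):
        return ("discard", "first fragment smaller than transport header")
    return ("forward", "")

def filter_batch(packets):
    """Apply the checks to a list of packets; returns the list of actions."""
    return [countermeasure_check(p)[0] for p in packets]

# Constructed sample packets: one of each attack case plus two legitimate ones
SAMPLE = [
    {"iface": "external", "src": "10.1.2.3"},                            # spoofed inside address
    {"iface": "external", "src": "198.51.100.4", "src_route": True},      # source routed
    {"iface": "external", "src": "198.51.100.5", "more_frags": True,
     "frag_offset": 0, "frag_len": 8},                                    # tiny first fragment
    {"iface": "external", "src": "198.51.100.6", "more_frags": True,
     "frag_offset": 0, "frag_len": 24},                                   # normal fragment
    {"iface": "internal", "src": "10.1.2.3"},                             # inside host going out
]

if __name__ == "__main__":
    for p, a in zip(SAMPLE, filter_batch(SAMPLE)):
        print(a, countermeasure_check(p)[1], p)
```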

Stateful Inspection Firewalls
Tightens rules for TCP traffic by creating a directory of TCP connections
– there is an entry for each currently established connection
– the packet filter allows incoming traffic to high-numbered ports only for packets that fit the profile of one of the entries in this directory

Reviews packet information but also records information about TCP connections
– Keep track of TCP sequence numbers to prevent attacks that depend on the sequence number
– Inspects data for protocols like FTP, IM and SIPS commands
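A toy stateful inspection filter illustrating the connection directory and sequence-number tracking described above (an added example, not code from the notes; the packet fields, the static allow-list and the strict zero-width window are assumptions):

```python
# Added example (not from the notes): a toy stateful inspection filter. It keeps a
# directory of TCP connections opened from the inside and admits inbound packets to
# high-numbered ports only when they match an entry and carry the expected sequence
# number. Packet dicts: direction ('out'/'in'), src, sport, dst, dport, flags (set),
# seq, ack, plen. The static allow-list and zero-width window are assumptions.
STATIC_INBOUND_ALLOW = {25}   # constructed: inbound SMTP to the mail server is always allowed
HIGH_PORT_MIN = 1024

class StatefulFilter:
    def __init__(self):
        self.directory = {}   # (inside_ip, inside_port, remote_ip, remote_port) -> state

    def handle(self, p):
        if p["direction"] == "out":
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            if p["flags"] == {"SYN"}:
                # new outbound connection: remember it and the ACK number we expect back
                self.directory[key] = {"state": "SYN_SENT", "expect_ack": p["seq"] + 1, "peer_seq": None}
            return "forward"
        key = (p["dst"], p["dport"], p["src"], p["sport"])   # inbound: inside end is the destination
        entry = self.directory.get(key)
        if entry is None:
            # not in the directory: high ports stay closed, low ports fall back to static rules
            return "forward" if p["dport"] < HIGH_PORT_MIN and p["dport"] in STATIC_INBOUND_ALLOW else "discard"
        if entry["state"] == "SYN_SENT":
            if p["flags"] == {"SYN", "ACK"} and p["ack"] == entry["expect_ack"]:
                entry["state"], entry["peer_seq"] = "ESTABLISHED", p["seq"] + 1
                return "forward"
            return "discard"
        # established: the peer's sequence number must be exactly the one expected
        if p["seq"] != entry["peer_seq"]:
            return "discard"
        entry["peer_seq"] += p["plen"]
        if p["flags"] & {"FIN", "RST"}:
            del self.directory[key]
        return "forward"

def run(packets):
    """Feed a packet list through one filter instance; returns the decision per packet."""
    f = StatefulFilter()
    return [f.handle(p) for p in packets]

def _pkt(direction, src, sport, dst, dport, flags, seq, ack, plen=0):
    return dict(direction=direction, src=src, sport=sport, dst=dst, dport=dport,
                flags=set(flags), seq=seq, ack=ack, plen=plen)

# Constructed trace: handshake from inside, one data segment, a segment with a wrong
# sequence number, and an unsolicited inbound packet to another high port
TRACE = [
    _pkt("out", "10.0.0.5", 40000, "203.0.113.7", 80, ["SYN"], 1000, 0),
    _pkt("in", "203.0.113.7", 80, "10.0.0.5", 40000, ["SYN", "ACK"], 5000, 1001),
    _pkt("in", "203.0.113.7", 80, "10.0.0.5", 40000, ["ACK"], 5001, 1001, 100),
    _pkt("in", "203.0.113.7", 80, "10.0.0.5", 40000, ["ACK"], 9999, 1001, 10),
    _pkt("in", "198.51.100.9", 3333, "10.0.0.5", 40001, ["ACK"], 1, 1, 10),
]
```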

Application-Level Gateway
Also called an application proxy
Acts as a relay of application-level traffic (basically a man or system in the middle)

User -> Gateway -> RemoteHost

Must have proxy code for each application
– may restrict application features supported
– tend to be more secure than packet filters

Disadvantage
– Additional processing overhead on each connection

Packet Filtering

Filtering rules are based on information contained in a network packet:
– source IP address
– Destination IP address
– Source and destination transport-level address
– IP protocol field
– Interface

Two default policies:
– Discard: prohibit unless expressly permitted
more conservative, controlled, visible to users
– Forward: permit unless expressly prohibited
easier to manage and use but less secure

If dynamic protocols are in use, entire ranges of ports must be allowed for the protocol to work.
Ports > 1024 left open
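A first-match rule table evaluated under both default policies, including a "ports > 1024" rule of the kind dynamic protocols force on the filter (an added example, not code from the notes; rules, addresses and packets are constructed):

```python
# Added example (not from the notes): a first-match packet-filter rule table evaluated
# under each default policy. Rules, addresses and packets are constructed; '*' is a
# wildcard and destination ports are given as an inclusive range.
import ipaddress

# (action, src, dst, proto, (dport_lo, dport_hi), iface)
RULES = [
    ("forward", "*", "10.0.0.25", "tcp", (25, 25), "external"),          # inbound SMTP to mail gateway
    ("forward", "10.0.0.0/8", "*", "tcp", (25, 25), "internal"),          # outbound SMTP
    ("forward", "*", "10.0.0.0/8", "tcp", (1024, 65535), "external"),     # replies / dynamic ports
]

def _addr_ok(pattern, addr):
    return pattern == "*" or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)

def rule_matches(rule, p):
    _, src, dst, proto, (lo, hi), iface = rule
    return (_addr_ok(src, p["src"]) and _addr_ok(dst, p["dst"])
            and proto in ("*", p["proto"]) and lo <= p["dport"] <= hi
            and iface in ("*", p["iface"]))

def decide(p, default):
    """First matching rule wins; with no match the default policy ('discard' or 'forward') applies."""
    for rule in RULES:
        if rule_matches(rule, p):
            return rule[0]
    return default

def compare_policies(packets):
    """Show how the same traffic fares under the two default policies."""
    return {"discard": [decide(p, "discard") for p in packets],
            "forward": [decide(p, "forward") for p in packets]}

# Constructed packets: one explicitly allowed, one with no rule at all, and one that
# slips through the wide high-port range left open for dynamic protocols
SAMPLE = [
    {"src": "203.0.113.9", "dst": "10.0.0.25", "proto": "tcp", "dport": 25, "iface": "external"},
    {"src": "203.0.113.9", "dst": "10.0.0.5", "proto": "tcp", "dport": 23, "iface": "external"},
    {"src": "203.0.113.9", "dst": "10.0.0.5", "proto": "tcp", "dport": 31337, "iface": "external"},
]
```

Only the unmatched telnet packet changes outcome between the two policies; the high-port packet is forwarded under both, which is exactly the exposure the "ports > 1024 left open" line refers to.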

Packet filtering advantages
– simplicity
– Typically transparent to users and are very fast

Packet filtering weaknesses
– cannot prevent attacks that employ application-specific vulnerabilities or functions
– limited logging functionality
– vulnerable to attacks and exploits that take advantage of TCP/IP
– packet filter firewalls are susceptible to security breaches caused by improper configurations

Firewalls

Firewall Design Goals
– Enforcement of security policies
All traffic from internal network to the Internet, and vice versa, must pass through firewall
Only traffic authorized by policy is allowed to pass
Dependable
The firewall itself is immune to subversion

Firewall Access Policy
Lists the types of traffic authorized to pass through the firewall
includes: address ranges, protocols, applications and content types

Developed from the organization’s information security risk assessment and policy, and a broad specification of which traffic types the organization needs to support
– Refined to detail the filter elements that can be implemented within an appropriate firewall topology

Firewalls cannot protect against:
traffic that does not cross the firewall
– routing around the firewall
– internal traffic
a misconfigured firewall

Firewall capabilities
– gives insight into the traffic mix via logging
– network address translation
– encryption

Firewalls and Filtering
– packets are checked, then passed
– inbound vs. outbound direction affects when the policy is checked

Filtering Types
– Packet filtering
access control list
– Session filtering
dynamic packet filtering
stateful inspection
context-based access control

Packet Filtering Firewall
Decision made on a per-packet basis
No state information saved

Applies rules to each incoming and outgoing IP packet
typically a list of rules based on matches in the IP or TCP header
Forwards or discards the packet based on the rule match

Botnet C&C design

How can bots contact their master safely?
Simple, naive approach:
victims contact a single IP, website, ping a server, etc.
Easily defeated (ISP intervention, blackhole routing, etc.)
still used by script kiddies and first-time malware authors

Efficient and reliable C&C
– able to reach a sizable set of bots within a time limit
– hard to detect (i.e., blended with normal/regular traffic)
– hard to disable or block

Advanced Persistent Threat (APT)
– Advanced:
malware, special operation and operators
– Persistent:
long-term presence, multi-step, “low-and-slow”
– Threat:
targeted at high-value organizations and information

APT characteristics
– Zero-day exploit or a specially crafted malware
– No readily available signature for its detection

Social engineering to trick even the most sophisticated users
– First compromise core internal network control elements such as routers and web servers to learn about the valuable targets
– Then play man-in-the-middle on the compromised routers/servers to make the social-engineering attacks very convincing, even forging answers to challenges or inquiries from suspicious users

Amplified Distributed Reflective Attacks

DNS request for a large TXT record;
spoof the victim’s IP as the source

Open recursive DNS servers (anyone can query) act as the reflectors
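Detection logic for the reflected flood as seen from the victim's side, over constructed flow records (an added example, not code from the notes; the record fields, the 64-byte assumed query size and the three-reflector threshold are assumptions):

```python
# Added example (not from the notes): detecting reflective DNS amplification in
# constructed flow records seen at a victim's border. Responses that arrive from
# resolvers the local host never queried are the reflection; their size relative to
# an assumed query size gives the amplification factor. Record fields are assumptions.
from collections import defaultdict

ASSUMED_QUERY_BYTES = 64   # size of the small spoofed query the attacker sends (assumption)

def analyze(flows, min_reflectors=3):
    """flows: dicts with direction ('out'/'in'), local, remote, qtype, size (bytes).
    Returns {victim_ip: {reflectors, bytes, max_amplification}} for flagged hosts."""
    queried = set()   # (local, remote) pairs for which an outbound query was seen
    for f in flows:
        if f["direction"] == "out":
            queried.add((f["local"], f["remote"]))
    stats = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "max_amp": 0.0})
    for f in flows:
        # an inbound DNS response with no matching outbound query is unsolicited
        if f["direction"] == "in" and (f["local"], f["remote"]) not in queried:
            s = stats[f["local"]]
            s["reflectors"].add(f["remote"])
            s["bytes"] += f["size"]
            s["max_amp"] = max(s["max_amp"], f["size"] / ASSUMED_QUERY_BYTES)
    return {ip: {"reflectors": len(s["reflectors"]), "bytes": s["bytes"],
                 "max_amplification": round(s["max_amp"], 1)}
            for ip, s in stats.items() if len(s["reflectors"]) >= min_reflectors}

def _flow(direction, local, remote, qtype, size):
    return dict(direction=direction, local=local, remote=remote, qtype=qtype, size=size)

# Constructed records: 10.0.0.5 receives large TXT answers from three open resolvers
# it never asked; 10.0.0.6 only sees the answer to its own query
FLOWS = [
    _flow("out", "10.0.0.6", "192.0.2.53", "A", 60),
    _flow("in", "10.0.0.6", "192.0.2.53", "A", 120),
    _flow("in", "10.0.0.5", "198.51.100.1", "TXT", 3200),
    _flow("in", "10.0.0.5", "198.51.100.2", "TXT", 3200),
    _flow("in", "10.0.0.5", "198.51.100.3", "TXT", 3200),
    _flow("in", "10.0.0.5", "198.51.100.3", "TXT", 3200),
]
```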

Botnet command and control
A botnet is a network of compromised computers that the “botmaster” uses for malicious purposes
– There needs to be command & control (C&C) from the botmaster to the bots
Example: a bot reports its status to the botmaster, is directed to a site to download a malware (botcode) update, and/or receives instructions to spam/phish/DDoS, etc.

Botnet C&C problem
Naively, we could have victims contact us...
suppose we create malware (VX)
– download VX code; fiddle; compile
– use email propagation/social engineering

Spreading is easy, but what if we want to use the compromised computers (victims)?

Naively, we could have victims contact us...
problems: VX must include the author’s address (not stealthy)
single rallying point (not robust)
VX has a hard-coded address (not mobile)

Past Malware

– In the past, often for “fame” and/or “fun”
e.g., defacing web pages
fast and large-scale spreading

Modern Malware
– now, often for profit and political gains
– Technical sophistication based on the latest technologies
– Efficiency, robustness, and evasiveness

Botnet
– Bot (zombie)
A compromised computer under the control of an attacker
Bot code (malware) on the computer communicates with the attacker’s server and carries out malicious activities per the attacker’s instructions

Botnet
A network of bots controlled by an attacker to perform coordinated malicious activities
Key platform for most Internet-based attacks and frauds

Attacks and Frauds by Botnets
spam, distributed denial of service attacks, key logging & data/identity theft, click fraud, phishing & pharming, cheating in online games/polls, key/password cracking, anonymized terrorist & criminal communication

DDoS using botnets
Attacker -> Bots/zombies -> (SYN flood, etc.) -> Victim

The internet worm

What it did:
– Determine where it could spread
– Spread its infection
– Remain undiscovered and undiscoverable

Effect
Resource exhaustion: repeated infection due to a programming bug
Servers were disconnected from the Internet by system admins to stop the infection

Exploit security flaws
– Guess passwords (encrypted passwd file readable)
– fingerd: buffer overflow
– sendmail: trapdoor (accepts shell commands)

Spread
– Bootstrap loader sent to the target machine, which then fetches the rest of the code (password authenticated)

Remain undiscoverable
– load code in memory, encrypt it, remove the file
– periodically change name and process ID

What we learned:
– Security scanning and patching
– Computer Emergency Response Team

Prevention: Limit contact to outside world
Detection and Identification
Removal

4 generations of antivirus software:
– simple scanners: use “signatures” of known viruses
– heuristic scanners: integrity checking (checksum, encrypted hash)
– activity traps
– full-featured analysis: host-based, network-based, sandboxing-based
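The first two generations on constructed data: a signature scanner beside an integrity checker that keeps a keyed-hash baseline (an added example, not code from the notes; HMAC-SHA256 stands in for the "encrypted hash", and the signature, files and key are constructed):

```python
# Added example (not from the notes): the first two antivirus generations on constructed
# data. The signature scanner looks for known byte patterns; the integrity checker keeps
# a keyed-hash (HMAC-SHA256) baseline so a modified file is noticed even when it matches
# no signature. The signature, the files and the key are all constructed for the example.
import hashlib
import hmac

SIGNATURES = {"demo-pattern-A": b"DEMO-SIG-\x90\x90\xcc"}   # constructed, not a real signature

def signature_scan(data):
    """First generation: return the names of known signatures found in the bytes."""
    return [name for name, sig in SIGNATURES.items() if sig in data]

class IntegrityChecker:
    """Second generation: keyed-hash baseline of the files being protected."""
    def __init__(self, key):
        self.key = key
        self.baseline = {}

    def _digest(self, data):
        return hmac.new(self.key, data, hashlib.sha256).hexdigest()

    def record(self, files):
        """files: {path: bytes}; take the trusted baseline."""
        self.baseline = {path: self._digest(data) for path, data in files.items()}

    def check(self, files):
        """Return (modified_paths, new_paths) compared with the baseline."""
        modified = [p for p, d in files.items()
                    if p in self.baseline and not hmac.compare_digest(self.baseline[p], self._digest(d))]
        new = [p for p in files if p not in self.baseline]
        return sorted(modified), sorted(new)

def scan_host(checker, files):
    """Combine both techniques into one report."""
    hits = {p: names for p, d in files.items() if (names := signature_scan(d))}
    modified, new = checker.check(files)
    return {"signature_hits": hits, "modified": modified, "new": new}

# Constructed file system before and after a change
CLEAN = {"bin/tool": b"MZ... original program", "etc/config": b"setting=1\n"}
LATER = {"bin/tool": b"MZ... original program" + b"DEMO-SIG-\x90\x90\xcc",   # known pattern appended
         "etc/config": b"setting=2\n",                                         # modified, no signature
         "bin/dropper": b"unknown new file"}                                    # new, no signature

def demo():
    checker = IntegrityChecker(key=b"constructed-baseline-key")
    checker.record(CLEAN)
    return scan_host(checker, LATER)
```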

Macro Viruses

Macro:
An executable program (e.g. instructions for opening a file, starting an application) embedded in a word processing document, e.g. MS Word

A common technique for spreading
– a virus macro is attached to a Word document
– the document is loaded and opened on the host system
– when the macro executes, it copies itself to the global macro file
– the global macro can be activated/spread when new documents are opened

Rootkit
Resides in the operating system
– Modifies OS code and data structures

Helps user-level malware
– E.g., hides it from the user (not listed by the “ls” or “ps” command)

Inspect all files (the path a file listing takes, and where a rootkit can interpose):
FindFirstFile() -> check file -> FindNextFile() -> repeat (Windows API)
-> NTQueryDirectoryObject (Kernel Native Interface)
-> Device driver functions <-> Drivers

Worms
– Use network connections to spread from system to system

Viruses

Four stages of viruses
Dormant Phase, Propagation Phase, Triggering Phase, Execution Phase

Virus structure
Physically: virus code -> original program
Logically: virus code part (a) -> original program

First line: go to “main” of the virus program
Second line: a special flag (infected or not)
Main: find uninfected programs and infect them
Do something damaging to the system
“go to” the first line of the host program
Avoid detection by looking at the size of the program
compress/decompress the host program

Types of Virus
– Parasitic virus: scans/infects programs
– Memory-resident virus: infects running programs
– Macro virus: embedded in documents, runs/spreads
– Boot sector virus: runs/spreads whenever the system is booted
– Polymorphic virus: encrypts part of the virus program with a randomly generated key

Boot Sector Virus
Normal boot: Bootstrap Loader -> System Initialization
Infected boot: Virus code -> System Initialization -> Bootstrap Loader