Day 19

Upload: griffin-sims
Post on 25-Dec-2015

Security Tools
• Firewalls
  – Host based
  – Network based
• IDS/IPS
  – Host based
  – Network based
  – Signature based detection
  – Anomaly based detection
• Anti-virus, anti-spyware, anti-spam
• Forensic tools
• Authentication tools
• Encryption tools

What is a firewall
• A firewall is a choke point where network traffic can be permitted or denied.
  – A set of rules (Access Control List/Policy list) is used to determine what to allow.
• For example:
  – A machine is a web server (HTTP only)
  – Everyone in the world should be able to connect to the web server on port 80 TCP
  – All other ports should be blocked by a firewall; this prevents unintentional services being exposed and lessens the overall likelihood that the server would be compromised.
  – If nobody should ever use this server as a workstation, you could also limit outbound traffic from this machine
    » Helpful for preventing the machine from being used to attack other machines

Network based Firewalls
• A network firewall is a network device which acts like a router, but has a set of policies it enforces in addition to routing.
  – Sometimes this device is the router
    • Most high end routers support ACLs, e.g. (Cisco IOS syntax):
      access-list 101 permit tcp any host 100.1.1.1 eq 80
  – Sometimes the device is actually a separate firewall: Juniper, Checkpoint, SonicWall, etc.

Host based firewalls
• Sometimes the firewall is built into the OS of the machine it is protecting
  – Windows
    • Windows Firewall
    • BlackICE Firewall
  – Unix
    • iptables
    • ipchains
    • IPF

Should I use host or network based?
• How many machines do you have?
  – If you are protecting 2 machines, host based will probably work fine.
  – If you had to install host based firewalls on 500 computers, it might have been easier to install a network firewall.
• Who has access to the machines?
  – If the machines are publicly accessible, what stops a malicious person from disabling the firewall?
  – Network based firewalls are typically more difficult to disable.
• What do you want your machine spending its time on?
  – If a machine is a web server you want it spending its time serving web pages, not denying traffic; that is probably best done by a network device.

Packet Filter Firewalls
• Each time you receive a packet, check:
  – Who sent it
  – Where is it going
  – What port did it come from and what port is it destined for
  – When did it arrive
  – What TCP/IP flags are set in the header
  – Is it part of an established connection or the start of a new one
• Based on the current set of policies, either allow or deny this packet.
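Added example (not from the slides): a small packet filter that evaluates the header fields listed above against a rule list written in the style of the router ACL on the earlier slide, applied to the web-server policy from the "What is a firewall" example. The Packet and Rule classes, the sample addresses other than 100.1.1.1, and the first-match/implicit-deny semantics are assumptions for this illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed packet model holding the header fields the slide says a packet filter checks.
@dataclass(frozen=True)
class Packet:
    proto: str               # "tcp", "udp" or "icmp"
    src: str                 # who sent it
    dst: str                 # where it is going
    sport: int               # port it came from
    dport: int               # port it is destined for
    flags: FrozenSet[str]    # TCP flags set in the header, e.g. {"SYN"} or {"ACK"}

# One ACL entry, modelled on the slide's "access-list 101 permit tcp any host 100.1.1.1 eq 80".
@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp", "icmp" or "any"
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None   # None matches any destination port
    established: bool = False     # only match segments of an already open TCP connection

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.src != "any" and rule.src != pkt.src:
        return False
    if rule.dst != "any" and rule.dst != pkt.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    # "established" in the ACL sense: a TCP segment with ACK or RST set, i.e. not a fresh SYN.
    if rule.established and not (pkt.proto == "tcp" and pkt.flags & {"ACK", "RST"}):
        return False
    return True

def decide(acl: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; a real ACL ends with an implicit deny, so this one does too."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"

# Policy for the slide's web-server scenario (100.1.1.1 is the address used on the slide):
# anyone may connect to port 80, the server may answer those connections, nothing else passes,
# including the server itself opening new outbound connections.
WEB_SERVER_ACL = [
    Rule("permit", "tcp", dst="100.1.1.1", dport=80),
    Rule("permit", "tcp", src="100.1.1.1", established=True),
]
```

Because the second rule only matches ACK/RST segments, a SYN sent by the server to some other host hits the implicit deny, which is the "limit outbound traffic" point from the example slide.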

Proxy based firewalls
• When a machine attempts to establish a connection, intercept it.
• When the client attempts to connect to the server, the firewall acts like a server to the client.
• Next the firewall creates a separate connection to the server (thus acting like a client).
• Now the firewall acts like a traffic cop between the client and server by deciding how much of the traffic to pass between them.

[Diagram: Client <-> Firewall <-> Server]

Proxy vs. Packet Filter
• A proxy based firewall can do much more intelligent filtering because it understands what is being said between the client and the server.
  – For example, a proxy can alter HTML pages or emails (for example, stripping out sensitive information, or adding a signature/disclaimer to the end of each message)
• A packet filter is much more limited because it only understands the header of the packets, not the data in them.

Intrusion Detection System
• One of the most basic security principles is to know when you've been compromised.
  – Worst case is you were compromised and don't even know it, because more info can be stolen, or more damage can be done.
• In the real world it's obvious, but with complex computers it's less obvious.
• IDS systems are designed to help you track intrusions and identify how they were done.

File Integrity Checkers
• One way to know if your system has been compromised is to know if any files on your system were changed without your knowledge.
  – Hackers frequently install software on compromised machines to give them a guaranteed way back on, or to do their bidding (send email, attack someone else)
  – File integrity monitors hash all the files on your system periodically and notify you of any changes.
    • Tripwire, GFI LanGuard etc.

Network based IDS
• Network based IDSs typically monitor all packets coming into/out of your network looking for "interesting patterns".
  – Interesting patterns are defined by a set of signatures which either a company or the internet community develop based on previous intrusions.
  – When a pattern is noticed it logs it, or possibly notifies someone (pager, email, phone)
  – E.g. Snort, ISS RealSecure etc.

Logs/Event Viewer
• A frequently overlooked but critical security tool is logs.
  – Most things which happen on your computer are logged
    • Windows: Event Viewer
    • Unix/Mac: Logs
  – Allow for analysis of what is going on on your computer
  – Gives you an audit trail after a compromise to see how it was done, and thus prevent it from happening again.
    • Of course this assumes the logs aren't erased by the attacker.

Intrusion Prevention Systems
• A sort of combination of IDS and firewall.
  – The smarts of an IDS with the ability to block traffic like a firewall.
  – Think of it as a firewall which can build its own policies based on what's happening to it.
  – E.g.
    • You suddenly see a spike of ICMP (ping) traffic from a single address; perhaps after a few thousand packets you should think about stopping it, so the IPS might build a rule to block it.

IDS/IPS False Positive problem
• One of the biggest problems with IPS is the signatures.
• If a popular virus happens to send the string "BLABLA" in an HTTP message to distribute itself, then any webpage with "BLABLA" in it will appear to be an attack.
• False positives are frustrating and counter-productive.
• Worse yet, your IPS may decide that the attack must be stopped and build a firewall rule to block it.
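Added example covering both the IPS slide and the false positive slide (not code from the slides or from any real IDS): a toy sensor in which an ICMP spike from one address becomes a self-built block rule, while a string signature only raises alerts, and the constructed "BLABLA" signature fires on an innocent web page just as it does on the virus. The Sensor class, the threshold value, and the sample addresses and payloads are assumptions.

```python
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed signature for the slide's hypothetical virus that spreads by sending "BLABLA" over HTTP.
SIGNATURES: Dict[str, bytes] = {"blabla-virus": b"BLABLA"}

class Sensor:
    """Toy IDS/IPS: signatures raise alerts; an ICMP spike from one address becomes a block rule."""

    def __init__(self, icmp_threshold: int = 2000) -> None:
        self.icmp_threshold = icmp_threshold      # the slide's "a few thousand packets"
        self.icmp_counts: Counter = Counter()
        self.blocked: Set[str] = set()            # firewall rules the IPS built on its own
        self.alerts: List[Tuple[str, str]] = []   # (signature or event name, source address)

    def inspect(self, src: str, proto: str, payload: bytes = b"") -> str:
        """Return 'drop' if the packet hits an IPS-built rule, otherwise 'pass' (alerts are logged)."""
        if src in self.blocked:
            return "drop"
        if proto == "icmp":
            self.icmp_counts[src] += 1
            if self.icmp_counts[src] > self.icmp_threshold:
                self.blocked.add(src)             # IPS behaviour: turn the spike into a policy
                self.alerts.append(("icmp-spike", src))
                return "drop"
        for name, pattern in SIGNATURES.items():
            if pattern in payload:                # IDS behaviour: log and notify only
                self.alerts.append((name, src))
        return "pass"

def demo_icmp_spike(threshold: int = 5) -> Tuple[List[str], List[str]]:
    """A single address sends more pings than the threshold; the IPS starts dropping it."""
    s = Sensor(icmp_threshold=threshold)
    verdicts = [s.inspect("192.0.2.7", "icmp") for _ in range(threshold + 3)]
    return verdicts, sorted(s.blocked)

def demo_false_positive() -> List[Tuple[str, str]]:
    """The signature fires on the virus AND on an innocent web page containing the same string."""
    s = Sensor()
    virus_request = b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n\r\nBLABLA"        # constructed
    innocent_page = b"HTTP/1.1 200 OK\r\n\r\n<p>The band BLABLA plays on Friday.</p>"  # constructed
    s.inspect("198.51.100.2", "tcp", virus_request)
    s.inspect("203.0.113.10", "tcp", innocent_page)
    return s.alerts
```

The second alert in demo_false_positive() is the problem the slide describes: if this sensor also auto-blocked on signature hits, the innocent web server would be cut off.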

Anomaly based detection
• Another approach which is being worked on is to watch what is normal and then look for things which are abnormal.
  – E.g. You use your computer at Clayton from 7:30PM-8:45PM Monday and Wednesday. If your computer is at Clayton on Friday night at 3am, maybe something is up.
• Very difficult to get correct; requires lots more work to get right.

Viruses, Spies
• Anti-Virus
  – Specialized form of IDS.
  – Looks for patterns in files on your hard drive.
  – Once one is found, assume it is a virus and remove it
    • Quarantine it, or delete it at the user's request
• Anti-Spyware
  – Look for software which may get installed without your knowledge
    • E.g. Here is a free screensaver; you also get something which monitors all web pages you go to for opportunities to send you ads

VPN
• Virtual Private Networks
  – Allow users into your private network from across the internet securely.
  – VPNs are based on encryption.
    • All traffic leaving the client is encrypted by software on their end.
    • That encrypted traffic is routed across the internet
    • The other end decrypts the resulting traffic and routes it on the private network
• Traffic is typically encrypted with symmetric cryptography such as AES or TripleDES. Keys are typically exchanged either manually or automatically via IKE.