resources (tbd) intruders and intrusion - wordpress.com · intruders and intrusion security problem...

CS669 Network Security Unit - V

MTech CSE (PT, 2011-14) SRM, Ramapuram 1 hcr:innovationcse@gg

UNIT – V SYSTEM SECURITY Resources – Intruders and Intrusion – Viruses and Worms – OS Security – Firewalls – Design Principles –

Packet Filtering – Application gateways – Trusted systems – Counter Measures

Resources (TBD) TBD

Intruders and Intrusion security problem for networked systems is hostile, or at least unwanted, trespass being unauthorized login

or use of a system, by local or remote users; or by software such as a virus, worm, or Trojan horse.

One of the two most publicized threats to security is the intruder (or hacker or cracker), which Anderson

identified three classes of:

o Masquerader: An individual who is not authorized to use the computer (outsider)

o Misfeasor: A legitimate user who accesses unauthorized data, programs, or resources (insider)

o Clandestine user: An individual who seizes supervisory control of the system and uses this control to

evade auditing and access controls or to suppress audit collection (either)

Intruder attacks range from the

o benign (simply exploring net to see what is there); to the

o serious (who attempt to read privileged data, perform unauthorized modifications, or disrupt system)

two levels of hackers

o high level - sophisticated users - thorough knowledge of the technology;

o low level - "foot soldiers", who merely used the supplied cracking programs

CERTs

Computer Emergency Response Teams

cooperative ventures collect information about system vulnerabilities and disseminate it to managers

Intrusion Techniques

Objective Of The Intruder

To gain access to a system or to increase the range of privileges accessible on a system

o requires the intruder to acquire information that should have been protected

o Example: user password - an intruder can log in to a system and exercise as legitimate user

The password file can be protected in one of two ways

One-way function

o The system stores only the value of a function based on the user's password

o the system usually performs a one-way transformation (not reversible) in which the password is used to

generate a key - a fixed-length output

Access control

o Access to the password file is limited to one or a very few accounts

Techniques Used By Password Crackers For Learning Passwords

1. Try default passwords used with standard accounts that are shipped with the system.

o Many administrators do not bother to change these defaults.

2. Exhaustively try all short passwords (those of one to three characters).

3. Try words in the system's online dictionary or a list of likely passwords.

o Examples of the latter are readily available on hacker bulletin boards.

4. Collect information about users, such as their full names, the names of their spouse and children, pictures

in their office, and books in their office that are related to hobbies.

5. Try users' phone numbers, Social Security numbers, and room numbers.

6. Try all legitimate license plate numbers for this state.

7. Use a Trojan horse to bypass restrictions on access.

8. Tap the line between a remote user and the host system.



Effectiveness

The first six methods use guessing method

o Guessing are feasible and effective

Trojan horse, can be particularly difficult to counter

line tapping, is a matter of physical security

o can be countered with link encryption techniques

Two Principal Countermeasures

Detection

learning of an attack, either before or after its success

Prevention

challenging security goal

Intrusion Detection

Motivation

If an intrusion is detected quickly enough, the intruder can be identified and ejected from the system before

any damage is done or any data are compromised.

An effective intrusion detection system can serve as a deterrent, so acting to prevent intrusions

Intrusion detection enables the collection of information about intrusion techniques that can be used to

strengthen the intrusion prevention facility

Profiles of Behavior of Intruders and Authorized Users

typical behavior of an intruder differs from the typical behavior of an authorized user

there is an overlap in these behaviors

a loose interpretation of intruder behavior, will also lead to a number of "false positives," or authorized users

identified as intruders.

an attempt to limit false positives by a tight interpretation of intruder behavior will lead to an increase in false

negatives, or intruders not identified as intruders



Approaches To Intrusion Detection

Statistical anomaly detection

Involves the collection of data relating to the behavior of legitimate users over a period of time

attempt to define normal, or expected, behavior

statistical test methods

o Threshold detection

This approach involves defining thresholds, independent of user, for the frequency of occurrence of

various events

o Profile based:

A profile of the activity of each user is developed and used to detect changes in the behavior of

individual accounts.

Rule-based detection

define a set of rules that can be used to decide that a given behavior is that of an intruder

attempt to define proper behavior

Methods

o Anomaly detection

Rules are developed to detect deviation from previous usage patterns

o Penetration identification

An expert system approach that searches for suspicious behavior

Audit Records

A fundamental tool for intrusion detection

Some record of ongoing activity by users

Two plans are used

Native audit records

o all multiuser operating systems include accounting software that collects information on user activity

o Adv: no additional collection software is needed

o Disadv: may not contain the needed information or may not contain it in a convenient form

Detection-specific audit records

o A collection facility can be implemented that generates audit records containing only that information

required by the intrusion detection system

o Adv: could be made vendor independent and ported to a variety of systems

o Disadv: extra overhead involved in having, two accounting packages running on a machine

Each audit record contains the following fields

Subject:, Action, Object, Exception-Condition, Resource-Usage, Time-Stamp

Statistical Anomaly Detection Two broad categories

1. Threshold Detection

2. Profile-Based Systems

Threshold Detection

involves counting the number of occurrences of a specific event type over an interval of time.

If the count surpasses a reasonable number, then intrusion is assumed

Drawbacks

o crude and ineffective detector

o Both the threshold and the time interval must be determined

o likely to generate either a lot of false positives or a lot of false negatives

useful in conjunction with more sophisticated techniques



Profile-Based Systems

characterizing the past behavior of individual users or related groups of users and then detecting significant

deviations

A profile may consist of a set of parameters

The foundation of this approach is an analysis of audit records

The audit records provide input to the intrusion detection function in two ways.

1. the designer must decide on a number of quantitative metrics that can be used to measure user behavior

o the audit records serve to define typical behavior

2. current audit records are the input used to detect intrusion.

o the intrusion detection model analyzes incoming audit records to determine deviation

Examples of metrics

Counter:

o number of logins, number of times a given command is executed, number of password failures

Gauge

o used to measure the current value of some entity

o number of logical connections, number of outgoing messages

Interval timer

o time between two related events like successive logins

Resource utilization

o Quantity of resources consumed

o number of pages printed, total time consumed by a program execution

Statistical Tests

Mean and standard deviation

Multivariate

Markov process

Time series

Operational

Mean and standard deviation

measure the mean and standard deviation of a parameter over some period

gives the average behavior and its variability

applicable to a wide variety of counters, timers, and resource measures

too crude for intrusion detection purposes.

Multivariate

model based on correlations between two or more variables

examples: processor time and resource usage, login frequency and session elapsed time

Markov process

used to establish transition probabilities among various states

example: transitions between certain commands

Time series

focuses on time intervals, events that happen too rapidly or too slowly

characterize abnormal timing

Operational

based on a judgment of what is considered abnormal

example: a large number of login attempts over a short period

Advantages of statistical tests

a prior knowledge of security flaws is not required

portable among a variety of systems



Rule-Based Intrusion Detection detect intrusion by observing events in the system and applying a set of rules that lead to a decision regarding

whether a given pattern of activity is or is not suspicious

Two approaches

1. Rule-based anomaly detection

2. Rule-based penetration identification

Rule-based anomaly detection

similar to statistical anomaly detection

historical audit records are analyzed to identify usage patterns and to generate automatically rules that

describe those patterns

Rules may represent past behavior patterns of users, programs, privileges, time slots, terminals, and so on

Current behavior is then observed, and each transaction is matched against the set of rules to determine if

it conforms to any historically observed pattern of behavior

Rule-based penetration identification

based on expert system technology

use of rules for identifying known penetrations or penetrations that would exploit known weaknesses

can also be defined that identify suspicious behavior

specific to the machine and operating system

Rules are generated by experts / system admins

o strength of the approach depends on the skill of those involved in setting up the rules

Examples

heuristic rules that can be found in NIDX system

penetration identification scheme used in IDES

state transition model USTAT implemented on a SunOS

The Base-Rate Fallacy

an intrusion detection system should detect a substantial percentage of intrusions while keeping the false

alarm rate at an acceptable level

If only a modest percentage of actual intrusions are detected, the system provides a false sense of security

if the system frequently triggers an alert when there is no intrusion (a false alarm), they might be ignored or

time wasted

it is very difficult to meet the standard of high rate of detections with a low rate of false alarms

if the actual numbers of intrusions is low, then the false alarm rate will be high

current systems have not overcome this problem of the base-rate fallacy

Distributed Intrusion Detection needs to defend a distributed collection of hosts supported by a LAN or internetwork

coordination and cooperation among intrusion detection systems across the network

Issues In The Design Of A Distributed Intrusion Detection System

need to deal with different audit record formats

o heterogeneous environment

One or more nodes in the network will serve as collection and analysis points for the data from the systems

on the network

o raw audit data or summary data transmitted across the network - requirement to assure the integrity

and confidentiality

Either a centralized or decentralized architecture can be used

o a centralized architecture, there is a single central point of collection and analysis of all audit data

o decentralized architecture, there are more than one analysis centers



Architecture for Distributed Intrusion Detection

three main components:

Host agent module

An audit collection module operating as a background process on a monitored system.

Its purpose is to collect data on security-related events on the host and transmit these to the central

manager.

LAN monitor agent module

Operates in the same fashion as a host agent module except that it analyzes LAN traffic and reports the results

to the central manager.

Central manager module

Receives reports from LAN monitor and host agents and processes and correlates these reports to detect

intrusion.

Agent Architecture

The agent captures each audit record

produced by the native audit collection

system.

A filter is applied that retains only those

records that are of security interest.

These records are then reformatted into

a standardized format referred to as the

host audit record (HAR).

Next, a template-driven logic module

analyzes the records for suspicious

activity

Finally, the agent looks for anomalous

behavior

TBD



Viruses and Worms - Introduction Malicious software is software that is intentionally included or inserted in a system for a harmful purpose.

A virus is a piece of software that can "infect" other programs by modifying them; the modification includes

a copy of the virus program, which can then go on to infect other programs.

A worm is a program that can replicate itself and send copies from computer to computer across network

connections. Upon arrival, the worm may be activated to replicate and propagate again. In addition to

propagation, the worm usually performs some unwanted function.

A denial of service (DoS) attack is an attempt to prevent legitimate users of a service from using that

A distributed denial of service attack is launched from multiple coordinated sources

Terminology of Malicious Programs

Name Description

Virus Attaches itself to a program and propagates copies of itself to other programs

Worm Program that propagates copies of itself to other computers

Logic bomb Triggers action when condition occurs

Trojan horse Program that contains unexpected additional functionality

Backdoor (trapdoor) Program modification that allows unauthorized access to functionality

Exploits Code specific to a single vulnerability or set of vulnerabilities

Downloaders Program that installs other items on a machine that is under attack. Usually, a downloader is sent in an e-mail

Auto-rooter Malicious hacker tools used to break into new machines remotely

Kit (virus generator) Set of tools for generating new viruses automatically

Spammer programs Used to send large volumes of unwanted e-mail

Flooders Used to attack networked computer systems with a large volume of traffic to carry out a denial of service (DoS) attack

Keyloggers Captures keystrokes on a compromised system

Rootkit Set of hacker tools used after attacker has broken and gained root-level access

Zombie Program activated on an infected machine to launch attacks on other machines

Malicious software can be divided into two categories:

Those That Need A Host Program

fragments of programs that cannot exist independently of some actual program (app / system), utility

examples: Viruses, logic bombs, and backdoors

Those That Are Independent

self-contained programs that can be scheduled and run by the operating system

examples: Worms and zombie

Differentiation Based On Replication

Those Software Threats That Do Not Replicate

programs or fragments of programs that are activated by a trigger

Examples: logic bombs, backdoors, and zombie programs

Those That Do

either a program fragment or an independent program that, when executed, may produce one or more

copies of itself to be activated later on the same system or some other system.

Examples: Viruses and worms



Viruses

The Nature of Viruses

A virus is a piece of software that can "infect" other programs by modifying them;

the modification includes a copy of the virus program,

which can then go on to infect other programs

The typical virus becomes embedded in a program on a computer

whenever the infected computer comes into contact with an uninfected piece of software, a fresh copy of

the virus passes into the new program.

the infection can be spread from computer to computer

network environment

Once a virus is executing, it can perform any function, such as erasing files and programs

Typical virus goes through the following four phases

Dormant phase

The virus is idle.

The virus will eventually be activated by some event, such as a date, the presence of another program or

file, or the capacity of the disk exceeding some limit.

Not all viruses have this stage.

Propagation phase

The virus places an identical copy of itself into other programs or into certain system areas on the disk.

Each infected program will now contain a clone of the virus, which will itself enter a propagation phase.

Triggering phase

The virus is activated to perform the function for which it was intended.

As with the dormant phase, the triggering phase can be caused by a variety of system events, including a

count of the number of times that this copy of the virus has made copies of itself.

Execution phase

The function is performed.

The function may be harmless, such as a message on the screen, or damaging, such as the destruction of

programs and data files.

Virus Structure

program V :=

{

goto main;

1234567;

subroutine infect-executable :=

{

loop:

file := get-random-executable-file;

if (first-line-of-file = 1234567)

then goto loop

else prepend V to file;

}

subroutine do-damage :=

{

whatever damage is to be done

}

subroutine trigger-pulled :=



{

return true if some condition holds

}

main: main-program :=

{

infect-executable;

if trigger-pulled then do-damage;

goto next;

}

next:

}

Compression Virus

Above such virus is easily detected because an infected version of a program is longer than the

corresponding uninfected one.

A way to thwart such a simple means of detecting a virus is to compress the executable file so that both

the infected and uninfected versions are of identical

Logic for a Compression Virus

program CV :=

{

goto main;

01234567;

subroutine infect-executable :=

{

loop:

file := get-random-executable-file;

if (first-line-of-file = 01234567) then goto loop;

(1) compress file;

(2) prepend CV to file;

}

main: main-program :=

{

if ask-permission then infect-executable;

(3) uncompress rest-of-file;

(4) run uncompressed file;

}

}



1. For each uninfected file P2 that is found, the virus first compresses that file to produce P'2, which is shorter

than the original program by the size of the virus.

2. A copy of the virus is prepended to the compressed program.

3. The compressed version of the original infected program, P'1, is uncompressed.

4. The uncompressed original program is executed.

Types of Viruses

Parasitic virus

The traditional and still most common form of virus.

A parasitic virus attaches itself to executable files and replicates, when the infected program is executed, by

finding other executable files to infect.

Memory-resident virus

Lodges in main memory as part of a resident system program.

From that point on, the virus infects every program that executes.

Boot sector virus

Infects a master boot record and spreads when a system is booted from the disk containing the virus

Stealth virus

A form of virus explicitly designed to hide itself from detection by antivirus software.

Polymorphic virus

A virus that mutates with every infection, making detection by the "signature" of the virus impossible.

Metamorphic virus

As with a polymorphic virus, a metamorphic virus mutates with every infection.

a metamorphic virus rewrites itself completely at each iteration, increasing the difficulty of detection

Metamorphic viruses my change their behavior as well as their appearance

Macro Viruses

a macro is an executable program embedded in a word processing document or other type of file

Macro viruses are particularly threatening for a number of reasons

A macro virus is platform independent.

o Virtually all of the macro viruses infect Microsoft Word documents.

o Any hardware platform and operating system that supports Word can be infected.

Macro viruses infect documents, not executable portions of code.

o Most of the information introduced onto a computer system is in the form of a document rather than a

program

Macro viruses are easily spread. A very common method is by electronic mail.

E-mail Viruses

The first rapidly spreading e-mail viruses, such as Melissa, made use of a Microsoft Word macro embedded

in an attachment.

If the recipient opens the e-mail attachment, the Word macro is activated, then

o The e-mail virus sends itself to everyone on the mailing list in the user's e-mail package.

o The virus does local damage

Worms A worm is a program that can replicate itself and send copies from computer to computer across network

connections.

Upon arrival, the worm may be activated to replicate and propagate again.

In addition to propagation, the worm usually performs some unwanted function.

An e-mail virus has some of the characteristics of a worm, because it propagates itself from system to

system. However, we can still classify it as a virus because it requires a human to move it forward.



A worm actively seeks out more machines to infect and each machine that is infected serves as an

automated launching pad for attacks on other machines

Network worm programs use network connections to spread from system to system

To replicate itself, a network worm uses

Electronic mail facility:

o A worm mails a copy of itself to other systems.

Remote execution capability

o A worm executes a copy of itself on another system.

Remote login capability

o A worm logs onto a remote system as a user and then uses commands to copy itself from one system

to the other

A network worm exhibits the same characteristics as a computer virus:

a dormant phase,

a propagation phase,

a triggering phase

an execution phase.

The propagation phase generally performs the following functions:

1. Search for other systems to infect by examining host tables or similar repositories of remote system

addresses.

2. Establish a connection with a remote system.

3. Copy itself to the remote system and cause the copy to be run.

Worm Example

The Morris Worm

by Robert Morris in 1998

was designed to spread on UNIX systems and used a number of different techniques for propagation

number of methods for gaining access

It attempted to log on to a remote host as a legitimate user

the worm first attempted to crack the local password file, and then used the discovered passwords and

corresponding user IDs

the worm ran a password-cracking program that tried

Each user's account name and simple permutations of it

A list of 432 built-in passwords that Morris thought to be likely candidates

All the words in the local system directory

It exploited a bug in the finger protocol, which reports the whereabouts of a remote user

It exploited a trapdoor in the debug option of the remote process that receives and sends mail

If any of these attacks succeeded,

the worm achieved communication with the operating system command interpreter.

It then sent this interpreter

o a short bootstrap program,

o issued a command to execute that program,

o then logged off.

The bootstrap program then called back the parent program and downloaded the remainder of the worm.

The new worm was then executed

State of Worm Technology

The state of the art in worm technology includes the following:

Multiplatform

Newer worms are not limited to Windows machines but can attack a variety of platforms, especially the popular

varieties of UNIX.

Multiexploit



New worms penetrate systems in a variety of ways, using exploits against Web servers, browsers, e-mail, file

sharing, and other network-based applications.

Ultrafast spreading

One technique to accelerate the spread of a worm is to conduct a prior Internet scan to accumulate Internet

addresses of vulnerable machines.

Polymorphic

To evade detection, worms adopt the virus polymorphic technique

Each copy of the worm has new code generated on the fly using functionally equivalent instructions and

encryption techniques.

Metamorphic

In addition to changing their appearance, metamorphic worms have a repertoire of behavior patterns that are

unleashed at different stages of propagation.

Transport vehicles

Because worms can rapidly compromise a large number of systems, they are ideal for spreading other

distributed attack tools, such as distributed denial of service zombies.

Zero-day exploit

To achieve maximum surprise and distribution, a worm should exploit an unknown vulnerability that is only

discovered by the general network community when the worm is launched.

Virus Countermeasures

Antivirus Approaches

Prevention

The ideal solution to the threat of viruses is prevention

Do not allow a virus to get into the system in the first place.

impossible to achieve

The next best approach is

Detection: Once the infection has occurred, determine that it has occurred and locate the virus.

Identification: Once detection has been achieved, identify the specific virus that has infected a program.

Removal: Once the specific virus has been identified, remove all traces of the virus from the infected

program and restore it to its original state.

o Remove the virus from all infected systems so that the disease cannot spread further

o If detection succeeds but either identification or removal is not possible, then the alternative is to

discard the infected program and reload a clean backup version

Four Generations Of Antivirus Software

1. First generation: simple scanners

2. Second generation: heuristic scanners

3. Third generation: activity traps

4. Fourth generation: full-featured protection

First-Generation

requires a virus signature to identify a virus.

o The virus may contain same structure and bit pattern in all copies.

o limited to the detection of known viruses

Another type maintains a record of the length of programs and looks for changes in length.

Second-Generation Scanner

does not rely on a specific signature

uses heuristic rules to search for probable virus infection

One class of such scanners looks for fragments of code that are often associated with viruses



Another second-generation approach is integrity checking – use of checksum - encrypted hash function

Third-generation

memory-resident programs that identify a virus by its actions rather than its structure in an infected program

Example: Boot sector protection

Fourth-generation

packages consisting of a variety of antivirus techniques used in conjunction

scanning, activity traping, access control capability etc

Advanced Antivirus Techniques (O)

Generic decryption (GD) technology - GD scanner components - CPU emulator - Virus signature scanner -

Emulation control module - Digital Immune System - comprehensive approach to virus protection developed by

IBM - two major trends in Internet technology - Integrated mail systems - Mobile-program systems - Behavior-

Blocking Software - integrates with the operating system

OS Security (TBD) TBD

Firewalls The firewall is inserted between the premises network and the Internet to establish a controlled link and to

erect an outer security wall or perimeter.

The aim of this perimeter is to protect the premises network from Internet-based attacks and to provide a

single choke point where security and audit can be imposed.

The firewall may be a single computer system or a set of two or more systems that cooperate to perform

the firewall function

Firewall Characteristics

1. All traffic from inside to outside, and vice versa, must pass through the firewall

o achieved by physically blocking all access to the local network except via the firewall.

2. Only authorized traffic, as defined by the local security policy, will be allowed to pass

3. The firewall itself is immune to penetration using a trusted system with a secure operating system

Four General Techniques That Firewalls Use

To Control Access And Enforce The Site's Security Policy

Service control:

Determines the types of Internet services that can be accessed, inbound or outbound.

filter traffic on the basis of IP address and TCP port number;

may provide proxy software that receives and interprets each service request before passing it on; or may

host the server software itself, such as a Web or mail service

Direction control:

Determines the direction in which particular service requests may be initiated & allowed to flow

User control:

Controls access to a service according to which user is attempting to access it.

Example: usage of IPSec for secure authentication of external users

Behavior control:

Controls how particular services are used

Example: spam filter for email

Scope Of A Firewall

1) defines a single choke point of protection from unauthorized users, vulnerable services and various kinds of

IP spoofing and routing attacks



2) provides a location for monitoring security-related events - Audits and alarms

3) convenient platform for several Internet functions that are not security related like network address

translator, network management function

4) can serve as the platform for IPSec - tunnel mode capability for VPN

Limitations Of Firewall

cannot protect against attacks that bypass the firewall

does not protect against internal threats - disgruntled employee / cooperates with an external attacker

cannot protect against the transfer of virus-infected programs or files

o impossible for the firewall to scan all incoming files

Types of Firewalls

Three common types of firewalls:

Packet Filters

Application-Level Gateways

Circuit-Level Gateways

Packet Filters

A packet-filtering router applies a set of rules to each incoming and outgoing IP packet and then forwards or

discards the packet.

filter packets going in both directions (from and to the internal network)

Filtering rules are based on the following information contained in a network packet

Source IP address

Destination IP address

Source and destination transport-level address - e.g., TCP or UDP port number

IP protocol field

Interface

Filter Setup

a list of rules based on matches to fields in the IP or TCP header.

If there is a match, that rule is invoked to determine whether to forward or discard the packet

If there is no match to any rule, then a default action is taken.

Two default policies are possible:

Default = discard

That which is not expressly permitted is prohibited.

more conservative.

Initially, everything is blocked, and services must be added on a case-by-case basis.

more visible to users, may see the firewall as a hindrance.

Default = forward

That which is not expressly prohibited is permitted.

The default forward policy increases ease of use for end users but provides reduced security

the security administrator react to each new security threat as it becomes known



Examples

action ourhost port theirhost port comment

block * * SPIGOT * we don't trust

allow OUR-GW 25 * * connection to our SMTP port

block * * * * default

Advantages

Simplicity

Transparent to users

Very fast

Weaknesses Of Packet Filter Firewalls

cannot prevent attacks that employ application-specific vulnerabilities or functions

logging functionality present in packet filter firewalls is limited

vulnerable to attacks and exploits that take advantage of problems within the TCP/IP specification and

protocol stack, such as network layer address spoofing

susceptible to security breaches caused by improper configurations

Attacks and Countermeasures

IP address spoofing

o The intruder transmits packets from the outside with a source IP address field containing an address of

an internal host

o The countermeasure is to discard packets with an inside source address if the packet arrives on an

external interface

Source routing attacks

o The source station specifies the route that a packet should take

o countermeasure is to discard all packets that use this option

Tiny fragment attacks

o The intruder uses the IP fragmentation option to create extremely small fragments and force the TCP

header information into a separate packet fragment

o countermeasure is to enforce a rule that the first fragment of a packet must contain a predefined

minimum amount of the transport header

Stateful Inspection Firewalls

when an application that uses TCP creates a session with a remote host, it creates a TCP connection

A stateful inspection packet filter tightens up the rules for TCP traffic by creating a directory of outbound

TCP connections

There is an entry for each currently established connection.

The packet filter will now allow incoming traffic to high-numbered ports only for those packets that fit the

profile of one of the entries in this directory

Example

Source Address Source Port Destination Address Destination Port Connection State

192.168.1.100 1030 210.9.88.29 80 Established

Application-Level Gateways

also called a proxy server, acts as a relay of application-level traffic

The user contacts the gateway using a TCP/IP application, such as Telnet or FTP

the gateway asks the user for the name of the remote host to be accessed

user responds and provides a valid user ID and authentication information

the gateway contacts the application on the remote host and relays TCP segments

If the gateway does not implement the proxy code for a specific application, the service is not supported

can be configured to support only specific features of an application while denying all other features

Advantages

more secure than packet filters

need only to scrutinize a few allowable applications



easy to log and audit all incoming traffic at the application level

Disadvantage

additional processing overhead on each connection

Circuit-Level Gateways

can be a stand-alone system

can be a specialized function performed by an application-level gateway for certain applications

does not permit an end-to-end TCP connection;

o the gateway sets up two TCP connections,

o one between itself and a TCP user on an inner host

o one between itself and a TCP user on an outside host.

The security function consists of determining which connections will be allowed

Example SOCKS package

SOCKS consists of the following components:

o The SOCKS server, which runs on a UNIX-based firewall.

o The SOCKS client library, which runs on internal hosts protected by the firewall.

o SOCKS-ified versions of several standard client programs such as FTP and TELNET

Bastion Host

A bastion host is a system identified by the firewall administrator as a critical strong point in the network's

security.

The bastion host serves as a platform for an application-level or circuitlevel gateway

Common characteristics of a bastion host

The bastion host hardware platform executes a secure version of its operating system, making it a trusted

system

Only the services that the network administrator considers essential are installed



may require additional authentication before a user is allowed access to the proxy services

Each proxy is configured to support only a subset of the standard application's command set

Each proxy is configured to allow access only to specific host systems

Each proxy maintains detailed audit information by logging all traffic, each connection, and the duration of

each connection

Each proxy module is a very small software package specifically designed for network security

Each proxy is independent of other proxies on the bastion host.

A proxy generally performs no disk access other than to read its initial configuration file - makes it difficult

for an intruder to install Trojan horse sniffers

Each proxy runs as a nonprivileged user in a private and secured directory

Firewall Configurations

Three common firewall configurations

Screened Host Firewall, Single-Homed Bastion

Screened Host Firewall, Dual-Homed Bastion

Screened Subnet Firewall

Screened Host Firewall, Single-Homed Bastion

the firewall consists of two systems:

o a packet-filtering router

o a bastion host.

Typically, the router is configured so that

o For traffic from the Internet, only IP packets destined for the bastion host are allowed in

o For traffic from the internal network, only IP packets from the bastion host are allowed out

The bastion host performs authentication and proxy functions

Advantages

greater security

o configuration implements both packet-level and application-level filtering

considerable flexibility in defining security policy

o an intruder must generally penetrate two separate systems

flexibility in providing direct Internet access

Drawback

if the packet-filtering router is completely compromised, traffic could flow directly through the router between the

Internet and other hosts on the private network

Screened Host Firewall, Dual-Homed Bastion

physically prevents security breaches

Advantages

dual layers of security as like single homed

Flexibility



o information server or other hosts can be allowed direct communication with the router if this is in accord

with the security policy.

Screened Subnet Firewall

most secure

two packet-filtering routers are used,

one between the bastion host and the Internet

one between the bastion host and the internal network.

creates an isolated subnetwork, which may consist of simply the bastion host but may also include one or

more information servers and modems for dial-in capability.

both the Internet and the internal network have access to hosts on the screened subnet, but traffic across

the screened subnet is blocked

Advantages

three levels of defense to thwart intruders.

The outside router advertises only the existence of the screened subnet to the Internet

o the internal network is invisible to the Internet.

the inside router advertises only the existence of the screened subnet to the internal network

o the systems on the inside network cannot construct direct routes to the Internet

Design Principles TBD

Counter Measures TBD

Password Management (O) TBD



Trusted systems protect data or resources on the basis of levels

of security.

commonly found in the military, where

information is categorized as unclassified (U),

confidential (C), secret (S), top secret (TS)

applicable in other areas, where

o information can be organized into gross

categories

o users can be granted clearances to access

certain categories of data.

Example:

the highest level of security might be for

strategic corporate planning documents and

data, accessible by only corporate officers

sensitive financial and personnel data, accessible only by administration personnel, corporate officers

Multilevel Security

When multiple categories or levels of data are defined, the requirement is referred to as multilevel security

a subject at a high level may not convey information to a subject at a lower or noncomparable level

A multilevel secure system must enforce the following:

No read up:

o A subject can only read an object of less or equal security level.

o This is referred as the Simple Security Property.

No write down:

o A subject can only write into an object of greater or equal security level.

o This is referred as the *-Property (Star Property)

Reference Monitor Concept

The reference monitor is a controlling element in the hardware and operating system of a computer that

regulates the access of subjects to objects on the basis of security parameters of the subject and object.

It has access to a file, known as the security kernel database, that lists the access privileges (security

clearance) of each subject and the protection attributes (classification level) of each object

It enforces the security rules (no read up, no write down) and has the following properties:

o Complete mediation

The security rules are enforced on every access, not just, for example, when a file is opened.

o Isolation

The reference monitor and database are protected from unauthorized modification.

o Verifiability

The reference monitor's correctness must be provable

it must be possible to demonstrate mathematically that the reference monitor enforces the security

rules and provides complete mediation and isolation

A system that can provide such verification is referred to as a trusted system

Trojan Horse Defense

One way to secure against Trojan horse attacks is the use of a secure, trusted operating system.

a Trojan horse is used to get around the standard security mechanism used by most file management and

operating systems: the access control list.

In this example, a user named Bob interacts through a program with a data file containing the critically

sensitive character string "CPE170KS."

User Bob has created the file with read/write permission provided only to programs executing on his own

behalf: that is, only processes that are owned by Bob may access the file.



Trojan Horse and Secure Operating System

The Trojan Horse Attack

begins when a hostile user, named Alice, gains legitimate access to the system and installs both a Trojan

horse program and a private file to be used in the attack as a "back pocket."

Alice gives read/write permission to herself for this file and gives Bob write-only permission (Figure a)

Alice now induces Bob to invoke the Trojan horse program, perhaps by advertising it as a useful utility.

When the program detects that it is being executed by Bob, it reads the sensitive character string from

Bob's file and copies it into Alice's back-pocket file (Figure b)

Both the read and write operations satisfy the constraints imposed by access control lists.

Alice then has only to access Bob's file at a later time to learn the value of the string

Use Of A Secure Operating System (figure c)

Security levels are assigned to subjects at logon on the basis of criteria such as the terminal from which the

computer is being accessed and the user involved, as identified by password/ID.

In this example, there are two security levels, sensitive (high) and public (low)

Processes owned by Bob and Bob's data file are assigned the security level sensitive.

Alice's file and processes are restricted to public.

If Bob invokes the Trojan horse program (Figure 5d), that program acquires Bob's security level.

It is therefore able to observe the sensitive character string.

When the program attempts to store the string in a public file (the back-pocket file), however, the policy is

violated and the attempt is disallowed by the reference monitor.

Thus, the attempt to write into the back-pocket file is denied even though the access control list permits it:

The security policy takes precedence over the access control list mechanism

Disclaimer

Intended for educational purposes only. Not intended for any sort of commercial use

Purely created to help students with limited preparation time

Text and picture used were taken from the reference items

Reference

Cryptography and Network Security, Fourth Edition – William Stallings

Credits

Thanks to my family members who supported me, while I spent considerable amount of time to prepare these notes. Feedback is always welcome at [email protected]

http://williamstallings.com/Crypto/Crypto4e.html

resources (tbd) intruders and intrusion - wordpress.com · intruders and intrusion security problem...

Documents