resources (tbd) intruders and intrusion - wordpress.com · intruders and intrusion security problem...
TRANSCRIPT
CS669 Network Security Unit - V
MTech CSE (PT, 2011-14) SRM, Ramapuram 1 hcr:innovationcse@gg
UNIT – V SYSTEM SECURITY Resources – Intruders and Intrusion – Viruses and Worms – OS Security – Firewalls – Design Principles –
Packet Filtering – Application gateways – Trusted systems – Counter Measures
Resources (TBD) TBD
Intruders and Intrusion security problem for networked systems is hostile, or at least unwanted, trespass being unauthorized login
or use of a system, by local or remote users; or by software such as a virus, worm, or Trojan horse.
One of the two most publicized threats to security is the intruder (or hacker or cracker), which Anderson
identified three classes of:
o Masquerader: An individual who is not authorized to use the computer (outsider)
o Misfeasor: A legitimate user who accesses unauthorized data, programs, or resources (insider)
o Clandestine user: An individual who seizes supervisory control of the system and uses this control to
evade auditing and access controls or to suppress audit collection (either)
Intruder attacks range from the
o benign (simply exploring net to see what is there); to the
o serious (who attempt to read privileged data, perform unauthorized modifications, or disrupt system)
two levels of hackers
o high level - sophisticated users - thorough knowledge of the technology;
o low level - "foot soldiers", who merely used the supplied cracking programs
CERTs
Computer Emergency Response Teams
cooperative ventures collect information about system vulnerabilities and disseminate it to managers
Intrusion Techniques
Objective Of The Intruder
To gain access to a system or to increase the range of privileges accessible on a system
o requires the intruder to acquire information that should have been protected
o Example: user password - an intruder can log in to a system and exercise as legitimate user
The password file can be protected in one of two ways
One-way function
o The system stores only the value of a function based on the user's password
o the system usually performs a one-way transformation (not reversible) in which the password is used to
generate a key - a fixed-length output
Access control
o Access to the password file is limited to one or a very few accounts
Techniques Used By Password Crackers For Learning Passwords
1. Try default passwords used with standard accounts that are shipped with the system.
o Many administrators do not bother to change these defaults.
2. Exhaustively try all short passwords (those of one to three characters).
3. Try words in the system's online dictionary or a list of likely passwords.
o Examples of the latter are readily available on hacker bulletin boards.
4. Collect information about users, such as their full names, the names of their spouse and children, pictures
in their office, and books in their office that are related to hobbies.
5. Try users' phone numbers, Social Security numbers, and room numbers.
6. Try all legitimate license plate numbers for this state.
7. Use a Trojan horse to bypass restrictions on access.
8. Tap the line between a remote user and the host system.
CS669 Network Security Unit - V
MTech CSE (PT, 2011-14) SRM, Ramapuram 2 hcr:innovationcse@gg
Effectiveness
The first six methods use guessing method
o Guessing are feasible and effective
Trojan horse, can be particularly difficult to counter
line tapping, is a matter of physical security
o can be countered with link encryption techniques
Two Principal Countermeasures
Detection
learning of an attack, either before or after its success
Prevention
challenging security goal
Intrusion Detection
Motivation
If an intrusion is detected quickly enough, the intruder can be identified and ejected from the system before
any damage is done or any data are compromised.
An effective intrusion detection system can serve as a deterrent, so acting to prevent intrusions
Intrusion detection enables the collection of information about intrusion techniques that can be used to
strengthen the intrusion prevention facility
Profiles of Behavior of Intruders and Authorized Users
typical behavior of an intruder differs from the typical behavior of an authorized user
there is an overlap in these behaviors
a loose interpretation of intruder behavior, will also lead to a number of "false positives," or authorized users
identified as intruders.
an attempt to limit false positives by a tight interpretation of intruder behavior will lead to an increase in false
negatives, or intruders not identified as intruders
CS669 Network Security Unit - V
MTech CSE (PT, 2011-14) SRM, Ramapuram 3 hcr:innovationcse@gg
Approaches To Intrusion Detection
Statistical anomaly detection
Involves the collection of data relating to the behavior of legitimate users over a period of time
attempt to define normal, or expected, behavior
statistical test methods
o Threshold detection
This approach involves defining thresholds, independent of user, for the frequency of occurrence of
various events
o Profile based:
A profile of the activity of each user is developed and used to detect changes in the behavior of
individual accounts.
Rule-based detection
define a set of rules that can be used to decide that a given behavior is that of an intruder
attempt to define proper behavior
Methods
o Anomaly detection
Rules are developed to detect deviation from previous usage patterns
o Penetration identification
An expert system approach that searches for suspicious behavior
Audit Records
A fundamental tool for intrusion detection
Some record of ongoing activity by users
Two plans are used
Native audit records
o all multiuser operating systems include accounting software that collects information on user activity
o Adv: no additional collection software is needed
o Disadv: may not contain the needed information or may not contain it in a convenient form
Detection-specific audit records
o A collection facility can be implemented that generates audit records containing only that information
required by the intrusion detection system
o Adv: could be made vendor independent and ported to a variety of systems
o Disadv: extra overhead involved in having, two accounting packages running on a machine
Each audit record contains the following fields
Subject:, Action, Object, Exception-Condition, Resource-Usage, Time-Stamp
Statistical Anomaly Detection Two broad categories
1. Threshold Detection
2. Profile-Based Systems
Threshold Detection
involves counting the number of occurrences of a specific event type over an interval of time.
If the count surpasses a reasonable number, then intrusion is assumed
Drawbacks
o crude and ineffective detector
o Both the threshold and the time interval must be determined
o likely to generate either a lot of false positives or a lot of false negatives
useful in conjunction with more sophisticated techniques
CS669 Network Security Unit - V
MTech CSE (PT, 2011-14) SRM, Ramapuram 4 hcr:innovationcse@gg
Profile-Based Systems
characterizing the past behavior of individual users or related groups of users and then detecting significant
deviations
A profile may consist of a set of parameters
The foundation of this approach is an analysis of audit records
The audit records provide input to the intrusion detection function in two ways.
1. the designer must decide on a number of quantitative metrics that can be used to measure user behavior
o the audit records serve to define typical behavior
2. current audit records are the input used to detect intrusion.
o the intrusion detection model analyzes incoming audit records to determine deviation
Examples of metrics
Counter:
o number of logins, number of times a given command is executed, number of password failures
Gauge
o used to measure the current value of some entity
o number of logical connections, number of outgoing messages
Interval timer
o time between two related events like successive logins
Resource utilization
o Quantity of resources consumed
o number of pages printed, total time consumed by a program execution
Statistical Tests
Mean and standard deviation
Multivariate
Markov process
Time series
Operational
Mean and standard deviation
measure the mean and standard deviation of a parameter over some period
gives the average behavior and its variability
applicable to a wide variety of counters, timers, and resource measures
too crude for intrusion detection purposes.
Multivariate
model based on correlations between two or more variables
examples: processor time and resource usage, login frequency and session elapsed time
Markov process
used to establish transition probabilities among various states
example: transitions between certain commands
Time series
focuses on time intervals, events that happen too rapidly or too slowly
characterize abnormal timing
Operational
based on a judgment of what is considered abnormal
example: a large number of login attempts over a short period
Advantages of statistical tests
a prior knowledge of security flaws is not required
portable among a variety of systems
CS669 Network Security Unit - V
MTech CSE (PT, 2011-14) SRM, Ramapuram 5 hcr:innovationcse@gg
Rule-Based Intrusion Detection detect intrusion by observing events in the system and applying a set of rules that lead to a decision regarding
whether a given pattern of activity is or is not suspicious
Two approaches
1. Rule-based anomaly detection
2. Rule-based penetration identification
Rule-based anomaly detection
similar to statistical anomaly detection
historical audit records are analyzed to identify usage patterns and to generate automatically rules that
describe those patterns
Rules may represent past behavior patterns of users, programs, privileges, time slots, terminals, and so on
Current behavior is then observed, and each transaction is matched against the set of rules to determine if
it conforms to any historically observed pattern of behavior
Rule-based penetration identification
based on expert system technology
use of rules for identifying known penetrations or penetrations that would exploit known weaknesses
can also be defined that identify suspicious behavior
specific to the machine and operating system
Rules are generated by experts / system admins
o strength of the approach depends on the skill of those involved in setting up the rules
Examples
heuristic rules that can be found in NIDX system
penetration identification scheme used in IDES
state transition model USTAT implemented on a SunOS
The Base-Rate Fallacy
an intrusion detection system should detect a substantial percentage of intrusions while keeping the false
alarm rate at an acceptable level
If only a modest percentage of actual intrusions are detected, the system provides a false sense of security
if the system frequently triggers an alert when there is no intrusion (a false alarm), they might be ignored or
time wasted
it is very difficult to meet the standard of high rate of detections with a low rate of false alarms
if the actual numbers of intrusions is low, then the false alarm rate will be high
current systems have not overcome this problem of the base-rate fallacy
Distributed Intrusion Detection needs to defend a distributed collection of hosts supported by a LAN or internetwork
coordination and cooperation among intrusion detection systems across the network
Issues In The Design Of A Distributed Intrusion Detection System
need to deal with different audit record formats
o heterogeneous environment
One or more nodes in the network will serve as collection and analysis points for the data from the systems
on the network
o raw audit data or summary data transmitted across the network - requirement to assure the integrity
and confidentiality
Either a centralized or decentralized architecture can be used
o a centralized architecture, there is a single central point of collection and analysis of all audit data
o decentralized architecture, there are more than one analysis centers
CS669 Network Security Unit - V
MTech CSE (PT, 2011-14) SRM, Ramapuram 6 hcr:innovationcse@gg
Architecture for Distributed Intrusion Detection
three main components:
Host agent module
An audit collection module operating as a background process on a monitored system.
Its purpose is to collect data on security-related events on the host and transmit these to the central
manager.
LAN monitor agent module
Operates in the same fashion as a host agent module except that it analyzes LAN traffic and reports the results
to the central manager.
Central manager module
Receives reports from LAN monitor and host agents and processes and correlates these reports to detect
intrusion.
Agent Architecture
The agent captures each audit record
produced by the native audit collection
system.
A filter is applied that retains only those
records that are of security interest.
These records are then reformatted into
a standardized format referred to as the
host audit record (HAR).
Next, a template-driven logic module
analyzes the records for suspicious
activity
Finally, the agent looks for anomalous
behavior
TBD
CS669 Network Security Unit - V
MTech CSE (PT, 2011-14) SRM, Ramapuram 7 hcr:innovationcse@gg
Viruses and Worms - Introduction Malicious software is software that is intentionally included or inserted in a system for a harmful purpose.
A virus is a piece of software that can "infect" other programs by modifying them; the modification includes
a copy of the virus program, which can then go on to infect other programs.
A worm is a program that can replicate itself and send copies from computer to computer across network
connections. Upon arrival, the worm may be activated to replicate and propagate again. In addition to
propagation, the worm usually performs some unwanted function.
A denial of service (DoS) attack is an attempt to prevent legitimate users of a service from using that
A distributed denial of service attack is launched from multiple coordinated sources
Terminology of Malicious Programs
Name Description
Virus Attaches itself to a program and propagates copies of itself to other programs
Worm Program that propagates copies of itself to other computers
Logic bomb Triggers action when condition occurs
Trojan horse Program that contains unexpected additional functionality
Backdoor (trapdoor) Program modification that allows unauthorized access to functionality
Exploits Code specific to a single vulnerability or set of vulnerabilities
Downloaders Program that installs other items on a machine that is under attack. Usually, a downloader is sent in an e-mail
Auto-rooter Malicious hacker tools used to break into new machines remotely
Kit (virus generator) Set of tools for generating new viruses automatically
Spammer programs Used to send large volumes of unwanted e-mail
Flooders Used to attack networked computer systems with a large volume of traffic to carry out a denial of service (DoS) attack
Keyloggers Captures keystrokes on a compromised system
Rootkit Set of hacker tools used after attacker has broken and gained root-level access
Zombie Program activated on an infected machine to launch attacks on other machines
Malicious software can be divided into two categories:
Those That Need A Host Program
fragments of programs that cannot exist independently of some actual program (app / system), utility
examples: Viruses, logic bombs, and backdoors
Those That Are Independent
self-contained programs that can be scheduled and run by the operating system
examples: Worms and zombie
Differentiation Based On Replication
Those Software Threats That Do Not Replicate
programs or fragments of programs that are activated by a trigger
Examples: logic bombs, backdoors, and zombie programs
Those That Do
either a program fragment or an independent program that, when executed, may produce one or more
copies of itself to be activated later on the same system or some other system.
Examples: Viruses and worms
CS669 Network Security Unit - V
MTech CSE (PT, 2011-14) SRM, Ramapuram 8 hcr:innovationcse@gg
Viruses
The Nature of Viruses
A virus is a piece of software that can "infect" other programs by modifying them;
the modification includes a copy of the virus program,
which can then go on to infect other programs
The typical virus becomes embedded in a program on a computer
whenever the infected computer comes into contact with an uninfected piece of software, a fresh copy of
the virus passes into the new program.
the infection can be spread from computer to computer
network environment
Once a virus is executing, it can perform any function, such as erasing files and programs
Typical virus goes through the following four phases
Dormant phase
The virus is idle.
The virus will eventually be activated by some event, such as a date, the presence of another program or
file, or the capacity of the disk exceeding some limit.
Not all viruses have this stage.
Propagation phase
The virus places an identical copy of itself into other programs or into certain system areas on the disk.
Each infected program will now contain a clone of the virus, which will itself enter a propagation phase.
Triggering phase
The virus is activated to perform the function for which it was intended.
As with the dormant phase, the triggering phase can be caused by a variety of system events, including a
count of the number of times that this copy of the virus has made copies of itself.
Execution phase
The function is performed.
The function may be harmless, such as a message on the screen, or damaging, such as the destruction of
programs and data files.
Virus Structure
program V :=
{
goto main;
1234567;
subroutine infect-executable :=
{
loop:
file := get-random-executable-file;
if (first-line-of-file = 1234567)
then goto loop
else prepend V to file;
}
subroutine do-damage :=
{
whatever damage is to be done
}
subroutine trigger-pulled :=
CS669 Network Security Unit - V
MTech CSE (PT, 2011-14) SRM, Ramapuram 9 hcr:innovationcse@gg
{
return true if some condition holds
}
main: main-program :=
{
infect-executable;
if trigger-pulled then do-damage;
goto next;
}
next:
}
Compression Virus
Above such virus is easily detected because an infected version of a program is longer than the
corresponding uninfected one.
A way to thwart such a simple means of detecting a virus is to compress the executable file so that both
the infected and uninfected versions are of identical
Logic for a Compression Virus
program CV :=
{
goto main;
01234567;
subroutine infect-executable :=
{
loop:
file := get-random-executable-file;
if (first-line-of-file = 01234567) then goto loop;
(1) compress file;
(2) prepend CV to file;
}
main: main-program :=
{
if ask-permission then infect-executable;
(3) uncompress rest-of-file;
(4) run uncompressed file;
}
}
CS669 Network Security Unit - V
MTech CSE (PT, 2011-14) SRM, Ramapuram 10 hcr:innovationcse@gg
1. For each uninfected file P2 that is found, the virus first compresses that file to produce P'2, which is shorter
than the original program by the size of the virus.
2. A copy of the virus is prepended to the compressed program.
3. The compressed version of the original infected program, P'1, is uncompressed.
4. The uncompressed original program is executed.
Types of Viruses
Parasitic virus
The traditional and still most common form of virus.
A parasitic virus attaches itself to executable files and replicates, when the infected program is executed, by
finding other executable files to infect.
Memory-resident virus
Lodges in main memory as part of a resident system program.
From that point on, the virus infects every program that executes.
Boot sector virus
Infects a master boot record and spreads when a system is booted from the disk containing the virus
Stealth virus
A form of virus explicitly designed to hide itself from detection by antivirus software.
Polymorphic virus
A virus that mutates with every infection, making detection by the "signature" of the virus impossible.
Metamorphic virus
As with a polymorphic virus, a metamorphic virus mutates with every infection.
a metamorphic virus rewrites itself completely at each iteration, increasing the difficulty of detection
Metamorphic viruses my change their behavior as well as their appearance
Macro Viruses
a macro is an executable program embedded in a word processing document or other type of file
Macro viruses are particularly threatening for a number of reasons
A macro virus is platform independent.
o Virtually all of the macro viruses infect Microsoft Word documents.
o Any hardware platform and operating system that supports Word can be infected.
Macro viruses infect documents, not executable portions of code.
o Most of the information introduced onto a computer system is in the form of a document rather than a
program
Macro viruses are easily spread. A very common method is by electronic mail.
E-mail Viruses
The first rapidly spreading e-mail viruses, such as Melissa, made use of a Microsoft Word macro embedded
in an attachment.
If the recipient opens the e-mail attachment, the Word macro is activated, then
o The e-mail virus sends itself to everyone on the mailing list in the user's e-mail package.
o The virus does local damage
Worms A worm is a program that can replicate itself and send copies from computer to computer across network
connections.
Upon arrival, the worm may be activated to replicate and propagate again.
In addition to propagation, the worm usually performs some unwanted function.
An e-mail virus has some of the characteristics of a worm, because it propagates itself from system to
system. However, we can still classify it as a virus because it requires a human to move it forward.
CS669 Network Security Unit - V
MTech CSE (PT, 2011-14) SRM, Ramapuram 11 hcr:innovationcse@gg
A worm actively seeks out more machines to infect and each machine that is infected serves as an
automated launching pad for attacks on other machines
Network worm programs use network connections to spread from system to system
To replicate itself, a network worm uses
Electronic mail facility:
o A worm mails a copy of itself to other systems.
Remote execution capability
o A worm executes a copy of itself on another system.
Remote login capability
o A worm logs onto a remote system as a user and then uses commands to copy itself from one system
to the other
A network worm exhibits the same characteristics as a computer virus:
a dormant phase,
a propagation phase,
a triggering phase
an execution phase.
The propagation phase generally performs the following functions:
1. Search for other systems to infect by examining host tables or similar repositories of remote system
addresses.
2. Establish a connection with a remote system.
3. Copy itself to the remote system and cause the copy to be run.
Worm Example
The Morris Worm
by Robert Morris in 1998
was designed to spread on UNIX systems and used a number of different techniques for propagation
number of methods for gaining access
It attempted to log on to a remote host as a legitimate user
the worm first attempted to crack the local password file, and then used the discovered passwords and
corresponding user IDs
the worm ran a password-cracking program that tried
Each user's account name and simple permutations of it
A list of 432 built-in passwords that Morris thought to be likely candidates
All the words in the local system directory
It exploited a bug in the finger protocol, which reports the whereabouts of a remote user
It exploited a trapdoor in the debug option of the remote process that receives and sends mail
If any of these attacks succeeded,
the worm achieved communication with the operating system command interpreter.
It then sent this interpreter
o a short bootstrap program,
o issued a command to execute that program,
o then logged off.
The bootstrap program then called back the parent program and downloaded the remainder of the worm.
The new worm was then executed
State of Worm Technology
The state of the art in worm technology includes the following:
Multiplatform
Newer worms are not limited to Windows machines but can attack a variety of platforms, especially the popular
varieties of UNIX.
Multiexploit
CS669 Network Security Unit - V
MTech CSE (PT, 2011-14) SRM, Ramapuram 12 hcr:innovationcse@gg
New worms penetrate systems in a variety of ways, using exploits against Web servers, browsers, e-mail, file
sharing, and other network-based applications.
Ultrafast spreading
One technique to accelerate the spread of a worm is to conduct a prior Internet scan to accumulate Internet
addresses of vulnerable machines.
Polymorphic
To evade detection, worms adopt the virus polymorphic technique
Each copy of the worm has new code generated on the fly using functionally equivalent instructions and
encryption techniques.
Metamorphic
In addition to changing their appearance, metamorphic worms have a repertoire of behavior patterns that are
unleashed at different stages of propagation.
Transport vehicles
Because worms can rapidly compromise a large number of systems, they are ideal for spreading other
distributed attack tools, such as distributed denial of service zombies.
Zero-day exploit
To achieve maximum surprise and distribution, a worm should exploit an unknown vulnerability that is only
discovered by the general network community when the worm is launched.
Virus Countermeasures
Antivirus Approaches
Prevention
The ideal solution to the threat of viruses is prevention
Do not allow a virus to get into the system in the first place.
impossible to achieve
The next best approach is
Detection: Once the infection has occurred, determine that it has occurred and locate the virus.
Identification: Once detection has been achieved, identify the specific virus that has infected a program.
Removal: Once the specific virus has been identified, remove all traces of the virus from the infected
program and restore it to its original state.
o Remove the virus from all infected systems so that the disease cannot spread further
o If detection succeeds but either identification or removal is not possible, then the alternative is to
discard the infected program and reload a clean backup version
Four Generations Of Antivirus Software
1. First generation: simple scanners
2. Second generation: heuristic scanners
3. Third generation: activity traps
4. Fourth generation: full-featured protection
First-Generation
requires a virus signature to identify a virus.
o The virus may contain same structure and bit pattern in all copies.
o limited to the detection of known viruses
Another type maintains a record of the length of programs and looks for changes in length.
Second-Generation Scanner
does not rely on a specific signature
uses heuristic rules to search for probable virus infection
One class of such scanners looks for fragments of code that are often associated with viruses
CS669 Network Security Unit - V
MTech CSE (PT, 2011-14) SRM, Ramapuram 13 hcr:innovationcse@gg
Another second-generation approach is integrity checking – use of checksum - encrypted hash function
Third-generation
memory-resident programs that identify a virus by its actions rather than its structure in an infected program
Example: Boot sector protection
Fourth-generation
packages consisting of a variety of antivirus techniques used in conjunction
scanning, activity traping, access control capability etc
Advanced Antivirus Techniques (O)
Generic decryption (GD) technology - GD scanner components - CPU emulator - Virus signature scanner -
Emulation control module - Digital Immune System - comprehensive approach to virus protection developed by
IBM - two major trends in Internet technology - Integrated mail systems - Mobile-program systems - Behavior-
Blocking Software - integrates with the operating system
OS Security (TBD) TBD
Firewalls The firewall is inserted between the premises network and the Internet to establish a controlled link and to
erect an outer security wall or perimeter.
The aim of this perimeter is to protect the premises network from Internet-based attacks and to provide a
single choke point where security and audit can be imposed.
The firewall may be a single computer system or a set of two or more systems that cooperate to perform
the firewall function
Firewall Characteristics
1. All traffic from inside to outside, and vice versa, must pass through the firewall
o achieved by physically blocking all access to the local network except via the firewall.
2. Only authorized traffic, as defined by the local security policy, will be allowed to pass
3. The firewall itself is immune to penetration using a trusted system with a secure operating system
Four General Techniques That Firewalls Use
To Control Access And Enforce The Site's Security Policy
Service control:
Determines the types of Internet services that can be accessed, inbound or outbound.
filter traffic on the basis of IP address and TCP port number;
may provide proxy software that receives and interprets each service request before passing it on; or may
host the server software itself, such as a Web or mail service
Direction control:
Determines the direction in which particular service requests may be initiated & allowed to flow
User control:
Controls access to a service according to which user is attempting to access it.
Example: usage of IPSec for secure authentication of external users
Behavior control:
Controls how particular services are used
Example: spam filter for email
Scope Of A Firewall
1) defines a single choke point of protection from unauthorized users, vulnerable services and various kinds of
IP spoofing and routing attacks
CS669 Network Security Unit - V
MTech CSE (PT, 2011-14) SRM, Ramapuram 14 hcr:innovationcse@gg
2) provides a location for monitoring security-related events - Audits and alarms
3) convenient platform for several Internet functions that are not security related like network address
translator, network management function
4) can serve as the platform for IPSec - tunnel mode capability for VPN
Limitations Of Firewall
cannot protect against attacks that bypass the firewall
does not protect against internal threats - disgruntled employee / cooperates with an external attacker
cannot protect against the transfer of virus-infected programs or files
o impossible for the firewall to scan all incoming files
Types of Firewalls
Three common types of firewalls:
Packet Filters
Application-Level Gateways
Circuit-Level Gateways
Packet Filters
A packet-filtering router applies a set of rules to each incoming and outgoing IP packet and then forwards or
discards the packet.
filter packets going in both directions (from and to the internal network)
Filtering rules are based on the following information contained in a network packet
Source IP address
Destination IP address
Source and destination transport-level address - e.g., TCP or UDP port number
IP protocol field
Interface
Filter Setup
a list of rules based on matches to fields in the IP or TCP header.
If there is a match, that rule is invoked to determine whether to forward or discard the packet
If there is no match to any rule, then a default action is taken.
Two default policies are possible:
Default = discard
That which is not expressly permitted is prohibited.
more conservative.
Initially, everything is blocked, and services must be added on a case-by-case basis.
more visible to users, may see the firewall as a hindrance.
Default = forward
That which is not expressly prohibited is permitted.
The default forward policy increases ease of use for end users but provides reduced security
the security administrator react to each new security threat as it becomes known
CS669 Network Security Unit - V
MTech CSE (PT, 2011-14) SRM, Ramapuram 15 hcr:innovationcse@gg
Examples
action ourhost port theirhost port comment
block * * SPIGOT * we don't trust
allow OUR-GW 25 * * connection to our SMTP port
block * * * * default
Advantages
Simplicity
Transparent to users
Very fast
Weaknesses Of Packet Filter Firewalls
cannot prevent attacks that employ application-specific vulnerabilities or functions
logging functionality present in packet filter firewalls is limited
vulnerable to attacks and exploits that take advantage of problems within the TCP/IP specification and
protocol stack, such as network layer address spoofing
susceptible to security breaches caused by improper configurations
Attacks and Countermeasures
IP address spoofing
o The intruder transmits packets from the outside with a source IP address field containing an address of
an internal host
o The countermeasure is to discard packets with an inside source address if the packet arrives on an
external interface
Source routing attacks
o The source station specifies the route that a packet should take
o countermeasure is to discard all packets that use this option
Tiny fragment attacks
o The intruder uses the IP fragmentation option to create extremely small fragments and force the TCP
header information into a separate packet fragment
o countermeasure is to enforce a rule that the first fragment of a packet must contain a predefined
minimum amount of the transport header
Stateful Inspection Firewalls
when an application that uses TCP creates a session with a remote host, it creates a TCP connection
A stateful inspection packet filter tightens up the rules for TCP traffic by creating a directory of outbound
TCP connections
There is an entry for each currently established connection.
The packet filter will now allow incoming traffic to high-numbered ports only for those packets that fit the
profile of one of the entries in this directory
Example
Source Address Source Port Destination Address Destination Port Connection State
192.168.1.100 1030 210.9.88.29 80 Established
Application-Level Gateways
also called a proxy server, acts as a relay of application-level traffic
The user contacts the gateway using a TCP/IP application, such as Telnet or FTP
the gateway asks the user for the name of the remote host to be accessed
user responds and provides a valid user ID and authentication information
the gateway contacts the application on the remote host and relays TCP segments
If the gateway does not implement the proxy code for a specific application, the service is not supported
can be configured to support only specific features of an application while denying all other features
Advantages
more secure than packet filters
need only to scrutinize a few allowable applications
CS669 Network Security Unit - V
MTech CSE (PT, 2011-14) SRM, Ramapuram 16 hcr:innovationcse@gg
easy to log and audit all incoming traffic at the application level
Disadvantage
additional processing overhead on each connection
Circuit-Level Gateways
can be a stand-alone system
can be a specialized function performed by an application-level gateway for certain applications
does not permit an end-to-end TCP connection;
o the gateway sets up two TCP connections,
o one between itself and a TCP user on an inner host
o one between itself and a TCP user on an outside host.
The security function consists of determining which connections will be allowed
Example SOCKS package
SOCKS consists of the following components:
o The SOCKS server, which runs on a UNIX-based firewall.
o The SOCKS client library, which runs on internal hosts protected by the firewall.
o SOCKS-ified versions of several standard client programs such as FTP and TELNET
Bastion Host
A bastion host is a system identified by the firewall administrator as a critical strong point in the network's
security.
The bastion host serves as a platform for an application-level or circuitlevel gateway
Common characteristics of a bastion host
The bastion host hardware platform executes a secure version of its operating system, making it a trusted
system
Only the services that the network administrator considers essential are installed
CS669 Network Security Unit - V
MTech CSE (PT, 2011-14) SRM, Ramapuram 17 hcr:innovationcse@gg
may require additional authentication before a user is allowed access to the proxy services
Each proxy is configured to support only a subset of the standard application's command set
Each proxy is configured to allow access only to specific host systems
Each proxy maintains detailed audit information by logging all traffic, each connection, and the duration of
each connection
Each proxy module is a very small software package specifically designed for network security
Each proxy is independent of other proxies on the bastion host.
A proxy generally performs no disk access other than to read its initial configuration file - makes it difficult
for an intruder to install Trojan horse sniffers
Each proxy runs as a nonprivileged user in a private and secured directory
Firewall Configurations
Three common firewall configurations
Screened Host Firewall, Single-Homed Bastion
Screened Host Firewall, Dual-Homed Bastion
Screened Subnet Firewall
Screened Host Firewall, Single-Homed Bastion
the firewall consists of two systems:
o a packet-filtering router
o a bastion host.
Typically, the router is configured so that
o For traffic from the Internet, only IP packets destined for the bastion host are allowed in
o For traffic from the internal network, only IP packets from the bastion host are allowed out
The bastion host performs authentication and proxy functions
Advantages
greater security
o configuration implements both packet-level and application-level filtering
considerable flexibility in defining security policy
o an intruder must generally penetrate two separate systems
flexibility in providing direct Internet access
Drawback
if the packet-filtering router is completely compromised, traffic could flow directly through the router between the
Internet and other hosts on the private network
Screened Host Firewall, Dual-Homed Bastion
physically prevents security breaches
Advantages
dual layers of security as like single homed
Flexibility
CS669 Network Security Unit - V
MTech CSE (PT, 2011-14) SRM, Ramapuram 18 hcr:innovationcse@gg
o information server or other hosts can be allowed direct communication with the router if this is in accord
with the security policy.
Screened Subnet Firewall
most secure
two packet-filtering routers are used,
one between the bastion host and the Internet
one between the bastion host and the internal network.
creates an isolated subnetwork, which may consist of simply the bastion host but may also include one or
more information servers and modems for dial-in capability.
both the Internet and the internal network have access to hosts on the screened subnet, but traffic across
the screened subnet is blocked
Advantages
three levels of defense to thwart intruders.
The outside router advertises only the existence of the screened subnet to the Internet
o the internal network is invisible to the Internet.
the inside router advertises only the existence of the screened subnet to the internal network
o the systems on the inside network cannot construct direct routes to the Internet
Design Principles TBD
Counter Measures TBD
Password Management (O) TBD
CS669 Network Security Unit - V
MTech CSE (PT, 2011-14) SRM, Ramapuram 19 hcr:innovationcse@gg
Trusted systems protect data or resources on the basis of levels
of security.
commonly found in the military, where
information is categorized as unclassified (U),
confidential (C), secret (S), top secret (TS)
applicable in other areas, where
o information can be organized into gross
categories
o users can be granted clearances to access
certain categories of data.
Example:
the highest level of security might be for
strategic corporate planning documents and
data, accessible by only corporate officers
sensitive financial and personnel data, accessible only by administration personnel, corporate officers
Multilevel Security
When multiple categories or levels of data are defined, the requirement is referred to as multilevel security
a subject at a high level may not convey information to a subject at a lower or noncomparable level
A multilevel secure system must enforce the following:
No read up:
o A subject can only read an object of less or equal security level.
o This is referred as the Simple Security Property.
No write down:
o A subject can only write into an object of greater or equal security level.
o This is referred as the *-Property (Star Property)
Reference Monitor Concept
The reference monitor is a controlling element in the hardware and operating system of a computer that
regulates the access of subjects to objects on the basis of security parameters of the subject and object.
It has access to a file, known as the security kernel database, that lists the access privileges (security
clearance) of each subject and the protection attributes (classification level) of each object
It enforces the security rules (no read up, no write down) and has the following properties:
o Complete mediation
The security rules are enforced on every access, not just, for example, when a file is opened.
o Isolation
The reference monitor and database are protected from unauthorized modification.
o Verifiability
The reference monitor's correctness must be provable
it must be possible to demonstrate mathematically that the reference monitor enforces the security
rules and provides complete mediation and isolation
A system that can provide such verification is referred to as a trusted system
Trojan Horse Defense
One way to secure against Trojan horse attacks is the use of a secure, trusted operating system.
a Trojan horse is used to get around the standard security mechanism used by most file management and
operating systems: the access control list.
In this example, a user named Bob interacts through a program with a data file containing the critically
sensitive character string "CPE170KS."
User Bob has created the file with read/write permission provided only to programs executing on his own
behalf: that is, only processes that are owned by Bob may access the file.
CS669 Network Security Unit - V
MTech CSE (PT, 2011-14) SRM, Ramapuram 20 hcr:innovationcse@gg
Trojan Horse and Secure Operating System
The Trojan Horse Attack
begins when a hostile user, named Alice, gains legitimate access to the system and installs both a Trojan
horse program and a private file to be used in the attack as a "back pocket."
Alice gives read/write permission to herself for this file and gives Bob write-only permission (Figure a)
Alice now induces Bob to invoke the Trojan horse program, perhaps by advertising it as a useful utility.
When the program detects that it is being executed by Bob, it reads the sensitive character string from
Bob's file and copies it into Alice's back-pocket file (Figure b)
Both the read and write operations satisfy the constraints imposed by access control lists.
Alice then has only to access Bob's file at a later time to learn the value of the string
Use Of A Secure Operating System (figure c)
Security levels are assigned to subjects at logon on the basis of criteria such as the terminal from which the
computer is being accessed and the user involved, as identified by password/ID.
In this example, there are two security levels, sensitive (high) and public (low)
Processes owned by Bob and Bob's data file are assigned the security level sensitive.
Alice's file and processes are restricted to public.
If Bob invokes the Trojan horse program (Figure 5d), that program acquires Bob's security level.
It is therefore able to observe the sensitive character string.
When the program attempts to store the string in a public file (the back-pocket file), however, the policy is
violated and the attempt is disallowed by the reference monitor.
Thus, the attempt to write into the back-pocket file is denied even though the access control list permits it:
The security policy takes precedence over the access control list mechanism
Disclaimer
Intended for educational purposes only. Not intended for any sort of commercial use
Purely created to help students with limited preparation time
Text and picture used were taken from the reference items
Reference
Cryptography and Network Security, Fourth Edition – William Stallings
Credits
Thanks to my family members who supported me, while I spent considerable amount of time to prepare these notes. Feedback is always welcome at [email protected]