
CS 155, May 24, 2005

Firewalls and Intrusion Detection

John Mitchell

Common network devices

• Packet and application-layer firewall
• Network intrusion detection
• Virtual private network (IPsec/PPTP/SSL)
• Content filtering and virus scanning
• Bandwidth management (traffic shaping)
• Web caching, other caching

[Figure: local network connected through a router to the Internet]

Topics

• Firewalls
  • Packet filter (stateless, stateful)
  • Application-layer gateway
• Traffic shaping
• Intrusion detection
  • Anomaly and misuse detection
  • Host and network intrusion detection

Basic Firewall Concept

• Separate local area net from internet
• All packets between LAN and internet routed through firewall

[Figure: local network, firewall, router, Internet in series]

Why firewalls?

• Need to exchange information
  • Education, business, recreation, social and political
• Program bugs
  • All programs contain bugs
  • Larger programs contain more bugs!
  • Network protocols contain:
    – Design weaknesses (SSH-1 CRC-32 integrity check)
    – Implementation flaws (SSL, NTP, FTP, SMTP, ...)
  • Careful (defensive) programming & protocol design is hard
• Defense in depth

Two Separable Topics

• Arrangement of firewall and routers
  • Several different network configurations
    – Separate internal LAN from external Internet
    – Wall off a subnetwork within an organization (test networks, financial records, secret projects)
    – Intermediate zone for web server, etc.
    – Personal firewall on end-user machine
• How does the firewall process data
  • Packet filtering router
  • Application-level gateway
    – Proxy for protocols such as ftp, smtp, http, etc.
  • Circuit-level gateway
  • Personal firewall also knows which application is talking
    – E.g., disallow a telnet connection from the email client
TCP Protocol Stack

[Figure: two hosts, each with Application, Transport (TCP, UDP), Network (IP) and Link layers; peer layers communicate over the application protocol, the TCP/UDP protocol, the IP protocol and the data link]

Data Formats

[Figure: encapsulation at each layer]
  Application message: data
  Transport (TCP, UDP) segment: TCP header | data
  Network (IP) packet: IP header | TCP header | data
  Link layer frame: Ethernet header | IP header | TCP header | data | Ethernet trailer

Transport layer provides ports, logical channels identified by number

ISO OSI 7 Layer Network Reference Model

[Figure: Host A and Host B each with Application, Presentation, Session, Transport, Network, Data Link and Physical layers; the router between them implements only Network, Data Link and Physical]

Screening router for packet filtering

[Figure: screening router placed between the local network and the Internet]

Packet Filtering

• Uses network- and transport-layer header information only
  • IP source address, destination address
  • Protocol/next header (TCP, UDP, ICMP, etc.)
  • TCP or UDP source & destination ports
  • TCP flags (SYN, ACK, FIN, RST, PSH, etc.)
  • ICMP message type
• Examples
  • DNS uses port 53
    – No incoming port 53 packets except from known trusted servers
• Issues
  • Stateful filtering
  • Encapsulation: address translation, other complications
  • Fragmentation
• Compare: Tiny Personal Firewall, ZoneAlarm

Packet filtering examples

[Figure: table of example filtering rules]
Source/Destination Address Forgery

[Figure: a packet arriving from the Internet carrying a forged internal source address]

Port numbering

• TCP connection
  • Server port is a well-known number less than 1024
  • Client port is an ephemeral number above 1023; the exact range is OS-specific (historically 1024–5000 on BSD-derived stacks, 32768–60999 on current Linux, 49152–65535 as recommended by IANA)
• Permanent assignment
  • Ports < 1024 are assigned permanently (well-known ports)
    – 20, 21 for FTP; 23 for Telnet
    – 25 for server SMTP; 80 for HTTP
• Variable use
  • Ports > 1024 must be available for a client to make any connection
  • This presents a limitation for stateless packet filtering
    – If a client wants to use port 2048, the firewall must allow incoming traffic on this port
  • Better: stateful filtering knows about outgoing requests
    – Only allow incoming traffic on a high port to a machine that has initiated an outgoing request from that high port to a server's low port

Filtering Example: Inbound SMTP

Can block external request to internal server based on port number

[Figure: inbound connection from an external high port to the internal mail server on port 25]

Filtering Example: Outbound SMTP

Internal request to external server will use known port (25) out, high port in

[Figure: outbound connection from an internal high port to an external server on port 25, reply to the high port]

Stateful or Dynamic Packet Filtering

[Figure: firewall keeping a table of the connections it has seen opened]

Telnet

[Figure: Telnet client (port 1234) and Telnet server (port 23)]
1. Client opens a channel to the server; the first segment carries the client's port number ("PORT 1234"). The ACK bit is clear only in this first segment (the SYN); the server's SYN-ACK and every subsequent segment have ACK set.
2. Server acknowledges ("ACK").

Stateful filtering can use this pattern to identify legitimate sessions
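The contrast drawn over the last few slides (a stateless rule table that has to admit every inbound ACK-flagged segment to a high port, versus a stateful filter that only admits segments belonging to a session it saw opened), plus the fragmentation issue listed under Packet Filtering, as an added example that is not part of the lecture. The addresses, the trusted resolver and the packet sequence are constructed; the fragment checks are the two from RFC 1858.

```python
import ipaddress
from dataclasses import dataclass

# Constructed for this example (not from the slides): the local network behind
# the firewall and one external resolver we trust to send us port-53 traffic.
LOCAL_NET = ipaddress.ip_network("10.0.0.0/8")
TRUSTED_DNS = {"203.0.113.53"}
TCP_MIN_HDR = 16   # RFC 1858: bytes of TCP header needed to reach the flags field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False
    frag_offset: int = 0       # IP fragment offset, in 8-byte units
    more_frags: bool = False   # IP "more fragments" flag
    transport_len: int = 64    # bytes after the IP header in this fragment


def inbound(p: Packet) -> bool:
    return (ipaddress.ip_address(p.dst) in LOCAL_NET
            and ipaddress.ip_address(p.src) not in LOCAL_NET)


def fragment_check(p: Packet) -> bool:
    """RFC 1858 checks, applied before any port rule: drop a TCP first fragment
    too short to carry the ports and flags, and drop a fragment at offset 1,
    which would overwrite those fields after reassembly."""
    if p.proto != "tcp":
        return True
    if p.frag_offset == 0 and p.more_frags and p.transport_len < TCP_MIN_HDR:
        return False
    if p.frag_offset == 1:
        return False
    return True


def stateless_filter(p: Packet) -> bool:
    """Ordered rule table. Its only notion of 'established' is the ACK bit, so
    every inbound ACK-flagged segment to a high port has to be admitted."""
    if not fragment_check(p):
        return False
    if p.proto == "udp" and inbound(p) and p.dport == 53:
        return p.src in TRUSTED_DNS          # inbound DNS only from trusted servers
    if p.proto != "tcp":
        return False
    if not inbound(p):
        return True                          # anything from the inside may leave
    if p.dport == 25:
        return True                          # inbound SMTP to the internal relay
    return p.ack and p.dport > 1023          # replies to internal clients


class StatefulFilter:
    """Connection table keyed by (initiator ip, initiator port, responder ip,
    responder port). A segment is admitted only if it opens a permitted session
    (SYN without ACK) or belongs to a session already in the table."""

    def __init__(self) -> None:
        self.sessions = set()

    def decide(self, p: Packet) -> bool:
        if p.proto != "tcp":
            return stateless_filter(p)
        if not fragment_check(p):
            return False
        fwd = (p.src, p.sport, p.dst, p.dport)   # p sent by the initiator
        rev = (p.dst, p.dport, p.src, p.sport)   # p sent by the responder
        if fwd in self.sessions or rev in self.sessions:
            return True
        if p.syn and not p.ack and (not inbound(p) or p.dport == 25):
            self.sessions.add(fwd)
            return True
        return False                         # includes bare ACK probes to high ports


def run_scenario() -> dict:
    """Push the same constructed packets through both filters and return
    {description: (stateless verdict, stateful verdict)}."""
    sf = StatefulFilter()
    flow = [
        ("client SYN out", Packet("10.0.0.5", "198.51.100.9", "tcp", 2048, 23, syn=True)),
        ("server SYN-ACK in", Packet("198.51.100.9", "10.0.0.5", "tcp", 23, 2048, syn=True, ack=True)),
        ("ACK probe in", Packet("192.0.2.77", "10.0.0.5", "tcp", 23, 2048, ack=True)),
        ("SYN probe in", Packet("192.0.2.77", "10.0.0.5", "tcp", 4444, 2048, syn=True)),
        ("tiny fragment in", Packet("192.0.2.77", "10.0.0.5", "tcp", 0, 0, syn=True,
                                    more_frags=True, transport_len=8)),
    ]
    return {name: (stateless_filter(p), sf.decide(p)) for name, p in flow}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:18} stateless={stateless!s:5} stateful={stateful}")
```

The third packet is the point of the slide: an attacker's ACK-flagged probe to 10.0.0.5:2048 passes the stateless "established" rule, because that rule cannot know whether 10.0.0.5 ever opened anything; the stateful filter rejects it because no session matches. Real connection tables also age entries out and track FIN/RST, which this toy omits.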

FTP

[Figure: FTP client (command port 5150, data port 5151) and FTP server (command port 21, data port 20)]
1. Client opens the command channel to the server (client 5150 -> server 21); tells the server its second port number ("PORT 5151").
2. Server acknowledges ("OK").
3. Server opens the data channel (server 20 -> client 5151) to the client's second port.
4. Client acknowledges (TCP ACK).

Normal Fragmentation

[Figure: an IP datagram split into fragments, the first fragment carrying the complete TCP header]
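Active-mode FTP as drawn above is the classic case a stateful filter cannot handle from TCP headers alone: the server opens the data connection inbound, to a port the client only announced inside the command channel. The following is an added example, not code from the lecture, of the FTP helper such a firewall needs: it parses the PORT command, refuses the FTP-bounce case (data directed at a third host or a privileged port), and opens a one-shot pinhole for the expected server-to-client connection. The client and server addresses and the command lines are constructed.

```python
import re

# Added example, not from the slides: the FTP "helper" a stateful firewall needs
# for active-mode transfers. The client, server and PORT lines are constructed.
PORT_RE = re.compile(
    rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n$")
FTP_DATA_PORT = 20


class FtpHelper:
    """Watches the command channel (client -> server port 21) and opens a
    one-shot pinhole for the data connection the server will initiate."""

    def __init__(self) -> None:
        self.expected = set()   # (server ip, 20, client ip, client data port)

    def on_command_line(self, client_ip: str, server_ip: str, line: bytes) -> bool:
        """Return False if the command line must be dropped."""
        m = PORT_RE.match(line)
        if m is None:
            return True                      # not a PORT command; pass it through
        nums = [int(x) for x in m.groups()]
        if any(n > 255 for n in nums):
            return False                     # malformed
        host = ".".join(str(n) for n in nums[:4])
        port = nums[4] * 256 + nums[5]
        # FTP bounce defence: a client may only ask for data to be delivered to
        # itself, and only on an unprivileged port.
        if host != client_ip or port < 1024:
            return False
        self.expected.add((server_ip, FTP_DATA_PORT, client_ip, port))
        return True

    def allow_inbound_syn(self, src: str, sport: int, dst: str, dport: int) -> bool:
        """Inbound connection attempt: admit only a data connection that was
        announced on the command channel, and only once."""
        key = (src, sport, dst, dport)
        if key in self.expected:
            self.expected.remove(key)
            return True
        return False


def run_scenario() -> dict:
    helper = FtpHelper()
    client, server = "10.0.0.5", "198.51.100.21"
    return {
        "user cmd": helper.on_command_line(client, server, b"USER anonymous\r\n"),
        "port 5151": helper.on_command_line(client, server, b"PORT 10,0,0,5,20,31\r\n"),  # 20*256+31
        "data syn": helper.allow_inbound_syn(server, 20, client, 5151),
        "data syn replay": helper.allow_inbound_syn(server, 20, client, 5151),
        "bounce to other host": helper.on_command_line(client, server, b"PORT 10,0,0,9,0,25\r\n"),
        "privileged port": helper.on_command_line(client, server, b"PORT 10,0,0,5,0,25\r\n"),
        "stray syn": helper.allow_inbound_syn("192.0.2.77", 20, client, 5151),
    }
```

Passive mode (PASV) needs the mirror-image helper, parsing the server's 227 reply so the client's outbound data connection can be matched; and if the command channel is encrypted (FTPS), no helper can read the port at all, which is one reason such protocols end up proxied rather than filtered.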

Abnormal Fragmentation

[Figure: fragments crafted so that the TCP header is split across fragments or overwritten on reassembly]

Application-level proxies

• Use a "bastion host"
  • Computer running a protocol stack
  • Several network locations – see next slides
  • Will interact with / accept data from the Internet
    – Disable all non-required services; keep it simple
    – Install/modify the services you want
    – Run a security audit to establish a baseline
    – Be prepared for the system to be compromised
• Enforce policy for specific protocols
  • E.g., virus scanning for SMTP
    – Need to understand MIME, encodings, Zip archives
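The last bullet is the part of an application-level proxy that a packet filter cannot do at all: to scan mail for malware the proxy has to decode the MIME structure, undo the transfer encoding, and open archives. The following added example (not the lecture's code) does that inspection step for one message, using Python's standard email and zipfile modules. The blocked-extension list, the size and nesting limits, and the "known bad" SHA-256 are constructed policy values, not real signatures.

```python
import hashlib
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Added example (not the lecture's code): the content inspection an SMTP proxy
# on a bastion host would apply to each message. Policy values and the sample
# "malware" blob are constructed for the example; they are not real signatures.
BLOCKED_EXT = {".exe", ".scr", ".js", ".vbs"}
SAMPLE_MALWARE = b"MZ" + b"\x00" * 64               # stand-in for a known-bad file
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE_MALWARE).hexdigest()}
MAX_NESTING = 3                                      # archives inside archives
MAX_UNPACKED = 10 * 1024 * 1024                      # guard against zip bombs


def inspect_bytes(name: str, data: bytes, depth: int, findings: list) -> None:
    """Apply the policy to one attachment, recursing into zip archives."""
    if hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256:
        findings.append(f"signature match: {name}")
    ext = "." + name.rsplit(".", 1)[1].lower() if "." in name else ""
    if ext in BLOCKED_EXT:
        findings.append(f"blocked type: {name}")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return
    if depth >= MAX_NESTING:
        findings.append(f"archive nested too deep: {name}")
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if sum(i.file_size for i in zf.infolist()) > MAX_UNPACKED:
            findings.append(f"archive too large when unpacked: {name}")
            return
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:          # encrypted member: cannot be scanned
                findings.append(f"encrypted archive member: {name}/{info.filename}")
                continue
            inspect_bytes(f"{name}/{info.filename}", zf.read(info), depth + 1, findings)


def inspect_message(raw: bytes) -> list:
    """Walk every MIME part; the email module undoes base64/quoted-printable."""
    findings = []
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename:
            continue                          # inline text body, no attachment
        inspect_bytes(filename, part.get_payload(decode=True), 0, findings)
    return findings


def build_sample_message() -> bytes:
    """Constructed message: text body plus a zip holding a disguised executable."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.pdf.exe", SAMPLE_MALWARE)
        zf.writestr("readme.txt", b"please open the invoice")
    msg = EmailMessage()
    msg["From"] = "billing@example.org"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(archive.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()
```

Each of the guards corresponds to an evasion the proxy would otherwise be open to: a password-protected archive cannot be scanned and should be reported rather than silently passed, and without the size and nesting limits a small archive that unpacks to gigabytes ties up the bastion host, which is itself the denial-of-service the "Problems with Firewalls" slide later admits firewalls rarely prevent.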

Screened Host Architecture

[Figure: a screening router in front of a bastion host that sits on the internal network]

Screened Subnet Using Two Routers

[Figure: exterior and interior routers with the bastion host on the perimeter network between them]
Dual Homed Host Architecture

[Figure: a host with two network interfaces between the internal network and the Internet, forwarding no packets directly]

Firewall mechanism

• Firewall runs a set of proxy programs
  • Proxies filter incoming, outgoing packets
  • All incoming traffic directed to firewall
  • All outgoing traffic appears to come from firewall
• Policy embedded in proxy programs
• Two kinds of proxies
  • Application-level proxies
    – Tailored to http, ftp, smtp, etc.
  • Circuit-level proxies
    – Decisions based on header information

Proxies

• Application level: dedicated proxy (HTTP)
• Circuit level: generic proxy
  • SOCKS
  • WinSock – almost generic proxy for Microsoft
• Some protocols are natural to proxy
  • SMTP (E-Mail)
  • NNTP (Net news)
  • DNS (Domain Name System)
  • NTP (Network Time Protocol)

Firewall architecture

[Figure: the network connection enters the firewall host, where the Telnet, FTP and SMTP daemons each spawn a Telnet, FTP or SMTP proxy]
Daemon spawns proxy when communication detected …

Configuration issues

[Figure]

Solsoft

[Figure: screenshot of the Solsoft policy-management tool]
Securify

[Figure: screenshot of the Securify tool]

Problems with Firewalls

• Performance
  • Firewalls may interfere with network use
• Limitations
  • They don't solve the real problems
    – Buggy software
    – Bad protocols
  • Generally cannot prevent denial of service
  • Do not prevent insider attacks
• Administration
  • Many commercial firewalls permit very complex configurations
References

• Elizabeth D. Zwicky, Simon Cooper, D. Brent Chapman: Building Internet Firewalls
• William R. Cheswick, Steven M. Bellovin, Aviel D. Rubin: Firewalls and Internet Security

Traffic Shaping

• Traditional firewall
  • Allow traffic or not
• Traffic shaping
  • Limit certain kinds of traffic
  • Can differentiate by host address, protocol, etc.
  • Multi-Protocol Label Switching (MPLS)
    – Label traffic flows at the edge of the network and let core routers identify the required class of service
• The real issue here on campus:
  • P2P file sharing takes a lot of bandwidth
  • 1/3 of network bandwidth consumed by BitTorrent
    – And I think you know what BitTorrent, Gnutella, Kazaa, … are used for
Stanford computer use

[Figure: chart of Stanford network usage]

Stanford file-sharing policy?

• … Stanford University caught heat two years ago when it set up a server to manage requests for music files on the popular Gnutella file-sharing service. The IT department's goal was to cut down on requests leaving the campus by directing queries internally, to PCs in the dorms, thus easing the strain that music files were placing on external links to the Internet. But the MPAA complained that the server effectively handed students a tool to violate copyright laws, and the university shut it down after six months, recalls Richard Holeton, Stanford's head of residential computing.
• Now Stanford relies on traffic shaping alone; the university has no plans to impose additional restrictions. There's "nothing illegal" about using the protocols associated with P2P file sharing, says Holeton, who calls UF's policy draconian.
• "To me, to use any kind of network-management tool to identify somebody who might potentially be doing something is kind of Big Brotherish," Holeton adds. "It's like pulling over everybody on the highway who is driving a certain kind of car that could potentially be breaking the law, and giving them a ticket."
• Says Fred von Lohmann, a senior staff attorney at the Electronic Frontier Foundation: "If John Ashcroft asked us to do this, we'd be crying foul, but the recording industry does it and we roll over."
• A spokesman for the RIAA wouldn't disclose how many universities have been subpoenaed for names of students, but he did say, "Virtually every university has complied."

Feb 19, 2004
Sample traffic shaping functions

• Classify and analyze traffic
  • Classify by IP address and port number
  • Use application-specific information (layer 7)
• Control traffic
  • Selectively slow certain classes of traffic
• Monitor network performance
  • Collect performance data, used to improve policies
• Network resilience
  • Active traffic management can provide resilience to DoS attacks, at least within the enterprise network

Packeteer white paper example; not Stanford data

PacketShaper Classification

• Classify 400+ apps at OSI layers 2–7
  [Figure: OSI stack; most routers and switches classify at layers 2–3 (Data Link, Network), PacketShaper at layers 2–7 (up through Transport, Session, Presentation, Application)]
• Peer-to-peer apps: Aimster, AudioGalaxy, CuteMX, DirectConnect, Gnutella, Hotline, iMesh, KaZaA/Morpheus, Napster, ScourExchange, Tripnosis, ….
• Some other apps: H.323, RTP-I/RTCP-I, PASV FTP, HTTP, Real, WinMedia, Shoutcast, MPEG, Quicktime, RTSP, chatting apps, games

PacketShaper Controls

• A partition:
  • Creates a virtual pipe within a link for each traffic class
  • Provides a min, max bandwidth
  • Enables efficient bandwidth use
• Rate-shaped P2P capped at 300 kbps
• Rate-shaped HTTP/SSL to give better performance
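The two pieces of a shaper described in the "Sample traffic shaping functions" slide and the partition controls above (classify, then cap a class) as an added example, not code from the lecture or from Packeteer. Classification is done first by port and then by a layer-7 marker (the BitTorrent handshake, which begins with the byte 0x13 followed by "BitTorrent protocol"), and each class gets a token-bucket partition with a maximum rate. The port list, rates, burst size and offered packet mix are constructed; the simulation offers 12 Mbit/s per class for one second and reports what each partition forwarded.

```python
from dataclasses import dataclass

# Added example (not the lecture's or Packeteer's code): port- and payload-based
# classification plus a token-bucket "partition" with a maximum rate per class.
# The port list, rates and packet mix are constructed for the example.
P2P_PORTS = range(6881, 6890)               # traditional BitTorrent listening ports
BT_HANDSHAKE = b"\x13BitTorrent protocol"   # layer-7 marker at the start of a BT session


def classify(sport: int, dport: int, payload: bytes = b"") -> str:
    if payload.startswith(BT_HANDSHAKE):
        return "p2p"                        # layer 7 catches P2P moved to odd ports
    if sport in P2P_PORTS or dport in P2P_PORTS:
        return "p2p"
    if sport in (80, 443) or dport in (80, 443):
        return "web"
    return "other"


@dataclass
class Partition:
    """Token bucket enforcing a class's maximum rate. Integer microseconds and
    bits keep the arithmetic exact."""
    max_bps: int
    burst_bits: int
    tokens: int = 0
    last_us: int = 0

    def __post_init__(self) -> None:
        self.tokens = self.burst_bits

    def admit(self, now_us: int, size_bytes: int) -> bool:
        earned = (now_us - self.last_us) * self.max_bps // 1_000_000
        self.tokens = min(self.burst_bits, self.tokens + earned)
        self.last_us = now_us
        need = size_bytes * 8
        if self.tokens < need:
            return False                    # over the cap: queue or drop
        self.tokens -= need
        return True


def simulate(duration_ms: int = 1000, pkt: int = 1500) -> dict:
    """Offer one 1500-byte packet per class per millisecond (12 Mbit/s each)
    and return the bits forwarded per class over the duration."""
    partitions = {
        "p2p": Partition(max_bps=300_000, burst_bits=2 * pkt * 8),      # capped at 300 kbps
        "web": Partition(max_bps=10_000_000, burst_bits=2 * pkt * 8),   # the whole 10 Mbps link
    }
    forwarded = {name: 0 for name in partitions}
    for ms in range(duration_ms):
        now_us = ms * 1000
        for sport, dport in ((6881, 51234), (443, 51235)):
            cls = classify(sport, dport)
            if partitions[cls].admit(now_us, pkt):
                forwarded[cls] += pkt * 8
    return forwarded


if __name__ == "__main__":
    for cls, bits in simulate().items():
        print(f"{cls}: {bits / 1000:.0f} kbit forwarded in 1 s")
```

Over the second, the P2P partition lets through its 300 kbit plus the two-packet burst it started with, while the web partition forwards roughly the full link rate. A real partition also has a minimum guarantee, which needs a scheduler that lends unused capacity between classes; the token bucket alone only enforces the maximum.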

PacketShaper report: HTTP

[Figure: normalized network response times for an outside web server and an inside web server, with and without shaping]

Host and network intrusion detection

• Intrusion prevention
  • Network firewall
    – Restrict flow of packets; covered in another lecture
  • System security
    – Find buffer overflow vulnerabilities and remove them!
• Intrusion detection
  • Discover system modifications
    – Tripwire
  • Look for attack in progress
    – Network traffic patterns
    – System calls, other system events
Tripwire

• Outline of standard attack
  • Gain user access to system
  • Gain root access
  • Replace system binaries to set up backdoor
  • Use backdoor for future activities
• Tripwire detection point: system binaries
  • Compute hash of key system binaries
  • Compare current hash to hash stored earlier
  • Report problem if hash is different
  • Store reference hash codes on read-only medium

Is Tripwire too late?

• Typical attack on server
  • Gain access
  • Install backdoor
    – This can be in memory, not on disk!!
  • Use it
• Tripwire
  • Is a good idea
  • Won't catch attacks that don't change system files
  • Detects a compromise that has already happened
• Remember: defense in depth

Detect modified binary in memory?

• Can use system-call monitoring techniques
• For example [Wagner, Dean, IEEE S&P '01]
  • Build automaton of expected system calls
    – Can be done automatically from source code
  • Monitor system calls from each program
  • Catch violation
• Results so far: lots better than not using source code!

Example code and automaton

Program (the slide's example, completed with the headers it needs):

    #include <fcntl.h>
    #include <stdlib.h>
    #include <unistd.h>

    void f(int x) {
        x ? getuid() : geteuid();
        x++;
    }

    void g(void) {
        int fd = open("foo", O_RDONLY);
        f(0);
        close(fd);
        f(1);
        exit(0);
    }

Automaton of expected system calls (one state machine per function, joined at the call sites):

    Entry(g) --open()--> (call f) --> Entry(f) --getuid() | geteuid()--> Exit(f) --> (return)
             --close()--> (call f) --> Entry(f) --getuid() | geteuid()--> Exit(f) --> (return)
             --exit()--> Exit(g)

If the program's observed system calls are inconsistent with the automaton, something is wrong
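The automaton above, encoded and run as a monitor, as an added example that is not the paper's or the lecture's code. Each call site gets epsilon edges into and out of the callee's Entry/Exit states, which is the "callgraph model" of Wagner and Dean; a trace is accepted if the NFA can explain every call and end in Exit(g). The traces are constructed. The third one shows the model's known imprecision: because both calls of f() share the same Exit(f) state, a path that skips close() is accepted even though no real execution of g() can produce it.

```python
from collections import defaultdict

# Added example, not from the paper or the slides: the slide's automaton for
# g() encoded as an NFA over system-call names and run over call traces.
EPS = None   # epsilon transition (call or return, no system call)


def build_automaton() -> dict:
    """Callgraph model: one state machine per function; each call site has an
    epsilon edge into the callee's Entry state and one back from its Exit.
    Both calls to f() share Entry(f)/Exit(f), which is what makes the model
    context-insensitive."""
    edges = defaultdict(set)

    def add(src, call, dst):
        edges[src].add((call, dst))

    add("Entry(g)", "open", "g1")
    add("g1", EPS, "Entry(f)"); add("Exit(f)", EPS, "g2")      # f(0) and its return
    add("g2", "close", "g3")
    add("g3", EPS, "Entry(f)"); add("Exit(f)", EPS, "g4")      # f(1) and its return
    add("g4", "exit", "Exit(g)")
    add("Entry(f)", "getuid", "Exit(f)")
    add("Entry(f)", "geteuid", "Exit(f)")
    return edges


def epsilon_closure(states: set, edges: dict) -> set:
    seen, todo = set(states), list(states)
    while todo:
        s = todo.pop()
        for call, dst in edges.get(s, ()):
            if call is EPS and dst not in seen:
                seen.add(dst)
                todo.append(dst)
    return seen


def monitor(trace: list, edges: dict, start="Entry(g)", accept="Exit(g)"):
    """Return the index of the first system call the automaton cannot explain,
    len(trace) if the program stops short of Exit(g), or None if consistent."""
    current = epsilon_closure({start}, edges)
    for i, call in enumerate(trace):
        nxt = {dst for s in current for c, dst in edges.get(s, ()) if c == call}
        if not nxt:
            return i
        current = epsilon_closure(nxt, edges)
    return None if accept in current else len(trace)


AUTOMATON = build_automaton()
NORMAL_RUN = ["open", "getuid", "close", "geteuid", "exit"]
HIJACKED_RUN = ["open", "getuid", "write", "close", "geteuid", "exit"]  # injected write()
IMPOSSIBLE_PATH = ["open", "geteuid", "exit"]   # skips close(); accepted anyway
```

In a deployment the trace comes from ptrace or a kernel hook, and the call names have to be mapped from what the C library actually issues (a modern libc turns open() into openat(), exit() into exit_group()), or every program looks anomalous.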

General intrusion detection

• Many intrusion detection systems
  • Close to 100 systems with current web pages
  • Network-based, host-based, or a combination
• Two basic models
  • Misuse detection model
    – Maintain data on known attacks
    – Look for activity with corresponding signatures
  • Anomaly detection model
    – Try to figure out what is "normal"
    – Report anomalous behavior
• Fundamental problem: too many false alarms

http://www.snort.org/

Misuse example - rootkit

• Rootkit sniffs network for passwords
  • Collection of programs that allow an attacker to install and operate a packet sniffer (on Unix machines)
  • Emerged in 1994, has evolved since then
  • 1994 estimate: 100,000 systems compromised
• Rootkit attack
  • Use stolen password or dictionary attack to get user access
  • Get root access using vulnerabilities in rdist, sendmail, /bin/mail, loadmodule, rpc.ypupdated, lpr, or passwd
  • FTP the rootkit to the host, unpack, compile, and install it
  • Collect more username/password pairs and move on
Rootkit covers its tracks

• Modifies netstat, ps, ls, du, ifconfig, login
  • Modified binaries hide the new files used by the rootkit
  • Modified login allows the attacker to return for passwords
• Rootkit fools a simple checksum
  • Trojaned binaries are padded so that a simple checksum (the 16-bit sum(1) checksum, or Tripwire configured to use only CRC-32) comes out the same
  • A cryptographic hash cannot be matched by padding, so Tripwire with MD5/SHA signatures detects the replacement

Detecting rootkit on system

• Sad way to find out
  • Disk is full of sniffer logs
• Manual confirmation
  • Reinstall a clean ps and see what processes are running
• Automatic detection
  • Rootkit does not alter the data structures normally used by netstat, ps, ls, du, ifconfig, so clean copies of those tools reveal it
  • Host-based intrusion detection can find rootkit files
    – As long as an updated version of the rootkit does not disable your intrusion detection system …
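The Tripwire check from the earlier slide and the padding trick described just above, together in one added example (not the lecture's code, nor Tripwire's). A baseline of digests is taken over a set of "binaries", one of them is replaced by a trojaned copy, and the copy is padded so that an additive 16-bit checksum still matches; the same check with SHA-256 reports the change. The file contents are constructed stand-ins, not real binaries.

```python
import hashlib

# Added example, not from the slides: a Tripwire-style integrity check run with
# a weak additive checksum and with SHA-256, against a trojaned binary padded
# the way 1990s rootkits padded theirs. File contents are constructed stand-ins.
CLEAN = {
    "/bin/ps": b"#!/bin/sh\nexec /usr/libexec/real-ps \"$@\"\n",
    "/bin/ls": b"#!/bin/sh\nexec /usr/libexec/real-ls \"$@\"\n",
    "/bin/netstat": b"#!/bin/sh\nexec /usr/libexec/real-netstat \"$@\"\n",
}
TROJAN_PS = b"#!/bin/sh\nexec /usr/libexec/real-ps \"$@\" | grep -v sniffer\n"


def weak_checksum(data: bytes) -> int:
    """16-bit additive checksum: every byte contributes linearly, so any change
    can be cancelled by appending the right padding."""
    return sum(data) & 0xFFFF


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def baseline(files: dict, digest) -> dict:
    """Reference digests; in practice written to read-only media at install."""
    return {path: digest(data) for path, data in files.items()}


def check(files: dict, reference: dict, digest) -> list:
    """Tripwire check: paths whose current digest differs from the reference."""
    return sorted(path for path, data in files.items()
                  if digest(data) != reference.get(path))


def forge_weak_checksum(trojan: bytes, target: int) -> bytes:
    """Pad the trojan so its additive checksum equals `target` (mod 2^16)."""
    delta = (target - weak_checksum(trojan)) & 0xFFFF
    pad = b"\xff" * (delta // 255) + bytes([delta % 255])
    return trojan + pad


def run_scenario() -> dict:
    ref_weak = baseline(CLEAN, weak_checksum)
    ref_sha = baseline(CLEAN, sha256)
    forged = forge_weak_checksum(TROJAN_PS, ref_weak["/bin/ps"])
    after_rootkit = dict(CLEAN, **{"/bin/ps": forged})
    return {
        "weak checksum reports": check(after_rootkit, ref_weak, weak_checksum),
        "sha256 reports": check(after_rootkit, ref_sha, sha256),
        "padding matched": weak_checksum(forged) == ref_weak["/bin/ps"],
    }
```

The baseline is only as trustworthy as the medium it sits on and the checker that reads it: a rootkit that can rewrite /bin/ps can rewrite a baseline kept on the same disk, and can trojan the hashing tool itself, which is why the slide says to keep the reference hashes on read-only media and why the check should be run from known-clean media.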

Detecting network attack (Sept 2003)

• Symantec honeypot running Red Hat Linux 9
• Attack
  • Samba 'call_trans2open' Remote Buffer Overflow (BID 7294)
  • Attacker installed a copy of the SHV4 rootkit
• Snort NIDS generated alerts from this signature:

    alert tcp $EXTERNAL_NET any -> $HOME_NET 139 \
      (msg:"NETBIOS SMB trans2open buffer overflow attempt"; \
      flow:to_server,established; \
      content:"|00|"; offset:0; depth:1; \
      content:"|ff|SMB|32|"; offset:4; depth:5; \
      content:"|00 14|"; offset:60; depth:2; \
      …

More info: https://tms.symantec.com/members/AnalystReports/030929-Analysis-SHV4Rootkit.pdf

Misuse example - port sweep

• Attacks can be OS specific
  • Bugs in specific implementations
  • Oversights in default configuration
• Attacker sweeps net to find vulnerabilities
  • Port sweep tries many ports on many IP addresses
  • If characteristic behavior detected, mount attack
    – SGI IRIX responds on the TCPMUX port (TCP port 1)
    – If machine responds, SGI IRIX vulnerabilities can be tested and used to break in
• Port sweep activity can be detected
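Both misuse examples on this page, as one added example that is not from the lecture or from Snort: the three content checks visible in the trans2open rule applied with Snort's offset/depth semantics (depth counts bytes searched starting at offset, so a 5-byte content with depth 5 must sit exactly at the offset), and a sliding-window port-sweep detector. The rule's elided options ("…") are not modelled. The sample packet is a constructed 64-byte buffer with only the inspected fields filled in, not an exploit, and the probe stream is constructed.

```python
from collections import defaultdict, deque

# Added example, not from the slides or Snort: the three content checks shown in
# the trans2open signature, applied with Snort's offset/depth semantics, plus a
# simple port-sweep detector. The packet and probe stream are constructed.
TRANS2OPEN_CHECKS = [          # (content, offset, depth) as in the rule above
    ("|00|", 0, 1),
    ("|ff|SMB|32|", 4, 5),
    ("|00 14|", 60, 2),
]


def snort_content_bytes(spec: str) -> bytes:
    """Snort content syntax: text outside pipes is literal, text between pipes
    is hex ('|ff|SMB|32|' -> b'\\xffSMB\\x32')."""
    out, in_hex = bytearray(), False
    for piece in spec.split("|"):
        out += bytes.fromhex(piece) if in_hex else piece.encode("latin-1")
        in_hex = not in_hex
    return bytes(out)


def rule_matches(payload: bytes, dport: int, to_server: bool) -> bool:
    """Header part of the rule (dst port 139, flow:to_server) and the content
    checks; depth is the number of bytes searched starting at offset."""
    if dport != 139 or not to_server:
        return False
    for spec, offset, depth in TRANS2OPEN_CHECKS:
        if snort_content_bytes(spec) not in payload[offset:offset + depth]:
            return False
    return True


def sample_trans2open_request() -> bytes:
    """Constructed 64-byte NetBIOS session message with only the fields the
    signature looks at filled in: not a real exploit buffer."""
    buf = bytearray(64)
    buf[0] = 0x00                # NetBIOS session message type
    buf[4:9] = b"\xffSMB\x32"    # SMB magic, command 0x32 = SMB_COM_TRANSACTION2
    buf[60:62] = b"\x00\x14"     # the value the rule keys on at offset 60
    return bytes(buf)


class SweepDetector:
    """Alarm when one source touches more than `limit` distinct (host, port)
    targets inside a sliding window of `window_s` seconds."""

    def __init__(self, limit: int = 20, window_s: float = 60.0) -> None:
        self.limit, self.window_s = limit, window_s
        self.seen = defaultdict(deque)     # src -> deque of (ts, (dst, dport))

    def observe(self, ts: float, src: str, dst: str, dport: int) -> bool:
        q = self.seen[src]
        q.append((ts, (dst, dport)))
        while q and ts - q[0][0] > self.window_s:
            q.popleft()
        return len({target for _, target in q}) > self.limit
```

The signature matcher illustrates why misuse detection is precise but brittle: every byte the rule names must be where the rule expects it, so a variant that reaches the same Samba bug over port 445 or with a different transaction layout produces no alert. The sweep detector has the opposite property: it needs no knowledge of the exploit, but the threshold and window decide the false-alarm rate, and a slow sweep spread over longer than the window is invisible to it.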

Anomaly Detection

• Basic idea
  • Monitor network traffic, system calls
  • Compute statistical properties
  • Report errors if statistics fall outside the established range
• Example – IDES (Denning, SRI)
  • For each user, store daily count of certain activities
    – E.g., fraction of hours spent reading email
  • Maintain list of counts for several days
  • Report anomaly if count is outside weighted norm
• Big problem: most unpredictable user is the most important

Anomaly – sys call sequences [Hofmeyr, Somayaji, Forrest]

• Build traces during normal run of program
  • Example program behavior (sys calls)
      open read write open mmap write fchmod close
  • Sample traces stored in file (4-call sequences)
      open read write open
      read write open mmap
      write open mmap write
      open mmap write fchmod
      mmap write fchmod close
  • Report anomaly if the following sequence is observed
      open read read open mmap write fchmod close
• Compute # of mismatches to get mismatch rate
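The sequence method above carried through in code, as an added example that is not the authors' or the lecture's code: the normal trace is cut into every 4-call window to form the database, and a new trace is scored by the fraction of its windows absent from it. With the slide's two traces the first three windows of the anomalous trace are unknown and the last two are known, a mismatch rate of 3/5.

```python
# Added example, not the authors' code: the fixed-length sequence method from
# the slide (k = 4) with the slide's own normal trace and anomalous trace.
K = 4
NORMAL_TRACE = "open read write open mmap write fchmod close".split()
ANOMALOUS_TRACE = "open read read open mmap write fchmod close".split()


def windows(trace: list, k: int = K) -> list:
    """All length-k contiguous call sequences in a trace, in order."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


def build_normal_db(traces: list, k: int = K) -> set:
    """The 'normal' database: every k-sequence seen during clean runs."""
    db = set()
    for trace in traces:
        db.update(windows(trace, k))
    return db


def mismatch_rate(trace: list, db: set, k: int = K) -> tuple:
    """Fraction of the trace's k-sequences absent from the database, and the
    offending sequences themselves. A trace shorter than k has no windows and
    therefore a rate of 0.0."""
    seqs = windows(trace, k)
    misses = [s for s in seqs if s not in db]
    rate = len(misses) / len(seqs) if seqs else 0.0
    return rate, misses


def is_anomalous(trace: list, db: set, threshold: float = 0.5, k: int = K) -> bool:
    """Raise an alarm when the mismatch rate exceeds a tunable threshold;
    the threshold trades false alarms against missed attacks."""
    return mismatch_rate(trace, db, k)[0] > threshold
```

Two things the slide's numbers hide: a single unseen call pollutes up to k windows, so one legitimate but rare code path can push a long-running daemon over the threshold (the "Difficulties" slide's lack of training data), and an attacker who knows the database can try to build a payload out of sequences already in it, which is the mimicry attack later work on this method had to address.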

Difficulties in intrusion detection

• Lack of training data
  • Lots of "normal" network, system call data
  • Little data containing realistic attacks, anomalies
• Data drift
  • Statistical methods detect changes in behavior
  • Attacker can attack gradually and incrementally
• Main characteristics not well understood
  • By many measures, an attack may be within the bounds of the "normal" range of activities
• False identifications are very costly
  • System administrators spend many hours examining evidence

Strategic Intrusion Assessment [Lunt]

[Figure: reporting hierarchy, from Local Intrusion Detectors up through Organizational Security Centers, Regional Reporting Centers (CERTs), DoD Reporting Centers and International/Allied Reporting Centers, to National Reporting Centers]

www.blackhat.com/presentations/bh-usa-99/teresa-lunt/tutorial.ppt

Strategic Intrusion Assessment [Lunt]

• Test over a two-week period
  • AFIWC's intrusion detectors at 100 AFBs alarmed on 2 million sessions
  • Manual review identified 12,000 suspicious events
  • Further manual review => four actual incidents
• Conclusion
  • Most alarms are false positives
  • Most true positives are trivial incidents
  • Of the significant incidents, most are isolated attacks to be dealt with locally

Lecture Topics

• Firewalls
  • Packet filter (stateless, stateful)
  • Application-layer gateway
• Traffic shaping
• Intrusion detection
  • Anomaly and misuse detection
  • Host and network intrusion detection