Lecture-7: Intrusion Detection

This document discusses different classes of intruders including cyber criminals, activists, and state-sponsored organizations. It describes their motivations and common activities. It also covers different skill levels of intruders from apprentice to journeyman to master hackers. The document then discusses intrusion detection systems, including host-based and network-based IDS. It provides examples of IDS architectures and components like sensors, analyzers, and user interfaces. Finally, it briefly introduces the concept of honeypots as decoy systems to collect information about attackers.

Uploaded by Pickle Rick

Lecture-7

Intrusion Detection
Firewalls and Intrusion Prevention Systems
Operating System Security
Classes of Intruders – Cyber Criminals
• Individuals or members of an organized crime group with a goal of financial reward
• Their activities may include:
  o Identity theft
  o Theft of financial credentials
  o Corporate espionage
  o Data theft
  o Data ransoming
Classes of Intruders – Activists
• Are either individuals, usually working as insiders, or members of a larger group of outsider attackers, who are motivated by social or political causes
• Also known as hacktivists
• Skill level is often quite low
• Aim of their attacks is often to promote and publicize their cause, typically through:
  o Website defacement
  o Denial of service attacks
  o Theft and distribution of data that results in negative publicity or compromise of their targets
Classes of Intruders – State-Sponsored Organizations
• Groups of hackers sponsored by governments to conduct espionage or sabotage activities
• Also known as Advanced Persistent Threats (APTs) due to the covert nature and persistence over extended periods involved with any attacks in this class
• Widespread nature and scope of these activities by a wide range of countries, from China to the USA, UK, and their intelligence allies
Intruder Skill Levels – Apprentice
• Hackers with minimal technical skill who primarily use existing attack toolkits
• They likely comprise the largest number of attackers, including many criminal and activist attackers
• Given their use of existing known tools, these attackers are the easiest to defend against
• Also known as “script-kiddies” due to their use of existing scripts (tools)
Intruder Skill Levels – Journeyman
• Hackers with sufficient technical skills to modify and extend attack toolkits to use newly discovered, or purchased, vulnerabilities
• They may be able to locate new vulnerabilities to exploit that are similar to some already known
• Hackers with such skills are likely found in all intruder classes
• Adapt tools for use by others
Intruder Skill Levels – Master
• Hackers with high-level technical skills capable of discovering brand new categories of vulnerabilities
• Write new powerful attack toolkits
• Some of the better known classical hackers are of this level
• Some are employed by state-sponsored organizations
• Defending against these attacks is of the highest difficulty
Examples of Intrusion
• Remote root compromise
• Web server defacement
• Guessing/cracking passwords
• Copying databases containing credit card numbers
• Viewing sensitive data without authorization
• Running a packet sniffer
• Distributing pirated software
• Using an unsecured modem to access internal network
• Impersonating an executive to get information
• Using an unattended workstation
(Figure) Stages of a typical intrusion: Target acquisition and information gathering → Initial access → Privilege escalation → Information gathering or system exploit → Maintaining access → Covering tracks
• Host-based IDS (HIDS)
  o Monitors the characteristics of a single host for suspicious activity
• Network-based IDS (NIDS)
  o Monitors network traffic and analyzes network, transport, and application protocols to identify suspicious activity
• Distributed or hybrid IDS
  o Combines information from a number of sensors, often both host and network based, in a central analyzer that is able to better identify and respond to intrusion activity

An IDS comprises three logical components:
• Sensors - collect data
• Analyzers - determine if intrusion has occurred
• User interface - view output or control system behavior
IDS Requirements
• Run continually
• Be fault tolerant
• Resist subversion
• Impose a minimal overhead on system
• Configured according to system security policies
• Adapt to changes in systems and users
• Scale to monitor large numbers of systems
• Provide graceful degradation of service
• Allow dynamic reconfiguration
Host-Based Intrusion Detection (HIDS)
• Adds a specialized layer of security software to vulnerable or sensitive systems
• Monitors activity to detect suspicious behavior
  o Primary purpose is to detect intrusions, log suspicious events, and send alerts
  o Can detect both external and internal intrusions
Data Sources and Sensors
• A fundamental component of intrusion detection is the sensor that collects data
• Common data sources include:
  o System call traces
  o Audit (log file) records
  o File integrity checksums
  o Registry access
(Figure 8.2 Architecture for Distributed Intrusion Detection) Hosts on a LAN each run an agent module; together with a LAN monitor they report, via a router and the Internet, to a central manager running the manager module.

(Figure 8.3 Agent Architecture) The OS audit function produces OS audit information, which passes through a filter for security interest and a reformat function to become host audit records (HAR); the logic module records notable activity, signatures and noteworthy sessions; the analysis module works from templates, receives modifications, and exchanges alerts and query/response traffic with the central manager.


Network-Based IDS (NIDS)
• Monitors traffic at selected points on a network
• Examines traffic packet by packet in real or close to real time
• May examine network, transport, and/or application-level protocol activity
• Comprised of a number of sensors, one or more servers for NIDS management functions, and one or more management consoles for the human interface
• Analysis of traffic patterns may be done at the sensor, the management server or a combination of the two
(Figure 8.4 Passive NIDS Sensor) The NIDS sensor taps network traffic through a monitoring interface (no IP, promiscuous mode) and is administered through a separate management interface (with IP).

(Figure 8.5 Example of NIDS Sensor Deployment) Sensors (1-4), each behind a LAN switch or router, are placed on the Internet side of the external firewall, on the service network (Web, Mail, DNS, etc.) between the external and internal firewalls, on the internal server and data resource networks, and on the workstation networks.


Logging of Alerts
• Typical information logged by a NIDS sensor includes:
  o Timestamp
  o Connection or session ID
  o Event or alert type
  o Rating
  o Network, transport, and application layer protocols
  o Source and destination IP addresses
  o Source and destination TCP or UDP ports, or ICMP types and codes
  o Number of bytes transmitted over the connection
  o Decoded payload data, such as application requests and responses
  o State-related information
Honeypots
• Decoy systems designed to:
  o Lure a potential attacker away from critical systems
  o Collect information about the attacker’s activity
  o Encourage the attacker to stay on the system long enough for administrators to respond
• Systems are filled with fabricated information that a legitimate user of the system wouldn’t access
• Resources that have no production value
Honeypot Classifications
• Low interaction honeypot
  o Consists of a software package that emulates particular IT services or systems well enough to provide a realistic initial interaction, but does not execute a full version of those services or systems
  o Provides a less realistic target
  o Often sufficient for use as a component of a distributed IDS to warn of imminent attack
• High interaction honeypot
  o A real system, with a full operating system, services and applications, which are instrumented and deployed where they can be accessed by attackers
  o Is a more realistic target that may occupy an attacker for an extended period
  o However, it requires significantly more resources
  o If compromised could be used to initiate attacks on other systems
• Internet connectivity is essential
• However it creates a threat
• Effective means of protecting LANs
• Inserted between the premises network and the Internet to establish a controlled link
• Can be a single computer system or a set of two or more systems working together
• Used as a perimeter defense
  o Single choke point to impose security and auditing
  o Insulates the internal systems from external networks
Design goals
• All traffic from inside to outside, and vice versa, must pass through the firewall
• Only authorized traffic as defined by the local security policy will be allowed to pass
• The firewall itself is immune to penetration
Firewall Access Policy
• A critical component in the planning and implementation of a firewall is specifying a suitable access policy
  o This lists the types of traffic authorized to pass through the firewall
  o Includes address ranges, protocols, applications and content types
• This policy should be developed from the organization’s information security risk assessment and policy
• Should be developed from a broad specification of which traffic types the organization needs to support
  o Then refined to detail the filter elements which can then be implemented within an appropriate firewall topology
Firewall Filter Characteristics
• Characteristics that a firewall access policy could use to filter traffic include:
  o IP address and protocol values: this type of filtering is used by packet filter and stateful inspection firewalls; typically used to limit access to specific services
  o Application protocol: this type of filtering is used by an application-level gateway that relays and monitors the exchange of information for specific application protocols
  o User identity: typically for inside users who identify themselves using some form of secure authentication technology
  o Network activity: controls access based on considerations such as the time of request, rate of requests, or other activity patterns
Firewall capabilities:
• Defines a single choke point
• Provides a location for monitoring security events
• Convenient platform for several Internet functions that are not security related
• Can serve as the platform for IPSec

Firewall limitations:
• Cannot protect against attacks bypassing firewall
• May not protect fully against internal threats
• Improperly secured wireless LAN can be accessed from outside the organization
• Laptop, PDA, or portable storage device may be infected outside the corporate network then used internally
Packet Filtering Firewall
• Applies rules to each incoming and outgoing IP packet
  o Typically a list of rules based on matches in the IP or TCP header
  o Forwards or discards the packet based on rules match
• Filtering rules are based on information contained in a network packet:
  o Source IP address
  o Destination IP address
  o Source and destination transport-level address
  o IP protocol field
  o Interface
• Two default policies:
  o Discard - prohibit unless expressly permitted
    • More conservative, controlled, visible to users
  o Forward - permit unless expressly prohibited
    • Easier to manage and use but less secure
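The packet-filter model above as an added example (not from the lecture): rules match on the listed header fields, the first matching rule decides, and the default policy handles everything the rules do not mention. The rule set, addresses and interface name are constructed for illustration; the comparison shows that the same rules admit an unlisted SSH connection under default-forward and block it under default-discard.

```python
"""Minimal packet-filtering firewall model (added example, not from the lecture)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: Optional[int]
    dport: Optional[int]
    iface: str            # interface the packet arrived on


@dataclass(frozen=True)
class Rule:
    action: str                   # "forward" or "discard"
    src: str = "0.0.0.0/0"        # CIDR; 0.0.0.0/0 matches any source
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None   # None matches any IP protocol
    dport: Optional[int] = None   # None matches any destination port
    iface: Optional[str] = None   # None matches any interface

    def matches(self, p: Packet) -> bool:
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.iface is not None and self.iface != p.iface:
            return False
        return True


def filter_packet(rules, p: Packet, default: str) -> str:
    """First matching rule wins; otherwise the default policy decides."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


# Constructed rule set for an external interface "ext0": block one source
# range, allow HTTPS to a single service-network host. Nothing else is listed.
RULES = [
    Rule("discard", src="203.0.113.0/24", iface="ext0"),
    Rule("forward", dst="192.0.2.10/32", proto="tcp", dport=443, iface="ext0"),
]

# Constructed sample packets (documentation address ranges).
WEB = Packet("198.51.100.7", "192.0.2.10", "tcp", 51515, 443, "ext0")
SSH = Packet("198.51.100.7", "192.0.2.10", "tcp", 51516, 22, "ext0")
BAD = Packet("203.0.113.9", "192.0.2.10", "tcp", 40000, 443, "ext0")


def compare_policies() -> dict:
    """Decisions for the same packets under each default policy."""
    return {
        name: {"web": filter_packet(RULES, WEB, default),
               "ssh": filter_packet(RULES, SSH, default),
               "bad": filter_packet(RULES, BAD, default)}
        for name, default in (("default-discard", "discard"),
                              ("default-forward", "forward"))
    }


if __name__ == "__main__":
    for policy, decisions in compare_policies().items():
        print(policy, decisions)
```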
Application-Level Gateway
• Also called an application proxy
• Acts as a relay of application-level traffic
  o User contacts gateway using a TCP/IP application
  o User is authenticated
  o Gateway contacts application on remote host and relays TCP segments between server and user
• Must have proxy code for each application
  o May restrict application features supported
• Tend to be more secure than packet filters
• Disadvantage is the additional processing overhead on each connection
Host-Based Firewalls
• Used to secure an individual host
• Available in operating systems or can be provided as an add-on package
• Filter and restrict packet flows
• Common location is a server

Advantages:
• Filtering rules can be tailored to the host environment
• Protection is provided independent of topology
• Provides an additional layer of protection
Personal Firewall
• Controls traffic between a personal computer or workstation and the Internet or enterprise network
• For both home or corporate use
• Typically is a software module on a personal computer
• Can be housed in a router that connects all of the home computers to a DSL, cable modem, or other Internet interface
• Typically much less complex than server-based or stand-alone firewalls
• Primary role is to deny unauthorized remote access
• May also monitor outgoing traffic to detect and block worms and malware activity
Intrusion Prevention Systems (IPS)
• Also known as Intrusion Detection and Prevention System (IDPS)
• Is an extension of an IDS that includes the capability to attempt to block or prevent detected malicious activity
• Can be host-based, network-based, or distributed/hybrid
Host-Based IPS (HIPS)
• Can make use of either signature/heuristic or anomaly detection techniques to identify attacks
  o Signature: focus is on the specific content of application network traffic, or of sequences of system calls, looking for patterns that have been identified as malicious
  o Anomaly: IPS is looking for behavior patterns that indicate malware
• Examples of the types of malicious behavior addressed by a HIPS include:
  o Modification of system resources
  o Privilege-escalation exploits
  o Buffer-overflow exploits
  o Access to e-mail contact list
  o Directory traversal
Network-Based IPS (NIPS)
• Inline NIDS with the authority to modify or discard packets and tear down TCP connections
• Makes use of signature/heuristic detection and anomaly detection
• May provide flow data protection
  o Requires that the application payload in a sequence of packets be reassembled
• Methods used to identify malicious packets:
  o Pattern matching
  o Stateful matching
  o Protocol anomaly
  o Traffic anomaly
  o Statistical anomaly
Digital Immune System
• Comprehensive defense against malicious behavior caused by malware
• Developed by IBM and refined by Symantec
• Motivation for this development includes the rising threat of Internet-based malware, the increasing speed of its propagation provided by the Internet, and the need to acquire a global view of the situation
• Success depends on the ability of the malware analysis system to detect new and innovative malware strains
(Figure 9.5 Placement of Worm Monitors) A firewall sensor, a passive sensor and a honeypot on the enterprise network, and a remote sensor observe malware scans, infection attempts or malware execution (1) and send notifications (2) to a correlation server, which forwards features (3) to a sandboxed environment with instrumented applications for vulnerability testing and identification (4), hypothesis testing and analysis, possible fix generation (5) and patch generation, ending in an application update (6) to the application server.


Operating System Security
• Possible for a system to be compromised during the installation process before it can install the latest patches
• Building and deploying a system should be a planned process designed to counter this threat
• Process must:
  o Assess risks and plan the system deployment
  o Secure the underlying operating system and then the key applications
  o Ensure any critical content is secured
  o Ensure appropriate network protection mechanisms are used
  o Ensure appropriate processes are used to maintain security
System Security Planning Process
• The purpose of the system, the type of information stored, the applications and services provided, and their security requirements
• The categories of users of the system, the privileges they have, and the types of information they can access
• How the users are authenticated
• How access to the information stored on the system is managed
• What access the system has to information stored on other hosts, such as file or database servers, and how this is managed
• Who will administer the system, and how they will manage the system (via local or remote access)
• Any additional security measures required on the system, including the use of host firewalls, anti-virus or other malware protection mechanisms, and logging
Operating Systems Hardening
• First critical step in securing a system is to secure the base operating system
• Basic steps
  o Install and patch the operating system
  o Harden and configure the operating system to adequately address the identified security needs of the system by:
    • Removing unnecessary services, applications, and protocols
    • Configuring users, groups, and permissions
    • Configuring resource controls
  o Install and configure additional security controls, such as anti-virus, host-based firewalls, and intrusion detection system (IDS)
  o Test the security of the basic operating system to ensure that the steps taken adequately address its security needs
• System security begins with the installation of the operating system
• Ideally new systems should be constructed on a protected network
• Full installation and hardening process should occur before the system is deployed to its intended location
• Initial installation should install the minimum necessary for the desired system
• Overall boot process must also be secured
• The integrity and source of any additional device driver code must be carefully validated
• Critical that the system be kept up to date, with all critical security related patches installed
• Should stage and validate all patches on the test systems before deploying them in production
Remove Unnecessary Services, Applications, Protocols
• When performing the initial installation the supplied defaults should not be used
  o Default configuration is set to maximize ease of use and functionality rather than security
• If fewer software packages are available to run the risk is reduced
• System planning process should identify what is actually required for a given system
  o If additional packages are needed later they can be installed when they are required
Configure Users, Groups, and Authentication
• System planning process should consider:
  o Categories of users on the system
  o Privileges they have
  o Types of information they can access
  o How and where they are defined and authenticated
• Not all users with access to a system will have the same access to all data and resources on that system
• Elevated privileges should be restricted to only those users that require them, and then only when they are needed to perform a task
• Default accounts included as part of the system installation should be secured
  o Those that are not required should be either removed or disabled
  o Policies that apply to authentication credentials configured
Configure Resource Controls
• Once the users and groups are defined, appropriate permissions can be set on data and resources
• Many of the security hardening guides provide lists of recommended changes to the default access configuration

Install Additional Security Controls
• Further security possible by installing and configuring additional security tools:
  o Anti-virus software
  o Host-based firewalls
  o IDS or IPS software
  o Application white-listing
Test the System Security
• Final step in the process of initially securing the base operating system is security testing
• Goal:
  o Ensure the previous security configuration steps are correctly implemented
  o Identify any possible vulnerabilities
• Checklists are included in security hardening guides
• There are programs specifically designed to:
  o Review a system to ensure that a system meets the basic security requirements
  o Scan for known vulnerabilities and poor configuration practices
• Should be done following the initial hardening of the system
• Repeated periodically as part of the security maintenance process
Logging
• Can only inform you about bad things that have already happened
• In the event of a system breach or failure, system administrators can more quickly identify what happened
• Key is to ensure you capture the correct data and then appropriately monitor and analyze this data
• Information can be generated by the system, network and applications
• Range of data acquired should be determined during the system planning stage
• Generates significant volumes of information and it is important that sufficient space is allocated for them
• Automated analysis is preferred
Data Backup and Archive
• Performing regular backups of data is a critical control that assists with maintaining the integrity of the system and user data
• May be legal or operational requirements for the retention of data
• Backup: the process of making copies of data at regular intervals
• Archive: the process of retaining copies of data over extended periods of time in order to meet legal and operational requirements to access past data
• Needs and policy relating to backup and archive should be determined during the system planning stage
• Kept online or offline
• Stored locally or transported to a remote site
• Trade-offs include ease of implementation and cost versus greater security and robustness against different threats
Linux/Unix Security
• Patch management
  o Keeping security patches up to date is a widely recognized and critical control for maintaining security
• Application and service configuration
  o Most commonly implemented using separate text files for each application and service
  o Generally located either in the /etc directory or in the installation tree for a specific application
  o Individual user configurations that can override the system defaults are located in hidden “dot” files in each user’s home directory
  o Most important changes needed to improve system security are to disable services and applications that are not required
• Users, groups, and permissions
  o Access is specified as granting read, write, and execute permissions to each of owner, group, and others for each resource
  o Guides recommend changing the access permissions for critical directories and files
• Local exploit
  o Software vulnerability that can be exploited by an attacker to gain elevated privileges
• Remote exploit
  o Software vulnerability in a network server that could be triggered by a remote attacker
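An added example (not from the lecture) of the owner/group/others permission model above: it decodes a file mode into the three read-write-execute triplets and flags the settings hardening guides check on critical files, namely world-writable files and setuid/setgid bits. The sample files, their names and their modes are constructed in a temporary directory and assume a POSIX filesystem.

```python
"""Unix permission audit (added example, not part of the lecture)."""
import os
import stat
import tempfile


def rwx_triplets(mode: int) -> dict:
    """Return e.g. {'owner': 'rw-', 'group': 'r--', 'others': '---'} for a mode."""
    bits = {
        "owner": (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR),
        "group": (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP),
        "others": (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH),
    }
    return {
        who: "".join(ch if mode & bit else "-" for ch, bit in zip("rwx", flags))
        for who, flags in bits.items()
    }


def audit(path: str) -> list:
    """Findings for one file; an empty list means nothing to report."""
    mode = os.lstat(path).st_mode
    findings = []
    if mode & stat.S_IWOTH:        # "others" may write: any local user can tamper
        findings.append("world-writable")
    if mode & stat.S_ISUID:        # executes with the file owner's privileges
        findings.append("setuid")
    if mode & stat.S_ISGID:        # executes with the file group's privileges
        findings.append("setgid")
    return findings


def audit_tree(root: str) -> dict:
    """Audit every file below root; keys are '/'-separated paths relative to root."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            report[rel] = {"perms": rwx_triplets(os.lstat(full).st_mode),
                           "findings": audit(full)}
    return report


def demo() -> dict:
    """Constructed sample: a tightly restricted file, a world-writable one,
    and a setuid executable, created in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("shadow", 0o600), ("cron.allow", 0o666),
                           ("helper", 0o4755)):
            path = os.path.join(root, name)
            with open(path, "w") as f:
                f.write("sample\n")
            os.chmod(path, mode)
        return audit_tree(root)


if __name__ == "__main__":
    for path, info in sorted(demo().items()):
        print(path, info["perms"], info["findings"] or "ok")
```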
Windows Security
• Patch management
  o “Windows Update” and “Windows Server Update Service” assist with regular maintenance and should be used
  o Third party applications also provide automatic update support
• Users administration and access controls
  o Systems implement discretionary access controls on resources
  o Vista and later systems include mandatory integrity controls
  o Objects are labeled as being of low, medium, high, or system integrity level
  o System ensures the subject’s integrity is equal or higher than the object’s level
  o Implements a form of the Biba Integrity model
• Windows systems also define privileges
  o System wide and granted to user accounts
• Combination of share and NTFS permissions may be used to provide additional security and granularity when accessing files on a shared resource
• User Account Control (UAC)
  o Provided in Vista and later systems
  o Assists with ensuring users with administrative rights only use them when required, otherwise accesses the system as a normal user
• Low Privilege Service Accounts
  o Used for long-lived service processes such as file, print, and DNS services
• Application and service configuration
  o Much of the configuration information is centralized in the Registry
  o Forms a database of keys and values that may be queried and interpreted by applications
  o Registry keys can be directly modified using the “Registry Editor”
  o More useful for making bulk changes
