Network security tools

Firewalls and Intrusion Detection

Systems

1
Objectives
› Understand what a firewall is and is not capable of
› Understand what technologies firewalls typically employ
› Discuss the pros and cons of different firewall
technologies

2
What Is a Firewall?
› A device that allows multiple networks to communicate
with one another according to a defined security policy.
› They are used when there is a need for networks of
varying levels of trust to communicate with one another.
– For example, a firewall typically exists between a corporate
network and a public network like the Internet.
› It can also be used inside a private network to limit
access to different parts of the network
› it determines which inside services can be accessed from
the outside, and vice versa.
3
4
The importance of Firewall
› Firewalls are important because they provide a single
“choke point” where security and audits can be imposed.
› A firewall can provide a network administrator with data
about what kinds and amount of traffic passed through it,
how many attempts were made to break into it..
› Effective means of protecting LANs
› Inserted between the premises network and the Internet to
establish a controlled link
› Can be a single computer system or a set of two or more
systems working together
5
› Firewalls perform the following functions:
– It blocks incoming data that might contain a hacker attack.
– It hides information about the network by making it seem that all
outgoing traffic originates from the firewall rather than the
network (Network Address Translation (NAT)
– It screens outgoing traffic to limit Internet use and/or access to
remote sites.
– A firewall’s primary function is to enforce a security policy
– Firewalls provide security mechanisms for permitting and
denying traffic, such as authentication, encryption, content
security, and address translation.

6
Firewalls limitations
1. The firewall cannot protect against attacks that bypass the firewall.
– Internal systems may have dial-out or mobile broadband capability to connect to an ISP.
An internal LAN may support a modem pool that provides dial-in capability for traveling
employees and telecommuters.
2. The firewall may not protect fully against internal threats, such as a
disgruntled employee or an employee who unwittingly cooperates with an
external attacker.
3. An improperly secured wireless LAN may be accessed from outside the
organization. An internal firewall that separates portions of an enterprise
network cannot guard against wireless communications between local
systems on different sides of the internal firewall.
4. A laptop, PDA, or portable storage device may be used and infected outside
the corporate network and then attached and used internally.
7
Firewall Security Technologies
› Packet filters
› Application layer gateways (proxies)
› Stateful packet inspection firewalls.

8
Packet filters
› Screens all network traffic, checks the address of incoming
traffic and rejects packets that doesn’t match the list of
trusted addresses
› They look at source and destination IP addresses, protocol
number, and, in the case of TCP and UDP, source and
destination port numbers.
› Forwards or discards the packet based on rules match
– Discard - prohibit unless expressly permitted
› More conservative, controlled, visible to users
– Forward - permit unless expressly prohibited
› Easier to manage and use but less secure

9
Advantages

› Packet filtering is built into routers

› Inexpensive
› Requires very little extra memory and processing power,
› Transparent to legitimate users

10
Disadvantages
› Traditional packet filtering is static: the only criteria for allowing packets
are whether or not the IP addresses or port numbers match those
specified in the packet filter configuration
› Difficult to maintain
› Prone to IP spoofing
› They cannot:
– Provide content security (e.g., virus scanning)
– Authenticate services (i.e., make sure only authorized users use a
service)
– Dynamically open and close ports for applications as they require
them
– Validate a particular port that is used only for a specific service (e.g.,
making sure that only valid HTTP traffic traverses port 80)
11
Table 2-3. Packet-Filtering Table

Source Destination IP Protocol

Rule Address Address IP Protocol Information Action
1 Any 200.1.1.2 TCP Port 80 Allow
2 Any 200.1.1.3 UDP Port 53 Allow
3 Any 200.1.1.4 TCP Port 25 Allow
4 Any Any other Any Any Drop
address

12
Application layer gateways (proxies)
› They take requests from clients and make them connect to
servers on the client’s behalf.
› The proxy can do content screening, provide authentication,
and ensure that only the particular service is used
› They use more memory and CPU cycles than packet filtering
› If you want to use application proxies to provide services to
the Internet, each application you want to run through your
firewall must have a proxy written for it, or the application
must be compatible with a “generic” proxy that will work with
simple TCP or UDP connections.

13
Stateful Inspection
› Combines the best features of stateful packet filtering and
application layer gateways.
› The firewall keeps track of all requests for information
that originate from your network.
› Then it scans each incoming communication to see if it
was requested, and rejects anything that wasn’t.
› Requested data proceeds to the next level of screening.

14
› Requires slightly more memory and CPU cycles than
packet filtering because it has to do more, but it takes
substantially less memory and CPU usage than does an
application proxy

15
Additional Firewall Features
› Demilitarized zone (DMZ)
› Content filtering
› Virtual private networking (VPN) encryption support
› Antivirus support

16
Demilitarized Zone Firewalls
› A firewall that provides DMZ protection is effective for
companies that invite customers to contact their network
from any external source, through the Internet or any
other route
– For example, a company that hosts a Web site or sells its
products or services over the Internet.
› A DMZ firewall creates a protected (“demilitarized”)
information area on the network.
› Outsiders can get to the protected area but can’t get to
the rest of the network

17
18
Content Filtering
› A Web site filter or content filter extends the firewall’s capability
to block access to certain Web sites.
› Network administrators can use this add-on to ensure that
employees do not access particular content such as racially
intolerant material
› Network administrators define categories of unwelcome
material and obtain a service that lists thousands of Web sites
that include such material.
› Then choose whether to totally block those sites, or to allow
access but log it.
› Such a service should automatically update its list of banned
Web sites on a regular basis 19
Virtual Private Networks
› A VPN is a private data network that makes use of the
Internet.
› The idea of the VPN is to give the company the same
capabilities as a private leased line but at much lower cost.
› A VPN provides secure sharing of public resources for data by
using encryption techniques to ensure that only authorized
users can view or “tunnel” into a company’s private network.
› It is cost-effective means of securely connecting branch
offices, remote workers, and privileged partners/customers
to organizations’ private LANs

20
21
Choosing a Firewall
› Firewall functions can be implemented as
– Software
– An addition to router/gateway.
– Dedicated firewall appliances

22
Router/Firmware-Based Firewalls
› Certain routers provide limited firewall capabilities.
› These can be improved further with additional software/
firmware options.
› Great care must be taken not to overburden the router by
running additional services like a firewall.
› Enhanced firewall related functionality such as VPN, DMZ,
content filtering, or antivirus protection may not be
available or may be expensive to implement.

23
Software-Based Firewalls
› They are sophisticated, complex applications that run on a
dedicated UNIX or Windows NT server.
› These products become expensive when you account for the
costs associated with the software, server operating system,
server hardware, and continual maintenance required to
support their implementation.
› It is essential that system administrators constantly monitor
and install the latest operating system and security patches
as soon as they become available.
› Without these patches to cover newly discovered security
holes, the software firewall can be useless.
24
Dedicated Firewall Appliances
› Most firewall appliances are dedicated, hardware-based
systems.
› They run on an embedded operating system specifically
tailored for firewall use
› Easier to install and configure than software firewall
products,
› Can offer plug and-play installation, minimal maintenance,
and a very complete solution.
› They are cost effective compared to other firewall
implementations.
25
Intrusion Detection
Systems

26
 › Intrusion detection is the process of
collecting information about events occurring
in a computer system or network and
INTRODUCTION analyzing them for signs of intrusions.
› Intrusions are violations of security policy,
usually characterized as attempts to affect
the confidentiality, integrity, or availability of
a computer or network.
› These violations can come from attackers
accessing systems from the Internet or from
authorized users of the systems who attempt
to overstep their legitimate authorization
levels or who use their legitimate access to
the system to conduct unauthorized activity.

27
 Con’t

› Intrusion prevention is the process of coupling intrusion detection with specified

responses to certain detected intrusion scenarios
› Intrusion detection is a necessary function in most system security strategies.
28
› It is the primary security technology that supports the goal of auditability.
› “Auditability” is the ability to independently review and examine system records
and activities to:
– Determine the adequacy of system controls
– Ensure compliance with established security policy and operational
procedures
– Detect breaches in security
– Recommend any indicated changes
 › An ideal intrusion system has the following
characteristics:
– should be able to run continuously without
human supervision
– Must survive a system crash and not have its
database rebuilt at restart
– It should observe and record deviations from
normal behavior.
– It must resist destruction
INTRUSION – It must deal with changing system behavior over
DETECTION time as new applications are being added
– Must have a very low false negative and false
SYSTEM positive rate.

29
 POSITIVE NEGATIVE
TRUE Alerts when there is Silent when traffic is
malicious traffic benign

FALSE Alerts when traffic is Silent when malicious

benign traffic occurs

30
 › Firewalls can be thought of as a fence or a
security guard placed in front of a house.
They protect a network and attempt to
prevent intrusions
› IDS tools detect whether or not the
network is under attack or has, in fact,
been breached.
IDS vs Firewall

31
 › Three fundamental functional components
› Information Sources –sources can be drawn from
different levels of the system,: network, host, and
application monitoring.
› Analysis – the part of intrusion detection systems that
actually organizes and makes sense of the events
derived from the information sources, deciding when
those events indicate that intrusions are occurring or
have already taken place.
› Response – the set of actions that the system takes
once it detects intrusions.
– Grouped into active and passive measures

Components of – Active measures involving some automated

intervention on the part of the system,
an IDS – Passive measures involving reporting IDS findings to
humans, who are then expected to take action
based on those reports.

32
 Host-
Network-
based
based IDS
IDS CLASSIFICATIO
N OF
INRUSION
DETECTION
Anomaly- Signature SYSTEMS
based -based
Detection Detection

33
 › This IDS looks for packets and compares
them with predefined rules or patterns
known as signatures that are defined in the
database.
› The main advantage is that it is simple and
efficient processing of audit data.
› It has lower rate of false positives.
› Because of the nature of signature-based
detection, it is ineffective against zero-day
attacks for which there may not be a
Signature-based discovered ruleset or established method
IDS of attack yet

34
 › Anomaly-based IDS works by identifying
patterns from already defined users or groups
of users.
› This approach looks for variations and
deviations from an established baseline
behavior which might indicate an attack.
› This baseline is the profile of what a normal
scenario, usage, bandwidth or behavior would
look like in a specific network environment,
such as the average length of a telnet session
› Any activity that deviates from the baseline is
Anomaly-based treated as a possible intrusion and an alert
IDS would be generated.

35
 › The biggest advantage of anomaly-based approach is its ability to detect zero-
day attacks, since it does not depend on an established signature database, but
only deviations from an established baseline.
36
› The behavior of each target system is unique, therefore anomaly-based
approaches use customized profiles which in turn make it difficult for an attacker
to know with certainty what activity it can carry off without setting off an alarm.
› Anomaly-based IDSs have a high false positive rate.
› It requires time to establish a baseline behavior when it is first placed in a new
system.
› Anomaly-based IDSs are more complex and difficult to associate an alarm with
the specific event that triggered that alarm
 › Adaptive systems start with generalized rules for the environment,
then learn, or adapt to, local conditions that would otherwise be
unusual. After the initial learning period, the system understands
37 how people interact with the environment, and then warn operators
about unusual activities
 › Looks for signs of intrusion on the local host system.
› Use the host system’s audit and logging mechanism
as a source of information for analysis
› For example, it can detect logins, improper file access,
unapproved privilege escalation, or alterations on
system privileges
› Can be an extremely powerful tool for analyzing a
possible attack.
– For example, it can sometimes tell exactly what the
attacker did, which commands he ran, what files he
opened, and what system calls he executed
› Encrypted communications can be monitored
because an HIDS inspection can look at the traffic
Host-based IDS before it is encrypted.

(HIDS) – This means that HIDS signatures will still be able to

match against common attacks and not be blinded
by encryption

38
 › Most common approach
› It attempts to discover unauthorized and
malicious access to a LAN by analyzing
traffic that traverses the wire to multiple
hosts
› It reads inbound and outgoing packets and
searches for any suspicious patterns.
› Any alert generated by an NIDS allows it to
notify administrators or take active actions
Network-based such as blocking the source IP address.
IDS (NIDS)

39
 › The network IDS usually has two logical components: the sensor and the
management station.
› The sensor sits on a network segment, monitoring it for suspicious traffic.
40
› The management station receives alarms from the sensor(s) and displays them
to an operator.
› The sensors are usually dedicated systems that exist only to monitor the
network. They have a network interface in promiscuous (ghost)mode, which
means they receive all network traffic, not just that destined for their IP
address, and they capture passing network traffic for analysis. If they detect
something that looks unusual, they pass it back to the analysis station.
› The analysis station can display the alarms or do additional analysis.
41
Type Advantages Disadvantages
HIDS 1. More accurate in intrusion detection 1. Higher cost.
2. Able to detect encrypted attacks. 2. May cause performance issues or resource
3. Does not require additional hardware consumption.
3. rely on the logging and monitoring
capabilities of the server
NIDS 1. Simple to install 1. High fluctuations in network traffic cause
2. Detect network-based attacks such packets to be lost.
as denial-of-service attacks. 2. Requires more CPU power and resources in
a large-scale LAN.
3. Unable to analyze encrypted packets.
Anomaly- 1. Ability to detect zero-day attack 1. Slow to work when placed in a new
based attempts. environment.
2. Low false negative rate. 2. High false positive rate.
Signature- 1. High response time for known 1. Limited capability to detect zero-day
based attacks. attacks.
2. Low false positive rate. 2. Signature database must be updated
frequently
42
 › When classifying IDSs, we can also
categorize them by the way IDSs respond
during an attack.
› A passive IDS records, analyzes, logs and
alerts an administrator about the possibility
of an attack.
› An active IDS can take actions when it
detects a possible intrusion, such as blocking
further traffic from a specific network source
or locking down the system with safe mode.
Passive and › Active IDS is also known as an Intrusion
Active IDS Prevention System (IPS).

43
 Types of › Scanning Attacks
Computer › Denial of service (DOS)
Attacks › System penetration
Commonly
Detected by
IDS

44
 › When an attacker investigates a target network or
system by sending different kinds of packets.
› Using the responses received from the target, the
attacker can learn many of the system’s
characteristics and vulnerabilities
› Scanning attacks may yield:
– The topology of a target network
– The types of network traffic allowed through a
firewall
– The active hosts on the network
– The operating systems those hosts are running
Scanning – The server software they are running
Attacks – The software version numbers for all detected
software

45
 › Denial Of Service (DOS) attacks attempt to slow or shut down
targeted network systems or services. It causes major losses to
electronic commerce operations, whose customers were unable to
46
access them to make purchases
› Penetration attacks involve the unauthorized acquisition and/or
alteration of system privileges, resources, or data