Day4

Network Security and Hacking Techniques DAY-4


Transcript of Day4

Page 1: Day4

Network Security and Hacking Techniques

DAY-4

Page 2: Day4

Network Security and Hacking Techniques – Day 4

Firewalls

[Diagram: the firewall ("We are here") sits between the visible IP address and the internal network, which holds PC servers (Linux and Windows), host and application servers, and devices like IDS and sniffers.]

Page 3: Day4

What does this paper cover?

Why do you need a firewall?

What is a firewall?

How does a network firewall interact with the OSI and TCP/IP network models?

Different types of firewall.

Different firewall architectures.

What kind of firewall is best for which infrastructure.

Page 4: Day4

Introduction

Benefits of the Internet

Better communication

Remote access

Immense source of information

Boosting the efficiency of businesses

Network security is a major concern.

Page 5: Day4

Why do you need a firewall?

What happens when you connect to the Internet?

Your network becomes part of the Internet.

Possibility of attack by thieves and vandals.

How do you protect confidential information from those who do not explicitly need to access it?

How do you protect your network and its resources from malicious users and accidents that originate outside of your network?

Page 6: Day4

Types of Attacks

Network packet sniffers

IP Spoofing

Password Attacks

Distribution of sensitive information to external resources.

Man-in-the-middle attacks

Denial of Service Attacks

Application layer attacks

Page 7: Day4

What is a Firewall?

Page 8: Day4


Computer with firewall software

Page 9: Day4


Basic Purpose of a Firewall

It blocks incoming data that might contain a hacker attack.

It hides information about the network by making it seem that all outgoing traffic originates from the firewall rather than the network. This is called Network Address Translation (NAT).

It screens outgoing traffic to limit Internet use and/or access to remote sites.

Page 10: Day4


Other Features of Firewall

Content Filtering

Virtual Private Networks

Antivirus Protection

Demilitarized Zone Firewalls

Page 11: Day4

What can't a firewall do?

They cannot provide complete security.

They can do nothing to guard against insider threats.

Employee misconduct or carelessness cannot be controlled by firewalls.

Policies involving the use and misuse of passwords and user accounts must be strictly enforced.

Page 12: Day4

How does a network firewall interact with the OSI and TCP/IP network models?

Network firewalls operate at different layers and use different criteria to restrict traffic.

The lowest layer at which a firewall can work is layer three.

The higher in the stack an architecture examines packets, the greater the level of protection it provides, since more information is available on which to base decisions.

Page 13: Day4


Types of Firewall

Static Packet Filter

Dynamic (stateful) packet filter

Circuit level Gateway

Application level Gateway

Stateful Multilayer Inspection Firewall

Page 14: Day4


Static Packet Filter

Page 15: Day4

Static Packet Filter (contd.)

Advantages

Low cost – now included with many operating systems.

Disadvantages

Filters are difficult to configure.

A static packet filter is not state aware.

A static packet filter does not examine the complete packet.

Page 16: Day4

Dynamic (stateful) packet filter

State awareness

Aware of the difference between a new and an established connection.

Advantage:

State awareness provides a measurable performance benefit.

Disadvantage:

Susceptible to IP spoofing.

Provides only a low level of protection.
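As an added illustration (not from the slides) of what "state aware" buys you, here is a toy stateless filter next to a toy stateful one, both enforcing the same policy over a constructed TCP exchange; the addresses, ports and packet tuples are assumptions.

```python
# Added example, not from the slides: a toy static (stateless) packet filter
# beside a toy stateful one. Policy for both: inside hosts (10.0.0.x) may open
# connections outward; nothing may originate from outside. Addresses, ports
# and the packet layout are constructed for illustration.
from collections import namedtuple

Packet = namedtuple("Packet", "src dst sport dport syn ack")

def inside(ip):
    return ip.startswith("10.0.0.")

def static_filter(pkt):
    """Stateless: judges each packet on its headers alone. To let replies
    back in it must accept any inbound packet carrying ACK, so it cannot
    tell a genuine reply from an unsolicited packet with that flag set."""
    if inside(pkt.src) and not inside(pkt.dst):
        return "ACCEPT"                      # outbound
    if not inside(pkt.src) and inside(pkt.dst) and pkt.ack:
        return "ACCEPT"                      # "established" guessed from flags
    return "DROP"

class StatefulFilter:
    """Remembers connections the inside opened; inbound passes only if it
    matches one of them (NEW vs ESTABLISHED is real state, not a flag)."""
    def __init__(self):
        self.table = set()                   # (src, sport, dst, dport)

    def filter(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if inside(pkt.src) and not inside(pkt.dst):
            if pkt.syn and not pkt.ack:
                self.table.add(key)          # NEW outbound connection
            return "ACCEPT" if key in self.table else "DROP"
        if reverse in self.table:
            return "ACCEPT"                  # ESTABLISHED reply
        return "DROP"

# Constructed traffic: one legitimate web fetch (SYN, SYN/ACK, ACK), then an
# inbound packet that has ACK set but belongs to no known connection.
TRAFFIC = [
    Packet("10.0.0.5", "203.0.113.9", 40000, 80, syn=True, ack=False),
    Packet("203.0.113.9", "10.0.0.5", 80, 40000, syn=True, ack=True),
    Packet("10.0.0.5", "203.0.113.9", 40000, 80, syn=False, ack=True),
    Packet("198.51.100.7", "10.0.0.5", 4444, 22, syn=False, ack=True),
]

def compare():
    """Verdicts of both filters over TRAFFIC, in arrival order."""
    stateful = StatefulFilter()
    return ([static_filter(p) for p in TRAFFIC],
            [stateful.filter(p) for p in TRAFFIC])
```

The stateless filter accepts all four packets; the stateful one drops the last, because no inside host ever opened a connection to 198.51.100.7 port 4444.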

Page 17: Day4


Circuit Level Gateway

Page 18: Day4

Circuit Level Gateway (contd.)

Advantages: Information passed to a remote computer through a circuit level gateway appears to have originated from the gateway. This is useful for hiding information about protected networks.

Higher level of security than a static or dynamic (stateful) packet filter.

Disadvantage: A circuit level gateway cannot examine the data content of the packets it relays between a trusted network and an untrusted network. The potential exists to slip harmful packets through a circuit level gateway to a server behind the firewall.

Page 19: Day4


Application Level Gateway

Page 20: Day4

Application Level Gateway (contd.)

Advantages:

Filters application-specific commands such as HTTP POST and GET.

Inspects the complete packet.

Highest level of security.

Disadvantages:

Vendors must keep up with new protocols. A common complaint of application level gateway users is the lack of timely vendor support for new protocols.

Must be written securely.

Page 21: Day4


Stateful Multilayer Inspection Firewall

Page 22: Day4

Stateful Multilayer Inspection Firewall (contd.)

Advantages: Does not break the client-server model.

Offers a high level of security.

Disadvantages: The failure to break the client-server model creates an unacceptable security risk, as the hacker has a direct connection to the protected server.

They are expensive.

Due to their complexity they are potentially less secure than simpler types of firewalls if not administered by highly competent personnel.

Page 23: Day4


Dual-Homed Host Architecture

Page 24: Day4


Screened Host Architecture

Page 25: Day4


Screened Subnet Architecture

Page 26: Day4


Conclusion

Keeping your software patched and running updated antivirus software are very important pieces, but having a firewall block incoming connections in the first place is definitely a wise idea as well.

No one security solution will solve everything.

The more lines of defense you have in place, the harder it is for hackers to get in and the safer you will be.

Page 27: Day4


Firewalls

Questions

Page 28: Day4


What is Intrusion Detection

Intrusion detection systems (IDSs) are designed for detecting, blocking and reporting unauthorized activity in computer networks.

“The life expectancy of a default installation of Linux Red Hat 6.2 server is estimated to be less than 72 hours.”

“The fastest compromise happened in 15 minutes (including scanning, probing and attacking)”

“Netbios scans affecting Windows computers were executed with the average of 17 per day”

(source: Honeynet Project)

Page 29: Day4


Motivation for Intrusion Detection

[Chart: "Unauthorized Use of Computer Systems Within Last 12 Months" (source: Indian ISP's Study). Percentage of respondents answering Yes, No or Don't Know, for each year from 1996 to 2002; y-axis from 0 to 80.]

Page 30: Day4

Definitions

Intrusion

A set of actions aimed at compromising the security goals, namely

• integrity, confidentiality, or availability of a computing and networking resource

Intrusion detection

The process of identifying and responding to intrusion activities

Page 31: Day4


Why Is Intrusion Detection Necessary?

Prevent Detect React/Survive

Security principles: layered mechanisms

Page 32: Day4


Different Types of IDSs

Application based

Host based

Network based.

Page 33: Day4


Different Types of IDSs

Application IDS

Watch application logs

Watch user actions

Stop attacks targeted against an application

• Advantages: Encrypted data can be read.

• Problems: Positioned too high in the attack chain (the attacks reach the application).

Page 34: Day4


Different Types of IDSs

Host IDS

Watch kernel operations

Watch network interface

Stop illegal system operations

Drop attack packets at network driver

• Advantages: Encrypted data can be read. Each host contributes to the detection process.

• Problems: Positioned too high in the attack chain (the attacks reach the network driver).

Page 35: Day4


Different Types of IDSs

Network IDS

Watch network traffic

Watch active services and servers

Report and possibly stop network level attacks

• Advantages: Attacks can be stopped early enough (before they reach the hosts or applications). Attack information from different subnets can be correlated.

• Problems: Encrypted data cannot be read. Annoyances to normal traffic if for some reason normal traffic is dropped.

Page 36: Day4


An Adaptive IDS Architecture

[Diagram of the adaptive IDS architecture, with its three tiers and the components that drive them:]

FW: quick and dirty

Real-time IDS: best-effort in real-time

Backend IDS: thorough and slow (scenario/trend)

Dynamic cost-sensitive decision making

Detection models

Page 37: Day4


Different Ways to put IDS on network

HUB

Page 38: Day4


Different Ways to put IDS on network

TAP

Page 39: Day4


Circuit Diagrams of Tapping 100Mb Ethernet Switch

[Diagram: a 100Mb copper tap (ports A and B, outputs Tap A and Tap B) sits in the full-duplex 100Mb link of a 100Mb Ethernet switch. Port A TX traffic and Port B TX traffic go out on pins 1,2; the tap outputs feed the sniffing interface of an IDS sensor, whose alerting interface connects to the IDS console. Callouts from the drawing:]

Transmit data from both directions is blended together on a single VLAN to enable capturing of full-duplex traffic for IDS.

Span port combines transmit traffic from both directions and provides buffering of data. Combined transmit data resembles a full-duplex Ethernet connection with traffic flowing in both directions.

Tap provides passive insertion into the data stream. Tap ports carry transmit data from their respective port.

Passive sniffing interface has no IP address and inspects incoming traffic for intrusion events.

Reporting interface has a real IP address. Transmits IDS alerts to the IDS console for processing and aggregation.

Drawing by Jeff Nathan <jeff@wwti.com> and Brian Caswell <[email protected]>

Page 40: Day4


Circuit Diagrams of Tapping 1Gb Ethernet Switch

[Diagram: the same 100Mb copper tap arrangement (ports A and B, outputs Tap A and Tap B, IDS sensor with sniffing and alerting interfaces, IDS console) on a 100Mb Ethernet switch that has one 1Gb port used as the span port. Port A TX traffic and Port B TX traffic go out on pins 1,2. Callouts from the drawing:]

Transmit data from both directions is blended together on a single VLAN to enable capturing of full-duplex traffic for IDS.

Span port combines transmit traffic from both directions and provides buffering of data. Combined transmit data resembles a full-duplex Ethernet connection with traffic flowing in both directions.

When operating at full-duplex, a 100Mb Ethernet connection can have an aggregate throughput of 200Mb to be spanned. Using a 1Gb port as a span port can prevent oversubscription.

Tap provides passive insertion into the data stream. Tap ports carry transmit data from their respective port.

Passive sniffing interface has no IP address and inspects incoming traffic for intrusion events.

Reporting interface has a real IP address. Transmits IDS alerts to the IDS console for processing and aggregation.

Drawing by Jeff Nathan <jeff@wwti.com> and Brian Caswell <[email protected]>

Page 41: Day4


Circuit Diagrams of Tapping 1Gb Ethernet Switch

[Diagram: a gig fiber tap (ports A and B, output Tap(A+B)) carries full-duplex 1Gb traffic into an IDS load balancer with 1Gb inputs and two rows of 100Mb ports. Each 100Mb port feeds the sniffing interface of one of several IDS sensors, whose reporting interfaces connect to the IDS console(s). Callouts from the drawing:]

Tap provides passive insertion into the data stream. Tap ports carry transmit data from their respective port.

Passive sniffing interfaces have no IP address and inspect incoming traffic for intrusion events.

Reporting interfaces have real IP addresses and transmit IDS alerts to the IDS console for processing and aggregation.

Analyzer "Y" cable allows the analyzer port to be connected to two switch ports. Rx connection is simulated.

IDS load balancer distributes high-speed (1Gb) network traffic over 100Mb links to IDS sensors. End-to-end connection states and TCP streams are maintained for the duration of the connection/stream to only one sensor, such that stateful intrusion detection and TCP stream reassembly are still possible.

Drawing by Jeff Nathan <jeff@wwti.com> and Brian Caswell <[email protected]>
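The load balancer's key property above is that every packet of a connection, in both directions, reaches the same sensor. As an added example (not from the slides or the drawing), here is the flow-affinity logic such a balancer needs, with a direction-independent 5-tuple hash; the sensor count, hash function and sample packets are assumptions.

```python
# Added example, not from the slides: spreading traffic over several sensor
# links while pinning each TCP connection (both directions) to one sensor, so
# per-sensor stateful inspection and stream reassembly still work.
# Sensor count, hash choice and the packet tuples are constructed.
import hashlib

def flow_key(src, sport, dst, dport, proto="tcp"):
    """Direction-independent 5-tuple: client->server and server->client
    packets of one connection produce the same key."""
    a, b = (src, sport), (dst, dport)
    lo, hi = (a, b) if a <= b else (b, a)
    return f"{proto}:{lo[0]}:{lo[1]}:{hi[0]}:{hi[1]}"

def pick_sensor(packet, n_sensors):
    """Stable sensor index for the packet's flow (hash of the flow key)."""
    digest = hashlib.sha256(flow_key(*packet).encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_sensors

def distribute(packets, n_sensors):
    """Map sensor index -> packets it receives, preserving arrival order."""
    buckets = {i: [] for i in range(n_sensors)}
    for pkt in packets:
        buckets[pick_sensor(pkt, n_sensors)].append(pkt)
    return buckets

def flows_are_pinned(packets, n_sensors):
    """Check that no flow is split across two sensors."""
    seen = {}
    for pkt in packets:
        sensor = pick_sensor(pkt, n_sensors)
        if seen.setdefault(flow_key(*pkt), sensor) != sensor:
            return False
    return True

# Constructed traffic: two HTTP connections from different clients, with
# request and reply packets interleaved as they would arrive from the tap.
PACKETS = [
    ("10.0.0.5", 40000, "203.0.113.9", 80),
    ("10.0.0.6", 40001, "203.0.113.9", 80),
    ("203.0.113.9", 80, "10.0.0.5", 40000),
    ("203.0.113.9", 80, "10.0.0.6", 40001),
    ("10.0.0.5", 40000, "203.0.113.9", 80),
]
```

A hash over only the source address would also be stable, but it would send all of one server's replies to a single sensor regardless of which client they belong to; the symmetric 5-tuple keeps both halves of each connection together while still spreading distinct connections.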

Page 42: Day4

SNORT

Open source

Just about any platform (including Windows)

Many plugins and external modules.

Frequent rules updates.

Page 43: Day4

Snort Plugins

Databases

MySQL

Oracle

PostgreSQL

unixODBC

Spade (Statistical Packet Anomaly Detection engine)

FlexResp (Session response/closing)

XML output

TCP streams (stream single-byte reassembly)

Page 44: Day4

Snort Add-ons

Acid (Analysis Console for Intrusion Detection) - PHP

Guardian – IPCHAINS rules modifier (Girr – remover)

SnortSnarf - HTML

Snortlog – syslog

"Ruleset retrieve" – automatic rules updater.

Snorticus – central multi-sensor manager – shell

LogSnorter – syslog > Snort SQL database information adder.

+ a few win32 bits and pieces.

Page 45: Day4

Acid + Snort

Acid is a CERT project.

Pretty simple PHP3 to MySQL.

Quite customizable.

Simple GUI for casual browsing.

Page 46: Day4

Snort Web Access - ACID

• Main Console

Page 47: Day4


Snort Web Access - ACID

Page 48: Day4

Snort Web Access - ACID

• Securityfocus

• Whitehats

• CVE

Page 49: Day4

Snort Web Access - ACID

• Rule details

Page 50: Day4

Snort Web Access - ACID

• Incident details

Page 51: Day4

Snort Web Access - ACID

• Incident details

Page 52: Day4

END