8/8/2019 Common Security Attacks and Their Countermeasures
1/46
Common security attacks and their countermeasures

Attack: Countermeasure
- Finding a way into the network: Firewalls
- Exploiting software bugs, buffer overflows: Intrusion Detection Systems
- Denial of Service: Ingress filtering, IDS
- TCP hijacking: IPSec
- Packet sniffing: Encryption (SSH, SSL, HTTPS)
- Social problems: Education
INTRODUCTION
- Firewalls are used to create security checkpoints at the boundaries of private networks or personal computers.
- As a result, firewalls are the first line of defense against outside attacks.
- Firewalls emerged in the early 1990s and became particularly popular around 1996, the time when some new attack techniques emerged (buffer overflows, remote exploits).
INTRODUCTION (cont.)
[Figure: a firewall placed between the INTERNET and a secure private network ("My PC"); the firewall enforces a security policy that answers WHO? WHEN? WHAT? HOW?]
CAPABILITIES of FIREWALLS
- A firewall, defining a single choke point, simplifies security management because security capabilities are consolidated on a single system or set of systems.
- It provides a location for monitoring security-related events. Audit and alarms can be implemented on the firewall.
- A firewall is a convenient platform for several functions that are not security related, such as Network Address Translation.
- A firewall can be used to implement VPNs.
- Firewalls can authenticate users with different authentication methods before they reach certain resources.
TECHNIQUES USED by FIREWALLS
- Service Control: allows or blocks certain types of Internet services.
- Direction Control: determines the direction in which particular service requests may be initiated and allowed to flow.
- User Control: controls access to a service according to which user is attempting to access it.
- Behavior Control: controls how particular services are used.
- Time Control: controls when some services can be used.
TYPES of FIREWALLS
Firewalls can be classified according to different criteria:
- The place where they are deployed:
  - Perimeter firewalls
  - Internal firewalls
  - Personal firewalls
  - Distributed firewalls
- The layer in the network protocol stack at which they filter, and what they do:
  - Packet filtering firewalls @ Network/Transport Layer
  - Circuit gateways @ Transport Layer
  - Application gateways @ Application Layer
  - Dynamic packet filtering firewalls
PACKET FILTERING FIREWALLS
- One of the oldest types of firewalls.
- Packet filters, historically implemented on routers, filter on user-defined content such as IP addresses.
- They examine a packet at the Network or Transport Layers.
- They are cheap and useful.
PACKET FILTERING FIREWALLS (cont.)
- They are application independent; this feature is advantageous in terms of performance.
- Since they are not application-aware and cannot understand the context of a given communication, they are the least secure type of firewall and are good targets for intruders.
- Packet filtering is a three-step process:
  1. One must decide what should and should not be permitted, based on a pre-defined security policy.
  2. The allowable types of packets must be specified formally in terms of logical expressions on packet fields.
  3. The expressions should be rewritten in whatever syntax the vendor of the firewall supports.
PACKET FILTERING FIREWALLS (cont.)
- Packet filtering is typically set up as a list of rules based on matches to fields in the IP or TCP header.
- If there is a match to one of the rules, that rule is invoked and a predefined action is taken, such as dropping the packet or forwarding it, possibly also warning the user or administrator.
- The rules are evaluated from the top rule to the bottom rule; rule order is therefore an important issue that should be carefully considered.
- Rules are created according to two different policies:
  - Default = Discard: that which is not expressly permitted is prohibited.
  - Default = Pass: that which is not expressly prohibited is permitted.
- The Default = Discard policy is more conservative; initially everything is blocked, and services are added on a case-by-case basis.
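The top-to-bottom rule evaluation and the two default policies, as an added example that is not part of the original slides; the addresses, the Packet/Rule types and the rule set are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str      # source IP
    dst: str      # destination IP
    proto: str    # "tcp" or "udp"
    dport: int    # destination port

@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "discard"
    src: str = "0.0.0.0/0"       # any source
    dst: str = "0.0.0.0/0"       # any destination
    proto: Optional[str] = None  # None = any protocol
    dport: Optional[int] = None  # None = any port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in (None, pkt.proto)
                and self.dport in (None, pkt.dport))

def filter_packet(rules, pkt, default="discard"):
    """Evaluate rules top to bottom; the first match decides. If no rule
    matches, the default policy applies (Default = Discard or Default = Pass).
    Returns (action, index of the matching rule or None)."""
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return default, None

# Constructed rule set (hypothetical addresses): block one noisy range first,
# then allow web traffic to a DMZ web server.
RULES = [
    Rule("discard", src="203.0.113.0/24"),
    Rule("pass", dst="192.0.2.10/32", proto="tcp", dport=80),
    Rule("pass", dst="192.0.2.10/32", proto="tcp", dport=443),
]
# Same rules with the block rule moved below the pass rule: the noisy range
# now reaches the web server because the pass rule matches first.
MISORDERED = [RULES[1], RULES[0], RULES[2]]

if __name__ == "__main__":
    web = Packet("203.0.113.5", "192.0.2.10", "tcp", 80)
    print("ordered:   ", filter_packet(RULES, web))       # ('discard', 0)
    print("misordered:", filter_packet(MISORDERED, web))  # ('pass', 0)
```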
CIRCUIT GATEWAYS
- The idea of a circuit gateway is fundamentally different from packet filtering.
- Circuit gateways do not permit an end-to-end TCP connection.
- A circuit gateway works at the TCP level: it takes a TCP connection request from a client, authenticates and authorizes the client, and establishes a second connection to the origin server on the client's behalf.
- After the connections are established, the circuit gateway simply relays data back and forth between the two connections.
- It does not interfere with the data stream.
- The single circuit gateway that is actually widely used is SOCKS.
CIRCUIT GATEWAYS (cont.)
Circuit gateways can bridge two networks that do not share any IP connectivity or DNS processing.
APPLICATION GATEWAY
- Application gateways are also called proxy servers.
- Application gateways deal with the details of the particular service they are checking.
- Since they deal with details, they are usually more complex than packet filters.
- Rather than using a general-purpose mechanism to allow many different kinds of traffic to flow, special-purpose code is used for each desired application.
- Application gateways have another advantage: since they control the content, they can be used as content filters.
APPLICATION GATEWAY (cont.)
- The main disadvantage is the need for a specialized program or user interface for each different service.
- This results in supporting only basic services.
DYNAMIC PACKET FILTERING FIREWALLS
- A newer approach to packet filtering is Dynamic Packet Filtering based on Stateful Inspection.
- What is new with this approach is that, besides the functionality stateless packet filters have (such as looking at header information), stateful inspection maintains state information about past IP packets.
- If the first packet in a TCP connection is permitted, state information is added to the state table in an internal database. The other packets of this connection can then pass quickly through the firewall.
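The state table behaviour described above, as an added example (not code from the slides): only a new connection's first SYN is judged by the stateless rule, later packets in both directions are passed from the table, and idle or torn-down entries are dropped. The addresses, the Packet type and the outbound_web_only policy are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flag letters: "S" SYN, "A" ACK, "F" FIN, "R" RST

class StatefulFilter:
    """Only the first packet of a TCP connection (a bare SYN) is judged by the
    stateless rule; later packets in either direction are passed because the
    connection is already in the state table."""

    def __init__(self, allow_new, timeout=300):
        self.allow_new = allow_new  # stateless rule: Packet -> bool
        self.timeout = timeout      # idle seconds before an entry expires
        self.table = {}             # (src, sport, dst, dport) -> last seen time

    def _expire(self, now):
        for key in [k for k, t in self.table.items() if now - t > self.timeout]:
            del self.table[key]

    def inspect(self, pkt, now):
        """Returns (action, reason): reason is "state" for a table hit,
        "rule" for a permitted new connection, None when discarded."""
        self._expire(now)
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        key = fwd if fwd in self.table else rev if rev in self.table else None
        if key is not None:
            if "F" in pkt.flags or "R" in pkt.flags:
                del self.table[key]       # teardown (simplified: drop entry at once)
            else:
                self.table[key] = now     # refresh the idle timer
            return "pass", "state"
        if pkt.flags == "S" and self.allow_new(pkt):
            self.table[fwd] = now         # connection accepted: remember it
            return "pass", "rule"
        return "discard", None            # unsolicited or mid-stream packet

def outbound_web_only(pkt):
    """Constructed stateless policy: inside hosts (10.0.0.0/24) may open
    HTTP/HTTPS connections; nothing else starts a new connection."""
    return pkt.src.startswith("10.0.0.") and pkt.dport in (80, 443)

if __name__ == "__main__":
    fw = StatefulFilter(outbound_web_only)
    print(fw.inspect(Packet("10.0.0.5", 40000, "192.0.2.10", 80, "S"), 0))    # ('pass', 'rule')
    print(fw.inspect(Packet("192.0.2.10", 80, "10.0.0.5", 40000, "SA"), 1))   # ('pass', 'state')
    print(fw.inspect(Packet("203.0.113.9", 5555, "10.0.0.5", 40001, "S"), 2)) # ('discard', None)
```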
PERIMETER FIREWALLS
- Traditional "firewall in a box"
- Inserted between trusted and untrusted network segments
- Can support multiple networks (e.g. a server farm and a separate DMZ)
- Mature product, many vendors to choose from
- Local control over firewall policy
- Support VPNs and user authentication
- All devices behind the firewall are protected, but only from stuff on the outside!
- Users don't need to manage anything
- An outage affects only the systems behind the firewall
PERIMETER FIREWALLS (cont.)
[Figure: perimeter firewall structure. The perimeter firewall sits between the Internet and the internal segments: LAN 2, LAN 3 Secure Servers, LAN 3 Users and LAN 3 DMZ.]
INTERNAL FIREWALLS
- Like perimeter firewalls, they allow a limited set of traffic through between network segments.
- You may also be protecting parts of your internal network from other parts.
PERSONAL FIREWALLS
- Personal firewalls are software-only firewalls that run on the computer they protect.
- Designed for individual users or small networks (e.g. Windows XP comes with a personal firewall).
- Inexpensive and easy to install and use; should offer clearly explained configuration options.
- Allow the user to access all necessary network and web resources, protect from external "hacking" and alert the user to malicious activity.
PERSONAL FIREWALLS (cont.)
[Figure: personal firewall structure, showing the Internet, LAN 2 and the personal firewall running on the host itself.]
DISTRIBUTED FIREWALLS
- With distributed firewalls, each individual host enforces the security policy; however, the policy itself is set by a central management node.
- Rather than having a separate box on the edge of the network, a rule to reject such connection attempts is created by the administrator and shipped out to every host within its management domain.
- Advantages:
  - Eliminates the risk of central failure
  - Suitable for mobile users
  - Easy to customize some special connections
DEPLOYMENT OF FIREWALLS
- Firewalls can be deployed in different structures:
  - Screening router structure
  - Screening host structure with Bastion host
  - Screening host structure with dual-homed Bastion host
  - DMZ structure
- Bastion host: a bastion host is a secured computer that allows an untrusted network (such as the Internet) access to a trusted network (your internal network). It is typically placed between the two networks and is often referred to as an application level gateway.
- Demilitarized zone (DMZ): a DMZ sits between an internal network and the outside world, and it's the best place to put your public servers. Examples of systems to place on a DMZ include Web servers, FTP servers, SMTP servers and log servers.
DEPLOYMENT OF FIREWALLS (cont.)
[Figure: screening router structure]
DEPLOYMENT OF FIREWALLS (cont.)
[Figure: screening host structure with Bastion host]
DEPLOYMENT OF FIREWALLS (cont.)
[Figure: screening host structure with dual-homed Bastion host]
DEPLOYMENT OF FIREWALLS (cont.)
[Figure: DMZ (Demilitarized Zone) structure]
RISKS with FIREWALLS
- They are a pretty complex piece of software!!!
- Commercial firewall systems are closed software, which means that no one has really put them under the glass in a search for security problems... Over the last couple of years only several bugs have been found in them...
- They just filter traffic coming from/to your network.
- They can handle dozens of application protocols, but unfortunately cannot protect you against malicious content.
- The security level of a network protected by a firewall system depends on many factors (DNS, routing infrastructure, security of client software...).
- There is always a great risk associated with so-called human error.
WEAKNESSES of FIREWALLS
Common firewall weaknesses include:
- Firewalls cannot protect against what is authorized. Firewalls protect applications and permit the normal communications traffic to those applications. If the applications themselves have flaws, a firewall will not stop the attack because, to the firewall, the communication is authorized.
- Firewalls are only as effective as the rules they are configured to enforce. An overly permissive rule set will diminish the effectiveness of the firewall.
- Firewalls cannot fix poor admin practices or a poorly designed security policy.
- Firewalls cannot stop attacks in which traffic does not pass through them.
- Firewalls are bottlenecks: Internet connections are getting faster, and the techniques for detecting potential issues are getting more complicated. More and more processing power is required just to stand still, and the technologies to do all this already exist. So it may just be the way forward, for large enterprise security systems at least.
Intrusion Detection
- Used to monitor for suspicious activity on a network
- Can protect against known software exploits, like buffer overflows
- Open Source IDS: Snort, www.snort.org
IDS
- Introduction to IDS
- Classification of IDS
- IDS Models
- Available IDS Tools
- Conclusion & Future Work
What is Intrusion?
- Intrusion: actions attempting to break into or misuse one's system in violation of an established policy
- Types of Intrusion:
  - Attempted break-ins
  - Masquerade attacks
  - Penetration of the security control system
  - Denial of Service
  - Malicious use
What is an IDS?
- IDS: a system trying to detect and alert on attempted intrusions into a system or network
- Reactive rather than proactive (usually does not prevent unauthorized users from entering the network, only identifies that an intrusion has occurred)
- May provide diagnostic information, too
- Objective: 100% accuracy
  - False positive: false alarm
  - False negative: letting an attack pass undetected
Elements of a Basic IDS Model
- Audit Data (logs): keyboard inputs, command-based or application-based logs
- Reference Data Store: intrusion signatures (known attack patterns), profiles of normal behaviours
- Algorithms searching for suspicious behaviour
- Alarm
- Data Collection Issues
- Response Issues
Classifying IDSs
- Offline vs. Online
- Host-Based vs. Network-Based
- Anomaly Detection vs. Misuse Detection
Offline vs. Online
- Offline: audit data is processed periodically, not in real time
  - works on audit logs
  - data mining
- Online: audit data is processed in real time, continuously
  - may react to and prevent an intrusion still going on
Host-Based vs. Network-Based (1)
- Host-Based / HIDS: software installed on each node
- Typical host-based intrusion counter actions:
  - Account scans (looking for default accounts with no password set)
  - Log auditing (Windows: Event log; Linux/Unix: Syslog)
  - Locating Trojans and backdoors
  - Checking the integrity of files and user privileges by digital fingerprints (calculating more than one hash of the same file)
- Disadvantage: consumes CPU time, storage, memory and other system resources
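The file-integrity counter action above (more than one hash per file, plus the permission bits) as an added example, not code from the slides: a baseline is taken, the tree is tampered with in a temporary directory, and the check reports what changed. The file names, contents and the choice of sha256 + blake2b are constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Two independent algorithms per file, as the slide suggests: a modification
# would have to collide under both at once to go unnoticed.
ALGORITHMS = ("sha256", "blake2b")

def fingerprint(path: Path) -> dict:
    """Hash one file with every algorithm in a single pass, plus its mode bits."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            for h in hashers.values():
                h.update(chunk)
    digest = {name: h.hexdigest() for name, h in hashers.items()}
    digest["mode"] = oct(path.stat().st_mode & 0o7777)
    return digest

def build_baseline(root: Path) -> dict:
    """Snapshot every regular file under root, keyed by relative path."""
    return {str(p.relative_to(root)): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def check_integrity(root: Path, baseline: dict) -> dict:
    """Compare the current tree with the stored baseline."""
    current = build_baseline(root)
    findings = {"modified": [], "mode_changed": [], "removed": [],
                "added": sorted(set(current) - set(baseline))}
    for name, old in baseline.items():
        new = current.get(name)
        if new is None:
            findings["removed"].append(name)
        elif any(new[a] != old[a] for a in ALGORITHMS):
            findings["modified"].append(name)
        elif new["mode"] != old["mode"]:
            findings["mode_changed"].append(name)
    return findings

def demo() -> dict:
    """Constructed scenario in a temp dir: baseline, then tamper, then check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"original binary")
        (root / "etc.conf").write_text("debug=off\n")
        (root / "notes.txt").write_text("keep me\n")
        baseline = build_baseline(root)
        (root / "bin" / "login").write_bytes(b"modified binary")  # content changed
        os.chmod(root / "etc.conf", 0o4755)                       # setuid bit added
        (root / "notes.txt").unlink()                             # file removed
        (root / "unexpected.bin").write_bytes(b"new file")        # file added
        return check_integrity(root, baseline)
```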
Host-Based vs. Network-Based (2)
- Network-Based / NIDS: monitors all packets on the network wire
  - e.g. may watch for a large number of TCP connection requests to many different ports
- Either runs on a single machine (hub, router, etc.) or is divided into several sensors and one central analysis point
- Usually utilizes a network adapter
- Typically host-independent, but may be a software package installed on a dedicated host
- Monitors numerous hosts simultaneously, but may suffer from performance problems as network speed increases
Anomaly Detection vs. Misuse Detection (1)
- Anomaly Detection:
  - Assumption: attacks differ from normal behaviour
  - Analyses the network or system and infers what is normal (establishes a "normal activity profile")
  - Interprets deviations from this normal behaviour as an intrusion
[Figure: anomaly detection model. Audit Data is compared against the System Profile ("statistically deviant?"); a deviation leads to the Attack State, otherwise the profile is updated; new profiles are generated dynamically.]
- Activity measures such as CPU time used, or number of network connections in a time period
- Profile generation: a one-time activity; current and previous profiles may be merged at intervals
- Adjustment of threshold levels is very important
Anomaly Detection v.s. MisuseDetection ( 2 )
- Anomaly Detection:
  - Advantages:
    - May catch novel attacks we have not seen before
  - Disadvantages:
    - Current implementations do not work very well (too many false positives/negatives)
    - Cannot categorize attacks very well
    - Difficult to train in highly dynamic environments
    - The system may be gradually trained by intruders
Anomaly Detection vs. Misuse Detection (3)
- Misuse Detection:
  - Attacks are known in advance (signatures)
  - Matches signatures against the audit data stream
  - The attack signatures are usually specified as rules
[Figure: misuse detection model. Audit Data (and the System Profile) is matched against the rules ("rule match?"); a match leads to the Attack State; existing rules are modified and new rules added over time.]
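Both models from the preceding slides side by side, as an added example that is not part of the original slides: a statistical anomaly detector over one activity measure (connections per time period, with a tunable threshold and profile updates), and a misuse detector that matches rule signatures against an audit stream. The subjects, the two signatures and the audit lines are constructed.

```python
import re
import statistics

class AnomalyDetector:
    """Profile = past values of one activity measure (here: network connections
    per time period) for a subject. A value whose z-score exceeds the threshold
    is 'statistically deviant'; normal values are merged into the profile."""

    def __init__(self, threshold=3.0, min_history=5):
        self.threshold = threshold        # the slides stress tuning this
        self.min_history = min_history    # samples needed before judging
        self.profile = {}                 # subject -> list of past counts

    def train(self, subject, counts):
        self.profile.setdefault(subject, []).extend(counts)

    def check(self, subject, count):
        """Returns (deviant, z_score). Only non-deviant values update the
        profile, so one burst cannot pull the baseline towards itself."""
        history = self.profile.get(subject, [])
        if len(history) < self.min_history:      # no usable baseline yet
            self.train(subject, [count])
            return False, 0.0
        mean = statistics.mean(history)
        sd = statistics.pstdev(history) or 1.0   # avoid division by zero
        z = (count - mean) / sd
        deviant = abs(z) > self.threshold
        if not deviant:
            self.train(subject, [count])
        return deviant, round(z, 2)

# Misuse detection: signatures specified as rules over the audit stream.
SIGNATURES = [
    ("ssh-root-password-failure", re.compile(r"sshd\[\d+\]: Failed password for root from (\S+)")),
    ("new-uid0-account", re.compile(r"useradd\[\d+\]: new user: name=(\S+), UID=0\b")),
]

def misuse_scan(audit_lines):
    """Match every signature against every record; return (line, rule, detail)."""
    hits = []
    for i, line in enumerate(audit_lines):
        for name, pattern in SIGNATURES:
            m = pattern.search(line)
            if m:
                hits.append((i, name, m.group(1)))
    return hits

# Constructed audit records (not from a real system).
AUDIT = [
    "sshd[812]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2",
    "sshd[813]: Failed password for root from 203.0.113.7 port 5120 ssh2",
    "useradd[900]: new user: name=svc, UID=1001, GID=1001, home=/home/svc, shell=/bin/sh",
    "useradd[901]: new user: name=helper, UID=0, GID=0, home=/root, shell=/bin/sh",
]
```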
Anomaly Detection vs. Misuse Detection (4)
- Misuse Detection:
  - Advantages:
    - Easy to implement, deploy, update and understand
    - Low rate of false positives
    - Fast
  - Disadvantages:
    - Cannot detect previously unknown attacks
    - Constantly needs to be updated with new rules
    - Only as good as the database of attack signatures
Available IDS Tools
- Commercial: RealSecure
- Public-Domain: Shadow, Snort
- Research Prototypes: Emerald
RealSecure
- Real-time IDS
- 3-part architecture:
  - Network-based recognition engine: monitors a network segment and looks for packets that match attack signatures. Response: terminate connection, send alert, record session, reconfigure firewall.
  - Host-based recognition engine: analyses system logs. Response: terminate user processes, suspend user accounts.
  - Administrator's module
- www.iss.net
Shadow
- Composed of:
  - Sensors: reside at key monitoring points in the network (outside the firewall); extract packet headers and save them to a monitoring file
  - Analysis station: inside the firewall; reads the monitoring file periodically
- Joint venture of Naval Surface Weapons Center Dahlgren, Network Flight Recorder, the National Security Agency, and the SANS Institute
- www.nswc.navy.mil/ISSEC/CID/
Snort
- Open-source public-domain ID tool
- Real-time traffic analysis and packet logging on IP networks
- Protocol analysis, content searching / matching
- Flexible rules language to describe traffic that it should collect or pass
- Large group of users who contribute new signatures
- Installation guides written in Turkish!
- www.snort.org