Chapter 9
Packet Filtering Firewall Disadvantages
- Cannot prevent attacks that employ application-specific vulnerabilities or functions.
- The logging functionality present in packet filter firewalls is limited.
- Most packet filter firewalls do not support advanced user authentication schemes.
- Packet filter firewalls are generally vulnerable to attacks and exploits that take advantage of problems within the TCP/IP specification and protocol stack, such as network layer address spoofing.
- Packet filter firewalls are susceptible to security breaches caused by improper configurations.
Bastion Host Common Characteristics 2
- Each proxy maintains detailed audit information by logging all traffic, each connection, and the duration of each connection.
- Each proxy module is a very small software package specifically designed for network security.
- Each proxy is independent of other proxies on the bastion host. Uninstalling a compromised proxy does not affect the others.
- A proxy generally performs no disk access other than to read its initial configuration file. So, executable code is made read-only.
- Each proxy runs as a nonprivileged user in a private and secured directory on the bastion host.
Host-Based Firewall Advantages
- Filtering rules can be tailored to the host environment.
- Protection is provided independent of topology. Thus both internal and external attacks must pass through the firewall.
- Used in conjunction with stand-alone firewalls, the host-based firewall provides an additional layer of protection.
- A new type of server can be added to the network, with its own firewall, without the necessity of altering the network firewall configuration.
Attacks on Packet Filtering Firewalls
- IP Address Spoofing
- Source Routing Attacks
- Tiny Fragment Attacks
Firewall Access Policy Characteristics
- IP Address and Protocol Values
- Application Protocol
- User Identity
- Network Activity
Malicious Behavior Addressed by a HIPS
- Modification of System Resources
- Privilege Escalation Exploits
- Buffer-Overflow Exploits
- Access to Email Contact List
- Directory Traversal
General NIPS Methods to Identify Malicious Packets
- Pattern Matching
- Stateful Matching
- Protocol Anomaly
- Traffic Anomaly
- Statistical Anomaly
Motivations for the Digital Immune System
- Rising threat of Internet-based malware
- Increasing speed of malware propagation provided by the Internet
- The need to acquire a global view of the situation
Packet Filtering Rules
- Source IP Address
- Destination IP Address
- Source and Destination Transport-Level Address (port numbers)
- IP Protocol Field
- Interface (which interface of the firewall the packet arrived at or left from)
HIPS Desktop Protection Areas
- System Calls
- File System Access
- System Registry Settings
- Host Input/Output
SOCKS Components
- The SOCKS server, which often runs on a UNIX-based firewall. SOCKS is also implemented on Windows systems.
- The SOCKS client library, which runs on internal hosts protected by the firewall.
- SOCKS-ified versions of several standard client programs such as FTP and TELNET. The implementation of the SOCKS protocol typically involves either the recompilation or relinking of TCP-based client applications, or the use of alternate dynamically loaded libraries, to use the appropriate encapsulation routines in the SOCKS library.
Bastion Host Common Characteristics
- The bastion uses a secure version of its OS (hardened system).
- Only the services considered essential are installed on the bastion host.
- The bastion host may require additional authentication before a user is allowed access to the proxy services. In addition, each proxy service may require its own authentication before granting user access.
- Each proxy is configured to allow access only to specific host systems.
Personal Firewall Attributes
- Typically much less complex than either server-based firewalls or stand-alone firewalls.
- The primary role of the personal firewall is to deny unauthorized remote access to the computer.
- The firewall can also monitor outgoing activity in an attempt to detect and block worms and other malware.
Firewall Capabilities
1. A firewall defines a single choke point that attempts to keep unauthorized users out of the protected network, prohibit potentially vulnerable services from entering or leaving the network, and provide protection from various kinds of IP spoofing and routing attacks. The use of a single choke point simplifies security management.
2. A firewall provides a location for monitoring security-related events. Audits and alarms can be implemented on the firewall system.
3. A firewall is a convenient platform for several Internet functions that are not security related. These include a network address translator, which maps local addresses to Internet addresses, and a network management function that audits or logs Internet usage.
4. A firewall can serve as the platform for IPSec. Using the tunnel mode capability, the firewall can be used to implement virtual private networks.
Firewall Design Goals
1. All traffic from inside to outside, and vice versa, must pass through the firewall.
   - This is achieved by physically blocking all access to the local network except via the firewall.
   - Various configurations are possible.
2. Only authorized traffic, as defined by the local security policy, will be allowed to pass.
   - Various types of firewalls are used, which implement various types of security policies.
3. The firewall itself is immune to penetration. This implies the use of a hardened system with a secured operating system.
   - Trusted computer systems are suitable for hosting a firewall and are often required in government applications.
Functions of a Typical UTM
1. Inbound traffic is decrypted if necessary before its initial inspection. If the device functions as a VPN boundary node, then IPSec decryption would take place here.
2. An initial firewall module filters traffic, discarding packets that violate rules and/or passing packets that conform to rules set in the firewall policy.
3. Beyond this point, a number of modules process individual packets and flows of packets at various protocol levels.
   - In this particular configuration, a data analysis engine is responsible for keeping track of packet flows and coordinating the work of antivirus, IDS, and IPS engines.
4. The data analysis engine also reassembles multipacket payloads for content analysis by the antivirus engine and the Web filtering and antispam modules.
5. Some incoming traffic may need to be re-encrypted to maintain security of the flow within the enterprise network.
6. All detected threats are reported to the logging and reporting module, which is used to issue alerts for specified conditions and for forensic analysis.
7. The bandwidth-shaping module can use various priority and quality-of-service (QoS) algorithms to optimize performance.
Hybrid IDS Architecture Explanation
1. Sensors deployed at various network and host locations detect potential malware scanning, infection, or execution. The sensor logic can also be incorporated in IDS sensors.
2. The sensors send alerts and copies of detected malware to a central server, which correlates and analyzes this information. The server determines the likelihood that malware is being observed and its key characteristics.
3. The server forwards its information to a protected environment, where the potential malware may be sandboxed for analysis and testing.
4. The protected system tests the suspicious software against an appropriately instrumented version of the targeted application to identify the vulnerability.
5. The protected system generates one or more software patches and tests these.
6. If the patch is not susceptible to the infection and does not compromise the application's functionality, the system sends the patch to the application host to update the targeted application.
Firewall Limitations
1. The firewall cannot protect against attacks that bypass the firewall. Internal systems may have dial-out or mobile broadband capability to connect to an ISP. An internal LAN may support a modem pool that provides dial-in capability for traveling employees and telecommuters.
2. The firewall may not protect fully against internal threats, such as a disgruntled employee or an employee who unwittingly cooperates with an external attacker.
3. An improperly secured wireless LAN may be accessed from outside the organization. An internal firewall that separates portions of an enterprise network cannot guard against wireless communications between local systems on different sides of the internal firewall.
4. A laptop, PDA, or portable storage device may be used and infected outside the corporate network and then attached and used internally.
Internal Firewalls in a DMZ Configuration
1. The internal firewall adds more stringent filtering capability, compared to the external firewall, in order to protect enterprise servers and workstations from external attack.
2. The internal firewall provides two-way protection with respect to the DMZ. First, the internal firewall protects the remainder of the network from attacks launched from DMZ systems. Second, an internal firewall can protect the DMZ systems from attack from the internal protected network.
3. Multiple internal firewalls can be used to protect portions of the internal network from each other.
Host-Based IPS (HIPS)
A ________ can make use of either signature/heuristic or anomaly detection techniques to identify attacks. In the former case, the focus is on the specific content of application network traffic, or of sequences of system calls, looking for patterns that have been identified as malicious. In the case of anomaly detection, the IPS is looking for behavior patterns that indicate malware.
DMZ Networks
A common firewall configuration that includes an additional network segment between an internal and an external firewall.
- An external firewall is placed at the edge of a local or enterprise network, just inside the boundary router that connects to the Internet or some WAN.
- One or more internal firewalls protect the bulk of the enterprise network.
- Between these two types of firewalls are one or more networked devices in a region referred to as a DMZ network. Systems that are externally accessible but need some protections are usually located on DMZ networks. Typically, the systems in the DMZ require or foster external connectivity.
Digital Immune System
A comprehensive defense against malicious behavior caused by malware, developed by IBM and subsequently refined by Symantec.
- The objective of this system is to provide rapid response time so that malware can be stamped out almost as soon as it is introduced.
- When new malware enters an organization, the immune system automatically captures it, analyzes it, adds detection and shielding for it, removes it, and passes information about it to client systems, so the malware can be detected before it is allowed to run elsewhere.
Directory Traversal
A directory traversal vulnerability in a Web server allows the hacker to access files outside the range of what a server application user would normally need to access.
Snort Inline
A modified version of Snort that enhances it to function as an IPS by adding three new rules:
- Drop
- Reject
- Sdrop
Firewall
A single computer system or a set of two or more systems that cooperate to create a controlled link between the premises network and the Internet. The aim of this perimeter is to protect the premises network from Internet-based attacks and to provide a single choke point where security and auditing can be imposed. It provides an additional layer of defense, insulating internal systems from external networks.
Unified Threat Management (UTM) System
A single device that integrates a variety of approaches to dealing with network-based attacks.
- Includes products like firewalls, NIPSs, NIDSs, VPNs, antispam, antispyware, and other normally inline products.
- At minimum it must perform network firewalling, network intrusion detection and prevention, and gateway anti-virus.
Single Bastion Inline
A single firewall device between an internal and external router. The firewall may implement stateful filters and/or application proxies.
- This is the typical firewall appliance configuration for small to medium-sized organizations.
Screening Router
A single router between internal and external networks with stateless or full packet filtering.
- This arrangement is typical for small office/home office (SOHO) applications.
Host-Based Firewalls
A software module used to secure an individual host.
- Like conventional stand-alone firewalls, host-resident firewalls filter and restrict the flow of packets.
- A common location for such firewalls is a server.
Circuit-Level Gateway
A stand-alone system or specialized function performed by an application-level gateway for certain applications.
- Does not permit an end-to-end TCP connection; rather, the gateway sets up two TCP connections, one between itself and a TCP user on an inner host and one between itself and a TCP user on an outside host.
- Once the two connections are established, the gateway typically relays TCP segments from one connection to the other without examining the contents. The security function consists of determining which connections will be allowed.
- Also known as a circuit-level proxy.
Bastion Host
A system identified by the firewall administrator as a critical strong point in the network's security.
- Typically, it serves as a platform for an application-level or circuit-level gateway.
Application-Level Gateway
Acts as a relay of application-level traffic. The user contacts the gateway using a TCP/IP application, such as Telnet or FTP, and the gateway asks the user for the name of the remote host to be accessed.
- When the user responds and provides a valid user ID and authentication information, the gateway contacts the application on the remote host and relays TCP segments containing the application data between the two endpoints.
- If the gateway does not implement the proxy code for a specific application, the service is not supported and cannot be forwarded across the firewall.
- Further, the gateway can be configured to support only specific features of an application that the network administrator considers acceptable.
- Also called an application proxy.
Negative Filter
Allows all packets except those that meet specific criteria.
Positive Filter
Allows only packets that meet specific criteria to pass.
Replace
An additional Snort Inline option which allows the user to modify packets rather than drop them.
- Useful for honeypots.
Intrusion Prevention System (IPS)
An extension of an IDS that includes the capability to attempt to block or prevent detected malicious activity. Like an IDS, it can be host-based, network-based, or distributed/hybrid.
- Similarly, it can use anomaly detection to identify behavior that is not that of legitimate users, or signature/heuristic detection to identify known malicious behavior.
- Also known as an Intrusion Detection and Prevention System (IDPS).
System Calls
Any exploit code will execute at least one system call. The HIPS can be configured to examine each system call for malicious characteristics.
Application-Level Gateway vs. Packet Filtering Firewalls
Application-level gateways tend to be more secure than packet filters.
- Rather than contending with all the combinations at the TCP and IP level, the gateway needs only scrutinize a few allowable applications.
- It is also easier to log and audit all incoming traffic at the application level.
Packet Filtering Firewall
Applies a set of rules to each incoming and outgoing IP packet and then forwards or discards the packet. The firewall is typically configured to filter packets going in both directions (from and to the internal network).
- Filtering rules are based on information contained in a network packet.
- If nothing in the packet matches one of the rules, a default action is taken.
Buffer-Overflow Exploits
Chapter 10
Virtual Private Networks
Consists of a set of computers that interconnect by means of a relatively unsecure network and that make use of encryption and special protocols to provide security.
- At each corporate site, workstations, servers, and databases are linked by one or more LANs. The Internet or some other public network can be used to interconnect sites, providing a cost savings over the use of a private network and offloading the WAN management to the public network provider. That same public network provides an access path for telecommuters and other mobile employees to log on to corporate systems from remote sites.
Network Activity
Controls access based on considerations such as the time of request, e.g., only in business hours; rate of requests, e.g., to detect scanning attempts; or other activity patterns.
IP Address and Protocol Values
Controls access based on the source or destination addresses and port numbers, direction of flow being inbound or outbound, and other network and transport layer characteristics.
- This type of filtering is used by packet filter and stateful inspection firewalls. It is typically used to limit access to specific services.
User Identity
Controls access based on the user's identity, typically for inside users who identify themselves using some form of secure authentication technology, such as IPSec.
Application Protocol
Controls access on the basis of authorized application protocol data.
- This type of filtering is used by an application-level gateway that relays and monitors the exchange of information for specific application protocols, e.g., checking SMTP email for spam, or HTTP web requests to authorized sites only.
Personal Firewall
Controls the traffic between a personal computer or workstation on one side and the Internet or enterprise network on the other side.
- Can be used in the home environment or on corporate intranets.
- Typically it is a module on a personal computer.
  - Can also be housed in a router.
Default Policies
- Default = discard: That which is not expressly permitted is prohibited.
- Default = forward: That which is not expressly prohibited is permitted.
Statistical Anomaly
Develops baselines of normal traffic activity and throughput, and alerts on deviations from those baselines.
Host Input/Output
I/O communications, whether local or network based, can propagate exploit code and malware. The HIPS can examine and enforce proper client interaction with the network and its interaction with other devices.
VPN Implementation
In essence, a VPN uses encryption and authentication in the lower protocol layers to provide a secure connection through an otherwise insecure network, typically the Internet.
- Generally cheaper than real private networks using private lines.
- Relies on having the same encryption and authentication system at both ends.
- Encryption can be done by firewalls or routers.
- The most common protocol mechanism used for this purpose is at the IP level and is known as IPSec.
Network-Based IPS (NIPS)
In essence, an inline NIDS with the authority to modify or discard packets and tear down TCP connections.
- As with a NIDS, it makes use of techniques such as signature/heuristic detection and anomaly detection.
- Among the techniques used in a ______ but not commonly found in a firewall is flow data protection. This requires that the application payload in a sequence of packets be reassembled. The IPS device applies filters to the full content of the flow every time a new packet for the flow arrives. When a flow is determined to be malicious, the latest and all subsequent packets belonging to the suspect flow are dropped.
Distributed Firewall
Involves stand-alone firewall devices plus host-based firewalls working together under a central administrative control.
- Administrators can configure host-resident firewalls on hundreds of servers and workstations as well as configure personal firewalls on local and remote user systems.
- Tools let the network administrator set policies and monitor security across the entire network.
- These firewalls protect against internal attacks and provide protection tailored to specific machines and applications. Stand-alone firewalls provide global protection, including internal firewalls and an external firewall, as discussed previously.
Firewall Basing
It is common to base a firewall on a stand-alone machine running a common operating system, such as UNIX or Linux. Firewall functionality can also be implemented as a software module in a router or LAN switch.
Firewall Access Policy
Lists the types of traffic authorized to pass through the firewall, including address ranges, protocols, applications and content types.
Protocol Anomaly
Looks for deviation from standards set forth in RFCs.
Access to Email Contact List
Many worms spread by mailing a copy of themselves to addresses in the local system's e-mail address book.
Packet Filtering Firewall Advantages
One advantage of a packet filtering firewall is its simplicity. Also, packet filters typically are transparent to users and are very fast.
UTM Limitations
Performance. Both throughput and latency loss occur frequently with such machines.
SOCKS Package (RFC 1928)
Protocol designed to provide a framework for client-server applications in both the TCP and UDP domains to conveniently and securely use the services of a network firewall. The protocol is conceptually a "shim-layer" between the application layer and the transport layer, and as such does not provide network-layer gateway services, such as forwarding of ICMP messages.
- A circuit-level gateway implementation.
Modification of System Resources
Rootkits, Trojan horses, and backdoors operate by changing system resources, such as libraries, directories, registry settings, and user accounts.
Stateful Matching
Scans for attack signatures in the context of a traffic stream rather than individual packets.
Pattern Matching
Scans incoming packets for specific byte sequences (the signature) stored in a database of known attacks.
Single Bastion T
Similar to single bastion inline but has a third network interface on the bastion to a DMZ where externally visible servers are placed.
- Again, this is a common appliance configuration for medium to large organizations.
Reject
Snort rejects a packet and logs the result. In addition, an error message is returned.
- In the case of TCP, this is a TCP reset message, which resets the TCP connection.
- In the case of UDP, an ICMP port unreachable message is sent to the originator of the UDP packet.
Drop
Snort rejects a packet based on the options defined in the rule and logs the result.
Sdrop
Snort rejects a packet but does not log the packet.
Double Bastion T
The DMZ is on a separate network interface on the bastion firewall.
- This configuration is also common for large businesses and government organizations and may be required.
File System Access
The HIPS can ensure that file access system calls are not malicious and meet established policy.
HIPS Sandbox
The HIPS quarantines code in an isolated system area, then runs the code and monitors its behavior. If the code violates predefined policies or matches predefined behavior signatures, it is halted and prevented from executing in the normal system environment.
- Especially suited to mobile code like Java applets and scripting languages.
Application-Level Gateway Disadvantage
The additional processing overhead on each connection. In effect, there are two spliced connections between the end users, with the gateway at the splice point, and the gateway must examine and forward all traffic in both directions.
Advantages of HIPS
The advantages of the integrated HIPS approach are that the various tools work closely together, threat prevention is more comprehensive, and management is easier.
External Firewalls in a DMZ Configuration
The external firewall provides a measure of access control and protection for the DMZ systems consistent with their need for external connectivity. The external firewall also provides a basic level of protection for the remainder of the enterprise network.
Packet Filtering Firewall Vulnerability
The firewall must permit to some degree all inbound network traffic on all the temporary port numbers between 1,024 and 65,535.
IP Address Spoofing
The intruder transmits packets from the outside with a source IP address field containing an address of an internal host.
- The attacker hopes that the use of a spoofed address will allow penetration of systems that employ simple source address security.
- Countermeasure: Discard packets with an internal source address if they arrive at an external interface.
Tiny Fragment Attacks
The intruder uses the IP fragmentation option to create extremely small fragments and force the TCP header information into a separate packet fragment.
- Designed to circumvent filtering rules that depend on TCP header information.
  - Typically, a packet filter will make a filtering decision on the first fragment of a packet. All subsequent fragments of that packet are filtered out solely on the basis that they are part of the packet whose first fragment was rejected.
- Countermeasure: Rule that the first fragment of a packet must contain a predefined minimum amount of the transport header.
System Registry Settings
The registry maintains persistent configuration information about programs and is often maliciously modified to extend the life of an exploit. The HIPS can ensure that the system registry maintains its integrity.
Source Routing Attack
The source station specifies the route that a packet should take as it crosses the Internet, in the hopes that this will bypass security measures that do not analyze the source routing information.
- Countermeasure: Discard all packets that use this option.
Privilege Escalation Exploits
These attacks attempt to give ordinary users root access.
Host-Resident Firewall
This category includes personal firewall software and firewall software on servers. Such firewalls can be used alone or as part of an in-depth firewall deployment.
Distributed Firewall Configuration
This configuration is used by some large businesses and government organizations.
Distributed/Hybrid IPS
This gathers data from a large number of host- and network-based sensors and relays this intelligence to a central analysis system able to correlate and analyze the data, which can then return updated signatures and behavior patterns to enable all of the coordinated systems to respond and defend against malicious behavior. A number of such systems have been proposed. One of the best known is the digital immune system.
Stateful Packet Inspection Firewall
Tightens up the rules for TCP traffic by creating a directory of outbound TCP connections. The packet filter will now allow incoming traffic to high-numbered ports only for those packets that fit the profile of one of the entries in this directory.
- Reviews the same packet information as a normal packet filtering firewall, but also records information about TCP connections; perhaps even sequence numbers and small amounts of application data.
The Role of HIPS
Traditionally, endpoint security has been provided by a collection of distinct products, such as antivirus, antispyware, antispam, and personal firewalls. The HIPS approach is an effort to provide an integrated, single-product suite of functions.
Circuit-Level Gateway Use
Typically best when users are trusted, as its security is not as strong. A typical implementation is to use an Application-Level Gateway for incoming traffic and a Circuit-Level Gateway for outgoing traffic from internal users. This avoids doubling the overhead of the ALG for a group that is relatively trustworthy.
Traffic Anomaly
Watches for unusual traffic activities, such as a flood of UDP packets or a new service appearing on the network.
SOCKS Operation
When a TCP-based client wishes to establish a connection to an object that is reachable only via a firewall, it must open a TCP connection to the appropriate SOCKS port on the SOCKS server system. The SOCKS service is located on TCP port 1080. If the connection request succeeds, the client enters a negotiation for the authentication method to be used, authenticates with the chosen method, and then sends a relay request.
- The SOCKS server evaluates the request and either establishes the appropriate connection or denies it.
- UDP is handled by using a TCP connection to authenticate the user and forward packets.
Double Bastion Inline
Where the DMZ is sandwiched between bastion firewalls.
- This configuration is common for large businesses and government organizations.