Firewalls and intrusion detection systems
Bencsáth Boldizsár
Outline
– Firewalls
– Intrusion detection systems (IDS)

Introduction
– A firewall is a system or group of systems that enforces an access control policy between networks
– Mostly the goal is to protect TCP/IP networks
– Other possible firewalls: between applications in a Windows environment, Java Card firewalls, etc.

– Functions:
• Blocking traffic
• Permitting traffic
• Enabling secure remote connections (VPN)
• Logging traffic
• Content filtering (blocking): viruses, attacks
• Network management purposes (screening the traffic etc.)

Main goals
The main goal of firewalling is
– to control unnecessary services and traffic
– to hide our internal network topology and services
– to protect against protocol errors (e.g. invalid SMTP commands can be filtered)
– to enable logging
– to control the activity of internal users
– every accessible point is a possible security hole: with firewalling we minimize the accessible points and make it more difficult to deploy an attack
– we can make it more difficult to exploit a vulnerability: e.g. with tftp denied it is more difficult to send files to the Internet after an attack
– we can separate the network into subnetworks: an intrusion will not compromise our whole system, just a subnetwork/server

A firewall is not good for…
– Stopping information flow/leakage: data can be leaked out even through DNS or e.g. HTTP tunnels. It is very hard to protect against covert channels.
– Complete protection against intrusions: a single open port can be used to gain privileged access. An application proxy might not stop attacks through badly formed parameters, etc. An industry spy can use the telefax to transport secrets…

Packet filtering – disable access to unwanted services

Scan before filtering:
Port      State     Service
9/tcp     open      discard
13/tcp    open      daytime
21/tcp    open      ftp
22/tcp    open      ssh
23/tcp    open      telnet
25/tcp    open      smtp
37/tcp    open      time
79/tcp    open      finger
80/tcp    open      http
109/tcp   open      pop-2
110/tcp   open      pop-3
139/tcp   open      netbios-ssn
143/tcp   open      imap2
515/tcp   open      printer
587/tcp   open      submission
1723/tcp  open      pptp
3128/tcp  open      squid-http

Scan after filtering:
Port      State     Service
21/tcp    open      ftp
22/tcp    open      ssh
25/tcp    open      smtp
80/tcp    open      http
110/tcp   open      pop-3
143/tcp   open      imap2
3128/tcp  filtered  squid-http

Packet filtering
– Filtering based on the network layer of the IP stack
– Filtering rules described in a rule base
– Default permit / default deny design
– Most routers have packet filtering capabilities
– A good packet filter…
  - permits connections to really-needed services
  - also filters internal access – most of the intrusions come from employees
  - detects anomalies – TCP packet without SYN handshake etc.
  - filters out all the services that we do not use currently (not only those we don’t want to show)
  - hides internal network elements and architecture (NAT)
  - filters services available to internal hosts (e.g. filter out streaming)

Main problem: Stateless? Stateful? How?

Packet filtering
– Packet filtering rules are mostly based on:
  – IP protocol (UDP, TCP, …)
  – Source IP address
  – Destination IP address
  – Source/destination port (socket)
  – Connection state (TCP: SYN, RST, established, … or e.g. FTP states)
  – (rate control)
  – (filter rules based on time schedule – no streaming before 8 p.m.)
  – incoming/outgoing interface
  – etc.

Application gateway
– Proxies rebuild the whole protocol (application layer gateway)
– Needs to know the exact specification of the protocol we use
– Can investigate the content of the flow
– Can protect against protocol errors
– More vulnerable to DoS
– Can be more complicated for (internal) users (e.g. telnet proxy)
– Lower performance
– Higher security

Packet filter vs. Application gateway
– Packet filtering without states is insecure
– Stateful packet filtering is fast
– Stateful packet filtering might not protect against some protocol errors
– Application gateways are more sophisticated
– Application gateways are (mostly) not transparent, so an internal webserver behind an application gateway cannot log who is downloading the page
– Modern solutions mix the two methods.

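As an added illustration of the point above (not code from the original slides), a toy Python filter shows why a stateless "established" rule is insecure: it accepts any stray ACK, while a stateful filter keeps a connection table and drops TCP packets that belong to no seen SYN handshake. The 10.0.0.x subnet, the allowed ports and the packets are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    # Constructed test packets: only the header fields a packet filter inspects.
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset          # TCP flags present, e.g. frozenset({"SYN"})

INTERNAL_NET = "10.0.0."        # assumed protected subnet
ALLOWED_INBOUND = {22, 25, 80}  # really-needed services; everything else is default deny

def inbound(pkt):
    # True for packets from outside addressed to the protected subnet.
    return pkt.dst.startswith(INTERNAL_NET) and not pkt.src.startswith(INTERNAL_NET)

def stateless_filter(pkt):
    """Screening-router rules: without a connection table, 'established' is guessed from the ACK bit."""
    if not inbound(pkt):
        return "ACCEPT"                       # outbound traffic is permitted
    if pkt.flags == {"SYN"}:                  # new connection attempt
        return "ACCEPT" if pkt.dport in ALLOWED_INBOUND else "DROP"
    if "ACK" in pkt.flags:
        return "ACCEPT"                       # weakness: any stray ACK passes, to any port
    return "DROP"

class StatefulFilter:
    """Tracks the SYN handshake; a TCP packet of no seen connection is the anomaly and is dropped."""
    def __init__(self):
        self.conns = {}                       # (client, cport, server, sport) -> state

    def filter(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.flags == {"SYN"}:
            if inbound(pkt) and pkt.dport not in ALLOWED_INBOUND:
                return "DROP"                 # default deny for unwanted services
            self.conns[fwd] = "SYN_SENT"
            return "ACCEPT"
        key = fwd if fwd in self.conns else rev if rev in self.conns else None
        if key is None:
            return "DROP"                     # no handshake seen for this flow
        if pkt.flags == {"SYN", "ACK"} and key == rev:
            self.conns[key] = "ESTABLISHED"   # server answered the client's SYN
        if pkt.flags & {"FIN", "RST"}:
            self.conns.pop(key)               # connection torn down, forget it
        return "ACCEPT"
```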
Rule sets – example
– Linux iptables:
/sbin/iptables -A INPUT -j ACCEPT -p tcp -d 0/0 -v --dport 23
/sbin/iptables -A INPUT -j LOG -p tcp -d 0/0 -v --dport 110 --tcp-flags SYN,ACK,FIN,RST SYN
/sbin/iptables -A INPUT -j ACCEPT -p tcp -d 0/0 -v --dport 110
/sbin/iptables -A INPUT -j DROP -p tcp -d 0/0 -v --dport 3128
(Rules are matched in order: the LOG rule records only packets with SYN set among SYN/ACK/FIN/RST, i.e. new connection attempts to POP-3, and the following ACCEPT rule then lets the port 110 traffic through.)
– Checkpoint Firewall – text:
:rule-base ("##Standard" :rule (
:src ( : Any )
:dst ( : Any )
:services ( : Any )
:action ( : (accept
:type (accept)
:color ("Dark green")
:macro (RECORD_CONN)
:icon-name (icon-accept)
:text-rid (61463)
:windows-color (green) ) )
– Graphical tools / ruleset generators help

Architecture / Basic
[Figure: Internet – router – firewall – Internal network. The firewall „filters the traffic”; it can be a dual-homed gateway or a simple packet filter (screening router).]

Elements
– Dual-homed gateway
– Single-homed gateway
– Gateway: application level border element, e.g. proxy server
[Figure: dual-homed gateway and single-homed gateway in front of the internal network.]

Packet filter only – screening router
[Figure: Internet – router (packet filter) – Internal network. The firewall can be a single screening router.]

Packet filter with bastion host
[Figure: Internet – router (packet filter) – bastion host – Internal network. Bastion host, here: a dual-homed gateway == proxy server == application level firewall.]

Packet filter with bastion host
[Figure: Internet – router (packet filter) – bastion host – internal packet filter – Internal network. Bastion host, here: a proxy firewall.]

Packet filter with bastion host, DMZ, internal pf
[Figure: Internet – router (packet filter) – DMZ (De-Militarized Zone: bastion host, here a proxy firewall?, mail server, web server) – internal packet filter – Internal network. Many different topologies can be considered.]

Firewall – products
Platform and other parameters
– Windows, Linux, Solaris, proprietary OS
– Hardened operating system
– With or without hardware
– Working method (stateful inspection, application proxy)
– No. of interfaces
– Authentication methods
– Maximum traffic
– Ease of use
– Price

Commercial & free products
– Iptables, netfilter packet filtering
– Windows internal port filtering (and IPSEC (policies), network sharing, routing, etc.)
– Checkpoint Firewall (FW-1): Linux, Windows, Nokia
– Cisco PIX
– Symantec Enterprise Firewall (<- Raptor)
– Secure Computing Sidewinder (incl. Gauntlet)
– Zorp (Balabit)
– NAI Firewall (Gauntlet -> Secure Co)
– Evaluation: ICSA, Common Criteria, …

Personal firewalls
– Every single host on the Internet is a target
– Most users do not use tight security (no updates, bad passwords, no security settings)
– Attacked clients might become zombies for a DoS attack or a relay for spam and other attacks
– They need some protection
– Personal firewalls are mostly simple packet filters
– Drop incoming service requests (my Windows PC is not a file server)
– Alert on (anomalous) outgoing requests
– Can protect against trojans / information leakage / privacy problems too
– Can be integrated with virus protection

Intrusion detection systems
– Intrusion detection: detecting inappropriate, incorrect, or anomalous activity
– misuse detection != intrusion detection
– Host-based: operates on a (single) host
– Network-based: operates on network data flows (e.g. promiscuous mode network card on a dedicated host)

IDS Categories
– In-Kernel vs. Userspace
– Distributed vs. Atomic
– Host-based vs. Network-based
– Statistical vs. Signature Detection
– Active vs. Passive
– Proactive vs. Retroactive
– Flat vs. Hierarchical
(Justin Lundy)

Host-based IDS
– Checking log files for traces of attacks
– Checking the condition of processes
– Looking for anomalies of the authentication system (Why is X logging in from Thailand? Why is Z logging in during the weekend?)
– Checking the fingerprints of the installed binaries (operating system integrity)
– Checking for malicious user code – possible hacker tools, rootkits
– Version (and critical security hole) checking
– Checking for invalid www request URLs in the web server’s log files
– Personal firewall?
– …

Network based IDS
– On a single network element (near the firewall), or distributed: several agents are distributed on the network and a central server makes the decision
– Problem: encrypted traffic cannot be analyzed (traffic analysis, timing only)
– Signature filters: look for various signatures. Usual attacks possess some kind of signature that identifies them
  – problem: large number of possible signatures – high traffic rate (~GBps lines) – large number of dropped packets – less accurate result
  – problem: signatures have to be known. Regular updates are needed and much work to generate “good” signatures
  – problem: polymorphic attack: one might change the attack scenario so that the signature will not match

Anomaly detection
– Mostly on a statistical basis
– Detects statistically exceptional events
– Learning: watching activity during a ‘normal’ state and storing patterns (who logs in, what is the origin, when, etc.)
– Experience shows that 90% of attacks can be considered as protocol usage anomalies.
– Does not require signatures (except what it learns)
– We should carefully add knowledge about “normal” activity, such as RFC compliant state machines; it needs much work.
– A non-RFC compliant client is not always an attacker – we need flexibility

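As an added example (not from the original slides) of the learn-then-detect approach from the host-based IDS and anomaly detection slides: a profile of who logs in, from where and when is learned from a constructed "normal" week, later events are scored against it, and a threshold gives the flexibility mentioned above. The log format, users and dates are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed auth log "<ISO time> <user> <origin country>" (not a real format); Mon-Wed = normal week.
TRAINING_LOG = """\
2006-03-06T09:12:00 alice HU
2006-03-07T08:55:00 alice HU
2006-03-08T10:03:00 alice HU
2006-03-06T14:10:00 bob HU
2006-03-07T15:22:00 bob DE
2006-03-08T13:47:00 bob HU
2006-03-09T16:05:00 bob DE""".splitlines()

# Constructed events to score after learning: Friday the 10th and Saturday the 11th.
TEST_LOG = [
    "2006-03-10T09:30:00 alice HU",    # usual origin and hour, merely a Friday
    "2006-03-11T03:15:00 alice TH",    # weekend, 03:00, from Thailand
    "2006-03-10T12:00:00 mallory HU",  # account never seen during learning
]

def parse(line):
    ts, user, country = line.split()
    t = datetime.fromisoformat(ts)
    return user, country, t.hour, t.weekday()   # weekday(): 0 = Monday ... 6 = Sunday

def learn(lines):
    """Learning phase: record per user the origins, hours and weekdays seen as 'normal'."""
    profile = defaultdict(lambda: {"countries": set(), "hours": set(), "days": set()})
    for line in lines:
        user, country, hour, day = parse(line)
        p = profile[user]
        p["countries"].add(country); p["hours"].add(hour); p["days"].add(day)
    return profile

def score(profile, line):
    """Detection phase: name the attributes outside the learned profile (all, for an unknown user)."""
    user, country, hour, day = parse(line)
    p = profile.get(user, {"countries": set(), "hours": set(), "days": set()})
    reasons = []
    if country not in p["countries"]:
        reasons.append(f"origin {country}")
    if hour not in p["hours"]:
        reasons.append(f"hour {hour:02d}")
    if day not in p["days"]:
        reasons.append("weekend" if day >= 5 else f"weekday {day}")
    return user, reasons

def detect(profile, lines, threshold=2):
    """Flexibility: one unusual attribute alone is tolerated; alert from `threshold` deviations up."""
    return [sr for sr in (score(profile, l) for l in lines) if len(sr[1]) >= threshold]
```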
CIDF
– Model: Common Intrusion Detection Framework
  intrusion detection components can be reused in other systems
  interface & communication protocols
– Architecture
• Event generators (colloquially "E-boxes")
• Event analyzers ("A-boxes")
• Event databases ("D-boxes")
• Response units ("R-boxes")