Network Perimeter Security 2 Firewall Configurations, NIDS, and IPS
Basic Packet Filtering • Direct Access • simple to setup • But rules can be complex • Hard to verify • Exceptions are hard to manage • Flexible rule sets needed
Stateful Filtering • Maintain state • Alice is talking to Bob on port 2401 • Alice sent a SYN/ACK packet • expect an ACK from Bob
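To make the state-table idea concrete, here is a small TCP connection tracker written for this page (an added example, not from the slides or any firewall product). The addresses, the inside prefix 10.0.0. and the set of inbound-open ports are constructed; the exchange replayed is the slide's: Bob opens to Alice on port 2401, Alice answers with SYN/ACK, the filter then expects Bob's ACK, and an unsolicited inbound ACK with no state is dropped.

```python
class StatefulFilter:
    """TCP connection tracker: a packet passes only as the next step of a handshake
    already in the state table, or as a SYN the static policy permits."""

    def __init__(self, inside_prefix, inbound_open_ports):
        self.inside = inside_prefix                # "10.0.0." marks the protected side
        self.open_ports = set(inbound_open_ports)  # services outsiders may connect to
        self.table = {}   # (initiator ip, port, responder ip, port) -> handshake state

    def _lookup(self, p):
        # Both directions of a flow share one key, ordered by whoever sent the SYN.
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if fwd in self.table: return fwd, True, self.table[fwd]
        if rev in self.table: return rev, False, self.table[rev]
        return fwd, True, None

    def check(self, p):
        key, from_initiator, state = self._lookup(p)
        f = p["flags"]
        if state is None:
            # A new flow must open with a bare SYN: anything from inside, or an outside
            # client hitting an allowed port.  Stray ACKs/SYN-ACKs/RSTs get no free pass.
            inbound = not p["src"].startswith(self.inside)
            if f == "S" and (not inbound or p["dport"] in self.open_ports):
                self.table[key] = "SYN_SENT"
                return "allow"
            return "drop: no state for %s" % f
        if state == "SYN_SENT" and not from_initiator and f == "SA":
            self.table[key] = "SYN_RECV"           # Alice answered Bob's SYN
            return "allow"
        if state == "SYN_RECV" and from_initiator and f == "A":
            self.table[key] = "ESTABLISHED"        # Bob's ACK completes the handshake
            return "allow"
        if state == "ESTABLISHED":
            if "R" in f: del self.table[key]       # reset ends the flow (FIN-wait not modelled)
            return "allow"
        return "drop: %s unexpected in state %s" % (f, state)

def pkt(src, sport, dst, dport, flags):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}

def demo():
    # Replay the slide's exchange: Bob (outside) connects to Alice's service on 2401.
    fw = StatefulFilter("10.0.0.", inbound_open_ports={2401})
    bob, alice = ("198.51.100.7", 40000), ("10.0.0.5", 2401)   # constructed addresses
    return [fw.check(pkt(*bob, *alice, "S")),                   # Bob's SYN        -> allow
            fw.check(pkt(*alice, *bob, "SA")),                  # Alice's SYN/ACK  -> allow
            fw.check(pkt(*bob, *alice, "A")),                   # expected ACK     -> allow
            fw.check(pkt("198.51.100.9", 1234, "10.0.0.5", 22, "A"))]  # unsolicited -> drop
```

Timeouts for half-open entries are left out; a real tracker ages SYN_SENT entries so a flood of SYNs cannot fill the table.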
Application Gateway • Virtual Connection • Connect to the proxy • Connect from the proxy to the outside
Application Gateway • Benefits • Information hiding: no nmaps, etc. • Incoming traffic gets pre-authenticated • Less complex packet filtering rules • more conservative filtering • more detailed audit logs
Configuration Options • Packet Filtering Only • Dual-homed Gateway • Screened Host Firewall • Screened Subnet Firewall
Dual-Homed Gateway • App. Gateway • 2 NIC’s • IP forwarding disabled • Info server: Web, FTP, Gopher, etc.
Screened Host • Combines • Packet Filter • App. Gateway • Filter • Routes app. traffic to AG • Rejects non-app. traffic • Rejects outgoing traffic that is not from AG
Screened Host • Flexibility • Can allow “trusted” traffic past AG • concerns? • e.g. DNS • Some Complexity
Screened Subnet (DMZ) • Two packet filters • DMZ: Info server, email, & App. Gateway • Everything goes through the right channels • Benefits • Relatively simple rules at the filters • Router as gate to internal n/w • Potentially faster • Concerns • ?
NIDS • Network-Based Intrusion Detection • Using network-level data • Generally using packet captures
Snort IDS • Snort consists of three subsystems: • packet decoder (libpcap-based) • detection engine • logging and alerting subsystem • Detection engine • Rules form signatures • Some anomaly detection • stealth scans, OS fingerprinting, invalid ICMP codes, etc.
Snort: Sample IDS output
Escalation!
• Apr 12 01:56:21 ids snort: EXPLOIT sparc setuid 0: 218.19.15.17:544 -> xxx.yyy.zzz.41:37987
• Apr 12 01:56:21 ids snort: EXPLOIT x86 NOOP: 23.91.17.7:544 -> xxx.yyy.zzz.41:37987
• Apr 12 07:31:03 ids snort: ICMP Nmap2.36BETA or HPING2 Echo : 63.26.255.221 -> xxx.yyy.zzz.34
• Apr 12 09:59:38 ids snort: RPC portmap request rstatd: 28.11.67.132:1033 -> xxx.yyy.zzz.29:111
• Apr 12 13:20:05 ids snort: ICMP Nmap2.36BETA or HPING2 Echo : 12.13.1.67 -> xxx.yyy.zzz.126
• Apr 12 14:13:22 ids snort: RPC portmap request rstatd: 134.1.5.12:3649 -> xxx.yyy.zzz.29:111
• Apr 12 20:19:34 ids snort: BACKDOOR back orrifice attempt: 209.255.213.130:1304 -> xxx.yyy.zzz.241:31337
• Apr 12 22:53:52 ids snort: DNS named iquery attempt: 209.126.168.231:4410 -> xxx.yyy.zzz.23:53
Slide callouts: Buffer Overflow? (the EXPLOIT alerts), Network Mapping (the Nmap/HPING2 echo and RPC portmap alerts), Trojan Horse (the Back Orifice alert on port 31337), DoS: crash BIND (the DNS named iquery alert)
Snort Rules • Snort rules consist of two parts • Rule header • Specifies src/dst host and port • Alert tcp !128.119.0.0/16 any -> 128.119.166.5 any • Rule options • Specifies flags, content, output message • (flags: SFAPR; msg: “Xmas tree scan”) • Using both parts together gives snort great flexibility • Variables are allowed in the ruleset
Writing Snort Rules • Snort uses a simple rules language • http://packetstormsecurity.nl/papers/IDS/snort_rules.htm • Rule header consists of • Rule Actions • Alert, Log, Pass Dynamic, activate, etc… • Protocol • tcp, udp, icmp, etc… • IP Addresses • Source, dest, CIDR mask • Port numbers • Source, dest, range • Direction • Negation
Writing Snort Rules • Rule options consists of • msg • flags • content • dsize • seq • ack • itype/icode • fragbits • ttl • Many others
Making a Snort Rule
• FIN Scan
• Open ports don’t respond
• Closed ports respond with a RST
    # nmap -sF -v 192.168.0.7
    Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-04-23 21:17 EDT
    Initiating FIN Scan against 192.168.0.7 [1663 ports] at 21:17
    The FIN Scan took 1.51s to scan 1663 total ports.
    Host 192.168.0.7 appears to be up ... good.
    Interesting ports on 192.168.0.7:
    (The 1654 ports scanned but not shown below are in state: closed)
    PORT   STATE         SERVICE
    21/tcp open|filtered ftp
    22/tcp open|filtered ssh
    …
    Nmap finished: 1 IP address (1 host up) scanned in 2.276 seconds
    Raw packets sent: 1674 (66.9KB) | Rcvd: 1655 (76.1KB)
Making a Snort Rule
• OS fingerprinting
• OSes have different implementations
• Probe to find these
• Examples:
• T1: Test 1 sends a SYN frame with a mix of TCP options to an open port. These options consist of a window scale option of 10, a maximum segment size of 265, and a timestamp value of 1061109567.
• T2: Test 2 sends a NULL TCP frame (no flags set) to an open port. This frame includes the same TCP options as those in Test 1.
• T3: Test 3 sends a TCP frame with the SYN, FIN, PSH, and URG flags to an open port. This frame also includes the same TCP options as those found in test 1 and test 2.
Making a Snort Rule • Smurf Attack • ICMP • 1500 bytes • Spoofed IP • Broadcast Address • Snort options • dsize, itype=8 (echo)
Making Snort Rules • Attacks • SYN FIN scan • OS Fingerprinting • Smurf • Parameters • Network: 202.15.6.0/24 • Variables • $EXTERNAL_NET, $HOME_NET
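A worked answer to this exercise, as an added example that is not from the slides or from Snort itself: a small Python matcher that parses the rule header and the options the slides name (flags, dsize, itype), then runs candidate rules for the three attacks against constructed packets. The $HOME_NET binding to 202.15.6.0/24, the rule texts and the packets are assumptions made for this example; the real Snort parser supports far more options and escaping, and the same parser also reads the header/option layout of the DDOS rules on the later slides.

```python
import ipaddress
VARS = {"$HOME_NET": "202.15.6.0/24", "$EXTERNAL_NET": "!202.15.6.0/24"}  # constructed for the exercise

def parse_rule(text):
    """Split a rule into header fields and an option dict (no escape handling)."""
    header, body = text.split("(", 1)
    action, proto, src, sport, _arrow, dst, dport = header.split()
    items = (i.split(":", 1) for i in body.rsplit(")", 1)[0].split(";") if ":" in i)
    opts = {k.strip(): v.strip().strip('"') for k, v in items}
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "opts": opts}

def ip_ok(spec, ip):
    spec = VARS.get(spec, spec)                       # $HOME_NET -> CIDR; "!" negates
    if spec == "any": return True
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != spec.startswith("!")

def port_ok(spec, port):
    if spec == "any": return True
    lo, sep, hi = spec.partition(":")                 # "80", "1:1023", "1024:"
    return int(lo or 0) <= port <= int(hi or (65535 if sep else lo))

def flags_ok(spec, have):   # "SF" = exactly SYN+FIN; "A+" = ACK plus any others; "0" = none
    want = set() if spec.rstrip("+") == "0" else set(spec.rstrip("+"))
    return want <= set(have) if spec.endswith("+") else want == set(have)
def dsize_ok(spec, size):                             # ">1000", "<64" or an exact size
    op, n = (spec[0], int(spec[1:])) if spec[0] in "<>" else ("=", int(spec))
    return size > n if op == ">" else size < n if op == "<" else size == n
CHECKS = {"flags": lambda v, p: flags_ok(v, p.get("flags", "")),
          "dsize": lambda v, p: dsize_ok(v, p.get("dsize", 0)),
          "itype": lambda v, p: int(v) == p.get("itype")}

def matches(rule, p):
    header_ok = (rule["proto"] == p["proto"] and ip_ok(rule["src"], p["src"])
                 and ip_ok(rule["dst"], p["dst"]) and port_ok(rule["sport"], p.get("sport", 0))
                 and port_ok(rule["dport"], p.get("dport", 0)))
    return header_ok and all(CHECKS[k](v, p) for k, v in rule["opts"].items() if k in CHECKS)

def alerts(rules, p):                                 # msg of every rule the packet trips
    return [r["opts"]["msg"] for r in map(parse_rule, rules) if matches(r, p)]

# Candidate rules for the slide's exercise (written for this example, not from the page).
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (flags:F; msg:"FIN scan";)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (flags:SF; msg:"SYN FIN scan";)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (flags:SFPU; msg:"OS fingerprint probe T3";)',
    'alert icmp $EXTERNAL_NET any -> 202.15.6.255 any (itype:8; dsize:>1000; msg:"Smurf echo to broadcast";)',
]
```

The Smurf rule keys on the broadcast address, echo type and oversized payload together, so ordinary pings to hosts on the subnet do not trip it.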
Intrusion Detection Evasion • Modify standard attack packets • Fragmentation • Re-encoding • Multi-packet attacks • DoS the IDS
IDS Evasion with Unicode • Unicode • Unicode provides a unique number for every character, no matter what the platform, no matter what the program, no matter what the language. • Unicode characters are called code points and can be represented by U+xxxx where x is a hexadecimal digit.
IDS Evasion with Unicode • Why is Unicode a problem? • Multiple representations of a single character. • ‘A’ is the same in Russian • Some code points can be used to modify the previous code point. • Many code points have multiple representations. • 30 different representations for the letter "A". • The string "AEIOU" can be expressed 83,060,640 ways • Re-encode Attacks • “Today it is possible to use UTF-8 encoding to attack an IIS server and evade detection from all vendor's NIDS.”
Snot • Snort requires resources • like anything else • Snot • takes a snort ruleset • generates packets that fit the rules • Clobber snort with hits • DoS the IDS • http://www.sec33.com/sniph/
IPS • Reality of today’s n/w • Automated attacks • Too many alerts! • BRF meaningless • Solution • Use IDS to decide what to block • Fast n/w processing units
Snort Inline • New rules • Drop: no response • Reject • TCP reset or ICMP unreachable • Sdrop: no response, no log
Snort Rules Example
alert tcp $EXTERNAL_NET any -> $HOME_NET 20432 (msg:"DDOS shaft client to handler"; flags: A+; reference:arachnids,254;)
alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00:DaemontoMaster(messagedetected)"; content:"l44";reference:arachnids,186;)
alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00:DaemontoMaster(*HELLO*detected)"; content:"*HELLO*"; reference:arachnids,185;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00:Attacker to Master default startup password";flags: A+; content:"betaalmostdone"; reference:arachnids,197;)
Snort rules examples
alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default password";flags: A+; content:"gOrave";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default mdie password";flags: A+; content:"killme";)
alert udp $EXTERNAL_NET any -> $HOME_NET 27444 (msg:"DDOS Trin00:MastertoDaemon( defaultpassdetected!)"; content:"l44adsl"; reference:arachnids,197;)
ICMP Type Information
Type  Name                        Reference
----  -------------------------   ---------
   0  Echo Reply                  [RFC792]
   1  Unassigned                  [JBP]
   2  Unassigned                  [JBP]
   3  Destination Unreachable     [RFC792]
   4  Source Quench               [RFC792]
   5  Redirect                    [RFC792]
   6  Alternate Host Address      [JBP]
   7  Unassigned                  [JBP]
   8  Echo                        [RFC792]
   9  Router Advertisement        [RFC1256]
  10  Router Solicitation         [RFC1256]
  11  Time Exceeded               [RFC792]
  12  Parameter Problem           [RFC792]
  13  Timestamp                   [RFC792]
  14  Timestamp Reply             [RFC792]
  15  Information Request         [RFC792]
  16  Information Reply           [RFC792]
  17  Address Mask Request        [RFC950]
  18  Address Mask Reply          [RFC950]
  …
Type  Name (with codes)                                   Reference
----  -------------------------------------------------   ---------
   0  Echo Reply                                          [RFC792]
      code 0: No Code
   1  Unassigned                                          [JBP]
   2  Unassigned                                          [JBP]
   3  Destination Unreachable                             [RFC792]
      code 0: Net Unreachable                             [RFC792]
      code 1: Host Unreachable                            [RFC792]
      code 2: Protocol Unreachable                        [RFC792]
      …
   4  Source Quench                                       [RFC792]
      code 0: No Code
   5  Redirect                                            [RFC792]
      code 0: Redirect Datagram for the Network (or subnet)
      code 1: Redirect Datagram for the Host
      …
   6  Alternate Host Address                              [JBP]
      code 0: Alternate Address for Host
   7  Unassigned                                          [JBP]
   8  Echo                                                [RFC792]
      code 0: No Code
Unicode problems
• IDS Evasion with Unicode (Eric Hacker) http://online.securityfocus.com/infocus/1232
• Microsoft Internet Information Server (IIS) comes with unicode extensions that are notoriously exploitable:
• http://192.168.0.1/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
• %c0%af is unicode for /
• More details
• in “Microsoft IIS Unicode Exploit” (Nate Miller, Lucent white paper) http://www.lucent.com/livelink/197020_Whitepaper.pdf
• Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability http://online.securityfocus.com/bid/1806
Insertion and Evasion
• http://192.168.0.1/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
• %c0%af is an overlong UTF-8 encoding of /
• Making the end-system and the IDS match up is important.
• When data reaches the IDS but not the end-host, the attack is called insertion.
• Fragmentation attacks are a form of insertion because extra data reaches the IDS.
• When data is dropped by the IDS but reaches the end-host, it is called evasion.
• The unicode example is evasion in a sense because the important data was “dropped”, that is, not detected by the IDS.
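An added example (not from the slides) that shows the evasion in code: the slide's IIS request passes a check that matches on the percent-decoded bytes, but a permissive endhost decoder turns the overlong %c0%af into a real '/' and sees a directory traversal; the hardened check rejects any non-shortest-form UTF-8 before matching. The segment-based traversal check and the two-byte-only lenient decoder are simplifications assumed here, not IIS's or any NIDS's actual code.

```python
from urllib.parse import unquote_to_bytes

# The slide's IIS request, used as the sample input.
SAMPLE = "http://192.168.0.1/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\"

def lenient_utf8(data: bytes) -> str:
    """Decode two-byte UTF-8 sequences without the shortest-form rule, the way a
    permissive endhost decoder did: C0 AF is accepted and becomes '/'."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b)); i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))); i += 2
        else:
            out.append("\ufffd"); i += 1          # anything else: replacement char
    return "".join(out)

def has_traversal(path: str) -> bool:
    """Segment-wise check for a '..' component, applied after decoding."""
    return ".." in path.split("/")

def raw_path(url: str) -> bytes:
    return unquote_to_bytes(url.split("?", 1)[0])   # percent-decode, drop the query

def ids_sees_traversal(url: str) -> bool:
    """A NIDS matching on percent-decoded bytes: the segment '..\\xc0\\xaf..' is not '..'."""
    return has_traversal(raw_path(url).decode("latin-1"))

def endhost_sees_traversal(url: str) -> bool:
    """The permissive endhost turns the overlong '/' into a real separator."""
    return has_traversal(lenient_utf8(raw_path(url)))

def hardened_check(url: str) -> str:
    """Defender's version: refuse anything that is not valid shortest-form UTF-8
    (Python's decoder rejects overlong forms), then test the canonical path."""
    try:
        path = raw_path(url).decode("utf-8")
    except UnicodeDecodeError:
        return "reject: invalid or overlong UTF-8"
    return "reject: traversal" if has_traversal(path) else "allow"
```

The same principle applies to the NIDS: normalise exactly as the protected endhost does, or refuse what the endhost would have to guess about, before comparing against signatures.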
CTF • Capture the Flag • International competition • 30+ other schools • Logistics • 12/5, 10 am to 6 pm. • Pizza & drinks • Goals • Defend your network • Keep services running • Attack!
CTF Team • Need to prepare • Go to • http://www.hackthissite.org • Register • Solve at least 5 out of 10 Basic Missions • Email me to join the team: • mwright@uta.edu
Security Classes • Infosec 2 • Cryptography • Protocols • Labs and Project • 6000-level • Internet Security (Spring) • Intrusion Detection (Fall) • Wireless Security (?)