บทที่ 5 Fundamental of Network...

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

บทที่ 5 Fundamental of Network Security บทที่ 6 TCP/IP Weakness บทที่ 7 Firewall บทที่ 8 Intrusion Detection System บทที่ 9 Security Policy & ISO 27100

บทที่ 5Fundamental of Network Security

อาจารย ดร. ชนันทกรณ จันแดง info@wuITM-742 Network Security Management 1 / 335

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Security Awareness


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Challenge


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Why security is becoming increasingly difficult

Speed of Attacks▶ Widely available of modern tools : Used to scan systems

▶ To find weaknesses▶ Lunch attacks

▶ Most tools are automated▶ Easy to attack target systems


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



Sophistication of attacks▶ Security attacks are becoming more complex

▶ Difficult to detect

Faster detection of weakness▶ Newly discovered system vulnerability double annually

▶ More difficult for software developer to update their products


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



Distributed attacks▶ Multiple system can be used to attack against a single computer

or network▶ Impossible to stop an attack by identifying and blocking the

sourceDifficulties in patching


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Definition


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Definition

Security▶ Security is about the protection of assets

Protective measures▶ Prevention▶ Detection▶ Reaction


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Definition

Computer Security▶ Computer security deals with the prevention and detection of

unauthorized actions by users of computer system▶ The goal is to protect data and resources▶ Only an issue on shared systems

▶ Like a network or a time-sharing OS▶ No “global” solution


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Definition

Computer security▶ No absolute “secure” system▶ Security mechanisms protect against specific classes of attacks

Network security▶ Security of data in transit

▶ Over network link/store-and-forward node▶ Security of data at the end point

▶ Files, Email, Hardcopies


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Definition

Network security differences from computer security :▶ Attacks can come from anywhere, anytime▶ Highly automated (script)▶ Physical security measures are inadequate▶ Wide variety of applications, services, protocols

▶ Complexity▶ Different constraints, assumptions, goals

▶ No single “authority”/administrators


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Security Objectives

▶ To protect Confidentiality, Integrity, Availability▶ Confidentiality:

▶ Ensure that only authorized user can view data▶ Or no data is disclosed intentionally or unintentionally


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Security Objectives

To protect Confidentiality, Integrity, Availability▶ Integrity:

▶ Ensure that▶ No data is modified by authorized person or software▶ No authorized changes are made by authorized person▶ Data remain consistent


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Security Objectives

To protect Confidentiality, Integrity, Availability▶ Availability:

▶ Ensure that▶ data is available to authorized users


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Terminology


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Terminology

▶ Security Mechanism▶ Service Service▶ Security Attack▶ Risk▶ Risk Analysis▶ Spies▶ Cyberterrorist


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Terminology

▶ Security Mechanism▶ A mechanism that designed to detect, prevent, or recover from a

security attack▶ Security Service

▶ A service that enhances the security of data processing systemsand information transfers

▶ Makes use of one or more security mechanisms▶ Security Attack

▶ Any action that compromises security information


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Terminoloty▶ Attacking Categories


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Terminology

▶ Risk▶ A measure of the cost of a realized vulnerability that incorporates

the probability of a successful attack▶ Risk Analysis

▶ Provides a quantitative means of deterring whether an expenditureon safeguards is warranted


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Terminology

▶ Spies▶ A person who

▶ Has been hired to break into a computer and steal information▶ Do not randomly search for unsecured computers to attack


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Terminology

▶ Cyberterrorist▶ Terrorists that attack the network and computer infrastructure to

▶ Deface electronic information (such as web sites)▶ Deny service to legitimate computer users▶ Commit unauthorized intrusions into system and network that

result in infrastructure outages and corruption of vital data


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Identification and Authentication


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Ident. and Authen.

▶ Authentication Basics

▶ Password

▶ Biometrics


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Authentication Basic

▶ Authentication▶ A process of verify a user’s identity

▶ Two reason of authentication a user▶ The user identity is parameter in access control decision (for a

system)▶ The user identity is recorded when logging security-relevant events

in an audit trail


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



▶ Authentication▶ Binding of an identity to a principal (subject)▶ An identity must provide information to enable the system to

confirm its identity


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



Authentication▶ Information (one or more)

▶ What the identity knows (such as password or secret information)▶ What the identity has (such as a badge or card)▶ What the identity is (such as fingerprints)▶ Where the identity is (such as in front of a particular terminal)


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



▶ Authentication process▶ Obtaining information from the identity▶ Analysis the data▶ Determining if it is associated with that identity

▶ Thus authentication process is▶ The process of verifying a claimed identity


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



Username and Password▶ Very common and simple identities▶ Used to enter into a system▶ Username

▶ Announce who a user is▶ This step is called identification

▶ Password▶ To prove that the user is who claims to be▶ This step is called authentication


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Authentication Mechanism

▶ Password

▶ Password Aging

▶ One-Time Password


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Password

▶ Based on what people know▶ Based on what people know▶ Computer validates it▶ If the password is associated with the user, the the user’s identity

is authenticated


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Password

Choosing passwords▶ Password guessing attack is very simple and always works !!

▶ Because users are not aware of protecting their passwords▶ Password choice is a critical security issue

▶ Choose passwords that cannot be easily guessed


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Password

Password defenses▶ Set a password to every account▶ Change default passwords▶ Password length

▶ A minimum password length should be prescribed

Password Format▶ Mix upper and lower case symbols▶ Include numerical and other non-alphabetical system


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Password

▶ Password Format▶ Mix upper and lower case symbols▶ Include numerical and other non-alphabetical system

▶ Avoid obvious password


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


How to improve password security?

▶ Password checking tools▶ Check password against some dictionary of weak password

▶ Password generation▶ Utility in some system▶ Producing random password for users

▶ Password Aging


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



Password Aging▶ A requirement that password be changed after some period of

time▶ Requires mechanism

▶ Forcing users to change to a difference password▶ Providing notice of need to change▶ A user-friendly method to change password


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



▶ One-Time Password▶ The password is validate for only one user

▶ Limit login attempt▶ A system monitors unsuccessful login attempt▶ Reacts by locking the user account if logging in process failed


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



Inform user▶ After successful login a system display

▶ The last login time▶ The number of of failed login attempt


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Attacking password

Password guessing▶ Exhaustive search (brute force)

▶ Try all possible combination of valid symbol▶ Dictionary Attack▶ Random Selection of password▶ Pronounceable and other computer-generated password▶ User selection password that base on account names, user name,

computer name


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Biometrics

The automated measurement of biological or behavioural features thatidentifies a personMethod:

▶ A set of measurement of a user is taken when user is given anaccount

▶ When a user access the system▶ The biometric authentication mechanism identify the identity


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Biometrics

▶ Fingerprint▶ Voices▶ Eyes

▶ Faces▶ Keystroke :

interval, presure

▶ Combination


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Vulnerability


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Vulnerability

Vulnerability▶ A weakness in a system allowing an attacker to violate the

confidentiality, integrity, availability▶ May result from

▶ Software bugs▶ Software or system design flaws


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Vulnerability

▶ Buffer overflow▶ Race Condition▶ Unencrypted protocol

▶ Bad/Insufficient sanity check▶ Backdoors


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Attack Type

▶ Passive Attack▶ Active Attack


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Passive Attack

Eavesdropping on transmissions▶ To obtain information

Release of message contents▶ Outsider learns content of transmission

Traffic analysis▶ By monitoring

▶ Frequency and length of messages▶ Nature of communication may be guessed


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Passive Attack

▶ Difficult to detect▶ Can be prevented▶ Example

▶ Sniffers▶ Wiretap▶ Social Engineering


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Passive Attack

▶ The attacker alter the data▶ Denial of Service▶ Easy to detect▶ Hard to prevent


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Passive Attack

▶ Virus▶ Worm▶ Trojan Horse▶ Trapdoor▶ Logic Bomb

▶ Masquerade▶ Bypassing Control▶ Denial of Service (DoS)▶ Replay


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Virus

Virus: a computer program that▶ can copy itself and infect a computer without permission or

knowledge of the user▶ spreads from one computer to another when its host (such as an

infected files) is taken to that computer▶ virused always infect or corrupt files on a targeted computer


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Worm

Worm: a computer program that▶ is a self-replicating code

▶ resides in active memory (the program is executed)▶ propagates itself

▶ uses a network to send copies of itself to other node▶ can spread itself to other computers without needing to be

transferred as part of an infected file▶ always harm the network


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Trojan

Trojan horse: a program that▶ installs malicious software while under guise of doing something

else▶ differs from a virus in that

▶ a trojan horse does not insert its code into other computer files▶ appear harmless until executed


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Logic Bomb

Logic Bomb: a program that▶ inactive until it is trigged by a specific event, e.g.

▶ a certain date being reached▶ once triggered, the program can perform may malicious activities▶ is difficult to defend against


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


DoS


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


DoS

Denial of Service attack: a threat that▶ Prevents legitimate traffic from being able to access the protected

resource▶ Common DoS

▶ Crashes a targeted service or server▶ Normally done by

▶ Exploiting program buffer overflow problem▶ Sending too many packets to a host -> causing the host crash


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Threat


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Threat

A person, thing, event▶ which poses some danger to an asset in terms of that asset’s

confidentiality, integrity, availability▶ Accident threats▶ Deliberate threats


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Threat

▶ Accident Threat▶ Disaster▶ Physical threats▶ Logical threats: Human error/Program error

▶ Hard to Prevent▶ Can be Protection


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Threat

▶ Deliberate threat▶ Hacker/cracker▶ Script kiddies▶ Spies and Malware▶ Denail of Service▶ Zombies


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Hacker & Cracker

▶ Hacker:▶ a person who uses his/her advances computer skill to attack

computer, but not with a malicious intent, hacker use the skill toexpose security flaw

▶ Cracker:▶ A person who violates system security with malicious intent.▶ Cracker destroy data, deny legitimate users of service, cause

serious problems on computer and networks


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Script Kiddies

▶ Want to break into computer skill like cracker/hacker▶ unskilled user▶ download software from web sites use to break into computer


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Spies

▶ A person who▶ Has been hired to break into computer and steal information▶ Do not randomly search for insecure computers to attack


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Malware

▶ A group of destructive programs such as viruses, worms, Trojan,logic bomb, and spyware


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Security Awareness

▶ Exploiting passwords▶ Exploiting known vulnerability▶ Exploiting protocol flaws


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Exploiting Password

Password guessing▶ use information▶ default password▶ dictionary attack : password

dictionary▶ social engineering: phishing▶ brute force


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Exploiting Know Vulnerability


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Examples


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


ThaiCERT


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Self Check

▶ เคยตั้งรหัสผานดวยขอมูลสวนตัว เชน ชื่อ สกุล วันเดือนปเกิด หรือเบอรโทรหรือไม

▶ เคยจดรหัสไวที่ใดๆ เพื่อกันลืมหรือไม▶ เคยอนุญาตใหคนอื่น ลงทะเบียน เช็คเกรด หรือประเมินอาจารยผานเว็บไซต

หรือไม▶ เครื่องคอมพิวเตอรของทาน เคยรันโปรแกรมหรือทำงานนานจนผิดสังเกตหรือ

ไม


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Self Check

▶ เครื่องคอมพิวเตอรของทานติดตั้งโปรแกรม Antivirus หรือไม▶ หลังจากที่ดาวโหลดโปรแกรมจากอินเตอรเน็ต เคยตรวจสอบความถูกตองของ

ไฟล หรือที่มาของไฟลหรือไม▶ เคยสำรองขอมูลไวใน DVD หรือไม▶ ทุกครั้งที่ใชงานเว็บไซตที่ตอง login หลังจากนั้น ได logout เว็บไซตดังกลาว

กอนปดโปรแกรมหรือไม▶ เคยใชงาน Window Update ของระบบปฏิบัติการที่ใชงานหรือไม


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


“May the Force be with you”

-Star War

Dr.Chanankorn Jundaeng


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


บทที่ 6TCP/IP Weakness


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Overview of TCP/IP


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Overview of TCP/IP

▶ TCP/IP : The de jure standardof Internet

▶ Computer systemcommunication with eachother by sending stream ofdata


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


IP Header

▶ Source IP and Destination IP address▶ Define the end station involved in datagram

▶ if both srcIP and dstIP are in the same network segment▶ data grames are send directly

▶ else▶ there can be multiple paths (sending datagram)▶ the desired path must be selected by routers


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


IP Header

IP fragment offset▶ Keeps track of the different path of data gram

▶ A router is able to break large datagram into smaller size▶ Fragment offset value indicates the position of the new fragment

in the context of the original datagram▶ The destination router will reassemble all fragment datagrames


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


TCP/UDP Header

▶ TCP:▶ A connection oriented protocol providing delivery of data segment

in a reliable manner▶ UDP:

▶ A connectionless protocol providing delivery of data segment in afast over unreliable manner


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


TCP/UDP Header

▶ Port numbers▶ Sometime is called socket number▶ Used to pass information to upper layer (application)

▶ Port number mechanism▶ Enables the protocol is multiplex communication between

difference processed in the end station


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


TCP/UDP Header


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


TCP/UDP Header

▶ A established connection between two end system is identifiedby four parameter

▶ source IP▶ destination IP▶ source port number▶ destination port number

▶ These combination is unique


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Three way handshake▶ Three-way handshake connection is required before data

exchange in TCP


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Three way handshake

Information related to previous three-way handshake mechanism▶ Sequence numbers

▶ initialized and used in multiple packet transmission▶ are used to

▶ ensure the ordering of packet▶ ensure that no packets are missing


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Three way handshake

Information related to previous three-way handshake mechanism▶ Acknowledgement numbers

▶ to define the next expected TCP octet▶ for transmission reliability


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Three way handshake

▶ Sequence number + acknowledgement number▶ Serves as a ruler for sliding window mechanism▶ Used the window field to define the receiving size


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


IP Protocol Attacking


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


IP Protocol Attacking

▶ IP Spoofing▶ Convert Channel▶ IP Gragment attack


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


IP Address Spoofing

▶ Method:▶ The attacjer replces the IP address of sender (source address) with

difference address▶ Used to:

▶ Exploit a target host▶ Start a Denial of Service attack


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


IP Spoofing and DoS Attack

▶ Attacker must know the trusted host (valid host) IP address(156.100.24.12)

▶ Modifies the IP packet to mislead the wen server into acceptingthe original packet as a packet form a valid user


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


IP Spoofing

▶ The spoofed IP address (156.100.24.12) is used (by a a hacker(145.22.10.54)) to request web page from the web server(135.5.11.2)

▶ The web server returns data to the 156.100.24.12▶ 156.100.24.12 receives unwanted connection attempts from the

web server: 156.100.24.12 discards this received data (it did notask for)

▶ RESULT:▶ the web server will not be able to provide valid services to valid

user/requests


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Convert Channel

A convert channel is▶ A pipe or communication channel between two entities▶ be exploited by a process or application transferring information

▶ in a manner that violates the system’s security specification▶ In some case: a convert chananel is secretly used to pass data

between two system


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


ICMP Header


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Convert Channel

Attacking Method▶ e.g. Using ICMP echo request packet▶ Base on ICMP specification

▶ ICMP echo request messages▶ Nor carry information in its payload


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Convert Channel

BUT▶ These packets are altered slightly to carry secret information▶ Cannot be detected by the protocol mechanism▶ This method gives intruders to attack system, such as

▶ Export confidential information without altering networkadministrator


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Convert Channel


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


TCP Attacking


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


TCP Attacking

▶ TCP Flag Attack▶ SYN Flood Attack▶ Connection Killing


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Three-Way Handshake


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


TCP Flag: Normal Operation▶ r = reserved bits – set to 0▶ U = Urgent bit (value 0x20)▶ A = Acknowledgment bit

(value 0x10)▶ P = Push bit (value 0x08)▶ R = Reset bit (value 0x04)▶ S = Synchronize bit (value

0x02)▶ F = Finish bit (value 0x01)


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


TCP Flag Attack

Abuse of normal operation orsetting TCP Flag

▶ Can be used to launch DoSAttack

▶ Example▶ This can cause network

server to crash or hangnot be able to service


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


SYN Flag attack


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


SYN Flag attack

▶ Result:▶ The victim server number

of TCP sessions mightreach the limitation

▶ The server will deny otherconnection request fromany host


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Connection Killing Attack

The normal operation▶ A three way handshake is used to start communication between

two system▶ A four-way handshake used to disconnect connection

Attacking▶ A spoofing TCP FIN segment is sent to the target system

▶ with correct SEQ and ACK numbers▶ The target system will close the current connection


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Computer and Network Attacking


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Buffer Overflow

▶ A buffer refers to▶ a temporary data storage are used to store program code and data▶ normally it is in memory, used while program is running


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Buffer Overflow

▶ An anomaly where a process stores data in a buffer outside thememory that be set aside for then by programmer

▶ The extra data overwrites adjacent menory, which may containother data, including program variable and program flow controldata.

▶ This may result in erratic program behavior, including memoryaccess errors, incorrect results, program termination (crash), or abreach of system security


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Buffer Overflow

▶ Buffer overflow can be triggered by inputs that are designed toexecute code, or alter the way the program operates

▶ They are thus the basis of many software vulnerabilities and canbe maliciously exploited

▶ Bounds checking can prevent buffer overflows


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Buffer OverflowBasic Example

▶ A program has define two data items which adjacey memory: an8-byte-long string buffer, A, and two byte of integer named B.

▶ Initially, A contains nothing but zero bytes, and B contains thenumber 1979.


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Buffer Overflow Mechanisms

Common goal for buffer overflow attack▶ To take control of a privileged program

▶ To take control a host▶ Two tasks to accomplish the buffer overflow attack

▶ Inject “dirty code” in a program’s code address space (buffer)▶ Force the privileged program jump to this address space


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Buffer Overflow Mechanisms

▶ Injecting code▶ Using vulnerable program▶ Modify certain parameters to inject “dirty code” to existing

program▶ Forcing a privilege program to jump to the right address space

▶ Required some work to modify the program’s control flow


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Stack buffer overflow

▶ Stack buffer overflow▶ To caused when a program writes more data to a buffer located

on the stack (usually a fixed length) than there was actuallyallocated for that buffer

▶ This almost always results in corruption of adjacent data on thestack, and in cases where the overflow was triggered by mistake,will often cause the program to crash or operate incorrectly.


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Exploiting Stack Overflow


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.




...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


How to protect

Writing a correct code▶ Software development teams need to understan “How to write a

secure application”▶ DO NOT user insecure function (in C/C++)

▶ gets(), strcpy()


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Spoofing Technique

Definition▶ A situation in which one person or program successfully

masquerades as another▶ By falsify data▶ thereby gaining an illegitimate advantage

▶ Spoofing method▶ Used by attackers to compromise computer systems▶ It is not an actual attack

▶ Just one step in a process to exploit the target system


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Spoofing Technique

▶ Domain name service spoofing▶ Address resolution protocol spoofing▶ URL spoofing


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Resolve Mechanism

▶ Domain Name System▶ Domain Name -> IP Address

▶ Address Resolve Protocol▶ IP Address -> MAC Address


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Domain Name System

▶ DNS▶ A mechanism used to provide an IP Address of a requested system

name▶ Used by hosts on the Internet

▶ How it works▶ A host sends a request to a relevant DNS server including a target

system name▶ The DNS server responds with the corresponding IP


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


DNS Spoofing

How to attack?▶ An attacker has to convince the target machine that

▶ The attacker machine is the machine the target ask for an IP▶ Modifying some records related to DNS data so that

▶ The name entries of the hosts correspond to the attacker’s IPAddress or, compromising a DNS Server

▶ THUS, DNS spoofing▶ Tracking DNS server to provide not genuine IP for a requested

name


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Address Resolve Protocol (ARP)

▶ IP Address and MAC address of a machine are both require incommunication between systems

▶ IP address is mostly know before sending data to the targetsystem

▶ NOT the MAC address▶ Need to obtain from the host itself

▶ ARP Provides▶ Mechanism to map a know IP address to MAC address


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


ARP: How it works?


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


ARP: How it works?

▶ Host A check MAC address of Host B in arp cache▶ if found use it

▶ Or, Broadcast target IP address and its MAC Address into LAN (ARPRequest)

▶ Every host see ARP Request and know MAC Address of Host B willreply with unicast ARP Reply packet

▶ Fill with MAC address of Host B


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


ARP Spoofing

▶ Weak point of ARP▶ There are no authentication mechanism of reply▶ All host use MAC from Reply message

▶ THUS, attacker can spoof ARP reply message


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


URL Spoofing

▶ Also known as phishing▶ A legitimate webpage such as a bank’s site is reproduced in “look

and feel” on another server sider control of the attacker▶ The main intent is to fool the uses into thinking that they are

connected to a trusted site, for instance to harvest user namesand passwords


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


URL Spoofing

▶ This attack is often performed with the aid of URL spoofing▶ exploits web browser in order to display incorrect URL in the

browsers location bar;▶ or with DNS cache poisoning in order to direct the user away from

the legitimate site and to the fake one▶ Once the user puts in their password, the attack-code reports a

password error, then resurrected the user back to the legitimatesite


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Social Engineering

▶ What is it?▶ The easiest way to attack a computer▶ Requires almost no technical ability▶ Usually highly successful▶ Difficult security weakness to defend


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Social Engineering

How it works?▶ Relies on tricking and deceiving someone to access to a system.

e.g.▶ Pretending to do some important job, asking for a password

▶ Via▶ Reverse social engineering▶ email, telephone etc


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Social Engineering

Reverse social engineering▶ The legitimate user is persuaded to ask the attacker for help

Example:▶ The attacker breaks an application in the workstation

▶ Then, modifies the error message containing his contactinformation

▶ The user contact the attacker asking for assistance▶ This gives the attacker an easy way to obtain required information


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Password Guessing

Many users create weak password words▶ Easily be guessed -> password guessing attack

Example password guessing attack:▶ Brute force attack with program (available on the Internet)▶ Dictionary attack▶ Software exploitation

▶ Take the advantage of software weakness to bypass authenticationprocess


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



-Star War



...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


บทที่ 7Firewall


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


What is firewall

▶ TCP port 80 is permitted by access control policy but TCP port455 is denied


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Definition

▶ A firewall is:▶ Hardware/software

▶ which is configured to▶ Permit or▶ deny or▶ proxy data

▶ Through a computer network which has difference level of trust


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Firewall System Component

▶ Filter: block transmission ofcertain classes of traffic

▶ A machine or a set ofmachine provide relayservices to compensate forthe effected of the filter


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Other Definitions Related to Firewall

Host▶ A computer system attached to a network

Bastion host▶ A host that must be highly secured because it is vulnerable to

attack, usually▶ It is exposed to the Internet▶ It is a main point of contact for users of internal networks


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



▶ Dual-homes host▶ A host that has at least two network interfaces

▶ Packet▶ The fundamental unit of communication on the Internet


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



Host▶ A computer system attached to a network

Packet-filtering▶ The action a device takes to selectively control the flow of data

to an from a network▶ It allow or block packets▶ A set of rules are required which specify

▶ what types of packets are to be allowed▶ what types of packets are to be blocked (not allowed)


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


What is firewallPerimeter network

▶ A network added between a protected network and and externelnetwork

▶ Provides an additional layer of security▶ Sometimes called a DMZ (De-Militarized Zone)


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



Proxy server▶ A program that deals with external servers on behalf of internal

clients▶ Proxy clients talk to proxy servers

▶ Relay client request on to real servers, and▶ Relay answer back to clients


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Firewall Costs

▶ Firewall are not free▶ Const include

▶ Hardware purpose▶ Hardware maintenance▶ Software development or purpose▶ Software update costs▶ Administrative setup and training


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Firewall Costs

▶ Const include▶ Ongoing administration and trouble-shooting▶ Loss business or inconvenience from broken gateway or blocked

services▶ Loss of some services or convenience that an open connection

would supply


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Firewall Functionalities

▶ Const incluFirewall need to be able to perform the followingtasks

▶ Manage and control network traffic▶ Authenticate access▶ Act as intermediary▶ Record and report events


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Firewalls Manage and Control Traffic

Most fundamental functionality, all firewall must perform▶ To manage and control network traffic

▶ Allow or deny network traffic to access the protected network▶ To do so by inspecting the packet and monitoring the connections


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Firewalls Manage and Control Traffic

▶ Packet Inspecting▶ Connection and State▶ Stateful packet Inspecting


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Packet Inspection

▶ A process of▶ Interrupting and▶ Processing the data in a packet

▶ To determine whether it should be permitted or denied▶ Defined access policy is required


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Packet Inspection

▶ Data used to allow/deny access▶ Source IP Address▶ Source Port▶ Destination IP address▶ Destination Port


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Packet Inspection

Data used to allow/deny access▶ IP Protocol▶ Packet Header implementation such as:

▶ Sequence numbers▶ Checksums▶ Data Flags. etc


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Stateful Inspection

▶ Firewall monitor connection state information▶ To determine whether to permit or deny traffic

▶ Example:▶ 3 ways handshake


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Authentication Access

Firewall can perform authentication using several mechanisms▶ Extend authentication

▶ Extend authentication▶ The user of certification and public keys

▶ An authentication process can access with no user intervention


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Authentication Access

Firewall can perform authentication using several mechanisms▶ The user of pre-shared key (PSKs)

▶ PKSs are less complex to implement than certificates▶ Authentication is used as an additional method

▶ For ensuring that the connection should be permitted


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Firewall Act as an Intermediate

Firewall is used as a proxy▶ To insulate the protected host from threats

▶ By ensuring that and external host can not directly communicatewith the protected host


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


How it works ?

All communications desired for the protected hosts▶ Occurs with the proxy▶ The proxy receives packets (from a remote host)

▶ trips out the relevant data▶ creates a new packet▶ forwards the packet to the protected host


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


How it works ?

All communications desired for the protected hosts▶ The protected host responds to the proxy

▶ Reverse the process▶ Forwards the response to the originating host


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Firewall Protect Resources

▶ The most important responsibility of a firewall▶ To protect resource from threat

▶ Achieved through the use of▶ Access control rules▶ Stateful packet inspection▶ Application proxies▶ Combination of the above


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



Firewall are not an infallible methods of protecting a resource▶ Do not relay exclusively on firewalls▶ A firewall can not protect an unpatched host

▶ Explicitly if an attacker uses traffic that is allowed by a firewall


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



Example:▶ If a packet-inspecting firewall permits HTTP traffic to an

unpatched web server▶ A malicious user could attack a HTTP-based exploit to compromise

a web server


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Firewall Record and Report Event

▶ Two popular methods used to record firewall events▶ Using a syslog, or▶ Using a proprietary logging format

▶ Firewall logs can be used to▶ Interrogate to determine security violation events▶ Used to troubleshoot a firewall


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



▶ Two popular methods used to record firewall events▶ Using a syslog, or▶ Using a proprietary logging format

▶ Firewall logs can be used to▶ Interrogate to determine security violation events▶ Used to troubleshoot a firewall


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



Alarms:▶ Firewalls support several types of alarms

▶ Console notification▶ SNMP notification▶ SMS notification▶ E-Mail notification


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


What can a firewall do?

A firewall is a focus for security decision▶ All traffic (in/out) must pass through firewall

A firewall can enforce security policy▶ Enforces the site security policy

▶ Allow only approved service to pass through


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



▶ A firewall can log internal activities efficiently▶ It is a good place to collect information about system and network

use (and misuse)▶ A firewall can’t systems against malicious insiders

▶ If the attacker is already inside the network (behind a firewall), afirewall cannot protect


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



A firewall can’t protect a network against connections that do not gothrough it

▶ If there is another way in and out the network▶ Dial-in model service▶ Other external connection

▶ A firewall cannot protect these alternate way outs


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



▶ A firewall can’t protect against completely new threats (unknownbefore)

▶ A firewall can’t protect against viruses


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Situating Firewalls

Traditionally, firewalls are placed between an organization and theoutside networksLarge organization may need internal firewalls

▶ Separate security domains▶ A set of machines under common administrative control with

▶ Common security policy▶ Common security level


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Firewall Categories

▶ Packet Filtering▶ Circuit-Level gateways▶ Application gateways▶ Stateful Inspection Firewall


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Packet Filtering

▶ A packet filter providers▶ Cheap and useful level of gateway security▶ Filtering abilities come with router software


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Packet Filtering

A packet filtering firewall▶ A router or a computer

▶ Running software that has been configured to▶ Screen incoming and outgoing packets▶ Special rules are required to make a decision

-- To accept or deny (drop) each packet


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Packet Filtering

A packet filtering firewall▶ Accept or denies packets also based on the packet full

association▶ Consists of following information fields (TCP/IP header fields)

▶ Source/Destination Address▶ Application/Protocol▶ Source/Destination port number


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Packet Filtering

How it works?: On arriving of a packet

▶ Compares the full association against a table▶ Containing rules that dictates whether the firewall should

▶ Deny or drop a packet▶ Permit the packet to pass -> forward to the next hop


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Packet Filtering

On arriving of a packet▶ Rule-scanning method

▶ A firewall scans a rule from the first line of the table until▶ If find a line that agrees with the information

-- Accept the packet▶ OR, the last line is encountered

-- Apply the default rule


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Packet Filtering

▶ A default rule should▶ be explicitly defined in the firewall’s table▶ instruct the firewall to drop a packet that meets one of the other

rules


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Packet Filtering

▶ Block packets from a site called “DARK”▶ Allow inbound mail (SMTP, 25) to gateway machine


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Packet Filtering

▶ Advances of packet filtering▶ One screening router can help protect an entire network▶ Packet filtering does not require user knowledge or cooperate▶ Packet filtering is highly available in many routers


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Packet Filtering

Disadvantages:▶ Packet filtering tools are not perfect

▶ Rules tend to be hard to configure▶ Once configured, rules tend to be hard to test

▶ Some policies can’t be enforced by normal packet filtering routers▶ Filtering incoming/outgoing packets always take CPU times of the

routers


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Circuit-Level Gateways

Circuit gateway:▶ Relays TCP connections▶ Monitors TCP handshake between packets

▶ From trusted client/servers to untrusted hosts, or▶ From untrusted host to trusted clients/servers▶ To determine whether a requested session is legitimate

▶ Relies on information contained in the packet header▶ TCP header


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Circuit-Level Gateways

The caller connect to a TCP Port on the gateway▶ This gateway connect to some destination on the other side of

the gateway▶ During the call

▶ The gateway acts as a wire▶ The gateway relay (copy) the bytes back and forth

▶ This relay service do not examine information


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Application-Level Gateway

Similar to a circuit-level gateway▶ Intercepts incoming and outgoing packets▶ Run proxies that copy and forward information across the gateway▶ Function as proxy server

▶ Preventing any direct connection between client/server


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



▶ Different from a circuit-level gateway

▶ The proxies are application specific▶ The proxies can filter packets at the application layer


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



Application-specific proxy▶ Accepts only packets generated by services they are designed to

▶ Example: A telnet proxy can copy/forward and filter Telnet traffic▶ Other services would be block

▶ Examines and filters individual packets▶ Not blindly copy and forward bytes like circuit-level gateway


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



Application-specific proxy▶ Proxy can filter particular types of command or information in the

application protocols they are designed to work on▶ Can also restrict specific actions from being perfumes

▶ Example: The gateway could be configured to prevent users fromperforming the FTP put command—> to prevent serious damageof the information stored on the server


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Stateful Inspection Firewall

▶ Stateful inspection firewall: combines aspects of▶ A packet-filetering firewall▶ A circuit-level gateway, and▶ An application-level gateway


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



▶ Like a packet-filetering firewall▶ Operate at the network layer▶ Filtering all incoming and outgoing packets based on source and

destination IP addresses and port numbers


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



Also functions as a circuit-level gateway▶ Determining whether the packets in a session are appropriate▶ For example:

▶ A stateful inspection firewall verified that SYS and ACK flags andsequence numbers are logical


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



Like a application-level gateway▶ The firewall evaluated the contents of each packet

▶ up through the application layer▶ Ensured that these contents match the rules is a network security

policy


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


iptables(1)

▶ iptables on linux▶ iptables(1) is s firewall, installed by default on all official Linux▶ When you install ubuntu, iptable is there, but it allow all traffic by

default


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


iptable▶ basic command

▶ sudo iptables -L▶ list your current rules in iptables▶ If you have just setup server, you will have no rules and you

should see


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


iptable

▶ Allowing incoming traffic on specific ports▶ sudo iptables : execute iptables with specifically privileged▶ -A INPUT : append new rules to incoming traffic▶ -p tcp : filter protocol tcp▶ -dport ssh : specific ssh destination port▶ -j ACCEPT : accept all incoming packet


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


iptable


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


iptable Rules

▶ Block traffic▶ Once a decision is made to accept, no more rules affect it▶ As our rules allowing ssh and wen traffic come first, as long as our

rule to block all traffic comes after them, we can still accept thetraffic .

▶ All we need to do is put the rule to block all traffic at the end.


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


iptable Rules


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


'End'



...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


บทที่ 8Intrusion Detection System


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Objectives

▶ To understand basic of intrusion detection system▶ To protect computer and network from intrusion▶ To install an configure SNORT


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Outlines

▶ Introduction to intrusion detection system▶ Types of Intrusion detection system

▶ Host based, Network Based▶ Anomaly Detection, Misuse Detection

▶ IDS Components▶ Example IDS : SNORT

▶ Overview▶ Installation


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Intrusion Detection System

Intrusions▶ Attempts

▶ To compromise the confidentiality, integrity, and availability, or▶ To by pass security mechanisms of a computer or a network

▶ Activities caused by▶ Attackers accessing the systems from the Internet▶ Authorized users of the systems who attempt to gain additional

privileges-- For which they are not authorized

▶ Authorized users who misuse the privileges given to them


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Intrusion Detection System

▶ Intrusion detection is the process of▶ Monitoring the events occurring in a computer system or network,

and▶ Analyzing them for signs of intrusions

▶ Intrusion Detection Systems (IDSs) are software or hardwareproducts that

▶ automate this monitoring and analysis process


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Why Should We Need IDSs

▶ To detect attacks and other security violations▶ that are not prevented by other security measures

▶ To detect and deal with the preambles to attacks▶ commonly experienced as network probes and other “doorknob

rattling” activities


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Why Should We Need IDSs

▶ To document the existing threat to an organization▶ To act as quality control for security design and administration,

especially of large and complex enterprises▶ To provide useful information about intrusions that do take place,

allowing improved diagnosis, recovery, and correction of causativefactors


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Process Models for an IDS

▶ Three fundamental functional components▶ Information source▶ Analysis▶ Response


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


IDS ComponentInformation source

▶ To determine intrusion activities/event, the source can be fromdifferent level, such as

▶ A host▶ A network▶ An application monitoring common activities

Analysis▶ deciding when those events indicate that

▶ intrusions are occurring, or▶ have already taken place

▶ The most common analysis approaches▶ misuse detection▶ anomaly detection


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


IDS Component

Response▶ The set of actions that the system takes once it detects intrusions▶ grouped into

▶ active response▶ passive response

▶ active response: involving some automated intervention on thepart of the system

▶ passive response involving reporting IDS findings to humans▶ to take action based on those reports


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Types of Intrusion Detection Systems

▶ IDSs can be classified by several factors, such as▶ Based on Source of Information▶ Based Analysis Methods


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Types of IDSs : Based on Source of Information

Common ways to classify the IDSs▶ Grouped by information source

▶ Network packets, captured from network backbones or LANsegments

▶ Information sources generated by the operating system▶ Information sources generated by an application software


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Types of IDSs : Based on Source of Information

▶ Well known intrusion detection systems are :▶ Network-based intrusion detection system (NIDS)▶ Host-based intrusion detection system (HIDS)▶ Application protocol-based intrusion detection system (APIDS)▶ Anomaly-based intrusion detection system


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Network-Based Intrusion Detection System (NIDS)

NIDS :▶ An intrusion detection system that tries to detect malicious

activity such as▶ denial of service attacks▶ port scans▶ attempts to crack into computers

▶ An independent platform which identifies intrusions by▶ examining network traffic and▶ monitors multiple hosts


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Network Intrusion Detection System (NIDS)

The NIDS detects attacks by▶ Capturing and analyzing all incoming packets▶ Trying to find suspicious patterns

-- For example:▶ A large number of TCP connection requests to a very large number

of different ports are observed>> It can be assumed that there is someone committing a "portscan" at some of the computer(s) in the network


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



▶ The NIDS gains access to network traffic by connecting to▶ a hub▶ network switch

▶ One network-based IDS▶ can monitor the network traffic affecting multiple hosts

▶ An example of a NIDS▶ SNORT


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



Network-based IDS components▶ Often consist of

▶ A set of single-purpose sensors or hosts▶ And a central management host

▶ Sensors are▶ Placed at various points in a network▶ Monitor network traffic▶ Performing local analysis of that traffic, and▶ Reporting attacks to a central management console


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



Securing sensor nodes▶ They must be secured against attack

▶ Many of these sensors are designed to run in “stealth” mode-- in order to make it more difficult for an attacker to determinetheir presence and location


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



▶ NIDS is also able to inspect outgoing network traffic▶ To detect attacks that might be staged from the inside of the

monitored network


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



Advantages of network-based IDSs▶ A few well-placed network-based IDSs can monitor a large

network▶ The deployment of network-based IDSs has little impact upon an

existing network▶ They are usually passive devices

-- listen on a network wire without interfering with the normaloperation of a network

▶ NIDSs can be made very secure against attacks▶ Can be made invisible to attackers


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



Disadvantages of network-based IDSs▶ May have difficulty processing all packets in a large network

▶ Fail to recognize an attack launched during high traffic period▶ Cannot analyze encrypted information▶ Most NIDSs cannot tell whether or not the attack was successful


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Host-based Intrusion Detection System (HIDS)Host-based intrusion detection system

▶ Operates on information collected from within an individualcomputer system

▶ Monitors and analyzes the internals of a computing system▶ Monitors all or parts of the dynamic behaviour and of the state of

a computer system▶ Might detect which program accesses what resources and assure

that▶ For example:

-- A word-processor hasn't suddenly and inexplicably startedmodifying the system password-database


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Host-based Intrusion Detection System (HIDS)

Sometimes HIDS is said to be▶ An agent that monitors

▶ Whether anything/anyone - internal or external-- has circumvented the security policy that the operating systemtries to enforce


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



Component▶ A software agent (sensor)

=> Installed on a host▶ Monitors all activity of the host on which it is installed and▶ Identifies intrusions by analyzing

-- system calls logs (kernel logs)-- Application logs (audit trails)-- File-system modifications (binaries, password files, capability/acldatabases)-- And other host activities and state


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



Example of HIDS▶ OSSEC*

▶ Is an Open Source Host-based Intrusion Detection System▶ Performs

-- log analysis-- integrity checking-- Windows registry monitoring-- rootkit detection-- real-time alerting and active response

▶ ------> From : http://www.ossec.net/


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



Advantages of HIDSs▶ Can detect attacks that cannot be seen by a network-based IDS▶ Can operate in an environment in which network traffic is

encrypted▶ When Host-based IDSs operate on OS audit trails they can help

detect▶ Trojan Horse, or▶ Other attacks that involve software integrity breaches


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



Disadvantages▶ HIDSs are harder to manage

▶ Information must be configured and managed for every monitoredhost

▶ The IDS itself may be attacked▶ Since it resides on the same host (targeted)

▶ HIDSs are not well suited for detecting network scan attacks▶ It sees only network traffic received by its host


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



Disadvantages▶ When it uses the operating system audit trails as its source

information▶ Requires additional storage on the system

-- Because of the sheer amount of the information▶ HIDS uses the computing resources on the host it resides

▶ Might be able to reduce the performance of the monitored host


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Application-based Intrusion Detection System (APIDS)

▶ Special subset of HIDSs▶ Analyze the events transpiring within a software application▶ Common information sources used by application-based IDSs

-- application’s transaction log files▶ APIDS component

▶ Consists of an analysis engine implemented in a system-- Interfaces directly with an application


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



How it works?▶ The ability to interface with the application directly▶ And a significant domain or application-specific knowledge

included in the analysis engine▶ Allows application-based IDSs to detect suspicious behaviour

▶ due to authorized users exceeding their authorization


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



Example of how to use a APIDS▶ An APIDS is placed between a web server and the database

management system▶ monitoring the SQL protocol specific to the middleware/business

logic as it interacts with the database


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



Advantages▶ APIDSs can monitor the interaction between user and application

▶ Allows them to trace unauthorized activity to individual users▶ APIDSs works in encrypted environment

▶ Information between a user and an application is presented inunencrypted form


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



Disadvantages▶ APIDSs may be more vulnerable to attacks than host-based IDSs

▶ The applications logs are not as well-protected as the OS audittrails used for host-based IDSs

▶ Cannot detect Trojan Horse or other similar attack=> It is advisable to use application-based IDS in combination withhost-based IDSs or network-based IDSs


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Types of Intrusion Detection Systems

▶ IDSs can be classified by several factors, such as▶ Based on Source of Information▶ Based Analysis Methods


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Types of IDSs : Based Analysis Methods

▶ Two primary approaches▶ Signature-based detection▶ Anomaly detection


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Signature-based Detection

▶ A signature is a pattern that corresponds to a known threat▶ Signature-based detection

▶ is a process of comparing signatures against observed events toidentify possible incident


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



Signature-based detection:▶ A simplest detection method

▶ It just compares a current unit of activities to a list of signatures-- Using string comparison operations

▶ Sometimes it is called a “misuse detection”


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Signature-based DetectionExamples of signatures*

▶ A telnet attempt with a username of “root”▶ Which is a violation of an organization’s security policy

▶ An e-mail with a subject of “Free pictures!” and an attachmentfilename of “freepics.exe”

▶ Which are characteristics of a known form of malware▶ An operating system log entry with a status code value of 645

▶ Which indicates that the host’s auditing has been disabled▶ ----->* From : Guide to intrusion detection and prevention system,

special publication 800-94, http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



Advantages▶ Effective at detecting attacks

▶ without generating an many number of false alarms▶ Quickly and reliably diagnose the use of a specific attack tool

▶ Can help security managers prioritize corrective measures


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



Disadvantages▶ Can only detect attacks “known-activities”

▶ known signatures must be constantly updated for new attacks


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Anomaly Detection System

Anomaly detector:▶ Identifies abnormal unusual behaviour (anomalies) on an host or

network▶ Functions on the assumption that attacks are different from

“normal” or “legitimate” activity▶ They can be detected by systems that identify these differences


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



▶ Measures used in many anomaly detection systems▶ Threshold detection▶ Statistical measures▶ Rule-based measures▶ Other measures


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



Threshold detection:▶ Certain attributes of users and system behaviour profile are set

(threshold value)▶ In term of acceptable level/counts

For example:-- The number of files accessed by a user in a given period of time-- The number of failed attempts to login to the system-- The amount of CPU utilized by a process

▶ These counts can be static or heuristic (designed to change withactual values observed over time)


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



Rule-based measure:▶ Similar to non-parametric statistical measure▶ In that

▶ Observe data defines acceptable usage patterns▶ Differs in that

▶ Those patterns are specified as rules, not numeric quantities


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



Other measures:▶ Such as methods using

▶ Neural networks▶ Genetic algorithms▶ Immune system models, etc.

**Your own research**▶ Find out what measures are used in most commercial systems

using anomaly detection analysis


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



Advantages:▶ Detects unusual behaviours (not known/seen before)

▶ No specific knowledge of attack details required▶ Can produce information that can be used to define signatures for

misuse detectors


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



Disadvantages:▶ Produces a large number of false alarms

▶ Due to unpredictable behaviours of users and networks▶ Often requires extensive “training sets” of system records

▶ In order to characterize normal behaviour patterns


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



How it works : the detector▶ Collects historical data over a period of normal operation▶ Constructs profiles corresponding to normal behavior of , such as

▶ Users▶ Hosts▶ Network connections

▶ To determine the attack, the detector▶ Collects event data▶ Uses a variety of measures to determine

-- Whether the monitored activity deviates from the normal profile


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Response Options of IDS Active response & Passive response

▶ Active response▶ Automated actions taken by and IDS when certain types of

intrusions are detected▶ Common actions are

▶ Collect additional information▶ Change the environment▶ Take action against the intruder


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Active Response

Collection additional information▶ From the suspected activities▶ Normally involves

▶ Increasing the level of sensitivity of information sources, i.e.-- Turning up the number of events logged by an OS audit trail, or-- Increasing the sensitivity of a network monitor to capture allpackets

▶ Not just packets targeting a particular port or target system


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Active Response

Collecting additional information helps▶ Resolve the detection of attack

▶ Assisting the system in diagnosing▶ The information can be used to

▶ Support investigation and apprehension of the attacker▶ Support criminal and civil legal remedies


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Active Response

Change the environment▶ To halt an attack in progress, and▶ Then block subsequent access by

▶ Blocking packets from the same hosts as the original of the attacker


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Active Response

Some actions used to block further attack access▶ Terminating the connection by injecting TCP reset packet into the

attacker connection▶ Reconfiguring routers and firewalls to block

▶ packets from the attacker site (IP address)▶ Ports, services being used by an attacker


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Active Response

Take action against the intruder▶ Launching attacks against, or▶ Attempting to actively gain information about the attacker’s host

or site▶ It is called “strike-back” option

▶ It is the most aggressive action of active responses-- NOT recommend-- May be illegal


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Passive Response

▶ Intrusion detection system does not take action against theattacker, but

▶ Provides information to users or system administrators▶ Relies on humans to take action

▶ Many commercial IDSs use passive response▶ Some methods used in passive response

▶ Alarms and notifications▶ SNMP trap and plug-in


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Passive Response

Alarms and notifications▶ Generated by IDS when intrusion is detected▶ Common forms of alarms

▶ Onscreen alert▶ Popup window

▶ Alarm information might be▶ Displayed on IDS console, or▶ Other systems specified at the configuration time▶ Sent to a specific user via a mobile phone or e-mail system


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Passive Response

Alarm information can be▶ Notification message that intrusion has occurred, or▶ More detailed message such as

▶ IP addresses of source (attacker) and target hosts▶ Tool used to gain attack▶ Outcome of the attack, etc.


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Passive Response

SNMP trap and plug-ins▶ Alarms and alert are sent to a network management system using

▶ SNMP traps and▶ SNMP messages

Benefit of using this scheme▶ To shift the processing load associated with an active response to

other systems rather than the targeted system (the system beingattacked)

▶ The ability to use common communication channels


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


How are IDSs Organized?▶ Involves basic components of IDSs▶ How they are interconnected and organized into a coherent


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


IDS Components

Sensor :▶ provide necessary information about the system targeted for

intrusion detection▶ Sometimes referred as probe, monitor, feed, tap▶ Can be physically remote from the rest of the system


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


IDS Components

System management :▶ Function to maintain control over the internal components▶ To provide a means for communications with other IDSs▶ Can be centralised/decentralised


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


IDS Components

▶ Processing engine (algorithms) :▶ Analysis box !!! (main part of the decision making)

▶ Knowledge bases :▶ Knowledge information used by the IDS▶ Data box

▶ Audit archive :▶ Audit logs/archives


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


IDS Components

Alarm :▶ Methods to alarm/alert human▶ Should have the capability to

▶ Automatically initiate intruder traps▶ Initiate some sort of trace back capability , etc.


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Tools that Compliment IDSs

▶ Several tools are used to complement IDSs▶ Vulnerability analysis systems▶ File integrity checkers▶ Honey pots▶ Padded cells


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Vulnerability Analysis Systems

▶ Vulnerability analysis is sometimes called assessment systems▶ Test to determine whether a network or hosts are vulnerable to

known attacks▶ Vulnerability assessment represents a special case of the intrusion

detection process▶ It is basically a batch mode misuse IDS

▶ The assessment engine collect information sources from a targetsystem

▶ The information sources are system state attributes and outcomesof attempted attacks


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Vulnerability Analysis System Process

▶ A specific set of system attributes is sampled▶ The results of the sampling are

▶ stored in a secure data repository▶ Compared to at least one reference set of data

-- This set can be an “ideal configuration” template▶ Reports any difference between these two sets of information


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Vulnerability Analysis Types

▶ Host-based vulnerability analysis▶ Network-based vulnerability analysis


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



Host-based vulnerability analysis▶ Sometimes is called “passive assessment”▶ Queries and inspects system attributes to obtain data source such

as▶ file contents▶ Configuration settings, or▶ Other status information

▶ Determines vulnerability by using these data source▶ The vulnerabilities best revealed by this analysis

▶ Those involving privileged escalation attacks


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Vulnerability Analysis TypesNetwork-based vulnerability analysis

▶ Sometimes is called “active” vulnerable assessment▶ Actively attacking or scanning the target system

▶ Requires a remote connection to a target system▶ May

▶ actually reenact system attacks-- Noting and recording responses to these attacks

▶ Or▶ probe targets to infer weaknesses from their responses

▶ The analysis engine might not have permission to access thetarget system


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



Two methods used in network-based vulnerability analysis▶ Testing by exploit

▶ Performs an actual attack▶ Returns a status flag

-- Whether the attack was successful▶ Inference method

▶ Looks for the technical errors such as-- Ports that are open


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Vulnerability Analysis SystemsAdvantages :-- Vulnerability analysis system

▶ Is of significant value as a part of a security monitoring system▶ Allowing the detection of problems on systems that cannot

support an IDS▶ Provides security-specific testing capabilities for documenting the

security state of systems▶ When it is used on a regular schedule

▶ It can reliably spot changes in the security state of a system-- Alerting security managers to problems that require correction


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Vulnerability Analysis SystemsDisadvantages :

▶ Host-based vulnerability analyzers are tightly bound to specific OSand applications

▶ They are costly to build, maintain, and manage▶ Network-based vulnerability analyzers are platform-independent,

but▶ Less accurate▶ Subject to more false alarms

▶ Some network-based checks can crash the systems they aretesting, such as

▶ Denial-of-service attack


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Vulnerability Analysis Systems

Disadvantages :▶ When conducting vulnerability assessment of networks on

systems running intrusion detection▶ The IDSs can block subsequent assessments▶ Repeated network-based assessments can

-- “train” certain anomaly-detection-based IDSs to ignore realattacks


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


File Integrity Checkers

File integrity checkers are useful for detecting attacks patterns asfollows

▶ Attacking using the following three stages of the attack▶ Attackers alter system files as the goal for the attack

-- E.g. Trojan Horse placement▶ Attackers attempt to leave back doors in the system

-- They can reenter the system at later time▶ Attackers attempts to cover their tracks

-- System owners will be unaware of the attack


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



File integrity checkers are used to determine▶ Whether attackers have altered

▶ System files or executables▶ Whether vendor-supplied bug patches or other desired changes

have been applied to system binaries


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



How it works?▶ File integrity checkers

▶ Used checksum mechanism for critical files and objects▶ Comparing these values to reference values▶ Flagging differences or changes


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Honey Pots

▶ Honey pots are decoy systems that are designed to trying toattract attackers with tempting data

▶ Divert an attacker from accessing critical systems▶ Collect information about attacker’s activity▶ Encourage the attacker to stay on the system long enough for

administrators to respond


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Honey Pots

System components:=> How it works?

▶ Systems that filled with fabricated information designed to▶ appear valuable, but▶ a legitimate user of the systems would not access

▶ Any access to the honey pot is suspect▶ The system is equipped with sensitive monitors and event loggers

that▶ Detect these accesses and▶ Collect information about attacker’s activities


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Padded Cells

Padded cells:▶ A system designed to work together with IDS▶ When the IDS detects attackers

▶ It quietly transfers them to a special padded cell host▶ Once the attackers are in a padded cell system

▶ They are contained within a simulated environment-- Filled with interesting data designed to convince an attacker thatthe attack is going according to plan, but-- In reality, they can cause no harm

▶ The padded cell then monitors and logs attacker’s activities


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Honey Pots and Padded Cells

Advantages:▶ Attackers are diverted to system targets that they cannot damage▶ Administrators have additional time to decide how to respond to

the attack▶ Attacker’s actions can be monitored, logged data can be used to

▶ Refine threat models▶ Improve system protections

▶ Honey pots may be effective at catching insiders▶ Who are snooping around a network


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Honey Pots and Padded Cells

Disadvantages:▶ The legal implications of using these two devices are not well

defined▶ An expert attacker, once diverted into a decoy system

▶ May become angry and▶ Launch a more hostile attack against an organization’s systems

▶ A high level of expertise is needed for administrators and securitymanagers

▶ In order to use these systems


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Strengths and Limitations of IDSsStrengths:=> IDSs perform the following functions well

▶ Monitoring and analysis of system events and user behaviours▶ Testing the security states of system configurations▶ Baselining the security state of a system

▶ Then tracking any changes to that baseline▶ Recognizing patterns of system events that correspond to known

attacks▶ Recognizing patterns of activity that statistically vary from normal

activity


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Strengths and Limitations of IDSsStrengths:

▶ Managing operating system audit and logging mechanisms and thedata they generate

▶ Alerting appropriate staff by appropriate means when attacks aredetected

▶ Measuring enforcement of security policies encoded in theanalysis engine

▶ Providing default information security policies▶ Allowing non-security experts to perform important security

monitoring functions


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Strengths and Limitations of IDSs

Limitations:=> IDSs cannot perform the following functions

▶ Compensating for weak or missing security mechanisms such as▶ Firewalls▶ Identification and authentication▶ Link encryption▶ Access control mechanisms▶ Virus detection

▶ Detecting newly published attacks or variants of existing attacks


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Strengths and Limitations of IDSsLimitations:=> IDSs cannot perform the following functions

▶ Instantaneously detecting, reporting, and responding to an attack▶ When there is heavy network or processing load

▶ Effectively responding to attacks launched by sophisticatedattackers

▶ Automatically investigating attacks without human intervention▶ Resisting attacks that are intended to defeat or circumvent them▶ Compensating for problems with the fidelity of information

sources


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


What is SNORT?

SNORT is▶ An open source free NIDS▶ A signature-based NIDS : analyzes traffic by using a combination of

▶ Rules and▶ Preprocessors


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


What is SNORT?SNORT (Cont.)

▶ Rules▶ Offer a simple and flexible means of creating signatures to

examine a single packet▶ Preprocessors

▶ Performs several tasks such as-- IP defragmentation-- Portscan detection-- Web traffic normalization-- TCP stream reassembly

▶ Give SNORT the capability-- to look at streams-- and manipulate streams


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


What is SNORT?

SNORT (Cont.)▶ Portable, runs on many platforms, such as

▶ Linux▶ Solaris▶ BSD▶ IRIX▶ HP-UX▶ Mac OS X▶ Win32▶ And many more


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


How it works?

It is easily configurable and flexible; allowing users to▶ Create their own signatures▶ Alter the base functionality through the use of plug-ins

▶ Can optionally be compiled into SNORT at installation timeOffer features such as an active response to malicious traffic


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



-Star War



...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


บทที่ 9Security Policy & ISO 27100


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Security Policy


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Objectives

▶ To understand security policy▶ To understand auditing tools (syslog and syslog-ng)


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Outlines

▶ Understanding security policy▶ Writing a security policy▶ Monitoring the network▶ Auditing the network

▶ Syslog▶ Syslog-ng


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Computer Security Policy

A documentation of Security decisions▶ An aggregate of

▶ Directives▶ Rules▶ Practices

▶ That prescribes how an organization▶ Protects its resource, and▶ Distributes information


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Purposes of a security policy

▶ Describes what is being protect and why▶ Sets priorities about what must be protects first and at what cost▶ Allows an explicit agreement to be made with various parts of the

organization regarding the value of security


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Purposes of a security policy (2)

▶ Provides the security department with a valid reason to say “no”when that is need

▶ Provides the security department with the authority to back upthe “no”

▶ It prevents the security department from acting frivolously


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Writing a Security Policy

▶ Identify what you are trying to protect▶ Determine what you are trying to protect it from▶ Determine how likely the threats are▶ Implement measures which will protect your assets in a

cost-effective manner▶ Review the process continuously and make improvements each

time a weakness is found


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Risk Assessment

▶ Identifying the assert▶ Identifying the threats


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Identify the Assets

▶ List all of assets to protected▶ Hardware▶ Software▶ Data▶ People▶ Documents▶ Supplies


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


List of all assert

Hardware

▶ CPUs▶ Main boards▶ Keyboards▶ Terminals▶ Communication line▶ Switches

▶ Workstations▶ Personal computer▶ Printers▶ Disk drives▶ Terminal servers▶ Routers


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


List of all assert

Software

▶ Source programs▶ Object programs▶ Utilities

▶ Diagnostic programs▶ Operating systems▶ etc.


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


List of all assert

Data

▶ During execution▶ Stored on-line▶ Archived off-line▶ Backups

▶ Audit logs▶ Database▶ In transit over

communication media


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


List of all assertData

▶ Programs▶ Systems▶ Hardware

▶ Local administrativeprocedure

People▶ Users▶ Administrators▶ Hardware maintainers

Supplies▶ Paper▶ Ribbons▶ Magnetic media


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Identifying the Threats

▶ Examples:▶ Unauthorized access to resources and/or information▶ Unintended and/or unauthorized disclosure of information▶ Denial of service


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Who should be Involved When Forming Policy?▶ Site security administrator▶ Information technology technical staff

▶ e.g. staff from Computer center▶ Administrators of large user groups within the organization

▶ e.g. computer science department within a university▶ Business divisions within a business organization

▶ Security incident response team▶ Representatives of the user groups affected by the security policy▶ Responsible management▶ Legal counsel (if appropriate)


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


What Makes a Good Security Policy?

1) Must be implementable through▶ System administration procedures▶ Publishing of acceptable use guidelines▶ Other appropriate methods


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


What Makes a Good Security Policy?

2) Must be enforceable with security tools, where appropriate▶ and with sanctions , where actual prevention is not technically

feasible3) Must clearly define the areas of responsibility for

▶ the users▶ administrators, and▶ management


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


The Components of Security Policy

1) Guidelines for Computer technology purchasing▶ Specify required security features▶ Should supplement existing purchasing policies and guidelines


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



2) A privacy policy▶ defines reasonable expectations of privacy regarding issues such

as▶ monitoring of E-mail▶ logging of keystroke▶ access to users’ files


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



3) An access policy (cont.)▶ provides guidelines for

▶ external connection▶ data communications▶ connecting devices to a network▶ adding new software to systems

▶ specifies any required notification messages▶ i.e. connect message should provides warning about authorized

usage and line monitoring (not just say “welcome”)


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



4) An accountability policy▶ defines the responsibilities of

▶ Users▶ operation staff▶ Management

▶ specifies audit capability▶ provides incident handling guidelines, i.e., if a possible intrusion is

defected▶ what to do▶ who to contact


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



5) An authentication policy▶ setting guidelines for authentication and the use of authentication

deices such as one-time password , etc.6) An availability statement

▶ sets users’ expectation for the availability of resources▶ should address redundancy and recovery issues▶ specifies operating hours and maintenance down-time periods▶ specifies contact information for reporting system and network

failures


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



7) An information technology system & network maintenance policy.▶ describes how external and internal maintenance people are

allowed to handle and access technology▶ Whether remote maintenance is allowed

-- how to control the access?▶ Maintenance outsourcing?

-- how to manage?


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



8) A violation reporting policy▶ indicates which types of violations must be reported

▶ report to whom▶ a possibility of anonymous reporting

▶ provides a greater probability that a violation will be reported if itis detected


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



9) Supporting information▶ provides contact information for each type of policy violations▶ provides guidelines

▶ how to handle outside queries about a security incident▶ provides cross-reference to security procedures and related

information, such as▶ organization policies and government laws


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


After the Security Policy Has Been Established

▶ Make an announcement▶ To all parties : users, IT staff , management

▶ Have everyone sign a statement indicating that they have▶ Read▶ Understood ,and▶ Agreed to abide by the policy

▶ Review the policy on a regular basis▶ Whether it is successfully supporting the organization security

needs


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Suggestion of Writing Policy▶ Suggestion: to get a decent policy for an organization (which

currently no security policy)1) Write a security policy for your organization

▶ Say nothing specific▶ State generalities▶ Should cover no more than 5 pages▶ Should not take more than 2 days to write▶ Don’t ask for help, do it yourself▶ Don’t try to make it perfect, just try to get some key issues written

down▶ It doesn’t have to be complete▶ It doesn’t have to be crystal clear

▶ ---->*From : T. A. Wadlow, The process of network securityอาจารย ดร. ชนันทกรณ จันแดง info@wuITM-742 Network Security Management 316 / 335

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Suggestion of Writing Policy

▶ Suggestion (cont.)2) find 3 people who are willing to become “security committee”: their job is

▶ To make ruling and amendment to the policy▶ To be judges, not enforcers

3) create an internal web site▶ with

▶ policy page▶ Committee contact information

▶ Amendments▶ Approved and added to the web site as quick as possible


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



▶ Suggestion (cont.)4) treat the policy as if it were absolute rule of the law

▶ Do not violate the policy▶ Allow no violation to occur

5) if someone has a problem with the policy▶ Have the person propose an amendment▶ The policy committee members need to agree

▶ Make an amendment


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



▶ Suggestion (cont.)6) schedule a regular meeting to consolidate policy andamendments

▶ Once a year, for example▶ Involve

-- You and the security committee-- Current security policy and the amendments

▶ Make a new policy statements7) repeat the processes 3-6


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Contents of Security Policy

▶ Contents1) What are we protecting?

▶ Describe in detail-- The types of security levels expected to have in an organization-- Characterize the machines on the network (for example)


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



▶ Contents (cont.)▶ Red : contains extremely confidential information or provide

mission-critical service▶ Yellow : contains sensitive information or provides important

service▶ Green : able to access red or yellow machines but does not

directly store sensitive information or perform crucial function▶ White : unable to access red, yellow, or green systems but not

externally accessible. No sensitive information or function▶ Black : externally accessible. Unable to access red, yellow, green

or white systems


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



▶ Contents (cont.)2) Methods of protection

▶ Describe-- Levels for protection-- Priorities for protection-- For example


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



▶ Contents (cont.)▶ Organization priorities :

1. health and human safety2. compliant with applicable local, state, and federal laws3. Preservation of the interests of the organization4. Preservation of the interests of partners of the organization5. Free and open dissemination of nonsensitive information


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Contents of Security PolicyContents (cont.)


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.




...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Contents of Security Policy▶ Contents (cont.)

3) Responsibility▶ Describes the responsibilities, privileges that are accorded each

class of system user : e.g.▶ General

▶ Knowledge of this policy▶ All actions in accordance with this policy▶ Report any known violations of this policy to security▶ Report any suspected problems with this policy to security

▶ System admin/operations▶ All user information to be treated as confidential▶ No authorised access to confidential information▶ Indemnified for any action consistent with systems administrator

code of conductอาจารย ดร. ชนันทกรณ จันแดง info@wuITM-742 Network Security Management 326 / 335

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



▶ Security Administrator▶ Highest level of ethical conduct▶ Indemnified for any action consistent with security officer code of

conduct▶ Contractor

▶ Access to specifically authorised machine in specifically authorisedfashion

▶ Request advance authorisation in writing for any actions whichmight be interpreted as security issue

▶ Guest▶ No access to any computing facilities except with written advance

notice to securityอาจารย ดร. ชนันทกรณ จันแดง info@wuITM-742 Network Security Management 327 / 335

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



▶ Contents (cont.)4) Appropriate Use

▶ Describe the ways in which employees should not use the network▶ General

▶ Minimal personal use during normal business hours▶ No use of network for outside business activity▶ Access to Internet resource consistent with HR policies

▶ System admin▶ Responsible access to sensitive or personal information on the

network▶ All special access justifiable for business operations


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



▶ Security Personal▶ General

▶ Responsible access to sensitive information on the network▶ All special access justifiable for business operations▶ Use of security tools for legitimate business purpose only

▶ Contractor▶ No personal access any time▶ Minimal use of the network and only for specific reasons relating to

specific contracts▶ Guest

▶ No use of the network at any time


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



▶ Contents (cont.)5) Consequence

▶ Describe the way in which the magnitude of a policy violation isdetermined and the categories of consequences. e.g.

▶ Security review board▶ Penalties

-- Critical-- Serious-- limited


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Monitoring Your Network

▶ The Shape of Logging System▶ What to Log▶ Logging Mechanisms▶ Time▶ Sensor▶ Log Management


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Monitoring Your Network

▶ Goals of a monitoring system:Logging▶ Reduce the likelihood of an attack going unlogged▶ Increase the likelihood that the events logged for an attack will be

recognized as an attack


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


ISO27001 : 2013


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Outlines

▶ ภาพรวมและขอกำหนดมาตรฐาน ISO27001:2013▶ Writing a security policy▶ Monitoring the network▶ Auditing the network

▶ Syslog▶ Syslog-ng


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.



-Star War



บทที่ 5 Fundamental of Network...

Documents

Transcript of บทที่ 5 Fundamental of Network...