Cyberdefense Technologies - PowerPoint PPT Presentation

Slides: 37
Provided by: bm1v

Transcript and Presenter's Notes

1
Cyberdefense Technologies
  • Firewalls
  • Intrusion detection
  • And beyond

2
Defensive Strategy
  • Deceive the attacker
  • Frustrate the attacker
  • Resist the attacker
  • Recognize and Respond to the attacker

3
Security Desires
  • Logging of successful connections, rejected
    packets and suspected attacks
  • Immunity to Denial of Service attacks
  • Protection against information gathering probes

4
Defenses against DoS
  • The best defense against DDoS attacks is to
    prevent initial system compromises
  • However, even vigilant hosts can become targets
    because of less prepared, less security-aware
    hosts
  • It is difficult to specifically defend against
    becoming the ultimate target of a DDoS attack, but
    protection against being used as a daemon (agent)
    or master (handler) system is more easily attainable

5
Ingress Filtering
  • Ingress filtering manages the flow of traffic as
    it enters a network under your administrative
    control
  • Servers are typically the only machines that
    need to accept inbound connections from the
    public Internet
  • Ingress filtering can be performed at the border
    to prohibit externally initiated inbound
    connections to non-authorized services

6
Egress Filtering
  • Egress filtering manages the flow of traffic as
    it leaves a network under your administrative
    control
  • Egress filtering at sources with many loosely
    managed hosts, such as university campuses, can
    make a difference: a compromised host can no longer
    emit packets with forged source addresses, and
    outbound connections to unexpected services stand out
  • Egress filtering alone does not provide a
    complete solution to the problem

7
Firewalls
  • Defensive middle ground between public and
    protected network
  • The demands on a firewall differ significantly
  • An internal network (where a balance has to be
    found between what may come in and go out), a
    publicly accessible website, and a virtual private
    network pose very different problems

8
Firewalls are for policy control
  • They permit a site's administrator to set a
    policy on external access
  • Just as file permissions enforce an internal
    security policy, a firewall can enforce an
    external security policy

9
Firewall Technologies
  • Network Address Translation (NAT)
  • Most use packet filtering rules to determine
    packet access
  • Some use stateful inspection to manage
    connections
  • Some application proxy support
  • A few allow custom proxy creation (bonus)

10
Static Packet Filtering
  • Uses information in packet headers:
  • Destination IP address
  • Source IP subnet
  • Destination service port
  • Information is compared with an Access Control List
    (ACL)
  • TCP flags: block anything with SYN=1 (a new
    connection attempt). But port scanners can send
    probes with ACK=1 or FIN=1 and all other flags set
    to 0, which a static filter passes as if they were
    part of an existing connection
  • Flag checks are not an option with UDP, which has
    no flags and no connection setup

11
Example Attack
Hacker's objective: gain control of an internal NT
server from the Internet
12
Dynamic Packet Filtering (Stateful Inspection)
  • Acts on the same principle as static packet
    filtering, but maintains a connection or state
    table in order to track each communication session,
    so a packet is only accepted if it belongs to a
    connection the table already knows about
  • Harder to abuse
  • Filtering is hard to configure to full satisfaction
    and reduces the router's performance
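
The slides on ingress filtering, egress filtering, static packet filtering and stateful inspection describe one border policy seen from four angles. The toy filter below, an added example that is not from the presentation, puts them side by side: `ingress_static` applies the ACL (new inbound connections only to listed servers, and nothing claiming our own prefix as its source), `egress_static` applies the BCP 38 rule that only packets sourced from our prefix may leave, and `StatefulFilter` adds the connection table. The site prefix, server list and all addresses (RFC 5737 documentation ranges) are assumptions.

```python
"""Toy border filter: static ACL versus stateful inspection (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Set, Tuple

OUR_NET = ip_network("192.0.2.0/24")                       # assumed site prefix
PUBLIC_SERVERS = {("192.0.2.10", 80), ("192.0.2.10", 443),
                  ("192.0.2.25", 25)}                      # assumed: only these accept inbound


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    flags: FrozenSet[str] = frozenset()      # TCP flag names, e.g. {"SYN"} or {"ACK"}


def is_new_tcp(p: Packet) -> bool:
    """SYN without ACK is the only packet that starts a TCP connection."""
    return p.proto == "tcp" and "SYN" in p.flags and "ACK" not in p.flags


def ingress_static(p: Packet) -> bool:
    """Static filter for packets arriving from the Internet."""
    if ip_address(p.src) in OUR_NET:
        return False                  # our own prefix cannot legitimately arrive from outside
    if is_new_tcp(p):
        return (p.dst, p.dport) in PUBLIC_SERVERS
    # Anything that is not a connection attempt is assumed to be a reply.
    # This is the hole the slide describes: an ACK-only or FIN-only probe passes.
    return True


def egress_static(p: Packet) -> bool:
    """Egress rule (BCP 38): only packets sourced from our own prefix may leave."""
    return ip_address(p.src) in OUR_NET


class StatefulFilter:
    """Same ACL, plus a connection table so non-SYN packets must match a session."""

    def __init__(self) -> None:
        self.sessions: Set[Tuple[str, int, str, int]] = set()   # (local ip, port, remote ip, port)

    def outbound(self, p: Packet) -> bool:
        if not egress_static(p):
            return False
        if p.proto == "udp" or is_new_tcp(p):
            self.sessions.add((p.src, p.sport, p.dst, p.dport))   # remember what we opened
        return True

    def inbound(self, p: Packet) -> bool:
        if not ingress_static(p):
            return False
        if is_new_tcp(p):
            self.sessions.add((p.dst, p.dport, p.src, p.sport))   # already limited to servers
            return True
        # Replies and probes alike must belong to a session the table knows about.
        return (p.dst, p.dport, p.src, p.sport) in self.sessions


def compare(p: Packet, sf: StatefulFilter) -> Tuple[bool, bool]:
    """(static verdict, stateful verdict) for one inbound packet."""
    return ingress_static(p), sf.inbound(p)


if __name__ == "__main__":
    sf = StatefulFilter()
    ack_scan = Packet("203.0.113.9", 31337, "192.0.2.50", 22, flags=frozenset({"ACK"}))
    print("ACK scan of an inside workstation, static vs stateful:", compare(ack_scan, sf))
```

Run it and the ACK probe comes back `(True, False)`: the static ACL lets it through to port 22 of a workstation that accepts no inbound connections, the stateful filter drops it because no session matches. The usual trade-off applies: the state table costs memory and lookups on every packet, which is the performance cost the next slide mentions.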

13
Problems with Firewalls
  • Conventional firewalls rely on the notions of a
    restricted topology and controlled entry points to
    function
  • Everyone on one side of the firewall is trusted
  • Anyone on the other side is potentially an enemy
  • Extranets can allow outsiders to reach the
    inside of the firewall
  • Some machines need more access to the outside
    than others do
  • End-to-end encryption: firewalls generally do not
    have the necessary keys to inspect the traffic
  • Log review and keeping the software current make
    them high-maintenance

14
Distributed Firewalls
  • In such a scheme policy is still centrally
    defined; enforcement, however, takes place on
    each endpoint
  • Helps control trust issues

15
Distributed Firewalls
16
Distributed Client/Server
17
What are Honeypots?
  • Honeypots are one of the methods used in
    intrusion detection
  • Set up a "decoy" system
  • Non-hardened operating system
  • Appears to have several vulnerabilities
  • Similar configuration to production
  • Fake content
  • Deceive intruder for alert and study

18
(No Transcript)
19
Attracting Blackhats
  • What do you do to attract blackhats to your
    Honeypot?
  • Absolutely nothing, that is the scary part. You
    have to sit back and wait.
  • The blackhat community is extremely aggressive,
    you would be surprised at what they will find.

20
Honeypot as attack host
  • Once compromised, can't the bad guys use one of
    your honeypots to attack someone else?
  • That risk exists!
  • Use several layers of access control devices that
    limit and control what type of outbound
    connections are allowed, and how many
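
One of those layers, as an added example that is not the Honeynet Project's tooling: a governor that decides each outbound connection attempt from the honeypot. It enforces both controls the slide asks for, what type of connection may leave (the production prefix is never reachable) and how many (a sliding one-hour budget per protocol). The budgets, the protected prefix and the addresses are assumptions.

```python
"""Outbound-connection governor for a honeypot (added example)."""
from collections import deque
from ipaddress import ip_address, ip_network
from typing import Deque, Dict

BUDGET_PER_HOUR: Dict[str, int] = {"tcp": 15, "udp": 20, "icmp": 50}   # assumed limits
PRODUCTION_NET = ip_network("192.0.2.0/24")      # assumed: honeypot must never reach it
WINDOW_SECONDS = 3600.0


class OutboundGovernor:
    """Sliding-window counter per protocol plus a destination policy."""

    def __init__(self, budget: Dict[str, int] = BUDGET_PER_HOUR,
                 window: float = WINDOW_SECONDS) -> None:
        self.budget = dict(budget)
        self.window = window
        self.attempts: Dict[str, Deque[float]] = {p: deque() for p in budget}

    def _prune(self, proto: str, now: float) -> None:
        q = self.attempts[proto]
        while q and now - q[0] >= self.window:
            q.popleft()                     # forget attempts older than the window

    def remaining(self, proto: str, now: float) -> int:
        """Connections of this protocol still allowed in the current window."""
        if proto not in self.budget:
            return 0                        # unknown protocol: no budget at all
        self._prune(proto, now)
        return self.budget[proto] - len(self.attempts[proto])

    def allow(self, proto: str, dst: str, now: float) -> bool:
        """Decide one new outbound connection attempt at time `now` (seconds)."""
        if ip_address(dst) in PRODUCTION_NET:
            return False                    # type control: production is off limits
        if self.remaining(proto, now) <= 0:
            return False                    # count control: this hour's budget is spent
        self.attempts[proto].append(now)
        return True
```

The budget is deliberately small: an intruder still gets to fetch a toolkit or talk to an IRC server, which is what you want to observe, but cannot run a flood or a scan of any size from your address space. Denied attempts are worth logging on the same device, since a sudden burst of refusals is itself a strong signal that the honeypot has been taken.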

21
The Honeynet project
  • Distributed team of security experts
  • Hardware to capture and analyze intruder activity
  • Evolving honeypot technology and attack analysis

22
What's wrong with honeypots?
  • The insurance model will not allow you to take
    unnecessary risks without a substantial increase
    in premium
  • Risk management says that honeypots increase
    risk for demonstrably invalid reasons
  • You can learn more by using better
    instrumentation
  • Transient effectiveness

23
Transient Effectiveness
  • The threat reality is that most attackers are
    morons and will attack with DoS if denied real
    access
  • Honeypots must be kept up to date but in general
    aren't
  • Honeypots must act like the host operating
    system
  • Fix current problems rather than generating new
    ones

24
Too many hosts to secure
  • Virtually all operating systems and network
    devices are insecure out of the box
  • This must change
  • Operating systems maintained by normal users must
    be set to take care of themselves by default
  • Growth of the net will be the single largest
    factor in why there are so many vulnerable
    systems
  • It is unrealistic to assume that the net will
    ever be safe

25
Where does IDS fit?
  • IDS are useful as an additional layer of defense,
    no more
  • IDS are not helpful when advanced attackers are
    attacking you with new attacks
  • Two major types today: network IDS (Snort) and
    host IDS (AIDE, log watchers, etc.)
  • Missing IDS type: application IDS
  • High false alarm rates (wasted admin time)

26
IDS and Policy
  • Security Policy is the first step (defining what
    is acceptable and what is being defended)
  • Notification
  • Who, how fast?
  • Response Coordination

27
Jane did a port sweep! (NMAP)
28
IDS Implementation Map
29
Detection Engine
  • Rules form signatures
  • Modular detection elements are combined to form
    these signatures
  • Wide range of detection capabilities
  • Stealth scans, OS fingerprinting, buffer
    overflows, back doors, CGI exploits, etc.
  • Rules system is very flexible, and creation of
    new rules is relatively simple
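
To make "modular detection elements combined to form signatures" concrete, here is a matcher for a small subset of the Snort rule language. It is an added example, not Snort's code: it handles the rule header (action, protocol, source, `->`, destination), `any`, CIDR and the `$HOME_NET` variable, port numbers and ranges, and the options `msg`, `sid`, `content`, `nocase` and `flags` (exact set, or `+` for "at least these"). `flow`, `pcre`, `byte_test`, bidirectional rules and the rest of the real language are out of scope. The four rules, the `$HOME_NET` value and the sample packets are constructed for illustration; the sids are in the local range.

```python
"""Matcher for a subset of Snort rules (added example, not Snort)."""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Tuple

VARS = {"$HOME_NET": ip_network("192.0.2.0/24")}          # assumed site prefix

RULES = '''
alert tcp any any -> $HOME_NET 80 (msg:"WEB-CGI phf access"; content:"/cgi-bin/phf"; nocase; sid:1000001;)
alert tcp any any -> $HOME_NET any (msg:"SCAN FIN"; flags:F; sid:1000002;)
alert tcp any any -> $HOME_NET any (msg:"SCAN nmap XMAS"; flags:FPU; sid:1000003;)
alert udp any any -> $HOME_NET 53 (msg:"DNS version.bind query"; content:"version"; nocase; content:"bind"; nocase; sid:1000004;)
'''

HEADER = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)$')
OPTION = re.compile(r'\s*(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: str = ""            # Snort letters: F S R P A U
    payload: bytes = b""


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str = ""
    sid: int = 0
    flags: str = ""                                       # e.g. "F" or "S+"
    contents: List[Tuple[bytes, bool]] = field(default_factory=list)   # (pattern, nocase)


def parse_rule(line: str) -> Rule:
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("bad rule header: " + line)
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    if direction != "->":
        raise ValueError("only -> rules are supported here")
    rule = Rule(action, proto, src, sport, dst, dport)
    for key, raw in OPTION.findall(opts):                 # options keep their order
        val = raw.strip().strip('"') if raw else ""
        if key == "msg":
            rule.msg = val
        elif key == "sid":
            rule.sid = int(val)
        elif key == "flags":
            rule.flags = val
        elif key == "content":
            rule.contents.append((val.encode(), False))
        elif key == "nocase" and rule.contents:           # nocase modifies the preceding content
            pat, _ = rule.contents[-1]
            rule.contents[-1] = (pat, True)
    return rule


def _addr_ok(spec: str, ip: str) -> bool:
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    elif spec in VARS:
        hit = ip_address(ip) in VARS[spec]
    else:
        hit = ip_address(ip) in ip_network(spec, strict=False)
    return hit != negate


def _port_ok(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    lo, sep, hi = spec.partition(":")                     # "80", "1024:", ":1023", "20:21"
    low = int(lo) if lo else 0
    high = int(hi) if hi else (low if not sep else 65535)
    return low <= port <= high


def _flags_ok(spec: str, flags: str) -> bool:
    if not spec:
        return True
    want, have = set(spec.rstrip("+")), set(flags)
    return want <= have if spec.endswith("+") else want == have


def rule_matches(rule: Rule, p: Packet) -> bool:
    if rule.proto not in (p.proto, "ip"):
        return False
    if not (_addr_ok(rule.src, p.src) and _port_ok(rule.sport, p.sport)
            and _addr_ok(rule.dst, p.dst) and _port_ok(rule.dport, p.dport)):
        return False
    if not _flags_ok(rule.flags, p.flags):
        return False
    for pat, nocase in rule.contents:                     # every content must be present
        hay, needle = (p.payload.lower(), pat.lower()) if nocase else (p.payload, pat)
        if needle not in hay:
            return False
    return True


def detect(rules: List[Rule], p: Packet) -> List[Tuple[int, str]]:
    """Run every rule over one packet; return (sid, msg) for each alert."""
    return [(r.sid, r.msg) for r in rules if r.action == "alert" and rule_matches(r, p)]


RULESET = [parse_rule(line) for line in RULES.strip().splitlines()]
```

The two scan rules show why the flags element matters: `flags:F` fires only on a FIN-only probe, `flags:FPU` only on the XMAS combination, and neither fires on ordinary `PA` data segments. The phf rule shows the limit of content matching that the "What Slips Through" slide returns to: a request written as `/cgi-bin/p%68f` never contains the literal string and walks past this rule.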

30
Learning More
  • www.snort.org
  • Writing Snort Rules
  • www.snort.org/snort_rules.html
  • FAQ, USAGE file, README file, man page
  • Snort mailing lists
  • Books
  • Intrusion Detection: An Analyst's Handbook by
    Northcutt
  • Intrusion Signatures and Analysis by Northcutt
  • The Practical Intrusion Detection Handbook by
    Paul Proctor

31
But What Slips Through?
  • Signatures are built on a traffic model that
    assumes:
  • Attacks stay with the same set of source IPs
  • Attacks have fixed characteristics
  • Packets involved in an attack keep similar
    content
  • Attack traffic is obviously distinguishable from
    legitimate traffic
  • Whatever is legitimate is never malicious
  • Anything that breaks these assumptions slips
    through

32
How do We Catch the Slips?
  • Non-signature based collection
  • Short-term (hours, max): full packet capture,
    rotating -> libpcap
  • Medium-term (weeks, max): headers + content
    summary -> expanded flow
  • Long-term (years): headers + sizes -> flow
  • Privacy concerns
  • Efficiency concerns
  • Sampling concerns

33
What can You Do with Just Flows?
  • Indicative, not probative
  • Time-series, with departures:
    - DDoS ramp-up
    - Scanning worms/viruses
  • Threshold violations:
    - Spam vs. email
    - Streaming media vs. web browsing
  • Locality violations:
    - Malware beaconing
    - Worms/viruses
    - Spyware

34
Automated Response
  • Ongoing work
  • Local indicators fused into an alert
  • Firewalls and IDS exchange intrusion information
  • IODEF standard (Incident Object Description
    Exchange Format)
  • Dynamically alter firewall rules
  • Dynamically alter routing tables to reconfigure the
    network
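
Dynamically altering firewall rules from IDS alerts is the step most likely to hurt you if done naively, so this added example (not from the presentation or any product) shows the two safeguards a practitioner would insist on. Blocks carry a time-to-live scaled by severity, so a false alarm is not permanent, and a never-block list is honoured, because an attacker who knows the IDS blocks on source address can spoof packets from your DNS servers, partners or upstream router and have your own defenses cut you off from them. The prefixes, TTL and the iptables rendering are assumptions for illustration.

```python
"""Alert-driven blocklist with expiry and a never-block list (added example)."""
from ipaddress import ip_address, ip_network
from typing import Dict, List

NEVER_BLOCK = [ip_network("192.0.2.0/24"),       # assumed: our own prefix
               ip_network("198.51.100.53/32")]    # assumed: partner DNS server
BASE_TTL = 600.0                                  # seconds, scaled by alert severity


class DynamicBlocklist:
    def __init__(self, base_ttl: float = BASE_TTL) -> None:
        self.base_ttl = base_ttl
        self.expiry: Dict[str, float] = {}        # source ip -> time the block lapses

    def on_alert(self, src: str, severity: int, now: float) -> bool:
        """IDS hook. Returns True if a block was installed or extended."""
        ip = ip_address(src)
        if severity < 2 or any(ip in net for net in NEVER_BLOCK):
            return False                          # low severity, or a source we must not lose
        until = now + self.base_ttl * severity
        self.expiry[src] = max(self.expiry.get(src, 0.0), until)   # extend, never shorten
        return True

    def expire(self, now: float) -> List[str]:
        """Drop lapsed blocks; returns the sources whose block was lifted."""
        lifted = [s for s, t in self.expiry.items() if t <= now]
        for s in lifted:
            del self.expiry[s]
        return lifted

    def allows(self, src: str, now: float) -> bool:
        self.expire(now)
        return src not in self.expiry

    def firewall_rules(self, now: float) -> List[str]:
        """Render the active blocks as iptables commands (illustrative output format)."""
        self.expire(now)
        return [f"iptables -I INPUT -s {s} -j DROP" for s in sorted(self.expiry)]
```

Whether the rendered rules go to a packet filter, a router ACL or a null route is a deployment detail; what matters is that the same expiry and allowlist logic sits in front of every one of those actions, since the routing-table variant on the slide can take a whole prefix off the net with one spoofed alert.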

35
Layered Architecture
36
Layered Defenses
(Diagram of layered defenses arranged around Goals 1 through 8)
Source: Shawn Butler, Security Attribute Evaluation Method