What is Firewall? - PowerPoint PPT Presentation

About This Presentation

Title:

What is Firewall?

Description:

What is Firewall? Design goals All traffic from inside to outside and vice versa must pass through the firewall A single checking point that keeps unauthorized ... – PowerPoint PPT presentation

Number of Views:916

Avg rating:3.0/5.0

Slides: 56

Provided by: jlin83

Category:

more less

Transcript and Presenter's Notes

Title: What is Firewall?

1
What is Firewall?

Design goals
All traffic from inside to outside and vice
versa must pass through the firewall
A single checking point that keeps unauthorized
traffic (i.e., worm) out of the protected network

Internet
2
How it functions?

Technique
Control access via security policy
Types
Packet filter router
Application-level gateway
Stateful filter vs. stateless filter
Personal firewall

3
Packet-Filtering Router

Packet-Filtering Router
Applies a set of rules to each incoming IP packet
Decides forwarding or discarding the packet
Only examine the header, do not see inside a
packet
Pros Cons
Simple
No application-specific protection

HTTP
Internet
Telnet
129.10.10.1
209.10.10.1
4
Packet-Filtering Router

Filtering rules
Src/dest IP address src/dest port protocol
field etc.
Default
Discard vs. forward

action Internal host address Internal port External host address External port function
block 192.10.. Block all packets from 192.10..
action Internal host address Internal port External host address External port function
allow 129.10.10.3 25 Allow inbound mail to 129.10.10.3
5
Packet-Filtering Router

The dangerous services
finger (port 79)
telnet (port 23)
ftp (port 21)
rlogin (port 513)
ICMP

finger
Internet
Telnet
ftp
rlogin
6
Stateful Inspection Firewall

Stateful Inspection Firewall
Maintains state information from one packet to
another in the input stream
Tightens up the rules for TCP traffic

Source address Source port Destination address Destination port State
192.10.10.16 3321 216.10.18.123 80 established
7
Application-level gateway

Application level proxy/gateway
Relay of application traffic
Run pseudoapplications
Looks to the inside as if it is the outside
connection
Looks to the outside as if it is the inside
Pros Cons
Processing overhead
Diverse functionality

HTTP
Internet
SMTP
FTP
TELNET
8
Deployment

Considerations
Performance
Security of firewall itself
Runs on minimized OS
non-firewall functions should not be done on the
same machine
Network Topology

HTTP
Internet
SMTP
FTP
TELNET
Packet filter
Application gateway
9
Personal Firewall

Personal Firewall
An application that runs on a personal computer
to block unwanted traffic
Product
ZoneAlarm
www.zonelabs.com
BlackICE Defender
blackice.iss.net
Tiny Personal Firewall
www.tinysoftware.com
Norton Personal Firewall
www.symantec.com
Windows

10
Benefit Limitation

Benefit
Provides a location for monitoring
security-related events
Provides a platform for security-related
functions NAT, IPSec
Limitations
Attacks that bypass firewall
Internal threats
Performance
Usability vs. security

11
Intrusion Detection System

12
Background

What is Intrusion
An intrusion can be defined as any set of actions
that attempt to compromise the integrity,
confidentiality or availability of a resource.
Heady R. 1990
Three classes of intruder
Masquerader illegitimate user penetrates the
system using a legitimate users account
Misfeasor legitimate user misuses his/her
privileges, accessing resources that is not
authorized
Clandestine user -- privileged user uses
supervisory control to suppress audit control

13
Background

What is Intrusion Detection System
An Intrusion Detection System (IDS) must
identify, preferably in real time, unauthorized
use, misuse and abuse of computer systems
It is a reactive, rather than proactive, form of
system defense.
Classification
Misuse intrusion detection vs. Anomaly intrusion
detection
Misuse intrusion detection -- detect attacks on
known weak points of a system.
Anomaly intrusion detection -- detect by building
up a profile of the system being monitored and
detecting significant deviations from this
profile.
Host-based detection vs. Network-based detection

14
History

Conventional approach to system security
Authentication, Access control and Authorization.
In 1980, James Anderson first proposed that audit
trails should be used to monitor threats.
In 1987, Dorothy Denning presented an abstract
model of an Intrusion Detection System.
In 1988, IDES (Intrusion Detection Expert System)
host-based IDS is developed.
In 1990, Network Security Monitor is developed
network-based IDS is developed.
In 1994, Mark Crosbie and Gene Spafford suggested
the use of autonomous agents in order to improve
the scalability, maintainability, efficiency and
fault tolerance of an IDS.

15
Structure of IDS
Classifier
Alerting System
Agent Manager

Data collection system
Data reduction system
Classifier
Alerting system

Agent I
Agent III
Agent II
Agent IV
Data reduction
Data collection
System Call
Audit Files
16
Data Collection and Reduction

Data source
Audit files
system audit files messages,xferlog,syslog,sulog,
.bash_ history...
application audit files Web server log files,.
System Call
Audit record Denning 87
Subject, Action, Object, Exception, Resource
usage, Time stamp
User operation ? elementary actions
COPY GAME.EXE to /usr/GAME.EXE

Smith exec COPY.EXE 0 CPU 00002 1058721678
Smith read GAME.EXE 0 RECORDS 1 1058721679
Smith exec COPY.EXE Write-viol RECORDS 0 1058721680
17
Misuse intrusion detection

Misuse intrusion detection
Use patterns of well-known attacks or weak spots
of the system to match and identify intrusions
Perform pattern matching
Used in the environment where a rule can be
recognized.
Example
Misuse Intrusion Detection (Purdue) using Patten
Matching
USTAT, a real-time IDS (UCSB) using State
Transition Analysis
IDES using rule - based expert system

18
(No Transcript)
19
Port scan
Password guessing
20
Anomaly Intrusion Detection

Anomaly Intrusion Detection
Establish normal usage profiles
Observe deviation from the normal usage patterns
Example profiles loginfrequency,
locationfrequency, UseofCPU,UseofIO,
ExecutionFrequencyFileReadFails?FileWriteFails
Metrics
Mean and standard deviation
Multivariate
Markov process
Time Series
Approaches
Data Mining Approaches
Neural Networks
Colored-petri-net

21
(No Transcript)
22
Distributed IDS
23
Honey Pot

Honeypots are closely monitored network decoys
Distract adversaries from more valuable machines
on a network
Provide early warning about new attack and
exploitation trends
Example
Honeypot can simulate one or more network
services that you designate on your computer's
ports.

24
Product

http//www.snort.org/
Snort is an open source network intrusion
prevention and detection system utilizing a
rule-driven language, which combines the benefits
of signature, protocol and anomaly based
inspection methods.
http//www.dshield.org/
A distributed intrusion detection system, or a
distributed firewall system. ? an attempt to
collect data about cracker activity from all over
the internet. This data will be cataloged and
summarized. It can be used to discover trends in
activity and prepare better firewall rules.
Right now, the system is tailored to simple
packet filters. As firewall systems that produce
easy to parse packet filter logs are now
available for most operating systems, this data
can be submitted and used without much effort.
NFR Security Inc.
NFR Security provides a comprehensive, integrated
intrusion detection system that protects networks
and hosts from known/unknown attacks, misuse,
abuse and anomalies.http//www.nfr.com
Real Secure by ISShttp//www.iss.net/products_ser
vices/enterprise_protection/

25
Outline

Introduction
A Frame for Intrusion Detection System
Intrusion Detection Techniques
Ideas for Improving Intrusion Detection

26
What is the Intrusion Detection

Intrusions are the activities that violate the
security policy of system.
Intrusion Detection is the process used to
identify intrusions.

27
Types of Intrusion Detection System(1)

Based on the sources of the audit information
used by each IDS, the IDSs may be classified into
Host-base IDSs
Distributed IDSs
Network-based IDSs

28
Types of Intrusion Detection System(2)

Host-based IDSs
Get audit data from host audit trails.
Detect attacks against a single host
Distributed IDSs
Gather audit data from multiple host and possibly
the network that connects the hosts
Detect attacks involving multiple hosts
Network-Based IDSs
Use network traffic as the audit data source,
relieving the burden on the hosts that usually
provide normal computing services
Detect attacks from network.

29
Intrusion Detection Techniques

Misuse detection
Catch the intrusions in terms of the
characteristics of known attacks or system
vulnerabilities.
Anomaly detection
Detect any action that significantly deviates
from the normal behavior.

30
Misuse Detection

Based on known attack actions.
Feature extract from known intrusions
Integrate the Human knowledge.
The rules are pre-defined
Disadvantage
Cannot detect novel or unknown attacks

31
Misuse Detection Methods System
Method
Rule-based Languages
State Transition Analysis
Colored Petri Automata
Expert System
Case Based reasoning
32
Anomaly Detection

Based on the normal behavior of a subject.
Sometime assume the training audit data does not
include intrusion data.
Any action that significantly deviates from the
normal behavior is considered intrusion.

33
Anomaly Detection Methods System
Method
Statistical method
Machine Learning techniques Time-Based inductive Machine Instance Based Learning Neural Network
Data mining approaches
34
Anomaly Detection Disadvantages

Based on audit data collected over a period of
normal operation.
When a noise(intrusion) data in the training
data, it will make a mis-classification.
How to decide the features to be used. The
features are usually decided by domain experts.
It may be not completely.

35
Misuse Detection vs. Anomaly Detection
Advantage Disadvantage
Misuse Detection Accurately and generate much fewer false alarm Cannot detect novel or unknown attacks
Anomaly Detection Is able to detect unknown attacks based on audit High false-alarm and limited by training data.
36
The Frame for Intrusion Detection
37
Intrusion Detection Approaches

Define and extract the features of behavior in
system
Define and extract the Rules of Intrusion
Apply the rules to detect the intrusion

Audit Data
3
Training Audit Data
Features
Rules
Pattern matching or Classification
3
2
1
38
Thinking about The Intrusion Detection System

Intrusion Detection system is a pattern discover
and pattern recognition system.
The Pattern (Rule) is the most important part in
the Intrusion Detection System
Pattern(Rule) Expression
Pattern(Rule) Discover
Pattern Matching Pattern Recognition.

39
(No Transcript)
40
Rule Discover Method

Expert System
Measure Based method
Statistical method
Information-Theoretic Measures
Outlier analysis
Discovery Association Rules
Classification
Cluster

41
Pattern Matching Pattern Recognition Methods

Pattern Matching
State Transition Automata Analysis
Case Based reasoning
Expert System
Measure Based method
Statistical method
Information-Theoretic Measures
Outlier analysis
Association Pattern
Machine Learning method

42
Intrusion Detection Techniques
43
Intrusion Detection Techniques

Pattern Matching
Measure Based method
Data Mining method
Machine Learning Method

44
Association Pattern Discover

Goal is to derive multi-feature (attribute)
correlations from a set of records.
An expression of an association pattern

The Pattern Discover Algorithm
Apriori Algorithm
FP(frequent pattern)-Tree

45
Association Pattern Detecting

Statistics Approaches
Constructing temporal statistical features from
discovered pattern.
Using measure-based method to detect intrusion

46
Machine Learning Method

Time-Based Inductive Machine
Like Bayes Network, use the probability and a
direct graph to predict the next event
Instance Based Learning
Define a distance to measure the similarity
between feature vectors
Neural Network

47
Classification

This is supervised learning. The class will be
predetermined in training phase.
Define the character of classes in training
phase.
A common approach in pattern recognition system

48
Clustering

This is unsupervised learning. There are not
predetermined classes in data.
Given a set of measurement, the aim is that
establishes the class or group in the data. It
will output the character of each class or group.
In the detection phase, this method will get more
time cost (O(n2)). I suggest this method only use
in pattern discover phase

49
Association Pattern Detecting

Using the pattern matching algorithm to match the
pattern in sequent data for detecting intrusion.
No necessary to construct the measure.
But its time cost depends on the number of
association patterns.
Constructs a pattern tree to improve the pattern
matching time cost to linear time

50
Discover Pattern from Rules

The existing rules are the knowledge from experts
knowledge or other system.
The different methods will measure different
aspects of intrusions.
Combine these rules may find other new patterns
of unknown attack.
For example
Snort has a set of rule which come from different
people. The rules may have different aspects of
intrusions.
We can use the data mining or machine learning
method to discover the pattern from these rule.