Intrusion Prevention Flashcards
Firewall
controlled link to erect a security wall or perimeter. Single choke point -> defense in depth
definite rules on what can pass through
rules can use:
- ip address/protocol for specific services
- access controls by application
- access based on user’s identity (ipsec)
- time or request
Scope
single choke point, monitors -> audits, logs, platform for IPSec or VPNs, cannot protect if firewall is bypassed, or if device is infected outside and then attached
Types of firewalls - Packet filtering
Rules on incoming/outgoing IP packet -> discards/forwards
Can define source/dest IP, transport-level protocol, interface
Default policies
discard what is not explicitly allowed, forward which is not explicitly disallowed
discard more conservative -> gov org, businesses
forward more user-friendly -> reduced security, univ
Adding a need to have the ACK flag activated will filter only on requests that have an established connection
cannot prevent application-level vulnerabilities
vulnerable to TCP/IP spec and protocol attacks. Network layer address spoofing. cannot detect Layer 3 address information when altered.
Attacks and countermeasures
IP spoofing, intruder transmits packets from the outside with an address of an internal host -> discard packets with an inside source address that arrive from external interfaces
Source routing attack, source station specifies route a packet takes -> discard all packets that use this option
tiny fragment attacks, intruder uses IP fragmentation to create extremely small fragments and force TCP header into separate packet fragment -> enforce all packets must contain predefined min amount of transport header
Types of firewalls - Stateful inspection
Creates a directory of outbound TCP connections, allows incoming traffic only for packets that fir a profile of one of the entries
Some keep track of TCP seq numbers to prevent attacks like session hijacking
FTP, IM, SIPS commands
Types of firewalls - Application-Level Gateway/Proxy
Relay of application-level traffic.
User contacts gateway -> user authenticates -> gateway relays TCP segments between the two endpoints -> if gateway does not implement the application proxy code is discarded -> explicitly define allowable applications
Adds overhead on each connection
Types of firewalls - Circuit-level gateway/proxy
Sets up two TCP connections, one between itself and a TCP user on inner host and one itself and a TCP user on outside host.
It decides which connections will be allowed
Internal users are trusted -> application-level proxy for inbound and circuit-level for outbound.
SOCKS - Circuit-level gateway
Framework for client-server applications (TCP/UDP)
shim-layer between app and transport layers
TCP Port 1080
socks server -> unix and windows based firewalls
socks client -> internal hosts protected by firewall
socks-ified client programs -> FTP/TELNET recompilation or encapsulation routines
Socks server receives a request to establish an appropriate connection otherwise it denies it. TCP/UDP packets are forwarded as long as the connection remains established.
Firewall basing
Most common -> stand-alone machine runnig Unix or Linux
or a software module in a router/LAN switch or in a server.
Bastion Host
critical strong point + platform for app-level circuit-level gateways or IPSec
executes a secure version of the OS, making it a hardened system
only essential services installed
additional authentication/user allowed to proxy services
can execute only subset of app’s command set
access to only specific host systems
maintains detailed audit information
small sw packages, easier to analyze and check for vulnerabilities
proxies are separate modules that can be uninstalled without affecting operation
No disk access only to read initial config file. Executable code can be made read-only
each proxy runs as a non-privileged user in a private and secured directory
Host-based
rules tailored to host, internal and external attacks must pass through
used along stand-alone it is an additional layer of protection
Network Device
packet filtering, stateful inspection already inside routers/switches monitor and filter packet flows
Virtual Firewall
virtualized versions of server, swtiches, routers, firewall bastion hosts, etc.
Personal Firewall
between personal computer and internet or LAN
deny unauth remote access to computer and monitor outgoing activity (worms, malware)
netfilter (linux) pf (macOS) windows firewall
stealth mode drops unsolicited communication packets
Firewall location
External firewall between internet DMZ and internal firewall
basic protection for enterprise network
Internal firewall protecting workstations, app and db servers
stringent filtering capability
protects the remainder of the network from attacks launched from DMZ systems (worms, rootkits, bots or other malware)
protects DMZ systems from internal attack
Virtual Private Networks
computers interconnect by means of unsecure networks using encryption and special protocols to provide security
VPN uses encryption and authentication in the lower protocol layers to provide a secure connection through an insecure network
encryption done by firewall or routers
most common mechanism is at IP level known as IPSec
IPSec networking device will typically encrypt and compress all traffic going into the WAN and decrypt and uncompress traffic coming from WAN
IPSec might be part of firewall but some filtering capabilities are lost; if its in router device is less secure
Distributed Firewalls
stand-alone firewall devices plus host-based firewalls under central administrative control
set policies and monitor security across the entire network
monitoring includes log aggregation and analysis, firewall statistics and fine-grained remote monitoring
Intrusion Prevention
Attempts to block or prevent detected malicious activity
Can use anomaly detection to identify illegitimate behavior, signature/heuristic detection to identify malicious behavior
Responds by modifying and blocking (network -> packets across perimeter; programs -> system calls)
Like a firewall but uses specialized algorithms
Host-based identify
- modification of system resources -> trojan, backdoors, rootkits can change sys resources, libraries, directories, registry settings user accounts
- privilege-escalation exploits -> ordinary users root access
- buffer-overflow exploits
- access to e-mail contact list -> mailing copy of worm to spread
- directory traversal -> allows hacker to traverse web server outside of permitted range
can be used as a sandbox, quarantines code by isolation, runs and monitors its behavior if violation, it is halted and prevented from executing in the normal system environment.
protects system calls, file system access, registry settings and input/output communications.
Network based IPS
inline NIDS can modify or discard packets and tear down TCP connections
does anomaly and signature/heuristic but also flow data protection
application payload in a seq of packets be reassembled -> filters content of flow if suspects is malicious
does pattern matching, stateful matching, protocol anomaly, traffic anomaly, statistical anomaly.
Distributed or Hybrid IPS
gather data from a large number of hosts or network sensors. Correlate, analyze with updated signatures and behavior patterns.
Digital immune system (IBM) defend against malicious behavior
Snort inline
Drop -> rejects packet based on rules and logs
Reject -> rejects packet and logs result if TCP TCP reset message if UDP/ICMP port unreachable
Sdrop -> rejects a packet but does not log
Replace option modify packets rather than drop them -> good use in combination with a honeypot, attacks fail and attacker does not know why
Unified Threat Management System
replace all inline network products (firewall, IPS, IDS, VPN, antispam, antispyware) with UTM
Includes multiple sec features integrated into one box must be able to perform network firewalling, network ID and IP and gateway anti-virus.
Downside, performance, throughput and latency
Functions
- inbound decrypted if VPN boundary IPSec decryption is performed
- initial firewall filters traffic, discard packets violate rules pass packet that conform
- multiple modules process packets at multiple protocol levels
- data analysis engine reassembles multipacket payloads
- some traffic may need to be reencrypted
- all detected threads reported to logging and reporting module
- bandwidth-shaping module can use various priority and QoS algorithms to optimize performance
