NCSU CSC (ECE) 574 - Firewalls and Intrusion Detection Systems
Computer Science CSC/ECE 574 Computer and Network Security
Topic 8.4 Firewalls and Intrusion Detection Systems (IDS)
CSC/ECE 574, Dr. Peng Ning

Outline
• Firewalls
  – Filtering firewalls
  – Proxy firewalls
• Intrusion Detection System (IDS)
  – Rule-based IDS
  – Anomaly detection IDS
  – Host-based vs. network-based IDS

Overview of Firewalls

Internet Security Mechanisms
• Goal: prevent if possible; detect quickly otherwise; and confine the damage
  – Prevent: Firewall, IPsec, SSL
  – Detect: Intrusion Detection
  – Survive/Response: Recovery, Forensics

Basic Terms
• Vulnerabilities
• Intrusions (attacks) and Intrusion Detection Systems (IDS)
• Alert or alarm: message generated by IDS

Example Attacks
• Disclosure, modification, and destruction of data
• Compromise host and then attack other systems
• Monitoring and capture of user passwords, then masquerade as authorized user

Firewalls
• Provides secure connectivity between networks
• Implements and enforces a security policy for communication between networks

Firewalls (Cont'd)
• Many organizations have distinct needs
  – access by anyone to public data concerning the company
  – access only by employees to internal data
• Solution: inner and outer (DMZ) networks
[Figure: a firewall router sits between the Internet (untrusted users, untrusted networks & servers) and the intranet (trusted users, trusted networks); the DMZ holds the publicly accessible servers & networks]

Firewall Capabilities
• Controlled access
  – restrict incoming and outgoing traffic according to security policy
• Other functions
  – log traffic, for later analysis
  – network address translation
  – encryption / decryption
  – application (payload) transformations

Limitations of Firewalls
• Cannot protect against traffic that does not cross it
  – i.e., there may be other ingress points to the network, such as modems or wireless access points, that bypass the firewall
  – doesn't protect against "inside" attacks
• Configuration of firewalls to accomplish a desired high-level security policy is non-trivial

Filtering and Proxy Firewalls

Filtering
• Compare traffic to patterns, then process traffic according to rules if matched
• Two styles
  – packet filtering
  – session filtering

Packet Filtering
• Patterns specify values in the header of a single packet, e.g.,
  – source IP address and port number
  – destination IP address and port number
  – transport protocol type

Packet Filtering (cont'd)
• Decisions made on a per-packet basis
  – no state information (about previous packets) is maintained or used
• Assessment
  – easy to implement
  – but limited capabilities
• May be subject to tiny-fragment attack
  – first fragment has only a few bytes
  – rest of TCP header in a second fragment, not examined by firewall

Session Filtering
• Packet decisions are made in the context of a connection or flow of packets
• If packet is the start of a new connection...
  – check against rules for new connections
• If packet is part of an existing connection...
  – check against state-based rules for existing connections
  – update state of this connection

Session Filtering (cont'd)
• Assessment
  – more powerful than packet filtering, can recognize more sophisticated threats or implement more complex policies
  – also more expensive to implement
[Figure: the protocol stacks of two end hosts (Applications, Presentations, Sessions, Transport, Network, Data Link, Physical) with a session-filtering firewall between them that maintains Dynamic State Tables]

Application: Telnet
[Figure: Telnet client (port=1234) and Telnet server (port=23); the client sends "USE PORT 1234" and the server replies "ACK"]
• Client opens channel to server; tells server its port number. The ACK bit is not set when initiating the connection but will be set on the remaining packets.
• Server acknowledges.

Example: Firewall Access for Telnet
Format:
access-list <rule number> <permit|deny> <protocol> <SOURCE host with IP address | any | IP address and mask> [<gt|eq port number>] <DEST host with IP address | any | IP address and mask> [<gt|eq port number>]

The following allows a user to telnet from an IP address (172.168.10.11) to any destination, but not vice-versa:

access-list 100 permit tcp host 172.168.10.11 gt 1023 any eq 23
! Allows packets out to remote Telnet servers
access-list 101 permit tcp any eq 23 host 172.168.10.11 established
! Allows returning packets to come back in. It verifies that the ACK bit is set
interface Ethernet 0
access-list 100 out
! Apply the first rule to outbound traffic
access-list 101 in
! Apply the second rule to inbound traffic

Note: any packets not explicitly permitted in an access list are assumed to be denied or dropped.

Application: FTP
[Figure: FTP client (port=5150 command, port=5151 data) and FTP server (port=21 command, port=20 data); the client sends "USE PORT 5151", the server replies "OK", the server opens the DATA CHANNEL to the client, and the client replies with a TCP ACK]
• Client opens command channel to server; tells server second port number.
• Server acknowledges.
• Server opens data channel to client's second port.
• Client acknowledges.

Example: Firewall Access for FTP
Allow a user to FTP (not passive FTP) from any IP address to the FTP server (172.168.10.12):

access-list 100 permit tcp any gt 1023 host 172.168.10.12 eq 21
access-list 100 permit tcp any gt 1023 host 172.168.10.12 eq 20
! Allows packets from any client to the FTP control and data ports
access-list 101 permit tcp host 172.168.10.12 eq 21 any gt 1023
access-list 101 permit
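As an added example (not part of the lecture slides), a small Python evaluator for the extended access-list syntax the slides use, applied to constructed Telnet packets. It implements first-match semantics, the implicit deny, and the `established` (ACK-bit) check that the return-traffic rule relies on; the Packet type, the helper names and the packet values are assumptions made for this example, and only the `host`/`any` address forms are supported.

```python
from collections import namedtuple
# Constructed packet model: src/dst IPs, ports, and the TCP ACK flag
# (clear on the initial SYN, set on every later packet of the connection).
Packet = namedtuple("Packet", "src sport dst dport ack")

def _parse_addr(tokens):
    """Consume 'host A.B.C.D' or 'any'; return (matcher, remaining tokens)."""
    if tokens[0] == "host":
        ip = tokens[1]
        return (lambda a: a == ip), tokens[2:]
    if tokens[0] == "any":
        return (lambda a: True), tokens[1:]
    raise ValueError("unsupported address form: " + tokens[0])

def _parse_port(tokens):
    """Optionally consume 'gt N' or 'eq N'; return (matcher, remaining tokens)."""
    if tokens and tokens[0] in ("gt", "eq"):
        op, n = tokens[0], int(tokens[1])
        return (lambda p: p > n if op == "gt" else p == n), tokens[2:]
    return (lambda p: True), tokens

def parse_rule(line):
    """Parse 'access-list <id> permit|deny tcp <src> [port] <dst> [port] [established]'."""
    t = line.split("!")[0].split()  # '!' starts a comment, as on the slides
    if not t:
        return None
    acl_id, action = t[1], t[2]
    src, rest = _parse_addr(t[4:])
    sport, rest = _parse_port(rest)
    dst, rest = _parse_addr(rest)
    dport, rest = _parse_port(rest)
    return acl_id, action, src, sport, dst, dport, "established" in rest

def evaluate(acl_text, acl_id, pkt):
    """First matching rule in ACL acl_id wins; no match means deny (implicit deny)."""
    for line in acl_text.splitlines():
        r = parse_rule(line)
        if r is None or r[0] != acl_id:
            continue
        _, action, src, sport, dst, dport, established = r
        if (src(pkt.src) and sport(pkt.sport) and dst(pkt.dst)
                and dport(pkt.dport) and (pkt.ack or not established)):
            return action
    return "deny"

# The two Telnet rules from the slide, as constructed input text for this example.
TELNET_ACL = """
access-list 100 permit tcp host 172.168.10.11 gt 1023 any eq 23
access-list 101 permit tcp any eq 23 host 172.168.10.11 established
"""
```

An inbound packet from port 23 whose ACK bit is clear (a fresh connection attempt aimed at the inside host) is denied by ACL 101, while the true return traffic of the client's own session is permitted.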