In this chapter, we will learn about Intrusion Detection Systems, ways to detect an intrusion, and various types of Intrusion Detection Systems. This chapter focuses on firewalls, types of firewalls, honeypots, and types of honeypots. This chapter covers firewall evading tools and firewall and IDS penetration testing.
16.1 Understand Intrusion Detection Systems (IDS)
Exam Focus: Understand Intrusion Detection Systems (IDS). Objective includes:
- Understand Intrusion Detection Systems (IDS).
- Learn ways to detect an intrusion.
- Acquire knowledge on various types of Intrusion Detection Systems.
Intrusion Detection System
An Intrusion Detection System (IDS) is used to detect unauthorized attempts at accessing and manipulating computer systems locally, through the Internet or through an intranet. It can detect several types of attacks and malicious behaviors that can compromise the security of a network and its computers. This includes network attacks against vulnerable services, unauthorized logins and access to sensitive data, and malware (e.g. viruses, worms, etc.). An IDS also detects attacks that originate from within a system. In most cases, an IDS has three main components: Sensors, Console, and Engine. Sensors generate security events. A console is used to alert and control sensors and to monitor events. An engine is used to record events and to generate security alerts based on received security events. In many IDS implementations, these three components are combined into a single device.
The following is the working of an IDS:
Types of IDS
The following are the types of IDS:
- Network-based IDS: A Network-based Intrusion Detection System (NIDS) analyzes data packets flowing through a network. It can detect malicious packets that are designed to slip past a firewall's simplistic filtering rules. It is responsible for detecting anomalous or inappropriate data that may be considered 'unauthorized' on a network. A NIDS captures and inspects all data traffic it can see, regardless of whether that traffic is permitted or not.
- Host-Based IDS: A Host-based IDS (HIDS) is an Intrusion Detection System that runs on the system to be monitored. A HIDS monitors only the data that is directed to or originating from the particular system on which it is installed. Besides network traffic, it can also monitor other parameters of the system, such as running processes, file system access and integrity, and user logins, to identify malicious activity. BlackICE Defender and Tripwire are good examples of HIDS. Tripwire is a HIDS tool that automatically calculates the cryptographic hashes of all system files as well as any other files that a network administrator wants to monitor for modifications. It then periodically scans all monitored files and recalculates the hashes to see whether the files have been modified. It raises an alarm if changes are detected.
- Log file monitoring: A program that parses log files after the occurrence of an event such as failed login attempts.
- File integrity checking: It checks for Trojan horses, or files that have otherwise been modified, indicating that an intruder has already been there.
Types of IDS responses
The following are the different types of responses generated by an IDS:
- True Positive: A valid anomaly is detected, and an alarm is generated.
- True Negative: No anomaly is present, and no alarm is generated.
- False Positive: No anomaly is present, but an alarm is generated. This is the worst-case scenario: if an IDS generates false positives at a high rate, its alerts are ignored and the IDS is not used.
- False Negative: A valid anomaly is present, and no alarm is generated.
IDS detection methods
The following are IDS detection methods:
- Statistical Anomaly Detection: The Statistical Anomaly Detection method, also known as behavior-based detection, compares the system's current operating characteristics against baseline factors such as CPU utilization, file access activity, and disk usage. In this method, the IDS either lets a network administrator define profiles of authorized activity or is placed in learning mode so that it learns what counts as normal activity. A large amount of time must be dedicated to ascertaining whether the IDS is producing few false negatives. Hence, the main drawback of this method is that if an attacker slowly changes his activities over time, the IDS might be fooled into accepting the new behavior as normal.
- Pattern Matching Detection: The Pattern Matching IDS, also known as a knowledge-based or signature-based IDS, is based on a database of known attacks. These known attacks are loaded into the IDS as signatures, after which the IDS begins to guard the network. Signatures are usually given a number or name so that the network administrator can easily identify the attack taking place. Alerts from this IDS can be triggered by fragmented IP packets, streams of SYN packets (DoS), or malformed Internet Control Message Protocol (ICMP) packets. The main disadvantage of pattern matching is that such an IDS can only trigger on signatures stored in its database; any new or obfuscated attack will go undetected.
- Protocol Detection Method: In the Protocol Detection Method, an IDS keeps state information and can detect abnormal activity in protocols such as IP, TCP, and UDP. If an incoming packet violates a protocol rule, the IDS sends an alert message to the network administrator. Such an IDS is usually installed on the Web server and monitors the communication between a user and the system on which it is installed.
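The following is an added example, not part of the original chapter, showing the Statistical Anomaly Detection method in working form and tallying its alarms into the four IDS response types listed earlier. The hosts, the CPU-utilization baseline samples and the evaluation samples are all constructed; the z-score threshold is an assumption, not a value from the chapter.

```python
"""Added example (not from the original chapter): a toy behaviour-based detector
in the style of the Statistical Anomaly Detection method, with its alarms
tallied into the four IDS response types. All hosts, metrics and samples
below are constructed for illustration."""
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed learning-mode samples: CPU utilisation (%) observed per host
# while the IDS was in learning mode and no attack was under way.
BASELINE_SAMPLES: Dict[str, List[float]] = {
    "web01": [12, 15, 11, 14, 13, 16, 12, 15],
    "db01": [40, 45, 42, 48, 44, 41, 46, 43],
}

# Constructed evaluation samples: (host, CPU %, was an attack really in progress?)
EVAL_SAMPLES: List[Tuple[str, float, bool]] = [
    ("web01", 14, False),   # ordinary load
    ("web01", 95, True),    # attacker's workload drives CPU far above baseline
    ("db01", 44, False),    # ordinary load
    ("db01", 50, True),     # attack activity hidden inside normal variance
    ("web01", 30, False),   # legitimate traffic spike
    ("ghost", 5, True),     # host that never appeared during learning
]


def learn_profiles(samples: Dict[str, List[float]]) -> Dict[str, Tuple[float, float]]:
    """Learning mode: record mean and standard deviation of the metric per host."""
    profiles = {}
    for host, values in samples.items():
        sd = pstdev(values)
        # A perfectly flat baseline would make every deviation infinite; floor it.
        profiles[host] = (mean(values), sd if sd > 0 else 1.0)
    return profiles


def is_anomalous(profiles, host, value, threshold=3.0) -> bool:
    """Alarm when the sample lies more than `threshold` standard deviations
    from the host's learned mean; hosts never seen in learning always alarm."""
    if host not in profiles:
        return True
    mu, sd = profiles[host]
    return abs(value - mu) / sd > threshold


def classify(alarm: bool, attack: bool) -> str:
    """Map (alarm raised?, attack really present?) to the IDS response type."""
    if alarm and attack:
        return "true_positive"
    if alarm and not attack:
        return "false_positive"
    if not alarm and attack:
        return "false_negative"
    return "true_negative"


def evaluate(threshold=3.0) -> Dict[str, int]:
    """Run the detector over the evaluation samples and count each response type."""
    profiles = learn_profiles(BASELINE_SAMPLES)
    counts = {k: 0 for k in ("true_positive", "true_negative",
                             "false_positive", "false_negative")}
    for host, value, attack in EVAL_SAMPLES:
        counts[classify(is_anomalous(profiles, host, value, threshold), attack)] += 1
    return counts


def false_positive_rate(counts: Dict[str, int]) -> float:
    """Share of benign samples that raised an alarm: FP / (FP + TN)."""
    benign = counts["false_positive"] + counts["true_negative"]
    return counts["false_positive"] / benign if benign else 0.0


if __name__ == "__main__":
    result = evaluate()
    print(result)
    print(f"false positive rate: {false_positive_rate(result):.2f}")
```

The db01 sample at 50% is the method's weakness in miniature: an attack whose footprint stays inside the learned variance produces a false negative, and an attacker who raises load gradually can shift the baseline itself if the profile keeps re-learning. The web01 spike at 30% shows the cost on the other side, a false positive from legitimate load; lowering the threshold trades one for the other.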
Ways to detect an intrusion
The following ways are used to detect an intrusion:
- Signature recognition: Also referred to as misuse detection, it tries to recognize events that misuse a system.
- Anomaly detection: It detects an intrusion based on the fixed behavioral characteristics of the users and components in a computer system.
- Protocol anomaly detection: It involves building models of TCP/IP protocols from their specifications.
Indications of intrusions
The following are indications of file system intrusions:
- Presence of new, unfamiliar files or programs
- Changes in file permissions
- Unexplained changes in file size
- Rogue files on the system that do not correspond to the master list of signed files
- Unfamiliar file names in directories
- Missing files
The following are indications of network intrusions:
- Repeated probes of the available services on the machines
- Connections from unusual locations
- Repeated login attempts from a remote host
- Arbitrary data in log files, indicating an attempt to cause either a Denial of Service or a service crash
The following are indications of system intrusions:
- Modifications to system software and configuration files
- Gaps in the system accounting
- Unusually slow system performance
- Crashing or rebooting of the system
- Short or incomplete logs
- Missing logs or logs with incorrect permissions or ownership
- Unfamiliar processes
- Unusual graphic displays or text messages
Snort
Snort is an open source network intrusion prevention and detection system that operates as a network sniffer. It logs network activity that matches predefined signatures. Signatures can be designed for a wide range of traffic, including Internet Protocol (IP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP).
The three main modes in which Snort can be configured are as follows:
- Sniffer mode: It reads the packets from the network and displays them in a continuous stream on the console.
- Packet logger mode: It logs the packets to disk.
- Network intrusion detection mode: It is the most complex and configurable mode, allowing Snort to analyze network traffic for matches against a user-defined rule set.
Working of snort
The following image shows the working of snort:
The decoder performs the following functions:
- It saves the captured packets into the heap.
- It identifies link-level protocols.
- It decodes IP.
The detection engine matches each packet against the rules loaded into memory at Snort initialization. Output plug-ins format the notifications so that the user can access them in different ways.
Snort rules
Snort's rule engine enables a user to write rules that meet the requirements of the network. Snort rules are useful in differentiating between normal Internet activity and malicious activity. A Snort rule must be written on a single line; the Snort rule parser does not handle rules spanning multiple lines. A Snort rule has two logical parts: the rule header and the rule options. The rule header identifies the rule's action, such as alert, log, pass, activate, or dynamic. The rule options identify the rule's alert message.
Rule action: The rule header holds the information that describes the packet to be matched and determines which action is carried out and which rule applies. When a packet matches the rule criteria, the rule action tells Snort what to do. The following actions are available in Snort:
- Alert: The selected alert method is used to generate an alert.
- Log: The packet is logged.
- Pass: The packet is dropped.
IP protocols: TCP, UDP, and ICMP are the IP protocols that Snort supports for detecting suspicious behavior.
Direction operator: It indicates the direction of the traffic. The traffic can flow either in one direction or bidirectionally. The following is an example of a Snort rule using the bidirectional operator:
log tcp !192.168.1.0/24 any <> 192.168.1.0/24 23
IP addresses: The "any" keyword matches any IP address. Snort accepts addresses written as straight numeric IP addresses. A CIDR block specifies the netmask that is applied to the rule's address and to each incoming packet checked against the rule.
Port numbers: Port numbers can be listed in various ways, including "any" ports, static port definitions, ranges, and by negation. The range operator ":" is used to indicate port ranges. The following is an example of port negation:
log tcp any any -> 192.168.1.0/24 !6000:6010
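To make the header syntax above concrete, here is an added example (not Snort's own code) that parses the header of a single-line Snort rule, covering the action, protocol, "any", CIDR addresses, port ranges, negation and both direction operators, and then matches a parsed header against a packet's 5-tuple. Rule options are split off and ignored; port lists such as [80,443] and variables such as $HOME_NET are not supported, and the packets in the test are constructed.

```python
"""Added example (not Snort's own code): parser and matcher for the header
part of a Snort rule. Handles action, protocol, 'any', numeric/CIDR addresses,
single ports and low:high ranges, '!' negation, and the -> and <> operators."""
import ipaddress
from dataclasses import dataclass
from typing import Tuple

ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
PROTOCOLS = {"tcp", "udp", "icmp"}

AddrSpec = Tuple[bool, ipaddress.IPv4Network]   # (negated?, network)
PortSpec = Tuple[bool, int, int]                 # (negated?, low, high)


@dataclass
class RuleHeader:
    action: str
    protocol: str
    src: AddrSpec
    src_port: PortSpec
    direction: str          # "->" or "<>"
    dst: AddrSpec
    dst_port: PortSpec


def parse_address(token: str) -> AddrSpec:
    """'any', a numeric address, or a CIDR block, optionally prefixed with '!'."""
    negated = token.startswith("!")
    token = token.lstrip("!")
    if token == "any":
        return negated, ipaddress.IPv4Network("0.0.0.0/0")
    # strict=False lets 192.168.1.1/24 mean the enclosing /24 block
    return negated, ipaddress.IPv4Network(token, strict=False)


def parse_port(token: str) -> PortSpec:
    """'any', a single port, or a range low:high (either end may be omitted)."""
    negated = token.startswith("!")
    token = token.lstrip("!")
    if token == "any":
        return negated, 0, 65535
    if ":" in token:
        low, high = token.split(":", 1)
        return negated, int(low) if low else 0, int(high) if high else 65535
    port = int(token)
    return negated, port, port


def parse_rule(rule: str) -> RuleHeader:
    """Parse the header of a single-line Snort rule; raise ValueError if malformed."""
    header = rule.split("(", 1)[0].strip()      # drop the rule options
    parts = header.split()
    if len(parts) != 7:
        raise ValueError(f"rule header must have 7 fields, got {len(parts)}: {header!r}")
    action, proto, src, sport, direction, dst, dport = parts
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if proto not in PROTOCOLS:
        raise ValueError(f"unsupported protocol {proto!r}")
    if direction not in ("->", "<>"):
        raise ValueError(f"bad direction operator {direction!r}")
    return RuleHeader(action, proto, parse_address(src), parse_port(sport),
                      direction, parse_address(dst), parse_port(dport))


def _addr_ok(spec: AddrSpec, ip: str) -> bool:
    negated, net = spec
    return (ipaddress.IPv4Address(ip) in net) != negated


def _port_ok(spec: PortSpec, port: int) -> bool:
    negated, low, high = spec
    return (low <= port <= high) != negated


def matches(h: RuleHeader, proto: str, src: str, sport: int, dst: str, dport: int) -> bool:
    """True if the packet's 5-tuple satisfies the header (use port 0 for ICMP)."""
    if proto != h.protocol:
        return False
    forward = (_addr_ok(h.src, src) and _port_ok(h.src_port, sport)
               and _addr_ok(h.dst, dst) and _port_ok(h.dst_port, dport))
    if forward or h.direction == "->":
        return forward
    # Bidirectional operator: also accept the packet with its endpoints swapped.
    return (_addr_ok(h.src, dst) and _port_ok(h.src_port, dport)
            and _addr_ok(h.dst, src) and _port_ok(h.dst_port, sport))
```

Note that a header with a missing protocol field is rejected outright rather than guessed at, which mirrors why the single-line, fixed-field format matters: the parser can only apply the rule it can unambiguously read.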
Tipping Point
Tipping Point IPS is an inline device. It is placed seamlessly and transparently into the network. Each packet is thoroughly inspected in order to determine whether they are malicious or legitimate. It delivers performance, application, and infrastructure protection at gigabit speeds via total packet inspection.
Intrusion detection tools
The following are intrusion detection tools:
- Security Network Intrusion Prevention System
- Strata Guard
- Peek & Spy
- CRCMd5 Data Validation
- Cisco IDS 4250 Appliance
- DiskSearch 32
- INTOUCH INSA-Network Security Agent
- IDP8200
- OSSEC
- AIDE (Advanced Intrusion Detection Environment)
- Netifera
- Tripwire
- eXpert-BSM
- SNARE (System iNtrusion Analysis & Reporting Environment)
- Cisco Intrusion Detection
- Vanguard Enforcer
Tripwire
Tripwire is a System Integrity Verifier (SIV) that is used to monitor files and detect changes made by an intruder. The tripwire utility can be used to check the file size, the file signature, and the integrity of a file. Tripwire is a tool that automatically calculates the cryptographic hashes of all system files as well as any other file that a network administrator wants to monitor for modifications. It then periodically scans all monitored files and recalculates the information to see whether the files have been modified or not. It raises an alarm if changes are detected.
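The following is an added example, not Tripwire's own code, of a minimal System Integrity Verifier in the style described here and under Host-Based IDS above: a baseline records the size, permission bits and SHA-256 digest of every file under a monitored directory, and a later scan recomputes them and reports what was added, removed or modified. The directory tree, file contents and simulated tampering in demo() are all constructed.

```python
"""Added example (not Tripwire's own code): a minimal file-integrity checker.
build_baseline() snapshots every regular file below a directory; verify()
rescans and diffs against that snapshot. demo() builds a constructed tree in a
temporary folder, takes a baseline, simulates an intruder and rescans."""
import hashlib
import os
import tempfile
from typing import Dict, List


def _sha256(path: str, chunk: int = 65536) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, dict]:
    """Snapshot every regular file below root, keyed by its relative POSIX path."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):      # skip sockets, devices, dangling links
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.stat(full)
            baseline[rel] = {"size": st.st_size,
                             "mode": st.st_mode & 0o777,
                             "sha256": _sha256(full)}
    return baseline


def verify(root: str, baseline: Dict[str, dict]) -> Dict[str, List[str]]:
    """Rescan and diff against the baseline; any non-empty list is an alarm."""
    current = build_baseline(root)
    common = set(current) & set(baseline)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in common if current[f] != baseline[f]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: take a baseline, simulate tampering, rescan."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"original ls binary")
        with open(os.path.join(root, "etc", "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(root, "etc", "motd"), "w") as f:
            f.write("welcome\n")
        baseline = build_baseline(root)

        # Simulated tampering (all constructed):
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"trojaned ls binary")      # same length: size alone would miss it
        with open(os.path.join(root, "etc", "passwd"), "a") as f:
            f.write("evil:x:0:0::/:/bin/sh\n")  # extra UID-0 account appended
        os.makedirs(os.path.join(root, "tmp"))
        with open(os.path.join(root, "tmp", "rk.so"), "w") as f:
            f.write("rogue file\n")             # new, unfamiliar file
        os.remove(os.path.join(root, "etc", "motd"))   # missing file
        return verify(root, baseline)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The replaced ls binary is deliberately the same length as the original: it is the cryptographic hash, not the size, that catches it. In a real deployment the baseline must itself be protected (stored read-only or off-host), since an intruder who can rewrite the baseline can hide every change from the next scan.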
BlackICE Defender
BlackICE Defender is a Host-Based Intrusion Detection System (HIDS). It provides a firewall that detects, reports, and blocks all suspected access attempts. It provides a notification by flashing tray icons when any intrusion is detected. It also provides detailed information regarding the different types of attacks that can harm the security of the network.
IPS
Intrusion Prevention System (IPS) is a tool that is used to prevent sophisticated attacks on the network. The IPS tool detects such attacks by keeping an eye on the trends, looking for attacks that use particular patterns of messages, and other factors. The IPS tools sit in the packet's forwarding path and then rate and report each potential threat by analyzing the traffic. The IPS tool has the ability to react and filter the traffic. There are two types of IPS:
- Host intrusion prevention system (HIPS)
- Network intrusion prevention system (NIPS)
Anti-x
Anti-x is a component of the Cisco Adaptive Security Appliance (ASA). Anti-x provides an in-depth security design that prevents various types of problems, such as viruses. The security provided by the tool includes the following:
- Anti-virus: It scans network traffic and prevents the transmission of known viruses. It detects viruses through their virus signatures.
- Anti-spyware: It scans network traffic and prevents the transmission of spyware programs. As spyware does a lot of damage, this tool is critical for any organization. Spyware also consumes a lot of precious bandwidth.
- Anti-spam: It deletes and segregates all junk e-mails before forwarding mail to users. It examines all e-mails that arrive in the network.
- Anti-phishing: It prevents phishing attacks from reaching network users.
- URL filtering: It filters Web traffic based on URL to prevent users from connecting to inappropriate sites.
- E-mail filtering: Apart from providing the anti-spam feature, it also filters e-mails containing offensive material, potentially protecting an organization from lawsuits.
The Cisco ASA appliance can be configured in a network-based role for all Anti-x functions.
16.2 Understand what a firewall is, types of firewalls, and identify firewall identification techniques
Exam Focus: Understand what a firewall is, types of firewalls, and identify firewall identification techniques. Objective includes:
- Understand what a firewall is.
- Types of firewalls.
- Identify firewall identification techniques.
Firewall
A firewall is a combination of software and hardware that prevents data packets from coming in or going out of a specified network or computer. It is used to separate an internal network from the Internet. It analyzes all the traffic between a network and the Internet, and provides centralized access control on how users should use the network. A firewall can also perform the following functions:
- Block unwanted traffic.
- Direct the incoming traffic to more trustworthy internal computers.
- Hide vulnerable computers that are exposed to the Internet.
- Log traffic to and from the private network.
- Hide information, such as computer names, network topology, network device types, and internal user IDs, from external users.
The firewall is placed at the junction point or gateway between the two networks. It may be concerned with the type of traffic or with the source or destination addresses and ports.
The firewall architecture includes bastion host, screened subnet, and multi-homed firewall.
Bastion host
A bastion host is a computer that must be made secure because it is accessible from the Internet, and hence is more vulnerable to attacks. A bastion host is placed at the protected network's point of penetration, often in front of the screening router. It provides security to an internal network against unauthorized access and misuse.
Screened subnet
A screened subnet is a firewall architecture that offers additional advantages over the bastion host architecture. This architecture uses a single firewall with three network cards (commonly referred to as a triple homed firewall). An example of this topology is shown in the figure below:
The screened subnet provides a solution that allows organizations to offer services securely to Internet users. Any servers that host public services are placed in the Demilitarized Zone (DMZ), which is separated from both the Internet and the trusted network by a firewall. Therefore, if a malicious user does manage to compromise the firewall, he does not have access to the Intranet (providing that the firewall is properly configured).
Multi-homed firewall
In a multi-homed firewall, more than three interfaces are available, permitting further subdivision of systems on the basis of an organization's specific security objectives.
Demilitarized zone
A demilitarized zone (DMZ) is a physical or logical subnetwork that contains and exposes external services of an organization to a larger network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's Local Area Network (LAN); an external attacker only has access to equipment in the DMZ, rather than the whole of the network. Hosts in the DMZ have limited connectivity to specific hosts in the internal network, though communication with other hosts in the DMZ and to the external network is allowed. This allows hosts in the DMZ to provide services to both the internal and external networks, while an intervening firewall controls the traffic between the DMZ servers and the internal network clients. In a DMZ configuration, most computers on the LAN run behind a firewall connected to a public network such as the Internet.
Types of firewalls
The following are the types of firewalls:
- Packet filtering firewall: Packet filtering firewalls work on the first three layers of the OSI reference model, which means that all the work is done between the network and physical layers. When a packet from the sender passes through the firewall, the device checks it against the packet filtering rules configured in the firewall and drops or rejects the packet accordingly. In a software firewall, packet filtering is done by a program called a packet filter. The packet filter examines the header of each packet against a specific set of rules and, on that basis, decides to prevent it from passing (called DROP) or allow it to pass (called ACCEPT). A packet filter passes or blocks packets at a network interface based on source and destination addresses, ports, or protocols. The process is used in conjunction with packet mangling and Network Address Translation (NAT). Packet filtering is often part of a firewall program for protecting a local network from unwanted intrusion. This type of firewall is best used for network perimeter security.
- Circuit-level gateway firewall: Circuit-level gateways work at the session layer of the OSI model, or the TCP layer of the TCP/IP model. They determine whether a requested session is legitimate by monitoring the TCP handshake between packets. Information passed to a remote computer via a circuit-level gateway appears to have originated from the gateway. Circuit-level gateways hide information regarding the private network that they protect. They do not filter individual packets.
- Application-level firewall: Application-level gateways can filter packets at the application layer of the OSI model. Services for which there is no proxy cannot be accessed by incoming or outgoing packets. Any FTP, gopher, telnet, or other traffic will not be allowed by an application-level gateway that is configured as a Web proxy. Because it examines packets at the application layer, the application-level gateway can filter application-specific commands, such as HTTP POST and GET.
- Stateful multilayer inspection firewall: The stateful multilayer inspection firewall combines aspects of the other three types of firewalls. It filters packets at the network layer, determines whether session packets are legitimate, and evaluates the contents of packets at the application layer.
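The following added example (not from the chapter) contrasts the stateless packet filter with a firewall that keeps TCP session state, the distinction that separates the first firewall type above from the circuit-level and stateful types. Packets are plain dicts, only the TCP flags needed to tell a new connection from an existing one are modelled, and the rule set, addresses and packet scenario are all constructed.

```python
"""Added example (not from the chapter): a toy stateless packet filter beside a
stateful firewall that tracks TCP sessions. Both apply the same constructed rule
set; they differ in how they treat packets that belong to an existing session
and packets that only pretend to."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rule:
    action: str            # "ACCEPT" or "DROP"
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR block or "any"
    dst: str               # CIDR block or "any"
    dport: Optional[int]   # None means any destination port


def pkt(proto, src, sport, dst, dport, flags=()) -> Dict:
    """Build a minimal packet: header fields the filters look at, nothing more."""
    return {"proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "flags": set(flags)}


def _in_net(spec: str, ip: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def stateless_filter(rules: List[Rule], p: Dict, default: str = "DROP") -> str:
    """Classic packet filter: header fields only, first matching rule wins."""
    for r in rules:
        if (r.proto in ("any", p["proto"]) and _in_net(r.src, p["src"])
                and _in_net(r.dst, p["dst"]) and r.dport in (None, p["dport"])):
            return r.action
    return default


class StatefulFirewall:
    """Consults the rules only for packets that open a new TCP connection;
    every later packet is judged by the connection table instead."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.sessions = set()   # (src, sport, dst, dport) of accepted connections

    def filter(self, p: Dict) -> str:
        if p["proto"] != "tcp":
            return stateless_filter(self.rules, p)
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        reverse = (p["dst"], p["dport"], p["src"], p["sport"])
        if key in self.sessions or reverse in self.sessions:
            if p["flags"] & {"FIN", "RST"}:           # session teardown
                self.sessions.discard(key)
                self.sessions.discard(reverse)
            return "ACCEPT"                           # belongs to a known session
        if "SYN" not in p["flags"] or "ACK" in p["flags"]:
            return "DROP"                             # mid-stream packet, no session
        verdict = stateless_filter(self.rules, p)    # genuine new connection: use rules
        if verdict == "ACCEPT":
            self.sessions.add(key)
        return verdict


# Constructed policy: only inbound HTTP to the DMZ web server is permitted.
RULES = [Rule("ACCEPT", "tcp", "any", "192.168.1.10/32", 80)]

SCENARIO = [
    ("client SYN to web server",
     pkt("tcp", "10.0.0.5", 40000, "192.168.1.10", 80, {"SYN"})),
    ("server SYN/ACK reply",
     pkt("tcp", "192.168.1.10", 80, "10.0.0.5", 40000, {"SYN", "ACK"})),
    ("stray ACK with no session",
     pkt("tcp", "10.0.0.9", 55555, "192.168.1.10", 80, {"ACK"})),
    ("server-initiated outbound SYN",
     pkt("tcp", "192.168.1.10", 33333, "203.0.113.7", 4444, {"SYN"})),
]


def demo() -> Dict[str, List[str]]:
    """Run the scenario through both firewalls; verdicts are in scenario order."""
    fw = StatefulFirewall(RULES)
    return {
        "stateless": [stateless_filter(RULES, p) for _, p in SCENARIO],
        "stateful": [fw.filter(p) for _, p in SCENARIO],
    }


if __name__ == "__main__":
    verdicts = demo()
    for i, (label, _) in enumerate(SCENARIO):
        print(f"{label:32s} stateless={verdicts['stateless'][i]:6s} "
              f"stateful={verdicts['stateful'][i]}")
```

The stateless filter drops the server's own SYN/ACK, so to make the web server usable an administrator must add an ACCEPT rule for traffic from the server to anywhere, which would also admit the server-initiated outbound connection in the last packet. The stateful firewall needs no such rule: it accepts the reply because it belongs to a session it already approved, still drops the outbound SYN, and also drops the stray ACK that the stateless filter waves through because its headers happen to match the HTTP rule.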
Firewall identification techniques
The following are firewall identification techniques: