firewall

Nagaraja465570 54 views 81 slides Feb 27, 2025

Module 4: Security Countermeasures (Firewalls, IDS and IPS)

1. Introduction to Firewalls

Definition: A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. It acts as a barrier between a trusted internal network and untrusted external networks, such as the internet.

Purpose: To protect networks from unauthorized access, threats, and malicious attacks by enforcing a security policy.

How Firewalls Work: Firewalls examine the packets of data being transmitted across the network. They use predefined rules to allow or block traffic based on IP addresses, protocols, ports, and other criteria.

Role in Cybersecurity: Firewalls act as the first line of defense against external threats. They are essential in preventing unauthorized access, monitoring traffic, and filtering potentially harmful data.

There are two main types of firewalls:

Hardware Firewalls: Physical devices that connect between your network and your internet connection. They often come with built-in features and can handle multiple devices. They are commonly used in business environments, but are also applicable for home use.

Software Firewalls: Programs installed on a computer or server to monitor and control network traffic. They offer flexibility and can be customized for individual devices.

Firewalls function by using a set of rules to filter traffic. They can block or allow traffic based on IP addresses, domain names, protocols, ports, and other criteria, which helps prevent malicious activities, unauthorized access, and attacks such as hacking or viruses.

2. Design of Firewalls

Firewalls are simple devices that rigorously and effectively control the flow of data to and from a network. Their effectiveness depends on two things: a well-understood traffic flow policy, and a trustworthy design and implementation.

Traffic flow policy

A firewall implements a security policy, which is a set of rules that determine what traffic can or cannot pass through the firewall. Ideally, a simple policy like allowing "good" traffic and blocking "bad" traffic would be preferred, but defining "good" and "bad" is neither simple nor algorithmic. Firewalls come with example policies, but each network administrator must decide what traffic to allow into a particular network. A simple firewall configuration follows a rule table that is processed top-down, where the first matching rule determines the firewall's action.

Example Firewall Configuration

The * character matches any value in that field. Inbound traffic to port 25 (mail transfer) and port 69 (trivial file transfer) is allowed to/from any host on the 192.168.1 subnetwork. Rule 3 allows any inside host to send outbound traffic on port 80 (web page fetches) to any destination. Rule 4 allows outside traffic to reach the internal host at 192.168.1.18 (presumably a web server). All other traffic to the 192.168.1 network is denied.

Trustworthy design and implementation

A firewall is an example of a reference monitor, a key concept in computer security. A reference monitor has three characteristics: it is always invoked, it is tamperproof, and it is small and simple enough for rigorous analysis. Proper firewall placement ensures that all network accesses requiring control pass through it. A firewall serves as the single physical connection between a protected (internal) network and an uncontrolled (external) network; this placement guarantees the "always invoked" condition.

Trustworthy design and implementation

A firewall is typically well isolated, making it highly immune to modification. It is usually implemented on a separate computer with direct connections only to the outside and inside networks, which supports the tamperproof requirement. The firewall platform runs a stripped-down operating system with minimal services to prevent compromise. It may generate a log of denied traffic, but it carries no tools to view or edit the log directly, so any modification has to happen in a protected environment. Even if an attacker compromises the firewall, no tools are available on it to disguise or delete log entries. Firewall designers recommend keeping the firewall functionality simple for security. A firewall therefore functions as a reference monitor: it monitors all traffic, it is not accessible to outside attacks, and it implements only access control.

3. Types of Firewalls

Firewalls have a wide range of capabilities, but generally fall into a few types. Each type performs different functions; no single type is necessarily superior or inferior to the others. Different firewall types enforce different policies; for example, screening routers rely solely on header data such as addresses, while more complex firewalls analyze the content of the communication to make access decisions. Simplicity in a security policy is not inherently bad; the key consideration is identifying the threats that need to be countered.

OSI Reference Model

In this model, data are generated at the top layer (layer 7, Application) by an application program. The data pass down through the six layers below it, where they are reformatted, packaged, and addressed. The transport layer performs error checking and correction to ensure reliable data flow. The network layer handles addressing to determine how to route data. The data link layer divides data into manageable blocks for efficient transfer. The physical layer deals with the electrical or other technology used to transmit signals across a physical medium. At the destination, the data enter at the bottom of a similar stack and travel up through the layers, where addressing details are removed and the data are repackaged and reformatted. Finally, the data are delivered to an application on the destination side. Each layer plays a well-defined role in the communication.

Types of Firewalls

Different firewall types correspond to different threats. If an attacker probes your system multiple times, blocking all outside traffic from their address can prevent future attacks. Port scans work by sending probes sequentially to different ports (services). Some services must remain accessible to external clients, but legitimate clients do not attempt connections to all ports. Firewalls can detect and block probes from sources attempting to scan the network. Attackers may scramble the probe order to evade detection, so a firewall should record and correlate multiple connection attempts to identify and stop an attack.

Types of Firewalls

- Packet filtering gateways or screening routers: Filter packets based on IP addresses, ports, and protocols at the network layer.
- Stateful inspection firewalls: Monitor active connections and allow packets based on state information rather than just rules.
- Application-level gateways (proxies): Act as intermediaries between clients and servers, filtering traffic based on application-layer data.
- Circuit-level gateways: Monitor TCP handshakes and session establishment, ensuring a secure connection before forwarding traffic.
- Guards: Apply strict security policies by analyzing and modifying data before allowing transmission.
- Personal firewalls: Software-based firewalls installed on individual devices to block unauthorized access and protect personal data.

Packet filtering gateways

A packet filtering gateway or screening router is the simplest and most effective type of firewall. A packet filtering gateway controls access based on packet address (source or destination) or specific transport protocol type (such as HTTP web traffic) by examining the control information of each single packet. A firewall can screen traffic before it reaches the protected network. If a port scan originates from address 100.200.3.4, the packet filtering gateway can be configured to discard all packets from that address. A packet filter can block access from (or to) addresses in one network, or allow HTTP traffic while blocking Telnet protocol traffic. Packet filters operate at OSI level 3.

Figure: Packet Filter

Packet filtering gateways

Packet filters (also called screening routers) limit traffic based on packet header data, specifically addresses and ports. They do not "see inside" a packet; they block or accept packets solely on the basis of IP addresses and ports, and they cannot inspect the data field inside packets (for example, Telnet commands). One important service they can provide is ensuring the validity of inside addresses. Inside hosts typically trust each other, while outside networks are uncontrolled and risky; since source addresses can be forged, an inside application could mistakenly trust an outside attacker. A packet filter acting as a barrier between the inside network and the outside network can detect forged inside addresses in incoming packets.

Packet filtering gateways

Figure: Packet Filter Screening Outside Hosts

Packet filtering gateways

The filter "sits between" two networks by connecting to both the inside and outside networks using two separate interface cards. The packet filter distinguishes inside from outside traffic by the interface a packet arrives on. A screening packet filter can therefore be configured to block packets from the outside that claim to have a source address from the inside. In the example, the packet filter blocks packets claiming to originate from 100.50.25.x but permits packets destined for 100.50.25.x. A packet filter makes its decisions solely on header information such as address, size, and protocol type. Packet filtering is simple, efficient, and fast, making it an effective firewall for blocking unwanted traffic quickly.
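As an added example (not from the slides), the following Python script implements both packet-filter behaviours described on the preceding slides: the top-down, first-match rule table from the Example Firewall Configuration slide, and the screening router's interface-based check that drops outside packets claiming an inside source address. The rule layout, the inside network 192.168.1.0/24 used for the spoof check, the unspecified port of rule 4, the sample addresses, and the default-deny for unmatched packets are assumptions.

```python
"""Added example: first-match packet filtering with an ingress spoof check.

The rule set is constructed from the Example Firewall Configuration slide; the
rule layout, the default-deny for unmatched packets and the inside network used
for the spoof check (192.168.1.0/24) are assumptions of this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Union

INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed protected subnetwork


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrived on: "inside" or "outside"
    src: str      # source IP address
    dst: str      # destination IP address
    dport: int    # destination port


def addr_match(pattern: str, addr: str) -> bool:
    """'*' matches any address; otherwise the address must lie in the CIDR block."""
    return pattern == "*" or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern)


@dataclass(frozen=True)
class Rule:
    src: str                  # CIDR block or "*"
    dst: str                  # CIDR block or "*"
    dport: Union[int, str]    # port number or "*"
    action: str               # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return (addr_match(self.src, pkt.src)
                and addr_match(self.dst, pkt.dst)
                and (self.dport == "*" or self.dport == pkt.dport))


# Processed top-down; the first matching rule decides.
RULES = [
    Rule("*", "192.168.1.0/24", 25, "allow"),    # inbound mail transfer to any inside host
    Rule("*", "192.168.1.0/24", 69, "allow"),    # inbound trivial file transfer to any inside host
    Rule("192.168.1.0/24", "*", 80, "allow"),    # rule 3: inside hosts fetch web pages anywhere
    Rule("*", "192.168.1.18/32", "*", "allow"),  # rule 4: outside may reach the web server (port not given on the slide)
    Rule("*", "192.168.1.0/24", "*", "deny"),    # all other traffic to the inside network is denied
]


def spoofed(pkt: Packet) -> bool:
    """Screening-router check: a packet on the outside interface must not claim an inside source."""
    return pkt.iface == "outside" and ipaddress.ip_address(pkt.src) in INSIDE_NET


def decide(pkt: Packet, rules=RULES) -> str:
    """Return 'allow' or 'deny' for one packet: spoof check first, then the rule table."""
    if spoofed(pkt):
        return "deny"
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"   # nothing matched: default deny (assumption)


if __name__ == "__main__":
    # Constructed sample packets: an outside mail connection and a spoofed inside source.
    for p in [Packet("outside", "10.9.8.7", "192.168.1.5", 25),
              Packet("outside", "192.168.1.9", "192.168.1.5", 25)]:
        print(p, "->", decide(p))
```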

Packet filtering gateways

The primary disadvantage of packet filtering routers is a combination of simplicity and complexity. The router's inspection is simplistic; for sophisticated filtering, the rule set must be very detailed. A detailed rule set becomes complex and is prone to error. Example: Blocking all port 23 traffic (Telnet) is simple and straightforward. However, if some Telnet traffic is to be allowed, each permitted IP address must be explicitly specified in the rules.

Stateful Inspection Firewall

Filtering firewalls process packets individually, without considering state or context. A stateful inspection firewall maintains state information across multiple packets in the input stream and analyzes multiple packets to make security decisions. A single probe against port 1 may be legitimate or the beginning of a port scan attack. The firewall logs connection attempts (e.g., address 100.200.3.4 connecting to port 1 at 01:37.26). If multiple connection attempts occur in a short time (e.g., to ports 1, 2, 3, 4), the firewall detects a pattern. When the connection threshold is exceeded, the firewall blocks further connections from the source address. The firewall thus progresses through several states before making a blocking decision; stateful inspection refers to this accumulation of threat evidence across multiple packets.

Stateful Inspection Firewall

A classic attacker approach is to break an attack into multiple packets, forcing some packets to have very short lengths so that a firewall cannot easily detect an attack split across two or more packets. A stateful inspection firewall tracks the sequence of packets and their conditions to thwart such an attack.

Figure: Stateful Inspection Blocking Multiple Probes
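The correlation the Stateful Inspection slides describe, as an added example that is not from the slides: connection attempts are parsed from a constructed log, per-source state accumulates across packets, and a source that probes more than a threshold of distinct ports within a time window is blocked from then on. Because ports are tracked as a set, scrambling the probe order does not help the scanner. The log format, window and threshold are assumptions.

```python
"""Added example: stateful correlation of connection attempts per source."""
import re
from collections import defaultdict, deque

WINDOW = 10.0    # seconds of history correlated per source (assumption)
THRESHOLD = 3    # more than this many distinct ports within WINDOW => block (assumption)

# Constructed log format: "HH:MM:SS source -> destination:port"
LOG_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\s+(\S+)\s+->\s+\S+:(\d+)$")


def parse_line(line):
    """Return (seconds since midnight, source address, destination port)."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised log line: %r" % line)
    h, mi, s, src, port = m.groups()
    return int(h) * 3600 + int(mi) * 60 + int(s), src, int(port)


class StatefulFilter:
    """Keeps a sliding window of (time, port) per source and a set of blocked sources."""

    def __init__(self):
        self.history = defaultdict(deque)
        self.blocked = set()

    def observe(self, t, src, port):
        """Record one connection attempt and return 'allow' or 'block'."""
        if src in self.blocked:
            return "block"               # the decision persists across later packets
        hist = self.history[src]
        hist.append((t, port))
        while hist and t - hist[0][0] > WINDOW:
            hist.popleft()               # forget attempts older than the window
        distinct_ports = {p for _, p in hist}
        if len(distinct_ports) > THRESHOLD:
            self.blocked.add(src)        # threshold exceeded: state moves to "blocked"
            return "block"
        return "allow"


def run(lines):
    """Feed log lines through one filter and return the decision for each line."""
    fw = StatefulFilter()
    return [fw.observe(*parse_line(line)) for line in lines]


SAMPLE_LOG = [  # constructed; 100.200.3.4 is the scanning address from the slides
    "01:37:26 100.200.3.4 -> 192.168.1.5:1",
    "01:37:27 100.200.3.4 -> 192.168.1.5:3",   # probe order scrambled
    "01:37:27 10.0.0.9 -> 192.168.1.5:25",     # legitimate mail client
    "01:37:28 100.200.3.4 -> 192.168.1.5:2",
    "01:37:29 100.200.3.4 -> 192.168.1.5:4",   # fourth distinct port: blocked
    "01:37:30 100.200.3.4 -> 192.168.1.5:25",  # still blocked
    "01:38:00 10.0.0.9 -> 192.168.1.5:25",     # repeat use of one port is fine
]

if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LOG, run(SAMPLE_LOG)):
        print(verdict.ljust(6), line)
```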

Application Proxy

Packet filters examine only the headers of packets, not the data inside them. A packet filter will allow traffic to port 25 if its screening rules permit inbound connections. Applications are complex and may contain errors, which can be exploited. Some applications (e.g., email delivery agents) act on behalf of all users and therefore require elevated privileges; a flawed application with all-users privileges can cause significant damage. An application proxy gateway (also called a bastion host) is a firewall that simulates the proper behavior of the application at Layer 7, ensuring that the real application only processes legitimate requests. A proxy gateway is a two-headed device: internally, it appears as the external connection (destination); externally, it responds as if it were the internal user. It behaves like a man-in-the-middle while ensuring secure communication.

Application Proxy

An application proxy simulates the behavior of a protected application on the inside network, allowing in only safe data. An application proxy runs pseudoapplications. Example: In electronic mail transfer, a sending process and a receiving process communicate through a protocol that verifies legitimacy before the mail message is transferred; the protocol between sender and destination is carefully defined. A proxy gateway intrudes in the protocol exchange, appearing as a destination to the sender (outside the firewall) and as a sender to the real recipient (inside the firewall). The proxy in the middle screens the mail transfer, ensuring that only acceptable email protocol commands and content are sent in either direction.
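An added example (not from the slides) of the screening an application proxy performs on the mail transfer protocol: the proxy sits between the outside sender and the inside mail server, relays only acceptable SMTP commands that arrive in a legitimate order, and answers everything else itself so it never reaches the protected server. The allowed-command set, the state machine, the reply codes and the sample session are assumptions for this example, not a complete SMTP implementation.

```python
"""Added example: the command-screening half of a mail (SMTP) application proxy."""
import re

MAX_CMD_LINE = 512     # RFC 5321 command-line limit, including CRLF
MAX_TEXT_LINE = 1000   # RFC 5321 text-line limit, including CRLF

# Verbs the proxy is willing to relay -> states in which they are acceptable
# (None = acceptable in any state). Anything else is never forwarded inside.
ALLOWED = {
    "HELO": None, "EHLO": None,
    "MAIL": {"greeted"},
    "RCPT": {"mail", "rcpt"},
    "DATA": {"rcpt"},
    "QUIT": None,
}
NEXT_STATE = {"HELO": "greeted", "EHLO": "greeted", "MAIL": "mail",
              "RCPT": "rcpt", "DATA": "data", "QUIT": "closed"}
ADDR_RE = re.compile(r"^(MAIL FROM|RCPT TO):<[^<>\s]*>$", re.I)


class SmtpScreen:
    """Screens one outside client's command stream; rejected lines are answered by the proxy."""

    def __init__(self):
        self.state = "start"

    def screen(self, line):
        """Return ('forward', line) to relay the line to the inside server,
        or ('reject', reply) with the reply the proxy sends back outside."""
        if self.state == "data":                      # message text, ended by a lone '.'
            if len(line) + 2 > MAX_TEXT_LINE:
                return ("reject", "500 Line too long")
            if line == ".":
                self.state = "greeted"
            return ("forward", line)
        if self.state == "closed":
            return ("reject", "503 Connection closed")
        if len(line) + 2 > MAX_CMD_LINE:
            return ("reject", "500 Line too long")
        verb = line.split(" ", 1)[0].upper()
        if verb not in ALLOWED:                       # e.g. VRFY, EXPN, TURN are never relayed
            return ("reject", "502 Command not implemented")
        allowed_in = ALLOWED[verb]
        if allowed_in is not None and self.state not in allowed_in:
            return ("reject", "503 Bad sequence of commands")
        if verb in ("MAIL", "RCPT") and not ADDR_RE.match(line):
            return ("reject", "501 Syntax error in parameters or arguments")
        self.state = NEXT_STATE[verb]
        return ("forward", line)


def screen_session(lines):
    """Run a whole client session through one screen; returns the per-line decisions."""
    screen = SmtpScreen()
    return [screen.screen(line) for line in lines]


SAMPLE_SESSION = [  # constructed client side of a session
    "HELO mail.example.org",
    "VRFY postmaster",                     # not in the allowed set
    "MAIL FROM:<alice@example.org>",
    "DATA",                                # out of order: no recipient yet
    "RCPT TO:<bob@example.com>",
    "RCPT TO:bob2",                        # malformed address
    "DATA",
    "Subject: hello",
    "",
    "Body text.",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    for line, (action, text) in zip(SAMPLE_SESSION, screen_session(SAMPLE_SESSION)):
        print("%-8s %-32s %s" % (action, line, "" if action == "forward" else text))
```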

To understand the real purpose of a proxy gateway, consider several examples.

- Company's Online Price List: Ensures outsiders cannot modify prices or product lists, and restricts outsiders' access to only the price list, protecting sensitive files.
- School's Internet Access: Allows students to retrieve World Wide Web resources, monitors visited sites and fetched files for efficiency, and caches popular files locally for faster access.
- Government Agency's Database Queries: Uses a database management system to answer queries, screens the results to prevent names or identification from being returned, and provides only counts in categories instead.
- Company's Encrypted Emails: Encrypts email data for communication between multiple offices, using a proxy at the remote end to remove the encryption.

Proxy Firewall Functions

Each of these requirements can be met with a proxy. In the first case, the proxy would monitor the file transfer protocol data to ensure that only the price list file was accessed and that the file could only be read, not modified. The school's requirement could be met by a logging procedure as part of the web browser. The agency's need could be satisfied by a special-purpose proxy that interacted with the database management system, performing queries but filtering the output. For the last situation, a firewall application could encrypt and decrypt specific email messages.

Proxies on the firewall can be tailored to specific requirements, such as logging details about accesses. They can present a common user interface to dissimilar internal functions. If the internal network has a mixture of operating system types that lack strong authentication, the proxy can demand strong authentication (name, password, and challenge-response), validate the challenge-response itself, and then pass on simplified authentication (name and password) in the format required by a specific internal host's operating system. The key distinction between a proxy and a screening router is that a proxy interprets the protocol stream like an application, controlling actions based on the protocol content, not just the external header data.

Circuit-Level Gateway

A circuit-level gateway is a firewall that allows one network to be an extension of another. It operates at OSI level 5 (the session level) and acts as a virtual gateway between two networks. A circuit is a logical connection that is maintained temporarily and then disconnected. The firewall verifies the circuit when it is first created; after verification, subsequent data transferred over the circuit are not checked. Circuit-level gateways can limit the connections made through the gateway.

Circuit-Level Gateway

A circuit-level gateway connects two separate subnetworks as if they were one contiguous unit.

Figure: Circuit-Level Gateway

Circuit-Level Gateway

One use for a circuit-level gateway is to implement a virtual private network (VPN). A company with two offices at 100.1.1.x and 200.1.1.x wants to ensure private communication between them, so a network administrator installs encryption devices to protect the communication. The circuit-level gateway separates all traffic between the 100 and 200 networks. On the 100 network, the circuit gateway routes all traffic to the 200 network through an encryption device. When traffic returns, the firewall on the 100 subnetwork routes it through an encryption unit for decryption before it reaches the 100 gateway. This setup ensures both traffic screening and encryption, preventing unauthorized access. Users are unaware of the cryptography, while management is assured of confidentiality protection.

Guard

A guard is a sophisticated firewall. Like a proxy firewall, it receives, interprets, and emits protocol data units to achieve the same or a modified result. The guard determines what services to perform based on the available information, such as the user's identity and previous interactions. The degree of control a guard can provide is limited only by what is computable. The distinction between guards and proxy firewalls is sometimes fuzzy: a proxy firewall can gain additional functionality until it resembles a guard.

Guard Examples

- University Email Restrictions: A university sets a limit on the number of messages or characters in emails over a specific period. Instead of modifying email handlers, it monitors the mail transfer protocol to enforce the limits.
- School Web Access Control: A school restricts students' access to the World Wide Web because of limited bandwidth. It allows only text mode and simple graphics, blocking complex graphics, video, and music.
- Library Document Access: A library restricts access to certain documents to support fair use. Users can retrieve a limited number of characters, after which they must pay a fee that is forwarded to the author.
- Company Data Masking: A company working on a new product (light oil) applies data masking. In outbound data flows (file transfers, email, web pages), sensitive words like "petroleum," "helium," and "light oil" are replaced with "magic." This demonstrates that a firewall or guard can filter outbound traffic, not just inbound.

Guard

A company wants to allow its employees to fetch files via FTP but will first pass all incoming files through a virus scanner to prevent the introduction of viruses. Even though many files are nonexecutable text or graphics, the company administrator believes the expense of scanning will be negligible. A guard can implement any programmable set of conditions, even if they are highly sophisticated. Each scenario can be implemented as a modified proxy, which is referred to as a guard because the proxy decision is based on the quality of the communication data. Since the security policy implemented by the guard is more complex than that of a typical proxy, its code is also more complex and therefore more exposed to error.

Personal Firewalls

Firewalls typically protect a (sub)network of multiple hosts. University students and employees in offices are behind a real firewall. Home users, individual workers, and small businesses use cable modems or DSL connections with unlimited, always-on access. These people need a firewall, but a separate firewall computer for a single workstation can seem too complex and expensive; they need a firewall's capabilities at a lower price. A personal firewall is an application program that runs on the workstation it protects. A personal firewall can complement a conventional firewall by screening the kind of data a single host will accept, or it can compensate for the lack of a regular firewall, as in a private DSL or cable modem connection.

Personal Firewalls

A personal firewall is a program that runs on a single host to monitor and control traffic to that host. It requires support from the operating system to function. Like a network firewall, a personal firewall screens traffic, but only for a single workstation. A workstation can be vulnerable to:

- Malicious code or malicious active agents (ActiveX controls or Java applets).
- Leakage of personal data stored on the workstation.
- Vulnerability scans that identify weaknesses.

Commercial implementations of personal firewalls include SaaS Endpoint Protection from McAfee, F-Secure Internet Security, Microsoft Windows Firewall, and Zone Alarm from CheckPoint.

Personal Firewalls

The personal firewall is configured to enforce some policy. The user may classify certain sites, like company network computers, as highly trustworthy, while most others are not. Vendors may provide and update lists of unsafe sites, to which their products block access by default. The user defines a policy that allows download of code, unrestricted data sharing, and management access from the corporate segment, but restricts access from other sites. Personal firewalls can generate logs of accesses, useful for analysis if harmful content bypasses the firewall. Combining a malware scanner with a personal firewall is both effective and efficient. Users often forget to run scanners regularly, but they occasionally remember, such as once a week.

Personal Firewalls

However, leaving the scanner execution to the user's memory means the scanner detects a problem only after the fact, such as when a virus has already been downloaded in an email attachment. A combination of a virus scanner and a personal firewall ensures that the firewall directs all incoming email to the virus scanner, which examines every attachment immediately upon reaching the target host and before it is opened. A personal firewall runs on the same computer it protects, making it vulnerable to clever attackers who may attempt an undetected attack to disable or reconfigure the firewall for future breaches.

Comparison of Firewall Types

Firewall types are arranged from least sophisticated to more sophisticated from left to right, with the exception of personal firewalls, which are similar to an enterprise packet filter. Least sophisticated does not mean weakest or least desirable: packet filtering firewalls are essential in enterprise networks, effectively and quickly blocking undesirable traffic.

| Firewall Type | Layer | Security Level | Performance | Features | Use Case |
|---|---|---|---|---|---|
| Packet Filtering | Network/Transport | Low | Fast | Inspects headers (IP, port, protocol); basic filtering; no content inspection | Small networks; basic traffic filtering |
| Stateful Inspection | Network/Transport | Moderate | Moderate | Tracks connection state; makes decisions based on connection context; can inspect some traffic beyond headers | Enterprise networks; moderate security needs |
| Proxy (Application-Level) | Application | High | Slower | Acts as intermediary; inspects full content; can filter specific applications like HTTP, FTP | Web traffic filtering; high security for specific applications |
| Circuit-Level Gateway | Session | Low | Fast | Monitors TCP handshake; inspects connection setup; does not inspect packet data | Connection-level filtering; less complex security for specific services |
| Guard (Multilayer Gateway) | Multiple Layers | Very High | Resource-Intensive | Combines multiple security layers; inspects data, context, and applications; often integrates intrusion detection/prevention | Highly secure environments; sensitive data protection |
| Personal Firewall | Host (Device) | Low to Moderate | High | Filters traffic to and from individual devices; simple rule-based filtering | Personal devices; small business protection |

Example Firewall Configurations

The simplest use of a firewall is shown in the figure: a screening router is positioned between the internal LAN and the outside network connection. This installation is adequate when the only need is to screen the address of a router.

Figure: Screening Router

Example Firewall Configurations

However:

- Proxy machine: The screening router's placement is not ideal for use with a proxy machine.
- Router configuration: Configuring a router for a complex set of approved or rejected addresses is challenging.
- Firewall vulnerability: If the firewall router is successfully attacked, all traffic on the LAN connected to the firewall is visible.
- Firewall setup: To reduce exposure, a firewall is often installed on its own LAN.
- Traffic flow: The firewall's LAN feeds traffic to a router for a separate protected LAN for user machines.
- External traffic visibility: The only traffic visible to the outside is on the firewall's LAN, which either came from or is destined for the outside.

Figure: Firewall on Separate LAN

Application Proxy

Proxying leads to a slightly different configuration. The proxy host-firewall communicates with both internal systems and the outside because it appears as an internal host to the outside. Examples of proxied applications include email, web page service, and file transfer. A more detailed example involves a proxy application for web page servers: A company has an internal web structure with pages describing products, customers, and internal contact information. The company maintains a protected database of products but does not want to release exact stock numbers. The firewall queries the database and adds a message to the product page like "available now", "a few left", or "out of stock". The firewall acts as a proxy for the user, accessing the database on behalf of the outside user but limiting the information returned from the query. A typical architecture for this situation is shown in the figure: the web page server, also known as a bastion host, is on its own LAN, isolated from the main internal LAN by a second firewall.

Demilitarized Zone

The same architecture can be extended, as shown in the figure. Externally accessible services such as web pages, email, and file transfer are on servers in the demilitarized zone (DMZ). The DMZ is named after the military buffer space, often called the "no man's land", between territories held by two competing armies. Network architecture is critical in firewall protection. A firewall can only protect what it can control; it cannot protect traffic on an unscreened connection. An example of an unscreened connection is a device with a direct Internet connection (e.g., a rogue wireless connection), which can provide an attacker visibility and access to other devices. Every protected network device must have a path that passes through the network's firewall. These examples show the kinds of configurations firewalls protect: outside users can access tools and data in a firewall's demilitarized zone but cannot access sensitive resources in the more protected inside network.

What Firewalls Can and Cannot Block

Firewalls are not complete solutions to all computer security problems. A firewall protects only the perimeter of its environment against attacks from outsiders who want to execute code or access data on the machines in the protected environment. Firewalls are effective only if they control the entire perimeter; if even one inside host connects to an outside address, the entire inside network is vulnerable. Firewalls do not protect data outside the perimeter; outbound data that has passed through the firewall remains exposed. Firewalls are the most visible part of an installation to the outside, making them an attractive target for attack. Defense in depth, using multiple layers of protection, is better than relying on a single firewall.

What Firewalls Can and Cannot Block

Firewalls must be correctly configured and updated as the internal and external environment changes, and their activity reports should be reviewed periodically for evidence of attempted or successful intrusion. Firewalls are targets for penetrators; while designed to withstand attack, they are not impenetrable. Designers keep firewalls small and simple, avoiding tools like compilers, linkers, and loaders, to minimize the potential for a continued attack if the firewall is breached. Firewalls have only minor control over the content admitted, meaning inaccurate data or malicious code must be controlled by other measures inside the perimeter. Firewalls are important in protecting environments connected to a network, but they must be part of a larger, comprehensive security strategy; firewalls alone cannot secure an environment.

4. Network Address Translation (NAT)

Firewalls protect internal hosts against unacceptable inbound or outbound data flows. An outsider can sometimes gain valuable information by learning the architecture, connectivity, or even the size of the internal network. When an internal host presents its IP address to an outsider (necessary for a reply), the outsider can infer some of the network structure from the pattern of addresses. Once released, the IP address will forever be known and exploitable by outsiders.

Network Address Translation (NAT)

Every packet between two hosts contains the source host's address and port and the destination host's address and port. Port 80 is the number conventionally used for HTTP (web page) access. Internal host 192.168.1.35:80 is sending a packet to external host 65.216.161.24:80. Using a process called Network Address Translation (NAT), the source firewall converts the source address 192.168.1.35:80 to the firewall's own address, 173.203.129.90. The firewall makes an entry in a translation table showing the destination address, the source port, and the original source address, so that it can forward any replies to the original source. The firewall converts the address back on any return packets.

Figure: Network Address Translation

Network Address Translation (NAT)

Network address translation conceals real internal addresses, preventing outsiders from directly accessing them, since they do not know the real addresses. A complication arises when two internal hosts access the same destination address on the same port (e.g., both visiting www.google.com). In this case, the firewall rewrites the source port number of one requesting host to a random different number to ensure proper retranslation of the return. Example: Internal host 192.168.1.35 might be translated to 173.203.129.90 port 4236, and 192.168.1.57 might be translated to 173.203.129.90 port 4966. The outside world sees only one external address, 173.203.129.90, representing the entire secured internal network, which hides the internal network structure from outsiders. The firewall rejects any incoming traffic that an outsider later sends to the same address, since the sender's address is no longer in the translation table. NAT was introduced primarily to cope with the limited number of public addresses, but it also plays an important security role by protecting the internal network structure.
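An added example (not from the slides) of the translation table the NAT slides describe, using the slides' addresses 192.168.1.35, 192.168.1.57, 65.216.161.24 and 173.203.129.90: outbound packets are rewritten to the firewall's address and a fresh external port, return packets are mapped back through the table, and packets with no table entry are rejected. The port allocation scheme (random by default, an injectable sequence for the demonstration) and the table key are assumptions.

```python
"""Added example: a minimal NAT translation table with port rewriting on collision."""
import random

FIREWALL_ADDR = "173.203.129.90"   # the firewall's external address from the slides


def _random_ports():
    """Default external-port source: random ephemeral ports (assumption)."""
    while True:
        yield random.randint(1024, 65535)


class Nat:
    def __init__(self, port_source=None):
        self._ports = port_source if port_source is not None else _random_ports()
        # (external port, destination address, destination port) -> (inside address, inside port)
        self.table = {}

    def _port_in_use(self, port):
        return any(ext_port == port for ext_port, _, _ in self.table)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an inside-to-outside packet; returns the translated 4-tuple."""
        ext_port = next(self._ports)
        while self._port_in_use(ext_port):        # two inside hosts must not share a port
            ext_port = next(self._ports)
        self.table[(ext_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (FIREWALL_ADDR, ext_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Map a reply back to the inside host, or return None to reject it.
        Anything not matching a table entry (including unsolicited packets) is rejected."""
        if dst_ip != FIREWALL_ADDR:
            return None
        original = self.table.get((dst_port, src_ip, src_port))
        if original is None:
            return None
        return (src_ip, src_port) + original

    def close(self, ext_port, dst_ip, dst_port):
        """Drop a translation; later packets for it are no longer in the table."""
        self.table.pop((ext_port, dst_ip, dst_port), None)


def demo():
    """Constructed walk-through: two inside hosts reach the same outside service."""
    nat = Nat(iter([4236, 4966]))                # the slide's example port numbers
    out1 = nat.outbound("192.168.1.35", 80, "65.216.161.24", 80)
    out2 = nat.outbound("192.168.1.57", 80, "65.216.161.24", 80)
    reply = nat.inbound("65.216.161.24", 80, FIREWALL_ADDR, 4966)
    stray = nat.inbound("65.216.161.24", 80, FIREWALL_ADDR, 5000)
    return out1, out2, reply, stray


if __name__ == "__main__":
    for item in demo():
        print(item)
```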

5. Data Loss Prevention (DLP)

Data loss prevention (DLP) refers to technologies designed to detect and prevent unauthorized data transfers. Typical data of concern include classified documents, proprietary information, and private personal information (e.g., social security numbers, credit card numbers). DLP can be implemented in various ways:

- Agent-based systems installed as OS rootkits that monitor user behavior, including network connections, file accesses, and applications run.
- Network-based solutions that monitor network connections, particularly file transfers.
- Application-specific solutions, such as software agents for monitoring email.

Data Loss Prevention (DLP)
DLP solutions typically look for several kinds of indicators:
Keywords: words or phrases like "secret," "classified," or "proprietary" are strong indicators of sensitive data. DLP solutions may also allow customers to search for business-specific keywords, such as the codename for a new product.
Traffic patterns: suspicious behavior could include bulk file transfers, connections to outside email or file sharing services, emails to unknown recipients, and connections to unknown network services.
Encoding/encryption: DLP can be bypassed by strong encryption, since it cannot determine the sensitivity of files it cannot read. To mitigate this, DLP solutions may block outgoing files that cannot be decoded or decrypted. Malware scanners treat encrypted files, such as email attachments, similarly.

Data Loss Prevention (DLP)
DLP solutions are useful for preventing accidental data leakage, but they are more fragile than other security solutions. A determined attacker can often find a way to transfer data, although an effective DLP solution may slow the process or alert security personnel in time to prevent it.
Firewalls are sometimes called edge devices, positioned at the boundary of a subnetwork. DLP approaches can be integrated into a firewall, installed in an operating system, or joined to another application program that manipulates sensitive data. DLP technologies are not restricted to the edge of a protected subnetwork.
The focus now shifts to intrusion detection and protection systems (IDPS), which are monitoring products placed inside a subnetwork.

6. Intrusion Detection and Prevention Systems
Perimeter controls such as firewalls, authentication, and access controls block certain actions while admitting legitimate users to a system. Most of these controls are preventive, blocking known bad things from happening. Many studies show that most computer security incidents are caused by insiders or impersonators, who would not be blocked by a firewall. Insiders require access with significant privileges for their daily tasks. The majority of harm from insiders is not malicious; it is caused by honest mistakes. Malicious outsiders may also pass through firewalls and access controls.
Prevention is necessary, but it is not a complete computer security control. Intrusion Detection Systems (IDS) complement preventive controls as the next line of defense. An IDS is typically a separate device that monitors activity to identify malicious or suspicious events.

Intrusion Detection and Prevention Systems
An IDS is a sensor, similar to a smoke detector, that raises an alarm if specific things occur. Detecting danger requires action, just as with smoke alarms. The response could involve calling the fire department, activating a sprinkler system, sounding an evacuation alarm, or alerting the control team, depending on the advance plans for handling the incident.
IDSs also have a response function. Often, this involves alerting a human team to decide on further action. In some cases, the IDS goes into protection mode to isolate a suspected intruder and constrain access, becoming an Intrusion Protection System (IPS).

Model of an Intrusion Detection System
The components in the figure represent the four basic elements of an intrusion detection system (IDS), based on the Common Intrusion Detection Framework. An IDS receives raw inputs from sensors. The IDS saves those inputs, analyzes them, and takes some controlling action.

Intrusion Detection and Prevention Systems
Intrusion Detection Systems (IDSs) perform various functions:
Monitoring users and system activity
Auditing system configuration for vulnerabilities and misconfigurations
Assessing the integrity of critical system and data files
Recognizing known attack patterns in system activity
Identifying abnormal activity through statistical analysis
Managing audit trails and highlighting user violations of policy or normal activity
Correcting system configuration errors
Installing and operating traps to record information about intruders
No single IDS performs all of these functions.

Types of IDSs
There are two general types of intrusion detection systems: signature-based and heuristic.
Signature-based intrusion detection systems perform pattern matching and report situations that match a signature of a known attack type.
Heuristic intrusion detection systems, also known as anomaly-based, build a model of acceptable behavior and flag exceptions to that model. For future detections, the administrator can mark flagged behavior as acceptable, so the system treats it as non-anomalous. Heuristic IDSs "learn" what constitutes anomalies or improper behavior. Learning occurs through the inference engine, an AI component, which identifies attack components and rates their association with malicious behavior.

Types of IDSs
Signature-based IDSs look for patterns. Heuristic IDSs learn the characteristics of unacceptable behavior over time.
Intrusion detection devices can be network-based or host-based. A network-based IDS is a stand-alone device attached to the network to monitor traffic throughout that network. A host-based IDS runs on a single workstation, client, or host to protect that one host.

Signature Based Intrusion Detection
A simple signature for a known attack type might describe a series of TCP SYN packets sent to many different ports in succession and at times close to one another, which is characteristic of a port scan. An intrusion detection system would probably find nothing unusual in the first SYN packet to port 80, and then another from the same source address to port 25. However, as more ports receive SYN packets, especially ports that usually receive little traffic, the pattern reflects a possible port scan.
The main issue with signature-based detection is that the signatures can be altered. Attackers may modify an attack to bypass the signature, for example by converting lowercase to uppercase letters or by changing a symbol like a blank space to its character code equivalent.

Signature Based Intrusion Detection
Drawbacks of signature-based IDS:
The IDS must work from a canonical form of the data stream to recognize that %20 matches a pattern containing a blank space.
Attackers may insert spurious packets or shuffle the order of reconnaissance probes to intentionally cause a pattern mismatch.
More signatures require additional work for the IDS, reducing its performance.
A signature-based IDS cannot detect a new attack for which no signature has been installed in the database. Every attack type starts as a new pattern, and the IDS is helpless to warn about it.
Attackers may change their signature to evade detection.
Signature-based IDSs tend to use statistical analysis to obtain sample measurements of key indicators, such as the amount of external activity, the number of active processes, and the number of transactions.
Signature-based IDSs are limited to known patterns.
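The port-scan signature from the previous slide, together with the canonical-form and spurious-packet points above, as an added example (not code from the slides): a detector counts distinct destination ports per source inside a sliding time window, so inserted duplicate packets or reordered probes do not hide the pattern, and a small `canonicalize` helper shows the %20 normalization. The log lines, the threshold and the window size are constructed.

```python
"""Signature-based detection of a port scan over a constructed SYN log.

Added example, not from the slides. The packet records and thresholds are
constructed; a real IDS would read them from a packet capture.
"""
from __future__ import annotations

from collections import defaultdict, deque
from urllib.parse import unquote


def canonicalize(data: str) -> str:
    """Reduce a payload to canonical form before matching a text signature.

    Percent-encoded characters (e.g. %20 for a blank space) and letter case
    are normalized so that trivial rewrites of an attack still match.
    """
    return unquote(data).lower()


class PortScanDetector:
    """Alerts when one source sends SYNs to many distinct ports within a window.

    Counting distinct ports rather than packets means that spurious extra
    packets or reordered probes do not defeat the signature; only spreading
    the probes out beyond the window does.
    """

    def __init__(self, max_ports: int = 5, window: float = 10.0) -> None:
        self.max_ports = max_ports
        self.window = window
        # source address -> (timestamp, destination port), oldest first
        self._seen: dict[str, deque[tuple[float, int]]] = defaultdict(deque)

    def observe(self, ts: float, src: str, dst_port: int, flags: str) -> str | None:
        """Feed one packet; return an alert string if the signature matches."""
        if flags != "S":  # only bare SYNs belong to this signature
            return None
        q = self._seen[src]
        q.append((ts, dst_port))
        # Slide the window: forget packets older than `window` seconds.
        while q and ts - q[0][0] > self.window:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= self.max_ports:
            return f"port scan from {src}: ports {sorted(ports)} within {self.window}s"
        return None


def scan_log(log: list[tuple[float, str, int, str]], **kw) -> list[str]:
    """Run the detector over a whole log and collect the alerts it raises."""
    det = PortScanDetector(**kw)
    alerts = []
    for ts, src, port, flags in log:
        alert = det.observe(ts, src, port, flags)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed log: (seconds, source address, destination port, TCP flags).
SAMPLE_LOG = [
    (0.0, "10.0.0.9", 80, "S"),   # first SYN looks unremarkable
    (0.5, "10.0.0.9", 25, "S"),   # so does a second one to another port
    (1.0, "10.0.0.9", 80, "S"),   # spurious repeat: does not add a new port
    (1.5, "10.0.0.9", 22, "S"),
    (2.0, "10.0.0.9", 23, "S"),
    (2.5, "10.0.0.9", 443, "S"),  # fifth distinct port: signature matches
    (3.0, "10.0.0.7", 80, "S"),   # a different host, ordinary traffic
    (3.1, "10.0.0.7", 80, "A"),
]
```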

Heuristic Intrusion Detection
Heuristic intrusion detection focuses on identifying abnormal behavior rather than searching for matches. For example, a user's typical activities might include reading email, writing documents, and occasionally backing up files, which are considered normal. This user typically does not use administrator utilities. If the user attempts to access sensitive system management utilities, it could signal that someone else is acting under the user's identity.

Heuristic Intrusion Detection
A compromised system starts clean, with no intrusion, and ends dirty, fully compromised. There may be no way to trace when the system changed from clean to dirty, since small dirty events occurred gradually. Each individual event might be acceptable, but the accumulation of them, along with their order and speed, could signal something unacceptable. The inference engine of an intrusion detection system continuously analyzes the system, raising an alert when the system's dirtiness exceeds a threshold or when a combination of factors signals likely malicious behavior.

Heuristic Intrusion Detection
Consider an example. Ana's network computer starts inspecting other network computers for storage areas (files) available to other users. When Ana probes Boris's computer, the IDS classifies the act as unusual, but Boris's computer denies access. The IDS only notes the denied access request. When Ana probes Chen's machine, the second attempt becomes more unusual. Chen's machine has a file structure open to the network, and Ana obtains a directory listing of all accessible files, which the IDS flags as suspicious. When Ana tries to copy all of Chen's files, the IDS recognizes this as a likely attack and triggers an alarm to an administrator.
Each individual action by Ana is not significant by itself, but the accumulation of actions leads to greater suspicion and eventually triggers an alarm.
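The accumulating "dirtiness" of the previous slide and the Ana/Boris/Chen scenario above, as an added example (not code from the slides): each event adds a weight to the user's score inside a time window, and the classification moves from benign through unusual and suspicious to an alarm as the score crosses a threshold. The event names, weights, window and threshold are constructed; a real inference engine derives them from a model of each user's normal behavior.

```python
"""Heuristic (anomaly-based) scoring of the Ana/Boris/Chen scenario.

Added example, not from the slides. Event names, weights, the window and
the alarm threshold are constructed values.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed weights: how much "dirt" each kind of event adds to a user.
WEIGHTS = {
    "read_mail": 0,      # part of Ana's normal profile
    "probe_denied": 1,   # probed a share and was refused: unusual
    "dir_listing": 3,    # listed every accessible file: suspicious
    "bulk_copy": 6,      # copied everything: likely attack
}
ALARM_THRESHOLD = 8
WINDOW = 300.0  # seconds; older events no longer count, so speed matters


@dataclass
class InferenceEngine:
    """Accumulates per-user suspicion over a sliding window and rates it."""
    threshold: int = ALARM_THRESHOLD
    window: float = WINDOW
    history: dict[str, list[tuple[float, int]]] = field(default_factory=dict)

    def score(self, user: str, now: float) -> int:
        """Sum the weights of this user's events still inside the window."""
        recent = [(t, w) for t, w in self.history.get(user, []) if now - t <= self.window]
        self.history[user] = recent
        return sum(w for _, w in recent)

    def observe(self, ts: float, user: str, event: str) -> tuple[str, int]:
        """Record one event and return (classification, running score)."""
        weight = WEIGHTS.get(event, 2)  # unseen event kinds count as mildly unusual
        self.history.setdefault(user, []).append((ts, weight))
        total = self.score(user, ts)
        if total >= self.threshold:
            return ("alarm", total)
        if total >= self.threshold // 2:
            return ("suspicious", total)
        if weight > 0:
            return ("unusual", total)
        return ("benign", total)


def run(events: list[tuple[float, str, str]]) -> list[tuple[str, int]]:
    """Replay a list of (time, user, event) through one engine."""
    eng = InferenceEngine()
    return [eng.observe(ts, user, ev) for ts, user, ev in events]


# Constructed replay of the slide's scenario.
SCENARIO = [
    (0.0, "ana", "read_mail"),
    (10.0, "ana", "probe_denied"),  # probes Boris's computer, access denied
    (20.0, "ana", "dir_listing"),   # Chen's share is open; lists every file
    (30.0, "ana", "bulk_copy"),     # tries to copy all of Chen's files
]
```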

State based and Model based IDS
Inference engines work in two ways:
State-based intrusion detection systems monitor the system for changes in overall state or configuration. They aim to detect when the system veers into unsafe modes.
Model-based intrusion detection systems raise alarms when current activity matches a model of known bad activity. The model indicates a certain degree of similarity with the known bad activity. A dynamic model of behavior is built to accommodate the evolution of a person's actions over time. The technique compares real activity with a known representation of normality. For example, attempts to access a password file (except by certain utilities such as logging in, changing passwords, and creating users) are deemed suspicious. This form of intrusion detection is known as misuse intrusion detection.

A heuristic intrusion detection system classifies all activity into three categories: good/benign, suspicious, or unknown. Over time, specific actions may move between categories based on the system's inference of whether the actions are acceptable. Like pattern matching, heuristic detection is limited by the amount of information the system has seen and how well the actions fit into a given category. Heuristic intrusion detection infers attacks by tracking suspicious activity.

Stateful Protocol Analysis
Intrusion detection using pattern matching is challenging for long or variable patterns. A SYN flood attack follows a simple pattern (SYN, SYN-ACK, no corresponding ACK). The attack involves three separate steps spread over time: recognizing step one, finding step two, and waiting a reasonable amount of time to confirm step three. The intrusion detection system (IDS) is modeled as a state machine, with a state for each step of the attack. The IDS needs to record the current state. The system must handle hundreds of thousands of concurrent connections across multiple users, making the logic of the IDS complex. Multiple handshakes may occur simultaneously, and the IDS must maintain the state of each.
Fig. IDS State Machine

Stateful Protocol Analysis
Other protocols have similar stateful representations. As the IDS monitors traffic, it builds a similar state representation, matching traffic to the expected nature of the interchange. The different protocols, with their different states and transition conditions, are multiplied by the number of instances (e.g., the number of concurrent TCP connections being established), making the IDS bookkeeping complex.
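The three-step SYN flood state machine from the previous slide, as an added example (not code from the slides): one state machine per client/server pair follows SYN, SYN-ACK and ACK, and a handshake that stays in the SYN-ACK state longer than a timeout counts as half-open; too many half-open handshakes against one server raise the alarm. The packet tuples, the timeout and the half-open threshold are constructed.

```python
"""Stateful tracking of the TCP handshake to detect a SYN flood.

Added example, not from the slides. The trace, the timeout and the
half-open threshold are constructed values.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Connection:
    state: str    # "SYN_SEEN" -> "SYNACK_SEEN" -> "ESTABLISHED"
    since: float  # time the current state was entered


class SynFloodDetector:
    """One state machine per (client, server) pair; alarm on too many half-open.

    A handshake is half-open once the server has answered with SYN-ACK and no
    ACK has arrived within `timeout` seconds (step three of the pattern).
    """

    def __init__(self, timeout: float = 5.0, max_half_open: int = 3) -> None:
        self.timeout = timeout
        self.max_half_open = max_half_open
        self.conns: dict[tuple[str, str], Connection] = {}

    def observe(self, ts: float, src: str, dst: str, flags: str) -> str | None:
        """Advance the relevant state machine, then re-check all of them."""
        if flags == "S":
            self.conns[(src, dst)] = Connection("SYN_SEEN", ts)
        elif flags == "SA":
            c = self.conns.get((dst, src))  # the reply flows server -> client
            if c and c.state == "SYN_SEEN":
                c.state, c.since = "SYNACK_SEEN", ts
        elif flags == "A":
            c = self.conns.get((src, dst))
            if c and c.state == "SYNACK_SEEN":
                c.state, c.since = "ESTABLISHED", ts
        return self.check(ts)

    def half_open(self, now: float) -> dict[str, int]:
        """Count, per server, handshakes stuck in SYNACK_SEEN past the timeout."""
        counts: dict[str, int] = {}
        for (_, server), c in self.conns.items():
            if c.state == "SYNACK_SEEN" and now - c.since > self.timeout:
                counts[server] = counts.get(server, 0) + 1
        return counts

    def check(self, now: float) -> str | None:
        for server, n in self.half_open(now).items():
            if n >= self.max_half_open:
                return f"possible SYN flood against {server}: {n} half-open connections"
        return None


def replay(packets: list[tuple[float, str, str, str]]):
    """Feed a trace through one detector; return it with the alerts raised."""
    det = SynFloodDetector()
    alerts = [a for a in (det.observe(*p) for p in packets) if a]
    return det, alerts


# Constructed trace: (time, source, destination, TCP flags).
FLOOD = [
    (0.0, "10.9.9.1", "srv", "S"), (0.1, "srv", "10.9.9.1", "SA"),
    (0.2, "10.9.9.2", "srv", "S"), (0.3, "srv", "10.9.9.2", "SA"),
    (0.4, "10.9.9.3", "srv", "S"), (0.5, "srv", "10.9.9.3", "SA"),
    (1.0, "10.0.0.5", "srv", "S"), (1.1, "srv", "10.0.0.5", "SA"),
    (1.2, "10.0.0.5", "srv", "A"),   # a legitimate client completes step three
    (7.0, "10.0.0.6", "srv", "S"),   # a later packet lets the timeouts be noticed
]
```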

Front End Versus Internal IDSs
An IDS can be placed either at the front end of a monitored subnetwork or on the inside. A front-end device monitors traffic as it enters the network and can inspect all packets. It can take as much time as needed to analyze the packets and block harmful ones before they enter the network. A front-end IDS may be visible from the outside, making it a potential target of attack. Skillful attackers know that disabling an IDS weakens the network's defenses, making it easier to attack.

Front End Versus Internal IDSs
A front-end IDS does not have visibility inside the network, so it cannot identify attacks originating internally. An internal device monitors activity within the network and can detect attacks from compromised internal machines. If an attacker sends unremarkable packets to a compromised internal machine, instructing it to perform a denial-of-service attack, a front-end IDS will not detect it. If one internal computer starts sending threatening packets to another, the internal IDS will detect the attack.
An internal IDS is better protected from external attacks. An internal IDS can learn the typical behavior of internal machines and users. If user A suddenly tries to access protected resources after never doing so before, the IDS can record and analyze the anomaly.

Host Based and Network based IDS
Host-based Intrusion Detection (HIDS) protects a single host against attacks by collecting and analyzing data for that host. The operating system provides the HIDS with approved and denied access requests, logs of applications, timestamps of actions, and other security-relevant data. The device either analyzes the data itself or forwards it to another machine for analysis and correlation with other HIDSs. The goal of a HIDS is to protect one machine and its data, but if it is disabled, it can no longer protect its host. Since it runs as a process on the target computer, a HIDS is vulnerable to detection and attack.
A Network-based Intrusion Detection System (NIDS) is a separate network appliance that monitors traffic across an entire network. A NIDS receives data from firewalls, operating systems, traffic volume monitors, load balancers, and administrator actions on the network.

Host Based and Network based IDS
The goal of a NIDS is to protect the entire network or specific sensitive resources, such as servers holding critical data. The detection software can monitor the content of packets to detect unusual actions by a compromised host against another. A network IDS is better at avoiding detection or compromise than a host-based IDS (HIDS) because it can operate in stealth mode, observing without sending data. Its network interface card (NIC) can be configured to receive data only, preventing any network exposure.
A HIDS monitors host traffic, while a NIDS analyzes network-wide activity to detect attacks on any host. A NIDS can send alarms on a separate network, ensuring the attacker remains unaware that the attack has been recognized.

Other Intrusion Detection Technology
Intrusion detection capabilities are sometimes embedded in other devices (such as routers and firewalls). Companies claim that many tools or products are intrusion detection devices, introducing new terms to gain a competitive edge by highlighting fine distinctions. Some security engineers consider other devices to be IDSs as well.
Code Modification Checkers
To detect unacceptable code modification, programs compare the active version of software code with a saved version or a digest of that code. The Tripwire program is a static data comparison tool that detects changes to executable programs and data files that should never or seldom change.
Vulnerability Scanners
System vulnerability scanners, such as ISS Scanner or Nessus, can be run against a network. They check for known vulnerabilities and report the flaws found.
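The code modification checker described above, as an added example (not Tripwire's code): a baseline of SHA-256 digests is taken over a file tree, and a later scan reports files that were modified, added or removed. The file tree is constructed in a temporary directory; a real deployment keeps the baseline off-host or signed so that an intruder cannot rewrite it along with the binaries.

```python
"""Tripwire-style code modification checker: baseline digests vs. current files.

Added example, not Tripwire's code. The file tree and its contents are
constructed inside a temporary directory.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Relative path -> digest for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report files whose digest changed, and files that appeared or disappeared."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict[str, list[str]]:
    """Build a constructed tree, take a baseline, change it, and compare."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"#!/bin/sh\nexec /sbin/real-login\n")
        (root / "etc.conf").write_text("timeout=30\n")
        baseline = snapshot(root)
        # Simulated changes: one program altered, one file added, one deleted.
        (root / "bin" / "login").write_bytes(b"#!/bin/sh\nexec /sbin/real-login -x\n")
        (root / "bin" / "extra").write_bytes(b"\x00")
        (root / "etc.conf").unlink()
        return compare(baseline, snapshot(root))
```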

7. Intrusion Prevention Systems (IPS)
Intrusion Detection Systems (IDS) detect an attack after it has begun, but system or network owners aim to prevent attacks before they occur. By analogy with house burglars, locks can prevent intrusions, but a determined attacker may find a way in through other means. Attackers are unpredictable: they may strike at any time, act alone or in groups, be human or automated (robots, drones, etc.), or even disguise their presence. House alarms can detect motion, pressure, or heat to alert the police or the owner, but they assume an attacker is human, which may not always be true. Alarms can also produce false positives, as household pets or moving objects like balloons might trigger them.

Intrusion Prevention Systems
Computer systems are subject to many possible attacks, and preventing all of them is virtually impossible. Outguessing all attackers is also virtually impossible. An Intrusion Prevention System (IPS) tries to block or stop harm. It is essentially an Intrusion Detection System (IDS) with a built-in response capability. The response is not just raising an alarm but includes:
Cutting off a user's access.
Rejecting all traffic from a specific address.
Blocking all users' access to a particular file or program.
Everything said about Intrusion Detection Systems (IDSs) also applies to Intrusion Prevention Systems (IPSs). IPSs extend IDS technology with a built-in protective response.

Responding to Alarms
Monitoring is appropriate for an attack of modest (initial) impact. The real goal may be to watch the intruder to see what resources are being accessed or what attacks are attempted. Another monitoring possibility is to record all traffic from a given source for future analysis. This approach should be invisible to the attacker.
Protecting can involve increasing access controls or making a resource unavailable (e.g., shutting off a network connection or making a file unavailable). The system can even sever the network connection the attacker is using. In contrast to monitoring, protecting may be very visible to the attacker.
Calling a human allows for individual discrimination. The IDS can take an initial defensive action immediately, possibly an overly strong one, while also generating an alert to a human. The human may take seconds, minutes, or longer to respond but can apply a more detailed and specific counteraction.

Alarm
The simplest and safest action for an IDS is to generate an alarm to an administrator, who will determine the next steps. Humans are most appropriate to judge the severity of a situation and choose among countermeasures. Humans can remember past situations and recognize connections or similarities that an IDS may not detect.
Generating an alarm requires a human to be constantly available to respond and to ensure the response is timely and appropriate. If multiple sensors generate alarms simultaneously, the human can become overloaded, miss new alarms, or delay the response to a second alarm. A second alarm can distract or confuse the human, jeopardizing the action on the first alarm.

Adaptive Behavior
Because of the limitations of humans, an IDS can be configured to take action to block the attack or reduce its impact. Actions an IDS can take:
Continue to monitor the network.
Block the attack by redirecting attack traffic, discarding the traffic, or terminating the session.
Reconfigure the network by bringing other hosts online (to increase capacity) or adjusting load balancers.
Adjust performance to slow the attack, e.g., by dropping some incoming traffic.
Deny access to specific network hosts or services.
Shut down part of the network.
Shut down the entire network.

Counterattack
A final action on attack detection is to mount an offense or strike back. Offensive action must be taken with great caution for several reasons:
The apparent attacker may not be the real attacker, since determining the true source of Internet traffic is not foolproof.
Counterattacks can result in a real-time battle, requiring quick defense and offense without proper assessment.
Retaliation in anger may not be well thought out.
Legality can be complex; while self-protection is legally accepted, offensive action can lead to legal jeopardy, just as it does for the attacker.
Provoking the attacker can cause escalation, as they may see the counterattack as a challenge.

Goals for Intrusion Detection Systems
The two styles of intrusion detection, pattern matching and heuristic, represent different approaches, each with advantages and disadvantages. Actual IDS products often blend both approaches. Ideally, an IDS should be fast, simple, accurate, and complete. It should detect all attacks with negligible performance penalty. An IDS could use some or all of the following design approaches:
Filter on packet headers.
Filter on packet content.
Maintain connection state.
Use complex, multipacket signatures.
Use a minimal number of signatures with maximum effect.
Filter in real time, online.
Hide its presence.
Use an optimal sliding-time window size to match signatures.

Stealth Mode
An IDS is a network device or, in the case of a host-based IDS, a program running on a network device. Any network device is vulnerable to network attacks. An IDS can be overwhelmed by a denial-of-service attack, reducing its effectiveness. If an attacker gains access to a protected network, they may attempt to disable the IDS. To counter these threats, most IDSs run in stealth mode with two network interfaces:
One for monitoring the network or network segment.
Another for generating alerts and handling administrative tasks.
The monitored interface is input-only, meaning it never sends packets. This interface is often configured with no published address, making it undetectable to routers. This setup makes the IDS a passive wiretap, allowing it to monitor traffic without being easily targeted.

Stealth Mode
If the IDS needs to generate an alert, it uses only the alarm interface on a completely separate control network. Such an architecture is shown in the figure. A stealth mode IDS prevents the attacker from knowing that an alarm has been raised.
Fig. IDS Control Network

Accurate Situation Assessment
Intrusion detection systems (IDS) are not perfect, and their biggest problem is mistakes. An IDS can make two types of errors:
False positive (Type I error): raising an alarm for a non-attack.
False negative (Type II error): not raising an alarm for a real attack.
Too many false positives (e.g., the Target breach) can make administrators lose confidence in the IDS, potentially causing them to ignore real alarms. False negatives are dangerous because real attacks go undetected. The balance between false positives and false negatives defines the sensitivity of the IDS. Administrators can adjust an IDS's sensitivity to find an acceptable balance between the two errors.

8. IDS Strengths and Limitations
Intrusion Detection Systems (IDSs) are evolving products.
Upside: IDSs detect an ever-growing number of serious problems. New attack signatures can be added to the IDS model, leading to continuous improvement. IDSs are becoming cheaper and easier to administer.
Downside: avoiding IDSs is a high priority for attackers. Poorly defended IDSs are useless. Stealth mode IDSs are hard to locate and difficult to compromise on an internal network. IDSs detect known weaknesses through attack patterns or models of normal behavior. Identical vulnerabilities may exist in similar IDSs, leading to missed attacks. Attackers share intelligence on how to evade specific IDS models. Manufacturers fix shortcomings once they become aware of them. Commercial IDSs are generally effective at identifying attacks.

IDS Strengths and Limitations
Another IDS limitation is its sensitivity, which is difficult to measure and adjust. IDSs will never be perfect, so finding the proper balance is critical. An IDS does not run itself; someone has to monitor its track record and respond to its alarms. An administrator is foolish to buy and install an IDS and then ignore it.
In general, IDSs are excellent additions to a network's security. Firewalls block traffic to particular ports or addresses; they also constrain certain protocols to limit their impact. By definition, firewalls must allow some traffic to enter a protected area. Watching what that traffic does inside the protected area is an IDS's job, which it does quite well.