16.1 IDS, Firewall and Honeypot Concepts
Intrusion Detection Systems (IDS) and their Placement
- An intrusion detection system (IDS) inspects all inbound and outbound network traffic for suspicious patterns that may indicate a network or system security breach.
- The IDS checks traffic for signatures that match known intrusion patterns, and signals an alarm when a match is found.
How IDS Works
Ways to Detect an Intrusion (?)
- Signature Recognition: It is also known as misuse detection. Signature recognition tries to identify events that indicate misuse of a system resource.
- Anomaly Detection: It detects the intrusion based on the fixed behavioral characteristics of the users and components in a computer system.
- Protocol Anomaly Detection: In this type of detection, models are built to explore anomalies in the way vendors deploy the TCP/IP specification.
General Indications of Intrusions
- System Intrusions:
  - The presence of new, unfamiliar files, or programs.
  - Changes in file permissions.
  - Unexplained changes in a file's size.
  - Rogue files on the system that do not correspond to your master list of signed files.
  - Unfamiliar file names in directories.
  - Missing files.
- Network Intrusions:
  - Repeated probes of the available services on your machines.
  - Connections from unusual locations.
  - Repeated login attempts from remote hosts.
  - Arbitrary data in log files, indicating attempts to cause a DoS or to crash a service.
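Several of the network indicators above (repeated login attempts from remote hosts, repeated probes of the available services, arbitrary data in log files) can be checked mechanically over a log. The following Python code is an added example, not part of the original notes; the log format, thresholds and addresses are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; the "<time> <EVENT> key=value ..." format is an assumption.
SAMPLE_LOG = """\
2024-05-01T10:00:01 FAILED_LOGIN user=root src=203.0.113.7
2024-05-01T10:00:05 FAILED_LOGIN user=admin src=203.0.113.7
2024-05-01T10:00:09 FAILED_LOGIN user=test src=203.0.113.7
2024-05-01T10:00:10 CONN src=198.51.100.9 dport=21
2024-05-01T10:00:10 CONN src=198.51.100.9 dport=22
2024-05-01T10:00:11 CONN src=198.51.100.9 dport=23
2024-05-01T10:00:11 CONN src=198.51.100.9 dport=80
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-05-01T10:05:00 FAILED_LOGIN user=alice src=192.0.2.10
2024-05-01T10:20:00 FAILED_LOGIN user=alice src=192.0.2.10
""".splitlines()

LINE_RE = re.compile(r"^(\S+) (FAILED_LOGIN|CONN) (.*)$")

def parse(line):
    """Return (time, event, fields), or None for malformed or arbitrary data."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        when = datetime.fromisoformat(m.group(1))
    except ValueError:
        return None
    return when, m.group(2), dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)

def detect(lines, window=timedelta(seconds=60), max_failures=3, max_ports=4):
    """Flag sources with repeated failed logins or many distinct ports probed in the window."""
    recent = defaultdict(deque)   # (event, src) -> (time, dport) entries inside the window
    alerts, unparsed = set(), 0
    for rec in map(parse, lines):   # lines are assumed to be in chronological order
        if rec is None or "src" not in rec[2]:
            unparsed += 1
            continue
        when, event, fields = rec
        q = recent[(event, fields["src"])]
        q.append((when, fields.get("dport")))
        while when - q[0][0] > window:
            q.popleft()
        if event == "FAILED_LOGIN" and len(q) >= max_failures:
            alerts.add(("repeated-login", fields["src"]))
        elif event == "CONN" and len({port for _, port in q}) >= max_ports:
            alerts.add(("service-probe", fields["src"]))
    return sorted(alerts), unparsed
```

`detect(SAMPLE_LOG)` returns the alerts together with a count of lines that could not be parsed, so unexpected data in the log is itself surfaced rather than silently ignored.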
General Indications of System Intrusions
- Short or incomplete logs
- Unusual graphic displays or text messages
- Unusually slow system performance
- Modifications to system software and configuration files
- Missing logs or logs with incorrect permissions or ownership
- System crashes or reboots
- Gaps in the system accounting
- Unfamiliar processes
Types of Intrusion Detection Systems (Important)
- Network-Based Intrusion Detection Systems:
  - These mechanisms typically consist of a black box that is placed on the network in the promiscuous mode, listening for patterns indicative of an intrusion.
  - It detects malicious activity such as Denial-of-Service attacks, port scans, or even attempts to crack into computers by monitoring network traffic.
- Host-Based Intrusion Detection Systems:
  - These mechanisms usually include auditing for events that occur on a specific host.
  - These are not as common, due to the overhead they incur by having to monitor each system event.
System Integrity Verifiers (SIV)
- System Integrity Verifiers detect changes in critical system components which help in detecting system intrusions.
- SIVs compare a snapshot of the file system with an existing baseline snapshot.
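The baseline comparison an SIV performs, and how it surfaces the system-intrusion indicators listed earlier (new files, missing files, changed permissions, changed size), can be shown in Python. This is an added example, not part of the original notes and not the code of any particular SIV product; the file names and contents in `demo()` are constructed.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each regular file under root to (sha256, size, permission bits)."""
    snap = {}
    for path in Path(root).rglob("*"):
        st = path.lstat()
        if not stat.S_ISREG(st.st_mode):
            continue  # directories, symlinks and special files are not hashed here
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        snap[str(path.relative_to(root))] = (digest, st.st_size, stat.S_IMODE(st.st_mode))
    return snap

def compare(baseline, current):
    """List the paths that differ between two snapshots, by kind of change."""
    kinds = ("content", "size", "permissions")
    report = {k: [] for k in ("new", "missing") + kinds}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            report["new"].append(path)
        elif path not in current:
            report["missing"].append(path)
        else:
            for kind, old, new in zip(kinds, baseline[path], current[path]):
                if old != new:
                    report[kind].append(path)
    return report

def demo():
    """Constructed scenario: baseline a temporary directory, alter it, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        seed = {"login": b"original binary", "motd": b"hello\n",
                "audit.log": b"entry 1\n", "sshd_config": b"PermitRootLogin no\n"}
        for name, data in seed.items():
            (root / name).write_bytes(data)
        (root / "sshd_config").chmod(0o600)
        baseline = snapshot(root)
        (root / "login").write_bytes(b"modified binary")   # same size, new content
        (root / "motd").write_bytes(b"hello, world\n")     # content and size change
        (root / "sshd_config").chmod(0o666)                # permissions loosened
        (root / "audit.log").unlink()                      # file goes missing
        (root / "unfamiliar.bin").write_bytes(b"\x7fELF")  # new, unfamiliar file
        return compare(baseline, snapshot(root))
```

The `login` case is why the digest is recorded as well as the size: the replacement has the same length as the original. A baseline is only useful if it is stored where an intruder on the monitored host cannot rewrite it.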
Firewall
- Firewalls are hardware and/or software designed to prevent unauthorized access to or from a private network.
- They are placed at the junction or gateway between the two networks, which is usually a private network and a public network such as the Internet.
- Firewalls examine all messages entering or leaving the Intranet and block those that do not meet the specified security criteria.
- Firewalls may be concerned with the type of traffic or with the source or destination addresses and ports.
Uses: Packet Filtering, Connection Logging
Firewall Architecture (?)
- Bastion host is a computer system designed and configured to protect network resources from attack.
- Traffic entering or leaving the network passes through the firewall, which has two interfaces:
  - public interface directly connected to the Internet.
  - private interface connected to the Intranet.
DMZ combined with the internal network → insecure
- Screened Subnet (screened-subnet firewall):
  - The screened subnet or DMZ (additional zone) contains hosts that offer public services.
  - The DMZ zone responds to public requests, and has no hosts accessed by the private network.
  - Private zone cannot be accessed by Internet users.
  - Demilitarized zone (DMZ); also known as Screened Subnet or Perimeter Network
  - When using a three-homed firewall, connect the first interface to the Internet, the second interface to the DMZ, and the third to the intranet.
- Multi-homed Firewall:
  - In this case, a firewall with two or more interfaces is present that allows further subdivision of the network based on the specific security objectives of the organization.
A multi-homed firewall is a node with multiple NICs that connects to two or more networks.
DeMilitarized Zone (DMZ)
- DMZ is a network that serves as a buffer between the internal secure network and insecure Internet.
- It can be created using a firewall with three or more network interfaces assigned specific roles such as internal trusted network, DMZ network, and external untrusted network.
Types of Firewall
- Packet Filters
- Circuit Level Gateways
- Application Gateways
- Stateful Multilayer Inspection Firewalls
Packet Filtering Firewall (Important)
- Packet filtering firewalls work at the network layer of the OSI model (or the IP layer of TCP/IP); they are usually a part of a router.
- In a packet filtering firewall, each packet is compared to a set of criteria before it is forwarded.
- Depending on the packet and the criteria, the firewall can drop the packet, forward it, or send a message to the originator.
- Rules can include the source and the destination IP address, the source and the destination port number, and the protocol used.
Traffic allowed based on source and destination IP address, packet type, and port number.
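How a packet filter compares each packet to its criteria can be shown with a first-match rule table in Python. This is an added example, not part of the original notes; the rule set, addresses, the action names and the default-drop policy are constructed assumptions, with "reject" standing for "send a message to the originator".

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str           # "forward", "drop" or "reject" (reject messages the originator)
    proto: str            # "tcp", "udp" or "any"
    src: str              # source network in CIDR notation
    dst: str              # destination network in CIDR notation
    dport: Optional[int]  # destination port, None for any

class Packet(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

# Constructed rules for a hypothetical Internet-facing interface:
# 192.0.2.0/24 stands in for the public servers, 10.0.0.0/8 for the intranet.
RULES = [
    Rule("drop", "any", "10.0.0.0/8", "0.0.0.0/0", None),      # intranet source seen outside
    Rule("forward", "tcp", "0.0.0.0/0", "192.0.2.10/32", 443),  # web server
    Rule("forward", "tcp", "0.0.0.0/0", "192.0.2.25/32", 25),   # mail server
    Rule("reject", "tcp", "0.0.0.0/0", "192.0.2.0/24", 23),     # refuse telnet, tell the sender
]

def matches(rule, pkt):
    return (rule.proto in ("any", pkt.proto)
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.dport in (None, pkt.dport))

def filter_packet(pkt, rules=RULES, default="drop"):
    """Return (action, rule number); the first matching rule decides, else the default."""
    for number, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return rule.action, number
    return default, None

SAMPLES = [  # constructed sample packets
    Packet("tcp", "198.51.100.4", 51000, "192.0.2.10", 443),
    Packet("tcp", "10.1.2.3", 40000, "192.0.2.10", 443),
    Packet("tcp", "198.51.100.4", 51001, "192.0.2.77", 23),
    Packet("udp", "198.51.100.4", 53000, "192.0.2.10", 443),
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt, "->", filter_packet(pkt))
```

Because the first match wins, rule order matters: the second sample packet is addressed to the web server on port 443 but is dropped by rule 1 on its source address before rule 2 is consulted.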
Circuit-Level Gateway Firewall (Important)
- Circuit-level gateways work at the session layer of the OSI model (or the TCP layer of TCP/IP).
- Information passed to a remote computer through a circuit-level gateway appears to have originated from the gateway.
- They monitor requests to create sessions, and determine if those sessions will be allowed.
- Circuit proxy firewalls allow or prevent data streams; they do not filter individual packets.
Traffic allowed based on session rules, such as when a session is initiated by a recognized computer.
Application-Level Firewall (Important)
- Application-level gateways (proxies) can filter packets at the application layer of the OSI model (or the application layer of TCP/IP).
- Incoming and outgoing traffic is restricted to services supported by proxy; all other service requests are denied.
- Application-level gateways configured as a web proxy prohibit FTP, gopher, telnet, or other traffic.
- Application-level gateways examine traffic and filter on application-specific commands such as HTTP POST and GET.
- Traffic allowed based on specified application (such as a browser) or a protocol, such as FTP, or combinations.
- Application-layer firewalls can function in one of two modes:
  - Active application-level firewalls: They examine all incoming requests, including the actual message exchanged, against known vulnerabilities such as SQL injection, parameter and cookie tampering, and cross-site scripting. The requests deemed genuine are allowed to pass through them.
  - Passive application-level firewalls: They work similarly to an IDS, in that they also check all incoming requests against known vulnerabilities, but they do not actively reject or deny a request if a potential attack is discovered.
Stateful Multilayer Inspection Firewall (?)
- Stateful multilayer inspection firewalls combine the aspects of the other three types of firewalls.
- They filter packets at the network layer of the OSI model (or the IP layer of TCP/IP), to determine whether session packets are legitimate, and they evaluate the contents of packets at the application layer.
Traffic is filtered at three layers based on a wide range of the specified application, session, and packet filtering rules.