# IT Security 2 (Ch9~Ch10) ## Chapter 9: Firewalls ### :cactus: What is a firewall and what does it do - :droplet: 定義: - internal 和 external網路的access control - 可以接受或拒絕 - :droplet: 服務: - Filter IP - 進階 - Network Address翻譯 - 分辨緊急(time critical)封包 - 檢查內容 ### :cactus: Security Policies - rules - 檢查封包header是否符合rules - 若header是rules的**subset**則符合 ### :cactus: Match Policy - :droplet: **First-Match** - match list中第一個符合的 - default通常在list後面 - :droplet: **Best-Match** - 最接近 - 需掃描整個list - :droplet: **Last-Match** - list最後一個符合的 ### :cactus: Modeling - **P** : packet - **R** : rules - **A\(R\)** 接受 - **D\(R\)** 拒絕 - **U\(R\)** 沒有對應的rules - **comprehensive** 對應到至少一個rules ### :cactus: Shadowing/ half shadowing/ optimizing firewalls - :droplet: Shadowing - **first-match policies** - 先對應到的rules範圍較廣 - 後對應到的rules範圍較窄但被忽略 - :droplet: Half shadowing - **first-match policies** - 後面的rules不會全部被忽略 > 只有system administrator知道是否此行為是故意的 - :droplet: Optimization - 因為過多的rules會影響performance - **reordering** rules / 刪除不必要的rules - 不能影響封包的接受/拒絕 ### :cactus: Default Accept or Deny - debate - 假設administrator定義一個，則default是另一個 - **define what is accepted and default deny** 最常見 ### :cactus: Firewall Types - :droplet: Packet filters - network/ transport layer - 像router - 檢查 - IP - port - tranport protocol type - 檢查packet的header，不檢查content - **攻擊** - IP address spoofing - 偽裝成internal IP address - 從externel送訊息 - **防止:** 丟棄ingress packets - **Tiny fragment attack** - split IP packet，使TCP　header不在第一個fragment中 - 若filter接受第一個fragment則預設接受其他fragment - **防止:** 要求IP packet符合最小size(包含TCP header) > 為何不夠? > 無法知道每個connection的 **state** - :droplet: Stateful packet firewalls - 額外maintain **state** - 允許connection tracking - 允許關聯(associate) - 允許associated return packets通過 - 設定動態rule - 通常用timer決定connection是否關閉 - incoming traffic是為了回應使用者需求(request by users) - FTP connection - 兩種connection: - 被使用者初始化 - 被server初始化 - 內部使用者初始化的connection才能允許incoming data通過 - Forms of state - **New** connection的第一個packet - **Established** 在雙方都有此packet - **Related** 與established的packet相關的connection - :droplet: Application Layer Firewalls - filter network/tranport/**application layer**的traffic - 通常用**Proxy** - 若要連到外部，則proxy連出去 - 會檢查packet **Content** - Application layer firewalls/ intrusion prevention systems/ intrusion detection system通常結合成one device - 檢查patterns/ signatures/ spam/ intrusion attamps - 提供differentiated services (multimedia) - content**不被加密**下才能運作 ### :cactus: 分類 - Where/ What to protect - Host firewall: 保障個人電腦 - Network firewall: 保障整個network - 通常只能有相同的security policy - Placement of webserver - 在firewall外 - 沒被保護到 - 在firewall內 - 難以到達 - **Solution: Demilitarized Zone(DMZ)** - 用internal firewall和external firewall 中間稱為DMZ (放webserver) - internal firewall可以比external firewall嚴格控制 - 檢查雙向traffic ### :cactus: Handling important administrative protocols - :droplet: Routing protocols - 決定device接收routing information - :droplet: Internet Control Message Protocol(ICMP) - errors/ echo requests - 攻擊者可以利用ping取得host - 通常不允許ping通過firewall - :droplet: Network Time Protocol - 同步時間 - :droplet: Dynamic Host Configuration Protocol - 通常不允許egress通過firewall ### :cactus: Network Address Translation (NAT) - firewall通常都有NAT - firewall內部用一組IP，**對外都用一公開IP** - host用不同port分別incoming和outgoing的traffic ### :cactus: Load Balancing and Firewall Arrays - 有一組firewalls array和通常兩個balancer - 每個firewall都相同 - load balancer會分配packet給loading較少的firewall > State ? > 1. 在Load balancer儲存，工作量增加 > 2. 在firewall儲存，複製n個state且firewall需連線 - 缺點: - 難以預測哪個firewall會先完成工作 - state難以maintain - 優點: - scalable - robustness (一個壞了其他還能用) - easy update rules ### :cactus: Problems - 仍無法避免overflow, DoS, insider攻擊 - Encrypted data(IPsec)難以決定是否能通過 - Application在HTTP之上 - HTTP通常pass即使用application的proxy ## Chapter 10: Intrusion Detection ### Typical attack methodology - 取得資訊 - 取得權限 - 權限提升 - 取得系統資訊 - 維持權限 - 掩蓋蹤跡 ### :cactus: What is Intrusion Detection - :droplet: Security Intrusion - 一個安全事件，未經過authorization，取得或嘗試取得access to a system(or resource) - :droplet: Intrusion Detection - 一安全服務，監視系統事件以real-time通知入侵行為 ### :cactus: Components of a Intrusion Detection System (IDS) - **Sensors** 紀錄行為、蒐集資料 - **Analyzers** 根據資料分析、決定 - **User Interface** 輸出結果 ### :cactus: Detection rate - :droplet: 因為intruder和authorized user行為有overlap，detection有可能偵測錯誤 - :alarm_clock: $\text{Detection rate = Recall = }\frac{TP}{TP+FN}$ $TP=\text{True Positive (攻擊導致alarm)}$ $FN=\text{False Negative (攻擊沒有導致alarm)}$ 越大越好 - :alarm_clock: $\text{False alarm rate = False Positive rate = }\frac{FP}{FP+TN}$ $FP=\text{導致alarm的良性行為}$ $TN=\text{沒有alarm的良性行為}$ 越小越好 ### :cactus: **Base Rate Fallacy** - 難以達到detection rate越大、false alarm rate越小 - 因為**攻擊機率低**，若有alarm，則低機率是attack - :droplet: Bayes Theorem $$Pr(A|B)=\frac{Pr(A\cap B)}{Pr(B)}$$$$Pr(B|A)=\frac{Pr(A|B)P(B)}{Pr(A)}$$ ### :cactus: IDS Approaches - :droplet: Anomaly Detection - 蒐集資料 - 建立model - 檢查與model不符的行為 > false alarm rates可能很高 - 方法 - **Statistical** univariate, multivariate, time-series - **Knowledge-based** expert system 提供的 rules - **Machine-learning** Bayesian networks, Markov models, fuzzy logic, clustering... - :droplet: Signature or Heuristic detection (**Misuse Detection**) - 惡意的data pattern(signatures) - Signature越大越能減少false alarm rate - low cost - attack rules(heuristics) - 利用 rules 辨別可疑行為 (針對各OS, machine) - 經過分析 - eg. **SNORT** 是rule-based IDS - rules: - buffer overflow (eg. `setuid` program產生特定的arguments) - SYN flooding (eg. 有很多SYN packets但沒有ACK) - 只能檢查**已知**的attack - Extracting Misuse Signatures - attack不變的特徵 - Honeypots - :droplet: Host-based IDS (HIDS) - 在特定的host觀察 - 只提供local view - 只有在被攻擊時能偵測 - 可觀察的資料: - System call - 看誰呼叫system call - 但Windows的DLL使用會隱藏誰呼叫 - Audit recored(log files) - 攻擊者也可能修改log file或不紀錄 - File integrity checksums - 用MAC計算checksums - Registry access - 檢查registry - :droplet: Network-based IDS (NIDS) - network中選定的一群節點 - 通常包含如firewall - 越少節點能包含完整網路越好 - Sensor - Inline sensor: traffic必須通過 - Passive sensor: 複製traffic - Sensor Placement - with external firewall - DMZ - with internal firewall - internal ### 可偵測的攻擊 - :droplet: Anomaly detection - DoS - scanning attack - worm - bot - :droplet: Misuse-based detection - application layer attack (DHCP, DNS, FTP, IMAP...) - Transport layer attack (SYN floods) - Network layer (IPv4, IPv6...) - host running SMTP server - :droplet: Distributed IDS - **結合** HIDS及NIDS - 溝通並交換資訊 - **Intrusion Detection Exchange Protocol (IDXP)** - 如何交換資訊的protocol ### :cactus: Snort - Highly configurable host-based/network-based IDS - packet/ protocol/ content - 針對 TCP/ UDP/ ICMP - based on rules - inline/ passive - :droplet: Architecture -  - **Decoder** 識別並隔離(isolate)封包 (各layer的header) - **Detection Engine** 根據rules分析，找第一個對應的rule - **Logger** 儲存packet - **Alerter** 通知file/ UNIX socket/ database - :droplet: Rules - simple, flexible rule definition language - 有**header**, **option** - | Header | description | example | | ------ | ----------- | --- | | Action | what to do | alert/ log/ pass/ drop/ reject | |Protocol||TCP/ UDP/ ICMP/ IP| |Source IP address||| |Source port||| |Direction||unidirectional/ bidirectional| |Destination IP address and port||| - | Options | | --------| | keyword | |arguments| - Categories of rule options - Metadata - Payload - Non-payload - Post-detection > Snort 有 remote buffer overflow 的漏洞 > 會執行 remote code > 之後被修正了 ### :cactus: Attacking and Evading NIDS - :droplet: Overload NIDS - 用大量資料overload，以入侵NIDS - Solution: watchdog timer - :droplet: Encrypt - :droplet: split packets - :droplet: 偵測困難 - scanning (可能split封包) - recording (可能reorder封包) - fully reassembly of TCP state (用TCP tricks) - 都不夠