
IT Security 2 (Ch9~Ch10)

Chapter 9: Firewalls

What is a firewall and what does it do

  • Definition:
    • Access control between an internal and an external network
    • Each packet is either accepted or rejected
  • Services:
    • IP filtering
    • Advanced:
      • Network Address Translation
      • Identifying time-critical packets
      • Content inspection

Security Policies

  • A policy is a list of rules
  • Each packet header is checked against the rules
  • A header matches a rule when all of its field values lie within the rule's field ranges (the header is a subset of the rule)

Match Policy

  • First-Match
    • The first matching rule in the list decides
    • The default rule is therefore usually placed at the end of the list
  • Best-Match
    • The most specific (closest) matching rule decides
    • Requires scanning the whole list
  • Last-Match
    • The last matching rule in the list decides

Modeling

  • P : a packet
  • R : the rule set
  • A(R) : packets accepted by R
  • D(R) : packets denied by R
  • U(R) : packets that match no rule in R
  • R is comprehensive when every packet matches at least one rule, i.e. U(R) is empty

Shadowing / half shadowing / optimizing firewalls

  • Shadowing
    • Under first-match policies:
      • An earlier rule is broader
      • A later, narrower rule lies completely inside it, is never reached, and is therefore ignored
  • Half shadowing
    • Under first-match policies:
      • The later rule only partly overlaps an earlier one, so it is not ignored entirely: packets in the overlap are decided by the earlier rule, the rest still reach the later rule

      Only the system administrator knows whether this behaviour is intentional

  • Optimization
    • Too many rules hurt performance
    • Reorder rules / delete unnecessary rules
      • Must not change the accept/deny decision for any packet
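As an added example (not part of the original notes), the following Python model ties the Match Policy, Modeling and Shadowing sections together: a first-match and a last-match evaluator returning the A(R) / D(R) / U(R) outcome, a comprehensiveness check, a shadowing detector that reports fully shadowed, redundant and half-shadowed rules, and the one optimisation that provably cannot change a decision (dropping rules fully covered by a single earlier rule). The rule set, addresses and packets are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed example: rule set, addresses and packets are assumptions, not from the notes.
# A packet is a dict with keys proto, src, dst, dport; a rule is a box in that field
# space and matches when the packet lies inside it (header is a subset of the rule).


@dataclass(frozen=True)
class Rule:
    action: str            # "accept" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: IPv4Network
    dst: IPv4Network
    dport_lo: int
    dport_hi: int

    def matches(self, pkt: dict) -> bool:
        return (self.proto in ("any", pkt["proto"])
                and ip_address(pkt["src"]) in self.src
                and ip_address(pkt["dst"]) in self.dst
                and self.dport_lo <= pkt["dport"] <= self.dport_hi)

    def covers(self, other: "Rule") -> bool:
        """Every packet matching `other` also matches self (other's box lies inside self's)."""
        return (self.proto in ("any", other.proto)
                and other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and self.dport_lo <= other.dport_lo
                and other.dport_hi <= self.dport_hi)

    def overlaps(self, other: "Rule") -> bool:
        """Some packet matches both rules (the boxes intersect)."""
        return (("any" in (self.proto, other.proto) or self.proto == other.proto)
                and self.src.overlaps(other.src)
                and self.dst.overlaps(other.dst)
                and self.dport_lo <= other.dport_hi
                and other.dport_lo <= self.dport_hi)


def first_match(rules, pkt):
    """First-match: the first rule whose box contains the packet decides.
    Returns ('accept'|'deny', index), or ('unmatched', None) for the U(R) case."""
    for i, r in enumerate(rules):
        if r.matches(pkt):
            return r.action, i
    return "unmatched", None


def last_match(rules, pkt):
    """Last-match: the last matching rule decides, so the whole list is scanned."""
    hits = [(r.action, i) for i, r in enumerate(rules) if r.matches(pkt)]
    return hits[-1] if hits else ("unmatched", None)


def is_comprehensive(rules, packets):
    """True when every sample packet is matched by at least one rule (U(R) empty on the sample)."""
    return all(first_match(rules, p)[0] != "unmatched" for p in packets)


def find_shadowing(rules):
    """Report (i, j, kind) for an earlier rule i and a later rule j under first-match:
    'shadowed'      i covers j and the actions differ: j never fires, and the policy is
                    not what a reader of rule j would expect;
    'redundant'     i covers j with the same action: j never fires but is harmless;
    'half-shadowed' i only overlaps j with a different action: packets in the overlap
                    are decided by i, the rest of j still takes effect.
    Only the administrator can say whether a half-shadow is intentional.
    (Coverage by a union of several earlier rules is not detected here.)"""
    findings = []
    for j, rj in enumerate(rules):
        for i in range(j):
            ri = rules[i]
            if ri.covers(rj):
                findings.append((i, j, "shadowed" if ri.action != rj.action else "redundant"))
                break
            if ri.action != rj.action and ri.overlaps(rj):
                findings.append((i, j, "half-shadowed"))
    return findings


def remove_dead_rules(rules):
    """Optimisation that cannot change any decision: drop each rule fully covered by a
    single earlier kept rule, since it can never be the first match."""
    kept = []
    for r in rules:
        if not any(k.covers(r) for k in kept):
            kept.append(r)
    return kept


ANY_NET = ip_network("0.0.0.0/0")
RULES = [
    Rule("accept", "tcp", ip_network("10.0.0.0/8"),  ANY_NET, 80, 80),      # 0 web out
    Rule("deny",   "tcp", ip_network("10.1.0.0/16"), ANY_NET, 80, 80),      # 1 shadowed by 0
    Rule("accept", "udp", ip_network("10.0.0.0/8"),  ANY_NET, 53, 53),      # 2 dns out
    Rule("deny",   "any", ip_network("10.2.0.0/16"), ANY_NET, 0, 65535),    # 3 half-shadowed by 0 and 2
    Rule("deny",   "any", ANY_NET,                   ANY_NET, 0, 65535),    # 4 default deny
]

PACKETS = [  # constructed sample packets
    {"proto": "tcp", "src": "10.1.2.3",    "dst": "93.184.216.34", "dport": 80},  # rule 1 never fires
    {"proto": "tcp", "src": "10.2.0.5",    "dst": "203.0.113.1",   "dport": 22},
    {"proto": "tcp", "src": "192.168.1.1", "dst": "203.0.113.1",   "dport": 22},
]

if __name__ == "__main__":
    for p in PACKETS:
        print(p["src"], "->", first_match(RULES, p))
    print("shadowing:", find_shadowing(RULES))
    print("rules after optimisation:", len(remove_dead_rules(RULES)))
```

Run it and note that the first packet is accepted by rule 0 although rule 1 was written to deny that subnet: under first-match the deny is dead, which is exactly the case the shadowing report flags, while the half-shadow reports on rule 3 and the default rule are the ones an administrator has to judge by intent.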

Default Accept or Deny

  • A long-running debate
  • The administrator explicitly defines one outcome; everything not covered by a rule gets the other as the default
  • Defining what is accepted and denying everything else by default is the most common choice

Firewall Types

  • Packet filters
    • Operate at the network / transport layer
    • Behave like a router
    • Inspect
      • IP addresses
      • Ports
      • Transport protocol type
    • Look only at packet headers, not at content
    • Attacks
      • IP address spoofing
        • Attacker forges an internal IP address as the source
        • Sends the packet from the external network
        • Prevention: drop ingress packets whose source address is an internal address
      • Tiny fragment attack
        • Split the IP packet so that the TCP header is not in the first fragment
        • If the filter accepts the first fragment, the remaining fragments are accepted by default
        • Prevention: require the first fragment to meet a minimum size (large enough to contain the TCP header)

    Why is this not enough?
    A packet filter has no knowledge of the state of each connection

  • Stateful packet firewalls
    • Additionally maintain state
    • Allow connection tracking
      • Packets are associated with a connection
        • Associated return packets are allowed through
        • Implemented as dynamic rules
        • A timer usually decides when a connection is considered closed
      • Incoming traffic is allowed when it is a response to a request made by an internal user
    • FTP connections
      • Two kinds of connection:
        • Initiated by the user (control connection)
        • Initiated by the server (data connection)
      • Incoming data is only allowed for sessions that an internal user initiated
    • Forms of state
      • New: the first packet of a connection
      • Established: packets have been seen in both directions
      • Related: a new connection associated with an established one
  • Application Layer Firewalls
    • Filter traffic at the network / transport / application layer
    • Usually implemented as a proxy
      • To reach the outside, the client connects to the proxy and the proxy connects out
    • Inspect packet content
    • Application layer firewalls, intrusion prevention systems and intrusion detection systems are often combined into one device
    • Check for patterns / signatures / spam / intrusion attempts
    • Can provide differentiated services (e.g. for multimedia)
    • Only work when the content is not encrypted
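As an added example (not from the notes or any firewall product), the following Python model combines the two packet-filter defences above (anti-spoofing on ingress, minimum first-fragment size) with the stateful connection tracking described next: an outbound SYN creates a dynamic return rule, later packets of that connection are ESTABLISHED in either direction, unsolicited ingress packets are INVALID, and idle entries expire on a timer. The internal prefix, timeout and packet trace are constructed assumptions, and the RELATED state (e.g. FTP data connections) is deliberately left out.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example; the internal prefix, timeout and packets are assumptions.
INTERNAL = ip_network("10.0.0.0/8")   # addresses that only exist behind the firewall
TCP_HEADER_MIN = 20                   # a first fragment must carry at least this much L4 data
STATE_TIMEOUT = 60.0                  # idle seconds before a tracked connection is forgotten


@dataclass
class Packet:
    direction: str          # "egress" (inside -> outside) or "ingress" (outside -> inside)
    src: str
    dst: str
    sport: int
    dport: int
    flags: str = ""         # TCP flag letters, e.g. "S", "SA", "A"
    frag_offset: int = 0    # IP fragment offset; 0 for the first (or only) fragment
    more_frags: bool = False
    l4_len: int = 0         # bytes of transport header + data carried by this fragment


class StatefulFilter:
    """Packet-filter checks (spoofing, tiny fragments) plus connection tracking:
    NEW         egress SYN with no state -> create a dynamic return rule
    ESTABLISHED packet belonging to a tracked connection, in either direction
    INVALID     ingress packet that nobody inside asked for"""

    def __init__(self):
        self.conns = {}     # (inside_ip, inside_port, outside_ip, outside_port) -> last seen

    @staticmethod
    def _key(p):
        # Normalise to (inside, outside) so the reply direction hits the same entry.
        if p.direction == "egress":
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)

    def _expire(self, now):
        # No end-of-connection signal is relied upon: idle entries simply time out.
        for k in [k for k, seen in self.conns.items() if now - seen > STATE_TIMEOUT]:
            del self.conns[k]

    def classify(self, p):
        if self._key(p) in self.conns:
            return "ESTABLISHED"
        if p.direction == "egress" and p.flags == "S":
            return "NEW"
        return "INVALID"

    def decide(self, p, now):
        self._expire(now)
        # 1. Anti-spoofing: a packet arriving from outside cannot carry an inside source.
        if p.direction == "ingress" and ip_address(p.src) in INTERNAL:
            return "DROP/spoofed-source"
        # 2. Tiny-fragment defence: the first fragment must hold the whole TCP header,
        #    otherwise the port/flag checks below would run on incomplete data. Later
        #    fragments are not accepted just because the first one was; a real filter
        #    would track them by IP ID or reassemble, this toy filter drops them.
        if p.frag_offset == 0 and p.more_frags and p.l4_len < TCP_HEADER_MIN:
            return "DROP/tiny-fragment"
        if p.frag_offset > 0:
            return "DROP/non-first-fragment"
        # 3. Connection tracking.
        state = self.classify(p)
        if state == "INVALID":
            return "DROP/no-state"
        self.conns[self._key(p)] = now    # create or refresh the dynamic rule
        return "ACCEPT/" + state


def run_scenario():
    """Constructed packet trace (time, packet); returns the verdict for each packet."""
    fw = StatefulFilter()
    trace = [
        (0.0, Packet("ingress", "10.0.0.99", "10.0.0.5", 4444, 22, "S")),               # spoofed inside source
        (0.0, Packet("egress", "10.0.0.5", "93.184.216.34", 40000, 80, "S")),           # user opens a web connection
        (0.1, Packet("ingress", "93.184.216.34", "10.0.0.5", 80, 40000, "SA")),         # associated reply
        (0.2, Packet("ingress", "198.51.100.7", "10.0.0.5", 5555, 22, "S")),            # unsolicited SSH attempt
        (0.3, Packet("egress", "10.0.0.5", "203.0.113.9", 40001, 80, "S", 0, True, 8)), # first fragment too small
        (200.0, Packet("ingress", "93.184.216.34", "10.0.0.5", 80, 40000, "A")),        # reply after idle timeout
    ]
    return [fw.decide(p, t) for t, p in trace]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The last packet shows the cost of timer-based state: once the connection has been idle longer than STATE_TIMEOUT, a legitimate late reply is dropped as if it were unsolicited, which is why production firewalls use long timeouts for established TCP connections and short ones for half-open or UDP state.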

Classification

  • Where / what to protect
    • Host firewall: protects a single machine
    • Network firewall: protects a whole network
      • Usually can only enforce one security policy for all hosts behind it
    • Placement of a web server
      • Outside the firewall
        • Not protected
      • Inside the firewall
        • Hard for outside users to reach
      • Solution: Demilitarized Zone (DMZ)
        • Use an internal firewall and an external firewall;
          the network between them is the DMZ (where the web server is placed)
        • The internal firewall can be stricter than the external firewall
        • Traffic is inspected in both directions

Handling important administrative protocols

  • Routing protocols
    • Decide which devices the firewall accepts routing information from
  • Internet Control Message Protocol (ICMP)
    • Carries errors / echo requests
    • An attacker can use ping to discover live hosts
    • Ping is usually not allowed through the firewall
  • Network Time Protocol
    • Time synchronization
  • Dynamic Host Configuration Protocol
    • Usually not allowed egress through the firewall

Network Address Translation (NAT)

  • Firewalls usually also perform NAT
  • Hosts behind the firewall use a private address range; all outbound traffic appears to come from one public IP
  • The NAT device gives each internal host/port a distinct external port, so returning traffic can be mapped back to the right internal host

Load Balancing and Firewall Arrays

  • An array of firewalls, usually with two load balancers (one on each side)
  • Every firewall in the array is identical
  • The load balancer hands each packet to the least loaded firewall

    Where is the state kept?

    1. In the load balancer: increases its workload
    2. In the firewalls: the state is replicated n times and the firewalls must be connected to each other
  • Disadvantages:
    • Hard to predict which firewall will finish its work first
    • State is hard to maintain
  • Advantages:
    • Scalable
    • Robust (if one firewall fails the others keep working)
    • Easy to update rules

Problems

  • Still cannot prevent buffer overflows, DoS or insider attacks
  • Encrypted data (e.g. IPsec): hard to decide whether it should be let through
  • Applications built on top of HTTP
    • HTTP is usually allowed through, so anything tunnelled over it passes even when an application proxy is in use

Chapter 10: Intrusion Detection

Typical attack methodology

  • Gather information (reconnaissance)
  • Gain access
  • Escalate privileges
  • Gather system information
  • Maintain access
  • Cover tracks

What is Intrusion Detection

  • Security Intrusion
    • A security event in which an intruder gains, or attempts to gain, access to a system (or resource) without authorization
  • Intrusion Detection
    • A security service that monitors and analyzes system events in order to warn of intrusion attempts in (near) real time

Components of an Intrusion Detection System (IDS)

  • Sensors: record activity and collect data
  • Analyzers: analyze the collected data and decide whether an intrusion has occurred
  • User Interface: presents the results

Detection rate

  • Because the behaviour of intruders and authorized users overlaps, detection can make mistakes
  • \(\text{Detection rate = Recall = }\frac{TP}{TP+FN}\)
    \(TP=\text{True Positive (an attack that raised an alarm)}\)
    \(FN=\text{False Negative (an attack that raised no alarm)}\)
    Higher is better
  • \(\text{False alarm rate = False Positive rate = }\frac{FP}{FP+TN}\)
    \(FP=\text{False Positive (benign activity that raised an alarm)}\)
    \(TN=\text{True Negative (benign activity that raised no alarm)}\)
    Lower is better

Base Rate Fallacy

  • It is hard to achieve a high detection rate and a low false alarm rate at the same time
  • Because the prior probability of an attack is low, even when an alarm fires the probability that it is a real attack is low
  • Bayes' Theorem
    \[Pr(A|B)=\frac{Pr(A\cap B)}{Pr(B)}\]\[Pr(B|A)=\frac{Pr(A|B)\,Pr(B)}{Pr(A)}\]
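    As an added worked example (not in the original notes), write \(I\) for "an intrusion occurred" and \(A\) for "the IDS raised an alarm", so that the detection rate is \(Pr(A|I)\) and the false alarm rate is \(Pr(A|\neg I)\). Bayes' theorem with the law of total probability in the denominator gives the probability that an alarm is real:

    \[Pr(I|A)=\frac{Pr(A|I)\,Pr(I)}{Pr(A)}=\frac{Pr(A|I)\,Pr(I)}{Pr(A|I)\,Pr(I)+Pr(A|\neg I)\,Pr(\neg I)}\]

    Assume (illustrative numbers, not from the notes) a detector with detection rate \(Pr(A|I)=0.99\), false alarm rate \(Pr(A|\neg I)=0.01\), and a base rate of one intrusion per 10,000 records, \(Pr(I)=10^{-4}\):

    \[Pr(I|A)=\frac{0.99\times 10^{-4}}{0.99\times 10^{-4}+0.01\times 0.9999}=\frac{9.9\times 10^{-5}}{1.0098\times 10^{-2}}\approx 0.0098\]

    So even with 99% recall and only a 1% false alarm rate, roughly 99% of alarms are false: for alarms to be trustworthy the false alarm rate has to be driven down toward the base rate \(Pr(I)\) itself.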

IDS Approaches

  • Anomaly Detection
    • Collect data on normal behaviour
    • Build a model of it
    • Flag behaviour that deviates from the model

    False alarm rates can be high

    • Methods
      • Statistical: univariate, multivariate, time-series
      • Knowledge-based: rules supplied by an expert system
      • Machine-learning: Bayesian networks, Markov models, fuzzy logic, clustering
  • Signature or Heuristic detection (Misuse Detection)
    • Malicious data patterns (signatures)
      • The longer and more specific the signature, the lower the false alarm rate
      • Low cost
    • Attack rules (heuristics)
      • Rules that identify suspicious behaviour (specific to each OS / machine)
      • Derived from analysis of known attacks
      • e.g. SNORT is a rule-based IDS
      • Example rules:
        • Buffer overflow (e.g. a setuid program invoked with unusual arguments)
        • SYN flooding (e.g. many SYN packets with no completing ACK)
    • Can only detect known attacks
  • Extracting Misuse Signatures
    • Look for the invariant features of an attack
    • Honeypots
  • Host-based IDS (HIDS)
    • Monitors a specific host
    • Provides only a local view
    • Can only detect an attack once that host itself is being attacked
    • Observable data:
      • System calls
        • See who issues which system call
        • On Windows, calls made through DLLs hide the real caller
      • Audit records (log files)
        • An attacker may also modify the log file or prevent logging
      • File integrity checksums
        • Computed with a MAC, so an attacker cannot recompute them after tampering
      • Registry access
        • Monitor registry changes
  • Network-based IDS (NIDS)
    • Monitors at a chosen set of nodes in the network
    • Often co-located with a firewall
    • The fewer nodes needed to cover the whole network, the better
    • Sensors
      • Inline sensor: traffic must pass through it
      • Passive sensor: receives a copy of the traffic
    • Sensor Placement
      • With the external firewall
      • In the DMZ
      • With the internal firewall
      • Internal network

Detectable attacks

  • Anomaly detection
    • DoS
    • Scanning attacks
    • Worms
    • Bots
  • Misuse-based detection
    • Application layer attacks (DHCP, DNS, FTP, IMAP)
    • Transport layer attacks (SYN floods)
    • Network layer attacks (IPv4, IPv6)
    • Unexpected services, e.g. a host running an SMTP server
  • Distributed IDS
    • Combines HIDS and NIDS
    • Components communicate and exchange information
    • Intrusion Detection Exchange Protocol (IDXP)
      • Protocol defining how that information is exchanged

Snort

  • Highly configurable host-based / network-based IDS

  • Inspects packets / protocols / content

  • Covers TCP / UDP / ICMP

  • Rule based

  • Inline or passive

  • Architecture

    • Decoder: identifies and isolates the headers of each layer in a packet
    • Detection Engine: analyzes the packet against the rules and finds the first matching rule
    • Logger: stores the packet
    • Alerter: sends notifications to a file / UNIX socket / database
  • Rules

    • Simple, flexible rule definition language
    • A rule consists of a header and options
    Header field     Description / example
    Action           what to do: alert / log / pass / drop / reject
    Protocol         TCP / UDP / ICMP / IP
    Source           IP address
    Source port
    Direction        unidirectional (->) / bidirectional (<>)
    Destination      IP address and port
    Options          keyword: arguments
    • Categories of rule options
      • Metadata
      • Payload
      • Non-payload
      • Post-detection

    Snort itself has had a remote buffer overflow vulnerability
    that allowed remote code execution;
    it was later fixed
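As an added example (not Snort's own code), the following Python parser handles the rule layout described above, header followed by ordered options, and a small detection engine that, like Snort's, returns the first rule whose header and options all match. It supports `any`, CIDR and `!`-negated addresses, `any` / single / `lo:hi` ports, `->` and `<>` directions, and the `msg`, `sid`, `content`, `nocase` and `flags` options; other keywords (such as `flow`) are parsed and categorised but not evaluated. The variable bindings, rules and packets are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed example: the rules, variable bindings and packets are assumptions, not
# Snort's own code. Handled subset: any / CIDR / !negated addresses, any / single / lo:hi
# ports, -> and <> directions, and the msg, sid, content, nocase and flags options; other
# keywords (e.g. flow) are parsed and categorised but not evaluated.
VARS = {"$HOME_NET": ["10.0.0.0/8"], "$EXTERNAL_NET": ["!$HOME_NET"]}
CATEGORIES = {  # the four option categories from the notes
    "metadata": {"msg", "sid", "rev", "classtype", "reference", "priority"},
    "payload": {"content", "nocase", "depth", "offset", "distance", "within", "pcre"},
    "non-payload": {"flags", "flow", "ttl", "dsize", "itype", "icode"},
    "post-detection": {"logto", "session", "resp", "react", "tag"},
}

def parse_rule(text):
    """Split 'action proto src sport dir dst dport (opt; opt; ...)' into a dict.
    Options keep their order: a modifier such as nocase applies to the content
    keyword immediately before it."""
    head, _, body = text.strip().partition("(")
    action, proto, src, sport, direction, dst, dport = head.split()
    options, buf, in_quote = [], "", False
    for ch in body.rstrip().rstrip(")"):       # split on ';' only outside "quotes"
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            options.append(buf)
            buf = ""
        else:
            buf += ch
    options.append(buf)
    parsed = []
    for o in options:
        if o.strip():
            key, _, val = o.strip().partition(":")
            parsed.append((key.strip(), val.strip().strip('"') if val else None))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport, "options": parsed}

def opt(rule, key):
    return next((v for k, v in rule["options"] if k == key), None)

def categorize(rule):
    out = {c: [] for c in CATEGORIES}
    for k, _ in rule["options"]:
        for cat, keys in CATEGORIES.items():
            if k in keys:
                out[cat].append(k)
    return out

def addr_matches(spec, ip):
    negate, spec = spec.startswith("!"), spec.lstrip("!")
    if spec == "any":
        hit = True
    elif spec in VARS:                         # a variable may itself hold negated entries
        hit = any(addr_matches(s, ip) for s in VARS[spec])
    else:
        hit = ip_address(ip) in ip_network(spec, strict=False)
    return hit != negate

def port_matches(spec, port):
    negate, spec = spec.startswith("!"), spec.lstrip("!")
    if spec == "any":
        hit = True
    elif ":" in spec:                          # "1024:" = 1024 and above, ":1023" = up to 1023
        lo, _, hi = spec.partition(":")
        hit = int(lo or 0) <= port <= int(hi or 65535)
    else:
        hit = port == int(spec)
    return hit != negate

def header_matches(rule, pkt):
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    def one_way(a, ap, b, bp):
        return (addr_matches(rule["src"], a) and port_matches(rule["sport"], ap)
                and addr_matches(rule["dst"], b) and port_matches(rule["dport"], bp))
    fwd = one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if rule["direction"] == "<>":              # bidirectional: either orientation matches
        return fwd or one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    return fwd

def options_match(rule, pkt):
    contents = []                              # [pattern, nocase] in rule order
    for k, v in rule["options"]:
        if k == "content":
            contents.append([v.encode(), False])
        elif k == "nocase" and contents:
            contents[-1][1] = True
        elif k == "flags":                     # "S" = exactly SYN; "S+" = SYN plus any others
            want, got = set(v.rstrip("+")), set(pkt.get("flags", ""))
            if not (want <= got if v.endswith("+") else want == got):
                return False
    payload = pkt.get("payload", b"")
    for pat, nocase in contents:
        hay, needle = (payload.lower(), pat.lower()) if nocase else (payload, pat)
        if needle not in hay:
            return False
    return True

def evaluate(rules, pkt):
    """Detection engine: the first rule whose header and options all match decides."""
    for rule in rules:
        if header_matches(rule, pkt) and options_match(rule, pkt):
            return rule["action"], opt(rule, "sid")
    return None

RULES = [parse_rule(r) for r in (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC /etc/passwd access"; '
    'flow:to_server; content:"/etc/passwd"; nocase; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH connection attempt"; flags:S; sid:1000002;)',
)]

def pkt(src, dport, flags, payload=b""):       # constructed TCP packet towards 10.0.0.8
    return {"proto": "tcp", "src": src, "sport": 51000, "dst": "10.0.0.8",
            "dport": dport, "flags": flags, "payload": payload}
```

Two details matter in practice: the semicolon splitter has to respect quotes, or a `content` value containing `;` would be cut in half and silently match the wrong bytes; and because `$EXTERNAL_NET` is defined as `!$HOME_NET`, the same request sent from an internal address matches nothing, which is the intended scoping and also the reason insider traffic needs separate rules.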

Attacking and Evading NIDS

  • Overload the NIDS
    • Flood it with large volumes of traffic so that it falls behind or drops packets, letting the real attack slip past
    • Solution: watchdog timer
  • Encryption
    • The NIDS cannot inspect encrypted payloads
  • Split packets
    • Spread the attack across several packets or fragments so that no single one matches a signature
  • Why detection is hard
    • Scanning each packet on its own: the attacker may split the attack across packets
    • Recording packets: the attacker may reorder them
    • Full reassembly of TCP state: the attacker can use TCP tricks (e.g. overlapping segments)
    • None of these alone is sufficient
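As an added example (not from the notes), the following Python code makes the split/reorder evasion concrete: a signature for the string `/etc/passwd` is checked first by a stateless matcher that looks at each TCP segment on its own, then by a matcher that reassembles the stream by sequence number the way the receiving host does. The attacker splits the request in the middle of the signature and sends the second half first; only the reassembling matcher fires. The reassembler also trims retransmitted bytes that overlap data already delivered ("first copy wins"), one of several policies real hosts use, which is the ambiguity the "TCP tricks" bullet refers to. The signature, sequence numbers and segments are constructed assumptions.

```python
# Constructed example: the signature, sequence numbers and segments are assumptions.
SIGNATURE = b"/etc/passwd"


def per_packet_match(segments):
    """Stateless NIDS: inspects each TCP segment on its own. Evaded as soon as the
    signature is split across two segments, with or without reordering."""
    return any(SIGNATURE in seg["data"] for seg in segments)


class StreamReassembler:
    """Orders TCP segments by sequence number and rebuilds the byte stream the
    receiving host will see. Out-of-order data is held until the gap before it is
    filled; bytes that overlap data already delivered are trimmed (first copy wins).
    Real hosts differ in which copy they keep, so a NIDS that picks a policy unlike
    the target's can be desynchronised from it (partial overlaps between two pending
    segments are not resolved here)."""

    def __init__(self, isn):
        self.next_seq = isn     # sequence number of the next byte the host expects
        self.pending = {}       # seq -> data waiting for an earlier gap to be filled
        self.stream = b""

    def feed(self, seq, data):
        if seq < self.next_seq:                     # retransmission / overlap
            skip = self.next_seq - seq
            if skip >= len(data):
                return self.stream                  # nothing new, ignore entirely
            seq, data = self.next_seq, data[skip:]
        self.pending.setdefault(seq, data)          # keep the first copy seen for a seq
        while self.next_seq in self.pending:        # deliver every contiguous piece
            chunk = self.pending.pop(self.next_seq)
            self.stream += chunk
            self.next_seq += len(chunk)
        return self.stream


def reassembled_match(segments, isn):
    """Stateful NIDS: match against the reassembled stream instead of each segment."""
    r = StreamReassembler(isn)
    for seg in segments:
        r.feed(seg["seq"], seg["data"])
    return SIGNATURE in r.stream


ISN = 1000
# The attacker splits "GET /etc/passwd" in the middle of the signature and sends the
# second half first; the host reorders transparently, a per-packet matcher does not.
EVASIVE_SEGMENTS = [
    {"seq": ISN + 12, "data": b"swd HTTP/1.0\r\n\r\n"},
    {"seq": ISN,      "data": b"GET /etc/pas"},
]

if __name__ == "__main__":
    print("per-packet match:  ", per_packet_match(EVASIVE_SEGMENTS))
    print("reassembled match: ", reassembled_match(EVASIVE_SEGMENTS, ISN))
```

The price of the second matcher is the state the notes warn about: every open connection needs a buffer and a reassembly position, which is exactly what the "overload the NIDS" attack targets.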