intrusion detection system

Published on June 2016

1. INTRUDERS
One of the most publicized threats to security is the intruder, generally referred to as a hacker or
cracker. A significant issue for networked systems is hostile or unwanted access, either via the
network or locally. Three classes of intruders can be identified:
• Masquerader: an individual who is not authorized to use the computer and who penetrates a
  system's access controls to exploit a legitimate user's account.
• Misfeasor: a legitimate user who accesses data, programs, or resources for which such access is
  not authorized, or who is authorized for such access but misuses his or her privileges.
• Clandestine user: an individual who seizes supervisory control of the system and uses this
  control to evade auditing and access controls or to suppress audit collection.

Intrusion Techniques
The aim is to increase privileges on the system. The basic attack methodology is:
• Target acquisition and information gathering
• Initial access
• Privilege escalation
• Covering tracks
A key goal is often to acquire passwords, so as to then exercise the access rights of their owner.

Intrusion Detection
• Security failures are inevitable, so intrusions must also be detected, in order to:
  – Block the intrusion if it is detected quickly, which also acts as a deterrent
  – Collect information to improve security
• Assume the intruder will behave differently from a legitimate user
  – But the distinction between the two will be imperfect

Approaches to Intrusion Detection
a. Statistical Anomaly Detection
• Threshold detection
  – Count occurrences of a specific event over time
  – If the count exceeds a reasonable value, assume an intrusion; on its own this is a crude and
    ineffective detector
• Profile based
  – Characterize the past behavior of users
  – Detect significant deviations from this profile, which is usually multi-parameter
b. Rule-Based Intrusion Detection
Observe events on the system and apply rules to decide whether the activity is suspicious or not.
• Rule-based anomaly detection
  – Analyze historical audit records to identify usage patterns and auto-generate rules for them
  – Then observe current behavior and match it against the rules to see if it conforms
  – Like statistical anomaly detection, does not require prior knowledge of security flaws
Audit Records
• Fundamental tool for intrusion detection
• Native audit records
  – Part of all common multi-user operating systems, so already present for use
  – May not contain the wanted information in the desired form
• Detection-specific audit records
  – Created specifically to collect the wanted information, at the cost of additional overhead on
    the system
Audit Record Analysis
• Foundation of the statistical approaches
• Analyze records to obtain metrics over time
  – Counter, gauge, interval timer, resource use
• Apply various tests to these to determine whether current behavior is acceptable
  – Mean and standard deviation, multivariate, Markov process, time series, operational
• Key advantage: no prior knowledge of security flaws is used
Statistical Anomaly Detection
• Threshold detection
  – Counting the number of occurrences of a specific event type over an interval of time
  – Threshold analysis is a crude and ineffective detector of even moderately sophisticated attacks
• Profile based
  – Characterize the past behavior of users
  – Detect significant deviations from this
  – The profile is usually multi-parameter
Metrics useful for profile-based intrusion detection are the following:
• Counter: a non-negative integer that may be incremented. A count of certain event types is kept
  over a particular period of time.
• Gauge: used to measure the current value of some entity.
• Interval timer: the length of time between two related events.
• Resource utilization: quantity of resources consumed during a specified period.
Various tests can be performed to determine whether current activity fits within acceptable limits:
• Mean and standard deviation: measure the mean and standard deviation of a parameter over some
  historical period. The use of mean and standard deviation is applicable to a wide variety of
  counters, timers, and resource measures.
• Multivariate: the model is based on correlations between two or more variables.
• Markov process: used to establish transition probabilities among various states.
• Time series: the model focuses on time intervals, looking for sequences of events that happen
  too rapidly or too slowly.
• Operational: based on a judgment of what is considered abnormal rather than on an automated
  analysis of past audit records.
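As an added illustration (not part of the original notes), the mean-and-standard-deviation test applied to counter metrics: a per-user profile is built from constructed historical audit records, and a current interval is flagged when a counter deviates by more than an assumed number of standard deviations. The record format, user names and the 3-sigma threshold are assumptions.

```python
import math
from collections import defaultdict

# Constructed historical audit records: (user, event type, count in one interval).
# Each tuple is one counter sample for one time interval (e.g. one day).
HISTORY = [
    ("alice", "login_failures", 1), ("alice", "login_failures", 0),
    ("alice", "login_failures", 2), ("alice", "login_failures", 1),
    ("alice", "login_failures", 1), ("alice", "login_failures", 0),
    ("alice", "files_read", 40), ("alice", "files_read", 45),
    ("alice", "files_read", 38), ("alice", "files_read", 42),
    ("alice", "files_read", 44), ("alice", "files_read", 41),
]

def build_profile(records):
    """Characterize past behaviour: per (user, event) mean and standard deviation."""
    samples = defaultdict(list)
    for user, event, count in records:
        samples[(user, event)].append(count)
    profile = {}
    for key, values in samples.items():
        n = len(values)
        mean = sum(values) / n
        # Sample standard deviation; a single observation gives no spread.
        var = sum((v - mean) ** 2 for v in values) / (n - 1) if n > 1 else 0.0
        profile[key] = (mean, math.sqrt(var), n)
    return profile

def deviation_score(profile, user, event, observed):
    """Number of standard deviations the observed count lies from the profile mean.
    Returns None when the user has no profile for this event (nothing to compare)."""
    if (user, event) not in profile:
        return None
    mean, sd, _ = profile[(user, event)]
    # Floor the spread at 1.0 so a very stable counter does not alarm on a +1 change.
    return (observed - mean) / max(sd, 1.0)

def detect(profile, current, threshold=3.0):
    """Apply the mean-and-SD test to the current interval's counters.
    Returns a list of (user, event, observed, score) for significant deviations."""
    alarms = []
    for user, event, observed in current:
        score = deviation_score(profile, user, event, observed)
        if score is not None and abs(score) > threshold:
            alarms.append((user, event, observed, round(score, 2)))
    return alarms

if __name__ == "__main__":
    prof = build_profile(HISTORY)
    # Constructed "current interval": a burst of failed logins, a normal read count,
    # and a user with no profile at all (which the test cannot judge).
    current = [("alice", "login_failures", 9), ("alice", "files_read", 43),
               ("bob", "files_read", 500)]
    for alarm in detect(prof, current):
        print("ANOMALY", alarm)
```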

Rule-Based Intrusion Detection
Observe events on the system and apply rules to decide whether the activity is suspicious or not.
a. Rule-based anomaly detection
  – Analyze historical audit records to identify usage patterns and auto-generate rules for them
  – Then observe current behavior and match it against the rules to see if it conforms
  – Like statistical anomaly detection, does not require prior knowledge of security flaws
b. Rule-based penetration identification
  – Uses expert systems technology
  – With rules identifying known penetrations, weakness patterns, or suspicious behavior
  – Rules are usually machine and operating-system specific
  – Rules are generated by experts who interview security administrators and codify their knowledge
  – Quality depends on how well this is done
  – Audit records or system states are compared against the rules
Base-Rate Fallacy
• In practice an intrusion detection system needs to detect a substantial percentage of intrusions
  with few false alarms
  – If too few intrusions are detected, the system gives a false sense of security
  – If there are too many false alarms, they are ignored or waste time
• This is very hard to do; existing systems seem not to have a good record
Distributed Intrusion Detection
• Traditional focus is on single systems, but typically we have networked systems
• A more effective defense has these working together to detect intrusions
• Issues
  – Dealing with varying audit record formats
  – Integrity and confidentiality of networked data
  – Centralized or decentralized architecture
Distributed Intrusion Detection - Architecture
The overall architecture consists of three main components:
• Host agent module: an audit collection module operating as a background process on a monitored
  system. Its purpose is to collect data on security-related events on the host and transmit these
  to the central manager.
• LAN monitor agent module: operates in the same fashion as a host agent module, except that it
  analyzes LAN traffic and reports the results to the central manager.
• Central manager module: receives reports from the LAN monitor and host agents and processes and
  correlates these reports to detect intrusion.
Distributed Intrusion Detection - Agent Implementation

Honeypots
• Decoy systems to lure attackers
  – Away from accessing critical systems
  – To collect information on their activities
  – To encourage the attacker to stay on the system so the administrator can respond
• These systems are filled with fabricated information
• Instrumented to collect detailed information on attackers' activities
• May be a single system or multiple networked systems

2. PASSWORD MANAGEMENT
Password Protection
• The front-line defense against intruders is the password system.
• Virtually all multi-user systems require that a user provide not only a name or identifier (ID)
  but also a password.
• The password serves to authenticate the ID of the individual logging on to the system.
• The ID provides security in the following ways:
  – The ID determines whether the user is authorized to gain access to the system.
  – The ID determines the privileges accorded to the user.
  – The ID is used in what is referred to as discretionary access control.
Managing Passwords
• Need policies and good user education
• Ensure every account has a default password
• Ensure users change the default passwords to something they can remember
• Protect the password file from general access
• Set technical policies to enforce good passwords
  – Minimum length (>6)
  – Require a mix of upper and lower case letters, numbers, and punctuation
  – Block known dictionary words
• May reactively run password-guessing tools
  – Note that good dictionaries exist for almost any language or interest group
• May enforce periodic changing of passwords
• Have the system monitor failed login attempts, and lock out the account if it sees too many in a
  short period
• Do need to educate users and get their support
• Balance requirements with user acceptance
• Be aware of social engineering attacks

Password selection strategies
• Many users choose a password that is too short or too easy to guess.
• At the other extreme, if the user is assigned a password consisting of eight randomly selected
  printable characters, password cracking is effectively impossible.
• Four basic techniques are in use:
  – User education
  – Computer-generated passwords
  – Reactive password checking
  – Proactive password checking
a. User Education
• Users can be told the importance of using hard-to-guess passwords and can be provided with
  guidelines for selecting strong passwords.
• This user education strategy is unlikely to succeed at most installations, particularly where
  there is a large user population or a lot of turnover.
b. Computer-Generated Passwords
• Computer-generated passwords also create problems.
• If the password is quite random in nature, users will not be able to remember it.
• Even if the password is pronounceable, the user may have difficulty remembering it and so be
  tempted to write it down.
c. Reactive Password Checking
• A reactive password checking strategy is one in which the system periodically runs its own
  password cracker to find guessable passwords.
• The system cancels any password that is guessed and notifies the user.
d. Proactive Password Checking
• The most promising approach to providing password security is the proactive password checker.
• Here a user is allowed to select his or her own password, but the system checks at selection
  time whether the password is allowable.
• Possible rules for proactive password checking are:
  – All passwords must be at least eight characters long.
  – In the first eight characters, the password must include at least one each of uppercase,
    lowercase, numeric digits, and punctuation marks.
Usually a user's password or the password file is what an intruder needs.
Protection of the password file
  – One-way encryption: the system stores an encrypted form of the user's password, and compares
    it with the encrypted output of the presented password.
  – Access control: access to the password file is limited to one or a very few accounts.

UNIX PASSWORD SCHEME

Techniques for learning passwords
• Try default passwords used with standard accounts that are shipped with the system.
• Exhaustively try all short passwords (1 to 3 characters).
• Try words in the system's on-line dictionary or a list of likely passwords.
• Collect information about users (names, books, hobbies, etc.).
• Try users' phone numbers, Social Security numbers, and room numbers.
• Try all legitimate license plate numbers.
• Use a Trojan horse.
• Tap the line between a remote user and the host system.

The UNIX scheme
  – crypt(3)
    » 25 iterations of DES encryption
    » Related to time: the repeated encryption makes each password check deliberately slow
  – Salt
    » Prevents duplicate passwords from being visible in the password file
    » Effectively increases the length of the password (by 2 characters)
    » Prevents the use of a hardware implementation of DES, which would ease the difficulty of a
      brute-force guessing attack
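An added example, not from the original notes, of what the salt buys: a small password-file store in which each entry carries its own random salt, so two users with the same password get different stored values, while the same one-way transform still verifies a presented password. PBKDF2-HMAC-SHA256 with a 16-byte salt stands in for crypt(3)'s 25 DES rounds and 2-character salt; the entry format and parameters are assumptions.

```python
import hashlib
import hmac
import os

# Assumed parameters: PBKDF2-HMAC-SHA256 stands in for the DES-based crypt(3) of the
# classic UNIX scheme; its 25 DES rounds and 2-character salt become an iteration
# count and a 16-byte random salt.
ITERATIONS = 100_000
SALT_BYTES = 16

def hash_password(password, salt, iterations=ITERATIONS):
    """One-way transform, slow on purpose like the repeated DES of crypt(3)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def make_entry(password, salt=None):
    """Build a password-file entry '$iterations$salt_hex$hash_hex' (constructed format).
    A fresh random salt is drawn unless one is supplied."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hash_password(password, salt)
    return "$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())

def verify(password, entry):
    """Recompute the one-way hash with the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = entry.split("$")
    digest = hash_password(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

def duplicates_visible(entries):
    """True if any two stored entries are identical, i.e. an observer of the file can
    tell that two users share a password. Unsalted hashes always leak this."""
    return len(set(entries)) < len(entries)

if __name__ == "__main__":
    # Constructed example: two users chose the same weak password.
    e1 = make_entry("correct horse")
    e2 = make_entry("correct horse")
    print(verify("correct horse", e1), verify("wrong", e1))          # True False
    print("duplicates visible with salt:", duplicates_visible([e1, e2]))   # False
    unsalted = [hashlib.sha256(b"correct horse").hexdigest()] * 2
    print("duplicates visible without salt:", duplicates_visible(unsalted))  # True
```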

The vulnerability of passwords
  – Two threats to the UNIX password scheme
    » Gaining access on a machine and then running a password-guessing program on that machine
      with little resource consumption
    » Obtaining a copy of the password file, so that a cracker program can be run on another
      machine
  – Not yet feasible to use a brute-force technique of trying all possible combinations of
    characters
  – Passwords must NOT be too short and NOT be too easy to guess

Access Control
  – Denies the opponent access to the password file
  – Has several flaws
    » Many systems are susceptible to unanticipated break-ins
    » An accident of protection might render the password file readable
    » Some users use the same password on other machines

Goal: eliminate guessable passwords while allowing memorable passwords.
Four basic techniques
  – User education
    » Users ignore guidelines or misunderstand what a strong password is
  – Computer-generated passwords
    » Hard to remember even if they are pronounceable
  – Reactive password checking
    » The system periodically runs its password cracker to find guessable passwords
    » Resource intensive
    » Unchecked passwords remain vulnerable
  – Proactive password checking
    » When a user selects his or her own password, the system checks to see if the password is
      allowable

Proactive Password Checking
• Rule enforcement
  – All passwords must be at least eight characters long
  – In the first eight characters, the password must include at least one each of uppercase,
    lowercase, numeric digits, and punctuation marks
• Compiling a large dictionary of "bad" passwords
  – When a user selects a password, the system checks it against the dictionary
  – Large space (storage) and time consumption
• Two techniques for developing an effective and efficient password checker, both based on
  rejecting words on a list, show promise
  – Markov model
  – Bloom filter

Markov Model
• The model is described by [m, A, T, k], where
  m : number of states
  A : state space
  T : matrix of transition probabilities
  k : order of the model (the probability of a character depends on the previous k characters)
• 2nd-order Markov model
• Calculating the transition matrix
  – Start once a dictionary of guessable passwords has been constructed
  – Determine the frequency matrix f(i,j,k), which is the number of occurrences of the trigram
    consisting of the ith, jth, and kth characters
  – For each bigram ij, calculate f(i,j,∞) as the total number of trigrams beginning with ij
  – Compute the entries of T:
    T(i,j,k) = f(i,j,k) / f(i,j,∞)
• T reflects the structure of the words in the dictionary.
• The question "Is this a bad password?" becomes "Was this password generated by this model?"
• Passwords likely to be generated by the model are rejected.
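An added example (not the notes' own code) of a proactive checker combining the two ideas above: the rule enforcement on the first eight characters, and a second-order Markov model built from a constructed stand-in for the bad-password dictionary with T(i,j,k) = f(i,j,k) / f(i,j,∞). The state space (lower-case letters and digits), the floor probability for trigrams absent from the dictionary and the rejection threshold are assumptions.

```python
import math
from collections import defaultdict

# A, the state space: lower-case letters and digits (an assumption). Upper case is folded
# to lower case and punctuation is dropped before a password is scored.
ALPHABET = set("abcdefghijklmnopqrstuvwxyz0123456789")
UNSEEN = 1e-3   # assumed floor probability for a trigram that never occurs in the dictionary
# Constructed stand-in for the dictionary of guessable passwords; a real one is far larger.
BAD_WORDS = ["password", "passwd", "letmein", "welcome", "monkey", "dragon",
             "master", "sunshine", "princess", "football", "baseball", "shadow"]

def passes_rules(pw):
    """Rule enforcement from the notes: length >= 8 and, within the first eight characters,
    at least one upper-case, one lower-case, one digit and one punctuation character."""
    head = pw[:8]
    return (len(pw) >= 8
            and any(c.isupper() for c in head)
            and any(c.islower() for c in head)
            and any(c.isdigit() for c in head)
            and any(not c.isalnum() for c in head))

def normalize(pw):
    return "".join(c for c in pw.lower() if c in ALPHABET)

def train_markov(words):
    """Second-order (k = 2) model: T(i,j,k) = f(i,j,k) / f(i,j,inf), where f(i,j,k) counts
    the trigram ijk and f(i,j,inf) counts all trigrams beginning with the bigram ij."""
    f = defaultdict(int)          # f(i,j,k)
    f_prefix = defaultdict(int)   # f(i,j,inf)
    for w in words:
        w = normalize(w)
        for i, j, k in zip(w, w[1:], w[2:]):
            f[(i, j, k)] += 1
            f_prefix[(i, j)] += 1
    return {ijk: n / f_prefix[ijk[:2]] for ijk, n in f.items()}

def likelihood(T, pw):
    """Average log-probability per trigram that the model generated pw. Values near 0 mean
    every trigram is common in the bad-word dictionary; strongly negative values mean the
    password does not look like the dictionary's words."""
    s = normalize(pw)
    trigrams = list(zip(s, s[1:], s[2:]))
    if not trigrams:
        return -math.inf
    return sum(math.log(T.get(t, UNSEEN)) for t in trigrams) / len(trigrams)

def is_allowable(pw, T, reject_above=-3.0):
    """Proactive check: enforce the rules, then reject a password the model would plausibly
    have generated (likelihood above the assumed threshold)."""
    return passes_rules(pw) and likelihood(T, pw) < reject_above

if __name__ == "__main__":
    T = train_markov(BAD_WORDS)
    for candidate in ["Password1!", "Monkey9!9", "xkq7Wm!2p", "short1!"]:
        print(candidate, round(likelihood(T, candidate), 2), is_allowable(candidate, T))
```

The leet-spelling variants a real checker must also catch ("P@ssw0rd") would need the digits and punctuation mapped back to letters before scoring, which this block does not do.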

3. VIRUSES AND RELATED THREATS
Malicious Programs
An overview of software threats, or malicious programs. These threats can be divided into two
categories:
a. Those that need a host program
b. Those that are independent

Taxonomy of Malicious Programs
a. Backdoor or Trapdoor
• Secret entry point into a program that allows those who know of it to gain access, bypassing the
  usual security procedures.
• Have been commonly used by developers.
• A threat when left in production programs, allowing exploitation by attackers; very hard to block
  in the operating system.

b. Logic Bomb
• One of the oldest types of malicious software
• Code embedded in a legitimate program
• Activated when specified conditions are met
  – e.g. presence/absence of some file
  – Particular date/time
  – Particular user
• When triggered, typically damages the system
  – Modify/delete files or disks, halt the machine, etc.

c. Trojan Horse
• Program with hidden side-effects
• When invoked it performs some unwanted or harmful function
• Is usually superficially attractive
  – e.g. a game, a software upgrade, etc.
• When run, performs some additional tasks
  – Allows the attacker to indirectly gain access they do not have directly
• Often used to propagate a virus or worm, install a backdoor, or simply destroy data
• Example: mail the password file.

d. Zombie
• Program which secretly takes over another networked computer
• Then uses it to indirectly launch attacks (difficult to trace the zombie's creator)
• Often used to launch distributed denial of service (DDoS) attacks
• Exploits known flaws in network systems.

e. Viruses
• A piece of self-replicating code attached to some other code
• Attaches itself to another program and executes secretly when the host program is executed
• Propagates itself and carries a payload
  – Carries code to make copies of itself
  – As well as code to perform some covert task
Virus Operation
Virus phases
• Dormant phase: the virus is idle, waiting on a trigger event. The virus will eventually be
  activated by some event, such as:
  – A date
  – The presence of another program or file
  – The capacity of the disk exceeding some limit
• Propagation phase: the virus places an identical copy of itself into other programs or into
  certain system areas on the disk. Each infected program will now contain a clone of the virus,
  which will itself enter a propagation phase.
• Triggering phase: the virus is activated to perform the function for which it was intended. It
  can be caused by a variety of system events, including a count of the number of times that this
  copy of the virus has made copies of itself.
• Execution phase: the function is performed. The function may be harmless, such as a message on
  the screen, or damaging, such as the destruction of programs and data files.
Virus Structure (pseudocode; the value 1234567 is the marker that tells the virus a file is
already infected)
  program V :=
  {
      goto main;
      1234567;
      subroutine infect-executable :=
      {
          loop:
          file := get-random-executable-file;
          if (first-line-of-file = 1234567) then goto loop
          else prepend V to file;
      }
      subroutine do-damage :=
      { whatever damage is to be done }
      subroutine trigger-pulled :=
      { return true if condition holds }
      main: main-program :=
      {
          infect-executable;
          if trigger-pulled then do-damage;
          goto next;
      }
  next:
  }
Types of Viruses
Can be classified on the basis of how they attack:
• Parasitic virus: attaches itself to executable files and replicates.
• Memory-resident virus: lodges in main memory and infects every program that executes.
• Boot sector virus: infects a boot record and spreads when the system is booted from the disk.
• Stealth virus: designed to hide itself from antivirus software.
• Polymorphic virus: a virus that mutates with every infection, making detection very difficult.
• Metamorphic virus: mutates with every infection, making detection by the "signature" of the
  virus impossible.

f. Email Virus
• Spread using email with an attachment containing a macro virus
• Triggered when the user opens the attachment
• Or, worse, even when the mail is viewed, by using scripting features in the mail agent
• Hence propagates very quickly
• Usually targeted at the Microsoft Outlook mail agent and Word/Excel documents

g. Worms
• Replicating but not infecting program (does not attach itself to a program)
• Typically spreads over a network
  – Morris Internet Worm in 1988
• Uses users' distributed privileges or exploits system vulnerabilities
• Worms perform unwanted functions
• Widely used by hackers to create zombie PCs, subsequently used for further attacks, especially
  DoS
• A major issue is the lack of security of permanently connected systems, especially PCs
• To replicate itself a network worm uses some sort of network vehicle:
  – Electronic mail facility: a worm mails a copy of itself to other systems.
  – Remote execution capability: a worm executes a copy of itself on another system.
  – Remote login capability: a worm logs onto a remote system as a user and then uses commands to
    copy itself from one system to the other.

Worm Operation
• A worm has phases like those of viruses
  – Dormant
  – Propagation
    » Search for other systems to infect
    » Establish a connection to the target remote system
    » Replicate self onto the remote system
  – Triggering
  – Execution

h. Morris Worm
• Best known classic worm
• Released by Robert Morris in 1988
• Targeted Unix systems
• Used several propagation techniques
  – Simple password cracking of the local password file
  – Exploit of a bug in the finger daemon
  – Exploit of the debug trapdoor in the sendmail daemon
• If any attack succeeded, it replicated itself

4. VIRUS COUNTERMEASURES
• The best countermeasure is prevention (do not allow a virus to get into the system in the first
  place).
• But in general this is not possible, hence the need to do one or more of:
  – Detection of viruses in an infected system
  – Identification of the specific infecting virus
  – Removal, restoring the system to a clean state

Anti-Virus Software
• First generation: simple scanners
  – The scanner requires a virus signature to identify a virus.
  – The virus may contain "wildcards" but has essentially the same structure and bit pattern in all
    copies; such signature-specific scanners are limited to the detection of known viruses.
  – Another type of scanner maintains a record of the length of programs and looks for changes in
    length.
• Second generation: heuristic scanners
  – The scanner does not rely on a specific signature.
  – The scanner uses heuristic rules to search for probable virus infection.
  – For example, the scanner looks for fragments of code that are often associated with viruses.
• Third generation: activity traps
  – Memory-resident programs that identify a virus by its actions rather than its structure in an
    infected program.
• Fourth generation: full-featured protection
  – Packages with a variety of antivirus techniques
  – These include scanning and activity trap components.
  – In addition, they include an access control capability, which limits the ability of viruses to
    penetrate a system and then limits the ability of a virus to update files in order to pass on
    the infection.
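An added example, not from the original notes, of the two first-generation techniques: signature matching in which "??" stands for a wildcard byte, and a length record that reports programs whose size has changed since the baseline. The signature byte patterns and the "program" contents are constructed for the demonstration and match no real virus.

```python
import re

# Constructed signatures: hex bytes with '??' wildcard positions, as the notes describe
# ("the virus may contain wildcards but essentially the same bit pattern in all copies").
SIGNATURES = {
    "DEMO.A": "B8 01 4C CD 21",          # constructed fixed pattern
    "DEMO.B": "E8 ?? ?? 5D 81 ED",       # constructed pattern with two wildcard bytes
}

def compile_signature(hex_pattern):
    """Turn 'E8 ?? ?? 5D' into a bytes regex in which ?? matches any single byte."""
    parts = hex_pattern.split()
    pattern = b"".join(b"." if p == "??" else re.escape(bytes([int(p, 16)]))
                       for p in parts)
    return re.compile(pattern, re.DOTALL)

COMPILED = {name: compile_signature(p) for name, p in SIGNATURES.items()}

def scan(data, signatures=COMPILED):
    """Return the names of all signatures found in data. Only known patterns are found,
    which is exactly the limitation of a first-generation scanner."""
    return sorted(name for name, rx in signatures.items() if rx.search(data))

class LengthRecord:
    """The other first-generation technique: remember each program's length and report
    programs whose length has changed since the baseline was taken."""
    def __init__(self, files):
        self.baseline = {path: len(data) for path, data in files.items()}

    def changed(self, files):
        return sorted(path for path, data in files.items()
                      if path in self.baseline and len(data) != self.baseline[path])

if __name__ == "__main__":
    # Constructed "programs": a clean baseline, then one file grows and carries a pattern.
    clean = {"a.com": b"\x90" * 20, "b.com": b"\x90" * 30}
    record = LengthRecord(clean)
    later = {"a.com": b"\x90" * 20,
             "b.com": clean["b.com"] + b"\xe8\x12\x34\x5d\x81\xed"}
    print(record.changed(later))    # ['b.com']
    print(scan(later["b.com"]))     # ['DEMO.B']
```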

Advanced Anti-Virus Techniques
Generic Decryption (GD) Technology
• Enables the antivirus program to detect easily even the most complex polymorphic viruses while
  maintaining fast scanning speeds.
• When a file containing a polymorphic virus is executed, the virus must decrypt itself to
  activate.
• To detect such a structure, executable files are run through a GD scanner, which contains the
  following elements:
  – CPU emulator: a software-based virtual computer. Instructions in an executable file are
    interpreted by the emulator rather than executed on the underlying processor. The emulator
    includes software versions of all registers and other processor hardware, so that the
    underlying processor is unaffected by programs interpreted on the emulator.
  – Virus signature scanner: a module that scans the target code looking for known virus
    signatures.
  – Emulation control module: controls the execution of the target code.
Digital Immune System (IBM)
• The digital immune system is a comprehensive approach to virus protection developed by IBM.
• The motivation for this development has been the rising threat of Internet-based virus
  propagation.
• Two major trends in Internet technology have had an increasing impact on the rate of virus
  propagation in recent years:
  – Integrated mail systems: systems such as Lotus Notes and Microsoft Outlook make it very simple
    to send anything to anyone and to work with objects that are received.
  – Mobile-program systems: capabilities such as Java and ActiveX allow programs to move on their
    own from one system to another.
• Steps of the digital immune system:
  1. A monitoring program on each PC uses a variety of heuristics based on system behaviour,
     suspicious changes to programs, or family signatures to infer that a virus may be present.
     The monitoring program forwards a copy of any program thought to be infected to an
     administrative machine within the organization.
  2. The administrative machine encrypts the sample and sends it to a central virus analysis
     machine.
  3. This machine creates an environment in which the infected program can be safely run for
     analysis. Techniques used for this purpose include emulation, or the creation of a protected
     environment within which the suspect program can be executed and monitored. The virus
     analysis machine then produces a prescription for identifying and removing the virus.
  4. The resulting prescription is sent back to the administrative machine.
  5. The administrative machine forwards the prescription to the infected client.
  6. The prescription is also forwarded to other clients in the organization.
  7. Subscribers around the world receive regular antivirus updates that protect them from the
     new virus.

Behavior-Blocking Software
• Integrated with the host OS
• Monitors program behavior in real time for possibly malicious actions, such as:
  – Attempts to open, view, delete and/or modify files
  – Attempts to format disk drives and other unrecoverable disk operations
  – Modifications to the logic of executable files, scripts or macros
  – Modifications of critical system settings, such as start-up settings
  – Scripting of e-mail and instant messaging clients to send executable content
  – Initiation of network communications
• If such an action is detected, it can block the action, terminate the program, or ask the user
  for permission
• Has an advantage over scanners, but the malicious code runs before detection

5. FIREWALLS
5.1 FIREWALLS
A firewall can be an effective means of protecting a local system or network of systems from
network-based security threats while affording access to the outside world via WANs and the
Internet.

5.2 FIREWALL DESIGN PRINCIPLES
• Evolution of information systems
  – Centralized data processing system
    » A central mainframe plus directly connected terminals
  – LAN (Local Area Network)
    » Interconnecting PCs, servers, terminals and a mainframe
  – Premises network
    » Consisting of a number of LANs, interconnecting PCs, servers and perhaps a mainframe or two
  – Enterprise-wide network
    » Consisting of distributed premises networks interconnected by a private WAN
  – Internet connectivity
    » Consisting of various premises networks all hooked into the Internet
• Internet and firewalls
  – Internet connectivity is no longer an option for most organizations
  – Strong security features for all workstations and servers are not established (not practical)
  – The firewall is inserted between the premises network and the Internet to establish a
    controlled link
• Aims of the firewall
  – Protecting the premises network from Internet-based attacks
  – Providing a single choke point (where security and audit can be imposed)

5.3 FIREWALL CHARACTERISTICS
Design goals
  – All traffic from inside to outside, and vice versa, must pass through the firewall (physically
    blocking all access to the local network except via the firewall)
  – Only authorized traffic (defined by the local security policy) will be allowed to pass
  – The firewall itself is immune to penetration (use of a trusted system with a secure operating
    system)
General techniques
  – Service control
    » Determines the types of Internet services that can be accessed, inbound or outbound
      (filtering with IP address and service port number, e.g. Web or email service)
  – Direction control
    » Determines the direction in which particular service requests are allowed to flow through
      the firewall
  – User control
    » Controls access to a service according to which user is attempting to access it (both local
      users and external users)
  – Behavior control
    » Controls how particular services are used (e.g. filtering e-mail to eliminate spam)
Firewall capabilities
  • Defines a single choke point (security capabilities are consolidated on a single system)
  • Provides a location for monitoring security-related events (auditing and alarming)
  • Provides a convenient platform for some Internet functions (e.g. address translation, logging
    Internet usage)
  • Can serve as the platform for IPSec (used to implement VPNs)
Firewall limitations
  • Cannot protect against attacks that bypass it (e.g. dial-up access)
  • Does not protect against internal threats (e.g. a disgruntled employee)
  • Cannot protect against the transfer of virus-infected programs or files (because various
    operating systems and applications are supported inside, it is impractical to scan all
    incoming files, emails, etc.)

5.4 TYPES OF FIREWALLS
Three common types of firewalls, plus the bastion host on which gateways run:
a. Packet-filtering routers
b. Application-level gateways
c. Circuit-level gateways
d. Bastion host

a. Packet-Filtering Router
• Filtering by rules
  – Applies a set of rules to each IP packet and then forwards or discards the packet (in both
    directions)
  – The packet filter is typically set up as a list of rules based on matches to fields in the IP
    or transport (TCP or UDP) header:
    » Source IP address: the IP address of the system that originated the IP packet
    » Destination IP address: the IP address of the system the IP packet is trying to reach
    » Source and destination transport-level address: the transport-level (e.g. TCP or UDP) port
      numbers, which define applications such as SNMP or TELNET
    » IP protocol field: defines the transport protocol
    » Interface: for a router with three or more ports, which interface of the router the packet
      came from or which interface of the router the packet is destined for
  – If a match to a rule is found, the rule is invoked
  – If no match is found, a default policy is taken
  – Default policies
    » Discard: discard if not expressly permitted (tradeoff: ease of use↓, security↑)
    » Forward: forward if not expressly prohibited (tradeoff: ease of use↑, security↓)
• Example rule sets (the rule tables themselves are not reproduced in these notes)
  – Example A: inbound mail is allowed, but only to a gateway host. However, mail from host SPIGOT
    is blocked.
  – Example B: explicit statement of the default policy.
  – Example C: any inside host can send mail to the outside. The problem with this rule is that the
    use of port 25 for SMTP receipt is only a default.
  – Example D: this rule set achieves the intended result that was not achieved in C, taking
    advantage of a feature of TCP connections (the ACK flag of a TCP segment).
  – Example E: this rule set is one approach to handling FTP-like services with two connections
    (using a control connection port and a data connection port). The third rule allows packets
    destined for a high-numbered port (non-servers) on an internal machine.
• Advantages
  – Simplicity
  – Transparency to users
  – High speed
• Disadvantages
  – Difficulty of dealing with applications at the packet-filtering level
  – Difficulty of setting up packet filter rules correctly
  – Lack of authentication
• Possible attacks on packet-filtering routers and the appropriate countermeasures
  – IP address spoofing
    » Attack: the attacker replaces the source address of packets with the address of a trusted
      internal host
    » Countermeasure: discard packets with an inside source address if the packet arrives on an
      external interface
  – Source routing attacks
    » Attack: the source station specifies the route that a packet should take as it crosses the
      Internet (in the hope that this will bypass security measures)
    » Countermeasure: discard all packets that use the source route option
  – Tiny fragment attacks
    » Attack: the intruder uses the IP fragmentation option to create extremely small fragments and
      force the TCP header information into a separate packet fragment (in the hope that only the
      first fragment is examined and the remaining ones are passed through)
    » Countermeasure: discard all packets where the protocol type is TCP and the IP Fragment Offset
      is equal to 1
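An added example (not from the notes) of a packet filter that combines a first-match rule list with the default-discard policy and the three countermeasures above, run over constructed packets. The premises network, the mail gateway address and the address used for host SPIGOT are assumptions, and the rule set is modelled on Examples A and D (inbound mail only to the gateway, replies to inside hosts only with ACK set and only to high-numbered ports).

```python
import ipaddress

ANY = None                                                  # wildcard field value
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")       # assumed premises network
MAIL_GATEWAY = ipaddress.ip_network("192.168.1.25/32")      # assumed internal mail gateway host
SPIGOT = ipaddress.ip_network("203.0.113.7/32")             # assumed address of host SPIGOT

def packet(src, dst, proto="tcp", sport=0, dport=0, iface="external",
           ack=False, frag_offset=0, source_route=False):
    """Header fields the filter looks at; every packet here is constructed, not captured."""
    return dict(src=ipaddress.ip_address(src), dst=ipaddress.ip_address(dst),
                proto=proto, sport=sport, dport=dport, iface=iface,
                ack=ack, frag_offset=frag_offset, source_route=source_route)

def rule(action, src=ANY, dst=ANY, proto=ANY, sport=ANY, dport=ANY, iface=ANY, ack=ANY):
    """One filter rule. A field may be ANY, an exact value, an ip_network, or a predicate
    (used below for 'high-numbered port'). ack=True requires the TCP ACK flag (Example D)."""
    return dict(action=action, src=src, dst=dst, proto=proto, sport=sport,
                dport=dport, iface=iface, ack=ack)

def field_matches(spec, value):
    if spec is ANY:
        return True
    if callable(spec):
        return spec(value)
    if isinstance(spec, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
        return value in spec
    return spec == value

def rule_matches(r, pkt):
    return all(field_matches(r[f], pkt[f])
               for f in ("src", "dst", "proto", "sport", "dport", "iface", "ack"))

def sanity_checks(pkt):
    """The three countermeasures from the notes, applied before the rule list."""
    if pkt["iface"] == "external" and pkt["src"] in INTERNAL_NET:
        return "inside source address arriving on external interface (spoofing)"
    if pkt["source_route"]:
        return "source route option set"
    if pkt["proto"] == "tcp" and pkt["frag_offset"] == 1:
        return "TCP packet with fragment offset 1 (tiny fragment)"
    return None

def filter_packet(rules, pkt, default="discard"):
    """First matching rule wins; with no match the default policy (discard) applies."""
    reason = sanity_checks(pkt)
    if reason:
        return "discard", reason
    for n, r in enumerate(rules, 1):
        if rule_matches(r, pkt):
            return r["action"], "rule %d" % n
    return default, "default policy"

# Constructed rule set modelled on Examples A and D in the notes.
RULES = [
    rule("discard", src=SPIGOT, proto="tcp", dport=25),                          # block host SPIGOT
    rule("forward", dst=MAIL_GATEWAY, proto="tcp", dport=25, iface="external"),  # inbound mail: gateway only
    rule("forward", src=INTERNAL_NET, proto="tcp", dport=25, iface="internal"),  # inside hosts send mail
    rule("forward", dst=INTERNAL_NET, proto="tcp", sport=25, iface="external",   # replies only: ACK set,
         dport=lambda p: p > 1023, ack=True),                                    # high-numbered port
]

if __name__ == "__main__":
    samples = [
        packet("198.51.100.9", "192.168.1.25", dport=25),                        # forward, rule 2
        packet("203.0.113.7", "192.168.1.25", dport=25),                         # discard, rule 1
        packet("192.168.1.50", "192.168.1.25", dport=25),                        # discard, spoofing
        packet("198.51.100.9", "192.168.1.25", dport=25, frag_offset=1),         # discard, tiny fragment
        packet("198.51.100.9", "192.168.1.50", sport=25, dport=40000),           # discard, default (no ACK)
        packet("198.51.100.9", "192.168.1.50", sport=25, dport=40000, ack=True), # forward, rule 4
    ]
    for p in samples:
        print(filter_packet(RULES, p))
```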

b. Application-Level Gateway


Also called a proxy server
– Acts as a relay of application-level traffic
– If the gateway does not implement the proxy code for a specific application, the
service is not supported
– The gateway can be configured to support only application-specific features
– Authentication : The user is asked for the name of the remote host, valid user ID and
authentication information

Advantages
– More secure than packet filters.
– Only need to scrutinize a few allowable applications (rather than trying to deal with
the numerous possible combinations that are to be allowed and forbidden at the TCP
and IP level).
– Easy to log and audit all incoming traffic at the application level.
Disadvantages
– Additional processing overhead on each connection (as the splice point, the gateway
must examine and forward all traffic in both directions)

c. Circuit-Level Gateway


Types of circuit-level gateway
– A stand-alone system

– A specialized function performed by an application-level gateway.


Security function
– The gateway relays TCP segments without examining the contents
– The gateway determines which connections will be allowed.



Use of circuit-level gateway
– A situation in which the system admin trusts the internal users.
– The gateway can be configured to support
»

Application-level or proxy service on inbound connections
◊ Incurs examining overhead for incoming application data for
forbidden functions.

»

Circuit-level functions for outbound connections
◊ Does not incur overhead on outgoing data.



Example implementation : SOCKS package

– Defined in RFC 1928 (SOCKS version 5)
– SOCKS components
» The SOCKS server (runs on UNIX-based firewall)
» The SOCKS client library (runs on internal hosts)
» SOCKS-ified versions of several clients (such as FTP and TELNET).
– SOCKS procedures
» The client opens a TCP connection to the SOCKS port (TCP 1080) on the
SOCKS server
» The client performs authentication with negotiated method
» The client sends a relay request
» After evaluating the request, the SOCKS server either establishes the
connection or denies it
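The four-step SOCKS procedure above, as an added example that is not code from the notes or from the SOCKS package: it builds and parses the RFC 1928 greeting, method selection, CONNECT request and reply as raw bytes. The port allowlist standing in for the server's ruleset and the 0.0.0.0:0 bound address in the reply are constructed placeholders, since no socket is opened.

```python
import ipaddress
import struct

SOCKS_VERSION = 5
NO_AUTH, USER_PASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REP_SUCCEEDED, REP_NOT_ALLOWED = 0x00, 0x02  # 0x02 = "not allowed by ruleset"

def client_greeting(methods):
    """Step 1 (after the TCP connect to port 1080): VER | NMETHODS | METHODS."""
    return bytes([SOCKS_VERSION, len(methods), *methods])

def server_select_method(greeting, supported):
    """Step 2: VER | METHOD; first offered method the server supports, else 0xFF."""
    ver, nmethods = greeting[0], greeting[1]
    offered = greeting[2:2 + nmethods]
    if ver != SOCKS_VERSION or len(offered) != nmethods:
        raise ValueError("malformed greeting")
    return bytes([SOCKS_VERSION, next((m for m in offered if m in supported), NO_ACCEPTABLE)])

def client_connect_request(host, port):
    """Step 3: relay request VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT."""
    try:
        addr = bytes([ATYP_IPV4]) + ipaddress.IPv4Address(host).packed
    except ipaddress.AddressValueError:  # not an IPv4 literal: send a domain name
        name = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)

def server_evaluate_request(request, allowed_ports):
    """Step 4: parse the request, apply the ruleset, build the reply
    VER | REP | RSV | ATYP | BND.ADDR | BND.PORT; returns (dst, port, rep, reply)."""
    ver, cmd, rsv, atyp = request[:4]
    if ver != SOCKS_VERSION or rsv != 0:
        raise ValueError("malformed request")
    if atyp == ATYP_IPV4:
        dst, rest = str(ipaddress.IPv4Address(request[4:8])), request[8:]
    elif atyp == ATYP_DOMAIN:
        n = request[4]
        dst, rest = request[5:5 + n].decode("idna"), request[5 + n:]
    else:
        raise ValueError("unsupported address type")
    (port,) = struct.unpack("!H", rest[:2])
    rep = REP_SUCCEEDED if cmd == CMD_CONNECT and port in allowed_ports else REP_NOT_ALLOWED
    # BND.ADDR/BND.PORT: constructed 0.0.0.0:0 placeholder, since no socket is bound here
    reply = bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4, 0, 0, 0, 0]) + struct.pack("!H", 0)
    return dst, port, rep, reply
```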

d. Bastion Host


A system identified by the firewall administrator as a critical strong point in the network’s
security



It serves as a platform for an application-level or circuit-level gateway.



Common characteristics


A trusted system with secure OS.



Only the services considered essential are installed.



Additional authentication required to access the proxy service.



Each proxy is configured to support only a subset of the standard application’s
command set.



Each proxy is configured to allow access only to specific hosts.



Each proxy maintains detailed audit information.



Each proxy module is a very small SW package specifically designed for network
security.



Each proxy is independent of other proxies.



A proxy generally performs no disk access other than to read its initial configuration
file.



Each proxy runs as a nonprivileged user in a private and secured directory.

5.5 FIREWALL CONFIGURATIONS


In addition to the use of simple configuration of a single system (single packet filtering
router or single gateway), more complex configurations are possible.



Three common configurations
a. Screened host firewall with single-homed bastion
b. Screened host firewall with dual-homed bastion
c. Screened subnet firewall

a. Screened Host Firewall, Single-Homed Bastion


Consists of two systems
– A packet-filtering router
» Configured so that only packets from and to the bastion host are allowed to
pass through
– A bastion host
» Performs authentication and proxy functions.

Advantages
– Greater security than single configurations
» This configuration implements both packet-level and application-level
filtering (allowing for flexibility in defining security policy).
» An intruder must generally penetrate two separate systems
– Flexibility in providing direct Internet access
» For a public information server (such as a Web server), the router can be
configured to allow direct traffic from the Internet.

Disadvantages
– If the router is completely compromised, traffic could flow directly through the
router between the Internet and the private network.
b. Screened Host Firewall, Dual-Homed Bastion


Physically prevents security breach of the previous configuration
– Traffic between the Internet and other hosts on the private network has to flow
through the bastion host.
– The advantages of the previous configuration are present here as well.

c. Screened Subnet Firewall


The most secure of the three configurations
– Two packet-filtering routers are used (creation of an isolated subnet)
Advantages
– Three levels of defense to thwart intruders.
– The outside router advertises only the existence of the screened subnet to the Internet
(internal network is invisible to the Internet).
– The inside router advertises only the existence of the screened subnet to the internal
network (the systems on the inside network cannot construct direct routes to the
Internet).

5.6 TRUSTED SYSTEMS


One way to enhance the ability of a system to defend against intruders and malicious
programs is to implement trusted system technology.
Data Access Control
• Access control by OS
– Through the user access control procedure (log on), a user can be
identified to the system
– Associated with each user, there can be a profile that specifies
permissible operations and file accesses
– The operating system can enforce rules based on the user profile (it may
grant a user permission to access a file or use an application, after which
there are no further security checks)
• Access control by DBMS
– Previous scheme is not sufficient for a system including sensitive data
in its database
– The DBMS must control access to specific records or even portions of
records in the database
• Access control models
a. Access matrix
b. Access control list
c. Capability list (Capability tickets).

a. Access Matrix


A general model of access control



Basic elements
– Subject : An entity capable of accessing objects (generally a process
representing any user or application that gains access to an object).
– Object : Anything to which access is controlled (e.g. files, portions of
files, programs and segments of memory)
– Access right : The way in which an object is accessed by a subject
(e.g. read, write and execute)

b. Access Control List


Decomposition of the access matrix by columns
– An access control list lists users (processes) and their permitted access
rights
– The list may contain a default or public entry (defines default set of
rights)

c. Capability List


Decomposition of the access matrix by rows
– A capability list (ticket) specifies authorized objects and operations
for a user (process)
– Each user has a number of tickets and may be authorized to loan or
give them to others



Management of tickets
– Tickets may be dispersed around the system, which is a great security
problem
– The ticket must be unforgeable
– A solution : the OS holds all tickets in a region of memory
inaccessible to users
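Added example (not code from the notes): a constructed access matrix is decomposed by columns into access control lists (with a public entry) and by rows into capability lists, each with its own check. The TicketStore stands in for the OS-held ticket region: an HMAC tag under a key that user code never sees makes a forged or altered ticket fail verification, and a ticket names only the object and rights so it can be passed to another subject. The HMAC construction is an assumption made for illustration, not a mechanism the notes describe.

```python
import hashlib
import hmac
import os

# Constructed access matrix: rows are subjects, columns are objects, cells are rights.
ACCESS_MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "report.txt": {"read"}},
    "bob": {"report.txt": {"read", "write"}, "backup.sh": {"execute"}},
    "carol": {},
}
PUBLIC_ENTRY = {"report.txt": {"read"}}  # default rights for anyone not listed

def access_control_lists(matrix, public=None):
    """Decompose by columns: object -> {subject: rights}, with "*" as the public entry."""
    acls = {}
    for subject, row in matrix.items():
        for obj, rights in row.items():
            acls.setdefault(obj, {})[subject] = set(rights)
    for obj, rights in (public or {}).items():
        acls.setdefault(obj, {})["*"] = set(rights)
    return acls

def capability_lists(matrix):
    """Decompose by rows: subject -> {object: rights}, i.e. the tickets each subject holds."""
    return {s: {o: set(r) for o, r in row.items()} for s, row in matrix.items()}

def acl_check(acls, subject, obj, right):
    entry = acls.get(obj, {})
    return right in entry.get(subject, set()) or right in entry.get("*", set())

def capability_check(caps, subject, obj, right):
    return right in caps.get(subject, {}).get(obj, set())

class TicketStore:
    """Tickets issued by the 'OS': each carries an HMAC tag under a key that user code
    never sees, so a forged or altered ticket fails verification. A ticket names the
    object and rights only, so its holder may loan or give it to another subject."""
    def __init__(self):
        self._key = os.urandom(32)  # stays in OS-private memory

    def issue(self, obj, rights):
        body = f"{obj}|{','.join(sorted(rights))}".encode()
        return body, hmac.new(self._key, body, hashlib.sha256).digest()

    def check(self, ticket, obj, right):
        body, tag = ticket
        if not hmac.compare_digest(tag, hmac.new(self._key, body, hashlib.sha256).digest()):
            return False  # forged or tampered ticket
        o, r = body.decode().split("|")
        return o == obj and right in r.split(",")
```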

The Concept of Trusted Systems

• Multilevel security
– Definition of multiple categories or levels of data
– Commonly found in the military (information category : unclassified, confidential,
secret, top secret)
– A subject at a high level may not convey information to a subject at a lower level
or noncomparable level unless that flow accurately reflects the will of an
authorized user.
– Two rules of multilevel security

» No read up : a subject can only read an object of less or equal security level
(simple security property)
» No write down : a subject can only write into an object of greater or equal
security level (*-Property)
• Reference monitor concept
– Multilevel security for a data processing system



Reference monitor
– Controlling element in the HW and OS of a computer that regulates the access of
subjects to objects on basis of security parameters.
– Accesses security kernel database
– Enforces the security rules (no read up & no write down)



Security kernel database
– A file that lists
» Security clearance : the access privileges of each subject
» Classification level : the protection attributes of each object.

Audit file
– Stores important security events such as
» Detected security violations
» Authorized changes to the security kernel database.



Reference monitor properties
– Complete mediation : the security rules are enforced on every access
» Every access to data in memory, disk and tape must be mediated
» Pure SW implementation : too high performance penalty
– Isolation : The reference monitor and database are protected from unauthorized
modification
» It must not be possible for an attacker to change the logic of the reference
monitor or the contents of the security kernel database.
– Verifiability : the reference monitor’s correctness must be provable
» It must be possible to demonstrate mathematically that the reference monitor
enforces the security rules and provides complete mediation and isolation

Trusted system
– A system that can provide such verification



The Commercial Product Evaluation Program
– The Computer Security Center (within the NSA) evaluates commercially available
products as meeting the security requirement.
– The center classifies evaluated products according to the range of security features.
– The evaluations are needed for DoD procurements but are published and freely
available.
– The evaluations can serve as guidance to customers for the purchase of commercial
equipment

Trojan Horse Defense

Trojan horse attack
– Secure, trusted operating systems are one way to secure against Trojan Horse attacks

Security level assignment
• Bob and Bob’s data file : Sensitive (higher)
• Alice and Alice’s data file : Public (lower)
When the Trojan horse program attempts to store the string in the back-pocket file
• *-Property (no write down rule) is violated
• The attempt is disallowed by the reference monitor
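The reference monitor and the Trojan horse scenario above, as an added example that is not code from the notes: a small monitor mediates every access against a security kernel database of clearances and classifications, enforces no read up and no write down, and appends each violation to an audit file. The scenario assumes the Trojan horse runs inside Bob's process (so it reads Bob's file at the Sensitive level) and that the back-pocket file is Alice's Public-level file; the subject and file names are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class ReferenceMonitor:
    """Mediates every access using the security kernel database (clearances and
    classifications), enforces no read up / no write down, and appends each
    violation to the audit file."""
    levels: list                  # security levels ordered lowest -> highest
    clearances: dict              # subject -> level (security kernel database)
    classifications: dict         # object -> level (security kernel database)
    audit: list = field(default_factory=list)

    def _rank(self, level):
        return self.levels.index(level)

    def check(self, subject, obj, op):
        s = self._rank(self.clearances[subject])
        o = self._rank(self.classifications[obj])
        if op == "read":       # simple security property
            ok, rule = s >= o, "no read up (simple security property)"
        elif op == "write":    # *-property
            ok, rule = s <= o, "no write down (*-property)"
        else:
            raise ValueError(f"unknown operation {op!r}")
        if not ok:
            self.audit.append(f"DENIED {subject} {op} {obj}: {rule}")
        return ok

def trojan_horse_scenario():
    """Constructed scenario: a program run by Bob carries a Trojan horse that reads
    Bob's sensitive file and then tries to store the contents in Alice's public
    back-pocket file. Returns ({access: allowed}, audit file)."""
    rm = ReferenceMonitor(
        levels=["Public", "Sensitive"],
        clearances={"bob": "Sensitive", "alice": "Public"},
        classifications={"bob_data": "Sensitive", "back_pocket": "Public"},
    )
    results = {
        "trojan_reads_bob_data": rm.check("bob", "bob_data", "read"),          # allowed
        "trojan_writes_back_pocket": rm.check("bob", "back_pocket", "write"),  # denied
        "alice_reads_bob_data": rm.check("alice", "bob_data", "read"),         # denied
        "alice_reads_back_pocket": rm.check("alice", "back_pocket", "read"),   # allowed
    }
    return results, rm.audit
```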
