Chapter 16 Evading IDSs, Firewalls, and Honeypots Flashcards
IDS
application used to gather and analyze info that passes through a NW or host
designed to analyze, identify, and report any violations or misuse of NW
main purpose: to detect and alert admin about attack
NIDS vs packet sniffer
NW IDS is a packet sniffer at its core, but an NIDS includes a rules engine to determine malicious vs legit traffic
Four types of IDS: each performs something the others do not
NIDS
HIDS
LFM IDS
FILE INTEGRITY CHECKING MECHANISMS
1) NIDS //inspect every packet entering the NW for malicious activity and to throw an alert if found; can monitor from router to host; can be in form of dedicated computer or black box design (dedicated device)
2) HIDS //host-based IDS// installed on server or computer //monitoring activities on a specific system or host; detects misuse of system, insider abuse
3) LFM IDS //Log file monitors //monitors log files created by NW services, identifies malicious events; (tool: swatch)
4) FILE INTEGRITY CHECKING MECHANISMS //checks for trojans or altered files indicating an intruder has been there (tools: tripwire)
IDS Detection Methods (how does it rule out what is an attack and what is not?)
SIGNATURE
ANOMALY DETECTION
PROTOCOL
SIGNATURE or MISUSE DETECTION //compares traffic to known models or attacks;
PROS effective for known attacks
CONS poor at detecting attacks not in its DB, other traffic could trigger false positive; improper signatures could result in false positive or false negative; as signature DB increases, time to analyze increases, traffic may be dropped, evolution of attacks, signature files must be updated often
ANOMALY DETECTION //builds a profile (baseline) of normal activity; anything that does NOT match the baseline is an anomaly and is regarded as a possible attack;
must be set up to understand what normal activity is; if not configured correctly, false + and false - become a problem
//a learning mode is available to let the system observe how your specific NW looks over time before it starts alerting
PROTOCOL DETECTION //uses the known specification (RFC) of a protocol to flag traffic that violates it; new attacks can be discovered before a signature exists; like anomaly detection, it does not depend on signature updates
False Negative vs False Positive
A false negative is an alert that should’ve happened, but didn’t
A false positive is an alert that happened, but shouldn’t have
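Worked comparison of the three ideas above (misuse detection against a signature DB, anomaly detection against a learned baseline, and how each produces false positives and false negatives). This is an added example, not part of the original flashcards: the request lines, the two signatures, the "learning mode" training traffic and the length/character-set anomaly model are all constructed for illustration.

```python
"""Signature (misuse) detection vs anomaly detection over constructed
web-server request lines. Added example, not from the flashcards: the log
lines, the signature list and the anomaly thresholds are all made up."""
import re
import statistics
from collections import Counter

# Constructed 'learning mode' traffic: what normal looks like on this site.
TRAINING_LOG = [
    "GET /index.html",
    "GET /about.html",
    "GET /index.html",
    "GET /images/logo.png",
    "GET /index.html",
    "GET /contact.html",
]

# Constructed live traffic with ground truth: (request line, is_attack)
LIVE_LOG = [
    ("GET /index.html", False),
    ("GET /cgi-bin/../../../../etc/passwd", True),     # in the signature DB
    ("GET /admin/../../etc/passwd", True),              # in the signature DB
    ("GET /login?user=admin' OR '1'='1", True),         # SQLi: no signature for it
    ("GET /images/2019/summer/holiday-photo-album.png", False),  # legit but unusual
    ("GET /index.html", False),
]

# Misuse detection only knows what is written here.
SIGNATURES = {
    "dir-traversal": re.compile(r"\.\./"),
    "passwd-access": re.compile(r"/etc/passwd"),
}

def signature_detect(request):
    """Return the names of the signatures the request matches (empty = no alert)."""
    return [name for name, rx in SIGNATURES.items() if rx.search(request)]

class AnomalyModel:
    """Learns a baseline (request length and character set) from training
    traffic, then flags anything that deviates from it."""
    def __init__(self, training, k=3.0):
        lengths = [len(r) for r in training]
        self.mean = statistics.mean(lengths)
        self.stdev = statistics.stdev(lengths)
        self.alphabet = set("".join(training))
        self.k = k

    def is_anomalous(self, request):
        too_long = len(request) > self.mean + self.k * self.stdev
        unseen_chars = not set(request) <= self.alphabet
        return too_long or unseen_chars

def confusion(detector, live_log=LIVE_LOG):
    """Count TP/FP/FN/TN for a detector that returns truthy when it alerts."""
    counts = Counter()
    for request, is_attack in live_log:
        alerted = bool(detector(request))
        if alerted and is_attack:
            counts["TP"] += 1
        elif alerted:
            counts["FP"] += 1   # alert that happened but shouldn't have
        elif is_attack:
            counts["FN"] += 1   # alert that should have happened but didn't
        else:
            counts["TN"] += 1
    return dict(counts)

def compare(training=TRAINING_LOG, live=LIVE_LOG):
    """Score both detectors on the same live traffic."""
    model = AnomalyModel(training)
    return {
        "signature": confusion(signature_detect, live),
        "anomaly": confusion(model.is_anomalous, live),
    }

if __name__ == "__main__":
    for name, counts in compare().items():
        print(name, counts)
```

The signature engine misses the SQL injection entirely (a false negative, because nothing in its DB describes it) but never alerts on benign traffic; the anomaly engine catches it but also fires on the long, digit-heavy but legitimate image request (a false positive), which is exactly the tuning trade-off the cards describe.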
Types of Intrusions
HOST SYSTEM INTRUSIONS
NW INTRUSIONS
HOST SYSTEM INTRUSIONS //unknown files, altered files
NW INTRUSIONS //increased or unexplained use of NW bandwidth, connection requests from unknown IPs, repeated login attempts from a remote host, unknown log files
NONSPECIFIC SIGNS OF INTRUSION //miscellaneous symptoms that fit neither of the categories above
IPS
works like IDS, but with added capability to shut down an attack by reconfiguring FWs and routers or lock down a system at the host level
Firewalls
represent a barrier between two zones (private and public NW)
//collection of programs and services located at the CHOKE POINT (or the location where traffic enters and exits the NW); designed to filter all traffic flowing in and out, determines if traffic should be allowed to continue
//not itself an IDS: it enforces policy (passes or drops traffic) rather than detecting and alerting, although its logs are a useful input to detection
Firewalls and Routers and NIDS
placing a router (with basic ACLs) in front of a firewall offloads coarse filtering from the firewall, reducing the load placed on the firewall and allowing it to perform more efficiently
can also install NIDS alongside FW to monitor and identify how well the FW is functioning
Firewall Configs
BASTION HOST
SCREENED SUBNET
MULTIHOMED FIREWALL
BASTION HOST //hosts nothing other than what it needs to perform its defined role (to protect resources from attack) This host has two interfaces: one connected to the public NW and the other to the internal NW
SCREENED SUBNET //uses single firewall with 3 built-in interfaces: internet, DMZ, intranet; each area is separated from one another, they are connected to its own interface;
PRO - prevents one area from affecting another
MULTIHOMED FIREWALL //connects to two or more NWs; each interface connects, logically and physically, to its own NW segment; used to increase efficiency and reliability of an IP NW; three or more interfaces are present
DMZ - Demilitarized Zone
buffer zone between public and private NWs in an organization;
also a way to host services that a company wishes to make publicly available without allowing direct access to their own internal nw
always built with a firewall that has 3 or more interfaces, such as internal trusted NW, DMZ NW, and external untrusted NW
Types of Firewalls
PACKET FILTERING FIREWALL
CIRCUIT-LEVEL GATEWAY
APPLICATION-LEVEL FIREWALL
STATEFUL MULTILAYER INSPECTION FIREWALL
PACKET FILTERING FIREWALL //works at NW layer, typically built directly into router; compares properties of packet such as source and destination address, protocol, port;
CIRCUIT-LEVEL GATEWAY //works at session layer; detects whether requested session is valid by checking TCP handshake; do not filter individual packets
APPLICATION-LEVEL FIREWALL //analyze application info to make decisions about whether to transmit packets
(((PROXY-BASED FIREWALL //works at applications layer, asks for authentication to pass packets
//content caching proxy optimizes performance by caching frequently access info instead of sending new requests for same data to servers)))
STATEFUL MULTILAYER INSPECTION FIREWALL //combines aspects of the other three types; filters packets at the NW layer, checks at the session layer whether packets belong to a legitimate session, and evaluates packet contents at the app layer; (the packet filter's inability to track connection state, since it judges each packet's header on its own, is overcome by the stateful filter) //tracks the state of each connection
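To make the packet-filter vs stateful distinction concrete, here is an added example (not from the flashcards) that runs one constructed packet sequence through a stateless "established" ACL and through a tiny stateful tracker. The addresses, the two rules and the connection table are made up for illustration.

```python
"""Stateless packet filter vs stateful inspection on a constructed packet
sequence (added example, not from the flashcards; the addresses, the two
rules and the connection table are made up for illustration)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # TCP flag names, e.g. frozenset({"SYN", "ACK"})

INSIDE_PREFIX = "10.0.0."   # constructed internal network

def is_inside(ip):
    return ip.startswith(INSIDE_PREFIX)

def packet_filter(pkt):
    """Stateless ACL, as on a router: each packet is judged on its own header.
    Rule 1: anything from inside may go out.
    Rule 2: inbound TCP is allowed only if ACK is set (the classic
    'established' keyword), because replies to inside-initiated sessions
    carry ACK. The filter cannot know whether a session really exists."""
    if is_inside(pkt.src):
        return True
    return "ACK" in pkt.flags

class StatefulFirewall:
    """Stateful inspection: remembers sessions opened from inside (SYN) and
    lets inbound packets through only when they belong to one of them."""
    def __init__(self):
        self.sessions = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def allow(self, pkt):
        if is_inside(pkt.src):
            if pkt.flags == frozenset({"SYN"}):
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions

# Constructed sequence: a legitimate HTTPS session, then an 'ACK scan' probe
# that tries to look like part of an established session, then a plain SYN.
SEQUENCE = [
    Packet("10.0.0.5", 40000, "198.51.100.10", 443, frozenset({"SYN"})),
    Packet("198.51.100.10", 443, "10.0.0.5", 40000, frozenset({"SYN", "ACK"})),
    Packet("203.0.113.9", 4444, "10.0.0.5", 445, frozenset({"ACK"})),
    Packet("203.0.113.9", 4444, "10.0.0.5", 445, frozenset({"SYN"})),
]

def run(sequence=SEQUENCE):
    """Return (stateless_verdict, stateful_verdict) per packet, in order."""
    fw = StatefulFirewall()
    return [(packet_filter(p), fw.allow(p)) for p in sequence]

if __name__ == "__main__":
    for pkt, (stateless, stateful) in zip(SEQUENCE, run()):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {sorted(pkt.flags)}  "
              f"stateless={'allow' if stateless else 'deny'}  "
              f"stateful={'allow' if stateful else 'deny'}")
```

The third packet is the interesting one: an ACK with no preceding handshake sails through the stateless rule (ACK bit set, so it looks "established") but is denied by the stateful firewall because no inside host ever opened that session. That is the basis of ACK scanning against old router ACLs.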
What’s that firewall running?
general
FIREWALKING
To determine type of FW or brand, use port scanning and see what ports the FW is listening on
or use Telnet to perform banner grabbing (enumeration to see what services are running on open ports)
FIREWALKING //probing a firewall to map its ACLs by sending TCP and UDP packets through it; the TTL is set to one hop MORE than the hop count to the firewall, so a probe the ACL lets through expires at the next hop behind the firewall and draws an ICMP time exceeded, while a filtered probe draws nothing
to perform, you need 3 components:
1) Firewalking host - the attacker's system outside the target NW that sends the probes
2) Gateway - the firewall/router on the target NW that connects it to the internet (the device being firewalked)
3) Destination - a host on the target NW behind the gateway that the probe packets are addressed to
**Tools: command-line tool called firewalk
can use packet crafters or port redirection to evade configuration on firewall
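The TTL trick is easier to see in code. This is an added simulation, not from the flashcards and not the firewalk tool's own source: the five-hop path, the gateway's ACL and all addresses are constructed, and a probe is modelled as a function call rather than a real packet. It shows both phases the tool performs: ramping (find how many hops away the gateway is) and scanning (one probe per port with TTL = gateway hops + 1).

```python
"""Simulation of the firewalk technique (added example, not from the
flashcards and not the firewalk tool's code; the path, the ACL and the
addresses are constructed). A probe's TTL is set to one hop MORE than the
hop count to the firewall: if the ACL passes it, the hop behind the
firewall expires it and answers ICMP time exceeded; if the ACL drops it,
nothing comes back."""

# Constructed path from the attacker to the destination host. Hop 3 is the
# firewall (gateway); hop 4 is the first router behind it; hop 5 is the host.
PATH = ["192.0.2.1", "192.0.2.2", "203.0.113.1", "10.0.0.1", "10.0.0.50"]
GATEWAY = "203.0.113.1"
ACL_ALLOW = {("tcp", 80), ("tcp", 443), ("udp", 53)}   # what the firewall permits

def send_probe(ttl, proto, dport, path=PATH, gateway=GATEWAY, acl=ACL_ALLOW):
    """Model one probe. Returns (reply_type, replying_hop), or None if the
    probe was silently dropped."""
    for hop in path[:-1]:               # every router (and the firewall) decrements TTL
        ttl -= 1
        if ttl == 0:
            return ("icmp-time-exceeded", hop)
        if hop == gateway and (proto, dport) not in acl:
            return None                 # ACL drop: no ICMP, no reply at all
    return ("port-reply", path[-1])     # delivered to the destination host

def ramp(proto="udp", dport=33434, max_ttl=30):
    """Phase 1 (ramping): traceroute-style, raise the TTL until the reply
    comes from the gateway; returns the gateway's hop count."""
    for ttl in range(1, max_ttl + 1):
        reply = send_probe(ttl, proto, dport)
        if reply and reply[1] == GATEWAY:
            return ttl
    return None

def firewalk(ports, gateway_hops):
    """Phase 2 (scanning): one probe per (proto, port) with TTL = hops + 1.
    Any reply means the ACL let the probe through; silence means filtered."""
    verdicts = {}
    for proto, port in ports:
        reply = send_probe(gateway_hops + 1, proto, port)
        verdicts[(proto, port)] = "pass" if reply else "filtered"
    return verdicts

if __name__ == "__main__":
    hops = ramp()
    print("gateway is", hops, "hops away")
    scan = firewalk([("tcp", 22), ("tcp", 80), ("tcp", 443), ("tcp", 3389), ("udp", 53)], hops)
    for key, verdict in scan.items():
        print(key, verdict)
```

Two caveats a practitioner runs into that the simulation makes explicit: the technique depends on the hop behind the firewall actually emitting ICMP time exceeded (many sites rate-limit or drop it), and if the destination sits directly behind the firewall the reply is a normal port response rather than a time exceeded, which the tool still counts as "pass".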
Honeypots
Two main categories:
Low-interaction honeypots
High-interaction honeypots
used to attract and trap attackers trying to gain access to a system, or just to gather information about them; not used to fix security problems
LOW-INTERACTION HONEYPOTS //rely on emulation of the services and programs that would be found on a vulnerable system; the emulation only goes so deep, so when an attacker pushes past it the service throws an error
HIGH-INTERACTION HONEYPOTS //more complex; no longer just single system that looks vulnerable but an entire NW aka HONEYNET; in addition to emulation, real systems with real apps are present
IDS Evasion Techniques
DoS vs IDS
OBFUSCATING
CRYING WOLF
SESSION SPLICING
(Fun with Flags)
BOGUS RST
SENSE OF URGENCY
ENCRYPTION (MOST EFFECTIVE)
DoS vs IDS //use enumeration techniques and system hacking to determine what resources are under load or are vital to proper functioning of IDS, now clog up resources to make IDS not function properly
OBFUSCATING //an IDS relies on reading the traffic; if the attacker manipulates it so that the IDS cannot understand it but the target still can, the attack slips through; can be done by manual manipulation of the code or with an OBFUSCATOR;
(One example that is successful against older IDSs is use of Unicode; by changing standard code such as HTTP requests/responses to their unicode equiv, web server understands but IDS does not)
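The encoding trick in the card, shown concretely as an added example (not from the flashcards): a signature for `cmd.exe` is matched against the raw request by a naive IDS and against the decoded request by an IDS that normalizes the way the target does. The requests and the signature are constructed, modelled on the old IIS-style `%XX` and non-standard `%uXXXX` encodings; the `%u` decoder is a hypothetical helper written for this example.

```python
"""Encoding obfuscation against a naive signature (added example, not from
the flashcards; the signature and request lines are constructed, modelled
on the old IIS-style %XX and %uXXXX encodings)."""
import re
from urllib.parse import unquote

SIGNATURE = re.compile(r"cmd\.exe", re.IGNORECASE)

# Constructed requests: the same attack written three ways, plus a benign one.
REQUESTS = [
    "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir",                # plain
    "GET /scripts/..%5c../winnt/system32/%63%6d%64%2e%65%78%65?/c+dir",  # cmd.exe as %XX
    "GET /scripts/..%5c../winnt/system32/%u0063md.exe?/c+dir",           # 'c' as %uXXXX
    "GET /index.html",                                                   # benign
]

def decode_u(s):
    """Expand %uXXXX sequences (the non-standard form some servers accept)."""
    return re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)

def server_view(raw):
    """What a permissive target ends up executing: %u and %XX both decoded."""
    return unquote(decode_u(raw))

def naive_ids(raw):
    """Matches the signature against the bytes as they appear on the wire."""
    return bool(SIGNATURE.search(raw))

def normalizing_ids(raw):
    """Decodes the request the way the target would, then matches."""
    return bool(SIGNATURE.search(server_view(raw)))

def compare(requests=REQUESTS):
    """Return (naive_alert, normalizing_alert) for each request."""
    return [(naive_ids(r), normalizing_ids(r)) for r in requests]

if __name__ == "__main__":
    for raw, (naive, normalized) in zip(REQUESTS, compare()):
        print(f"naive={naive!s:5} normalized={normalized!s:5}  {raw}")
```

The fix on the defender's side is the one every modern HTTP preprocessor applies: decode exactly as the target server decodes (including its quirks, such as `%u`), then match; decoding differently from the target just moves the ambiguity rather than removing it.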
CRYING WOLF //as the story states, an attacker can target the IDS with an actual attack causing IDS to alert owner; if done repeatedly, but nothing happening on the system, owner will eventually ignore it; (will become false positives to the owner) eventually attacker will actually strike
SESSION SPLICING //some IDSs do not reassemble or rebuild sessions before analyzing traffic; an attacker can tamper with fragmented packets so the IDS cannot analyze them and forwards them to the host //adjust fragmentation so the IDS takes longer to reassemble the fragments (or times out), or craft fragments that overlap when reassembled, causing problems for an IDS whose reassembly differs from the host's
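The overlap problem, as an added example that is not part of the flashcards: four constructed fragments, two of which claim the same byte range with different contents, reassembled under a "first fragment wins" policy and a "last fragment wins" policy. Offsets here are byte positions (as with TCP sequence numbers); real IP fragment offsets count 8-byte units, but the ambiguity is the same. Which policy a given OS uses varies, and that is precisely what the attacker relies on.

```python
"""Overlapping fragments reassembled under two policies (added example, not
from the flashcards; the fragments and the byte-offset model are
constructed). Offsets are byte positions as with TCP sequence numbers;
IP fragment offsets count 8-byte units, but the ambiguity is the same."""

# Constructed fragments. Fragments 2 and 3 claim the SAME byte range 5..14
# with different contents; the attack version is sent last.
FRAGMENTS = [
    (0,  b"GET /"),
    (5,  b"index.html"),   # harmless version of bytes 5..14
    (5,  b"etc/passwd"),   # attack version of the same bytes, sent later
    (15, b" HTTP/1.0\r\n"),
]
SIGNATURE = b"etc/passwd"

def reassemble(fragments, policy):
    """policy 'first': the earlier fragment wins on overlap;
    policy 'last': the later one wins. Real stacks differ on this."""
    buf = {}
    for offset, data in fragments:
        for i, byte in enumerate(data):
            pos = offset + i
            if policy == "last" or pos not in buf:
                buf[pos] = byte
    return bytes(buf[pos] for pos in sorted(buf))

def evasion(fragments=FRAGMENTS, ids_policy="first", host_policy="last"):
    """Return (ids_alerted, bytes the host actually processes) when the IDS
    and the target host resolve the overlap differently."""
    ids_view = reassemble(fragments, ids_policy)
    host_view = reassemble(fragments, host_policy)
    return SIGNATURE in ids_view, host_view

if __name__ == "__main__":
    print("IDS sees :", reassemble(FRAGMENTS, "first"))
    print("host sees:", reassemble(FRAGMENTS, "last"))
    print("alert raised:", evasion()[0])
```

An IDS that favours the first copy reconstructs a harmless `GET /index.html`, raises nothing, and the host that favours the last copy executes `GET /etc/passwd`. Swap the two policies and the opposite happens: the IDS alerts on a request the host never sees (an insertion, producing a false positive). The only robust defence is target-based reassembly, where the sensor is told which policy each protected host uses.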
(Fun with flags: TCP uses flags to describe status of packet)
BOGUS RST //RST ends a TCP connection; checksums verify that a segment arrived as it was sent; an attacker sends a RST with a deliberately bad checksum: the target host discards it (checksum fails) and keeps the session open, but an IDS that does not verify checksums accepts the RST and stops tracking the session, so the rest of the traffic passes without raising an alert
SENSE OF URGENCY //URG flag marks data as urgent; the receiving stack handles the urgent byte specially (on some stacks it is pulled out of the in-band stream); an IDS that ignores the urgent pointer reassembles a different stream than the host and can let the attack through
ENCRYPTION //MOST EFFECTIVE; an IDS cannot inspect encrypted payloads, so the traffic passes through uninspected unless the IDS is given the keys or sits behind a TLS-terminating proxy
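The bogus-RST sequence end to end, as an added example that is not from the flashcards: a real RFC 793 pseudo-header checksum, a RST built with that checksum deliberately broken, and two minimal receivers fed the same three segments, one that verifies the checksum (the host) and one that does not (the IDS). The addresses, ports and the tiny session tracker are constructed for illustration.

```python
"""Bogus-RST evasion with a deliberately bad TCP checksum (added example, not
from the flashcards; the addresses, ports and the minimal session tracker are
constructed). The checksum routine is the standard RFC 793 pseudo-header
one's-complement sum."""
import socket
import struct

FLAG_SYN, FLAG_RST, FLAG_ACK = 0x02, 0x04, 0x10

def tcp_checksum(src_ip, dst_ip, segment):
    """One's-complement sum over the IPv4 pseudo-header plus the segment."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def checksum_ok(src_ip, dst_ip, segment):
    """With a correct checksum in place the sum over the whole segment is 0."""
    return tcp_checksum(src_ip, dst_ip, segment) == 0

def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b"", corrupt=False):
    """20-byte TCP header (no options) + payload. corrupt=True flips bits in
    the checksum so a verifying stack will reject the segment."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr + payload)
    if corrupt:
        csum ^= 0x0F0F          # any value not equivalent under one's complement
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload

class Receiver:
    """Minimal session tracker. verify=True behaves like a real host stack;
    verify=False models an IDS that trusts the checksum and never checks it."""
    def __init__(self, ip, verify):
        self.ip, self.verify = ip, verify
        self.sessions, self.delivered = set(), []

    def receive(self, src_ip, segment):
        key = (src_ip, struct.unpack("!H", segment[:2])[0])
        if self.verify and not checksum_ok(src_ip, self.ip, segment):
            return "discarded: bad checksum"
        flags, payload = segment[13], segment[20:]
        if flags & FLAG_SYN:
            self.sessions.add(key)
            return "session opened"
        if flags & FLAG_RST:
            self.sessions.discard(key)
            return "session closed"
        if key in self.sessions:
            self.delivered.append(payload)   # host: processes it; IDS: inspects it
            return "delivered"
        return "ignored: no session"

ATTACKER, TARGET = "203.0.113.9", "10.0.0.50"   # constructed addresses

def run_scenario():
    """Feed SYN, bogus RST, then data to a host and to an IDS; return
    (host_log, ids_log, data the host processed, data the IDS inspected)."""
    host = Receiver(TARGET, verify=True)
    ids = Receiver(TARGET, verify=False)
    stream = [
        build_segment(ATTACKER, TARGET, 4444, 80, 1000, 0, FLAG_SYN),
        build_segment(ATTACKER, TARGET, 4444, 80, 1001, 5000, FLAG_RST | FLAG_ACK, corrupt=True),
        build_segment(ATTACKER, TARGET, 4444, 80, 1001, 5000, FLAG_ACK, b"GET /etc/passwd"),
    ]
    host_log = [host.receive(ATTACKER, seg) for seg in stream]
    ids_log = [ids.receive(ATTACKER, seg) for seg in stream]
    return host_log, ids_log, host.delivered, ids.delivered

if __name__ == "__main__":
    host_log, ids_log, host_data, ids_data = run_scenario()
    print("host:", host_log, host_data)
    print("ids :", ids_log, ids_data)
```

The host never sees the RST (its stack rejects the checksum) and goes on to process the request; the IDS accepts the RST, forgets the session, and then has no context for the data that follows. The fix is cheap: verify checksums in the sensor exactly as the host does, and drop what the host would drop.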