Lecture 5: Firewalls, intrusion detection Flashcards
Explain the “Principle of Complete Mediation”
Every access to an object must be checked, to ensure that it is allowed
Explain what a “Reference monitor” is
It is an operating-system module that:
- Checks requests against table of allowed requests, only lets authorised ones go through
- Monitor is itself tamper proof, and
- Verifiable
What do “ingress” and “egress” mean in the context of firewalls
Ingress: incoming traffic
Egress: outgoing traffic
List some capabilities that a firewall provides
- Defines a single choke point
- Provides a location for monitoring security events
- Convenient platform for some internet functions, such as NAT, usage monitoring, IPSEC VPNs
List some limitations of a firewall
- Cannot protect against attacks bypassing the firewall
- May not protect fully against internal threats
- Improperly secured wireless LAN
- Laptop, PDA, and portable storage devices could be infected outside then used inside
List four different types of firewalls
- Packet filtering firewall
- Stateful inspection firewall
- Application proxy firewall
- Circuit-level firewall
Explain what a “Packet filtering firewall” does, and where it is used
- Applies rules to packets in/out of firewall
- Based on information in packet header
- E.g., source/destination IP address & port, IP protocol, interface
- Typically, a list of rules of matches on fields
- If match, rule says if forward or discard packet
- Two default policies:
  - Discard – prohibit unless expressly permitted
  - Forward – permit unless expressly prohibited
Give some examples of weaknesses of “Packet filter firewalls”
- Cannot prevent attack on application bugs
- Limited logging functionality
- Does not support advanced user authentication
- Vulnerable to attacks on TCP/IP protocol bugs
- Improper config can lead to breaches
Explain what a “Stateful inspection firewall” does, and how it works
Reviews packet header information BUT also keeps info on TCP connections
- Typically have low, “known” port number for server, and
- High, dynamically assigned client port number
- Compared to simple packet filtering, stateful inspection tightens rules for TCP traffic by using a directory of TCP connections
- Only allow incoming traffic to high-numbered ports for packets matching an entry in this directory
Explain what an “Application-level gateway” does, and how it works
- Acts as a relay of application-level traffic:
- User contacts gateway with remote host name
- Authenticates themselves
- Gateway contacts application on remote host and relays TCP segments between server and user
- Must have proxy code for each application
- More secure than packet filters, but
- Higher overheads
Explain what a “Circuit-level gateway” is, and how it works
- Sets up two TCP connections, one to an inside user and one to an outside host
- Relays TCP segments from one connection to the other without examining contents
- Hence independent of application logic
- Just determines whether relay is permitted
- Typically used when inside users are trusted
- May use application-level gateway inbound and circuit-level gateway outbound
- Hence lower overheads
List three different ways of basing a firewall
- Bastion host
- Individual host-based firewall
- Personal firewall
Explain what a “Bastion host” is, and how it works
- Used to secure individual host
- Available in/add-on for many O/S
- Filter packet flows
- Often used on servers
- Advantages:
  - Tailored filter rules for specific host needs
  - Protection from both internal/external attacks
  - Additional layer of protection to org firewall
Explain what a “Personal firewall” is, and how it works
- Controls traffic flow to/from PC/workstation
- For both home or corporate use
- May be software module on PC
- Or in home router/gateway
- Typically, much less complex
- Primary role to deny unauthorized access
- May also monitor outgoing traffic to detect/block worm/malware activity
Give some examples of different intrusions
- Remote root compromise
- Web server defacement
- Guessing/cracking passwords
- Copying/viewing sensitive data/databases
- Running a packet sniffer
Give some examples of how to defend against “Insider attacks”
- IDS/IPS may help but also need:
  - Least privilege, monitor logs, strong authentication, termination process to block access & mirror data
List two classes of “Intrusion Detection Systems”
- Host-based IDS: monitor single host activity
- Network-based IDS: monitor network traffic
List the logical components that constitute “Intrusion Detection Systems”
- Sensors – collect data
- Analyzers – determine if intrusion has occurred
- User interface – manage/direct/view IDS
Give some examples of requirements for an “Intrusion Detection System”
- Run continually
- Be fault tolerant
- Resist subversion
- Impose a minimal overhead on system
- Configured according to system security policies
- Adapt to changes in systems and users
- Scale to monitor large numbers of systems
- Provide graceful degradation of service
- Allow dynamic reconfiguration
Explain what a “Host-based IDS” is, and how it works
- Specialized software to monitor system activity to detect suspicious behavior
  - Primary purpose is to detect intrusions, log suspicious events, and send alerts
  - Can detect both external and internal intrusions
List two different approaches used by “Host-based IDS”
- Two approaches, often used in combination:
  - Anomaly detection – defines normal/expected behavior
    - Threshold detection
    - Profile based
  - Signature detection – defines proper behavior
Explain what “Audit Records” are, and specify the two variants
- A fundamental tool for intrusion detection
- Two variants:
  - Native audit records – provided by O/S
    - Always available but may not be optimum
  - Detection-specific audit records – IDS specific
    - Additional overhead but specific to IDS task
    - Often log individual elementary actions
    - E.g. may contain fields for: subject, action, object, exception-condition, resource-usage, time-stamp
Explain the two types of “Anomaly Detection”
- Threshold detection
  - Checks excessive event occurrences over time
  - Alone a crude and ineffective intruder detector
  - Must determine both thresholds and time intervals
- Profile based
  - Characterize past behavior of users/groups
  - Then detect significant deviations
  - Based on analysis of audit records
    - Gather metrics: counter, gauge, interval timer, resource utilization
    - Analyze: mean and standard deviation, multivariate, Markov process, time series, operational model
Explain what “Signature Detection” is, and how it works
- Observe events on the system and apply a set of rules to decide if an intruder is present
- Rule-based penetration identification
  - Rules identify known penetrations/weaknesses
  - Often by analyzing attack scripts from the internet
  - Supplemented with rules from security experts
Explain how a “Network-based IDS” works
- Monitor at selected points on a network
- In (near) real time to detect intrusion patterns
- May examine network, transport and/or application level protocol activity directed toward systems
Comprises several sensors:
- Inline (possibly as part of other net device)
- Passive (monitors copy of traffic)
Give some examples of “Intrusion Detection Techniques”
- Signature detection:
  - At application, transport, network layers; unexpected application services, policy violations
- Anomaly detection:
  - Of DOS attacks, scanning, worms
- When a potential violation is detected, the sensor sends an alert and logs information
  - Used by the analysis module to refine parameters and algorithms
  - Used by the security admin to improve protections
Explain what “Honeypots” are, and how they work
- Decoy systems
- Fabricated info
- Instrumented with monitors/event loggers
- Divert and hold attacker to collect activity info
- Without exposing production systems
- Initially were single systems
- More recently emulate entire networks
List some examples of limitations of “Intrusion detection”
- Response can lead to DOS
- False alarms, users/attackers get around them
- Rules: citizens are entitled to know protection algorithms
- “too few attacks” – base rate fallacy
- Constant need for updates
- Encrypted traffic hard to analyse
- Constant trade-offs