Week 8 Flashcards
What can a firewall do? What can it not do?
Firewalls cannot prevent all attackers, viruses or intruders.
They can
Permit authorised traffic
Block or deny unauthorised traffic
Log accesses in and out
Provide a VPN link
Authenticate users and give access to appropriate services
Shield hosts
Cache data to improve web site performance
Filter content
Firewall problems?
No protection:
against attacks that exploit bugs in the services the firewall has to let through;
against internal attackers;
inside the perimeter once an internal machine is compromised.
There are "accidental" routes around the firewall: dial-up servers, cross links.
They can be too restrictive and interfere with wanted traffic.
Encryption (e.g. TLS) hides the payload, so the firewall cannot inspect it and cannot block malicious traffic carried inside it.
Many services are tunnelled over HTTP(S), so the firewall just sees web traffic and cannot tell them apart.
A firewall is not a total solution: it is unlikely to stop a determined or competent attacker, but it can stop low-motivation or generalised attacks.
What is an IDS?
One common family of protection tools is the Intrusion Detection System (IDS), based either on the network (NIDS) or on a host (HIDS). These are primarily response-mode tools, but they are also useful for deterrence, detection and damage assessment, as well as attack anticipation.
Many IDS provide only one or two of event logging, traffic analysis, integrity checking and configuration management, but most offer alert notification, network taps/sensors and a response system. Where the system also acts to handle and contain an intrusion it is, strictly, an Intrusion Detection and Prevention System (IDPS).
Misuse detection - Knowledge-based IDS - Rule Based
tell me more
Misuse detection / knowledge-based IDPS: attack signatures are network traffic patterns, or log-file patterns, that indicate suspicious behaviour, e.g. repeated login attempts, unusual time of access, SYN flooding, escalation of privileges, unknown access, target acquisition (scanning).
A knowledge-based IDS looks for patterns of network traffic or activity in log files that indicate suspicious behaviour, using information such as:
known vulnerabilities of particular OS and applications;
known attacks on systems;
the given security policy.
Only as good as its database of attack signatures:
New vulnerabilities not in the database are constantly being
discovered and exploited;
Vendors need to keep up to date with latest attacks and issue
database updates; customers need to install these;
There are a large number of vulnerabilities and different exploitation methods, so an effective database is difficult to build;
A large database makes signature matching slow.
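Added example (not part of the original flashcards): a minimal knowledge-based detector in Python. A hand-written signature database (regular expressions over log lines) stands in for the vendor rule set, and one rule is derived from an assumed site policy (interactive logins only between 08:00 and 18:00). The log lines are constructed; the last one is a URL-encoded version of the traversal attack that the signature does not cover, which is the "only as good as the database" problem in miniature.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed signature database: (name, pattern). In a real IDS this is the vendor-supplied,
# regularly updated rule set; these three are hand-written stand-ins.
SIGNATURES = [
    ("ssh-root-login-failure",
     re.compile(r"sshd\[\d+\]: Failed password for root from (?P<src>[\d.]+)")),
    ("sudo-privilege-escalation",
     re.compile(r"sudo:\s+(?P<user>\w+) : .*COMMAND=/bin/(ba)?sh")),
    ("web-path-traversal",
     re.compile(r"GET /[^ ]*\.\./\.\./[^ ]* HTTP")),
]

# Assumed site policy: interactive logins are only expected between 08:00 and 18:00.
WORK_HOURS = range(8, 18)
LOGIN_OK = re.compile(r"sshd\[\d+\]: Accepted (publickey|password) for (?P<user>\w+) from (?P<src>[\d.]+)")
TS = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) ")

def match_signatures(line):
    """Return the alerts (name, captured fields) raised by one log line."""
    alerts = []
    for name, pat in SIGNATURES:
        m = pat.search(line)
        if m:
            alerts.append((name, m.groupdict()))
    # Policy-derived rule: a successful login outside working hours is suspicious.
    t, m = TS.match(line), LOGIN_OK.search(line)
    if t and m and datetime.fromisoformat(t["ts"]).hour not in WORK_HOURS:
        alerts.append(("out-of-hours-login", m.groupdict()))
    return alerts

def scan(lines):
    """Scan a log; return ({signature name: hits}, [lines no signature matched])."""
    hits, unmatched = defaultdict(int), []
    for line in lines:
        alerts = match_signatures(line)
        if not alerts:
            unmatched.append(line)
        for name, _fields in alerts:
            hits[name] += 1
    return dict(hits), unmatched

# Constructed log sample (syslog-style, ISO timestamps).
LOG = """\
2024-03-04T09:12:01 host sshd[1201]: Accepted publickey for alice from 10.1.2.3 port 51122 ssh2
2024-03-04T09:13:44 host sshd[1202]: Failed password for root from 198.51.100.7 port 40001 ssh2
2024-03-04T09:13:45 host sshd[1203]: Failed password for root from 198.51.100.7 port 40002 ssh2
2024-03-04T10:02:10 host sudo:    bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
2024-03-04T10:05:00 host httpd: 198.51.100.7 "GET /cgi-bin/../../etc/passwd HTTP/1.1" 404
2024-03-04T23:41:09 host sshd[1310]: Accepted password for alice from 198.51.100.9 port 40100 ssh2
2024-03-04T23:42:30 host httpd: 198.51.100.9 "GET /cgi-bin/..%2f..%2fetc/passwd HTTP/1.1" 200
""".splitlines()

if __name__ == "__main__":
    hits, missed = scan(LOG)
    print(hits)
    print("no signature matched:", *missed, sep="\n  ")
```

The encoded traversal on the last line succeeds (HTTP 200) and raises nothing: the signature encodes one known form of the attack, and a trivial variation evades it until someone adds a new signature and the customer installs the update.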
Anomaly detection - Behaviour-based IDS - Statistical anomaly
tell me more
Anomaly detection, or behaviour-based detection, is usually statistical, based on normal traffic flows or system behaviour.
Thresholds are established above and below the normal levels, outwith which an alarm is raised. These IDS are not updated with known vulnerabilities; they look at traffic flows. The statistics are built up over time to produce profiles of users or of system workload.
Problem 1: false acceptance rate and false rejection rate.
Problem 2: what sort of environment would they work best in? A
University? A Bank? A Commercial Organisation? A Cloud?
How do you detect new attacks?
Statistical anomaly detection uses statistical techniques to detect attacks;
phase 1 : establish the base-line behaviour: what is “normal” for this
system
phase 2: gather new statistical data and measure deviation from the
base-line.
If a threshold is exceeded, issue an alarm. (amber warning)
So, generally, rule-based (misuse) systems encode known bad behaviour as signatures, and anomaly-based systems model normal behaviour and flag deviations from it.
Monitor a number of failed login attempts at a sensitive host over time;
if a burst of failures occurs, an attack may be under way;
or maybe an admin problem?
False positives (false alarm): attack flagged when none is taking place.
False negatives: attack missed because it fell within the bounds of normal
behaviour.
This issue also applies to knowledge-based systems. Behaviour- or anomaly-based systems require a lot of data to build profiles or to do statistical analysis.
They need many metrics: counts, intervals, resource profiles, mean and standard deviation, Markov models, time series, machine learning, etc.
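Added example (not part of the original flashcards): the two phases of statistical anomaly detection applied to the failed-login scenario above, in Python. Phase 1 summarises a quiet period as mean and standard deviation of failed logins per 5-minute window; phase 2 z-scores each new window and alarms when it lies more than k standard deviations from the mean. All counts are constructed.

```python
import statistics

# Constructed data: failed login attempts on a sensitive host, per 5-minute window.
BASELINE = [2, 3, 1, 4, 2, 3, 2, 5, 3, 2, 1, 3]   # phase 1: a period taken to be "normal"
NEW_WINDOWS = [3, 2, 40, 4, 5, 3]                  # phase 2: live windows to score

def build_profile(counts):
    """Phase 1: summarise normal behaviour as (mean, sample standard deviation)."""
    return statistics.fmean(counts), statistics.stdev(counts)   # needs >= 2 windows

def score(profile, counts, k=3.0):
    """Phase 2: z-score each window against the profile.
    Returns (index, count, z, alarm) per window; alarm when |z| > k, i.e. the
    count is outwith the band [mean - k*sd, mean + k*sd]."""
    mean, sd = profile
    results = []
    for i, c in enumerate(counts):
        if sd > 0:
            z = (c - mean) / sd
        else:                              # degenerate profile: any change is "infinite"
            z = 0.0 if c == mean else float("inf")
        results.append((i, c, round(z, 2), abs(z) > k))
    return results

def alarms(profile, counts, k=3.0):
    """Indices of windows that cross the threshold (amber warning)."""
    return [i for i, _c, _z, hit in score(profile, counts, k) if hit]

if __name__ == "__main__":
    profile = build_profile(BASELINE)
    print("baseline mean=%.2f sd=%.2f" % profile)
    for i, c, z, hit in score(profile, NEW_WINDOWS):
        print(f"window {i}: {c:3d} failures  z={z:6.2f}  {'ALARM' if hit else ''}")
```

With this baseline (mean about 2.6, sd about 1.2) the 40-failure window is flagged at k=3 while the 5-failure window is not. Both limits of the method are visible: the 40 could be a password-guessing attack or a misconfigured service retrying with a stale password (the detector only knows it is abnormal, not why), and five attempts every window from one source would be a slow attack that never crosses the threshold. Lowering k to 2 catches the 5-failure window as well, at the cost of more false alarms.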
Describe IDS architecture. Vulnerabilities?
Distributed set of sensors, located either on hosts or on the network, to gather data.
Centralised console to manage the sensor network, analyse the data (cf. data mining), report and react. This is a CIDS.
Ideally:
Protected communications between sensors and console;
Protected storage for signature database/logs;
Secure console configuration;
Secured signature updates from vendor;
Otherwise the IDS itself can be attacked and manipulated; IDS vulnerabilities have been exploited in practice.
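Added example (not part of the original flashcards): what "protected communications between sensors and console" needs at minimum, in Python. Each sensor holds a per-sensor secret key (assumed to be provisioned out of band) and tags every event with an HMAC-SHA256 over its id, a sequence number and the event body; the console accepts an event only if the tag verifies and the sequence number is fresh. The demo then shows a tampered event, a replayed event and an event from a sensor the console holds no key for being rejected. The sensor ids, keys and event are constructed.

```python
import hashlib
import hmac
import json

# Assumed per-sensor keys provisioned out of band (constructed; use 32 random bytes in practice).
SENSOR_KEYS = {
    "sensor-dmz-1": b"k1-constructed-example-key-not-for-use",
    "sensor-lan-1": b"k2-constructed-example-key-not-for-use",
}

def _to_sign(sensor_id, seq, body):
    # Id and sequence number are inside the tagged data, so neither can be altered in transit.
    return f"{sensor_id}|{seq}|{body}".encode()

def sensor_emit(sensor_id, seq, event):
    """Sensor side: serialise the event canonically and attach an HMAC-SHA256 tag."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(SENSOR_KEYS[sensor_id], _to_sign(sensor_id, seq, body), hashlib.sha256).hexdigest()
    return {"sensor": sensor_id, "seq": seq, "body": body, "tag": tag}

class Console:
    """Console side: accept an event only if its tag verifies and its seq is strictly increasing."""
    def __init__(self):
        self.last_seq = {}       # highest sequence number accepted per sensor
        self.accepted = []
        self.rejected = []       # (reason, message)

    def receive(self, m):
        key = SENSOR_KEYS.get(m.get("sensor"))
        if key is None:
            self.rejected.append(("unknown-sensor", m))
            return False
        expected = hmac.new(key, _to_sign(m["sensor"], m["seq"], m["body"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, m["tag"]):   # constant-time comparison
            self.rejected.append(("bad-tag", m))
            return False
        if m["seq"] <= self.last_seq.get(m["sensor"], -1):
            self.rejected.append(("replay", m))
            return False
        self.last_seq[m["sensor"]] = m["seq"]
        self.accepted.append(json.loads(m["body"]))
        return True

def demo():
    """Constructed exchange: one genuine event, then three attacks on the sensor link."""
    c = Console()
    good = sensor_emit("sensor-dmz-1", 1, {"sig": "ssh-root-login-failure", "src": "198.51.100.7"})
    results = [c.receive(good)]
    # An attacker on the sensor network rewrites the body to point at an internal address.
    tampered = dict(good, body=good["body"].replace("198.51.100.7", "10.0.0.1"))
    results.append(c.receive(tampered))
    # The same attacker replays the genuine event to flood the console with duplicates.
    results.append(c.receive(good))
    # And injects an event under a sensor id for which the console holds no key.
    forged = dict(good, sensor="sensor-rogue", tag="00" * 32)
    results.append(c.receive(forged))
    return results, [reason for reason, _m in c.rejected]

if __name__ == "__main__":
    print(demo())
```

This gives origin authentication, integrity and replay protection, not confidentiality: an eavesdropper still learns what the sensors are reporting. In a deployed CIDS the same properties normally come from TLS with mutual authentication between sensor and console, and the signature database and logs on the console need equivalent integrity protection at rest.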
A downside of IDS? Two kinds of drift
Concept drift is when the data distribution varies over time (abrupt, incremental, gradual or recurring drift); this describes the nature of network traffic, so a profile of "normal" goes stale.
Feature drift is when the informative features themselves change over time, as changes in the data patterns make different features (e.g. packet types) relevant.
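Added example (not part of the original flashcards): gradual concept drift against the z-score detector, in Python. A constructed per-window traffic series is stable for 24 windows and then rises by one unit per window as the site grows, with the same noise throughout. A profile built once and never updated ends up alarming on most windows (all false positives), while a profile rebuilt from the last 12 windows before each new one follows the drift and stays quiet.

```python
import statistics

def make_series():
    """Constructed per-window traffic volume (say flows per 5 minutes).
    Windows 0-23: stable around 100. Windows 24-83: the true level rises by 1 per window
    (gradual concept drift). The noise is +5/-5 alternating throughout."""
    return [100 + (5 if n % 2 == 0 else -5) + max(0, n - 23) for n in range(84)]

def z(value, window):
    """z-score of value against the mean and sample sd of a reference window."""
    mean, sd = statistics.fmean(window), statistics.stdev(window)
    return (value - mean) / sd

def alarms_static(series, train=24, k=3.0):
    """Profile once on the first `train` windows and never update it."""
    base = series[:train]
    return [n for n in range(train, len(series)) if abs(z(series[n], base)) > k]

def alarms_sliding(series, train=24, width=12, k=3.0):
    """Re-profile on the `width` most recent windows before scoring each new one."""
    return [n for n in range(train, len(series))
            if abs(z(series[n], series[n - width:n])) > k]

if __name__ == "__main__":
    s = make_series()
    static, sliding = alarms_static(s), alarms_sliding(s)
    print(f"static profile : {len(static)} alarms in 60 drifting windows, first at window {static[0]}")
    print(f"sliding profile: {len(sliding)} alarms")
```

The adaptive profile has its own blind spot: a slowly escalating attack (steady growth in outbound volume, for example) is absorbed into "normal" just as the site growth was, so in practice the re-profiling interval is chosen deliberately and alarmed windows are kept out of the new baseline.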
WPA2 vulnerabilities
DoS can be radio-frequency jamming, data flooding or Layer 2 session hijacking.
Deauthentication: the attacker forces the client to reauthenticate by sending deauthentication frames. These are management frames, which WPA2 does not authenticate unless 802.11w (protected management frames) is in use, so the attacker can spoof the AP's MAC address and the client cannot tell the frames are forged.
Disassociation: in the same way, spoofed disassociation frames make an authenticated client associated with multiple APs drop its association with some of them.