Day 19

1
Day 19
2
Security Tools

• Firewalls
• Host Based
• Network based
• IDS/IPS
• Host Based
• Network based
• Signature based detection
• Anomaly based detection
• Anti Virus, Anti Spyware, Anti-spam
• Forensic tools
• Authentication tools
• Encryption Tools

3
What is a firewall

• A firewall is a choke point where network traffic
  can be permitted or denied.
• A set of rules (Access Control List/Policy list)
  are used to determin what to allow.
• For example
• A machine is a web server (HTTP only)
• Everyone in the world should be able to connect
  to the web server on port 80 TCP
• All other ports should be blocked by a firewall,
  this prevents unintentional services being
  exposed, and lessens the overall likelyhood that
  the server would be compromised.
• If nobody should ever use this server as a
  workstation, you could also limit outbound
  traffic from this machine
• Helpful for preventing the machine from being
  used to attack other machines

4
Network based Firewalls

• A network firewall is a network device which acts
  like a router, but has a set of policies it
  enforces in addition to routing.
• Sometimes this device is the router
• Most high end routers support ACL lists
• Access-list 101 permit tcp any host 100.1.1.1 eq
  80
• Sometimes the device is actually a separate
  firewall
• Juniper, Checkpoint, Sonicwall, etc.

5
Host based firewalls

• Sometimes the firewall is built into the OS of
  the machine it is protecting
• Windows
• Windows Firewall
• Black Ice Firewall
• Unix
• IPtables
• IPchains
• IPF

6
Should I use host or network based?

• How many machines do you have?
• If you are protecting 2 machines host based will
  probably work fine.
• If you had to install host based on 500
  computers, might have been easier to install
  network.
• Who has access to the machines?
• If the machines are publicly accessible what
  stops a malicious person from disabling the
  firewall
• Network based firewalls are typically more
  difficult to disable.
• What do you want your machine spending its time
  on.
• If a machine is a webserver you want it spending
  its time on serving web pages, not denying
  traffic, that is probably best done by a network
  device.

7
Packet Filter Firewalls

• Each time you receive a packet, check
• Who sent it
• Where is it going
• What port did it come from and what is it
  destined for
• When did it arrive
• What TCP/IP flags are set in the header
• Is it part of an established connection or the
  start of a new one
• Based on current set of policies either allow or
  deny this packet.

8
Proxy based firewalls

• When a machine attempts to establish a connection
  intercept it.
• When the client attempts to connect to the
  server, the firewall acts like a server to the
  client.
• Next the firewall creates a separate connection
  to the server (thus acting like a client)
• Now the firewall acts like a traffic cop between
  the client and server be deciding how much of the
  traffic to pass between them.

Firewall
Client
Server
9
Proxy vs. Packet Filter

• A Proxy based firewall can do much more
  intelligent filtering because it understands what
  is being said between the client and the server.
• For example, a proxy can alter HTML pages or
  eMails (for example, stripping out sensitive
  information, or adding a signature/disclaimer to
  the end of each message)
• A packet filter is much more limited because it
  only understands the header of the packets, not
  the data in them.

10
Intrusion Detection System

• One of the most basic security principles is to
  know when youve been compromised.
• Worst case is you were compromised and dont even
  know it because more info can be stolen, or more
  damage can be done.
• In the real world its obvious, but with complex
  computers its less obvious.
• IDS systems are designed to help you track
  intrusions and identify how they were done.

11
File Integrity Checkers

• One way to know if your system has been
  compromised is to know if any files on your
  system were changed without your knowledge.
• Hackers frequently install software on
  compromised machines to give them a guaranteed
  way back on, or to do their bidding (send email,
  attack someone else)
• File integrity monitors hash all the files on
  your system periodically and notify you of any
  changes.
• Tripwire, GFI LanGuard etc.

12
Network based IDS

• Network based IDSs typically monitor all packets
  coming into/out of your network looking for
  interesting patterns.
• Interesting patterns are defined by a set of
  signatures which either a company or the internet
  community develop based on previous intrusions.
• When a pattern is noticed it logs it, or possibly
  notifies someone (pager, email, phone)
• E.G. Snort, ISS Realsecure etc.

13
Logs/Event Viewer

• A frequently overlooked but critical security
  tool is logs.
• Most things which happen on your computer are
  logged
• Windows Event Viewer
• Unix/Mac Logs
• Allow for analysis of what is going on your
  computer
• Gives you an audit trail after a compromise to
  see how it was done, and thus prevent it from
  happening again.
• Of course this assumes the logs arent erased by
  the attacker.

14
Intrusion Prevention Systems

• A sort of combination of IDS and Firewall.
• The smarts of an IDS with the ability to block
  traffic like a firewall.
• Thing about it as a firewall which can build its
  own policies based on whats happening to it.
• E.g.
• You suddenly see a spike of ICMP (ping) traffic
  from a single address, perhaps after a few
  thousand packets you should think about stopping
  it, the IPS might build a rule to block it.

15
IDS/IPS False Positive problem

• One of the biggest problems with IPS is the
  signatures.
• If a popular virus happens to send the string
  BLABLA in an HTTP message to distribute itself,
  then any webpage with BLABLA in it will appear
  to be an attack.
• False positives are frustrating and
  counter-productive.
• Worse yet, if your IPS decides that the attack
  must be stopped and builds a firewall rule to
  block it.

16
Anomaly based detection

• Another approach which is being worked on is to
  watch what is normal and then look for things
  which are abnormal.
• E.g. You use your computer at clayton from
  730PM-845PM Monday and Wed. If your computer
  is at clayton on Friday night at 3am, maybe
  something is up.
• Very difficult to be correct, requires lots more
  work to get right.

17
Viruses, Spys

• Anti-Virus
• Specialized form of IDS.
• Looks for patterns in files on your hard drive.
• Once one is found assume it is a virus, and
  remove it
• Quarantine it, or delete it at users request
• Anti-Spywear
• Look for software which may get installed without
  your knowledge
• E.g. Here is a free screensaver, you also get
  something which monitors all web pages you go to
  for opportunities to send you ads

18
VPN

• Virtual Private Networks
• Allow users into your private network from across
  the internet securely.
• VPNs are based on encryption.
• All traffic leaving the client are encrypted by
  software on their end.
• That encrypted traffic is routed across the
  internet
• The other end decrypts the resulting traffic and
  routes it on the private network
• Traffic is typically encrypted with Symmetric
  cryptography such as AES or TripleDES. Keys are
  typically exchanged either manually or
  automatically via IKE.