Network Security-2

Denial of Service Attacks

The first type of attack to examine is the denial of service (DoS). A denial of service attack is any attack that aims to deny legitimate users the use of the target system. This class of attack does not actually attempt to infiltrate a system or to obtain sensitive information. It simply aims to prevent legitimate users from accessing a given system.

This type of attack is one of the most common categories of attack. Many experts feel that it is so common because most forms of denial of service attacks are fairly easy to execute. The ease with which these attacks can be executed means that even attackers with minimal technical skills can often successfully perform a denial of service.

The concept underlying the denial of service attack is based on the fact that any device has operational limits. This fact applies to all devices, not just computer systems. For example, bridges are designed to hold weight up to a certain limit, aircraft have limits on how far they can travel without refuelling, and automobiles can only accelerate to a certain point. All of these various devices share a common trait: They have set limitations to their capacity to perform work. Computers are no different from these, or any other machine; they, too, have limits. Any computer system, web server, or network can only handle a finite load.

How a workload (and its limits) is defined varies from one machine to another. A workload for a computer system might be defined in a number of different ways, including the number of simultaneous users, the size of files, the speed of data transmission, or the amount of data stored. Exceeding any of these limits will stop the system from responding. For example, if you can flood a web server with more requests than it can process, it will be overloaded and will no longer be able to respond to further requests. This reality underlies the DoS attack. Simply overload the system with requests, and it will no longer be able to respond to legitimate users attempting to access the web server.

2.1.1 SYN Flood

Simply sending a flood of pings is the most primitive method of performing a DoS. More sophisticated methods use specific types of packets. One popular version of the DoS attack is the SYN flood. This particular attack depends on the hacker’s knowledge of how connections are made to a server. When a session is initiated between the client and server in a network using the TCP protocol, a small buffer space in memory is set aside on the server to handle the “hand-shaking” exchange of messages that sets up the session. The session-establishing packets include a SYN field that identifies the sequence in the message exchange.

A SYN flood attempts to disrupt this process. In this attack, an attacker sends a number of connection requests very rapidly and then fails to respond to the reply that is sent back by the server. In other words, the attacker requests connections, and then never follows through with the rest of the connection sequence. This has the effect of leaving connections on the server half open, and the buffer memory allocated for them is reserved and not available to other applications. Although the packet in the buffer is dropped after a certain period of time (usually about three minutes) without a reply, the effect of many of these false connection requests is to make it difficult for legitimate requests for a session to be established.
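The half-open connection table described above, as an added example that is not part of the chapter: a model of the server-side backlog that a SYN flood fills, with the roughly three-minute expiry the text mentions and the per-source count of half-open entries that a defender can alarm on. The capacity, addresses and traffic in the scenario are constructed for the example.

```python
# Added example, not from the chapter: a model of the server-side table of
# half-open TCP connections that a SYN flood fills. Capacity, addresses and
# the traffic below are constructed; the 180 s expiry is the "about three
# minutes" the text mentions.
from dataclasses import dataclass, field

HALF_OPEN_TIMEOUT = 180.0  # seconds before an unanswered SYN-ACK is given up on


@dataclass
class ListenerBacklog:
    capacity: int                                # slots memory allows for half-open connections
    pending: dict = field(default_factory=dict)  # (src_ip, src_port) -> time the SYN arrived
    dropped_syns: int = 0                        # SYNs refused because every slot was taken

    def expire(self, now: float) -> int:
        """Reclaim slots whose SYN-ACK was never answered within the timeout."""
        stale = [k for k, t in self.pending.items() if now - t >= HALF_OPEN_TIMEOUT]
        for k in stale:
            del self.pending[k]
        return len(stale)

    def on_syn(self, src_ip: str, src_port: int, now: float) -> bool:
        """First handshake packet: reserve a slot. False means the SYN was dropped."""
        self.expire(now)
        key = (src_ip, src_port)
        if key in self.pending:          # retransmitted SYN, slot already held
            return True
        if len(self.pending) >= self.capacity:
            self.dropped_syns += 1
            return False
        self.pending[key] = now
        return True

    def on_ack(self, src_ip: str, src_port: int, now: float) -> bool:
        """Third handshake packet: the connection is established, free the slot."""
        return self.pending.pop((src_ip, src_port), None) is not None

    def half_open_by_source(self) -> dict:
        """Per-source count of half-open entries; the signal a defender alarms on."""
        counts: dict = {}
        for ip, _port in self.pending:
            counts[ip] = counts.get(ip, 0) + 1
        return counts


def suspicious_sources(backlog: ListenerBacklog, threshold: int) -> list:
    """Sources holding more half-open slots than any legitimate client should."""
    return sorted(ip for ip, n in backlog.half_open_by_source().items() if n > threshold)


def simulate_flood(capacity: int = 128, flood_syns: int = 200) -> dict:
    """Constructed scenario: 203.0.113.9 sends SYNs from many ports and never
    completes a handshake; 198.51.100.20 is a legitimate client."""
    b = ListenerBacklog(capacity)
    for i in range(flood_syns):                    # flood arrives within two seconds
        b.on_syn("203.0.113.9", 1024 + i, now=i * 0.01)
    peak = b.half_open_by_source()
    flagged = suspicious_sources(b, threshold=10)
    # legitimate client during the flood: every slot is held by the attacker
    legit_during = b.on_syn("198.51.100.20", 40000, now=5.0)
    b.on_ack("198.51.100.20", 40000, now=5.1)      # nothing to release; returns False
    # same client after the half-open entries have expired
    legit_after = b.on_syn("198.51.100.20", 40001, now=200.0)
    b.on_ack("198.51.100.20", 40001, now=200.1)
    return {
        "attacker_half_open_at_peak": peak.get("203.0.113.9", 0),
        "flagged_sources": flagged,
        "dropped_syns": b.dropped_syns,
        "legit_during_flood": legit_during,
        "legit_after_expiry": legit_after,
    }


if __name__ == "__main__":
    print(simulate_flood())
```

The per-source count is the useful detection signal: a normal client holds at most a handful of half-open entries at once, so one address holding a large share of the table stands out long before the table is full.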

2.1.2 Smurf Attack

The Smurf attack is a popular type of DoS attack. It was named after the application first used to execute this attack. In the Smurf attack, an ICMP packet is sent out to the broadcast address of a network, but its return address has been altered to match one of the computers on that network, most likely a key server. All the computers on the network will then respond by pinging the target computer.

ICMP packets use the Internet Control Message Protocol to send error messages on the Internet. Because the packets are sent to a broadcast address, the network delivers each packet to all hosts on it, and those hosts then send their replies to the spoofed source address.

Continually sending such packets will cause the network itself to perform a DoS attack on one or more of its member servers. This attack is both clever and simple. The greatest difficulty is getting the packets started on the target network. This can be accomplished via some software such as a virus or Trojan horse that will begin sending the packets.

2.1.3 Ping of Death

The Ping of Death (PoD) is perhaps the simplest and most primitive form of DoS attack and is based on overloading the target system. TCP packets have a limited size. In some cases, simply sending a packet that is too large can shut down a target machine.

The aim of this attack is to overload the target system and cause it to quit responding. The PoD works to compromise systems that cannot deal with extremely large packet sizes. If successful, the server will actually shut down. It can, of course, be rebooted.

The only real safeguard against this type of attack is to ensure that all operating systems and software are routinely patched. This attack relies on vulnerabilities in the way a particular operating system or application handles abnormally large TCP packets. When such vulnerabilities are discovered, the vendor customarily releases a patch. The possibility of PoD is one reason, among many, why you must keep patches updated on all of your systems.

This attack is becoming less common as newer versions of operating systems are better able to handle the overly large packets that Ping of Death depends on. If the operating system is properly designed, it will drop any oversized packets, thus negating any possible negative effects a PoD attack might have.
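The oversized-packet check described above, as an added example that is not from the chapter: a small fragment reassembler that discards any datagram whose fragments would reassemble to more than the 65,535-byte maximum an IP total-length field can express, which is the check a properly designed stack applies before copying fragments into a fixed-size buffer. The hosts and fragment sizes are constructed.

```python
# Added example, not from the chapter: a fragment reassembler with the bounds
# check a properly designed IP stack applies, so that fragments which would
# reassemble into more than the 65,535-byte maximum are discarded instead of
# overflowing a buffer. Hosts and fragment sizes below are constructed.
IP_MAX_DATAGRAM = 65535   # the IP total-length field is 16 bits


class Reassembler:
    def __init__(self):
        self.buffers = {}   # (src, ident) -> {"parts": {byte_offset: payload}, "total": int or None}
        self.dropped = 0    # datagrams discarded as oversized

    def add_fragment(self, src: str, ident: int, offset_units: int,
                     payload: bytes, more_fragments: bool):
        """Feed one fragment. Returns the reassembled datagram once every
        piece is present, None while waiting, and None (with the whole
        datagram discarded) if any fragment would exceed the size limit."""
        key = (src, ident)
        offset = offset_units * 8             # the offset field counts 8-byte units
        end = offset + len(payload)
        if end > IP_MAX_DATAGRAM:             # the Ping of Death check
            self.buffers.pop(key, None)
            self.dropped += 1
            return None
        if more_fragments and len(payload) % 8:
            return None                       # only the last fragment may be unaligned
        buf = self.buffers.setdefault(key, {"parts": {}, "total": None})
        buf["parts"][offset] = payload
        if not more_fragments:
            buf["total"] = end                # the last fragment fixes the final length
        if buf["total"] is None:
            return None
        # assemble only if the pieces cover 0..total with no gaps or overlaps;
        # otherwise keep waiting (a real stack also times such buffers out)
        out, pos = bytearray(), 0
        for off in sorted(buf["parts"]):
            if off != pos:
                return None
            out += buf["parts"][off]
            pos = off + len(buf["parts"][off])
        if pos != buf["total"]:
            return None
        del self.buffers[key]
        return bytes(out)


def feed(reassembler: Reassembler, fragments):
    """Feed a list of (src, ident, offset_units, payload, more_fragments) tuples;
    returns the last verdict (the datagram, or None)."""
    result = None
    for frag in fragments:
        result = reassembler.add_fragment(*frag)
    return result


if __name__ == "__main__":
    r = Reassembler()
    # constructed: a normal 1500-byte datagram split in two
    print(len(feed(r, [("host", 1, 0, b"A" * 1480, True),
                       ("host", 1, 185, b"B" * 20, False)])))
    # constructed: a final fragment that would land beyond the 65,535 limit
    print(feed(r, [("host", 2, 8000, b"C" * 2000, False)]), r.dropped)
```

The check is done per fragment, before anything is stored, so the oversized piece never reaches the reassembly buffer and any pieces already held for that datagram are released.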

2.1.4 UDP Flood

UDP (User Datagram Protocol) is a connectionless protocol; it does not require any connection setup procedure to transfer data. TCP connects and waits for the recipient to acknowledge receipt before sending the next packet, so each packet is confirmed. UDP simply sends packets without confirmation. This allows packets to be sent much faster, making it easier to perform a DoS attack.

A UDP flood attack occurs when an attacker sends a UDP packet to a random port on the victim system. When the victim system receives a UDP packet, it will determine what application is waiting on the destination port. When it realizes that no application is waiting on the port, it will generate an ICMP destination unreachable packet to the forged source address. If enough UDP packets are delivered to ports on the victim, the system goes down.

2.1.5 DoS Tools

One reason that DoS attacks are becoming so common is that a number of tools are available for executing DoS attacks. These tools are widely available on the Internet, and in most cases are free to download. This means that any cautious administrator should be aware of them. In addition to their obvious use as an attack tool, they can also be useful for testing your anti-DoS security measures.

Low Orbit Ion Cannon (LOIC) is probably the best known and one of the simplest DoS tools. You first put the URL or IP address into the target box. Then click the Lock On button. You can change settings regarding what method you choose, the speed, how many threads, and whether or not to wait for a reply. Then simply click the IMMA CHARGIN MAH LAZER button and the attack is underway.

High Orbit Ion Cannon (HOIC) is a bit more advanced than LOIC, but actually simpler to run. Click the + button to add targets. A popup window will appear where you put in the URL as well as a few settings.

IP Spoofing

IP spoofing is essentially a technique used by hackers to gain unauthorised access to computers. Although this is the most common reason for IP spoofing, it is occasionally done simply to mask the origins of a DoS attack. In fact, DoS attacks often mask the actual IP address from which the attack is originating.

With IP spoofing, the intruder sends messages to a computer system with an IP address indicating that the message is coming from a different IP address than it is actually coming from. If the intent is to gain unauthorised access, then the spoofed IP address will be that of a system the target considers a trusted host.

To successfully perpetrate an IP spoofing attack, the hacker must first find the IP address of a machine that the target system considers a trusted source. Hackers might employ a variety of techniques to find an IP address of a trusted host. After they have that trusted IP address, they can then modify the packet headers of their transmissions so it appears that the packets are coming from that host.

IP spoofing, unlike many other types of attacks, was actually known to security experts on a theoretical level before it was ever used in a real attack. The concept of IP spoofing was initially discussed in academic circles as early as the 1980s. Although the concept behind this technique was known for some time, it was primarily theoretical until Robert Morris discovered a security weakness in the TCP protocol known as sequence prediction.

IP spoofing attacks are becoming less frequent, primarily because the venues they use are becoming more secure and in some cases are simply no longer used. However, spoofing can still be used, and all security administrators should address it.

A couple of different ways to address IP spoofing include:

  • Do not reveal any information regarding your internal IP addresses. This helps prevent those addresses from being “spoofed.”
  • Monitor incoming IP packets for signs of IP spoofing using network monitoring software. One popular product is Netlog. This and similar products look for incoming packets on the external interface that have both the source and destination IP addresses in your local domain, which essentially means an incoming packet that claims to be from inside the network when it is clearly coming from outside your network. Finding one means an attack is underway.

The danger from IP spoofing is that some firewalls do not examine packets that appear to come from an internal IP address. Routing packets through filtering routers is possible if they are not configured to filter incoming packets whose source address is in the local domain.

Examples of router configurations that are potentially vulnerable include:

  • Routers to external networks that support multiple internal interfaces
  • Proxy firewalls where the proxy applications use the source IP address for authentication
  • Routers with two interfaces that support subnetting on the internal network
  • Routers that do not filter packets whose source address is in the local domain
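The two ingress checks described in the Smurf attack and IP spoofing sections, as one added example that is not from the chapter: a classifier that drops packets arriving on the external interface with a source address inside the local domain (what the Netlog check above looks for) and drops ICMP echo requests addressed to a broadcast address (the packet a Smurf attack relies on), run over a constructed capture. The address ranges (10.0.0.0/8 as the local domain, two /24 subnets) and the interface names are assumptions for the example.

```python
# Added example, not from the chapter: the two ingress checks the Smurf and
# IP spoofing sections describe, applied to constructed packet records. The
# address ranges and interface names are assumptions for the example.
import ipaddress
from dataclasses import dataclass
from typing import Optional

LOCAL_DOMAIN = ipaddress.ip_network("10.0.0.0/8")      # our internal address space (assumed)
LOCAL_SUBNETS = [ipaddress.ip_network("10.1.0.0/24"),  # subnets whose broadcast addresses
                 ipaddress.ip_network("10.2.0.0/24")]  # an echo request must never target
ICMP_ECHO_REQUEST = 8


@dataclass
class Packet:
    iface: str                       # interface the packet arrived on: "external" or "internal"
    src: str
    dst: str
    proto: str                       # "icmp", "tcp" or "udp"
    icmp_type: Optional[int] = None


def is_broadcast(addr: str) -> bool:
    """Limited broadcast or the directed broadcast of any local subnet."""
    a = ipaddress.ip_address(addr)
    return a == ipaddress.ip_address("255.255.255.255") or any(
        a == net.broadcast_address for net in LOCAL_SUBNETS)


def classify(pkt: Packet) -> str:
    """Return "accept" or a "drop: <reason>" verdict for one packet."""
    if pkt.iface == "external" and ipaddress.ip_address(pkt.src) in LOCAL_DOMAIN:
        # a packet from outside that claims an inside source address:
        # the anti-spoofing check the text describes
        return "drop: spoofed internal source on external interface"
    if pkt.proto == "icmp" and pkt.icmp_type == ICMP_ECHO_REQUEST and is_broadcast(pkt.dst):
        # every host would answer this, to whatever source address it carries
        return "drop: echo request to broadcast address"
    return "accept"


def audit(packets) -> dict:
    """Count verdicts over a capture; any drop verdict is worth an alert."""
    counts: dict = {}
    for p in packets:
        v = classify(p)
        counts[v] = counts.get(v, 0) + 1
    return counts


SAMPLE = [   # constructed capture
    Packet("external", "203.0.113.5", "10.1.0.20", "tcp"),
    Packet("external", "10.1.0.7", "10.1.0.20", "tcp"),                    # spoofed inside source
    Packet("external", "203.0.113.5", "10.1.0.255", "icmp", ICMP_ECHO_REQUEST),  # broadcast ping
    Packet("internal", "10.1.0.7", "10.2.0.9", "icmp", ICMP_ECHO_REQUEST),       # ordinary ping
    Packet("internal", "10.1.0.7", "10.2.0.255", "icmp", ICMP_ECHO_REQUEST),     # started from inside
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.iface, p.src, "->", p.dst, classify(p))
    print(audit(SAMPLE))
```

The last sample packet is the case the text raises of the packets being started on the target network itself: the broadcast check applies regardless of which interface the echo request arrives on, so amplification launched from a compromised inside host is caught as well.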

Session Hijacking

Another form of attack is session hacking or hijacking. TCP session hijacking is a process where a hacker takes over a TCP session between two machines. Because authentication frequently is done only at the start of a TCP session, this allows the hacker to break into the communication stream and take control of the session. For example, a person might log on to a machine remotely. After establishing a connection with the host, the hacker might use session hacking to take over that session and thereby gain access to the target machine.

One popular method for session hacking is using source-routed IP packets. This allows a hacker at point A on the network to participate in a conversation between B and C by encouraging the IP packets to pass through the hacker’s machine.

The most common sort of session hacking is the “man-in-the-middle attack.” In this scenario, a hacker uses some sort of packet-sniffing program to simply listen to the transmissions between two computers, taking whatever information he or she wants but not actually disrupting the conversation. A common component of such an attack is to execute a DoS attack against one end point to stop it from responding. Because that end point is no longer responding, the hacker can now insert his own machine to stand in for that end point.

The point of hijacking a connection is to exploit trust and to gain access to a system to which one would not otherwise have access.

Firewall Types

Packet filtering firewalls are the simplest and often the least expensive type of firewalls. Several other types of firewalls offer their own distinct advantages and disadvantages. The basic types of firewalls are:

  • Packet filtering
  • Application gateway
  • Circuit level gateway
  • Stateful packet inspection

3.2.1 Packet Filtering Firewall

The packet filtering firewall is the most basic type of firewall. In a packet filtering firewall, each incoming packet is examined. Only those packets that match the criteria you set are allowed through. Many operating systems, such as Windows clients (such as Windows 8 and 10) and many Linux distributions, include basic packet filtering software with the operating system.

Packet filtering firewalls are also referred to as screening firewalls. They can filter packets based on packet size, protocol used, source IP address, and many other parameters. Some routers offer this type of firewall protection in addition to their normal routing functions.

Packet filtering firewalls work by examining a packet’s source address, destination address, source port, destination port, and protocol type. Based on these factors and the rules that the firewall has been configured to use, they either allow or deny passage to the packet. These firewalls are very easy to configure and inexpensive. Some operating systems, such as Windows 10 and Linux, include built-in packet filtering capabilities.

There are a few disadvantages of packet filtering firewalls. One disadvantage is that they do not examine the packet’s contents or compare it to previous packets; therefore, they are quite susceptible to either a ping flood or SYN flood. They also do not offer any user authentication. Because this type of firewall looks only at the packet header for information, it has no information about the packet contents.

It also does not track packets, so it has no information about the preceding packets. Therefore, if thousands of packets came from the same IP address in a short period of time, a host would not notice that this pattern is unusual. Such a pattern often indicates that the IP address in question is attempting to perform a DoS attack on the network.

To configure a packet filtering firewall, simply establish appropriate filtering rules. A set of rules for a given firewall would need to cover the following:

  • What types of protocols to allow (FTP, SMTP, POP3, etc.)
  • What source ports to allow
  • What destination ports to allow
  • What source IP addresses to allow (you can block certain IP addresses if you wish)

These rules will allow the firewall to determine what traffic to allow in and what traffic to block. This sort of firewall uses only very limited system resources, is relatively easy to configure, and can be obtained inexpensively or even for free. Although it is not the most secure type of firewall, you are likely to encounter it frequently.

3.2.2 Stateful Packet Inspection

The stateful packet inspection (SPI) firewall is an improvement on basic packet filtering. This type of firewall will examine each packet, denying or permitting access based not only on the examination of the current packet, but also on data derived from previous packets in the conversation.

This means that the firewall is aware of the context in which a specific packet was sent. This makes these firewalls far less susceptible to ping floods and SYN floods, as well as being less susceptible to spoofing. SPI firewalls are less susceptible to these attacks for the following reasons:

  • They can tell whether the packet is part of an abnormally large stream of packets from a particular IP address, thus indicating a possible DoS attack in progress.
  • They can tell whether the packet has a source IP address that appears to come from inside the firewall, thus indicating IP spoofing is in progress.
  • They can also look at the actual contents of the packet, allowing for some very advanced filtering capabilities.

Most quality firewalls today use the stateful packet inspection method; when possible, this is the recommended type of firewall for most systems. In fact, most home routers have the option of using stateful packet inspection.

The name stateful packet inspection derives from the fact that in addition to examining the packet, the firewall is examining the packet’s state in relationship to the entire IP conversation. This means the firewall can refer to the preceding packets as well as those packets’ contents, source, and destination. As you might suspect, SPI firewalls are becoming quite common.
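The difference between sections 3.2.1 and 3.2.2, as one added example that is not from the chapter: a stateless first-match rule set and a stateful filter deciding the same constructed packets. The stateless filter has to hold the HTTPS reply port open to every inside host, so an unsolicited inbound packet with a forged source port gets through; the stateful filter admits inbound packets only as replies to flows it saw leave, and counts SYNs per source to its one published service. The rules, addresses and SYN threshold are assumptions for the example.

```python
# Added example, not from the chapter: a stateless packet filter (section
# 3.2.1) and a stateful one (section 3.2.2) deciding the same constructed
# packets. Rules, addresses and the SYN threshold are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    direction: str   # "in" (from the Internet) or "out" (from our network)
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # TCP flags: "S" for SYN, "SA" for SYN-ACK, "A" for ACK


# Stateless rules, first match wins; a field that is absent is a wildcard.
STATELESS_RULES = [
    {"direction": "out", "proto": "tcp", "action": "allow"},
    # HTTPS replies come back from source port 443, so a stateless filter
    # must hold that port open towards every internal host
    {"direction": "in", "proto": "tcp", "sport": 443, "action": "allow"},
    {"direction": "in", "proto": "tcp", "dport": 22, "action": "allow"},   # published SSH server
    {"action": "deny"},
]


def stateless_decide(pkt: Pkt) -> str:
    """Header fields against the rule list, nothing else is consulted."""
    for rule in STATELESS_RULES:
        if all(getattr(pkt, k) == v for k, v in rule.items() if k != "action"):
            return rule["action"]
    return "deny"


class StatefulFilter:
    """Admits inbound packets only as replies to flows it saw leave, plus
    the published service, and counts SYNs per source on that service."""

    def __init__(self, syn_threshold: int = 50):
        self.flows = set()          # (src, sport, dst, dport) of outbound-initiated flows
        self.syn_counts: dict = {}  # external source -> SYNs sent to the published service
        self.syn_threshold = syn_threshold

    def decide(self, pkt: Pkt) -> str:
        if pkt.direction == "out":
            if pkt.proto == "tcp" and pkt.flags == "S":
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        # inbound: the reverse of a flow an inside host started?
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "allow"
        if pkt.proto == "tcp" and pkt.dport == 22:
            if pkt.flags == "S":
                n = self.syn_counts.get(pkt.src, 0) + 1
                self.syn_counts[pkt.src] = n
                if n > self.syn_threshold:
                    return "deny: SYN rate from %s" % pkt.src
            return "allow"
        return "deny"


def compare(packets) -> list:
    """(stateless, stateful) verdict per packet, in order."""
    sf = StatefulFilter()
    return [(stateless_decide(p), sf.decide(p)) for p in packets]


SAMPLE = [   # constructed traffic
    Pkt("out", "tcp", "10.0.0.5", 40000, "198.51.100.9", 443, "S"),   # client opens HTTPS
    Pkt("in", "tcp", "198.51.100.9", 443, "10.0.0.5", 40000, "SA"),   # the genuine reply
    Pkt("in", "tcp", "203.0.113.7", 443, "10.0.0.5", 40001, "S"),     # unsolicited, forged sport
    Pkt("in", "tcp", "203.0.113.7", 51000, "10.0.0.22", 22, "S"),     # ordinary SSH connect
]

if __name__ == "__main__":
    for p, verdict in zip(SAMPLE, compare(SAMPLE)):
        print(p.direction, p.src, p.sport, "->", p.dst, p.dport, verdict)
```

The third sample packet is the one to watch: it matches the stateless rule for port 443 purely on its header, while the stateful filter rejects it because no inside host ever opened a flow to 203.0.113.7. The per-source SYN counter is the same idea applied to the flood case in the text: the filter knows how many connection attempts it has already seen from that address.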

3.2.3 Application Gateway

An application gateway (also known as application proxy or application-level proxy) is a program that runs on a firewall. This type of firewall derives its name from the fact that it works by negotiating with various types of applications to allow their traffic to pass the firewall. In networking terminology, negotiation is a term used to refer to the process of authentication and verification. In other words, rather than looking at the protocol and port the packet is using, an application gateway will examine the client application and the server-side application to which it is trying to connect.

It will then determine if that particular client application’s traffic is permitted through the firewall. This is significantly different from a packet filtering firewall, which examines the packets and has no knowledge of what sort of application sent them. Application gateways enable the administrator to allow access only to certain specified types of applications, such as web browsers or FTP clients.

When a client program, such as a web browser, establishes a connection to a destination service, such as a web server, it connects to an application gateway, or proxy. The client then negotiates with the proxy server in order to gain access to the destination service.

In effect, the proxy establishes the connection with the destination behind the firewall and acts on behalf of the client, hiding and protecting individual computers on the network behind the firewall. This process actually creates two connections. There is one connection between the client and the proxy server and another connection between the proxy server and the destination.

Once a connection is established, the application gateway makes all decisions about which packets to forward. Since all communication is conducted through the proxy server, computers behind the firewall are protected.

With an application gateway, each supported client program requires a unique program to accept client application data. This sort of firewall allows for individual user authentication, which makes them quite effective at blocking unwanted traffic. However, a disadvantage is that these firewalls use a lot of system resources. The process of authenticating client applications uses more memory and CPU time than simple packet filtering.

Application gateways are also susceptible to various flooding attacks (SYN flood, ping flood, etc.) for two reasons. The first potential cause of a flooding attack may be the additional time it takes for an application to negotiate authenticating a request. Remember that both the client application and the user may need to be authenticated. This takes more time than simply filtering packets based on certain parameters.

For this reason, a flood of connection requests can overwhelm the firewall, preventing it from responding to legitimate requests. Application gateways may also be more susceptible to flooding attacks because once a connection is made, packets are not checked. If a connection is established, then that connection can be used to send a flooding attack to the server it has connected to, such as a web server or e-mail server.

This vulnerability is mitigated somewhat by authenticating users. Provided the user logon method is secure (appropriate passwords, encrypted transmission, etc.), the likelihood that someone can use a legitimate connection through an application gateway for a flooding attack is reduced.

3.2.4 Circuit Level Gateway

Circuit level gateway firewalls are similar to application gateways but are more secure and generally implemented on high-end equipment. These types of firewalls also employ user authentication, but they do so earlier in the process.

With an application gateway, first the client application is checked to see if access should be granted, and then the user is authenticated. With circuit level gateways, authenticating the user is the first step. The user’s logon ID and password are checked, and the user is granted access before the connection to the router is established. This means that each individual, either by username or IP address, must be verified before any further communication can take place.

Once this verification takes place and the connection between the source and destination is established, the firewall simply passes bytes between the systems. A virtual “circuit” exists between the internal client and the proxy server. Internet requests go through this circuit to the proxy server, and the proxy server delivers those requests to the Internet after changing the IP address. External users only see the IP address of the proxy server.

Responses are then received by the proxy server and sent back through the circuit to the client. It is this virtual circuit that makes the circuit level gateway secure. The private secure connection between the client application and the firewall is a more secure solution than some other options, such as the simple packet filtering firewall and the application gateway.

While traffic is allowed through, external systems never see the internal systems.

Firewall Implementation

Administrators must be able to evaluate implementation issues to achieve a successful security solution for their systems. Understanding the type of firewall means knowing how the firewall will evaluate traffic and decide what to allow and what not to allow. Understanding the firewall’s implementation means understanding how that firewall is set up in relation to the network it is protecting. The most widely used configurations include:

  • Network host-based
  • Dual-homed host
  • Router-based firewall
  • Screened host

3.3.1 Host Based

In the host-based (sometimes called network host-based) scenario the firewall is a software solution installed on an existing machine with an existing operating system. The most significant concern in this scenario is that, no matter how good the firewall solution is, it is contingent upon the underlying operating system. In such a scenario, it is critical that the machine hosting the firewall have a hardened operating system. Hardening the operating system refers to taking several security precautions including:

  • Ensuring all patches are updated
  • Uninstalling unneeded applications or utilities
  • Closing unused ports
  • Turning off all unused services

In the network host-based implementation, you install the firewall software onto an existing server. Sometimes, the server’s operating system may come with such software. It is not at all uncommon for administrators to use a machine running Linux, configure its built-in firewall, and use that server as a firewall. The primary advantage to this option is cost. It is much cheaper to simply install firewall software onto an existing machine, and use that machine as your firewall.

3.3.2 Dual-Homed Hosts

A dual-homed host is a firewall running on a server with at least two network interfaces. This is an older methodology. Most firewalls today are implemented in actual routers, rather than servers. The server acts as a router between the network and the interfaces to which it is attached.

To make this work, the automatic routing function is disabled, meaning that an IP packet from the Internet is not routed directly to the network. The administrator can choose what packets to route and how to route them. Systems inside and outside the firewall can communicate with the dual-homed host, but cannot communicate directly with each other.

The dual-homed host configuration is simply an expanded version of the network host firewall implementation. That means it is also dependent on the security of the underlying operating system. Any time a firewall is running on a server of any kind, the security of that server’s operating system becomes even more critical than normal.

This option has the advantage of being relatively simple and inexpensive. The primary disadvantage is its dependency on the underlying operating system.

3.3.3 Router-Based Firewall

Administrators can implement firewall protection on a router. In fact, even the simplest, low-end routers today have some type of firewall included. In larger networks with multiple layers of protection, this is often the first layer of protection. Although various types of firewalls can be implemented on a router, the most common type uses packet filtering. Users of a broadband connection in a home or small office can get a packet filtering firewall router to replace the basic router provided by the broadband company.

In many cases, this solution is also ideal for the firewall novice. A number of vendors supply router-based firewalls that can be preconfigured by the vendor based on the customer’s needs. The customer can then install it between the network and external Internet connection. In addition, most of the widely known brands (Cisco, 3Com, etc.) offer vendor-specific training and certifications in their hardware, making it relatively easy to find qualified administrators or to train current staff.

Another valuable way to implement router-based firewalls is between subsections of a network. If a network is divided into segments, each segment needs to use a router to connect to the other segments. Using a router that also includes a firewall significantly increases security. If the security of one segment of the network is compromised, the rest of the network is not necessarily breached.

Perhaps the best advantage of router-based firewalls is the ease of setup. In many cases, the vendor will even configure the firewall for you, and you simply plug it in. Most home-based routers today, such as those from Linksys, Belkin, or Netgear, have a built-in firewall. And in fact virtually all higher-end routers include firewall capability.

3.3.4 Screened Hosts

A screened host is really a combination of firewalls. In this configuration, a combination of a bastion host and a screening router is used. The combination creates a dual firewall solution that is effective at filtering traffic. The two firewalls can be different types. The bastion host might be an application gateway and the router a packet screener (or vice versa). This approach gives the advantages of both types of firewalls and is similar in concept to the dual-homed host.

The screened host has some distinct advantages over the dual-homed firewall. Unlike the dual-homed firewall, the screened host needs only one network interface and does not require a separate subnet between the application gateway and the router. This makes the firewall more flexible but perhaps less secure because its reliance on only one network interface card means that it might be configured to pass certain trusted services to the application gateway portion of the firewall and directly to servers within the network.

The most significant concern when using the screened host is that it essentially combines two firewalls into one. Therefore, any security flaw or misconfiguration affects both firewalls. When you use a DMZ there are physically two separate firewalls, and the likelihood of any security flaw being propagated to both is low.

Proxy Servers

A proxy server is often used with a firewall to hide the internal network’s IP address and present a single IP address (its own) to the outside world. A proxy server is a server that sits between a client application, such as a web browser, and a real server. Proxy servers prevent hackers from seeing the IP addresses of internal machines, knowing how many machines are behind the proxy server, or learning anything about the network configuration.

Proxy servers also provide a valuable control mechanism because most proxy servers log all outgoing traffic. This enables network administrators to see where employees go on the Internet. A proxy server normally runs as software on the same machine as your firewall.

The proxy server is configured to redirect certain traffic. For example, incoming traffic using the HTTP protocol is usually allowed through the proxy server but is redirected to the web server. That means that all outgoing and incoming HTTP traffic first goes through the proxy server. A proxy server can be configured to redirect any traffic you want. If an e-mail server or FTP server is on the network, all incoming and outgoing traffic for those servers will run through the proxy server.

Using a proxy server means that when a machine inside the network visits a website, the website will only detect that the proxy server visited it. In fact, if dozens of different machines on the network visit a site that logs the IP addresses of incoming connections, they will all be logged with the same IP address—that of the proxy server.

For the most part this sort of proxy server has been supplanted by network address translation. The term proxy server is still used, however, for a different application: proxy servers now work with the firewall to filter things such as web content. They allow a network administrator to block certain sites and to record all the websites a given user visits.

This hiding of the network is a very valuable service because knowledge of internal IP addresses can be used to execute certain forms of attack. For example, IP spoofing is contingent upon knowing the IP address of some internal server. Hiding those IP addresses is an important step in network security. It can also be very useful to know where employees go on the Internet.

Proxy servers track such information, and many network administrators use this to restrict employees from using the company Internet connection for illicit purposes. This can also be a useful tool for stopping attacks. An employee who visits hacker websites might be a potential security risk. They may elect to try some of the techniques they read about on the network. Administrators can also detect potential industrial espionage. An employee who spends a lot of time on a competitor’s website might be considering a job change and might consider taking valuable data with him.

3.4.1 NAT (Network Address Translation)

For many organisations, proxy servers have been superseded by a newer technology known as network address translation (NAT). Today what we call proxy servers don’t do what proxy servers originally did (i.e., translate a private IP address into a public IP address). Primarily, NAT translates internal addresses and external addresses to allow communication between network computers and outside computers. The outside sees only the address of the machine running NAT (often the firewall). From this perspective, it is functioning exactly like a proxy server.

NAT also provides significant security because, by default, it allows only connections that are originated on the inside network. This means that a computer inside the network can connect to an outside web server, but an outside computer cannot connect to a web server inside the network. You can make some internal servers available to the outside world via inbound mapping, which maps certain well-known TCP ports (80 for HTTP, 21 for FTP, etc.) to specific internal addresses, thus making services such as FTP or websites available to the outside world. However, this inbound mapping must be done explicitly; it is not present by default.


Windows Firewalls

Windows first started shipping a primitive firewall, called Internet Connection Firewall (ICF), with Windows 2000. It was very simple. Each version of Windows since then has expanded upon this idea. Windows 10 ships with a fully functioning firewall. This firewall can block inbound and outbound packets. To access the Windows 10 firewall, click the Start button and type Firewall.

Beginning with Windows Server 2008, Windows Firewall is a stateful packet inspection firewall. With the Windows 10 Firewall, you can set different rules for outbound and inbound traffic. For example, your standard workstation will probably allow outbound HTTP traffic on port 80, but you might not want to allow inbound traffic on that port (unless you are running a web server on that workstation).

You can also set up rules for a port, a program, a custom rule, or one of the many predefined rules that Microsoft has for you to select from. You can also choose not only to allow or block the connection, but to allow it only if it is secured by IPSec. That provides you with three options for any connection.

Rules allow or block a given application or port, and you can have different rules for inbound and outbound traffic. You can set rules for individual ports (all 65,554 available network ports) and for applications. The rules in the Windows firewall give you a lot of flexibility.

More importantly, you can apply rules differently depending on where the traffic comes from. You can set up rules for three areas or profiles:

  • Domain: For those computers authenticated on your domain.
  • Public: For computers from outside your network. You would treat outside traffic more carefully than traffic coming from another machine in your domain.
  • Private: Private refers to traffic from your own computer, thus the term private.

Administrators should always follow these rules with all packet filtering firewalls:

  • If you do not explicitly need a port, then block it. For example, if you are not running a web server on that machine, then block all inbound port 80 traffic. With home machines, you can usually block all ports. With individual workstations on a network, you may need to keep some ports open in order to allow various network utilities to access the machine.
  • Unless you have a compelling reason not to, always block ICMP traffic because many utilities such as ping, tracert, and many port scanners use ICMP packets. If you block ICMP traffic, you will prevent many port scanners from scanning your system for vulnerabilities.

The Windows Firewall also has a logging feature, but it is disabled by default. Turn this feature on (when you configure the firewall you will see a place to turn on logging). Check this log periodically. You can find more details on the Windows 10 Firewall at https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security.


Linux Firewalls

Linux has firewall capabilities built into the operating system. This has been a part of the Linux operating system for many years, with occasional improvements in the technology.

3.7.1 Iptables

The first widely used Linux firewall was called ipchains. It was essentially a chain of rules for filtering traffic. It was first introduced in version 2.2 of the Linux kernel and superseded the previous ipfwadm (which was not widely used). The more modern iptables replaced ipchains and is the primary firewall for Linux. The iptables service was first introduced in Linux kernel 2.4.

On most Linux systems, iptables is installed as /usr/sbin/iptables. However, if it was not included in your particular Linux installation, you can add it later.

An iptables firewall is made up of three different kinds of objects: tables, chains, and rules. Basically, the tables contain chains of rules. Put another way, iptables is an expansion on the concept of ipchains. Each chain has a series of rules that define how to filter packets. There are three tables, and each has some standard rule chains in it. You can, of course, add your own custom rules. The three tables and their standard chains are as follows:

  • Packet filtering: This table is the essential part of the firewall. It is a packet filtering firewall and it contains three standard chains: INPUT, OUTPUT, and FORWARD. The INPUT chain processes incoming packets, and the OUTPUT chain processes traffic sent out from the machine. If the firewall system is also acting as a router, only the FORWARD chain applies to routed packets.
  • Network address translation: This table is used for performing network address translation on outbound traffic that initiates a new connection. This is used only if your machine is serving as a gateway or proxy server.
  • Packet alteration: This table is used only for specialized packet alteration. It is often called the mangle table because it alters, or mangles, packets. It contains two standard chains. This table might not even be needed for many standard firewalls.
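As an added example (not from the course notes), the following script shows the nat table in the gateway role described in 3.4.1: outbound MASQUERADE so the outside sees only the gateway's address, a FORWARD policy that lets only inside-originated connections through, and one explicit inbound mapping of a well-known port to an internal host. Interface names, the private network and the internal web server address are placeholders, and the commands are printed (dry run) unless IPT=iptables is set.

```shell
#!/bin/sh
# Gateway NAT with iptables. Placeholders: eth0 is the public side, eth1 the
# private side, 10.0.0.0/24 the internal network, 10.0.0.10 the web server.
IPT=${IPT:-echo iptables}        # dry run by default; IPT=iptables to apply
WAN=${WAN:-eth0}                 # interface holding the public address
LAN=${LAN:-eth1}                 # interface facing the private network
LAN_NET=${LAN_NET:-10.0.0.0/24}
WEB_SERVER=${WEB_SERVER:-10.0.0.10}
# Routing between the interfaces must also be enabled on the kernel side:
#   sysctl -w net.ipv4.ip_forward=1

apply_nat() {
    $IPT -t nat -F
    # Outbound: rewrite private source addresses to the gateway's own public
    # address, so every internal host appears as the NAT machine.
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j MASQUERADE
    # Nothing crosses the gateway unless a rule below allows it.
    $IPT -P FORWARD DROP
    # Connections that originate on the inside, and the replies to them.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# map_inbound PORT INTERNAL_HOST
# The explicit inbound mapping the text describes: without it an outside
# host cannot reach anything behind the gateway. DNAT rewrites the
# destination; the FORWARD rule then permits exactly that new connection.
map_inbound() {
    port=$1; target=$2
    $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$port" \
         -j DNAT --to-destination "$target:$port"
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$target" --dport "$port" \
         -m conntrack --ctstate NEW -j ACCEPT
}

apply_nat
map_inbound 80 "$WEB_SERVER"
```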

3.7.2 Iptables Configuration

Iptables requires some configuration. You can do it through the GUI (KDE, GNOME, etc.) but the shell commands are common to most distributions. Let’s take a look at some common basic configuration.

To cause iptables to function as a basic packet filtering firewall, you need these commands:

  • iptables -F
  • iptables -N block
  • iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT

Obviously, that is the most basic and essential iptables configuration. However, here are some others.

To list the current iptables rules use:

  • iptables -L

To allow communication on a specific port, SSH port 22 and HTTP port 80 for example, use:

  • iptables -A INPUT -p tcp --dport ssh -j ACCEPT
  • iptables -A INPUT -p tcp --dport 80 -j ACCEPT

There are also several flags that can be passed to the iptables command. The most common flags and what they do are listed below. Several other flags exist but are not listed.

  • -A: Append this rule to a rule chain
  • -L: List the current filter rules
  • -p: The connection protocol used
  • --dport: The destination port required for the rule. A single port can be given or a range.
  • -i: Only match if the packet is coming in on the specified interface.
  • -v: Verbose output
  • -s, --source: address source specification
  • -d, --destination: address destination specification


Guided Exercise: Configuring iptables Rules

Resources
  Files: None
  Machines: Ubuntu Server

In this exercise, you are required to write custom iptables rules.

Login to Ubuntu Server and then run the command “sudo iptables -L”. It will ask for the user password. Enter the user password, which is “Pa$$w0rd”, press Enter, and it will show the current iptables rules.

Write the command “sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT” and, if sudo asks for the user password, enter “Pa$$w0rd”. Then run the command “sudo iptables -L” to list the iptables rules.

Write the command “sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT” and, if sudo asks for the user password, enter “Pa$$w0rd”. Then run the command “sudo iptables -L” to list the iptables rules.

To save the iptables rules run the command “sudo iptables-save”.
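As an added example (not from the course notes or the exercise), here is a small script that turns the commands from the configuration section and the exercise above into a complete stateful baseline ruleset for a single host. It assumes SSH and HTTP/HTTPS are the only services to expose, uses the conntrack match as the modern equivalent of the page's `-m state`, and prints the commands (dry run) unless IPT=iptables is set.

```shell
#!/bin/sh
# Minimal stateful packet-filtering ruleset for a single Linux host.
# Review the output first, then apply with:  IPT=iptables sh firewall.sh
IPT=${IPT:-echo iptables}
SSH_PORT=${SSH_PORT:-22}
WEB_PORTS=${WEB_PORTS:-80 443}

apply_ruleset() {
    # Start from a clean filter table (the page's "iptables -F").
    $IPT -F
    $IPT -X
    # Default deny for inbound and routed traffic; the host may send freely.
    # Because ICMP is never opened below, ping/traceroute probes are dropped
    # too, which is the page's advice for packet-filtering firewalls.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Loopback must always work (local services, resolvers).
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections this host opened: the stateful rule the page
    # writes as "-m state --state ESTABLISHED,RELATED".
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Packets that belong to no known connection (stray or malformed flags).
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    # Only explicitly opened services accept new connections.
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
    for port in $WEB_PORTS; do
        $IPT -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    # Rate-limited log of everything the DROP policy is about to discard,
    # so the log stays readable during a scan.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
}

apply_ruleset
```

Save the result with `iptables-save` as the exercise does, otherwise the rules are gone after a reboot.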


IDS Concepts

There are six basic approaches to intrusion-detection and prevention. Some of these methods are implemented in various software packages, and others are simply strategies that an organisation can employ to decrease the likelihood of a successful intrusion.

Historically, when IDSs were first developed, hubs were used very frequently. Today, switches are used rather than hubs. With a hub, after a packet has travelled from its source network to the destination network (being routed by its destination IP address), it finally arrives at the network segment on which the target is located. After it gets to that final segment, the MAC address is used to find the target. All the computers on that segment can see the packet, but because the destination MAC address does not match the MAC address of their network card, they ignore the packet.

At some point, enterprising individuals realized that if they simply chose not to ignore packets not destined for their network card, they could see all the traffic on the network segment. In other words, one could look at all the packets on that network segment. Thus the packet sniffer was born. After that it was just a matter of time before the idea came about of analysing those packets for indications of an attack, thereby giving rise to intrusion-detection systems.

4.1.1 Pre-emptive Blocking

Pre-emptive blocking seeks to prevent intrusions before they occur. This is done by observing any danger signs of imminent threats and then blocking the user or IP address from which these signs originate. Examples of this technique include attempts to detect the early footprinting stages of an imminent intrusion, then blocking the IP or user that is the source of the footprinting activity. If you find that a particular IP address is the source of frequent port scans and other scans of your system, then you would block that IP address at the firewall.

This sort of intrusion detection and avoidance can be quite complicated, and there is the potential of blocking a legitimate user by mistake. The complexity arises from distinguishing legitimate traffic from that indicative of an impending attack. This can lead to the problem of false positives, in which the system mistakenly identifies legitimate traffic as some form of attack.

Usually, a software system will simply alert the administrator that suspicious activity has taken place. A human administrator will then make the decision whether or not to block the traffic. If the software automatically blocks any addresses it deems suspicious, you run the risk of blocking out legitimate users. It should also be noted that nothing prevents the offending user from moving to a different machine to continue the attack. This sort of approach should only be one part of an overall intrusion-detection strategy and not the entire strategy.

4.1.2 Anomaly Detection

Anomaly detection involves actual software that works to detect intrusion attempts and notify the administrator. This is what many people think of when they talk about intrusion-detection systems. The general process is simple: The system looks for any abnormal behaviour. Any activity that does not match the pattern of normal user access is noted and logged. The software compares observed activity against expected normal usage profiles. Profiles are usually developed for specific users, groups of users, or applications. Any activity that does not match the definition of normal behaviour is considered an anomaly and is logged. This is sometimes referred to as a “trace back” detection process, because the logged activity lets us establish where a packet was delivered from. The specific ways in which an anomaly is detected include:

  • Threshold monitoring
  • Resource profiling
  • User/group work profiling
  • Executable profiling

4.1.2.1 Threshold Monitoring

Threshold monitoring pre-sets acceptable behaviour levels and observes whether these levels are exceeded. This could include something as simple as a finite number of failed login attempts or something as complex as monitoring the time a user is connected and the amount of data that user downloads. Thresholds provide a definition of acceptable behaviour. Unfortunately, characterizing intrusive behaviour only by the threshold limits can be somewhat challenging. It is often quite difficult to establish proper threshold values or the proper time frames at which to check those threshold values. This can result in a high rate of false positives in which the system misidentifies normal usage as a probable attack.
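Threshold monitoring of the failed-login kind described here, together with the pre-emptive blocking response from 4.1.1, as an added example that is not part of the course notes: a POSIX shell/awk function flags any source address that reaches THRESHOLD failed SSH logins inside a WINDOW of seconds, and a second function turns each flagged address into the firewall block the text suggests (printed, not applied). The log lines are constructed sample data and all fall on one day, so only the time of day is parsed.

```shell
#!/bin/sh
# Constructed sample of sshd auth-log lines (not real data). The first source
# fails three times in eight seconds; the third fails three times spread over
# two and a half minutes; the second fails once and then logs in normally.
SAMPLE_AUTH_LOG='Jan 12 10:00:01 srv sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 12 10:00:03 srv sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Jan 12 10:00:09 srv sshd[2103]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jan 12 10:00:15 srv sshd[2104]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Jan 12 10:00:20 srv sshd[2105]: Accepted password for alice from 198.51.100.7 port 40002 ssh2
Jan 12 10:15:00 srv sshd[2110]: Failed password for bob from 192.0.2.44 port 33000 ssh2
Jan 12 10:16:00 srv sshd[2111]: Failed password for bob from 192.0.2.44 port 33001 ssh2
Jan 12 10:17:30 srv sshd[2112]: Failed password for bob from 192.0.2.44 port 33002 ssh2'

# detect_bruteforce THRESHOLD WINDOW   (log lines on stdin)
# Prints each source address once, the moment it reaches THRESHOLD failed
# logins within the last WINDOW seconds. The time frame is what separates a
# guessing run from a user who mistypes a password a few times a day; the
# same three failures are an alert at 60 seconds and noise at 600.
detect_bruteforce() {
    awk -v thr="$1" -v win="$2" '
    /Failed password/ {
        split($3, hms, ":")                  # HH:MM:SS -> seconds of day
        t = hms[1] * 3600 + hms[2] * 60 + hms[3]
        ip = ""
        for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
        if (ip == "") next
        n[ip]++
        ts[ip, n[ip]] = t                    # remember every failure time
        c = 0
        for (j = 1; j <= n[ip]; j++) if (ts[ip, j] >= t - win) c++
        if (c >= thr && !(ip in flagged)) { flagged[ip] = 1; print ip }
    }'
}

# block_commands   (flagged addresses on stdin)
# Emits the firewall rule the text recommends for each offender. Printed
# rather than executed so an administrator can review it first, which is
# the safeguard against blocking a legitimate user by mistake.
block_commands() {
    while read -r ip; do
        echo "iptables -I INPUT -s $ip -j DROP"
    done
}

# Three failures within 60 seconds flags only the first source.
printf '%s\n' "$SAMPLE_AUTH_LOG" | detect_bruteforce 3 60 | block_commands
```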

4.1.2.2 Resource Profiling

Resource profiling measures system-wide use of resources and develops a historic usage profile. Looking at how a user normally utilizes system resources enables the system to identify usage levels that are outside normal parameters. Such abnormal readings can be indicative of illicit activity underway. However, it may be difficult to interpret the meaning of changes in overall system usage. An increase in usage might simply indicate something benign like increased workflow rather than an attempt to breach security.

4.1.2.3 User/Group Work Profiling

In user/group work profiling, the IDS maintains individual work profiles about users and groups. These users and groups are expected to conform to these profiles. As the user changes his activities, his expected work profile is updated to reflect those changes. Some systems attempt to monitor the interaction of short-term versus long-term profiles. The short-term profiles capture recent changing work patterns, whereas the long-term profiles provide a view of usage over an extended period of time. However, it can be difficult to profile an irregular or dynamic user base. Profiles that are defined too broadly enable any activity to pass review, whereas profiles that are defined too narrowly may inhibit user work.

4.1.2.4 Executable Profiling

Executable profiling seeks to measure and monitor how programs use system resources with particular attention to those whose activity cannot always be traced to a specific originating user. For example, system services usually cannot be traced to a specific user launching them. Viruses, Trojan horses, worms, trapdoors, and other software attacks are addressed by profiling how system objects such as files and printers are normally used not only by users, but also by other system subjects on the part of users. In most conventional systems, for example, any program, including a virus, inherits all of the privileges of the user executing the software. The software is not limited by the principle of least privilege to only those privileges needed to properly execute. This openness in the architecture permits viruses to covertly change and infect totally unrelated parts of the system.

Executable profiling enables the IDS to identify activity that might indicate an attack. Once a potential danger is identified, the method of notifying the administrator, such as by network message or e-mail, is specific to the individual IDS.


Components and Processes of IDS

Regardless of what IDS you select, they all have certain components in common. It is important to have a general understanding of these components.

The following terms will familiarize you with basic components and functions in all IDSs:

  • An activity is an element of a data source that is of interest to the operator.
  • The administrator is the person responsible for organisational security.
  • A sensor is the IDS component that collects data and passes it to the analyser for analysis.
  • The analyser is the component or process that analyses the data collected by the sensor.
  • An alert is a message from the analyser indicating that an event of interest has occurred.
  • The manager is the part of the IDS used to manage, for example a console.
  • Notification is the process or method by which the IDS manager makes the operator aware of an alert.
  • The operator is the person primarily responsible for the IDS. This is often the administrator.
  • An event is an occurrence that indicates a suspicious activity may have occurred.
  • The data source is the raw information that the IDS uses to detect suspicious activity.

Beyond these basic components, IDSs can be classified either based on how they respond to detected anomalies or based on how they are deployed. An active IDS, now called an IPS (Intrusion Prevention System), will stop any traffic deemed to be malicious. A passive IDS simply logs the activity and perhaps alerts an administrator. The problem with IPS/active IDS is the possibility of false positives. It is possible to have activity that appears to be an attack, but really is not. You can also define IDS/IPS based on whether a single machine is monitored or an entire network segment is monitored. If it is a single machine, then it is called a HIDS (host-based intrusion-detection system) or HIPS (host-based intrusion prevention system). If it is a network segment then it is called a NIDS (network-based intrusion-detection system) or NIPS (network-based intrusion prevention system).

Implementing IDS

Many vendors supply IDSs, and each of these systems has its own strengths and weaknesses. Deciding which system is best for a particular environment depends on many factors, including the network environment, security level required, budget constraints, and the skill level of the person who will be working directly with the IDS.

4.3.1 Snort

Snort is perhaps the most well-known open source IDS available. It is a software implementation installed on a server to monitor incoming traffic. It typically works with a host-based firewall in a system in which both the firewall software and Snort run on the same machine. Snort is available for UNIX, Linux, FreeBSD, and Windows. The software is free to download, and documentation is available at the website: www.snort.org. Snort works in one of three modes: sniffer, packet logger, and network intrusion-detection.

4.3.1.1 Sniffer

In packet sniffer mode, the console (shell or command prompt) displays a continuous stream of the contents of all packets coming across that machine. This can be a very useful tool for a network administrator. Finding out what traffic is traversing a network can be the best way to determine where potential problems lie. It is also a good way to check whether transmissions are encrypted.

4.3.1.2 Packet Logger

Packet logger mode is similar to sniffer mode. The difference is that the packet contents are written to a text file log rather than displayed in the console. This can be more useful for administrators who are scanning a large number of packets for specific items. Once the data is in a text file, users can scan for specific information using a word processor’s search capability.

4.3.1.3 Network Intrusion-Detection

In network intrusion-detection mode, Snort uses a heuristic approach to detecting anomalous traffic. This means it is rule-based and it learns from experience. A set of rules initially governs a process. Over time, Snort combines what it finds with the settings to optimize performance. It then logs that traffic and can alert the network administrator. This mode requires the most configuration because the user determines the rules they wish to implement for the scanning of packets. Snort works primarily from the command line (shell in Unix/Linux, command prompt in Windows).

Configuring Snort is mostly a matter of knowing the correct commands to enter and understanding their output. Anyone with even moderate experience with either Linux shell commands or DOS commands can quickly master the Snort configuration commands. Snort is a good tool when used in conjunction with host-based firewalls or as an IDS on each server to provide additional security.

4.3.2 Cisco Intrusion Detection and Prevention

The Cisco brand is widely recognised and well respected in the networking profession. Along with their firewalls and routers, Cisco has several models of intrusion detection, each with a different focus/purpose. In the past, Cisco had two specific, widely used IDS products, the Cisco IDS 4200 Series Sensors and Cisco Catalyst 6500 Series Intrusion-Detection System (IDSM-2) Services Module.

There are a number of products in this group, notably the Firepower 4100 series, the Firepower 8000 series, and the Firepower 9000 series. All the products include malware protection as well as sandboxing. These Cisco products also integrate cyber threat intelligence features.

The 4100 series is meant for small networks and the 9000 series is designed for large scale networks. One of the chief benefits of using Cisco security products is their widespread use across the industry and the availability of good training. The fact that so many organisations use Cisco indicates a high level of successful field testing, which generally indicates a reliable product. Cisco also sponsors a range of certifications on its products, making it easier to determine whether someone is qualified on a particular Cisco product.


Guided Exercise: Implementing an IDS

Resources
  Files: None
  Machines: Windows Server, Ubuntu Server

In this exercise you are required to install Snort on Windows Server and capture data for analysis.

Login to Windows Server and open the desktop folder Exercises -> Snort. Double click the Snort Installer file to install it.

Accept the License Agreement by clicking I Agree.

Click Next on the Choose Components window.

Click Next on the Choose Install Location.

Click Close once the installation finishes and then OK on the Snort Setup.

Copy the file snort.conf from the Desktop folder Exercises -> Snort to C:\Snort\etc and overwrite the file that is already there. Copy the file local.rules from the Desktop folder Exercises -> Snort to C:\Snort\rules.

Open the file local.rules using WordPad. Under the LOCAL RULES section there are several rules, each consisting of a header and a body. The first rule detects a SYN scan and the second rule detects an ACK scan.

On the folder Exercises -> Snort double click the file WinPcap to install it. Click Next on the WinPcap Setup window and then click I Agree. Click Install on the next window and leave the check mark on Automatically start the WinPcap driver at boot time. 

Once the installation finishes click on Finish.

Open a command prompt by right clicking the Start button and select Command Prompt (Admin).

Type cd C:\Snort\bin where bin is the default directory where the snort executable resides.

Type the following command “snort -c C:\Snort\etc\snort.conf -i1 -l C:\Snort\log -A console” and press Enter. The -c option tells Snort where to find the configuration file. The -i1 option tells Snort to capture on interface 1. The -l option tells Snort to log alerts and where to save them. The -A console option tells Snort to send alerts to the console as well. This option is normally not used because it slows down detection and Snort may drop packets. Login to Ubuntu Server and run the command nmap -A 192.168.1.20. Allow the scan to complete and then check the Snort command prompt on Windows Server.

Switch to the Windows Server and on the Snort command prompt you should see 5 SYN scan alerts and 5 ACK scan alerts. Press Control + C to stop Snort.

Once you stop Snort, a list with different statistics will be displayed.

Honeypots

A honeypot is a single machine set up to simulate a valuable server or even an entire subnetwork. The idea is to make the honeypot so attractive that if a hacker breaches the network’s security, he will be drawn to the honeypot rather than to the real system. Software can closely monitor everything that happens on that system, enabling tracking and perhaps identification of the intruder.

The underlying premise of the honeypot is that any traffic to the honeypot machine is to be considered suspicious. Because the honeypot is not a real machine, no legitimate users should have a reason to connect to it. Therefore, anyone attempting to connect to that machine can be considered a possible intruder. The honeypot system can entice him to stay connected long enough to trace where he is connecting from. Figure 5-3 illustrates the honeypot concept.

4.5.1 Specter

Specter is a software honeypot solution. Complete product information is available at http://www.specter.com. The Specter honeypot is comprised of a dedicated PC with the Specter software running on it. The Specter software can emulate the major Internet protocols/services such as HTTP, FTP, POP3, SMTP, and others, thus appearing to be a fully functioning server. The software was designed to run on Windows 2000 or XP but will execute on later versions of Windows; it can simulate AIX, Solaris, UNIX, Linux, Mac, and Mac OS X.

Specter works by appearing to run a number of services common to network servers. In fact, in addition to simulating multiple operating systems, it can also simulate the following services:

  • SMTP
  • FTP
  • TELNET
  • FINGER
  • POP3
  • IMAP4
  • HTTP
  • SSH
  • DNS
  • SUN-RPC

Even though Specter appears to be running these servers, it is actually monitoring all incoming traffic. Because it is not a real server for your network, no legitimate user should be connecting to it. Specter logs all traffic to the server for analysis. Users can set it up in one of five modes:

  • Open: In this mode, the system behaves like a badly configured server in terms of security. The downside of this mode is that you are most likely to attract and catch the least skilful hackers.
  • Secure: This mode has the system behaving like a secure server.
  • Failing: This mode is interesting in that it causes the system to behave like a server with various hardware and software problems. This might attract some hackers because such a system is likely to be vulnerable.
  • Strange: In this mode, the system behaves in unpredictable ways. This sort of behaviour is likely to attract the attention of a more talented hacker and perhaps cause him to stay online longer trying to figure out what is going on. The longer the hacker stays connected, the better the chance of tracing him.
  • Aggressive: This mode causes the system to actively try to trace back the intruder and derive his identity. This mode is most useful for catching the intruder.

In all modes, Specter logs the activity, including all information it can derive from the incoming packets. It also attempts to leave traces on the attacker’s machine, which can provide clear evidence for any criminal action. Users can also configure a fake password file in all modes. These are particularly useful because most hackers attempt to access a password file to crack the passwords. If they are successful, they can then log on as a legitimate user. The holy grail of hacking is getting the administrator’s password. There are multiple ways to configure this fake password file:

  • Easy: In this mode the passwords are easy to crack, leading an intruder to believe that she has actually found legitimate passwords and usernames. Often a hacker with a legitimate logon will be less careful covering her tracks. If you know that logon is fake and the system is set up to monitor it, you can track it back to the hacker.
  • Normal: This mode has slightly more difficult passwords than the easy mode.
  • Hard: This mode has even harder passwords to crack. There is even a tougher version of this mode called mean, in which the passwords are very difficult to break so that the hacker can be traced while he is taking time to crack the passwords.
  • Fun: This mode uses famous names as usernames.
  • Warning: In this mode the hacker gets a warning telling him he has been detected if he is able to crack the password file. The theory behind this mode is that most hackers are simply trying to see if they can crack a system and do not have a specific objective. Letting this sort of hacker know he has been detected is often enough to scare him off.

4.5.2 Symantec Decoy Server

Because Symantec is such a prominent vendor for both antivirus software and firewall solutions, it should come as no surprise that it also has a honeypot solution. The first Symantec honeypot product was Decoy Server. It simulated a real server by simulating many server functions, such as incoming and outgoing e-mail traffic.

As the Decoy Server works as a honeypot, it also works as an IDS monitoring the network for signs of intrusion. If an attack is detected, all traffic related to that attack is recorded for use later in whatever investigative, criminal, or civil procedures that may arise.

Decoy Server is designed to be part of a suite of enterprise security solutions that work together, including enterprise versions of Symantec’s antivirus software, firewall software, and antispyware.
