Intrusion Detection and Prevention

Intrusion Detection and Prevention
Related Chapters
•
•
•
•
Chapter 3, Detecting System Intrusions
Chapter 4, Preventing System Intrusions
Chapter 5, Guarding Against Network Intrusions
Chapter 26, Intrusion Prevention and Detection
Systems
• Chapter 27, TCP/IP Packet Analysis
• Chapter 28, The Enemy (The Intruder’s Genesis)
2
Defense in Depth
Prevent
Detect
React/
Survive
3
Defense in Depth in Practice
Firewall
Intrusion
Detection
Logging/
Auditing
4
Intrusion detection systems v.s. Firewalls
• Intrusion detection systems (IDSs)
– Detect unauthorized intrusions
• Anomaly-based learn “normal”
• Signature-based look for slight variations
• Hybrid combines best characteristics
• Firewalls offer first line of defense
– Secure Firewall combines the five most necessary security
systems—firewall, antivirus/spyware/spam, VPN, application
filtering, and intrusion prevention/detection systems—into a
single appliance.
5
RECAP: BASICS OF NETWORK TECHNOLOGY
6
TCP/IP
• Transmission Control Protocol/Internet Protocol
–
–
–
–
Ubiquitous networking protocol
Uses freely available open protocol standards
Independent of device and transmission media
Consistent addressing scheme
• Globally scalable
• Vast majority of attacks utilize TCP/IP
7
TCP/IP Data Architecture
• Layered stack of functions
• Each layer provides services and capabilities to
layers above and below
– Modular functionality
– Details within a function are hidden from other functions
• Application layer
– Concerned with applications and processes
8
Figure 26.1
TCP/IP Layers
Each layer communicates with the layer above and below it.
9
TCP/IP Data Architecture (cont.)
• Transport layer
– Handles data flow between applications on different
network hosts
– There are two transport protocols: TCP and UDP
• Network layer
– Responsible for packet addressing and routing
• Physical layer
– Responsible for interaction with physical network
medium
10
Data Encapsulation
• As data handed down the stack:
– Each layer adds its own header
• IP header
• TCP header
• UP header
• Network attacks can occur at every layer of the
TCP/IP stack
• Effective intrusion prevention and detection system
must inspect each layer
11
Figure 26.2
IP, TCP, and UDP
headers
Each layer adds its own
header, and formats are
different.
12
Outgoing
Incoming
Figure 26.3
TCP/IP encapsulation
Headers are added as data packets move through the layers.
13
Figure 26.4
Application and
network interaction
example
The example uses email
messages to illustrate
header information.
14
15
Definitions
• Intrusion
– A set of actions aimed to compromise the security
goals, namely
• Integrity, confidentiality, or availability, of a computing and
networking resource
• Intrusion detection
– The process of identifying and responding to intrusion
activities
16
Intrusions
• An intrusion is any action taken by an adversary
• Negatively impacts information:
– Confidentiality
– Integrity
– Availability
• Commonly occurring types of intrusions
– Physical theft
– Abuse of privileges (insider threat)
– Unauthorized access by outsider
17
Intrusion Monitoring and Detection
• Must detect and diagnose malicious activities
• Monitoring and analysis: passive techniques
• Typical IDS response: alert to administrators
– Presumes incidents need human expertise and judgment for
follow-up
• Detection accuracy: critical problem
– Minimize false positives and false negatives
• Two analysis approaches
– Misuse detection and anomaly detection
18
ATTACKS
19
Attackers and Motives
• Script kiddy
– Attacker with little or no skill using another’s published
“script” to perform attack
• Joy rider
– Attack motive: exploring, usually not malicious
• Mercenary
– Selling skills to compromise computer systems
– Organized crime
• Nation-state backed
– Espionage against other nations
20
Malicious Software
•
•
•
•
•
•
•
Virus
Worm
Backdoor
Trojan horse
User-level rootkit
Kernel-level rootkit
Blended malware
21
**Refer to pages 486-487
Malicious Software
• Infectious: viruses and worms
– Carry a payload (malicious code)
• Concealed: Trojan horses and rootkits
– Stealth: important feature for malware
• Remote control: remote access Trojans (RATs) and bots
– Enable covert communications
• Data theft: keyloggers and spyware
– Record keystrokes or monitor and report user activity
22
Stack-Based Overflow Attacks
• Take advantage of poorly-written applications
• When a called function is executing, it stores data in
the stack (memory buffer)
– If this memory region is overwritten, program will crash
• Instruction pointer (IP) points to stack location for
program to return if it crashes
– Attacker can manipulate IP to direct program to execute
malware
23
Password Attacks and DDoS Attack
• Attacker attempts to locate the file with encrypted
passwords
• Password cracking tools
– Example: “John the Ripper”
• Distributed denial of service (DDoS) attack
– Generating multiple requests to flood a server
– Multiple servers make half-connections to the target
server
– Usually carried out via botnets of compromised systems
24
Sniffing
• Packet sniffing tool
– Examples: Wireshark, TCPDump
– Placed on a network node
– Captures every packet sent to or from that node
• Once the data traffic is captured, the hacker would have
analyzed the contents of the packets
– Hackers would be able to draw inferences about what is being
captured.
– Hackers would thus have access to port numbers, IP
addresses, and application details.
25
IP Address Spoofing
• Fools perimeter router into accepting a packet with
a spoofed IP address
• Difficult to trace back to attacker’s node
• Done by IP packet crafting
• Ethernet address can also be spoofed
• DNS spoofing
– Sends Web traffic to attacker’s site instead of legitimate
IP address
26
Session Hijacking
• Taking over an ongoing active connection between
two nodes on a network
• Two types
– TCP session hijacking
– UDP session hijacking
• Route table modification
– Attacker blocks packets by modifying routing tables
27
Lures and “Pull” Attacks
• Network attacks trending towards stealthier attacks
– Wait for victims to visit malicious Web sites
• Advantages for attackers
– Not as “noisy” as active attacks
– Web servers have stealthy intelligence
– Web server can serve up different attacks
• Web-based attack types
– Phishing, drive-by download
• Challenge: attracting visitor to malicious site
28
Lures and “Pull” Attacks
Figure 5.2
Stealthy attacks lure victims to malicious servers.
The Web has become the primary vector for infecting computers, in large part because email has become
29
better secured.
Reconnaissance
• Traditional attacks use sequential steps
– Reconnaissance tools
• Ping, traceroute, port scan, OS discovery, vulnerability scanner
– Compromise tools
• Password attacks, exploit attack code, buffer overflows,
Structured Query Language (SQL) injection, automated
customized attack toolkits, social engineering
– Cover-up methods
• Change system logs, rootkits, tunneling, encryption, fragment IP
packets
30
Reconnaissance
Figure 5.1
Steps in directed attacks.
Attempt to hit as many targets as quickly as possible without caring about who or what the targets
31are.
Active Reconnaissance
• The steps of a hacker
– Search domain names for those that would contain valuable
information
– Map domain names to network addresses
– Map out the detailed network infrastructure
– Discover IP addresses of the network nodes
– Attempt to identify different server types
• DNS, email, database, Web
• Use network tools to gather information about the servers
– Design a scheme to attack the network
32
Reconnaissance: Network Mapping
• Network mapping is the process of discovering
information about the topology of the target network.
– finding the IP addresses of gateways, routers, email, Web, FTP
servers, and database servers
• Sweep the network to find live nodes (pinging target
nodes)
• Can use traceroute to find paths to each host
– Provides information about routers and gateways
• Find more information with Nmap
– Nmap: Security/network exploration tool and port scanner
33
Figure 28.2
Switched Ethernet network
Nanjun is a Linux server, kalidas is an XP Workstation, and kailash is a Windows 2000 server.
34
Figure 28.3
Network mapping of
computers in Figure
28.2
Screenshot from
network security
scanner from GFI
Languard.
35
Covering Tracks
• Attacker must disguise the fact that there has been an
attack
• Trojan horse
– Disguised as a benign program
– Usually has malicious intent
• Backdoor
– Method to allow attacker to return and continue attack
• Rootkit
– Run with system privileges
36
INTRUSION DETECTION
37
Intrusion Detection Approaches
• Modeling
– Features: evidences extracted from audit data
– Analysis approach: piecing the evidences together
• Misuse detection (a.k.a. signature-based)
• Anomaly detection (a.k.a. statistical-based)
• Deployment: Network-based or Host-based
• Development and maintenance
– Hand-coding of “expert knowledge”
– Learning based on audit data
38
Host-Based and Network-Based
• Host-based IDS
– System objects, processes, memory
– Concern for possible tampering by an attacker
– Drawbacks
• Visibility limited to a single host; IDS process consumes resources;
attacks not seen until they reached the host
• Network-based
– Use network packets for reconnaissance, exploits, DoS attacks,
malware checks
– Complements host-based IDSs
39
Monitoring Hosts vs Network Traffic
Network Packets
tcpdum
p
Operating System
Events
BSM
40
Elements of Intrusion Detection
• Primary assumptions:
– System activities are observable
– Normal and intrusive activities have distinct evidence
• Components of intrusion detection systems:
– From an algorithmic perspective:
• Features - capture intrusion evidences
• Models - piece evidences together
– From a system architecture perspective:
• Audit data processor, knowledge base, decision engine, alarm
generation and responses
41
Components of Intrusion Detection System
system activities are
observable
Audit Records
Audit Data
Preprocessor
Activity Data
Detection
Models
Detection Engine
normal and intrusive activities have
distinct evidence
Alarms
Decision
Table
Decision Engine
Action/Report
42
Misuse vs Anomaly Detection
Figure 5.5
Misuse detection and anomaly detection.
These two views are complementary and are often used in combination.
43
Misuse Detection
pattern
matching
intrusion
Intrusion
Patterns
activities
Example: if (src_ip == dst_ip
&& src_port == dst_port) then “land attack”
Can’t detect new attacks
44
Misuse Detection: Signature Based
• Look for an incident matches a known signature
– Signature identifies a specific attack
• Central issue
– How to define signatures or model attacks
• Three inherent drawbacks
– Attacks missed if matching signature not known
– New signatures require time to develop
– New signatures must be distributed continually
• Signature-based IDS example
– Snort program
45
Figure 26.5
Anti-malware file scanning
Signature-based analysis is only as effective as its signature information.
46
Anomaly Detection
activity
measures
probable
intrusion
90
80
70
60
50
40
30
20
10
0
normal profile
abnormal
CPU
Process Size
Relatively high false positive rate can just be new normal activities.
anomalies
47
Anomaly Detection: Behavior Based
• Potential to recognize new attacks without a known
signature
• Define normal behavior in statistical terms
– Anything outside definition: suspicious
• Challenges
–
–
–
–
Normal behavior based on past behavior
Behavior can and does change over time
Anomalies are just unusual events
Not good at discerning exact nature of attacks
48
INTRUSION DETECTION
@ HOST LEVEL
49
Host-based IDSs
• Using OS auditing mechanisms
– E.G., BSM on Solaris: logs all direct or indirect events
generated by a user
– strace for system calls made by a program
• Monitoring user activities
– E.G., Analyze shell commands
• Monitoring executions of system programs
– E.G., Analyze system calls made by sendmail
50
Monitoring Key Files in the System
• Monitor any changes on the key files (system files)
– Eg. /etc/passwd and /etc/shadow in Linux systems
• One way is to Log everything happening inside the file
system (Example product: LoggedFS).
• File integrity monitoring (FIM):
–
–
–
–
–
Internal control or a process
Validates operating system and application software integrity
Verifies current state versus a baseline
Calculates known cryptographic checksum
Process generally automated
51
Security Objectives
• Watch for changes impacting file or configuration
integrity
– Credentials, privileges and security settings, content, core
attributes and size, hash values, configuration values
– Legitimate or somewhat legitimate file names
– Additional accounts that do not belong
– Events with out of order timestamps
• Hide system files and directories
– Reduces accidental damage or deletion
– Prevents casual snooping
52
Figure 3.1
Screen shot of the nCircle file integrity monitor panel.
One of many open-source and commercial software products available to perform file integrity monitoring.
53
Figure 3.2
The wrong symbol.
The hacker has a directory on the system named ‘. ‘ Note that one bit or one symbol in the output may make
the difference between a compromised and clean system.
54
Figure 3.3
Additional account DBNET.
After a compromise, hackers may create a new account on the server and try to mimic some legitimate
accounts that should exist.
55
Figure 3.4
Folder modification.
Windows malware just loves this folder! Look for any folders or files with a different date modified timestamp.
56
Zero-Day Attacks
• A zero-day attack is an attack that exploits a
previously unknown vulnerability
– meaning that the attack occurs on “day zero” of
awareness of the vulnerability.
– the developers have had zero days to address and patch
the vulnerability
• Attack vectors (directions):
– Web browsers, e-mail attachments, common file types
57
Zero-Day Attacks (cont.)
• Vulnerability window is the time between first exploit
and published fix.
• Vulnerability management life cycle phases
– Analyze, test, report, and mitigate
• Many OSs provide protection mechanisms against 0day
memory corruption vulnerabilities, such as buffer
overflows.
• Multiple layers, port knocking, whitelisting, and keeping
OS updated are some mechanisms for 0day protection.
58
Good Known State
• Watch for backdoors installed by hackers
– removing backdoords is not enough
• Restore hacked system to a good, clean system
– Typically done via OS reinstallation
• Monitor running processes for hacker software
– May look legitimate
• Watch for weird-looking file names
59
Rootkits
• Stealthy type of malicious software
• Automated or installed with root access
• Kernel-mode rootkits
– Highest operating system privileges (ring 0)
– Add code or replace portions of the OS core
– difficult to detect.
• User-mode rootkits
– Run with other applications as a user (ring 3)
• Rootkit search software for live systems (rootkit detection)
– Example: “rootkit hunter”
60
Low Hanging Fruit
• Deter intrusions
– Protect your system better than your neighbor
• Hacker will select easier target
– Use snow flaking (differentiate your system from normal)
• Takes more time to analyze a particular system to gain access
• Example: move an SSH port from default TCP/22 to TCP/31234
– Ignore pings to the host
• Takes less time to detect those live IPs and scan them for
vulnerabilities
61
Homegrown Intrusion Protection
• To defeat a hacker; think like a hacker
– Examine common files a hacker may look at
– Deter a hacker from using information in the file
• Subtly hide important directories or file names
• Set up dummy directories
– If hacker persists
• Examine access logs to dummy files to identify the enemy
62
Out-of-band Attack Vectors
• People: weak link in corporate security plans
– Fall into social engineering attacks
– Connect personal devices to corporate network is a huge risk
– Demyo plug
• Full-blown Linux-based OS with many penetration testing tools
preinstalled
• Prevention method
– Strong policy disallowing connection of non-approved devices
– Must be enforceable and be understood by all
63
Figure 3.8
The Demyo plug.
Once connected, penetration testers can use it as a jump box to do further penetration testing inside the
local area network (LAN) of the corporation.
64
Security Event Management
• Real-time analysis of security alerts generated by
network hardware and applications
• Security Event Management (SEM)
– Real-time monitoring, correlation of events, notifications, and
console views
• Security Information Management (SIM)
– Long-term storage, analysis, and reporting
• Security Information Event Management (SIEM)
– Data Aggregation, correlation, alerting, dashboards,
compliance, retention
65
Other Weird Stuff on the System
• Possible system compromises
– Missing log files
– Network interface in promiscuous mode
• Controller passes all traffic to the central processing unit (CPU)
• Normally used for packet sniffing
• Computer may read frames intended for other machines or
network devices
• Usually requires super user privileges
• Often used to diagnose network problems
– Stay away from insecure protocols
66
INTRUSION DETECTION
@ NETWORK LEVEL
67
Network IDS
• Deploying sensors at strategic locations
– E.G., Packet sniffing via tcpdump at routers
• Inspecting network traffic
– Watch for violations of protocols and unusual connection
patterns
• Monitoring user activities
– Look into the data portions of the packets for malicious
command sequences
• May be easily defeated by encryption
– Data portions and some header information can be encrypted
• Other problems …
68
Network IDS
• Sensors
– Monitor and analyze network activity on one or more network
segments
– Appliance-based and software-only sensors
• Provide variety of security capabilities
• Collect information on hosts
– Operating systems and application versions
• Perform extensive logging of data related to detected
events
69
Figure 5.6
IDSs monitoring various network zones. (Network-based IDSs)
Place outside a firewall for learning about malicious activities on the Internet. Place in the DMZ to see
attacks originating from the Internet that are able to get through the outer firewall to public servers. Place in
the private network to detect any attacks that are able to successfully penetrate perimeter security.
70
Figure 26.6
Network-based IDS device scanning packets flowing past sensor interface
Anomaly detection is accomplished by comparing with a stored baseline.
71
Packet Data Pre-processing
tcpdump packet data
10:35:41.5 A > B : . 512:1024(512) ack 1 win 9216
10:35:42.2 C > D: . ack 1073 win 16384
10:35:45.6 E > F: . ack 2650 win 16225
...
connection records
tim e
dur
src
d st
b y te s
srv
fla g
…
1 0 : 3 5 : 3 9 .1
5 .2
A
B
42
h ttp
SF
…
1 0 : 3 5 : 4 0 .4
2 0 .5
C
D
22
u ser
REJ
…
1 0 : 3 5 : 4 1 .2
1 0 .2
E
F
1036
ftp
SF
…
…
…
…
…
…
...
…
…
72
Firewall Versus Network IDS
• Firewall
– Active filtering
– Fail-close
• Network IDS
– Passive monitoring
– Fail-open
IDS
FW
73
INTRUSION PREVENTION
74
Preventive Measures
•
•
•
•
•
•
•
•
Access Control
Vulnerability Testing and Patching
Closing unnecessary ports
Firewalls
Antivirus and Antispyware Tools
Spam Filtering
Honeypots
Network Access Control
75
Defense in Depth
• Hinder attacker as much as possible
– Use multiple defense layers
• Each layer might be surmountable
– More valuable assets should be protected behind more layers of
defense
• Combination of multiple layers
– Increased cost for attacker success (time, effort, or equipment)
• Cost must be proportional to asset value
– Effective against unpredictable attacks
• Involves people, technology, operations
• Risk assessment determines:
– Asset value, possible threats, threat likelihood and impact
76
Know your Enemy
•
•
•
•
Unauthorized network penetration
Types: active and passive
Intrusions come from outside and within the network
Intruder’s purposes
– Make their presence known
– Extract critical information
• One-time or ongoing parasitic relationship
• Access is gained physically, externally or internally
77
Know your Enemy (Hacker vs. Cracker)
• Traditional hacker performed good deeds
– Built and made the Internet run, created Unix
• Crackers’ intentions are normally malicious/criminal in
nature
• Crackers steal data or create havoc
– Lone-wolves, disgruntled employees, hostile governments
– Seek out and exploit vulnerabilities
• Underground organizations and code available
• Cyber ninjas sneak around
– Create chains of exploits
– Use multiple layers to hide
78
Understand Motives
• Goal differs from motive
– Goal: penetrate network defenses
– Motive: hurt organization or steal information
• Grab and dash
– Steal credit-card information and resell
– Breach network and siphon off data
79
Our “Unsecured” Wireless World
• Public wireless activity can affect corporate
network security by stealing information from users
– Firesheep: a tool used to steal browser cookie
information
• What tools can crackers use to test for network
weak spots?
– Wireless sniffers, packet sniffers, port scanners, port
knocking, keystroke loggers, remote administration tools,
network scanners, password crackers
80
Symptoms of Intrusions
• Large numbers of unsuccessful login attempts
• Packet inconsistencies
• Packets coming from the outside that have local
network addresses (IP spoofing)
• Odd or unexpected system behavior can be a sign.
– changes to system clocks, servers going down, unusually
high CPU activity, overflows in file systems
81
What Can You Do?
• Balance network security and user needs
• Use strong multilayer perimeter defense
– Implement dynamic and effective response policy
• Educate users: Why is this crucial?
• Implement intrusion detection system (IDS)
– Must detect and stop intrusion
– Can be inline or based on firewall scheme
82
Know Today’s Network Needs
• Traditional networks use preventative measures
(firewalls) to protect the infrastructure from intrusion.
• Mobile computing expanded boundaries
• Unified threat management (UTM) system
–
–
–
–
“Blacklist” approach: game of catch-up
“Whitelist” approach: specifies what gets in
Specifically allow applications and devices
Offer policy-based approach
• Recognize remote technologies and the risks
• Best practice: educate users on security policy
83
Figure 4.1
Network diagram
Key to managing several hundred (or several thousand) users is a good security policy.
84
Security Policies
• Security policy is designed to get everyone involved
with your network, always a work in progress
– must evolve with technology
• Conglomeration of policies
– computer and network use, forms of authentication,
email policies, remote/mobile technology use, and Web
surfing policies
85
Security Policies (cont.)
• Simplicity works best
– Draft policies defining network architecture
– Spell out responsibilities, communicate your expectations
to users, and lay out the role(s) for your network
administrator
– Establish a security team
• Provide clear policy for handling changes to overall network
security
86
Risk Analysis and Vulnerability Testing
• Risk analysis determines risk faced based on operations. It
may influence network design.
• Security policy should include regular vulnerability testing.
• Some very good vulnerability testing tools allow you to
conduct your own security testing
– Eg. WebInspect, Acunetix, GFI LANguard, Nessus, HFNetChk, and
Tripwire
• Third party companies can be contracted to scan your
network for open and/or accessible ports, weaknesses in
firewalls, and Web site vulnerability.
87
Digital Forensics
• Digital forensics is the “application of computer
science and investigative procedures for a legal
purpose involving the analysis of digital evidence”
• Can be divided into two subfields
– Network forensics
• Captured network traffic and session information
– Host-based forensics
• collection and analysis of digital evidence collected from
individual computer systems
88
Intrusion Prevention Systems (IPSs)
• Configurable for autonomous decisions
– Application-level threats, IP address or port-level attacks
• Threat response mechanisms
– Automatically drop suspicious packets
– Place intruder into “quarantine” file
• Access control pass/fail decisions
• Several IPS types
– Network-based, host-based, content-based, rate-based
• What are characteristics of a good IPS?
89
Intrusion Prevention Capabilities
• Agenda for Action for Intrusion Prevention Activities
checklist
–
–
–
–
–
–
–
–
–
Code analysis
Network traffic analysis
Network traffic filtering
Filesystem monitoring
Removable media restriction
Audiovisual device monitoring
Host hardening
Process status monitoring
Network traffic sanitization
90
Reactive Measures
• When an attack is detected/analyzed, a system
admin. must exercise an appropriate response.
– responses depend on the circumstances
– block, slow, modify, or redirect any malicious traffic.
• It is not possible to delineate every possible
response.
91
Reactive Measures: Quarantine and Traceback
• Quarantine in the context of malware
– Prevents infected host from contaminating other hosts
– Block traffic using firewalls or routers with access control
lists (ACLs)
• Almost impossible to discover attacker (Why?)
– May trace packet’s route back to intermediary
• Store hash of a packet for some amount of time
• Stamp packets with a unique router identifier
92
Figure 5.7
Tracking information stored at routers or carried in packets to enable packet traceback.
To trace a packet’s route, some tracking information must be either stored at routers when the packet is
forwarded or carried in the packet.
93
Reactive Measures: Audits and Recovery
• Regular and detailed audits are needed with emphasis
on activities near or outside established norm
• Ensure clearly established rules
– Security, use, and/or policy violations
– Attempted or actual intrusions
• Recovery of network after attack
– Reconfigure to close off exploited opening
– Estimate damage
• Ensure preemptive disaster recovery plan is available
94
IDS IN PRACTICE
95
Tools of the Trade
•
•
–
–
–
–
–
–
–
–
–
–
–
–
Host-based IDS
TCPWrappers (http://coast.cs.purdue.edu/pub/tools/unix)
NukeNabber
(http://www.amitar.com.au/DOWNLOADS/INTERNET/PROTECTION/NukeNab
ber_2_9b.html
WRQ's AtGuard (http://www.atguard.com)
AXENT (www.axent.com)
CyberSafe, (www.cybersafe.com)
ISS, (www.iss.net)
Tripwire (www.tripwiresecurity.com)
Network-based IDS
AXENT (www.axent.com)
Cisco (www.cisco.com)
CyberSafe (www.cybersafe.com)
ISS (www.iss.net)
Shadow (www.nswc.navy.mil/ISSEC/CID)
96
Snort
•
Try snort—a nice tool
–
–
–
Packet sniffer – outputting all viewed network data to a
console device
Packet logger – logging of all network packets to a disk
Network IDS – performing a variety of functions from
analyzing traffic, to filtering and performing actions
based on packet analysis.
97
Defend Your hosts with Freeware
• Install the most current release of Redhat Linux, Debian
Linux, FreeBSD etc.
• OS hardening
– To protect against misconfiguration-based attacks, install the very
good hardening utility Bastille (http://sourceforge.net). Bastille
essentially closes all the doors left open in a default installation.
• Network services access control
– Install Wietse Venema’s TCP Wrapper
(ftp://ftp.porcupine.org/pub/security/index.html). This is a simple
tool, simple to install, simple to configure and simple in operation. It
is an access control list for services run under the control of the
Internet daemon.
98
Defend Your hosts with Freeware
• Snort --- Intrusion Detection Tool Snort
(http://www.snort.org/).
– There are both Linux version and Windows version. It will let you see
what kinds of messages are observed by your network card and let
you to write your own rules for IDS. It is almost infinitely
configurable.
• Shorewall (http://shorewall.net/)
– a freeware firewall/gateway based on linux iptables/ipchains. You
may also try Astaro’s Security Linux (http://astaro.com/), which is a
freeware sateful inspection gateway that provides proxy and VPN
services.
99
Defend Your hosts with Freeware
• Secure Remote Access
• Never try telnet or ftp. Install OpenSSH
(http://www.openssh.com/) for remote access
tools (there are both Linux and Windows versions).
100
Defend Your hosts with Freeware
• Penetration Testing
• After your system is set
up, now try to break it.
– Install OpenVAS
– Test each port to
determine what sort
of listener is active
• Finally, once your security
suite is complete, install
the freeware version of
Tripwire
– Tripwire takes a “snapshot”
of a large number of critical
binaries on your system, and
– stores that information
encrypted and in an obscure
place.
101
Defend Your hosts with Freeware
NMAP = Network Mapper
Wireshark
•
•
• Freeware for network protocol
analysis
Open source security scanner
Identify
– Which hosts
– What services are open
• potentially vulnerable to attacks
– Example of usage: OS
fingerprinting
• sudo nmap -O -v xyz.com
•
– Analyze packets & protocols
– Used
• Primarily for trouble shooting
• To a lesser extent for detecting
certain (low-grade) malware
• www.wireshark.org
Web site
– www. nmap.org
102
Honeypots/Honeynets
• Divert an attacker from accessing critical systems
– Collect information about the attackers’ activity
– Learn about attacker techniques by attracting attacks to a seemingly
vulnerable host.
• Encourage the attacker to stay on the system long enough
for administrators to respond
• Can be passive or active (honey-monkey).
• Not used for legitimate services.
• A honeypot should have comprehensive and reliable
capabilities for monitoring and logging all activities.
• Usually monitor unused address space (isolated).
103