CEHv8 module 17 evading IDS, firewalls, and honeypots


DOCUMENT INFORMATION

Basic information

Format
Pages: 96
Size: 6.32 MB

Content

Học viện Công Nghệ Thông Tin Bach Khoa (Bach Khoa Academy of Information Technology)

Module Objectives: Types of Intrusion Detection Systems; Honeypot Tools...; Intrusion Detection Systems

Page 2

[...] to be controlled via a graphical user interface.

The RDP-renting service, dubbed Dedicatexpress.com, uses the tagline "The whole world in one service" and is advertised on multiple underground cybercrime forums. It serves as an online marketplace, linking RDP-credential buyers and sellers, and it currently offers access to 17,000 PCs and servers worldwide.

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Page 3

Module Objectives

Types of Intrusion Detection Systems; Honeypot Tools

Page 4

IDS, Firewall and

Page 5

Intrusion Detection Systems (IDS) and their Placement

An intrusion detection system (IDS) [...] from within a computer or a network, to [...] the possible violations of security policy, including unauthorized access, as well as misuse.

An IDS is also referred to as a "[...]", which intercepts packets traveling along various communication mediums and protocols, usually TCP/IP. The packets are analyzed after they are captured.

The IDS checks traffic for signatures that match intrusions, and alerts when a match is found.

Page 7

Ways to Detect an Intrusion

Signature Recognition: it is also known as misuse detection. Signature recognition tries to [...]

Anomaly Detection: [...] of the users and components in a computer system

[...] way vendors deploy the [...]

Page 8

Types of Intrusion Detection

These mechanisms typically consist of a [...] that is placed on the network in promiscuous mode, listening for patterns [...]

These mechanisms usually include auditing for the events that occur on a [...]. These are not as common, due to the overhead [...]

These mechanisms check for Trojan horses, or files that have otherwise been modified, indicating an intruder has already been there, for example, Tripwire.

These mechanisms are typically programs that [...] after an event has already occurred, such as failed login attempts.

Page 9

Tripwire is a [...] that monitors system files and detects changes by an intruder.

Page 10

Connections from unusual locations
Repeated login attempts from remote hosts
The presence of new, unfamiliar files, or programs
Arbitrary data in log files, indicating attempts to cause a DoS or to crash a service
Changes in file permissions
Unexplained changes in a file's size
Rogue files on the system that do not correspond to your master list

Page 11

Modifications to [...]

Page 12

Firewalls

Firewalls are hardware and/or software [...] criteria [...] of traffic or with the [...] a private network and a public network such [...]

Page 13

Firewall Architecture

Bastion Host:
A bastion host is a computer system designed and configured to protect [...] from attack. Traffic entering or leaving the network passes through the firewall; it has two interfaces:
[...]: directly connected to the Internet
[...]: connected to the intranet

Screened Subnet:
The screened subnet or DMZ (additional zone) contains [...] that offer public services. The DMZ zone [...], and has no hosts accessed by the private network. The private zone can not be accessed by [...]

Multi-homed Firewall:
In this case, a firewall with three or more interfaces is present that allows for further subdividing the systems based on the [...]

Page 14

It can be created using a firewall with three or more network interfaces assigned with specific roles such as internal trusted network, DMZ network, and external un-trusted network (Internet).

Page 15

Application Level Gateways
Stateful Multilayer Inspection Firewalls

Page 16

[...] work at the [...] model (or the IP [...] of TCP/IP); they [...] a part of a router.

Depending on the [...], the firewall can [...] the packet and [...] it, or send a message to the originator.

[...] source and the destination port number, and the [...]

Page 17

Circuit-level gateways work at the [...]

Circuit proxy firewalls [...] data streams; they do not filter individual packets.

[...], such as when a session is initiated by a recognized computer

Figure label: Corporate Network

Page 18

Application-Level Firewall

Application-level gateways (proxies) can filter [...] traffic. Application-level gateways configured as a web [...]

Incoming and outgoing traffic is [...] supported by proxy; all other service requests are denied.

Application-level gateways examine traffic and [...]

Page 19

Stateful Multilayer Inspection Firewall

[...] and they evaluate the contents of packets at the application layer

Page 20

Firewall Identification: Port Scanning

For example: [...] listens on TCP ports 256, 257, 258, and 259; NetGuard GuardianPro firewall listens on TCP 1500 and UDP 1501.

Some firewalls will uniquely identify themselves in response to [...]

Page 21

Attackers send a TCP or UDP packet to the targeted firewall with [...] than that of the firewall.

If the packet makes it through the gateway, it is forwarded to the next hop where the TTL equals one and elicits an ICMP [...] to be returned, as the original packet is discarded.

Page 22

Firewall Identification: Banner Grabbing

Banners are service announcements provided by services in response to connection requests, and often carry vendor version information.

Page 23

A honeypot is an information system resource that is expressly [...] who attempt to penetrate an organization's network.

It has no authorized activity, does not have any production value, and any traffic to it is [...]

Page 24

Low-interaction Honeypots
[...] services and applications
Can not be compromised completely
Generally, set to collect higher level information about attack vectors such as network probes
Ex: Specter, Honeyd, and [...]

High-interaction Honeypots
Can be completely compromised by attackers to get full access to the system in a controlled area
Capture complete information [...] techniques, tools and intent of the attack
Ex: Symantec Decoy Server and [...]

Page 25

IDS, Firewall and

Page 26

Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.

It can perform protocol analysis and content searching/matching, and is used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and OS fingerprinting attempts.

It uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plug-in architecture.

Uses of Snort
Straight packet sniffer like tcpdump
Packet logger (useful for network traffic debugging, etc.)
Network intrusion prevention system

Page 27

[...] sniffing [...]
[...] packets against rules previously [...]
Output Plugins: format notifications so operators can access them in a variety of ways (console, external files, databases, etc.)
[...]: These are plain text files which contain a list of rules with a known syntax

Page 28

Snort's rule engine enables [...] to meet the needs of the network.

Snort rules must be contained on a single line; the Snort rule parser [...]

Page 29

Snort Rules: Rule Actions and IP Protocols

Rule Actions

The rule header stores the complete [...] to identify a packet, and determines the action to be performed or what rule to be applied.

The rule action [...] when it finds a packet that matches the rule criteria.

Three available actions in Snort:
Generate an alert using the selected alert method, and then log the packet
Log the packet
Drop (ignore) the packet

IP Protocols

Three available IP protocols that Snort supports [...]

Page 30

Snort Rules: The Direction Operator and IP Addresses

The Direction Operator

This operator indicates the direction of interest for the traffic; traffic can flow in either a single direction or bi-directionally.

Example of a Snort rule using the Bidirectional Operator: [...]

Use numeric IP addresses qualified with a CIDR netmask.

Example IP Address Negation Rule:

alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 111 (content: "|00 01 86 a5|"; msg: "external mountd access";)

Page 31

Snort Rules: Port Numbers

log udp any any -> 192.168.1.0/24 1:1024 : log UDP traffic to destination ports ranging from 1 to 1024

Log TCP traffic from any port going to ports [...]
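As an added example (not from the CEH slides or from Snort itself), a small Python matcher for the rule-header grammar the slides describe on pages 29 to 31: action, protocol, CIDR addresses with "!" negation, "any", port ranges such as 1:1024, and the -> and <> direction operators. The Packet tuple and the decision to ignore everything in the (...) options are my own simplifications.

```python
import ipaddress
import re
from typing import NamedTuple

# Header grammar from the slides: action proto src src_port dir dst dst_port; options in (...) are ignored.
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)")

class Packet(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def addr_match(spec: str, ip: str) -> bool:
    """'any', a host, or a CIDR block, optionally negated with a leading '!'."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    hit = spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate

def port_match(spec: str, port: int) -> bool:
    """'any', a single port, or a range 'lo:hi' (either bound may be empty)."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (not lo or int(lo) <= port) and (not hi or port <= int(hi))
    return int(spec) == port

def rule_matches(rule: str, pkt: Packet) -> bool:
    """True if the header of `rule` matches `pkt`; '<>' also tries the reverse direction."""
    m = HEADER_RE.match(rule.strip())
    if m is None:
        raise ValueError("unparsable rule header: " + rule)
    if m["proto"] != pkt.proto:
        return False
    def one_way(s, sp, d, dp):
        return (addr_match(m["src"], s) and port_match(m["sport"], sp)
                and addr_match(m["dst"], d) and port_match(m["dport"], dp))
    if one_way(pkt.src, pkt.sport, pkt.dst, pkt.dport):
        return True
    return m["dir"] == "<>" and one_way(pkt.dst, pkt.dport, pkt.src, pkt.sport)

# The slides' negation rule: traffic from outside 192.168.1.0/24 to portmapper (111) inside.
MOUNTD_RULE = ('alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 111 '
               '(content:"|00 01 86 a5|"; msg:"external mountd access";)')
```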

Page 32

Intrusion Detection System: TippingPoint

TippingPoint IPS is inserted [...] determine whether it is [...]

It provides [...] and protection at gigabit speeds through total packet inspection.

Figure: TippingPoint traffic graphs (Permitted / Discarded Invalid; Attacks Per Protocol), graph last updated Tue 22 Sep 2009, http://h17007.www1.hp.com

Page 33

IBM Security Network Intrusion Prevention System: http://www-01.ibm.com
Peek & Spy: http://networkingdynamics.com
INTOUCH INSA-Network Security Agent: http://www.ttinet.com
Strata Guard: http://www.stillsecure.com
IDP8200 Intrusion Detection and Prevention Appliances
SNARE (System iNtrusion Analysis & Reporting Environment): http://www.intersectalliance.com
Vanguard Enforcer: http://www.go2vanguard.com

Page 34

Intrusion Detection Tools (Cont'd)

Check Point Threat Prevention Appliance: http://www.checkpoint.com
McAfee Host Intrusion Prevention for Desktops: http://www.mcafee.com


Page 36

Check Point Firewall Software Blade

Page 37

Figure: KFSensor Professional console (screenshot)

KFSensor is a host-based Intrusion Detection System (IDS). It acts as a honeypot to attract and detect hackers and worms by simulating vulnerable system services and Trojans.

Page 38

Honeypot Tool: SPECTER

SPECTER is a smart intrusion detection system that offers common [...] such as SMTP, FTP, POP3, HTTP, and TELNET which appear perfectly normal to the attackers but in fact are traps.

SPECTER provides massive amounts of [...] including images, MP3 files, email messages, password files, documents, and all kinds of software.

http://www.specter.com

Page 41

Insertion Attack

This attack occurs when [...] that an end system rejects. Hence, the IDS gets [...]

An attacker sends one-character packets to the target system via the IDS with [...] such that some packets reach the IDS but not the target system.

Figure: attacker's data stream passing through the IDS to the end system (target system having [...])

Page 42

The attacker sends portions of the request in packets that the IDS mistakenly rejects, allowing the removal of parts of the stream from the IDS.

For example, if the malicious sequence is sent byte-by-byte, and one byte is rejected by the IDS, the IDS cannot detect the attack.

Here, the IDS gets fewer packets than the destination.

Figure: Insertion of the letter 'A'

Page 43

Denial-of-Service Attack (DoS)

If attackers know the IP address of the centralized server they can perform [...] or other hacks to slow down or crash the server.

As a result, attackers' intrusion attempts will not be logged.

Causes personnel to [...] all the alarms [...]

Posted: 14/12/2021, 18:42