17: Network Management and Monitoring
Last Modified: 4/21/2003 2:46:25 PM

Network Management Tasks
- Protecting the network (e.g. intrusion detection)
- Detecting failed components (interfaces, links, hosts, routers)
- Monitoring traffic patterns (recommend needed upgrades, cap certain types of traffic)
- Detect abnormal traffic (rapid changes in routing tables, huge spikes in BW usage)
8: Network Management 1

Snort
- Snort consists of three subsystems:
  - packet decoder (libpcap-based)
  - detection engine
  - logging and alerting subsystem
- Three primary uses
  - Packet sniffer
  - Packet logger
  - Intrusion Detection System

Snort IDS
- Detection/logging of packets matching filters/rule sets similar to Ethereal capture/display filters
- Detection engine: rules form signatures
  - Modular detection elements are combined to form these signatures
  - Anomalous activity detection is possible: stealth scans, OS fingerprinting, invalid ICMP codes, etc.
- Rules system is very flexible, and creation of new rules is relatively simple

Snort Rules
- Snort uses a simple rules language
  - http://www.snort.org/writing_snort_rules.htm
- Rule header consists of
  - Rule actions: alert, log, pass, dynamic, activate, etc.
  - Protocol: tcp, udp, icmp, etc.
  - IP addresses: source, dest, CIDR mask
  - Port numbers: source, dest, range
  - Direction
  - Negation

Writing Snort Rules
- Snort rules consist of two parts
  - Rule header
    - Specifies src/dst host and port
    - alert tcp !128.119.0.0/16 any -> 128.119.166.5 any
    - Notice: negation, any in network 128.119.0.0
  - Rule options
    - Specifies flags, content, output message
    - (flags: SFAPR; msg: "Xmas tree scan";)
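The header/options structure described on these slides is easiest to see by parsing it. The following is an added example, not code from the slides or from the Snort project: a small parser for the header fields (action, protocol, address with optional ! negation and CIDR mask, port or port range, direction) and for the "key: value" options (flags, content, msg, itype, icode), plus a matcher that applies the parsed rules to decoded packets the way the detection engine does. The rules fed to it are the ones that appear on these slides; the $HOME_NET / $EXTERNAL_NET / $SMTP values and all packets are constructed for the example. It handles only plain-string content (no |hex| sequences) and the "+" flag modifier.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed variable table standing in for snort.conf "var" lines (assumption:
# these values are invented for the example, not taken from any real config).
VARS = {
    "$HOME_NET": "128.119.0.0/16",
    "$EXTERNAL_NET": "!128.119.0.0/16",
    "$SMTP": "128.119.166.5",
}

# Rule header: action proto src src_port direction dst dst_port, then "(options)".
HEADER_RE = re.compile(
    r"^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*(?:\((.*)\))?\s*$")

@dataclass
class Rule:
    action: str; proto: str; src: str; src_port: str
    direction: str; dst: str; dst_port: str; options: dict

@dataclass
class Packet:                            # decoded fields the detection engine looks at
    proto: str; src: str; dst: str
    sport: int = 0; dport: int = 0
    flags: frozenset = frozenset()       # TCP flag letters: F S R P A U
    payload: bytes = b""
    itype: int = -1; icode: int = -1     # ICMP type/code

def parse_rule(text):
    """Split a rule into header fields and a dict of 'key: value' options.
    Option values must not themselves contain ';' (true for the slide examples)."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a Snort rule: " + text)
    action, proto, src, sp, direction, dst, dp, opts = m.groups()
    options = {}
    for item in (opts or "").split(";"):
        if ":" in item:
            key, value = item.split(":", 1)
            options[key.strip()] = value.strip().strip('"')
    return Rule(action.lower(), proto.lower(), src, sp, direction, dst, dp, options)

def _negation(spec):
    spec = VARS.get(spec, spec)          # resolve $VAR, then peel a leading "!"
    return (spec[1:], True) if spec.startswith("!") else (spec, False)

def addr_matches(spec, ip):
    spec, negate = _negation(spec)
    hit = spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate

def port_matches(spec, port):
    spec, negate = _negation(spec)
    if spec == "any":
        hit = True
    elif ":" in spec:                    # range "lo:hi"; either bound may be empty
        lo, hi = spec.split(":")
        hit = int(lo or 0) <= port <= int(hi or 65535)
    else:
        hit = port == int(spec)
    return hit != negate

def flags_match(spec, have):
    want = frozenset(spec.rstrip("+"))
    return want <= have if spec.endswith("+") else want == have   # "A+": ACK plus any others

def header_matches(rule, pkt):
    if rule.proto not in ("ip", pkt.proto):
        return False
    fwd = (addr_matches(rule.src, pkt.src) and port_matches(rule.src_port, pkt.sport)
           and addr_matches(rule.dst, pkt.dst) and port_matches(rule.dst_port, pkt.dport))
    if rule.direction == "->":
        return fwd
    rev = (addr_matches(rule.src, pkt.dst) and port_matches(rule.src_port, pkt.dport)
           and addr_matches(rule.dst, pkt.src) and port_matches(rule.dst_port, pkt.sport))
    return fwd or rev                    # "<>" matches either orientation

def options_match(rule, pkt):
    o = rule.options
    if "flags" in o and not flags_match(o["flags"], pkt.flags):
        return False
    if "content" in o and o["content"].encode() not in pkt.payload:
        return False
    if "itype" in o and pkt.itype != int(o["itype"]):
        return False
    if "icode" in o and pkt.icode != int(o["icode"]):
        return False
    return True

def evaluate(rules, pkt):
    """Return (action, msg) for every rule the packet triggers."""
    return [(r.action, r.options.get("msg", "")) for r in rules
            if header_matches(r, pkt) and options_match(r, pkt)]

# Rules from these slides; packets are constructed for the example.
RULES = [parse_rule(t) for t in (
    'alert tcp !128.119.0.0/16 any -> 128.119.166.5 any (flags: SFAPR; msg: "Xmas tree scan";)',
    'log tcp any any -> $SMTP 23 (msg: "telnet to the mail server!";)',
    'alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg: "TELNET login incorrect"; content: "Login incorrect"; flags: A+;)',
    'alert icmp any any -> any any (msg: "ICMP Source Quench"; itype: 4; icode: 0;)',
)]
SAMPLE_PACKETS = [
    Packet("tcp", "10.0.0.7", "128.119.166.5", 4444, 80, frozenset("SFAPR")),
    Packet("tcp", "10.0.0.7", "128.119.166.5", 5000, 23, frozenset("S")),
    Packet("tcp", "128.119.166.5", "10.0.0.7", 23, 5000, frozenset("AP"), b"Login incorrect\r\n"),
    Packet("icmp", "1.2.3.4", "128.119.1.1", itype=4, icode=0),
    Packet("icmp", "1.2.3.4", "128.119.1.1", itype=8, icode=0),
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p.proto, p.src, "->", p.dst, evaluate(RULES, p))
```

The third packet shows why the "TELNET login incorrect" rule is written with the server as source: the text "Login incorrect" travels from port 23 on $HOME_NET out to the client, so the rule watches the reply direction, and flags: A+ accepts any segment that carries ACK (here ACK and PSH).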
Simple examples
- log tcp any any -> $SMTP 23 (msg: "telnet to the mail server!";)
- alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg: "TELNET login incorrect"; content: "Login incorrect"; flags: A+;)
- alert icmp any any -> any any (msg: "ICMP Source Quench"; itype: 4; icode: 0;)

Prewritten Rulesets
- Snort comes packaged with a number of prewritten rulesets
  - include bad-traffic.rules
  - include exploit.rules
  - include scan.rules
  - include finger.rules
  - include ftp.rules
  - include telnet.rules
  - include smtp.rules
  - include rpc.rules
  - include rservices.rules
  - include dos.rules
  - include ddos.rules
  - include dns.rules
  - include tftp.rules
  - include web-cgi.rules
  - include web-coldfusion.rules
  - include web-frontpage.rules
  - ...

Vulnerability databases
- Rules correlated to common databases
  - Bugtraq
    - http://www.securityfocus.com/cgi-bin/vulns.pl
    - Ex. Bugtraq id 2283: 23-01-2001: Lotus Domino Mail Server 'Policy' Buffer Overflow Vulnerability
  - ArachNIDS
    - http://www.whitehats.com/ids/index.html
  - Common Vulnerabilities and Exposures
    - http://cve.mitre.org

Firewalls
- Gateway machines through which all traffic passes
- Can *stop* rather than simply log traffic that matches rules/filters

Types of firewalls
- Packet Filtering firewall
  - Operate on transport and network layers of the TCP/IP stack
- Application Gateways/Proxies
  - Operate on the application protocol level
(Figure: External Network - Packet Filtering Firewall - Internal Network; Proxy Client - Proxy Firewall - Actual Server)

Packet Filtering Firewall
- Operate on transport and network layers of the TCP/IP stack
- Decides what to do with a packet depending upon the following criteria:
  - Transport protocol (TCP, UDP, ICMP)
  - Source and destination IP address
  - The source and destination ports
  - ICMP message type/code
  - Various TCP options such as packet size, fragmentation etc.
- A lot like Ethereal capture/display filters
Packet Filtering
- Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23.
  - All incoming and outgoing UDP flows and telnet connections are blocked.
- Example 2: block inbound TCP segments with ACK=0 or with SYN bit set and ACK bit unset.
  - Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.

Packet Filtering Firewall: Terminology
- Stateless Firewall: the firewall makes a decision on a packet by packet basis.
- Stateful Firewall: the firewall keeps state information about transactions (connections).
- NAT - Network Address Translation
  - Translates public IP address(es) to private IP address(es) on a private LAN.
  - We looked at this already (must be stateful)

Packet Filtering Firewall: Functions
- Forward the packet(s) on to the intended destination
- Reject the packet(s) and notify the sender (ICMP dest unreach/admin prohibited)
- Drop the packet(s) without notifying the sender
- Log accepted and/or denied packet information
- NAT - Network Address Translation

Application Gateway (Proxy Server)
- Operate at the application protocol level (Telnet, FTP, HTTP)
- Filters packets on application data as well as on IP/TCP/UDP fields
- Application gateways "understand" the protocol and can be configured to allow or deny specific protocol operations.
- Typically, proxy servers sit between the client and actual service. Both the client and server talk to the proxy rather than directly with each other.
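The two packet-filtering examples, the forward/reject/drop/log functions and the stateless-versus-stateful distinction above can be tied together in one small simulation. This is an added example, not code from the slides: Example 1 and Example 2 are coded as stateless rules exactly as stated (protocol 17 or port 23; inbound TCP with ACK=0), and a stateful variant adds a flow table so that the reply leg of a connection the inside opened is forwarded. The traffic, the third rule (block inbound UDP) and the addresses are constructed for the example. It shows why Example 2 works without state (every reply segment carries ACK=1) while UDP replies, which have no such bit, need a stateful filter.

```python
from dataclasses import dataclass
from enum import Enum

TCP, UDP = 6, 17          # IP protocol numbers

class Action(Enum):
    FORWARD = "forward"   # pass the packet on to its destination
    REJECT = "reject"     # discard and notify the sender (ICMP dest unreach / admin prohibited)
    DROP = "drop"         # discard silently

@dataclass(frozen=True)
class Packet:
    direction: str        # "in" = external -> internal, "out" = internal -> external
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

# Example 1 from the slides: IP protocol field 17 (UDP), or source/dest port 23.
def block_udp_and_telnet(p):
    if p.proto == UDP or 23 in (p.sport, p.dport):
        return Action.DROP
    return None

# Example 2 from the slides: inbound TCP with ACK=0 (which covers SYN set and ACK unset,
# i.e. a connection attempt from outside). Internal clients can still connect out
# because every reply segment they receive carries ACK=1.
def block_inbound_tcp_setup(p):
    if p.direction == "in" and p.proto == TCP and (not p.ack or (p.syn and not p.ack)):
        return Action.REJECT
    return None

# Constructed rule for the stateful comparison: UDP has no ACK bit, so a stateless
# filter cannot tell a DNS reply from unsolicited inbound UDP.
def block_inbound_udp(p):
    if p.direction == "in" and p.proto == UDP:
        return Action.DROP
    return None

class StatelessFilter:
    """Decides packet by packet: first matching rule wins, default is forward."""
    def __init__(self, rules):
        self.rules = rules
        self.log = []     # (decision, direction, proto, src:sport, dst:dport)

    def decide(self, p):
        action = Action.FORWARD
        for rule in self.rules:
            verdict = rule(p)
            if verdict is not None:
                action = verdict
                break
        self.log.append((action.value, p.direction, p.proto,
                         f"{p.src}:{p.sport}", f"{p.dst}:{p.dport}"))
        return action

class StatefulFilter(StatelessFilter):
    """Keeps a table of flows the inside opened; the reply leg of such a flow is
    forwarded before the stateless rules are consulted."""
    def __init__(self, rules):
        super().__init__(rules)
        self.flows = set()

    def decide(self, p):
        if p.direction == "in" and (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            self.log.append(("forward(established)", p.direction, p.proto,
                             f"{p.src}:{p.sport}", f"{p.dst}:{p.dport}"))
            return Action.FORWARD
        action = super().decide(p)
        if action is Action.FORWARD and p.direction == "out":
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return action

def run(fw, packets):
    return [fw.decide(p).value for p in packets]

# Constructed traffic: an inside host opens a TCP and a UDP (DNS) exchange, and an
# outside host tries to open SSH and telnet connections inward.
TRAFFIC = [
    Packet("out", TCP, "10.0.0.5", 40000, "93.184.216.34", 80, syn=True),
    Packet("in",  TCP, "93.184.216.34", 80, "10.0.0.5", 40000, syn=True, ack=True),
    Packet("in",  TCP, "1.2.3.4", 5555, "10.0.0.5", 22, syn=True),
    Packet("out", UDP, "10.0.0.5", 5353, "8.8.8.8", 53),
    Packet("in",  UDP, "8.8.8.8", 53, "10.0.0.5", 5353),
    Packet("in",  TCP, "1.2.3.4", 5556, "10.0.0.5", 23, syn=True),
]
RULES = [block_inbound_tcp_setup, block_inbound_udp]

if __name__ == "__main__":
    print("example 1 only:", run(StatelessFilter([block_udp_and_telnet]), TRAFFIC))
    print("stateless:     ", run(StatelessFilter(RULES), TRAFFIC))
    print("stateful:      ", run(StatefulFilter(RULES), TRAFFIC))
```

Comparing the last two runs, the only packet decided differently is the DNS reply: the stateless filter drops it, the stateful one forwards it because the matching outbound query is in the flow table. The inbound SYN-ACK is forwarded by both, which is exactly the property Example 2 relies on.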
Application gateways
(Figure: host-to-gateway telnet session; application gateway; gateway-to-remote host telnet session; router and filter)
- Example: allow select internal users to telnet outside.
1. Require all telnet users to telnet through the gateway.
2. For authorized users, the gateway sets up a telnet connection to the dest host. The gateway relays data between the 2 connections.
3. The firewall filter blocks all telnet connections not originating from the gateway.

Firewall Hardware/Software
- Dedicated hardware/software application such as the Cisco PIX Firewall which filters traffic passing through the multiple network interfaces.
- A Unix or Windows based host with multiple network interfaces, running a firewall software package which filters incoming and outgoing traffic across the interfaces.
- A Unix or Windows based host with a single network interface, running a firewall software package which filters the incoming and outgoing traffic to the individual interface.