Outline Firewalls and NAT boxes CSci 5271 Introduction to Computer - PDF document

Outline Firewalls and NAT boxes CSci 5271 Introduction to Computer Security Announcements intermission Day 21: Firewalls, NATs, and IDSes Stephen McCamant Intrusion detection systems University of Minnesota, Computer Science & Engineering Internet addition: middleboxes Security/connectivity tradeoff A lot of security risk comes from a Original design: middle of net is only network connection routers Attacker could be anywhere in the world End-to-end principle Reducing connectivity makes security Modern reality: more functionality in the easier network Connectivity demand comes from end Security is one major driver users What a firewall is Inbound and outbound control Most obvious firewall use: prevent Basically, a router that chooses not to attacks from the outside forward some traffic Often also some control of insiders Based on an a-priori policy Block malware-infected hosts More complex architectures have Employees wasting time on Facebook multiple layers Selling sensitive info to competitors DMZ : area between outer and inner Nation-state Internet management layers, for outward-facing services May want to log or rate-limit, not block

Default: deny IPv4 address scarcity Design limit of ✷ ✸✷ hosts Usual whitelist approach: first, block Actually less for many reasons everything Addresses becoming gradually more Then allow certain traffic scarce over a many-year scale Basic: filter packets based on headers Some high-profile exhaustions in 2011 More sophisticated: proxy traffic at a IPv6 adoption still quite low, occasional higher level signs of progress Network address translation (NAT) Packet filtering rules Middlebox that rewrites addresses in Match based on: packets Source IP address Main use: allow inside network to use Source port Destination IP address non-unique IP addresses Destination port RFC 1918: 10.*, 192.168.*, etc. Packet flags: TCP vs. UDP , TCP ACK, etc. While sharing one outside IP address Action, e.g. allow or block Inside hosts not addressable from outside Obviously limited in specificity De-facto firewall Client and server ports Stateful filtering In general: firewall rules depend on TCP servers listen on well-known port previously-seen traffic numbers Often ❁ 1024, e.g. 22 for SSH or 80 for Key instance: allow replies to an HTTP outbound connection Clients use a kernel-assigned random See: port 23746 to port 80 high port Allow incoming port 23746 Plain packet filter would need to allow To same inside host all high-port incoming traffic Needed to make a NAT practical

Circuit-level proxying Application-level proxying Knows about higher-level semantics Firewall forwards TCP connections for Long history for, e.g., email, now HTTP inside client most important Standard protocol: SOCKS More knowledge allows better filtering Supported by most web browsers decisions Wrapper approaches for non-aware apps But, more effort to set up Not much more powerful than Newer: “transparent proxy” packet-level filtering Pretty much a man-in-the-middle Tunneling Outline Any data can be transmitted on any Firewalls and NAT boxes channel, if both sides agree E.g., encapsulate IP packets over SSH Announcements intermission connection Compare covert channels, steganography Intrusion detection systems Powerful way to subvert firewall Some legitimate uses Note to early readers Outline Firewalls and NAT boxes This is the section of the slides most likely to change in the final version Announcements intermission If class has already happened, make sure you have the latest slides for Intrusion detection systems announcements

Basic idea: detect attacks Network and host-based IDSes The worst attacks are the ones you Network IDS: watch packets similar to don’t even know about firewall Best case: stop before damage occurs But don’t know what’s bad until you see it More often implemented offline Marketed as “prevention” Host-based IDS: look for compromised Still good: prompt response process or user from within machine Challenge: what is an attack? Signature matching Anomaly detection Learn pattern of normal behavior Signature is a pattern that matches “Not normal” is a sign of a potential known bad behavior attack Typically human-curated to ensure Has possibility of finding novel attacks specificity Performance depends on normal See also: anti-virus scanners behavior too Recall: FPs and FNs Signature and anomaly weaknesses False positive: detector goes off Signatures without real attack Won’t exist for novel attacks Often easy to attack around False negative: attack happens without Anomaly detection detection Hard to avoid false positives Any detector design is a tradeoff Adversary can train over time between these (ROC curve)

Base rate problems Adversarial challenges If the true incidence is small (low base FP/FN statistics based on a fixed set of rate), most positives will be false attacks Example: screening test for rare disease But attackers won’t keep using Easy for false positives to overwhelm techniques that are detected admins Instead, will look for: E.g., 100 attacks out of 10 million Existing attacks that are not detected packets, 0.01% FP rate Minimal changes to attacks How many false alarms? Truly novel attacks Wagner and Soto mimicry attack Next time Host-based IDS based on sequence of syscalls Compute ❆ ❭ ▼ , where: Malware and network denial of service ❆ models allowed sequences ▼ models sequences achieving attacker’s goals Further techniques required: Many syscalls made into NOPs Replacement subsequences with similar effect