Page 1: 1 Guide to Network Defense and Countermeasures Chapter 9.

Guide to Network Defense and Countermeasures

Chapter 9

Chapter 9 - Intrusion Detection: Preventative Measures

Explain the benefits of the Common Vulnerabilities and Exposures (CVE) standard

Understand why logging network traffic is an integral part of intrusion detection

Analyze intrusion signatures so that you can block unauthorized access to resources

Identify suspicious events when they are captured by an intrusion detection device

Develop filters so that you can take a proactive approach to intrusion detection

Common Vulnerabilities and Exposures (CVE)

CVE enables security devices (routers, firewalls, IDSs) to share information about attacks and other vulnerabilities so they can work together.

CVE enables hardware and security devices that support it to draw from the same databases of vulnerabilities, all presented in the same standard format.

If an IDS that supports CVE transmits an alarm message, the attack signature is compared to the report of current vulnerabilities to see whether an attack has actually occurred.

Common Vulnerabilities and Exposures (CVE)

Scanning CVE vulnerability descriptions: CVE vulnerabilities can be viewed online and can even be downloaded.

The CVE list is not a vulnerability database that can be used with an IDS; it is simply an informational tool. Its listings are brief, and they refer to listings in other databases.

CVE references contain the name of the vulnerability, a short description, and references to the event in other databases.

Logging and Intrusion Detection

Network security devices generate substantial amounts of log file information over time. Analyzing log data manually becomes virtually impossible, so the task can be automated by installing log analysis software.

A shareware program called ZoneLog is designed to analyze the log file information compiled by the ZoneAlarm firewall; the data is color coded to help determine which entries are possible attacks.

Snort is an IDS program, common on UNIX/Linux, that creates log files organized by IP address.

Analyzing Intrusion Signatures

Signature analysis is the practice of assessing TCP/IP communications to determine whether they are legitimate or suspicious.

Suspicious packets fall into these categories:

Bad header information - packets that contain malformed header data, where IP or port data is affected; packet alteration commonly occurs here.

Suspicious data payload - packets may contain payload text that reveals hacker tactics and/or known attack information.

Analyzing Intrusion Signatures

Suspicious packets (cont.):

Single-packet attacks can be completed by sending a single network packet from client to host; no connection is required when one packet is sent like this. If IP Options settings are manipulated, a server can be forced to freeze or provide data to a hacker.

Multiple-packet attacks require a series of packets to be received and executed in order for the attack to be completed; these attacks, also called composite attacks, are especially difficult to detect. DoS attacks are an example of a composite attack.

Analyzing Intrusion Signatures

Capturing packets is an effective way to become familiar with their contents. Studying packets helps you better understand signatures, since the two are close in format. The goal is to begin to identify features that tell you what type of connection is underway and whether the connection is legitimate or suspicious.

Packet sniffers monitor network device traffic; they capture information about each detected packet.

Two examples of packet capture software: Ethereal for Windows and Linux, and the IDS program Snort.

Analyzing Intrusion Signatures

To recognize suspicious traffic signatures, first learn to recognize normal traffic signatures.

One aspect of normal TCP signatures that is easiest to identify is the use of TCP flags (SYN, ACK, PSH, URG, RST, FIN, and the reserved bits 1 and 2).

The placement and use of these flags is very definite and strictly defined; deviations from normal usage mean that the communication is suspicious.

The SYN flag appears at the beginning of a connection and the FIN flag at the end; it is suspicious if both of these flags appear in the same packet.

Analyzing Intrusion Signatures

Normal traffic signatures (cont.):

Ping signatures reveal a great deal about the systems involved in ICMP echo requests; the type of computers involved (their OS) can be determined from the Time to Live, the IP length, the datagram length, and certain payload characters.

FTP signatures: a normal connection between a client and an FTP server includes a three-way handshake; three separate packets contain different TCP flags that let you track the connection. In particular, if the MSS option is seen in an ACK or ACK/PSH packet, the packet could be falsified.

Analyzing Intrusion Signatures

Normal traffic signatures (cont.):

WWW signatures consist of the packets sent back and forth between a Web browser and a Web server as a connection is made. A signature of a normal handshake between a Web browser and a Web server consists of a sequence of packets distinguished by their TCP flags: the first packet has the SYN flag set; the second packet has the ACK flag set; the ACK flag is then exchanged to acknowledge that a connection has been made; and the PSH flag is used along with the ACK flag to indicate that data is going to be pushed (sent) from a buffer.

Analyzing Intrusion Signatures

Categories of suspicious traffic signatures:

Informational - may not be malicious in itself, but could be used to verify a successful attack.

Reconnaissance - may represent an attempt to gain information about a network as a prelude to an attack.

Unauthorized access - may be caused by someone who has gained unauthorized access to the system and is attempting to retrieve data from it.

Denial of Service - may be part of an attempt to slow or halt all connections on a network device, such as a Web server or mail server.

Analyzing Intrusion Signatures

Suspicious traffic signatures (cont.):

Ping sweeps involve sending a series of ICMP Echo Request packets to a range of IP addresses; this is one method of determining the location of a host in order to gain network access. The ping sweep does not itself harm the network, but the source IP address should be noted to track further activity.

Port scans are attempts to connect to a computer's ports to see if any are active and listening; hackers perform them once they have obtained the IP address. Port scans typically consist of a SYN packet sent to each port on an IP address, one after the other.

Analyzing Intrusion Signatures

Suspicious traffic signatures (cont.):

Random back door scans involve finding an undocumented or unauthorized opening (such as a port) through which a computer, program, or other resource can be accessed.

One type of port scan probes a computer to see whether any ports are open and listening that are used by well-known Trojan horses, which are programs that seem harmless but can cause harm to a computer or its files; each SYN packet sent attempts to contact a different port used by a Trojan horse.

Analyzing Intrusion Signatures

Suspicious traffic signatures (cont.):

Specific Trojan scans reflect the fact that port scans can be performed in several ways: in a vanilla scan, all of the ports from 0 to 65,535 are probed in succession; in a strobe scan, a hacker scans only the ports used by specific programs, in an attempt to see whether such a program is present and can be utilized.

Port 31337 is used by the Back Orifice Trojan horse, as well as the Trojans ADM worm, Back Fire, and BlitzNet.
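The ping sweep, port scan and Trojan-port scan signatures of the preceding slides as an added Python detector (not code from the book or from Snort): it groups a constructed packet log by source address and raises one alert per pattern. The log line layout, the alert thresholds and the Trojan port table are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample lines in a simple "time src -> dst[:port] proto [flags]" layout;
# they are not real Snort or firewall output.
SAMPLE_LOG = """\
10:00:01 203.0.113.5 -> 192.0.2.1 ICMP echo-request
10:00:01 203.0.113.5 -> 192.0.2.2 ICMP echo-request
10:00:02 203.0.113.5 -> 192.0.2.3 ICMP echo-request
10:00:02 203.0.113.5 -> 192.0.2.4 ICMP echo-request
10:00:02 203.0.113.5 -> 192.0.2.5 ICMP echo-request
10:00:09 203.0.113.5 -> 192.0.2.3:21 TCP S
10:00:09 203.0.113.5 -> 192.0.2.3:22 TCP S
10:00:09 203.0.113.5 -> 192.0.2.3:23 TCP S
10:00:09 203.0.113.5 -> 192.0.2.3:25 TCP S
10:00:10 203.0.113.5 -> 192.0.2.3:80 TCP S
10:00:10 203.0.113.5 -> 192.0.2.3:31337 TCP S
10:00:30 198.51.100.7 -> 192.0.2.3:80 TCP S
10:00:30 198.51.100.7 -> 192.0.2.3:80 TCP PA
"""

# Ports the chapter associates with well-known Trojan horses; only 31337 is named
# on the slides, so this table is deliberately short (extend it for a real deployment).
TROJAN_PORTS = {31337: "Back Orifice / ADM worm / Back Fire / BlitzNet"}

def parse_line(line):
    """Split one constructed log line into its fields; port is None for ICMP."""
    time, src, _, dst, proto, *rest = line.split()
    host, _, port = dst.partition(":")
    return {"time": time, "src": src, "dst": host,
            "port": int(port) if port else None,
            "proto": proto, "flags": rest[0] if rest else ""}

def detect_scans(log_text, sweep_hosts=4, scan_ports=5):
    """Flag ping sweeps, SYN port scans and probes of known Trojan ports per source."""
    echo_targets = defaultdict(set)   # src -> hosts that received echo requests
    syn_ports = defaultdict(set)      # (src, dst) -> ports that received a bare SYN
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["proto"] == "ICMP" and ev["flags"] == "echo-request":
            echo_targets[ev["src"]].add(ev["dst"])
        elif ev["proto"] == "TCP" and ev["flags"] == "S":
            syn_ports[(ev["src"], ev["dst"])].add(ev["port"])
            if ev["port"] in TROJAN_PORTS:
                alerts.append(f"trojan probe: {ev['src']} -> {ev['dst']}:{ev['port']} "
                              f"({TROJAN_PORTS[ev['port']]})")
    for src, hosts in echo_targets.items():
        if len(hosts) >= sweep_hosts:
            alerts.append(f"ping sweep: {src} pinged {len(hosts)} hosts")
    for (src, dst), ports in syn_ports.items():
        if len(ports) >= scan_ports:
            alerts.append(f"port scan: {src} sent SYN to {len(ports)} ports on {dst}")
    return alerts
```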

Analyzing Intrusion Signatures

Suspicious traffic signatures (cont.):

Nmap is a popular tool for scanning networks; Nmap enables hackers to send packets that circumvent the normal three-way handshake performed by two computers establishing a connection. An example of this type of scan is the FIN scan.

Nmap enables a hacker to send packets for which an IDS might not be configured to send an alarm, especially if there is no rule to trigger an alarm when a certain combination of TCP flags is seen.

Identifying Suspicious Events

Once an IDS transmits an alarm, you should look for suspicious characteristics and events.

Packet header discrepancies seen in TCP, IP, ICMP, or UDP headers can provide warnings.

Falsified IP address alarms could indicate that a network device has been misconfigured or is malfunctioning, or they could indicate IP spoofing.

A port number could be falsified if the source or destination port in a TCP or UDP header is set to 0; a protocol number could be falsified if it is set to 134 or greater.

Identifying Suspicious Events

Packet header discrepancies (cont.):

Illegal TCP flags are one of the most obvious ways to detect an abnormal packet signature. Common misuses of the SYN and FIN flags: having both flags together in a packet; packets containing a FIN flag by itself; SYN-only packets containing data.

Another misuse of flags involves a null packet, which is a packet that has no flags set.

TCP or IP options present in packets can be attacks.

Fragmentation abuses can occur when a large number of fragmented packets are encountered.
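The header discrepancy checks of these two slides, plus the Land attack, LocalHost source spoof (the 127.x.x.x source also named under RPC set spoof) from the chapter summary, as an added Python example that is not from the textbook: it parses a raw IPv4/TCP packet and returns every discrepancy the chapter lists. The packet builder, the addresses and the use of 134 as the protocol threshold are assumptions taken from the slides, not a Snort feature.

```python
import struct
from ipaddress import IPv4Address

# TCP flag bits as they appear in the flags byte of the TCP header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def build_packet(src, dst, proto=6, sport=1234, dport=80, flags=SYN, payload=b""):
    """Constructed IPv4 (20-byte header, no options) + TCP (20-byte header) packet.
    Checksums are left zero; the checker below never relies on them."""
    total = 40 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp + payload

def check_packet(raw):
    """Return the list of header discrepancies the chapter describes; [] means normal."""
    findings = []
    ihl = (raw[0] & 0x0F) * 4
    proto = raw[9]
    src, dst = IPv4Address(raw[12:16]), IPv4Address(raw[16:20])
    if proto >= 134:  # threshold stated in the chapter; IANA has assigned a few numbers above it since
        findings.append(f"falsified protocol number {proto}")
    if src.is_loopback:
        findings.append(f"LocalHost source spoof: source {src}")
    if src == dst:
        findings.append("Land attack: source equals destination")
    if proto != 6 or len(raw) < ihl + 20:
        return findings  # the remaining checks apply to TCP headers only
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    doff = (raw[ihl + 12] >> 4) * 4
    flags = raw[ihl + 13]
    payload = raw[ihl + doff:]
    if sport == 0 or dport == 0:
        findings.append(f"falsified port: {sport} -> {dport}")
    if flags & SYN and flags & FIN:
        findings.append("illegal flags: SYN and FIN together")
    if flags == FIN:
        findings.append("illegal flags: FIN by itself")
    if flags == SYN and payload:
        findings.append("SYN-only packet carrying data")
    if flags == 0:
        findings.append("null packet: no TCP flags set")
    return findings

if __name__ == "__main__":
    for pkt in (build_packet("203.0.113.5", "192.0.2.10"),
                build_packet("203.0.113.5", "192.0.2.10", flags=SYN | FIN),
                build_packet("127.0.0.1", "192.0.2.10", sport=0, flags=0)):
        print(check_packet(pkt) or "normal")
```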

Identifying Suspicious Events

Advanced IDS attacks are those that are especially complex, such as:

Polymorphic buffer overflow attacks change their code so that they do not match the known signatures used by many IDS systems; once they reach their intended target, they reassemble into their original form.

Path obfuscation involves altering the directory path statement in a packet payload by adding forward slashes; this keeps signatures from matching.

CGI scripts - a series of packets is sent to a series of well-known Common Gateway Interface scripts.

Identifying Suspicious Events

Remote Procedure Call (RPC) is a standard set of communication rules that allow one computer to request a service from another.

RPC-related events that should trigger alarms:

RPC dump - a target host receives an RPC dump request, which is a request to report the presence and port usage of any RPC services.

RPC set spoof - a target host receives an RPC set request from a source IP address of 127.x.x.x.

RPC NFS sweep - a target host receives a series of requests for the NFS program.

Developing IDS Filter Rules

Respond to IDS alarms by adjusting packet filtering rules and creating rules on the IDS.

Configure an IDS to take action (not just alert) as part of its rules when it detects suspicious packets.

Rule actions add another layer of network defense; the rule actions are alert, log, pass, activate (which alerts, but also creates a rule to cover subsequent logging), and dynamic (enables logging of subsequent packets when a particular packet is detected).

Rule data applies to the rule after a signature match occurs; it includes protocol, source and destination IP addresses, port numbers, and direction of traffic.

Developing IDS Filter Rules

Adjusting packet filtering rules (cont.):

Rule options allow rules to become quite granular; options follow the rule data in the rule specification.

Rule options cause specific actions: ttl matches on Time to Live; id matches on the fragment ID number; flags matches on specific TCP flags; ack matches the ACK flag; content matches on a defined data payload string; logto causes data to be logged to a specified file name instead of the default log files.

The rule base for an IDS is different from the packet filter rule base and will help you analyze what traffic is getting through the filter.
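The rule actions, rule data and rule options of these two slides as an added Python example (not the book's or Snort's code): a minimal matcher that parses Snort-style rules, applies the rule data first and then the ttl, id, flags and content options, and returns the action, msg and logto of the first rule that matches. The three rules, the packet layout and the '->'-only direction handling are assumptions made for this example.

```python
from ipaddress import ip_address, ip_network
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}  # Snort flag letters

def parse_rule(text):
    """Split a Snort-style rule into action, rule data and options ('->' direction only)."""
    head, _, opts = text.partition("(")
    action, proto, src, sport, _direction, dst, dport = head.split()
    options = {}
    for item in opts.rstrip(");").split(";"):
        if item.strip():
            key, _, val = item.strip().partition(":")
            options[key] = val.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": options}

def addr_matches(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

def port_matches(spec, port):
    return spec == "any" or int(spec) == port

def rule_matches(rule, pkt):
    """Rule data is checked first, then every supported option; all must hold."""
    o = rule["options"]
    if rule["proto"] != pkt["proto"]:
        return False
    if not (addr_matches(rule["src"], pkt["src"]) and addr_matches(rule["dst"], pkt["dst"])):
        return False
    if not (port_matches(rule["sport"], pkt["sport"]) and port_matches(rule["dport"], pkt["dport"])):
        return False
    if "ttl" in o and pkt["ttl"] != int(o["ttl"]):
        return False
    if "id" in o and pkt["id"] != int(o["id"]):
        return False
    # A bare flags:XY means exactly those flags set (Snort's default for the flags option)
    if "flags" in o and pkt["flags"] != sum(FLAG_BITS[c] for c in o["flags"]):
        return False
    if "content" in o and o["content"].encode() not in pkt["payload"]:
        return False
    return True

def evaluate(rules, pkt):
    """Return (action, msg, logto) of the first matching rule, or None when nothing matches."""
    for rule in rules:
        if rule_matches(rule, pkt):
            o = rule["options"]
            return rule["action"], o.get("msg", ""), o.get("logto")
    return None

# Constructed rules exercising the alert, log and pass actions named on the slides
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> 192.0.2.0/24 any (msg:"SYN/FIN scan"; flags:SF;)',
    'log tcp any any -> 192.0.2.0/24 80 (msg:"CGI probe"; content:"/cgi-bin/"; logto:"cgi.log";)',
    'pass icmp 198.51.100.0/24 any -> 192.0.2.0/24 any (msg:"monitoring host ping";)',
)]

def packet(src, dst, proto="tcp", sport=40000, dport=80, flags=0x02, ttl=64, pid=0, payload=b""):
    """Constructed packet summary in the shape rule_matches expects."""
    return dict(src=src, dst=dst, proto=proto, sport=sport, dport=dport, flags=flags, ttl=ttl, id=pid, payload=payload)
```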

Chapter Summary

This chapter discussed how to prevent intrusions by understanding how to interpret the signatures of both normal and abnormal network traffic. By being able to recognize the characteristics of a possible intrusion, you gain the ability to read log files and alert messages and react to them effectively. You can adjust filter rules to reduce the number of false alarms you receive from your IDS. More importantly, you are able to prevent intrusions before they occur or keep intrusions that are already underway from causing excessive damage.

It is important to have your network security hardware and software work cooperatively by being able to share information. A standard called the Common Vulnerabilities and Exposures (CVE) enables IDS systems, firewalls, and other devices to share attack signatures and information about network vulnerabilities so they can better protect a network. A list of current vulnerabilities is maintained as an online database by MITRE, and you can use the list to update your own CVE database and learn about new attacks.

Examination and analysis of the log files compiled by your IDS and other devices can help tell you whether remote computers are scanning your network as a prelude to an attack. However, reviewing the log files manually can be tedious and time consuming. A log file analysis program automates the process and helps you identify which external hosts have been attempting to gain unauthorized access. The log files can also reveal patterns of access attempts that may represent intrusion attempts.

The analysis of intrusion signatures is an integral aspect of intrusion prevention. A signature is a set of characteristics such as IP address, port numbers, TCP flags, and options. Normal traffic makes valid use of such settings. Note that possible intrusions are marked by invalid settings that an IDS is sometimes unable to interpret and that are allowed to pass through to the internal network. Those invalid settings include bad header information, suspicious contents in the payload of packets, IP options settings, and a succession of packets such as a Denial of Service attempt.

You can set up the freeware IDS Snort as a packet sniffer so that you can capture packets and study their contents. Parts of a packet header indicate whether a Windows or Linux system is being used. The TCP flags are used in sequence to create a normal three-way handshake between two computers. By learning how normal traffic signatures look, you are able to identify suspicious signatures. Monitor suspicious events such as ping sweeps, port scans, random back door scans, and scans for specific Trojan horse programs. The characteristics of packets crafted with the popular network mapping tool Nmap were also discussed.

You can identify a variety of other suspicious network events. These include orphaned packets, Land attacks, LocalHost Source Spoofs, falsified protocol numbers, and illegal combinations of TCP flags.

Advanced IDS attacks are especially difficult to detect. Certain complex attacks called polymorphic buffer overflow attacks can be altered so they don't match a known intrusion signature and elude the IDS. Others use confusing path names or other keywords in the data payload. Still others attempt to connect with and abuse common CGI scripts that may be present, or remote procedure calls that also enable remote users to access services.

IDS devices can have their own set of filter rules, like packet filtering routers and firewalls. You can configure a set of rules to send alert messages if ICMP packets or other suspicious packets pass through a packet filter on the perimeter of the network and reach the IDS. Such rules can also be configured to log events or a range of subsequent packets. Rule options such as messages that can be associated with suspicious events can greatly assist you in interpreting log files and determining how to react to attack attempts.