e-Security Page 1
Requirements Analysis
(Kreugel C. et al, 2005) state that with the explosion in use of the internet, companies have
increasingly put critical resources on line. This makes these resources vulnerable because no
system connected to the internet is 100% secure.
System administrators therefore need to be aware of any malicious or unusual activity occurring
on the network. They must be aware of any threat to critical resources. The usual solution is an
Intrusion Detection System.
An Intrusion Detection System is a device or application used to monitor network traffic and to
report any violation of security policies or suspicious activity. They are passive systems, which
inspect network traffic for violations and report these with alerts or logs (Julish 2003, p444).
The seminal paper by Dorothy Denning (Denning, 1987) suggested a model for intrusion
detection systems which is followed by most of those currently available.
However any detection tool is only worthwhile if you have time to look at what it's telling you.
Therefore an alerting system that will scan logs and give timely alerts is necessary.
In this coursework, I am required to design and create an outline implementation of an Intrusion
Detection System which will illustrate the use of an agent based approach and provide useful
alerts.
Since this is an outline implementation I will restrict the detection to a few threats to the server
in each category, describing them, and illustrating how they will be detected in the
implementation.
Since we are not interested in all network traffic - only traffic to this host - I will base all
detection of threats on the host's IP/MAC address only, and promiscuous mode will not be
required of the network interface card.
For the purpose of this exercise the system to be protected is running FTP, Telnet and Web
servers.
These are characterised below.
FTP Server
File Transfer Protocol (FTP) is a network protocol used to transfer files over a TCP/IP network
such as the Internet.
FTP is built on a client-server architecture and has separate control and data connections
between the client and server applications.
The FTP protocol was originally defined in (RFC 959, 1985).
(RFC 959, 1985) states that a client makes a connection to the server using TCP port 21 on the
server. This connection, called the control connection, remains open for the duration of the
session.
Commands are sent by the client over the control connection in ASCII. Server responses on the
control connection are three digit status codes in ASCII and an optional text message. For
example '200' or '200 OK.' shows that the last command completed successfully.
In active mode, a second connection on port 20 on the client is opened by the server to transfer
data. However many firewalls are set to reject incoming TCP requests and so passive mode
(PASV command) can be used. In this mode the server supplies the IP address and port to
connect to for the transfer and the client opens the connection to the server. This connection
will be allowed by the firewall.
FTP is specifically designed for users to upload or download files to and from the server. If an
attacker could access the password file (/etc/passwd in Linux) and download it then they could
try a brute force decryption at their leisure. Similarly the windows SAM file (Security Account
Manager) in the registry could yield invaluable information to any attacker.
Alert: Our system must alert any access to 'sensitive' folders or files.
Detection: The text 'root', 'cwd root', 'passwd' or 'cd c:\' in packet contents would
indicate unusual activity. Any directory traversal to the System32 folder in Windows, or any
other sensitive folder, should be flagged.
(Saliou et al, p2) state that intruders often target poorly secured FTP servers. They attempt to
gain privileged access by trying multiple combinations of username and password.
Alert: Our system must alert on multiple attempted passwords, as this is unusual activity.
Detection: This can be detected by counting the number of bad password attempts in a given
time. A threshold can be set according to the expected usage of the server; however, I would
set it at a very low level. A user might mistype their password and this is to be expected, but
“Once is happenstance. Twice is coincidence. The third time it’s enemy action.”
Fleming (1959)
FTP server versions may also be susceptible to buffer overflow attacks. (Microsoft 2009(1))
reports a buffer overflow vulnerability in the FTP server within IIS 5.x, IIS 6.x and IIS 7
which will allow arbitrary code to be run with SYSTEM privileges.
Alert: Our system must alert for possible buffer overflow attempts.
Detection: (Snort Rules, 2010) characterises the above FTP server NLST buffer overflow
attempt as a packet containing the text NLST followed by at least 200 further characters and,
from a decode of the given regular expression, within these 200 characters the text NLST
again, then the newline character followed by a space and any non-newline character.
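The three FTP alerts above (sensitive-file access, the low bad-password threshold, and the NLST long-argument signature) can be expressed as one small detection agent run over control-channel events. This is an added illustration, not code from the coursework; the event records, the 60-second window and the keyword list are constructed here, and the NLST check implements only the "NLST plus at least 200 further characters" part of the description.

```python
import re
from collections import defaultdict, deque

# Constructed FTP control-channel events, not real captures:
# (seconds since start, client IP the session belongs to, direction, text)
# direction 'C' = command from client, 'S' = reply from server.
EVENTS = [
    (0, "10.0.0.5", "C", "USER alice"),
    (1, "10.0.0.5", "S", "530 Login incorrect."),
    (2, "10.0.0.5", "S", "530 Login incorrect."),
    (3, "10.0.0.5", "S", "530 Login incorrect."),
    (4, "10.0.0.9", "C", "CWD root"),
    (5, "10.0.0.9", "C", "RETR /etc/passwd"),
    (6, "10.0.0.7", "C", "NLST " + "A" * 250),   # constructed over-long argument
    (7, "10.0.0.8", "C", "NLST pub"),            # benign listing request
]

# Keywords from the text; the more specific 'cwd root' is listed first so it wins.
SENSITIVE = ("cwd root", "root", "passwd", "cd c:\\", "system32")
BAD_LOGIN_THRESHOLD = 3     # "the third time it's enemy action" (assumed value)
WINDOW_SECONDS = 60         # assumed sliding window for counting 530 replies
# NLST followed by at least 200 further characters of any kind.
NLST_RE = re.compile(r"NLST.{200,}", re.IGNORECASE | re.DOTALL)

def analyse(events, threshold=BAD_LOGIN_THRESHOLD, window=WINDOW_SECONDS):
    """Return a list of (client_ip, rule, detail) alerts for the given events."""
    alerts = []
    failures = defaultdict(deque)   # client_ip -> timestamps of recent 530 replies
    for t, ip, direction, text in events:
        low = text.lower()
        if direction == "C":
            hit = next((k for k in SENSITIVE if k in low), None)
            if hit:
                alerts.append((ip, "sensitive-access", hit))
            if low.startswith("nlst") and NLST_RE.search(text):
                alerts.append((ip, "nlst-overflow", len(text)))
        elif low.startswith("530"):          # FTP reply code: login failed
            recent = failures[ip]
            recent.append(t)
            while recent and t - recent[0] > window:   # drop attempts outside window
                recent.popleft()
            if len(recent) == threshold:     # alert exactly once, on the Nth failure
                alerts.append((ip, "brute-force", len(recent)))
    return alerts

if __name__ == "__main__":
    for alert in analyse(EVENTS):
        print(alert)
```

The same 530 counter serves the Telnet section's note that multiple failed logins are alerted in the same way, keyed on the client address rather than the protocol.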
Telnet Server
The Telnet server is an application which uses TCP on port 23 to provide a command line
interface for a remote computer.
Telnet does not encrypt any traffic – not even passwords – and so anyone intercepting a logon
by using a packet sniffer could use these credentials to maliciously log on.
Telnet is also, like any software, vulnerable to exploits. Despite being a venerable (1969)
protocol, exploits are still being found in particular implementations. Recently (Microsoft,
2009(2)) announced a vulnerability in their Telnet implementation which allowed an attacker to
obtain credentials of a logged on user and to log back in with identical user rights.
If an attacker can log on with an identity which has sufficient privileges, then they can do
virtually anything on the server. They can move to any directory and run any executable file,
create user accounts for subsequent logons, delete files and directories and so on.
Alert: Our system must alert when a user logs on or attempts to log on with privileged
access.
Detection: A login as root or administrator can be detected with the username in the content
of a packet.
Multiple failed logins are also unusual, other than in an attempted brute force password crack,
and so will be alerted as noted in the FTP section.
Web Server
The web server is an application which sends content requested by a client program using the
HTTP protocol. The client usually connects on port 80. HTTP, an application layer protocol,
usually uses the TCP/IP protocols to establish a reliable connection between the client and the
server.
HTTP is a stateless protocol, which means that the server does not keep information about the
client between requests. If an application needs to track a client's progress from page to page
then this can be done using cookies or using URL encoded parameters, e.g.
index.php?user_id=1234. Unfortunately these methods allowed by HTTP can be exploited.
Recently SQL injection attacks have been one of the top exploits against web applications
(sans.org, 2009).
SQL Injection occurs when a web application acting as a front end to a database accepts user
input, either by URL encoded parameters or by form input, which is not validated. This could
allow an attacker not only to modify, add or delete data but compromise the whole machine.
“Certain SQL Servers such as Microsoft SQL Server contain Stored and Extended
Procedures (database server functions). If an attacker can obtain access to these
Procedures it may be possible to compromise the entire machine.” (CGISecurity.com (2)
2008)
We must therefore alert any attempt at SQL Injection.
Alert: Our system must alert at any attempt at SQL Injection.
Detection: Applications that are vulnerable to this attack build their query string by
concatenating the application SQL query with the user input e.g.
SELECT * FROM ITEMS WHERE ( ItemName =" & userinput & "COLOUR = ORANGE);
If userinput isn't validated then it may contain invalid 'dangerous' characters.
If I included a single quote in the userinput in the web page, such as 'fred, and the
database returns an error, since quotes must be paired, then we know immediately that the
application is vulnerable - the input hasn't been validated.
If I then try X OR 1=1;-- as the user input then I'll retrieve the whole table, because the
application will build the query:
SELECT * FROM ITEMS WHERE ItemName = X OR 1 = 1; -- (rest of application's SQL)
The -- comments out the rest of the application's SQL. Since 1=1 always evaluates as true,
every record will match this query. It is easy to move on from here to compromise the whole
database.
We therefore need to check packet contents for these 'dangerous' characters or their hex
equivalents that would indicate an attempted SQL Injection: a single quote, double hyphen
or a semicolon.
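The check just described, applied to the query string of an HTTP request line, as an added example rather than code from the coursework. The request lines are constructed; the function decodes the URL-encoded ("hex") forms such as %27 before looking for the three markers, and goes one step beyond the text by decoding a second time so that a double-encoded %2527 is also caught.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# The characters the text singles out, with a label for the alert.
DANGEROUS = {"'": "single quote", "--": "double hyphen", ";": "semicolon"}

# Constructed HTTP request lines (not real traffic), mirroring the text's examples.
REQUESTS = [
    "GET /index.php?user_id=1234 HTTP/1.1",                 # normal request
    "GET /index.php?user_id=%27fred HTTP/1.1",              # the 'fred probe, hex-encoded
    "GET /search.php?ItemName=X%20OR%201%3D1%3B-- HTTP/1.1", # X OR 1=1;-- encoded
    "GET /index.php?user_id=%2527 HTTP/1.1",                # double-encoded single quote
]

def suspicious_parameters(request_line):
    """Return (parameter name, marker label) pairs found in a request's query string."""
    _method, target, _version = request_line.split(" ", 2)
    query = urlsplit(target).query
    findings = []
    # parse_qsl decodes %XX escapes once; unquote() decodes a second layer if present.
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = unquote(value)
        for marker, label in DANGEROUS.items():
            if marker in decoded:
                findings.append((name, label))
    return findings

def scan(request_lines):
    """Map each request line to its findings, keeping only lines that have any."""
    return {line: suspicious_parameters(line)
            for line in request_lines if suspicious_parameters(line)}

if __name__ == "__main__":
    for line, findings in scan(REQUESTS).items():
        print(line, "->", findings)
```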
In addition to server vulnerabilities, in this illustration of agent based IDS, alerts have to be
generated for:
Detection of user administration access over the network.
Reconnaissance of the system, including host scans and port scans.
Detection of attacks against the Web server, including a possible Denial-of-Service (DoS)
attack.
User administration access
This is already covered in depth in the previous FTP and Telnet Server sections.
Reconnaissance of the system
System reconnaissance from outside the system is the first stage of any possible attack on a
system (Buchanan, 2010).
The attacker wants to find out which hosts are live, which ports are open on those hosts, which
services are running and the software versions of running services.
Once the attacker has this information, exploits against particular software versions (often
older unpatched versions) and services are widely available via the WWW.
Host Scan Attack Summary
A host scan is where an attacker is trying to reduce a list of possible IP addresses in a network
into a list of available hosts.
(Lyon, 2009) lists several methods used for host discovery. As well as the usual ICMP ping,
host discovery can also be achieved by a variety of methods such as a TCP SYN packet to port
443 (the https port). Any response - SYN/ACK or RST - would indicate that the host is live.
Similarly any reply from TCP packets sent to port 80 is significant. UDP packets can also be
used for host scanning. When a UDP packet is sent to a closed port it will receive a 'Port
Unreachable' ICMP reply which indicates that the host is live and running.
A host scan is typically characterised by traffic from one host to many hosts, usually in a short
time scale. However this is a 'network' scan and, since we are detecting traffic to our host
system only, it would not be detected.
Port Scan Attack Summary
A port scan is used to determine which ports in a host are open or 'Listening'.
In a port scan there are many attempted port connections to a single machine from a single
source, often to unusual ports.
(Whitaker, 2005) lists several scan types including the following:
3.2.1 Protecting Microsoft Windows from a SYN Flood attack
Microsoft Windows has a mechanism to detect and start SYN Flood protection. The SYN
flooding attack protection feature detects symptoms of SYN flooding and responds by reducing
the time the server spends on connection requests that it cannot acknowledge.
Specifically, TCP shortens the required interval between SYN-ACK (connection request
acknowledgements) retransmissions. TCP retransmits SYN-ACKS when they are not answered.
As a result, the allotted number of retransmissions is consumed more quickly and the
unacknowledgeable connection request is discarded faster.
When enabled, the system monitors the connections maintained by TCP and starts the SYN
flooding attack protection when any of the following conditions, symptomatic of SYN
flooding, are found:
The total number of connections in the half-open (SYN-RCVD) state exceeds the value of TcpMaxHalfOpen
The number of connections that remain in the half-open (SYN-RCVD) state even after a connection request has been retransmitted exceeds the value of TcpMaxHalfOpenRetried
The number of connection requests the system refuses exceeds the value of TcpMaxPortsExhausted. The system must refuse all connection requests when its reserve of open connection ports runs out.
Microsoft suggests the following registry settings: