CSE 127: Lecture 17

This lecture is an introduction to firewalls, DMZs and intrusion detection systems.


Traditionally, a firewall is a wall separating two areas, in a building, a car, etc., to prevent fire from propagating from one area to another. By extension, it is used to separate two networks, to prevent hostile packets from one network from reaching the other. The most common firewall configuration protects a company's private network from the Internet. Firewalling traditionally operates by inspecting packet headers and discarding packets with undesirable header info.

corporate n/w <------> firewall <--------->  Internet

A firewall is a special-purpose machine with at least two network interfaces. The firewall has rules that decide which packets to forward. It is expensive to keep security patches current on every machine in the corporate network; a firewall lets the organization concentrate its defenses at one boundary. Firewalls are not fail-safe and are a central point of failure. A strong firewall won't allow any incoming packets and will allow outgoing packets only to trusted machines.

The most common boundary where firewalls are applied today is between an organization's internal networks and the Internet. When establishing an Internet firewall, the first thing you must decide is its basic architecture (assuming you have previously established your firewall requirements and the security policy it is intended to implement). In this context, architecture refers to the inventory of components (hardware and software), and the connectivity and distribution of functions among them. There are two classes of firewall architectures, which we refer to as the single layer and the multiple layer architectures.

In a single layer architecture, one network host is allocated all firewall functions and is connected to each network for which it is to control access. This approach is usually chosen when containing cost is a primary factor or when there are only two networks to interconnect. It has the advantage that everything there is to know about the firewall resides on that one host. The greatest disadvantage of the single layer approach is its susceptibility to implementation flaws or configuration errors -- depending on the type, a single flaw or error might allow firewall penetration.

In a multiple layer architecture, the firewall functions are distributed among a small number of hosts, typically connected in series, with DMZ networks between them. This approach is more difficult to design and operate, but can provide substantially greater security by diversifying the defenses you are implementing. The most common design approach for this type of architecture is an Internet firewall composed of two hosts interconnected with one DMZ network.

corporate n/w <--------> firewall <-------> DMZ <------> firewall <-------> Internet
                                        (web servers)


A demilitarized zone (DMZ) is used by a company that wants to host its own Internet services without exposing its private network to unauthorized access.

The DMZ sits between the Internet and an internal network's line of defense, usually some combination of firewalls and bastion hosts.

Typically, the DMZ contains devices accessible to Internet traffic, such as Web (HTTP) servers, FTP servers, SMTP (e-mail) servers and DNS servers.
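As an added example (not part of the lecture notes), here is a minimal header-based packet filter in Python applied to the two-firewall DMZ layout drawn above; the address ranges, ports and rule sets are constructed assumptions for illustration, not a recommended policy.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    dport: int    # destination port
    proto: str    # "tcp" or "udp"

@dataclass
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # source CIDR
    dst: str                     # destination CIDR
    dport: Optional[int] = None  # None matches any port
    proto: Optional[str] = None  # None matches any protocol

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.dport in (None, p.dport)
                and self.proto in (None, p.proto))

def evaluate(rules: List[Rule], p: Packet) -> str:
    """Header-only filtering: the first matching rule wins."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"  # default deny: a packet no rule admits is dropped

# Constructed address plan (assumption): corporate 10.0.0.0/8, DMZ 192.0.2.0/24.
ANY, CORP, DMZ = "0.0.0.0/0", "10.0.0.0/8", "192.0.2.0/24"

# Outer firewall (Internet side): the Internet may reach only the DMZ services.
OUTER = [
    Rule("allow", ANY, DMZ, 80, "tcp"),  # web servers
    Rule("allow", ANY, DMZ, 25, "tcp"),  # SMTP
    Rule("allow", ANY, DMZ, 53, "udp"),  # DNS
    Rule("allow", DMZ, ANY),             # DMZ hosts may talk outwards
    Rule("allow", CORP, ANY),            # corporate traffic INNER already passed
]
# Inner firewall (corporate side): nothing from the DMZ may enter the corporate
# network, so a compromised DMZ server still cannot open connections inwards.
INNER = [Rule("deny", DMZ, CORP), Rule("allow", CORP, ANY)]
```

The filter is stateless, so replies to connections the corporate network opened would need explicit allow rules at the outer firewall; stateful firewalls avoid that by tracking connections.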

Intrusion Detection Systems

An intrusion detection system, or IDS for short, attempts to detect an intruder breaking into your system or a legitimate user misusing system resources. The IDS runs constantly on your system, working away in the background, and notifies you only when it detects something it considers suspicious or illegal. Whether you appreciate that notification depends on how well you've configured your intrusion detection system. There are two types of potential intruders: outside intruders and inside intruders. Intrusion detection systems are like a burglar alarm for your computer network: they detect unauthorized access attempts. Analogy: a security guard watching for the attack.

There are basically two main types of IDS in use today: host based (looking, for instance, at system logs for evidence of malicious or suspicious application activity in real time) and network based (a packet monitor).

Host-Based IDS (HIDS)

Host-based systems were the first type of IDS to be developed and implemented. These systems collect and analyze data that originate on a computer that hosts a service, such as a Web server. Once this data is aggregated for a given computer, it can either be analyzed locally or sent to a separate/central analysis machine. One example of a host-based system is programs that operate on a system and receive application or operating system audit logs. These programs are highly effective for detecting insider abuses. On the down side, host-based systems can get unwieldy. With several thousand possible endpoints on a large network, collecting and aggregating separate specific computer information for each individual machine may prove inefficient and ineffective.

Possible host-based IDS data sources include Windows NT/2000 Security Event Logs, RDBMS audit sources, enterprise management system audit data (such as Tivoli), and UNIX syslog in their raw forms or in their secure forms such as Solaris' BSM; host-based commercial products include RealSecure, ITA, Squire, and Entercept, to name a few.

Network-Based IDS (NIDS)

Rather than monitoring the activities that take place on a particular host, network-based intrusion detection analyzes the data packets that travel over the actual network. These packets are examined and sometimes compared with empirical data to decide their nature: malicious or benign. The monitoring host's network interface runs in promiscuous mode, so it sees all traffic on its segment rather than only packets addressed to it. Because they are responsible for monitoring a network rather than a single host, network-based intrusion detection systems (NIDS) tend to be more distributed than host-based IDS. Instead of analyzing information that originates and resides on a computer, a network-based IDS uses techniques like "packet sniffing" to pull data from TCP/IP or other protocol packets traveling along the network. This surveillance of the connections between computers makes a network-based IDS good at detecting access attempts from outside the trusted network. In general, network-based systems are best at detecting the following activities:

    * Unauthorized outsider access: When an unauthorized user logs in successfully, or attempts to log in, they are best tracked with host-based IDS. However, detecting the unauthorized user before their log on attempt is best accomplished with network-based IDS.
    * Bandwidth theft/denial of service: These attacks from outside the network single out network resources for abuse or overload. The packets that initiate/carry these attacks can best be noticed with use of network-based IDS.

Some possible downsides to network-based IDS include encrypted packet payloads and high-speed networks, both of which inhibit the effectiveness of packet interception and hinder packet interpretation. Examples of network-based IDS include Shadow, Snort, Dragon, NFR, RealSecure, and NetProwler.

There are two approaches to building intrusion detection systems:

Anomaly Detection: Anomaly detection techniques assume that all intrusive activities are necessarily anomalous. This means that if we could establish a "normal activity profile" for a system, we could, in theory, flag all system states varying from the established profile by statistically significant amounts as intrusion attempts. However, these systems have a higher rate of false positives (anomalous activities that are not intrusive are flagged as intrusive).
Misuse Detection or Signature-Based: The concept behind misuse detection schemes is that there are ways to represent attacks in the form of a pattern or signature so that even variations of the same attack can be detected. This means that these systems are not unlike virus detection systems -- they can detect many or all known attack patterns, but they are of little use against as-yet-unknown attack methods.