Objectives:
- Understanding IDS, Firewall, and Honeypot Concepts
- IDS, Firewall and Honeypot Solutions
- Understanding different techniques to bypass IDS
- Understanding different techniques to bypass firewalls
- IDS/Firewall Evading Tools
- Understanding different techniques to detect honeypots
- Overview of IDS and Firewall Penetration Testing
- An IDS inspects all inbound and outbound network traffic for suspicious patterns that may indicate a network security breach
  - Signature recognition: checks traffic for signatures that match known intrusion patterns
  - Anomaly detection (behavior detection)
  - Protocol anomaly detection
- Indications of Intrusions
  - System Intrusions
    - Presence of new files/programs
    - Changes in file permissions
    - Unexplained changes in file size
    - Rogue files
    - Unfamiliar file names in directories
    - Missing files
  - Network Intrusions
    - Repeated probes of the available services on your machines
    - Connections from unusual locations
    - Repeated login attempts from remote hosts
    - Arbitrary data in log files
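Two of the network-intrusion indications above (repeated login attempts from remote hosts, connections from unusual locations) as simple detection logic run over constructed sshd-style log lines. This is an added example, not part of the original notes; the log lines, the `KNOWN_NETS` allowlist, the threshold and the window are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sshd-style sample lines; not taken from any real system.
SAMPLE_LOG = """\
Mar 10 08:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar 10 08:00:03 host sshd[1202]: Failed password for root from 203.0.113.7 port 51124 ssh2
Mar 10 08:00:05 host sshd[1203]: Failed password for admin from 203.0.113.7 port 51126 ssh2
Mar 10 08:00:09 host sshd[1204]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar 10 08:00:11 host sshd[1205]: Accepted password for alice from 10.0.0.12 port 40010 ssh2
Mar 10 08:01:40 host sshd[1206]: Accepted publickey for bob from 198.51.100.9 port 40211 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

KNOWN_NETS = [ip_network("10.0.0.0/8")]   # assumed "usual" source networks
FAIL_THRESHOLD = 3                        # failures from one host ...
WINDOW_SECONDS = 60                       # ... within this many seconds

def parse(log_text):
    """Turn raw lines into (timestamp, result, user, source_ip) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:   # syslog lines carry no year; 2024 is assumed for the sample
            ts = datetime.strptime("2024 " + m["ts"], "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def find_indications(log_text):
    """Return (indication, source_ip) pairs in the order they are first seen."""
    alerts = []
    failures = defaultdict(list)          # source ip -> recent failure timestamps
    for ts, result, _user, ip in parse(log_text):
        if result == "Failed":
            recent = [t for t in failures[ip] if (ts - t).total_seconds() <= WINDOW_SECONDS]
            recent.append(ts)
            failures[ip] = recent
            if len(recent) == FAIL_THRESHOLD:   # fire once, when the threshold is crossed
                alerts.append(("repeated-login-attempts", ip))
        elif not any(ip_address(ip) in net for net in KNOWN_NETS):
            alerts.append(("connection-from-unusual-location", ip))
    return alerts
```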
- Firewall Architecture
  - Bastion Host
    - A computer system designed and configured to protect network resources from attack
  - Screened Subnet
    - Also known as the DMZ; contains hosts that offer public services. The DMZ only responds to public requests and has no hosts that are accessed by the private network
  - Multi-homed Firewall
    - A firewall with two or more interfaces
  - DeMilitarized Zone (DMZ)
    - A network that serves as a buffer between the internal secure network and the insecure internet
    - Can be created using a firewall with three or more main network interfaces
- Types of Firewall
  - Packet Filters: work at the network layer of the OSI model. Can drop packets if needed
  - Circuit Level Gateways: work at the session layer. Information passed to a remote computer through a circuit-level gateway appears to have originated from the gateway. They monitor requests to create sessions and determine whether the session will be allowed, so they allow or prevent whole data streams
  - Application Level Gateways: application-level proxies can filter packets at the application layer of the OSI model
  - Stateful Multilayer Inspection Firewalls: combine aspects of the other three types of firewall
- Honeypot
  - Information system resource that is expressly set up to attract and trap people who attempt to penetrate an organization's network
  - A honeypot can log port access attempts, monitor an attacker's keystrokes, show early warning signs of an attack, etc.
  - 2 Types of Honeypots
    - Low-interaction Honeypots: simulate only a limited number of services and apps. Cannot be compromised
    - High-interaction Honeypots: simulate all services and apps. Can be completely compromised by attackers
      - Capture complete information about an attack vector, such as attack techniques
- Snort
- Techniques to bypass IDS
  - Insertion Attack: IDS blindly believes and accepts a packet that the end system rejects
  - Evasion: end system accepts a packet that an IDS rejects. The attacker is exploiting the host computer
  - DoS Attack: overloading the IDS so that the attacker's intrusion attempts are not logged
  - Obfuscating: encoding the attack payload in a way that the target computer understands but the IDS does not (polymorphic code, etc.)
  - False Positive Generation: attackers with knowledge of the target IDS craft packets purely to generate alerts. This causes the IDS to generate a large number of false positive alerts, which are then used to hide real attack traffic
  - Session Splicing: splitting the attack payload across multiple packets so that no single packet matches a signature
  - Unicode Evasion Technique: attackers can convert attack strings to Unicode characters to avoid pattern and signature matching at the IDS
  - Fragmentation Attack: attackers keep sending fragments with 15-second delays until the whole attack payload is reassembled at the target system
  - TTL attacks require the attacker to have prior knowledge of the topology of the victim's network
  - Invalid RST Packets
    - Uses an RST packet with an invalid checksum to keep communicating with the host even though the IDS thinks the communication has ended
  - Urgency Flag
    - A URG flag in the TCP header is used to mark data that requires urgent processing
    - Many IDSs do not address the URG pointer
  - Polymorphic Shellcode: most IDSs contain signatures for commonly used strings within shellcode. This can be bypassed by using encoded shellcode containing a stub that decodes the shellcode
  - App Layer Attacks: IDS cannot verify the signature of a compressed file
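Why Obfuscating, Session Splicing and the Unicode Evasion Technique above work against a weak IDS, and what the detector has to do about it, as an added example that is not part of the original notes: a naive per-packet matcher beside one that percent-decodes, NFKC-normalizes, collapses path segments and reassembles the session before comparing against a constructed toy signature list. The signature strings and the request variants are constructed for illustration only.

```python
import unicodedata
from urllib.parse import unquote

# Constructed toy signature set; real IDS rule sets are far larger.
SIGNATURES = ["/cmd.exe", "/etc/passwd"]

def naive_match(chunk):
    """Per-packet, byte-exact matching: the behaviour the evasions above exploit."""
    return [s for s in SIGNATURES if s in chunk]

def normalize(payload, max_decode_rounds=2):
    """Canonicalize the request the way the target web server will interpret it."""
    text = payload
    for _ in range(max_decode_rounds):          # undo (double) percent-encoding
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    text = unicodedata.normalize("NFKC", text)  # fullwidth/compatibility forms -> ASCII
    text = text.lower()
    while "/./" in text or "//" in text:        # collapse redundant path segments
        text = text.replace("/./", "/").replace("//", "/")
    return text

def stream_match(chunks):
    """Reassemble the session's chunks first, then match on the normalized whole."""
    return [s for s in SIGNATURES if s in normalize("".join(chunks))]

# Constructed variants of one request, each of which slips past naive_match
SPLICED = ["GET /c", "md.", "exe HTTP/1.0"]                        # session splicing
ENCODED = "GET /%63md%2Eexe HTTP/1.0"                              # percent-encoded
DOUBLE_ENCODED = "GET /%252fcmd.exe HTTP/1.0"                      # double-encoded
FULLWIDTH = "GET /\uff43\uff4d\uff44.\uff45\uff58\uff45 HTTP/1.0"  # Unicode evasion
DOTTED = "GET /.//cmd.exe HTTP/1.0"                                # path obfuscation
```

The same normalize-then-match step is what production sensors call protocol normalization or preprocessing; without it, signature matching is only as good as the attacker's willingness to send the payload in plain form.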
- Techniques to bypass firewalls
  - Port Scanning: used to identify open ports and the services running on those ports
    - Open ports can be further probed to identify the version of the services, which helps in finding vulnerabilities in those services
  - Firewalking: a technique that uses TTL values to determine gateway ACL filters
    - Attacker sends a TCP or UDP packet to the targeted firewall with a TTL set to one hop greater than the distance to the firewall
  - Banner Grabbing: banners are service announcements provided by services in response to connection requests, and often carry vendor version information
  - IP Address Spoofing: spoofing the address of a trusted machine
  - Source Routing: allows the sender of a packet to partially or completely specify the route of the packet through a network, going around a firewall
  - Tiny Fragments: forcing some of the TCP packet's header information into the next fragment
  - ICMP Tunneling: allows tunneling a backdoor shell in the data portion of ICMP echo packets
  - ACK Tunneling: allows tunneling a backdoor application in TCP packets with the ACK bit set
  - HTTP Tunneling Method: allows attackers to perform various internet tasks despite restrictions imposed by firewalls. The method can be used if the target company has a public web server with port 80 used for HTTP traffic
- Techniques to detect honeypots
  - Attackers craft malicious probe packets to scan for services such as HTTP over SSL, SMTP over SSL, and IMAP
  - Ports that show a particular service running but deny a three-way handshake indicate the presence of a honeypot
- Shut down switch ports associated with the known attack hosts
- Reset (RST) malicious TCP sessions