1. Introduction to Firewalls, IDS, IPS and WAF
In this section we’ll talk about firewall types and give an overview of IDS and IPS. We’ll also talk about web application firewalls.
2. Firewall – Your First Line of Defense
Okay, so the next thing we want to talk about in our series is the section on firewalls, IDSs and IPSs, and then a few newer protections as well. Firewalls have always been known as our first line of defense. And in reality, in computing, a firewall is a software or hardware based network security system that controls incoming and even outgoing network traffic, analyzing the data packets and determining whether they should be allowed through or not. It’s basically a filter, based upon an applied rule set. Now, a firewall establishes the barrier between a trusted or secure internal network and another network, for example the Internet, that’s not assumed to be secure or trusted.
Many personal computer systems include software based firewalls to protect against threats from the public Internet. Many routers that pass data between networks contain firewall components, and conversely, many firewalls can perform basic routing functions. The term firewall originally referred to a wall intended to confine a fire or potential fire within a building. The layer between the engine compartment and the inside of a car is known as a firewall as well. Firewall technology emerged in the late 1980s, when the Internet was a fairly new technology in terms of its global use and connectivity. The predecessors to firewalls for network security were the routers used in the late 1980s. Now, firewalls come in various generations. The first generation is basically packet filters.
The first paper published on firewall technology was in 1988, when engineers from Digital Equipment Corporation developed filtering systems known as packet filter firewalls. This was a fairly basic system and was the first generation of what is now a highly evolved and technical Internet security feature. This type of packet filtering pays no attention to whether a packet is part of an existing stream of traffic; for example, it stores no information on connection state. Instead, it filters each packet based only on information contained in the packet itself, most commonly using a combination of the packet’s source and destination address, its protocol, and for TCP and UDP traffic, the port number. This is also known as the five-tuple rule set.
TCP and UDP protocols constitute most communication over the Internet. And because TCP and UDP traffic by convention uses well known ports for particular types of traffic, a stateless packet filter can distinguish and thus control these types of traffic, such as web browsing, remote printing, things like email transmission, and even file transfer, unless machines on each side of the packet filter are both using the same nonstandard ports. Packet filtering firewalls work mainly on the first three layers of the OSI model, which means most of the work is done between the network and physical layers, with a little bit of peeking into the transport layer to figure out source and destination port numbers. When a packet originates from the sender and filters through a firewall, the device checks for matches to any of the packet filtering rules that are configured in the firewall and drops or rejects the packet accordingly.
Then came the second generation of firewalls, what’s known as stateful firewalls. This is very, very common today. It recognizes the state, or you might think of it as a circuit. The second generation firewalls perform the work of their first generation predecessors, but operate up to layer four, the transport layer, of the OSI model. This is achieved by retaining packets until enough information is available to make a judgment about their state. Known as stateful packet inspection, it records all the connections passing through it and then determines whether a packet is the start of a new connection or a part of an existing connection.
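As an added example (not the course’s own code), here is a small Python model of both generations on constructed packets: the same five-tuple rule set judged statelessly, and then with a connection table. The addresses, ports and rules are assumed for the demonstration.

```python
from dataclasses import dataclass
from typing import List, Optional
@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str           # "tcp" or "udp"
    src_port: int
    dst_port: int
    syn: bool = False    # TCP SYN flag, set on the packet that opens a connection

@dataclass(frozen=True)
class Rule:              # None in a field means "match anything"
    action: str          # "allow" or "deny"
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[str] = None
    src_port: Optional[range] = None
    dst_port: Optional[range] = None

    def matches(self, p: Packet) -> bool:
        return (self.src_ip in (None, p.src_ip) and self.dst_ip in (None, p.dst_ip)
                and self.proto in (None, p.proto)
                and (self.src_port is None or p.src_port in self.src_port)
                and (self.dst_port is None or p.dst_port in self.dst_port))

def stateless_verdict(rules: List[Rule], p: Packet) -> str:
    # First generation: first-match filter that judges each packet on its own five tuple.
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"        # default deny when nothing matches
class StatefulFilter:    # second generation: same rules, but remembers admitted connections
    def __init__(self, rules: List[Rule], max_conns: int = 1000):
        self.rules, self.max_conns = rules, max_conns
        self.table = set()   # five tuples of admitted connections, client -> server
    def verdict(self, p: Packet) -> str:
        key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto)
        reverse = (p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.proto)
        if key in self.table or reverse in self.table:
            return "allow"   # packet, or reply, of a connection already admitted
        if p.proto == "tcp" and not p.syn:
            return "deny"    # mid-stream TCP with no known connection
        action = stateless_verdict(self.rules, p)
        if action == "allow":
            if len(self.table) >= self.max_conns:
                return "deny"    # state memory exhausted (the DoS case in the text)
            self.table.add(key)
        return action
# Constructed rule set: inside host 10.0.0.5 may browse the web. The second rule is what
# a stateless filter needs to let web replies back in, and it is also the hole.
RULES = [Rule("allow", src_ip="10.0.0.5", proto="tcp", dst_port=range(80, 81)),
         Rule("allow", proto="tcp", src_port=range(80, 81), dst_port=range(1024, 65536))]
def demo() -> dict:  # constructed packets: a request, its reply, an unsolicited one from port 80
    outbound = Packet("10.0.0.5", "198.51.100.20", "tcp", 40000, 80, syn=True)
    reply = Packet("198.51.100.20", "10.0.0.5", "tcp", 80, 40000)
    forged = Packet("203.0.113.9", "10.0.0.5", "tcp", 80, 3389)
    sf = StatefulFilter(RULES)
    return {"stateless": [stateless_verdict(RULES, p) for p in (outbound, reply, forged)],
            "stateful": [sf.verdict(p) for p in (outbound, reply, forged)]}
```

The stateless filter lets the forged packet from port 80 reach port 3389 because the reply rule matches it; the stateful filter denies it because no connection was ever opened.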
Because, remember, we may break up packets as they go through the Internet based upon the maximum transmission unit of any particular connection. Though static rules are still used, these rules can now contain a connection state as one of their test criteria. Certain denial of service attacks bombard the firewall with thousands of fake connections in an attempt to overwhelm it by filling its connection state memory. Then we have something called a third generation or an application layer firewall. An application layer firewall, also known as a WAF or a web application firewall, was developed in part by Marcus Ranum and is known as the first transparent application firewall.
It was released as a commercial product, the Gauntlet Firewall, at TIS. Now, Gauntlet Firewall was rated one of the number one firewalls during the 1995 to 1998 era. The key benefit of application firewall filtering is that it can understand certain applications and protocols, like the File Transfer Protocol, the Domain Name Service and HTTP. It is also useful as it’s able to detect if an unwanted protocol is attempting to bypass the firewall on an allowed port, or to detect if protocols are being abused or harmful in some way. Now, as of 2012, the so called next generation firewall, or basically third generation firewall, is nothing more than a widened or deepened inspection at the application stack.
For example, the existing deep packet inspection functionality of modern firewalls can be extended to include intrusion detection systems, where the IDS basically tells the firewall to block something; user identity integration, by binding user IDs or MAC addresses for repudiation; and even web application firewalls. These may be implemented in the tool, along with WAF fingerprinting and timing side channels. Now, on a curious note, when PCI came of age (PCI stands for Payment Card Industry), they basically gave the individuals who took credit cards two alternatives: you can bring your web servers up to OWASP standards, or you can install a web application firewall. Now, what do you suppose they did? If you guessed they installed a web application firewall, well, you’re absolutely correct. And they have become very, very popular.
3. IDS – Your Second Line of Defense
Now, our second line of defense is known as an intrusion detection system. Basically, an intrusion detection system is a device or a software application that monitors network or system activities for malicious activities or policy violations, perhaps, and produces a report to some kind of a management station. IDSs come in a number of different flavors, with the goal of detecting suspicious traffic in different ways. There are what are called network intrusion detection systems and host based intrusion detection systems, or NIDS and HIDS. Some systems may attempt to stop an intrusion attempt, but this is neither required nor expected of a monitoring system.
This is more along the lines of an IPS, which we’ll talk about in the next slide. The way I like to explain an IDS in class is with this scenario: there were two farmers, and one farmer had his barn full of cows. The other farmer was watching the other farmer’s barn and noticed that all the cows got out. He calls the other farmer on the telephone and says, hey, by the way, your cows are out of the barn. The farmer might say, well gosh, it’d be nice if you’d have told me when the first one got out. I could have closed the door and the rest of them wouldn’t have gotten out. Well, that is the function of an IPS. And an IPS works in conjunction with an IDS and a firewall.
So the IPS notices some kind of an unwanted event and then it will send a message back to the firewall to block a particular IP address or perhaps a network address. Now, intrusion prevention systems can be classified into four different types. Network based intrusion prevention systems monitor the entire network for suspicious activity by analyzing protocol activity. Something called a WIPS, or wireless intrusion prevention system, naturally monitors a wireless network for suspicious traffic. And something that’s a little bit more new age is called Network Behavior Analysis. What it does is examine network traffic to identify threats that generate unusual traffic flows, such as distributed denial of service attacks, certain forms of malware and policy violations.
Then we also have host based intrusion prevention systems, which is software actually installed on the host itself that monitors a single host for suspicious activity by analyzing events occurring within that host. Most of the detection mechanisms we use today are signature based detection, and unfortunately, signature based detection is kind of like a goalkeeper in a soccer match who’s trying to stop the ball, but there’s not just one ball, there’s 1000 balls being thrown at him. He may grab one and say, oh, got one, while a number of other ones are getting through. I’m not trying to say that IPS is not useful. I’m saying there are ways that you can get around signature based detection.
Statistical anomaly based detection is a better solution. It basically determines the normal network activity, what sort of bandwidth is being used, what protocols are being used, what ports and devices generally connect to each other, and alerts the administrator or user when something anomalous happens, something that’s not normal. If you had teachers like I did back in college, and I hated these kinds of teachers, the first day of class they would come in and kind of survey the class and say, okay, I’m only giving out four A’s in this class. I don’t care if you get a 98 on your paper. I’m only giving out four A’s. I hated teachers like that.
What they’re trying to do is make sure everyone falls within the standard bell curve. So on the bell curve, where we have so many A’s, so many B’s, so many C’s, D’s and F’s, things that fall outside of that are not normal. That’s the concept of statistical anomaly based detection. And this is getting to be more and more the rage, because there are a number of different ways that we can manipulate signatures these days. And if you heard me in some previous sections talk about signature based anti malware or antivirus software as being dead, I’m going to do a bonus video on that. Now, for your test, that’s a good thing. In reality, I’m going to question that in my bonus video.
4. Web Application Firewall and Evasion Techniques
The next thing we’ll talk about is the WAF, or the Web application firewall. We’ve already kind of alluded to this, but what the Web application firewall does is look at things at a higher level. So it’s trying to look at things that are known to be abnormal. So, for example, if we see things in user input like script alert, you’re seeing clearly that we’re doing some kind of cross site scripting here. It matches the rule, does whatever it is going to do to throw that away, and that kind of stuff. So this has nothing to do with the five-tuple rule set. For example, the Web application firewall is what is required, as I talked about before, for PCI, or you have to redevelop all of your web applications to match the OWASP standard.
Now, our topic wouldn’t be complete unless we talked about ways of evading the firewall. With the advent of stateful packet inspection, we recognize the state of a packet rather than looking at each one of the packets as they fall through, if they belong to the same IP ID. In other words, if the packet was broken up, we’re going to be using a fragmented approach, so we can evade the firewall with fragmented packets, or malformed packets, or possibly encrypted tunnels using allowed protocols. So we’ll talk about those in a little bit more detail here. Fragmentation itself is the ability to break up a single IP packet into multiple smaller packets due to a smaller maximum transmission unit.
For example, if we have Ethernet in our environment, you’re going to have a maximum transmission unit of about 1500 bytes. Going out onto the Internet, you may have a maximum transmission unit of, say, 512 bytes. Well, it’s kind of like my wife’s trip to the shoe store. That foot is not going to fit in that space, so you’re going to have to chop it up. So the fragmentation mechanism actually is done right there. Then the receiving TCP/IP stack reassembles the packet back again before forwarding it up to the application. And this is where the Achilles heel kind of is. Reassembly is typically done by the end client. It really should be done at the firewall, and I’m going to explain why: packet fragmentation can be manipulated by using the fragmentation offset.
The trick is to set the value on the second packet so it actually overwrites a portion of the header of the first packet. Now, let me go ahead and do a real quick demonstration for you here. What I’ve done is I’ve pulled up our XP attacker in our online lab and opened up that little utility that I talked about earlier called Engage Packet Builder. I described this as being the Lego blocks builder for packets. You could basically build whatever kind of packet you want. Scapy is another one, but this just simply is what I have. Now, what I want you to notice right here is that we can change all of these values. But the part that I want to make sure you’re aware of is the fragmentation.
Right here we have a DF bit and an MF bit. The DF bit says whether it may fragment. The MF bit can either say that it’s the last fragment or that more fragments are coming. It also can offset the first fragment by up to eight bytes. So this is the part that I want you to understand about what I’m going to try and do with packet fragmentation. What I’m going to use is a little animation that I have, and I want you to notice: this is our firewall and our packet filter. This is a stateful firewall and it allows ports 25, 53, 80 and 443. Okay, so here comes our first packet. It’s going to be denied because it’s port 21. It throws it down in the bit bucket. It basically assigns the unauthorized state to the IP-to-IP pairing. All right, great. Let’s go on to our next one. This is an example of the evasive technique used by a product called Fragrouter.
Now we have our same ports that are allowed, and our first packet comes in, and naturally it’s allowed because port 25 is part of the allow list. You may recall where I showed you the DF bit; it’s set equal to zero, which means it may fragment, and the MF bit is set to one, meaning more fragments are coming. The state of the connection, or the circuit, if you will, is set to allow. All right, so here comes the next one. And I want you to notice what happened here on the next one. On the next one, the destination port was set to 23. That was because the fragmentation offset of one told it to overwrite all but the first eight bytes of packet one, which included everything but the port. It’s then set to may fragment (DF is zero) and it’s the last fragment.
Now the firewall allows the first packet into the network as the SYN packet on the allowed port 25. The second packet is allowed onto the network as the firewall has already assigned the authorized state to that connection. Now the victim will bind the interface on port 23, which is actually disallowed. Now, if we had enough memory in our firewall where we could basically say, okay, this one says it’s fragmented, you could think of this kind of as a large parking area. All right, you guys go up here to this parking area until the rest of your guys get here. Then I’m going to assemble them all together, and I’m going to step back, kind of like the Mr. Clean commercials where he steps back and looks at things, and then allow it to go through or not go through. That would stop this.
But in older firewalls, especially the hardware based firewalls, memory was very expensive, and that didn’t allow them to reassemble the fragments; reassembly happened only once they got all the way to the destination. So consequently, this can happen. Another technique of evading IDS is by using encrypted tunnels. So, for example, in this animation right here, I’m going to use the sister utility called Cryptcat. We showed you netcat earlier, if you recall. This one’s Cryptcat; it’s exactly the same thing, but we’re just simply encrypting it. So we’ve got the victim right here, where I’ve got a connection, and I’m going to try and do net user hacker, add this particular user, and so on and so forth. Well, the IDS sees it as this, but the victim up here actually executes the command.
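The reassembly the firewall should be doing, as an added example that is not part of the course: a Python reassembler that holds fragments by source, destination and IP ID, refuses overlapping fragments, and only then checks the destination port against the animation’s allow list, beside the first-fragment-only check that lets the overwrite through. The fragments are constructed, with the overlap placed over the port field; addresses and IP IDs are assumed.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ALLOWED_TCP_PORTS = {25, 53, 80, 443}   # the allow list from the animation
@dataclass(frozen=True)
class Fragment:          # one IP fragment with its IP header already parsed
    src: str
    dst: str
    ident: int           # IP identification, shared by all fragments of one datagram
    offset: int          # fragment offset field, in units of 8 bytes
    more: bool           # MF flag: True means more fragments follow
    payload: bytes       # the bytes after the IP header

def tcp_verdict(data: bytes) -> str:
    """Port check on transport bytes: run on a reassembled datagram, or (naively) on
    the first fragment alone, which is what the text says older firewalls did."""
    if len(data) < 4:
        return "drop: too short for a TCP header"
    dst_port = struct.unpack("!HH", data[:4])[1]
    return f"allow: tcp/{dst_port}" if dst_port in ALLOWED_TCP_PORTS else f"drop: tcp/{dst_port}"

class Reassembler:
    """Holds fragments per (src, dst, id) and judges the datagram only once it is whole."""
    def __init__(self):
        self.pending: Dict[Tuple[str, str, int], List[Fragment]] = {}
    def add(self, f: Fragment) -> Optional[str]:
        """None while still waiting for fragments, otherwise the verdict."""
        key = (f.src, f.dst, f.ident)
        frags = self.pending.setdefault(key, [])
        frags.append(f)
        if all(x.more for x in frags):
            return None                     # last fragment (MF=0) not seen yet
        data = bytearray()
        for x in sorted(frags, key=lambda x: x.offset):
            start = x.offset * 8
            if start < len(data):           # rewrites bytes an earlier fragment carried
                del self.pending[key]       # (a duplicate trips this too; fail closed)
                return "drop: overlapping fragment"
            if start > len(data):
                return None                 # hole; a real stack also times this out
            data += x.payload
        del self.pending[key]
        return tcp_verdict(bytes(data))

def demo() -> dict:
    """Constructed fragments: 20-byte TCP headers to port 25 (allowed) and 23 (denied)."""
    hdr25 = struct.pack("!HHIIBBHHH", 40000, 25, 1, 0, 0x50, 0x02, 8192, 0, 0)
    hdr23 = struct.pack("!HHIIBBHHH", 40000, 23, 1, 0, 0x50, 0x02, 8192, 0, 0)
    benign = [Fragment("203.0.113.9", "10.0.0.5", 7, 0, True, hdr25[:8]),
              Fragment("203.0.113.9", "10.0.0.5", 7, 1, False, hdr25[8:])]
    # the evasion in the text: first fragment shows port 25, an overlapping one rewrites it to 23
    overlap = [Fragment("203.0.113.9", "10.0.0.5", 8, 0, True, hdr25[:8]),
               Fragment("203.0.113.9", "10.0.0.5", 8, 0, False, hdr23)]
    results = {"first_fragment_only": [], "reassembled": []}
    for frags in (benign, overlap):
        results["first_fragment_only"].append(tcp_verdict(frags[0].payload))
        r = Reassembler()
        results["reassembled"].append([r.add(f) for f in frags][-1])
    return results
```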
5. Behavioural Firewalls and IPS Systems
Now, the next thing I want to talk about is some new age protection. Because most of our connections to and from servers on the Internet are now encrypted, it really throws a monkey wrench into trying to inspect what’s going on from the perspective of an IDS. So some of this new age protection allows us to break open that particular connection. Some popular vendors are Blue Coat, Spyware Interceptor and the Cloudflare service. Now, the problem with this is that it basically takes the TLS connection and breaks it open, which means we have to have a certificate already installed and trusted on our client device for this to work. This means we’re able to see, well, basically anything that the user is putting in.
Now, some users may even get upset when they find out that IT is doing this, because their bank account password and their credit card numbers are being revealed. More than likely what’s happened is you signed this right away when you signed up for your job on the very first day, when they had a big stack of papers for you to sign. Others that don’t understand that this has happened may march up to the network administrator and say, I’m not going to stand for this. I’m not going to let you read my bank account password. And you know what he’s going to say? Don’t use our equipment to do your personal business. They didn’t really think about it like that. That’s actually the only way they have to be able to inspect what’s going on.
The next thing I want to talk about is something called profiling or baselining. We want to be able to detect when something goes awry, out of the normal. I gave the example earlier in this section when I talked about one of my teachers only giving out four A’s, because she was wanting to make sure we all fell in the bell curve for that class. If we look at the normal flow of activities of what an application would do, then we could see when something goes awry. For example, a normal connection may go to the web server, and from the web server it may go to the application server. From the application server it may go to the database, and from the database it may go out to the file system.
This is normal profile behavior. Now, a nefarious person may connect to the web server and, directly from the web server, go to the file system. That’s not normal. That would deviate from the baseline, and consequently we could send up a flag, report it to the IPS, block the port, whatever we’re going to do with this. So what happens is the profiler learns normal behavior. By observing code paths in programs, characterized by system call sequences, they’ve been able to prevent zero day exploits. Vulnerabilities generally are not normal behavior. Software bugs, misconfiguration, injected code and exploits create unexpected code paths. Because our behavior-learning mechanisms don’t rely on signature matching, they don’t even need to be updated to be able to stop an attack.
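The baselining idea, as an added example rather than the course’s or any vendor’s code: a Python learner of normal event sequences that generalizes the tier chain above to any sequence, including the system call sequences just mentioned. It flags a sequence by the short sub-sequences (n-grams) it never saw in training, with no signatures involved. All training flows and traces are constructed.

```python
from collections import Counter
from typing import Dict, List, Sequence, Tuple

class SequenceBaseline:
    """Learns which short sub-sequences (n-grams) occur in normal activity, then flags
    any sequence containing an n-gram it never saw. No signatures are involved."""
    def __init__(self, n: int = 2):
        self.n = n
        self.seen: Counter = Counter()

    def _ngrams(self, seq: Sequence[str]) -> List[Tuple[str, ...]]:
        s = ["<start>"] + list(seq) + ["<end>"]   # anchors so first/last steps count too
        return [tuple(s[i:i + self.n]) for i in range(len(s) - self.n + 1)]

    def learn(self, seq: Sequence[str]) -> None:
        self.seen.update(self._ngrams(seq))

    def score(self, seq: Sequence[str]) -> Tuple[float, List[Tuple[str, ...]]]:
        """Fraction of the sequence's n-grams unseen in training (0.0 = fits the baseline),
        plus the unseen n-grams themselves, which is what an analyst wants to see."""
        grams = self._ngrams(seq)
        unseen = [g for g in grams if g not in self.seen]
        return len(unseen) / len(grams), unseen

def demo() -> Dict[str, Tuple[float, List[Tuple[str, ...]]]]:
    """Constructed training data: the tier chain from the text, and short system-call traces."""
    tiers = SequenceBaseline(n=2)
    for flow in (["web", "app", "db", "fs"], ["web", "app", "db"], ["web", "app"]):
        tiers.learn(flow)
    calls = SequenceBaseline(n=2)
    for trace in (["open", "read", "read", "close"], ["open", "write", "close"],
                  ["open", "read", "write", "close"]):
        calls.learn(trace)
    return {
        "normal_flow": tiers.score(["web", "app", "db"]),        # fits the baseline
        "web_to_fs": tiers.score(["web", "fs"]),                 # the deviation in the text
        "unexpected_path": calls.score(["open", "read", "execve", "close"]),
    }
```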