Firewalls
A firewall is a network device that sits at a network boundary and permits or
denies the traffic crossing it according to a policy; a basic firewall decides
on network- and transport-layer header fields (addresses, ports, protocol).
Firewalls are important since they are often the first line of defense against
network-based attacks.
As shown in the figure, firewalls are usually deployed at the perimeter of an
internal network, where the internal network connects to the untrusted
Internet.
Firewalls are also an effective way to centrally block access to services that
are running but should not be reachable from outside, for example because
- the service is buggy, or
- the service is running by default for no reason.
General Attributes
The general attributes of firewalls are as follows: (if any one of the aspects
is broken, the firewall becomes much less effective)
- (Complete Mediation) All traffic must pass through the firewall.
- (Verifiable) The firewall rules are correctly defined so that only
authorized traffic will be allowed to pass.
- (Tamper resistant) The firewall itself is hardened against attack.
Types of Firewalls
- Simple packet filtering firewalls (or stateless firewalls): each packet is
judged on its own header fields, with no memory of earlier packets.
- Stateful packet inspection (SPI) firewalls: these firewalls keep per-connection
state derived from the IP/TCP headers of packets in transit (e.g., which
connections inside hosts have opened) and use it to judge later packets.
- Deep packet inspection (DPI) firewalls: these firewalls examine not only
headers but also application data.
Note: A host-based firewall runs on a user's computer. Unlike a network-based
firewall, a host-based firewall can associate network traffic with individual
applications. Its goal is to prevent malware from accessing the network.
Stateless Firewalls
Security policy
The purpose of a firewall is to keep bad things out of the internal network.
To accomplish this goal, the system needs a good security policy that defines
precisely what "bad" means.
A firewall can act on a packet flowing through it in one of the following ways:
- Allow: the packet passes through the firewall.
- Block: the packet is dropped at the firewall.
Typically, the firewall applies different rules depending on the direction:
- Incoming packets: from the external Internet to the internal network.
- Outgoing packets: from the internal network to the external Internet.
Rules for incoming packets

Rule | Action | Source addr | Destination addr | Source port | Destination port | Type
1    | Block  | *.usma.edu  | *                | *           | *                | *
2    | Allow  | *           | *                | *           | 25               | TCP
3    | Block  | *           | *                | *           | *                | *
Example rules
The table above shows example rules for incoming packets:
- Given an incoming packet, the rules are checked from top to bottom, and
the first matching rule determines the firewall's action.
- * means any.
- Port 25 is the SMTP (Simple Mail Transfer Protocol) port, i.e., incoming email.
- A packet filter sees only IP addresses, so a rule written with the domain
*.usma.edu has in practice to be expressed as the address ranges that domain
resolves to.
Let's consider some scenarios.
- Consider an incoming SMTP request from the external network to the email
server in the internal network.
- If the request is coming from West Point (an address in *.usma.edu):
the first matching rule is rule 1, so the packet is blocked.
- If the request is not coming from West Point:
the first matching rule is rule 2, so the packet is allowed.
- Now, consider any non-SMTP request from the external network.
- If the request is coming from West Point:
the first matching rule is rule 1, so the packet is blocked.
- If the request is not coming from West Point:
the first matching rule is rule 3, so the packet is blocked as well.
DMZ
The above rules can be applied to the firewall FB (the bottom one) in the
following network architecture.

The outbound email server smtp.usna.edu is outside the internal firewalls FA
and FB, i.e., in a place called the DMZ (demilitarized zone). This is
acceptable since this server holds no sensitive information and needs to
connect freely to external hosts; if it is compromised, the internal firewalls
still stand between it and the internal network.
Let's check your understanding!
Suppose that a network administrator wrote the following rules:
Rules for incoming packets

Rule | Action | Source addr | Destination addr | Source port | Destination port | Type
1    | Block  | *.usma.edu  | *                | *           | *                | TCP
2    | Allow  | *           | *                | *           | 25               | TCP
3    | Allow  | *           | *                | 25          | *                | TCP
4    | Block  | *           | *                | *           | *                | TCP
That is, rule 3 is quite similar to rule 2, but in rule 3 it is the source port
that is 25. To see the implications of the change, we need to answer the
following question:
Question: Does this change open a new vulnerability, e.g., allow an attacker
to reach a buggy web server running inside the network?
The answer: Yes! The attacker chooses its own source port, so it simply sends
its packets from port 25:
Attacker: source port 25, destination port 80 -------- FW: rule 3 matches, OK --------> internal web server: destination port 80 (HTTP)
The administrator presumably wanted to let replies from outside mail servers
back in, but a source port is attacker-controlled and says nothing about what
the packet really is.
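The following is an added example, not part of the original notes: a small first-match stateless packet filter that evaluates both rule tables above (the original example rules and the administrator's modified table) against constructed packets, including the source-port-25 attack. Assumptions made for illustration: addresses are written as hostnames so that "*.usma.edu" can be matched by suffix (a real packet filter sees only IP addresses and would need the equivalent address ranges), the hostnames and addresses of the sample packets are made up, and a packet that matches no rule is dropped.

```python
# Added example (not part of the original notes): a first-match stateless packet
# filter evaluated against both rule tables above. Assumptions: addresses are
# written as hostnames so that "*.usma.edu" can be matched by suffix (a real
# packet filter sees only IP addresses and needs the equivalent address ranges),
# and a packet that matches no rule is dropped. All packets are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str      # source address
    dst: str      # destination address
    sport: int    # source port
    dport: int    # destination port
    proto: str    # "TCP", "UDP", ...


@dataclass(frozen=True)
class Rule:
    action: str                   # "Allow" or "Block"
    src: str = "*"                # "*", an exact address, or a suffix pattern like "*.usma.edu"
    dst: str = "*"
    sport: Optional[int] = None   # None stands for "*"
    dport: Optional[int] = None
    proto: str = "*"


def _addr_match(pattern: str, addr: str) -> bool:
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return addr.endswith(pattern[1:])   # "*.usma.edu" matches "mail.usma.edu"
    return pattern == addr


def matches(rule: Rule, pkt: Packet) -> bool:
    return (_addr_match(rule.src, pkt.src)
            and _addr_match(rule.dst, pkt.dst)
            and rule.sport in (None, pkt.sport)
            and rule.dport in (None, pkt.dport)
            and rule.proto in ("*", pkt.proto))


def filter_packet(rules, pkt):
    """Return (action, rule number) for the first rule that matches; rule numbers
    start at 1. A packet matching no rule is blocked and reported as rule 0."""
    for number, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return rule.action, number
    return "Block", 0


# The original table for incoming packets.
RULES_ORIGINAL = [
    Rule("Block", src="*.usma.edu"),
    Rule("Allow", dport=25, proto="TCP"),
    Rule("Block"),
]

# The administrator's modified table: rule 3 allows any TCP packet whose
# *source* port is 25.
RULES_MODIFIED = [
    Rule("Block", src="*.usma.edu", proto="TCP"),
    Rule("Allow", dport=25, proto="TCP"),
    Rule("Allow", sport=25, proto="TCP"),
    Rule("Block", proto="TCP"),
]

# Constructed sample packets (hostnames and addresses are made up).
SMTP_FROM_WEST_POINT = Packet("mail.usma.edu", "smtp.usna.edu", 40000, 25, "TCP")
SMTP_FROM_ELSEWHERE = Packet("mx.example.com", "smtp.usna.edu", 40000, 25, "TCP")
HTTP_FROM_ELSEWHERE = Packet("198.51.100.7", "www-internal.usna.edu", 40000, 80, "TCP")
# The attack: the attacker picks 25 as its own source port so that rule 3 fires.
HTTP_SPORT25_ATTACK = Packet("198.51.100.7", "www-internal.usna.edu", 25, 80, "TCP")

if __name__ == "__main__":
    for table_name, table in ("original", RULES_ORIGINAL), ("modified", RULES_MODIFIED):
        for pkt in (SMTP_FROM_WEST_POINT, SMTP_FROM_ELSEWHERE,
                    HTTP_FROM_ELSEWHERE, HTTP_SPORT25_ATTACK):
            print(table_name, filter_packet(table, pkt), pkt)
```

Running it shows the HTTP packet with source port 25 hitting rule 3 (Block) under the original table and rule 3 (Allow) under the modified one. A second, quieter defect in the modified table is also visible: every rule is restricted to TCP, so a UDP packet matches nothing at all and its fate depends on the device's default policy; this example defaults to deny, which is the safe choice.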
Stateful packet inspection (SPI) firewalls
To see why it is sometimes beneficial for a firewall to remember state,
suppose the following:
- A user on the internal network would like to connect to a web server as
shown below.

Of course, the firewall should let the inside user connect to the outside web
server on the Internet. This means that the second packet of the handshake, the
SYN+ACK from the web server, must be allowed in. But what should the firewall
rule for it be? A stateless filter can only say "allow incoming TCP packets with
source port 80" (or "with the ACK flag set"), which is exactly the kind of hole
shown in the exercise above. An SPI firewall instead records the outbound SYN
(source address and port, destination address and port) in a state table and
admits an incoming packet only if it belongs to a connection in that table.
SPI firewalls are useful in the following scenarios:
- As shown above, allowing inside users to connect to outside web servers
without opening any inbound port.
- Tracking DNS queries and ping requests coming from the internal network so
that only the matching responses are allowed back to the clients.
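The following is an added example, not part of the original notes: a minimal stateful packet inspection engine that implements the behaviour just described. It assumes (for illustration only) that the internal network is 10.0.0.0/16, that the only static policy is "inside hosts may open TCP connections to outside web servers and may send DNS queries and ICMP echo requests", and that for ICMP the echo identifier is carried in both port fields of the packet record. The packet trace is constructed.

```python
# Added example (not part of the original notes): a minimal stateful packet
# inspection engine. Assumptions: the internal network is 10.0.0.0/16, the only
# static policy is "inside hosts may open TCP connections to outside web servers
# and send DNS queries and ICMP echo requests", and for ICMP the echo identifier
# is carried in both port fields. All packets below are constructed.
from dataclasses import dataclass

INSIDE_PREFIX = "10.0."


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str        # "TCP", "UDP" or "ICMP"
    flags: str = ""   # TCP flags as letters ("S", "SA", "A", ...); ICMP: "ECHO"/"REPLY"


def is_inside(addr: str) -> bool:
    return addr.startswith(INSIDE_PREFIX)


class StatefulFirewall:
    """Admit inbound packets only if they belong to a flow an inside host started."""

    def __init__(self):
        # (proto, inside_ip, inside_port, outside_ip, outside_port) -> state
        self.table = {}

    @staticmethod
    def _key(pkt: Pkt, outbound: bool):
        if outbound:
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    @staticmethod
    def _policy_allows_new_outbound(pkt: Pkt) -> bool:
        if pkt.proto == "TCP":
            return pkt.dport in (80, 443) and pkt.flags == "S"   # only a fresh SYN
        if pkt.proto == "UDP":
            return pkt.dport == 53
        if pkt.proto == "ICMP":
            return pkt.flags == "ECHO"
        return False

    def handle(self, pkt: Pkt) -> str:
        outbound = is_inside(pkt.src) and not is_inside(pkt.dst)
        inbound = is_inside(pkt.dst) and not is_inside(pkt.src)
        if not (outbound or inbound):
            return "Block"            # spoofed or transit traffic: not ours to forward
        key = self._key(pkt, outbound)
        state = self.table.get(key)

        if outbound:
            if state is None:
                if not self._policy_allows_new_outbound(pkt):
                    return "Block"
                self.table[key] = "SYN_SENT" if pkt.proto == "TCP" else "WAIT_REPLY"
            elif pkt.proto == "TCP" and state == "SYN_RECEIVED" and "A" in pkt.flags:
                self.table[key] = "ESTABLISHED"   # third packet of the handshake
            return "Allow"

        # Inbound: without a matching entry there is nothing this could be a reply to.
        if state is None:
            return "Block"
        if pkt.proto == "TCP":
            if state == "SYN_SENT" and pkt.flags == "SA":
                self.table[key] = "SYN_RECEIVED"
                return "Allow"
            if state in ("SYN_RECEIVED", "ESTABLISHED") and "S" not in pkt.flags:
                return "Allow"
            return "Block"
        # UDP / ICMP: one reply per request, then the entry is gone.
        del self.table[key]
        return "Allow"


if __name__ == "__main__":
    fw = StatefulFirewall()
    trace = [
        Pkt("10.0.0.5", "93.184.216.34", 50000, 80, "TCP", "S"),     # inside opens to web
        Pkt("93.184.216.34", "10.0.0.5", 80, 50000, "TCP", "SA"),    # server's SYN+ACK
        Pkt("10.0.0.5", "93.184.216.34", 50000, 80, "TCP", "A"),     # handshake completes
        Pkt("198.51.100.7", "10.0.0.5", 80, 50001, "TCP", "A"),      # unsolicited, sport 80
        Pkt("198.51.100.7", "10.0.0.9", 40000, 80, "TCP", "S"),      # inbound connection attempt
    ]
    for p in trace:
        print(fw.handle(p), p)
```

The unsolicited packet with source port 80 is blocked even though a stateless "allow source port 80" rule would have let it in: the state table, not the header, decides. A real SPI firewall also expires entries (idle timeouts, FIN/RST handling), which this example omits.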
Deep packet inspection (DPI)
More sophisticated firewalls perform deep packet inspection (DPI); that is, they
examine not only headers but also application data and make decisions based on
its contents. For example, DPI firewalls can monitor HTTP traffic in order to
block access to suspicious URLs or to disallow the download of certain web
plugins. Note that DPI can only see what is not encrypted: for TLS traffic it
is limited to the unencrypted parts of the handshake (such as the server name)
unless it terminates TLS itself.
This DPI technique is often combined with intrusion detection systems (IDS) and
intrusion prevention systems (IPS) to enforce more sophisticated policies.
Great Firewall of China (From Wiki)
The Great Firewall (GFW) is the combination of legislative actions and
technologies enforced by China to regulate the Internet domestically which
include
- blocking access to selected foreign websites and
- slowing down cross-border internet traffic.
Some techniques deployed by the Chinese government include:
- The GFW maintains a list of IP ranges whose traffic is automatically dropped.
- "Liar" DNS servers and DNS hijackers return incorrect IP addresses; studies
suggest that this censorship is keyword-based.
- The GFW also filters web traffic based on the URL and on keywords in the web
page.
Firewalls: Limitations and Cautions
Firewalls are not complete solutions to all computer security problems.
A firewall protects only the perimeter of its environment against outsiders
who want to penetrate the machines inside it.
- (Complete mediation?)
Firewalls are effective only if the complete mediation principle is
maintained.
For example, suppose an inside host connects to an outside address over a
wireless link that bypasses the firewall. An attacker may then obtain access
to that inside host through the wireless connection, and if the host is
compromised, the entire internal network is exposed through this unprotected
host.
- (Correct policy?)
Firewall rules must be correctly configured, and that configuration must be
updated as the internal and external environment changes. In addition,
firewall logs must be reviewed periodically to see whether there has been any
attempted or successful intrusion.
- (Tamper resistance?)
Firewalls are targets for penetrators. While a firewall is designed to
withstand attack, it is not impenetrable. For this reason, several different
layers of protection, called defense in depth, are better than relying on the
strength of just a single firewall.
- Firewalls are useless against malicious insiders, whose traffic never
crosses the perimeter.
Intrusion Detection Systems (IDSes)
Using firewalls and IDS in tandem
We stress that both mechanisms should be used in tandem.
- Although a firewall is a good mechanism for protecting the system from
intrusion, it is not perfect. You should therefore expect a sophisticated
attacker to penetrate the system somehow even in the presence of the
firewall. Following the principle of defense in depth, it is important to put
another line of defense in place, i.e., detecting intrusion.
- In particular, firewalls are not effective against insider attacks.
- The sooner an intrusion is detected, the less the damage.
- An IDS can serve as a deterrent against intrusion; an attacker would rather
not penetrate a system unless certain of going undetected.
- An IDS can be used to detect weaknesses in other security mechanisms.
Depending on how it detects bad behavior, an IDS is either signature-based or
anomaly-based.
Signature-based IDS (Rule-based IDS)
A signature-based IDS defines a set of rules describing bad patterns of
behavior (e.g., known exploit characteristics, known bad events).
Example rules include:
- Incoming packets are bad if they match a known exploit (e.g., known virus code).
- Users should not log in with the username "root"; doing so violates the
organization's security policy.
- Users should not read files in other users' directories.
- Users should not be logged in simultaneously from more than one location.
- Users should not make copies of system programs.
- Desktop computers may not be used as HTTP servers.
- An operating system log entry with a status code value of 645 indicates that
the host's auditing has been disabled.
Signature-based detection is simple and very effective at detecting known
threats, but largely ineffective at detecting previously unknown threats,
threats disguised by evasion techniques, and many variants of known threats.
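The following is an added example, not part of the original notes: a tiny signature-based detector run over constructed log lines, implementing four of the example rules above (root login, the status-code-645 "auditing disabled" event, reading another user's home directory, and a simultaneous login from a second location). The log format ("<time> <event> key=value ..."), the user names, addresses and the rule names are assumptions made for illustration; only the 645 code comes from the notes.

```python
# Added example (not part of the original notes): a tiny signature-based detector
# run over constructed log lines. The log format ("<time> <event> key=value ...")
# and the signature names are assumptions; the 645 "auditing disabled" code is the
# one quoted in the notes above.
from collections import defaultdict

# Constructed sample log; nothing here is from a real system.
LOG_LINES = """\
2024-03-01T09:00:00 login user=alice src=10.0.0.5
2024-03-01T09:01:10 login user=root src=10.0.0.7
2024-03-01T09:02:00 login user=alice src=203.0.113.9
2024-03-01T09:03:30 oslog status=645 host=ws12
2024-03-01T09:04:00 logout user=alice src=10.0.0.5
2024-03-01T09:05:00 login user=bob src=10.0.0.8
2024-03-01T09:06:00 file_read user=bob path=/home/alice/notes.txt
2024-03-01T09:07:00 file_read user=bob path=/home/bob/todo.txt
""".splitlines()


def parse(line):
    """Split one log line into a dict: timestamp, event name, then key=value fields."""
    ts, event, *fields = line.split()
    rec = {"ts": ts, "event": event}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


# Stateless signatures: one predicate per rule, applied to each event on its own.
SIGNATURES = {
    "root-login": lambda e: e["event"] == "login" and e.get("user") == "root",
    "auditing-disabled": lambda e: e["event"] == "oslog" and e.get("status") == "645",
    "foreign-home-read": lambda e: (e["event"] == "file_read"
                                    and not e["path"].startswith(f"/home/{e['user']}/")),
}


def detect(lines):
    """Return (timestamp, signature name, log line) alerts in log order."""
    alerts = []
    active = defaultdict(set)   # user -> source addresses with a live session
    for line in lines:
        e = parse(line)
        for name, predicate in SIGNATURES.items():
            if predicate(e):
                alerts.append((e["ts"], name, line))
        # Stateful signature: a login while the user already has a session
        # open from a different location.
        if e["event"] == "login":
            if active[e["user"]] and e["src"] not in active[e["user"]]:
                alerts.append((e["ts"], "multi-location-login", line))
            active[e["user"]].add(e["src"])
        elif e["event"] == "logout":
            active[e["user"]].discard(e["src"])
    return alerts


if __name__ == "__main__":
    for ts, name, line in detect(LOG_LINES):
        print(f"{ts} {name:22s} {line}")
```

The "multi-location" rule is the interesting one: it cannot be written as a predicate over a single event, so even a signature-based IDS has to carry some state (here, the set of open sessions per user). An attacker who knows the signatures can of course avoid them, e.g. by using a non-root account or by waiting for alice to log out first; that is the evasion limitation noted above.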
Snort
Snort is a well-known open-source IDS/IPS (intrusion prevention system); you can
install it for free on Ubuntu.
An example Snort IDS rule is shown below.
Possible rule actions are as follows:
alert, log, pass, drop, reject, sdrop
The rule options are formatted as follows:
(keyword_1:argument_1; ...; keyword_n:argument_n)

Snort can inspect HTTP traffic as well. See the example below, which raises an
alert whenever a PDF file is served from an outside web server to a host on the
home network:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(
msg: "PDF File Detected";
file_type: PDF;
sid:8;
)
Note that sids below 1,000,000 are reserved for rules distributed with Snort; a
locally written rule should use a sid of 1,000,000 or higher and carry a rev
option so that revisions of the rule can be tracked.
Anomaly-based IDS (Statistical IDS)
Anomaly-based detection is the process of comparing definitions of what activity
is considered normal against observed events to identify significant deviations.
An IDS using anomaly-based detection has profiles that represent the normal
behavior of such things as users, hosts, network connections, or applications.
The profiles are developed by monitoring the characteristics of typical activity
over a period of time.
Some possible metrics are given in the following:

Metric                                    | Reasoning
Frequency of login by date and time       | Intruders are more likely to log in during off-hours
Frequency of login at different locations | Intruders may log in from a location that a legitimate user doesn't use
Length of session                         | Attackers may run a much shorter or longer session
Amount of data copied to some location    | Detects attempts to copy large amounts of sensitive data
The major benefit of anomaly-based detection methods is that they can be very
effective at detecting previously unknown threats.
Inadvertently including malicious activity as part of a profile is a common
problem with anomaly-based IDS products. Another problem with building profiles
is that it can be very challenging in some cases to make them accurate, because
computing activity can be so complex. Anomaly-based IDS products often produce
many false positives because of benign activity that deviates significantly from
profiles, especially in more diverse or dynamic environments.
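The following is an added example, not part of the original notes: an anomaly detector built on the first metric in the table above (frequency of login by hour of day). A user's profile is a histogram of login hours learned during a training window, and a login is flagged when its hour accounts for less than a threshold share of that user's history. It also demonstrates the two problems just described: a legitimate but unusual late login is a false positive, and if the intruder was already active during training, the profile absorbs the malicious logins as "normal". The threshold, the login records and the user names are constructed for illustration.

```python
# Added example (not part of the original notes): an anomaly detector built on
# the "frequency of login by date and time" metric. A user's profile is a
# histogram of login hours learned from a training window; a login is flagged
# when its hour makes up less than a threshold share of that user's history.
# The threshold, the login records and the user names are all constructed.
from collections import Counter


def build_profile(logins):
    """logins: iterable of (user, hour_of_day). Returns {user: Counter(hour -> count)}."""
    profile = {}
    for user, hour in logins:
        profile.setdefault(user, Counter())[hour] += 1
    return profile


def is_anomalous(profile, user, hour, threshold=0.02):
    """Flag the login if the user has no profile or the hour is rare in it."""
    hist = profile.get(user)
    if not hist:
        return True
    return hist[hour] / sum(hist.values()) < threshold


# Constructed training data: alice logs in during working hours, 12 weeks of history.
TRAINING = [("alice", h) for h in (8, 9, 9, 10, 13, 14, 16, 17) for _ in range(12)]

# The same history, except that an intruder using alice's account was already
# active during the training window and logged in at 03:00 eight times.
TRAINING_POISONED = TRAINING + [("alice", 3)] * 8


if __name__ == "__main__":
    clean = build_profile(TRAINING)
    for user, hour in [("alice", 9), ("alice", 3), ("alice", 19), ("mallory", 9)]:
        verdict = "ANOMALY" if is_anomalous(clean, user, hour) else "normal"
        print(f"{user} {hour:02d}:00 {verdict}")
    # With the poisoned profile the 03:00 logins are "normal" and no longer flagged.
    poisoned = build_profile(TRAINING_POISONED)
    print("alice 03:00 with poisoned profile:",
          "ANOMALY" if is_anomalous(poisoned, "alice", 3) else "normal")
```

With the clean profile, alice's 03:00 login is flagged, but so is a one-off legitimate 19:00 login (a false positive). With the poisoned profile, 03:00 makes up about 8% of alice's history, well above the 2% threshold, and the intruder's logins pass as normal; this is why the training window has to be vetted before the profile is trusted.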
False Positives and Negatives
An IDS is based on the assumption that attacker behavior is (sufficiently)
different from legitimate user behavior. However, in reality, there will be
overlap:
- Some legitimate behavior may appear malicious.
- Intruders can attempt to disguise their behavior as that of an
honest user.
Due to this overlap, it is inevitable that an IDS has false positives and
false negatives.
- True positives (TP):
- the events are actual attacks ("positive events"), and
- the IDS correctly issues an alarm ("positive alarm").
- False negatives (FN):
- the events are actual attacks ("positive events"), but
- the IDS falsely issues no alarm ("false negative").
- True negatives (TN):
- the events are authorized behaviors ("negative events"), and
- the IDS correctly issues no alarm ("negative alarm").
- False positives (FP):
- the events are authorized behaviors ("negative events"), but
- the IDS falsely issues an alarm ("false positive").
FPR and FNR
Important
- False positive rate (FPR) = FP/(#ground-truth negative events) = FP/(FP+TN)
- False negative rate (FNR) = FN/(#ground-truth positive events) = FN/(FN+TP)
Quick check
- Question
There have been 1,000 events, among which 100 events were actual attacks.
Suppose an IDS worked as follows:
- It detected only 90 attacks (out of 100).
- Furthermore, it additionally issued a false alarm 20 times.
Give the FPR and FNR for this IDS.
- Answer
TP: 90, FN: 10, TN: 880 (= 900 benign events - 20), FP: 20
FPR = 20/(880+20) = 20/900 ≈ 2.22%
FNR = 10/(10+90) = 10/100 = 10%
Tradeoff Between FNR and FPR
There is generally a tradeoff between these two rates:
- You may tune the IDS parameters so that it alarms less often. In this way you
effectively decrease the false positive rate, but at the same time you increase
the false negative rate.
- You may tune the IDS parameters so that it alarms more often. In this way you
effectively decrease the false negative rate, but at the same time you increase
the false positive rate.
Quality of IDS and the Rate of Attacks
The quality of your detector also depends on the rate of attacks.
Question
Suppose that there is an IDS system A with the following feature:
- False positive rate: 0.1%
- False negative rate: 0%
Is Detector A good enough to be deployed?
The answer is "it depends".
- Suppose that we receive 1,000 requests a day and 5 of them are attacks. How
many false alarms will be issued in expectation?
FP = FPR * (#negative events)
#ground negative events = 995, that is, 1000 - 5
FP = 0.1% x 995 ≈ 1
About 1 false alarm will be issued
- Suppose that we receive 10,000,000 (10 million) requests a day and 5 of
them are attacks. How many false alarms will be issued in expectation?
FP = FPR * (#negative events)
#ground negative events = 9,999,995, that is, 10,000,000 - 5
FP = 0.1% x 9,999,995 ≈ 10,000
About 10K false alarms will be issued
Note that nothing has changed about the IDS. The only thing that changed is the
number of requests received per day, and thus the base rate of attacks (5 out
of 1,000 versus 5 out of 10 million). In the second scenario, however, the IDS
is much less useful, because an analyst has to wade through about 10,000 false
alarms a day to find the 5 real attacks.
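The following is an added example, not part of the original notes: the confusion-matrix rates for the quick check above, and the expected false-alarm count together with the alarm precision (real attacks out of all alarms) for detector A under the two traffic volumes. It serves both the FPR/FNR quick check and the base-rate question. The totals (1,000 events with 100 attacks; 1,000 and 10,000,000 requests with 5 attacks; FPR 0.1%, FNR 0%) are the ones given in the notes; nothing else is assumed.

```python
# Added example (not part of the original notes): confusion-matrix rates for the
# quick check above, and the expected false-alarm count and alarm precision for
# detector A under the two traffic volumes. The totals are the ones given in the
# notes; nothing else is assumed.
from dataclasses import dataclass


@dataclass
class Confusion:
    tp: float
    fn: float
    fp: float
    tn: float

    @property
    def fpr(self):
        """False alarms out of all benign events: FP/(FP+TN)."""
        return self.fp / (self.fp + self.tn)

    @property
    def fnr(self):
        """Missed attacks out of all attacks: FN/(FN+TP)."""
        return self.fn / (self.fn + self.tp)

    @property
    def precision(self):
        """Real attacks out of all alarms: TP/(TP+FP). This, not the FPR, is what
        the analyst experiences as the share of alarms worth looking at."""
        alarms = self.tp + self.fp
        return self.tp / alarms if alarms else 0.0


def from_counts(total_events, attacks, detected, false_alarms):
    """Build the matrix from the quantities a quick-check question gives you."""
    return Confusion(tp=detected,
                     fn=attacks - detected,
                     fp=false_alarms,
                     tn=total_events - attacks - false_alarms)


def expected_matrix(total_events, attacks, fpr, fnr):
    """Expected matrix for a detector with known FPR/FNR at a given base rate."""
    benign = total_events - attacks
    fp = fpr * benign
    fn = fnr * attacks
    return Confusion(tp=attacks - fn, fn=fn, fp=fp, tn=benign - fp)


QUICK_CHECK = from_counts(total_events=1_000, attacks=100, detected=90, false_alarms=20)
SMALL_SITE = expected_matrix(total_events=1_000, attacks=5, fpr=0.001, fnr=0.0)
LARGE_SITE = expected_matrix(total_events=10_000_000, attacks=5, fpr=0.001, fnr=0.0)

if __name__ == "__main__":
    print(f"quick check: FPR={QUICK_CHECK.fpr:.2%} FNR={QUICK_CHECK.fnr:.0%}")
    for name, m in ("1,000 requests/day", SMALL_SITE), ("10M requests/day", LARGE_SITE):
        print(f"{name}: expected false alarms={m.fp:.0f}, precision={m.precision:.2%}")
```

Detector A's FPR is identical in both scenarios, yet its precision falls from roughly 83% to about 0.05%: at the large site only one alarm in two thousand is a real attack. That drop is entirely a consequence of the base rate, which is why FPR alone does not tell you whether a detector is deployable.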
False positive rates as an annoyance level
The FPR tells you what fraction of the benign events trigger a false alarm; the
higher the FPR, the more annoying the IDS. How many of the alarms you actually
see are false, however, is FP/(FP+TP), which also depends on how rare attacks
are: with 5 attacks among 10 million events, detector A's 0.1% FPR yields
10,000 false alarms for 5 true ones, so only about one alarm in 2,000 is real.
The above example shows that accurate detection is very challenging when there
are many events while attacks are rare.
- Even a very good detector will flag so many false positives that it becomes
impractical and very annoying to manually review every single alarm.