 - RU.INTERNET.SECURITY ---------------------------------------------------------
 From : Marхnais                             2:5020/2173.2  18 Nov 2005  17:10:05
 To : All
 Subject : Desktop Firewalls and Intrusion Detection
 -------------------------------------------------------------------------------- 
 
 
 textsection 2 of 12 of file WUESTE.TXT
 textbegin.section
                      1.3.2 Reasons for desktop firewalls
 
      The main purpose of a desktop firewall is to monitor and, if necessary,
 block incoming and outgoing network traffic on a machine according to the
 wishes of the user. This is normally done by applying filter rules to the
 packets. So far the behavior does not differ much from a standard network
 firewall, except that a network firewall filters traffic destined for multiple
 machines, whereas a desktop firewall checks only the packets targeting the one
 local machine.
      Desktop firewalls can additionally check the name of the application that
 opens the connection, which enables them to filter on application names in
 their rules. Filtering rules may therefore contain not only IP addresses but
 also references to trusted or untrusted application names, offering finer
 tuning of the rules.
      The purposes of a desktop firewall can be classified in two categories.
 First, it should protect from attacks that come from outside and target the
 monitored machine. This includes attacks such as port scans, misuse of open
 daemons (such as network shares) and DoS attacks. The second category is
 attacks or threats originating from inside the system, such as a trojan horse
 server that tries to connect home or an adware tool that wants to send some
 personal information back to its vendor. These should be blocked, or at least
 monitored and alerted on, by the desktop firewall.
      There are many reasons why we should use a desktop firewall solution,
 even if we are considering it for a machine that is located behind a
 full-featured network firewall.
      The first reason is employing a second line of defense to prevent attacks
 and to secure the system. Given that desktop firewalls have a different
 configuration and also different vulnerabilities than network-based firewalls,
 an attacker would have to breach two security systems. Needing two different
 exploits that work together decreases the chance of a successful attack.
 Furthermore, external firewalls, which are normally placed on the network
 border, will not help if the attacker is coming from inside the network.
 According to several surveys, most attacks come from the local network [13].
 Even if we fully trust our co-workers, we can never be sure that their
 machines have not been broken into and are being used against us.
      Another benefit of a personal firewall is that it makes use of the local
 context: it has access to data such as the name of the application that opens
 a connection, and not only to the IP address of the machine. Taking this
 additional information into account, it is possible to make decisions based on
 subtle distinctions. For example, assume that some adware has managed to
 install itself on the machine and is trying to send personal data back to a
 marketing company over HTTP. The majority of external firewall products are
 configured to permit this traffic, as it looks like legitimate HTTP traffic. A
 properly configured desktop firewall, on the other hand, would at least alert
 us before sending the packets and tell us the name of the offending
 application. A desktop firewall is useful not only against minor threats like
 adware; it also helps against computer worms. As recent cases show, computer
 worms spread so fast that most users will not have a chance to update their
 anti-virus signatures in time to catch them. For example, the computer worm
 "SQL.Slammer" (also known as "Hellkern" or "Sapphire") doubled the number of
 infected machines every 9 s in the first minutes of its outbreak [8]. After
 11 min it had spread all over the Internet. Desktop firewalls do a fairly good
 job of preventing such worms from spreading in the network, as they block
 outgoing connections for unknown applications. So, if the worm tried to send
 itself out from an infected machine, it would be blocked by the desktop
 firewall and prevented from infecting other machines. Although in this
 scenario the infection of the first machine was not prevented, the danger is
 still stemmed.
      Many home users think they are safe at home. They often argue: "Why
 should someone be interested in my data? It is nothing valuable, and if I lose
 some of the data, I don't really care." Even when agreeing with these points,
 it still makes sense to install a desktop firewall. Home users with a
 permanent Internet connection, such as DSL users, are increasingly the target
 of attackers. The attackers are not after secret data, but they can use those
 systems as stepping stones to obscure their true origin while attacking other
 systems. For example, these systems could be used as sources for DoS flood
 attacks.
      Most of the above scenarios could also be detected using an intrusion
 detection system (IDS). The difference is that an IDS is normally used for
 detecting attacks and not for preventing or protecting against them. An IDS
 can tell if a trojan horse is trying to call home from the machine, but it
 does not block the traffic, as it is not intended to do so. This means that
 IDSs are not a replacement for desktop firewalls. Still, most desktop firewall
 vendors have started to include features to report known attacks that have
 been detected, similar to intrusion detection systems, so they present the
 user with additional information about the recorded events. Another added
 feature is content filtering, which enables the desktop firewall to control
 the information that is stored in cookies, block advertisement pop-ups or
 control the execution of active content like ActiveX in web pages on an
 individual basis for the user.
      Finally, as this report will show, another reason for using desktop
 firewalls is to use them as an additional information source that could help
 in getting a better view of the overall security state. The log files provide
 information that can be used in the process of correlating alarms and
 responding to attacks.
                                  1.4 Approach
 
      The approach followed in this thesis is first to think of possible attack
 scenarios on different levels targeting the desktop firewalls. For this
 purpose a small test network is set up, with all the desktop firewall products
 to be tested running in parallel on identically configured machines. By
 running the chosen set of attacks we can verify whether the desktop firewalls
 are able to protect against those specific attacks. This experiment gives an
 overview of the capabilities of desktop firewalls. The generated log files are
 collected for further inquiries.
      Analyzing the logged events leads to a generic event log format for
 desktop firewalls. Three Perl scripts are developed in this thesis, which
 translate the log files into the generic event log format. In order to find
 correlation rules for these alarms, the generated log files are analyzed. To
 verify the conclusions drawn, a real-world experiment is made with multiple
 desktop firewalls running in a network.
                                   Chapter 2
 
                       Specification of desktop firewalls
 
      In this chapter the products chosen for testing are introduced and their
 features are explained.
                             2.1 Selected products
 
      Most Unix systems and Linux derivatives already include full-featured
 firewalls that have little in common with desktop firewalls on Windows
 systems. Therefore, I decided to choose only Windows-based desktop firewalls
 for my test series. Non-Windows desktop firewalls would probably distort the
 result of the tests, because they are implemented like normal network
 firewalls and lack some of the special features that are common among the
 other desktop firewalls. As the purpose of this thesis is to reflect a real
 user situation, products from the whole range of the market segment are
 chosen. The selected desktop firewalls are the following:
 
  .   Name:         Zonealarm
      Version:      3.1.395
      Vendor:       Zonelabs
      Website:      http://www.zonelabs.com
      Type:         freeware
      Supported OS: Win98/ME/NT/2K/XP
 
  .   Name:         Symantec Desktop Firewall
      Version:      2.01
      Vendor:       Symantec
      Website:      http://www.symantec.com
      Type:         commercial
      Supported OS: Win95/98/ME/NT/2K/XP
 
  .   Name:         Sygate Personal Firewall
      Version:      5.0.1150
      Vendor:       Sygate
      Website:      http://soho.sygate.com
      Type:         free for personal use
      Supported OS: Win95/98/ME/NT/2K/XP
 
      They were chosen because they represent a good overview of what can be
 found on the market for small office and home users. If anywhere in this
 thesis one of the names above appears without further indication of the
 version, the specific version listed above is assumed.
                       2.2 Features of desktop firewalls
 
      In this section some of the interesting features of the chosen desktop
 firewalls are explained. The focus is on the logging and rule options, as they
 play the main role in this thesis, but other helpful features are also
 mentioned. This list is not meant to be complete; some features, like "live
 update", are not explained here.
                               2.2.1 "Zonealarm"
 
      "Zonelabs's" desktop firewall provides two different zones of trust, the
 "Internet zone" and the "trusted zone". For each zone the user can add IP
 addresses or networks, and the two zones may have different security
 settings. The provided security can be one of three levels: high, medium or
 low. In the program control settings we can define, for each application, its
 rights in the Internet zone and its rights in the trusted zone. Further, we
 can specify whether the application should be able to act as a server, making
 it possible for it to wait for incoming connections. The possible options
 are: "allow", "block" or "ask".
      A feature that is not related to the main firewall but still interesting
 is "mailsafe". It is a basic protection from Visual Basic script viruses in
 e-mails. The idea is to move a script to a safe location and make sure that
 it does not execute automatically. This is achieved by monitoring the e-mail
 traffic.
      As an additional feature, a panic button is implemented that switches
 the desktop firewall into "block all" mode when pressed. This can be useful
 if the user notices some abnormal behavior of the system.
      There is no possibility to add advanced custom rules that filter on port
 numbers. This means each application has the right to use all ports once it
 is allowed to communicate with the network.
                       2.2.2 "Symantec desktop firewall"
 
      The "Symantec Desktop Firewall" has two main categories: security and
 privacy.
      In "security" the user has an option to select one of three predefined
 levels: high, medium or low. These three levels are presets for the internal
 options, which are split in three topics: desktop firewall, Java applets and
 ActiveX. For each of these groups we can once more choose one of three
 protection levels. For the desktop firewall this means: high - block
 everything until the user allows it; medium - block known malicious
 applications; none - allow any traffic. The other two groups can be set to
 either block, prompt each time or allow the traffic.
      Additionally, there are two more options: one for enabling alerts, which
 will be displayed in the task bar icon, and one for silently blocking unused
 ports. The latter means that traffic directed to an unused port and not
 matched by any filtering rule will be blocked, as if there were a rule to do
 so.
      The second category is privacy. A slider allows the user to set one of
 three predefined levels of security: high, medium or minimal. These are bound
 to the internal settings for cookie blocking (block, prompt or allow) and for
 confidential information blocking (block, prompt or allow). "Confidential"
 information can be any information that we enter in a custom field, for
 example the last 4 digits of a credit card number. If enabled, the desktop
 firewall attempts to make sure that this information does not leave the
 machine.
      "Symantec Desktop Firewall" further has the ability to block IGMP traffic
 and also to block fragmented IP packets. Both are often used in DoS or Nuke
 attacks, which try to crash the system with intentionally crafted packets.
      "Symantec Desktop Firewall" offers the possibility to enable an automatic
 firewall rule creation wizard. This wizard has an internal database of known
 applications and corresponding default rules. If the desktop firewall notices
 a new application that wants to access the network, the wizard looks up the
 name in the database and checks whether it is a known application. If it is,
 it creates the corresponding rules automatically, without asking us. This can
 lead to problems if we want to have non-standard rules for standard
 applications like browsers.
      In the advanced options section we are able to set some more privacy
 rules on a per-domain-name basis. This allows blocking user-agent strings,
 cookies, referrers and e-mail names from being submitted to websites.
      Connections can be filtered by setting up rules in the rule editor. These
 rules can match incoming or outgoing packets and filter them according to
 criteria like protocol, application name, port numbers or the IP addresses
 used.
      The action on a filtered packet can be to allow it, block it or ignore
 it. Ignoring means that the packet will be logged but not blocked.
      For special events an alarm flag can be raised, which will be displayed
 in the system tray icon.
 textend.section
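As an added illustration of the rule semantics described in section 2.2.2 (first matching rule decides; allow, block or ignore, where ignore logs but does not block; silent blocking of unused ports) together with the adware-over-HTTP scenario from section 1.3.2, here is a constructed Python model. It is not code from the thesis or from any of the products; the packet fields, the rule order, the application names and the sample addresses are all assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

@dataclass
class Packet:
    direction: str  # "in" or "out"
    proto: str      # "tcp" or "udp"
    app: str        # local application owning the socket (constructed names below)
    port: int       # local port for "in", remote port for "out"
    ip: str         # remote IP address

@dataclass
class Rule:
    action: str                      # "allow", "block" or "ignore"
    direction: Optional[str] = None  # None means "any" for each criterion
    proto: Optional[str] = None
    app: Optional[str] = None
    port: Optional[int] = None
    ip: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return all(want is None or want == getattr(p, name)
                   for name, want in vars(self).items() if name != "action")

class DesktopFirewall:
    def __init__(self, rules: List[Rule], listening: Set[int]):
        self.rules, self.listening, self.log = rules, listening, []

    def filter(self, p: Packet) -> str:
        """First matching rule decides; returns 'pass' or 'drop' and logs events."""
        what = f"{p.direction} {p.proto} {p.app} {p.ip}:{p.port}"
        for r in self.rules:
            if r.matches(p):
                if r.action == "ignore":            # logged but not blocked
                    self.log.append("ignored " + what)
                    return "pass"
                if r.action == "block":
                    self.log.append("blocked " + what)
                    return "drop"
                return "pass"                       # allow: nothing logged
        if p.direction == "in" and p.port not in self.listening:
            return "drop"                           # unused port: silent block
        self.log.append("unknown application " + what)  # would prompt the user
        return "drop"

def demo():
    fw = DesktopFirewall([Rule("allow", "out", "tcp", "iexplore.exe", 80),
                          Rule("ignore", "in", "udp", port=137),   # log NetBIOS probes
                          Rule("block", ip="10.0.0.5")], listening={137, 139})
    packets = [Packet("out", "tcp", "iexplore.exe", 80, "192.0.2.10"),  # constructed
               Packet("out", "tcp", "adware.exe", 80, "192.0.2.20"),    # 1.3.2 scenario
               Packet("in", "udp", "system", 137, "192.0.2.30"),
               Packet("in", "tcp", "system", 445, "192.0.2.40"),        # unused port
               Packet("in", "tcp", "system", 139, "10.0.0.5")]
    return [fw.filter(p) for p in packets], fw.log
```

The adware's HTTP request is dropped and logged with the application name even though it looks like the browser's traffic on the wire, while the probe to the unused port leaves no log entry at all.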
 
  * Origin: 2:5020/1317.8, /2024.2, /2173.2, /2613.5, /5413.3 (2:5020/2173.2)
 
 
