 - RU.INTERNET.SECURITY ---------------------------------------------------------
 From : Marõnais                             2:5020/2173.2  18 Nov 2005  17:10:08
 To : All
 Subject : Desktop Firewalls and Intrusion Detection
 -------------------------------------------------------------------------------- 
 
 
 textsection 3 of 12 of file WUESTE.TXT
 textbegin.section
                        2.2.3 "Sygate Personal Firewall"
 
      "Sygate Personal Firewall" offers three operating modes (security levels):
 "block all", "allow all" and normal.
 
      Block All means that all incoming and outgoing transmissions are
                prevented.
      Allow All means that any traffic to and from the protected machine is
                allowed. A log event is still written when a rule matches.
      Normal    means that the custom-defined filtering rules are applied.
 
      An application table remembers the rights that have been granted to each
 application. It has the following fields:
 
      FileName: the name of the application;
      Version:  the version (build number) of the application;
      Access:   the access status that was  applied  to  this  application
                (either Block, Ask or Allow);
      Path:     the location of the application.
 
      For every application it is also possible to create an advanced rule.
 Such rules filter the application's traffic on additional fields such as IP
 addresses or port numbers. Each application can be granted the right to send
 or receive traffic during screensaver mode or during specified time periods.
      Further, it is possible to define advanced rules for connections. Each
 rule can filter packets according to the protocol, the IP addresses, the MAC
 addresses or the port numbers they use. A rule can be bound to multiple
 applications. The action taken on a matching packet is either to allow it or
 to block it. A rule can be set to apply only during a specified time period
 or during screensaver mode.
      In addition to logging to a file, the firewall can report unusual events
 by e-mail, either immediately when the alarm occurs or in regular batches at
 a configured time interval.
      "Sygate Personal Firewall" provides driver-level protection. This feature
 blocks protocol stacks from accessing the network unless the user allows it.
 If an application installs its own protocol stack and tries to bypass the
 personal firewall in that way, it is detected.
      The feature called "DLL authentication" determines which DLLs are
 associated with an application and marks them in an internal table. Any DLL
 that is not marked is blocked from accessing the network.
                            2.3 Logging capabilities
 
                               2.3.1 "Zonealarm"
 
      "Zonealarm" can log to a plain text file in a straightforward format. The
 logging is not strictly real time, because events pass through an internal
 buffer before being flushed, but the delay is less than a second. Each event
 is reported on a separate line with comma-separated fields. The format and a
 sample fragment of a "Zonealarm" log file are shown below.
 
  +-----------+-----------------+-------------------------------------------+
  |field name |     example     |               content format              |
  +-----------+-----------------+-------------------------------------------+
  |Type       |FWIN             |FWIN|FWOUT|FWLOOP|LOCK|PE|ACCESS|FWROUTE|MS|
  |Date       |2002/11/26       |YYYY/MM/DD                                 |
  |Time       |11:38:02 +1 GMT  |HH:MM:SS +n GMT                            |
  |Source     |192.168.0.66:3244|IP address:Port                            |
  |Destination|192.168.0.10:80  |IP address:Port                            |
  |Transport  |TCP(flags:s)     |TCP(flags:x)|UDP|ICMP|IGMP|N/A             |
  +-----------+-----------------+-------------------------------------------+
 
 FWIN,2002/11/26,13:21:22 +1:00 GMT,10.10.50.42:63348,10.10.50.2:17978,TCP (flags:S)
 FWIN,2002/11/26,14:07:22 +1:00 GMT,192.168.0.9:0,10.10.50.2:0,ICMP (type:8/subtype:0)
 FWIN,2002/11/26,14:22:00 +1:00 GMT,10.10.50.4:0,10.10.50.2:0,IGMP
 FWIN,2002/11/25,13:41:36 +1:00 GMT,192.168.0.9:0,10.10.50.2:0,IGMP (type:2/subtype:31)
 FWIN,2002/11/26,15:31:46 +1:00 GMT,192.168.0.9:7617,10.10.50.2:42,UDP
 ACCESS,2002/11/28,14:05:58 +1:00 GMT,,N/A,N/A
 ACCESS,2002/11/28,14:05:58 +1:00 GMT,flood.exe was temporarily blocked from connecting to the Internet (10.10.50.3).,N/A,N/A
 PE,2002/11/28,14:09:06 +1:00 GMT,flood.exe,10.10.50.3:0,N/A
 PE,2002/11/28,10:10:46 +1:00 GMT,Internet Explorer,192.168.0.9:80,N/A
 FWOUT,2002/11/28,14:09:08 +1:00 GMT,10.10.50.2:96,10.10.50.3:66,TCP (flags:S)
 FWOUT,2002/11/28,14:09:36 +1:00 GMT,10.10.50.2:0,10.10.50.3:0,IGMP
 FWOUT,2002/11/25,14:37:40 +1:00 GMT,10.10.50.2:53,10.10.50.2:53,UDP
 FWROUTE,2002/11/28,14:09:58 +1:00 GMT,0.0.0.0:96,10.10.50.3:66,UDP
 FWROUTE,2002/11/28,14:11:28 +1:00 GMT,0.0.0.0:0,10.10.50.3:0,ICMP (type:8/subtype:0)
                       2.3.2 "Symantec Desktop Firewall"
 
      "Symantec Desktop Firewall" logs six different kinds of events in separate
 log files, which are explained below. The internal representation is encoded
 in hexadecimal in a proprietary format that "Symantec" does not document. The
 log files can be exported to plain text, but some information from the
 original log file is discarded in the export, such as the subtype of the
 protocol. The following sample extracts are all taken from the exported log
 files and are therefore in plain text. The six log files are explained in the
 next subchapters.
                              Content blocking log
 
      Stored in the file iamtdi.log. This file records information about
 blocked ActiveX controls or Java applets. The user can enable this filtering
 at three levels: low, medium and high. The feature is not directly relevant
 to the experiments of this thesis, because its events carry no information
 about intrusion attempts. Therefore, this log file was not inspected further.
                                Connections log
 
      Stored in the file iamtcp.log. This file records all incoming and
 outgoing connections including ports, time stamp and the number of bytes sent
 and received. Especially the byte counts could be interesting, for example to
 check whether an attack was successful or not. This logging is not influenced
 by the filter rules. An example of "Symantec Desktop Firewall's" connection
 log is shown below.

 1/28/2003 18:00:48 Connection: 192.168.0.33: http from 192.168.0.2: 1802, 537 bytes sent, 1380 bytes received, 3:35.268 elapsed time
 1/28/2003 18:00:12 Connection: 192.168.0.66: http from 192.168.0.2: radius, 3162 bytes sent, 8352 bytes received, 21.451 elapsed time
 1/28/2003 17:59:54 Connection: 192.168.0.66: http from 192.168.0.63: radacct, 503 bytes sent, 221 bytes received, 0.650 elapsed time
                                  Firewall log
 
      Stored in the file iamfw.log. This is the main log file. It records all
 incoming and outgoing connections that match the filter rules. Each event is
 reported on multiple lines; in the records observed, the number of lines
 varies from three to six. As the extract below shows, the event records do not
 follow strict formatting rules, which makes it somewhat laborious to parse the
 events into the generic event log format introduced in Chapter 6.

 11/25/2002 14:39:05 Rule "Default Outbound ICMP" permitted (10.10.50.4,systat). Details:
 Outbound ICMP request
 Local address is (10.10.50.1)
 Remote address is (10.10.50.4)
 Message type is "Time Exceeded for a Datagram"
 Process name is "N/A"
 
 11/26/2002 14:14:30 Blocked inbound IGMP packet. Details:
 Remote address (10.10.50.4)
 Local address (10.10.50.1)
 
 11/27/2002 16:39:53 Rule "block all" blocked (10.10.50.1,441). Details:
 Inbound TCP connection
 Local address,service is (10.10.50.1,441)
 Remote address,service is (10.10.50.4,44614)
 Process name is "N/A"
 
 1/27/2003 14:08:45 Rule "Eudora HTTP" blocked (192.168.0.7,http). Details:
 Outbound TCP connection
 Local address,service is (0.0.0.0,2683)
 Remote address,service is (192.168.0.7,http)
 Process name is "C:\Program Files\Qualcomm\Eudora\Eudora.exe"
 
 11/26/2002 15:24:28 Rule "block all" blocked (10.10.50.1,nameserver). Details:
 Inbound UDP packet
 Local address,service is (10.10.50.1,nameserver)
 Remote address,service is (192.168.0.2,15897)
 Process name is "N/A"
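 The "Zonealarm" format of 2.3.1 and the "Symantec Desktop Firewall" records
 above both have to be brought into one generic event format before they can
 be correlated. The following Python is an added example of such a normaliser,
 not code from the thesis or from either vendor. It parses the one-line,
 comma-separated "Zonealarm" records, splitting the free-text ACCESS message
 off from the right so that an embedded comma cannot shift the fields, and it
 groups the "Symantec" export into records by the timestamped header line, so
 the three-line and six-line variants are handled alike. The GenericEvent field
 set is an assumption (Chapter 6 is not part of this excerpt), the +1:00 offset
 applied to the "Symantec" export is assumed from the "Zonealarm" samples,
 FWIN/FWOUT lines are assumed to be dropped packets, and the sample records are
 copied from the extracts quoted above.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterator, List, Optional

@dataclass
class GenericEvent:            # assumed field set: Chapter 6 is not part of this excerpt
    product: str
    timestamp: datetime        # timezone-aware, normalised to UTC
    action: str                # "blocked", "permitted" or "alert"
    direction: Optional[str]   # "in", "out", "route", "loop" or None
    protocol: Optional[str]    # "TCP", "UDP", "ICMP", "IGMP" or None
    src: Optional[str]         # "ip:port-or-service"; no port when the log gives none
    dst: Optional[str]
    process: Optional[str]
    detail: str

ZA_HEAD = re.compile(r"^([A-Z]+),(\d{4}/\d{2}/\d{2},\d{2}:\d{2}:\d{2}) ([+-]\d{1,2})(?::(\d{2}))? GMT,(.*)$")
ZA_DIRECTION = {"FWIN": "in", "FWOUT": "out", "FWROUTE": "route", "FWLOOP": "loop"}

def parse_zonealarm(text: str) -> Iterator[GenericEvent]:
    for m in filter(None, map(ZA_HEAD.match, text.splitlines())):
        kind, stamp, tzh, tzm, rest = m.groups()
        # ACCESS text may contain commas; the last two fields never do, so split from the right
        f1, f2, f3 = rest.rsplit(",", 2)
        offset = timedelta(hours=int(tzh), minutes=int(tzm or 0) * (-1 if tzh[0] == "-" else 1))
        ts = datetime.strptime(stamp, "%Y/%m/%d,%H:%M:%S").replace(tzinfo=timezone(offset)).astimezone(timezone.utc)
        proto = None if f3 == "N/A" else f3.split(" ")[0]          # "TCP (flags:S)" -> "TCP"
        if kind in ZA_DIRECTION:   # ASSUMPTION: FW* lines record packets that ZoneAlarm dropped
            yield GenericEvent("ZoneAlarm", ts, "blocked", ZA_DIRECTION[kind], proto, f1, f2, None, f3)
        elif kind == "PE":         # program event: f1 is the program, f2 the address it wanted
            yield GenericEvent("ZoneAlarm", ts, "alert", "out", proto, None, f2, f1, "program event")
        else:                      # ACCESS, LOCK, MS: free-text message in f1
            yield GenericEvent("ZoneAlarm", ts, "alert", None, proto, None, None, None, f1 or kind)

SY_HEAD = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4} \d{2}:\d{2}:\d{2}) (.*)$")   # first line of a 3-to-6-line record
SY_FLOW = re.compile(r"\b(inbound|outbound)\b.*?\b(TCP|UDP|ICMP|IGMP)\b", re.IGNORECASE)
SY_ADDR = re.compile(r"^(Local|Remote) address(?:,service)?(?: is)? \(([^,)]+)(?:,([^)]+))?\)")
SY_QUOTED = re.compile(r'^(Process name|Message type) is "(.*)"$')

def parse_symantec(text: str, offset: timedelta = timedelta(hours=1)) -> Iterator[GenericEvent]:
    # The export carries no time zone; the +1:00 default is assumed from the ZoneAlarm samples
    lines = text.splitlines()
    starts = [i for i, l in enumerate(lines) if SY_HEAD.match(l)]
    for start, end in zip(starts, starts[1:] + [len(lines)]):
        record = [l.strip() for l in lines[start:end] if l.strip()]
        stamp, msg = SY_HEAD.match(record[0]).groups()
        ts = datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S").replace(tzinfo=timezone(offset)).astimezone(timezone.utc)
        # Rule names are free text ("block all"), so the LAST verdict word in the header counts
        action = (re.findall(r"\b(permitted|blocked)\b", msg, re.IGNORECASE) or ["alert"])[-1].lower()
        direction = protocol = process = local = remote = None
        detail = re.sub(r"\s*Details:$", "", msg)
        # Detail lines first, header last: 3-line "Blocked inbound IGMP packet" records carry the flow
        # only in the header, while a rule named "Default Outbound ICMP" must not beat a detail line
        for l in record[1:] + [record[0]]:
            flow = SY_FLOW.search(l)
            if flow and direction is None:
                direction, protocol = ("in" if flow[1].lower() == "inbound" else "out"), flow[2].upper()
            addr = SY_ADDR.match(l)
            if addr:
                endpoint = addr[2] + (":" + addr[3] if addr[3] else "")
                local, remote = (endpoint, remote) if addr[1] == "Local" else (local, endpoint)
            quoted = SY_QUOTED.match(l)
            if quoted and quoted[1] == "Process name":
                process = None if quoted[2] == "N/A" else quoted[2]
            elif quoted:
                detail = quoted[2]
        src, dst = (local, remote) if direction == "out" else (remote, local)   # inbound: remote -> local
        yield GenericEvent("Symantec", ts, action, direction, protocol, src, dst, process, detail)

def blocked_inbound_by_source(events: List[GenericEvent]) -> Counter:   # one table for both products
    return Counter(e.src.rsplit(":", 1)[0] for e in events
                   if e.action == "blocked" and e.direction == "in" and e.src)

# Sample records, copied from the log extracts quoted above
ZA_SAMPLE = """FWIN,2002/11/26,13:21:22 +1:00 GMT,10.10.50.42:63348,10.10.50.2:17978,TCP (flags:S)
ACCESS,2002/11/28,14:05:58 +1:00 GMT,flood.exe was temporarily blocked from connecting to the Internet (10.10.50.3).,N/A,N/A
PE,2002/11/28,14:09:06 +1:00 GMT,flood.exe,10.10.50.3:0,N/A
FWOUT,2002/11/28,14:09:08 +1:00 GMT,10.10.50.2:96,10.10.50.3:66,TCP (flags:S)
"""
SY_SAMPLE = """11/25/2002 14:39:05 Rule "Default Outbound ICMP" permitted (10.10.50.4,systat). Details:
Outbound ICMP request
Local address is (10.10.50.1)
Remote address is (10.10.50.4)
Message type is "Time Exceeded for a Datagram"
Process name is "N/A"

11/26/2002 14:14:30 Blocked inbound IGMP packet. Details:
Remote address (10.10.50.4)
Local address (10.10.50.1)

11/27/2002 16:39:53 Rule "block all" blocked (10.10.50.1,441). Details:
Inbound TCP connection
Local address,service is (10.10.50.1,441)
Remote address,service is (10.10.50.4,44614)
Process name is "N/A"
"""
```

 Running both parsers over the samples and feeding the combined list to
 blocked_inbound_by_source() puts 10.10.50.4 (two blocked inbound hits on the
 "Symantec" host) and 10.10.50.42 (one on the "Zonealarm" host) into one
 table, with both products' timestamps on the same UTC time base.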
                                  Privacy log
 
      Stored in the file iampriv.log. This file records privacy-related events,
 for example, sending cookies or the  browser  user-agent  identifier.  Because
 these data are not directly related to intrusion attacks, this log  file  will
 not be further analyzed.
                                   System log
 
      Stored in the file iamsys.log. This file records operational messages,
 such as starting and stopping a service. In the scope of the experiments of
 this thesis these alarms were not analyzed, as they have no direct impact. In
 future work it would make sense to include this log file for completeness. In
 some scenarios this information could be of interest, for example when an
 attack has successfully shut down the desktop firewall, which an attacker
 should not be able to do.
                                Web-history log
 
      Stored in the file iamwebh.log. Similar to a  web-browser  history  file,
 this log file records all the visited URLs with time and date. Unless we  want
 to keep track of people who visit blocked webpages, this file will not  be  of
 interest for the further experiments and, therefore, is not analyzed.
                        2.3.3 "Sygate Personal Firewall"
 
      "Sygate Personal Firewall" logs events into four different log files:
 system log, security log, traffic log and packet log. The log files themselves
 are encoded in hexadecimal, but they can be exported as plain text messages
 from the log view console.
      Additionally, there is a debug log file named debug.log in the same
 directory, which contains information such as when the GUI was started or
 which drivers were loaded with the firewall. As the name implies, it exists
 for debugging purposes only and was not used in the experiments of this
 thesis.
      All of these log files can be displayed in two different modes: "local
 view" or "source view". The only difference is that two fields are called
 "remote host" & "local IP" in the first mode and "destination host" & "source
 IP" in the other mode. Actually, I could not figure out why this feature was
 implemented, since the information stays the same; it is just that these two
 fields are swapped. A normal end user might get irritated and confused by
 this option. To simplify matters I have always made the tests using the
 "source view" mode.
                                   System log
 
      Stored in the file syslog.log. This file records all operational changes,
 such as the starting and stopping of services, detection of network
 applications, software configuration modifications and software execution
 errors. The system log is especially useful for troubleshooting but is not
 used for correlation, so for the scope of this thesis it was not included. In
 future work it would make sense to include this log file for completeness. In
 some scenarios this kind of information could be useful, for instance when the
 service was started and stopped. Below is an example "Sygate Personal
 Firewall" system log file.
 
 *************** Windows Version info ***************
 Operating System: Windows 2000 (5.0.2195 Service Pack 2)
 *************** Network info ***************
 No.0 "Local Area Connection" 00-04-ac-44-ab-ba "Intel 8255x-based PCI Ethernet
 Adapter (10/100)" 10.10.50.3
 
 96 01/22/2003 16:00:38 Information 12070202 Start Sygate Personal Firewall...
 97 01/22/2003 16:00:38 Information 12070202 Sygate Personal Firewall has been started.
 98 01/22/2003 16:00:38 Information 12070305 Security level has been changed to Normal
 99 01/22/2003 16:00:54 Information 12070305 New Option Settings is applied
 100 01/22/2003 16:01:14 Information 12070305 New Advance rule has been applied
 101 01/22/2003 16:01:20 Information 12070204 Stopping Sygate Personal Firewall....
 102 01/22/2003 16:01:24 Information 12070204 Sygate Personal Firewall is stopped
 103 01/22/2003 17:02:08 Information 12070201 Sygate Personal Firewall 5.0.1150
 textend.section
 
  * Origin: 2:5020/1317.8, /2024.2, /2173.2, /2613.5, /5413.3 (2:5020/2173.2)
 
 
