 - RU.INTERNET.SECURITY ---------------------------------------------------------
 From : Marinais                             2:5020/2173.2  18 Nov 2005  17:10:01
 To : All
 Subject : Desktop Firewalls and Intrusion Detection
 -------------------------------------------------------------------------------- 
 
 
  * Copied to: PVT.MARINAIS, RU.HACKER, XSU.HACKER
 
 textsection 1 of 12 of file WUESTE.TXT
 textbegin.all
                   Desktop Firewalls and Intrusion Detection
                   (abridged edition by Marinais, 03.11.2005)
 
                                 Candid Wüest
 
                 Swiss Federal Institute of Technology Zurich,
                  Computer Engineering and Networks Laboratory
 Diploma Thesis DA-2003.22, Winter Term 2002/2003
 
 Tutors:
      Diego Zamboni (IBM Rüschlikon Research Lab),
      Marc Rennhard
 
 Supervisor:
      Prof. Dr. Bernhard Plattner                    28.02.2002-08.02.2002
 
                                    Abstract
 
      The use of desktop firewalls has become more and more popular these days.
 The goal of this thesis is to analyze the use of desktop firewalls in  detail,
 to get a better understanding of their capabilities, strengths and weaknesses.
 Because they are installed on end-user machines together with  other  applica-
 tions, the question arises whether they can add security or whether they  open
 new security holes in the controlled machine. An interesting idea is to analy-
 ze the cooperation of multiple instances of desktop firewalls  with  intrusion
 detection systems (IDSs). To this end, rules for detecting attacks from the
 gathered log files are established, and a generic desktop firewall log file
 format is introduced that makes it possible to correlate the corresponding
 events from the different log files.
                                   Chapter 1
 
                                  Introduction
                                 1.1 Motivation
 
      It has become common to have an Internet connection at almost every
 location, and often it is running day and night. Even at home many people
 have a PC that is connected to the Internet 24 hours a day. During these long
 periods the machines are exposed to the threats of the Internet: the longer a
 machine is connected, the more likely it is to be affected by malicious
 activity. New technologies like wireless networks increase the risk of being
 attacked even further, as they introduce new ways of reaching a machine. With
 all the recent events of computer viruses and worms spreading through the
 Internet and causing damage, users slowly but surely realize that there is a
 danger in the Internet and that they need protection against it [7].
      In small companies the level of security is often not that high, and even
 in big enterprises with good security policies it is not unusual that the
 employees take their laptops from the office back home and connect them to
 their local Internet connection. At this moment all the data, which were
 protected by the enterprise security measures before, are exposed to a
 possible attacker. After a successful break-in, this machine can, when brought
 back into the corporate network, infect other machines in the intranet.
 Therefore, people have started using desktop firewalls to protect themselves
 against attackers. Having an anti-virus product installed is nothing unusual
 today, but having a desktop firewall running is still not so common.
      In contrast to the traditional model, where firewalls are recommended  to
 be installed on a dedicated and well-controlled machine, desktop firewalls are
 installed on end-user machines together with a wide variety of tools and  app-
 lications. Therefore, the question arises whether they provide additional  se-
 curity or whether they are also vulnerable to new  attacks  and  decrease  the
 overall security. To provide more security the log files of the desktop  fire-
 walls should be analyzed and considered when monitoring a network for attacks.
 There has been no effort yet in the direction of correlating the logged events
 of desktop firewalls, and also good detailed tests on the capabilities of des-
 ktop firewalls are rare [1]. The available test results are normally consumer-
 oriented and do not go into much detail [4].
      This thesis is not intended to be another comparison study of desktop
 firewalls regarding their ease of use or how nice they look. Rather, its first
 phase provides information about the concept of desktop firewalls in general
 and examines whether using them to protect user machines makes sense from a
 security point of view. In the second phase the thesis provides mechanisms to
 correlate the generated events, making it possible to integrate the desktop
 firewalls into a security framework. Until now the logged data are nearly
 always discarded and not used any further; only when a problem occurs that
 needs investigation might these log files be analyzed. The amount of possibly
 valuable logged information that goes unused is motivation enough to take a
 closer look at its further use.
                                1.2 Related work
 
      At the time of writing this thesis I was not aware of any work that is
 directly related to the idea of this topic. Most of the work on correlating
 log files targets only network firewalls and not desktop firewalls themselves
 [12]. Some log file analyzers are able to process desktop firewall log files.
 A good example is "Symantec's Deep Sight" tool, also used at "Security Focus",
 which can read the log files of some desktop firewalls, for example "Zonelabs
 Zonealarm" [2]. "DShield" is another tool that lets users submit their log
 files for collective examination [6]. Normally such tools are limited to a
 few widely used desktop firewalls and do not support many different versions
 of them. Another problem with these tools is that the users will often not
 get a detailed analysis of the attacks on their home network: the information
 is just added to a pool and analyzed over all the events of all submitters.
      If we already have a security infrastructure, then we probably want to be
 able to further process the events with all their relevant information on  our
 own. Submitting data to others might also not be compliant with  the  security
 policies. Tools like "DShield" cover more or less just the idea of sending the
 log files to a third party, which will then generate statistics, such  as  the
 ports scanned most frequently, but they will not provide a detailed report  of
 the attacks that have been run against the machines. In addition, we  are  not
 able to integrate the results easily into the correlation engine for the deci-
 sion process.
      There are a few short articles on the topic of this thesis pointing out
 the idea of using desktop firewalls as cheap sensors in an intrusion detection
 network. One of them is by Marcus J. Ranum [1], but it does not go into detail
 on how this would be implemented and what could be gained from using desktop
 firewalls as intrusion detection sensors. It only mentions that it would
 probably make sense to do so.
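 The pipeline that the thesis proposes (a common record format for events from
 different desktop firewalls, then detection rules run over the pooled events)
 can be sketched as follows. This is an added example, not code from the thesis
 or from any of the tools named above; the two log formats "A" and "B", the
 host names and every log line are constructed for illustration and do not
 reproduce the log format of any real product.

```python
"""Normalise log lines from two constructed desktop-firewall formats into one
event record, then correlate the blocked events across hosts.

Added example, not code from the thesis.  Formats A and B, the host names
and all log lines are constructed and reproduce no real product's format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional, Tuple


class Event(NamedTuple):
    ts: datetime
    sensor: str      # host whose desktop firewall wrote the line
    action: str      # "block" or "allow"
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Alert(NamedTuple):
    kind: str               # "sweep": one source, many hosts; "portscan": one host, many ports
    src_ip: str
    hosts: Tuple[str, ...]


# Constructed format A:  2003-01-15 22:14:03 BLOCK TCP 192.0.2.10:3345 -> 10.0.0.5:139
_FMT_A = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>BLOCK|ALLOW) "
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
# Constructed format B:  15/01/2003,22:14:05,blocked,tcp,src=192.0.2.10,spt=3346,dst=10.0.0.7,dpt=139
_FMT_B = re.compile(
    r"(?P<date>\d{2}/\d{2}/\d{4}),(?P<time>\d{2}:\d{2}:\d{2}),(?P<action>blocked|allowed),"
    r"(?P<proto>tcp|udp),src=(?P<src>[\d.]+),spt=(?P<sport>\d+),dst=(?P<dst>[\d.]+),dpt=(?P<dport>\d+)$")


def parse_line(sensor: str, fmt: str, line: str) -> Optional[Event]:
    """Map one raw line onto the common Event record.  Unparseable lines
    yield None rather than an exception, so one corrupt line does not stop
    the analysis of a whole file."""
    if fmt == "A":
        m = _FMT_A.match(line)
        if m is None:
            return None
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        action = m["action"].lower()
    elif fmt == "B":
        m = _FMT_B.match(line)
        if m is None:
            return None
        ts = datetime.strptime(m["date"] + " " + m["time"], "%d/%m/%Y %H:%M:%S")
        action = {"blocked": "block", "allowed": "allow"}[m["action"]]
    else:
        raise ValueError(f"unknown log format {fmt!r}")
    return Event(ts, sensor, action, m["proto"].upper(),
                 m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def correlate(events: List[Event], window: timedelta = timedelta(seconds=60),
              min_hosts: int = 3, min_ports: int = 5) -> List[Alert]:
    """Slide a time window over the blocked events of each source address.
    A source hitting >= min_hosts different sensors inside the window is a
    sweep; one hitting >= min_ports different ports on one sensor is a port
    scan.  The sweep rule is only possible because logs are pooled: a single
    host sees one blocked packet and has no reason to alert."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.action == "block":
            by_src[e.src_ip].append(e)
    alerts: List[Alert] = []
    for src, evs in by_src.items():
        seen, start = set(), 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            hosts = tuple(sorted({e.sensor for e in win}))
            if len(hosts) >= min_hosts and "sweep" not in seen:
                alerts.append(Alert("sweep", src, hosts))
                seen.add("sweep")
            ports_per_host = defaultdict(set)
            for e in win:
                ports_per_host[e.sensor].add(e.dst_port)
            for host, ports in ports_per_host.items():
                if len(ports) >= min_ports and ("portscan", host) not in seen:
                    alerts.append(Alert("portscan", src, (host,)))
                    seen.add(("portscan", host))
    return alerts


# Constructed sample: three hosts, two log formats, one corrupt line.
SAMPLE_LOGS = [
    ("host1", "A", "2003-01-15 22:14:03 BLOCK TCP 192.0.2.10:3345 -> 10.0.0.5:139"),
    ("host2", "B", "15/01/2003,22:14:05,blocked,tcp,src=192.0.2.10,spt=3346,dst=10.0.0.7,dpt=139"),
    ("host3", "A", "2003-01-15 22:14:09 BLOCK TCP 192.0.2.10:3347 -> 10.0.0.9:139"),
    ("host1", "A", "2003-01-15 22:20:00 ALLOW TCP 10.0.0.1:1025 -> 10.0.0.5:445"),
    ("host1", "A", "2003-01-15 22:30:01 BLOCK TCP 198.51.100.7:4000 -> 10.0.0.5:21"),
    ("host1", "A", "2003-01-15 22:30:01 BLOCK TCP 198.51.100.7:4001 -> 10.0.0.5:22"),
    ("host1", "A", "2003-01-15 22:30:02 BLOCK TCP 198.51.100.7:4002 -> 10.0.0.5:23"),
    ("host1", "A", "2003-01-15 22:30:02 BLOCK TCP 198.51.100.7:4003 -> 10.0.0.5:25"),
    ("host1", "A", "2003-01-15 22:30:03 BLOCK TCP 198.51.100.7:4004 -> 10.0.0.5:80"),
    ("host2", "B", "15/01/2003,23:59:59,blocked,udp,src=203.0.113.4,spt=53,dst=10.0.0.7,dpt=1026"),
    ("host2", "B", "garbage line that does not parse"),
]


def analyse(records=SAMPLE_LOGS) -> List[Alert]:
    events = [ev for ev in (parse_line(*r) for r in records) if ev is not None]
    return correlate(events)
```

 On the sample the sweep of 192.0.2.10 against port 139 on three hosts and the
 port scan of 198.51.100.7 against host1 are reported; the lone UDP block from
 203.0.113.4 is not. Timestamp layout, field order and action vocabulary are
 exactly what differs between real products, and that is what the
 normalisation step absorbs before any rule runs.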
      On the other hand, there have been plenty of examinations of desktop
 firewalls, and nearly every PC user magazine has published a desktop firewall
 review. The problem with those articles is that they are mainly dedicated to
 helping an end user choose a product that is easy to manage. This means the
 focus seldom lies on the core technology and the real capabilities of the
 desktop firewalls but rather on how nice the graphical user interface (GUI)
 looks or how fast the support hotline is. This kind of test is valuable for a
 consumer, but tests that analyze what happens "behind the curtain" are still
 missing. One of the more technical examinations of desktop firewalls can be
 found at Boran's website [3]. Some websites have done generic tests of desktop
 firewalls with so-called "leak test tools" to see whether it is possible to
 send information out of a protected system. Many of these tests succeed and
 conclude that desktop firewalls are unsafe and useless. Unfortunately, some of
 them used attacks that a desktop firewall was never meant to protect against,
 so it necessarily failed. Some of the applied techniques have nevertheless
 been taken into account in the examination part of this thesis, and the causes
 of failing to protect against certain attacks are investigated later in
 Chapter 5. The mentioned websites can be found at PC Flank [5] or in the
 article [4].
                             1.3 Desktop firewalls
 
                       1.3.1 Desktop firewall technology
 
      For quite a long time people in the IT security  field  have  been  using
 network firewalls to secure their networks. A network firewall can be a  hard-
 ware device or a software program running on a dedicated  machine.  In  either
 case it must have at least two network interfaces: one for the network  it  is
 intended to protect and one for the network it is exposed to. A network  fire-
 wall sits at the junction point or gateway between the two networks, usually a
 private network and a public network such as the Internet. The earliest
 computer firewalls were simple routers. All traffic that passes the network
 firewall is inspected and, if it fulfills the defined criteria, allowed,
 otherwise blocked [17]. But for a normal computer user at home a network
 firewall is usually too complex or too expensive. This is often the reason
 why common home users would not use a network firewall even if they wanted to
 protect themselves. This has led to the idea of desktop firewalls.
      Desktop firewalls, sometimes also referred to as "personal firewalls"  or
 "distributed firewalls", target end users and do not try  to  replace  network
 firewalls. They intend to be easy to set up and maintain. Most  desktop  fire-
 walls are preconfigured so that the user is not bothered with  difficult  rule
 programming, and, if later an unknown event occurs, a wizard will help in cre-
 ating the necessary rules.
      As the name implies, desktop firewalls are host-based applications and
 run on the user's machine. Therefore, they are only able to see traffic that
 is directed to the monitored machine.
      A desktop firewall is usually a stateless packet filter. "Stateless"
 means the filter does not track the state of a connection; it decides for each
 packet on an individual basis whether to permit or to block it [17]. Stateful
 filters, on the other hand, accept packets only if they are possible in the
 current state of the connection. A stateless packet filter is therefore an
 application that accepts packets, examines their headers independently of each
 other and then decides whether to pass them on, depending on whether they meet
 the rules defined by the user. It works on the level of IP packets. The
 disadvantage of stateless inspection is that packets which would not be
 possible in a certain state of the communication may still pass the desktop
 firewall.
      Desktop firewalls typically do not implement packet content filtering.
 This means they do not inspect the payload of a packet to see whether it
 contains malicious content; only the headers of the packets are inspected.
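 To make the difference between stateless and stateful filtering concrete, the
 following added example (not code from the thesis and not any product's
 implementation) runs one short TCP packet sequence through a stateless rule
 set and through a minimal connection-tracking filter. The Packet type, the
 host address 10.0.0.5 and the packet sequence are constructed for the example.
 Both filters read header fields only, matching the header-only inspection
 described above.

```python
"""Stateless versus stateful filtering of one TCP packet sequence.

Added example, not code from the thesis or from any product.  The Packet
type, the host address, the rule set and the packet sequence are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple

HOST = "10.0.0.5"   # the machine the desktop firewall runs on (constructed)


@dataclass(frozen=True)
class Packet:
    """Header fields plus a payload that neither filter below ever reads."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: FrozenSet[str] = frozenset()   # TCP flag names, e.g. {"SYN", "ACK"}
    payload: bytes = b""


def stateless_filter(pkt: Packet) -> str:
    """Per-packet decision from header fields only.

    Policy: allow everything the host sends, allow inbound TCP that looks
    like a reply to a connection the host opened, block the rest.  Without
    state, the only available notion of "reply" is "ACK flag set", so an
    unsolicited inbound ACK is indistinguishable from a genuine reply."""
    if pkt.src_ip == HOST:
        return "allow"
    if pkt.proto == "TCP" and "ACK" in pkt.flags:
        return "allow"
    return "block"


class StatefulFilter:
    """Same policy, but "reply" is checked against the connections the host
    actually initiated (keyed by 4-tuple).  Timeouts and FIN/RST teardown
    are omitted to keep the example short."""

    def __init__(self) -> None:
        self.connections: Set[Tuple[str, int, str, int]] = set()

    def decide(self, pkt: Packet) -> str:
        if pkt.src_ip == HOST:
            if pkt.proto == "TCP" and pkt.flags == frozenset({"SYN"}):
                self.connections.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "allow"
        # Inbound: the reversed 4-tuple must belong to a tracked connection.
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.connections:
            return "allow"
        return "block"


# Constructed sequence: a normal outbound web connection, then an ACK probe
# and a SYN probe from an unknown host against port 139.
SEQUENCE: List[Tuple[str, Packet]] = [
    ("outbound SYN from host to web server",
     Packet("TCP", HOST, 1025, "198.51.100.7", 80, frozenset({"SYN"}))),
    ("inbound SYN/ACK reply from web server",
     Packet("TCP", "198.51.100.7", 80, HOST, 1025, frozenset({"SYN", "ACK"}))),
    ("inbound data on that connection (payload present, never inspected)",
     Packet("TCP", "198.51.100.7", 80, HOST, 1025, frozenset({"ACK", "PSH"}),
            b"HTTP/1.0 200 OK\r\n")),
    ("unsolicited inbound ACK probe to port 139",
     Packet("TCP", "192.0.2.10", 3345, HOST, 139, frozenset({"ACK"}))),
    ("unsolicited inbound SYN to port 139",
     Packet("TCP", "192.0.2.10", 3346, HOST, 139, frozenset({"SYN"}))),
]


def run_sequence(seq: List[Tuple[str, Packet]] = SEQUENCE) -> List[Tuple[str, str, str]]:
    """Return (description, stateless verdict, stateful verdict) per packet."""
    stateful = StatefulFilter()
    return [(desc, stateless_filter(p), stateful.decide(p)) for desc, p in seq]


if __name__ == "__main__":
    for desc, a, b in run_sequence():
        print(f"{desc:66s} stateless={a:5s} stateful={b}")
```

 The fourth packet is the case the text describes: an inbound ACK that is not
 possible in any current connection state. The stateless filter has only the
 ACK bit to go on and lets it through, which is what an ACK scan relies on; the
 stateful filter finds no matching connection and blocks it. Both verdicts are
 unchanged by whatever the payload contains.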
 textend.section
 
  * Origin: 2:5020/1317.8, /2024.2, /2173.2, /2613.5, /5413.3 (2:5020/2173.2)
 
 
