CIS 551 / TCOM 401

30 March 2006

Lecture 19: Firewalls (continued); Worms & Viruses

Scribed by Justin Waring



Encouraged to start Project 3 early.
It may take a while to get it up to speed.

Questions on Project 3:

Q: It's on IP protocol.  Are there other protocols to worry about?
A: The Internet is built on IP.  There are othesr on that layer in the suite, but IP is the only one typically seen in the real world.

Q: Difference between TCP Stream and Protocol?
A: We're building a network intrusion detection system (IDS).  It's like a firewall in that it monitors the network for patterns of bad behavior.  Unlike a firewall, an IDS actually looks at the contents of packets more meaningfully.  For the project there are (1) stream rules and (2) protocol rules.

sequence of packets    /----------\    rules
-------------------->  |   IDS    |  <-----------

A stream rule asks you to look at a TCP stream to a particular port on this host.  To process a stream rule, you need to reconstruct the TCP stream from the packet stream.  You have to look at TCP info (sequence numbers) to reconstruct the bytestream.  Then, search for a suspicious pattern.

We're doing an off-line version of a real-world IDS.  You have the whole sequence of data; it's not real-time.

For the project, reconstruct the TCP stream as one big (reassembled) bytestream, and then run the ruleset against them.

For extra credit, you can try to do an incremental version (i.e., feed one packet in at a time rather than one big bytestream) of the pattern matching part.

For protocol rules, you're watching a sequence of messages going between the monitored host and the remote machine.  You can monitor the protocol messages for suspicious messages that we want to alert on.  We assume that each protocol message will fit in a single IP packet.

Next week, we'll talk about IDS.

Q: Is the rules file we use to test going to be graded on how well it alerts on exploits?
A: No, the graders will supply their own rules file.

Q: You can have multiple rules in one file, but the examples don't show any like that.
A: It's okay to scan the whole file inefficiently, but extra credit is to do it fancier.  Be sure to comment and document well to make it easier for grading.

Note: Exams will be finished grading and returned on Tuesday.

Firewalls (continued)

Last time: when to filter?

  |                 |
  |            /---------\
  |     +----->|  Router |<-----+
  |     |      \---------/      |
  |     |           |           |
  V     |           V           |
/---------\       /--------------\
|  Inside |       |    Outside   |
\---------/       \--------------/

On Input or Output?

Recommended: Filter ASAP

Let's you detect as soon as possible.  The trade-off is loss of efficiency.

The example from the slide:

Action  src port    dest    port    comment
block   BAD *       *       *       we don't trust them
allow   *   *       GW      25      connect to our SMTP
allow   GW  25      *       *       our reply packets

is preferred over

Action  src port    dest    port    comment
block   *   *       BAD     *       subtle difference
allow   *   *       GW      25      connect to our SMTP
allow   GW  25      *       *       our reply packets

Example of a Pitfall

[An example setting was shown on the slide here.]

Another problem with filtering

Proxy-based Firewalls

+--------------+                  +---------------+               +--------------+
|              |                  |               |               |              |
| External     |   Ext TCP/HTTP   | Firewall      | Int TCP/HTTP  |  Local       |
|  client      |    connection    |               |  connection   |   web        |
|              |<-----------------+->[Web Proxy]<-+-------------->|   server     |
|              |                  |               |               |              |
+--------------+                  +---------------+               +--------------+
A FreeBSD firewall config script example was shown.

Principles for Firewall Configuration

Benefits of Firewalls

Drawbacks of Firewalls

Worms & Viruses

Malicous Code

Examples of trapdoors/backdoors are debug code used by developers that remains in fielded applications.  You may be familiar with these from games like where inputting the Konami Code gets you 30 lives.

Examples of Trojan Horses are phishing exploits and games or executables that appear to be legitimate but have nefarious purposes.

The distinction between worms and viruses is somewhat fuzzy.



Virus/Worm Writers' Goals

Kinds of Virsues

Melissa Macro Virus

*** EOF ***