firewalls


Upload: vivielex8317

Post on 14-Dec-2014


8/18/2010

Chapter 6

Copyright Pearson Prentice-Hall 2010

1. Legitimate hosts send innocent packets. Attackers send attack packets.

2. Ingress packets come into a site. Egress packets go out from a site.


Firewalls drop and log provable attack packets

Firewalls do not drop packets unless they are provably attack packets. This means that some attack packets that are not provably attack packets get through the firewall.


• The Problem

◦ If a firewall cannot filter all of the traffic passing through it, it drops packets it cannot process

◦ This is secure because it prevents attack packets from getting through

◦ But it creates a self-inflicted denial-of-service attack by dropping legitimate traffic


• Firewall Capacity

◦ Firewalls must have the capacity to handle the incoming traffic volume

◦ Some can handle normal traffic but cannot handle traffic during heavy attacks!

◦ They must be able to handle incoming traffic at wire speed—the maximum speed of data coming into each port


• Performance – must have sufficient processing capacity and RAM to process all packets.

• Packets that do not get processed must be dropped.

• Two factors drive performance requirements:

1. Volume of traffic to be filtered

2. Complexity of filtering

• Ensuring adequate performance – check the log file every day

Figure 6-2: The Danger of Traffic Overload

Performance requirements are driven by traffic volume (packets per second) and by the complexity of filtering (number of filtering rules, complexity of rules, etc.). If a firewall cannot inspect packets fast enough, it will drop unchecked packets rather than pass them.


• Processing Power Is Increasing Rapidly

◦ As processing power increases, more sophisticated filtering methods should become possible

◦ We can even have unified threat management (UTM), in which a single firewall can use many forms of filtering, including antivirus filtering and even spam filtering. (Traditional firewalls do not do these types of application-level malware filtering)

◦ However, increasing traffic is soaking up much of this increasing processing power


• Firewall Filtering Mechanisms

◦ There are many types

◦ We will focus most heavily on the most important firewall filtering method, stateful packet inspection (SPI)

◦ Single firewalls can use multiple filtering mechanisms, most commonly, SPI with other secondary filtering mechanisms


• Static Packet Filtering

◦ This was the earliest firewall filtering mechanism

◦ Limits

▪ Examines packets one at a time, in isolation

▪ Only looks at some internet and transport headers

▪ Consequently, unable to stop many types of attacks


Figure: Static Packet Filter Firewall

Arriving packets from the Internet (IP header plus TCP, UDP or ICMP header and application message) are examined one at a time, in isolation; only the IP, TCP, UDP and ICMP headers are examined, and this misses many attacks. Each packet is either permitted (passed) into the corporate network or denied (dropped), with a log file recording the firewall's decisions.


• Inspects Packets One at a Time, in Isolation

◦ If it receives a packet containing a SYN/ACK segment, this may be a legitimate response to an internally initiated SYN segment

▪ The firewall must pass packets containing these segments, or internally initiated communications cannot exist


• Inspects Packets One at a Time, in Isolation

◦ However, this SYN/ACK segment could be an external attack

▪ It could be sent to elicit an RST segment confirming that there is a victim at the IP address to which the SYN/ACK segment is sent

▪ A static packet filtering firewall cannot stop this attack


• However, Static Packet Filtering Can Stop Certain Attacks Very Efficiently

◦ Incoming ICMP Echo packets and other scanning probe packets

◦ Outgoing responses to scanning probe packets

◦ Packets with spoofed IP addresses (e.g., incoming packets with the source IP addresses of hosts inside the firm)

◦ Packets that have nonsensical field settings, such as a TCP segment with both the SYN and FIN bits set


• Market Status

◦ No longer used as the main filtering mechanism for border firewalls

◦ May be used as a secondary filtering mechanism on main border firewalls


• Market Status

◦ Also may be implemented in border routers, which lie between the Internet and the firewall

▪ Stops simple, high-volume attacks to reduce the load on the main border firewall


• Connections have distinct states or stages

• Different states are subject to different attacks

• Stateful firewalls use different filtering rules for different states

Figure: Connection states: Connection Opening State, Ongoing Communication State, Connection Closing State


• Default Behavior

◦ Permit connections initiated by an internal host

◦ Deny connections initiated by an external host

◦ Can change default behavior with ACL

Figure: Default stateful behavior at the border router: a connection attempt from the internal network to the Internet is automatically accepted; a connection attempt from the Internet is automatically denied


• Static Packet Filter Firewalls are Stateless

◦ Filter one packet at a time, in isolation

◦ If a TCP SYN/ACK segment is sent, cannot tell if there was a previous SYN to open a connection

◦ But stateful firewalls can

Figure: Stateful firewall dropping a spoofed SYN/ACK

1. An attacker spoofing the external webserver 10.5.3.4 sends a spoofed TCP SYN/ACK segment, From: 10.5.3.4:80, To: 60.55.33.12:64640 (internal client PC)

2. The stateful firewall checks its connection table: no connection match, so the segment is dropped

Connection Table

Type | Internal IP | Internal Port | External IP | External Port | Status
TCP | 60.55.33.12 | 62600 | 123.80.5.34 | 80 | OK
UDP | 60.55.33.12 | 63206 | 222.8.33.4 | 69 | OK


• Static Packet Filter Firewalls are Stateless

◦ Filter one packet at a time, in isolation

◦ Cannot deal with port-switching applications

◦ But stateful firewalls can

Figure: Stateful firewall handling a port-switching application (FTP)

1. The internal client PC 60.55.33.12 sends a TCP SYN segment, From: 60.55.33.12:62600, To: 123.80.5.34:21 (external FTP server)

2. The stateful firewall records the connection in its state table to establish the connection

3. The firewall passes the TCP SYN segment on, From: 60.55.33.12:62600, To: 123.80.5.34:21

State Table after Step 2

Type | Internal IP | Internal Port | External IP | External Port | Status
TCP | 60.55.33.12 | 62600 | 123.80.5.34 | 21 | OK

4. The external FTP server returns a TCP SYN/ACK segment, From: 123.80.5.34:21, To: 60.55.33.12:62600, saying "Use Ports 20 and 55336 for Data Transfers"

5. To allow this, the firewall establishes a second connection in its state table

6. The firewall passes the TCP SYN/ACK segment to the client, From: 123.80.5.34:21, To: 60.55.33.12:62600, "Use Ports 20 and 55336 for Data Transfers"

State Table after Step 5

Type | Internal IP | Internal Port | External IP | External Port | Status
TCP | 60.55.33.12 | 62600 | 123.80.5.34 | 21 | OK
TCP | 60.55.33.12 | 55336 | 123.80.5.34 | 20 | OK
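The two stateful scenarios above (the spoofed SYN/ACK with no connection-table match, and the FTP port switch that adds a second table entry) replayed in code; this is an added example, not code from the slides or the textbook. It assumes 60.55.0.0/16 is the firm's internal range and models the slide's "Use Ports 20 and 55336 for Data Transfers" message as a plain-text announcement, which is the slide's simplification of FTP's real port negotiation.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Tuple

# Connection table key: (type, internal IP, internal port, external IP, external port),
# the same columns as the slide's connection/state table.
ConnKey = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Segment:
    proto: str          # "TCP" or "UDP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False   # TCP flag bits (ignored for UDP)
    ack: bool = False
    payload: str = ""   # application data carried in the segment


# Constructed stand-in for the slide's "Use Ports 20 and 55336 for Data Transfers" message
PORT_ANNOUNCEMENT = re.compile(r"Use Ports (\d+) and (\d+) for Data Transfers", re.I)


class StatefulFirewall:
    """Default SPI behaviour: permit and record internally initiated connections,
    drop anything arriving from outside that matches no connection-table entry."""

    def __init__(self, internal_network: str):
        self.internal = ipaddress.ip_network(internal_network)
        self.table: Dict[ConnKey, str] = {}      # value is the Status column ("OK")

    def is_internal(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in self.internal

    def handle(self, seg: Segment) -> str:
        """Return "PASS" or "DROP" for one segment; direction is taken from the source IP."""
        if self.is_internal(seg.src_ip):
            key = (seg.proto, seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port)
            if key in self.table:
                return "PASS"                    # ongoing communication state
            if seg.proto == "UDP" or (seg.syn and not seg.ack):
                self.table[key] = "OK"           # internal host opening a connection: record it
                return "PASS"
            return "DROP"                        # e.g. a stray ACK for a connection never opened
        # Arriving from the Internet: look the segment up against the table
        key = (seg.proto, seg.dst_ip, seg.dst_port, seg.src_ip, seg.src_port)
        if key not in self.table:
            return "DROP"    # no connection match: spoofed SYN/ACK or external connection attempt
        self._learn_data_connection(seg)
        return "PASS"

    def _learn_data_connection(self, seg: Segment) -> None:
        """Port-switching support: when the external server announces the ports for a
        second (data) connection, add that connection to the table in advance."""
        m = PORT_ANNOUNCEMENT.search(seg.payload)
        if m:
            external_port, internal_port = int(m.group(1)), int(m.group(2))
            self.table[(seg.proto, seg.dst_ip, internal_port, seg.src_ip, external_port)] = "OK"


def run_scenario() -> Dict[str, str]:
    """Replays the two slide scenarios in order; returns each step's decision."""
    fw = StatefulFirewall("60.55.0.0/16")     # assumed: 60.55.x.x is the firm's internal range
    steps = {
        "client SYN to FTP server": Segment("TCP", "60.55.33.12", 62600, "123.80.5.34", 21, syn=True),
        "spoofed SYN/ACK from 10.5.3.4:80": Segment("TCP", "10.5.3.4", 80, "60.55.33.12", 64640, syn=True, ack=True),
        "FTP server SYN/ACK announcing data ports": Segment(
            "TCP", "123.80.5.34", 21, "60.55.33.12", 62600, syn=True, ack=True,
            payload="Use Ports 20 and 55336 for Data Transfers"),
        "server-initiated data SYN 20 -> 55336": Segment("TCP", "123.80.5.34", 20, "60.55.33.12", 55336, syn=True),
        "unrelated external SYN to port 80": Segment("TCP", "222.8.33.4", 40000, "60.55.33.12", 80, syn=True),
    }
    return {name: fw.handle(seg) for name, seg in steps.items()}


if __name__ == "__main__":
    for name, decision in run_scenario().items():
        print(f"{decision:4} {name}")
```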

Port | Primary Protocol* | Application
20 | TCP | FTP Data Traffic
21 | TCP | FTP Supervisory Connection
22 | TCP | Secure Shell (SSH)
23 | TCP | Telnet
25 | TCP | Simple Mail Transfer Protocol (SMTP)
53 | TCP | Domain Name System (DNS)
69 | UDP | Trivial File Transfer Protocol (TFTP)
80 | TCP | Hypertext Transfer Protocol (HTTP)
110 | TCP | Post Office Protocol (POP)
135-139 | TCP | NETBIOS service for peer-to-peer file sharing in older versions of Windows
143 | TCP | Internet Message Access Protocol (IMAP)
161 | UDP | Simple Network Management Protocol (SNMP)
443 | TCP | HTTP over SSL/TLS

*In many cases, both TCP and UDP can be used by an application. In such cases, the same port number is used for both. Typically, however, the use of either TCP or UDP will be predominant.


• Access Control List Operation

◦ An ACL is a series of rules for allowing or disallowing connections

◦ The rules are executed in order, beginning with the first

▪ If a rule DOES NOT apply to the connection-opening attempt, the firewall goes to the next ACL rule

▪ If the rule DOES apply, the firewall follows the rule, and no further rules are executed

◦ If the firewall reaches the last rule in the ACL, it follows that rule


• Ingress ACL’s Purpose

◦ The default behavior is to drop all attempts to open a connection from the outside

◦ All ACL rules except for the last give exceptions to the default behavior under specified circumstances

◦ The last rule applies the default behavior: all connection-opening attempts that are not allowed by earlier rules are handled by this last rule

Access Control List (ACLs)

1. If source IP address = 10.*.*.*, DENY [private IP address range]

2. If source IP address = 172.16.*.* to 172.31.*.*, DENY [private IP address range]

3. If source IP address = 192.168.*.*, DENY [private IP address range]

4. If source IP address = 60.40.*.*, DENY [firm’s internal address range]

5. If source IP address = 1.2.3.4, DENY [black-holed address of attacker]

6. If TCP SYN=1 AND FIN=1, DENY [crafted attack packet]

7. If destination IP address = 60.47.3.9 AND TCP destination port = 80 OR 443, PASS [connection to a public webserver]

8. If TCP SYN=1 AND ACK=0, DENY [attempt to open a connection from the outside]

9. If TCP destination port = 20, DENY [FTP data connection]

10. If TCP destination port = 21, DENY [FTP supervisory control connection]

11. If TCP destination port = 23, DENY [Telnet data connection]

12. If TCP destination port = 135 through 139, DENY [NetBIOS connection for clients]

13. If TCP destination port = 513, DENY [UNIX rlogin without password]

14. If TCP destination port = 514, DENY [UNIX rsh launch shell without login]

15. If TCP destination port = 22, DENY [SSH for secure login, but some versions are insecure]

16. If UDP destination port = 69, DENY [Trivial File Transfer Protocol; no login necessary]

17. If ICMP Type = 0, PASS [allow incoming echo reply messages]

DENY ALL

• DENY ALL

◦ Last rule

◦ Drops any packets not specifically permitted by earlier rules
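A first-match evaluator for the ingress ACL above, written as an added example rather than taken from the slides. Packet fields and sample packets are constructed; rule 2 is expressed as the CIDR block 172.16.0.0/12, which covers exactly 172.16.*.* through 172.31.*.*, and the evaluator returns the number of the rule that decided, so the effect of rule order (rule 7 must sit before rule 8 for the public webserver to be reachable) is visible.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "TCP", "UDP" or "ICMP"
    dport: int = 0        # TCP/UDP destination port
    syn: bool = False     # TCP flag bits
    ack: bool = False
    fin: bool = False
    icmp_type: int = -1   # ICMP Type field (0 = echo reply)


# A rule is (number, description, match predicate, action)
Rule = Tuple[int, str, Callable[[Packet], bool], str]


def src_in(cidr: str) -> Callable[[Packet], bool]:
    net = ipaddress.ip_network(cidr)
    return lambda p: ipaddress.ip_address(p.src) in net


def tcp_dport(low: int, high: Optional[int] = None) -> Callable[[Packet], bool]:
    high = low if high is None else high
    return lambda p: p.proto == "TCP" and low <= p.dport <= high


INGRESS_ACL: List[Rule] = [
    (1, "private 10/8 source", src_in("10.0.0.0/8"), "DENY"),
    (2, "private 172.16/12 source", src_in("172.16.0.0/12"), "DENY"),
    (3, "private 192.168/16 source", src_in("192.168.0.0/16"), "DENY"),
    (4, "firm's own 60.40/16 source", src_in("60.40.0.0/16"), "DENY"),
    (5, "black-holed attacker", src_in("1.2.3.4/32"), "DENY"),
    (6, "SYN and FIN both set", lambda p: p.proto == "TCP" and p.syn and p.fin, "DENY"),
    (7, "public webserver", lambda p: p.dst == "60.47.3.9" and p.proto == "TCP" and p.dport in (80, 443), "PASS"),
    (8, "connection open from outside", lambda p: p.proto == "TCP" and p.syn and not p.ack, "DENY"),
    (9, "FTP data", tcp_dport(20), "DENY"),
    (10, "FTP control", tcp_dport(21), "DENY"),
    (11, "Telnet", tcp_dport(23), "DENY"),
    (12, "NetBIOS", tcp_dport(135, 139), "DENY"),
    (13, "rlogin", tcp_dport(513), "DENY"),
    (14, "rsh", tcp_dport(514), "DENY"),
    (15, "SSH", tcp_dport(22), "DENY"),
    (16, "TFTP", lambda p: p.proto == "UDP" and p.dport == 69, "DENY"),
    (17, "ICMP echo reply", lambda p: p.proto == "ICMP" and p.icmp_type == 0, "PASS"),
]


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """First-match evaluation: the first rule that applies decides and no later rule is
    consulted; if none applies, the implicit last rule DENY ALL (reported as rule 0) does."""
    for number, _desc, matches, action in acl:
        if matches(pkt):
            return action, number
    return "DENY", 0


if __name__ == "__main__":
    # Constructed sample traffic arriving at the border firewall
    samples = [
        Packet("8.8.8.8", "60.47.3.9", "TCP", 80, syn=True),        # open to public webserver
        Packet("8.8.8.8", "60.47.3.10", "TCP", 80, syn=True),       # open to any other host
        Packet("10.1.2.3", "60.47.3.9", "TCP", 80, syn=True),       # private source address
        Packet("8.8.8.8", "60.47.3.9", "TCP", 80, syn=True, fin=True),
        Packet("8.8.8.8", "60.40.1.1", "ICMP", icmp_type=0),        # echo reply
        Packet("8.8.8.8", "60.40.1.1", "ICMP", icmp_type=8),        # echo request
    ]
    for pkt in samples:
        action, rule = evaluate(INGRESS_ACL, pkt)
        print(f"{action:4} by rule {rule:2}  {pkt}")
```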


• Low Cost

◦ Most packets are not part of connection-opening attempts

◦ These can be handled very simply and therefore inexpensively

◦ Connection-opening attempt packets are more expensive to process but are rare


• Safety

◦ Attacks other than application-level attacks usually fail to get through SPI firewalls

◦ In addition, SPI firewalls can use other forms of filtering when needed


• Dominance

◦ The combination of high safety and low cost makes SPI firewalls extremely popular

◦ Nearly all main border firewalls today use stateful packet inspection


• Sniffers on the Internet cannot learn internal IP addresses and port numbers

◦ They only learn the translated address and port number

• By themselves, NAT devices provide a great deal of protection against attacks

◦ External attackers cannot create a connection to internal computers


Topic | Application Proxy Firewalls | Stateful Packet Inspection Firewalls | Remarks
Can examine application layer content | Always | As an Extra Feature |
Capabilities for application layer content filtering | Somewhat More | Somewhat Less |
Uses relay operation with two connections per client/server pair? | Yes | No | Maintaining two connections is highly processing intensive. Cannot support many client/server pairs. Consequently, application proxy firewalls cannot be used as main border firewalls
Speed | Slow | Fast |

Intrusion Detection Systems and Intrusion Prevention Systems


• Perspective

◦ Growing processing power made stateful packet inspection possible

◦ Now, growing processing power is making a new firewall filtering method attractive

◦ Intrusion prevention systems (IPSs)


• Intrusion Detection Systems (IDSs)

◦ Firewalls drop provable attack packets only

◦ Intrusion detection systems (IDSs) look for suspicious traffic

▪ Cannot drop because the packet is merely suspicious

◦ Sends an alarm message if the attack appears to be serious


• Intrusion Detection Systems (IDSs)

◦ Problem: Too many false positives (false alarms)

▪ Alarms are ignored or the system is discontinued

▪ Can reduce false positives by tuning the IDSs

▪ Eliminate inapplicable rules, such as a Unix rule in an all-Windows company

▪ Reduce the number of rules allowed to generate alarms

▪ Most alarms will still be false alarms


• Intrusion Detection Systems (IDSs)

◦ Problem: Heavy processing requirements because of sophisticated filtering

▪ Deep packet inspection

▪ Looks at application content and transport and internet headers

▪ Packet stream analysis

▪ Looks at patterns across a series of packets

▪ Often, patterns cannot be seen unless many packets are examined


• Intrusion Prevention Systems (IPSs)

◦ Use IDS filtering mechanisms

◦ Application-specific integrated circuits (ASICs) provide the needed processing power


• Intrusion Prevention Systems (IPSs)

◦ Attack confidence identification spectrum

▪ Somewhat likely

▪ Very likely

▪ Provable

◦ Firm may allow firewall to stop traffic at the high end of the attack confidence spectrum

◦ Firm decides which attacks to stop

◦ This allows it to manage its risks


• Possible Actions

◦ Drop packets

▪ Risky for suspicious traffic even with high confidence

◦ Bandwidth limitation for certain types of traffic

▪ Limit to a certain percentage of all traffic

▪ Less risky than dropping packets

▪ Useful when confidence is lower


• Traditional Firewalls Do Not Do Antivirus Filtering

• They Pass Files Needing Filtering to an Antivirus Server


• Unified Threat Management (UTM) Firewalls Go Beyond Traditional Firewall Filtering

◦ SPI

◦ Antivirus Filtering

◦ VPNs

◦ DoS Protection

◦ NAT


• Introduction

◦ Attack on availability

◦ Act of vandalism

1. Single-Message DoS Attacks

◦ Crash a host with a single attack packet

◦ Examples: Ping-of-Death, Teardrop, and LAND

◦ Send unusual combination for which developers did not test


2. Flooding Denial-of-Service Attacks

i. SYN flooding

▪ Try to open many connections with SYN segments

▪ Victim must prepare to work with many connections

▪ Victim crashes if it runs out of resources; at the least, it slows down

▪ More expensive for the victim than the attacker

Denial-of-Service (DoS) Attacks

Figure: 2. Flooding Denial-of-Service Attacks, i. SYN flooding. The attacker (1.34.150.37) sends a flood of SYN segments to the victim (60.168.47.47). The victim sets aside resources for each SYN; it crashes or becomes too overloaded to respond to the SYNs from legitimate users.


Figure: 2. Flooding Denial-of-Service Attacks, ii. Smurf flooding. 1. The attacker (1.34.150.37) sends a single ICMP Echo message with Source IP 60.168.47.47 (the victim) and a broadcast Destination IP. 2. A router at an “innocent” firm has broadcasting enabled. 3. It broadcasts the Echo message. 4. The resulting Echo replies go to the victim (60.168.47.47).

Figure: 2. Flooding Denial-of-Service Attacks, ii. Distributed DoS flooding. The attacker (1.34.150.37) sends attack commands to handlers; each handler sends attack commands to zombies; the zombies send attack packets to the victim (60.168.47.47).


• Stopping DoS Attacks

◦ Ingress filtering to stop attack packets

◦ Limited ability of ingress filtering because the link to the ISP might become overloaded

◦ Egress filtering by the attacker’s company or ISP

◦ Requires cooperation from the attacker’s company or ISP

◦ Requires a community response; the victim cannot do it alone


• Perspective

◦ Done by most main border firewalls

◦ DoS attacks are easy to detect but difficult to stop because their traffic looks like legitimate packets


• TCP Half-Opening Attacks

◦ Attacks

▪ Attacker sends a TCP SYN segment to a port

▪ The application program sends back a SYN/ACK segment and sets aside resources

▪ The attacker never sends back an ACK, so the victim keeps the resources reserved

▪ The victim soon runs out of resources and crashes or can no longer serve legitimate traffic

Figure: Half-open connection: SYN, SYN/ACK, no ACK; the next SYN repeats the pattern


• TCP Half-Opening Attacks

◦ Defenses

▪ Firewall intercepts the SYN from an external host

▪ Firewall sends back a SYN/ACK without passing the segment on to the target host

▪ Only if the firewall receives a timely ACK does it send the original SYN to the destination host

Figure: Firewall defense: SYN from the external host, SYN/ACK answered by the firewall, no ACK, so the SYN is never passed to the target host
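The firewall defense just described (intercept the SYN, answer the SYN/ACK itself, forward the original SYN only on a timely ACK) as an added simulation; it is not code from the slides or from any firewall product. Sequence-number splicing, which a real SYN proxy must also do, is left out; the timeout, the host addresses and the traffic mix are constructed, with the victim address 60.168.47.47 and the attacker address 1.34.150.37 taken from the slides.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Tcp:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


Flow = Tuple[str, int, str, int]


class SynProxyFirewall:
    """Completes the three-way handshake on behalf of internal hosts: a host only ever
    sees SYNs whose sender answered the firewall's SYN/ACK within the timeout."""

    def __init__(self, timeout_seconds: float):
        self.timeout = timeout_seconds
        self.pending: Dict[Flow, float] = {}   # half-open handshakes held at the firewall
        self.forwarded: List[Tcp] = []         # SYNs actually delivered to internal hosts
        self.expired = 0                        # handshakes abandoned without an ACK

    def expire(self, now: float) -> int:
        """Discard half-open handshakes older than the timeout; returns how many were dropped."""
        stale = [f for f, t0 in self.pending.items() if now - t0 > self.timeout]
        for f in stale:
            del self.pending[f]
        self.expired += len(stale)
        return len(stale)

    def handle_inbound(self, seg: Tcp, now: float) -> Optional[Tcp]:
        """Process a segment from the Internet; return the reply the firewall itself sends, if any."""
        self.expire(now)
        flow: Flow = (seg.src, seg.sport, seg.dst, seg.dport)
        if seg.syn and not seg.ack:
            # Answer the SYN ourselves; the target host reserves nothing yet
            self.pending[flow] = now
            return Tcp(seg.dst, seg.dport, seg.src, seg.sport, syn=True, ack=True)
        if seg.ack and not seg.syn and flow in self.pending:
            # A timely ACK arrived, so only now does the original SYN go to the destination host
            del self.pending[flow]
            self.forwarded.append(Tcp(seg.src, seg.sport, seg.dst, seg.dport, syn=True))
        return None   # anything else (stray ACKs, ACKs for expired handshakes) is not forwarded


def run_scenario(timeout: float = 5.0) -> Tuple[int, int, int]:
    """Constructed traffic: 200 SYNs that are never ACKed, then one well-behaved client.
    Returns (SYNs forwarded to the server, handshakes expired, handshakes still pending)."""
    fw = SynProxyFirewall(timeout)
    server = "60.168.47.47"          # victim address from the slides
    for i in range(200):             # half-open attempts from 1.34.150.37; no ACK ever comes back
        fw.handle_inbound(Tcp("1.34.150.37", 10000 + i, server, 80, syn=True), now=0.0)
    # Legitimate client: SYN, receives the firewall's SYN/ACK, answers with ACK inside the timeout
    client = Tcp("198.51.100.9", 52000, server, 80, syn=True)
    reply = fw.handle_inbound(client, now=1.0)
    assert reply is not None and reply.syn and reply.ack
    fw.handle_inbound(Tcp(client.src, client.sport, server, 80, ack=True), now=2.0)
    fw.expire(now=10.0)              # timeout passes: abandoned handshakes are discarded
    return len(fw.forwarded), fw.expired, len(fw.pending)


if __name__ == "__main__":
    print("forwarded, expired, pending =", run_scenario())
```

The server behind the firewall receives exactly one SYN, the one whose sender completed the handshake, while the 200 abandoned attempts consume table entries only at the firewall and only until the timeout.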


• Rate Limiting

◦ Set a limit on all traffic to a server—both legitimate and DoS packets

◦ Keeps the entire network from being overloaded

◦ Not perfect—does not protect the target server or allow legitimate traffic


• DoS Protection Is a Community Problem

◦ If an organization’s access line to the Internet becomes overloaded, it cannot solve the problem itself

◦ Its ISP or other upstream agencies must help


A Firm Has Many Firewalls:

◦ Screening border routers

◦ Main border firewalls

◦ Internal firewalls

◦ Host firewalls on clients and servers

The Firewall Architecture Describes how These Firewalls Work Together


• DMZs Use Tri-Homed Main Firewalls

◦ One subnet to the border router

◦ One subnet to the DMZ (accessible to the outside world)

◦ One subnet to the internal network

▪ Access from the internal subnet to the Internet is nonexistent or minimal

▪ Access from the internal subnet to the DMZ is also strongly controlled

Figure: Tri-homed main firewall with one subnet each to the Border Router, the DMZ, and the Internal Network

• Demilitarized Zone (DMZ)

◦ Subnet for servers and application proxy firewalls accessible via the Internet (Figure 6-22)

◦ Hosts in the DMZ must be especially hardened because they will be accessible to attackers on the Internet


• Hosts in the DMZ

◦ Public servers (public webservers, FTP servers, etc.)

◦ Application proxy firewalls to require all Internet traffic to pass through the DMZ

◦ External DNS server that knows only host names in the DMZ


• Firewalls Are Ineffective Without Planning and Ongoing Management

• Defining Firewall Policies

◦ Policies are high-level statements about what to do

◦ E.g., HTTP connections from the Internet may only go to servers in the DMZ


• Defining Firewall Policies

◦ Policies are more comprehensible than actual firewall rules

◦ There may be multiple ways to implement a policy

▪ Defining policies instead of specific rules gives implementers freedom to choose the best way to implement a policy


• Implementation

◦ Firewall hardening

▪ Firewall appliances are hardened at the factory

▪ Vendors sell software plus a server with a pre-hardened operating system

▪ Firewall software on a general-purpose computer requires the most on-site hardening


• Implementation

◦ Central firewall management systems (Figure 6-24)

▪ Creates a policy database

▪ Changes policies into ACL rules

▪ Sends ACL rules out to individual firewalls

Figure 6-24: Central firewall management: the firewall administrator defines policies on a policy server, which sends ACL rules out to the individual firewalls


Policy | Source | Destination | Service | Action | Track | Firewalls
1 | Internal | DNS Servers | UDP dns | Pass | None | All
2 | External | Internal | TCP http | Drop | Log | All
3 | External | DMZ webserver | TCP http | Pass | None | Border
4 | Internal | External | TCP http | Pass | Log | Border
5 | Internal | External | ICMP | Drop | None | Border
6 | Internal | Mail Server | TCP smtp | Authenticate | Log if Fail | Central
7 | Marketing | Plans Server | TCP http | Authenticate | Alert if Fail | Marketing
8 | Any | Plans Server | TCP http | Drop | Log | Marketing
9 | Any | Any | Any | Drop | Log | All


• Implementation

◦ Vulnerability testing after configuration

▪ There will be problems

▪ Tests, like firewall configuration, should be based on policies


• Implementation

◦ Change authorization and management

▪ Limit the number of people who can make change requests

▪ Limit the number of authorizers even more

▪ Require requesters and authorizers to be different people

▪ Implement the rule in the most restrictive way possible

▪ To pass the least number of packets


• Implementation

◦ Change authorization and management

▪ Document all changes carefully

▪ Do vulnerability testing after every change

▪ The change should work

▪ All previous behaviors should still work (regression testing)

▪ Audit changes frequently

▪ Focus especially on asking if each change opens the firewall in the most restrictive way possible


• Implementation

◦ Reading the firewall logs

▪ Should be done daily or more frequently

▪ The most labor-intensive part of firewall management

▪ Strategy is to find unusual traffic patterns

▪ Top ten source IP addresses whose packets were dropped

▪ Number of DNS failures today versus in an average day

▪ Attackers can be black holed (have their packets dropped)
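The two log-review checks named above (top source IP addresses whose packets were dropped, and today's DNS failures against an average day) over a small constructed log; this is an added example, not code or a log format from the slides. The line format, the sample lines and the definition of a "DNS failure" as a dropped packet to port 53 are all assumptions made for the example, and unparseable lines are skipped rather than aborting the review.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple


class Record(NamedTuple):
    day: str
    action: str     # "PASS" or "DROP"
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


# Constructed log format (not a real firewall's):
# "<date> <time> <ACTION> <PROTO> <src>:<sport> -> <dst>:<dport>"
LINE = re.compile(r"(\S+) \S+ (PASS|DROP) (TCP|UDP|ICMP) (\S+):(\d+) -> (\S+):(\d+)")

# Constructed sample log: two quiet days, then a day with a probing source and a DNS spike
SAMPLE_LOG = """\
2010-08-16 10:00:01 DROP UDP 203.0.113.7:53 -> 60.47.3.5:53
2010-08-17 10:00:02 DROP UDP 203.0.113.7:53 -> 60.47.3.5:53
2010-08-18 08:59:59 PASS TCP 198.51.100.4:51000 -> 60.47.3.9:80
2010-08-18 09:00:01 DROP TCP 1.2.3.4:40001 -> 60.47.3.9:23
2010-08-18 09:00:02 DROP TCP 1.2.3.4:40002 -> 60.47.3.9:21
2010-08-18 09:00:03 DROP TCP 1.2.3.4:40003 -> 60.47.3.9:22
2010-08-18 09:00:04 DROP TCP 1.2.3.4:40004 -> 60.47.3.9:135
2010-08-18 09:00:05 DROP TCP 5.6.7.8:40005 -> 60.47.3.9:23
2010-08-18 09:00:06 DROP UDP 5.6.7.8:40006 -> 60.47.3.9:69
2010-08-18 09:00:07 DROP UDP 203.0.113.7:53 -> 60.47.3.5:53
2010-08-18 09:00:08 DROP UDP 203.0.113.8:53 -> 60.47.3.5:53
2010-08-18 09:00:09 DROP UDP 203.0.113.9:53 -> 60.47.3.5:53
2010-08-18 09:00:10 DROP UDP 203.0.113.10:53 -> 60.47.3.5:53
2010-08-18 09:00:11 PASS TCP 198.51.100.4:51001 -> 60.47.3.9:443
this line is deliberately malformed and must be skipped
"""


def parse(text: str) -> List[Record]:
    """Parse log text into records; lines that do not fit the format are skipped."""
    records: List[Record] = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            day, action, proto, src, sport, dst, dport = m.groups()
            records.append(Record(day, action, proto, src, int(sport), dst, int(dport)))
    return records


def top_dropped_sources(records: List[Record], day: str, n: int = 10) -> List[Tuple[str, int]]:
    """Top-n source IP addresses whose packets were dropped on the given day."""
    return Counter(r.src for r in records if r.day == day and r.action == "DROP").most_common(n)


def dns_failures_per_day(records: List[Record]) -> Dict[str, int]:
    """Assumed definition of a DNS failure: a dropped packet destined for port 53."""
    return Counter(r.day for r in records if r.action == "DROP" and r.dport == 53)


def dns_failures_vs_average(records: List[Record], today: str) -> Tuple[int, float]:
    """(today's DNS failures, average DNS failures per day over the other days in the log)."""
    per_day = dns_failures_per_day(records)
    baseline_days = sorted({r.day for r in records} - {today})
    if not baseline_days:
        return per_day.get(today, 0), 0.0
    average = sum(per_day.get(d, 0) for d in baseline_days) / len(baseline_days)
    return per_day.get(today, 0), average


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("top dropped sources on 2010-08-18:", top_dropped_sources(recs, "2010-08-18"))
    print("DNS failures today vs average day:", dns_failures_vs_average(recs, "2010-08-18"))
```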

Death of the Perimeter

The Need for Anomaly Detection


• Protecting the Perimeter Is No Longer Possible

◦ There are too many ways to get through the perimeter

• Avoiding the Border Firewall

◦ Internal attackers are inside the firewall already

◦ Compromised internal hosts are inside the firewall

◦ Wireless LAN drive-by hackers enter through access points that are inside the site

◦ Home notebooks, mobile phones, and media brought into the site

◦ Internal firewalls can address some of these threats


• Extending the Perimeter

◦ Remote employees must be given access

◦ Consultants, outsourcers, customers, suppliers, and other subsidiaries must be given access

◦ Essentially, all of these tend to use VPNs to make external parties “internal” to your site


• Most Filtering Methods Use Attack Signature Detection

◦ Each attack has a signature

◦ This attack signature is discovered

◦ The attack signature is added to the firewall

◦ But zero-day attacks are attacks without warning; they occur before a signature is developed

◦ Signature defense cannot stop zero-day attacks


• Anomaly Detection

◦ Detects an unusual pattern indicating a possible attack

◦ This is difficult, so there are many false positives

◦ Shrinking time needed to define signatures

◦ Anomaly detection is necessary in today’s firewalls
