Means of information flow analysis.

Information flow analysis tools.

The use of data flow inspection methods to protect the information resources of an organization's network allows identifying information impacts at the earliest stages. Since overcoming the vulnerabilities of the basic TCP/IP protocols by making changes to the software implementations of network services is associated with significant difficulties, it seems advisable to protect against attacks «outside» the information system. Firewalls used to separate information flows often themselves become targets of attacks, since they either use a network OS with vulnerabilities at the operating system level as a software basis, or an implementation of the TCP/IP protocol stack with weaknesses inherent in the protocols.

Given the above, there is a natural interest in using inspection methods to detect intruders directly in the communication channels. However, because the required methods are difficult to implement, many studies carried out by well-known research organizations have not gone beyond the project stage [5]. At the same time, commercial implementations of this approach do exist, an example being the RealSecure product from Internet Security Systems Inc.

RealSecure

This section provides a brief description of RealSecure based on the experience of practical use of the commercial version of the product.

RealSecure can operate under AIX 3.2.5, HP-UX 9.0.5 and 10.1, SunOS 4.1.x, Solaris 2.x, Linux 1.2/1.3, and Windows NT 3.51 and 4.0 in two main modes: local (i.e., only on a specific workstation) and distributed. In the distributed mode, the main software modules (agents) run on remote workstations, usually located in different networks or network segments, and the agent management program runs on the central workstation.

The architecture of the RealSecure software can be divided into the following main components:

• the main software module that monitors and controls network events;

• the mechanism for configuring the main module;

• a database of recorded network events;

• a program for managing the specified components, which has a graphical user interface;

• databases of reports on recorded network events in HTML format (these reports are created by the management program based on the network event databases).

The main module is a program that monitors and manages network events according to the established configuration. Below is a list of recognized and controlled network events. The mechanism for configuring the main RealSecure software module is a set of files that describe the user-defined configuration and includes (in the RealSecure implementation for Solaris):

1) filter.cfg file — a filter of monitored network events corresponding to the network and transport layers of the OSI model. This filter is implemented as a set of rules for monitoring events and actions for each event. The following set of actions can be specified:

• do not monitor this event;

• view the session of this event in real time;

• interrupt the execution of this event (possible only when the connection is established via TCP);

• display this event on the control panel;

• record the event to a file with the ability to enter a note about the event in the database, record text information or all data transmitted during the event (the last property can be used to “play” the information exchange corresponding to this event);

• call the specified program when the event is recorded;

• send an email to a specific user when an event is recorded;

• set the importance level of the event, as a result of which each event will be displayed in a specific window and stored for a specified period of time (RealSecure allows you to sort all events by three importance levels).

2) features.cfg file — a set of descriptions of the attacks and network events recognized and monitored by RealSecure, together with a description of the actions performed when an attack or event is recorded (the set of actions is identical to the one described above). In addition, some corrective parameters can be passed to the attack recognition mechanism.

3) general.cfg file — this file defines the time intervals during which events are displayed, specified for each event importance level. It also names the program used to view the RealSecure user manual and the reports on recorded network events (in HTML format), and contains the option to disable conversion of IP addresses to symbolic names (resolving an IP address to a DNS name takes time).

The auxiliary file ethercodes contains a list of correspondences between the link-layer (MAC) addresses of network adapters and the names of the manufacturers of these devices.

The databases of recorded network events are files; what is written to them is determined by the set of actions configured for each recorded network event.

Network attacks and events recognized by RealSecure

RealSecure software allows you to recognize more than one hundred network attacks and events, the full list of which is contained in the documentation. Below is an overview of the most important, in our opinion, typical attacks recognized by RealSecure, as well as other capabilities of this product.

RealSecure allows you to recognize the following attacks:

1) Data fragmentation

When transmitting an IP protocol data packet over a network, it can be divided into several fragments, from which the packet is subsequently restored upon reaching the addressee. An attacker can initiate the sending of a large number of fragments, which leads to an overflow of software buffers on the receiving side and, in some cases, to an abnormal termination of the system.

2) Ping flooding

The attacker sends a long series of echo requests via the ICMP protocol. The attacked system spends its computing resources responding to these requests. Thus, the system performance is significantly reduced and the channel load increases

3) UDPbomb

The transmitted UDP packet contains incorrectly formed service fields. On receiving such a packet, some old versions of network software cause the system to crash.

4) SYN flood

When establishing a connection via TCP, the receiving side, having received a connection request (a packet with the SYN flag), sends a response to the source (a packet with the SYN ACK flags) about its readiness to establish this connection. In this case, the system places a service record about the connection being established in its memory and stores it until the source sends an acknowledgment packet or the waiting time for this packet expires. An attacker sends a large number of connection requests without transmitting acknowledgment packets. As a result, there is a sharp decrease in performance and, under certain circumstances, an abnormal termination of the system.

5) Half scan scanning

The attack consists of covert discovery of channels through which the system can be affected. The attacker sends connection establishment packets and, upon receiving responses from the system, resets the connection (a packet with the RST flag). Standard tools do not record this attempt to establish a connection, while the attacker learns which services are present on particular ports.
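As an added example (not code from the article or from RealSecure), the following Python tracks the handshake states described in items 4 and 5 over constructed TCP segments: a port that accumulates SYNs never completed by the client's final ACK is reported as SYN-flooded, and a client that answers the server's SYN/ACK with RST on many ports is reported as a half-open scanner. The Seg record, the thresholds and the addresses are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Seg:
    """One TCP segment; flags is a string such as "S", "SA", "A" or "R"."""
    src: str
    dst: str
    sport: int
    dport: int
    flags: str


def analyze(segments, flood_threshold=20, scan_threshold=5):
    """Track each handshake and report SYN-flooded ports and half-open scanners.

    half_open counts SYNs per (server, port) not yet completed by the client's
    ACK (the service record the text describes); rst_ports records ports a
    client reset right after the server's SYN/ACK, the half-open scan pattern.
    Thresholds are assumed values.
    """
    pending = {}                          # (client, server, cport, sport) -> state
    half_open = defaultdict(int)          # (server, port) -> outstanding SYNs
    rst_ports = defaultdict(set)          # client -> ports reset after SYN/ACK
    for s in segments:
        if s.flags == "S":                # client opens a connection
            pending[(s.src, s.dst, s.sport, s.dport)] = "syn"
            half_open[(s.dst, s.dport)] += 1
        elif s.flags == "SA":             # server answers; key it from the client's side
            key = (s.dst, s.src, s.dport, s.sport)
            if pending.get(key) == "syn":
                pending[key] = "synack"
        elif s.flags in ("A", "R"):       # client completes or resets the handshake
            key = (s.src, s.dst, s.sport, s.dport)
            if pending.get(key) != "synack":
                continue                  # not a handshake we are tracking
            pending[key] = "established" if s.flags == "A" else "reset"
            half_open[(s.dst, s.dport)] -= 1
            if s.flags == "R":
                rst_ports[s.src].add(s.dport)
    return {
        "syn_flood": {k for k, n in half_open.items() if n >= flood_threshold},
        "half_open_scan": {c for p in [rst_ports] for c, ports in p.items()
                           if len(ports) >= scan_threshold},
    }


def sample_segments():
    """Constructed traffic: one normal telnet session, a SYN flood on port 23
    from 25 spoofed sources, and a half-open scan of six ports."""
    server = "10.0.0.10"
    segs = [Seg("10.0.0.5", server, 40000, 23, "S"),
            Seg(server, "10.0.0.5", 23, 40000, "SA"),
            Seg("10.0.0.5", server, 40000, 23, "A")]
    for i in range(1, 26):                # flood: SYN/ACK is sent, the ACK never arrives
        segs.append(Seg(f"192.0.2.{i}", server, 1024 + i, 23, "S"))
        segs.append(Seg(server, f"192.0.2.{i}", 23, 1024 + i, "SA"))
    for port in (21, 22, 23, 25, 80, 110):  # scan: RST instead of the final ACK
        segs.append(Seg("10.0.0.99", server, 50000, port, "S"))
        segs.append(Seg(server, "10.0.0.99", port, 50000, "SA"))
        segs.append(Seg("10.0.0.99", server, 50000, port, "R"))
    return segs


if __name__ == "__main__":
    print(analyze(sample_segments()))
```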

RealSecure records the following information exchange:

1) Use of the ARP protocol

This type of request can be used by attackers to determine functioning systems in local network segments.

2) Non-standard protocols encapsulated in IP

The IP packet contains a field that defines the protocol of the encapsulated packet (TCP, UDP, ICMP). Attackers can use a non-standard value of this field to transmit data that will not be recorded by standard means of monitoring information flows.

3) Scanning the system with Internet Security Scanner

The fact of scanning the system with the ISS product, commercial or freely distributed version, is recorded.

4) Scanning the system with Satan

A scan of the system by Satan in the «heavy» and «normal» modes is recognized.

5) Using the TFTP protocol

This protocol does not contain authentication mechanisms, which makes it attractive to attackers.

6) Calls to the Rwhod service

This service in some of its versions contains a vulnerability expressed in the possibility of overflow of the software buffer, which can lead to execution of arbitrary code on the remote machine.

7) Sessions on the rlogin protocol

The authentication and identification mechanisms in this protocol are based on trust relationships between remote systems and correspond to the required level of reliability. Use of the -froot option is recorded (on a remote system that implements this option, it allows any user to obtain administrator rights).

In addition, RealSecure allows decoding the following information exchange:

8) FTP sessions

Decoding of user name and password during authentication, session commands, files transferred via GET and PUT commands, etc., as well as execution of commands via FTP protocol using wu-ftpd server.

9) Data transfer via GET command of HTTP protocol.

10) Transfer of POP, IMAP, SMTP e-mail

When decoding, the user name and password, attributes and contents of the letters are highlighted.

11) Transferring information via IRC, NNTP, Talk, Finger protocols.

Real capabilities of RealSecure (assessment of effectiveness by practical implementation of attacks)

RealSecure is a system for monitoring network information flows in real time. The main task performed by this product is the timely detection of attacks. The idea of their detection is simple: any attack corresponds to a certain network traffic, therefore traffic analysis allows you to identify the attack and detect the «traces» of the attacker, that is, to determine the IP addresses from which the information impact was carried out. Thus, attacks are detected by monitoring information flows.

Unlike passive information flow control systems, RealSecure views network traffic and analyzes network activity «on the fly», which minimizes the time the personnel need to respond to an attack or malfunction. In addition, the product has attack protection capabilities.

It is obvious that the effectiveness of RealSecure can be assessed by the completeness, accuracy and reliability of recognizing certain information impacts. The RealSecure testing scheme was as follows: this product was installed on Solaris 2.5 and Windows NT 4.0 workstations. Attacks were carried out on servers and workstations running various operating systems, including workstations on which RealSecure was installed. Below is a report on the tests performed.

1. Network scanning via DNS

It is known that before starting an attack, attackers identify the computers that will be the victims of the attack, as well as the computers that exchange information with the victims. One way to identify targets is to poll the name server and receive all available information about the domain from it. To detect such scanning in a timely manner, it is necessary to analyze DNS requests (address and name), which may come from different DNS servers, but over a certain period of time. In this case, it is necessary to view what information is transmitted in them and track the enumeration of addresses. RealSecure does not recognize this attack and does not have the means to describe information flows in the above manner; the reaction of this software to this attack was to display the DNS traffic from the attacking computer to the name server.
The attack was not detected.

2. Scanning the network using the ping sweep method

Ping sweep, or target detection using the ICMP protocol, is also an effective method. To determine the fact of ping scanning of targets located within the subnet, it is necessary to analyze the source and destination addresses of ICMP packets. RealSecure did not detect this attack: as a reaction to it, ICMP traffic was observed from the attacking computer to the detected machines. Moreover, in the RealSecure database containing attack signatures, this attack is not described and there are no means of describing network activity of this kind. This type of scanning was successfully carried out, and the RealSecure real-time information flow monitoring system showed only ping activity.
The attack was not detected.

3. TCP port scanning

Port scanning is a well-known method of recognizing a computer's configuration and available services. In order to successfully carry out attacks, attackers need to know what services are installed on the victim computer.

There are several TCP scanning methods, some of which are called stealth, since they exploit vulnerabilities in TCP/IP stack implementations in most modern operating systems and are not detected by standard tools. RealSecure successfully detects all of these methods, which is achieved by fully intercepting TCP traffic and analyzing port numbers. Thus, using RealSecure ensures that TCP scanning is detected in real time. This allows you to prepare for possible future attacks, take timely protective measures, notify staff and management, etc.

In addition to detecting the fact of scanning, RealSecure analyzes all TCP connections and can, at the administrator's discretion, inspect them and, if necessary, terminate them. This allows the administrator to read mail transmitted over the network, see the contents of TCP sessions, including user passwords, etc. Studying TCP network traffic with RealSecure allows the administrator to identify users who do not comply with security requirements: they are careless with passwords, use machine resources for other purposes, etc.

It is necessary to emphasize the product's capabilities in counteracting TCP scanning. This counteraction can be carried out, for example, by transmitting TCP packets with the RST flag set on behalf of the scanned computer to the attacker's computer, thus misleading it. However, during testing, a discrepancy with the specifications of this product was discovered: despite the installation of counteraction to scanning in the configuration, no RST packets resetting the connection were detected and the scan was successful.
Attack detected.

4. UDP port scanning

Another type of port scanning is based on the use of the UDP protocol and consists of the following: a UDP packet addressed to a port that is checked for availability is sent to the computer being scanned. If the port is unavailable, then an ICMP message about its unavailability (destination port unreachable) is received in response, otherwise there is no response.

This type of scanning is quite effective: it allows all ports on the victim computer to be scanned in a short time, and it is widely known on the Internet. It was therefore all the more surprising that RealSecure does not recognize this type of scanning, and the product provides no tools for describing it. RealSecure's reaction to UDP scanning is to display UDP activity on the network.

At the same time, it is possible to counteract this type of scanning by sending messages about port unavailability to the attacker's computer.
The attack was not detected.

5. SYN flooding attack

This is a denial-of-service attack: its result is that a service can no longer be provided. The attack is usually aimed at a specific service, such as telnet or ftp, and consists of sending connection establishment packets to the port corresponding to the service being attacked. SYN flooding is characterized by a large number of connection establishment packets to one of the services on one computer. Counteraction to this attack consists of sending connection reset packets to the port concerned.

RealSecure not only successfully detects such an attack, but also counteracts it. It should be noted that RealSecure itself opens two TCP ports (by default 900 and 901), providing attackers with an additional opportunity for attack.
Attack detected.

6. Ping flooding attack

These attacks use the ICMP protocol, which is used on the Internet to determine the reachability of computers and perform other diagnostic and control tasks.

A ping flooding attack involves sending a large number of ICMP requests to the attacked computer. The result of the attack is a decrease in the performance of the attacked computer, as well as a decrease in the bandwidth of the communication channel.

RealSecure successfully detects this attack and records the source addresses of the packets, which allows you to identify the attacker and take the necessary measures against him.
Attack detected.

7. Smurf attack

The smurf attack consists of transmitting broadcast ICMP requests to the network on behalf of the victim computer. As a result, computers that have received such broadcast packets respond to the victim computer, which leads to a significant decrease in the communication channel capacity and, in some cases, to complete isolation of the attacked network.

To detect this attack, it is necessary to analyze the channel load and determine the reasons for the decrease in throughput. Smurf is not detected by RealSecure, which is a significant drawback of this product, since this type of attack is extremely effective and is used quite often.
The attack was not detected.

8. Transmission of fragmented IP packets

The number of implementations of attacks that use the possibility of IP packet fragmentation is quite large. For example, the jolt program transmits several fragmented IP packets to the victim computer, which, when assembled, form one packet larger than 64K (the maximum IP packet size is 64K minus the header length). This attack is effective against computers with Windows NT. Upon receiving such a packet, Windows NT, which does not have a special icmp-fix patch, «hangs» or crashes. Other variants of such attacks use incorrect offsets in IP fragments, which leads to incorrect memory allocation, buffer overflows and, ultimately, to system failures.

To detect fragmentation attacks, it is necessary to implement and analyze the assembly of packets «on the fly», and this significantly increases the requirements for the hardware (processor performance, memory, etc.) of the information flow control tool.

RealSecure did not detect the attacks of this kind that we conducted, although fragmentation attacks are present in the RealSecure attack signature database.
The attack was not detected.

9. Land attack

The Land attack exploits vulnerabilities in TCP/IP stack implementations in some operating systems. It involves sending a TCP packet with the SYN flag set to an open port on the victim's computer, with the source address and port of the packet equal, respectively, to the address and port of the attacked computer. This causes the victim computer to attempt to establish a connection with itself, which greatly increases the processor load and may cause a «freeze» or reboot. This attack is very effective against some Cisco Systems router models, and a successful attack on a router can disable the entire organization's network.

You can protect yourself from this attack, for example, by installing a packet filter between the internal network and the Internet, setting a filtering rule on it that specifies suppressing packets coming from the Internet with the source IP addresses of computers on the internal network.

We conducted a series of Land attacks against individual computers in the testbed, including the computer on which RealSecure was installed. This attack was not detected. In addition, the product under test has no means of describing attacks that forge the source address as an internal network address, as Land does.
The attack was not detected.

10. DNS flooding attack

DNS flooding is an attack on Internet name servers. It involves sending a large number of DNS queries, which results in users being unable to access the name service and, therefore, their work becoming impossible. To detect this attack, it is necessary to analyze the DNS server load and identify the sources of the queries.

RealSecure does not analyze the name server load. To protect DNS servers, queries are checked to detect attacks related to exceeding the length of the domain name, but DNS flooding attacks are not detected.
The attack was not detected.

11. DNS spoofing attack

The result of this attack is the introduction of a forged correspondence between an IP address and a domain name into the DNS server cache. After a successful attack, all users of the DNS server receive incorrect information about domain names and IP addresses. This attack is characterized by a large number of DNS packets with the same domain name, because the attacker has to guess some parameters of the DNS exchange.

To detect it, it is necessary to analyze the contents of DNS traffic. However, the tested product does not have the means to describe the contents of DNS exchange, therefore, attacks of this class are not recognized. During testing, a successful attack was carried out on a working DNS server and on a computer on which RealSecure was installed.
The attack was not detected.

12. IP spoofing attack (syslog)

A large number of attacks on the Internet are associated with the substitution of the original IP address. This includes syslog spoofing, which is the transmission of a message to the victim's computer on behalf of another computer on the internal network. Since the syslog protocol is used to maintain system logs, by transmitting false messages to the victim's computer, information can be imposed or traces of unauthorized access can be covered.

Attacks involving IP address spoofing can be detected by noticing, on one of the interfaces, a packet whose source address is that interface's own address, or by noticing packets with internal-network source addresses arriving on the external interface.

The following experiment was conducted during testing: a syslog message with the source address of the same computer was sent to a computer with RealSecure installed. The reaction was to display a message from the computer with RealSecure to itself in the current activity window, i.e. the attack was not detected.

In addition, the product does not have any means of describing network events that reflect IP address spoofing. Obviously, the developers of RealSecure did not set themselves the goal of counteracting such attacks, leaving the implementation of protection to other means (for example, router-based packet filters).
The attack was not detected.
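The following Python is an added example, not part of the article or of RealSecure: it implements, over constructed packet records, the checks the report above says the product could not describe (the ping sweep of section 2, the UDP scan of section 4, Land and the router filter rule of section 9, DNS spoofing of section 11, and source-address spoofing of section 12). The Pkt record, the interface labels, the internal prefix 10.0.0.0/24 and the thresholds are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Pkt:
    """One packet as a monitor would see it; iface is the interface it arrived on."""
    iface: str          # "ext" (from the Internet) or "int" (from the LAN)
    src: str
    dst: str
    proto: str          # "icmp", "tcp", "udp" or "dns"
    info: str = ""      # ICMP type, TCP flags, or the DNS name queried

INTERNAL = ip_network("10.0.0.0/24")    # assumed address range of the internal network

def ping_sweep(pkts, threshold=8):
    """Section 2: one source sending ICMP echo requests to many destinations."""
    targets = defaultdict(set)
    for p in pkts:
        if p.proto == "icmp" and p.info == "echo-request":
            targets[p.src].add(p.dst)
    return {s for s, d in targets.items() if len(d) >= threshold}

def udp_scan(pkts, threshold=8):
    """Section 4: many 'port unreachable' replies flowing back to one host."""
    replies = defaultdict(int)
    for p in pkts:
        if p.proto == "icmp" and p.info == "port-unreachable":
            replies[p.dst] += 1
    return {h for h, n in replies.items() if n >= threshold}

def land(pkts):
    """Section 9: TCP SYN whose source address equals its destination (ports not modelled)."""
    return {p.dst for p in pkts if p.proto == "tcp" and p.info == "S" and p.src == p.dst}

def spoofed_internal(pkts):
    """Sections 9 and 12: an internal source address arriving on the external
    interface, i.e. the router filter rule from section 9 used as a detector."""
    return {p.src for p in pkts if p.iface == "ext" and ip_address(p.src) in INTERNAL}

def dns_spoof(pkts, threshold=50):
    """Section 11: a burst of DNS packets from one source all carrying the same name."""
    counts = defaultdict(int)
    for p in pkts:
        if p.proto == "dns":
            counts[(p.src, p.info)] += 1
    return {k for k, n in counts.items() if n >= threshold}

def sample_packets():
    """Constructed traffic: one instance of each pattern plus ordinary packets."""
    pk = [Pkt("ext", "198.51.100.7", f"10.0.0.{i}", "icmp", "echo-request") for i in range(1, 11)]
    pk += [Pkt("int", "10.0.0.10", "198.51.100.7", "icmp", "port-unreachable") for _ in range(12)]
    pk += [Pkt("ext", "203.0.113.9", "10.0.0.53", "dns", "example.org") for _ in range(60)]
    pk.append(Pkt("ext", "10.0.0.10", "10.0.0.10", "tcp", "S"))      # Land packet
    pk.append(Pkt("ext", "10.0.0.3", "10.0.0.10", "udp", "syslog"))  # spoofed syslog sender
    pk.append(Pkt("int", "10.0.0.5", "10.0.0.10", "tcp", "S"))       # ordinary connection
    pk.append(Pkt("int", "10.0.0.5", "10.0.0.53", "dns", "example.org"))
    return pk

if __name__ == "__main__":
    pk = sample_packets()
    for check in (ping_sweep, udp_scan, land, spoofed_internal, dns_spoof):
        print(check.__name__, check(pk))
```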

13. Using automated tools

An important feature of RealSecure is its reliable detection of the use of automated security assessment tools. During testing, scans with the Satan and ISS programs were run, and RealSecure successfully detected and recorded both.
Attack detected.

Conclusions

As a result of evaluating the capabilities of the RealSecure product using the method of practical implementation of attacks, the advantages of this product were identified, allowing us to conclude that it is advisable to use it to protect sections of the Internet. At the same time, RealSecure does not contain any means of identifying and countering attacks that have become widespread recently. Apparently, this feature of the product is due, on the one hand, to the lack of a mechanism for adding signatures of new attacks and, on the other hand, to the relatively recent dissemination of information about new attacks and identified vulnerabilities.

According to information from ISS, in subsequent versions of the RealSecure product it is planned to include a mechanism for updating the database of attack signatures and software vulnerabilities.

Acknowledgments

Test keys for studying full-featured commercial versions of SAFEsuite family products were kindly provided by the official representative of ISS in Russia and the CIS — JSC NIP Informzashita.

Literature

1. John D. Howard. Analysis of Security Incidents on the Internet 1989-1995. Carnegie Institute of Technology. Carnegie Mellon University. 1997.

2. I. Trifalenkov. Instrumental Means of Studying the Security of Information Systems. Proceedings of the Conference «Internet-Russia — 97».

3. A. Azarkin, G. Fomenkov. Protection of Internet Information Resources by Inspecting Data Streams. Information Protection. Confidential. No. 5.1997.

4. Christina B. Sullivan. Finding Cracks in the Network Security Fortress. PC Week/RE. No. 46. 1997.

5. Michael Sobirey. Intrusion Detection Systems page. www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html, 1997.
