Signature-based detection really is more along the lines of intrusion detection than firewalls. However, many personal firewalls and some corporate firewalls contain this functionality. Essentially, the system can be configured to look for specific patterns, known to be malicious, and block the traffic. This would help with something like the Code Red worm, for example. If packets destined for your Web server (on port 80) are found to be Code Red packets, they could be dropped while allowing normal Web requests to continue through to the server (Figure 313).
FIGURE 313 Attack detection. Client A is sending normal Web requests to the server protected by a signature-based firewall. The traffic is allowed to the Web server. Client B sends Code Red packets to the Web server and is stopped by the firewall.
In order for this method to be effective, the signatures must be updated regularly. Just as new virus threats are released regularly, creating the need for signature updates, new threats against your hosts are discovered regularly.
BlackICE shows the type of attack in its logs. Even if you block all incoming traffic, it can still identify the pattern that this traffic matches. This can help you adjust your firewall rules if necessary. Figure 314 shows some examples of the types of traffic that match the intrusion signatures. RealSecure® Desktop Protector, shown in Figure 314, is the version of the BlackICE product that works with ICEcap®, a product designed for the centralized management demanded in a corporate environment. We discuss ICEcap further in Chapter 5. BlackICE PC Protection, the consumer version of the product, is nearly identical, lacking only the support for centralized management.
FIGURE 314 Alert logs. Log entries in RealSecure showing attack pattern matches. Copyright © 2002, Internet Security Systems, Inc. All rights reserved worldwide.
The contents of each packet must be examined and compared against the signature file. We cannot look solely at the source and destination ports to establish a match; it is the payload of the packet that contains the interesting information in most cases. As shown in Figure 313, the data in a Code Red packet is very different from the data normally expected when Web pages are requested.
Updating signatures requires a delivery mechanism, just as signature updates for antivirus software do. Unless you are lucky enough to find a product that allows you to edit signatures yourself, you will be relying on a vendor to provide the signatures and can expect to pay for them. Normally you would pay a yearly subscription fee to retain access to the vendor's signature updates.
How Signature-Based Detection Is Implemented in Personal Firewalls
BlackICE is probably the first, and certainly the most well known, personal firewall product to use this method. In fact, Internet Security Systems, the makers of BlackICE, consider their product to be an intrusion detection system, not a firewall. I found this quote in response to a user question on their Web site:
Our product is not a "personal firewall" in the classic sense, though it does have some personal firewall functionality. The product was designed to do dynamic intrusion detection, intruder identification, and intruder blocking. As normally defined, firewalls do not "detect" intrusions, though they do indicate when traffic has been sent at a machine that is blocked by the firewall (which is one symptom of an intrusion).4
An option for Linux users is to tie the snort intrusion detection system in with the iptables firewall. snort does not modify the behavior of iptables, but it can alert you to emerging trends, allowing you to modify your firewall rules accordingly. For larger organizations, this is generally the preferred method; it avoids the possibility of altering firewall rules based on a false attack detection.
snort: A Lightweight Intrusion Detection System
snort is a network intrusion detection system that is fully functional yet is both easy to use and light on computer resources. Originally available for Unix systems only, it has now been ported to Windows. snort uses patterns to look for many common attacks and probes such as buffer overflows, stealth scans, common backdoor programs, and OS fingerprinting attempts. It can then issue real-time alerts to the Unix syslog, to pop-up dialogs on a computer, or to a user-defined file.
Visit http://www.snort.org to obtain the product and instructions on using it in different environments.
Products That Use This Method
Any product that can recognize abnormal traffic sent to normal ports and adjust the firewall reaction accordingly could be said to use this method. Internet Security Systems has designed BlackICE to stop attacks matching known signatures, even if the firewall settings would normally allow the traffic. Other software vendors are packaging their personal firewall products in suites that include intrusion detection, but few are using known attack signatures to modify the behavior of the firewall.
Some hardware appliances are integrating this capability, but not the ones aimed at the home market. You're really looking at products for the corporate office environment, combining an antivirus gateway, firewall, and intrusion detection system in one. They tend to be expensive, and require greater specialized IT skills than the average home user possesses.
The major advantage of this method lies in the fact that you can block attacks even when your rule set would allow the traffic. If you are providing services, such as a Web site, then you must allow traffic for that service into your computer. Rather than being at the mercy of every packet destined for port 80, with a product that can detect specific attacks you know that you are protected from known malicious actions. You can expect that while port 80 is allowed, Nimda traffic will not make it to your server.
Like antivirus software, detecting new attacks requires that you update the signature files regularly. If this can be automated, then it is likely to happen, at least for as long as your subscription to the service lasts. But if you have to remember to go out and pick up the signatures, how often will you remember?
Not only do you need a way to update the signatures, you need to know that signatures are being created quickly enough. There will always be a gap between the time that a new attack is developed and launched and the time that a vendor has a new signature available for download. During this time period, you may be vulnerable to the attack. For this reason, it is not enough to rely on a signature-matching firewall to protect you; you must also remain current on operating system and application patches.
One big concern with intrusion detection systems is the possibility of a false positive. A "false positive" refers to the case where your intrusion detection system mistakenly identifies a traffic pattern as malicious. If your firewall rules are automatically changed based on a false detect, you could be denying access to legitimate traffic.
Knowing that you use a signature-based detection method on your personal firewall, I could set up a situation to cause a denial of service to you or your clients.
Let's say I send Nimda packets, but I spoof my IP address to be that of your largest customer. Your firewall rules change to block all traffic from your customer, ignoring your normal settings.
FIGURE 315 DoS attack. Attacker sends Nimda traffic to the Web server at http://www.example.com, spoofing the source IP address to be that of Customer. The firewall rules on the Web server are altered. Customer tries to access the Web server and is denied.
As we can see, your firewall rules now deny access from your customer. This is a concern when you allow automatic adjustment of your rule sets. Regular review of the rule sets may help uncover such issues.
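The two points above (that a match must be made on the payload rather than on the port, and that automatically blocking the source of a match lets a spoofed packet lock out a legitimate customer) can be demonstrated in a small simulation. This is an added example, not code from the book or from any firewall vendor; the signature, the packets and the customer address are all constructed for illustration.

```python
import re
from collections import namedtuple

# A packet reduced to the fields the firewall looks at.
Packet = namedtuple("Packet", "src dst_port payload")

# Constructed example signature (not a real vendor signature):
# a GET for an .ida resource followed by an abnormally long run of X's.
SIGNATURES = {
    "example-long-ida-query": re.compile(rb"^GET /[^ ]*\.ida\?X{64,}"),
}

def match_signature(payload):
    """Return the name of the first signature matching the payload, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(payload):
            return name
    return None

class SignatureFirewall:
    """Port filter plus payload signature check, with optional auto-blocking."""

    def __init__(self, allowed_ports=(80,), auto_block=False):
        self.allowed_ports = set(allowed_ports)
        self.auto_block = auto_block      # change rules on a signature hit?
        self.blocked_sources = set()      # sources added by auto-blocking
        self.alerts = []                  # (source, signature) log entries

    def filter(self, pkt):
        if pkt.src in self.blocked_sources:
            return "drop"                 # rule added earlier by a signature hit
        if pkt.dst_port not in self.allowed_ports:
            return "drop"                 # ordinary port-based rule
        hit = match_signature(pkt.payload)
        if hit is None:
            return "allow"                # port allowed and payload looks normal
        self.alerts.append((pkt.src, hit))
        if self.auto_block:
            self.blocked_sources.add(pkt.src)   # this is the risky step
        return "drop"

def spoofing_scenario(auto_block):
    """Replay Figure 315: normal request, spoofed attack, normal request again."""
    fw = SignatureFirewall(auto_block=auto_block)
    customer = "192.0.2.10"   # constructed address standing in for Customer
    normal = Packet(customer, 80, b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n")
    spoofed = Packet(customer, 80, b"GET /example.ida?" + b"X" * 200 + b" HTTP/1.0\r\n\r\n")
    return fw.filter(normal), fw.filter(spoofed), fw.filter(normal)
```

With `auto_block=True` the third result is "drop": the customer is locked out by a rule the spoofed packet created. With `auto_block=False` the attack packet is still dropped but the customer's next request is allowed, which is the alert-only behaviour the snort-plus-iptables arrangement gives you.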
Where Signature-Based Detection Fits in the Design of a Secure Environment
In combination with other methods, as a "free" add-on to your personal firewall, this is a good layer. Alone, it's risky. At least with viruses, you often have to do something before you become infected. When someone is hacking at your computer, you will have no idea until it's too late. So, out-of-date signatures are a higher risk with firewalls.
Relying solely on this method to protect your systems would be a little like relying on a burglar alarm system that is only activated for certain activities. You leave your doors open, and if someone comes in and watches your television, that's okay. However, if they try to leave with your television, the alarm system activates. Now, what if they decide to smash your TV instead? Does the alarm already recognize this as bad? A wise person would have locked their doors as well as set the fancy signature-based alarm system. Using a firewall is like locking your door.