1 examples for break-in attempts – Lancom Systems LCOS 3.50 User Manual

LANCOM Reference Manual LCOS 3.50

̈

Chapter 8: Firewall

160

Fi

rew

a

ll

8.4

Protection against break- in attempts: Intrusion
Detection

A Firewall has the task to examine data traffic across borders between net-
works, and to reject those packets, which do not have a permission for trans-
mission. Beside attempts to access directly a computer in the protected
network, there are also attacks against the Firewall itself, or attempts to out-
wit a Firewall with falsified data packets.

Such break-in attempts are recognized, repelled and logged by the Intrusion
Detection system (IDS). Thereby it can be selected between logging within the
device, email notification, SNMP traps or SYSLOG alarms. IDS checks the data
traffic for certain properties and detects in this way also new attacks proceed-
ing with conspicuous patterns.

8.4.1

Examples for break- in attempts

Typical break-in attempts are falsified sender addresses ("IP Spoofing") and
port scans, as well as the abuse of special protocols such as e.g. FTP in order
to open a port on the attacked computer and the Firewall in front of it.

IP Spoofing

With IP Spoofing the sender of a packet poses itself as another computer. This
happens either in order to trick the Firewall, which trusts packets from the
own network more than packets from untrusted networks, or in order to hide
the author of an attack (e.g. Smurf).

The LANCOM Firewall protects itself against spoofing by route examination,
i.e. it examines, whether a packet was allowed to be received over a certain
interface at all, from which it was received.

Portscan Detection

The Intrusion Detection system tries to recognize Portscans, to report and to
react suitably on the attack. This happens similarly to the recognition of a ’SYN
Flooding’ attack (see ’SYN Flooding’

→

page 162): The "half-open" connec-

tions are counted also here, whereby a TCP RESET, which is sent by the
scanned computer, leaves a "half-open" connection open again.

If a certain number of half-open connections between the scanned and the
scanning computer exist, then this is reported as a port scan.

Likewise, the receipt of empty UDP packets is interpreted as an attempted port
scan.