Intrusion Detection and
Intrusion Prevention
Ed Sale, VP of Security
Pivot Group, LLC
Presentation Goals
• Describe IDS and IPS
• Why They Are Important
• Deployment and Use
• Major Players
Intrusion Detection: The IT Security Camera
– Two types: Network (NIDS) and Host (HIDS)
– Looks at network traffic and host logs for signs of intrusion
– Alerts bring potential intrusions to the attention of administrators
– Data is useful in forensic investigations
– Issues include false positives and negatives, large amounts of data, requires full-time monitoring, signature updates, encrypted traffic
IDS Deployment
Passive Monitoring – Not Inline
[Diagram: network taps on the WAN router link, in the DMZ (proxy server, server) and on the intranet feed an Outside IDS Sensor, a DMZ IDS Sensor and an Inside IDS Sensor; all sensors report to an IDS Console.]
Types of Detection
Rule-Based Detection
– Signatures produced for known attacks
– Traffic scanned for matches to signatures
Anomaly Detection
– Baseline of “normal” traffic produced
– Deviations from baseline flagged as intrusions
HIDS Detection Types
– Executable file checksums
– System call monitoring
– Log file monitoring
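The three detection styles on this slide, shown as a worked example that is added here and is not code from the slides or from Pivot Group: a rule-based matcher that scans packet payloads for signature patterns, an anomaly detector that builds a per-host baseline of bytes sent and flags deviations, and an HIDS-style executable checksum comparison. All packets, traffic counts, file contents and signature patterns are constructed for the example; the signature names are placeholders, not real rules.

```python
"""Added example (not from the slides): rule-based detection, anomaly
detection and HIDS executable checksums over constructed sample data."""
import hashlib
import re
import statistics

# --- Rule-based detection -------------------------------------------------
# Each signature is a name plus a regex over the raw payload. Real rule
# languages (e.g. Snort rules) add protocol, port and direction constraints.
SIGNATURES = {
    "example-path-traversal": re.compile(rb"\.\./\.\./"),
    "example-shell-marker": re.compile(rb"/bin/sh\x00"),
}

def match_signatures(payload: bytes) -> list[str]:
    """Return the names of every signature whose pattern occurs in payload."""
    return [name for name, pat in SIGNATURES.items() if pat.search(payload)]

# --- Anomaly detection ----------------------------------------------------
def build_baseline(samples: list[int]) -> tuple[float, float]:
    """Mean and standard deviation of bytes per interval from a 'normal' period."""
    return statistics.mean(samples), statistics.pstdev(samples)

def is_anomalous(value: int, baseline: tuple[float, float], k: float = 3.0) -> bool:
    """Flag a value more than k standard deviations above the baseline mean.
    Only the upward direction is checked: unusually low traffic is not
    treated as an intrusion indicator in this example."""
    mean, stdev = baseline
    return value > mean + k * stdev

# --- HIDS: executable checksums ------------------------------------------
def checksum(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()

def build_checksum_baseline(files: dict[str, bytes]) -> dict[str, str]:
    """Record a trusted hash for each executable (path -> sha256)."""
    return {path: checksum(data) for path, data in files.items()}

def changed_files(baseline: dict[str, str], current: dict[str, bytes]) -> list[str]:
    """Paths whose current hash differs from the baseline, plus files that vanished."""
    changed = [p for p, data in current.items()
               if p in baseline and checksum(data) != baseline[p]]
    missing = [p for p in baseline if p not in current]
    return sorted(changed + missing)

# --- Constructed sample data ---------------------------------------------
PACKETS = [
    b"GET /index.html HTTP/1.0\r\n",
    b"GET /../../etc/passwd HTTP/1.0\r\n",       # constructed: hits the traversal signature
    b"POST /upload HTTP/1.0\r\n\r\nhello",
]
# bytes sent per 5-minute interval by one host during a quiet week (constructed)
NORMAL_BYTES = [1200, 1350, 1100, 1275, 1300, 1250, 1225, 1180, 1320, 1290]
TODAY_BYTES = 9800  # constructed spike

# in-memory stand-ins for executable contents (constructed, not real binaries)
TRUSTED_FILES = {"/usr/bin/login": b"ELF...login-v1", "/usr/bin/ssh": b"ELF...ssh-v1"}
CURRENT_FILES = {"/usr/bin/login": b"ELF...login-v1-modified", "/usr/bin/ssh": b"ELF...ssh-v1"}

def run_all() -> dict:
    """Run all three detectors over the constructed data and return findings."""
    sig_hits = {i: match_signatures(p) for i, p in enumerate(PACKETS) if match_signatures(p)}
    base = build_baseline(NORMAL_BYTES)
    return {
        "signature_hits": sig_hits,
        "anomaly": is_anomalous(TODAY_BYTES, base),
        "changed_files": changed_files(build_checksum_baseline(TRUSTED_FILES), CURRENT_FILES),
    }

if __name__ == "__main__":
    print(run_all())
```

The anomaly threshold `k` is the tuning knob the "Tuning Required" slides refer to: a low value produces more false positives, a high value more false negatives. The checksum baseline must itself be stored somewhere the monitored host cannot rewrite, or an intruder who modifies the binary can also modify the baseline.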
Types of Detection (cont’d)
Target-based Alerting (new)
– Combines knowledge of system vulnerabilities with type of incoming attack to reduce the number of alerts
– Only alerts when the attack has a chance of success
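Target-based alerting as a worked example, added here and not taken from the slides or any product: a raw signature hit is promoted to an alert only when the asset inventory says the destination runs an affected platform and service and has not already applied the relevant fix. The inventory, the signature metadata and the fix identifiers are all constructed placeholders; hits against hosts missing from the inventory still alert, since silently dropping them would turn an inventory gap into a false negative.

```python
"""Added example (not from the slides): target-based alert suppression using
a constructed asset inventory and constructed signature metadata."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    ip: str
    os: str
    services: frozenset   # (port, software) pairs
    patched: frozenset    # identifiers of fixes already applied (placeholders)

# Which platform/service each signature's attack applies to, and which fix
# closes the hole. Identifiers are placeholders, not real advisories.
SIGNATURE_TARGETS = {
    "example-iis-overflow": {"os": "windows", "service": "iis", "port": 80, "fix": "FIX-PLACEHOLDER-1"},
    "example-sendmail-bug": {"os": "linux", "service": "sendmail", "port": 25, "fix": "FIX-PLACEHOLDER-2"},
}

INVENTORY = {
    "10.0.0.5": Asset("10.0.0.5", "linux", frozenset({(80, "apache"), (25, "sendmail")}), frozenset()),
    "10.0.0.6": Asset("10.0.0.6", "windows", frozenset({(80, "iis")}), frozenset({"FIX-PLACEHOLDER-1"})),
}

def classify(sig: str, dst_ip: str, dst_port: int) -> str:
    """Return 'alert', 'alert:unknown-target' or 'suppressed:<reason>'."""
    meta = SIGNATURE_TARGETS[sig]
    asset = INVENTORY.get(dst_ip)
    if asset is None:
        return "alert:unknown-target"        # unmapped host: do not assume safety
    if asset.os != meta["os"]:
        return "suppressed:os-mismatch"
    if (dst_port, meta["service"]) not in asset.services:
        return "suppressed:service-not-present"
    if meta["fix"] in asset.patched:
        return "suppressed:already-patched"
    return "alert"

# Constructed sensor hits: (signature, destination ip, destination port)
HITS = [
    ("example-iis-overflow", "10.0.0.5", 80),   # IIS attack aimed at an Apache/Linux box
    ("example-iis-overflow", "10.0.0.6", 80),   # right platform, but the fix is applied
    ("example-sendmail-bug", "10.0.0.5", 25),   # vulnerable service present
    ("example-sendmail-bug", "10.0.0.9", 25),   # host not in inventory
]

def triage(hits=HITS) -> list[tuple]:
    """Classify every hit; returns (signature, destination, decision) rows."""
    return [(sig, ip, classify(sig, ip, port)) for sig, ip, port in hits]

if __name__ == "__main__":
    for row in triage():
        print(row)
```

Four signature hits become one actionable alert plus one "unknown target" alert. The suppressed hits are still worth keeping in the data store (the "Large Data Store Backups" item on the next slide): they show who is probing the network even when the probes cannot succeed, and the inventory that drives the suppression must be kept current or the suppressions become wrong.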
IDS Management
Reactive Response to Attack
Centralized Monitoring and Management
– Critical for multi-sensor environments
Tuning Required
Constant Monitoring
Large Data Store Backups
Frequent Signature Updates (if rule-based)
Software Upgrades
Intrusion Prevention: The IT Security Guard
– Two types: Network (NIPS) and Host (HIPS)
– Looks at network traffic and host logs for signs of intrusion
– Automatically takes action to protect networks and systems from attack
– Helps reduce patch update urgency
– Issues include false positives and negatives, inline operation can create bottlenecks or a single point of failure, signature updates, encrypted traffic
IPS Deployment
Inline Network Device(s)
[Diagram: an Outside IPS sits inline between the WAN router and the DMZ, a DMZ IPS in front of the proxy server and server, and an Inside IPS in front of the intranet; all report to an IPS Console.]
IPS Management
Proactive Response to Attack
Centralized Monitoring and Management
– Critical for multi-sensor environments
Tuning Required
Redundancy / Fail-open Required
Constant Monitoring not Necessary
Frequent Signature Updates (if rule-based)
Software Upgrades
Common NIDS Pitfalls
• Deployed where it does not have access to all network traffic
• Output and/or alerts are ignored
• Inadequate incident response planning
• Administrators become overwhelmed by an un-tuned system
• Limitations of IDS/IPS are not well understood (updates, zero-day attacks, IDS blinding and evasion techniques)
Types of Protection
Network Resets
– Passive monitors may not get connections reset before damage is done
– Not all attacks are connection based
IP Address Blocking
– Passive monitors may not get address blocked before damage is done
– Address spoofing may cause DoS of legitimate user
Packet Drop
– Decision has to be made real-time (0.5 usec for 1 GB link)
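The spoofing caveat under "IP Address Blocking" as a worked example, added here and not code from the slides or from any product: an automatic blocker that refuses to act on alerts whose source address cannot be trusted. The guards are assumptions of this example rather than a stated policy from the slides: block only when the sensor saw a completed TCP handshake (a forged source address cannot complete one), never block allowlisted internal ranges, and give every block an expiry so a mistaken block does not become a permanent outage. The alerts and addresses are constructed.

```python
"""Added example (not from the slides): a guarded auto-blocker that avoids
turning address spoofing into a denial of service on legitimate users."""
from dataclasses import dataclass
import ipaddress

@dataclass
class Alert:
    src_ip: str
    proto: str          # "tcp" or "udp"
    established: bool   # True if the sensor observed a completed TCP handshake
    ts: float           # alert time in seconds (constructed epoch-style values)

class Blocker:
    def __init__(self, allowlist, block_seconds=600):
        self.allow = [ipaddress.ip_network(n) for n in allowlist]
        self.block_seconds = block_seconds
        self.blocked = {}   # ip -> expiry timestamp

    def _allowlisted(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.allow)

    def consider(self, a: Alert) -> str:
        """Decide what to do with one alert; returns the decision for logging."""
        if self._allowlisted(a.src_ip):
            return "skip:allowlisted"
        if a.proto != "tcp" or not a.established:
            # The source of a lone SYN or a UDP datagram is trivially forgeable,
            # so blocking on it lets a third party get a victim's address blocked.
            return "skip:spoofable-source"
        self.blocked[a.src_ip] = a.ts + self.block_seconds
        return "blocked"

    def is_blocked(self, ip: str, now: float) -> bool:
        """Check a block and drop it once it has expired."""
        expiry = self.blocked.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blocked[ip]
            return False
        return True

# Constructed alerts (documentation address ranges, not real hosts)
ALERTS = [
    Alert("203.0.113.7", "tcp", True, 1000.0),    # established session: block
    Alert("198.51.100.9", "udp", False, 1001.0),  # UDP: source unverifiable
    Alert("203.0.113.8", "tcp", False, 1002.0),   # bare SYN: source unverifiable
    Alert("10.0.0.1", "tcp", True, 1003.0),       # internal gateway, allowlisted
]

def run(alerts=ALERTS):
    """Feed the constructed alerts through a blocker; return it and its decisions."""
    b = Blocker(allowlist=["10.0.0.0/8"])
    decisions = [b.consider(a) for a in alerts]
    return b, decisions

if __name__ == "__main__":
    b, d = run()
    print(d, b.is_blocked("203.0.113.7", 1100.0), b.is_blocked("203.0.113.7", 2000.0))
```

The handshake requirement is what makes the difference between the passive and inline cases on this slide: a passive sensor can only verify the handshake after the fact, while an inline IPS can drop the packet during it. Either way, the skipped alerts should still be logged and reported, since "skip" means the response was withheld, not that the event was benign.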
Product Selection
What types of protection do I need?
– Zero-day attacks
– Network Segments to Monitor
– Bandwidth
– Tuning Flexibility
How do I want to manage it?
– Few False Positives and False Negatives
– Constant Monitoring
– Reporting Capabilities
Pivot Group Recommends Evaluation
IDS/IPS Solutions
Host IDS/IPS: Cisco (Okena), Sana Security, Network Associates (Enterasys)
Network IDS: Snort, Cisco, ISS, SecureWorks, Symantec, Lancope, Tenable, NetScreen, Computer Associates, NFR Security, McAfee, Sourcefire, Lucid Technologies
Network IPS: Tipping Point, Captus, TopLayer, DeepNines, EcoNet.com, Lucid, StillSecure, Vsecure Technologies
Final Words
• IDS is evolving, not dead
• IDS/IPS required in some industries
• Network IDS data has forensic and other uses
• Correlation, Analysis, Alerting, Reporting
• IDS and IPS add to defense in depth
More Information
For additional references on IDS/IPS, see:
http://www.pivotgroup.net/
http://www.sans.org/rr/papers/30/1028.pdf
http://www.infosecwriters.com/texts.php?op=display&id=117
http://www.nss.co.uk/