IDS and IPS - KTH

Post on 24-Mar-2022


1

IDS and IPS

Pehr Söderman, CSC

Pehrs@kth.se

2

Fundamental issue

How many here think they can keep all attackers out of their network?

3

Proposed solution

Let's at least detect the attackers...

It's easy, right?

4

The behaviour of an intruder
● Assume I am attacking your home network
● What unusual behaviour would you expect?

5

Type I and II errors
● Let's take an example from the judicial system
● We have a man charged with murder. There are 4 possible outcomes:
– The man is guilty and he hangs
– The man is guilty and he goes free
– The man is innocent and he hangs
– The man is innocent and he goes free

6

Type I and II errors

                Hangs                             Free
Guilty          True positive                     Type II error (False Negative)
Innocent        Type I error (False Positive)     True negative

7

We need to minimize both errors
● A false positive might prevent us from using the system
– Or, even worse, can mask a real attack
● Typical example: Burglars
● A false negative means we missed an attack...
● What is a 0.0001% false positive rate on a gigabit line? (assuming 500-byte packets)
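To make the four outcomes and the slide's closing question concrete, here is an added Python example (mine, not from the slides) that sorts IDS verdicts into the four confusion-matrix cells and works out how many false alarms a per-packet false-positive rate produces on a link. The verdict list is constructed; the link speed (1 Gbit/s) and packet size (500 bytes) are the slide's assumptions.

```python
# Added example (not part of the lecture slides): the four confusion-matrix
# cells from slide 6 applied to IDS verdicts, plus the false-alarm volume
# that a per-packet false-positive rate produces on a fast link.
from collections import Counter


def classify(alerted: bool, hostile: bool) -> str:
    """Map one (IDS raised an alert?, traffic was really hostile?) pair to a cell."""
    if alerted and hostile:
        return "TP"          # guilty and hangs
    if alerted and not hostile:
        return "FP"          # Type I error: innocent and hangs
    if not alerted and hostile:
        return "FN"          # Type II error: guilty and goes free
    return "TN"              # innocent and goes free


def confusion_matrix(results) -> Counter:
    """results: iterable of (alerted, hostile) pairs -> Counter of cell names."""
    return Counter(classify(a, h) for a, h in results)


def false_positive_rate(cm: Counter) -> float:
    """Share of benign events that raised an alert (Type I rate)."""
    benign = cm["FP"] + cm["TN"]
    return cm["FP"] / benign if benign else 0.0


def false_negative_rate(cm: Counter) -> float:
    """Share of hostile events that slipped through (Type II rate)."""
    hostile = cm["TP"] + cm["FN"]
    return cm["FN"] / hostile if hostile else 0.0


def false_alarms_per_day(link_bps: float, packet_bytes: int, fp_rate: float) -> float:
    """Alerts per day from benign traffic alone, assuming every packet on the
    link is benign and each is flagged independently with probability fp_rate.
    link_bps is the link speed in bits per second."""
    packets_per_second = link_bps / (packet_bytes * 8)
    return packets_per_second * fp_rate * 24 * 60 * 60


# Constructed sample: eight IDS verdicts next to what the traffic really was.
SAMPLE_VERDICTS = [
    (True, True), (True, False), (False, True), (False, False),
    (True, True), (False, False), (False, False), (True, False),
]

if __name__ == "__main__":
    cm = confusion_matrix(SAMPLE_VERDICTS)
    print(dict(cm))                                   # {'TP': 2, 'FP': 2, 'FN': 1, 'TN': 3}
    print(f"FP rate {false_positive_rate(cm):.2f}, FN rate {false_negative_rate(cm):.2f}")
    # The slide's question: 0.0001 % = 1e-6 per packet, 1 Gbit/s, 500-byte packets
    print(f"{false_alarms_per_day(1e9, 500, 1e-6):.0f} false alarms per day")
```

The last line is the point of the slide: a rate that sounds negligible still produces tens of thousands of alerts a day at 250,000 packets per second, which is why an IDS is judged on alert volume rather than on the rate alone.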

8

IDS or IPS
● An IDS only detects attacks
– It is up to the administrator to act when he gets the report
● An IPS detects and blocks attacks
– It's a complete solution for preventing attacks
– Firewalls and AV can be described as IPS
● IPS typically assumes IDS

9

Host based IDS
● We can do Anomaly detection
– Logs
– Counters
– Apply statistical methods and compare to old data
– Can detect unknown threats
● We can do Signature detection
– Compare actions to signatures
– If we match a rule we have a positive
– Typically much better performance against known threats

10

Log parsers
● You cannot hope to spot important data in raw logs
● There are plenty of packages doing log parsing and creating reports
● Examples:
– Sawmill
– Logparser
– Hatchet
● A log parser can often visualize the log
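The two detection styles on slide 9 and the log parsing on slide 10 fit in one small program. The following is an added Python example (mine, not code from the slides or from any of the listed tools) that parses constructed sshd-style log lines, runs fixed signature rules over them, and flags sources whose failed-login count is far above a constructed baseline of earlier windows. The host names, addresses and baseline numbers are invented.

```python
# Added example (not from the slides): a small host-based IDS pass over
# sshd-style log lines that does both things slide 9 describes, signature
# detection and anomaly detection, and the report a log parser would produce.
import re
import statistics
from collections import Counter

# Constructed sample log (invented hosts and addresses, not real data).
SAMPLE_LOG = """\
Mar 24 10:01:02 host1 sshd[100]: Failed password for root from 10.0.0.5 port 5100 ssh2
Mar 24 10:01:03 host1 sshd[100]: Failed password for root from 10.0.0.5 port 5101 ssh2
Mar 24 10:01:04 host1 sshd[100]: Failed password for admin from 10.0.0.5 port 5102 ssh2
Mar 24 10:01:05 host1 sshd[100]: Accepted password for alice from 10.0.0.7 port 5200 ssh2
Mar 24 10:01:06 host1 sshd[100]: Failed password for bob from 10.0.0.9 port 5300 ssh2
Mar 24 10:01:09 host1 sshd[100]: Accepted publickey for root from 10.0.0.5 port 5103 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<proc>[^\[\s]+)\[\d+\]: (?P<msg>.*)$"
)


def parse(log_text: str) -> list:
    """Turn raw syslog lines into dicts; lines that do not fit are dropped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


# Signature detection: fixed patterns; a hit is a positive by definition.
SIGNATURES = {
    "failed-root-login": re.compile(r"Failed password for root from (\S+)"),
    "root-login-accepted": re.compile(r"Accepted \w+ for root from (\S+)"),
}


def signature_matches(events: list) -> list:
    """Return (rule name, reporting host, source address) for every hit."""
    hits = []
    for e in events:
        for name, rx in SIGNATURES.items():
            m = rx.search(e["msg"])
            if m:
                hits.append((name, e["host"], m.group(1)))
    return hits


# Anomaly detection: count failed logins per source and compare the counts
# against what earlier windows looked like, with no knowledge of any attack.
FAILED_RE = re.compile(r"Failed password for \S+ from (\S+)")

# Constructed history: failed logins per source in ten earlier windows.
BASELINE_FAILURES = [0, 1, 0, 0, 1, 0, 2, 0, 1, 0]


def failures_per_source(events: list) -> Counter:
    counts = Counter()
    for e in events:
        m = FAILED_RE.search(e["msg"])
        if m:
            counts[m.group(1)] += 1
    return counts


def anomalies(counts: Counter, baseline: list, k: float = 3.0) -> dict:
    """Sources whose count exceeds mean + k * stddev of the baseline."""
    threshold = statistics.mean(baseline) + k * statistics.pstdev(baseline)
    return {src: n for src, n in counts.items() if n > threshold}


def report(log_text: str) -> dict:
    """The summary a log parser would hand to the administrator."""
    events = parse(log_text)
    counts = failures_per_source(events)
    return {
        "events": len(events),
        "signature_hits": signature_matches(events),
        "failed_by_source": dict(counts),
        "anomalous_sources": anomalies(counts, BASELINE_FAILURES),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Note how the two styles differ on the same input: the signature rules fire on specific lines (root logins) and would miss any attack they were not written for, while the anomaly check only knows that three failures from one source in a window is unlike the past, so it catches the pattern without a rule but also needs a representative baseline to avoid false positives.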

11

What needs urgent attention?

12

What needs urgent attention?

13

What needs urgent attention?

14

What are the advantages and disadvantages of this approach?

15

Antivirus
● AV is the basic example of Signature Detection
● Effective against known threats
– Works only against viruses and tools
– Typically no protection against active attackers
● Many AV companies are developing additional IDS to improve the performance against unknown threats
● Some AV software has Anomaly detection functionality

16

Blacklight (FSecure)

17

Tripwire
● Tripwire builds a database over all files in the computer
● Files protected by tripwire will trigger the IDS if changed
● Tripwire can enforce limitations on the software that may run
● Can we trust tripwire on a rooted computer?
– Any other issues?
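The core of the Tripwire idea fits in a few dozen lines. This is an added Python example (mine, not Tripwire's code): it builds a baseline of SHA-256 digests, sizes and mode bits over a file tree, then compares the live tree against it and reports added, removed and changed files. The file tree and its contents are constructed in a temporary directory.

```python
# Added example (not Tripwire's code): the core idea behind Tripwire, a
# baseline of cryptographic digests over a file tree that is later compared
# against the live tree to find added, removed and altered files.
import hashlib
import os
import tempfile


def file_digest(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each file (relative to root) to its digest, size and mode bits."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            baseline[os.path.relpath(path, root)] = {
                "sha256": file_digest(path),
                "size": st.st_size,
                "mode": st.st_mode,
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report differences; any entry here is an IDS trigger."""
    known, now = set(baseline), set(current)
    return {
        "added": sorted(now - known),
        "removed": sorted(known - now),
        "changed": sorted(p for p in known & now if baseline[p] != current[p]),
    }


def _write(path: str, text: str) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)


def demo() -> dict:
    """Constructed scenario: baseline a tiny tree, tamper with it, compare."""
    with tempfile.TemporaryDirectory() as root:
        _write(os.path.join(root, "bin", "ls"), "original binary\n")
        _write(os.path.join(root, "etc", "passwd"), "root:x:0:0:root:/root:/bin/sh\n")
        baseline = build_baseline(root)      # in practice kept off-host or read-only
        _write(os.path.join(root, "bin", "ls"), "replaced binary\n")   # modified
        _write(os.path.join(root, "tmp", "extra"), "new file\n")       # added
        os.remove(os.path.join(root, "etc", "passwd"))                  # removed
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())   # {'added': ['tmp/extra'], 'removed': ['etc/passwd'], 'changed': ['bin/ls']}
```

The slide's question answers itself once you see where everything lives: the checker, its baseline database and the kernel that serves the file reads are all on the host being checked, so on a rooted machine any of them can be made to lie. The usual mitigations are to keep the baseline (and ideally the checker) on read-only or off-host storage and to run the comparison from trusted media.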

18

Honeyfiles
● Let's spread out some interesting-looking files
– A few programs for viruses
– "My credit cards.txt"
– Etc.
● Any access attempt to these files is considered hostile by the IDS
● Several AV programs implement this to capture viruses
● Read "The Cuckoo's Egg"

19

Distributed Host IDS
● In most cases an attacker will use the network
● If we can combine information from several systems we might be able to track the attacker
– Example: Block portscans
– Example: Track intrusion attempts
● Read: "A Distributed Host-based Worm Detection System" – Cheetancheri, Agosta, Dash
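The portscan example on this slide is the clearest case for combining host reports. Below is an added Python example (mine, not from the cited paper) in which each host forwards its rejected connection attempts to a central correlator; a source that touches one port on each of five hosts looks harmless to any single host but stands out in the combined view, which then yields a block list. The host names and addresses are constructed.

```python
# Added example (not from the paper the slide cites): correlating connection
# reports from several hosts so that a scan spread thinly across the network,
# invisible to any single host, becomes visible to the combined view.
from collections import defaultdict

# Constructed reports: (reporting host, source address, destination port).
# Each host runs its own sensor and forwards rejected connection attempts.
REPORTS = [
    ("host1", "10.9.9.9", 22),
    ("host2", "10.9.9.9", 22),
    ("host3", "10.9.9.9", 22),
    ("host4", "10.9.9.9", 22),
    ("host5", "10.9.9.9", 22),
    ("host1", "10.0.0.7", 80),
    ("host1", "10.0.0.7", 443),
    ("host2", "10.0.0.8", 8080),
]


def local_view(reports: list, host: str, min_ports: int = 5) -> dict:
    """What one host can conclude alone: sources that probed many of its ports."""
    ports = defaultdict(set)
    for h, src, port in reports:
        if h == host:
            ports[src].add(port)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def correlated_view(reports: list, min_hosts: int = 3, min_ports: int = 5) -> dict:
    """Combined view: a source counts as a scanner if it touched many hosts
    (horizontal scan) or many ports (vertical scan) across all reports."""
    hosts = defaultdict(set)
    ports = defaultdict(set)
    for h, src, port in reports:
        hosts[src].add(h)
        ports[src].add(port)
    suspects = {}
    for src in hosts:
        if len(hosts[src]) >= min_hosts or len(ports[src]) >= min_ports:
            suspects[src] = {"hosts": sorted(hosts[src]), "ports": sorted(ports[src])}
    return suspects


def block_list(reports: list) -> list:
    """Addresses every host should drop, derived from the correlated view."""
    return sorted(correlated_view(reports))


if __name__ == "__main__":
    print("host1 alone:", local_view(REPORTS, "host1"))   # {}
    print("correlated:", correlated_view(REPORTS))
    print("block:", block_list(REPORTS))                   # ['10.9.9.9']
```

The thresholds are the tuning knobs from slide 7 in another form: lowering `min_hosts` catches slower scans but turns a legitimate management host that contacts many machines into a false positive, so in practice such hosts are whitelisted at the correlator.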

20

Network IDS
● All HIDS have a common weakness
– The host
● We want to track intrusions on a network-wide scale
● Therefore we need network equipment with IDS functionality

21

Placement of the NIDS
● We can place it in-line
– Lets us do IPS
● We can place it out-of-line
– Lets it be totally transparent
● Other placement issues very similar to firewalls

22

Honeypots
● Computers intended to be rooted by the attacker
● Allows us to monitor attackers and capture data
● Especially efficient against bot-nets and automated attack tools
● See: Honeynet.org

23

Snort
● The major free NIDS in use today
● Large community supporting the application
● Can handle line speed up to 1 Gbit
– Using reasonable rulesets (and tweaking)
● Several steps for each packet
– Decoding
– Preprocessing
– Detection
– Output
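The four per-packet stages are easiest to see as four functions. This is an added Python example (mine, not Snort code; the rule dictionaries only loosely imitate Snort's rule syntax and the sid values are constructed, following the convention that locally written rules use sids from 1000000 upwards): it decodes a constructed IPv4/TCP packet with `struct`, normalizes the payload by percent-decoding and lower-casing it, matches content rules, and formats an alert line. The addresses and HTTP requests are constructed; the second request shows why the preprocessing stage exists, since the raw bytes do not contain the rule's content string but the normalized bytes do.

```python
# Added example (my own, not Snort code): the four per-packet stages the
# slide lists, decode -> preprocess -> detect -> output, over a constructed
# IPv4/TCP packet, using a rule format that only loosely resembles Snort's.
import struct
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4_tcp(src, dst, sport, dport, payload: bytes) -> bytes:
    """Constructed test input: minimal IPv4 + TCP headers (checksums left 0)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     ip_to_bytes(src), ip_to_bytes(dst))
    return ip + tcp + payload


# 1. Decoding: pull addresses, ports and payload out of the raw bytes.
def decode(raw: bytes) -> Packet:
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("only IPv4/TCP handled here")
    ihl = (ver_ihl & 0x0F) * 4                      # IP header length in bytes
    sport, dport, _, _, doff_byte = struct.unpack("!HHIIB", raw[ihl:ihl + 13])
    doff = (doff_byte >> 4) * 4                     # TCP header length in bytes
    return Packet(".".join(map(str, src)), ".".join(map(str, dst)),
                  sport, dport, raw[ihl + doff:total])


# 2. Preprocessing: normalize so that encoding tricks do not hide content.
def preprocess(pkt: Packet) -> bytes:
    return unquote_to_bytes(pkt.payload).lower()


# 3. Detection: rules with a port constraint and a content string.
# Constructed rules; the sid follows the local-rule convention (>= 1000000).
RULES = [
    {"sid": 1000001, "dport": 80, "content": b"/etc/passwd",
     "msg": "WEB attempt to read /etc/passwd"},
]


def detect(pkt: Packet, normalized: bytes) -> list:
    return [r for r in RULES if pkt.dport == r["dport"] and r["content"] in normalized]


# 4. Output: one alert line per matching rule.
def output(pkt: Packet, rule: dict) -> str:
    return f"[1:{rule['sid']}] {rule['msg']} {{TCP}} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"


def run_pipeline(raw_packets) -> list:
    alerts = []
    for raw in raw_packets:
        pkt = decode(raw)
        normalized = preprocess(pkt)
        for rule in detect(pkt, normalized):
            alerts.append(output(pkt, rule))
    return alerts


# Constructed traffic: one ordinary request and one with the path percent-encoded.
SAMPLE_PACKETS = [
    build_ipv4_tcp("10.0.0.7", "10.0.0.1", 40000, 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    build_ipv4_tcp("10.0.0.5", "10.0.0.1", 40001, 80, b"GET /%65tc/%70asswd HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for line in run_pipeline(SAMPLE_PACKETS):
        print(line)
```

Real Snort does far more in the preprocessing stage (stream reassembly, IP defragmentation, protocol-specific normalizers) and that stage is where most of the line-speed cost goes, which is why the slide qualifies the 1 Gbit figure with "reasonable rulesets (and tweaking)".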

24

Demo of Snort

25

How do we handle intrusions?
● Four steps:
– Containment
– Eradication
– Recovery
– Follow-up
● Typically done by an IRT (Incident Response Team) in larger organizations
● Pulling the plug is not always the right answer!

26

Recommended reading
● Security Visualization
– How to make security easy to understand
– Some of the illustrations come from there
– http://secviz.org/
● HoneyNet project
– Let's set up IDS systems to track hackers!
– http://www.honeynet.org
● Halting State (Charles Stross)
– A thriller starting with Orcs robbing a bank in an MMORPG...

27

Questions?

28

Extra: Fragmentation attacks (Pictures from Security Focus)

29

Fragmentation attacks

30

Fragmentation attacks

31

Fragmentation attacks