1
Intrusion Detection Systems
2
Intrusion Detection
• An intrusion is any use, or attempted use, of a system that exceeds what the user is authorized to do
• Intrusions are related to, but narrower than, incidents
– An incident need not involve an active system or network device; an intrusion always does
• An Intrusion Detection System (IDS) is software or hardware that monitors network or host activity and raises an alert when it notices suspicious activity
3
Intrusion Detection
• Security policies are either prohibitive (deny by default) or permissive (allow by default)
• An IDS is sensitive to its configuration
• Possible types of IDS errors:
– False positive: legitimate activity is reported as an intrusion (e.g. an authorized user is flagged or denied access)
– False negative: a real intrusion goes unreported (e.g. an unauthorized user gets in unnoticed)
– Subversion error: the intruder compromises the IDS itself so that it can no longer detect the intrusion
4
Dealing with Intruders
• Intruders can be external or internal
– External intruders are outsiders (often called hackers or crackers)
– Internal intruders are more common and very dangerous: they already hold some legitimate access
• The security policy should state what steps will be taken to handle intrusions
• Block and ignore
– The simplest tactic for handling intrusions
– Block the intruder and address the vulnerability
– Take no further action
5
Dealing with Intruders
• Block and investigate
– Block the intruder and address the vulnerability
– Collect evidence and try to determine the intruder's identity
– Investigate
• Honeypot (bait the intruder)
– Allow the intruder to access a part of your network
– Try to catch the intruder while he/she explores
– This is a potentially dangerous approach
• The intruder does have at least partial access
• Crackers may become interested in your site
6
Detecting Intruders
• An IDS monitors system activity in some way
• When it detects suspicious activity, it performs an action
• The action is usually an alert of some type
– E-mail, cell phone, audible alert, etc., to a person or a process
– For highly sensitive systems an out-of-band channel is used, so an attacker who controls the network cannot suppress the alert
• All IDS systems continuously sample system activity and compare the samples against a reference database (attack signatures or a profile of normal behavior)
7
IDS Principles
• Run unattended for extended periods of time
• Stay active and secure
• Recognize unusual activity
• Operate without unduly affecting the system's activity
• Configurable
8
IDS Principles
Sample current activity → Compare with database → Decide what to do → (sample again)
9
IDS Taxonomy
• Misuse intrusion: an attack against a known vulnerability, using a known sequence of actions
– Relatively easy to detect
• Anomaly intrusion: an attack against a new vulnerability, or one using an unknown set of actions
– Relatively difficult to detect
• Types of IDS that correspond to the intrusion types:
– Signature-based (detects misuse)
– Anomaly-based, also called behavior-based (detects anomalies)
10
IDS Taxonomy
• Signature-based IDS
– Detects misuse intrusions
– Maintains a database of attack signatures
– Compares current activity to the database
– The database must be current and complete to be effective; an attack with no signature is a false negative
• Anomaly-based (behavior-based) IDS
– Detects anomaly intrusions
– Builds a profile of "normal" system activity over time and flags deviations from it
– Produces more false positives (legitimate but unusual activity looks like an attack) and requires more administration
– Requires careful initial configuration, and a clean training period so the profile does not learn attacker activity as "normal"
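The two detection styles side by side, as an added example for this slide and the error types on slide 3. This is illustrative code, not part of the slides or of any IDS product; the signature table, the baseline request rates and the request events are all constructed here. The signature detector misses the SQL injection request (a false negative, since no signature exists for it), and the anomaly detector flags a legitimate bulk downloader (a false positive, the cost of profile-based detection).

```python
"""Signature-based versus anomaly-based detection over constructed events.

Added illustration; not code from the slides or from any IDS product.
The signature table, training rates and request events are constructed.
"""
import re
import statistics

# Constructed "known attack" signatures: name -> pattern over the request text.
SIGNATURES = {
    "mountd access": re.compile(r"\x00\x01\x86\xa5"),     # RPC program 100005 (mountd)
    "cgi-bin phf":   re.compile(r"GET /cgi-bin/phf\b"),   # classic CGI hole
    "passwd fetch":  re.compile(r"GET /[^ ]*passwd"),      # attempt to read a password file
}

# Constructed request events: (source IP, request text).
EVENTS = [
    ("10.0.0.5", "GET /index.html"),
    ("10.0.0.9", "GET /cgi-bin/phf?Qalias=x"),
    ("10.0.0.9", "GET /../../etc/passwd"),
    ("10.0.0.3", "GET /admin.php?id=1' OR '1'='1"),   # SQL injection: NOT in the signature table
    ("10.0.0.7", "GET /report.pdf"),
]

# Constructed baseline: requests per minute per source during a quiet training period.
TRAINING_RATES = [4, 5, 6, 5, 4, 6, 5, 5]

# Constructed rates during the monitored minute.
CURRENT_RATES = {
    "10.0.0.5": 6,     # ordinary user
    "10.0.0.7": 9,     # legitimate user bulk-downloading reports
    "10.0.0.9": 40,    # scanner hammering the server
}


def signature_detect(events):
    """Misuse detection: (event index, signature name) for each event whose request
    matches a known signature. Event 3 (the SQL injection) matches nothing and is a
    false negative: the attack is not in the database."""
    hits = []
    for i, (_src, request) in enumerate(events):
        for name, pattern in SIGNATURES.items():
            if pattern.search(request):
                hits.append((i, name))
    return hits


class AnomalyDetector:
    """Anomaly detection: learn the per-source request rate, then flag any source
    whose current rate exceeds mean + k standard deviations of the baseline."""

    def __init__(self, k=3.0):
        self.k = k
        self.mean = self.stdev = None

    def train(self, rates):
        self.mean = statistics.mean(rates)
        self.stdev = statistics.pstdev(rates) or 1.0   # never let the threshold collapse to the mean
        return self.threshold()

    def threshold(self):
        return self.mean + self.k * self.stdev

    def anomalous_sources(self, rates):
        """Sorted sources over the threshold. 10.0.0.7 is flagged although its burst
        is legitimate: a false positive."""
        return sorted(src for src, rate in rates.items() if rate > self.threshold())


def run_demo():
    det = AnomalyDetector(k=3.0)
    det.train(TRAINING_RATES)
    return signature_detect(EVENTS), det.anomalous_sources(CURRENT_RATES)


if __name__ == "__main__":
    sig_hits, anomalies = run_demo()
    print("signature hits:", sig_hits)
    print("anomalous sources:", anomalies)
```

Running it shows why organizations deploy both: the signature pass names the phf and passwd attempts precisely but is silent on the injection, while the rate profile catches the scanner it has never seen before but also drags in the bulk downloader, who then has to be tuned out by an administrator.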
11
Rules
• A rule tells the IDS which packets to examine and what action to take
– Similar to a firewall rule
– Example, in Snort syntax:
alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)
• alert is the action to take when the rule matches
• tcp is the protocol
• any any is the source address and source port (any host, any port)
• 192.168.1.0/24 is the destination network
• 111 is the destination port (the RPC portmapper)
• content gives bytes that must appear in the payload; |...| encloses hex bytes (00 01 86 a5 is RPC program number 100005, mountd)
• msg is the text of the alert that is generated
12
Thresholds
• A threshold is a value that marks the boundary of normal activity; crossing it triggers an alert
• Example: a maximum of three login attempts
• Activities commonly given thresholds:
– file I/O activity
– network activity
– administrator logins and actions
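The login example from this slide as working detection logic, added here as an illustration (not code from the slides or from any product). It applies a sliding window so that old failures expire, resets on a successful login, and alerts once per source rather than on every further failure. The syslog-style sshd lines are constructed for the example, and the year prepended for timestamp parsing is an assumption because syslog lines carry none.

```python
"""Threshold check over constructed syslog-style auth lines: alert when one
source fails login more than MAX_TRIES times within WINDOW seconds.

Added example; the log lines are constructed, not taken from the slides."""
import re
from collections import defaultdict, deque
from datetime import datetime

MAX_TRIES = 3      # "maximum three tries for login"
WINDOW = 60        # seconds over which the tries are counted

# Constructed sshd lines: one brute-forcer, one user who mistypes once, then succeeds.
AUTH_LOG = [
    "Oct 12 10:00:01 bastion sshd[4121]: Failed password for root from 203.0.113.8 port 50212 ssh2",
    "Oct 12 10:00:04 bastion sshd[4121]: Failed password for root from 203.0.113.8 port 50213 ssh2",
    "Oct 12 10:00:07 bastion sshd[4121]: Failed password for invalid user admin from 203.0.113.8 port 50214 ssh2",
    "Oct 12 10:00:09 bastion sshd[4121]: Failed password for root from 203.0.113.8 port 50215 ssh2",
    "Oct 12 10:00:30 bastion sshd[4130]: Failed password for alice from 198.51.100.4 port 40001 ssh2",
    "Oct 12 10:00:45 bastion sshd[4130]: Accepted password for alice from 198.51.100.4 port 40002 ssh2",
    "Oct 12 10:05:00 bastion sshd[4150]: Failed password for root from 203.0.113.8 port 50216 ssh2",
]

LINE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+)"
)


def parse(line):
    """Return (timestamp, outcome, user, source ip) or None for an unrelated line."""
    m = LINE.match(line)
    if not m:
        return None
    # syslog has no year; 2024 is an assumption for this example
    ts = datetime.strptime("2024 " + m.group(1), "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)


def threshold_alerts(lines, max_tries=MAX_TRIES, window=WINDOW):
    """Sliding-window failure counter per source IP.

    Returns [(ip, HH:MM:SS), ...] for each source at the moment it first exceeds
    max_tries failures inside `window` seconds. A successful login clears the
    source's counter; a source is reported once, not on every extra failure."""
    failures = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, outcome, _user, ip = rec
        q = failures[ip]
        if outcome == "Accepted":
            q.clear()
            alerted.discard(ip)
            continue
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window:   # expire old failures
            q.popleft()
        if len(q) > max_tries and ip not in alerted:
            alerts.append((ip, ts.strftime("%H:%M:%S")))
            alerted.add(ip)
    return alerts


if __name__ == "__main__":
    for ip, when in threshold_alerts(AUTH_LOG):
        print(f"ALERT {when}: {ip} exceeded {MAX_TRIES} failed logins in {WINDOW}s")
```

A fixed threshold is deliberately simple: it catches the fourth failure from 203.0.113.8 at 10:00:09 and ignores the isolated failure at 10:05:00 once the window has slid past, but it would equally flag a legitimate user who mistypes a password four times, which is the false-positive trade-off every threshold carries.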
13
Snort IDS
• Snort is an example of an IDS
– Open source, free to use
– Runs on UNIX/Linux and Windows
• A highly configurable packet sniffer with a rule-driven detection engine
• Analyzes network traffic in real time
• www.snort.org
14
Snort IDS
• Snort captures a packet from the network
– The decoder and preprocessors parse the packet headers and decide whether the detection engine should analyze it further
– The detection engine compares the patterns in the rules against the packet headers and payload
– If a rule matches, the rule's action is taken (alert, log, etc.)
• Snort can be used in plain packet-sniffer mode or in full IDS mode
• Snort has numerous configurable options
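The rule from slide 11 run through the pipeline described on this slide, as an added example. This is a miniature re-implementation for illustration, not Snort's own code: it parses the one rule, applies the header checks first (the preprocessor step), then looks for the content bytes in the payload (the detection engine), and records the rule's action. The packets are constructed dictionaries; their payloads merely contain or omit the four bytes 00 01 86 a5 (RPC program number 100005, mountd) and are not claimed to be well-formed RPC messages.

```python
"""Miniature Snort-style pipeline: parse one rule, pre-filter on headers,
match the content option against the payload, take the action.

Added example; not Snort's code. Packets below are constructed."""
import ipaddress
import re

RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

# The rule from the slides.
MOUNTD_RULE = 'alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)'


def parse_content(value):
    """Snort content string: text outside |...| is literal, inside is hex bytes."""
    out = bytearray()
    for i, part in enumerate(value.split("|")):
        if i % 2:                                       # inside |...|
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)


def parse_rule(text):
    """Split the header into action/proto/src/sport/dst/dport and the options
    into a dict; content is decoded to bytes, msg kept as text."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule")
    rule = m.groupdict()
    opts = {}
    for opt in filter(None, (o.strip() for o in rule.pop("opts").split(";"))):
        key, _, val = opt.partition(":")
        opts[key.strip()] = val.strip().strip('"')
    rule["content"] = parse_content(opts["content"]) if "content" in opts else None
    rule["msg"] = opts.get("msg", "")
    return rule


def header_match(rule, pkt):
    """Preprocessor stage: cheap header checks before any payload inspection."""
    def addr_ok(spec, ip):
        return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

    def port_ok(spec, port):
        return spec == "any" or int(spec) == port

    return (pkt["proto"] == rule["proto"]
            and addr_ok(rule["src"], pkt["src"]) and port_ok(rule["sport"], pkt["sport"])
            and addr_ok(rule["dst"], pkt["dst"]) and port_ok(rule["dport"], pkt["dport"]))


def run_pipeline(rule, packets):
    """Return [(action, msg, packet index), ...] for every packet the rule fires on."""
    results = []
    for i, pkt in enumerate(packets):
        if not header_match(rule, pkt):
            continue                                    # preprocessor: not interesting
        if rule["content"] and rule["content"] not in pkt["payload"]:
            continue                                    # detection engine: no payload match
        results.append((rule["action"], rule["msg"], i))
    return results


# Constructed packets: only the first should trigger the rule.
PACKETS = [
    {"proto": "tcp", "src": "10.9.8.7", "sport": 40000, "dst": "192.168.1.20", "dport": 111,
     "payload": b"\x80\x00\x00\x28\x00\x00\x00\x02\x00\x01\x86\xa5"},   # carries 00 01 86 a5
    {"proto": "tcp", "src": "10.9.8.7", "sport": 40001, "dst": "192.168.1.20", "dport": 111,
     "payload": b"\x80\x00\x00\x28\x00\x00\x00\x02\x00\x01\x86\xa3"},   # different program number
    {"proto": "tcp", "src": "10.9.8.7", "sport": 40002, "dst": "192.168.2.20", "dport": 111,
     "payload": b"\x00\x01\x86\xa5"},                                   # wrong subnet: header check fails
    {"proto": "udp", "src": "10.9.8.7", "sport": 40003, "dst": "192.168.1.20", "dport": 111,
     "payload": b"\x00\x01\x86\xa5"},                                   # wrong protocol
]

if __name__ == "__main__":
    for action, msg, idx in run_pipeline(parse_rule(MOUNTD_RULE), PACKETS):
        print(f"{action.upper()} packet {idx}: {msg}")
```

Note the order: header matching is cheap and eliminates most packets, so the byte search over the payload only runs for traffic that already fits the rule's addresses, ports and protocol.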
18
Network-Based vs Host-Based
• IDS systems are classified by their intended locations
• A network-based IDS monitors all traffic on a network segment
– Can detect intrusions that cross that segment
– Administrators sometimes place one inside and one outside of a firewall
– On a switched network it sees only the traffic delivered to its own segment or mirror port, so traffic between two LAN computers elsewhere is invisible to it
19
Network-Based vs Host-Based
• A host-based IDS examines all traffic and activity for a particular machine
– Can examine system log files as well as inbound and outbound packets
– Each system requires its own IDS
• Best choice is to use both network-based and host-based IDS in an organization
• Many firewalls provide some IDS functionality
21
Choosing an Appropriate IDS
• Determine the organization's security needs
• Review the different IDS packages available
• Medium to large organizations commonly use both network-based and host-based IDS
22
Security Auditing with an IDS
• Organizations must have periodic security audits
– Sometimes mandated by law or by corporate structure
• An IDS can contribute to a complete audit
• Many host-based IDS can scan and analyze system log files
– They can act as a filter that picks out particular behaviors
• A network-based (packet-sniffing) IDS can help to profile network activity
23
Intrusion Prevention System
• An IPS couples IDS detection with an automated response, typically blocking or dropping the offending traffic
• Usually an IPS is a combination of a firewall and an IDS
• IPSs come in different forms:
– NIDS with two NICs
– Inline NIDS
– Inline NIDS with a scrubber
24
Intrusion Prevention System
• IPS with two NICs, configured as follows:
– One NIC has an IP address and handles traffic management (administration and any active response)
– The second NIC has no IP address and is used only for detecting attacks
25
IPS with two NICs (diagram)
Server with IPS: NIC1 has an IP address, NIC2 has no IP address; copies of the network traffic are delivered to the server's NICs
26
IPS with inline NIDS (diagram)
Server with IPS: network traffic enters through one NIC with no IP address and leaves through a second NIC with no IP address, so the IPS sits inline between the two; a third NIC with an IP address is used for management
27
IPS with scrubber (diagram)
Server with IPS: the same inline layout, with network traffic passing through two NICs that have no IP address and a third NIC with an IP address for management
A malicious packet entering the IPS (its payload shown as garbled characters in the diagram) leaves as a scrubbed packet, with the malicious code rendered inactive
28
IPS Enhancements
• Traditionally switches work at OSI layer 2
• Most vulnerabilities are in applications (layer 7)
• Layer 7 switches control which applications go to which server
• Layer 7 switches also help with load balancing
• A layer 7 switch inspects application protocols such as HTTP, SMTP and DNS and decides which server to route the application packets to
• This lets it help mitigate DoS and DDoS attacks
29
IPS Enhancements
• IPS systems first profile applications
• Profiling helps identify the normal patterns of access and functionality for each application, so that anything outside the profile can be blocked
30
IPS Scenario
Traffic from the internet (requests arriving at the IPS):
– User: GET /
– User: GET /default.asp
– Attacker: GET /passwd.txt
– User: GET /login.asp
Policy:
– Allow: GET /
– Allow: GET /default.asp
– Allow: GET /login.asp
– Allow: /public/default.html
– Implicitly deny all other requests
Traffic forwarded to the internal network:
– User: GET /
– User: GET /default.asp
– User: GET /login.asp
(the attacker's GET /passwd.txt matches no allow rule and is dropped)
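The policy on this slide as working filter logic, added here as an illustration rather than any product's code. It implements the positive-security model the slide shows (explicit allow list, implicit deny) and goes one step beyond the slide's four requests: the request path is percent-decoded and dot-segments are collapsed before the lookup, so that GET /public/../passwd.txt or an encoded path cannot slip past an allow entry. The extra requests at the bottom are constructed; the slide's policy names no method for /public/default.html, and treating it as GET is an assumption.

```python
"""Allow-list (positive security model) HTTP request filter, as in the IPS
scenario slide: only explicitly allowed request lines are forwarded, all
others are implicitly denied.

Added example; not a product's code. Requests beyond the slide's four are constructed."""
import posixpath
from urllib.parse import unquote

# The slide's policy: (method, normalised path). The method for /public/default.html
# is not given on the slide; GET is assumed here.
ALLOWED = {
    ("GET", "/"),
    ("GET", "/default.asp"),
    ("GET", "/login.asp"),
    ("GET", "/public/default.html"),
}

# The four request lines shown on the slide, in arrival order.
SLIDE_REQUESTS = ["GET /", "GET /default.asp", "GET /passwd.txt", "GET /login.asp"]


def normalise(target):
    """Canonicalise the request path before the allow-list lookup:
    drop the query string, decode percent-encoding, collapse '.' and '..'.
    A path that still does not start with a single '/' is left as-is (and will be denied)."""
    path = target.split("?", 1)[0]
    path = unquote(path)
    return posixpath.normpath(path)


def decide(request_line):
    """'allow' if (method, canonical path) is in the policy, otherwise 'deny'.
    Malformed lines are denied: the filter fails closed."""
    parts = request_line.split()
    if len(parts) not in (2, 3):
        return "deny"
    if len(parts) == 3 and not parts[2].startswith("HTTP/"):
        return "deny"
    method, target = parts[0], parts[1]
    return "allow" if (method.upper(), normalise(target)) in ALLOWED else "deny"


def filter_requests(lines):
    """Pair each request line with the decision taken for it."""
    return [(line, decide(line)) for line in lines]


def forwarded(lines):
    """The requests that reach the internal network."""
    return [line for line, verdict in filter_requests(lines) if verdict == "allow"]


if __name__ == "__main__":
    for line, verdict in filter_requests(SLIDE_REQUESTS + [
            "GET /public/../passwd.txt HTTP/1.0",     # constructed: traversal to a denied path
            "GET /%64efault.asp HTTP/1.0",            # constructed: encoded form of an allowed path
            "POST /login.asp HTTP/1.1",               # constructed: allowed path, unlisted method
    ]):
        print(f"{verdict:5}  {line}")
```

Two details matter in practice: canonicalising before the lookup (otherwise the allow list is only as good as the attacker's imagination with encodings), and failing closed on anything the parser does not understand. The filter ignores the query string entirely, so parameters to an allowed page are not inspected; that is a separate layer of checking, not something an allow list of paths provides.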
31
Commercial and Open-Source IPSs
• Hogwash, an open-source inline packet scrubber (http://hogwash.sourceforge.net/oldindex.html)
• ISS Guard (http://www.iss.net/products_services/enterprise_protection/rsnetwork/guard.php)
• NetScreen, now part of Juniper (http://www.juniper.net/products/)
• TippingPoint (http://www.tippingpoint.com/products_ips.html)
• IntruVert, now part of McAfee (http://www.mcafee.com/us/products/mcafee/network_ips/category.htm?cid=10355)