TRANSCRIPT
Internet Security
Intrusion Detection Systems
© 2002 Enterprise Security Solutions, LLC.
Overview
• Need for Security - Regulations and Policy
• Logging and IDS Basics
• Architecture
• NIDS Issues
– Speed and Management
– Database
– Technical Considerations
• NIDS Sampling
• Costs
• Configuration Issues
• HIDS and other IDS-like products
Why Security?
• Protect Investment
• Maintain Service
• Protect Reputation
• Protect against Unauthorized Disclosure
• Insurance Requirement
• Required by Regulations
• Lawsuits
• Regulatory Sanctions
Regulations
• Gramm-Leach-Bliley Act
– Title V – Privacy
• FTC - Standards for Safeguarding Customer Information
– 16 CFR Part 314
• Office of the Comptroller of the Currency (OCC)
– Guidelines Establishing Standards For Safeguarding Customer Information
• FDIC
– Guidelines Establishing Standards for Safeguarding Customer Information
• Federal Reserve
– Guidelines Establishing Standards for Safeguarding Customer Information
• Department of the Treasury
– Office of Thrift Supervision (OTS) Information
Items Covered in Regulations
• Manage and Control Risk by developing an information security program to control the identified risks (Policies and Procedures)
• Apply appropriate security measures:
– Access controls
– Encryption
– Monitoring systems
– Response programs
– Disaster recovery measures
– Training
– Regular testing
Logical Steps of Security
Prevention
Detection
Response
Policy
• Acceptable use policy
• No expectation of privacy
• A requirement for successfully prosecuting those unauthorized users who improperly use a computer is that the computer must have a warning banner displayed at all access points. That banner must warn authorized and unauthorized users:
1) about what is considered the proper use of the system,
2) that the system is being monitored to detect improper use and other illicit activity,
3) that there is no expectation of privacy while using this system.
• If no policy is in place, defaults to Personal Privacy Act (PPA) and 4th Amendment*
• Intrusion Response Policy
*Always consult your legal staff as regulations differ from state to state
Sample Warning Banner
This system is for the use of authorized users only. These systems and equipment are subject to monitoring to ensure proper functioning, to protect against improper or unauthorized use or access, and to verify the presence or performance of applicable security features or procedures, and for other like purposes. Such monitoring may result in the acquisition, recording, and analysis of all data being communicated, transmitted, processed or stored in this system by a user. If monitoring reveals evidence of possible criminal activity, such evidence may be provided to law enforcement personnel. Use of this system constitutes consent to such monitoring.
Common Sources of Logs
• Router (and many network elements)
• Firewall
• Host
– operating system
– application
– file: hashing or digital signature
• Intrusion detection system (IDS)
Security Provided by IDS
• Detect Attacks
• More cost-effective to deal with attacks using intrusion detection than other methods
• Provide “Forensic Readiness”
– Maximizing an environment’s ability to collect credible digital evidence
– Minimizing the cost of forensics in an incident response
Types of IDS
• Network (NIDS)
• Host (HIDS)
• Hybrid
Types of NIDS
• Signature vs. Anomaly
– Signature: raw data matching, preprocessors
– Anomaly: CPU/device/process utilization, standard deviation
Protocols used by NIDS
• IP
– Except for encrypted protocols: SSL (tcp 443), SSH (tcp 22), telnet-SSL (tcp 992), other encrypted protocols, IPSec
• IPX and other protocols
– use a protocol analyzer and filters
Architecture
• The placement of the IDS within the institution's system architecture should be carefully considered.
• The primary benefit of placing an IDS inside a firewall is the detection of attacks that penetrate the firewall as well as insider abuses.
• The primary benefit of placing an IDS outside of a firewall (Attack Sensor) is the ability to detect such activities as sweeping, which can be the first sign of attack; repeated failed log-in attempts; and attempted denial of service and spoofing attacks.
• Placing an IDS outside the firewall will also allow the monitoring of traffic that the firewall stops.
Architectural Issues
• Attack sensor
• Intrusion detection sensor
• Stealth vs. non-stealth
• Management networks
• Hubs vs. switches
• Switch firmware
• Taps
Figure: Typical IDS Deployment – Internet, Router, Internet Firewall, External subnet, Internet DMZ (with Internet DMZ IDS), Internal Firewall or Choke Router, Protected DMZ (with Protected DMZ IDS), Internal subnet (with Internal Subnet IDS), IDS Database; an Attack Sensor with its own Attack Database sits outside the firewall; sensor interfaces are attached in stealth mode.
Some NIDS products
• Cisco Catalyst IDS Module
• Cisco Secure IDS Network Sensor
• Computer Associates eTrust Intrusion Detection
• Enterasys Dragon IDS
• Internet Security Systems RealSecure
• Martin Roesch Snort
• NFR Network Intrusion Detection
• Symantec (Axent) Net Prowler
Speed and Management Issues
• Speed
– Pre-processors
– Signature matching
• Management
– GUI
– encrypted communications
– heart-beat/watchdog
– time synchronization
– version updates
– rule updates
– Configuration
Alerting/Logging Issues
• Alerting capabilities
– Log
– Record session
– Alert
– Run program
– Trigger secondary rules
– SNMP
– Page
– WinPopUp
Database Issues
• Type
– SQL
– Access
– Flat file
– Proprietary
• Size
– Maximum database size
– Size vs. speed
• Centralized/de-centralized
– Data forwarding
Technical Issues
• Resets (RSKill, FlexResp, etc.)
• Router/FW automated reconfiguration
• ARP spoof detection
• Fragment reassembly on different stacks
Figure: ARP Spoofing (before) – Server 00:60:00:dd:ee:ff / 192.168.0.10; Client 00:60:00:aa:bb:cc / 192.168.0.5; Attacker 00:60:00:12:34:56 / 192.168.0.100.
Figure: ARP Spoofing (after) – the attacker (00:60:00:12:34:56, shown here at 192.168.0.99) answers ARP so that both 192.168.0.10 and 192.168.0.5 now map to 00:60:00:12:34:56, and traffic between server and client passes through the attacker's host.
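The detection side of the ARP spoofing figure, as an added example that is not from the slides: a small ARP-watch style monitor that learns IP-to-MAC bindings from ARP replies and alerts when an address suddenly claims a different MAC. The addresses are the ones in the figure; the reply sequence is constructed for the example.

```python
# Added example (not from the slides): a minimal ARP-watch style detector.
# It learns IP->MAC bindings from observed ARP replies and raises an alert
# when an IP suddenly claims a different MAC, which is the flip-flop the
# ARP spoofing figure illustrates. The observed "replies" are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ArpWatch:
    """Track sender IP -> sender MAC bindings seen in ARP replies."""
    table: Dict[str, str] = field(default_factory=dict)                 # ip -> mac
    alerts: List[Tuple[str, str, str]] = field(default_factory=list)   # (ip, old, new)

    def observe(self, sender_ip: str, sender_mac: str) -> Optional[str]:
        """Record a binding; return an alert string if it changed."""
        sender_mac = sender_mac.lower()
        known = self.table.get(sender_ip)
        if known is None:
            self.table[sender_ip] = sender_mac       # first sighting: learn it
            return None
        if known == sender_mac:
            return None                              # consistent, nothing to do
        # Same IP, different MAC: a NIC replacement or a poisoning attempt.
        # Keep the original binding so repeated spoofed replies keep alerting.
        self.alerts.append((sender_ip, known, sender_mac))
        return f"ARP flip-flop: {sender_ip} was {known}, now claims {sender_mac}"


def run_demo() -> List[Tuple[str, str, str]]:
    """Replay a constructed reply sequence matching the figure; return alerts."""
    watch = ArpWatch()
    replies = [
        ("192.168.0.10", "00:60:00:dd:ee:ff"),   # server, legitimate
        ("192.168.0.5", "00:60:00:aa:bb:cc"),    # client, legitimate
        ("192.168.0.99", "00:60:00:12:34:56"),   # attacker's own address
        ("192.168.0.10", "00:60:00:12:34:56"),   # attacker claims server IP
        ("192.168.0.5", "00:60:00:12:34:56"),    # attacker claims client IP
    ]
    for ip, mac in replies:
        msg = watch.observe(ip, mac)
        if msg:
            print(msg)
    return watch.alerts


if __name__ == "__main__":
    run_demo()
```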
Figure: Fragment Reassembly – the fragments of the string ATTACK arrive out of order (arrival order 1 5 2 6 3 4) and must be put back into the intended order before signature matching.
Figure: Fragment Reassembly – when the data stream contains an additional overlapping fragment, Solaris 2.6 and Windows NT 4.0 reassemble it into different strings (one keeps the original T, the other the overlapping X), so an IDS that reassembles differently from the protected host can miss what the host actually sees.
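An added example (not from the slides) of why stack-specific reassembly matters to a NIDS: two simplified overlap policies, one keeping already-received data and one letting a later fragment overwrite it, run over a constructed fragment set based on the figure's ATTACK string.

```python
# Added example (not from the slides): model two fragment-overlap policies
# and show that the same fragment set yields different streams, so a NIDS
# must reassemble the way the protected host's stack does. "first" keeps
# the data already received, "last" lets a later overlapping fragment win.
# The fragment set is constructed for the example.
from typing import Dict, List, Tuple

Fragment = Tuple[int, bytes]   # (byte offset, payload)


def reassemble(frags: List[Fragment], policy: str) -> bytes:
    """Reassemble fragments in arrival order under the given overlap policy."""
    total = max(off + len(data) for off, data in frags)
    buf = bytearray(total)
    seen = [False] * total                   # which byte positions have arrived
    for off, data in frags:
        for i, byte in enumerate(data):
            pos = off + i
            if policy == "first" and seen[pos]:
                continue                     # keep original data
            buf[pos] = byte                  # "last" policy, or first arrival
            seen[pos] = True
    return bytes(buf)


# Arrival order follows the figure (1 5 2 6 3 4), plus one overlapping fragment.
CONSTRUCTED_FRAGMENTS: List[Fragment] = [
    (0, b"A"),    # fragment 1
    (4, b"C"),    # fragment 5
    (1, b"T"),    # fragment 2
    (5, b"K"),    # fragment 6
    (2, b"T"),    # fragment 3
    (2, b"X"),    # overlapping fragment at the same offset as fragment 3
    (3, b"A"),    # fragment 4
]


def compare_policies(frags: List[Fragment] = CONSTRUCTED_FRAGMENTS) -> Dict[str, Tuple[bytes, bool]]:
    """Return the stream each policy yields and whether the ATTACK signature matches."""
    out = {}
    for policy in ("first", "last"):
        stream = reassemble(frags, policy)
        out[policy] = (stream, b"ATTACK" in stream)
    return out


if __name__ == "__main__":
    for policy, (stream, hit) in compare_policies().items():
        print(f"{policy:5s} -> {stream!r}  signature match: {hit}")
```

If the sensor uses one policy and the host the other, the signature either fires on data the host never sees or stays silent on data it does.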
Snort
ISS RealSecure
• ISS was one of the first to produce a commercial Network Intrusion Detection System and RealSecure still tends to be the standard by which other NIDS products are measured.
Beyond IDS
• Network Forensics Analysis Tools (NFAT)
• Raytheon Silent Runner
Silent Runner
Costs
• Hardware purchase
• Software purchase
• Software maintenance fees
• Maintenance costs
• Training
Configuration Issues
• Creating your own signature rules
• Signature rule for CodeRed v2:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg: "WEB-IIS CodeRed v2 root.exe access"; flags: A+; uricontent:"scripts/root.exe?"; nocase; classtype: attempted-admin; sid: 1257; rev: 1;)
• Sample rule for mail about “Project X”:
alert tcp $EXTERNAL_NET any -> $MAIL_SERVERS 25 (msg:"Project X correspondence"; content:"Project X"; nocase;)
• Local rules
Sample Local Rules
Figure: Sample Local Rules network – an Ethernet segment behind a Router, with a SQL Server at 192.168.0.100 (TCP 1433 only), a Web Server at 192.168.0.200 (TCP 80 and TCP 443 only), and the IDS attached to the segment in stealth mode.
alert tcp any any <> 192.168.0.100 1:1432 (msg:"UNAUTHORIZED CONNECTION ATTEMPT"; flags: S;)
alert tcp any any <> 192.168.0.100 1434:65535 (msg:"UNAUTHORIZED CONNECTION ATTEMPT"; flags: S;)
alert udp any any <> 192.168.0.100 any (msg:"UNAUTHORIZED CONNECTION ATTEMPT";)
alert tcp any any <> 192.168.0.200 1:79 (msg:"UNAUTHORIZED CONNECTION ATTEMPT"; flags: S;)
alert tcp any any <> 192.168.0.200 81:442 (msg:"UNAUTHORIZED CONNECTION ATTEMPT"; flags: S;)
alert tcp any any <> 192.168.0.200 444:65535 (msg:"UNAUTHORIZED CONNECTION ATTEMPT"; flags: S;)
alert udp any any <> 192.168.0.200 any (msg:"UNAUTHORIZED CONNECTION ATTEMPT";)
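As an added example (not from the slides and not a Snort tool): a small generator that derives local rules of the kind shown above from each host's list of allowed TCP ports, computing the port complements and emitting properly quoted msg strings instead of typing the ranges by hand. Hosts and ports are the ones from the figure.

```python
# Added example (not from the slides): build "unauthorized connection
# attempt" local rules from an allow-list of TCP ports per host. Any TCP
# SYN to a port outside the allow-list, and any UDP at all, gets a rule.
# Hosts and ports follow the sample local rules figure.
from typing import Dict, List, Tuple

MSG = "UNAUTHORIZED CONNECTION ATTEMPT"


def complement_ranges(allowed: List[int], lo: int = 1, hi: int = 65535) -> List[Tuple[int, int]]:
    """Return the inclusive port ranges within [lo, hi] not in `allowed`."""
    ranges = []
    start = lo
    for port in sorted(set(allowed)):
        if port > start:
            ranges.append((start, port - 1))   # gap before this allowed port
        start = port + 1
    if start <= hi:
        ranges.append((start, hi))             # tail after the last allowed port
    return ranges


def local_rules(hosts: Dict[str, List[int]]) -> List[str]:
    """Emit one TCP rule per disallowed range and one UDP rule per host."""
    rules = []
    for host, tcp_allowed in hosts.items():
        for lo, hi in complement_ranges(tcp_allowed):
            rules.append(
                f'alert tcp any any <> {host} {lo}:{hi} (msg:"{MSG}"; flags: S;)'
            )
        rules.append(f'alert udp any any <> {host} any (msg:"{MSG}";)')
    return rules


# The two hosts from the figure: SQL Server (TCP 1433) and Web Server (80, 443).
SLIDE_HOSTS: Dict[str, List[int]] = {"192.168.0.100": [1433], "192.168.0.200": [80, 443]}

if __name__ == "__main__":
    print("\n".join(local_rules(SLIDE_HOSTS)))
```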
Additional Issues
• Installation ease
• Support
• Rule updates
• Monitoring services
Host-based IDS (HIDS)
• File Integrity Checkers
– MD5 signature
– Checks for changes
• Log Parsers
– Windows event log
– Unix syslog
– Novell logs
– Flat files
Some HIDS Products
• ISS RealSecure
• Symantec (Axent) Intruder Alert (ITA)
• TripWire
Other types of pseudo-IDS
• Personal firewalls
• Sniffers
• Performance monitoring
• SNMP-based network monitoring
• Policy enforcement software
• ARP watch
• Honeypots
HEADQUARTERS:
FIVE HUNTERDON BOULEVARD, MURRAY HILL, N.J. 07974-2768
TELEPHONE (TOLL FREE IN US & CANADA): 1-866-563-6362
OUTSIDE OF THE US: 908-508-9825
E-mail: [email protected]
NORTHEAST - NEW ENGLAND REGIONAL OFFICE:
PO BOX 468, RICHMONDVILLE, NY 12149
518-294-6338
Enterprise Security Solutions, LLC
References
BOOKS
• Mandia, Kevin, and Prosise, Chris. Incident Response: Investigating Computer Crime. Osborne/McGraw-Hill, 2001.
• Northcutt, Stephen, and Novak, Judy. Network Intrusion Detection: An Analyst's Handbook, Second Edition. New Riders Publishing, 2000.
PAPERS
• Internet Security Systems. “Evaluating an Intrusion Detection Solution: A Strategy for a Successful IDS Evaluation,” ISS, 1999.
• NSS Group. “Intrusion Detection Systems, Group Test (Edition 2),” December, 2001.
• Ptacek, Thomas H., and Newsham, Timothy N. “Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection,” Secure Networks, Inc., January, 1998.
• Tan, John. “Forensic Readiness,” @stake, Inc., July 17, 2001.
STANDARDS
• ISO-17799 (Formerly BS-7799)
WEB SITES
• http://www.ihs.gov/Cio/ITSecurity/Posters/
• http://web.mit.edu/security/www/gassp1.html#dowlnoad
• http://banking.senate.gov/conf/fintl5.pdf
• http://www.ftc.gov/os/2001/07/stansafecustinfofrn.htm
• http://www.occ.treas.gov/ftp/bulletin/2001-8.txt
• http://www.occ.treas.gov/netbank/ebguide.htm
• http://www.occ.treas.gov/fr/fedregister/66fr8616.htm
• http://www.federalreserve.gov/boarddocs/SRLetters/2001/sr0111a1.pdf
• http://www.occ.treas.gov/ftp/bulletin/2000-14.doc
• http://www.occ.treas.gov/ftp/bulletin/2001-35a.pdf
• http://www.occ.treas.gov/ftp/bulletin/2001-35b.pdf
• http://www.occ.treas.gov/ftp/alert/2001-4.doc
• http://www.occ.treas.gov/ftp/alert/2001%2D4.txt
• http://www.fdic.gov/regulations/information/ebanking/Internet&NationalBankChrtr.pdf
• http://ciac.llnl.gov/ciac/bulletins/j-043.shtml