Intrusion Detection System(IDS) Overview

Download Report

Transcript Intrusion Detection System(IDS) Overview

Intrusion Detection System(IDS)
Overview
Manglers
Gopal Paliwal
Roshni Zawar
SenthilRaja Velu
Sreevathsa Sathyanarayana
VijayaPriya Mani
Agenda










What is IDS
Why do I need IDS, I have a firewall?
Types of IDS
IDS Techniques
Common ID Framework
Issues in IDS
Popular IDS
Demo
References
Q&A
What is IDS



A system that detects break-ins or
misuse of a system in network.
In short, its ‘burglar alarm’ for the
network.
An IDS can detect network scans, DoS,
unauthorized attempt to connect to
services in the network, improper
activity etc..
Why do I need IDS, I have a
firewall?



Today’s security infrastructure include
firewalls, virus scanners, authentication
systems, VPN etc..
Given their role, these are prime targets
and being managed by humans, they
are error prone.
Failure of one of these tools will
jeopardize the security!.
Why do I need IDS, I have a
firewall? – Contd..


Firewall is just not enough. Not all
traffic go through them.
Firewall does not protect against
application level weaknesses and are
subject to attack themselves.
Where should IDS go?
Depends primarily on the network setup
 In a DMZ area immediately inside
firewall.
 Important locations in network
 On a service host (like a webserver)
Types of IDS

Host Based


Network Based


Collect and analyze data that originate from a host
(e.g., web server)
Collect and analyze packets that travel over
network
Stack Based (recent)

Integrated into TCP/IP stack, so that the malicious
packets are caught even before packets reach
application
IDS Techniques

Anomaly Detection


Misuse Detection (or) Signature Detection


Generates an alert when a known intrusion matches existing signatures.
Predict and Detect subsequent similar attempts.
Target Monitoring


Establish a baseline pattern and generates an alert when a flow of traffic
deviates from baseline pattern.
Corrective control designed to uncover unauthorized action (file
modification) after it occurs.
Stealth Probes


Checks for methodical attacks over a prolonged period of time.
Discover correlating attacks.
Common ID Framework
Issues in IDS




Large number of ‘false positives’.
Very difficult to configure the security
rules.
Continuous update of signature
database is must.
NIDS is unreliable on high-speed and
switched networks.
Popular IDS Tools









Snort
Cisco IDS
RealSecure, by Internet Security Systems
Dragon, by Enterasys
NFR, by Flight Recorder (also available in a
free research version)
Tripwire, by the Tripwire Open Source team
Tcpwrappers, by Wietse Venema
PortSentry, by Psionic Technologies
AIDE (Advanced Intrusion Detection
Environment)
Demo


Snort – is a light weight open source
NIDS, capable of performing real time
traffic analysis and packet logging.
Snort works in various modes:



sniffer mode (acts as protocol analyzer)
packet-logger mode
NIDS mode.
Network Topology
SNORT
• Internal Node
• Web server
• FTP server
milkyway
supernova
(192.168.1.103)
(192.168.1.102)
The Intruder
trudy
(192.168.6.201)
References






Book: Intrusion detection system with snort by Jack koziol
Snort IDS (www.snort.org)
Intrusion Detection Systems
(www.certiguide.com/secplus/cg_sp_34IntrustionDetectionSystem.htm)
An introduction to IDS (http://www.securityfocus.com/infocus/1520)
Intrusion Detection FAQ: Why is intrusion detection required in today’s
computing environment?
(http://www.sans.org/resources/idfaq/id_required.php?
IDS, what is it and why do we need it?
(http://www.ixact.ch/english/pagesnav/IN.htm)
Q&A