NETWORK SECURITY - Clarkson University

NETWORK SECURITY
INTRUSION DETECTION SYSTEMS (IDS)
KANDIAH.M
Clarkson University, Potsdam, New York.
Introduction to IDS
• Why do we need an IDS?
– Firewalls and IDS
– Analogy-based example
• Classification of IDSs
• Models of IDS
– Anomaly-based model
– Signature-based model
A Typical Firewall Deployment (figure)
Source: http://www.scs-ca.com/images/topos/2-AV-01.gif
Anomaly Based IDS
• General Functional Mechanism
– Learns a profile of "normal" behaviour, then alerts on traffic or activity that deviates from the profile
• Behavioral Anomaly
– Statistical Approach
• Example: Traffic analysis (a baseline of normal traffic volume is learned; minutes that deviate significantly from it are flagged)
• Protocol Anomaly
– Based on protocols and communication structure
• Example: Insecure protocols (traffic that violates a protocol's specification, or uses a protocol in an unexpected way)
• Pros
– Captures all IP headers
– Filters out the legitimate traffic of the expected services (Mail, Web, DNS, etc.)
– More proactive: can detect previously unseen attacks, because it does not need a signature for them
– Quickly identifies probes and scans directed at network hardware
– Best suited for larger networks and networks that are frequently attacked
Anomaly Based IDS
• Cons
– Often raises false alarms (false positives), since unusual but legitimate activity also deviates from the profile
– Needs skilled personnel to analyze the possible intrusions
– Needs sophisticated hardware and software
– Creates a large amount of log data
– Increases network traffic (in some deployments)
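The statistical approach described above, as an added example (not part of the original slides): a baseline of connections per minute is turned into a profile (mean and standard deviation), and each observed minute is scored by how many standard deviations it lies from that mean. The traffic counts are constructed sample data, not a real capture, and the 3-sigma threshold is an assumed tuning value.

```python
"""Statistical (behavioural) anomaly detection over per-minute connection counts.

Learns a profile (mean and standard deviation) from a quiet baseline window,
then flags observed minutes whose z-score exceeds a threshold.
"""
import statistics
from typing import List, Tuple

# Constructed sample data (not a real capture): new connections per minute.
BASELINE = [42, 38, 45, 40, 44, 39, 41, 43, 37, 46, 40, 42]   # normal traffic
OBSERVED = [41, 44, 39, 310, 295, 43, 48, 120, 42]             # contains a burst


def build_profile(samples: List[int]) -> Tuple[float, float]:
    """Return (mean, population standard deviation) of the baseline window."""
    return statistics.fmean(samples), statistics.pstdev(samples)


def detect_anomalies(observed: List[int], profile: Tuple[float, float],
                     threshold: float = 3.0) -> List[Tuple[int, int, float]]:
    """Return (index, value, z_score) for every sample that lies more than
    `threshold` standard deviations away from the baseline mean."""
    mean, stdev = profile
    if stdev == 0.0:
        stdev = 1e-9   # a perfectly flat baseline would otherwise divide by zero
    hits = []
    for i, value in enumerate(observed):
        z = (value - mean) / stdev
        if abs(z) > threshold:
            hits.append((i, value, round(z, 2)))
    return hits


def anomalous_indices(threshold: float = 3.0) -> List[int]:
    """Indices of anomalous minutes in the constructed OBSERVED data."""
    profile = build_profile(BASELINE)
    return [i for i, _, _ in detect_anomalies(OBSERVED, profile, threshold)]


if __name__ == "__main__":
    mean, stdev = build_profile(BASELINE)
    print(f"baseline: mean={mean:.1f} conn/min, stdev={stdev:.2f}")
    for t in (3.0, 2.0):
        print(f"threshold {t} sigma -> anomalous minutes {anomalous_indices(t)}")
```

At 3 sigma only the burst minutes (indices 3, 4 and 7) are flagged; lowering the threshold to 2 sigma also flags the legitimately busy minute at index 6, which is the false-positive trade-off listed under Cons. The profile must be learned from traffic known to be attack-free, otherwise the attacker's activity becomes part of "normal".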
Signature Based IDS
• Based on known attack patterns
• There are two basic kinds of signature-based IDS:
1. NIDS (Network Intrusion Detection System)
2. HIDS (Host Intrusion Detection System)
What is an attack signature?
• A sequence of events that characterizes a known attack
A->B->C, D->E
• Examples of signatures (Unix systems)
– Gaining root privileges
– Suspected repetitive actions
» Using the command "sudo -s" or "su - root"
– Using CGI scripts to access files by passing crafted arguments, e.g.
http://www.host.com/~xxxx or
http://www.host.com/../../etc/passwd
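The two signature styles on this slide, as an added example that is not part of the original slides: an atomic pattern matched against a single event (a root-escalation command, a CGI path-traversal request) and a sequence signature (the same user repeating the escalation). The log lines are constructed, the field layout of the host lines is assumed, and the repeat threshold of three is an assumed tuning value.

```python
"""Signature matching over constructed host and web log lines.

Atomic signatures match one event; the sequence signature fires when the
same user repeats a root-escalation command `repeat_threshold` times.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Constructed sample logs (not real captures). The host lines imitate what a
# host agent might record for executed commands; the web lines imitate a
# web server access log.
HOST_LOG = [
    "10:00:01 host1 user=bob cmd='ls -la'",
    "10:00:05 host1 user=bob cmd='su - root'",
    "10:00:09 host1 user=bob cmd='su - root'",
    "10:00:14 host1 user=bob cmd='sudo -s'",
    "10:01:00 host1 user=alice cmd='sudo -s'",
]
WEB_LOG = [
    '203.0.113.7 - - "GET /index.html HTTP/1.1" 200',
    '203.0.113.7 - - "GET /cgi-bin/view.cgi?file=../../etc/passwd HTTP/1.1" 200',
    '198.51.100.9 - - "GET /~admin HTTP/1.1" 404',
    '198.51.100.9 - - "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 400',
]

ROOT_ESCALATION = {"sudo -s", "su - root", "su root"}   # command signatures
HOST_EVENT = re.compile(r"user=(\S+) cmd='([^']*)'")
WEB_REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
TRAVERSAL = re.compile(r"(?:\.\./){2,}.*etc/passwd")      # ../../etc/passwd
USERDIR_PROBE = re.compile(r"^/~[\w-]+")                   # /~user enumeration

Alert = Tuple[str, str, str]   # (signature name, subject, evidence)


def match_host(lines: List[str], repeat_threshold: int = 3) -> List[Alert]:
    """Atomic signature: a root-escalation command.
    Sequence signature: the same user issuing `repeat_threshold` of them."""
    alerts: List[Alert] = []
    per_user = defaultdict(int)
    for line in lines:
        m = HOST_EVENT.search(line)
        if not m:
            continue
        user, cmd = m.groups()
        if cmd in ROOT_ESCALATION:
            alerts.append(("root-escalation", user, cmd))
            per_user[user] += 1
            if per_user[user] == repeat_threshold:
                alerts.append(("repeated-escalation", user,
                               f"{repeat_threshold} attempts"))
    return alerts


def match_web(lines: List[str]) -> List[Alert]:
    """CGI/web signatures. The path is percent-decoded first so that an
    attacker cannot evade the pattern by writing %2e%2e instead of .."""
    alerts: List[Alert] = []
    for line in lines:
        m = WEB_REQUEST.search(line)
        if not m:
            continue
        raw_path = m.group(1)
        path = unquote(raw_path)
        src = line.split()[0]
        if TRAVERSAL.search(path):
            alerts.append(("path-traversal", src, raw_path))
        if USERDIR_PROBE.match(path):
            alerts.append(("userdir-probe", src, raw_path))
    return alerts


def run_all() -> Dict[str, List[Alert]]:
    """Run both signature sets over the constructed logs."""
    return {"host": match_host(HOST_LOG), "web": match_web(WEB_LOG)}


if __name__ == "__main__":
    for source, alerts in run_all().items():
        for name, subject, evidence in alerts:
            print(f"[{source}] {name:<20} {subject:<14} {evidence}")
```

The decoding step in `match_web` is the practical caveat behind the later "can be evaded" point: a signature that matches only the literal string `../` misses the percent-encoded form of the same request, so the matcher has to normalize input to the form the target will interpret before comparing.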
Signature Based IDS
• General Functional Mechanism
– Compares observed events against a database of known attack patterns and alerts on a match
• Pros:
– Ease of use
– Looks for O/S-level changes (biggest advantage; this applies to the host-based form)
– Less dependence on skilled personnel, since a match maps to a named attack
– Commercial and open source implementations available
– Regular updates of new signatures to the signature database
Signature Based IDS
• Cons:
– More reactive: an attack can only be detected once a signature for it exists
– More reliable updates only for commercial versions
– More suited for hosts than networks
• Why?
– Depends on network traffic (a network sensor sees only the traffic on its segment and can be overwhelmed by volume)
– Consumes CPU time
– Can be evaded easily (e.g. by encoding or fragmenting the attack so the pattern no longer matches)
Network Intrusion Detection Systems (NIDS)
• Functional Mechanism
– Uses large standby databases of signatures
• Components of NIDS
– Sensors and consoles
NIDS: A typical deployment (figure)
NIDS
• Selection Criteria
– Deployment of NIDS
• Interference with network traffic
• Commercial and Open Source NIDS
– Examples: Snort and Bro (both open source; Snort also has commercial rule subscriptions and appliances)
» Monitor the network in passive mode (from a tap or SPAN port)
» No direct interference with the network traffic
HIDS
• Functional Mechanism
– Analogy example…
– Detects O/S-level changes (files, configuration, privileges)
– Sensors on the host, with the ability to kill the offending session
• Most effective among all IDS types
– Inspects data on the host after decryption, so encrypted traffic that blinds a NIDS is still visible to a HIDS
• Commercial vs Open Source
– Example: Tripwire
HIDS: A typical deployment (figure)
Advancements in IDS
• Hybrid IDS
– Combination of NIDS functionality and HIDS
• Decoy-Based IDS
– Example: our honeypot machine
– *No problem with false positives
– Captures only unauthorized activity
– All traffic to the decoy is considered suspicious, since no legitimate user has a reason to connect to it
In Progress…
• Circumstances under which attacks go unnoticed
• Hybrid NIDS
• Detection points