Transcript presentation (MS Powerpoint)

Distributed IDS
• The implementation of a
Distributed Intrusion
Detection System over a
medium scale open
network where the focus is
availability of services.
•
Darian Jenik - Network Management
Queensland University of Technology
What IDS is:
• IDS is a combination of methods for determining
the presence and location of unauthorized activity
on the computer network.
• IDS is the detection and reporting of security
vulnerabilities.
• IDS is the logging and detection of internal users
“misdemeanors” to protect liability
What IDS is not:
• IDS in NOT security –
• For security you need:
• Good security policy that is both documented and adhered to.
• Good security practice by system administrators.
• Hardened perimeter firewalls and “DMZ” firewalls.
• IDS is not a product.
• IDS is not a sensor.
The scale of the problem
• Approximately
10000 hosts
100 web servers
300 “servers” of
other type
• Students
• System
Administrators
• IAS
IDS should perform the following tasks
• Detect known violations to host integrity by passively
•
•
•
•
•
watching network traffic.
Respond to attempted violations by blocking external IP
addresses.
Respond to probes from outside by blocking external IP
addresses.
Find and report usage inconsistencies that indicate
account/quota theft.
Detect violations by monitoring information (web pages
etc….)
Help log and establish traffic/host usage patterns for future
reference and comparison
Detect known violations to host integrity by
passively watching network traffic.
• Just one type of sensor?
• IDS sensors:
• Gateways – Traditionally
• Put IDS sensors on hosts to look after specific
services running on the hosts and detect port
scans.
Respond to attempted violations by blocking
external IP addresses.
• Make sure the IDS is able to respond and
send commands to firewalls and/or hosts.
• IDS sends RST packets to both ends of the
connection.
• IDS is able to insert rules into border firewall.
Respond to probes from outside by blocking
external IP addresses.
• Attempts to open ports on servers that are
not enabled. (Collate multiple servers to
report to single location.)
• Make “flypaper” IP addresses that have
never been used for anything that serve to
pickup slow probes.
Find and report usage inconsistencies that
indicate account/quota theft.
• Determine that the accounts authorized at
the locations (dial in/pc) are the same
accounts using other services
(mail/proxy/other logins).
• Failed attempts to login to services that are
not successful.
• Accounts being used simultaneously at
various locations.
Detect violations by monitoring information.
(web pages etc….)
• Graffiti, DNS spoofing, wares repositories.
• Ensure that the monitoring is external as
well as internal.
• http://forced.attrition.org/mirror/attrition/
Help log and establish traffic usage patterns for
future reference and comparison.
• Central syslog collecting and analysis.
• Tripwire
• Nmap database
• Performance and Usage analysis.
• Open Source
• Just about any
platform(Including
windows)
• Many plugins and
external modules.
• Frequent rules
updates.
Snort Plugins
• Databases
•
•
•
•
•
•
•
•
mySQL
Oracle
Postgresql
unixODBC
Spade (Statistical Packet Anomaly Detection engine)
FlexResp (Session response/closing)
XML output
TCP streams (stream single-byte reassembly)
Snort Add-ons
•
•
•
•
•
•
•
Acid(Analysis Console for Intrusion Detection) - PHP
Guardian – IPCHAINS rules modifier.(Girr – remover)
SnortSnarf - HTML
Snortlog – syslog
“Ruleset retreive” – automatic rules updater.
Snorticus – central multi-sensor manager – shell
LogSnorter – Syslog > snort SQL database information
adder.
• + a few win32 bits and pieces.
Acid + Snort
•
•
•
•
Acid is a Cert project.
Pretty simple PHP3 to mySQL
Quite customizable.
Simple GUI for casual browsing.
•
Main
Console
•
Individual
alerts
•
Securityfocus
•
Whitehats
•
CVE
• Rule details
• Incident
details
• Incident
Details
Questions ?
URLS
•
•
•
•
•
•
www.snort.org
http://www.cert.org/kb/acid/
www.whitehats.com (Intrusion signatures data)
www.securityfocus.com (Intrusion signatures data)
http://cve.mitre.org/ (Intrusion signatures data)
http://www.psionic.com/ (logcheck + hostsentry)