Transcript set 2 - of Manish Mehta

Intrusion Detection
Presentation : 2 OF n
by Manish Mehta
02/07/03
What will we discuss?
• Network-Based Detection
• Network-based Architecture
Traditional Sensor-based
Distributed Network-node
• Network Intrusion Detection Engine
Signatures
• Operational Concepts for network-based detection
• Benefits of network-based ID
• Challenges for network-based Technologies
Introduction
• Why you call it ‘network-based’?
- used to analyze network packets.
- packets are ‘sniffed’ off the network.
• TCP/IP is the most common protocol
targeted by commercial IDS.
• Different technologies can resolve different
levels of protocols through the application
layer.
Network-based Detection
• Most network-based attacks are directed at
OS vulnerabilities.
• These can be exploited mainly towards
following means
– Unauthorized Access
– Data/Resource Theft
– Denial of Service
Unauthorized Access
Unauthorized Login
- Key is to detect before/while logging in.
- TFTP is well-known for lack of security.
- SunOS 4.1.x had security problems with file
sharing protocol.
Jump-off Point
- They are ‘bad’ and not ‘stupid’.
- A compromised computer can open up several
other computers in the same organization.
- Why is my mail server contacting DoD?
Data/Resource Theft
Information theft
- Password file download
gives attacker the ability to compromise
other systems. (look for ‘/etc/passwd’)
- Secret Data file download
Credit card numbers, Employee HR data
Bandwidth Theft
- Firms with lot of bandwidth not used at all times.
- If the business of the attacker grows, he will be
caught.
Denial of Service
Malformed Packets
- Not all error conditions are taken care of while coding the
protocol stack.
- Code is not prepared to handle impossible situations in
argument fields.
Packet Flooding
- Not a very sophisticated attack.
- If source address is spoofed, it can be hard to deal with.
Distributed DoS
-Special case of Flooding (several machines attack at once)
- ID is not a very good tool against this attack, but it can be
helpful
NID Architecture
• Two types of NID
Traditional Sensor-based (Promiscuous mode)
- obtain packets, search for patterns, report
alarms to the central command console.
Network-node (Distributed)
- Agent on each computer (for individual
target)
Traditional Sensor-based
Architecture
• Ethernet Chip in Promiscuous mode
• “sniffed” packets are fed to the detection
engine (typically on the same machine)
• Taps are distributed to all mission-critical
segments (generally one per segment)
• Central command console correlates alarms
from multiple sensors.
Life cycle of a Packet
• Packet is born.
• “sniffed” off the wire in real-time by the
sensor. (a stand-alone machine or a network
device in promiscuous mode)
• Detection engine matches the predefined
patterns. If matched, Alert is generated and
forwarded to central console.
• Security officer is notified.
Life cycle of a Packet (Contd.)
• Response is generated.
- Reconfiguring of routers/firewall rules
- Terminate session
• Alert is stored for later review and
correlation.
• Reports are generated.
• Data forensics for long-term trends.
Distributed Network-node
Architecture
• Sensor on every computer.
• Every sensor is concerned about the target it
resides on.
• Now confused between host and network
based??
- the difference between host and network
based ID is the source of data
• Network-node agents communicate with each
other on the network to correlate alarms at the
console.
Life cycle of a Packet
• Packet is born.
• The packet is read in real-time through a
sensor resident on the destination machine.
• A Detection Engine is used to match
signatures of misuse. If a pattern is found,
an alarm is generated and forwarded to
central console or other sensors on the
network.
Life cycle of a Packet (Contd.)
• Security officer is notified.
• Response is generated.
- Reconfiguring of routers/firewall rules
- Terminate session
• Alert is stored for later review and
correlation.
• Reports are generated.
• Data forensics for long-term trends.
Misconception 
Real-Time ID
“I need Intrusion Detection”
“Are you interested in network-based or host
based?”
“Oh, I need real-time Intrusion Detection”
“Great, on the host or the network”
“What???”
Network Intrusion Detection Engine
• This is where the real magic is !!
• A stream of time sequential TCP/IP packets
is processed to detect predetermined
sequences and patterns (signatures).
• Speed – An Issue.
Network Signatures
• Packet Content Signatures
- based on contents of packets (smart ??)
• Traffic Analysis Signatures
- based on Header information and flow
of traffic
• More on detection mechanisms in future
talks.
Packet Content Signatures
• Simple Example
- Copy password file over FTP.
- Look for pattern “passwd” in the
packet.
(Output of Snoop)
Source.com  dest.com
ETHER Type=0800(IP), size = 67 bytes
IP D= 134.193.22.26 S=134.193.18.3 LEN=53, ID=34704
TCP D=21 S=2095 Ack=21233432 Seq=21342876 Len=13 Win=4096
FTP C port=2095 RETR \etc\passwd\r\n
Traffic Analysis Signature
• Simple Examples
- A lot of packets destined to one machine in
relatively short period of time.
(An attempt of DoS attack)
- A packet coming from outside the network
with Source IP address as that of the inside
network.
Operational Concept
• A NIDS only performs as well as it is
operated. (configured)
• The value of the system depends on the
skills of the operator.
• Network based ID may be used in a manner
that requires very few resources.
How do I use NIDSs?
• The specific use of a NIDS is dependent on the
environment-specific requirement.
• Sensor placement plays an important role.
Example:
Sensor placed outside the firewall will identify
source addresses attempting to attack you.
Sensors placed inside the firewall will detect attacks
that successfully circumvent your firewall.
(IF you don’t have a Firewall, YOU SHOULDN’T
BE HERE ! GO INSTALL IT FIRST !!)
Operational Modes
• Operational mode describes the manner in
which you will operate your NIDS and
partially describe the end goals of
monitoring.
• Two primary operational modes:
- Tip-Off
- Surveillance
Tip-Off and Surveillance
• The defining characteristic for tip-off
The system is detecting something
previously unsuspected.
• Unlike tip-off, Surveillance takes place
when misuse is already indicated or
suspected. It is an increased effort to
observe the behavior of a small set of
objects.
Benefits of NID
• Outside Deterrence
- A notification to the hacker can enhance the
deterrent value of an IDS.
• Threat Detection
- Can be used deterministically or in a Decision
Support Context.
• Automated Response and Notification.
- Pager, SNMP trap, On Screen, Audible, E-mail.
Challenges for Network-based
Technologies (promiscuous-mode)
• Packet Reassembly (IP fragmentation)
- can only search for patterns after
reassembly.
• High-speed networks (Gig E?)
• Sniffer Detection Programs (Antisniff)
• Switched Networks (IP over ATM?)
• Encryption (IPSec, VPN)
Questions ?
Until then ..