
KAPLAN SCHOOL OF INFORMATION SYSTEMS AND TECHNOLOGY
Welcome to
Intrusion Detection and
Incidence Response
Course Name – IT390-01 Intrusion Detection and Incidence Response
Instructor – Jan McDanolds, MS, Security+
Contact Information: AIM – JMcDanolds
Email – [email protected]
Office Hours: Tuesday, 8:00 PM ET or Thursday, 8:00 PM ET
UNIT 2
Agenda for Unit 2
Overview of Unit 1
Chapter 1 in Intrusion Prevention Fundamentals – Cisco book
Chapter 1 Implementing Intrusion Detection System – Wiley ebook
Unit 2 – Reading: Chapter 2 in Cisco book
Signatures: types, triggers and actions
UNIT 1 – CHAPTER 1
Intrusion Prevention Overview
Why is an IPS necessary?
Technology adoption – client-server, Internet, wireless
connectivity, mobile computing
Target value – information theft, zombie acquisition
Attack characteristics – delivery mechanism, attack
complexity, attack target and attack impact
UNIT 1
Intrusion Detection Technology
versus
Intrusion Prevention System
Intrusion Detection System (IDS) – an intrusion
monitoring system that passively monitors network traffic
looking for malicious activity.
Intrusion Prevention Systems (IPS) – an intrusion
monitoring system that examines network traffic while it
acts as a forwarding device for that traffic.
Two types: Host and Network
UNIT 1
Attack Examples
Review attacks - See pages 17 to 22
Table of attack examples (columns): Year, Delivery Mechanism, Complexity, Target, Impact
Attacks covered: Replacement Login, The Morris Worm, CIH Virus, Loveletter Worm, Nimda, SQL Slammer
Why do we need to study these?
UNIT 2
Intrusion Detection Technology
Technology designed to monitor computer activities for the
purpose of finding security violations.
An IDS is similar to an alarm system. An alarm means there is some sort of
potential malicious activity (fire, break-in, etc.).
Example: When a fire alarm goes off, it does not put out the fire. If there are
people in the building, the alarm alerts them to leave. If there is a sprinkler
system, it may have already activated due to heat or smoke. The two systems
may not even be connected.
Alarm systems for buildings would not be effective if fire sensors were the
only triggers. Sensors on windows and doors protect against a physical
intrusion. Carbon monoxide sensors warn of hazardous gas.
False alarms are common. Burnt toast in the faculty lounge or smoke in the
chemistry lab may trigger an alarm, but do not set off the sprinkler system.
UNIT 2
Intrusion Detection Technology (cont.)
IDSs use rules (dynamic or static) to allow or deny (block)
activity. This is similar to a lock on a door, and similar
to, but not the same as, a firewall.
Example: The activity from an IP address indicates it is attempting to scan for
open ports. One of the ports it is scanning is FTP, which listens on port 21. The IDS
has a rule indicating that any outside scan for port 21 should be blocked.
The IDS dynamically logs the IP address, indicating that any further activity from this
address should be blocked. All subsequent packets from this IP address are dropped.
Examples:
TCP Kill with Linux – using tcpkill not netstat
http://www.cyberciti.biz/howto/question/linux/kill-tcp-connection-using-linux-netstat.php
Windows Firewall
http://windows.microsoft.com/en-US/windows-vista/Understanding-Windows-Firewall-settings
Open a port in Windows Firewall
http://windows.microsoft.com/en-US/windows-vista/Open-a-port-in-Windows-Firewall
UNIT 2
Intrusion Detection Technology (cont.)
Physical Intrusion Detection
Example: ADT
http://www.adt.com/commercial-security/products/intrusion-detection
“Our intrusion detection systems are designed to help protect your people and
property. After all, while your property is valuable, nothing is more precious
than the lives of your employees, customers, and clients.”
Intrusion Detection Service Features:
Burglar alarm system monitoring (off site)
Hold-up and panic button/signal monitoring
Critical condition monitoring
UNIT 2
Intrusion Detection Technology (cont.)
SecureWorks – Dell Company
http://www.secureworks.com/services/managed_ids_ips
“Network Intrusion Detection and Prevention (IDS/IPS) devices can provide a highly
effective layer of security designed to protect critical assets from cyber threats.
Organizations can detect attempts by attackers to compromise systems, applications
and data by deploying network IDS; however, keeping the devices tuned and up-to-date
so they are effective is a challenge for many organizations.
Dell SecureWorks team of security device management experts can help alleviate this
burden and enable more effective operation.”
Managed IDS/IPS service provides
Expert signature tuning
Real-time threat monitoring and response
Integrated Counter Threat Unit intelligence
On-demand security and compliance reporting
Auditable and accurate change management
UNIT 2
Intrusion Detection Technology (cont.)
SecureWorks
“Malicious attacks that use encryption
can easily bypass firewalls and network
intrusion prevention systems. Host
intrusion prevention provides another
layer of defense to protect your
infrastructure from internal and external
attacks that use encryption techniques.
However, host intrusion prevention
systems (HIPS) are complex and difficult
to configure. If implemented incorrectly,
HIPS can cripple an application on the
host server.”
“Dell SecureWorks' Host Intrusion
Prevention System (Host IPS) service is
a fully managed service that decrypts
and inspects encrypted traffic to
prevent external and internal attacks on
your critical servers in real time.”
http://www.secureworks.com/services/host_intrusion_prevention/
Host Intrusion Prevention – Host IPS
UNIT 2
Issue with Zero-Day
“Careful, that zero-day signature you just got from your IPS vendor could
be used against you: Researchers from Errata Security at Black Hat USA
this week will show how an attacker can easily reverse-engineer these zero-day
filters that IPS (intrusion prevention system) vendors distribute, and
then use them to leverage an attack.
Errata CEO Robert Graham and CTO David Maynor will demonstrate this using
TippingPoint's signatures, but Graham says it's possible to reverse-engineer any IPS
vendor's zero-day signatures. The company was also able to do the same with
signatures from Cisco, Juniper Networks, and McAfee, he says, although they will
only demonstrate their research on TippingPoint's IPS in its Thursday morning
session, entitled "Simple Solutions to Complex Problems from the Lazy Hacker’s
Handbook."
The researchers will show how these signatures basically give an
attacker the ammunition to do damage using bugs that wouldn't have
otherwise been known about yet. "The point is that if you're a black hat, it's
easier to get a zero-day from the vendor than to develop your own,"
Graham says.”
http://www.darkreading.com/security/security-management/208804656/index.html
UNIT 2
Chapter 2 in Cisco book
Unit 2 – Reading: Chapter 2
Signatures: types, triggers and actions
What is a signature?
http://www.symantec.com/connect/articles/network-intrusion-detection-signatures-part-one
Signature Basics: A network IDS signature is a pattern that we want
to look for in traffic.
Examples:
Connection attempt from a reserved IP address.
Packet with an illegal TCP flag combination.
Email containing a particular virus.
DNS buffer overflow attempt contained in the payload of a query.
Denial of service attack on a POP3 server caused by issuing the same command thousands of times.
File access attack on an FTP server by issuing file and directory commands to it without first logging in.
UNIT 2
Signatures and Actions
Signatures: types, triggers and actions
Signature types: atomic and stateful
Signature triggers: pattern detection, anomaly-based
detection, behavior-based detection
Signature actions: generating an alert, dropping,
logging, resetting TCP connection, blocking future activity,
allowing (page 45)
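A toy inline sensor, added here as an illustration (it is not code from the Cisco text or from any product): it carries one atomic signature (the illegal SYN+FIN flag combination from the signature examples above), one stateful signature (an FTP file or directory command issued before the session logged in), and the drop and block-future-activity actions, the latter being the dynamic blocking from the port-scan example earlier. The packet record, addresses and traffic are constructed, and treating PASS as a completed login is a simplification.

```python
from dataclasses import dataclass

@dataclass
class Packet:           # constructed packet record: only what the signatures need
    src: str
    dport: int
    flags: frozenset    # TCP flags, e.g. frozenset({"SYN", "FIN"})
    payload: str = ""
# Atomic signature: one packet decides. SYN and FIN set together is an illegal
# TCP flag combination, so no session context is needed.
def sig_illegal_flags(pkt, state):
    return {"SYN", "FIN"} <= pkt.flags
# Stateful signature: an FTP file/directory command is suspicious only before the
# session has logged in, so per-source login status is kept across packets.
def sig_ftp_cmd_before_login(pkt, state):
    if pkt.dport != 21 or not pkt.payload.strip():
        return False
    cmd = pkt.payload.split()[0].upper()
    logged_in = state.setdefault("ftp_logged_in", set())
    if cmd == "PASS":   # simplification: PASS is treated as a completed login
        logged_in.add(pkt.src)
        return False
    return cmd in {"RETR", "STOR", "LIST", "NLST", "CWD"} and pkt.src not in logged_in
# (name, trigger, action); actions modelled: alert (log, forward), drop, block
SIGNATURES = [
    ("illegal-tcp-flags", sig_illegal_flags, "drop"),
    ("ftp-cmd-before-login", sig_ftp_cmd_before_login, "block"),
]

class Sensor:
    def __init__(self):
        self.state, self.blocked, self.alerts = {}, set(), []
    def inspect(self, pkt):             # inline verdict: "forward" or "drop"
        if pkt.src in self.blocked:     # blocking future activity from this source
            return "drop"
        for name, trigger, action in SIGNATURES:
            if trigger(pkt, self.state):
                self.alerts.append((name, pkt.src, action))   # generate alert / log
                if action == "block":
                    self.blocked.add(pkt.src)
                return "forward" if action == "alert" else "drop"
        return "forward"
def run_demo():
    """Constructed traffic: SYN/FIN probe, FTP LIST before login, then a packet from the now-blocked source."""
    s = Sensor()
    pkts = [Packet("10.0.0.5", 80, frozenset({"SYN", "FIN"})),
            Packet("10.0.0.9", 21, frozenset({"ACK", "PSH"}), "LIST\r\n"),
            Packet("10.0.0.9", 80, frozenset({"SYN"}))]
    return [s.inspect(p) for p in pkts], s.alerts
```

Note that the third packet is dropped although it matches no signature: the block action on the earlier FTP match is what discards it, which is the difference between drop and block on page 45.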
UNIT 2
Six Integral Steps to Selecting the Right
IPS for Your Network (Opus article)
Step 1: Why am I buying an IPS?
Every IPS has a different set of design goals and features targeted
to address a limited set of questions.
Step 2: Determine the Level of Security and Coverage you
require
Three approaches in current IPS products: signature-based (including
protocol anomaly) IPS, rate-based IPS, and behavioral IPS
Step 3: Determine Your Performance Requirements
Step 4: Determine Your Form Factor Requirements
IPS is not a product; IPS is a function and a technology…many kinds of devices
including standalone IPS appliances, inside of firewalls and switches, and in
other types of security appliances, such as SSL VPNs.
Step 5: Determine your Management Requirements
Step 6: Evaluate an IPS
UNIT 2
Readings
Unit 2 Readings:
Chapter 2 in Intrusion Prevention Fundamentals
ALSO
Web Readings listed (Black Hat – How to Hack IPS Signatures and Opus white
paper – Six Integral Steps)
UNIT 2
Unit 2 Assignment
Essay on 5 actions:
“Our text describes 5 actions an IPS is capable of
performing (drop, log, block, reset, and allow). In a
2-3 page paper, using good APA formatting, briefly
review each of the 5 actions. Next, create a
hypothetical situation where each action (one
situation for each action) is implemented. For each
situation explain why the action is the correct choice for
the situation.”
Page 45 – Intrusion Prevention Fundamentals
UNIT 2
Unit 2 Assignments
Download chapters from Doc Sharing
Read chapters and web readings
Post to Discussion
Attend Seminar
Complete Assignment
Email any questions: [email protected]
Or you can call me 641-649-2980