Transcript Lesson15
Monitoring, Logs, and Intrusion Detection Systems Lesson 15 Are Firewalls Enough? You have the world's best firewall, your Windows computers update their antivirus software regularly and your Information Security staffers enforce your policies with an iron fist. Does this mean you're safe? Maybe not. In 1998, a news story asserted that the firewall for the New York Times was one of the best. Yet at 7:08 a.m. on Sunday, Sept. 13, 1998, someone on the paper's network e-mailed reporters: ...COM3 V1S1T HTTP://WWW.NYTIMES.COM AND S33 0UR LAT3ST P13C3 0F ART. 1F 1T D0ESN'T L0AD, JUST H1T 'REL0AD' A F3W T1MES. CL3V3R ADMINZ HAD S0M3 W3IRD CR0NTABZ OR S0METHING. 0H. W3 0WN YOU. Y0U JUST HAV3NT N0T1C3D US 0N Y3R N3TW0RK Y3T. UNT1L THE N3XT T1M3... No one at the Times had noticed weeks worth of the Hacking for Girliez gang on their network. The intruders finally chose to go public by defacing the opening page of their Web site—on the day the Times expected millions of visitors to view the Monica Lewinsky transcripts. Instead, visitors encountered soft porn . . . Intrusion and Misuse Detection Remember the operational model of security protection = prevention + (detection + response) Access controls and filters seek to prevent unauthorized or damaging activity. Intrusion and misuse detection mechanisms aim to detect it at its outset or after the fact. Has its roots in audit log files Operate on the principle that it is neither practical nor feasible to prevent all attacks. Intrusion Detection Can be manual (review of logs), automated, or a combination. Closely related to monitoring. Workplace monitoring used to – Ensure quality – Assess performance – Comply with regulations (e.g. ensure stockbrokers aren’t using high-pressure tactics in violation of stock exchange rules) Audit Trails Early intrusion detection involved reviewing system log or audit files. What events can be audited varies from system to system. Examples of auditable events include Reading/opening of a file Writing to or modifying a file Creation or deletion of an object Logins and Logouts Other administrative actions Special operations (e.g. changing a password) NT and 2000 Logging Primarily 3 types of event logs found in \WINNT\system32\config AppEvent.evt – the application log SecEvent.evt – the security events log SysEvent.evt – the system log Logs viewable by the Event Viewer found in the Administration Tools directory Files have a maximum size. When that size is reached the system can Overwrite events older than a certain number of days Overwrite events as needed Halt the system Unix Logging Several sources of log files in Unix syslog – the system log sulog – records actions to switch users (su) utmp – keeps track of users currently logged on wtmp – stores historical data on login, logout, shutdown, and restart events. lastlog – tracks each user’s most recent login time and the point of origin of the user. Successful and unsuccessful logins can be tracked. – At login, this information (about the last login) is often displayed Intrusion Detection Systems Various types of activities that an IDS checks for Attempted/successful break-ins Masquerading Penetration by legitimate users Leakage by legitimate users Inference by legitimate users Trojan horses Viruses Denial-of-service Approaches to IDS Attempt to define and detect abnormal behavior Attempt to define and detect anomalous activity Methods to perform IDS Four major methods attempted to perform intrusion detection: User Profiling Intruder Profiling Signature Analysis Action-based (attack “signatures”) User Profiling Basic Premise: the identity of any specific user can be described by a profile of commonly performed actions. The user’s pattern of behavior is observed and established over a period of time. Each user tends to use certain commands more than others, access the same files, login at certain times and at specific frequencies, and Execute the same programs. A user profile can be established based on these activities and maintained through frequent updating. A masquerading intruder will not match this profile. User Profiling Types of activity to record may include CPU and I/O usage Connect time and time of connection as well as duration Location of use Command usage Mailer usage Editor and compiler usage Directories and files accessed/modified Errors Network activity Initial profile takes time and can generate many alarms. Weighted actions often used (more recent activities more important than activities accomplished in past) Intruder Profiling Concept similar to criminal profiles used in the Law Enforcement community. Attempt to define the actions that an intruder will take when unauthorized action is obtained. For example: when an intruder first gains access the action often taken is to check to see who else is on, will examine files and directories, … Can also apply to insiders gaining access to files they are not authorized to access. Problem with this method is that it is hard to define all possible intruder profiles and often the actions of a new user will appear similar to the actions of an intruder. Signature Analysis Just as an individual has a unique written signature which can be used for identification purposes, individuals also have a “typing signature”. This characteristic first noticed in telegraph days. The time it takes to type certain pairs or triplets of letters can be measured and the collection of these digraphs and trigraphs together form a unique collections used to characterize individuals. This technique requires special equipment. Variation on this is to watch for certain abbreviations for commands and common errors. Action Based Also sometimes referred to as signature based. Specific activities or actions (attack signatures) known to be indicative of intrusive activity are watched for. E.g. attempts to exploit known security holes. Can also be used to look for unauthorized activity by insiders. Problem is that not all methods are known so new signatures are constantly being created and thus intrusion detection systems constantly need to be updated. Haystack Canonical 9-track Tape Audit trail Preprocessor Statistical Analysis Z-248 PC Audit Data Unisys 1100 Reports Intrusion Detection Expert System (IDES) Audit Records Active Data Collector Receiver Audit Data Expert System Active Data Profile Updater Profile Data Anomaly Detector Anomaly Data Security Admin Interface Multics Intrusion Detection and Alerting System (MIDAS) Command Monitor Audit Records Preprocessor Network Interface Fact Base Multics Statistical Data Base System Security Monitor Rule Base Symbolics Different Levels of IDS Host-based Intrusion Detection Will catch users logged directly into a system Will miss network actions (the network as a whole) Network-based Intrusion Detection Will miss individual actions on the host the user is logged directly into. Will be able to see attacks on multiple hosts (“door knob rattling”). Where do you place the IDS? On the LAN or on the outside of the router (the connection to the Internet)? Network Security Monitor (NSM) Network Traffic Packet Catcher Filter Object Detector & analyzer Report Generator Traffic Archive Network Profile – which systems normally connect to which others using what service. During a 2 month period, 110,000 connections analyzed at UC-Davis, NSM correctly identified over 300 intrusions, only 1% had been detected by admins. Distributed IDS (DIDS) Monitored Host Unmonitored host DIDS Director Monitored Host Unmonitored host LAN Monitor Monitored Host Cooperating Security Monitors (CSM) Command Monitor Local IDS Intruder Handler User Interface CSM Other CSM’s Common IDS’s Intruder Alert from AXENT/Symantec “NetRanger” (Cisco Secure IDS) from Cisco Systems RealSecure from Internet Security Systems Network Flight Recorder from NFR Kane Security Analyst (KSA) from Security Dynamics Snort an open source IDS IDS evaluation (from Network Computing 8.20.2001) IDS evaluation (integrated) (from Network Computing 8.20.2001) IDS evaluation (host based) (from Network Computing 8.20.2001) IDS evaluation (signatures) (from Network Computing 8.20.2001) Discussion on current IDS How are signature updates accomplished? How often are signatures updated? How many are there? What is the maximum bandwidth the IDS can monitor? What network protocols can be monitored? What OS platforms does the IDS work on? Does the IDS platform interact with other devices (e.g. firewalls, routers…)? What type of reporting tools are available? How is the security manager notified of events? Host or network based? Enterprise deployable? What training is required to operate and how much time does it take to operate the IDS? 50 ways to defeat an IDS 1 - Inserting extraneous characters into a standard attack typically causes detection failure. As an example, you could insert the string ‘&& true’ into a typical shell command line without ill effect on operation but with degraded IDS performance. 2 - Use tabs instead of spaces in commands. Since most current systems don’t interpret all separators in the same way, changing to non-standard separators can make them fail. You might also try ‘,’ instead of ‘;’ in the Unix shell. 3 – Closely related to number 2, you could change the separator character in the system so that (for example) % is the separator. This would confuse detection systems almost without exception. 4 - Reorder a detected attack sequence. For example, if the attack goes ‘a;b;c’ and it would also work as ‘b;a;c’, most detection systems would rank the one they were not tuned to find as unlikely to be an actual attack. 5 - Split a standard attack across more than one user. Using the ‘a;b;c’ example above, if user X types ‘a;b’ and user Y types ‘c’ the attack is almost certain to go undetected. 6 - Split a standard attack across multiple sessions. Login once and type ‘a;b’, logout, then login and type ‘c’. From 50 Ways to Defeat Your Intrusion Detection System by Fred Cohen of Fred Cohen & Associates 50 ways to defeat an IDS 7 - Split across multiple remote IP addresses/systems. Login from sites X and Y, and type ‘a’ from site X, ‘b’ from site Y, and ‘c’ from site X. 8 - Define a macro for a command used in a standard attack. For example, set a shell variable called ‘$ZZ’ to ‘cp’ and then use ‘$ZZ’ instead of ‘cp’ where appropriate. 9 - Define a macro for a parameter in a standard attack. For example, use the name ‘$P’ instead of the string ‘/etc/passwd’. 10 – Create shell scripts to replace commands you use. If you do this carefully, the detector will not associate the names you use for the scripts to the commands and will miss the whole attack. 11 - Use different commands to do the same function. For example, ‘echo *’ is almost the same as ‘ls’ in the Unix shell. 12 - Change the names in standard attacks. For example, if the standard attack uses a temporary file named ‘xxx’, try using ‘yyy’. 50 ways to defeat an IDS 15 - Encrypt your attacks – for example, by using the secure shell facilities intended to increase protection by preventing snooping – including snooping by the IDS. 21 - Overwhelm the IDS sensor ports. For example, by using an echo virus against a UDP port, you might make the sensor port unable to receive further sensor inputs. 22 - Crash the IDS with ping packets. By sending long IPNG packets, many systems that run IDS systems can be crashed, causing them to fail to detect subsequent attacks. 23 – Kill the IDS by attacking its platform. Most IDS systems run on regular hosts which can themselves be attacked. Once the platform is taken over, the IDS can be subverted. 25 - Consume all IDS disk space then launch for real. By (for example) overrunning the disk space consumed by the IDS with innocuous but detected sequences, the IDS will fail and subsequent attacks go undetected. 41 - Attack over dial-ins instead of a network. Network-based IDS systems will never notice this activity. Monitoring and the Law Issue is expectation of privacy – does the individual have one? You generally need to inform individuals using the system that their actions are subject to monitoring. Government systems have the warning banner. This advice also issued by CERT (CA-92:19) for anybody wanting to monitor keystrokes. Note that it is considered not enough to notify all authorized users (when they are issued their initial password for example), it must be displayed each time at login. And what about IDS and the PSTN? Two aspects Detection of intrusions into the IP network from the PSTN Detection of intrusions into the PSTN and its systems Do you Have a separate system, or Feed current IDS with data from the PSTN? Intrusion Detection –vsIntrusion Prevention Often viewed as a blending of firewalls and IDS Definition: A device (HW or SW) that has the ability to detect an attack and to prevent the attack from being successful. Must handle known and unknown attack methods Will look at 4 general types of IPS Inline NIDS Layer Seven Switches Application Firewall/IDS Deceptive Applications Inline NIDS Offers the capabilities of a regular NIDS with the blocking capabilities of a firewall. Examines traffic, decides whether to send it on or not. Generally needs to know what it is looking for (e.g. signatures). From: http://www.securityfocus.com/infocus/1670 Layer Seven Switch Usually think of switching as a layer 2 function. Due to bandwidth intensive content, some switching now going on a layer seven (e.g. load balancers) where application traffic can be examined. Decisions can be made as to whether data is sent. Generally needs to know what it is looking for. One of best uses is to address DoS attacks. Application Firewall/IDS Loaded on each server to be protected. Customized for the application to be protected. Don’t look at packets, look at API calls, memory management (for overflows), and interaction of user with OS. Can help prevent new attacks since it is not looking for signatures but rather attempted actions. Deceptive Applications Idea has been around for a while Concept is to first watch network to determine profile of normal traffic If traffic comes along later, such as scan for a service on a system that doesn’t exist, then respond with bogus data so packets are “marked” and future traffic from attacker will be noticed and handled easily. Deceptive Applications No system 10.1.1.20! From: http://www.securityfocus.com/infocus/1670 Sample Commercial IPS Summary What is the Importance and Significance of this material? How does this topic fit into the subject of “Voice and Data Security”?