Intrusion Detection Systems: Snort & Tripwire
Becky Newell-Nicosia
June 4, 2004
COEN 150
Intrusion Detection Systems (IDS)
Complexities of networking technologies result
in multiple vulnerabilities at all layers of the
network.
Instruments for intrusion detection, intrusion
prevention, and forensic analysis are needed.
An IDS is designed to monitor networking and
computing activities for the purpose of detecting
and potentially preventing security violations.
2 Types of IDS:
Network-based (NIDS) – (e.g. Snort)
Host-based (HIDS) – (e.g. Tripwire)
IDS Analogy
An intrusion detection system is not a
firewall. It is designed to sound alarms
when malicious activity occurs but does
not necessarily stop it from happening.
You can think of a firewall as the lock on a
door and the intrusion detection system as
the alarm that notifies the police of an
intruder break-in.
IDS: A Brief History
Origins of intrusion detection can be traced back to electronic
data processing (EDP) auditing – DoD’s Tan Book of
the Rainbow Series, A Guide to Understanding Audit in
Trusted Systems (last updated June 1, 1988)
(1980) James Anderson published a paper for the Air Force
(1987) Dorothy Denning & Peter Neumann published a
paper explaining the correlation between anomalous
activity and an indication of potential security
breaches.
(1988 – 1995) UC Davis developed and enhanced the
Network Security Monitor (NSM), one of the first
network-based intrusion detection systems.
IDS Preparedness
There is no true “out-of-the-box” solution for
intrusion detection - avoid being misled by vendor
“hype” about a panacea solution.
1st Step: Establish firm, realistic goals
2nd Step: Prioritize specific requirements needed for
an organization’s unique networking environment.
3rd Step: Budget & Resources
A proper understanding of the capabilities and limitations of
signature-based intrusion detection requires a relatively
solid understanding of the TCP/IP protocols.
IDS Architecture & Design
Every network is unique and there are
many types of IDS deployments.
Determine good rule selection
(signature-based alerting) for
environment being monitored:
Ensure good performance
Ensure good detection capabilities
Ensure a reasonable number of alerts.
IDS Deployment Example
Network-Based IDS (NIDS)
Uses hardware, software or both to
analyze network activity by capturing data
packets traveling on network.
Some NIDS are anomaly-based:
All activity measured against a baseline of “normal”
activity
Most NIDS are signature-based.
Signature-Based NIDS
Each specific attack is examined to find a
sequence of data in a network packet that
matches a previously uniquely-defined type of
attack or “signature”.
All known signatures stored in database or
library for IDS software to cross-reference and
compare with internet traffic in real-time.
When a match is made, the IDS program processes
the alert information and creates a log entry or
initiates some notification mechanism (e.g.
email or pager alert).
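The matching loop described above, as an added example that is not part of the original slides and is not Snort's engine: each signature carries a protocol, an optional destination port and a byte sequence, and a packet raises an alert only when all three agree. The rule ids, messages, addresses and payloads are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Signature:
    sid: int                 # constructed rule id
    msg: str                 # text written to the alert log
    proto: str               # "tcp" or "udp"
    dst_port: Optional[int]  # None matches any destination port
    content: bytes           # byte sequence searched for in the payload
    nocase: bool = False     # compare without regard to ASCII case

# Constructed signature library (illustrative, not real Snort rules).
SIGNATURES = [
    Signature(1000001, "WEB directory traversal", "tcp", 80, b"../../"),
    Signature(1000002, "FTP root login attempt", "tcp", 21, b"USER root", nocase=True),
]

def match_packet(packet, signatures=SIGNATURES):
    """Compare one decoded packet with every signature; return alert lines."""
    alerts = []
    for sig in signatures:
        if sig.proto != packet["proto"]:
            continue
        if sig.dst_port is not None and sig.dst_port != packet["dst_port"]:
            continue
        payload, needle = packet["payload"], sig.content
        if sig.nocase:
            payload, needle = payload.lower(), needle.lower()
        if needle in payload:
            alerts.append(f'[{sig.sid}] {sig.msg} {packet["src"]} -> '
                          f'{packet["dst"]}:{packet["dst_port"]}')
    return alerts

# Constructed sample traffic (documentation address ranges).
PACKETS = [
    {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.10", "dst_port": 80,
     "payload": b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n"},
    {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.10", "dst_port": 21,
     "payload": b"user ROOT\r\n"},
    {"proto": "tcp", "src": "198.51.100.9", "dst": "192.0.2.10", "dst_port": 80,
     "payload": b"GET /index.html HTTP/1.0\r\n"},
    {"proto": "tcp", "src": "198.51.100.9", "dst": "192.0.2.10", "dst_port": 25,
     "payload": b"USER root\r\n"},  # right bytes, wrong port: no alert
]

def run():
    return [alert for pkt in PACKETS for alert in match_packet(pkt)]
```

Only the first two packets produce alerts; the last one shows how a port constraint keeps the alert count down, which is the rule-selection trade-off raised under IDS Architecture & Design.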
NIDS Challenges
An overwhelming amount of information is logged
by an IDS; it is common to generate thousands
of alerts per day.
Attackers are continuously developing strategies to
bypass intrusion detection systems just about
as fast as IDS is being further developed and
improved.
The use of switches, gigabit Ethernet, firewalls,
and encryption present architectural
challenges.
OSI & TCP/IP Model
TCP Handshake Process
TCP Disconnection Process
TCP/IP 4-Layer Model &
Associated Threats
Network Interface Layer:
Media Access Control (MAC) Spoofing
Internet Layer:
IP Spoofing
ICMP “Ping” Reconnaissance Probing
Transport Layer:
Stealth Port Scanning (e.g. SYN-ACK & FIN)
SYN Flood Attacks
Application Layer:
FTP Bounce Attack – Port Scanning
Vulnerability Exploitation (e.g. Blaster Worm)
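Detection logic for the transport-layer SYN flood listed above, as an added example that is not part of the original slides: it follows the TCP three-way handshake per connection and reports targets that accumulate unfinished handshakes. The packet records, addresses and threshold are constructed, and the sketch assumes no time window (a production sensor would expire old entries).

```python
from collections import Counter

def half_open_targets(packets, threshold=3):
    """Follow each three-way handshake (SYN, SYN-ACK, ACK) and return the
    (dst, dport) targets holding at least `threshold` unfinished handshakes."""
    conns = {}  # (client, cport, server, sport) -> last handshake step seen
    for p in packets:
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if p["flags"] == "S":                      # client opens
            conns[fwd] = "SYN"
        elif p["flags"] == "SA" and conns.get(rev) == "SYN":
            conns[rev] = "SYN-ACK"                 # server answers
        elif p["flags"] == "A" and conns.get(fwd) == "SYN-ACK":
            conns[fwd] = "ESTABLISHED"             # client completes
        elif "R" in p["flags"]:                    # reset ends either side
            conns.pop(fwd, None)
            conns.pop(rev, None)
    pending = Counter((server, sport) for (_c, _cp, server, sport), step
                      in conns.items() if step != "ESTABLISHED")
    return {t: n for t, n in pending.items() if n >= threshold}

def sample_capture():
    """Constructed packets: one completed handshake, four abandoned ones."""
    web = ("192.0.2.10", 80)
    def pkt(src, sport, dst, dport, flags):
        return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}
    pkts = [pkt("198.51.100.5", 40000, *web, "S"),
            pkt(*web, "198.51.100.5", 40000, "SA"),
            pkt("198.51.100.5", 40000, *web, "A")]
    for i in range(4):  # SYN answered by SYN-ACK, final ACK never arrives
        src = f"203.0.113.{i + 1}"
        pkts += [pkt(src, 50000 + i, *web, "S"), pkt(*web, src, 50000 + i, "SA")]
    return pkts
```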
Snort
Open-source network-based IDS.
One of the most popular NIDS because it is
free and highly customizable.
Complete installation of Snort makes use of
other software packages
MySQL provides database server to store Snort
logs
ACID (Analysis Control for Intrusion Database) is an
output module that uses Apache web server to
display Snort analysis data.
Snort Components
ACID Web Interface
Host-Based IDS (HIDS)
Application installed on the system being monitored.
Analyzes system logs or activity to detect intrusions.
Advantages over NIDS:
Actual results of attack recorded after packets have left the
network.
Less reliant on signatures and can catch unknown attacks.
Analyzes traffic after decryption.
Disadvantages:
Cannot guarantee integrity of log files if they reside on
compromised system.
Reactive – alerts when a breach has already occurred.
Can substantially degrade performance on monitored
system.
HIDS Logging
System and application attributes monitored for potential
indicators of malicious activity.
Computer misuse can be defined as:
Data modification, deletion, or access
System modification
Program execution
Privilege escalation (i.e. root or system access)
Program installations (e.g. Trojan horse programs)
Avoidance of detection by modifying files to cover intruder’s tracks
Useful logs available with UNIX/Linux & Windows
Router logging useful when IP spoofing events occur.
Cisco routers can be configured to send log events to remote syslog
server for analysis.
Other useful log files: firewalls, web servers, FTP servers, etc.
UNIX/Linux & Windows Log Files
UNIX/Linux:
File types: simple plaintext, binary (e.g. tcpdump), and database files
wtmp – logs all logins, logouts, system startups and shutdowns.
lastlog – list of most recent successful or unsuccessful logins for each user.
syslog – extensive log of system and application information; the syslog daemon can
run with the -r option to accept logs from other systems. (It is best to encrypt the log
files while in transit over the network.)
Windows:
Logs kept in Application, Security, and System message repositories
System and user-level logon events
Account management
Directory service access
Object access
Audit policy changes
Privilege usage
Process tracking
System events
Tripwire
Target-based host monitoring system.
Popular for its relative ease of deployment
Freely available for UNIX-based systems.
Creates database of message digests (i.e.
one-way hashes) for files or directories that it
is configured to monitor.
Recalculates every message digest at a preset
interval (usually daily).
Alert is generated if calculated digest differs
from database.
Tripwire Challenges
Protection of database, configuration, and
policy files.
Current versions of Tripwire encrypt these files and
a passphrase is required if changes are needed to
be made to any of them.
Plaintext versions of the configuration and policy
files are available for making modifications, but
should be deleted after implementing those
changes.
Frequent software patches = frequent
database updates
Initial setup requires a manual configuration of
the entire policy file.
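The digest database and the need to protect it, both described in the two Tripwire sections above, as an added example that is not part of the original slides and is not Tripwire's code. It baselines a directory with SHA-256, recalculates, and reports differences; an HMAC keyed from a passphrase stands in for Tripwire's own protection of its database, and all file names, contents and the passphrase are constructed.

```python
import hashlib, hmac, json, os, tempfile
from pathlib import Path

def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Message digest of every file under root, keyed by relative path."""
    return {os.path.relpath(os.path.join(d, n), root): file_digest(os.path.join(d, n))
            for d, _sub, names in os.walk(root) for n in names}

def tag(db, key):
    return hmac.new(key, json.dumps(db, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def seal(db, key):
    return {"db": db, "tag": tag(db, key)}  # bind the baseline to the key

def check(root, sealed, key):
    """Recalculate digests and report differences from the sealed baseline."""
    if not hmac.compare_digest(tag(sealed["db"], key), sealed["tag"]):
        raise ValueError("baseline database failed authentication")
    old, new = sealed["db"], snapshot(root)
    return {"added": sorted(new.keys() - old.keys()),
            "removed": sorted(old.keys() - new.keys()),
            "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p])}

def demo():
    """Constructed run: baseline, then one file changed, one added, one removed."""
    key = hashlib.pbkdf2_hmac("sha256", b"constructed passphrase", b"constructed salt", 100_000)
    with tempfile.TemporaryDirectory() as root:
        for name in ("login", "sshd_config", "motd"):
            Path(root, name).write_bytes(b"original " + name.encode())
        sealed = seal(snapshot(root), key)
        Path(root, "login").write_bytes(b"replaced binary")   # modified
        Path(root, "extra.bin").write_bytes(b"new file")      # added
        os.remove(os.path.join(root, "motd"))                 # removed
        report = check(root, sealed, key)
        # Forged entry: the stored digest is edited to match the changed file.
        sealed["db"]["login"] = file_digest(os.path.join(root, "login"))
        try:
            check(root, sealed, key)
            forged_accepted = True
        except ValueError:
            forged_accepted = False
    return report, forged_accepted
```

The second `check` call shows why the database itself must be protected: without the keyed tag, the edited entry would make the modified file look unchanged.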
Tripwire Report Example
Conclusion
Network and host-based intrusion detection systems provide a
significant level of accountability and damage prevention or
mitigation.
Snort is a network-based intrusion detection system that
analyzes each network packet to identify malicious activity
based on previously designed rule sets.
Tripwire is a host-based intrusion detection system that can alert
administrators to successful intrusions by discovering modifications
of system files.
With proper preparation, implementing Snort and Tripwire in a
particular computing environment provides a complete intrusion
detection solution by analyzing both successful and unsuccessful
intrusion attempts over any network topology.