Intrusion Detection Systems
Download
Report
Transcript Intrusion Detection Systems
Intrusion Detection
cs490ns - cotter
1
Outline
• What is it?
• What types are there?
– Network based
– Host based
– Stack based
•
•
•
•
Benefits of each
Example Implementations
Difference between active and passive detection
HoneyPots
cs490ns - cotter
2
Intrusion Detection System
(IDS)
• Detects malicious activity in computer
systems
– Identifies and stops attacks in progress
– Conducts forensic analysis once attack
is over
cs490ns - cotter
3
The Value of IDS
• Monitors network resources to detect
intrusions and attacks that were not
stopped by preventative techniques
(firewalls, packet-filtering routers, proxy
servers)
• Expands available options to manage risk
from threats and vulnerabilities
cs490ns - cotter
4
Negatives and Positives
• IDS must correctly identify intrusions and
attacks
– True positives
– True negatives
• False positives
– Benign activity reported as malicious
• False negatives
– IDS missed an attack
cs490ns - cotter
5
Dealing with False Results
• False positives
– Reduce number using the tuning process
• False negatives
– Obtain more coverage by using a combination
of network-based and host-based IDS
– Deploy NICS at multiple strategic locations in
the network
cs490ns - cotter
6
Types of IDS
• Network-based (NIDS)
– Monitors network traffic
– Provides early warning system for attacks
• Host-based (HIDS)
– Monitors activity on host machine
– Able to stop compromises while they are in
progress
cs490ns - cotter
7
Network-based IDS
• Uses a dedicated platform for purpose of
monitoring network activity
• Analyzes all passing traffic
• Sensors have two network connections
– One operates in promiscuous mode to sniff passing
traffic
– An administrative NIC sends data such as alerts to a
centralized management system
• Most commonly employed form of IDS
cs490ns - cotter
8
NIDS Interfaces
NIDS
Management
Console
no IP
Address
Data Link
Data Flow
cs490ns - cotter
9
NIDS Architecture
• Place IDS sensors strategically to defend
most valuable assets
• Typical locations of IDS sensors
– Just inside the firewall
– On the DMZ
– On the server farm segment
– On network segments connecting mainframe
or midrange hosts
cs490ns - cotter
10
Connecting the Monitoring
Interface
• Using Switch Port Analyzer (SPAN)
configurations, or similar switch features
• Using hubs in conjunction with switches
• Using taps in conjunction with switches
cs490ns - cotter
11
SPAN
• May be built into configurable switches
(high end)
• Allows traffic sent or received in one
interface to be copied to another
monitoring interface
• Typically used for sniffers or NIDS sensors
cs490ns - cotter
12
How SPAN Works
Monitored
Host
Duplicated
Traffic
IDS
Switch
Monitored
Port
cs490ns - cotter
SPAN
Port
Data
Link
13
Monitor Network Segment
Duplicated
Traffic
IDS
Switch
Data
Link
Monitored
Hosts
cs490ns - cotter
14
Limitations of SPAN
• Traffic between hosts on the same
segment is not monitored; only traffic
leaving the segment crosses the
monitored link
• Switch may offer limited number of SPAN
ports or none at all
cs490ns - cotter
15
Hub
• Device for creating LANs that forward
every packet received to every host on the
LAN
• Allows only a single port to be monitored
cs490ns - cotter
16
Using a Hub in a Switched
Infrastructure
Data
Link
Switch
Switch
IDS
Monitored
Host
Hub
cs490ns - cotter
17
Tap
• Fault-tolerant hub-like device used inline
to provide IDS monitoring in switched
network infrastructures
cs490ns - cotter
18
Using a Tap
IDS
Monitored
Host
Tap
Tap acts like a 3 way hub
where monitoring port is
read only
cs490ns - cotter
Monitoring
Port
Data
Link
19
Typical 10/100 8 port Tap
Loss of power
has no effect
on traffic
NetOptics
Networktaps.com
cs490ns - cotter
20
NIDS Signature Types
• Signature-based IDS
• Port signature
• Header signatures
cs490ns - cotter
21
Network IDS Reactions
• TCP resets
• IP session logging
• Shunning or blocking
cs490ns - cotter
22
Strengths of NIDS
• Cost of Ownership
– Lower because IDS is shared
• Packet Analysis
– Can look at all network traffic
• Evidence Removal
– Packets are captured in a separate machine
• Real-Time Detection and Response
– Can detect (and block) DDoS attacks
• Operating System Independence
cs490ns - cotter
23
Host-based IDS
• Primarily used to protect only critical servers
• Software agent resides on the protected system
• Detects intrusions by analyzing logs of operating
systems and applications, resource utilization,
and other system activity
• Use of resources can have impact on system
performance
cs490ns - cotter
24
HIDS Method of Operation
• Auditing logs (system logs, event logs, security
logs, syslog)
• Monitoring file checksums to identify changes
• Elementary network-based signature techniques
including port activity
• Intercepting and evaluating requests by
applications for system resources before they
are processed
• Monitoring of system processes for suspicious
activity
cs490ns - cotter
25
HIDS Software
• Host wrappers
– Inexpensive and deployable on all machines
– Do not provide in-depth, active monitoring
measures of agent-based HIDS products
• Agent-based software
– More suited for single purpose servers
cs490ns - cotter
26
HIDS Active Monitoring
Capabilities
•
•
•
•
Log the event
Alert the administrator
Terminate the user login
Disable the user account
cs490ns - cotter
27
Advantages of Host-based IDS
• Verifies success or failure of attack by reviewing
HIDS log entries
• Monitors use and system specific activities;
useful in forensic analysis of the attack
• Can monitor network encrypted traffic
• Near real-time detection and response
– Analysis is log based, but good design mitigates
much of the delay.
• Can focus on key system components
• No additional Hardware
cs490ns - cotter
28
Stack based IDS
• IDS is integrated with TCP/IP protocol
stack
• Allows system to provide real-time
analysis and response
• Intended to have low enough overhead so
that each system can have its own IDS
cs490ns - cotter
29
Passive Detection Systems
• Can take passive action (logging and
alerting) when an attack is identified
• Cannot take active actions to stop an
attack in progress
cs490ns - cotter
30
Active Detection Systems
• Have logging, alerting, and recording features of
passive IDS, with additional ability to take action
against offending traffic
• Options
– IDS shunning or blocking
– TCP reset
• Used in networks where IDS administrator has
carefully tuned the sensor’s behavior to
minimize number of false positive alarms
cs490ns - cotter
31
Signature-based and
Anomaly-based IDS
• Signature detections
– Also know as misuse detection
– IDS analyzes information it gathers and compares it
to a database of known attacks, which are identified
by their individual signatures
• Anomaly detection
– Baseline is defined to describe normal state of
network or host
– Any activity outside baseline is considered to be an
attack
cs490ns - cotter
32
Intrusion Detection Products
•
•
•
•
•
•
•
•
•
Aladdin Knowledge Systems
Entercept Security Technologies
Cisco Systems, Inc.
Computer Associates International Inc.
CyberSafe Corp.
Cylant Technology
Enterasys Networks Inc.
Internet Security Systems Inc.
Intrusion.com Inc. family of IDS products
cs490ns - cotter
33
Intrusion Detection Products
(cont.)
•
•
•
•
•
•
•
•
•
NFR Security
Network-1 Security Solutions
Raytheon Co.
Recourse Technologies
Sanctum Inc.
Snort
Sourcefire, Inc.
Symantec Corp.
TripWire Inc.
cs490ns - cotter
34
Honeypots
• False systems that lure intruders and
gather information on methods and
techniques they use to penetrate
networks—by purposely becoming victims
of their attacks
• Simulate unsecured network services
• Make forensic process easy for
investigators
cs490ns - cotter
35
Honeypot Architecture
Honeypot
Data
Link
Switch
Router
Servers
cs490ns - cotter
36
Commercial Honeypots
• KFSensor
– www.keyfocus.net/kfsensor
• NetBait
– www2.netbaitinc.com:5080
• Specter
– www.specter.com
• Decoy Server
– www.symantec.com
cs490ns - cotter
37
Open Source Honeypots
• Argos
– www.few.vu.nl/argos
• HoneyNet Project
– http://www.honeynet.org
• Honeyd
– www.honeyd.org
• The Deception Toolkit
– http://all.net/dtk/download.html
cs490ns
cs490ns
- cotter
- cotter
3838
Honeypot Deployment
• Goal
– Gather information on hacker techniques,
methodology, and tools
• Options
– Conduct research into hacker methods
– Detect attacker inside organization’s network
perimeter
cs490ns - cotter
39
Honeypot Design
• Must attract, and avoid tipping off, the
attacker
• Must not become a staging ground for
attacking other hosts inside or outside the
firewall
cs490ns - cotter
40
Honeypots, Ethics, and the Law
• Nothing wrong with deceiving an attacker
into thinking that he/she is penetrating an
actual host
• Honeypot does not convince one to attack
it; it merely appears to be a vulnerable
target
• Doubtful that honeypots could be used as
evidence in court
cs490ns - cotter
41
References
• Security+ Guide to Network Security
Fundamentals
– Campbell, Calvert, Boswell – Course
Technology, 2003
• HowTo Guide for IDS
– http://www.snort.org/docs/iss-placement.pdf
cs490ns - cotter
42
Summary
• What is Intrusion Detection?
• What types are there?
– Network based
– Host based
– Stack based
•
•
•
•
Benefits of each
Example Implementations
Difference between active and passive detection
HoneyPots
cs490ns - cotter
43