Transcript NIDS

Network Security Monitoring
COEN 250

Indicators and Warnings

• Indicator: “an item of information which reflects the intention or capability of a potential enemy to adopt or reject a course of action”*
• Indications and Warnings: “the strategic monitoring of world military, economic, and political events to ensure that they are not the precursor to hostile or other activities which are contrary to U.S. interests”**

* DoD Dictionary of Military Terms
** U.S. Army Intelligence, Document on Indicators in Operations Other Than War

Indicators and Warnings

• Indicators generated by an Intrusion Detection System (IDS) are alerts
• Examples:
  • Web server initiates outbound FTP to a site in Russia
  • Spike in ICMP messages
• Warnings
  • Result of the analyst’s interpretation of an indicator
  • Escalation of a warning:
    • Conclusion that the warning warrants further analysis
    • Conclusion that the warning is indeed an incident
      • Triggers Incident Response

Intrusion Detection Systems

• Intrusion Detection
  • Process of monitoring events occurring in a computer system or network
  • Analyzing them for signs of possible incidents
• Incident
  • Violation or imminent threat of violation of
    • computer security policies
    • acceptable use policies
    • standard security practices
  • Arises from
    • Malware
    • Attacks
    • Honest errors

• Intrusion Detection System
  • Software that automates the detection process
• Intrusion Prevention System
  • Additionally has the capacity to stop some possible incidents

• Key functions of IDS technology
  • Recording information related to observed events
  • Notifying security administrators of important observed events
  • Producing reports
• IDPS technology can be augmented by human analysis

• Key functions of IPS technology
  • IPS stops the attack itself
    • Terminate network connection
    • Terminate user session
    • Block access to target from
      • offending user account
      • IP address
    • Block all access to target
  • IPS changes the security environment
    • IPS changes the configuration of other security controls to disrupt the attack
      • Reconfiguring a network device
      • Altering a host-based firewall
      • Applying patches to a host it detects is vulnerable
• Key functions of IPS technology (continued)
  • IPS changes the attack’s contents
    • Remove or replace malicious portions of an attack
      • Remove an infected file attachment from an e-mail, but allow the e-mail sans attachment to reach its destination
    • IPS acts as a proxy and normalizes incoming requests

• Current IDPS technology has false positives and false negatives
• Attackers use evasion techniques
  • E.g. using escaping

Common Detection Methodologies

Signature-Based Detection
• A signature is a pattern corresponding to a known threat
• Examples
  • Telnet attempt with user name “root”
  • E-mail with “You received a picture from a *”
  • OS system log entry indicating that the host’s auditing has been disabled
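As an added example (not from the slides), a small signature matcher over constructed events for the three signatures listed above. It undoes simple escaping (percent-decoding stands in for whatever the transport allows) before matching, since the deck notes that escaping is an evasion technique, and it shows that a variant no signature covers produces no alert. Field names and patterns are assumptions for the example.

```python
import re
from urllib.parse import unquote

# Constructed signatures mirroring the three examples in the slides:
# (name, event field the pattern applies to, compiled pattern)
SIGNATURES = [
    ("telnet-root-login", "telnet_user",
     re.compile(r"^root$", re.IGNORECASE)),
    ("picture-mail", "mail_text",
     re.compile(r"^You received a picture from .+", re.IGNORECASE)),
    ("auditing-disabled", "os_log",
     re.compile(r"auditing (has been |was )?disabled", re.IGNORECASE)),
]


def normalize(value):
    """Undo simple escaping (here: percent-encoding) and trim whitespace
    before matching, so an escaped 'root' still hits the signature."""
    return unquote(value).strip()


def match_event(event):
    """Return the names of every signature the event triggers."""
    hits = []
    for name, field, pattern in SIGNATURES:
        value = event.get(field)
        if value is not None and pattern.search(normalize(value)):
            hits.append(name)
    return hits


def scan(events):
    """Run all events through the matcher; returns (index, hits) for alerts only."""
    alerts = []
    for i, event in enumerate(events):
        hits = match_event(event)
        if hits:
            alerts.append((i, hits))
    return alerts


# Constructed sample events (not real captures).
EVENTS = [
    {"telnet_user": "alice"},                 # benign login, no alert
    {"telnet_user": "root"},                  # matches the telnet signature
    {"telnet_user": "%72oot"},                # escaped 'root': caught after decoding
    {"telnet_user": "toor"},                  # unknown variant: no signature, no alert
    {"mail_text": "You received a picture from a friend"},
    {"os_log": "Security: auditing has been disabled by Administrator"},
]

if __name__ == "__main__":
    for index, hits in scan(EVENTS):
        print(f"event {index}: {', '.join(hits)}")
```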

• Very effective against known threats
• Basically ineffective against unknown threats
• Subject to evasion by polymorphic attacks

Anomaly-Based Detection
• Relies on comparing definitions of normal activity against observed events
• Identifies significant deviations
• Anomaly-based IDPS has profiles
  • Representing the normal behavior of actors and activities
    • Users
    • Hosts
    • Network connections
    • Applications
  • Developed through observation over time

Anomaly-Based Detection Profile Examples:
• Amount of e-mail a user sends
• Bandwidth of web activities
• Number of failed login attempts for a host
• Level of processor utilization for a host

Anomaly-Based Detection
• Can be effective at detecting unknown threats
• Depends on the accuracy of profiles
  • Inadvertent inclusion of malicious activity in a profile
  • Dynamic profiles can be subverted by an attacker who increases activity slowly
  • Static profiles generate false positives if usage patterns differ
• Subject to stealth attacks
• Makes it difficult for a human analyst to find the reason for an alert
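Added example (not from the slides) of the profile weaknesses listed above: a failed-logins-per-hour profile for one host, with a static baseline beside a dynamic one that keeps re-learning. The constructed series show the slow ramp that slips past the dynamic profile, the sudden spike both profiles catch, and the legitimate usage change that makes the static profile alert every hour. The training data, the k = 3 threshold and the alpha = 0.3 learning rate are assumptions.

```python
from statistics import mean, pstdev

# Constructed training data: failed logins per hour on one host during a
# clean observation period (the profile "developed through observation").
TRAINING = [2, 3, 1, 4, 2, 3, 2, 3, 1, 2, 3, 2]


def static_profile(training):
    """Fixed baseline: mean and stdev learned once; stdev floored at 1.0 so a
    near-constant baseline does not alert on every one-count blip."""
    return mean(training), max(pstdev(training), 1.0)


def static_alerts(training, observed, k=3.0):
    """Alert on every hour whose count exceeds mean + k*stdev of the fixed profile."""
    mu, sigma = static_profile(training)
    return [i for i, x in enumerate(observed) if x > mu + k * sigma]


def dynamic_alerts(training, observed, k=3.0, alpha=0.3):
    """Same test, but the profile is updated after every observation
    (exponentially weighted mean and variance), as a dynamic profile does."""
    mu, var = mean(training), pstdev(training) ** 2
    alerts = []
    for i, x in enumerate(observed):
        sigma = max(var ** 0.5, 1.0)
        if x > mu + k * sigma:
            alerts.append(i)
        # The observation is folded into the profile whether or not it alerted:
        # this is what lets slowly rising attacker activity become "normal".
        diff = x - mu
        mu += alpha * diff
        var = (1 - alpha) * (var + alpha * diff * diff)
    return alerts


# Constructed observation windows (failed logins per hour).
SLOW_RAMP = [3, 4, 5, 6, 7, 8, 9, 10, 11, 12]   # attacker ramps up gradually
SPIKE = [2, 3, 2, 40, 3]                          # password-guessing burst
SHIFT = [8, 8, 9, 8, 9, 8]                        # legitimate new usage level

if __name__ == "__main__":
    for label, series in [("slow ramp", SLOW_RAMP), ("spike", SPIKE), ("shift", SHIFT)]:
        print(f"{label:9s} static={static_alerts(TRAINING, series)} "
              f"dynamic={dynamic_alerts(TRAINING, series)}")
```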

Stateful Protocol Analysis
• Sometimes known as “deep packet inspection”
• Compares predetermined profiles of generally accepted definitions of benign protocol activity for each protocol state against observed events to identify deviations
• “Stateful” refers to the IDPS capability of understanding protocols
• Can identify unexpected sequences of commands
• Allows tracking of authenticators for each session
  • Helpful for human analysis of suspicious activity
• Typically includes reasonableness checks for individual commands
  • E.g. minimum and maximum length of arguments
• Uses protocol models based on standards
  • But most standards are underspecified
  • Many implementations are not completely compliant
• Very resource intensive
• Cannot detect attacks that do not violate a protocol
• Detects protocol bending attacks
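Added example (not from the slides) for the stateful protocol analysis bullets above: a minimal analyzer for an SMTP command stream, with an allowed-transition table per protocol state and a reasonableness check on argument length. It flags out-of-order commands and oversized arguments and, as the last bullets warn, passes a well-formed session no matter what it carries. The transition table and length limits are simplified assumptions for the example, loosely following RFC 5321 size limits.

```python
# Allowed command for each protocol state, and the state it leads to.
# (Constructed, simplified model of an SMTP session; not a full RFC 5321 machine.)
TRANSITIONS = {
    "INIT":  {"HELO": "READY", "EHLO": "READY", "QUIT": "CLOSED"},
    "READY": {"MAIL": "MAIL", "RSET": "READY", "NOOP": "READY", "QUIT": "CLOSED"},
    "MAIL":  {"RCPT": "RCPT", "RSET": "READY", "QUIT": "CLOSED"},
    "RCPT":  {"RCPT": "RCPT", "DATA": "DATA", "RSET": "READY", "QUIT": "CLOSED"},
}
# Reasonableness check: maximum argument length per command (assumed limits).
MAX_ARG_LEN = {"HELO": 255, "EHLO": 255, "MAIL": 256, "RCPT": 256}


def analyze_session(lines):
    """Walk one client->server command stream; return (line_no, finding) pairs."""
    state = "INIT"
    findings = []
    for n, line in enumerate(lines, 1):
        if state == "DATA":
            if line == ".":          # end-of-data marker returns to READY
                state = "READY"
            continue                 # message body lines are not commands
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        limit = MAX_ARG_LEN.get(verb)
        if limit is not None and len(arg) > limit:
            findings.append((n, f"{verb} argument {len(arg)} bytes exceeds {limit}"))
        nxt = TRANSITIONS.get(state, {}).get(verb)
        if nxt is None:
            findings.append((n, f"unexpected {verb} in state {state}"))
            continue                 # state unchanged; keep tracking the session
        state = nxt
    return findings


# Constructed sessions (not captured traffic).
NORMAL = ["EHLO client.example", "MAIL FROM:<a@example.net>", "RCPT TO:<b@example.net>",
          "DATA", "Subject: hello", "", "body text", ".", "QUIT"]
BAD_ORDER = ["MAIL FROM:<a@example.net>", "DATA", "QUIT"]      # skipped EHLO and RCPT
OVERLONG = ["HELO " + "a" * 300, "QUIT"]                        # oversized argument

if __name__ == "__main__":
    for name, session in [("normal", NORMAL), ("bad order", BAD_ORDER), ("overlong", OVERLONG)]:
        print(name, analyze_session(session))
```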

Intrusion Detection Systems: types
• Network-Based IDPS
• Wireless IDPS
• Network Behavior Analysis (NBA)
• Host-Based IDPS

Components
• Sensors / Monitors
  • Used for network activity monitoring
• Agent
  • Used for host-based IDPS
• Management Server
  • Centralized component that receives data from agents and monitors
  • Performs correlation: matching event information from different monitors
• Database server
  • Repository for previously recorded event information
• Console
  • Interface for IDPS

Network Monitors

Deployment
• Depends on monitoring zones
  • Perimeter
    • External firewall through boundary router to the Internet
  • DMZ
  • Wireless
  • Intranet(s)
Data Collection Tools
• Hubs
• SPAN (Switched Port Analyzer)
• TAPs (Test Access Port)
• Inline Devices

Sensor Management
• Console access
  • Hard to manage
• In-band remote access
  • Potential for loss of data confidentiality
  • Not functioning during a successful DoS attack
• Virtual LAN
  • Potential for loss of data confidentiality
  • Not functioning during a successful DoS attack
• Out-of-band remote access
  • E.g. modem

Intrusion Detection Systems
Networks

Security Capabilities
• Information Gathering
  • OS identification of hosts
  • General characteristics of networks
• Logging
  • to confirm alerts
  • to investigate incidents
  • to correlate events with other sources
  • needs to be protected against an attacker
  • needs to deal with clock drift
• Detection Capabilities
  • Typically require tuning and customization
    • Thresholds
    • Blacklists and Whitelists
    • Alert Settings
    • IDPS code viewing and editing
• Prevention Capabilities
  • Vary with technology / field

Management

Implementation
• Architecture Design
  • Placement of sensors
  • Reliability of sensors
  • Location of other components
  • System interfaces
    • Systems to which IDPS provide data
    • Systems which IDPS resets for prevention
    • Systems that manage IDPS components
      • Patch management software
      • Network management software
• Component Testing and Deployment
  • Consider deployment in a test environment
    • E.g. to prevent a surge of false positives
  • IDPS deployment usually interrupts networks or systems for component installation
  • Configuration is typically a major effort
• Securing IDPS components
  • IDPS are often targeted by attackers
    • Because of their effects on security
    • Because of the sensitive data collected by the IDPS
  • System hardening
    • Usual means
    • Separate accounts for each IDPS user and administrator
    • Configure firewalls, routers, etc. to limit direct access to IDPS components
    • Protect IDPS management communication
      • Physically
      • Logically
        • Encryption
        • Strong Authentication

Operations and Maintenance
• Typically GUI, but sometimes command lines
• Typical capabilities
  • Drill down
  • Reporting functions
  • Database open to scripted searches
• Need for ongoing solution maintenance
  • Monitor IDPS components for operational and security issues
  • Periodic tests of proper functioning
  • Regular vulnerability assessments
  • Receipt of notifications of security problems from the vendor
  • Receipt of notifications for updates
• Acquiring and Applying Updates
  • Of signature files
  • Of IDPS software components

Building and maintaining personnel skills
• Basic security training
• Vendor training
• Product documentation
• Technical support
• Professional services (consulting by vendors)
• User communities

Network-Based IDPS

Typical components
• Appliance
  • Specialized hardware and sensor software / firmware
• Host-based
  • Only software

Architecture and Sensor Locations
• Inline
  • All traffic monitored must pass through it
  • Typically placed where firewalls etc. would be placed
    • Either hybrid devices
    • Or placed on the more secure side
• Passive
  • Monitors a copy of actual network traffic
    • Spanning Port
    • Network Tap
    • IDS Load Balancer
      • Receives copies of traffic from several sensors
      • Aggregates traffic from different networks
      • Distributes copies to one or more listening devices
  • Typically not capable of prevention

Typical detection capabilities
• Application layer reconnaissance and attacks
  • Typically analyze several dozen application protocols
  • Detect
    • Banner grabbing
    • Buffer overflows
    • Format string attacks
    • Password guessing
    • Malware transmission

• Transport layer reconnaissance and attacks
  • Detects
    • Port scanning
    • Unusual packet fragmentation
    • SYN floods
• Network layer reconnaissance and attacks
  • Detects
    • Spoofed IP addresses
    • Illegal IP header values
• Unexpected application services
  • Detects
    • Tunneled protocols
    • Backdoors
    • Hosts running unauthorized application services
  • Uses
    • Stateful protocol analysis
    • Anomaly detection
• Policy violations
  • Detects
    • Use of inappropriate Web sites
    • Use of forbidden application protocols

Detection Accuracy
• High degree of false positives and false negatives
• Difficulty based on
  • Complexity of the activities monitored
  • Different interpretation of the meaning of traffic between the IDPS sensor and the client / server
• Cannot deal with encrypted network traffic
  • VPN, HTTP over SSL, SSH
• Have limited capacity
  • Number of connections
  • Depth of analysis
  • Longevity of connections

Attacks on network-based IDPS
• DDoS attacks generate unusually large volumes of traffic
• Generate loads of anomalous traffic to exhaust IDPS resources
• Blinding
  • Generates many IDPS alerts
  • Real attack is separate, but contemporaneous

Prevention capabilities
• Passive sensors only
  • Ending the current TCP session
    • Session sniping: sending resets to both partners
• Inline only
  • Perform inline firewalling
  • Throttle bandwidth usage
  • Alter malicious content
• Both passive and inline
  • Reconfigure other network security devices
  • Run a third party program or script

Wireless IDPS

• Wireless attacks typically require proximity to access points or stations
  • Typically, need access to the radio link between stations and access points
• Many WLANs are configured with no or weak authentication

Components
• Same as for network-based IDPS
  • Consoles
  • Database servers
  • Management servers
  • Sensors
    • These function differently than for wired IDPS
    • Need to monitor two bands (2.4 GHz and 5 GHz)
      • Divided into channels
      • A sensor only monitors a single channel at a time
      • Channel scanning (monitor a channel for seconds at most)

Wireless sensors
• Dedicated sensors
  • Typically completely passive
  • Fixed or mobile
• Bundled with an access point
• Bundled with a wireless switch
• Host-based IDPS sensor to be installed on a station

Sensor Locations
• Physical security
  • Often deployed in open locations because of greater range than in closed locations
• Sensor range
• Cost
• AP and wireless switch locations
  • Consider bundling or collocation

Security capabilities
• Information gathering
  • Identifying WLAN devices
    • Typically based on SSIDs and MAC addresses
  • Identifying WLANs
    • Keep track of observed WLANs identified by SSID
• Logging capability
• Detection capability
  • Events
    • Unauthorized WLANs and WLAN devices
    • Poorly secured WLAN devices
      • A station is using WEP instead of WPA2
    • Unusual usage patterns
    • The use of (active) wireless network scanners
    • Denial of service (DoS) attacks and conditions
    • Impersonation and man-in-the-middle attacks

Detection accuracy
• Usually quite high due to limited scope

Tuning and Customization
• Specify authorized WLANs, access points, stations
• Set thresholds for anomaly detection
• Some use blacklists and whitelists

Wireless IDPS cannot detect:
• Attacker passively monitoring traffic
• Attackers with evasion techniques
  • Attacker can identify the IDPS product
    • Physical survey
    • Fingerprinting by prevention actions
  • Attacker takes advantage of the product’s channel scanning scheme
    • Short bursts of attack packets on channels not currently monitored
    • Attack on two channels at the same time

Attacks on wireless IDPS
• Same DDoS techniques
• Physical attacks
  • Jamming

Prevention capabilities
• Wireless prevention
  • Terminate connections between rogue or misconfigured stations and rogue or misconfigured access points
    • Send discontinue messages to endpoints
• Wired prevention
  • Block network activity involving a particular station or access point

Network Behavior Analysis (NBA)
• Examines
  • Network traffic or
  • Statistics on network traffic
• Identifies unusual traffic flows

Host-Based IDPS
• Monitors a single host and events occurring within that host
  • Wired network traffic
  • Wireless network traffic
  • System logs
  • Running processes
  • File access and modification
  • System and application configuration changes

Components and architectures
• Agents (typically detection software)
  • Monitor activity on a single host
  • Transmit data to management servers
  • Agents can be implemented as dedicated appliances
  • Monitors:
    • Servers
    • Clients
    • An application service (application-based IDPS)

Agent locations
• Commonly deployed to critical hosts
• But could be in a majority of systems, including laptops and desktops

Host architecture
• Agents often alter the internal architecture of hosts
  • Done by a shim
    • Layer of code placed between existing layers of code
    • The shim intercepts data when it is passed between different layers
    • The shim analyzes the data and determines whether the data is allowed or not

Security capabilities
• Logging
• Detection
  • Code analysis
    • Code behavior analysis in a sandbox
    • Buffer overflow detection through detecting tell-tale sequences of instructions or memory accesses
    • System call monitoring
      • Keylogger
      • COM object loading
      • Driver loading
    • Application and library lists

Security capabilities (continued)
• Detection
  • Network traffic analysis
    • Basically the same as a network or wireless IDPS would do
  • Network traffic filtering
    • Host-based IDPS contains a host-based firewall
  • File system monitoring
    • File integrity checking
    • File attribute checking
    • File access attempts
  • Log analysis of OS and application logs
  • Network configuration monitoring
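Added example (not from the slides) of the file integrity and file attribute checking bullets above: a baseline of SHA-256 digests and permission bits is taken over a constructed directory, the directory is then altered (content edit, permission change, deletion, new file), and a second snapshot is diffed against the baseline the way a host-based agent would. The file names and contents are made up for the example.

```python
import hashlib, os, stat, tempfile

def snapshot(root):
    """Baseline for each regular file under root: SHA-256 digest plus permission bits."""
    baseline = {}
    for name in os.listdir(root):
        path = os.path.join(root, name)
        if os.path.isfile(path):
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            baseline[name] = {"sha256": digest, "mode": stat.S_IMODE(os.stat(path).st_mode)}
    return baseline

def compare(baseline, current):
    """Integrity check (content) and attribute check (mode), plus added/deleted files."""
    findings = []
    for name in sorted(set(baseline) | set(current)):
        if name not in current:
            findings.append((name, "deleted"))
        elif name not in baseline:
            findings.append((name, "added"))
        else:
            b, c = baseline[name], current[name]
            if b["sha256"] != c["sha256"]:
                findings.append((name, "content changed"))
            if b["mode"] != c["mode"]:
                findings.append((name, f"mode {b['mode']:o} -> {c['mode']:o}"))
    return findings

def write(root, name, text):
    with open(os.path.join(root, name), "w") as f:
        f.write(text)

def demo():
    """Constructed scenario in a scratch directory (made-up file names and contents)."""
    root = tempfile.mkdtemp()
    write(root, "passwd", "root:x:0:0:root:/root:/bin/sh\n")
    write(root, "sshd_config", "PermitRootLogin no\n")
    write(root, "motd", "welcome\n")
    os.chmod(os.path.join(root, "sshd_config"), 0o600)
    baseline = snapshot(root)                       # what the agent stores
    # Simulated changes after the baseline: edit, chmod, delete, new file.
    write(root, "passwd", "root:x:0:0:root:/root:/bin/sh\nextra:x:0:0::/:/bin/sh\n")
    os.chmod(os.path.join(root, "sshd_config"), 0o644)
    os.remove(os.path.join(root, "motd"))
    write(root, "unknown.so", "\x7fELF")
    return compare(baseline, snapshot(root))

if __name__ == "__main__":
    for name, finding in demo():
        print(f"{name}: {finding}")
```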

Technology limits
• Alert generation delays
• Centralized reporting delays
• Host resource usage
• Conflicts with existing security controls
• Rebooting hosts to update IDPS

Prevention capabilities
• Code analysis
• Network traffic analysis
• Network traffic filtering
• File system monitoring
• Removable media restrictions
• Audio-visual device monitoring
• Automatic host hardening
• Process status monitoring
• Network traffic sanitization