Intrusion detection
Intrusion Detection, Access
Control & Other Security Tools
Principles of Information Security
Chapter 7 Part 1
References
NIST Intrusion Detection Systems
◦ http://csrc.nist.gov/publications/nistpubs/800-31/sp80031.pdf#search=%22NIST%20SP%20800-31%22
http://en.wikipedia.org/wiki/Intrusion-detection_system
http://netsecurity.about.com/cs/hackertools/a/aa030504.htm
http://sectools.org/ids.html
http://www.softpanorama.org/Security/integrity_checkers.shtml
http://www.sans.org/resources/idfaq/index.php
http://www.sans.org/resources/idfaq/integrity_checker.php
http://en.wikipedia.org/wiki/Host_based_intrusion_detection_system
http://sourceforge.net/projects/tripwire/
http://sourceforge.net/projects/integrit/
http://freshmeat.net/projects/integrit/
Topic Objectives
Upon completion of this chapter you should be able to:
◦ Identify and describe the categories and operating models of intrusion detection systems.
◦ Identify and describe honey pots, honey nets, and padded cell systems.
◦ List and define the major categories of scanning and analysis tools.
◦ Describe the tools used in each major category of scanning and analysis tools.
◦ Discuss various approaches to access control, including the use of biometric access mechanisms.
Role of Technology in Information Security
Technical solutions, properly implemented, can enhance the confidentiality, integrity and availability of an organization's information assets.
Intrusion
An attempt to gain entry into a system or disrupt normal operations of a system
Usually, but not always, with malicious intent
Incident Response
Identification of, classification of, response to, and recovery from an incident (intrusion).
Includes
◦ Intrusion prevention: efforts to deter intrusions via policy, security programs, and technology-based countermeasures
◦ Intrusion detection: use of procedures and systems created to detect intrusions
◦ Intrusion reaction: actions taken when an intrusion is detected, including limiting losses and initiating procedures to return to normal operations
◦ Intrusion correction: finalizing restoration to a normal state, identifying the source and methods used for the intrusion, and taking action to prevent the same type of intrusion from occurring again.
Intrusion Detection Systems (IDSs)
Similar to burglar alarms
Detect violations of configuration and activate an alarm
◦ audible (noise)
◦ visual (lights, etc.)
◦ silent (email message, pager alert)
NIST SP 800-31 Intrusion Detection Systems
◦ http://csrc.nist.gov/publications/nistpubs/800-31/sp80031.pdf#search=%22NIST%20SP%20800-31%22
IDS is not a firewall
Firewall is software/hardware that prevents access
◦ Firewall examines each packet, checks whether the packet satisfies the “rules” for acceptance, and either drops it or lets it in
◦ Like a guard at the gate: you must show the guard your ID to get in, or you are turned back
Firewall rules are not all that sophisticated; they are the most basic and crudest level of packet sorting.
ACL tables typically have 30-50 rules.
Add the camera to the security guard
IDS is software that monitors the network quietly, logs activities, and alerts if it sees anything “wrong.”
◦ Like a burglar alarm, or an alarmed security camera at the gate.
◦ IDS will have rather sophisticated rules because it has signatures of many different types of attack, e.g. SYN flood.
“Secure perimeters” will have both an IDS and a firewall
Key Terminology for IDSs
Alert or alarm
◦ indication that an attack/intrusion has been detected and may be in progress
False Negative
◦ a failure to detect an actual attack
◦ a major problem for an IDS
False Positive
◦ a false indication of an attack occurring
◦ can lead users to become insensitive to alarms
Noise
◦ activity that is not particularly significant, such as unsuccessful intrusion attempts
Key Terminology (2)
Site Policy
◦ organizational rules and guidelines with respect to use of IDSs
Site Policy Awareness
◦ ability of an IDS to dynamically modify site policies
◦ SMART IDSs can adapt reaction to activity
Confidence Value
◦ measure of ability of IDS to detect and identify an attack correctly
Alarm Filtering
◦ similar to packet filters: can filter alarms based on source/destination IP addresses, OS, confidence value, alarm type or severity
◦ used to filter out known false positives from actual attacks
Reasons to Use an IDS
Deterrence
◦ deter attacks by increasing the perceived risk of discovery and punishment
Detection
◦ detect attacks and violations not prevented by other means such as scanning tools or vulnerability assessments
◦ detect preambles (precursors) to attacks such as footprinting or fingerprinting activities
Documentation
◦ document existing threats to the organization for justification of defensive measures and tools
Quality Assurance
◦ Verify adequacy of, and improve, security design and administration
Information
◦ Determine causes and methods used in attacks to prevent the same attack strategy being used again.
◦ Obtain forensic evidence for legal action.
Types of IDSs
Network-based (NIDS)
◦ Monitor network traffic to look for recognizable attack patterns
Host-based (HIDS)
◦ Focus on server or host assets, such as files
Application-based
◦ Focus on one application, either on one or more hosts/servers.
◦ E.g., distributed database system
Detection Methods
Signature-based
◦ Recognize characteristics of a particular type of attack
Statistical anomaly-based
◦ Recognize anomalies in operation or performance that may signal an attack.
Network-Based IDS (NIDS)
Monitors traffic on a network segment
◦ Sends alerts when an attack pattern is recognized.
◦ May use the monitoring port or switched analysis port (SPAN) of a hub or switch
Specially configured connection capable of viewing all traffic traversing the device
Necessary for switches in particular
Snort is an example of a NIDS
NIDS Signature Matching
Must compare observed activity to known attack patterns
◦ Uses a special implementation of the TCP/IP stack to reassemble packets for use with verification and comparison techniques
Protocol stack verification
◦ Look for invalid (malformed) TCP/IP data packets
◦ Exploits of packet structure
◦ Example: DoS and DDoS frequently use malformed packets to exploit vulnerabilities in the protocol
Application protocol verification
◦ Application layer protocols (HTTP, FTP, etc.) are examined for unexpected behavior or improper use
◦ Exploits of protocol use
◦ Example: DNS cache poisoning
◦ Can significantly affect system throughput.
May be necessary to use separate systems for protocol stack verification and application protocol verification
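As an added illustration of protocol stack verification (not code from the slides or from Snort), the following Python decodes a raw TCP header and checks it against a small, constructed signature table of malformed flag combinations and header lengths; the segment builder and signature names are assumptions made for the demonstration.

```python
import struct

# TCP flag bits in the low byte of the 13th/14th header bytes (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Constructed signature table: name -> predicate over (flags, data_offset).
# These are classic malformed-header patterns a protocol stack verifier
# rejects; a production NIDS carries thousands of such signatures.
SIGNATURES = {
    "SYN+FIN set together": lambda f, off: bool(f & SYN and f & FIN),
    "null scan (no flags)": lambda f, off: f == 0,
    "xmas scan (FIN+PSH+URG)": lambda f, off: f & (FIN | PSH | URG) == (FIN | PSH | URG),
    "data offset below 5 words": lambda f, off: off < 5,
}

def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header; raise on a truncated segment."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", segment[:16])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": off_flags >> 12,   # header length in 32-bit words
        "flags": off_flags & 0x1FF,       # low 9 bits: NS + the 8 flag bits
        "window": win,
    }

def match_signatures(segment: bytes) -> list:
    """Return the names of every signature the segment matches (empty = clean)."""
    hdr = parse_tcp_header(segment)
    return [name for name, pred in SIGNATURES.items()
            if pred(hdr["flags"], hdr["data_offset"])]

def make_segment(flags: int, data_offset: int = 5) -> bytes:
    """Build a constructed 20-byte TCP header (sample ports, zero checksum)."""
    off_flags = (data_offset << 12) | flags
    return struct.pack("!HHIIHHHH", 40000, 80, 1, 0, off_flags, 8192, 0, 0)
```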
Pros & Cons of NIDS
Pros
◦ Conservation of equipment through strategic design and placement
◦ Little or no disruption to normal network operations because of passive monitoring
◦ Not usually susceptible to attack and may not be detectable by attackers
Cons
◦ Easily overwhelmed by network traffic -> fail to recognize attacks
◦ Must be able to monitor all network traffic. May not be possible if switches do not have adequate monitoring ports.
◦ Cannot analyze encrypted packets (e.g., ssh)
◦ Cannot reliably determine whether an attack was successful
◦ Cannot recognize all forms of attacks, e.g., malformed packets
Host-Based IDS (HIDS)
Monitors activity only on a single server or host
AKA system integrity verifiers
◦ benchmark and monitor the status of key system files and detect changes or deletions to these files.
◦ capable of monitoring system configuration files and databases such as the Windows registry, .ini, .cfg and .dat files.
◦ based on change or configuration management: record sizes, locations, and attributes of system files; trigger an alert when changes occur
◦ monitor system logs for predefined events
Very reliable.
Integrit and Tripwire are examples of HIDS
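An added Python sketch of the system integrity verifier idea described above (not Tripwire or Integrit code): it baselines the size, mode and SHA-256 digest of every regular file under a directory, then reports additions, deletions and modifications on a rescan. The directory contents and file names in the demo are constructed.

```python
import hashlib
import os
import tempfile

def snapshot(root: str) -> dict:
    """Baseline: relative path -> (size, mode, sha256) for each regular file."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # symlinks and special files are out of scope here
            st = os.stat(path)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = (st.st_size, st.st_mode, digest)
    return baseline

def compare(baseline: dict, current: dict) -> dict:
    """The alerts a HIDS would raise: files added, deleted or modified."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "deleted": deleted, "modified": modified}

def demo() -> dict:
    """Constructed scenario: baseline a directory, tamper with it, rescan."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "passwd"), "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(root, "etc", "app.ini"), "w") as fh:
            fh.write("[app]\ndebug=0\n")
        baseline = snapshot(root)
        # Simulated changes: a same-size config edit (only the hash differs),
        # a deleted system file, and a new file dropped into the tree.
        with open(os.path.join(root, "etc", "app.ini"), "w") as fh:
            fh.write("[app]\ndebug=1\n")
        os.remove(os.path.join(root, "etc", "passwd"))
        with open(os.path.join(root, "etc", "rogue.cfg"), "w") as fh:
            fh.write("x=1\n")
        return compare(baseline, snapshot(root))
```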
Pros & Cons of HIDS
Pros
◦ Can detect events missed by NIDS
◦ Files on host system decrypted and available to HIDS for analysis (compared to NIDS)
◦ Not affected by switched networking
◦ Able to detect inconsistencies in use of applications and system programs
Cons
◦ Administration overhead because of host-based configuration
◦ Vulnerable to direct attacks and attacks against the OS
◦ Not optimized for multi-host or multi-device scanning
◦ Susceptible to some DoS attacks
◦ Can require large amounts of disk space
◦ Can impose a performance penalty on host systems
Application-Based IDS (AppIDS)
Variation of HIDS
Examines one application for abnormal events
◦ users exceeding authorization, invalid file executions, etc.
Pros
◦ Able to track users (accountability)
◦ Ability to view encrypted data while unencrypted
Cons
◦ May be more susceptible to attack because of not being as well protected as network and host based systems
◦ Less capable of detecting software tampering. Should be used in conjunction with NIDS and HIDS
Signature-Based IDS
AKA knowledge-based IDS
Looks for traffic patterns that match known signatures (attack patterns)
◦ footprinting and fingerprinting activities
◦ exploits that use a known sequence of activities
Cons
◦ Signatures must continually be updated as new attack strategies develop
◦ May not detect attacks that are purposely slow and methodical, e.g., sneaky or paranoid attacks
Statistical Anomaly-Based IDS (stat IDS)
AKA behavior-based IDS
Based on the frequency with which certain network activities occur
Establish baseline performance by collecting statistical summaries of normal network traffic
Periodically sample network traffic and use statistical methods to compare sampled activity with the baseline.
◦ Measured activity outside baseline parameters exceeds the clipping level and triggers an alert
Pro
◦ IDS can detect new types of attacks
Cons
◦ Require more overhead and processing capability: must constantly compare patterns of activity against the baseline
◦ May not detect minor changes to system variables and may generate false positives
◦ May not be suitable for networks with wide variations in usage and traffic patterns
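Added example, not from the slides: a minimal statistical anomaly detector in Python that builds a baseline from constructed per-minute connection counts, sets the clipping level at the mean plus k standard deviations, and flags samples above it. The value of k, the metric and the sample values are assumptions chosen for illustration.

```python
import statistics

def build_baseline(samples: list) -> tuple:
    """Training phase: mean and standard deviation of the normal-traffic metric."""
    if len(samples) < 2:
        raise ValueError("need at least two baseline samples")
    return statistics.mean(samples), statistics.pstdev(samples)

def clipping_level(baseline: tuple, k: float = 3.0) -> float:
    """Alert threshold: mean plus k standard deviations (k is the tuning knob)."""
    mean, stdev = baseline
    return mean + k * stdev

def evaluate(baseline: tuple, observed: list, k: float = 3.0) -> list:
    """Return (interval_index, value) for every sample above the clipping level."""
    level = clipping_level(baseline, k)
    return [(i, v) for i, v in enumerate(observed) if v > level]

# Constructed baseline: new TCP connections per minute during normal hours.
NORMAL = [118, 125, 131, 122, 127, 119, 133, 128, 124, 130, 121, 126]
# Constructed observation window: the last two minutes carry a burst.
OBSERVED = [129, 123, 134, 127, 410, 655]

# With k=3 the clipping level is about 139, so only the burst is flagged.
# Lowering k to 1 drops the level to about 130 and also flags the ordinary
# 134 sample: the false-positive side of the trade-off the slide mentions.
```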
Log File Monitors (LFM)
Similar to NIDS
Look for patterns and signatures in log files, including system log files, network log files, IDS log files.
Able to examine log files from multiple systems
Resource intensive to support collection, movement, storage and analysis of large quantities of data
IDS Response
Be careful that the response does not make the problem worse, e.g.
◦ shut down the network connection (leads to loss of business, i.e. “we attacked ourselves successfully”)
◦ go after/attack the attackers (it is illegal!)
◦ make a huge negative advertisement (e.g. reporters, police, etc.)
Active response
◦ A clear action is initiated when certain types of alerts are triggered: data collection, modify environment, block intruders
Passive response
◦ Report information and wait for the administrator to take some action; the administrator becomes the active component
Examples of IDS Response Options
Audible / visual alarm
SNMP traps and plug-ins
◦ send message to SNMP management console
E-mail message
◦ Problem: intruder may block email system
Page or phone message
Log entry
◦ IDS system log file on separate device
Evidentiary packet dump
◦ Allow further analysis on data for possible legal use
Action against intruder
◦ traceback to identify source of attack
◦ ill-advised; may not be legal
Launch program, reconfigure firewall
Terminate connection or session
Some Limitations of IDS
Cannot compensate for weaknesses or holes in security mechanisms
◦ firewalls, identification and authentication methods, link encryption, etc.
Do not respond instantaneously in heavy network load scenarios
Cannot detect new attacks or variations of existing attacks
Cannot automatically investigate attacks
Do not work effectively in switched networks
Honey Pots, Honey Nets, and Padded Cell Systems
Powerful security tools that go beyond intrusion detection
Honey Pots or Honey Pot Systems
◦ Decoy systems designed to lure potential attackers away from critical systems and encourage attacks against the decoy
◦ Designed to divert attackers from critical systems, collect information about their activity, and encourage attackers to stay on the system long enough to be documented.
Honey Net
◦ A collection of several honey pot systems on one subnet.
◦ Contains pseudo-devices configured in ways to make it look vulnerable.
Padded Cell
◦ A honey pot that has been protected so it cannot be easily compromised (a hardened honey pot).
◦ When the IDS detects attackers, it transfers them to a specialized environment where they can do no harm.
Use of these techniques may be construed as illegal.
Pros & Cons of Honey Pot Systems
Pros
◦ Attackers diverted to targets where they can do no damage
◦ Allows time to decide how to respond to an attacker
◦ Attacks can be monitored to obtain useful information that can be used to develop better defensive methods
◦ May be effective for identifying insiders who are snooping around the network
Cons
◦ Legal implications not well defined
◦ Not yet shown to be generally useful technologies
◦ May provoke expert hackers to more hostile attacks
◦ High level of expertise required to use these types of systems
Trap and Trace Systems
Trace incidents back to their source, similar to caller ID
◦ If the originator is inside the organization, the individual can be dealt with internally or externally.
◦ If the originator is outside the organization, numerous legal issues must be addressed
Back-hacking (reverse hacks)
◦ deemed unethical by most codes of professional conduct
◦ vigilante justice
Enticement vs Entrapment
◦ Enticement
attract attention to a system by placing tantalizing bits of information in key locations
legal and ethical
◦ Entrapment
lure an individual into committing a crime to get a conviction
not legal and not ethical
Active Intrusion Detection
LaBrea
(in “real life” this is the name of a famous ancient large tar (i.e. asphalt) pit in LA full of dinosaur bones, because they would get stuck in the tar and die: http://www.tarpits.org/education/guide/geology/entrap.html)
◦ Uses the unused IP address space on a network
◦ Monitors ARP requests for invalid destination IP addresses
Responds as if it were the target device
Completes the TCP 3-way handshake, then reduces the sliding window to a very small size to slow down the data connection.
Allows time for network administrator response
Access Control Mechanisms
Process for controlling access to protected systems
◦ User (supplicant) seeks to use a protected system
◦ User must be identified and authenticated before being authorized to use the protected system
Identification
◦ Provide an identity (username)
Authentication
◦ Provide some form of evidence that the supplicant is in fact the stated user
Password, passphrase, biometric, key, etc.
Authorization
◦ Allow the user access to authorized systems, once the identification and authentication requirements have been met.
◦ Domain-based (single sign-on) systems frequently issue a "token" that is then used on other devices in the domain
Authentication
Process that validates the user's identity
4 general methods for authentication
◦ Knowledge
something the supplicant KNOWS
password, passphrase, personal identification code
◦ Possession
something the supplicant HAS
mag stripe cards, smart cards, tokens
synchronous tokens: generate a one-time password used to complete authentication
asynchronous tokens: challenge-response mechanisms
◦ Unique Characteristics
who the supplicant IS
biometrics
◦ Distinguishable Characteristics
what the supplicant PRODUCES
signature recognition, voice recognition
Biometrics
Process of using unique body characteristics of the supplicant for authentication
Includes
◦ Fingerprint comparisons
◦ Palm print comparisons
◦ Hand geometry comparisons
◦ Facial recognition using photo ID
◦ Retinal print comparison
◦ Iris pattern comparison
Only 3 bodily characteristics considered truly unique
◦ Fingerprints
◦ Retina (blood vessel pattern)
◦ Iris
Effectiveness of Biometrics
Criteria for evaluation
◦ false rejection rate
% of authorized supplicants who are falsely rejected
Type I error
nuisance to authorized users, but no threat to security
◦ false acceptance rate
% of unauthorized supplicants who are falsely accepted
Type II error
clear breach of security, unacceptable to security professionals
◦ crossover error rate (CER)
level at which false rejections = false acceptances
most common measure of accuracy for biometric systems
indicator of optimal balance between false rejection and false acceptance rates.
A 1% CER is superior to a 5% CER
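Added worked example, not from the text: computing the false rejection rate, the false acceptance rate and the crossover error rate in Python from constructed genuine and impostor match scores, assuming a matcher that accepts a supplicant when the score is at or above a threshold.

```python
# Constructed match scores (0-100) from a hypothetical biometric matcher.
GENUINE = [62, 70, 75, 78, 81, 84, 86, 88, 90, 93]    # authorized supplicants
IMPOSTOR = [20, 28, 33, 40, 45, 52, 58, 64, 71, 79]   # unauthorized supplicants

def error_rates(genuine: list, impostor: list, threshold: int) -> tuple:
    """FRR (Type I) and FAR (Type II) when scores >= threshold are accepted."""
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far

def crossover(genuine: list, impostor: list) -> tuple:
    """Sweep every threshold; return (threshold, frr, far) where FRR and FAR cross.

    Raising the threshold lowers FAR but raises FRR, so the two curves cross
    once; the first threshold with the smallest |FRR - FAR| gap is reported.
    """
    best = None
    for t in range(0, 101):
        frr, far = error_rates(genuine, impostor, t)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, frr, far)
    return best[1:]

def cer(genuine: list, impostor: list) -> float:
    """Crossover error rate: the (mean) error rate at the crossover threshold.

    A lower CER means the matcher separates genuine from impostor scores better,
    which is why a 1% CER system is preferred over a 5% CER system.
    """
    _, frr, far = crossover(genuine, impostor)
    return (frr + far) / 2
```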
Effectiveness and Acceptance of Biometrics
Many highly effective and reliable biometric systems are considered intrusive to users.
Preference for using systems that are effective and acceptable to users.
Table 7-3 Effectiveness vs Acceptance
Rank   Effectiveness (most to least secure)   Acceptance (most to least accepted)
1      Retinal scans                          Keystroke patterns
2      Fingerprint                            Signature recognition
3      Handprint                              Voice pattern
4      Voice pattern                          Handprint
5      Keystroke patterns                     Fingerprint
6      Signature                              Retinal scans