Transcript What is IDS
Intrusion Detection System
Alan TAM
Program Committee, PISA
Definition and Needs
• IDS = Intrusion Detection System
• Not firewall
• Content inspection
Technology
• Signature detection
• Anomaly detection
General IDS Model
[Figure: general IDS model. Data Source -> Activity -> Sensor -> Events -> Analyzer -> Alerts -> Manager -> Notifications -> Operator -> Response. The Administrator defines the Security Policy that governs the Sensor, Analyzer and Manager.]
• Sensor
• Analyzer
• Manager
• Administrator
• Operator
• Security Policy
Basic Classification
• NIDS - Network Based
– e.g. Cisco Secure IDS, Axent NetProwler, Snort, ISS RealSecure Network Sensor, NAI CyberCop Monitor
• HIDS - Host Based
– e.g. Axent Intruder Alert, ISS RealSecure OS Sensor, Tripwire
Functional Classification
• Packet capturing + Pattern matching
• Log parser
• Host firewall
• File integrity checker
• Activity monitor
Deployment Tips (1)
• Dual NIC
– No TCP/IP binding
– Network Performance
– Security
• NIC optimization settings
• Promiscuous mode
Deployment Tips (2)
• Locations
– DMZ
– In front of firewall
– Behind firewall
– Server segments
– “Power user” segments
Deployment Tips (3)
• Generic OS hardening & optimization
– TCP/IP services
– NetBIOS services
– File & directory permission
– Useless background process
– Peripherals
Deployment Tips (4)
• Miscellaneous
– Automatic mass deployment of HIDS
– Downtime against SLA
– Tuning of false alarms
– Do policy customization (no kidding)
– Monitor log growth rate
Problem Scenarios (1)
• Signature quality
– False POSITIVES
– False NEGATIVES
– Threshold values
– Duplicate elimination
• Encrypted traffic
– SSL, IPSEC & PPTP tunnels, PGP attachment
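Threshold values and duplicate elimination in practice, as an added example that is not from the presentation: a small Python alert post-processor run over a constructed, time-ordered alert stream. A noisy signature must reach a hit threshold inside a time window before it is reported, and repeats of an already-reported (signature, source) pair are suppressed for a quiet period. Signature names, thresholds and the stream are all constructed.

```python
from collections import defaultdict, deque

# Constructed sample alert stream: (seconds since start, signature, source IP),
# sorted by time as a sensor would emit it.
ALERT_STREAM = [
    (0, "ICMP ping sweep", "10.0.0.5"),
    (1, "ICMP ping sweep", "10.0.0.5"),
    (2, "ICMP ping sweep", "10.0.0.5"),
    (3, "ICMP ping sweep", "10.0.0.5"),
    (40, "WEB-IIS cmd.exe access", "10.0.0.9"),
    (41, "WEB-IIS cmd.exe access", "10.0.0.9"),
    (130, "ICMP ping sweep", "10.0.0.5"),
]

# Per-signature threshold as (hits, window_seconds). Noisy signatures need
# several hits inside the window; anything not listed is reported on first hit.
THRESHOLDS = {"ICMP ping sweep": (3, 60)}
DEFAULT_THRESHOLD = (1, 60)


def tune(stream, thresholds=THRESHOLDS, default=DEFAULT_THRESHOLD, quiet=60):
    """Return the alerts worth raising as (time, signature, source, hits_in_window).

    Threshold: a (signature, source) pair is reported only once it has been
    seen `hits` times within `window_seconds`.
    Duplicate elimination: after a pair is reported, further repeats from it
    are dropped until `quiet` seconds have passed.
    """
    recent = defaultdict(deque)   # (sig, src) -> timestamps inside the window
    last_reported = {}            # (sig, src) -> time of the last report
    reported = []
    for t, sig, src in stream:
        hits, window = thresholds.get(sig, default)
        key = (sig, src)
        q = recent[key]
        q.append(t)
        while q and t - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) < hits:
            continue                     # below threshold, stay quiet
        if key in last_reported and t - last_reported[key] < quiet:
            continue                     # duplicate of an alert already raised
        last_reported[key] = t
        reported.append((t, sig, src, len(q)))
    return reported
```

Every suppressed alert is still worth logging; this only decides what reaches the operator.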
Problem Scenarios (2)
• Switch instead of Hub
– Collision domain
– Port Spanning/Mirroring/Monitoring
– Performance degradation
• High speed network
– Packet drop
– DoS
How to choose an IDS (1)
• Attack Signature
– Quality
– Update frequency
– Update mechanism
How to choose an IDS (2)
• Scalability
– Traffic handling capacity
– Shutdown mechanism
– Supported platforms (HIDS)
How to choose an IDS (3)
• Manageability
– Examining log
– Cross reference
– Archiving
– Centralized console
How to choose an IDS (4)
• Hardware platform
– Intel based
– SPARC based
Response Actions (1)
• Log
– Header, significant application data
– Raw packet
• Alert
– Console
– Email
– SNMP Traps
Response Actions (2)
• Termination
– TCP kill
– Kernel drop
• Third-party Integration
– Firewall
– Router
Response Actions (3)
• User Script
– Increase log level
– Modem to Pager
– Email to SMS
– Redirect to Honey Pot
Previous Battlefield
• IP defragmentation
• TCP stream reassembly
Today…
• IDS load balancing
• Hardware IDS
– ASIC IDS module in a Chassis
– ASIC Switch appliance
Standards
• CVE (Common Vulnerabilities and Exposures)
• IDMEF (Intrusion Detection Message Exchange Format)
CVE (1)
• Standardized name
• Interoperability between tools
• Tool comparison guidelines
– CVE-Compatible
– No. of signatures
CVE (2)
• Version
– As of August 2001: 20010507
• Classification
– CVE candidate (CAN-YYYY-XXXX)
– CVE entry (CVE-YYYY-XXXX)
[Figure: candidate lifecycle. Discovery -> Assign candidate number -> Editor proposes to the board -> Modification votes -> Accepted or Rejected, then Published]
Data Sources
• Security Focus - SecurityFocus.com weekly Newsletters (http://www.securityfocus.com/vdb)
• Network Computing and the SANS Institute weekly Security Alert Consensus (http://archives.neohapsis.com/archives/securityexpress/current/)
• ISS - monthly Security Alert Summary (http://xforce.iss.net/alerts/summaries.php)
• NIPC CyberNotes - biweekly issues (http://www.nipc.gov/cybernotes.htm)
Reference Source
• AIXAPAR, ALLAIRE, ASCEND, ATSTAKE, AUSCERT, BID, BINDVIEW, BUGTRAQ, CALDERA, CERT, CERT-VN, CHECKPOINT, CIAC, CISCO, COMPAQ, CONECTIVA, CONFIRM, DEBIAN, EEYE, EL8, ERS, FREEBSD, FarmerVenema, FreeBSD, HERT, HP, IBM, INFOWAR, ISS, KSRT, L0PHT, MANDRAKE, MISC, MS, MSKB, NAI, NETBSD, NETECT, NTBUGTRAQ, NetBSD, OPENBSD, REDHAT, RSI, SCO, SEKURE, SF-INCIDENTS, SGI, SNI, SUN, SUNBUG, SUSE, TURBO, URL, VULN-DEV, WIN2KSEC, XF
Tips for using CVE
• Do not use general terms (e.g. buffer
overflow) to search
• Use exact process name (e.g. sendmail)
• Go to the “references” for Fix
IDWG
• Intrusion Detection Working Group
• Aims
– Define data format
– Define exchange procedure
• Outputs
– Requirement document
– Common intrusion language specification
– Framework document
IDMEF
• Standard data format (using XML)
• Interoperability
• Typical deployments:
– Sensor to Manager
– Database
– Event correlation system
– Centralized console
IDMEF Addressed Problems
• Inherently heterogeneous information
• Different sensor types
• Different analyzer capabilities
• Different operating systems
• Different objectives of commercial vendors
Message Classes (1)
• IDMEF-Message Class
• Alert Class
– ToolAlert
– CorrelationAlert
– OverflowAlert
• Heartbeat Class
Message Classes (2)
• Core Classes
– Analyzer
– Source
– Target
– Classification
– Additional Data
Message Classes (3)
• Time Class
– CreateTime
– DetectTime
– AnalyzerTime
Message Classes (4)
• Support Class
– Node
– User
– Process
– Service
Example
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE IDMEF-Message PUBLIC "-//IETF//DTD RFCxxxx IDMEF v0.3//EN" "idmef-message.dtd">
<IDMEF-Message version="0.3">
  <Alert ident="abc123456789" impact="successful-dos">
    <Analyzer analyzerid="hq-dmz-analyzer01">
      <Node category="dns">
        <location>Headquarters DMZ Network</location>
        <name>analyzer01.bigcompany.com</name>
      </Node>
    </Analyzer>
    <CreateTime ntpstamp="0x12345678.0x98765432">
      2000-03-09T10:01:25.93464-05:00
    </CreateTime>
    <Source ident="a1b2c3d4">
      <Node ident="a1b2c3d4-001" category="dns">
        <name>badguy.hacker.net</name>
        <Address ident="a1b2c3d4-002" category="ipv4-netmask">
          <address>123.234.231.121</address>
          <netmask>255.255.255.255</netmask>
        </Address>
      </Node>
    </Source>
    <Target ident="d1c2b3a4">
      <Node ident="d1c2b3a4-001" category="dns">
        <Address category="ipv4-addr-hex">
          <address>0xde796f70</address>
        </Address>
      </Node>
    </Target>
    <Classification origin="bugtraqid">
      <name>124</name>
      <url>http://www.securityfocus.com</url>
    </Classification>
  </Alert>
</IDMEF-Message>
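How a consumer (a manager, database loader or correlation engine) would read the message above, as an added example that is not from the presentation or from any IDMEF implementation: a standard-library Python parser that flattens the Alert's core classes into a dict and brings the ipv4-addr-hex target address into dotted-quad form. The embedded message is a constructed copy of the slide's example with the DOCTYPE dropped so no DTD is fetched.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample mirroring the slide's IDMEF v0.3 message (DOCTYPE omitted
# so the parser never goes looking for idmef-message.dtd).
SAMPLE = """<IDMEF-Message version="0.3">
 <Alert ident="abc123456789" impact="successful-dos">
  <Analyzer analyzerid="hq-dmz-analyzer01"><Node category="dns">
   <name>analyzer01.bigcompany.com</name></Node></Analyzer>
  <CreateTime ntpstamp="0x12345678.0x98765432">2000-03-09T10:01:25.93464-05:00</CreateTime>
  <Source ident="a1b2c3d4"><Node ident="a1b2c3d4-001" category="dns">
   <name>badguy.hacker.net</name>
   <Address ident="a1b2c3d4-002" category="ipv4-netmask">
    <address>123.234.231.121</address><netmask>255.255.255.255</netmask>
   </Address></Node></Source>
  <Target ident="d1c2b3a4"><Node ident="d1c2b3a4-001" category="dns">
   <Address category="ipv4-addr-hex"><address>0xde796f70</address></Address>
  </Node></Target>
  <Classification origin="bugtraqid"><name>124</name>
   <url>http://www.securityfocus.com</url></Classification>
 </Alert>
</IDMEF-Message>"""


def normalise_address(category, value):
    """Bring the address categories used in the slide to dotted-quad form.
    ipv4-addr-hex carries the 32-bit address as a hex literal (0xde796f70)."""
    if category == "ipv4-addr-hex":
        return str(ipaddress.IPv4Address(int(value, 16)))
    return str(ipaddress.IPv4Address(value))  # also validates the literal


def addresses(element):
    """Every <Address> below a Source or Target, normalised."""
    return [normalise_address(a.get("category"), a.findtext("address").strip())
            for a in element.iter("Address")]


def parse_alert(xml_text):
    """Flatten the core classes (Analyzer, Source, Target, Classification)
    of the first Alert in an IDMEF-Message into a plain dict."""
    alert = ET.fromstring(xml_text).find("Alert")
    cls = alert.find("Classification")
    return {
        "ident": alert.get("ident"),
        "impact": alert.get("impact"),
        "analyzer": alert.find("Analyzer").get("analyzerid"),
        "create_time": alert.findtext("CreateTime").strip(),
        "source": addresses(alert.find("Source")),
        "target": addresses(alert.find("Target")),
        "classification": (cls.get("origin"), cls.findtext("name").strip()),
    }
```

The classification tuple ("bugtraqid", "124") is what a console would use to cross-reference the alert against the CVE and Bugtraq sources listed earlier.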
Summary
• IDS Classification
• IDS Deployment Considerations
• How to choose an IDS
• Industry standards
HKCERT/CC
• Web - http://www.hongkongcert.org
• Telephone - 2788 6060
• Fax - 2190 9760
• Email - mailto:[email protected]
Reference
• http://cve.mitre.org/cve
• http://www.silicondefense.com/idwg/
• http://www.securityfocus.com/
Thank You
• For suggestions and corrections, please send email to [email protected] or [email protected]
Discussion
• SLA - cannot stop service immediately
• Switch to standby system if possible
• Contingency planning
• Trace the source; Track its activity