Transcript: Chapter 12, Intrusion Detection
Learning Objectives
  Explain what intrusion detection systems are and identify some major characteristics of intrusion detection products
  Detail the differences between host-based and network-based intrusion detection
  Identify active detection and passive detection features of both host- and network-based IDS products
  Explain what honeypots are and how they are employed to increase network security
  Clarify the role of security incident response teams in the organization
Intrusion Detection System (IDS)
  Detects malicious activity in computer systems
  Identifies and stops attacks in progress
  Conducts forensic analysis once the attack is over
The Value of IDS
  Monitors network resources to detect intrusions and attacks that were not stopped by preventative techniques (firewalls, packet-filtering routers, proxy servers)
  Expands the available options to manage risk from threats and vulnerabilities
Negatives and Positives
  IDS must correctly identify intrusions and attacks
    True positives
    True negatives
    False negatives: IDS missed an attack
    False positives: benign activity reported as malicious
Dealing with False Negatives and False Positives
  False negatives
    Obtain more coverage by using a combination of network-based and host-based IDS
    Deploy NIDS at multiple strategic locations in the network
  False positives
    Reduce their number using the tuning process
Types of IDS
  Network-based (NIDS)
  Host-based (HIDS)
Network-based IDS
  Uses a dedicated platform for the purpose of monitoring network activity
  Analyzes all passing traffic
  Sensors have two network connections
    One operates in promiscuous mode to sniff passing traffic
    An administrative NIC sends data such as alerts to a centralized management system
  Most commonly employed form of IDS
NIDS Architecture
  Place IDS sensors strategically to defend the most valuable assets
  Typical locations of IDS sensors
    Just inside the firewall
    On the DMZ
    On network segments connecting mainframe or midrange hosts
Switch Port Analyzer (SPAN)
  Allows traffic sent or received on one interface to be copied to another, monitoring interface
  Typically used for sniffers or NIDS sensors
How SPAN Works (figure slide; diagram not in transcript)
Limitations of SPAN
  Traffic between hosts on the same segment is not monitored; only traffic leaving the segment crosses the monitored link
  Switch may offer a limited number of SPAN ports or none at all
Hub
  Device for creating LANs that forwards every packet received to every host on the LAN
  Allows only a single port to be monitored
Using a Hub in a Switched Infrastructure (figure slide; diagram not in transcript)
Tap
  Fault-tolerant hub-like device used inline to provide IDS monitoring in switched network infrastructures
NIDS Signature Types
  Signature-based IDS
    Port signatures
    Header signatures
Network IDS Reactions
  TCP resets
  IP session logging
  Shunning or blocking
Host-based IDS
  Primarily used to protect only critical servers
  Software agent resides on the protected system
  Detects intrusions by analyzing logs of operating systems and applications, resource utilization, and other system activity
  Use of resources can have an impact on system performance
HIDS Method of Operation
  Auditing logs (system logs, event logs, security logs, syslog)
  Monitoring file checksums to identify changes
  Elementary network-based signature techniques, including port activity
  Intercepting and evaluating requests by applications for system resources before they are processed
  Monitoring of system processes for suspicious activity
HIDS Software
  Host wrappers
    Inexpensive and deployable on all machines
    Do not provide the in-depth, active monitoring measures of agent-based HIDS products
  Agent-based software
    More suited for single-purpose servers
HIDS Active Monitoring Capabilities
  Log the event
  Alert the administrator
  Terminate the user login
  Disable the user account
Advantages of Host-based IDS
  Verifies success or failure of an attack by reviewing HIDS log entries
  Monitors user and system activities; useful in forensic analysis of the attack
  Protects against attacks that are not network based
  Reacts very quickly to intrusions
  Not reliant on particular network infrastructure; not limited by switched infrastructures
  Installed on the protected server itself; requires no additional hardware to deploy and no changes to network infrastructure
Passive Detection Systems
  Can take passive action (logging and alerting) when an attack is identified
  Cannot take active actions to stop an attack in progress
Active Detection Systems
  Have the logging, alerting, and recording features of passive IDS, with the additional ability to take action against offending traffic
  Options
    IDS shunning or blocking
    TCP reset
  Used in networks where the IDS administrator has carefully tuned the sensor’s behavior to minimize the number of false positive alarms
TCP Reset (figure slide; diagram not in transcript)
Signature-based and Anomaly-based IDS
  Signature detection
    Also known as misuse detection
    IDS analyzes the information it gathers and compares it to a database of known attacks, which are identified by their individual signatures
  Anomaly detection
    A baseline is defined to describe the normal state of the network or host
    Any activity outside the baseline is considered to be an attack
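Added example, not from the slides: the two detection methods side by side on constructed flow records, with the result scored as the true/false positives and negatives defined on the Negatives and Positives slide. The port 31337 and SYN+FIN signatures, the baseline counts and the IP addresses are all made up for the illustration.

```python
import statistics
from collections import Counter

# Constructed flow records, not from the slides: (src_ip, dst_port, tcp_flags)
FLOWS = (
    [("10.0.0.5", 80, "S")] * 2        # benign, quiet
    + [("10.0.0.6", 80, "S")] * 6      # benign but unusually busy
    + [("10.0.0.7", 31337, "S")]       # matches a port signature
    + [("10.0.0.8", 22, "SF")]         # matches a header signature (SYN+FIN)
    + [("10.0.0.9", 80, "S")] * 40     # floods the server
    + [("10.0.0.10", 22, "S")]         # attacker whose traffic looks normal
)
MALICIOUS = {"10.0.0.7", "10.0.0.8", "10.0.0.9", "10.0.0.10"}  # constructed ground truth
# Per-source connection counts seen during an attack-free baseline period (constructed)
BASELINE = [3, 2, 4, 3, 3]
# Hypothetical signature database: one port signature and one header signature
PORT_SIGNATURES = {31337: "connection to port 31337"}
HEADER_SIGNATURES = {"SF": "SYN and FIN set together"}

def signature_alerts(flows):
    """Misuse detection: each flow is compared against the known-attack database."""
    alerts = set()
    for src, dport, flags in flows:
        if dport in PORT_SIGNATURES:
            alerts.add((src, "port-signature", PORT_SIGNATURES[dport]))
        if flags in HEADER_SIGNATURES:
            alerts.add((src, "header-signature", HEADER_SIGNATURES[flags]))
    return alerts

def anomaly_alerts(flows, baseline_counts, k=3.0):
    """Anomaly detection: a source is outside the baseline when its connection
    count exceeds the baseline mean by more than k standard deviations."""
    limit = statistics.mean(baseline_counts) + k * statistics.pstdev(baseline_counts)
    per_src = Counter(src for src, _, _ in flows)
    return {(src, "anomaly", f"{n} connections, limit {limit:.1f}")
            for src, n in per_src.items() if n > limit}

def evaluate(alerts, flows, malicious):
    """Score per source host: true/false positives and negatives."""
    flagged = {a[0] for a in alerts}
    sources = {src for src, _, _ in flows}
    return {"true_positives": len(flagged & malicious),
            "false_positives": len(flagged - malicious),
            "false_negatives": len((sources - flagged) & malicious),
            "true_negatives": len(sources - flagged - malicious)}

def run():
    alerts = signature_alerts(FLOWS) | anomaly_alerts(FLOWS, BASELINE)
    return alerts, evaluate(alerts, FLOWS, MALICIOUS)
```

The busy benign host is the false positive that tuning would address, and the quiet attacker is the false negative that neither method can see, which is the argument for combining NIDS and HIDS coverage.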
Intrusion Detection Products
  Aladdin Knowledge Systems
  Entercept Security Technologies
  Cisco Systems, Inc.
  Computer Associates International Inc.
  CyberSafe Corp.
  Cylant Technology
  Enterasys Networks Inc.
  Internet Security Systems Inc.
  Intrusion.com Inc. family of IDS products
Honeypots
  False systems that lure intruders and gather information on the methods and techniques they use to penetrate networks, by purposely becoming victims of their attacks
  Simulate unsecured network services
  Make the forensic process easy for investigators
Commercial Honeypots
  ManTrap
  Specter
  Smoke Detector
  NetFacade
Open Source Honeypots
  BackOfficer Friendly
  BigEye
  Deception Toolkit
  LaBrea Tarpit
  Honeyd
  Honeynets
  User Mode Linux
Honeypot Deployment
  Goal
    Gather information on hacker techniques, methodology, and tools
  Options
    Conduct research into hacker methods
    Detect an attacker inside the organization’s network perimeter
Honeypot Design
  Must attract, and avoid tipping off, the attacker
  Must not become a staging ground for attacking other hosts inside or outside the firewall
Honeypots, Ethics, and the Law
  Nothing wrong with deceiving an attacker into thinking that he/she is penetrating an actual host
  Honeypot does not convince one to attack it; it merely appears to be a vulnerable target
  Doubtful that honeypots could be used as evidence in court
Incident Response
  Every IDS deployment should include two documents to answer “what now” questions
    IDS monitoring policy and procedure
      Requires well-documented monitoring procedures that detail actions for specific alerts
    Incident response plan
      Responsible for assigning personnel to assemble the resources required to handle security incidents
Typical SIRT Objectives
  Determine how the incident happened
  Establish a process for avoiding further exploitation of the same vulnerability
  Avoid escalation and further incidents
  Assess the impact and damage of the incident
  Recover from the incident
Chapter Summary
  Two major types of intrusion detection
    Network-based IDS (monitor network traffic)
    Host-based IDS (monitor activity on individual computers)
  Honeypots
  Incident response