Transcript 06-IDS
Intrusion Detection Systems
1
Intrusion Detection
• An intrusion is any use or attempted use of a system that exceeds authentication limits
• Intrusions are similar to incidents
– An incident does not necessarily involve an active system or network device; an intrusion does
• An Intrusion Detection System (IDS) is a software- or hardware-based system that monitors network activity and delivers an alert if it notices suspicious activity
2
Intrusion Detection
• Security policies are either prohibitive or permissive
• An IDS is sensitive to configuration
• Possible types of IDS errors:
– False positive (unauthorized user let in)
– False negative (authorized user denied access)
– Subversion error (the IDS itself is compromised so that it fails to detect the intrusion)
3
Dealing with Intruders
• Intruders can be external or internal
– External intruders are hackers or crackers
– Internal intruders are more common and very dangerous
• Security policy should state what steps will be taken
to handle intrusions
• Block and ignore
– Simplest tactic for handling intrusions
– Block the intruder and address the vulnerability
– Don’t take any further action
4
Dealing with Intruders
• Block and investigate
– Block the intruder and address the vulnerability
– Collect evidence and try to determine intruder’s identity
– Investigate
• Honeypot (bait the intruder)
– Allow the intruder to access a part of your network
– Try to catch the intruder while he/she explores
– This is a potentially dangerous approach
• The intruder does have at least partial access
• Crackers may become interested in your site
5
Detecting Intruders
• An IDS monitors system activity in some way
• When it detects suspicious activity, it performs an
action
• Action is usually an alert of some type
– E-mail, cell phone, audible alert, etc. to a person or process
– For highly sensitive systems, out-of-band channel is used
• All IDS systems continuously sample system activity
and compare the samples to a database
6
IDS Principles
• Run unattended for extended periods of time
• Stay active and secure
• Recognize unusual activity
• Operate without unduly affecting the system’s activity
• Configurable
7
IDS Principles
[Diagram: the IDS cycle: Sample current activity -> Compare with database -> Decide what to do, repeated continuously]
8
IDS Taxonomy
• Misuse intrusion
– An attack against a known vulnerability
– Relatively easy to detect
• Anomaly intrusion
– An attack against a new vulnerability or one using an unknown set of actions
– Relatively difficult to detect
• Types of IDS that correspond to intrusion types:
– Signature-based
– Knowledge-based
9
IDS Taxonomy
• Signature-based IDS
– Detects misuse intrusions
– Maintains a database of attack signatures
– Compares current activity to database
– Database must be current and complete to be effective
• Knowledge-based IDS
– Detects anomaly intrusions
– Builds a profile of “normal” system activity over time
– Produces more false positives and requires more
administration
– Requires careful initial configuration
10
Thresholds
• A rule tells the IDS which packets to examine and what action
to take
– Similar to a firewall rule
– alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)
• alert specifies the action to take
• tcp specifies the protocol
• any any specifies the source: any IP address and any port
• 192.168.1.0/24 specifies the destination subnet
• 111 specifies the destination port
• content specifies the bytes that must appear in the payload (|...| encloses hex bytes)
• msg specifies the message to send with the alert
11
Thresholds
• Threshold is a value that represents the boundary of
normal activity
• Example: Maximum three tries for login
• Common thresholds:
– file I/O activity
– network activity
– administrator logins and actions
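The login threshold from the slide, worked through as an added example (not code from the slides): a sliding-window counter that alerts when one source exceeds three failed logins within a fixed window. The log lines are constructed sshd-style samples, and the function and parameter names are this example's own; the window matters because the same four failures spread over twenty minutes do not cross the threshold.

```python
# Added example (not from the slides): a threshold detector that raises an
# alert when a source exceeds max_tries failed logins inside a sliding window.
# The log lines are constructed sshd-style samples, not real data; the
# function and parameter names are this example's own.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one source fails four times in 11 seconds, another
# fails four times spread over 19 minutes, then succeeds.
SAMPLE_LOG = """\
Mar 10 12:00:01 host sshd[101]: Failed password for alice from 203.0.113.7 port 5001 ssh2
Mar 10 12:00:05 host sshd[102]: Failed password for alice from 203.0.113.7 port 5002 ssh2
Mar 10 12:00:09 host sshd[103]: Failed password for alice from 203.0.113.7 port 5003 ssh2
Mar 10 12:00:12 host sshd[104]: Failed password for alice from 203.0.113.7 port 5004 ssh2
Mar 10 12:01:00 host sshd[105]: Failed password for bob from 198.51.100.4 port 6001 ssh2
Mar 10 12:05:00 host sshd[106]: Failed password for bob from 198.51.100.4 port 6002 ssh2
Mar 10 12:10:00 host sshd[107]: Failed password for bob from 198.51.100.4 port 6003 ssh2
Mar 10 12:20:00 host sshd[108]: Failed password for bob from 198.51.100.4 port 6004 ssh2
Mar 10 12:20:30 host sshd[109]: Accepted password for bob from 198.51.100.4 port 6005 ssh2
"""

FAILED_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port'
)


def parse_failed_login(line, year=2024):
    """Return (timestamp, user, source) for a failed-login line, or None for any other line."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year, so one is supplied to build a full datetime
    ts = datetime.strptime(f"{year} {m.group('ts')}", '%Y %b %d %H:%M:%S')
    return ts, m.group('user'), m.group('src')


def detect_login_threshold(log_text, max_tries=3, window_minutes=5):
    """Sliding-window threshold: alert on the attempt that pushes a source past
    max_tries failures within window_minutes. Returns a list of
    (source, timestamp_of_alert, failures_in_window)."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)          # source -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        event = parse_failed_login(line)
        if event is None:
            continue
        ts, _user, src = event
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) > max_tries:
            alerts.append((src, ts, len(q)))
            q.clear()                    # reset so one burst yields one alert
    return alerts


if __name__ == '__main__':
    for src, when, n in detect_login_threshold(SAMPLE_LOG):
        print(f'ALERT {when:%H:%M:%S}: {n} failed logins from {src} within 5 minutes')
```

Running it reports one alert, for 203.0.113.7 at 12:00:12; widening the window to 30 minutes makes the slow sequence from 198.51.100.4 cross the threshold as well, which is why the threshold value and the window are tuned together.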
12
Snort IDS
• Snort is an example of an IDS
– Freeware
– UNIX and Windows
• A highly configurable packet sniffer
• Analyzes network traffic in real time
• www.snort.org
13
Snort IDS
• Snort sniffs a packet from the network
– Preprocessor looks at the packet header and decides
whether to analyze it further
– Detection engine compares pattern from rules to the packet
payload
– If payload matches, then appropriate action is taken
• Snort can be used in a plain packet sniffer mode or in
full IDS mode
• Snort has numerous configurable options
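The rule from the Thresholds slide and the sniff, preprocess, detect, act pipeline described above, worked through as one added example (not Snort's own code): a small engine that parses the rule's header and options, checks the packet header first, looks for the content bytes in the payload, and returns the rule's action and message on a match. The rule grammar is a simplified subset of Snort's, the packets are constructed, and the Packet type and all function names are this example's own.

```python
# Added example (not Snort's own code): a minimal signature-based engine that
# follows the stages described in the slides: a cheap header check (standing
# in for the preprocessor), a detection engine that looks for the rule's
# content bytes in the payload, and the rule's action on a match. The rule
# grammar is a small subset of Snort's; the Packet type and all function
# names are this example's own.
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# The rule from the slide (the classic example from the Snort documentation).
SAMPLE_RULE = 'alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)'


@dataclass
class Rule:
    action: str
    proto: str
    src_ip: str
    src_port: str
    dst_ip: str
    dst_port: str
    content: bytes
    msg: str


@dataclass
class Packet:          # constructed stand-in for a decoded packet
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


RULE_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s*->\s*(\S+)\s+(\S+)\s*\((.*)\)\s*$')


def parse_content(spec: str) -> bytes:
    """Snort content syntax: text outside |...| is literal, text inside is hex bytes."""
    out = bytearray()
    for i, part in enumerate(spec.split('|')):
        if i % 2:                                   # odd chunks sit between | and |
            out += bytes.fromhex(part.replace(' ', ''))
        else:
            out += part.encode('latin-1')
    return bytes(out)


def parse_rule(text: str) -> Rule:
    """Split 'action proto src sport -> dst dport (options)' into a Rule."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f'unsupported rule syntax: {text}')
    action, proto, sip, sport, dip, dport, body = m.groups()
    opts = {}
    for opt in body.split(';'):
        key, _, value = opt.strip().partition(':')
        if key:
            opts[key.strip()] = value.strip().strip('"')
    return Rule(action, proto, sip, sport, dip, dport,
                parse_content(opts.get('content', '')), opts.get('msg', ''))


def addr_matches(spec: str, ip: str) -> bool:
    return spec == 'any' or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    return spec == 'any' or int(spec) == port


def header_matches(rule: Rule, pkt: Packet) -> bool:
    """Preprocessor stage: decide from the header whether the payload is worth inspecting."""
    return (rule.proto == pkt.proto
            and addr_matches(rule.src_ip, pkt.src_ip) and port_matches(rule.src_port, pkt.src_port)
            and addr_matches(rule.dst_ip, pkt.dst_ip) and port_matches(rule.dst_port, pkt.dst_port))


def inspect(rule: Rule, pkt: Packet) -> Optional[str]:
    """Detection engine: 'action: msg' when header and content both match, else None."""
    if not header_matches(rule, pkt):
        return None
    if rule.content and rule.content not in pkt.payload:
        return None
    return f'{rule.action}: {rule.msg}'


def run(rules: List[Rule], packets: List[Packet]) -> List[str]:
    """Apply every rule to every packet and collect the resulting alert strings."""
    hits = []
    for pkt in packets:
        for rule in rules:
            hit = inspect(rule, pkt)
            if hit:
                hits.append(hit)
    return hits


# Constructed packets: a payload containing the bytes 00 01 86 a5 sent to the
# watched subnet, the same payload sent to another subnet, and benign traffic.
RPC_CALL = b'\x80\x00\x00\x28\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x86\xa5'
SAMPLE_PACKETS = [
    Packet('tcp', '10.0.0.5', 40000, '192.168.1.10', 111, RPC_CALL),
    Packet('tcp', '10.0.0.5', 40001, '192.168.2.10', 111, RPC_CALL),
    Packet('tcp', '10.0.0.5', 40002, '192.168.1.10', 111, b'\x80\x00\x00\x10hello'),
]

if __name__ == '__main__':
    for alert in run([parse_rule(SAMPLE_RULE)], SAMPLE_PACKETS):
        print(alert)       # one line: alert: mountd access
```

Only the first packet produces an alert: the second fails the header check before its payload is ever examined, and the third passes the header check but lacks the content bytes. Keeping the header check first is what lets a real engine skip payload inspection for most of the traffic.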
14
Network-Based vs Host-Based
• IDS systems are classified by their intended locations
• A network-based IDS monitors all traffic on a
network segment
– Can detect intrusions that cross a specific network segment
– Administrators sometimes place one inside and one outside
of a firewall
– Will not see traffic that passes between LAN computers
18
Network-Based vs Host-Based
• Host-based IDS examines all traffic and activity for a
particular machine
– Can examine system log files as well as inbound and
outbound packets
– Each system requires its own IDS
• Best choice is to use both network-based and host-based IDS in an organization
• Many firewalls provide some IDS functionality
19
Network-Based IDS
[Slide content not captured in the transcript]
20
Choosing an Appropriate IDS
• Determine organizational security needs
• Review the different IDS packages available
• Medium to large organizations commonly use both network-based and host-based IDS
21
Security Auditing with an IDS
• Must have periodic security audits
– Sometimes mandated by law or by corporate structure
• IDS can contribute to a complete audit
• Many host-based IDS can scan and analyze system
log files
– They can act as a filter for various behaviors
• Port-sniffing IDS can help to profile network activity
22
Intrusion Prevention System
• An IPS applies the detection knowledge of an IDS and responds in an automated manner
• Usually an IPS is a combination of a firewall and an IDS
• IPSs come in different forms:
– NIDS with two NICs
– Inline NIDS
– Inline NIDS with scrubber
23
Intrusion Prevention System
• An IPS with two NICs is configured as follows:
– One NIC has an IP address and handles traffic management
– The second NIC has no IP address and is used only for detecting attacks
24
IPS with two NICs
[Diagram: network traffic flows past the server with IPS; a copy of the traffic is fed to NIC1, which has no IP address, while NIC2 has an IP address]
25
IPS with inline NIDS
[Diagram: network traffic enters through one NIC of the server with IPS and leaves through a second NIC, so the IPS sits inline; a third NIC has an IP address]
26
IPS with scrubber
[Diagram: network traffic enters through one NIC of the server with IPS and leaves through a second NIC, with a third NIC that has an IP address; a malicious packet ("$%&&^#@@*&* &^%$$#+!!*(+%% ^^$##@*&&^") passing through the IPS is rewritten into a scrubbed packet with the malicious code rendered inactive]
27
IPS Enhancements
• Traditionally, switches work at OSI layer 2
• Most vulnerabilities are in applications
• Layer 7 switches control which applications go to which server
• Layer 7 switches also help with load balancing
• A Layer 7 switch inspects application protocols such as HTTP, SMTP and DNS and decides which server to route the application packets to
• Handles DoS and DDoS attacks
28
IPS Enhancements
• IPS systems first profile applications
• This helps identify the normal access behavior and functionality of applications
29
IPS Scenario
Traffic from internet:
– User: GET /
– User: GET /default.asp
– Attacker: GET /passwd.txt
– User: GET /login.asp
Policy:
– Allow: GET /
– Allow: GET /default.asp
– Allow: GET /login.asp
– Allow: /public/default.html
– Implicitly deny other requests
Traffic to internal network:
– User: GET /
– User: GET /default.asp
– User: GET /login.asp
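The scenario above as an added example (not code from the slides): an application-layer allow-list with implicit deny applied to the listed HTTP requests. The policy entries are the slide's; the request list is constructed; treating a policy entry without a method as allowed for any method, and canonicalizing paths before matching, are this example's own choices.

```python
# Added example (not from the slides): an application-layer allow-list with
# implicit deny, applied to the requests of the IPS scenario. The policy
# lines are the slide's; the request list is constructed, and the handling of
# a rule without a method (allowed for any method) is this example's assumption.
import posixpath
from typing import List, Optional, Tuple

POLICY = [
    'GET /',
    'GET /default.asp',
    'GET /login.asp',
    '/public/default.html',
]

Request = Tuple[str, str, str]   # (who, method, path); 'who' is only a label for the demo


def parse_policy_rule(rule: str) -> Tuple[Optional[str], str]:
    """'GET /x' -> ('GET', '/x'); a bare path -> (None, path), meaning any method (assumption)."""
    parts = rule.split()
    if len(parts) == 2:
        return parts[0].upper(), parts[1]
    return None, parts[0]


def canonical_path(path: str) -> str:
    """Compare the path the server would actually resolve: drop query string and
    fragment, and collapse '.' and '..' segments so that '/public/../passwd.txt'
    is judged as '/passwd.txt' rather than slipping past a rule for /public."""
    path = path.split('?', 1)[0].split('#', 1)[0]
    if not path.startswith('/'):
        path = '/' + path
    return posixpath.normpath(path)


def is_allowed(method: str, path: str, policy: List[str] = POLICY) -> bool:
    target = canonical_path(path)
    for rule_method, rule_path in map(parse_policy_rule, policy):
        if (rule_method is None or rule_method == method.upper()) and rule_path == target:
            return True
    return False                     # implicit deny: no rule matched


def filter_requests(requests: List[Request], policy: List[str] = POLICY):
    """Split traffic from the internet into what reaches the internal network and what is dropped."""
    forwarded, blocked = [], []
    for req in requests:
        (forwarded if is_allowed(req[1], req[2], policy) else blocked).append(req)
    return forwarded, blocked


# Constructed traffic from the internet, in the order shown on the slide.
INTERNET_TRAFFIC: List[Request] = [
    ('User', 'GET', '/'),
    ('User', 'GET', '/default.asp'),
    ('Attacker', 'GET', '/passwd.txt'),
    ('User', 'GET', '/login.asp'),
]

if __name__ == '__main__':
    fwd, blk = filter_requests(INTERNET_TRAFFIC)
    for who, m, p in fwd:
        print(f'to internal network: {who}: {m} {p}')
    for who, m, p in blk:
        print(f'dropped:             {who}: {m} {p}')
```

The three user requests reach the internal network and the request for /passwd.txt is dropped because no rule names it. The profiling step mentioned on the previous slides is what produces such an allow-list in practice: the entries are the requests the application is observed to need, and everything else falls under the implicit deny.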
30
Commercial IPSs
• Hogwash (http://hogwash.sourceforge.net/oldindex.html)
• ISS Guard (http://www.iss.net/products_services/enterprise_protection/rsnetwork/guard.php)
• Netscreen (http://www.juniper.net/products/)
• Tipping Point (http://www.tippingpoint.com/products_ips.html)
• Intruvert (http://www.mcafee.com/us/products/mcafee/network_ips/category.htm?cid=10355)
31