Transcript Network Intrusion Detection Systems

Network Intrusion Detection Systems
Ali Shayan
October 2008
Introduction
• Intrusion – an attempt to compromise or misuse a
computer system or network.
• Network Intrusion Detection System (NIDS) monitors
packets on the network wire and attempts to discover
if hackers are attempting to break into a system or
cause a DOS.
• NIDS can run on the target or independent system.
• Network NIDS monitor many machines.
• System Integrity Verifiers (SIV) monitor system files to
detect trojan versions of system binaries. It may log
the attempt as it occurs.
2
Introduction
• Log File Monitors (LFM) monitor log files generated
by network services.
• Deception Systems aka honeypots, fly-traps contain
pseudo-services that emulate well-known holes in an
attempt to trap hackers.
• Intruders – outsiders or insiders
3
How do Intruders Get In?
• Physical Intrusion – console passwords,
disk removal, etc.
• System Intrusion – hacker has a low
privilege account on the system and uses
a tool that exploits a weakness to gain
system privilege.
• Remote Intrusion – gains access via a
remote service on the system.
4
Intrusion Detection
• Process of identifying and responding to malicious
activities targeted against networks and its resources
• System that performs intrusion detection is called
Intrusion Detection System (IDS)
– complements prevention techniques (e.g. firewalls)
• defense mechanism behind outer barrier
• works against insiders
– important market for security companies (ISS, Cisco)
5
Intrusion Detection
• Type of IDSs
– Material-based
• HIDS (Host-based Intrusion Detection System)
• NIDS (Network-based Intrusion Detection System)
– Detection Techniques
• Misuse based / Signature based
• Anomaly based
• Hybrid
6
Intrusion Detection Techniques
• Misuse-based / Signature-based
– observed behavior is compared against description of known,
undesirable behavior (signatures)
– intrusion assumed when signature spotted in input data
– comparable to virus scanner
– all commercial systems follow this approach
– Advantages
• accurate reports (low false positive rate)
– Disadvantages
• needs continous update of signatures (like virus scanner)
• unable of detecting novel intrusions
7
Intrusion Detection Techniques
• Anomaly based
– behavior is compared against description of anticipated, legal behavior
(profile)
– intrusion assumed when deviation between input and profile significant
– statistical methods, AI techniques (neural networks)
– Advantages
• capable of detecting novel attacks
– Disadvantages
• difficult to configure / train
• high number of false alarms (incorrect detects)
8
Intrusion Detection Domains
• Network based
– input data is gathered from the network
– packet sniffer, protocol analysis
– Advantages
– complete set of events
– access to events related to multiple hosts from a single sampling
point
– Disadvantages
– performance issues (reassembling , de-fragmenting)
– switched architectures
– encryption
– discrepancies between sensor and target viewpoint (eg. encryption,
TTL, ...)
9
Network Based Detection
• Sample IDS‘s Idea
– “Insertion, Evasion and Denial of Service”
– bases on different TCP/IP stack implementations in case of nonstandard packets (header flags, options)
– TTL too short to reach target
– different timeout policy for IP fragments / TCP segments
– different reassembly policy in case of overlapping data
• NT, Solaris favour old data
• Linux, FreeBSD, OpenBSD favour new data
10
Network Based Detection
• Commercial systems
– RealSecure (ISS)
– Juniper (Juniper Networks Intrusion Prevention)
– Cisco (Cisco IPS 4200 Series Sensors)
• Academic systems
–
–
–
–
NFR (Marcus Ranum)
NetSTAT (UCSB)
Emerald (SRI)
Bro
• Snort (http://www.snort.org)
–
–
–
–
designed to be lightweight and fast
based on libpcap (reads/writes tcpdump files)
simple rule-based analysis engine
simple pattern-matching functionalities
11
Intrusion Detection Domains
• Host based
– produce data related to host activity
– two main sources
• operating system
– Syslog Daemon, klogd
– Linux – LIDS
– Solaris Auditing – Basic Security Model (BSM)
– Windows NT Events
• application level
– Apache logs
– ftpd logs
12
Intrusion Detection Domains
• Syslog
– Logging facility available in all UNIX system
– accessible through syslog() that sends a log message to
syslogd/klogd
• Syslog message
– Indentity - usually the program name
– Facility - specifies the source of the message (kernel, user, mail,
lpr, authpriv, daemon)
– Level - determines the importance of the message (emerg, alert,
crit, err, warning, notice, info, debug)
– Text message
13
Intrusion Detection Challanges
• Recognize malicious actions in the huge stream of events provided
by network monitors and host auditing facilities
• Detect intrusions in real-time
• Correlate detection results within and across security domains
• Integrate different systems so that all techniques (anomaly, misuse)
and domains (host, network) are covered
• Deploy ID systems in very different environments and take into
account the characteristics of the protected computer networks
14
Where to locate IDS
•
•
•
•
•
Network hosts
Network Perimeter
WAN/LAN Backbone
Server farms
Need to be on low-bandwidth nets to keep up with traffic.
15
Fitting IDS with Security Framework
• Put firewalls between networks with different security
requirements.
• Use scanners to check for exploits.
• Set host policy to conform with standards.
• Use NIDS to see what is actually happening.
• Use Host based IDS to flag intrusions.
• Create effective IRP.
16
Sample IDS Placement
IDS #1
INTERNET
INTERNAL
NETWORK
FIREWALL
IDS #3
IDS #2
IDS #4
IDS #1 – FW don’t produce enough info to effectively detect hits.
IDS #2 – detects attacks that penetrate the FW
IDS #3 – detects attacks attempted against the FW
IDS #4 – Insider attacks will be detected
17
Attacks Against the NIDS
• Blind the sensor with high traffic rates.
• Blind the event storage. Use decoy scans to fill up log
space.
• DOS
• Packet Fragmentation
• Slow Scan
• Coordinated low-bandwidth attacks
• Address spoofing
• Pattern Change
18
Questions to ask IDS Vendors
•
•
•
•
•
•
•
How Much?
What do signature updates cost?
What traffic level blinds the IDS?
How easy to evade?
How scalable is it?
How many signatures does it support?
What IR features are included?
19