Transcript Lesson15

Monitoring, Logs, and Intrusion
Detection Systems
Lesson 15
Are Firewalls Enough?
You have the world's best firewall, your Windows computers update their antivirus
software regularly and your Information Security staffers enforce your policies with an
iron fist. Does this mean you're safe?
Maybe not. In 1998, a news story asserted that the firewall for the New York Times was
one of the best. Yet at 7:08 a.m. on Sunday, Sept. 13, 1998, someone on the paper's
network e-mailed reporters:
...COM3 V1S1T HTTP://WWW.NYTIMES.COM AND S33 0UR LAT3ST P13C3 0F
ART. 1F 1T D0ESN'T L0AD, JUST H1T 'REL0AD' A F3W T1MES. CL3V3R
ADMINZ HAD S0M3 W3IRD CR0NTABZ OR S0METHING.
0H. W3 0WN YOU. Y0U JUST HAV3NT N0T1C3D US 0N Y3R N3TW0RK Y3T.
UNT1L THE N3XT T1M3...
No one at the Times had noticed weeks' worth of the Hacking for Girliez gang on their
network. The intruders finally chose to go public by defacing the front page of the paper's
Web site, on the day the Times expected millions of visitors to view the Monica
Lewinsky transcripts. Instead, visitors encountered soft porn . . .
Intrusion and Misuse Detection

Remember the operational model of security:
protection = prevention + (detection + response)
- Access controls and filters seek to prevent unauthorized or damaging activity.
- Intrusion and misuse detection mechanisms aim to detect it at its outset or after the fact.
- Has its roots in audit log files.
- Operates on the principle that it is neither practical nor feasible to prevent all attacks.

Intrusion Detection
- Can be manual (review of logs), automated, or a combination.
- Closely related to monitoring. Workplace monitoring is used to
  - ensure quality,
  - assess performance, and
  - comply with regulations (e.g. ensure stockbrokers aren't using high-pressure tactics in violation of stock exchange rules).
Audit Trails
Early intrusion detection involved reviewing system log or audit files.
- What events can be audited varies from system to system.
- Examples of auditable events include
  - reading/opening of a file,
  - writing to or modifying a file,
  - creation or deletion of an object,
  - logins and logouts,
  - other administrative actions, and
  - special operations (e.g. changing a password).
NT and 2000 Logging

Primarily 3 types of event logs, found in \WINNT\system32\config:
- AppEvent.evt – the application log
- SecEvent.evt – the security log (audit events; only written once auditing is enabled)
- SysEvent.evt – the system log
Logs are viewed with the Event Viewer, found under Administrative Tools.
- Each log file has a maximum size. When that size is reached the system can
  - overwrite events older than a certain number of days,
  - overwrite events as needed, or
  - stop logging until the log is cleared manually (and, with the CrashOnAuditFail setting, halt the system when the security log fills rather than run unaudited).
Unix Logging

Several sources of log files in Unix:
- syslog – the system log (messages from the kernel and daemons, routed by facility and priority)
- sulog – records attempts to switch user (su), successful and failed
- utmp – keeps track of users currently logged on
- wtmp – stores historical data on login, logout, shutdown, and restart events
- lastlog – tracks each user's most recent login time and the point of origin of the user. Successful and unsuccessful logins can be tracked.
  - At login, this information (about the last login) is often displayed to the user.
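Manual review of these files does not scale, so the first automated step is usually a script over the authentication log. The following is an added example, not part of the lecture: it parses constructed syslog-style sshd lines (the host name, addresses and PIDs are made up) and applies two rules per source address, a burst of failed logins, and a successful login that follows failures from the same source within the window. The year is assumed, since syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in classic syslog format (no year); not taken from a real host.
SAMPLE_AUTH_LOG = """\
Mar  3 09:14:02 host1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 09:14:04 host1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar  3 09:14:05 host1 sshd[2214]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  3 09:14:07 host1 sshd[2216]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar  3 09:14:09 host1 sshd[2218]: Accepted password for root from 203.0.113.7 port 51026 ssh2
Mar  3 09:20:31 host1 sshd[2301]: Failed password for alice from 192.0.2.10 port 40010 ssh2
Mar  3 09:21:00 host1 sshd[2303]: Accepted publickey for alice from 192.0.2.10 port 40011 ssh2
Mar  3 09:22:00 host1 su: pam_unix(su:session): session opened for user root by alice(uid=1000)
"""

# syslog header: "Mon dd hh:mm:ss host proc[pid]: message"
LINE_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<proc>[\w./-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# sshd authentication outcome lines
SSH_RE = re.compile(
    r"^(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_auth_log(text, year=2000):
    """Return sshd login events as dicts; lines from other daemons are skipped.
    syslog omits the year, so one is assumed (parameter) to build a datetime."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proc"] != "sshd":
            continue
        s = SSH_RE.match(m["msg"])
        if not s:
            continue
        ts = datetime.strptime(f"{m['month']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
        events.append({"ts": ts.replace(year=year), "host": m["host"],
                       "result": s["result"], "user": s["user"], "src": s["src"]})
    return events


def detect_ssh_bruteforce(events, threshold=4, window=60, min_failures_before_success=2):
    """Two rules over a sliding window per source address:
    - 'bruteforce': at least `threshold` failures within `window` seconds;
    - 'success_after_failures': an Accepted login preceded by failures from the
      same source inside the window (the case worth paging someone for)."""
    alerts = []
    failures = defaultdict(list)   # src -> timestamps of recent failures
    already_fired = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        src, now = ev["src"], ev["ts"]
        recent = [t for t in failures[src] if (now - t).total_seconds() <= window]
        failures[src] = recent
        if ev["result"] == "Failed":
            recent.append(now)
            if len(recent) >= threshold and src not in already_fired:
                already_fired.add(src)
                alerts.append({"type": "bruteforce", "src": src,
                               "failures": len(recent), "at": now})
        elif len(recent) >= min_failures_before_success:
            alerts.append({"type": "success_after_failures", "src": src,
                           "user": ev["user"], "failures": len(recent), "at": now})
    return alerts


if __name__ == "__main__":
    for alert in detect_ssh_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(alert)
```

Run against the sample, the script raises one brute-force alert for 203.0.113.7 and then a second, more serious one when that same source gets in as root; alice's single typo followed by a key login stays quiet because of the minimum-failure threshold. The su line is parsed but ignored here; a fuller script would correlate it with the preceding login.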
Intrusion Detection Systems

Various types of activities that an IDS checks for
Attempted/successful break-ins
Masquerading
Penetration by legitimate users
Leakage by legitimate users
Inference by legitimate users
Trojan horses
Viruses
Denial-of-service
Approaches to IDS
- Misuse detection: define what attacks (abnormal behavior) look like and detect them.
- Anomaly detection: define what normal activity looks like and detect deviations from it.
Methods to perform IDS
- Four major methods have been attempted to perform intrusion detection:
  - User Profiling
  - Intruder Profiling
  - Signature Analysis
  - Action-based (attack "signatures")
User Profiling
Basic premise: the identity of any specific user can be described by a profile of commonly performed actions.
- The user's pattern of behavior is observed and established over a period of time.
- Each user tends to
  - use certain commands more than others,
  - access the same files,
  - log in at certain times and at specific frequencies, and
  - execute the same programs.
- A user profile can be established based on these activities and maintained through frequent updating.
- A masquerading intruder will not match this profile.
User Profiling

Types of activity to record may include
- CPU and I/O usage
- Connect time and time of connection as well as duration
- Location of use
- Command usage
- Mailer usage
- Editor and compiler usage
- Directories and files accessed/modified
- Errors
- Network activity
The initial profile takes time to build and can generate many alarms.
- Weighted actions are often used (more recent activities count for more than activities accomplished in the past).
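To make the weighting concrete, here is an added example (not from the lecture) of a user profile built from constructed session histories. Each update multiplies the existing counts by a decay factor before adding the new session, so recent behaviour dominates; a session is scored by how surprising its commands and login hour are under the profile. The history, the decay factor and the alert threshold are all assumptions for illustration.

```python
import math
from collections import Counter

# Constructed login history for one user: (login hour, commands typed), oldest first.
ALICE_HISTORY = [
    (9,  ["ls", "cd", "vi", "make", "gcc", "ls", "vi", "make"]),
    (10, ["ls", "vi", "make", "gcc", "ls", "mail", "vi"]),
    (9,  ["ls", "cd", "cd", "vi", "make", "ls", "mail"]),
    (11, ["vi", "make", "gcc", "ls", "ls", "cd", "mail"]),
    (9,  ["ls", "vi", "make", "make", "ls", "cd", "gcc"]),
]


class UserProfile:
    """Weighted profile of a user's command usage and login hours.
    Every update multiplies the existing counts by `decay`, so recent sessions
    count for more than old ones (the slide's 'weighted actions')."""

    def __init__(self, decay=0.8, floor=1e-3):
        self.decay = decay          # assumed; 1.0 would weight all history equally
        self.floor = floor          # probability assigned to never-seen items
        self.commands = Counter()   # command -> decayed weight
        self.hours = Counter()      # login hour -> decayed weight

    def update(self, hour, commands):
        for key in list(self.commands):
            self.commands[key] *= self.decay
        for key in list(self.hours):
            self.hours[key] *= self.decay
        for c in commands:
            self.commands[c] += 1.0
        self.hours[hour] += 1.0

    @staticmethod
    def _prob(counter, key, floor):
        total = sum(counter.values())
        return max(counter.get(key, 0.0) / total if total else 0.0, floor)

    def score(self, hour, commands):
        """Anomaly score = mean surprise (-log p) of the commands + surprise of the hour.
        Low for the user's usual behaviour, high for a masquerader."""
        cmd_surprise = sum(-math.log(self._prob(self.commands, c, self.floor))
                           for c in commands)
        hour_surprise = -math.log(self._prob(self.hours, hour, self.floor))
        return cmd_surprise / max(len(commands), 1) + hour_surprise


def build_profile(history, decay=0.8):
    profile = UserProfile(decay=decay)
    for hour, commands in history:
        profile.update(hour, commands)
    return profile


def is_masquerade(profile, hour, commands, threshold=6.0):
    """Threshold is an assumed tuning value; in practice it is set from the
    distribution of the user's own session scores, and fires often at first."""
    return profile.score(hour, commands) > threshold


if __name__ == "__main__":
    p = build_profile(ALICE_HISTORY)
    print("alice, 9am :", round(p.score(9, ["ls", "cd", "vi", "make", "ls", "gcc"]), 2))
    print("3am session:", round(p.score(3, ["who", "finger", "cat", "ls", "find", "cp"]), 2))
```

The 3 a.m. session full of reconnaissance commands scores roughly six times higher than a typical development session, which is the gap the threshold has to sit in. The design choice worth noting is the floor probability: without it a single never-seen command would give infinite surprise and every new tool a legitimate user tries would be an alarm, which is exactly the early-profile noise the slide warns about.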

Intruder Profiling
Concept similar to the criminal profiles used in the law enforcement community.
- Attempt to define the actions that an intruder will take once unauthorized access is obtained.
  - For example: when an intruder first gains access, the actions often taken are to check who else is on, examine files and directories, ...
- Can also apply to insiders gaining access to files they are not authorized to access.
- The problem with this method is that it is hard to define all possible intruder profiles, and often the actions of a new user will look similar to the actions of an intruder.

Signature Analysis
- Just as an individual has a unique written signature which can be used for identification purposes, individuals also have a "typing signature".
- This characteristic was first noticed in telegraph days, when operators could recognize each other by their keying rhythm.
- The time it takes to type certain pairs or triplets of letters can be measured; the collection of these digraph and trigraph timings forms a unique pattern that characterizes the individual.
- This technique requires special equipment, since keystroke timing has to be captured at the terminal.
- A variation is to watch for the abbreviations an individual habitually uses for commands and the errors he or she commonly makes.

Action Based

- Also sometimes referred to as signature based.
- Specific activities or actions (attack signatures) known to be indicative of intrusive activity are watched for, e.g. attempts to exploit known security holes.
- Can also be used to look for unauthorized activity by insiders.
- The problem is that not all attack methods are known, so new signatures are constantly being created and intrusion detection systems constantly need to be updated.
Haystack
[Diagram: Haystack architecture. Audit trail data from the Unisys 1100 is carried on a canonical 9-track tape to a Z-248 PC, where a preprocessor and statistical analysis of the audit data produce reports.]
Intrusion Detection Expert System (IDES)
[Diagram: IDES architecture. Audit Records -> Active Data Collector -> Receiver -> Audit Data. An Expert System, a Profile Updater (maintaining Profile Data) and an Anomaly Detector (working on Active Data and producing Anomaly Data) feed a Security Admin Interface.]
Multics Intrusion Detection and Alerting System (MIDAS)
[Diagram: MIDAS architecture. On the Multics side a Command Monitor produces Audit Records for a Preprocessor, which passes them over a Network Interface to a Symbolics machine holding the Fact Base, Statistical Data Base and Rule Base, overseen by the System Security Monitor.]
Different Levels of IDS

- Host-based Intrusion Detection
  - Will catch users logged directly into a system.
  - Will miss network actions (the network as a whole).
- Network-based Intrusion Detection
  - Will miss individual actions on the host the user is logged directly into.
  - Will be able to see attacks on multiple hosts ("door knob rattling").
- Where do you place the IDS? On the LAN, or on the outside of the router (the connection to the Internet)?
Network Security Monitor (NSM)
[Diagram: NSM architecture. Network Traffic -> Packet Catcher -> Filter -> Object Detector & Analyzer -> Report Generator, with a Traffic Archive alongside.]
Network Profile – which systems normally connect to which others using what service.
During a 2-month period in which 110,000 connections were analyzed at UC Davis, NSM correctly identified over 300 intrusions; only 1% of them had been detected by the admins.
Distributed IDS (DIDS)
[Diagram: DIDS architecture. Several Monitored Hosts, each with a host monitor, and a LAN Monitor report to the DIDS Director; Unmonitored hosts share the same LAN.]
Cooperating Security Monitors (CSM)
[Diagram: CSM architecture. On each host a Command Monitor feeds a Local IDS; an Intruder Handler and a User Interface complete the CSM, which exchanges information with other CSMs.]
Common IDSs
- Intruder Alert from AXENT/Symantec
- "NetRanger" (Cisco Secure IDS) from Cisco Systems
- RealSecure from Internet Security Systems
- Network Flight Recorder from NFR
- Kane Security Analyst (KSA) from Security Dynamics
- Snort, an open source IDS
IDS evaluation
(from Network Computing 8.20.2001)
IDS evaluation (integrated)
(from Network Computing 8.20.2001)
IDS evaluation (host based)
(from Network Computing 8.20.2001)
IDS evaluation (signatures)
(from Network Computing 8.20.2001)
Discussion on current IDS
- How are signature updates accomplished?
- How often are signatures updated? How many are there?
- What is the maximum bandwidth the IDS can monitor?
- What network protocols can be monitored?
- What OS platforms does the IDS work on?
- Does the IDS platform interact with other devices (e.g. firewalls, routers...)?
- What type of reporting tools are available?
- How is the security manager notified of events?
- Host or network based? Enterprise deployable?
- What training is required to operate it, and how much time does it take to operate the IDS?

50 ways to defeat an IDS
1 - Inserting extraneous characters into a standard attack typically causes detection failure. As an
example, you could insert the string ‘&& true’ into a typical shell command line without ill effect on
operation but with degraded IDS performance.
2 - Use tabs instead of spaces in commands. Since most current systems don’t interpret all
separators in the same way, changing to non-standard separators can make them fail. You might
also try ‘,’ instead of ‘;’ in the Unix shell.
3 – Closely related to number 2, you could change the separator character in the system so that
(for example) % is the separator. This would confuse detection systems almost without exception.
4 - Reorder a detected attack sequence. For example, if the attack goes ‘a;b;c’ and it would also
work as ‘b;a;c’, most detection systems would rank the one they were not tuned to find as unlikely
to be an actual attack.
5 - Split a standard attack across more than one user. Using the ‘a;b;c’ example above, if user X
types ‘a;b’ and user Y types ‘c’ the attack is almost certain to go undetected.
6 - Split a standard attack across multiple sessions. Login once and type ‘a;b’, logout, then login
and type ‘c’.
From 50 Ways to Defeat Your Intrusion Detection System by Fred Cohen of Fred Cohen & Associates
50 ways to defeat an IDS
7 - Split across multiple remote IP addresses/systems. Login from sites X and Y,
and type ‘a’ from site X, ‘b’ from site Y, and ‘c’ from site X.
8 - Define a macro for a command used in a standard attack. For example, set a
shell variable called ‘$ZZ’ to ‘cp’ and then use ‘$ZZ’ instead of ‘cp’ where
appropriate.
9 - Define a macro for a parameter in a standard attack. For example, use the
name ‘$P’ instead of the string ‘/etc/passwd’.
10 – Create shell scripts to replace commands you use. If you do this carefully,
the detector will not associate the names you use for the scripts to the commands
and will miss the whole attack.
11 - Use different commands to do the same function. For example, ‘echo *’ is
almost the same as ‘ls’ in the Unix shell.
12 - Change the names in standard attacks. For example, if the standard attack
uses a temporary file named ‘xxx’, try using ‘yyy’.
50 ways to defeat an IDS
15 - Encrypt your attacks – for example, by using the secure shell facilities intended to
increase protection by preventing snooping – including snooping by the IDS.
21 - Overwhelm the IDS sensor ports. For example, by using an echo virus against a
UDP port, you might make the sensor port unable to receive further sensor inputs.
22 - Crash the IDS with ping packets. By sending long IPNG packets, many systems
that run IDS systems can be crashed, causing them to fail to detect subsequent attacks.
23 – Kill the IDS by attacking its platform. Most IDS systems run on regular hosts which
can themselves be attacked. Once the platform is taken over, the IDS can be
subverted.
25 - Consume all IDS disk space then launch for real. By (for example) overrunning the
disk space consumed by the IDS with innocuous but detected sequences, the IDS will
fail and subsequent attacks go undetected.
41 - Attack over dial-ins instead of a network. Network-based IDS systems will never
notice this activity.
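Several of Cohen's items (1, 2, 8, 9 and 12 above) work because a signature matcher compares raw strings. The following is an added example, not from the lecture or from Cohen: a naive matcher that greps for one literal command line, beside a matcher that first normalizes the session (splits on shell separators, drops `&& true` padding, tokenizes on any whitespace, resolves shell-variable macros) and then matches a two-step signature for the classic "copy the shell to /tmp and make it setuid" sequence. The signature and sample sessions are constructed for illustration. Items 5, 6 and 7 (splitting an attack across users, sessions or hosts) still defeat it, because the state is kept per session.

```python
import re
import shlex

# Constructed two-step signature: drop a copy of the shell in /tmp, then make it setuid.
# Each step is a list of regexes, one per token; a command matches a step when its tokens
# match position by position (extra trailing tokens are ignored).
SETUID_SHELL_SIG = [
    [r"cp", r"/bin/sh", r"/tmp/.*"],
    [r"chmod", r"4755|u\+s", r"/tmp/.*"],
]

# Literal string a naive detector greps for (Cohen's "standard attack").
NAIVE_SIG = "cp /bin/sh /tmp/xxx; chmod 4755 /tmp/xxx"

SEPARATOR_RE = re.compile(r"\s*(?:;|&&|\|\||\||\n)\s*")   # simple-command separators
ASSIGN_RE = re.compile(r"^([A-Za-z_]\w*)=(.*)$")          # NAME=value
VAR_RE = re.compile(r"\$\{?([A-Za-z_]\w*)\}?")             # $NAME or ${NAME}

# Constructed sessions (not real attacker input).
PLAIN_SESSION = "cp /bin/sh /tmp/xxx; chmod 4755 /tmp/xxx"
# Cohen #8/#9 (macros), #1 ('&& true' padding), #2 (tabs), #12 (renamed temp file)
EVADED_SESSION = "ZZ=cp && true; P=/bin/sh\n$ZZ\t$P  /tmp/yyy && true\nchmod u+s /tmp/yyy"
# Cohen #6: the same attack split across two logins
SPLIT_SESSION_A = "cp /bin/sh /tmp/q"
SPLIT_SESSION_B = "chmod 4755 /tmp/q"


def naive_detect(session_text):
    return NAIVE_SIG in session_text


def normalize_session(session_text):
    """Turn a raw shell session into a list of token lists, undoing cheap obfuscations:
    separators and padding (#1), tabs and extra spaces (#2), and shell-variable
    macros for commands and parameters (#8, #9)."""
    variables = {}
    commands = []
    for chunk in SEPARATOR_RE.split(session_text):
        if not chunk.strip():
            continue
        try:
            tokens = shlex.split(chunk)          # any whitespace, including tabs, separates
        except ValueError:
            continue                             # unbalanced quotes: nothing to match on
        if not tokens:
            continue
        assign = ASSIGN_RE.match(tokens[0])
        if assign and len(tokens) == 1:
            variables[assign.group(1)] = assign.group(2)
            continue
        tokens = [VAR_RE.sub(lambda v: variables.get(v.group(1), v.group(0)), t)
                  for t in tokens]
        if tokens in (["true"], [":"]):          # no-op padding
            continue
        commands.append(tokens)
    return commands


def step_matches(step, tokens):
    return len(tokens) >= len(step) and all(re.fullmatch(p, t) for p, t in zip(step, tokens))


def normalized_detect(session_text, signature=SETUID_SHELL_SIG):
    """Match the signature's steps in order across the commands of one session."""
    next_step = 0
    for tokens in normalize_session(session_text):
        if step_matches(signature[next_step], tokens):
            next_step += 1
            if next_step == len(signature):
                return True
    return False


if __name__ == "__main__":
    for name, text in [("plain", PLAIN_SESSION), ("evaded", EVADED_SESSION),
                       ("split A", SPLIT_SESSION_A), ("split B", SPLIT_SESSION_B)]:
        print(f"{name:8} naive={naive_detect(text)!s:5} normalized={normalized_detect(text)}")
```

The normalizer resolves `$ZZ $P /tmp/yyy` back to `cp /bin/sh /tmp/yyy` and treats `u+s` and `4755` as the same step, so the evaded session is caught while the literal grep misses it. Neither detector fires on either half of the split session; catching that requires correlating state across sessions, users and hosts, which is the argument for the distributed designs (DIDS, CSM) shown earlier.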
Monitoring and the Law
The issue is expectation of privacy – does the individual have one?
- You generally need to inform individuals using the system that their actions are subject to monitoring.
  - Government systems have the warning banner.
  - CERT gave the same advice (advisory CA-92:19, "Keystroke Logging Banner") to anybody wanting to monitor keystrokes.
- Note that it is considered not enough to notify all authorized users once (when they are issued their initial password, for example); the notice must be displayed at each login.
And what about IDS and the PSTN?
- Two aspects:
  - Detection of intrusions into the IP network from the PSTN
  - Detection of intrusions into the PSTN and its systems
- Do you
  - have a separate system, or
  - feed the current IDS with data from the PSTN?
Intrusion Detection vs. Intrusion Prevention
Often viewed as a blending of firewalls and IDS.
- Definition: a device (hardware or software) that has the ability to detect an attack and to prevent the attack from being successful.
- Must handle known and unknown attack methods.
- We will look at 4 general types of IPS:
  - Inline NIDS
  - Layer Seven Switches
  - Application Firewall/IDS
  - Deceptive Applications
Inline NIDS
Offers the capabilities of a regular NIDS with the blocking capabilities
of a firewall. Examines traffic, decides whether to send it on or not.
Generally needs to know what it is looking for (e.g. signatures).
From: http://www.securityfocus.com/infocus/1670
Layer Seven Switch
- We usually think of switching as a layer 2 function.
- Due to bandwidth-intensive content, some switching now goes on at layer seven (e.g. load balancers), where application traffic can be examined.
- Decisions can be made as to whether data is sent on.
- Generally needs to know what it is looking for.
- One of the best uses is to address DoS attacks.
Application Firewall/IDS
- Loaded on each server to be protected.
- Customized for the application to be protected.
- Doesn't look at packets; looks at API calls, memory management (for overflows), and the interaction of the user with the OS.
- Can help prevent new attacks since it is not looking for signatures but rather for attempted actions.
Deceptive Applications
- The idea has been around for a while.
- The concept is to first watch the network to determine a profile of normal traffic.
- If traffic comes along later that does not fit the profile, such as a scan for a service on a system that doesn't exist, respond with bogus data so the packets are "marked"; future traffic from the attacker can then be noticed and handled easily.
Deceptive Applications
[Diagram: a probe for a host that does not exist ("No system 10.1.1.20!") is answered with bogus data.]
From: http://www.securityfocus.com/infocus/1670
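The NSM "network profile" (which systems normally connect to which others using what service) and the deceptive application above share the same first step: learn the normal traffic, then react to what falls outside it. The following is an added example, not from the lecture or the SecurityFocus article, that learns a profile from constructed connection records and classifies later connections. Real deceptive systems mark the attacker through the bogus data they return; here the mark is simplified to remembering the source address. All addresses and ports are made up, and the learning period is assumed to be complete and clean.

```python
from collections import defaultdict

# Constructed connection records from the learning period: (source, destination, destination port).
BASELINE_FLOWS = [
    ("10.1.1.5", "10.1.1.10", 80),
    ("10.1.1.6", "10.1.1.10", 80),
    ("10.1.1.5", "10.1.1.11", 25),
    ("10.1.1.6", "10.1.1.11", 25),
    ("10.1.1.7", "10.1.1.10", 22),
]


class NetworkProfile:
    """Which systems normally connect to which others using what service,
    plus the set of sources caught probing things that do not exist."""

    def __init__(self, flows):
        self.hosts = set()                  # addresses seen on the wire during learning
        self.services = defaultdict(set)    # destination -> ports it was seen serving
        self.pairs = set()                  # (src, dst, port) triples seen
        self.marked = set()                 # sources already fed a decoy answer
        for src, dst, port in flows:
            self.hosts.update((src, dst))
            self.services[dst].add(port)
            self.pairs.add((src, dst, port))

    def decide(self, src, dst, port):
        """Classify one new connection attempt.
        'drop'  : the source was marked earlier; everything it sends is now suspect.
        'decoy' : the target host or service does not exist; answer with bogus data
                  and mark the source (the deceptive-application response).
        'alert' : both ends exist but this pairing was never seen (the NSM profile check).
        'allow' : matches the learned profile."""
        if src in self.marked:
            return "drop"
        if dst not in self.hosts or port not in self.services[dst]:
            self.marked.add(src)
            return "decoy"
        if (src, dst, port) not in self.pairs:
            return "alert"
        return "allow"


def classify_flows(profile, flows):
    return [profile.decide(*flow) for flow in flows]


# Constructed traffic arriving after the learning period.
LATER_FLOWS = [
    ("10.1.1.5", "10.1.1.10", 80),     # routine web traffic
    ("10.1.1.7", "10.1.1.11", 25),     # existing hosts, but a pairing never seen before
    ("192.0.2.44", "10.1.1.20", 22),   # scan of a system that does not exist
    ("192.0.2.44", "10.1.1.10", 80),   # same attacker, now a legitimate-looking target
]

if __name__ == "__main__":
    profile = NetworkProfile(BASELINE_FLOWS)
    for flow, verdict in zip(LATER_FLOWS, classify_flows(profile, LATER_FLOWS)):
        print(verdict.ljust(6), flow)
```

The fourth flow is the point of the technique: on its own, a web request to 10.1.1.10 looks like the first one, but because the source was marked when it probed the non-existent 10.1.1.20 it is dropped without any signature. The caveat is the same one the slides raise for user profiling: if the learning period missed a legitimate server, or a user mistypes an address, that source gets marked too, so production systems age the marks and let an operator clear them.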
Sample Commercial IPS
Summary
- What is the importance and significance of this material?
- How does this topic fit into the subject of "Voice and Data Security"?