FORESEC Academy FORESEC Academy Security Essentials (III)
FORESEC Academy
HOST-BASED INTRUSION DETECTION
FORESEC Academy Security Essentials (III)
Agenda
- The need for host-based ID
- Host-based ID methodology
- Unix host-based ID tools
- Windows host-based ID tools
Need for Host-based ID
- Very fast networks
- Switched networks
- Encrypted networks
- Backdoors in the local network
- Insider on the network
- Network-based IDS may miss the attack
- Don't trust corporate security that much
Very Fast Networks
- The practical ceiling for a fully loaded network-based IDS sensor, at the time this material was written, was about 80 MB/sec
- Faster hardware (a 200 MHz Pentium bus in that era) would only partially raise that ceiling
- Bandwidth at large sites will probably always outrun network detection and processing speed
- HIDS does not face this bandwidth problem, since each host inspects only its own traffic, but it does present deployment issues: an agent has to be installed and maintained on every critical host
Switched Networks
- Network-based intrusion detection systems rely on a NIC in promiscuous mode seeing everybody's traffic; on a switch, a port only receives frames addressed to its own host (plus broadcasts and floods), so a sensor on an ordinary switch port sees almost nothing
- Intrusion detection built into the switch is the future direction, but it is not really here yet
- Spanning (mirror) ports and network taps provide semi-effective options
Switched Network Diagram
In a switched network the switch forwards each frame only to the port where the destination host lives, so a port carries just the conversations of the host attached to it. A sensor on another port does not see those frames.
Spanning Port (Switched Networks)
Sensors can be placed on a spanning (mirror) port, but such a port can usually only mirror one VLAN at a time, and a busy switch can send more traffic to the mirror port than one port can carry, so frames are dropped. This does not work very well in practice.
Network Taps
Encrypted Networks
- NIDS sensors can't analyze what they can't read
- The use of encryption for network traffic is growing
- Encryption can also be used by attackers to hide their traffic
- Traffic must be inspected before it is encrypted or after it is decrypted, which means on the endpoint itself
- NIDS and HIDS can work together to address these challenges
Host-based Intrusion Detection Methodology
- Host-based systems monitor their own network connections and file system status. For this to work, we have to collect the logs of ALL critical systems, at a minimum
- Local processing and alerting may be done, but the data is generally sent to a central location for parsing
- When potential problems are found, alerts are raised
Host-based Intrusion Detection Methodology (2)
1) A connects to B
2) B logs the connection and informs the Logserver
3) Logserver records the A -> B connection, checks its ruleset, finds A -> B is OK, and waits
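The three steps above, as a small added example (not FORESEC code): host B forwards a tcpd-style "connect from" line for every accepted connection, and a central log server records it, checks it against a deny-by-default ruleset, and raises an alert when the pair is not permitted. The host names, services, networks and the sample report lines are constructed for illustration.

```python
import re
from ipaddress import ip_address, ip_network

# Ruleset: (destination host, service, source network allowed to reach it).
# Anything not matched here is reported. Hosts, services and networks are
# constructed for this example.
RULESET = [
    ("B", "sshd", "192.168.2.0/24"),
    ("B", "smtpd", "0.0.0.0/0"),
]

# Step 2 on the slide: host B logs each accepted connection and forwards
# the line to the log server. Constructed sample in tcpd's "connect from"
# layout; the third line is a source the ruleset does not permit.
SAMPLE_REPORTS = [
    "Jul  3 11:30:20 B sshd[412]: connect from 192.168.2.17",
    "Jul  3 11:30:21 B smtpd[413]: connect from 24.132.4.83",
    "Jul  3 11:30:22 B sshd[414]: connect from 24.132.4.83",
]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<svc>\w+)\[\d+\]: "
    r"connect from (?P<src>[\d.]+)$"
)


class LogServer:
    """Step 3 on the slide: record every reported connection, check it
    against the ruleset, and raise an alert when it is not permitted."""

    def __init__(self, ruleset):
        self.rules = [(dst, svc, ip_network(net)) for dst, svc, net in ruleset]
        self.records = []  # every connection seen, permitted or not
        self.alerts = []

    def permitted(self, dst, svc, src):
        addr = ip_address(src)
        return any(dst == r_dst and svc == r_svc and addr in r_net
                   for r_dst, r_svc, r_net in self.rules)

    def receive(self, line):
        """Return True when the reported connection is OK, False otherwise."""
        m = LINE_RE.match(line)
        if m is None:
            # A report the server cannot parse is itself worth an alert:
            # it may be a tampered or truncated log line.
            self.alerts.append(f"unparseable report: {line!r}")
            return False
        ts, dst, svc, src = m["ts"], m["host"], m["svc"], m["src"]
        self.records.append((ts, src, dst, svc))
        if self.permitted(dst, svc, src):
            return True
        self.alerts.append(f"{ts} {src} -> {dst}:{svc} not permitted by ruleset")
        return False


def run_demo(reports=SAMPLE_REPORTS, ruleset=RULESET):
    """Feed the sample reports through a fresh log server."""
    server = LogServer(ruleset)
    results = [server.receive(line) for line in reports]
    return results, server.records, server.alerts


if __name__ == "__main__":
    results, records, alerts = run_demo()
    for rec in records:
        print("recorded", rec)
    for alert in alerts:
        print("ALERT", alert)
```

Every report is recorded before the ruleset is consulted, so the central record stays complete even for permitted traffic; only the unpermitted sshd connection from 24.132.4.83 produces an alert.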
Unix Host-based Intrusion Detection
- TCPWrappers
- Port Sentry
- Syslog
- Swatch
- Tripwire
TCPWrappers
- Monitors and filters incoming TCP network service requests (tcpd sits between inetd and the service and consults /etc/hosts.allow and /etc/hosts.deny before handing the connection over)
- Valuable logging tool
- Where to get it:
  - ftp://ftp.porcupine.org/pub/security/index.html
  - Currently included in most Unix / Linux distributions
Without TCPWrappers
All incoming TCP requests are serviced
With TCPWrappers
All requests are checked and logged
Host Deny (/etc/hosts.deny)
# Deny everything, add back with /etc/hosts.allow
ALL : ALL
The comment must sit on its own line: tcpd ignores only lines that begin with "#", so a comment appended after the rule is parsed as part of the client list and the ALL : ALL rule no longer matches anything.
Host Allow (/etc/hosts.allow)
ALL: .nnnn.abc.org, 192.168.2., friend.somewhere.edu
sshd: trustedhost.somewhere.org
A pattern that starts with "." matches a host-name suffix; a pattern that ends with "." matches an address prefix, so the network entry needs its trailing dot. hosts.allow is consulted first, then hosts.deny; a client that matches neither file is allowed.
Paranoid Mode
- Compiled-in default for TCPWrappers
- Checks both the reverse (address to name) and the forward (name to address) DNS lookup
- Both answers must agree, i.e. the address must appear among the addresses the name resolves to, or the connection is dropped before the access tables are even consulted
- Adds a layer of security against DNS spoofing: a forged reverse record on its own cannot earn a host-name-based allow
Brief DNS Review (TCPWrappers Paranoid mode)
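The hosts.allow / hosts.deny evaluation and the paranoid DNS check from the previous slides, as an added example (not Wietse Venema's tcpd source). It implements a subset of the hosts_access(5) client patterns (ALL, LOCAL, ".domain", "net.", net/mask, literal) in tcpd's decision order, with the reverse and forward lookups served from two constructed dictionaries so it runs offline. The addresses, names, and the forged reverse record for 203.0.113.9 are assumptions for the demonstration.

```python
from ipaddress import ip_address, ip_network

# Constructed DNS data so the example runs offline: PTR maps an address to
# its reverse name, A maps a name to the addresses it resolves to.
# 203.0.113.9 carries a forged reverse record that claims to be the trusted
# host, but the trusted host's forward record does not list that address.
PTR = {
    "192.168.2.17": "ws17.nnnn.abc.org",
    "10.1.1.5": "trustedhost.somewhere.org",
    "24.132.4.83": "node10453.a2000.nl",
    "203.0.113.9": "trustedhost.somewhere.org",
}
A = {
    "ws17.nnnn.abc.org": ["192.168.2.17"],
    "trustedhost.somewhere.org": ["10.1.1.5"],
    "node10453.a2000.nl": ["24.132.4.83"],
}

# The two tables from the slides: the network pattern carries its trailing
# dot, and the hosts.deny comment sits on a line of its own.
HOSTS_ALLOW = """\
ALL: .nnnn.abc.org, 192.168.2., friend.somewhere.edu
sshd: trustedhost.somewhere.org
"""
HOSTS_DENY = """\
# Deny everything, add back with /etc/hosts.allow
ALL : ALL
"""
# Same rule with the comment appended to the rule line: tcpd only ignores
# lines that begin with "#", so this version denies nothing (see the demo).
BROKEN_DENY = "ALL : ALL# Deny everything, add back with /etc/hosts.allow\n"


def paranoid_ok(addr):
    """PARANOID check: reverse-map the address, forward-map the resulting
    name, and require the original address among the forward answers."""
    name = PTR.get(addr)
    return name is not None and addr in A.get(name, [])


def client_matches(pattern, addr, name):
    """Subset of hosts_access(5) client patterns (no EXCEPT, KNOWN, UNKNOWN)."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":               # any host name without a dot
        return name is not None and "." not in name
    if pattern.startswith("."):          # ".domain": suffix of the host name
        return name is not None and name.endswith(pattern)
    if pattern.endswith("."):            # "net.": prefix of the dotted address
        return addr.startswith(pattern)
    if "/" in pattern:                   # "net/mask" or CIDR
        try:
            return ip_address(addr) in ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern == addr or pattern == name   # literal address or name


def parse_table(text):
    """Turn a hosts.allow / hosts.deny file into (daemons, clients) pairs."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # only whole comment lines are ignored
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))     # optional shell_command field ignored
    return rules


def table_matches(rules, daemon, addr, name):
    for daemons, clients in rules:
        if "ALL" in daemons or daemon in daemons:
            if any(client_matches(c, addr, name) for c in clients):
                return True
    return False


def hosts_access(daemon, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY, paranoid=True):
    """tcpd's decision order: PARANOID drop, then hosts.allow (first match
    allows), then hosts.deny (first match denies), otherwise allow."""
    if paranoid and not paranoid_ok(addr):
        return False
    name = PTR.get(addr)
    if table_matches(parse_table(allow), daemon, addr, name):
        return True
    if table_matches(parse_table(deny), daemon, addr, name):
        return False
    return True


if __name__ == "__main__":
    for daemon, addr in [("sshd", "192.168.2.17"), ("sshd", "10.1.1.5"),
                         ("ftpd", "10.1.1.5"), ("sshd", "24.132.4.83"),
                         ("sshd", "203.0.113.9")]:
        print(daemon, addr, "allow" if hosts_access(daemon, addr) else "deny")
    print("forged PTR, paranoid off:", hosts_access("sshd", "203.0.113.9", paranoid=False))
    print("inline comment in hosts.deny:", hosts_access("ftpd", "24.132.4.83", deny=BROKEN_DENY))
```

Two of the calls are the caveats worth remembering: with the paranoid check switched off, the forged reverse record for 203.0.113.9 is enough to satisfy the name-based sshd rule, and with the comment appended to the ALL : ALL line the deny file stops matching, so an unknown ftpd client falls through to the default allow.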
TCPWrappers in Action (intrusion detection AND prevention)
TCPWrappers Threat List
- Outsider attack from the network
- Outsider attack from the telephone (dial-in)
- Insider attack from the local network
- Insider attack from the local system
- Attack from malicious code
Psionic Port Sentry (TCPWrappers with an attitude)
- Runs on TCP and UDP
- Stealth scan detection for Linux: SYN/half-open, FIN, NULL, X-MAS and oddball-packet stealth scans
- Port Sentry reacts to a port scan attempt by blocking the host in real time (a hosts.deny entry and a dropped route, as the log on the next slide shows)
- Remembers hosts it has already blocked, so a scanner is not blocked twice, and can ignore hosts that are listed as known and trusted
Psionic Port Sentry Log
Jul 3 11:30:20 shepherd portsentry[418]: attackalert: SYN/Normal scan from host: node10453.a2000.nl/24.132.4.83 to TCP port: 143
Jul 3 11:30:20 shepherd portsentry[418]: attackalert: Host 24.132.4.83 has been blocked via wrappers with string: "ALL: 24.132.4.83"
Jul 3 11:30:20 shepherd portsentry[418]: attackalert: Host 24.132.4.83 has been blocked via dropped route using command: "/sbin/route add -host 24.132.4.83 gw 333.444.555.666"
(333.444.555.666 is not a valid address: the route is deliberately pointed at a nonexistent gateway so that replies to the scanner are dropped.)
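What produces log lines like the ones above, as an added example (not Psionic's portsentry source): a sentinel watches a set of ports nothing legitimate should touch, names the scan type from the TCP flags of the probe, and on the first hit emits the two blocking actions from the slide, a hosts.deny string and a blackhole route. The monitored port list, the trigger count, the ignore list and the sample probes are assumptions; the actions are returned as strings rather than executed.

```python
from collections import defaultdict

# Ports a portsentry-style sentinel binds and watches: no legitimate client
# should ever connect to them, so any hit is suspicious. Constructed list.
MONITORED_TCP_PORTS = {1, 11, 15, 110, 111, 143, 540, 635, 1080,
                       1524, 2000, 5742, 6667, 12345, 31337}
BLACKHOLE_GW = "333.444.555.666"   # deliberately invalid gateway, as on the slide


def classify(flags):
    """Name the scan by the TCP flags set on the probe, as the log line does."""
    f = set(flags)
    if f == {"S"}:
        return "SYN/Normal"
    if f == {"F"}:
        return "FIN"
    if not f:
        return "NULL"
    if {"F", "P", "U"} <= f:
        return "XMAS"
    return "oddball"


class PortSentry:
    def __init__(self, ports=MONITORED_TCP_PORTS, ignore=(), trigger=1):
        self.ports = set(ports)
        self.ignore = set(ignore)       # hosts never to block (assumed ignore list)
        self.blocked = set()            # hosts already blocked: remembered, not re-blocked
        self.hits = defaultdict(set)    # distinct monitored ports touched per source
        self.trigger = trigger          # distinct ports before reacting (assumed setting)
        self.log = []

    def probe(self, src, port, flags):
        """Feed one TCP probe; return the blocking actions it triggers, if any."""
        if port not in self.ports or src in self.ignore or src in self.blocked:
            return []
        self.hits[src].add(port)
        self.log.append(f"attackalert: {classify(flags)} scan from host: "
                        f"{src} to TCP port: {port}")
        if len(self.hits[src]) < self.trigger:
            return []
        self.blocked.add(src)
        deny_string = f"ALL: {src}"
        actions = [
            f'hosts.deny: "{deny_string}"',
            f"/sbin/route add -host {src} gw {BLACKHOLE_GW}",
        ]
        self.log.append(f"attackalert: Host {src} has been blocked via wrappers "
                        f'with string: "{deny_string}"')
        return actions


# Constructed probes: (source address, destination port, TCP flags).
SAMPLE_PROBES = [
    ("24.132.4.83", 143, "S"),     # the slide's scanner: blocked on first hit
    ("24.132.4.83", 110, "S"),     # already blocked: remembered, no new action
    ("192.168.2.17", 143, "S"),    # on the ignore list: never blocked
    ("10.0.0.7", 22, "S"),         # port 22 is a real service, not monitored
    ("10.0.0.7", 111, "FPU"),      # X-MAS probe to a monitored port: blocked
]


def run_demo(probes=SAMPLE_PROBES, ignore=("192.168.2.17",)):
    sentry = PortSentry(ignore=ignore)
    actions = [sentry.probe(src, port, flags) for src, port, flags in probes]
    return actions, sorted(sentry.blocked), sentry.log


if __name__ == "__main__":
    actions, blocked, log = run_demo()
    for line in log:
        print(line)
    print("blocked:", blocked)
```

The ignore list matters more than it looks: a scanner that spoofs the source address of a host you depend on (the DNS server, the log server) can otherwise trick the sentinel into blackholing that host for you.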
Syslog
- The Unix system logger can write to the local system or to another (remote) system
- TCPWrappers logs to syslog by default
- Logs can offer valuable information, but they can also be compromised, so critical systems should also send a copy off-host
- Swatch or other tools can monitor syslog and raise alerts
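The last point, a watcher that reads syslog and raises alerts, as an added example in the spirit of a swatch configuration (not swatch itself, and not its syntax): each rule is a regular expression with a "key" group naming the offending host and a throttle window during which repeats for the same host are counted but not re-alerted. The rule set and the syslog extract (the slide's two portsentry lines plus tcpd "refused connect from" lines and a benign cron line) are constructed for illustration.

```python
import calendar
import re
import time

# Rule: (name, pattern with a "key" group, throttle window in seconds).
# Constructed rules, not swatch syntax.
RULES = [
    ("portsentry_scan",
     re.compile(r"portsentry\[\d+\]: attackalert: .* scan from host: "
                r"\S+/(?P<key>[\d.]+) to"), 60),
    ("portsentry_block",
     re.compile(r"portsentry\[\d+\]: attackalert: Host (?P<key>[\d.]+) has been blocked"), 60),
    ("tcpd_refused",
     re.compile(r"\w+\[\d+\]: refused connect from (?P<key>\S+)"), 60),
]

# Constructed syslog extract. tcpd logs a refused connection as
# "refused connect from <host>"; the cron line should match nothing.
SAMPLE_SYSLOG = """\
Jul  3 11:30:20 shepherd portsentry[418]: attackalert: SYN/Normal scan from host: node10453.a2000.nl/24.132.4.83 to TCP port: 143
Jul  3 11:30:20 shepherd portsentry[418]: attackalert: Host 24.132.4.83 has been blocked via wrappers with string: "ALL: 24.132.4.83"
Jul  3 11:30:25 shepherd sshd[510]: refused connect from 24.132.4.83
Jul  3 11:30:40 shepherd sshd[512]: refused connect from 24.132.4.83
Jul  3 11:32:10 shepherd sshd[520]: refused connect from 24.132.4.83
Jul  3 11:32:11 shepherd cron[77]: (root) CMD (run-parts /etc/cron.hourly)
"""

TS_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) ")


def line_time(line):
    """Seconds from the syslog timestamp (syslog carries no year; only
    differences between lines matter for throttling)."""
    m = TS_RE.match(line)
    if m is None:
        return None
    return calendar.timegm(time.strptime(m.group(1), "%b %d %H:%M:%S"))


class Watcher:
    def __init__(self, rules=RULES):
        self.rules = rules
        self.last_alert = {}     # (rule name, key) -> time of the last alert
        self.alerts = []         # (rule name, key, line)
        self.suppressed = 0      # matches swallowed by the throttle

    def feed(self, line):
        """Return the name of the rule that fired, or None."""
        now = line_time(line)
        if now is None:
            return None
        for name, pattern, throttle in self.rules:
            m = pattern.search(line)
            if m is None:
                continue
            ident = (name, m["key"])
            last = self.last_alert.get(ident)
            if last is not None and now - last < throttle:
                self.suppressed += 1
                return None
            self.last_alert[ident] = now
            self.alerts.append((name, m["key"], line))
            return name
        return None


def run_demo(text=SAMPLE_SYSLOG):
    watcher = Watcher()
    fired = [watcher.feed(line) for line in text.splitlines()]
    return fired, watcher.alerts, watcher.suppressed


if __name__ == "__main__":
    fired, alerts, suppressed = run_demo()
    for name, key, line in alerts:
        print(f"ALERT {name} {key}: {line}")
    print("suppressed by throttle:", suppressed)
```

Throttling is keyed on rule and host, not on the exact line, so the second refusal fifteen seconds after the first is swallowed while the one two minutes later alerts again; without it a scanner can bury the real alerts under its own noise.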