Slide 1: Intrusion Detection Systems
Slide 2: Intrusion Detection
• An intrusion is any use or attempted use of a system that exceeds authentication limits
• Intrusions are similar to incidents
– An incident does not necessarily involve an active system or network device; an intrusion does
• An Intrusion Detection System (IDS) can be either software- or hardware-based; it monitors network activity and delivers an alert if it notices suspicious activity
Slide 3: Intrusion Detection
• Security policies are either prohibitive or permissive
• An IDS is sensitive to configuration
• Possible types of IDS errors:
– False positive (unauthorized user let in)
– False negative (authorized user denied access)
– Subversion error (the IDS itself is compromised so that it cannot detect the intrusion)
Slide 4: Dealing with Intruders
• Intruders can be external or internal
– External intruders are hackers or crackers
– Internal intruders are more common and very dangerous
• The security policy should state what steps will be taken to handle intrusions
• Block and ignore
– Simplest tactic for handling intrusions
– Block the intruder and address the vulnerability
– Don’t take any further action
Slide 5: Dealing with Intruders
• Block and investigate
– Block the intruder and address the vulnerability
– Collect evidence and try to determine the intruder’s identity
– Investigate
• Honeypot (bait the intruder)
– Allow the intruder to access a part of your network
– Try to catch the intruder while he/she explores
– This is a potentially dangerous approach
  • The intruder does have at least partial access
  • Crackers may become interested in your site
Slide 6: Detecting Intruders
• An IDS monitors system activity in some way
• When it detects suspicious activity, it performs an action
• The action is usually an alert of some type
– E-mail, cell phone, audible alert, etc., to a person or process
– For highly sensitive systems, an out-of-band channel is used
• All IDS systems continuously sample system activity and compare the samples to a database
Slide 7: IDS Principles
• Run unattended for extended periods of time
• Stay active and secure
• Recognize unusual activity
• Operate without unduly affecting the system’s activity
• Configurable
Slide 8: IDS Principles
(Flow diagram) Sample current activity → Compare with database → Decide what to do
Slide 9: IDS Taxonomy
• Misuse intrusion
– An attack against a known vulnerability
– Relatively easy to detect
• Anomaly intrusion
– An attack against a new vulnerability, or one using an unknown set of actions
– Relatively difficult to detect
• Types of IDS that correspond to the intrusion types:
– Signature-based
– Knowledge-based
Slide 10: IDS Taxonomy
• Signature-based IDS
– Detects misuse intrusions
– Maintains a database of attack signatures
– Compares current activity to the database
– The database must be current and complete to be effective
• Knowledge-based IDS
– Detects anomaly intrusions
– Builds a profile of “normal” system activity over time
– Produces more false positives and requires more administration
– Requires careful initial configuration
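The knowledge-based approach on this slide can be shown end to end with a small profile-and-deviate detector. The following is an added example written for this transcript, not code from the slides or from any IDS product; the baseline counts, the labelled test samples and the "requests per minute" metric are all constructed. It builds a profile (mean and standard deviation) of normal activity, flags samples that deviate by more than k standard deviations, and then counts the two ways the detector can be wrong on a labelled sample: benign activity that raised an alert, and intrusions that raised none (in the usual IDS vocabulary these are called false positives and false negatives). Lowering k catches the subtle intrusion but also starts flagging benign spikes, which is the "requires careful initial configuration" trade-off.

```python
import statistics

# Constructed baseline: requests per minute observed during a period that is
# assumed to contain no intrusions (the "normal" activity the profile learns).
BASELINE = [40, 42, 38, 45, 41, 39, 44, 43, 40, 42, 37, 46]

# Constructed labelled samples: (requests per minute, is_intrusion).
LABELLED = [
    (43, False),   # ordinary traffic
    (120, True),   # loud intrusion: flood of requests
    (48, False),   # benign busy minute
    (55, False),   # benign spike (e.g. a batch job), not an intrusion
    (34, True),    # intrusion that only modestly deviates from the profile
]


def build_profile(samples):
    """Profile of 'normal' activity: mean and (population) standard deviation."""
    if len(samples) < 2:
        raise ValueError("need at least two samples to build a profile")
    return {"mean": statistics.mean(samples), "stdev": statistics.pstdev(samples)}


def is_anomalous(profile, value, k=3.0):
    """Flag a sample that lies more than k standard deviations from the mean."""
    if profile["stdev"] == 0:
        # Degenerate profile (constant training data): anything different is anomalous.
        return value != profile["mean"]
    return abs(value - profile["mean"]) / profile["stdev"] > k


def evaluate(profile, labelled, k=3.0):
    """Count detector errors on labelled samples.

    flagged_benign   : benign samples that raised an alert
    missed_intrusions: intrusions that raised no alert
    """
    flagged_benign = missed_intrusions = 0
    for value, is_intrusion in labelled:
        alert = is_anomalous(profile, value, k)
        if alert and not is_intrusion:
            flagged_benign += 1
        elif not alert and is_intrusion:
            missed_intrusions += 1
    return {"flagged_benign": flagged_benign, "missed_intrusions": missed_intrusions}


if __name__ == "__main__":
    profile = build_profile(BASELINE)
    print("profile:", profile)
    for k in (3.0, 2.0):
        print(f"k={k}:", evaluate(profile, LABELLED, k))
```

With k=3 the detector misses the modest intrusion and flags one benign spike; with k=2 it catches every intrusion but flags two benign samples. Which setting is right depends on how much administrator time each alert costs, which is why the slide says this type of IDS needs more administration.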
Slide 11: Thresholds
• A rule tells the IDS which packets to examine and what action to take
– Similar to a firewall rule
– Example Snort rule:
  alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)
• alert specifies the action to take
• tcp specifies the protocol
• any any specifies any source address and any source port; 192.168.1.0/24 specifies the destination subnet
• 111 specifies the destination port
• content specifies the value to look for in the payload (bytes between | | are hexadecimal)
• msg specifies the message to send
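To make the rule's fields concrete, here is an added example (written for this transcript, not Snort's own code or any part of its engine) that parses the slide's rule into its header and options, then runs it over a few constructed packets. It supports only the subset of the rule language the slide shows: the action/protocol/address/port header, `->` and `<>` directions, `content` with `|hex|` sections, and `msg`; real Snort content modifiers (nocase, offset, depth and so on) are not handled, and the option splitter assumes no `;` inside quoted strings. The packets are plain dictionaries, and the payloads are constructed byte strings: `MOUNTD_CALL` contains the RPC program number of mountd (100005 = 0x000186a5, which is what the rule's content bytes are), `PORTMAP_CALL` contains the portmapper's (100000 = 0x000186a0) instead.

```python
import ipaddress
import re

# The rule from the slide, in Snort syntax (action is lowercase in Snort).
RULE = 'alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)'

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)

# Constructed payloads (not captured traffic): both look like an RPC call,
# differing only in the program number field.
MOUNTD_CALL = b"\x00\x00\x00\x01\x00\x00\x00\x02\x00\x01\x86\xa5\x00\x00\x00\x01\x00\x00\x00\x00"
PORTMAP_CALL = b"\x00\x00\x00\x01\x00\x00\x00\x02\x00\x01\x86\xa0\x00\x00\x00\x01\x00\x00\x00\x00"

SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40001, "dst": "192.168.1.10", "dport": 111, "payload": MOUNTD_CALL},   # matches
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40002, "dst": "10.0.0.9",     "dport": 111, "payload": MOUNTD_CALL},   # wrong subnet
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40003, "dst": "192.168.1.10", "dport": 111, "payload": PORTMAP_CALL},  # content absent
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40004, "dst": "192.168.1.10", "dport": 80,  "payload": MOUNTD_CALL},   # wrong port
    {"proto": "udp", "src": "10.0.0.5", "sport": 40005, "dst": "192.168.1.10", "dport": 111, "payload": MOUNTD_CALL},   # wrong protocol
]


def parse_content(value):
    """Convert a content string such as 'abc|00 01|d' to bytes: text between
    pipes is hexadecimal, everything else is taken literally."""
    out = bytearray()
    for i, part in enumerate(value.split("|")):
        if i % 2 == 1:
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)


def parse_rule(text):
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule header")
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    rule["contents"], rule["msg"] = [], ""
    for opt in filter(None, (o.strip() for o in m.group("opts").split(";"))):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key == "content":
            rule["contents"].append(parse_content(val))
        elif key == "msg":
            rule["msg"] = val
    return rule


def addr_matches(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


def endpoints_match(rule, pkt):
    fwd = (addr_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])
           and addr_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"]))
    if fwd or rule["dir"] != "<>":
        return fwd
    # Bidirectional rule: also accept the packet with source and destination swapped.
    return (addr_matches(rule["src"], pkt["dst"]) and port_matches(rule["sport"], pkt["dport"])
            and addr_matches(rule["dst"], pkt["src"]) and port_matches(rule["dport"], pkt["sport"]))


def rule_matches(rule, pkt):
    """Header fields select the packet; every content pattern must appear in the payload."""
    if pkt["proto"] != rule["proto"] or not endpoints_match(rule, pkt):
        return False
    return all(c in pkt["payload"] for c in rule["contents"])


def run(rule_text, packets):
    """Return one alert line per packet the rule matches."""
    rule = parse_rule(rule_text)
    return [f"[{rule['action']}] {rule['msg']} {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']}"
            for p in packets if rule_matches(rule, p)]


if __name__ == "__main__":
    for line in run(RULE, SAMPLE_PACKETS):
        print(line)
```

Only the first packet produces an alert; the other four each fail exactly one of the rule's conditions, which is a useful way to check that a rule is as narrow as intended before deploying it.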
Slide 12: Thresholds
• A threshold is a value that represents the boundary of normal activity
• Example: maximum three tries for login
• Common thresholds:
– File I/O activity
– Network activity
– Administrator logins and actions
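The "maximum three tries for login" threshold on this slide is easy to turn into a host-based check over authentication logs. This is an added example for this transcript, not code from the slides or from any IDS; the log lines are constructed in a simplified sshd-like format, and the 60-second window is an assumption (the slide gives only the count). The detector keeps, per user and source address, the timestamps of recent failures, drops those that have aged out of the window, clears the counter on a successful login, and raises one alert the first time the count exceeds the threshold.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real logs): two typos by alice, a burst against
# root from an outside address, and a single failure by bob.
SAMPLE_LOG = """\
2024-01-15T09:00:01 sshd: Failed password for alice from 10.0.0.5
2024-01-15T09:00:05 sshd: Failed password for alice from 10.0.0.5
2024-01-15T09:00:09 sshd: Accepted password for alice from 10.0.0.5
2024-01-15T09:01:00 sshd: Failed password for root from 203.0.113.7
2024-01-15T09:01:02 sshd: Failed password for root from 203.0.113.7
2024-01-15T09:01:04 sshd: Failed password for root from 203.0.113.7
2024-01-15T09:01:06 sshd: Failed password for root from 203.0.113.7
2024-01-15T09:01:08 sshd: Failed password for root from 203.0.113.7
2024-01-15T09:30:00 sshd: Failed password for bob from 10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$"
)

MAX_TRIES = 3                  # threshold from the slide
WINDOW = timedelta(seconds=60)  # assumed window over which tries are counted


def parse_line(line):
    """Parse one log line; returns None for lines in a different format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m.group("ts")), "result": m.group("result"),
            "user": m.group("user"), "src": m.group("src")}


def detect(log_text, max_tries=MAX_TRIES, window=WINDOW):
    """Return one alert per (user, source) the first time its failed logins
    inside a sliding window exceed max_tries."""
    failures = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["user"], ev["src"])
        if ev["result"] == "Accepted":
            failures[key].clear()  # a successful login resets the counter
            continue
        q = failures[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()            # forget failures older than the window
        if len(q) > max_tries and key not in alerted:
            alerted.add(key)
            alerts.append(f"{ev['ts'].isoformat()} {len(q)} failed logins for "
                          f"{ev['user']} from {ev['src']} within {int(window.total_seconds())}s")
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

With the slide's threshold only the burst against root is reported, at the fourth failure. Rerunning with `max_tries=1` also reports alice's two typos, which illustrates why a threshold that is set too tight turns ordinary user behaviour into alerts.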
Slide 13: Snort IDS
• Snort is an example of an IDS
– Freeware
– UNIX and Windows
• A highly configurable packet sniffer
• Analyzes network traffic in real time
• www.snort.org
Slide 14: Snort IDS
• Snort sniffs a packet from the network
– The preprocessor looks at the packet header and decides whether to analyze it further
– The detection engine compares the patterns from the rules to the packet payload
– If the payload matches, the appropriate action is taken
• Snort can be used in plain packet sniffer mode or in full IDS mode
• Snort has numerous configurable options
Slides 15-17: Snort IDS (image-only slides; no text recovered)
Slide 18: Network-Based vs Host-Based
• IDS systems are classified by their intended locations
• A network-based IDS monitors all traffic on a network segment
– Can detect intrusions that cross a specific network segment
– Administrators sometimes place one inside and one outside of a firewall
– Will not see traffic that passes between LAN computers
Slide 19: Network-Based vs Host-Based
• A host-based IDS examines all traffic and activity for a particular machine
– Can examine system log files as well as inbound and outbound packets
– Each system requires its own IDS
• The best choice is to use both network-based and host-based IDS in an organization
• Many firewalls provide some IDS functionality
Slide 20: Network-Based IDS (image-only slide; no text recovered)
Slide 21: Choosing an Appropriate IDS
• Determine organizational security needs
• Review the different IDS packages available
• Medium to large organizations commonly use both network-based and host-based IDS
Slide 22: Security Auditing with an IDS
• Must have periodic security audits
– Sometimes mandated by law or by corporate structure
• An IDS can contribute to a complete audit
• Many host-based IDS can scan and analyze system log files
– They can act as a filter for various behaviors
• A port-sniffing IDS can help to profile network activity
Slide 23: Intrusion Prevention System
• An IPS applies the knowledge of an IDS in an automated manner
• Usually an IPS is a combination of a firewall and an IDS
• IPSs come in different forms:
– NIDS with two NICs
– Inline NIDS
– Inline NIDS with scrubber
Slide 24: Intrusion Prevention System
• IPS with two NICs, configured as follows:
– One NIC has an IP address and handles traffic management
– The second NIC has no IP address and only performs attack detection
Slide 25: IPS with two NICs
(Diagram. Labels recovered from the slide: Network Traffic; Server with IPS; NIC1 and NIC2, one labelled "No IP address" and the other "Has IP address"; "Copy of traffic" on the links into the server)
Slide 26: IPS with inline NIDS
(Diagram. Labels recovered from the slide: Server with IPS; three NICs, two labelled "No IP address" and one "Has IP address"; "Network traffic" on both sides of the server, i.e. the server sits inline in the traffic path)
Slide 27: IPS with scrubber
(Diagram. Same layout as slide 26: Server with IPS; three NICs, two labelled "No IP address" and one "Has IP address"; "Network traffic" on both sides. A "Malicious packet" enters on one side and leaves on the other as a "Scrubbed packet", with the malicious code rendered inactive)
Slide 28: IPS Enhancements
• Traditionally switches work in OSI layer 2
• Most vulnerabilities are in applications
• Layer 7 switches control which applications go to which server
• Layer 7 switches also help with load balancing
• A layer 7 switch inspects application protocols such as HTTP, SMTP and DNS and decides which server to route the application packets to
• Handles DoS and DDoS attacks
Slide 29: IPS Enhancements
• IPS systems first profile applications
• This helps identify the normal behavior of access to, and functionality of, applications
Slide 30: IPS Scenario
Traffic from the internet:
– User: GET /
– User: GET /default.asp
– Attacker: GET /passwd.txt
– User: GET /login.asp
Policy:
– Allow: GET /
– Allow: GET /default.asp
– Allow: GET /login.asp
– Allow: /public/default.html
– Implicitly deny other requests
Traffic to the internal network:
– User: GET /
– User: GET /default.asp
– User: GET /login.asp
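The scenario above is an application-layer allow list with implicit deny, and the following added example (written for this transcript, not code from the slides or from any IPS product) implements exactly that policy as a filter over a constructed request stream. Policy entries are (method, path) pairs; the slide's entry for /public/default.html carries no method, which is modelled here as the wildcard method `*` (an assumption). Two further assumptions are that the query string is ignored when matching the path and that a request line that cannot be split into method and path is dropped.

```python
# Policy from the slide: explicit allow list; everything else is implicitly denied.
# "*" as the method means the entry applies to any method (assumption; the slide
# lists /public/default.html without a method).
POLICY = {
    ("GET", "/"),
    ("GET", "/default.asp"),
    ("GET", "/login.asp"),
    ("*", "/public/default.html"),
}

# Constructed inbound request stream: the slide's four requests plus a few
# extra cases that exercise the implicit-deny rule.
INBOUND = [
    ("User", "GET /"),
    ("User", "GET /default.asp"),
    ("Attacker", "GET /passwd.txt"),
    ("User", "GET /login.asp"),
    ("Attacker", "POST /login.asp"),                  # allowed path, method not in policy
    ("User", "GET /public/default.html?lang=en"),     # wildcard-method entry, query ignored
    ("Attacker", "GET /default.asp/../passwd.txt"),   # not an exact listed path, so denied
    ("Attacker", "garbage"),                          # malformed request line
]


def decide(request_line, policy=POLICY):
    """True if the request is explicitly allowed by the policy, else False."""
    try:
        method, path = request_line.split(" ", 1)
    except ValueError:
        return False  # no method/path pair: implicitly denied
    path = path.split("?", 1)[0]  # assumption: query string does not affect the decision
    method = method.upper()
    return (method, path) in policy or ("*", path) in policy


def filter_traffic(requests, policy=POLICY):
    """Split the stream into requests forwarded to the internal network and requests dropped."""
    forwarded, dropped = [], []
    for who, req in requests:
        (forwarded if decide(req, policy) else dropped).append((who, req))
    return forwarded, dropped


if __name__ == "__main__":
    fwd, drop = filter_traffic(INBOUND)
    print("Traffic to internal network:")
    for who, req in fwd:
        print(f"  {who}: {req}")
    print("Dropped:")
    for who, req in drop:
        print(f"  {who}: {req}")
```

Because the decision is "is this request on the list", the filter needs no knowledge of what /passwd.txt is or why a POST to /login.asp is unwanted; anything the policy author did not anticipate is dropped, which is the property the slide's "implicitly deny other requests" line describes.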
Slide 31: Commercial IPSs
• Hogwash (http://hogwash.sourceforge.net/oldindex.html)
• ISS Guard (http://www.iss.net/products_services/enterprise_protection/rsnetwork/guard.php)
• Netscreen (http://www.juniper.net/products/)
• Tipping Point (http://www.tippingpoint.com/products_ips.html)
• Intruvert (http://www.mcafee.com/us/products/mcafee/network_ips/category.htm?cid=10355)
Slide 32: References
• IPS: http://www.securityfocus.com/infocus/1670
• IBM’s IPS: http://www-1.ibm.com/services/us/index.wss/offering/bcrs/a1002441