IDS

Transcript of IDS (32 pages)

Page 1: Intrusion Detection Systems

Page 2: Intrusion Detection

• An intrusion is any use or attempted use of a system that exceeds what the user is authorized to do

• Intrusions are similar to incidents
– An incident does not necessarily involve an active system or network device; an intrusion does

• An Intrusion Detection System (IDS) is software or hardware that monitors system or network activity and raises an alert when it notices suspicious activity

Page 3: Intrusion Detection

• Security policies are either prohibitive (deny by default) or permissive (allow by default)

• An IDS is sensitive to configuration

• Possible types of IDS errors:
– False positive (the IDS alerts on activity that is actually legitimate)
– False negative (the IDS fails to alert on an actual intrusion)
– Subversion error (the intruder compromises or evades the IDS itself so that the intrusion is never detected)

Page 4: Dealing with Intruders

• Intruders can be external or internal
– External intruders are hackers or crackers
– Internal intruders are more common and very dangerous, since they already hold legitimate access

• The security policy should state what steps will be taken to handle intrusions

• Block and ignore
– Simplest tactic for handling intrusions
– Block the intruder and address the vulnerability
– Don't take any further action

Page 5: Dealing with Intruders

• Block and investigate
– Block the intruder and address the vulnerability
– Collect evidence and try to determine the intruder's identity
– Investigate

• Honeypot (bait the intruder)
– Allow the intruder to access an isolated part of your network
– Try to catch the intruder while he or she explores
– This is a potentially dangerous approach
• The intruder does have at least partial access, so the honeypot must be kept isolated from production systems
• Crackers may become interested in your site

Page 6: Detecting Intruders

• An IDS monitors system activity in some way
• When it detects suspicious activity, it performs an action
• The action is usually an alert of some type
– E-mail, cell phone, audible alert, etc., to a person or a process
– For highly sensitive systems an out-of-band channel is used, so that an intruder who controls the network cannot suppress the alert

• All IDS systems continuously sample system activity and compare the samples to a database of attack signatures or a profile of normal behavior

Page 7: IDS Principles

• Run unattended for extended periods of time
• Stay active and secure
• Recognize unusual activity
• Operate without unduly affecting the system's activity
• Configurable

Page 8: IDS Principles

Sample current activity → Compare with database → Decide what to do

Page 9: IDS Taxonomy

• Misuse intrusion
– An attack against a known vulnerability, using a known sequence of actions
– Relatively easy to detect

• Anomaly intrusion
– An attack against a new vulnerability, or one using an unknown set of actions
– Relatively difficult to detect

• Types of IDS that correspond to the intrusion types:
– Signature-based (for misuse intrusions)
– Knowledge-based, also called anomaly-based or behavior-based (for anomaly intrusions)

Page 10: IDS Taxonomy

• Signature-based IDS
– Detects misuse intrusions
– Maintains a database of attack signatures
– Compares current activity to the database
– Database must be current and complete to be effective; an attack with no signature is missed (a false negative)

• Knowledge-based (anomaly-based) IDS
– Detects anomaly intrusions
– Builds a profile of "normal" system activity over time and alerts on deviations from it
– Produces more false positives and requires more administration
– Requires careful initial configuration, and the training period must be free of intrusions or the intruder's activity becomes part of "normal"

Page 11: Thresholds (IDS rules)

• A rule tells the IDS which packets to examine and what action to take
– Similar to a firewall rule
– Example Snort rule (written on one line):

alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)

• alert specifies the action to take when the rule matches
• tcp specifies the protocol
• any any specifies the source: any source address and any source port
• -> gives the direction of the traffic; 192.168.1.0/24 specifies the destination subnet
• 111 specifies the destination port (the RPC portmapper)
• content specifies bytes that must appear in the payload; text between | pipes | is hexadecimal, and 00 01 86 a5 is 100005, the RPC program number of mountd
• msg specifies the text of the alert message
• Current Snort releases also require a sid (rule identifier) and rev (revision) option in each rule
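A worked version of the rule above, added here as an example; it is not Snort's own code (Snort uses a compiled multi-pattern matcher and reassembles streams before matching, which this does not). A small Python parser reads the rule header and the content and msg options, then runs the rule over constructed packets. The sid and rev options are added because current Snort releases require them; the packets, their addresses and their payloads are constructed for this example.

```python
"""Minimal Snort-style rule parser and matcher (added example, not Snort's code)."""
import ipaddress
import re
from dataclasses import dataclass

# The slide's rule, with sid/rev added because current Snort requires them.
RULE = ('alert tcp any any -> 192.168.1.0/24 111 '
        '(content:"|00 01 86 a5|"; msg:"mountd access"; sid:1000001; rev:1;)')

# header:  action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    content: bytes
    msg: str


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def parse_content(value: str) -> bytes:
    """Expand Snort content syntax: plain text is literal, |..| holds hex bytes."""
    out = bytearray()
    for i, part in enumerate(value.split('|')):
        if i % 2:                                   # odd index: inside a pipe pair
            out += bytes.fromhex(part.replace(' ', ''))
        else:
            out += part.encode('latin-1')
    return bytes(out)


def parse_rule(text: str) -> Rule:
    """Parse one rule line into a Rule; only content and msg options are interpreted."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError('unparseable rule: %r' % text)
    opts = {}
    # Simplification: splitting on ';' assumes no ';' inside quoted option values.
    for opt in m['opts'].split(';'):
        key, _, val = opt.strip().partition(':')
        if key:
            opts[key.strip()] = val.strip().strip('"')
    return Rule(m['action'], m['proto'], m['src'], m['sport'], m['dst'], m['dport'],
                parse_content(opts.get('content', '')), opts.get('msg', ''))


def addr_matches(spec: str, ip: str) -> bool:
    """'any' or a host/CIDR spec such as 192.168.1.0/24."""
    if spec == 'any':
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    return spec == 'any' or int(spec) == port


def matches(rule: Rule, pkt: Packet) -> bool:
    """Header fields must all match, then the content bytes must occur in the payload."""
    return (pkt.proto == rule.proto
            and addr_matches(rule.src, pkt.src) and port_matches(rule.sport, pkt.sport)
            and addr_matches(rule.dst, pkt.dst) and port_matches(rule.dport, pkt.dport)
            and (not rule.content or rule.content in pkt.payload))


def run_rule(rule_text: str, packets) -> list:
    """Return one alert string per packet the rule matches."""
    rule = parse_rule(rule_text)
    return ['[%s] %s %s:%d -> %s:%d' % (rule.action, rule.msg, p.src, p.sport, p.dst, p.dport)
            for p in packets if matches(rule, p)]


# Constructed packets. 0x000186a5 = 100005 is the RPC program number of mountd;
# 0x000186a3 = 100003 is nfs. Only the first packet should fire the rule.
PACKETS = [
    Packet('tcp', '10.0.0.5', 40001, '192.168.1.20', 111,
           b'\x80\x00\x00\x28\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x86\xa5'),  # mountd, in subnet
    Packet('tcp', '10.0.0.5', 40002, '192.168.1.20', 111,
           b'\x80\x00\x00\x28\x00\x00\x00\x02\x00\x00\x00\x00\x00\x01\x86\xa3'),  # nfs: no content match
    Packet('tcp', '10.0.0.5', 40003, '192.168.2.20', 111,
           b'\x00\x00\x00\x00\x00\x01\x86\xa5'),                                  # other subnet
    Packet('udp', '10.0.0.5', 40004, '192.168.1.20', 111,
           b'\x00\x00\x00\x00\x00\x01\x86\xa5'),                                  # udp, rule says tcp
]

if __name__ == '__main__':
    for alert in run_rule(RULE, PACKETS):
        print(alert)
```

Because this matcher looks at one packet at a time, a content string split across two TCP segments would not be seen; that is why Snort's preprocessors reassemble streams before the detection engine runs, and why a signature database that is merely "current" is not enough if the sensor cannot see the traffic the way the endpoint does.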

Page 12: Thresholds

• A threshold is a value that represents the boundary of normal activity
• Example: a maximum of three tries for login; a fourth failed attempt triggers an alert
• Common thresholds:
– file I/O activity
– network activity
– administrator logins and actions
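The profile-versus-threshold distinction from pages 10 and 12, and the error types from page 3, as an added example that is not from the slides or from any IDS product. A per-user baseline of failed logins per hour is learned from a constructed training window; the current window is checked against both the learned profile (mean plus k standard deviations) and the fixed "three tries" limit; each result is scored against constructed ground truth as a true or false positive or negative. All users, counts and labels are constructed for the example.

```python
"""Profile-based (anomaly) detection plus a fixed threshold, scored for IDS error types.

Added example for this transcript, not from the slides or from any IDS product.
The baseline and the current-window events are constructed: failed-login counts
per user per hour.
"""
from collections import Counter
from statistics import mean, pstdev

# Constructed training window (8 hours of "normal" activity) per user.
BASELINE = {
    'alice': [0, 1, 0, 2, 1, 0, 1, 0],
    'bob':   [1, 0, 0, 1, 0, 2, 1, 0],
    'svc':   [0, 0, 0, 0, 0, 0, 0, 0],   # service account never fails a login
}

# Constructed current-window events: (user, failed logins this hour, ground truth).
EVENTS = [
    ('alice', 1, False),
    ('alice', 9, True),    # password spraying against alice
    ('bob',   3, False),   # bob mistyped his password three times
    ('bob',   2, True),    # low-and-slow guessing, kept below the threshold
    ('svc',   1, True),    # any failure on the service account is suspicious
    ('svc',   0, False),
]

FIXED_LIMIT = 3   # the slide's "maximum three tries for login"


def build_profile(baseline, k=2.0):
    """Per-user (mean, standard deviation, k): the 'normal' profile the IDS learns."""
    return {user: (mean(counts), pstdev(counts), k) for user, counts in baseline.items()}


def anomaly_alert(profile, user, value):
    """Knowledge/anomaly engine: alert when value exceeds mean + k * stddev."""
    if user not in profile:
        return True                  # no baseline at all: treat as anomalous
    mu, sigma, k = profile[user]
    if sigma == 0:                   # constant baseline: any increase is a deviation
        return value > mu
    return value > mu + k * sigma


def threshold_alert(value, limit=FIXED_LIMIT):
    """Fixed threshold engine: alert when the count exceeds the configured limit."""
    return value > limit


def evaluate(events, profile, limit=FIXED_LIMIT):
    """Run both engines and count each IDS error type against the ground truth."""
    alerts, counts = [], Counter()
    for user, failures, is_intrusion in events:
        fired = anomaly_alert(profile, user, failures) or threshold_alert(failures, limit)
        if fired:
            alerts.append((user, failures))
        if fired and is_intrusion:
            counts['true_positive'] += 1
        elif fired:
            counts['false_positive'] += 1     # alert on legitimate activity
        elif is_intrusion:
            counts['false_negative'] += 1     # missed intrusion
        else:
            counts['true_negative'] += 1
    return alerts, counts


if __name__ == '__main__':
    alerts, counts = evaluate(EVENTS, build_profile(BASELINE))
    print('alerts:', alerts)
    print('errors:', dict(counts))
```

With this data the three mistyped passwords from bob are the false positive the page warns about (bob's learned ceiling is just above two failures per hour), and the two-attempt guessing run is the false negative neither engine catches. Retraining on a window in which the intruder was already active raises the learned mean and therefore the alert line, which is the subversion error of page 3; the fixed threshold is what still fires in that case, which is the practical reason to run both kinds of check.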

Page 13: Snort IDS

• Snort is an example of an IDS
– Free, open-source software (GPL)
– Runs on UNIX/Linux and Windows

• A highly configurable packet sniffer with a rule-based detection engine
• Analyzes network traffic in real time
• www.snort.org

Page 14: Snort IDS

• Snort sniffs a packet from the network
– The decoder and preprocessors parse the packet headers and normalize the traffic (reassembling IP fragments and TCP streams, decoding protocols such as HTTP) so that the detection engine sees what the endpoint will see
– The detection engine compares the patterns in the rules to the packet headers and payload
– If a rule matches, the action the rule specifies (alert, log, pass, or drop when running inline) is taken

• Snort can be run as a plain packet sniffer, as a packet logger, or in full network IDS mode

• Snort has numerous configurable options

Pages 15 to 17: Snort IDS (screenshots; no text recoverable from the transcript)

Page 18: Network-Based vs Host-Based

• IDS systems are classified by their intended locations

• A network-based IDS monitors all traffic on a network segment
– Can detect intrusions that cross that network segment
– Administrators sometimes place one inside and one outside of a firewall, which shows which attacks the firewall stops and which get through
– Will not see traffic that does not cross the segment it monitors, such as switched traffic between two LAN computers, unless the switch mirrors that traffic to the sensor (SPAN port or network tap)

Page 19: Network-Based vs Host-Based

• A host-based IDS examines all traffic and activity for a particular machine
– Can examine system log files as well as inbound and outbound packets, including traffic that was encrypted on the wire
– Each system requires its own IDS agent, which adds deployment and maintenance cost

• The best choice is to use both network-based and host-based IDS in an organization

• Many firewalls provide some IDS functionality

Page 20: Network-Based IDS (diagram; no text recoverable from the transcript)

Page 21: Choosing an Appropriate IDS

• Determine the organization's security needs
• Review the different IDS packages available
• Medium to large organizations commonly use both network-based and host-based IDS

Page 22: Security Auditing with an IDS

• Organizations must have periodic security audits
– Sometimes mandated by law or by corporate policy

• An IDS can contribute to a complete audit
• Many host-based IDS can scan and analyze system log files
– They can act as a filter that picks specific behaviors out of the logs

• A packet-sniffing (network-based) IDS can help to profile network activity

Page 23: Intrusion Prevention System

• An IPS acts on IDS detections automatically: instead of only alerting, it blocks or modifies the offending traffic

• Usually an IPS is a combination of a firewall and an IDS

• IPSs come in different forms:
– NIDS with two NICs
– Inline NIDS
– Inline NIDS with scrubber

Page 24: Intrusion Prevention System

• An IPS with two NICs is configured as follows:
– One NIC has an IP address and handles traffic management (the management connection and the responses the IPS sends)
– The second NIC has no IP address and is used only for detecting attacks; with no address it cannot be reached, and therefore cannot be attacked, over the network it watches

Page 25: IPS with two NICs

Diagram: a server running the IPS has two NICs. NIC1 has no IP address and receives a copy of the network traffic for detection; NIC2 has an IP address and carries the management traffic.

Page 26: IPS with inline NIDS

Diagram: the server with the IPS sits in the traffic path. Network traffic enters through one NIC with no IP address and leaves through a second NIC with no IP address, so the IPS bridges the two segments transparently; a third NIC with an IP address is used for management.

Page 27: IPS with scrubber

Diagram: the same inline layout as page 26 (two NICs with no IP address carrying the network traffic in and out, one NIC with an IP address for management). A malicious packet entering the IPS is scrubbed before it is forwarded: the malicious code is rendered inactive and the scrubbed packet continues to its destination.

Page 28: IPS Enhancements

• Traditionally switches work at OSI layer 2
• Most exploited vulnerabilities are in applications (layer 7)
• Layer 7 switches control which applications go to which server
• Layer 7 switches also help with load balancing
• A layer 7 switch inspects application traffic such as HTTP, SMTP and DNS and decides which server to route the application packets to
• Helps handle DoS and DDoS attacks by spreading or discarding the load before it reaches a single server

Page 29: IPS Enhancements

• Application-aware IPS systems first profile the applications they protect
• The profile identifies the normal behavior of access and functionality for each application, so that requests outside it can be denied

Page 30: IPS Scenario

Traffic from the internet:
User: GET /
User: GET /default.asp
Attacker: GET /passwd.txt
User: GET /login.asp

Policy:
Allow: GET /
Allow: GET /default.asp
Allow: GET /login.asp
Allow: /public/default.html
Implicitly deny other requests

Traffic to the internal network (after the IPS):
User: GET /
User: GET /default.asp
User: GET /login.asp
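The scenario above as an added example, not from the slides or from any IPS product: an inline filter parses the slide's policy into an allow list and forwards only request lines that match it, so the attacker's GET /passwd.txt is dropped. The request stream is constructed; the slide's fourth rule lists no method, so the code assumes it means GET; request paths are canonicalized before matching so that directory traversal or URL encoding cannot be used to slip a denied path past the list.

```python
"""Inline IPS enforcing an HTTP allow list (positive security model).

Added example for this transcript, not from the slides or from any product. The
policy text is the one on the slide; the request stream is constructed. The slide's
fourth rule gives no method, so this code assumes it means GET only.
"""
from urllib.parse import unquote, urlsplit

POLICY = """
Allow: GET /
Allow: GET /default.asp
Allow: GET /login.asp
Allow: /public/default.html
# Implicitly deny other requests
"""


def normalize(target):
    """Canonicalise a request path so encoding and traversal tricks cannot bypass the list."""
    path = urlsplit(target).path
    path = unquote(unquote(path))        # second pass defeats %252e double encoding
    segments = []
    for seg in path.split('/'):
        if seg in ('', '.'):
            continue
        if seg == '..':
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return '/' + '/'.join(segments)


def parse_policy(text):
    """Return the set of (METHOD, path) pairs that may pass; everything else is denied."""
    allowed = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        verb, _, rule = line.partition(':')
        if verb.strip().lower() != 'allow':
            raise ValueError('only Allow rules are supported: %r' % line)
        parts = rule.split()
        method, path = (parts[0], parts[1]) if len(parts) == 2 else ('GET', parts[0])
        allowed.add((method.upper(), normalize(path)))
    return allowed


def filter_requests(requests, policy):
    """Return (forwarded, dropped): the IPS passes only requests on the allow list."""
    forwarded, dropped = [], []
    for line in requests:
        parts = line.split()
        if len(parts) != 3:              # malformed request line: fail closed
            dropped.append(line)
            continue
        method, target, _version = parts
        if (method.upper(), normalize(target)) in policy:
            forwarded.append(line)
        else:
            dropped.append(line)
    return forwarded, dropped


# Constructed request stream as seen on the internet side of the IPS.
REQUESTS = [
    'GET / HTTP/1.1',
    'GET /default.asp HTTP/1.1',
    'GET /passwd.txt HTTP/1.1',                   # the attacker's request on the slide
    'GET /login.asp HTTP/1.1',
    'GET /default.asp/../passwd.txt HTTP/1.1',    # traversal attempt
    'GET /%70asswd.txt HTTP/1.1',                 # URL-encoded evasion
    'POST /login.asp HTTP/1.1',                   # method not on the list
    'GET /public/default.html?lang=en HTTP/1.1',  # query string is ignored by the path match
]

if __name__ == '__main__':
    forwarded, dropped = filter_requests(REQUESTS, parse_policy(POLICY))
    print('to internal network:', forwarded)
    print('dropped:', dropped)
```

The POST to /login.asp is dropped because the slide's policy only lists GET; a real login form posts its credentials, so the policy would need that entry. Discovering such entries before turning on enforcement is the "profile the applications first" step of page 29; without it the allow list produces exactly the false positives a prohibitive policy is prone to.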

Page 32: References

• IPS: http://www.securityfocus.com/infocus/1670
• IBM's IPS: http://www-1.ibm.com/services/us/index.wss/offering/bcrs/a1002441