Intrusion Detection Systems (ledvina/DHT/tugraz/IDS.pdf)
Slide 2: Outline
- Introduction
- Types of IDS
- How an IDS works
- Attacks on IDS
- Intrusion Prevention Systems
- Limits of IDS
- Operation examples
- Some products
Slide 3: What is an IDS ...
- A system that detects unwanted manipulation of computer systems
- Identifies misuse and abnormal behaviour
- Detects many types of malicious network traffic and computer usage
Slide 4: Motivation
- Other security measures are not sufficient (authentication, firewall, ...)
- Attacks are motivated by
  - financial,
  - political,
  - military or
  - personal reasons
- We want to detect intrusions
- We want to prevent intrusions
Slide 5: What does an IDS do?
- Logging and preparing for analysis
- Analysis
- Presentation (e.g. an alarm)
- Reaction (only in Intrusion Prevention Systems, IPS)
Slide 6: Types of IDS
- Host based IDS (HIDS)
- Network based IDS (NIDS)
- Hybrid IDS (combination of HIDS and NIDS)
Slide 7: Passive vs. Reactive System
- Passive system
  - Detects a potential security breach
  - Logs the information
  - Signals an alert
- A reactive system additionally
  - Resets the connection
  - Reprograms the firewall
  - Automatically or manually
Slide 8: Host based IDS (HIDS) 1
- Installed on a host
- Monitors system objects and remembers their attributes, e.g. file-system objects
- Creates a checksum (optional)
- Database to store objects and attributes
- Reports anomalies in the form of logs, e-mails or similar
- Detects unauthorized insider activity or file modification
Slide 9: Host based IDS (HIDS) 2
- Pro
  - Detailed information about the attack
- Con
  - The HIDS itself can be attacked (and if the attacked host is down, the HIDS is down as well)
  - Local installation on each host
  - Host resources are needed
Slide 10: Network based IDS (NIDS) 1
- Monitors network traffic
- Tries to find suspicious patterns
- E.g. port scan detection
- The NIDS collaborates with other systems such as a firewall
- Detects attempts from outside the trusted network
Slide 11: Network based IDS (NIDS) 2
- Pro
  - Covers a network segment, not only one host
  - A defect of one host is no risk for the NIDS
- Con
  - The bandwidth of the NIDS can be overloaded
  - In switched networks it needs
    - taps, or
    - port mirroring on the switch
Slide 12: Hybrid IDS
- Combination of HIDS and NIDS
- Management console necessary
- Network sensors
- Host sensors
Slide 13: Logging
- Differs between IDS types
- On a HIDS
  - Detailed information -> specific analysis possible
- On a NIDS
  - Distributed sensors
  - Management station
- Privacy problem
Slide 14: Analysis 1
- Integrity check / target monitoring
  - Cryptographic signature or checksum to secure the integrity of files
  - On-demand (post mortem or reactive) integrity check
  - Simple to implement
- Signature detection / misuse detection
  - Compares network traffic with known attack signatures
  - Pattern matching procedures
  - Reassembly of fragmented packets is necessary
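The file monitoring of slide 8 and the integrity check above, implemented in Python as an added example (not code from the slides): a baseline database of keyed digests (HMAC-SHA256) is built once, and a later run compares the current file tree against it, reporting modified, added and removed files. The key is assumed to be supplied from outside the monitored host, in line with the later point that a key stored on the host can be taken by the attacker; the sample files and the tampering are constructed for the demo.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed sample file tree; a real HIDS would baseline system directories.
SAMPLE_FILES = {
    "etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "bin/login": b"\x7fELF-constructed-binary-contents",
}


def build_baseline(root, key):
    """Walk `root` and record a keyed digest per file (relative path -> hex HMAC).

    A keyed digest rather than a plain checksum means an attacker who changes a
    file cannot also recompute a matching entry without the key, which is kept
    off the host (assumption: the key is passed in from a management station)."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                data = f.read()
            rel = os.path.relpath(path, root)
            baseline[rel] = hmac.new(key, data, hashlib.sha256).hexdigest()
    return baseline


def check_integrity(root, baseline, key):
    """Compare the current tree against the stored baseline.

    Returns {"modified": [...], "added": [...], "removed": [...]}."""
    current = build_baseline(root, key)
    modified = sorted(
        p for p in baseline
        if p in current and not hmac.compare_digest(baseline[p], current[p])
    )
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo():
    """Build a baseline, tamper with the tree, and run the on-demand check."""
    key = b"constructed-demo-key-held-by-management-station"
    with tempfile.TemporaryDirectory() as root:
        for rel, data in SAMPLE_FILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        baseline = build_baseline(root, key)

        # Constructed tampering: a trojaned binary and a dropped-in file.
        with open(os.path.join(root, "bin", "login"), "wb") as f:
            f.write(b"\x7fELF-trojaned")
        with open(os.path.join(root, "etc", "shadow.bak"), "wb") as f:
            f.write(b"copied credentials")

        return check_integrity(root, baseline, key)


if __name__ == "__main__":
    print(demo())
```

The baseline dictionary is the "database to store objects and attributes" from slide 8; storing it on write-once media or on the management station addresses the tampering of the initial database mentioned on slide 16.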
Slide 15: Analysis 2
- Anomaly detection
  - Detects anomalies in user behaviour
  - E.g. a secretary uses applications like nmap or gcc at 11 p.m.
  - Privacy problem!!!
- Stealth probes
  - Attempt to detect attackers that act over prolonged periods of time
  - Combination of signature detection and anomaly detection
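A minimal anomaly detector for the secretary example, added here as an illustration and not part of the slides: a per-user profile (applications used, hours active) is learned from a constructed log of normal activity, and each new event is scored against the profile of its user. The log format and the user names are constructed for the example.

```python
# Constructed training log of normal activity, one event per line:
# "<user> <application> <hour-of-day>"
TRAINING_LOG = """\
alice winword 09
alice outlook 10
alice excel 14
alice winword 16
bob gcc 11
bob nmap 15
bob gcc 22
"""


def build_profiles(log_text):
    """Learn, per user, the set of applications used and the active-hour window."""
    profiles = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        user, app, hour = line.split()
        p = profiles.setdefault(user, {"apps": set(), "first": 24, "last": -1})
        p["apps"].add(app)
        h = int(hour)
        p["first"] = min(p["first"], h)
        p["last"] = max(p["last"], h)
    return profiles


def score_event(profiles, user, app, hour):
    """Return the reasons an event deviates from its user's learned profile.

    An empty list means the event looks normal. Note that the same application
    (nmap) is normal for bob and anomalous for alice: the judgement is per user,
    which is exactly why this method raises the privacy problem on the slide."""
    if user not in profiles:
        return [f"no profile for user {user}"]
    p = profiles[user]
    reasons = []
    if app not in p["apps"]:
        reasons.append(f"{user} has never used {app}")
    if not p["first"] <= hour <= p["last"]:
        reasons.append(f"{user} is not normally active at {hour:02d}:00")
    return reasons


def scan(profiles, events):
    """Run the detector over (user, app, hour) events; return (event, reasons) alerts."""
    alerts = []
    for event in events:
        reasons = score_event(profiles, *event)
        if reasons:
            alerts.append((event, reasons))
    return alerts


if __name__ == "__main__":
    profiles = build_profiles(TRAINING_LOG)
    # Constructed events: the secretary running nmap at 23:00, and two normal ones.
    for event, reasons in scan(profiles, [("alice", "nmap", 23),
                                          ("bob", "gcc", 22),
                                          ("alice", "excel", 12)]):
        print(event, reasons)
```

A real deployment would learn from far more attributes than application and hour, and would have to decide how long profiles are retained and who may read them, since the profile is a record of an individual's working habits.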
Slide 16: Attacks on IDS
- Integrity check with signature
  - is secure if the cryptographic system is good enough (e.g. RSA) and
  - if the private key isn't stored on the host
- Integrity check with checksum
  - the integrity of the initial database can be tampered with (-> WORM medium)
- Signature detection can be attacked by
  - DDoS
  - Insertion or evasion attacks
Slide 17: Insertion Attack
- Idea: uses packets that are accepted by the IDS but not by the host
- E.g. the attacker sends the packets H X* A L T
  - The packet marked * is not accepted by the host
  - The host receives HALT and stops, while the IDS sees HXALT and does not recognize this signature
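The slide's H X* A L T stream as an added, constructed Python example (not code from the slides), showing why the signature detection of slide 14 must reassemble the stream the way the end host does. A naive IDS concatenates every packet it captures and misses the signature; an IDS that first discards the packets the host would discard sees the same stream as the host. The `host_accepts` flag stands in for whatever makes the host drop the packet (the slide only says it is not accepted); the signature list is constructed.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    seq: int            # position of the payload in the stream
    payload: bytes
    host_accepts: bool  # False models a packet the end host drops (the "*" packet)


# Constructed signature database; "HALT" is the pattern from the slide.
SIGNATURES = [b"HALT"]

# The slide's stream H X* A L T as packets.
STREAM = [
    Packet(0, b"H", True),
    Packet(1, b"X", False),   # inserted: captured by the IDS, rejected by the host
    Packet(2, b"A", True),
    Packet(3, b"L", True),
    Packet(4, b"T", True),
]


def host_view(packets):
    """The byte stream the end host actually processes: accepted packets only."""
    ordered = sorted(packets, key=lambda p: p.seq)
    return b"".join(p.payload for p in ordered if p.host_accepts)


def ids_view(packets, model_host=False):
    """The stream as reassembled by the IDS.

    A naive IDS takes every packet it captures. A host-aware IDS applies the
    same acceptance rules as the host before reassembling, so the two views
    cannot be driven apart by inserted packets."""
    if model_host:
        return host_view(packets)
    ordered = sorted(packets, key=lambda p: p.seq)
    return b"".join(p.payload for p in ordered)


def detect(packets, model_host=False):
    """Signatures the IDS matches in its reassembled view of the stream."""
    stream = ids_view(packets, model_host)
    return [s for s in SIGNATURES if s in stream]


if __name__ == "__main__":
    print("host sees      :", host_view(STREAM))
    print("naive IDS sees :", ids_view(STREAM), "->", detect(STREAM))
    print("host-aware IDS :", ids_view(STREAM, True), "->", detect(STREAM, True))
```

The defensive lesson is that the IDS needs enough knowledge of the protected host's stack to decide which packets that host will accept; the evasion attack named on slide 16 is the mirror image, where the host accepts what the IDS drops.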
Slide 18: Intrusion Prevention Systems (IPS)
- Extended IDS
- Automated reactions to alarms from the IDS
  - e.g. updates a firewall blacklist
  - Actively changes or interrupts network traffic
  - Tries to prevent attacks in real time
- Honeypots
- Tarpits
Slide 19: Honeypot
- Runs alone on a server
- Simulates services or proxy servers (Sugarcane)
- Logs activity
- Legitimate users don't know about it and therefore never address a honeypot
- Automated attacks cannot distinguish the honeypot from a normal host
- Used for
  - attracting and binding attacks
  - detecting and analysing new attacks
  - protecting production systems
  - conservation of evidence (court of law)
Slide 20: Tarpit
- Tries to slow down the spread of spammers and worms
- IP-, TCP- or application-level tarpits
- Example: HTTP tarpit
  - Tries to block the spammer's harvester (a crawler that searches web pages for e-mail addresses)
  - Delivers the web page very slowly
  - Inserts a lot of links to itself
  - Therefore the harvester falls into the trap
Slide 21: Limits of IDS / IPS
- False positives and false negatives
- Unknown attacks cannot be detected or prevented
- Cryptographic methods can be a problem
- Legal restrictions on the identification and logging of attackers
- Needs other tools (firewall, router, ...) to prevent intrusion
- Never 100% protection
Slide 22: Operation examples 1
Figure: Operation of a NIDS: the IDS and the firewall supplement each other. [5]

Slide 23: Operation examples 2
Figure: Operation of a HIDS: observation of specific systems or applications. [5]

Slide 24: Operation examples 3
Figure: Operation of a hybrid IDS: observation of the internal network. [5]
Slide 25: Intrusion Detection Message Exchange Format (IDMEF)
- Standardized communication protocol
- Protocol for communication between the IDS components (sensors, management console, ...)
- Main requirements for the protocol
  - Authentication of the sender
  - Reliable information
  - Resistance to attacks
Slide 26: Summary
- IDS are necessary because security incidents become more numerous and other security measures aren't sufficient
- An IDS is an active system -> needs administration
- The IDS itself can be attacked
- Encrypted data can be a problem
- Never 100% protection
- Privacy must be taken into account
Slide 27: IDS/IPS Applications
- Snort [http://www.snort.org/] (NIPS)
- Prelude [http://www.prelude-ids.org/] (hybrid IDS)
- Hogwash [http://hogwash.sourceforge.net/], combination of IDS and firewall
- Honeyd [http://www.honeyd.org/], honeypot
- LaBrea [http://labrea.sourceforge.net/labrea-info.html], honeypot and IDS
Slide 28: Literature
- [1] http://en.wikipedia.org/wiki/Intrusion_detection_system
- [2] http://de.wikipedia.org/wiki/Intrusion_Detection_System
- [3] http://en.wikipedia.org/wiki/Honeypot_%28computing%29
- [4] Einbruchserkennung in Netzwerke, http://www.net-tex.de/net/ids.html
- [5] Bundesamt für Sicherheit in der Informationstechnik, Intrusion-Detection Grundlagen, http://www.bsi.de/literat/studien/ids02/dokumente/Grundlagenv10.pdf
- [6] The Internet Engineering Task Force (IETF), Intrusion Detection Message Exchange Format (IDMEF), http://www3.ietf.org/proceedings/01mar/I-D/idwg-idmef-xml-03.txt
Slide 29: Questions
- Explain the three kinds of IDS. What are their advantages and disadvantages?
  - Slides 8-12
- Which analysis methods in IDS do you know? How can these methods be attacked?
  - Slides 14-16