IPS Lecture

Network Intrusion Detection Systems
MM Clements, A Adekunle

Transcript of IPS Lecture (25 pages)

Page 1: IPS Lecture

8/11/2019 IPS Lecture

http://slidepdf.com/reader/full/ips-lecture

Network Intrusion Detection Systems
MM Clements
A Adekunle

Page 2: IPS Lecture

Lecture Overview

• Taxonomy of intrusion detection systems
• Promiscuous & inline mode protection: IDS, IPS
• IDS and IPS deployment considerations & example
• Cisco IDS family
• Snort
• IDS/IPS vulnerabilities
• How to protect IDS?
• Unified Threat Management (UTM)
• Summary

Engineering and Management of Secure Computer Networks

Page 3: IPS Lecture

Intrusion Detection

• Detection of, and protection from, attacks against networks
• Three types of network attacks:
  – Reconnaissance
  – Access
  – Denial of service

Page 4: IPS Lecture

Intrusion detection system (IDS)

• An intrusion detection system (IDS) is software or hardware designed to monitor, analyze and respond to events occurring in a computer system or network for signs of possible incidents of violation of security policies.
  – These incidents of violation can be unwanted attempts to access, manipulate or disable computer systems, mainly via a network such as the Internet.


Page 6: IPS Lecture

Classification of Intrusion Detection

• Signature based intrusion detection
  – Also known as misuse detection
  – A signature based IDS will monitor packets on the network and compare them against a database of signatures or attributes from known malicious threats.
  – Similar to the way most antivirus software detects malware.
  – Examples: Cisco Sensors 4200 series, Snort
  – Less prone to false positives
  – Unable to detect zero-day threats whose signatures are not available

Page 7: IPS Lecture

Signature based intrusion detection

• Signatures – a set of patterns pertaining to typical intrusion activity that, when matched, generate an alarm
• Signature types
  – Atomic – trigger contained in a single packet
    • Example: looking for the pattern "/etc/passwd" in the traffic
  – Composite – trigger contained in a series of multiple packets
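The atomic/composite distinction above is easiest to see in code. The following is an added example (not code from the lecture or from any IDS product): an atomic signature fires on one packet carrying the slide's "/etc/passwd" pattern, while a composite signature must see three ordered steps from the same source before it fires, so the sensor has to keep per-source state. The packet stream, the addresses and the "anonymous FTP" step sequence are constructed for the example.

```python
"""Atomic vs composite signature matching over a constructed packet stream.
Added example: not code from the lecture or from any IDS product."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class AtomicSignature:
    """Trigger contained in a single packet: fires as soon as one packet carries the pattern."""
    name: str
    pattern: bytes

    def match(self, pkt: Packet) -> bool:
        return self.pattern in pkt.payload


@dataclass
class CompositeSignature:
    """Trigger spread over a series of packets: fires only once every step has been seen,
    in order, from the same source. State is kept per source address, which is the
    memory cost a composite signature carries and an atomic one does not."""
    name: str
    steps: List[bytes]
    _progress: Dict[str, int] = field(default_factory=dict)

    def match(self, pkt: Packet) -> bool:
        idx = self._progress.get(pkt.src, 0)
        if self.steps[idx] in pkt.payload:
            idx += 1
            if idx == len(self.steps):
                self._progress.pop(pkt.src, None)  # reset so the same source can fire again
                return True
            self._progress[pkt.src] = idx
        return False


def run_sensor(packets, atomic, composite) -> List[Tuple[str, str]]:
    """Return (signature name, source address) alarms in the order they were raised."""
    alarms = []
    for pkt in packets:
        for sig in list(atomic) + list(composite):
            if sig.match(pkt):
                alarms.append((sig.name, pkt.src))
    return alarms


# Constructed sample traffic (addresses from the documentation ranges, hypothetical hosts)
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", "192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("10.0.0.7", "192.0.2.10", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Packet("10.0.0.9", "192.0.2.21", 21, b"USER anonymous\r\n"),
    Packet("10.0.0.5", "192.0.2.21", 21, b"USER alice\r\n"),
    Packet("10.0.0.9", "192.0.2.21", 21, b"CWD /etc\r\n"),
    Packet("10.0.0.9", "192.0.2.21", 21, b"RETR passwd\r\n"),
]


def demo() -> List[Tuple[str, str]]:
    """Build fresh signatures on each call, because composite signatures carry per-source state."""
    atomic = [AtomicSignature("etc-passwd-in-traffic", b"/etc/passwd")]
    composite = [CompositeSignature("anonymous-ftp-passwd-fetch",
                                    [b"USER anonymous", b"CWD /etc", b"RETR passwd"])]
    return run_sensor(SAMPLE_TRAFFIC, atomic, composite)


if __name__ == "__main__":
    for name, src in demo():
        print(f"ALARM {name} from {src}")
```

Note that the interleaved "USER alice" packet from a different source does not disturb the composite match for 10.0.0.9, and that a real sensor would also have to expire stale per-source state, otherwise the state table itself becomes a resource-exhaustion target.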

Page 8: IPS Lecture

Types of Intrusion Detection Systems

• Host based intrusion detection systems
  – Software (agents) installed on computers to monitor input and output packets from the device
  – Performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response
  – Examples: Cisco Security Agent (CSA), OSSEC, Tripwire

Page 9: IPS Lecture

Host-Based Intrusion Detection

[Figure: a firewall separates the untrusted network from the corporate network; agents run on the internal hosts and on the DNS and WWW servers.]

Page 10: IPS Lecture

Types of Intrusion Detection Systems

• Network-based intrusion detection systems
  – Connected to network segments to monitor, analyze and respond to network traffic.
  – A single IDS sensor can monitor many hosts.
  – NIDS sensors are available in two formats:
    • Appliance: consists of a specialized hardware sensor and its dedicated software. The hardware consists of specialized NICs, processors and hard disks to efficiently capture traffic and perform analysis.
      – Examples: Cisco IDS 4200 series, IBM RealSecure Network
    • Software: sensor software installed on a server and placed in the network to monitor network traffic.
      – Examples: Snort, Bro, Untangle

Page 11: IPS Lecture

Network-Based Intrusion Detection

[Figure: sensors attached to network segments (the corporate network and the segment hosting the DNS and WWW servers) report to a management system; a firewall separates the untrusted network.]


Page 14: IPS Lecture

Inline-Mode Protection: IPS

[Figure: the sensor sits in the path between the untrusted side and the target, with a management system attached.]

The sensor resides in the data forwarding path. If a packet triggers a signature, it can be dropped before it reaches its target. An alert can be sent to the management console.

Page 15: IPS Lecture

IDS and IPS Deployment Considerations

– Deploy an IDS sensor in areas where you cannot deploy an inline device or where you do not plan to use deny actions.
– Deploy an IPS sensor in those areas where you need and plan to use deny actions.

Page 16: IPS Lecture

IDS and IPS Deployment Comparison

[Figure: one sensor on the Internet side of the firewall and one on the inside, with an attacker on the Internet.]

Sensor on outside:
• Sees all traffic destined for your network
• Has a high probability of raising false alarms (false positives)
• Does not detect internal attacks

Sensor on inside:
• Sees only traffic permitted by the firewall
• Has a lower probability of false alarms (false positives)
• Requires immediate response to alarms
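The three preceding slides (inline versus promiscuous mode, when to use deny actions, and sensor placement outside versus inside the firewall) can be tried together in a small simulation. This is an added example for this transcript, not code from the lecture or from any vendor: a firewall policy, a two-pattern signature set, a promiscuous sensor that only alerts and an inline sensor that drops are run over a constructed seven-packet stream. Each packet carries a constructed ground-truth flag so the output can count alarms raised on traffic the firewall would have blocked anyway, legitimate packets an inline deny action would drop, and malicious packets that still reach the target. All addresses, the `ALLOWED` policy and the function names are the example's own.

```python
"""Sensor placement and mode simulation (added example; constructed traffic)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes
    malicious: bool  # constructed ground truth, used only for scoring


# Firewall policy (constructed): only web to 192.0.2.10 and DNS to 192.0.2.53 are permitted
ALLOWED = {("192.0.2.10", 80), ("192.0.2.53", 53)}


def firewall_permits(pkt: Packet) -> bool:
    return (pkt.dst, pkt.dport) in ALLOWED


# Two atomic signatures, deliberately simple so that one benign packet triggers a false positive
SIGNATURES = [b"/etc/passwd", b"cmd.exe"]


def triggers(pkt: Packet) -> bool:
    return any(s in pkt.payload for s in SIGNATURES)


def promiscuous_sensor(stream: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """IDS: works on a copy of the traffic, so it can alert but never drop."""
    return [p for p in stream if triggers(p)], list(stream)


def inline_sensor(stream: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """IPS: sits in the forwarding path; a triggered packet is dropped (deny action) and alerted."""
    alerts, forwarded = [], []
    for p in stream:
        (alerts if triggers(p) else forwarded).append(p)
    return alerts, forwarded


def deploy(stream: List[Packet], placement: str, mode: str) -> Dict[str, int]:
    """Run one sensor 'outside' or 'inside' the firewall, in 'promiscuous' or 'inline' mode."""
    permitted = [p for p in stream if firewall_permits(p)]
    seen = list(stream) if placement == "outside" else permitted
    sensor = inline_sensor if mode == "inline" else promiscuous_sensor
    alerts, forwarded = sensor(seen)
    # Traffic forwarded by an outside sensor still has to pass the firewall to reach a target
    reached = [p for p in forwarded if firewall_permits(p)] if placement == "outside" else forwarded
    dropped = [p for p in seen if p not in forwarded]
    return {
        "alerts": len(alerts),
        "alerts_on_firewall_blocked": sum(1 for p in alerts if not firewall_permits(p)),
        "benign_dropped": sum(1 for p in dropped if not p.malicious),
        "malicious_reaching_target": sum(1 for p in reached if p.malicious),
    }


# Constructed traffic: external sources (203.0.113.0/24) towards a DMZ (192.0.2.0/24)
TRAFFIC = [
    Packet("203.0.113.5", "192.0.2.10", 80, b"GET /index.html HTTP/1.1", False),
    Packet("203.0.113.7", "192.0.2.10", 80, b"GET /../../etc/passwd HTTP/1.1", True),
    Packet("203.0.113.8", "192.0.2.10", 80, b"POST /blog article on the /etc/passwd file format", False),
    Packet("203.0.113.9", "192.0.2.53", 53, b"query www.example", False),
    Packet("203.0.113.7", "192.0.2.10", 23, b"cat /etc/passwd", True),
    Packet("203.0.113.7", "192.0.2.10", 445, b"\\windows\\system32\\cmd.exe", True),
    Packet("203.0.113.5", "192.0.2.10", 22, b"SSH-2.0-client", False),
]


if __name__ == "__main__":
    for placement in ("outside", "inside"):
        for mode in ("promiscuous", "inline"):
            print(placement, mode, deploy(TRAFFIC, placement, mode))
```

The numbers reproduce the slide's claims: the outside sensor raises alarms on packets the firewall discards anyway, the inside sensor sees only permitted traffic and raises fewer, and only the inline sensor stops the malicious request, at the price of also dropping the benign blog post that happened to contain the signature string. That last row is why the deployment slide ties deny actions to confidence in the signatures and to an immediate response process.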

Page 17: IPS Lecture

Network based IDS and IPS Deployment

[Figure: components shown are the untrusted network, a router, a firewall, an IPS sensor, switches, the corporate network with a management server, and a DMZ holding the DNS and WWW servers with an IDS sensor attached to the DMZ switch.]

Page 18: IPS Lecture

IDS and IPS deployment example in an Enterprise Network

[Figure: components shown are a branch site with a router, firewall and NM-CIDS sensor module; the corporate network with a management server and a sensor; the untrusted network; a DMZ holding the DNS and WWW servers with a sensor; and agents on hosts.]

Page 19: IPS Lecture

Cisco IDS Family

[Chart: performance (Mbps) plotted against network media for the Cisco IDS family. Models shown: IDSM-2, IDS 4255, IPS 4240, IPS 4215, NM-CIDS, AIP-SSM. Performance values shown: 45, 600, 80, 250, 200 Mbps. Media shown: 10/100 TX, 10/100/1000 TX, 1000 SX, switched 1000. The mapping of values and media to individual models is not recoverable from the extracted text.]


Page 21: IPS Lecture

Snort Modes

• Sniffer mode
  – Used to sniff traffic from the network
  – Traffic will be captured using libpcap or WinPcap
  – Traffic will be captured directly from the sensor
• Logger mode
  – Simple logging into a file. Two possible formats are binary and ASCII.
  – Logging into a database (e.g. MySQL)
  – Can be used for creating the normal traffic profile
• Intrusion detection / prevention mode
  – The rules will be used in this mode of Snort to detect unwanted activity
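In the detection/prevention mode just listed, Snort's behaviour is defined by its rules. To make the rule format concrete, here is an added example for this transcript (it is not Snort's code and implements only a small subset of Snort 2 rule syntax): a parser for the `action proto src sport -> dst dport (options)` header with the `msg`, `content`, `nocase` and `sid` options, plus a matcher that applies the rules to constructed packets. The three rules, the `$HOME_NET`/`$EXTERNAL_NET` values (Snort's default `EXTERNAL_NET` is `!$HOME_NET`, which this subset does not handle) and all packets are constructed; `rev` and any other option are parsed and ignored.

```python
"""Parser and matcher for a small subset of Snort 2 rule syntax (added example, not Snort's code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# action proto src sport -> dst dport ( options )
HEADER = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')
# name[:value]; where value may be a double-quoted string or a bare token
OPTION = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]+))?\s*;')


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str
    contents: List[bytes]
    nocase: bool
    sid: int


def parse_rule(text: str, variables: Dict[str, str]) -> Rule:
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {text!r}")
    action, proto, src, sport, dst, dport, opts = m.groups()
    resolve = lambda v: variables[v] if v.startswith("$") else v  # unknown variable -> KeyError
    msg, contents, nocase, sid = "", [], False, 0
    for name, value in OPTION.findall(opts):
        value = value.strip().strip('"')
        if name == "msg":
            msg = value
        elif name == "content":
            contents.append(value.encode())
        elif name == "nocase":
            nocase = True
        elif name == "sid":
            sid = int(value)
        # other options (rev, classtype, ...) are ignored in this subset
    return Rule(action, proto, resolve(src), sport, resolve(dst), dport, msg, contents, nocase, sid)


def _addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_ok(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (_addr_ok(rule.src, pkt.src) and _port_ok(rule.sport, pkt.sport)
            and _addr_ok(rule.dst, pkt.dst) and _port_ok(rule.dport, pkt.dport)):
        return False
    hay = pkt.payload.lower() if rule.nocase else pkt.payload
    # every content option must be present; here nocase applies to all of them for simplicity
    return all((c.lower() if rule.nocase else c) in hay for c in rule.contents)


def run_rules(rules: List[Rule], packets: List[Packet]) -> List[Tuple[str, int, str]]:
    return [(r.action, r.sid, r.msg) for p in packets for r in rules if rule_matches(r, p)]


VARIABLES = {"$HOME_NET": "192.0.2.0/24", "$EXTERNAL_NET": "203.0.113.0/24"}  # constructed

RULES_TEXT = '''
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC /etc/passwd access"; content:"/etc/passwd"; nocase; sid:1000001; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP passwd retrieval"; content:"RETR"; content:"passwd"; sid:1000002; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP to protected host"; sid:1000003; rev:1;)
'''


def load_rules(text: str = RULES_TEXT, variables: Dict[str, str] = VARIABLES) -> List[Rule]:
    return [parse_rule(line, variables)
            for line in text.splitlines() if line.strip() and not line.startswith("#")]


PACKETS = [  # constructed
    Packet("tcp", "203.0.113.7", 40001, "192.0.2.10", 80, b"GET /../../ETC/PASSWD HTTP/1.1\r\n"),
    Packet("tcp", "203.0.113.7", 40002, "192.0.2.21", 21, b"RETR passwd\r\n"),
    Packet("tcp", "192.0.2.5", 40003, "192.0.2.10", 80, b"GET /etc/passwd HTTP/1.1\r\n"),
    Packet("icmp", "198.51.100.3", 0, "192.0.2.10", 0, b""),
    Packet("tcp", "203.0.113.9", 40004, "192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\n"),
]


def demo() -> List[Tuple[str, int, str]]:
    return run_rules(load_rules(), PACKETS)


if __name__ == "__main__":
    for action, sid, msg in demo():
        print(action, sid, msg)
```

Two details worth noticing: the third packet carries the "/etc/passwd" string but comes from an internal source, so the `$EXTERNAL_NET` constraint keeps the first rule quiet, and the `drop` action only has an effect when Snort runs inline, which ties back to the deployment slides.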

Page 22: IPS Lecture

IDS/IPS Vulnerabilities

• Cisco IPS packet handling DoS
  – In July 2006, a DoS vulnerability was discovered on Cisco IPS 4200 series models which were running version 5.1 software.
• Snort rule matching backtrack DoS
  – Snort versions 1.8 through 2.6 had a DoS vulnerability, found on January 11, 2007, which can exploit Snort's rule matching algorithm by using a crafted packet. This could cause the algorithm to slow down to the point where detection may become unavailable. Snort was quick to release version 2.6.1 which corrected this issue.

Page 23: IPS Lecture

How to protect IDS?

• Don't run any service on your IDS sensor.
• The platform on which you are running the IDS should be patched with the latest releases from your vendor.
• Configure the IDS machine so that it does not respond to ping (ICMP echo-type) packets.
• User accounts should not be created except those that are absolutely necessary.
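Three of the four hardening points above can be checked mechanically on a Linux sensor host. The block below is an added example for this transcript (not from the lecture or any vendor): it audits listening services from `ss -Hltn`-style output, login-capable accounts from `/etc/passwd`, and the `net.ipv4.icmp_echo_ignore_all` sysctl. All three inputs are constructed strings so the example runs offline; on a real host they would come from the corresponding commands and files. The patch-level check is left out because it depends on the vendor and distribution.

```python
"""Hardening audit for an IDS sensor host (added example; all inputs constructed)."""
from typing import Dict, List, Set

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def interactive_accounts(passwd_text: str, expected: Set[str]) -> List[str]:
    """Accounts with a login shell that are not in the expected set (passwd(5) format)."""
    unexpected = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue
        name, shell = fields[0], fields[6]
        if shell not in NOLOGIN_SHELLS and name not in expected:
            unexpected.append(name)
    return unexpected


def listening_services(ss_text: str, allowed_ports: Set[int]) -> List[str]:
    """Listening sockets on ports not in allowed_ports, from `ss -Hltn` style lines:
    State Recv-Q Send-Q Local-Address:Port Peer-Address:Port"""
    flagged = []
    for line in ss_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        local = parts[3]
        port = int(local.rsplit(":", 1)[1])  # works for 0.0.0.0:22 and [::]:22
        if port not in allowed_ports:
            flagged.append(local)
    return flagged


def icmp_echo_ignored(sysctl_text: str) -> bool:
    """True when net.ipv4.icmp_echo_ignore_all = 1 appears in `sysctl -a` style output."""
    for line in sysctl_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "net.ipv4.icmp_echo_ignore_all":
            return value.strip() == "1"
    return False


def audit(passwd_text: str, ss_text: str, sysctl_text: str,
          expected_accounts: Set[str], allowed_ports: Set[int]) -> Dict[str, object]:
    return {
        "unexpected_accounts": interactive_accounts(passwd_text, expected_accounts),
        "unexpected_listeners": listening_services(ss_text, allowed_ports),
        "ping_ignored": icmp_echo_ignored(sysctl_text),
    }


# Constructed inputs standing in for /etc/passwd, `ss -Hltn` and `sysctl -a` on a sensor host
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
snort:x:999:999::/var/log/snort:/usr/sbin/nologin
admin:x:1000:1000::/home/admin:/bin/bash
guest:x:1001:1001::/home/guest:/bin/bash
"""
SAMPLE_SS = """LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 [::]:22 [::]:*
"""
SAMPLE_SYSCTL = """net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.ip_forward = 0
"""


def demo() -> Dict[str, object]:
    # Only the management account and root may log in; only SSH management may listen
    return audit(SAMPLE_PASSWD, SAMPLE_SS, SAMPLE_SYSCTL, {"root", "admin"}, {22})


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

On the constructed host the audit flags the `guest` account, the web server listening on port 80, and the fact that echo requests are still answered; the fix for the last item is `net.ipv4.icmp_echo_ignore_all = 1` in sysctl configuration.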
