An Introduction To Gateway Intrusion Detection Systems: Hogwash GIDS
Jed Haile, Nitro Data Systems

What Is a Gateway IDS?
Gateway Intrusion Detection System
– A network intrusion detection system which acts as a network gateway
– Designed to stop malicious traffic and generate alerts on suspicious traffic
– An "ideal" gateway IDS is able to stop all known exploits
© Jed Haile, Nitro Data Systems 2002

GIDS vs NIDS
GIDS
– Acts as network gateway
– Stops suspect packets
– Prevents successful intrusions
– False positives are VERY bad
NIDS
– Only observes network traffic
– Logs suspect packets and generates alerts
– Cannot stop an intruder
– False positives are not as big of an issue

About Hogwash
– Based on the Snort intrusion detection system
– Operation is similar to some bridging firewalls
– Uses snort rules with some additional keywords to make forward/drop decisions
– Compatible with most snort plugins
– Freely available under the GPL

Basic Theory of Operation
Much like a bridging firewall, Hogwash makes forward/drop decisions…
– This packet is always good, so pass it into my network.
– This packet is always bad, so drop it and tell me about it.
– This packet is sometimes bad, so tell me about it, but don't drop it.

Typical Hogwash Installation

New Hogwash Keywords
drop - Drops a packet, sends an rst, logs the packet
ignore - Drops a packet without sending an rst
sdrop - Drops a packet, sends an rst, does not log the packet

Multipacket Signature Matching
– Hogwash cannot do traditional stream reassembly
– Instead, Hogwash can watch for partial content matches at the end of a packet
– If there is a partial match, Hogwash goes ahead and forwards the packet and caches a copy
– When the next packet comes, Hogwash reassembles the two packets and runs the result back through the detection engine; if it matches, the second packet is dropped
– Works for out-of-order packets also
– Enabled by using the "multi" keyword in a rule
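As an added illustration (not Hogwash's own code), the following Python models the cache-and-reassemble logic behind the "multi" keyword for one content signature. The per-flow key and the head-of-packet check that handles out-of-order delivery are assumptions of this example.

```python
class MultiPacketMatcher:
    """Added example (not Hogwash code) of the "multi" keyword's logic.

    A packet containing the whole signature is dropped. A packet whose tail is
    a partial match (a proper prefix of the signature), or whose head is the
    remainder of one (a proper suffix), is forwarded but cached per flow; the
    next packet on that flow is joined to the cached copy in both orders and
    re-run through the matcher, so out-of-order delivery is still caught.
    """

    def __init__(self, signature: bytes):
        self.sig = signature
        self.cache = {}  # flow key -> cached payload (one packet per flow)

    def _partial(self, payload: bytes) -> bool:
        # True if the packet could hold the start or the end of the signature
        for n in range(1, len(self.sig)):
            if payload.endswith(self.sig[:n]) or payload.startswith(self.sig[-n:]):
                return True
        return False

    def inspect(self, flow, payload: bytes) -> str:
        """Return 'drop' or 'forward' for one packet on the given flow."""
        if self.sig in payload:
            return "drop"
        cached = self.cache.pop(flow, None)
        if cached is not None and (self.sig in cached + payload
                                   or self.sig in payload + cached):
            return "drop"  # second half of a split signature: drop this packet
        if self._partial(payload):
            self.cache[flow] = payload  # forward, but keep a copy for the next packet
        return "forward"
```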

Defeating Portscans
Hogwash uses state counting to detect portscans
– Each time a new session (tcp, udp, icmp) is initiated in your network, Hogwash notes it
– All sessions are tracked from a host until it is idle for some period of time, 60 seconds by default
– If a host hits more than 20 unique ports or 5 unique targets, it is determined to be portscanning. These thresholds are user configurable.
– Hogwash will then drop all of that portscanner's packets
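An added example, not Hogwash's code, that implements the state counting just described in Python with the slide's defaults (60-second idle timeout, more than 20 unique ports or more than 5 unique targets flags a scanner). Counting an icmp session as a (proto, None) port entry and resetting a host's counts only when it goes idle are assumptions of the example.

```python
class PortscanTracker:
    """Added example (not Hogwash code) of state counting for portscans.

    Every new session a source opens into the network is noted. A source's
    state is discarded once it has been idle longer than idle_timeout. If a
    source exceeds max_ports unique ports or max_targets unique hosts, it is
    flagged as a scanner and every later packet from it is dropped.
    """

    def __init__(self, max_ports=20, max_targets=5, idle_timeout=60.0):
        self.max_ports = max_ports
        self.max_targets = max_targets
        self.idle_timeout = idle_timeout
        self.state = {}      # src -> {"last": ts, "ports": set(), "targets": set()}
        self.scanners = set()

    def should_drop(self, src) -> bool:
        """Any packet, not only a session start, from a flagged host is dropped."""
        return src in self.scanners

    def new_session(self, ts, src, dst, proto, dport=None) -> str:
        """Record a new tcp/udp/icmp session; return 'drop' or 'forward'."""
        if self.should_drop(src):
            return "drop"
        st = self.state.get(src)
        if st is None or ts - st["last"] > self.idle_timeout:
            st = {"last": ts, "ports": set(), "targets": set()}  # (re)start counting
            self.state[src] = st
        st["last"] = ts
        # icmp has no port: it is counted as a single (proto, None) entry (assumption)
        st["ports"].add((proto, dport))
        st["targets"].add(dst)
        if len(st["ports"]) > self.max_ports or len(st["targets"]) > self.max_targets:
            self.scanners.add(src)
            return "drop"
        return "forward"
```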

Content Replacement
Hogwash can replace content in a packet
– The "replace" keyword tells Hogwash to replace a detected string with another string.
– Example: alert tcp any any -> $IIS_SERVERS 80 (content:"cmd.exe"; replace:"yyy.yyy";)
– Any content in the packet payload can be replaced.
– A great way to break an exploit without dropping the packet!!

Stealth
Stackless Operation
– Hogwash does not require an IP stack to be loaded on its network interfaces
– Hogwash can invisibly forward traffic: no decreased TTLs, etc.

Stackless Control Protocol
– Hogwash can be remotely controlled, even when running in stackless mode
– To send a command, simply send a control packet so that it will pass through the Hogwash box
– Packets can be any combination of TCP, UDP, ICMP
– The stackless control protocol uses Twofish or AES cryptography and a custom protocol to ensure security

Stackless Control Protocol Theory
Each packet that passes through Hogwash is checked for a "magic token" in the payload. If the token is found, then Hogwash will attempt to decrypt the payload following the magic token. If the token is found again immediately following the first magic token, then Hogwash knows it has found a control packet and processes the command.

Stackless Control Protocol Commands
hping - ping the Hogwash box to see if it is alive
hstat - get statistics from the Hogwash box
hbuff - retrieve either the RULES, ALERT, or LOG file
hfilesync - store the retrieved file in a file; can be used to feed standard snort toys
hsetbuf - transfer a file to the Hogwash box
hsetrules - transfer a new rules file to the Hogwash box and restart Hogwash

Sample Hogwash Rules
To drop incoming port 80 connections:
drop tcp any any -> $HOMENET 80 (msg:"Port 80 tcp";)
To drop cmd.exe calls to your webservers:
drop tcp any any -> $HOMENET 80 (msg:"cmd.exe attempt"; content:"cmd.exe";)
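To tie the keyword, content replacement and sample rule slides together, here is an added Python rule matcher (not Hogwash's parser) that reads rules in the form shown above and returns a forward/drop verdict for one packet. It assumes the first matching rule wins, resolves $HOMENET-style variables from a dict of CIDR lists, and rejects a replace string whose length differs from the content it replaces, since changing the payload length would desynchronise TCP sequence numbers.

```python
import ipaddress
import re

OPT_RE = re.compile(r'(\w+)\s*:\s*"([^"]*)"')
# action -> (send rst, log packet) per the keyword slide; "ignore" assumed to log
ACTIONS = {"drop": (True, True), "ignore": (False, True), "sdrop": (True, False)}

def parse_rule(text):
    """Parse 'action proto src sport -> dst dport (opt:"v"; ...)' into a dict."""
    header, _, opts = text.partition("(")
    action, proto, src, sport, _arrow, dst, dport = header.split()
    options = dict(OPT_RE.findall(opts))
    if "replace" in options and len(options["replace"]) != len(options.get("content", "")):
        # a rewritten payload must keep its length or TCP sequence numbers break
        raise ValueError("replace string must be the same length as content")
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "opts": options}

def _addr_match(spec, addr, variables):
    nets = variables.get(spec, [spec]) if spec.startswith("$") else [spec]
    return spec == "any" or any(
        ipaddress.ip_address(addr) in ipaddress.ip_network(n) for n in nets)

def _port_match(spec, port):
    return spec == "any" or int(spec) == port

def apply_rules(rules, pkt, variables):
    """First matching rule decides; returns the verdict for one packet."""
    payload = pkt["payload"]
    for r in rules:
        if r["proto"] != pkt["proto"]:
            continue
        if not (_addr_match(r["src"], pkt["src"], variables)
                and _addr_match(r["dst"], pkt["dst"], variables)):
            continue
        if not (_port_match(r["sport"], pkt["sport"])
                and _port_match(r["dport"], pkt["dport"])):
            continue
        content = r["opts"].get("content", "").encode()
        if content and content not in payload:
            continue
        msg = r["opts"].get("msg", "")
        if r["action"] in ACTIONS:
            rst, log = ACTIONS[r["action"]]
            return {"verdict": "drop", "rst": rst, "log": msg if log else None, "payload": payload}
        if "replace" in r["opts"]:  # alert + replace: forward a defanged payload
            payload = payload.replace(content, r["opts"]["replace"].encode())
        return {"verdict": "forward", "rst": False, "log": msg, "payload": payload}
    return {"verdict": "forward", "rst": False, "log": None, "payload": payload}
```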

Running Hogwash
hogwash -c <config file> -i <interface> -e <interface> -l <log directory> -n
% hogwash -i eth0 -e eth1 -c hogwash.conf -l /var/log/hogwash

References
Securing an Unpatchable Web Server, Jed Haile and Jason Larsen