Outline Securing your system before the IDS and some tools to help you What is an IDS, 2 types How can an IDS help you and your company
First thing’s first! Do yourself a favor Passwords, housekeeping Vulnerability scanners (Saint scanning engine) Port scanners (Nmap)
Passwords Minimum length Both numbers and letters Lifespan All accounts must have a password! Maintaining good security practices
Housekeeping Unauthorized accounts Lifespan of accounts Permissions, users AND groups
Vulnerability Scanners “a computer program designed to search an application, computer or network for weaknesses.” - wikipedia
Saint Scanning Engine The Four Steps of a SAINT Scan Step 1: screens every live system on a network for TCP/UDP services. Step 2: For each service it finds running, it launches a set of probes designed to detect anything that could allow an attacker to gain unauthorized access, create a denial-of-service, or gain sensitive information about the network.
Step 3 – The scanner checks for vulnerabilities. Step 4 – When vulnerabilities are detected, the results are categorized in several ways, allowing customers to target the data they find most useful. The scanner can provide links to patches or new software versions that will eliminate the detected vulnerabilities!
Port Scanners Although an open port can be a vulnerability, I will break these programs up because they do work differently. “a piece of software designed to search a network host for open ports. This is often used by administrators to check the security of their networks and by crackers to compromise it.“ - wikipedia
Nmap All available hosts on the network What services (application name and version) those hosts are offering What operating systems (and OS versions) they are running What type of packet filters/firewalls are in use and more
Now what? Ready to implement your IDS Host based (Tripwire, Log Surfer, MOM, Sebek) simpler, monitors host activity Network based (Dragon, Manhunt, Snort) More involved, monitors network and it’s traffic
Snort “Snort is an open source network intrusion prevention and detection system utilizing a rule-driven language, which combines the benefits of signature, protocol and anomaly based inspection methods. With millions of downloads to date, Snort is the most widely deployed intrusion detection and prevention technology worldwide and has become the de facto standard for the industry.”
Symantec ManHunt “28 January, 2004 -- Symantec Corp. (NASDAQ: SYMC), the world leader in Internet security, today announced that Symantec ManHunt is the first intrusion protection solution to be awarded Common Criteria Evaluation Assurance Level 3 (EAL3) certification. This prestigious certification assures customers that Symantec ManHunt, which was evaluated by Computer Sciences Corporation of Annapolis Junction, MD and validated by the National Information Assurance Partnership (NIAP), has gone through a long and rigorous testing process and conforms to standards sanctioned by the International Standards Organization.”
IDS Methods Signature Analysis Statistical Anomaly/Protocol Analysis Similar to antivirus software Tries to match data traffic Statistical Anomaly/Protocol Analysis Catches what signature misses Compares traffic to baseline Clipping level
References www.tripwire.com www.insecure.org/nmap www.saintcorporation.com http://en.wikipedia.org/wiki/Main_Page www.networkintrusion.co.uk www.snort.org