IDS/IPS: Intrusion Detection System / Intrusion Prevention System
Definitions (NIST) Intrusions are attempts to compromise the confidentiality, integrity, availability, or to bypass the security mechanisms of a computer or network. Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices. Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents.
Definitions (NIST) Intrusion detection systems (IDSs) are software or hardware systems that automate the process of monitoring the events occurring in a computer system or network, analyzing them for signs of security problems. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators.
Definitions (SANS)
Event: an observable occurrence in an information system that actually happened at some point in time. Examples: an email, a phone call, a system crash, a request for a virus scan.
Incident: an adverse event in an information system; implies harm or the attempt to harm. From the CERT guidelines, an incident is a violation of a security policy, an attempt to gain unauthorized access, an unwanted denial of resources, unauthorized use, or changes made without the owner's knowledge, instruction or consent.
Why is an IDS necessary? Blocking known bad things from outside is not enough; suspicious things inside must also be detected.
A firewall is constantly being probed for vulnerabilities from all over the world. Often a new vulnerability is disclosed, usually with the exploit immediately behind it. No one can find and control all the vulnerabilities in a complex system.
Why should I use an IDS? (NIST)
1. To prevent problem behaviors by increasing the perceived risk of discovery and punishment for those who would attack or otherwise abuse the system.
2. To detect attacks and other security violations that are not prevented by other security measures, because of: legacy systems that cannot be patched; in big systems, administrators have neither the time nor the resources; compelling operational requirements for vulnerable network services and protocols; user and administrator errors in configuring and using a system; our reliance on commercial software in which new flaws and vulnerabilities are discovered daily. An IDS can detect when an attacker has penetrated a system by exploiting an uncorrected or uncorrectable flaw.
3. To detect and deal with the preambles to attacks (commonly experienced as network probes and other "doorknob rattling" activities).
4. To document the existing threat to an organization.
5. To act as quality control for security design and administration, especially of large and complex enterprises.
6. To provide useful information about intrusions that do take place, allowing improved diagnosis, recovery, and correction of causative factors.
Intrusion Detection Systems (IDS)
If all the protections fail, we are left with detecting when something undesired occurs: a process to detect abnormal, inappropriate or incorrect activities. The vast majority of attacks are perpetrated from the inside.
What an IDS does: monitors user and system activities; audits system configuration; recognizes known attack patterns; identifies abnormal activity (statistical analysis); registers information about intruders.
Problems
False positive (false alarm): an alarm is produced when no attack happened.
False negative: no alarm is raised when an attack happened.
Characteristics of a good IDS: continuous operation and in real time; fault tolerance of the monitored system; fault tolerance of itself; minimum overhead; configurability; flexibility; reliability; minimal false positives; NO false negatives.
Types of IDS technologies
Network-Based: monitors network traffic for particular network segments or devices and analyzes the network and application protocol activity to identify suspicious activity (placed at boundaries between networks, firewalls/routers).
Wireless: monitors wireless network traffic and analyzes it to identify suspicious activity involving the wireless networking protocols themselves, not higher-layer protocols.
Network Behavior Analysis (NBA): examines network traffic to identify threats that generate unusual traffic flows, such as denial of service (DoS) attacks, certain forms of malware, and policy violations (e.g., a client system providing network services to other systems). Typically watches traffic between the internal network and external networks (Internet, partners).
Host-Based: monitors the characteristics of a single host and the events occurring within that host for suspicious activity: network traffic, system logs, running processes, application activity, file access and modification.
Common Detection Methodologies
Signature-Based
Signature = pattern of a known threat. Signatures are compared against observed events to identify possible incidents. Examples: a Telnet (or SSH) login with username "root" (against policy); an email with the subject "Free pictures!" and an attachment named "freepics.exe".
Effective against KNOWN threats, but almost completely useless against UNKNOWN threats, and against some variants of known threats. It is the simplest method but very limited: it is basically stateless, so it does not correlate multiple events when no single event is by itself a clear indication of an attack.
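The following is an added illustration, not the lecture's code and not Snort's engine: a tiny stateless signature matcher run over constructed events that mirror the two slide examples (Telnet login as root, the "Free pictures!" mail). Each event is judged on its own, so a trivially altered variant slips through (a false negative, as described on the Problems slide), while a legitimate administrator's root login trips the rule (a false positive). The `evaluate` helper tallies those outcomes against constructed ground-truth labels; all signature ids, field names and events are assumptions made for the example.

```python
"""Stateless signature-based detection, with a false-positive / false-negative tally.
Added example: signatures, field names and events are all constructed here."""
import re
from dataclasses import dataclass


@dataclass
class Signature:
    sid: int
    msg: str
    patterns: dict  # field name -> compiled regex; every pattern must match one event


# Constructed signatures mirroring the two examples on the slide.
SIGNATURES = [
    Signature(1000001, "telnet login as root (policy violation)",
              {"proto": re.compile(r"^telnet$"), "user": re.compile(r"^root$")}),
    Signature(1000002, "known malicious mail: 'Free pictures!' with freepics.exe",
              {"proto": re.compile(r"^smtp$"),
               "subject": re.compile(r"^Free pictures!$"),
               "attachment": re.compile(r"^freepics\.exe$", re.IGNORECASE)}),
]


def match_event(event: dict, sig: Signature) -> bool:
    """A signature fires only if every field pattern matches this one event.
    Nothing from earlier events is consulted: the method is stateless."""
    return all(fld in event and pat.search(str(event[fld]))
               for fld, pat in sig.patterns.items())


def detect(events):
    """Return the alerts raised, as (event id, signature id) pairs."""
    return [(ev["id"], sig.sid) for ev in events
            for sig in SIGNATURES if match_event(ev, sig)]


def evaluate(events, alerts):
    """Count true/false positives and negatives against the 'malicious' labels."""
    alerted = {eid for eid, _ in alerts}
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for ev in events:
        hit, bad = ev["id"] in alerted, ev["malicious"]
        key = ("tp" if bad else "fp") if hit else ("fn" if bad else "tn")
        counts[key] += 1
    return counts


# Constructed sample events; 'malicious' is the analyst's ground truth.
EVENTS = [
    {"id": 1, "proto": "telnet", "user": "root", "malicious": True},    # matched
    {"id": 2, "proto": "ssh", "user": "root", "malicious": True},       # variant: missed
    {"id": 3, "proto": "telnet", "user": "alice", "malicious": False},  # benign
    {"id": 4, "proto": "smtp", "subject": "Free pictures!",
     "attachment": "FreePics.EXE", "malicious": True},                  # matched (case-insensitive)
    {"id": 5, "proto": "smtp", "subject": "Free pictures!!",
     "attachment": "freepics.zip", "malicious": True},                  # variant: missed
    {"id": 6, "proto": "smtp", "subject": "Quarterly report",
     "attachment": "report.pdf", "malicious": False},                   # benign
    {"id": 7, "proto": "telnet", "user": "root", "malicious": False},   # admin at console: false positive
]

if __name__ == "__main__":
    found = detect(EVENTS)
    for eid, sid in found:
        print(f"event {eid}: sid {sid}")
    print(evaluate(EVENTS, found))
```

Running it yields three alerts (events 1, 4 and 7) and the tally tp=2, fp=1, fn=2, tn=2: the two variants (SSH instead of Telnet, a renamed attachment) are the "variants of known threats" the slide warns about, and tightening the patterns to catch them would be a new signature, not a capability of the method.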
Anomaly-based
Events are compared against "normal activity" to identify significant deviations. Uses profiles of normal behavior for users, hosts, connections and applications. Profiles are developed by observing typical activity over a period of time (the training period). They can be very effective against unknown threats.
Profiles can be static (once generated they do not change unless the system is specifically instructed to generate a new profile) or dynamic (they are adjusted constantly, e.g. thresholds). Dynamic profiles are susceptible to evasion.
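An added illustration (not the lecture's code) of the static versus dynamic profile distinction. The profile is the number of logins per hour on one host, learned from a constructed ten-hour training period as a mean and standard deviation; an observation is anomalous when it exceeds mean + k·sd. The static profile keeps the training values; the dynamic one re-estimates the mean with an exponentially weighted moving average after every observation. A slow ramp from 13 to 20 logins per hour is caught by the static profile from the second step, but the dynamic profile drifts along with it and never alarms, which is the evasion the slide mentions; only a sudden burst of 40 trips both. The numbers, the choice of k=3 and alpha=0.5 are assumptions for the example.

```python
"""Static vs dynamic anomaly profiles over a constructed 'logins per hour' series.
Added example; all values and parameters are chosen for illustration."""
import statistics

# Constructed training period: ten quiet hours on one host.
TRAINING = [10, 12, 11, 9, 10, 12, 11, 10, 9, 11]


class StaticProfile:
    """Profile fixed at the end of the training period."""

    def __init__(self, training, k=3.0):
        self.mean = statistics.mean(training)
        self.sd = statistics.pstdev(training)
        self.k = k

    def check(self, x):
        # Threshold never moves unless a new profile is generated.
        return x > self.mean + self.k * self.sd


class DynamicProfile:
    """Profile whose mean follows recent observations (EWMA)."""

    def __init__(self, training, k=3.0, alpha=0.5):
        self.mean = statistics.mean(training)
        self.sd = statistics.pstdev(training)
        self.k, self.alpha = k, alpha

    def check(self, x):
        anomalous = x > self.mean + self.k * self.sd
        # The baseline is adjusted with every observation, flagged or not,
        # so a gradual increase drags the threshold up with it.
        self.mean = self.alpha * x + (1 - self.alpha) * self.mean
        return anomalous


def run(profile, observations):
    """Apply the profile to a series; returns one verdict per observation."""
    return [profile.check(x) for x in observations]


RAMP = [13, 14, 15, 16, 17, 18, 19, 20]  # constructed slow ramp-up
BURST = [40]                             # constructed sudden burst

if __name__ == "__main__":
    series = RAMP + BURST
    print("static :", run(StaticProfile(TRAINING), series))
    print("dynamic:", run(DynamicProfile(TRAINING), series))
```

The static profile (mean 10.5, sd about 1.02, threshold about 13.6) flags every value from 14 upward; the dynamic profile's threshold climbs from 13.6 to over 21 during the ramp and only the burst exceeds it. A practical middle ground is to stop updating the dynamic profile while an alert is active, or to bound how far the baseline may move per period, so that slow drift is still eventually noticed.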
IDS and ...........
Prevention: doors, locks, bars, big dog, etc.
Detection: motion detector, smoke detector, little dog, etc.
Reaction: alarm, call to the police, etc.
Both prevention and detection are needed!
IPS: Intrusion Prevention System. Detection before the attack succeeds. Is it an IDS with an active reaction, or a firewall? Or a marketing term?
Snort (www.snort.org)