Intrusion Detection Systems


Xenia Mountrouidou (Dr. X)

Outline
- Start reserving your topology
- Learning goals
- Background
- Variations

Reserve topology
Go to: https://goo.gl/Xieh9g
Use RSpec: http://mountrouidoux.people.cofc.edu/CyberPaths/files/DDoS_IDS_RSpec.txt

Learning Goals
- Set up an IDS and verify that it functions properly
- Study and understand IDS logs
- Apply concepts of intrusion detection in a real scenario
- Create a custom Intrusion Detection System (IDS) rule

Intrusion Detection Systems and Mitigation
Goals:
- Install Snort IDS on the monitor machine
- Duplicate all traffic to the monitor
- Create a custom alert for Snort IDS
- Use the mitigation script to drop malicious traffic
[Figure: spoofed SYN flood. The Attacker sends a spoofed SYN to the Server; the Server sends a SYN-ACK to the Spoofed Client and, getting no reply, resends the SYN-ACK.]

Background
- Intrusion Detection and Prevention Systems
- Computer Networks
- Software Defined Networks
- Command Line
- GENI
- DoS

Example Setup
The position of the IDS is important!
- Where would we position the HIDS?
- Where do we prefer HIDS vs An

Detection via Signatures
Signature checking: does the packet match some signature?
- Payload, e.g., shellcode
- Header, e.g., SYN
Problem: not so great for zero-day attacks. Q: Why? (A signature describes bytes that are already known; an attack whose bytes have never been seen has no signature to match.)

Snort
- Open source IDS
- Signature detection
- Lots of available rulesets
Example rule:
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL root login attempt"; flow:to_server,established; content:"|0A 00 00 01 85 04 00 00 80|root|00|"; classtype:protocol-command-decode; sid:1775; rev:2;)
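To make the two slides above concrete, here is a small Snort-style matcher written for this page (it is an added example, not Snort's code). It parses the MySQL rule shown on the slide plus a header-only SYN rule with a hypothetical local sid, decodes the |..| hex content syntax, and runs both over three constructed packets. The third packet is a root login whose client-capability bytes differ from the signature, which shows the zero-day problem in miniature: the signature sees bytes, not intent. The $EXTERNAL_NET / $SQL_SERVERS bindings and the packet dicts are assumptions for illustration, and the rule's flow: option is not evaluated because the example keeps no TCP stream state.

```python
"""Minimal Snort-style signature matcher (added example; not Snort's code).
Assumed for illustration: packets are dicts already decoded from the wire,
$EXTERNAL_NET stands for "any" and $SQL_SERVERS for 10.0.0.0/24."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

RULE_VARS = {"$EXTERNAL_NET": "any", "$SQL_SERVERS": "10.0.0.0/24"}  # assumed bindings

# The MySQL rule from the slide (sid 1775) and a header-only SYN rule with a
# hypothetical local sid, standing in for the "Header, e.g., SYN" case.
MYSQL_RULE = ('alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL root login attempt"; '
              'flow:to_server,established; content:"|0A 00 00 01 85 04 00 00 80|root|00|"; '
              'classtype:protocol-command-decode; sid:1775; rev:2;)')
SYN_RULE = 'alert tcp any any -> any 80 (msg:"SYN to web server"; flags:S; sid:1000001; rev:1;)'

HEADER_RE = re.compile(r"^alert\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)$")

@dataclass
class Rule:
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str
    sid: int
    content: Optional[bytes] = None   # payload signature (None = header-only rule)
    flags: Optional[str] = None       # exact TCP flag set, e.g. "S" for a bare SYN

def decode_content(spec: str) -> bytes:
    """Snort content syntax: text between |..| is hex bytes, everything else is literal."""
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode()
    return bytes(out)

def parse_rule(text: str) -> Rule:
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax")
    proto, src, sport, dst, dport, body = m.groups()
    opts: Dict[str, str] = {}
    for opt in body.split(";"):
        if opt.strip():
            key, _, val = opt.strip().partition(":")
            opts[key.strip()] = val.strip().strip('"')
    return Rule(proto, src, sport, dst, dport, opts.get("msg", ""), int(opts["sid"]),
                decode_content(opts["content"]) if "content" in opts else None,
                opts.get("flags"))

def addr_matches(spec: str, ip: str) -> bool:
    spec = RULE_VARS.get(spec, spec)
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port

def rule_matches(rule: Rule, pkt: dict) -> bool:
    """Cheap header checks first, then the payload search. The rule's flow: option
    needs TCP stream state that this toy inspector does not keep, so it is ignored."""
    if pkt["proto"] != rule.proto:
        return False
    if not (addr_matches(rule.src, pkt["src"]) and port_matches(rule.sport, pkt["sport"])):
        return False
    if not (addr_matches(rule.dst, pkt["dst"]) and port_matches(rule.dport, pkt["dport"])):
        return False
    if rule.flags is not None and pkt.get("flags") != rule.flags:
        return False
    return rule.content is None or rule.content in pkt["payload"]

def inspect(rules: List[Rule], packets: List[dict]) -> List[str]:
    """One alert line per (packet, rule) match, in the spirit of Snort's [gid:sid] prefix."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule_matches(rule, pkt):
                alerts.append(f"[1:{rule.sid}] {rule.msg} {pkt['src']}:{pkt['sport']} -> "
                              f"{pkt['dst']}:{pkt['dport']}")
    return alerts

RULES = [parse_rule(MYSQL_RULE), parse_rule(SYN_RULE)]

# Constructed packets (not a capture); the MySQL handshake bytes are hand-built.
PACKETS = [
    # Root login whose client-capability bytes are exactly the ones in the signature.
    {"proto": "tcp", "src": "192.0.2.7", "sport": 40001, "dst": "10.0.0.5", "dport": 3306,
     "flags": "PA", "payload": b"\x0a\x00\x00\x01\x85\x04\x00\x00\x80root\x00" + b"\x00" * 8},
    # Still a root login, but the client advertises different capability bytes,
    # so the byte signature misses it: the zero-day problem in miniature.
    {"proto": "tcp", "src": "192.0.2.7", "sport": 40002, "dst": "10.0.0.5", "dport": 3306,
     "flags": "PA", "payload": b"\x0a\x00\x00\x01\x8d\xa6\x03\x00\x00\x00\x00\x01root\x00" + b"\x00" * 8},
    # A bare SYN to a web server: caught by the header-only rule.
    {"proto": "tcp", "src": "198.51.100.9", "sport": 51000, "dst": "10.0.0.8", "dport": 80,
     "flags": "S", "payload": b""},
]

if __name__ == "__main__":
    for line in inspect(RULES, PACKETS):
        print(line)
```

Running it yields two alerts, one per rule; the second MySQL packet produces none, which is exactly the gap a signature engine leaves until someone writes a rule for the new bytes.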

Intro to Software Defined Networking
Slides modified from the GENI OpenFlow tutorial: http://groups.geni.net/geni/wiki/GENIExperimenter/Tutorials/OpenFlowOVS

OpenFlow…
- Enables innovation in networking
- Changes the practice of networking
- Google's SDN WAN

OpenFlow’s basic idea


OpenFlow benefits [1]
External control:
- Centralized control
- Enables network apps
- General-purpose computers (Moore's Law)
- Deeper integration
- Network hardware becomes a commodity
Centralized control:
- One place for apps to interact (authentication, authorization, etc.)
- Simplifies algorithms
- Global optimization and planning
[1] OpenFlow: A Radical New Idea in Networking, Thomas A. Limoncelli, Communications of the ACM, August 2012 (Vol. 55, No. 8)

Deployment Stories
- Google global private WAN [1]: connects dozens of datacenters worldwide with a long-term average of 70% utilization over all links
- Stanford campus deployment: part of the Stanford campus migrated to OpenFlow
- Microsoft Azure datacenter [2]
- Internet2 AL2S: can build Layer 2 circuits between any Internet2 end-points
- NTT's BGP-free edge: https://www.ntt-review.jp/archive/ntttechnical.php?contents=ntr201310fa3.html
[1] B4: Experience with a Globally-Deployed Software Defined WAN, Jain et al., SIGCOMM '13
[2] Keynote, ONS, June 2015

GENI and OpenFlow deployment
Key GENI concept: slices and deep programmability
- Internet: open innovation in application programs
- GENI: open innovation deep into the network
- OpenFlow switches are one of the ways GENI provides deep programmability
[Figure: the "good old Internet" alongside GENI slices 0 through 4 running over the same infrastructure]

GENI-enabled regionals
[Figure: OpenFlow switches in a GENI Rack, connected through GENI-enabled regionals (e.g. CENIC) to Internet2 AL2S]

OpenFlow controllers
Open source controller frameworks:
- NOX: C++
- POX: Python
- OpenDaylight: Java
- Floodlight: Java
- Trema: C / Ruby
- Maestro: Java
- Ryu: Python

OpenFlow Protocol (SSL/TCP)
- The controller is responsible for populating the forwarding table of the switch
- On a table miss, the switch asks the controller
[Figure: an OpenFlow switch (hardware data path plus OpenFlow control path) with a host attached, connected to the OpenFlow controller over the OpenFlow protocol (SSL/TCP)]
Modified slide from: http://www.deutsche-telekom-laboratories.de/~robert/GENI-Experimenters-Workshop.ppt

OpenFlow in action
1. Host1 sends a packet
2. If there are no rules about handling this packet, the switch forwards the packet to the controller
3. The controller installs a flow
4. Subsequent packets do not go through the controller
[Figure: host1 and host2 attached to the OpenFlow switch, which is connected to the OpenFlow controller over the OpenFlow protocol (SSL/TCP)]
Modified slide from: http://www.deutsche-telekom-laboratories.de/~robert/GENI-Experimenters-Workshop.ppt

OpenFlow Basics (1.0)
A flow table entry has three parts:
- Rule: the header fields to match, plus a mask saying which of them to match on. Fields: Switch Port, VLAN ID, VLAN PCP, MAC src, MAC dst, Eth type, IP Src, IP Dst, IP Prot, IP ToS, TCP sport, TCP dport
- Action: forward packet to port(s); encapsulate and forward to controller; drop packet; send to normal processing pipeline; modify fields
- Stats: packet + byte counters
Slide from: http://www.deutsche-telekom-laboratories.de/~robert/GENI-Experimenters-Workshop.ppt
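The packet-in / flow-mod cycle of the two slides above, as an added example written for this page (it is not Open vSwitch, POX or any controller's code). A toy switch keeps a priority-ordered flow table of 1.0-style match fields with packet and byte counters; a table miss sends the packet to a learning-switch controller, which installs a flow so later packets of the same conversation stay on the data path, and which installs a high-priority drop entry for a blacklisted source, the mitigation used later in this lab. The packet dicts, port numbers, MAC/IP addresses and the blocked address 10.0.0.66 are constructed for the demo; omitting a field from a match dict plays the role of the wildcard mask.

```python
"""Toy OpenFlow 1.0 switch and controller (added example; not OVS or POX code).
A packet is a dict of the 1.0 match fields plus its length; a flow entry's match
dict lists only the fields it cares about, so an omitted field is wildcarded."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class FlowEntry:
    match: Dict[str, object]   # subset of in_port, dl_src, dl_dst, dl_type, nw_src, nw_dst, nw_proto, tp_src, tp_dst
    actions: List[Tuple]       # ("output", port) | ("flood",) | ("set_field", name, value) | ("drop",)
    priority: int = 100
    n_packets: int = 0         # Stats: packet and byte counters
    n_bytes: int = 0

    def matches(self, pkt: dict) -> bool:
        return all(pkt.get(k) == v for k, v in self.match.items())

class Switch:
    def __init__(self, controller: "Controller", ports: List[int]):
        self.controller = controller
        self.ports = ports
        self.table: List[FlowEntry] = []
        self.packet_ins = 0    # how often the controller had to be consulted

    def add_flow(self, entry: FlowEntry) -> None:
        """flow_mod: install an entry; highest priority is consulted first."""
        self.table.append(entry)
        self.table.sort(key=lambda e: -e.priority)

    def lookup(self, pkt: dict) -> Optional[FlowEntry]:
        return next((e for e in self.table if e.matches(pkt)), None)

    def process(self, pkt: dict) -> List[int]:
        """Handle one packet; returns the output ports ([] means dropped)."""
        entry = self.lookup(pkt)
        if entry is None:
            # Table miss: encapsulate the packet and hand it to the controller (packet_in).
            self.packet_ins += 1
            actions = self.controller.packet_in(self, pkt)
        else:
            entry.n_packets += 1
            entry.n_bytes += pkt["len"]
            actions = entry.actions
        return self.apply(pkt, actions)

    def apply(self, pkt: dict, actions: List[Tuple]) -> List[int]:
        out: List[int] = []
        for act in actions:
            if act[0] == "output":
                out.append(act[1])
            elif act[0] == "flood":
                out.extend(p for p in self.ports if p != pkt["in_port"])
            elif act[0] == "set_field":     # the "Modify Fields" action
                pkt[act[1]] = act[2]
            elif act[0] == "drop":
                return []
        return out

class Controller:
    """A learning switch that also installs drop flows for blacklisted sources."""

    def __init__(self, blocked_nw_src=()):
        self.mac_to_port: Dict[str, int] = {}
        self.blocked = set(blocked_nw_src)

    def packet_in(self, sw: Switch, pkt: dict) -> List[Tuple]:
        self.mac_to_port[pkt["dl_src"]] = pkt["in_port"]
        if pkt.get("nw_src") in self.blocked:
            # Mitigation: a high-priority drop entry, so the switch never asks again.
            sw.add_flow(FlowEntry({"nw_src": pkt["nw_src"]}, [("drop",)], priority=200))
            return [("drop",)]
        out_port = self.mac_to_port.get(pkt["dl_dst"])
        if out_port is None:
            return [("flood",)]   # destination unknown yet: flood once, install nothing
        # Install a flow so subsequent packets of this conversation stay on the data path.
        sw.add_flow(FlowEntry({"in_port": pkt["in_port"], "dl_src": pkt["dl_src"],
                               "dl_dst": pkt["dl_dst"]}, [("output", out_port)]))
        return [("output", out_port)]

def run_demo():
    """host1 (port 1) and host2 (port 2) talk; an attacker on port 3 gets blocked."""
    ctl = Controller(blocked_nw_src={"10.0.0.66"})
    sw = Switch(ctl, ports=[1, 2, 3])
    h1 = {"in_port": 1, "dl_src": "00:00:00:00:00:01", "dl_dst": "00:00:00:00:00:02", "dl_type": 0x0800,
          "nw_src": "10.0.0.1", "nw_dst": "10.0.0.2", "nw_proto": 6, "tp_src": 40000, "tp_dst": 80, "len": 74}
    h2 = dict(h1, in_port=2, dl_src=h1["dl_dst"], dl_dst=h1["dl_src"], nw_src="10.0.0.2",
              nw_dst="10.0.0.1", tp_src=80, tp_dst=40000)
    bad = dict(h1, in_port=3, dl_src="00:00:00:00:00:66", nw_src="10.0.0.66")
    trace = [sw.process(dict(p)) for p in (h1, h2, h2, h1, h1, h1, h1, bad, bad)]
    return sw, trace

if __name__ == "__main__":
    switch, outputs = run_demo()
    print("packet_in events:", switch.packet_ins, "of 9 packets; outputs:", outputs)
    for e in switch.table:
        print(f"priority={e.priority} match={e.match} actions={e.actions} "
              f"n_packets={e.n_packets} n_bytes={e.n_bytes}")
```

Of the nine packets only four reach the controller: the first in each direction (one flood, one flow install), the return direction's first packet, and the attacker's first packet; the rest hit installed entries and bump their counters, which is the stats view a correlator later reads from the switch.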

Software Defined Networks
SDN capabilities:
- Drop flows
- Redirect flows
- Duplicate flows
- Information available and accessible on different network layers
Source: https://www.opennetworking.org/sdn-resources/sdn-definition

Questions? And one last thing… go to the next slide. Let's experiment!

Variations
- GENI Desktop
- Different attacks: Slowloris, privilege escalation
- Third level: use the power of SDN to detect and mitigate the port(s) from which the DoS is coming

Correlation and Mitigation
- Use the monitor to alert the correlator
- The correlator is logic that communicates with the controller and gathers info about the attack
- The correlator decides, based on controller info, whether there is an attack
- Correlator logic is implemented in Python

Monitor-Correlator Communication
Participants: Controller (Correlator), Client, Open vSwitch (OvS), Monitor, Server
[Figure: sequence diagram with the following messages]
1. Client -> OvS: request content
2. Correlator -> OvS: insert flow
3. OvS -> Monitor: mirror traffic; OvS -> Server: forward traffic
4. Monitor -> Correlator: send alert detail
5. Correlator -> OvS: query OvS flow table
6. OvS -> Correlator: return flow table data
7. Correlator -> OvS: insert flow

Monitor
- Listens for IDS alerts
- Alert threshold = # SYN packets / sec
- Sends an alert flag to the correlator
- Sends the IPs of the selected SYN packets to the correlator
- The flag can carry the attack type

Monitor – real time snort alert monitoring

Monitor – send alert to correlator
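The monitor described on the three slides above, as an added example written for this page (it is not the lab's own monitor script). It parses Snort's alert_fast line format, buckets alerts of the SYN rule by second, and when a second reaches the threshold (# SYN packets / sec) builds the message the correlator needs: an attack flag, the target, the rate and the source IPs seen. Assumptions, all hypothetical: the alerts come from a custom rule with local sid 1000001 of the form `alert tcp any any -> $HOME_NET 80 (msg:"SYN to web server"; flags:S; sid:1000001; rev:1;)`, the sample alert file is constructed, and the correlator accepts newline-delimited JSON over a TCP socket.

```python
"""Monitor side: rate Snort fast-format SYN alerts per second and build the
correlator message (added example; not the lab's own monitor script).
Assumed: alerts come from a custom rule with hypothetical local sid 1000001,
and the correlator reads one JSON object per line."""
import json
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Snort alert_fast layout: timestamp [**] [gid:sid:rev] msg [**] [...] [Priority: n] {PROTO} src:port -> dst:port
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$")

# Constructed sample alert file: six SYN alerts in one second, one in the next,
# plus an unrelated MySQL alert that the sid filter must ignore.
SAMPLE_ALERT_FAST = """\
08/14-12:00:01.000101  [**] [1:1000001:1] SYN to web server [**] [Priority: 0] {TCP} 203.0.113.10:1025 -> 10.0.0.4:80
08/14-12:00:01.000202  [**] [1:1000001:1] SYN to web server [**] [Priority: 0] {TCP} 203.0.113.11:1026 -> 10.0.0.4:80
08/14-12:00:01.000303  [**] [1:1000001:1] SYN to web server [**] [Priority: 0] {TCP} 203.0.113.12:1027 -> 10.0.0.4:80
08/14-12:00:01.000404  [**] [1:1000001:1] SYN to web server [**] [Priority: 0] {TCP} 203.0.113.10:1028 -> 10.0.0.4:80
08/14-12:00:01.000505  [**] [1:1000001:1] SYN to web server [**] [Priority: 0] {TCP} 203.0.113.11:1029 -> 10.0.0.4:80
08/14-12:00:01.000606  [**] [1:1000001:1] SYN to web server [**] [Priority: 0] {TCP} 203.0.113.12:1030 -> 10.0.0.4:80
08/14-12:00:02.500000  [**] [1:1000001:1] SYN to web server [**] [Priority: 0] {TCP} 198.51.100.4:5555 -> 10.0.0.4:80
08/14-12:00:02.600000  [**] [1:1775:2] MYSQL root login attempt [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 198.51.100.4:5556 -> 10.0.0.5:3306
"""

def parse_alert(line: str) -> Optional[Dict[str, str]]:
    """One fast-format alert line -> field dict, or None for anything else."""
    m = FAST_ALERT_RE.match(line)
    return m.groupdict() if m else None

def monitor(lines: List[str], sid: int, threshold: int) -> List[dict]:
    """Bucket alerts of the SYN rule by second. A second that reaches the
    threshold (# SYN packets / sec) yields one message carrying the attack
    flag and the source IPs seen, which is what the correlator queries with."""
    per_second: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for line in lines:
        alert = parse_alert(line)
        if alert and int(alert["sid"]) == sid:
            per_second[alert["ts"]].append(alert)
    messages = []
    for ts in sorted(per_second):
        alerts = per_second[ts]
        if len(alerts) >= threshold:
            messages.append({
                "flag": "SYN_FLOOD",            # the flag can carry the attack type
                "time": ts,
                "rate": len(alerts),
                "target": alerts[0]["dst"],
                "ips": sorted({a["src"] for a in alerts}),
            })
    return messages

def encode_for_correlator(message: dict) -> bytes:
    """Wire format assumed here: newline-delimited JSON, one message per line."""
    return (json.dumps(message, sort_keys=True) + "\n").encode()

if __name__ == "__main__":
    for msg in monitor(SAMPLE_ALERT_FAST.splitlines(), sid=1000001, threshold=5):
        print(encode_for_correlator(msg).decode(), end="")
```

On the sample the 12:00:01 bucket holds six alerts from three spoofed sources and produces one message; the single SYN at 12:00:02 stays under the threshold. For real-time use the same function is fed lines as Snort appends them to the alert file, with buckets older than the current second discarded; the threshold itself is a tuning knob, since a busy server sees legitimate SYN bursts too.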

Correlator
- Hash table based on the original flow table of the OVS switch
- Query this table using the IP addresses from the monitor to look for any unknown IPs
- Additional queries to a second hash table created based on the current flow table

Original Flow Table      Flow Table Snapshot 1    Flow Table Snapshot 2
Key    Value             Key    Value             Key    Value
port1  IP1               port1  IP1               port1  IP1
port2  IP2               port2  IP12345           port2  IP6789
port3  IP3               port3  IP3               port3  IP3
...    ...               ...    ...               ...    ...
portn  IPn               portn  IPn               portn  IPn

Correlator – parse and process flowdump

Correlator – block the port of attack
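The correlator of the three slides above, as an added example written for this page (it is not the lab's own correlator). It builds the port-to-IP hash table from a baseline flow dump, builds a second one from the current snapshot, checks the IPs sent by the monitor against the baseline to find unknown sources, looks those up in the snapshot to find the port they enter on, and emits the block command for that port. Assumptions, all hypothetical: the dumps are constructed in the line layout `ovs-ofctl dump-flows br0` prints for a bridge whose rules carry in_port and nw_src, ports are numbered, and the ovs-ofctl command strings are returned rather than executed so the example runs offline.

```python
"""Correlator side: compare the baseline OVS flow table with a snapshot, locate
the port carrying the monitor's unknown IPs, and produce the block action
(added example; not the lab's own correlator). Dumps are constructed in the
layout `ovs-ofctl dump-flows br0` prints; commands are returned, not run."""
import re
from collections import defaultdict
from typing import Dict, Set

FLOW_RE = re.compile(r"in_port=(?P<port>[^,\s]+).*?nw_src=(?P<ip>[\d.]+)")

# Constructed dumps (one flow per line). Ports 1-3 are hosts, port 4 the server.
BASELINE_DUMP = """\
NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=120.3s, table=0, n_packets=40, n_bytes=3360, priority=100,ip,in_port=1,nw_src=10.0.0.1 actions=output:4
 cookie=0x0, duration=118.9s, table=0, n_packets=38, n_bytes=3192, priority=100,ip,in_port=2,nw_src=10.0.0.2 actions=output:4
 cookie=0x0, duration=117.0s, table=0, n_packets=35, n_bytes=2940, priority=100,ip,in_port=3,nw_src=10.0.0.3 actions=output:4
"""
# Snapshot taken during the flood: spoofed sources appear behind port 2.
SNAPSHOT_DUMP = BASELINE_DUMP + """\
 cookie=0x0, duration=1.2s, table=0, n_packets=900, n_bytes=54000, priority=100,ip,in_port=2,nw_src=203.0.113.10 actions=output:4
 cookie=0x0, duration=1.1s, table=0, n_packets=870, n_bytes=52200, priority=100,ip,in_port=2,nw_src=203.0.113.11 actions=output:4
"""
# Message as the monitor would send it (constructed).
MONITOR_ALERT = {"flag": "SYN_FLOOD", "target": "10.0.0.4", "rate": 6,
                 "ips": ["203.0.113.10", "203.0.113.11", "203.0.113.12"]}

def port_ip_table(dump: str) -> Dict[str, Set[str]]:
    """Hash table keyed by switch port -> source IPs seen on it, built from a flow dump."""
    table: Dict[str, Set[str]] = defaultdict(set)
    for line in dump.splitlines():
        m = FLOW_RE.search(line)
        if m:
            table[m.group("port")].add(m.group("ip"))
    return table

def block_port_cmd(port: str, bridge: str = "br0") -> str:
    """Drop everything entering the attack port; the priority beats the forwarding rules."""
    return f"ovs-ofctl add-flow {bridge} priority=200,in_port={port},actions=drop"

def correlate(baseline_dump: str, snapshot_dump: str, alert: dict) -> dict:
    """Decide whether the monitor's alert is an attack and where it enters.
    IPs in the original table are known hosts; a SYN burst made only of known
    IPs is treated as a flash crowd and left alone. Unknown IPs are looked up
    in the current snapshot to find the port(s) they came in on."""
    known = port_ip_table(baseline_dump)
    current = port_ip_table(snapshot_dump)
    known_ips = set().union(*known.values())
    unknown = [ip for ip in alert["ips"] if ip not in known_ips]
    ports = sorted({port for port, ips in current.items() if ips & set(unknown)})
    attack = bool(unknown) and bool(ports)
    return {
        "attack": attack,
        "unknown_ips": unknown,
        "ports": ports,
        "commands": [block_port_cmd(p) for p in ports] if attack else [],
    }

if __name__ == "__main__":
    print(correlate(BASELINE_DUMP, SNAPSHOT_DUMP, MONITOR_ALERT))
```

Two caveats a practitioner should keep in mind. Blocking in_port 2 also silences the legitimate host 10.0.0.2 behind that port, which is the "we may mitigate real traffic" problem; a narrower rule such as `priority=200,ip,in_port=2,nw_src=203.0.113.10,actions=drop` only helps while the spoofed sources do not rotate, which in a SYN flood they usually do. And the flash-crowd check here treats every address absent from the baseline as suspect, so a genuinely new client looks like an attacker until the baseline is refreshed; the dump layout also varies between OVS versions (named ports print as in_port="name"), so the regex should be checked against the real output of the lab's switch.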

Role of SDN in Implementation
- Duplicate flows: duplication is implemented with mirroring
- Flow table information detects the attacker
- Drop flows to mitigate
Caveats:
- We may mitigate real traffic (flash crowd)
- Deep packet inspection
- Second chance
Questions so far?

Questions? Let’s experiment!