NETWORKS Fall 2010.


Review – IDS
What is Intrusion Detection? The process of monitoring events occurring in a computer system or network and analyzing them for signs of intrusions.
Need for Intrusion Detection Systems:
- Detect attacks not prevented by other security systems
- Detect and deal with preambles to attacks (reconnaissance such as scanning and mapping)
- Document the existing threat to an organization
- Act as quality control for secure design and administration

Review – Why Not Firewalls?
- Need real-time detection of intrusions
- Not all access to the Internet is through firewalls
- Not all threats originate outside the firewall
- Firewalls are subject to attack themselves
- IDSs and firewalls should complement each other

OUTLINE Intrusion Detection Systems

Intrusion Detection Systems

Intrusion Detection Capabilities
- Scan packet contents for classified or proprietary data
- Scan traffic for attack signatures
- Terminate suspicious TCP sessions (e.g., by injecting a reset)
- Update firewall rules or router filters to deny all access from suspicious sources
- Alert administrators about violations/attacks
- Provide a database of attacks and possible countermeasures

IDS Limitations
An IDS cannot:
- Monitor traffic on segments it is not attached to: a sensor sees only the traffic that passes it, so traffic across routers, bridges or switches needs a sensor (or a mirror/SPAN port) on each segment
- Find classified or proprietary information in encrypted transmissions
- Perform statistical analysis of traffic over time (not yet, anyway)
- Replace diligent, human review of logs/traces

Burglar Alarm 1
- Based on site policy, alert the administrator to policy violations
- Detect events that may not be "security" events but which may indicate a policy violation:
  - New routers
  - New subnets
  - New web servers

Burglar Alarm 2
- A burglar alarm is a misuse detection system that is carefully targeted
- You may not care about people port-scanning your firewall from the outside
- You may care profoundly about people port-scanning your mainframe from the inside
- Set up a misuse detector to watch for misuses that violate site policy

Burglar Alarm 3
The ideal burglar alarm is situated so that it fires when an attacker performs an ordinary action, e.g.:
- Mapping the network
- Scanning the network
- After successfully breaking in:
  - Adding a userid
  - Zapping a log file
  - Making a program setuid root
  - Starting a sniffer

Burglar Alarm Construction
Burglar alarms can be built using firewall/router logs, e.g.:
- Watch for attempts to access non-existent hosts on your network, which could indicate network scanning or mapping activity
- Send an email or other alert to the administrator
Refer to the following URL for numerous examples of host-based burglar alarms:
http://www.blackhat.com/presentations/bh-usa-99/MJR/burglar-alarms.ppt
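One way to build the "non-existent hosts" burglar alarm described above, as an added example that is not part of the slides or of the linked Black Hat talk. It parses constructed firewall log lines and raises an alarm for any source that touches several addresses on the site network that are not in the host inventory. The log format, the 192.0.2.0/24 site network, the list of live hosts and the threshold of three dark addresses are all assumptions.

```python
"""Dark-address burglar alarm built from firewall/router logs.
Added example, not the slides' own code. Assumption: we know which addresses
on our network are assigned, so a connection attempt to an unassigned
address is, by site policy, something nobody legitimate should do."""
import ipaddress
import re
from collections import defaultdict

# Constructed inventory (assumption): the only live hosts on 192.0.2.0/24.
SITE_NET = ipaddress.ip_network("192.0.2.0/24")
LIVE_HOSTS = {ipaddress.ip_address(a)
              for a in ("192.0.2.1", "192.0.2.10", "192.0.2.25", "192.0.2.80")}

# Constructed log lines in a generic router/firewall style (assumed format).
SAMPLE_LOG = """\
Oct 03 02:14:01 fw1 DENY TCP 198.51.100.7:41022 -> 192.0.2.2:22
Oct 03 02:14:01 fw1 DENY TCP 198.51.100.7:41023 -> 192.0.2.3:22
Oct 03 02:14:02 fw1 DENY TCP 198.51.100.7:41024 -> 192.0.2.4:22
Oct 03 02:14:02 fw1 DENY TCP 198.51.100.7:41025 -> 192.0.2.5:22
Oct 03 02:14:02 fw1 PERMIT TCP 198.51.100.7:41026 -> 192.0.2.80:80
Oct 03 09:30:11 fw1 PERMIT TCP 203.0.113.9:50112 -> 192.0.2.25:443
Oct 03 09:31:40 fw1 DENY TCP 203.0.113.9:50113 -> 192.0.2.200:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ (?P<action>PERMIT|DENY) "
    r"(?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$")


def parse(log_text):
    """Yield one dict per log line that matches the assumed format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def dark_targets(log_text, threshold=3):
    """Map each source to the sorted list of non-existent site addresses it
    touched, keeping only sources that hit at least `threshold` of them.
    Both PERMIT and DENY lines count: the policy violation is the attempt."""
    hits = defaultdict(set)
    for rec in parse(log_text):
        dst = ipaddress.ip_address(rec["dst"])
        if dst in SITE_NET and dst not in LIVE_HOSTS:
            hits[rec["src"]].add(str(dst))
    return {src: sorted(d) for src, d in hits.items() if len(d) >= threshold}


def alerts(log_text, threshold=3):
    """Human-readable alarm lines, one per offending source."""
    return [f"BURGLAR ALARM: {src} probed {len(d)} unassigned addresses: "
            f"{', '.join(d)}"
            for src, d in dark_targets(log_text, threshold).items()]


if __name__ == "__main__":
    for a in alerts(SAMPLE_LOG):
        print(a)   # in production: mail or page the administrator instead
```

With the sample above only 198.51.100.7 trips the alarm: it walked 192.0.2.2 through .5 in one second, which is what a mapping sweep looks like. 203.0.113.9 touched a single dark address, which is the kind of typo or stale DNS entry the threshold is there to absorb; lowering the threshold to 1 reports it too.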

Reporting Suspicious Hosts
- Always follow official channels first
- Don't email the information if you're not reasonably sure that the attacker doesn't "own" the mail host
- Include dates and times
- Include log information if you can (you may want to edit IP addresses to protect the innocent)

A Simple IDS Model
A simple model of an Intrusion Detection system looks like this:
[Diagram: the IDS monitors the protected system (CPU), reports what it sees, and responds; an IDS Control component configures the monitor / report / respond loop.]

IDS Components
[Diagram: Audit Data -> Preprocessor -> Activity Data (Audit Records) -> Detection Engine -> Alarms -> Decision Engine -> Action/Report]
- The Detection Engine applies Detection Models; the Decision Engine consults a Decision Table
- Assumption behind the preprocessor: system activities are observable
- Assumption behind the detection engine: normal and intrusive activities have distinct evidence

Why use an IDS?
Why would we want to do intrusion detection? Why not just keep intruders out? Stallings' list:
- Second line of defense. Even the best intrusion prevention system can fail. Many intruders are insiders.
- Ejection. Catch intruders before they can do much damage.
- Deterrent. Intruders may stay out if they think they'll be caught.
- Educational. Learn how intruders do what they do and use this to improve both prevention and detection techniques.

Security principles: layered mechanisms
Second Line of Defense: since firewalls fail, detection is our second line of defense.
Prevent -> Detect -> React / Survive

Fundamentals 1
What methods are used?
- Audit trail processing
- On-the-fly processing
- Profiles of normal behavior
- Signatures of abnormal behavior
- Parameter pattern matching

Fundamentals 2
How is it organized? What are the basic components and how are they interconnected?
[Diagram: Sensor (attached to the target system) -> Processing Engine (Algorithms), which consults the Knowledge Base and writes to Audit/Archive; System Management (linked to other IDSs); GUI/Display and Alarms go to the operators.]

Fundamentals 3
What is an intrusion?
- Is an attack the same thing as an intrusion?
- What actions constitute an intrusion?
- How is the identity of an intruder obtained?
How is information correlated?
- Single or multiple packets
- Real time vs. after the fact
- In-band and all-band

Fundamentals 4
- How can an intruder be trapped?
- Can the intruder be diverted to a special trap system?
- What methods are available for incident response?

IDS Methods
While there are automatic intrusion detection tools available, it is worth noting that nearly all incidents in which an intruder has been caught in real time have involved manual intrusion detection methods. That said, there are five specific methods of practical intrusion detection:
- Audit trail processing
- On-the-fly processing
- Profiles of normal behavior
- Signatures of abnormal behavior
- Parameter pattern matching
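The third method in the list, profiles of normal behavior, is the one whose mechanics are least obvious from its name, so here is a small working instance of it. This is an added example, not the slides' own code. It assumes a clean history of (user, host, hour) logins to learn from and a deliberately simple model of "normal": which hosts each user logs in from and at what hours, with a 5% share as the assumed threshold below which a host or hour counts as unusual. User names, host names and all login records are constructed.

```python
"""Profile-based ('profiles of normal behavior') login anomaly detection.
Added example, not the slides' own code. Assumptions: a clean training
history of (user, host, hour) logins, and a per-user notion of normal made
of the source hosts and hours of day seen in that history."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field


@dataclass
class Profile:
    hours: Counter = field(default_factory=Counter)   # hour-of-day -> count
    hosts: Counter = field(default_factory=Counter)   # source host -> count
    total: int = 0


def build_profiles(history):
    """Learn one Profile per user from (user, host, hour) login records."""
    profiles = defaultdict(Profile)
    for user, host, hour in history:
        p = profiles[user]
        p.hours[hour] += 1
        p.hosts[host] += 1
        p.total += 1
    return profiles


def deviations(profile, host, hour, min_frac=0.05):
    """Reasons a login deviates from the profile (empty list = normal).
    min_frac is the share of past logins below which a host or hour slot
    counts as unusual (assumed threshold)."""
    if profile.total == 0:
        return ["no profile for user"]
    reasons = []
    if profile.hosts[host] / profile.total < min_frac:
        reasons.append(f"unfamiliar host {host}")
    # Count the neighbouring hours as the same slot so 08:59 vs 09:05 is not news.
    near = sum(profile.hours[(hour + d) % 24] for d in (-1, 0, 1))
    if near / profile.total < min_frac:
        reasons.append(f"unusual hour {hour:02d}:00")
    return reasons


def detect(history, events, min_frac=0.05):
    """Return [(user, host, hour, reasons)] for the events that deviate."""
    profiles = build_profiles(history)
    flagged = []
    for user, host, hour in events:
        reasons = deviations(profiles[user], host, hour, min_frac)
        if reasons:
            flagged.append((user, host, hour, reasons))
    return flagged


# Constructed training data: alice works 08-17 from her workstation, bob
# 09-18 from his, plus two logins by bob over the VPN gateway.
HISTORY = (
    [("alice", "ws-alice", h) for h in (8, 9, 9, 10, 11, 13, 14, 15, 16, 17)] * 2
    + [("bob", "ws-bob", h) for h in (9, 10, 11, 12, 13, 14, 15, 16, 17, 18)] * 2
    + [("bob", "vpn-gw", 14), ("bob", "vpn-gw", 20)]
)

# Constructed new logins to score.
EVENTS = [
    ("alice", "ws-alice", 9),    # normal
    ("alice", "vpn-gw", 3),      # new host for alice, at 03:00
    ("bob", "vpn-gw", 14),       # the VPN is a known host for bob
    ("bob", "ws-bob", 20),       # usual host, unusual hour
    ("carol", "ws-carol", 10),   # nobody has seen carol before
]

if __name__ == "__main__":
    for user, host, hour, reasons in detect(HISTORY, EVENTS):
        print(f"{user}@{host} {hour:02d}:00 -> {'; '.join(reasons)}")
```

Two properties of this method show up even in a toy: it needs no knowledge of any particular attack, which is its advantage over signatures, and it is only as good as its training data. If the history already contained the intruder's activity, or if an intruder logs in at slightly odd hours for weeks, the profile drifts toward "normal" and the alarm goes quiet; a real deployment re-learns profiles on a schedule and reviews what it learned.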

Audit Trail Processing
- Activity on audit probes is logged and stored in an audit trail
- The audit probes are selected by system administrators based on their view of what is a security-critical event: logins, file opens, ...
- GOAL: have a good set of probes that cover the threat environment
- PROBLEM: system performance decreases as the number of probes increases

Sample Audit Trail
An audit record might look like:
<source IP addr, destination IP addr, source port, destination port, protocol, time session initiated, session initiation direction, success or failure of session>
Example (an outbound telnet session):
<in, out, 3000, 23, TCP, 13:04, outbound, success>
where "in" is some internal IP address, "out" is some external IP address, 3000 is some user port and 23 is the telnet port.

Example Audit Record
Below is an example of an audit trail ("gw" is your intranet gateway; out(X) and out(Y) are two external addresses):
<in, in, 4050, 80, TCP, 07:36:04, inbound, success>
<out(X), gw, 6025, 23, TCP, 07:51:12, inbound, failure>
<out(X), gw, 6025, 23, TCP, 07:51:55, inbound, failure>
<out(X), gw, 6025, 23, TCP, 07:52:17, inbound, failure>
<out(X), gw, 6025, 23, TCP, 07:52:58, inbound, failure>
<out(X), in, 3000, 23, TCP, 13:04:22, inbound, success>
<out(Y), gw, 5000, 23, TCP, 23:54:22, inbound, success>
Is there anything suspicious going on?

Audit Trail Analysis 1
Consider the first entry:
<in, in, 4050, 80, TCP, 07:36:04, inbound, success>
An inbound session should have an external (out) source IP address, yet this one claims an internal source. It appears that an intruder is forging the source IP address in an IP spoofing attack through the gateway; a gateway filter that drops inbound packets with an internal source address would have stopped it.

Audit Trail Analysis 2
Consider the next few entries:
<out(X), gw, 6025, 23, TCP, 07:51:12, inbound, failure>
<out(X), gw, 6025, 23, TCP, 07:51:55, inbound, failure>
<out(X), gw, 6025, 23, TCP, 07:52:17, inbound, failure>
<out(X), gw, 6025, 23, TCP, 07:52:58, inbound, failure>
Someone at external address X is trying to telnet to the gateway: four failures in under two minutes is consistent with password guessing against the gateway's telnet service.

Audit Trail Analysis 3
Consider the 6th entry:
<out(X), in, 3000, 23, TCP, 13:04:22, inbound, success>
The previously suspicious address X manages to telnet to an internal address. On its own this record is an ordinary inbound telnet; it is the correlation with the earlier failures from X that makes it alarming.

Audit Trail Analysis 4
Consider the final entry:
<out(Y), gw, 5000, 23, TCP, 23:54:22, inbound, success>
This is suspicious because of the time (around midnight). Time alone is weak evidence, so check whether Y, and whoever logged in, normally work at that hour before treating it as an incident.
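The four analyses above are exactly the kind of rules an audit trail processor runs over the records, so here they are written out as detection logic over the slides' seven records. This is an added example, not the slides' own code. It keeps the slides' symbolic addresses ("in", "gw", "out(X)", "out(Y)"); the failure threshold of three, the five-minute window and the 22:00 to 06:00 quiet hours are assumptions.

```python
"""Rule-based analysis of the slides' audit trail: the four observations from
the Audit Trail Analysis slides, expressed as detection rules that run over
the records in one pass. Added example, not the slides' own code. Records keep
the slides' symbolic addresses ('in' = an internal address, 'gw' = the intranet
gateway, 'out(X)' / 'out(Y)' = external addresses); thresholds and the quiet
hours window are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# The seven records from the Example Audit Record slide:
# (src, dst, sport, dport, proto, time, direction, result)
AUDIT_TRAIL = [
    ("in",     "in", 4050, 80, "TCP", "07:36:04", "inbound", "success"),
    ("out(X)", "gw", 6025, 23, "TCP", "07:51:12", "inbound", "failure"),
    ("out(X)", "gw", 6025, 23, "TCP", "07:51:55", "inbound", "failure"),
    ("out(X)", "gw", 6025, 23, "TCP", "07:52:17", "inbound", "failure"),
    ("out(X)", "gw", 6025, 23, "TCP", "07:52:58", "inbound", "failure"),
    ("out(X)", "in", 3000, 23, "TCP", "13:04:22", "inbound", "success"),
    ("out(Y)", "gw", 5000, 23, "TCP", "23:54:22", "inbound", "success"),
]
INTERNAL = {"in", "gw"}     # addresses that belong to us (assumption)


def parse_time(hhmmss):
    return datetime.strptime(hhmmss, "%H:%M:%S")


def analyze(trail, fail_threshold=3, window=timedelta(minutes=5),
            quiet_start=22, quiet_end=6):
    """Walk the trail once and return a list of (rule, time, detail)."""
    findings = []
    failures = defaultdict(list)   # (src, dst, dport) -> recent failure times
    flagged = set()                # sources that tripped the brute-force rule
    for src, dst, sport, dport, proto, t, direction, result in trail:
        ts = parse_time(t)

        # Rule 1 (Analysis 1): an inbound session must come from outside; an
        # internal source address on an inbound session points at spoofing.
        if direction == "inbound" and src in INTERNAL:
            findings.append(("spoof", t,
                             f"inbound session claims internal source {src}"))

        # Rule 2 (Analysis 2): repeated failures from one source to one
        # service inside the window look like password guessing. Fire once,
        # when the threshold is reached, rather than on every later failure.
        if result == "failure":
            key = (src, dst, dport)
            recent = [x for x in failures[key] if ts - x <= window] + [ts]
            failures[key] = recent
            if len(recent) == fail_threshold:
                flagged.add(src)
                findings.append(("brute-force", t,
                                 f"{fail_threshold} failed connections from "
                                 f"{src} to {dst}:{dport} within {window}"))
        # Rule 3 (Analysis 3): a source we already flagged now gets in.
        elif src in flagged and dst in INTERNAL:
            findings.append(("escalation", t,
                             f"previously flagged {src} reached {dst}:{dport}"))

        # Rule 4 (Analysis 4): successful sessions during the quiet hours.
        if result == "success" and (ts.hour >= quiet_start or ts.hour < quiet_end):
            findings.append(("off-hours", t,
                             f"{proto}/{dport} session from {src} at {t}"))
    return findings


if __name__ == "__main__":
    for rule, t, detail in analyze(AUDIT_TRAIL):
        print(f"{t} [{rule}] {detail}")
```

Rule 3 is the one worth studying: the 13:04:22 record is unremarkable by itself and only becomes a finding because the analyzer carries state (the flagged set) from the morning's failures. Raise the failure threshold above four and both the brute-force and the escalation findings disappear, which is the usual trade: a looser rule means fewer false alarms and also fewer caught intruders.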

General Principles
Things to look for in an audit trail:
- Users logging in at odd hours
- Unexplained reboots or changes to the system clock
- Unusual error messages from mailers, daemons or other servers
- Failed login attempts with bad passwords
- Unauthorized use of the su command
- Users logging in from unfamiliar sites on the network