1. To analyze and explain the IDS placement in network topology; to explain the relationship between honey pots and IDS; to explain, analyze and evaluate the IDS policy.


- To analyze and explain the IDS placement in network topology
- To explain the relationship between honey pots and IDS
- To explain, analyze and evaluate the IDS policy

- IDS location
- Honey pots vs. IDS
- IDS policy

- NIDS
  - E.g. Snort or Cisco Secure IDS
  - Monitors network traffic for suspicious activity
  - Often resides on subnets that are directly connected to the firewall, as well as at critical points on the internal network
- HIDS
  - E.g. Tripwire or ISS BlackICE
  - Resides on and monitors individual hosts

- IDS
  - Like a burglar alarm system in the network: it detects and alerts on malicious events
  - Many different IDS sensors are placed at strategic points in your network
  - They watch for predefined signatures of malicious events, and might perform statistical and anomaly analysis
  - When it detects suspicious events, it alerts in several different ways, e.g. paging, or simply logging the occurrence
  - Sensors report to a central database that correlates their information to view the network from multiple points


- Depends upon your network topology
- Depends upon what type of intrusion activities you want to detect: internal, external, or both
- Depends on the security policy

Example scenario:
- If you want to detect only external intrusion activities and have only one router connecting to the Internet
Recommendation:
- The best place for the IDS may be just inside the router or a firewall
- If you have multiple paths to the Internet, you may want to place one IDS box at every entry point
- However, if you want to detect internal threats as well, you may want to place a box in every network segment

Typical locations for an IDS:
- Behind each firewall and router
- If your network contains a DMZ (demilitarized zone), an IDS may be placed in that zone as well
- However, the alert generation policy should not be as strict in a DMZ as in the private parts of the network

Consists of:
- Snort: captures and analyzes the data
- MySQL: database built from the data captured by Snort
- Apache web server, with help from ACID, PHP and PHPLOT: displays the data to the user in browser windows

Diagram: an intruder tries to attack hosts present on this network; the Snort server captures the intruder data and stores it in the MySQL database using an output plug-in; an Apache web server with PHP, GD Library, and PHPLOT installed serves the data; a user looks at the intrusion data collected by Snort through a web browser.

- You can build a single computer with Snort, MySQL, Apache, ACID, PHP, PHPLOT, and GD library
Diagram: an intruder tries to attack hosts present on this network; a single computer with Snort, MySQL, Apache, ACID, PHPLOT and GD library installed captures the data; a user looks at the intrusion data collected by Snort through a web browser.

- In the enterprise, have multiple Snort sensors behind every router or firewall
- In that case, you can use a single centralized DB to collect data from all sensors
- You can run the Apache web server on this centralized DB server

Diagram: Snort sensors report across the network cloud to a centralized DB server running MySQL, Apache, ACID, PHPLOT and GD library; a user looks at the intrusion data collected by Snort through a web browser.

- Sniffer
- Packet logger
- IDS
- Free and Open Source IDS
- Monitors network traffic
- Scans for protocol anomalies
- Scans for packet payload signatures that represent potential attacks, worms, and unusual activities
- Monitoring consoles available
- Can be configured as an IPS

Diagram (Snort NIDS data flow): the input is live network traffic or previously logged network traffic, evaluated against the Snort rules; the outputs are a network traffic log, alerts to a file, and alerts to a database.

- Snort tap placement
  - Natural choke points: areas where the network topology creates a single traffic path
  - Artificial choke points: exist due to the logical topology of the network
  - Intranet trust/un-trust zone boundaries: similar to natural choke points but intra-network

- Primarily a signature based detection engine
- Example:
- While indicative of attacks, leaks, and protocol violations, false positives are generated

Example 1: "log tcp traffic from any port going to ports less than or equal to 6000"

    log tcp any any -> /24 :6000

Example 2: RPC alert call

    alert tcp any any -> / (rpc: , *,3; msg:RPC getport (TCP);)

See the Snort Users Manual for more information.
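As an added example (not code from the slides), a minimal Python matcher for Snort rule headers like the two above, showing how "any", a CIDR network and the ":6000" port range are interpreted against a packet's 5-tuple. The address 192.168.1.0/24, port 111 and RPC program 100000 are assumed sample values standing in for what the slide's examples lost; rule options are carried along but not evaluated.

```python
import ipaddress
from collections import namedtuple

# Header fields plus the option string, which is kept opaque (options are not evaluated here)
Rule = namedtuple("Rule", "action proto src_net src_ports dst_net dst_ports options")

def parse_rule(text):
    """Split a one-line Snort rule into its header fields and an opaque option string."""
    header, _, options = text.partition("(")
    fields = header.split()
    if len(fields) != 7 or fields[4] != "->":
        raise ValueError(f"unsupported rule header: {header!r}")
    action, proto, src_net, src_ports, _, dst_net, dst_ports = fields
    return Rule(action, proto, src_net, src_ports, dst_net, dst_ports,
                options.strip().rstrip(")").strip())

def net_matches(spec, ip):
    """'any' matches every address; otherwise test CIDR membership."""
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    """Snort port syntax: 'any', one port, or 'lo:hi' with either end optional (':6000' means <= 6000)."""
    if spec == "any":
        return True
    if ":" not in spec:
        return port == int(spec)
    lo, hi = spec.split(":", 1)
    return (not lo or int(lo) <= port) and (not hi or port <= int(hi))

def rule_matches(rule, pkt):
    """True when the packet's protocol, addresses and ports satisfy the rule header."""
    return (rule.proto == pkt["proto"]
            and net_matches(rule.src_net, pkt["src"]) and port_matches(rule.src_ports, pkt["sport"])
            and net_matches(rule.dst_net, pkt["dst"]) and port_matches(rule.dst_ports, pkt["dport"]))

def evaluate(rules, packets):
    """For each packet, the actions of every rule whose header it matches, e.g. ['log', 'alert']."""
    return [[r.action for r in rules if rule_matches(r, p)] for p in packets]

# Assumed sample rules: the slide's address and port values were lost in extraction, so
# 192.168.1.0/24, port 111 and RPC program 100000 are filled in here as illustrative values.
RULES = [
    parse_rule("log tcp any any -> 192.168.1.0/24 :6000"),
    parse_rule('alert tcp any any -> 192.168.1.0/24 111 (rpc: 100000,*,3; msg:"RPC getport (TCP)";)'),
]
# Constructed sample packets (not captured traffic): a portmapper connection and one to port 8080.
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40000, "dst": "192.168.1.7", "dport": 111},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40001, "dst": "192.168.1.7", "dport": 8080},
]
```

The first packet matches both headers (port 111 is both equal to 111 and at most 6000), the second matches neither.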


- BASE (Basic Analysis and Security Engine)
  - Number of unique alerts
  - Alerts ordered by category
  - Today's alerts
  - Most frequent src/dest ports
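As an added example (not from the slides or from BASE itself), a Python sketch of the summaries BASE derives from the alerts that Snort sensors have stored in the central database, extended with the cross-sensor view that a centralized DB collecting from several sensors makes possible. The alert rows, sensor names and addresses are constructed sample data, not real logs.

```python
from collections import Counter, namedtuple

# One row per stored alert, in the shape of what Snort's database output plug-in records.
Alert = namedtuple("Alert", "sensor ts sig category src sport dst dport")

# Constructed sample alerts from two sensors (one in the DMZ, one on the internal LAN); not real logs.
ALERTS = [
    Alert("dmz-ids", "2024-05-14 23:58:01", "ICMP PING NMAP", "attempted-recon", "203.0.113.9", 0, "192.0.2.10", 0),
    Alert("dmz-ids", "2024-05-15 08:12:44", "RPC getport (TCP)", "rpc-portmap-decode", "203.0.113.9", 41234, "192.0.2.10", 111),
    Alert("lan-ids", "2024-05-15 08:12:45", "RPC getport (TCP)", "rpc-portmap-decode", "203.0.113.9", 41235, "10.0.0.11", 111),
    Alert("dmz-ids", "2024-05-15 09:30:00", "WEB-MISC /etc/passwd", "web-application-attack", "198.51.100.4", 51000, "192.0.2.20", 80),
    Alert("dmz-ids", "2024-05-15 09:31:10", "WEB-MISC /etc/passwd", "web-application-attack", "198.51.100.4", 51001, "192.0.2.20", 80),
    Alert("dmz-ids", "2024-05-15 09:32:00", "WEB-MISC /etc/passwd", "web-application-attack", "198.51.100.4", 51002, "192.0.2.20", 80),
    Alert("lan-ids", "2024-05-15 11:02:19", "SNMP public access udp", "attempted-recon", "203.0.113.9", 33000, "10.0.0.30", 161),
]

def unique_alerts(alerts):
    """Number of distinct signatures (BASE's 'unique alerts' figure)."""
    return len({a.sig for a in alerts})

def alerts_by_category(alerts):
    """(category, count) pairs, most frequent category first."""
    return Counter(a.category for a in alerts).most_common()

def todays_alerts(alerts, today):
    """Alerts dated `today`, given as 'YYYY-MM-DD' (the ts column is 'YYYY-MM-DD HH:MM:SS')."""
    return [a for a in alerts if a.ts[:10] == today]

def top_ports(alerts, n=3):
    """Most frequent destination and source ports as (port, count) lists."""
    return {"dst": Counter(a.dport for a in alerts).most_common(n),
            "src": Counter(a.sport for a in alerts).most_common(n)}

def sources_seen_by_multiple_sensors(alerts):
    """Source addresses reported by more than one sensor: the multi-point view a central DB gives."""
    sensors_per_src = {}
    for a in alerts:
        sensors_per_src.setdefault(a.src, set()).add(a.sensor)
    return {src for src, sensors in sensors_per_src.items() if len(sensors) > 1}
```

On the sample rows, 203.0.113.9 is the only source that both the DMZ and the LAN sensor reported, which neither sensor's own console would show by itself.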


- A honey pot is, roughly, a system that is deliberately named and configured so as to invite attack
- Goals:
  - Make it look inviting
  - Make it look weak and easy to crack
  - Instrument every piece of the system
  - Monitor all traffic going in or out
  - Alert the administrator whenever someone accesses the system
- Trivial honey pots can be built using tools like:
  - tcpwrapper
  - Restricted/logging shells (sudo, adminshell)

- Pros:
  - Easy to implement
  - Easy to understand
  - Reliable
  - No performance cost
- Cons:
  - Assumes hackers are really stupid; they aren't!

- When should you install a honey pot?
  - ...if your organization has enough resources (hardware and personnel) to track down hackers
  - Otherwise there is no need to install a honey pot, as you can't use the data
- A honey pot is useful only if you want to use the information gathered
- Also if you want to prosecute hackers by gathering evidence of their activities

- project.honeypot.org/
- Honeyd:
- South Florida Honeynet Project:
- etc.

- Before you install an IDS on your network, you must have a policy:
  - To detect intruders and take action when you find such activity
  - A policy must dictate IDS rules and how they will be applied
- Depending upon your requirements:
  - Who will monitor the IDS
  - Who will administer the IDS, rotate logs and so on
  - Who will handle incidents and how
  - What will be the escalation process (level 1, level 2, and so on)
  - Reporting
  - Signature updates
- Documentation is required for every project

- Snort provides another tool in the toolkit and can help provide information about exactly who is talking to whom on the network
- The usage of different types of IDS depends on the type of user/organization
- Each type of IDS has its own strengths and weaknesses
- Where to position the IDS in the network depends on your network topology and the type of intrusion activities you want to detect
- Based on the IDS policy you will get a clear idea of how many IDS sensors and other resources are required for your network