Slide 1: Intrusion Detection
cs490ns - cotter

Slide 2: Outline
What is it?
What types are there?
– Network based
– Host based
– Stack based
Benefits of each
Example Implementations
Difference between active and passive detection
HoneyPots

Slide 3: Intrusion Detection System (IDS)
Detects malicious activity in computer systems
– Identifies and stops attacks in progress
– Conducts forensic analysis once an attack is over

Slide 4: The Value of IDS
Monitors network resources to detect intrusions and attacks that were not stopped by preventive techniques (firewalls, packet-filtering routers, proxy servers)
Expands the available options for managing risk from threats and vulnerabilities

Slide 5: Negatives and Positives
An IDS must correctly identify intrusions and attacks
– True positives
– True negatives
False positives
– Benign activity reported as malicious
False negatives
– The IDS missed an attack

Slide 6: Dealing with False Results
False positives
– Reduce their number through the tuning process
False negatives
– Obtain more coverage by combining network-based and host-based IDS
– Deploy NIDS at multiple strategic locations in the network
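The four outcomes from slides 5 and 6, worked through in code. This is an added example and not part of the original slides: the events, the two rules and the tuning exclusion are all constructed. It scores a simple signature detector against labelled events and shows how excluding a known benign source (the tuning step) removes the false positives while leaving the false negative untouched, which is why the slide treats false negatives as a coverage problem rather than a tuning problem.

```python
"""Scoring IDS alerts against ground truth, then tuning a noisy rule.

Added example (not from the original slides). The event records, the
detection rules and the tuning exclusion are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    src: str         # source IP of the observed traffic (constructed)
    proto: str       # "icmp" or "tcp"
    dport: int       # destination port, 0 for ICMP
    malicious: bool  # ground truth, used only for scoring


# Constructed sample window: a monitoring host pings servers every minute,
# an external address sweeps with ICMP and probes telnet, an internal host
# probes telnet, and one attack uses a port neither rule covers.
EVENTS = [
    Event("10.0.0.5", "icmp", 0, False),      # monitoring host, benign
    Event("10.0.0.5", "icmp", 0, False),
    Event("10.0.0.5", "icmp", 0, False),
    Event("10.0.0.42", "tcp", 443, False),    # normal web traffic
    Event("10.0.0.42", "tcp", 443, False),
    Event("203.0.113.9", "icmp", 0, True),    # external ICMP sweep
    Event("203.0.113.9", "tcp", 23, True),    # probe of the telnet port
    Event("10.0.0.77", "tcp", 23, True),      # internal host probing telnet
    Event("10.0.0.77", "tcp", 80, False),
    Event("203.0.113.9", "tcp", 8080, True),  # attack with no matching rule
]


def rule_icmp_sweep(ev: Event, exclude: frozenset[str] = frozenset()) -> bool:
    """Alert on any ICMP traffic unless the source is on the exclusion list."""
    return ev.proto == "icmp" and ev.src not in exclude


def rule_telnet_probe(ev: Event) -> bool:
    """Alert on any connection attempt to tcp/23."""
    return ev.proto == "tcp" and ev.dport == 23


def score(events, alert_fn) -> dict[str, int]:
    """Count true/false positives and negatives for one detector."""
    counts = {"tp": 0, "tn": 0, "fp": 0, "fn": 0}
    for ev in events:
        alerted = alert_fn(ev)
        if alerted and ev.malicious:
            counts["tp"] += 1
        elif alerted and not ev.malicious:
            counts["fp"] += 1      # benign activity reported as malicious
        elif not alerted and ev.malicious:
            counts["fn"] += 1      # the IDS missed an attack
        else:
            counts["tn"] += 1
    return counts


def untuned(ev: Event) -> bool:
    return rule_icmp_sweep(ev) or rule_telnet_probe(ev)


def tuned(ev: Event) -> bool:
    # Tuning step: the known monitoring host is excluded from the ICMP rule.
    # Note the false negative on tcp/8080 remains; tuning cannot fix coverage.
    return rule_icmp_sweep(ev, frozenset({"10.0.0.5"})) or rule_telnet_probe(ev)


if __name__ == "__main__":
    print("untuned:", score(EVENTS, untuned))
    print("tuned:  ", score(EVENTS, tuned))
```

Running the block prints the two confusion matrices side by side; the only cell that changes between them is the false-positive count.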

Slide 7: Types of IDS
Network-based (NIDS)
– Monitors network traffic
– Provides an early warning system for attacks
Host-based (HIDS)
– Monitors activity on the host machine
– Able to stop compromises while they are in progress

Slide 8: Network-based IDS
Uses a dedicated platform for the purpose of monitoring network activity
Analyzes all passing traffic
Sensors have two network connections
– One operates in promiscuous mode to sniff passing traffic
– An administrative NIC sends data such as alerts to a centralized management system
Most commonly employed form of IDS

Slide 9: NIDS Interfaces
(Diagram: the NIDS monitoring interface sits on the data link with no IP address and observes the data flow; a separate interface connects to the management console.)

Slide 10: NIDS Architecture
Place IDS sensors strategically to defend the most valuable assets
Typical locations of IDS sensors
– Just inside the firewall
– On the DMZ
– On the server farm segment
– On network segments connecting mainframe or midrange hosts

Slide 11: Connecting the Monitoring Interface
Using Switch Port Analyzer (SPAN) configurations, or similar switch features
Using hubs in conjunction with switches
Using taps in conjunction with switches

Slide 12: SPAN
May be built into configurable (high-end) switches
Allows traffic sent or received on one interface to be copied to a second, monitoring interface
Typically used for sniffers or NIDS sensors

Slide 13: How SPAN Works
(Diagram: a monitored host on a switch port; the switch duplicates that port's traffic to the SPAN port, where the IDS is attached to the data link.)

Slide 14: Monitor Network Segment
(Diagram: several monitored hosts on a switch; the switch duplicates the segment's traffic to the IDS over the data link.)

Slide 15: Limitations of SPAN
Traffic between hosts on the same segment is not monitored; only traffic leaving the segment crosses the monitored link
The switch may offer a limited number of SPAN ports, or none at all

Slide 16: Hub
Device for creating LANs that forwards every packet it receives to every host on the LAN
Allows only a single port to be monitored

Slide 17: Using a Hub in a Switched Infrastructure
(Diagram: a hub placed on the data link between two switches, with the IDS and the monitored host attached.)

Slide 18: Tap
Fault-tolerant hub-like device used inline to provide IDS monitoring in switched network infrastructures

Slide 19: Using a Tap
(Diagram: a tap inline on the data link to the monitored host, with the IDS attached to the tap's monitoring port.)
The tap acts like a 3-way hub whose monitoring port is read-only

Slide 20: Typical 10/100 8-port Tap
(Photo: NetOptics tap, Networktaps.com)
Loss of power has no effect on traffic

Slide 21: NIDS Signature Types
Signature-based IDS
– Port signature
– Header signatures
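What the two signature types on this slide look like when applied to a raw packet. This is an added example and not code from the original slides: the header parser, the watched-port list and the SYN+FIN header rule are constructed for illustration. The port signature fires on the destination port alone; the header signature looks at a field combination (SYN and FIN set together) that no legitimate TCP handshake produces, which is a classic malformed-header rule. Packets the parser cannot handle are skipped rather than alerting, so a truncated or non-TCP frame does not itself become a false positive.

```python
"""Port and header signatures over raw IPv4/TCP headers.

Added example, not from the original slides. WATCHED_PORTS, the SYN+FIN
rule and the sample packets are constructed for illustration.
"""
from __future__ import annotations

import struct

# Assumption for this example: the organisation has decided these ports
# should never be reached from the monitored segment (telnet, NetBIOS session).
WATCHED_PORTS = {23, 139}

TCP_FIN = 0x01
TCP_SYN = 0x02


def parse_ipv4_tcp(packet: bytes) -> dict:
    """Parse the IPv4 header and the TCP header that follows it.

    Only the fields the signatures need are returned. Raises ValueError on
    packets that are too short or not TCP so the caller can skip them.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _total_len, _ident, _frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes
    if proto != 6:
        raise ValueError("not TCP")
    if len(packet) < ihl + 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", packet[ihl:ihl + 14])
    return {
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "ttl": ttl,
        "sport": sport,
        "dport": dport,
        "flags": off_flags & 0x01FF,    # low 9 bits are the TCP flags
    }


def sig_port(hdr: dict) -> str | None:
    """Port signature: destination port is on the watch list."""
    if hdr["dport"] in WATCHED_PORTS:
        return f"port-signature: connection to tcp/{hdr['dport']}"
    return None


def sig_header(hdr: dict) -> str | None:
    """Header signature: SYN and FIN set together is not valid TCP."""
    if hdr["flags"] & TCP_SYN and hdr["flags"] & TCP_FIN:
        return "header-signature: SYN+FIN set together"
    return None


def inspect(packet: bytes) -> list[str]:
    """Run every signature over one packet and return the alerts raised."""
    try:
        hdr = parse_ipv4_tcp(packet)
    except ValueError:
        return []                        # unparseable frames are skipped, not alerted
    return [alert for alert in (sig_port(hdr), sig_header(hdr)) if alert]


def build_packet(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Construct an IPv4+TCP header pair for testing (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 65535, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    for pkt in (build_packet("203.0.113.9", "10.0.0.7", 40000, 23, TCP_SYN),
                build_packet("203.0.113.9", "10.0.0.7", 40000, 80, TCP_SYN | TCP_FIN),
                build_packet("10.0.0.42", "10.0.0.7", 40000, 443, TCP_SYN)):
        print(inspect(pkt))
```

A real sensor would read frames off the promiscuous interface and strip the Ethernet header first; the parser here starts at the IPv4 header so the example stays offline.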

Slide 22: Network IDS Reactions
TCP resets
IP session logging
Shunning or blocking

Slide 23: Strengths of NIDS
Cost of Ownership
– Lower, because the IDS is shared
Packet Analysis
– Can look at all network traffic
Evidence Removal
– Packets are captured on a separate machine, out of the attacker's reach
Real-Time Detection and Response
– Can detect (and block) DDoS attacks
Operating System Independence

Slide 24: Host-based IDS
Primarily used to protect only critical servers
A software agent resides on the protected system
Detects intrusions by analyzing operating system and application logs, resource utilization, and other system activity
Its use of resources can have an impact on system performance

Slide 25: HIDS Method of Operation
Auditing logs (system logs, event logs, security logs, syslog)
Monitoring file checksums to identify changes
Elementary network-based signature techniques, including port activity
Intercepting and evaluating applications' requests for system resources before they are processed
Monitoring system processes for suspicious activity

Slide 26: HIDS Software
Host wrappers
– Inexpensive and deployable on all machines
– Do not provide the in-depth, active monitoring measures of agent-based HIDS products
Agent-based software
– More suited to single-purpose servers

Slide 27: HIDS Active Monitoring Capabilities
Log the event
Alert the administrator
Terminate the user login
Disable the user account

Slide 28: Advantages of Host-based IDS
Verifies the success or failure of an attack by reviewing HIDS log entries
Monitors user and system-specific activities; useful in forensic analysis of the attack
Can monitor encrypted network traffic (it sees the data after the host decrypts it)
Near real-time detection and response
– Analysis is log based, but good design mitigates much of the delay
Can focus on key system components
No additional hardware

Slide 29: Stack-based IDS
The IDS is integrated with the TCP/IP protocol stack
Allows the system to provide real-time analysis and response
Intended to have low enough overhead that each system can have its own IDS

Slide 30: Passive Detection Systems
Can take passive action (logging and alerting) when an attack is identified
Cannot take active action to stop an attack in progress

Slide 31: Active Detection Systems
Have the logging, alerting, and recording features of a passive IDS, with the additional ability to take action against offending traffic
Options
– IDS shunning or blocking
– TCP reset
Used in networks where the IDS administrator has carefully tuned the sensor's behavior to minimize the number of false positive alarms

Slide 32: Signature-based and Anomaly-based IDS
Signature detection
– Also known as misuse detection
– The IDS analyzes the information it gathers and compares it to a database of known attacks, which are identified by their individual signatures
Anomaly detection
– A baseline is defined to describe the normal state of the network or host
– Any activity outside the baseline is considered to be an attack
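The anomaly-detection half of this slide, worked through. This is an added example, not part of the original slides: the per-minute connection counts and the choice of three standard deviations as the boundary of "normal" are constructed. It learns a baseline from a window of normal activity, then flags later observations that fall outside it in either direction, since a host going completely silent is as much a deviation from its baseline as a burst. It also handles the edge case the slide's one-line definition hides: a perfectly constant baseline has a standard deviation of zero, and without a floor every change at all would be reported.

```python
"""Anomaly detection: learn a baseline of normal activity, flag deviations.

Added example (not from the original slides). The per-minute connection
counts and the three-standard-deviation threshold are constructed.
"""
from __future__ import annotations

from statistics import mean, pstdev


def learn_baseline(samples: list[int]) -> tuple[float, float]:
    """Return (mean, population std dev) of normal per-minute connection counts."""
    if len(samples) < 2:
        raise ValueError("need at least two samples to build a baseline")
    return mean(samples), pstdev(samples)


def is_anomalous(value: int, baseline: tuple[float, float], k: float = 3.0) -> bool:
    """Flag a value more than k standard deviations from the baseline mean.

    A constant training window gives sigma == 0, which would flag any change
    whatsoever, so a floor of one connection per minute is applied.
    """
    mu, sigma = baseline
    return abs(value - mu) > k * max(sigma, 1.0)


def scan(observations: list[tuple[int, int]], baseline: tuple[float, float],
         k: float = 3.0) -> list[tuple[int, int]]:
    """Return the (minute, count) observations that fall outside the baseline."""
    return [(minute, count) for minute, count in observations
            if is_anomalous(count, baseline, k)]


# Constructed training window: outbound connections per minute from one host.
NORMAL = [12, 15, 11, 14, 13, 16, 12, 14, 15, 13, 12, 14]

# Constructed observation window: minute 3 shows a burst, minute 5 total silence.
OBSERVED = [(0, 13), (1, 14), (2, 12), (3, 140), (4, 15), (5, 0)]


if __name__ == "__main__":
    base = learn_baseline(NORMAL)
    print(f"baseline mean={base[0]:.2f} sigma={base[1]:.2f}")
    for minute, count in scan(OBSERVED, base):
        print(f"minute {minute}: {count} connections is outside the baseline")
```

The value of k is the anomaly-detection equivalent of tuning a signature: lowering it catches smaller deviations at the cost of more false positives, which is the trade-off slide 6 describes.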

Slide 33: Intrusion Detection Products
Aladdin Knowledge Systems
Entercept Security Technologies
Cisco Systems, Inc.
Computer Associates International Inc.
CyberSafe Corp.
Cylant Technology
Enterasys Networks Inc.
Internet Security Systems Inc.
Intrusion.com Inc. family of IDS products

Slide 34: Intrusion Detection Products (cont.)
NFR Security
Network-1 Security Solutions
Raytheon Co.
Recourse Technologies
Sanctum Inc.
Snort
Sourcefire, Inc.
Symantec Corp.
TripWire Inc.

Slide 35: Honeypots
False systems that lure intruders and gather information on the methods and techniques they use to penetrate networks, by purposely becoming victims of their attacks
Simulate unsecured network services
Make the forensic process easy for investigators

Slide 36: Honeypot Architecture
(Diagram: honeypot servers on a data link behind a switch and a router.)

Slide 37: Commercial Honeypots
KFSensor –
NetBait – www2.netbaitinc.com:5080
Specter –
Decoy Server –

Slide 38: Open Source Honeypots
Argos –
HoneyNet Project –
Honeyd –
The Deception Toolkit –

Slide 39: Honeypot Deployment
Goal
– Gather information on hacker techniques, methodology, and tools
Options
– Conduct research into hacker methods
– Detect an attacker inside the organization's network perimeter

Slide 40: Honeypot Design
Must attract, and avoid tipping off, the attacker
Must not become a staging ground for attacking other hosts inside or outside the firewall

Slide 41: Honeypots, Ethics, and the Law
Nothing wrong with deceiving an attacker into thinking that he/she is penetrating an actual host
A honeypot does not convince anyone to attack it; it merely appears to be a vulnerable target
Doubtful that honeypots could be used as evidence in court

Slide 42: References
Security+ Guide to Network Security Fundamentals – Campbell, Calvert, Boswell – Course Technology, 2003
HowTo Guide for IDS –

Slide 43: Summary
What is Intrusion Detection?
What types are there?
– Network based
– Host based
– Stack based
Benefits of each
Example Implementations
Difference between active and passive detection
HoneyPots