Distributed IDS The implementation of a Distributed Intrusion Detection System over a medium scale open network where the focus is availability of services.


Distributed IDS The implementation of a Distributed Intrusion Detection System over a medium scale open network where the focus is availability of services. Darian Jenik - Network Management Queensland University of Technology

What IDS is: IDS is a combination of methods for determining the presence and location of unauthorized activity on the computer network. IDS is the detection and reporting of security vulnerabilities. IDS is the logging and detection of internal users' “misdemeanors” to protect against liability.

What IDS is not: IDS is NOT security. For security you need: a good security policy that is both documented and adhered to; good security practice by system administrators; hardened perimeter firewalls and “DMZ” firewalls. IDS is not a product. IDS is not a sensor.

The scale of the problem: approximately hosts, 100 web servers, 300 “servers” of other type; students, system administrators, IAS.

IDS should perform the following tasks: detect known violations to host integrity by passively watching network traffic; respond to attempted violations by blocking external IP addresses; respond to probes from outside by blocking external IP addresses; find and report usage inconsistencies that indicate account/quota theft; detect violations by monitoring information (web pages etc.); help log and establish traffic/host usage patterns for future reference and comparison.

Detect known violations to host integrity by passively watching network traffic. Just one type of sensor? IDS sensors: gateways, traditionally. Put IDS sensors on hosts as well, to look after the specific services running on those hosts and to detect port scans.

Respond to attempted violations by blocking external IP addresses. Make sure the IDS is able to respond and send commands to firewalls and/or hosts: the IDS sends RST packets to both ends of the connection, and the IDS is able to insert rules into the border firewall.

Respond to probes from outside by blocking external IP addresses. Attempts to open ports on servers that are not enabled (collate the reports from multiple servers at a single location). Make “flypaper” IP addresses that have never been used for anything, which serve to pick up slow probes.
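As an added example (not code from the presentation), here is how the collation step for this and the previous slide could work: closed-port rejects reported by several servers and any contact with a flypaper address are grouped per external source, and sources over a threshold are turned into rules for the border firewall. The log format, host names, enabled-port table and addresses are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample: closed-port reject records from several servers, as they
# would arrive at the central console. The format is assumed, not from the slides.
SAMPLE_LOGS = """\
web1 REJECT src=203.0.113.9 dst=192.0.2.10 dport=22
web1 REJECT src=203.0.113.9 dst=192.0.2.10 dport=23
mail1 REJECT src=203.0.113.9 dst=192.0.2.20 dport=111
web2 REJECT src=198.51.100.4 dst=192.0.2.11 dport=80
fly1 REJECT src=198.51.100.77 dst=192.0.2.250 dport=80
"""

# Services each host is meant to expose; anything else is a closed port.
ENABLED = {"web1": {80, 443}, "web2": {80, 443}, "mail1": {25, 110}}
# "Flypaper" addresses have never been used for anything, so any contact is a probe.
FLYPAPER = {"192.0.2.250", "192.0.2.251"}
LINE = re.compile(r"^(\S+) REJECT src=(\S+) dst=(\S+) dport=(\d+)$")

def collate(log_text):
    """Group closed-port hits per external source across all reporting servers."""
    probes = defaultdict(set)      # src -> {(host, dport)}
    flypaper_hits = set()
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        host, src, dst, dport = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if dst in FLYPAPER:
            flypaper_hits.add(src)
        if dport not in ENABLED.get(host, set()):
            probes[src].add((host, dport))
    return probes, flypaper_hits

def block_list(log_text, threshold=3):
    """Sources to block: >= threshold closed ports across servers, or any flypaper hit."""
    probes, flypaper_hits = collate(log_text)
    chosen = {src for src, hits in probes.items() if len(hits) >= threshold}
    return sorted(chosen | flypaper_hits)

def ipchains_rules(sources):
    """Rules the console would push to the border firewall (ipchains, as on the slides)."""
    return [f"ipchains -I input -s {src} -j DENY" for src in sources]
```

Because source addresses can be spoofed, keep the threshold and exclude your own and your peers' address ranges from auto-blocking, otherwise the responder itself becomes a way to cut off legitimate traffic.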

Find and report usage inconsistencies that indicate account/quota theft. Determine that the accounts authorized at the locations (dial-in/PC) are the same accounts using other services (mail/proxy/other logins). Failed attempts to log in to services. Accounts being used simultaneously at various locations.
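An added example of the two checks on this slide, not from the presentation: session records collected centrally are correlated per account to find an account active at two different locations at the same time, and failed logins are counted per account and service. The record layout, account names and locations are constructed.

```python
from datetime import datetime
from collections import defaultdict

# Constructed sample records as a central collector might normalise them:
# account, service, location (dial-in pool, PC lab, ...), start, end.
SESSIONS = [
    ("alice", "dialin", "modem-pool", "2001-05-01 09:00", "2001-05-01 11:00"),
    ("alice", "proxy",  "lab-B",      "2001-05-01 09:30", "2001-05-01 10:00"),
    ("bob",   "dialin", "modem-pool", "2001-05-01 08:00", "2001-05-01 09:00"),
    ("bob",   "mail",   "modem-pool", "2001-05-01 08:10", "2001-05-01 08:20"),
    ("carol", "pc",     "lab-A",      "2001-05-01 13:00", "2001-05-01 14:00"),
    ("carol", "pc",     "lab-C",      "2001-05-01 14:30", "2001-05-01 15:00"),
]
# Constructed failed-login records: account, service, source location.
FAILURES = [("bob", "mail", "lab-A")] * 6 + [("alice", "mail", "modem-pool")]

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

def overlapping_use(sessions):
    """Accounts whose sessions overlap in time at two different locations."""
    by_acct = defaultdict(list)
    for acct, svc, loc, start, end in sessions:
        by_acct[acct].append((loc, _ts(start), _ts(end)))
    flagged = {}
    for acct, items in by_acct.items():
        for i, (loc1, s1, e1) in enumerate(items):
            for loc2, s2, e2 in items[i + 1:]:
                # Same account, different place, and the intervals intersect.
                if loc1 != loc2 and s1 < e2 and s2 < e1:
                    flagged.setdefault(acct, set()).update({loc1, loc2})
    return flagged

def repeated_failures(failures, threshold=5):
    """(account, service) pairs with at least `threshold` failed logins."""
    counts = defaultdict(int)
    for acct, svc, _loc in failures:
        counts[(acct, svc)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}
```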

Detect violations by monitoring information (web pages etc.): graffiti, DNS spoofing, warez repositories. Ensure that the monitoring is external as well as internal.
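An added example (not from the presentation) of why the slide asks for both external and internal monitoring: a page hash and the address it resolved to are taken from an inside sensor and from a host outside the perimeter, and the pair is classified against a baseline. The baseline content, address and the fetch results are constructed; a real monitor would obtain them by HTTP and DNS from each vantage point.

```python
import hashlib

# Constructed baseline: what the page and its DNS answer should be.
BASELINE_BODY = b"<html>QUT home page</html>"
BASELINE_HASH = hashlib.sha256(BASELINE_BODY).hexdigest()
BASELINE_ADDR = "192.0.2.10"

def classify(internal_body, internal_addr, external_body, external_addr):
    """Classify one monitored page from what the two vantage points observed."""
    h_int = hashlib.sha256(internal_body).hexdigest()
    h_ext = hashlib.sha256(external_body).hexdigest()
    if internal_addr == BASELINE_ADDR and external_addr != BASELINE_ADDR:
        return "dns-spoofed"     # outside resolvers are handed a different address
    if h_int == BASELINE_HASH and h_ext == BASELINE_HASH:
        return "ok"
    if h_int != BASELINE_HASH and h_ext != BASELINE_HASH:
        return "defaced"         # server content itself changed (graffiti)
    return "split-content"       # only one vantage differs: something between them

def report(observations):
    """observations: {name: (int_body, int_addr, ext_body, ext_addr)} -> non-ok pages."""
    return {name: classify(*obs) for name, obs in observations.items()
            if classify(*obs) != "ok"}
```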

Help log and establish traffic usage patterns for future reference and comparison: central syslog collecting and analysis, Tripwire, Nmap database, performance and usage analysis.

Open source. Just about any platform (including Windows). Many plugins and external modules. Frequent rules updates.

Snort Plugins: databases (MySQL, Oracle, PostgreSQL, unixODBC); Spade (Statistical Packet Anomaly Detection Engine); FlexResp (session response/closing); XML output; TCP streams (stream single-byte reassembly).

Snort Add-ons: Acid (Analysis Console for Intrusion Detection) - PHP. Guardian – IPCHAINS rules modifier (Girr – remover). SnortSnarf - HTML. Snortlog – syslog. “Ruleset retrieve” – automatic rules updater. Snorticus – central multi-sensor manager – shell. LogSnorter – syslog > Snort SQL database information adder. Plus a few Win32 bits and pieces.

Acid + Snort: Acid is a CERT project. Pretty simple PHP3 to MySQL. Quite customizable. Simple GUI for casual browsing.

Main Console

Individual alerts

Securityfocus, Whitehats, CVE

Rule details

Incident details

Incident Details

Questions ?

URLS (Intrusion signatures data) (Intrusion signatures data) (Intrusion signatures data) (logcheck + hostsentry)