Distributed IDS The implementation of a Distributed Intrusion Detection System over a medium scale open network where the focus is availability of services.
Presentation transcript:

Distributed IDS The implementation of a Distributed Intrusion Detection System over a medium scale open network where the focus is availability of services. Darian Jenik - Network Management Queensland University of Technology

What we hope to achieve: Learn about the nature of traffic flowing on the network. Catch attempts to compromise host security. Detect compromised hosts on the network. Discover holes and incorrect configurations on existing services. Take a proactive rather than reactive approach to dealing with security issues.

What IDS is not: IDS is NOT security – For security you need: Good security policy that is both documented and adhered to. Good security practice by system administrators. Hardened perimeter firewalls and “DMZ” firewalls. IDS is not a “product”. IDS is not a “sensor”.

What information can it provide: Denials, scans, vulnerable services, etc. Other input sources (Tripwire, syslog, firewall…) Cross referencing allows individual events that seem innocent to take on more meaning in context.

Where do we put the sensor: Traditionally – gateway(s). Port mirroring? (50+ data cabinets) Preferably everywhere. This would normally cost $$$$$ but open source makes this possible.

The scale of the problem Approximately hosts 100 web servers 300 “servers” of other type Students System Administrators IAS

The scale of the problem - simplified (network diagram: Outside 1, Outside 2, GW, Inside 1, Inside 2, 10meg -> 1 Gig, Servers, User hosts)

The scale of the problem contd….. (same diagram, annotated “Bad!!”)

The scale of the problem contd….. (same diagram, annotated “Worse!!”)

The scale of the problem contd….. (same diagram)

The scale of the problem contd….. (same diagram)

Dealing with the volume of information Manually examine each incident (initially). Classify and build up a database of false positives. Use the power of the SQL database to look for patterns and “repeats”

IDS should perform the following tasks: Detect known violations to host integrity by passively watching network traffic. Respond to attempted violations by blocking external IP addresses. Respond to probes from outside by blocking external IP addresses. Find and report usage inconsistencies that indicate account/quota theft. Detect violations by monitoring information (web pages, etc.). Help log and establish traffic/host usage patterns for future reference and comparison.

Respond to attempted violations by blocking external IP addresses. Make sure the IDS is able to respond and send commands to firewalls and/or hosts. IDS sends RST packets to both ends of the connection. IDS is able to insert rules into border firewall.

Respond to probes from outside by blocking external IP addresses. Attempts to open ports on servers that are not enabled. Make “flypaper” IP addresses that have never been used for anything, which serve to pick up slow probes.
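The two slides above on triaging alert volume (a false-positive database and SQL queries for repeats) and on “flypaper” addresses can be put together in a small SQLite workflow. This is an added example, not code from the presentation: the alert lines, the flypaper addresses and the false-positive entry are all constructed, and the line layout the regex assumes is the Snort fast-alert format.

```python
import re
import sqlite3

# Snort "alert_fast" line layout (an assumption about that format, not the slides' code).
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.+?) \[\*\*\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?"
)

# Constructed sample alerts (not real traffic): one outside host probing, one inside SNMP poller.
SAMPLE_ALERTS = """\
03/12-10:01:02.123456 [**] [1:1000001:1] WEB-MISC /etc/passwd access [**] {TCP} 203.0.113.9:41231 -> 198.51.100.10:80
03/12-10:02:12.000000 [**] [1:1000002:1] ICMP PING NMAP [**] {ICMP} 203.0.113.9 -> 198.51.100.250
03/12-10:05:40.000000 [**] [1:1000002:1] ICMP PING NMAP [**] {ICMP} 203.0.113.9 -> 198.51.100.251
03/12-10:07:00.000000 [**] [1:1000003:1] SNMP public access udp [**] {UDP} 198.51.100.5:1025 -> 198.51.100.20:161
03/12-11:20:00.000000 [**] [1:1000003:1] SNMP public access udp [**] {UDP} 198.51.100.5:1026 -> 198.51.100.20:161
"""
# Constructed: addresses never assigned to any service ("flypaper") and one reviewed false positive.
FLYPAPER = ["198.51.100.250", "198.51.100.251"]
FALSE_POSITIVES = [(1000003, "198.51.100.5")]  # (sid, src): our own SNMP poller, classified by hand


def build_db(alert_text=SAMPLE_ALERTS):
    """Load alerts, the analyst's false-positive table and the flypaper list into in-memory SQLite."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE alert (sid INTEGER, msg TEXT, proto TEXT, src TEXT, dst TEXT)")
    db.execute("CREATE TABLE false_positive (sid INTEGER, src TEXT)")
    db.execute("CREATE TABLE flypaper (ip TEXT)")
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if m:  # skip blank or truncated lines rather than crash on them
            db.execute("INSERT INTO alert VALUES (?,?,?,?,?)",
                       (int(m["sid"]), m["msg"], m["proto"], m["src"], m["dst"]))
    db.executemany("INSERT INTO false_positive VALUES (?,?)", FALSE_POSITIVES)
    db.executemany("INSERT INTO flypaper VALUES (?)", [(ip,) for ip in FLYPAPER])
    return db


def repeat_sources(db, min_hits=2):
    """Sources with repeated alerts, ignoring (sid, src) pairs already classified as false positives."""
    return db.execute("""
        SELECT a.src, COUNT(*), COUNT(DISTINCT a.sid) FROM alert a
        LEFT JOIN false_positive f ON f.sid = a.sid AND f.src = a.src
        WHERE f.src IS NULL
        GROUP BY a.src HAVING COUNT(*) >= ? ORDER BY COUNT(*) DESC""", (min_hits,)).fetchall()


def flypaper_sources(db):
    """Any packet to a flypaper address is suspect; count how many such addresses each source touched."""
    return db.execute("""
        SELECT src, COUNT(DISTINCT dst) FROM alert
        WHERE dst IN (SELECT ip FROM flypaper) GROUP BY src ORDER BY 2 DESC""").fetchall()
```

The inside poller drops out of `repeat_sources` once its (sid, src) pair is in the false-positive table, while the outside host shows up in both queries because it hit two flypaper addresses that nothing legitimate ever talks to.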

Supporting information sources that can be fed into the database: Central syslog collection and analysis. Tripwire. “Nmap” database. Performance and usage analysis.

Open Source: Just about any platform (including Windows). Many plugins and external modules. Frequent rules updates.

Snort Plugins: Databases (MySQL, Oracle, PostgreSQL, unixODBC). Spade (Statistical Packet Anomaly Detection Engine). FlexResp (session response/closing). XML output. TCP streams (stream single-byte reassembly).

Snort Add-ons: Acid (Analysis Console for Intrusion Detection) - PHP. Guardian – IPCHAINS rules modifier (Girr – remover). SnortSnarf - HTML. Snortlog – syslog. “Ruleset retrieve” – automatic rules updater. Snorticus – central multi-sensor manager – shell. LogSnorter – syslog -> Snort SQL database information adder. + a few win32 bits and pieces.

Snort + Acid = ? Acid is a CERT project. Pretty simple PHP to MySQL. Quite customizable. Simple GUI for casual browsing.

Main Console

Individual alerts

Securityfocus Whitehats CVE

Rule details

Incident details

Incident Details

URLs (Intrusion signatures data) (Intrusion signatures data) (Intrusion signatures data) (logcheck + hostsentry)