Intrusion Detection System (IDS) Basics LTJG Lemuel S. Lawrence Presentation for IS Sept 2004

Agenda The Problem Protection Firewall vs. IDS IDS Basics –Types Host Host Network Network –Passive and reactive systems Conclusion

The Problem Hackers –Internal –External Inherent holes in your security set up –Not configured properly –Patches not up to date or available –Virus definitions not up to date or available

The Problem "There's nothing on my system that anybody would want anyway". that anybody would want anyway". Legal Liability –Inappropriate content (child pornography, hosting illegal files such as.mp3 files, etc.) –You are potentially liable for damages caused by a hacker using your machine. Must be able to prove to the court that you took "reasonable" measures to defend yourself from hackers (i.e. cyber bank robbery from your computer as the host).

How do you protect yourself? Layered security setup –IDS –Firewall –Antivirus Applying the 3 basic security principles –Vulnerabilities –Threats –Countermeasures

Firewall vs. IDS Firewall: Software that is designed to restrict access to an organization's network or its Intranet (The Fence) IDS: A system that tries to identify attempts to hack or break into a computer system or to misuse it. IDS's may monitor packets passing over the network, monitor system files, monitor log files, or set up deception systems that attempt to trap hackers (The Guard Dog)

Why do we need both? Firewalls as stated are designed to block unwanted traffic. A common misunderstanding is that firewalls recognize attacks and block them. This is not true. The firewall administrator carefully adds "rules" that allow specific types of traffic to go through the firewall. For example, a typical corporate firewall allowing access to the Internet would stop all UDP, stops incoming TCP connections, but allows outgoing TCP connections. This stops all incoming connections from Internet hackers, but still allows internal users to connect in the outgoing direction. Firewalls only limit access they don’t “recognize” but merely block what the administrator tells it to.

Why do we need both? firewalls are only at the boundary to your network. Roughly 80% of all financial losses due to hacking come from inside the network! –A firewall at the perimeter of the network sees nothing going on inside; it only sees that traffic which passes between the internal network and the Internet IDS capabilities –Double-checks misconfigured firewalls –Catches attacks that firewalls legitimately allow through (such as attacks against web servers and internal attacks) –Catches attempts that fail –Catches insider hacking

Why do we need both? Hackers are much more capable than you think; the more defense you have, the better. And they still won't protect you from the determined hacker. They will, however, raise the bar on determination needed by the hackers.

Types of IDS Host Based Network Based (NIDS)

Host Based IDS Host based Intrusion Detection Systems role is to identify tampering or malicious activity occurring on the system. –Monitors log files, users, and the file system for evidence of malicious or suspicious application activity in real time. –Monitors log files, users, and the file system for evidence of malicious or suspicious application activity in real time. –Can use system logs, application logs, host traffic, key system files, and in some instances firewall logs as its data source.

Host Based Some of the activities that Host based can monitor include: –user specific actions –Access to system log files, running processes, and files system –success/failure of an attack –Attacks that use NIDS evasion techniques i.e. makes it through firewall, undetected by NIDS and has a successful attack on system/network

Network Based Monitor both incoming and outgoing traffic. Typically deployed on standalone systems in front of firewalls or at key network choke points for large or complicated networks. Typically deployed on standalone systems in front of firewalls or at key network choke points for large or complicated networks. There are two forms of NIDS, –Pattern Matching –Anomaly based. NIDS use network traffic as its source; monitoring network traffic in real time, and alerting in near real time.

Network Based Pattern matching –Most IDS follow this standard. –Is a Knowledge based system –The intrusion detection system contains prior information about specific attacks and vulnerabilities. –Applies this to incoming and outgoing traffic by inspecting each packet against its signature database. –When such a condition is met, an alarm is triggered and the administrator is notified. The accuracy of a Knowledge based system relies on its signature databases

Network Based Anomoly matching –Creates a profile of normal network traffic. –Any anomalous/irregular traffic that is seen will be considered suspicious, thus an alarm is generated. –Detection of suspicious events can be implemented in various ways i.e. Protocol analysis/decoding, traffic doesn't comply with normal traffic criteria. –Detection of suspicious events can be implemented in various ways i.e. Protocol analysis/decoding, traffic doesn't comply with normal traffic criteria.

Passive and Reactive IDS Host and Network based systems can either be passive systems or reactive based systems Most network-based systems are passive with reactive capabilities Passive –detect possible attacks, log the information and issue an alert Reactive –attempt to react in some way to the malicious content it has spotted such as change firewall settings and/or permissions as appropriate –Though reactive systems implement nice defensive mechanisms, they are still prone to false positives

Reactive Network Based Have the ability to react while watching the network, instead of a per system basis. Authority to be reactive for a wide range of systems. More control per one intrusion detection system Methods of preventing/reacting –prevent known network/host based attacks from occurring –Insertion of Firewall rules –Packet Scrubbing

Reactive Host Based Events are entered into log files after completion, thus to rely on reading log files for reactive tactics won't work. Reactive host based systems tend to watch the actual file system (i.e. kernel) for malicious or illegal content –Improper privilege escalation While watching system calls and the kernel, an attempt to escalate privileges can be seen, a reactive host based IDS can attempt to defeat this by ending the process. –Logging off malicious users If activity is encountered that appears to be malicious, a reactive system can log the offending user off the system and block him from accessing the system until further notice and inform an administrator of that host.

Conclusion Problem –Hackers –Protecting yourself –Legal liability IDS vs. Firewall –Need for both the “Fence” and the “Guard Dog” Host and Network based IDS Passive and Reactive IDS

Questions?