
1 Network Security Monitoring
COEN 250

2 Indicators and Warnings
Indicator: “an item of information which reflects the intention or capability of a potential enemy to adopt or reject a course of action”*
Indications and Warnings: “the strategic monitoring of world military, economic, and political events to ensure that they are not the precursor to hostile or other activities which are contrary to U.S. interests”**
* DoD Dictionary of Military Terms
** U.S. Army Intelligence, Document on Indicators in Operations Other Than War

3 Indicators and Warnings
Indicators
  - Indicators generated by an Intrusion Detection System (IDS) are alerts
  - Examples: a web server initiates an outbound FTP connection to a site in Russia; a spike in ICMP messages
Warnings
  - Result of the analyst’s interpretation of an indicator
  - Escalation of a warning:
    - Conclusion that the warning warrants further analysis
    - Conclusion that the warning is indeed an incident, which triggers incident response

4 Intrusion Detection Systems
Intrusion detection
  - Process of monitoring events occurring in a computer system or network
  - Analyzing them for signs of possible incidents
Incident
  - Violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices
  - Arises from malware, attacks, or honest errors

5 Intrusion Detection Systems
  - Intrusion Detection System: software that automates the detection process
  - Intrusion Prevention System: additionally has the capacity to stop some possible incidents

6 Intrusion Detection Systems
Key functions of IDS technology
  - Recording information related to observed events
  - Notifying security administrators of important observed events
  - Producing reports
IDPS technology can be augmented by human analysis

7 Intrusion Detection Systems
Key functions of IPS technology
  - IPS stops the attack itself
    - Terminate the network connection
    - Terminate the user session
    - Block access to the target from the offending user account or IP address
    - Block all access to the target
  - IPS changes the security environment: reconfigures other security controls to disrupt the attack
    - Reconfiguring a network device
    - Altering a host-based firewall
    - Applying patches to a host it detects is vulnerable

8 Intrusion Detection Systems
Key functions of IPS technology
  - IPS changes the attack’s contents
    - Remove or replace malicious portions of an attack
    - Remove an infected file attachment from an e-mail, but allow the e-mail sans attachment to reach its destination
    - IPS acts as a proxy and normalizes incoming requests

9 Intrusion Detection Systems
  - Current IDPS technology has false positives and false negatives
  - Attackers use evasion techniques, e.g. using escaping

10 Intrusion Detection Systems Common Detection Methodologies
Signature-Based Detection
  - A signature is a pattern corresponding to a known threat
  - Examples
    - Telnet attempt with user name “root”
    - E-mail with “You received a picture from a *”
    - OS system log entry indicating that the host’s auditing has been disabled

11 Intrusion Detection Systems Common Detection Methodologies
Signature-Based Detection
  - Very effective against known threats
  - Basically ineffective against unknown threats
  - Subject to evasion by polymorphic attacks
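As an added illustration (not from the original slides), a minimal signature matcher over constructed log lines: the patterns follow the slides' own examples, and the last event shows how an escaped variant slips past a raw pattern but not past a matcher that normalizes the event first.

```python
import re
from urllib.parse import unquote

# Named signatures (regular expressions over one event line). The event
# format is constructed for this example; the patterns follow the slides'
# examples: telnet login as root, the picture-lure mail, auditing disabled.
SIGNATURES = {
    "telnet-root-login": re.compile(r"telnet .*\buser=root\b", re.IGNORECASE),
    "picture-lure-mail": re.compile(r'subject="You received a picture from a .*"', re.IGNORECASE),
    "auditing-disabled": re.compile(r"auditd?:? .*(stopped|disabled)", re.IGNORECASE),
}

def match_signatures(events, signatures=SIGNATURES, normalize=False):
    """Return (event_index, signature_name) pairs, in event order.
    With normalize=True each event is URL-decoded before matching, the
    standard counter to the 'escaping' evasion the slides mention: the
    signature is then applied to what the target would actually see."""
    hits = []
    for i, line in enumerate(events):
        text = unquote(line) if normalize else line
        for name, pattern in signatures.items():
            if pattern.search(text):
                hits.append((i, name))
    return hits

# Constructed sample events (not from the original page).
EVENTS = [
    "10:00:01 telnet src=10.0.0.5 dst=10.0.0.9 user=root",        # matches as written
    "10:00:02 sshd src=10.0.0.5 dst=10.0.0.9 user=alice",          # benign
    '10:00:03 smtp from=x@example.org subject="You received a picture from a friend"',
    "10:00:04 kernel auditd: audit logging disabled by pid=4242",  # host auditing switched off
    "10:00:05 telnet src=10.0.0.7 dst=10.0.0.9 user=%72oot",       # same login, URL-escaped
]

def raw_hits():
    """Signature-only matching: the escaped variant (event 4) is a false negative."""
    return match_signatures(EVENTS)

def normalized_hits():
    """Decode first, then match: event 4 is caught as well."""
    return match_signatures(EVENTS, normalize=True)
```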

12 Intrusion Detection Systems Common Detection Methodologies
Anomaly-Based Detection
  - Relies on comparing definitions of normal activity against observed events
  - Identifies significant deviations
  - An anomaly-based IDPS has profiles
    - Representing normal behavior of actors and activities: users, hosts, network connections, applications
    - Developed through observation over time

13 Intrusion Detection Systems Common Detection Methodologies
Anomaly-Based Detection
  - Profile examples:
    - Amount of e-mail a user sends
    - Bandwidth of web activities
    - Number of failed login attempts for a host
    - Level of processor utilization for a host

14 Intrusion Detection Systems Common Detection Methodologies
Anomaly-Based Detection
  - Can be effective at detecting unknown threats
  - Depends on the accuracy of profiles
    - Inadvertent inclusion of malicious activity in a profile
    - Dynamic profiles can be subverted by an attacker who increases activity slowly
    - Static profiles generate false positives if usage patterns change
  - Subject to stealth attacks
  - Makes it difficult for a human analyst to find the reason for an alert
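Added example, not part of the original presentation: a dynamic (EWMA) profile and a static profile for one host's failed-login count per hour, run over constructed series to show the two failure modes listed above (a slow ramp walks the dynamic profile up unnoticed; a legitimate change in usage makes the static profile alert every hour). The values for alpha, factor and the training window are assumptions.

```python
def dynamic_profile_alerts(series, alpha=0.5, factor=3.0):
    """Dynamic profile: an exponentially weighted moving average of the
    metric is the learned 'normal'; an observation above factor * profile
    is an alert. Every observation is folded into the profile, alert or
    not, which is what lets a patient attacker drag the baseline along
    (the slide's 'inadvertent inclusion of malicious activity')."""
    alerts, profile = [], float(series[0])
    for i, x in enumerate(series[1:], start=1):
        if x > factor * profile:
            alerts.append(i)
        profile = (1 - alpha) * profile + alpha * x
    return alerts

def static_profile_alerts(series, training=5, factor=3.0):
    """Static profile: the baseline is fixed from a training window and
    never updated; anything above factor * baseline afterwards alerts."""
    baseline = sum(series[:training]) / training
    return [i for i, x in enumerate(series) if i >= training and x > factor * baseline]

# Constructed hourly counts of failed logins for one host (not from the page).
SUDDEN = [2] * 10 + [50]                          # quiet baseline, then an abrupt burst
SLOW_RAMP = [2, 3, 4, 6, 9, 13, 20, 30, 45, 50]   # the same peak, reached gradually
NEW_JOB = [2] * 5 + [8] * 5                       # legitimate change: a new batch job every hour

def run_all():
    """Alert indices for each series: (dynamic profile, static profile)."""
    return {
        "sudden": (dynamic_profile_alerts(SUDDEN), static_profile_alerts(SUDDEN)),
        "slow_ramp": (dynamic_profile_alerts(SLOW_RAMP), static_profile_alerts(SLOW_RAMP)),
        "new_job": (dynamic_profile_alerts(NEW_JOB), static_profile_alerts(NEW_JOB)),
    }
```

The slow ramp reaches the same 50 failures per hour that the sudden burst did without the dynamic profile raising a single alert, while the static profile catches the ramp but keeps alerting on the harmless new job.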

15 Intrusion Detection Systems Common Detection Methodologies
Stateful Protocol Analysis
  - Sometimes known as “deep packet inspection”
  - Compares predetermined profiles of generally accepted definitions of benign protocol activity for each protocol state against observed events to identify deviations
  - “Stateful” refers to the IDPS capability of understanding protocols

16 Intrusion Detection Systems Common Detection Methodologies
Stateful Protocol Analysis
  - Can identify unexpected sequences of commands
  - Allows tracking of authenticators for each session
  - Helpful for human analysis of suspicious activity
  - Typically includes reasonableness checks for individual commands, e.g. minimum and maximum length of arguments

17 Intrusion Detection Systems Common Detection Methodologies
Stateful Protocol Analysis
  - Uses protocol models based on standards
    - But most standards are underspecified
    - Many implementations are not completely compliant
  - Very resource intensive
  - Cannot detect attacks that do not violate a protocol
  - Detects protocol-bending attacks
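An added example (not the page's own code) of stateful protocol analysis for a simplified FTP-style login sequence; the state table and argument limits are assumed for the illustration. It flags out-of-order commands and unreasonable argument lengths, records the session's authenticator, and, as the slides note, stays silent on a session that never violates the model.

```python
# Simplified FTP-style protocol model (assumed for this example):
# which command is acceptable in each session state, and the resulting state.
TRANSITIONS = {
    "NEW": {"USER": "USER_GIVEN", "QUIT": "CLOSED"},
    "USER_GIVEN": {"PASS": "AUTHENTICATED", "QUIT": "CLOSED"},
    "AUTHENTICATED": {"RETR": "AUTHENTICATED", "STOR": "AUTHENTICATED",
                      "LIST": "AUTHENTICATED", "QUIT": "CLOSED"},
}
# Reasonableness checks per command: (min, max) argument length, assumed values.
ARG_LIMITS = {"USER": (1, 64), "PASS": (1, 64), "RETR": (1, 255),
              "STOR": (1, 255), "LIST": (0, 255), "QUIT": (0, 0)}

def analyze_session(commands):
    """Walk one client session (a list of 'CMD arg' lines) through the model.
    Returns (authenticator, alerts): the user name claimed in this session,
    and a list of (line_index, message). No alerts means the session never
    left accepted protocol behaviour, which is also why an attack that
    conforms to the protocol is not detected by this method."""
    state, user, alerts = "NEW", None, []
    for i, line in enumerate(commands):
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        lo, hi = ARG_LIMITS.get(cmd, (0, 255))
        if not lo <= len(arg) <= hi:
            alerts.append((i, f"{cmd} argument length {len(arg)} outside [{lo}, {hi}]"))
        allowed = TRANSITIONS.get(state, {})
        if cmd not in allowed:
            alerts.append((i, f"unexpected {cmd} in state {state}"))
            continue                      # model did not accept it: state unchanged
        if cmd == "USER":
            user = arg                    # track the session's authenticator
        state = allowed[cmd]
        if state == "CLOSED":
            break
    return user, alerts

# Constructed sessions (not from the original page).
GOOD = ["USER alice", "PASS s3cret", "LIST", "RETR report.pdf", "QUIT"]
OUT_OF_ORDER = ["RETR report.pdf", "USER alice", "PASS s3cret", "RETR report.pdf"]
OVERLONG = ["USER " + "A" * 300, "PASS s3cret", "QUIT"]
```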

18 Intrusion Detection Systems
Types of IDPS
  - Network-Based IDPS
  - Wireless IDPS
  - Network Behavior Analysis (NBA)
  - Host-Based IDPS

19 Intrusion Detection Systems Components
  - Sensors / Monitors: used for network activity monitoring
  - Agent: used for host-based IDPS
  - Management Server: centralized component that receives data from agents and monitors; performs correlation, i.e. matching event information from different monitors
  - Database server: repository for previously recorded event information
  - Console: interface for the IDPS

20 Network Monitors Deployment
Depends on monitoring zones
  - Perimeter: external firewall through boundary router to the internet
  - DMZ
  - Wireless
  - Intranet(s)

21 Network Monitors Data Collection Tools
  - Hubs
  - SPAN (Switched Port Analyzer)
  - TAPs (Test Access Port)
  - Inline devices

22 Network Monitors Sensor Management
  - Console access: hard to manage
  - In-band remote access
    - Potential for loss of data confidentiality
    - Not functioning during a successful DoS attack
  - Virtual LAN
  - Out-of-band remote access, e.g. modem

23 Intrusion Detection Systems Networks
Security Capabilities
  - Information gathering
    - OS identification of hosts
    - General characteristics of networks
  - Logging
    - To confirm alerts
    - To investigate incidents
    - To correlate events with other sources
    - Logs need to be protected against an attacker
    - Need to deal with clock drift

24 Intrusion Detection Systems Networks
Security Capabilities
  - Detection capabilities: typically require tuning and customization
    - Thresholds
    - Blacklists and whitelists
    - Alert settings
    - IDPS code viewing and editing
  - Prevention capabilities: vary with technology / field

25 Intrusion Detection Systems Management
Implementation: Architecture Design
  - Placement of sensors
  - Reliability of sensors
  - Location of other components
  - System interfaces
    - Systems to which the IDPS provides data
    - Systems which the IDPS resets for prevention
    - Systems that manage IDPS components: patch management software, network management software

26 Intrusion Detection Systems Management
Implementation: Component Testing and Deployment
  - Consider deployment in a test environment, e.g. to prevent a surge of false positives
  - IDPS deployment usually interrupts networks or systems for component installation
  - Configuration is typically a major effort

27 Intrusion Detection Systems Management
Implementation: Securing IDPS Components
  - IDPS are often targeted by attackers
    - Because of their effects on security
    - Because of the sensitive data collected by the IDPS
  - System hardening by the usual means
    - Separate accounts for each IDPS user and administrator
    - Configure firewalls, routers, etc. to limit direct access to IDPS components
  - Protect IDPS management communication
    - Physically
    - Logically: encryption, strong authentication

28 Intrusion Detection Systems Management
Operations and Maintenance
  - Typically GUI, but sometimes command lines
  - Typical capabilities
    - Drill down
    - Reporting functions
    - Database open to scripted searches
  - Need for ongoing solution maintenance
    - Monitor IDPS components for operational and security issues
    - Periodic tests of proper functioning
    - Regular vulnerability assessments
    - Receipt of notifications of security problems from the vendor
    - Receipt of notifications for updates

29 Intrusion Detection Systems Management
Operations and Maintenance: Acquiring and Applying Updates
  - Of signature files
  - Of IDPS software components

30 Intrusion Detection Systems Management
Building and maintaining personnel skills
  - Basic security training
  - Vendor training
  - Product documentation
  - Technical support
  - Professional services (consulting by vendors)
  - User communities

31 Network Based IDPS Typical components
  - Appliance: specialized hardware and sensor software / firmware
  - Host-based: only software

32 Network Based IDPS Architecture and Sensor Locations
Inline
  - All traffic monitored must pass through it
  - Typically placed where firewalls etc. would be placed
    - Either as hybrid devices
    - Or placed on the more secure side

33 Network Based IDPS Architecture and Sensor Locations
Passive
  - Monitors a copy of actual network traffic
    - Spanning port
    - Network tap
    - IDS load balancer
      - Receives copies of traffic from several sensors
      - Aggregates traffic from different networks
      - Distributes copies to one or more listening devices
  - Typically not capable of prevention

34 Network Based IDPS Typical detection capabilities
Application layer reconnaissance and attacks
  - Typically analyze several dozen application protocols
  - Detect
    - Banner grabbing
    - Buffer overflows
    - Format string attacks
    - Password guessing
    - Malware transmission

35 Network Based IDPS Typical detection capabilities
Transport layer reconnaissance and attacks
  - Detects
    - Port scanning
    - Unusual packet fragmentation
    - SYN floods
Network layer reconnaissance and attacks
  - Detects
    - Spoofed IP addresses
    - Illegal IP header values

36 Network Based IDPS Typical detection capabilities
Unexpected application services
  - Detects
    - Tunneled protocols
    - Backdoors
    - Hosts running unauthorized application services
  - Uses
    - Stateful protocol analysis
    - Anomaly detection
Policy violations
  - Use of inappropriate Web sites
  - Use of forbidden application protocols

37 Network Based IDPS Detection Accuracy
  - High degree of false positives and false negatives
  - Difficulty based on
    - Complexity of activities monitored
    - Different interpretation of the meaning of traffic between the IDPS sensor and the client / server
  - Cannot deal with encrypted network traffic: VPN, HTTP over SSL, SSH
  - Have limited capacity
    - Number of connections
    - Depth of analysis
    - Longevity of connections

38 Network Based IDPS Attacks on network based IDPS
  - DDoS attacks generate unusually large volumes of traffic
  - Generate loads of anomalous traffic to exhaust IDPS resources
  - Blinding
    - Generates many IDPS alerts
    - The real attack is separate, but contemporaneous

39 Network Based IDPS Prevention capabilities
Passive sensors only
  - Ending the current TCP session
    - Session sniping: sending resets to both partners
Inline only
  - Perform inline firewalling
  - Throttle bandwidth usage
  - Alter malicious content
Both passive and inline
  - Reconfigure other network security devices
  - Run a third-party program or script

40 Wireless IDPS
  - Wireless attacks typically require proximity to access points or stations
  - Typically, need access to the radio link between stations and access points
  - Many WLANs are configured with no or weak authentication

41 Wireless IDPS Components
  - Same as for network-based IDPS
    - Consoles
    - Database servers
    - Management servers
    - Sensors
  - Sensors function differently than for wired IDPS
    - Need to monitor two bands (2.4 GHz and 5 GHz), divided into channels
    - A sensor only monitors a single channel at a time
    - Channel scanning (monitor a channel for seconds at most)

42 Wireless IDPS Wireless sensors
  - Dedicated sensors
    - Typically completely passive
    - Fixed or mobile
  - Bundled with an access point
  - Bundled with a wireless switch
  - Host-based IDPS sensor to be installed on a station

43 Wireless IDPS

44 Wireless IDPS Sensor Locations
  - Physical security: often deployed in open locations because of greater range than in closed locations
  - Sensor range
  - Cost
  - AP and wireless switch locations: consider bundling or collocation

45 Wireless IDPS Security capabilities
Information gathering
  - Identifying WLAN devices: typically based on SSIDs and MAC addresses
  - Identifying WLANs: keep track of observed WLANs identified by SSID
  - Logging capability

46 Wireless IDPS Security capabilities
Detection capability: events
  - Unauthorized WLANs and WLAN devices
  - Poorly secured WLAN devices, e.g. a station is using WEP instead of WPA2
  - Unusual usage patterns
  - The use of (active) wireless network scanners
  - Denial of service (DoS) attacks and conditions
  - Impersonation and man-in-the-middle attacks

47 Wireless IDPS Detection accuracy
  - Usually quite high due to limited scope
Tuning and Customization
  - Specify authorized WLANs, access points, stations
  - Set thresholds for anomaly detection
  - Some use blacklists and whitelists

48 Wireless IDPS Wireless IDPS cannot detect:
  - An attacker passively monitoring traffic
  - Attackers with evasion techniques
    - The attacker can identify the IDPS product
      - Physical survey
      - Fingerprinting by prevention actions
    - The attacker takes advantage of the product’s channel scanning scheme
      - Short bursts of attack packets on channels not currently monitored
      - Attacks on two channels at the same time

49 Wireless IDPS Attacks on wireless IDPS
  - Same DDoS techniques
  - Physical attacks
  - Jamming

50 Wireless IDPS Prevention capabilities
Wireless prevention
  - Terminate connections between rogue or misconfigured stations and rogue or misconfigured access points
  - Send discontinue messages to endpoints
Wired prevention
  - Block network activity involving a particular station or access point

51 Network Behavior Analysis (NBA)
  - Examines network traffic or statistics on network traffic
  - Identifies unusual traffic flows

52 Host Based IDPS
Monitors a single host and events occurring within that host
  - Wired network traffic
  - Wireless network traffic
  - System logs
  - Running processes
  - File access and modification
  - System and application configuration changes

53 Host Based IDPS Components and architectures
  - Agents (typically detection software)
    - Monitor activity on a single host
    - Transmit data to management servers
  - Agents can be implemented as dedicated appliances
  - Monitors:
    - Servers
    - Clients
    - An application service (application-based IDPS)

54 Host Based IDPS

55 Host Based IDPS Agent locations
  - Commonly deployed to critical hosts
  - But could be in a majority of systems, including laptops and desktops

56 Host Based IDPS Host architecture
  - Agents often alter the internal architecture of hosts
  - Done by a shim: a layer of code placed between existing layers of code
    - The shim intercepts data when it is passed between different layers
    - The shim analyzes the data and determines whether the data is allowed or not

57 Host Based IDPS Security capabilities
  - Logging
  - Detection: code analysis
    - Code behavior analysis in a sandbox
    - Buffer overflow detection through detecting tell-tale sequences of instructions or memory accesses
    - System call monitoring: keylogger, COM object loading, driver loading
    - Application and library lists

58 Host Based IDPS Security capabilities
Detection
  - Network traffic analysis: basically the same as a network or wireless IDPS would do
  - Network traffic filtering: host-based IDPS contains a host-based firewall
  - File system monitoring
    - File integrity checking
    - File attribute checking
    - File access attempts
  - Log analysis of OS and application logs
  - Network configuration monitoring
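Added example, not from the original slides: file integrity and attribute checking as a host-based agent would do it, taking a baseline of SHA-256 hashes and permission bits and reporting changes. The scenario is a constructed temporary directory, and it separates a content change from a permission-only change, which a hash comparison alone would miss.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def snapshot(root):
    """Baseline of every regular file under root: content hash plus the
    attributes an agent would also watch (permission bits, size)."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
                "mode": stat.S_IMODE(st.st_mode),
                "size": st.st_size,
            }
    return baseline

def compare(baseline, current):
    """Return (path, reason) alerts, sorted by path."""
    alerts = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            alerts.append((path, "deleted"))
        elif path not in baseline:
            alerts.append((path, "added"))
        elif baseline[path]["sha256"] != current[path]["sha256"]:
            alerts.append((path, "content changed"))
        elif baseline[path]["mode"] != current[path]["mode"]:
            # Same bytes, different permission bits (e.g. setuid added):
            # invisible to a pure hash comparison, caught by attribute checking.
            alerts.append((path, "mode changed"))
    return alerts

def demo():
    """Constructed scenario: take a baseline, then simulate three changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "tool").write_bytes(b"#!/bin/sh\necho ok\n")
        os.chmod(root / "bin" / "tool", 0o755)
        (root / "config.txt").write_text("port=22\n")
        baseline = snapshot(root)
        with open(root / "config.txt", "a") as f:       # content change
            f.write("debug=1\n")
        os.chmod(root / "bin" / "tool", 0o4755)          # attribute-only change
        (root / "tmp").mkdir()
        (root / "tmp" / "dropper").write_bytes(b"\x00")  # new file
        return compare(baseline, snapshot(root))
```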

59 Host Based IDPS Technology limits
  - Alert generation delays
  - Centralized reporting delays
  - Host resource usage
  - Conflicts with existing security controls
  - Rebooting hosts to update the IDPS

60 Host Based IDPS Prevention capabilities
  - Code analysis
  - Network traffic analysis
  - Network traffic filtering
  - File system monitoring
  - Removable media restrictions
  - Audio-visual device monitoring
  - Automatic host hardening
  - Process status monitoring
  - Network traffic sanitization
