Presentation is loading. Please wait.

Presentation is loading. Please wait.

EE579T/12 #1 Spring 2003 © 2000-2003, Richard A. Stanley EE579T / CS525T Network Security 12: Intrusion Detection Systems; Wireless Security Prof. Richard.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "EE579T/12 #1 Spring 2003 © 2000-2003, Richard A. Stanley EE579T / CS525T Network Security 12: Intrusion Detection Systems; Wireless Security Prof. Richard."— Presentation transcript:

1 EE579T/12 #1 Spring 2003 © 2000-2003, Richard A. Stanley EE579T / CS525T Network Security 12: Intrusion Detection Systems; Wireless Security Prof. Richard A. Stanley

2 EE579T/12 #2 Spring 2003 © 2000-2003, Richard A. Stanley Overview of Tonight’s Class Schedule projects Review last week’s lesson Another MS Windows problem Virus checkers and food for thought Intrusion detection systems Wireless security

3 EE579T/12 #3 Spring 2003 © 2000-2003, Richard A. Stanley Project Scheduling We will NOT meet on 15 April First projects: 8 April Final projects: 22 April Let’s have volunteers for each evening, keeping in mind your work schedules

4 EE579T/12 #4 Spring 2003 © 2000-2003, Richard A. Stanley Summary of last time... Computer crime is a fast-growing area of illegal activity “That’s where the money is” Computers and networks are regulated by a large and growing body of law Both civil and criminal issues involved Liability is a major consideration for any business or practitioner

5 EE579T/12 #5 Spring 2003 © 2000-2003, Richard A. Stanley Another Windows Problem “Remote attacker could gain total control of a machine running Windows 2000” “Unchecked buffer in a Windows 2000 component used to handle the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol could allow an attacker to cause a buffer overflow on a machine running IIS” “Attackers could mount a denial-of-service attack against such machines or execute their own malicious code in the security context of the IIS service, gaining unfettered access to the vulnerable system” Source: Computerworld, March 17, 2003

6 EE579T/12 #6 Spring 2003 © 2000-2003, Richard A. Stanley Virus Checkers Three major vendors worldwide –(2 US, 1 Finland) Many more malicious code exploits in the zoo than in the wild (~200X) –Who are the zookeepers? –What does it take to get a zoo specimen out? Who are the software writers? What are the implications?

7 EE579T/12 #7 Spring 2003 © 2000-2003, Richard A. Stanley Intrusion Detection Systems Oddly enough, these are systems designed to detect intrusions into protected systems Security intrusion (per RFC 2828): –A security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.

8 EE579T/12 #8 Spring 2003 © 2000-2003, Richard A. Stanley What’s a Security Incident? A security event that involves a security violation. (See: CERT, GRIP, security event, security intrusion, security violation.) In other words, a security-relevant system event in which the system's security policy is disobeyed or otherwise breached. "Any adverse event which compromises some aspect of computer or network security." [R2350] Source: RFC 2828, page 152; emphasis added

9 EE579T/12 #9 Spring 2003 © 2000-2003, Richard A. Stanley Why Do We Need This? With the exception of authentication systems, most of the defenses we have studied up to now are directed towards intruders coming from outside the firewall These systems are not perfect--some intruders will get through Moreover, defenses such as firewalls cannot protect against intruders on the inside

10 EE579T/12 #10 Spring 2003 © 2000-2003, Richard A. Stanley Intrusion Detection Functions Monitor protected networks and computers in real time (or as close to real time as is practicable) Detect security incidents –Requires a policy, and a way for the IDS to know what that policy is Respond –Raise an alarm –Send some automated response to the attacker

11 EE579T/12 #11 Spring 2003 © 2000-2003, Richard A. Stanley IDS vs. Auditing Audits tend to be a posteriori –But an IDS can be seen as performing a constant, near real time audit function To perform an audit, you need to know what the policy is –Audit measures departures from the policy norms –Audits depend on system logs

12 EE579T/12 #12 Spring 2003 © 2000-2003, Richard A. Stanley Early IDS’s Emulated the audit function –Crawled the logs, looking for deviations from policy-permitted actions –Intent was to speed up the audit, making it nearly real time –Still a useful approach IDS technology has been around only since the early 1990’s; not too mature

13 EE579T/12 #13 Spring 2003 © 2000-2003, Richard A. Stanley IDS Uses Monitor system usage –Determine access, usage patterns –Plan for capacity engineering Monitor specific problem areas Serve as a deterrent –Sort of like the “burglar alarm” label on a house, even if there is really no alarm

14 EE579T/12 #14 Spring 2003 © 2000-2003, Richard A. Stanley Log Files Are evidence if an intrusion occurs –Must be stored in their original, unmodified form, otherwise inadmissible in court –Provide data from which trends can be deduced –Can be subjected to forensic analysis –Probably needed to assess level of system compromise/damage and to restore to state prior to intrusion

15 EE579T/12 #15 Spring 2003 © 2000-2003, Richard A. Stanley Legal Issues - 1 Privacy of your employees –Courts have held that employees have little expectation of privacy in the workplace, especially if told so at the outset email can be monitored at work by employer phone calls can be monitored at work by employer doing either of these things outside the workplace violates the wiretap statutes (18 USC § 2516, etc.)

16 EE579T/12 #16 Spring 2003 © 2000-2003, Richard A. Stanley Legal Issues - 2 What if the IDS discovers illegal acts being performed on/by your network? –Employees using the network for illegal activities –Outsiders having planted zombie programs so that your system attacks others –What is your responsibility and liability?

17 EE579T/12 #17 Spring 2003 © 2000-2003, Richard A. Stanley Legal Issues - 3 This may be a Catch-22 issue –If an attacker is using your system, law enforcement may want you to continue to allow that to happen so they can apprehend the attacker If you interrupt the attack, could be interpreted as obstruction of justice –But, if you allow the attack to continue, you may be liable for damages to those attacked Get legal advice--beforehand!

18 EE579T/12 #18 Spring 2003 © 2000-2003, Richard A. Stanley What About Automated Response? Tempting capability If attacking your system is illegal, what makes your attack on the attacker less illegal? What if you are, or are acting on behalf of, a governmental entity and the attacker is also a governmental entity? –Casus belli

19 EE579T/12 #19 Spring 2003 © 2000-2003, Richard A. Stanley IDS Architecture Sensor Management Console

20 EE579T/12 #20 Spring 2003 © 2000-2003, Richard A. Stanley Console Monitors and controls sensors –Sets policy, alarm levels, etc. –Stores logs Must have secure communications with sensors –Encrypted connection –Out of band (OOB)

21 EE579T/12 #21 Spring 2003 © 2000-2003, Richard A. Stanley IDS Types Network-based (NIDS) –Monitors the network backbone Network node-based (NNIDS) –Monitors network nodes, not the backbone Host-based (HIDS) –This is the “log crawler” that started it all Gateway (GIDS) –NIDS in series with the network

22 EE579T/12 #22 Spring 2003 © 2000-2003, Richard A. Stanley What Can It See? Network packets OS API calls System logs How do we merge this data to detect intrusions?

23 EE579T/12 #23 Spring 2003 © 2000-2003, Richard A. Stanley Host-Based Sits on a host as a background task Monitors (potentially) –traffic to and from the host –OS API calls –system logs Adds to processing load on the host, so host must be able to support the extra load

24 EE579T/12 #24 Spring 2003 © 2000-2003, Richard A. Stanley Network-based NIDS sensors placed on network backbone –Can view only packet traffic passing by, much like a classic passive sniffer –Does not place processing load on network, but the NIDS platform must be capable of dealing with network traffic speeds Software can usually handle 100 Mbps Hardware only 2-3 times faster If network is faster, looks only at subset of packets

25 EE579T/12 #25 Spring 2003 © 2000-2003, Richard A. Stanley Network Node-based Used to inspect intrusions directly into network nodes –Effectively a blending of HIDS and NIDS –Used to protect mission-critical machines –Again, a background process on existing nodes, so node must be able to handle added processing load

26 EE579T/12 #26 Spring 2003 © 2000-2003, Richard A. Stanley Gateway In series with network –Often set to block prohibited traffic automatically –Think of it as an in-network firewall with an extended rule set –Must be able to keep up with network load

27 EE579T/12 #27 Spring 2003 © 2000-2003, Richard A. Stanley Deployment Putting in an IDS is a complex and time- consuming affair –Typically, start simple and add functionality as you learn more about the network –NIDS tends to see more and load network least –Follow up with HIDS on selected hosts, perhaps NNIDS on critical nodes Policy has to be in place first

28 EE579T/12 #28 Spring 2003 © 2000-2003, Richard A. Stanley Attack Signatures Critical to success of any IDS Must be maintained, just like virus signatures –You want some visibility into this –Do you want strangers deciding what is an attack on your critical systems? Some IDS’s let you write/modify signatures, others do not CVE: http://www.cve.mitre.org/http://www.cve.mitre.org/

29 EE579T/12 #29 Spring 2003 © 2000-2003, Richard A. Stanley IDS Deployment First, design the IDS sensor and management layout Next, deploy the IDS –Test the network for normal operation –Test the IDS Run packaged attacks to see if all are detected Document performance and repeat test regularly –Tune the IDS

30 EE579T/12 #30 Spring 2003 © 2000-2003, Richard A. Stanley Sampling of IDS Products RealSecure: http://www.iss.net/products_services/enterp rise_protection/rsnetwork/sensor.php http://www.iss.net/products_services/enterp rise_protection/rsnetwork/sensor.php NFR: http://www.nfr.net/http://www.nfr.net/ Snort: http://www.snort.org/http://www.snort.org/ SnortSnarf: http://www.silicondefense.com/software/sn ortsnarf/ http://www.silicondefense.com/software/sn ortsnarf/

31 EE579T/12 #31 Spring 2003 © 2000-2003, Richard A. Stanley IDS Summary IDS’s can be useful in monitoring networks for intrusions and policy violations Up-to-date attack signatures and policy implementations essential Many types of IDS available, at least one as freeware Serious potential legal implications Automated responses to be avoided

32 EE579T/12 #32 Spring 2003 © 2000-2003, Richard A. Stanley Wireless Network Security Wireless networks growing at a rapid pace –Gartner Group predicts wireless installations will multiply >7X by 2007 to over 31M Business drivers –Installation cost and time –Mobility –Flexibility –Operating costs

33 EE579T/12 #33 Spring 2003 © 2000-2003, Richard A. Stanley Wireless Inherently Insecure Wired networks contain (or try) signals to a wired path, which must be physically tapped to compromise line security –Possible to physically discover the tap Wireless networks deliberately broadcast data into space, where it can be intercepted by anyone with proper receiver –Data tap impossible to discover

34 EE579T/12 #34 Spring 2003 © 2000-2003, Richard A. Stanley This Isn’t New News Since early days, wireless vendors strove to provide privacy equivalent to that available on the wired network –WEP = wired equivalent privacy –This is not a high standard to meet They succeeded, but that wasn’t good enough for user requirements

35 EE579T/12 #35 Spring 2003 © 2000-2003, Richard A. Stanley Projects We have several project teams that will report on wireless security issues, so I will not go into great detail here A few things to whet your appetites –How does a wireless network work? –How can you “join up?” –What about the encryption?

36 EE579T/12 #36 Spring 2003 © 2000-2003, Richard A. Stanley How It Works Clients send probes Access points broadcast beacons and, often, their Server Set ID (SSID) When a client finds an access point with an acceptable signal level and a matching SSID, a connection is established Many networks are built precisely to facilitate connection by “foreign” users

37 EE579T/12 #37 Spring 2003 © 2000-2003, Richard A. Stanley NetStumbler

38 EE579T/12 #38 Spring 2003 © 2000-2003, Richard A. Stanley Other Interesting Things Wardriving: http://www.wardriving.com/http://www.wardriving.com/ Warchalking: http://www.warchalking.org/http://www.warchalking.org/ Airsnort: http://airsnort.shmoo.com/http://airsnort.shmoo.com/ What other little “gifts” await us?

39 EE579T/12 #39 Spring 2003 © 2000-2003, Richard A. Stanley Wireless Security Summary It’s a problem, owing to the nature of wireless transmission So far, security implementations have left a lot to be desired Project presentations will provide added details Growth is explosive, both in legitimate and illegitimate wireless activity

Download ppt "EE579T/12 #1 Spring 2003 © 2000-2003, Richard A. Stanley EE579T / CS525T Network Security 12: Intrusion Detection Systems; Wireless Security Prof. Richard."

Similar presentations

Presented by Nikita Shah 5th IT ( )

Presented by Nikita Shah 5th IT ( )
Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.

Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.

1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
Intrusion Detection Systems By: William Pinkerton and Sean Burnside.

Intrusion Detection Systems By: William Pinkerton and Sean Burnside.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
Security Presented by : Qing Ma. Introduction Security overview security threats password security, encryption and network security as specific.

Security Presented by : Qing Ma. Introduction Security overview security threats password security, encryption and network security as specific.
EE579T/GD_6 #1 Summer 2003 © 2000-2003, Richard A. Stanley EE579T Network Security 7: An Overview of SNMP and Intrusion Detection Prof. Richard A. Stanley.

EE579T/GD_6 #1 Summer 2003 © , Richard A. Stanley EE579T Network Security 7: An Overview of SNMP and Intrusion Detection Prof. Richard A. Stanley.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.

Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.
EE579T/12 #1 Spring 2004 © 2000-2004, Richard A. Stanley EE579T Network Security 12: Intrusion Detection & Wireless Security Prof. Richard A. Stanley.

EE579T/12 #1 Spring 2004 © , Richard A. Stanley EE579T Network Security 12: Intrusion Detection & Wireless Security Prof. Richard A. Stanley.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Similar presentations

Ads by Google