Download presentation
Presentation is loading. Please wait.
Published byDale Oliver Modified over 9 years ago
1
1 Intrusion Detection Systems
2
2 Intrusion Detection Intrusion is any use or attempted use of a system that exceeds authentication limits Intrusions are similar to incidents –An incident does not necessarily involve an active system or network device, an intrusion does Intrusion Detection System (IDS) can be either software or hardware based that monitors network activity and delivers an alert if it notices suspicious activity
3
3 Intrusion Detection Security policies are either prohibitive or permissive An IDS is sensitive to configuration Possible types of IDS errors: –False positive (unauthorized user let in) –False negative (authorized user denied access) –Subversion error (compromised the system from detecting intrusion)
4
4 Dealing with Intruders Intruders can be external or internal –External intruders are hackers or crackers –Internal intruders are more common and very dangerous Security policy should state what steps will be taken to handle intrusions Block and ignore –Simplest tactic for handling intrusions –Block the intruder and address the vulnerability –Don’t take any further action
5
5 Dealing with Intruders Block and investigate –Block the intruder and address the vulnerability –Collect evidence and try to determine intruder’s identity –Investigate Honeypot (bait the intruder) –Allow the intruder to access a part of your network –Try to catch the intruder while he/she explores –This is a potentially dangerous approach The intruder does have at least partial access Crackers may become interested in your site
6
6 Detecting Intruders An IDS monitors system activity in some way When it detects suspicious activity, it performs an action Action is usually an alert of some type –E-mail, cell phone, audible alert, etc. to a person or process –For highly sensitive systems, out-of-band channel is used All IDS systems continuously sample system activity and compare the samples to a database
7
7 IDS Principles Run unattended for extended periods of time Stay active and secure Recognize unusual activity Operate without unduly affecting the system’s activity Configurable
8
8 IDS Principles Sample current activity Compare with database Decide what to do
9
9 IDS Taxonomy Misuse intrusion –an attack against a known vulnerability –Relatively easy to detect Anomaly intrusion –an attack against a new vulnerability or one using an unknown set of actions –Relatively difficult to detect Types of IDS that correspond to intrusion types: –Signature-based –Knowledge-based
10
10 IDS Taxonomy Signature-based IDS –Detects misuse intrusions –Maintains a database of attack signatures –Compares current activity to database –Database must be current and complete to be effective Knowledge-based IDS –Detects anomaly intrusions –Builds a profile of “normal” system activity over time –Produces more false positives and requires more administration –Requires careful initial configuration
11
11 Thresholds A rule tells the IDS which packets to examine and what action to take –Similar to a firewall rule –Alert tcp any any -> 192.168.1.0/24 111 (content:”|00 01 86 a5|”;msg:”mountd access”;) Alert specifies the action to take Tcp specifies the protocol Any any 192…. specifies the source and destination within the given subnet 111 specifies the port Content specifies the value of a payload Msg specifies the message to send
12
12 Thresholds Threshold is a value that represents the boundary of normal activity Example: Maximum three tries for login Common thresholds: –file I/O activity –network activity –administrator logins and actions
13
13 Snort IDS Snort is an example of an IDS –Freeware –UNIX and Windows A highly configurable packet sniffer Analyzes network traffic in real time www.snort.org
14
14 Snort IDS Snort sniffs a packet from the network –Preprocessor looks at the packet header and decides whether to analyze it further –Detection engine compares pattern from rules to the packet payload –If payload matches, then appropriate action is taken Snort can be used in a plain packet sniffer mode or in full IDS mode Snort has numerous configurable options
15
15 Snort IDS
16
16 Snort IDS
17
17 Snort IDS
18
18 Network-Based vs Host-Based IDS systems are classified by their intended locations A network-based IDS monitors all traffic on a network segment –Can detect intrusions that cross a specific network segment –Administrators sometimes place one inside and one outside of a firewall –Will not see traffic that passes between LAN computers
19
19 Network-Based vs Host-Based Host-based IDS examines all traffic and activity for a particular machine –Can examine system log files as well as inbound and outbound packets –Each system requires its own IDS Best choice is to use both network-based and host- based IDS in an organization Many firewalls provide some IDS functionality
20
20 Network-Based IDS
21
21 Choosing an Appropriate IDS Determine organizational security needs Review the different IDS packages available medium to large organizations commonly use both network-based and host-based IDS
22
22 Security Auditing with an IDS Must have periodic security audits –Sometimes mandated by law or by corporate structure IDS can contribute to a complete audit Many host-based IDS can scan and analyze system log files –They can act as a filter for various behaviors Port-sniffing IDS can help to profile network activity
23
23 Intrusion Prevention System IPS combines the knowledge of IDS in an automated manner Usually IPS is a combination of a firewall and an IDS IPSs come in different forms: –NIDS with two NICs –Inline NIDS –Inline NIDS with scrubber
24
24 Intrusion Prevention System IPS with two NICs configured as follows: –One NIC has an IP address and handles traffic management –Second NIC has no IP address and performs detecting attacks only
25
25 IPS with two NICs Network Traffic Server with IPS NIC1 NIC2 No IP address Has IP address Copy of traffic
26
26 IPS with inline NIDS Server with IPS NIC No IP address Has IP address Network traffic
27
27 IPS with scrubber Server with IPS NIC No IP address Has IP address Network traffic Malicious packet $%&&^#@@*&* &^%$$#+!!*(+% ^^$##@*&&^ Scrubbed packet Malicious code rendered inactive
28
28 IPS Enhancements Traditionally switches work in OSI layer 2 Most vulnerabilities are on applications Layer 7 switches control which applications go to which server Layer 7 switches also help with load balancing Layer 7 switch inspects applications such as HTTP, SMTP and DNS and decide which server to route the application packets to Handles DoS and DDoS attacks
29
29 IPS Enhancements IPS systems first profile applications Helps identify normal behavior of access and functionality from applications
30
30 IPS Scenario Traffic from internet User: GET / User: GET /default.asp Attacker: GET /passwd.txt User: GET /login.asp Policy: Allow: GET / Allow: GET /default.asp Allow: GET /login.asp Allow: /public/default.html Implicitly deny other requests Traffic to internal network User: GET / User: GET /default.asp User: GET /login.asp
31
31 Commercial IPSs Hogwash (http://hogwash.sourceforge.net/oldindex.html)http://hogwash.sourceforge.net/oldindex.html ISS Guard (http://www.iss.net/products_services/enterprise_protection/rs network/guard.php)http://www.iss.net/products_services/enterprise_protection/rs network/guard.php Netscreen (http://www.juniper.net/products/)http://www.juniper.net/products/ Tipping Point (http://www.tippingpoint.com/products_ips.html)http://www.tippingpoint.com/products_ips.html Intruvert (http://www.mcafee.com/us/products/mcafee/network_ips/cate gory.htm?cid=10355)http://www.mcafee.com/us/products/mcafee/network_ips/cate gory.htm?cid=10355
32
32 References IPS http://www.securityfocus.com/infocus/1670 IBM’s IPS http://www- 1.ibm.com/services/us/index.wss/offering/bcrs/a1002 441
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.