1
Distributed IDS
The implementation of a Distributed Intrusion Detection System over a medium scale open network where the focus is availability of services.
Darian Jenik - Network Management, Queensland University of Technology
2
What IDS is:
- IDS is a combination of methods for determining the presence and location of unauthorized activity on the computer network.
- IDS is the detection and reporting of security vulnerabilities.
- IDS is the logging and detection of internal users' "misdemeanors", for liability protection.
3
What IDS is not:
- IDS is NOT security. For security you need:
  - A good security policy that is both documented and adhered to.
  - Good security practice by system administrators.
  - Hardened perimeter firewalls and "DMZ" firewalls.
- IDS is not a product.
- IDS is not a sensor.
4
The scale of the problem
- Approximately 10000 hosts
- 100 web servers
- 300 "servers" of other types
- Students
- System Administrators
- IAS
5
IDS should perform the following tasks:
- Detect known violations to host integrity by passively watching network traffic.
- Respond to attempted violations by blocking external IP addresses.
- Respond to probes from outside by blocking external IP addresses.
- Find and report usage inconsistencies that indicate account/quota theft.
- Detect violations by monitoring information (web pages etc.).
- Help log and establish traffic/host usage patterns for future reference and comparison.
6
Detect known violations to host integrity by passively watching network traffic.
- Just one type of sensor?
- IDS sensors: gateways, traditionally.
- Put IDS sensors on hosts to look after the specific services running on those hosts and to detect port scans.
7
Respond to attempted violations by blocking external IP addresses.
- Make sure the IDS is able to respond and send commands to firewalls and/or hosts.
- IDS sends RST packets to both ends of the connection.
- IDS is able to insert rules into the border firewall.
8
Respond to probes from outside by blocking external IP addresses.
- Attempts to connect to ports on servers that are not enabled. (Collate reports from multiple servers to a single location.)
- Make "flypaper" IP addresses that have never been used for anything; they serve to pick up slow probes.
9
Find and report usage inconsistencies that indicate account/quota theft.
- Determine that the accounts authorized at the access locations (dial-in/PC) are the same accounts using other services (mail/proxy/other logins).
- Failed attempts to log in to services.
- Accounts being used simultaneously at various locations.
10
Detect violations by monitoring information (web pages etc.).
- Graffiti (defacement), DNS spoofing, warez repositories.
- Ensure that the monitoring is external as well as internal.
- http://forced.attrition.org/mirror/attrition/
11
Help log and establish traffic usage patterns for future reference and comparison.
- Central syslog collection and analysis.
- Tripwire
- Nmap database
- Performance and usage analysis.
12
Open Source
- Just about any platform (including Windows).
- Many plugins and external modules.
- Frequent rules updates.
13
Snort Plugins
- Databases: mySQL, Oracle, Postgresql, unixODBC
- Spade (Statistical Packet Anomaly Detection engine)
- FlexResp (session response/closing)
- XML output
- TCP streams (stream single-byte reassembly)
14
Snort Add-ons
- Acid (Analysis Console for Intrusion Detection) - PHP
- Guardian - IPCHAINS rules modifier (Girr - remover)
- SnortSnarf - HTML
- Snortlog - syslog
- "Ruleset retrieve" - automatic rules updater
- Snorticus - central multi-sensor manager - shell
- LogSnorter - syslog > Snort SQL database information adder
- + a few win32 bits and pieces
15
Acid + Snort
- Acid is a CERT project.
- Pretty simple PHP3 to mySQL.
- Quite customizable.
- Simple GUI for casual browsing.
16
Main Console
17
Individual alerts
18
Securityfocus Whitehats CVE
19
Rule details
20
Incident details
21
Incident Details
22
Questions?
23
URLs
- www.snort.org
- http://www.cert.org/kb/acid/
- www.whitehats.com (intrusion signatures data)
- www.securityfocus.com (intrusion signatures data)
- http://cve.mitre.org/ (intrusion signatures data)
- http://www.psionic.com/ (logcheck + hostsentry)