Published by Miles Jordan. Modified over 9 years ago.
Slide 1: Intrusion Detection and Prevention
Slide 2: Objectives
● Purpose of IDSs
● Function of IDSs in a secure network design
● Install and use an IDS
● Customize the IDS signature database
Slide 3: IDS: What are they?
● A dedicated, hardened host
● Sensors
● Sits on the network segment you want to protect
● A network sniffer
● A packet pattern analyzer
● Unlike a firewall, an IDS is passive: it watches and alerts but does not block (this is changing with intrusion prevention)
● Often placed at each layer of a layered network
Slide 4: Location of IDSs (network diagram on the slide, described here)
● Internet -> exterior firewall -> public network: external DNS, SMTP server, web server, and an IDS watching that segment
● Public network -> interior firewall -> protected network: internal DNS, mail server, internal servers, internal clients, and an internal IDS
● The IDS sensors report to a logging and alerting server
Slide 5: IDS: The need
● Detection of probes and scans
● Detection of network reconnaissance activity
● A record of attempted exploits
● Locating a compromised host on your network
● Determining what information was compromised
Slide 6: The attack plan
● Usually multi-phased
● Phase 1: network scan
  ● Characterize the hosts on the network
  ● Look for particular services, e.g. DNS, HTTP
  ● Determine service versions and OS types
● Phase 2: exploit a buffer overflow in DNS
  ● Compromise the DNS host
● Phase 3: compromise other hosts on the network from the DNS host
● Without an IDS you would not know any of this had happened
Slide 7: Protection plan
● Analyze all packets continuously
● Look for patterns of known attacks
  ● Network IDS signatures: the science behind IDS
  ● Like virus signatures, IDS signatures must be updated
  ● Do-it-yourself signature writing is sometimes necessary
● Look for statistical anomalies
  ● Not a well-developed science yet (as of this deck)
Slide 8: Land attack (1997)
● Based on hand-crafted packets
● Source and destination IP addresses are the same (and so are the ports), with the TCP SYN flag set
● Older systems would crash or hang
● Windows NT and 95 depended on receiving well-formed packets
● Basically a denial-of-service attack
● www.kb.cert.org/vuls/id/396645
Slide 9: Teardrop attack (1997-1998)
● Improper fragment sequence
● The IP fragment offset is malformed
● Consecutive fragments overlap instead of abutting
● Newtear.c (on the web site)
● Another DoS attack: the victim's reassembly code miscomputes the overlap and crashes
Slide 10: Teardrop cont'd
● Packet 1
  ● Total length of IP datagram: 48 bytes
  ● More Fragments flag is set
  ● Fragment offset is 0
  ● UDP length field: 48 bytes (incorrect; it should be total length - 20 = 28)
Slide 11: Teardrop cont'd
● Packet 2
  ● Total length of IP datagram: 24 bytes
  ● Fragment offset is 3 (in 8-byte units, i.e. byte 24 of the payload)
  ● More Fragments bit is cleared
  ● 24 bytes are sent: 20 bytes of IP header plus 4 bytes of payload
Slide 12: Teardrop cont'd (packet layout diagram on the slide, described here)
● Packet 1 (48 bytes on the wire)
  ● Bytes 0-19: IP header, total length 48, More Fragments bit 1, offset 0
  ● Bytes 20-27: UDP header: src port, dest port, length 48 (should be 28), checksum
  ● Bytes 28-47: UDP payload
● Packet 2 (24 bytes on the wire)
  ● Bytes 0-19: IP header, total length 24, More Fragments bit 0, offset 3 (= byte 24)
  ● Bytes 20-23: IP payload (4 bytes)
● Fragment reconstruction
  ● Fragment 1 supplies datagram payload bytes 0-27 (UDP header 0-7, UDP data 8-27)
  ● Fragment 2 claims payload bytes 24-27, inside the range fragment 1 already filled
  ● Reassembly code that assumes each new fragment extends past the previous one computes a negative length for the overlap, which becomes a huge copy and crashes the host
Slide 13: Nimda worm (2001)
● Scan phase
  ● Determine whether a web server is an unpatched Microsoft IIS box
  ● Is it vulnerable to the Unicode directory-traversal exploit?
● Attack phase
  ● Use that traversal to run cmd.exe on the server (Nimda's IIS vector was the traversal bug, not a buffer overflow)
Slide 14: Nimda worm cont'd
● An IDS can detect the scan phase of a Nimda attack
● The URL contains "%c0%af../winnt/..."
● %c0%af is an overlong UTF-8 encoding of "/" (bytes 0xC0 0xAF) that IIS decoded only after it had checked the path
● Web servers check the request path for ".." traversal out of the document root; the encoded slash slipped past that check
● Success of this attempt to change to the root directory indicates an unpatched IIS
Slide 15: Nimda worm cont'd
● IDS rule
  ● /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
  ● A specific text search for %c0%af
  ● If the attack changes its encoding, this rule will not catch it
● Better approach
  ● Decode %c0%af (and the other encodings) to "/" first, then check whether the resulting URL is valid
  ● More robust
Slide 16: False positives and negatives
● False positives
  ● Classifying benign activity as malicious
  ● Get a lot of attention because people see the alerts
  ● Annoying; usually the rule gets shut off entirely, which then hides the real hits too
● False negatives
  ● Missing malicious activity
  ● Not seen, so ignored
  ● Dangerous
● These are the risks in classification
Slide 17: IDS evasion techniques
● The attacker is patient
● The attacker is clever
● The attacker has nothing else to do
● Examples
  ● cmd.exe in a URL is often bad
  ● However, cmd.exe-analysis.html may be OK
  ● cmd.%65xe decodes to the same thing (%65 is "e")
● Plain text searches are not always good or effective
Slide 18: IDS software
● Popular systems
  ● Snort (open source)
  ● Cisco recommends using Snort
  ● ISS RealSecure
  ● NFR Security NID
● Centralize all IDS logs
  ● Easier analysis
  ● Alerts: logs, e-mail, pagers, etc.
Slide 19: Distributed IDS
● IDS logs are submitted to a third party for collective analysis
● Attack Registry & Intelligence Service (ARIS): http://aris.securityfocus.com
● DShield: http://www.dshield.org
Slide 20: Outsourced IDS
● Counterpane
● TruSecure
● Deloitte & Touche