
Distributed IDS The implementation of a Distributed Intrusion Detection System over a medium scale open network where the focus is availability of services.


1 Distributed IDS: The implementation of a Distributed Intrusion Detection System over a medium scale open network where the focus is availability of services.
Darian Jenik, Network Management, Queensland University of Technology

2 What we hope to achieve:
Learn about the nature of traffic flowing on the network.
Catch attempts to compromise host security.
Detect compromised hosts on the network.
Discover holes and incorrect configurations on existing services.
Take a proactive rather than reactive approach to dealing with security issues.

3 What IDS is not:
IDS is NOT security. For security you need:
Good security policy that is both documented and adhered to.
Good security practice by system administrators.
Hardened perimeter firewalls and “DMZ” firewalls.
IDS is not a “product”.
IDS is not a “sensor”.

4 What information can it provide:
Denials, scans, vulnerable services, etc.
Other input sources (Tripwire, syslog, firewall, ...).
Cross-referencing allows individual events that seem innocent to take on more meaning in context.

5 Where do we put the sensor:
Traditionally: the gateway(s).
Port mirroring? (50+ data cabinets)
Preferably everywhere. This would normally cost $$$$$, but open source makes it possible.

6 The scale of the problem
Approximately 10000 hosts
100 web servers
300 “servers” of other types
Students
System administrators
IAS

7 The scale of the problem - simplified
[Network diagram: Outside 1, Outside 2, GW, Inside 1, Inside 2, Servers, User hosts; links 10meg -> 1 Gig]

8 The scale of the problem cont'd
[Same network diagram, annotated “Bad!!”]

9 The scale of the problem cont'd
[Same network diagram, annotated “Worse!!”]

10 The scale of the problem cont'd
[Same network diagram]

11 The scale of the problem cont'd
[Same network diagram]

12 Dealing with the volume of information
Manually examine each incident (initially).
Classify and build up a database of false positives.
Use the power of the SQL database to look for patterns and “repeats”.
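As an added illustration of this slide (not code from the presentation or from the Snort project), the script below loads a handful of constructed alerts into a simplified alert table, lets an analyst classify a (signature, source) pair as a false positive, and then uses SQL grouping to surface repeat offenders and sources that trip several different signatures. The schema is an assumption that only loosely mirrors the tables the Snort database output plugin writes; SQLite is used so it runs offline, but the queries are plain SQL and carry over to MySQL or PostgreSQL.

```python
"""Constructed example: mining a Snort-style alert database for repeats.

The schema is a simplified stand-in for the Snort database tables
(an assumption, not the real schema); the alert rows are made up.
"""
import sqlite3
from typing import List, Tuple

SCHEMA = """
CREATE TABLE alert (
    cid       INTEGER PRIMARY KEY,
    timestamp TEXT    NOT NULL,
    sig_name  TEXT    NOT NULL,   -- rule that fired
    ip_src    TEXT    NOT NULL,
    ip_dst    TEXT    NOT NULL,
    dst_port  INTEGER             -- NULL for ICMP
);
-- (signature, source) pairs an analyst has examined and classified as noise
CREATE TABLE false_positive (
    sig_name TEXT NOT NULL,
    ip_src   TEXT NOT NULL,
    note     TEXT,
    PRIMARY KEY (sig_name, ip_src)
);
"""

# Constructed sample alerts: (timestamp, sig_name, ip_src, ip_dst, dst_port)
SAMPLE_ALERTS = [
    ("2001-05-01 08:00:01", "WEB-IIS cmd.exe access", "203.0.113.7", "192.0.2.10", 80),
    ("2001-05-01 08:00:02", "WEB-IIS cmd.exe access", "203.0.113.7", "192.0.2.11", 80),
    ("2001-05-01 08:00:03", "WEB-IIS cmd.exe access", "203.0.113.7", "192.0.2.12", 80),
    ("2001-05-01 09:10:00", "SNMP public access udp", "192.0.2.5", "192.0.2.20", 161),
    ("2001-05-01 09:15:00", "SNMP public access udp", "192.0.2.5", "192.0.2.21", 161),
    ("2001-05-01 09:20:00", "SNMP public access udp", "192.0.2.5", "192.0.2.22", 161),
    ("2001-05-01 10:00:00", "SCAN nmap TCP", "198.51.100.9", "192.0.2.10", 22),
    ("2001-05-01 10:00:01", "SCAN nmap TCP", "198.51.100.9", "192.0.2.10", 25),
    ("2001-05-01 11:00:00", "ICMP PING NMAP", "198.51.100.9", "192.0.2.30", None),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database and load the constructed alerts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO alert (timestamp, sig_name, ip_src, ip_dst, dst_port) "
        "VALUES (?, ?, ?, ?, ?)",
        SAMPLE_ALERTS,
    )
    return conn


def classify_false_positive(conn: sqlite3.Connection, sig_name: str,
                            ip_src: str, note: str) -> None:
    """Record that alerts of sig_name from ip_src were examined and are noise."""
    conn.execute("INSERT OR REPLACE INTO false_positive VALUES (?, ?, ?)",
                 (sig_name, ip_src, note))


def repeat_offenders(conn: sqlite3.Connection,
                     min_hits: int = 3) -> List[Tuple[str, str, int, int]]:
    """(sig_name, ip_src, hits, distinct targets) for pairs seen at least
    min_hits times, skipping anything already classified as a false positive."""
    return conn.execute(
        """
        SELECT a.sig_name, a.ip_src, COUNT(*), COUNT(DISTINCT a.ip_dst)
        FROM alert a
        LEFT JOIN false_positive fp
               ON fp.sig_name = a.sig_name AND fp.ip_src = a.ip_src
        WHERE fp.sig_name IS NULL
        GROUP BY a.sig_name, a.ip_src
        HAVING COUNT(*) >= ?
        ORDER BY COUNT(*) DESC, a.sig_name
        """,
        (min_hits,),
    ).fetchall()


def multi_signature_sources(conn: sqlite3.Connection) -> List[Tuple[str, int, int]]:
    """(ip_src, distinct signatures, hits) for sources that tripped more than
    one rule: individually innocent events that add up in context."""
    return conn.execute(
        """
        SELECT ip_src, COUNT(DISTINCT sig_name), COUNT(*)
        FROM alert
        GROUP BY ip_src
        HAVING COUNT(DISTINCT sig_name) > 1
        ORDER BY COUNT(DISTINCT sig_name) DESC
        """
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("repeats:", repeat_offenders(db))
    # the SNMP hits come from the (constructed) network management station
    classify_false_positive(db, "SNMP public access udp", "192.0.2.5",
                            "management station polling")
    print("repeats after classification:", repeat_offenders(db))
    print("multi-signature sources:", multi_signature_sources(db))
```

The false-positive table is joined rather than deleting the alerts themselves, so the raw evidence stays available for later pattern searches while the daily report stops showing noise that has already been examined.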

13 IDS should perform the following tasks
Detect known violations of host integrity by passively watching network traffic.
Respond to attempted violations by blocking external IP addresses.
Respond to probes from outside by blocking external IP addresses.
Find and report usage inconsistencies that indicate account/quota theft.
Detect violations by monitoring information (web pages etc.).
Help log and establish traffic/host usage patterns for future reference and comparison.

14 Respond to attempted violations by blocking external IP addresses.
Make sure the IDS is able to respond and send commands to firewalls and/or hosts.
IDS sends RST packets to both ends of the connection.
IDS is able to insert rules into the border firewall.

15 Respond to probes from outside by blocking external IP addresses.
Attempts to open ports on servers that are not enabled.
Make “flypaper” IP addresses that have never been used for anything, which serve to pick up slow probes.
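The following added example (written for this page, not code from the presentation) shows why flypaper addresses matter for the blocking described on slides 14 and 15. It runs a rate-based port-scan detector and a flypaper check over a few constructed packet-filter log lines, then produces the list of external sources a border firewall rule would be generated for. The log format only loosely resembles a Linux packet-filter LOG line, and the flypaper addresses, internal prefix and thresholds are all assumptions.

```python
"""Constructed example: catching fast and slow probes with a rate detector
plus "flypaper" addresses, and deriving block candidates from the result.

Log lines, addresses and thresholds are made up for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set

# Assumed: addresses that have never hosted a service. Any packet to them
# is a probe, however slowly it arrives.
FLYPAPER = {ip_address("192.0.2.250"), ip_address("192.0.2.251")}
# Assumed internal range: sources here are reported, never firewalled out.
INTERNAL = ip_network("192.0.2.0/24")

# Constructed log: a fast scan, a legitimate web visitor, a one-port-per-hour
# slow probe that brushes a flypaper address, and an internal host talking
# to a flypaper address.
SAMPLE_LOG = """\
2001-05-01 10:00:00 fw kernel: IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=22
2001-05-01 10:00:01 fw kernel: IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=25
2001-05-01 10:00:02 fw kernel: IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=80
2001-05-01 10:00:03 fw kernel: IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=443
2001-05-01 10:30:00 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=80
2001-05-01 10:31:00 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=80
2001-05-01 12:00:00 fw kernel: IN=eth0 SRC=203.0.113.44 DST=192.0.2.11 PROTO=TCP DPT=21
2001-05-01 13:00:00 fw kernel: IN=eth0 SRC=203.0.113.44 DST=192.0.2.11 PROTO=TCP DPT=23
2001-05-01 14:00:00 fw kernel: IN=eth0 SRC=203.0.113.44 DST=192.0.2.250 PROTO=TCP DPT=25
2001-05-01 15:00:00 fw kernel: IN=eth0 SRC=203.0.113.44 DST=192.0.2.11 PROTO=TCP DPT=110
2001-05-01 15:05:00 fw kernel: IN=eth0 SRC=192.0.2.5 DST=192.0.2.251 PROTO=UDP DPT=161
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ kernel: .*SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)"
)


def parse_line(line: str) -> Optional[Dict]:
    """Turn one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "src": ip_address(m["src"]),
        "dst": ip_address(m["dst"]),
        "proto": m["proto"],
        "dpt": int(m["dpt"]),
    }


def parse_log(text: str) -> List[Dict]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def scan_sources(events: List[Dict], min_ports: int = 4,
                 window: timedelta = timedelta(minutes=60)) -> Set[str]:
    """Sources that hit at least min_ports distinct (dst, port) pairs inside
    any single window. A probe slower than that slips through this check."""
    by_src: Dict = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    found: Set[str] = set()
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            targets = {(e["dst"], e["dpt"]) for e in evs[i:]
                       if e["ts"] - start["ts"] < window}
            if len(targets) >= min_ports:
                found.add(str(src))
                break
    return found


def flypaper_sources(events: List[Dict]) -> Set[str]:
    """Sources that touched a flypaper address; one packet is enough."""
    return {str(e["src"]) for e in events if e["dst"] in FLYPAPER}


def block_candidates(events: List[Dict]) -> List[str]:
    """External sources flagged by either check, ready for a border rule.
    Internal sources are left for the host-compromise follow-up instead."""
    suspects = scan_sources(events) | flypaper_sources(events)
    return sorted(s for s in suspects if ip_address(s) not in INTERNAL)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("rate detector:", scan_sources(evs))
    print("flypaper:", flypaper_sources(evs))
    print("block candidates:", block_candidates(evs))
```

In the sample, the one-port-per-hour source never exceeds the rate threshold and is only caught because one of its attempts lands on a flypaper address; the internal host that touched a flypaper address is reported but kept out of the block list, since it is either misconfigured or compromised and belongs with the "detect compromised hosts" goal rather than with the border firewall.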

16 Supporting information sources that can be fed into the database.
Central syslog collection and analysis.
Tripwire
“Nmap” database
Performance and usage analysis.

17 Open Source
Just about any platform (including Windows).
Many plugins and external modules.
Frequent rules updates.

18 Snort Plugins
Databases: MySQL, Oracle, PostgreSQL, unixODBC
Spade (Statistical Packet Anomaly Detection Engine)
FlexResp (session response/closing)
XML output
TCP streams (stream single-byte reassembly)

19 Snort Add-ons
Acid (Analysis Console for Intrusion Detection) – PHP
Guardian – IPCHAINS rules modifier (Girr – remover)
SnortSnarf – HTML
Snortlog – syslog
“Ruleset retrieve” – automatic rules updater.
Snorticus – central multi-sensor manager – shell
LogSnorter – syslog > Snort SQL database information adder.
+ a few Win32 bits and pieces.

20 Snort + Acid = ?
Acid is a CERT project.
Pretty simple PHP to MySQL.
Quite customizable.
Simple GUI for casual browsing.

21 Main Console

22 Individual alerts

23 Securityfocus Whitehats CVE

24 Rule details

25 Incident details

26 Incident Details

27 URLs
www.snort.org
http://www.cert.org/kb/acid/
www.whitehats.com (intrusion signatures data)
www.securityfocus.com (intrusion signatures data)
http://cve.mitre.org/ (intrusion signatures data)
http://www.psionic.com/ (logcheck + hostsentry)

