
Network Security Monitoring


Presentation Transcript


  1. Network Security Monitoring COEN 250

  2. Indicators and Warnings
  • Indicator
    • “an item of information which reflects the intention or capability of a potential enemy to adopt or reject a course of action”*
  • Indications and Warnings
    • “the strategic monitoring of world military, economic, and political events to ensure that they are not the precursor to hostile or other activities which are contrary to U.S. interests”**
  * DoD Dictionary of Military Terms
  ** U.S. Army Intelligence, Document on Indicators in Operations Other Than War

  3. Indicators and Warnings
  • Indicators generated by an Intrusion Detection System (IDS) are alerts
    • Examples:
      • Web server initiates outbound FTP to a site in Russia
      • Spike in ICMP messages
  • Warnings
    • Result of analyst’s interpretation of an indicator
    • Escalation of a warning
      • Conclusion that the warning warrants further analysis
      • Conclusion that the warning is indeed an incident
        • Triggers Incident Response

  4. Intrusion Detection Systems
  • Intrusion Detection
    • Process of monitoring events occurring in a computer system or network
    • Analyzing them for signs of possible incidents
  • Incident
    • Violation or imminent threat of violation of
      • computer security policies
      • acceptable use policies
      • standard security practices
    • Arise from
      • Malware
      • Attacks
      • Honest errors

  5. Intrusion Detection Systems
  • Intrusion Detection System
    • Software that automates the detection process
  • Intrusion Prevention System
    • Additionally has the capacity to stop some possible incidents

  6. Intrusion Detection Systems
  • Key functions of IDS technology
    • Recording information related to observed events
    • Notifying security administrators of important observed events
    • Producing reports
  • IDPS technology can be augmented by human analysis

  7. Intrusion Detection Systems
  • Key functions of IPS technology
    • IPS stops the attack itself
      • Terminate network connection
      • Terminate user session
      • Block access to target from
        • offending user account
        • IP address
      • Block all access to target
    • IPS changes the security environment
      • IPS changes configuration of other security controls to disrupt the attack
        • Reconfiguring a network device
        • Altering a host-based firewall
        • Applying patches to a host it detects is vulnerable

  8. Intrusion Detection Systems
  • Key functions of IPS technology
    • IPS changes the attack’s contents
      • Remove or replace malicious portions of an attack
        • Remove an infected file attachment from e-mail, but allow the e-mail sans attachment to reach its destination
      • IPS acts as a proxy and normalizes incoming requests

  9. Intrusion Detection Systems
  • Current IDPS technology has false positives and false negatives.
  • Attackers use evasion techniques
    • E.g. using escaping or encoding of the payload

  10. Intrusion Detection Systems: Common Detection Methodologies
  • Signature-Based Detection
    • A signature is a pattern corresponding to a known threat.
    • Examples
      • Telnet attempt with user name “root”
      • e-mail with “You received a picture from a *”
      • Operating system log entry indicating that the host’s auditing has been disabled

  11. Intrusion Detection Systems: Common Detection Methodologies
  • Signature-Based Detection
    • Very effective against known threats
    • Basically ineffective against unknown threats
    • Subject to evasion by polymorphic attacks

  12. Intrusion Detection Systems: Common Detection Methodologies
  • Anomaly-Based Detection
    • Relies on comparing definitions of normal activity against observed events
    • Identifies significant deviations
  • Anomaly-Based IDPS has profiles
    • Representing normal behavior of actors and activities
      • Users
      • Hosts
      • Network connections
      • Applications
    • Developed through observation over time

  13. Intrusion Detection Systems: Common Detection Methodologies
  • Anomaly-Based Detection Profile Examples:
    • Amount of email a user sends
    • Bandwidth of web activities
    • Number of failed login attempts for a host
    • Level of processor utilization for a host

  14. Intrusion Detection Systems: Common Detection Methodologies
  • Anomaly-Based Detection
    • Can be effective at detecting unknown threats
    • Depends on accuracy of profiles
      • Inadvertent inclusion of malicious activity in a profile
      • Dynamic profiles can be subverted by an attacker increasing activity slowly
      • Static profiles generate false positives if usage patterns differ
    • Subject to stealth attacks
    • Alerts are often hard for a human analyst to explain
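The profile examples (slide 13) and the profile caveats on this slide, worked through as an added example that is not part of the lecture: a per-host profile of failed logins per hour, with a static profile compared against a dynamic one that folds every non-alerting hour back into its baseline. The training window, threshold rule (mean + 3 standard deviations) and the "burst" and "ramp" observation series are all constructed for the example.

```python
"""Anomaly-based detection against a per-host profile (added example)."""
from statistics import mean, pstdev

# Constructed training window: failed login attempts per hour for one host.
TRAINING = [2, 3, 1, 4, 2, 3, 2, 5, 3, 2, 4, 3]


class Profile:
    """Normal-behaviour profile: alert when a count exceeds mean + k * stddev."""

    def __init__(self, history, k=3.0, dynamic=False):
        self.history = list(history)
        self.k = k
        self.dynamic = dynamic  # dynamic profiles learn from non-alerting observations

    def threshold(self):
        return mean(self.history) + self.k * pstdev(self.history)

    def observe(self, count):
        """Return True if count is anomalous; a dynamic profile absorbs benign counts."""
        alert = count > self.threshold()
        if self.dynamic and not alert:
            self.history.append(count)  # this is where slowly growing activity gets baked in
        return alert


def run(observations, dynamic):
    """Return (alert flag per observation, final threshold) for one profile type."""
    profile = Profile(TRAINING, dynamic=dynamic)
    flags = [profile.observe(c) for c in observations]
    return flags, profile.threshold()


# Sudden burst of failed logins: both profile types raise an alert on the third hour.
BURST = [3, 2, 40]
# Slow ramp: each hour is only slightly above the last. The static profile alerts
# once 7 failures exceed its fixed threshold (about 6); the dynamic profile keeps
# absorbing each hour, its threshold creeps above 13, and it never alerts.
RAMP = [5, 6, 7, 8, 9, 10, 11]

if __name__ == "__main__":
    for name, obs in (("burst", BURST), ("ramp", RAMP)):
        for dynamic in (False, True):
            flags, thr = run(obs, dynamic)
            kind = "dynamic" if dynamic else "static"
            print(f"{name:5} {kind:7} alerts={flags} final_threshold={thr:.2f}")
```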

  15. Intrusion Detection Systems: Common Detection Methodologies
  • Stateful Protocol Analysis
    • Sometimes known as “deep packet inspection”
    • Compares predetermined profiles of generally accepted definitions of benign protocol activity for each protocol state against observed events to identify deviations
    • “Stateful” refers to the IDPS capability of understanding and tracking the state of protocols

  16. Intrusion Detection Systems: Common Detection Methodologies
  • Stateful Protocol Analysis
    • Can identify unexpected sequences of commands
    • Allows tracking of authenticators for each session
      • Helpful for human analysis of suspicious activity
    • Typically includes reasonableness checks for individual commands
      • E.g. minimum and maximum length of arguments

  17. Intrusion Detection Systems: Common Detection Methodologies
  • Stateful Protocol Analysis
    • Uses protocol models based on standards
      • But most standards are underspecified
      • Many implementations are not completely compliant
    • Very resource intensive
    • Cannot detect attacks that do not violate a protocol
    • Detects protocol bending attacks
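Slides 15 to 17 in working code, as an added example that is not from the lecture: a protocol model for the client side of a simplified SMTP session that flags unexpected command sequences and applies a reasonableness check on argument length. The state table, the length limits and the three sample sessions are constructed assumptions; a message that follows the protocol but carries malicious content produces no finding, which is the limitation the last slide states.

```python
"""Stateful protocol analysis of a simplified SMTP client session (added example)."""

# Benign command order, one entry per protocol state: state -> {command: next_state}
TRANSITIONS = {
    "INIT":  {"EHLO": "READY", "HELO": "READY", "QUIT": "CLOSED"},
    "READY": {"MAIL": "MAIL", "RSET": "READY", "NOOP": "READY", "QUIT": "CLOSED"},
    "MAIL":  {"RCPT": "RCPT", "RSET": "READY", "QUIT": "CLOSED"},
    "RCPT":  {"RCPT": "RCPT", "DATA": "BODY", "RSET": "READY", "QUIT": "CLOSED"},
}
# Reasonableness check: maximum argument length per command (assumed limits,
# loosely following the 256-octet path length of RFC 5321).
MAX_ARG = {"EHLO": 255, "HELO": 255, "MAIL": 256, "RCPT": 256}
DEFAULT_MAX_ARG = 512


def analyze(lines):
    """Return a list of (line number, finding) for a sequence of client commands."""
    state = "INIT"
    findings = []
    for n, line in enumerate(lines, 1):
        if state == "BODY":
            if line == ".":          # end-of-data marker returns to READY
                state = "READY"
            continue                 # message body is data, not commands
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        allowed = TRANSITIONS.get(state, {})
        if verb not in allowed:
            findings.append((n, f"unexpected {verb or '<empty>'} in state {state}"))
            continue                 # an out-of-order command does not change state
        limit = MAX_ARG.get(verb, DEFAULT_MAX_ARG)
        if len(arg) > limit:
            findings.append((n, f"{verb} argument length {len(arg)} exceeds {limit}"))
        state = allowed[verb]
    return findings


# Constructed sessions (client commands only).
BENIGN = ["EHLO mail.example.org", "MAIL FROM:<alice@example.org>",
          "RCPT TO:<bob@example.net>", "DATA", "Subject: hello", "", "hi", ".", "QUIT"]
OUT_OF_ORDER = ["EHLO mail.example.org", "DATA", "MAIL FROM:<alice@example.org>", "QUIT"]
OVERLONG = ["EHLO mail.example.org", "MAIL FROM:<" + "a" * 300 + "@example.org>", "QUIT"]

if __name__ == "__main__":
    for name, session in (("benign", BENIGN), ("out_of_order", OUT_OF_ORDER), ("overlong", OVERLONG)):
        print(name, analyze(session))
```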

  18. Intrusion Detection Systems
  • Network-Based IDPS
  • Wireless IDPS
  • Network Behavior Analysis (NBA)
  • Host-Based IDPS

  19. Intrusion Detection Systems: Components
  • Sensors / Monitors
    • Used for network activity monitoring
  • Agent
    • Used for host-based IDPS
  • Management Server
    • Centralized component that receives data from agents and monitors
    • Performs correlation:
      • Matching event information from different monitors
  • Database server
    • Repository for previously recorded event information
  • Console
    • Interface for IDPS

  20. Network Monitors
  • Deployment
    • Depends on monitoring zones
      • Perimeter
        • External firewall through boundary router to the internet
      • DMZ
      • Wireless
      • Intranet(s)

  21. Network Monitors
  • Data Collection Tools
    • Hubs
    • SPAN (Switched Port Analyzer)
    • TAPs (Test Access Port)
    • Inline Devices

  22. Network Monitors
  • Sensor Management
    • Console access
      • Hard to manage
    • In-band remote access
      • Potential for loss of data confidentiality
      • Not functioning during a successful DoS attack
    • Virtual LAN
      • Potential for loss of data confidentiality
      • Not functioning during a successful DoS attack
    • Out-of-band remote access
      • E.g. modem

  23. Intrusion Detection Systems: Networks
  • Security Capabilities
    • Information Gathering
      • OS identification of hosts
      • General characteristics of networks
    • Logging
      • to confirm alerts
      • to investigate incidents
      • to correlate events with other sources
      • logs need to be protected against an attacker
      • timestamps need to account for clock drift between sensors
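The management server's correlation role (slide 19) and the clock-drift caveat on this slide, combined in one added example that is not part of the lecture: events from two sensors are normalized with a per-sensor clock offset before events about the same source address are matched within a time window. The sensor names, events, offsets and window are constructed; the offsets are assumed to have been measured against a reference clock, and with the offset ignored the two related events fall outside the window and are not correlated.

```python
"""Correlating events from two monitors on a management server (added example)."""
from datetime import datetime, timedelta

# Constructed events: (sensor, timestamp from the sensor's own clock, source IP, message)
EVENTS = [
    ("dmz-sensor", "2024-03-01T10:00:05", "203.0.113.7", "port scan of web01"),
    ("lan-sensor", "2024-03-01T10:02:20", "203.0.113.7", "outbound FTP from web01"),
    ("dmz-sensor", "2024-03-01T10:30:00", "198.51.100.9", "SYN flood against web01"),
]
# Assumed per-sensor clock offsets in seconds ahead of the reference clock
# (in practice measured by the management server; NTP should keep them small).
OFFSETS = {"dmz-sensor": 0, "lan-sensor": 95}


def normalize(events, offsets):
    """Shift each event onto the reference clock and sort chronologically."""
    out = []
    for sensor, ts, ip, msg in events:
        t = datetime.fromisoformat(ts) - timedelta(seconds=offsets.get(sensor, 0))
        out.append((t, sensor, ip, msg))
    return sorted(out)


def correlate(events, offsets, window=timedelta(seconds=60)):
    """Pair events from different sensors about the same source IP within `window`."""
    normed = normalize(events, offsets)
    pairs = []
    for i, (t1, s1, ip1, m1) in enumerate(normed):
        for t2, s2, ip2, m2 in normed[i + 1:]:
            if t2 - t1 > window:
                break            # events are sorted, so later ones are further away
            if ip1 == ip2 and s1 != s2:
                pairs.append((ip1, [m1, m2]))
    return pairs


if __name__ == "__main__":
    print("with drift correction:   ", correlate(EVENTS, OFFSETS))
    print("without drift correction:", correlate(EVENTS, {}))
```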

  24. Intrusion Detection Systems: Networks
  • Security Capabilities
    • Detection Capabilities
      • Typically require tuning and customization
        • Thresholds
        • Blacklists and Whitelists
        • Alert Settings
        • IDPS code viewing and editing
    • Prevention Capabilities
      • Vary with technology / field

  25. Intrusion Detection Systems: Management
  • Implementation
    • Architecture Design
      • Placement of sensors
      • Reliability of sensors
      • Location of other components
      • System interfaces
        • Systems to which IDPS provide data
        • Systems which IDPS resets for prevention
        • Systems that manage IDPS components
          • Patch management software
          • Network management software

  26. Intrusion Detection Systems: Management
  • Implementation
    • Component Testing and Deployment
      • Consider deployment in a test environment
        • E.g. to prevent a surge of false positives
      • IDPS deployment usually interrupts networks or systems for component installation
      • Configuration is typically a major effort

  27. Intrusion Detection Systems: Management
  • Implementation
    • Securing IDPS components
      • IDPS are often targeted by attackers
        • Because of effects on security
        • Because of sensitive data collected by IDPS
      • System hardening
        • Usual means
        • Separate accounts for each IDPS user and administrator
        • Configure firewalls, routers, etc. to limit direct access to IDPS components
      • Protect IDPS management communication
        • Physically
        • Logically
          • Encryption
          • Strong Authentication

  28. Intrusion Detection Systems: Management
  • Operations and Maintenance
    • Typically GUI, but sometimes command lines
    • Typical capabilities
      • Drill down
      • Reporting functions
      • Database open to scripted searches
    • Need for ongoing solution maintenance
      • Monitor IDPS components for operational and security issues
      • Periodic test of proper functioning
      • Regular vulnerability assessments
      • Receipt of notifications of security problems from vendor
      • Receipt of notifications for updates

  29. Intrusion Detection Systems: Management
  • Operations and Maintenance
    • Acquiring and Applying Updates
      • Of signature files
      • Of IDPS software components

  30. Intrusion Detection Systems: Management
  • Building and maintaining personnel skills
    • Basic security training
    • Vendor training
    • Product documentation
    • Technical support
    • Professional services (consulting by vendors)
    • User communities

  31. Network Based IDPS
  • Typical components
    • Appliance
      • Specialized hardware and sensor software / firmware
    • Host-based
      • Only software

  32. Network Based IDPS: Architecture and Sensor Locations
  • Inline
    • All traffic monitored must pass through it
    • Typically placed where firewalls etc. would be placed
      • Either hybrid devices
      • Or placed on the more secure side

  33. Network Based IDPS: Architecture and Sensor Locations
  • Passive
    • Monitors a copy of actual network traffic
      • Spanning Port
      • Network Tap
      • IDS Load Balancer
        • Receives copies of traffic from several sensors
        • Aggregates traffic from different networks
        • Distributes copies to one or more listening devices
    • Typically not capable of prevention

  34. Network Based IDPS
  • Typical detection capabilities
    • Application layer reconnaissance and attacks
      • Typically analyze several dozen application protocols
      • Detect
        • Banner grabbing
        • Buffer overflows
        • Format string attacks
        • Password guessing
        • Malware transmission

  35. Network Based IDPS
  • Typical detection capabilities
    • Transport layer reconnaissance and attacks
      • Detects
        • Port scanning
        • Unusual packet fragmentation
        • SYN floods
    • Network layer reconnaissance and attacks
      • Detects
        • Spoofed IP addresses
        • Illegal IP header values

  36. Network Based IDPS
  • Typical detection capabilities
    • Unexpected application services
      • Detects
        • Tunneled protocols
        • Backdoors
        • Hosts running unauthorized application services
      • Uses
        • Stateful protocol analysis
        • Anomaly detection
    • Policy violations
      • Detects
        • Use of inappropriate Web sites
        • Use of forbidden application protocols

  37. Network Based IDPS
  • Detection Accuracy
    • High degree of false positives and false negatives
    • Difficulty based on
      • Complexity of activities monitored
      • Different interpretation of the meaning of traffic between IDPS sensor and client / server
    • Cannot deal with encrypted network traffic
      • VPN, HTTP over SSL, SSH
    • Have limited capacity
      • Number of connections
      • Depth of analysis
      • Longevity of connections

  38. Network Based IDPS
  • Attacks on network-based IDPS
    • DDoS attacks generate unusually large volumes of traffic
      • Generate loads of anomalous traffic to exhaust IDPS resources
    • Blinding
      • Generates many IDPS alerts
      • Real attack is separate, but contemporaneous

  39. Network Based IDPS
  • Prevention capabilities
    • Passive sensors only
      • Ending current TCP session
        • Session sniping: sending resets to both partners
    • Inline only
      • Perform inline firewalling
      • Throttle bandwidth usage
      • Alter malicious content
    • Both passive and inline
      • Reconfigure other network security devices
      • Run a third party program or script

  40. Wireless IDPS
  • Wireless attacks typically require proximity to access points or stations
    • Typically, need access to the radio link between stations and access points
  • Many WLANs are configured with no or weak authentication

  41. Wireless IDPS
  • Components
    • Same as for network-based IDPS
      • Consoles
      • Database servers
      • Management servers
      • Sensors
        • These function differently than for wired IDPS
        • Need to monitor two bands (2.4 GHz and 5 GHz)
          • Divided into channels
        • A sensor only monitors a single channel at a time
          • Channel scanning (monitor a channel for seconds at most)

  42. Wireless IDPS
  • Wireless sensors
    • Dedicated sensors
      • Typically completely passive
      • Fixed or mobile
    • Bundled with an access point
    • Bundled with a wireless switch
    • Host-based IDPS sensor to be installed on a station

  43. Wireless IDPS

  44. Wireless IDPS
  • Sensor Locations
    • Physical security
      • Often deployed in open locations because of greater range than in closed locations
    • Sensor range
    • Cost
    • AP and wireless switch locations
      • Consider bundling or collocation

  45. Wireless IDPS
  • Security capabilities
    • Information gathering
      • Identifying WLAN devices
        • Typically based on SSIDs and MAC addresses
      • Identifying WLANs
        • Keep track of observed WLANs identified by SSID
    • Logging capability

  46. Wireless IDPS
  • Security capabilities
    • Detection capability
      • Events
        • Unauthorized WLANs and WLAN devices
        • Poorly secured WLAN devices
          • A station is using WEP instead of WPA2
        • Unusual usage patterns
        • The use of (active) wireless network scanners
        • Denial of service (DoS) attacks and conditions
        • Impersonation and man-in-the-middle attacks

  47. Wireless IDPS
  • Detection accuracy
    • Usually quite high due to limited scope
  • Tuning and Customization
    • Specify authorized WLANs, access points, stations
    • Set thresholds for anomaly detection
    • Some use blacklists and whitelists

  48. Wireless IDPS
  • Wireless IDPS cannot detect:
    • Attacker passively monitoring traffic
    • Attackers using evasion techniques
      • Attacker can identify the IDPS product
        • Physical survey
        • Fingerprinting by prevention actions
      • Attacker takes advantage of the product’s channel scanning scheme
        • Short bursts of attack packets on channels not currently monitored
        • Attack on two channels at the same time

  49. Wireless IDPS
  • Attacks on wireless IDPS
    • Same DDoS techniques
    • Physical attacks
    • Jamming

  50. Wireless IDPS
  • Prevention capabilities
    • Wireless prevention
      • Terminate connections between rogue or misconfigured stations and rogue or misconfigured access points
        • Send discontinue messages to endpoints
    • Wired prevention
      • Block network activity involving a particular station or access point
