Intrusion detection on a shoestring budget
Download
1 / 19

Intrusion Detection on a Shoestring Budget - PowerPoint PPT Presentation


  • 78 Views
  • Uploaded on

Intrusion Detection on a Shoestring Budget. Shane Williams UT Austin Graduate School of Library and Information Science Oct. 18, 2000 SANS Network Security 2000. Setting. Public university department Lean budget Priority on openness Limited technical knowledge Independent faculty

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Intrusion Detection on a Shoestring Budget' - magee


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Intrusion detection on a shoestring budget

Intrusion Detection on a Shoestring Budget

Shane Williams

UT Austin Graduate School of Library and Information Science

Oct. 18, 2000

SANS Network Security 2000


Setting
Setting

  • Public university department

    • Lean budget

    • Priority on openness

    • Limited technical knowledge

    • Independent faculty

    • Heterogeneous computing environment


Setting1
Setting

  • Implications for security

    • Prime target for crackers

    • Not everyone understands need for security

    • Policy can be hard to implement

    • Solutions must be:

      • Inexpensive

      • Unobtrusive


Solutions
Solutions

  • Focus on Open Source Software

    • Often cost-free

    • Can run on inexpensive hardware

  • Prioritize security activities

    • Prevention

    • Detection

    • Maintenance

    • Only then identify


Prevention
Prevention

  • Verify clean systems or detection can be subverted

  • Identify platform specific vulnerabilities

    • Patch operating systems

    • Patch server software (www, ftp, etc.)

  • Enforce good user practices (especially as regards passwords).


Detection
Detection

  • Network based

    • Network Flight Recorder (NFR)

      • Academic Research version

    • Snort

    • Tcpdump

  • Host based

    • Tripwire


Detection1
Detection

  • Create a watchtower

    • Minimal open ports

      • SSH

      • Only visible from within subnet

    • Used many of the same tools mentioned above

  • About $2000 to $2500

    • FreeBSD OS

    • Commodity components


Network based ids
Network Based IDS

  • Switched versus shared may cause complications

    • Network IDS needs to see the network

    • Can work in a switched environment, but:

      • Depends on switching equipment

      • Switches are often controlled outside departments

  • False positives


Network flight recorder
Network Flight Recorder

  • Created to act as a “black box” for intrusion detection

  • Advantages

    • Records all network traffic

    • Alerts on specific signatures

    • Good query tools

    • Remote interface


Network flight recorder1
Network Flight Recorder

  • Disadvantages

    • Data collection takes up space

    • Space management feature didn’t always work

    • No longer freely available


Snort
Snort

  • Created to be a lightweight network IDS

    • Lightweight meaning compact and efficient

    • Not lightweight on performance

  • Advantages

    • Small size

    • Easy to install

    • Open source development means continued enhancement


Snort1
Snort

  • Disadvantages

    • Only saves suspect traffic

    • No query features

      • But other developers are working on this

    • Experiencing growing pains


Tcpdump
Tcpdump

  • Simple but powerful utility for listening to network traffic

  • Advantages

    • Can collect packet payload

    • Indispensable in understanding exploits

  • Disadvantages

    • Massive data storage requirements


Tripwire
Tripwire

  • Host-based IDS that calculates digital signatures of specified files

  • Differences between older open source version and newer commercial version

    • Signed files require pass phrase to change

    • Levels of violation


Tripwire1
Tripwire

  • Advantages

    • Doesn’t depend on network

    • Minimal false positives

    • Can catch local exploits


Tripwire2
Tripwire

  • Disadvantages

    • Requires careful setup to prevent subversion

    • Databases must be kept up to date

  • Best in hierarchical structure

    • Minimizes possibility of tampering


Conclusions
Conclusions

  • There are plenty of free tools out there

  • Host based better than network based

    • IPv6

    • Encrypted traffic

  • Tripwire is a preferred tool

    • Works well now to detect attacks

    • Potential to be enhanced even more



URLs

  • Network Flight Recorder

    • http://www.nfr.com/

  • Snort

    • http://www.snort.org/

  • Tripwire

    • http://www.tripwire.com/

  • Updated info

    • http://www.gslis.utexas.edu/~shanew/security.html


ad