Intrusion Detection on a Shoestring Budget. Shane Williams UT Austin Graduate School of Library and Information Science Oct. 18, 2000 SANS Network Security 2000. Setting. Public university department Lean budget Priority on openness Limited technical knowledge Independent faculty

Presentation Transcript

Intrusion Detection on a Shoestring Budget

Shane Williams

UT Austin Graduate School of Library and Information Science

Oct. 18, 2000

SANS Network Security 2000

Setting
  • Public university department
    • Lean budget
    • Priority on openness
    • Limited technical knowledge
    • Independent faculty
    • Heterogeneous computing environment
Setting
  • Implications for security
    • Prime target for crackers
    • Not everyone understands need for security
    • Policy can be hard to implement
    • Solutions must be:
      • Inexpensive
      • Unobtrusive
Solutions
  • Focus on Open Source Software
    • Often cost-free
    • Can run on inexpensive hardware
  • Prioritize security activities
    • Prevention
    • Detection
    • Maintenance
    • Only then identify
Prevention
  • Verify clean systems or detection can be subverted
  • Identify platform specific vulnerabilities
    • Patch operating systems
    • Patch server software (www, ftp, etc.)
  • Enforce good user practices (especially as regards passwords).
Detection
  • Network based
    • Network Flight Recorder (NFR)
      • Academic Research version
    • Snort
    • Tcpdump
  • Host based
    • Tripwire
Detection
  • Create a watchtower
    • Minimal open ports
      • SSH
      • Only visible from within subnet
    • Used many of the same tools mentioned above
  • About $2000 to $2500
    • FreeBSD OS
    • Commodity components
Network Based IDS
  • Switched versus shared may cause complications
    • Network IDS needs to see the network
    • Can work in a switched environment, but:
      • Depends on switching equipment
      • Switches are often controlled outside departments
  • False positives
Network Flight Recorder
  • Created to act as a “black box” for intrusion detection
  • Advantages
    • Records all network traffic
    • Alerts on specific signatures
    • Good query tools
    • Remote interface
Network Flight Recorder
  • Disadvantages
    • Data collection takes up space
    • Space management feature didn’t always work
    • No longer freely available
Snort
  • Created to be a lightweight network IDS
    • Lightweight meaning compact and efficient
    • Not lightweight on performance
  • Advantages
    • Small size
    • Easy to install
    • Open source development means continued enhancement
Snort
  • Disadvantages
    • Only saves suspect traffic
    • No query features
      • But other developers are working on this
    • Experiencing growing pains
Tcpdump
  • Simple but powerful utility for listening to network traffic
  • Advantages
    • Can collect packet payload
    • Indispensable in understanding exploits
  • Disadvantages
    • Massive data storage requirements
Tripwire
  • Host-based IDS that calculates digital signatures of specified files
  • Differences between older open source version and newer commercial version
    • Signed files require pass phrase to change
    • Levels of violation
Tripwire
  • Advantages
    • Doesn’t depend on network
    • Minimal false positives
    • Can catch local exploits
Tripwire
  • Disadvantages
    • Requires careful setup to prevent subversion
    • Databases must be kept up to date
  • Best in hierarchical structure
    • Minimizes possibility of tampering
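The three Tripwire slides above describe the mechanism only in bullets: a baseline of file signatures, a pass phrase that protects the signed database, levels of violation, and a database that must be kept current or attackers can subvert the check. The following is an added example, not code from the slides or from Tripwire, showing that mechanism end to end in Python. It assumes SHA-256 as the per-file digest, an HMAC keyed from the pass phrase (via PBKDF2 with a constructed salt) as the seal on the baseline, and three violation levels named added, removed and changed; the files it scans are constructed in a temporary directory so it runs offline.

```python
"""Minimal Tripwire-style file integrity checker (added example, not Tripwire's code).

Assumptions: SHA-256 file digests, a baseline sealed with an HMAC whose key is
derived from a pass phrase, and three violation levels (added/removed/changed).
The sample files are constructed in a temporary directory.
"""
import hashlib
import hmac
import json
import os
import tempfile

# Constructed salt for the demo; a real deployment would use a stored random salt.
SALT = b"shoestring-ids-demo-salt"


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root):
    """Walk root and record digest, mode and size of every regular file."""
    entries = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            st = os.lstat(path)
            entries[rel] = {"sha256": file_digest(path),
                            "mode": st.st_mode, "size": st.st_size}
    return entries


def derive_key(passphrase):
    """Turn the pass phrase into an HMAC key (PBKDF2, assumed parameters)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), SALT, 100_000)


def seal(entries, passphrase):
    """Sign the baseline so it cannot be edited without the pass phrase."""
    body = json.dumps(entries, sort_keys=True)
    tag = hmac.new(derive_key(passphrase), body.encode(), "sha256").hexdigest()
    return {"entries": entries, "hmac": tag}


def verify(baseline, passphrase):
    """True only if the stored HMAC matches the entries under this pass phrase."""
    body = json.dumps(baseline["entries"], sort_keys=True)
    expected = hmac.new(derive_key(passphrase), body.encode(), "sha256").hexdigest()
    return hmac.compare_digest(expected, baseline["hmac"])


def compare(old_entries, new_entries):
    """Classify each difference into a violation level, sorted by path."""
    violations = []
    for rel in sorted(set(old_entries) | set(new_entries)):
        old, new = old_entries.get(rel), new_entries.get(rel)
        if old is None:
            violations.append(("added", rel))
        elif new is None:
            violations.append(("removed", rel))
        elif old != new:
            violations.append(("changed", rel))
    return violations


def check(root, baseline, passphrase):
    """Refuse to trust a baseline that fails its seal, then diff it against disk."""
    if not verify(baseline, passphrase):
        raise ValueError("baseline rejected: bad pass phrase or tampered database")
    return compare(baseline["entries"], scan(root))


def demo():
    """Build a baseline over constructed files, alter them, and report violations."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(etc, "motd"), "w") as f:
            f.write("welcome\n")
        baseline = seal(scan(root), "correct horse battery")

        # Constructed changes after the baseline was taken.
        with open(os.path.join(etc, "passwd"), "a") as f:
            f.write("guest:x:1001:1001:guest:/home/guest:/bin/sh\n")
        os.remove(os.path.join(etc, "motd"))
        with open(os.path.join(etc, "hosts.new"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        violations = check(root, baseline, "correct horse battery")

        # Editing the database without the pass phrase breaks the seal.
        tampered = json.loads(json.dumps(baseline))
        tampered["entries"]["etc/passwd"]["sha256"] = "0" * 64
        tamper_detected = not verify(tampered, "correct horse battery")
        return violations, tamper_detected


if __name__ == "__main__":
    for level, path in demo()[0]:
        print(f"{level:8s} {path}")
```

Two of the slides' cautions fall out of this design. "Requires careful setup to prevent subversion" is why `check` refuses to proceed when the seal fails: a baseline an attacker can rewrite is worthless, and in practice the sealed database belongs on read-only or offline media. "Databases must be kept up to date" is why every legitimate patch or edit has to be followed by re-running `seal` with the pass phrase, otherwise the next check reports the change as a violation and real findings drown in noise.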
Conclusions
  • There are plenty of free tools out there
  • Host based better than network based
    • IPv6
    • Encrypted traffic
  • Tripwire is a preferred tool
    • Works well now to detect attacks
    • Potential to be enhanced even more
URLs
  • Network Flight Recorder
    • http://www.nfr.com/
  • Snort
    • http://www.snort.org/
  • Tripwire
    • http://www.tripwire.com/
  • Updated info
    • http://www.gslis.utexas.edu/~shanew/security.html