
Host-Based Intrusion Detection


Presentation Transcript


  1. FORESEC Academy Security Essentials (III): Host-Based Intrusion Detection

  2. Agenda
  • The need for host-based ID
  • Host-based ID Methodology
  • Unix host-based ID Tools
  • Windows host-based ID Tools

  3. Need for Host-based ID
  • Very fast networks
  • Switched networks
  • Encrypted networks
  • Backdoors in local network
  • Insider on network
  • Network-based IDS may miss attack
  • Don't trust corporate security that much

  4. Very Fast Networks
  • The current limits for network-based IDS boxes are about 80 MB/sec fully loaded
  • A 200 MHz Pentium bus would only partially increase this
  • Bandwidth at large sites will probably always exceed network detection and processing speed
  • HIDS does not face bandwidth challenges, but does present deployment issues

  5. Switched Networks
  • Network-based intrusion detection systems rely on promiscuous mode for their NICs; this is not possible with switched networks
  • Intrusion detection in the switch is the future direction, not really here yet
  • Spanning ports and network taps provide semi-effective options

  6. Switched Network Diagram
  In a switched network, a virtual circuit is created between two peers across the switch fabric. Each port on the switch only supports the circuits to that host.

  7. Spanning Port, Switched Networks
  Sensors can be placed on a spanning port, but can usually only monitor one VLAN at a time. This does not work very well in practice.

  8. Network Taps

  9. Encrypted Networks
  • NIDS sensors can't analyze what they can't read
  • The use of encryption for network traffic is growing
  • Encryption can be used by attackers to hide their traffic
  • Traffic must be read before/after the encryption process
  • NIDS and HIDS can work together to address these challenges

  10. Host-based Intrusion Detection Methodology
  • Host-based systems monitor their network connections and file system status. For this to work, we have to acquire the aggregate logs of ALL critical systems at a minimum
  • Local processing/alerting may be done, but data is generally sent to a central location for parsing
  • When potential problems are found, alerts are raised

  11. Host-based Intrusion Detection Methodology (2)
  1) A connects to B
  2) B logs connection and informs Logserver
  3) Logserver records A -> B connection, checks ruleset, A -> B is OK, waits.

  12. Unix Host-based Intrusion Detection
  • TCPWrappers
  • Port Sentry
  • Syslog
  • Swatch
  • Tripwire

  13. TCPWrappers
  • Monitors and filters incoming TCP network service requests
  • Valuable logging tool
  • Where to get it
    - ftp://ftp.porcupine.org/pub/security/index.html
    - Currently included in most Unix / Linux distributions

  14. Without TCPWrappers: all incoming TCP requests serviced

  15. With TCPWrappers: all requests checked and logged

  16. Host Deny
  ALL : ALL # Deny everything, add back with /etc/hosts.allow

  17. Host Allow
  ALL: .nnnn.abc.org, 192.168.2, friend.somewhere.edu
  sshd: trustedhost.somewhere.org

  18. Paranoid Mode
  • Default for TCPWrappers
    - Checks both forward and reverse DNS lookup
    - Both answers must match or connection is dropped
    - Adds a layer of security against spoofing
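The hosts.deny / hosts.allow rules on the two slides above and the paranoid-mode check, worked through as an added Python example (not TCPWrappers' own code): it parses both rule files, applies the allow-then-deny order, and drops a client whose reverse name does not resolve back to its address. The DNS tables are constructed stand-ins, and the slide's "192.168.2" is written with the trailing dot that hosts_access(5) requires for an address-prefix match.

```python
"""TCP Wrappers-style access check with the PARANOID forward/reverse test.
Added example after slides 16-18, not libwrap itself. The DNS tables are
constructed stand-ins; the slide's "192.168.2" is written "192.168.2." because
hosts_access(5) treats a pattern ending in "." as an address prefix."""
REVERSE = {"10.0.0.5": "trustedhost.somewhere.org", "192.168.2.7": "pc7.nnnn.abc.org",
           "203.0.113.9": "friend.somewhere.edu"}           # constructed PTR stand-in
FORWARD = {"trustedhost.somewhere.org": ["10.0.0.5"], "pc7.nnnn.abc.org": ["192.168.2.7"],
           "friend.somewhere.edu": ["198.51.100.4"]}        # constructed A records; last disagrees with PTR

HOSTS_ALLOW = """ALL: .nnnn.abc.org, 192.168.2., friend.somewhere.edu
sshd: trustedhost.somewhere.org
"""
HOSTS_DENY = "ALL: ALL   # deny everything, add back with /etc/hosts.allow\n"

def parse_rules(text):
    """'daemons : clients' lines -> [(daemons, clients)]; '#' comments dropped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            daemons, clients = line.split(":", 1)
            rules.append(([d.strip() for d in daemons.split(",")], [c.strip() for c in clients.split(",")]))
    return rules

def paranoid_name(ip):
    """PTR name must resolve back to the same address, else 'PARANOID'."""
    name = REVERSE.get(ip)
    if name is None:
        return None                      # unresolved: address-only matching
    return name if ip in FORWARD.get(name, []) else "PARANOID"

def client_matches(pattern, ip, name):
    if pattern == "ALL":
        return True
    if pattern.startswith("."):          # domain suffix
        return name is not None and name.endswith(pattern)
    if pattern.endswith("."):            # address prefix
        return ip.startswith(pattern)
    return pattern in (ip, name)         # exact host name or address

def access_allowed(daemon, ip):
    """hosts.allow is consulted first, then hosts.deny, else allow."""
    name = paranoid_name(ip)
    if name == "PARANOID":
        return False                     # dropped before any rule is read
    for ruleset, verdict in ((HOSTS_ALLOW, True), (HOSTS_DENY, False)):
        for daemons, clients in parse_rules(ruleset):
            if any(d in ("ALL", daemon) for d in daemons) and any(client_matches(c, ip, name) for c in clients):
                return verdict
    return True
```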

  19. Brief DNS Review (TCPWrappers Paranoid mode)

  20. TCPWrappers in Action (Intrusion detection AND prevention)

  21. TCPWrappers Threat List
  • Outsider attack from network
  • Outsider attack from telephone
  • Insider attack from local network
  • Insider attack from local system
  • Attack from malicious code

  22. Psionic Port Sentry (TCPWrappers with an attitude)
  • Runs on TCP and UDP
  • Stealth scan detection for Linux
  • SYN/half-open, FIN, NULL, X-MAS and oddball packet stealth scans
  • Port Sentry will react to a port scan attempt by blocking the host in real-time
  • Will remember hosts that connected previously

  23. Psionic Port Sentry Log
  • Jul 3 11:30:20 shepherd portsentry[418]: attackalert: SYN/Normal scan from host: node10453.a2000.nl/24.132.4.83 to TCP port: 143
  • Jul 3 11:30:20 shepherd portsentry[418]: attackalert: Host 24.132.4.83 has been blocked via wrappers with string: "ALL: 24.132.4.83"
  • Jul 3 11:30:20 shepherd portsentry[418]: attackalert: Host 24.132.4.83 has been blocked via dropped route using command: "/sbin/route add -host 24.132.4.83 gw 333.444.555.666"

  24. Syslog
  • Unix system logger can be on a local system or other system
  • TCPWrappers logs to Syslog by default
  • Logs can offer valuable information, but they can also be compromised
  • Swatch or other tools can monitor syslog and raise alerts
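A Swatch-style monitor for the Port Sentry log lines on slide 23, as an added example (not Swatch or Port Sentry code): it summarises each scanning host from syslog and escalates one that was seen scanning but never blocked, which is the case a central log server should catch. The sample log repeats the slide's three lines (spacing repaired) plus two constructed ones.

```python
"""Swatch-style watcher for Port Sentry 'attackalert' lines in syslog.
Added example after slides 23-24; not Swatch or Port Sentry code. SAMPLE_LOG
repeats the slide's three lines (spacing repaired) plus two constructed ones;
the escalation rule is an assumption."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Jul 3 11:30:20 shepherd portsentry[418]: attackalert: SYN/Normal scan from host: node10453.a2000.nl/24.132.4.83 to TCP port: 143
Jul 3 11:30:20 shepherd portsentry[418]: attackalert: Host 24.132.4.83 has been blocked via wrappers with string: "ALL: 24.132.4.83"
Jul 3 11:30:20 shepherd portsentry[418]: attackalert: Host 24.132.4.83 has been blocked via dropped route using command: "/sbin/route add -host 24.132.4.83 gw 333.444.555.666"
Jul 3 11:31:02 shepherd sshd[501]: Accepted publickey for alice from 192.168.2.7 port 51022
Jul 3 11:32:10 shepherd portsentry[418]: attackalert: SYN/Normal scan from host: 198.51.100.77/198.51.100.77 to TCP port: 23
"""

SCAN_RE = re.compile(r"portsentry\[\d+\]: attackalert: (?P<kind>.+?) scan from host: "
                     r"(?P<name>\S+)/(?P<ip>[\d.]+) to (?P<proto>TCP|UDP) port: (?P<port>\d+)")
BLOCK_RE = re.compile(r"portsentry\[\d+\]: attackalert: Host (?P<ip>[\d.]+) "
                      r"has been blocked via (?P<how>wrappers|dropped route)")

def parse_portsentry(log_text):
    """Per source address: resolved name, scanned ports, and recorded block actions."""
    hosts = defaultdict(lambda: {"name": None, "ports": [], "blocked_by": []})
    for line in log_text.splitlines():
        m = SCAN_RE.search(line)
        if m:
            h = hosts[m["ip"]]
            h["name"] = m["name"]
            h["ports"].append((m["proto"], int(m["port"]), m["kind"]))
            continue
        m = BLOCK_RE.search(line)
        if m:
            hosts[m["ip"]]["blocked_by"].append(m["how"])
    return dict(hosts)

def alerts(summary):
    """Every scan raises an alert; a scan with no block action recorded is
    escalated, because Port Sentry did not (or could not) contain the host."""
    out = []
    for ip, h in sorted(summary.items()):
        if not h["ports"]:
            continue
        ports = ", ".join(f"{proto}/{port}" for proto, port, _ in h["ports"])
        if h["blocked_by"]:
            out.append(f"ALERT scan from {h['name']} ({ip}) on {ports}; blocked via {' and '.join(h['blocked_by'])}")
        else:
            out.append(f"ESCALATE scan from {h['name']} ({ip}) on {ports}; no block recorded")
    return out
```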
