1 / 58

EE579T / CS525T Network Security 11: Intrusion Detection Systems; Wireless Security

EE579T / CS525T Network Security 11: Intrusion Detection Systems; Wireless Security. Prof. Richard A. Stanley. Overview of Tonight’s Class. Review last week’s lesson Final Exam On the web page Due to me electronically in 2 weeks (26 Apr) Project Scheduling Presentations on 15 April

moana
Download Presentation

EE579T / CS525T Network Security 11: Intrusion Detection Systems; Wireless Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. EE579T / CS525TNetwork Security11:Intrusion Detection Systems;Wireless Security Prof. Richard A. Stanley

  2. Overview of Tonight’s Class • Review last week’s lesson • Final Exam • On the web page • Due to me electronically in 2 weeks (26 Apr) • Project Scheduling • Presentations on 15 April • Keep presentations to 25 minutes including Q&A • Let’s have volunteers for each time slot, keeping in mind your work schedules • Intrusion detection systems • Wireless security

  3. Summary • SNMP is widely-used for managing clients distributed across a network • SNMPv1 is simple, effective, and provides the majority of SNMP service in the field • SNMPv2 adds some functionality to v1 • SNMPv3 is a security overlay for either version, not a standalone replacement • SNMP security is a major issue!

  4. Intrusion Detection Systems • Oddly enough, these are systems designed to detect intrusions into protected systems • Security intrusion (per RFC 2828): • A security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.

  5. What’s a Security Incident? • A security event that involves a security violation. (See: CERT, GRIP, security event, security intrusion, security violation.) • In other words, a security-relevant system event in which the system's security policy is disobeyed or otherwise breached. • "Any adverse event which compromises some aspect of computer or network security." [R2350] Source: RFC 2828, page 152; emphasis added

  6. Why Do We Need This? • With the exception of authentication systems, most of the defenses we have studied up to now are directed towards intruders coming from outside the firewall • These systems are not perfect--some intruders will get through • Moreover, defenses such as firewalls cannot protect against intruders on the inside

  7. Intrusion Detection Functions • Monitor protected networks and computers in real time (or as close to real time as is practicable) • Detect security incidents • Requires a policy, and a way for the IDS to know what that policy is • Respond • Raise an alarm • Send some automated response to the attacker

  8. IDS vs. Auditing • Audits tend to be a posteriori • But an IDS can be seen as performing a constant, near real time audit function • To perform an audit, you need to know what the policy is • Audits measure departures from the policy norms • Audits depend on system logs

  9. Early IDS’s • Emulated the audit function • Crawled the logs, looking for deviations from policy-permitted actions • Intent was to speed up the audit, making it nearly real time • Still a useful approach • IDS technology has been around only since the early 1990’s; not too mature

  10. IDS Uses • Monitor system usage • Determine access, usage patterns • Plan for capacity engineering • Monitor specific problem areas • Serve as a deterrent • Sort of like the “burglar alarm” label on a house, even if there is really no alarm

  11. Log Files • Are evidence if an intrusion occurs • Must be stored in their original, unmodified form, otherwise inadmissible in court • Provide data from which trends can be deduced • Can be subjected to forensic analysis • Probably needed to assess level of system compromise/damage and to restore to state prior to intrusion

  12. Legal Issues - 1 • Privacy of your employees • Courts have held that employees have little expectation of privacy in the workplace, especially if told so at the outset • email can be monitored at work by employer • phone calls can be monitored at work by employer • doing either of these things outside the workplace violates the wiretap statutes (18 USC § 2516, etc.)

  13. Legal Issues - 2 • What if the IDS discovers illegal acts being performed on/by your network? • Employees using the network for illegal activities • Outsiders having planted zombie programs so that your system attacks others • What is your responsibility and liability?

  14. Legal Issues - 3 • This may be a Catch-22 issue • If an attacker is using your system, law enforcement may want you to continue to allow that to happen so they can apprehend the attacker • If you interrupt the attack, could be interpreted as obstruction of justice • But, if you allow the attack to continue, you may be liable for damages to those attacked • Get legal advice--beforehand!

  15. What About Automated Response? • Tempting capability • If attacking your system is illegal, what makes your attack on the attacker in response less illegal? • What if you are, or are acting on behalf of, a governmental entity and the attacker is also a governmental entity? • Casus belli

  16. Sensor Sensor Sensor Sensor Sensor IDS Architecture Management Console

  17. Console • Monitors and controls sensors • Sets policy, alarm levels, etc. • Stores logs • Must have secure communications with sensors • Encrypted connection • Out of band (OOB)

  18. IDS Types • Network-based (NIDS) • Monitors the network backbone • Network node-based (NNIDS) • Monitors network nodes, not the backbone • Host-based (HIDS) • This is the “log crawler” that started it all • Gateway (GIDS) • NIDS in series with the network

  19. What Can It See? • Network packets • OS API calls • System logs • How do we merge this data to detect intrusions?

  20. Host-Based • Sits on a host as a background task • Monitors (potentially) • traffic to and from the host • OS API calls • system logs • Adds to processing load on the host, so host must be able to support the extra load

  21. Network-based • NIDS sensors placed on network backbone • Can view only packet traffic passing by, much like a classic passive sniffer • Does not place processing load on network, but the NIDS platform must be capable of dealing with network traffic speeds • Software can usually handle 100 Mbps • Hardware only 2-3 times faster • If network is faster, looks only at subset of packets

  22. Network Node-based • Used to inspect intrusions directly into network nodes • Effectively a blending of HIDS and NIDS • Used to protect mission-critical machines • Again, a background process on existing nodes, so node must be able to handle added processing load

  23. Gateway • In series with network • Often set to block prohibited traffic automatically • Think of it as an in-network firewall with an extended rule set • Must be able to keep up with network load

  24. Intrusion Protection Systems • Latest trend in IDS technology • Idea is to use what the IDS identifies to change the network rules ad hoc, in theory preventing further exploitation • Very similar to GIDS

  25. IPS Issues • Attack signatures generally known only a posteriori • Heuristic analysis has not worked very well in other venues, such as virus detection • How long to maintain the “new” rules before reverting to the original ones? • Exploitation of the IPS

  26. Deployment • Putting in an IDS is a complex and time-consuming affair • Typically, start simple and add functionality as you learn more about the network • NIDS tends to see more and load network least • Follow up with HIDS on selected hosts, perhaps NNIDS on critical nodes • Policy has to be in place first

  27. Attack Signatures • Critical to success of any IDS • Must be maintained, just like virus signatures • You want some visibility into this • Do you want strangers deciding what is an attack on your critical systems? • Some IDS’s let you write/modify signatures, others do not • CVE: http://www.cve.mitre.org/

  28. IDS Deployment • First, design the IDS sensor and management layout • Next, deploy the IDS • Test the network for normal operation • Test the IDS • Run packaged attacks to see if all are detected • Document performance and repeat test regularly • Tune the IDS

  29. Sampling of IDS Products • RealSecure: http://www.iss.net/products_services/enterprise_protection/rsnetwork/sensor.php • NFR: http://www.nfr.net/ • Snort: http://www.snort.org/ • SnortSnarf: http://www.silicondefense.com/software/snortsnarf/

  30. IDS Summary • IDS’s can be useful in monitoring networks for intrusions and policy violations • Up-to-date attack signatures and policy implementations essential • Many types of IDS available, at least one as freeware • Serious potential legal implications • Automated responses to be avoided

  31. Wireless Network Security • Wireless networks growing at a rapid pace • Gartner Group predicts wireless installations will multiply >7X by 2007 to over 31M • Business drivers • Installation cost and time • Mobility • Flexibility • Operating costs

  32. Wireless Inherently Insecure • Wired networks contain (or try) signals to a wired path, which must be physically tapped to compromise line security • Possible to physically discover the tap • Wireless networks deliberately broadcast data into space, where it can be intercepted by anyone with proper receiver • Data tap impossible to discover

  33. This Isn’t New News • Since early days, wireless vendors strove to provide privacy equivalent to that available on the wired network • WEP = wired equivalent privacy • This is not a high standard to meet • They succeeded, but that wasn’t good enough for user requirements

  34. Wireless Security Issues • How does a wireless network work? • How can you “join up?” • What about the encryption? • Can it really be secure?

  35. How It Works • Clients send probes • Access points broadcast beacons and, often, their Server Set ID (SSID) • When a client finds an access point with an acceptable signal level and a matching SSID, a connection is established • Many networks are built precisely to facilitate connection by “foreign” users

  36. Wireless LAN Elements [AP] [STA]

  37. Origins of WEP • Marketing and Political Issues: • Developed as part of a wireless LAN research project at Apple Computer, Inc.. • Eavesdropping was perceived as a barrier to market acceptance. • Apple sells into a worldwide market so solution had to be exportable. • NSA only allowed 40-bit encryption to be exported.

  38. Origins of WEP (cont.) • Technical Issues: • Eavesdropping on wireless link => privacy and authentication problems. • Multiple network protocols (in 1993) => solution required at data link layer. • Data link layer is “best effort” => crypto-state (other than shared key) must accompany each frame.

  39. WEP Solution • Apple had unlimited RC4 license from RSA, Inc. • Method and apparatus for variable-overhead cached encryption, US Patent 5,345,508 applied for 23 Aug 1993, granted 6 Sept 1994. • Licensed for export in mid-1994.

  40. + + WEP Encryption IV Key Sequence Initialization Vector (IV) Seed PRNG RC4() Cache Secret Key (MAX_MSG_SZ) Ciphertext Plaintext

  41. IEEE 802.11’s use of WEP • IEEE runs by Robert’s Rules; “one man, one vote” • Simple majority required to add text, 75% vote to change text in draft standard • WEP introduced in March 1994 • Strong pushback in committee regarding cost and overhead of encryption • Dilution of proposal; privacy made optional

  42. WEP Security Problems • Papers submitted to 802.11 committee highlight the problems with WEP; “Unsafe at any Key Size” presented in October 2000 • 802.11 Task Group I formed to solve WEP security problems • Press gets wind of the issue • Public domain attacks; “war driving”

  43. WEP Security Problems (cont.) • Passive attacks to decrypt traffic based on statistical analysis • Active ‘known plaintext’ attack to inject new traffic from unauthorized mobile stations • Active attacks to decrypt traffic, based on tricking the access point • Dictionary-building attack; real-time automated decryption of all traffic after a day’s sampling

  44. 802.11 Task Group I • Long term security architecture for 802.11 • Based on 802.1X authentication standard and two new encryption protocols (TKIP and CCMP) – Labeled Robust Security Network (RSN) • Uses Upper Layer Authentication (ULA) protocols outside the scope of 802.11i (e.g. EAP/TLS, PEAP)

  45. Robust Security Network Includes: • Better key derivation/distribution based on 802.1X • For TKIP: per message 128 bit key derivation • Improved encryption (TKIP, CCMP) • Stronger keyed Message Integrity Checks • Custom MIC for TKIP with 22 bit effective strength • Strong AES based MIC for CCMP • IV sequencing to control message replay • 44 bits to avoid re-keying (4 bits for QoS)

  46. RSN Data Privacy Protocols • Temporal Key Integrity Protocol (TKIP) • a cipher suite enhancing the WEP protocol on pre-RSN hardware • Counter Mode/CBC-MAC Protocol • based on AES and Counter-Mode/CBC-MAC (CCM) • Mandatory for RSN compliance

  47. 802.1X • Originally designed as port-based network access control for PPP • Provides support for a centralized management model • Primary encryption keys are unique to each station and generated dynamically • Provides support for strong upper layer authentication

  48. 802.1X Architectural Framework • Employs Extensible Authentication Protocol (EAP) • EAP built around challenge-response paradigm • operates at network layer = flexibility • Provides transport for ULA protocols • EAP/TLS, PEAP, EAP-TTLS, LEAP • Two sets of keys dynamically generated • Session Keys, Group Keys

  49. Authentication and Key Mgmt. Controlled Port Wired LAN Services Unauthorized Port Supplicant Authenticator AP Authentication Server STA Uncontrolled Port AS EAPoL RADIUS EAP EAP

  50. Existing Solutions & Other Methods • MAC address filtering • Access Point Placement • Virtual Private Networks (VPNs)

More Related