
Distributed IDS

Distributed IDS. The implementation of a Distributed Intrusion Detection System over a medium scale open network where the focus is availability of services. Darian Jenik - Network Management, Queensland University of Technology.


Presentation Transcript


  1. Distributed IDS
     • The implementation of a Distributed Intrusion Detection System over a medium scale open network where the focus is availability of services.
     • Darian Jenik - Network Management, Queensland University of Technology

  2. What we hope to achieve:
     • Learn about the nature of traffic flowing on the network.
     • Catch attempts to compromise host security.
     • Detect compromised hosts on the network.
     • Discover holes and incorrect configurations on existing services.
     • Take a proactive rather than reactive approach to dealing with security issues.

  3. What IDS is not:
     • IDS is NOT security. For security you need:
        • A good security policy that is both documented and adhered to.
        • Good security practice by system administrators.
        • Hardened perimeter firewalls and “DMZ” firewalls.
     • IDS is not a “product”.
     • IDS is not a “sensor”.

  4. What information can it provide:
     • Denials, scans, vulnerable services, etc.
     • Other input sources (Tripwire, syslog, firewall…)
     • Cross referencing allows individual events that seem innocent to take on more meaning in context.

  5. Where do we put the sensor:
     • Traditionally – gateway(s)
     • Port mirroring? (50+ data cabinets)
     • Preferably everywhere. This would normally cost $$$$$, but open source makes this possible.

  6. The scale of the problem
     • Approximately 10000 hosts, 100 web servers, 300 “servers” of other type
     • Students
     • System Administrators
     • IAS

  7. The scale of the problem - simplified
     [Network diagram: Outside 1 and Outside 2 connected through gateways (GW) to Servers, Inside 1 and Inside 2 (10meg -> 1 Gig links) and User hosts]

  8. The scale of the problem contd.
     [Same diagram, with two points marked “Bad!!”]

  9. The scale of the problem contd.
     [Same diagram, with two points marked “Worse!!”]

  10. The scale of the problem contd.
     [Same diagram]

  11. The scale of the problem contd.
     [Same diagram]

  12. Dealing with the volume of information
     • Manually examine each incident (initially).
     • Classify and build up a database of false positives.
     • Use the power of the SQL database to look for patterns and “repeats”.

  13. IDS should perform the following tasks
     • Detect known violations of host integrity by passively watching network traffic.
     • Respond to attempted violations by blocking external IP addresses.
     • Respond to probes from outside by blocking external IP addresses.
     • Find and report usage inconsistencies that indicate account/quota theft.
     • Detect violations by monitoring information (web pages etc.)
     • Help log and establish traffic/host usage patterns for future reference and comparison.

  14. Respond to attempted violations by blocking external IP addresses.
     • Make sure the IDS is able to respond and send commands to firewalls and/or hosts.
     • IDS sends RST packets to both ends of the connection.
     • IDS is able to insert rules into the border firewall.
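One way the "insert rules into the border firewall" response can be made safe to automate, as an added example (not code from the talk, nor from Guardian/Girr): the never-block list, the TTL and the ipchains command strings are assumptions made for this example, and the commands are only generated, never executed.

```python
import ipaddress
import time

# Constructed never-block list, an assumption for this example: our own address
# space, loopback, the upstream gateway and a resolver. A probe arriving with a
# forged source address must not be able to make the IDS firewall these off.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "127.0.0.0/8", "203.0.113.1/32", "198.51.100.53/32")]

# ipchains command strings for the border firewall ('input' chain, DENY target);
# they are returned for the caller to run, never executed here.
def block_rule(ip):
    return f"ipchains -I input -s {ip} -j DENY"

def unblock_rule(ip):
    return f"ipchains -D input -s {ip} -j DENY"

class Responder:
    """Turns an alert's external source into a temporary border-firewall
    block, refusing addresses that must never be blocked and expiring
    old entries so a one-off probe does not become a permanent rule."""
    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self.blocked = {}            # ip -> expiry time (epoch seconds)

    def respond(self, alert_src, now=None):
        now = time.time() if now is None else now
        ip = ipaddress.ip_address(alert_src)
        if any(ip in net for net in NEVER_BLOCK):
            return None              # log only: never firewall our own infrastructure
        if ip in self.blocked and self.blocked[ip] > now:
            return None              # already blocked; avoid stacking duplicate rules
        self.blocked[ip] = now + self.ttl
        return block_rule(ip)

    def expire(self, now=None):
        """Return the commands that remove blocks whose TTL has passed."""
        now = time.time() if now is None else now
        gone = [ip for ip, until in self.blocked.items() if until <= now]
        for ip in gone:
            del self.blocked[ip]
        return [unblock_rule(ip) for ip in gone]
```

The never-block check is the part worth keeping whatever tool does the blocking: an automatic responder that will block any source it is told about can be turned against the network's own gateway or DNS.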

  15. Respond to probes from outside by blocking external IP addresses.
     • Attempts to open ports on servers that are not enabled.
     • Make “flypaper” IP addresses that have never been used for anything, which serve to pick up slow probes.
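The SQL pattern search from slide 12 and the flypaper addresses from slide 15, worked as one added example (not code from the talk or from the ACID project): it uses an in-memory SQLite database with a constructed schema loosely modelled on Snort's signature/event tables and constructed alerts; the table and column names are assumptions, not Snort's exact schema.

```python
import sqlite3
# Constructed mini-schema, loosely modelled on the Snort/ACID database tables
# (signature, event, iphdr); names here are an assumption, not Snort's exact schema.
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT);
CREATE TABLE event (cid INTEGER PRIMARY KEY, sig_id INTEGER, ts TEXT,
                    ip_src TEXT, ip_dst TEXT, dst_port INTEGER);
CREATE TABLE false_positive (sig_id INTEGER, ip_src TEXT);  -- analyst classifications
CREATE TABLE flypaper (ip TEXT);                            -- addresses never used for anything
"""
# Constructed sample alerts: our own SNMP poller (already classified as a false
# positive) and one external host slowly touching two flypaper addresses.
SIGNATURES = [(1, "SCAN nmap TCP"), (2, "WEB-IIS cmd.exe access"), (3, "SNMP public access")]
EVENTS = [
    (1, 3, "2002-03-01 09:00", "10.0.5.20", "10.0.1.1", 161),
    (2, 3, "2002-03-01 09:05", "10.0.5.20", "10.0.1.2", 161),
    (3, 1, "2002-03-01 10:00", "203.0.113.9", "10.0.9.250", 80),
    (4, 1, "2002-03-02 03:30", "203.0.113.9", "10.0.9.251", 22),
    (5, 2, "2002-03-03 11:15", "203.0.113.9", "10.0.2.10", 80),
    (6, 2, "2002-03-03 12:00", "198.51.100.4", "10.0.2.10", 80),
]
FALSE_POSITIVES = [(3, "10.0.5.20")]
FLYPAPER = [("10.0.9.250",), ("10.0.9.251",)]

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO signature VALUES (?,?)", SIGNATURES)
    db.executemany("INSERT INTO event VALUES (?,?,?,?,?,?)", EVENTS)
    db.executemany("INSERT INTO false_positive VALUES (?,?)", FALSE_POSITIVES)
    db.executemany("INSERT INTO flypaper VALUES (?)", FLYPAPER)
    return db

def repeat_sources(db, min_signatures=2):
    """Sources that tripped several distinct rules once classified false
    positives are removed: single 'innocent' alerts gain meaning in context."""
    return db.execute("""
        SELECT e.ip_src, COUNT(DISTINCT e.sig_id) AS sigs, COUNT(*) AS hits
        FROM event e
        WHERE NOT EXISTS (SELECT 1 FROM false_positive f
                          WHERE f.sig_id = e.sig_id AND f.ip_src = e.ip_src)
        GROUP BY e.ip_src
        HAVING COUNT(DISTINCT e.sig_id) >= ?
        ORDER BY hits DESC""", (min_signatures,)).fetchall()

def flypaper_hits(db):
    """Any packet to a never-used address is a probe, however slowly it arrives."""
    return db.execute("""
        SELECT e.ip_src, COUNT(*), MIN(e.ts), MAX(e.ts) FROM event e
        JOIN flypaper p ON p.ip = e.ip_dst GROUP BY e.ip_src""").fetchall()
```

The flypaper query needs no rule to match at all: the destination address alone is the signature, which is what lets it catch a probe spread over days.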

  16. Supporting information sources that can be fed into the database.
     • Central syslog collecting and analysis.
     • Tripwire
     • “Nmap” database
     • Performance and usage analysis.

  17. Open Source
     • Just about any platform (including Windows)
     • Many plugins and external modules.
     • Frequent rules updates.

  18. Snort Plugins
     • Databases
        • MySQL
        • Oracle
        • PostgreSQL
        • unixODBC
     • Spade (Statistical Packet Anomaly Detection Engine)
     • FlexResp (session response/closing)
     • XML output
     • TCP streams (stream single-byte reassembly)

  19. Snort Add-ons
     • ACID (Analysis Console for Intrusion Detection) - PHP
     • Guardian – IPCHAINS rules modifier (Girr – remover)
     • SnortSnarf - HTML
     • Snortlog – syslog
     • “Ruleset retrieve” – automatic rules updater.
     • Snorticus – central multi-sensor manager – shell
     • LogSnorter – syslog > Snort SQL database information adder.
     • + a few win32 bits and pieces.

  20. Snort + ACID = ?
     • ACID is a CERT project.
     • Pretty simple PHP to MySQL.
     • Quite customizable.
     • Simple GUI for casual browsing.

  21. Main Console

  22. Individual alerts

  23. Securityfocus
     • Whitehats
     • CVE

  24. Rule details

  25. Incident details

  26. Incident Details

  27. URLs
     • www.snort.org
     • http://www.cert.org/kb/acid/
     • www.whitehats.com (intrusion signatures data)
     • www.securityfocus.com (intrusion signatures data)
     • http://cve.mitre.org/ (intrusion signatures data)
     • http://www.psionic.com/ (logcheck + hostsentry)
