1 / 15

Comprehensive Guide to Intrusion Detection Systems | Info, Types, Uses, and Tools

Explore the world of Intrusion Detection Systems (IDS) in this detailed presentation by Marshall Washburn. Learn how IDS works, the different types (NIDS, HIDS, NNIDS), uses, and modes (passive vs. aggressive). Dive into anomaly vs. signature-based detection, supplements like logging and honeypots, and overcoming challenges like false positives and negatives. Discover the popular Snort IDS, its rules, features, and benefits, along with useful strategies and case studies. Enhance your understanding of IDS to strengthen your network security.

ghenson
Download Presentation

Comprehensive Guide to Intrusion Detection Systems | Info, Types, Uses, and Tools

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. IDS In Depth Search: Ideas, Descriptions, and Solutions Presentation by Marshall Washburn November 30th, 2010 CPSC 420/620 w/ Dr. Grossman

  2. Introduction and Layout • What is an IDS? • How it works • NIDS vs. HIDS (vs. NNIDS) • Different uses of an IDS • Passive vs. Aggressive (IDPS) • Anomaly vs. Signature • Supplements and Add-ons • Logging • Honeypots • Gotchas • False Positives • False Negatives • Closer look – Snort • Info • Modes • Rules & Features • Conclusion

  3. What is an IDS? • IDS – Intrusion Detection System • Analyzes network traffic • Reports problems • Three types of IDS • Network-based Intrusion Detection • Host-based Intrusion Detection • Network Node-based Intrusion Detection

  4. Types of IDS • Network-IDS • Typical view of IDS • Watches a subnet • Typically a perimeter defense • Host-based IDS • Watches host computers, involves software • Looks for system calls and registry changes • Typically an internal defense • Network-Node IDS • Specific host traffic • Kind of specialized NIDS (ex: VPN device)

  5. Types of IDS http://www.informit.com/articles/article.aspx?p=29601 http://ptgmedia.pearsoncmg.com/images/art_peikari1_intrusiondetection/elementLinks/fig01.gif

  6. Different uses of an IDS • How should the system react? • Passive system • Scans packets, traffic, or system • Takes notes • Sends alerts • Active system (Intrusion Detection and Prevention System) • Passive system + barrel rolls • Kills connections or modifies firewalls • Pros and Cons: Passive vs. Active • Less maintenance and lack of painful false alarms vs. More maintenance but avoid disasters

  7. Different uses of an IDS • What should the system look for? • Anomaly-based IDS • Samples network traffic • Checks against predefined ‘ideal’ traffic • Signature-based IDS • Polar opposite of anomaly • Samples network traffic • Checks against predefined virus patterns • Pros and Cons: Anomaly vs. Signature • Hard to pin down ‘normal’ network traffic, especially when updating or migrating a system • Virus patterns are only as good as the updated list

  8. Supplements and Add-ons • IDS: Good by themselves, great on a team • External Logging • Honeypots http://i.ehow.com/images/a06/e3/83/state-ohio-tax-id-number-120X120.jpg http://blog.hazrulnz.net/tag/ids

  9. IDS Logging • IDS typically logs traffic locally • Can become unorganized • Hard to search through • External Logging Databases (ex: ACIDBASE) • Categorize suspected attacks • IP traffic • Port traffic • Latest virus information • Stealthy logging

  10. Honeypots • IDS can be used on production or development systems • Honeypots lure attacker in (ex: Honeyd) • Network decoys to distract away from vulnerable machines • Typically virtual machines that simulate real networks • Honeypots capture the attacks, IDS analyzes, your system stays secure.

  11. A Few Gotchas • Every rose has its thorn… • False Positives • Normal traffic suspected to be malicious • False Negatives • Some attack is flagged to be normal or non-malicious • Not software flaws, usually configuration flaws • Encrypted traffic can cause false positives, and mutated worms or viruses can mismatch an attack pattern and cause false negatives.

  12. Quick Case Study: Snort • Originally released in 1998 by Sourcefire founder and CTO Martin Roesch • Combines signature and anomaly techniques • Ready out of the box • Updated rule sets • Three primary modes • Sniffer mode • Packet-logger mode • Network IDS mode

  13. Snort Rules • Can specify what IP subnet to look at and types of traffic in ‘snort.conf’ file • Sample rule • alert tcp any any -> 192.168.1.0/24 111 \ (content:"|00 01 86 a5|"; msg:"mountd access";) • Easy to customize with many different features • Logging, passing, dropping, custom • TCP and/or UDP, ICMP, IP • Traffic direction • Content, raw bytes, offsets

  14. Conclusions • Useful tool to keep a network safe • There are many different styles to a detection system • Snort incorporates many of the capabilities of intrusion detection systems • multiple detection techniques • ability to customize simple rules

  15. Works Cited • Bauer, Mick. “Stealthful Sniffing, Intrusion Detection and Logging http://www.linuxjournal.com/article/6222 October, 2002 • Innella, Paul. “The Evolution of Intrusion Detection Systems” http://www.symantec.com/connect/articles/evolution-intrusion-detection-systems November 16th, 2001 • Mattord, Verma (2008). Principles of Information Security. Course Technology. pp. 290–301 • Provos, Niels. “A Virtual Honeypot Network” http://www.usenix.org/event/sec04/tech/full_papers/provos/provos_html/ Proceedings of the 13th USENIX Security Symposium. August, 2004 • Timm, Kevin. “Strategies to Reduce False Positives and False Negatives in NIDS” http://www.symantec.com/connect/articles/strategies-reduce-false-positives-and-false-negatives-nids September, 2001 • The Snort Team. SNORT Users Manual 2.9.0. http://www.snort.org/assets/152/snort_manual.pdf September, 2010 • Wikipedia. http://en.wikipedia.org/wiki/Intrusion_detection_system

More Related