Intrusion Detection on a Shoestring Budget

Presentation Transcript

  1. Intrusion Detection on a Shoestring Budget
     Shane Williams, UT Austin Graduate School of Library and Information Science
     Oct. 18, 2000, SANS Network Security 2000

  2. Setting
     • Public university department
     • Lean budget
     • Priority on openness
     • Limited technical knowledge
     • Independent faculty
     • Heterogeneous computing environment

  3. Setting
     • Implications for security
       • Prime target for crackers
       • Not everyone understands need for security
       • Policy can be hard to implement
     • Solutions must be:
       • Inexpensive
       • Unobtrusive

  4. Solutions
     • Focus on Open Source Software
       • Often cost-free
       • Can run on inexpensive hardware
     • Prioritize security activities
       • Prevention
       • Detection
       • Maintenance
     • Only then identify

  5. Prevention
     • Verify clean systems or detection can be subverted
     • Identify platform specific vulnerabilities
     • Patch operating systems
     • Patch server software (www, ftp, etc.)
     • Enforce good user practices (especially as regards passwords).

  6. Detection
     • Network based
       • Network Flight Recorder (NFR)
         • Academic Research version
       • Snort
       • Tcpdump
     • Host based
       • Tripwire

  7. Detection
     • Create a watchtower
       • Minimal open ports
         • SSH
         • Only visible from within subnet
       • Used many of the same tools mentioned above
       • About $2000 to $2500
         • FreeBSD OS
         • Commodity components

  8. Network Based IDS
     • Switched versus shared may cause complications
       • Network IDS needs to see the network
       • Can work in a switched environment, but:
         • Depends on switching equipment
         • Switches are often controlled outside departments
     • False positives

  9. Network Flight Recorder
     • Created to act as a “black box” for intrusion detection
     • Advantages
       • Records all network traffic
       • Alerts on specific signatures
       • Good query tools
       • Remote interface

  10. Network Flight Recorder
     • Disadvantages
       • Data collection takes up space
       • Space management feature didn’t always work
       • No longer freely available

  11. Snort
     • Created to be a lightweight network IDS
       • Lightweight meaning compact and efficient
       • Not lightweight on performance
     • Advantages
       • Small size
       • Easy to install
       • Open source development means continued enhancement

  12. Snort
     • Disadvantages
       • Only saves suspect traffic
       • No query features
         • But other developers are working on this
       • Experiencing growing pains

  13. Tcpdump
     • Simple but powerful utility for listening to network traffic
     • Advantages
       • Can collect packet payload
       • Indispensable in understanding exploits
     • Disadvantages
       • Massive data storage requirements
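The three network tools in slides 6 to 13 differ mainly in what they keep: NFR records all traffic, tcpdump captures full payload at a large storage cost, and Snort saves only the traffic that matched a signature. The following is an added example for this transcript, not code from the presentation, Snort, NFR or tcpdump: it decodes raw IPv4/TCP packets the way a capture tool must before it can inspect payload, applies two illustrative content signatures in the style of a network IDS rule, and totals the bytes a record-everything recorder would store against a suspect-only IDS. The packet list, addresses, rule names and patterns are all constructed; it assumes link-layer-stripped IPv4 packets without IP options, and checksums are neither computed nor verified.

```python
"""Toy signature-based network IDS in Python.

Added example (not code from the presentation, Snort, NFR or tcpdump).
Assumes link-layer-stripped IPv4 packets with no IP options; checksums are
neither computed nor verified; all traffic and signatures are constructed.
"""
import struct
from typing import Dict, List, Optional, Tuple

IP_FMT = "!BBHHHBBH4s4s"   # ver/IHL, TOS, total len, id, flags/frag, TTL, proto, csum, src, dst
TCP_FMT = "!HHIIBBHHH"      # sport, dport, seq, ack, data offset, flags, window, csum, urgent
UDP_FMT = "!HHHH"           # sport, dport, length, csum

# Illustrative content signatures: (rule name, destination port or None for any, payload pattern).
SIGNATURES: List[Tuple[str, Optional[int], bytes]] = [
    ("WEB directory traversal attempt", 80, b"../.."),
    ("FTP SITE EXEC attempt", 21, b"SITE EXEC"),
]


def ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes, proto: int = 6) -> bytes:
    """Assemble a raw IPv4 packet carrying TCP (proto 6) or UDP (proto 17); checksums left zero."""
    if proto == 6:
        transport = struct.pack(TCP_FMT, sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:
        transport = struct.pack(UDP_FMT, sport, dport, 8 + len(payload), 0)
    total = 20 + len(transport) + len(payload)
    ip = struct.pack(IP_FMT, 0x45, 0, total, 0, 0, 64, proto, 0, ip_bytes(src), ip_bytes(dst))
    return ip + transport + payload


def decode(packet: bytes) -> Optional[Dict]:
    """Split an IPv4/TCP packet into headers and payload; return None for anything else."""
    if len(packet) < 20:
        return None
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack(IP_FMT, packet[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        return None                      # not IPv4, or not TCP: outside this toy's scope
    ihl = (ver_ihl & 0x0F) * 4
    if len(packet) < ihl + 20 or total > len(packet):
        return None                      # truncated: never trust header lengths blindly
    sport, dport, _, _, data_off, _, _, _, _ = struct.unpack(TCP_FMT, packet[ihl:ihl + 20])
    data_start = ihl + (data_off >> 4) * 4
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "sport": sport, "dport": dport, "payload": packet[data_start:total],
    }


def run_ids(packets: List[bytes], signatures=SIGNATURES) -> Tuple[List[Dict], int, int]:
    """Return alerts plus bytes kept by a record-everything recorder vs a suspect-only IDS."""
    alerts: List[Dict] = []
    full_capture = 0    # everything on the wire, as NFR or "tcpdump -w" would keep it
    suspect_only = 0    # only packets that fired a rule, as Snort keeps
    for raw in packets:
        full_capture += len(raw)
        pkt = decode(raw)
        if pkt is None:
            continue
        hits = [name for name, port, pattern in signatures
                if (port is None or pkt["dport"] == port) and pattern in pkt["payload"]]
        if hits:
            suspect_only += len(raw)
        for name in hits:
            alerts.append({"rule": name, "src": pkt["src"], "dst": pkt["dst"], "dport": pkt["dport"]})
    return alerts, full_capture, suspect_only


def demo() -> Tuple[List[Dict], int, int]:
    """Constructed traffic: one benign request, two rule hits, one UDP packet the decoder skips."""
    packets = [
        build_packet("10.0.0.5", "10.0.0.80", 40001, 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
        build_packet("198.51.100.7", "10.0.0.80", 40002, 80, b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"),
        build_packet("198.51.100.7", "10.0.0.21", 40003, 21, b"SITE EXEC /bin/ls\r\n"),
        build_packet("10.0.0.5", "10.0.0.53", 40004, 53, b"\x00" * 12, proto=17),
    ]
    return run_ids(packets)


if __name__ == "__main__":
    found, kept_all, kept_suspect = demo()
    for a in found:
        print(f"ALERT {a['rule']}: {a['src']} -> {a['dst']}:{a['dport']}")
    print(f"record-everything storage: {kept_all} bytes; suspect-only storage: {kept_suspect} bytes")
```

The storage totals are the point of the comparison: the record-everything recorder keeps every byte, including the benign request and the UDP packet the toy decoder cannot even inspect, while the suspect-only IDS keeps just the two packets that fired a rule and loses the surrounding context that NFR's "good query tools" and a tcpdump capture would let an analyst go back to.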

  14. Tripwire
     • Host-based IDS that calculates digital signatures of specified files
     • Differences between older open source version and newer commercial version
       • Signed files require pass phrase to change
       • Levels of violation

  15. Tripwire
     • Advantages
       • Doesn’t depend on network
       • Minimal false positives
       • Can catch local exploits

  16. Tripwire
     • Disadvantages
       • Requires careful setup to prevent subversion
       • Databases must be kept up to date
     • Best in hierarchical structure
       • Minimizes possibility of tampering
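Slides 14 to 16 describe the host-based approach: compute digital signatures of specified files, keep them in a database, report later differences, keep the database current, and protect the database itself with a pass phrase so it cannot be quietly rewritten. The following is an added example for this transcript, not code from the presentation or from the Tripwire project, that walks through that cycle on a constructed file tree. It assumes SHA-256 in place of the slides' "digital signatures", a JSON baseline protected by an HMAC under a pass phrase in place of Tripwire's signed database, and file paths, contents and the pass phrase that are all made up here.

```python
"""Minimal host-based file-integrity checker in the spirit of Tripwire.

Added example for this transcript, not code from the presentation or from
the Tripwire project.  Assumptions: SHA-256 stands in for the slides'
"digital signatures", the baseline database is a JSON file protected by an
HMAC under a pass phrase, and the sample file tree is constructed here.
"""
import hashlib
import hmac
import json
import os
import tempfile
from typing import Dict, List, Tuple

Report = Dict[str, List[str]]


def hash_file(path: str) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, dict]:
    """Record hash, size and mode of every file under root, keyed by relative path."""
    entries: Dict[str, dict] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = {"sha256": hash_file(full), "size": st.st_size, "mode": st.st_mode}
    return entries


def _mac(entries: Dict[str, dict], passphrase: str) -> str:
    canonical = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(passphrase.encode(), canonical, hashlib.sha256).hexdigest()


def save_baseline(entries: Dict[str, dict], db_path: str, passphrase: str) -> None:
    """Write the database with an HMAC so edits made without the pass phrase are caught."""
    with open(db_path, "w") as f:
        json.dump({"entries": entries, "mac": _mac(entries, passphrase)}, f)


def load_baseline(db_path: str, passphrase: str) -> Dict[str, dict]:
    """Reload the database, refusing it if the HMAC no longer verifies."""
    with open(db_path) as f:
        doc = json.load(f)
    if not hmac.compare_digest(_mac(doc["entries"], passphrase), doc["mac"]):
        raise ValueError("baseline database failed integrity check")
    return doc["entries"]


def compare(baseline: Dict[str, dict], current: Dict[str, dict]) -> Report:
    """Classify each path as added, removed or modified relative to the baseline."""
    report: Report = {"added": [], "removed": [], "modified": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        elif baseline[rel] != current[rel]:
            report["modified"].append(rel)
    return report


def demo() -> Tuple[Report, Report, bool]:
    """Constructed scenario: baseline, tamper and detect, re-baseline, then forge the database."""
    passphrase = "constructed-pass-phrase"
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as dbdir:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "etc", "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")            # constructed content
        with open(os.path.join(root, "bin", "login"), "wb") as f:
            f.write(b"\x7fELF original login (constructed)")
        db = os.path.join(dbdir, "baseline.json")             # kept outside the watched tree
        save_baseline(build_baseline(root), db, passphrase)

        # Simulate a compromise: a replaced binary and a new hidden file.
        with open(os.path.join(root, "bin", "login"), "wb") as f:
            f.write(b"\x7fELF replaced login (constructed)")
        with open(os.path.join(root, "etc", ".hidden"), "w") as f:
            f.write("x\n")
        tamper_report = compare(load_baseline(db, passphrase), build_baseline(root))

        # Once changes are reviewed and accepted the database must be regenerated,
        # otherwise every later run keeps reporting them (slide 16: keep databases up to date).
        save_baseline(build_baseline(root), db, passphrase)
        clean_report = compare(load_baseline(db, passphrase), build_baseline(root))

        # Edit the database directly, without the pass phrase: the HMAC check rejects it.
        with open(db) as f:
            doc = json.load(f)
        doc["entries"]["bin/login"]["sha256"] = "0" * 64
        with open(db, "w") as f:
            json.dump(doc, f)
        try:
            load_baseline(db, passphrase)
            forgery_detected = False
        except ValueError:
            forgery_detected = True
    return tamper_report, clean_report, forgery_detected
```

The "requires careful setup to prevent subversion" point maps onto two choices made here: the database lives outside the tree it describes, and it carries a keyed MAC rather than a bare hash, so an intruder who can rewrite files cannot also rewrite the record of what they should look like without the pass phrase. A real deployment would additionally keep the checker binary and database on read-only media or a separate host, which is what the slide's "hierarchical structure" is getting at.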

  17. Conclusions
     • There are plenty of free tools out there
     • Host based better than network based
       • IPv6
       • Encrypted traffic
     • Tripwire is a preferred tool
       • Works well now to detect attacks
       • Potential to be enhanced even more

  18. Questions? Comments?

  19. URLs
     • Network Flight Recorder
       • http://www.nfr.com/
     • Snort
       • http://www.snort.org/
     • Tripwire
       • http://www.tripwire.com/
     • Updated info
       • http://www.gslis.utexas.edu/~shanew/security.html