1 / 19

Intrusion Detection on a Shoestring Budget

Intrusion Detection on a Shoestring Budget. Shane Williams UT Austin Graduate School of Library and Information Science Oct. 18, 2000 SANS Network Security 2000. Setting. Public university department Lean budget Priority on openness Limited technical knowledge Independent faculty

magee
Download Presentation

Intrusion Detection on a Shoestring Budget

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Intrusion Detection on a Shoestring Budget Shane Williams UT Austin Graduate School of Library and Information Science Oct. 18, 2000 SANS Network Security 2000

  2. Setting • Public university department • Lean budget • Priority on openness • Limited technical knowledge • Independent faculty • Heterogeneous computing environment

  3. Setting • Implications for security • Prime target for crackers • Not everyone understands need for security • Policy can be hard to implement • Solutions must be: • Inexpensive • Unobtrusive

  4. Solutions • Focus on Open Source Software • Often cost-free • Can run on inexpensive hardware • Prioritize security activities • Prevention • Detection • Maintenance • Only then identify

  5. Prevention • Verify clean systems or detection can be subverted • Identify platform specific vulnerabilities • Patch operating systems • Patch server software (www, ftp, etc.) • Enforce good user practices (especially as regards passwords).

  6. Detection • Network based • Network Flight Recorder (NFR) • Academic Research version • Snort • Tcpdump • Host based • Tripwire

  7. Detection • Create a watchtower • Minimal open ports • SSH • Only visible from within subnet • Used many of the same tools mentioned above • About $2000 to $2500 • FreeBSD OS • Commodity components

  8. Network Based IDS • Switched versus shared may cause complications • Network IDS needs to see the network • Can work in a switched environment, but: • Depends on switching equipment • Switches are often controlled outside departments • False positives

  9. Network Flight Recorder • Created to act as a “black box” for intrusion detection • Advantages • Records all network traffic • Alerts on specific signatures • Good query tools • Remote interface

  10. Network Flight Recorder • Disadvantages • Data collection takes up space • Space management feature didn’t always work • No longer freely available

  11. Snort • Created to be a lightweight network IDS • Lightweight meaning compact and efficient • Not lightweight on performance • Advantages • Small size • Easy to install • Open source development means continued enhancement

  12. Snort • Disadvantages • Only saves suspect traffic • No query features • But other developers are working on this • Experiencing growing pains

  13. Tcpdump • Simple but powerful utility for listening to network traffic • Advantages • Can collect packet payload • Indispensable in understanding exploits • Disadvantages • Massive data storage requirements

  14. Tripwire • Host-based IDS that calculates digital signatures of specified files • Differences between older open source version and newer commercial version • Signed files require pass phrase to change • Levels of violation

  15. Tripwire • Advantages • Doesn’t depend on network • Minimal false positives • Can catch local exploits

  16. Tripwire • Disadvantages • Requires careful setup to prevent subversion • Databases must be kept up to date • Best in hierarchical structure • Minimizes possibility of tampering

  17. Conclusions • There are plenty of free tools out there • Host based better than network based • IPv6 • Encrypted traffic • Tripwire is a preferred tool • Works well now to detect attacks • Potential to be enhanced even more

  18. Questions? Comments?

  19. URLs • Network Flight Recorder • http://www.nfr.com/ • Snort • http://www.snort.org/ • Tripwire • http://www.tripwire.com/ • Updated info • http://www.gslis.utexas.edu/~shanew/security.html

More Related