lesson 6 commercial intrusion detection systems l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Lesson 6 Commercial Intrusion Detection Systems PowerPoint Presentation
Download Presentation
Lesson 6 Commercial Intrusion Detection Systems

Loading in 2 Seconds...

play fullscreen
1 / 34

Lesson 6 Commercial Intrusion Detection Systems - PowerPoint PPT Presentation


  • 300 Views
  • Uploaded on

Lesson 6 Commercial Intrusion Detection Systems. Overview. Common Commercial IDS IDS Evaluations Specialized IDS. Common IDS Products. CISCO CISCO IDS (son of Netranger) Computer Associates eTrust PaloAlto Networks All in one Firewalls HP TippingPoint

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Lesson 6 Commercial Intrusion Detection Systems' - omer


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
overview
Overview
  • Common Commercial IDS
  • IDS Evaluations
  • Specialized IDS
common ids products
Common IDS Products

CISCO CISCO IDS (son of Netranger)

Computer Associates eTrust

PaloAlto Networks All in one Firewalls

HP TippingPoint

McAfee (was Intruvert) Intrushield

Seimens (Enterasys) Dragon

Internet Security Systems(now IBM) RealSecure

Intrusion, Inc SecureNet,Secure Host

iPolicy Networks ipEnforcer

NetScreen NetScreen IDP

NFR Security Network Flight Recorder

Sourcefire Snort

Symantec Corp Intruder Alert

TippingPoint Technologies UnityOne

Tripwire Inc Tripwire

CoreTrace Bouncer

snort
SNORT
  • Snort is a packet sniffer on steroids.
  • Can be placed at different points in a network to provide real time information.
  • By logging alerts and rule violations, a systems administrator can be mindful of attacks in progress or research past incidents.
snort usage
Snort Usage
  • Run from the command line or as a Windows Service.
  • Lots of options
snort options
Snort Options

USAGE: snort [-options] <filter options>

snort /SERVICE /INSTALL [-options] <filter options>

snort /SERVICE /UNINSTALL

snort /SERVICE /SHOW

Options:

-A Set alert mode: fast, full, console, or none (alert file alerts only)

-b Log packets in tcpdump format (much faster!)

-c<rules> Use Rules File <rules>

-C Print out payloads with character data only (no hex)

-d Dump the Application Layer

-e Display the second layer header info

-E Log alert messages to NT Eventlog. (Win32 only)

-f Turn off fflush() calls after binary log writes

-F<bpf> Read BPF filters from file <bpf>

-h<hn> Home network = <hn>

-i <if> Listen on interface <if>

-I Add Interface name to alert output

-k<mode> Checksum mode (all,noip,notcp,noudp,noicmp,none)

-l <ld> Log to directory <ld>

more snort options
More Snort Options

-L <file> Log to this tcpdump file

-n <cnt> Exit after receiving <cnt> packets

-N Turn off logging (alerts still work)

-o Change the rule testing order to Pass|Alert|Log

-O Obfuscate the logged IP addresses

-p Disable promiscuous mode sniffing

-P <snap> Set explicit snaplen of packet (default: 1514)

-q Quiet. Don't show banner and status report

-r <tf> Read and process tcpdump file <tf>

-R <id> Include 'id' in snort_intf<id>.pid file name

-s Log alert messages to syslog

-S <n=v> Set rules file variable n equal to value v

-T Test and report on the current Snort configuration

-U Use UTC for timestamps

-v Be verbose

-V Show version number

-W Lists available interfaces. (Win32 only)

-w Dump 802.11 management and control frames

-X Dump the raw packet data starting at the link layer

-y Include year in timestamp in the alert and log files

-z Set assurance mode, match on established sesions (for TCP)

-? Show this information

<Filter Options> are standard BPF options, as seen in TCPDump

observations of snort good
Observations of Snort - Good
  • FREE!
  • Large user base
  • Community provides constant rule updates
  • Free tools to provide log analysis and email/pager alerts
observations of snort bad
Observations of Snort - Bad
  • UNIX tool ported to Windows; behaves like a UNIX tool
    • Difficult to configure
      • Cryptic command line driven interface
      • All configuration is driven by files
  • Lacks standardized support
how acid supports snort
How ACID Supports SNORT
  • ACID helps to make sense of Snort data in a visual manner.
  • Can help analyze trends and help filter out the noise by categorizing attacks and IP addresses.
  • Query-builder and search interface.
  • Can provide alerts when events occur.
acid usage
ACID Usage
  • Acid runs as a set of PHP (PHP: Hypertext Preprocessor) web pages under IIS or Apache
  • Reports, alerts, and information is accessed through the web interface
observations of acid good
Observations of ACID - Good
  • FREE!
  • Nice graphical interface written in PHP, therefore user community to rely on.
  • Free tools to provide log analysis and email/pager alerts.
  • Helps sort through all the info from Snort.
observations of acid acid
Observations of ACID - ACID
  • Lacks standardized support
  • Lots of options to become familiar with
pstn ids enterprise manager
PSTN IDS&Enterprise Manager
  • World’s leading voice network security company.
  • Secures & better manages enterprise voice networks (TDM, VoIP, or Hybrid) – close phone line backdoors into data networks.
  • Established in 1998 by WheelGroup
  • Flagship product:
  • The ETM® (Enterprise Telephony

Management) System

centralized ids hierarchy
Centralized IDS Hierarchy

Corporate

Central

Director

All

Business

Offices

...

partially distributed ids hierarchy
Partially Distributed IDS Hierarchy

Corporate

Upper

Domain

Central

Director

Regional

Offices

Intermediate

Domain

Intermediate

Director

Intermediate

Director

Intermediate

Director

Intermediate

Director

Business

Offices

...

Lower

Domain

fully distributed ids hierarchy
Fully Distributed IDS Hierarchy

Corporate

Upper

Domain

Central

Director

Regional

Offices

Intermediate

Domain

Intermediate

Director

Intermediate

Director

Intermediate

Director

Intermediate

Director

Business

Offices

...

Lower

Domain

discussion on current ids
Discussion on current IDS
  • How are signature updates accomplished?
  • How often are signatures updated? How many are there?
  • What is the maximum bandwidth the IDS can monitor?
  • What network protocols can be monitored?
  • What OS platforms does the IDS work on?
  • Does the IDS platform interact with other devices (e.g. firewalls, routers…)?
  • What type of reporting tools are available?
  • How is the security manager notified of events?
  • Host or network based? Enterprise deployable?
  • What training is required to operate and how much time does it take to operate the IDS?
50 ways to defeat an ids
50 ways to defeat an IDS
  • 1 - Inserting extraneous characters into a standard attack typically causes detection failure. As an example, you could insert the string ‘&& true’ into a typical shell command line without ill effect on operation but with degraded IDS performance.
  • 2 - Use tabs instead of spaces in commands. Since most current systems don’t interpret all separators in the same way, changing to non-standard separators can make them fail. You might also try ‘,’ instead of ‘;’ in the Unix shell.
  • 3 – Closely related to number 2, you could change the separator character in the system so that (for example) % is the separator. This would confuse detection systems almost without exception.
  • 4 - Reorder a detected attack sequence. For example, if the attack goes ‘a;b;c’ and it would also work as ‘b;a;c’, most detection systems would rank the one they were not tuned to find as unlikely to be an actual attack.
  • 5 - Split a standard attack across more than one user. Using the ‘a;b;c’ example above, if user X types ‘a;b’ and user Y types ‘c’ the attack is almost certain to go undetected.
  • 6 - Split a standard attack across multiple sessions. Login once and type ‘a;b’, logout, then login and type ‘c’.
    • From 50 Ways to Defeat Your Intrusion Detection System by Fred Cohen of Fred Cohen & Associates
50 ways to defeat an ids32
50 ways to defeat an IDS
  • 7 - Split across multiple remote IP addresses/systems. Login from sites X and Y, and type ‘a’ from site X, ‘b’ from site Y, and ‘c’ from site X.
  • 8 - Define a macro for a command used in a standard attack. For example, set a shell variable called ‘$ZZ’ to ‘cp’ and then use ‘$ZZ’ instead of ‘cp’ where appropriate.
  • 9 - Define a macro for a parameter in a standard attack. For example, use the name ‘$P’ instead of the string ‘/etc/passwd’.
  • 10 – Create shell scripts to replace commands you use. If you do this carefully, the detector will not associate the names you use for the scripts to the commands and will miss the whole attack.
  • 11 - Use different commands to do the same function. For example, ‘echo *’ is almost the same as ‘ls’ in the Unix shell.
  • 12 - Change the names in standard attacks. For example, if the standard attack uses a temporary file named ‘xxx’, try using ‘yyy’.
50 ways to defeat an ids33
50 ways to defeat an IDS
  • 15 - Encrypt your attacks – for example, by using the secure shell facilities intended to increase protection by preventing snooping – including snooping by the IDS.
  • 21 - Overwhelm the IDS sensor ports. For example, by using an echo virus against a UDP port, you might make the sensor port unable to receive further sensor inputs.
  • 22 - Crash the IDS with ping packets. By sending long IPNG packets, many systems that run IDS systems can be crashed, causing them to fail to detect subsequent attacks.
  • 23 – Kill the IDS by attacking its platform. Most IDS systems run on regular hosts which can themselves be attacked. Once the platform is taken over, the IDS can be subverted.
  • 25 - Consume all IDS disk space then launch for real. By (for example) overrunning the disk space consumed by the IDS with innocuous but detected sequences, the IDS will fail and subsequent attacks go undetected.
  • 41 - Attack over dial-ins instead of a network. Network-based IDS systems will never notice this activity.
summary
Summary
  • Commercial IDS doing well, but thinning
  • IDS Evaluations conducted regularly
  • Centralized vs Decentralized management
  • IDS can be defeated or circumvented