Intrusion Detection Systems

Presentation Transcript


  1. Intrusion Detection Systems

  2. Intrusion Detection Systems • A properly implemented IDS is watched by someone besides your system administrators, such as security personnel.

  3. Intrusion Detection Systems Legal Definitions • Login banners stating the terms of use should be used • Know your local and federal computer crime laws

  4. Intrusion Detection Systems Scan & Compromise • Very often, scanning is the prelude to an attempted attack • Port scanners: Nmap, SolarWinds scanner • Vulnerability scanner: Nessus • Scanning all hosts of a financial institution before engaging in online financial transactions with it. Legal or illegal?

  5. Intrusion Detection Systems Scan & Compromise • Realize that scanning is not an attempted compromise in itself • One of the best things you can do is to track the source IPs that are scanning you and then use them to correlate against alerts for higher priority events or look for repeat scanners
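The tracking and correlation the slide above recommends (and the "outside scanner's IP appears inside the network" case raised again in the discussion topics at the end) can be done with a few dozen lines over firewall drop logs. The block below is an added example, not part of the original presentation: the log lines, the alerts, the log format and the IP addresses (documentation ranges) are all constructed for it, and the thresholds (five distinct targets inside a 60-second window) are an assumption chosen to make the sample behave, not a recommendation.

```python
"""Track scanning sources and use them to re-prioritise later IDS alerts.

All log lines and alerts below are constructed for the example; the IP
addresses are documentation ranges, not real hosts.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall DROP lines: one scanner (203.0.113.5) sweeping ports on
# two different days, and one host (198.51.100.7) that only ever touches SSH.
FIREWALL_LOG = """\
2024-05-01T09:00:01 DROP src=203.0.113.5 dst=192.0.2.10 proto=TCP dport=21
2024-05-01T09:00:02 DROP src=203.0.113.5 dst=192.0.2.10 proto=TCP dport=22
2024-05-01T09:00:02 DROP src=203.0.113.5 dst=192.0.2.10 proto=TCP dport=23
2024-05-01T09:00:03 DROP src=203.0.113.5 dst=192.0.2.10 proto=TCP dport=25
2024-05-01T09:00:03 DROP src=203.0.113.5 dst=192.0.2.10 proto=TCP dport=80
2024-05-01T09:00:04 DROP src=203.0.113.5 dst=192.0.2.11 proto=TCP dport=443
2024-05-01T09:00:04 DROP src=203.0.113.5 dst=192.0.2.11 proto=TCP dport=3306
2024-05-01T09:00:05 DROP src=203.0.113.5 dst=192.0.2.11 proto=TCP dport=1434
2024-05-01T09:05:00 DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=22
2024-05-01T11:00:00 DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=22
2024-05-03T02:10:00 DROP src=203.0.113.5 dst=192.0.2.12 proto=TCP dport=22
2024-05-03T02:10:01 DROP src=203.0.113.5 dst=192.0.2.12 proto=TCP dport=80
2024-05-03T02:10:01 DROP src=203.0.113.5 dst=192.0.2.12 proto=TCP dport=8080
2024-05-03T02:10:02 DROP src=203.0.113.5 dst=192.0.2.12 proto=TCP dport=8443
2024-05-03T02:10:02 DROP src=203.0.113.5 dst=192.0.2.12 proto=TCP dport=445
"""

# Constructed IDS alerts: (timestamp, source IP, signature, priority; 1 = highest).
IDS_ALERTS = [
    ("2024-05-01T09:20:00", "203.0.113.5", "WEB-ATTACKS /etc/passwd access", 2),
    ("2024-05-01T10:00:00", "192.0.2.50", "POLICY outbound IRC", 3),
    ("2024-05-02T13:00:00", "198.51.100.7", "SSH brute force", 2),
    ("2024-05-03T02:30:00", "192.0.2.12", "SCAN internal port sweep", 3),
]

LINE_RE = re.compile(r"^(\S+) DROP src=(\S+) dst=(\S+) proto=\S+ dport=(\d+)$")


def find_scanners(log_text, window=timedelta(seconds=60), min_targets=5):
    """Return {src: {"bursts": [first_ts, ...], "targets": {dst, ...}}} for each
    source that hits at least `min_targets` distinct (dst, port) pairs inside
    any `window`-long interval.  Separate bursts are recorded so that repeat
    scanners can be told apart from one-off sweeps."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, dport = m.groups()
            events[src].append((datetime.fromisoformat(ts), dst, int(dport)))
    scanners = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window forward
                start += 1
            hits = {(d, p) for _, d, p in evs[start:end + 1]}
            if len(hits) < min_targets:
                continue
            rec = scanners.setdefault(src, {"bursts": [], "targets": set()})
            rec["targets"].update(d for d, _ in hits)
            first = evs[start][0]
            if not rec["bursts"] or first - rec["bursts"][-1] > window:
                rec["bursts"].append(first)
    return scanners


def correlate(alerts, scanners, internal_prefix="192.0.2."):
    """Re-prioritise alerts against the scanner table: an alert from a known
    scanner goes up one level, repeat scanners are labelled, and an internal
    host that was scanned earlier and is now itself the source of an alert is
    treated as a possible compromise (the outside scanner showing up inside)."""
    scanned_by = {h: s for s, rec in scanners.items() for h in rec["targets"]}
    out = []
    for ts, src, sig, prio in alerts:
        notes = []
        if src in scanners:
            prio = max(1, prio - 1)
            notes.append("prior scan")
            if len(scanners[src]["bursts"]) > 1:
                notes.append("repeat scanner x%d" % len(scanners[src]["bursts"]))
        if src.startswith(internal_prefix) and src in scanned_by:
            prio = 1
            notes.append("scanned earlier by %s; possible compromise" % scanned_by[src])
        out.append({"ts": ts, "src": src, "sig": sig, "priority": prio, "notes": notes})
    return out


if __name__ == "__main__":
    table = find_scanners(FIREWALL_LOG)
    for src, rec in table.items():
        print("scanner %s: %d burst(s), targets %s" % (src, len(rec["bursts"]), sorted(rec["targets"])))
    for a in correlate(IDS_ALERTS, table):
        print("P%d %s %s %s %s" % (a["priority"], a["ts"], a["src"], a["sig"], "; ".join(a["notes"])))
```

The scanner table is the thing worth keeping: the scan itself is low priority, but the same source reappearing in a web-attack alert two weeks later, or a host it scanned suddenly scanning its neighbours, is not.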

  6. Intrusion Detection Systems Viruses and Worms • SQL Slammer worm • SQL Slammer is a perfect example of a situation where an "active response" IDS would not be able to prevent infection, but an inline IDS would: the whole worm is a single 376-byte UDP packet to port 1434, so the host is infected the instant the packet arrives and there is no TCP connection to reset. Only a device that can drop the packet in line stops it. • Five of the 13 root Domain Name servers that provide name service to the Internet were knocked down by the worm. • www.microsoft.com/technet/treeview/default.asp?url=/technet/security/alerts/slammer.asp • www.cert.org/advisories/CA-2003-04.html

  7. Intrusion Detection Systems • There are many organizations chartered to help mitigate attacks: • The Forum of Incident Response and Security Teams (FIRST) • Information Sharing and Analysis Centers (ISACs) • The Distributed Intrusion Detection System DShield, which anyone can join, submitting his or her log files for analysis anonymously and for free

  8. Intrusion Detection Systems • IDSs are classified by their functionality, loosely grouped into three categories: • Network-Based Intrusion Detection System (NIDS) • Host-Based Intrusion Detection System (HIDS) • Distributed Intrusion Detection System (DIDS)

  9. NIDS • Advantages of NIDS: • Has no impact on the systems or networks it is monitoring • Doesn't add any load to the hosts • An attacker who compromises one of the systems being watched can't touch the NIDS and may not even know it is there • Disadvantage of NIDS: • Uses up the SPAN (mirror) ports you are allotted on a given switch, and a busy network can exceed the bandwidth of the SPAN port itself, so packets are dropped before the sensor ever sees them

  10. HIDS • Differs from NIDS in two ways: • An installed HIDS protects only the system on which it resides • The network card of a system with a HIDS installed normally operates in non-promiscuous mode (it sees only its own traffic, which spares the CPU and the NIC the load of sniffing everything on the segment)

  11. HIDS • Advantages of HIDS: • The rule sets can be tailored to be very specific to the particular host system • Can detect specific changes to the files and operating system of its host (main advantage) • Can watch activity within a system that never crosses the network and therefore would never be seen by the NIDS • Disadvantages of HIDS: • Adds load to the host on which it is configured • A HIDS solution alone does not always scale well; without centralized management you may be a very busy system administrator trying to keep up with all those alerts

  12. DIDS • DIDS is a combination of NIDS sensors, HIDS sensors, or both, distributed across your enterprise, and all reporting to a central correlation system

  13. Intrusion Detection Systems • Using the existing network for sensor communication: • Should encrypt or VPN the traffic among sensors • Possible detection by an intruder • If the network is ever flooded or disabled by malicious traffic (as happened to many networks as a result of SQL Slammer), IDS sensors won't be able to communicate with the correlation or management servers, which significantly reduces their usefulness. • Better: "stealth mode" NIDS and a private (out-of-band) network for sensor communication • No IP address on the sniffing interface, a receive-only tap, and two NICs (one to the tap, one to the private management network)

  14. Application-specific information Signature vs. Anomaly • If the traffic is sent in cleartext, as Telnet or HyperText Transfer Protocol (HTTP) traffic is, a HIDS/NIDS has no problem matching an attack signature against the packet data. • If the traffic is binary but there is a known payload or a consistent part of the packet, a signature (rule) based HIDS/NIDS can still match against the packet and detect the attack. • Encrypted traffic is where anomaly-based HIDS/NIDS shine: there is nothing to pattern-match, only behaviour to compare against a baseline. A HIDS beats a NIDS here only if it sees the data before encryption or after decryption. A HIDS that merely sniffs its own host's network interface sees the same ciphertext a NIDS does, because SSL/TLS and SSH encrypt at the application layer, above anything visible on the wire; only a HIDS that reads the application's logs or hooks the application or OS sees the cleartext.

  15. How an IDS watches the network • Packet sniffing • Log parsing, www.loganalysis.org • File-system watching: Tripwire and Advanced Intrusion Detection Environment (AIDE)

  16. Technologies for IDS • Rule-based, a.k.a. signature-based • Most widely used approach. • Protocol analysis • Define every acceptable behavior for a specific kind of activity and alert on anything outside it. • Anomaly detection • Learn (baseline profile) or predefine "normal" and "abnormal" activity to distinguish anomalies from normal system behavior. Most limited flavor of IDS.
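The two slides above (signature matching on cleartext and on a constant binary fragment, versus an anomaly baseline for traffic whose payload cannot be read) can be shown side by side in a small engine. The following is an added example and not code from the presentation: the rules are constructed for it and are not real Snort rules, the packets, the access-log line and the packets-per-second baseline are made up, and the XOR "encryption" is only a stand-in for TLS so that the sniffer's view is opaque bytes.

```python
"""Signature matching versus an anomaly baseline, on constructed traffic.

Rules, packets and the access-log line are all constructed for this example;
they are not real Snort rules or real captures.
"""
import hashlib
import statistics

# Rule: (name, proto or None for any, dport or None for any,
#        [(content bytes, depth limit or None), ...]); every content must match.
RULES = [
    ("HTTP directory traversal", "tcp", None, [(b"GET ", 4), (b"../../", None)]),
    ("binary service exploit, constant header + payload fragment", "udp", 1434,
     [(b"\x04", 1), (b"\xde\xad\x01\x02\x03", None)]),   # constructed bytes
]


def match_contents(contents, data):
    """True when every content string is present; a depth limits the search to
    the first `depth` bytes, which is how a fixed header byte is pinned in place."""
    return all(c in (data if depth is None else data[:depth]) for c, depth in contents)


def match_rule(rule, proto, dport, payload):
    _, rproto, rport, contents = rule
    if rproto is not None and proto != rproto:
        return False
    if rport is not None and dport != rport:
        return False
    return match_contents(contents, payload)


def signature_scan(packets):
    """NIDS view: names of the rules that fire for each (proto, dport, payload)."""
    return [rule[0] for proto, dport, payload in packets for rule in RULES
            if match_rule(rule, proto, dport, payload)]


def scan_log_line(line):
    """HIDS view: the same content rules run over the request as the web server
    logged it, i.e. after TLS has been stripped by the application."""
    request = line.split('"')[1].encode()
    return [rule[0] for rule in RULES if match_contents(rule[3], request)]


def stand_in_encrypt(plaintext, key=b"constructed-key"):
    """XOR with a hash-derived keystream: a stand-in for the TLS record layer
    (real TLS is AEAD, but to a sniffer the bytes are equally opaque)."""
    stream = b""
    counter = 0
    while len(stream) < len(plaintext):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(p ^ k for p, k in zip(plaintext, stream))


REQUEST = b"GET /../../etc/passwd HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
PACKETS = [
    ("tcp", 80, REQUEST),                                    # cleartext HTTP: matches
    ("tcp", 443, stand_in_encrypt(REQUEST)),                 # same request, encrypted: no match
    ("udp", 1434, b"\x04" + b"\x01" * 16 + b"\xde\xad\x01\x02\x03" + b"\x00" * 8),  # binary: matches
    ("udp", 53, b"\x04" + b"\xde\xad\x01\x02\x03"),           # right bytes, wrong port: no match
]
ACCESS_LOG = '192.0.2.9 - - [01/May/2024:09:00:00 +0000] "GET /../../etc/passwd HTTP/1.0" 403 0'

# Anomaly side: learn packets-per-second on the encrypted port during quiet
# hours and flag later intervals far above it, without reading any payload.
BASELINE_PPS = [11, 12, 10, 13, 12, 11, 14, 12, 10, 13, 12, 11]   # constructed


def learn_baseline(samples):
    return statistics.mean(samples), statistics.pstdev(samples)


def is_anomalous(value, mean, sd, k=3.0):
    """Flag an interval more than k standard deviations above the learned mean."""
    return value > mean + k * sd


if __name__ == "__main__":
    print("NIDS hits:", signature_scan(PACKETS))
    print("HIDS log hits:", scan_log_line(ACCESS_LOG))
    mean, sd = learn_baseline(BASELINE_PPS)
    for pps in (14, 40):
        print("pps=%d anomalous=%s" % (pps, is_anomalous(pps, mean, sd)))
```

Note what each view gets: the NIDS matches the cleartext and the binary packet but is blind to the encrypted copy of the very same request, the log-reading HIDS catches that request because it works on the decrypted data, and the rate baseline says something about the encrypted port without knowing what is in it. A mean-plus-k-sigma threshold is the simplest possible anomaly model and is shown only to make the contrast concrete.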

  17. IDS responses to an attack attempt • Passive response • Log, send an alert, leave it alone. • Active response • Spoof a TCP reset to the source or destination system • ICMP unreachable to the source • Reconfigure the firewall or router to block the traffic • DNS lookup of, or scan against, the attacking system, with a report (check the legalities first, and watch out for an automated response that runs wild and ends up attacking your own servers, e.g. when an attacker spoofs the source address of a host you depend on so that you block it yourself) • Inline IPS • Effective and simple • Performance, a single point of failure, and false positives with disastrous impact (legitimate traffic is dropped)
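The "spoof a TCP reset" response above is worth seeing at the byte level, because its limits follow from how the packet is built. The block below is an added example, not the presentation's material: the observed segment is constructed (documentation-range addresses, sequence numbers chosen by hand), and the raw-socket sender is included only to show the injection call, since it needs root and is never invoked here.

```python
"""Craft the spoofed TCP resets an active-response IDS sends, and decode them.

The observed segment is constructed; addresses are documentation ranges.
Sending needs a raw socket and root, so main() only builds and decodes.
"""
import socket
import struct

TCP_RST = 0x04


def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (zero-padded if odd)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_header(src, dst, payload_len, ident=0):
    """Minimal IPv4 header (no options) carrying TCP, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, 64,
                      socket.IPPROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def tcp_segment(src, dst, sport, dport, seq, ack, flags, window=0):
    """TCP header with no payload; checksum covers the IPv4 pseudo-header."""
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0)
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(hdr)))
    return hdr[:16] + struct.pack("!H", checksum(pseudo + hdr)) + hdr[18:]


def reset_pair(obs):
    """From an observed segment build the two RSTs an IDS would inject: one to
    the source, spoofed from the destination, with seq equal to the ACK number
    the source is expecting next; one to the destination, spoofed from the
    source, with seq equal to the source's next sequence number (seq + len).
    Each RST is only accepted if that seq lands in the receiver's window."""
    to_src = tcp_segment(obs["dst"], obs["src"], obs["dport"], obs["sport"],
                         obs["ack"], 0, TCP_RST)
    to_dst = tcp_segment(obs["src"], obs["dst"], obs["sport"], obs["dport"],
                         obs["seq"] + obs["len"], 0, TCP_RST)
    return (ip_header(obs["dst"], obs["src"], len(to_src)) + to_src,
            ip_header(obs["src"], obs["dst"], len(to_dst)) + to_dst)


def parse(packet):
    """Decode an IPv4+TCP packet and verify both checksums (0 means valid)."""
    ihl = (packet[0] & 0x0F) * 4
    ip, tcp = packet[:ihl], packet[ihl:]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    pseudo = ip[12:20] + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    return {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF,
            "ip_ok": checksum(ip) == 0, "tcp_ok": checksum(pseudo + tcp) == 0}


def send_raw(packet, dst):
    """Inject a hand-built IP packet via a raw socket (root only; not called here)."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.sendto(packet, (dst, 0))


# Constructed observation: attacker 203.0.113.5:40000 -> server 192.0.2.10:80,
# 100 bytes of payload, exactly as the sensor saw it go by.
OBSERVED = {"src": "203.0.113.5", "sport": 40000, "dst": "192.0.2.10", "dport": 80,
            "seq": 1000, "ack": 5000, "len": 100}

if __name__ == "__main__":
    for pkt in reset_pair(OBSERVED):
        print(parse(pkt))
```

Three caveats fall straight out of the construction. The sensor must race the real conversation: if more data is exchanged before the RST lands, the sequence number is stale and the reset is ignored (stacks that implement RFC 5961 accept a RST only when seq equals exactly the next expected byte, answering anything else with a challenge ACK). There is nothing to reset for UDP, which is why this response does nothing against a single-packet worm such as SQL Slammer. And the spoofed packet is forged from the address of a host you are supposedly protecting, which is the same trick an attacker uses to make your own automated responses misfire.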

  18. Topics for discussion • Why doesn't my firewall serve as an IDS? • Why are attackers interested in me? • Automated scanning • Social engineering • Security plan and policy • Physical security • Bootable CD toolkits: FIRE, KNOPPIX, LINUX-BBC, OFFLINE NT PASSWORD & REGISTRY EDITOR, BOOTDISK/CD • Correlate the IPs of suspicious attackers, e.g. an outside scanner's IP later appearing inside the network • HIPS, NIPS, inline IDS, target-based IDS
