Intrusion Detection and Prevention
Objectives • Purpose of IDS's • Function of IDS's in a secure network design • Install and use an IDS • Customize the IDS signature database
IDS: What are they? • Dedicated hardened host • Sensors • Sits on a network that you want to protect • Network sniffer • Packet pattern analyzer • Unlike firewalls, an IDS is passive (this is changing) • They are often placed at each layer of your layered network
Location of IDS's (network diagram): Internet → Exterior Firewall → Public Network (External DNS, SMTP Server, Web Server, IDS) → Interior Firewall → Protected Network (Internal Servers, Internal DNS, Mail Server, Internal Clients, Internal IDS, Logging/Alerting Server)
IDS: The Need • Detection of probes and scans • Detection of network reconnaissance activity • Record of attempted exploits • Location of a compromised host on your network • Determining what information was compromised
The Attack Plan • Usually multiphased • Phase 1: Network scan • Characterizing the hosts on the network • Looking for particular services, e.g. DNS, HTTP • Determining the versions and OS types • Phase 2: Exploit a buffer overflow in DNS • Compromises the DNS host • Phase 3: Compromise other hosts on the network • Without an IDS you would not know
Protection Plan • Analyze all packets continuously • Look for patterns of known attacks • Network IDS signatures • The science behind IDS • Like virus signatures, IDS signatures must be updated • Do-it-yourself signature writing • Sometimes necessary • Look for statistical anomalies • Not a very well developed science as yet
Land Attack (1997) • Based on hand-crafted packets • Source IP and destination IP addresses are the same • Older systems would crash • NT & 95 depended on proper packets • Basically a denial of service attack • www.kb.cert.org/vuls/id/396645
Teardrop Attack (1997 – 1998) • Improper packet sequence • The IP fragment offset is malformed • Consecutive packets overlap • Newtear.c (on web site) • Another DoS attack
Teardrop (cont'd) • Packet 1 • Total length of IP datagram: 48 bytes • More fragments flag is set • Fragment offset is 0 • UDP length: 48 bytes – incorrect; the length should be 48 – 20 = 28
Teardrop (cont'd) • Packet 2 • Total length of IP datagram: 24 bytes • Fragment offset is 3 (× 8 bytes) • More fragments bit is cleared • 24 bytes are sent
Teardrop (cont'd) (diagram of the two fragments and their reconstruction): Packet 1 – IP datagram header (length 48, offset 0, More Frags bit 1), UDP segment header (length 48, should be 28; src port, dest port, checksum), UDP payload bytes 28–47. Packet 2 – IP datagram header (length 24, offset 3, More Frags bit 0), 4 bytes of IP payload (bytes 20–23). Fragment reconstruction – Packet 2's payload is placed at offset 3 × 8 = 24, inside the region Packet 1 already covers, so the fragments overlap.
nimda worm (2001) • Scan phase • Determine if a web server is an unpatched MS IIS box • Is it vulnerable to a Unicode-related exploit? • Attack phase • Exploit a buffer overflow
nimda worm (cont'd) • IDS can detect the scan phase of a nimda attack • “%c0%af../winnt/etc” is contained in the URL • %c0%af is the Unicode encoding of a slash • Most web servers scan for a “/” sequence that indicates a cd to root • Success of this attempt to change to the root directory indicates an unpatched IIS
nimda worm (cont'd) • IDS rule • /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir • Specific text search for %c0%af • The attack may change and this rule would not catch it • Better approach • Convert %c0%af to “/” and then check the validity of the URL • More robust
False +/- • False positives • Classifying benign activity as malicious • Get a lot of attention since people see the alerts • Annoying; usually the rule gets shut off entirely • False negatives • Missing a malicious activity • Not seen and ignored • Dangerous • The risks in classification
IDS Evasion Techniques • The attacker is patient • The attacker is clever • The attacker has nothing else to do • Examples • cmd.exe in the URL is often bad • However, cmd.exe-analysis.html may be OK • cmd.%65xe is the same thing • Text searches are not always good or effective
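The "better approach" from the nimda slides (decode the URL, then judge the canonical path) alongside the evasion examples on this slide, as an added Python example that is not part of the original slides. The request paths are constructed; the %c1%9c overlong-backslash variant is an assumed variation the slides do not show.

```python
import re
PCT = re.compile(r"%([0-9A-Fa-f]{2})")

def percent_decode(path: str) -> bytes:
    # Each %XX escape becomes one raw byte; everything else passes through unchanged.
    return PCT.sub(lambda m: chr(int(m.group(1), 16)), path).encode("latin-1")
def lenient_utf8(raw: bytes) -> str:
    # UTF-8 decode that accepts overlong 2/3-byte forms (%c0%af -> '/'), as unpatched IIS did.
    out, i = [], 0
    while i < len(raw):
        c = raw[i]
        n = 1 if c < 0x80 else 2 if 0xC0 <= c < 0xE0 else 3 if 0xE0 <= c < 0xF0 else 0
        seq = raw[i:i + n]
        if n and len(seq) == n and all((b & 0xC0) == 0x80 for b in seq[1:]):
            cp = c & (0x7F, 0x1F, 0x0F)[n - 1]
            for b in seq[1:]:
                cp = (cp << 6) | (b & 0x3F)
            out.append(chr(cp)); i += n
        else:
            out.append("\ufffd"); i += 1  # invalid byte: keep going, mark it
    return "".join(out)

def canonical_segments(url: str):
    # Decode the path part, resolve '.'/'..' against the web root ('/' and '\' both separate); -> (segments, escaped_root)
    decoded = lenient_utf8(percent_decode(url.split("?", 1)[0]))
    stack, escaped = [], False
    for seg in re.split(r"[/\\]", decoded):
        if seg == "..":
            if stack:
                stack.pop()
            else:
                escaped = True  # traversal climbed above the document root
        elif seg not in ("", "."):
            stack.append(seg.lower())
    return stack, escaped
def naive_rule(url: str) -> bool:
    # The slide's literal rule: a text search for the exact spelling %c0%af.
    return "%c0%af" in url.lower()

def normalized_rule(url: str) -> bool:
    # The slide's "better approach": decode first, then judge the canonical path.
    segs, escaped = canonical_segments(url)
    return escaped or "cmd.exe" in segs
# Constructed sample requests (not captured traffic): slide's probe, %c1%9c/cmd.%65xe variant, benign name, in-root "..".
SAMPLES = {
    "nimda":   "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",
    "variant": "/scripts/..%c1%9c../winnt/system32/cmd.%65xe?/c+dir",
    "benign":  "/docs/cmd.exe-analysis.html",
    "inroot":  "/images/../index.html",
}
```

The literal rule fires on the slide's probe but misses the variant, while the normalized check catches both and stays quiet on the benign file name and on a ".." that never leaves the web root.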
IDS Software • Popular systems • Snort – open source • Cisco recommends using Snort • ISS RealSecure • NFR Security NID • Centralizing all IDS logs • Easier analysis • Alerts – logs, e-mails, pagers, etc.
Distributed IDS • IDS logs submitted to a third party for collective analysis • Attack Registry & Intelligence Service • http://aris.securityfocus.com • Dshield • http://www.dshield.org
Outsourced IDS • Counterpane • Trusecure • Deloitte & Touche