Intrusion Detection System

Published June 2016

Network Intrusion Detection Systems (NIDS)

IDS Definitions
An IDS is any combination of hardware & software that monitors a system or network for malicious activity.
Examples of IDSs in real life:
  ◦ Car alarms
  ◦ Fire detectors
  ◦ House alarms
  ◦ Surveillance systems

- Defined by ICSA as:
  ◦ The detection of intrusions or intrusion attempts, either manually or via software expert systems that operate on logs or other information available from the system or the network.
- An intrusion is a deliberate, unauthorized attempt to access or manipulate information or systems and to render them unreliable or unusable.
- When suspicious activity comes from your internal network it can also be classified as misuse.
- Another definition:
  ◦ detecting inappropriate, incorrect, or anomalous activity
  ◦ misuse detection != intrusion detection

The Puzzle
- Intrusion Detection Systems are only one piece of the whole security puzzle
- IDS must be supplemented by other security and protection mechanisms
- They are a very important part of your security architecture but do not solve all your problems
- Part of “Defense in depth”

Why IDS?
- Many organizations deploy IDS systems
- Provide warnings to the network administrator
  – Administrator can then improve the network’s security
  – Vigorous investigation could lead to the attackers
- Typical responses to an attack include the following:
  – Terminating the session (TCP resets)
  – Blocking offending traffic (usually implemented with ACLs)
  – Creating session log files
  – Dropping the packet
- Can be detected:
  ◦ Mapping
  ◦ Port scans (tens of thousands of packets)
  ◦ TCP stack scans (hundreds of thousands of packets)
- Identify any of the following types of intrusion:
  ◦ Input validation errors
  ◦ Buffer overflow
  ◦ Boundary conditions
  ◦ Access validation errors
  ◦ Exceptional condition handling errors
  ◦ Environmental errors
  ◦ Race conditions

WHY DO I NEED AN IDS, I HAVE A FIREWALL?
- IDS are a dedicated assistant used to monitor the rest of the security infrastructure.
- Today’s security infrastructure is becoming extremely complex; it includes firewalls, identification and authentication systems, access control products, virtual private networks, encryption products, virus scanners, and more. All of these tools perform functions essential to system security. Given their role they are also prime targets and, being managed by humans, they are prone to errors.
- Failure of one of the above components of your security infrastructure jeopardizes the system it is supposed to protect.
- Not all traffic may go through a firewall, e.g. a modem on a user computer.
- Not all threats originate from outside. As networks use more and more encryption, attackers will aim at the location where data is often stored unencrypted (the internal network).
- Firewalls do not protect appropriately against application-level weaknesses and attacks.
- An IDS protects against misconfiguration or faults in other security mechanisms.

REAL LIFE ANALOGY
- It's like security at the airport... You can put up all the fences in the world and have strict access control, but the biggest threat is all the PASSENGERS (packets) that you MUST let through! That's why there are metal detectors to detect what they may be hiding (packet content).
- You have to let them get to the planes (your application) via the gate (port 80), but without X-rays and metal detectors you can't be sure what they have under their coats.
- Firewalls are really good access control points, but they aren't really good for, or designed to, prevent intrusions.
- That's why most security professionals back their firewalls up with IDS, either behind the firewall or at the host.

2. IDS Categories
- In-Kernel vs. Userspace
- Distributed vs. Atomic
- Host-based vs. Network-based
- Statistical vs. Signature Detection
- Active vs. Passive
- Proactive vs. Retroactive
- Flat vs. Hierarchical IDS

We consider some basic categories of intrusion detection mechanisms:
  ◦ By sensor location:
    - Network-based Intrusion Detection System (NIDS)
    - Host-based Intrusion Detection System (HIDS)
  ◦ By method of detection:
    - Statistical Detection
    - Signature Detection

NIDS vs HIDS

IDS sensors
[Figure: network diagram of IDS sensor placement around an application gateway firewall, showing the Internet, the demilitarized zone (Web server, FTP server, DNS server) and the internal network. Note on the figure: the underlying OS of a sensor needs to be hardened, stripped of unnecessary network services.]

Network-based IDS
- Protects an entire network segment
- Is usually a passive device on the network, and users are unaware of its existence
- Cannot detect malicious code in encrypted packets
- Is cost effective for mass protection
- Requires its own sensor for each network segment

Host-based IDS
- Protects a single system.
- Uses system resources such as CPU and memory from the host system.
- Provides application-level security.
- Provides day-one security as a shunt between high- and low-level processes.
- Intrusion detection is performed after decryption.
- Used on servers and sensitive workstations, but is costly for mass protection.

Anomaly/Statistical detection
- Mostly on a statistical basis
  ◦ Based on time, frequency, length of session
  ◦ For example: a person logs on at 03:00 AM and has never done so in the past; it will raise a flag
- Detects statistically exceptional events
- Learning: watching activity during the ‘normal’ state and storing patterns (who logs in, what is the origin, when, etc.)
- Experience shows that 90% of attacks can be considered as protocol usage anomalies.
- Does not require signatures (except what it learns)
- We should carefully add knowledge about “normal” activity, such as RFC-compliant state machines; it needs much work. A non-RFC-compliant client is not always an attacker, so we need flexibility.
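A constructed illustration of the learning phase and the 03:00 AM example above (added here, not part of the original slides): the baseline stores, per user, the login hours and origins seen during ‘normal’ activity, and a later login is flagged when its hour is outside the learned hours or its origin is new. The log format, the addresses and the one-hour tolerance are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from the slides): "<ISO timestamp> <user> <origin network>"
BASELINE = """
2016-06-01T09:02:00 alice 10.1.0.0/16
2016-06-01T17:45:00 alice 10.1.0.0/16
2016-06-02T08:55:00 alice 10.1.0.0/16
2016-06-01T22:10:00 bob 10.2.0.0/16
2016-06-02T23:40:00 bob 10.2.0.0/16
2016-06-03T01:05:00 bob 10.2.0.0/16
""".strip().splitlines()

NEW_EVENTS = """
2016-06-10T03:00:00 alice 10.1.0.0/16
2016-06-10T10:15:00 alice 10.1.0.0/16
2016-06-10T00:30:00 bob 10.2.0.0/16
2016-06-10T23:05:00 bob 203.0.113.0/24
""".strip().splitlines()

def parse(line):
    ts, user, origin = line.split()
    return datetime.fromisoformat(ts), user, origin

def learn_baseline(lines):
    """Learning phase: per user, store the login hours and origins seen during 'normal' activity."""
    profile = defaultdict(lambda: {"hours": set(), "origins": set()})
    for line in lines:
        ts, user, origin = parse(line)
        profile[user]["hours"].add(ts.hour)
        profile[user]["origins"].add(origin)
    return profile

def hour_is_usual(hour, seen_hours, tolerance=1):
    """True if the hour is within +/- tolerance of a learned hour (wrapping at midnight); an assumed tolerance."""
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= tolerance for h in seen_hours)

def detect_anomalies(profile, lines, tolerance=1):
    """Return (line, reason) for logins outside the learned pattern.
    An unknown user has an empty profile, so every hour is unusual and the login is flagged."""
    flagged = []
    for line in lines:
        ts, user, origin = parse(line)
        if not hour_is_usual(ts.hour, profile[user]["hours"], tolerance):
            flagged.append((line, f"never logged in around {ts.hour:02d}:00 before"))
        elif origin not in profile[user]["origins"]:
            flagged.append((line, f"new origin {origin}"))
    return flagged
```

Only the 03:00 login and the login from a never-seen origin are flagged; bob's 00:30 login passes because it sits within an hour of his learned 23:00 logins.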

Signature-based detection
- Sniff traffic on the network
  ◦ border router
  ◦ within a LAN
  ◦ multiple sensors
- Match attack signatures
  ◦ attack signatures in a database
  ◦ signature: set of rules pertaining to a typical intrusion activity
  ◦ skilled security engineers research known attacks; put them in the database
  ◦ can configure the IDS to exclude certain signatures; can modify signature parameters
  ◦ Simple example rule: any ICMP packet > 10,000 bytes
  ◦ Example: several thousand SYN packets to different ports on the same host under a second
- Warns the administrator
  ◦ send e-mail, SMS
  ◦ send message to the network management system
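The two example rules above, as an added example that is not from the original slides: the large-ICMP rule is a stateless per-packet signature, while the SYN-burst rule needs state, here a sliding one-second window of distinct destination ports per host. The packet record format, the addresses and the thresholds are constructed assumptions; the 2,000-port threshold stands in for “several thousand”.

```python
from collections import Counter, defaultdict

# Constructed packet records (not from the slides); fields are an assumed minimal decode:
# time (seconds), proto, src, dst, dport, flags, length (bytes)
def syn(t, src, dst, port):
    return {"time": t, "proto": "tcp", "src": src, "dst": dst, "dport": port, "flags": "S", "length": 60}

PACKETS = [
    {"time": 0.0, "proto": "icmp", "src": "198.51.100.7", "dst": "192.0.2.10", "dport": None, "flags": "", "length": 64},
    {"time": 0.5, "proto": "icmp", "src": "198.51.100.7", "dst": "192.0.2.10", "dport": None, "flags": "", "length": 12000},
    syn(1.0, "198.51.100.9", "192.0.2.10", 80),
]
# A constructed burst: 2,500 SYNs to distinct ports on one host within 0.75 s
PACKETS += [syn(2.0 + i * 0.0003, "198.51.100.9", "192.0.2.20", 1 + i) for i in range(2500)]

def rule_large_icmp(pkt, max_len=10_000):
    """Signature 1 from the slides: any ICMP packet larger than 10,000 bytes."""
    if pkt["proto"] == "icmp" and pkt["length"] > max_len:
        return f"ICMP packet of {pkt['length']} bytes from {pkt['src']}"
    return None

def rule_syn_burst(packets, window=1.0, threshold=2000):
    """Signature 2 from the slides: thousands of SYNs to different ports on the same host within a second.
    Stateful: a sliding time window per destination host, counting distinct destination ports."""
    alerts = []
    per_dst = defaultdict(list)  # dst host -> [(time, dport)] for SYN-only packets
    for p in packets:
        if p["proto"] == "tcp" and p["flags"] == "S":
            per_dst[p["dst"]].append((p["time"], p["dport"]))
    for dst, syns in per_dst.items():
        syns.sort()
        counts, start = Counter(), 0
        for t, port in syns:
            counts[port] += 1
            while t - syns[start][0] > window:  # evict SYNs that fell out of the window
                old = syns[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) >= threshold:
                alerts.append(f"{len(counts)} distinct ports hit on {dst} within {window}s")
                break  # one alert per host is enough
    return alerts

def run_signatures(packets):
    """Compare every packet with each per-packet signature, then run the stateful one."""
    alerts = [a for p in packets if (a := rule_large_icmp(p))]
    return alerts + rule_syn_burst(packets)
```

Running `run_signatures(PACKETS)` yields one alert per rule; note that the stateful rule is the costly one, which is the point the next slide makes about signature bases growing.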

Limitations to signature detection
- Requires previous knowledge of the attack to generate an accurate signature
  ◦ Blind to unknown attacks
- No knowledge of the intention of the activity
  ◦ Triggers alarms even if traffic is benign
- Signature bases are getting larger
  ◦ Every packet must be compared with each signature
  ◦ IDS can get overwhelmed with processing, miss packets

Current State of IDS
- Lots of people are still using firewall and router logs for intrusion detection
- IDS are not very mature
- Mostly signature based
- It is a quickly evolving domain
- Giant leaps and progress every quarter
- As stated by Bruce Schneier in his book ‘Secrets and Lies in a digital world’: Prevention, Detection, Response
  ◦ Getting to this point today

WHAT CAN IDS REALISTICALLY DO
  ◦ Monitor and analyse user and system activities
  ◦ Auditing of system and configuration vulnerabilities
  ◦ Assess integrity of critical system and data files
  ◦ Recognition of patterns reflecting known attacks
  ◦ Statistical analysis for abnormal activities
  ◦ Data trail, tracing activities from the point of entry up to the point of exit
  ◦ Installation of decoy servers (honey pots)
  ◦ Installation of vendor patches (some IDS)

WHAT IDS CANNOT DO
  ◦ Compensate for weak authentication and identification mechanisms
  ◦ Investigate attacks without human intervention
  ◦ Guess the content of your organization's security policy
  ◦ Compensate for weaknesses in networking protocols, for example IP spoofing
  ◦ Compensate for integrity or confidentiality of information
  ◦ Analyze all traffic on a very high speed network
  ◦ Deal adequately with attacks at the packet level
  ◦ Deal adequately with modern network hardware

Intrusion Detection System vs. Intrusion Prevention System

5. IDS Products
- Dragon from Enterasys
  ◦ http://www.enterasys.com/ids/
- CISCO Secure IDS
  ◦ http://www.cisco.com/go/ids/
- Snort
  ◦ http://www.snort.org/
- ISS Real Secure
  ◦ http://www.iss.net/securing_e-business/
- SHADOW
  ◦ http://www.whitehats.ca
  ◦ ftp://ftp.whitehats.ca/pub/ids/shadow-slack/shadow.iso

References
- Knowledge Net CISSP
- http://www.snort.org
