cs490ns - cotter 1 Intrusion Detection

Intrusion Detection


Page 1: Intrusion Detection


Page 2: Intrusion Detection

Outline

• What is it?
• What types are there?
  – Network based
  – Host based
  – Stack based
• Benefits of each
• Example Implementations
• Difference between active and passive detection
• HoneyPots

Page 3: Intrusion Detection

Intrusion Detection System (IDS)

• Detects malicious activity in computer systems
  – Identifies and stops attacks in progress
  – Conducts forensic analysis once attack is over

Page 4: Intrusion Detection


The Value of IDS

• Monitors network resources to detect intrusions and attacks that were not stopped by preventative techniques (firewalls, packet-filtering routers, proxy servers)

• Expands available options to manage risk from threats and vulnerabilities

Page 5: Intrusion Detection

Negatives and Positives

• IDS must correctly identify intrusions and attacks
  – True positives
  – True negatives
• False positives
  – Benign activity reported as malicious
• False negatives
  – IDS missed an attack

Page 6: Intrusion Detection

Dealing with False Results

• False positives
  – Reduce number using the tuning process
• False negatives
  – Obtain more coverage by using a combination of network-based and host-based IDS
  – Deploy NIDS sensors at multiple strategic locations in the network

Page 7: Intrusion Detection

Types of IDS

• Network-based (NIDS)
  – Monitors network traffic
  – Provides early warning system for attacks
• Host-based (HIDS)
  – Monitors activity on host machine
  – Able to stop compromises while they are in progress

Page 8: Intrusion Detection

Network-based IDS

• Uses a dedicated platform for purpose of monitoring network activity
• Analyzes all passing traffic
• Sensors have two network connections
  – One operates in promiscuous mode to sniff passing traffic
  – An administrative NIC sends data such as alerts to a centralized management system
• Most commonly employed form of IDS

Page 9: Intrusion Detection

NIDS Interfaces

[Figure: NIDS sensor with a monitoring interface on the Data Link (no IP Address) and a management interface carrying Data Flow to the NIDS Management Console]

Page 10: Intrusion Detection

NIDS Architecture

• Place IDS sensors strategically to defend most valuable assets
• Typical locations of IDS sensors
  – Just inside the firewall
  – On the DMZ
  – On the server farm segment
  – On network segments connecting mainframe or midrange hosts

Page 11: Intrusion Detection


Connecting the Monitoring Interface

• Using Switch Port Analyzer (SPAN) configurations, or similar switch features

• Using hubs in conjunction with switches

• Using taps in conjunction with switches

Page 12: Intrusion Detection


SPAN

• May be built into configurable switches (high end)

• Allows traffic sent or received in one interface to be copied to another monitoring interface

• Typically used for sniffers or NIDS sensors

Page 13: Intrusion Detection

How SPAN Works

[Figure: Switch with a Monitored Port on the Data Link to the Monitored Host; Duplicated Traffic is copied to the SPAN Port, where the IDS listens]

Page 14: Intrusion Detection

Monitor Network Segment

[Figure: Switch copying Duplicated Traffic from the Data Link of several Monitored Hosts to the IDS]

Page 15: Intrusion Detection


Limitations of SPAN

• Traffic between hosts on the same segment is not monitored; only traffic leaving the segment crosses the monitored link

• Switch may offer limited number of SPAN ports or none at all

Page 16: Intrusion Detection


Hub

• Device for creating LANs that forward every packet received to every host on the LAN

• Allows only a single port to be monitored

Page 17: Intrusion Detection

Using a Hub in a Switched Infrastructure

[Figure: Switch, Hub and Switch along the Data Link, with the IDS and the Monitored Host attached to the Hub]

Page 18: Intrusion Detection


Tap

• Fault-tolerant hub-like device used inline to provide IDS monitoring in switched network infrastructures

Page 19: Intrusion Detection

Using a Tap

[Figure: Tap inline on the Data Link to the Monitored Host, with a Monitoring Port to the IDS]

Tap acts like a 3-way hub where the monitoring port is read only

Page 20: Intrusion Detection

Typical 10/100 8 port Tap

[Figure: product photo of an 8-port 10/100 tap (NetOptics, Networktaps.com)]

Loss of power has no effect on traffic

Page 21: Intrusion Detection


NIDS Signature Types

• Signature-based IDS

• Port signature

• Header signatures

Page 22: Intrusion Detection


Network IDS Reactions

• TCP resets

• IP session logging

• Shunning or blocking

Page 23: Intrusion Detection

Strengths of NIDS

• Cost of Ownership
  – Lower because IDS is shared
• Packet Analysis
  – Can look at all network traffic
• Evidence Removal
  – Packets are captured in a separate machine
• Real-Time Detection and Response
  – Can detect (and block) DDoS attacks
• Operating System Independence

Page 24: Intrusion Detection

Host-based IDS

• Primarily used to protect only critical servers
• Software agent resides on the protected system
• Detects intrusions by analyzing logs of operating systems and applications, resource utilization, and other system activity
• Use of resources can have impact on system performance

Page 25: Intrusion Detection

HIDS Method of Operation

• Auditing logs (system logs, event logs, security logs, syslog)
• Monitoring file checksums to identify changes
• Elementary network-based signature techniques including port activity
• Intercepting and evaluating requests by applications for system resources before they are processed
• Monitoring of system processes for suspicious activity
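The file-checksum method above, as an added Python example that is not part of the slides: a baseline of SHA-256 digests is recorded while the host is known good, a later scan recomputes them, and the differences are classified as modified, added or removed files. The directory tree, file contents and tampering in `run_demo` are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

def file_digest(path, chunk=1 << 16):
    """SHA-256 of one file, read in chunks so large files do not exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root):
    """Map every regular file under root (POSIX-style relative path) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline, current):
    """Classify differences between the stored baseline and a fresh scan."""
    old, new = set(baseline), set(current)
    return {"modified": sorted(f for f in old & new if baseline[f] != current[f]),
            "added": sorted(new - old),
            "removed": sorted(old - new)}

def run_demo():
    """Baseline a constructed 'etc' tree, tamper with it, rescan and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp) / "etc"
        etc.mkdir()
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        (etc / "motd").write_text("welcome\n")
        baseline = build_baseline(tmp)            # taken while the host is trusted
        # Simulated changes an agent should catch: an edited, an added and a deleted file.
        with open(etc / "passwd", "a") as f:
            f.write("guest:x:1001:1001::/home/guest:/bin/sh\n")
        (etc / "new.conf").write_text("unexpected\n")
        (etc / "motd").unlink()
        return compare(baseline, build_baseline(tmp))
```

A real agent keeps the baseline somewhere the monitored host cannot rewrite, because a digest database that an intruder can regenerate after tampering detects nothing.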

Page 26: Intrusion Detection

HIDS Software

• Host wrappers
  – Inexpensive and deployable on all machines
  – Do not provide in-depth, active monitoring measures of agent-based HIDS products
• Agent-based software
  – More suited for single purpose servers

Page 27: Intrusion Detection


HIDS Active Monitoring Capabilities

• Log the event

• Alert the administrator

• Terminate the user login

• Disable the user account

Page 28: Intrusion Detection

Advantages of Host-based IDS

• Verifies success or failure of attack by reviewing HIDS log entries
• Monitors user and system specific activities; useful in forensic analysis of the attack
• Can monitor network encrypted traffic
• Near real-time detection and response
  – Analysis is log based, but good design mitigates much of the delay.
• Can focus on key system components
• No additional Hardware

Page 29: Intrusion Detection


Stack based IDS

• IDS is integrated with TCP/IP protocol stack

• Allows system to provide real-time analysis and response

• Intended to have low enough overhead so that each system can have its own IDS

Page 30: Intrusion Detection


Passive Detection Systems

• Can take passive action (logging and alerting) when an attack is identified

• Cannot take active actions to stop an attack in progress

Page 31: Intrusion Detection

Active Detection Systems

• Have logging, alerting, and recording features of passive IDS, with additional ability to take action against offending traffic
• Options
  – IDS shunning or blocking
  – TCP reset
• Used in networks where IDS administrator has carefully tuned the sensor’s behavior to minimize number of false positive alarms

Page 32: Intrusion Detection

Signature-based and Anomaly-based IDS

• Signature detection
  – Also known as misuse detection
  – IDS analyzes information it gathers and compares it to a database of known attacks, which are identified by their individual signatures
• Anomaly detection
  – Baseline is defined to describe normal state of network or host
  – Any activity outside baseline is considered to be an attack
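The two approaches contrasted above, and the port and header signature types from the NIDS Signature Types slide, as an added Python example that is not part of the slides: a toy sensor runs a small signature database over constructed packet records, and separately flags packets whose size falls outside a baseline learned from traffic declared normal. The signatures (a port that is never offered, the SYN+FIN flag combination), the port numbers and all traffic are constructed for the demonstration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class Packet:
    dport: int
    flags: frozenset  # TCP flag names, e.g. frozenset({"SYN"})
    size: int         # bytes on the wire

# Constructed signature database (name -> predicate), standing in for the deck's port and header signature types.
SIGNATURES = {
    # Port signature: a connection attempt to a port this network never offers.
    "port-31337-backdoor": lambda p: p.dport == 31337,
    # Header signature: SYN and FIN together cannot occur in a legitimate handshake.
    "tcp-syn-fin": lambda p: {"SYN", "FIN"} <= p.flags,
}

def signature_alerts(packets):
    """Misuse detection: every (signature name, packet) pair that matches."""
    return [(n, p) for p in packets for n, hit in SIGNATURES.items() if hit(p)]

class SizeBaseline:
    """Anomaly detection: mean/stddev packet size per destination port, learned from trusted traffic."""
    def __init__(self, normal_traffic, k=3.0):
        self.k, sizes = k, {}
        for p in normal_traffic:
            sizes.setdefault(p.dport, []).append(p.size)
        self.stats = {port: (mean(s), pstdev(s)) for port, s in sizes.items()}

    def alerts(self, packets):
        out = []
        for p in packets:
            mu, sigma = self.stats.get(p.dport, (None, 0.0))
            if mu is None:                        # port never seen while baselining
                out.append(("unknown-port", p))
            elif abs(p.size - mu) > self.k * max(sigma, 1.0):  # floor avoids sigma == 0
                out.append(("size-outside-baseline", p))
        return out

def run_demo():
    """Run both detectors over constructed traffic; returns (signature hits, anomaly hits) as (name, dport)."""
    syn, ack = frozenset({"SYN"}), frozenset({"ACK"})
    normal = [Packet(80, ack, s) for s in (500, 520, 480, 510, 490)]
    normal += [Packet(22, ack, s) for s in (100, 110, 90)]
    observed = [Packet(80, syn, 505), Packet(80, ack, 9000),   # benign; anomaly only
                Packet(31337, syn, 60),                         # port signature
                Packet(22, frozenset({"SYN", "FIN"}), 100)]     # header signature
    baseline = SizeBaseline(normal)
    return ([(n, p.dport) for n, p in signature_alerts(observed)],
            [(n, p.dport) for n, p in baseline.alerts(observed)])
```

Note that the 9000-byte packet is invisible to the signature engine and the SYN+FIN packet is invisible to the baseline, which is why the deck's false-negative advice combines detection methods rather than relying on one.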

Page 33: Intrusion Detection

Intrusion Detection Products

• Aladdin Knowledge Systems
• Entercept Security Technologies
• Cisco Systems, Inc.
• Computer Associates International Inc.
• CyberSafe Corp.
• Cylant Technology
• Enterasys Networks Inc.
• Internet Security Systems Inc.
• Intrusion.com Inc. family of IDS products

Page 34: Intrusion Detection

Intrusion Detection Products (cont.)

• NFR Security
• Network-1 Security Solutions
• Raytheon Co.
• Recourse Technologies
• Sanctum Inc.
• Snort
• Sourcefire, Inc.
• Symantec Corp.
• TripWire Inc.

Page 35: Intrusion Detection

Honeypots

• False systems that lure intruders and gather information on methods and techniques they use to penetrate networks—by purposely becoming victims of their attacks
• Simulate unsecured network services
• Make forensic process easy for investigators

Page 36: Intrusion Detection

Honeypot Architecture

[Figure: Router, Data Link Switch, Servers and Honeypot]

Page 37: Intrusion Detection

Commercial Honeypots

• KFSensor – www.keyfocus.net/kfsensor
• NetBait – www2.netbaitinc.com:5080
• Specter – www.specter.com
• Decoy Server – www.symantec.com

Page 38: Intrusion Detection

Open Source Honeypots

• Argos – www.few.vu.nl/argos
• HoneyNet Project – http://www.honeynet.org
• Honeyd – www.honeyd.org
• The Deception Toolkit – http://all.net/dtk/download.html

Page 39: Intrusion Detection

Honeypot Deployment

• Goal
  – Gather information on hacker techniques, methodology, and tools
• Options
  – Conduct research into hacker methods
  – Detect attacker inside organization’s network perimeter

Page 40: Intrusion Detection


Honeypot Design

• Must attract, and avoid tipping off, the attacker

• Must not become a staging ground for attacking other hosts inside or outside the firewall

Page 41: Intrusion Detection


Honeypots, Ethics, and the Law

• Nothing wrong with deceiving an attacker into thinking that he/she is penetrating an actual host

• Honeypot does not convince one to attack it; it merely appears to be a vulnerable target

• Doubtful that honeypots could be used as evidence in court

Page 42: Intrusion Detection

References

• Security+ Guide to Network Security Fundamentals – Campbell, Calvert, Boswell – Course Technology, 2003
• HowTo Guide for IDS – http://www.snort.org/docs/iss-placement.pdf

Page 43: Intrusion Detection

Summary

• What is Intrusion Detection?
• What types are there?
  – Network based
  – Host based
  – Stack based
• Benefits of each
• Example Implementations
• Difference between active and passive detection
• HoneyPots