What will we discuss?
• Network-Based Detection
• Network-based Architecture
- Traditional Sensor-based
- Distributed Network-node
• Network Intrusion Detection Engine
- Signatures
• Operational Concepts for network-based detection
• Benefits of network-based ID
• Challenges for network-based Technologies
Introduction
• Why is it called 'network-based'?
- It analyzes network packets.
- The packets are 'sniffed' off the network.
• TCP/IP is the protocol suite most commonly analyzed by commercial IDS.
• Different technologies decode the protocol stack to different depths, up to and including the application layer.
Network-based Detection
• Most network-based attacks are directed at OS vulnerabilities.
• These are exploited mainly toward the following ends:
- Unauthorized Access
- Data/Resource Theft
- Denial of Service
Unauthorized Access
• Unauthorized Login
- The key is to detect the attempt before or while the attacker logs in.
- TFTP is well known for its lack of security (no authentication at all).
- SunOS 4.1.x had security problems with its file sharing protocol.
• Jump-off Point
- Attackers are 'bad', not 'stupid'.
- One compromised computer can open up several other computers in the same organization.
- Why is my mail server contacting DoD?
Data/Resource Theft
• Information theft
- Password file download gives the attacker the ability to compromise other systems. (Look for '/etc/passwd' in the traffic.)
- Secret data file download: credit card numbers, employee HR data.
• Bandwidth Theft
- Firms with a lot of bandwidth do not use all of it at all times.
- As the attacker's use of the stolen bandwidth grows, the traffic becomes noticeable and he will be caught.
Denial of Service
• Malformed Packets
- Not all error conditions are handled when the protocol stack is coded.
- The code is not prepared for 'impossible' values in argument fields.
• Packet Flooding
- Not a very sophisticated attack.
- If the source address is spoofed, it can be hard to deal with.
• Distributed DoS
- A special case of flooding (several machines attack at once).
- ID is not a very good tool against this attack, but it can be helpful.
NID Architecture
• Two types of NID
• Traditional Sensor-based (Promiscuous mode)
- Obtain packets, search for patterns, report alarms to the central command console.
• Network-node (Distributed)
- An agent on each computer, protecting that individual target.
Traditional Sensor-based Architecture
• Ethernet Chip in Promiscuous mode
• “sniffed” packets are fed to the detection engine (typically on the same machine)
• Taps are distributed to all mission-critical segments (generally one per segment)
• Central command console correlates alarms from multiple sensors.
Life cycle of a Packet
• Packet is born.
• Packet is 'sniffed' off the wire in real time by the sensor (a stand-alone machine or a network device in promiscuous mode).
• Detection engine matches the packet against the predefined patterns. If one matches, an alert is generated and forwarded to the central console.
• Security officer is notified.
Life cycle of a Packet (Contd.)
• Response is generated.
- Reconfiguring router/firewall rules
- Terminating the session
• Alert is stored for later review and correlation.
• Reports are generated.
• Data forensics for long-term trends.
Distributed Network-node Architecture
• Sensor on every computer.
• Every sensor is concerned only with the target it resides on.
• Now confused between host-based and network-based?
- The difference between host-based and network-based ID is the source of data: a network-node agent still reads packets off the wire (addressed to its host), whereas a host-based agent reads audit logs and system state.
• Network-node agents communicate with each other on the network to correlate alarms at the console.
Life cycle of a Packet
• Packet is born.
• The packet is read in real time by a sensor resident on the destination machine.
• A detection engine matches it against signatures of misuse. If a pattern is found, an alarm is generated and forwarded to the central console or to other sensors on the network.
Life cycle of a Packet (Contd.)
• Security officer is notified.
• Response is generated.
- Reconfiguring router/firewall rules
- Terminating the session
• Alert is stored for later review and correlation.
• Reports are generated.
• Data forensics for long-term trends.
Misconception
Real-Time ID
“I need Intrusion Detection”
“Are you interested in network-based or host based?”
“Oh, I need real-time Intrusion Detection”
“Great, on the host or the network”
“What???”
Network Intrusion Detection Engine
• This is where the real magic is !!
• A stream of time-sequential TCP/IP packets is processed to detect predetermined sequences and patterns (signatures).
• Speed is an issue: the engine must keep up with the wire, or packets are dropped unexamined.
Network Signatures
• Packet Content Signatures
- Based on the contents of packets (smart?)
• Traffic Analysis Signatures
- Based on header information and the flow of traffic
• More on detection mechanisms in future talks.
Packet Content Signatures
• Simple Example: copy the password file over FTP.
- Look for the pattern "passwd" in the packet.
(Output of snoop)
source.com -> dest.com  ETHER Type=0800 (IP), size = 67 bytes
source.com -> dest.com  IP    D=134.193.22.26 S=134.193.18.3 LEN=53, ID=34704
source.com -> dest.com  TCP   D=21 S=2095 Ack=21233432 Seq=21342876 Len=13 Win=4096
source.com -> dest.com  FTP   C port=2095 RETR \etc\passwd\r\n
Traffic Analysis Signature
• Simple Examples
- A lot of packets destined to one machine in a relatively short period of time (a possible DoS attempt).
- A packet coming from outside the network with a source IP address belonging to the inside network (a spoofed address).
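The following is an added example (not code from the slides) that ties together the packet life cycle of the sensor-based architecture, the FTP "passwd" content signature, and the two traffic-analysis signatures above. It is a minimal detection engine for a sensor on the border (external) segment: constructed raw Ethernet/IPv4/TCP frames stand in for packets sniffed off the wire, and each frame is run through every signature. The inside address range 134.193.22.0/24, the flood threshold of 50 packets in a 1-second window, and the helper names are assumptions made for the example.

```python
"""Minimal promiscuous-mode NIDS detection engine (added example, not the slides' code)."""
import struct
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Assumptions for this example: the monitored "inside" network seen by a border sensor,
# and the threshold/window that the flood signature uses.
INSIDE_NET = ip_network("134.193.22.0/24")
FLOOD_THRESHOLD = 50      # packets to one destination ...
FLOOD_WINDOW = 1.0        # ... within this many seconds


def build_frame(src_ip, dst_ip, sport, dport, payload=b""):
    """Constructed test input: an Ethernet/IPv4/TCP frame (checksums left zero; parsing ignores them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 4096, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ip_address(src_ip).packed, ip_address(dst_ip).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp      # dummy MACs, EtherType 0x0800 (IP)


def parse_frame(frame):
    """Decode the headers a sensor needs; returns None for anything but IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                          # header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:                                    # protocol field: 6 = TCP
        return None
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    return {"src": ip_address(ip[12:16]), "dst": ip_address(ip[16:20]),
            "sport": sport, "dport": dport, "payload": tcp[data_offset:]}


# Packet content signatures: (name, destination port, byte pattern searched in the payload)
CONTENT_SIGNATURES = [
    ("FTP retrieval of the password file", 21, b"passwd"),
]


class DetectionEngine:
    """The 'brain' of a sensor on the border segment: a sniffed frame goes in, alerts come out."""

    def __init__(self, inside_net=INSIDE_NET, threshold=FLOOD_THRESHOLD, window=FLOOD_WINDOW):
        self.inside_net, self.threshold, self.window = inside_net, threshold, window
        self.arrivals = defaultdict(deque)   # destination -> timestamps of recent packets
        self.alerts = []                     # what would be forwarded to the central console

    def process(self, frame, ts):
        """Run one frame through every signature; return the alert names it raised."""
        pkt = parse_frame(frame)
        if pkt is None:
            return []
        raised = []
        # 1. Packet content signature: pattern in the payload of traffic to the service port.
        for name, port, pattern in CONTENT_SIGNATURES:
            if pkt["dport"] == port and pattern in pkt["payload"]:
                raised.append(name)
        # 2. Traffic analysis: inside-to-inside traffic never legitimately crosses the external
        #    link, so an inside source address arriving there is spoofed.
        if pkt["src"] in self.inside_net and pkt["dst"] in self.inside_net:
            raised.append("spoofed inside source address arriving from outside")
        # 3. Traffic analysis: many packets to one host in a short window (possible flood).
        q = self.arrivals[pkt["dst"]]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) == self.threshold:                  # fires once as the threshold is crossed
            raised.append(f"possible packet flood against {pkt['dst']}")
        for name in raised:
            self.alerts.append((ts, name, str(pkt["src"]), str(pkt["dst"])))
        return raised


def demo():
    """Feed constructed traffic through the engine and return the alert names raised, in order."""
    eng = DetectionEngine()
    # Benign web request from outside: no signature fires.
    eng.process(build_frame("192.0.2.10", "134.193.22.26", 40001, 80, b"GET / HTTP/1.0\r\n\r\n"), 0.0)
    # The snoop example from the slide: RETR of the password file over FTP.
    eng.process(build_frame("134.193.18.3", "134.193.22.26", 2095, 21, b"RETR /etc/passwd\r\n"), 0.1)
    # An inside source address seen coming in over the outside link.
    eng.process(build_frame("134.193.22.7", "134.193.22.26", 5555, 25), 0.2)
    # Flood: many small packets to one host from many sources within one second.
    for i in range(FLOOD_THRESHOLD + 10):
        eng.process(build_frame(f"198.51.100.{i % 250 + 1}", "134.193.22.26", 1024 + i, 80),
                    0.3 + i * 0.005)
    return [name for _, name, _, _ in eng.alerts]


if __name__ == "__main__":
    for alert in demo():
        print("ALERT:", alert)
```

Note that the spoofing check only makes sense for a sensor that sees the external link; placed inside the firewall it would fire on every internal conversation. The flood signature is stateful, which is why a real engine needs bounded per-destination state and a sliding window rather than a plain counter.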
Operational Concept
• A NIDS performs only as well as it is operated and configured.
• The value of the system depends on the skills of the operator.
• Network-based ID can be operated in a way that requires very few resources.
How do I use NIDSs?
• The specific use of a NIDS depends on environment-specific requirements.
• Sensor placement plays an important role. Example:
- A sensor placed outside the firewall will identify source addresses attempting to attack you, including attempts the firewall blocks.
- A sensor placed inside the firewall will detect attacks that successfully circumvent your firewall.
(If you don't have a firewall, YOU SHOULDN'T BE HERE! GO INSTALL IT FIRST!!)
Operational Modes
• The operational mode describes the manner in which you will operate your NIDS and partially describes the end goals of monitoring.
• Two primary operational modes:
- Tip-Off
- Surveillance
Tip-Off and Surveillance
• The defining characteristic of tip-off is that the system is detecting something previously unsuspected.
• Unlike tip-off, surveillance takes place when misuse is already indicated or suspected. It is an increased effort to observe the behavior of a small set of objects.
Benefits of NID
• Outside Deterrence
- A notification to the attacker can enhance the deterrent value of an IDS.
• Threat Detection
- Can be used deterministically or in a decision-support context.
• Automated Response and Notification
- Pager, SNMP trap, on-screen, audible, e-mail.
Challenges for Network-based Technologies (promiscuous-mode)
• Packet Reassembly (IP fragmentation)
- A signature split across fragments is invisible to per-packet matching; the sensor can only search for patterns after reassembly, and must reassemble the way the target host does.
• High-speed networks (Gig E?)
- A sensor that cannot keep up drops packets, and dropped packets are never inspected.
• Sniffer Detection Programs (Antisniff)
- An interface in promiscuous mode can be discovered, which tells the attacker where the sensor is.
• Switched Networks (IP over ATM?)
- A switch delivers frames only to the destination port, so a promiscuous sensor sees nothing unless it is fed from a mirror (SPAN) port or a tap.
• Encryption (IPSec, VPN)
- Packet content signatures cannot be matched on encrypted payloads; only header and traffic-analysis signatures remain unless the sensor sits where the traffic is in the clear.
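The fragmentation challenge above is easiest to see on the FTP "passwd" signature itself. The following is an added example (not code from the slides): the 38-byte TCP segment carrying "RETR /etc/passwd\r\n" is split at an 8-byte IP fragment boundary so that the pattern straddles two fragments, and the second fragment is delivered first. A sensor that inspects each packet in isolation misses it; a sensor that reassembles the datagram before matching catches it. The fragments are constructed inline as (key, offset, more-fragments flag, payload) tuples rather than full IP headers, and the "lower offset wins" policy for overlapping fragments is an assumption of the example; real stacks differ on that policy, which is itself an evasion opportunity.

```python
"""IP fragmentation versus per-packet signature matching (added example, not the slides' code)."""
from collections import defaultdict

SIGNATURE = b"passwd"   # the content signature from the FTP example


class FragmentReassembler:
    """Reassemble IPv4 datagrams from fragments keyed by (src, dst, proto, ip_id).

    Assumption of this example: where fragments overlap, the byte from the lower-offset
    fragment is kept. Real stacks resolve overlaps differently, and a sensor that does not
    mirror the target's policy can be made to see a different datagram than the target does.
    """

    def __init__(self):
        self.frags = defaultdict(dict)   # key -> {offset: payload}
        self.length = {}                 # key -> total length, known once the MF=0 fragment is seen

    def add(self, key, offset, more_fragments, payload):
        """Buffer one fragment. Return the whole datagram payload when complete, else None."""
        self.frags[key].setdefault(offset, payload)       # exact duplicate offset: first arrival wins
        if not more_fragments:
            self.length[key] = offset + len(payload)
        if key not in self.length:
            return None                                    # last fragment not seen yet
        total = self.length[key]
        buf, covered = bytearray(total), bytearray(total)
        for off in sorted(self.frags[key]):
            for i, b in enumerate(self.frags[key][off]):
                if off + i >= total:
                    break                                  # fragment runs past the declared end
                if not covered[off + i]:
                    buf[off + i], covered[off + i] = b, 1
        if not all(covered):
            return None                                    # a hole remains; keep waiting
        del self.frags[key], self.length[key]              # release state for this datagram
        return bytes(buf)


def per_fragment_match(fragments):
    """What a sensor that inspects each packet in isolation sees."""
    return any(SIGNATURE in payload for _, _, _, payload in fragments)


def reassembled_match(fragments):
    """Reassemble first, then search; True if any completed datagram carries the signature."""
    reassembler = FragmentReassembler()
    for key, offset, mf, payload in fragments:
        datagram = reassembler.add(key, offset, mf, payload)
        if datagram is not None and SIGNATURE in datagram:
            return True
    return False


# Constructed input: a 20-byte TCP header (sport 2095, dport 21, PSH/ACK) followed by
# "RETR /etc/passwd\r\n", split at byte 32 (an 8-byte boundary) so "passwd" straddles
# the two fragments. The last fragment is delivered before the first.
TCP_HDR = b"\x08\x2f\x00\x15" + b"\x00" * 8 + b"\x50\x18\x10\x00\x00\x00\x00\x00"
KEY = ("134.193.18.3", "134.193.22.26", 6, 34704)
FRAGMENTS = [
    (KEY, 32, False, b"sswd\r\n"),                 # offset 32, MF=0 (last fragment)
    (KEY, 0, True, TCP_HDR + b"RETR /etc/pa"),     # offset 0, MF=1
]


def demo():
    """Return (per-fragment result, reassembled result) for the constructed fragments."""
    return per_fragment_match(FRAGMENTS), reassembled_match(FRAGMENTS)


if __name__ == "__main__":
    naive, reassembled = demo()
    print("per-packet match:", naive)        # the evasion works against a naive sensor
    print("reassembled match:", reassembled) # reassembly restores the signature
```

The reassembler keeps state for every datagram whose fragments have not all arrived, so a production sensor also needs a timeout and a cap on buffered fragments; otherwise an attacker can exhaust the sensor's memory with incomplete datagrams, which is a flood aimed at the sensor rather than the target.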