
Page 1: Intrusion Detection System ( IDS )

Intrusion Detection System (IDS)

By:- Er. Magandeep Kaur (G.P.C. Bathinda)

4/26/2013 Punjab EDUSAT Society (PES)

Page 2: Intrusion Detection System ( IDS )

What is IDS?

• IDS are tools for obtaining security in networks.

• It helps the administrator to detect & respond to the malicious attacks which the firewall was not able to detect & filter.

Page 3: Intrusion Detection System ( IDS )

• An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activity.

• An IDS is required to detect the malicious network traffic and computer usage that a conventional firewall cannot detect on its own.

Page 4: Intrusion Detection System ( IDS )

• This includes network attacks against services, attacks on applications, unauthorized logins and access to sensitive files etc…

• IDS thus forms the second line of defence against malicious hackers & attackers.

Page 5: Intrusion Detection System ( IDS )

Comparison with firewalls

• Though they both relate to network security, an IDS differs from a firewall in that a firewall looks outward for intrusions in order to stop them from happening.

• Firewalls limit access between networks to prevent intrusion and do not signal an attack from inside the network.

Page 6: Intrusion Detection System ( IDS )

• An IDS evaluates a suspected intrusion once it has taken place and signals an alarm, whether the intrusion came from outside or from inside the network.

• A system that also terminates the offending connections is called an intrusion prevention system (IPS); it sits inline and is another form of application layer firewall.

Page 7: Intrusion Detection System ( IDS )

• Normally networks use a firewall for protection against security threats, but a firewall can rarely identify the type of attack.

• An IDS has therefore proven to be an excellent tool for identifying & monitoring the type of attack.

Page 8: Intrusion Detection System ( IDS )

• There are two types of intrusion detection system, distinguished by how they respond to a detected attack: -

1. Reactive IDS 2. Passive IDS

1. Reactive IDS: - It is one in which, if an intruder or attack is detected, the administrator is alerted and the IDS also takes an automatic action, e.g. resetting the connection or reprogramming the firewall to block the attacking source.

2. Passive IDS: - In it the event is only logged & the user is alerted in silent mode i.e. through mails, pagers etc.; no automatic action is taken.

Page 9: Intrusion Detection System ( IDS )

• A better way to understand IDS would be to take your house as an example.

• The locks on your doors & windows stop strangers from gaining access to your house. These are your firewalls.

• A person having keys of your door locks, or who has some way to open them, can pass through the doors & windows, i.e. one having keys is an authorized person whom your firewalls let pass through.

Page 10: Intrusion Detection System ( IDS )

• But this firewall cannot detect whether that authorized person has malicious intentions or not.

• Such a person can be detected by an IDS.

• IDS are a combination of early warning & alarm system.

• When someone attempts to force entry into your house, your alarm will sound to scare off the intruder (a “reactive” IDS), or it might make a silent phone call to the local police station (a “passive” IDS).

Page 11: Intrusion Detection System ( IDS )

Need of IDS

• For any company with a connection to the internet, a firewall should always be your first line of defence.

• But firewalls can be attacked or bypassed, & one way to plug these gaps in your security is to use an IDS.

Page 12: Intrusion Detection System ( IDS )

• Following are some reasons why we need IDS:-

• Trojans:- A Trojan is a malicious program that you have been hoodwinked into installing on your computer in the belief that it is a legitimate program.

• Spyware:- It is generally a particular type of Trojan. Its purpose is to sit quietly & hidden on your computer & to send information back to its originator. It spies on you, stealing confidential information, passwords, credit card numbers etc.

Page 13: Intrusion Detection System ( IDS )

Advantages of IDS

• General benefits of an IDS include the following: -

• It can detect an unauthorized user.

• It can detect password cracking & denial of service attacks.

• It can catch illegal data manipulation.

Page 14: Intrusion Detection System ( IDS )

• It monitors & analyses system events & user behaviour.

• It manages OS audit & logging mechanisms & the data they generate.

• It alerts appropriate staff by appropriate means when attacks are detected.

Page 15: Intrusion Detection System ( IDS )

• They can detect & alert on malicious code like viruses, worms, Trojan horses etc.

• They are similar to a security camera & burglar alarm.

• They can detect most security threats & in some cases they are more reliable than firewalls.

Page 16: Intrusion Detection System ( IDS )

Limitations of IDS

• Many IDS are unable to catch the events of a teardrop attack, because detecting it requires tracking & reassembling IP fragments rather than inspecting each packet on its own.

• A teardrop attack occurs when an attacker sends fragments of data that a system is unable to reassemble.

• Such an attack may lead to freezing of the system.

Page 17: Intrusion Detection System ( IDS )

• Most of them are unable to detect & prevent misuse by authorized users or the unintended consequences of legitimate actions.

• A direct attack on the IDS itself also finishes off its ability to detect intrusions. So an attacker may first try to shut down the IDS & then attack the network.

• Not all IDS are compatible with all routers.

Page 18: Intrusion Detection System ( IDS )

What IDS ‘CAN and CANNOT’ provide

• The IDS however is not an answer to all your security related problems.

• You have to know what you CAN, and CAN NOT, expect of your IDS.

• The following slides show a few examples of what an Intrusion Detection System is capable of, but each network environment varies and each system needs to be tailored to meet your enterprise environment needs.

Page 19: Intrusion Detection System ( IDS )

• The IDS CAN provide the following:

• CAN add a greater degree of integrity to the rest of your infrastructure.

• CAN trace user activity from point of entry to point of impact.

• CAN recognize and report alterations to data.

• CAN automate the task of monitoring the Internet for the latest attacks.

Page 20: Intrusion Detection System ( IDS )

• CAN detect when your system is under attack.

• CAN detect errors in your system configuration.

• CAN guide the system administrator in the vital step of establishing a policy for your computing assets.

• CAN make the security management of your system possible by non-expert staff.

Page 21: Intrusion Detection System ( IDS )

• The IDS CAN NOT provide:

• CAN NOT compensate for weak identification and authentication mechanisms.

• CAN NOT conduct investigations of attacks without human intervention.

• CAN NOT compensate for weaknesses in network protocols.

Page 22: Intrusion Detection System ( IDS )

• CAN NOT compensate for problems in the quality or integrity of information the system provides.

• CAN NOT analyze all the traffic on a busy network.

• CAN NOT always deal with problems involving packet-level attacks.

• CAN NOT deal with some modern network hardware and features.

Page 23: Intrusion Detection System ( IDS )

Who needs to be involved?

• In order to identify critical systems the following people MUST be involved:

• Information Security Officers

• Network Administrators

• Database Administrators

Page 24: Intrusion Detection System ( IDS )

• Senior Management

• Operating System Administrators

• Data owners

• Without those individuals involved, the resources will not be used efficiently.

Page 25: Intrusion Detection System ( IDS )

My IDS is up, what now?

• Once your IDS is up and operational, you must dedicate a person to administer it.

• Logs must be reviewed, and the traffic monitored must be tailored to meet the specific needs of your company.

Page 26: Intrusion Detection System ( IDS )

• You must know that an IDS must be maintained and configured.

• If you feel that you lack knowledgeable staff, get a consultant to help, and train your personnel.

• Otherwise you will lose a lot of time and money trying to figure out what is wrong.

Page 27: Intrusion Detection System ( IDS )

• The emergency response procedure must outline:

• Who will be the first point of contact.

• A list of all the people who will need to be contacted.

• The person responsible for decision making on how to proceed in the emergency situation.

Page 28: Intrusion Detection System ( IDS )

• The person responsible for investigation of the incident.

• Who will handle the media, in case news of the incident gets out.

• How information about the incident will be handled.

Page 29: Intrusion Detection System ( IDS )

Where do I find an Intrusion Detection mechanism?

• After we have decided that we need an intrusion detection mechanism, we have to find out where to get it.

• Below is a list of vendors that offer Intrusion Detection products and services.

• Products vary from freeware to commercially available.

Page 30: Intrusion Detection System ( IDS )

• Freeware:

- Snort - http://www.snort.org/

- Shadow

• Commercially Available:

- RealSecure from ISS - http://www.iss.net/customer_care/resource_center/product_lit/

- NetProwler from Symantec - http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=50&PID=5863267

- NFR - http://www.nfr.com/

Page 31: Intrusion Detection System ( IDS )

Types of IDS

• IDS can be categorized into three different types: -

- Host based ID systems

- Network based ID systems

- Application based IDS

Page 32: Intrusion Detection System ( IDS )

Host based ID system (HIDS)

• These are concerned with what is happening on each individual computer or host.

• They are able to detect such things as repeated failed access attempts or changes to system files.

• HIDS are installed on the hosts on which they have to keep an eye & perform monitoring.

Page 33: Intrusion Detection System ( IDS )

• A host can be a server, workstation or any network device such as a router, printer or gateway.

• HIDS do monitoring, reporting & direct interaction at the application layer.

• It can inspect each incoming command, looking for signs of malicious intent & unauthorized file changes.

Page 34: Intrusion Detection System ( IDS )

• The disadvantage of Host based IDS is: they are harder to manage, as information must be configured & managed for every host monitored.

• Most HIDS can monitor only specific types of systems, e.g. the HIDS CyberCop Server can only protect web servers.

• If the server is running multiple services like file sharing, DNS etc. then the HIDS might not be able to detect an intrusion.
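The two HIDS checks named on the previous slides, repeated failed access attempts and changes to system files, as an added Python example that is not part of the original slides or of any HIDS product. The auth-log lines, file names and file contents are constructed for the example; a real HIDS would read the system log and hash the files on disk instead.

```python
"""Added example of two host-based IDS checks: brute-force login detection
over constructed auth-log lines, and a file-integrity check against a
baseline of SHA-256 hashes. Nothing here is from a real host."""
import hashlib
import re
from collections import defaultdict

# Constructed sample auth-log lines in sshd/syslog style (not real data).
SAMPLE_AUTH_LOG = """\
Apr 26 09:01:02 host1 sshd[2201]: Failed password for root from 203.0.113.7 port 51001 ssh2
Apr 26 09:01:04 host1 sshd[2203]: Failed password for root from 203.0.113.7 port 51002 ssh2
Apr 26 09:01:06 host1 sshd[2205]: Failed password for admin from 203.0.113.7 port 51003 ssh2
Apr 26 09:01:08 host1 sshd[2207]: Failed password for root from 203.0.113.7 port 51004 ssh2
Apr 26 09:01:10 host1 sshd[2209]: Failed password for root from 203.0.113.7 port 51005 ssh2
Apr 26 09:02:00 host1 sshd[2211]: Accepted publickey for alice from 198.51.100.4 port 40100 ssh2
Apr 26 09:03:00 host1 sshd[2213]: Failed password for bob from 198.51.100.9 port 40200 ssh2
"""

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)


def failed_login_sources(log_text, threshold=5):
    """Return {source_ip: count} for sources with at least `threshold` failures."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("src")] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def hash_files(files):
    """Map each file name to the SHA-256 of its contents.
    `files` is an in-memory {name: bytes} snapshot (an assumption for this
    example); a real HIDS would read /etc/passwd, /etc/shadow etc. from disk."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def changed_files(baseline, current):
    """Names whose hash differs from the baseline, plus files added or removed."""
    return sorted(
        name for name in set(baseline) | set(current)
        if baseline.get(name) != current.get(name)
    )


# Constructed snapshots: a baseline and a later one in which an attacker has
# appended a UID-0 account to /etc/passwd and dropped a hidden binary.
BASELINE_FS = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/bash\n",
    "/etc/shadow": b"root:$6$salt$hash:19000:0:99999:7:::\n",
}
CURRENT_FS = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/bash\n"
                   b"backdoor:x:0:0::/:/bin/bash\n",
    "/etc/shadow": b"root:$6$salt$hash:19000:0:99999:7:::\n",
    "/usr/local/bin/.x": b"\x7fELF...",
}

if __name__ == "__main__":
    print("brute-force sources:", failed_login_sources(SAMPLE_AUTH_LOG))
    print("changed files:", changed_files(hash_files(BASELINE_FS), hash_files(CURRENT_FS)))
```

The baseline hashes must be stored somewhere the attacker cannot rewrite (off-host or on read-only media), otherwise the integrity check can be silenced along with the files it guards.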

Page 35: Intrusion Detection System ( IDS )

Network based ID system

• It examines the individual data packets flowing through the network.

• These packets are examined & compared against known attack patterns to verify their nature, malicious or not, because the NIDS is responsible for monitoring the whole network segment.

• They are able to understand all the different header fields, options & ports that exist within a network packet.

Page 36: Intrusion Detection System ( IDS )

• NIDS are also able to look at the payload within the packet, i.e. see which particular web server program is being accessed & with what options.

• When an unauthorized user logs in successfully or attempts to log in, they are best tracked by a host based IDS.

• However, detecting the unauthorized user before their log on attempt is best accomplished with a network based IDS.

Page 37: Intrusion Detection System ( IDS )

• NIDS can detect maliciously crafted packets that make up an attack & spoil the security of the network.

• NIDS scans all traffic transmitted over its segment of the network; a passive NIDS raises an alert on packets identified as intrusive, and only an inline NIDS (an IPS) can also drop them.

• Examples of network based IDS are Shadow, Dragon, RealSecure & NetProwler.

Page 38: Intrusion Detection System ( IDS )

• A disadvantage of Network based IDS is that it may have difficulty in processing all packets in a large or busy network & therefore may fail to recognize an attack launched during periods of high traffic.

• Another disadvantage of Network based IDS is that it cannot analyze encrypted information. This problem is increasing as more organizations use VPNs.

Page 39: Intrusion Detection System ( IDS )

Application based IDS

• It can monitor the interaction between user & application, which often allows them to trace unauthorized activity to individual users.

• Application based IDSs can work in encrypted environments, since they interface with the application at the transaction endpoints, where the information has already been decrypted and is presented to the user in clear form.

Page 40: Intrusion Detection System ( IDS )

Misuse & anomaly detection system

• Misuse detection within network based IDS involves checking traffic against patterns (signatures) of known illegal or hostile network traffic.

• Detection of anomalous activity relies on the system knowing what is regular network traffic & what isn’t, and flagging deviations from that baseline.

• Many modern systems use a combination of both misuse & anomaly detection.
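Misuse and anomaly detection side by side, together with the passive versus reactive response distinction from the earlier slide, as an added Python example that is not part of the original slides or of any IDS product. The connection records, the misuse rules and the baseline statistic (distinct destination ports per source, flagged above mean plus three standard deviations) are all assumptions made for the example.

```python
"""Added example: misuse (signature) detection and anomaly detection over
constructed connection records, and passive vs reactive handling of alerts."""
import statistics
from collections import defaultdict

# Constructed connection records (src, dst, dst_port); not real traffic.
TRAINING = [  # ordinary behaviour used to learn the anomaly baseline
    ("10.0.0.5", "192.0.2.10", 80), ("10.0.0.5", "192.0.2.10", 443),
    ("10.0.0.6", "192.0.2.10", 443), ("10.0.0.6", "192.0.2.11", 25),
    ("10.0.0.7", "192.0.2.10", 80), ("10.0.0.7", "192.0.2.12", 53),
    ("10.0.0.8", "192.0.2.10", 443), ("10.0.0.8", "192.0.2.12", 53),
    ("10.0.0.8", "192.0.2.10", 80),
]
OBSERVED = [
    ("10.0.0.5", "192.0.2.10", 443),
    ("203.0.113.7", "192.0.2.10", 23),          # matches a misuse rule
    ("10.0.0.9", "192.0.2.10", 21), ("10.0.0.9", "192.0.2.10", 22),
    ("10.0.0.9", "192.0.2.10", 23), ("10.0.0.9", "192.0.2.10", 25),
    ("10.0.0.9", "192.0.2.10", 80), ("10.0.0.9", "192.0.2.10", 110),
    ("10.0.0.9", "192.0.2.10", 143), ("10.0.0.9", "192.0.2.10", 443),  # port sweep
]

# Misuse detection: explicit rules for traffic the policy forbids (assumed policy).
MISUSE_RULES = [
    (lambda s, d, p: p == 23, "telnet to internal host"),
    (lambda s, d, p: p == 445 and not s.startswith("10."), "SMB from outside the LAN"),
]


def misuse_alerts(records):
    """One alert per (record, rule) pair that matches."""
    return [f"{s} -> {d}:{p} {msg}" for s, d, p in records
            for rule, msg in MISUSE_RULES if rule(s, d, p)]


def distinct_ports_per_source(records):
    ports = defaultdict(set)
    for s, _d, p in records:
        ports[s].add(p)
    return {s: len(v) for s, v in ports.items()}


def learn_baseline(records, k=3.0):
    """Anomaly threshold: mean + k * stdev of distinct ports per source.
    A stdev floor of 1.0 keeps a very uniform training set from yielding a
    threshold so tight that every small change is an alert."""
    counts = list(distinct_ports_per_source(records).values())
    return statistics.mean(counts) + k * max(statistics.pstdev(counts), 1.0)


def anomaly_alerts(records, threshold):
    """Sources whose port fan-out exceeds the learned threshold."""
    return [f"{s} contacted {n} distinct ports (threshold {threshold:.1f})"
            for s, n in distinct_ports_per_source(records).items() if n > threshold]


def respond(alerts, mode="passive"):
    """Passive IDS: report only. Reactive IDS: also emit a block action per source."""
    actions = []
    if mode == "reactive":
        actions = list(dict.fromkeys(f"block {a.split()[0]}" for a in alerts))
    return {"alerts": alerts, "actions": actions}


if __name__ == "__main__":
    thr = learn_baseline(TRAINING)
    alerts = misuse_alerts(OBSERVED) + anomaly_alerts(OBSERVED, thr)
    print(respond(alerts, mode="reactive"))
```

Note that the telnet rule fires twice here, once for the outside host and once for the scanning host; the anomaly detector catches the scan itself, which no single signature describes. That is the complementary coverage the slide refers to.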

Page 41: Intrusion Detection System ( IDS )

Teardrop attack

• A teardrop attack is a denial of service attack (DoS).

• This attack sends fragmented packets that overlap one another when received at the host; the host attempts to reconstruct the original packet from them but fails.
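Two of the network-based checks described on the preceding slides in one added Python example that is not part of the original slides or of any IDS product: parsing raw IPv4/TCP packets and matching payload signatures (the NIDS slides), and tracking IP fragments by (source, destination, ID) so that overlapping fragments, the teardrop pattern from the limitations slide, are reported instead of slipping past a packet-at-a-time inspector. All packets are constructed in the code, and the signature rules are assumptions.

```python
"""Added example of network-based detection over raw IPv4 packets:
payload signature matching on TCP segments and detection of overlapping
IP fragments (the teardrop pattern). All packets are constructed below."""
import struct


def ipv4_header(packet):
    """Parse the fixed 20-byte IPv4 header fields a NIDS needs."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "id": ident,
        "mf": bool(flags_frag & 0x2000),        # More Fragments flag
        "frag_off": (flags_frag & 0x1FFF) * 8,  # fragment offset in bytes
        "proto": proto,
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "payload": packet[ihl:total_len],
    }


def build_ipv4(src, dst, payload, proto=6, ident=1, frag_off=0, mf=False):
    """Construct an IPv4 packet (checksum left zero; the NIDS does not check it)."""
    flags_frag = (0x2000 if mf else 0) | (frag_off // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload


def build_tcp(sport, dport, data):
    """Minimal TCP segment: 20-byte header (data offset 5, PSH|ACK) then data."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + data


# Misuse rules (assumed): (destination port, byte pattern in payload, message).
SIGNATURES = [
    (80, b"/../", "HTTP path traversal attempt"),
    (80, b"UNION SELECT", "SQL injection attempt in HTTP request"),
    (23, b"\xff\xfb", "Telnet negotiation (clear-text login service)"),
]


def match_signatures(packet):
    """Alert messages for an unfragmented TCP packet whose payload matches a rule."""
    ip = ipv4_header(packet)
    if ip["proto"] != 6 or ip["frag_off"] != 0 or ip["mf"]:
        return []
    tcp = ip["payload"]
    _sport, dport = struct.unpack("!HH", tcp[:4])
    data = tcp[(tcp[12] >> 4) * 4:]
    return [f"{ip['src']} -> {ip['dst']}:{dport} {msg}"
            for port, pattern, msg in SIGNATURES if dport == port and pattern in data]


def overlapping_fragments(packets):
    """Group fragments by (src, dst, IP ID) and return the groups whose byte
    ranges overlap: the teardrop pattern that breaks a host's reassembler."""
    groups = {}
    for p in packets:
        ip = ipv4_header(p)
        if ip["mf"] or ip["frag_off"]:
            key = (ip["src"], ip["dst"], ip["id"])
            start = ip["frag_off"]
            groups.setdefault(key, []).append((start, start + len(ip["payload"])))
    bad = []
    for key, ranges in groups.items():
        ranges.sort()
        if any(nxt[0] < prev[1] for prev, nxt in zip(ranges, ranges[1:])):
            bad.append(key)
    return bad


# Constructed traffic: a benign request, a traversal attempt, a teardrop pair.
BENIGN = build_ipv4("198.51.100.4", "192.0.2.10",
                    build_tcp(40100, 80, b"GET /index.html HTTP/1.0\r\n\r\n"))
TRAVERSAL = build_ipv4("203.0.113.7", "192.0.2.10",
                       build_tcp(51001, 80, b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n\r\n"))
TEARDROP = [  # second fragment starts at byte 16, inside the first (bytes 0-32)
    build_ipv4("203.0.113.7", "192.0.2.10", b"A" * 32, proto=17, ident=242, frag_off=0, mf=True),
    build_ipv4("203.0.113.7", "192.0.2.10", b"B" * 24, proto=17, ident=242, frag_off=16),
]

if __name__ == "__main__":
    for pkt in (BENIGN, TRAVERSAL):
        print(match_signatures(pkt))
    print(overlapping_fragments(TEARDROP))
```

The fragment check is the part most NIDS skip when they inspect packets one at a time: without grouping by IP ID and comparing offsets, each teardrop fragment looks like an ordinary UDP fragment.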

Page 42: Intrusion Detection System ( IDS )

IDS & Network Security policy

• IDS should be seen as an important layer in a company’s “defense in depth” strategy. Such a strategy needs the following elements.

• A well defined high level security policy covering what is & isn’t permitted on the company’s systems & network. This includes things such as the password policy, which of the internet facilities staff may access etc.

Page 43: Intrusion Detection System ( IDS )

• Low level platform specific policies detailing how the high level strategy is to be implemented.

- e.g. how to configure the password management subsystems on your NT and UNIX servers.

Page 44: Intrusion Detection System ( IDS )

• Documented procedures for staff to follow.

- e.g. the help desk receives numerous calls one morning from staff complaining that their accounts have been disabled, & the system logs show repeated failed log in attempts on all the systems.

Page 45: Intrusion Detection System ( IDS )

• Regular audits to confirm that the policies have been enacted & that the defenses are adequate for the level of risk you are exposed to.

- e.g. performing regular network scans from outside the organization's firewall to determine what ports are open and how much information the firewalls & routers leak.

Page 46: Intrusion Detection System ( IDS )

• Available staff skilled in the operation & monitoring of the built in security tools installed on servers & network devices.

- e.g. if the staff currently do not have the time to check the firewall & router logs, IDS alerts are unlikely to be acted upon in a timely manner.

Page 47: Intrusion Detection System ( IDS )

THANKS…
