Intrusion Detection Systems
By: William Pinkerton and Sean Burnside
What is IDS
• IDS is the acronym for Intrusion Detection Systems
• Secures systems from attack
• Attacks on a system arrive through the network, from either:
  • Crackers
  • Hackers
  • Disgruntled employees
• Five different kinds of intrusion detection systems:
  1. Network-based
  2. Protocol-based
  3. Application-based
  4. Host-based
  5. Hybrid
History of IDS
• Began in the mid 1980s
• James P. Anderson
  • “Computer Security Threat Monitoring and Surveillance”
• Fred Cohen
  • The inventor of defenses against viruses
  • Said, “It is impossible to detect an intrusion in every case” and “the resources needed to detect intrusion grows with the amount of usage”
• Dorothy E. Denning, assisted by Peter Neumann
  • Created an anomaly-based intrusion detection system
  • Named Intrusion Detection Expert System
  • A later version was named Next-generation Intrusion Detection Expert System
Passive vs. Reactive Systems
• Passive system
  • First detects a breach
  • Logs the breach and/or alerts the administrator(s)
• Reactive system
  • Takes further action beyond alerting on the breach, by either:
    • Resetting the connection
    • Reprogramming the firewall
Firewall and Antivirus vs. IDS
• Firewall
  • Blocks potentially harmful incoming or outgoing traffic
  • Does not detect intrusions
• Antivirus
  • Scans files to identify or eliminate either:
    • Malicious software
    • Computer viruses
• Intrusion Detection Systems
  • Alert the administrator(s) to suspicious activity
  • Look for intrusions before they happen
**Note: For maximum protection it is best to have all three!!**
5 Methods of IDS
1. Network-based Intrusion Detection System
2. Protocol-based Intrusion Detection System
3. Application-based Intrusion Detection System
4. Host-based Intrusion Detection System
5. Hybrid Intrusion Detection System
Network-based Intrusion Detection System
• Runs at different points of a network
• Scans for DoS attacks, activity on ports and hacking attempts
• Also scans incoming and outgoing packets for malicious content
• Pros
  • Not much overhead on the network
  • Installing, upkeep and securing is easy
  • Undetectable by most attackers
• Cons
  • Has trouble with large networks
  • Has trouble with switch-based networks
  • No reporting of whether an attack failed or succeeded
  • Cannot inspect encrypted data
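The two slides above (Passive vs. Reactive, and the network-based system that watches port activity and DoS attacks) describe detection only in words. The following is an added example, not code from the slides or from any of the tools named later: a small network-based detector that runs over constructed connection records, fires a port-scan rule (one source touching many distinct destination ports in a window) and a flood rule (one source opening far more connections than a threshold), and then handles each alert either passively (record and alert only) or reactively (also emit response actions standing in for "reset the connection" and "reprogram the firewall"). The thresholds, the `Flow`/`Alert`/`NetworkDetector` names and the action labels are illustrative choices made here.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since the start of the capture
    src: str       # source address
    dst: str       # destination address
    dport: int     # destination TCP port


@dataclass(frozen=True)
class Alert:
    rule: str      # "port_scan" or "flood"
    src: str
    detail: str


@dataclass
class NetworkDetector:
    window: float = 10.0     # size of each detection window in seconds (assumed)
    scan_ports: int = 20     # distinct destination ports per window that count as a scan (assumed)
    flood_conns: int = 200   # connection attempts per window that count as a flood (assumed)
    reactive: bool = False   # False: log/alert only; True: also emit response actions
    alerts: list = field(default_factory=list)
    actions: list = field(default_factory=list)

    def run(self, flows):
        """Group flows per (source, window) and apply both rules at most once per source."""
        buckets = defaultdict(list)
        for f in flows:
            buckets[(f.src, int(f.ts // self.window))].append(f)
        fired = set()
        for (src, _win), fl in sorted(buckets.items()):
            ports = {f.dport for f in fl}
            if len(ports) >= self.scan_ports and ("port_scan", src) not in fired:
                fired.add(("port_scan", src))
                self._raise(Alert("port_scan", src, f"{len(ports)} distinct ports in {self.window:.0f}s"))
            if len(fl) >= self.flood_conns and ("flood", src) not in fired:
                fired.add(("flood", src))
                self._raise(Alert("flood", src, f"{len(fl)} connection attempts in {self.window:.0f}s"))
        return self.alerts

    def _raise(self, alert):
        # Passive system: record the breach and alert the administrator.
        self.alerts.append(alert)
        # Reactive system: additionally act on the traffic. These tuples are
        # placeholders for "reset the connection" / "reprogram the firewall".
        if self.reactive:
            self.actions.append(("reset_connections", alert.src))
            self.actions.append(("firewall_block", alert.src))


def sample_flows():
    """Constructed traffic: one normal host, one port scanner, one flooder."""
    flows = []
    # normal browsing: a handful of connections to web ports
    for i in range(5):
        flows.append(Flow(1.0 + i, "10.0.0.2", "192.0.2.10", 80 if i % 2 else 443))
    # scanner: sweeps 30 ports on one host within five seconds
    for p in range(1, 31):
        flows.append(Flow(2.0 + p / 6, "10.0.0.5", "192.0.2.10", p))
    # flooder: 250 connection attempts to port 80 in under three seconds
    for i in range(250):
        flows.append(Flow(4.0 + i / 100, "10.0.0.9", "192.0.2.10", 80))
    return flows


def detect(reactive=False):
    """Run the detector over the constructed traffic and return it with its alerts/actions."""
    det = NetworkDetector(reactive=reactive)
    det.run(sample_flows())
    return det


if __name__ == "__main__":
    for mode in (False, True):
        d = detect(reactive=mode)
        print("reactive" if mode else "passive")
        for a in d.alerts:
            print("  ALERT", a.rule, a.src, a.detail)
        for act in d.actions:
            print("  ACTION", *act)
```

Both modes produce the same two alerts; only the reactive run adds response actions. The windowing is deliberately simple (fixed bins rather than a sliding window), which is exactly the kind of simplification that lets a slow scan spread across bins evade the rule, one concrete reason the slides list "no reporting if attack fails or succeeds" and large networks among the weaknesses of this approach.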
Protocol-based Intrusion Detection System
• Sits at the front end of a server
• Usually used for web servers
• Two uses
  • Making sure a protocol is enforced and used correctly
  • Teaching the system the constructs of a protocol
• Pros
  • Easier for the system to pick up on attacks since it is protocol-based
• Cons
  • Rules for protocols come out slowly, which could leave a gap against attacks
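"Making sure a protocol is enforced and used correctly" is the core of a protocol-based sensor sitting in front of a web server. The following is an added example written for this page, not code from the slides or from any real product: a checker that takes the head of one HTTP/1.x request and returns every way it departs from the protocol's grammar (request-line shape, header field-name syntax, a Host header on HTTP/1.1, a numeric Content-Length, and a few message-framing rules). The permitted method set and the target-length limit are deployment choices assumed here; the sample requests are constructed.

```python
import re

# Protocol rules used by this checker (RFC 7230 syntax). The method list and
# the target-length cap are assumptions for this example, not protocol rules.
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")        # RFC 7230 "token"
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(1\.[01])$")
MAX_TARGET = 2048


def check_request(raw: bytes) -> list:
    """Return the protocol violations found in one HTTP/1.x request head.

    An empty list means the head conforms; each string is one finding the
    sensor would alert on.
    """
    findings = []
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return ["non-ASCII bytes in request head"]

    if "\r\n\r\n" not in text:
        findings.append("request head not terminated by an empty line")
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")

    m = REQUEST_LINE.match(lines[0])
    if not m:
        # Nothing further can be trusted once the request line is malformed.
        findings.append(f"malformed request line: {lines[0]!r}")
        return findings
    method, target, version = m.groups()
    if method not in ALLOWED_METHODS:
        findings.append(f"method {method} not permitted")
    if not target.startswith("/") and target != "*":
        findings.append("request target is not in origin form")
    if len(target) > MAX_TARGET:
        findings.append(f"request target longer than {MAX_TARGET} bytes")

    names = []
    for line in lines[1:]:
        if "\n" in line:
            findings.append("bare LF inside header section")
        if ":" not in line:
            findings.append(f"header line without a colon: {line!r}")
            continue
        name, value = line.split(":", 1)
        if not TOKEN.match(name):
            findings.append(f"invalid header field name: {name!r}")
        if name.lower() == "content-length" and not value.strip().isdigit():
            findings.append("Content-Length is not a decimal number")
        names.append(name.lower())

    if version == "1.1" and names.count("host") != 1:
        findings.append("HTTP/1.1 request must carry exactly one Host header")
    if names.count("content-length") > 1:
        findings.append("more than one Content-Length header")
    if "content-length" in names and "transfer-encoding" in names:
        findings.append("Content-Length and Transfer-Encoding both present")
    return findings


# Constructed sample request heads for the checker.
SAMPLES = {
    "good": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nAccept: */*\r\n\r\n",
    "bad_version": b"GET / HTTP/9.9\r\nHost: www.example.com\r\n\r\n",
    "no_host_bad_length": b"POST /submit HTTP/1.1\r\nContent-Length: abc\r\n\r\n",
    "bad_header_name": b"GET / HTTP/1.0\r\nX Bad Name: 1\r\n\r\n",
    "bare_lf": b"GET / HTTP/1.1\r\nHost: www.example.com\nX: 1\r\n\r\n",
}


def run_samples():
    """Check every constructed sample and return {name: findings}."""
    return {name: check_request(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(name, "->", findings or "conforms")
```

Because every rule here is derived from the protocol specification rather than from a signature of a specific attack, the checker flags malformed traffic it has never seen before, which is the "pro" the slide claims. The matching "con" is also visible: the rule set is only as current as the specification the checker encodes, so new protocol features (or a new protocol) produce either false alerts or silence until the rules are updated.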
Host-based Intrusion Detection System
• Internally based detection system
• Analyses a system four ways
  • File system monitoring
  • Logfile analysis
  • Connection analysis
  • Kernel-based intrusion detection
• Pros
  • Analyses encrypted data
  • Can keep up with switch-based networks
  • Provides more information about attacks
  • System can tell what processes were used in the attack
  • System can tell the users involved in the attack
• Cons
  • Decrease in network performance if multiple hosts are analyzed
  • If the host machine is broken into, the system can be disabled
  • Affected by DoS attacks
  • Needs a lot of resources
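The slide lists file system monitoring and logfile analysis as two of the four ways a host-based system inspects a machine. The following is an added example, not code from the slides or from OSSEC or any other tool named later: it builds a throwaway directory tree, takes a SHA-256 baseline of every file, applies some changes, and reports which files were added, removed or modified; it then runs a failed-login rule over constructed sshd-style log lines, grouping attempts by source address so the report names the users involved, which is the "more information about the attack" advantage the slide claims for host-based systems. Thresholds, file names and log contents are all constructed for the example.

```python
import hashlib
import os
import re
import tempfile
from collections import Counter, defaultdict


def snapshot(root):
    """Map every file under root (path relative to root, '/' separators) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            result[rel] = digest
    return result


def diff_snapshots(baseline, current):
    """Classify the differences between two snapshots as added, removed or modified."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def fim_demo():
    """File system monitoring on a constructed tree: baseline, change, compare."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        for name, body in (("passwd", b"root:x:0:0:root:/root:/bin/sh\n"),
                           ("hosts", b"127.0.0.1 localhost\n")):
            with open(os.path.join(etc, name), "wb") as fh:
                fh.write(body)
        baseline = snapshot(root)

        # Simulated changes after the baseline: one file edited, one removed,
        # one new file that was not present before.
        with open(os.path.join(etc, "passwd"), "ab") as fh:
            fh.write(b"newuser:x:1001:1001::/home/newuser:/bin/sh\n")
        os.remove(os.path.join(etc, "hosts"))
        with open(os.path.join(etc, "new.conf"), "wb") as fh:
            fh.write(b"option = 1\n")

        return diff_snapshots(baseline, snapshot(root))


# Constructed sshd-style log lines (addresses from the documentation ranges).
SAMPLE_LOG = [
    "Mar 10 02:14:01 host sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "Mar 10 02:14:03 host sshd[4120]: Failed password for root from 203.0.113.7 port 51024 ssh2",
    "Mar 10 02:14:05 host sshd[4120]: Failed password for root from 203.0.113.7 port 51026 ssh2",
    "Mar 10 02:14:07 host sshd[4120]: Failed password for invalid user oracle from 203.0.113.7 port 51028 ssh2",
    "Mar 10 02:14:09 host sshd[4120]: Failed password for invalid user test from 203.0.113.7 port 51030 ssh2",
    "Mar 10 02:14:11 host sshd[4120]: Failed password for invalid user guest from 203.0.113.7 port 51032 ssh2",
    "Mar 10 02:15:00 host sshd[4131]: Failed password for alice from 198.51.100.4 port 40210 ssh2",
    "Mar 10 02:15:09 host sshd[4131]: Accepted password for alice from 198.51.100.4 port 40210 ssh2",
]

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")


def failed_logins_by_source(lines, threshold=5):
    """Logfile analysis: sources with at least `threshold` failed logins, plus the users tried."""
    counts = Counter()
    users = defaultdict(set)
    for line in lines:
        m = FAILED.search(line)
        if m:
            user, src = m.groups()
            counts[src] += 1
            users[src].add(user)
    return {src: {"attempts": n, "users": sorted(users[src])}
            for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("file system changes:", fim_demo())
    print("failed-login sources:", failed_logins_by_source(SAMPLE_LOG))
```

The snapshot/diff pair is the whole of a basic integrity monitor; real tools add stored metadata (owner, mode, mtime) and protect the baseline itself, because, as the slide's "cons" note, an intruder who controls the host can disable or edit the monitor. The single legitimate failure from 198.51.100.4 stays below the threshold, which is how the rule separates a mistyped password from a guessing campaign.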
Application-based Intrusion Detection System
• System is application-specific
• Monitors dynamic behaviours and protocol states
• The system analyzes the communication between applications
• Pros
  • Greater chance of detecting an attack since it is application-specific
  • Can look at encrypted data
• Cons
  • Needs a lot of processing power
Hybrid Intrusion Detection System
• Combines two or more systems
• Pros
  • It has the same pros as the systems that it is based on
• Cons
  • It has the same cons as the systems that it is based on
Top 5 IDS
1. Snort
2. OSSEC HIDS
3. Fragrouter
4. BASE
5. Sguil
Snort
• Lightweight, open source
• Originally named Bro
• Developed by Lawrence Berkeley National Laboratory in 1998
• The most widely used intrusion detection system
• Capable of performing packet logging and real-time traffic analysis over IP networks
OSSEC HIDS
• Strong log analysis engine
• Correlates and analyzes logs from different devices and formats
• Can be centralized
  • Many different systems can be monitored
• Runs on most operating systems
  • Linux
  • OpenBSD
  • Mac OS X
  • Solaris
  • FreeBSD
  • Windows
Fragrouter
• Used to evade intrusion detection systems
• Limited to certain operating systems
  • BSD
  • Linux
• Good tool for finding weaknesses on a network, computers, or servers that an IDS may not be able to find
BASE
• Written in PHP
• Nice web front end
• Analyzes data stored in a database that is populated by firewalls, IDS, and network monitoring tools
Sguil
• Known for its graphical user interface
• Runs on operating systems that support Tcl/Tk
  • Linux
  • BSD
  • Solaris
  • MacOS
  • Win32
• Network security monitoring
• Provides intrusion detection system alerts
Question Time…