Network Intrusion Detection Systems (NIDS)


Page 1: Network Intrusion Detection Systems (NIDS)

Page 2: IDS Definitions

Examples of IDSs in real life:
◦ Car alarms
◦ Fire detectors
◦ House alarms
◦ Surveillance systems

An IDS is any combination of hardware & software that monitors a system or network for malicious activity.

Page 3: IDS Definitions

Defined by ICSA as:
◦ The detection of intrusions or intrusion attempts, either manually or via software expert systems that operate on logs or other information available from the system or the network.

An intrusion is a deliberate, unauthorized attempt to access or manipulate information or systems and to render them unreliable or unusable.

When suspicious activity comes from your internal network it can also be classified as misuse.

Another definition:
◦ detecting inappropriate, incorrect, or anomalous activity
◦ misuse detection != intrusion detection

Page 4: The Puzzle

Intrusion Detection Systems are only one piece of the whole security puzzle.

IDS must be supplemented by other security and protection mechanisms.

They are a very important part of your security architecture but do not solve all your problems.

Part of "Defense in depth".

Page 5: Why IDS?

Can be detected:
◦ Mapping
◦ Port scans: tens of thousands of packets
◦ TCP stack scans: hundreds of thousands of packets

Identify any of the following types of intrusion:
◦ Input validation errors
◦ Buffer overflow
◦ Boundary conditions
◦ Access validation errors
◦ Exceptional condition handling errors
◦ Environmental errors
◦ Race conditions

◦ Many organizations deploy IDS systems
◦ Provide warnings to the network administrator
  – The administrator can then improve the network's security
  – Vigorous investigation could lead to the attackers
◦ Typical responses to an attack include the following:
  – Terminating the session (TCP resets)
  – Blocking offending traffic (usually implemented with ACLs)
  – Creating session log files
  – Dropping the packet

Page 6: WHY DO I NEED AN IDS, I HAVE A FIREWALL?

IDS are a dedicated assistant used to monitor the rest of the security infrastructure.

Today's security infrastructures are becoming extremely complex; they include firewalls, identification and authentication systems, access control products, virtual private networks, encryption products, virus scanners, and more. All of these tools perform functions essential to system security. Given their role they are also prime targets and, being managed by humans, they are prone to errors.

Failure of one of the above components of your security infrastructure jeopardizes the systems they are supposed to protect.

Page 7: WHY DO I NEED AN IDS, I HAVE A FIREWALL?

Not all traffic may go through a firewall, e.g. a modem on a user's computer.

Not all threats originate from outside. As networks use more and more encryption, attackers will aim at the location where data is often stored unencrypted (the internal network).

A firewall does not protect appropriately against application-level weaknesses and attacks.

An IDS protects against misconfiguration or faults in other security mechanisms.

Page 8: REAL LIFE ANALOGY

It's like security at the airport... You can put up all the fences in the world and have strict access control, but the biggest threat is all the PASSENGERS (packets) that you MUST let through! That's why there are metal detectors to detect what they may be hiding (packet content).

You have to let them get to the planes (your application) via the gate (port 80), but without X-rays and metal detectors you can't be sure what they have under their coats.

Firewalls are really good access control points, but they aren't really good for, or designed to, prevent intrusions.

That's why most security professionals back their firewalls up with IDS, either behind the firewall or at the host.

Page 9: 2. IDS Categories

◦ In-Kernel vs. Userspace
◦ Distributed vs. Atomic
◦ Host-based vs. Network-based
◦ Statistical vs. Signature Detection
◦ Active vs. Passive
◦ Proactive vs. Retroactive
◦ Flat vs. Hierarchical

Page 10: IDS Categories

We consider some basic categories of intrusion detection mechanisms:
◦ By sensor location:
  Network-based Intrusion Detection System (NIDS)
  Host-based Intrusion Detection System (HIDS)
◦ By method of detection:
  Statistical Detection
  Signature Detection

Page 11: NIDS vs HIDS

Page 12: IDS sensors

[Diagram: IDS sensor placement. Components shown: Internet, firewall, demilitarized zone (web server, FTP server, DNS server, application gateway) and internal network; a legend marks where the IDS sensors sit.]

Underlying OS needs to be hardened: stripped of unnecessary network services.

Page 13: Network based IDS

◦ Protects an entire network segment
◦ Is usually a passive device on the network and users are unaware of its existence
◦ Cannot detect malicious code in encrypted packets
◦ Is cost effective for mass protection
◦ Requires its own sensor for each network segment

Page 14: Host-based IDS

◦ Protects a single system.
◦ Uses system resources such as the CPU and memory from the system.
◦ Provides application level security.
◦ Provides day-one security as a shunt between high and low level processes.
◦ Intrusion detection is performed after decryption.
◦ Used on servers and sensitive workstations, but is costly for mass protection.

Page 15: Anomaly/Statistical detection

Mostly on a statistical basis
◦ Based on time, frequency, length of session
◦ For example: a person logs on at 0300 AM and has never done so in the past, so it will raise a flag

Detects statistically exceptional events

Learning: watching activity during the 'normal' state and storing patterns (who logs in, what is the origin, when, etc.)

Experience shows that 90% of attacks can be considered as protocol usage anomalies.

Does not require signatures (except what it learns)

We should carefully add knowledge about "normal" activity, such as RFC compliant state machines; it needs much work.

A non-RFC compliant client is not always an attacker – we need flexibility
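The learn-then-score idea on this slide, as an added Python example that is not part of the original deck: the learning phase stores who logs in, from where, at what hour and for how long during the 'normal' state, and the detection phase reports why a later event is statistically exceptional (the 03:00 login from the slide included). The training log, user names and addresses are constructed, and the hour_slack and sigma tolerances are assumptions standing in for the flexibility the slide asks for.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed "normal" training log: (user, origin, hour_of_day, session_minutes)
NORMAL_LOGINS = [
    ("alice", "10.0.0.5", 9, 45), ("alice", "10.0.0.5", 10, 60),
    ("alice", "10.0.0.5", 14, 30), ("alice", "10.0.0.7", 9, 50),
    ("bob", "10.0.1.9", 8, 120), ("bob", "10.0.1.9", 13, 90),
    ("bob", "10.0.1.9", 17, 100),
]

def learn_profiles(events):
    """Learning phase: store the patterns seen during the 'normal' state
    (who logs in, from where, at what hour, and how long sessions last)."""
    raw = defaultdict(lambda: {"hours": set(), "origins": set(), "lengths": []})
    for user, origin, hour, minutes in events:
        raw[user]["hours"].add(hour)
        raw[user]["origins"].add(origin)
        raw[user]["lengths"].append(minutes)
    return {
        user: {"hours": p["hours"], "origins": p["origins"],
               "mean_len": mean(p["lengths"]), "sd_len": pstdev(p["lengths"])}
        for user, p in raw.items()
    }

def hour_distance(a, b):
    """Distance between two hours on the 24-hour clock (23 and 0 are 1 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)

def score_event(profiles, event, hour_slack=1, sigma=3.0):
    """Detection phase: return the reasons an event is statistically exceptional
    (an empty list means it fits the learned profile).

    hour_slack and sigma are assumed flexibility knobs: a login one hour off the
    usual schedule, or a session only somewhat longer than average, is not flagged."""
    user, origin, hour, minutes = event
    prof = profiles.get(user)
    if prof is None:
        return ["unknown user"]
    reasons = []
    if all(hour_distance(hour, h) > hour_slack for h in prof["hours"]):
        reasons.append(f"login at {hour:02d}:00 never seen before")
    if origin not in prof["origins"]:
        reasons.append(f"new origin {origin}")
    if prof["sd_len"] > 0 and abs(minutes - prof["mean_len"]) > sigma * prof["sd_len"]:
        reasons.append(f"session length {minutes} min is unusual")
    return reasons
```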

Page 16: Signature-based detection

Sniff traffic on the network
◦ border router
◦ within a LAN
◦ multiple sensors

Match attack signatures
◦ attack signatures in database
◦ signature: set of rules pertaining to a typical intrusion activity
  Simple example rule: any ICMP packet > 10,000 bytes
  Example: several thousand SYN packets to different ports on the same host under a second
◦ skilled security engineers research known attacks; put them in the database
◦ can configure IDS to exclude certain signatures; can modify signature parameters

Warns administrator
◦ send e-mail, SMS
◦ send message to network management system
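The two example rules on this slide (an ICMP packet over 10,000 bytes; several thousand SYNs to different ports on one host within a second), as an added Python example that is not code from the deck or from any product named later: the packet records are constructed in memory, the 2000-SYN threshold is an assumption standing in for "several thousand", and the keyword parameters of detect() play the role of the modifiable signature parameters.

```python
from collections import Counter, defaultdict, namedtuple

# Constructed packet record: ts (seconds), proto ("icmp"/"tcp"), src, dst,
# dport (0 for ICMP), size (bytes on the wire), syn (TCP SYN flag set)
Packet = namedtuple("Packet", "ts proto src dst dport size syn")

def match_large_icmp(packets, max_bytes):
    """Rule 1 from the slide: any ICMP packet larger than max_bytes."""
    return [p for p in packets if p.proto == "icmp" and p.size > max_bytes]

def match_syn_port_sweep(packets, syn_count, window_s):
    """Rule 2: at least syn_count SYNs to distinct ports on one host inside a
    sliding window of window_s seconds; returns the (src, dst) pairs hit."""
    by_pair = defaultdict(list)
    for p in sorted(packets, key=lambda x: x.ts):
        if p.proto == "tcp" and p.syn:
            by_pair[(p.src, p.dst)].append(p)
    hits = set()
    for pair, pkts in by_pair.items():
        in_window, start = Counter(), 0   # distinct ports seen in the window
        for p in pkts:
            in_window[p.dport] += 1
            while p.ts - pkts[start].ts > window_s:   # expire old SYNs
                old = pkts[start].dport
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= syn_count:
                hits.add(pair)
                break
    return sorted(hits)

def detect(packets, max_bytes=10_000, syn_count=2000, window_s=1.0):
    """Run both signatures; the keyword arguments are the tunable parameters."""
    alerts = [("large_icmp", p.src, p.dst) for p in match_large_icmp(packets, max_bytes)]
    for src, dst in match_syn_port_sweep(packets, syn_count, window_s):
        alerts.append(("syn_port_sweep", src, dst))
    return alerts

def sample_traffic():
    """Constructed traffic: a normal ping, one 12,000-byte ping, and 3,000 SYNs
    to ports 1..3000 of one host spread over 0.9 seconds."""
    pkts = [Packet(0.0, "icmp", "10.0.0.2", "10.0.0.9", 0, 84, False),
            Packet(0.5, "icmp", "10.0.0.2", "10.0.0.9", 0, 12_000, False)]
    pkts += [Packet(1.0 + i * 0.0003, "tcp", "192.0.2.10", "10.0.0.9", i + 1, 60, True)
             for i in range(3000)]
    return pkts
```

Raising syn_count above the number of SYNs in the burst, or max_bytes above the ping size, is the "modify signature parameters" case: the same traffic then produces no alert for that rule.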

Page 17: Limitations to signature detection

Requires previous knowledge of the attack to generate an accurate signature
◦ Blind to unknown attacks

No knowledge of the intention of the activity
◦ Triggers alarms even if traffic is benign

Signature bases are getting larger
◦ Every packet must be compared with each signature
◦ IDS can get overwhelmed with processing, miss packets

Page 18: Current State of IDS

Lots of people are still using firewall and router logs for intrusion detection

IDS are not very mature
Mostly signature based
It is a quickly evolving domain
Giant leaps and progress every quarter

As stated by Bruce Schneier in his book 'Secrets and Lies in a digital world':
[Diagram: Prevention, Detection, Response; annotated "Getting to this point today"]

Page 19: WHAT CAN IDS REALISTICALLY DO

◦ Monitor and analyse user and system activities
◦ Auditing of system and configuration vulnerabilities
◦ Assess integrity of critical system and data files
◦ Recognition of patterns reflecting known attacks
◦ Statistical analysis for abnormal activities
◦ Data trail, tracing activities from point of entry up to the point of exit
◦ Installation of decoy servers (honey pots)
◦ Installation of vendor patches (some IDS)

Page 20: WHAT IDS CANNOT DO

◦ Compensate for weak authentication and identification mechanisms
◦ Investigate attacks without human intervention
◦ Guess the content of your organization's security policy
◦ Compensate for weaknesses in networking protocols, for example: IP spoofing
◦ Compensate for integrity or confidentiality of information
◦ Analyze all traffic on a very high speed network
◦ Deal adequately with attacks at the packet level
◦ Deal adequately with modern network hardware

Page 21

[Diagram: Intrusion Detection System / Intrusion Prevention System]

Page 22: 5. IDS Products

Dragon from Enterasys
◦ http://www.enterasys.com/ids/

CISCO Secure IDS
◦ http://www.cisco.com/go/ids/

Snort
◦ http://www.snort.org/

ISS Real Secure
◦ http://www.iss.net/securing_e-business/

SHADOW
◦ http://www.whitehats.ca
◦ ftp://ftp.whitehats.ca/pub/ids/shadow-slack/shadow.iso

Page 23: References

Knowledge Net CISSP
http://www.snort.org