23
Network Intrusion Detection Systems Slides by: MM Clements A Adekunle The University of Greenwich

Network Intrusion Detection Systems

Embed Size (px)

DESCRIPTION

Network Intrusion Detection Systems. Slides by: MM Clements A Adekunle The University of Greenwich. Intrusion Detection. Detection and protection from attacks against networks Three types of network attacks Reconnaissance Access Denial of service. Intrusion detection system (IDS). - PowerPoint PPT Presentation

Citation preview

Page 1: Network Intrusion Detection Systems

Network Intrusion Detection SystemsSlides by:

MM ClementsA Adekunle

The University of Greenwich

Page 2: Network Intrusion Detection Systems

Intrusion Detection

• Detection and protection from attacks against networks

• Three types of network attacks– Reconnaissance– Access– Denial of service

2Engineering and Management of Secure Computer Networks

Page 3: Network Intrusion Detection Systems

Intrusion detection system (IDS)

• An Intrusion detection system (IDS) is software or hardware designed to monitor, analyze and respond to events occurring in a computer system or network for signs of possible incidents of violation in security policies.

– These incidents of violations can be unwanted attempts to access, manipulate or disable computer systems, mainly via a network, such as the Internet.

3Engineering and Management of Secure Computer Networks

Page 4: Network Intrusion Detection Systems

Classification of Intrusion Detection

• Profile or Anomaly based intrusion detection– Monitors network traffic and compares it against an

established baseline for normal use• Bandwidth, protocols, ports and devices generally connecting

to each other– Alerts the administrator or user when traffic is

detected which is anomalous, or significantly different, than the baseline.

– Example: Snort Spade plug-in– Prone to high number of false-positives

4Engineering and Management of Secure Computer Networks

Page 5: Network Intrusion Detection Systems

Classification of Intrusion Detection

• Signature based intrusion detection– Also known as Misuse Detection

• A signature based IDS will monitor packets on the network and compare them against a database of signatures or attributes from known malicious threats.

• Similar to the way most antivirus software detects malware.

– Examples: Cisco Sensors 4200 series, Snort– Less prone to false positives – Unable to detect zero-day threats whose signatures

are not available

5Engineering and Management of Secure Computer Networks

Page 6: Network Intrusion Detection Systems

Types of Intrusion Detection Systems

• Host based intrusion detection Systems– Software (Agents) installed on computers to monitor input

and output packets from device– It performs log analysis, file integrity checking, policy

monitoring, rootkit detection, real-time alerting and active response.

– Examples: • Cisco Security Agent (CSA) , OSSEC, Tripwire

6Engineering and Management of Secure Computer Networks

Page 7: Network Intrusion Detection Systems

Firewall

Corporatenetwork

Agent

Untrustednetwork

Agent Agent Agent

Agent Agent

DNS serverWWW server

Agent Agent

Host-Based Intrusion Detection

7Engineering and Management of Secure Computer Networks

Page 8: Network Intrusion Detection Systems

Types of Intrusion Detection Systems

• Network-Based Intrusion Detection Systems– Connected to network segments to monitor, analyze and

respond to network traffic.– A single IDS sensor can monitor many hosts– NIDS sensors are available in two formats

• Appliance: It consists of specialized hardware sensor and its dedicated software. The hardware consists of specialized NIC’s, processors and hard disks to efficiently capture traffic and perform analysis.

– Examples: Cisco IDS 4200 series, IBM Real Secure Network• Software: Sensor software installed on server and placed in

network to monitor network traffic.– Examples: Snort, Bro, Untangle

8Engineering and Management of Secure Computer Networks

Page 9: Network Intrusion Detection Systems

Corporatenetwork

DNSserver

WWWserver

SensorSensor

FirewallUntrustednetwork

Network-Based Intrusion Detection

Management System

9Engineering and Management of Secure Computer Networks

Page 10: Network Intrusion Detection Systems

Sensor Appliance Interfaces

Monitoring Interface

Command andControl Interface

ProtectedNetwork

Management System

Sensor

Switch

Router

Router

Untrusted Network

10Engineering and Management of Secure Computer Networks

Page 11: Network Intrusion Detection Systems

Promiscuous-Mode Protection: IDS

A network device sends copiesof packets to the sensor for analysis.

If the traffic matches a signature,the signature fires.

The sensor can send an alarmto a management console andtake a response action such asresetting the connection.

TargetManagement System

Sensor

2

23

1

Switch

Switched Port Analyzer (SPAN)

11Engineering and Management of Secure Computer Networks

Page 12: Network Intrusion Detection Systems

Inline-Mode Protection: IPS

TargetManagement System

The sensor resides in thedata forwarding path.

If a packet triggers asignature, it can bedropped before itreaches its target.

An alert can besent to themanagement console.

Sensor

12Engineering and Management of Secure Computer Networks

Page 13: Network Intrusion Detection Systems

IDS and IPS Deployment Considerations

– Deploy an IDS sensor in areas where you cannot deploy an inline device or where you do not plan to use deny actions.

– Deploy an IPS sensor in those areas where you need and plan to use deny actions.

13Engineering and Management of Secure Computer Networks

Page 14: Network Intrusion Detection Systems

IDS and IPS Deployment Comparison

Attacker

Inside

Sensor on Outside:• Sees all traffic destined for

your network• Has high probability of raising

false alarms (false positives)• Does not detect internal

attacks

Sensor on Inside:• Sees only traffic permitted

by firewall• Has lower probability of false

alarms (false positives)• Requires immediate

response to alarms

Internet

14Engineering and Management of Secure Computer Networks

Page 15: Network Intrusion Detection Systems

CorporateNetwork

Network based IDS and IPS Deployment

ManagementServer

IPS Sensor

Firewall RouterSwitchSwitch

UntrustedNetwork

DNSServer

WWWServer

DMZ

SwitchIDS Sensor

15Engineering and Management of Secure Computer Networks

Page 16: Network Intrusion Detection Systems

IDS and IPS deployment example in an Enterprise Network

Branch

ManagementServer

Sensor

FirewallRouter

NM-CIDS

CorporateNetwork

UntrustedNetwork

DNSServer

WWWServer

Sensor

DMZ

Agent Agent

16Engineering and Management of Secure Computer Networks

Page 17: Network Intrusion Detection Systems

Perf

orm

ance

(Mbp

s)

Network Media

Cisco IDS Family

IDSM-2

IDS 4255

IPS 4240

45

600

80

250

200

IPS 4215

10/100/1000 TX

NM-CIDS

10/100 TX

AIP-SSM

10/100/1000 TX 1000 SX 10/100/1000 TX Switched/100010/100/1000 TX

Page 18: Network Intrusion Detection Systems

Snort

• Open source, freely available software except for rules• Installed as dedicated server on Windows and Linux,

Solaris operating systems• Placed as network sensor in a network• Rules are set of instructions defined to take certain

action after matching some sort of signatures (atomic or composite)• Example:

• alert tcp $HOME_NET any -> $EXTERNAL_NET any (content:"uk.youtube.com”;msg:"someone visited YouTube";)

18Engineering and Management of Secure Computer Networks

Page 19: Network Intrusion Detection Systems

Snort Modes

• Sniffer Mode• Used to sniff traffic from network• Traffic will be captured using libpcap or winpcap.• Traffic will be captured directly from the sensor .

• Logger Mode• Simple logging into a file. Two possible formats are Binary and ASCII.• Logging into a Database (eg. MySQL)• Can be used for creating the normal traffic profile

• Intrusion Detection / Prevention• The rules will be used in this mode of snort to detect unwanted activity

19Engineering and Management of Secure Computer Networks

Page 20: Network Intrusion Detection Systems

IDS/IPS Vulnerabilities

• Cisco IPS Packet Handling DoS - • In July 2006, a DoS vulnerability was discovered on Cisco

IPS 4200 series models which were running version 5.1 software.

• Snort Rule Matching Backtrack DoS - • Snort versions 1.8 through 2.6 had a DoS vulnerability ,

found on January 11, 2007 which can exploit Snort's rule matching algorithm by using a crafted packet. This could cause the algorithm to slow down to the point where detection may become unavailable. Snort was quick to release version 2.6.1 which corrected this issue.

20Engineering and Management of Secure Computer Networks

Page 21: Network Intrusion Detection Systems

How to protect IDS?

• Don't run any service on your IDS sensor.

• The platform on which you are running IDS should be patched with the latest releases from your vendor.

• Configure the IDS machine so that it does not respond to ping (ICMP Echo-type) packets.

• User accounts should not be created except those that are absolutely necessary.

21Engineering and Management of Secure Computer Networks

Page 22: Network Intrusion Detection Systems

Unified Threat Management (UTM)• Unified Threat Management (UTM) is a

network device that have many features in one box, including:– IDS, IPS, Firewall, Spyware, Anti Spam , Anti

Phishing – Anti Virus, Content (www) Filter, VPN

– Example: Untangle, Watchguard– Untangle Demo:

http://www.untangle.com/video_overview/

22Engineering and Management of Secure Computer Networks

Page 23: Network Intrusion Detection Systems

Summary• Intrusion detection system (IDS) is software or hardware designed to

monitor, analyze and respond to network traffic .– Can be classified as Profile or Signature based intrusion detection.

• Signatures can be defined as Atomic or Composite.– Can be available as Host or Network based Intrusion detection .– IDS is used as promiscuous mode protection in DMZ– IPS is used as Inline mode protection for securing internal network – Cisco 4200 series IDS and IPS sensors offer rich set of features for ISD

and IPS– Snort is an open source, free IDS and can operate in sniff , logging and

Intrusion detection/prevention modes. Snort uses rules to analyze traffic.

– IDS/IPS software can be vulnerable to exploits so run patched version, and shutdown unnecessary services.

• Unified Threat Management (UTM) is a network device that have many features in one box. E.g, Untangle, Watchguard.

Engineering and Management of Secure Computer Networks 23