Introduction to Network IDS
Introduction to
Network IDS
Linux User Group Singapore
Friday 7th May 2004
By
Michael Boman
What we will cover:
What to expect from a Network IDS
How to physically connect a Network IDS
Where to connect the Network IDS
Different types of Network IDS
Interoperability between different vendors NIDS
What false positives / false negatives are
Classify network events using severity ratings
Q & A
Why Network Intrusion Detection?
Prevention is ideal, but detection is a must.
Provides forensic capabilities of network traffic
Compare with CCTV camera and recording equipment.
Side effect: You learn more about your network and discover
protocols, services and other resource stealing objects.
Think about this before installing a Network IDS
Do you:
Keep your system up-to-date with patches?
Remove unneeded services?
Configured IPTables to protect your host(s)?
Actually read (and understand) the IPTables generated log
files?
If not, you are not ready to do Network IDS.
NIDS will not protect you against malicious traffic.
NIDS will generate even more logs.
NIDS will take a considerable amount of time to configure
properly, and is several times more complicated compared to
IPTables.
How to connect your
Network IDS
A NIDS can be connected to a network in 3 ways
Network TAP
Using a switch' SPAN port
Using a hub
Using a network TAP
Features
Replicates cable signals for TX pair to two new cables
Have additional power to boost network signal
Fails open
Drawbacks
Expensive (can cost over S$1000 per unit)
Requires 2 NIC on the NIDS
Can only monitor one link
( TAP = Test Administrative Port)
Inside a Network TAP
Device ANetwork IDSDevice B
TX
TX
RX
RX
RX
RX
Can anyone spot the problem?
Can anyone spot the problem with this TAP design?
Did you figure it out?
The problem with this tap is:
If the sum of the streams collected from the two inputs exceeds
the capacity of the single output, packets are dropped. Whoops!
Using a switch SPAN port
SPAN: Switched Port Analyzer (Cisco)
Known as mirror port (port mirror) by other vendors
Mirrors one or more port data to a 2nd port.
Features
Can monitor several ports at the same time
No extra cost if hardware is already available
Drawbacks
Not all switches supports SPAN ports
Creates additional load on switch (decreased switch
performance)
Drop packets if you try to push too much traffic to a single
port
Using a HUB
Features
Low cost
Ideal for home network / ADSL / cable connection for playing
around
Drawbacks
Packet collisions (packet drop)
10/100 hubs requires extra care (10 and 100 Mbit links does not
propagate)
Where to connect your NIDS
InternetRouterFirewallHostSwitchFirewallSwitchHostHostHostHostHostHostHostHostHost
Different types of NIDS
Pattern matching
Looks for fingerprints of vulnerabilities or exploits
Signature database needs to be kept up-to-date
Anomaly detection
Creates a profile of normal network traffic
Suspicious events can be defined in various ways
RFC compliance checking
Protocol analysis/decoding
Traffic doesn't comply with normal traffic criteria.
The fact that protocols are well defined makes the use of
Protocol Analysis a strong contender, but many implementations of
protocols fail to follow their respective RFC.
False Positives / False Negatives
Alertgenerated
Alert notgenerated
Malicioustraffic
Non-malicioustraffic
False Positives / False Negatives Explained
False positive: Alert generated for non-malicious traffic
The biggest published drawback with NIDS
Having too many false positives and the analyst(s) will be tired
looking at them.
Can be reduced with tuning
False negative: Alert not generated for malicious traffic
Even more dangerous then false positives, as you don't get
alerted on it.
Can be reduced with tuning
Detector capability
Property
Result in it's absence
Reliability
Sensitivity
The level of certainty provided by detector when receive warning
of possible event
The capability detector has for extensive and complex analysis
in locating possible attacks
False Positives
False Negatives
Network IDS Interoperability
Network IDS has been, and in large extent still is, vendor
proprietary technology.
Signatures are written in different ways for different
vendors.
This is starting to change, more and more NIDS products are at
least incorporating part of the Snort signature language.
Alerts are sent and stored in vendor proprietary formats
Proposed solutions
IDMEF/IDXP
SDEE
IDMEF / IDXP
Intrusion Detection Message Exchange Format
Internet draft (proposed RFC) by IDWG
Uses IDXP (Intrusion Detection Exchange Protocol) for transport,
also a proposed RFC, by IDWG
IDWG = Intrusion Detection Working Group, appointed by IETF
http://www.ietf.org/html.charters/idwg-charter.html
SDEE
Released by ICSA Labs in February 2004
Cisco Systems, ISS, Sourcefire and TruSecure Corporation
co-developed the SDEE transport protocol specification format
Is not really free... See next slide..
SDEE Quote
What thing particularly made me looking quite negatively at the
SDEE spec is the ICSAlab involvement. I contacted the iscalab
people on the day when SDEE was officially out, with a question of
joining ids forum and contributing to the SDEE review. The response
to my mail included an invoice for 9,000+ USD (5k for general forum
membership, and 4k for the IDS cntm).
Fyodor Y,
Snort discussion forum on Orkut,
21 March 2004
SANS Institute has developed the following formula to classify
how bad an attack effects the target:
Where each item has a value between 1 and 5 assigned to it.
SANS Severity Ratings
Criticality+Lethality
System Countermeasures+Network Countermeasures
)
(
(
)
-
SANS Severity Ratings (cont'd)
Criticality: How critical is the target to the rest of the
network or operations?
Lethality: How dangerous is the attack?
System Countermeasures: What countermeasures has been been
implemented on the system to defend against this threat?
Network Countermeasures: What countermeasures has been
implemented on the network to defend against this threat?
What have we learned?
Network IDS is resource intensive
Placement of the NIDS depends on what you want to monitor
The difference between a signature based and a abnormality based
NIDS
IDMEF, SDEE and proprietary alert and storage formats
Calculate network event's severity level
Questions?
Got any questions? Now is the time to ask them!
Recommended reading material
TCP/IP Illustrated Vol. 1
W. Richard Stevens; ISBN: 0201633469
Network Intrusion Detection (3rd ed)
Stephen Northcutt, Judy Novak; ISBN: 0735712654
Intrusion Signatures and Analysis
Stephen Northcutt, Mark Cooper, Matt Fearnow, Karen Frederick;
ISBN: 0735710635
Click to edit the title text format
Click to edit the outline text format
Second Outline Level
Third Outline Level
Fourth Outline Level
Fifth Outline Level
Sixth Outline Level
Seventh Outline Level
Eighth Outline Level
Ninth Outline Level
Copyright 2004 Michael Boman. All Rights Reserved.
