Page 1: NETWORK IDS (NIDS)

NETWORK IDS (NIDS)


Page 2: NETWORK IDS (NIDS)


OBJECTIVES

• To be able to explain the roles of NIDS.
• To understand and be able to explain NIDS sensor placement.
• To be able to solve case studies related to NIDS.

Page 3: NETWORK IDS (NIDS)

THE ROLES OF NETWORK IDS IN A PERIMETER DEFENSE

• Identifying Weaknesses
• Security Auditing
• Policy Violations Detection
• Attack from Your Own Hosts
• Incident Handling and Forensics
• Complementing Other Defense Components

Page 4: NETWORK IDS (NIDS)

NIDS SENSOR PLACEMENT:


Page 5: NETWORK IDS (NIDS)


DEPLOYING MULTIPLE NETWORK SENSORS

In many environments, you should deploy multiple IDS sensors. Each sensor generally monitors a single network segment.

In a small organization with a simple network architecture and limited traffic, a single sensor might be adequate, although more than one might still be advisable in high-security situations.

In larger environments (those with many network segments, those that offer substantial Internet-based services, and those with multiple Internet access points), multiple sensors are needed to monitor network traffic. Multiple sensors are recommended.

Page 6: NETWORK IDS (NIDS)


DEPLOYING MULTIPLE NETWORK SENSORS

Deploying more intrusion detection sensors usually produces better results. By deploying sensors on various network segments, you can tune each of them to the traffic you typically see on that segment: the type of hosts that use it, and the services and protocols that are traversing it. You would probably tune a sensor on an Internet-connected segment much differently than you would tune one that is monitoring traffic between two tightly secured internal portions of your network. If you deploy only one sensor, the amount of tuning you can do is generally quite limited. Of course, if you deploy multiple sensors, you need to be prepared to handle the increased number of alerts that will be generated. Placing additional sensors on the network is not very helpful if administrators do not have time to maintain and monitor them.

Another reason for using multiple sensors is the fault tolerance of your IDS. What if your single sensor fails, for any reason, or the network segment that it's monitoring is unexpectedly unavailable? If you have one sensor, you won't have a network intrusion detection capability until the failure is corrected. Having more than one sensor provides a more robust solution that can continue monitoring at least portions of your network during a sensor failure or partial network outage.

Page 7: NETWORK IDS (NIDS)

PLACING SENSORS NEAR FILTERING DEVICES

Why deploy more sensors?

1) It produces better results. By deploying sensors on various network segments, you can tune each of them to the traffic you typically see on that segment: the type of hosts that use it, and the services and protocols that are traversing it.

2) Fault tolerance of your IDS. What if a single sensor fails, or the network segment that it's monitoring is unexpectedly unavailable? Having more than one sensor provides a more robust solution that can continue monitoring at least portions of your network during a sensor failure or partial network outage.

Page 8: NETWORK IDS (NIDS)

PLACING IDS SENSORS ON THE INTERNAL NETWORK

Deploying IDS sensors throughout the network to monitor all traffic requires considerable financial and staffing resources.

It gives the intrusion analysts a great feel for what's happening throughout their environment.

IDS sensors aren't limited to identifying attacks against servers; many can also find signs of worms and other malware attempting to spread through a network, sometimes before antivirus software can identify them.


Page 9: NETWORK IDS (NIDS)

WORKING WITH ENCRYPTION

When planning network IDS sensor placement, you must consider how to deal with encrypted network traffic, e.g. VPN connections.

IDS sensors certainly don't have the capability to decrypt traffic.

Recommended solutions:
• Deploy a sensor to examine packet headers and look for unencrypted traffic.
• Deploy IDS sensors at the first point in the network where the decrypted traffic travels.
• Put host-based IDS software on the host decrypting the traffic, because it's a likely target for attacks.

Page 10: NETWORK IDS (NIDS)

PROCESSING IN HIGH-TRAFFIC SITUATIONS

The amount of traffic that IDS sensors can process depends on many factors: what product is being used, which protocols or applications are most commonly used, and which signatures the sensors have been directed to look for.

No simple answers exist as to what volume of traffic any particular product can handle.

In general, IDS sensors reach their capacity before firewalls do, primarily because IDS sensors do much more examination of packets than other network devices do.

The field of IDS sensor and signature development and optimization is still fairly young, at least compared to other aspects of network security.


Page 11: NETWORK IDS (NIDS)

USING AN IDS MANAGEMENT NETWORK

Create a separate management network to use strictly for communication among IDS sensors, a centralized IDS data collection box, and analyst consoles.

Advantages of implementing a separate management network:
• It isolates management traffic, so that anyone else who is monitoring the same network doesn't see your sensors' communications. It also prevents the sensors from monitoring their own traffic.
• It is a good way to deal with potential problems related to passing sensor data through firewalls and over unencrypted public networks.
• It is difficult for attackers to find and identify an IDS sensor, because it will not answer requests directed toward its monitoring NICs.

Page 12: NETWORK IDS (NIDS)

MAINTAINING SENSOR SECURITY

It's critical that you harden your IDS sensors to make the risk of compromise as low as possible. If attackers gain control of your IDS, they could shut it off or reconfigure it so that it can't log or alert you about their activities.

Attackers might also be able to use your IDS to launch attacks against other hosts.

Worse, if attackers can get access to your IDS management network, they might be able to access all your sensors.

Maintaining the security of your sensors is key to creating a stable and valuable IDS solution.


Page 13: NETWORK IDS (NIDS)

CASE STUDIES: PLACEMENT OF IDS IN DIFFERENT NETWORK DESIGNS

Page 14: NETWORK IDS (NIDS)

CASE STUDY 1


This is a simple network infrastructure that includes IDS sensors and a separate IDS management network.

A firewall divides the network into three segments:
• An external DMZ segment that is connected to the Internet
• A screened subnet that contains servers that are directly accessed by Internet-based users or must directly access the Internet, such as email, web, web proxy, and external DNS servers
• An internal segment that contains servers that typically aren't directly connected to the Internet, as well as workstations, printers, and other host devices


Page 16: NETWORK IDS (NIDS)

IDS DEPLOYMENT RECOMMENDATIONS I

The IDS management network shall be treated as a separate entity from the monitored networks.

Each sensor contains two NICs: one sniffing packets on the monitored network, and the other transmitting IDS data on the management network. The management network is connected only to the sensors, a central IDS logging box, and the analyst workstations.

Ideally, all three network IDS sensors shown in case study 1 should be deployed.

IDS 1 (on the external segment) looks for any probes, scans, or attacks coming from the Internet.

IDS 2 (on the internal segment) shows you which malicious traffic got through the firewall to your internal network.


Page 17: NETWORK IDS (NIDS)

IDS DEPLOYMENT RECOMMENDATIONS II

Both IDS 1 and IDS 2 can monitor outgoing traffic as well, looking for attacks from your internal hosts.

IDS 3 focuses on identifying attacks against your externally exposed boxes, which are the most likely targets of attackers.

The same sensor is also able to monitor network activity between your external servers that doesn't pass through the firewall. If one of your external hosts becomes compromised, this is the only sensor that could see attempts from it to compromise other hosts on the same segment.
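The visibility argument made for IDS 1, IDS 2 and IDS 3 can be checked with a small model. The block below is an added example, not part of the slides: it assumes three segments (external, screened, internal), one sensor per segment, and a constructed firewall policy, then reports which sensors see each sample flow and which flows would go unseen if one sensor were left out.

```python
# Added example (not from the slides): a visibility model of the case study 1
# layout. Segment names, the firewall policy and the sample flows are constructed.

# Sensor -> segment whose wire it sniffs (IDS 1 external, IDS 2 internal, IDS 3 screened).
SENSORS = {"IDS 1": "external", "IDS 2": "internal", "IDS 3": "screened"}

# Firewall policy: (source segment, destination segment) pairs that are permitted.
# Traffic between two hosts on the same segment never crosses the firewall at all.
POLICY = {
    ("external", "screened"),  # Internet users reach web, mail and DNS servers
    ("screened", "external"),  # screened servers answer and fetch from the Internet
    ("screened", "internal"),  # e.g. the external mail server relays inward
    ("internal", "external"),  # workstations browse the Internet
    ("internal", "screened"),  # workstations use the proxy and mail servers
}

def segments_traversed(src, dst):
    """Segments whose wire carries the flow: the source segment always; the
    destination segment only if the flow stays local or the firewall permits it."""
    if src == dst or (src, dst) in POLICY:
        return {src, dst}
    return {src}  # blocked at the firewall: only the source side ever sees it

def observing_sensors(src, dst):
    """Sorted names of the sensors that would see a flow from src to dst."""
    seen = segments_traversed(src, dst)
    return sorted(name for name, seg in SENSORS.items() if seg in seen)

# Constructed sample flows: (label, source segment, destination segment).
FLOWS = [
    ("Internet probe of web server", "external", "screened"),
    ("Internet attack on workstation", "external", "internal"),  # blocked by policy
    ("DMZ host pivots to internal relay", "screened", "internal"),
    ("compromised DMZ host attacks DNS", "screened", "screened"),
    ("internal host attacks Internet site", "internal", "external"),
    ("worm spreading between workstations", "internal", "internal"),
]

def blind_spots(removed_sensor):
    """Flows no remaining sensor would see if removed_sensor were not deployed."""
    return [label for label, src, dst in FLOWS
            if observing_sensors(src, dst) == [removed_sensor]]

if __name__ == "__main__":
    for label, src, dst in FLOWS:
        print(f"{label:38s} -> {', '.join(observing_sensors(src, dst))}")
    for sensor in SENSORS:
        print(f"without {sensor}: unseen {blind_spots(sensor)}")
```

The blind-spot report shows the slide's point directly: only IDS 3 sees the DMZ-to-DMZ attack, only IDS 2 sees a worm moving between workstations, and a blocked attempt is visible only on the side where it originated.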


Page 18: NETWORK IDS (NIDS)

CASE STUDY 2: MULTIPLE EXTERNAL ACCESS POINTS

This environment has multiple external points of access: a dedicated connection to the Internet, a dial-up modem bank for remote users, and multiple frame relay connections to remote offices and business partners. Firewalls have been deployed at each access point to restrict the traffic that enters the internal network.

Figure (case study 2): A more complex corporate network has multiple external points of access, each of which needs to be protected with IDS sensors.



Page 20: NETWORK IDS (NIDS)

IDS DEPLOYMENT RECOMMENDATIONS I

This scenario follows the same general rule as before. Whenever practical, deploy network IDS sensors on both sides of firewalls and packet filters. The most interesting area to consider is that of the external networks connected through the frame relay connections. You will notice that no sensors monitor the connections on the external side.

If your budget permits, you can add sensors to those connections as well, although they might not be needed. It depends on what is on the other side of the connection and what your firewall is supposed to be doing.


Page 21: NETWORK IDS (NIDS)

IDS DEPLOYMENT RECOMMENDATIONS II

You might feel that a remote office poses little threat and that a separate sensor to monitor its connection is not necessary.

You could also deploy a sensor at the remote location, which would monitor traffic before it was sent over the frame relay connection.

If the remote site is a business partner's network, you might want to be more cautious; however, your firewall might only be permitting a small, well-defined set of traffic to pass through.

If you decide to deploy sensors for the external links that enter the firewall, and the firewall has several interfaces on separate network segments, you can deploy a sensor for each segment. Each sensor can then be tuned for the nature of that particular connection.


Page 22: NETWORK IDS (NIDS)

IDS DEPLOYMENT RECOMMENDATIONS III

Another item to consider is the risk that outgoing attacks and probes pose.

If you are not restricting outbound traffic very much, then sensor placement shouldn't be affected by it.

But if you do restrict outbound traffic (for example, you block all connection attempts from the internal network to the modem bank), then having the sensor on the inside is necessary to detect attempted attacks.

The question is, how much do you care about that? In your environment, is it sufficient for the firewall to report that a connection attempt was blocked, or do you need to know what the nature of that attempt was?

How important is the resource on the other side of the connection? What are the consequences if you fail to notice an attack from one of your hosts against your business partner's systems?


Page 23: NETWORK IDS (NIDS)

CASE STUDY 3: UNRESTRICTED ENVIRONMENT

Simplified view of a university network with three main groups of hosts: students, faculty and staff, and administration (registrar, bursar, etc.).

As is typical of many university environments, no firewalls restrict traffic. A small amount of packet filtering might occur at routers throughout the network.

The only exception is some machines in the administration network that contain sensitive information, such as student grades and financial information; these machines are somewhat protected through router packet filtering.

Because of the open nature of most universities, faculty and student machines are usually vulnerable to exploitation, in part because just about any sort of traffic is permitted. In addition, many servers are run by students or faculty, not centralized IT staff, and are almost certainly not kept fully patched and secured.

In a university environment with little network security, it is not easy to determine where to deploy IDS sensors.


Page 24: NETWORK IDS (NIDS)


We can expect:
• many student and faculty machines to use modems or wireless network cards.
• some of these machines to run software such as pcAnywhere to allow external hosts to dial in to them.

In such an environment, it's impossible to define the border of your network.

It's also likely that the university offers dial-in services for users. These services may require little or no authentication.

Page 25: NETWORK IDS (NIDS)

IDS DEPLOYMENT RECOMMENDATIONS I

Staffing and financial resources are probably quite limited, so you need to focus on the most important areas.

Your first priority is protecting the administrative computers, which are at high risk of being attacked.

You want to monitor these systems as closely as possible, through a combination of IDS sensors deployed to the segments where the hosts reside, and host-based IDS software running on all of them.

If you can do nothing else, you need to regularly monitor IDS alerts and logs related to these sensitive hosts.

If network IDS sensors are deployed, they need to be carefully tuned to only send alerts on the most severe attacks. If the sensor sends an alert every time a port scan or host scan occurs, the intrusion analyst will quickly be overwhelmed with alerts. Sensors might also be unable to keep up with the high volumes of traffic if they are performing too much analysis.
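The tuning rule above (forward only the most severe alerts, and never let scans flood the console) is what the following added example implements; it is not code from the slides. The alert records, priority scale (1 = most severe) and addresses are constructed, and only the summary line per scanning host reaches the analyst.

```python
# Added example (not from the slides): alert tuning for the sensor on the
# administrative segment. Alert records and the priority scale are constructed.

# Constructed alerts: (priority, signature name, source, destination), 1 = most severe.
RAW_ALERTS = [
    (1, "SQL injection attempt against registrar DB", "10.30.7.2", "10.10.5.10"),
    (3, "TCP port scan", "10.20.1.15", "10.10.5.10"),
    (3, "TCP port scan", "10.20.1.15", "10.10.5.11"),
    (3, "TCP port scan", "10.20.1.15", "10.10.5.12"),
    (3, "TCP port scan", "10.20.1.15", "10.10.5.13"),
    (2, "Remote shell exploit against bursar server", "10.40.2.21", "10.10.5.20"),
    (3, "ICMP host sweep", "10.20.1.33", "10.10.5.10"),
    (3, "ICMP host sweep", "10.20.1.33", "10.10.5.11"),
    (4, "Unusual HTTP user-agent", "10.20.1.40", "10.10.5.10"),
]

# Signatures that describe reconnaissance rather than an actual attack.
SCAN_SIGNATURES = {"TCP port scan", "ICMP host sweep"}

def tune_alerts(alerts, max_priority=2):
    """Forward only alerts at or above the severity cut-off (priority <= max_priority).
    Scan alerts are never forwarded individually; they are folded into one summary
    per (source, signature) so a single scanning host cannot flood the analyst."""
    forwarded = [a for a in alerts if a[0] <= max_priority and a[1] not in SCAN_SIGNATURES]
    scans = {}  # (source, signature) -> set of destinations it touched
    for _pri, sig, src, dst in alerts:
        if sig in SCAN_SIGNATURES:
            scans.setdefault((src, sig), set()).add(dst)
    summaries = [f"{sig} from {src}: {len(dsts)} hosts touched"
                 for (src, sig), dsts in sorted(scans.items())]
    return forwarded, summaries

if __name__ == "__main__":
    forwarded, summaries = tune_alerts(RAW_ALERTS)
    for pri, sig, src, dst in forwarded:
        print(f"P{pri} {sig}: {src} -> {dst}")
    for line in summaries:
        print("summary:", line)
```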


Page 26: NETWORK IDS (NIDS)

IDS DEPLOYMENT RECOMMENDATIONS II

You might be asking yourself, "Why should I bother trying to monitor this traffic at all? If users are permitted to do almost anything they want to, why should I try to deploy sensors to the networks they use?"

Here's a scenario that explains why some level of network intrusion detection should be performed.

Suppose that hundreds of hosts throughout the university have been infected with the same Trojan and that these hosts are used to launch DDoS attacks against other sites. Given the lack of other defense devices, deploying an intrusion detection sensor to monitor outgoing traffic may be your best chance of quickly detecting such an attack and collecting enough information about it to identify the infected hosts.
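The scenario above, as an added example that is not part of the slides: a sensor on the university's outgoing link summarises flow records per destination and reports targets that many internal hosts are hammering at high volume. The flow records and thresholds are constructed; a popular web site visited by many hosts at low volume and one lone noisy host are included to show they are not reported.

```python
# Added example (not from the slides): identify DDoS participants from outbound
# flow records seen by a sensor on the university's Internet uplink.
# Flow records are constructed; addresses come from the documentation ranges.
from collections import defaultdict

# (internal source, external destination, destination port, packets in the window)
OUTBOUND_FLOWS = [
    ("10.20.1.15", "203.0.113.10", 80, 40000),   # five hosts flooding one target
    ("10.20.1.16", "203.0.113.10", 80, 38000),
    ("10.30.7.2",  "203.0.113.10", 80, 41000),
    ("10.30.7.9",  "203.0.113.10", 80, 39500),
    ("10.40.2.21", "203.0.113.10", 80, 42000),
    ("10.20.1.15", "198.51.100.5", 443, 120),    # ordinary browsing of a popular site
    ("10.20.1.33", "198.51.100.5", 443, 95),
    ("10.30.7.2",  "198.51.100.5", 443, 140),
    ("10.40.2.21", "198.51.100.5", 443, 80),
    ("10.40.2.22", "198.51.100.5", 443, 60),
    ("10.20.1.40", "192.0.2.77",   22, 30000),   # one noisy host, not a coordinated attack
]

def find_ddos_participants(flows, min_sources=5, min_packets=10000):
    """Return {target: sorted internal sources} for every target that at least
    min_sources distinct internal hosts each hit with >= min_packets packets.
    Many low-volume sources (a popular site) or one heavy source do not qualify."""
    per_target = defaultdict(lambda: defaultdict(int))
    for src, dst, _port, pkts in flows:
        per_target[dst][src] += pkts
    result = {}
    for dst, sources in per_target.items():
        heavy = sorted(src for src, pkts in sources.items() if pkts >= min_packets)
        if len(heavy) >= min_sources:
            result[dst] = heavy
    return result

def infected_hosts(flows, **thresholds):
    """Union of participants across all targets: the list of hosts to clean up."""
    hits = find_ddos_participants(flows, **thresholds)
    return sorted({src for sources in hits.values() for src in sources})

if __name__ == "__main__":
    for target, sources in find_ddos_participants(OUTBOUND_FLOWS).items():
        print(f"{target} flooded by {len(sources)} internal hosts")
    print("infected hosts:", infected_hosts(OUTBOUND_FLOWS))
```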


Page 27: NETWORK IDS (NIDS)

SUMMARY

In this lesson, you learned about the basics of network IDSs, particularly signatures and how they cause false positives and negatives. We took a close look at where IDS sensors and software can be located in various network environments and discussed the advantages and disadvantages of various deployment architectures.
