IDS/IPS – Computer Security and Intrusion Detection
• Communication
• Any communication requires 4 entities:
• Source
• Destination
• Medium
• Protocol – the rules governing the exchange
• Communication – Flow of Information
• Various types of attacks
•Interruption
•Interception
•Modification
•Fabrication
• Interruption – state in which an asset of the system is destroyed or becomes unavailable
• Targets the source or the communication channel
• Prevents the information from reaching the destination
• Interruption – Examples
• Cutting the physical cable medium
• Overloading the carrying medium
• These are types of Denial of Service (DoS) attacks
• Interception – an unauthorized party gains illegal access to the information traversing the communication channel.
• Examples
• Wiretapping
• Modification – information is intercepted and modified.
• Examples
• MITM (man-in-the-middle) attacks
• Fabrication – attacker inserts forged objects into the system without the sender's knowledge or involvement.
• Fabrication – 2 types
• Replaying
• A previously intercepted entity is inserted again
• Example – replaying an authentication message.
• Masquerading
• Attacker pretends to be the legitimate source
• Inserts his / her desired information
• Example – adding new records to a file or database
• Security Property
• Desired feature of a system with regard to a certain type of attack.
• The four attacks discussed in the previous section violate the various security properties of an information system.
• Core qualities of any information system
• Security Property
• Confidentiality
• Integrity
• Availability
• Authentication
• Non-repudiation
• Traffic Analysis – process of intercepting and examining messages in order to deduce information from patterns in communication. Information collected includes:
• Source
• Destination
• Timing of the data
• Frequency of a particular message
• Type of data / communication
• Non-repudiation – concept of ensuring that a contract cannot later be denied by one of the parties involved.
• Describes the mechanism that prevents either sender or receiver from denying a transmitted message.
• Non-repudiation of origin – proves data has been sent
• Non-repudiation of delivery – proves data has been received
• Security Mechanisms – the various actions and countermeasures employed to safeguard the security properties of an information system.
• Security Mechanisms – 3 types
• Attack Prevention
• Attack Avoidance
• Attack Detection
• Attack Prevention – series of security mechanisms implemented to prevent or defend against various kinds of attacks before they can actually reach and affect the target system.
• Examples
• Access Control
• Firewall
• Attack Avoidance – techniques in which the information is modified in a way that makes it unusable to the attacker.
• Assumption – the attacker may have, or already has, access to the subject information.
• Examples
• Cryptography
• Attack Detection – process / technique of reporting that something has been able to bypass the security measures (if any are present), and identifying the type of attack.
• Countermeasures are initiated to recover from the impact of the attack.
• Examples
• IDS / IPS
• Intrusion Detection System
Intrusion detection encompasses a range of security techniques designed to detect (and report on) malicious system and network activity, or to record evidence of intrusion.
IDS/IPS – Attack Framework
• Types of Events – 2
• Attributable
Event can be traced to an authenticated user
• Non-attributable
Event cannot be traced to an authenticated user.
Ex: any event that occurs before authentication in the login process, such as bad password attempts.
Vulnerability
• Existence of a weakness, design flaw, or implementation error that can lead to an unexpected, undesirable event compromising the security of the system, network, application, or protocol involved
• Pen Tester's Point of View – from a penetration tester's point of view, a vulnerability is defined as a security weakness in a Target of Evaluation.
Threat
• Any possible event, action, process or phenomenon that can potentially inflict damage on system resources
Relation between Vulnerability and Threat (diagram slide)
Real Life Case Study – European Space Agency
• Ariane 5 Rocket – 10 years and $7 million
• Capable of placing a pair of three-ton satellites into orbit.
• Launched on 04 Jun 1996
Immediately after launch, Ariane 5 exploded.
Cause of the explosion: a very small computer program trying to stuff a 64-bit number into a 16-bit space.
See it: http://s.freissinet.free.fr/videos/ariane5.wmv
Vulnerability Classification
Vulnerabilities can be classified as follows:
• Design Vulnerabilities
• Implementation Vulnerabilities
• Configuration or Operational Vulnerabilities
Design Vulnerability
• When the vulnerability is inherent to the project or design
• Very difficult to detect and eliminate as it is inherent to the project
• Proper implementation of the product will not get rid of the flaw
• Example – TCP/IP protocol stack vulnerabilities
Implementation Vulnerability
• When an error is introduced into the components of a system during the implementation stage of a project or algorithm, it is termed an Implementation Vulnerability.
• The error could be hardware based or software based.
• Example – Buffer Overflows
Configuration Vulnerability
• Also known as Operational Vulnerability.
• Introduced into the system when the responsible administrator does not perform the proper configuration, or leaves the default configuration on.
• Example – not disabling unwanted services, allowing weak passwords
Attacks
• An assault on system security that derives from an intelligent threat.
• An intelligent act that is a deliberate attempt to evade security services and violate the security policy of a system
• Example – denial of service attacks, penetration and sabotage
Difference between Attack and Security Event
• Attack – the intruder aims at achieving a particular result which could be against the implied security policy
• Event – no rules are violated or broken
Attack Components
• Attack realization tool – Example – Port Scanner
• Vulnerability – exploit a known vulnerability
• Security Event – actions on the target system
• Result of the Attack – when an attacker is able to exploit a vulnerability and has generated a security event
The results of an attack may vary depending upon the security event and vulnerability chosen.
General Attack Model (diagram): ATTACKER → PERFORMS ATTACK → TARGET
The attacker and target represent the same entity (diagram: ATTACKER AND TARGET ARE ON THE SAME ENTITY)
Attack Model Categories
• Traditional Attack Model
• One-to-one Attack Model
• One-to-many Attack Model
• Distributed Attack Model
• Many-to-one Attack Model
• Many-to-many Attack Model
Traditional Attack Model
• Attacks always originate from a single point.
• Single-tier architecture
• There is only a single layer between the attacker and the target.
One-to-one (traditional attack model)
• The attacker and target have a one-to-one relationship.
• Attack originates from a single machine.
One-to-many (traditional attack model)
• The attacker and target have a one-to-many relationship.
• Attack originates from a single machine, but there is more than one target
Distributed Attack Model
• Based on many-to-one and many-to-many relationships.
• Source of the attack is more than one entity.
• The attack packets originate from intermediate systems compromised by the attacker.
Many-to-one (Distributed attack model)
• The attacker and target have a many-to-one relationship.
• Attack originates from more than one machine.
• There is only one target
Many-to-many (Distributed attack model)
• The attacker and target is having a Many-to-manyrelationship.
•Attack originates from more than one machine.
•There are more than one target
IDS/IPSAttack Framework
Many-to-many (Distributed attack model)
IDS/IPSAttack Framework
Distributed attack
• Reconnaissance – searching for suitable hosts.
• Compromise the system – installing backdoors
• Attack Initiation – start the attack using the compromised systems.
Distributed attack – Agents
• Two types of special agents
• Masters / Servers
• Daemons / Clients
• Zombie – compromised system on which agents are installed.
• Distributed attacks implement a three-tier architecture
Distributed attack – Advantages
• Attack Effect – devastating effect as the attack originates from multiple locations.
• Anonymity – provides a high level of anonymity to the attacker.
• Hard-to-stop attacks – very difficult to stop the attack without bringing down or disconnecting the target system
Intruder
• Also known as attacker – first element in the attack model.
• Person who attempts to gain unauthorized access to a system, to damage that system, or to disturb data on that system
• Attempts to violate security by interfering with system Availability, data Integrity or data Confidentiality
Intruder Types
• Black Hat Hacker
• Hacker spies supported by governments
• Cyber Terrorist
• Corporate Spies
• Professional Criminals
• Vandals
Incidents
• Violation or imminent threat of violation that could result, or results, in
• a loss of data confidentiality,
• disruption of data or system integrity, or
• disruption or denial of availability
• An incident must clearly be a breach of network security.
Examples of Incidents
• DoS
• Malicious Code
• Unauthorized Access
• Inappropriate Usage
IDS/IPS – Introduction to IDS and IPS
Intrusion – any unauthorized system or network activity on one or more computers or networks
Intrusion detection systems (IDSs) are software and/or hardware based systems that detect intrusions to your network / host based on a number of telltale signs.
Two types of IDS:
• Active IDS
• attempts to block attacks
• responds with countermeasures
• alerts administrators
• Passive IDS
• merely logs the intrusion
• creates audit trails
IDS can provide the following information on attempted or actual security events:
• Data destruction
• Denial-of-service
• Hostile code
• Network or system eavesdropping
• System or network mapping and intrusion
• Unauthorized access
Types of IDS
• Host-based Intrusion Detection System (HIDS)
• Network-based Intrusion Detection System (NIDS)
• Hybrid Intrusion Detection Systems
HIDS
• Resides on the host
• Scans log files – OS log files, application log files, etc.
• If the log files are corrupt, the HIDS is not effective.
• The scan output is logged into a secure database and compared to detect any intrusion.
Types of HIDS
• Operating System Level – works on OS log files.
• Application Level – works on application-level log files.
• Network Level – works on packets addressed to or sent from a host.
Advantages of HIDS
• Cost effective
• Additional layer of protection.
• Direct control over system entities – works on packets addressed to or sent from a host.
NIDS
• IDS responsible for detecting inappropriate, anomalous, or any other kind of data which may be considered unauthorized or inappropriate for a subject network
• Pattern based
Hybrid IDS – combination of HIDS and NIDS
IPS
• Sophisticated class of network security implementation that not only has the ability to detect the presence of intruders and their actions, but also to prevent them from successfully launching any attack.
• Incorporates the security features of firewall technology and of intrusion detection systems
IPS Categories
• Host IPS (HIPS)
• Loaded on each PC and server
• Network IPS (NIPS)
• Component that integrates into your overall network security framework.
Benefits of HIPS
• Attack Prevention
• Patch Relief
• Internal Attack propagation prevention
• Policy enforcement
• Regulatory requirements
NIPS – places sensors as Layer 2 (L2) forwarding devices.
Main difference between IDS and IPS – packet dropping.
Dropping of packets – Categories
• Dropping a single packet
• Dropping all packets for a connection
• Dropping all traffic from a source IP.
Defense in Depth
• Also known as elastic defense.
• Military strategy that seeks to delay rather than prevent the advance of an attacker.
• Represents the use of multiple computer security techniques to help mitigate the risk of one component of the defense being compromised or circumvented.
Defense in Depth
• Attacker has to penetrate a series of layered defenses
• Each layer is equipped with a suitable defense
• The delay provides the security staff with the time to respond to the attack.
IDS & IPS Analysis Scheme
• A baseline is first set.
• Baseline – known value or quantity with which an unknown is compared when measured or assessed
• A group of network activities / characteristics is categorized as the baseline for an IDS
• Anything outside the baseline is treated as malicious
Network Activity Baseline (diagram): variance from the baseline activities
IDS Analysis
• Process of organizing the various elements of data related to IDS and their inter-relationships to identify any irregular activity of interest.
IDS Analysis
Divided into 4 phases:
• Preprocessing
• Analysis
• Response
• Refinement
Detection Methodologies
• Rule based Detection
• Also known as Misuse Detection, Signature Detection or pattern matching.
• First scheme used in early IDSs
• Process of attempting to identify instances of network attacks by comparing current activity against the expected actions of an intruder
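As an added illustration (not code from the original slides), a minimal signature matcher in Python that compares constructed web-server log lines against three textbook patterns; the log lines, rule names and patterns are all invented for this example.

```python
import re
from collections import namedtuple

# Constructed sample log lines written for this example (not from the slides):
# "<timestamp> <source IP> <destination port> <request>"
SAMPLE_LOG = [
    "2024-01-01T10:00:01 10.0.0.5 80 GET /index.html HTTP/1.1",
    "2024-01-01T10:00:02 10.0.0.9 80 GET /login.php?user=admin' OR '1'='1 HTTP/1.1",
    "2024-01-01T10:00:03 10.0.0.7 80 GET /cgi-bin/../../etc/passwd HTTP/1.1",
    "2024-01-01T10:00:04 10.0.0.5 80 POST /search?q=<script>alert(1)</script> HTTP/1.1",
    "2024-01-01T10:00:05 10.0.0.8 80 GET /images/logo.png HTTP/1.1",
]

# A signature encodes one 'expected action of an intruder' as a pattern.
# These three are textbook illustrations, not a production rule set.
SIGNATURES = {
    "sql-injection": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
    "directory-traversal": re.compile(r"(\.\./){2,}"),
    "cross-site-scripting": re.compile(r"<script\b", re.IGNORECASE),
}

Alert = namedtuple("Alert", "rule source line")


def scan(lines, signatures=SIGNATURES):
    """Compare every log line against every signature and collect alerts.

    Only activity that matches a known pattern is reported; a new attack
    with no signature passes silently, which is the method's main limit.
    """
    alerts = []
    for line in lines:
        fields = line.split(" ", 3)
        source = fields[1] if len(fields) > 1 else "unknown"
        for rule, pattern in signatures.items():
            if pattern.search(line):
                alerts.append(Alert(rule, source, line))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"[{alert.rule}] from {alert.source}: {alert.line}")
```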
• Anomaly Detection
• Also known as profile-based detection
• A profile is created for each user group on the system.
• The profile created is then used as a baseline to define normal user activity.
• If network activity deviates from the baseline, an alarm is generated.
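An added example, not from the slides, of profile-based detection in Python: a per-user-group baseline (mean and standard deviation of requests per minute, constructed numbers) is learned, then a current window is scored against it and any deviation beyond an assumed 3-sigma threshold raises an alarm.

```python
import statistics
from collections import Counter

# Constructed training data written for this example: requests per minute
# observed for each user group while the baseline was being learned.
BASELINE = {
    "staff": [12, 15, 14, 13, 16, 15, 14, 12, 13, 15],
    "admin": [2, 3, 2, 4, 3, 2, 3, 2, 4, 3],
}

# Constructed current-window events as (minute, user group) tuples; the
# staff burst in minute 2 and the admin burst in minute 3 are the anomalies.
CURRENT_EVENTS = (
    [(0, "staff")] * 14 + [(1, "staff")] * 15 + [(2, "staff")] * 58 + [(3, "staff")] * 13
    + [(0, "admin")] * 3 + [(1, "admin")] * 2 + [(2, "admin")] * 3 + [(3, "admin")] * 9
)


def build_profiles(baseline):
    """One profile per user group: mean and population standard deviation."""
    return {group: (statistics.mean(r), statistics.pstdev(r)) for group, r in baseline.items()}


def deviation_score(value, profile):
    """How many standard deviations the observed value lies from the mean."""
    mean, stdev = profile
    if stdev == 0:
        return 0.0 if value == mean else float("inf")
    return (value - mean) / stdev


def detect(events, profiles, threshold=3.0):
    """Count events per (group, minute) and alarm on large deviations."""
    per_key = Counter((group, minute) for minute, group in events)
    alarms = []
    for (group, minute), count in sorted(per_key.items()):
        score = deviation_score(count, profiles[group])
        if abs(score) > threshold:
            alarms.append((group, minute, count, round(score, 2)))
    return alarms


if __name__ == "__main__":
    for group, minute, count, score in detect(CURRENT_EVENTS, build_profiles(BASELINE)):
        print(f"ALARM group={group} minute={minute} requests={count} z={score}")
```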
• Behavior Anomaly Detection
• Looks for anomalies in user behavior.
• Characteristic-dependent rather than statistical.
• Network Behavior Anomaly Detection (NBAD)
• Also known as traffic anomaly systems
• Process of continuously monitoring a proprietary network for unusual events or trends
• Basically statistical rather than characteristic-based.
• Protocol Anomaly Systems
• Look for deviations from the established protocol standards.
• Primarily characteristic based.
• Not very reliable and generates false positives.
• Target Monitoring Systems
• Look for modification of specified files or objects.
• More of a corrective control.
• Creates a cryptographic checksum for each file.
• This checksum is compared at regular intervals to detect any changes.
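An added Python example, not from the original slides, of a target monitoring check: a SHA-256 checksum baseline is taken of a directory and compared later to report added, removed and modified files. The file names and contents are constructed in a temporary directory so the example runs stand-alone.

```python
import hashlib
import os
import tempfile


def file_digest(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files need little memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map every file under root (by relative path) to its checksum."""
    checksums = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            checksums[os.path.relpath(full, root)] = file_digest(full)
    return checksums


def compare(baseline, current):
    """Report what changed since the stored baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def run_demo():
    """Constructed scenario: baseline a directory, then change it three ways."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, data, mode="wb"):
            with open(os.path.join(root, name), mode) as f:
                f.write(data)
        write("passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        write("hosts", b"127.0.0.1 localhost\n")
        baseline = snapshot(root)  # in practice stored in a secure database
        write("passwd", b"extra:x:1001:1001::/home/extra:/bin/sh\n", mode="ab")  # modified
        os.remove(os.path.join(root, "hosts"))                                     # removed
        write("unexpected.sh", b"#!/bin/sh\necho hello\n")                         # added
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(run_demo())
```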
Heuristics
• Still in its initial stages
• Refers to the use of AI in detecting intrusions.
• An AI scripting language is used to apply the analysis to the incoming data.
Hybrid Approach
• Any system that uses a combination of the above-mentioned analysis methods
Some Myths
• IDS and IPS are two separate solutions
• IDSs and IPSs will catch or stop all network intrusions
• IDSs give too many false positives
• IDSs will eventually replace firewalls.
• Fewer security admins are required if you deploy an IDS