
Introduction to Network IDS

Linux User Group Singapore

Friday 7th May 2004


Michael Boman

What we will cover:

What to expect from a Network IDS

How to physically connect a Network IDS

Where to connect the Network IDS

Different types of Network IDS

Interoperability between different vendors' NIDS

What false positives / false negatives are

Classify network events using severity ratings

Q & A

Why Network Intrusion Detection?

Prevention is ideal, but detection is a must.

Provides forensic capabilities of network traffic

Compare with CCTV camera and recording equipment.

Side effect: You learn more about your network and discover protocols, services and other resource stealing objects.

Think about this before installing a Network IDS

Do you:

Keep your system up-to-date with patches?

Remove unneeded services?

Configure IPTables to protect your host(s)?

Actually read (and understand) the IPTables-generated log files?

If not, you are not ready to do Network IDS.

NIDS will not protect you against malicious traffic.

NIDS will generate even more logs.

NIDS will take a considerable amount of time to configure properly, and is several times more complicated than IPTables.

How to connect your Network IDS

A NIDS can be connected to a network in 3 ways

Network TAP

Using a switch's SPAN port

Using a hub

Using a network TAP


Replicates the signal on each TX pair onto two new cables

Has additional power to boost the network signal

Fails open


Expensive (can cost over S$1000 per unit)

Requires 2 NIC on the NIDS

Can only monitor one link

(TAP = Test Administrative Port)

Inside a Network TAP

[Diagram: Device A and Device B connected through the TAP, with the Network IDS attached to the TAP's single monitor output]

Can anyone spot the problem with this TAP design?

Did you figure it out?

The problem with this tap is:

If the sum of the streams collected from the two inputs exceeds the capacity of the single output, packets are dropped. Whoops!

Using a switch SPAN port

SPAN: Switched Port Analyzer (Cisco)

Known as mirror port (port mirror) by other vendors

Mirrors the traffic of one or more ports to a second port.


Can monitor several ports at the same time

No extra cost if hardware is already available


Not all switches support SPAN ports

Creates additional load on the switch (decreased switch performance)

Drops packets if you try to push too much traffic to a single port

Using a HUB


Low cost

Ideal for home network / ADSL / cable connection for playing around


Packet collisions (packet drop)

10/100 hubs require extra care (traffic does not propagate between the 10 Mbit and 100 Mbit segments)

Where to connect your NIDS


Different types of NIDS

Pattern matching

Looks for fingerprints of vulnerabilities or exploits

Signature database needs to be kept up-to-date

Anomaly detection

Creates a profile of normal network traffic

Suspicious events can be defined in various ways

RFC compliance checking

Protocol analysis/decoding

Traffic doesn't comply with normal traffic criteria.

The fact that protocols are well defined makes the use of Protocol Analysis a strong contender, but many implementations of protocols fail to follow their respective RFC.

False Positives / False Negatives


[Table: alert generated / alert not generated versus malicious / non-malicious traffic]



False Positives / False Negatives Explained

False positive: Alert generated for non-malicious traffic

The biggest published drawback with NIDS

With too many false positives, the analyst(s) will tire of looking at them.

Can be reduced with tuning

False negative: Alert not generated for malicious traffic

Even more dangerous than false positives, as you don't get alerted on it.

Can be reduced with tuning
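The two detector types from the previous slides and the false positive / false negative outcome are easiest to see on concrete traffic. The following is an added example written for this page, not code from the talk: a toy pattern-matching detector and a toy anomaly detector are run over a handful of constructed flows (hypothetical addresses, payloads and signature names), each result is scored against a ground-truth label, and a tuned signature shows how tuning removes a false positive.

```python
"""Added example (not from the slides): a toy pattern-matching detector and a
toy anomaly detector run over constructed traffic, then scored for false
positives and false negatives against known ground truth."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes
    malicious: bool   # ground truth, used only for scoring


# Constructed sample traffic (hypothetical addresses and payloads).
TRAFFIC = [
    Flow("10.0.0.5", "10.0.0.80", 80, b"GET /index.html HTTP/1.0\r\n", False),
    Flow("10.0.0.5", "10.0.0.80", 80, b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n", True),
    # Benign request whose path happens to contain a fingerprint string.
    Flow("10.0.0.7", "10.0.0.80", 80, b"GET /docs/etc/passwd.txt HTTP/1.0\r\n", False),
    Flow("10.0.0.9", "10.0.0.80", 80, b"GET /index.html HTTP/1.0\r\n", False),
    Flow("10.0.0.5", "10.0.0.25", 25, b"HELO mail.example\r\n", False),
    # Unusual destination port: no signature for it, only the profile notices.
    Flow("10.0.0.66", "10.0.0.80", 6667, b"NICK bot\r\n", True),
    # Malicious but looks like ordinary web traffic: neither detector fires.
    Flow("10.0.0.66", "10.0.0.80", 80, b"POST /upload HTTP/1.0\r\n", True),
]

# Pattern matching: each signature is a tuple of byte fingerprints that must all appear.
SIGNATURES = {
    "WEB-MISC /etc/passwd access": (b"/etc/passwd",),
    "WEB-MISC directory traversal": (b"../",),
}
# Tuned version: the fingerprints are combined, so a plain file name no longer fires.
TUNED_SIGNATURES = {
    "WEB-MISC traversal to /etc/passwd": (b"../", b"/etc/passwd"),
}


def signature_alerts(flows, signatures):
    """Return {flow: {signature names}} for every flow matching at least one signature."""
    alerts = {}
    for f in flows:
        hits = {name for name, pats in signatures.items()
                if all(p in f.payload for p in pats)}
        if hits:
            alerts[f] = hits
    return alerts


def build_profile(baseline):
    """Anomaly detection: 'normal' is the set of (destination, port) pairs seen in a clean baseline."""
    return {(f.dst, f.dport) for f in baseline}


def anomaly_alerts(flows, profile):
    """Alert on any flow whose (destination, port) pair is not in the profile."""
    return {f for f in flows if (f.dst, f.dport) not in profile}


def score(alerted, flows):
    """Count true/false positives and negatives against the ground-truth label."""
    counts = {"true_positive": 0, "false_positive": 0,
              "true_negative": 0, "false_negative": 0}
    for f in flows:
        fired = f in alerted
        if fired:
            counts["true_positive" if f.malicious else "false_positive"] += 1
        else:
            counts["false_negative" if f.malicious else "true_negative"] += 1
    return counts


# Assumption: the baseline was captured during a period with no malicious traffic.
BASELINE = [f for f in TRAFFIC if not f.malicious]

if __name__ == "__main__":
    print("signatures:", score(signature_alerts(TRAFFIC, SIGNATURES), TRAFFIC))
    print("tuned:     ", score(signature_alerts(TRAFFIC, TUNED_SIGNATURES), TRAFFIC))
    print("anomaly:   ", score(anomaly_alerts(TRAFFIC, build_profile(BASELINE)), TRAFFIC))
```

The untuned signatures catch the traversal but also fire on the harmless /docs/etc/passwd.txt request (one false positive) and miss both flows they have no fingerprint for (two false negatives). The tuned signature removes the false positive without adding a false negative, while the anomaly profile catches the odd-port flow the signatures miss but still has nothing to say about the malicious upload, which matches the learned profile perfectly. Both detectors together still leave one false negative, which is the point of the slide: tuning reduces the numbers, it does not make them zero.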

Detector capability

Capability                                                                                  | Result in its absence
The level of certainty the detector provides when it warns of a possible event              | False positives
The capability the detector has for extensive and complex analysis in locating possible attacks | False negatives

Network IDS Interoperability

Network IDS has been, and in large extent still is, vendor proprietary technology.

Signatures are written in different ways for different vendors.

This is starting to change, more and more NIDS products are at least incorporating part of the Snort signature language.

Alerts are sent and stored in vendor proprietary formats

Proposed solutions

IDMEF: Intrusion Detection Message Exchange Format

Internet draft (proposed RFC) by IDWG

Uses IDXP (Intrusion Detection Exchange Protocol) for transport, also a proposed RFC, by IDWG

IDWG = Intrusion Detection Working Group, appointed by IETF


SDEE: Security Device Event Exchange

Released by ICSA Labs in February 2004

Cisco Systems, ISS, Sourcefire and TruSecure Corporation co-developed the SDEE transport protocol specification format

Is not really free... see next slide.

SDEE Quote

What particularly made me look quite negatively at the SDEE spec is the ICSA Labs involvement. I contacted the ICSA Labs people on the day when SDEE was officially out, with a question of joining the IDS forum and contributing to the SDEE review. The response to my mail included an invoice for 9,000+ USD (5k for general forum membership, and 4k for the IDS cntm).

Fyodor Y,

Snort discussion forum on Orkut,

21 March 2004

SANS Severity Ratings

SANS Institute has developed the following formula to classify how badly an attack affects the target:

Severity = (Criticality + Lethality) - (System Countermeasures + Network Countermeasures)

Where each item has a value between 1 and 5 assigned to it.

SANS Severity Ratings (cont'd)

Criticality: How critical is the target to the rest of the network or operations?

Lethality: How dangerous is the attack?

System Countermeasures: What countermeasures have been implemented on the system to defend against this threat?

Network Countermeasures: What countermeasures have been implemented on the network to defend against this threat?
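Applied to more than one event, the formula becomes a triage order. The following is an added example written for this page, not part of the talk: it implements the SANS severity formula with the 1 to 5 range enforced on every term and ranks a list of constructed events (the event names and scores are hypothetical) from most to least severe.

```python
"""Added example (not from the slides): the SANS severity formula applied to a
list of constructed network events, with the 1-5 range enforced on each term."""

TERM_RANGE = range(1, 6)   # each term is scored from 1 to 5


def severity(criticality, lethality, system_cm, network_cm):
    """Severity = (Criticality + Lethality) - (System + Network Countermeasures).

    With every term between 1 and 5 the result lies between -8 and +8.
    """
    for name, value in (("criticality", criticality),
                        ("lethality", lethality),
                        ("system countermeasures", system_cm),
                        ("network countermeasures", network_cm)):
        if value not in TERM_RANGE:
            raise ValueError(f"{name} must be between 1 and 5, got {value}")
    return (criticality + lethality) - (system_cm + network_cm)


def triage(events):
    """Return (name, severity) pairs sorted from the most to the least severe."""
    ranked = [(e["name"], severity(e["criticality"], e["lethality"],
                                   e["system_cm"], e["network_cm"]))
              for e in events]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


# Constructed events; the names and scores are hypothetical, not from the slides.
EVENTS = [
    {"name": "directory traversal against the public web server",
     "criticality": 5, "lethality": 4, "system_cm": 2, "network_cm": 3},
    {"name": "port scan of a patched workstation behind the firewall",
     "criticality": 2, "lethality": 2, "system_cm": 4, "network_cm": 4},
    {"name": "exploit attempt against an unpatched DNS server",
     "criticality": 4, "lethality": 5, "system_cm": 1, "network_cm": 2},
    {"name": "worm probe against a host that does not run the service",
     "criticality": 3, "lethality": 4, "system_cm": 5, "network_cm": 3},
]

if __name__ == "__main__":
    for name, sev in triage(EVENTS):
        print(f"{sev:+3d}  {name}")
```

The DNS server event ranks first (severity 6) because a lethal attack meets almost no countermeasures, while the port scan ends up at -4 and the worm probe, dangerous on paper but aimed at a host that is fully countered, sits just below zero. Negative results are normal and simply mean the countermeasures outweigh the attack.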

What have we learned?

Network IDS is resource intensive

Placement of the NIDS depends on what you want to monitor

The difference between a signature-based and an anomaly-based NIDS

IDMEF, SDEE and proprietary alert and storage formats

How to calculate a network event's severity level


Got any questions? Now is the time to ask them!

Recommended reading material

TCP/IP Illustrated Vol. 1

W. Richard Stevens; ISBN: 0201633469

Network Intrusion Detection (3rd ed)

Stephen Northcutt, Judy Novak; ISBN: 0735712654

Intrusion Signatures and Analysis

Stephen Northcutt, Mark Cooper, Matt Fearnow, Karen Frederick; ISBN: 0735710635


Copyright 2004 Michael Boman. All Rights Reserved.
