Host Intrusion Prevention Systems & Beyond
By Dilsad Sera SAHINTEPE

Outline
• What is Intrusion Detection?
• Host Based & Network Based
• What does IDS Detect?
• Difference btw IDS & Firewall
• IDS types
• Importance of HIPS
• IDS Implementation
• HIDS
• Passive/Reactive System
• Prevention System
• What is HIPS?

What is Intrusion Detection?
• It is a device or software application that monitors network or system activities for malicious activity or policy violations and produces reports to a management station.

What does IDS Detect?
• It is a system used to detect unauthorized intrusions into computer systems and networks.
• Example: it detects attacks on FTP, and data-driven attacks at the application layer, such as an SQL injection error that could be used to crash an application.

IDS Components
• Sensors – generate security events such as log files
• Console – monitors events and alerts, and controls sensors
• Engine – analyzes the data using artificial intelligence to generate alerts from the events received
*** 3 in 1 (sometimes all three are in one appliance)

Types of Intrusion Detection System
• NIDS – Network Based: an independent platform which identifies intrusions by examining network traffic and monitors multiple hosts. It gains access to network traffic by connecting to a hub, a network switch configured for port mirroring, or a network tap. Example: Snort – KSU (Academic Freedom)
• PIDS – Protocol Based: consists of a system or agent that would typically sit at the front end of a server, monitoring and analyzing the communication protocol between a connected device (a user/PC or system) and the server.
• APIDS – Application Protocol Based: consists of a system or agent that would typically sit within a group of servers, monitoring and analyzing the communication on application-specific protocols. For example, in a web server with a database this would monitor the SQL protocol specific to the middleware/business logic as it transacts with the database.
• HIDS – Host Based
• Hybrid System

How is IDS implemented?

Host Based Intrusion Detection System
• Consists of an agent on a host which identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, capability/ACL databases) and other host activities and state.
• An example of a HIDS is OSSEC.

IDS vs. Firewalls
• Both are related to network security.
• A firewall looks outward for intrusions in order to stop them from happening. Firewalls limit access between networks to prevent intrusion and do not signal an attack from inside the network.
• An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. An IDS also watches for attacks that originate from within a system.

Passive vs. Reactive Systems
• In a passive system, the intrusion detection system (IDS) sensor detects a potential security breach, logs the information and signals an alert on the console and/or to the owner.
• In a reactive system, also known as an Intrusion Prevention System (IPS), the IDS responds to the suspicious activity by resetting the connection or by reprogramming the firewall to block network traffic from the suspected malicious source.
• Both can be signature based; the signatures depend on activity on the host or on the network. Example Snort signature (Skype):
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"Skype client login -- reply from server"; flags:AP,SUFR12; flow:to_client,established; dsize:5; content:"|17 03 01 00|"; depth:4; sid:1000010; rev:2;)

Prevention System
• An intrusion prevention system is a network security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real time, to block or prevent those activities.
• An enemy can send packets that the IPS will see but the target computer will not. For example, the attacker could send packets whose Time To Live fields have been crafted to reach the IPS but not the target computers it protects. This technique results in an IPS whose state differs from that of the target.
Host Intrusion Prevention System
• Host-based intrusion prevention system (HIPS): an installed software package which monitors a single host for suspicious activity by analyzing events occurring within that host.
• HIPS also have signature based systems.

How IDS differs from IPS
• IPSs are designed to sit inline with traffic flows and prevent attacks in real time.
• Deep packet inspection: in addition, most IPS solutions have the ability to look at (decode) layer 7 protocols like HTTP, FTP, and SMTP.
• RBIPS (rate-based IPS) can identify abnormal rates for certain types of traffic (botnet/zombie/DDoS). Examples: connections per second, packets per connection. Attacks are detected when thresholds are exceeded. The thresholds are dynamically adjusted based on time of day, day of the week etc., drawing on stored traffic statistics.

Host-based vs. Network IPS
• HIPS can handle encrypted and unencrypted traffic equally, because it can analyze the data after it has been decrypted on the host.
• NIPS does not use processor and memory on computer hosts but uses its own CPU and memory.
• NIPS drawback AND benefit, depending on how you look at it: NIPS is a single point of failure, which is considered a disadvantage; however, this property also makes it simpler to maintain.
• Use failover or load balancing to combat this NIPS disadvantage.

Host-based vs. Network IPS - 2
• NIPS can detect events scattered over the network (e.g. a low-level event targeting many different hosts, like a worm) and can react.
• With a HIPS, only the host's own data is available to take a decision.
• It would take too much time to report it to a central decision-making engine and wait for the response before blocking.

Importance of HIPS
• Well-known security companies realized how important HIPS is, and they have all published HIPS products.

Questions?
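The RBIPS slide above says thresholds on connections per second are adjusted by time of day from stored statistics; the following added example (not from the slides or any product) shows one way to do that: a per-hour threshold of mean + 3 standard deviations over constructed history, applied to a one-second sliding window per source. The HISTORY table, the threshold rule and the connection records are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed history: past connections-per-second samples, keyed by hour of day.
# Night traffic is quiet; mid-afternoon traffic is busy.
HISTORY = {3: [1, 2, 1, 2, 1, 3, 2, 1], 14: [20, 25, 18, 22, 24, 19, 21, 23]}

def threshold_for(hour: int, history=HISTORY, k: float = 3.0) -> float:
    """Connections-per-second limit for this hour: mean + k * stddev of its history.
    Hours with no stored samples fall back to the statistics of all hours."""
    samples = history.get(hour) or [s for v in history.values() for s in v]
    return mean(samples) + k * pstdev(samples)

def detect_rate_anomalies(connections, history=HISTORY):
    """connections: iterable of (timestamp, src_ip) for new TCP connections.
    Returns (src, first_alert_time, rate, threshold) for each source whose
    trailing 1-second connection rate exceeds the threshold of that hour."""
    windows = defaultdict(deque)   # src -> timestamps inside the trailing 1 s window
    alerts, alerted = [], set()
    for ts, src in sorted(connections):
        w = windows[src]
        w.append(ts)
        while w and (ts - w[0]).total_seconds() >= 1.0:
            w.popleft()            # slide the window forward
        rate = len(w)
        limit = threshold_for(ts.hour, history)
        if rate > limit and src not in alerted:
            alerts.append((src, ts, rate, round(limit, 2)))
            alerted.add(src)       # one alert per source; an IPS would now block it
    return alerts

def constructed_sample():
    """Constructed traffic (RFC 5737 addresses): the same burst of 10 connections
    in 0.9 s from one source at 03:00 and from another at 14:00, plus a lone connection."""
    night = datetime(2024, 1, 1, 3, 0, 0)
    day = datetime(2024, 1, 1, 14, 0, 0)
    conns = []
    for i in range(10):
        conns.append((night + timedelta(milliseconds=90 * i), '198.51.100.7'))
        conns.append((day + timedelta(milliseconds=90 * i), '203.0.113.9'))
    conns.append((night + timedelta(seconds=5), '192.0.2.4'))
    return conns
```

With the constructed history the 03:00 burst trips the alert on its fourth connection (limit about 3.7 conn/s), while the identical burst at 14:00 stays under that hour's limit of about 28.4 conn/s.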