Intrusion Detection, Access Control and Other Security Tools

Security Technology: Intrusion Detection, Access Control and Other Security Tools
Chapter 7
Intrusion
“Intrusion is a type of attack on information assets in which the instigator attempts to gain entry into a system or disrupt the normal operation of a system with, almost always, the intent to do malicious harm.”
Definitions
 Intrusion prevention: activities that deter an intrusion
 Writing & implementing a good enterprise information security policy
 Planning & executing effective information security programs
 Installing & testing technology-based countermeasures
 Conducting & measuring the effectiveness of employee training and awareness activities
 Intrusion detection: procedures and systems that identify system intrusions
 Intrusion correction:
 Activities that finalize the restoration of operations to a normal state
 Activities that seek to identify the source & method of the attack so that it can be prevented from recurring
Intrusion Detection Systems
 Commercially available since the late 1990s
 Works like a burglar alarm: detects a violation and sounds an alarm
 Extension – intrusion prevention systems
 Detect and prevent intrusions
 Generally accepted combination: intrusion detection and prevention system (IDPS)
IDPS Terminology
 Alarm or alert: indication that an attack is happening
 Evasion: the attacker changes the format and/or timing of activities to avoid being detected
 False attack stimulus: an event that triggers an alarm when no real attack is in progress
 False negative: failure of the IDPS to react to an actual attack
 False positive: an alarm activates in the absence of an actual attack
 Noise: alarm events that are accurate but do not pose a threat
 Site policy: rules & configuration guidelines governing the implementation & operation of the IDPS
IDPS Terminology
 Site policy awareness: ability to dynamically modify configuration in response to environmental activity
 True attack stimulus: an event that triggers an alarm during a real attack
 Tuning: adjusting an IDPS to maximise detection of true attacks while minimising false positives and false negatives
 Confidence value: measure of an IDPS's ability to correctly detect & identify the type of attack
 Alarm filtering: classification of IDPS alerts so that they can be prioritised
 Alarm clustering and compaction: grouping almost identical alarms happening at close to the same time into a single higher-level alarm
Why Use an IDS
 Prevent problem behaviors by increasing the
perceived risk of discovery and punishment
 Detect attacks and other security violations
 Detect and deal with preambles to attacks
 Document the existing threat to an organization
 Act as quality control for security design &
administration
 Provide useful information about intrusions
that take place
Types of IDS
 Network based
 Focused on protecting network information assets
 Wireless
 Network behavior analysis
 Host-based
 Focused on protecting the server's or host's information assets
Network-Based
 Resides on a computer or appliance connected to a segment of the organization's network
 Monitors network traffic on that segment
 Monitors packets
 Fed from a monitoring port (SPAN, switched port analyzer)
 Monitors all incoming and outgoing traffic on the segment
 Looks for attack patterns
 Compares measured activity to known signatures
 Protocol verification – packet structure
 Application verification – packet use
Advantages and
Disadvantages
 Advantages
 Needs few devices to monitor a large network
 Little or no disruption to normal operations
 May not be detectable by attackers
 Disadvantages
 Can be overwhelmed by network volume
 Requires access to all traffic on the segment
 Cannot analyze encrypted packets
 Cannot ascertain whether an attack was successful
 Some forms of attack are not easily discerned
 Fragmented packets
 Malformed packets
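The "protocol verification" step above, and the fragmented/malformed-packet weakness, are easiest to see on real bytes. The following is an added example written for this page (it is not from the textbook or any IDPS product): it parses the IPv4 and TCP headers of a packet as a sensor on a SPAN port would, rejects frames whose structure is inconsistent, and refuses to judge fragments whose payload cannot be inspected until reassembly. The packets are constructed in the script; the specific checks (SYN+FIN, NULL flags, a lying total-length field) are illustrative choices, not a vendor rule set.

```python
"""Protocol verification of raw IPv4/TCP packets as a network-based IDPS sensor
would do it. Added example with constructed packets; checks are illustrative."""
from __future__ import annotations
import struct
from typing import Optional

IP_HDR = "!BBHHHBBH4s4s"   # ver/IHL, TOS, total len, ID, flags+frag, TTL, proto, csum, src, dst
TCP_HDR = "!HHIIHHHH"      # sport, dport, seq, ack, offset+flags, window, csum, urgptr
TCP_FIN, TCP_SYN, TCP_RST = 0x01, 0x02, 0x04


def verify_ipv4_tcp(pkt: bytes) -> tuple[bool, str]:
    """Return (structurally_ok, reason). False means malformed or not inspectable."""
    if len(pkt) < 20:
        return False, "truncated IPv4 header"
    ver_ihl, _tos, total_len, _id, flags_frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack(IP_HDR, pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        return False, f"not IPv4 (version={version})"
    if ihl < 20 or ihl > len(pkt):
        return False, f"bad IHL ({ihl} bytes)"
    if total_len != len(pkt):
        # A sensor that trusts total_len blindly can be desynchronised from the
        # receiving host, which is one classic NIDS evasion.
        return False, f"IP total length {total_len} != {len(pkt)} bytes on wire"
    more_frags = bool(flags_frag & 0x2000)
    frag_offset = (flags_frag & 0x1FFF) * 8
    if more_frags or frag_offset:
        return False, "fragment: payload not inspectable until reassembled"
    if proto != 6:
        return True, f"non-TCP protocol {proto}: no TCP checks applied"
    tcp = pkt[ihl:]
    if len(tcp) < 20:
        return False, "truncated TCP header"
    sport, dport, _seq, _ack, off_flags, _win, _tcsum, _urg = struct.unpack(TCP_HDR, tcp[:20])
    data_off = (off_flags >> 12) * 4
    flags = off_flags & 0x1FF
    if data_off < 20 or data_off > len(tcp):
        return False, f"bad TCP data offset ({data_off} bytes)"
    if flags & TCP_SYN and flags & TCP_FIN:
        return False, "illegal SYN+FIN combination (scanner probe)"
    if flags == 0:
        return False, "no flags set (NULL scan probe)"
    return True, f"TCP {sport}->{dport} headers consistent"


def build_ipv4_tcp(sport: int, dport: int, flags: int, payload: bytes = b"",
                   more_frags: bool = False,
                   claimed_total_len: Optional[int] = None) -> bytes:
    """Construct a minimal IPv4/TCP packet for testing (checksums left zero)."""
    tcp = struct.pack(TCP_HDR, sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0) + payload
    total = 20 + len(tcp) if claimed_total_len is None else claimed_total_len
    ip = struct.pack(IP_HDR, 0x45, 0, total, 1, 0x2000 if more_frags else 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp


# Constructed samples: a benign SYN, two malformed probes, a fragment, and a
# packet whose IP header claims fewer bytes than were actually sent.
SAMPLES = {
    "syn": build_ipv4_tcp(40000, 80, TCP_SYN),
    "syn_fin": build_ipv4_tcp(40000, 80, TCP_SYN | TCP_FIN),
    "null": build_ipv4_tcp(40000, 80, 0),
    "fragment": build_ipv4_tcp(40000, 80, TCP_SYN, b"A" * 16, more_frags=True),
    "lying_len": build_ipv4_tcp(40000, 80, TCP_SYN, b"GET / HTTP/1.0\r\n", claimed_total_len=20),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        ok, why = verify_ipv4_tcp(pkt)
        print(f"{name:10} {'PASS' if ok else 'DROP':4} {why}")
```

A real sensor would go further (IP checksum, reassembly of fragments with overlap handling, TCP stream reassembly before signature matching), but the point the slide makes is already visible: each of the malformed samples is something the sensor must decide about before it can even look for an attack pattern, and the fragment cannot be judged at all from one packet.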
Wireless NIDPS
 Monitors and analyzes wireless network traffic
 Looks for potential problems with the wireless protocols (layers 2 and 3)
 Cannot evaluate & diagnose issues with higher-level layers
 Issues associated with implementation
 Physical security
 Sensor range
 Access point and wireless switch locations
 Wired network connections
 Cost
Wireless NIDPS
 Can detect conditions in addition to those detected by traditional IDPS types
 Unauthorized WLANs and WLAN devices
 Poorly secured WLAN devices
 Unusual usage patterns
 The use of wireless network scanners
 DoS attacks and conditions
 Man-in-the-middle attacks
 Limitations
 Unable to detect passive wireless protocol attacks
 Susceptible to evasion techniques
 Susceptible to logical and physical attacks on wireless access points
Host-Based
 Resides on a particular computer or server & monitors activity only on that system
 Also known as a system integrity verifier
 Works on the principle of configuration and change management
 Classifies files into categories & applies notification actions based on rules
 Maintains its own log file
 Can monitor multiple computers simultaneously
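The "system integrity verifier" idea above is concrete enough to run. The following is an added example for this page, not code from the textbook or from any HIDPS product: it snapshots a directory tree into a baseline of hashes, sizes and permission bits, classifies each path into a category, and applies per-category rules when re-checking (configuration and binaries alert on any change; logs are expected to grow, so only shrinking or deletion is suspicious). The directory tree, category table, severities and the simulated tampering are all constructed for illustration.

```python
"""Host-based IDPS as a system integrity verifier. Added example: the tree,
rule table and severities are constructed, not any product's configuration."""
from __future__ import annotations
import hashlib
import stat
import tempfile
from pathlib import Path

# Constructed category rules: path prefix -> (category, severity of a change).
CATEGORIES = [
    ("etc/", "config", "high"),
    ("bin/", "binary", "high"),
    ("var/log/", "log", "medium"),
]


def classify(rel_path: str) -> tuple[str, str]:
    for prefix, category, severity in CATEGORIES:
        if rel_path.startswith(prefix):
            return category, severity
    return "other", "low"


def fingerprint(path: Path) -> dict:
    st = path.stat()
    return {"sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}


def snapshot(root: Path) -> dict[str, dict]:
    """Fingerprint every regular file under root, keyed by POSIX-style relative path."""
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> list[dict]:
    """Apply the per-category rules and return the alerts a HIDPS would raise."""
    alerts: list[dict] = []

    def alert(path: str, event: str, severity: str) -> None:
        alerts.append({"path": path, "event": event, "severity": severity})

    for rel in sorted(set(baseline) | set(current)):
        category, severity = classify(rel)
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            alert(rel, "added", severity)
            continue
        if new is None:
            alert(rel, "deleted", "high" if category == "log" else severity)
            continue
        if category == "log":
            # Logs are expected to grow; shrinking suggests an attacker cleaning up.
            if new["size"] < old["size"]:
                alert(rel, "truncated", "high")
            continue
        if old["sha256"] != new["sha256"]:
            alert(rel, "content changed", severity)
        if old["mode"] != new["mode"]:
            alert(rel, f"mode {old['mode']:o} -> {new['mode']:o}", severity)
    return alerts


def demo() -> list[dict]:
    """Build a constructed host tree, baseline it, simulate tampering, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {"etc/passwd": "root:x:0:0::/root:/bin/sh\n",
                 "bin/ls": "ELF-pretend-binary",
                 "var/log/auth.log": "Accepted publickey for alice\n",
                 "var/log/syslog": "kernel: boot\n" * 50}
        for rel, body in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
        baseline = snapshot(root)
        # Simulated intrusion: trojaned binary, extra root account, normal log
        # growth, a truncated log (cleanup), and a dropped file in tmp/.
        (root / "bin/ls").write_text("ELF-pretend-binary-with-backdoor")
        (root / "etc/passwd").write_text(files["etc/passwd"] + "eve:x:0:0::/tmp:/bin/sh\n")
        with (root / "var/log/auth.log").open("a") as f:
            f.write("Accepted password for eve\n")
        (root / "var/log/syslog").write_text("")
        (root / "tmp").mkdir()
        (root / "tmp/.x").write_text("#!/bin/sh\necho dropped\n")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for a in demo():
        print(f"[{a['severity']:6}] {a['event']:16} {a['path']}")
```

The baseline itself is the thing to protect: the "vulnerable to direct attacks" disadvantage on the next slides applies here, because an attacker who can rewrite the stored hashes after modifying a binary defeats the check. In practice the baseline is kept off-host or signed, which is how the "can monitor multiple computers" point is usually realised.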
Advantages
 Reliable
 Can detect local events
 Operates on the host system, where encrypted files and traffic are already decrypted and available
 Use of switched network protocols does not affect it
 Can detect inconsistencies in how application and system programs were used
Disadvantages
 Pose more management issues
 Configured and maintained on each host
 Vulnerable both to direct attacks and to attacks against the host operating system
 Not optimized to detect multi-host scanning
 Not able to detect scanning of non-host devices (routers and switches)
 Susceptible to denial-of-service attacks
 Can use large amounts of disk space for audit logs
 Can inflict a performance overhead on host systems
Application Based
 Examines an application for abnormal events
 Looks at files created by the application
 Anomalous occurrences – e.g. a user exceeding their authorization
 Tracks interaction between users and applications
 Able to trace specific activity back to an individual user
 Able to view encrypted data
 Can examine the encryption/decryption process
Advantages &
Disadvantages
 Advantages
 Aware of specific users
 Able to operate on encrypted data
 Disadvantages
 More susceptible to attack
 Less capable of detecting software tampering
IDS Methodologies
 Types (above) are determined by where the IDPS is placed for monitoring purposes
 Methodologies are determined by the detection method
 Two dominant methodologies
 Signature-based (knowledge-based)
 Statistical-anomaly-based
Signature Based
 Examines data traffic in search of patterns that match known signatures
 Footprinting and fingerprinting activities
 Specific attack sequences
 DoS
 Widely used
 Signature database must be continually updated
 Attack time-frame sometimes problematic
 Slow and methodical attacks may slip through
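A signature engine is a pattern matcher, but the matcher is only as good as the normalisation in front of it, which is where the "evasion" term from the terminology slides bites. The following is an added example for this page, not code from the textbook or from any IDPS: three constructed rules in the style of a content signature (destination port plus a regular expression) are run over constructed HTTP requests twice, once on the raw bytes and once after the request is canonicalised the way the web server would see it (URL decoding, inline SQL comment stripping, case folding). The rule IDs, messages and sample requests are all made up for the illustration.

```python
"""Signature-based detection over HTTP requests, with and without payload
normalisation. Added example: rules and requests are constructed, not a vendor
signature set."""
from __future__ import annotations
import re
from urllib.parse import unquote

# Constructed rule set: destination port plus a pattern over the normalised payload.
RULES = [
    {"sid": 1001, "msg": "directory traversal attempt", "port": 80,
     "pattern": re.compile(r"\.\./")},
    {"sid": 1002, "msg": "web scanner fingerprint (nikto)", "port": 80,
     "pattern": re.compile(r"user-agent:[^\r\n]*nikto")},
    {"sid": 1003, "msg": "SQL injection probe", "port": 80,
     "pattern": re.compile(r"\bunion\s+(all\s+)?select\b")},
]


def normalise(payload: bytes) -> str:
    """Canonicalise the request the way the target web server would interpret it."""
    text = payload.decode("latin-1")
    text = unquote(unquote(text))            # undo single and double URL encoding
    text = re.sub(r"/\*.*?\*/", " ", text)   # strip inline SQL comments used as spacers
    text = re.sub(r"[ \t]+", " ", text)      # collapse whitespace
    return text.lower()


def match(payload: bytes, dport: int, do_normalise: bool = True) -> list[dict]:
    """Return the rules that fire for one request. do_normalise=False shows how
    the same rules behave on the raw bytes."""
    text = normalise(payload) if do_normalise else payload.decode("latin-1")
    hits = []
    for rule in RULES:
        if rule["port"] not in (None, dport):
            continue
        if rule["pattern"].search(text):
            hits.append({"sid": rule["sid"], "msg": rule["msg"]})
    return hits


def fired(payload: bytes, dport: int = 80, do_normalise: bool = True) -> list[int]:
    return [h["sid"] for h in match(payload, dport, do_normalise)]


# Constructed traffic: a benign request, plain attacks, and evasion variants.
REQUESTS = {
    "benign":        b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "traversal":     b"GET /../../etc/passwd HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "traversal_enc": b"GET /%2e%2e%2f%2e%2e%2fetc/passwd HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "sqli_comment":  b"GET /item?id=1%20UNION/**/SELECT%20password%20FROM%20users HTTP/1.1\r\n\r\n",
    "nikto":         b"GET /cgi-bin/ HTTP/1.1\r\nUser-Agent: Mozilla/5.00 (Nikto/2.1.6)\r\n\r\n",
}

if __name__ == "__main__":
    for name, payload in REQUESTS.items():
        print(f"{name:14} raw={fired(payload, do_normalise=False)} "
              f"normalised={fired(payload)}")
```

Run as-is, the encoded traversal, the comment-spaced injection and the scanner banner all slip past the raw matcher and are caught only after normalisation. Two caveats carry over from the slides: the rule set has to be updated whenever a new pattern is published (a request that matches none of these three rules is invisible to this engine), and nothing here helps against an attacker who spreads the same probe over hours, which is the anomaly-based slide's territory.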
Statistical Anomaly Based
 Based on the frequency with which network activities take place
 Collects statistical summaries of “normal” traffic to form a baseline
 Measures current traffic against the baseline
 Traffic outside the baseline generates an alert
 Can detect new types of attacks
 Requires much more overhead and processing capacity
 May not detect minor changes to the baseline
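The baseline-and-threshold idea above, and its "minor changes slip through" limitation, can be shown on a single traffic feature. The following is an added example for this page, not code from the textbook or from any product: per-minute outbound connection counts from one workstation are fitted to a mean and standard deviation, later samples are scored as z-scores, and anything beyond k standard deviations is flagged. The counts, the k = 3 threshold and the three later observations are all constructed for the illustration.

```python
"""Statistical anomaly detection on connections-per-minute. Added example with
constructed counts; the feature and threshold are illustrative."""
from __future__ import annotations
import statistics
from dataclasses import dataclass


@dataclass
class Baseline:
    mean: float
    stdev: float
    k: float = 3.0                      # alert beyond k standard deviations

    @classmethod
    def fit(cls, samples: list[int], k: float = 3.0) -> "Baseline":
        if len(samples) < 2:
            raise ValueError("need at least two baseline samples")
        sd = statistics.stdev(samples)
        # Guard a perfectly flat baseline: zero stdev would flag any change at all.
        return cls(statistics.mean(samples), max(sd, 1e-9), k)

    def zscore(self, x: float) -> float:
        return (x - self.mean) / self.stdev

    def is_anomalous(self, x: float) -> bool:
        return abs(self.zscore(x)) > self.k

    def threshold(self) -> float:
        """Smallest count on the high side that would be flagged."""
        return self.mean + self.k * self.stdev


# Constructed "normal" window: connections per minute for one workstation.
NORMAL_WINDOW = [18, 22, 20, 19, 21, 20, 23, 17, 20, 21,
                 19, 20, 22, 18, 20, 21, 19, 20, 20, 21]


def evaluate(window: list[int], observed: dict[str, int], k: float = 3.0) -> dict[str, bool]:
    """Fit on window, then return {label: flagged} for each observed sample."""
    b = Baseline.fit(window, k)
    return {label: b.is_anomalous(x) for label, x in observed.items()}


# Constructed later observations: a scan burst, a busy but ordinary minute, and
# a slow C2 beacon (one extra connection every 20 s, i.e. +3/min) that stays
# under the threshold: the "slow and methodical" case the slides warn about.
OBSERVED = {"port_scan_burst": 210, "busy_minute": 24, "slow_beacon": 23}

if __name__ == "__main__":
    b = Baseline.fit(NORMAL_WINDOW)
    print(f"baseline mean={b.mean:.2f} stdev={b.stdev:.2f} threshold={b.threshold():.1f}/min")
    for label, x in OBSERVED.items():
        print(f"{label:16} {x:4} z={b.zscore(x):6.2f} anomalous={b.is_anomalous(x)}")
```

Two things worth noticing when you run it. First, the beacon sits at roughly two standard deviations and is never flagged, while lowering k far enough to catch it would also flag the ordinary busy minute: that trade-off is what "tuning" and "false positive" on the terminology slides refer to. Second, the training window has to be clean: if the scan burst is present while the baseline is being collected, it raises the mean and standard deviation so much that the same burst is later scored as normal (the last assertion in the accompanying test shows this), which is why baselines are collected from traffic that has been vetted rather than from whatever the sensor happened to see.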
Log file Monitors
 Similar to NIDS, but reviews logs rather than live traffic
 Looks for patterns & signatures in log files
 Able to look at multiple log files from different systems
 Large storage requirement
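The "multiple log files from different systems" point is where a log file monitor earns its keep: a slow login-guessing campaign spread over several hosts is invisible in any one host's log. The following is an added example for this page, not code from the textbook or from any SIEM: it parses sshd failure lines collected from three hosts, correlates them by source address inside a sliding five-minute window, and raises one compacted alarm per source (alarm clustering and compaction from the terminology slides) instead of one per line, with a known administrative jump host suppressed (alarm filtering). The log lines, hostnames, addresses and thresholds are all constructed.

```python
"""Log file monitor with cross-host correlation and alarm compaction. Added
example: the log lines, hosts, addresses and thresholds are constructed."""
from __future__ import annotations
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")

WINDOW = timedelta(minutes=5)
THRESHOLD = 5                            # failures per source inside WINDOW
SUPPRESSED_SOURCES = {"10.0.0.9"}        # constructed: the admin jump host


def parse(line: str):
    """Return a dict for an sshd password failure, or None for any other line."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")   # year-less syslog stamp
    return {"ts": ts, "host": m["host"], "user": m["user"], "src": m["src"]}


def correlate(lines: list[str]) -> list[dict]:
    """Group failures by source, slide WINDOW over them, and raise one alarm per
    source that crosses THRESHOLD, carrying compacted detail rather than lines."""
    by_src: dict[str, list[dict]] = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev and ev["src"] not in SUPPRESSED_SOURCES:
            by_src[ev["src"]].append(ev)
    alarms = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])      # collectors deliver out of order
        start = 0
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > WINDOW:
                start += 1
            if end - start + 1 >= THRESHOLD:
                hits = events[start:end + 1]
                hosts = sorted({e["host"] for e in hits})
                alarms.append({
                    "src": src,
                    "kind": "distributed brute force" if len(hosts) > 1 else "brute force",
                    "count": len(hits), "hosts": hosts,
                    "users": sorted({e["user"] for e in hits}),
                    "first": hits[0]["ts"].strftime("%H:%M:%S"),
                    "last": hits[-1]["ts"].strftime("%H:%M:%S"),
                })
                break                           # one compacted alarm per source
    return alarms


# Constructed syslog lines from three hosts, ingested out of order.
LOG_LINES = [
    "Mar 10 10:00:05 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Mar 10 10:00:09 db01 sshd[8812]: Failed password for root from 203.0.113.5 port 51240 ssh2",
    "Mar 10 10:00:07 web02 sshd[3190]: Failed password for invalid user admin from 203.0.113.5 port 51237 ssh2",
    "Mar 10 10:01:15 web01 sshd[2205]: Failed password for invalid user oracle from 203.0.113.5 port 51302 ssh2",
    "Mar 10 10:01:42 db01 sshd[8820]: Failed password for root from 203.0.113.5 port 51310 ssh2",
    "Mar 10 10:02:00 web01 sshd[2210]: Accepted publickey for alice from 10.0.0.9 port 40000 ssh2",
    "Mar 10 10:03:30 web01 sshd[2212]: Failed password for bob from 198.51.100.7 port 60000 ssh2",
    "Mar 10 10:03:50 web01 sshd[2213]: Failed password for bob from 198.51.100.7 port 60001 ssh2",
    "Mar 10 10:20:00 web02 sshd[3300]: Failed password for root from 10.0.0.9 port 41000 ssh2",
    "Mar 10 10:20:01 web02 sshd[3301]: Failed password for root from 10.0.0.9 port 41001 ssh2",
    "Mar 10 10:20:02 web02 sshd[3302]: Failed password for root from 10.0.0.9 port 41002 ssh2",
    "Mar 10 10:20:03 web02 sshd[3303]: Failed password for root from 10.0.0.9 port 41003 ssh2",
    "Mar 10 10:20:04 web02 sshd[3304]: Failed password for root from 10.0.0.9 port 41004 ssh2",
]

if __name__ == "__main__":
    for alarm in correlate(LOG_LINES):
        print(alarm)
```

Only the 203.0.113.5 campaign produces an alarm: two failures for bob are below threshold, and the jump host's five root failures are filtered out as noise. That filter is also the example's weak point: a blanket suppression by source address means a compromised jump host is never alarmed on, so in practice filters are scoped as narrowly as the site policy allows (specific users, specific targets) and reviewed as part of tuning.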
Responses to IDS
 Vary according to organization policy, objectives, and system capabilities
 Administrator must be careful not to make the problem worse
 Responses may be active or passive
Which One?
 Consider the system environment
 Technical specification of the systems environment
 Technical specification of current security protections
 Goals of the enterprise
 Formality of the system environment and management culture
Which One?
 Consider security goals and objectives
 Protecting from threats outside the organization?
 Protecting against insiders?
 Use the output of the IDS to determine new hardware/software needs
 Maintain managerial control over non-security-related network usage
Which One?
 Security policy
 Structure
 Job descriptions of system users
 Includes a reasonable-use policy
 What are you going to do if a violation occurs?
Which One?
 Organization requirements and constraints
 Outside Requirements
 Resource Constraints
 Features and Quality
 Tested Product
 User Level of Expertise
 Product Support
Strengths of IDS
 Monitoring & analysis of system events & user behaviors
 Testing the security state of system configurations
 Baselining the security state of the system & tracking changes to the baseline
 Pattern recognition
 Auditing and logging
 Alerting
 Measuring performance
Limitations of IDS
 An IDS cannot
 Compensate for weak or missing security mechanisms
 Instantly report or detect during heavy operations
 Detect newly published attacks
 Effectively respond to sophisticated attackers
 Automatically investigate
 Keep attacks from circumventing it
 Deal effectively with switched networks
Control Strategies
 Centralized
 Partially distributed
 Fully distributed
Centralized
 All IDS control functions are implemented and
managed in a centralized location
 1 management system
 Advantages
 Cost and control
 Specialization
 Disadvantage
Fully Distributed
 Opposite of centralized
 All control functions applied at the physical location of
each IDS component
 Each sensor/agent is best configured to deal with its
own environment
 Reaction to attacks is faster
Partially Distributed Control
 Individual agents respond to local threats
 Report to a hierarchical central facility
 One of the more effective methods
Honey Pots / Honey Nets / Padded Cell
Systems
Honey Pots
 Decoy systems
 Lure potential attackers away from critical systems
 Encourage attacks against themselves
Honey Net
 Collection of honey pots
 Connects honey pots on a subnet
 Contains pseudo-services that emulate well-known services
 Filled with fictitious information
 Padded Cell
 A protected honey pot
 The IDS detects the attack and transfers the attacker to a simulated environment
 Monitors the actions of the attacker
Trap and Trace Systems
 Detect an intrusion and trace the incident back to its source
 Consist of a honey pot or padded cell & an alarm
 Similar to the concept of caller ID
 Back-hacking
 Considered unethical
 Legal drawbacks to trap and trace
 Enticement vs. entrapment
Scanning and Analysis Tools
 Help find vulnerabilities in systems, holes in security components, and unsecured aspects of the network
 Allow the system admin to see what the attacker sees
 May run into problems with the ISP
 Port scanners – what is active on a computer
 Firewall analysis tools
 Operating system detection tools
 Vulnerability scanners
 Packet sniffers
Access Control Tools
 Authentication – validation of a user's identity
 4 general ways it is carried out
 Something you know (e.g. a password)
 Something you have (e.g. a token or smart card)
 Something you are (e.g. a biometric)
 Something you produce (e.g. a signature or voice pattern)