NETWORK SECURITY: INTRUSION DETECTION SYSTEMS (IDS)
Kandiah.M, Clarkson University, Potsdam, New York.

Introduction to IDS
• Why do we need an IDS?
  – Firewalls and IDS
  – Analogy-based example
• Classification of IDSs
• Models of IDS
  – Anomaly-based model
  – Signature-based model

A Typical Firewall Deployment
(Figure; source: http://www.scs-ca.com/images/topos/2-AV-01.gif)

Anomaly-Based IDS
• General functional mechanism
• Behavioral anomaly
  – Statistical approach
  • Example: traffic analysis
• Protocol anomaly
  – Based on protocols and communication structure
  • Example: insecure protocols
• Pros
  – Captures all IP headers
  – Filters out the respective legitimate traffic (mail, web, DNS, etc.)
  – More proactive
  – Quickly identifies probes and scans directed at network hardware
  – Best suited for larger networks and networks vulnerable to frequent hacking

Anomaly-Based IDS
• Cons
  – Often raises false alarms (false positives)
  – Needs skilled personnel to analyze the possible intrusions
  – Needs sophisticated hardware and software
  – Creates a large amount of log data
  – Increases network traffic (in some deployments)

Signature-Based IDS
• Based on known attack patterns
• There are two basic kinds of signature-based IDS:
  1. NIDS (Network Intrusion Detection System)
  2. HIDS (Host Intrusion Detection System)

What is an attack signature?
• A sequence of events: A->B->C, D->E
• Examples of signatures (Unix systems)
  – Gaining root privileges
  – Suspected repetitive actions
    » Using the command “sudo -s” or “su - root”
  – Using CGI scripts to access a file by fetching arguments
    » http://www.host.com/~xxxx or http://www.host.com/../../etc/passwd

Signature-Based IDS
• General functional mechanism
• Pros:
  – Ease of use
  – Looks for O/S-level changes (biggest advantage)
  – No need for skilled personnel
  – Commercial and open-source versions available
  – Regular updates of new signatures to the signature database

Signature-Based IDS
• Cons:
  – More reactive
  – More reliable updates only for commercial versions
  – More suited to hosts than networks
  • Why?
    – Depends on network traffic
    – Consumes CPU time
    – Can be hacked easily

Network Intrusion Detection Systems (NIDS)
• Functional mechanism
  – Uses huge standby databases of signatures
• Components of NIDS
  – Sensors and consoles

NIDS: A Typical Deployment
(Figure)

NIDS
• Selection criteria
  – Deployment of NIDS
  • Interference with network traffic
• Commercial NIDS
  – Example: Snort
• Open-source NIDS
  – Example: Bro
    » Monitors the network in passive mode
    » No direct interference with the network

HIDS
• Functional mechanism
  – Analogy example…
  – O/S-level changes
  – Sensors and killing the session
• Most efficient among all IDSs
  – Strips down all packets, including encrypted ones
• Commercial vs. open source
  – Example: Tripwire

HIDS: A Typical Deployment
(Figure)

Advancements in IDS
• Hybrid IDS
  – Combination of NIDS and HIDS functionality
• Decoy-based IDS
  – Example: our honeypot machine
  – No problem with false positives
    – Captures only unauthorized activities
    – All traffic is considered suspect

In Progress…
• Circumstances where unnoticed attacks take place
• Hybrid NIDS
• Detection points
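As an added example (not part of the deck), the two IDS models above in miniature: the signature model matched against the Unix/CGI signatures the deck lists (root-shell commands, `~user` probes, `../../etc/passwd`), and the statistical behavioral-anomaly model from the traffic-analysis example. All log lines, user names, addresses and traffic counts are constructed for illustration.

```python
import re
import statistics
from collections import Counter

# Constructed sample logs (not from the slides): web requests and shell audit records.
WEB_LOG = [
    "10.0.0.5 GET /index.html 200",
    "10.0.0.9 GET /~alice/ 200",
    "10.0.0.9 GET /../../etc/passwd 403",
    "10.0.0.7 GET /cgi-bin/view?file=../../etc/passwd 200",
]
AUTH_LOG = ["bob sudo -s", "bob su - root", "bob sudo -s", "carol sudo -s"]

# Signature model: the deck's Unix examples expressed as patterns.
# The home-directory pattern also fires on legitimate /~user/ pages,
# which is the false-positive cost of a broad signature.
SIGNATURES = {
    "path-traversal": re.compile(r"(?:\.\./){2,}etc/passwd"),
    "home-dir-probe": re.compile(r"/~\w+"),
    "root-shell": re.compile(r"\b(?:sudo -s|su - root)\b"),
}

def match_signatures(lines):
    """Return (line, signature_name) for each line matching a known signature."""
    return [(line, name) for line in lines
            for name, pat in SIGNATURES.items() if pat.search(line)]

def repeated_root_shells(auth_lines, threshold=3):
    """The deck's 'suspected repetitive actions': users who invoke a root
    shell at least `threshold` times. Returns {user: count}."""
    counts = Counter(line.split()[0] for line in auth_lines
                     if SIGNATURES["root-shell"].search(line))
    return {user: n for user, n in counts.items() if n >= threshold}

def traffic_anomalies(baseline, observed, k=3.0):
    """Behavioral (statistical) anomaly model from the traffic-analysis
    example: flag per-minute packet counts more than k standard deviations
    above the learned baseline mean. No signature is needed, but k trades
    detection against the false alarms the deck lists as a con."""
    mean = statistics.mean(baseline)
    sd = statistics.pstdev(baseline)
    return [x for x in observed if x > mean + k * sd]

if __name__ == "__main__":
    for line, name in match_signatures(WEB_LOG):
        print(f"[signature:{name}] {line}")
    print("repeated root shells:", repeated_root_shells(AUTH_LOG))
    baseline = [100, 110, 95, 105, 100, 90, 105, 100]   # learned quiet-period counts
    observed = [102, 98, 400, 110, 900]                  # counts under inspection
    print("traffic anomalies:", traffic_anomalies(baseline, observed))
```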