Network Security Monitoring
COEN 250

Indicators and Warnings
- Indicator: "an item of information which reflects the intention or capability of a potential enemy to adopt or reject a course of action"*
- Indications and Warnings: "the strategic monitoring of world military, economic, and political events to ensure that they are not the precursor to hostile or other activities which are contrary to U.S. interests"**
* DoD Dictionary of Military Terms
** U.S. Army Intelligence, Document on Indicators in Operations Other Than War

Indicators and Warnings
- Indicators generated by an Intrusion Detection System (IDS) are alerts
  - Examples:
    - Web server initiates outbound FTP to a site in Russia
    - Spike in ICMP messages
- Warnings
  - Result of the analyst's interpretation of an indicator
- Escalation of a warning
  - Conclusion that the warning warrants further analysis
  - Conclusion that the warning is indeed an incident
    - Triggers Incident Response

Intrusion Detection Systems

Intrusion Detection
- Process of monitoring events occurring in a computer system or network
- Analyzing them for signs of possible incidents
Incident
- Violation or imminent threat of violation of
  - computer security policies
  - acceptable use policies
  - standard security practices
- Arise from
  - Malware
  - Attacks
  - Honest errors

Intrusion Detection System
- Software that automates the detection process
Intrusion Prevention System
- Additionally has the capacity to stop some possible incidents

Key functions of IDS technology
- Recording information related to observed events
- Notifying security administrators of important observed events
- Producing reports
- IDPS technology can be augmented by human analysis

Key functions of IPS technology
- IPS stops the attack itself
  - Terminate network connection
  - Terminate user session
  - Block access to target from offending user account / IP address
  - Block all access to target
- IPS changes the security environment
  - IPS changes the configuration of other security controls to disrupt the attack
    - Reconfiguring a network device
    - Altering a host based firewall
    - Applying patches to a host it detects is vulnerable
- IPS changes the attack's contents
  - Remove or replace malicious portions of an attack
    - Remove an infected file attachment from e-mail, but allow the e-mail sans attachment to reach its destination
  - IPS acts as a proxy and normalizes incoming requests

Current IDPS technology has false positives and false negatives.
- Attackers use evasion techniques, e.g. using escaping

Common Detection Methodologies: Signature-Based Detection
- A signature is a pattern corresponding to a known threat
- Examples
  - Telnet attempt with user name "root"
  - e-mail with "You received a picture from a *"
  - OS system log entry indicating that the host's auditing has been disabled
- Very effective against known threats
- Basically ineffective against unknown threats
- Subject to evasion by polymorphic attacks

Common Detection Methodologies: Anomaly-Based Detection
- Relies on a definition of normal activity that is compared against observed events
- Identifies significant deviations
- Anomaly-based IDPS has profiles representing normal
  - Users
  - Hosts
  - Network connections
  - Applications
- Profiles are developed by observing the behavior of actors and activities over time
- Profile examples:
  - Amount of email a user sends
  - Bandwidth of web activities
  - Number of failed login attempts for a host
  - Level of processor utilization for a host
- Can be effective at detecting unknown threats
- Depends on the accuracy of profiles
  - Inadvertent inclusion of malicious activity in a profile
  - Dynamic profiles can be subverted by an attacker increasing activity slowly
  - Static profiles generate false positives if usage patterns differ
- Subject to stealth attacks
- Makes it difficult for a human analyst to find the reason for an alert

Common Detection Methodologies: Stateful Protocol Analysis
- Sometimes known as "deep packet inspection"
- Compares predetermined profiles of generally accepted definitions of benign protocol activity for each protocol state against observed events to identify deviations
- "Stateful" refers to the IDPS capability of understanding protocols
- Can identify unexpected sequences of commands
- Allows tracking of authenticators for each session
  - Helpful for human analysis of suspicious activity
- Typically includes reasonableness checks for individual commands
  - E.g. minimum and maximum length of arguments
- Uses protocol models based on standards
  - But most standards are underspecified
  - Many implementations are not completely compliant
- Very resource intensive
- Cannot detect attacks that do not violate a protocol
- Detects protocol bending attacks

Types of IDPS
- Network Based IDPS
- Wireless IDPS
- Network Behavior Analysis (NBA)
- Host-Based IDPS

Components
- Sensors / Monitors
  - Used for network activity monitoring
- Agent
  - Used for host-based IDPS
- Management Server
  - Centralized component that receives data from agents and monitors
  - Performs correlation: matching event information from different monitors
- Database server
  - Repository for previously recorded event information
- Console
  - Interface for the IDPS

Network Monitors: Deployment
- Depends on monitoring zones
  - Perimeter: external firewall through boundary router to the internet
  - DMZ
  - Wireless
  - Intranet(s)

Network Monitors: Data Collection Tools
- Hubs
- SPAN (Switched Port Analyzer)
- TAPs (Test Access Port)
- Inline devices

Network Monitors: Sensor Management
- Console access
  - Hard to manage
- In-band remote access
  - Potential for loss of data confidentiality
  - Not functioning during a successful DoS attack
- Virtual LAN
  - Potential for loss of data confidentiality
  - Not functioning during a successful DoS attack
- Out-of-band remote access
  - E.g. modem

Network Security Capabilities
- Information gathering
  - OS identification of hosts
  - General characteristics of networks
- Logging
  - to confirm alerts
  - to investigate incidents
  - to correlate events with other sources
  - needs to be protected against an attacker
  - needs to deal with clock drift
- Detection capabilities
  - Typically require tuning and customization
    - Thresholds
    - Blacklists and whitelists
    - Alert settings
    - IDPS code viewing and editing
- Prevention capabilities
  - Vary with technology / field

Management: Implementation
- Architecture design
  - Placement of sensors
  - Reliability of sensors
  - Location of other components
  - System interfaces
    - Systems to which the IDPS provides data
    - Systems which the IDPS resets for prevention
    - Systems that manage IDPS components
      - Patch management software
      - Network management software
- Component testing and deployment
  - Consider deployment in a test environment, e.g. to prevent a surge of false positives
  - IDPS deployment usually interrupts networks or systems for component installation
  - Configuration is typically a major effort
- Securing IDPS components
  - IDPS are often targeted by attackers
    - Because of their effects on security
    - Because of the sensitive data collected by the IDPS
  - System hardening
    - Usual means
    - Separate accounts for each IDPS user and administrator
    - Configure firewalls, routers, etc. to limit direct access to IDPS components
    - Protect IDPS management communication
      - Physically
      - Logically: encryption, strong authentication

Management: Operations and Maintenance
- Typically GUI, but sometimes command line
- Typical capabilities
  - Drill down
  - Reporting functions
  - Database open to scripted searches
- Need for ongoing solution maintenance
  - Monitor IDPS components for operational and security issues
  - Periodic test of proper functioning
  - Regular vulnerability assessments
  - Receipt of notifications of security problems from the vendor
  - Receipt of notifications for updates
- Acquiring and applying updates
  - Of signature files
  - Of IDPS software components

Management: Building and maintaining personnel skills
- Basic security training
- Vendor training
- Product documentation
- Technical support
- Professional services (consulting by vendors)
- User communities

Network Based IDPS

Typical components
- Appliance
  - Specialized hardware and sensor software / firmware
- Host-based
  - Only software

Architecture and Sensor Locations
- Inline
  - All traffic monitored must pass through it
  - Typically placed where firewalls etc. would be placed
    - Either hybrid devices
    - Or placed on the more secure side
- Passive
  - Monitors a copy of actual network traffic
    - Spanning port
    - Network tap
    - IDS load balancer
      - Receives copies of traffic from several sensors
      - Aggregates traffic from different networks
      - Distributes copies to one or more listening devices
  - Typically not capable of prevention

Typical detection capabilities
- Application layer reconnaissance and attacks
  - Typically analyze several dozen application protocols
  - Detects
    - Banner grabbing
    - Buffer overflows
    - Format string attacks
    - Password guessing
    - Malware transmission
- Transport layer reconnaissance and attacks
  - Detects
    - Port scanning
    - Unusual packet fragmentation
    - SYN floods
- Network layer reconnaissance and attacks
  - Detects
    - Spoofed IP addresses
    - Illegal IP header values
- Unexpected application services
  - Uses
    - Stateful protocol analysis
    - Anomaly detection
  - Detects
    - Tunneled protocols
    - Backdoors
    - Hosts running unauthorized application services
- Policy violations
  - Detects
    - Use of inappropriate Web sites
    - Use of forbidden application protocols

Detection Accuracy
- High degree of false positives and false negatives
- Difficulty based on
  - Complexity of the activities monitored
  - Different interpretation of the meaning of traffic between the IDPS sensor and the client / server
- Cannot deal with encrypted network traffic
  - VPN, HTTP over SSL, SSH
- Have limited capacity
  - Number of connections
  - Depth of analysis
  - Longevity of connections

Attacks on network based IDPS
- DDoS attacks generate unusually large volumes of traffic
- Generate loads of anomalous traffic to exhaust IDPS resources
- Blinding
  - Generates many IDPS alerts
  - The real attack is separate, but contemporary

Prevention capabilities
- Passive sensors only
  - Ending the current TCP session
    - Session sniping: sending resets to both partners
- Inline only
  - Perform inline firewalling
  - Throttle bandwidth usage
  - Alter malicious content
- Both passive and inline
  - Reconfigure other network security devices
  - Run a third party program or script

Wireless IDPS
- Wireless attacks typically require proximity to access points or stations
  - Typically need access to the radio link between stations and access points
- Many WLANs are configured with no or weak authentication

Wireless IDPS Components
- Same as for network-based IDPS
  - Consoles
  - Database servers
  - Management servers
  - Sensors
- Sensors function differently than for wired IDPS
  - Need to monitor two bands (2.4 GHz and 5 GHz)
  - Bands are divided into channels
  - A sensor only monitors a single channel at a time
  - Channel scanning (monitor a channel for seconds at most)

Wireless sensors
- Dedicated sensors
  - Typically completely passive
  - Fixed or mobile
- Bundled with an access point
- Bundled with a wireless switch
- Host-based IDPS sensor to be installed on a station

Wireless IDPS Sensor Locations
- Physical security
  - Often deployed in open locations because of greater range than in closed locations
- Sensor range
- Cost
- AP and wireless switch locations
  - Consider bundling or collocation

Wireless IDPS Security capabilities
- Information gathering
  - Identifying WLAN devices
    - Typically based on SSIDs and MAC addresses
  - Identifying WLANs
    - Keep track of observed WLANs identified by SSID
- Logging capability
- Detection capability
  - Events
    - Unauthorized WLANs and WLAN devices
    - Poorly secured WLAN devices
      - A station is using WEP instead of WPA2
    - Unusual usage patterns
    - The use of (active) wireless network scanners
    - Denial of service (DoS) attacks and conditions
    - Impersonation and man-in-the-middle attacks

Wireless IDPS Detection accuracy
- Usually quite high due to limited scope
- Tuning and customization
  - Specify authorized WLANs, access points, stations
  - Set thresholds for anomaly detection
  - Some use blacklists and whitelists

Wireless IDPS cannot detect:
- An attacker passively monitoring traffic
- Attackers with evasion techniques
  - Attacker can identify the IDPS product
    - Physical survey
    - Fingerprinting by prevention actions
  - Attacker takes advantage of the product's channel scanning scheme
    - Short bursts of attack packets on channels not currently monitored
    - Attack on two channels at the same time

Attacks on wireless IDPS
- Same DDoS techniques
- Physical attacks
- Jamming

Wireless IDPS Prevention capabilities
- Wireless
  - Terminate connections between rogue or misconfigured stations and rogue or misconfigured access points
  - Send discontinue messages to endpoints
- Wired prevention
  - Block network activity involving a particular station or access point

Network Behavior Analysis (NBA)
- Examines
  - Network traffic, or
  - Statistics on network traffic
- Identifies unusual traffic flows

Host Based IDPS
- Monitors a single host and events occurring within that host
  - Wired network traffic
  - Wireless network traffic
  - System logs
  - Running processes
  - File access and modification
  - System and application configuration changes

Host Based IDPS Components and architectures
- Agents (typically detection software)
  - Monitor activity on a single host
  - Transmit data to management servers
- Agents can be implemented as dedicated appliances
- Monitors:
  - Servers
  - Clients
  - An application service (application based IDPS)

Host Based IDPS Agent locations
- Commonly deployed to critical hosts
- But could be in a majority of systems, including laptops and desktops

Host Based IDPS Host architecture
- Agents often alter the internal architecture of hosts
- Done by a shim
  - Layer of code placed between existing layers of code
  - The shim intercepts data when it is passed between different layers
  - The shim analyzes the data and determines whether it is allowed or not

Host Based IDPS Security capabilities
- Logging
- Detection
  - Code analysis
    - Code behavior analysis in a sandbox
    - Buffer overflow detection through detecting tell-tale sequences of instructions or memory accesses
    - System call monitoring
      - Keylogger
      - COM object loading
      - Driver loading
    - Application and library lists
  - Network traffic analysis
    - Basically the same as a network or wireless IDPS would do
  - Network traffic filtering
    - Host based IDPS contains a host based firewall
  - File system monitoring
    - File integrity checking
    - File attribute checking
    - File access attempts
  - Log analysis of OS and application logs
  - Network configuration monitoring

Host Based IDPS Technology limits
- Alert generation delays
- Centralized reporting delays
- Host resource usage
- Conflicts with existing security controls
- Rebooting hosts to update the IDPS

Host Based IDPS Prevention capabilities
- Code analysis
- Network traffic analysis
- Network traffic filtering
- File system monitoring
- Removable media restrictions
- Audio-visual device monitoring
- Automatic host hardening
- Process status monitoring
- Network traffic sanitization
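The signature-based and anomaly-based detection slides above, worked as an added example (not course material): the three signature examples from the slides are run over constructed log lines, and the "failed login attempts per host" profile is tracked two ways, a static baseline and a dynamic (exponentially weighted) baseline, to show the slow-ramp subversion of dynamic profiles and the false positives of static ones. The log format, thresholds and smoothing factor are assumptions.

```python
import re
from collections import Counter

# Constructed sample log lines, assumed to be one record per line (not course material).
SAMPLE_LOGS = [
    "host1 telnetd: login attempt user=root from 10.0.0.7",
    "host1 auditd: auditing disabled by operator",
    "host2 sshd: Failed password for alice from 10.0.0.9",
    "host2 sshd: Failed password for alice from 10.0.0.9",
    "host3 smtpd: subject=You received a picture from a friend",
]

# Signature-based detection: each pattern corresponds to a known threat (the slide's examples).
SIGNATURES = {
    "telnet-root-login": re.compile(r"telnetd: login attempt user=root\b"),
    "auditing-disabled": re.compile(r"auditing disabled"),
    "picture-mail-worm": re.compile(r"You received a picture from a "),
}

def signature_alerts(lines):
    """Return (rule, line) for every line matching a signature; unknown threats yield nothing."""
    return [(name, ln) for ln in lines for name, rx in SIGNATURES.items() if rx.search(ln)]

def failed_logins_per_host(lines):
    """Anomaly-detection feature from the slides: failed login attempts per host."""
    return dict(Counter(ln.split()[0] for ln in lines if "Failed password" in ln))

def static_profile_alerts(series, baseline, factor=3.0):
    """Static profile: alert on any interval above factor * a fixed baseline."""
    return [i for i, v in enumerate(series) if v > factor * baseline]

def dynamic_profile_alerts(series, baseline, factor=3.0, alpha=0.3):
    """Dynamic profile: the baseline is an exponentially weighted moving average that
    keeps learning from every interval, including ones containing attacker activity."""
    alerts, est = [], float(baseline)
    for i, v in enumerate(series):
        if v > factor * est:
            alerts.append(i)
        est = (1 - alpha) * est + alpha * v  # profile absorbs the observed value
    return alerts

if __name__ == "__main__":
    print(signature_alerts(SAMPLE_LOGS))
    print(failed_logins_per_host(SAMPLE_LOGS))
    slow_ramp = [2, 3, 4, 6, 9, 13, 20, 30, 45]   # attacker raising activity slowly per interval
    print(static_profile_alerts(slow_ramp, 2), dynamic_profile_alerts(slow_ramp, 2))
    new_normal = [2, 2, 8, 8, 8]                   # legitimate change in usage pattern
    print(static_profile_alerts(new_normal, 2), dynamic_profile_alerts(new_normal, 2))
```

On the slow ramp the static profile alerts from the fifth interval on while the dynamic profile never alerts; on the legitimate usage change the static profile keeps alerting while the dynamic profile alerts once and then adapts.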
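The stateful protocol analysis slides above, worked as an added example (not course material): a per-state model of acceptable commands for a simplified SMTP-style session flags unexpected command sequences and applies the reasonableness check on argument length. The transition table and length limits are assumptions for illustration, not a full RFC 5321 model, and a message that follows the protocol correctly produces no deviation, which is the slide's point about attacks that do not violate the protocol.

```python
# Simplified SMTP-style protocol model (an assumption for this example, not a full
# RFC 5321 implementation): the commands acceptable in each state and the state each
# one leads to. "END" stands for the end-of-message marker after DATA.
TRANSITIONS = {
    "INIT":  {"HELO": "READY", "EHLO": "READY"},
    "READY": {"MAIL": "MAIL"},
    "MAIL":  {"RCPT": "RCPT"},
    "RCPT":  {"RCPT": "RCPT", "DATA": "DATA"},
    "DATA":  {"END": "READY"},
}
# Reasonableness check per command: (min, max) argument length, assumed limits.
ARG_LIMITS = {"HELO": (1, 64), "EHLO": (1, 64), "MAIL": (6, 256),
              "RCPT": (4, 256), "DATA": (0, 0), "END": (0, 0)}
# Commands acceptable in any state; None means the state is unchanged.
ANY_STATE = {"QUIT": "CLOSED", "RSET": "READY", "NOOP": None}

def analyze_session(commands):
    """Run a client's command sequence through the protocol model.
    Returns (final_state, deviations); each deviation is (index, command, reason)."""
    state, deviations = "INIT", []
    for i, line in enumerate(commands):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ANY_STATE:
            state = ANY_STATE[verb] or state
            continue
        allowed = TRANSITIONS.get(state, {})
        if verb not in allowed:          # unexpected sequence of commands
            deviations.append((i, verb, f"unexpected in state {state}"))
            continue
        lo, hi = ARG_LIMITS[verb]
        if not lo <= len(arg) <= hi:     # argument length outside the reasonable range
            deviations.append((i, verb, f"argument length {len(arg)} outside [{lo}, {hi}]"))
            continue
        state = allowed[verb]
    return state, deviations

if __name__ == "__main__":
    # Constructed sessions: a benign one, an out-of-order one, and an oversized argument.
    benign = ["EHLO mail.example.test", "MAIL FROM:<a@example.test>",
              "RCPT TO:<b@example.test>", "DATA", "END", "QUIT"]
    print(analyze_session(benign))                       # ('CLOSED', [])
    print(analyze_session(["MAIL FROM:<a@example.test>", "EHLO x"]))
    print(analyze_session(["EHLO " + "A" * 300]))
```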