An Introduction to Intrusion Detection Systems
Presented by Himanshu Gupta, MCSE, MCP+I

Outline
• What is Intrusion Detection?
• Types of IDS
• Approaches to IDS
• Requirements
• Limitations
• Evading IDSs
• Testing and Evaluating IDSs
• Computer Forensics
• IDS Tools: nmap, Nessus (NeWT), Snort 2.1, IDScenter, ACID, WinPcap, Ethereal
• Links
• Books

Network Security Quiz
• What is CIA?
• What is a bastion host?
• What is a DMZ?
• What is a honeypot?
• Why does a network switch implementation make network monitoring difficult?

What is Intrusion Detection?
Intrusion detection is the art of detecting inappropriate, incorrect, or anomalous activity, whether it originates inside or outside the network.

Why do we need IDS?
Preparation, detection, containment and eradication.

Types of IDS
– Host-based ID systems
  • ID systems that operate on a host to detect malicious activity on that host.
– Network-based ID systems
  • ID systems that operate on network data flows.

Components of IDS
• Engine
• Console

Detection Methodologies: Approaches to IDS
Statistical Anomaly Detection
• Based on time, frequency and length of session
• For example: user X logs on at 03:00 AM and has never done so in the past; this raises a flag.
Protocol Verification/Anomaly Detection
Signature Detection
• Based on pattern matching: look for a specific string in the network data presented to the IDS.
The Flexible Alternative: Rules-based Detection
• Stateful monitoring (packet analysis, flow analysis), e.g. a SYN flood to all ports
• Integrity checker: based on a hashing mechanism. Detects changes to files within your systems, authorized and unauthorized alike; telling the two apart requires re-baselining after every approved change.
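Two of the approaches above, statistical anomaly detection and the hash-based integrity checker, are easy to show in a few dozen lines. The following is an added example written for this page, not code from the deck or from any of the tools it lists. The login history and the two "filesystem" snapshots are constructed sample data; the baseline model (set of hours seen per user, plus mean and standard deviation of session length) and the 3-sigma threshold are this example's own choices, not something the deck specifies.

```python
"""Added example (not code from the deck): two of the detection approaches
listed above, run over constructed sample data.

1. Statistical anomaly detection: a per-user baseline of login hours and
   session lengths is built from past logins, and a new event is flagged
   when it falls outside that baseline (the deck's "user logs on at 03:00
   and never has before" case).
2. Integrity checking: a baseline snapshot of file hashes is compared with
   a later snapshot to report added, removed and modified files.
"""
import hashlib
import statistics
from collections import defaultdict

# Constructed login history for the anomaly baseline: (user, hour, minutes).
LOGIN_HISTORY = [
    ("alice", 9, 480), ("alice", 8, 500), ("alice", 9, 470),
    ("alice", 10, 450), ("alice", 9, 490),
    ("bob", 22, 60), ("bob", 23, 45), ("bob", 21, 70),
    ("bob", 22, 55), ("bob", 23, 65),
]


def build_baseline(history):
    """Per-user profile: hours ever seen, mean and stdev of session length."""
    hours, lengths = defaultdict(set), defaultdict(list)
    for user, hour, minutes in history:
        hours[user].add(hour)
        lengths[user].append(minutes)
    return {
        user: {"hours": hours[user],
               "mean": statistics.mean(lengths[user]),
               "stdev": statistics.pstdev(lengths[user])}
        for user in hours
    }


def anomaly_flags(baseline, user, hour, minutes, z_threshold=3.0):
    """Reasons a login event is anomalous; an empty list means it fits."""
    profile = baseline.get(user)
    if profile is None:
        return ["no baseline for user"]
    flags = []
    if hour not in profile["hours"]:
        flags.append(f"{user} logged on at {hour:02d}:00, never seen before")
    # A zero stdev (identical past sessions) would divide by zero; treat any
    # deviation at all as one sigma in that case.
    z = abs(minutes - profile["mean"]) / (profile["stdev"] or 1.0)
    if z > z_threshold:
        flags.append(f"session of {minutes} min is {z:.1f} sigma from the mean")
    return flags


# Constructed "filesystem" snapshots: path -> file content.
FILES_BASELINE = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/bin/ls": b"\x7fELF original ls binary",
    "/etc/hosts.deny": b"ALL: ALL\n",
}
FILES_LATER = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/bin/ls": b"\x7fELF replaced ls binary",    # modified
    "/tmp/.hidden/backdoor": b"#!/bin/sh\n",    # added
}                                               # /etc/hosts.deny removed


def snapshot(files):
    """Hash every file; the baseline should be stored off the monitored host."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def integrity_diff(baseline, current):
    """Added, removed and modified paths between two hash snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


if __name__ == "__main__":
    base = build_baseline(LOGIN_HISTORY)
    for event in [("alice", 3, 480), ("alice", 9, 30), ("bob", 22, 60),
                  ("mallory", 12, 10)]:
        print(event, anomaly_flags(base, *event) or "ok")
    print(integrity_diff(snapshot(FILES_BASELINE), snapshot(FILES_LATER)))
```

Running it flags alice's 03:00 login (unseen hour) and her 30-minute session (far outside her baseline), passes bob's usual late-evening login, and reports /bin/ls as modified, /tmp/.hidden/backdoor as added and /etc/hosts.deny as removed. Note what the integrity checker cannot do: it reports that /bin/ls changed, not whether the change was a patch or a replacement, which is why the baseline has to be refreshed after approved changes and kept somewhere the monitored host cannot rewrite it.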
Types of Response
Active
• Alerts: visual, audio, e-mail, pager, SNMP alarms
• Dropping the connection, or throttling it to slow the attack
• Blocking traffic completely
• Reconfiguring network devices
• Additional intelligence mining
• Launching a counter-attack (rarely advisable: the apparent source may be spoofed, and attacking back carries legal risk)
• Updating policy
Passive
• Snapshots taken for later analysis

Requirements
• Hardware for sensor and analysis stations
• Active monitoring and analysis of IDS output
• Baseline creation
• Real-time alerts
• Matching against comprehensive signatures
• Log tracking
• Automatic updates

Limitations of IDS
• Functionality on high network bandwidths (what is the limit? ~300 Mbps)
• Multiple simultaneous attacks
• Late response, e.g. a DoS attack: by the time it is detected the damage is already done
• Direct attack against the IDS itself
• Unknown attacks
• Unsolved problems: tunneling, ambiguities (e.g. different implementations of the protocol stack)
• Not independent of the whole security architecture
• A great deal of tuning required
• Performance of the detection algorithms
• Working on encrypted data
• Working in switched environments

Evading IDSs
Assumption: the attacker knows the IDS algorithm.
E.g. mimicry attack: a malicious payload is executed on the host while mimicking normal application behavior.
Evasion techniques are used to stay below the radar of your IDS:
– Fragmentation
– Slow scan
– Stealth scan
– Out-of-order packets
– Ambiguous packets (crafting)
– Encoding such as %u, UTF-8 (%xx%xx), hex (%xx)
– Use of a well-known port (Code Red)

Testing and Evaluating IDSs
• Log fidelity: is all the information there?
• Usability (GUI)
• Can it be fine-tuned depending on requirements?
• Ability to write your own rules and modify existing ones
• Low false-positive rate
• Cost issues
• Ability to detect unknown attacks
• Secure: the system should remain secure even when the attacker knows all the internal details of the system (Kerckhoffs's principle)
• Real-time detection and response
• OS independence

Leading Products
• Dragon from Enterasys – http://www.enterasys.com/ids/
• Cisco Secure IDS – http://www.cisco.com/go/ids/
• Snort – http://www.snort.org/
• ISS RealSecure – http://www.iss.net/securing_e-business/
• SHADOW – http://www.whitehats.ca – ftp://ftp.whitehats.ca/pub/ids/shadow-slack/shadow.iso

Computer Forensics
• Where did the attack come from?
• What was the attacker's method?
• Do we have any hope of catching the intruder?
• Do we have any evidence to prosecute the intruder?
• What if the attack script erased the logs? (Logs shipped off-host as they are written, e.g. to a remote syslog collector, survive this.)

WinPcap: the Free Packet Capture Library for Windows
WinPcap is an open source library for packet capture and network analysis for the Win32 platforms. It includes a kernel-level packet filter, a low-level dynamic link library (packet.dll), and a high-level and system-independent library (wpcap.dll, based on libpcap version 0.6.2). The packet filter is a device driver that adds to Windows 95, 98, ME, NT, 2000, XP and 2003 the ability to capture and send raw data from a network card, with the possibility of filtering the captured packets and storing them in a buffer. Packet.dll is an API that can be used to directly access the functions of the packet driver, offering a programming interface independent of the Microsoft OS version. Wpcap.dll exports a set of high-level capture primitives that are compatible with libpcap, the well-known Unix capture library. These functions allow packets to be captured in a way that is independent of the underlying network hardware and operating system. WinPcap is released under a BSD-style license.
Nmap – Free Network Scanner for Network Exploration and Security

Snort 2.1 – The de facto standard for intrusion detection and prevention
• Simple, efficient, free IDS
• Very well-written and maintained, robust application
• Snort is driven by a set of (community-developed) rules
• Actively (constantly) under development
• Windows and UNIX versions available

Snort 2.1
• Alerts are generated and/or packets logged when a "rule" is triggered.
• Very simple rule language for writing your own rules
• Ability to log alerts to syslog, to directories in ASCII, or as raw data in tcpdump format
• Different alert styles, from one-line to verbose
• Modular "plug-in" architecture for adding functionality
• Many available plug-ins, including SQL and Oracle database logging, statistical analysis, TCP stream and telnet session reassembly, and active response using "sniping"
• Resistant against some of the newer attacks directed at foiling IDSs

IDScenter – A front-end for Snort intrusion detection systems
• Snort 2.0, 1.9, 1.8 and 1.7 support; Snort service mode support
• Snort configuration wizard
• Online updates of IDS rules: IDScenter integrates an HTTP client and starts an update script on demand
• Ruleset editor: supports all Snort 2.0 rule options
• HTML report from SQL backend
• Alert notification via e-mail, alarm sound or visual notification only
• AutoBlock plugins: write your own plugins (DLL) for your firewall
• Monitoring: global event logging, integrated log viewer, log rotation (compressed archiving of log files)
• Program execution possible if an attack was detected

ACID – Analysis Console for Intrusion Databases
The Analysis Console for Intrusion Databases (ACID) is a PHP-based analysis engine to search and process a database of security events generated by various IDSes, firewalls, and network monitoring tools.
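The Snort rule language just described and the encoding evasions listed earlier under "Evading IDSs" are best seen together, since the point of normalizing HTTP traffic before matching is precisely to defeat those evasions. The block below is an added example written for this page; it is not Snort's code or the deck's. It parses a small subset of Snort's rule syntax (header plus msg, content, uricontent, nocase, sid) and matches constructed HTTP requests against it. In real Snort the request URI is decoded by the HTTP preprocessor and uricontent matches the normalized URI; decode_uri here is a simplified stand-in for that preprocessor (it unwinds %xx, %uXXXX and double encoding byte by byte, and does not do UTF-8 or overlong-sequence handling). The rules carry sids in the local range and the requests are synthetic, constructed only to show the encodings.

```python
"""Added example (not code from the deck or from Snort itself): a miniature
Snort-style rule matcher, showing two things from the slides.

* A rule in Snort's syntax is parsed into header fields and options, and a
  packet raises an alert when every part of the rule matches.
* The encoding evasions listed under "Evading IDSs" (%xx hex, %uXXXX and
  double encoding) defeat a raw byte match (content) but not a match
  against a normalized URI (uricontent). decode_uri is a simplified
  stand-in for Snort's HTTP preprocessor, not Snort's own code.

All rules and packets below are constructed for this example.
"""
import re

# Rule header: action proto src sport -> dst dport (options)
_HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
_HEX = re.compile(r"%([0-9a-fA-F]{2})")
_UNICODE = re.compile(r"%u([0-9a-fA-F]{4})")


def parse_rule(text):
    """Parse one single-line rule; options become a {name: value} dict."""
    m = _HEADER.match(text.strip())
    if not m:
        raise ValueError(f"bad rule: {text!r}")
    rule = m.groupdict()
    rule["options"] = {}
    for opt in filter(None, (o.strip() for o in rule.pop("opts").split(";"))):
        key, _, value = opt.partition(":")       # flag options have no value
        rule["options"][key.strip()] = value.strip().strip('"')
    return rule


def decode_uri(uri, max_rounds=3):
    """Normalize a request URI before matching: decode %uXXXX and %XX in a
    bounded loop (so double encoding such as %252e -> %2e -> '.' unwinds),
    fold backslashes to slashes, and collapse /./ segments."""
    for _ in range(max_rounds):
        decoded = _UNICODE.sub(lambda m: chr(int(m.group(1), 16)), uri)
        decoded = _HEX.sub(lambda m: chr(int(m.group(1), 16)), decoded)
        if decoded == uri:
            break
        uri = decoded
    uri = uri.replace("\\", "/")
    while "/./" in uri:
        uri = uri.replace("/./", "/")
    return uri


def _contains(hay, needle, nocase):
    return (needle.lower() in hay.lower()) if nocase else (needle in hay)


def rule_matches(rule, pkt, normalize=True):
    """pkt: {"proto", "dport", "payload"}. True when every rule part matches."""
    if rule["proto"] != pkt["proto"]:
        return False
    if rule["dport"] != "any" and int(rule["dport"]) != pkt["dport"]:
        return False
    opts, nocase, payload = rule["options"], "nocase" in rule["options"], pkt["payload"]
    if "content" in opts and not _contains(payload, opts["content"], nocase):
        return False                              # raw bytes, no decoding
    if "uricontent" in opts:
        uri = payload.split(" ", 2)[1] if payload.startswith(("GET ", "POST ")) else ""
        if normalize:
            uri = decode_uri(uri)
        if not _contains(uri, opts["uricontent"], nocase):
            return False
    return True


def scan(rules, packets, normalize=True):
    """[(sid, packet index)] for every rule/packet pair that alerts."""
    return [(r["options"].get("sid"), i)
            for r in rules for i, p in enumerate(packets)
            if rule_matches(r, p, normalize)]


RULES = [parse_rule(r) for r in [
    'alert tcp any any -> any 80 (msg:"cmd.exe in URI"; uricontent:"cmd.exe"; nocase; sid:1000001; rev:1;)',
    'alert tcp any any -> any 80 (msg:"cmd.exe raw bytes"; content:"cmd.exe"; nocase; sid:1000002; rev:1;)',
]]

PACKETS = [  # constructed HTTP requests to port 80
    {"proto": "tcp", "dport": 80, "payload": "GET /scripts/cmd.exe?/c+dir HTTP/1.0\r\n"},
    {"proto": "tcp", "dport": 80, "payload": "GET /scripts/%63%6d%64.exe HTTP/1.0\r\n"},   # hex
    {"proto": "tcp", "dport": 80, "payload": "GET /scripts/%u0063md.exe HTTP/1.0\r\n"},     # %u
    {"proto": "tcp", "dport": 80, "payload": "GET /scripts/%2563md.exe HTTP/1.0\r\n"},      # double
    {"proto": "tcp", "dport": 80, "payload": "GET /index.html HTTP/1.0\r\n"},
]

if __name__ == "__main__":
    print("normalized:", scan(RULES, PACKETS))
    print("raw only:  ", scan(RULES, PACKETS, normalize=False))
```

With normalization the uricontent rule fires on the plain request and on all three encoded variants, while the content rule, which matches raw bytes, fires only on the plain request; with normalization switched off the encoded variants slip past both rules. That gap is exactly what the "Encoding such as %u, UTF, HEX" bullet refers to, and it is why a signature IDS has to decode the protocol it is inspecting before it compares strings. The bounded decode loop matters too: an unbounded one would let an attacker burn sensor CPU with deeply nested encodings.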
The features of ACID currently include:
– Query-builder and search interface for finding alerts matching on alert meta-information (e.g. signature, detection time) as well as the underlying network evidence (e.g. source/destination address, ports, payload, or flags).
– Packet viewer (decoder) that graphically displays the layer-3 and layer-4 packet information of logged alerts
– Alert management: constructs to logically group alerts into incidents (alert groups), delete handled alerts or false positives, export to e-mail for collaboration, or archive alerts to transfer them between alert databases.
– Chart and statistics generation based on time, sensor, signature, protocol, IP address, TCP/UDP ports, or classification
(Screenshot: ACID packet decode view)

NeWT – Nessus Windows Technology
Nessus – Open Source Vulnerability Scanner Project
NeWT is a complete network vulnerability scanner which includes high-speed checks for more than 6000 of the most commonly updated vulnerabilities. NeWT and NeWT Pro perform the following types of vulnerability checks:
– Buffer overflow checks in daemons such as Sendmail and IIS
– Default user accounts
– Misconfigured email, FTP and web servers
– Discovery of open ports and host OS discovery
– Denial of service (DoS) discovery
– Backdoors and virus-infected hosts
– P2P, chat and suspicious file-sharing services

Ethereal – A Network Protocol Analyzer
Ethereal is used by network professionals around the world for troubleshooting, analysis, software and protocol development, and education. Its open source license allows talented experts in the networking community to add enhancements. It runs on all popular computing platforms, including Unix, Linux, and Windows. Data can be captured "off the wire" from a live network connection, or read from a capture file.
• 673 protocols can currently be dissected.
• Ethereal can read capture files from tcpdump (libpcap), NAI's Sniffer™ (compressed and uncompressed), Sniffer™ Pro, NetXray™, Sun snoop and atmsnoop, Shomiti/Finisar Surveyor, AIX's iptrace, Microsoft's Network Monitor, Novell's LANalyzer, RADCOM's WAN/LAN Analyzer, HP-UX nettl, i4btrace from the ISDN4BSD project, Cisco Secure IDS iplog, the pppd log (pppdump format), the AG Group's/WildPackets' EtherPeek/TokenPeek/AiroPeek, and Visual Networks' Visual UpTime. It can also read traces made from Lucent/Ascend WAN routers and Toshiba ISDN routers, as well as the text output from VMS's TCPIPtrace utility and the DBS Etherwatch utility for VMS. Any of these files can be compressed with gzip and Ethereal will decompress them on the fly.
• Live data can be read from Ethernet, FDDI, PPP, Token Ring, IEEE 802.11, Classical IP over ATM, and loopback interfaces (at least on some platforms; not all of those types are supported on all platforms).
• Captured network data can be browsed via the GUI, or via the TTY-mode "tethereal" program.
• Capture files can be programmatically edited or converted via command-line switches to the "editcap" program.
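The tcpdump (libpcap) format heads the list above for a reason: it is the common currency of the tools in this deck, written by Snort's raw-data logging and by WinPcap-based capture, and read by Ethereal and its command-line siblings. The following reader is an added example written for this page, not code from the deck, Ethereal, WinPcap or Snort. It parses the libpcap global header and record headers, then decodes each frame through Ethernet and IPv4 to the TCP or UDP fields that a console such as ACID shows as "layer-3 and layer-4 packet information". To run offline, build_sample_pcap() constructs a one-packet capture in memory; that packet (a SYN from 10.0.0.5 to 192.0.2.10:80, checksums left at zero) is synthetic.

```python
"""Added example (not code from the deck, Ethereal, WinPcap or Snort): a
reader for the libpcap/tcpdump capture format, decoding each record down to
layer-3/layer-4 fields. build_sample_pcap() constructs the capture bytes in
memory so the example runs offline; it is a synthetic trace, not a real one.
"""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4          # microsecond-timestamp pcap, either byte order
LINKTYPE_ETHERNET = 1
TCP_FLAGS = [(0x02, "SYN"), (0x10, "ACK"), (0x08, "PSH"), (0x01, "FIN"),
             (0x04, "RST"), (0x20, "URG")]


def build_sample_pcap():
    """One Ethernet/IPv4/TCP SYN from 10.0.0.5:40000 to 192.0.2.10:80.
    IP and TCP checksums are left at zero; the reader does not verify them."""
    eth = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton("10.0.0.5"), socket.inet_aton("192.0.2.10"))
    frame = eth + ip + tcp
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype.
    global_hdr = struct.pack("=IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535,
                             LINKTYPE_ETHERNET)
    # Record header: ts_sec, ts_usec, captured length, original length.
    record_hdr = struct.pack("=IIII", 1_100_000_000, 123456, len(frame), len(frame))
    return global_hdr + record_hdr + frame


def decode_frame(frame, ts):
    """Ethernet -> IPv4 -> TCP/UDP. Other ethertypes are reported, not decoded."""
    pkt = {"ts": ts, "len": len(frame),
           "ethertype": struct.unpack_from("!H", frame, 12)[0]}
    if pkt["ethertype"] != 0x0800 or len(frame) < 34:
        return pkt
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack_from(
        "!BBHHHBBH4s4s", frame, 14)
    ihl = (ver_ihl & 0x0F) * 4                    # IPv4 options make this > 20
    pkt.update(src=socket.inet_ntoa(src), dst=socket.inet_ntoa(dst),
               ttl=ttl, proto=proto)
    l4 = frame[14 + ihl:14 + total_len]           # drop any Ethernet padding
    if proto == 6 and len(l4) >= 20:              # TCP
        sport, dport, seq, _, off, flags = struct.unpack_from("!HHIIBB", l4, 0)
        pkt.update(sport=sport, dport=dport, seq=seq,
                   flags=[name for bit, name in TCP_FLAGS if flags & bit],
                   payload=l4[(off >> 4) * 4:])
    elif proto == 17 and len(l4) >= 8:            # UDP
        sport, dport, ulen, _ = struct.unpack_from("!HHHH", l4, 0)
        pkt.update(sport=sport, dport=dport, payload=l4[8:ulen])
    return pkt


def read_pcap(data):
    """Yield one decoded packet dict per record of a libpcap byte string."""
    # The magic number also reveals the writer's byte order.
    if struct.unpack_from("<I", data, 0)[0] == PCAP_MAGIC:
        e = "<"
    elif struct.unpack_from(">I", data, 0)[0] == PCAP_MAGIC:
        e = ">"
    else:
        raise ValueError("not a libpcap capture (bad magic)")
    linktype = struct.unpack_from(e + "I", data, 20)[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(e + "IIII", data, offset)
        offset += 16
        frame = data[offset:offset + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated record (capture cut short?)")
        offset += incl_len
        yield decode_frame(frame, ts_sec + ts_usec / 1e6)


if __name__ == "__main__":
    for p in read_pcap(build_sample_pcap()):
        print(p)
```

The reader trusts the IP header length field only after masking it out of the version/IHL byte, slices the layer-4 segment by the IP total length rather than the frame length (so Ethernet trailer padding never gets mistaken for payload), and refuses a record whose captured length runs past the end of the data rather than silently decoding garbage. Those are the same places where an analyzer dissecting hostile captures tends to go wrong.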
IETF Intrusion Detection Working Group (IDWG)
RFCs and active Internet drafts defining IDS requirements, language, and framework: www.ietf.org/html.charters/idwg-charter.html
• Intrusion Detection Message Exchange Requirements – draft-ietf-idwg-requirements-10 – http://www.ietf.org/internet-drafts/draft-ietf-idwg-requirements-10.txt
• The Intrusion Detection Message Exchange Format – draft-ietf-idwg-idmef-xml-12 – http://www.ietf.org/internet-drafts/draft-ietf-idwg-idmef-xml-12.txt
• The Intrusion Detection Exchange Protocol (IDXP) – draft-ietf-idwg-beep-idxp-07 – http://www.ietf.org/internet-drafts/draft-ietf-idwg-beep-idxp-07.txt
• The TUNNEL Profile (RFC 3620) – http://www.ietf.org/rfc/rfc3620.txt

Links
• Intrusion Detection FAQ – http://www.sans.org/resources/idfaq/
• Nmap – Free Security Scanner for Network Exploration and Security – http://www.insecure.org/nmap/
• Snort 2.1 – The de facto standard for intrusion detection and prevention – www.snort.org
• ACID – Analysis Console for Intrusion Databases – www.cert.org/kb/acid/
• Nessus – Open Source Vulnerability Scanner Project – www.nessus.org
• NeWT – Nessus Windows Technology – www.tenablesecurity.com/products/newt.shtml
• Ethereal – A Network Protocol Analyzer – www.ethereal.com
• WinPcap – winpcap.polito.it/
• Snort IDScenter – www.engagesecurity.com/products/idscenter/

Books
• Network Intrusion Detection (3rd Edition) – Stephen Northcutt, Judy Novak
• Snort 2.1 Intrusion Detection, Second Edition – Jay Beale, Brian Caswell
• Nessus Network Auditing (Jay Beale's Open Source Security) – Renaud Deraison, Noam Rathaus, HD Moore, Raven Alder, George Theall, Andy Johnston, Jimmy Alderson
• Ethereal Packet Sniffing – Angela D. Orebaugh, Gilbert Ramirez, Ethereal.com
• Inside Network Perimeter Security: The Definitive Guide to Firewalls, Virtual Private Networks (VPNs), Routers, and Intrusion Detection Systems – Stephen Northcutt, Lenny Zeltser, Scott Winters, Karen Fredrick, Ronald W. Ritchey
• Practical Unix & Internet Security, 3rd Edition – Simson Garfinkel, Gene Spafford, Alan Schwartz

Thanks
I hope this session was informative :-)
If you would like any more sessions in April 2005, please let the ACM officers know.
E-mail – hg24d@umkc.edu