Presentation

advertisement
An Introduction
to
Intrusion Detection
Systems
Presented By
Himanshu Gupta
MCSE, MCP+I
Outline
 What is Intrusion Detection ?
 Types of IDS
 Approaches to IDS
 Requirements
 Limitations
 Evading IDS’s
 Testing and Evaluating IDS’s
 Computer Forensics
 IDS Tools – nmap, nessus(newt), Snort 2.1, IDS Center, ACID,
WinPcap, Ethereal,
 Links
 Books
Network Security Quiz
 What is CIA ?
 What is a Bastion Host ?
 What is DMZ ?
 What is a Honey pot ?
 Why does a Network Switch Implementation
makes Network Monitoring Difficult?
What is Intrusion Detection ?
Intrusion Detection is the art of detecting
inappropriate, incorrect, or anomalous
activity (internal/external).
Why do we need IDS?
Preparation, detection, containment and Eradication
Types of IDS
– Host-based ID systems
• ID systems that operate on a host to detect malicious
• activity on that host.
– Network-based ID systems
• ID systems that operate on network data flows
Components of IDS
•
Engine
•
Console
Detection Methodologies -Approaches
to IDS
 Statistical Anomaly Detection
• Based on time, frequency, length of session
• For example: X user logs on at 0300 AM and has never done so in the past,
it will raise a flag
 Protocol Verification/Anomaly Detection
 Signature Detection
– Based on Pattern-matching - look for a specific string in the network
data being presented to the IDS
 The Flexible Alternative: Rules-based Detection
• Stateful Monitoring (Packet Analysis, Flow Analysis) e.g. SYN Flood to all
ports
• Integrity Checker - Based on hashing mechanism. Detects authorized and
unauthorized changes to files within your systems.
Types of Response
 Active
Alerts – Visual, Audio, E-mail, Pager, SNMP Alarms
Dropping connection or Throttling it to slow attack
Block Traffic Completely
Reconfiguring Network Devices
Additional intelligence mining
Launching counter attack
Update Policy
 Passive
Snapshots taken for later analysis
Requirements
 Hardware for sensor and analysis stations
 Active monitoring and Analysis of IDS Output
 Baseline Creation
 Real Time Alerts
 Match With Comprehensive Signatures
 Provides Log Tracking
 Automatic Updates
Limitations of IDS











Functionality on High Network Bandwidths (What is the limit? ~ 300 Mbps)
Multiple Attacks
Late Response – e.g. DOS Attack – The damage is already done
Direct Attack against the IDS itself
Unknown Attacks
Unsolved Problems – Tunneling, Ambiguities (e.g. different implementations
of protocol stack)
Is not independent of the whole security architecture
Great Deal of Tuning required
Performance of Algorithms
Working on Encrypted data
Working in Switched Environments
Evading IDS’s
 Assumption – Attacker knows the IDS Algorithm
 E.g.Mimicry Attack – Malicious payload is executed on
the host while mimicking normal application behavior
 Evasion techniques are used in order to navigate below the
radar of your IDS
–
–
–
–
–
–
–
Fragmentation
Slow scan
Stealth scan
Out of order packets
Ambiguous packet (crafting)
Encoding such as %u, UTF (%xx%xx), HEX (%xx)
Use of well known port (Codered)
Testing and Evaluating IDS’s
 Log Fidelity – Is all the info there ?
 Usability - GUI
 Can be fine tuned depending on requirements?
 Ability to write own rules, modify existing ones
 Low false positives rate
 Cost Issues
 Ability to detect unknown attacks
 Secure – The system should remain secure even when the attacker
knows all the internal details of the system (Kerkhoff’s Principle)
 Real Time Detection and Response
 OS Independence
Leading Products
 Dragon from Enterasys
– http://www.enterasys.com/ids/
 CISCO Secure IDS
– http://www.cisco.com/go/ids/
 Snort
– http://www.snort.org/
 ISS Real Secure
– http://www.iss.net/securing_e-business/
 SHADOW
– http://www.whitehats.ca
– ftp://ftp.whitehats.ca/pub/ids/shadow-slack/shadow.iso
Computer Forensics
 Where did the attack come from ?
 What was the attacker method?
 Do we have any hope of catching the
intruder?
 Do we have any evidence to prosecute the
intruder?
What if the attack script erased the logs ?
WinPcap: the Free Packet
Capture Library for Windows
 WinPcap is an open source library for packet capture and network analysis for the
Win32 platforms. It includes a kernel-level packet filter, a low-level dynamic link
library (packet.dll), and a high-level and system-independent library (wpcap.dll, based
on libpcap version 0.6.2).
 The packet filter is a device driver that adds to Windows 95, 98, ME, NT, 2000, XP and
2003 the ability to capture and send raw data from a network card, with the possibility to
filter and store in a buffer the captured packets.
 Packet.dll is an API that can be used to directly access the functions of the packet driver,
offering a programming interface independent from the Microsoft OS.
 Wpcap.dll exports a set of high level capture primitives that are compatible with
libpcap, the well known Unix capture library. These functions allow to capture packets
in a way independent from the underlying network hardware and operating system.
 WinPcap is released under a BSD-style license.
Nmap – Free Network Scanner for
Network Exploration and Security
Snort 2.1 – The de facto standard for
intrusion detection and prevention
 Simple, Efficient FREE IDS
 Very well-written and maintained, robust
application
 Snort is driven by a set of (community
developed) rules
 Actively (constantly) under development
 Windows and UNIX versions available
Snort 2.1
 Alerts generated and/or packets logged when a "rule" is






triggered.
Very simple rule language for writing your own rules
Ability to log alerts to syslog, directories in ascii, tcpdump
format raw data
Different alert styles from one-line, to verbose
Modular "plug-in" architecture for adding functionality
Many available plug-ins, including SQL and Oracle
database logging, statistical analysis, TCP stream and telnet
session reassembly, active response using "sniping"
Resistant against some of the newer attacks directed at
foiling IDS’s
IDS Center- A front-end for Snort
intrusion detection systems
 Snort 2.0, 1.9, 1.8 and 1.7 support, Snort service mode support
 Snort configuration wizard
 Online updates of IDS rules: IDScenter integrates a http client and starts







an update script on demand
Ruleset editor: supports all Snort 2.0 rule options
HTML report from SQL backend
Alert notification via e-mail, alarm sound or only visual notification
AutoBlock plugins: write your own plugins (DLL) for your firewall
Monitoring
Global event logging, Integrated log viewer, Log rotation (compressed
archiving of log files)
Program execution possible if an attack was detected
IDS Center- A front-end for Snort
intrusion detection systems
IDS Center- A front-end for Snort
intrusion detection systems
ACID - Analysis Console for Intrusion
Databases
The Analysis Console for Intrusion Databases (ACID) is a PHP-based
analysis engine to search and process a database of security events
generated by various IDSes, firewalls, and network monitoring tools.
The features currently include:
– Query-builder and search interface for finding alerts matching on
alert meta information (e.g. signature, detection time) as well as the
underlying network evidence (e.g. source/destination address, ports,
payload, or flags).
– Packet viewer (decoder) will graphically display the layer-3 and
layer-4 packet information of logged alerts
– Alert management by providing constructs to logically group alerts to
create incidents (alert groups), deleting the handled alerts or false
positives, exporting to email for collaboration, or archiving of alerts to
transfer them between alert databases.
– Chart and statistics generation based on time, sensor, signature,
protocol, IP address, TCP/UDP ports, or classification
ACID - Analysis Console for Intrusion
Databases – Packet Decode
NeWT - Nessus Windows
Technology
 Nessus – Open Source Vulnerability Scanner Project
 NeWT is a complete network vulnerability scanner which includes high-
speed checks for more than 6000 of the most commonly updated
vulnerabilities,
 NeWT and NeWT Pro perform the following types of vulnerability
checks including:
–
–
–
–
–
–
–
Buffer overflow checks in daemons such as Sendmail and IIS
Default user accounts
Misconfigured email, ftp and web servers
Discovery of open ports and host OS discovery
Denial of service (DOS) discovery
Backdoors and virus infected host
P2P, chat and suspicious file sharing services
NeWT - Nessus Windows Technology
NeWT - Nessus Windows Technology
Ethereal – A Network Protocol
Analyzer
 Ethereal is used by network professionals around
the world for troubleshooting, analysis, software
and protocol development, and education.
 Its open source license allows talented experts in
the networking community to add enhancements.
 It runs on all popular computing platforms,
including Unix, Linux, and Windows.
 Data can be captured "off the wire" from a live
network connection, or read from a capture file.
 673 protocols can currently be dissected
Ethereal – A Network Protocol
Analyzer
 Ethereal can read capture files from tcpdump (libpcap), NAI's Sniffer™
(compressed and uncompressed), Sniffer™ Pro, NetXray™, Sun snoop and
atmsnoop, Shomiti/Finisar Surveyor, AIX's iptrace, Microsoft's Network
Monitor, Novell's LANalyzer, RADCOM's WAN/LAN Analyzer, HP-UX nettl,
i4btrace from the ISDN4BSD project, Cisco Secure IDS iplog, the pppd log
(pppdump-format), the AG Group's/WildPacket's
EtherPeek/TokenPeek/AiroPeek, or Visual Networks' Visual UpTime. It can also
read traces made from Lucent/Ascend WAN routers and Toshiba ISDN routers,
as well as the text output from VMS's TCPIPtrace utility and the DBS
Etherwatch utility for VMS. Any of these files can be compressed with gzip and
Ethereal will decompress them on the fly.
 Live data can be read from Ethernet, FDDI, PPP, Token-Ring, IEEE 802.11,
Classical IP over ATM, and loopback interfaces (at least on some platforms; not
all of those types are supported on all platforms).
 Captured network data can be browsed via a GUI, or via the TTY-mode
"tethereal" program.
 Capture files can be programmatically edited or converted via command-line
switches to the "editcap" program.
Ethereal – A Network Protocol Analyzer
IETF Intrusion Detection
Working Group (IDWG)
RFC’, active Internet drafts defining IDS requirements, language, and framework
www.ietf.org/html.charters/idwg-charter.html
 Intrusion Detection Message Exchange Requirements -draft-ietf-idwg-requirements-10
http://www.ietf.org/internet-drafts/draft-ietf-idwg-requirements-10.txt
 The Intrusion Detection Message Exchange Format draft-ietf-idwg-idmef-xml-12
http://www.ietf.org/internet-drafts/draft-ietf-idwg-idmef-xml-12.txt
 The Intrusion Detection Exchange Protocol (IDXP) draft-ietf-idwg-beep-idxp-07
http://www.ietf.org/internet-drafts/draft-ietf-idwg-beep-idxp-07.txt
 The TUNNEL Profile (RFC 3620)
http://www.ietf.org/rfc/rfc3620.txt
Links
Intrusion Detection FAQ - http://www.sans.org/resources/idfaq/
Network Scanning Tool Nmap – Free Security Scanner for Network Exploration and Security
http://www.insecure.org/nmap/
Snort 2.1 – The de facto standard for intrusion detection and prevention - www.snort.org
ACID - Analysis Console for Intrusion Databases - www.cert.org/kb/acid/
Nessus – Open Source Vulnerability Scanner Project - www.nessus.org
NeWT - Nessus Windows Technology - www.tenablesecurity.com/products/newt.shtml
Ethereal – A network Protocol Analyzer - www.ethereal.com
WinPcap - winpcap.polito.it/
Snort IDS Center - www.engagesecurity.com/products/idscenter/
Books
 Network Intrusion Detection (3rd Edition)





Stephen Northcutt, Judy Novak
Snort 2.1 Intrusion Detection, Second Edition
Jay Beale, Caswell
Nessus Network Auditing (Jay Beale's Open Source Security)
Renaud Deraison, Noam Rathaus, HD Moore, Raven Alder, George Theall, Andy
Johnston, Jimmy Alderson
Ethereal Packet Sniffing
Angela D. Orebaugh, Gilbert Ramirez, Ethereal.com
Inside Network Perimeter Security: The Definitive Guide to Firewalls, Virtual
Private Networks (VPNs), Routers, and Intrusion Detection Systems
Stephen Northcutt, Lenny Zeltser, Scott Winters, Karen Fredrick, Ronald W. Ritchey
Practical Unix & Internet Security, 3rd Edition
Simson Garfinkel, Gene Spafford, Alan Schwartz
Thanks
I hope this session was
Informative :-)
If you would like any more sessions in April
2005 please let the ACM Officers know
E-mail – hg24d@umkc.edu
Download