Post on 17-Jan-2016

Intrusion Detection on a Shoestring Budget

Shane Williams

UT Austin Graduate School of Library and Information Science

Oct. 18, 2000

SANS Network Security 2000

2

Setting

• Public university department
  – Lean budget
  – Priority on openness
  – Limited technical knowledge
  – Independent faculty
  – Heterogeneous computing environment

3

Setting

• Implications for security
  – Prime target for crackers
  – Not everyone understands need for security
  – Policy can be hard to implement
  – Solutions must be:
    • Inexpensive
    • Unobtrusive

4

Solutions

• Focus on Open Source Software
  – Often cost-free
  – Can run on inexpensive hardware

• Prioritize security activities
  – Prevention
  – Detection
  – Maintenance
  – Only then identify

5

Prevention

• Verify clean systems or detection can be subverted

• Identify platform-specific vulnerabilities
  – Patch operating systems
  – Patch server software (www, ftp, etc.)

• Enforce good user practices (especially as regards passwords).

6

Detection

• Network based
  – Network Flight Recorder (NFR)
    • Academic Research version
  – Snort
  – Tcpdump

• Host based
  – Tripwire

7

Detection

• Create a watchtower
  – Minimal open ports
    • SSH
    • Only visible from within subnet
  – Used many of the same tools mentioned above

• About $2000 to $2500
  – FreeBSD OS
  – Commodity components

8

Network Based IDS

• Switched versus shared may cause complications
  – Network IDS needs to see the network
  – Can work in a switched environment, but:
    • Depends on switching equipment
    • Switches are often controlled outside departments

• False positives

9

Network Flight Recorder

• Created to act as a “black box” for intrusion detection

• Advantages
  – Records all network traffic
  – Alerts on specific signatures
  – Good query tools
  – Remote interface

10

Network Flight Recorder

• Disadvantages
  – Data collection takes up space
  – Space management feature didn’t always work
  – No longer freely available

11

Snort

• Created to be a lightweight network IDS
  – Lightweight meaning compact and efficient
  – Not lightweight on performance

• Advantages
  – Small size
  – Easy to install
  – Open source development means continued enhancement

12

Snort

• Disadvantages
  – Only saves suspect traffic
  – No query features
    • But other developers are working on this
  – Experiencing growing pains

13

Tcpdump

• Simple but powerful utility for listening to network traffic

• Advantages
  – Can collect packet payload
  – Indispensable in understanding exploits

• Disadvantages
  – Massive data storage requirements

14

Tripwire

• Host-based IDS that calculates digital signatures of specified files

• Differences between older open source version and newer commercial version
  – Signed files require pass phrase to change
  – Levels of violation

15

Tripwire

• Advantages
  – Doesn’t depend on network
  – Minimal false positives
  – Can catch local exploits

16

Tripwire

• Disadvantages
  – Requires careful setup to prevent subversion
  – Databases must be kept up to date

• Best in hierarchical structure
  – Minimizes possibility of tampering
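The Tripwire model from the three slides above, as an added illustration that is not from the talk or from Tripwire itself: a minimal Python file-integrity checker that records a SHA-256 hash plus metadata per file, seals the baseline database with an HMAC keyed from an operator pass phrase (standing in for the signed database the commercial version protects with a pass phrase), and reports added, removed and changed files. The file names, contents and pass phrase in `demo()` are constructed for the example.

```python
import hashlib, hmac, json, os, tempfile
def file_record(path):
    # Fingerprint one file: content hash plus the metadata a Tripwire-style checker compares.
    st, h = os.lstat(path), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": st.st_mode}
def build_baseline(paths):
    return {p: file_record(p) for p in paths if os.path.isfile(p)}
def seal(db, key):
    # Serialize the baseline and append an HMAC so edits to the database itself are caught.
    blob = json.dumps(db, sort_keys=True).encode()
    return blob + b"\n" + hmac.new(key, blob, hashlib.sha256).hexdigest().encode()
def unseal(sealed, key):
    blob, _, mac = sealed.rpartition(b"\n")
    expected = hmac.new(key, blob, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, mac):
        raise ValueError("baseline database failed integrity check")
    return json.loads(blob)
def compare(baseline, paths):
    # Report files added, removed or changed relative to the sealed baseline.
    current = build_baseline(paths)
    both = set(baseline) & set(current)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "changed": sorted(p for p in both if baseline[p] != current[p])}
def write(path, data, mode="wb"):
    with open(path, mode) as f:
        f.write(data)
def demo():
    # Constructed scenario: baseline two files, alter one, add one, then tamper with the database.
    key = b"operator pass phrase (constructed)"  # Tripwire derives its signing key from a pass phrase
    with tempfile.TemporaryDirectory() as d:
        a, b, c = (os.path.join(d, n) for n in ("passwd", "inetd.conf", "unknown.so"))
        write(a, b"root:x:0:0\n"); write(b, b"ftp stream tcp\n")
        sealed = seal(build_baseline([a, b]), key)
        write(a, b"extra:x:0:0\n", "ab")   # simulated change to a monitored file
        write(c, b"\x7fELF")               # simulated new, unexpected file
        report = compare(unseal(sealed, key), [a, b, c])
        tampered = sealed[:-1] + (b"0" if sealed[-1:] != b"0" else b"1")  # flip one MAC digit
        try:
            unseal(tampered, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
        out = {k: [os.path.basename(p) for p in v] for k, v in report.items()}
        out["tamper_detected"] = tamper_detected
        return out
```

The sealed database should itself live on read-only media or another host, which is the "hierarchical structure" the slide recommends; the HMAC only detects tampering, it does not prevent it.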

17

Conclusions

• There are plenty of free tools out there

• Host based better than network based
  – IPv6
  – Encrypted traffic

• Tripwire is a preferred tool
  – Works well now to detect attacks
  – Potential to be enhanced even more

18

Questions? Comments?