Post on 17-Jan-2016
Intrusion Detection on a Shoestring Budget
Shane Williams
UT Austin Graduate School of Library and Information Science
Oct. 18, 2000
SANS Network Security 2000
Setting
• Public university department
– Lean budget
– Priority on openness
– Limited technical knowledge
– Independent faculty
– Heterogeneous computing environment
Setting
• Implications for security
– Prime target for crackers
– Not everyone understands the need for security
– Policy can be hard to implement
– Solutions must be:
  • Inexpensive
  • Unobtrusive
Solutions
• Focus on Open Source Software
– Often cost-free
– Can run on inexpensive hardware
• Prioritize security activities
– Prevention
– Detection
– Maintenance
– Only then identify
Prevention
• Verify that systems are clean first; otherwise detection can be subverted (a compromised host can lie to its own IDS)
• Identify platform-specific vulnerabilities
– Patch operating systems
– Patch server software (www, ftp, etc.)
• Enforce good user practices (especially as regards passwords)
Detection
• Network based
– Network Flight Recorder (NFR)
  • Academic Research version
– Snort
– Tcpdump
• Host based
– Tripwire
Detection
• Create a watchtower
– Minimal open ports
  • SSH
  • Only visible from within the subnet
– Used many of the same tools mentioned above
• About $2000 to $2500
– FreeBSD OS
– Commodity components
Network Based IDS
• Switched versus shared may cause complications
– Network IDS needs to see the network
– Can work in a switched environment, but:
  • Depends on switching equipment (the sensor needs a mirror/SPAN port)
  • Switches are often controlled outside departments
• False positives
Network Flight Recorder
• Created to act as a “black box” for intrusion detection
• Advantages
– Records all network traffic
– Alerts on specific signatures
– Good query tools
– Remote interface
Network Flight Recorder
• Disadvantages
– Data collection takes up space
– Space management feature didn’t always work
– No longer freely available
Snort
• Created to be a lightweight network IDS
– Lightweight meaning compact and efficient
– Not lightweight on performance
• Advantages
– Small size
– Easy to install
– Open source development means continued enhancement
Snort
• Disadvantages
– Only saves suspect traffic
– No query features
  • But other developers are working on this
– Experiencing growing pains
Tcpdump
• Simple but powerful utility for listening to network traffic
• Advantages
– Can collect packet payload
– Indispensable in understanding exploits
• Disadvantages
– Massive data storage requirements
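The Snort and Tcpdump slides above describe two halves of one job: capturing full packet payloads, and matching them against signatures. The following is an added example, not code from the slides and not Snort's or tcpdump's own code: a toy Snort-style content matcher over raw IPv4/TCP packets of the kind a full-snaplen tcpdump capture contains. The rule set, the alert messages, and the sample packets are all constructed here for illustration; the `keep_all` switch contrasts Snort's "only save suspect traffic" behaviour with NFR's "record everything" behaviour.

```python
"""Added example (not from the slides, and not Snort's or tcpdump's code):
a toy Snort-style content matcher over raw IPv4/TCP packets of the kind a
full-snaplen tcpdump capture would contain. Rules and packets are constructed."""
import struct
from typing import Dict, List, Optional, Tuple

# Hypothetical rules modelled on Snort's "content" keyword:
# (destination port or None for any port, byte pattern, alert message)
RULES: List[Tuple[Optional[int], bytes, str]] = [
    (80, b"/etc/passwd", "WEB-MISC /etc/passwd access attempt"),
    (80, b"cmd.exe", "WEB-IIS cmd.exe access"),
    (None, b"\x90" * 16, "SHELLCODE x86 NOP sled"),
]


def parse_ipv4_tcp(packet: bytes) -> Optional[Dict]:
    """Decode IPv4 + TCP headers; None for non-IPv4, non-TCP or truncated packets."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 6 or len(packet) < ihl + 20:   # IP protocol 6 = TCP
        return None
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    tcp = packet[ihl:min(total_len, len(packet))]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                   # TCP header length in bytes
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "payload": tcp[data_off:]}


def match_rules(pkt: Dict) -> List[str]:
    """Messages of every rule whose port constraint and content both match."""
    return [msg for port, content, msg in RULES
            if (port is None or pkt["dport"] == port) and content in pkt["payload"]]


def inspect(packets: List[bytes], keep_all: bool = False) -> List[Tuple]:
    """keep_all=False: Snort-style, retain only packets that fired a rule.
    keep_all=True: NFR-style, retain every packet with its (possibly empty) alerts."""
    kept = []
    for raw in packets:
        pkt = parse_ipv4_tcp(raw)
        if pkt is None:
            continue
        hits = match_rules(pkt)
        if hits or keep_all:
            kept.append((pkt["src"], pkt["dst"], pkt["dport"], hits))
    return kept


def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4/TCP packet (checksums left zero; not validated above)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + tcp


# Constructed sample traffic, not a real capture.
SAMPLE_PACKETS = [
    build_packet("10.0.0.5", "10.0.0.80", 40001, 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    build_packet("192.0.2.9", "10.0.0.80", 40002, 80,
                 b"GET /cgi-bin/view?f=../../etc/passwd HTTP/1.0\r\n\r\n"),
    build_packet("192.0.2.9", "10.0.0.25", 40003, 25, b"HELO x\r\n" + b"\x90" * 32),
    build_packet("10.0.0.5", "10.0.0.80", 40004, 8080, b"GET /cmd.exe HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    for src, dst, dport, hits in inspect(SAMPLE_PACKETS):
        print(f"ALERT {src} -> {dst}:{dport}: {'; '.join(hits)}")
```

The last sample packet carries `cmd.exe` but goes to port 8080, so the port-80 rule stays silent; that is the kind of tuning that drives the false-positive and growing-pains points above. For the payload this matcher needs, tcpdump must be run with a full snaplen (`-s 0`), which is exactly what produces the storage cost the slide mentions; the `-C` (file size) and `-W` (file count) options bound it by rotating capture files.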
Tripwire
• Host-based IDS that calculates cryptographic checksums (“signatures”) of specified files and reports changes against a stored baseline
• Differences between the older open source version and the newer commercial version
– Signed files require a pass phrase to change
– Levels of violation
Tripwire
• Advantages
– Doesn’t depend on the network
– Minimal false positives
– Can catch local exploits
Tripwire
• Disadvantages
– Requires careful setup to prevent subversion
– Databases must be kept up to date
• Best in a hierarchical structure
– Minimizes the possibility of tampering
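The three Tripwire slides above (signatures of specified files, a pass phrase to change the signed database, careful setup against subversion) come together in the following added example. It is not Tripwire's own code: a minimal host-based integrity checker that fingerprints a tree, stores the baseline with an HMAC keyed from a pass phrase, and reports added, removed and modified files. The directory tree, file contents and pass phrase are constructed for the demonstration; the fixed PBKDF2 salt is an example simplification.

```python
"""Added example (not Tripwire's own code): a minimal host-based file
integrity checker in the spirit of Tripwire. The baseline is protected by
an HMAC keyed from a pass phrase, so an intruder who can overwrite the
database file still cannot re-baseline a trojaned binary without it."""
import hashlib
import hmac
import json
import os
import shutil
import stat
import tempfile
from typing import Dict, Tuple

# Properties compared per file (a subset of what Tripwire policies can watch).
PROPS = ("size", "mode", "uid", "gid", "mtime", "sha256")


def fingerprint(path: str) -> Dict:
    """Metadata plus a SHA-256 digest of the content (Tripwire's 'signature')."""
    st = os.lstat(path)
    h = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    return {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid,
            "mtime": int(st.st_mtime), "sha256": h.hexdigest()}


def scan(root: str) -> Dict[str, Dict]:
    """Fingerprint every file below root, keyed by path relative to root."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = fingerprint(full)
    return db


def _mac_key(passphrase: str) -> bytes:
    # Fixed salt is an example simplification; a real tool would store a random one.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), b"example-salt", 50_000)


def sign_db(db: Dict, passphrase: str) -> str:
    """Serialise the baseline canonically and attach an HMAC over it."""
    body = json.dumps(db, sort_keys=True)
    mac = hmac.new(_mac_key(passphrase), body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"db": body, "mac": mac})


def load_db(blob: str, passphrase: str) -> Dict:
    """Return the baseline only if its MAC verifies under this pass phrase."""
    outer = json.loads(blob)
    expect = hmac.new(_mac_key(passphrase), outer["db"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expect, outer["mac"]):
        raise ValueError("baseline database failed integrity check")
    return json.loads(outer["db"])


def compare(baseline: Dict, current: Dict) -> Dict:
    """Added / removed files, and for modified files which properties changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for path in sorted(set(baseline) & set(current)):
        changed = [p for p in PROPS if baseline[path][p] != current[path][p]]
        if changed:
            modified[path] = changed
    return {"added": added, "removed": removed, "modified": modified}


def demo(passphrase: str = "correct horse") -> Tuple[Dict, bool]:
    """Constructed scenario: baseline a small tree, trojan a binary keeping its
    size, drop a new file, then try to forge the database without the pass phrase."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"original ls binary")
        with open(os.path.join(root, "etc", "passwd"), "wb") as f:
            f.write(b"root:x:0:0::/root:/bin/sh\n")
        blob = sign_db(scan(root), passphrase)

        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"trojaned ls binary")          # same size, different content
        with open(os.path.join(root, "bin", "rootkit"), "wb") as f:
            f.write(b"not supposed to be here")
        current = scan(root)
        report = compare(load_db(blob, passphrase), current)

        # Attacker edits the stored baseline to match the trojan, lacking the key.
        outer = json.loads(blob)
        inner = json.loads(outer["db"])
        inner["bin/ls"]["sha256"] = current["bin/ls"]["sha256"]
        outer["db"] = json.dumps(inner, sort_keys=True)
        try:
            load_db(json.dumps(outer), passphrase)
            forgery_detected = False
        except ValueError:
            forgery_detected = True
        return report, forgery_detected
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

The size-preserving trojan is caught by the digest alone, which is why a checksum and not just file size or mtime is the property that matters. The MAC stops an intruder from quietly accepting their own changes, but it does not help if the checker, its database or the pass phrase live on the compromised host; that is the "careful setup" and "hierarchical structure" point: keep the baseline (and ideally run the comparison) from the watchtower or another trusted machine.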
Conclusions
• There are plenty of free tools out there
• Host based better than network based, given:
– IPv6
– Encrypted traffic (payload is invisible to a network sensor)
• Tripwire is a preferred tool
– Works well now to detect attacks
– Potential to be enhanced even more
Questions? Comments?
URLs
• Network Flight Recorder: http://www.nfr.com/
• Snort: http://www.snort.org/
• Tripwire: http://www.tripwire.com/
• Updated info: http://www.gslis.utexas.edu/~shanew/security.html