An Introduction to Intrusion Detection/Prevention, Vulnerability Assessment and related Technologies
Network Security
Contents
• Lecture aims and learning outcomes
• Assumptions
• Motivation - Why Intrusion Detection and Vulnerability Assessment
  • Attack Development
  • Vulnerability Development
  • Hacker Strategy
• Detection - Intrusion Detection Systems
  • Host based IDS
  • Network Based IDS
• Prevention - Vulnerability Assessment
  • Software
  • Services (Audits)
  • Web-Based Services
• Counter attacks
  • Honey Pots
  • Appliances
• Summary
Lecture aims and learning outcomes
• The lecture aims are:
  • To describe the problems related to network based attacks
  • To describe how some of these problems may be addressed
• At the end of this lecture you will be able to:
  • Demonstrate an understanding of the main issues relating to threats in the context of network attacks
  • Understand a number of basic design components for building a network security architecture
  • Demonstrate an understanding of the importance of a security policy with reference to the security of a computer network
  • Describe the features and security mechanisms which are generally used to implement security policies for dealing with the security of a computer network
Assumption
• Perimeter security devices (e.g. firewalls) and computer security mechanisms (e.g. application and OS security) can only offer best effort at preventing attacks.
• They may fail to do so:
  • a firewall may be misconfigured,
  • a password may be sniffed off the network,
  • a new attack type may emerge (cf. zero-day attacks).
• They do not detect when an attack is underway or has taken place.
• And they do not react to attacks.
Traditional Methods
• Example: imagine continuous inspection of a Unix system by hand (similar examples for NT, W2K):
  • The following simplified checklist is taken from CERT (http://www.cert.org/tech_tips/intruder_detection_checklist.html):
1. Examine log files for connections from unusual locations or other unusual activity. For example, look at your 'last' log, process accounting, all logs created by syslog, and other security logs.
2. Look for setuid and setgid files (especially setuid root files) everywhere on your system. Intruders often leave setuid copies of /bin/sh or /bin/time around to allow them root access at a later time.
Ad Hoc Intrusion Detection
• Imagine the complexity and degree of expertise needed to carry out the tasks in this checklist for every host and every sensitive network link on a network every single day.
• The ad hoc approach is not recommended!
• Automated systems are needed to:
  • monitor multiple hosts and network links for suspicious behaviour;
  • report this behaviour, possibly react to it.
• Hence: Intrusion Detection Systems (IDS).
Motivation
Vulnerability Development
(Chart, source: SecurityFocus: number of vulnerabilities reported per year from 1999 to 2003, plotted for Linux (aggr.), Solaris, Windows and the Total; vertical axis 0 to 700.)
Motivation
Attack Sophistication vs. Intruder Knowledge
(Chart, source: Carnegie Mellon University: attack sophistication plotted against intruder knowledge (high to low) over 1980 to 2000. Techniques plotted include password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, "stealth"/advanced scanning techniques, burglaries, network mgmt. diagnostics, distributed attack tools, cross site scripting, and staged / auto-coordinated attacks.)
Motivation
Vulnerability & Exploit Lifecycle
(Diagram of the stages a vulnerability passes through: First Discovery, Selective Awareness, Advisory Release, Widespread Awareness, and Vulnerability Scanners adding a detection signature.)
Unauthorized Use of Computer Systems within the Last 12 Months
Origin of the Attack
Which Type of Attacks ?
Dollar Amount of Losses by Type
Reactions to attacks
A Typical Hacker Strategy
• Primary Target Identification - Identify hosts (marked in the diagram) with external visibility; a second marker denotes internal hosts with high value data but no external view.
  (Diagram: PING SWEEP from the Internet against the CORP NETWORK.)
A Typical Hacker Strategy
• Primary Target Analysis - Identify services running on visible hosts to prioritize further probing activities.
  (Diagram: PORT SWEEP against the CORP NETWORK, revealing DNS, WEB and NFS services.)
A Typical Hacker Strategy
• Primary Target Selection - Determine vulnerability state of weakest point and concentrate further activities against this system.
  (Diagram: FINGER probe against the NFS host in the CORP NETWORK.)
A Typical Hacker Strategy
• Primary Target Exploitation - Gain privileges & control of primary target; the attacker now controls a 'trusted' corporate system!
  (Diagram: Rlogin Root on the NFS host in the CORP NETWORK.)
A Typical Hacker Strategy
• Secondary Target Identification - Probing for high value information or systems which are then compromised and data stolen or trojan horses planted, etc.
  (Diagram: from the compromised NFS host in the CORP NETWORK on to the HR, R&D and financial ($) systems.)
Detection
Intrusion Detection Systems
• Popular second layer of network security enforcement
• Passive supervision of the existing network, analogous to intruder alarms
• Creates more work for personnel
• There exist 2 different approaches to the implementation of Intrusion Detection Systems (IDS):
  • Knowledge-based IDS
    • Network based
    • Host based
  • Behaviour-based IDS
    • Statistical anomaly detection
Intrusion Detection Systems
• An Intrusion Detection System (IDS) is a network security system designed to identify intrusive or malicious behaviour via monitoring of network activity. The IDS identifies suspicious patterns that may indicate an attempt to attack, break in to, or otherwise compromise a system. An IDS can be network-based or host-based, passive or reactive, and can rely on either misuse detection or anomaly detection.
IDS vs Firewalls. Firewalls specify policies about what traffic may or may not enter a particular computer network. An IDS monitors patterns of traffic and signals an alert once it deems that an attack has taken place.
Knowledge-based IDS
• ALL commercial IDS look for attack signatures:
  • specific patterns of network traffic or activity in log files that indicate suspicious behaviour.
• Called a knowledge-based or misuse detection IDS
• Example signatures might include:
  • a number of recent failed login attempts on a sensitive host;
  • a certain pattern of bits in an IP packet, indicating a buffer overflow attack;
  • certain types of TCP SYN packets, indicating a SYN flood DoS attack.
Knowledge-based IDS
• Knowledge-based IDS uses information such as:
  • Security policy;
  • Known vulnerabilities of particular OS and applications;
  • Known attacks on systems.
• They are only as good as the information in the database of attack signatures:
  • new vulnerabilities not in the database are constantly being discovered and exploited;
  • vendors need to keep up to date with the latest attacks and issue database updates; customers need to install these;
  • large number of vulnerabilities and different exploitation methods, so an effective database is difficult to build;
  • a large database makes the IDS slow to use.
Behaviour-based IDS
• Statistical Anomaly Detection (or behaviour-based detection) is a methodology where statistical techniques are used to detect penetrations and attacks.
• Begin by establishing base-line statistical behaviour: what is normal for this system?
• Then gather new statistical data and measure the deviation from the base-line.
• If a threshold is exceeded, issue an alarm.
Behaviour-based IDS
• Example: monitor the number of failed login attempts at a sensitive host over a period;
  • if a burst of failures occurs, an attack may be under way;
  • or maybe the admin just forgot his password?
• This raises the issue of false positives (an attack is flagged when one was not taking place – a false alarm) and false negatives (an attack was missed because it fell within the bounds of normal behaviour).
• This issue also applies to knowledge-based systems.
Behaviour-based IDS
• IDS does not need to know about security vulnerabilities in a particular system:
  • the base-line defines normality;
  • don't need to know the details of the construction of a buffer overflow packet.
• Normal behaviour may overlap with forbidden behaviour.
  • Legitimate users may deviate from the baseline, causing false positives (e.g. user goes on holiday, or works late in the office, or forgets password, or starts to use a new application).
• If the base-line is adjusted dynamically and automatically, a patient attacker may be able to gradually shift the base-line over time so that his attack does not generate an alarm.
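Added example, not from the lecture: a toy detector for the failed-login case used on the preceding slides, implementing both approaches, a fixed signature (knowledge-based) and a base-line plus threshold rule (behaviour-based), over constructed syslog-style lines. It also shows the false positive a strict threshold produces on the admin's typo, and how an automatically adapting base-line lets a slowly increasing series of failures pass without an alarm. Log lines, addresses, thresholds and the baseline counts are all constructed assumptions.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed syslog-style sample (not real data); the first field is a timestamp in seconds.
# 192.0.2.10 is an admin who mistypes twice and then succeeds; 198.51.100.7 hammers root.
SAMPLE_LOG = """\
1000 sshd[101]: Failed password for admin from 192.0.2.10
1001 sshd[101]: Failed password for admin from 192.0.2.10
1002 sshd[101]: Accepted password for admin from 192.0.2.10
1100 sshd[102]: Failed password for root from 198.51.100.7
1101 sshd[102]: Failed password for root from 198.51.100.7
1102 sshd[102]: Failed password for root from 198.51.100.7
1103 sshd[102]: Failed password for root from 198.51.100.7
1104 sshd[102]: Failed password for root from 198.51.100.7
1105 sshd[102]: Failed password for root from 198.51.100.7
"""

LINE_RE = re.compile(r"^(?P<ts>\d+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
                     r"for (?P<user>\S+) from (?P<src>\S+)$")

def parse_log(text):
    """Return (timestamp, result, user, source) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((int(m["ts"]), m["result"], m["user"], m["src"]))
    return events

# --- Knowledge-based (misuse) detection: a fixed signature -------------------------
def signature_failed_logins(events, max_failures=5, window=60):
    """Signature: more than max_failures failed logins from one source within window seconds.
    Returns the set of offending source addresses."""
    hits = set()
    failures = defaultdict(list)                 # source -> timestamps of its recent failures
    for ts, result, _user, src in events:
        if result != "Failed":
            continue
        recent = [t for t in failures[src] if ts - t <= window] + [ts]
        failures[src] = recent
        if len(recent) > max_failures:
            hits.add(src)
    return hits

# --- Behaviour-based (statistical anomaly) detection -------------------------------
def failures_per_interval(events, interval=100):
    """Count failed logins per fixed-length time bucket, oldest bucket first."""
    counts = defaultdict(int)
    for ts, result, _user, _src in events:
        if result == "Failed":
            counts[ts // interval] += 1
    if not counts:
        return []
    return [counts[b] for b in range(min(counts), max(counts) + 1)]

def anomaly_alerts(baseline, observed, k=2.0, adaptive=False, alpha=0.5):
    """Alarm on every observed bucket whose count exceeds mean + k*stddev of the base-line.
    With adaptive=True the mean is re-estimated after each observation (exponential
    smoothing): the dynamic base-line adjustment the slides warn a patient attacker can exploit."""
    mu, sigma = mean(baseline), max(pstdev(baseline), 1.0)   # floor: a flat base-line must not alarm on noise
    alerts = []
    for i, x in enumerate(observed):
        if x > mu + k * sigma:
            alerts.append(i)
        if adaptive:
            mu = alpha * x + (1 - alpha) * mu
    return alerts

def demo():
    events = parse_log(SAMPLE_LOG)
    baseline = [1, 0, 2, 1, 0, 1, 1, 0]          # constructed: quiet host, 0-2 failures per bucket
    ramp = [2, 3, 4, 5, 6, 7]                    # constructed: a patient attacker increasing slowly
    return {
        "signature": signature_failed_logins(events),                        # only the root hammering
        "signature_strict": signature_failed_logins(events, max_failures=1), # admin's typo: false positive
        "anomaly": anomaly_alerts(baseline, failures_per_interval(events)),  # second bucket (6 failures) alarms
        "ramp_frozen": anomaly_alerts(baseline, ramp),                       # frozen base-line: alarms from bucket 1 on
        "ramp_adaptive": anomaly_alerts(baseline, ramp, adaptive=True),      # shifted base-line: no alarm at all
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```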
Host-based and Network-based IDS
• When an IDS looks for attack signatures in network traffic, it is called a network-based IDS (NIDS).
• When an IDS looks for attack signatures in log files of hosts, it is called a host-based IDS (HIDS).
• Naturally, the most effective Intrusion Detection System will make use of both kinds of information.
IDS Architecture
• Distributed set of sensors – either located on hosts or on network – to gather data.
• Centralised console to manage sensor network, analyze data, report and react.
• Ideally:
  • Protected communications between sensors and console;
  • Protected storage for signature database/logs;
  • Secure console configuration;
  • Secured signature updates from vendor;
• Otherwise, the IDS itself can be attacked and manipulated.
Placement of Network-based IDS
(Diagram: traffic flows from the Internet through a Firewall to a Perimeter Network holding the Mail server and Web server, and on to the Protected Network; three network Sensors are placed on these segments and report to a central Console.)
Host-based IDS
• Typically monitors system, event, and security logs on Windows and syslog in Unix environments.
• Checks key system files and executables via checksums at regular intervals for unexpected changes.
• Some products can use regular-expressions to refine attack signatures (e.g. passwd program executed AND .rhosts file changed).
• Some products listen to port activity and alert when specific ports are accessed – limited NIDS capability.
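Added example, not from the lecture or any HIDS product: the checksum check described on this slide together with the setuid/setgid scan from the CERT checklist on the Traditional Methods slide, run against a temporary directory constructed inline. File names and contents are stand-ins, and the tampering is simulated locally inside that directory.

```python
import hashlib
import os
import stat
import tempfile

def sha256_file(path):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map each regular file under root (relative path) to (sha256, permission bits)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)                       # lstat: do not follow symlinks
            if stat.S_ISREG(st.st_mode):
                baseline[os.path.relpath(path, root)] = (sha256_file(path), stat.S_IMODE(st.st_mode))
    return baseline

def compare(baseline, current):
    """Report content changes, permission changes, and files added or removed since the baseline."""
    report = {"modified": [], "mode_changed": [], "added": [], "removed": []}
    for rel, (digest, mode) in current.items():
        if rel not in baseline:
            report["added"].append(rel)
            continue
        old_digest, old_mode = baseline[rel]
        if digest != old_digest:
            report["modified"].append(rel)
        if mode != old_mode:
            report["mode_changed"].append(rel)
    report["removed"] = [rel for rel in baseline if rel not in current]
    return {k: sorted(v) for k, v in report.items()}

def find_setuid(root):
    """CERT checklist item 2: every regular file with the setuid or setgid bit set."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append(os.path.relpath(path, root))
    return sorted(found)

def demo():
    """Constructed scenario in a temporary directory: take a baseline, then simulate an
    intruder appending a uid-0 account, setting setuid on ls, and leaving a hidden setuid shell."""
    with tempfile.TemporaryDirectory() as root:
        files = {"etc/passwd": b"root:x:0:0::/root:/bin/sh\n", "bin/ls": b"ELF-ls-stand-in"}
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
            os.chmod(path, 0o644)
        baseline = build_baseline(root)

        # Simulated tampering, confined to the temporary directory.
        with open(os.path.join(root, "etc/passwd"), "ab") as f:
            f.write(b"eve:x:0:0::/tmp:/bin/sh\n")
        os.chmod(os.path.join(root, "bin/ls"), 0o4755)
        hidden = os.path.join(root, "bin/.sh")
        with open(hidden, "wb") as f:
            f.write(b"ELF-sh-stand-in")
        os.chmod(hidden, 0o4755)

        return compare(baseline, build_baseline(root)), find_setuid(root)

if __name__ == "__main__":
    report, suid_files = demo()
    print("integrity report:", report)
    print("setuid/setgid files:", suid_files)
```

Run at regular intervals against a baseline stored off-host, this is the check the slide describes; a baseline kept on the monitored host can be rewritten by the same intruder.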
Placement of Host-based IDS
(Diagram: the same topology, Internet, Firewall and a Perimeter Network with the Mail server and Web server, plus a Human Resources Network; host Sensors run on the servers and on hosts in the Human Resources Network and report to a central Console.)
IDS as a Response Tool
• Given the (near) real-time nature of IDS alerts, an IDS can be used as a response tool as well as for detection.
• NIDS and HIDS have different response capabilities – because they detect different attacks, or the same attacks but in different ways.
HIDS and NIDS
• There are attack types that a HIDS can detect but a NIDS cannot:
  • SYN flood, Land, Smurf and Teardrop attacks, BackOrifice, …
• And vice-versa:
  • Trojan login script, walk up to unattended keyboard attack, encrypted traffic, …
• For more reliable detection, combine both types of IDS.
IDS Response Options
               Network-based                  Host-based
Notification   Alarm to console               Alarm to console
               E-Mail notification            E-Mail notification
               SNMP trap                      SNMP trap
               View active session
Storage        Log summary                    Log summary
               Log raw network data
Active         Kill connection (TCP Reset)    Terminate user login
               Re-configure firewall          Disable user account
                                              Restore index.html
IDS Response Options
• Dangers of automated response:
  • Attacker tricks the IDS into responding, but the response is aimed at an innocent target (say, by spoofing the source IP address);
  • Users locked out of their accounts because of false positives;
  • Repeated e-mail notification becomes a denial of service attack on the sysadmin's e-mail account;
  • Repeated restoration of index.html from CD reduces website availability.
What is Snort?
• Snort is a fast, flexible, small-footprint, open-source NIDS developed by the security community and a “benevolent dictator”
• Lead coder: Marty Roesch, now founder of Sourcefire (http://www.sourcefire.com)
• Initially developed in late 1998 as a sniffer with consistent output, unlike protocol-dependent output of TCPDump
• Licensed under GPL, but version 2.0 may change to a different license
Snort Rules
• Snort rules are extremely flexible and are easy to modify, unlike many commercial NIDS
• Sample rule to detect SubSeven trojan:
alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity; rev:4;)
• Elements before the parentheses comprise the 'rule header'
• Elements in the parentheses are the 'rule options'
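Added example, not from the lecture or from Snort: a minimal parser for the rule format shown above that splits the rule header from the rule options and decodes the |hex| content, plus a matcher run against a constructed packet. The $HOME_NET/$EXTERNAL_NET bindings and the packets are assumptions; real Snort handles many more option keywords, escaping and bidirectional rules.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# The SubSeven rule from the slide, verbatim.
RULE = ('alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; '
        'flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485; '
        'reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity; rev:4;)')

# Assumed bindings for the address variables; in Snort these come from its configuration file.
VARS = {"$EXTERNAL_NET": "any", "$HOME_NET": "10.0.0.0/8"}

@dataclass
class Rule:
    action: str          # rule header: action proto src sport direction dst dport
    proto: str
    src: str
    sport: str
    direction: str       # only '->' is handled by the matcher below
    dst: str
    dport: str
    options: dict = field(default_factory=dict)   # keyword -> list of values (e.g. reference repeats)

def parse_rule(text):
    """Split the rule into the header (before the parentheses) and the options (inside them).
    Options are ';'-separated 'keyword:value' pairs; escaped quotes are not handled here."""
    m = re.match(r"^\s*(?P<header>[^(]+)\((?P<opts>.*)\)\s*$", text)
    if not m:
        raise ValueError("not a Snort rule")
    header = m["header"].split()
    if len(header) != 7:
        raise ValueError("rule header must have exactly 7 fields")
    rule = Rule(*header)
    for opt in m["opts"].split(";"):
        opt = opt.strip()
        if opt:
            key, _, val = opt.partition(":")
            rule.options.setdefault(key.strip(), []).append(val.strip().strip('"'))
    return rule

def decode_content(value):
    """Snort content syntax: text outside |...| is literal, text inside is hex bytes."""
    out = b""
    for i, part in enumerate(value.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return out

def addr_matches(addr, spec):
    spec = VARS.get(spec, spec)
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def port_matches(port, spec):
    return spec == "any" or int(spec) == port

def flags_match(pkt_flags, spec):
    """'A+' means ACK must be set and other flags are ignored; without '+' the set must match exactly."""
    if spec is None:
        return True
    want, loose = set(spec.rstrip("+")), spec.endswith("+")
    return want <= set(pkt_flags) if loose else want == set(pkt_flags)

def matches(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport, flags and payload (bytes)."""
    if pkt["proto"] != rule.proto:
        return False
    if not (addr_matches(pkt["src"], rule.src) and addr_matches(pkt["dst"], rule.dst)):
        return False
    if not (port_matches(pkt["sport"], rule.sport) and port_matches(pkt["dport"], rule.dport)):
        return False
    if not flags_match(pkt["flags"], rule.options.get("flags", [None])[0]):
        return False
    return all(decode_content(c) in pkt["payload"] for c in rule.options.get("content", []))

# Constructed packets (not captures): one carrying the bytes the rule looks for, one benign.
SUBSEVEN_PKT = {"proto": "tcp", "src": "203.0.113.5", "sport": 27374, "dst": "10.1.2.3",
                "dport": 4455, "flags": "PA", "payload": b"\r\n[RPL]002\r\n"}
BENIGN_PKT = dict(SUBSEVEN_PKT, payload=b"220 mail ready\r\n")

def demo():
    rule = parse_rule(RULE)
    return rule, matches(rule, SUBSEVEN_PKT), matches(rule, BENIGN_PKT)

if __name__ == "__main__":
    rule, hit, miss = demo()
    print("header:", (rule.action, rule.proto, rule.src, rule.sport, rule.direction, rule.dst, rule.dport))
    print("options:", rule.options)
    print("alert on constructed SubSeven packet:", hit, "| on benign packet:", miss)
```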
Third-Party Enhancements
• Analysis Console for Intrusion Databases (ACID)
  • http://acidlab.sourceforge.net/
  • PHP-based analysis engine to search and process a database of security events generated by various IDSes, firewalls, and network monitoring tools
  • Query-builder and search interface, packet viewer (decoder), alert management, chart and statistics generation
  • Description and screenshots taken from the ACID web site
Third-Party Enhancements
• Demarc
  • www.demarc.com
  • NIDS management console, integrating Snort with the convenience and power of a centralized interface for all network sensors
  • Monitor all servers / hosts to make sure network services such as mail or web servers remain accessible at all times
  • Monitor system logs for anomalous log entries that may indicate intruders or system malfunctions
  • Description and screenshots taken from the Demarc web site
IDS – The Future
• Integrated approach to IDS:
  • Network and host-based in one system (some products already do this in a limited way);
  • The strengths of both NIDS and HIDS (but maybe all of the weaknesses!)
• Better visualisation, management and reporting tools
• Event correlation:
  • Correlate a number of sub-events which individually do not indicate an attack but which when viewed in combination do;
  • Requires much more sophisticated software and data processing.
  • Potentially much better attack detection.
• Commercial Statistical Anomaly Detection
Prevention
• Vulnerability Assessment
• Intrusion Prevention Systems
Vulnerability Assessment
Vulnerability Assessment
• An examination of the ability of a system or application, including current security procedures and controls, to withstand assault.
• A vulnerability assessment may be used to:
  • identify weaknesses that could be exploited;
  • predict the effectiveness of additional security measures in protecting information resources from attack.
Vulnerability Assessment
• Vulnerability Assessment Methods:
  • Software solutions (ISS Scanner, Stat, Nessus etc.)
  • Audit Services (manual penetration tests etc.)
  • Web based commercial (Qualys, Security Point etc.)
• Use a database of vulnerability signatures
• Usually perform a port scan to detect which services are available
• Try to identify if a service is vulnerable by:
  • Looking for banner information
  • Sending a harmless request and analysing the response
  • Actually performing the attack!
• Offer various reporting and management facilities
Animated Demo
Lesson learnt from VA
• Keep up-to-date with security (and other) patches
  • For Microsoft OS: www.windowsupdate.com
    • Enterprise version available – Windows Update Services (WUS)
  • Microsoft Baseline Security Advisor
    • Includes hfnetcheck.exe (from Shavlik)
  • Similar for SUN, HP, IBM, CISCO etc. OSs
Intrusion Prevention Systems
• Rate based
• Content based
Intrusion Prevention System - IPS
• Relatively new (marketing) term
• Essentially a combination of access control (firewall/router) and intrusion detection systems
  • Often shared technologies between stateful inspection and signature recognition ("looking deep into the packet")
  • Inline network IDS allows for instant access control policy modification
• 2004 Gartner study claims by 2005 only integrated firewalls with IDS (i.e. IPS) will survive
• Most success to-date with “flood” (DoS) attacks
Definition of an IPS
• Can be defined as an in-line product that focuses on identifying and blocking malicious network activity in real time.
• Two general categories:
  • rate-based products
  • content-based (also referred to as signature- and anomaly-based)
• Often look like firewalls and often have some basic firewall functionality.
• But firewalls block all traffic except that which they have a reason to pass;
• IPSs pass all traffic except that which they have a reason to block.
Rate-based IPS
• Block traffic based on load:
  • too many packets,
  • too many connects,
  • too many errors.
• In the presence of too much of anything, the rate-based IPS kicks in and blocks, throttles or otherwise mediates the traffic.
• The most useful rate-based IPS include a combination of powerful configuration options with a range of response technologies:
  • For example, limit queries to your DNS server to 1,000 per second
  • Other simple rules covering bandwidth and connection limiting
Disadvantages of Rate-based IPS
• Biggest problem with deploying rate-based IPS products is deciding what constitutes an overload.
• For any rate-based IPS to work properly, need to know not only what "normal" traffic levels are (on a host-by-host and port-by-port basis) but also other network details such as how many connections your Web servers can handle.
• Most products do not provide any help but require a “trained” system engineer
• Because rate-based IPSs require frequent tuning and adjustment, they will be most useful in very high-volume Web, application and mail server environments.
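Added example, not from the lecture or any IPS product: a per-source sliding-window limiter applying the "1,000 DNS queries per second" rule from the Rate-based IPS slide to a constructed query stream, plus a helper that derives a limit from a sample of known-normal traffic, which is the tuning problem this slide describes. Addresses, rates and the safety factor are assumptions.

```python
from collections import defaultdict, deque

class RateLimiter:
    """Sliding-window limiter: at most `limit` events per `window` seconds for each key
    (here: per source address). Events over the limit are blocked rather than queued."""
    def __init__(self, limit, window=1.0):
        self.limit, self.window = limit, window
        self.allowed = defaultdict(deque)         # key -> timestamps of events allowed in the window

    def decide(self, key, ts):
        q = self.allowed[key]
        while q and ts - q[0] >= self.window:     # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return "block"
        q.append(ts)
        return "allow"

def replay(events, limiter, port=53):
    """Apply the limiter to every (timestamp, source, dst_port) event aimed at `port`.
    Returns per-source allow/block counts and the time each source was first blocked."""
    stats = defaultdict(lambda: {"allow": 0, "block": 0, "first_block": None})
    for ts, src, dport in sorted(events):
        if dport != port:
            continue                              # other services are not covered by this rule
        verdict = limiter.decide(src, ts)
        s = stats[src]
        s[verdict] += 1
        if verdict == "block" and s["first_block"] is None:
            s["first_block"] = ts
    return dict(stats)

def suggest_limit(training_events, port, factor=3):
    """The tuning problem from the slide: derive a per-source limit from a sample of
    known-normal traffic (peak per-source queries in any one second, times a safety margin)."""
    per_second = defaultdict(int)
    for ts, src, dport in training_events:
        if dport == port:
            per_second[(src, int(ts))] += 1
    return factor * max(per_second.values(), default=0)

# Constructed traffic (not a capture): one resolver making 300 queries/s, one source sending
# 2,500 queries/s, plus a web request that the DNS rule must ignore.
def normal_traffic():
    return [(i / 300, "192.0.2.20", 53) for i in range(300)] + [(0.5, "192.0.2.20", 80)]

def flood_traffic():
    return [(i / 2500, "198.51.100.9", 53) for i in range(2500)]

def demo():
    limiter = RateLimiter(limit=1000, window=1.0)   # the slide's "1,000 per second" rule
    return replay(normal_traffic() + flood_traffic(), limiter)

if __name__ == "__main__":
    for src, s in demo().items():
        print(src, s)
    print("limit suggested from normal traffic:", suggest_limit(normal_traffic(), 53))
```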
Content-based products
• Block traffic based on attack signatures and protocol anomalies:
  • Worms, e.g. Blaster and MyDoom, that match a signature can be blocked.
  • Packets that do not comply with the TCP/IP RFCs can be dropped.
  • Suspicious behaviour such as port scanning triggers the IPS to block future traffic from a single host.
• The best content-based IPSs offer a range of techniques for identifying malicious content and many options for how to handle the attacks:
  • simply dropping bad packets;
  • dropping future packets from the same attacker; and
  • reporting and alerting strategies.
• Using IDS-like technology for identifying threats and blocking them, content-based IPSs can be used deep inside the network to complement firewalls and provide security policy enforcement.
Counter attacks
• The Problem of origin
• Honeypots/nets
67
Problem of origin
• Denial of Service attacks (DoS)
  • In contrast to unauthorised access attacks, a DoS attack does not need to contain a method for communicating back to the attacker
• Distributed Denial of Service (DDoS) attacks
  • Trin00/Stacheldraht (Feb 2000)
  • Attacks on ebay, amazon.com and etrade.com
  • MS.Blaster (August 2003)
• Problem of the lack of metrics to measure the impact of Denial of Service attacks – more research required
68
What is a DDoS Attack?

• In a Denial of Service (DoS) attack,
  • The attacker overwhelms a targeted system with a flood of packets to deny availability of services to legitimate users
• In a Distributed Denial of Service (DDoS) attack,
  • The attacker uses dozens or even hundreds of ‘zombie’ machines to multiply the force of the attack
69
Motives Behind DDoS Attacks
• Until recently, attacks appear to have been motivated by:
  • Desire for attention
  • Notoriety
  • Fun
• Long term, DDoS-type attacks could become motivated by:
  • Economic warfare between competitors
  • Disgruntled employees/customers
  • Monetary gains (i.e. stock market manipulation/online betting)
  • Political sabotage and vandalism (party websites during election campaigns)
70
DDoS Components
• All DDoS attacks consist of three parts:
  • Client Program
  • Master Server
  • Agent (Zombie) Program
71
DDoS Attack Illustrated

• Step 1: Hacker scans the Internet for unsecured systems that can be compromised
• (Diagram labels: Hacker, Scanning Program, Internet, Unsecured Computers)
72
DDoS Attack Illustrated

• Step 2: Hacker secretly installs zombie agent programs, turning unsecured computers into zombies
• (Diagram labels: Hacker, Internet, Zombies)
73
DDoS Attack Illustrated

• Step 3: Hacker selects a Master Server to send commands to the zombies
• (Diagram labels: Hacker, Internet, Master Server, Zombies)
74
DDoS Attack Illustrated

• Step 4: Using the Client program, Hacker sends commands to the Master Server to launch a zombie attack against a targeted system
• (Diagram labels: Hacker, Internet, Master Server, Zombies, Targeted System)
75
DDoS Attack Illustrated

• Step 5: Master Server sends a signal to the zombies to launch the attack on the targeted system
• (Diagram labels: Hacker, Internet, Master Server, Zombies, Targeted System)
76
DDoS Attack Illustrated

• Step 6: Targeted system is overwhelmed by bogus requests that shut it down for legitimate users
• (Diagram labels: Hacker, Internet, Master Server, Zombies, Targeted System, User, "Request Denied")
77
Minimizing Risk
• Prevent yourself from being victimized
  • Ensure your computers are not zombies
  • Perform periodic assessments via automated scanning services
• Implement an early warning system
  • Automated Intrusion Detection & Response tools
  • Collect forensic data to prosecute hackers later
78
Honeypots
• Technology used to track, learn and gather evidence of hacker activities
• Definition
  • “… a resource whose value is being attacked or compromised”
  • Lance Spitzner, “The value of honeypots”, SecurityFocus, October 2001
• Strategically placed systems designed to mimic production systems, but not reveal “real” data
• Modes of operation
  • Baiting
  • Waiting
  • Collating
  • Disseminating
79
Honeypot types of implementation

• Level of Involvement
  • Low Involvement: Port Listeners
  • Mid Involvement: Fake Daemons
  • High Involvement: Real Services
• Risk increases with level of involvement
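The lowest-involvement honeypot on this slide, a bare port listener, as an added example that is not from the lecture: it accepts a connection, records the source and the first bytes sent, returns a fake banner and closes, so there is no real service behind the port to compromise. The banner text and the `demo` probe message are constructed; the listener binds to loopback on an OS-chosen port so it runs offline.

```python
import socket
import threading
from datetime import datetime, timezone

FAKE_BANNER = b"220 mail.example.invalid ESMTP ready\r\n"  # constructed, not a real host
MAX_CAPTURE = 256  # bytes of the client's first message to keep as evidence


def record_probe(records, peer, data):
    """Append one probe event; any connection to a honeypot is suspect by definition."""
    event = {
        "time": datetime.now(timezone.utc).isoformat(),
        "src": peer[0],
        "sport": peer[1],
        "first_bytes": data[:MAX_CAPTURE],
    }
    records.append(event)
    return event


def make_listener(host="127.0.0.1", port=0):
    """Bind a listening socket; port 0 lets the OS pick a free port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(5)
    return sock


def serve_one(listener, records, timeout=2.0):
    """Accept a single connection, send the fake banner, capture the reply, close.
    Nothing is interpreted or executed, which keeps the risk low."""
    conn, peer = listener.accept()
    with conn:
        conn.settimeout(timeout)
        try:
            conn.sendall(FAKE_BANNER)
            data = conn.recv(MAX_CAPTURE)
        except socket.timeout:
            data = b""  # silent connect-and-wait probes are still recorded
    return record_probe(records, peer, data)


def demo(message=b"HELO scanner\r\n"):
    """Self-contained run: listener in a thread, one loopback client probe."""
    records = []
    listener = make_listener()
    worker = threading.Thread(target=serve_one, args=(listener, records))
    worker.start()
    with socket.create_connection(listener.getsockname()) as client:
        banner = client.recv(len(FAKE_BANNER))
        client.sendall(message)
    worker.join(5)
    listener.close()
    return banner, records
```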
80
Honeynet
• Network of honeypots
  • Supplemented by firewalls and intrusion detection systems - Honeywall
• Advantages:
  • “More realistic” environment
  • Improved possibilities to collect data
81
Honeynet
82
Sebek
• Sebek is a data capture tool designed to capture all of the attacker's activities on a honeypot, without the attacker knowing it.
• 2 components:
  • Client that runs on the honeypots; its purpose is to capture all of the attacker's activities (keystrokes, file uploads, passwords) and then covertly send the data to the server.
  • Server which collects the data from the honeypots. The server normally runs on the Honeywall gateway.
• Since the Sebek client runs as a kernel module on the honeypots, it can capture all activity, including activity carried over encrypted channels such as SSH or IPSec
83
Honeynet using a Honeywall
84
Summary
• Threats are both internal and external.
• Prevention, detection and reaction are needed in combination.
• Intrusion detection systems are a very useful second line of defence (in addition to firewalls and other safeguards).
• IDS deployment, customisation and management is generally not straightforward.
• Vulnerability Assessment and Patch Management are King.
• Newer technologies such as IPS and Honeynets can remove some of the burden from overworked system and network administrators.
85
IDS Further Reading
• Stallings Chapter 9, pp.292-303 (possibly too much emphasis on statistical approach; research-focussed rather than commercially focussed).
• An article: “The future of IDS” by Matthew Tanase at SecurityFocus.com:
  • http://online.securityfocus.com/infocus/1518
• An evaluation of IDS products by Kathleen A. Jackson:
  • http://www.sekure.net/ids/00416750.pdf
86
Questions
Thank You !
Merry Christmas & Happy New Year