EE579T/GD_6 #1 Summer 2003 © 2000-2003, Richard A. Stanley EE579T Network Security 7: An Overview of SNMP and Intrusion Detection Prof. Richard A. Stanley

Posted 19-Dec-2015

Page 1: EE579T/GD_6 #1 Summer 2003 © 2000-2003, Richard A. Stanley EE579T Network Security 7: An Overview of SNMP and Intrusion Detection Prof. Richard A. Stanley.

Summer 2003 © 2000-2003, Richard A. Stanley

EE579T/GD_6 #1

EE579T Network Security

7: An Overview of SNMP and Intrusion Detection

Prof. Richard A. Stanley

Page 2:

Overview of Today’s Class

• Administrivia

• Review last week’s lesson

• Security in the news

• SNMP

• Intrusion Detection

Page 3:

Updates

• Monday, August 18: no class

• Monday, August 25: class as usual (final lecture)

• Wednesday, September 3: class at usual time with project presentations

• Final for this course is take-home

• Shall we start the next class on Sept. 8th?

Page 4:

Last time...

• Firewalls are useful tools to mediate access from internal networks to external networks

• Firewalls are not a single-point security solution

• Firewalls cannot protect against a malicious user on the internal network

• Trusted computing systems are needed to enforce security policy

Page 5:

Crypto Security--Again

• Bugtraq reports 1024-bit RSA encryption should be “considered compromised”

• Estimates factoring can be done for <$1B

• What uses a key stronger than 1024 bits?

• So, are SSL, S/MIME, all toast?

• What about risk management?

  – Is what you have worth $1B to someone?

  – If so, do they have the $1B to spend on it?

Page 6:

SNMP Outline

• Basic Concepts of SNMP

• SNMPv1 Community Facility

• SNMPv2

• SNMPv3

Page 7:

Why SNMP?

• To provide a simple means of managing objects across a network

  – These objects need not be network elements

  – The objects need not support SNMP (although it makes things easier if they do!)

  – “Management” can be tailored to mean what we need it to mean

• First introduced in 1988

Page 8:

Basic Concepts of SNMP

• An integrated collection of tools for network monitoring and control

  – Single operator interface

  – Minimal amount of separate equipment: software and network communications capability built into the existing equipment

• SNMP key elements:

  – Management station (physical device)

  – Management agent (software implementation)

  – Management information base (collection of objects)

  – Network management protocol

• Get, Set and Trap

Page 9:

SNMP MIB

• Management Information Base = MIB

  – Database held at the managed client

  – Scalar variables

  – 2D tables

• Uses a streamlined protocol to:

  – Allow the manager to Get and Set MIB variables

  – Enable the agent to issue unsolicited notifications

• These are called traps

Page 10:

SNMP Characteristics

• Runs over UDP/IP or TCP/IP, depending on version

• Uses

  – Port 161 (for messages)

  – Port 162 (for traps)

Page 11:

SNMP Protocol

Page 12:

SNMP Commands

• Get

  – Query a MIB for information

• Set

  – Set values in a MIB

• Trap

  – Send condition information

  – Asynchronous

Page 13:

SNMP Proxies

• SNMPv1 supports UDP over IP

  – Period!

• There are lots of clients out there that need to be managed that don’t speak UDP

• Proxies bridge the gap

  – Provide translation of the client management language to SNMP

  – Interface to SNMP for the client

Page 14:

Proxy Configuration

Page 15:

SNMPv2

• Allows use of TCP/IP, and others

• Provides additional management features

  – Distributed network management

    • Single-server hierarchical networks get overloaded

  – Functional enhancements

    • GetBulk – retrieve a block of data at once

    • Inform – intra-management station communication of events and/or conditions

    • Removes atomicity from the Get command

Page 16:

SNMP v1 and v2

• SNMPv2 intended to deal with deficiencies of SNMPv1

  – Introduced first in 1993

• SNMPv1 is “connectionless”

  – Just like HTTP

  – Why?

    • Utilizes UDP as the transport layer protocol

• SNMPv2 allows use of TCP for “reliable, connection-oriented” service

Page 17:

SNMPv2 Distributed Management

Page 18:

SNMPv1 vs. SNMPv2

SNMPv1          SNMPv2          Direction                                        Description
GetRequest      GetRequest      Manager to agent                                 Request value for each listed object
GetNextRequest  GetNextRequest  Manager to agent                                 Request next value for each listed object
------          GetBulkRequest  Manager to agent                                 Request multiple values
SetRequest      SetRequest      Manager to agent                                 Set value for each listed object
------          InformRequest   Manager to manager                               Transmit unsolicited information
GetResponse     Response        Agent to manager, or manager to manager (SNMPv2) Respond to manager request
Trap            SNMPv2-Trap     Agent to manager                                 Transmit unsolicited information

Page 19:

SNMPv1 Community Facility

• SNMP Community

  – Relationship between an SNMP agent and SNMP managers

  – Think of a network domain as an analog

• Three aspects of agent control:

  – Authentication service

  – Access policy

  – Proxy service

Page 20:

SNMPv1 Administrative Concepts

Page 21:

Access Policy

• SNMP MIB View

  – Subset of objects within the MIB

  – May be on different MIB sub-trees

• SNMP Access Mode

  – Element of the set of MIB objects

  – Defined for each community

• These two together are the SNMP Community Profile

Page 22:

What About Proxied Clients?

• Supported within community concept

• Proxy is an SNMP agent that acts on behalf of other (foreign) devices

  – For each device supported, the SNMP proxy maintains an access policy

  – Therefore, the proxy knows which MIB objects can be used to manage the proxied system, and their access mode

Page 23:

Where is the Security?

• SNMPv1 has no inherent security

  – Messages can be spoofed, altered, or deleted

  – Does this have a potential for evil?

• SNMPv2 doesn’t have any, either

  – It actually makes things worse by introducing the distributed management concept

• What to do?
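As an added example (not code from the lecture), here is the SNMPv1 GetRequest from the "SNMP Commands" slide, BER-encoded and then parsed back the way a passive observer of UDP port 161 could. It uses only the Python standard library; the community name, request-id and OID (sysDescr.0) are constructed sample values. The parse makes "no inherent security" concrete: the community string, which is the whole SNMPv1 authentication service, travels in the clear in every message, so the monitoring check at the end flags traffic that still carries a well-known default community.

```python
"""Minimal BER encoder/decoder for an SNMPv1 GetRequest (RFC 1157 framing).

Added example; not code from the lecture. Community name, request-id and OID
are constructed sample values.
"""
from typing import List, Tuple

# ASN.1 universal tags used by SNMPv1, plus the context-specific GetRequest PDU tag
TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
TAG_GET_REQUEST = 0xA0                      # [0] constructed
DEFAULT_COMMUNITIES = {"public", "private"}  # widely shipped vendor defaults


def _ber_length(n: int) -> bytes:
    """Short form below 128 octets; long form (0x80|N, then N length octets) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_length(len(payload)) + payload


def encode_integer(value: int) -> bytes:
    """Shortest two's-complement encoding of a non-negative INTEGER."""
    assert value >= 0
    return _tlv(TAG_INTEGER, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs share one octet; the rest are base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(TAG_OID, bytes(out))


def build_v1_get(community: str, oids: List[str], request_id: int = 1) -> bytes:
    """Message ::= SEQUENCE { version INTEGER(0), community OCTET STRING, GetRequest-PDU }."""
    varbinds = b"".join(_tlv(TAG_SEQUENCE, encode_oid(o) + _tlv(TAG_NULL, b"")) for o in oids)
    pdu = _tlv(TAG_GET_REQUEST,
               encode_integer(request_id) + encode_integer(0)   # error-status
               + encode_integer(0)                              # error-index
               + _tlv(TAG_SEQUENCE, varbinds))
    return _tlv(TAG_SEQUENCE, encode_integer(0) + _tlv(TAG_OCTET_STRING, community.encode()) + pdu)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, payload, position just after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_v1_header(msg: bytes) -> Tuple[int, str, int]:
    """Extract (version, community, pdu_tag) from a captured datagram; no key or secret needed."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an SNMP message")
    vtag, version, pos = _read_tlv(body, 0)
    ctag, community, pos = _read_tlv(body, pos)
    if vtag != TAG_INTEGER or ctag != TAG_OCTET_STRING:
        raise ValueError("malformed SNMP header")
    pdu_tag, _, _ = _read_tlv(body, pos)
    return int.from_bytes(version, "big"), community.decode("latin-1"), pdu_tag


def uses_default_community(msg: bytes) -> bool:
    """Monitoring check: v1 (0) or v2c (1) traffic still carrying a well-known default community."""
    version, community, _ = parse_v1_header(msg)
    return version in (0, 1) and community in DEFAULT_COMMUNITIES


if __name__ == "__main__":
    msg = build_v1_get("public", ["1.3.6.1.2.1.1.1.0"])   # sysDescr.0
    print(msg.hex())
    print(parse_v1_header(msg))                            # (0, 'public', 160)
    print("default community in use:", uses_default_community(msg))
```

`parse_v1_header()` is the part worth dwelling on: it recovers the community from the bytes alone, which is exactly what a sniffer on the management segment can do, and why the SNMPv3 material that follows exists.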

Page 24:

Enter SNMPv3

• Framework for incorporating security into SNMPv1 or SNMPv2

  – Introduced 1998

• Not a standalone replacement for either v1 or v2!!

  – Adds security

  – Requires underlying SNMP system

• Not yet completely standardized

Page 25:

SNMPv3 Architecture

Page 26:

Traditional SNMP Manager

Page 27:

Traditional SNMP Agent

Page 28:

SNMPv3 Message Flow

Page 29:

SNMP3 Message Format with USM

Page 30:

User Security Model (USM)

• Designed to secure against:

  – Modification of information (integrity)

  – Masquerade (authentication)

  – Message stream modification (stream integrity)

  – Disclosure (confidentiality)

• Not intended to secure against:

  – Denial of Service (DoS attack)

  – Traffic analysis

Page 31:

In Theory…

• DoS attacks may look like network failure (imagine that!)

• DoS should be dealt with by an overall network security capability, not one embedded in a protocol

• Traffic analysis no problem, as management traffic highly predictable anyway

• What do you think?

Page 32:

USM Encryption

• Authentication (using authKey)

  – HMAC-MD5-96

  – HMAC-SHA1-96

• Encryption (using privKey)

  – DES CBC

  – Uses first 64 bits of the 16-octet privKey

  – Last 64 bits used as IV to DES CBC

• Key values not accessible from SNMP

Page 33:

Authoritative Engine

• SNMP messages with payloads that expect a response (Get…, Set, Inform)

  – Receiver of message is authoritative

• SNMP messages with payloads that do not expect a response (Trap, Response, Report)

  – Sender is authoritative

• So what?

Page 34:

Key Localization

• Allows single user to own keys stored in multiple engines

  – Key localized to each authoritative engine using hash functions

  – Avoids problem of a single key being stored in many places

• Greatly slows brute force attack
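The "USM Encryption" and "Key Localization" slides together describe the RFC 3414 key pipeline: password to Ku, Ku localized to Kul per authoritative engine, Kul used for HMAC-MD5-96 / HMAC-SHA1-96 and split into a DES key and pre-IV. The following is an added example, not code from the lecture, that carries that pipeline through with the Python standard library. The expected values checked in `rfc3414_vectors_match()` are the published RFC 3414 appendix A.3 test vectors (password "maplesyrup", snmpEngineID of eleven zero octets followed by 0x02); the engine IDs and message bytes in `cross_engine_demo()` are constructed.

```python
"""SNMPv3 USM key derivation, localization and HMAC-96 authentication (RFC 3414
sections 2.6, 6 and 7; appendix A). Added example; not code from the lecture.
"""
import hashlib
import hmac

EXPAND_TO = 1048576     # RFC 3414 A.2: the password is repeated out to 1 MiB before hashing
AUTH_TAG_LEN = 12       # the "-96" in HMAC-MD5-96 / HMAC-SHA1-96


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """Ku: hash 1 MiB of the repeated password. That expansion is the cost an offline
    guesser pays per candidate password, which is what 'greatly slows brute force' means."""
    reps, rem = divmod(EXPAND_TO, len(password))
    return hashlib.new(hash_name, password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): one user password, a distinct key per authoritative
    engine, so a key read out of one engine is useless against another."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def split_des_priv_key(kul_priv: bytes):
    """DES-CBC privacy as on the slide: first 8 octets are the DES key, last 8 the pre-IV
    (RFC 3414 8.1.1.1 XORs the pre-IV with a per-message salt to form the actual IV)."""
    return kul_priv[:8], kul_priv[8:16]


def auth_tag(kul_auth: bytes, wire_msg: bytes, hash_name: str) -> bytes:
    """HMAC over the whole message (msgAuthenticationParameters zero-filled), truncated to 96 bits."""
    return hmac.new(kul_auth, wire_msg, hash_name).digest()[:AUTH_TAG_LEN]


def verify_auth(kul_auth: bytes, wire_msg: bytes, tag: bytes, hash_name: str) -> bool:
    """Constant-time comparison, so the verifier does not leak how many tag bytes matched."""
    return hmac.compare_digest(auth_tag(kul_auth, wire_msg, hash_name), tag)


def rfc3414_vectors_match() -> bool:
    """Reproduce the localized keys published in RFC 3414 appendix A.3.1 / A.3.2."""
    engine_id = bytes(11) + b"\x02"
    kul_md5 = localize_key(password_to_key(b"maplesyrup", "md5"), engine_id, "md5")
    kul_sha = localize_key(password_to_key(b"maplesyrup", "sha1"), engine_id, "sha1")
    return (kul_md5.hex() == "526f5eed9fcce26f8964c2930787d82b"
            and kul_sha.hex() == "6695febc9288e36282235fc7151f128497b38f3f")


def cross_engine_demo() -> bool:
    """Same user, two engines: a tag made with engine A's localized key fails at engine B."""
    ku = password_to_key(b"maplesyrup", "sha1")
    kul_a = localize_key(ku, b"engine-A", "sha1")        # constructed engine IDs
    kul_b = localize_key(ku, b"engine-B", "sha1")
    msg = bytes(AUTH_TAG_LEN) + b"constructed SNMPv3 message body"   # auth field zeroed
    tag = auth_tag(kul_a, msg, "sha1")
    return verify_auth(kul_a, msg, tag, "sha1") and not verify_auth(kul_b, msg, tag, "sha1")


if __name__ == "__main__":
    print("RFC 3414 vectors reproduced:", rfc3414_vectors_match())
    print("cross-engine tag rejected:", cross_engine_demo())
```

Note how `password_to_key()` is deliberately the slow step and `localize_key()` the cheap one: an engine stores only its own Kul, so the brute-force cost is paid against the password, not against the per-engine keys.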

Page 35:

Key Localization Process

Page 36:

Timeliness

• Determined by a clock kept at the authoritative engine

  – When the authoritative engine sends a message, it includes the current clock value

    • Nonauthoritative agent synchronizes on clock value

  – When the nonauthoritative engine sends a message, it includes the estimated destination clock value

• These procedures allow assessing message timeliness

• Why do we care?
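The answer to "why do we care" is replay: without the clock, a captured authenticated Set could be resent later and would still verify. The following added example (not code from the lecture) models the RFC 3414 section 3.2.7 timeliness check behind this slide: the authoritative engine owns snmpEngineBoots and snmpEngineTime, the nonauthoritative side keeps a synchronized estimate and stamps its requests with it, and the receiver rejects anything outside a 150-second window or from a different boot epoch. Times are passed in explicitly (constructed, in seconds) rather than read from the system clock so the scenario in `replay_scenario()` is reproducible.

```python
"""USM timeliness check (RFC 3414 section 3.2.7). Added example; not code from the lecture."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

TIME_WINDOW = 150          # seconds either side, fixed by RFC 3414
MAX_BOOTS = 2**31 - 1      # an engine whose boot counter saturates must refuse all traffic


@dataclass
class AuthoritativeEngine:
    """Owns the clock: boots counts restarts, time counts seconds since the last one."""
    boots: int = 1
    booted_at: float = 0.0

    def clock(self, now: float) -> Tuple[int, int]:
        return self.boots, int(now - self.booted_at)

    def reboot(self, now: float) -> None:
        self.boots += 1
        self.booted_at = now

    def accept(self, msg_boots: int, msg_time: int, now: float) -> Tuple[bool, str]:
        """Authoritative receiver: boots must match and the stamp must fall inside the window."""
        boots, time = self.clock(now)
        if boots == MAX_BOOTS:
            return False, "engine boot counter exhausted"
        if msg_boots != boots:
            return False, "notInTimeWindow (boots mismatch)"
        if abs(time - msg_time) > TIME_WINDOW:
            return False, "notInTimeWindow (stale or replayed)"
        return True, "ok"


@dataclass
class NonAuthoritativeEngine:
    """Keeps an estimate of each remote authoritative clock, learned from its messages (e.g. Reports)."""
    known: Dict[bytes, Tuple[int, int, float]] = field(default_factory=dict)   # id -> (boots, time, synced_at)

    def synchronize(self, engine_id: bytes, boots: int, time: int, now: float) -> None:
        cur = self.known.get(engine_id)
        # Only ever move the estimate forward, so an old message cannot drag it back.
        if cur is None or boots > cur[0] or (boots == cur[0] and time > self.estimate(engine_id, now)[1]):
            self.known[engine_id] = (boots, time, now)

    def estimate(self, engine_id: bytes, now: float) -> Tuple[int, int]:
        boots, time, synced_at = self.known[engine_id]
        return boots, time + int(now - synced_at)


def replay_scenario() -> List[bool]:
    """Constructed timeline: a manager talks to an agent, then an old capture is replayed."""
    agent = AuthoritativeEngine(boots=1, booted_at=0.0)
    manager = NonAuthoritativeEngine()
    agent_id = b"agent-1"                                                # constructed engine ID
    manager.synchronize(agent_id, *agent.clock(1000.0), now=1000.0)    # learned from a Report PDU
    results = []
    boots, stamp = manager.estimate(agent_id, 1050.0)
    results.append(agent.accept(boots, stamp, now=1050.0)[0])          # fresh request: accepted
    results.append(agent.accept(boots, stamp, now=1300.0)[0])          # same bytes 250 s later: rejected
    agent.reboot(1300.0)
    results.append(agent.accept(boots, stamp, now=1310.0)[0])          # after a restart: boots mismatch
    manager.synchronize(agent_id, *agent.clock(1310.0), now=1310.0)    # manager re-learns the clock
    boots, stamp = manager.estimate(agent_id, 1320.0)
    results.append(agent.accept(boots, stamp, now=1320.0)[0])          # resynchronized: accepted
    return results


if __name__ == "__main__":
    print(replay_scenario())   # [True, False, False, True]
```

The window only bounds how long a captured message stays valid; a replay inside 150 seconds still passes this check, which is why the slide on "Authoritative Engine" matters for which side's clock is trusted, and why message IDs and request-ids are also checked by a real receiver.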

Page 37:

View-Based Access Control Model (VACM)

• VACM has two characteristics:

  – Determines whether access to a managed object should be allowed

  – Makes use of a MIB that:

    • Defines the access control policy for this agent

    • Makes it possible for remote configuration to be used
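As an added example (not code from the lecture), the VACM decision logic of RFC 3415 reduced to its three tables and the isAccessAllowed() service. The tables are in-memory stand-ins for vacmSecurityToGroupTable, vacmAccessTable and vacmViewTreeFamilyTable (contexts are omitted), and the users, groups and views in `sample_policy()` are constructed; the OIDs named in its comments (the system group, snmpUsmMIB, ifTable) are the standard ones.

```python
"""View-based Access Control Model decision logic (RFC 3415). Added example; not lecture code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

NO_AUTH_NO_PRIV, AUTH_NO_PRIV, AUTH_PRIV = 1, 2, 3   # securityLevel ordering (RFC 3411)
OID = Tuple[int, ...]


def oid(dotted: str) -> OID:
    return tuple(int(a) for a in dotted.strip(".").split("."))


@dataclass
class ViewEntry:
    subtree: OID
    included: bool = True
    mask: Tuple[int, ...] = ()      # per arc: 1 = must match, 0 = wildcard; absent bits count as 1


def _matches(entry: ViewEntry, target: OID) -> bool:
    if len(target) < len(entry.subtree):
        return False
    return all(not (entry.mask[i] if i < len(entry.mask) else 1) or target[i] == arc
               for i, arc in enumerate(entry.subtree))


def in_view(view: List[ViewEntry], target: OID) -> bool:
    """RFC 3415 3.5: the longest matching family decides, and it may be an exclusion."""
    best: Optional[ViewEntry] = None
    for entry in view:
        if _matches(entry, target) and (best is None or len(entry.subtree) > len(best.subtree)):
            best = entry
    return best is not None and best.included


@dataclass
class AccessEntry:
    group: str
    min_level: int                  # minimum securityLevel needed to use this entry
    read_view: Optional[str]
    write_view: Optional[str]


@dataclass
class Vacm:
    sec_to_group: Dict[Tuple[str, str], str] = field(default_factory=dict)   # (model, name) -> group
    access: List[AccessEntry] = field(default_factory=list)
    views: Dict[str, List[ViewEntry]] = field(default_factory=dict)

    def is_access_allowed(self, model: str, name: str, level: int,
                          view_type: str, target: OID) -> Tuple[bool, str]:
        """The isAccessAllowed() abstract service of RFC 3415 3.2, returning the status name."""
        group = self.sec_to_group.get((model, name))
        if group is None:
            return False, "noGroupName"
        usable = [a for a in self.access if a.group == group and a.min_level <= level]
        if not usable:
            return False, "noAccessEntry"
        entry = max(usable, key=lambda a: a.min_level)      # most demanding satisfied entry wins
        view_name = entry.read_view if view_type == "read" else entry.write_view
        if not view_name:
            return False, "noSuchView"
        if not in_view(self.views.get(view_name, []), target):
            return False, "notInView"
        return True, "accessAllowed"


def sample_policy() -> Vacm:
    """Constructed policy: a read-only monitor confined to the system group, and an operator
    who may read everything except the USM MIB and write only ifTable row 1."""
    v = Vacm()
    v.sec_to_group[("usm", "monitor")] = "readers"
    v.sec_to_group[("usm", "netops")] = "operators"
    v.access = [AccessEntry("readers", AUTH_NO_PRIV, "systemOnly", None),
                AccessEntry("operators", AUTH_PRIV, "allButUsm", "ifRow1")]
    v.views = {
        "systemOnly": [ViewEntry(oid("1.3.6.1.2.1.1"))],                    # system group
        "allButUsm": [ViewEntry(oid("1.3.6.1")),
                      ViewEntry(oid("1.3.6.1.6.3.15"), included=False)],    # snmpUsmMIB excluded
        # ifTable row 1, any column: the column arc (index 9) is wildcarded by a 0 mask bit
        "ifRow1": [ViewEntry(oid("1.3.6.1.2.1.2.2.1.0.1"), mask=(1,) * 9 + (0, 1))],
    }
    return v


if __name__ == "__main__":
    v = sample_policy()
    print(v.is_access_allowed("usm", "monitor", AUTH_NO_PRIV, "read", oid("1.3.6.1.2.1.1.1.0")))
    print(v.is_access_allowed("usm", "netops", AUTH_PRIV, "write", oid("1.3.6.1.2.1.2.2.1.7.2")))
```

Two details are worth noticing: an excluded family wins when it is the longer match (so the operator cannot read the USM user table even though "everything" is included), and the security level is a precondition on the access entry, not on the view, so the same user arriving noAuthNoPriv gets `noAccessEntry` before any object is even considered.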

Page 38:

Access Control Logic in VACM

Page 39:

SNMPv3 Security

• SNMPv3 solves SNMP security problems, right?

  – NOT!

• Decent security implementation, but reality is:

  – SNMPv1 still holds ~95% of the market

  – Even SNMPv2 not widely deployed

  – Upgrading to SNMPv3 is difficult and costly (sort of like moving from Win95 to WinXP all at once)

  – There is the issue of proxies and foreign clients

• SNMPv3 is the clear long-term choice

Page 40:

Recent SNMP Security Events

• CERT Advisory 12 Feb 02, Revised 26 Mar 02, warns about potential for

  – unauthorized privileged access (which allows, inter alia, enumeration of SNMP agents)

  – denial of service attacks

  – unstable behavior

• Vulnerabilities in both messages and traps

• Vulnerabilities are in SNMPv1!

Page 41:

This is Not New News!

• After this class, are you surprised?

• These vulnerabilities have been in SNMP since Day One

• Only now, with an increased emphasis on security, are they getting the attention they deserve

• Officially, the vulnerabilities have not been exploited. Unofficially, they have.

Page 42:

Intrusion Detection Systems

• Oddly enough, these are systems designed to detect intrusions into protected systems

• Security intrusion (per RFC 2828):

  – A security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.

Page 43:

What’s a Security Incident?

• A security event that involves a security violation. (See: CERT, GRIP, security event, security intrusion, security violation.)

• In other words, a security-relevant system event in which the system's security policy is disobeyed or otherwise breached.

• "Any adverse event which compromises some aspect of computer or network security." [R2350]

Source: RFC 2828, page 152; emphasis added

Page 44:

Why Do We Need This?

• With the exception of authentication systems, most of the defenses we have studied up to now are directed towards intruders coming from outside the firewall

• These systems are not perfect--some intruders will get through

• Moreover, defenses such as firewalls cannot protect against intruders on the inside

Page 45:

Intrusion Detection Functions

• Monitor protected networks and computers in real time (or as close to real time as is practicable)

• Detect security incidents

  – Requires a policy, and a way for the IDS to know what that policy is

• Respond

  – Raise an alarm

  – Send some automated response to the attacker

Page 46:

IDS vs. Auditing

• Audits tend to be a posteriori

  – But an IDS can be seen as performing a constant, near real time audit function

• To perform an audit, you need to know what the policy is

  – Audit measures departures from the policy norms

  – Audits depend on system logs

Page 47:

Early IDS’s

• Emulated the audit function

  – Crawled the logs, looking for deviations from policy-permitted actions

  – Intent was to speed up the audit, making it nearly real time

  – Still a useful approach

• IDS technology has been around only since the early 1990’s; not too mature

Page 48:

IDS Uses

• Monitor system usage

  – Determine access, usage patterns

  – Plan for capacity engineering

• Monitor specific problem areas

• Serve as a deterrent

  – Sort of like the “burglar alarm” label on a house, even if there is really no alarm

Page 49:

Log Files

• Are evidence if an intrusion occurs

  – Must be stored in their original, unmodified form, otherwise inadmissible in court

  – Provide data from which trends can be deduced

  – Can be subjected to forensic analysis

  – Probably needed to assess level of system compromise/damage and to restore to state prior to intrusion

Page 50:

Legal Issues - 1

• Privacy of your employees

  – Courts have held that employees have little expectation of privacy in the workplace, especially if told so at the outset

    • email can be monitored at work by employer

    • phone calls can be monitored at work by employer

    • doing either of these things outside the workplace violates the wiretap statutes (18 USC § 2516, etc.)

Page 51:

Legal Issues - 2

• What if the IDS discovers illegal acts being performed on/by your network?

  – Employees using the network for illegal activities

  – Outsiders having planted zombie programs so that your system attacks others

  – What is your responsibility and liability?

Page 52:

Legal Issues - 3

• This may be a Catch-22 issue

  – If an attacker is using your system, law enforcement may want you to continue to allow that to happen so they can apprehend the attacker

    • If you interrupt the attack, it could be interpreted as obstruction of justice

  – But, if you allow the attack to continue, you may be liable for damages to those attacked

• Get legal advice--beforehand!

Page 53:

What About Automated Response?

• Tempting capability

• If attacking your system is illegal, what makes your attack on the attacker less illegal?

• What if you are, or are acting on behalf of, a governmental entity and the attacker is also a governmental entity?

  – Casus belli

Page 54:

IDS Architecture

[Figure: five Sensors reporting to a Management Console]

Page 55:

Console

• Monitors and controls sensors

  – Sets policy, alarm levels, etc.

  – Stores logs

• Must have secure communications with sensors

  – Encrypted connection

  – Out of band (OOB)

Page 56:

IDS Types

• Network-based (NIDS)

  – Monitors the network backbone

• Network node-based (NNIDS)

  – Monitors network nodes, not the backbone

• Host-based (HIDS)

  – This is the “log crawler” that started it all

• Gateway (GIDS)

  – NIDS in series with the network

Page 57:

What Can It See?

• Network packets

• OS API calls

• System logs

• How do we merge this data to detect intrusions?

Page 58:

Host-Based

• Sits on a host as a background task

• Monitors (potentially)

  – traffic to and from the host

  – OS API calls

  – system logs

• Adds to processing load on the host, so host must be able to support the extra load

Page 59:

Network-based

• NIDS sensors placed on network backbone

  – Can view only packet traffic passing by, much like a classic passive sniffer

  – Does not place processing load on network, but the NIDS platform must be capable of dealing with network traffic speeds

    • Software can usually handle 100 Mbps

    • Hardware only 2-3 times faster

    • If network is faster, looks only at subset of packets

Page 60:

Network Node-based

• Used to inspect intrusions directly into network nodes

  – Effectively a blending of HIDS and NIDS

  – Used to protect mission-critical machines

  – Again, a background process on existing nodes, so node must be able to handle added processing load

Page 61:

Gateway

• In series with network

  – Often set to block prohibited traffic automatically

  – Think of it as an in-network firewall with an extended rule set

  – Must be able to keep up with network load

Page 62:

Deployment

• Putting in an IDS is a complex and time-consuming affair

  – Typically, start simple and add functionality as you learn more about the network

  – NIDS tends to see more and load network least

  – Follow up with HIDS on selected hosts, perhaps NNIDS on critical nodes

• Policy has to be in place first

Page 63:

Attack Signatures

• Critical to success of any IDS

• Must be maintained, just like virus signatures

  – You want some visibility into this

  – Do you want strangers deciding what is an attack on your critical systems?

• Some IDS’s let you write/modify signatures, others do not

• CVE: http://www.cve.mitre.org/
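The "Early IDS's" slide describes a host-based log crawler, and this slide asks that its signatures be visible and editable. The following added example (not code from the lecture) puts the two together: a single pass over syslog-style records driven by a signature list that sits in plain view at the top of the file, with one pattern rule that needs a rate threshold and one policy rule that fires on a single line. Both the records in `SAMPLE_LOG` and the two signatures are constructed for this illustration; the IP addresses are from the documentation ranges.

```python
"""Signature-driven host log crawler. Added example; not code from the lecture.
Log records and signatures are constructed for this illustration."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass
class Signature:
    sig_id: str
    description: str
    pattern: re.Pattern
    threshold: int = 1     # alert once this many hits from one source ...
    window: int = 60       # ... fall within this many seconds


@dataclass
class Alert:
    sig_id: str
    source: str
    count: int
    first_ts: int
    last_ts: int


# "<epoch seconds> <host> <process>[<pid>]: <message>"
LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<host>\S+) (?P<proc>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$")

SIGNATURES = [
    # Pattern rule with a rate threshold: five failed logins from one address inside a minute.
    Signature("SIG-001", "SSH password guessing",
              re.compile(r"Failed password for .+ from (?P<source>[\d.]+)"), threshold=5, window=60),
    # Policy rule: any account creation is reportable; the source is the host itself.
    Signature("SIG-002", "account created outside change process",
              re.compile(r"new user: name=(?P<account>[^,]+)"), threshold=1),
]

SAMPLE_LOG = """\
1000 gw sshd[311]: Failed password for invalid user admin from 203.0.113.7 port 5001 ssh2
1003 gw sshd[311]: Failed password for invalid user admin from 203.0.113.7 port 5002 ssh2
1005 gw sshd[311]: Failed password for root from 203.0.113.7 port 5003 ssh2
1006 gw sshd[311]: Failed password for root from 203.0.113.7 port 5004 ssh2
1008 gw sshd[311]: Failed password for root from 203.0.113.7 port 5005 ssh2
1009 gw sshd[311]: Failed password for root from 203.0.113.7 port 5006 ssh2
1010 gw sshd[320]: Accepted publickey for ops from 198.51.100.4 port 6000 ssh2
1100 gw sshd[321]: Failed password for ops from 203.0.113.9 port 7000 ssh2
1200 gw sshd[322]: Failed password for ops from 203.0.113.9 port 7001 ssh2
1300 gw sshd[323]: Failed password for ops from 203.0.113.9 port 7002 ssh2
1400 gw useradd[400]: new user: name=backupsvc, UID=1007, GID=1007, home=/home/backupsvc, shell=/bin/sh
"""


def crawl(lines: Iterable[str], signatures: List[Signature]) -> List[Alert]:
    """One pass over the log; one alert per (signature, source) when its threshold is first reached."""
    recent: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    alerts: List[Alert] = []
    for line in lines:
        rec = LINE_RE.match(line)
        if not rec:
            continue                                   # unparseable record; a real crawler would count these
        ts, host = int(rec["ts"]), rec["host"]
        for sig in signatures:
            m = sig.pattern.search(rec["msg"])
            if not m:
                continue
            source = m.groupdict().get("source") or host
            hits = recent[(sig.sig_id, source)]
            hits.append(ts)
            hits[:] = [t for t in hits if ts - t <= sig.window]   # slide the window forward
            if len(hits) == sig.threshold:
                alerts.append(Alert(sig.sig_id, source, len(hits), hits[0], ts))
    return alerts


if __name__ == "__main__":
    for a in crawl(SAMPLE_LOG.splitlines(), SIGNATURES):
        print(f"{a.sig_id} {a.source}: {a.count} hit(s) between t={a.first_ts} and t={a.last_ts}")
```

The slow trickle from 203.0.113.9 never reaches the threshold inside the window, which is the trade-off every rate rule carries: widen the window to catch it and the false-alarm rate on busy hosts rises. That tuning is exactly the "you want some visibility into this" point, and it is only possible when the signature is yours to read and edit.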

Page 64:

IDS Deployment

• First, design the IDS sensor and management layout

• Next, deploy the IDS

  – Test the network for normal operation

  – Test the IDS

    • Run packaged attacks to see if all are detected

    • Document performance and repeat test regularly

  – Tune the IDS

Page 65:

Sampling of IDS Products

• RealSecure: http://www.iss.net/products_services/enterprise_protection/rsnetwork/sensor.php

• NFR: http://www.nfr.net/

• Snort: http://www.snort.org/

• SnortSnarf: http://www.silicondefense.com/software/snortsnarf/

Page 66:

SNMP Summary

• SNMP is widely used for managing clients distributed across a network

• SNMPv1 is simple, effective, and provides the majority of SNMP service in the field

• SNMPv2 adds some functionality to v1

• SNMPv3 is a security overlay for either version, not a standalone replacement

• SNMP security is a major issue!

Page 67:

IDS Summary

• IDS’s can be useful in monitoring networks for intrusions and policy violations

• Up-to-date attack signatures and policy implementations essential

• Many types of IDS available, at least one as freeware

• Serious potential legal implications

• Automated responses to be avoided

Page 68:

Homework

• Read Stallings, Chapter 8

• Do Problems 8.2, 8.4, 8.8, 9.3, 9.7, 9.8, 9.9