IDS and IPS
38
IDS/IPS Santosh Khadsare
-
Upload
santosh-khadsare-cehrhcsaccipgdbaops-mgt -
Category
Education
-
view
1.805 -
download
8
Transcript of IDS and IPS
IDS/IPS
Santosh Khadsare
What is an Intrusion?An intrusion is somebody attempting to break into or misuse your system. The word “misuse” can reflect something severe as stealing confidential data to something minor such as misusing your email system for spam.
Intrusion can be defined as any set of actions that attempt to compromise the integrity, confidentiality or availability of resource.
In the context of info systems, intrusion refers to any unauthorized access, unauthorized attempt to access or damage or malicious use of info resources.
WHO ARE INTRUDERS?
• Outsiders. Intruders from outside the network. They may attempt to go around the firewall to attack machines on the internal network.
• Insiders. Intruders that legitimately use your internal network. These include users who misuse privileges or who impersonate higher privileged users.
HOW DO INTRUDERS GET INTO THE SYSTEM?
• Physical intrusion.
• System intrusion.
• Remote intrusion.
• The main function of an IDS is to warn about suspicious activity taking place, but not to prevent them.
• An IDS specifically looks for suspicious activity and events that might be the result of a virus, worm or hacker.
WHAT IS AN INTRUSION DETECTION SYSTEM?
Intrusion Detection Systems (IDS)
IDS designed to detect security breaches.
IDS designed to aid in mitigating damage caused by hacking.
Basic intent behind IDS: spot something suspicious on NW/system and sound alarm.
May look for data bits that indicate questionable activity or monitor system logs.
Events that sound alarm – may not be an intrusion; any abnormal activity may trigger, depending on configuration.
Intrusion Detection Systems (IDS)
All IDS have three things in common:
Sensors: collect tfc and user activity data and sends to analyzer.
Analyzer: Looks for suspicious activity.
Administrator Interface: If analyzer detects suspicious activity, sends an alert to the Admin Interface.
Intrusion Detection Systems (IDS)Why use an IDS:
To detect attacks and other security violations that are not prevented by other security measures,To detect and deal with the preambles to attacks (commonly experienced as network probes and other “doorknob rattling” activities),To document the existing threat to an organizationTo act as quality control for security design and administration, especially of large and complex enterprisesTo provide useful information about intrusions that do take place, allowing improved diagnosis, recovery, and correction of causative factors.
Intrusion Detection Systems (IDS)
IDS can be configured for:Watch for attacksParse audit logsTerminate a connectionAlert an admin as attacks are happeningProtect system filesExpose a hacker’s techniquesThrow up vulnerabilities that need to be addressedPossibly help to track down hackers
Two main type of IDS:NIDSHIDS
Network Intrusion Detection Systems (NIDS)
Uses sensors to monitor all NW tfc
Cannot see the activities within the computer itself.
Host based Intrusion Detection Systems (HIDS)
Installed on indl workstns / servers
Watches for abnormal activity
NIDs understands and monitors NW tfc, HIDs monitors the computer only on which it is installed.
Gen, HIDS installed on critical servers only due to administrative overheads.
Types of HIDS/NIDS
Signature basedPattern matchingStateful matching
Anomaly basedStatistical anomaly basedProtocol anomaly basedTfc anomaly based
Rule based
Types of HIDS/NIDS
Knowledge or Signature based IDSKnowledge is gained by sensors about how specific attacks are carried out.
Each identified attack has a signature
Eg of a signature: A pkt having the same source and destination address (Land Attack)A TCP header of a pkt in which all values are set to 1s (xmas attack).
Once these type of attack discovered, vendors wrote signatures that looks specially for pkts with same source and destination addresses or with TCP headers flag set to all 1s.
Types of HIDS/NIDS
Knowledge or Signature based IDSMost popular IDS today.
Effectiveness depends on regularly updating signature database.
May not be able to uncover new types of attacks.
Types of HIDS/NIDSState based IDSWhat is a state?Every change that an OS experiences (user log on, opening of aplns, user data input, etc), is a state transition.
Gen happens continuously in any system.
So again, what is a state?A snapshot of an OS’s values in volatile and non-volatile memory locations.
In a state based IDS:Initial state is the state prior to attack execution.Compromised state is the state after successful penetration.The IDS has rules as to which state transitions should trigger alarm.
Types of HIDS/NIDSAn example of State based IDS
•A remote user connects to a system
•Sends data to an apln (data exceeds alloted buffer for this empty variable).
•The data is executed and overwrites the buffer and possibly other memory segments.
•A malicious code executes.
State based IDS looks for activity between initial and compromised state and sends alert if any state transition sequence matches its preconfigured rules.Requires frequent signature updates.
Types of HIDS/NIDSStatistical Anomaly based IDSA behavior based system (also called heuristic IDS).
Does not use a signature database.
Initially put in a learning mode wherein the IDS learns the `normal’ NW activities.
The longer it is in learning mode, more accurate profile of a normal state is built up.
After a profile is built, all future activities are compared to this `normal’ profile.
If an activity exceeds a predefined `normal’ threshold, the alert is triggered.
Types of HIDS/NIDSStatistical Anomaly based IDS - BenefitsCan react to 0 day attacksAlso capable of detecting the low and slow attacks
Statistical Anomaly based IDS – ProblemsMay provide overwhelming number of false positives.If an attacker discovers an IDS on a NW, will try to detect type so that he can circumvent it.With a behavior based IDS, attacker will try to integrate activities in the `normal’ NW usage.If an attack was underway when the IDS was in learning mode, an attack will never be detected.Sends generic alerts compared to specific alerts thrown up by signature based IDS.
Types of HIDS/NIDSStatistical Anomaly based IDSStrength of this IDS lies in determining actual thresholds of normal activity.
Once an attack is iden, the IDS can:Send an alert to the admin’s console.Send an email to a preconfigured address.Kill the connection of the detected attackReconfigure a router/firewall to stop any further similar attacks.
Types of HIDS/NIDSProtocol Anomaly based IDSThese IDS have specific knowledge of each protocol they will monitor.
A protocol anomaly pertains to the format and behavior of a protocol..
The IDS builds a model of each protocol’s `normal’ usage
Eg of protocol anomaly:Data Link Layer: ARP attack where bogus data is inserted in an ARP table.
NW Layer: ICMP can be used in a Loki Attack to move data from one place to another.
Types of HIDS/NIDSTraffic Anomaly based IDSDetects changes in NW tfc patterns
Tfc patterns may change during DoS attacks or when a new service is introduced on the NW.
The IDS learns the normal tfc pattern and sets a threshold.
0 day attacks can be detected.
Types of HIDS/NIDSRule based IDSA signature based IDS is very straightforward – if a pkt has same source/destination address, send alert.
A statistical anomaly based IDS is also straightforward – X logs in his system at 8 AM and logs off at 5 PM everyday. If he logs on at 10 PM, it is an anomaly and an alert is sent.
Rule based IDS gen used in expert systems (Artificial Intelligence).
An expert system has:A knowledge baseAn inference engineRule based programming.
Types of HIDS/NIDSRule based IDSRule based programming refers to - IF situation THEN action.
The rules are applied to facts (data that comes in from a sensor).
Rule based IDS gathers data from sensors/logs, the inference engine uses its pre-programmed rules on it. If characteristics of the rule is met – an alert is triggered.
Eg of a rule based IDS:IF a root user creates file1 AND creates file2 SUCH THAT they are in the
same directory AND the root user opens tool1 TRIGGER send alert.
IDSPlacement of sensorsOutside the FW- detect attacksInside the FW – to detect actual intrusionsHighly sensitive subnetsDMZs
NW Tfc:Every vendor’s IDS product has a threshold.If NW tfc exceeds the threshold, all pkts may not be examined and attacks may go unnoticed.In high tfc environments multiple sensors reqd to be placed to ensure all pkts are investigated.
• Intrusion Prevention System (IPS) is any device (hardware or software) that has the ability to detect attacks, both known and unknown, and prevent the attack from being successful.
WHAT IS IPS?
Intrusion Prevention Systems (IPS)
The bad guys are always one step ahead of the security professionals.
Security professionals try and come up with innovative means to detect and prevent attacks.
IPS is a preventive device rather than a detective device (IDS).
An IPS combines the prevent action of a FW with the in depth pkt analysis function of an IDS.
• Broadly classified into two categories
– Host IPS (HIPS)
– Network IPS (NIPS)
CLASSIFICATION OF IPS
• HIPS is installed directly on the system being protected
• It binds closely with the operating system kernel and services, it monitors and intercepts system calls to the kernel in order to prevent attacks as well as log them.
• It prevents the system from generic attacks for which no “signature” yet exists.
HOST-IPS
• Has two network interfaces, one designated as internal and one as external.
• Packets passed through both interfaces and they determined whether the packet being examined poses a threat.
• If it detects a malicious packet, an alert is raised, the packets are discarded immediately. Legitimate packets are passed through to the second interface and on to their intended destination.
NETWORK-IPS
TYPES OF IPS
• Inline network intrusion protection systems.
• Layer seven switches.
• Application firewalls.
• Hybrid switches.
• Deceptive applications.
INLINE NETWORK IPS
• It is configured with two NICs, one for management and one for detection.
• NIC that is configured for detection usually does not have an IP address assigned .
• It works by sitting between the systems that need to be protected and the rest of the network.
• It inspects the packet for any vulnerabilities that it is configured to look for.
• Placing these devices in front of your firewalls would give protection for the entire network.
• However the drawbacks are that they can only stop attacks that they know about.
• The only attack they can stop that most others IPS can’t are the DoS attacks.
LAYER SEVEN SWITCHES
• These IPSs are loaded on each server that is to be protected.
• These types of IPSs are customizable to each application that they are to protect.
• It profiles a system before protecting it. During the profiling it watches the user’s interaction with the application and the applications interaction with the operating system to determine what legitimate interaction looks like.
• The drawback is that when the application is updated it might have to be profiled again so that it does not block legitimate use.
APPLICATION FIREWALLS
HYBRID SWITCHES • They inspect specific traffic for malicious content as
has been configured .
• Hybrid switch works in similar manner to layer seven switch, but has detailed knowledge of the web server and the application that sits on top of the web server.
• It also fails , if the user’s request does not match any of the permitted requests.
DECEPTIVE APPLICATIONS • It watches all your network traffic and figures out what
is good traffic.
• When an attacker attempts to connect to services that do not exist, it will send back a response to the attacker
• The response will be “marked” with some bogus data. When the attacker comes back again and tries to exploit the server the IPS will see the “marked” data and stop all traffic coming from the attacker.
Honeypots
A system set up as a sacrificial lamb on a NW.
Not locked down.
Modified operational data kept on system to lure hackers to this system rather than going to an actual operational system.
Enables admin to know what types of attacks are occurring.
May also help to track down an intruder.
More the time spent by the hacker on a honeypot, more info can be gained about his techniques.
Honeypots
Legal issues with a honeypotEnticement versus entrapment.
THANK YOU
