Intrusion Detection on a Shoestring Budget
Shane Williams
UT Austin Graduate School of Library and Information Science
Oct. 18, 2000
SANS Network Security 2000
Setting
• Public university department
  – Lean budget
  – Priority on openness
  – Limited technical knowledge
  – Independent faculty
  – Heterogeneous computing environment
Setting
• Implications for security
  – Prime target for crackers
  – Not everyone understands need for security
  – Policy can be hard to implement
  – Solutions must be:
    • Inexpensive
    • Unobtrusive
Solutions
• Focus on Open Source Software
  – Often cost-free
  – Can run on inexpensive hardware
• Prioritize security activities
  – Prevention
  – Detection
  – Maintenance
  – Only then identify
Prevention
• Verify clean systems or detection can be subverted
• Identify platform-specific vulnerabilities
  – Patch operating systems
  – Patch server software (www, ftp, etc.)
• Enforce good user practices (especially as regards passwords).
Detection
• Network based
  – Network Flight Recorder (NFR)
    • Academic Research version
  – Snort
  – Tcpdump
• Host based
  – Tripwire
Detection
• Create a watchtower
  – Minimal open ports
    • SSH
    • Only visible from within subnet
  – Used many of the same tools mentioned above
• About $2000 to $2500
  – FreeBSD OS
  – Commodity components
Network Based IDS
• Switched versus shared may cause complications
  – Network IDS needs to see the network
  – Can work in a switched environment, but:
    • Depends on switching equipment
    • Switches are often controlled outside departments
• False positives
Network Flight Recorder
• Created to act as a “black box” for intrusion detection
• Advantages
  – Records all network traffic
  – Alerts on specific signatures
  – Good query tools
  – Remote interface
Network Flight Recorder
• Disadvantages
  – Data collection takes up space
  – Space management feature didn’t always work
  – No longer freely available
Snort
• Created to be a lightweight network IDS
  – Lightweight meaning compact and efficient
  – Not lightweight on performance
• Advantages
  – Small size
  – Easy to install
  – Open source development means continued enhancement
Snort
• Disadvantages
  – Only saves suspect traffic
  – No query features
    • But other developers are working on this
  – Experiencing growing pains
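The slides describe Snort as alerting on specific signatures while saving only the suspect traffic, and list false positives as a cost of any network-based IDS. The following is an added illustration written for this page, not Snort's own code: a matcher for a small subset of Snort's rule syntax, run over constructed packets. The rule, its sid, the addresses and the payloads are all made up for the example; only the header layout `alert proto src sport -> dst dport (options)` follows Snort's convention.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Rule header in Snort's style:  alert <proto> <src> <sport> -> <dst> <dport> (<options>)
RULE_RE = re.compile(r"^alert\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")


@dataclass
class Rule:
    proto: str
    src: Optional[ipaddress.IPv4Network]  # None stands for "any"
    sport: Optional[int]
    dst: Optional[ipaddress.IPv4Network]
    dport: Optional[int]
    msg: str
    content: bytes  # byte pattern searched for anywhere in the payload
    sid: int


def _net(tok: str) -> Optional[ipaddress.IPv4Network]:
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)


def _port(tok: str) -> Optional[int]:
    return None if tok == "any" else int(tok)


def parse_rule(line: str) -> Rule:
    """Parse one rule. Only the msg, content and sid options are understood,
    and option values may not themselves contain ';' or ':'."""
    m = RULE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable rule: {line!r}")
    proto, src, sport, dst, dport, opts = m.groups()
    options = {}
    for opt in opts.split(";"):
        opt = opt.strip()
        if opt:
            key, _, value = opt.partition(":")
            options[key.strip()] = value.strip().strip('"')
    return Rule(proto.lower(), _net(src), _port(sport), _net(dst), _port(dport),
                options["msg"], options["content"].encode(), int(options["sid"]))


def matches(rule: Rule, pkt: dict) -> bool:
    """Cheap header checks first, the payload search last."""
    if rule.proto != pkt["proto"]:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt["src"]) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt["dst"]) not in rule.dst:
        return False
    if rule.sport is not None and rule.sport != pkt["sport"]:
        return False
    if rule.dport is not None and rule.dport != pkt["dport"]:
        return False
    return rule.content in pkt["payload"]


def run_ids(rules: List[Rule], packets: List[dict]) -> List[Tuple[int, str, dict]]:
    """Return (sid, msg, packet) for each hit. Packets that match nothing are
    discarded, which is the 'only saves suspect traffic' behaviour of the slides."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if matches(rule, pkt):
                alerts.append((rule.sid, rule.msg, pkt))
    return alerts


# Constructed local rule (sids from 1000000 up are Snort's range for locally written rules).
RULES = [parse_rule(
    'alert tcp any any -> 10.0.0.0/24 80 '
    '(msg:"WEB-CGI phf access"; content:"/cgi-bin/phf"; sid:1000001;)'
)]

# Constructed decoded packets standing in for what libpcap would hand over.
PACKETS = [
    # request for the phf CGI on the department web server: true positive
    {"proto": "tcp", "src": "192.0.2.7", "dst": "10.0.0.5", "sport": 40000, "dport": 80,
     "payload": b"GET /cgi-bin/phf HTTP/1.0\r\n\r\n"},
    # the same string inside an archived advisory's URL: false positive
    {"proto": "tcp", "src": "198.51.100.9", "dst": "10.0.0.5", "sport": 40001, "dport": 80,
     "payload": b"GET /archive/cgi-bin/phf-advisory.txt HTTP/1.0\r\n\r\n"},
    # same string but to port 8080, which the rule header excludes: no alert
    {"proto": "tcp", "src": "192.0.2.7", "dst": "10.0.0.5", "sport": 40002, "dport": 8080,
     "payload": b"GET /cgi-bin/phf HTTP/1.0\r\n\r\n"},
    # ordinary page fetch: never recorded
    {"proto": "tcp", "src": "198.51.100.9", "dst": "10.0.0.5", "sport": 40003, "dport": 80,
     "payload": b"GET /index.html HTTP/1.0\r\n\r\n"},
]

if __name__ == "__main__":
    for sid, msg, pkt in run_ids(RULES, PACKETS):
        print(f"[{sid}] {msg}: {pkt['src']} -> {pkt['dst']}:{pkt['dport']}")
```

The second packet is the false-positive case from the Network Based IDS slide: a content-only rule cannot distinguish a request for `/cgi-bin/phf` from a request whose URL merely contains that string, so somebody has to read the saved packet. Keeping only the matching packet (Snort) makes that review cheaper than wading through a full capture (NFR, tcpdump), but it also means there is no surrounding traffic to judge the hit against.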
Tcpdump
• Simple but powerful utility for listening to network traffic
• Advantages
  – Can collect packet payload
  – Indispensable in understanding exploits
• Disadvantages
  – Massive data storage requirements
Tripwire
• Host-based IDS that calculates digital signatures of specified files
• Differences between older open source version and newer commercial version
  – Signed files require pass phrase to change
  – Levels of violation
Tripwire
• Advantages
  – Doesn’t depend on network
  – Minimal false positives
  – Can catch local exploits
Tripwire
• Disadvantages
  – Requires careful setup to prevent subversion
  – Databases must be kept up to date
• Best in hierarchical structure
  – Minimizes possibility of tampering
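The Tripwire slides above describe a host-based IDS that records digital signatures of specified files, a commercial version whose signed database needs a pass phrase to change, levels of violation, and a database that must be kept current and protected from subversion. The following is an added example in the spirit of those slides, not Tripwire's own code or policy format: it baselines a file tree, seals the baseline with an HMAC derived from a pass phrase (standing in for the signed database), assigns a constructed severity per path prefix (standing in for levels of violation), and reports added, removed and modified files. The file names, contents, policy and pass phrase are all constructed, and the check runs on a temporary directory so it works offline.

```python
# Added example in the spirit of Tripwire, not Tripwire's own code or policy format.
import hashlib
import hmac
import json
import os
import shutil
import tempfile
from typing import Dict, List, Tuple

Record = Tuple[str, int, int]  # (sha256 hex digest, size, mode)

# Constructed severity policy by path prefix (longest matching prefix wins);
# it stands in for the "levels of violation" mentioned on the slides.
POLICY = {"bin/": "critical", "etc/": "high", "var/log/": "low"}
DEFAULT_SEVERITY = "medium"


def _file_record(path: str) -> Record:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return h.hexdigest(), st.st_size, st.st_mode


def snapshot(root: str) -> Dict[str, Record]:
    """Fingerprint every regular file under root, keyed by path relative to root."""
    records = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            records[os.path.relpath(full, root).replace(os.sep, "/")] = _file_record(full)
    return records


def _derive_key(passphrase: str) -> bytes:
    # A fixed salt is acceptable here: the key only seals this host's own database.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), b"baseline-db", 100_000)


def seal_database(records: Dict[str, Record], passphrase: str) -> bytes:
    """Serialise the baseline and append an HMAC; edits made without the pass phrase show up."""
    body = json.dumps(records, sort_keys=True).encode()
    tag = hmac.new(_derive_key(passphrase), body, "sha256").hexdigest().encode()
    return body + b"\n" + tag


def open_database(blob: bytes, passphrase: str) -> Dict[str, Record]:
    """Verify the seal before trusting a single entry; refuse on any mismatch."""
    body, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(_derive_key(passphrase), body, "sha256").hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("baseline database altered or wrong pass phrase")
    return {path: tuple(rec) for path, rec in json.loads(body).items()}


def severity(rel_path: str) -> str:
    level, best = DEFAULT_SEVERITY, -1
    for prefix, lvl in POLICY.items():
        if rel_path.startswith(prefix) and len(prefix) > best:
            level, best = lvl, len(prefix)
    return level


def compare(baseline: Dict[str, Record], current: Dict[str, Record]) -> List[Tuple[str, str, str]]:
    """Return sorted (change, severity, path) for every added, removed or modified file."""
    findings = []
    for path in set(baseline) | set(current):
        if path not in current:
            findings.append(("removed", severity(path), path))
        elif path not in baseline:
            findings.append(("added", severity(path), path))
        elif baseline[path] != current[path]:
            findings.append(("modified", severity(path), path))
    return sorted(findings)


def _write(root: str, rel: str, data: bytes, mode: str = "wb") -> None:
    os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
    with open(os.path.join(root, rel), mode) as fh:
        fh.write(data)


def demo() -> dict:
    """Constructed walk-through on a temporary tree: baseline it, alter it, re-check it."""
    root = tempfile.mkdtemp()
    try:
        for rel, data in {"bin/login": b"ELF original", "etc/passwd": b"root:x:0:0::/root:/bin/sh\n",
                          "var/log/messages": b"system booted\n"}.items():
            _write(root, rel, data)
        db = seal_database(snapshot(root), "sample pass phrase")  # taken while the host is clean
        _write(root, "bin/login", b"ELF replaced")                 # same size, different content
        _write(root, "var/log/messages", b"user logged in\n", "ab")  # ordinary log growth
        _write(root, "etc/shadow", b"root:*:0:0:99999:7:::\n")     # file that was not there before
        findings = compare(open_database(db, "sample pass phrase"), snapshot(root))
        try:  # a database edited without the pass phrase fails its seal check
            open_database(db[:10] + b"0" + db[11:], "sample pass phrase")
            tamper_detected = False
        except ValueError:
            tamper_detected = True
        return {"findings": findings, "tamper_detected": tamper_detected}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for change, level, path in demo()["findings"]:
        print(f"{level:8} {change:8} {path}")
```

Two points from the slides show up directly. The replaced binary has the same size as the original, so only the digest catches it, which is why a hash rather than size or timestamp is the basis of the check. And the log file is reported as well: a baseline that is not kept up to date, or a policy that hashes files expected to change, is what turns a low false-positive tool into a noisy one. The seal check is the part the slide's "careful setup to prevent subversion" refers to: the baseline and the pass phrase have to live somewhere the monitored host cannot silently alter, which is the reason the slides prefer running the checks from a hierarchy rather than on each host alone.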
Conclusions
• There are plenty of free tools out there
• Host based better than network based
  – IPv6
  – Encrypted traffic
• Tripwire is a preferred tool
  – Works well now to detect attacks
  – Potential to be enhanced even more
Questions? Comments?
URLs
• Network Flight Recorder
  – http://www.nfr.com/
• Snort
  – http://www.snort.org/
• Tripwire
  – http://www.tripwire.com/
• Updated info
  – http://www.gslis.utexas.edu/~shanew/security.html