IPS Lecture
8/11/2019 IPS Lecture
http://slidepdf.com/reader/full/ips-lecture 1/25
Network Intrusion Detection Systems
MM Clements
A Adekunle
Lecture Overview
• Taxonomy of intrusion detection systems
• Promiscuous and inline mode protection: IDS, IPS
• IDS and IPS deployment considerations and example
• Cisco IDS family
• Snort
• IDS/IPS vulnerabilities
• How to protect the IDS
• Unified Threat Management (UTM)
• Summary
Engineering and Management of Secure Computer Networks
Intrusion Detection
• Detection of, and protection from, attacks against networks
• Three types of network attacks:
  – Reconnaissance
  – Access
  – Denial of service
Intrusion detection system (IDS)
• An intrusion detection system (IDS) is software or hardware designed to monitor, analyze and respond to events occurring in a computer system or network, looking for signs of possible incidents that violate security policies.
  – These violations can be unwanted attempts to access, manipulate or disable computer systems, mainly via a network such as the Internet.
Classification of Intrusion Detection
• Signature based intrusion detection
  – Also known as misuse detection
  – A signature based IDS monitors packets on the network and compares them against a database of signatures or attributes of known malicious threats.
  – Similar to the way most antivirus software detects malware.
  – Examples: Cisco Sensors 4200 series, Snort
  – Less prone to false positives
  – Unable to detect zero-day threats whose signatures are not yet available
Signature based intrusion detection
• Signatures: a set of patterns pertaining to typical intrusion activity that, when matched, generate an alarm
• Signature types:
  – Atomic: the trigger is contained in a single packet
    • Example: looking for the pattern "/etc/passwd" in the traffic
  – Composite: the trigger is contained in a series of multiple packets
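The atomic/composite distinction above, as an added example that is not from the lecture or from any Cisco or Snort product: a small Python sensor with one atomic signature (the "/etc/passwd" pattern inside a single packet) and two composite signatures, one counting SYNs to distinct ports per source (a reconnaissance scan, where no single packet is suspicious) and one matching the same pattern on the reassembled flow so that a request split across two TCP segments is still caught. The packet trace, thresholds and signature IDs are constructed for the example.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: str = ""      # TCP flags as letters, e.g. "S" = SYN, "PA" = PSH+ACK
    payload: bytes = b""
    ts: float = 0.0      # capture time in seconds


@dataclass
class Alert:
    sid: int
    msg: str
    src: str


def atomic_passwd(pkt: Packet) -> Alert | None:
    """Atomic signature: the trigger is fully contained in one packet."""
    if b"/etc/passwd" in pkt.payload:
        return Alert(1000001, "atomic: /etc/passwd in payload", pkt.src)
    return None


class SynScanDetector:
    """Composite signature: one source sends SYNs to at least `threshold`
    distinct ports within `window` seconds (reconnaissance). State has to be
    kept across packets because no single SYN is suspicious on its own."""

    def __init__(self, threshold: int = 5, window: float = 2.0):
        self.threshold, self.window = threshold, window
        self._hist: dict[str, list[tuple[float, int]]] = defaultdict(list)
        self._fired: set[str] = set()

    def feed(self, pkt: Packet) -> Alert | None:
        if "S" not in pkt.flags or "A" in pkt.flags:   # pure SYN only
            return None
        # Sliding window: forget SYNs older than `window` seconds.
        hist = [(t, p) for t, p in self._hist[pkt.src] if pkt.ts - t <= self.window]
        hist.append((pkt.ts, pkt.dport))
        self._hist[pkt.src] = hist
        ports = {p for _, p in hist}
        if len(ports) >= self.threshold and pkt.src not in self._fired:
            self._fired.add(pkt.src)
            return Alert(1000002, f"composite: SYN scan of {len(ports)} ports", pkt.src)
        return None


class StreamPasswdDetector:
    """Composite signature: the same pattern, but matched on the reassembled
    flow so a request split across two TCP segments is still caught. Only the
    last len(pattern)-1 bytes of each flow are retained, so memory is bounded."""

    def __init__(self, pattern: bytes = b"/etc/passwd"):
        self.pattern = pattern
        self._tail: dict[tuple[str, str, int], bytes] = defaultdict(bytes)

    def feed(self, pkt: Packet) -> Alert | None:
        key = (pkt.src, pkt.dst, pkt.dport)
        data = self._tail[key] + pkt.payload
        self._tail[key] = data[-(len(self.pattern) - 1):]
        if self.pattern in data:
            self._tail.pop(key, None)
            return Alert(1000003, "composite: /etc/passwd in reassembled stream", pkt.src)
        return None


def run_sensor(packets: list[Packet]) -> list[Alert]:
    """Run the atomic and both composite signatures over a trace."""
    scan, stream = SynScanDetector(), StreamPasswdDetector()
    alerts: list[Alert] = []
    for pkt in packets:
        for alert in (atomic_passwd(pkt), scan.feed(pkt), stream.feed(pkt)):
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed trace: a six-port SYN scan, one whole request for /etc/passwd,
# and the same request split over two segments (which the atomic rule misses).
TRACE = [
    *[Packet("10.0.0.5", "192.0.2.10", p, "S", ts=0.1 * i)
      for i, p in enumerate((21, 22, 23, 25, 80, 443))],
    Packet("10.0.0.7", "192.0.2.10", 80, "PA", b"GET /../../etc/passwd HTTP/1.0\r\n", 1.0),
    Packet("10.0.0.8", "192.0.2.10", 80, "PA", b"GET /../../etc/pa", 2.0),
    Packet("10.0.0.8", "192.0.2.10", 80, "PA", b"sswd HTTP/1.0\r\n", 2.1),
]

if __name__ == "__main__":
    for a in run_sensor(TRACE):
        print(f"sid={a.sid} src={a.src} {a.msg}")
```

Running it shows four alerts: the scan fires on the fifth distinct port, the whole request trips both the atomic and the stream rule, and the split request is caught only by the stream rule. That last case is why production sensors reassemble TCP streams before applying content signatures.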
Types of Intrusion Detection Systems
• Host based intrusion detection systems (HIDS)
  – Software agents installed on computers to monitor the device's inbound and outbound packets
  – Performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
  – Examples: Cisco Security Agent (CSA), OSSEC, Tripwire
[Figure: Host-Based Intrusion Detection. An agent runs on each host: the DNS server, the WWW server and the hosts on the corporate network, behind the firewall that separates them from the untrusted network.]
Types of Intrusion Detection Systems
• Network-based intrusion detection systems (NIDS)
  – Connected to network segments to monitor, analyze and respond to network traffic.
  – A single IDS sensor can monitor many hosts
  – NIDS sensors are available in two formats:
    • Appliance: a specialized hardware sensor with its own dedicated software. The hardware consists of specialized NICs, processors and hard disks to capture traffic and perform analysis efficiently.
      – Examples: Cisco IDS 4200 series, IBM RealSecure Network
    • Software: sensor software installed on a server and placed in the network to monitor network traffic.
      – Examples: Snort, Bro, Untangle
[Figure: Network-Based Intrusion Detection. Sensors are attached to the network segments carrying the DNS server, WWW server and corporate network traffic behind the firewall to the untrusted network, and report to a management system.]
Inline-Mode Protection: IPS
[Figure: the sensor sits in the forwarding path between the untrusted network and the target, with a management system attached to it.]
• The sensor resides in the data forwarding path.
• If a packet triggers a signature, it can be dropped before it reaches its target.
• An alert can be sent to the management console.
IDS and IPS Deployment Considerations
– Deploy an IDS sensor in areas where you cannot deploy an inline device or where you do not plan to use deny actions.
– Deploy an IPS sensor in those areas where you need and plan to use deny actions.
IDS and IPS Deployment Comparison
[Figure: an attacker on the Internet, a firewall, and the inside network, with one sensor placed outside the firewall and one inside.]
Sensor on outside:
• Sees all traffic destined for your network
• Has a high probability of raising false alarms (false positives)
• Does not detect internal attacks
Sensor on inside:
• Sees only traffic permitted by the firewall
• Has a lower probability of false alarms (false positives)
• Requires immediate response to alarms
Network based IDS and IPS Deployment
[Figure: the untrusted network enters through a router and firewall with an IPS sensor placed inline; a switch connects the corporate network and the management server; an IDS sensor is attached to the DMZ switch serving the DNS and WWW servers.]
IDS and IPS deployment example in an Enterprise Network
[Figure: a branch office connected through a router fitted with an NM-CIDS module; at the main site a firewall with a sensor facing the untrusted network, a DMZ holding the DNS and WWW servers with its own sensor, the corporate network with a management server, and host agents on the corporate hosts.]
Cisco IDS Family
[Chart: performance in Mbps plotted against network media for the NM-CIDS (10/100 TX), IPS 4215 (10/100/1000 TX), AIP-SSM (10/100/1000 TX), IPS 4240, IDS 4255 and IDSM-2 (1000 SX, 10/100/1000 TX and switched 1000). Performance values shown: 45, 80, 200, 250 and 600 Mbps.]
Snort Modes
• Sniffer mode
  – Used to sniff traffic from the network
  – Traffic is captured using libpcap or WinPcap
  – Traffic is captured directly from the sensor's interface
• Logger mode
  – Simple logging to a file, in binary (tcpdump format) or ASCII
  – Logging into a database (e.g. MySQL)
  – Can be used to build a profile of normal traffic
• Intrusion detection / prevention mode
  – Snort's rules are used in this mode to detect, and when deployed inline to block, unwanted activity
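How rules drive Snort's detection/prevention mode, as an added example (not Snort's own code): a Python evaluator for a small subset of Snort rule syntax, covering the rule header, the msg, content, nocase and sid options and the alert and drop actions, run over constructed packets both in promiscuous (IDS) mode, where a drop rule can only alert, and in inline (IPS) mode, where the packet is withheld from its target as on the inline-mode slide above. The rules, addresses and packets are constructed for the example; real Snort also handles variables, flow state, pcre, preprocessors and much more.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Rule header: action proto src sport -> dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str
    contents: list[tuple[bytes, bool]]   # (pattern, nocase)
    sid: int


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def snort_content_bytes(text: str) -> bytes:
    """Decode Snort content syntax: literal text with |hex bytes| sections."""
    out = b""
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return out


def parse_rule(text: str) -> Rule:
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparsable rule: {text!r}")
    msg, sid, contents = "", 0, []
    # Options are ';'-separated; a bare 'nocase' modifies the preceding content.
    # (msg strings that themselves contain ';' are not handled in this subset.)
    for opt in filter(None, (o.strip() for o in m["opts"].split(";"))):
        key, _, val = opt.partition(":")
        val = val.strip()
        if key == "msg":
            msg = val.strip('"')
        elif key == "content":
            contents.append([snort_content_bytes(val.strip('"')), False])
        elif key == "nocase" and contents:
            contents[-1][1] = True
        elif key == "sid":
            sid = int(val)
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["dst"], m["dport"],
                msg, [tuple(c) for c in contents], sid)


def _field_ok(rule_value: str, actual) -> bool:
    return rule_value == "any" or rule_value == str(actual)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (_field_ok(rule.src, pkt.src) and _field_ok(rule.sport, pkt.sport)
            and _field_ok(rule.dst, pkt.dst) and _field_ok(rule.dport, pkt.dport)):
        return False
    # Every content option must be present (case-folded when nocase is set).
    for pattern, nocase in rule.contents:
        hay = pkt.payload.lower() if nocase else pkt.payload
        needle = pattern.lower() if nocase else pattern
        if needle not in hay:
            return False
    return True


def process(rules: list[Rule], pkt: Packet, inline: bool) -> tuple[str, list[str]]:
    """Evaluate all rules against one packet and return (verdict, messages).
    In promiscuous (IDS) mode a 'drop' rule can only raise an alert; in inline
    (IPS) mode the packet is withheld from its target."""
    verdict, messages = "forward", []
    for rule in rules:
        if rule_matches(rule, pkt):
            messages.append(f"[{rule.sid}] {rule.msg}")
            if rule.action == "drop" and inline:
                verdict = "drop"
    return verdict, messages


# Constructed rules and packets (addresses from the documentation ranges).
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> any 80 (msg:"WEB-MISC /etc/passwd access"; content:"/etc/passwd"; nocase; sid:1000001;)',
    'drop tcp any any -> 192.0.2.10 22 (msg:"SSH to DMZ host not allowed"; sid:1000002;)',
    'alert tcp any any -> any 80 (msg:"HTTP header terminator"; content:"|0d 0a 0d 0a|"; sid:1000003;)',
)]
PACKETS = [
    Packet("tcp", "10.0.0.7", 40000, "192.0.2.10", 80, b"GET /../../ETC/PASSWD HTTP/1.0\r\n\r\n"),
    Packet("tcp", "10.0.0.9", 40001, "192.0.2.10", 22, b"SSH-2.0-OpenSSH_8.9\r\n"),
    Packet("udp", "10.0.0.9", 53000, "192.0.2.10", 53, b"\x12\x34\x01\x00"),
]

if __name__ == "__main__":
    for inline in (False, True):
        for pkt in PACKETS:
            verdict, msgs = process(RULES, pkt, inline=inline)
            print("IPS" if inline else "IDS", pkt.src, "->", pkt.dport, verdict, msgs)
```

The SSH packet shows the difference between the two deployments: the same drop rule yields "forward" plus an alert in IDS mode and "drop" in IPS mode, which is exactly the deployment choice the next slides discuss (use IPS only where you intend to deny).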
IDS/IPS Vulnerabilities
• Cisco IPS packet handling DoS
  – In July 2006, a DoS vulnerability was discovered in Cisco IPS 4200 series models running version 5.1 software.
• Snort rule matching backtrack DoS
  – Snort versions 1.8 through 2.6 had a DoS vulnerability, found on January 11, 2007, in which a crafted packet exploits Snort's rule matching algorithm. This could slow the algorithm down to the point where detection becomes unavailable. Snort was quick to release version 2.6.1, which corrected this issue.
How to protect IDS?
• Don't run any other service on your IDS sensor.
• The platform on which you run the IDS should be patched with the latest releases from your vendor.
• Configure the IDS machine so that it does not respond to ping (ICMP Echo) packets.
• Create no user accounts except those that are absolutely necessary.
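The hardening points above turned into an audit script, as an added example that is not part of the lecture: each check takes the contents of the relevant file or command output as a string, so it runs offline on the constructed samples here and, on a real Linux sensor, on the output of `ss -Hlntu`, `/proc/sys/net/ipv4/icmp_echo_ignore_all` and `/etc/passwd`. The allow-lists of permitted listeners and necessary accounts are assumptions made for the example; the patch-level check is left out because it is distribution-specific.

```python
from __future__ import annotations

# Assumed policy for this example: the sensor may only listen for its
# management channel (SSH) and only these accounts are considered necessary.
ALLOWED_LISTENERS = {("tcp", 22)}
ALLOWED_ACCOUNTS = {"root", "snort", "ids-admin"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def listening_sockets(ss_output: str) -> list[tuple[str, int]]:
    """Parse `ss -Hlntu` lines into (proto, port).
    Assumed columns: Netid State Recv-Q Send-Q Local:Port Peer:Port."""
    found = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5:
            continue
        proto, local = cols[0], cols[4]
        port = local.rsplit(":", 1)[-1]
        if port.isdigit():
            found.append((proto, int(port)))
    return found


def unexpected_services(ss_output: str) -> list[tuple[str, int]]:
    """Listeners that are not on the allow-list (rule 1: no extra services)."""
    return sorted(set(listening_sockets(ss_output)) - ALLOWED_LISTENERS)


def icmp_echo_ignored(sysctl_value: str) -> bool:
    """True when /proc/sys/net/ipv4/icmp_echo_ignore_all reads 1 (rule 3)."""
    return sysctl_value.strip() == "1"


def interactive_accounts(passwd_text: str) -> list[str]:
    """Accounts with a real login shell; system accounts on nologin are fine."""
    users = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) < 7:
            continue
        name, shell = parts[0], parts[6]
        if shell not in NOLOGIN_SHELLS:
            users.append(name)
    return users


def unnecessary_accounts(passwd_text: str) -> list[str]:
    """Interactive accounts outside the necessary set (rule 4)."""
    return [u for u in interactive_accounts(passwd_text) if u not in ALLOWED_ACCOUNTS]


def audit(ss_output: str, sysctl_value: str, passwd_text: str) -> list[str]:
    """Return the findings; an empty list means the sensor passes all checks."""
    findings = []
    for proto, port in unexpected_services(ss_output):
        findings.append(f"unexpected service listening: {proto}/{port}")
    if not icmp_echo_ignored(sysctl_value):
        findings.append("sensor answers ICMP echo (set net.ipv4.icmp_echo_ignore_all=1)")
    for user in unnecessary_accounts(passwd_text):
        findings.append(f"unnecessary interactive account: {user}")
    return findings


# Constructed samples: a sensor that still runs a web UI and a database,
# answers ping, and has a leftover personal account.
SAMPLE_SS = """\
tcp   LISTEN 0 128   0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0 128   0.0.0.0:80      0.0.0.0:*
tcp   LISTEN 0 80    127.0.0.1:3306  0.0.0.0:*
udp   UNCONN 0 0     0.0.0.0:68      0.0.0.0:*
"""
SAMPLE_SYSCTL = "0\n"
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
snort:x:999:999::/var/log/snort:/usr/sbin/nologin
ids-admin:x:1000:1000::/home/ids-admin:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_SS, SAMPLE_SYSCTL, SAMPLE_PASSWD):
        print("FAIL:", finding)
```

On the samples the audit reports five findings (three extra listeners, ICMP echo enabled, and the account bob); run against a clean sensor it returns an empty list, which is the state you want before the sensor goes into a position where attackers can reach it.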