Network Security IDPS


Transcript of Network Security IDPS

  • 8/17/2019 Network Security IDPS

Intrusion Detection & Prevention System

Can we do everything manually?

• Do we really need some automated mechanisms?
• Let's have a look at this clip.

Intruders

• Significant issue: hostile/unwanted trespass, ranging from benign to serious
• User trespass
  – unauthorized logon, privilege abuse
• Software intrusion/trespass
  – virus, worm, or Trojan horse

Classes of intruders

• Three classes of intruders: masquerader, misfeasor, clandestine user
  – masquerader: an unauthorized individual who penetrates a system
  – misfeasor: a legitimate user who accesses data they are not authorized to access
  – clandestine user: an individual who seizes supervisory control of the system, e.g. to remove the audit logs

Intrusion

• The action of intruding
  – e.g. "he was furious about this intrusion into his private life"

Examples of Intrusion

• remote root compromise (e.g. of an email server)
• web server defacement
• guessing/cracking passwords
• copying/viewing sensitive data/databases (credit card numbers, grades)
• running a packet sniffer (to capture passwords)
• distributing pirated software (anonymous FTP servers)
• using an unsecured modem to access the network
• impersonating a user to reset a password
• using an unattended workstation

Security Intrusion & Detection

Security Intrusion: a security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.

Intrusion Detection: a security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner.

(Both definitions are those of RFC 4949, the Internet Security Glossary.)

Hackers

• motivated by the thrill of access and by status
  – status is determined by level of competence
• benign intruders might be tolerable
  – but they do consume resources and may slow performance
  – can't know in advance whether an intruder is benign or harmful
• IDS / IPS / VPNs can help counter them
• awareness led to the establishment of CERTs
  – collect / disseminate vulnerability info / responses

Hacker Behavior Example

1. select target using IP lookup tools
2. map network for accessible services
   – map reachable hosts and open ports (e.g. via Nmap)
3. identify potentially vulnerable services
4. brute force (guess) passwords
5. install remote administration tool
6. wait for admin to log on and capture password
7. use password to access remainder of network

Criminal Enterprise

• organized groups of hackers are now a threat
  – corporations / governments / loosely affiliated gangs
  – typically young
  – often Eastern European (e.g. the DarkMarket.org meetings)
  – common target: credit cards on e-commerce servers
• criminal hackers usually have specific targets
• once penetrated, they act quickly and get out
• IDS / IPS help but are less effective against them
• sensitive data needs strong protection

Criminal Enterprise Behavior

1. act quickly and precisely to make their activities harder to detect
2. exploit the perimeter via vulnerable ports
3. use Trojan horses (hidden software) to leave back doors for re-entry
4. use sniffers to capture passwords
5. do not stick around until noticed
6. make few or no mistakes

Insider Attacks

• among the most difficult to detect and prevent
• employees have access & systems knowledge
• may be motivated by revenge / entitlement
  – when employment is terminated
  – taking customer data when moving to a competitor
• IDS / IPS may help, but also need:
  – least privilege, log monitoring, strong authentication
  – a termination process to lock access & take a mirror image of the employee's HD (for future forensic purposes)

Insider Behavior Example

1. create network accounts for themselves and their friends
2. access accounts and applications they wouldn't normally use for their daily jobs
3. e-mail former and prospective employers
4. conduct furtive (covert) instant-messaging chats
5. visit web sites that cater to disgruntled employees, such as f'dcompany.com
6. perform large downloads and file copying
7. access the network during off hours

Third-party / Contractual Employees

• most dangerous
• not a part of the company
• yet have access to almost every system

Intrusion Techniques

• objective: to gain access or increase privileges
• initial attacks often exploit system or software vulnerabilities to execute code and obtain a backdoor
  – e.g. buffer overflow
• or to gain protected information
  – e.g. password guessing or acquisition

Intrusion Detection Systems

• intrusion detection systems (IDSs) are classified as:
  1. Host-based IDS: monitors the activity of a single host
  2. Network-based IDS: monitors network traffic
• logical components:
  1. sensors: collect data (network packets, log files, payload)
  2. analyzers: determine whether an intrusion has occurred
  3. user interface: manage / direct / view the IDS

Some Terminology

• True positive = correctly identified (an intrusion that is flagged)
• False positive = incorrectly identified (benign activity that is flagged)
• True negative = correctly rejected (benign activity that is passed)
• False negative = incorrectly rejected (an intrusion that is missed)

Consider the Example of a Biometric System

• Possibilities
  – True positive: give access to the right person
  – False positive (incorrectly identified): give access to the wrong person
  – True negative (correctly rejected): deny access to the wrong person
  – False negative (incorrectly rejected): deny access to the right person

IDS Principles

• Assumption: intruder behavior differs from that of legitimate users
  – expect overlap, as shown in the figure (the distributions of intruder and legitimate-user behavior are not disjoint)
  – for legitimate users: observe major deviations from past history
  – problems of:
    • false positives: a valid user identified as an intruder
    • false negatives: an intruder not identified
  – must compromise: a threshold that reduces one kind of error increases the other

Host-based IDS

• specialized software that monitors system activity to detect suspicious behavior
  – primary purpose is to detect intrusions, log suspicious events, and send alerts
  – can detect both external and internal intrusions
• two approaches, often used in combination:
  – anomaly detection: observe normal/expected behavior over a period of time, then apply statistical tests to detect an intruder
    • threshold detection: define thresholds for the frequency of various events
    • profile-based: detect changes in behavior (e.g. time/duration of login)
  – signature detection: define proper (or bad) behavior as rules/patterns and match against them to detect an intruder

Anomaly Detection

• threshold detection
  – checks for excessive event occurrences over time
  – on its own, a simple and ineffective intruder detector
  – must determine both the thresholds and the time intervals
  – many false positives / false negatives are possible
• profile-based
  – characterize past behavior of users/groups
  – then detect significant deviations
  – based on analysis of audit records: gather metrics

Example of metrics

• Counter: e.g., number of logins during an hour, number of times a command is executed (a non-negative count that only increases until it is reset)
• Gauge: e.g., the number of outgoing message packets (a value that can go up or down)
• Interval timer: the length of time between two events, e.g., two successive logins
• Resource utilization: quantity of resources used (e.g., number of pages printed)
• Mean and standard deviation (of each metric, as the basis for the statistical tests)
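The following is an added example, not code from the lecture, that puts the two previous slides together: it builds a profile (mean and standard deviation of a per-user daily login counter) from constructed baseline audit records, runs both threshold detection and profile-based detection over a constructed observation day, and scores the alerts with the true/false positive/negative terminology of the terminology and IDS-principles slides. The record layout, the user names and counts, the fixed limit, and the k-sigma rule with a floor of one login under sigma are all assumptions made for the illustration.

```python
"""Threshold and profile-based anomaly detection over constructed audit
records. Added example, not code from the lecture; the record layout
(day, hour, user, event), the users, counts and thresholds are assumptions."""
from collections import Counter, defaultdict
from statistics import mean, pstdev


def make_records(day, user, n_logins, start_hour=9):
    """Constructed audit records: one (day, hour, user, event) tuple per login."""
    return [(day, (start_hour + i) % 24, user, "login") for i in range(n_logins)]


# Baseline period (days 1-5, constructed): alice logs in about twice a day,
# bob nine times a day (an operator), carol once a day.
BASELINE_COUNTS = {"alice": [2, 3, 2, 1, 2], "bob": [9] * 5, "carol": [1] * 5}
BASELINE = [r for user, counts in BASELINE_COUNTS.items()
            for day, n in enumerate(counts, start=1)
            for r in make_records(day, user, n)]

# Observation day (day 6, constructed): alice's account is being abused
# (7 logins), bob behaves as usual, carol logs in once more than usual.
OBSERVED = (make_records(6, "alice", 7) + make_records(6, "bob", 9)
            + make_records(6, "carol", 2))
TRUTH = {"alice": True, "bob": False, "carol": False}  # constructed ground truth


def daily_counters(records):
    """Counter metric: number of logins per (user, day)."""
    counts = Counter()
    for day, _hour, user, event in records:
        if event == "login":
            counts[(user, day)] += 1
    return counts


def build_profiles(records):
    """Profile-based detection: per-user mean and standard deviation of the
    daily login counter, computed from the baseline records."""
    per_user = defaultdict(list)
    for (user, _day), n in daily_counters(records).items():
        per_user[user].append(n)
    return {user: (mean(v), pstdev(v)) for user, v in per_user.items()}


def threshold_detect(records, limit):
    """Threshold detection: one fixed limit on the daily counter, the same
    for every user. Returns the set of users whose count exceeds it."""
    return {user for (user, _day), n in daily_counters(records).items() if n > limit}


def profile_detect(records, profiles, k):
    """Profile-based detection: flag a user whose daily counter deviates
    from the baseline mean by more than k standard deviations. A floor of
    one login is placed under sigma so that a user with a perfectly regular
    baseline is not flagged by any change at all (assumption)."""
    flagged = set()
    for (user, _day), n in daily_counters(records).items():
        mu, sigma = profiles.get(user, (0.0, 0.0))
        if abs(n - mu) > k * max(sigma, 1.0):
            flagged.add(user)
    return flagged


def confusion(flagged, truth):
    """True/false positive/negative counts for a set of flagged users
    against the ground truth."""
    result = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for user, is_intruder in truth.items():
        alerted = user in flagged
        key = {(True, True): "TP", (True, False): "FP",
               (False, False): "TN", (False, True): "FN"}[(alerted, is_intruder)]
        result[key] += 1
    return result


if __name__ == "__main__":
    profiles = build_profiles(BASELINE)
    # A single global limit cannot separate alice's 7 logins from bob's
    # normal 9: a low limit flags bob too, a high one misses alice.
    for limit in (5, 9):
        print(f"threshold limit={limit}:", confusion(threshold_detect(OBSERVED, limit), TRUTH))
    # The per-user profile separates them, but k still trades FP for FN.
    for k in (0.5, 2, 6):
        print(f"profile k={k}:", confusion(profile_detect(OBSERVED, profiles, k), TRUTH))
```

Running it shows the compromise of the IDS-principles slide directly: with k = 0.5 carol's one extra login is a false positive, with k = 6 alice's abuse is a false negative, and only a middle value such as k = 2 gets both right on this data.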

Signature Detection

• observe events on the system and apply a set of rules to decide whether the activity is an intrusion
• approaches:
  – rule-based anomaly detection
    • analyze historical audit records to derive rules for expected behavior, then match current behavior against them
  – rule-based penetration identification
    • rules identify known penetrations / weaknesses
    • often built by analyzing attack scripts from the Internet (CERTs = Computer Emergency Response Teams)
    • supplemented with rules from security experts

Example of Rules in a Signature Detection IDS

• users should not be logged in to more than one session
• users do not make copies of system password files
• users should not read in other users' directories
• users must not write other users' files
• users who log in after hours often access the same files they used earlier
• users do not generally open disk devices but rely on high-level OS utilities
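As an added example, not code from the lecture, the deterministic rules above are expressed as predicates over a constructed audit trail and applied as a small rule-based penetration identifier. The audit record fields (user, action, path, session), the path conventions (/home/<user>/..., /etc/passwd and /etc/shadow, /dev/sd* and /dev/nvme* as raw disk devices) and the sample records are assumptions; the after-hours rule on the slide is statistical rather than a fixed predicate and is left out.

```python
"""Rule-based penetration identification: the slide's rules expressed as
predicates over constructed audit records. Added example, not code from
the lecture; record fields, path conventions and sample data are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditRecord:
    user: str
    action: str    # one of: login, read, write, copy, open
    path: str      # file or device involved ("" for login)
    session: str   # session identifier


PASSWORD_FILES = {"/etc/passwd", "/etc/shadow"}
# Raw disk devices (assumed naming): /dev/sda, /dev/sda1, /dev/nvme0n1p2, ...
RAW_DISK = re.compile(r"^/dev/(sd[a-z]\d*|nvme\d+n\d+(p\d+)?)$")


def home_owner(path):
    """User whose home directory the path lies under, or None."""
    m = re.match(r"^/home/([^/]+)/", path)
    return m.group(1) if m else None


def touches_other_home(rec):
    owner = home_owner(rec.path)
    return owner is not None and owner != rec.user


# Stateless rules: (name, predicate over one record). The one-session rule
# needs state across records and is handled separately below.
RECORD_RULES = [
    ("copy-of-password-file",
     lambda r: r.action == "copy" and r.path in PASSWORD_FILES),
    ("read-in-other-users-directory",
     lambda r: r.action == "read" and touches_other_home(r)),
    ("write-to-other-users-file",
     lambda r: r.action == "write" and touches_other_home(r)),
    ("raw-disk-device-opened",
     lambda r: r.action == "open" and RAW_DISK.match(r.path) is not None),
]


def multiple_sessions(records):
    """Stateful rule: a user should not be logged in to more than one session."""
    sessions = defaultdict(set)
    for r in records:
        if r.action == "login":
            sessions[r.user].add(r.session)
    return [("multiple-sessions", user, ",".join(sorted(s)))
            for user, s in sessions.items() if len(s) > 1]


def detect(records):
    """Apply every rule; return (rule name, user, detail) alerts in order."""
    alerts = [(name, r.user, r.path)
              for r in records for name, pred in RECORD_RULES if pred(r)]
    return alerts + multiple_sessions(records)


# Constructed audit trail: alice and bob behave normally, mallory trips
# every rule.
AUDIT = [
    AuditRecord("alice", "login", "", "s1"),
    AuditRecord("alice", "read", "/home/alice/notes.txt", "s1"),
    AuditRecord("bob", "login", "", "s2"),
    AuditRecord("bob", "write", "/home/bob/report.txt", "s2"),
    AuditRecord("mallory", "login", "", "s3"),
    AuditRecord("mallory", "login", "", "s4"),
    AuditRecord("mallory", "copy", "/etc/shadow", "s3"),
    AuditRecord("mallory", "read", "/home/alice/notes.txt", "s3"),
    AuditRecord("mallory", "write", "/home/bob/.bashrc", "s4"),
    AuditRecord("mallory", "open", "/dev/sda1", "s4"),
]

if __name__ == "__main__":
    for alert in detect(AUDIT):
        print(alert)
```

The split between stateless and stateful rules is the point to notice: most signature rules fire on a single audit record, but "more than one session" can only be decided by keeping state across the audit trail, which is also what makes such rules more expensive to evaluate in a real HIDS.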

Distributed Host-based IDS

• Host agent (collects and analyzes audit data on each monitored host)
• LAN agent (analyzes LAN traffic)
• Central manager (receives the agents' reports and correlates them)

Network-based IDS

• network-based IDS (NIDS)
  – monitors traffic at selected points on a network (e.g., rlogins to disabled accounts)
  – in (near) real time, to detect intrusion patterns
  – may examine network, transport and/or application level protocol activity directed toward systems
• comprises a number of sensors
  – inline (possibly as part of another network device): traffic passes through it, so it can also block, which is the basis of an IPS
  – passive (monitors a copy of the traffic, e.g. from a tap or SPAN port)

NIDS Sensor Deployment (typical sensor locations)

1. just inside the external firewall: monitors attacks from outside that penetrate the perimeter
2. outside the external firewall: monitors and documents unfiltered packets (attacks arriving from the Internet); more work for the sensor, since nothing has been filtered yet
3. on the major backbones: protects the backbone networks; monitors both internal and external attacks
4. in front of critical subsystems: a special IDS to provide additional protection for critical systems (e.g., bank accounts)

NIDS Intrusion Detection Techniques

• signature detection
  – at the application layer (e.g. FTP), transport layer (e.g. port scans) and network layer (e.g. ICMP); unexpected application services (a host running an unexpected application); policy violations (website use)
• anomaly detection
  – of denial-of-service attacks, scanning, worms (significant traffic increase)
• when a potential violation is detected, the sensor sends an alert and logs information
  – used by the analysis module to refine intrusion detection parameters and algorithms
  – used by the security admin to improve protection

Honeypots

• are decoy systems
  – filled with fabricated info
  – instrumented with monitors / event loggers
  – divert and hold the attacker to collect activity info
  – without exposing production systems
• initially were single systems
• more recently are/emulate entire networks

Honeypot Deployment

1. outside the external firewall: tracks attempts to connect to an unused IP address; can't help with inside attackers
2. in the DMZ: must make sure the other systems in the DMZ are secure; firewalls may block traffic to the honeypot
3. full internal honeypot: can detect internal attacks (but, if compromised, it sits inside the network)

SNORT

• lightweight IDS
  – open source
  – real-time packet capture and rule analysis
  – passive or inline
  – components: decoder, detector, logger, alerter
• the decoder processes the captured packets into a form the detector can use; the detector (detection engine) does the intrusion detection work by matching packets against the rules; the logger and alerter handle the output

SNORT Rules

• use a simple, flexible rule definition language
• each rule has a fixed header and zero or more options
• header includes: action, protocol, source IP, source port, direction, dest IP, dest port
• many options
• example rule to detect a TCP SYN-FIN scan (Snort keywords, including the action, are lowercase):

    alert tcp $EXTERNAL_NET any -> $HOME_NET any \
        (msg: "SCAN SYN FIN"; flags: SF, 12; \
        reference: arachnids, 198; classtype: attempted-recon;)

This detects an attack at the TCP level; the $ strings are variables with defined values (set in the Snort configuration); any source or destination port is considered; the flags test checks whether exactly the SYN and FIN bits are set, with the two reserved bits (1 and 2) ignored. SYN together with FIN is not a legitimate combination in normal TCP and is characteristic of a scan.
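Below is an added example, not from the lecture or the Snort project, that parses the rule above into its header and options and evaluates the header and flags test against a few constructed packets, which makes the meaning of "SF, 12" concrete. The values assumed for $EXTERNAL_NET and $HOME_NET, the packet dictionary format, and the choice to handle only the "->" direction and the unmodified form of the flags keyword are assumptions.

```python
"""Parse the slide's Snort rule and evaluate its header and flags test
against constructed TCP packets. Added example, not code from the lecture
or from the Snort project: it handles only the header fields named on the
slide, the msg/flags/reference/classtype options the rule uses and the
'->' direction; variable values and packet dicts are assumptions."""
import ipaddress
import re

# TCP flag bits as named by Snort's flags keyword (1 and 2 are the reserved bits)
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "1": 0x40, "2": 0x80}

# Values the $variables would get from the Snort configuration (assumed)
VARS = {"$EXTERNAL_NET": "!10.0.0.0/8", "$HOME_NET": "10.0.0.0/8"}

RULE = r"""alert tcp $EXTERNAL_NET any -> $HOME_NET any \
    (msg: "SCAN SYN FIN"; flags: SF, 12; \
    reference: arachnids, 198; classtype: attempted-recon;)"""

HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)


def parse_rule(text):
    """Split a rule into its fixed header and a dict of its options."""
    joined = " ".join(line.strip().rstrip("\\").strip() for line in text.splitlines())
    m = HEADER_RE.match(joined)
    if not m:
        raise ValueError("not a rule header: %r" % joined)
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options = {}
    for opt in body.split(";"):
        if not opt.strip():
            continue
        key, _, value = opt.partition(":")
        value = re.sub(r"\s*,\s*", ",", value.strip())   # "SF, 12" -> "SF,12"
        options.setdefault(key.strip(), []).append(value)
    return {"action": action.lower(), "proto": proto.lower(),
            "src": VARS.get(src, src), "sport": sport, "dir": direction,
            "dst": VARS.get(dst, dst), "dport": dport, "options": options}


def flags_match(spec, tcp_flags):
    """Snort flags test without a +/*/! modifier: the listed flags must be
    set and every other flag clear, except the bits after the comma, which
    are ignored. 'SF,12' therefore means SYN and FIN set, ACK/RST/PSH/URG
    clear, reserved bits 1 and 2 in any state."""
    tested, _, ignored = spec.partition(",")
    if tested and tested[0] in "+*!":  # Snort has these modifiers; not handled here
        raise ValueError("flag modifier not supported: " + spec)
    want = sum(FLAG_BITS[c] for c in tested)
    ignore_mask = sum(FLAG_BITS[c] for c in ignored)
    return (tcp_flags & ~ignore_mask & 0xFF) == want


def addr_match(spec, ip):
    """'any', a CIDR, or a negated CIDR such as '!10.0.0.0/8'."""
    if spec == "any":
        return True
    negated = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negated


def port_match(spec, port):
    return spec == "any" or int(spec) == port


def evaluate(rule, pkt):
    """Return the rule's action if the packet matches, else None. pkt is a
    constructed dict: proto, src, sport, dst, dport, flags (TCP flag byte)."""
    if rule["proto"] != pkt["proto"]:
        return None
    if not (addr_match(rule["src"], pkt["src"]) and port_match(rule["sport"], pkt["sport"])
            and addr_match(rule["dst"], pkt["dst"]) and port_match(rule["dport"], pkt["dport"])):
        return None
    if not all(flags_match(spec, pkt["flags"]) for spec in rule["options"].get("flags", [])):
        return None
    return rule["action"]


def packet(src, flags, dst="10.1.2.3"):
    """Constructed TCP packet summary from a source host to an inside host."""
    return {"proto": "tcp", "src": src, "sport": 40000, "dst": dst, "dport": 22, "flags": flags}


if __name__ == "__main__":
    rule = parse_rule(RULE)
    print(rule["options"])
    syn, fin, ack = FLAG_BITS["S"], FLAG_BITS["F"], FLAG_BITS["A"]
    print(evaluate(rule, packet("203.0.113.5", syn | fin)))         # alert: SYN+FIN scan
    print(evaluate(rule, packet("203.0.113.5", syn | fin | 0xC0)))  # alert: reserved bits ignored
    print(evaluate(rule, packet("203.0.113.5", syn)))               # None: a normal SYN
    print(evaluate(rule, packet("203.0.113.5", syn | fin | ack)))   # None: ACK set, exact match fails
    print(evaluate(rule, packet("10.9.9.9", syn | fin)))            # None: source is not in $EXTERNAL_NET
```

The two packets that are not alerted on are the instructive ones: a SYN with the ACK bit also set fails because the unmodified flags keyword demands an exact match, and a SYN-FIN from an internal address fails on the header, since "!10.0.0.0/8" excludes it. Ignoring the reserved bits (the ",12") keeps the rule from being evaded by a scanner that sets them.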

Summary

• introduced intruders & intrusion detection
  – hackers, criminals, insiders
• intrusion detection approaches
  – host-based (single and distributed)
  – network-based
  – distributed adaptive
  – exchange format
• honeypots
• SNORT example