Network Intrusion Detection Systems (NIDS)
IDS Definitions
Examples of IDSs in real life:
◦ Car alarms
◦ Fire detectors
◦ House alarms
◦ Surveillance systems
An IDS is any combination of hardware and software that monitors a system or network for malicious activity.
Defined by ICSA as:
◦ The detection of intrusions or intrusion attempts, either manually or via software expert systems that operate on logs or other information available from the system or the network.
An intrusion is a deliberate, unauthorized attempt to access or manipulate information or a system and to render them unreliable or unusable.
When suspicious activity originates from your internal network it can also be classified as misuse.
Another definition:
◦ detecting inappropriate, incorrect, or anomalous activity
◦ misuse detection != intrusion detection
The Puzzle
Intrusion Detection Systems are only one piece of the whole security puzzle.
An IDS must be supplemented by other security and protection mechanisms.
They are a very important part of your security architecture but do not solve all your problems.
Part of "Defense in depth".
Why IDS?
Can be detected:
◦ Mapping
◦ Port scans (tens of thousands of packets)
◦ TCP stack scans (hundreds of thousands of packets)
Identify any of the following types of intrusion:
◦ Input validation errors
◦ Buffer overflow
◦ Boundary Conditions
◦ Access Validation Errors
◦ Exceptional Condition Handling Errors
◦ Environmental Errors
◦ Race Conditions
◦ Many organizations deploy IDS systems
◦ Provide warnings to the network administrator
– The administrator can then improve the network's security
– Vigorous investigation could lead to the attackers
◦ Typical responses to an attack include the following:
– Terminating the session (TCP resets)
– Blocking offending traffic (usually implemented with ACLs)
– Creating session log files
– Dropping the packet
WHY DO I NEED AN IDS, I HAVE A FIREWALL?
An IDS is a dedicated assistant used to monitor the rest of the security infrastructure.
Today's security infrastructures are becoming extremely complex; they include firewalls, identification and authentication systems, access control products, virtual private networks, encryption products, virus scanners, and more. All of these tools perform functions essential to system security. Given their role they are also prime targets, and being managed by humans, they are prone to errors.
Failure of one of the above components of your security infrastructure jeopardizes the systems it is supposed to protect.
WHY DO I NEED AN IDS, I HAVE A FIREWALL?
Not all traffic may go through a firewall, e.g. a modem on a user's computer.
Not all threats originate from outside. As networks use more and more encryption, attackers will aim at the location where data is often stored unencrypted (the internal network).
A firewall does not protect appropriately against application level weaknesses and attacks.
An IDS protects against misconfiguration or faults in other security mechanisms.
REAL LIFE ANALOGY
It's like security at the airport. You can put up all the fences in the world and have strict access control, but the biggest threat is all the PASSENGERS (packets) that you MUST let through! That's why there are metal detectors to detect what they may be hiding (packet content).
You have to let them get to the planes (your application) via the gate (port 80), but without X-rays and metal detectors you can't be sure what they have under their coats.
Firewalls are really good access control points, but they aren't really good for, or designed to, prevent intrusions.
That's why most security professionals back their firewalls up with an IDS, either behind the firewall or at the host.
2. IDS Categories
In-Kernel vs. Userspace
Distributed vs. Atomic
Host-based vs. Network-based
Statistical vs. Signature Detection
Active vs. Passive
Proactive vs. Retroactive
Flat vs. Hierarchical
We consider some basic categories of intrusion detection mechanisms:
◦ By sensor location:
Network-based Intrusion Detection System (NIDS)
Host-based Intrusion Detection System (HIDS)
◦ By method of detection:
Statistical Detection
Signature Detection
NIDS vs HIDS
IDS sensors
[Figure: network diagram showing IDS sensor placement; labels: Internet, firewall, demilitarized zone (web server, FTP server, DNS server, application gateway), internal network; legend: = IDS sensor]
The underlying OS of a sensor needs to be hardened: stripped of unnecessary network services.
Network based IDS
Protects an entire network segment.
Is usually a passive device on the network, and users are unaware of its existence.
Cannot detect malicious code in encrypted packets.
Is cost effective for mass protection.
Requires its own sensor for each network segment.
Host-based IDS
Protects a single system.
Uses system resources such as the CPU and memory from the system.
Provides application level security.
Provides day-one security as a shunt between high and low level processes.
Intrusion detection is performed after decryption.
Used on servers and sensitive workstations, but is costly for mass protection.
Anomaly/Statistical detection
Mostly on a statistical basis
◦ Based on time, frequency, length of session
◦ For example: a person logs on at 03:00 AM and has never done so in the past; this will raise a flag
Detects statistically exceptional events
Learning: watching activity during the 'normal' state and storing patterns (who logs in, what is the origin, when, etc.)
Experience shows that 90% of attacks can be considered as protocol usage anomalies.
Does not require signatures (except what it learns)
We should carefully add knowledge about "normal" activity, such as RFC compliant state machines; it needs much work.
A non-RFC compliant client is not always an attacker: we need flexibility
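A toy version of the learn-then-flag approach described above, as an added example (not code from the slides): it learns which hours and origins each user normally logs in from, then reports logins that fall outside that profile, with a tolerance so that a small deviation is not treated as an attack. The record format, user names and addresses are constructed.

```python
"""Toy statistical (anomaly) detector for login events (added example, not from the slides).
The record format (user, hour of day, origin address) and all sample data are constructed."""
from collections import defaultdict

# Constructed 'normal' baseline observed during the learning phase.
BASELINE = [
    ("alice", 9, "10.0.0.5"), ("alice", 10, "10.0.0.5"), ("alice", 14, "10.0.0.5"),
    ("alice", 17, "10.0.0.7"), ("bob", 8, "10.0.1.3"), ("bob", 9, "10.0.1.3"),
    ("bob", 12, "10.0.1.3"), ("bob", 18, "10.0.1.3"),
]

def learn_profiles(records):
    """Learning: store, per user, the hours and origins seen during normal activity."""
    profiles = defaultdict(lambda: {"hours": set(), "origins": set()})
    for user, hour, origin in records:
        profiles[user]["hours"].add(hour)
        profiles[user]["origins"].add(origin)
    return dict(profiles)

def _hour_distance(a, b):
    """Distance between two hours on the 24-hour clock (23 and 0 are 1 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)

def score_login(profiles, user, hour, origin, tolerance=1):
    """Return the reasons a login is statistically exceptional ([] means normal).

    tolerance: hours within this distance of a learned hour count as normal, so a
    user normally seen at 09:00 is not flagged for 08:00 (the flexibility the
    slide asks for: a deviation from the learned pattern is not automatically an attack)."""
    if user not in profiles:
        return ["unknown user"]
    reasons = []
    if all(_hour_distance(hour, h) > tolerance for h in profiles[user]["hours"]):
        reasons.append(f"login at {hour:02d}:00, never seen before")
    if origin not in profiles[user]["origins"]:
        reasons.append(f"new origin {origin}")
    return reasons

def detect(profiles, events):
    """Score a batch of (user, hour, origin) events; return only the flagged ones."""
    flagged = []
    for user, hour, origin in events:
        reasons = score_login(profiles, user, hour, origin)
        if reasons:
            flagged.append((user, hour, origin, reasons))
    return flagged
```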
Signature-based detection
Sniff traffic on the network
◦ border router
◦ within a LAN
◦ multiple sensors
Match attack signatures
◦ attack signatures in a database
◦ signature: set of rules pertaining to a typical intrusion activity
Simple example rule: any ICMP packet > 10,000 bytes
Example: several thousand SYN packets to different ports on the same host in under a second
◦ skilled security engineers research known attacks and put them in the database
◦ the IDS can be configured to exclude certain signatures, and signature parameters can be modified
Warns the administrator
◦ send e-mail, SMS
◦ send a message to the network management system
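The two example rules above (oversized ICMP packet, fast SYN sweep) as an added example that is not the slides' own code nor that of any product listed on them: a minimal matcher that compares each packet against every enabled signature, with one stateless rule, one stateful rule, tunable parameters, and an exclusion list modelling the administrator disabling a signature. Packet records, addresses and traffic are constructed.

```python
"""Toy signature matcher (added example, not the slides' or any product's code): every
packet is compared with every enabled signature. Packet records are constructed dicts."""
from collections import defaultdict, deque

def large_icmp(pkt, max_bytes=10_000):
    """Stateless signature: any ICMP packet larger than max_bytes (a tunable parameter)."""
    return pkt["proto"] == "icmp" and pkt["size"] > max_bytes

class SynSweep:
    """Stateful signature: >= threshold SYNs to distinct ports on one host within
    window seconds. Fires once per (src, dst) pair; assumes packets arrive in time order."""
    def __init__(self, threshold=2000, window=1.0):
        self.threshold, self.window = threshold, window
        self.seen = defaultdict(deque)   # (src, dst) -> deque of (ts, dport), oldest first
        self.fired = set()

    def __call__(self, pkt):
        if pkt["proto"] != "tcp" or pkt["flags"] != "S":
            return False
        key = (pkt["src"], pkt["dst"])
        hist = self.seen[key]
        hist.append((pkt["ts"], pkt["dport"]))
        while pkt["ts"] - hist[0][0] > self.window:   # expire SYNs outside the window
            hist.popleft()
        if key not in self.fired and len({p for _, p in hist}) >= self.threshold:
            self.fired.add(key)
            return True
        return False

def build_signatures():
    """Fresh signature database (SynSweep carries state, so build one per run)."""
    return {"large_icmp": large_icmp, "syn_sweep": SynSweep()}

def run_ids(packets, signatures, disabled=()):
    """Return (signature, src, dst) alerts; disabled models excluded signatures."""
    alerts = []
    for pkt in packets:
        for name, sig in signatures.items():
            if name not in disabled and sig(pkt):
                alerts.append((name, pkt["src"], pkt["dst"]))
    return alerts

def constructed_traffic():
    """Constructed sample: one oversized ping, then 3000 SYNs to 3000 ports in 0.75 s."""
    pkts = [{"proto": "icmp", "src": "198.51.100.7", "dst": "10.0.0.5",
             "dport": 0, "flags": "", "size": 65_000, "ts": 0.0}]
    pkts += [{"proto": "tcp", "src": "198.51.100.9", "dst": "10.0.0.5",
              "dport": 1 + i, "flags": "S", "size": 60, "ts": 0.1 + i / 4000}
             for i in range(3000)]
    return pkts
```

Note that the per-packet set rebuild makes this O(n) per packet, which is exactly the "every packet compared with each signature" cost the next slide warns about.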
Limitations to signature detection
Requires previous knowledge of the attack to generate an accurate signature
◦ Blind to unknown attacks
No knowledge of the intention of the activity
◦ Triggers alarms even if traffic is benign
Signature bases are getting larger
◦ Every packet must be compared with each signature
◦ IDS can get overwhelmed with processing and miss packets
Current State of IDS
Lots of people are still using firewall and router logs for intrusion detection
IDS are not very mature
Mostly signature based
It is a quickly evolving domain
Giant leaps and progress every quarter
As stated by Bruce Schneier in his book 'Secrets and Lies in a digital world':
Prevention, Detection (getting to this point today), Response
WHAT CAN IDS REALISTICALLY DO
◦ Monitor and analyse user and system activities
◦ Audit system and configuration vulnerabilities
◦ Assess the integrity of critical system and data files
◦ Recognise patterns reflecting known attacks
◦ Statistical analysis for abnormal activities
◦ Data trail: tracing activities from the point of entry up to the point of exit
◦ Installation of decoy servers (honey pots)
◦ Installation of vendor patches (some IDS)
WHAT IDS CANNOT DO
◦ Compensate for weak authentication and identification mechanisms
◦ Investigate attacks without human intervention
◦ Guess the content of your organization's security policy
◦ Compensate for weaknesses in networking protocols, for example IP spoofing
◦ Compensate for integrity or confidentiality of information
◦ Analyze all traffic on a very high speed network
◦ Deal adequately with attacks at the packet level
◦ Deal adequately with modern network hardware
Intrusion Detection System
Intrusion Prevention System
5. IDS Products
Dragon from Enterasys
◦ http://www.enterasys.com/ids/
CISCO Secure IDS
◦ http://www.cisco.com/go/ids/
Snort
◦ http://www.snort.org/
ISS Real Secure
◦ http://www.iss.net/securing_e-business/
SHADOW
◦ http://www.whitehats.ca
◦ ftp://ftp.whitehats.ca/pub/ids/shadow-slack/shadow.iso
References
Knowledge Net CISSP
http://www.snort.org