Intrusion Detection

1. Intrusion Detection (Chapter 12)

2. Intrusion Detection Overview
• An IDS monitors network resources to detect intrusions that were not stopped by preventive techniques (firewalls, packet-filtering routers, proxy servers); it is the burglar alarm to the firewall's locks.
• Many approaches:
  • Passive
  • Active
  • Host-based (HIDS)
  • Network-based (NIDS)
  • Decoys and honeypots

3. IDS
• An IDS compares traffic against a database of signatures that describe specific known attacks, and also looks for anomalies, in order to:
  • identify and stop attackers,
  • support forensic analysis of the attacker's strategy, and
  • keep that strategy from succeeding in the future.

4. Negatives and Positives
• For each activity an IDS observes there are only two possible decisions: it is an attack, or it is benign.
• An IDS must decide correctly in both directions:
  • True positive: an attack that is reported as an attack
  • True negative: benign activity that is left alone
• The two wrong decisions are false negatives (missed attacks) and false positives (benign activity reported as an attack); both are covered next.

5. Dealing with False Negatives and False Positives
• False negatives occur when the traffic pattern is not present in the signature database (or the sensor never saw the traffic at all). To reduce them:
  • Obtain more coverage by using a combination of network-based and host-based IDS
  • Deploy NIDS at multiple strategic locations in the network
• False positives happen when the IDS mistakenly reports benign activity as malicious
  • Best case, a false positive costs human time to diagnose the event.
  • Worst case, an active response to a false positive causes legitimate traffic to be blocked by a router or firewall.
• Tuning is the process by which the administrator tells sensors not to alarm on traffic that is known to be benign in that environment; an untuned sensor produces more alarms than an analyst can review.
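The four outcomes on the previous two slides, tallied and turned into rates, as an added example that is not part of the original presentation. The event sample is constructed, and the last function shows why the false alarm rate matters far more than it looks: when attacks are a tiny fraction of observed events, even a low false alarm rate means most alarms on the console are false positives.

```python
"""IDS decisions as a confusion matrix, plus the base-rate effect on false positives.

Added example, not from the slides.  Each observed activity has a ground truth
(attack or benign) and a sensor verdict (alarm or silent); the four outcomes
are tallied and turned into the rates an administrator tunes against.  The
event sample below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    is_attack: bool   # ground truth, known only in hindsight or in a test set
    alarmed: bool     # the sensor's decision


def constructed_sample():
    """100 constructed events: 3 attacks (2 detected), 97 benign (3 alarmed on)."""
    events = [Event(True, True), Event(True, True), Event(True, False)]
    events += [Event(False, True)] * 3
    events += [Event(False, False)] * 94
    return events


def confusion_counts(events):
    """Return (tp, fp, tn, fn): the four possible outcomes of one IDS decision."""
    tp = sum(1 for e in events if e.is_attack and e.alarmed)
    fp = sum(1 for e in events if not e.is_attack and e.alarmed)
    tn = sum(1 for e in events if not e.is_attack and not e.alarmed)
    fn = sum(1 for e in events if e.is_attack and not e.alarmed)
    return tp, fp, tn, fn


def rates(events):
    tp, fp, tn, fn = confusion_counts(events)
    return {
        # share of real attacks the sensor caught (1 minus this is the false negative rate)
        "detection_rate": tp / (tp + fn) if tp + fn else 0.0,
        # share of benign events the sensor alarmed on
        "false_alarm_rate": fp / (fp + tn) if fp + tn else 0.0,
        # the analyst's view: when the console shows an alarm, how often is it real?
        "precision": tp / (tp + fp) if tp + fp else 0.0,
    }


def precision_at_base_rate(detection_rate, false_alarm_rate, attack_fraction):
    """P(attack | alarm) by Bayes' rule for a given fraction of events that are attacks.

    A sensor with a 1% false alarm rate still buries analysts when only 0.1% of
    observed events are attacks: roughly nine alarms in ten are false positives.
    """
    p_alarm = detection_rate * attack_fraction + false_alarm_rate * (1 - attack_fraction)
    return detection_rate * attack_fraction / p_alarm if p_alarm else 0.0
```

The tuning the slide describes is what drives `false_alarm_rate` down; `precision_at_base_rate` is the number to quote when someone asks why a "99% accurate" sensor still needs tuning.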

6. Types of IDS
• Network-based (NIDS)
  • Monitors network traffic on a specific network or segment
  • The most commonly deployed type; more products exist, in part because of capable open source implementations
• Host-based (HIDS)
  • Monitors activity on the host machine
  • Able to stop attacks while they are in progress, since the agent runs where the attack lands
  • Like any application, a host-based IDS agent consumes CPU, memory and disk on the host it protects
  • Host-based IDS is therefore primarily used to protect critical servers rather than every machine

7. Network-based IDS
• Runs on a dedicated platform such as a network appliance or server
• Analyzes all traffic that passes its sensor
• Sensors have two network connections:
  • a monitoring interface, with its NIC in promiscuous mode to sniff passing traffic; it needs no IP address of its own
  • a management interface, which sends alerts and data to a centralized management system

8. NIDS Architecture
• To decide where to deploy IDS, answer one question first: what do I most need to protect?
• Typical locations for IDS sensors:
  • Just inside the firewall: a chokepoint that all inbound and outbound traffic crosses
  • On the DMZ: the first point of entry for traffic from the Internet
  • On the server farm segment: monitoring of mission-critical application servers
  • On network segments connecting mainframe or midrange hosts

9. Switched Networks
• A switch delivers each frame only to the port where its destination lives, so careful planning is required in switched infrastructures to ensure that the sensor can actually see the passing traffic.
• The Switch Port Analyzer (SPAN) feature (also called port mirroring) makes the switch copy the packets sent and received on a chosen source port or VLAN to the destination port where the sensor is attached.
• Problems exist where switches offer a limited number of SPAN ports or none at all. In addition, a SPAN port that mirrors both directions of a link, or several links, can be handed more traffic than it can carry, and the switch then drops mirrored packets silently.

10. Switched Networks
• All traffic leaving the segment can be monitored from its uplink, because that link is a bottleneck that all such traffic must pass through.
• However, traffic between hosts on the same segment never crosses the uplink and is not monitored.

11. Using a Hub in a Switched Infrastructure
• Adding a hub between the switch and the monitored link avoids some SPAN limitations, but a hub still only lets the sensor watch the single link it sits on. Connecting all the servers to the hub instead would defeat the advantages of having a switched network.
• A hub is also a shared half-duplex medium, so the monitored link drops to half duplex and the sensor port competes with it.
• Further, only fault-tolerant hubs should be used for this design, which significantly increases the cost of the solution.

12. Tap
• Taps are fault-tolerant, hub-like devices used very much like a three-port hub, but the monitoring port only transmits: the sensor cannot inject anything into the tapped link.
• Once installed, a tap copies the normal traffic on its way to the switch and forwards the copy to a hub. The IDS sensor is also connected to the hub and can therefore monitor traffic from multiple hosts.

13. Taps
• Network taps:
  • The monitoring interface needs no IP or MAC address, so the IDS or sniffer is invisible to the network
  • Taps do not require configuration and are generally passive and fault tolerant (a passive tap keeps passing traffic if it loses power)
  • Taps operate at the signal level and do not interpret packets, so they send faithful copies of the actual packets, well formed or not, including malformed frames a switch would discard
  • Taps provide dependable and complete data streams to the IDS; security engineers depend on complete streams to recognize intruder patterns
  • A SPAN port mirrors only what it is configured for, may be set up for one direction only, does not forward errored frames, and when oversubscribed silently drops packets, so the sensor sees half the conversation or a stream with gaps in it
  • Since taps are inline on the link itself, they are not limited to the bandwidth of a SPAN port or the switch's mirroring capacity (a full-duplex link still needs both directions captured, e.g. on two sensor interfaces)

14. NIDS Signature Types
• Signature-based IDS look for known patterns in packet headers and payloads:
  • Port signature: watches for connection attempts to a known or frequently attacked port, e.g. 21 (FTP), 22 (SSH), 23 (Telnet), 25 (SMTP)
  • Header signature: examines each frame and packet header for evidence of tampering or values no conforming stack produces (e.g. illegal TCP flag combinations)
  • String signature: a command-line string issued remotely that is intended to weaken the security of, or alter, the OS, matched in the payload
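The three signature types from the slide implemented as a small matching engine, as an added example that is not code from the presentation or from any IDS product. The packet records are constructed dicts standing in for what a packet decoder would hand to the detection engine; the rule names and the watched-port list are my own choices.

```python
"""A toy signature engine with the three signature types on the slide.

Added example, not from the slides and not any product's rule language.  The
packet records are constructed dicts standing in for what a decoder would hand
the detection engine; the rules and names are my own.
"""
import re
from dataclasses import dataclass

# Constructed packets: a Telnet connection attempt, a SYN/FIN probe, an HTTP
# request carrying a shell path in the query string, and an ordinary TLS hello.
PACKETS = [
    {"src": "10.0.0.5", "dst": "192.0.2.10", "dport": 23, "flags": {"SYN"},
     "ip_len": 60, "payload": b""},
    {"src": "10.0.0.5", "dst": "192.0.2.10", "dport": 80, "flags": {"SYN", "FIN"},
     "ip_len": 40, "payload": b""},
    {"src": "10.0.0.5", "dst": "192.0.2.10", "dport": 80, "flags": {"ACK", "PSH"},
     "ip_len": 120, "payload": b"GET /cgi-bin/test.cgi?cmd=/bin/sh HTTP/1.0\r\n\r\n"},
    {"src": "10.0.0.9", "dst": "192.0.2.10", "dport": 443, "flags": {"ACK", "PSH"},
     "ip_len": 120, "payload": b"\x16\x03\x01\x00\xc0\x01\x00\x00\xbc\x03\x03"},
]


@dataclass(frozen=True)
class Alert:
    sig: str
    kind: str      # "port", "header" or "string"
    src: str
    dst: str
    detail: str


WATCHED_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp"}


def port_signature(pkt):
    """Connection attempt (bare SYN) to a frequently attacked port.

    Matching on destination port alone would alarm on every packet of every
    legitimate session to that port; requiring SYN without ACK keeps it to
    one alert per connection attempt.
    """
    f = pkt["flags"]
    if "SYN" in f and "ACK" not in f and pkt["dport"] in WATCHED_PORTS:
        return Alert("conn-" + WATCHED_PORTS[pkt["dport"]], "port", pkt["src"], pkt["dst"],
                     "connection attempt to port %d" % pkt["dport"])
    return None


def header_signature(pkt):
    """Header values no conforming stack produces: crafted or tampered packets."""
    f = pkt["flags"]
    if {"SYN", "FIN"} <= f:
        return Alert("tcp-syn-fin", "header", pkt["src"], pkt["dst"], "SYN and FIN set together")
    if not f:
        return Alert("tcp-null", "header", pkt["src"], pkt["dst"], "no TCP flags set (null scan)")
    if pkt["ip_len"] < 40:   # minimum IPv4 header (20) plus minimum TCP header (20)
        return Alert("ip-short", "header", pkt["src"], pkt["dst"], "IP total length too small for TCP")
    return None


# String signatures: byte patterns in the payload (bytes regexes so binary payloads work).
STRING_SIGS = [
    ("unix-shell-in-request", re.compile(rb"/bin/(?:ba)?sh\b")),
    ("windows-cmd-in-request", re.compile(rb"cmd\.exe", re.IGNORECASE)),
    ("etc-passwd-read", re.compile(rb"/etc/passwd")),
]


def string_signature(pkt):
    for name, pattern in STRING_SIGS:
        m = pattern.search(pkt["payload"])
        if m:
            return Alert(name, "string", pkt["src"], pkt["dst"], "matched %r" % m.group(0))
    return None


def inspect(packets):
    """Run every signature type over every packet; a packet can raise several alerts."""
    alerts = []
    for pkt in packets:
        for check in (port_signature, header_signature, string_signature):
            alert = check(pkt)
            if alert is not None:
                alerts.append(alert)
    return alerts
```

The SYN-only condition in `port_signature` is the kind of detail tuning adds: without it the port rule fires on every packet of every legitimate SSH or SMTP session, which is exactly the false positive flood the earlier slide warns about.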

15. Network IDS Reactions
• TCP resets
  • The sensor sends a forged TCP reset (RST) segment, which terminates the TCP session, to the victim host. Because the sensor watches a copy of the traffic, the triggering packet has already reached the host; a reset can cut the session short but cannot stop its first packet.
  • The reset is sent with the attacker's IP address and port as its source, and must carry a sequence number the victim will accept. A sniffing sensor can take that number from the session it just observed rather than guess it, but it is racing the attacker's next packet, and a modern stack following RFC 5961 accepts a reset only when its sequence number is exactly the next one expected; any other in-window reset gets a challenge ACK instead.
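The sequence-number rules a sensor-generated reset has to satisfy, as an added example that is not from the presentation. It encodes the original RFC 793 acceptance rule and the stricter RFC 5961 one, and shows that a sensor which sniffs the session computes the number it needs from the attacker's last segment rather than guessing it.

```python
"""Will the victim accept the sensor's reset?  Sequence-number rules for forged RSTs.

Added example, not from the slides.  TCP sequence numbers are 32-bit and wrap, so
all arithmetic is modulo 2**32.  Under the original rule (RFC 793) a receiver
accepts any RST whose sequence number falls inside its receive window; RFC 5961
tightened this: only a RST at exactly RCV.NXT resets the connection, another
in-window RST gets a challenge ACK, and an out-of-window one is dropped.
"""
MOD = 1 << 32


def in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [RCV.NXT, RCV.NXT + RCV.WND), modulo 2**32."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


def rst_disposition(seq, rcv_nxt, rcv_wnd, rfc5961=True):
    """What the receiving stack does with a RST carrying sequence number seq."""
    if not in_window(seq, rcv_nxt, rcv_wnd):
        return "drop"
    if seq == rcv_nxt or not rfc5961:
        return "reset"
    return "challenge-ack"   # receiver replies with an ACK; a genuine peer then re-sends an exact RST


def next_expected(seg_seq, payload_len, syn=False, fin=False):
    """RCV.NXT of the victim after it consumes the segment the sensor just saw.

    SYN and FIN each occupy one sequence number.  A sensor that sniffs the
    session does not have to guess: it computes this from the attacker's last
    segment.  It is still racing the attacker's next packet, which advances
    RCV.NXT again and leaves the sensor's RST behind.
    """
    return (seg_seq + payload_len + int(syn) + int(fin)) % MOD


def blind_rst_attempts(rcv_wnd, rfc5961=True):
    """Worst-case RSTs a blind injector (no visibility) must send to cover the sequence space."""
    if rfc5961:
        return MOD                       # exact match required: 2**32 candidates
    return -(-MOD // rcv_wnd)            # one RST per window: ceil(2**32 / RCV.WND)
```

The practical reading: against an RFC 5961 stack the sensor's reset must land at exactly `next_expected(...)` of the last attacker segment it saw, and only if it arrives before the attacker's following segment; this is why reset-based reaction is unreliable on fast links and why sensors send the RST to both ends.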

16. Network IDS Reactions
• IP session logging
  • The sensor records the packets of the session that triggered an alert.
  • The limitation is that only the trigger packet and those after it are logged, so any preceding packets of the session are lost.
  • IP session logging can also impact sensor performance and quickly consume large amounts of disk space.

17. Network IDS Reactions
• Shunning, or IDS blocking
  • The sensor connects to the firewall or packet-filtering router from its management interface and adds filtering rules that drop the offending source.
  • Shunning is not normally a permanent countermeasure, and it can interfere with legitimate traffic. If the attacker used a spoofed source address, the sensor blocks the real owner of the spoofed IP address; an attacker who knows this can spoof the addresses of business partners, DNS servers or the organization's own networks to get them blocked. Blocks should expire automatically, and a never-block list should protect such addresses.
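The shunning decision with the two safeguards just mentioned (automatic expiry and a never-block list), as an added example that is not from the presentation and not any vendor's sensor-to-firewall integration. The firewall update is modelled as a callback so the logic runs offline; the protected prefixes, the TTL and the fake clock are constructed.

```python
"""Shunning with an expiry and a never-shun list.

Added example, not from the slides and not any vendor's sensor-to-firewall
integration.  The firewall update is modelled as a callback (push_rule) so the
logic runs offline; the protected prefixes and the clock are constructed.
"""
import ipaddress
import time

# Constructed never-shun list: internal ranges, a business partner's block, the
# upstream resolver.  A spoofed attack "from" any of these must not block them.
NEVER_SHUN = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24", "198.51.100.53/32")]


class Shunner:
    def __init__(self, push_rule, ttl_seconds=600, never_shun=NEVER_SHUN, clock=time.time):
        self.push_rule = push_rule          # callable(ip: str, action: "block" | "unblock")
        self.ttl = ttl_seconds
        self.never_shun = never_shun
        self.clock = clock
        self.active = {}                    # ip -> expiry timestamp

    def check(self, ip):
        """Return (allowed, reason) without touching the firewall."""
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_multicast or addr.is_unspecified:
            return False, "not-a-routable-source"
        for net in self.never_shun:
            if addr in net:
                return False, "protected:%s" % net
        return True, "ok"

    def shun(self, ip):
        """Block ip for ttl seconds; returns True only if a new rule was pushed."""
        allowed, _reason = self.check(ip)
        if not allowed:
            return False
        now = self.clock()
        if ip in self.active and self.active[ip] > now:
            self.active[ip] = now + self.ttl   # already blocked: extend, do not push a duplicate rule
            return False
        self.active[ip] = now + self.ttl
        self.push_rule(ip, "block")
        return True

    def expire(self):
        """Remove rules whose ttl has elapsed; returns the addresses unblocked."""
        now = self.clock()
        expired = sorted(ip for ip, until in self.active.items() if until <= now)
        for ip in expired:
            del self.active[ip]
            self.push_rule(ip, "unblock")
        return expired


def demo():
    """Walk through the cases the slide warns about, with a fake clock and firewall."""
    pushed = []                                # what the "firewall" received
    clock = {"t": 1000.0}
    s = Shunner(lambda ip, action: pushed.append((ip, action)),
                ttl_seconds=600, clock=lambda: clock["t"])
    results = {
        "attacker": s.shun("203.0.113.7"),         # ordinary external attacker: blocked
        "spoofed_partner": s.shun("192.0.2.44"),   # spoofed partner address: refused
        "spoofed_internal": s.shun("10.1.2.3"),    # spoofed internal address: refused
        "repeat": s.shun("203.0.113.7"),           # same attacker again: rule extended, not duplicated
    }
    clock["t"] += 601
    results["expired"] = s.expire()
    results["pushed"] = pushed
    return results
```

In a real deployment `push_rule` is whatever the firewall exposes (an ACL update, an API call); the point of the wrapper is that the decision to block, and the decision to stop blocking, never depend on the sensor being up and remembering.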

18. History of Host-based IDS
• Early host-based intrusion detection systems were designed in the 1980s to automate what system administrators had been doing by hand: checking the logs.
• In the 1990s, the range of methods used by host-based IDS began to expand. Tripwire was developed to scan file systems and record cryptographic hashes of critical system files; periodic re-scans then verify that the hash of each file has not changed.

19. Host-based IDS
• Common characteristics:
  • Primarily used to protect only critical servers
  • A software agent resides on the protected system
  • Detects intrusions by analyzing operating system and application logs, resource utilization and other system activity
  • The agent's own use of resources can affect system performance

20. HIDS Method of Operation
• Auditing logs (system logs, event logs, security logs, syslog): when a log file grows, the new entries are checked against signature patterns
• Monitoring file checksums: the hash of each critical file is compared with the recorded baseline to identify changes
• A HIDS protects only the host it runs on, not a network segment, so it is normally used in conjunction with a NIDS
• Intercepting and evaluating application requests for system resources before they are processed:
  • validating the calls against generic rules about which processes may do what
  • matching calls to system resources against signatures
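The file-checksum method from this slide (and the Tripwire idea from slide 18) carried through end to end, as an added example that is not from the presentation and is not Tripwire's code. It records a baseline of SHA-256 digests, sizes and permission bits, then reports changed, added and removed files; `demo()` builds a throwaway directory tree (constructed) so it runs offline.

```python
"""Tripwire-style file integrity checking: baseline, rescan, compare.

Added example; not Tripwire's code.  Every regular file under a root is recorded
as (SHA-256, size, permission bits), the baseline is saved as JSON, and a later
snapshot is diffed against it.  demo() builds a throwaway tree in a temp
directory (constructed) so the example runs offline.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def file_record(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    st = os.stat(path)
    # Mode is included so a quiet "chmod u+s" on an otherwise unchanged binary is still reported.
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}


def snapshot(root):
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_record(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(snap, baseline_path):
    # The baseline must live where the intruder cannot rewrite it (read-only
    # media, another host); a baseline kept on the monitored disk proves nothing.
    Path(baseline_path).write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(baseline_path):
    return json.loads(Path(baseline_path).read_text())


def compare(baseline, current):
    """Report what changed between two snapshots."""
    common = baseline.keys() & current.keys()
    return {
        "changed": sorted(k for k in common if baseline[k] != current[k]),
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
    }


def demo():
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "system"
        (root / "bin").mkdir(parents=True)
        (root / "etc").mkdir()
        (root / "bin" / "login").write_bytes(b"\x7fELF original login binary")
        (root / "bin" / "ls").write_bytes(b"\x7fELF ls")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        baseline_file = Path(d) / "baseline.json"   # in real use: off-host or read-only
        save_baseline(snapshot(root), baseline_file)

        # Simulated intrusion: trojaned login, a dropped backdoor, ls deleted, passwd untouched.
        (root / "bin" / "login").write_bytes(b"\x7fELF trojaned login binary")
        (root / "bin" / "backdoor").write_bytes(b"\x7fELF bind shell")
        (root / "bin" / "ls").unlink()
        return compare(load_baseline(baseline_file), snapshot(root))
```

Two caveats the slide leaves implicit: the check only detects changes made after the baseline was taken, so the baseline must be created on a known-clean system, and the hashing program itself is a file an intruder will want to replace, so it belongs on read-only media too.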

21. HIDS Software
• Deployed by installing agent software on the system to be protected. More effective against insider attacks than a NIDS, because it sees the actions on the host rather than only the traffic.
• Host wrappers (personal firewalls)
  • Do not provide the in-depth, active monitoring that agent-based software provides
  • Inexpensive and deployable on all machines
  • Monitor network activity into and out of the computer, including protocols, packets, broadcasts, remote logins and so on
• Agent-based software
  • Better suited to single-purpose servers; monitors local logon attempts, file and folder access, changes to permissions and use of software applications

22. HIDS Active Monitoring Capabilities
• A HIDS has access to the host's operating system and therefore has more ways to end an attack than a NIDS:
  • Log the event
  • Alert the administrator
  • Terminate the user's login session
  • Disable the user account

23. Advantages of Host-based IDS
• Verifies the success or failure of an attack from the HIDS log entries; a NIDS cannot always tell whether an attack it saw succeeded
• Monitors user and system activity such as file access, changes to permissions and user accounts, software installation and use of networked resources
• Protects against attacks from the keyboard (a local user at the console), which never cross the network
• Reacts very quickly to intrusions
• Not limited by switched infrastructures
• Requires no additional hardware to deploy and no changes to the network infrastructure

24. Passive Detection Systems
• Passive tools can detect the following:
  • Login attempts, successful and failed
  • Suspicious attempts to access administrative accounts
  • Changes to files, accounts, security settings and DNS services
  • Successful and failed attempts to access files
  • Files that are opened under suspicious circumstances
  • Unplanned system shutdowns
  • Services that shut down unexpectedly
  • Unusual or excessive e-mail
  • Network probes and connections from suspicious locations
  • Port scans
  • Suspicious file transfers
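Two entries from the list above, failed login attempts and port scans, implemented as passive detections over logs, as an added example that is not from the presentation. The log lines are constructed in the OpenSSH `sshd` and iptables `LOG` formats; the thresholds, the windows and the assumed year are my own. The login detector also notes the case a passive tool most wants to surface: a successful login from a source that has just failed repeatedly.

```python
"""Two items from the slide's list, run over constructed logs: failed-login
bursts (and a success that follows one) from an sshd log, and port scans
from a firewall log.

Added example, not from the slides.  The log lines are constructed in the
OpenSSH and iptables LOG formats; the thresholds and the assumed year are mine.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

AUTH_LOG = """\
Mar  5 10:01:11 web1 sshd[4021]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar  5 10:01:13 web1 sshd[4022]: Failed password for root from 203.0.113.7 port 51003 ssh2
Mar  5 10:01:15 web1 sshd[4023]: Failed password for invalid user admin from 203.0.113.7 port 51004 ssh2
Mar  5 10:01:18 web1 sshd[4024]: Failed password for root from 203.0.113.7 port 51005 ssh2
Mar  5 10:01:21 web1 sshd[4025]: Failed password for root from 203.0.113.7 port 51006 ssh2
Mar  5 10:01:24 web1 sshd[4026]: Failed password for root from 203.0.113.7 port 51007 ssh2
Mar  5 10:01:40 web1 sshd[4030]: Accepted password for root from 203.0.113.7 port 51010 ssh2
Mar  5 10:03:02 web1 sshd[4041]: Failed password for alice from 198.51.100.20 port 40001 ssh2
Mar  5 10:03:09 web1 sshd[4042]: Accepted publickey for alice from 198.51.100.20 port 40002 ssh2
"""

FW_LOG = """\
Mar  5 10:02:00 fw1 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=44001 DPT=21
Mar  5 10:02:00 fw1 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=44002 DPT=22
Mar  5 10:02:01 fw1 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=44003 DPT=23
Mar  5 10:02:01 fw1 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=44004 DPT=25
Mar  5 10:02:02 fw1 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=44005 DPT=80
Mar  5 10:02:02 fw1 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=44006 DPT=443
Mar  5 10:02:03 fw1 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=44007 DPT=3389
Mar  5 10:02:03 fw1 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=44008 DPT=8080
Mar  5 10:02:30 fw1 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP SPT=50000 DPT=445
"""

AUTH_RE = re.compile(r"sshd\[\d+\]: (Failed|Accepted) (?:password|publickey) for (?:invalid user )?(\S+) from (\S+) port")
FW_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) .*?DPT=(\d+)")


def syslog_time(line):
    # Classic syslog timestamps carry no year; 2024 is assumed for this constructed data.
    return datetime.strptime("2024 " + line[:15], "%Y %b %d %H:%M:%S")


def detect_login_abuse(text, window_s=60, threshold=5):
    """Sources with >= threshold failed logins inside window_s seconds, noting a later success."""
    by_src = defaultdict(list)
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            result, user, src = m.groups()
            by_src[src].append((syslog_time(line), result, user))
    window = timedelta(seconds=window_s)
    alerts = []
    for src, events in by_src.items():
        fails = sorted(t for t, result, _ in events if result == "Failed")
        burst, i = False, 0
        for j, t in enumerate(fails):               # sliding window over failure times
            while fails[i] < t - window:
                i += 1
            if j - i + 1 >= threshold:
                burst = True
                break
        if burst:
            last_fail = fails[-1]
            success_after = any(result == "Accepted" and t >= last_fail for t, result, _ in events)
            alerts.append({"src": src, "failures": len(fails), "success_after_burst": success_after})
    return alerts


def detect_port_scans(text, window_s=10, distinct_ports=6):
    """Sources that touch >= distinct_ports different destination ports within window_s seconds."""
    by_src = defaultdict(list)
    for line in text.splitlines():
        m = FW_RE.search(line)
        if m:
            src, _dst, _proto, dport = m.groups()
            by_src[src].append((syslog_time(line), int(dport)))
    window = timedelta(seconds=window_s)
    alerts = []
    for src, hits in by_src.items():
        hits.sort()
        seen, i, flagged = Counter(), 0, False
        for t, port in hits:
            seen[port] += 1
            while hits[i][0] < t - window:           # drop hits that fell out of the window
                seen[hits[i][1]] -= 1
                if seen[hits[i][1]] == 0:
                    del seen[hits[i][1]]
                i += 1
            if len(seen) >= distinct_ports:
                flagged = True
                break
        if flagged:
            alerts.append({"src": src, "ports": sorted({p for _, p in hits})})
    return alerts
```

Both detectors are passive in the slide's sense: they read logs after the fact and produce alerts, but take no action. The `success_after_burst` flag is what turns a level-3 style nuisance (password guessing) into something that needs a human now.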

25. Active Detection Systems
• Have the logging, alerting and recording features of a passive IDS, but can also take action against an attack
• Options:
  • IDS shunning or blocking
  • TCP reset
• Used in networks where the IDS administrator has carefully tuned the sensor's behavior to minimize the number of false positive alarms

26. TCP Reset
• Active IDS features (resets as well as blocking) must be carefully tuned to minimize false positives, because every false positive now has a side effect.
• Attackers can turn the IDS into a denial-of-service tool: by spoofing the source addresses of legitimate users or subnets, they get those addresses blocked from entering the network or their sessions reset.
• Legitimate traffic can be blocked

27. Signature-based and Anomaly-based IDS
• IDSs are classified by how they detect malicious activity
• Signature detection
  • Also known as misuse detection
  • The IDS analyzes the information it gathers and compares it against a database of known attacks, each identified by its signature
  • Problems arise from the large number of signatures required to detect misuse effectively: the set must be kept current, matching every packet against it costs sensor performance, and an attack for which no signature exists yet (new or modified) is not detected at all

28. Signature-based and Anomaly-based IDS
• Anomaly detection
  • A baseline is defined to describe the normal state of the network or host
  • Any activity outside the baseline is considered an attack
  • The difficulty is in creating the model of normal activity: a model built from a quiet period alarms on ordinary busy-hour traffic, and one built while an intruder was already active treats the intrusion as normal
  • Anomaly detection systems are less popular than signature detection systems because inaccurate models of normal use give high false alarm rates
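The baseline problem from this slide made concrete, as an added example that is not from the presentation. The same observations are checked against three constructed baselines for one host's outbound connections per minute: a clean one, one recorded during a quiet period (too narrow, so it alarms on normal traffic), and one recorded while an intruder was already exfiltrating (so the intrusion is baked into "normal" and is missed).

```python
"""Statistical anomaly detection and how the baseline decides the false alarm rate.

Added example, not from the slides.  The metric is a host's outbound connections
per minute (constructed values).  A baseline is the mean and standard deviation
over a training window; an observation is anomalous when its z-score exceeds a
threshold.  Three baselines are evaluated against the same observations.
"""
import statistics


def build_baseline(samples):
    return {"mean": statistics.fmean(samples), "sd": statistics.pstdev(samples)}


def is_anomalous(value, baseline, z_threshold=3.0):
    sd = baseline["sd"] or 1e-9            # a constant training window would divide by zero
    return abs(value - baseline["mean"]) / sd > z_threshold


def evaluate(baseline, observations, z_threshold=3.0):
    """observations: (value, is_attack) pairs.  Returns alarm / false-positive / missed counts."""
    alarms = fp = missed = 0
    for value, is_attack in observations:
        flagged = is_anomalous(value, baseline, z_threshold)
        alarms += flagged
        fp += flagged and not is_attack
        missed += is_attack and not flagged
    return {"alarms": alarms, "false_positives": fp, "missed": missed}


# Constructed training windows (connections per minute from one host).
CLEAN_TRAINING = [10, 12, 9, 11, 10, 13, 8, 11, 10, 12]        # a normal business-hours window
QUIET_TRAINING = [2, 3, 2, 2, 3, 2, 3, 2, 2, 3]                # recorded overnight: too narrow a model
POISONED_TRAINING = [10, 12, 60, 11, 10, 60, 8, 11, 60, 12]    # recorded while an intruder was already exfiltrating

# Constructed observations during business hours; the 60 is data leaving the host.
OBSERVATIONS = [(11, False), (12, False), (60, True), (14, False)]


def compare_baselines():
    return {name: evaluate(build_baseline(samples), OBSERVATIONS)
            for name, samples in (("clean", CLEAN_TRAINING),
                                  ("quiet", QUIET_TRAINING),
                                  ("poisoned", POISONED_TRAINING))}
```

A real deployment keeps separate baselines per host and per time of day (the quiet-hours model is not wrong at 03:00, it is wrong at 10:00), and re-validates the training window against signature alerts and other sources before trusting it, which is the poisoning case.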

29. Honeypots
• Decoy systems that lure intruders and gather information on the methods and techniques they use to penetrate networks, by deliberately becoming victims of their attacks
• Simulate unsecured network services
• Make the forensic process easier for investigators, since nothing legitimate should ever touch a honeypot and there is no normal traffic to filter out

30. Honeypot Deployment
• Goals
  • The honeypot must attract the attacker without tipping them off
  • The host must have something of interest to the intruder
  • Gather information on attacker techniques, methodology and tools
  • Detect attackers inside the organization's network perimeter
  • Must not become a staging ground for attacking other hosts inside or outside the firewall (restrict its outbound connections)
  • Draw attackers away from critical targets
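A minimal low-interaction honeypot of the "simulate an unsecured service" kind from slide 29, as an added example that is not from the presentation and is not Honeyd, LaBrea or any other tool listed later. It speaks enough FTP to collect the credentials an attacker tries and never accepts a login or does anything on the attacker's behalf. It binds to loopback on an ephemeral port so the demo runs offline; the banner is a constructed bait string. In deployment the decoy host would be locked down and, as slide 30 requires, denied all outbound connections so it cannot become a staging ground.

```python
"""A minimal low-interaction honeypot: a fake FTP service that records who
connects and what they try, and never does anything on the attacker's behalf.

Added example, not from the slides and not Honeyd, LaBrea or any listed tool.
Binds to loopback on an ephemeral port so the demo runs offline.  The banner
is a constructed bait string.
"""
import socket
import threading
import time

BANNER = b"220 files.example.internal FTP server ready.\r\n"


def fake_reply(cmd):
    """Answer like a real FTP server, but every login fails: we only want the credentials."""
    verb = cmd.split(b" ", 1)[0].upper()
    if verb == b"USER":
        return b"331 Password required.\r\n"
    if verb == b"PASS":
        return b"530 Login incorrect.\r\n"
    if verb == b"QUIT":
        return b"221 Goodbye.\r\n"
    return b"500 Unknown command.\r\n"


class Honeypot:
    def __init__(self, host="127.0.0.1", port=0, max_lines=8, idle_timeout=2.0):
        self.max_lines, self.idle_timeout = max_lines, idle_timeout  # caps so a flood cannot pin threads
        self.events, self.lock = [], threading.Lock()               # one record per connection
        self._stop = threading.Event()
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]
        self.thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self.thread.start()

    def stop(self):
        self._stop.set()
        self.sock.close()
        self.thread.join(timeout=2)

    def _serve(self):
        self.sock.settimeout(0.2)
        while not self._stop.is_set():
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:                 # listening socket closed by stop()
                break
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()

    def _handle(self, conn, peer):
        record = {"peer": peer[0], "ts": time.time(), "lines": []}
        with conn:
            conn.settimeout(self.idle_timeout)
            try:
                conn.sendall(BANNER)
                reader = conn.makefile("rb")
                for _ in range(self.max_lines):
                    line = reader.readline(512)
                    if not line:
                        break
                    cmd = line.rstrip(b"\r\n")
                    record["lines"].append(cmd.decode("latin-1"))   # logged verbatim, never executed
                    conn.sendall(fake_reply(cmd))
                    if cmd.split(b" ", 1)[0].upper() == b"QUIT":
                        break
            except (socket.timeout, OSError):
                pass
        with self.lock:
            self.events.append(record)


def probe(port, lines, host="127.0.0.1"):
    """Act as the attacker: connect, read the banner, send each line, collect replies."""
    with socket.create_connection((host, port), timeout=2) as c:
        reader = c.makefile("rb")
        replies = [reader.readline().rstrip(b"\r\n").decode()]
        for line in lines:
            c.sendall(line.encode() + b"\r\n")
            replies.append(reader.readline().rstrip(b"\r\n").decode())
    return replies


def demo():
    hp = Honeypot()
    hp.start()
    try:
        replies = probe(hp.port, ["USER root", "PASS toor", "QUIT"])
        deadline = time.time() + 2
        while not hp.events and time.time() < deadline:   # handler finishes just after the client closes
            time.sleep(0.01)
    finally:
        hp.stop()
    return {"replies": replies, "events": hp.events}
```

Every connection produces a record whether or not the attacker does anything useful, which is the forensic advantage from slide 29: there is no legitimate traffic to separate out, so the log is the evidence.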

31. Honeypots, Ethics, and the Law
• There is nothing wrong with deceiving an attacker into thinking that they are penetrating an actual host
• A honeypot does not persuade anyone to attack it; it merely appears to be a vulnerable target, so it is not entrapment
• It is doubtful that honeypot data could be used as evidence in court

32. Open Source Honeypots
• BackOfficer Friendly
• BigEye
• Deception Toolkit
• LaBrea Tarpit
• Honeyd
• Honeynets
• User Mode Linux

33. Incident Response
• Every IDS deployment should include two documents that answer the "what now?" questions:
  • An IDS monitoring policy and procedure that details the action for specific alerts and the classification scheme used
  • An incident response plan that assigns personnel and the resources required to handle security incidents

34. Incident Response
• Procedures should include:
  • What immediate steps need to be taken
  • Who needs to be notified
  • What impact the incident has
  • What tools will be used, and by whom
  • Whether system recovery is more important than evidence collection
  • What other resources are available
  • Where the backups are
  • A process for preventing further exploitation of the same vulnerability

35. Classification Scheme Sample
• The steps taken depend on how serious the event is, so a classification system is needed to categorize alarms:
  • Level 3: the least threatening alarms, such as a port scan or a single unauthorized attempt to telnet to a network device
  • Level 2: more serious, such as unsuccessful attempts to gain unauthorized access to systems; continued level 3 activity can also be reason to escalate to level 2
  • Level 1: the most serious attacks, such as major denial-of-service attacks, successful intrusions into systems, or similar activity
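The three-level scheme with its escalation rule, as an added example that is not from the presentation. The levels and the rule that continued level 3 activity escalates to level 2 come from the slide; the signature names, the escalation count, the one-hour window and the per-level handling are assumptions for illustration.

```python
"""Alarm classification with escalation, following the slide's three levels.

Added example, not from the slides.  Signature names, the escalation count and
the window are assumptions; the levels and the rule that continued level 3
activity escalates to level 2 come from the slide.
"""
from collections import defaultdict, deque

# Assumed mapping from signature name to base level (1 = most serious).
LEVEL_BY_SIGNATURE = {
    "port-scan": 3,
    "telnet-attempt": 3,
    "unauthorized-access-attempt": 2,
    "failed-login-burst": 2,
    "dos-major": 1,
    "successful-intrusion": 1,
}

# Assumed handling per level; the slide only says the steps depend on the level.
RESPONSE = {
    1: "page on-call, start the incident response plan",
    2: "open a ticket, analyst reviews within the hour",
    3: "log and aggregate, review in the daily report",
}


class Classifier:
    def __init__(self, escalate_after=3, window_s=3600):
        self.escalate_after = escalate_after
        self.window_s = window_s
        self.recent_l3 = defaultdict(deque)   # src -> timestamps of recent level-3 alarms

    def classify(self, alarm):
        """alarm: {"ts": seconds, "src": ip, "sig": name} -> {"level", "reason", "response"}."""
        ts, src, sig = alarm["ts"], alarm["src"], alarm["sig"]
        level = LEVEL_BY_SIGNATURE.get(sig)
        if level is None:
            # An unknown signature goes to an analyst rather than silently to the bottom tier.
            return {"level": 2, "reason": "unknown signature %s" % sig, "response": RESPONSE[2]}
        reason = sig
        if level == 3:
            q = self.recent_l3[src]
            q.append(ts)
            while q and q[0] < ts - self.window_s:   # forget level-3 events older than the window
                q.popleft()
            if len(q) >= self.escalate_after:
                level = 2
                reason = "%d level-3 alarms from %s within %ds" % (len(q), src, self.window_s)
        return {"level": level, "reason": reason, "response": RESPONSE[level]}


def demo():
    """Constructed alarm stream: repeated scans from one source, one real intrusion elsewhere."""
    c = Classifier(escalate_after=3, window_s=3600)
    stream = [
        {"ts": 0, "src": "203.0.113.7", "sig": "port-scan"},
        {"ts": 600, "src": "203.0.113.7", "sig": "telnet-attempt"},
        {"ts": 1200, "src": "203.0.113.7", "sig": "port-scan"},      # third within the hour: escalates
        {"ts": 9000, "src": "203.0.113.7", "sig": "port-scan"},      # earlier ones aged out: back to level 3
        {"ts": 9100, "src": "198.51.100.9", "sig": "successful-intrusion"},
        {"ts": 9200, "src": "198.51.100.9", "sig": "new-exploit-sig"},
    ]
    return [c.classify(a)["level"] for a in stream]
```

The escalation state is kept per source, which is what makes "continued level 3 attacks" measurable; the same idea extends to per-target counters when many sources probe one host.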

36. Chapter Summary
• Two major types of intrusion detection:
  • Network-based IDS (monitors network traffic)
  • Host-based IDS (monitors activity on individual computers)
• Honeypots
• Incident response