290 likes | 313 Vues
Intrusion-Detection Systems. Based on slides accompanying the book Network Defense and Countermeasures by Chuck Easttom (2018). Objectives. Explain how intrusion-detection systems work Implement strategies for preventing intrusion
E N D
Intrusion-Detection Systems Based on slides accompanying the book NetworkDefense and Countermeasures by Chuck Easttom (2018)
Objectives • Explain how intrusion-detection systems work • Implement strategies for preventing intrusion • Identify and describe several popular intrusion-detection systems • Define the term honeypot • Identify and describe at least one honeypot implementation
Introduction • What is an IDS? An Intrusion-Detection System (IDS) is a system that is designed to detect signs that someone (or something) is attempting to breach a system, and to alert the system administrator that suspicious activity is taking place.
Introduction • Why do we use IDSs? Intrusion-detection systems enable system administrators to detect possible attacks to the network.
Preemptive Blocking (as a primitive form of intrusion detection/prevention) • Sometimes called banishment vigilance • Attempts to detect impending intrusions through examining their footprinting (c.f., a virus’s signature) • Weaknesses? • Susceptible to false positives May block legitimate traffic (i.e., false positive, or mistakenly identifying a legitimate packet as part of a threat) • When an IP address is blocked, the attacker can switch to different IP addresses.
IDS Detection Methodologies • Signature-based detection - Compares known threat signatures to observed events to identify incidents • Anomaly-based detection - Compares definitions of what activity is considered normal against observed events to identify significant deviations • Stateful protocol analysis - compares predetermined profiles of generally accepted definitions of benign protocol activity for each protocol state against observed events to identify deviations.
Anomaly Detection • Anomaly Detection • Any activity that does not match normal use is noted and saved in a log. • Normal usage profiles are kept and updated and then compared to the user’s, the group’s, or the system’s behavior. • Most IDSs work this way. • Based on heuristics, and not on signatures or pre-stored patterns can detect previously unknown threats • Q: Examples of anomalous behavior?
Anomaly Detection • Different ways an anomaly may be detected: • Threshold monitoring • Resource profiling • User/group work profiling • Executable profiling
Types of Anomaly Detection • Threshold monitoring • Defines acceptable behaviors • Presets acceptable behavior levels – the threshold • Monitors the exceeding of these thresholds • Q: Example thresholds? • Weaknesses? • Can be difficult to set up the thresholds • Difficult to set times for monitoring behavior (i.e., When? How often?) • Susceptible to false positives and negatives
Questions: • Explain what it means by saying that threshold monitoring (as a method of anomaly detection) is susceptible to false positives? Give an example. • Explain why threshold monitoring (as a method of anomaly detection) is susceptible to false positives? • Explain what it means by saying that threshold monitoring (as a method of anomaly detection) is susceptible to false negatives? Give an example. • Explain why threshold monitoring (as a method of anomaly detection) is susceptible to false negatives?
Types of Anomaly Detection • Resource Profiling • Measures system-wide resource use to develop a historic usage profile. • Abnormal readings can indicate illicit activity. • c.f., threshold monitoring Q: What are the differences between resource profiling and threshold monitoring as means of anomaly detection?
Types of Anomaly Detection • User/Group Work Profiling • Each user/group’s typical activities are stored in its work profile. • Activities not typical of that user or group are suspected. • Changes in work patterns need to be updated in the respective profiles. • Weaknesses? • Dynamic user base could be difficult to profile. Examples?
Types of Anomaly Detection • User/Group Work Profiling Q: Compare work profiling with other methods, such as threshold monitoring and resource profiling.
Types of Anomaly Detection • Executable Profiling • Measures and monitors how programs use system resources • Helpful in detecting many types of malware attacks • Profiles how system objects (files and printers) are normally used • Enables the IDS to identify activity that might indicate an attack
IDS Components • Activity • Administrator • Sensor (or agent)– collects data and passes it to the analyzer for analysis • Analyzer • Alert – a message from the analyzer sent to the administrator • Manager (or management server) – part of the IDS (e.g., a console)
IDS Components • Notification – the method by which the IDS manager notifies the operator • Operator -- administrator • Event – an occurrence of a suspicious activity • Data source – the raw data used by the IDS • Database server -- a repository for event information recorded by sensors, agents, and/or management servers
IDS vs IPSsource: https://www.youtube.com/watch?v=dYQMzyfFrTE
IDS vs IPS Intrusion Detection System Intrusion Prevention System Active Takes steps to prevent an attack in progress Problem of false positives • Passive • Logs the activity • Alerts an administrator (perhaps) Intrusion Detection/Protection System (IDPS)
Snort • Possibly the most well-known open source IDS • Available on multiple platforms including: • UNIX, Linux, and Windows • Three modes of operation: • Sniffer • Packet logger • Network intrusion-detection
Snort Modes • Packet Sniffer Mode • Monitors all traffic coming and going on a computer (i.e., host-based IDS) • A good way to check encryption (because the console displays a continuous stream of the contents of all packets coming across that machine) • Helps determine potential sources of problems
Snort Modes • Packet Logger Mode • Similar to sniffer mode • Packet contents are written to a text file • Contents can be searched for specific items
Snort Modes • Network Intrusion-Detection Mode • Uses a heuristic approach to detect anomalous traffic (i.e., network-based IDS) • Rules-based • Command-line-based interface • Need to know commands and what they do
Cisco Intrusion-Detection and Prevention • Past models • Cisco IDS 4200 Series Sensors • Cisco Catalyst 6500 Series Intrusion-Detection System Services Module (IDSM-2) • Current system offering • Cisco Next-Generation IPS Solution • There are a number of products in this group • Firepower 4100 series – smaller networks • Firepower 8000 series • Firepower 9000 series – large-scale networks
Understanding and Implementing Honeypots • A honeypot is a single machine set up to appear to be an important (and possibly vulnerable) server • All traffic to the machine is suspicious; no legitimate users should connect • Honeypots can be configured to emulate many server services • Honeypots can help track and catch hackers
Specter • A software honeypot solution • Can simulate AIX, Solaris, Unix, Linux, and Mac OS X • Works by appearing to run a number of services common to network servers • SMTP, FTP, TELNET, FINGER, POP3, IMAP4, HTTP, SSH, DNS, SUN-RPC, NETBUS, SUB-7, BO2K, GENERIC TRAP
Specter • Can be set up in one of five modes: • Open • Secure • Failing • Strange • Aggressive • Fake password files can also be configured: • Easy • Normal • Hard • Fun • Warning
Summary • A variety of intrusion-detection systems are available • Should be used with firewalls • Can run at the perimeter and internally as sensors • Ideally implemented on every server • Free IDS solutions are available • Honeypots entice hackers to a fake server