
“IDS and your network”


Presentation Transcript


  1. “IDS and your network” Dale Tongue 10 September 2005

  2. Intro
  • What is a router?
  • What is a syslog server?
  • What is a Firewall?
  • What is an IDS?
  • How does a network get blocked?

  3. What is a router?
  • Router - A router is a device that takes an incoming packet, examines its headers and then acts on it: forwarding it to the appropriate next hop, moving it to another network, re-encapsulating it for a different type of network interface, dropping it, or taking any of a number of other actions.
  • Brouter - Short for bridge router, a "brouter" is a networking device that serves as both a bridge and a router.
  • Core router - A core router routes data within a network but not between networks.
  • Edge router - An edge router routes data between its own network and one or more other networks.
  • Virtual router - In a VRRP setup the virtual router is the shared address that one (master) router services and that a backup router takes over if the master fails.

  4. Router examples

  5. What is a Syslog Server?
  • Syslog - Short for SYStem LOG, syslog is a logging system originally developed for UNIX systems. A syslog server collects the error messages, warning messages and other system messages that hosts send to this central location, traditionally over UDP port 514. Today syslog is available on, or can be run by, the majority of operating systems as well as hardware devices such as network switches and routers.
  • Caveat for the IDS use case: classic UDP syslog is neither authenticated nor encrypted and has no delivery guarantee, so a message can be spoofed, altered in transit or silently lost. Where the log is the evidence you will act on, carry it over TCP or TLS (RFC 5425) and restrict which hosts may send to the collector.

  6. Syslog Server example (diagram; only the labels "ID/Pwrd" survive the text extraction)

  7. What is a Firewall?
  • Firewall - The primary method for keeping a computer secure from intruders. A firewall allows or blocks traffic into and out of a private network or the user's computer. Firewalls are widely used to give users controlled access to the Internet as well as to separate a company's public Web server from its internal network. Firewalls are also used to keep internal network segments secure; for example, the accounting network might be vulnerable to snooping from within the enterprise. A firewall can be as simple as a single router that filters out unwanted packets, or it may comprise a combination of routers and servers each performing some type of firewall processing.
  • Firewalls are good DETECTION devices
  • they can detect permitted and denied access attempts by logging them
  • Firewalls are weaker PROTECTION devices
  • attack code can ride inside permitted traffic at the application layer, which a network-layer filter never inspects
  • application (proxy) firewalls address this

  8. What is a Firewall? (Cont) Firewall Techniques
  • Following are the different methods used to provide firewall protection; several of them are often used in combination.
  • Packet Filter - Blocks traffic based on source or destination IP address or on the type of application (e-mail, FTP, Web, etc.), which is identified by port number. Packet filtering is typically done in a router, which is then known as a "screening router." See bastion host.
  • Proxy Server - Serves as a relay between two networks, breaking the connection between the two: the client talks only to the proxy, and the proxy makes a separate connection to the server. Also typically caches Web pages (see proxy server).
  • Network Address Translation (NAT) - Allows one IP address, which is shown to the outside world, to stand for many internal IP addresses, one on each client station, and performs the translation back and forth. NAT is found in routers and is built into Windows Internet Connection Sharing (ICS). NAT hides internal addressing but is not by itself an access-control mechanism. See NAT and ICS.
  • Stateful Inspection - Tracks each connection so that an inbound packet is accepted only if it belongs to a session the inside user initiated (or is addressed to an explicitly published service). Generally can examine multiple layers of the protocol stack, including the data, if required, so blocking can be made at any layer or depth. See stateful inspection.
  • Most are "Deny All - Allow By Exception": nothing passes unless a rule explicitly permits it.

  9. Firewall Example - Deny all, allow by exception
  • The use of two screening routers in the firewall configuration offers two points of protection between the outside world and the internal LAN.
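The two ideas on slides 8 and 9, "deny all, allow by exception" and stateful inspection, as a small working model. This is an added example, not code from the presentation: the inside network (10.1.0.0/16), the published web server (10.1.1.10:80), the permitted outbound services and the packet sequence are all constructed for illustration.

```python
"""Model of a "deny all, allow by exception" stateful packet filter.

Added example, not from the presentation: the inside network, the
published web server and the sample packets are all constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.1.0.0/16")   # assumed internal LAN


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False   # SYN without ACK marks a new TCP connection
    ack: bool = False


class StatefulFilter:
    # The only exceptions to the default deny.
    OUTBOUND_ALLOW = {("tcp", 80), ("tcp", 443), ("udp", 53)}   # inside -> anywhere
    INBOUND_ALLOW = {("10.1.1.10", "tcp", 80)}                 # assumed public web server

    def __init__(self):
        # Connection table: the 5-tuple of the packet that opened each flow.
        self.state = set()

    def _opens_flow(self, p):
        # UDP has no handshake; TCP flows may only start with a bare SYN.
        return p.proto != "tcp" or (p.syn and not p.ack)

    def decide(self, p):
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        # 1. Part of a flow we already accepted, in either direction.
        if fwd in self.state or rev in self.state:
            return "allow"
        src, dst = ip_address(p.src), ip_address(p.dst)
        # 2. New outbound flow from inside on a permitted service.
        if (src in INSIDE and dst not in INSIDE
                and (p.proto, p.dport) in self.OUTBOUND_ALLOW and self._opens_flow(p)):
            self.state.add(fwd)
            return "allow"
        # 3. New inbound flow to an explicitly published service.
        if (p.dst, p.proto, p.dport) in self.INBOUND_ALLOW and self._opens_flow(p):
            self.state.add(fwd)
            return "allow"
        # 4. Default deny: everything else, including a packet that claims
        #    to be a reply but matches no tracked flow.
        return "deny"


def run_demo():
    """Push a constructed packet sequence through the filter; return decisions."""
    fw = StatefulFilter()
    sequence = [
        ("inside client opens HTTPS",     Packet("10.1.5.5", 40000, "203.0.113.5", 443, syn=True)),
        ("server SYN/ACK back",           Packet("203.0.113.5", 443, "10.1.5.5", 40000, syn=True, ack=True)),
        ("client ACK, same flow",         Packet("10.1.5.5", 40000, "203.0.113.5", 443, ack=True)),
        ("forged 'reply' to other port",  Packet("203.0.113.5", 443, "10.1.5.5", 40001, ack=True)),
        ("unsolicited inbound SMB",       Packet("198.51.100.7", 3333, "10.1.5.5", 445, syn=True)),
        ("inbound to published web",      Packet("198.51.100.7", 5555, "10.1.1.10", 80, syn=True)),
        ("web server answers",            Packet("10.1.1.10", 80, "198.51.100.7", 5555, syn=True, ack=True)),
        ("ACK-only to web, no SYN seen",  Packet("198.51.100.9", 6000, "10.1.1.10", 80, ack=True)),
        ("inside client DNS query",       Packet("10.1.5.5", 53000, "203.0.113.53", 53, proto="udp")),
        ("DNS answer",                    Packet("203.0.113.53", 53, "10.1.5.5", 53000, proto="udp")),
        ("inside client telnet out",      Packet("10.1.5.5", 40002, "203.0.113.5", 23, syn=True)),
    ]
    return [(label, fw.decide(pkt)) for label, pkt in sequence]


if __name__ == "__main__":
    for label, verdict in run_demo():
        print(f"{verdict:5}  {label}")
```

The point of the "forged reply" and "ACK-only" cases is the difference between a plain packet filter and stateful inspection: a stateless rule such as "allow inbound TCP with ACK set" would pass both, while the connection table rejects anything that was not opened by a packet the policy permitted.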

  10. What is an IDS?
  • IDS (Intrusion Detection System) - Software that detects an attack on a network or computer system. A Network IDS (NIDS) watches the traffic of many hosts, whereas a Host IDS (HIDS) is set up to detect illegal actions within the host it runs on. Most IDS products use signatures of known attack patterns to raise an alert. Others look for deviations from normal activity as indications of an attack.
  • Intrusion detection is very tricky. Too much analysis adds excessive overhead and also triggers false alarms (false positives). Insufficient analysis can overlook a real attack (false negatives). See protocol anomaly, traffic anomaly, IPS and attack.

  11. NIDS example (diagram; labels: WAN, router, NIDS and LAN/IP based network at each of four sites, plus a central Syslog Server)

  12. Sequence of events
  • The NIDS looks for signatures and is checked for someone "knocking" on the door, such as:
  (1) Scanning the network to locate which IP addresses are in use, identify what operating system is in use, and identify what TCP or UDP ports are "open" (being listened on by servers).
  (2) Running "exploit" scripts against the open ports.
  (3) Getting access to a shell program which is "suid" (runs with "root" privileges).
  (4) Downloading special versions of system files (a rootkit) that let the hacker keep access without his or her CPU time or disk usage being noticed by auditing programs.
  (5) Using IRC (Internet Relay Chat) to invite fellow hackers.

  13. Sequence of events (Cont)
  • As the IDS boxes spit out data, the syslog server is checked for the "knocking" IP/network
  • Search for anything from that IP or subnet
  • Identify who owns the address space with ARIN (http://www.arin.net/whois/), APNIC (http://www.apnic.net/apnic-bin/whois.pl), RIPE (http://www.ripe.net/), Sam Spade, etc.
  • A dial-up attacker will come back on a new IP, but probably from the same subnet
  • If it's not a coincidence, block the IP or the subnet
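The procedure on slides 12 and 13 (sensor alerts arrive over syslog, the log is searched for the "knocking" address, and the IP or its subnet is blocked) as working code, which also shows the syslog message format from slide 5. This is an added example, not code from the presentation. The alert lines are constructed in a generic "sensor: message {PROTO} src:port -> dst:port" shape (the tag `nids`, the host names, the addresses and the blocking thresholds are all assumptions, not any real product's output format).

```python
"""Correlate IDS alerts forwarded over syslog and decide what to block.

Added example, not from the presentation. The alert text, hostnames,
addresses and the blocking thresholds are all constructed/assumed.
"""
import re
from collections import defaultdict
from ipaddress import ip_network

# RFC 3164 line: <PRI>Mmm dd hh:mm:ss host tag[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
    r"(?P<host>\S+)\s"
    r"(?P<tag>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?:\s"
    r"(?P<msg>.*)$"
)
# Assumed sensor convention: every alert carries "src[:port] -> dst[:port]".
FLOW_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s->\s(\d{1,3}(?:\.\d{1,3}){3})")

SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample of what the central syslog server received.
SAMPLE_LOG = [
    "<134>Sep 10 02:14:07 nids-east nids[1312]: SCAN tcp-syn {TCP} 198.51.100.23:41000 -> 10.1.5.5:22",
    "<134>Sep 10 02:14:09 nids-east nids[1312]: SCAN tcp-syn {TCP} 198.51.100.23:41000 -> 10.1.5.6:22",
    "<134>Sep 10 02:14:11 nids-east nids[1312]: SCAN tcp-syn {TCP} 198.51.100.23:41000 -> 10.1.5.7:22",
    "<134>Sep 10 02:31:45 nids-west nids[2210]: EXPLOIT rpc-statd {TCP} 198.51.100.40:3222 -> 10.1.6.1:111",
    "<134>Sep 10 02:40:02 nids-west nids[2210]: ICMP echo sweep {ICMP} 203.0.113.9 -> 10.1.6.20",
    "<38>Sep 10 02:40:30 gw-east sshd[991]: Accepted publickey for ops from 10.1.5.50 port 51022",
    "this line is not syslog at all",
]


def parse_syslog(line):
    """Return a dict for one RFC 3164 line, or None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    pri = int(rec["pri"])
    rec["facility"] = pri >> 3          # PRI = facility * 8 + severity
    rec["severity"] = SEVERITY[pri & 7]
    return rec


def ids_events(lines):
    """Yield (sensor_host, src_ip, dst_ip, message) for sensor alerts only."""
    for line in lines:
        rec = parse_syslog(line)
        if rec is None or rec["tag"] != "nids":
            continue
        flow = FLOW_RE.search(rec["msg"])
        if flow:
            yield rec["host"], flow.group(1), flow.group(2), rec["msg"]


def correlate(lines, per_ip_targets=3, per_net_sources=2):
    """Group alerts by source /24 and return {ip_or_network: reason}.

    Thresholds are assumptions: one IP that touched `per_ip_targets` hosts
    is blocked on its own; `per_net_sources` different knocking IPs in one
    /24 (the dial-up pattern from slide 13) get the whole subnet blocked.
    """
    by_net = defaultdict(lambda: defaultdict(set))   # net -> src -> {dst}
    for _, src, dst, _ in ids_events(lines):
        net = ip_network(f"{src}/24", strict=False)
        by_net[net][src].add(dst)
    decisions = {}
    for net, sources in by_net.items():
        if len(sources) >= per_net_sources:
            decisions[str(net)] = f"{len(sources)} knocking hosts in one subnet: block the subnet"
            continue
        for src, targets in sources.items():
            if len(targets) >= per_ip_targets:
                decisions[src] = f"scanned {len(targets)} hosts: block the IP"
    return decisions


if __name__ == "__main__":
    for target, reason in correlate(SAMPLE_LOG).items():
        print(f"{target:20} {reason}")
```

Run on the sample, the single scanning host would be blocked on its own, but because a second host in 198.51.100.0/24 is also attacking, the decision escalates to the /24; the lone ICMP sweep from 203.0.113.9 stays below both thresholds, which is the "is it a coincidence?" judgement the slide leaves to the analyst. Note that the decision is only as trustworthy as the log: an attacker who can send to the collector over plain UDP syslog can also manufacture "alerts" to get an innocent network blocked.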

  14. Blocking the network
  • Using CiscoWorks, edit the template and FTP it to all sites
  • The offending network would/could be trying all of our networks; pushing one template cuts down on labor and assures a block everywhere
  • If the offending network is korea.com, will you still get your mail to an army.mil domain? Blocking a whole network also blocks its legitimate traffic.
  • Discuss the bh.korea list that commercial vendors use

  15. Domains?
  • The internet is big.
  • Two entry points into the NIPRNet, from the "fixed east" and "fixed west"
  • Access the army.mil networks
  • Each post has its own gateway
  • Each gateway has its own Access Control List
  • As Huachuca edits the list, subnets can be denied
  • Can also have an "allow" list

  16. Sequence of events?

  17. Intrusion Steps from the bad guy's perspective
  • Outside Reconnaissance - whois, DNS, WWW, FTP
  • Inside Reconnaissance - ping sweep, inverse mapping, port scanning, rpcinfo, showmount, snmpwalk
  • Exploit - exploiting vulnerabilities discovered earlier
  • Foothold - has gained entrance into the machine and now starts to hide the evidence; installs rootkits, trojans
  • Profit - taking advantage of the entry, the hacker now goes after the real target: information, $$, credit card info, etc.
  • Joyride - systems used in a relay attack
  (Slides 17 to 23 are credited to Randy Marchany, VA Tech IT Security Lab, VA Tech, Blacksburg, VA 24060, email: marchany@vt.edu)

  18. Common WWW Exploits
  • CGI - passing data to the command shell via shell metacharacters, using hidden form variables; phf.
  • WWW server
  • IIS/RDP - ../../../../ attack to get files from outside the web root.
  • Alternate data streams (Win95 names).
  • URL - fields can cause buffer overflows as the URL is parsed in the HTTP header, displayed on the screen or saved in the cache history. An old IE bug would execute .LNK or .URL commands.
  • HTTP headers can be used to exploit bugs because some fields are passed to functions that expect only certain input.
  • HTML - MIME-type overflow in Netscape Communicator's <EMBED> tag.
  • JavaScript - usually tries to exploit the "file upload" function by generating a filename and automatically hiding the SUBMIT button. Many fixes for this, but an equal number of circumventions.
  • Frames - part of a JavaScript or Java hack (hiding web bugs). Hackers include a link to a valid site that uses frames, then replace some of those frames with bad www pages.
  • Java - normal Java applets have no access to the local system, but sometimes they'd be more useful if they did have local access.
  • ActiveX - works purely on a trust model and runs in native mode: once the user accepts the control it is native code with the user's full privileges.
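Two of the server-side bugs on this slide as code: the `../../../../` path traversal and shell metacharacters reaching a command through CGI (the phf pattern). This is an added example, not code from the presentation or from any of the products named: the document root `/var/www/htdocs`, the request paths and the e-mail input are constructed. Each `vulnerable_*` function keeps the bug; the `safe_*` function beside it is the check that closes it.

```python
"""The ../../../../ traversal and CGI shell-metacharacter bugs, each next
to the check that closes it.

Added example, not from the presentation. The document root, the request
paths and the e-mail input are constructed.
"""
import posixpath
import re
from urllib.parse import unquote

DOCROOT = "/var/www/htdocs"   # assumed document root


def vulnerable_resolve(url_path):
    """Trusts the client: normpath happily walks ../ out of DOCROOT."""
    return posixpath.normpath(posixpath.join(DOCROOT, unquote(url_path).lstrip("/")))


def safe_resolve(url_path):
    """Decode once, normalise, then require the result to stay under DOCROOT.

    Decoding before normalising is what defeats %2e%2e%2f; checking the
    final path (rather than grepping the raw string for '../') is what
    defeats every other encoding trick. A real server should also apply
    realpath() so a symlink cannot point back outside the root.
    """
    decoded = unquote(url_path)
    if "\x00" in decoded:                      # NUL would truncate a C path
        raise ValueError("NUL byte in path")
    candidate = posixpath.normpath(posixpath.join(DOCROOT, decoded.lstrip("/")))
    if posixpath.commonpath([DOCROOT, candidate]) != DOCROOT:
        raise PermissionError(f"escapes document root: {url_path!r}")
    return candidate


# Characters /bin/sh treats specially: a usable IDS signature for a CGI
# attack, and exactly what the allow-list below never admits.
SHELL_META = re.compile(r"[;&|`$<>(){}\\'\"\n\r]")


def looks_like_shell_injection(value):
    return SHELL_META.search(value) is not None


def vulnerable_cgi_command(email):
    """phf-style: client data interpolated into a string handed to /bin/sh."""
    return f"/usr/bin/finger {email}"


def safe_cgi_command(email):
    """Allow-list the value and return an argv for subprocess.run(..., shell=False);
    no shell ever sees the bytes, so metacharacters are inert."""
    if not re.fullmatch(r"[A-Za-z0-9._-]{1,64}@[A-Za-z0-9.-]{1,253}", email):
        raise ValueError("address rejected")
    return ["/usr/bin/finger", email]


def cgi_accepts(email):
    try:
        safe_cgi_command(email)
        return True
    except ValueError:
        return False


def demo_paths():
    """Map constructed request paths to the file served, or DENIED."""
    out = {}
    for path in ["/index.html", "/images/../index.html",
                 "/../../../../etc/passwd", "/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
                 "/ok%00.html"]:
        try:
            out[path] = safe_resolve(path)
        except (PermissionError, ValueError):
            out[path] = "DENIED"
    return out


if __name__ == "__main__":
    print("naive server would read:", vulnerable_resolve("/../../../../etc/passwd"))
    for path, result in demo_paths().items():
        print(f"{path:40} {result}")
    print("shell would run:", vulnerable_cgi_command("x@y.z;cat /etc/passwd"))
```

`/images/../index.html` is allowed on purpose: traversal that stays inside the root is legitimate, which is why the check is on the resolved path and not on the presence of `..`.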

  19. Common Reconnaissance Scans and DoS Attacks
  • Ping Sweeps
  • TCP/UDP Scans
  • OS identification
  • Account Scans
  • Ping of Death
  • SYN Flood
  • Land
  • DDoS
  • See the PDF file that I brought for the RealSecure signatures file

  20. How Do NIDS Detect Intrusions?
  • Anomaly detection - measures a baseline of statistics like CPU utilization, disk activity, user logins, file activity. The NIDS triggers when a deviation from this baseline occurs. Can catch attacks nobody has written a signature for, but needs tuning to keep false positives down.
  • Signature recognition - pattern matching of attack probes against a large database of known attack signatures. Antiviral software uses the same technique. Works only for known attacks.

  21. Matching Signatures with Incoming Traffic
  • A NIDS consists of a special TCP/IP stack that reassembles IP datagrams and TCP streams, so an attack split across fragments or segments can still be matched. It uses:
  • Protocol Stack Verification - search for protocol violations (SYN and FIN set together, etc.)
  • Application Protocol Verification - check that what is carried on a port actually obeys that application's protocol
  • New Event Creation - log all application layer protocol events for later correlation
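Slides 20 and 21 in code: protocol-stack verification (TCP flag combinations a compliant stack never emits, the SYN/FIN case included) next to anomaly detection against a learned baseline. This is an added example, not code from the presentation. The flag bit values follow the TCP header; the baseline history, the three-standard-deviation threshold and the sample traffic are constructed.

```python
"""How a NIDS decides: protocol-stack verification (illegal TCP flag
combinations) beside anomaly detection against a learned baseline.

Added example, not from the presentation. Flag bits follow the TCP header;
the baseline history, thresholds and sample traffic are constructed.
"""
import statistics
from collections import Counter, defaultdict

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def flag_violation(flags):
    """Name the protocol violation in a TCP flags byte, or None if it is legal.

    A compliant stack never sends these; scanners (nmap -sN/-sF/-sX) and old
    DoS tools do, which makes them cheap, low false-positive signatures.
    """
    if flags & SYN and flags & FIN:
        return "SYN+FIN"
    if flags & SYN and flags & RST:
        return "SYN+RST"
    if flags == 0:
        return "null flags"
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG):
        return "xmas (FIN+PSH+URG)"
    if flags & FIN and not flags & ACK:
        return "FIN without ACK"
    return None


class RateBaseline:
    """Learn connection counts per interval, then flag an interval that sits
    more than k standard deviations above the mean. `floor` keeps a very
    quiet baseline from alerting on a change of one or two connections."""

    def __init__(self, k=3.0, floor=1.0):
        self.k, self.floor = k, floor
        self.mean = self.stdev = None

    def learn(self, history):
        self.mean = statistics.fmean(history)
        self.stdev = max(statistics.pstdev(history), self.floor)

    def score(self, value):
        return (value - self.mean) / self.stdev

    def is_anomalous(self, value):
        return self.score(value) > self.k


def analyze(packets, baseline):
    """packets: iterable of (src_ip, tcp_flags) seen in one interval.
    Returns {src_ip: sorted list of alert strings}."""
    alerts = defaultdict(set)
    per_src = Counter()
    for src, flags in packets:
        per_src[src] += 1
        violation = flag_violation(flags)
        if violation:                                   # signature path
            alerts[src].add(f"signature: {violation}")
    for src, n in per_src.items():                      # anomaly path
        if baseline.is_anomalous(n):
            alerts[src].add(f"anomaly: {n} connections (z={baseline.score(n):.1f})")
    return {src: sorted(a) for src, a in alerts.items()}


# Constructed: new connections per five-minute interval from a typical
# inside host during the learning period.
HISTORY = [12, 15, 11, 14, 13, 12, 16, 14]


def demo_alerts():
    baseline = RateBaseline()
    baseline.learn(HISTORY)
    traffic = (
        [("10.1.5.50", SYN)] * 14                        # normal browsing
        + [("198.51.100.23", SYN)] * 60                  # SYN scan: rate anomaly
        + [("203.0.113.4", SYN | FIN)]                   # SYN/FIN probe: signature
    )
    return analyze(traffic, baseline)


if __name__ == "__main__":
    for src, found in demo_alerts().items():
        print(src, found)
```

The two paths fail differently, which is the trade-off the slide describes: the SYN/FIN probe is a single packet and would never move a rate baseline, while the SYN scan uses perfectly legal flags and would never match a protocol signature. A sensor that runs both catches both.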

  22. NIDS Detect the Attack - possible responses
  • Firewall reconfiguration to block the IP address.
  • Chime - "Danger, Will Robinson!" alarm. Email or page admins.
  • SNMP trap - send a trap datagram to the console.
  • Syslog - record it in the NT Event log or Unix syslog.
  • Save evidence.
  • Launch a program to handle the event.
  • Terminate the TCP connection by injecting a forged close into the session; products typically send a TCP reset (RST), which tears the connection down at both ends at once, rather than a FIN, which only half-closes one direction.

  23. Some NIDS Products
  • BlackIce Defender (Network Ice)
  • CyberCop Monitor (Network Associates)
  • RealSecure (ISS)
  • NetRanger (WheelGroup/Cisco)
  • eTrust Intrusion Detection (CA)
  • NetProwler (Axent)
  • Centrax (CyberSafe)
  • NFR (Network Flight Recorder)
  • Dragon (Security Wizards)
