Intrusion Detection - PowerPoint PPT Presentation

Provided by: BobC75
Slides: 44

Transcript and Presenter's Notes

1
Intrusion Detection
2
Outline
  • What is it?
  • What types are there?
    • Network based
    • Host based
    • Stack based
  • Benefits of each
  • Example Implementations
  • Difference between active and passive detection
  • HoneyPots

3
Intrusion Detection System (IDS)
  • Detects malicious activity in computer systems
  • Identifies and stops attacks in progress
  • Conducts forensic analysis once attack is over

4
The Value of IDS
  • Monitors network resources to detect intrusions
    and attacks that were not stopped by preventative
    techniques (firewalls, packet-filtering routers,
    proxy servers)
  • Expands available options to manage risk from
    threats and vulnerabilities

5
Negatives and Positives
  • IDS must correctly identify intrusions and
    attacks
  • True positives
  • True negatives
  • False positives
    • Benign activity reported as malicious
  • False negatives
    • IDS missed an attack

6
Dealing with False Results
  • False positives
    • Reduce number using the tuning process
  • False negatives
    • Obtain more coverage by using a combination of
      network-based and host-based IDS
    • Deploy NIDS sensors at multiple strategic
      locations in the network

7
Types of IDS
  • Network-based (NIDS)
    • Monitors network traffic
    • Provides early warning system for attacks
  • Host-based (HIDS)
    • Monitors activity on host machine
    • Able to stop compromises while they are in
      progress

8
Network-based IDS
  • Uses a dedicated platform for purpose of
    monitoring network activity
  • Analyzes all passing traffic
  • Sensors have two network connections
    • One operates in promiscuous mode to sniff passing
      traffic
    • An administrative NIC sends data such as alerts
      to a centralized management system
  • Most commonly employed form of IDS

9
NIDS Interfaces
  (Diagram: NIDS sensor with a sniffing interface that has no IP address
   and a second interface to the NIDS management console; legend shows
   data link and data flow)
10
NIDS Architecture
  • Place IDS sensors strategically to defend most
    valuable assets
  • Typical locations of IDS sensors
    • Just inside the firewall
    • On the DMZ
    • On the server farm segment
    • On network segments connecting mainframe or
      midrange hosts

11
Connecting the Monitoring Interface
  • Using Switch Port Analyzer (SPAN) configurations,
    or similar switch features
  • Using hubs in conjunction with switches
  • Using taps in conjunction with switches

12
SPAN
  • May be built into configurable switches (high
    end)
  • Allows traffic sent or received in one interface
    to be copied to another monitoring interface
  • Typically used for sniffers or NIDS sensors

13
How SPAN Works
  (Diagram: monitored host attached to the switch's monitored port; the
   switch copies that port's traffic to the SPAN port, where the IDS
   receives the duplicated traffic; legend: data link)
14
Monitor Network Segment
  (Diagram: several monitored hosts on one switch; the switch duplicates
   the segment's traffic to the IDS; legend: data link)
15
Limitations of SPAN
  • Traffic between hosts on the same segment is not
    monitored; only traffic leaving the segment
    crosses the monitored link
  • Switch may offer a limited number of SPAN ports, or
    none at all

16
Hub
  • Device for creating LANs that forward every
    packet received to every host on the LAN
  • Allows only a single port to be monitored

17
Using a Hub in a Switched Infrastructure
  (Diagram: a hub inserted on a switched link so that the monitored
   host's traffic passes through it; the IDS is attached to the hub;
   labels: Switch, Switch, Hub, IDS, Monitored Host; legend: data link)
18
Tap
  • Fault-tolerant hub-like device used inline to
    provide IDS monitoring in switched network
    infrastructures

19
Using a Tap
  (Diagram: a tap placed inline on the monitored host's link; the IDS
   attaches to the tap's monitoring port; legend: data link)
  Tap acts like a 3-way hub where the monitoring port
  is read only
20
Typical 10/100 8 port Tap
  (Product photo; loss of power has no effect on traffic)
  Sources: NetOptics, Networktaps.com
21
NIDS Signature Types
  • Signature-based IDS
    • Port signature
    • Header signatures

22
Network IDS Reactions
  • TCP resets
  • IP session logging
  • Shunning or blocking

23
Strengths of NIDS
  • Cost of Ownership
    • Lower because IDS is shared
  • Packet Analysis
    • Can look at all network traffic
  • Evidence Removal
    • Packets are captured in a separate machine
  • Real-Time Detection and Response
    • Can detect (and block) DDoS attacks
  • Operating System Independence

24
Host-based IDS
  • Primarily used to protect only critical servers
  • Software agent resides on the protected system
  • Detects intrusions by analyzing logs of operating
    systems and applications, resource utilization,
    and other system activity
  • Use of resources can have impact on system
    performance

25
HIDS Method of Operation
  • Auditing logs (system logs, event logs, security
    logs, syslog)
  • Monitoring file checksums to identify changes
  • Elementary network-based signature techniques
    including port activity
  • Intercepting and evaluating requests by
    applications for system resources before they are
    processed
  • Monitoring of system processes for suspicious
    activity

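As an added illustration of the "monitoring file checksums" method on this slide (example code written for this transcript, not part of the original presentation or of any product listed later), the following Python builds a baseline of file hashes and permission bits and then reports what changed on a later run. The file names and contents are constructed in a temporary directory; the directory layout and the categories reported are assumptions.

```python
"""Baseline-and-compare file integrity check, in the style of the
'monitoring file checksums' HIDS method. Added example, not the slides'
code. All paths are created in a temporary directory."""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map relative path -> (sha256, permission bits, size) for every regular file."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            baseline[str(p.relative_to(root))] = (hash_file(p), st.st_mode & 0o7777, st.st_size)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences the way an integrity checker reports them."""
    common = [k for k in baseline if k in current]
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in common if baseline[k][0] != current[k][0]),
        "mode_changed": sorted(k for k in common if baseline[k][1] != current[k][1]),
    }


def demo() -> dict:
    """Constructed scenario: snapshot a small tree, change it, re-check."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF original")
        os.chmod(root / "bin" / "ls", 0o755)
        baseline = build_baseline(root)

        # Constructed changes: one file edited, one file's permission bits
        # changed without touching its contents, one removed, one added
        (root / "etc" / "passwd").write_text(
            "root:x:0:0::/root:/bin/sh\nguest:x:1001:1001::/home/guest:/bin/sh\n")
        os.chmod(root / "bin" / "ls", 0o4755)   # setuid bit added, content unchanged
        (root / "etc" / "hosts").unlink()
        (root / "bin" / "extra").write_bytes(b"\x7fELF new")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

Hashing alone would miss the permission change on `bin/ls`, which is why the baseline also records mode bits; a real checker (Tripwire is listed on slide 34) stores owner, timestamps and inode data as well, and keeps the baseline somewhere the monitored host cannot rewrite it.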
26
HIDS Software
  • Host wrappers
    • Inexpensive and deployable on all machines
    • Do not provide the in-depth, active monitoring
      measures of agent-based HIDS products
  • Agent-based software
    • More suited for single-purpose servers

27
HIDS Active Monitoring Capabilities
  • Log the event
  • Alert the administrator
  • Terminate the user login
  • Disable the user account

28
Advantages of Host-based IDS
  • Verifies success or failure of attack by
    reviewing HIDS log entries
  • Monitors user and system specific activities
    useful in forensic analysis of the attack
  • Can monitor network encrypted traffic
  • Near real-time detection and response
    • Analysis is log based, but good design mitigates
      much of the delay
  • Can focus on key system components
  • No additional hardware

29
Stack based IDS
  • IDS is integrated with TCP/IP protocol stack
  • Allows system to provide real-time analysis and
    response
  • Intended to have low enough overhead so that each
    system can have its own IDS

30
Passive Detection Systems
  • Can take passive action (logging and alerting)
    when an attack is identified
  • Cannot take active actions to stop an attack in
    progress

31
Active Detection Systems
  • Have logging, alerting, and recording features of
    passive IDS, with additional ability to take
    action against offending traffic
  • Options
    • IDS shunning or blocking
    • TCP reset
  • Used in networks where IDS administrator has
    carefully tuned the sensor's behavior to minimize
    number of false positive alarms
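The passive/active distinction of slides 30 and 31, and the tuning point about false positives from slide 6, in working form (an added example for this transcript, not code from the presentation): a detector reads constructed sshd log lines, raises an alert when one source fails authentication `threshold` times inside a time window, and a response stage either only logs and alerts (passive) or also emits a block action (active). The log lines, the threshold and window values, and the action names are assumptions.

```python
"""Passive vs. active handling of the same detection over constructed
syslog-style sshd lines. Added example; thresholds and actions are assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (syslog omits the year, as real sshd lines do)
SAMPLE_LOG = """\
Mar  3 10:00:01 web1 sshd[2001]: Failed password for root from 198.51.100.7 port 51000 ssh2
Mar  3 10:00:03 web1 sshd[2002]: Failed password for admin from 198.51.100.7 port 51002 ssh2
Mar  3 10:00:04 web1 sshd[2003]: Failed password for root from 198.51.100.7 port 51004 ssh2
Mar  3 10:00:06 web1 sshd[2004]: Failed password for oracle from 198.51.100.7 port 51006 ssh2
Mar  3 10:00:07 web1 sshd[2005]: Failed password for root from 198.51.100.7 port 51008 ssh2
Mar  3 10:00:09 web1 sshd[2006]: Failed password for alice from 203.0.113.9 port 40000 ssh2
Mar  3 10:00:30 web1 sshd[2007]: Accepted password for alice from 203.0.113.9 port 40001 ssh2
Mar  3 10:15:00 web1 sshd[2008]: Failed password for bob from 192.0.2.5 port 42000 ssh2
Mar  3 10:16:00 web1 sshd[2009]: Failed password for bob from 192.0.2.5 port 42001 ssh2
"""

FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for (\S+) from (\S+) port")


def parse_time(stamp: str) -> datetime:
    """Syslog stamps carry no year; a fixed one is assumed for the constructed data."""
    return datetime.strptime("2024 " + stamp, "%Y %b %d %H:%M:%S")


def detect(log_text: str, threshold: int = 5, window: timedelta = timedelta(seconds=60)) -> list:
    """Alert on any source with >= threshold failed logins inside one window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            events[m.group(3)].append((parse_time(m.group(1)), m.group(2)))
    alerts = []
    for src, fails in events.items():
        times = [t for t, _ in fails]
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                alerts.append({"source": src, "failures": j - i,
                               "users": sorted({u for _, u in fails[i:j]})})
                break
    return alerts


def respond(alerts: list, mode: str) -> list:
    """Passive: log and alert only. Active: additionally shun the source."""
    actions = []
    for a in alerts:
        actions.append(("alert", a["source"]))
        if mode == "active":
            actions.append(("block", a["source"]))
    return actions


if __name__ == "__main__":
    tuned = detect(SAMPLE_LOG)                  # threshold 5: one alert
    loose = detect(SAMPLE_LOG, threshold=2)     # threshold 2: bob's two typos also fire
    print("tuned:", respond(tuned, "active"))
    print("loose:", respond(loose, "active"))
```

With the default threshold only the burst from 198.51.100.7 fires; lowering it to 2 also flags 192.0.2.5, where bob simply mistyped twice a minute apart. In passive mode that second alert costs an analyst a few minutes; in active mode it blocks a legitimate user, which is why the slide ties active response to carefully tuned sensors.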

32
Signature-based and Anomaly-based IDS
  • Signature detection
    • Also known as misuse detection
    • IDS analyzes information it gathers and compares
      it to a database of known attacks, which are
      identified by their individual signatures
  • Anomaly detection
    • Baseline is defined to describe normal state of
      network or host
    • Any activity outside baseline is considered to be
      an attack
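The two detection approaches on this slide, together with the port and header signature types from slide 21, run side by side over constructed packet summaries (an added example for this transcript, not the presentation's or any vendor's code). The signature names, the known-good training traffic and the k = 3 threshold are assumptions chosen so that each method catches something the other misses.

```python
"""Signature (misuse) detection beside anomaly detection over constructed
packet summaries. Added example; signatures, baseline data and threshold
are assumptions for illustration."""
from dataclasses import dataclass
import statistics


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: str  # TCP flag letters: "S" (SYN), "SA" (SYN+ACK), "SF" (SYN+FIN), "" (none)


# Signature database: one port signature and two header signatures (slide 21)
PORT_SIGS = {23: "telnet-service-access"}
HEADER_SIGS = {"SF": "tcp-syn-fin-illegal-combination", "": "tcp-null-flags"}


def signature_detect(packets):
    """Misuse detection: report every packet matching a known signature."""
    hits = []
    for p in packets:
        if p.dport in PORT_SIGS:
            hits.append((p.src, PORT_SIGS[p.dport]))
        if p.flags in HEADER_SIGS:
            hits.append((p.src, HEADER_SIGS[p.flags]))
    return hits


def ports_per_source(packets):
    per_src = {}
    for p in packets:
        per_src.setdefault(p.src, set()).add(p.dport)
    return per_src


def build_baseline(packets):
    """Describe 'normal' as the distribution of distinct destination ports per source."""
    sizes = [len(s) for s in ports_per_source(packets).values()]
    return {"mean": statistics.mean(sizes), "stdev": statistics.pstdev(sizes)}


def anomaly_detect(packets, baseline, k=3.0):
    """Flag sources more than k standard deviations above the baseline mean.
    The stdev is floored at 1.0 so a very uniform baseline does not flag everything."""
    limit = baseline["mean"] + k * max(baseline["stdev"], 1.0)
    return [(src, len(ports)) for src, ports in ports_per_source(packets).items()
            if len(ports) > limit]


def syns(src, ports, flags="S"):
    """Build one packet per destination port from a single source (constructed data)."""
    return [Packet(src, "10.0.0.5", port, flags) for port in ports]


# Constructed known-good traffic used to define the baseline
TRAINING = (syns("10.0.1.1", [80, 443]) + syns("10.0.1.2", [443])
            + syns("10.0.1.3", [80, 443, 22]) + syns("10.0.1.4", [443, 80])
            + syns("10.0.1.5", [25]))

# Constructed traffic to examine: a normal client, one source touching twenty
# ports, a single telnet connection, and a packet with an illegal flag combination
OBSERVED = (syns("10.0.1.3", [80, 443, 22])
            + syns("192.0.2.10", range(1, 21))
            + syns("192.0.2.11", [23])
            + syns("192.0.2.12", [80], flags="SF"))


def run_demo():
    baseline = build_baseline(TRAINING)
    return signature_detect(OBSERVED), anomaly_detect(OBSERVED, baseline)


if __name__ == "__main__":
    sig, anom = run_demo()
    print("signature hits:", sig)
    print("anomalies:", anom)
```

The signature pass needs no baseline and names exactly what it saw, but it says nothing about 192.0.2.10 because no signature describes "many ports from one source"; the anomaly pass flags that source from the baseline alone, yet treats the single telnet connection as ordinary because one port is well within normal. That complementarity is the reason real deployments run both.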

33
Intrusion Detection Products
  • Aladdin Knowledge Systems
  • Entercept Security Technologies
  • Cisco Systems, Inc.
  • Computer Associates International Inc.
  • CyberSafe Corp.
  • Cylant Technology
  • Enterasys Networks Inc.
  • Internet Security Systems Inc.
  • Intrusion.com Inc. family of IDS products

34
Intrusion Detection Products (cont.)
  • NFR Security
  • Network-1 Security Solutions
  • Raytheon Co.
  • Recourse Technologies
  • Sanctum Inc.
  • Snort
  • Sourcefire, Inc.
  • Symantec Corp.
  • TripWire Inc.

35
Honeypots
  • False systems that lure intruders and gather
    information on methods and techniques they use to
    penetrate networks by purposely becoming victims
    of their attacks
  • Simulate unsecured network services
  • Make forensic process easy for investigators

36
Honeypot Architecture
  (Diagram: honeypot placed on a switch segment alongside the servers,
   behind the router; legend: data link)
37
Commercial Honeypots
  • KFSensor
    • www.keyfocus.net/kfsensor
  • NetBait
    • www2.netbaitinc.com:5080
  • Specter
    • www.specter.com
  • Decoy Server
    • www.symantec.com

38
Open Source Honeypots
  • Argos
    • www.few.vu.nl/argos
  • HoneyNet Project
    • http://www.honeynet.org
  • Honeyd
    • www.honeyd.org
  • The Deception Toolkit
    • http://all.net/dtk/download.html

39
Honeypot Deployment
  • Goal
    • Gather information on hacker techniques,
      methodology, and tools
  • Options
    • Conduct research into hacker methods
    • Detect attacker inside organization's network
      perimeter

40
Honeypot Design
  • Must attract, and avoid tipping off, the attacker
  • Must not become a staging ground for attacking
    other hosts inside or outside the firewall

41
Honeypots, Ethics, and the Law
  • Nothing wrong with deceiving an attacker into
    thinking that he/she is penetrating an actual
    host
  • Honeypot does not convince one to attack it; it
    merely appears to be a vulnerable target
  • Doubtful that honeypots could be used as evidence
    in court

42
References
  • Security Guide to Network Security Fundamentals
    • Campbell, Calvert, Boswell; Course Technology,
      2003
  • HowTo Guide for IDS
    • http://www.snort.org/docs/iss-placement.pdf

43
Summary
  • What is Intrusion Detection?
  • What types are there?
    • Network based
    • Host based
    • Stack based
  • Benefits of each
  • Example Implementations
  • Difference between active and passive detection
  • HoneyPots