An Introduction to Intrusion Detection Systems

Presented by Himanshu Gupta, MCSE, MCP+I
Outline

- What is Intrusion Detection?
- Types of IDS
- Approaches to IDS
- Requirements
- Limitations
- Evading IDSs
- Testing and Evaluating IDSs
- Computer Forensics
- IDS Tools: nmap, Nessus (NeWT), Snort 2.1, IDS Center, ACID, WinPcap, Ethereal
- Links
- Books
Network Security Quiz

- What is CIA?
- What is a Bastion Host?
- What is a DMZ?
- What is a Honeypot?
- Why does a network switch implementation make network monitoring difficult?
What is Intrusion Detection?

Intrusion detection is the art of detecting inappropriate, incorrect, or anomalous activity (internal or external).

Why do we need IDS? Preparation, detection, containment and eradication.
Types of IDS

- Host-based ID systems: ID systems that operate on a host to detect malicious activity on that host.
- Network-based ID systems: ID systems that operate on network data flows.

Components of IDS

- Engine
- Console
Detection Methodologies - Approaches to IDS

- Statistical anomaly detection
  - Based on time, frequency, length of session
  - For example: user X logs on at 03:00 AM and has never done so in the past; it will raise a flag
- Protocol verification / anomaly detection
- Signature detection
  - Based on pattern matching: look for a specific string in the network data being presented to the IDS
- The flexible alternative: rules-based detection
- Stateful monitoring (packet analysis, flow analysis), e.g. SYN flood to all ports
- Integrity checker: based on a hashing mechanism. Detects authorized and unauthorized changes to files within your systems.
Types of Response

Active
- Alerts: visual, audio, e-mail, pager, SNMP alarms
- Dropping the connection or throttling it to slow the attack
- Blocking traffic completely
- Reconfiguring network devices
- Additional intelligence mining
- Launching a counter-attack
- Updating policy

Passive
- Snapshots taken for later analysis
Requirements

- Hardware for sensor and analysis stations
- Active monitoring and analysis of IDS output
- Baseline creation
- Real-time alerts
- Matching against comprehensive signatures
- Log tracking
- Automatic updates
Limitations of IDS

- Functionality at high network bandwidths (what is the limit? ~300 Mbps)
- Multiple attacks
- Late response, e.g. DoS attack: the damage is already done
- Direct attack against the IDS itself
- Unknown attacks
- Unsolved problems: tunneling, ambiguities (e.g. different implementations of the protocol stack)
- Is not independent of the whole security architecture
- Great deal of tuning required
- Performance of algorithms
- Working on encrypted data
- Working in switched environments
Evading IDSs

- Assumption: the attacker knows the IDS algorithm
- E.g. mimicry attack: malicious payload is executed on the host while mimicking normal application behavior
- Evasion techniques are used in order to navigate below the radar of your IDS:
  - Fragmentation
  - Slow scan
  - Stealth scan
  - Out-of-order packets
  - Ambiguous packets (crafting)
  - Encoding such as %u, UTF (%xx%xx), HEX (%xx)
  - Use of well-known ports (Code Red)
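The defender's side of the fragmentation, out-of-order and encoding items above, as an added example that is not part of the presentation: a signature engine has to reassemble the stream and normalize escapes before it matches, because the same request split across reordered segments and spelled with %xx and %uXXXX escapes contains the signature only after both steps. The segments, the signature and the stream layout are constructed; the %uXXXX decoding follows the IIS-style convention the slide mentions.

```python
"""Added example: reassemble-then-normalize before signature matching."""
import re

# Constructed signature: the path fragment the rule is looking for.
SIGNATURE = b"/cgi-bin/test.cgi"

# Constructed TCP stream delivered as three segments, out of order and
# split mid-token. Fully reassembled and decoded it reads
# "GET /cgi-bin/test.cgi HTTP/1.0".
SEGMENTS = [
    (24, b"%2Ecgi HTTP/1.0\r\n\r\n"),   # arrives first
    (0, b"GET /c%67i-bi"),              # %67 is 'g'
    (13, b"n%u002Ftest"),               # %u002F is '/' in IIS-style encoding
]

_PCT_U = re.compile(rb"%u([0-9a-fA-F]{4})")
_PCT = re.compile(rb"%([0-9a-fA-F]{2})")


def reassemble(segments):
    """Order segments by sequence number and concatenate contiguous data.
    A hole (missing segment) stops reassembly so nothing is matched across
    it; overlapping bytes from a retransmission are dropped, keeping the
    copy that was seen first."""
    stream = b""
    expected = 0
    for seq, data in sorted(segments):
        if seq > expected:
            break  # gap: wait for the missing segment
        if seq < expected:
            data = data[expected - seq:]  # overlap already delivered
        stream += data
        expected += len(data)
    return stream


def normalize(data):
    """Decode %uXXXX and then %XX escapes so one pattern covers every
    spelling. Code points above 0xFF are emitted as UTF-8 bytes."""
    data = _PCT_U.sub(lambda m: chr(int(m.group(1), 16)).encode("utf-8"), data)
    data = _PCT.sub(lambda m: bytes([int(m.group(1), 16)]), data)
    return data


def naive_match(segments, signature):
    """Per-segment raw matching: what a sensor without reassembly sees."""
    return any(signature in data for _, data in segments)


def normalized_match(segments, signature):
    """Reassemble the stream, decode escapes, then match."""
    return signature in normalize(reassemble(segments))


if __name__ == "__main__":
    print("naive:", naive_match(SEGMENTS, SIGNATURE))            # False
    print("reassembled+decoded:", normalized_match(SEGMENTS, SIGNATURE))  # True
```

Stopping at a gap rather than matching across it is deliberate: matching a signature against a stream with a hole in it is exactly the kind of ambiguity the Limitations slide lists, since the sensor and the end host would disagree about what was delivered.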
Testing and Evaluating IDSs

- Log fidelity: is all the info there?
- Usability: GUI
- Can it be fine-tuned depending on requirements?
- Ability to write own rules, modify existing ones
- Low false positive rate
- Cost issues
- Ability to detect unknown attacks
- Secure: the system should remain secure even when the attacker knows all the internal details of the system (Kerckhoffs's principle)
- Real-time detection and response
- OS independence
Leading Products

- Dragon from Enterasys: http://www.enterasys.com/ids/
- Cisco Secure IDS: http://www.cisco.com/go/ids/
- Snort: http://www.snort.org/
- ISS RealSecure: http://www.iss.net/securing_e-business/
- SHADOW: http://www.whitehats.ca, ftp://ftp.whitehats.ca/pub/ids/shadow-slack/shadow.iso
Computer Forensics

- Where did the attack come from?
- What was the attacker's method?
- Do we have any hope of catching the intruder?
- Do we have any evidence to prosecute the intruder?
- What if the attack script erased the logs?
WinPcap: the Free Packet Capture Library for Windows

WinPcap is an open source library for packet capture and network analysis for the Win32 platforms. It includes a kernel-level packet filter, a low-level dynamic link library (packet.dll), and a high-level and system-independent library (wpcap.dll, based on libpcap version 0.6.2).

The packet filter is a device driver that adds to Windows 95, 98, ME, NT, 2000, XP and 2003 the ability to capture and send raw data from a network card, with the possibility to filter and store in a buffer the captured packets.

Packet.dll is an API that can be used to directly access the functions of the packet driver, offering a programming interface independent from the Microsoft OS.

Wpcap.dll exports a set of high-level capture primitives that are compatible with libpcap, the well-known Unix capture library. These functions allow packets to be captured in a way that is independent of the underlying network hardware and operating system.

WinPcap is released under a BSD-style license.
Nmap – Free Network Scanner for Network Exploration and Security
Snort 2.1 – The de facto standard for intrusion detection and prevention

- Simple, efficient, FREE IDS
- Very well-written and maintained, robust application
- Snort is driven by a set of (community-developed) rules
- Actively (constantly) under development
- Windows and UNIX versions available
Snort 2.1

- Alerts generated and/or packets logged when a "rule" is triggered
- Very simple rule language for writing your own rules
- Ability to log alerts to syslog, directories in ASCII, tcpdump-format raw data
- Different alert styles, from one-line to verbose
- Modular "plug-in" architecture for adding functionality
- Many available plug-ins, including SQL and Oracle database logging, statistical analysis, TCP stream and telnet session reassembly, active response using "sniping"
- Resistant against some of the newer attacks directed at foiling IDSs
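To make the "very simple rule language" concrete, here is an added example (not Snort's own code) of a deliberately small matcher for the Snort rule syntax: a header of the form `action proto src sport -> dst dport` followed by options in parentheses. It handles `msg`, `content`, `nocase` and `sid` only; real Snort supports many more options and modifiers. The two rules, the `$HOME_NET`/`$EXTERNAL_NET` variable values and the packets are constructed for the example.

```python
"""Added example: a minimal parser and matcher for Snort-style rules."""
import ipaddress
import re

# Constructed variable bindings, as snort.conf would define them.
VARS = {"$HOME_NET": "192.168.1.0/24", "$EXTERNAL_NET": "any"}

_HEADER = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def _split_options(body):
    """Split the option body on ';' but not inside double quotes."""
    opts, cur, in_quote = [], "", False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        opts.append(cur.strip())
    return opts


def parse_rule(text):
    """Parse one rule into a dict; unknown options (e.g. rev) are ignored."""
    m = _HEADER.match(text.strip())
    if not m:
        raise ValueError("not a rule: " + text)
    action, proto, src, sport, dst, dport, body = m.groups()
    rule = {"action": action, "proto": proto.lower(), "src": src, "sport": sport,
            "dst": dst, "dport": dport, "contents": [], "nocase": False,
            "msg": "", "sid": None}
    for opt in _split_options(body):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key == "content":
            rule["contents"].append(val.strip('"'))
        elif key == "nocase":
            rule["nocase"] = True
        elif key == "msg":
            rule["msg"] = val.strip('"')
        elif key == "sid":
            rule["sid"] = int(val)
    return rule


def _addr_ok(spec, ip):
    spec = VARS.get(spec, spec)
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_ok(spec, port):
    if spec == "any":
        return True
    if ":" in spec:  # Snort range syntax, e.g. 1024: or 1:1023
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def rule_matches(rule, pkt):
    """Header fields first (cheap), then every content option must match."""
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    if not (_addr_ok(rule["src"], pkt["src"]) and _addr_ok(rule["dst"], pkt["dst"])):
        return False
    if not (_port_ok(rule["sport"], pkt["sport"]) and _port_ok(rule["dport"], pkt["dport"])):
        return False
    payload = pkt["payload"]
    for content in rule["contents"]:
        needle = content.encode()
        if rule["nocase"]:
            if needle.lower() not in payload.lower():
                return False
        elif needle not in payload:
            return False
    return True


def run_rules(rules, pkts):
    """Return one 'msg [sid:N]' alert string per matching rule/packet pair."""
    return ["%s [sid:%s]" % (r["msg"], r["sid"])
            for pkt in pkts for r in rules if rule_matches(r, pkt)]


RULES = [parse_rule(r) for r in [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI test.cgi access"; content:"/test.cgi"; nocase; sid:1000001; rev:1;)',
    'alert tcp any any -> $HOME_NET 23 (msg:"TELNET login prompt"; content:"login:"; sid:1000002; rev:1;)',
]]

PACKETS = [  # constructed: only the first one should alert
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40000, "dst": "192.168.1.10",
     "dport": 80, "payload": b"GET /cgi-bin/TEST.CGI HTTP/1.0\r\n\r\n"},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40001, "dst": "192.168.1.10",
     "dport": 8080, "payload": b"GET /cgi-bin/test.cgi HTTP/1.0\r\n\r\n"},
    {"proto": "udp", "src": "10.0.0.5", "sport": 40002, "dst": "192.168.1.10",
     "dport": 23, "payload": b"login:"},
]

if __name__ == "__main__":
    print(run_rules(RULES, PACKETS))  # ['WEB-CGI test.cgi access [sid:1000001]']
```

The second packet shows a standard tuning problem: the same request on port 8080 is invisible to a rule pinned to port 80, so the port list in a rule is part of its coverage, not just an optimization.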
IDS Center – A front-end for Snort intrusion detection systems

- Snort 2.0, 1.9, 1.8 and 1.7 support; Snort service mode support
- Snort configuration wizard
- Online updates of IDS rules: IDScenter integrates an HTTP client and starts an update script on demand
- Ruleset editor: supports all Snort 2.0 rule options
- HTML report from SQL backend
- Alert notification via e-mail, alarm sound or only visual notification
- AutoBlock plugins: write your own plugins (DLL) for your firewall
- Monitoring: global event logging, integrated log viewer, log rotation (compressed archiving of log files)
- Program execution possible if an attack was detected
ACID - Analysis Console for Intrusion Databases

The Analysis Console for Intrusion Databases (ACID) is a PHP-based analysis engine to search and process a database of security events generated by various IDSes, firewalls, and network monitoring tools. The features currently include:

- Query-builder and search interface for finding alerts matching on alert meta information (e.g. signature, detection time) as well as the underlying network evidence (e.g. source/destination address, ports, payload, or flags)
- Packet viewer (decoder) that graphically displays the layer-3 and layer-4 packet information of logged alerts
- Alert management, providing constructs to logically group alerts to create incidents (alert groups), delete handled alerts or false positives, export to e-mail for collaboration, or archive alerts to transfer them between alert databases
- Chart and statistics generation based on time, sensor, signature, protocol, IP address, TCP/UDP ports, or classification
ACID - Analysis Console for Intrusion Databases – Packet Decode (screenshot slide)
NeWT - Nessus Windows Technology

Nessus – Open Source Vulnerability Scanner Project

NeWT is a complete network vulnerability scanner which includes high-speed checks for more than 6000 of the most commonly updated vulnerabilities.

NeWT and NeWT Pro perform the following types of vulnerability checks:

- Buffer overflow checks in daemons such as Sendmail and IIS
- Default user accounts
- Misconfigured e-mail, FTP and web servers
- Discovery of open ports and host OS discovery
- Denial of service (DoS) discovery
- Backdoors and virus-infected hosts
- P2P, chat and suspicious file-sharing services
Ethereal – A Network Protocol Analyzer

Ethereal is used by network professionals around the world for troubleshooting, analysis, software and protocol development, and education.

Its open source license allows talented experts in the networking community to add enhancements.

It runs on all popular computing platforms, including Unix, Linux, and Windows.

Data can be captured "off the wire" from a live network connection, or read from a capture file.

673 protocols can currently be dissected.
Ethereal can read capture files from tcpdump (libpcap), NAI's Sniffer™ (compressed and uncompressed), Sniffer™ Pro, NetXray™, Sun snoop and atmsnoop, Shomiti/Finisar Surveyor, AIX's iptrace, Microsoft's Network Monitor, Novell's LANalyzer, RADCOM's WAN/LAN Analyzer, HP-UX nettl, i4btrace from the ISDN4BSD project, Cisco Secure IDS iplog, the pppd log (pppdump-format), the AG Group's/WildPacket's EtherPeek/TokenPeek/AiroPeek, or Visual Networks' Visual UpTime. It can also read traces made from Lucent/Ascend WAN routers and Toshiba ISDN routers, as well as the text output from VMS's TCPIPtrace utility and the DBS Etherwatch utility for VMS. Any of these files can be compressed with gzip and Ethereal will decompress them on the fly.
Live data can be read from Ethernet, FDDI, PPP, Token-Ring, IEEE 802.11, Classical IP over ATM, and loopback interfaces (at least on some platforms; not all of those types are supported on all platforms).
Captured network data can be browsed via a GUI, or via the TTY-mode "tethereal" program.
Capture files can be programmatically edited or converted via command-line switches to the "editcap" program.
IETF Intrusion Detection Working Group (IDWG)

RFCs and active Internet drafts defining IDS requirements, language, and framework: www.ietf.org/html.charters/idwg-charter.html

- Intrusion Detection Message Exchange Requirements (draft-ietf-idwg-requirements-10): http://www.ietf.org/internet-drafts/draft-ietf-idwg-requirements-10.txt
- The Intrusion Detection Message Exchange Format (draft-ietf-idwg-idmef-xml-12): http://www.ietf.org/internet-drafts/draft-ietf-idwg-idmef-xml-12.txt
- The Intrusion Detection Exchange Protocol (IDXP) (draft-ietf-idwg-beep-idxp-07): http://www.ietf.org/internet-drafts/draft-ietf-idwg-beep-idxp-07.txt
- The TUNNEL Profile (RFC 3620): http://www.ietf.org/rfc/rfc3620.txt
Links

- Intrusion Detection FAQ: http://www.sans.org/resources/idfaq/
- Nmap – Free Security Scanner for Network Exploration and Security: http://www.insecure.org/nmap/
- Snort 2.1 – The de facto standard for intrusion detection and prevention: www.snort.org
- ACID - Analysis Console for Intrusion Databases: www.cert.org/kb/acid/
- Nessus – Open Source Vulnerability Scanner Project: www.nessus.org
- NeWT - Nessus Windows Technology: www.tenablesecurity.com/products/newt.shtml
- Ethereal – A Network Protocol Analyzer: www.ethereal.com
- WinPcap: winpcap.polito.it/
- Snort IDS Center: www.engagesecurity.com/products/idscenter/
Books

- Network Intrusion Detection (3rd Edition), Stephen Northcutt, Judy Novak
- Snort 2.1 Intrusion Detection, Second Edition, Jay Beale, Caswell
- Nessus Network Auditing (Jay Beale's Open Source Security), Renaud Deraison, Noam Rathaus, HD Moore, Raven Alder, George Theall, Andy Johnston, Jimmy Alderson
- Ethereal Packet Sniffing, Angela D. Orebaugh, Gilbert Ramirez, Ethereal.com
- Inside Network Perimeter Security: The Definitive Guide to Firewalls, Virtual Private Networks (VPNs), Routers, and Intrusion Detection Systems, Stephen Northcutt, Lenny Zeltser, Scott Winters, Karen Fredrick, Ronald W. Ritchey
- Practical Unix & Internet Security, 3rd Edition, Simson Garfinkel, Gene Spafford, Alan Schwartz
Thanks

I hope this session was informative :-)

If you would like any more sessions in April 2005 please let the ACM Officers know.

E-mail – [email protected]