Post on 19-Dec-2015
Network Security Monitoring
COEN 250
Indicators and Warnings
Indicator “an item of information which reflects the intention or
capability of a potential enemy to adopt or reject a course of action”*
Indications and Warnings “the strategic monitoring of world military, economic,
and political events to ensure that they are not the precursor to hostile or other activities which are contrary to U.S. interests”**
* DoD Dictionary of Military Terms
** U.S. Army Intelligence, Document on Indicators in Operations Other Than War
Indicators and Warnings
Indicators generated by an Intrusion Detection System (IDS) are alerts. Examples:
  Web server initiates outbound FTP to a site in Russia
  Spike in ICMP messages
Warnings: result of the analyst’s interpretation of an indicator
Escalation of a warning:
  Conclusion that the warning warrants further analysis
  Conclusion that the warning is indeed an incident
  Triggers incident response
Intrusion Detection Systems
Intrusion Detection: the process of monitoring events occurring in a computer system or network and analyzing them for signs of possible incidents
Incident: a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices
  Arise from: malware, attacks, honest errors
Intrusion Detection Systems
Intrusion Detection System: software that automates the detection process
Intrusion Prevention System: additionally has the capacity to stop some possible incidents
Intrusion Detection Systems
Key functions of IDS technology:
  Recording information related to observed events
  Notifying security administrators of important observed events
  Producing reports
IDPS technology can be augmented by human analysis
Intrusion Detection Systems: Key functions of IPS technology
IPS stops the attack itself:
  Terminate network connection
  Terminate user session
  Block access to target from offending user account or IP address
  Block all access to target
IPS changes the security environment:
  IPS changes the configuration of other security controls to disrupt the attack
  Reconfiguring a network device
  Altering a host-based firewall
  Applying patches to a host it detects is vulnerable
Intrusion Detection Systems: Key functions of IPS technology
IPS changes the attack’s contents:
  Remove or replace malicious portions of an attack
  Remove an infected file attachment from e-mail, but allow the e-mail sans attachment to reach its destination
  IPS acts as a proxy and normalizes incoming requests
Intrusion Detection Systems
Current IDPS technology has false positives and false negatives.
Attackers use evasion techniques, e.g. using escaping
Intrusion Detection Systems: Common Detection Methodologies: Signature-Based Detection
A signature is a pattern corresponding to a known threat.
Examples:
  Telnet attempt with user name “root”
  E-mail with subject “You received a picture from a *”
  OS system log entry indicating that the host’s auditing has been disabled
Intrusion Detection Systems: Common Detection Methodologies: Signature-Based Detection
Very effective against known threats
Basically ineffective against unknown threats
Subject to evasion by polymorphic attacks
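The three slide examples as a minimal signature engine, written here as an added illustration (not code from the course): each signature names the event type and field it inspects and the regular expression it applies, and an event that matches nothing is simply reported as clean, which is exactly why the method cannot see an unknown threat. The event shape and field names are assumptions, and the sample events are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample events of the kinds the slide lists, in the shape a
# collector might hand to a detection engine (field names are assumptions).
SAMPLE_EVENTS = [
    {"type": "telnet_login", "src": "10.0.0.5", "user": "root"},
    {"type": "telnet_login", "src": "10.0.0.6", "user": "alice"},
    {"type": "email", "subject": "You received a picture from a friend"},
    {"type": "email", "subject": "Meeting notes"},
    {"type": "syslog", "host": "db01", "msg": "auditd: audit logging disabled by pid 4242"},
    {"type": "syslog", "host": "db01", "msg": "sshd: session opened for user bob"},
]


@dataclass(frozen=True)
class Signature:
    """A known-threat pattern: which event type and field to inspect, and the regex to apply."""
    name: str
    event_type: str
    field: str
    pattern: re.Pattern
    severity: str = "medium"


# Hypothetical signatures for the three slide examples.
SIGNATURES = (
    Signature("telnet-root-login", "telnet_login", "user", re.compile(r"^root$")),
    Signature("picture-worm-subject", "email", "subject",
              re.compile(r"^You received a picture from a\b", re.IGNORECASE)),
    Signature("host-audit-disabled", "syslog", "msg",
              re.compile(r"\baudit(ing)?( logging)? disabled\b", re.IGNORECASE), "high"),
)


def match_signatures(events, signatures=SIGNATURES):
    """Return (signature name, severity, event) for every event a signature matches.

    A signature engine only ever says "this looks like something I have seen
    before": an event that matches no signature is reported as clean, which is
    why the method is blind to unknown threats.
    """
    alerts = []
    for event in events:
        for sig in signatures:
            if event.get("type") != sig.event_type:
                continue
            if sig.pattern.search(event.get(sig.field, "")):
                alerts.append((sig.name, sig.severity, event))
    return alerts


def alert_names(events, signatures=SIGNATURES):
    """Just the names of the signatures that fired, in event order."""
    return [name for name, _, _ in match_signatures(events, signatures)]


if __name__ == "__main__":
    for name, severity, event in match_signatures(SAMPLE_EVENTS):
        print(f"[{severity}] {name}: {event}")
```

Running it produces one alert per slide example and nothing for the benign events; a login as any account other than `root` is not reported, however suspicious it might be, because no signature describes it.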
Intrusion Detection Systems: Common Detection Methodologies: Anomaly-Based Detection
Relies on comparing definitions of normal activity against observed events
Identifies significant deviations
Anomaly-based IDPS has profiles:
  Representing normal behavior of actors and activities: users, hosts, network connections, applications
  Developed through observation over time
Intrusion Detection Systems: Common Detection Methodologies: Anomaly-Based Detection Profile
Examples:
  Amount of e-mail a user sends
  Bandwidth of web activities
  Number of failed login attempts for a host
  Level of processor utilization for a host
Intrusion Detection Systems: Common Detection Methodologies: Anomaly-Based Detection
Can be effective at detecting unknown threats
Depends on the accuracy of profiles:
  Inadvertent inclusion of malicious activity in a profile
  Dynamic profiles can be subverted by an attacker slowly increasing activity
  Static profiles generate false positives if usage patterns differ
Subject to stealth attacks
Makes it difficult for a human analyst to find the reason for an alert
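To make the profile trade-off above concrete, here is an added example (not course code) using the slide’s own profile measure, the number of failed login attempts per hour on a host. A static profile is learned once from a training window and frozen; a dynamic profile keeps updating its mean and variance with every observation. Run over a constructed series in which the count rises by one attempt per hour, the frozen profile alerts on the second hour of the ramp, while the self-updating profile is dragged upward step by step and never alerts at all, which is the subversion the slide warns about. The threshold rule (mean plus three standard deviations) and the smoothing factor are assumptions chosen for the illustration.

```python
import statistics

# Constructed: hourly counts of failed login attempts on one host. 24 hours of
# normal use, then activity that climbs by one extra attempt every hour.
BASELINE = [2, 3, 4, 3] * 6          # 24 hourly counts, mean 3.0, variance 0.5
SLOW_RAMP = list(range(5, 41))       # 36 hours, climbing gently to 40 per hour


class StaticProfile:
    """Profile learned once from a training window and then frozen."""

    def __init__(self, training, k=3.0):
        self.mean = statistics.fmean(training)
        self.std = statistics.pstdev(training)
        self.k = k                   # alert when x exceeds mean + k * std

    def is_anomalous(self, x):
        return x > self.mean + self.k * self.std


class DynamicProfile:
    """Profile that keeps learning: exponentially weighted mean and variance,
    updated with every observation whether or not it was flagged."""

    def __init__(self, training, alpha=0.3, k=3.0):
        self.mean = statistics.fmean(training)
        self.var = statistics.pvariance(training)
        self.alpha = alpha           # weight given to the newest observation
        self.k = k

    def is_anomalous(self, x):
        flagged = x > self.mean + self.k * self.var ** 0.5
        # The update below is what an attacker exploits: each slightly higher
        # value becomes part of "normal" before the next, higher one arrives.
        diff = x - self.mean
        incr = self.alpha * diff
        self.mean += incr
        self.var = (1 - self.alpha) * (self.var + diff * incr)
        return flagged


def first_alert_hour(profile, series):
    """Index of the first hour the profile flags, or None if it never does."""
    for hour, count in enumerate(series):
        if profile.is_anomalous(count):
            return hour
    return None


if __name__ == "__main__":
    print("static profile alerts at ramp hour:", first_alert_hour(StaticProfile(BASELINE), SLOW_RAMP))
    print("dynamic profile alerts at ramp hour:", first_alert_hour(DynamicProfile(BASELINE), SLOW_RAMP))
```

The same static profile would also raise an alert for a legitimate burst of, say, eight failures in one hour after a password change, the false-positive side of the trade-off; a common mitigation is to keep a frozen reference profile alongside the adaptive one and alert when the two disagree by more than a set margin.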
Intrusion Detection Systems: Common Detection Methodologies: Stateful Protocol Analysis
Sometimes known as “deep packet inspection”
Compares predetermined profiles of generally accepted definitions of benign protocol activity for each protocol state against observed events to identify deviations
“Stateful” refers to the IDPS capability of understanding protocols
Intrusion Detection Systems: Common Detection Methodologies: Stateful Protocol Analysis
Can identify unexpected sequences of commands
Allows tracking of authenticators for each session
Helpful for human analysis of suspicious activity
Typically includes reasonableness checks for individual commands
  E.g. minimum and maximum length of arguments
Intrusion Detection Systems: Common Detection Methodologies: Stateful Protocol Analysis
Uses protocol models based on standards
  But most standards are underspecified
  Many implementations are not completely compliant
Very resource intensive
Cannot detect attacks that do not violate a protocol
Detects protocol-bending attacks
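The two checks the slides attribute to stateful protocol analysis, unexpected command sequences and argument-length reasonableness, in a small added example (not course code) for the client side of an SMTP exchange. The transition table is a simplified model of the command order an SMTP server accepts; the argument limits are assumptions standing in for the length limits a real analyzer would take from the standard, and the three sessions are constructed. Note that a session that stays inside the model, for example a perfectly well-formed message carrying malware, produces no finding, which is the limitation stated on the last slide.

```python
# Simplified SMTP client-command state machine: state -> {verb: next state}.
# This is a model for the example, not a full transcription of RFC 5321.
TRANSITIONS = {
    "INIT":    {"HELO": "GREETED", "EHLO": "GREETED", "QUIT": "CLOSED"},
    "GREETED": {"MAIL": "MAIL", "RSET": "GREETED", "NOOP": "GREETED", "QUIT": "CLOSED"},
    "MAIL":    {"RCPT": "RCPT", "RSET": "GREETED", "QUIT": "CLOSED"},
    "RCPT":    {"RCPT": "RCPT", "DATA": "DATA", "RSET": "GREETED", "QUIT": "CLOSED"},
    "DATA":    {},      # message body follows; the body itself is not modelled here
    "CLOSED":  {},
}

# Assumed reasonableness limits on argument length, per verb.
MAX_ARG_LEN = {"HELO": 255, "EHLO": 255, "MAIL": 256, "RCPT": 256}


def analyze_session(lines):
    """Walk a client's command lines through the model.

    Returns (final state, findings); each finding is (line number, description).
    A command that is not allowed in the current state is reported and ignored,
    so the analyzer keeps tracking the rest of the session.
    """
    state = "INIT"
    findings = []
    for n, line in enumerate(lines, 1):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        limit = MAX_ARG_LEN.get(verb)
        if limit is not None and len(arg) > limit:
            findings.append((n, f"{verb} argument length {len(arg)} exceeds {limit}"))
        nxt = TRANSITIONS.get(state, {}).get(verb)
        if nxt is None:
            findings.append((n, f"{verb} not expected in state {state}"))
            continue
        state = nxt
    return state, findings


# Constructed sessions: a normal one, one with commands out of order, and one
# with an argument far longer than any reasonable address.
BENIGN = [
    "EHLO mail.example.org",
    "MAIL FROM:<alice@example.org>",
    "RCPT TO:<bob@example.com>",
    "DATA",
]
OUT_OF_ORDER = [
    "EHLO mail.example.org",
    "RCPT TO:<bob@example.com>",        # RCPT before MAIL
    "MAIL FROM:<alice@example.org>",
]
OVERLONG = [
    "EHLO mail.example.org",
    "MAIL FROM:<" + "a" * 300 + "@example.org>",
]

if __name__ == "__main__":
    for name, session in [("benign", BENIGN), ("out-of-order", OUT_OF_ORDER), ("overlong", OVERLONG)]:
        state, findings = analyze_session(session)
        print(f"{name}: final state {state}, findings {findings}")
```

A production analyzer would also track the server's replies (so that a `DATA` is only expected after a `354` response) and the authenticators exchanged per session; the point here is that the verdict comes from the protocol model, not from any signature of a specific attack.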
Intrusion Detection Systems
Network-Based IDPS
Wireless IDPS
Network Behavior Analysis (NBA)
Host-Based IDPS
Intrusion Detection Systems: Components
Sensors / Monitors: used for network activity monitoring
Agent: used for host-based IDPS
Management Server: centralized component that receives data from agents and monitors
  Performs correlation: matching event information from different monitors
Database server: repository for previously recorded event information
Console: interface for the IDPS
Network Monitors
Deployment depends on monitoring zones:
  Perimeter: external firewall through boundary router to the Internet
  DMZ
  Wireless
  Intranet(s)
Network Monitors
Data Collection Tools:
  Hubs
  SPAN (Switched Port Analyzer)
  TAPs (Test Access Port)
  Inline devices
Network Monitors
Sensor Management: Console access
  Hard to manage
In-band remote access
  Potential for loss of data confidentiality
  Not functioning during a successful DoS attack
Virtual LAN
  Potential for loss of data confidentiality
  Not functioning during a successful DoS attack
Out-of-band remote access, e.g. modem
Intrusion Detection Systems: Network Security Capabilities
Information gathering:
  OS identification of hosts
  General characteristics of networks
Logging:
  To confirm alerts
  To investigate incidents
  To correlate events with other sources
  Logs need to be protected against an attacker
  Need to deal with clock drift
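An added example (not course code) of why the last two logging points matter: correlating events from different monitors only works after each sensor's clock error has been corrected. The two log lines per source are constructed; the sensor `dmz-ids` is assumed to have been measured (against the NTP reference) to run 90 seconds fast. With that offset subtracted, its alert lands five seconds after the firewall's accept for the same source and the two are correlated; with raw timestamps they are 95 seconds apart and a 60-second window misses the match. The log format, sensor names and field names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log lines from two monitors, each stamped with its own clock.
# Assumed format: "<ISO-8601 UTC time> <sensor> <free text with key=value pairs>".
LOG_LINES = [
    "2015-12-19T10:00:05Z fw accept src=203.0.113.7 dst=192.0.2.10 dport=21",
    "2015-12-19T10:01:40Z dmz-ids alert src=203.0.113.7 sig=FTP_LOGIN_BRUTE_FORCE",
    "2015-12-19T10:20:00Z fw accept src=198.51.100.9 dst=192.0.2.10 dport=443",
    "2015-12-19T10:35:00Z dmz-ids alert src=198.51.100.9 sig=PORT_SCAN",
]

# Constructed: measured clock error of each sensor relative to the reference
# clock. A positive offset means the sensor's clock runs fast.
CLOCK_OFFSET = {"fw": timedelta(0), "dmz-ids": timedelta(seconds=90)}

SRC_RE = re.compile(r"\bsrc=(\S+)")


def parse_line(line, apply_offsets=True):
    """Return (corrected UTC time, sensor, source IP or None, raw line)."""
    ts, sensor, rest = line.split(" ", 2)
    t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if apply_offsets:
        t -= CLOCK_OFFSET.get(sensor, timedelta(0))
    m = SRC_RE.search(rest)
    return t, sensor, (m.group(1) if m else None), line


def correlate(lines, window_seconds=60, apply_offsets=True):
    """Sources reported by two different sensors within the window.

    Returns (src, earlier line, later line) triples. Events are grouped by
    source address, sorted by corrected time, and compared pairwise; only
    pairs from different sensors count as corroboration.
    """
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line, apply_offsets)
        if rec[2] is not None:
            by_src[rec[2]].append(rec)
    window = timedelta(seconds=window_seconds)
    hits = []
    for src, recs in by_src.items():
        recs.sort()
        for i, a in enumerate(recs):
            for b in recs[i + 1:]:
                if b[0] - a[0] > window:
                    break               # later records are even further away
                if a[1] != b[1]:
                    hits.append((src, a[3], b[3]))
    return hits


if __name__ == "__main__":
    print("with clock correction:", correlate(LOG_LINES))
    print("raw timestamps:      ", correlate(LOG_LINES, apply_offsets=False))
```

The offset table is the part to protect: if an attacker can alter a sensor's clock or its logs, the correlation quietly stops working, which is why the slide lists protecting logs against an attacker next to clock drift.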
Intrusion Detection Systems: Network Security Capabilities
Detection capabilities: typically require tuning and customization
  Thresholds
  Blacklists and whitelists
  Alert settings
  IDPS code viewing and editing
Prevention capabilities: vary with technology / field
Intrusion Detection Systems: Management: Implementation
Architecture design:
  Placement of sensors
  Reliability of sensors
  Location of other components
  System interfaces:
    Systems to which the IDPS provides data
    Systems which the IDPS resets for prevention
    Systems that manage IDPS components: patch management software, network management software
Intrusion Detection Systems: Management: Implementation
Component testing and deployment:
  Consider deployment in a test environment, e.g. to prevent a surge of false positives
  IDPS deployment usually interrupts networks or systems for component installation
  Configuration is typically a major effort
Intrusion Detection Systems: Management: Implementation
Securing IDPS components: IDPS are often targeted by attackers
  Because of their effects on security
  Because of the sensitive data collected by the IDPS
System hardening:
  Usual means
  Separate accounts for each IDPS user and administrator
  Configure firewalls, routers, etc. to limit direct access to IDPS components
  Protect IDPS management communication: physically, logically (encryption, strong authentication)
Intrusion Detection Systems: Management: Operations and Maintenance
Typically GUI, but sometimes command lines
Typical capabilities:
  Drill down
  Reporting functions
  Database open to scripted searches
Need for ongoing solution maintenance:
  Monitor IDPS components for operational and security issues
  Periodic test of proper functioning
  Regular vulnerability assessments
  Receipt of notifications of security problems from the vendor
  Receipt of notifications for updates
Intrusion Detection Systems: Management: Operations and Maintenance
Acquiring and applying updates:
  Of signature files
  Of IDPS software components
Intrusion Detection Systems: Management: Building and maintaining personnel skills
  Basic security training
  Vendor training
  Product documentation
  Technical support
  Professional services (consulting by vendors)
  User communities
Network Based IDPS
Typical components:
  Appliance: specialized hardware and sensor software / firmware
  Host-based: only software
Network Based IDPS: Architecture and Sensor Locations: Inline
All traffic monitored must pass through it
Typically placed where firewalls etc. would be placed
  Either hybrid devices, or placed on the more secure side
Network Based IDPS: Architecture and Sensor Locations: Passive
Monitors a copy of actual network traffic
  Spanning port
  Network tap
  IDS load balancer:
    Receives copies of traffic from several sensors
    Aggregates traffic from different networks
    Distributes copies to one or more listening devices
Typically not capable of prevention
Network Based IDPS
Typical detection capabilities: Application layer reconnaissance and attacks
Typically analyze several dozen application protocols
Detect:
  Banner grabbing
  Buffer overflows
  Format string attacks
  Password guessing
  Malware transmission
Network Based IDPS
Typical detection capabilities: Transport layer reconnaissance and attacks
Detects:
  Port scanning
  Unusual packet fragmentation
  SYN floods
Network layer reconnaissance and attacks
Detects:
  Spoofed IP addresses
  Illegal IP header values
Network Based IDPS
Typical detection capabilities: Unexpected application services
Detects:
  Tunneled protocols
  Backdoors
  Hosts running unauthorized application services
Uses:
  Stateful protocol analysis
  Anomaly detection
Policy violations
Detects:
  Use of inappropriate Web sites
  Use of forbidden application protocols
Network Based IDPS
Detection accuracy: high degree of false positives and false negatives
Difficulty based on:
  Complexity of activities monitored
  Different interpretation of the meaning of traffic between the IDPS sensor and the client / server
Cannot deal with encrypted network traffic: VPN, HTTP over SSL, SSH
Have limited capacity:
  Number of connections
  Depth of analysis
  Longevity of connections
Network Based IDPS
Attacks on network-based IDPS:
  DDoS attacks generate unusually large volumes of traffic
  Generate loads of anomalous traffic to exhaust IDPS resources
  Blinding: generates many IDPS alerts; the real attack is separate, but contemporary
Network Based IDPS
Prevention capabilities:
  Passive sensors only: ending the current TCP session
    Session sniping: sending resets to both partners
  Inline only:
    Perform inline firewalling
    Throttle bandwidth usage
    Alter malicious content
  Both passive and inline:
    Reconfigure other network security devices
    Run a third-party program or script
Wireless IDPS
Wireless attacks typically require proximity to access points or stations
  Typically need access to the radio link between stations and access points
Many WLANs are configured with no or weak authentication
Wireless IDPS
Components: same as for network-based IDPS
  Consoles
  Database servers
  Management servers
  Sensors: these function differently than for wired IDPS
    Need to monitor two bands (2.4 GHz and 5 GHz), divided into channels
    A sensor only monitors a single channel at a time
    Channel scanning (monitor a channel for seconds at most)
Wireless IDPS
Wireless sensors:
  Dedicated sensors: typically completely passive; fixed or mobile
  Bundled with an access point
  Bundled with a wireless switch
  Host-based IDPS sensor to be installed on a station
Wireless IDPS
Sensor locations:
  Physical security: often deployed in open locations because of greater range than in closed locations
  Sensor range
  Cost
  AP and wireless switch locations: consider bundling or collocation
Wireless IDPS
Security capabilities: Information gathering
  Identifying WLAN devices: typically based on SSIDs and MAC addresses
  Identifying WLANs: keep track of observed WLANs identified by SSID
  Logging capability
Wireless IDPS
Security capabilities: Detection capability
Events:
  Unauthorized WLANs and WLAN devices
  Poorly secured WLAN devices, e.g. a station is using WEP instead of WPA2
  Unusual usage patterns
  The use of (active) wireless network scanners
  Denial of service (DoS) attacks and conditions
  Impersonation and man-in-the-middle attacks
Wireless IDPS
Detection accuracy: usually quite high due to limited scope
Tuning and customization:
  Specify authorized WLANs, access points, stations
  Set thresholds for anomaly detection
  Some use blacklists and whitelists
Wireless IDPS
Wireless IDPS cannot detect:
  An attacker passively monitoring traffic
  Attackers with evasion techniques:
    Attacker can identify the IDPS product (physical survey, fingerprinting by prevention actions)
    Attacker takes advantage of the product’s channel scanning scheme
      Short bursts of attack packets on channels not currently monitored
      Attack on two channels at the same time
Wireless IDPS
Attacks on wireless IDPS:
  Same DDoS techniques
  Physical attacks
  Jamming
Wireless IDPS
Prevention capabilities:
  Wireless prevention: terminate connections between rogue or misconfigured stations and rogue or misconfigured access points
    Send discontinue messages to endpoints
  Wired prevention: block network activity involving a particular station or access point
Network Behavior Analysis (NBA)
Examines Network traffic or Statistics on network traffic
Identifies unusual traffic flows
Host Based IDPS
Monitors a single host and events occurring within that host:
  Wired network traffic
  Wireless network traffic
  System logs
  Running processes
  File access and modification
  System and application configuration changes
Host Based IDPS
Components and architectures: Agents (typically detection software)
  Monitor activity on a single host
  Transmit data to management servers
  Agents can be implemented as dedicated appliances
  Monitors: servers, clients, an application service (application-based IDPS)
Host Based IDPS
Agent locations: commonly deployed to critical hosts, but could be on a majority of systems, including laptops and desktops
Host Based IDPS
Host architecture: agents often alter the internal architecture of hosts
  Done by a shim: a layer of code placed between existing layers of code
  The shim intercepts data when it is passed between different layers
  The shim analyzes the data and determines whether the data is allowed or not
Host Based IDPS
Security capabilities: Logging, Detection
Code analysis:
  Code behavior analysis in a sandbox
  Buffer overflow detection through detecting tell-tale sequences of instructions or memory accesses
  System call monitoring: keylogger, COM object loading, driver loading
  Application and library lists
Host Based IDPS
Security capabilities: Detection
Network traffic analysis: basically the same as a network or wireless IDPS would do
Network traffic filtering: host-based IDPS contains a host-based firewall
File system monitoring:
  File integrity checking
  File attribute checking
  File access attempts
Log analysis of OS and application logs
Network configuration monitoring
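File integrity and attribute checking, as an added example rather than code from the course: a baseline of content hashes and attributes is recorded for every regular file under a root, a later scan is compared with it, and the result separates files that were added, removed and modified (any change to content, size, permission bits or owner counts). `run_demo()` builds a constructed miniature file tree in a temporary directory, takes the baseline, then simulates the changes a host-based agent is meant to notice: a binary whose content changed, a file whose permissions were loosened, a new file, and a deleted file. The file names are constructed and carry no meaning beyond the example.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Content hash plus the attributes a file-integrity checker usually records."""
    st = path.lstat()
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid}


def build_baseline(root: Path) -> dict:
    """Map of relative path -> fingerprint for every regular file under root."""
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}


def compare(baseline: dict, current: dict) -> dict:
    """Added, removed and modified paths between two scans; any attribute change counts."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def run_demo() -> dict:
    """Constructed scenario: baseline a tiny tree, change it, report the differences."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "shadow").write_text("root:*:16788:0:99999:7:::\n")
        os.chmod(root / "etc" / "shadow", 0o600)
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed stub")
        baseline = build_baseline(root)

        # Changes an agent should flag: modified content, loosened permissions,
        # an unexpected new file, and a removed file.
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed stub, altered")
        os.chmod(root / "etc" / "shadow", 0o644)
        (root / "bin" / "newtool").write_bytes(b"\x7fELF constructed stub 2")
        (root / "etc" / "passwd").unlink()
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}: {paths}")
```

In a real deployment the baseline must be stored and signed somewhere the monitored host cannot write to, otherwise an intruder with the privileges to replace a binary also has the privileges to rebaseline it; that is one instance of the slide's point that IDPS components are themselves targets.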
Host Based IDPS
Technology limits:
  Alert generation delays
  Centralized reporting delays
  Host resource usage
  Conflicts with existing security controls
  Rebooting hosts to update the IDPS
Host Based IDPS
Prevention capabilities:
  Code analysis
  Network traffic analysis
  Network traffic filtering
  File system monitoring
  Removable media restrictions
  Audio-visual device monitoring
  Automatic host hardening
  Process status monitoring
  Network traffic sanitization