Distributed IDS - PowerPoint PPT Presentation

Slides: 28
Provided by: dar135
1
Distributed IDS
  • The implementation of a Distributed Intrusion
    Detection System over a medium scale open network
    where the focus is availability of services.
  • Darian Jenik - Network Management
  • Queensland University of Technology

2
What we hope to achieve
  • Learn about the nature of traffic flowing on the
    network.
  • Catch attempts to compromise host security.
  • Detect compromised hosts on the network.
  • Discover holes and incorrect configurations on
    existing services.
  • Take a proactive rather than reactive approach to
    dealing with security issues.

3
What IDS is not
  • IDS is NOT security.
  • For security you need:
  • A good security policy that is both documented and
    adhered to.
  • Good security practice by system administrators.
  • Hardened perimeter firewalls and DMZ firewalls.
  • IDS is not a product.
  • IDS is not a sensor.

4
What Information can it provide
  • Denials, scans, vulnerable services, etc.
  • Other input sources (Tripwire, syslog,
    firewall)
  • Cross-referencing lets individual events that seem
    innocent on their own take on more meaning in context.

5
Where do we put the sensor
  • Traditionally gateway(s)
  • Port mirroring? (50 data cabinets)
  • Preferably everywhere
  • This would normally be costly, but open source
    makes it possible.

6
The scale of the problem
  • Approximately 10000 hosts
  • 100 web servers
  • 300 servers of other type
  • Students
  • System Administrators
  • IAS

7
The scale of the problem - simplified
8
The scale of the problem contd..
Diagram: Servers and User hosts connected through three gateways (GW); two paths marked "Bad!!"
9
The scale of the problem contd..
Diagram: same Servers / GW / User hosts topology; two paths marked "Worse!!"
10
The scale of the problem contd..
Diagram: same Servers / GW / User hosts topology
11
The scale of the problem contd..
Diagram: same Servers / GW / User hosts topology
12
Dealing with the volume of information
  • Manually examine each incident (initially).
  • Classify incidents and build up a database of
    false positives.
  • Use the SQL database to look for patterns and
    repeats.

13
IDS should perform the following tasks
  • Detect known violations of host integrity by
    passively watching network traffic.
  • Respond to attempted violations by blocking
    external IP addresses.
  • Respond to probes from outside by blocking
    external IP addresses.
  • Find and report usage inconsistencies that
    indicate account/quota theft.
  • Detect violations by monitoring published
    content (web pages etc.).
  • Help log and establish traffic/host usage
    patterns for future reference and comparison.

14
Respond to attempted violations by blocking
external IP addresses.
  • Make sure the IDS is able to respond and send
    commands to firewalls and/or hosts.
  • IDS sends RST packets to both ends of the
    connection.
  • IDS is able to insert rules into border firewall.

15
Respond to probes from outside by blocking
external IP addresses.
  • Attempts to connect to ports on servers where no
    service is enabled.
  • Set aside "flypaper" IP addresses that have never
    been used for anything; any traffic to them picks
    up slow probes.
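Slides 13 to 15 describe the response side: send RSTs to both ends of an offending session, insert a deny rule at the border firewall, and treat any traffic to an unused "flypaper" address as a probe. The following is an added example, not code from the presentation, from Snort or from Guardian: a small Python responder that applies those rules together with the safeguards an automatic blocker needs. The never-block list matters because the source address in a packet is unverified; an attacker who knows a site auto-blocks can spoof the upstream gateway or DNS server address and have it denied at the border. The address ranges, thresholds, action strings and the ipchains command form are assumptions for illustration.

```python
"""Active-response policy for a Snort-style sensor.  Added example, not the
presentation's or Snort's code: addresses, thresholds and the ipchains
command form are assumptions for illustration."""
import ipaddress
from collections import defaultdict

# Assumed campus range plus addresses that must never be blocked even if an
# alert names them: a source address is unverified, and an attacker who knows
# the site auto-blocks can spoof the upstream gateway or DNS server to get it
# denied at the border.
HOME_NET = ipaddress.ip_network("131.181.0.0/16")
NEVER_BLOCK = {ipaddress.ip_address(a)
               for a in ("131.181.0.1", "131.181.0.53", "203.0.113.1")}
# "Flypaper" addresses: routed to the campus but never assigned to a host,
# so any packet sent to them is a probe.
FLYPAPER = {ipaddress.ip_address(a) for a in ("131.181.250.10", "131.181.250.11")}
PROBE_THRESHOLD = 3   # distinct closed ports hit before a slow scanner is blocked
BLOCK_TTL = 3600      # seconds a DENY rule stays in place before it is removed


class Responder:
    def __init__(self, now=0):
        self.now = now
        self.blocked = {}                          # src address -> expiry time
        self.closed_port_hits = defaultdict(set)   # src address -> {dst ports}

    def tick(self, now):
        """Advance the clock; return the commands that lift expired blocks."""
        self.now = now
        expired = [ip for ip, t in self.blocked.items() if t <= now]
        for ip in expired:
            del self.blocked[ip]
        return [f"ipchains -D input -s {ip} -j DENY" for ip in expired]

    def _block(self, src):
        self.blocked[src] = self.now + BLOCK_TTL
        return f"ipchains -I input -s {src} -j DENY"

    def handle(self, src, dst, dport, kind):
        """Return the list of actions for one event.  kind is 'exploit' (a
        signature matched), 'closed_port' (SYN to a port with no service) or
        'connect' (any other traffic, used for flypaper addresses)."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src in HOME_NET or src in NEVER_BLOCK:
            return ["log-only: internal or protected source"]
        if src in self.blocked:
            return []                              # already denied at the border
        actions = []
        if kind == "exploit":
            # FlexResp-style: tear down the session at both ends, then deny.
            actions.append(f"rst both ends {src}->{dst}:{dport}")
            actions.append(self._block(src))
        elif dst in FLYPAPER:
            actions.append(self._block(src))       # nobody has a reason to be here
        elif kind == "closed_port":
            hits = self.closed_port_hits[src]
            hits.add(dport)
            if len(hits) >= PROBE_THRESHOLD:
                actions.append(self._block(src))
        return actions
```

The expiry in tick() is the piece most often left out of quick Guardian-style scripts: without it the border rule set grows with every probe ever seen, and a legitimate address that was once spoofed stays blocked forever.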

16
Supporting information sources that can be fed
into the database.
  • Central syslog collection and analysis.
  • Tripwire
  • Nmap database
  • Performance and Usage analysis.
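Slides 4, 12 and 16 describe feeding Snort alerts, syslog and firewall logs into one SQL database, classifying false positives after manual review, and cross-referencing so that a lone innocent-looking event gains meaning. The example below is added here and is not the presentation's code or Snort's own database code. It parses Snort's fast-alert line format and two constructed log formats, loads them into an in-memory SQLite database with a simplified Snort-like schema, and runs the two queries the slides call for. The sample alert, syslog and ipchains-style deny lines, the local rule SID 1000001, the false-positive entry and the table layout are all constructed for this example.

```python
"""Snort alerts + syslog + firewall denies in one SQL database.  Added example,
not the presentation's code; all sample lines below are constructed."""
import re
import sqlite3

# Constructed Snort "-A fast" alert lines (SID 1000001 is a made-up local rule).
SNORT_ALERTS = """\
03/15-02:14:01.000000  [**] [1:1421:2] SNMP AgentX/tcp request [**] [Priority: 2] {TCP} 198.51.100.7:3456 -> 131.181.10.5:705
03/15-02:14:05.000000  [**] [1:1421:2] SNMP AgentX/tcp request [**] [Priority: 2] {TCP} 198.51.100.7:3457 -> 131.181.10.6:705
03/15-02:15:00.000000  [**] [1:469:1] ICMP PING NMAP [**] [Priority: 3] {ICMP} 198.51.100.7 -> 131.181.10.7
03/15-03:00:00.000000  [**] [1:384:2] ICMP PING [**] [Priority: 3] {ICMP} 131.181.0.9 -> 131.181.10.5
03/15-03:10:00.000000  [**] [1:384:2] ICMP PING [**] [Priority: 3] {ICMP} 131.181.0.9 -> 131.181.10.6
03/15-04:20:00.000000  [**] [1:1000001:1] LOCAL telnet login attempt [**] [Priority: 2] {TCP} 203.0.113.44:40000 -> 131.181.10.8:23
"""
# Constructed central-syslog lines and ipchains-style kernel deny lines.
SYSLOG = """\
Mar 15 04:19:50 webhost sshd[812]: Failed password for root from 203.0.113.44 port 40010 ssh2
Mar 15 04:19:55 webhost sshd[812]: Failed password for root from 203.0.113.44 port 40011 ssh2
Mar 15 03:00:05 netmon cron[77]: (root) CMD (/usr/local/bin/pingsweep)
"""
FIREWALL = """\
Mar 15 02:14:09 border kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:3458 131.181.10.9:139 L=44 S=0x00 I=1 F=0x0000 T=51 SYN
Mar 15 02:14:10 border kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:3459 131.181.10.9:445 L=44 S=0x00 I=2 F=0x0000 T=51 SYN
Mar 15 05:30:00 border kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.77:1025 131.181.10.9:445 L=44 S=0x00 I=3 F=0x0000 T=120 SYN
"""
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$")
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>\S+?)\[\d+\]: (?P<msg>.*)$")
AUTH_FAIL_RE = re.compile(r"Failed password for \S+ from (?P<src>[\d.]+)")
FW_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: input DENY \S+ PROTO=(?P<proto>\d+) "
                   r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)")

# False positives classified after manual review (slide 12): signature + source.
FALSE_POSITIVES = [(384, "131.181.0.9", "netmon host pings every server from cron")]

SCHEMA = """
CREATE TABLE event(cid INTEGER PRIMARY KEY, ts TEXT, sid INTEGER, sig_name TEXT,
                   ip_src TEXT, ip_dst TEXT, dport INTEGER);
CREATE TABLE false_positive(sid INTEGER, ip_src TEXT, reason TEXT);
CREATE TABLE fw_deny(ts TEXT, ip_src TEXT, ip_dst TEXT, dport INTEGER);
CREATE TABLE auth_fail(ts TEXT, host TEXT, ip_src TEXT);
"""


def build_db():
    """Parse the three constructed sources into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for line in SNORT_ALERTS.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue   # in production: count unparsed lines, never drop them silently
        conn.execute("INSERT INTO event(ts, sid, sig_name, ip_src, ip_dst, dport) VALUES (?,?,?,?,?,?)",
                     (m["ts"], int(m["sid"]), m["msg"], m["src"], m["dst"],
                      int(m["dport"]) if m["dport"] else None))
    for line in SYSLOG.splitlines():
        m = SYSLOG_RE.match(line)
        f = AUTH_FAIL_RE.search(m["msg"]) if m else None
        if f:
            conn.execute("INSERT INTO auth_fail VALUES (?,?,?)", (m["ts"], m["host"], f["src"]))
    for line in FIREWALL.splitlines():
        m = FW_RE.match(line)
        if m:
            conn.execute("INSERT INTO fw_deny VALUES (?,?,?,?)", (m["ts"], m["src"], m["dst"], int(m["dport"])))
    conn.executemany("INSERT INTO false_positive VALUES (?,?,?)", FALSE_POSITIVES)
    conn.commit()
    return conn


def repeat_offenders(conn, min_events=2):
    """Sources with repeated alerts, after removing classified false positives."""
    return conn.execute("""
        SELECT ip_src, COUNT(*) AS n, COUNT(DISTINCT sid) AS sigs
        FROM event e
        WHERE NOT EXISTS (SELECT 1 FROM false_positive f
                          WHERE f.sid = e.sid AND f.ip_src = e.ip_src)
        GROUP BY ip_src HAVING COUNT(*) >= ?
        ORDER BY n DESC, ip_src""", (min_events,)).fetchall()


def corroborated_sources(conn):
    """Sources seen by at least two independent inputs (IDS, firewall, syslog):
    a single innocent-looking event takes on meaning in this context."""
    return conn.execute("""
        SELECT ip_src, SUM(snort), SUM(fw), SUM(auth) FROM (
            SELECT ip_src, 1 AS snort, 0 AS fw, 0 AS auth FROM event
            UNION ALL SELECT ip_src, 0, 1, 0 FROM fw_deny
            UNION ALL SELECT ip_src, 0, 0, 1 FROM auth_fail)
        GROUP BY ip_src
        HAVING (SUM(snort) > 0) + (SUM(fw) > 0) + (SUM(auth) > 0) >= 2
        ORDER BY ip_src""").fetchall()
```

On the constructed data, repeat_offenders() returns only 198.51.100.7: the monitoring host's pings are suppressed by the false-positive table rather than by deleting its alerts, so the record of what it did survives. corroborated_sources() also surfaces 203.0.113.44, whose single priority-2 Snort alert looks unremarkable until the ssh failures in syslog from the same address are placed beside it.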

17
  • Open Source
  • Just about any platform (including Windows).
  • Many plugins and external modules.
  • Frequent rule updates.

18
Snort Plugins
  • Databases: MySQL, Oracle, PostgreSQL, unixODBC
  • Spade (Statistical Packet Anomaly Detection
    Engine)
  • FlexResp (session response/closing)
  • XML output
  • TCP stream reassembly (reassembles streams,
    including ones sent one byte at a time)

19
Snort Add-ons
  • ACID (Analysis Console for Intrusion Databases) -
    PHP
  • Guardian - ipchains rule modifier (Girr
    remover)
  • SnortSnarf - HTML reports
  • Snortlog - syslog output
  • Ruleset retrieve - automatic rule updater
  • Snorticus - central multi-sensor manager shell
  • LogSnorter - adds syslog information to the Snort
    SQL database
  • A few win32 bits and pieces.

20
Snort + ACID
  • ACID is a CERT project.
  • Pretty simple PHP front end to MySQL.
  • Quite customizable.
  • Simple GUI for casual browsing.

21
  • Main Console

22
  • Individual alerts

23
  • Securityfocus
  • Whitehats
  • CVE

24
  • Rule details

25
  • Incident details

26
  • Incident Details

27
URLS
  • http://www.snort.org
  • http://www.cert.org/kb/acid/
  • http://www.whitehats.com (intrusion signature data)
  • http://www.securityfocus.com (intrusion signature data)
  • http://cve.mitre.org/ (intrusion signature data)
  • http://www.psionic.com/ (logcheck, hostsentry)