Network Intrusion Detection - PowerPoint PPT Presentation

Provided by: davidl145

1
Network Intrusion Detection
  • David LaPorte
  • david_laporte@harvard.edu

2
Topics
  • What is IDS?
  • HIDS v. NIDS
  • Signatures
  • Active Response / IPS
  • NIDS on the Cheap
  • Additional Resources

3
What is IDS?
"the art of detecting inappropriate, incorrect, or
anomalous activity. ID systems that operate on a
host to detect malicious activity on that host
are called host-based ID systems, and ID systems
that operate on network data flows are called
network-based ID systems."
http://www.sans.org/newlook/resources/IDFAQ/what_is_ID.htm
4
HIDS v. NIDS
  • Defense in depth, layered security
  • HIDS
  • Typically software installed on a system
  • Agent-based
  • Monitors multiple data sources, including file
    system meta-data, log files
  • Wrapper-based
  • Acts like a firewall: denies or accepts
    connections or logins based on defined policy

5
HIDS v. NIDS
  • NIDS
  • Monitors traffic on a network
  • Reports on traffic not considered normal
  • Anomaly-based
  • Packet sizes, destinations, protocol
    distributions, etc
  • Hard to determine what normal traffic looks
    like
  • Signature-based
  • Most products use signature-based technologies

6
Signature-based NIDS
  • Signature-based
  • Matches header fields, port numbers, content
  • Network grep
  • Advantages
  • No learning curve
  • Works out-of-box for well known attacks
  • Snort has 1900 signatures
  • Dragon has 1700 signatures
  • Disadvantages
  • New attacks cannot be detected
  • False positives
  • Maintenance/tweaking
  • Not very hard to evade
  • Stateless, lacks thresholding

7
Signatures
  • T A A S 10 20 6668 IRC:XDCC /5Bxdcc/5Dslt
    (Dragon signature line; /5B and /5D are hex
    escapes for the "[" and "]" bytes)
  • SEARCH STRING
  • EVENT NAME
  • PORT
  • COMPARE BYTES
  • DYNAMIC LOG
  • BINARY OR STRING
  • PROTECTED NETWORKS
  • DIRECTION
  • PROTOCOL
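To make the "network grep" idea concrete, here is an added example (not Dragon's code and not from the slides) that parses the signature line above and applies it to a few constructed packets. The positional field order, the meaning of T = TCP, the idea that COMPARE BYTES limits inspection to the first N payload bytes, and case-insensitive matching for S (string) signatures are all assumptions made for this example; the only thing taken from the slide is the signature line itself.

```python
import re

# Signature line copied from the slide (Dragon format).  The field order
# used by parse_signature() is an ASSUMPTION drawn from the labels on the
# slide; consult the Dragon documentation for the authoritative layout.
SIGNATURE_LINE = "T A A S 10 20 6668 IRC:XDCC /5Bxdcc/5Dslt"

_HEX_ESCAPE = re.compile(rb"/([0-9A-Fa-f]{2})")


def decode_search_string(text):
    """Expand Dragon-style '/xx' hex escapes into raw bytes (/5B -> b'[')."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), text.encode("latin-1"))


def parse_signature(line):
    """Split one signature line into its fields (positional order is an assumption)."""
    proto, dyn_log, direction, kind, prot_net, cmp_bytes, port, event, search = line.split(None, 8)
    return {
        "protocol": proto,                 # assumed: T = TCP
        "dynamic_log": dyn_log,
        "direction": direction,
        "binary": kind == "B",             # S = string, B = binary
        "protected_networks": prot_net,
        "compare_bytes": int(cmp_bytes),   # assumed: inspect only this many payload bytes
        "port": int(port),
        "event": event,
        "search": decode_search_string(search),
    }


def matches(sig, packet):
    """Cheap header checks first (protocol, port), then content within the compare window."""
    if packet["proto"] != sig["protocol"] or packet["dport"] != sig["port"]:
        return False
    window = packet["payload"][: sig["compare_bytes"]]
    needle = sig["search"]
    if sig["binary"]:
        return needle in window
    return needle.lower() in window.lower()   # assumed: string sigs are case-insensitive


def scan(signatures, packets):
    """Return, for each packet, the list of event names that fired."""
    return [[s["event"] for s in signatures if matches(s, p)] for p in packets]


# Constructed sample packets (not captured traffic).
PACKETS = [
    {"proto": "T", "dport": 6668, "payload": b"NICK [XDCC]slt-0042\n"},       # fires
    {"proto": "T", "dport": 80,   "payload": b"NICK [xdcc]slt-0042\n"},       # wrong port: no event
    {"proto": "T", "dport": 6668, "payload": b"PRIVMSG #c :hi [xdcc]slt\n"},  # string starts past byte 20: missed
    {"proto": "T", "dport": 6668, "payload": b"NICK XDCCSLT-L482\n"},         # no brackets: the slide's NICK alone does not hit this string
]

if __name__ == "__main__":
    sig = parse_signature(SIGNATURE_LINE)
    for p, hits in zip(PACKETS, scan([sig], PACKETS)):
        print(p["payload"], "->", hits or "no event")
```

The third packet shows why a fixed compare-bytes window is both a performance win and an evasion surface: the same content a few bytes later in the payload is never examined. The fourth shows that a content string is only as good as the literal it carries; the NICK from the session on the next slide would need a different (or looser) string to match.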

8
Signatures
  • On the console
  • Time Dir Source Destination Proto Event Name
    Group Sensor Session Raw Data
  • 11:02 02Nov04 from 128.103.a.b:4295
    207.44.x.y:6667 tcp IRC:XDCC UNKNOWN ids5
  • 11:01 02Nov04 from 128.103.a.b:1141
    207.44.x.y:6667 tcp IRC:XDCC UNKNOWN ids5
  • 10:59 02Nov04 from 128.103.a.b:2582
    207.44.x.y:6667 tcp IRC:XDCC UNKNOWN ids5
  • 10:57 02Nov04 from 128.103.a.b:3341
    207.44.x.y:6667 tcp IRC:XDCC UNKNOWN ids5

9
  • NICK XDCCSLT-L482
  • USER b0b 32 . XDCC
  • MODE XDCCSLT-L482 i
  • NICK XDCCSLT-L482
  • USER b0b 32 . XDCC
  • MODE XDCCSLT-L482 i
  • NICK XDCCSLT-L482
  • USER b0b 32 . XDCC
  • MODE XDCCSLT-L482 i
  • snagged.wi.us.criten.net NOTICE AUTH
    Looking up your hostname...
  • snagged.wi.us.criten.net NOTICE AUTH Found
    your hostname, cached
  • snagged.wi.us.criten.net NOTICE AUTH
    Checking Ident
  • snagged.wi.us.criten.net 001 XDCCSLT-L482
    Welcome to the Criten IRC Network
    XDCCSLT-L482!b0b@jojo.harvard.edu
  • snagged.wi.us.criten.net 002 XDCCSLT-L482
    Your host is snagged.wi.us.criten.net@0.0.0.0,
    running version bahamut-1.4(34)
  • snagged.wi.us.criten.net 003 XDCCSLT-L482
    This server was created Fri Oct 18 2002 at
    12:49:34 CDT
  • snagged.wi.us.criten.net 004 XDCCSLT-L482
    snagged.wi.us.criten.net bahamut-1.4(34)
    oiwscrknfydaAbghe biklLmMnoprRstvc

10
NIDS Management
  • Correlation is key
  • Multiple sensors
  • Single data repository
  • Syslog
  • DBMS
  • Text files

11
NIDS Placement
  • Inside firewall
  • Limits false positives: cleaner data
  • Outside firewall
  • Shows overall interest
  • Need to collect all traffic
  • Switch port won't cut it
  • Hub
  • Switch SPAN port
  • Passive tap
  • Difficult on high-bandwidth links (>300Mbps)
  • Distribution devices (TopLayer, etc)
  • Hardware

12
NIDS Drawbacks
  • False Positives
  • LOTS of data
  • We generate 3-4GB of logs each day on a 250Mbps
    sustained link
  • Makes alerting difficult
  • Interoperability
  • ESM: Intellitactics, PentaSafe, etc.

13
NIDS - Drawbacks
  • Evasion
  • Packet fragmentation
  • Out of order, overlapping
  • Fragroute
  • Character encodings / padding
  • Unicode, mixed case, ../..s, \0s
  • OS stack behavior
  • A simple grep of a packet won't work
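Why a per-packet grep fails, and what the sensor has to do instead, in one added example (not from the presentation, not fragroute). It constructs a request delivered as out-of-order TCP segments with an overlapping retransmission, URL-encoding and mixed case, then contrasts a naive per-segment grep with reassembly plus normalisation before matching. The content string "../.." is the traversal pattern the slide lists; the "first"/"last" overlap policies stand in for the differing OS stack behaviours the slide mentions and are a simplification made here.

```python
import urllib.parse

SIGNATURE = "../.."   # directory-traversal content string from the slide's evasion list

# Constructed TCP segments as (sequence offset, bytes) in ARRIVAL order:
# the stream arrives out of order and the third segment overlaps bytes
# 13-14 of the first with different data.  The %2F encoding and mixed
# case are the padding/encoding tricks the slide describes.
SEGMENTS = [
    (15, b"%2F..%2Fetc/PASSWD HTTP/1.0\r\n"),
    (0,  b"GET /cgi-bin/.."),
    (13, b"XX"),
]


def naive_grep(segments):
    """Per-packet grep: looks for the literal signature in each segment on its own."""
    return any(SIGNATURE.encode() in data for _, data in segments)


def reassemble(segments, policy="first"):
    """Order segments by sequence number and resolve overlapping bytes.

    policy="first" keeps the bytes that arrived first; policy="last" lets a
    later segment overwrite them.  Real stacks differ on this, which is the
    ambiguity the slide lists under "OS stack behavior": a sensor must
    reassemble the way the protected host does, or it sees a different stream."""
    buf = {}
    for seq, data in segments:
        for i, b in enumerate(data):
            if policy == "first":
                buf.setdefault(seq + i, b)
            else:
                buf[seq + i] = b
    out = bytearray()
    offset = 0
    while offset in buf:          # stop at the first hole: stream still incomplete
        out.append(buf[offset])
        offset += 1
    return bytes(out)


def normalize(raw):
    """Undo the encodings an engine must see through before content matching."""
    text = raw.decode("latin-1").replace("\x00", "")   # drop NUL padding
    for _ in range(2):                                  # second pass catches one level of double-encoding
        text = urllib.parse.unquote(text)               # %2F -> '/', %2e -> '.'
    text = text.replace("\\", "/").lower()              # backslash separators, mixed case
    while "//" in text:
        text = text.replace("//", "/")                  # collapse repeated slashes
    while "/./" in text:
        text = text.replace("/./", "/")                 # drop "./" padding
    return text


def normalized_match(segments, policy="first"):
    """Reassemble, normalise, then match: what a per-packet grep cannot do."""
    return SIGNATURE in normalize(reassemble(segments, policy))


if __name__ == "__main__":
    print("naive per-packet grep      :", naive_grep(SEGMENTS))
    print("reassembled (first-wins)   :", reassemble(SEGMENTS))
    print("normalised match, first    :", normalized_match(SEGMENTS, "first"))
    print("normalised match, last     :", normalized_match(SEGMENTS, "last"))
```

The two policy results differ on the same packets: under "first" the request reads `../../etc/passwd`, under "last" it reads `xx/../etc/passwd`. Whichever the target host applies is the one the sensor has to apply, otherwise it either alerts on traffic the host never saw or stays silent on traffic it did.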

14
Active Response
  • NIDS is primarily a passive technology
  • Only monitors traffic
  • Doesn't sit in the data stream
  • Active response
  • aka sniping, flex response

15
Active Response
  • Several issues
  • Timing
  • By the time filters are applied, attack is
    complete
  • False alarms / spoofed traffic
  • Self-inflicted DOS
  • Lack of formatting standards
  • CVE, OPSEC

16
Intrusion Prevention
  • Place system in-line
  • Hardware
  • Redundancy
  • Acts as an IDS/Firewall hybrid
  • Hogwash

17
NIDS on the Cheap
  • So you want a NIDS?
  • Snort
  • Open-source NIDS
  • Quickly becoming the Apache of IDS
  • Runs on Windows and most Unix variants
  • MySQL
  • Open-source DBMS
  • ACID
  • Great web-based front-end for Snort/Mysql
  • A place to collect traffic
  • Your NIC is fine if you have only one machine
  • Use a hub if you've got a LAN

18
Additional Resources
  • Fragroute
  • http://monkey.org/~dugsong/fragroute/
  • Insertion, Evasion, and Denial of Service:
    Eluding Network Intrusion Detection
  • http://secinf.net/info/ids/idspaper/idspaper.html
  • HIDS Products
  • PortSentry
  • http://www.psionic.com/products/portsentry.html
  • Tripwire
  • http://www.tripwire.com/
  • AIDE
  • http://www.cs.tut.fi/~rammer/aide.html

19
Additional Resources
  • NIDS Products
  • Snort
  • http://www.snort.org
  • Dragon
  • http://www.enterasys.com/ids/
  • CiscoSecure IDS
  • ISS RealSecure
  • http://www.iss.net/products_services/enterprise_protection/rsnetwork/index.php
  • ACID
  • http://www.andrew.cmu.edu/~rdanyliw/snort/snortacid.html
  • Hogwash
  • http://hogwash.sourceforge.net/

20
Questions?