Intrusion Detection System - PowerPoint PPT Presentation

About This Presentation

Description:

Intrusion Detection System Alan TAM Program Committee, PISA Definition and Needs IDS = Intrusion Detection System Not firewall Content inspection Technology Signature ... – PowerPoint PPT presentation

Slides: 42
Provided by: pisaOrgHk

Transcript and Presenter's Notes

1
Intrusion Detection System
  • Alan TAM
  • Program Committee, PISA

2
Definition and Needs
  • IDS = Intrusion Detection System
  • Not firewall
  • Content inspection

3
Technology
  • Signature detection
  • Anomaly detection

4
General IDS Model
  • Sensor
  • Analyzer
  • Manager
  • Administrator
  • Operator

5
Basic Classification
  • NIDS - Network Based
  • e.g. Cisco Secure IDS, Axent NetProwler, Snort,
    ISS RealSecure Network Sensor, NAI CyberCop
    Monitor
  • HIDS - Host Based
  • e.g. Axent Intruder Alert, ISS RealSecure OS
    Sensor, Tripwire

6
Functional Classification
  • Packet capturing + pattern matching
  • Log parser
  • Host firewall
  • File integrity checker
  • Activity monitor

7
Deployment Tips (1)
  • Dual NIC
  • No TCP/IP binding
  • Network Performance
  • Security
  • NIC optimization settings
  • Promiscuous mode

8
Deployment Tips (2)
  • Locations
  • DMZ
  • In front of firewall
  • Behind firewall
  • Server segments
  • Power user segments

9
Deployment Tips (3)
  • Generic OS hardening optimization
  • TCP/IP services
  • NetBIOS services
  • File & directory permissions
  • Useless background process
  • Peripherals

10
Deployment Tips (4)
  • Miscellaneous
  • Automatic mass deployment of HIDS
  • Downtime against SLA
  • Tuning of false alarms
  • Do policy customization (no kidding)
  • Monitor log growth rate

11
Problem Scenarios (1)
  • Signature quality
  • False POSITIVES
  • False NEGATIVES
  • Threshold values
  • Duplicates elimination
  • Encrypted traffic
  • SSL, IPSEC & PPTP tunnels, PGP attachments

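The threshold and duplicate-elimination points above, worked through as an added example (not code from the deck): repeats of the same signature/source/destination inside a time window collapse into one counted record, and each signature reports only once its hypothetical threshold is reached. The alert stream and threshold table are constructed.

```python
# Constructed alert stream: (seconds, signature, source, destination).
# One noisy scanner fires the same signature repeatedly; one web probe fires once.
SAMPLE_ALERTS = [
    (0, "SCAN portscan", "10.0.0.5", "192.168.1.10"),
    (1, "SCAN portscan", "10.0.0.5", "192.168.1.10"),
    (2, "SCAN portscan", "10.0.0.5", "192.168.1.10"),
    (3, "WEB-CGI probe", "10.0.0.7", "192.168.1.20"),
    (70, "SCAN portscan", "10.0.0.5", "192.168.1.10"),
]

# Per-signature threshold values (hypothetical tuning): how many hits of the
# same (signature, src, dst) must land inside one window before it is reported.
# Signatures not listed report on the first hit.
THRESHOLDS = {"SCAN portscan": 3}

def suppress_duplicates(alerts, window=60):
    """Collapse repeats of one (signature, src, dst) seen within `window`
    seconds of the first occurrence into a single record carrying a count.
    Returns [(first_seen, signature, src, dst, count), ...] in time order."""
    merged = []
    open_window = {}          # key -> index in `merged` of the current window
    for ts, sig, src, dst in sorted(alerts):
        key = (sig, src, dst)
        idx = open_window.get(key)
        if idx is not None and ts - merged[idx][0] < window:
            first, _, _, _, n = merged[idx]
            merged[idx] = (first, sig, src, dst, n + 1)
        else:                 # first hit, or the previous window has expired
            open_window[key] = len(merged)
            merged.append((ts, sig, src, dst, 1))
    return merged

def apply_thresholds(merged, thresholds=THRESHOLDS):
    """Keep only windows whose count reached the signature's threshold.
    Anything below threshold is dropped: cutting false positives this way
    buys a false negative for slow, low-rate activity (see the 70 s hit)."""
    return [rec for rec in merged if rec[4] >= thresholds.get(rec[1], 1)]

def tune(alerts, window=60, thresholds=THRESHOLDS):
    """Duplicate elimination followed by thresholding."""
    return apply_thresholds(suppress_duplicates(alerts, window), thresholds)
```

Widening the window to 120 s folds the late hit into the first window instead, which is the trade-off the tuning slides ask you to make consciously.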
12
Problem Scenarios (2)
  • Switch instead of Hub
  • Collision domain
  • Port Spanning/Mirroring/Monitoring
  • Performance degradation
  • High speed network
  • Packet drop
  • DoS

13
How to choose an IDS (1)
  • Attack Signature
  • Quality
  • Update frequency
  • Update mechanism

14
How to choose an IDS (2)
  • Scalability
  • Traffic handling capacity
  • Shutdown mechanism
  • Supported platforms (HIDS)

15
How to choose an IDS (3)
  • Manageability
  • Examining log
  • Cross reference
  • Archiving
  • Centralized console

16
How to choose an IDS (4)
  • Hardware platform
  • Intel based
  • SPARC based

17
Response Actions (1)
  • Log
  • Header, significant application data
  • Raw packet
  • Alert
  • Console
  • Email
  • SNMP Traps

18
Response Actions (2)
  • Termination
  • TCP kill
  • Kernel drop
  • Third-party Integration
  • Firewall
  • Router

19
Response Actions (3)
  • User Script
  • Increase log level
  • Modem to Pager
  • Email to SMS
  • Redirect to Honey Pot

20
Previous Battlefield
  • IP defragmentation
  • TCP stream reassembly

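Why TCP stream reassembly was a battlefield, as an added example (not the deck's code): a content signature split across two out-of-order segments is invisible to a matcher that inspects packets one at a time, but found once the stream is rebuilt. The segments and the signature string are constructed; IP defragmentation follows the same idea with fragment offsets and is not shown.

```python
SIGNATURE = b"/cgi-bin/phf"   # constructed content signature

# Constructed segments of one TCP stream: (sequence number, payload),
# delivered out of order with the signature straddling the boundary.
SEGMENTS = [
    (1009, b"bin/phf HTTP/1.0\r\n\r\n"),
    (1000, b"GET /cgi-"),
]

def match_per_packet(segments, pattern):
    """Naive matcher: inspects every segment on its own."""
    return any(pattern in payload for _, payload in segments)

def reassemble(segments, isn):
    """Rebuild the byte stream starting at initial sequence number `isn`.
    Segments are ordered by sequence number; bytes already covered by an
    earlier segment are skipped (first copy wins, one of several policies
    real stacks use); processing stops at the first gap so that no data
    is invented for segments not yet seen."""
    data = bytearray()
    expected = isn
    for seq, payload in sorted(segments):
        if seq > expected:
            break                      # hole in the stream: wait for it
        skip = expected - seq          # overlap with data already taken
        if skip < len(payload):
            data += payload[skip:]
            expected = seq + len(payload)
    return bytes(data)

def match_stream(segments, isn, pattern):
    """Stream-aware matcher: reassemble first, then look for the pattern."""
    return pattern in reassemble(segments, isn)
```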
21
Today
  • IDS load balancing
  • Hardware IDS
  • ASIC IDS module in a Chassis
  • ASIC Switch appliance

22
Standards
  • CVE (Common Vulnerabilities and Exposures)
  • IDMEF (Intrusion Detection Message Exchange
    Format)

23
CVE (1)
  • Standardized name
  • Interoperability between tools
  • Tool comparison guidelines
  • CVE-Compatible
  • No. of signatures

24
(No Transcript)
25
CVE (2)
  • Version
  • As of August 2001: 20010507
  • Classification
  • CVE candidate (CAN-YYYY-XXXX)
  • CVE entry (CVE-YYYY-XXXX)

26
Data Sources
  • Security Focus - SecurityFocus.com weekly
    Newsletters (http://www.securityfocus.com/vdb)
  • Network Computing and the SANS Institute - weekly
    Security Alert Consensus
    (http://archives.neohapsis.com/archives/securityexpress/current/)
  • ISS - monthly Security Alert Summary
    (http://xforce.iss.net/alerts/summaries.php)
  • NIPC CyberNotes - biweekly issues
    (http://www.nipc.gov/cybernotes.htm)

27
Reference Source
28
Tips for using CVE
  • Do not use general terms (e.g. buffer overflow)
    to search
  • Use exact process name (e.g. sendmail)
  • Go to the references for Fix

29
IDWG
  • Intrusion Detection Working Group
  • Aims
  • Define data format
  • Define exchange procedure
  • Outputs
  • Requirement document
  • Common intrusion language specification
  • Framework document

30
IDMEF
  • Standard data format (using XML)
  • Interoperability
  • Typical deployments
  • Sensor to Manager
  • Database
  • Event correlation system
  • Centralized console

31
IDMEF Addressed Problems
  • Inherently heterogeneous information
  • Different sensor types
  • Different analyzer capabilities
  • Different operating systems
  • Different objectives of commercial vendors

32
Message Classes (1)
  • IDMEF-Message Class
  • Alert Class
  • ToolAlert
  • CorrelationAlert
  • OverflowAlert
  • Heartbeat Class

33
Message Classes (2)
  • Core Classes
  • Analyzer
  • Source
  • Target
  • Classification
  • Additional Data

34
Message Classes (3)
  • Time Class
  • CreateTime
  • DetectTime
  • AnalyzerTime

35
Message Classes (4)
  • Support Class
  • Node
  • User
  • Process
  • Service

36
Example
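An added IDMEF example, not the deck's own: a constructed IDMEF-Message using the Alert, Analyzer, Source, Target, Classification, Time and Support classes from the previous slides, reduced to the fields a centralized console or correlator keys on. Assumptions: element names and the namespace follow the later RFC 4765 text (the 2001 draft DTD differed in details), and the CVE reference is the page's placeholder pattern, not a real entry.

```python
import xml.etree.ElementTree as ET

# Constructed IDMEF alert; layout per RFC 4765 (assumption, see lead-in).
SAMPLE_IDMEF = """<IDMEF-Message xmlns="http://iana.org/idmef" version="1.0">
 <Alert messageid="constructed-0001">
  <Analyzer analyzerid="nids-dmz-1" model="example-sensor"/>
  <CreateTime ntpstamp="0xbc723b45.0xef449129">2001-08-01T10:01:25Z</CreateTime>
  <DetectTime ntpstamp="0xbc723b45.0xef449129">2001-08-01T10:01:25Z</DetectTime>
  <AnalyzerTime ntpstamp="0xbc723b46.0x00000000">2001-08-01T10:01:26Z</AnalyzerTime>
  <Source><Node><Address category="ipv4-addr"><address>192.0.2.50</address></Address></Node></Source>
  <Target>
   <Node><Address category="ipv4-addr"><address>192.0.2.10</address></Address></Node>
   <Service><port>80</port><protocol>tcp</protocol></Service>
  </Target>
  <Classification text="Example web server attack">
   <Reference origin="cve"><name>CVE-YYYY-XXXX</name><url>http://cve.mitre.org/cve</url></Reference>
  </Classification>
 </Alert>
</IDMEF-Message>"""

NS = {"i": "http://iana.org/idmef"}

def _text(elem, path):
    node = elem.find(path, NS)          # None when the sensor omitted the field
    return node.text if node is not None else None

def parse_idmef_alert(xml_text):
    """Reduce one IDMEF-Message to the fields a console or correlator keys on.
    Parse untrusted sensor output with a hardened parser (e.g. defusedxml)
    rather than the stdlib parser used here for brevity."""
    root = ET.fromstring(xml_text)
    alert = root.find("i:Alert", NS)
    if alert is None:                   # Heartbeat messages carry no Alert
        raise ValueError("not an Alert message")
    cls = alert.find("i:Classification", NS)
    return {
        "messageid": alert.get("messageid"),
        "analyzer": alert.find("i:Analyzer", NS).get("analyzerid"),
        "create_time": _text(alert, "i:CreateTime"),
        "detect_time": _text(alert, "i:DetectTime"),
        "analyzer_time": _text(alert, "i:AnalyzerTime"),
        "source": _text(alert, "i:Source/i:Node/i:Address/i:address"),
        "target": _text(alert, "i:Target/i:Node/i:Address/i:address"),
        "target_port": _text(alert, "i:Target/i:Service/i:port"),
        "protocol": _text(alert, "i:Target/i:Service/i:protocol"),
        "classification": cls.get("text"),
        # CVE names are what let alerts from different vendors' sensors be
        # cross-referenced (the CVE-compatibility point on the earlier slides).
        "cve": [r.text for r in cls.findall("i:Reference[@origin='cve']/i:name", NS)],
    }
```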
37
Summary
  • IDS Classification
  • IDS Deployment Considerations
  • How to choose an IDS
  • Industry standards

38
HKCERT/CC
  • Web - http://www.hongkongcert.org
  • Telephone - 2788 6060
  • Fax - 2190 9760
  • Email - infosecurity@hkpc.org

39
Reference
  • http://cve.mitre.org/cve
  • http://www.silicondefense.com/idwg/
  • http://www.securityfocus.com/

40
Thank You
  • For suggestions and corrections, please send
    email to
  • alan.tam@pisa.org.hk
  • or
  • alantam@hk.is-one.net

41
Discussion
  • SLA - cannot stop service immediately
  • Switch to standby system if possible
  • Contingency planning
  • Trace the source & track its activity