Intrusion Detection - PowerPoint PPT Presentation

Slides: 47
Provided by: anned176
1
Intrusion Detection
2
Learning Objectives
  • Explain what intrusion detection systems are and
    identify some major characteristics of intrusion
    detection products
  • Detail the differences between host-based and
    network-based intrusion detection
  • Identify active detection and passive detection
    features of both host- and network-based IDS
    products

continued
3
Learning Objectives
  • Explain what honeypots are and how they are
    employed to increase network security
  • Clarify the role of security incident response
    teams in the organization

4
Intrusion Detection System (IDS)
  • Detects malicious activity in computer systems
  • Identifies and stops attacks in progress
  • Conducts forensic analysis once attack is over

5
The Value of IDS
  • Monitors network resources to detect intrusions
    and attacks that were not stopped by preventative
    techniques (firewalls, packet-filtering routers,
    proxy servers)
  • Expands available options to manage risk from
    threats and vulnerabilities

6
Negatives and Positives
  • IDS must correctly identify intrusions and
    attacks
  • True positives
  • True negatives
  • False negatives
    • IDS missed an attack
  • False positives
    • Benign activity reported as malicious

7
Dealing with False Negatives and False Positives
  • False negatives
    • Obtain more coverage by using a combination of
      network-based and host-based IDS
    • Deploy NIDS at multiple strategic locations in
      the network
  • False positives
    • Reduce number using the tuning process

8
Types of IDS
  • Network-based (NIDS)
    • Monitors network traffic
    • Provides early warning system for attacks
  • Host-based (HIDS)
    • Monitors activity on host machine
    • Able to stop compromises while they are in
      progress

9
Network-based IDS
  • Uses a dedicated platform for purpose of
    monitoring network activity
  • Analyzes all passing traffic
  • Sensors have two network connections
    • One operates in promiscuous mode to sniff passing
      traffic
    • An administrative NIC sends data such as alerts
      to a centralized management system
  • Most commonly employed form of IDS

10
NIDS Monitoring and Management Interfaces
11
NIDS Architecture
  • Place IDS sensors strategically to defend most
    valuable assets
  • Typical locations of IDS sensors
    • Just inside the firewall
    • On the DMZ
    • On the server farm segment
    • On network segments connecting mainframe or
      midrange hosts

12
Connecting the Monitoring Interface
  • Using Switch Port Analyzer (SPAN) configurations,
    or similar switch features
  • Using hubs in conjunction with switches
  • Using taps in conjunction with switches

13
SPAN
  • Allows traffic sent or received in one interface
    to be copied to another monitoring interface
  • Typically used for sniffers or NIDS sensors

14
How SPAN Works
15
(No Transcript)
16
Limitations of SPAN
  • Traffic between hosts on the same segment is not
    monitored; only traffic leaving the segment
    crosses the monitored link
  • Switch may offer limited number of SPAN ports or
    none at all

17
Hub
  • Device for creating LANs that forwards every
    packet received to every host on the LAN
  • Allows only a single port to be monitored

18
Using a Hub in a Switched Infrastructure
19
Tap
  • Fault-tolerant hub-like device used inline to
    provide IDS monitoring in switched network
    infrastructures

20
(No Transcript)
21
Network IDS Reactions
  • Passive Response
    • IP session logging
    • Notification
    • Shunning or blocking
  • Active Response
    • TCP resets
    • Network Configuration Changes
    • Deception

22
Host-based IDS
  • Primarily used to protect only critical servers
  • Software agent resides on the protected system
  • Detects intrusions by analyzing logs of operating
    systems and applications, resource utilization,
    and other system activity
  • Use of resources can have an impact on system
    performance

23
HIDS Method of Operation
  • Auditing logs (system logs, event logs, security
    logs, syslog)
  • Monitoring file checksums to identify changes
  • Elementary network-based signature techniques
    including port activity
  • Intercepting and evaluating requests by
    applications for system resources before they are
    processed
  • Monitoring of system processes for suspicious
    activity

24
HIDS Software
  • Host wrappers
    • Inexpensive and deployable on all machines
    • Do not provide in-depth, active monitoring
      measures of agent-based HIDS products
  • Agent-based software
    • More suited for single purpose servers

25
HIDS Active Monitoring Capabilities
  • Log the event
  • Alert the administrator
  • Terminate the user login
  • Disable the user account

26
Advantages of Host-based IDS
  • Verifies success or failure of attack by
    reviewing HIDS log entries
  • Monitors user and system activities that are
    useful in forensic analysis of the attack
  • Protects against attacks that are not network
    based
  • Reacts very quickly to intrusions

continued
27
Advantages of Host-based IDS
  • Not reliant on particular network infrastructure;
    not limited by switched infrastructures
  • Installed on the protected server itself; requires
    no additional hardware to deploy and no changes to
    network infrastructure

28
Passive Detection Systems
  • Can take passive action (logging and alerting)
    when an attack is identified
  • Cannot take active actions to stop an attack in
    progress

29
Active Detection Systems
  • Have logging, alerting, and recording features of
    passive IDS, with additional ability to take
    action against offending traffic
  • Options
    • IDS shunning or blocking
    • TCP reset
  • Used in networks where IDS administrator has
    carefully tuned the sensor's behavior to minimize
    number of false positive alarms

30
(No Transcript)
31
TCP Reset
32
Signature-based and Anomaly-based IDS
  • Signature detection
    • Also known as misuse detection
    • IDS analyzes information it gathers and compares
      it to a database of known attacks, which are
      identified by their individual signatures
  • Anomaly detection
    • Baseline is defined to describe normal state of
      network or host
    • Any activity outside baseline is considered to be
      an attack
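
As an added example (not part of the original slides), a small Python demonstration of both detection models from this slide, scored with the true/false positive and negative counts of slide 6 and showing the tuning and combined-coverage ideas of slide 7. The request log, the baseline counts and the two signatures are constructed for illustration; the labels in the log are ground truth used only for scoring:

```python
import re
import statistics
from collections import Counter

# Constructed sample web-server requests: (source_ip, request, is_attack).
# The third field is ground truth used only to score the detectors.
LOG = (
    [("10.0.0.5", "GET /index.html", False),
     ("10.0.0.5", "GET /about.html", False),
     ("10.0.0.7", "GET /login?user=admin' OR '1'='1", True),
     ("10.0.0.9", "GET /cgi-bin/../../etc/passwd", True)]
    + [("10.0.0.8", f"GET /doc{i}.html", False) for i in range(8)]    # busy but benign
    + [("10.0.0.11", f"GET /page{i}.html", True) for i in range(40)]  # request flood
)
# Constructed baseline: requests per source seen during normal operation.
BASELINE = [3, 4, 5, 4, 3, 6, 4, 5]
# Signature (misuse) detection: a small database of known attack patterns.
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.I),
    "path-traversal": re.compile(r"\.\./"),
}
def signature_alerts(log):
    """Map line index -> signature name for each request matching a known pattern."""
    alerts = {}
    for i, (_, request, _) in enumerate(log):
        for name, pattern in SIGNATURES.items():
            if pattern.search(request):
                alerts[i] = name
                break
    return alerts

def anomaly_alerts(log, threshold):
    """Flag every line from a source whose request count exceeds
    baseline mean + threshold * stdev; threshold is the tuning knob."""
    cutoff = statistics.mean(BASELINE) + threshold * statistics.pstdev(BASELINE)
    counts = Counter(src for src, _, _ in log)
    noisy = {src for src, n in counts.items() if n > cutoff}
    return {i for i, (src, _, _) in enumerate(log) if src in noisy}

def combined_alerts(log, threshold):
    """Union of both detectors: more coverage, as slide 7 recommends."""
    return set(signature_alerts(log)) | anomaly_alerts(log, threshold)

def score(log, flagged):
    """Confusion counts (true/false positives and negatives) against the labels."""
    tp = sum(1 for i, (_, _, atk) in enumerate(log) if atk and i in flagged)
    fp = sum(1 for i, (_, _, atk) in enumerate(log) if not atk and i in flagged)
    fn = sum(1 for i, (_, _, atk) in enumerate(log) if atk and i not in flagged)
    return {"tp": tp, "fp": fp, "fn": fn, "tn": len(log) - tp - fp - fn}
```

On this data the signatures catch the two known attacks but miss the flood (40 false negatives), the anomaly detector at threshold 3 catches the flood but also flags the busy legitimate user (8 false positives), raising the threshold to 4 removes those false positives, and the union of both detectors at threshold 4 leaves no false negatives or false positives.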

33
Intrusion Detection Products
  • Aladdin Knowledge Systems
  • Entercept Security Technologies
  • Cisco Systems, Inc.
  • Computer Associates International Inc.
  • CyberSafe Corp.
  • Cylant Technology
  • Enterasys Networks Inc.
  • Internet Security Systems Inc.
  • Intrusion.com Inc. family of IDS products

continued
34
Intrusion Detection Products
  • NFR Security
  • Network-1 Security Solutions
  • Raytheon Co.
  • Recourse Technologies
  • Sanctum Inc.
  • Snort
  • Sourcefire, Inc.
  • Symantec Corp.
  • TripWire Inc.

35
Honeypots
  • False systems that lure intruders and gather
    information on methods and techniques they use to
    penetrate networks by purposely becoming victims
    of their attacks
  • Simulate unsecured network services
  • Make forensic process easy for investigators

36
Commercial Honeypots
  • ManTrap
  • Specter
  • Smoke Detector
  • NetFacade

37
Open Source Honeypots
  • BackOfficer Friendly
  • BigEye
  • Deception Toolkit
  • LaBrea Tarpit
  • Honeyd
  • Honeynets
  • User Mode Linux

38
Honeypot Deployment
  • Goal
    • Gather information on hacker techniques,
      methodology, and tools
  • Options
    • Conduct research into hacker methods
    • Detect attacker inside organization's network
      perimeter

39
Honeypot Design
  • Must attract, and avoid tipping off, the attacker
  • Must not become a staging ground for attacking
    other hosts inside or outside the firewall

40
Honeypots, Ethics, and the Law
  • Nothing wrong with deceiving an attacker into
    thinking that he/she is penetrating an actual
    host
  • Honeypot does not convince one to attack it; it
    merely appears to be a vulnerable target
  • Doubtful that honeypots could be used as evidence
    in court

41
Incident Response
  • Every IDS deployment should include two documents
    to answer "what now?" questions
    • IDS monitoring policy and procedure
    • Incident response plan

42
IDS Monitoring
  • Requires well-documented monitoring procedures
    that detail actions for specific alerts

43
Incident Response Team
  • Responsible for assigning personnel to assemble
    resources required to handle security incidents

44
Typical IRT Objectives
  • Determine how incident happened
  • Establish process for avoiding further
    exploitations of the same vulnerability
  • Avoid escalation and further incidents
  • Assess impact and damage of the incident
  • Recover from the incident

continued
45
Typical IRT Objectives
  • Update procedures as needed
  • Determine who was responsible
  • Involve legal counsel and law enforcement
    officials, as appropriate

46
Chapter Summary
  • Two major types of intrusion detection
    • Network-based IDS (monitor network traffic)
    • Host-based IDS (monitor activity on individual
      computers)
  • Honeypots
  • Incident response