SURFnet IDS: a Distributed Intrusion Detection System

1
SURFnet IDS: a Distributed Intrusion Detection System
Rogier Spoor (project leader), Kees Trippelvitz
Relatiedagen, May 2006
2
Goals
  • Understanding
    • types of malicious network traffic within a LAN
    • amount of malicious network traffic within a LAN
    • spreading of worms
  • Setting up
    • a scalable IDS solution
    • an IDS that is easy to manage and maintain
  • Comparing results with other sensors
  • Limit malicious outbound traffic (SURFnet)

3
Why build something new?
  • Sensor must be maintenance free
  • IDS must be scalable and easy to manage
  • No false positives! (cannot use Snort)
  • IDS designed for high-speed networks (LAN/WAN)
  • IDS design should be able to analyse layer-2 traffic

4
Global Overview
5
Sensor
  • remastered Knoppix distribution
  • USB boot
  • OpenVPN between sensor and central server
  • Need
    • PC capable of USB boot, 1 NIC
    • 2x DHCP or 2 static IP addresses
    • OpenVPN session through local firewall (TCP 1194)
    • HTTPS session, for updates (TCP 4443)

6
Honeypot/Tunnel server
  • Based on nepenthes
    • a low-interaction honeypot
    • Link: http://nepenthes.sourceforge.net
  • OpenVPN tunnel to sensor
  • Manage X.509 certificates/keys of sensors
  • Source-based routing

7
Logging server
  • PostgreSQL
  • Web interface
    • Show statistics of sensors (groups/individual)
    • Show statistics of different attacks
    • Ranking of sensors
  • Mail logging
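The logging-server slide lists what the web interface shows but not how the data is shaped. The following is an added example written for this page, not SURFnet IDS code: it uses Python's sqlite3 module as a stand-in for the PostgreSQL database, and the table layout, column names, attack labels and sample records are all assumptions constructed for the example. It shows per-attack, per-sensor and per-group statistics and one defensible way to rank sensors (by distinct attacking hosts before raw hit count, so a single noisy scanner cannot dominate the ranking).

```python
"""Logging-server statistics for a distributed honeypot IDS.

Added example (not SURFnet IDS code): the deck says the logging server
stores attacks in PostgreSQL and shows per-sensor, per-group and per-attack
statistics plus a sensor ranking.  This sketch uses Python's sqlite3 module
as a stand-in for PostgreSQL; the table layout, column names, attack labels
and sample records are all assumptions constructed for the example.
"""
import sqlite3
from collections import namedtuple

AttackEvent = namedtuple(
    "AttackEvent", "sensor_id group_name ts attacker_ip attack_type")

# Constructed sample data: three sensors in two organisations.  Addresses
# are documentation ranges and the attack labels are illustrative only.
SAMPLE_EVENTS = [
    AttackEvent("sensor-a", "uni-1", "2006-05-01T10:00:00", "192.0.2.10", "lsass"),
    AttackEvent("sensor-a", "uni-1", "2006-05-01T10:05:00", "192.0.2.11", "dcom"),
    AttackEvent("sensor-a", "uni-1", "2006-05-01T10:07:00", "192.0.2.10", "lsass"),
    AttackEvent("sensor-b", "uni-1", "2006-05-01T11:00:00", "198.51.100.5", "dcom"),
    AttackEvent("sensor-c", "uni-2", "2006-05-01T12:00:00", "203.0.113.7", "lsass"),
    AttackEvent("sensor-c", "uni-2", "2006-05-01T12:30:00", "203.0.113.8", "pnp"),
]


def open_db():
    """Create the (assumed) attacks table in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""
        CREATE TABLE attacks (
            id          INTEGER PRIMARY KEY,
            sensor_id   TEXT NOT NULL,
            group_name  TEXT NOT NULL,
            ts          TEXT NOT NULL,
            attacker_ip TEXT NOT NULL,
            attack_type TEXT NOT NULL)""")
    return conn


def load_events(conn, events):
    """Insert honeypot events; returns the row count afterwards."""
    conn.executemany(
        "INSERT INTO attacks (sensor_id, group_name, ts, attacker_ip, attack_type)"
        " VALUES (?, ?, ?, ?, ?)", events)
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM attacks").fetchone()[0]


def attack_type_stats(conn):
    """Per attack type: (type, hits, distinct attacking hosts), busiest first."""
    return conn.execute("""
        SELECT attack_type, COUNT(*) AS hits, COUNT(DISTINCT attacker_ip) AS hosts
        FROM attacks GROUP BY attack_type
        ORDER BY hits DESC, attack_type""").fetchall()


def sensor_stats(conn, group=None):
    """Per sensor, optionally only one group: (sensor, group, hits, hosts)."""
    sql = ("SELECT sensor_id, group_name, COUNT(*), COUNT(DISTINCT attacker_ip)"
           " FROM attacks")
    params = ()
    if group is not None:
        sql += " WHERE group_name = ?"
        params = (group,)
    sql += " GROUP BY sensor_id, group_name ORDER BY sensor_id"
    return conn.execute(sql, params).fetchall()


def group_totals(conn):
    """Hits per group (organisation), as a dict."""
    return dict(conn.execute(
        "SELECT group_name, COUNT(*) FROM attacks GROUP BY group_name").fetchall())


def rank_sensors(conn):
    """Rank sensors by distinct attacking hosts first and total hits second,
    so one scanner hammering a single sensor does not alone push it to the
    top.  Returns sensor ids, most exposed first."""
    rows = conn.execute("""
        SELECT sensor_id, COUNT(DISTINCT attacker_ip) AS hosts, COUNT(*) AS hits
        FROM attacks GROUP BY sensor_id
        ORDER BY hosts DESC, hits DESC, sensor_id""").fetchall()
    return [sensor for sensor, _, _ in rows]


def build_demo():
    """Database loaded with the constructed sample events."""
    conn = open_db()
    load_events(conn, SAMPLE_EVENTS)
    return conn


if __name__ == "__main__":
    db = build_demo()
    print("attack types:", attack_type_stats(db))
    print("sensors:", sensor_stats(db))
    print("ranking:", rank_sensors(db))
```

Ranking on distinct hosts rather than hits is a design choice, not something the deck states; with the sample data sensor-a and sensor-c tie on hosts and the hit count breaks the tie.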

8
Working of SURFnet IDS
  • Attacker/Worm/Virus/Hacker
    • Attacks IP on server
  • Layer 2 tunnel (tap device)
    • DHCP request through tunnel
    • Binds IP of client LAN on tap device
  • Nepenthes simulates weakness
  • Nepenthes handles attack
  • Nepenthes logs attack
  • Sensor is booted
    • OpenVPN is started
      • Uses TCP port 1194
      • Works with NAT!
  • Web interface presents the logged data
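Slides 6 and 8 together describe the tunnel server's key trick: each sensor's layer-2 tunnel ends in a tap device, the honeypot takes an address from that remote LAN via DHCP, and source-based routing makes sure replies leave through the tap device of the LAN the address belongs to rather than the server's default route. The following is an added example, not the project's own scripts: it builds the iproute2 commands (one routing table and one policy rule per tunnel) and refuses a lease whose address or gateway is not inside the LAN prefix. Device names, networks, addresses and table numbers are constructed.

```python
"""Source-based routing for a honeypot behind several layer-2 tunnels.

Added example, not the project's scripts: on the SURFnet IDS tunnel server
each sensor's OpenVPN tunnel ends in a tap device, and the honeypot takes an
address from that remote LAN via DHCP.  Replies sourced from such an address
must go back out through the tap device of *that* LAN, not the server's
default route; the deck calls this source-based routing.  This builds the
iproute2 commands (one routing table and one policy rule per tunnel).  The
device names, networks, addresses and table numbers are constructed.
"""
import ipaddress
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class Tunnel:
    dev: str       # tap device of this sensor's tunnel, e.g. "tap0"
    network: str   # the remote LAN in CIDR form, as learnt from the DHCP lease
    address: str   # address the honeypot obtained on that LAN
    gateway: str   # default gateway named in the lease
    table: int     # routing table reserved for this tunnel (1..252)


def routing_commands(tunnels):
    """Return the iproute2 commands, in the order to run them, that make
    packets *from* each honeypot address leave via its own tap device."""
    cmds, used_tables = [], set()
    for t in tunnels:
        net = ipaddress.ip_network(t.network, strict=True)
        addr = ipaddress.ip_address(t.address)
        gw = ipaddress.ip_address(t.gateway)
        # A lease whose address or gateway is not inside the LAN prefix is
        # bogus (or a misconfigured sensor); refuse rather than route blindly.
        if addr not in net or gw not in net:
            raise ValueError(f"{t.dev}: {addr}/{gw} not inside {net}")
        # Tables 0 and 253-255 are reserved (unspec, default, main, local).
        if not 1 <= t.table <= 252 or t.table in used_tables:
            raise ValueError(f"{t.dev}: bad or duplicate routing table {t.table}")
        used_tables.add(t.table)
        tbl = str(t.table)
        # 1. connected route so the gateway is reachable inside the table
        cmds.append(["ip", "route", "replace", str(net), "dev", t.dev,
                     "src", str(addr), "table", tbl])
        # 2. default route for that table via the LAN's own gateway
        cmds.append(["ip", "route", "replace", "default", "via", str(gw),
                     "dev", t.dev, "table", tbl])
        # 3. policy rule: anything sourced from the honeypot address uses it
        cmds.append(["ip", "rule", "add", "from", str(addr), "lookup", tbl])
    return cmds


def apply_routing(tunnels, run=subprocess.run):
    """Run the commands (needs CAP_NET_ADMIN); `run` is injectable so the
    plan can be checked without touching the host.  Returns commands run."""
    cmds = routing_commands(tunnels)
    for cmd in cmds:
        run(cmd, check=True)
    return len(cmds)


# Constructed example: two sensors in two different client LANs.
DEMO_TUNNELS = [
    Tunnel("tap0", "10.1.0.0/24", "10.1.0.23", "10.1.0.1", 10),
    Tunnel("tap1", "10.2.0.0/24", "10.2.0.40", "10.2.0.1", 11),
]

if __name__ == "__main__":
    for cmd in routing_commands(DEMO_TUNNELS):
        print(" ".join(cmd))
```

Running the script without privileges only prints the plan; `apply_routing` is what a boot hook on the tunnel server would call once the DHCP lease for a tap device is known.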

9
β-version: Multiple VLAN support
10
β-version: Multiple honeypot
11
β-version: Multiple honeypot
12
β-version: Multiple honeypot
13
β-version: Multiple honeypot
14
Future
15
Demo
16
Questions?
  • Website: http://ids.surfnet.nl