IC3 - Network Security

1
IC3 - Network Security

• An Introduction to Intrusion Detection and
  Vulnerability Assessment
• RHUL, 8-Dec-2003

Andreas Fuchsberger Robert Christian,
F.A.C.T.S. Group
2
Agenda

• Basics Definitions
• Why Intrusion Detection and Vulnerability
  Assessment
• Attack Development
• Vulnerability Development
• Hacker Strategy
• Anatomy of a Hack
• VA
• Software
• Services ( Audits)
• Web-Based Services
• IDS
• Host based IDS
• Network Based IDS
• Demo of VA and IDS
• Current technological Approaches
• Honey Pots
• Appliances
• Summary

3
Basic and Definitions

• Perimeter security devices (e.g. firewalls) and
  computer security mechanisms (e.g. application
  and OS security) can only prevent attacks by
  outsiders.
• They may fail to do so a firewall may be
  misconfigured, a password may be sniffed off the
  network, a new attack type may emerge.
• They do not detect when an attack is underway or
  has taken place.
• And they do not react to attacks.

4
Basics and Definitions

• Example
• Imagine continuous inspection of a Unix system by
  hand (similar examples for NT, W2K)
• The following checklist is from CERT
• (http//www.cert.org/tech_tips/intruder_detection
  _checklist.html)
• 1. Examine log files for connections from
  unusual locations or other unusual activity. For
  example, look at your 'last' log, process
  accounting, all logs created by syslog, and other
  security logs.
• 2. Look for setuid and setgid files (especially
  setuid root files) everywhere on your system.
  Intruders often leave setuid copies of /bin/sh or
  /bin/time around to allow them root access at a
  later time.

5
Ad Hoc Intrusion Detection

• Imagine the complexity and degree of expertise
  needed to carry out the tasks in this checklist
  for every host and every sensitive network link
  on a network every single day.
• The ad hoc approach is not recommended!
• Automated systems are needed
• monitor multiple hosts and network links for
  suspicious behaviour
• report this behaviour, possibly react to it.
• Hence Intrusion Detection Systems (IDS).

6
Basics Definitions

• Prevention
• Vulnerability Assessment (VA)
• Intrusion Prevention Systems (IPS)
• Detection
• Intrusion Detection (IDS)
• Counterattack
• Problem of origin c.f. DoS
• Actual fight back technologies
• Intrusion Prevention Systems (IPS)
• Honeypots/nets Honeytechs

7
Intrusion Detection Systems

• Popular second layer of technical Information
  Security enforcement
• Passive supervision of exiting network, analogues
  to intruder alarms
• Creates more work for personal
• There exist 2 different approaches to the
  implementation of Intrusion Detection Systems
  (IDS)
• Knowledge-based IDS
• Network based
• Host based
• Behaviour-based IDS
• Statistical anomaly detection

8
Why Intrusion Detection and Vulnerability
Assessment
Auto Coordinated
Cross site scripting
Attack Sophistication
stealth / advanced scanning techniques
High
Staged
packet spoofing
denial of service
distributed attack tools
sniffers
sweepers
www attacks
automated probes/scans
GUI
back doors
network mgmt. diagnostics
disabling audits
hijacking sessions
burglaries
Attack Sophistication
exploiting known vulnerabilities
password cracking
self-replicating code
Intruder Knowledge
password guessing
Low
2000
1980
1985
1990
1995
Source Carnegie Mellon University
9
Why Intrusion Detection and Vulnerability
Assessment
4 Vulnerability Development
700
600
Linux (aggr.)
500
Solaris
Windows NT
400
Gesamt
300
200
100
0
Source SecurityFocus
1997
1998
1999
2000
(Cum.)
10
Why Intrusion Detection and Vulnerability
Assessment
Vulnerability Exploit Lifecycle
Vulnerability Scanners adding detection signature
Widespread Awareness
Selective Awareness
First Discovery
Advisory Release
11
Why Intrusion Detection and Vulnerability
Assessment
Unauthorized Access to Networks
12
Why Intrusion Detection and Vulnerability
Assessment
Origin of the Attack
13
Why Intrusion Detection and Vulnerability
Assessment
Source of the Attack
14
Why Intrusion Detection and Vulnerability
Assessment
Which Type of Attacks ?
2001 CSI/FBI - Computer Crime and Security Survey
15
Why Intrusion Detection and Vulnerability
Assessment
Types of Attacks
16
Why Intrusion Detection and Vulnerability
Assessment
Reactions to attacks
17
Why Intrusion Detection and Vulnerability
Assessment

• Classic
• Hacker Strategy

18
Why Intrusion Detection and Vulnerability
Assessment
PING
CORP
Internet
NETWORK
SWEEP
Primary Target Identification - Identify
Hosts ( ) with external visibility
denotes internal hosts with high value data but
no external view
19
Why Intrusion Detection and Vulnerability
Assessment
PORT
CORP
NETWORK
SWEEP
WEB
Primary Target Analysis - Identify services
running on visible hosts to prioritize further
probing activities
20
Why Intrusion Detection and Vulnerability
Assessment
Primary Target Selection - Determine
vulnerability state of weakest point and
concentrate further activities against this system
21
Why Intrusion Detection and Vulnerability
Assessment
Primary Target Exploitation - Gain privileges
control of primary target - attacker now
controls a trusted corporate system !
22
Why Intrusion Detection and Vulnerability
Assessment
Secondary Target Identification - Probing for
high value information or systems which are
then compromised and data stolen or trojan horses
planted, etc.
23
Summary / Schematic
Big Widgets Network
netbus
crack
Web Server
Unix
NT
Unix
NT
Firewall
Router
Network
imap
E-Mail Server
Clients Workstations
24
Denial of Service

• Denial of Service attacks (DoS)
• In contrast to unauthorised access attacks a DoS
  attack does not need to contain method for
  communicating back to the attacker
• Distributed Denial of Service (DDoS) attacks
• Trin00/Stacheldraht (Feb 2000)
• Attacks on ebay, amazon.com and etrade.com
• MS.Blaster (August 2003)
• Problem of lack of metrics to measure the impact
  of Denial of Service attacks more research
  required

25
Vulnerability Assessment

• Vulnerability Assessment Methods
• Software solutions (ISS Scanner, Stat, Nessus
  etc.)
• Audit Services (manual Penetration tests etc)
• Web based commercial (Qualys, Security Point etc)
• Keep up-to-date with security (and other) patches
• Form Microsoft OS www.windowsupdate.com
• Enterprise version available
• Microsoft Baseline Security Advisor
• Includes hfnetcheck.exe (from Shavlik)
• Similar for SUN, HP, IBM, CISCO etc. OS

26
Vulnerability Assessment (VA)
Vulnerability Assessment DEMO
27
Intrusion Detection

• Intrusion Detection Systems (IDS)
• Intrusion Prevention Systems (IPS)

28
Knowledge-based IDS

• ALL commercial IDS look for attack signatures
• specific patterns of network traffic or activity
  in log files that indicate suspicious behaviour.
• Called a knowledge-based or misuse detection IDS
• Example signatures might include
• a number of recent failed login attempts on a
  sensitive host
• a certain pattern of bits in an IP packet,
  indicating a buffer overflow attack
• certain types of TCP SYN packets, indicating a
  SYN flood DoS attack.

29
Knowledge-based IDS

• Knowledge-based IDS uses information such as
• Security policy
• Known vulnerabilities of particular OS and
  applications
• Known attacks on systems.
• They are only as good as the information in the
  database of attack signatures
• new vulnerabilities not in the database are
  constantly being discovered and exploited
• vendors need to keep up to date with latest
  attacks and issue database updates customers
  need to install these
• large number of vulnerabilities and different
  exploitation methods, so effective database
  difficult to build
• large database makes IDS slow to use.

30
Behaviour-based IDS

• Statistical Anomaly Detection (or behaviour-based
  detection) is a methodology where statistical
  techniques are used to detect penetrations and
  attacks.
• Begin by establishing base-line statistical
  behaviour what is normal for this system?
• Then gather new statistical data and measure the
  deviation from the base-line.
• If a threshold is exceeded, issue an alarm.

31
Behaviour-based IDS

• Example monitor the number of failed login
  attempts at a sensitive host over a period
• if a burst of failures occurs, an attack may be
  under way
• or maybe the admin just forgot his password?
• This raises the issue of false positives (an
  attack is flagged when one was not taking place
  a false alarm) and false negatives (an attack was
  missed because it fell within the bounds of
  normal behaviour).
• This issue does also apply to knowledge-based
  systems.

32
Behaviour-based IDS

• IDS does not need to know about security
  vulnerabilities in a particular system
• the base-line defines normality
• dont need to know the details of the
  construction of a buffer overflow packet.
• Normal behaviour may overlap with forbidden
  behaviour.
• Legitimate users may deviate from the baseline,
  causing false positives (e.g. user goes on
  holiday, or works late in the office, or forgets
  password, or starts to use new application).
• If the base-line is adjusted dynamically and
  automatically, a patient attacker may be able to
  gradually shift the base-line over time so that
  his attack does not generate an alarm.

33
Host-based and Network-based IDS

• When an IDS looks for attack signatures in
  network traffic, it is called a network-based IDS
  (NIDS).
• When an IDS looks for attack signatures in log
  files of hosts, it is called a host-based IDS
  (HIDS).
• Naturally, the most effective Intrusion Detection
  System will make use of both kinds of
  information.

34
IDS Architecture

• Distributed set of sensors either located on
  hosts or on network to gather data.
• Centralised console to manage sensor network,
  analyze data, report and react.
• Ideally
• Protected communications between sensors and
  console
• Protected storage for signature database/logs
• Secure console configuration
• Secured signature updates from vendor
• Otherwise, the IDS itself can be attacked and
  manipulated.

35
Network-based IDS

• Uses network packets as the data source.
• Typically utilizes a network adapter running in
  promiscuous mode to monitor and analyze all
  traffic in real-time as it travels across the
  network.
• The attack recognition module uses three common
  techniques to recognize attack signatures
• Pattern, expression or bytecode matching
• Frequency or threshold crossing (eg detect
  portscanning activity)
• Correlation of lesser events (in reality, not
  much of this in commercial systems).

36
Network-based IDS
Response Capability
UserConfigurable Policy
Attack Recognition
Filter Engine
Packet Grabber
Network Sensor
Adapter
37
Placement of Network-based IDS

• Deployment options
• Outside fire wall
• Just inside fire wall
• Combination of both will detect attacks getting
  through firewall and may help to refine firewall
  ruleset.
• Behind remote access server
• Between Business Units
• Between Corporate Network and Partner Networks

38
Placement of Network-based IDS

• Internet

Sensor
Mail server
Firewall
Perimeter Network
Sensor
Web server
Sensor
Console
Protected Network
39
Host-based IDS

• Typically monitors system, event, and security
  logs on Windows and syslog in Unix environments.
• Checks key system files and executables via
  checksums at regular intervals for unexpected
  changes.
• Some products can use regular-expressions to
  refine attack signatures (e.g. passwd program
  executed AND .rhosts file changed).
• Some products listen to port activity and alert
  when specific ports are accessed limited NIDS
  capability.

40
Host-based IDS
Response Capability
UserConfigurable Policy
Attack Recognition
Filter Engine
Log files and file checksums
Host Sensor
41
Placement of Host-based IDS

• Deployment options
• Key servers that contain mission-critical and
  sensitive information
• Web servers
• FTP and DNS servers
• E-commerce database servers, etc.

42
Placement of Host-based IDS
Internet
Sensor
Mail server
Firewall
Perimeter Network
Web server
Sensor
Human Resources Network
Console
Sensor
43
IDS as a Response Tool

• Given the (near) real-time nature of IDS alerts,
  an IDS can be used as a response tool as well as
  for detection.
• NIDS and HIDS have different response
  capabilities because they detect different
  attacks, or the same attacks but in different
  ways.

44
HIDS and NIDS

• There are attack types that a HIDS can detect but
  a NIDS cannot
• SYN flood, Land, Smurf and Teardrop attacks,
  BackOrifice,
• And vice-versa
• Trojan login script, walk up to unattended
  keyboard attack, encrypted traffic,
• For more reliable detection, combine both types
  of IDS.

45
IDS Response Options
46
IDS Response Options

• Dangers of automated response
• Attacker tricks IDS to respond, but response
  aimed at innocent target (say, by spoofing source
  IP address)
• Users locked out of their accounts because of
  false positives
• Repeated e-mail notification becomes a denial of
  service attack on sysadmins e-mail account
• Repeated restoration of index.html from CD
  reduces website availability.

47
Intrusion Detection
Intrusion Detection
DEMO
48
What is Snort?

• Snort is a fast, flexible, small-footprint,
  open-source NIDS developed by the security
  community and a benevolent dictator
• Lead coder Marty Roesch, now founder of
  Sourcefire (www.sourcefire.com)
• Initially developed in late 1998 as a sniffer
  with consistent output, unlike protocol-dependent
  output of TCPDump
• Licensed under GPL, but version 2.0 may change to
  a different license

49
Snort Rules

• Snort rules are extremely flexible and are easy
  to modify, unlike many commercial NIDS
• Sample rule to detect SubSeven trojan
• alert tcp EXTERNAL_NET 27374 -gt HOME_NET any
  (msg"BACKDOOR subseven 22" flags A content
  "0d0a5b52504c5d3030320d0a" referencearachnids,
  485 referenceurl,www.hackfix.org/subseven/
  sid103 classtypemisc-activity rev4)
• Elements before parentheses comprise rule
  header
• Elements in parentheses are rule options

50
Third-Party Enhancements

• Analysis Console for Intrusion Databases (ACID)
• http//acidlab.sourceforge.net/
• PHP-based analysis engine to search and process a
  database of security events generated by various
  IDSes, firewalls, and network monitoring tools
• Query-builder and search interface, packet viewer
  (decoder), alert management, chart and statistics
  generation
• Description and screenshots taken from ACID web

51
(No Transcript)
52
(No Transcript)
53
Third-Party Enhancements

• Demarc
• www.demarc.com
• NIDS management console, integrating Snort with
  the convenience and power of a centralized
  interface for all network sensors
• Monitor all servers / hosts to make sure network
  services such as a mail or web servers remain
  accessible at all times
• Monitor system logs for anomalous log entries
  that may indicate intruders or system
  malfunctions
• Description and screenshots taken from demarc web

54
(No Transcript)
55
(No Transcript)
56
IDS The Future

• Integrated approach to IDS
• Network and host-based in one system (some
  products already do this in a limited way)
• The strengths of both NIDS and HIDS (but maybe
  all of the weaknesses!)
• Better visualisation, management and reporting
  tools
• Event correlation
• Correlate a number of sub-events which
  individually do not indicate an attack but which
  when viewed in combination do
• Requires much more sophisticated software and
  data processing.
• Potentially much better attack detection.
• Commercial Statistical Anomaly Detection
• Intrusion Protection Systems (IPS)
• Honeypots and Honeynets

57
Intrusion Prevention System - IPS

• Relatively new (marketing) term
• Essentially a combination of access control
  (firewall/router) and intrusion detection systems
• Often shared technologies between stateful
  inspection and signature recognition (looking
  deep into the packet)
• Inline network IDS allows for instant access
  control policy modification
• Recent Gartner study claims by 2005 only
  integrated firewalls with IDS (i.e. IPS) will
  survive
• Most success to-date with flood attacks

58
Honeypots

• Technology used to track, learn and gather
  evidence of hacker activities
• Definition
• a resource whose value is being attacked or
  compromised
• Laurence Spitzner, The value of honeypots,
  SecurityFocus, October 2001
• Strategically placed systems designed to mimic
  production systems, but not reveal real data
• Modes of operation
• Baiting
• Waiting
• Collating
• Disseminating

59
Honeypot types of implementation

• Level of Involvement
• Low Involvement Port Listeners
• Mid Involvement Fake Daemons
• High Involvement Real Services
• Risk increases with level of involvement

60
Honeynet

• Network of honeypots
• Supplemented by firewalls and intrusion detection
  systems - Honeywall
• Advantages
• More realistic environment
• Improved possibilities to collect data

61
Honeynet
62
Sebek

• Sebek is a data capture tool designed to capture
  all of the attackers activities on a honeypot,
  without the attacker knowing it.
• 2 components.
• Client that runs on the honeypots, its purpose is
  to capture all of the attackers activities
  (keystrokes, file uploads, passwords) then
  covertly send the data to the server.
• Server which collects the data from the
  honeypots. The server normally runs on the
  Honeywall gateway.
• Since the Sebek client runs as a kernel module on
  the honeypots, it can capture all activity,
  including encrypted, such as SSH, IPSec

63
Honeynet using a Honeywall
64
Lecture Summary

• Threats are both internal and external.
• Prevention, detection and reaction are needed in
  combination.
• Intrusion detection systems are a very useful
  second line of defence (in addition to firewalls
  and other safeguards).
• IDS deployment, customisation and management is
  generally not straightforward.

65
Lecture Summary

• Critical Issues
• Why detect, if it cannot be prevented ?
• Technical limitations
• What defines the quality of any IDS
• Reliability (False Positives / False Negatives)
• Reliabilty
• Managebility
• Implementation
• Is a Patch really a Patch ?
• What other means exist ?

66
Lecture Summary

• What do you absolutely need to know
• What is IDS / VA ?
• Different Types
• How do they function
• What are issues to be observed ?
• What are limitations to IDS / VA
• and if you really want to be good
• What are critical issues and how could they be
  overcome ?

67
IDS Further Reading

• Stallings Chapter 9, pp.292-303 (possibly too
  much emphasis on statistical approach
  research-focussed rather than commercially
  focussed).
• An article The future of IDS by Matthew Tanase
  at SecurityFocus.com
• http//online.securityfocus.com/infocus/1518
• An evaluation of IDS products by Kathleen A.
  Jackson
• http//www.sekure.net/ids/00416750.pdf

68

• Thank You !