An Introduction to Intrusion Detection Systems - PowerPoint PPT Presentation

An Introduction to Intrusion Detection Systems Presented By Himanshu Gupta MCSE, MCP+I – PowerPoint PPT presentation

Number of Views:168
Avg rating:3.0/5.0
Slides: 33
Provided by: hg24d
Learn more at: http://h.web.umkc.edu
1
An Introduction to Intrusion Detection Systems
  • Presented By
  • Himanshu Gupta
  • MCSE, MCP+I

2
Outline
  • What is Intrusion Detection ?
  • Types of IDS
  • Approaches to IDS
  • Requirements
  • Limitations
  • Evading IDSs
  • Testing and Evaluating IDSs
  • Computer Forensics
  • IDS Tools: nmap, Nessus (NeWT), Snort 2.1, IDS
    Center, ACID, WinPcap, Ethereal
  • Links
  • Books

3
Network Security Quiz
  • What is CIA ?
  • What is a Bastion Host ?
  • What is DMZ ?
  • What is a Honey pot ?
  • Why does a Network Switch Implementation make
    Network Monitoring Difficult?

4
What is Intrusion Detection?
  • Intrusion Detection is the art of detecting
    inappropriate, incorrect, or anomalous
    activity (internal/external).
  • Why do we need IDS?
  • Preparation, detection, containment and
    eradication

5
Types of IDS
  • Host-based ID systems
  • ID systems that operate on a host to detect
    malicious activity on that host.
  • Network-based ID systems
  • ID systems that operate on network data flows.
  • Components of IDS
  • Engine
  • Console

6
Detection Methodologies - Approaches to IDS
  • Statistical Anomaly Detection
  • Based on time, frequency, length of session
  • For example, if user X logs on at 03:00 AM and has
    never done so in the past, it will raise a flag
  • Protocol Verification/Anomaly Detection
  • Signature Detection
  • Based on pattern matching - look for a specific
    string in the network data being presented to the
    IDS
  • The flexible alternative: rules-based detection
  • Stateful Monitoring (Packet Analysis, Flow
    Analysis), e.g. a SYN flood to all ports
  • Integrity Checker - based on a hashing mechanism.
    Detects authorized and unauthorized changes to
    files within your systems.
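An added example, not from the deck, implementing two of the methodologies above in Python: a statistical baseline of login hours and per-hour login frequency for each user, queried for the slide's "user X logs on at 03:00" case, and a hash-based integrity checker that compares current file contents against a stored baseline of digests. The login records and file contents are constructed sample data.

```python
import hashlib
from collections import Counter, defaultdict

# Constructed login records (user, hour of day 0-23); not from the slides.
BASELINE = [("alice", 9), ("alice", 10), ("alice", 14), ("alice", 17),
            ("bob", 8), ("bob", 9), ("bob", 13), ("bob", 9)]

def build_profile(records):
    # Statistical baseline: the hours each user has been seen logging in, plus
    # the largest number of logins that user made in any one hour.
    hours, per_hour = defaultdict(set), Counter()
    for user, hour in records:
        hours[user].add(hour)
        per_hour[(user, hour)] += 1
    peak = defaultdict(int)
    for (user, _), n in per_hour.items():
        peak[user] = max(peak[user], n)
    return {"hours": hours, "peak": peak}

def anomalous_logins(profile, new_records):
    # Flag a login at an hour never seen for that user (the slide's user X at
    # 03:00) and any hour in which a user exceeds their historical peak rate.
    flags = []
    seen = Counter()
    for user, hour in new_records:
        seen[(user, hour)] += 1
        if hour not in profile["hours"].get(user, set()):
            flags.append((user, hour, "unusual hour"))
        elif seen[(user, hour)] > profile["peak"][user]:
            flags.append((user, hour, "unusual frequency"))
    return flags

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def integrity_check(known_good, current):
    # Integrity checker: hash each monitored file and compare with the stored
    # baseline. Any mismatch (authorized or not) is reported; new or missing
    # files are reported too, since both change the trusted set.
    changed = [n for n, data in current.items()
               if n in known_good and digest(data) != known_good[n]]
    added = [n for n in current if n not in known_good]
    missing = [n for n in known_good if n not in current]
    return {"changed": sorted(changed), "added": sorted(added),
            "missing": sorted(missing)}

if __name__ == "__main__":
    profile = build_profile(BASELINE)
    print(anomalous_logins(profile, [("alice", 3), ("bob", 9), ("carol", 12)]))
```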

7
Types of Response
  • Active
  • Alerts: visual, audio, e-mail, pager, SNMP
    alarms
  • Dropping the connection or throttling it to slow
    the attack
  • Block Traffic Completely
  • Reconfiguring Network Devices
  • Additional intelligence mining
  • Launching counter attack
  • Update Policy
  • Passive
  • Snapshots taken for later analysis

8
Requirements
  • Hardware for sensor and analysis stations
  • Active monitoring and Analysis of IDS Output
  • Baseline Creation
  • Real Time Alerts
  • Match With Comprehensive Signatures
  • Provides Log Tracking
  • Automatic Updates

9
Limitations of IDS
  • Functionality on High Network Bandwidths (what
    is the limit? 300 Mbps)
  • Multiple Attacks
  • Late Response, e.g. a DoS attack: the damage is
    already done
  • Direct Attack against the IDS itself
  • Unknown Attacks
  • Unsolved Problems: tunneling, ambiguities (e.g.
    different implementations of the protocol stack)
  • Is not independent of the whole security
    architecture
  • Great Deal of Tuning required
  • Performance of Algorithms
  • Working on Encrypted data
  • Working in Switched Environments

10
Evading IDSs
  • Assumption: the attacker knows the IDS algorithm
  • E.g. mimicry attack: a malicious payload is
    executed on the host while mimicking normal
    application behavior
  • Evasion techniques are used in order to navigate
    below the radar of your IDS
  • Fragmentation
  • Slow scan
  • Stealth scan
  • Out of order packets
  • Ambiguous packet (crafting)
  • Encoding such as %u, UTF (%xxxx), HEX (%xx)
  • Use of a well known port (Code Red)

11
Testing and Evaluating IDSs
  • Log Fidelity: is all the info there?
  • Usability - GUI
  • Can it be fine tuned depending on requirements?
  • Ability to write own rules, modify existing ones
  • Low false positive rate
  • Cost Issues
  • Ability to detect unknown attacks
  • Secure: the system should remain secure even
    when the attacker knows all the internal details
    of the system (Kerckhoffs's principle)
  • Real Time Detection and Response
  • OS Independence

12
Leading Products
  • Dragon from Enterasys
  • http://www.enterasys.com/ids/
  • CISCO Secure IDS
  • http://www.cisco.com/go/ids/
  • Snort
  • http://www.snort.org/
  • ISS Real Secure
  • http://www.iss.net/securing_e-business/
  • SHADOW
  • http://www.whitehats.ca
  • ftp://ftp.whitehats.ca/pub/ids/shadow-slack/shadow.iso

13
Computer Forensics
  • Where did the attack come from ?
  • What was the attacker method?
  • Do we have any hope of catching the intruder?
  • Do we have any evidence to prosecute the
    intruder?
  • What if the attack script erased the logs ?

14
WinPcap: the Free Packet Capture Library for
Windows
  • WinPcap is an open source library for packet
    capture and network analysis for the Win32
    platforms. It includes a kernel-level packet
    filter, a low-level dynamic link library
    (packet.dll), and a high-level and
    system-independent library (wpcap.dll, based on
    libpcap version 0.6.2).
  • The packet filter is a device driver that adds to
    Windows 95, 98, ME, NT, 2000, XP and 2003 the
    ability to capture and send raw data from a
    network card, with the possibility to filter and
    store in a buffer the captured packets.
  • Packet.dll is an API that can be used to directly
    access the functions of the packet driver,
    offering a programming interface independent from
    the Microsoft OS.
  • Wpcap.dll exports a set of high-level capture
    primitives that are compatible with libpcap, the
    well-known Unix capture library. These functions
    allow packets to be captured in a way independent
    of the underlying network hardware and
    operating system.
  • WinPcap is released under a BSD-style license.

15
Nmap: Free Network Scanner for Network
Exploration and Security
16
Snort 2.1: The de facto standard for intrusion
detection and prevention
  • Simple, efficient, FREE IDS
  • Very well-written and maintained, robust
    application
  • Snort is driven by a set of (community developed)
    rules
  • Actively (constantly) under development
  • Windows and UNIX versions available

17
Snort 2.1
  • Alerts generated and/or packets logged when a
    "rule" is triggered.
  • Very simple rule language for writing your own
    rules
  • Ability to log alerts to syslog, to directories
    in ASCII, or as raw data in tcpdump format
  • Different alert styles from one-line, to verbose
  • Modular "plug-in" architecture for adding
    functionality
  • Many available plug-ins, including SQL and Oracle
    database logging, statistical analysis, TCP
    stream and telnet session reassembly, active
    response using "sniping"
  • Resistant against some of the newer attacks
    directed at foiling IDSs
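As an added example, not part of the deck or of Snort itself, here is a minimal Python matcher for a simplified Snort-style rule of the kind slide 17 describes (header plus msg/content/nocase/sid options); before matching it also decodes the %xx and %u encodings listed on the evasion slide, so an encoded request still hits the content signature. The rule text, the packet records and the addresses in them are constructed.

```python
import re

# Constructed, simplified Snort-style rule (not from the deck): header
# "action proto src sport -> dst dport" plus options in parentheses.
SAMPLE_RULE = ('alert tcp any any -> any 80 (msg:"WEB-IIS cmd.exe access"; '
               'content:"cmd.exe"; nocase; sid:1000001; rev:1;)')

# Constructed packet records standing in for decoded TCP segments.
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "dst": "192.0.2.10", "sport": 40000,
     "dport": 80, "payload": "GET /scripts/cmd.exe HTTP/1.0"},
    {"proto": "tcp", "src": "10.0.0.5", "dst": "192.0.2.10", "sport": 40001,
     "dport": 80, "payload": "GET /scripts/%63%6D%64.exe HTTP/1.0"},  # hex-encoded
    {"proto": "tcp", "src": "10.0.0.6", "dst": "192.0.2.10", "sport": 40002,
     "dport": 80, "payload": "GET /index.html HTTP/1.0"},  # benign
]

ENCODED = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")

def normalize(payload: str) -> str:
    # Decode %xx and %uXXXX so the HEX/%u encodings from the evasion slide are
    # matched against the same characters the web server would decode.
    return ENCODED.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), payload)

def parse_rule(line: str) -> dict:
    # Valueless options (nocase) map to ''; values with ';' or '(' need a fuller parser.
    head, _, body = line.partition("(")
    action, proto, src, sport, _, dst, dport = head.split()
    opts = {}
    for opt in filter(str.strip, body.rstrip(")").split(";")):
        key, _, val = opt.strip().partition(":")
        opts[key] = val.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "opts": opts}

def match(rule: dict, pkt: dict, normalize_payload: bool = True) -> bool:
    # Header fields first ("any" is a wildcard), then content against payload.
    if rule["proto"] != pkt["proto"]:
        return False
    if any(rule[f] not in ("any", str(pkt[f])) for f in ("src", "sport", "dst", "dport")):
        return False
    content = rule["opts"].get("content", "")  # no content option: header-only rule
    hay = normalize(pkt["payload"]) if normalize_payload else pkt["payload"]
    if "nocase" in rule["opts"]:
        content, hay = content.lower(), hay.lower()
    return content in hay

def alerts(rules, packets, normalize_payload=True):
    # Returns (sid, msg, packet index) for every alert rule that fires.
    return [(r["opts"]["sid"], r["opts"]["msg"], i) for i, p in enumerate(packets)
            for r in rules if r["action"] == "alert" and match(r, p, normalize_payload)]
```

Running `alerts([parse_rule(SAMPLE_RULE)], PACKETS, normalize_payload=False)` fires only on the plain request; with normalization on, the hex-encoded request fires too, which is the point of the preprocessing step.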

18
IDS Center - A front-end for Snort intrusion
detection systems
  • Snort 2.0, 1.9, 1.8 and 1.7 support, Snort
    service mode support
  • Snort configuration wizard
  • Online updates of IDS rules: IDScenter integrates
    an HTTP client and starts an update script on
    demand
  • Ruleset editor supports all Snort 2.0 rule
    options
  • HTML report from SQL backend
  • Alert notification via e-mail, alarm sound or
    only visual notification
  • AutoBlock plugins: write your own plugins (DLL)
    for your firewall
  • Monitoring
  • Global event logging, Integrated log viewer, Log
    rotation (compressed archiving of log files)
  • Program execution possible if an attack was
    detected

19
IDS Center - A front-end for Snort intrusion
detection systems
20
IDS Center - A front-end for Snort intrusion
detection systems
21
ACID - Analysis Console for Intrusion Databases
  • The Analysis Console for Intrusion Databases
    (ACID) is a PHP-based analysis engine to search
    and process a database of security events
    generated by various IDSes, firewalls, and
    network monitoring tools.
  • The features currently include:
  • Query-builder and search interface for finding
    alerts matching on alert meta information (e.g.
    signature, detection time) as well as the
    underlying network evidence (e.g.
    source/destination address, ports, payload, or
    flags).
  • Packet viewer (decoder) will graphically display
    the layer-3 and layer-4 packet information of
    logged alerts
  • Alert management by providing constructs to
    logically group alerts to create incidents (alert
    groups), deleting the handled alerts or false
    positives, exporting to email for collaboration,
    or archiving of alerts to transfer them between
    alert databases.
  • Chart and statistics generation based on time,
    sensor, signature, protocol, IP address, TCP/UDP
    ports, or classification

22
ACID - Analysis Console for Intrusion Databases
Packet Decode
23
NeWT - Nessus Windows Technology
  • Nessus: Open Source Vulnerability Scanner
    Project
  • NeWT is a complete network vulnerability scanner
    which includes high-speed checks for more than
    6000 of the most commonly updated
    vulnerabilities.
  • NeWT and NeWT Pro perform the following types of
    vulnerability checks:
  • Buffer overflow checks in daemons such as
    Sendmail and IIS
  • Default user accounts
  • Misconfigured email, ftp and web servers
  • Discovery of open ports and host OS discovery
  • Denial of service (DOS) discovery
  • Backdoors and virus infected host
  • P2P, chat and suspicious file sharing services

24
NeWT - Nessus Windows Technology
25
NeWT - Nessus Windows Technology
26
Ethereal: A Network Protocol Analyzer
  • Ethereal is used by network professionals around
    the world for troubleshooting, analysis, software
    and protocol development, and education.
  • Its open source license allows talented experts
    in the networking community to add enhancements.
  • It runs on all popular computing platforms,
    including Unix, Linux, and Windows.
  • Data can be captured "off the wire" from a live
    network connection, or read from a capture file.
  • 673 protocols can currently be dissected

27
Ethereal: A Network Protocol Analyzer
  • Ethereal can read capture files from tcpdump
    (libpcap), NAI's Sniffer (compressed and
    uncompressed), Sniffer Pro, NetXray, Sun snoop
    and atmsnoop, Shomiti/Finisar Surveyor, AIX's
    iptrace, Microsoft's Network Monitor, Novell's
    LANalyzer, RADCOM's WAN/LAN Analyzer, HP-UX
    nettl, i4btrace from the ISDN4BSD project, Cisco
    Secure IDS iplog, the pppd log (pppdump-format),
    the AG Group's/WildPacket's EtherPeek/TokenPeek/AiroPeek,
    or Visual Networks' Visual UpTime. It can
    also read traces made from Lucent/Ascend WAN
    routers and Toshiba ISDN routers, as well as the
    text output from VMS's TCPIPtrace utility and the
    DBS Etherwatch utility for VMS. Any of these
    files can be compressed with gzip and Ethereal
    will decompress them on the fly.
  • Live data can be read from Ethernet, FDDI, PPP,
    Token-Ring, IEEE 802.11, Classical IP over ATM,
    and loopback interfaces (at least on some
    platforms; not all of those types are supported
    on all platforms).
  • Captured network data can be browsed via a GUI,
    or via the TTY-mode "tethereal" program.
  • Capture files can be programmatically edited or
    converted via command-line switches to the
    "editcap" program.

28
Ethereal: A Network Protocol Analyzer
29
IETF Intrusion Detection Working Group (IDWG)
  • RFCs and active Internet drafts defining IDS
    requirements, language, and framework
  • www.ietf.org/html.charters/idwg-charter.html
  • Intrusion Detection Message Exchange Requirements
    - draft-ietf-idwg-requirements-10
  • http://www.ietf.org/internet-drafts/draft-ietf-idwg-requirements-10.txt
  • The Intrusion Detection Message Exchange Format
    - draft-ietf-idwg-idmef-xml-12
  • http://www.ietf.org/internet-drafts/draft-ietf-idwg-idmef-xml-12.txt
  • The Intrusion Detection Exchange Protocol (IDXP)
    - draft-ietf-idwg-beep-idxp-07
  • http://www.ietf.org/internet-drafts/draft-ietf-idwg-beep-idxp-07.txt
  • The TUNNEL Profile (RFC 3620)
  • http://www.ietf.org/rfc/rfc3620.txt

30
Links
  • Intrusion Detection FAQ - http://www.sans.org/resources/idfaq/
  • Network Scanning Tool: Nmap - Free Security
    Scanner for Network Exploration and Security
  • http://www.insecure.org/nmap/
  • Snort 2.1: The de facto standard for intrusion
    detection and prevention - www.snort.org
  • ACID - Analysis Console for Intrusion Databases -
    www.cert.org/kb/acid/
  • Nessus: Open Source Vulnerability Scanner
    Project - www.nessus.org
  • NeWT - Nessus Windows Technology -
    www.tenablesecurity.com/products/newt.shtml
  • Ethereal: A Network Protocol Analyzer -
    www.ethereal.com
  • WinPcap - winpcap.polito.it/
  • Snort IDS Center - www.engagesecurity.com/products/idscenter/

31
Books
  • Network Intrusion Detection (3rd Edition)
  • Stephen Northcutt, Judy Novak
  • Snort 2.1 Intrusion Detection, Second Edition
  • Jay Beale, Caswell
  • Nessus Network Auditing (Jay Beale's Open Source
    Security)
  • Renaud Deraison, Noam Rathaus, HD Moore, Raven
    Alder, George Theall, Andy Johnston, Jimmy
    Alderson
  • Ethereal Packet Sniffing
  • Angela D. Orebaugh, Gilbert Ramirez,
    Ethereal.com
  • Inside Network Perimeter Security: The Definitive
    Guide to Firewalls, Virtual Private Networks
    (VPNs), Routers, and Intrusion Detection Systems
  • Stephen Northcutt, Lenny Zeltser, Scott Winters,
    Karen Fredrick, Ronald W. Ritchey
  • Practical Unix & Internet Security, 3rd Edition
  • Simson Garfinkel, Gene Spafford, Alan Schwartz

32
Thanks! I hope this session was informative :-)
If you would like any more sessions in April
2005, please let the ACM Officers know.
  • E-mail: hg24d@umkc.edu