710 likes | 1.02k Views
Security Perimeter. Eng. Mohammad Adly , M. Sc. Intrusion Detection. Host-based HIDS, HIPS Network-based NIDS, NIPS. What is IDS. Reports attacks against monitored systems/networks Alarm System Mature Technology that has significant utilization. What IDS is NOT?.
E N D
Security Perimeter Eng. Mohammad Adly, M. Sc.
Intrusion Detection • Host-based • HIDS, HIPS • Network-based • NIDS, NIPS
What is IDS • Reports attacks against monitored systems/networks • Alarm System • Mature Technology that has significant utilization
What IDS is NOT? • Not a replacement for firewalls, strong policies, system hardening, timely patching, and other DiD techniques • Not a low maintenance tool • Not an inexpensive tool • Not a silver bullet
IDS in Action • Attacker used nmap to scan a host for open ports • Attacker managed to scan and find the open ports already • Victim used TCP_Xmas_Scan that logged the attacker’s activity and IP address • This tool just presented data to an analyst to take action
IDS Alerts • Alerts are generated from Events of Intrest EOI • 4 types of events: • True Positive, True Negative • False Positive, False Negative • Which one is the worst to have on your network?
NIDS Overview • Deployed as a passive sensor at network aggregation points • Captures traffic like a sniffer • Detects EOI on the network • Uses signature, anomaly, or application/protocol analysis
Signature Analysis • Rules indicate criteria in packet that represent EOI • Rules are applied to packets as they are received by the IDS • Alerts are created when matches are found
Rules and Signature Criteria • Protocol, address and port information • Payload contents • String matching • Traffic flow analysis • Flags in protocol headers
Anomaly Analysis • Flags anomalous conditions in traffic on the network • Unexpected conditions are identified as suspicious • Requires understanding of what “normal” is • Usually based on good traffic as baseline for future analysis • Usually an inclusive detection method
Application/Protocol Analysis • IDS has understanding of the logic for a specific application or protocol • Any protocol activity that is not known as normal is flagged • Difficult to implement • Few protocol implementations are standard • Usually an exclusive detection method
Deep Vs Shallow Inspection • Shallow • Fast, but provides little fidelity • Examines header information, limited payload data • Deep • Slow, requires stateful tracking of data • Inspects all fields including variable length fields
NIDS Challenges • Deployment challenges including deployment and access limitations • Analyzing encrypted traffic • Quantity Vs quality of signatures • Performance limitations (Speed of Processing, and Size of Storage) • Very costly for proper management
TCPDump as NIDS • Uses libpcap for packet capture • Always available • Complies on many unix platforms • Runs on Windows • High fedelity • Same program for data collection and first order analysis
Snort • Low cost, lightweight • Suitable for monitoring multiple sites/sensors • Low false alarm rate • Low effort for reporting
Basic Snort Rule • Rule : • alert tcp any any -> 192.168.1.0/24 80 (msg: "Inbound HTTP Traffic"; ) • Output: • [**] [1:0:0] Inbound HTTP Traffic [**] 09/02-13:03:22.734392 192.168.1.104:1460 -> 192.168.1.103:80 TCP TTL:128 TOS:0x0 ID:28581 IpLen:20 DgmLen:48 DF ******S* Seq: 0x2550D716 Ack: 0x0 Win: 0x4000 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOPSackOK
Advanced Snort Rule • Rule: • alert tcp any any -> 192.168.1.0/24 80 (content: "/cgibin/ test.cgi"; msg: "Attempted CGI-BIN Access!!";) • Output : • [**] [1:0:0] Attempted CGI-BIN Access!! [**] 09/02-13:18:30.550445 192.168.1.104:1472 -> 192.168.1.103:80 TCP TTL:128 TOS:0x0 ID:29951 IpLen:20 DgmLen:466 DF ***AP*** Seq: 0x32D8E9C1 Ack: 0xB427699E Win: 0x4470 TcpLen:20
Additional Snort Tools • Log Analysis Tools • Snort Stat • http://www.snort.org/dl/contrib/data_analysis/snort_stat.pl • Snort Snarf • http://www.silicondefense.com/software/snortsnarf/index.htm • Snort Log • http://www.snort.org/dl/contrib/data_analysis/snortlog3.pl • Real-Time Alerting Tools • SWATCH . the Simple WATCHer
Core_Host Filter • DNS, Web, and mail servers draw a lot of fire • About 20% of all our attacks • If you lose control of DNS, they own you • Worth the time to give connection attempts to these systems an extra look
HR IDS Application • Content monitoring systems • Spy on employees • Monitors web, IM, e-mail, for confidential information leakage • Helps address the inside attacker • Identifies violations against the company acceptable use policy
NIDS Pros • Internet is a large attack vector • Fairly easy to setup • Does not affect the speed of the network or add load to the systems it monitors
NIDS Cons • Sensors have limited speed • Almost impossible to detect attacks not in rule set • Very susceptible to “low” and “slow” attacks
NIDS Summary • NIDS is an important part of a robust perimeter defense. • NIDS tools such as BlackICE, Defender, Snort, and Ethereal are available and viable products • Add-ons provide additional features
Why NIDS is not Enough? • Very fast networks • Switched networks • Encrypted networks • Backdoors in local network • Insider on network • NIDS may miss attack • Don’t trust corporate security that much
HIDS • Host-based systems monitor their network connections and file system status. • Have to acquire the aggregate logs of ALL critical systems at a minimum • When potential problems are found, alerts are raised
HIDS • Monitoring and controlling traffic into and out of the host • Generating logs that record activity on the host • Performing actions based on what is found in the logs • Managing file changes on the host- authorized or otherwise
Unix Based- HIDS • TCPWrappers and Xinetd • Port Sentry (reacts to port scans) • Syslog • Swatch • Tripwire
TCPWrappers • Monitors and filters incoming TCP network service requests • Valuable logging tool • Currently included in most Unix / Linux distributions
TCPWrappers Configuration • The ACLs for TCP Wrappers are configured in the /etc/hosts.deny and /etc/hosts.allow files. • The default setting in /etc/hosts.deny is a single line: • ALL: ALL • # Deny everything, add back with /etc/hosts.allow • “deny everything not expressly permitted”
Host Allow ALL: .nnnn.abc.org, 192.168.2, friend.somewhere.edu sshd: trustedhost.somewhere.org
TCPWrappers • Checks both forward and reverse DNS lookup • Both answers must match or connection is dropped • Adds a layer of security against spoofing
Psionic Port Sentry • Runs on TCP and UDP • Stealth scan detection for Linux • Reacts to a port scan attempt by blocking the host in real-time • Remembers hosts that connected previously
Port Sentry Log • Jul 3 11:30:20 shepherd portsentry[418]: attackalert: SYN/Normal scan from host: node10453.a2000.nl/24.132.4.83 to TCP port: 143 • Jul 3 11:30:20 shepherd portsentry[418]: attackalert: Host 24.132.4.83 has been blocked via wrappers with string: "ALL: 24.132.4.83" • Jul 3 11:30:20 shepherd portsentry[418]: attackalert: Host 24.132.4.83 has been blocked via dropped route using command: "/sbin/route add –host 24.132.4.83 gw 333.444.555.666"
Syslog • Unix system logger can be on a local system or other system • TCPWrappers logs to Syslog by default • Logs can offer valuable information, but they can also be compromised • Swatch or other tools can monitor syslog and raise alerts
Syslog Example • Nov 13 01:28:36 ns1 named[22988]: unapproved AXFR from [192.168.1.2].3209 for abc.nnnn.org • Nov 13 01:28:36 ns2 named[89]: unapproved AXFR from [192.168.1.2].3250 for abc.nnnn.org • AXFR= Zone Transfer Attempt
Swatch • Swatch (Simple WATCHer) is one such tool that monitors selected log files • Completes one or more user-specified actions when it encounters a match to a user defined search string
Swatch • Keywords: • watchforregular expression • ignore regular expression
Swatch • Actions: • echo attributes • bell length • mail recipient,subject line • write user • exec “command” • pipe “command”
Tripwire • It will examine some or all of the file system (configurable) • Create one or more cryptographic hashes of each file • If a file changes, the change can be detected