
Security Perimeter



Presentation Transcript


  1. Security Perimeter Eng. Mohammad Adly, M. Sc.

  2. Intrusion Detection • Host-based • HIDS, HIPS • Network-based • NIDS, NIPS

  3. What is IDS • Reports attacks against monitored systems/networks • Alarm System • Mature Technology that has significant utilization

  4. What IDS is NOT? • Not a replacement for firewalls, strong policies, system hardening, timely patching, and other DiD techniques • Not a low maintenance tool • Not an inexpensive tool • Not a silver bullet

  5. IDS in Action • Attacker used nmap to scan a host for open ports • Attacker managed to scan and find the open ports already • Victim used TCP_Xmas_Scan that logged the attacker’s activity and IP address • This tool just presented data to an analyst to take action

  6. IDS Alerts • Alerts are generated from Events of Interest (EOI) • 4 types of events: • True Positive, True Negative • False Positive, False Negative • Which one is the worst to have on your network?

  7. NIDS Overview • Deployed as a passive sensor at network aggregation points • Captures traffic like a sniffer • Detects EOI on the network • Uses signature, anomaly, or application/protocol analysis

  8. Signature Analysis • Rules indicate criteria in packet that represent EOI • Rules are applied to packets as they are received by the IDS • Alerts are created when matches are found

  9. Rules and Signature Criteria • Protocol, address and port information • Payload contents • String matching • Traffic flow analysis • Flags in protocol headers

  10. Anomaly Analysis • Flags anomalous conditions in traffic on the network • Unexpected conditions are identified as suspicious • Requires understanding of what “normal” is • Usually based on good traffic as baseline for future analysis • Usually an inclusive detection method

  11. Application/Protocol Analysis • IDS has understanding of the logic for a specific application or protocol • Any protocol activity that is not known as normal is flagged • Difficult to implement • Few protocol implementations are standard • Usually an exclusive detection method

  12. Deep Vs Shallow Inspection • Shallow • Fast, but provides little fidelity • Examines header information, limited payload data • Deep • Slow, requires stateful tracking of data • Inspects all fields including variable length fields

  13. NIDS Challenges • Deployment challenges including deployment and access limitations • Analyzing encrypted traffic • Quantity Vs quality of signatures • Performance limitations (Speed of Processing, and Size of Storage) • Very costly for proper management

  14. Where to put NIDS?

  15. TCPDump as NIDS • Uses libpcap for packet capture • Always available • Compiles on many Unix platforms • Runs on Windows • High fidelity • Same program for data collection and first order analysis

  16. Snort • Low cost, lightweight • Suitable for monitoring multiple sites/sensors • Low false alarm rate • Low effort for reporting

  17. Snort Capture

  18. Basic Snort Rule • Rule : • alert tcp any any -> 192.168.1.0/24 80 (msg: "Inbound HTTP Traffic"; ) • Output: • [**] [1:0:0] Inbound HTTP Traffic [**] 09/02-13:03:22.734392 192.168.1.104:1460 -> 192.168.1.103:80 TCP TTL:128 TOS:0x0 ID:28581 IpLen:20 DgmLen:48 DF ******S* Seq: 0x2550D716 Ack: 0x0 Win: 0x4000 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOPSackOK

  19. Advanced Snort Rule • Rule: • alert tcp any any -> 192.168.1.0/24 80 (content: "/cgibin/test.cgi"; msg: "Attempted CGI-BIN Access!!";) • Output : • [**] [1:0:0] Attempted CGI-BIN Access!! [**] 09/02-13:18:30.550445 192.168.1.104:1472 -> 192.168.1.103:80 TCP TTL:128 TOS:0x0 ID:29951 IpLen:20 DgmLen:466 DF ***AP*** Seq: 0x32D8E9C1 Ack: 0xB427699E Win: 0x4470 TcpLen:20
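As an added illustration of how the signature rules on slides 18 and 19 are evaluated (example code written here, not Snort's own parser), the following Python applies a minimal subset of the rule syntax, the header fields plus the content and msg options, to constructed packet records; Packet, parse_rule, match and run are names introduced here, and the two rules loaded into RULES are the ones from the slides.

```python
import re
import ipaddress
from collections import namedtuple

# Minimal subset of the Snort rule syntax shown on the slides:
#   action proto src_ip src_port -> dst_ip dst_port (content:"..."; msg:"...";)
RULE_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s*->\s*'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')
OPT_RE = re.compile(r'(\w+)\s*:\s*"([^"]*)"\s*;')
Packet = namedtuple("Packet", "proto src sport dst dport payload")  # constructed stand-in for one captured segment

def parse_rule(text):
    """Split a rule into its header fields plus a dict of the quoted options."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("unparseable rule: " + text)
    rule = m.groupdict()
    rule["opts"] = dict(OPT_RE.findall(rule.pop("opts")))
    return rule

def ip_matches(pattern, addr):
    # "any" matches everything; otherwise a single host or a CIDR block
    return pattern == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)

def port_matches(pattern, port):
    return pattern == "any" or int(pattern) == port

def match(rule, pkt):
    """Return the rule's msg when the packet meets its header and content criteria, else None."""
    if rule["proto"] != pkt.proto:
        return None
    if not (ip_matches(rule["src"], pkt.src) and port_matches(rule["sport"], pkt.sport)
            and ip_matches(rule["dst"], pkt.dst) and port_matches(rule["dport"], pkt.dport)):
        return None
    content = rule["opts"].get("content")
    if content is not None and content.encode() not in pkt.payload:
        return None                        # header matched but the payload string did not
    return rule["opts"].get("msg", "")

def run(rules, packets):
    """Apply every rule to every packet, as a passive sensor would; return the alerts raised."""
    return [(m, p.src, p.dst) for p in packets for r in rules if (m := match(r, p)) is not None]

RULES = [parse_rule('alert tcp any any -> 192.168.1.0/24 80 (msg: "Inbound HTTP Traffic"; )'),
         parse_rule('alert tcp any any -> 192.168.1.0/24 80 (content: "/cgibin/test.cgi"; msg: "Attempted CGI-BIN Access!!";)')]
```

Note that the first rule fires on every inbound web connection, which is exactly the high-volume, low-value alert the slides warn about; the content option is what narrows the second rule to an event of interest.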

  20. Additional Snort Tools • Log Analysis Tools • Snort Stat • http://www.snort.org/dl/contrib/data_analysis/snort_stat.pl • Snort Snarf • http://www.silicondefense.com/software/snortsnarf/index.htm • Snort Log • http://www.snort.org/dl/contrib/data_analysis/snortlog3.pl • Real-Time Alerting Tools • SWATCH, the Simple WATCHer

  21. Snort Stat

  22. Snort Snarf

  23. Core_Host Filter • DNS, Web, and mail servers draw a lot of fire • About 20% of all our attacks • If you lose control of DNS, they own you • Worth the time to give connection attempts to these systems an extra look

  24. Core_Host Filter- Web Server

  25. HR IDS Application • Content monitoring systems • Spy on employees • Monitors web, IM, e-mail, for confidential information leakage • Helps address the inside attacker • Identifies violations against the company acceptable use policy

  26. NIDS Pros • Internet is a large attack vector • Fairly easy to setup • Does not affect the speed of the network or add load to the systems it monitors

  27. NIDS Cons • Sensors have limited speed • Almost impossible to detect attacks not in rule set • Very susceptible to “low” and “slow” attacks

  28. NIDS Summary • NIDS is an important part of a robust perimeter defense. • NIDS tools such as BlackICE, Defender, Snort, and Ethereal are available and viable products • Add-ons provide additional features

  29. Why NIDS is not Enough? • Very fast networks • Switched networks • Encrypted networks • Backdoors in local network • Insider on network • NIDS may miss attack • Don’t trust corporate security that much

  30. HIDS • Host-based systems monitor their network connections and file system status. • Have to acquire the aggregate logs of ALL critical systems at a minimum • When potential problems are found, alerts are raised

  31. HIDS • Monitoring and controlling traffic into and out of the host • Generating logs that record activity on the host • Performing actions based on what is found in the logs • Managing file changes on the host- authorized or otherwise

  32. Unix Based- HIDS • TCPWrappers and Xinetd • Port Sentry (reacts to port scans) • Syslog • Swatch • Tripwire

  33. TCPWrappers • Monitors and filters incoming TCP network service requests • Valuable logging tool • Currently included in most Unix / Linux distributions

  34. Without TCPWrappers

  35. With TCPWrappers

  36. TCPWrappers Configuration • The ACLs for TCP Wrappers are configured in the /etc/hosts.deny and /etc/hosts.allow files. • The default setting in /etc/hosts.deny is a single line: • ALL: ALL • # Deny everything, add back with /etc/hosts.allow • “deny everything not expressly permitted”

  37. Host Allow • ALL: .nnnn.abc.org, 192.168.2, friend.somewhere.edu • sshd: trustedhost.somewhere.org

  38. TCPWrappers • Checks both forward and reverse DNS lookup • Both answers must match or connection is dropped • Adds a layer of security against spoofing
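An added model (written here, not tcp_wrappers' own code) of the access decision described on slides 36 to 38: hosts.allow is consulted first, then hosts.deny, and the client's reverse name is only trusted when its forward lookup agrees. DNS_TABLE is a constructed resolver stand-in using documentation-range addresses, and the 192.168.2 pattern from slide 37 is written with the trailing dot that tcp_wrappers requires for a network prefix.

```python
DNS_TABLE = {  # constructed resolver stand-in (no real DNS): ip -> reverse name, name -> forward addresses
    "203.0.113.10": "trustedhost.somewhere.org",
    "203.0.113.20": "friend.somewhere.edu",
    "192.0.2.5": "host1.nnnn.abc.org",
    "trustedhost.somewhere.org": ["203.0.113.10"],
    "friend.somewhere.edu": ["203.0.113.99"],    # forward answer disagrees with the reverse one
    "host1.nnnn.abc.org": ["192.0.2.5"],
}

HOSTS_ALLOW = """\
ALL: .nnnn.abc.org, 192.168.2., friend.somewhere.edu
sshd: trustedhost.somewhere.org
"""
HOSTS_DENY = "ALL: ALL   # Deny everything, add back with /etc/hosts.allow\n"

def parse_table(text):
    """(daemon_list, client_list) pairs from a hosts.allow/hosts.deny file, comments stripped."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].replace(" ", "")
        if line:
            daemons, clients = line.split(":", 1)
            pairs.append((daemons.split(","), clients.split(",")))
    return pairs

def client_matches(pattern, ip, name):
    if pattern == "ALL":
        return True
    if pattern.startswith("."):                  # domain suffix, e.g. .nnnn.abc.org
        return name is not None and name.endswith(pattern)
    if pattern.endswith("."):                    # network prefix, e.g. 192.168.2.
        return ip.startswith(pattern)
    return pattern in (ip, name)                 # exact address or host name

def resolve_client(ip):
    name = DNS_TABLE.get(ip)                     # reverse lookup of the connecting address
    if name is None:
        return None, True                        # no reverse record: only address patterns can match
    return (name, True) if ip in DNS_TABLE.get(name, []) else (None, False)

def hosts_access(daemon, ip):
    """hosts.allow is consulted first, then hosts.deny; a client matching neither is allowed."""
    name, consistent = resolve_client(ip)
    if not consistent:
        return False                             # forward/reverse mismatch: dropped as possible spoofing
    for table, verdict in ((HOSTS_ALLOW, True), (HOSTS_DENY, False)):
        for daemons, clients in parse_table(table):
            if any(d in ("ALL", daemon) for d in daemons) and any(
                    client_matches(c, ip, name) for c in clients):
                return verdict
    return True
```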

  39. DNS Review

  40. TCPWrappers in Action

  41. Psionic Port Sentry • Runs on TCP and UDP • Stealth scan detection for Linux • Reacts to a port scan attempt by blocking the host in real-time • Remembers hosts that connected previously

  42. Port Sentry Log • Jul 3 11:30:20 shepherd portsentry[418]: attackalert: SYN/Normal scan from host: node10453.a2000.nl/24.132.4.83 to TCP port: 143 • Jul 3 11:30:20 shepherd portsentry[418]: attackalert: Host 24.132.4.83 has been blocked via wrappers with string: "ALL: 24.132.4.83" • Jul 3 11:30:20 shepherd portsentry[418]: attackalert: Host 24.132.4.83 has been blocked via dropped route using command: "/sbin/route add -host 24.132.4.83 gw 333.444.555.666"

  43. Syslog • Unix system logger can be on a local system or other system • TCPWrappers logs to Syslog by default • Logs can offer valuable information, but they can also be compromised • Swatch or other tools can monitor syslog and raise alerts

  44. Syslog Example • Nov 13 01:28:36 ns1 named[22988]: unapproved AXFR from [192.168.1.2].3209 for abc.nnnn.org • Nov 13 01:28:36 ns2 named[89]: unapproved AXFR from [192.168.1.2].3250 for abc.nnnn.org • AXFR= Zone Transfer Attempt

  45. Swatch • Swatch (Simple WATCHer) is one such tool that monitors selected log files • Completes one or more user-specified actions when it encounters a match to a user defined search string

  46. Swatch • Keywords: • watchfor regular expression • ignore regular expression

  47. Swatch • Actions: • echo attributes • bell length • mail recipient, subject line • write user • exec “command” • pipe “command”
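An added Python sketch (not Swatch itself) of the watchfor/ignore/action cycle described on slides 45 to 47, run over constructed lines modelled on the syslog and Port Sentry examples from slides 42 and 44. CONFIG and watch are names introduced here, actions are recorded rather than executed, and "block-host" is a hypothetical local script, not a real command.

```python
import re

# Constructed log excerpt modelled on the named and portsentry lines shown on the slides (not a real capture).
LOG_LINES = [
    "Nov 13 01:28:36 ns1 named[22988]: unapproved AXFR from [192.168.1.2].3209 for abc.nnnn.org",
    "Nov 13 01:28:40 ns1 named[22988]: client 192.168.1.50#53 query (cache) 'www.abc.nnnn.org/A'",
    "Jul 3 11:30:20 shepherd portsentry[418]: attackalert: SYN/Normal scan from host: "
    "node10453.a2000.nl/24.132.4.83 to TCP port: 143",
    "Jul 3 11:30:21 shepherd sshd[512]: Accepted publickey for admin from 10.0.0.5 port 51022",
]

# Swatch-style configuration: (keyword, regex, actions).  Actions are (name, argument) pairs and are
# only recorded here; "block-host" stands in for a hypothetical site-local script.
CONFIG = [
    ("ignore",   re.compile(r"query \(cache\)"), []),
    ("watchfor", re.compile(r"unapproved AXFR from \[(?P<ip>[\d.]+)\]"),
                 [("echo", "bold"), ("mail", "dnsadmin, Zone transfer attempt")]),
    ("watchfor", re.compile(r"attackalert: .* from host: \S+/(?P<ip>[\d.]+)"),
                 [("bell", "2"), ("exec", "block-host $ip")]),
]

def watch(lines, config=CONFIG):
    """Return the actions triggered, in log order, with $ip expanded from the match."""
    fired = []
    for line in lines:
        for keyword, pattern, actions in config:
            m = pattern.search(line)
            if not m:
                continue
            if keyword == "watchfor":
                ip = m.groupdict().get("ip", "")
                fired.extend((name, arg.replace("$ip", ip), line) for name, arg in actions)
            break        # first matching entry wins; swatch needs its "continue" action to look further
    return fired
```

Placing the noisy cache-query pattern under ignore before the watchfor entries is what keeps routine resolver chatter from drowning the two alerts the analyst actually wants.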

  48. Swatch- Sample Configuration File

  49. Swatch Notification

  50. Tripwire • It will examine some or all of the file system (configurable) • Create one or more cryptographic hashes of each file • If a file changes, the change can be detected
