Lesson 13 - Intrusion Detection Systems
Perimeter Security “In ancient times, those skilled in warfare make themselves invincible and then wait for the enemy to become vulnerable. Being invincible depends on oneself, but the enemy becoming vulnerable depends on himself.” -- Sun Tzu, The Art of War
Background • A layered network security approach starts with a well-secured system. • Layers of protection can be added to a well-secured system, such as: • antivirus products, • firewalls, • sniffers, • intrusion detection systems, • well-chosen passwords, • up-to-date application and operating system patches, • access lists, • the minimum number of services running, • restricted access to available services, • file permissions. • Physical security includes locks, walls, gates, guards, motion sensors, and pressure plates.
Firewalls • Can’t protect against: • attacks that don't go through the firewall • traitors or idiots inside your network • tunneling over most application protocols to trojaned or poorly written clients (HTTP or SMTP) • bad things being allowed through them when an internal system connects to any external system (IRC) • things like viruses or malicious software (malware)
IDS Background • One of the more complicated types of network/data security devices is the intrusion detection system (IDS). • An IDS is the burglar alarm of the network. • IDSs monitor network resources to detect intrusions and attacks not stopped by firewalls, packet-filtering routers, proxy servers, etc. • Conducts forensic analysis once an attack is over • Manages risk from threats and vulnerabilities
History of IDS • In 1972, James Anderson published a paper outlining the growing number of computer security problems and the immediate need to secure Air Force systems “Computer Security Technology Planning Study Volume 2.” • Anderson continued his research and, in 1980, published a follow-up paper outlining methods to improve security auditing and surveillance methods. • He pioneered the concept of using system audit files to detect unauthorized access and misuse.
Denning, Neumann and Government Research • IDS came into existence when Dorothy Denning and Peter Neumann developed the first real-time IDS model, called “The Intrusion Detection Expert System (IDES),” following their research between 1984 and 1986. • In 1987, Denning published “An Intrusion-Detection Model,” a paper that laid out the model on which most modern intrusion detection systems are based. • With a model and its definitions in place, the U.S. government continued to fund research for projects, such as: • Discovery • Haystack • Multics Intrusion Detection and Alerting System (MIDAS) • Network Audit Director and Intrusion Reporter (NADIR)
IDS Commercialization • In 1989, Haystack Labs released “Stalker,” the first commercial intrusion detection system. • The host-based system worked by comparing audit data to known patterns of suspicious activity. • In 1995, WheelGroup developed NetRanger, the first commercial network-based intrusion detection product. • It monitored network links and the traffic moving across them. • Cisco Systems acquired WheelGroup in February 1998 and IDSs were recognized as a vital part of any network security infrastructure.
Purpose of an IDS • IPS: intrusion prevention systems are the next step in the evolution of IDS
Types of IDS • Network-based (NIDS) • Monitors network traffic • Most commonly employed form of IDS • More NIDS products are available due to capable open source solutions • Host-based (HIDS) • Monitors activity on host machine • Able to stop compromises while they are in progress • Like any application, host-based IDS agents use resources on the host server • Host-based IDS are primarily used to protect only critical servers.
Host-Based IDS • A host-based IDS (HIDS) examines log files, audit trails, and network traffic coming into or leaving a specific host. • A HIDS operates in: • Real time. • Batch mode, looking for activity on a periodic basis. • They may be self-contained, but many of the newer commercial products have been designed to report to and be managed by a central system.
HIDS Advantages and Disadvantages • The advantages of host-based IDSs include: • Operating system-specific. • More detailed signatures. • Reduced false positive rates. • Examination of data after decryption. • Application-specific. • An alarm can help determine the impact on a specific system. • Before deployment, weigh the disadvantages of this technology: • An IDS has a process on every system watched. • An IDS has a high cost of ownership. • An IDS uses local system resources. • An IDS has a focused view and cannot relate to activity around it. • A locally logged IDS may be compromised or disabled.
HIDS Components – Traffic Collector • The traffic collector collects activities/events for the other components. • On a host-based IDS, it reads log files, audit logs, or inbound and outbound traffic. • On a network-based IDS, it copies traffic off the network link, basically functioning as a sniffer. • It is responsible for reading files, selecting items of interest, and forwarding them to the analysis engine. • On some host-based systems, it also examines specific attributes of critical files such as file size, date modified, or checksum.
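The file-attribute check mentioned in the last bullet (size, date modified, checksum) is the basis of file-integrity monitoring. The following is an added example, not code from the lesson: it snapshots a set of critical files, then compares a later snapshot against the baseline and reports what changed. File names and contents are constructed in a temporary directory; the `demo()` function stands in for the two collector runs a real HIDS would schedule.

```python
"""Toy file-integrity check of the kind a HIDS traffic collector performs on
critical files. Example code, not from the lesson; all files are constructed."""
import hashlib
import os
import tempfile


def snapshot(paths):
    """Record size, modification time and SHA-256 of each file.
    A missing file is recorded as None so later removal/creation is visible."""
    out = {}
    for p in paths:
        if not os.path.exists(p):
            out[p] = None
            continue
        st = os.stat(p)
        h = hashlib.sha256()
        with open(p, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        out[p] = {"size": st.st_size, "mtime": st.st_mtime, "sha256": h.hexdigest()}
    return out


def compare(baseline, current):
    """Return a list of (path, finding) for every file whose attributes changed.
    Content changes are judged by checksum, not by size or timestamp, because
    a tampered file can keep its size and have its mtime reset."""
    findings = []
    for p, old in baseline.items():
        new = current.get(p)
        if old is None and new is None:
            continue
        if old is not None and new is None:
            findings.append((p, "removed"))
        elif old is None and new is not None:
            findings.append((p, "created"))
        elif old["sha256"] != new["sha256"]:
            findings.append((p, "content changed"))
        elif old["mtime"] != new["mtime"] or old["size"] != new["size"]:
            findings.append((p, "metadata changed"))
    return findings


def demo():
    """Constructed scenario: baseline two files, then alter one and delete the other."""
    with tempfile.TemporaryDirectory() as d:
        passwd = os.path.join(d, "passwd")          # constructed stand-in for /etc/passwd
        sshd_cfg = os.path.join(d, "sshd_config")   # constructed stand-in for a daemon config
        with open(passwd, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(sshd_cfg, "w") as f:
            f.write("PermitRootLogin no\n")
        watched = [passwd, sshd_cfg]
        baseline = snapshot(watched)

        # Same size as the original line, so only the checksum reveals the change.
        with open(passwd, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/zz\n")
        os.remove(sshd_cfg)
        return compare(baseline, snapshot(watched))


if __name__ == "__main__":
    for path, finding in demo():
        print(f"{finding:16} {path}")
```

The baseline must be stored somewhere the monitored host cannot silently rewrite (the lesson's "locally logged IDS may be compromised" point applies to the baseline as much as to the logs), which is one reason commercial HIDS agents report to a central manager.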
HIDS Components – Analysis Engine and Signature Database • Analysis engine - pattern-matching mechanism which compares traffic (present or future) to the signature database. • If matches exist, the analysis engine reacts with an alert or alarm. • Must examine traffic patterns as quickly as possible. • The longer it takes to match a malicious pattern, the less time the IDS or human operator has to react to malicious traffic. • The signature database is a collection of predefined activity patterns that have already been identified and categorized as activity patterns typical of suspicious or malicious activity.
HIDS Components • User interface and reporting: • Independent of the type and complexity, the interface allows users to interact with the system by: • Changing parameters • Receiving alarms • Tuning signatures and response patterns • Most IDSs can be “tuned” • Signatures may be turned off • Alarm levels can be adjusted. • Some IDSs also allow users to “exclude” certain patterns of activity from specific hosts.
Focus on Log Files • Host-based intrusion detection systems focus on the log files or audit trails from the local operating system. • The IDS looks for hostile actions or misuse activities, such as: • Logins at odd hours • Login authentication failures • Adding new user accounts • Modification or access of critical system files • Modification or removal of binary files (executables) • Starting or stopping processes • Privilege escalation • Using certain programs
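The three HIDS components above (traffic collector, signature database, analysis engine) and the log-file indicators in this slide fit together in a few dozen lines. The following is an added example, not code from the lesson: a collector parses constructed syslog-style lines, the signature database holds two content signatures (authentication failure, new account), and the engine adds two context signatures that need memory of earlier events (repeated failures from one source inside a time window, and an accepted login at an odd hour). The optional `respond` callback is the passive-versus-active distinction: a passive run only returns alarms, an active run also invokes the callback. All log lines, hostnames and addresses are constructed.

```python
"""Toy host-based IDS over constructed auth-log lines. Example code, not from
the lesson; the log text, thresholds and signature names are all assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (syslog-like); not captured from a real system.
SAMPLE_LOG = """\
2024-03-09 02:55:10 host1 sshd[411]: Failed password for root from 203.0.113.7 port 51000 ssh2
2024-03-09 02:55:12 host1 sshd[411]: Failed password for root from 203.0.113.7 port 51001 ssh2
2024-03-09 02:55:14 host1 sshd[411]: Failed password for root from 203.0.113.7 port 51002 ssh2
2024-03-09 02:55:16 host1 sshd[411]: Failed password for root from 203.0.113.7 port 51003 ssh2
2024-03-09 02:55:18 host1 sshd[411]: Failed password for root from 203.0.113.7 port 51004 ssh2
2024-03-09 03:01:40 host1 sshd[412]: Accepted password for alice from 198.51.100.9 port 40222 ssh2
2024-03-09 03:02:05 host1 useradd[420]: new user: name=backup2, UID=1005, GID=1005, home=/home/backup2
2024-03-09 09:15:00 host1 sshd[450]: Accepted publickey for bob from 198.51.100.10 port 40300 ssh2
2024-03-09 09:16:30 host1 sshd[451]: Failed password for bob from 198.51.100.10 port 40301 ssh2
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+?)\[\d+\]: (.*)$")

# Signature database: content signatures are regexes applied to one event.
CONTENT_SIGNATURES = {
    "auth-failure": re.compile(r"Failed password for (\S+) from (\S+)"),
    "new-account": re.compile(r"new user: name=(\S+),"),
}
LOGIN_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+)")

ODD_HOURS = range(0, 6)        # 00:00-05:59 counts as "odd" (assumption)
BRUTE_FORCE_THRESHOLD = 5      # failures from one source ...
BRUTE_FORCE_WINDOW_S = 60      # ... inside this many seconds


def collect(text):
    """Traffic collector: turn raw lines into events the engine understands."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # items of no interest are dropped here
        events.append({"ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                       "host": m.group(2), "prog": m.group(3), "msg": m.group(4)})
    return events


def analyze(events, respond=None):
    """Analysis engine. Returns (signature, timestamp, detail) alarms.
    Passive mode: respond is None. Active mode: respond(source) is called
    when the brute-force context signature fires."""
    alerts = []
    failures = defaultdict(deque)  # source address -> recent failure timestamps
    for ev in events:
        msg, ts = ev["msg"], ev["ts"]

        fail = CONTENT_SIGNATURES["auth-failure"].search(msg)
        if fail:
            alerts.append(("auth-failure", ts, fail.group(1)))
            src = fail.group(2)
            window = failures[src]
            window.append(ts)
            while (ts - window[0]).total_seconds() > BRUTE_FORCE_WINDOW_S:
                window.popleft()  # forget failures outside the sliding window
            if len(window) == BRUTE_FORCE_THRESHOLD:  # context signature: fires once
                alerts.append(("brute-force", ts, src))
                if respond is not None:
                    respond(src)

        acct = CONTENT_SIGNATURES["new-account"].search(msg)
        if acct:
            alerts.append(("new-account", ts, acct.group(1)))

        login = LOGIN_RE.search(msg)
        if login and ts.hour in ODD_HOURS:  # context signature: time of day
            alerts.append(("odd-hour-login", ts, login.group(1)))
    return alerts


if __name__ == "__main__":
    blocked = []
    for sig, ts, detail in analyze(collect(SAMPLE_LOG), respond=blocked.append):
        print(f"{ts:%H:%M:%S} {sig:15} {detail}")
    print("active response applied to:", blocked)
```

The brute-force rule fires exactly once when the fifth failure lands inside the window, which is the "remember past events" property the lesson attributes to context signatures; bob's single failure at 09:16 raises only the content alarm.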
Active vs. Passive HIDS • IDSs are distinguished by how they examine activity and whether or not they interact with that activity. • A passive system watches the activity, analyzes it, and generates alarms. • It does not interact with the activity itself in any way. • It does not modify the defensive posture of the system to react to the traffic. • An active IDS contains the same components and capabilities as the passive IDS. • However, the active IDS reacts to the activity it is analyzing.
Network IDS Components • A network-based IDS (NIDS) examines network traffic. • It analyzes traffic by protocol, type, amount, source, destination, content, and traffic already seen. • The analysis must happen quickly regardless of network speed. • The components are similar to those of a host-based system: • Traffic collector • Analysis engine • Signature database • User interface
Network-Based IDS • What does it look for? • Like host-based systems, a network-based IDS looks for activities that represent hostile actions or misuse. • Denial-of-Service attacks • Port scans or sweeps • Malicious content in the data payload of a packet or packets • Vulnerability scanning • Trojans, viruses, or worms • Tunneling • Brute-force attacks
Network IDS Traffic Collector • The traffic collector behaves the same way as a network traffic sniffer by analyzing every packet. • The traffic collector attaches itself logically to a network interface card (NIC) and instructs the NIC to accept every packet it can. • A NIC that accepts and processes every packet regardless of the packet's origin and destination is said to be in “promiscuous” mode.
NIDS Analysis Engine • Same function as in a HIDS, but with substantial differences. • Must be capable of collecting packets and examining them individually. • If necessary, it reassembles them into an entire traffic session. • Pattern and signature matching is more complicated than for host-based signatures. • Compares current traffic to past traffic to determine whether or not it fits a larger pattern of malicious activity. • The network-based analysis engine must be able to keep up with the flow of traffic on the network, rebuilding network sessions and matching patterns in real time.
NIDS Signature Database • The NIDS signature database is usually larger than that of a HIDS. • The IDS must recognize traffic targeted at different applications and OSs as well as traffic from a variety of threats such as worms, assessment tools, and attack tools. • Some of the signatures are large. • The IDS must examine network traffic occurring in a specific order over a period of time in order to match a particular malicious pattern.
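Why the NIDS engine has to rebuild sessions before matching, and why it must also keep state across packets, is easiest to see on data. The following is an added example, not code from the lesson: it takes constructed packet records, reassembles each TCP session by sequence number, and shows that a content signature split across two out-of-order segments is missed per packet but found on the rebuilt stream; a second, context signature counts distinct destination ports per source to flag the port sweep listed on the "what does it look for" slide. Addresses, ports, payloads and the signature set are constructed.

```python
"""Toy NIDS analysis engine over constructed packet records. Example code,
not from the lesson; every address, port and payload is constructed."""
from collections import defaultdict

# Packet records: (src, sport, dst, dport, seq, payload). The traversal string
# in session 40002 is split across two segments that also arrive out of order.
PACKETS = [
    ("203.0.113.7", 40001, "192.0.2.10", 80, 1000, b"GET /index.html HTTP/1.0\r\n\r\n"),
    ("203.0.113.7", 40002, "192.0.2.10", 80, 1015, b"../etc/passwd HTTP/1.0\r\n\r\n"),
    ("203.0.113.7", 40002, "192.0.2.10", 80, 1000, b"GET /images/../"),
]
# Ten empty segments from a second source to ten distinct ports: a port sweep.
PACKETS += [("198.51.100.77", 50000 + i, "192.0.2.10", 21 + i, 1, b"")
            for i in range(10)]

# Signature database (constructed): content signatures are byte patterns.
CONTENT_SIGNATURES = {"path-traversal": b"../../etc/passwd"}
PORT_SWEEP_THRESHOLD = 10   # distinct ports from one source to one host (assumption)


def scan_packets(packets, sigs=CONTENT_SIGNATURES):
    """Per-packet matching: cannot see a pattern that spans a segment boundary."""
    return [(name, src, sport)
            for src, sport, _, _, _, payload in packets
            for name, pat in sigs.items() if pat in payload]


def reassemble(packets):
    """Group segments by (src, sport, dst, dport), order by sequence number and
    concatenate. Assumes no overlapping or retransmitted segments."""
    flows = defaultdict(list)
    for src, sport, dst, dport, seq, payload in packets:
        flows[(src, sport, dst, dport)].append((seq, payload))
    return {flow: b"".join(p for _, p in sorted(segs)) for flow, segs in flows.items()}


def scan_streams(streams, sigs=CONTENT_SIGNATURES):
    """Matching on reassembled sessions: finds patterns split across segments."""
    return [(name, flow[0], flow[1])
            for flow, data in streams.items()
            for name, pat in sigs.items() if pat in data]


def detect_port_sweep(packets, threshold=PORT_SWEEP_THRESHOLD):
    """Context signature: one source touching many distinct ports on one host.
    Needs memory across packets, which no single-packet signature has."""
    ports = defaultdict(set)
    for src, _, dst, dport, _, _ in packets:
        ports[(src, dst)].add(dport)
    return [(src, dst, len(ps)) for (src, dst), ps in ports.items() if len(ps) >= threshold]


if __name__ == "__main__":
    print("per-packet hits :", scan_packets(PACKETS))
    streams = reassemble(PACKETS)
    print("per-stream hits :", scan_streams(streams))
    print("port sweeps     :", detect_port_sweep(PACKETS))
```

A real engine also has to decide what to do with overlapping or retransmitted segments, because an attacker who knows the sensor and the target reassemble differently can hide the pattern in the disagreement; the toy above sidesteps that by assuming clean, non-overlapping segments.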
Advantages and Disadvantages of NIDS • NIDS advantages • It takes fewer systems to provide IDS coverage. • Deployment, maintenance, and upgrade costs are usually lower. • A network-based IDS has visibility into all network traffic and can correlate attacks among multiple systems. • NIDS disadvantages • It is ineffective when traffic is encrypted. • It cannot see traffic that does not cross it. • It must be able to handle high volumes of traffic. • It does not know about activity on the hosts themselves.
Active vs. Passive NIDS • NIDS systems can be distinguished by how they examine the traffic and whether or not they interact with that traffic. • In a passive system, the IDS watches the traffic, analyzes it, and generates alarms. However, it does not interact with the traffic or modify the defensive posture of the system to react to the traffic. • An active IDS contains all the same components and capabilities of the passive IDS with one critical addition. • The active IDS may react to the traffic it is analyzing.
NIDS Architecture • To determine how to deploy IDS, one needs only answer the question: What do I most need to protect? • Typical locations of IDS sensors • Just inside the firewall - bottleneck • On the DMZ – first point of entry • On the server farm segment - monitoring of mission-critical application servers • On network segments connecting mainframe or midrange hosts
Defense via TCP Reset • A common defense for an active IDS is to send a TCP reset message. • Within the TCP protocol, the reset message (RST) essentially tells both sides to drop the session and stop communicating • RST affects only the current session and there is nothing to prevent the attacker from coming back and trying again. • Although temporary, sending a RST is usually the only defensive measure implemented on IDS deployments. • The fear of blocking legitimate traffic and disrupting business processes, even for a few moments, outweighs the perceived benefit of discouraging potential intruders.
IDS and Signatures • A critical element of any good intrusion detection system is the signature set. • It is a set of patterns to examine; simple or complicated, depending on the activity highlighted • Two main groups, depending on what the signature is looking for: • Content Signatures - look at the content of packets or log entries, are easy to build, and look for something simple such as a certain string of characters or a certain flag set in a TCP packet. • Context Signatures are more complicated and resource intensive since they match large patterns of activity and examine how certain types of activities fit into the other activities going on around them. • The IDS must “remember” past events to match certain context signatures.
False Positives and Negatives • There are really only two possible decisions for the IDS: • the activity can be positively identified as an attack, or just the opposite, it can be identified as benign. • IDS must correctly identify intrusions and attacks • True positives • True negatives • However, there is no way for an IDS to know the true intent behind an activity and determine whether or not it is benign or hostile. • It is limited by its signature set. It can match only the activity for which it has stored patterns.
Dealing with False Negatives and False Positives • False negatives occur when the pattern of traffic is not identified in the signature database. To resolve: • Obtain more coverage by using a combination of network-based and host-based IDS • Deploy NIDS at multiple strategic locations in the network • False positives happen when the IDS mistakenly reports certain benign activity as malicious • Best-case false positives require human intervention to diagnose the event. • Worst-case false positives can cause the legitimate traffic to be blocked by a router or firewall. • The tuning process allows the administrator to instruct sensors not to alarm
Misuse and Anomaly-based IDS • In addition to being divided along host and network lines, IDSs are often classified according to the detection model they use: anomaly or misuse. • In the anomaly model, the IDS must know what “normal” behavior really is. • The IDS can then identify deviations from the norm, which are further scrutinized to determine if that activity is malicious. • Building the profile of normal activity is usually done by the IDS and security administrators, and can take days or months. • The IDS must be flexible and capable enough to account for things such as new systems, new users, and movement of information resources. • However, it must be sensitive enough to detect a single user illegally switching from one account to another at 3 a.m. on a Saturday.
Anomaly/Misuse • Anomaly (behavior-based) detection was developed to make the system capable of dealing with variations in traffic. • It ignores patterns from legitimate hosts and users but can still identify suspicious patterns. • Most anomaly-based systems suffer from high false positives. • An anomaly-based system is not restricted to a specific signature set. • In a misuse detection model, the IDS looks for suspicious activity or activity that violates specific policies and then reacts. • This is the more efficient model. • It takes fewer resources to operate, does not need to learn what “normal” behavior is, and generates an alarm whenever a pattern is successfully matched. • Its greatest weakness is its reliance on predefined signatures.
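The false-positive, false-negative and tuning points of the last three slides, and the anomaly-versus-misuse contrast, can be made concrete with a small labelled data set. The following is an added example, not code from the lesson: the anomaly model builds a profile of "normal" daily outbound volume (mean and standard deviation of a constructed training set) and alarms when a new observation deviates by more than a z-score threshold; the misuse model matches one predefined signature (a constructed known-bad destination). A confusion matrix at two thresholds shows how tuning trades false positives against false negatives, and why the two models catch different things. All volumes, addresses and ground-truth labels are constructed.

```python
"""Anomaly-based vs. misuse-based detection on constructed events, with a
confusion matrix to show the tuning trade-off. Example code, not from the
lesson; training values, events, labels and the bad-destination list are assumptions."""
import statistics

# Constructed training set: daily outbound megabytes from one workstation,
# gathered during the "learn what normal is" period.
TRAINING_MB = [110, 95, 120, 105, 100, 115, 90, 125, 105, 100]

# Constructed labelled events. "attack" is ground truth the IDS never sees.
EVENTS = [
    {"mb": 108, "dst": "198.51.100.20", "attack": False},
    {"mb": 140, "dst": "198.51.100.21", "attack": False},  # month-end backup: benign outlier
    {"mb": 130, "dst": "198.51.100.22", "attack": False},
    {"mb": 95,  "dst": "198.51.100.20", "attack": False},
    {"mb": 160, "dst": "198.51.100.50", "attack": True},   # bulk copy to an unknown host
    {"mb": 118, "dst": "203.0.113.7",   "attack": True},   # low-and-slow copy to a known-bad host
    {"mb": 100, "dst": "198.51.100.20", "attack": False},
    {"mb": 135, "dst": "198.51.100.23", "attack": False},
]
KNOWN_BAD_DST = {"203.0.113.7"}   # constructed misuse signature


def build_profile(values):
    """Profile of normal behaviour: (mean, population standard deviation)."""
    return statistics.mean(values), statistics.pstdev(values)


def anomaly_verdicts(events, profile, z_threshold):
    """Anomaly model: alarm when the observation deviates from the profile by
    more than z_threshold standard deviations, in either direction."""
    mean, std = profile
    return [abs(e["mb"] - mean) / std > z_threshold for e in events]


def misuse_verdicts(events, bad=KNOWN_BAD_DST):
    """Misuse model: alarm only on a predefined pattern."""
    return [e["dst"] in bad for e in events]


def confusion(verdicts, labels):
    """Count true/false positives/negatives for a list of verdicts."""
    c = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for alarm, is_attack in zip(verdicts, labels):
        key = "tp" if alarm and is_attack else "fp" if alarm else "fn" if is_attack else "tn"
        c[key] += 1
    return c


def combined_verdicts(events, profile, z_threshold):
    """Alarm if either model alarms: the two models cover different gaps."""
    return [a or m for a, m in zip(anomaly_verdicts(events, profile, z_threshold),
                                    misuse_verdicts(events))]


if __name__ == "__main__":
    profile = build_profile(TRAINING_MB)
    labels = [e["attack"] for e in EVENTS]
    print("profile mean=%.1f std=%.1f" % profile)
    for z in (2.0, 3.0):
        print(f"anomaly z>{z}:", confusion(anomaly_verdicts(EVENTS, profile, z), labels))
    print("misuse only  :", confusion(misuse_verdicts(EVENTS), labels))
    print("combined z>3 :", confusion(combined_verdicts(EVENTS, profile, 3.0), labels))
```

Raising the threshold from 2 to 3 removes two of the three false positives without losing the true positive, which is what the lesson's tuning step does in practice; the low-and-slow case stays a false negative for the anomaly model at any sensible threshold and is caught only because the misuse model had a signature for it, while the bulk copy to an unknown host is caught only by the anomaly model.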
IDS Products and Vendors There are quite a few IDSs available today, with prices ranging from free to very expensive.
IPS • A preventative IDS (IPS) is simple: it is configured to respond to an attempted intrusion without your intervention. • The IPS provides a faster reaction and thus less likelihood of damage occurring due to the intrusion. On the other hand, it can also disrupt legitimate network traffic in response to a "false alarm." • An IPS will typically be a mixture of HIDS and NIDS. • The host-based portion serves as a security wrapper for the protected system, catching known malicious patterns and stopping the attack before it is allowed to execute and affect the local system. • The network-based portion operates in a similar manner, catching the malicious activity and preventing it from reaching the intended target.
Honeynets and Pots • One of the most effective techniques for collecting information about malicious activity is to observe it first-hand: • watching attackers as they probe, navigate, and exploit their way through a network. • A honeypot is an artificial environment where attackers can be contained and observed without putting real systems at risk.
Honeypots • When attackers connect to the honeypot, they are presented with an entire “virtual” network of servers and PCs running a variety of applications, giving the appearance of a real network. • A few systems run specialized software to simulate user and network traffic, especially versions of applications that are known to be vulnerable to specific exploits. • Honeypots and Spam
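The smallest honeypot is a fake service that accepts connections, presents a plausible banner, records everything the peer sends, and never does anything real with it. The following is an added example, not code from the lesson: a low-interaction listener on the loopback address with a constructed SMTP-style banner, plus a `probe()` client that stands in for whatever connects to it, so the whole exchange can be run offline. The banner text, the 1 KiB capture limit and the timeouts are assumptions.

```python
"""Minimal low-interaction honeypot on loopback. Example code, not from the
lesson; the banner and limits are constructed. It records connections and the
first bytes sent, and never interprets or executes any of them."""
import socket
import threading
import time


class Honeypot:
    BANNER = b"220 mail.example.test ESMTP ready\r\n"  # constructed banner, looks like a mail server

    def __init__(self, host="127.0.0.1"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, 0))  # port 0: let the OS pick a free port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.records = []           # one dict per connection: time, peer, captured bytes
        self.lock = threading.Lock()
        self._stop = threading.Event()
        self.thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self.thread.start()
        return self.port

    def stop(self):
        self._stop.set()
        self.sock.close()
        self.thread.join(timeout=2)

    def _serve(self):
        self.sock.settimeout(0.2)   # wake periodically to check the stop flag
        while not self._stop.is_set():
            try:
                conn, addr = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:         # listening socket closed by stop()
                break
            threading.Thread(target=self._handle, args=(conn, addr), daemon=True).start()

    def _handle(self, conn, addr):
        """Send the banner, capture up to 1 KiB of whatever arrives, then log it.
        Nothing received is parsed or acted on: the value is in the record."""
        conn.settimeout(2)
        data = b""
        try:
            conn.sendall(self.BANNER)
            while len(data) < 1024:
                chunk = conn.recv(1024 - len(data))
                if not chunk:
                    break
                data += chunk
        except (socket.timeout, OSError):
            pass
        finally:
            conn.close()
        with self.lock:
            self.records.append({"time": time.time(), "peer": addr[0], "data": data})

    def wait_for_records(self, n, timeout=5):
        """Block until at least n connections have been recorded (or timeout)."""
        deadline = time.time() + timeout
        while time.time() < deadline:
            with self.lock:
                if len(self.records) >= n:
                    return list(self.records)
            time.sleep(0.05)
        with self.lock:
            return list(self.records)


def probe(port, payload):
    """Constructed client standing in for something that connects to the honeypot:
    read the banner, send some bytes, disconnect. Returns the banner it saw."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
        banner = s.recv(1024)
        s.sendall(payload)
    return banner


if __name__ == "__main__":
    hp = Honeypot()
    port = hp.start()
    print("banner seen by client:", probe(port, b"EHLO scanner\r\n"))
    for rec in hp.wait_for_records(1):
        print("recorded:", rec)
    hp.stop()
```

Because nothing legitimate should ever connect to a honeypot, every record it produces is a high-signal event with none of the false-positive problem the IDS slides describe; the cost is that it only sees activity directed at the decoy itself.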
Incident Response • Incident response is how an organization reacts to unusual behavior. When building response procedures, consider: • What immediate steps need to be taken? • Does the security posture need to be modified? When? How? • Who needs to be notified of this event? When? How? • What impact does this have on business operations? • What tools will be used to investigate this incident? Who will use them and how? • Which is more important, system recovery or evidence collection?
Where is it going? 1st Generation IDS • Signature-based libraries are obsolete: • Too many alerts to manage; can’t tell the difference between an event and a non-event • Too many false positives • Too many ways to fool it • The future will be a hybrid. • Monitoring at the edge and core, with sensor devices and remediation consoles all over the network.
Solutions • SIM layering provides proprietary vulnerability management, anomaly detection, networked assessment and honeypot modules alongside IDS modules. • IDS and IPS provide anomaly detection, heuristics, traffic pattern analysis, application analysis, payload analysis, and passive vs. active listening. • IPS: intrusion prevention systems reduce reliance on signatures and avoid the false-positive mistakes of IDS on inbound traffic. • IPS won’t replace IDS, which can stop internal attacks from rogue access points or laptops.
Third Generation • Future: kernel-level security policies enforced on each endpoint device will rid the network of vulnerabilities. IDS and IPS will fade altogether and the SIM console will be used primarily for compliance checks and policy updates.