A survey of commercial tools for intrusion detection

Outline: Introduction; Systems analyzed; Methodology; Results; Conclusions

Cao er Kai, INSA lab, 2003.09
1. Introduction
• Intrusion Detection Systems
• Generic ID architecture
• Common Intrusion Detection Framework (CIDF) - DARPA (Defense Advanced Research Projects Agency)
  • Event generators (E-boxes)
  • Event analyzers (A-boxes)
  • Event databases (D-boxes)
  • Event response units (R-boxes)
• Event generators: obtain information from sources and transform it into a standard format (gido)
• Event analyzers: statistical analysis and pattern-recognition searching
• Event databases: storage of events and information (gidos)
• Response units: initiate the proper response
3. Methodology
• Comparison criteria
  • Granularity of data processing
  • Source of audit data (raw events)
    • Network-based: Ethernet (sees all traffic on the segment)
    • IPSEC
    • Host-based: security logs
  • Detection method
    • Rule based
    • Anomaly based
  • Response to detected intrusions
    • Passive
    • Active
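The CIDF boxes from the introduction and the detection-method and response criteria above fit together as one pipeline. The following is an added example written for this page, not code from the survey or from any product it covers: an E-box parses constructed sshd-style audit lines into gidos, a rule-based A-box counts failed logins per source against a site-tunable threshold (the rule list is where a site adds its own patterns), an anomaly-based A-box compares successful logins against a constructed per-user baseline of usual source addresses, a D-box keeps events and alerts, and an R-box produces passive notifications and, when enabled, the block list an active response would hand to a firewall. Rule names, the baseline and all addresses are constructed values.

```python
"""Minimal CIDF-style intrusion detection pipeline (added example, not from the survey)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sshd-style audit lines; addresses are documentation ranges, not real hosts.
SAMPLE_AUDIT = [
    "Jan 10 10:00:01 host1 sshd[100]: Accepted password for alice from 192.0.2.10 port 5000 ssh2",
    "Jan 10 10:00:05 host1 sshd[101]: Failed password for root from 203.0.113.5 port 5001 ssh2",
    "Jan 10 10:00:06 host1 sshd[102]: Failed password for root from 203.0.113.5 port 5002 ssh2",
    "Jan 10 10:00:07 host1 sshd[103]: Failed password for root from 203.0.113.5 port 5003 ssh2",
    "Jan 10 10:00:09 host1 sshd[104]: Accepted password for alice from 198.51.100.7 port 5004 ssh2",
    "Jan 10 10:00:10 host1 sshd[105]: Failed password for bob from 192.0.2.11 port 5005 ssh2",
    "Jan 10 10:00:11 host1 cron[200]: (root) CMD (run-parts /etc/cron.hourly)",  # not an sshd event
]

# Constructed baseline for the anomaly analyzer: sources each user normally logs in from.
BASELINE_SOURCES = {"alice": {"192.0.2.10"}, "bob": {"192.0.2.11"}}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) password for (?P<user>\S+) from (?P<src>\S+)"
)


@dataclass(frozen=True)
class Gido:
    """Generalized intrusion detection object: one audit event in a common format."""
    ts: str
    host: str
    outcome: str  # "accepted" or "failed"
    user: str
    src: str


def event_generator(raw_lines):
    """E-box: turn raw audit lines into gidos, dropping lines the parser does not understand."""
    events = []
    for line in raw_lines:
        m = LINE_RE.match(line)
        if m:
            events.append(Gido(m["ts"], m["host"], m["outcome"].lower(), m["user"], m["src"]))
    return events


# Rule-based A-box: each rule is (name, watched account, failure threshold); a site
# adds or tunes entries here, which is the "adaptivity" criterion in practice.
DEFAULT_RULES = [("ssh-bruteforce-root", "root", 3)]  # hypothetical rule name


def rule_analyzer(events, rules=DEFAULT_RULES):
    """A-box (rule based): threshold or more failed logins for a watched account from one source."""
    failures = Counter((e.user, e.src) for e in events if e.outcome == "failed")
    alerts = []
    for name, user, threshold in rules:
        for (u, src), n in failures.items():
            if u == user and n >= threshold:
                alerts.append({"rule": name, "src": src, "count": n, "kind": "rule"})
    return alerts


def anomaly_analyzer(events, baseline=BASELINE_SOURCES):
    """A-box (anomaly based): successful login from a source outside the user's profile."""
    return [
        {"rule": "unusual-source", "user": e.user, "src": e.src, "kind": "anomaly"}
        for e in events
        if e.outcome == "accepted" and e.src not in baseline.get(e.user, set())
    ]


class EventDatabase:
    """D-box: keeps gidos and the alerts raised on them for later analysis and reporting."""

    def __init__(self):
        self.events, self.alerts = [], []


def response_unit(alerts, active=False):
    """R-box: passive response formats notifications (e-mail/pager stand-in); active
    response returns the sources an operator-approved firewall rule would block."""
    notices = [f"ALERT {a['rule']} src={a['src']}" for a in alerts]
    blocklist = sorted({a["src"] for a in alerts if a["kind"] == "rule"}) if active else []
    return notices, blocklist


def run_pipeline(raw_lines, active=False):
    db = EventDatabase()
    db.events = event_generator(raw_lines)
    db.alerts = rule_analyzer(db.events) + anomaly_analyzer(db.events)
    notices, blocklist = response_unit(db.alerts, active)
    return db, notices, blocklist


if __name__ == "__main__":
    db, notices, blocklist = run_pipeline(SAMPLE_AUDIT, active=True)
    print("\n".join(notices))
    print("active response would block:", blocklist)
```

On the constructed input the rule analyzer raises one alert for the three root failures from 203.0.113.5, and the anomaly analyzer raises one for alice's accepted login from a source outside her baseline; only the rule alert feeds the active block list, which is the kind of distinction the "legal aspects" bullet in the results section is about.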
• System organization
  • Centralized: data analysis
  • Distributed: data collection
• Security: ability to withstand attacks against itself
• Degree of interoperability
  • Exchange of audit data records
  • Exchange of misuse patterns or statistical information about user activities
  • Exchange of alarm reports and event notifications
• Manageability (e.g. HP OpenView, BMC Patrol)
• Adaptivity
• System and network infrastructure requirements (e.g. TCP/IP)
4. Results
• Functional aspects
  • Granularity of data processing
    • Real-time (e.g. T-Sight)
  • Source of audit data (raw events)
    • Host-based (H)
    • Both host-based and network-based (NW/H)
    • Network-based (NW): switched networks; network encryption
  • Response to detected intrusions
    • Passive responses: sending e-mails, paging or displaying alert messages
    • Active responses
      • Network-based systems: terminating transport-level sessions
      • Host-based systems: control processes, terminate network sessions
      • Interfaces to network management applications: SNMP (send traps)
      • Interfaces to network elements: firewall control of sessions/connections
    • Service availability aspects
    • Legal aspects: "returning fire"
• Degree of interoperability
  • Exchange of audit data records
  • Exchange of security policies
  • Exchange of misuse patterns or statistical information about user activities
  • Exchange of alarm reports, event notifications and response mechanisms
• Adaptivity (customization)
  • Adding new intrusion patterns
  • Adapting rules for site-specific protocols and applications
• Detection method
  • Rule-based detection
  • Anomaly-based detection
• Detection capabilities
  • Physical and data-link layer
  • Network and transport layer
  • Operating systems
  • Applications, databases, management and support systems, office automation
• Security aspects
  • Confidentiality of audit data
  • Integrity of audit data: using encryption
  • Confidentiality of the detection policy
  • Integrity of the detection policy
  • Protection of response mechanisms
  • Availability
  • Encrypted communication channels
  • Heartbeat functions
  • Stealth behavior
  • Access control
  • Weaknesses of network-based systems
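Two of the security aspects listed, integrity of audit data and heartbeat functions, are concrete enough to show in code. The following is an added example written for this page, not code from the survey or from any product it covers. Where the slide says integrity "using encryption", the example uses a keyed hash (HMAC), which is the standard integrity primitive: each audit record a sensor sends to its manager carries an HMAC chained over the previous record's tag, so a modified, dropped or reordered record fails verification at the manager. The heartbeat check flags sensors whose last heartbeat is older than an allowed gap. The key, record contents, sensor names and timestamps are all constructed.

```python
"""Integrity-protected audit records and a heartbeat check (added example, not from the survey)."""
import hashlib
import hmac
import json

# Constructed demo key shared between sensor and manager; a real deployment provisions
# a per-sensor secret and never embeds it in source.
AUDIT_KEY = b"constructed-demo-key-not-for-production"

# Constructed audit records as a sensor would emit them.
SAMPLE_RECORDS = [
    {"ts": 1, "sensor": "sensor-a", "msg": "failed login root from 203.0.113.5"},
    {"ts": 2, "sensor": "sensor-a", "msg": "failed login root from 203.0.113.5"},
    {"ts": 3, "sensor": "sensor-a", "msg": "session terminated 203.0.113.5"},
]

# Constructed heartbeat table: sensor name -> time of last heartbeat received (seconds).
SAMPLE_HEARTBEATS = {"sensor-a": 100, "sensor-b": 40}


def _encode(rec):
    """Canonical byte form of a record so sensor and manager hash identical input."""
    return json.dumps(rec, sort_keys=True, separators=(",", ":")).encode()


def seal_records(records, key=AUDIT_KEY):
    """Sensor side: attach to each record an HMAC over (previous tag || record).
    Chaining the previous tag in means deleting or reordering records breaks the chain,
    not just editing one."""
    sealed, prev = [], b""
    for rec in records:
        tag = hmac.new(key, prev + _encode(rec), hashlib.sha256).hexdigest()
        sealed.append({"rec": rec, "tag": tag})
        prev = tag.encode()
    return sealed


def verify_records(sealed, key=AUDIT_KEY):
    """Manager side: return the index of the first record that fails verification,
    or None if the whole chain is intact."""
    prev = b""
    for i, item in enumerate(sealed):
        expected = hmac.new(key, prev + _encode(item["rec"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, item["tag"]):
            return i
        prev = item["tag"].encode()
    return None


def silent_sensors(last_heartbeat, now, max_gap):
    """Heartbeat function: sensors whose last heartbeat is older than max_gap seconds.
    A silent sensor may be down, cut off or under attack; either way its coverage is gone."""
    return sorted(name for name, t in last_heartbeat.items() if now - t > max_gap)


if __name__ == "__main__":
    sealed = seal_records(SAMPLE_RECORDS)
    print("intact chain verifies as:", verify_records(sealed))
    tampered = [sealed[0], {"rec": dict(sealed[1]["rec"], msg="nothing happened"), "tag": sealed[1]["tag"]}, sealed[2]]
    print("first bad record after tampering:", verify_records(tampered))
    print("silent sensors:", silent_sensors(SAMPLE_HEARTBEATS, now=130, max_gap=60))
```

Verification stops at the first bad index so the manager can report exactly where the chain broke; a dropped middle record shows up at the position of the record that followed it, because that record's tag was computed over the missing one's tag.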
• Architectural aspects
  • System organization
    • Distributed environment
    • Single host or network segment
  • System and network infrastructure requirements
    • Operating systems
    • Network technology
• Operational aspects
  • Performance aspects
    • Communication overhead: in network-based intrusion detection, the overhead is caused by the distribution of audit data and the communication between the various subsystems of the IDS.
    • Computational overhead: host-based IDS execute and collect audit data on the target they monitor.
• Management aspects
  • Configuration management: management of the detection capability and the corresponding response mechanisms
  • Security management
    • Access security
    • Audit trails and security alarms
  • Security of management
    • Authenticity
    • Integrity
    • Confidentiality
    • Availability
  • Management interfaces
  • Management model
    • Many-to-many
    • One-to-many
    • One-to-one
5. Conclusions
• The role of IDS in corporate security infrastructures: IDS are not a substitute for other security services such as firewalls, authentication servers, etc.
• Host-based versus network-based IDS
• Security of the IDS itself
• Lack of modularity and interoperability
• Background of vendors
RealSecure
• Architecture:
  • RealSecure Engines
    • Network interface: Ethernet, Fast Ethernet, FDDI and Token Ring
    • Packet capture module
      • Windows NT: network service
      • Solaris: Data Link Provider Interface
    • Filter module
    • Attack recognition module
    • Response module

RealSecure
• RealSecure Agents
• RealSecure Manager
  • Central real-time alarm
  • Central data management
  • Central engine configuration
Intruder Alert
• Architecture
  • Interface console
  • Manager (the interface console and manager run only on Windows NT/95)
  • Agents

Intruder Alert
• Intruder Alert Domains: groups of agents/hosts
• Intruder Alert Policies
  • Drop & Detect policies
  • Detect and Respond policies
  • Custom-configurable policies
  • Carte Blanche
NetRanger
• Architecture
  • Sensors: Ethernet, Fast Ethernet, Token Ring and FDDI
  • Director
  • Post Office

Stake Out I.D.
• Architecture
  • Network observation
  • Intrusion detection
  • Evidence logging
  • Alert notification
  • Incident analyzer/reporter

Kane Security Monitor
• Architecture
  • Monitoring console
  • Collection auditor and alerting engine
  • Intelligent agents

Session Wall-3
• Architecture
  • Network usage reporting
  • Network security
  • Web and internal usage policy monitoring and controls
  • Company preservation

Entrax
• Architecture
  • Command console
  • Assessment manager
  • Alert manager
  • Detection policy editor
  • Audit policy editor
  • Collection policy editor
  • Report manager
  • Target agent

CyberCop
• Architecture
  • CyberCop Sensors
  • CyberCop Management Server