Intrusion Detection System (IDS)
By:- Er. Magandeep Kaur (G.P.C. Bathinda)
Punjab EDUSAT Society (PES)
What is IDS?
• IDS are tools for obtaining security in networks.
• They help the administrator to detect & respond to the malicious attacks which the firewall was not able to detect & filter.
• An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities.
• An IDS is required to detect all types of malicious network traffic and computer usage that can't be detected by a conventional firewall.
• This includes network attacks against services, attacks on applications, unauthorized logins and access to sensitive files, etc.
• IDS thus form the second line of defence against malicious hackers & attackers.
Comparison with firewalls
• Though they both relate to network security, an IDS differs from a firewall in that a firewall looks outwardly for intrusions in order to stop them from happening.
• Firewalls limit access between networks to prevent intrusion and do not signal an attack from inside the network.
• An IDS evaluates a suspected intrusion once it has taken place and signals an alarm.
• A system that terminates connections is called an intrusion prevention system, and is another form of application layer firewall.
• Networks normally use a firewall for protection against security threats, but firewalls can rarely identify the type of attack.
• An IDS has therefore proven to be an excellent tool for monitoring the type of attack.
• There are two types of intrusion detection system:
 1. Reactive IDS
 2. Passive IDS
• Reactive IDS: one in which, if an intruder or attack is detected, it does not alert the user.
• Passive IDS: one in which the user is alerted in silent mode, i.e. through mails, pagers, etc.
• A better way to understand IDS would be to take your house as an example.
• The locks on your doors & windows stop strangers from gaining access to your house. These are your firewalls.
• A person having keys to your door locks, or who has some way to open them, can pass through the doors & windows, i.e. one having keys is an authorized person whom your firewalls allow to pass through.
• But this firewall cannot detect whether that authorized person has malicious intentions or not.
• These can, however, be detected by an IDS.
• An IDS is a combination of early warning & alarm system.
• When someone attempts to force entry into your house, your alarm will sound to scare off the intruder (a “reactive” IDS), or it might make a silent phone call to the local police station (a “passive” IDS).
Need of IDS
• For any company with a connection to the internet, a firewall should always be your first line of defence.
• But firewalls can be attacked, & one way to plug these gaps in your security is to use an IDS.
Following are some reasons why we need IDS:
• Trojans: A Trojan is a bad program that you have been hoodwinked into installing on your computer in the belief that it is a good program.
• Spyware: It is generally a particular type of Trojan. Its purpose is to sit quietly & hidden on your computer & to send information back to its originator. It spies on you, stealing confidential information, passwords, credit card details, etc.
Advantages of IDS
• General benefits of an IDS include the following:
• It can detect the unauthorized user.
• It can detect password cracking & denial of service.
• It can catch illegal data manipulations.
• It monitors & analyses system events & user behaviour.
• It manages OS audit & logging mechanisms & the data they generate.
• It alerts appropriate staff by appropriate means when attacks are detected.
• They can detect & alert on malicious code like viruses, worms, Trojan horses, etc.
• They are similar to a security camera & burglar alarm.
• They can detect most security threats & in some cases they are more reliable than firewalls.
Limitations of IDS
• IDS are unable to catch the events of a teardrop attack.
• A teardrop attack occurs when an attacker sends fragments of data that a system is unable to reassemble.
• Such an attack may lead to freezing of the system.
• Most of them are unable to detect & prevent misuse or unintended consequences.
• A direct attack on the IDS by an attacker also finishes off its ability to detect intrusion, so the attacker tries to shut down the IDS & then attack the network.
• Not all IDS are compatible with all routers.
What IDS ‘CAN and CANNOT’ provide
• The IDS, however, is not an answer to all your security related problems.
• You have to know what you CAN, and CAN NOT, expect of your IDS.
• In the following subsections I will try to show a few examples of what Intrusion Detection Systems are capable of, but each network environment varies and each system needs to be tailored to meet your enterprise environment's needs.
The IDS CAN provide the following:
• CAN add a greater degree of integrity to the rest of your infrastructure.
• CAN trace user activity from point of entry to point of impact.
• CAN recognize and report alterations to data.
• CAN automate the task of monitoring the Internet for the latest attacks.
• CAN detect when your system is under attack.
• CAN detect errors in your system configuration.
• CAN guide the system administrator in the vital step of establishing a policy for your computing assets.
• CAN make the security management of your system possible by non-expert staff.
The IDS CAN NOT provide:
• CAN NOT compensate for weak identification and authentication mechanisms.
• CAN NOT conduct investigations of attacks without human intervention.
• CAN NOT compensate for weaknesses in network protocols.
• CAN NOT compensate for problems in the quality or integrity of information the system provides.
• CAN NOT analyze all the traffic on a busy network.
• CAN NOT always deal with problems involving packet-level attacks.
• CAN NOT deal with some of the modern network hardware and features.
Who needs to be involved?
• In order to identify critical systems the following people MUST be involved:
• Information Security Officers
• Network Administrators
• Database Administrators
• Senior Management
• Operating System Administrators
• Data owners
• Without those individuals involved, the resources will not be used efficiently.
My IDS is up, what now?
• Once your IDS is up and operational, you must dedicate a person to administer it.
• Logs must be reviewed, and traffic must be tailored to meet the specific needs of your company.
• You must know that an IDS must be maintained and configured.
• If you feel that you lack knowledgeable staff, get a consultant to help, and train your personnel.
• Otherwise you will lose a lot of time and money trying to figure out what is wrong.
Emergency response procedure must outline:
• Who will be the first point of contact.
• A list of all the people who will need to be contacted.
• The person responsible for decision making on how to proceed in the emergency situation.
• The person responsible for investigation of the incident.
• Who will handle the media, in case the incident gets out.
• How the information about the incident will be handled.
Where do I find an Intrusion Detection mechanism?
• After we have decided that we need an intrusion detection mechanism, we have to find out where to get it.
• Below I provide a list of vendors that offer Intrusion Detection products and services.
• Products vary from freeware to commercially available.
• Freeware:
 - Snort - http://www.snort.org/
 - Shadow
• Commercially available:
 - RealSecure from ISS - http://www.iss.net/customer_care/resource_center/product_lit/
 - NetProwler from Symantec - http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=50&PID=5863267
 - NFR - http://www.nfr.com/
Types of IDS
• IDS can be categorized in 3 different ways:
• Host based ID systems
• Network based ID systems
• Application based IDS
Host based ID system (HIDS)
• These are concerned with what is happening on each individual computer or host.
• They are able to detect such things as repeated failed access attempts or changes to system files.
• HIDS are installed on the hosts they have to keep an eye on & monitor.
• A host can be a server, workstation or any network device such as a router, printer or gateway.
• HIDS do monitoring, reporting & direct interaction at the application layer.
• They can inspect each incoming command, looking for signs of maliciousness & unauthorized file changes.
• The disadvantage of host based IDS is that they are harder to manage, as information must be configured & managed for every host monitored.
• Most HIDS can monitor only specific types of systems, e.g. the HIDS CyberCop Server can only protect web servers.
• If the server is running multiple services like file sharing, DNS, etc., then the HIDS might not be able to detect an intrusion.
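The two HIDS checks named on these slides, repeated failed access attempts and changes to system files, in working form. This is an added example, not code from the slides or from any of the products they mention; the auth-log lines, file contents and the five-failures threshold are all constructed for the example.

```python
"""Added example: a toy host-based IDS with the two checks the slides name,
repeated failed access attempts and changes to system files.
Everything here (log lines, file contents, thresholds) is constructed."""
import hashlib
import re
from collections import Counter

# Constructed auth-log lines in the style of OpenSSH on Linux; not from a real host.
SAMPLE_AUTH_LOG = """\
Mar  3 09:14:02 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 09:14:04 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar  3 09:14:06 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Mar  3 09:14:09 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar  3 09:14:11 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar  3 09:15:30 web01 sshd[2107]: Accepted publickey for deploy from 192.0.2.10 port 40112 ssh2
Mar  3 09:16:01 web01 sshd[2110]: Failed password for deploy from 192.0.2.10 port 40113 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")


def failed_login_sources(log_text, threshold=5):
    """Count failed logins per source address and return {address: count}
    for every address that reached the threshold (one typo is not an alert,
    five failures from one address in two minutes is)."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED_RE.search(line)
        if match:
            counts[match.group(2)] += 1
    return {addr: n for addr, n in counts.items() if n >= threshold}


def snapshot(files):
    """Baseline of monitored files as {path: sha256 hex}. `files` maps path -> bytes
    so the example runs offline; a real HIDS would read the files from disk."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def compare(baseline, current):
    """Report which monitored files were modified, added or removed since the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


# Constructed file contents: the baseline taken at install time, and a later scan
# in which /etc/passwd gained a line and an unexpected cron job appeared.
BASELINE_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
}
CURRENT_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\nsvc:x:0:0::/:/bin/sh\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
    "/etc/cron.d/unexpected": b"* * * * * root /tmp/run.sh\n",
}


def run_checks():
    """Run both checks and return the alerts a HIDS would raise."""
    return {
        "failed_logins": failed_login_sources(SAMPLE_AUTH_LOG),
        "file_changes": compare(snapshot(BASELINE_FILES), snapshot(CURRENT_FILES)),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(name, result)
```

The file-integrity half is where the management cost on this slide comes from: the baseline has to be taken and kept per host, and every legitimate change (a patch, a config edit) means re-snapshotting that host or the alert becomes noise.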
Network based ID system
• It examines the individual data packets flowing through the network.
• These packets are examined & sometimes compared with original data to verify their nature, malicious or not, because NIDS are responsible for monitoring a network.
• They are able to understand all the different options that exist within a network packet & ports.
• NIDS are also able to look at the payload within the packet, i.e. see which particular web server program is being accessed & with what options.
• When an unauthorized user logs in successfully or attempts to log in, they are best tracked by the host based IDS.
• However, detecting the unauthorized user before their log on attempt is best accomplished with network based IDS.
• NIDS can detect the maliciously crafted packet that can make an attack & spoil the security of the network.
• NIDS scan any traffic that is transmitted over the segment of the network & only permit the packets that are not identified as intrusive.
• Examples of network based IDS are Shadow, Dragon, RealSecure & NetProwler.
• A disadvantage of network based IDS is that it may have difficulty in processing all packets in a large or busy network & therefore may fail to recognize an attack launched during periods of high traffic.
• Another disadvantage of network based IDS is that it cannot analyze encrypted information. This problem is increasing as more organizations use VPNs.
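What "examining the individual data packets" and "looking at the payload" amount to in code: decode the IPv4 and TCP headers, recover the payload, and match it against signatures. This is an added example, not code from the slides or from Snort, Shadow or the other products named; the two signatures and the three sample packets (a benign web request, a directory-traversal request, and a TLS record) are constructed. The TLS packet matches nothing, which is the encryption limitation on this slide: the sensor sees the headers but the payload is opaque to it.

```python
"""Added example: the packet-level inspection a NIDS performs. Decodes a raw IPv4/TCP
packet, pulls out addresses, ports and payload, and matches the payload against a small
signature list. Packets and signatures are constructed for the example."""
import re
import socket
import struct

# Two signatures in the spirit of public IDS rule sets (constructed wording, not real rule ids).
SIGNATURES = [
    ("WEB directory traversal in request URI", re.compile(rb"^(?:GET|POST) [^ ]*\.\./")),
    ("WEB request references /etc/passwd", re.compile(rb"/etc/passwd")),
]


def build_ipv4_tcp(src, dst, sport, dport, payload, flags=0x18):
    """Construct a minimal IPv4+TCP packet (checksums left zero; fine for parsing)."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return ip_hdr + tcp_hdr + payload


def parse_packet(raw):
    """Decode IPv4 and TCP headers; return None for anything that is not IPv4/TCP."""
    if len(raw) < 20:
        return None
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6 or len(raw) < ihl + 20:
        return None
    tcp = raw[ihl:total_len]
    sport, dport, _seq, _ack, off_res, flags, _win, _tcsum, _urg = struct.unpack(
        "!HHIIBBHHH", tcp[:20])
    data_off = (off_res >> 4) * 4          # TCP header length in bytes
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "sport": sport, "dport": dport, "flags": flags,
        "payload": tcp[data_off:],
    }


def inspect(raw):
    """Return the names of all signatures that match the packet's payload."""
    pkt = parse_packet(raw)
    if pkt is None:
        return []
    return [name for name, rx in SIGNATURES if rx.search(pkt["payload"])]


# Constructed sample traffic: a benign request, a traversal attempt, and a TLS record
# whose payload is opaque to the sensor (the encryption limitation noted on the slide).
BENIGN_PKT = build_ipv4_tcp("192.0.2.10", "198.51.100.5", 40112, 80,
                            b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
TRAVERSAL_PKT = build_ipv4_tcp("203.0.113.7", "198.51.100.5", 51022, 80,
                               b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n\r\n")
TLS_PKT = build_ipv4_tcp("192.0.2.10", "198.51.100.5", 40113, 443,
                         b"\x17\x03\x03\x00\x10" + bytes(range(16)))

if __name__ == "__main__":
    for label, pkt in (("benign", BENIGN_PKT), ("traversal", TRAVERSAL_PKT), ("tls", TLS_PKT)):
        print(label, parse_packet(pkt)["dport"], inspect(pkt))
```

Every packet on the segment goes through `parse_packet` and every signature is tried against every payload, which is also where the other disadvantage on this slide comes from: on a busy link the sensor falls behind and drops packets, and a packet it never inspected is a packet it cannot alert on.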
Application based IDS
• It can monitor the interaction between user & application, which often allows it to trace unauthorized activity to individual users.
• Application based IDS can work in encrypted environments, since they interface with the application at transaction endpoints, where information is presented to the user in encrypted form.
Misuse & anomaly detection system
• Misuse detection within network based IDS involves checking for illegal types of network traffic.
• Detection of anomalous activity relies on the system knowing what is regular network traffic & what isn’t.
• Many modern systems use a combination of both misuse & anomaly detection.
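The two approaches on this slide side by side: misuse detection as explicit rules for traffic that no legitimate TCP stack produces, and anomaly detection as a statistical baseline of how many new connections a source normally opens per minute. This is an added example, not code from the slides; the flow records, the training rates and the three-standard-deviations cut-off are constructed, and the rule list is deliberately short.

```python
"""Added example: misuse detection (explicit rules for illegal traffic) next to anomaly
detection (a statistical baseline of what regular traffic looks like), combined the way
the slide says modern systems do. All flow records below are constructed."""
import statistics
from collections import Counter

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Misuse rules: each names a kind of TCP traffic that no legitimate stack produces.
MISUSE_RULES = [
    ("TCP SYN+FIN set together", lambda f: f["flags"] & SYN and f["flags"] & FIN),
    ("TCP packet with no flags set", lambda f: f["flags"] == 0),
    ("TCP source or destination port 0", lambda f: f["sport"] == 0 or f["dport"] == 0),
]


def misuse_matches(flow):
    """Return the names of every misuse rule the flow trips."""
    return [name for name, rule in MISUSE_RULES if rule(flow)]


class RateBaseline:
    """Anomaly model: new connections per source per minute, learned from normal traffic.
    A count is anomalous if it lies more than k standard deviations above the mean."""

    def __init__(self, training_counts, k=3.0):
        self.mean = statistics.mean(training_counts)
        self.stdev = statistics.pstdev(training_counts)
        self.k = k

    def threshold(self):
        return self.mean + self.k * self.stdev

    def is_anomalous(self, count):
        return count > self.threshold()


def connections_per_source(flows):
    """Count SYN-only packets (new connection attempts) per source address."""
    counts = Counter()
    for f in flows:
        if f["flags"] == SYN:
            counts[f["src"]] += 1
    return counts


def detect(flows, baseline):
    """Run both detectors over one minute of flows; return the alerts raised."""
    alerts = []
    for f in flows:
        for name in misuse_matches(f):
            alerts.append(("misuse", f["src"], name))
    for src, n in connections_per_source(flows).items():
        if baseline.is_anomalous(n):
            alerts.append(("anomaly", src,
                           f"{n} new connections/min, threshold {baseline.threshold():.1f}"))
    return alerts


def flow(src, sport, dport, flags):
    return {"src": src, "sport": sport, "dport": dport, "flags": flags}


# Constructed training data: new connections per minute for a typical workstation, ten minutes.
NORMAL_RATES = [4, 5, 6, 5, 4, 7, 5, 6, 4, 5]

# Constructed minute of traffic: one host behaving normally, one opening far too many
# connections, and two single packets that break the TCP rules.
SAMPLE_FLOWS = (
    [flow("10.0.0.21", 50000 + i, 443, SYN) for i in range(5)]
    + [flow("10.0.0.77", 60000 + i, 1000 + i, SYN) for i in range(60)]
    + [flow("10.0.0.90", 4444, 22, SYN | FIN), flow("10.0.0.91", 4445, 80, 0)]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS, RateBaseline(NORMAL_RATES)):
        print(alert)
```

The trade-off the slide implies is visible here: the misuse rules never fire on normal traffic but only catch what someone has already written a rule for, while the baseline catches the host that opened 60 connections without anyone describing that pattern in advance, at the price of needing clean training data and producing false alarms whenever "normal" shifts.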
Teardrop attack
• A teardrop attack is a denial of service (DoS) attack.
• This attack causes fragmented packets to overlap one another on receipt by the host; the host attempts to reconstruct them but fails in the process.
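The overlap this slide describes, seen from the receiving side: a reassembler that checks each fragment's byte range against what it has already collected and refuses the datagram on overlap (or on a gap) instead of trusting the offsets and failing. This is an added example, not code from the slides; fragments are given as already decoded (byte offset, payload) pairs rather than raw IP headers, and all three sample datagrams are constructed.

```python
"""Added example: recognising the overlapping fragments the slide describes at
reassembly time, instead of failing while reassembling them. Fragments are given as
already decoded (byte offset, payload) pairs; in a real IP header the fragment offset
field is in units of 8 bytes. All fragment data is constructed."""


def find_overlaps(fragments):
    """Return [(start, end)] byte ranges where a fragment overlaps data already covered."""
    overlaps = []
    covered_to = 0
    for offset, payload in sorted(fragments, key=lambda f: f[0]):
        end = offset + len(payload)
        if offset < covered_to:
            overlaps.append((offset, min(end, covered_to)))
        covered_to = max(covered_to, end)
    return overlaps


def find_gaps(fragments):
    """Return [(start, end)] byte ranges no fragment covers (datagram incomplete)."""
    gaps = []
    covered_to = 0
    for offset, payload in sorted(fragments, key=lambda f: f[0]):
        if offset > covered_to:
            gaps.append((covered_to, offset))
        covered_to = max(covered_to, offset + len(payload))
    return gaps


def reassemble(fragments):
    """Reassemble a datagram, returning None on overlap or missing data.
    A reassembler that trusts the offsets blindly computes a nonsensical copy length
    for the second fragment in OVERLAPPING, which is the failure the slide refers to."""
    if find_overlaps(fragments) or find_gaps(fragments):
        return None
    return b"".join(p for _, p in sorted(fragments, key=lambda f: f[0]))


# Constructed datagrams.
WELL_FORMED = [(0, b"A" * 16), (16, b"B" * 16), (32, b"C" * 8)]
OVERLAPPING = [(0, b"A" * 24), (16, b"B" * 16)]   # second fragment starts inside the first
INCOMPLETE = [(0, b"A" * 16), (24, b"C" * 8)]     # bytes 16..24 never arrive

if __name__ == "__main__":
    print(reassemble(WELL_FORMED))
    print(find_overlaps(OVERLAPPING), reassemble(OVERLAPPING))
    print(find_gaps(INCOMPLETE), reassemble(INCOMPLETE))
```

A sensor watching the wire can apply the same `find_overlaps` check to the fragments it sees and raise an alert on the first overlap, which is one way the limitation listed earlier (an IDS that does not track fragments cannot see this attack) is addressed in practice.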
IDS & Network Security policy
• IDS should be seen as an important layer in the company’s “defense in depth” strategy.
• A well defined high level security policy covering what is & isn’t permitted on the company’s systems & network. This includes things such as password policy, which of the internet facilities staff may access, etc.
• Low level platform specific policies detailing how the high level strategy is to be implemented.
 - e.g. how to configure password management subsystems on your NT and UNIX servers.
• Documented procedures for staff to follow.
 - e.g. the help desk receives numerous calls one morning from staff complaining that their accounts have been disabled, & the system logs show repeated failed login attempts to all the systems.
• Regular audits to confirm that the policies have been enacted & that the defenses are adequate for the level of risk you are exposed to.
 - e.g. performing regular network scans from outside the organization's firewall to determine what ports are open and how much information the firewalls & routers leak.
• Available staff skilled in the operation & monitoring of the built in security tools installed on servers & network devices.
 - e.g. if the staff currently do not have the time to check the firewall & router logs, IDS alerts are unlikely to be acted upon in a timely manner.
THANKS…