An Introduction to Intrusion Detection/Prevention, Vulnerability Assessment and related Technologies Network Security
Contents
• Lecture aims and learning outcomes
• Assumptions
• Motivation - Why Intrusion Detection and Vulnerability Assessment
  • Attack Development
  • Vulnerability Development
  • Hacker Strategy
• Detection - Intrusion Detection Systems
  • Host based IDS
  • Network Based IDS
• Prevention - Vulnerability Assessment
  • Software
  • Services (Audits)
  • Web-Based Services
• Counter attacks
  • Honey Pots
  • Appliances
• Summary
Lecture aims and learning outcomes
• The lecture aims are:
  • To describe the problems related to network based attacks
  • To describe how some of these problems may be addressed
• At the end of this lecture you will be able to:
  • Demonstrate an understanding of the main issues relating to threats in the context of network attacks
  • Understand a number of basic design components for building a network security architecture
  • Demonstrate an understanding of the importance of a security policy with reference to the security of a computer network
  • Describe the features and security mechanisms which are generally used to implement security policies for dealing with the security of a computer network
Assumption
• Perimeter security devices (e.g. firewalls) and computer security mechanisms (e.g. application and OS security) can only offer best effort at preventing attacks.
• They may fail to do so:
  • a firewall may be misconfigured,
  • a password may be sniffed off the network,
  • a new attack type may emerge (cf. zero-day attacks).
• They do not detect when an attack is underway or has taken place.
• And they do not react to attacks.
Traditional Methods
• Example: imagine continuous inspection of a Unix system by hand (similar examples for NT, W2K):
• The following simplified checklist is taken from CERT (http://www.cert.org/tech_tips/intruder_detection_checklist.html):
  • Examine log files for connections from unusual locations or other unusual activity. For example, look at your 'last' log, process accounting, all logs created by syslog, and other security logs.
  • Look for setuid and setgid files (especially setuid root files) everywhere on your system. Intruders often leave setuid copies of /bin/sh or /bin/time around to allow them root access at a later time.
Ad Hoc Intrusion Detection
• Imagine the complexity and degree of expertise needed to carry out the tasks in this checklist for every host and every sensitive network link on a network every single day.
• The ad hoc approach is not recommended!
• Automated systems are needed to:
  • monitor multiple hosts and network links for suspicious behaviour;
  • report this behaviour, and possibly react to it.
• Hence: Intrusion Detection Systems (IDS).
Motivation: Vulnerability Development
[chart: vulnerabilities reported per year, 1999 to 2003, for Linux (aggregated), Solaris, Windows and the total; y-axis 0 to 700; source: SecurityFocus]
Motivation: Attack Sophistication vs. Intruder Knowledge
[chart, 1980 to 2000, source: Carnegie Mellon University: attack sophistication rises from low to high over the period while the knowledge required of the intruder falls. Techniques plotted include password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, burglaries, sweepers, sniffers, packet spoofing, GUI tools, automated probes/scans, www attacks, denial of service, network mgmt. diagnostics, distributed attack tools, staged attacks, "stealth"/advanced scanning techniques, cross site scripting and auto coordinated attacks.]
Motivation: Vulnerability & Exploit Lifecycle
[timeline; stages shown: First Discovery, Selective Awareness, Advisory Release, Widespread Awareness, Vulnerability Scanners adding detection signature]
Motivation: Unauthorized Use of Computer Systems within the Last 12 Months
[survey chart; the figures are not recoverable from the slide text]
A Typical Hacker Strategy
• Primary Target Identification - identify hosts with external visibility. [diagram: PING sweep of the CORP NETWORK from the Internet; filled markers denote internal hosts with high value data but no external view]
• Primary Target Analysis - identify services running on visible hosts to prioritize further probing activities. [diagram: PORT sweep of the CORP NETWORK revealing DNS, NFS and WEB services]
• Primary Target Selection - determine the vulnerability state of the weakest point and concentrate further activities against this system. [diagram: FINGER probe against the NFS host on the CORP NETWORK]
• Primary Target Exploitation - gain privileges and control of the primary target; the attacker now controls a ‘trusted’ corporate system! [diagram: Rlogin as Root to the NFS host]
• Secondary Target Identification - probing for high value information or systems, which are then compromised and data stolen or trojan horses planted, etc. [diagram: R&D, $ and HR hosts on the CORP NETWORK reached from the compromised NFS host]
Intrusion Detection Systems
• Popular second layer of network security enforcement
• Passive supervision of the existing network, analogous to intruder alarms
• Creates more work for personnel
• There exist 2 different approaches to the implementation of Intrusion Detection Systems (IDS):
  • Knowledge-based IDS
    • Network based
    • Host based
  • Behaviour-based IDS
    • Statistical anomaly detection
Intrusion Detection Systems
• An Intrusion Detection System (IDS) is a network security system designed to identify intrusive or malicious behaviour via monitoring of network activity. The IDS identifies suspicious patterns that may indicate an attempt to attack, break in to, or otherwise compromise a system. An IDS can be network-based or host-based, passive or reactive, and can rely on either misuse detection or anomaly detection.
• IDS vs Firewalls: firewalls specify policies about what traffic may or may not enter a particular computer network. An IDS monitors patterns of traffic and signals an alert once it deems that an attack has taken place.
Knowledge-based IDS
• ALL commercial IDS look for attack signatures:
  • specific patterns of network traffic or activity in log files that indicate suspicious behaviour.
• Called a knowledge-based or misuse detection IDS.
• Example signatures might include:
  • a number of recent failed login attempts on a sensitive host;
  • a certain pattern of bits in an IP packet, indicating a buffer overflow attack;
  • certain types of TCP SYN packets, indicating a SYN flood DoS attack.
Knowledge-based IDS
• Knowledge-based IDS uses information such as:
  • Security policy;
  • Known vulnerabilities of particular OS and applications;
  • Known attacks on systems.
• They are only as good as the information in the database of attack signatures:
  • new vulnerabilities not in the database are constantly being discovered and exploited;
  • vendors need to keep up to date with latest attacks and issue database updates; customers need to install these;
  • large number of vulnerabilities and different exploitation methods, so an effective database is difficult to build;
  • a large database makes the IDS slow to use.
Behaviour-based IDS
• Statistical Anomaly Detection (or behaviour-based detection) is a methodology where statistical techniques are used to detect penetrations and attacks.
• Begin by establishing base-line statistical behaviour: what is normal for this system?
• Then gather new statistical data and measure the deviation from the base-line.
• If a threshold is exceeded, issue an alarm.
Behaviour-based IDS
• Example: monitor the number of failed login attempts at a sensitive host over a period;
  • if a burst of failures occurs, an attack may be under way;
  • or maybe the admin just forgot his password?
• This raises the issue of false positives (an attack is flagged when one was not taking place – a false alarm) and false negatives (an attack was missed because it fell within the bounds of normal behaviour).
• This issue also applies to knowledge-based systems.
Behaviour-based IDS
• The IDS does not need to know about security vulnerabilities in a particular system:
  • the base-line defines normality;
  • no need to know the details of the construction of a buffer overflow packet.
• Normal behaviour may overlap with forbidden behaviour.
• Legitimate users may deviate from the baseline, causing false positives (e.g. user goes on holiday, or works late in the office, or forgets password, or starts to use new application).
• If the base-line is adjusted dynamically and automatically, a patient attacker may be able to gradually shift the base-line over time so that his attack does not generate an alarm.
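The base-line, deviation and threshold idea from these Behaviour-based IDS slides, as an added example that is not part of the original lecture: hourly failed-login counts (constructed data) are scored against a base-line, and the adaptive variant reproduces the base-line-shifting problem from the last bullet.

```python
import statistics

# Constructed sample: failed login attempts per hour on a sensitive host during a
# quiet 24-hour training period.  This is what "normal" looks like for the host.
BASELINE_COUNTS = [2, 1, 0, 3, 2, 1, 0, 2, 4, 3, 2, 1,
                   0, 1, 2, 3, 2, 1, 0, 2, 3, 1, 2, 1]
# Constructed observations: a slow ramp of failures, rising by one every two hours.
SLOW_RAMP = [3, 3, 4, 4, 5, 5, 6, 6, 7, 7, 8]

def make_baseline(counts):
    """Base-line = mean and (population) standard deviation of normal activity."""
    mean = statistics.mean(counts)
    sd = statistics.pstdev(counts) or 1.0   # guard against a perfectly flat base-line
    return mean, sd

def deviation(baseline, observed):
    """How many standard deviations the new measurement sits above the base-line."""
    mean, sd = baseline
    return (observed - mean) / sd

def classify(baseline, observed, threshold=3.0):
    return "ALARM" if deviation(baseline, observed) > threshold else "normal"

def run_static(observations, threshold=3.0):
    """Fixed base-line: every new window is judged against the training data alone."""
    base = make_baseline(BASELINE_COUNTS)
    return [classify(base, o, threshold) for o in observations]

def run_adaptive(observations, window=24, threshold=3.0):
    """Dynamic base-line: each window that did not alarm is folded into the history,
    so a patient, gradual increase drags the base-line up and never trips the alarm."""
    history = list(BASELINE_COUNTS)
    results = []
    for o in observations:
        base = make_baseline(history[-window:])
        verdict = classify(base, o, threshold)
        results.append(verdict)
        if verdict == "normal":
            history.append(o)               # the attacker's traffic becomes "normal"
    return results

if __name__ == "__main__":
    print("burst of 12 failures, static base-line:", run_static([12]))
    print("slow ramp, static base-line:  ", run_static(SLOW_RAMP))
    print("slow ramp, adaptive base-line:", run_adaptive(SLOW_RAMP))
```

With the static base-line the ramp is caught at 5 failures per hour; with the adaptive one the same ramp reaches 8 per hour without a single alarm.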
Host-based and Network-based IDS
• When an IDS looks for attack signatures in network traffic, it is called a network-based IDS (NIDS).
• When an IDS looks for attack signatures in log files of hosts, it is called a host-based IDS (HIDS).
• Naturally, the most effective Intrusion Detection System will make use of both kinds of information.
IDS Architecture
• Distributed set of sensors – either located on hosts or on the network – to gather data.
• Centralised console to manage the sensor network, analyze data, report and react.
• Ideally:
  • Protected communications between sensors and console;
  • Protected storage for signature database/logs;
  • Secure console configuration;
  • Secured signature updates from vendor.
• Otherwise, the IDS itself can be attacked and manipulated.
Placement of Network-based IDS
[diagram: Internet, Firewall, Perimeter Network (Mail server, Web server), Protected Network (Console); three network Sensors are placed on the network segments and report to the Console]
Host-based IDS
• Typically monitors system, event, and security logs on Windows and syslog in Unix environments.
• Checks key system files and executables via checksums at regular intervals for unexpected changes.
• Some products can use regular expressions to refine attack signatures (e.g. passwd program executed AND .rhosts file changed).
• Some products listen to port activity and alert when specific ports are accessed – limited NIDS capability.
Placement of Host-based IDS
[diagram: Internet, Firewall, Perimeter Network (Mail server, Web server), Human Resources Network; host Sensors on the Mail server, the Web server and a Human Resources host report to the Console]
IDS as a Response Tool
• Given the (near) real-time nature of IDS alerts, an IDS can be used as a response tool as well as for detection.
• NIDS and HIDS have different response capabilities – because they detect different attacks, or the same attacks but in different ways.
HIDS and NIDS
• There are attack types that a HIDS can detect but a NIDS cannot:
  • SYN flood, Land, Smurf and Teardrop attacks, BackOrifice, …
• And vice-versa:
  • Trojan login script, walk up to unattended keyboard attack, encrypted traffic, …
• For more reliable detection, combine both types of IDS.
IDS Response Options
• Dangers of automated response:
  • Attacker tricks the IDS into responding, but the response is aimed at an innocent target (say, by spoofing the source IP address);
  • Users locked out of their accounts because of false positives;
  • Repeated e-mail notification becomes a denial of service attack on the sysadmin’s e-mail account;
  • Repeated restoration of index.html from CD reduces website availability.
What is Snort?
• Snort is a fast, flexible, small-footprint, open-source NIDS developed by the security community and a “benevolent dictator”
• Lead coder: Marty Roesch, now founder of Sourcefire (http://www.sourcefire.com)
• Initially developed in late 1998 as a sniffer with consistent output, unlike the protocol-dependent output of TCPDump
• Licensed under GPL, but version 2.0 may change to a different license
Snort Rules
• Snort rules are extremely flexible and are easy to modify, unlike many commercial NIDS
• Sample rule to detect the SubSeven trojan:
  alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity; rev:4;)
• Elements before the parentheses comprise the ‘rule header’
• Elements in the parentheses are the ‘rule options’
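An added example (not part of the lecture, and not Snort's own code) of how a knowledge-based IDS applies a signature such as the SubSeven rule above: it splits the rule into header and options, decodes the |hex| content pattern, and matches constructed packets against it. The packet dictionary layout is an assumption, and the $EXTERNAL_NET/$HOME_NET address checks are left out.

```python
import re

# The SubSeven rule from the slide (Snort sid 103), as one string.
RULE = ('alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any '
        '(msg:"BACKDOOR subseven 22"; flags: A+; '
        'content: "|0d0a5b52504c5d3030320d0a|"; '
        'reference:arachnids,485; reference:url,www.hackfix.org/subseven/; '
        'sid:103; classtype:misc-activity; rev:4;)')

def parse_rule(rule):
    """Split a rule into its header fields and an ordered list of (option, value) pairs."""
    header, _, body = rule.partition('(')
    action, proto, src, sport, direction, dst, dport = header.split()
    opts = [(k, v.strip().strip('"'))
            for k, v in re.findall(r'(\w+)\s*:\s*("[^"]*"|[^;]*);', body.rstrip(')'))]
    return {'action': action, 'proto': proto, 'src': src, 'sport': sport,
            'direction': direction, 'dst': dst, 'dport': dport, 'options': opts}

def content_to_bytes(value):
    """Snort content syntax: literal text with |hex| segments, e.g. 'ab|0d 0a|c'."""
    out = bytearray()
    for i, seg in enumerate(value.split('|')):
        out += bytes.fromhex(seg) if i % 2 else seg.encode('latin-1')
    return bytes(out)

def matches(rule, pkt):
    """Does a (constructed) packet dict trigger the rule?  Address variables
    ($EXTERNAL_NET / $HOME_NET) are assumed to match and are not checked here."""
    r = parse_rule(rule)
    if pkt['proto'] != r['proto']:
        return False
    if r['sport'] != 'any' and str(pkt['sport']) != r['sport']:
        return False
    if r['dport'] != 'any' and str(pkt['dport']) != r['dport']:
        return False
    for key, value in r['options']:
        if key == 'flags':            # 'A+' = ACK must be set, other flags may be too
            need, plus = set(value.rstrip('+')), value.endswith('+')
            have = set(pkt['flags'])
            if not (need <= have if plus else need == have):
                return False
        elif key == 'content':        # raw byte match anywhere in the payload
            if content_to_bytes(value) not in pkt['payload']:
                return False
    return True

# Constructed sample traffic: a SubSeven-style server reply, and a benign reply on the same port.
SUBSEVEN_PKT = {'proto': 'tcp', 'sport': 27374, 'dport': 1234, 'flags': 'AP',
                'payload': b'\r\n[RPL]002\r\nconnected'}
BENIGN_PKT = dict(SUBSEVEN_PKT, payload=b'HTTP/1.0 200 OK\r\n')
```

The decoded content pattern is the twelve bytes "\r\n[RPL]002\r\n"; only the packet carrying them, from source port 27374 with ACK set, fires the rule.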
Third-Party Enhancements
• Analysis Console for Intrusion Databases (ACID)
  • http://acidlab.sourceforge.net/
  • PHP-based analysis engine to search and process a database of security events generated by various IDSes, firewalls, and network monitoring tools
  • Query-builder and search interface, packet viewer (decoder), alert management, chart and statistics generation
  • Description and screenshots taken from the ACID web site
Third-Party Enhancements
• Demarc
  • www.demarc.com
  • NIDS management console, integrating Snort with the convenience and power of a centralized interface for all network sensors
  • Monitor all servers / hosts to make sure network services such as mail or web servers remain accessible at all times
  • Monitor system logs for anomalous log entries that may indicate intruders or system malfunctions
  • Description and screenshots taken from the Demarc web site
IDS – The Future
• Integrated approach to IDS:
  • Network and host-based in one system (some products already do this in a limited way);
  • The strengths of both NIDS and HIDS (but maybe all of the weaknesses!)
• Better visualisation, management and reporting tools
• Event correlation:
  • Correlate a number of sub-events which individually do not indicate an attack but which when viewed in combination do;
  • Requires much more sophisticated software and data processing.
  • Potentially much better attack detection.
• Commercial Statistical Anomaly Detection
Prevention
• Vulnerability Assessment
• Intrusion Prevention Systems
Vulnerability Assessment
• An examination of the ability of a system or application, including current security procedures and controls, to withstand assault.
• A vulnerability assessment may be used to:
  • identify weaknesses that could be exploited;
  • predict the effectiveness of additional security measures in protecting information resources from attack.