210 likes | 528 Views
Intrusion Detection/Prevention Systems. Charles Poff Bearing Point. Intrusion Detection Systems. Intrusion Detection System (IDS) Passive Hardwaresoftware based Uses attack signatures Configuration SPAN/Mirror Ports Generates alerts (email, pager) After the fact response.
E N D
Intrusion Detection/Prevention Systems Charles Poff Bearing Point
Intrusion Detection Systems • Intrusion Detection System (IDS) • Passive • Hardware\software based • Uses attack signatures • Configuration • SPAN/Mirror Ports • Generates alerts (email, pager) • After the fact response
Intrusion Prevention Systems • Intrusion Prevention System (IPS) • Also called Network Defense Systems (NDS) • Inline & active • Hardware\software based • Uses attack signatures • Configuration • Inline w/fail over features. • Generates alerts (email, pager) • Real time response
IDS vs. IPS • IPS evolved from IDS • Need to stop attacks in real time • After the fact attacks have lesser value • IDS is cheaper. • Several Open Source IDS/IPS • Software based • IPS = EXPENSIVE • Hardware based (ASIC & FPGA)
Detection Capabilities • Signatures • Based on current exploits (worm, viruses) • Detect malware, spyware and other malicious programs. • Bad traffic detection, traffic normalization • Anomaly Detection • Analyzes TCP/IP parameters • Normalization • Fragmentation/reassembly • Header & checksum problems
Evasion Techniques • Encryption • IPSec, SSH, Blowfish, SSL, etc. • Placement of IPS sensors are crucial • Lead to architectural problems • False sense of security • Encryption Key Exchange • IPS sensors can “usually” detect/see encryption key exchanges • IPS sensors can “usually” detected unknown protocols
Evasion Techniques (cont.) • Packet Fragmentation • Reassembly – 1.) out of order, 2.) storage of fragments (D.o.S) • Overlapping – different size packets arrive out of order and in overlapping positions. • Newly arrived packets can overwrite older data.
Evasion Techniques (cont.) • Zero day exploits (XSS, SQL Injection) • Not caught by signatures • Not detected by normalization triggers • Specific to custom applications/DB’s. • Social engineering • Verbal communication • Malicious access via legitimate credentials • Poor configuration management • Mis-configurations allow simple access not detected. • Increases attack vectors
Vendors • Open Source • SNORT (IDS/IPS) – my favorite • Prelude (IDS) • HoneyNet (Honey Pot/IDS) • Commercial • TippingPoint • Internet Security Systems • Juniper • RadWare • Mirage Networks
Tools of the Trade • Fuzzers – SPIKE, WebScarab, ADMmutate, ISIC, Burp Suite • Scanners - Nessus, NMAP, Nikto, Whisker • Fragmentation – ADMmutate, Fragroute, Fragrouter, ettercap, dSniff • Sniffers – ethereal, dSniff, ettercap, TCPDump • Web Sites • www.thc.org • packetstormsecurity.nl • www.packetfactory.net
Future of IDS/IPS • Many security appliances ONE • IDS/IPS, SPAM, AV, Content Filtering • IDS will continue to loose market share • IPS, including malware, spyware, av are gaining market share • Security awareness is increasing • Attacks are getting sophisticated • Worms, XSS, SQL Injection, etc.
Your Organization • What’s protecting your organization? • Future Plans? • Products and vendors? • Evolution of security infrastructure.
Question • Question & comments