190 likes | 318 Views
Intrusion Detection on a Shoestring Budget. Shane Williams UT Austin Graduate School of Library and Information Science Oct. 18, 2000 SANS Network Security 2000. Setting. Public university department Lean budget Priority on openness Limited technical knowledge Independent faculty
E N D
Intrusion Detection on a Shoestring Budget Shane Williams UT Austin Graduate School of Library and Information Science Oct. 18, 2000 SANS Network Security 2000
Setting • Public university department • Lean budget • Priority on openness • Limited technical knowledge • Independent faculty • Heterogeneous computing environment
Setting • Implications for security • Prime target for crackers • Not everyone understands need for security • Policy can be hard to implement • Solutions must be: • Inexpensive • Unobtrusive
Solutions • Focus on Open Source Software • Often cost-free • Can run on inexpensive hardware • Prioritize security activities • Prevention • Detection • Maintenance • Only then identify
Prevention • Verify clean systems or detection can be subverted • Identify platform specific vulnerabilities • Patch operating systems • Patch server software (www, ftp, etc.) • Enforce good user practices (especially as regards passwords).
Detection • Network based • Network Flight Recorder (NFR) • Academic Research version • Snort • Tcpdump • Host based • Tripwire
Detection • Create a watchtower • Minimal open ports • SSH • Only visible from within subnet • Used many of the same tools mentioned above • About $2000 to $2500 • FreeBSD OS • Commodity components
Network Based IDS • Switched versus shared may cause complications • Network IDS needs to see the network • Can work in a switched environment, but: • Depends on switching equipment • Switches are often controlled outside departments • False positives
Network Flight Recorder • Created to act as a “black box” for intrusion detection • Advantages • Records all network traffic • Alerts on specific signatures • Good query tools • Remote interface
Network Flight Recorder • Disadvantages • Data collection takes up space • Space management feature didn’t always work • No longer freely available
Snort • Created to be a lightweight network IDS • Lightweight meaning compact and efficient • Not lightweight on performance • Advantages • Small size • Easy to install • Open source development means continued enhancement
Snort • Disadvantages • Only saves suspect traffic • No query features • But other developers are working on this • Experiencing growing pains
Tcpdump • Simple but powerful utility for listening to network traffic • Advantages • Can collect packet payload • Indispensable in understanding exploits • Disadvantages • Massive data storage requirements
Tripwire • Host-based IDS that calculates digital signatures of specified files • Differences between older open source version and newer commercial version • Signed files require pass phrase to change • Levels of violation
Tripwire • Advantages • Doesn’t depend on network • Minimal false positives • Can catch local exploits
Tripwire • Disadvantages • Requires careful setup to prevent subversion • Databases must be kept up to date • Best in hierarchical structure • Minimizes possibility of tampering
Conclusions • There are plenty of free tools out there • Host based better than network based • IPv6 • Encrypted traffic • Tripwire is a preferred tool • Works well now to detect attacks • Potential to be enhanced even more
URLs • Network Flight Recorder • http://www.nfr.com/ • Snort • http://www.snort.org/ • Tripwire • http://www.tripwire.com/ • Updated info • http://www.gslis.utexas.edu/~shanew/security.html