390 likes | 677 Views
Intrusion Detection. Chapter 12. Learning Objectives. Explain what intrusion detection systems are and identify some major characteristics of intrusion detection products Detail the differences between host-based and network-based intrusion detection
E N D
Intrusion Detection Chapter 12
Learning Objectives • Explain what intrusion detection systems are and identify some major characteristics of intrusion detection products • Detail the differences between host-based and network-based intrusion detection • Identify active detection and passive detection features of both host- and network-based IDS products continued…
Learning Objectives • Explain what honeypots are and how they are employed to increase network security • Clarify the role of security incident response teams in the organization
Intrusion Detection System (IDS) • Detects malicious activity in computer systems • Identifies and stops attacks in progress • Conducts forensic analysis once attack is over
The Value of IDS • Monitors network resources to detect intrusions and attacks that were not stopped by preventative techniques (firewalls, packet-filtering routers, proxy servers) • Expands available options to manage risk from threats and vulnerabilities
Negatives and Positives • IDS must correctly identify intrusions and attacks • True positives • True negatives • False negatives • IDS missed an attack • False positives • Benign activity reported as malicious
Dealing with False Negatives and False Positives • False negatives • Obtain more coverage by using a combination of network-based and host-based IDS • Deploy NIDS at multiple strategic locations in the network • False positives • Reduce number using the tuning process
Types of IDS • Network-based (NIDS) • Host-based (HIDS)
Network-based IDS • Uses a dedicated platform for purpose of monitoring network activity • Analyzes all passing traffic • Sensors have two network connections • One operates in promiscuous mode to sniff passing traffic • An administrative NIC sends data such as alerts to a centralized management system • Most commonly employed form of IDS
NIDS Architecture • Place IDS sensors strategically to defend most valuable assets • Typical locations of IDS sensors • Just inside the firewall • On the DMZ • On network segments connecting mainframe or midrange hosts
Switch Port Analyzer (SPAN) • Allows traffic sent or received in one interface to be copied to another monitoring interface • Typically used for sniffers or NIDS sensors
Limitations of SPAN • Traffic between hosts on the same segment is not monitored; only traffic leaving the segment crosses the monitored link • Switch may offer limited number of SPAN ports or none at all
Hub • Device for creating LANs that forward every packet received to every host on the LAN • Allows only a single port to be monitored
Tap • Fault-tolerant hub-like device used inline to provide IDS monitoring in switched network infrastructures
NIDS Signature Types • Signature-based IDS • Port signature • Header signatures
Network IDS Reactions • TCP resets • IP session logging • Shunning or blocking
Host-based IDS • Primarily used to protect only critical servers • Software agent resides on the protected system • Detects intrusions by analyzing logs of operating systems and applications, resource utilization, and other system activity • Use of resources can have impact on system performance
HIDS Method of Operation • Auditing logs (system logs, event logs, security logs, syslog) • Monitoring file checksums to identify changes • Elementary network-based signature techniques including port activity • Intercepting and evaluating requests by applications for system resources before they are processed • Monitoring of system processes for suspicious activity
HIDS Software • Host wrappers • Inexpensive and deployable on all machines • Do not provide in-depth, active monitoring measures of agent-based HIDS products • Agent-based software • More suited for single purpose servers
HIDS Active Monitoring Capabilities • Log the event • Alert the administrator • Terminate the user login • Disable the user account
Advantages of Host-based IDS • Verifies success or failure of attack by reviewing HIDS log entries • Monitors use and system activities; useful in forensic analysis of the attack • Protects against attacks that are not network based • Reacts very quickly to intrusions continued…
Advantages of Host-based IDS • Not reliant on particular network infrastructure; not limited by switched infrastructures • Installed on protected server itself; requires no additional hardware to deploy and no changes to network infrastructure
Passive Detection Systems • Can take passive action (logging and alerting) when an attack is identified • Cannot take active actions to stop an attack in progress
Active Detection Systems • Have logging, alerting, and recording features of passive IDS, with additional ability to take action against offending traffic • Options • IDS shunning or blocking • TCP reset • Used in networks where IDS administrator has carefully tuned the sensor’s behavior to minimize number of false positive alarms
Signature-based andAnomaly-based IDS • Signature detections • Also know as misuse detection • IDS analyzes information it gathers and compares it to a database of known attacks, which are identified by their individual signatures • Anomaly detection • Baseline is defined to describe normal state of network or host • Any activity outside baseline is considered to be an attack
Intrusion Detection Products • Aladdin Knowledge Systems • Entercept Security Technologies • Cisco Systems, Inc. • Computer Associates International Inc. • CyberSafe Corp. • Cylant Technology • Enterasys Networks Inc. • Internet Security Systems Inc. • Intrusion.com Inc. family of IDS products
Honeypots • False systems that lure intruders and gather information on methods and techniques they use to penetrate networks—by purposely becoming victims of their attacks • Simulate unsecured network services • Make forensic process easy for investigators
Commercial Honeypots • ManTrap • Specter • Smoke Detector • NetFacade
Open Source Honeypots • BackOfficer Friendly • BigEye • Deception Toolkit • LaBrea Tarpit • Honeyd • Honeynets • User Mode Linux
Honeypot Deployment • Goal • Gather information on hacker techniques, methodology, and tools • Options • Conduct research into hacker methods • Detect attacker inside organization’s network perimeter
Honeypot Design • Must attract, and avoid tipping off, the attacker • Must not become a staging ground for attacking other hosts inside or outside the firewall
Honeypots, Ethics, and the Law • Nothing wrong with deceiving an attacker into thinking that he/she is penetrating an actual host • Honeypot does not convince one to attack it; it merely appears to be a vulnerable target • Doubtful that honeypots could be used as evidence in court
Incident Response • Every IDS deployment should include two documents to answer “what now” questions • IDS monitoring policy and procedure • Requires well-documented monitoring procedures that detail actions for specific alerts • Incident response plan • Responsible for assigning personnel to assemble resources required to handle security incidents
Typical SIRT Objectives • Determine how incident happened • Establish process for avoiding further exploitations of the same vulnerability • Avoid escalation and further incidents • Assess impact and damage of the incident • Recover from the incident continued…
Chapter Summary • Two major types of intrusion detection • Network-based IDS (monitor network traffic) • Host-based IDS (monitor activity on individual computers) • Honeypots • Incident response