EE579T / CS525T Network Security 11: Intrusion Detection Systems; Wireless Security Prof. Richard A. Stanley
Overview of Tonight’s Class • Review last week’s lesson • Final Exam • On the web page • Due to me electronically in 2 weeks (26 Apr) • Project Scheduling • Presentations on 15 April • Keep presentations to 25 minutes including Q&A • Let’s have volunteers for each time slot, keeping in mind your work schedules • Intrusion detection systems • Wireless security
Summary • SNMP is widely-used for managing clients distributed across a network • SNMPv1 is simple, effective, and provides the majority of SNMP service in the field • SNMPv2 adds some functionality to v1 • SNMPv3 is a security overlay for either version, not a standalone replacement • SNMP security is a major issue!
Intrusion Detection Systems • Oddly enough, these are systems designed to detect intrusions into protected systems • Security intrusion (per RFC 2828): • A security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.
What’s a Security Incident? • A security event that involves a security violation. (See: CERT, GRIP, security event, security intrusion, security violation.) • In other words, a security-relevant system event in which the system's security policy is disobeyed or otherwise breached. • "Any adverse event which compromises some aspect of computer or network security." [R2350] Source: RFC 2828, page 152; emphasis added
Why Do We Need This? • With the exception of authentication systems, most of the defenses we have studied up to now are directed towards intruders coming from outside the firewall • These systems are not perfect--some intruders will get through • Moreover, defenses such as firewalls cannot protect against intruders on the inside
Intrusion Detection Functions • Monitor protected networks and computers in real time (or as close to real time as is practicable) • Detect security incidents • Requires a policy, and a way for the IDS to know what that policy is • Respond • Raise an alarm • Send some automated response to the attacker
IDS vs. Auditing • Audits tend to be a posteriori • But an IDS can be seen as performing a constant, near real time audit function • To perform an audit, you need to know what the policy is • Audits measure departures from the policy norms • Audits depend on system logs
Early IDS’s • Emulated the audit function • Crawled the logs, looking for deviations from policy-permitted actions • Intent was to speed up the audit, making it nearly real time • Still a useful approach • IDS technology has been around only since the early 1990’s; not too mature
IDS Uses • Monitor system usage • Determine access, usage patterns • Plan for capacity engineering • Monitor specific problem areas • Serve as a deterrent • Sort of like the “burglar alarm” label on a house, even if there is really no alarm
Log Files • Are evidence if an intrusion occurs • Must be stored in their original, unmodified form, otherwise inadmissible in court • Provide data from which trends can be deduced • Can be subjected to forensic analysis • Probably needed to assess level of system compromise/damage and to restore to state prior to intrusion
Legal Issues - 1 • Privacy of your employees • Courts have held that employees have little expectation of privacy in the workplace, especially if told so at the outset • email can be monitored at work by employer • phone calls can be monitored at work by employer • doing either of these things outside the workplace violates the wiretap statutes (18 USC § 2516, etc.)
Legal Issues - 2 • What if the IDS discovers illegal acts being performed on/by your network? • Employees using the network for illegal activities • Outsiders having planted zombie programs so that your system attacks others • What is your responsibility and liability?
Legal Issues - 3 • This may be a Catch-22 issue • If an attacker is using your system, law enforcement may want you to continue to allow that to happen so they can apprehend the attacker • If you interrupt the attack, could be interpreted as obstruction of justice • But, if you allow the attack to continue, you may be liable for damages to those attacked • Get legal advice--beforehand!
What About Automated Response? • Tempting capability • If attacking your system is illegal, what makes your attack on the attacker in response less illegal? • What if you are, or are acting on behalf of, a governmental entity and the attacker is also a governmental entity? • Casus belli
IDS Architecture [diagram: a management console connected to several sensors]
Console • Monitors and controls sensors • Sets policy, alarm levels, etc. • Stores logs • Must have secure communications with sensors • Encrypted connection • Out of band (OOB)
IDS Types • Network-based (NIDS) • Monitors the network backbone • Network node-based (NNIDS) • Monitors network nodes, not the backbone • Host-based (HIDS) • This is the “log crawler” that started it all • Gateway (GIDS) • NIDS in series with the network
What Can It See? • Network packets • OS API calls • System logs • How do we merge this data to detect intrusions?
Host-Based • Sits on a host as a background task • Monitors (potentially) • traffic to and from the host • OS API calls • system logs • Adds to processing load on the host, so host must be able to support the extra load
Network-based • NIDS sensors placed on network backbone • Can view only packet traffic passing by, much like a classic passive sniffer • Does not place processing load on network, but the NIDS platform must be capable of dealing with network traffic speeds • Software can usually handle 100 Mbps • Hardware only 2-3 times faster • If network is faster, looks only at subset of packets
Network Node-based • Used to inspect intrusions directly into network nodes • Effectively a blending of HIDS and NIDS • Used to protect mission-critical machines • Again, a background process on existing nodes, so node must be able to handle added processing load
Gateway • In series with network • Often set to block prohibited traffic automatically • Think of it as an in-network firewall with an extended rule set • Must be able to keep up with network load
Intrusion Protection Systems • Latest trend in IDS technology • Idea is to use what the IDS identifies to change the network rules ad hoc, in theory preventing further exploitation • Very similar to GIDS
IPS Issues • Attack signatures generally known only a posteriori • Heuristic analysis has not worked very well in other venues, such as virus detection • How long to maintain the “new” rules before reverting to the original ones? • Exploitation of the IPS
Deployment • Putting in an IDS is a complex and time-consuming affair • Typically, start simple and add functionality as you learn more about the network • NIDS tends to see more and load network least • Follow up with HIDS on selected hosts, perhaps NNIDS on critical nodes • Policy has to be in place first
Attack Signatures • Critical to success of any IDS • Must be maintained, just like virus signatures • You want some visibility into this • Do you want strangers deciding what is an attack on your critical systems? • Some IDS’s let you write/modify signatures, others do not • CVE: http://www.cve.mitre.org/
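The following is an added example, not code from the lecture or from any IDS product, of the "log crawler" approach the earlier slides describe combined with operator-maintained attack signatures: it scans syslog-style lines against a small, editable signature list and applies a policy threshold before raising an alarm. The log lines, signature names and thresholds are all constructed for the example.

```python
"""Minimal host-based, log-crawling IDS (added example; log lines constructed)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log lines, not real logs.
SAMPLE_LOG = """\
Apr 12 22:01:03 host1 sshd[411]: Failed password for root from 10.0.0.7 port 51022 ssh2
Apr 12 22:01:05 host1 sshd[411]: Failed password for root from 10.0.0.7 port 51023 ssh2
Apr 12 22:01:08 host1 sshd[411]: Failed password for root from 10.0.0.7 port 51024 ssh2
Apr 12 22:01:09 host1 sshd[412]: Accepted password for alice from 10.0.0.5 port 40000 ssh2
Apr 12 22:02:11 host1 sshd[411]: Failed password for root from 10.0.0.7 port 51025 ssh2
Apr 12 22:03:00 host1 su[500]: pam_unix(su:auth): authentication failure; user=bob
Apr 12 22:04:00 host1 cron[600]: (root) CMD (run-parts /etc/cron.hourly)
"""

@dataclass
class Signature:
    name: str
    pattern: re.Pattern   # compiled regex; an optional "src" group keys the count
    threshold: int = 1    # policy: matches per source before an alarm is raised

@dataclass
class Alert:
    signature: str
    key: str
    count: int

# Operator-written signatures: the point of the slide is that you want to see
# and edit what counts as an attack on your own systems.
SIGNATURES = [
    Signature("ssh-bruteforce",
              re.compile(r"sshd\[\d+\]: Failed password for \S+ from (?P<src>\d+\.\d+\.\d+\.\d+)"),
              threshold=3),
    Signature("su-failure",
              re.compile(r"su\[\d+\]: .*authentication failure; user=(?P<src>\w+)"),
              threshold=1),
]

def crawl(log_text: str, signatures=SIGNATURES) -> list[Alert]:
    """Match every line against every signature, count hits per (signature,
    source) and emit one alert per key that reaches its policy threshold."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        for sig in signatures:
            m = sig.pattern.search(line)
            if m:
                key = m.groupdict().get("src") or "-"
                counts[(sig.name, key)] += 1
    alerts = []
    for (name, key), n in sorted(counts.items()):
        threshold = next(s.threshold for s in signatures if s.name == name)
        if n >= threshold:
            alerts.append(Alert(name, key, n))
    return alerts

if __name__ == "__main__":
    for a in crawl(SAMPLE_LOG):
        print(f"ALERT {a.signature}: {a.key} ({a.count} events)")
```

The threshold is the "policy" the IDS needs to know: a single failed login is normal operation, four from one address inside a few minutes is a departure from it. A real deployment would also carry the alerts to a console over a protected channel rather than printing them.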
IDS Deployment • First, design the IDS sensor and management layout • Next, deploy the IDS • Test the network for normal operation • Test the IDS • Run packaged attacks to see if all are detected • Document performance and repeat test regularly • Tune the IDS
Sampling of IDS Products • RealSecure: http://www.iss.net/products_services/enterprise_protection/rsnetwork/sensor.php • NFR: http://www.nfr.net/ • Snort: http://www.snort.org/ • SnortSnarf: http://www.silicondefense.com/software/snortsnarf/
IDS Summary • IDS’s can be useful in monitoring networks for intrusions and policy violations • Up-to-date attack signatures and policy implementations essential • Many types of IDS available, at least one as freeware • Serious potential legal implications • Automated responses to be avoided
Wireless Network Security • Wireless networks growing at a rapid pace • Gartner Group predicts wireless installations will multiply >7X by 2007 to over 31M • Business drivers • Installation cost and time • Mobility • Flexibility • Operating costs
Wireless Inherently Insecure • Wired networks confine (or try to confine) signals to a wired path, which must be physically tapped to compromise line security • Possible to physically discover the tap • Wireless networks deliberately broadcast data into space, where it can be intercepted by anyone with the proper receiver • Data tap impossible to discover
This Isn’t New News • Since early days, wireless vendors strove to provide privacy equivalent to that available on the wired network • WEP = wired equivalent privacy • This is not a high standard to meet • They succeeded, but that wasn’t good enough for user requirements
Wireless Security Issues • How does a wireless network work? • How can you “join up?” • What about the encryption? • Can it really be secure?
How It Works • Clients send probes • Access points broadcast beacons and, often, their Server Set ID (SSID) • When a client finds an access point with an acceptable signal level and a matching SSID, a connection is established • Many networks are built precisely to facilitate connection by “foreign” users
Wireless LAN Elements [diagram: access point (AP) and station (STA)]
Origins of WEP • Marketing and Political Issues: • Developed as part of a wireless LAN research project at Apple Computer, Inc. • Eavesdropping was perceived as a barrier to market acceptance. • Apple sells into a worldwide market, so the solution had to be exportable. • NSA only allowed 40-bit encryption to be exported.
Origins of WEP (cont.) • Technical Issues: • Eavesdropping on wireless link => privacy and authentication problems. • Multiple network protocols (in 1993) => solution required at data link layer. • Data link layer is “best effort” => crypto-state (other than shared key) must accompany each frame.
WEP Solution • Apple had unlimited RC4 license from RSA, Inc. • Method and apparatus for variable-overhead cached encryption, US Patent 5,345,508 applied for 23 Aug 1993, granted 6 Sept 1994. • Licensed for export in mid-1994.
WEP Encryption [diagram: the Initialization Vector (IV) and the Secret Key are concatenated to form the seed of the RC4() PRNG; the resulting key sequence (cached, up to MAX_MSG_SZ) is XORed with the plaintext to produce the ciphertext, and the IV is sent with the frame]
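As an added example, not from the lecture or from any WEP implementation, the following code builds the diagram from scratch: RC4 seeded with IV || secret key, ciphertext = plaintext XOR key sequence, the IV carried in the clear. It also shows the property that makes the IV so important and that the later RSN slides address with IV sequencing: two frames encrypted under the same IV and key share a key sequence, so the XOR of the two ciphertexts equals the XOR of the two plaintexts, which a passive listener can compute without the key. The 40-bit key size comes from the slides; the 3-byte IV is WEP's real IV length, which the slides do not state; the key, IVs and messages are constructed.

```python
"""WEP-style RC4 encryption and the keystream-reuse property (added example)."""

def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling over the seed, then `length` bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm (KSA)
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

IV_LEN = 3   # WEP uses a 24-bit IV (known fact, not on the slides)

def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Seed = IV || secret key, as in the diagram; the IV is prepended in the
    clear so the receiver can rebuild the same key sequence."""
    assert len(iv) == IV_LEN
    key_sequence = rc4_keystream(iv + secret_key, len(plaintext))
    return iv + xor(plaintext, key_sequence)

def wep_decrypt(secret_key: bytes, frame: bytes) -> bytes:
    iv, body = frame[:IV_LEN], frame[IV_LEN:]
    return xor(body, rc4_keystream(iv + secret_key, len(body)))

def keystream_reuse_leak(secret_key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bytes:
    """What a passive listener learns from two frames that reused one IV:
    C1 XOR C2, which equals P1 XOR P2, with no knowledge of the key."""
    c1 = wep_encrypt(secret_key, iv, p1)[IV_LEN:]
    c2 = wep_encrypt(secret_key, iv, p2)[IV_LEN:]
    return xor(c1, c2)

if __name__ == "__main__":
    secret_key = b"\x01\x02\x03\x04\x05"      # constructed 40-bit key
    iv = b"\x00\x00\x01"                       # constructed IV
    frame = wep_encrypt(secret_key, iv, b"hello wep")
    print(wep_decrypt(secret_key, frame))      # b'hello wep'
    p1, p2 = b"attack at dawn", b"attack at dusk"
    print(keystream_reuse_leak(secret_key, iv, p1, p2) == xor(p1, p2))   # True
```

With only 2^24 IVs and no rule forcing a sender to use each one once, a busy access point repeats IVs within hours; that repetition, not RC4 itself, is what turns the stream cipher into a dictionary-building problem, and it is why the RSN design carries a much longer sequence counter and rejects out-of-order values.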
IEEE 802.11’s use of WEP • IEEE runs by Robert’s Rules; “one man, one vote” • Simple majority required to add text, 75% vote to change text in draft standard • WEP introduced in March 1994 • Strong pushback in committee regarding cost and overhead of encryption • Dilution of proposal; privacy made optional
WEP Security Problems • Papers submitted to 802.11 committee highlight the problems with WEP; “Unsafe at any Key Size” presented in October 2000 • 802.11 Task Group I formed to solve WEP security problems • Press gets wind of the issue • Public domain attacks; “war driving”
WEP Security Problems (cont.) • Passive attacks to decrypt traffic based on statistical analysis • Active ‘known plaintext’ attack to inject new traffic from unauthorized mobile stations • Active attacks to decrypt traffic, based on tricking the access point • Dictionary-building attack; real-time automated decryption of all traffic after a day’s sampling
802.11 Task Group I • Long term security architecture for 802.11 • Based on 802.1X authentication standard and two new encryption protocols (TKIP and CCMP) – Labeled Robust Security Network (RSN) • Uses Upper Layer Authentication (ULA) protocols outside the scope of 802.11i (e.g. EAP/TLS, PEAP)
Robust Security Network Includes: • Better key derivation/distribution based on 802.1X • For TKIP: per message 128 bit key derivation • Improved encryption (TKIP, CCMP) • Stronger keyed Message Integrity Checks • Custom MIC for TKIP with 22 bit effective strength • Strong AES based MIC for CCMP • IV sequencing to control message replay • 44 bits to avoid re-keying (4 bits for QoS)
RSN Data Privacy Protocols • Temporal Key Integrity Protocol (TKIP) • a cipher suite enhancing the WEP protocol on pre-RSN hardware • Counter Mode/CBC-MAC Protocol • based on AES and Counter-Mode/CBC-MAC (CCM) • Mandatory for RSN compliance
802.1X • Originally designed as port-based network access control for PPP • Provides support for a centralized management model • Primary encryption keys are unique to each station and generated dynamically • Provides support for strong upper layer authentication
802.1X Architectural Framework • Employs Extensible Authentication Protocol (EAP) • EAP built around challenge-response paradigm • operates at network layer = flexibility • Provides transport for ULA protocols • EAP/TLS, PEAP, EAP-TTLS, LEAP • Two sets of keys dynamically generated • Session Keys, Group Keys
Authentication and Key Mgmt. [diagram: Supplicant (STA), Authenticator (AP) and Authentication Server (AS); EAP runs end to end between STA and AS, carried by EAPoL between STA and AP and by RADIUS between AP and AS; the AP's uncontrolled port passes authentication traffic, while the controlled port to the wired LAN services remains an unauthorized port until authentication succeeds]
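The following is an added example, not from the lecture or from any 802.1X implementation, that models the framework in the diagram and the two preceding slides: the authenticator keeps an uncontrolled port that passes only EAPoL frames and a controlled port that stays blocked until the authentication server reports success, EAP is reduced to one HMAC challenge-response, and a per-station session key is derived when authentication succeeds. The EAPoL EtherType is the real one; the class names, user database, credentials and the key-derivation step are all constructed.

```python
"""Toy model of 802.1X port-based access control with EAP relay (added example)."""
import hashlib
import hmac
import os

ETHERTYPE_EAPOL = 0x888E   # real EAPoL EtherType; anything else is treated as data

class AuthenticationServer:
    """Holds the credential store (what RADIUS would front); never on the data path."""
    def __init__(self, users: dict[str, bytes]):
        self.users = users
    def challenge(self) -> bytes:
        return os.urandom(16)
    def verify(self, user: str, chal: bytes, resp: bytes) -> bool:
        secret = self.users.get(user)
        if secret is None:
            return False
        expected = hmac.new(secret, chal, hashlib.sha256).digest()
        return hmac.compare_digest(expected, resp)

class Supplicant:
    """The station side of EAP: answers the challenge with its own secret."""
    def __init__(self, user: str, secret: bytes):
        self.user, self.secret = user, secret
    def respond(self, chal: bytes) -> bytes:
        return hmac.new(self.secret, chal, hashlib.sha256).digest()

class Authenticator:
    """The AP: relays EAP between STA and AS and opens the controlled port on success."""
    def __init__(self, server: AuthenticationServer):
        self.server = server
        self.session_keys: dict[str, bytes] = {}   # station -> per-station key

    def uncontrolled_port(self, station: str, ethertype: int, payload) -> str:
        if ethertype != ETHERTYPE_EAPOL:
            return "dropped"          # only EAPoL crosses the uncontrolled port
        return self._run_eap(station, payload)

    def controlled_port(self, station: str, ethertype: int, payload) -> str:
        if station not in self.session_keys:
            return "blocked"          # port is unauthorized until EAP succeeds
        return "forwarded"            # wired LAN services reachable

    def _run_eap(self, station: str, supplicant: Supplicant) -> str:
        chal = self.server.challenge()         # EAP-Request, AS -> AP (RADIUS) -> STA (EAPoL)
        resp = supplicant.respond(chal)        # EAP-Response, STA -> AP -> AS
        if not self.server.verify(supplicant.user, chal, resp):
            return "eap-failure"
        # Constructed key derivation: unique per station because chal is fresh
        self.session_keys[station] = hashlib.sha256(b"session" + chal + resp).digest()
        return "eap-success"

def run_scenario() -> dict[str, str]:
    """Drive the model through the states the slides describe."""
    server = AuthenticationServer({"alice": b"alice-secret", "bob": b"bob-secret"})
    ap = Authenticator(server)
    alice = Supplicant("alice", b"alice-secret")
    bob_wrong = Supplicant("bob", b"wrong-guess")
    out = {}
    out["data_before_auth"] = ap.controlled_port("sta-1", 0x0800, b"GET /")
    out["data_on_uncontrolled"] = ap.uncontrolled_port("sta-1", 0x0800, b"GET /")
    out["alice_eap"] = ap.uncontrolled_port("sta-1", ETHERTYPE_EAPOL, alice)
    out["data_after_auth"] = ap.controlled_port("sta-1", 0x0800, b"GET /")
    out["bob_eap"] = ap.uncontrolled_port("sta-2", ETHERTYPE_EAPOL, bob_wrong)
    out["data_sta2"] = ap.controlled_port("sta-2", 0x0800, b"GET /")
    return out

if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step:22s} {result}")
```

Two things the model makes visible: the AP never holds the credential database, it only relays EAP and acts on the server's verdict, and the session key exists only for stations that completed EAP, which is the "primary encryption keys are unique to each station and generated dynamically" point of the 802.1X slide.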
Existing Solutions & Other Methods • MAC address filtering • Access Point Placement • Virtual Private Networks (VPNs)