340 likes | 697 Views
Lesson 6 Commercial Intrusion Detection Systems. Overview. Common Commercial IDS IDS Evaluations Specialized IDS. Common IDS Products. CISCO CISCO IDS (son of Netranger) Computer Associates eTrust PaloAlto Networks All in one Firewalls HP TippingPoint
E N D
Overview • Common Commercial IDS • IDS Evaluations • Specialized IDS
Common IDS Products CISCO CISCO IDS (son of Netranger) Computer Associates eTrust PaloAlto Networks All in one Firewalls HP TippingPoint McAfee (was Intruvert) Intrushield Seimens (Enterasys) Dragon Internet Security Systems(now IBM) RealSecure Intrusion, Inc SecureNet,Secure Host iPolicy Networks ipEnforcer NetScreen NetScreen IDP NFR Security Network Flight Recorder Sourcefire Snort Symantec Corp Intruder Alert TippingPoint Technologies UnityOne Tripwire Inc Tripwire CoreTrace Bouncer
SNORT • Snort is a packet sniffer on steroids. • Can be placed at different points in a network to provide real time information. • By logging alerts and rule violations, a systems administrator can be mindful of attacks in progress or research past incidents.
Snort Usage • Run from the command line or as a Windows Service. • Lots of options
Snort Options USAGE: snort [-options] <filter options> snort /SERVICE /INSTALL [-options] <filter options> snort /SERVICE /UNINSTALL snort /SERVICE /SHOW Options: -A Set alert mode: fast, full, console, or none (alert file alerts only) -b Log packets in tcpdump format (much faster!) -c<rules> Use Rules File <rules> -C Print out payloads with character data only (no hex) -d Dump the Application Layer -e Display the second layer header info -E Log alert messages to NT Eventlog. (Win32 only) -f Turn off fflush() calls after binary log writes -F<bpf> Read BPF filters from file <bpf> -h<hn> Home network = <hn> -i <if> Listen on interface <if> -I Add Interface name to alert output -k<mode> Checksum mode (all,noip,notcp,noudp,noicmp,none) -l <ld> Log to directory <ld>
More Snort Options -L <file> Log to this tcpdump file -n <cnt> Exit after receiving <cnt> packets -N Turn off logging (alerts still work) -o Change the rule testing order to Pass|Alert|Log -O Obfuscate the logged IP addresses -p Disable promiscuous mode sniffing -P <snap> Set explicit snaplen of packet (default: 1514) -q Quiet. Don't show banner and status report -r <tf> Read and process tcpdump file <tf> -R <id> Include 'id' in snort_intf<id>.pid file name -s Log alert messages to syslog -S <n=v> Set rules file variable n equal to value v -T Test and report on the current Snort configuration -U Use UTC for timestamps -v Be verbose -V Show version number -W Lists available interfaces. (Win32 only) -w Dump 802.11 management and control frames -X Dump the raw packet data starting at the link layer -y Include year in timestamp in the alert and log files -z Set assurance mode, match on established sesions (for TCP) -? Show this information <Filter Options> are standard BPF options, as seen in TCPDump
Observations of Snort - Good • FREE! • Large user base • Community provides constant rule updates • Free tools to provide log analysis and email/pager alerts
Observations of Snort - Bad • UNIX tool ported to Windows; behaves like a UNIX tool • Difficult to configure • Cryptic command line driven interface • All configuration is driven by files • Lacks standardized support
How ACID Supports SNORT • ACID helps to make sense of Snort data in a visual manner. • Can help analyze trends and help filter out the noise by categorizing attacks and IP addresses. • Query-builder and search interface. • Can provide alerts when events occur.
ACID Usage • Acid runs as a set of PHP (PHP: Hypertext Preprocessor) web pages under IIS or Apache • Reports, alerts, and information is accessed through the web interface
Observations of ACID - Good • FREE! • Nice graphical interface written in PHP, therefore user community to rely on. • Free tools to provide log analysis and email/pager alerts. • Helps sort through all the info from Snort.
Observations of ACID - ACID • Lacks standardized support • Lots of options to become familiar with
PSTN IDS&Enterprise Manager • World’s leading voice network security company. • Secures & better manages enterprise voice networks (TDM, VoIP, or Hybrid) – close phone line backdoors into data networks. • Established in 1998 by WheelGroup • Flagship product: • The ETM® (Enterprise Telephony Management) System
IDS evaluation (integrated)(from Network Computing 8.20.2001)
IDS evaluation (host based)(from Network Computing 8.20.2001)
IDS evaluation (signatures)(from Network Computing 8.20.2001)
Centralized IDS Hierarchy Corporate Central Director All Business Offices ...
Partially Distributed IDS Hierarchy Corporate Upper Domain Central Director Regional Offices Intermediate Domain Intermediate Director Intermediate Director Intermediate Director Intermediate Director Business Offices ... Lower Domain
Fully Distributed IDS Hierarchy Corporate Upper Domain Central Director Regional Offices Intermediate Domain Intermediate Director Intermediate Director Intermediate Director Intermediate Director Business Offices ... Lower Domain
Discussion on current IDS • How are signature updates accomplished? • How often are signatures updated? How many are there? • What is the maximum bandwidth the IDS can monitor? • What network protocols can be monitored? • What OS platforms does the IDS work on? • Does the IDS platform interact with other devices (e.g. firewalls, routers…)? • What type of reporting tools are available? • How is the security manager notified of events? • Host or network based? Enterprise deployable? • What training is required to operate and how much time does it take to operate the IDS?
50 ways to defeat an IDS • 1 - Inserting extraneous characters into a standard attack typically causes detection failure. As an example, you could insert the string ‘&& true’ into a typical shell command line without ill effect on operation but with degraded IDS performance. • 2 - Use tabs instead of spaces in commands. Since most current systems don’t interpret all separators in the same way, changing to non-standard separators can make them fail. You might also try ‘,’ instead of ‘;’ in the Unix shell. • 3 – Closely related to number 2, you could change the separator character in the system so that (for example) % is the separator. This would confuse detection systems almost without exception. • 4 - Reorder a detected attack sequence. For example, if the attack goes ‘a;b;c’ and it would also work as ‘b;a;c’, most detection systems would rank the one they were not tuned to find as unlikely to be an actual attack. • 5 - Split a standard attack across more than one user. Using the ‘a;b;c’ example above, if user X types ‘a;b’ and user Y types ‘c’ the attack is almost certain to go undetected. • 6 - Split a standard attack across multiple sessions. Login once and type ‘a;b’, logout, then login and type ‘c’. • From 50 Ways to Defeat Your Intrusion Detection System by Fred Cohen of Fred Cohen & Associates
50 ways to defeat an IDS • 7 - Split across multiple remote IP addresses/systems. Login from sites X and Y, and type ‘a’ from site X, ‘b’ from site Y, and ‘c’ from site X. • 8 - Define a macro for a command used in a standard attack. For example, set a shell variable called ‘$ZZ’ to ‘cp’ and then use ‘$ZZ’ instead of ‘cp’ where appropriate. • 9 - Define a macro for a parameter in a standard attack. For example, use the name ‘$P’ instead of the string ‘/etc/passwd’. • 10 – Create shell scripts to replace commands you use. If you do this carefully, the detector will not associate the names you use for the scripts to the commands and will miss the whole attack. • 11 - Use different commands to do the same function. For example, ‘echo *’ is almost the same as ‘ls’ in the Unix shell. • 12 - Change the names in standard attacks. For example, if the standard attack uses a temporary file named ‘xxx’, try using ‘yyy’.
50 ways to defeat an IDS • 15 - Encrypt your attacks – for example, by using the secure shell facilities intended to increase protection by preventing snooping – including snooping by the IDS. • 21 - Overwhelm the IDS sensor ports. For example, by using an echo virus against a UDP port, you might make the sensor port unable to receive further sensor inputs. • 22 - Crash the IDS with ping packets. By sending long IPNG packets, many systems that run IDS systems can be crashed, causing them to fail to detect subsequent attacks. • 23 – Kill the IDS by attacking its platform. Most IDS systems run on regular hosts which can themselves be attacked. Once the platform is taken over, the IDS can be subverted. • 25 - Consume all IDS disk space then launch for real. By (for example) overrunning the disk space consumed by the IDS with innocuous but detected sequences, the IDS will fail and subsequent attacks go undetected. • 41 - Attack over dial-ins instead of a network. Network-based IDS systems will never notice this activity.
Summary • Commercial IDS doing well, but thinning • IDS Evaluations conducted regularly • Centralized vs Decentralized management • IDS can be defeated or circumvented