Intrusion Detection, Presentation 2 of n, by Manish Mehta, 02/07/03
What will we discuss? • Network-based detection • Network-based architecture: traditional sensor-based; distributed network-node • Network intrusion detection engine: signatures • Operational concepts for network-based detection • Benefits of network-based ID • Challenges for network-based technologies
Introduction • Why is it called 'network-based'? - It analyzes network packets. - The packets are 'sniffed' off the network. • TCP/IP is the protocol suite most commonly targeted by commercial IDS. • Products differ in how deep they decode the protocol stack; some decode all the way through the application layer.
Network-based Detection • Most network-based attacks are directed at OS vulnerabilities. • They are exploited mainly toward the following ends: • Unauthorized access • Data/resource theft • Denial of service
Unauthorized Access Unauthorized login - The key is to detect the attempt before or while the attacker logs in. - TFTP is well known for its lack of security (it has no authentication at all). - SunOS 4.1.x had security problems with its file-sharing protocol (NFS). Jump-off point - Attackers are 'bad', not 'stupid'. - One compromised computer can open up several other computers in the same organization. - Why is my mail server contacting DoD?
Data/Resource Theft Information theft - Downloading the password file gives the attacker the ability to compromise other systems (look for '/etc/passwd' on the wire). - Secret data file download: credit card numbers, employee HR data. Bandwidth theft - Firms with a lot of bandwidth do not use all of it at all times. - As the attacker's 'business' grows, the stolen bandwidth becomes noticeable and he gets caught.
Denial of Service Malformed packets - Not all error conditions are handled when the protocol stack is coded. - The code is not prepared for impossible values in argument fields. Packet flooding - Not a very sophisticated attack. - If the source address is spoofed, it can be hard to deal with. Distributed DoS - A special case of flooding (several machines attack at once). - ID is not a very good tool against this attack, since detecting a flood does not stop it, but it can be helpful.
NID Architecture • Two types of NID: Traditional sensor-based (promiscuous mode) - obtains packets, searches for patterns, reports alarms to the central command console. Network-node (distributed) - an agent on each computer, watching its own host as the target.
Traditional Sensor-based Architecture • Ethernet interface in promiscuous mode. • 'Sniffed' packets are fed to the detection engine (typically on the same machine). • Taps are distributed to all mission-critical segments (generally one per segment). • The central command console correlates alarms from multiple sensors.
Life cycle of a Packet • The packet is born. • It is 'sniffed' off the wire in real time by the sensor (a stand-alone machine or a network device in promiscuous mode). • The detection engine matches it against predefined patterns. If one matches, an alert is generated and forwarded to the central console. • The security officer is notified.
Life cycle of a Packet (Contd.) • A response is generated: - reconfigure router/firewall rules, - terminate the session. • The alert is stored for later review and correlation. • Reports are generated. • Data forensics for long-term trends.
Distributed Network-node Architecture • A sensor on every computer. • Each sensor is concerned only with the target it resides on. • Confused now between host-based and network-based? - The difference between host-based and network-based ID is the source of data: a network-node agent still reads packets, a host-based agent reads the host's audit logs. • Network-node agents communicate with each other over the network to correlate alarms at the console.
Life cycle of a Packet • The packet is born. • It is read in real time by a sensor resident on the destination machine. • A detection engine matches it against signatures of misuse. If a pattern is found, an alarm is generated and forwarded to the central console or to other sensors on the network.
Life cycle of a Packet (Contd.) • The security officer is notified. • A response is generated: - reconfigure router/firewall rules, - terminate the session. • The alert is stored for later review and correlation. • Reports are generated. • Data forensics for long-term trends.
Misconception: Real-Time ID "I need Intrusion Detection." "Are you interested in network-based or host-based?" "Oh, I need real-time Intrusion Detection." "Great, on the host or on the network?" "What???"
Network Intrusion Detection Engine • This is where the real magic is! • A stream of time-sequential TCP/IP packets is processed to detect predetermined sequences and patterns (signatures). • Speed is an issue: the engine must keep up with the wire or it drops packets.
Network Signatures • Packet content signatures: based on the contents (payload) of packets. Pattern matching, not understanding; how smart is that? • Traffic analysis signatures: based on header information and the flow of traffic. • More on detection mechanisms in future talks.
Packet Content Signatures • Simple example: copying the password file over FTP. - Look for the pattern 'passwd' in the packet. (Output of snoop)
source.com -> dest.com ETHER Type=0800 (IP), size = 67 bytes
IP D=134.193.22.26 S=134.193.18.3 LEN=53, ID=34704
TCP D=21 S=2095 Ack=21233432 Seq=21342876 Len=13 Win=4096
FTP C port=2095 RETR /etc/passwd\r\n
Note that such a signature fires on any packet to port 21 that carries the string 'passwd', including legitimate transfers of files whose names happen to contain it, and it sees nothing if the string is split across two packets.
Traffic Analysis Signatures • Simple examples: - A lot of packets destined to one machine in a relatively short period of time (an attempted DoS). - A packet arriving from outside the network whose source IP address belongs to the inside network (a spoofed source; it cannot legitimately come from outside).
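A small detection engine that implements the two slides above, added here as an example; it is not code from the presentation. It runs one packet-content signature (the 'passwd' pattern on port 21 from the snoop example) and two traffic-analysis signatures (a per-destination packet-rate threshold and the inside-source-from-outside check) over constructed sample traffic. The internal range 134.193.0.0/16 is assumed from the addresses in the snoop output, the sensor is assumed to sit outside the firewall, the 203.0.113.0/24 addresses are documentation addresses, and the flood threshold and window are made-up values.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Assumption: the monitored site owns 134.193.0.0/16 (the range in the slide's
# snoop output) and the sensor sits outside the firewall, so every packet it
# sees addressed to that range is inbound from the Internet.
INSIDE = ip_network("134.193.0.0/16")

# Packet-content signatures: (name, destination port, byte pattern).
CONTENT_SIGNATURES = [
    ("ftp-retr-passwd", 21, b"passwd"),
]

# Traffic-analysis thresholds (assumed values; tune per site).
FLOOD_THRESHOLD = 40      # packets to one destination ...
FLOOD_WINDOW = 2.0        # ... within this many seconds


def match_content(pkt):
    """Packet-content signature: pattern present in the payload of a packet to the port."""
    return [name for name, dport, pattern in CONTENT_SIGNATURES
            if pkt["dport"] == dport and pattern in pkt["payload"]]


def is_inbound(pkt):
    return ip_address(pkt["dst"]) in INSIDE


def is_spoofed_inside_source(pkt):
    """Traffic-analysis signature: an inbound packet claiming an inside source address."""
    return is_inbound(pkt) and ip_address(pkt["src"]) in INSIDE


class FloodDetector:
    """Traffic-analysis signature: too many packets to one host in a short window."""

    def __init__(self, threshold=FLOOD_THRESHOLD, window=FLOOD_WINDOW):
        self.threshold = threshold
        self.window = window
        self._times = defaultdict(deque)   # dst -> timestamps inside the window

    def observe(self, pkt):
        """Return True exactly once, when the destination's count crosses the threshold."""
        q = self._times[pkt["dst"]]
        q.append(pkt["ts"])
        while q and pkt["ts"] - q[0] > self.window:   # expire old timestamps
            q.popleft()
        return len(q) == self.threshold


def run_engine(packets):
    """Process packets in time order; return (signature, src, dst) alerts."""
    alerts = []
    flood = FloodDetector()
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        for name in match_content(pkt):
            alerts.append((name, pkt["src"], pkt["dst"]))
        if is_spoofed_inside_source(pkt):
            alerts.append(("spoofed-inside-source", pkt["src"], pkt["dst"]))
        if flood.observe(pkt):
            alerts.append(("packet-flood", "*", pkt["dst"]))
    return alerts


def packet(ts, src, dst, dport, payload=b""):
    """Decoded packet record with the fields snoop prints; no real capture is involved."""
    return {"ts": ts, "src": src, "dst": dst, "dport": dport, "payload": payload}


# Constructed sample traffic (not a real capture): an FTP RETR of the password
# file, a harmless RETR, one packet with a spoofed inside source, and a
# 50-packet burst at a web server from 203.0.113.0/24 (documentation range).
SAMPLE_TRAFFIC = [
    packet(0.00, "203.0.113.7", "134.193.22.26", 21, b"RETR /etc/passwd\r\n"),
    packet(0.10, "203.0.113.7", "134.193.22.26", 21, b"RETR README.txt\r\n"),
    packet(0.20, "134.193.18.3", "134.193.22.26", 25, b"HELO x\r\n"),
] + [
    packet(1.0 + i * 0.01, f"203.0.113.{10 + i}", "134.193.22.26", 80)
    for i in range(50)
]

if __name__ == "__main__":
    for alert in run_engine(SAMPLE_TRAFFIC):
        print(alert)
```

The flood detector fires once when the count first reaches the threshold rather than on every packet above it, which keeps a real flood from turning the console into a second victim; the spoof check is only valid for a sensor placed outside the firewall, exactly the placement question raised later in the talk.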
Operational Concepts • A NIDS only performs as well as it is operated (configured). • The value of the system depends on the skill of the operator. • Network-based ID may be used in a manner that requires very few resources.
How do I use a NIDS? • The specific use of a NIDS depends on environment-specific requirements. • Sensor placement plays an important role. Example: a sensor placed outside the firewall will identify the source addresses attempting to attack you, including attacks the firewall blocks; a sensor placed inside the firewall will detect the attacks that successfully circumvent your firewall. (IF you don't have a firewall, YOU SHOULDN'T BE HERE! GO INSTALL IT FIRST!!)
Operational Modes • The operational mode describes the manner in which you will operate your NIDS and partially describes the end goals of monitoring. • Two primary operational modes: - Tip-off - Surveillance
Tip-Off and Surveillance • The defining characteristic of tip-off: the system is detecting something previously unsuspected. • Unlike tip-off, surveillance takes place when misuse is already indicated or suspected. It is an increased effort to observe the behavior of a small set of objects (particular hosts, users or services).
Benefits of NID • Outside deterrence: notifying the attacker that he has been detected can enhance the deterrent value of an IDS. • Threat detection: can be used deterministically or in a decision-support context. • Automated response and notification: pager, SNMP trap, on-screen, audible, e-mail.
Challenges for Network-based Technologies (promiscuous mode) • Packet reassembly (IP fragmentation): patterns can only be searched for after reassembly, so a signature split across fragments evades a per-packet engine. • High-speed networks (Gigabit Ethernet?): the engine must keep up with the wire or it drops packets unseen. • Sniffer detection programs (AntiSniff): a promiscuous-mode sensor can itself be discovered. • Switched networks (IP over ATM?): a switch does not deliver every segment's traffic to the sensor's port. • Encryption (IPSec, VPN): payload signatures are blind to encrypted traffic; only the headers remain visible.
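An added example for the first challenge above, not code from the presentation: the FTP 'passwd' signature from the earlier slide is cut in two by IP fragmentation, a per-packet engine misses it, and a reassembly step in front of the same signature catches it. The fragments are constructed, the 203.0.113.7 source is a documentation address, and two simplifications are assumed and marked in the code: fragment offsets are plain byte offsets (real IP offsets count 8-byte units), and overlapping fragments are simply rejected.

```python
from collections import defaultdict

PATTERN = b"passwd"   # the same content signature as the FTP example


def match_per_packet(fragments):
    """Naive engine: search each fragment's bytes on its own.
    A signature that straddles a fragment boundary is never seen."""
    return [f for f in fragments if PATTERN in f["data"]]


class Reassembler:
    """Reassemble IP fragments keyed by (src, dst, ip_id) and hand back the
    whole datagram payload once every byte is present.

    Assumed simplifications: offsets are byte offsets (real IP headers carry
    them in 8-byte units), and overlapping fragments are rejected. A real
    reassembler must mimic the target host's overlap policy, because
    attackers use overlaps to show the IDS one thing and the host another."""

    def __init__(self):
        self._parts = defaultdict(dict)   # key -> {offset: bytes}
        self._total = {}                  # key -> datagram length, known from the tail

    def add(self, frag):
        key = (frag["src"], frag["dst"], frag["id"])
        parts = self._parts[key]
        parts[frag["offset"]] = frag["data"]
        if not frag["more"]:              # MF bit clear: this fragment is the tail
            self._total[key] = frag["offset"] + len(frag["data"])
        if key in self._total and self._contiguous(parts, self._total[key]):
            payload = b"".join(parts[off] for off in sorted(parts))
            del self._parts[key], self._total[key]
            return payload
        return None                       # still waiting for fragments

    @staticmethod
    def _contiguous(parts, total):
        end = 0
        for off in sorted(parts):
            if off != end:                # gap or overlap
                return False
            end += len(parts[off])
        return end == total


def match_after_reassembly(fragments):
    """Reassemble first, then run the content signature over whole datagrams."""
    reassembler, hits = Reassembler(), []
    for frag in fragments:
        datagram = reassembler.add(frag)
        if datagram is not None and PATTERN in datagram:
            hits.append(datagram)
    return hits


def fragment(offset, more, data, ip_id=34704):
    """Constructed fragment of one datagram from 203.0.113.7 (documentation
    range) to the FTP server address in the slide's snoop output."""
    return {"src": "203.0.113.7", "dst": "134.193.22.26", "id": ip_id,
            "offset": offset, "more": more, "data": data}


# "RETR /etc/passwd\r\n" cut inside the word, delivered tail first.
SPLIT_RETR = [
    fragment(14, False, b"wd\r\n"),
    fragment(0, True, b"RETR /etc/pass"),
]

if __name__ == "__main__":
    print("per-packet hits:", len(match_per_packet(SPLIT_RETR)))     # 0
    print("after reassembly:", match_after_reassembly(SPLIT_RETR))    # [b'RETR /etc/passwd\r\n']
```

The reassembler also has to hold partial datagrams in memory, which is why a high-speed link and fragmentation together are a resource problem for the sensor and not only a matching problem.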