Intrusion Detection

             Neil Long
        University of Oxford
Network Intrusion Detection Systems (IDS) are used to monitor attempts (successful or otherwise) to use remote exploits.
There are basically two different kinds of IDS:
  Post-intrusion detection after the event
  Active (re-active) real-time detection
Introduction (cont.)
The main difference between the two kinds of IDS can often be one of cost.

Many free packages depend on scripts for data reduction, whilst real-time IDS is usually commercial.
Post-Intrusion Detection
Suppose there is no firewall, or the attack is against a well-known service which cannot be access controlled.
The assumption is that an attack has been detected on one or more hosts (from logs, etc.).
Need to establish the extent of compromise for the rest of the site.
Network Flows
The extent of attacks can be determined if there are logs of all the TCP traffic.
Cisco flow logs can be recorded with high efficiency on Cisco routers.
Argus (available from SEI / CERT-CC)
Sniffers - tcpdump, snoop, etc.
Size of data files is a big issue.
Analysis and Reduction
This can be time consuming.
If the src IP of the attacker and the dest port are known, then similar targets, and the times they were hit, can be determined.
Data should be retained for a reasonable time in case of need to refine the analysis parameters.
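An added example of the data-reduction step described above (not from the slides): a script that takes a known attacker src IP and dest port, pulls every other host that was contacted on that port with the time of each contact, and then checks whether any of those hosts later opened connections back to the attacker. The flow records are a constructed, simplified CSV in the spirit of NetFlow/Argus output; the column names are assumptions.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample flow log (simplified NetFlow/Argus-style export).
# Columns: start time, src ip, src port, dst ip, dst port, proto, packets.
SAMPLE_FLOWS = """\
start,src,sport,dst,dport,proto,pkts
2024-01-05T02:14:01,203.0.113.7,40112,192.0.2.10,143,tcp,12
2024-01-05T02:14:09,203.0.113.7,40113,192.0.2.11,143,tcp,3
2024-01-05T02:15:30,198.51.100.4,51000,192.0.2.10,80,tcp,40
2024-01-05T02:16:02,203.0.113.7,40114,192.0.2.12,143,tcp,15
2024-01-05T02:16:40,203.0.113.7,40115,192.0.2.12,22,tcp,2
2024-01-05T03:01:11,192.0.2.12,60001,203.0.113.7,6667,tcp,90
"""


def parse_flows(text):
    """Parse CSV flow records into a list of dicts (one per flow)."""
    return list(csv.DictReader(StringIO(text)))


def targets_of(flows, attacker_ip, dport):
    """Map each dst host contacted by attacker_ip on dport to its contact times."""
    hits = defaultdict(list)
    for f in flows:
        if f["src"] == attacker_ip and f["dport"] == str(dport):
            hits[f["dst"]].append(f["start"])
    return dict(hits)


def callbacks_to(flows, hosts, attacker_ip, since):
    """Flows from suspected hosts back to the attacker after 'since'.

    ISO-8601 timestamps compare correctly as strings, so no parsing needed.
    A contacted host that later initiates traffic to the attacker is a
    strong sign it was actually compromised, not just probed.
    """
    return [f for f in flows
            if f["src"] in hosts and f["dst"] == attacker_ip and f["start"] >= since]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    hits = targets_of(flows, "203.0.113.7", 143)
    for host, times in sorted(hits.items()):
        print(host, "contacted on 143 at", ", ".join(times))
    first = min(t for ts in hits.values() for t in ts)
    for f in callbacks_to(flows, set(hits), "203.0.113.7", first):
        print("possible compromise:", f["src"], "->", f["dst"], "port", f["dport"], "at", f["start"])
```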
Real-time IDS
Several commercial packages.
Need very fast TCP monitoring.
Packets analysed for tell-tale fingerprints.
Port scans, buffer overflows, cgi-bin, etc.
Many ‘new’ attacks may not be detected, but there may be a ‘generic’ indicator.
Log ‘events’ detected.
Real-time IDS (cont.)
Huge logfiles if too many ‘events’ are enabled on a busy interface.
Fingerprint updates - maintenance costs.
Main benefit - real-time alarms and auto-
SNMP traps, email, auto-kill, firewall ACL on detection if one reliable event.
Real-time IDS (cont.)
One event could trigger a block for all further attacks from the attacking host.
Beware IP spoofing - easy DoS.
IDS becomes a target for attacks - direct or indirect - efficiency falls under high packet loads.
Newer style attacks - multi-sourced and/or slow (low frequency).
Both should offer chance to go back in
Ease of data extraction - time stamp
Secure access to IDS needs care - obviously a very tempting target.
Can be distributed across network - combine data.
Real-time and Post-event
Major benefit if you have both IDS systems' logs to analyse.
Net-flow or Argus very efficient and unlikely to miss connections.
Use one to trace events in the other(s).
Src MAC address very hard to trace unless all routers log flows.
IDS is another very useful component in a multi-faceted security system.
One observant admin’s report can lead to a speedy recovery of many compromised hosts.
Non-obvious target ports can then be considered for ACLs.
Data can be used to support bids for