Intrusion Detection Systems (IDS)

                           Jeramie Reese




1              8/30/2012             Jeramie Reese - IDS
    Agenda
       What is Intrusion Detection?
       Categorizing IDS Systems
       IDS Functionality
       Passive Scans
       Benefits
       IDS Products
       Open Source Project: Snort
       Conclusion
       References

    What is Intrusion Detection?

       “An IDS does for a network what an antivirus software
        package does for files that enter a system.”
       “An Intrusion Detection System (IDS) is a system for
        detecting misuse of network or computer resources.”
       Sensors
        –   Connection Requests
        –   Log File Monitors
        –   File Integrity Checker
        –   User Account Auditing


    Categorizing IDS Systems

       Misuse detection
       Anomaly detection
       Network-based
       Host-based systems
       Passive system
       Reactive system


    IDS Functionality
       [Figure: IDS functionality diagram, from http://www.snort.org/docs/idspaper/]
    Passive Scans

       Active (Intrusion Prevention System: IPS) vs. Passive Scans (IDS)
       Collect / Analyze Information
       Looking for patterns of misuse
        –   Attack Signatures
        –   Authorized users overstepping permissions
        –   Patterns of abnormal activity
                Failed password attempts
                Access times
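The two "patterns of abnormal activity" on this slide, failed password attempts and unusual access times, are what a host-based log file monitor looks for. Below is an added example written for this page (not code from the deck or from any IDS product) that runs that analysis over constructed sshd-style log lines; the threshold, window and business-hours policy are assumptions chosen here, and the analysis is passive in the sense the slide describes: it only raises alerts and never blocks a connection.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd-style auth log lines (sample data, not from any real host).
SAMPLE_LOG = """\
2012-08-30 09:14:02 sshd[4101]: Failed password for alice from 10.0.0.5 port 51234
2012-08-30 09:14:05 sshd[4101]: Accepted password for alice from 10.0.0.5 port 51234
2012-08-30 23:41:10 sshd[4188]: Failed password for root from 203.0.113.7 port 40001
2012-08-30 23:41:12 sshd[4188]: Failed password for root from 203.0.113.7 port 40002
2012-08-30 23:41:13 sshd[4188]: Failed password for admin from 203.0.113.7 port 40003
2012-08-30 23:41:15 sshd[4188]: Failed password for root from 203.0.113.7 port 40004
2012-08-30 23:41:16 sshd[4188]: Failed password for root from 203.0.113.7 port 40005
2012-08-30 23:41:20 sshd[4188]: Accepted password for root from 203.0.113.7 port 40006
2012-08-31 03:05:44 sshd[3990]: Accepted publickey for bob from 10.0.0.9 port 50010
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+$"
)

# Assumed policy values; tune them per environment.
FAILURE_THRESHOLD = 5          # failed logins from one source ...
WINDOW_SECONDS = 60            # ... within this many seconds
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 counts as a normal access time


def parse_log(text):
    """Turn matching lines into event dicts; lines the pattern does not cover are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                "result": m["result"],
                "user": m["user"],
                "src": m["src"],
            })
    return events


def analyze(text):
    """Passive analysis: returns (kind, src, user, timestamp) alerts, never blocks anything."""
    alerts = []
    failures = defaultdict(list)  # src -> timestamps of recent failed logins
    for e in parse_log(text):
        # Keep only this source's failures inside the sliding window ending at this event.
        recent = [t for t in failures[e["src"]]
                  if 0 <= (e["ts"] - t).total_seconds() <= WINDOW_SECONDS]
        if e["result"] == "Failed":
            recent.append(e["ts"])
            if len(recent) == FAILURE_THRESHOLD:   # fire once, when the threshold is crossed
                alerts.append(("brute-force", e["src"], e["user"], e["ts"]))
        else:
            if e["ts"].hour not in BUSINESS_HOURS:
                alerts.append(("off-hours-login", e["src"], e["user"], e["ts"]))
            if len(recent) >= FAILURE_THRESHOLD:   # a success right after a burst of failures
                alerts.append(("login-after-failures", e["src"], e["user"], e["ts"]))
        failures[e["src"]] = recent
    return alerts


if __name__ == "__main__":
    for kind, src, user, ts in analyze(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {kind:22} src={src} user={user}")
```

Alice's single typo followed by a daytime login produces nothing, which is the behaviour you want from a threshold rule; the burst from 203.0.113.7 produces a brute-force alert and then a higher-priority "success after failures" alert, and Bob's 03:05 key-based login is flagged only because of its time.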

    Benefits
       Early warning of attack
       Flexible configuration options
       Alerts that a Network Invasion may be in progress
       Help identify the source of the incoming probes or attacks
       Troubleshoot system anomalies
       Determine what has been compromised
       Catches insider hacking
       Identify attacker (proof)

    IDS Products (Commercial)

       Cisco Intrusion Detection
        –   Cisco Secure IDS Director Software ($4,900)
       Internet Security Systems
        –   Real Secure ($8,995 per sensor)
       Symantec Corporation
        –   Intruder Alert (server: $995, workstation: $295)
       Tripwire Inc.
        –   Tripwire Manager 2.4 ($6,995)


    IDS Products (Open Source)

       Naval Surface Warfare Center
        –   Shadow IDS
        –   Originally started by the Cooperative Intrusion Detection Evaluation and Response (CIDER) project
       Developer: Stephen P. Berry
        –   Shoki IDS
       Developer: Marty Roesch
        –   Snort IDS




     Snort

        Packet Sniffing
         –   Similar to tcpdump
        Packet Monitoring
         –   Useful for network traffic debugging
        Intrusion Detection
         –   Applies rules on all captured packets




     Snort Rules

        Rule Actions
        Protocols
        IP Addresses
        Port Numbers
        The Direction Operator
        Activate/Dynamic Rules


     Snort Rules Examples

        log tcp 192.168.1.0/24 any <> 192.168.1.0/24 23 (content: "USER root"; msg: "FTP root login";)
        alert icmp any any -> any any (msg: "Ping with TTL=100"; ttl:100;)
        log udp any any -> 192.168.1.0/24 1:1024
        Response: Fast Mode, Full Mode, UNIX Socket Mode, SNMP, SYSLOG, etc.
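To make the rule components from the previous slide concrete (action, protocol, addresses, ports, the direction operator, and body options), here is an added example written for this page rather than code from the deck or from Snort: a small parser for the three rules above and a matcher that evaluates them against constructed packets. It covers only the options those rules use (content, msg, ttl) and CIDR/"any" addresses and single/range/"any" ports; the packet representation and function names are this example's own assumptions, and Snort itself does far more (fragment reassembly, stream tracking, preprocessors).

```python
import ipaddress
import re

# The deck's three example rules in valid Snort 2 syntax (copied here for the demo).
RULES_TEXT = """\
log tcp 192.168.1.0/24 any <> 192.168.1.0/24 23 (content: "USER root"; msg: "FTP root login";)
alert icmp any any -> any any (msg: "Ping with TTL=100"; ttl:100;)
log udp any any -> 192.168.1.0/24 1:1024
"""

# key: "quoted value";  or  key: bare;
OPTION_RE = re.compile(r'(\w+)\s*:\s*(?:"([^"]*)"|([^;]*))\s*;')


def parse_rule(line):
    """Split a rule into its seven header fields and a dict of body options."""
    header, _, body = line.strip().partition("(")
    fields = header.split()
    if len(fields) != 7:
        raise ValueError(f"header needs 7 fields: {header!r}")
    action, proto, src, sport, direction, dst, dport = fields
    if direction not in ("->", "<>"):
        raise ValueError(f"bad direction operator: {direction!r}")
    options = {}
    for m in OPTION_RE.finditer(body.rstrip().rstrip(")")):
        key, quoted, bare = m.groups()
        options[key] = quoted if quoted is not None else bare.strip()
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport, "options": options}


def ip_matches(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    if spec == "any":
        return True
    if ":" in spec:                          # range such as 1:1024; open ends allowed
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def endpoints_match(rule, src, sport, dst, dport):
    return (ip_matches(rule["src"], src) and port_matches(rule["sport"], sport)
            and ip_matches(rule["dst"], dst) and port_matches(rule["dport"], dport))


def rule_matches(rule, pkt):
    """Header first (protocol, addresses, ports, direction), then body options."""
    if rule["proto"] != pkt["proto"]:
        return False
    hit = endpoints_match(rule, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if not hit and rule["direction"] == "<>":   # bidirectional: try the reverse orientation
        hit = endpoints_match(rule, pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    if not hit:
        return False
    opts = rule["options"]
    if "content" in opts and opts["content"].encode() not in pkt.get("payload", b""):
        return False
    if "ttl" in opts and pkt.get("ttl") != int(opts["ttl"]):
        return False
    return True


def evaluate(rules, packets):
    """First matching rule decides; returns (action, msg) or None per packet."""
    out = []
    for pkt in packets:
        hit = next((r for r in rules if rule_matches(r, pkt)), None)
        out.append((hit["action"], hit["options"].get("msg", "")) if hit else None)
    return out


RULES = [parse_rule(l) for l in RULES_TEXT.splitlines() if l.strip()]

# Constructed packets (sport/dport are 0 for ICMP, which has no ports).
PACKETS = [
    dict(proto="tcp", src="192.168.1.5", sport=40000, dst="192.168.1.10", dport=23, payload=b"USER root\r\n"),
    dict(proto="tcp", src="192.168.1.10", sport=23, dst="192.168.1.5", dport=40000, payload=b"USER root\r\n"),
    dict(proto="tcp", src="10.0.0.1", sport=40000, dst="192.168.1.10", dport=23, payload=b"USER root\r\n"),
    dict(proto="icmp", src="10.0.0.1", sport=0, dst="10.0.0.2", dport=0, ttl=100),
    dict(proto="icmp", src="10.0.0.1", sport=0, dst="10.0.0.2", dport=0, ttl=64),
    dict(proto="udp", src="10.0.0.1", sport=5353, dst="192.168.1.20", dport=53),
    dict(proto="udp", src="10.0.0.1", sport=5353, dst="192.168.1.20", dport=5000),
]


def demo():
    return evaluate(RULES, PACKETS)


if __name__ == "__main__":
    for pkt, decision in zip(PACKETS, demo()):
        print(f"{pkt['proto']:4} {pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']}  {decision}")
```

The second packet shows what the "<>" operator buys: the same rule fires when the telnet server's side of the conversation is the source, which "->" would not match. The third packet matches neither orientation because one of its endpoints is outside 192.168.1.0/24, and the last UDP packet is dropped by the 1:1024 port range even though its destination network matches.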


     Conclusion

        IDS could benefit from standards
        Neighborhood Architecture
         –   IDS itself can be attacked
         –   Altered to report incorrect data
        Heuristic data collection
        More focus on internal attacks



     References
        Honeypots; Intrusion Detection, Honeypots and Incident Handling Resources; 2001. http://www.honeypots.net/ids/products
        Infosyssec; Intrusion Detection Systems FAQ; 2003. http://www.infosyssec.net/infosyssec/intdet1.htm
        Network World Fusion; Buyer's Guide: Network-based intrusion-detection systems; 2001. http://www.networkworld.com/reviews/2001/1008bgtoc.html
        Shimonski, Robert J.; What You Need to Know About Intrusion Detection Systems; 2001. http://www.windowsecurity.com/articles/What_You_Need_to_Know_About_Intrusion_Detection_Systems.html

