Knock, Knock, Knocking on (Network) Doors:
Penn State's Intrusion Detection Architecture


Copyright Penn State Information Technology Services,
2004. This work is the intellectual property of the author.
Permission is granted for this material to be shared for non-
commercial, educational purposes, provided that this
copyright statement appears on the reproduced materials and
notice is given that the copying is by permission of the
author. To disseminate otherwise or to republish requires
written permission from the author.
  The Security Professionals Workshop
             May 18, 2004
Security Operations and Services

●   A division of Information and Technology
    Services (ITS) at Penn State
●   8 full time staff members
    –   Director
         ●   Kathy Kimball
    –   Intrusion detection:   2 staff members
         ●   Randy Hegarty
         ●   Mike Petkac
    –   Incident response:     2 staff members
    –   Virus response:        1 staff member
    –   Advanced Forensics:    1 staff member
    –   Training:              1 staff member
Penn State by the Numbers: Enrollment Fall 2003

University Park (Main Campus)    41,795
Other campus locations           33,743
College of Medicine                 738
Dickinson School of Law             646
PA College of Technology          6,255

Totals                           83,177
    Penn State by the Numbers:
     Information Technology


●   110,000+ active access accounts
●   3 ½ class B networks *
    –   * excludes Hershey Medical Center (another class B)
    –   * ½ class B for residence halls (locked by MAC)
    –   229,376 IP addresses
         ●   5,120 modem addresses
         ●   2,167 mobility addresses
         ●   ????? wireless/VPN addresses
Penn State Network View
Penn State Network View (cont)
Security Status: January 2001

●   Known colleges/departments/campuses with
    network security devices: 1
●   SOS: 3 full time staff members
    –   Primary function: incident response
    –   Secondary function: intrusion detection
         ●   Based on (ex/in)ternal reports and well-known information (e.g. Sub7)
         ●   "Intrusion Detection" tools
               – Nmap
               – Remote Intrusion Detection (RID)
                    ● Signature-based, checked per port
                    ● Example: TCP port 27374; signature "connected. time/date" (the Sub7 greeting)


    –   Much accomplished, but issues loomed
    –   Mission: implementation of SOS five-year plan to
        address issues
Intrusion Detection's Arrival

●   A component of the SOS five-year plan:
    security enhancements to existing
    infrastructure
    –   Two-step process was envisioned
         ●   External (commercial) analysis/recommendation plan
         ●   External (commercial) implementation of recommendations
    –   Step 1 (conducted August – November 2001) results
         ●   Open-source recommendations:
               – Snort (signature-based network intrusion detection system, NIDS)
               – Hogwash (Snort-based early intrusion prevention system, IPS)
    –   NIDS path chosen for initial pursuit
         ●   Commercial 24x7 managed service pilot (April – June 2002)
               – 3 NIDS / 2 HIDS
         ●   SOS IDS program (June 2002)
Snort Network Configuration

●   Location: local area network level
●   Network requirements
    –   Network switch with mirrored/monitor port
            or
    –   Network tap
●   System requirements
    –   Hardened/firewalled host
    –   Two interface cards
         ●   1 promiscuous sniffing interface (receives the mirrored traffic only; never transmits)
         ●   1 management/monitoring interface

SOS Deployed IDS Units

●   18 installed units
    –   2002: 6 units (5 commercial, 1 SOS build)
    –   2003: 12 units (3 commercial, 9 SOS builds)
●   Locations
    –   8 units at 6 non-UP campus locations
    –   6 units at 5 UP colleges
    –   2 units at 2 ITS locations
    –   1 unit at other UP department
    –   1 unit at UP residence hall*
●   8,912 addresses covered (~35 class Cs)
Initial Experiences

●   Overwhelming amount of data
    –   Initial average of 60,000 alerts daily on each sensor
●   What does this alert mean?
    –   Initial tendency to analyze false positives
    –   Initial tendency to question/ignore alerts
●   How do I write this rule?
●   Constant attention needed
    –   No benefit without continuous monitoring
    –   Rule sets/software updates
    –   Mirror ports go down
●   The insight provided into networks
IDS and ID Tool Utilization

●   Iterative process using Snort, RID, nmap,
    flow data, (ex/in)ternal reports and well-known
    information; for example:
    –   Scanning activity from internal host ((ex/in)ternal
        report or Snort detected)
         ●   Nmap of host / connection to open ports for signature detection
         ●   Signature of detected port(s) input into RID
                    or
    –   Compromise (with signature) detected by Snort
         ●   Signature of detected port(s) input into RID
                    or
    –   Backdoor without signature identified on specific port
         ●   Nmap scans
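The RID step in the loop above (connect to a port, read what the service sends, compare it with a known signature such as "connected. time/date" on TCP 27374) in working form. This is an added example, not Penn State's RID tool or code from the talk: the Sub7 port/banner pair comes from the slides, while the "FTP greeting on a non-standard port" entry, the host list and the local fake backdoor used to exercise it are constructed here.

```python
"""RID-style check: connect to candidate ports on each host, read the first
bytes the service sends and compare them with known backdoor banners.

Added example, not Penn State's RID tool or code from the talk. The Sub7
port/banner pair is from the slides; the "FTP greeting on an odd port"
entry, the host list and the local fake backdoor are constructed here."""
import socket
import threading
from typing import Dict, List, Optional, Tuple

Signature = Tuple[str, bytes]          # (label, substring expected in banner)

# port -> signature. Extend this table as new compromises are seen.
SIGNATURES: Dict[int, Signature] = {
    27374: ("Sub7 backdoor", b"connected. time/date"),
    # assumption: an FTP-style "220" greeting on a non-FTP port is treated
    # as a rogue/warez server indicator, as in the talk's port 206/1926 case
    1926: ("FTP greeting on non-standard port", b"220 "),
}


def grab_banner(host: str, port: int, timeout: float = 2.0) -> Optional[bytes]:
    """First bytes sent by the service, b"" if the port is open but silent,
    None if the port is closed or unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                return s.recv(256)   # services that need a prompt stay silent
            except socket.timeout:
                return b""
    except OSError:                  # refused, no route, connect timeout
        return None


def check_host(host: str, sigs: Dict[int, Signature] = SIGNATURES,
               timeout: float = 2.0) -> List[Tuple[int, str]]:
    """Ports on `host` whose banner matches the signature registered for them."""
    hits = []
    for port, (label, needle) in sorted(sigs.items()):
        banner = grab_banner(host, port, timeout)
        if banner and needle in banner:
            hits.append((port, label))
    return hits


def rid_scan(hosts, sigs: Dict[int, Signature] = SIGNATURES,
             timeout: float = 2.0) -> Dict[str, List[Tuple[int, str]]]:
    """Sweep a host list; only hosts with at least one hit are reported."""
    results = {}
    for host in hosts:
        hits = check_host(host, sigs, timeout)
        if hits:
            results[host] = hits
    return results


def start_fake_backdoor(banner: bytes) -> Tuple[int, threading.Event]:
    """Constructed test double: a listener on an ephemeral 127.0.0.1 port that
    greets every client with `banner`, the way a Sub7 server does."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)               # lets the thread notice the stop flag
    stop = threading.Event()

    def serve():
        with srv:
            while not stop.is_set():
                try:
                    conn, _ = srv.accept()
                except socket.timeout:
                    continue
                with conn:
                    try:
                        conn.sendall(banner)
                    except OSError:
                        pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop


def find_closed_port() -> int:
    """A local port that is currently not listening (for negative checks)."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


if __name__ == "__main__":
    port, stop = start_fake_backdoor(b"connected. time/date: 08:26:46, 05/09\r\n")
    # the fake listens on an ephemeral port, so register the Sub7 signature there
    print(rid_scan(["127.0.0.1"], {port: SIGNATURES[27374]}))
    stop.set()
```

A closed port comes back as None and an open-but-silent port as b"", so the two cases are not confused: the second is still worth an nmap follow-up, which is the path the slide describes for backdoors that have no banner.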
Ex 1: Snort Detected Portscan

05/09-08:26:46 Portscan detected {TCP} 128.118.xx.xx:7047 -> 128.118.xx.xx:445
05/09-08:26:56 Portscan detected {TCP} 128.118.xx.xx:14494 -> 128.118.xx.xx:445
05/09-08:30:00 Portscan detected {TCP} 128.118.xx.xx:3578 -> 128.118.xx.xx:445
05/09-08:32:24 Portscan detected {TCP} 128.118.xx.xx:3975 -> 128.118.xx.xx:445
05/09-08:38:22 Portscan detected {TCP} 128.118.xx.xx:1152 -> 128.118.xx.xx:445
05/09-08:40:16 Portscan detected {TCP} 128.118.xx.xx:2459 -> 128.118.xx.xx:445
05/09-08:42:36 Portscan detected {TCP} 128.118.xx.xx:2320 -> 128.118.xx.xx:445

Nmap of the scanning host:

Interesting ports on (128.118.xx.xx):
Port   State   Protocol   Service
135    open    tcp        loc-srv
139    open    tcp        netbios-ssn
206    open    tcp        at-zis
...
1926   open    tcp        unknown

Connection to ports 206, 1926:
220                          ...

RID detected 18 additional hosts and 2 additional compromised ports: TCP 90/4711

RID scan for TCP ports 90/4711 detected 19 additional hosts
Ex 2: Snort Detected Compromise

05/14-05:56:47 [1:1326:3] EXPLOIT ssh CRC32 overflow NOOP [Classification: Executable code was detected] [Priority: 1] {TCP} 210.50.152.189:1898 -> 128.118.xxx.xxx:22
                                ...
05/14-05:58:46 [1:1324:3] EXPLOIT ssh CRC32 overflow /bin/sh [Classification: Executable code was detected] [Priority: 1] {TCP} 210.50.152.189:1903 -> 128.118.xxx.xxx:22

05/14-06:01:17 LR - Possible SSHD Backdoor [Classification: Misc RID] {TCP} 128.118.xxx.xxx:101 -> 81.196.33.66:1140

05/14-06:04:27 (spp_portscan2) Portscan detected from 128.118.xxx.xxx {TCP} 128.118.xxx.xxx:1039 -> 81.216.198.11:21

Nmap of the targeted host:

Interesting ports on (128.118.xxx.xxx):
Port   State   Protocol   Service
22     open    tcp        ssh
...
101    open    tcp        hostname
...

SSH banner: SSH-1.5-1.2.32
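The two examples above show the pattern the analyst is reading for: an inbound exploit alert against a campus host, then that same host talking outbound (a RID backdoor hit, a portscan). As an added example, not Penn State's tooling or code from the talk, the block below parses Snort fast-alert lines of the shape shown and escalates any home-net host that is hit by a priority-1 alert from outside and later appears as the source of outside-bound activity. SAMPLE_ALERTS are the slide's own Ex 2 lines joined onto one line each, with addresses masked as on the slide; the HOME_NET prefix and the correlation rule are assumptions made for the demo.

```python
"""Parse Snort fast-alert lines and correlate inbound exploit alerts with
later outbound activity from the targeted host.

Added example, not Penn State's tooling or code from the talk. SAMPLE_ALERTS
are the slide's own lines joined onto one line each (addresses masked as on
the slides); HOME_NET and the "priority-1 exploit, then outbound traffic"
rule are assumptions made for this demo."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

HOME_NET = ("128.118.",)   # assumption: local prefix as masked on the slides

# Snort "fast" alert line: timestamp, optional [gid:sid:rev], message,
# optional classification/priority, protocol, src:port -> dst:port.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\s+(?:\[\*\*\]\s+)?"
    r"(?:\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+)?"
    r"(?P<msg>.+?)\s*(?:\[\*\*\]\s*)?"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s*)?"
    r"(?:\[Priority:\s*(?P<pri>\d+)\]\s*)?"
    r"\{(?P<proto>[A-Za-z]+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)

SAMPLE_ALERTS = """\
05/14-05:56:47 [1:1326:3] EXPLOIT ssh CRC32 overflow NOOP [Classification: Executable code was detected] [Priority: 1] {TCP} 210.50.152.189:1898 -> 128.118.xxx.xxx:22
05/14-05:58:46 [1:1324:3] EXPLOIT ssh CRC32 overflow /bin/sh [Classification: Executable code was detected] [Priority: 1] {TCP} 210.50.152.189:1903 -> 128.118.xxx.xxx:22
05/14-06:01:17 LR - Possible SSHD Backdoor [Classification: Misc RID] {TCP} 128.118.xxx.xxx:101 -> 81.196.33.66:1140
05/14-06:04:27 (spp_portscan2) Portscan detected from 128.118.xxx.xxx {TCP} 128.118.xxx.xxx:1039 -> 81.216.198.11:21
"""


@dataclass
class Alert:
    ts: datetime        # the slide has no year; parsed as 1900, fine for ordering
    sid: Optional[int]
    msg: str
    classification: Optional[str]
    priority: Optional[int]
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_alerts(text: str) -> List[Alert]:
    """Lines that do not fit the fast-alert shape are skipped, not guessed at."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        alerts.append(Alert(
            ts=datetime.strptime(m["ts"], "%m/%d-%H:%M:%S"),
            sid=int(m["sid"]) if m["sid"] else None,
            msg=m["msg"],
            classification=m["cls"],
            priority=int(m["pri"]) if m["pri"] else None,
            proto=m["proto"],
            src=m["src"], sport=int(m["sport"]),
            dst=m["dst"], dport=int(m["dport"]),
        ))
    return alerts


def is_home(addr: str) -> bool:
    return addr.startswith(HOME_NET)


def top_signatures(alerts: List[Alert], n: int = 10) -> List[tuple]:
    """First triage cut for a noisy sensor: which messages dominate the day."""
    return Counter(a.msg for a in alerts).most_common(n)


def triage(alerts: List[Alert]) -> Dict[str, dict]:
    """Home-net hosts hit by a priority-1 alert from outside. Any later alert
    in which that host is the source of outside-bound traffic escalates the
    verdict; the follow-up is then nmap of the host and a new RID signature."""
    findings: Dict[str, dict] = {}
    for a in alerts:
        if a.priority == 1 and is_home(a.dst) and not is_home(a.src):
            f = findings.setdefault(a.dst, {"exploits": [], "outbound": [],
                                            "verdict": "exploit attempt seen"})
            f["exploits"].append((a.ts, a.src, a.msg))
    for a in alerts:
        f = findings.get(a.src)
        if f is None or is_home(a.dst):
            continue
        if a.ts > min(t for t, _, _ in f["exploits"]):
            f["outbound"].append((a.ts, a.dst, a.dport, a.msg))
            f["verdict"] = "likely compromised"
    return findings


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    print(top_signatures(parsed))
    for host, f in triage(parsed).items():
        print(host, f["verdict"], len(f["exploits"]), "exploit alerts,",
              len(f["outbound"]), "outbound alerts")
```

The ordering check matters: an outbound alert that predates the first exploit alert against the host is not evidence that the exploit worked, so it is left out of the escalation.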
IDS and ID Tool Summary

●   Caution: numbers do not fully depict situation
●   2002 – 2003
    –   2,909 machines attributed to IDS
    –   1,253 machines attributed to RID/nmap scans
    –   4,162 machines from IDS/ID tools
●   2004 (January through April)
    –   1,803 machines attributed to IDS
    –     120 machines attributed to RID/nmap scans
    –   1,923 machines from IDS/ID tools


●   6,085 machines from IDS/ID tools
    (28 months)
Location/Type Detections in 2004 (January through April)

By location:

Location            Machines
Mod/Mob/Wireless         697
Res Hall                 445
University               781
Total                  1,923

By type:

Machines   Type
   1,312   IRC Bots (full control/Warez)
     279   Welchia
     177   Blaster
      81   Misc Trojans (Backdoors/Spammers)
      74   Warez

Additional Experiences

●   Effectiveness? - can't say with certainty
    –   Circumstances often limit monitoring (e.g. crisis
        management, other tasks, time off)
    –   Things are missed/ignored
    –   Signatures don't exist or not on devices
●   What we can say with certainty
    –   Improvement over the commercial 24x7 managed service trial
    –   Central detection contributes to effectiveness during a crisis
    –   July 2003: border filters applied for vulnerable Microsoft
        ports (and a few more)
         ●   More internal damage is detected/limited
         ●   July 30/August 7, 2003 experiences
    –   Self-monitoring is important: with border filters in place there is
        less external reporting, and some attacks stay entirely inside
The Need for Automation

●   New attacks/worms require IDS signature
    development (though the portscan preprocessor may catch them first)
●   Human analysis/response (even 24x7) is
    insufficient to minimize attack/worm damage
    –   "Triage" experience against recent rapidly propagating
        attacks: Sadmind/Code Red/Nimda/Blaster/Welchia/Witty
    –   Stealthy, relatively slow attacks with higher risk potential:
        Gaobot/Phatbot
●   Intrusion prevention: detecting known and
    unknown attacks and preventing their success

Intrusion Prevention Systems

●   System/market development still early
●   Many players are startup companies
●   Some issues common to other security devices
    –   Latency
    –   Network placement
    –   Scalability
●   Some issues uncommon to other devices
    –   Escalation of false positive issues
    –   Escalation of false negative or exception issues
Some IPS Types

●   Inline NIDS
    –   Hogwash (looking for a new maintainer)
    –   Flexresp2 (Snort plugin to terminate connections)
●   Firewalls coupled with IDS
    –   Checkpoint FW-1 Smart Defense/Application Intelligence
    –   SnortSam (Snort plugin)
         ●   Architecture supports large, distributed response networks
         ●   Compatible with Checkpoint/Cisco/Netscreen/Watchguard firewalls and
             Cisco routers
●   Deceptive/engaging systems
    –   One initially tested; others to be evaluated
●   Layer seven switches

Future Plans

●   Intrusion Detection
    –   Continue with new IDS deployments
    –   Begin life-cycle replacement of initial units
    –   Upgrade ID tool (RID/nmap) resources
●   Intrusion Prevention
    –   Proceed cautiously, but proceed
    –   SnortSam test/evaluation
    –   Continue/expand commercial product testing/evaluation
    –   Continue investigating new/enhanced products
Security Status: Today

●   Known colleges/departments/campuses with
    firewalls: 22
    –   42% of colleges with college-wide deployment
    –   25% of non-UP campuses
●   Known colleges/departments/campuses with
    IDS: 21
    –   5 units independently running IDS
    –   6 coupled with firewalls
●   SOS security staff: 8 members
●   Security state relative to 2001?

Questions?

Kathy Kimball
krk5@psu.edu

Randy Hegarty
rlh30@psu.edu

Mike Petkac
mjp23@psu.edu

				