VIEWS: 53 PAGES: 25 POSTED ON: 7/30/2011
Network Intrusion Detection Systems MM Clements A Adekunle Lecture Overview • Taxonomy of intrusion detection system • Promiscuous & Inline Mode Protection: IDS, IPS • IDS and IPS Deployment Considerations & example • Cisco IDS family • Snort • IDS/IPS Vulnerabilities • How to protect IDS? • Unified Threat Management (UTM) • Summary Engineering and Management of Secure Computer Networks 2 Intrusion Detection • Detection and protection from attacks against networks • Three types of network attacks – Reconnaissance – Access – Denial of service Engineering and Management of Secure Computer Networks 3 Intrusion detection system (IDS) • An Intrusion detection system (IDS) is software or hardware designed to monitor, analyze and respond to events occurring in a computer system or network for signs of possible incidents of violation in security policies. – These incidents of violations can be unwanted attempts to access, manipulate or disable computer systems, mainly via a network, such as the Internet. Engineering and Management of Secure Computer Networks 4 Classification of Intrusion Detection • Profile or Anomaly based intrusion detection – Monitors network traffic and compares it against an established baseline for normal use • Bandwidth, protocols, ports and devices generally connecting to each other – Alerts the administrator or user when traffic is detected which is anomalous, or significantly different, than the baseline. – Example: Snort Spade plug-in – Prone to high number of false-positives Engineering and Management of Secure Computer Networks 5 Classification of Intrusion Detection • Signature based intrusion detection – Also known as Misuse Detection • A signature based IDS will monitor packets on the network and compare them against a database of signatures or attributes from known malicious threats. • Similar to the way most antivirus software detects malware. – Examples: Cisco Sensors 4200 series, Snort – Less prone to false positives – Unable to detect zero-day threats whose signatures are not available Engineering and Management of Secure Computer Networks 6 Signature based intrusion detection • Signatures – A set of patterns pertaining to typical intrusion activity that, when matched, generate an alarm • Signature Types – Atomic—Trigger contained in a single packet • Example: Looking for the pattern “/etc/passwd “in the traffic – Composite—Trigger contained in a series of multiple packets Engineering and Management of Secure Computer Networks 7 Types of Intrusion Detection Systems • Host based intrusion detection Systems – Software (Agents) installed on computers to monitor input and output packets from device – It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. – Examples: • Cisco Security Agent (CSA) , OSSEC, Tripwire Engineering and Management of Secure Computer Networks 8 Host-Based Intrusion Detection Corporate network Agent Agent Firewall Untrusted network Agent Agent Agent Agent Agent Agent WWW DNS server server Engineering and Management of Secure Computer Networks 9 Types of Intrusion Detection Systems • Network-Based Intrusion Detection Systems – Connected to network segments to monitor, analyze and respond to network traffic. – A single IDS sensor can monitor many hosts – NIDS sensors are available in two formats • Appliance: It consists of specialized hardware sensor and its dedicated software. The hardware consists of specialized NIC’s, processors and hard disks to efficiently capture traffic and perform analysis. – Examples: Cisco IDS 4200 series, IBM Real Secure Network • Software: Sensor software installed on server and placed in network to monitor network traffic. – Examples: Snort, Bro, Untangle Engineering and Management of Secure Computer Networks 10 Network-Based Intrusion Detection Corporate network Sensor Sensor Firewall Untrusted network Management WWW DNS System server server Engineering and Management of Secure Computer Networks 11 Sensor Appliance Interfaces Untrusted Network Monitoring Interface Router Switch Sensor Router Protected Network Command and Control Interface Management System 12 Engineering and Management of Secure Computer Networks Promiscuous-Mode Protection: IDS 1 A network device sends copies of packets to the sensor for analysis. 2 If the traffic matches a signature, Switched Port Analyzer (SPAN) the signature fires. Switch 2 3 The sensor can send an alarm to a management console and take a response action such as Sensor resetting the connection. Management Target System Engineering and Management of Secure Computer Networks 13 Inline-Mode Protection: IPS The sensor resides in the data forwarding path. Sensor An alert can be If a packet triggers a sent to the signature, it can be management console. dropped before it reaches its target. Management Target System 14 Engineering and Management of Secure Computer Networks IDS and IPS Deployment Considerations – Deploy an IDS sensor in areas where you cannot deploy an inline device or where you do not plan to use deny actions. – Deploy an IPS sensor in those areas where you need and plan to use deny actions. Engineering and Management of Secure Computer Networks 15 IDS and IPS Deployment Comparison Inside Attacker Internet Sensor on Outside: Sensor on Inside: • Sees all traffic destined for • Sees only traffic permitted your network by firewall • Has high probability of raising • Has lower probability of false false alarms (false positives) alarms (false positives) • Does not detect internal • Requires immediate attacks response to alarms 16 Engineering and Management of Secure Computer Networks Network based IDS and IPS Deployment Firewall Router Switch Switch IPS Sensor Untrusted IDS Switch Network Sensor Management Server Corporate Network WWW DNS Server Server Engineering and Management of Secure Computer Networks DMZ 17 IDS and IPS deployment example in an Enterprise Network Branch Corporate Network NM-CIDS Router Firewall Untrusted Network Sensor Sensor Management Server DMZ Agent Agent WWW DNS Engineering and Management of Secure Computer Networks Server Server 18 Cisco IDS Family 600 250 IDSM-2 Performance (Mbps) IDS 4255 200 IPS 4240 80 AIP-SSM 45 IPS 4215 NM-CIDS 10/100/1000 TX 10/100/1000 TX 10/100 TX 10/100/1000 TX 10/100/1000 TX Switched/1000 1000 SX Network Media Snort • Open source, freely available software except for rules • Installed as dedicated server on Windows and Linux, Solaris operating systems • Placed as network sensor in a network • Rules are set of instructions defined to take certain action after matching some sort of signatures (atomic or composite) • Example: • alert tcp $HOME_NET any -> $EXTERNAL_NET any (content:"uk.youtube.com”;msg:"someone visited YouTube";) Engineering and Management of Secure Computer Networks 20 Snort Modes • Sniffer Mode • Used to sniff traffic from network • Traffic will be captured using libpcap or winpcap. • Traffic will be captured directly from the sensor . • Logger Mode • Simple logging into a file. Two possible formats are Binary and ASCII. • Logging into a Database (eg. MySQL) • Can be used for creating the normal traffic profile • Intrusion Detection / Prevention • The rules will be used in this mode of snort to detect unwanted activity Engineering and Management of Secure Computer Networks 21 IDS/IPS Vulnerabilities • Cisco IPS Packet Handling DoS - • In July 2006, a DoS vulnerability was discovered on Cisco IPS 4200 series models which were running version 5.1 software. • Snort Rule Matching Backtrack DoS - • Snort versions 1.8 through 2.6 had a DoS vulnerability , found on January 11, 2007 which can exploit Snort's rule matching algorithm by using a crafted packet. This could cause the algorithm to slow down to the point where detection may become unavailable. Snort was quick to release version 2.6.1 which corrected this issue. Engineering and Management of Secure Computer Networks 22 How to protect IDS? • Don't run any service on your IDS sensor. • The platform on which you are running IDS should be patched with the latest releases from your vendor. • Configure the IDS machine so that it does not respond to ping (ICMP Echo-type) packets. • User accounts should not be created except those that are absolutely necessary. Engineering and Management of Secure Computer Networks 23 Unified Threat Management (UTM) • Unified Threat Management (UTM) is a network device that have many features in one box, including: – IDS, IPS, Firewall, Spyware, Anti Spam , Anti Phishing – Anti Virus, Content (www) Filter, VPN – Example: Untangle, Watchguard – Untangle Demo: http://www.untangle.com/video_overview/ Engineering and Management of Secure 24 Computer Networks Summary • Intrusion detection system (IDS) is software or hardware designed to monitor, analyze and respond to network traffic . – Can be classified as Profile or Signature based intrusion detection. • Signatures can be defined as Atomic or Composite. – Can be available as Host or Network based Intrusion detection . – IDS is used as promiscuous mode protection in DMZ – IPS is used as Inline mode protection for securing internal network – Cisco 4200 series IDS and IPS sensors offer rich set of features for ISD and IPS – Snort is an open source, free IDS and can operate in sniff , logging and Intrusion detection/prevention modes. Snort uses rules to analyze traffic. – IDS/IPS software can be vulnerable to exploits so run patched version, and shutdown unnecessary services. • Unified Threat Management (UTM) is a network device that have many features in one box. E.g, Untangle, Watchguard. Engineering and Management of Secure Computer Networks 25
"IDS and IPS"