Network Intrusion Detection Systems (NIDS)

Transcription

1 Network Intrusion Detection Systems (NIDS)

2 IDS Definitions An IDS is any combination of hardware & software that monitors a system or network for malicious activity. Examples of IDSs in real life Car alarms Fire detectors House alarms Surveillance systems 2

3 Defined by ICSA as: The detection of intrusions or intrusions attempts either manually or via software expert systems that operate on logs or other information available from the system or the network. An intrusion is a deliberate, unauthorized attempt to access or manipulate information or system and to render them unreliable or unusable. When suspicious activity is from your internal network it can also be classified as misuse Another definition: - detecting inappropriate, incorrect, or anomalous activity - misuse detection!= intrusion detection 3

4 The Puzzle Intrusion Detection Systems are only one piece of the whole security puzzle IDS must be supplemented by other security and protection mechanisms They are a very important part of your security architecture but does not solve all your problems Part of Defense in depth 4

5 Why IDS? Can be detected: Mapping Port scans Tens of thousands of packets TCP stack scans Hundreds of thousands of packets Identify any of the following types of intrusion: Input validation errors Buffer overflow Boundary Conditions Access Validation Errors Exceptional Condition Handling Errors Environmental Errors Race Conditions o o o Many organizations deploy IDS systems Provide warnings to network administrator Administrator can then improve network s security Vigorous investigation could lead to attackers Typical responses to an attack include the following: Terminating the session (TCP resets) Block offending traffic (usually implemented with ACLs) Creating session log files Dropping the packet 5

6 WHY DO I NEED AN IDS, I HAVE A FIREWALL? IDS are a dedicated assistant used to monitor the rest of the security infrastructure. Today s security infrastructure are becoming extremely complex, it includes firewalls, identification and authentication systems, access control product, virtual private networks, encryption products, virus scanners, and more. All of these tools performs functions essential to system security. Given their role they are also prime target and being managed by humans, as such they are prone to errors. Failure of one of the above component of your security infrastructure jeopardized the system they are supposed to protect 6

7 WHY DO I NEED AN IDS, I HAVE A FIREWALL? Not all traffic may go through a firewall i:e modem on a user computer Not all threats originates from outside. As networks uses more and more encryption, attackers will aim at the location where it is often stored unencrypted (Internal network) Firewall does not protect appropriately against application level weakenesses and attacks Protect against misconfiguration or fault in other security mechanisms 7

8 REAL LIFE ANALOGY It's like security at the airport... You can put up all the fences in the world and have strict access control, but the biggest threat are all the PASSENGERS (packet) that you MUST let through! That's why there are metal detectors to detect what they may be hiding (packet content). You have to let them get to the planes (your application) via the gate ( port 80) but without X-rays and metal detectors, you can't be sure what they have under their coats. Firewalls are really good access control points, but they aren't really good for or designed to prevent intrusions. That's why most security professionals back their firewalls up with IDS, either behind the firewall or at the host. 8

9 2. IDS Categories In-Kernel vs. Userspace Distributed vs. Atomic Host-based vs. Network-based Statistical vs. Signature Detection Active vs. Passive Proactive vs. Retroactive Flat vs. Hierarchial IDS 9

10 We consider some basic categories of intrusion detection mechanisms: By sensor location: Network-based Intrusion Detection System (NIDS) Host-base Intrusion Detection System (HIDS) By method of detection Statistical Detection Signature Detection 10

11 NIDS vs HIDS 11

12 IDS sensors = IDS sensor application gateway firewall Internet Internal network Web server FTP server DNS server Underlying OS needs to be hardened: stripped of unnecessary network services Demilitarized zone 12

13 Network based IDS Protects an entire network segment Is usually a passive device on the network and users are unaware of its existence Cannot detect malicious code in encrypted packets Is cost effective for mass protection Requires its own sensor for each network segment 13

14 Host-based IDS Protects a single system. Uses system resources such as the CPU and memory from system. Provides application level security. Provides day-one security as a shunt between high and low level processes Intrusion detection is performed after decryption. Used on servers and sensitive workstations, but is costly for mass protection 14

15 Anomaly/Statistical detection Mostly on statistical basis Based on time, frequency, lenght of session For example: person logs on at 0300 AM and has never done so in the past, it will raise a flag Detects statistically exceptional events Learning: Watching activity during normal state and storing patterns (who logs in, what is the origin, when, etc.) Experience shows that 90% of attacks can be considered as protocol usage anomalies. Does not require signatures (except what it learns) We should carefully add knowledge about normal activity, such as RFC compilant state machines, it needs much work. A non-rfc compilant client is not always an attacker we need flexibility 15

16 Signature-based detection Sniff traffic on network border router within a LAN multiple sensors Match attack signatures attack signatures in database signature: set of rules pertaining to a typical intrusion activity Simple example rule: any ICMP packet > 10,000 bytes Example: Several thousand SYN packets to different ports on same host under a second skilled security engineers research known attacks; put them in database can configure IDS to exclude certain signatures; can modify signature parameters Warns administrator send , SMS send message to network management system 16

17 Limitations to signature detection Requires previous knowledge of attack to generate accurate signature Blind to unknown attacks No knowledge of intention of activity Triggers alarms even if traffic is benign Signature bases are getting larger Every packet must be compared with each signature IDS can get overwhelmed with processing, miss packets 17

18 Current State of IDS Lots of people are still using Firewall and Router logs for Intrusion Detection IDS are not very mature Mostly signature based It is a quickly evolving domain Giant leap and progress every quarter As stated by Bruce Schneier in his book Secret and Lies in a digital world : Prevention Detection Reponse Getting to this point today 18

19 WHAT CAN IDS REALISTICLY DO Monitor and analyse user and system activities Auditing of system and configuration vulnerabilities Asses integrity of critical system and data files Recognition of pattern reflecting known attacks Statistical analysis for abnormal activities Data trail, tracing activities from point of entry up to the point of exit Installation of decoy servers (honey pots) Installation of vendor patches (some IDS) 19

20 WHAT IDS CANNOT DO Compensate for weak authentication and identification mechanisms Investigate attacks without human intervention Guess the content of your organization security policy Compensate for weakeness in networking protocols, for example: IP Spoofing Compensate for integrity or confidentiality of information Analyze all traffic on a very high speed network Deal adequately with attack at the packet level Deal adequately with modern network hardware 20

21 Intrusion Detection System Intrusion Prevention System 21

22 5. IDS Products Dragon from Enterasys CISCO Secure IDS Snort ISS Real Secure SHADOW ftp://ftp.whitehats.ca/pub/ids/shadow-slack/shadow.iso 22

23 References Knowledge Net CISSP 23