Introduction of Intrusion Detection Systems

Transcription

1 Introduction of Intrusion Detection Systems Why IDS? Inspects all inbound and outbound network activity and identifies a network or system attack from someone attempting to compromise a system. Detection: analyzes the information it gathers and compares it to large databases of attack signatures. o A signature is a set of rules that uses to detect typical intrusive activity. Prevention: stop detected attacks from being executed. Reaction: immunize the systems from future attacks and provide real-time alerts. 1

2 NIDS (Network-based IDS): check the individual packets flowing through a network. detect malicious packets that are designed to be overlooked by a firewall s simplistic filtering rules. HIDS (Host-based IDS): check information at the host or operating system level. examine log files, such as system calls, audit logs, error messages and compare the logs against common signatures for known attacks. What the firewall does not do? (1) Protect against internal threats (2) Protect against the transfer of virusinfected programs or files. 2

3 Benefits of HIDS (1) Monitors specific system activities monitor user and file access activity. changes to file permissions attempts to install new executables attempts to access privileged services. (2) Detect some attacks that cannot be seen by NIDS Example: attacks from the keyboard of a critical server do not cross the network, and so cannot be seen by a NIDS. Drawbacks of HIDS Limited network view Example: It is impossible for a HIDS to detect reconnaissance scans. 3

4 Benefits of NIDS Detects attacks that host-based systems miss Examine all packet headers for signs of malicious activity. HIDS cannot detect these types of attacks such as denial of service attacks. Real-time detection and response Detect malicious attacks as they occur, and provide faster notification and response. Example: NIDS terminate the DOS attack before it crashes a targeted host. Operating system independence NIDS are not dependent on host operating systems. Drawbacks of NIDS Bandwidth: As network pipes grow larger and larger, you normally need to install more IDS throughout the network at locations where the IDS can handle the traffic. Encryption: when the network traffic is encrypted, the NIDS cannot match the encrypted data against its signature database. New attacks occur with no known signatures available to detect them. Regular updating of the signatures can prevent some of these issues. 4

5 IDS Signatures A signature is a set of rules that your sensor uses to detect typical intrusive activity. Rules are based on various criteria: IP protocol parameters (IP addresses, IP fragmentation parameters and so on) Transport protocol parameters (TCP flags, port numbers) Packet data IP packets are composed of different headers and application data. Signatures can examine the information in the various headers or the packet's data. Context-based Signatures: examine packet headers Content-based Signatures: examine packet data Context-based Signatures Triggered by the data contained in packet headers. IP and TCP protocol parameters: 3050 Half-open SYN Attack Port numbers IP fragmentation parameters TCP flags IP protocol field IP addresses 5

6 Example: TCP SYN Attack (Signature ID 3050) Triggers when multiple TCP sessions have been improperly initiated on several well known service ports. FTP, Telnet, WWW, SSH and servers ports 21, 23, 80, 22 and 25 respectively). TCP Connection: 1. SYN. 2. SYN/ACK 3. ACK Content-based Signatures Triggered by the data portion of the packets traveling across the network. Example: Sendmail Reconnaissance (Signature ID 3103). Locates IP packets with either a VRFY or EXPN sendmail command. An attacker can use these commands to locate account names on the mail server. 6

7 Cisco Secure IDS IDS Sensors: perform the real-time monitoring of network packets Director platform: provides the management software used to configure, log, and display alarms generated by sensors. IDS sensors have two interfaces: Monitoring: monitor network traffic for alarms in real time through it. o IDS looks for patterns of attacks. Command and control: alarms are transmitted through it to the Director platform. Functionality of the Director Platform: Provides a user interface for the configuration of signature elements Provides a facility for logging information collected by the sensor Sends event information to pager, or to alert security personnel 7

8 The basic Cisco Secure IDS process: 1. A sensor captures network packets through its monitoring interface. 2. Packets are reassembled, if required, and compared against a signature indicating typical intrusion activity. 3. If an attack is detected, the sensor logs the attack and notifies the Director platform through the command and control interface. 4. The Director platform displays the alarms and logs the data. You can program your sensors to respond in various ways upon alarm detection. Possible responses: TCP reset IP blocking IP logging 8

9 TCP reset After a sensor detects an attack, an alarm is generated by the sensor and sent to the management station. The network IDS may terminate session by sending a TCP RST packet to the attacked server and the host. The TCP Reset is initiated from the data-capturing port to the attacked server and the host Effective only for TCP-based connections. UDP traffic is unaffected. Director Platform 9

10 IP blocking The sensor updates the access control list (ACL) on the perimeter router to deny all traffic from the offending IP address. Director Platform 10

11 IP logging Records in a session log file what the attacker is doing. This option is passive and does not prevent the attacker from continuing his attack. The logged information provides a record of what the attacker does against the network. Director Platform 11

12 Installation Configurations Different installation configurations provide a different level of functionality Standalone Configuration Installing sensors without IP blocking is called a standalone configuration. IP Logging: capture a history of the intrusive traffic TCP Reset: if the attack is TCP-based, then the sensor can generate TCP resets in an attempt to halt the intrusive activity. In the standalone configuration, the sensor usually communicates alarms and other information to the Director via a separate command and control network connection. 12

13 Device Management Configuration Support IP blocking: drop all traffic from the attacker's host, future attacks are blocked as well from that specific IP address. If any of these signatures is configured for IP Blocking, then the sensor telnets into the router to automatically block the offending host by updating the ACL. 13

14 Firewall Sandwich Configuration Placing a sensor with the monitoring interface in front of the firewall and the command and control network behind the firewall is known as a firewall sandwich. Firewall protects the command and control network for IDS. The command and control interface can connect directly into the network behind the firewall. However, internal users can potentially attack the Cisco Secure IDS. A more secure installation places the command and control interface on a separate interface behind the firewall. 14

15 The IDS Sensor can dynamically update the access control lists on the router to block future attacks. Command traffic to update the access control lists traverses through the firewall to the router, while the firewall prevents unauthorized traffic from accessing your sensor. You must allow certain traffic through the firewall to enable IP blocking. Step 1 Enable Telnet on the router. Step 2 Permit the Telnet traffic (only from the sensor to the router) to pass through the firewall. 15

16 Remote Sensor Configuration Sometimes, you need to deploy a sensor to monitor a network but the Director is located on a remote network that is reachable only through an untrusted network. The traffic traveling across the untrusted network (from the sensor to the director, and vice versa) must be encrypted. A simple way is to define an IPSec tunnel across the untrusted network. 16