Network Intrusion Detection Systems. Beyond packet filtering

Similar documents

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

Introduction of Intrusion Detection Systems

CSCE 465 Computer & Network Security

Network Layer IPv4. Dr. Sanjay P. Ahuja, Ph.D. Fidelity National Financial Distinguished Professor of CIS. School of Computing, UNF

Announcements. No question session this week

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

Chapter 8 Network Security

Internet Firewall CSIS Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS net15 1. Routers can implement packet filtering

Lecture 15. IP address space managed by Internet Assigned Numbers Authority (IANA)

Attacking the TCP Reassembly Plane of Network Forensics Tools

Chapter 8 Security Pt 2

OLD VULNERABILITIES IN NEW PROTOCOLS? HEADACHES ABOUT IPV6 FRAGMENTS

Network Monitoring On Large Networks. Yao Chuan Han (TWCERT/CC)

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Solution of Exercise Sheet 5

CYBER ATTACKS EXPLAINED: PACKET CRAFTING

IPV6 FRAGMENTATION. The Case For Deprecation. Ron Bonica NANOG58

Firewalls and Intrusion Detection

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP

Algorithms and Techniques Used for Auto-discovery of Network Topology, Assets and Services

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Transport Layer. Chapter 3.4. Think about

Supporting Document Mandatory Technical Document. Evaluation Activities for Stateful Traffic Filter Firewalls cpp. February Version 1.

ΕΠΛ 674: Εργαστήριο 5 Firewalls

How do I get to

Ethernet. Ethernet. Network Devices

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

FIREWALL AND NAT Lecture 7a

Intrusion Detection Systems

Vanguard Applications Ware IP and LAN Feature Protocols. Firewall

RARP: Reverse Address Resolution Protocol

Protocols. Packets. What's in an IP packet

Chapter 9. IP Secure

Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

Outline. TCP connection setup/data transfer Computer Networking. TCP Reliability. Congestion sources and collapse. Congestion control basics

Cisco IOS Flexible NetFlow Technology

Transport and Network Layer

VLAN und MPLS, Firewall und NAT,

Barracuda Intrusion Detection and Prevention System

What is a DoS attack?

Carrier/WAN SDN Brocade Flow Optimizer Making SDN Consumable

Chapter 9 Firewalls and Intrusion Prevention Systems

Firewalls Netasq. Security Management by NETASQ

Classic IOS Firewall using CBACs Cisco and/or its affiliates. All rights reserved. 1

INTRODUCTION TO FIREWALL SECURITY

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

Proxy Server, Network Address Translator, Firewall. Proxy Server

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

Configuring Flexible NetFlow

Abstract. Introduction. Section I. What is Denial of Service Attack?

IP Network Layer. Datagram ID FLAG Fragment Offset. IP Datagrams. IP Addresses. IP Addresses. CSCE 515: Computer Network Programming TCP/IP

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Improving DNS performance using Stateless TCP in FreeBSD 9

ACHILLES CERTIFICATION. SIS Module SLS 1508

IDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

EVADING IDSS AND FIREWALLS AS FUNDAMENTAL SOURCES OF INFORMATION IN SIEMS

Internet Packets. Forwarding Datagrams

SY system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

CSCI 454/554 Computer and Network Security. Topic 8.1 IPsec

Introduction to Firewalls Open Source Security Tools for Information Technology Professionals

Basic Networking Concepts. 1. Introduction 2. Protocols 3. Protocol Layers 4. Network Interconnection/Internet

Chapter 6: Network Access Control

SURVEY OF INTRUSION DETECTION SYSTEM

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

RTP / RTCP. Announcements. Today s Lecture. RTP Info RTP (RFC 3550) I. Final Exam study guide online. Signup for project demos

APNIC elearning: IPSec Basics. Contact: esec03_v1.0

CIT 380: Securing Computer Systems

8.2 The Internet Protocol

Network Layer: Network Layer and IP Protocol

IP address format: Dotted decimal notation:

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

Course Title: Penetration Testing: Security Analysis

Network Scanning. What is a Network scanner? Why are scanners needed? How do scanners do? Which scanner does the market provide?

Network Address Translation (NAT)

HP Intelligent Management Center v7.1 Network Traffic Analyzer Administrator Guide

Computer Security: Principles and Practice

IP addressing and forwarding Network layer

Network layer: Overview. Network layer functions IP Routing and forwarding

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Using SYN Flood Protection in SonicOS Enhanced

Intrusion Detection Systems

Network and Services Discovery

Network Simulation Traffic, Paths and Impairment

Advanced Computer Networks IN Dec 2015

Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y / P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A

Computer Security DD2395

Hands-on Network Traffic Analysis Cyber Defense Boot Camp

COSC4377. Chapter 8 roadmap

PROFESSIONAL SECURITY SYSTEMS

Transcription:

Network Intrusion Detection Systems Beyond packet filtering

Goal of NIDS Detect attacks as they happen: Real-time monitoring of networks Provide information about attacks that have succeeded: Forensic analysis Passive systems: monitoring and reporting Active systems: corrective measures adopted Good place to establish a NIDS: The perimeter network, or DMZ.

Strategies Often NIDS are described as being composed of several parts Event generator boxes Analysis boxes Storage boxes Counter-measure boxes Analysis is the most complex element, and can use protocol analysis as well as anomaly detection, graph analysis, etc.

Elements of a NIDS

Host based vs. Network based Host based: Operating system log analyses Semantically rich: Contain information about the state of the system Network based: Direct analysis of network traffic Complete: Sees all the network events, not only those conveyed up to the higher levels of the operating system. Unobtrusive: Does not degrade network or host performance

Common analysis techniques Attempts pattern-matching against certain known attack types. For instance, substring matching. Passive protocol analysis. Emulate the sequence of protocol events to detect attacks.

Difficulties inherent in NIDS What defines an attack is not a packet, but its induced behavior on the receiving host. NIDS must determine this behavior NIDS runs in a different machine, even a different part of the network. Proper function of the NIDS may require of each host being protected: Knowledge of its place in the network topology Knowledge of its TCP/UDP implementation OS-based behavior variance.

Influence of Network Topology If several internal routers exist between the network component where the NIDS resides, and where the receiver host resides: TTL may result in some packets reaching the NIDS but not the receiver. Some packets being dropped by filtering routers.

Influence of implementation UDP packets with incorrect checksum -- will be dropped or accepted? will be filtered? Packets with incorrect header fields. Fragmentation, overlap, and re-ordering issues.

Insertion attacks Means: Lead the NIDS into thinking a particular packet will be accepted by the receiving host, when it in fact will not. Goal: To prevent the NIDS from recognizing patterns (either for protocol analysis or signature recognition) by reconstructing an incorrect series of events

Example of intrusion attack NIDS performs signature analysis based on substring match: fragment the string into parts and add intermediate packets that are rejected by receiving host, but not by NIDS.

Evasion attacks Means: Lead the NIDS into believing that a particular packet will be rejected by the host, when it will not. Goal: To prevent the NIDS from detecting an attack (via protocol analysis or signature analysis) by preventing the NIDS from reconstructing the correct sequence of packets processed by the receiving host.

Evasion example

Confusing the NIDS Some implementations of NIDS may allow evasion/ insertion attacks simply because the NIDS does not correctly implement all the steps of protocol verification. An attacker specifically targets this. In what follows, we consider difficulties which are inherent with the design of NIDS systems, namely intrinsic ambiguity on what types of decisions the NIDS should take.

Ambiguity

Some evasion/insertion attacks Bad IP headers Differences in NIDS network and host network with respect to TTL and don t fragment (DF) bit. Bad IP options Source-based packets filtered and variations in timestamp decisions Direct frame addressing: Attacker in the same physical network as NIDS directs packet to NIDS (or to non-existing MAC address) but IP address of host.

IP packet fragmentation Large IP packets (larger than the size of the data-frames in the link layer) must be broken up into smaller packets. The IDS must be able to handle IP packet reassembly correctly. out-of-order fragments must be reordered. fragments must be stored until all fragments for the packet are known. DoS attack: Send partial IP packets

Packet fragmentation After some time, packet fragments must be discarded based on their arrival times, or the system will run out of memory. If NIDS drops them faster than end system, there is opportunity for successful evasion attacks. If NIDS keeps them longer than end system, there is opportunity for successful insertion attacks. Coordinated attacks using many source/ destination pairs can disable NIDS.

Overlapping fragments Two IP fragments may contain overlapping data.

Different OSes resolve this differently

TCP layer problems For forensic reasons it is important to keep/ analyze higher level protocol information. One such approach is called TCP connection monitoring TCP packets can be assigned to connections, or at least requests to open connections. A TCP session can be in a set of states Established, Closed, The NIDS and the end system should be statesynchronized for monitoring to succeed.

TCB = TCP Control Block A TCP monitoring NIDS must keep a TCB for every existing connection, with state, packet numbers, window, etc. TCBs must be created for new connections and should be discarded for closed connections. TCB creation TCB re-assembly TCB teardown

TCB creation and re-assembly Missed handshake sequences TCP has a 3-way handshake. When to consider the connection has been established? Existing connections at boot time: Insertion attacks replay an old packet sequence number on an existing connection send a packet on a closed connection send a packet on a non-existing connection

TCP stream synchronization TCB re-assembly: TCP data overlap TCP time-window and acknowledgment strategies NIDS does not validate TCP packets in accordance with end system TCP header, options, checksum Wrapped sequence numbers

TCB teardown TCP connections are closed by sending FIN or RST packets. TCP connections do not time-out DoS attack by never closing connections What to do with RST packets with wrong sequence numbers. TCP control information re-use after connection is closed.