Intrusion Detection Systems



Similar documents
Intrusion Detection. Overview. Intrusion vs. Extrusion Detection. Concepts. Raj Jain. Washington University in St. Louis

Introduction of Intrusion Detection Systems

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

IDS 4.0 Roadshow. Module 1- IDS Technology Overview. 2003, Cisco Systems, Inc. All rights reserved. IDS Roadshow

Firewalls and Intrusion Detection

CS5008: Internet Computing

CSE 571S: Network Security CSE571S

CSCI 4250/6250 Fall 2015 Computer and Networks Security

Firewalls. Ola Flygt Växjö University, Sweden Firewall Design Principles

Chapter 9 Firewalls and Intrusion Prevention Systems

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

INTRUSION DETECTION SYSTEMS and Network Security

Firewalls, Tunnels, and Network Intrusion Detection

PROFESSIONAL SECURITY SYSTEMS

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

IntruPro TM IPS. Inline Intrusion Prevention. White Paper

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Reverse Shells Enable Attackers To Operate From Your Network. Richard Hammer August 2006

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

Computer Security DD2395

Intrusion Detection Systems

INTRODUCTION TO FIREWALL SECURITY

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

Network Security Management

Internet Security Firewalls

Computer Security: Principles and Practice

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

Module II. Internet Security. Chapter 7. Intrusion Detection. Web Security: Theory & Applications. School of Software, Sun Yat-sen University

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained

What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services

SonicWALL PCI 1.1 Implementation Guide

Firewalls & Intrusion Detection

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Computer Security DD2395

Firewalls, IDS and IPS

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

CSCE 465 Computer & Network Security

How To Protect A Network From Attack From A Hacker (Hbss)

Passive Logging. Intrusion Detection System (IDS): Software that automates this process

Guideline on Firewall

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

Chapter 15. Firewalls, IDS and IPS

Network Security 2. Module 2 Configure Network Intrusion Detection and Prevention

Port Scanning and Vulnerability Assessment. ECE4893 Internetwork Security Georgia Institute of Technology

Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

Classic IOS Firewall using CBACs Cisco and/or its affiliates. All rights reserved. 1

IDS / IPS. James E. Thiel S.W.A.T.

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Network Based Intrusion Detection Using Honey pot Deception

Network- vs. Host-based Intrusion Detection

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

How To Protect Your Firewall From Attack From A Malicious Computer Or Network Device

SURVEY OF INTRUSION DETECTION SYSTEM

Firewalls. Chapter 3

TECHNICAL NOTE 01/02 PROTECTING YOUR COMPUTER NETWORK

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

IDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam

Overview. Firewall Security. Perimeter Security Devices. Routers

Name. Description. Rationale

CSE 571S: Network Security CSE571S

FIREWALLS & CBAC. philip.heimer@hh.se

12. Firewalls Content

Development of a Network Intrusion Detection System

CTS2134 Introduction to Networking. Module Network Security

Intrusion Detection. Tianen Liu. May 22, paper will look at different kinds of intrusion detection systems, different ways of

SFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab March 04, 2004

Intrusion Detection Categories (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

Application Firewalls

8. Firewall Design & Implementation

The Cisco IOS Firewall feature set is supported on the following platforms: Cisco 2600 series Cisco 3600 series

OfficeScan 10 Enterprise Client Firewall Updated: March 9, 2010

Intrusion Detection Systems (IDS)

Transport Level Security

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?

NEW YORK INSTITUTE OF TECHNOLOGY School of Engineering and Technology Department of Computer Science Old Westbury Campus

Security Technology: Firewalls and VPNs

Lab Configure IOS Firewall IDS

Firewall Firewall August, 2003

Network Security Part II: Standards

SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG)

CaptIO Policy-Based Security Device

Description: Objective: Attending students will learn:

Cisco Secure PIX Firewall with Two Routers Configuration Example

Network Defense Tools

Network Access Control and Cloud Security

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka

Linux Network Security

Cryptography and Network Security: Overview

Transcription:

Intrusion Detection Systems Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-07/ 23-1

Overview Concepts Intrusion vs. Extrusion Detection Types of IDS Host vs. Network IDS Protocols for IDS: Syslog, BEEP, IDXP 23-2

Concepts Intrusion: Break into, misuse, or exploit a system (against policy) Intruders: Insiders or outsiders Most IDS are designed for outsiders Vulnerability: Weakness that could be used by the attacker Threat: Party that exploits a vulnerability Structured Threat: Adversaries with a formal methodology, a financial sponsor, and a defined objective. Unstructured Threat: Compromise victims out of intellectual curiosity 23-3

Intrusion vs. Extrusion Detection Intrusion Detection: Detecting unauthorized activity by inspecting inbound traffic Extrusion Detection: Detecting unauthorized activity by inspecting outbound traffic Extrusion: Insider visiting malicious web site or a Trojan contacting a remote internet relay chat channel 23-4

Notification Alarms False Positive: Valid traffic causes an alarm False Negative: Invalid traffic does not cause an alarm Probability Normal Abnormal False Negatives 23-5 Activities False Positives

Types of IDS Sensors Log analyzers: Matching log entry Action Signature based sensors System call analyzers: Shim between applications and OS Application behavior analyzers: E.g., web server writing a file File Integrity checkers 23-6

Types of IDS IDS Sensor: SW/HW to collect and analyze network traffic Host IDS: Runs on each server or host Network IDS: Monitors traffic on the network Network IDS may be part of routers or firewalls Manager Host Based Network Based IDS Agent Agent Agent WWW Mail DNS 23-7

Host vs. Network IDS 23-8

Types of IDS (Cont) Signature Based IDS: Search for known attack patterns using pattern matching, heuristics, protocol decode Rule Based IDS: Violation of security policy Anomaly-Based IDS Statistical or non-statistical detection Response: Passive: Alert the console Reactive: Stop the intrusion Intrusion Prevention System Blocking 23-9

Signature Based IDS 5-tuple packet filtering (SA/DA/L4 protocol/ports) Use Ternary Content Addressable Memories (TCAMs) Deep packet inspection requires pattern string matching algorithms (Aho-Corasik algorithm and enhancements) Regular expression signatures 23-10

Types of Signatures Ref: Sasdat Malik's book 23-11

Sample Signatures ICMP Floods directed at a single host Connections of multiple ports using TCP SYN A single host sweeping a range of nodes using ICMP A single host sweeping a range of nodes using TCP Connections to multiple ports with RPC requests between two nodes 23-12

Anomaly Based IDS Traffic that deviates from normal, e.g., routing updates from a host Statistical Anomaly: sudden changes in traffic characteristics Machine Learning: Learn from false positives and negatives Data Mining: Develop fuzzy rules to detect attacks 23-13

Performance degradation Encrypted traffic Open Issues Polymorphic attacks: change their signatures Human intervention: Inconvenient and slows down Newer and Newer Attacks: Need to keep signatures updated 23-14

SYSLOG Protocol SYSLOG Packet Format Protocols for IDS Remote Data Exchange Protocol (RDEP) BEEP IDMEF 23-15

RFC 3164, August 2001 SYSLOG Protocol Designed for BSD. Now used on many OSs. Used to send event data Device: Originates event data Collector (Server): Consumes/logs/acts on event data Relay: forwards event data Sender/Receiver Uses UDP port 514 23-16

SYSLOG Packet Format 3 Parts: PRI, Header, Msg PRI = <nnn> = Facility*8+Severity Facility: 0=Kernel, 1=User-level, 2=Mail,... Severity: 0=Emergency, 1=Alert,... Header: Timestamp and Hostname MSG: Additional info Example: <34>Dec 10 22:14:15 siesta su: 'su root' failed for jain on /dev/csf/ No connection No security, integrity, reliability Reliability Syslog over TCP, RFC 3195, November 2001 23-17

Remote Data Exchange Protocol (RDEP) Cisco protocol to exchange IDS events Alarms remain on the sensors until pulled by the management system Uses XML encoding for data Out-of-band or in-band communication using secure channel Ref: Joe Minieri, "RDEP Client," http: 23-18

BEEP Block Extensible Exchange Protocol RFC 3080, March 2001 Generic application protocol kernel for connection-oriented asynch interactions Supports both textual and binary messages Messages are arbitrary MIME content, usually XML Supports multiple simultaneous exchanges - channels Each channel has a associated profile that defines syntax and semantics Channel management profile, TLS transport security profile BEEP peer advertises the profiles it supports and later offers one of the profile for the channel 23-19

IDMEF Intrusion Detection Message Exchange Format RFC 4765, 4766, 4767, March 2007 Many IDS sensor vendors, Many management consoles Need standard data format and protocol Data format and exchange procedures for sharing IDS info Uses Extensible Markup Language (XML) Allows vendors to extend the definition 23-20

IDMEF Concepts Data Source Activity Sensor Event Sensor Event Analyzer Alert Operator Notification Response Manager Administrator Security Policies 23-21

IDMEF Concepts (Cont) Data source: Raw network packets, audit logs, application logs Sensor: Collects from data source and forwards to analyzer Analyzer: Analyzes the data collected by sensor Manager: Used by operator to configure sensors, analyzers, data consolidation, etc. Operator: Human user of IDS manager Administrator: Human responsible for security policies Activity: Any action - Unauthorized file access, login failure Alert: Message from analyzer to manager Event: Activity that results in an alert Notification: from manager to administrator Response: Action taken in response to an event Signature: Rule used by analyzer Security Policy: Formal document on what is allowed 23-22

IDXP Intrusion Detection Exchange Protocol RFC 4767, March 2007 Application level protocol for exchanging IDS data A profile of Blocks Extensible Exchange Protocol (BEEP) BEEP offers the security part using TLS or Simple Authentication and Security Layer (SASL) profiles BEEP also has a TUNNEL profile for going over proxy servers (untrusted) IDXP provides the messages for IDS data exchange Only peer-to-peer two-party communication Multi-party to multi-party communication using pair-wise connections 23-23

IDMEF Example: Teardrop Attack Teardrop= IP Fragments with overlapping oversize payloads <?xml version="1.0" encoding="utf-8"?> <idmef:idmef-message xmlns:idmef=http://iana.org/idmef version="1.0"> <idmef:alert messageid="abc123456789"> <idmef:analyzer analyzerid="hq-dmz-analyzer01"> <idmef:node category="dns"> <idmef:location>headquarters DMZ Network</idmef:location> <idmef:name>analyzer01.example.com</idmef:name> </idmef:node> </idmef:analyzer> <idmef:createtime ntpstamp="0xbc723b45.0xef449129"> 2000-03-09T10:01:25.93464-05:00 </idmef:createtime> <idmef:source ident="a1b2c3d4"> <idmef:node ident="a1b2c3d4-001" category="dns"> <idmef:name>badguy.example.net</idmef:name> </idmef:alert> </idmef:idmef-message> 23-24

Summary Intrusion detection systems: Host based and Network Based Analyzers can be signature based, anomaly based Syslog provides a simple efficient method for IDS data But it is not secure or reliable IDXP provides a secure, reliable method of IDS data exchange 23-25

References S. Kumar, "Survey of Current Network Intrusion Detection Techniques," http://www.cse.wustl.edu/~jain/cse571-07/p_nid.html NIST, Guide to Intrusion Detection and Prevention Systems (IDPS), Special Publication SP 800-94, Sep 2006, http://csrc.nist.gove/publications/pubssps.html Open Directory Projects IDS Page, http://www.dmos.org/computers/security/intrusion_detection_syste ms/ Has a list of 25 open source and 96 commercial tools, 79 security scanners, 25 security scanner services Architectural Issues of Intrusion Detection Infrastructure in Large Enterprises, http://www.softpanorama.org/security/intrusion_detection.shtml SANS Institute, "Intrusion Detection FAQ," http://www.sans.org/resources/idfaq/index.php?portal=46489b3fa83 24804cb8de1e1ff4ae9e7 23-26

RFCs RFC 3080 The Blocks Extensible Exchange Protocol Core, March 2001 RFC 3164 The BSD Syslog Protocol, August 2001. RFC 3195 Reliable Delivery for syslog, November 2001. RFC 4765 The Intrusion Detection Message Exchange Format (IDMEF), March 2007. RFC 4766 Intrusion Detection Message Exchange Requirements, March 2007. RFC 4767 The Intrusion Detection Exchange Protocol (IDXP), March 2007. 23-27

References: Books Used Gert DeLaet, Gert X. Schauwers, "Network Security Fundamentals," Cisco Press, Sep 2004, 400 pp., ISBN:1587051672. Richard Bejtlich, "The Tao Of Network Security Monitoring : Beyond Intrusion Detection," Addison-Wesley, Jul 2004, 798 pp., ISBN:321246772. Richard Bejtlich, "Extrusion Detection: Security Monitoring for Internal Intrusions," Addison-Wesley Professional, Nov 2005, Paperback 416 pp., ISBN:0321349962. Saadat Malik, "Network Security Principles and Practices," Macmillan Technical Pub, Nov 2002, 400 pp., ISBN:1587050250. Terry Escamilla, "Intrusion Detection : Network Security Beyond the Firewall," Wiley, Oct 1998, 348 pp., ISBN:0471290009. 23-28

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information