8. Intrusion detection and penetration tests




Intrusion detection and response
Purpose: to detect and respond to network attacks and malicious code
- Malicious code: intended to harm, disrupt, or circumvent computer and network functions (viruses, trojan horses, worms, ...)
- Network attacks:
  - Modification attacks: unauthorized alteration of information
  - Repudiation attack: denial that an event or transaction ever occurred
  - Denial-of-service attack: actions resulting in the unavailability of network resources and services when they are required
  - Access attacks: unauthorized access to network resources and information

Intrusion detection mechanisms
- Anti-virus: on client machines and on server machines (mail server, ...)
- Intrusion detection and response: monitoring systems for evidence of intrusions or inappropriate usage, and responding to this evidence
  - Detection (ID): detection of inappropriate, incorrect or anomalous activity
  - Response: notifying the appropriate parties to take action, determining the extent and severity of the incident, and remediating the incident's effects

8.1.1 History of the development of IDS
Today's products implement concepts dating from the 1980s.

8.1.1 Types of ID systems: NIDS
Network-based ID systems (NIDSs, network IDSs): a NIDS resides on a discrete network segment and monitors the traffic on that segment. It usually consists of a network appliance with a network interface card (NIC) that intercepts and analyses the network packets in real time. The network interface cards generally run in promiscuous mode; they are then put in "stealth" mode so that they have no IP address.
Packets are identified as being of interest if they match a signature:
- String signature: look for a text string that indicates a possible attack
- Port signature: watch for connection attempts to well-known, frequently attacked ports
- Header condition signature: watch for dangerous or illogical combinations in packet headers
Generally deployed in front of and behind the firewalls and VPNs.
Characteristics:
- Provides reliable, real-time information without consuming network or host resources
- Passive when acquiring data; reviews packets and headers
- Can detect DoS attacks
- Can respond to an attack in progress to limit damage (thanks to real-time monitoring)
- Not able to detect attacks against a host made by an intruder who is logged in at the host's terminal
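As an added example (not code from the lecture), the following Python sketch implements the three signature kinds just listed, string, port and header-condition, over a few constructed packets; the signature table, the packet layout and the sample traffic are assumptions made for the example, not Snort rules.

```python
"""Added example (not from the lecture): a toy NIDS signature matcher that
implements string, port and header-condition signatures over constructed
packets. Signatures and traffic are made up for illustration."""
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                              # "tcp" or "udp"
    dport: int
    flags: set = field(default_factory=set)  # TCP flags, e.g. {"SYN"}
    payload: bytes = b""


# Signature table (constructed for the example; not Snort rules).
STRING_SIGS = {
    "cgi-bin traversal": b"/cgi-bin/../",
    "shell spawn": b"/bin/sh",
}
PORT_SIGS = {
    "telnet connection attempt": ("tcp", 23),
    "netbios-ssn connection attempt": ("tcp", 139),
}
# Header-condition signatures: flag combinations no legitimate TCP stack
# emits, hence "illogical" header contents worth an alarm.
HEADER_SIGS = {
    "SYN+FIN flags": {"SYN", "FIN"},
    "NULL scan (no flags)": set(),
    "XMAS scan": {"FIN", "PSH", "URG"},
}


def match_packet(pkt):
    """Return the list of signature names the packet matches."""
    hits = []
    for name, needle in STRING_SIGS.items():
        if needle in pkt.payload:
            hits.append(name)
    for name, (proto, port) in PORT_SIGS.items():
        # Only a connection attempt (bare SYN) counts, so the reply traffic
        # of an already allowed session does not re-trigger the rule.
        if pkt.proto == proto and pkt.dport == port and pkt.flags == {"SYN"}:
            hits.append(name)
    if pkt.proto == "tcp":
        for name, combo in HEADER_SIGS.items():
            if pkt.flags == combo:
                hits.append(name)
    return hits


def scan_traffic(packets):
    """Map the index of each matching packet to the signatures it tripped."""
    return {i: m for i, pkt in enumerate(packets) if (m := match_packet(pkt))}


# Constructed sample traffic as seen on the monitored segment.
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.80", "tcp", 80, {"PSH", "ACK"},
           b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n"),
    Packet("10.0.0.5", "10.0.0.80", "tcp", 23, {"SYN"}),
    Packet("10.0.0.9", "10.0.0.80", "tcp", 443, {"SYN", "FIN"}),
    Packet("10.0.0.9", "10.0.0.80", "tcp", 22, set()),
    Packet("10.0.0.7", "10.0.0.80", "tcp", 80, {"PSH", "ACK"},
           b"GET /index.html HTTP/1.0\r\n"),      # benign, matches nothing
]

if __name__ == "__main__":
    for i, sigs in scan_traffic(SAMPLE).items():
        print(f"packet {i}: {', '.join(sigs)}")
```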

8.1.1 Types of ID systems: HIDS
Host-based ID systems (host-based IDSs): use small programs that reside on a host computer (web server, mail server, ...) to:
- Monitor the operating system
- Detect inappropriate activity
- Write to log files
- Trigger alarms
Characteristics:
- Monitor accesses and changes to critical system files and changes in user privileges
- Detect trusted-insider attacks better than a network-based IDS
- Relatively effective for detecting attacks from the outside
- Can be configured to look at all the network packets, connection attempts and login attempts to the monitored machine, including dial-in attempts or other non-network-related communication ports

Signature-based IDSs
Signature-based IDSs: the signatures or attributes that characterize an attack are stored for reference; if there is a match, a response is initiated.
Advantages:
- Low false alarm rates
- Standardized (generally)
- Understandable by security personnel
Disadvantages:
- Failure to characterize slow attacks that extend over a long period of time
- Only attack signatures that are stored in the database are detected
- The knowledge database needs to be maintained and updated regularly
- Because knowledge about attacks is very focused (dependent on the operating system, version, platform, and application), new, unique, or original attacks often go unnoticed

Statistical anomaly-based IDSs
Statistical anomaly-based or behavior-based IDSs: dynamically detect deviations from the learned patterns of "normal" user behaviour and trigger an alarm when an intrusive activity occurs. They need to learn the "normal" usage profile (which is difficult to determine).
Advantages:
- Can dynamically adapt to new, unique, or original vulnerabilities
- Not as dependent upon specific operating systems as a knowledge-based IDS
Disadvantages:
- Does not detect an attack that does not significantly change the system's operating characteristics
- High false alarm rates: false positives are the most common failure of behavior-based ID systems
- The network may experience an attack at the same time the intrusion detection system is learning the behaviour

Some IDS issues
Many issues confront the effective use of an IDS. These include the following:
- The need to interoperate and correlate data across infrastructure environments with diverse technologies and policies
- Ever-increasing network traffic
- Risks inherent in taking inappropriate automated response actions
- Attacks on the IDSs themselves
- Unacceptably high levels of false positives and false negatives, which make it difficult to determine the true positives
  - False negative: an incident that is not detected, which can generate security problems
  - False positive: an anomaly that is detected although the trigger event has no consequence for security
- The lack of objective IDS evaluation and test information
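The Python example below is added here and is not part of the lecture; it shows the behaviour-based detection described under "Statistical anomaly-based IDSs" together with the false positive / false negative distinction above: it learns a baseline of connections per minute, alarms on deviations, and scores the alarms against constructed labels, once with a clean learning period and once with an attack under way while the profile was being learned. All figures, labels and the threshold k are constructed.

```python
"""Added example (not from the lecture): a statistical anomaly-based IDS
that learns a 'normal' profile of connections per minute, alarms on
deviations, and a scorer that counts true/false positives and negatives
against labelled data. All figures and thresholds are constructed."""
import statistics


def learn_profile(training):
    """Learn the 'normal' usage profile as mean and standard deviation."""
    mean = statistics.fmean(training)
    std = statistics.pstdev(training)
    return mean, max(std, 1.0)   # floor avoids a zero divisor on flat data


def detect(profile, series, k=3.0):
    """Alarm on every interval whose z-score exceeds k, i.e. a deviation
    from the learned pattern. Returns one boolean per interval."""
    mean, std = profile
    return [abs(x - mean) / std > k for x in series]


def score(alarms, labels):
    """Compare alarms with ground truth (True = intrusive interval) and
    return the counts of TP, FP, TN and FN."""
    counts = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for alarm, intrusive in zip(alarms, labels):
        if alarm and intrusive:
            counts["TP"] += 1
        elif alarm:
            counts["FP"] += 1        # alarm with no security consequence
        elif intrusive:
            counts["FN"] += 1        # incident that went undetected
        else:
            counts["TN"] += 1
    return counts


# Constructed data: connections per minute seen at a monitored host.
CLEAN_TRAINING = [20, 22, 19, 21, 20, 23, 18, 21, 20, 22]
# Same learning period, but a flood was under way while the IDS learned.
POISONED_TRAINING = CLEAN_TRAINING[:5] + [200, 210, 190, 205, 195]
# Test window: normal traffic, a flood, and a slow attack (last interval)
# that does not change the host's operating characteristics.
TEST = [21, 20, 200, 205, 22, 23, 19]
LABELS = [False, False, True, True, False, False, True]


def run(training):
    """Learn from `training`, then detect and score on the test window."""
    return score(detect(learn_profile(training), TEST), LABELS)


if __name__ == "__main__":
    # Clean baseline: the flood is caught, the slow attack is missed (FN).
    print("clean baseline   :", run(CLEAN_TRAINING))
    # Poisoned baseline: the flood now looks 'normal' as well (all FN).
    print("poisoned baseline:", run(POISONED_TRAINING))
```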

8.1.2 Functionalities of IDS: responses to the detected intrusions
Active responses
- To undertake an aggressive action against the intruder (take care of legality issues!)
- To restructure the network architecture
  - To isolate the attacked system
  - To modify the environment parameters which made the intrusion possible
- To supervise the attacked system
  - To collect information in order to understand the intrusion
  - To identify the author of the intrusion and his approach
  - To identify security failures
Passive responses
- Generation of an alarm
- Sending an SMS message to the administrator

8.1.2 Functionalities of IDS: analysing logs
- The logs provide explanations of the alarms which were set off
- The IDS can receive the log messages of multiple events and audit the associated security events (e.g. logging of all the application-level protocols that are run on a machine). Downstream logging systems (Windows 2003 logs, Unix syslog, SNMP traps) are given the responsibility of correlating these events with other events
- Possibility of recording the packets which set off an alarm, to be able to analyse them
- Possibility of configuring the collection of additional packets (after an alarm), and even of a complete session; this is essential to be able to understand why a given signature made it possible to identify a true positive

8.1.5 IPS: Intrusion Prevention Systems
- Block the attacks as soon as possible
- Operate in conjunction with an IDS; IDS and IPS are combined in the same equipment
- Three techniques are implemented to neutralize the attacks:
  - Sniping: allows the IDS to put an end to a supposed attack by resetting the connection
  - Shunning: allows the IDS to automatically configure the pre-filtering router or the firewall so that it rejects the traffic according to what the IDS detected, thus preventing the connection
  - Blocking: an extension of shunning; here the IDS contacts the router or the firewall and creates an access control list (ACL) to block the IP address of the attacker

8.1.5 IDS products
There are few standards in the field of IDS.
SNORT
- Open source, free IDS (www.snort.org)
- Analyses traffic and logs packets in real time on IP networks
- Supports protocol analysis and content matching
- Can be employed to detect a variety of attacks and probes: buffer overflows, stealth port scans, CGI attacks, SMB probes, operating system fingerprinting
- Flexible rule language to describe the traffic to be passed or collected
- Real-time detection engine and alerting function
- Alerting mechanisms: syslog, a file specified by the user, a Unix socket, WinPopup messages to Windows clients using smbclient (Samba)
- Three functions: packet sniffer, packet logger (useful for debugging network traffic), fully functional IDS
- Command-line interface; a graphical interface has been developed by Engage Security (www.engagesecurity.com)
- Developed under Linux; some Windows versions exist

8.1.5 Example of IDS: Billy Goat
- Collects information at the network level
- Listens to the traffic sent to unused addresses, which is either an error or an attack attempt
- Responds to HTTP, NETBIOS, MS/SQL and MS/RPC requests and records the data, which allows identification of the requesters' behaviour and origin
- Can be seen as a server:
  - An HTTP server
  - An SMB (Server Message Block) server; SMB is a protocol for sharing files, printers and serial ports, launched by IBM in 1985, of which Samba and MS Networks are some alternatives
  - An MS/SQL database server
  - An MS/RPC remote procedure call server
- Thanks to these properties, Billy Goat can detect several suspect activities
Kismet

8.1.5 Example of Enterasys IDS
- More details than only a protocol analysis or anomaly detection
- Details of the detected attack
- Description of the attacks
- Attack packets

8.2 Honeypots

Purpose of honeypots
A monitored mechanism that is used to:
- Keep a hacker away from valuable resources
- Provide an early indication of an attack
Purposes:
- Research mode: collects information on new and emerging threats and on attack trends
- Production mode: preventing attacks, detecting attacks, responding to attacks

Honeypots
Preventing attacks:
- Slowing or impeding scans initiated by worms or automated attacks, by monitoring unused IP space and detecting scanning activities
- Consuming an attacker's energy through interaction with the honeypot while the attack is detected, analysed, and handled
Detecting attacks:
- Ability to capture new and unknown attacks
- Ability to capture polymorphic code
- Ability to handle encrypted data
- They reduce the amount of data that has to be analysed by capturing only attack information
- Capable of operating with IPv6
Current solutions:
- Honeyd: http://www.honeyd.org
- Honeynet project: http://www.honeypot.net
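Added example, not part of the lecture or of any honeypot product: a small Python detector for the "monitor unused IP space" idea above, which is also the principle behind Billy Goat in 8.1.5 (listening on unused addresses). A source that touches a single unused address is treated as a probable misconfiguration, one that sweeps several addresses or ports as a scanner; the monitored network, the live-host list, the threshold and the packets are constructed.

```python
"""Added example (not from the lecture): classify sources that send traffic
to unused addresses of a monitored subnet, as a honeypot or darknet
listener would see them. All addresses and thresholds are constructed."""
import ipaddress
from collections import defaultdict

MONITORED_NET = ipaddress.ip_network("192.0.2.0/24")   # documentation range
# Addresses assigned to real hosts; every other address in the /24 is unused
# and is where the honeypot/listener answers.
LIVE_HOSTS = {"192.0.2.10", "192.0.2.20", "192.0.2.25", "192.0.2.80"}


def is_unused(dst):
    """True when dst lies in the monitored subnet but belongs to no host."""
    return ipaddress.ip_address(dst) in MONITORED_NET and dst not in LIVE_HOSTS


def classify_sources(packets, scan_threshold=3):
    """packets: iterable of (src, dst, dport).
    Returns {src: "scanner" | "probable error"} for every source that
    contacted unused space; sources that never did are absent."""
    dsts = defaultdict(set)     # src -> unused destinations contacted
    ports = defaultdict(set)    # src -> ports tried on unused destinations
    for src, dst, dport in packets:
        if is_unused(dst):
            dsts[src].add(dst)
            ports[src].add(dport)
    verdict = {}
    for src in dsts:
        # Horizontal sweep (many addresses) or vertical probe (many ports)
        # of space nobody should be talking to is scanning activity.
        if len(dsts[src]) >= scan_threshold or len(ports[src]) >= scan_threshold:
            verdict[src] = "scanner"
        else:
            verdict[src] = "probable error"
    return verdict


# Constructed traffic, as it would reach the listener on unused addresses.
PACKETS = [
    # worm-style horizontal sweep of one port across the subnet
    ("198.51.100.7", "192.0.2.11", 139), ("198.51.100.7", "192.0.2.12", 139),
    ("198.51.100.7", "192.0.2.13", 139), ("198.51.100.7", "192.0.2.14", 139),
    # vertical probe of several ports on a single unused address
    ("198.51.100.9", "192.0.2.200", 80), ("198.51.100.9", "192.0.2.200", 1433),
    ("198.51.100.9", "192.0.2.200", 135),
    # an internal host with a mistyped server address: one stray packet
    ("192.0.2.10", "192.0.2.21", 445),
    # legitimate traffic to a live host: never reaches the listener
    ("192.0.2.20", "192.0.2.80", 80),
]

if __name__ == "__main__":
    for src, verdict in classify_sources(PACKETS).items():
        print(f"{src}: {verdict}")
```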

8.3 Security evaluation and penetration testing

8.3 Security evaluation and penetration testing
- Carry out a security evaluation of the network once a year
- Types of evaluation:
  - Vulnerability assessment and internal penetration test
  - Vulnerability assessment and external penetration test
  - Physical security evaluation
- The contents of the evaluation, the procedures, the planning and the duration of the tests should be specified precisely

8.3 Security evaluation and penetration testing: vulnerability assessment and internal penetration test
60% of the threats come from inside:
- Incorrect configuration of the network equipment
- Lack of effective security procedures
- Software to which the corrective measures (patches) were not applied
Security consultants:
- Should help companies keep up with the new vulnerabilities discovered each day in operating systems and applications
- Must recommend corrective measures to set up in order to satisfy the company's security objectives

8.3 Security evaluation and penetration testing: vulnerability assessment and internal penetration test
Evaluation methodology:
- Must be done on site
- Must concentrate on the internal risks associated with the strategies, procedures, hosts and applications
Minimal actions to carry out:
- Collect all the information that can be provided on the network
- Gather any information publicly available on the network, to have an idea of what an attacker can know
- Use hacking techniques to determine the logical and physical topology of the network
- Probe and scan the network

8.3 Security evaluation and penetration testing: vulnerability assessment and internal penetration test
Evaluation methodology, minimal actions to carry out (continued):
- Use hacking techniques to identify the operating systems and to detect the vulnerabilities, in order to reveal the exposed hosts
- Identify the traffic patterns and flows to see whether they correspond to the activities considered normal by the company (network supervision)
- Detect the weaknesses of the user authentication systems
- Analyse the vulnerabilities of the network and the hosts by means of public, private and customized tools
- Manually check all the vulnerabilities detected to make sure that they are not false positives
- Observe the internal security practices and strategies used throughout the network
- Analyse the results and generate a report providing specific recommendations to reinforce security

8.3 Security evaluation and penetration testing: vulnerability assessment and internal penetration test
Evaluation methodology (end)
Final result of the internal evaluation = a document containing:
- The methodology
- The work carried out
- The details collected for each system, including those exposed to attacks
- A precise list of vulnerabilities
- A clearer vision of the network architecture and security risks
- The results and conclusions of each phase of the test, as concrete recommendations presented in priority order (realistic in terms of cost)

8.3 Security evaluation and penetration testing: vulnerability assessment and external penetration test
Main risks:
- Unsuitable configuration of the routers and firewall(s)
- Unprotected web applications
Evaluation methodology:
- The evaluation is performed where the network interacts with the outside: Internet connections, wireless networks, telephony systems
- The same methodology as for the internal evaluation can be used
- It is relevant to consider an internal and an external evaluation simultaneously

8.3 Other types of evaluation
- Evaluation of the security strategies: have experts analyse the security strategies and procedures in order to check their conformity with best practices
- Evaluation of the recovery capacity after a disaster: have a reliable recovery plan for the infrastructure
- Evaluation of the management of confidential data, for banks and medical institutes for instance: pay attention to the laws regarding financial and medical security; obligation to apply strict protection standards

Configuration management
Process of tracking and approving changes to a system: identifying, controlling and auditing all changes made to the system
- Hardware and software changes
- Networking changes
- Any other change affecting security
Configuration management can also be used to protect a trusted system while it is being designed and developed.

Primary functions of configuration management
- To ensure that the change is implemented in an orderly manner through formalized testing
- To ensure that the user base is informed of the impending change
- To analyse the effect of the change on the system after implementation
- To reduce the negative impact that the change might have had on the computing service and resources

Procedures to implement and support the change control process
- Applying to introduce a change
- Cataloguing the intended change
- Scheduling the change
- Implementing the change
- Reporting the change to the appropriate parties

Business continuity and disaster recovery planning
- Contingency plan: a documented, organized plan for emergency response, backup operations, and recovery, maintained by an activity as part of its security program, that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation
- Disaster recovery plan: the plan and procedures that have been developed to recover from a disaster that has interfered with the network and other information system operations
- Continuity of operations plan: the plans and procedures documented to ensure continued critical operations during any period where normal operations are impossible
- Business continuity plan: the plan and procedures developed to identify and prioritize the critical business functions that must be preserved, and the associated procedures for continued operation of those critical business functions

8.3 Suppliers of evaluation services
- Cisco Security Services: www.cisco.com/go/securityconsulting
- INRGI: www.inrgi.net/index_security.html
- Aegis Security: www.aegissecurity.com

8.4 Tools for vulnerability analysis

8.4 Tools for vulnerability analysis: Nessus
- www.nessus.org: open source solution
- Remote security scanner; tests all the services on all the ports (without making assumptions about the traditional service/port associations)
- Precision of the scans and detection
- The documentation is not very accessible
- No technical support, but a developers' mailing list
- Reporting: many links with a complete analysis of the vulnerabilities; the risk level that the vulnerabilities present for the network; graphs
- Vulnerability updates: update via scripts, which can be automated
- Does not run on Windows, but a Windows client exists which connects to a Nessus server to carry out scans remotely: www.securityprojects.org/nessuswx
- http://list.nessus.org

8.4 Tools for vulnerability analysis: Retina
- Suite of security tools developed by eEye (www.eeye.com)
- Can scan in a short time: machines on the network (Apple, Windows, Unix, Linux, ...), network equipment (switches, firewalls), databases, specific applications
- Generates at the end of the scan a full report which details the vulnerabilities, the corrective actions and suitable remedies
- A vulnerability database is available and is downloaded at the beginning of each Retina session
- Modules called CHAM (Common Hacking Attack Method) can be used to carry out deeper detection and tests, in order to detect still unknown security problems on the network
- Precision of the scans and detection: possibility of customizing and scheduling the scans (e.g. scans of servers can differ from scans of user machines)
- Documentation and technical support: included in the Windows help file and complete online; a form to obtain support from the technical team (it is a company)
- Reporting: description of the vulnerabilities detected, with links to additional information
- Vulnerability updates: can be configured to update not only the vulnerability list but also the engine
- Once familiar with its use, it is a very effective scanner

8.4 Summary of vulnerabilities following a Retina scan [screenshot slide]

8.4 Details of the vulnerabilities in Retina [screenshot slide]

8.4 Limits of the vulnerability scanners
- Give a theoretical assurance of security
- Identify the vulnerabilities, but not the consequences of the danger
- Produce a long list of weaknesses (including false positives)
- Do not allow identification of the resources likely to be compromised
- Cannot simulate true attacks

8.5 Tools for penetration tests

8.5 Tools for penetration tests
These intervene where the evaluation tools show their limits.
Core Impact (Core Security, www.coresecurity.com)
- Tackles the computer resources and presents a detailed analysis of the incurred risks
- Precision of the scans and detection: allows exploring the ports and detecting the target operating system
- Reporting: a discovery report enumerates all the hosts discovered and their vulnerabilities; a history report enumerates all the activities carried out by the user
- Vulnerability updates: update of the attack modules; the company keeps its product evolving


The use of the methods and tools described in this course engages the responsibility of the users!

TD (exercises)
1. Compare intrusion detection systems whose information collection is based on the host machines with those whose collection is based on the network.
2. What are the advantages and disadvantages of an intrusion detection system using the signature analysis method?