
8/5/2010

Paul Apolinar Christian Chavez RJ Favila Arni Paragas Jessica Mayuga Abegail Soas

Defined by ICSA as:

The detection of intrusions or intrusion attempts, either manually or via software expert systems that operate on logs or other information available from the system or the network.

IT Security

An intrusion is a deliberate, unauthorized attempt to access or manipulate information or systems and to render them unreliable or unusable. When the suspicious activity comes from your internal network it can also be classified as misuse.

Intrusion: attempting to break into or misuse your system. Intruders may be from outside the network or legitimate users of the network. An intrusion can be a physical, system or remote intrusion.

Intrusion Detection Systems are only one piece of the whole security puzzle. IDS must be supplemented by other security and protection mechanisms. They are a very important part of your security architecture but do not solve all your problems.

Part of defense in depth

IDS are a dedicated assistant used to monitor the rest of the security infrastructure.

Today's security infrastructures are becoming extremely complex; they include firewalls, identification and authentication systems, access control products, virtual private networks, encryption products, virus scanners, and more. All of these tools perform functions essential to system security. Given their role they are also prime targets, and being managed by humans they are prone to errors.

Failure of one of the above components of your security infrastructure jeopardizes the systems they are supposed to protect.


Not all traffic may go through a firewall, e.g. a modem on a user computer.
Not all threats originate from outside. As networks use more and more encryption, attackers will aim at the location where data is often stored unencrypted (the internal network).
Firewalls do not protect appropriately against application level weaknesses and attacks.
Firewalls are subject to attacks themselves.
Protect against misconfiguration or faults in other security mechanisms.

It's like security at the airport. You can put up all the fences in the world and have strict access control, but the biggest threat is all the PASSENGERS (packets) that you MUST let through! That's why there are metal detectors to detect what they may be hiding (packet content). You have to let them get to the planes (your application) via the gate (port 80), but without X-rays and metal detectors you can't be sure what they have under their coats.

Firewalls are really good access control points, but they aren't really good for, or designed to, prevent intrusions. That's why most security professionals back their firewalls up with IDS, either behind the firewall or at the host.

What an IDS can do:

Monitor and analyse user and system activities
Audit system and configuration vulnerabilities
Assess the integrity of critical system and data files
Recognize patterns reflecting known attacks
Statistical analysis for abnormal activities
Data trail, tracing activities from the point of entry up to the point of exit
Installation of decoy servers (honey pots)
Installation of vendor patches (some IDS)

What an IDS cannot do:

Compensate for weak authentication and identification mechanisms
Investigate attacks without human intervention
Guess the content of your organization's security policy
Compensate for weaknesses in networking protocols, for example IP spoofing
Compensate for the integrity or confidentiality of information
Analyze all traffic on a very high speed network
Deal adequately with attacks at the packet level
Deal adequately with modern network hardware

Attacks
Are unauthorized activity with malicious intent using specially crafted code or techniques. Includes DoS, virus or worm infections, buffer overflows, malcrafted requests, file corruption, malformed network packets, or unauthorized program execution.

Misuse
Refers to unauthorized events without specially crafted code. In this case, the offending person used normally crafted traffic or requests and their implicit level of authorization to do something malicious. Also unintended consequences, like when a hapless new user overwrites a critical document with a blank page.


Network Protocol Attacks
Network protocols define the packet formatting and how the datagram is transmitted between source and destination.

Application Attacks
Can be text commands used to exploit OS or application holes, or can contain malicious content such as a buffer overflow exploit, a maliciously crafted command, or a computer virus. Include misappropriated passwords, password-cracking attempts, rootkit software, illegal data manipulation, unauthorized file access, and every other network attack that doesn't rely on malformed network packets to work.

Fragmentation and Reassembly Attacks

IP packets can be used in fragmentation attacks. Attacks can use fragment offset values to cause the packets to maliciously reassemble and intentionally cover up the header and payload of the first fragment.
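The reassembly problem just described is what a defender's reassembler has to check for before it trusts a fragment set. The following is an added example, not code from the slides: it models a fragment by its IPv4 fragment-offset field (8-byte units), its MF flag and its payload, refuses to reassemble a set in which a later fragment overlaps data already seen (calling out the case where offset 0, and so the transport header, is rewritten), and also reports gaps, bad lengths and missing or duplicate final fragments. The three fragment sets at the bottom are constructed samples, not captured traffic.

```python
"""Checking IP fragment sets for overlap before reassembly (added example,
not from the slides). Constructed fragment sets only."""

from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Fragment:
    offset: int    # IPv4 fragment offset field, in 8-byte units
    more: bool     # MF flag: True unless this is the last fragment
    payload: bytes

    @property
    def start(self) -> int:
        return self.offset * 8

    @property
    def end(self) -> int:
        return self.start + len(self.payload)


def check_fragments(frags: List[Fragment]) -> List[str]:
    """Return anomaly descriptions; an empty list means the set looks sane.

    Flags byte ranges that overlap data already covered (a fragment that
    restarts at offset 0 is called out separately, because that is where the
    first fragment's transport header lives), gaps in coverage, non-final
    fragments whose length is not a multiple of 8, and sets with zero or
    several final fragments.
    """
    anomalies: List[str] = []
    finals = sum(1 for f in frags if not f.more)
    if finals != 1:
        anomalies.append(f"expected exactly one final fragment, saw {finals}")
    covered_end = 0
    for f in sorted(frags, key=lambda f: f.start):
        if f.more and len(f.payload) % 8 != 0:
            anomalies.append(f"non-final fragment at byte {f.start} has length "
                             f"{len(f.payload)}, not a multiple of 8")
        if f.start < covered_end:
            kind = "header-rewriting" if f.start == 0 else "overlapping"
            anomalies.append(f"{kind} fragment covers bytes {f.start}-{f.end}, "
                             f"data already present up to {covered_end}")
        elif f.start > covered_end:
            anomalies.append(f"gap between byte {covered_end} and byte {f.start}")
        covered_end = max(covered_end, f.end)
    return anomalies


def reassemble(frags: List[Fragment]) -> Optional[bytes]:
    """Conservative reassembly: return None if any anomaly was found,
    otherwise concatenate payloads in offset order."""
    if check_fragments(frags):
        return None
    return b"".join(f.payload for f in sorted(frags, key=lambda f: f.start))


# Constructed samples.
BENIGN = [Fragment(0, True, b"A" * 16), Fragment(2, False, b"B" * 10)]
# The second fragment restarts at offset 0 with different bytes: the kind of
# reassembly the slide describes, where the first fragment's header is covered.
OVERLAP = [Fragment(0, True, b"A" * 16), Fragment(0, True, b"X" * 16),
           Fragment(2, False, b"B" * 8)]
GAP = [Fragment(0, True, b"A" * 8), Fragment(3, False, b"B" * 4)]

if __name__ == "__main__":
    for name, frags in (("benign", BENIGN), ("overlap", OVERLAP), ("gap", GAP)):
        print(name, check_fragments(frags) or "ok", reassemble(frags))
```

Refusing the whole datagram on any overlap is the conservative choice for an inspection device; an IDS that silently accepted one of the overlapping copies would have to guess which copy the destination host's IP stack will keep, and the two may differ.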

Content Obfuscation
Code obfuscation is when programmers conceal the code's purpose or its logic to prevent tampering.

Crackers use encoding schemes to hide their malicious commands and content.

Some experts will say that a properly defined IDS can catch any security threat, but events involving misuse prove the most difficult to detect and prevent. For example, if an outside hacker uses social engineering tricks to get the CEO's password, there aren't many IDSs that will notice. If the webmaster accidentally posts a confidential document to a public directory available to the world, the IDS won't notice.

If a cracker uses the default password of an administrative account that should have been changed right after the system was installed, few IDSs will notice. If a hacker gets inside the network and copies confidential files, that would be tough to notice.

IDS development began in the early 1980s, but only started growing in the PC marketplace in the late 1990s. The focus has been almost exclusively on the benefit of early warning resulting from accurate detection. The practical reality is that while most IDSs are considered fairly accurate, no IDS has ever been close to being perfectly accurate.


IDSs never get over 90% accuracy against a wide spectrum of real-world attack traffic. Most are in the 80% range. When an IDS misses a legitimate threat, it is called a false negative.

A false positive is when the IDS says there is a security threat, but the traffic is not malicious or was never intended to be malicious. Ex: when an IDS flags an e-mail as infected with a particular virus because it is looking for some key text known to be in the message body of the e-mail virus (for example, the phrase "see my wife's photos").
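Two of the points above, the encoding schemes of the content-obfuscation slide and the false positive from a loose text signature, can be shown in one small signature matcher. This is an added example, not code from the slides or from any product: it percent-decodes content to a canonical form before matching (so double-encoded traversal strings are caught), then counts true and false positives over a set of labelled events. The requests, mail subjects and signature patterns are all constructed for the example.

```python
"""Signature matching on canonicalised content (added example, not from the
slides). All events and signatures below are constructed."""

import re
from typing import Dict, List, Tuple
from urllib.parse import unquote


def canonicalize(text: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded, since double encoding is common),
    fold backslashes to slashes, collapse repeated slashes, lower-case."""
    prev, rounds = None, 0
    while text != prev and rounds < max_rounds:
        prev, text = text, unquote(text)
        rounds += 1
    text = re.sub(r"/+", "/", text.replace("\\", "/"))
    return text.lower()


# name -> pattern applied to the canonical form. The last one is deliberately
# the kind of loose phrase match the slide gives as a false-positive source.
SIGNATURES: Dict[str, re.Pattern] = {
    "directory-traversal": re.compile(r"\.\./"),
    "sensitive-file-in-uri": re.compile(r"/etc/passwd"),
    "mass-mailer-text": re.compile(r"see my wife'?s photos"),
}


def match(event: str) -> List[str]:
    """Names of the signatures that hit, after canonicalisation."""
    canon = canonicalize(event)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(canon))


# Constructed, labelled events: (content, is_malicious)
EVENTS: List[Tuple[str, bool]] = [
    ("GET /index.html HTTP/1.0", False),
    ("GET /cgi-bin/..%252f..%252f..%252fetc/passwd HTTP/1.0", True),   # double-encoded traversal
    ("GET /scripts/..%5c..%5cprivate/config.txt HTTP/1.0", True),      # encoded backslashes
    ("Subject: holiday - see my wife's photos from the beach!", False), # benign mail
    ("Subject: hi - See my wifes photos :) [attachment: photos.exe]", True),
]


def evaluate(events: List[Tuple[str, bool]] = EVENTS) -> Dict[str, int]:
    """Confusion counts (tp/fp/tn/fn) for the signature set over labelled events."""
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for content, malicious in events:
        flagged = bool(match(content))
        if flagged:
            counts["tp" if malicious else "fp"] += 1
        else:
            counts["fn" if malicious else "tn"] += 1
    return counts


if __name__ == "__main__":
    for content, _ in EVENTS:
        print(match(content) or "-", content)
    print(evaluate())
```

Without the decoding step the two encoded requests would be false negatives; with the loose mail signature the holiday message is a false positive. Both numbers come out of `evaluate()`, which is the kind of measurement the accuracy figures on this slide rest on.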

Features that may be more or less useful in different circumstances:

Return on investment
IDS type and detection model
End-user interface
IDS management
Prevention mechanisms
Performance
Logging and alerting
Reporting and analysis

While first-generation IDSs focused on accurate attack detection, second-generation IDSs do that and also work to simplify the administrator's life by offering a bountiful array of back-end options. They offer intuitive end-user interfaces, intrusion prevention, centralized device management, event correlation, and data analysis.

This generation of IDSs does more than just detect attacks: they sort, prevent and attempt to add as much value as they can beyond mere detection. Tip: to increase your odds of a successful IDS deployment, for every hour you spend looking at cool detection signatures, spend an hour planning and configuring your logging, reporting, and analysis tools.

But when configuring the IDS, we have to justify its cost.


Host-based IDS
Are installed on the host they are intended to monitor. The host can be a server, workstation, or any networked device (such as a printer, router or gateway). Because they have the ability to sniff network traffic intended for the monitored host, they excel at monitoring and reporting direct interactions at the application layer.

HIDS can inspect each incoming command, looking for signs of maliciousness, or simply track unauthorized file changes.

File-integrity HIDSs (sometimes called snapshot or checksum HIDSs) take a cryptographic hash of important files in a known clean state, and then check them again later for comparison. If any changes are noted, the administrator is alerted. Ex: Tripwire (www.tripwire.com), Pedestal Software's INTACT (www.pedestalsoftware.com)

Behavior-monitoring HIDSs
do real-time monitoring and will intercept potentially malicious behavior. For instance, a Windows HIDS will report on attempts to modify the registry, file manipulations, system access, password changes, privilege escalations, and other direct modifications to the host.

Examples of behavior-monitoring HIDS

Cisco's IDS Host Sensor (www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/prodlit/hid25_ds.htm)
Okena's StormWatch (www.okena.com)
Entercept Security Technologies' IDS solutions (www.entercept.com)

Network-based IDS
Are designed to protect more than one host. They can protect a group of computer hosts, like a server farm, or monitor an entire network.

Captured traffic is compared against protocol specifications and normal traffic trends, or the packet's payload data is examined for malicious content. If a security threat is noted, the event is logged and an alert is generated.


HIDS advantages
Monitor in terms of who accessed what
Can map problem activities to a specific user ID
System can track behavior changes associated with misuse
Can operate in an encrypted environment
Operates in switched networks
Monitoring load is distributed across multiple hosts and not on a single host, reporting only relevant data to a central console

HIDS disadvantages
Cannot see all network activities
Running audit mechanisms adds overhead to the system; performance may be an issue
Audit trails can take lots of storage
OS vulnerabilities can undermine the effectiveness of agents
Agents are OS specific
Escalation of false positives
Greater deployment and maintenance cost

NIDS advantages
Can get information quickly without any reconfiguration of computers or need to redirect logging mechanisms
Does not affect network or data sources
Monitors and detects network attacks or misuse in real time
Does not create system overhead

NIDS disadvantages
Cannot scan protocols if the data is encrypted
Can infer from network traffic what is happening on a host but cannot tell the outcome
Hard to implement on fully switched networks
Has difficulties sustaining networks with a very large bandwidth

The 2nd generation IDSs: going far beyond mere monitoring and alerting. Examples:

Setting access controls
Requiring passwords
Enabling real-time antivirus scanning
Updating patches
Installing perimeter firewalls


The IDS is a mandatory inspection point with the ability to filter real-time traffic. It can:

Drop packets
Reset connections
Route suspicious traffic to quarantined areas for inspection

(Diagram: Internet, IDS, internal network.) The IDS is placed to drop malicious packets before they can enter the network.

Intruder Alert
Is the best intrusion-detection software: a host-based, real-time intrusion-monitoring system that successfully detects unauthorized activity and security breaches and responds automatically. You use Intruder Alert's central console to create, update, and deploy policies and securely collect and archive audit logs for incident analysis.

Symantec Endpoint Protection Manager

Symantec Information Foundation Mail Security


Snort is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Combining the benefits of signature, protocol and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide.

Snort is logically divided into multiple components. These components work together to detect particular attacks and to generate output in a required format from the detection system. A Snort-based IDS consists of the following major components:

Packet Decoder
Preprocessors
Detection Engine
Logging and Alerting System
Output Modules
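The five components listed above form a pipeline, and the easiest way to see how they divide the work is to build a miniature one. This is an added example, not Snort's own code: it parses a small subset of Snort's rule syntax (action, protocol, addresses, ports, and the msg/content/nocase/sid/rev options), pushes constructed packets through decoder, preprocessor, detection engine and alert log, and formats hits in the style of Snort's alert_fast output. The packet text form "proto src:port -> dst:port | payload" is an assumption made for this example (real Snort decodes raw frames), and the packets and rules are constructed, with sids in the local range above 1000000.

```python
"""A miniature Snort-style pipeline (added example, not Snort's own code).
Constructed packets and rules only."""

import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import unquote


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: str


@dataclass
class Rule:
    action: str
    proto: str
    header: List[str]        # [src, sport, dst, dport], each "any" or a literal
    opts: Dict[str, str]


# Assumed packet text form for this example: "proto src:port -> dst:port | payload"
PACKET_RE = re.compile(r"^(\w+)\s+(\S+):(\d+)\s*->\s*(\S+):(\d+)\s*\|\s*(.*)$")
RULE_RE = re.compile(r"^(alert|log|pass)\s+(\w+)\s+(\S+)\s+(\S+)\s*->\s*(\S+)\s+(\S+)\s*\((.*)\)\s*$")
OPT_RE = re.compile(r'(\w+)\s*(?::\s*"?([^";]*)"?)?\s*;')   # simplification: no ';' or '"' inside values


def decode(line: str) -> Packet:
    """Packet decoder stage: turn the constructed text form into fields."""
    m = PACKET_RE.match(line)
    if not m:
        raise ValueError(f"undecodable packet line: {line!r}")
    proto, src, sport, dst, dport, payload = m.groups()
    return Packet(proto.lower(), src, int(sport), dst, int(dport), payload)


def preprocess(pkt: Packet) -> Packet:
    """Preprocessor stage: percent-decode HTTP payloads so the engine matches
    on what the web server would see (the role http_inspect plays in Snort)."""
    if pkt.proto == "tcp" and pkt.dport == 80:
        pkt.payload = unquote(pkt.payload)
    return pkt


def parse_rule(text: str) -> Rule:
    """Parse one rule line in the subset of Snort syntax described above."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparsable rule: {text!r}")
    action, proto, src, sport, dst, dport, opts = m.groups()
    return Rule(action, proto.lower(), [src, sport, dst, dport], dict(OPT_RE.findall(opts)))


def detect(pkt: Packet, rules: List[Rule]) -> List[Rule]:
    """Detection engine stage: header fields first, then payload content."""
    hits = []
    actual = [pkt.src, str(pkt.sport), pkt.dst, str(pkt.dport)]
    for r in rules:
        if r.proto != pkt.proto or any(want not in ("any", have) for want, have in zip(r.header, actual)):
            continue
        needle, hay = r.opts.get("content", ""), pkt.payload
        if "nocase" in r.opts:
            needle, hay = needle.lower(), hay.lower()
        if needle in hay:                        # empty content matches any payload
            hits.append(r)
    return hits


def format_fast(rule: Rule, pkt: Packet) -> str:
    """Output module stage, modelled loosely on Snort's alert_fast line."""
    o = rule.opts
    return (f"[**] [1:{o.get('sid', '0')}:{o.get('rev', '0')}] {o.get('msg', '')} [**] "
            f"{{{pkt.proto.upper()}}} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")


def run_pipeline(lines: List[str], rule_texts: List[str]) -> List[str]:
    """decoder -> preprocessor -> detection engine -> alert log -> output."""
    rules = [parse_rule(t) for t in rule_texts]
    alert_log: List[str] = []                    # logging and alerting stage
    for line in lines:
        pkt = preprocess(decode(line))
        alert_log.extend(format_fast(r, pkt) for r in detect(pkt, rules) if r.action == "alert")
    return alert_log


# Constructed packets and rules (sids in the local >= 1000000 range).
PACKETS = [
    "tcp 192.0.2.10:51000 -> 198.51.100.5:80 | GET /index.html HTTP/1.0",
    "tcp 192.0.2.10:51001 -> 198.51.100.5:80 | GET /cgi-bin/..%2f..%2fprivate/config HTTP/1.0",
    "udp 192.0.2.10:53000 -> 198.51.100.5:53 | query example.com A",
]
RULES = [
    'alert tcp any any -> any 80 (msg:"WEB-MISC directory traversal"; content:"../"; sid:1000001; rev:1;)',
    'alert udp any any -> any 53 (msg:"DNS query for example.com"; content:"EXAMPLE.COM"; nocase; sid:1000002; rev:1;)',
]

if __name__ == "__main__":
    for alert in run_pipeline(PACKETS, RULES):
        print(alert)
```

The second packet only matches because the preprocessor ran before the detection engine; with the stages swapped the encoded "%2f" would hide the traversal string from the content match, which is exactly the dependency between preprocessors and rules that the component list expresses.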

Snort


Snort IDS Console

Tripwire
IDS solution for GNU/Linux systems. Initially released in 1992.

Tripwire is a tool used by sys admins to detect an intrusion by a hacker on a system. It is used to detect any changes made to your system by a hacker, and is a useful tool for monitoring any change from the baseline configuration of a system.

Tripwire creates a known-state database of cryptographic checksums of all of your operating system and application software, and then periodically compares that known state against new tests.
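The known-state database described here, and the file-integrity HIDS idea from the host-based slides, come down to one loop: hash every file in a clean state, rescan later, and report what was added, removed or changed. The following is an added example, not Tripwire's code: it builds a small file tree in a temporary directory (constructed paths and contents, so it runs offline), takes a SHA-256 baseline, makes three changes a later scan should catch, and returns the report. It also hashes the baseline itself, since a database that an intruder can edit is no baseline at all.

```python
"""File-integrity checking in the Tripwire style (added example, not
Tripwire's code). The file tree is constructed in a temporary directory."""

import hashlib
import pathlib
import tempfile
from typing import Dict, List


def hash_file(path: pathlib.Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: pathlib.Path) -> Dict[str, str]:
    """Map each regular file (path relative to root, POSIX form) to its hash."""
    root = pathlib.Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify the differences between two snapshots."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def baseline_digest(snap: Dict[str, str]) -> str:
    """One hash over the whole baseline, so the stored database can itself be
    verified (or signed) before it is trusted for a comparison."""
    h = hashlib.sha256()
    for path in sorted(snap):
        h.update(f"{path}\0{snap[path]}\n".encode())
    return h.hexdigest()


def demo() -> Dict[str, List[str]]:
    """Build a constructed tree, take the baseline, change it, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "motd").write_text("welcome\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed binary")
        baseline = snapshot(root)
        before = baseline_digest(baseline)
        # Changes a later scan should pick up: replaced binary, deleted file, new file.
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed binary, replaced")
        (root / "etc" / "motd").unlink()
        (root / "etc" / "shadow.bak").write_text("constructed leftover\n")
        assert baseline_digest(baseline) == before   # stored baseline is itself intact
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

In a real deployment the baseline would be taken before the host is exposed and kept where the monitored host cannot write to it (Tripwire signs its database for this reason); a checker that reads a baseline the intruder could have rewritten reports exactly what the intruder wants it to.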

Tripwire Configuration

Tripwire Sample Report


Although behavior-based intrusion detection is a relatively new technology, WatchGuard already has mechanisms in place within the firewall to identify known attack behaviors, such as:

Port scans and probes
Spoofing
SYN flood attacks
DoS and DDoS attacks
The misuse of IP options such as source routing

It utilizes highly innovative and sophisticated detection techniques, including stateful pattern recognition, protocol parsing, heuristic detection, and anomaly detection, that provide comprehensive protection from a variety of both known and unknown cyber threats.
