Intrusion Detection Systems(IDS)

and
Intrusion Prevention Systems(IPS)

Overview
Taxonomy of intrusion detection system
Promiscuous & Inline Mode Protection:
IDS, IPS
Snort
Summary

2/14/15

INTRUSION DETECTION SYSTEM AND INTRUSION

PREVENTION SYSTEM

Intrusion Detection Systems (IDSs)

1. An attack is launched on a
network that has a sensor
deployed in promiscuous IDS
mode; therefore copies of all
packets are sent to the IDS
sensor for packet analysis.
However, the target machine
will experience the malicious
attack.
2. The IDS sensor, matches the
malicious traffic to a signature
and sends the switch a
command to deny access to
the source of the malicious
traffic.
3. The IDS can also send an
alarm to a management
console for logging and other
management purposes.

Switch

1
2
Sensor

Management
Console

Target

Intrusion Prevention Systems (IPSs)

1

1. An attack is launched on a
network that has a sensor
deployed in IPS mode (inline
mode).
2. The IPS sensor analyzes the
packets as they enter the IPS
sensor interface. The IPS
sensor matches the malicious
traffic to a signature and the
attack is stopped immediately.
3. The IPS sensor can also send
an alarm to a management
console for logging and other
management purposes.
4. Traffic in violation of policy can
be dropped by an IPS sensor.

Sensor

Bit Bucket

Management
Console

Target

Common characteristics of IDS and IPS

Both
technologies
are deployed
sensors.
Both
technologies
are using
deployed
using
Bothsensors.
technologies use signatures to detect
patterns of misuse in network traffic.

Both technologies use signatures to

Both can detect atomic patterns (single-packet)

detect patterns
of misuse in network
or composite
patterns (multi-packet).

traffic.

Both can detect atomic patterns

(single-packet) or composite patterns
(multi-packet).

2/14/15

INTRUSION DETECTION SYSTEM AND INTRUSION

PREVENTION SYSTEM

Comparing IDS and IPS Solutions

Advantages

IDS

Promiscuous Mode

No impact on network
(latency, jitter)

Disadvantages
Response action cannot
stop trigger packets

Correct tuning required for

No network impact if there is a response actions
sensor failure
Must have a well thoughtout security policy
No network impact if there is
sensor overload
More vulnerable to network
evasion techniques

Comparing IDS and IPS Solutions

Advantages

Disadvantages
Sensor issues might affect
network traffic

IPS

Inline Mode

Stops trigger packets

Sensor overloading
impacts the network

Can use stream normalization

Must have a well thoughttechniques
out security policy
Some impact on network
(latency, jitter)

Types of Intrusion Detection Systems

Host based intrusion detection Systems
Software (Agents) installed on computers to monitor input and
output packets from device
It performs log analysis, file integrity checking, policy
monitoring, rootkit detection, real-time alerting and active
response.
Examples:
Cisco Security Agent (CSA) , Tripwire

2/14/15

INTRUSION DETECTION SYSTEM AND INTRUSION

PREVENTION SYSTEM

Host-Based Intrusion Detection

Corporate
network
Agent

Agent

Firewall

Agent

Agent

Agent

Agent
Agent

WWW
server

2/14/15

Untruste
d
network

Agent

DNS
server

INTRUSION DETECTION SYSTEM AND INTRUSION

PREVENTION SYSTEM

Types of Intrusion Detection Systems

Network-Based Intrusion Detection Systems
Connected to network segments to monitor, analyze and respond

to network traffic.

A single IDS sensor can monitor many hosts

NIDS sensors are available in two formats

Appliance: It consists of specialized hardware sensor and its
dedicated software. The hardware consists of specialized NICs,
processors and hard disks to efficiently capture traffic and perform
analysis.
Examples: Cisco IDS 4200 series, IBM Real Secure Network

Software: Sensor software installed on server and placed in network

to monitor network traffic.
Examples: Snort, Bro, Untangle
2/14/15

INTRUSION DETECTION SYSTEM AND INTRUSION

PREVENTION SYSTEM

10

Network-Based Intrusion Detection

Corporate
network
Sensor

Sensor
Firewall

Untruste
d
network

Managemen
t System

2/14/15

WWW DNS
server server

INTRUSION DETECTION SYSTEM AND INTRUSION

PREVENTION SYSTEM

11

Comparing HIPS and Network IPS

Advantages

Disadvantages

Is host-specific
HIPS

Operating system
dependent
Protects host after decryption
Lower level network events
Provides application-level
not seen
encryption protection
Host is visible to attackers

Is cost-effective
Not visible on the network
Operating system
Network independent
IPS
Lower level network events
seen

Cannot examine encrypted

traffic
Does not know whether an
attack was successful

Signature Triggers
Advantages

Disadvantages

Easy configuration

No detection of unknown signatures

Fewer false positives

Initially a lot of false positives

Good signature design

Signatures must be created, updated, and

tuned

Anomalybased
Detection

Simple and reliable

Generic output

Customized policies

Policy must be created

Policy-based
Detection

Easy configuration

Pattern-based
Detection

Honey PotBased
Detection

Can detect unknown attacks

Can detect unknown attacks

Difficult to profile typical activity in large

networks

Window to view attacks

Dedicated honey pot server

Distract and confuse attackers

Honey pot server must not be trusted

Slow down and avert attacks

Collect information about attack

Traffic profile must be constant

Classification of Intrusion Detection

Profile or Anomaly based intrusion detection

Monitors network traffic and compares it against an

established baseline for normal use
Bandwidth, protocols, ports and devices generally connecting to
each other

Alerts the administrator or user when traffic is detected

which is anomalous, or significantly different, than the
baseline.
Example: Snort Spade plug-in
Prone to high number of false-positives

2/14/15

INTRUSION DETECTION SYSTEM AND INTRUSION

PREVENTION SYSTEM

14

Classification of Intrusion Detection

Signature based intrusion detection
Also known as Misuse Detection
A signature based IDS will monitor packets on the network and
compare them against a database of signatures or attributes
from known malicious threats.
Similar to the way most antivirus software detects malware.

Examples: Cisco Sensors 4200 series, Snort

Less prone to false positives
Unable to detect zero-day threats whose signatures are
not available
2/14/15

INTRUSION DETECTION SYSTEM AND INTRUSION

PREVENTION SYSTEM

15

Signature Types
Atomic

Simplest form
Consists of a single packet, activity, or event
Does not require intrusion system to maintain state information
Easy to identify

Composite
Also called a stateful signature
Identifies a sequence of operations distributed across multiple hosts
Signature must maintain a state known as the event horizon

2/14/15

INTRUSION DETECTION SYSTEM AND INTRUSION

PREVENTION SYSTEM

16

Pattern-based Detection
Trigger

Signature Type
Atomic Signature
Stateful Signature

No state required to
Pattern- examine pattern to
based
determine if signature
detection action should be applied

Example

Detecting for an Address

Resolution Protocol
(ARP) request that has a
source Ethernet address
of FF:FF:FF:FF:FF:FF

Must maintain state or examine

multiple items to determine if
signature action should be
applied
Searching for the string
confidential across multiple
packets in a TCP session

Policy-based Detection
Signature
Trigger

Signature Type
Atomic Signature
Stateful Signature

Policy- No state required to

based
identify undesirable
detection behavior
Detecting abnormally
large fragmented packets
Example
by examining only the last
fragment

Previous activity (state)

required to identify undesirable
behavior
A SUN Unix host sending RPC
requests to remote hosts
without initially consulting the
SUN PortMapper program.

IPS Sensors
Factors that impact IPS sensor selection and deployment:

Amount of network traffic

Network topology
Security budget
Available security staff

Size of implementation
Small (branch offices)
Large
Enterprise

2/14/15

INTRUSION DETECTION SYSTEM AND INTRUSION

PREVENTION SYSTEM

19

Snort
Open source, freely available software except for rules
Installed as dedicated server on Windows and Linux,
Solaris operating systems
Placed as network sensor in a network
Rules are set of instructions defined to take certain action
after matching some sort of signatures (atomic or
composite)
Example:
alert tcp $HOME_NET any -> $EXTERNAL_NET any
(content:"uk.youtube.com;msg:"someone visited YouTube";)
2/14/15

INTRUSION DETECTION SYSTEM AND INTRUSION

PREVENTION SYSTEM

20

Snort Modes
Sniffer Mode
Used to sniff traffic from network
Traffic will be captured using libpcap or winpcap.
Traffic will be captured directly from the sensor .

Logger Mode
Simple logging into a file. Two possible formats are Binary
and ASCII.
Logging into a Database (eg. MySQL)
Can be used for creating the normal traffic profile

Intrusion Detection / Prevention

2/14/15

The rules will be used in this mode of snort to detect unwanted

INTRUSION DETECTION SYSTEM AND INTRUSION
activity
PREVENTION SYSTEM

21

Summary
Intrusion detection system (IDS) is software or hardware
designed to monitor, analyze and respond to network traffic .
Can be classified as Profile or Signature based intrusion
detection.
Signatures can be defined as Atomic or Composite.
Can be available as Host or Network based Intrusion
detection .
IDS is used as promiscuous mode protection in DMZ
IPS is used as Inline mode protection for securing internal
network
Cisco 4200 series IDS and IPS sensors offer rich set of
features for ISD and IPS
Snort is an open source, free IDS and can operate in sniff ,
logging and Intrusion detection/prevention modes. Snort
uses rules to analyze traffic.
IDS/IPS software can be vulnerable to exploits so run patched
version, and shutdown unnecessary services.
Unified Threat Management (UTM) is a network device that have
many features in one box. E.g, Untangle, Watchguard.
2/14/15

INTRUSION DETECTION SYSTEM AND INTRUSION

PREVENTION SYSTEM

22