Systems (NIDS)
IDS Definitions
An IDS is any combination of hardware & software that
monitors a system or network for malicious activity.
Defined by ICSA as:
◦ The detection of intrusions or intrusion attempts, either manually or via software expert systems that operate on logs or other information available from the system or the network.
An intrusion is a deliberate, unauthorized attempt to access or manipulate information or a system and to render it unreliable or unusable.
When suspicious activity originates from your internal network, it can also be classified as misuse.
Another definition:
◦ detecting inappropriate, incorrect, or anomalous activity
◦ misuse detection != intrusion detection
The Puzzle
Why IDS?
Can be detected:
◦ Mapping
◦ Port scans (tens of thousands of packets)
◦ TCP stack scans (hundreds of thousands of packets)
Identify any of the following types of intrusion:
◦ Input validation errors
◦ Buffer overflow
◦ Boundary Conditions
◦ Access Validation Errors
◦ Exceptional Condition Handling Errors
◦ Environmental Errors
◦ Race Conditions
o Many organizations deploy IDS systems
o Provide warnings to network administrator
– Administrator can then improve network’s security
– Vigorous investigation could lead to attackers
o Typical responses to an attack include the following:
– Terminating the session (TCP resets)
– Block offending traffic (usually implemented with ACLs)
– Creating session log files
– Dropping the packet
WHY DO I NEED AN IDS, I HAVE A FIREWALL?
IDS are a dedicated assistant used to monitor the rest of the security infrastructure.
Failure of one of the above components of your security infrastructure jeopardizes the systems they are supposed to protect.
WHY DO I NEED AN IDS, I HAVE A FIREWALL?
Not all traffic may go through a firewall, i.e. a modem on a user computer.
Not all threats originate from outside.
As networks use more and more encryption, attackers will aim at the location where data is often stored unencrypted (the internal network).
A firewall does not protect appropriately against application-level weaknesses and attacks.
Protects against misconfiguration or faults in other security mechanisms.
REAL LIFE ANALOGY
It's like security at the airport... You can put up all the fences in the world and have strict access control, but the biggest threat is all the PASSENGERS (packets) that you MUST let through! That's why there are metal detectors to detect what they may be hiding (packet content).
You have to let them get to the planes (your application) via the gate (port 80), but without X-rays and metal detectors you can't be sure what they have under their coats.
2. IDS Categories
In-Kernel vs. Userspace
Distributed vs. Atomic
Host-based vs. Network-based
Statistical vs. Signature Detection
Active vs. Passive
Proactive vs. Retroactive
Flat vs. Hierarchical
We consider some basic categories of intrusion detection mechanisms:
◦ By sensor location:
  Network-based Intrusion Detection System (NIDS)
  Host-based Intrusion Detection System (HIDS)
◦ By method of detection:
  Statistical Detection
  Signature Detection
NIDS vs HIDS
IDS sensors
[Diagram: network with the Internet, an application gateway firewall, a demilitarized zone (Web server, DNS server, FTP server) and the internal network; the legend marks the IDS sensor positions. Annotation: the underlying OS needs to be hardened, stripped of unnecessary network services.]
Network-based IDS
Protects an entire network segment
Is usually a passive device on the network; users are unaware of its existence
Cannot detect malicious code in encrypted packets
Is cost effective for mass protection
Requires its own sensor for each network segment
Host-based IDS
Protects a single system.
Uses the system's own resources, such as CPU and memory.
Provides application-level security.
Provides day-one security as a shunt between high- and low-level processes.
Intrusion detection is performed after decryption.
Used on servers and sensitive workstations, but is costly for mass protection.
Anomaly/Statistical detection
Mostly on a statistical basis
◦ Based on time, frequency, length of session
◦ For example: a person logs on at 03:00 AM and has never done so in the past; this will raise a flag
Detects statistically exceptional events
Learning: watching activity during the ‘normal’ state and storing patterns (who logs in, what is the origin, when, etc.)
Experience shows that 90% of attacks can be considered as protocol usage anomalies.
Does not require signatures (except what it learns)
We should carefully add knowledge about “normal” activity, such as RFC-compliant state machines; this needs much work.
A non-RFC-compliant client is not always an attacker – we need flexibility
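The learning step described on this slide, as an added example that is not code from the original slides or from any IDS product: a small detector learns a per-user baseline (who logs in, from which source, at what hour) from constructed training lines in an assumed `timestamp user source_ip` format, then reports why a new event deviates from that baseline, including the 03:00 login case. The `hour_slack` parameter is the flexibility knob the slide asks for, so a user who is slightly early or late is not flagged.

```python
"""Learn a per-user baseline of 'normal' logins, then flag statistical outliers.

Added example for the anomaly/statistical detection slide; not code from the
original slides or any IDS product. The log format (timestamp user source_ip)
and all sample lines are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed training data representing the 'normal' state the detector
# learns from: who logs in, from where, and when.
TRAINING_LOG = """
2024-03-04T09:02:11 alice 10.0.0.12
2024-03-04T09:15:40 bob 10.0.0.33
2024-03-04T17:48:03 alice 10.0.0.12
2024-03-05T08:55:27 alice 10.0.0.12
2024-03-05T10:01:09 bob 10.0.0.33
2024-03-05T18:10:44 alice 10.0.0.14
2024-03-06T09:20:15 bob 10.0.0.33
""".strip().splitlines()


def parse(line):
    """Split one constructed log line into (datetime, user, source)."""
    ts, user, src = line.split()
    return datetime.fromisoformat(ts), user, src


def hour_distance(a, b):
    """Circular distance between two hours of the day (23 and 0 are 1 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


class LoginBaseline:
    """Stores the login hours and source addresses observed per user."""

    def __init__(self):
        self.hours = defaultdict(set)
        self.sources = defaultdict(set)
        self.count = defaultdict(int)

    def learn(self, lines):
        for line in lines:
            ts, user, src = parse(line)
            self.hours[user].add(ts.hour)
            self.sources[user].add(src)
            self.count[user] += 1

    def check(self, line, hour_slack=1):
        """Return the reasons an event deviates from the baseline ([] = normal).

        hour_slack is the flexibility knob: an hour within +/- hour_slack of
        any previously seen hour counts as normal.
        """
        ts, user, src = parse(line)
        if self.count[user] == 0:
            return [f"unknown user {user}"]
        reasons = []
        if all(hour_distance(ts.hour, h) > hour_slack for h in self.hours[user]):
            reasons.append(f"unusual hour {ts.hour:02d}:00 for {user}")
        if src not in self.sources[user]:
            reasons.append(f"new source {src} for {user}")
        return reasons


def detect_anomalies(training, events):
    """Learn from the training lines, then score each event line."""
    baseline = LoginBaseline()
    baseline.learn(training)
    return {event: baseline.check(event) for event in events}


if __name__ == "__main__":
    # Constructed events: the 03:00 login from the slide plus a normal one.
    results = detect_anomalies(
        TRAINING_LOG,
        ["2024-03-07T03:00:12 alice 10.0.0.12", "2024-03-07T09:30:00 bob 10.0.0.33"],
    )
    for event, reasons in results.items():
        print(event, "->", reasons or "normal")
```

The baseline only ever grows from what it has seen, so a legitimately new working pattern (a user who starts a night shift) will keep firing until the profile is retrained; that is the "we need flexibility" trade-off from the slide made concrete.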
Signature-based detection
Sniff traffic on network
◦ border router
◦ within a LAN
◦ multiple sensors
Match attack signatures
◦ attack signatures in database
◦ signature: set of rules pertaining to a typical intrusion activity
Simple example rule: any ICMP packet > 10,000 bytes
Example: several thousand SYN packets to different ports on the same host within a second
◦ skilled security engineers research known attacks; put them in database
◦ can configure IDS to exclude certain signatures; can modify signature parameters
Warns administrator
◦ send e-mail, SMS
◦ send message to network management system
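The two example rules quoted on this slide, implemented as an added example that is not code from the original slides or from any IDS product. The packet records are constructed tuples `(time_s, proto, src, dst, dport, tcp_flags, size_bytes)` assumed to arrive in time order, and the SYN-scan threshold of 2000 distinct ports is an assumption standing in for the slide's "several thousand". The block shows the difference between a stateless signature (one packet decides) and a stateful one (a count over a time window), which is where the "every packet compared with each signature" cost comes from.

```python
"""Toy signature matcher for the two example rules quoted on the slide.

Added example; not code from the original slides or any IDS product.
Packets are constructed tuples (time_s, proto, src, dst, dport, tcp_flags,
size_bytes) assumed to be in time order. SYN_SCAN_PORTS is an assumed
threshold for the slide's "several thousand".
"""
from collections import Counter, defaultdict, deque

ICMP_MAX_BYTES = 10_000      # rule 1: any ICMP packet > 10,000 bytes
SYN_SCAN_PORTS = 2000        # rule 2: "several thousand" SYNs to distinct ports...
SYN_SCAN_WINDOW_S = 1.0      # ...on the same host within one second


def rule_large_icmp(pkt):
    """Stateless signature: a single packet decides; returns an alert or None."""
    _t, proto, src, dst, _dport, _flags, size = pkt
    if proto == "ICMP" and size > ICMP_MAX_BYTES:
        return f"large ICMP packet ({size} bytes) {src} -> {dst}"
    return None


def rule_syn_scan(packets, ports=SYN_SCAN_PORTS, window=SYN_SCAN_WINDOW_S):
    """Stateful signature: count distinct destination ports hit by SYNs from
    one source to one host inside a sliding time window."""
    recent = defaultdict(deque)     # (src, dst) -> deque of (time, dport)
    port_counts = defaultdict(Counter)  # (src, dst) -> dport -> hits in window
    alerted = set()                 # alert once per (src, dst) pair
    alerts = []
    for t, proto, src, dst, dport, flags, _size in packets:
        if proto != "TCP" or flags != "S":
            continue
        key = (src, dst)
        buf, counts = recent[key], port_counts[key]
        buf.append((t, dport))
        counts[dport] += 1
        while buf and t - buf[0][0] > window:   # expire entries outside the window
            _old_t, old_port = buf.popleft()
            counts[old_port] -= 1
            if counts[old_port] == 0:
                del counts[old_port]
        if len(counts) >= ports and key not in alerted:
            alerted.add(key)
            alerts.append(f"SYN scan: {src} hit {len(counts)} ports on {dst} within {window:g}s")
    return alerts


def run_signatures(packets):
    """Apply every signature and return the list of alert strings."""
    alerts = []
    for pkt in packets:
        alert = rule_large_icmp(pkt)
        if alert:
            alerts.append(alert)
    alerts.extend(rule_syn_scan(packets))
    return alerts


def constructed_traffic(scan_rate_pps=5000):
    """Constructed sample traffic (documentation address ranges): benign packets,
    one oversized ICMP packet and a 2500-port SYN scan at the given rate."""
    pkts = [
        (0.0, "TCP", "10.0.0.5", "10.0.0.80", 80, "S", 60),             # normal HTTP SYN
        (0.1, "ICMP", "10.0.0.5", "10.0.0.80", None, "", 84),           # ordinary ping
        (0.2, "ICMP", "198.51.100.7", "10.0.0.80", None, "", 20_000),   # matches rule 1
    ]
    for i in range(2500):
        pkts.append((1.0 + i / scan_rate_pps, "TCP", "198.51.100.9", "10.0.0.80", 1 + i, "S", 60))
    return pkts


if __name__ == "__main__":
    for alert in run_signatures(constructed_traffic()):
        print(alert)
```

Lowering `scan_rate_pps` so the same 2500 SYNs are spread over many seconds makes the second rule stay silent, which illustrates the slide's "can modify signature parameters" point: the window and threshold decide what the signature sees.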
Limitations to signature detection
Requires previous knowledge of attack to generate accurate signature
◦ Blind to unknown attacks
No knowledge of intention of activity
◦ Triggers alarms even if traffic is benign
Signature bases are getting larger
◦ Every packet must be compared with each signature
◦ IDS can get overwhelmed with processing, miss packets
Current State of IDS
Lots of people are still using firewall and router logs for intrusion detection
IDS are not very mature
Mostly signature based
It is a quickly evolving domain
Giant leaps and progress every quarter
As stated by Bruce Schneier in his book ‘Secrets and Lies in a digital world’:
Prevention
Detection (getting to this point today)
Response
WHAT CAN IDS REALISTICALLY DO
◦ Monitor and analyse user and system activities
◦ Auditing of system and configuration vulnerabilities
◦ Assess integrity of critical system and data files
◦ Recognition of patterns reflecting known attacks
◦ Statistical analysis for abnormal activities
◦ Data trail, tracing activities from point of entry up to the point of exit
◦ Installation of decoy servers (honey pots)
◦ Installation of vendor patches (some IDS)
WHAT IDS CANNOT DO
◦ Compensate for weak authentication and identification mechanisms
◦ Investigate attacks without human intervention
◦ Guess the content of your organization's security policy
◦ Compensate for weaknesses in networking protocols, for example IP spoofing
◦ Compensate for integrity or confidentiality of information
◦ Analyze all traffic on a very high speed network
◦ Deal adequately with attacks at the packet level
◦ Deal adequately with modern network hardware
Intrusion Detection System
5. IDS Products
Dragon from Enterasys
◦ http://www.enterasys.com/ids/
CISCO Secure IDS
◦ http://www.cisco.com/go/ids/
Snort
◦ http://www.snort.org/
ISS RealSecure
◦ http://www.iss.net/securing_e-business/
SHADOW
◦ http://www.whitehats.ca
◦ ftp://ftp.whitehats.ca/pub/ids/shadow-slack/shadow.iso
References
Knowledge Net CISSP
http://www.snort.org