
Network Intrusion Detection Systems (NIDS)
IDS Definitions
An IDS is any combination of hardware & software that
monitors a system or network for malicious activity.

Examples of IDSs in real life
◦ Car alarms
◦ Fire detectors
◦ House alarms
◦ Surveillance systems

2
 Defined by ICSA as:
◦ The detection of intrusions or intrusion attempts, either manually or via software expert systems that operate on logs or other information available from the system or the network.
 An intrusion is a deliberate, unauthorized attempt to access or manipulate information or a system, or to render them unreliable or unusable.
 When suspicious activity comes from your internal network it can also be classified as misuse.
 Another definition:
◦ detecting inappropriate, incorrect, or anomalous activity
◦ misuse detection != intrusion detection

3
The Puzzle
 Intrusion Detection Systems are only one piece of the whole security puzzle
 IDS must be supplemented by other security and protection mechanisms
 They are a very important part of your security architecture but do not solve all your problems
 Part of "Defense in depth"

4
Why IDS?
 Can be detected:
◦ Mapping
◦ Port scans
 Tens of thousands of packets
◦ TCP stack scans
 Hundreds of thousands of packets
 Identify any of the following types of intrusion:
◦ Input validation errors
◦ Buffer overflow
◦ Boundary conditions
◦ Access validation errors
◦ Exceptional condition handling errors
◦ Environmental errors
◦ Race conditions
o Many organizations deploy IDS systems
o They provide warnings to the network administrator
– The administrator can then improve the network's security
– Vigorous investigation could lead to the attackers
o Typical responses to an attack include the following:
– Terminating the session (TCP resets)
– Blocking the offending traffic (usually implemented with ACLs)
– Creating session log files
– Dropping the packet
5
WHY DO I NEED AN IDS, I HAVE A FIREWALL?
 An IDS is a dedicated assistant used to monitor the rest of the security infrastructure.
 Today's security infrastructures are becoming extremely complex: they include firewalls, identification and authentication systems, access control products, virtual private networks, encryption products, virus scanners, and more. All of these tools perform functions essential to system security. Given their role they are also prime targets, and, being managed by humans, they are prone to errors.
 Failure of one of the above components of your security infrastructure jeopardizes the systems it is supposed to protect.

6
WHY DO I NEED AN IDS, I HAVE A FIREWALL?
 Not all traffic may go through a firewall, e.g. a modem on a user's computer
 Not all threats originate from outside. As networks use more and more encryption, attackers will aim at the location where data is often stored unencrypted (the internal network)
 A firewall does not protect appropriately against application-level weaknesses and attacks
 An IDS helps protect against misconfiguration or faults in other security mechanisms

7
REAL LIFE ANALOGY
 It's like security at the airport... You can put up all the fences in the world and have strict access control, but the biggest threat is all the PASSENGERS (packets) that you MUST let through! That's why there are metal detectors to detect what they may be hiding (packet content).
 You have to let them get to the planes (your application) via the gate (port 80), but without X-rays and metal detectors you can't be sure what they have under their coats.
 Firewalls are really good access control points, but they aren't really good at, or designed for, preventing intrusions.
 That's why most security professionals back their firewalls up with IDS, either behind the firewall or at the host.

8
2. IDS Categories
In-Kernel vs. Userspace
Distributed vs. Atomic
Host-based vs. Network-based
Statistical vs. Signature Detection
Active vs. Passive
Proactive vs. Retroactive
Flat vs. Hierarchical IDS

9
We consider some basic categories of intrusion detection mechanisms:
◦ By sensor location:
 Network-based Intrusion Detection System (NIDS)
 Host-based Intrusion Detection System (HIDS)
◦ By method of detection:
 Statistical detection
 Signature detection

10
NIDS vs HIDS

11
IDS sensors
[Figure: IDS sensor placement in a network with an Internet connection, an application gateway firewall, a demilitarized zone (Web server, DNS server, FTP server) and an internal network. Legend: IDS sensor. Note on the servers: the underlying OS needs to be hardened, stripped of unnecessary network services.]

12
Network based IDS
Protects an entire network segment
Is usually a passive device on the network, and users are unaware of its existence
Cannot detect malicious code in encrypted packets
Is cost effective for mass protection
Requires its own sensor for each network segment

13
Host-based IDS
 Protects a single system.
 Uses system resources such as CPU and memory from the system it protects.
 Provides application-level security.
 Provides day-one security as a shunt between high- and low-level processes.
 Intrusion detection is performed after decryption.
 Used on servers and sensitive workstations, but is costly for mass protection.

14
Anomaly/Statistical detection
 Mostly on a statistical basis
◦ Based on time, frequency, length of session
◦ For example: a person logs on at 03:00 and has never done so in the past; this raises a flag
 Detects statistically exceptional events
 Learning: watching activity during a 'normal' state and storing patterns (who logs in, what the origin is, when, etc.)
 Experience shows that 90% of attacks can be considered protocol usage anomalies.
 Does not require signatures (except what it learns)
 We should carefully add knowledge about "normal" activity, such as RFC-compliant state machines; it needs much work.
 A non-RFC-compliant client is not always an attacker, so we need flexibility
15
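The 03:00 login example above, implemented as a small statistical detector. This is an added example and not code from the original slides: it learns a per-user profile (login hours and source hosts) from a constructed baseline log, then scores new logins by how surprising the hour is for that user (Laplace-smoothed probability, expressed in bits) and by whether the source host was ever seen. The log format, user and host names and the 4.5-bit threshold are assumptions made for illustration.

```python
"""Toy anomaly (statistical) login detector.

Added example, not part of the original slides. Log format, users, hosts
and the threshold are assumptions; the log lines are constructed.
"""
import math
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed baseline captured during the 'normal' learning period.
# Assumed format: "<YYYY-MM-DD> <HH:MM> <user> <source-host>"
BASELINE_LOG = """\
2003-03-03 08:55 alice ws-finance-1
2003-03-03 09:02 bob ws-dev-7
2003-03-04 08:47 alice ws-finance-1
2003-03-04 17:30 bob ws-dev-7
2003-03-05 09:10 alice ws-finance-1
2003-03-05 13:05 bob ws-dev-7
2003-03-06 08:58 alice ws-finance-2
2003-03-06 09:15 bob ws-dev-7
"""

SURPRISE_THRESHOLD_BITS = 4.5  # assumed; tune per environment


@dataclass
class Profile:
    """What has been observed for one user during learning."""
    hours: Counter = field(default_factory=Counter)  # login hour -> count
    sources: set = field(default_factory=set)        # source hosts seen
    total: int = 0                                    # number of logins


def parse(line):
    """Return (hour, user, source) for one log line."""
    _date, clock, user, source = line.split()
    return int(clock.split(":")[0]), user, source


def learn(log_text):
    """Learning phase: build a Profile per user from the baseline log."""
    profiles = defaultdict(Profile)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        hour, user, source = parse(line)
        profile = profiles[user]
        profile.hours[hour] += 1
        profile.sources.add(source)
        profile.total += 1
    return dict(profiles)


def hour_surprise(profile, hour):
    """-log2 P(hour | user) with Laplace smoothing over the 24 hour buckets.

    A never-seen hour is not impossible (probability 0), just very unlikely;
    the smoothing keeps the score finite and lets rare-but-seen hours pass.
    """
    prob = (profile.hours[hour] + 1) / (profile.total + 24)
    return -math.log2(prob)


def score(profiles, line, threshold=SURPRISE_THRESHOLD_BITS):
    """Detection phase: return the list of reasons a login looks anomalous.

    An empty list means the event fits the learned profile. A non-empty
    list is a lead for an analyst, not a verdict: an unusual client or an
    unusual hour is not always an attacker.
    """
    hour, user, source = parse(line)
    if user not in profiles:
        return ["no baseline for user"]
    profile = profiles[user]
    reasons = []
    surprise = hour_surprise(profile, hour)
    if surprise > threshold:
        reasons.append(f"unusual hour {hour:02d}:00 ({surprise:.1f} bits)")
    if source not in profile.sources:
        reasons.append(f"never seen from {source}")
    return reasons


if __name__ == "__main__":
    learned = learn(BASELINE_LOG)
    # Constructed events to score against the baseline.
    for event in (
        "2003-03-10 08:50 alice ws-finance-1",   # fits the profile
        "2003-03-10 03:00 alice ws-finance-1",   # the slide's 03:00 login
        "2003-03-10 09:00 bob ws-finance-1",     # bob from a finance workstation
    ):
        print(event, "->", score(learned, event) or "normal")
```

With this tiny baseline a never-seen hour scores about 4.8 bits and is flagged, while an hour seen once (alice at 09:00) scores about 3.8 bits and passes; that margin is exactly what the threshold encodes, and in practice it is set from a much longer learning period. The smoothing is the "flexibility" the slide asks for: an unusual but legitimate event raises a lead rather than being treated as impossible.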
Signature-based detection
 Sniff traffic on the network
◦ border router
◦ within a LAN
◦ multiple sensors
 Match attack signatures
◦ attack signatures in a database
◦ signature: a set of rules pertaining to a typical intrusion activity
 Simple example rule: any ICMP packet > 10,000 bytes
 Example: several thousand SYN packets to different ports on the same host within a second
◦ skilled security engineers research known attacks and put them in the database
◦ the IDS can be configured to exclude certain signatures and to modify signature parameters
 Warns the administrator
◦ send e-mail, SMS
◦ send a message to the network management system

16
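The two example rules above, the oversized-ICMP check and the SYN-scan check, written as a minimal signature engine. This is an added example, not code from the slides or from any of the products named later in the deck. The Packet fields, the 1000-ports-per-second threshold and the traffic sample are assumptions made for illustration. What it shows beyond the slide: the size rule is stateless, the scan rule must keep per-destination state in a sliding time window, and the engine runs every packet against every signature.

```python
"""Minimal signature-matching engine for the two example rules.

Added example, not from the original slides or any IDS product. Packet
fields, thresholds and the traffic sample are assumptions/constructed.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float     # capture time in seconds
    proto: str    # "icmp", "tcp" or "udp"
    src: str
    dst: str
    dport: int    # 0 for protocols without ports
    flags: str    # TCP flag letters, e.g. "S" or "SA"; "" for non-TCP
    size: int     # bytes on the wire


def large_icmp(pkt, state):
    """Stateless signature: any ICMP packet larger than 10,000 bytes."""
    if pkt.proto == "icmp" and pkt.size > 10000:
        return f"oversized ICMP ({pkt.size} bytes) {pkt.src} -> {pkt.dst}"
    return None


def syn_scan(pkt, state, max_ports=1000, window=1.0):
    """Stateful signature: SYNs to more than `max_ports` distinct ports on
    one destination host within `window` seconds (a port sweep)."""
    if pkt.proto != "tcp" or pkt.flags != "S":
        return None
    recent = state.setdefault(("syn", pkt.dst), deque())  # (ts, dport) per dst
    recent.append((pkt.ts, pkt.dport))
    while recent and pkt.ts - recent[0][0] > window:      # slide the window
        recent.popleft()
    ports = {dport for _, dport in recent}
    if len(ports) > max_ports:
        recent.clear()  # alert once per burst, not once per extra packet
        return f"SYN scan: {len(ports)} ports on {pkt.dst} within {window}s"
    return None


SIGNATURES = [large_icmp, syn_scan]  # the signature "database"


def inspect(packets, signatures=SIGNATURES):
    """Run every packet against every signature; return (ts, rule, message)."""
    state = {}
    alerts = []
    for pkt in packets:
        for signature in signatures:
            message = signature(pkt, state)
            if message:
                alerts.append((pkt.ts, signature.__name__, message))
    return alerts


def constructed_traffic():
    """Constructed capture: benign traffic, one oversized ICMP, one port sweep."""
    pkts = [
        Packet(0.00, "tcp", "10.0.0.5", "192.0.2.10", 80, "S", 60),
        Packet(0.01, "icmp", "10.0.0.5", "192.0.2.10", 0, "", 84),        # normal ping
        Packet(0.02, "icmp", "198.51.100.7", "192.0.2.10", 0, "", 65000),  # matches rule 1
    ]
    # scanner sweeping 1500 ports in about half a second: matches rule 2
    pkts += [Packet(1.0 + i * 0.0003, "tcp", "198.51.100.7", "192.0.2.10",
                    i + 1, "S", 60) for i in range(1500)]
    # a second client opening a few HTTPS connections: far below the threshold
    pkts += [Packet(2.0 + i * 0.1, "tcp", "10.0.0.6", "192.0.2.10",
                    443, "S", 60) for i in range(5)]
    return sorted(pkts, key=lambda p: p.ts)


if __name__ == "__main__":
    for ts, rule, message in inspect(constructed_traffic()):
        print(f"t={ts:.4f} [{rule}] {message}")
```

Running it yields exactly two alerts: the 65,000-byte ICMP packet and one SYN-scan alert fired when the 1001st distinct port is seen. The per-destination deque is the cost the next slide warns about: stateful signatures hold memory and do work for every SYN, and on a busy link that is where an IDS starts dropping packets. In Snort the same two rules correspond roughly to a `dsize:>10000` test on an ICMP rule and a `detection_filter` (track by_dst) on a `flags:S` rule.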
Limitations to signature detection
Requires previous knowledge of the attack to generate an accurate signature
◦ Blind to unknown attacks
No knowledge of the intention of the activity
◦ Triggers alarms even if the traffic is benign
Signature bases are getting larger
◦ Every packet must be compared with each signature
◦ The IDS can get overwhelmed with processing and miss packets

17
Current State of IDS
Lots of people are still using firewall and router logs for intrusion detection
IDS are not very mature
Mostly signature based
It is a quickly evolving domain
Giant leaps and progress every quarter
As stated by Bruce Schneier in his book 'Secrets and Lies: Digital Security in a Networked World':
Prevention → Detection (getting to this point today) → Response

18
WHAT CAN IDS REALISTICALLY DO
◦ Monitor and analyse user and system activities
◦ Audit system and configuration vulnerabilities
◦ Assess the integrity of critical system and data files
◦ Recognise patterns reflecting known attacks
◦ Statistical analysis for abnormal activities
◦ Data trail: tracing activities from the point of entry up to the point of exit
◦ Installation of decoy servers (honey pots)
◦ Installation of vendor patches (some IDS)

19
WHAT IDS CANNOT DO
◦ Compensate for weak authentication and identification mechanisms
◦ Investigate attacks without human intervention
◦ Guess the content of your organization's security policy
◦ Compensate for weaknesses in networking protocols, for example IP spoofing
◦ Compensate for a lack of integrity or confidentiality protection of information
◦ Analyze all traffic on a very high-speed network
◦ Deal adequately with attacks at the packet level
◦ Deal adequately with modern network hardware

20
Intrusion Detection System

Intrusion Prevention System

21
5. IDS Products
Dragon from Enterasys
◦ http://www.enterasys.com/ids/
Cisco Secure IDS
◦ http://www.cisco.com/go/ids/
Snort
◦ http://www.snort.org/
ISS RealSecure
◦ http://www.iss.net/securing_e-business/
SHADOW
◦ http://www.whitehats.ca
◦ ftp://ftp.whitehats.ca/pub/ids/shadow-slack/shadow.iso

22
References
Knowledge Net CISSP
http://www.snort.org

23
