Post on 06-Jul-2018
8/17/2019 Network Security IDPS

Intrusion Detection & Prevention System

Can we do everything manually?
• Do we really need some automated mechanisms?
• Let's have a look at this clip

Intruders
• Significant issue: hostile/unwanted trespass – from benign to serious
• user trespass
– unauthorized logon, privilege abuse
• software invade/trespass
– virus, worm, or trojan horse

Classes of Intruders
• classes of intruders:
• masquerader, misfeasor, clandestine user
– masquerader: unauthorized individual who penetrates a system
– misfeasor: legitimate user who accesses unauthorized data
– clandestine user: seizes supervisory control, e.g. removes audit logs

Intrusion
• The action of intruding
– E.g. he was furious about this intrusion into his private life

Examples of Intrusion
• remote root compromise (e.g., of an email server)
• web server defacement
• guessing/cracking passwords
• copying/viewing sensitive data/databases (CC/grades)
• running a packet sniffer (to capture passwords)
• distributing pirated software (anonymous FTP servers)
• using an unsecured modem to access net
• impersonating a user to reset password
• using an unattended workstation

Security Intrusion & Detection
Security Intrusion: a security event, or combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.
Intrusion Detection: a security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner.

Hackers
• motivated by thrill of access and status
– status is determined by level of competence
• benign intruders might be tolerable
– do consume resources and may slow performance
– can't know in advance whether benign or harmful
• IDS / IPS / VPNs can help counter
• awareness led to establishment of CERTs
– collect / disseminate vulnerability info / responses

Hacker Behavior Example
1. select target using IP lookup tools
2. map network for accessible services
– study physical connectivity (via NMAP)
3. identify potentially vulnerable services
4. brute force (guess) passwords
5. install remote administration tool
6. wait for admin to log on and capture password
7. use password to access remainder of network

Criminal Enterprise
• organized groups of hackers now a threat
– corporation / government / loosely affiliated gangs
– typically young
– often Eastern European (DarkMarket.org meetings)
– common target: credit cards on e-commerce server
• criminal hackers usually have specific targets
• once penetrated act quickly and get out
• IDS / IPS help but less effective
• sensitive data needs strong protection

Criminal Enterprise Behavior
1. act quickly and precisely to make their activities harder to detect
2. exploit perimeter via vulnerable ports
3. use trojan horses (hidden software) to leave back doors for re-entry
4. use sniffers to capture passwords
5. do not stick around until noticed
6. make few or no mistakes.

Insider Attacks
• among most difficult to detect and prevent
• employees have access & systems knowledge
• may be motivated by revenge / entitlement
– when employment terminated
– taking customer data when moving to competitor
• IDS / IPS may help but also need:
– least privilege, monitor logs, strong authentication, termination process to lock access & take mirror image of employee's HD (for future purposes)

Insider Behavior Example
1. create network accounts for themselves and their friends
2. access accounts and applications they wouldn't normally use for their daily jobs
3. e-mail former and prospective employers
4. conduct furtive (covert) instant-messaging chats
5. visit web sites that cater to disgruntled employees, such as f'dcompany.com
6. perform large downloads and file copying
7. access the network during off hours

Third Party Employees / Contractual Employees
• Most dangerous
• Not a part of company
• Having access to almost every system

Intrusion Techniques
• objective: to gain access or increase privileges
• initial attacks often exploit system or software vulnerabilities to execute code to get a backdoor
– e.g. buffer overflow
• or to gain protected information
– e.g. password guessing or acquisition

Intrusion Detection Systems
• classify intrusion detection systems (IDSs) as:
1. Host-based IDS: monitor single host activity
2. Network-based IDS: monitor network traffic
• logical components:
1. sensors: collect data (network packets, log files, payload)
2. analyzers: determine if intrusion has occurred
3. user interface: manage / direct / view IDS

Some Terminologies
• True positive – correctly identified
• False positive – incorrectly identified
• True negative – correctly rejected
• False negative – incorrectly rejected

Consider Example of Biometric System
• Possibilities
– True positive: give access to the right person
– False positive (incorrectly identified): give access to wrong person
– True negative (correctly rejected):

IDS Principles
• Assumption: intruder behavior differs from legitimate users
– expect overlap as shown
– for legitimate users: observe major deviations from past history
– problems of:
• false positives – valid user identified as intruder
• false negatives – intruder not identified
• must compromise

Host-based IDS
• specialized software to monitor system activity to detect suspicious behavior
– primary purpose is to detect intrusions, log suspicious events, and send alerts
– can detect both external and internal intrusions
• two approaches, often used in combination:
– anomaly detection – consider or monitor normal/expected behavior over a period of time; apply statistical tests to detect intruder
• threshold detection: defining threshold for various events / frequency of event occurring
• profile based: used to detect changes in behavior (time/duration of login)
– signature detection – defines proper (or bad) behavior (rules)/patterns to detect intruder

Anomaly Detection
• threshold detection
– checks excessive event occurrences over time
– alone a simple and ineffective intruder detector
– must determine both thresholds and time intervals
– lots of false positives/false negatives may be possible
• profile based
– characterize past behavior of users/groups
– then detect significant deviations
– based on analysis of audit records: gather metrics

Example of Metrics
• Counter: e.g., number of logins during an hour, number of times a cmd executed
• Gauge: e.g., the number of outgoing messages/pkts
• Interval time: the length of time between two events, e.g., two successive logins
• Resource utilization: quantity of resources used (e.g., number of pages printed)
• Mean and standard deviations
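The metrics listed above, the threshold/profile split on the Anomaly Detection slide, and the true/false positive and negative terms from the Some Terminologies slide can be tied together in a small worked example. The Python below is added to this transcript; it is not code from the lecture or from any IDS product. It derives the counter and interval-time metrics from a constructed audit log, applies a fixed threshold and a mean/standard-deviation profile test, and scores the alerts against a constructed ground truth. The audit records, the 20-hour login history, the threshold of 5 logins per hour and the 3-sigma cutoff are all assumptions made for the example.

```python
"""Threshold and profile-based anomaly detection over a constructed audit log.

Added example for the Anomaly Detection / Example of Metrics slides; not code
from the lecture or from any IDS product. All records, the 20-hour login
history, the threshold (5 logins/hour) and the 3-sigma cutoff are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed audit records: (timestamp, user, event).
AUDIT_RECORDS = [
    ("2019-08-17 09:02:11", "alice", "login"),
    ("2019-08-17 09:05:40", "alice", "cmd:ls"),
    ("2019-08-17 09:40:02", "alice", "login"),
    ("2019-08-17 10:10:55", "alice", "login"),
    ("2019-08-17 03:01:00", "bob", "login"),      # six logins in nine seconds:
    ("2019-08-17 03:01:03", "bob", "login"),      # the kind of burst a threshold
    ("2019-08-17 03:01:05", "bob", "login"),      # or profile test should flag
    ("2019-08-17 03:01:06", "bob", "login"),
    ("2019-08-17 03:01:08", "bob", "login"),
    ("2019-08-17 03:01:09", "bob", "login"),
]

# Constructed profile: logins per hour observed in each of the previous 20 hours.
LOGIN_HISTORY = {
    "alice": [1, 2, 1, 0, 2, 1, 1, 2, 1, 0, 1, 2, 1, 1, 2, 0, 1, 1, 2, 1],
    "bob":   [0, 1, 0, 1, 1, 0, 0, 1, 0, 1, 0, 0, 1, 0, 1, 0, 1, 0, 0, 1],
}

def login_times(records):
    """Group login timestamps per user, in record order."""
    times = defaultdict(list)
    for ts, user, event in records:
        if event == "login":
            times[user].append(datetime.strptime(ts, TS_FORMAT))
    return times

def login_counters(records):
    """Counter metric: number of logins per (user, one-hour window)."""
    counts = Counter()
    for user, times in login_times(records).items():
        for t in times:
            counts[(user, t.replace(minute=0, second=0))] += 1
    return counts

def login_intervals(records):
    """Interval-time metric: seconds between successive logins of one user."""
    return {user: [(b - a).total_seconds() for a, b in zip(t, t[1:])]
            for user, t in login_times(records).items() if len(t) > 1}

def threshold_alerts(counts, limit=5):
    """Threshold detection: users with more than `limit` logins in any one hour.
    Simple, but the limit and window must be tuned or it over/under-alerts."""
    return sorted({user for (user, _), n in counts.items() if n > limit})

def profile_alerts(counts, history, k=3.0):
    """Profile-based detection: users whose hourly login count lies more than
    k standard deviations above the mean of their own history."""
    flagged = set()
    for (user, _), n in counts.items():
        past = history.get(user)
        if not past:
            continue                         # no profile yet: cannot judge
        mu = mean(past)
        sigma = pstdev(past) or 1.0          # flat history: avoid division by zero
        if (n - mu) / sigma > k:
            flagged.add(user)
    return sorted(flagged)

def confusion(alerted, users, intruders):
    """TP/FP/TN/FN counts as defined on the Some Terminologies slide."""
    return {"TP": len(alerted & intruders), "FP": len(alerted - intruders),
            "TN": len(users - alerted - intruders), "FN": len(intruders - alerted)}

def run_demo():
    """Apply both detectors and score them against a constructed ground truth."""
    counts = login_counters(AUDIT_RECORDS)
    users = {user for _, user, _ in AUDIT_RECORDS}
    intruders = {"bob"}                      # constructed label used only for scoring
    threshold = threshold_alerts(counts)
    profile = profile_alerts(counts, LOGIN_HISTORY)
    return {"threshold": threshold, "profile": profile,
            "intervals": login_intervals(AUDIT_RECORDS),
            "score": confusion(set(threshold) | set(profile), users, intruders)}

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Lowering `limit` to 1 in `threshold_alerts` also flags alice's two logins in the 09:00 hour, which is the false-positive tuning problem the Anomaly Detection slide warns about; the profile test does not flag her because two logins is well within her own history.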

Signature Detection
• observe events on system and apply a set of rules to decide if intruder
• approaches:
– rule-based anomaly detection
• analyze historical audit records for expected behavior, then match with current behavior
– rule-based penetration identification
• rules identify known penetrations / weaknesses
• often by analyzing attack scripts from Internet (CERTs – Computer Emergency Response Team)
• supplemented with rules from security experts

Example of Rules in a Signature Detection IDS
• users should not be logged in more than one session
• users do not make copies of system, password files
• users should not read in other users' directories
• users must not write other users' files
• users who log in after hours often access the same files they used earlier
• users do not generally open disk devices but rely on high-level OS utilities
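The six rules above can be written as checks over a stream of host audit events, which is how a rule-based host IDS applies them. The Python below is an added example for this slide, not code from the lecture or from any IDS product. The event record layout, the `/home/<user>/...` ownership convention, the 08:00–18:59 business-hours window and the sample events are assumptions made for the example.

```python
"""Rule-based (signature) checks over constructed host audit events.

Added example for the 'Example of Rules in a Signature Detection IDS' slide;
not code from the lecture or from any IDS product. The event layout, the
/home/<user>/... ownership convention and the business-hours window are assumed.
"""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: str              # "HH:MM" (constructed; a real record carries a full timestamp)
    user: str
    action: str          # login | logout | read | write | copy | open
    target: str = ""     # file, device or empty for session events
    session: str = ""    # session id for login/logout

BUSINESS_HOURS = range(8, 19)                 # 08:00 - 18:59, assumed policy
SYSTEM_FILES = {"/etc/passwd", "/etc/shadow"}
DISK_DEVICES = ("/dev/sd", "/dev/hd", "/dev/nvme")

def owner_of(path):
    """Infer the owning user from a /home/<user>/... path (assumed convention)."""
    parts = path.split("/")
    return parts[2] if len(parts) > 2 and parts[1] == "home" else None

def rule_multiple_sessions(events):
    """Users should not be logged in more than one session."""
    active, hits = defaultdict(set), []
    for e in events:
        if e.action == "login":
            active[e.user].add(e.session)
            if len(active[e.user]) > 1:
                hits.append((e.user, f"{len(active[e.user])} concurrent sessions"))
        elif e.action == "logout":
            active[e.user].discard(e.session)
    return hits

def rule_copy_system_files(events):
    """Users do not make copies of system / password files."""
    return [(e.user, f"copied {e.target}") for e in events
            if e.action == "copy" and e.target in SYSTEM_FILES]

def rule_foreign_home(events):
    """Users should not read other users' directories or write other users' files."""
    hits = []
    for e in events:
        if e.action in ("read", "write"):
            owner = owner_of(e.target)
            if owner and owner != e.user:
                hits.append((e.user, f"{e.action} {e.target} owned by {owner}"))
    return hits

def rule_after_hours_new_files(events):
    """Users who log in after hours usually touch the files they used earlier:
    flag after-hours access to a file the user never touched in business hours."""
    seen_in_hours, hits = defaultdict(set), []
    for e in events:
        if e.action not in ("read", "write"):
            continue
        hour = int(e.ts.split(":")[0])
        if hour in BUSINESS_HOURS:
            seen_in_hours[e.user].add(e.target)
        elif e.target not in seen_in_hours[e.user]:
            hits.append((e.user, f"after-hours access to unfamiliar file {e.target}"))
    return hits

def rule_raw_disk_access(events):
    """Users do not generally open disk devices but rely on high-level OS utilities."""
    return [(e.user, f"opened raw device {e.target}") for e in events
            if e.action == "open" and e.target.startswith(DISK_DEVICES)]

RULES = [rule_multiple_sessions, rule_copy_system_files, rule_foreign_home,
         rule_after_hours_new_files, rule_raw_disk_access]

def evaluate(events):
    """Run every rule; return {rule name: [(user, detail), ...]} for rules that fired."""
    results = {}
    for rule in RULES:
        hits = rule(events)
        if hits:
            results[rule.__name__] = hits
    return results

# Constructed sample: alice behaves normally, mallory trips every rule once.
SAMPLE_EVENTS = [
    Event("09:00", "alice", "login", session="s1"),
    Event("09:10", "alice", "read", "/home/alice/report.txt"),
    Event("20:15", "alice", "read", "/home/alice/report.txt"),    # familiar file: allowed
    Event("10:00", "mallory", "login", session="s2"),
    Event("10:01", "mallory", "login", session="s3"),              # second concurrent session
    Event("10:05", "mallory", "copy", "/etc/shadow"),
    Event("10:06", "mallory", "read", "/home/alice/report.txt"),   # another user's directory
    Event("23:30", "mallory", "write", "/home/mallory/dump.bin"),  # after hours, never seen before
    Event("23:31", "mallory", "open", "/dev/sda"),
]

if __name__ == "__main__":
    for name, hits in evaluate(SAMPLE_EVENTS).items():
        print(name, hits)
```

Each rule is a plain function over the whole event list, so a new rule is one more entry in `RULES`; the order of events matters only for the session and after-hours rules, which is why those two keep state as they scan.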

Distributed Host-based IDS
• Host agent
• LAN agent (analyzes LAN traffic)
• Central manager

Network-based IDS
• network-based IDS (NIDS)
– monitor traffic at selected points on a network (e.g., rlogins to disabled accounts)
– in (near) real time to detect intrusion patterns
– may examine network, transport and/or application level protocol activity directed toward systems
• comprises a number of sensors
– inline (possibly as part of other net device) – traffic passes through it
– passive (monitors copy of traffic)

NIDS Sensor Deployment
1. monitor attacks from outside
2. monitor and document unfiltered packets; more work to do
3. protect major backbones; monitor internal/external attacks
4. special IDS to provide additional protection for critical systems (e.g., bank accounts)

NIDS Intrusion Detection Techniques
• signature detection
– at application (FTP), transport (port scans), network layers (ICMP); unexpected application services (host running unexpected app), policy violations (website use)
• anomaly detection
– of denial of service attacks, scanning, worms (significant traffic increase)
• when potential violation detected, sensor sends an alert and logs information
– used by analysis module to refine intrusion detection parameters and algorithms
– by security admin to improve protection

Honeypots
• are decoy systems
– filled with fabricated info
– instrumented with monitors / event loggers
– divert and hold attacker to collect activity info
– without exposing production systems
• initially were single systems
• more recently are/emulate entire networks

Honeypot Deployment
1. Tracks attempts to connect to an unused IP address; can't help with inside attackers
2. In DMZ; must make sure the other systems in the DMZ are secure; firewalls may block traffic to the honeypot
3. Full internal honeypot; can detect internal attacks

SNORT
• lightweight IDS
– open source
– real-time packet capture and rule analysis
– passive or inline
– components: decoder (processes captured packets to identify and isolate protocol headers), detector (does the intrusion detection work), logger, alerter

SNORT Rules
• use a simple, flexible rule definition language
• with fixed header and zero or more options
• header includes: action, protocol, source IP, source port, direction, dest IP, dest port
• many options
• example rule to detect TCP SYN-FIN attack:
alert tcp $EXTERNAL_NET any -> $HOME_NET any \
(msg: "SCAN SYN FIN"; flags: SF, 12; \
reference: arachnids, 198; classtype: attempted-recon;)
detects an attack at the TCP level; $strings are variables with defined values; any source or dest port is considered; checks to see if SYN and FIN bits are set
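To see how the fixed header and the options of the rule above are actually applied, the Python below parses the slide's rule and evaluates it against a few constructed packets. It is an added example, not Snort's own parser or code from the lecture: it handles only the header fields the slide lists and the `msg`, `flags`, `reference` and `classtype` options of this rule (the exact `flags: SF, 12` form only, not Snort's `+`, `*` and `!` modifiers). The `$HOME_NET` and `$EXTERNAL_NET` definitions and the sample packets are constructed.

```python
"""Parse a Snort-style rule and match it against constructed packets.

Added example for the SNORT Rules slide; this is not Snort's parser or code
from the lecture. It covers only the header fields the slide lists and the
msg/flags/reference/classtype options of the SYN-FIN rule; the $HOME_NET and
$EXTERNAL_NET definitions and the sample packets are constructed.
"""
import ipaddress
import re

# Constructed variable definitions (a snort.conf would normally supply these).
VARIABLES = {
    "$HOME_NET": ["192.168.1.0/24"],
    "$EXTERNAL_NET": ["!192.168.1.0/24"],   # everything that is not HOME_NET
}

# TCP flag letters as Snort's 'flags' option names them, with their bit values.
# '1' and '2' are the reserved bits (CWR/ECE) that the rule's ",12" ignores.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "1": 0x40, "2": 0x80}

HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$", re.S)

def parse_rule(text):
    """Split a rule into its fixed header (dict) and its options (dict of lists,
    since options such as 'reference' may repeat)."""
    m = HEADER_RE.match(text.replace("\\\n", " "))      # join backslash continuations
    if not m:
        raise ValueError("not a Snort rule header")
    header = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    options = {}
    for opt in filter(None, (o.strip() for o in m.group("opts").split(";"))):
        key, _, val = opt.partition(":")                 # simplification: no ';' inside values
        options.setdefault(key.strip(), []).append(val.strip().strip('"'))
    return header, options

def addr_matches(spec, ip):
    """Resolve 'any', a $VARIABLE or a CIDR; a leading '!' negates the result."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec in VARIABLES:
        hit = any(addr_matches(entry, ip) for entry in VARIABLES[spec])
    else:
        hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return not hit if negate else hit

def port_matches(spec, port):
    """'any', a single port, or a Snort range such as '1:1024'."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        return int(lo or 0) <= port <= int(hi or 65535)
    return int(spec) == port

def flags_match(spec, tcp_flags):
    """'flags: SF, 12': exactly the named bits set, after masking off the bits
    listed after the comma (the only flags form this example handles)."""
    wanted, _, ignored = spec.partition(",")
    wanted_bits = sum(FLAG_BITS[c] for c in wanted.strip())
    mask = 0xFF ^ sum(FLAG_BITS[c] for c in ignored.strip())
    return (tcp_flags & mask) == wanted_bits

def rule_fires(header, options, pkt):
    """True when the packet satisfies the header and every 'flags' option."""
    if header["proto"] != pkt["proto"]:
        return False
    def side(src, sport, dst, dport):
        return (addr_matches(header["src"], src) and port_matches(header["sport"], sport)
                and addr_matches(header["dst"], dst) and port_matches(header["dport"], dport))
    matched = side(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if header["dir"] == "<>":                           # bidirectional: try the reverse too
        matched = matched or side(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    return matched and all(flags_match(f, pkt["flags"]) for f in options.get("flags", []))

# The slide's rule, with the same backslash line continuations.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET any \\\n'
        '(msg: "SCAN SYN FIN"; flags: SF, 12; \\\n'
        'reference: arachnids, 198; classtype: attempted-recon;)')

# Constructed packets: an external SYN/FIN probe, a normal external SYN, an external
# SYN/FIN with a reserved bit set, and an internal SYN/FIN that $EXTERNAL_NET excludes.
PACKETS = [
    {"proto": "tcp", "src": "203.0.113.9", "sport": 40000, "dst": "192.168.1.10", "dport": 22, "flags": 0x03},
    {"proto": "tcp", "src": "203.0.113.9", "sport": 40001, "dst": "192.168.1.10", "dport": 22, "flags": 0x02},
    {"proto": "tcp", "src": "203.0.113.9", "sport": 40002, "dst": "192.168.1.10", "dport": 80, "flags": 0x43},
    {"proto": "tcp", "src": "192.168.1.5", "sport": 40003, "dst": "192.168.1.10", "dport": 22, "flags": 0x03},
]

def alerts_for(rule_text, packets):
    """Return (packet index, action, msg) for every packet the rule fires on."""
    header, options = parse_rule(rule_text)
    msg = options.get("msg", [""])[0]
    return [(i, header["action"], msg) for i, p in enumerate(packets) if rule_fires(header, options, p)]

if __name__ == "__main__":
    for hit in alerts_for(RULE, PACKETS):
        print(hit)
```

Only the first and third packets produce an alert: the second is a normal SYN, and the fourth comes from inside `$HOME_NET`, so the `$EXTERNAL_NET` source constraint in the header excludes it before the `flags` option is even consulted. The third packet shows why the rule says `SF, 12` rather than just `SF`: a probe that also sets a reserved bit would otherwise slip past an exact match.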

Summary
• introduced intruders & intrusion detection
– hackers, criminals, insiders
• intrusion detection approaches
– host-based (single and distributed)
– network
– distributed adaptive
– exchange format
• honeypots
• SNORT example