An Introduction to Intrusion Detection Systems Presented By Himanshu Gupta MCSE, MCP+I

Date post: 19-Dec-2015
Page 1: Title

An Introduction to Intrusion Detection Systems
Presented By Himanshu Gupta, MCSE, MCP+I

Page 2: Outline

• What is Intrusion Detection?
• Types of IDS
• Approaches to IDS
• Requirements
• Limitations
• Evading IDSs
• Testing and Evaluating IDSs
• Computer Forensics
• IDS Tools – nmap, Nessus (NeWT), Snort 2.1, IDS Center, ACID, WinPcap, Ethereal
• Links
• Books

Page 3: Network Security Quiz

• What is CIA?
• What is a Bastion Host?
• What is a DMZ?
• What is a Honey pot?
• Why does a network switch implementation make network monitoring difficult?

Page 4: What is Intrusion Detection?

Intrusion Detection is the art of detecting inappropriate, incorrect, or anomalous activity (internal/external).

Why do we need IDS? Preparation, detection, containment and eradication.

Page 5: Types of IDS

• Host-based ID systems
  – ID systems that operate on a host to detect malicious activity on that host.
• Network-based ID systems
  – ID systems that operate on network data flows.

Components of IDS
• Engine
• Console

Page 6: Detection Methodologies - Approaches to IDS

• Statistical Anomaly Detection
  – Based on time, frequency, length of session
  – For example: user X logs on at 03:00 AM and has never done so in the past; it will raise a flag
• Protocol Verification/Anomaly Detection
• Signature Detection
  – Based on pattern matching: look for a specific string in the network data being presented to the IDS
• The Flexible Alternative: Rules-based Detection
  – Stateful Monitoring (Packet Analysis, Flow Analysis), e.g. SYN Flood to all ports
  – Integrity Checker: based on a hashing mechanism. Detects authorized and unauthorized changes to files within your systems.

Page 7: Types of Response

• Active
  – Alerts: Visual, Audio, E-mail, Pager, SNMP Alarms
  – Dropping connection or throttling it to slow attack
  – Block traffic completely
  – Reconfiguring network devices
  – Additional intelligence mining
  – Launching counter attack
  – Update policy
• Passive
  – Snapshots taken for later analysis

Page 8: Requirements

• Hardware for sensor and analysis stations
• Active monitoring and analysis of IDS output
• Baseline creation
• Real-time alerts
• Match with comprehensive signatures
• Provides log tracking
• Automatic updates

Page 9: Limitations of IDS

• Functionality on high network bandwidths (What is the limit? ~300 Mbps)
• Multiple attacks
• Late response, e.g. DoS attack: the damage is already done
• Direct attack against the IDS itself
• Unknown attacks
• Unsolved problems: tunneling, ambiguities (e.g. different implementations of protocol stack)
• Is not independent of the whole security architecture
• Great deal of tuning required
• Performance of algorithms
• Working on encrypted data
• Working in switched environments
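The stateful monitoring item on Page 6 ("SYN Flood to all ports") and the late-response limitation above are two sides of one mechanism: a detector that tracks half-open TCP connections per source can only raise an alert once the count has already crossed its threshold. The Python below is an added example for this transcript, not code from the presentation or from Snort; the packet records are constructed tuples rather than captured traffic, the threshold and window values are assumptions, and the handshake logic is deliberately minimal (client SYN opens an entry, the client's final ACK or a RST from either side closes it).

```python
from collections import defaultdict


class SynFloodDetector:
    """Stateful tracker of TCP connections that received a SYN but never the client's
    final ACK. Fires once per source when more than `threshold` half-open connections
    from that source are outstanding within the last `window` seconds."""

    def __init__(self, threshold=50, window=5.0):
        self.threshold = threshold
        self.window = window
        # client -> {(server, server_port, client_port): time of the SYN}
        self.half_open = defaultdict(dict)
        self.alerted = set()

    def _expire(self, src, now):
        """Drop entries older than the window so a slow trickle of SYNs never alerts."""
        table = self.half_open[src]
        for key in [k for k, t in table.items() if now - t > self.window]:
            del table[key]

    def process(self, ts, src, sport, dst, dport, flags):
        """Feed one packet (flags as letters: S=SYN, A=ACK, R=RST, F=FIN).
        Returns an alert string when the threshold is first crossed, else None."""
        if "S" in flags and "A" not in flags:           # client SYN: new half-open entry
            self.half_open[src][(dst, dport, sport)] = ts
        elif "R" in flags:                                # RST from either side closes it
            self.half_open[src].pop((dst, dport, sport), None)   # client sent the RST
            self.half_open[dst].pop((src, sport, dport), None)   # server sent the RST
        elif "A" in flags and "S" not in flags:           # client's final ACK completes it
            self.half_open[src].pop((dst, dport, sport), None)
        # SYN-ACK from the server changes nothing: the entry stays half-open.
        self._expire(src, ts)
        count = len(self.half_open[src])
        if count > self.threshold and src not in self.alerted:
            self.alerted.add(src)
            return f"ALERT SYN flood from {src}: {count} half-open connections within {self.window}s"
        return None


def run_detector(packets, **kwargs):
    """Run every packet through a fresh detector and collect the alerts it raised."""
    det = SynFloodDetector(**kwargs)
    return [a for a in (det.process(*p) for p in packets) if a]


# Constructed sample traffic: one normal three-way handshake, then one source
# sending 60 SYNs to 60 different ports without ever completing a handshake.
HANDSHAKE = [
    (0.00, "10.0.0.5", 51515, "10.0.0.80", 80, "S"),
    (0.01, "10.0.0.80", 80, "10.0.0.5", 51515, "SA"),
    (0.02, "10.0.0.5", 51515, "10.0.0.80", 80, "A"),
]
FLOOD = [(1.0 + i * 0.001, "192.0.2.7", 40000 + i, "10.0.0.80", 1 + i, "S") for i in range(60)]
SAMPLE_PACKETS = HANDSHAKE + FLOOD

if __name__ == "__main__":
    for alert in run_detector(SAMPLE_PACKETS):
        print(alert)   # the alert reports 51 half-open connections: 51 SYNs were already on the wire
```

With the default threshold of 50, the alert fires on the 51st unanswered SYN, which is the late-response point on this slide in concrete form: detection is a consequence of traffic that has already arrived, so the response (dropping, throttling or blocking, as listed on Page 7) can only limit further damage.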

Page 10: Evading IDSs

• Assumption: attacker knows the IDS algorithm
• E.g. Mimicry Attack: malicious payload is executed on the host while mimicking normal application behavior
• Evasion techniques are used in order to navigate below the radar of your IDS
  – Fragmentation
  – Slow scan
  – Stealth scan
  – Out-of-order packets
  – Ambiguous packet (crafting)
  – Encoding such as %u, UTF (%xx%xx), HEX (%xx)
  – Use of well-known port (Code Red)

Page 11: Testing and Evaluating IDSs

• Log fidelity: is all the info there?
• Usability: GUI
• Can it be fine-tuned depending on requirements?
• Ability to write own rules, modify existing ones
• Low false-positive rate
• Cost issues
• Ability to detect unknown attacks
• Secure: the system should remain secure even when the attacker knows all the internal details of the system (Kerckhoffs's Principle)
• Real-time detection and response
• OS independence

Page 12: Leading Products

• Dragon from Enterasys – http://www.enterasys.com/ids/
• Cisco Secure IDS – http://www.cisco.com/go/ids/
• Snort – http://www.snort.org/
• ISS RealSecure – http://www.iss.net/securing_e-business/
• SHADOW – http://www.whitehats.ca – ftp://ftp.whitehats.ca/pub/ids/shadow-slack/shadow.iso

Page 13: Computer Forensics

• Where did the attack come from?
• What was the attacker's method?
• Do we have any hope of catching the intruder?
• Do we have any evidence to prosecute the intruder?
• What if the attack script erased the logs?

Page 14: WinPcap: the Free Packet Capture Library for Windows

WinPcap is an open source library for packet capture and network analysis for the Win32 platforms. It includes a kernel-level packet filter, a low-level dynamic link library (packet.dll), and a high-level and system-independent library (wpcap.dll, based on libpcap version 0.6.2).

The packet filter is a device driver that adds to Windows 95, 98, ME, NT, 2000, XP and 2003 the ability to capture and send raw data from a network card, with the ability to filter the captured packets and store them in a buffer.

Packet.dll is an API that can be used to directly access the functions of the packet driver, offering a programming interface independent from the Microsoft OS.

Wpcap.dll exports a set of high-level capture primitives that are compatible with libpcap, the well-known Unix capture library. These functions allow packets to be captured independently of the underlying network hardware and operating system.

WinPcap is released under a BSD-style license.

Page 15: Nmap – Free Network Scanner for Network Exploration and Security

Page 16: Snort 2.1 – The de facto standard for intrusion detection and prevention

• Simple, efficient, FREE IDS
• Very well-written and maintained, robust application
• Snort is driven by a set of (community developed) rules
• Actively (constantly) under development
• Windows and UNIX versions available

Page 17: Snort 2.1

• Alerts generated and/or packets logged when a "rule" is triggered
• Very simple rule language for writing your own rules
• Ability to log alerts to syslog, directories in ASCII, tcpdump-format raw data
• Different alert styles, from one-line to verbose
• Modular "plug-in" architecture for adding functionality
• Many available plug-ins, including SQL and Oracle database logging, statistical analysis, TCP stream and telnet session reassembly, active response using "sniping"
• Resistant against some of the newer attacks directed at foiling IDSs

Page 18: IDS Center - A front-end for Snort intrusion detection systems

• Snort 2.0, 1.9, 1.8 and 1.7 support; Snort service mode support
• Snort configuration wizard
• Online updates of IDS rules: IDScenter integrates an HTTP client and starts an update script on demand
• Ruleset editor: supports all Snort 2.0 rule options
• HTML report from SQL backend
• Alert notification via e-mail, alarm sound or only visual notification
• AutoBlock plugins: write your own plugins (DLL) for your firewall
• Monitoring: global event logging, integrated log viewer, log rotation (compressed archiving of log files)
• Program execution possible if an attack was detected

Page 19: IDS Center - A front-end for Snort intrusion detection systems

Page 20: IDS Center - A front-end for Snort intrusion detection systems

Page 21: ACID - Analysis Console for Intrusion Databases

The Analysis Console for Intrusion Databases (ACID) is a PHP-based analysis engine to search and process a database of security events generated by various IDSes, firewalls, and network monitoring tools. The features currently include:

– Query-builder and search interface for finding alerts matching on alert meta information (e.g. signature, detection time) as well as the underlying network evidence (e.g. source/destination address, ports, payload, or flags).

– Packet viewer (decoder) will graphically display the layer-3 and layer-4 packet information of logged alerts

– Alert management by providing constructs to logically group alerts to create incidents (alert groups), deleting the handled alerts or false positives, exporting to email for collaboration, or archiving of alerts to transfer them between alert databases.

– Chart and statistics generation based on time, sensor, signature, protocol, IP address, TCP/UDP ports, or classification

Page 22: ACID - Analysis Console for Intrusion Databases – Packet Decode

Page 23: NeWT - Nessus Windows Technology

Nessus – Open Source Vulnerability Scanner Project

NeWT is a complete network vulnerability scanner which includes high-speed checks for more than 6000 of the most commonly updated vulnerabilities.

NeWT and NeWT Pro perform the following types of vulnerability checks:

– Buffer overflow checks in daemons such as Sendmail and IIS
– Default user accounts
– Misconfigured email, FTP and web servers
– Discovery of open ports and host OS discovery
– Denial of service (DoS) discovery
– Backdoors and virus-infected hosts
– P2P, chat and suspicious file-sharing services

Page 24: NeWT - Nessus Windows Technology

Page 25: NeWT - Nessus Windows Technology

Page 26: Ethereal – A Network Protocol Analyzer

Ethereal is used by network professionals around the world for troubleshooting, analysis, software and protocol development, and education.

Its open source license allows talented experts in the networking community to add enhancements.

It runs on all popular computing platforms, including Unix, Linux, and Windows.

Data can be captured "off the wire" from a live network connection, or read from a capture file.

673 protocols can currently be dissected.

Page 27: Ethereal – A Network Protocol Analyzer

Ethereal can read capture files from tcpdump (libpcap), NAI's Sniffer™ (compressed and uncompressed), Sniffer™ Pro, NetXray™, Sun snoop and atmsnoop, Shomiti/Finisar Surveyor, AIX's iptrace, Microsoft's Network Monitor, Novell's LANalyzer, RADCOM's WAN/LAN Analyzer, HP-UX nettl, i4btrace from the ISDN4BSD project, Cisco Secure IDS iplog, the pppd log (pppdump-format), the AG Group's/WildPacket's EtherPeek/TokenPeek/AiroPeek, or Visual Networks' Visual UpTime. It can also read traces made from Lucent/Ascend WAN routers and Toshiba ISDN routers, as well as the text output from VMS's TCPIPtrace utility and the DBS Etherwatch utility for VMS. Any of these files can be compressed with gzip and Ethereal will decompress them on the fly.

Live data can be read from Ethernet, FDDI, PPP, Token-Ring, IEEE 802.11, Classical IP over ATM, and loopback interfaces (at least on some platforms; not all of those types are supported on all platforms).

Captured network data can be browsed via a GUI, or via the TTY-mode "tethereal" program.

Capture files can be programmatically edited or converted via command-line switches to the "editcap" program.

Page 28: Ethereal – A Network Protocol Analyzer

Page 29: IETF Intrusion Detection Working Group (IDWG)

RFCs and active Internet drafts defining IDS requirements, language, and framework: www.ietf.org/html.charters/idwg-charter.html

• Intrusion Detection Message Exchange Requirements – draft-ietf-idwg-requirements-10
  http://www.ietf.org/internet-drafts/draft-ietf-idwg-requirements-10.txt
• The Intrusion Detection Message Exchange Format – draft-ietf-idwg-idmef-xml-12
  http://www.ietf.org/internet-drafts/draft-ietf-idwg-idmef-xml-12.txt
• The Intrusion Detection Exchange Protocol (IDXP) – draft-ietf-idwg-beep-idxp-07
  http://www.ietf.org/internet-drafts/draft-ietf-idwg-beep-idxp-07.txt
• The TUNNEL Profile (RFC 3620)
  http://www.ietf.org/rfc/rfc3620.txt

Page 30: Links

• Intrusion Detection FAQ – http://www.sans.org/resources/idfaq/
• Network Scanning Tool Nmap – Free Security Scanner for Network Exploration and Security – http://www.insecure.org/nmap/
• Snort 2.1 – The de facto standard for intrusion detection and prevention – www.snort.org
• ACID – Analysis Console for Intrusion Databases – www.cert.org/kb/acid/
• Nessus – Open Source Vulnerability Scanner Project – www.nessus.org
• NeWT – Nessus Windows Technology – www.tenablesecurity.com/products/newt.shtml
• Ethereal – A Network Protocol Analyzer – www.ethereal.com
• WinPcap – winpcap.polito.it/
• Snort IDS Center – www.engagesecurity.com/products/idscenter/

Page 31: Books

• Network Intrusion Detection (3rd Edition) – Stephen Northcutt, Judy Novak
• Snort 2.1 Intrusion Detection, Second Edition – Jay Beale, Caswell
• Nessus Network Auditing (Jay Beale's Open Source Security) – Renaud Deraison, Noam Rathaus, HD Moore, Raven Alder, George Theall, Andy Johnston, Jimmy Alderson
• Ethereal Packet Sniffing – Angela D. Orebaugh, Gilbert Ramirez, Ethereal.com
• Inside Network Perimeter Security: The Definitive Guide to Firewalls, Virtual Private Networks (VPNs), Routers, and Intrusion Detection Systems – Stephen Northcutt, Lenny Zeltser, Scott Winters, Karen Fredrick, Ronald W. Ritchey
• Practical Unix & Internet Security, 3rd Edition – Simson Garfinkel, Gene Spafford, Alan Schwartz

Page 32: Thanks

I hope this session was informative :-)

If you would like any more sessions in April 2005, please let the ACM Officers know.

E-mail – [email protected]
