IDS / IPS
An introduction to intrusion detection and intrusion prevention systems
James E. Thiel, January 14, 2005
S.W.A.T., Drexel University
Overview
• Intrusion Detection
  • Purpose
  • Types
  • Detection Methods
  • Output
  • Examples
  • Limitations
• Intrusion Prevention
  • Purpose
  • Types
  • Examples
  • Risks
• Conclusions
Intrusions
• “Any set of actions that attempts to undermine the integrity, confidentiality, or availability of a resource” (R. Heady et al.)
  • Port scans
  • Worms
  • Application exploits (buffer overflow)
  • Denial of Service
• Becoming increasingly subtle
• Firewalls provide only limited protection
Intrusion Detection
• An intrusion detection system (IDS) performs three actions:
  • Obtain audit data from the system monitored
    • Network traffic
    • System logs
    • System properties (load average, file use, login times, etc.)
  • Analyze the data, searching for evidence of attack
  • Report any attack evidence to a human operator (‘alert’)
• Work in real time
• Typically identified by the system monitored
  • Individual host
  • Network
• Also identified by audit data source and detection method
IDS Effectiveness
• Accuracy: how often an IDS will report an alert when an attack has not occurred
  • Known as a false positive (false alarm)
• Completeness: how often an IDS will fail to report an alert when an attack has occurred
  • Known as a false negative (missed detection)
• Performance: rate at which an IDS can analyze audit data
• Timeliness: rate at which an IDS can raise an alarm
• Fault tolerance: the ability of the IDS to withstand an intrusion against the IDS itself
Network Intrusion Detection
• A network-based IDS (NIDS) is configured to monitor a subnet
• Dedicated IDS machine sniffs network traffic near a central routing device (hub, span port)
• Pros:
  • Does not affect network performance
  • Can be hidden
• Cons:
  • Weak against denial of service attack
  • Single point of failure
[Figure: Internet, firewall and hub in line; the NIDS and the monitored hosts are all attached to the hub]
Host Intrusion Detection
• A host-based IDS (HIDS) is configured to monitor a single host machine (server, terminal, firewall, etc.)
• Can monitor either incoming network traffic or operations on host
• Runs as a process on host
• Pros:
  • Monitor for intrusions that only apply to host
• Cons:
  • Use resources of system
  • Requires specific HIDS for specific system
[Figure: Internet, firewall and hub in line; each host attached to the hub runs its own HIDS]
Distributed Intrusion Detection
• A distributed IDS (DIDS) uses NIDS or HIDS or both as sensors
• All analysis results are sent to a central management station
• Also known as a hybrid IDS
• Pros:
  • Widest in range
  • Sensors can share and coordinate results
• Cons:
  • Results from sensors are sent across the [potentially compromised] network
  • Results from sensors may not be sent if network is flooded
[Figure: Internet, firewall and hub in line; hosts running HIDS, a NIDS and a management station are attached to the hub]
Detection Method Types
• Known Good: desired/expected behaviour is defined; raise alarm at anything undesired
  • Pros:
    • Low chance of missing intrusions
    • Strong against new vulnerabilities
  • Cons:
    • Extensive; lots of work to implement
    • High chance of false alarms
• Known Bad: undesired behaviour is defined; raise alarm at the undesired
  • Pros:
    • Less work (potentially)
    • Low chance of false alarms
  • Cons:
    • High chance of missed intrusions
    • Weak against new vulnerabilities
Detection Methods
• Terminology varies among the different fields using IDS
  • Researchers use abstract, general classifications
  • IDS developers use concrete classifications
  • System administrators use only the classifications that apply to their system
• Anywhere between two and five detection methods
  • Rule-based (signature) detection
  • Protocol analysis
  • Anomaly detection
  • Specification detection
  • Policy-based detection
Rule-based Detection
• IDS has a database of pattern descriptions (rules) that indicate an attack
• Alarm is raised if pattern (signature) is detected in audit data
• Example: Raise alarm if a TCP packet contains a GET request for 'passwd.txt'
• Pros:
  • Fast (given a small rule set)
  • Rules are customizable and easy to write
  • Easily identify intrusion
• Cons:
  • Weak against newly-discovered vulnerabilities
  • Requires constant updating to be effective
• Also known as misuse detection
Protocol Analysis
• IDS contains protocol rules for system
• Alarm is raised for violations of protocol in audit data
• Example: Raise alarm if response to TCP connection setup is anything other than an RST/ACK or SYN/ACK packet
• Pros:
  • More flexible than rule-based; can detect new types of intrusions
• Cons:
  • Assumes that all applications adhere to protocol standards
  • Extensive and difficult to write
  • Will miss intrusions that do not violate protocol
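The handshake rule from the example above, implemented as a small protocol analyzer. This is an added example, not code from the talk: it tracks (client, server) pairs that have sent a bare SYN and alarms when the server's first reply is anything other than SYN/ACK or RST/ACK. The packet trace, IP addresses and the `Packet` type are constructed for the demonstration.

```python
"""Protocol analysis of the TCP three-way handshake: the IDS knows the rule
"the first reply to a SYN must be SYN/ACK or RST/ACK" and alarms on any other
reply. Added example with constructed packets; not code from the talk."""
from dataclasses import dataclass

# TCP flag bits (same bit values as in the TCP header)
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    src: str    # source IP (constructed sample values below)
    dst: str    # destination IP
    flags: int  # TCP flag bits


class HandshakeAnalyzer:
    """Tracks (client, server) pairs with an outstanding SYN and checks the server's first reply."""

    VALID_REPLIES = {SYN | ACK, RST | ACK}

    def __init__(self):
        self.pending = set()   # (client, server) pairs awaiting a reply to a SYN
        self.alerts = []

    def feed(self, pkt):
        """Process one packet; return an alert string if it violates the handshake rule."""
        if pkt.flags == SYN:                      # a bare SYN opens a new pending handshake
            self.pending.add((pkt.src, pkt.dst))
            return None
        reverse = (pkt.dst, pkt.src)              # is this packet the reply to a pending SYN?
        if reverse not in self.pending:
            return None                           # not part of a handshake we are tracking
        self.pending.discard(reverse)
        if pkt.flags in self.VALID_REPLIES:
            return None
        alert = (f"handshake violation: {pkt.src} answered SYN from {pkt.dst} "
                 f"with flags 0x{pkt.flags:02x}")
        self.alerts.append(alert)
        return alert


def analyze(packets):
    """Run the analyzer over a packet trace and return the list of alerts."""
    analyzer = HandshakeAnalyzer()
    for pkt in packets:
        analyzer.feed(pkt)
    return analyzer.alerts


# Constructed trace: one normal handshake, one refused connection, one malformed reply.
SAMPLE_TRACE = [
    Packet("10.0.0.5", "10.0.0.1", SYN),        # normal: SYN
    Packet("10.0.0.1", "10.0.0.5", SYN | ACK),  #         SYN/ACK
    Packet("10.0.0.5", "10.0.0.1", ACK),        #         ACK
    Packet("10.0.0.6", "10.0.0.1", SYN),        # refused: SYN
    Packet("10.0.0.1", "10.0.0.6", RST | ACK),  #          RST/ACK
    Packet("10.0.0.8", "10.0.0.1", SYN),        # malformed: SYN
    Packet("10.0.0.1", "10.0.0.8", ACK),        #            bare ACK, a protocol violation
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_TRACE):
        print(a)
```

Only the third exchange produces an alert. The two cons listed above are visible in the code: a reply that follows the protocol is never examined further, so an attack carried inside a well-formed handshake passes, and an application that legitimately deviates from the standard would be reported as a violation.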
Anomaly Detection
• IDS 'learns' properties of the system in its normal operating state (profiling)
• Alarm is raised if system deviates from its normal state
• Example: Raise alarm if network traffic volume is higher than a certain value at a specific time
• Pros:
  • Customizable to system
  • More flexible than rule-based; can detect new types of intrusions
  • Low chance of missing an intrusion
• Cons:
  • Requires complete profile of system behavior
  • High chance of false alarms
  • Must be updated if system changes
Specification-based Detection
• IDS is given a defined description (specification) of the normal system state
• Alarm is raised if system deviates from specification
• Example: Raise alarm if CPU load on a host goes higher than value in specification
• Pros:
  • Customizable to system
  • More flexible than rule-based; can detect new types of intrusions
  • Low chance of missing an intrusion
• Cons:
  • Requires syntax for description of system
  • Requires complete knowledge of system behavior
  • High chance of false alarms
  • Must be updated if system changes
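The two preceding methods differ only in where the notion of "normal" comes from: anomaly detection learns it from a profile of past behaviour, specification-based detection is handed it as a declared description. The added example below (not code from the talk) runs both on the same property, bytes of traffic per hour, so the difference shows in the alarms. The baseline figures, the declared limit and the observations are constructed; the profile is a per-hour mean and standard deviation, and the anomaly rule is "more than k standard deviations above the mean", which is one common choice, not the only one.

```python
"""Anomaly detection (learned profile) beside specification-based detection
(declared limit) on one property: bytes of network traffic per hour.
Added example with constructed figures; not code from the talk."""
import statistics

# Constructed baseline: bytes/hour observed during normal operation on 7 days,
# for a quiet hour (03:00) and a busy hour (14:00).
BASELINE = {
    3:  [1_200, 1_050, 1_400, 900, 1_300, 1_100, 1_250],
    14: [48_000, 52_000, 50_500, 47_000, 51_000, 49_500, 53_000],
}

# Constructed specification: an administrator-declared upper bound, independent of time of day.
SPEC = {"max_bytes_per_hour": 60_000}


def build_profile(baseline):
    """Anomaly detection 'learns' the system: mean and standard deviation per hour."""
    return {hour: (statistics.mean(v), statistics.pstdev(v)) for hour, v in baseline.items()}


def anomaly_check(profile, hour, volume, k=3.0):
    """Alarm if the observed volume lies more than k standard deviations above the profile mean.
    Returns (alarm, z_score)."""
    mean, sd = profile[hour]
    if sd == 0:                      # degenerate profile: any excess over the mean counts as unusual
        return volume > mean, (float("inf") if volume > mean else 0.0)
    z = (volume - mean) / sd
    return z > k, z


def spec_check(spec, volume):
    """Specification-based: alarm if the declared limit is exceeded, whatever the hour."""
    return volume > spec["max_bytes_per_hour"]


def evaluate(profile, spec, observations):
    """Run both methods over (hour, volume) observations; returns one result dict per observation."""
    results = []
    for hour, volume in observations:
        anomalous, z = anomaly_check(profile, hour, volume)
        results.append({"hour": hour, "volume": volume,
                        "anomaly": anomalous, "z": round(z, 1),
                        "spec": spec_check(spec, volume)})
    return results


# Constructed observations chosen to separate the two methods.
OBSERVATIONS = [
    (3, 1_500),    # slightly busy night: neither method alarms
    (3, 8_000),    # night-time surge: far outside the profile, yet under the declared limit
    (14, 55_000),  # busy afternoon: within normal variation, under the limit
    (14, 70_000),  # afternoon surge: both methods alarm
]

if __name__ == "__main__":
    for r in evaluate(build_profile(BASELINE), SPEC, OBSERVATIONS):
        print(r)
```

The night-time surge is the case that motivates profiling: 8,000 bytes in an hour is nothing at 14:00 but more than forty standard deviations above the 03:00 profile, so only the anomaly method alarms on it. The cons on both slides also follow directly from the code: the profile must contain an entry for every hour it is asked about (a complete profile), the specification must be rewritten if 60,000 stops being a sensible limit, and the profile must be rebuilt when the system's normal traffic changes, or it starts raising false alarms.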
Policy-based Detection
• IDS has list of predefined acceptable actions (policy)
• Alarm is raised if policy is violated
• Example: Raise alarm if a GET request to a specific HTTP server is for any file other than those allowed to be viewed by users
• Pros:
  • Customizable to system
  • More flexible than rule-based; can detect new types of intrusions
• Cons:
  • Requires complete policy of system
  • Must be updated if policy changes
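The rule-based example (alarm on a GET for 'passwd.txt') and the policy-based example (alarm on a GET for any file outside the allowed set) are the Known Bad and Known Good approaches from the Detection Method Types slide applied to the same audit data. The added example below, which is not code from the talk, runs both detectors over a constructed set of labelled HTTP requests and scores each with the false positive / false negative terminology from the IDS Effectiveness slide, so the trade-off claimed on that slide can be seen in numbers. The request data, the rule name and the allowlist are all constructed.

```python
"""Known Bad (signature rule) beside Known Good (policy allowlist) on the same
constructed HTTP audit data, scored by false positives and false negatives.
Added example; not code from the talk."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class HttpRequest:
    src: str         # client IP (constructed)
    method: str
    path: str
    malicious: bool  # ground-truth label, used only for scoring, never by the detectors


# Constructed audit data: ordinary browsing mixed with attack traffic.
AUDIT_DATA = [
    HttpRequest("10.0.0.5", "GET", "/index.html", False),
    HttpRequest("10.0.0.5", "GET", "/images/logo.png", False),
    HttpRequest("10.0.0.9", "GET", "/docs/passwd.txt", True),           # the slide's signature example
    HttpRequest("10.0.0.9", "GET", "/cgi-bin/../../etc/passwd", True),  # traversal; no 'passwd.txt' string
    HttpRequest("10.0.0.7", "GET", "/admin/config.php", True),
    HttpRequest("10.0.0.3", "GET", "/about.html", False),
    HttpRequest("10.0.0.3", "GET", "/new-page.html", False),            # legitimate page added after the policy was written
]

# Known Bad: a small rule database of (rule name, pattern over the request line).
SIGNATURE_RULES = [
    ("LOCAL passwd.txt request", re.compile(r"^GET .*passwd\.txt", re.IGNORECASE)),
]

# Known Good: the policy lists every path users are allowed to fetch.
ALLOWED_PATHS = {"/index.html", "/images/logo.png", "/about.html"}


def rule_based(req):
    """Misuse detection: alert only when a signature matches."""
    request_line = f"{req.method} {req.path}"
    return [name for name, pattern in SIGNATURE_RULES if pattern.search(request_line)]


def policy_based(req):
    """Policy detection: alert on any GET outside the allowlist."""
    if req.method == "GET" and req.path not in ALLOWED_PATHS:
        return ["POLICY GET outside allowed file set"]
    return []


def score(detector, data):
    """Return (false_positives, false_negatives, true_positives) for a detector on labelled data."""
    fp = fn = tp = 0
    for req in data:
        alerted = bool(detector(req))
        if alerted and not req.malicious:
            fp += 1    # false alarm: an accuracy problem
        elif not alerted and req.malicious:
            fn += 1    # missed detection: a completeness problem
        elif alerted and req.malicious:
            tp += 1
    return fp, fn, tp


if __name__ == "__main__":
    for name, detector in (("rule-based", rule_based), ("policy-based", policy_based)):
        fp, fn, tp = score(detector, AUDIT_DATA)
        print(f"{name:13s} false alarms={fp} missed={fn} detected={tp}")
```

On this data the signature rule raises no false alarms but misses the two attacks it has no rule for, while the allowlist catches all three attacks and raises one false alarm on the page that was added after the policy was written. That is the slide's claim in miniature: Known Bad trades completeness for accuracy and needs constant rule updates, Known Good trades accuracy for completeness and needs the policy updated whenever the system changes.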
Output
• Contact administrator directly
  • Email
  • Page
• Record to data file
  • Text file
  • System log
  • Binary packet log (tcpdump)
• Record to database
• Print to console window (verbose)
IDS Examples
• NIDS
  • Snort: lightweight rule-based packet sniffer with limited protocol analysis and anomaly detection
  • Bro: heavyweight rule-based and policy-based packet sniffer
• HIDS
  • PortSentry: port scan detector
  • LogSentry: log analyzer
  • Tripwire: file integrity monitor
  • Rkdet: rootkit detector
• DIDS
  • Prelude: rule-based packet sniffer, log analyzer, buffer overflow detection
  • Osiris: file integrity monitor
Limitations
• Must be kept up to date (signatures, protocols, etc.)
• Assumes compromised network will be able to send alarm
• Accuracy and completeness depend largely on fine-tuning of IDS by administrator
• Often weak against denial of service attacks
• IDSs give warning, but they do not prevent/stop attacks (usually)
Intrusion Prevention
• Many network intrusions take little time to execute
  • Worms
  • Backdoor exploits
• An IDS often does not provide enough time for an administrator to respond before the intrusion has damaged the system
• An Intrusion Prevention System (IPS) is designed to identify potential attacks and autonomously execute countermeasures to inhibit them, without affecting normal system operation
• IPS is the ‘next step’ following IDS
IPS Types
• Typically network-based (NIPS); analyze network traffic for exploits
• Several different types of countermeasures
  • Session sniping
  • Packet filtering
  • Packet scrubbing
  • IP blocking
  • Deception
• Host-based IPS (HIPS) also exists; prevent malicious actions on operating system (dangerous system calls, unauthorized file changes)
Session Sniping
• The IPS closes a network session involving a host that has sent malicious traffic
  • TCP RESET for TCP sessions
  • ICMP Host/Network/Port Unreachable for UDP traffic
• Pros:
  • Easy to implement and use
• Cons:
  • Can be prevented by attacker through various means
• Examples:
  • IPtables (Linux firewall) can REJECT traffic from a given host using this method
  • Snort has a ‘flexible response’ option, which allows it to send resets when a rule is triggered
Packet Filtering
• The IPS drops traffic that contains malicious information
• Pros:
  • Removes malicious traffic from the network
• Cons:
  • Possibility of removing legitimate traffic
• Examples:
  • Hogwash drops traffic when a rule is triggered
  • Latest version of Snort has an ‘inline’ feature that allows it to drop traffic when a rule is triggered
Packet Filtering Implementation
• Usually implemented as an Inline NIDS
  • NIDS positioned inline on network; acts as a bridge between subnets
  • NIDS redesigned to drop malicious traffic
  • Disruption of Inline NIDS will disrupt network
• Also deployed as ‘smart’ switches
[Figure: Internet, firewall and hub in line, with the Inline NIDS placed in the path between the hub and the hosts]
Packet Scrubbing
• The IPS replaces malicious packet content with benign content
• Pros:
  • Does not indicate that IPS detected intrusion
• Cons:
  • Only works if the intrusion involves malicious packet content
• Example:
  • Snort has a ‘replace’ option that changes the malicious content to user-defined content of the same length
IP Blocking
• The IPS changes the settings on a local firewall, causing it to block traffic from the malicious host
• Pros:
  • Effectively removes attacker from the network
• Cons:
  • Possibility of blocking legitimate hosts
• Example:
  • SnortSAM firewall agent receives information from Snort rules and changes settings of firewalls (such as IPtables) accordingly
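The agent pattern described above (Snort alert in, firewall change out), as an added example that is not SnortSAM's code or the talk's. It parses constructed alert lines written in the style of Snort's "fast" alert output, blocks the source address only for alerts at or above a chosen priority, never blocks hosts on an allowlist, and lets every block expire. The allowlist and expiry are the two controls that address the con on this slide and the risk listed later that an attacker may provoke the IPS into blocking legitimate hosts. The agent records the iptables commands it would issue rather than executing them; the alert text, addresses, rule IDs and thresholds are all constructed.

```python
"""IP-blocking agent: turn IDS alerts into temporary firewall blocks, with an
allowlist and an expiry so a spoofed alert cannot lock out a legitimate host
for good. Added example; not SnortSAM's code or code from the talk. Commands
are recorded (dry run), never executed."""
import re
from dataclasses import dataclass, field

# Matches the fields of a Snort-style "fast" alert line; ports are optional (absent for ICMP).
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\]"
    r".*?\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?"
)


@dataclass
class BlockAgent:
    allowlist: set                 # addresses that must never be blocked (gateway, DNS, the IDS itself)
    max_priority: int = 2          # act only on this priority or more severe (Snort: 1 is most severe)
    block_seconds: int = 600       # how long a block lasts before it is lifted automatically
    blocked: dict = field(default_factory=dict)   # ip -> expiry time (seconds)
    commands: list = field(default_factory=list)  # firewall commands the agent would run

    def handle(self, line, now):
        """Process one alert line at time `now`; return the block command issued, or None."""
        m = ALERT_RE.search(line)
        if not m:
            return None                                      # not an alert line we understand
        src = m.group("src")
        if int(m.group("prio")) > self.max_priority:
            return None                                      # too low a priority to act on
        if src in self.allowlist:
            return None                                      # protects against spoofed-source alerts
        if src in self.blocked and self.blocked[src] > now:
            return None                                      # already blocked, nothing to do
        self.blocked[src] = now + self.block_seconds
        cmd = f"iptables -I INPUT -s {src} -j DROP"
        self.commands.append(cmd)
        return cmd

    def expire(self, now):
        """Lift every block whose time is up; return the addresses released."""
        released = [ip for ip, expiry in self.blocked.items() if expiry <= now]
        for ip in released:
            del self.blocked[ip]
            self.commands.append(f"iptables -D INPUT -s {ip} -j DROP")
        return released


# Constructed alert lines in Snort "fast" style (rule IDs in the local range, addresses made up).
SAMPLE_ALERTS = [
    "01/14-10:22:31.123456  [**] [1:1000001:1] LOCAL passwd.txt request [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.9:41234 -> 10.0.0.1:80",
    "01/14-10:22:35.000001  [**] [1:1000002:1] LOCAL ICMP echo sweep [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.4 -> 10.0.0.1",
    "01/14-10:22:40.500000  [**] [1:1000003:1] LOCAL exploit attempt [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.1:5555 -> 10.0.0.7:22",
    "01/14-10:22:41.000000  [**] [1:1000001:1] LOCAL passwd.txt request [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.9:41300 -> 10.0.0.1:80",
]

if __name__ == "__main__":
    agent = BlockAgent(allowlist={"10.0.0.1"})   # 10.0.0.1 is the gateway in this constructed network
    for t, line in enumerate(SAMPLE_ALERTS):
        print(agent.handle(line, now=1000 + t))
    print(agent.expire(now=1000 + agent.block_seconds))
```

The third alert names the gateway as its source; whether that is a spoof or a real compromise, blocking the gateway would cut the subnet off, which is exactly the outcome the Risks slide warns about, so the allowlist refuses it and a human has to look. The fourth alert repeats a source that is already blocked and produces no second command, keeping the firewall rule set from growing with every repeated alert.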
Deception
• The IPS sends traffic to the attacker indicating that the attack against a host succeeded or that the connection to the host is no longer available
• Usually a dedicated host (a ‘honeypot’) on the network purposely exhibits vulnerabilities, drawing the attacker away from the rest of the network
• Can also fake service applications on the hosts
• Pros:
  • Attacker proceeds with attack; obtain information about attack and attacker
• Cons:
  • Attacker is still on the network; may be able to launch attacks on other hosts
  • Possible legal implications
• Examples:
  • The Deception Toolkit (DTK) simulates services on a host
  • honeyd creates virtual hosts for the attacker to attack
IPS Examples
• Packet filtering
  • Hogwash: drop packets that trigger rules
  • Snort_Inline: drop packets that trigger rules
  • FWSnort: convert Snort rules to IPtables rules
• IP blocking
  • SnortSAM: block IP addresses based on Snort alerts
  • PortSentry: can automatically block IP addresses that run port scans
• Deception
  • DTK: simulate services on a host
  • honeyd: create virtual hosts on network
Risks
• Attacker may obtain information from the countermeasure taken
  • Existence of IPS on network
  • Type of IPS
  • Operating system of host running IPS
• Attack may still succeed if there is sufficient delay between detection of attack and deployment of countermeasure
• If IPS blocks IP addresses or traffic, attacker may manipulate traffic to prevent communication between hosts or between networks
• Should only be used against attacks with certain characteristics (P. Proctor)
  • The attack is rare
  • The attack is catastrophic
  • The attack cannot be spoofed (to cause another attack)
  • The attack is positively identifiable as misuse
Experiences with Snort
• Pros:
  • Rule syntax is simple
  • Easy to configure
  • Multiple output formats
  • Multiple IPS features
  • Large amount of documentation
• Cons:
  • Difficult to write rules for binary data (applications, compressed files)
  • Stateful inspection of network traffic is limited
• Never use ASCII packet logging mode!
Conclusions
• Intrusions are becoming increasingly fast and difficult to detect by traditional methods.
• An Intrusion Detection System searches system data for signs of attack and reports the results to an administrator.
• An IDS is defined by the system it monitors (host or network) and by its detection method. Several different detection methods exist, which either detect intrusive data or recognize legitimate data.
• An Intrusion Prevention System searches system data for signs of attack and autonomously activates countermeasures. It is the ‘next step’ beyond IDS, which reports intrusions but does not stop them.
• Several different network-based countermeasures exist, which either disable malicious traffic or disable the attacker.
• IPS deployment involves several risks from the use of countermeasures.