Date posted: 03-Jan-2016
Intrusion Detection System (IDS)
By: Er. Magandeep Kaur (G.P.C. Bathinda)
4/26/2013 Punjab EDUSAT Society (PES)
What is IDS?
• An IDS is a tool for obtaining security in networks.
• It helps the administrator detect & respond to the malicious attacks which the firewall was not able to detect & filter.
• An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities.
• An Intrusion Detection System is required to detect all types of malicious network traffic and computer usage that can't be detected by a conventional firewall.
• This includes network attacks against services, attacks on applications, unauthorized logins, access to sensitive files etc.
• IDS thus forms the second line of defence against malicious hackers & attackers.
Comparison with firewalls
• Though they both relate to network security, an IDS differs from a firewall in that a firewall looks outward for intrusions in order to stop them from happening.
• Firewalls limit access between networks to prevent intrusion and do not signal an attack from inside the network.
• An IDS evaluates a suspected intrusion once it has taken place and signals an alarm.
• A system that terminates connections is called an intrusion prevention system, and is another form of an application layer firewall.
• Normally networks use a firewall for protection against security threats, but a firewall can rarely identify the type of attack.
• So an IDS has proven to be an excellent tool for monitoring the type of attack.
• There are two types of intrusion detection system:
1. Reactive IDS
2. Passive IDS
1. Reactive IDS: one in which, if the intruder or attack is detected, it does not alert the user.
2. Passive IDS: the user is alerted in silent mode, i.e. through mails, pagers etc.
• A better way to understand IDS would be to take your house as an example.
• The locks on your doors & windows stop strangers from gaining access to your house. These are your firewalls.
• A person having the keys to your door locks, or who has some other way to open them, can pass through the doors & windows; i.e. the one having keys is an authorized person for your firewalls to let through.
• But this firewall cannot detect whether that authorized person has malicious intentions or not.
• That can be detected by an IDS.
• An IDS is a combination of early warning & alarm system.
• When someone attempts to force entry into your house, your alarm will sound to scare off the intruder (a "reactive" IDS), or it might make a silent phone call to the local police station (a "passive" IDS).
Need of IDS
• For any company with a connection to the internet, a firewall should always be your first line of defence.
• But firewalls can be attacked, & one way to plug these gaps in your security is to use an IDS.
• Following are some reasons why we need IDS:
• Trojans: A Trojan is a bad program that you have been hoodwinked into installing on your computer in the belief that it is a good program.
• Spyware: It is generally a particular type of Trojan. Its purpose is to sit quietly & hidden on your computer & send information back to its originator. It spies on you, stealing confidential information, passwords, credit card numbers etc.
Advantages of IDS
• General benefits of an IDS include the following:
• It can detect the unauthorized user.
• It can detect password cracking & denial of service.
• It can catch illegal data manipulations.
• It monitors & analyses system events & user behaviour.
• Managing OS audit & logging mechanisms & the data they generate.
• Alerting appropriate staff by appropriate means when attacks are detected.
• They can detect & alert on malicious code like viruses, worms, Trojan horses etc.
• They are similar to a security camera & burglar alarm.
• They can detect most security threats & in some cases they are more reliable than firewalls.
Limitations of IDS
• An IDS is unable to catch the events of a teardrop attack.
• A teardrop attack occurs when an attacker sends fragments of data that a system is unable to reassemble.
• Such an attack may lead to freezing of the system.
• Most of them are unable to detect & prevent misuse or unintended consequences.
• A direct attack on the IDS by an attacker also destroys its ability to detect intrusion, so the attacker tries to shut down the IDS & then attack the network.
• Not all IDS are compatible with all routers.
What IDS 'CAN and CANNOT' provide
• The IDS however is not an answer to all your security related problems.
• You have to know what you CAN, and CAN NOT, expect of your IDS.
• In the following subsections I will try to show a few examples of what Intrusion Detection Systems are capable of, but each network environment varies and each system needs to be tailored to meet your enterprise environment needs.
• The IDS CAN provide the following:
• CAN add a greater degree of integrity to the rest of your infrastructure.
• CAN trace user activity from point of entry to point of impact.
• CAN recognize and report alterations to data.
• CAN automate the task of monitoring the Internet searching for the latest attacks.
• CAN detect when your system is under attack.
• CAN detect errors in your system configuration.
• CAN guide the system administrator in the vital step of establishing a policy for your computing assets.
• CAN make the security management of your system possible by non-expert staff.
• The IDS CAN NOT provide:
• CAN NOT compensate for weak identification and authentication mechanisms.
• CAN NOT conduct investigations of attacks without human intervention.
• CAN NOT compensate for weaknesses in network protocols.
• CAN NOT compensate for problems in the quality or integrity of information the system provides.
• CAN NOT analyze all the traffic on a busy network.
• CAN NOT always deal with problems involving packet-level attacks.
• CAN NOT deal with some of the modern network hardware and features.
Who needs to be involved?
• In order to identify critical systems the following people MUST be involved:
• Information Security Officers
• Network Administrators
• Database Administrators
• Senior Management
• Operating System Administrators
• Data owners
• Without those individuals involved, the resources will not be used efficiently.
My IDS is up, what now?
• Once your IDS is up and operational, you must dedicate a person to administer it.
• Logs must be reviewed, and traffic must be tailored to meet the specific needs of your company.
• You must know that IDS must be maintained and configured.
• If you feel that you lack knowledgeable staff, get a consultant to help, and train your personnel.
• Otherwise you will lose a lot of time and money trying to figure out what is wrong.
• The emergency response procedure must outline:
• Who will be the first point of contact.
• A list of all the people who will need to be contacted.
• The person responsible for decision making on how to proceed in the emergency situation.
• The person responsible for investigation of the incident.
• Who will handle the media, in case the incident gets out.
• How the information about the incident will be handled.
Where do I find an Intrusion Detection mechanism?
• After we have decided that we need an intrusion detection mechanism, we have to find out where to get it.
• Below I provide a list of vendors that offer Intrusion Detection products and services.
• Products vary from freeware to commercially available.
• Freeware:
- Snort - http://www.snort.org/
- Shadow
• Commercially Available:
- Real Secure from ISS - http://www.iss.net/customer_care/resource_center/product_lit/
- Net Prowler from Symantec - http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=50&PID=5863267
- NFR - http://www.nfr.com/
Types of IDS
• IDS can be categorized in 3 different ways:
- Host based ID systems
- Network based ID systems
- Application based IDS
Host based ID system (HIDS)
• These are concerned with what is happening on each individual computer or host.
• They are able to detect such things as repeated failed access attempts or changes to system files.
• HIDS are installed on the hosts they have to keep an eye on & monitor.
• A host can be a server, workstation or any network device such as a router, printer or gateway.
• HIDS do monitoring, reporting & direct interaction at the application layer.
• It can inspect each incoming command, looking for signs of maliciousness & unauthorized file changes.
• The disadvantage of host based IDS is that they are harder to manage, as information must be configured & managed for every host monitored.
• Most HIDS can monitor only specific types of systems, e.g. the HIDS CyberCop Server can only protect web servers.
• If the server is running multiple services like file sharing, DNS etc. then the HIDS might not be able to detect an intrusion.
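As an added example (not part of the slides), the two HIDS detections named above, run on constructed data: a SHA-256 baseline of a small set of files is compared after the files are tampered with, and an auth-log style text is scanned for repeated failed logins per source address. The log lines, the file contents, the temporary directory standing in for system files and the threshold of 3 failures are all constructed for this example.

```python
"""Added example, not from the slides: a minimal host-based check covering
file integrity (changes to system files) and repeated failed access attempts.
Everything it reads is constructed inline so it runs offline."""
import hashlib
import os
import re
import tempfile
from collections import Counter

# Constructed sample of auth-log style lines (not a real log).
SAMPLE_AUTH_LOG = """\
Apr 26 09:01:02 host1 sshd[1001]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Apr 26 09:01:05 host1 sshd[1002]: Failed password for root from 198.51.100.7 port 40002 ssh2
Apr 26 09:01:09 host1 sshd[1003]: Failed password for root from 198.51.100.7 port 40003 ssh2
Apr 26 09:01:12 host1 sshd[1004]: Accepted password for alice from 192.0.2.15 port 51000 ssh2
Apr 26 09:01:20 host1 sshd[1005]: Failed password for root from 198.51.100.7 port 40004 ssh2
Apr 26 09:02:00 host1 sshd[1006]: Failed password for bob from 192.0.2.15 port 51001 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")


def failed_logins_by_source(log_text, threshold=3):
    """Count failed logins per source address; return the sources at or over threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def sha256_of(path):
    """Hash a file in chunks so large files do not have to be read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record a SHA-256 for every regular file under root (the trusted state)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            baseline[os.path.relpath(path, root)] = sha256_of(path)
    return baseline


def check_integrity(root, baseline):
    """Compare the current tree against the baseline; report changed, added and removed files."""
    current = build_baseline(root)
    changed = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"changed": changed, "added": added, "removed": removed}


def demo():
    """Run both checks on constructed data and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed stand-ins for system files.
        with open(os.path.join(root, "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(root, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        baseline = build_baseline(root)
        # Simulated tampering after the baseline was taken: edit, add, delete.
        with open(os.path.join(root, "passwd"), "a") as f:
            f.write("eve:x:0:0::/home/eve:/bin/sh\n")
        with open(os.path.join(root, "rc.local"), "w") as f:
            f.write("#!/bin/sh\n")
        os.remove(os.path.join(root, "hosts"))
        integrity = check_integrity(root, baseline)
    return {"integrity": integrity, "failed_logins": failed_logins_by_source(SAMPLE_AUTH_LOG)}


if __name__ == "__main__":
    print(demo())
```

The baseline must be taken from a known-good state and stored where the monitored host cannot rewrite it, otherwise an intruder who gains write access can simply re-baseline; the failed-login rule keys on the source address, so one address below the threshold is ignored while a single address with repeated failures is reported.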
Network based ID system
• It examines the individual data packets flowing through the network.
• These packets are examined & sometimes compared with original data to verify their nature, malicious or not, because NIDS are responsible for monitoring a network.
• They are able to understand all the different options that exist within a network packet & ports.
• NIDS are also able to look at the payload within the packet, i.e. see which particular web server program is being accessed & with what options.
• When an unauthorized user logs in successfully or attempts to log in, they are best tracked by the host based IDS.
• However, detecting the unauthorized user before their log on attempt is best accomplished with network based IDS.
• NIDS can detect maliciously crafted packets that can mount an attack & spoil the security of the network.
• NIDS scan any traffic that is transmitted over the segment of the network & only permit packets that are not identified as intrusive.
• Examples of network based IDS are Shadow, Dragon, Real Secure & Net Prowler.
• A disadvantage of network based IDS is that it may have difficulty processing all packets in a large or busy network & therefore may fail to recognize an attack launched during periods of high traffic.
• Another disadvantage of network based IDS is that it cannot analyze encrypted information. This problem is increasing as more organizations use VPNs.
Application based IDS
• It can monitor the interaction between user & application, which often allows them to trace unauthorized activity to individual users.
• Application based IDSs can work in encrypted environments, since they interface with the application at transaction endpoints, where information is presented to the user in unencrypted form.
Misuse & anomaly detection system
• Misuse detection within network based IDS involves checking for illegal types of network traffic.
• Detection of anomalous activity relies on the system knowing what is regular network traffic & what isn't.
• Many modern systems use a combination of both misuse & anomaly detection.
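An added example (not from the slides) serving both the network based IDS slides and the misuse & anomaly slide above: it builds a few IPv4/TCP packets in memory, parses the fields a NIDS rule needs (addresses, ports, payload), matches the payload against a tiny constructed signature list (misuse detection) and flags a source that contacts more distinct destination ports than a constructed baseline allows (anomaly detection). All addresses, payloads, signatures and thresholds are invented for the example; no real rule set or packet capture is involved.

```python
"""Added example, not from the slides: a toy network-based IDS combining
misuse (signature) and anomaly (baseline) detection over constructed packets."""
import struct
from collections import defaultdict


def build_packet(src, dst, sport, dport, payload=b""):
    """Build a minimal IPv4+TCP SYN packet; constructed test data, checksums left at zero."""
    ip_src = bytes(int(o) for o in src.split("."))
    ip_dst = bytes(int(o) for o in dst.split("."))
    total_len = 20 + 20 + len(payload)
    # version/IHL, TOS, total length, ID, flags+fragment offset, TTL, proto 6 (TCP), checksum, src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0, ip_src, ip_dst)
    # sport, dport, seq, ack, data offset (5 words), flags (SYN), window, checksum, urgent pointer
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_packet(raw):
    """Decode the fields a NIDS rule needs: addresses, ports and the TCP payload."""
    if raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4          # IP header length in bytes
    proto = raw[9]
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    pkt = {"src": src, "dst": dst, "proto": proto, "sport": None, "dport": None, "payload": b""}
    if proto == 6:  # TCP: ports come first, data offset is the high nibble of byte 12
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", raw[ihl:ihl + 4])
        data_off = (raw[ihl + 12] >> 4) * 4
        pkt["payload"] = raw[ihl + data_off:]
    return pkt


# Misuse (signature) rules: name, destination port (None = any port), byte pattern.
# Constructed for this example; real rule sets are far larger and more specific.
SIGNATURES = [
    ("directory traversal in HTTP request", 80, b"../"),
    ("constructed beacon marker", None, b"EXAMPLE-BEACON"),
]


def misuse_alerts(pkt):
    """Return one alert string per signature that matches the packet."""
    alerts = []
    for name, port, pattern in SIGNATURES:
        if (port is None or pkt["dport"] == port) and pattern in pkt["payload"]:
            alerts.append(f"misuse: {name} from {pkt['src']} -> {pkt['dst']}:{pkt['dport']}")
    return alerts


class AnomalyDetector:
    """Anomaly rule: a source normally talks to a handful of ports; exceeding the
    baseline number of distinct destination ports is flagged once per source."""

    def __init__(self, max_ports=5):
        self.max_ports = max_ports
        self.ports_by_src = defaultdict(set)

    def observe(self, pkt):
        if pkt["dport"] is None:
            return None
        seen = self.ports_by_src[pkt["src"]]
        seen.add(pkt["dport"])
        if len(seen) == self.max_ports + 1:  # fires exactly once, when the baseline is first exceeded
            return f"anomaly: {pkt['src']} contacted {len(seen)} distinct ports (baseline {self.max_ports})"
        return None


def run_ids(packets, max_ports=5):
    """Run both detectors over raw packets; return the alerts in the order raised."""
    detector = AnomalyDetector(max_ports)
    alerts = []
    for raw in packets:
        pkt = parse_packet(raw)
        alerts.extend(misuse_alerts(pkt))
        anomaly = detector.observe(pkt)
        if anomaly:
            alerts.append(anomaly)
    return alerts


def sample_traffic():
    """Constructed traffic: one benign request, one traversal attempt, one port sweep."""
    pkts = [
        build_packet("192.0.2.10", "203.0.113.5", 50000, 80, b"GET /index.html HTTP/1.1\r\n"),
        build_packet("198.51.100.7", "203.0.113.5", 40000, 80, b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n"),
    ]
    for port in (21, 22, 23, 25, 80, 110, 143):
        pkts.append(build_packet("198.51.100.9", "203.0.113.5", 41000 + port, port))
    return pkts


if __name__ == "__main__":
    for alert in run_ids(sample_traffic()):
        print(alert)
```

The signature rule only fires on a payload it can read, which is the encrypted-traffic limitation the slides raise; the anomaly rule needs no payload at all and still catches the port sweep, which is why combining the two gives better coverage than either alone. The baseline of five ports is a placeholder; a real deployment derives it from observed normal traffic.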
Teardrop attack
• A teardrop attack is a denial of service (DoS) attack.
• This attack causes fragmented packets to overlap one another on receipt at the host; the host attempts to reconstruct them but fails.
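As an added example (not from the slides), a reassembly-aware check over constructed fragment records that flags the condition described above, overlapping fragment ranges, and also a range that would push the datagram past the 65535-byte IPv4 maximum. A packet-by-packet IDS with no reassembly state cannot see either, which is the limitation the slides point out; a sensor that tracks fragments per datagram can flag the set before the host tries to reassemble it. Offsets are given in bytes here (the IPv4 header field is in 8-byte units, so multiply by 8 before calling), and the datagram ids and lengths are invented.

```python
"""Added example, not from the slides: flag fragment sets that cannot be
reassembled cleanly (overlapping ranges, or a range beyond the IPv4 maximum).
Only fragment records are handled; no packets are built or sent."""
from collections import defaultdict

MAX_DATAGRAM = 65535  # largest IPv4 datagram; a fragment ending past this cannot be valid


def inspect_fragments(fragments):
    """fragments: iterable of (datagram_id, offset_bytes, length_bytes).
    Returns {datagram_id: [reason, ...]} for every datagram with a problem."""
    by_id = defaultdict(list)
    for frag in fragments:
        by_id[frag[0]].append(frag)
    findings = {}
    for did, frags in by_id.items():
        reasons = []
        frags.sort(key=lambda f: f[1])   # walk fragments in offset order
        covered_end = 0                  # highest byte already claimed by an earlier fragment
        for _, offset, length in frags:
            if offset < covered_end:
                reasons.append(f"fragment at {offset} overlaps data already covered up to {covered_end}")
            if offset + length > MAX_DATAGRAM:
                reasons.append(f"fragment at {offset} ends at {offset + length}, beyond {MAX_DATAGRAM}")
            covered_end = max(covered_end, offset + length)
        if reasons:
            findings[did] = reasons
    return findings


def sample_fragments():
    """Constructed fragment records for three datagrams."""
    return [
        # datagram 1: a normal three-fragment datagram with contiguous ranges
        (1, 0, 1480), (1, 1480, 1480), (1, 2960, 520),
        # datagram 2: second fragment starts inside the first, the teardrop condition
        (2, 0, 36), (2, 24, 36),
        # datagram 3: last fragment would extend the datagram past 65535 bytes
        (3, 0, 1480), (3, 65500, 100),
    ]


if __name__ == "__main__":
    for did, reasons in inspect_fragments(sample_fragments()).items():
        print(did, reasons)
```

Because the check runs on the fragment set rather than on each packet in isolation, it needs per-datagram state keyed on the IP identification field and a timeout for sets that never complete; without that bound, the state table itself becomes a resource-exhaustion target.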
IDS & Network Security policy
• IDS should be seen as an important layer in the company's "defense in depth" strategy.
• A well defined high level security policy covering what is & isn't permitted on the company's systems & network. This includes things such as password policy, which of the internet facilities staff may access etc.
• Low level platform specific policies detailing how the high level strategy is to be implemented.
- e.g. how to configure password management subsystems on your NT and UNIX servers.
• Documented procedures for staff to follow.
- e.g. the help desk receives numerous calls one morning from staff complaining that their accounts have been disabled, & the system logs show repeated failed login attempts on all the systems.
• Regular audits to confirm that the policies have been enacted & that the defences are adequate for the level of risk you are exposed to.
- e.g. performing regular network scans from outside the organization's firewall to determine what ports are open and how much information the firewalls & routers leak.
• Available staff skilled in the operation & monitoring of built in security tools installed on servers & network devices.
- e.g. if the staff currently do not have the time to check the firewall & router logs, IDS alerts are unlikely to be acted upon in a timely manner.
THANKS…