To analyze and explain the IDS placement in network topology, to explain the relationship...
Posted on 19-Dec-2015
INTRUSION DETECTION SYSTEM
OBJECTIVES
To analyze and explain the IDS placement in network topology
To explain the relationship between honey pots and IDS
To explain, analyze and evaluate the IDS policy
OUTLINE
- IDS location
- Honey pots vs. IDS
- IDS policy
IDS LOCATION
NIDS (e.g. Snort or Cisco Secure IDS)
- Monitors network traffic for suspicious activity
- Often resides on subnets that are directly connected to the firewall, as well as at critical points on the internal network
HIDS (e.g. Tripwire or ISS BlackICE)
- Resides on and monitors individual hosts
mms©
IDS LOCATION
An IDS is like a burglar alarm system in the network: it detects and alerts on malicious events.
- Many different IDS sensors are placed at strategic points in your network
- They watch for predefined signatures of malicious events, and might also perform statistical and anomaly analysis
- When suspicious events are detected, the IDS alerts in several different ways, e.g. email, paging, or simply logging the occurrence
- Sensors report to a central database that correlates their information to view the network from multiple points
IDS LOCATION
Placement depends on:
- your network topology
- what type of intrusion activities you want to detect: internal, external, or both
- your security policy
IDS LOCATION
Example scenario: you want to detect only external intrusion activities and have only one router connecting to the Internet.
Recommendation: the best place for the IDS may be just inside the router or a firewall.
- If you have multiple paths to the Internet, you may want to place one IDS box at every entry point.
- However, if you want to detect internal threats as well, you may want to place a box in every network segment.
IDS LOCATION
Typical locations for an IDS:
- Behind each firewall and router
- If your network contains a DMZ (demilitarized zone), an IDS may be placed in that zone as well
- However, the alert generation policy should not be as strict in a DMZ compared to private parts of the network
COMPLETE NIDS
Consists of:
- Snort: data is captured and analyzed
- MySQL: DB based on the data captured by Snort
- Apache web server, with help from ACID, PHP and PHPLOT: displays the data in browser windows to the user
[Figure: complete NIDS architecture. An intruder tries to attack hosts present on this network; the Snort server captures the intruder data and stores it in the MySQL database using an output plug-in; an Apache web server with PHP, GD Library and PHPLOT installed serves it; a user looks at the intrusion data collected by Snort through a web browser.]
NIDS IN A SINGLE MACHINE
You can build a single computer with Snort, MySQL, Apache, ACID, PHP, PHPLOT, and GD library
[Figure: single-machine NIDS. An intruder tries to attack hosts present on this network; a single computer with Snort, MySQL, Apache, ACID, PHPLOT and the GD library installed captures and stores the data; a user looks at the intrusion data collected by Snort through a web browser.]
MULTIPLE SNORT SENSORS
- In the enterprise, have multiple Snort sensors behind every router or firewall.
- In that case, a single centralized DB can collect data from all sensors.
- The Apache web server can run on this centralized DB server.
[Figure: multiple Snort sensors, each on its own segment, report across the network cloud to a centralized DB server running MySQL, Apache, ACID, PHPLOT and the GD library; a user looks at the intrusion data collected by Snort through a web browser.]
EXAMPLE IDS - SNORT
Sniffer, packet logger and IDS.
- Free and open source IDS
- Monitors network traffic
- Scans for protocol anomalies
- Scans for packet payload signatures that represent potential attacks, worms, and unusual activities
- Monitoring consoles available
- Can be configured as an IPS
SNORT
[Figure: Snort NIDS data flow. Inputs: live network traffic or previously logged network traffic, together with the Snort rules. Outputs: network traffic log, alerts (file), alerts (database).]
SNORT PLACEMENT
Snort tap placement:
- Natural choke points: areas where the network topology creates a single traffic path
- Artificial choke points: exist due to the logical topology of the network
- Intranet trust/un-trust zone boundaries: similar to natural choke points but intra-network
SNORT RULE - FORMAT
<rule action> <protocol> [!]<source ip> [!]<source port> <direction> <dest ip> <dest port> <rule options>
Snort is primarily a signature-based detection engine. Example: [figure]
While matches are indicative of attacks, leaks, and protocol violations, false positives are also generated.
SNORT RULES
Example 1: "log TCP traffic from any port going to ports less than or equal to 6000"
log tcp any any -> 192.168.1.0/24 :6000
Example 2: RPC alert call (the msg option value is quoted, as Snort requires)
alert tcp any any -> 192.168.1.0/24 111 (rpc:100000,*,3; msg:"RPC getport (TCP)";)
See the Snort Users Manual for more information.
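The following parser and matcher for the rule header format above is an added example, not code from the slides or from Snort itself. It handles the constructs the slides use (any, CIDR addresses, port ranges such as :6000, the ! negation and the option list) and generalizes to the bidirectional <> operator; Snort variables such as $HOME_NET and the semantics of options like rpc are out of scope, and the two rules at the bottom are the slide's own examples.

```python
import ipaddress
import re

# Header regex for the rule format on the slide:
# <action> <proto> [!]<src ip> [!]<src port> <direction> <dst ip> <dst port> (<options>)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?:\((?P<opts>.*)\))?\s*$")

def parse_rule(text):
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % text)
    rule = m.groupdict()
    opts = {}                                    # options are "name:value;" pairs
    for item in filter(None, (s.strip() for s in (rule.pop("opts") or "").split(";"))):
        name, _, value = item.partition(":")     # partition: a msg value may contain ':' itself
        opts[name.strip()] = value.strip().strip('"')
    rule["options"] = opts
    return rule

def _ip_matches(spec, ip):
    neg = spec.startswith("!")                   # leading "!" negates the address
    spec = spec.lstrip("!")
    hit = spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != neg

def _port_matches(spec, port):
    neg = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    elif ":" in spec:                            # ranges such as 1:1024, :6000 or 1024:
        lo, _, hi = spec.partition(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != neg

def rule_matches(rule, proto, src_ip, src_port, dst_ip, dst_port):
    """Return the rule action if the 5-tuple matches the header (both ways for '<>'), else None."""
    if rule["proto"] not in ("ip", proto):
        return None
    def one_way(s_ip, s_port, d_ip, d_port):
        return (_ip_matches(rule["src"], s_ip) and _port_matches(rule["sport"], s_port)
                and _ip_matches(rule["dst"], d_ip) and _port_matches(rule["dport"], d_port))
    hit = one_way(src_ip, src_port, dst_ip, dst_port) or (
        rule["dir"] == "<>" and one_way(dst_ip, dst_port, src_ip, src_port))
    return rule["action"] if hit else None

# The two rules from the slide above
RULES = [parse_rule("log tcp any any -> 192.168.1.0/24 :6000"),
         parse_rule('alert tcp any any -> 192.168.1.0/24 111 (rpc:100000,*,3; msg:"RPC getport (TCP)";)')]
```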
HOW TO MONITOR?
BASE (Basic Analysis and Security Engine) shows:
- Number of unique alerts
- Alerts ordered by category
- Today's alerts
- Most frequent source/destination ports
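As an added example (not part of the slides or of BASE), the same overview computed directly from Snort's "fast" alert file, which is the data BASE reads from the database. The alert lines are constructed samples using local-rule SIDs and private addresses; the parser keeps a count of lines it cannot parse rather than dropping them silently.

```python
import re
from collections import Counter

# One line of Snort "fast" alert output (alert_fast), the data BASE summarizes:
# MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s+(?P<cls>[^\]]+)\])?\s+\[Priority:\s+(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$")

def parse_alert(line):
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None

def summarize(lines, today):
    """BASE-style overview: unique alerts, alerts per category, today's alerts, top src/dst ports."""
    sids, categories, sports, dports = set(), Counter(), Counter(), Counter()
    today_count = unparsed = 0
    for line in lines:
        a = parse_alert(line)
        if a is None:
            unparsed += 1                  # count, never silently drop: a bad line may hide an alert
            continue
        sids.add(a["sid"])                 # gid:sid:rev identifies the signature
        categories[a["cls"] or "unclassified"] += 1
        if a["ts"].startswith(today + "-"):
            today_count += 1
        if a["sport"]:                     # ICMP alerts carry no ports
            sports[int(a["sport"])] += 1
            dports[int(a["dport"])] += 1
    return {"unique_alerts": len(sids), "by_category": dict(categories), "today": today_count,
            "top_src_ports": sports.most_common(3), "top_dst_ports": dports.most_common(3),
            "unparsed": unparsed}

# Constructed sample alerts (local-rule SIDs >= 1000000, private addresses), not captured data
SAMPLE_ALERTS = """\
12/19-10:01:02.123456  [**] [1:1000001:1] RPC getport (TCP) [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:4444 -> 192.168.1.10:111
12/19-10:01:03.000001  [**] [1:1000001:1] RPC getport (TCP) [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:4445 -> 192.168.1.11:111
12/19-10:05:40.500000  [**] [1:1000002:1] SMB share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.0.0.7:1043 -> 192.168.1.20:445
12/18-23:59:59.999999  [**] [1:1000003:1] ICMP PING sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.9 -> 192.168.1.10
this line is not an alert
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE_ALERTS, today="12/19"))
```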
WORM PROPAGATION ANALYSIS EXAMPLE
HONEY POTS
A honey pot is a system that is deliberately named and configured so as to invite attack.
Goals:
- Make it look inviting
- Make it look weak and easy to crack
- Instrument every piece of the system
- Monitor all traffic going in or out
- Alert the administrator whenever someone accesses the system
Trivial honey pots can be built using tools like tcpwrapper and restricted/logging shells (sudo, adminshell).
HONEY POTS
Pros: easy to implement, easy to understand, reliable, no performance cost.
Cons: assumes hackers are really stupid. They aren't!
HONEY POTS
When should you install one?
- If your organization has enough resources (hardware and personnel) to track down hackers. Otherwise there is no need to install a honey pot, as you can't use the data.
- A honey pot is useful only if you want to use the information gathered.
- Also if you want to prosecute hackers by gathering evidence of their activities.
HONEY POTS - REFERENCES
- project.honeypot.org/
- Honeyd: www.citi.umich.edu/u/provos/honeyd
- South Florida Honeynet Project: www.sfhn.net
- etc...
IDS POLICY
Before you install an IDS on your network, you must have a policy to detect intruders and take action when you find such activity. The policy must dictate the IDS rules and how they will be applied. Depending upon your requirements, it covers:
- Who will monitor the IDS
- Who will administer the IDS, rotate logs and so on
- Who will handle incidents and how
- What the escalation process will be (level 1, level 2, and so on)
- Reporting
- Signature updates
- Documentation, which is required for every project
SUMMARY
- Snort provides another tool in the toolkit and can help provide information about exactly who is talking to whom on the network.
- The usage of different types of IDS depends on the type of user/organization.
- Each type of IDS has its own strengths and weaknesses.
- Where to position the IDS in the network depends on your network topology and the type of intrusion activities you want to detect.
- Based on the IDS policy you will get a clear idea of how many IDS sensors and other resources are required for your network.