Intrusion Detection and Prevention Systems (personal.utulsa.edu/~james-childress/cs5493/...)

Posted on 27-Jun-2020


Intrusion Detection and Prevention Systems

Jim Thavisay

University of Tulsa

SFS Cyber Corps

Security+, CNSS, NSTISSI

Overview

• Intrusion Detection and Prevention Systems

• Documentation

• Types of IDS/IPS

• Available Tools

• Sample Implementation

• Concerns

• IDS/IPS Evasion

• Development Needs

Intrusion Detection and Prevention Systems

• “Intrusion detection is a process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats…” (NIST SP800-94, 2007)

Documentation

• National Security Agency (NSA)

– Factsheet: Best Practices for Keeping Your Home Network Secure

– Highlight: Install a comprehensive host-based security suite

• National Institute of Standards and Technology (NIST)

– Guide to Intrusion Detection and Prevention Systems (SP800-94)

Types of IDS/IPS

• Signature

• Anomaly (Non-baseline activities)

• Stateful Protocol (Appropriate protocol usage)

• Logging

• Detection

• Prevention

• Host

• Network
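The first three items above are the detection methods NIST SP800-94 distinguishes. As an added example (not code from the slides or from any real IDS), the following Python shows each method as a small check over constructed sample events: a signature rule set, an anomaly check against a per-source baseline, and a stateful check of a simplified SMTP command sequence. The rules, the baseline numbers and the SMTP state table are assumptions made for the example.

```python
"""Three IDS detection methods side by side, run over constructed sample data.

Added example for this page; not code from the slides or from any real IDS.
"""
import re
from collections import Counter

# --- 1. Signature-based: match known-bad patterns against each event --------
# Constructed rules, standing in for a real Snort/OSSEC rule set.
SIGNATURE_RULES = {
    "path-traversal": re.compile(r"\.\./\.\./"),
    "sqli-tautology": re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE),
}

def signature_alerts(events, rules=SIGNATURE_RULES):
    """Return (rule_name, event) for every event matching a known pattern."""
    hits = []
    for event in events:
        for name, pattern in rules.items():
            if pattern.search(event):
                hits.append((name, event))
    return hits

# --- 2. Anomaly-based: flag sources that depart from their baseline ----------
def anomaly_alerts(events, baseline, factor=3.0):
    """Flag a source whose request count exceeds factor x its learned baseline.

    `baseline` maps source -> normal request count per window. The numbers
    used here are constructed; a real system learns them from past traffic.
    """
    counts = Counter(line.split()[0] for line in events)
    return sorted(src for src, n in counts.items()
                  if n > factor * baseline.get(src, 1))

# --- 3. Stateful protocol analysis: commands must respect protocol state -----
# Simplified SMTP state machine (assumption): HELO -> MAIL -> RCPT -> DATA.
SMTP_NEXT = {
    "START": {"HELO"},
    "HELO": {"MAIL"},
    "MAIL": {"RCPT"},
    "RCPT": {"RCPT", "DATA"},
    "DATA": {"MAIL"},
}

def protocol_violations(commands):
    """Return commands sent in a state where the protocol does not allow them."""
    state, violations = "START", []
    for cmd in commands:
        verb = cmd.split()[0].upper()
        if verb == "QUIT":
            break
        if verb in SMTP_NEXT.get(state, set()):
            state = verb
        else:
            violations.append(cmd)
    return violations

# Constructed sample input ---------------------------------------------------
WEB_EVENTS = [
    "10.0.0.5 GET /index.html 200",
    "10.0.0.5 GET /about.html 200",
    "10.0.0.9 GET /index.html 200",
    "10.0.0.7 GET /cgi-bin/view?file=../../etc/passwd 404",
    "10.0.0.8 GET /login?user=admin' or '1'='1 200",
] + ["10.0.0.9 GET /search?q=%d 200" % i for i in range(20)]  # burst from one host
BASELINE = {"10.0.0.5": 4, "10.0.0.9": 5, "10.0.0.7": 2, "10.0.0.8": 2}
SMTP_SESSION = ["HELO mail.example.test", "MAIL FROM:<a@example.test>",
                "DATA", "RCPT TO:<b@example.test>", "QUIT"]

if __name__ == "__main__":
    print("signature:", signature_alerts(WEB_EVENTS))
    print("anomaly:", anomaly_alerts(WEB_EVENTS, BASELINE))
    print("protocol:", protocol_violations(SMTP_SESSION))
```

The three checks fail in different ways, which is why the slides list all of them: the signature rules see only what they were written for, the anomaly check needs a trustworthy baseline and will miss a slow attacker who stays under it, and the protocol check catches misuse of a protocol regardless of payload but only for protocols it models.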

Available Tools

• OSSEC (IDS/IPS)

• Snort (IDS/IPS)

• OSSIM (SIEM)

• Splunk (SIEM)

• Sguil (NetSec Monitoring)

• Arcsight SIEM Platform (NetSec Monitoring)

• HoneyD (Honeypot)

• Hippo (Logs brute force SSH Attacks)

• PortSentry (Detects/Prevents Port Scanning)

Sample Implementation

• Tools

– Webmin

– PortSentry

– Nmap

– Wireshark

• OS

– Ubuntu 11.04 (Oneiric Ocelot)

Tools: Webmin

Tools: PortSentry

Tools: PortSentry, cont’d

Tools: Nmap

• Nmap

– sudo nmap -v 192.168.1.100

– sudo nmap -v 192.168.1.100 -S 192.168.1.192 -e wlan0
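In the sample implementation, the Nmap scans above are the test traffic and PortSentry on the Ubuntu host is what should detect and block them. As an added example (not PortSentry's code and not from the slides), the following Python implements the two triggers PortSentry is known for, over constructed connection-log lines: a "tripwire" trigger for any connection to a port the host never serves, and a threshold trigger for one source touching many distinct ports inside a short window. The log format, the tripwire port list, the window and the threshold are assumptions made for the example; the addresses reuse the ones in the Nmap commands.

```python
"""Port-scan detection in the PortSentry style, over constructed connection logs.

Added example for this page; not PortSentry's own code.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines: timestamp, source, destination host:port. 192.168.1.100
# is the monitored host; 192.168.1.192 plays the scanning host from the slides.
CONN_LOG = [
    "2020-06-27T10:00:00 192.168.1.192 -> 192.168.1.100:80",
    "2020-06-27T10:00:01 192.168.1.50 -> 192.168.1.100:22",
    "2020-06-27T10:00:02 192.168.1.192 -> 192.168.1.100:21",
    "2020-06-27T10:00:02 192.168.1.192 -> 192.168.1.100:23",
    "2020-06-27T10:00:03 192.168.1.192 -> 192.168.1.100:25",
    "2020-06-27T10:00:03 192.168.1.192 -> 192.168.1.100:110",
    "2020-06-27T10:00:04 192.168.1.192 -> 192.168.1.100:143",
    "2020-06-27T10:00:05 192.168.1.50 -> 192.168.1.100:80",
    "2020-06-27T10:00:40 192.168.1.60 -> 192.168.1.100:31337",
]

# Ports this host does not serve (assumption); PortSentry binds such ports so
# that any connection to them is by definition a probe.
TRIPWIRE_PORTS = {1, 11, 15, 111, 31337}

def parse(line):
    """Split one constructed log line into (time, source, destination port)."""
    ts, src, _, dst = line.split()
    return datetime.fromisoformat(ts), src, int(dst.rsplit(":", 1)[1])

def detect_scans(lines, window=timedelta(seconds=10), threshold=5,
                 tripwires=TRIPWIRE_PORTS):
    """Return (alerts, block_list).

    alerts:     list of (source, reason), one per source, in detection order.
    block_list: the sources a prevention mode would drop from then on; later
                lines from a blocked source are ignored, as dropped packets would be.
    """
    recent = defaultdict(deque)   # source -> (time, port) pairs inside the window
    blocked, alerts = set(), []
    for line in lines:
        t, src, port = parse(line)
        if src in blocked:
            continue               # prevention: packet dropped, nothing to evaluate
        reason = None
        if port in tripwires:
            reason = "tripwire port %d" % port
        else:
            q = recent[src]
            q.append((t, port))
            while q and t - q[0][0] > window:   # slide the window forward
                q.popleft()
            distinct = len({p for _, p in q})
            if distinct >= threshold:
                reason = "%d distinct ports within %ds" % (distinct, window.seconds)
        if reason:
            alerts.append((src, reason))
            blocked.add(src)
    return alerts, sorted(blocked)

if __name__ == "__main__":
    for src, why in detect_scans(CONN_LOG)[0]:
        print("ALERT %s: %s" % (src, why))
```

A default `nmap` run probes its top 1000 ports, so either trigger fires within the first few packets; the threshold trigger matters for slower scans that avoid unused ports. The block list is the point where this becomes prevention rather than detection, and it is also where the "Spoofing" concern in the evasion slide bites: a source address that can be forged (the `-S` option in the second Nmap command) can be used to get a legitimate address onto the block list, so automatic blocking needs an allow-list of addresses that must never be dropped.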

Wireshark Capture

Thresholds

• Compatibility

– Software/OS/Hardware

• User-friendly Interface

– Home users / "Average Joes"

• Evasion

IDS/IPS Evasion

• String Matching Weaknesses

• Polymorphic Shellcode

• Session Splicing

• Fragmentation Attacks

• Fragmentation Overlap

• Snort Signatures

• Denial-of-Service

• Spoofing

• 0-day Attacks
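Several of the items above (string matching weaknesses, session splicing, fragmentation and fragmentation overlap) share one root cause: a sensor that matches signatures against individual packets sees a different byte sequence than the receiving host does. As an added example (not from the slides or from Snort), the following Python contrasts a naive per-segment matcher with one that reassembles each flow by sequence number before matching, and shows why the sensor's overlap policy has to agree with the host's. The signature string, the segment layout and the "first"/"last" overlap policies are assumptions made for the example; real stacks have several more policies than these two.

```python
"""Per-packet matching versus stream reassembly, over constructed TCP-style segments.

Added example for this page; not code from Snort or the slides.
"""
from collections import defaultdict

# Constructed content signature a naive rule would look for in HTTP requests.
SIGNATURE = b"/etc/passwd"

# Segments are (flow_id, sequence_offset, payload), listed in arrival order.
# Flow A carries one request split across three segments that arrive out of
# order; flow B is an ordinary request.
SPLICED = [
    ("flowA", 0, b"GET /cgi-bin/view?f=/et"),
    ("flowA", 28, b"swd HTTP/1.0\r\n"),
    ("flowA", 23, b"c/pas"),
    ("flowB", 0, b"GET /index.html HTTP/1.0\r\n"),
]

# Flow C carries two segments whose byte ranges overlap with different content.
OVERLAP = [
    ("flowC", 0, b"GET /cgi-bin/view?f=/etc/passwd"),
    ("flowC", 20, b"/tmp/x.txt HTTP/1.0\r\n"),
]

def per_packet_match(segments, sig=SIGNATURE):
    """Naive sensor: inspect each segment's payload on its own."""
    return [i for i, (_, _, payload) in enumerate(segments) if sig in payload]

def reassemble(segments, policy="first"):
    """Rebuild each flow's byte stream from its segments.

    policy="first": the first-arrived byte for an offset is kept.
    policy="last":  a later segment overwrites earlier bytes at that offset.
    Which one is right depends on the TCP stack of the receiving host; a
    sensor that guesses wrong inspects a stream the host never saw.
    """
    streams = defaultdict(dict)          # flow -> {offset: byte value}
    for flow, seq, payload in segments:
        for i, b in enumerate(payload):
            if policy == "first":
                streams[flow].setdefault(seq + i, b)
            else:
                streams[flow][seq + i] = b
    return {flow: bytes(v for _, v in sorted(d.items()))
            for flow, d in streams.items()}

def stream_match(segments, sig=SIGNATURE, policy="first"):
    """Stream-aware sensor: reassemble first, then match once per flow."""
    return sorted(flow for flow, data in reassemble(segments, policy).items()
                  if sig in data)

if __name__ == "__main__":
    print("per-packet hits:", per_packet_match(SPLICED))        # none
    print("stream hits:", stream_match(SPLICED))                # flowA
    for pol in ("first", "last"):
        print(pol, reassemble(OVERLAP, pol)["flowC"], stream_match(OVERLAP, policy=pol))
```

For the spliced flow the per-segment matcher reports nothing while the reassembled stream matches, which is the "Session Splicing" and "Fragmentation" entries in one picture. For the overlapping flow the two policies produce two different requests, only one of which contains the signature; that ambiguity is the "Fragmentation Overlap" entry, and the defensive answer is for the sensor to reassemble with the same policy as the protected host (Snort's stream preprocessor is configured per target OS for this reason) rather than to pick one policy globally.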

Development Needs

• Easy UI for home-users

• Professional concern:

– IDS/IPS services should be integrated by professionals so that the integrity of hosts and networks can be judged against baseline activity

Summary

• IDS/IPS

• Documentation available

• Types of IDS/IPS

• Available Applications

• Thresholds

• IDS/IPS Evasion

• Development Needs

References

• http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf

• http://www.symantec.com/connect/articles/ids-evasion-techniques-and-tactics

• http://en.wikipedia.org/wiki/Intrusion_detection_system_evasion_techniques

• http://www.nsa.gov/ia/_files/factsheets/Best_Practices_Datasheets.pdf

• http://rfc-ref.org/RFC-TEXTS/3514/kw-intrusion_detection_system.html

• http://sectools.org/tag/ids/

Questions?
