c. ids (intrusion detection system) - final
TRANSCRIPT
-
8/3/2019 C. IDS (Intrusion Detection System) - FINAL
8/5/20
IT Security
Paul Apolinar, Christian Chavez
RJ Favila, Arni Paragas
Jessica Mayuga
Abegail Soas

Defined by ICSA as:
The detection of intrusions or intrusion attempts, either manually or via software expert systems that operate on logs or other information available from the system or the network.
An intrusion is a deliberate, unauthorized attempt to access or manipulate information or systems and to render them unreliable or unusable.
When suspicious activity originates from your internal network it can also be classified as misuse.
Intrusion: attempting to break into or misuse your system.
Intruders may be from outside the network or legitimate users of the network.
An intrusion can be a physical, system or remote intrusion.
Intrusion Detection Systems are only one piece of the whole security puzzle.
An IDS must be supplemented by other security and protection mechanisms.
They are a very important part of your security architecture but do not solve all your problems.
Part of defense in depth.
An IDS is a dedicated assistant used to monitor the rest of the security infrastructure.
Today's security infrastructures are becoming extremely complex: they include firewalls, identification and authentication systems, access control products, virtual private networks, encryption products, virus scanners, and more. All of these tools perform functions essential to system security. Given their role they are also prime targets, and being managed by humans, they are prone to errors.
Failure of one of the above components of your security infrastructure jeopardizes the systems it is supposed to protect.
Not all traffic may go through a firewall, e.g. a modem on a user computer.
Not all threats originate from outside. As networks use more and more encryption, attackers will aim at the location where data is often stored unencrypted (the internal network).
A firewall does not protect appropriately against application-level weaknesses and attacks.
Firewalls are subject to attacks themselves.
Protects against misconfiguration or faults in other security mechanisms.
It's like security at the airport... You can put up all the fences in the world and have strict access control, but the biggest threat is all the PASSENGERS (packets) that you MUST let through! That's why there are metal detectors to detect what they may be hiding (packet content).
You have to let them get to the planes (your application) via the gate (port 80), but without X-rays and metal detectors you can't be sure what they have under their coats.
Firewalls are really good access control points, but they aren't really good for, or designed for, preventing intrusions.
That's why most security professionals back their firewalls up with an IDS, either behind the firewall or at the host.
What an IDS can do:
Monitor and analyse user and system activities
Audit system and configuration vulnerabilities
Assess the integrity of critical system and data files
Recognize patterns reflecting known attacks
Statistical analysis for abnormal activities
Data trail: tracing activities from the point of entry up to the point of exit
Installation of decoy servers (honey pots)
Installation of vendor patches (some IDS)
What an IDS cannot do:
Compensate for weak authentication and identification mechanisms
Investigate attacks without human intervention
Guess the content of your organization's security policy
Compensate for weaknesses in networking protocols, for example IP spoofing
Compensate for integrity or confidentiality of information
Analyze all traffic on a very high speed network
Deal adequately with attacks at the packet level
Deal adequately with modern network hardware
Attacks
Are unauthorized activity with malicious intent using specially crafted code or techniques. Includes DoS, virus or worm infections, buffer overflows, malcrafted requests, file corruption, malformed network packets, or unauthorized program execution.
Misuse
Refers to unauthorized events without specially crafted code.
In this case, the offending person used normally crafted traffic or requests and their implicit level of authorization to do something malicious.
Unintended consequences, like when a hapless new user overwrites a critical document with a blank page.
Network Protocol Attacks
Network protocols define the packet formatting and how the datagram is transmitted between source and destination.
Fragmentation and Reassembly Attacks
IP packets can be used in fragmentation attacks.
Attacks can use fragment offset values to cause the packets to maliciously reassemble and intentionally cover up the header and payload of the first fragment.
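The overlap the slide describes is easy to refuse at reassembly time. The following is an added example, not code from the slides or from any IDS product: a minimal IPv4 fragment reassembler that drops any datagram whose fragments overlap, with constructed fragments for a clean and an overlapping case.

```python
# Added example (not from the slides): a minimal IPv4 fragment reassembler that
# refuses overlapping fragments instead of letting a later fragment silently
# rewrite the header or payload of the first one. All fragments are constructed.

from dataclasses import dataclass

@dataclass
class Fragment:
    offset: int     # byte offset within the datagram (IP stores it in 8-byte units)
    more: bool      # MF flag: True while further fragments follow
    payload: bytes

def reassemble(frags):
    """Reassemble one datagram's fragments.

    Returns (status, data) where status is 'ok', 'overlap' or 'incomplete'.
    Any overlap is treated as hostile: a normal sender never produces one, so
    a defender drops the whole datagram rather than picking a reassembly policy.
    """
    seen = {}          # byte position -> value; makes overlaps trivial to spot
    total = None       # datagram length, known once the MF=0 fragment arrives
    for f in sorted(frags, key=lambda x: x.offset):
        for i, b in enumerate(f.payload):
            pos = f.offset + i
            if pos in seen:
                return "overlap", b""
            seen[pos] = b
        if not f.more:
            total = f.offset + len(f.payload)
    if total is None or any(p not in seen for p in range(total)) or len(seen) != total:
        return "incomplete", b""
    return "ok", bytes(seen[p] for p in range(total))

# Constructed fragments of a harmless HTTP request, split at byte 10.
CLEAN = [Fragment(0, True, b"GET /index"), Fragment(10, False, b".html\r\n")]
# Constructed overlapping pair: the second fragment starts at byte 4 and would
# overwrite the tail of the first fragment if the reassembler allowed it.
OVERLAP = [Fragment(0, True, b"GET /index"), Fragment(4, False, b"/other.html\r\n")]
```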
Application Attacks
They can be text commands used to exploit OS or application holes, or can contain malicious content such as a buffer overflow exploit, a maliciously crafted command, or a computer virus.
Include misappropriated passwords, password-cracking attempts, rootkit software, illegal data manipulation, unauthorized file access, and every other network attack that doesn't rely on malformed network packets to work.
Content Obfuscation
Code obfuscation is when programmers conceal the code's purpose or its logic to prevent tampering.
Crackers use encoding schemes to hide their malicious commands and content.
Although some experts will say that a properly defined IDS can catch any security threat, events involving misuse prove the most difficult to detect and prevent.
For example, if an outside hacker uses social engineering tricks to get the CEO's password, there aren't many IDSs that will notice.
If the webmaster accidentally posts a confidential document to a public directory available to the world, the IDS won't notice.
If a cracker uses the default password of an administrative account that should have been changed right after the system was installed, few IDSs will notice.
If a hacker gets inside the network and copies confidential files, that would be tough to notice.
IDS development began in the early 1980s but only started growing in the PC marketplace in the late 1990s.
Focuses almost exclusively on the benefit of early warning resulting from accurate detection.
The practical reality is that while most IDSs are considered fairly accurate, no IDS has ever been close to being perfectly accurate.
IDSs never get over 90% accuracy against a wide spectrum of real-world attack traffic. Most are in the 80% range.
When an IDS misses a legitimate threat, it is called a false negative.
A false positive is when the IDS says there is a security threat, but the traffic is not malicious or was never intended to be malicious.
Ex: when an IDS flags an e-mail as infected with a particular virus because it is looking for some key text known to be in the message body of the e-mail virus (for example, the phrase "see my wife's photos").
Features that may be more or less useful in different circumstances:
Return on investment
IDS type and detection model
End-user interface
IDS Management
Prevention Mechanisms
Performance
Logging and alerting
Reporting and analysis
While first-generation IDSs focused on accurate attack detection, second-generation IDSs do that and also work to simplify the administrator's life by offering a bountiful array of back-end options.
They offer
intuitive end-user interfaces,
intrusion prevention,
centralized device management,
event correlation, and
data analysis.
This generation of IDSs does more than just detect attacks: they sort, prevent and attempt to add as much value as they can beyond mere detection.
Tip: to increase your odds of a successful IDS deployment, for every hour you spend looking at cool detection signatures, spend an hour planning and configuring your logging, reporting, and analysis tools.
But when configuring the IDS, we have to justify its cost.
Host-based IDSs (HIDS) are installed on the host they are intended to monitor. The host can be a server, workstation, or any networked device (such as a printer, router or gateway).
While they have the ability to sniff network traffic intended for the monitored host, they excel at monitoring and reporting direct interactions at the application layer.
A HIDS can inspect each incoming command, looking for signs of maliciousness, or simply track unauthorized file changes. File-integrity HIDSs (sometimes called snapshot or checksum HIDSs) take a cryptographic hash of important files in a known clean state, and then check them again later for comparison.
If any changes are noted, the administrator is alerted.
Ex: Tripwire (www.tripwire.com), Pedestal Software's INTACT (www.pedestalsoftware.com)
Behavior-monitoring HIDSs do real-time monitoring and will intercept potentially malicious behavior. For instance, a Windows HIDS will report on
attempts to modify the registry,
file manipulations,
system access,
password changes,
privilege escalations,
and other direct modifications to the host.
Examples of behavior-monitoring HIDS:
Cisco's IDS Host Sensor (www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/prodlit/hid25_ds.htm)
Okena's StormWatch (www.okena.com)
Entercept Security Technologies' IDS solutions (www.entercept.com)
Network-based IDSs are designed to protect more than one host.
They can protect a group of computer hosts, like a server farm, or monitor an entire network.
Captured traffic is compared against protocol specifications and normal traffic trends, or the packet's payload data is examined for malicious content. If a security threat is noted, the event is logged and an alert is generated.
HIDS advantages:
Monitor in terms of who accessed what
Can map problem activities to a specific user ID
System can track behavior changes associated with misuse
Can operate in an encrypted environment
Operates in switched networks
Monitoring load is distributed across multiple hosts and not on a single host, reporting only relevant data to a central console
HIDS disadvantages:
Cannot see all network activities
Running audit mechanisms adds load to the system; performance may be an issue
Audit trails can take lots of storage
OS vulnerabilities can undermine the effectiveness of agents
Agents are OS specific
Escalation of false positives
Greater deployment and maintenance cost
NIDS advantages:
Can get information quickly without any reconfiguration of computers or need to redirect logging mechanisms
Does not affect network or data sources
Monitors and detects network attacks or misuse in real time
Does not create system overhead
NIDS disadvantages:
Cannot scan protocols if the data is encrypted
Can infer from network traffic what is happening on a host but cannot tell the outcome
Hard to implement on fully switched networks
Has difficulties sustaining a network with a very large bandwidth
The 2nd generation IDSs go far beyond mere monitoring and alerting.
Examples:
Setting access controls
Requiring passwords
Enabling real-time antivirus scanning
Updating patches
Installing perimeter firewalls
The IDS is a mandatory inspection point with the ability to filter real-time traffic. It can:
Drop packets
Reset connections
Route suspicious traffic to quarantined areas for inspection
IDS placed to drop malicious packets before they can enter the network from the Internet.
Intruder Alert is the best intrusion-detection software: a host-based, real-time intrusion-monitoring system, succeeded
It detects unauthorized activity and security breaches and responds automatically.
You use Intruder Alert's central console to create, update, and deploy policies and securely collect and archive audit logs for incident analysis.
Symantec Endpoint Protection Manager
Symantec Information Foundation Mail Security
Snort is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Combining the benefits of signature, protocol and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide.
Snort is logically divided into multiple components. These components work together to detect particular attacks and to generate output in a required format from the detection system. A Snort-based IDS consists of the following major components:
Packet Decoder
Preprocessors
Detection Engine
Logging and Alerting System
Output Modules
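To make the component layout concrete, here is an added example (not Snort's code and not from the slides) of a toy pipeline with the same stages: decoder, preprocessor, detection engine and alerting. It also shows why the preprocessor matters for the content-obfuscation point made earlier: the constructed rules only match after URL decoding. The wire format, packets and rules are all constructed for the example.

```python
# Added example (not Snort's code): a toy pipeline mirroring the Snort component
# layout on the slide: packet decoder -> preprocessor -> detection engine ->
# alerting. The packets, wire format and rules below are constructed here.

from urllib.parse import unquote

# Constructed "captured" packets: a made-up summary format
# "src:sport>dst:dport|payload" keeps the decoder short.
RAW_PACKETS = [
    b"10.0.0.5:40001>10.0.0.1:80|GET /index.html HTTP/1.1",
    b"10.0.0.9:40002>10.0.0.1:80|GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.1",
]

# Constructed signature rules: (sid, destination port, content, message).
RULES = [
    (1000001, 80, "../", "WEB traversal attempt"),
    (1000002, 80, "/etc/passwd", "WEB sensitive file request"),
]

def decode(raw):
    """Packet decoder: split the constructed wire format into fields."""
    hdr, payload = raw.split(b"|", 1)
    src, dst = hdr.decode().split(">")
    dhost, dport = dst.split(":")
    return {"src": src, "dst": dhost, "dport": int(dport),
            "payload": payload.decode(errors="replace")}

def preprocess(pkt):
    """Preprocessor: normalize URL encoding so encoded content still matches."""
    pkt["normalized"] = unquote(pkt["payload"])
    return pkt

def detect(pkt, rules):
    """Detection engine: sids of every rule whose port and content match."""
    return [sid for sid, port, content, _ in rules
            if pkt["dport"] == port and content in pkt["normalized"]]

def run(raw_packets, rules):
    """Logging/alerting: one alert record per (packet, matching rule)."""
    msgs = {sid: msg for sid, _, _, msg in rules}
    alerts = []
    for raw in raw_packets:
        pkt = preprocess(decode(raw))
        for sid in detect(pkt, rules):
            alerts.append({"sid": sid, "src": pkt["src"], "msg": msgs[sid]})
    return alerts
```

Without the preprocessing stage the second packet would pass: the literal rule content "../" never appears in its encoded payload.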
Snort IDS Console
Tripwire is an IDS solution for GNU/Linux systems.
Initially released in 1992.
A tool used by sysadmins to detect an intrusion by a hacker on a system.
Used to detect any changes made to your system by a hacker.
A useful tool for monitoring any change from the baseline configuration of a system.
Tripwire creates a known-state database of cryptographic checksums of all of your operating system and application software, and then periodically compares that known state against new tests.
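The checksum-baseline idea from the file-integrity HIDS slide and from this Tripwire description is small enough to show end to end. This is an added example, not Tripwire's code: it hashes every file under a directory into a baseline, then reports files that were added, removed or modified on a later run. The directory, file names and tampering are constructed in a temporary folder.

```python
# Added example (not Tripwire's code): a minimal file-integrity checker of the
# kind the HIDS and Tripwire slides describe. Sample files are constructed.

import hashlib, os, tempfile

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Baseline: relative path -> (sha256, size, mode) for every file under root."""
    db = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            db[os.path.relpath(full, root)] = (sha256_of(full), st.st_size, st.st_mode)
    return db

def compare(baseline, current):
    """Return the differences the administrator should be alerted about."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
    }

def write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)

def demo():
    """Build a constructed file tree, baseline it, tamper with it, re-check."""
    root = tempfile.mkdtemp()
    write(root, "bin/ls", b"original binary")
    write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
    baseline = snapshot(root)   # in practice stored read-only or off-host
    # Simulated tampering: a replaced binary, an unexpected new file, a deletion.
    write(root, "bin/ls", b"replaced binary")
    write(root, "etc/extra.conf", b"unexpected\n")
    os.remove(os.path.join(root, "etc", "passwd"))
    return compare(baseline, snapshot(root))
```

The baseline is only trustworthy if it was taken on a known-clean system and kept where an intruder on that host cannot rewrite it.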
Tripwire Configuration
Tripwire Sample Report
Although behavior-based intrusion detection is a relatively new technology, WatchGuard already has mechanisms in place within the firewall to identify known attack behaviors, such as:
Port scans and probes
Spoofing
SYN flood attacks
DoS and DDoS attacks
The misuse of IP options such as source routing
It utilizes highly innovative and sophisticated detection techniques including
stateful pattern recognition,
protocol parsing,
heuristic detection, and
anomaly detection,
that provide comprehensive protection from a variety of both known and unknown cyber threats.