C. IDS (Intrusion Detection System) - FINAL

Upload: paul-coaxial-smith

Post on 07-Apr-2018


  • 8/3/2019 C. IDS (Intrusion Detection System) - FINAL

    1/11

    8/5/20

    IT Security

    Paul Apolinar, Christian Chavez, RJ Favila, Arni Paragas, Jessica Mayuga, Abegail Soas

    Defined by ICSA as:

    The detection of intrusions or intrusion attempts, either manually or via software expert systems that operate on logs or other information available from the system or the network.

    An intrusion is a deliberate, unauthorized attempt to access or manipulate information or a system and to render it unreliable or unusable.

    When suspicious activity comes from your internal network it can also be classified as misuse.

    Intrusion: attempting to break into or misuse your system.

    Intruders may be from outside the network or legitimate users of the network.

    An intrusion can be a physical, system or remote intrusion.

    Intrusion Detection Systems are only one piece of the whole security puzzle.

    An IDS must be supplemented by other security and protection mechanisms.

    They are a very important part of your security architecture but do not solve all your problems.

    Part of defense in depth: IDS are a dedicated assistant used to monitor the rest of the security infrastructure.

    Today's security infrastructure is becoming extremely complex; it includes firewalls, identification and authentication systems, access control products, virtual private networks, encryption products, virus scanners, and more. All of these tools perform functions essential to system security. Given their role they are also prime targets and, being managed by humans, they are prone to errors.

    Failure of one of the above components of your security infrastructure jeopardizes the systems they are supposed to protect.

  • 2/11

    Not all traffic may go through a firewall, e.g. a modem on a user's computer.

    Not all threats originate from outside. As networks use more and more encryption, attackers will aim at the location where data is often stored unencrypted (the internal network).

    A firewall does not protect appropriately against application-level weaknesses and attacks.

    Firewalls are subject to attacks themselves.

    An IDS protects against misconfiguration or faults in other security mechanisms.

    It's like security at the airport... You can put up all the fences in the world and have strict access control, but the biggest threat is all the PASSENGERS (packets) that you MUST let through! That's why there are metal detectors, to detect what they may be hiding (packet content).

    You have to let them get to the planes (your application) via the gate (port 80), but without X-rays and metal detectors you can't be sure what they have under their coats.

    Firewalls are really good access control points, but they aren't really good for, or designed to, prevent intrusions.

    That's why most security professionals back their firewalls up with an IDS, either behind the firewall or at the host.

    What an IDS can do:

    Monitor and analyse user and system activities

    Audit system and configuration vulnerabilities

    Assess the integrity of critical system and data files

    Recognize patterns reflecting known attacks

    Statistical analysis for abnormal activities

    Data trail: tracing activities from the point of entry up to the point of exit

    Installation of decoy servers (honey pots)

    Installation of vendor patches (some IDS)

    What an IDS cannot do:

    Compensate for weak authentication and identification mechanisms

    Investigate attacks without human intervention

    Guess the content of your organization's security policy

    Compensate for weaknesses in networking protocols, for example IP spoofing

    Compensate for the integrity or confidentiality of information

    Analyze all traffic on a very high speed network

    Deal adequately with attacks at the packet level

    Deal adequately with modern network hardware

    Attacks

    Are unauthorized activity with malicious intent using specially crafted code or techniques. They include DoS, virus or worm infections, buffer overflows, malcrafted requests, file corruption, malformed network packets, or unauthorized program execution.

    Misuse

    Refers to unauthorized events without specially crafted code.

    In this case, the offending person used normally crafted traffic or requests and their implicit level of authorization to do something malicious.

    Also covers unintended consequences, like when a hapless new user overwrites a critical document with a blank page.

  • 3/11

    Network Protocol Attacks

    Network protocols define the packet formatting and how the datagram is transmitted between source and destination.

    Fragmentation and Reassembly Attacks

    IP packets can be used in fragmentation attacks. Attacks can use fragment offset values to cause the packets to maliciously reassemble and intentionally cover up the header and payload of the first fragment.
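The offset trick described above, worked through as an added example that is not part of the slides: a small reassembler rebuilds the datagram and flags overlapping fragments, distinguishing a consistent overlap from one that carries conflicting bytes. The fragments are constructed, and the first-arrival policy is an assumption for the example; real hosts differ in which fragment they honour, which is exactly why a detector should alert on conflicting overlaps rather than guess.

```python
"""Added example, not from the slides: IPv4 fragment reassembly with the
overlap check an IDS preprocessor performs.

Each fragment is modelled as (byte_offset, more_fragments, payload); the
sample fragments below are constructed. Real IPv4 fragment offsets are in
8-byte units, so byte offsets here must be multiples of 8.
"""
from typing import Dict, List, Tuple

Fragment = Tuple[int, bool, bytes]  # (byte offset, MF flag, payload)


def reassemble(fragments: List[Fragment]) -> Dict[str, object]:
    """Rebuild a datagram and record what an IDS should care about.

    overlap  - two fragments claimed the same byte range
    conflict - an overlapping range carried different bytes, so the result
               depends on which fragment the receiving host honours (the
               'cover up the first fragment' trick from the slide)
    gaps     - some byte range was never supplied (datagram incomplete)
    data     - the reassembled bytes, or None when gaps remain
    """
    values: Dict[int, int] = {}   # byte position -> byte value
    overlap = conflict = False
    for off, _mf, payload in fragments:
        if off % 8 != 0:
            raise ValueError("fragment offset must be a multiple of 8 bytes")
        for i, b in enumerate(payload):
            pos = off + i
            if pos in values:
                overlap = True
                if values[pos] != b:
                    conflict = True
                continue  # policy assumed for this example: first arrival wins
            values[pos] = b
    # Only a fragment with MF clear tells us where the datagram ends.
    ends = [off + len(p) for off, mf, p in fragments if not mf]
    if not ends:
        return {"data": None, "overlap": overlap, "conflict": conflict, "gaps": True}
    total = max(ends)
    gaps = any(pos not in values for pos in range(total))
    data = None if gaps else bytes(values[pos] for pos in range(total))
    return {"data": data, "overlap": overlap, "conflict": conflict, "gaps": gaps}


def classify(fragments: List[Fragment]) -> str:
    """Verdict a preprocessor would attach before handing data to detection."""
    r = reassemble(fragments)
    if r["conflict"]:
        return "overlap-conflict"   # alert: IDS and host may see different data
    if r["overlap"]:
        return "overlap"            # duplicate but consistent data
    if r["gaps"]:
        return "incomplete"
    return "ok"


# Constructed samples
FULL = b"GET /index.html HTTP/1.0\r\n\r\n"
CLEAN = [(0, True, FULL[:16]), (16, False, FULL[16:])]
# Second fragment starts inside the first one and rewrites bytes 8..15
CONFLICTING = [(0, True, b"GET /index.html "), (8, False, b"AAAAAAAA\r\n\r\n")]

if __name__ == "__main__":
    for name, frags in (("clean", CLEAN), ("conflicting", CONFLICTING)):
        print(name, classify(frags), reassemble(frags)["data"])
```

The point of returning both `overlap` and `conflict` is that only the second one is a reliable signal: retransmitted duplicates produce harmless consistent overlaps, while conflicting bytes mean the content the sensor inspected may not be the content the host executes.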

    Application Attacks

    These can be text commands used to exploit OS or application holes, or can contain malicious content such as a buffer overflow exploit, a maliciously crafted command, or a computer virus.

    They include misappropriated passwords, password-cracking attempts, rootkit software, illegal data manipulation, unauthorized file access, and every other network attack that doesn't rely on malformed network packets to work.

    Content Obfuscation

    Code obfuscation is when programmers conceal the code's purpose or its logic to prevent tampering.

    Crackers use encoding schemes to hide their malicious commands and content.

    Some experts will say that a properly defined IDS can catch any security threat, but events involving misuse prove the most difficult to detect and prevent.

    For example, if an outside hacker uses social engineering tricks to get the CEO's password, there aren't many IDSs that will notice.

    If the webmaster accidentally posts a confidential document to a public directory available to the world, the IDS won't notice.

    If a cracker uses the default password of an administrative account that should have been changed right after the system was installed, few IDSs will notice.

    If a hacker gets inside the network and copies confidential files, that would be tough to notice.

    IDS development began in the early 1980s but only started growing in the PC marketplace in the late 1990s.

    The first generation focused almost exclusively on the benefit of early warning resulting from accurate detection.

    The practical reality is that while most IDSs are considered fairly accurate, no IDS has ever been close to being perfectly accurate.

  • 4/11

    IDSs never get over 90% accuracy against a wide spectrum of real-world attack traffic. Most are in the 80% range.

    When an IDS misses a legitimate threat, it is called a false negative.

    A false positive is when the IDS says there is a security threat, but the traffic is not malicious or was never intended to be malicious.

    Ex: when an IDS flags an e-mail as infected with a particular virus because it is looking for some key text known to be in the message body of the e-mail virus (for example, the phrase "see my wifes photos").
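An added example (not from the slides) of the false-positive and false-negative accounting above, combined with the content-obfuscation point from the previous page: a signature matcher keyed on the slide's own example phrase is run over constructed, labelled messages, once on the raw text and once after a decoding step. The messages, their labels and the `normalize()` function are assumptions for the example; the innocent wedding message reproduces the slide's false-positive case, and the URL-encoded copy shows the false negative that a missing decoding step produces.

```python
"""Added example, not from the slides: a content-signature matcher of the
kind the e-mail example describes, with the decoding step that undoes cheap
content obfuscation, scored for false positives and false negatives.

The signature phrase is the slide's own example; the messages and their
malicious/benign labels are constructed.
"""
import re
import urllib.parse
from typing import Dict, List, Tuple

# Signature name -> phrase expected in the body of the mail worm
SIGNATURES: Dict[str, str] = {"mail-worm-phrase": "see my wifes photos"}

# (message body, is_malicious) - constructed, labelled as ground truth
SAMPLES: List[Tuple[str, bool]] = [
    ("Hi! See my wife's photos attached", True),                        # plain worm text
    ("see%20my%20wifes%20photos", True),                                # URL-encoded copy
    ("Hey Bob, did you see my wifes photos from the wedding?", False),  # innocent mail
    ("Quarterly report attached, see page 3.", False),                  # innocent mail
    ("Click here for your prize", True),                                # worm the rule set lacks
]


def normalize(payload: str) -> str:
    """Preprocessor step (assumed for this example): undo cheap encodings before matching."""
    text = urllib.parse.unquote(payload)  # %20 -> space, and so on
    text = text.lower()
    text = text.replace("'", "")          # wife's -> wifes
    return re.sub(r"\s+", " ", text)


def detect(payload: str, normalize_first: bool = True) -> List[str]:
    """Return the names of the signatures found in the payload."""
    text = normalize(payload) if normalize_first else payload
    return [name for name, phrase in SIGNATURES.items() if phrase in text]


def evaluate(samples: List[Tuple[str, bool]], normalize_first: bool = True) -> Dict[str, int]:
    """Confusion counts (tp/fp/fn/tn) for the matcher over labelled samples."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for body, malicious in samples:
        hit = bool(detect(body, normalize_first))
        if hit and malicious:
            counts["tp"] += 1
        elif hit:
            counts["fp"] += 1      # false positive: flagged, but the mail was innocent
        elif malicious:
            counts["fn"] += 1      # false negative: a real threat slipped through
        else:
            counts["tn"] += 1
    return counts


def accuracy(counts: Dict[str, int]) -> float:
    total = sum(counts.values())
    return (counts["tp"] + counts["tn"]) / total if total else 0.0


if __name__ == "__main__":
    for mode in (False, True):
        c = evaluate(SAMPLES, normalize_first=mode)
        print("normalized" if mode else "raw", c, f"accuracy={accuracy(c):.2f}")
```

Decoding raises accuracy from 0.2 to 0.6 on these samples, but the false positive on the wedding mail survives either way: no amount of normalization fixes a signature that matches benign text, which is why the slide warns that real-world accuracy stays well below 100%.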

    Features that may be more or less useful in different circumstances:

    Return on investment

    IDS type and detection model

    End-user interface

    IDS management

    Prevention mechanisms

    Performance

    Logging and alerting

    Reporting and analysis

    While first-generation IDSs focused on accurate attack detection, second-generation IDSs do that and work to simplify the administrator's life by offering a bountiful array of back-end options.

    They offer:

    intuitive end-user interfaces,

    intrusion prevention,

    centralized device management,

    event correlation, and

    data analysis.

    This generation of IDSs does more than just detect attacks: they sort, prevent and attempt to add as much value as they can beyond mere detection.

    Tips: to increase your odds of a successful IDS deployment, for every hour you spend looking at cool detection signatures, spend an hour planning and configuring your logging, reporting, and analysis tools.

    When configuring the IDS, we also have to justify its cost.

  • 5/11

    Host-based IDSs (HIDS) are installed on the host they are intended to monitor. The host can be a server, workstation, or any networked device (such as a printer, router or gateway).

    They have the ability to sniff network traffic intended for the monitored host, and they excel at monitoring and reporting direct interactions at the application layer.

    A HIDS can inspect each incoming command, looking for signs of maliciousness, or simply track unauthorized file changes. File-integrity HIDSs (sometimes called snapshot or checksum HIDSs) take a cryptographic hash of important files in a known clean state, and then check them again later for comparison.

    If any changes are noted, the administrator is alerted.

    Ex: Tripwire (www.tripwire.com), Pedestal Software's INTACT (www.pedestalsoftware.com)

    Behavior-monitoring HIDSs do real-time monitoring and will intercept potentially malicious behavior. For instance, a Windows HIDS will report on:

    attempts to modify the registry,

    file manipulations,

    system access,

    password changes,

    privilege escalations,

    and other direct modifications to the host.

    Examples of behavior-monitoring HIDS:

    Cisco's IDS Host Sensor (www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/prodlit/hid25_ds.htm)

    Okena's StormWatch (www.okena.com)

    Entercept Security Technologies' IDS solutions (www.entercept.com)

    Network-based IDSs are designed to protect more than one host. They can protect a group of computer hosts, like a server farm, or monitor an entire network.

    Captured traffic is compared against protocol specifications and normal traffic trends, or the packet's payload data is examined for malicious content. If a security threat is noted, the event is logged and an alert is generated.

  • 6/11

    Advantages of host-based IDS:

    Monitor in terms of who accessed what

    Can map problem activities to a specific user ID

    System can track behavior changes associated with misuse

    Can operate in an encrypted environment

    Operates in switched networks

    Monitoring load is distributed across multiple hosts and not on a single host, reporting only relevant data to the central console

    Disadvantages of host-based IDS:

    Cannot see all network activities

    Running audit mechanisms adds load to the system; performance may be an issue

    Audit trails can take lots of storage

    OS vulnerabilities can undermine the effectiveness of agents

    Agents are OS specific

    Escalation of false positives

    Greater deployment and maintenance cost

    Advantages of network-based IDS:

    Can get information quickly without any reconfiguration of computers or need to redirect logging mechanisms

    Does not affect network or data sources

    Monitors and detects network attacks or misuse in real time

    Does not create system overhead

    Disadvantages of network-based IDS:

    Cannot scan protocols if the data is encrypted

    Can infer from network traffic what is happening on a host but cannot tell the outcome

    Hard to implement on fully switched networks

    Has difficulty sustaining a network with a very large bandwidth

    The 2nd generation IDSs go far beyond mere monitoring and alerting.

    Examples:

    Setting access controls

    Requiring passwords

    Enabling real-time antivirus scanning

    Updating patches

    Installing perimeter firewalls

  • 7/11

    The IDS is a mandatory inspection point with the ability to filter real-time traffic. It can:

    Drop packets

    Reset connections

    Route suspicious traffic to quarantined areas for inspection

    IDS placed to drop malicious packets before they can enter the network. (diagram; the only surviving label is "Internet")

    Is the best intrusion-detection software: a host-based, real-time intrusion-monitoring system, succeeded

    Detects unauthorized activity and security breaches and responds automatically.

    You use Intruder Alert's central console to create, update, and deploy policies and securely collect and archive audit logs for incident analysis.

    Symantec Endpoint Protection Manager

    Symantec Information Foundation Mail Security

  • 8/11

    Snort is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Combining the benefits of signature, protocol and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide.

    Snort is logically divided into multiple components. These components work together to detect particular attacks and to generate output in a required format from the detection system. A Snort-based IDS consists of the following major components:

    Packet Decoder

    Preprocessors

    Detection Engine

    Logging and Alerting System

    Output Modules

    Snort
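The five components listed above, as an added toy pipeline that is not Snort's own code: a decoder parses IPv4/TCP headers from constructed raw packets, a preprocessor keeps state across packets to spot a port sweep (something no single-packet rule can express), a detection engine applies two constructed rules, and the logging/output stage formats alerts in a style that only approximates Snort's "fast" alert format. All addresses, ports, payloads, rule contents and SIDs are constructed for the example.

```python
"""Added example, not Snort's code: a toy pipeline with the same five stages
the slide lists (decoder, preprocessor, detection engine, logging and
alerting, output), run over constructed IPv4/TCP packets.

Rules, addresses and payloads are constructed; the alert lines only
approximate Snort's 'fast' output style.
"""
import socket
import struct
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

SYN, ACK, PSH = 0x02, 0x10, 0x08


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    payload: bytes


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, flags: int,
                   payload: bytes = b"") -> bytes:
    """Constructed test input: minimal IPv4 + TCP headers (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp + payload


def decode(raw: bytes) -> Packet:
    """Stage 1, packet decoder: pull the header fields out of the raw bytes."""
    ver_ihl, _, total, _, _, _, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 6:
        raise ValueError("this example decodes TCP only")
    sport, dport, _, _, off, flags, _, _, _ = struct.unpack("!HHIIBBHHH", raw[ihl:ihl + 20])
    doff = (off >> 4) * 4
    return Packet(socket.inet_ntoa(s), socket.inet_ntoa(d), sport, dport, flags,
                  raw[ihl + doff:total])


def portscan_preprocessor(packets: List[Packet], threshold: int = 5) -> List[str]:
    """Stage 2, preprocessor: a stateful check across packets.
    Flags a source that sends bare SYNs to more than `threshold` ports on one host."""
    probed: Dict[Tuple[str, str], Set[int]] = {}
    for p in packets:
        if p.flags & SYN and not p.flags & ACK:
            probed.setdefault((p.src, p.dst), set()).add(p.dport)
    return [f"[**] portscan: {src} probed {len(ports)} ports on {dst} [**]"
            for (src, dst), ports in probed.items() if len(ports) > threshold]


# Stage 3 input: (sid, destination port or None, required payload content or None, message)
RULES = [
    (1000001, 80, b"/etc/passwd", "WEB-MISC /etc/passwd access attempt"),
    (1000002, 23, None, "POLICY telnet connection attempt"),
]


def detection_engine(p: Packet) -> List[Tuple[int, str]]:
    """Stage 3: match one decoded packet against every rule."""
    hits = []
    for sid, port, content, msg in RULES:
        if port is not None and p.dport != port:
            continue
        if content is not None and content not in p.payload:
            continue
        hits.append((sid, msg))
    return hits


def format_alert(sid: int, msg: str, p: Packet) -> str:
    """Stages 4 and 5: one alert line in a Snort-like fast format."""
    return f"[**] [1:{sid}:1] {msg} [**] {{TCP}} {p.src}:{p.sport} -> {p.dst}:{p.dport}"


def run_ids(raw_packets: List[bytes]) -> List[str]:
    packets = [decode(r) for r in raw_packets]
    alerts = portscan_preprocessor(packets)
    for p in packets:
        for sid, msg in detection_engine(p):
            alerts.append(format_alert(sid, msg, p))
    return alerts


# Constructed traffic: a normal request, a flagged request, a telnet SYN, a port sweep
SAMPLE_TRAFFIC = [
    build_ipv4_tcp("10.0.0.7", "10.0.0.5", 40000, 80, PSH | ACK, b"GET /index.html HTTP/1.0\r\n\r\n"),
    build_ipv4_tcp("10.0.0.8", "10.0.0.5", 40001, 80, PSH | ACK, b"GET /etc/passwd HTTP/1.0\r\n\r\n"),
    build_ipv4_tcp("10.0.0.8", "10.0.0.5", 40002, 23, SYN),
] + [build_ipv4_tcp("10.0.0.9", "10.0.0.5", 50000 + i, i, SYN) for i in range(1, 8)]

if __name__ == "__main__":
    for line in run_ids(SAMPLE_TRAFFIC):
        print(line)
```

The split between stages is the instructive part: the decoder knows nothing about rules, the detection engine sees one packet at a time, and the only place a port sweep can be recognised is the preprocessor, because it is the only stage that remembers earlier packets.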

  • 9/11

    Snort IDS Console

    Tripwire is an IDS solution for GNU/Linux systems.

    Initially released in 1992.

    A tool used by sysadmins to detect an intrusion by a hacker on a system.

    Used to detect any changes made to your system by a hacker.

    A useful tool for monitoring any change from the baseline configuration of a system.

    Tripwire creates a known-state database of cryptographic checksums of all of your operating system and application software, and then periodically compares that known state against new tests.
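The snapshot-and-compare loop described here, and under file-integrity HIDSs on page 5, as an added example that is not Tripwire's own code: a baseline of SHA-256 digests is taken in a known-clean state, persisted outside the monitored tree, and later compared against a fresh scan to report added, removed and changed files. The directory layout, file contents and the tampering performed in `demo()` are constructed for the example.

```python
"""Added example, not Tripwire's code: the snapshot-and-compare check a
file-integrity HIDS runs, exercised in a constructed temporary directory.

Paths, file contents and the tampering performed in demo() are all
constructed for the example.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, streamed so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Known-state database: relative path -> digest, taken while the host is clean."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report what differs between the stored baseline and a fresh scan."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in baseline.keys() & current.keys()
                          if baseline[k] != current[k]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: snapshot, persist the database, tamper, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "fs"
        (root / "etc").mkdir(parents=True)
        (root / "bin").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "login").write_bytes(b"\x7fELF constructed stand-in\n")

        # The database lives outside the monitored tree; in a real deployment it is
        # kept read-only or offline so an intruder cannot rewrite it to match.
        db = Path(tmp) / "baseline.json"
        db.write_text(json.dumps(build_baseline(root)))

        # Later: a binary has been replaced and a new file has appeared
        (root / "bin" / "login").write_bytes(b"\x7fELF replaced stand-in\n")
        (root / "tmp").mkdir()
        (root / "tmp" / "dropped.sh").write_text("#!/bin/sh\n")

        return compare(json.loads(db.read_text()), build_baseline(root))


if __name__ == "__main__":
    print(demo())   # changed: bin/login, added: tmp/dropped.sh
```

The check is only as trustworthy as the stored baseline: if the database sits on the monitored host with the same write permissions as the files it describes, an intruder who replaces a binary can simply refresh the digest, so the database belongs on read-only or offline storage and the comparison should run from a clean tool, not from binaries on the host being checked.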

    Tripwire Configuration

    Tripwire Sample Report

  • 10/11

    Although behavior-based intrusion detection is a relatively new technology, WatchGuard already has mechanisms in place within the firewall to identify known attack behaviors, such as:

    Port scans and probes

    Spoofing

    SYN flood attacks

    DoS and DDoS attacks

    The misuse of IP options such as source routing

    It utilizes highly innovative and sophisticated detection techniques including

    stateful pattern recognition,

    protocol parsing,

    heuristic detection, and

    anomaly detection,

    that provide comprehensive protection from a variety of both known and unknown cyber threats.

  • 11/11