
Page 1: Internet Security Intrusion Detection Systems

Internet Security

Intrusion Detection Systems

© 2002 Enterprise Security Solutions, LLC.

Page 2: Internet Security Intrusion Detection Systems

Overview

• Need for Security - Regulations and Policy
• Logging and IDS Basics
• Architecture
• NIDS Issues
  – Speed and Management
  – Database
  – Technical Considerations
• NIDS Sampling
• Costs
• Configuration Issues
• HIDS and other IDS-like products

Page 3: Internet Security Intrusion Detection Systems

Why Security?

• Protect Investment
• Maintain Service
• Protect Reputation
• Protect against Unauthorized Disclosure
• Insurance Requirement
• Required by Regulations
• Lawsuits
• Regulatory Sanctions

Page 4: Internet Security Intrusion Detection Systems

Regulations

• Gramm-Leach-Bliley Act
  – Title V – Privacy
• FTC - Standards for Safeguarding Customer Information
  – 16 CFR Part 314
• Office of the Comptroller of the Currency (OCC)
  – Guidelines Establishing Standards For Safeguarding Customer Information
• FDIC
  – Guidelines Establishing Standards for Safeguarding Customer Information
• Federal Reserve
  – Guidelines Establishing Standards for Safeguarding Customer Information
• Department of the Treasury
  – Office of Thrift Supervision (OTS) Information

Page 5: Internet Security Intrusion Detection Systems

Items Covered in Regulations

• Manage and Control Risk by developing an information security program to control the identified risks (Policies and Procedures)
• Apply appropriate security measures:
  – Access controls
  – Encryption
  – Monitoring systems
  – Response programs
  – Disaster recovery measures
  – Training
  – Regular testing

Page 6: Internet Security Intrusion Detection Systems

Logical Steps of Security

Prevention → Detection → Response

Page 7: Internet Security Intrusion Detection Systems

Policy

• Acceptable use policy
• No expectation of privacy
• A requirement for successfully prosecuting those unauthorized users who improperly use a computer is that the computer must have a warning banner displayed at all access points. That banner must warn authorized and unauthorized users:
  1) about what is considered the proper use of the system,
  2) that the system is being monitored to detect improper use and other illicit activity,
  3) that there is no expectation of privacy while using this system.
• If no policy is in place, defaults to Personal Privacy Act (PPA) and 4th Amendment*
• Intrusion Response Policy

*Always consult your legal staff as regulations differ from state to state

Page 8: Internet Security Intrusion Detection Systems

Sample Warning Banner

This system is for the use of authorized users only. These systems and equipment are subject to monitoring to ensure proper functioning, to protect against improper or unauthorized use or access, and to verify the presence or performance of applicable security features or procedures, and for other like purposes. Such monitoring may result in the acquisition, recording, and analysis of all data being communicated, transmitted, processed or stored in this system by a user. If monitoring reveals evidence of possible criminal activity, such evidence may be provided to law enforcement personnel. Use of this system constitutes consent to such monitoring.

Page 9: Internet Security Intrusion Detection Systems

Common Sources of Logs

• Router (and many network elements)

• Firewall

• Host
  – operating system
  – application
  – file: hashing or digital signature
• Intrusion detection system (IDS)

Page 10: Internet Security Intrusion Detection Systems

Security Provided by IDS

• Detect Attacks
• More cost-effective to deal with attacks using intrusion detection than other methods
• Provide “Forensic Readiness”
  – Maximizing an environment’s ability to collect credible digital evidence
  – Minimizing the cost of forensics in an incident response

Page 11: Internet Security Intrusion Detection Systems

Types of IDS

• Network (NIDS)
• Host (HIDS)
• Hybrid

Page 12: Internet Security Intrusion Detection Systems

Types of NIDS

• Signature vs. Anomaly
  – Signature
    • raw data matching
    • preprocessors
  – Anomaly
    • CPU/device/process utilization
    • standard deviation
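The anomaly branch above is the kind of detector that learns what "normal" utilization looks like and alerts on statistical outliers. The following is an added example, not code from the slides: a toy monitor that keeps a sliding window of recent normal samples, summarizes them by mean and standard deviation, and flags a sample more than K standard deviations from the mean. Flagged samples are kept out of the window so that an ongoing spike does not quietly become the new baseline. The window size, the threshold K and all sample values are constructed assumptions.

```python
"""Toy anomaly-based utilisation monitor (added example, not from the slides)."""
from collections import deque
from statistics import mean, stdev


class UtilisationMonitor:
    def __init__(self, baseline, window=12, k=3.0):
        # window: number of recent normal samples kept; k: alert threshold in
        # standard deviations. Both are assumptions chosen for this example.
        if len(baseline) < 2:
            raise ValueError("need at least two baseline samples")
        self.window = deque(baseline, maxlen=window)
        self.k = k

    def profile(self):
        """Current (mean, standard deviation) of the normal-sample window."""
        return mean(self.window), stdev(self.window)

    def observe(self, value):
        """Return True if value is anomalous; otherwise absorb it into the window."""
        mu, sigma = self.profile()
        if sigma == 0:
            anomalous = value != mu
        else:
            anomalous = abs(value - mu) / sigma > self.k
        if not anomalous:          # only normal samples update the baseline
            self.window.append(value)
        return anomalous


# Constructed data: CPU utilisation (%) sampled once a minute. The first list
# is the learning period; the second ends with a sudden spike.
BASELINE = [12, 15, 11, 14, 13, 16, 12, 15, 14, 13, 12, 15]
LIVE = [13, 14, 12, 15, 48, 95]


def run(baseline=BASELINE, live=LIVE):
    """Feed the live samples through the monitor; return one bool per sample."""
    monitor = UtilisationMonitor(baseline)
    return [monitor.observe(v) for v in live]


if __name__ == "__main__":
    for value, flagged in zip(LIVE, run()):
        print("%3d%%  %s" % (value, "ALERT" if flagged else "ok"))
```

The design point worth noticing is the last line of `observe`: a detector that lets every sample into its baseline will, after a long enough attack, learn the attack as normal; excluding flagged samples is the simplest guard against that.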

Page 13: Internet Security Intrusion Detection Systems

Protocols used by NIDS

• IP
  – Except for encrypted protocols: SSL (tcp 443), SSH (tcp 22), telnet-SSL (tcp 992), other encrypted protocols, IPSec
• IPX and other protocols
  – use a protocol analyzer and filters

Page 14: Internet Security Intrusion Detection Systems

Architecture

• The placement of the IDS within the institution's system architecture should be carefully considered.
• The primary benefit of placing an IDS inside a firewall is the detection of attacks that penetrate the firewall as well as insider abuses.
• The primary benefit of placing an IDS outside of a firewall (Attack Sensor) is the ability to detect such activities as sweeping, which can be the first sign of attack; repeated failed log-in attempts; and attempted denial of service and spoofing attacks.
• Placing an IDS outside the firewall will also allow the monitoring of traffic that the firewall stops.

Page 15: Internet Security Intrusion Detection Systems

Architectural Issues

• Attack sensor
• Intrusion detection sensor
• Stealth vs. non-stealth
• Management networks
• Hubs vs. switches
• Switch firmware
• Taps

Page 16: Internet Security Intrusion Detection Systems

Figure: Typical IDS Deployment

Network path shown, from the outside in: Internet → Router → Internet Firewall → External subnet / Internet DMZ → Internal Firewall or Choke Router → Protected DMZ / Internal subnet.

Sensors and stores in the diagram:
• Attack Sensor (outside the Internet firewall) with its own Attack Database
• Internet DMZ IDS
• Protected DMZ IDS
• Internal Subnet IDS
• IDS Database (separate from the Attack Database)

Two sensor interfaces are labelled "Stealth".

Page 17: Internet Security Intrusion Detection Systems

Some NIDS products

• Cisco Catalyst IDS Module
• Cisco Secure IDS Network Sensor
• Computer Associates eTrust Intrusion Detection
• Enterasys Dragon IDS
• Internet Security Systems RealSecure
• Martin Roesch Snort
• NFR Network Intrusion Detection
• Symantec (Axent) Net Prowler

Page 18: Internet Security Intrusion Detection Systems

Speed and Management Issues

• Speed
  – Pre-processors
  – Signature matching
• Management
  – GUI
  – encrypted communications
  – heart-beat/watchdog
  – time synchronization
  – version updates
  – rule updates
  – Configuration

Page 19: Internet Security Intrusion Detection Systems

Alerting/Logging Issues

• Alerting capabilities
  – Log
  – Record session
  – Alert
  – Run program
  – Trigger secondary rules
  – SNMP
  – Page
  – WinPopUp

Page 20: Internet Security Intrusion Detection Systems

Database Issues

• Type
  – SQL
  – Access
  – Flat file
  – Proprietary
• Size
  – Maximum database size
  – Size vs. speed
• Centralized/de-centralized
  – Data forwarding

Page 21: Internet Security Intrusion Detection Systems

Technical Issues

• Resets (RSKill, FlexResp, etc.)
• Router/FW automated reconfiguration
• ARP spoof detection
• Fragment reassembly on different stacks

Page 22: Internet Security Intrusion Detection Systems

ARP Spoofing

Figure (slide 22): three hosts on one segment, before spoofing.
• Server: 00:60:00:dd:ee:ff, 192.168.0.10
• Client: 00:60:00:aa:bb:cc, 192.168.0.5
• Attacker: 00:60:00:12:34:56, 192.168.0.100

Page 23: Internet Security Intrusion Detection Systems

ARP Spoofing

Figure (slide 23): the same segment after spoofing.
• Server: 00:60:00:dd:ee:ff, 192.168.0.10
• Client: 00:60:00:aa:bb:cc, 192.168.0.5
• Attacker: 00:60:00:12:34:56, 192.168.0.99

Spoofed ARP mappings shown on the slide (the attacker's MAC now answers for both the server's and the client's IP address):
• 00:60:00:12:34:56 → 192.168.0.10
• 00:60:00:12:34:56 → 192.168.0.5
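What the two slides show is exactly the signal an ARP watch looks for: an IP address whose MAC changes, and one MAC answering for several addresses. The following is an added example, not code from the slides or from any product they list: a minimal ARP watch that remembers the MAC first seen for each IP, alerts when a later reply claims that IP from a different MAC, and reports MACs that have claimed more than one IP. The sequence of replies is constructed to follow the slide-23 diagram, using the addresses drawn there.

```python
"""Minimal ARP watch (added example, not from the slides)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str


class ArpWatch:
    def __init__(self):
        self.first_seen = {}   # ip -> mac that first answered for it
        self.claims = {}       # mac -> set of ips it has ever answered for
        self.alerts = []       # (ip, previously seen mac, new mac)

    def observe(self, reply):
        """Record one ARP reply; return an alert tuple if the IP changed MAC, else None."""
        mac = reply.sender_mac.lower()
        self.claims.setdefault(mac, set()).add(reply.sender_ip)
        known = self.first_seen.setdefault(reply.sender_ip, mac)
        if known != mac:
            alert = (reply.sender_ip, known, mac)
            self.alerts.append(alert)
            return alert
        return None

    def multi_ip_macs(self):
        """MACs answering for more than one IP: expected of a router, suspicious elsewhere."""
        return {m: ips for m, ips in self.claims.items() if len(ips) > 1}


# Constructed capture: the three hosts announce themselves, then the attacker's
# MAC starts answering for both the server's and the client's address.
CAPTURE = [
    ArpReply("192.168.0.10", "00:60:00:dd:ee:ff"),   # server
    ArpReply("192.168.0.5", "00:60:00:aa:bb:cc"),    # client
    ArpReply("192.168.0.99", "00:60:00:12:34:56"),   # attacker's own address
    ArpReply("192.168.0.10", "00:60:00:12:34:56"),   # now claims the server's IP
    ArpReply("192.168.0.5", "00:60:00:12:34:56"),    # now claims the client's IP
]


def run(capture=CAPTURE):
    """Replay the capture; return (alerts, macs that claimed several IPs)."""
    watch = ArpWatch()
    for reply in capture:
        watch.observe(reply)
    return watch.alerts, watch.multi_ip_macs()


if __name__ == "__main__":
    alerts, multi = run()
    for ip, old, new in alerts:
        print("ALERT %s moved from %s to %s" % (ip, old, new))
    for mac, ips in multi.items():
        print("MAC %s answers for %s" % (mac, sorted(ips)))
```

In production the first-seen table should be seeded from a maintained inventory rather than learned from the wire, otherwise a sensor that boots during an attack learns the spoofed pairing as the truth.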

Page 24: Internet Security Intrusion Detection Systems

Fragment Reassembly

Figure (slide 24): the word ATTACK split into six one-byte fragments. Arrival order: 1 5 2 6 3 4. Intended order: 1 2 3 4 5 6. The IDS, like the receiving host, must buffer and reorder the fragments before it can match on the data.

Page 25: Internet Security Intrusion Detection Systems

Fragment Reassembly

Figure (slide 25): the same data stream with arrival order 1 5 2 6 3 4 3, i.e. fragment 3 is sent twice and the second copy carries X in place of T. As drawn, Solaris 2.6 reassembles ATTACK while Windows NT 4.0 reassembles the variant containing X: different stacks resolve overlapping fragments differently, so an IDS that reassembles one way can see something other than what the target host sees.
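The two figures above are the overlapping-fragment problem from Ptacek and Newsham's paper in the reference list. The following is an added example, not code from the slides: a simulation in which fragments are (offset, data) pairs delivered in arrival order, one offset is delivered twice with different data, and two reassembly policies are modelled, "first" (data already in place wins) and "last" (the later fragment overwrites). Which policy a given operating system follows is a property of that host's stack, so the policy is a parameter here rather than an assertion about Solaris or Windows NT; the fragment contents follow the slides.

```python
"""Overlapping-fragment reassembly under two policies (added example, not from the slides)."""


def reassemble(fragments, policy):
    """Rebuild the data from (offset, data) fragments under the given policy."""
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    buf = {}
    for offset, data in fragments:
        for i, ch in enumerate(data):
            pos = offset + i
            if policy == "last" or pos not in buf:
                buf[pos] = ch
    if sorted(buf) != list(range(len(buf))):
        raise ValueError("fragments leave a hole in the data")
    return "".join(buf[i] for i in range(len(buf)))


# Constructed fragments: 'ATTACK' in six one-byte pieces arriving in the order
# 1 5 2 6 3 4 (slide 24), followed by a second copy of fragment 3 carrying 'X'
# instead of 'T' (the 1 5 2 6 3 4 3 stream on slide 25).
FRAGMENTS = [
    (0, "A"), (4, "C"), (1, "T"), (5, "K"), (2, "T"), (3, "A"),
    (2, "X"),
]

SIGNATURE = "ATTACK"   # the string the sensor is looking for


def views(fragments=FRAGMENTS):
    """What each reassembly policy would hand to the signature matcher."""
    return {policy: reassemble(fragments, policy) for policy in ("first", "last")}


def policies_that_match(fragments=FRAGMENTS, signature=SIGNATURE):
    """Policies under which the reassembled data contains the signature."""
    return sorted(p for p, data in views(fragments).items() if signature in data)


if __name__ == "__main__":
    for policy, data in views().items():
        print("%-5s -> %s" % (policy, data))
    print("signature seen under:", policies_that_match())
```

The practical consequence for a sensor is that one reassembly policy is not enough: it either has to know which hosts it protects and reassemble the way each of them does, or it has to evaluate both views and alert when they differ, since a stream that reassembles differently on different stacks is itself worth an alert.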

Page 26: Internet Security Intrusion Detection Systems

Snort


Page 27: Internet Security Intrusion Detection Systems

Snort

Page 28: Internet Security Intrusion Detection Systems

Snort

Page 29: Internet Security Intrusion Detection Systems

ISS RealSecure

• ISS was one of the first to produce a commercial Network Intrusion Detection System and RealSecure still tends to be the standard by which other NIDS products are measured.


Page 30: Internet Security Intrusion Detection Systems

ISS RealSecure

Page 31: Internet Security Intrusion Detection Systems

ISS RealSecure

Page 32: Internet Security Intrusion Detection Systems

ISS RealSecure

Page 33: Internet Security Intrusion Detection Systems

Beyond IDS

• Network Forensics Analysis Tools (NFAT)

• Raytheon Silent Runner


Page 34: Internet Security Intrusion Detection Systems

Silent Runner

Page 35: Internet Security Intrusion Detection Systems

Silent Runner

Page 36: Internet Security Intrusion Detection Systems

Silent Runner

Page 37: Internet Security Intrusion Detection Systems

Costs

• Hardware purchase
• Software purchase
• Software maintenance fees
• Maintenance costs
• Training

Page 38: Internet Security Intrusion Detection Systems

Configuration Issues

• Creating your own signature rules

• Signature rule for CodeRed v2:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg: "WEB-IIS CodeRed v2 root.exe access"; flags: A+; uricontent:"scripts/root.exe?"; nocase; classtype: attempted-admin; sid: 1257; rev: 1;)

• Sample rule for mail about “Project X” (source port any: the connecting mail client or relay uses an ephemeral port, only the destination is 25):

alert tcp $EXTERNAL_NET any -> $MAIL_SERVERS 25 (msg:"Project X correspondence"; content:"Project X"; nocase;)

• Local rules

Page 39: Internet Security Intrusion Detection Systems

Sample Local Rules

Figure: an Ethernet segment behind a Router, monitored by an IDS on a Stealth interface. Hosts: SQL Server 192.168.0.100 (TCP 1433) and Web Server 192.168.0.200 (TCP 80, TCP 443).

Local rules alerting on any connection attempt to a port other than the one each server is meant to serve:

alert tcp any any <> 192.168.0.100 1:1432 (msg:"UNAUTHORIZED CONNECTION ATTEMPT"; flags: S;)
alert tcp any any <> 192.168.0.100 1434:65535 (msg:"UNAUTHORIZED CONNECTION ATTEMPT"; flags: S;)
alert udp any any <> 192.168.0.100 any (msg:"UNAUTHORIZED CONNECTION ATTEMPT";)
alert tcp any any <> 192.168.0.200 1:79 (msg:"UNAUTHORIZED CONNECTION ATTEMPT"; flags: S;)
alert tcp any any <> 192.168.0.200 81:442 (msg:"UNAUTHORIZED CONNECTION ATTEMPT"; flags: S;)
alert tcp any any <> 192.168.0.200 444:65535 (msg:"UNAUTHORIZED CONNECTION ATTEMPT"; flags: S;)
alert udp any any <> 192.168.0.200 any (msg:"UNAUTHORIZED CONNECTION ATTEMPT";)
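To make concrete what the sensor evaluates for each of the rules on slides 38 and 39, here is an added example, not code from the slides or from the Snort project: a small parser and matcher for just the subset of the rule syntax those rules use (a header with -> or <>, any, single IPs, $VARIABLES, port ranges such as 1:1432, and the msg/flags/content/uricontent/nocase options). It is not a replacement for Snort. The variable bindings and the packets are constructed; the mail rule is written with source port any, since the connecting mail client or relay uses an ephemeral port.

```python
"""Parser and matcher for a subset of Snort rule syntax (added example)."""
import re
from collections import namedtuple

# Constructed bindings for the variables used in the slide-38 rules.
VARS = {"$EXTERNAL_NET": "any", "$HTTP_SERVERS": "192.168.0.200", "$MAIL_SERVERS": "any"}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

Rule = namedtuple("Rule", "action proto src sport direction dst dport opts")


def parse_options(text):
    """'msg:"x"; flags: S; nocase;' -> {'msg': 'x', 'flags': 'S', 'nocase': True}.
    Splitting on ';' suffices for the slide's rules (no content embeds ';')."""
    opts = {}
    for part in text.split(";"):
        part = part.strip()
        if not part:
            continue
        if ":" in part:
            key, val = part.split(":", 1)
            opts[key.strip()] = val.strip().strip('"')
        else:
            opts[part] = True
    return opts


def parse_rule(line):
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("unparsable rule: " + line)
    g = m.groupdict()
    return Rule(g["action"], g["proto"], g["src"], g["sport"], g["dir"],
                g["dst"], g["dport"], parse_options(g["opts"]))


def port_ok(spec, port):
    if spec == "any":
        return True
    if ":" in spec:                       # lo:hi range; either end may be omitted
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def addr_ok(spec, ip):
    spec = VARS.get(spec, spec)           # single IP or 'any'; CIDR lists not handled here
    return spec == "any" or spec == ip


def flags_ok(spec, flags):
    """'S' means exactly SYN; a trailing '+' (as in 'A+') means these flags plus any others."""
    wanted = set(spec.rstrip("+"))
    return wanted <= set(flags) if spec.endswith("+") else wanted == set(flags)


def rule_matches(rule, pkt):
    if rule.proto != pkt["proto"]:
        return False
    fwd = (addr_ok(rule.src, pkt["src"]) and port_ok(rule.sport, pkt["sport"])
           and addr_ok(rule.dst, pkt["dst"]) and port_ok(rule.dport, pkt["dport"]))
    rev = (rule.direction == "<>"
           and addr_ok(rule.src, pkt["dst"]) and port_ok(rule.sport, pkt["dport"])
           and addr_ok(rule.dst, pkt["src"]) and port_ok(rule.dport, pkt["sport"]))
    if not (fwd or rev):
        return False
    if "flags" in rule.opts and not flags_ok(rule.opts["flags"], pkt.get("flags", "")):
        return False
    # uricontent is checked against the raw payload here; Snort normalises the URI first.
    for key in ("content", "uricontent"):
        if key in rule.opts:
            needle, hay = rule.opts[key], pkt.get("payload", "")
            if rule.opts.get("nocase"):
                needle, hay = needle.lower(), hay.lower()
            if needle not in hay:
                return False
    return True


def matching_msgs(rules, pkt):
    return [r.opts.get("msg", "") for r in rules if rule_matches(r, pkt)]


RULE_TEXT = """
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg: "WEB-IIS CodeRed v2 root.exe access"; flags: A+; uricontent:"scripts/root.exe?"; nocase; classtype: attempted-admin; sid: 1257; rev: 1;)
alert tcp $EXTERNAL_NET any -> $MAIL_SERVERS 25 (msg:"Project X correspondence"; content:"Project X"; nocase;)
alert tcp any any <> 192.168.0.100 1:1432 (msg:"UNAUTHORIZED CONNECTION ATTEMPT"; flags: S;)
alert tcp any any <> 192.168.0.100 1434:65535 (msg:"UNAUTHORIZED CONNECTION ATTEMPT"; flags: S;)
alert udp any any <> 192.168.0.100 any (msg:"UNAUTHORIZED CONNECTION ATTEMPT";)
"""
RULES = [parse_rule(l) for l in RULE_TEXT.strip().splitlines()]

# Constructed packets: SYNs to the SQL server on two ports, an HTTP request
# carrying the CodeRed URI in mixed case, and a mail session mentioning Project X.
PACKETS = {
    "syn_sql_port_22": {"proto": "tcp", "src": "10.0.0.1", "sport": 40000, "dst": "192.168.0.100", "dport": 22, "flags": "S", "payload": ""},
    "syn_sql_port_1433": {"proto": "tcp", "src": "10.0.0.1", "sport": 40001, "dst": "192.168.0.100", "dport": 1433, "flags": "S", "payload": ""},
    "codered_get": {"proto": "tcp", "src": "10.0.0.1", "sport": 40002, "dst": "192.168.0.200", "dport": 80, "flags": "AP", "payload": "GET /Scripts/ROOT.EXE? HTTP/1.0\r\n"},
    "mail_project_x": {"proto": "tcp", "src": "10.0.0.1", "sport": 40003, "dst": "192.168.0.50", "dport": 25, "flags": "AP", "payload": "Subject: PROJECT x status\r\n"},
}


def run():
    """Evaluate every constructed packet against the rule set."""
    return {name: matching_msgs(RULES, pkt) for name, pkt in PACKETS.items()}
```

Two things the matcher makes visible: `flags: S` with no modifier is an exact match, so a SYN/ACK does not trip the "unauthorized connection" rules, and the `nocase` option is what lets the CodeRed rule catch a mixed-case URI.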

Page 40: Internet Security Intrusion Detection Systems

Additional Issues

• Installation ease
• Support
• Rule updates
• Monitoring services

Page 41: Internet Security Intrusion Detection Systems

Host-based IDS (HIDS)

• File Integrity Checkers
  – MD5 signature
  – Checks for changes
• Log Parsers
  – Windows event log
  – Unix syslog
  – Novell logs
  – Flat files

Page 42: Internet Security Intrusion Detection Systems

Some HIDS Products

• ISS RealSecure

• Symantec (Axent) Intruder Alert (ITA)

• TripWire


Page 43: Internet Security Intrusion Detection Systems

Other types of pseudo-IDS

• Personal firewalls
• Sniffers
• Performance monitoring
• SNMP-based network monitoring
• Policy enforcement software
• ARP watch
• Honeypots

Page 44: Internet Security Intrusion Detection Systems

HEADQUARTERS:
FIVE HUNTERDON BOULEVARD, MURRAY HILL, N.J. 07974-2768
TELEPHONE (TOLL FREE IN US & CANADA): 1-866-563-6362
OUTSIDE OF THE US: 908-508-9825
E-mail: [email protected]

NORTHEAST - NEW ENGLAND REGIONAL OFFICE:
PO BOX 468, RICHMONDVILLE, NY 12149
518-294-6338

Enterprise Security Solutions, LLC

Page 45: Internet Security Intrusion Detection Systems
Page 46: Internet Security Intrusion Detection Systems

References

BOOKS
• Mandia, Kevin, and Prosise, Chris. Incident Response: Investigating Computer Crime. Osborne/McGraw-Hill, 2001.
• Northcutt, Stephen, and Novak, Judy. Network Intrusion Detection: An Analyst's Handbook, Second Edition. New Riders Publishing, 2000.

PAPERS
• Internet Security Systems. “Evaluating an Intrusion Detection Solution: A Strategy for a Successful IDS Evaluation,” ISS, 1999.
• NSS Group. “Intrusion Detection Systems, Group Test (Edition 2),” December 2001.
• Ptacek, Thomas H., and Newsham, Timothy N. “Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection,” Secure Networks, Inc., January 1998.
• Tan, John. “Forensic Readiness,” @stake, Inc., July 17, 2001.

STANDARDS
• ISO-17799 (Formerly BS-7799)

Page 47: Internet Security Intrusion Detection Systems

References

WEB SITES

• http://www.ihs.gov/Cio/ITSecurity/Posters/
• http://web.mit.edu/security/www/gassp1.html#dowlnoad
• http://banking.senate.gov/conf/fintl5.pdf
• http://www.ftc.gov/os/2001/07/stansafecustinfofrn.htm
• http://www.occ.treas.gov/ftp/bulletin/2001-8.txt
• http://www.occ.treas.gov/netbank/ebguide.htm
• http://www.occ.treas.gov/fr/fedregister/66fr8616.htm

Page 48: Internet Security Intrusion Detection Systems

References

WEB SITES

• http://www.federalreserve.gov/boarddocs/SRLetters/2001/sr0111a1.pdf

• http://www.occ.treas.gov/ftp/bulletin/2000-14.doc

• http://www.occ.treas.gov/ftp/bulletin/2001-35a.pdf

• http://www.occ.treas.gov/ftp/bulletin/2001-35b.pdf

• http://www.occ.treas.gov/ftp/alert/2001-4.doc

• http://www.occ.treas.gov/ftp/alert/2001%2D4.txt

• http://www.fdic.gov/regulations/information/ebanking/Internet&NationalBankChrtr.pdf

• http://ciac.llnl.gov/ciac/bulletins/j-043.shtml