intrusion detection


Information Assurance Tools Report

Sixth Edition, September 25, 2009

Intrusion Detection Systems

Distribution Statement A: Approved for public release; distribution is unlimited.

REPORT DOCUMENTATION PAGE

Form Approved OMB No. 0704-0188


1. REPORT DATE: 25-09-2009
2. REPORT TYPE: Report
3. DATES COVERED (From - To): 25-09-2009
4. TITLE AND SUBTITLE: Information Assurance Technology Analysis Center (IATAC) Information Assurance Tools Report: Intrusion Detection Systems. Sixth Edition.
5a. CONTRACT NUMBER: SPO700-98-D-4002
5b. GRANT NUMBER:
5c. PROGRAM ELEMENT NUMBER:
5d. PROJECT NUMBER / 5e. TASK NUMBER / 5f. WORK UNIT NUMBER: N/A
6. AUTHOR(S): Revision by Tzeyoung Max Wu
7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES): IATAC, 13200 Woodland Park Road, Herndon, VA 20171
8. PERFORMING ORGANIZATION REPORT NUMBER:
9. SPONSORING / MONITORING AGENCY NAME(S) AND ADDRESS(ES): Defense Technical Information Center, 8725 John J. Kingman Road, Suite 0944, Fort Belvoir, VA 22060-6218
10. SPONSOR/MONITOR'S ACRONYM(S):
11. SPONSOR/MONITOR'S REPORT NUMBER(S):
12. DISTRIBUTION / AVAILABILITY STATEMENT: Distribution Statement A. Approved for public release; distribution is unlimited.
13. SUPPLEMENTARY NOTES: IATAC is operated by Booz Allen Hamilton, 8283 Greensboro Drive, McLean, VA 22102.
14. ABSTRACT: This Information Assurance Technology Analysis Center (IATAC) report provides an index of Intrusion Detection System (IDS) tools. It summarizes pertinent information, providing users a brief description of available IDS tools and contact information for each. IATAC does not endorse, recommend, or evaluate the effectiveness of any specific tool. The written descriptions are based solely on vendors' claims and are intended only to highlight the capabilities and features of each firewall product. The report does identify sources of product evaluations when available.
15. SUBJECT TERMS: IATAC Collection, Intrusion Detection Systems (IDS)
16. SECURITY CLASSIFICATION OF: a. REPORT: UNCLASSIFIED; b. ABSTRACT: UNCLASSIFIED; c. THIS PAGE: UNCLASSIFIED
17. LIMITATION OF ABSTRACT: None
18. NUMBER OF PAGES: 93
19a. NAME OF RESPONSIBLE PERSON: Tyler, Gene
19b. TELEPHONE NUMBER (include area code): 703-984-0775

Standard Form 298 (Rev. 8-98). Prescribed by ANSI Std. Z39.18

Table of Contents

SECTION 1  Introduction ... 1
  1.1 Purpose ... 2

SECTION 2  Intrusion Detection/Prevention Overview ... 3
  2.1 Definition ... 3
  2.2 Technologies ... 3
    2.2.1 Network-Based ... 3
    2.2.2 Wireless ... 3
    2.2.3 Network Behavior Anomaly Detection ... 3
    2.2.4 Host-Based ... 3
  2.3 Detection Types ... 3
    2.3.1 Signature-Based Detection ... 3
    2.3.2 Anomaly-Based Detection ... 4
    2.3.3 Stateful Protocol Inspection ... 4
  2.4 False Positives and Negatives ... 4
  2.5 System Components ... 4

SECTION 3  Technologies ... 5
  3.1 Network Intrusion Detection System ... 5
    3.1.1 An Overview of the Open Systems Interconnection Model ... 5
    3.1.2 Component Types ... 5
    3.1.3 NIDS Sensor Placement ... 6
    3.1.4 Types of Events ... 6
    3.1.5 Prevention ... 7
  3.2 Wireless ... 7
    3.2.1 Components ... 7
    3.2.2 Types of Events ... 8
  3.3 Network Behavior Anomaly Detection ... 8
  3.4 Host-Based Intrusion Detection System ... 8
    3.4.1 Types of Events ... 9
    3.4.2 Prevention ... 9

SECTION 4  IDS Management ... 11
  4.1 Maintenance ... 11
  4.2 Tuning ... 11
  4.3 Detection Accuracy ... 11

SECTION 5  IDS Challenges ... 13
  5.1 Attacks ... 13
    5.1.1 Tools Used in Attacks ... 13
    5.1.2 Social Engineering ... 13
  5.2 Challenges in IDS ... 14
    5.2.1 IDS Scalability in Large Networks ... 14
    5.2.2 Vulnerabilities in Operating Systems ... 14
    5.2.3 Limits in Network Intrusion Detection Systems ... 14
    5.2.4 Signature-Based Detection ... 14
    5.2.5 Challenges with Wireless Technologies ... 14
    5.2.6 Over-Reliance on IDS ... 15

SECTION 6  Conclusion ... 17

SECTION 7  IDS Tools ... 19

  Host-Based Intrusion Detection Systems
    AIDE Advanced Intrusion Detection Environment ... 21
    CSP Alert-Plus ... 22
    eEye Retina ... 23
    eEye SecureIIS Web Server Protection ... 24
    GFI EventsManager ... 25
    Hewlett Packard-Unix (HP-UX) 11i Host Intrusion Detection System (HIDS) ... 26
    IBM RealSecure Server Sensor ... 27
    integrit ... 28
    Lumension Application Control ... 29
    McAfee Host Intrusion Prevention ... 30
    NetIQ Security Manager iSeries ... 31
    Osiris ... 32
    OSSEC HIDS ... 33
    PivX preEmpt ... 34
    Samhain ... 35
    Tripwire Enterprise ... 36
    Tripwire for Servers ... 37

  Network Intrusion Detection Systems
    Arbor Networks Peakflow X ... 39
    ArcSight ... 40
    Bro ... 41
    Check Point IPS Software Blade ... 42
    Check Point VPN-1 Power ... 43
    Check Point VPN-1 Power VSX ... 44
    Cisco ASA 5500 Series IPS Edition ... 45
    Cisco Catalyst 6500 Series Intrusion Detection System Services Module (IDSM-2) ... 46

IA Tools Report   i

    Cisco Guard XT ... 47
    Cisco Intrusion Detection System Appliance IDS-4200 ... 48
    Cisco IOS IPS ... 49
    Cisco Security Agent ... 50
    Enterasys Dragon Network Defense ... 51
    ForeScout CounterAct Edge ... 52
    IBM Proventia SiteProtector . . . . . . .
