lesson 7 intrusion prevention systems
DESCRIPTION
Lesson 7 Intrusion Prevention Systems. Overview. Definitions Differences Honeypots Defense in Depth. Intrusion Detection Systems. IDS – “Combination of Hardware and Software Designed to Detect Suspect Activity on a Network” Types of IDS Solutions and Deployments - PowerPoint PPT PresentationTRANSCRIPT
Lesson 7Intrusion
Prevention Systems
UTSA IS 3523 ID & Incident Response
Overview
• Definitions• Differences• Honeypots• Defense in Depth
UTSA IS 3523 ID & Incident Response
Intrusion Detection Systems • IDS – “Combination of Hardware and Software
Designed to Detect Suspect Activity on a Network”
• Types of IDS Solutions and Deployments– Network, Host and Application
• Detection Methods – Signature, Anomaly and Behavior Based
• IDS Evolution – Three Evolutions of IDS Products and Solutions – Detect, Shore-Up and Proactively Block (IPS)
UTSA IS 3523 ID & Incident Response
What Should an IDS Do
• Detect scans against a network– Helps determine who might attack
• Provide info on DoS attacks • Alert on possible worm infections• Alert administrator about brute force,
password cracks, dictionary attacks, etc. • Block Some Worms
– Code Red, Nimda, SQL Slammer– If Linked to a Firewall
UTSA IS 3523 ID & Incident Response
IDS Challenges • Performance
– Network Based IDS Systems must handle large throughput, i.e. large amounts of packets
• Reliability - false positives plague early IDS– Misnomer: “bad string development”
• Cost – Extensive IDS Deployments Can Be a expensive
• Labor intensive– IDS tuning and maintenance requires much expertise
• Host based IDS systems can use up lots of resources on their hosts
UTSA IS 3523 ID & Incident Response
Intrusion Prevention Systems• HW/SW that pro-actively block attacks
– Little or no human intervention
• Normally stand alone solutions but may integrate with firewalls, switches or routers
• Usually less maintenance than traditional IDS• Usually requires more set-up—have to know
your network traffic • May be network or host based• Emerging sub-sector of IDS market
UTSA IS 3523 ID & Incident Response
What an IPS Can Do
• Detect and Block Network• Block DoS attacks in real time• Completely stop nuisance attacksBlock
Worm propagation
UTSA IS 3523 ID & Incident Response
Intrusion Detection –vs- Intrusion Prevention
• Often viewed as a blending of firewalls and IDS• Definition: A device (HW or SW) that has the
ability to detect an attack and to prevent the attack from being successful.– Must handle known and unknown attack methods
• Will look at 4 general types of IPS– Inline NIDS– Layer Seven Switches– Application Firewall/IDS– Deceptive Applications
Inline NIDS
From: http://www.securityfocus.com/infocus/1670
Offers the capabilities of a regular NIDS with the blocking capabilities of a firewall. Examines traffic, decides whether to send it on or not.Generally needs to know what it is looking for (e.g. signatures).
UTSA IS 3523 ID & Incident Response
Layer Seven Switch• Usually think of switching as a layer 2 function.• Due to bandwidth intensive content, some
switching now going on a layer seven (e.g. load balancers) where application traffic can be examined.
• Decisions can be made as to whether data is sent.• Generally needs to know what it is looking for.• One of best uses is to address DoS attacks.
UTSA IS 3523 ID & Incident Response
Application Firewall/IDS
• Loaded on each server to be protected.• Customized for the application to be
protected.• Don’t look at packets, look at API calls,
memory management (for overflows), and interaction of user with OS.
• Can help prevent new attacks since it is not looking for signatures but rather attempted actions.
UTSA IS 3523 ID & Incident Response
Deceptive Applications
• Idea has been around for a while• Concept is to first watch network to
determine profile of normal traffic• If traffic comes along later, such as scan for
a service on a system that doesn’t exist, then respond with bogus data so packets are “marked” and future traffic from attacker will be noticed and handled easily.
Deceptive Applications
No system10.1.1.20!
From: http://www.securityfocus.com/infocus/1670
UTSA IS 3523 ID & Incident Response
IDS/IPS Market
Total 2002 IDS/IPS Market: $382 Million (IDC)
2003: Gartner states: “IDS is dead”
Total 2009 IDS/IPS Market: $939 Million (Gartner)
2013 Prediction: $2.34B (Frost and Sullivan)…compound annual growth rate of 17.1%
UTSA IS 3523 ID & Incident Response
Network Commercial IPS
• Cisco Secure IDS (son of Netranger)• ISS Proventia• NetScreen IDP-500• McAfee Intrushield 4000• TippingPoint UnityOne -1200• TopLayer Mitigator IPS-2400
UTSA IS 3523 ID & Incident Response
What Do The Look Like
UTSA IS 3523 ID & Incident Response
IPS Pictures
http://www.nss.co.uk/ips/edition1/nai-intrushield/fig1-Group_all.png
http://www.iss.net/products_services/enterprise_protection/proventia/g_series.php
UTSA IS 3523 ID & Incident Response
Honey Pot
• Resurgent Player..not quite an IDS, but results are the same
• Decoy System• Mislead Hackers• Begin Incident Response (early!)
UTSA IS 3523 ID & Incident Response
Defense-in-Depth
• Key Security Concept• Usually considered in shallow ways• We don’t so good job implementing
organization wide• Very seldom do we simultaneously simplify
and improve security
UTSA IS 3523 ID & Incident Response
5 Different Control Types
• Protect - firewalls/router ACLs• Detect - IDSes• Recover - Incident Response/Recovery Plans• Deter - Laws and marketing• Transfer - Insurance
UTSA IS 3523 ID & Incident Response
Problem with Approaches
• Each control has binary effectiveness• No security is perfect• Better approach is “synergistic security”
– Success hinges on redundancy of security controls
UTSA IS 3523 ID & Incident Response
Security Synergy• Baye’s Theorem:
– Effectivness(TOTAL)= 1-((1-E1)*(1-E2)*(1-E3)…)
#Synergistic
Controls Efficiency of Each Control
60% 70% 80% 90%
1 60 70 80 90
2 84 91 96 99
3 93.6 97.3 99.299.9
4 94.7 99.2 99.8100
5 99 99.8 100100
UTSA IS 3523 ID & Incident Response
The Challenge
• “The real challenge is for people who can write good models for the data that comes out. The problem we have is that different enterprise networks create quite different traffic. Trying to model it and pull out interesting patterns with it while minimizing false positives and things like that, is very difficult.
• Bob Gleichauf• Cisco Systems
UTSA IS 3523 ID & Incident Response
Summary
• IDSes are advancing and morphing at same time• IDSes are not silver bullets…they cannot
overcome inherent security weaknesses• IDSes are usually the primary “detectors” to
start the incident response process• Synergistic Security (Defense-in-depth) is the
key…definitwly monitor where the crown jewels are