Intrusion DetectionPrevention Systems

1
Intrusion Detection/Prevention Systems

• Charles Poff
• Bearing Point

2
Intrusion Detection Systems

• Intrusion Detection System (IDS)
• Passive
• Hardware\software based
• Uses attack signatures
• Configuration
• SPAN/Mirror Ports
• Generates alerts (email, pager)
• After the fact response

3
Intrusion Prevention Systems

• Intrusion Prevention System (IPS)
• Also called Network Defense Systems (NDS)
• Inline active
• Hardware\software based
• Uses attack signatures
• Configuration
• Inline w/fail over features.
• Generates alerts (email, pager)
• Real time response

4
IDS vs. IPS

• IPS evolved from IDS
• Need to stop attacks in real time
• After the fact attacks have lesser value
• IDS is cheaper.
• Several Open Source IDS/IPS
• Software based
• IPS EXPENSIVE
• Hardware based (ASIC FPGA)

5
Detection Capabilities

• Signatures
• Based on current exploits (worm, viruses)
• Detect malware, spyware and other malicious
  programs.
• Bad traffic detection, traffic normalization
• Anomaly Detection
• Analyzes TCP/IP parameters
• Normalization
• Fragmentation/reassembly
• Header checksum problems

6
Evasion Techniques

• Encryption
• IPSec, SSH, Blowfish, SSL, etc.
• Placement of IPS sensors are crucial
• Lead to architectural problems
• False sense of security
• Encryption Key Exchange
• IPS sensors can usually detect/see encryption
  key exchanges
• IPS sensors can usually detected unknown
  protocols

7
Evasion Techniques (cont.)

• Packet Fragmentation
• Reassembly 1.) out of order, 2.) storage of
  fragments (D.o.S)
• Overlapping different size packets arrive out
  of order and in overlapping positions.
• Newly arrived packets can overwrite older data.

8
Evasion Techniques (cont.)

• Zero day exploits (XSS, SQL Injection)
• Not caught by signatures
• Not detected by normalization triggers
• Specific to custom applications/DBs.
• Social engineering
• Verbal communication
• Malicious access via legitimate credentials
• Poor configuration management
• Mis-configurations allow simple access not
  detected.
• Increases attack vectors

9
Vendors

• Open Source
• SNORT (IDS/IPS) my favorite
• Prelude (IDS)
• HoneyNet (Honey Pot/IDS)
• Commercial
• TippingPoint
• Internet Security Systems
• Juniper
• RadWare
• Mirage Networks

10
Tools of the Trade

• Fuzzers SPIKE, WebScarab, ADMmutate, ISIC, Burp
  Suite
• Scanners - Nessus, NMAP, Nikto, Whisker
• Fragmentation ADMmutate, Fragroute, Fragrouter,
  ettercap, dSniff
• Sniffers ethereal, dSniff, ettercap, TCPDump
• Web Sites
• www.thc.org
• packetstormsecurity.nl
• www.packetfactory.net

11
Future of IDS/IPS

• Many security appliances ? ONE
• IDS/IPS, SPAM, AV, Content Filtering
• IDS will continue to loose market share
• IPS, including malware, spyware, av are gaining
  market share
• Security awareness is increasing
• Attacks are getting sophisticated
• Worms, XSS, SQL Injection, etc.

12
Your Organization

• Whats protecting your organization?
• Future Plans?
• Products and vendors?
• Evolution of security infrastructure.

13
Question

• Question comments