Intrusion Detection System

1
Intrusion Detection System

• Alan TAM
• Program Committee, PISA

2
Definition and Needs

• IDS Intrusion Detection System
• Not firewall
• Content inspection

3
Technology

• Signature detection
• Anomaly detection

4
General IDS Model

• Sensor
• Analyzer
• Manager
• Administrator
• Operator

5
Basic Classification

• NIDS - Network Based
• e.g. Cisco Secure IDS , Axent Netpowler, Snort,
  ISS RealSecure Network Sensor, NAI Cybercop
  Monitor
• HIDS - Host Based
• e.g. Axent Intruder Alert, ISS RealSecure OS
  Sensor, Tripwire

6
Functional Classification

• Packet capturing Pattern matching
• Log parser
• Host firewall
• File integrity checker
• Activity monitor

7
Deployment Tips (1)

• Dual NIC
• No TCP/IP binding
• Network Performance
• Security
• NIC optimization settings
• Promiscuous mode

8
Deployment Tips (2)

• Locations
• DMZ
• In front of firewall
• Behind firewall
• Server segments
• Power user segments

9
Deployment Tips (3)

• Generic OS hardening optimization
• TCP/IP services
• NetBIOS services
• File directory permission
• Useless background process
• Peripherals

10
Deployment Tips (4)

• Miscellaneous
• Automatic mass deployment of HIDS
• Downtime against SLA
• Tuning of false alarms
• Do policy customization (no kidding)
• Monitor log grow-up rate

11
Problem Scenarios (1)

• Signature quality
• False POSITIVES
• False NEGATIVES
• Threshold values
• Duplicates elimination
• Encrypted traffic
• SSL, IPSEC PPTP tunnels, PGP attachment

12
Problem Scenarios (2)

• Switch instead of Hub
• Collision domain
• Port Spanning/Mirroring/Monitoring
• Performance degrade
• High speed network
• Packet drop
• DoS

13
How to choose an IDS (1)

• Attack Signature
• Quality
• Update frequency
• Update mechanism

14
How to choose an IDS (2)

• Scalability
• Traffic handling capacity
• Shutdown mechanism
• Supported platforms (HIDS)

15
How to choose an IDS (3)

• Manageability
• Examining log
• Cross reference
• Archiving
• Centralized console

16
How to choose an IDS (4)

• Hardware platform
• Intel based
• SPARC based

17
Response Actions (1)

• Log
• Header, significant application data
• Raw packet
• Alert
• Console
• Email
• SNMP Traps

18
Response Actions (2)

• Termination
• TCP kill
• Kernel drop
• Third-party Integration
• Firewall
• Router

19
Response Actions (3)

• User Script
• Increase log level
• Modem to Pager
• Email to SMS
• Redirect to Honey Pot

20
Previous Battlefield

• IP defragmentation
• TCP stream reassembly

21
Today

• IDS load balancing
• Hardware IDS
• ASIC IDS module in a Chassis
• ASIC Switch appliance

22
Standards

• CVE (Common Vulnerabilities and Exposures)
• IDMEF (Intrusion Detection Message Exchange
  Format)

23
CVE (1)

• Standardized name
• Interoperability between tools
• Tool comparison guidelines
• CVE-Compatible
• No. of signatures

24
(No Transcript)
25
CVE (2)

• Version
• As of August 2001 20010507
• Classification
• CVE candidate(CAN-YYYY-XXXX)
• CVE entry(CVE-YYYY-XXXX)

26
Data Sources

• Security Focus - SecurityFocus.com weekly
  Newsletters(http//www.securityfocus.com/vdb)
• Network Computing and the SANS Institute - weekly
  Security Alert Consensus(http//archives.neohapsi
  s.com/archives/securityexpress/current/)
• ISS - monthly Security Alert Summary(http//xforc
  e.iss.net/alerts/summaries.php)
• NIPC CyberNotes - biweekly issues(http//www.nipc
  .gov/cybernotes.htm)

27
Reference Source
28
Tips for using CVE

• Do not use general terms (e.g. buffer overflow)
  to search
• Use exact process name (e.g. sendmail)
• Go to the references for Fix

29
IDWG

• Intrusion Detection Working Group
• Aims
• Define data format
• Define exchange procedure
• Outputs
• Requirement document
• Common intrusion language specification
• Framework document

30
IDMEF

• Standard data format (using XML)
• Interoperability
• Typical deployments
• Sensor to Manager
• Database
• Event correlation system
• Centralized console

31
IDMEF Addressed Problems

• Inherently heterogeneous information
• Different sensor types
• Different analyzer capabilities
• Different operation systems
• Different objectives of commercial vendors

32
Message Classes (1)

• IDMEF-Message Class
• Alert Class
• ToolAlert
• CorrelationAlert
• OverflowAlert
• Heartbeat Class

33
Message Classes (2)

• Core Classes
• Analyzer
• Source
• Target
• Classification
• Additional Data

34
Message Classes (3)

• Time Class
• CreatTime
• DetectTime
• AnalyzerTime

35
Message Classes (4)

• Support Class
• Node
• User
• Process
• Service

36
Example
37
Summary

• IDS Classification
• IDS Deployment Considerations
• How to choose an IDS
• Industry standards

38
HKCERT/CC

• Web - http//www.hongkongcert.org
• Telephone - 2788 6060
• Fax - 2190 9760
• Email - mailtoinfosecurity_at_hkpc.org

39
Reference

• http//cve.mitre.org/cve
• http//www.silicondefense.com/idwg/
• http//www.securityfocus.com/

40
Thank You

• For suggestions and corrections, please send
  email to
• alan.tam_at_pisa.org.hk
• or
• alantam_at_hk.is-one.net

41
Discussion

• SLA - cannot stop service immediately
• Switch to standby system if possible
• Contingency planning
• Trace the source Track its activity