SURFnet IDS a Distributed Intrusion Detection System - PowerPoint PPT Presentation
Title: Distributed Intrusion Detection System. Author: rogier. Last modified by: sjaak. Created: 11/9/2005 3:46:31 PM. Format: PowerPoint PPT presentation.
Transcript and Presenter's Notes
1
SURFnet IDS: a Distributed Intrusion Detection System
Rogier Spoor (project leader), Jan van Lith (developer), Kees Trippelvitz (developer)
Amsterdam, 24-1-2006
2
Goals
  • Understanding
    • types of malicious network traffic within a LAN
    • amount of malicious network traffic within a LAN
    • spreading of worms
  • Setting up
    • a scalable IDS solution
    • an IDS that is easy to manage and maintain
  • Comparing results with other sensors
  • Limit malicious outbound traffic (SURFnet)

3
Why build something new?
  • Sensor must be maintenance-free
  • IDS must be scalable and easy to manage
  • No false positives! (so Snort cannot be used)
  • IDS designed for high-speed networks (LAN/WAN)
  • IDS should be able to analyse L2 traffic

4
Sensor
  • Remastered Knoppix distribution
  • USB boot
  • OpenVPN between sensor and central server
  • Needs
    • PC capable of USB boot, 1 NIC
    • DHCP LAN (2x DHCP)
    • OpenVPN session through local firewall (TCP 1194)

5
Honeypot/Tunnel server
  • Based on nepenthes
    • a low-interaction honeypot
    • Link: http://nepenthes.sourceforge.net
  • OpenVPN tunnel to sensor
  • Manages X.509 certificates/keys of sensors
  • Source-based routing

6
Logging server
  • PostgreSQL
  • Web interface
    • Show statistics of sensors (groups/individual)
    • Show statistics of different attacks
    • Ranking of sensors
  • Mail logging
  • IDMEF

7
Global Overview
8
Working of SURF IDS
  • Attacker/Worm/Virus/Hacker
    • Attacks IP on server
  • Layer 2 tunnel (tap device)
    • DHCP request through tunnel
    • Binds IP of client LAN on tap device
  • Nepenthes simulates weakness
  • Nepenthes handles attack
  • Nepenthes logs attack
  • Sensor is booted
    • OpenVPN is started
    • Uses TCP port 1194
    • Works with NAT!
  • Web interface makes the data presentable
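
The two steps above that tie the design together, the tap device that takes a DHCP lease from the sensor's LAN and the source-based routing on the honeypot/tunnel server (slide 5), can be expressed as a small script. This is an added example, not code from the SURFnet IDS project; the tap device names, addresses and the table-numbering scheme are assumptions, and the commands are emitted rather than executed so they can be reviewed first.

```shell
#!/bin/sh
# Added example (not the SURFnet IDS project's own code): generate the
# source-based routing the honeypot/tunnel server needs when several sensors
# each terminate an L2 OpenVPN tunnel in their own tap device. Each tap got an
# IP address and default gateway from the remote LAN's DHCP server, so replies
# to attackers must leave through the tap that matches the source address.
# Device names, addresses and table numbers below are constructed samples.

# Policy-routing table id for a tap device: tap<N> -> 100+N (assumed scheme).
table_for_tap() {
    n=${1#tap}
    case $n in ''|*[!0-9]*) echo "bad tap device: $1" >&2; return 1 ;; esac
    echo $((100 + n))
}

# Emit (do not run) the ip(8) commands for one sensor tunnel.
# Args: <tap> <tap-ip> <lan-subnet/prefix> <lan-gateway>
source_route_cmds() {
    tap=$1 tapip=$2 subnet=$3 gw=$4
    tbl=$(table_for_tap "$tap") || return 1
    # connected LAN route inside the per-tap table, so LAN peers stay on-link
    printf 'ip route add %s dev %s src %s table %s\n' "$subnet" "$tap" "$tapip" "$tbl"
    # everything else sourced from this tap goes to that LAN's gateway
    printf 'ip route add default via %s dev %s table %s\n' "$gw" "$tap" "$tbl"
    # select the table by source address (the tap's DHCP lease)
    printf 'ip rule add from %s table %s\n' "$tapip" "$tbl"
}

# Process an inventory of "tap tap-ip lan-subnet lan-gateway" lines;
# blank lines and '#' comments are skipped.
gen_all_routes() {
    while read -r tap tapip subnet gw; do
        [ -z "$tap" ] && continue
        case $tap in "#"*) continue ;; esac
        source_route_cmds "$tap" "$tapip" "$subnet" "$gw" || return 1
    done
}

# Constructed sample inventory: two sensors on two customer LANs.
SENSORS='# tap   tap-ip        lan-subnet       lan-gateway
tap0    192.0.2.10    192.0.2.0/24     192.0.2.1
tap1    198.51.100.7  198.51.100.0/24  198.51.100.1'

# Review the output, then apply it as root on the tunnel server with:
#   printf '%s\n' "$SENSORS" | gen_all_routes | sh
printf '%s\n' "$SENSORS" | gen_all_routes
```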

9
Future
  • Start an IDS service for SURFnet customers
  • Open source licensing (GPL) and packaging
  • Additional honeypots on the central server
  • Logging interface for tools like AIRT
  • Interface for a quarantine environment
  • Static assignment of IP addresses on server and sensor
  • Multiple VLAN support for sensor

10
Demo
11
Questions?
  • Website: http://ids.surfnet.nl