Network Intrusion Detection

1
Network Intrusion Detection

• David LaPorte
• david_laporte_at_harvard.edu

2
Topics

• What is IDS?
• HIDS v. NIDS
• Signatures
• Active Response / IPS
• NIDS on the Cheap
• Additional Resources

3
What is IDS?
the art of detecting inappropriate, incorrect, or
anomalous activity. ID systems that operate on a
host to detect malicious activity on that host
are called host-based ID systems, and ID systems
that operate on network data flows are called
network-based ID systems.
http//www.sans.org/newlook/resources/IDFAQ/what_i
s_ID.htm
4
HIDS v. NIDS

• Defense in depth, layered security
• HIDS
• Typically software installed on a system
• Agent-based
• Monitors multiple data sources, including file
  system meta-data, log files
• Wrapper-based
• Acts like a firewall denies or accepts
  connections or logins based on defined policy

5
HIDS v. NIDS

• NIDS
• Monitors traffic on a network
• Reports on traffic not considered normal
• Anomaly-based
• Packet sizes, destinations, protocol
  distributions, etc
• Hard to determine what normal traffic looks
  like
• Signature-based
• Most products use signature-based technologies

6
Signature-based NIDS

• Signature-based
• Matches header fields, port numbers, content
• Network grep
• Advantages
• No learning curve
• Works out-of-box for well known attacks
• Snort has 1900 signatures
• Dragon has 1700 signatures
• Disadvantages
• New attacks cannot be detected
• False positives
• Maintenance/tweaking
• Not very hard to evade
• Stateless, lacks thresholding

7
Signatures

• T A A S 10 20 6668 IRCXDCC /5Bxdcc/5Dslt
• SEARCH STRING
• EVENT NAME
• PORT
• COMPARE BYTES
• DYNAMIC LOG
• BINARY OR STRING
• PROTECTED NETWORKS
• DIRECTION
• PROTOCOL

8
Signatures

• On the console
• Time Dir Source Destination Proto Event Name
  Group Sensor Session Raw Data
• 1102 02Nov04 from 128.103.a.b4295
  207.44.x.y6667 tcp IRCXDCC UNKNOWN ids5
• 1101 02Nov04 from 128.103.a.b1141
  207.44.x.y6667 tcp IRCXDCC UNKNOWN ids5
• 1059 02Nov04 from 128.103.a.b2582
  207.44.x.y6667 tcp IRCXDCC UNKNOWN ids5
• 1057 02Nov04 from 128.103.a.b3341
  207.44.x.y6667 tcp IRCXDCC UNKNOWN ids5

9

• NICK XDCCSLT-L482A
• USER b0b 32 . XDCCA
• MODE XDCCSLT-L482 iA
• NICK XDCCSLT-L482A
• USER b0b 32 . XDCCA
• MODE XDCCSLT-L482 iA
• NICK XDCCSLT-L482A
• USER b0b 32 . XDCCA
• MODE XDCCSLT-L482 iA
• A
• snagged.wi.us.criten.net NOTICE AUTH
  Looking up your hostname...A
• snagged.wi.us.criten.net NOTICE AUTH Found
  your hostname, cachedA
• snagged.wi.us.criten.net NOTICE AUTH
  Checking IdentA
• snagged.wi.us.criten.net 001 XDCCSLT-L482
  Welcome to the Criten IRC Network
  XDCCSLT-L482!b0b_at_jojo.harvard.eduDA
• snagged.wi.us.criten.net 002 XDCCSLT-L482
  Your host is snagged.wi.us.criten.net_at_0.0.0.0,
  running version bahamut-1
• .4(34)DA
• snagged.wi.us.criten.net 003 XDCCSLT-L482
  This server was created Fri Oct 18 2002 at
  124934 CDTDA
• snagged.wi.us.criten.net 004 XDCCSLT-L482
  snagged.wi.us.criten.net bahamut-1.4(34)
  oiwscrknfydaAbghe biklLmMnoprRstvc
• DA

10
NIDS Management

• Correlation is key
• Multiple sensors
• Single data repository
• Syslog
• DBMS
• Text files

11
NIDS Placement

• Inside firewall
• Limits false positives cleaner data
• Outside firewall
• Shows overall interest
• Need to collect all traffic
• Switch port wont cut it
• Hub
• Switch SPAN port
• Passive tap
• Difficult on high-bandwidth links (gt300Mbps)
• Distribution devices (TopLayer, etc)
• Hardware

12
NIDS Drawbacks

• False Positives
• LOTS of data
• We generate 3-4GB of logs each day on a 250Mbps
  sustained link
• Makes alerting difficult
• Interoperability
• ESM Intellitactics, PentaSafe, etc.

13
NIDS - Drawbacks

• Evasion
• Packet fragmentation
• Out of order, overlapping
• Fragroute
• Character encodings / padding
• Unicode, mixed case, ../..s, \0s
• OS stack behavior
• A simple grep of a packet wont work

14
Active Response

• NIDS is primarily a passive technology
• Only monitors traffic
• Doesnt sit in the data stream
• Active response
• aka sniping, flex response

15
Active Response

• Several issues
• Timing
• By the time filters are applied, attack is
  complete
• False alarms / spoofed traffic
• Self-inflicted DOS
• Lack of formatting standards
• CVE, OPSEC

16
Intrusion Prevention

• Place system in-line
• Hardware
• Redundancy
• Acts as an IDS/Firewall hybrid
• Hogwash

17
NIDS on the Cheap

• So you want a NIDS?
• Snort
• Open-source NIDS
• Quickly becoming the Apache of IDS
• Runs on Windows and most Unix variants
• MySQL
• Open-source DBMS
• ACID
• Great web-based front-end for Snort/Mysql
• A place to collect traffic
• Your NIC is fine if you have only one machine
• Use a hub if youve got a LAN

18
Additional Resources

• Fragroute
• http//monkey.org/dugsong/fragroute/
• Insertion, Evasion, and Denial of Service
  Eluding Network Intrusion Detection
• http//secinf.net/info/ids/idspaper/idspaper.html
• HIDS Products
• PortSentry
• http//www.psionic.com/products/portsentry.html
• Tripwire
• http//www.tripwire.com/
• AIDE
• http//www.cs.tut.fi/rammer/aide.html

19
Additional Resources

• NIDS Products
• Snort
• http//www.snort.org
• Dragon
• http//www.enterasys.com/ids/
• CiscoSecure IDS
• ISS RealSecure
• http//www.iss.net/products_services/enterprise_pr
  otection/rsnetwork/index.php
• ACID
• http//www.andrew.cmu.edu/rdanyliw/snort/snortaci
  d.html
• Hogwash
• http//hogwash.sourceforge.net/

20
Questions?