Intrusion Detection System IDS Basics - PowerPoint PPT Presentation

1
Intrusion Detection System (IDS) Basics
  • LTJG Lemuel S. Lawrence
  • Presentation for IS-2010
  • 13 Sept 2004

2
Agenda
  • The Problem
  • Protection
  • Firewall vs. IDS
  • IDS Basics
  • Types
  • Host
  • Network
  • Passive and reactive systems
  • Conclusion

3
The Problem
  • Hackers
  • Internal
  • External
  • Inherent holes in your security set up
  • Not configured properly
  • Patches not up to date or available
  • Virus definitions not up to date or available

4
The Problem
  • "There's nothing on my system that anybody would want anyway."
  • Legal Liability
  • Inappropriate content (child pornography, hosting
    illegal files such as .mp3 files, etc.)
  • You are potentially liable for damages caused by
    a hacker using your machine.
  • Must be able to prove to the court that you took
    "reasonable" measures to defend yourself from
    hackers (e.g. a cyber bank robbery launched from your
    computer as the host).

5
How do you protect yourself?
  • Layered security setup
  • IDS
  • Firewall
  • Antivirus
  • Applying the 3 basic security principles
  • Vulnerabilities
  • Threats
  • Countermeasures

6
Firewall vs. IDS
  • Firewall: Software that is designed to restrict
    access to an organization's network or its
    Intranet (The Fence)
  • IDS: A system that tries to identify attempts to
    hack or break into a computer system or to misuse
    it. IDSs may monitor packets passing over the
    network, monitor system files, monitor log files,
    or set up deception systems that attempt to trap
    hackers (The Guard Dog)

7
Why do we need both?
  • Firewalls as stated are designed to block
    unwanted traffic.
  • A common misunderstanding is that firewalls
    recognize attacks and block them. This is not
    true.
  • The firewall administrator carefully adds "rules"
    that allow specific types of traffic to go
    through the firewall. For example, a typical
    corporate firewall allowing access to the
    Internet would stop all UDP and all incoming TCP
    connections, but allow outgoing TCP connections.
    This stops all incoming connections from Internet
    hackers, but still allows internal users to
    connect in the outgoing direction.
  • Firewalls only limit access; they don't
    recognize attacks but merely block what the
    administrator tells them to.

8
Why do we need both?
  • Firewalls are only at the boundary of your
    network.
  • Roughly 80% of all financial losses due to
    hacking come from inside the network!
  • A firewall at the perimeter of the network sees
    nothing going on inside it; it only sees the
    traffic which passes between the internal network
    and the Internet.
  • IDS capabilities
  • Double-checks misconfigured firewalls
  • Catches attacks that firewalls legitimately allow
    through (such as attacks against web servers and
    internal attacks)
  • Catches attempts that fail
  • Catches insider hacking

9
Why do we need both?
  • Hackers are much more capable than you think; the
    more defense you have, the better. These layers still
    won't protect you from the determined hacker.
    They will, however, raise the bar on the
    determination needed by the hackers.

10
Types of IDS
  • Host Based
  • Network Based (NIDS)

11
Host Based IDS
  • A host-based Intrusion Detection System's role is to
    identify tampering or malicious activity
    occurring on the system.
  • Monitors log files, users, and the file system
    for evidence of malicious or suspicious
    application activity in real time.
  • Can use system logs, application logs, host
    traffic, key system files, and in some instances
    firewall logs as its data source.

12
Host Based
  • Some of the activities that a host-based IDS can
    monitor include:
  • user-specific actions
  • Access to system log files, running processes,
    and the file system
  • success/failure of an attack
  • Attacks that use NIDS evasion techniques
  • e.g. an attack that makes it through the firewall,
    undetected by the NIDS, and succeeds against the
    system/network

13
Network Based
  • Monitors both incoming and outgoing traffic.
  • Typically deployed on standalone systems in front
    of firewalls or at key network choke points for
    large or complicated networks.
  • There are two forms of NIDS:
  • Pattern Matching
  • Anomaly based
  • A NIDS uses network traffic as its data source,
    monitoring the traffic in real time and
    alerting in near real time.

14
Network Based
  • Pattern matching
  • Most IDSs follow this standard.
  • A knowledge-based system
  • The intrusion detection system contains prior
    information about specific attacks and
    vulnerabilities.
  • Applies this to incoming and outgoing traffic by
    inspecting each packet against its signature
    database.
  • When a packet matches a signature, an alarm is
    triggered and the administrator is notified. The
    accuracy of a knowledge-based system relies on
    its signature database.
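A small signature-matching NIDS in Python, added here as an illustration (it is not part of the original slides): the signature database, the packet records and the sample traffic are all constructed, and the pattern for each "attack" is a textbook one chosen only to show how a packet is checked against the database.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed signature database (not from the slides): (sid, name, protocol,
# destination port, payload pattern identifying a specific known attack).
SIGNATURES = [
    (1001, "HTTP directory traversal", "tcp", 80, re.compile(rb"\.\./\.\./")),
    (1002, "SQL injection in URI", "tcp", 80, re.compile(rb"(?i)union\s+select")),
    (1003, "Known scanner SSH banner", "tcp", 22, re.compile(rb"^SSH-2\.0-libssh")),
]

def normalize(pkt):
    """Undo the encodings the protocol allows before matching, so an
    HTTP request is inspected in the same form the web server will see it.
    Signature accuracy depends as much on this step as on the database."""
    payload = pkt["payload"]
    if pkt["proto"] == "tcp" and pkt["dst_port"] == 80:
        payload = unquote_to_bytes(payload)
    return payload

def inspect_packet(pkt, signatures=SIGNATURES):
    """Knowledge-based check: compare one packet against every signature
    that applies to its protocol and port; return (sid, name) for each hit."""
    payload = normalize(pkt)
    return [(sid, name) for sid, name, proto, port, pattern in signatures
            if pkt["proto"] == proto and pkt["dst_port"] == port
            and pattern.search(payload)]

def run_nids(packets, signatures=SIGNATURES):
    """Inspect a packet stream; each alert is (src, sid, name)."""
    alerts = []
    for pkt in packets:
        for sid, name in inspect_packet(pkt, signatures):
            alerts.append((pkt["src"], sid, name))
    return alerts

# Constructed sample traffic: a benign request, two attack requests (the
# second URL-encoded), and a normal SSH banner.
SAMPLE_PACKETS = [
    {"src": "10.0.0.5", "proto": "tcp", "dst_port": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"},
    {"src": "10.0.0.9", "proto": "tcp", "dst_port": 80,
     "payload": b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\n\r\n"},
    {"src": "10.0.0.9", "proto": "tcp", "dst_port": 80,
     "payload": b"GET /item?id=1%20UNION%20SELECT%20user,pass HTTP/1.1\r\n\r\n"},
    {"src": "10.0.0.7", "proto": "tcp", "dst_port": 22,
     "payload": b"SSH-2.0-OpenSSH_3.9p1\r\n"},
]

if __name__ == "__main__":
    for alert in run_nids(SAMPLE_PACKETS):
        print(alert)
```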

15
Network Based
  • Anomaly matching
  • Creates a profile of normal network traffic.
  • Any anomalous/irregular traffic that is seen will
    be considered suspicious, and an alarm is
    generated.
  • Detection of suspicious events can be implemented
    in various ways, e.g. protocol analysis/decoding,
    or traffic that doesn't comply with the normal
    traffic criteria.
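An anomaly-based detector in Python, added as an example rather than taken from the slides: it learns a per-port profile of "normal" flow sizes from constructed baseline traffic, then flags unseen ports and flows far outside the learned range. The last observed flow is deliberately a large but legitimate download, to show the false positive such a profile can produce.

```python
from statistics import mean, pstdev

# Constructed learning-phase traffic: (dst_port, bytes) for flows known to be normal.
BASELINE_FLOWS = [(80, 1200), (80, 1350), (80, 980), (80, 1100), (80, 1275),
                  (443, 2100), (443, 1980), (443, 2250), (443, 2050), (443, 2180),
                  (53, 90), (53, 110), (53, 85), (53, 120), (53, 95)]

def build_profile(flows):
    """Learning phase: for each destination port, the mean and standard
    deviation of bytes per flow. This is the 'profile of normal traffic'."""
    by_port = {}
    for port, size in flows:
        by_port.setdefault(port, []).append(size)
    return {port: (mean(sizes), pstdev(sizes)) for port, sizes in by_port.items()}

def score_flow(profile, port, size, k=3.0):
    """Return a reason string if the flow is anomalous, else None.
    Two criteria: a destination port never seen in the baseline, or a flow
    size more than k standard deviations from that port's mean."""
    if port not in profile:
        return f"unseen destination port {port}"
    mu, sigma = profile[port]
    sigma = max(sigma, 1.0)          # avoid division by zero on constant ports
    z = (size - mu) / sigma
    if abs(z) > k:
        return f"port {port}: {size} bytes is {z:.1f} sigma from normal ({mu:.0f})"
    return None

def detect(profile, flows, k=3.0):
    """Detection phase: return (src, reason) for every anomalous flow."""
    hits = []
    for src, port, size in flows:
        reason = score_flow(profile, port, size, k)
        if reason:
            hits.append((src, reason))
    return hits

# Constructed detection-phase traffic: (src, dst_port, bytes).
OBSERVED_FLOWS = [
    ("10.0.0.5", 80, 1180),     # ordinary web request
    ("10.0.0.5", 443, 2020),    # ordinary TLS session
    ("10.0.0.9", 53, 48000),    # DNS flow hundreds of times normal size
    ("10.0.0.9", 6667, 300),    # port never seen during learning
    ("10.0.0.6", 80, 1600),     # legitimate large page: flagged anyway (false positive)
]

if __name__ == "__main__":
    profile = build_profile(BASELINE_FLOWS)
    for src, reason in detect(profile, OBSERVED_FLOWS):
        print(src, reason)
```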

16
Passive and Reactive IDS
  • Host and network based systems can be either
    passive or reactive systems
  • Most network-based systems are passive with
    reactive capabilities
  • Passive
  • detect possible attacks, log the information and
    issue an alert
  • Reactive
  • attempt to react in some way to the malicious
    content they have spotted, such as changing firewall
    settings and/or permissions as appropriate
  • Though reactive systems implement nice defensive
    mechanisms, they are still prone to false
    positives

17
Reactive Network Based
  • Have the ability to react while watching the whole
    network, instead of on a per-system basis.
  • Authority to be reactive for a wide range of
    systems.
  • More control per one intrusion detection system
  • Methods of preventing/reacting
  • prevent known network/host based attacks from
    occurring
  • Insertion of Firewall rules
  • Packet Scrubbing
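The passive/reactive distinction from the previous two slides, as an added Python example that is not from the original deck: the same alert handler runs in passive mode (log and alert only) and in reactive mode (insert a firewall drop rule), with a per-source threshold so that a single alert, which may be a false positive, does not trigger a block. The firewall object and the alert stream are constructed stand-ins.

```python
from collections import defaultdict, deque

class FirewallRules:
    """Constructed stand-in for the firewall a reactive NIDS reconfigures."""
    def __init__(self):
        self.blocked = set()

    def insert_drop_rule(self, src):
        self.blocked.add(src)

class IDS:
    def __init__(self, mode, firewall=None, threshold=3, window=60):
        self.mode = mode                    # "passive" or "reactive"
        self.firewall = firewall
        self.threshold = threshold          # alerts needed before reacting
        self.window = window                # seconds the alerts must fall within
        self.log = []
        self.recent = defaultdict(deque)    # src -> timestamps of recent alerts

    def handle_alert(self, ts, src, reason):
        # Passive behaviour happens in both modes: log the event and alert.
        self.log.append((ts, src, reason))
        if self.mode != "reactive":
            return "alerted"
        # Reactive behaviour: only reconfigure the firewall once one source has
        # tripped `threshold` alerts inside `window`; a lone alert may be a
        # false positive, and blocking on it would cut off a legitimate user.
        q = self.recent[src]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold and src not in self.firewall.blocked:
            self.firewall.insert_drop_rule(src)
            return "blocked"
        return "alerted"

# Constructed alert stream from the sensors: (timestamp, src, reason).
ALERT_STREAM = [
    (0,  "10.0.0.6", "port 80 flow 3.2 sigma above normal"),   # lone anomaly
    (5,  "10.0.0.9", "sid 1001 directory traversal"),
    (12, "10.0.0.9", "sid 1002 sql injection"),
    (20, "10.0.0.9", "sid 1001 directory traversal"),          # third hit in 15 s
    (30, "10.0.0.9", "sid 1002 sql injection"),                # already blocked
]

def run_scenario(mode):
    """Feed the alert stream to an IDS in the given mode; return the action
    taken per alert and the firewall's resulting block list."""
    fw = FirewallRules()
    ids = IDS(mode, firewall=fw)
    actions = [ids.handle_alert(ts, src, reason) for ts, src, reason in ALERT_STREAM]
    return actions, fw.blocked
```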

18
Reactive Host Based
  • Events are entered into log files after
    completion, so relying on reading log files for
    reactive tactics won't work.
  • Reactive host-based systems tend to watch the
    actual file system (i.e. the kernel) for malicious or
    illegal content
  • Improper privilege escalation
  • While watching system calls and the kernel, an
    attempt to escalate privileges can be seen; a
    reactive host-based IDS can attempt to defeat
    it by ending the process.
  • Logging off malicious users
  • If activity is encountered that appears to be
    malicious, a reactive system can log the
    offending user off the system, block him from
    accessing the system until further notice, and
    inform an administrator of that host.

19
Conclusion
  • Problem
  • Hackers
  • Protecting yourself
  • Legal liability
  • IDS vs. Firewall
  • Need for both the Fence and the Guard Dog
  • Host and Network based IDS
  • Passive and Reactive IDS

20
  • Questions?