Distributed IDS - PowerPoint PPT Presentation


1
Distributed IDS
  • The implementation of a Distributed Intrusion
    Detection System over a medium scale open network
    where the focus is availability of services.
  • Darian Jenik - Network Management
  • Queensland University of Technology

2
What IDS is
  • IDS is a combination of methods for determining
    the presence and location of unauthorized
    activity on the computer network.
  • IDS is the detection and reporting of security
    vulnerabilities.
  • IDS is the logging and detection of internal
    users misdemeanors to protect liability

3
What IDS is not
  • IDS is NOT security
  • For security you need
  • Good security policy that is both documented and
    adhered to.
  • Good security practice by system administrators.
  • Hardened perimeter firewalls and DMZ firewalls.
  • IDS is not a product.
  • IDS is not a sensor.

4
The scale of the problem
  • Approximately 10000 hosts
  • 100 web servers
  • 300 servers of other type
  • Students
  • System Administrators
  • IAS

5
IDS should perform the following tasks
  • Detect known violations to host integrity by
    passively watching network traffic.
  • Respond to attempted violations by blocking
    external IP addresses.
  • Respond to probes from outside by blocking
    external IP addresses.
  • Find and report usage inconsistencies that
    indicate account/quota theft.
  • Detect violations by monitoring information (web
    pages etc.)
  • Help log and establish traffic/host usage
    patterns for future reference and comparison

6
Detect known violations to host integrity by
passively watching network traffic.
  • Just one type of sensor?
  • IDS sensors have traditionally been placed at
    gateways.
  • Put IDS sensors on hosts to look after specific
    services running on the hosts and detect port
    scans.

7
Respond to attempted violations by blocking
external IP addresses.
  • Make sure the IDS is able to respond and send
    commands to firewalls and/or hosts.
  • IDS sends RST packets to both ends of the
    connection.
  • IDS is able to insert rules into border firewall.

8
Respond to probes from outside by blocking
external IP addresses.
  • Attempts to open ports on servers that are not
    enabled. (Collate multiple servers to report to
    single location.)
  • Make flypaper IP addresses that have never been
    used for anything, which serve to pick up slow
    probes.
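The two ideas on this slide, collating "port not enabled" attempts from several servers and watching flypaper addresses, as an added example of the correlation logic (not code from the original presentation; the servers, ports, addresses and log lines are constructed):

```python
# Added example (not from the original slides): correlate connection attempts
# reported by several servers to spot probes. All values are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Services each server actually offers (assumed); any other port is "not enabled".
ENABLED_PORTS = {
    "10.0.1.10": {80, 443},
    "10.0.1.11": {25, 110},
    "10.0.1.12": {80},
}
# Flypaper addresses: allocated but never used for any service, so any
# packet sent to them is a probe by definition.
FLYPAPER = {"10.0.9.200", "10.0.9.201"}

# Constructed sample of the collated feed: "time server src dport".
SAMPLE_LOG = """\
2001-03-01T10:00:00 10.0.1.10 203.0.113.5 80
2001-03-01T10:03:00 10.0.1.10 203.0.113.7 8080
2001-03-01T11:10:00 10.0.1.11 203.0.113.7 8080
2001-03-01T12:40:00 10.0.1.12 203.0.113.7 8080
2001-03-01T12:41:00 10.0.9.200 203.0.113.9 22
2001-03-01T12:45:00 10.0.1.11 203.0.113.5 25
"""

def parse(log):
    for line in log.splitlines():
        ts, server, src, port = line.split()
        yield datetime.fromisoformat(ts), server, src, int(port)

def find_probes(log, min_servers=3, window=timedelta(hours=6)):
    """Return {src: reason} for sources that touched a flypaper address or hit
    a non-enabled port on min_servers distinct servers within window (a slow
    scan that no single server would notice on its own)."""
    hits = defaultdict(list)  # src -> [(time, server)] for non-enabled ports
    verdict = {}
    for ts, server, src, port in parse(log):
        if server in FLYPAPER:
            verdict[src] = "flypaper:" + server
            continue
        if port in ENABLED_PORTS.get(server, set()):
            continue  # legitimate service, ignore
        hits[src].append((ts, server))
    for src, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            servers = {s for t, s in events[i:] if t - start <= window}
            if len(servers) >= min_servers:
                verdict.setdefault(src, "scan:%d servers" % len(servers))
                break
    return verdict
```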

9
Find and report usage inconsistencies that
indicate account/quota theft.
  • Determine that the accounts authorized at the
    locations (dial in/pc) are the same accounts
    using other services (mail/proxy/other logins).
  • Failed login attempts against services.
  • Accounts being used simultaneously at various
    locations.
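The "accounts being used simultaneously at various locations" check from this slide, as an added example that is not part of the original presentation (the service names, locations and session records are constructed):

```python
# Added example (not from the original slides): flag accounts whose sessions
# on different services overlap in time from different locations, which the
# slide lists as a sign of account/quota theft. All records are constructed.
from collections import defaultdict
from datetime import datetime

# Constructed session records: "account service location start end".
SESSIONS = """\
jsmith dialin modem-pool-A 2001-03-01T09:00 2001-03-01T11:00
jsmith proxy  lab-3        2001-03-01T09:30 2001-03-01T10:15
jsmith mail   modem-pool-A 2001-03-01T10:00 2001-03-01T10:05
akhan  dialin modem-pool-B 2001-03-01T12:00 2001-03-01T13:00
akhan  proxy  modem-pool-B 2001-03-01T12:10 2001-03-01T12:50
"""

def parse_sessions(text):
    by_account = defaultdict(list)
    for line in text.splitlines():
        acct, svc, loc, start, end = line.split()
        by_account[acct].append(
            (datetime.fromisoformat(start), datetime.fromisoformat(end), svc, loc))
    return by_account

def concurrent_logins(text):
    """Return {account: [(svc1, loc1, svc2, loc2), ...]} for pairs of sessions
    that overlap in time at different locations. Overlaps from the same
    location (dial-in plus mail from one modem pool) are normal and skipped."""
    findings = defaultdict(list)
    for acct, sess in parse_sessions(text).items():
        sess.sort()  # by start time
        for i, (s1, e1, svc1, loc1) in enumerate(sess):
            for s2, e2, svc2, loc2 in sess[i + 1:]:
                if s2 >= e1:
                    break  # later sessions start even later: no overlap
                if loc1 != loc2:
                    findings[acct].append((svc1, loc1, svc2, loc2))
    return dict(findings)
```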

10
Detect violations by monitoring information. (web
pages etc.)
  • Graffiti (defaced web pages), DNS spoofing, warez repositories.
  • Ensure that the monitoring is external as well as
    internal.
  • http://forced.attrition.org/mirror/attrition/

11
Help log and establish traffic usage patterns for
future reference and comparison.
  • Central syslog collecting and analysis.
  • Tripwire
  • Nmap database
  • Performance and Usage analysis.

12
  • Open Source
  • Just about any platform (including Windows)
  • Many plugins and external modules.
  • Frequent rules updates.

13
Snort Plugins
  • Databases
  • MySQL
  • Oracle
  • PostgreSQL
  • unixODBC
  • Spade (Statistical Packet Anomaly Detection
    engine)
  • FlexResp (Session response/closing)
  • XML output
  • TCP streams (stream single-byte reassembly)

14
Snort Add-ons
  • ACID (Analysis Console for Intrusion Detection) -
    PHP
  • Guardian - IPCHAINS rules modifier (Girr
    remover)
  • SnortSnarf - HTML
  • Snortlog - syslog
  • Ruleset retrieve - automatic rules updater.
  • Snorticus - central multi-sensor manager shell
  • LogSnorter - syslog -> Snort SQL database
    information adder.
  • a few win32 bits and pieces.

15
ACID Snort
  • ACID is a CERT project.
  • Pretty simple PHP3 to MySQL
  • Quite customizable.
  • Simple GUI for casual browsing.

16
  • Main Console

17
  • Individual alerts

18
  • Securityfocus
  • Whitehats
  • CVE

19
  • Rule details

20
  • Incident details

21
  • Incident Details

22
Questions ?
23
URLs
  • www.snort.org
  • http://www.cert.org/kb/acid/
  • www.whitehats.com (Intrusion signatures data)
  • www.securityfocus.com (Intrusion signatures data)
  • http://cve.mitre.org/ (Intrusion signatures data)
  • http://www.psionic.com/ (logcheck hostsentry)