Intrusion Detection System(IDS) Overview - PowerPoint PPT Presentation

Provided by: raj590
1
Intrusion Detection System(IDS) Overview
  • Manglers

  • Gopal Paliwal

  • Roshni Zawar

  • SenthilRaja Velu

  • Sreevathsa Sathyanarayana

  • VijayaPriya Mani

2
Agenda
  • What is IDS
  • Why do I need IDS, I have a firewall?
  • Types of IDS
  • IDS Techniques
  • Common ID Framework
  • Issues in IDS
  • Popular IDS
  • Demo
  • References
  • Q&A

3
What is IDS
  • A system that detects break-ins or misuse of a
    system in a network.
  • In short, it's a burglar alarm for the network.
  • An IDS can detect network scans, DoS,
    unauthorized attempts to connect to services in
    the network, improper activity, etc.

4
Why do I need IDS, I have a firewall?
  • Today's security infrastructure includes
    firewalls, virus scanners, authentication
    systems, VPNs, etc.
  • Given their role, these are prime targets, and
    being managed by humans, they are error prone.
  • Failure of one of these tools will jeopardize
    security!

5
Why do I need IDS, I have a firewall? (contd.)
  • A firewall alone is not enough: not all traffic
    goes through it.
  • Firewalls do not protect against application-
    level weaknesses and are themselves subject to
    attack.

6
Where should the IDS go?
  • Depends primarily on the network setup.
  • In a DMZ area immediately inside the firewall.
  • At important locations in the network.
  • On a service host (like a web server).

7
Types of IDS
  • Host Based
      • Collects and analyzes data that originate from a
        host (e.g., web server).
  • Network Based
      • Collects and analyzes packets that travel over
        the network.
  • Stack Based (recent)
      • Integrated into the TCP/IP stack, so that
        malicious packets are caught even before they
        reach the application.

8
IDS Techniques
  • Anomaly Detection
      • Establishes a baseline traffic pattern and
        generates an alert when a flow of traffic
        deviates from that baseline.
  • Misuse Detection (or) Signature Detection
      • Generates an alert when observed activity matches
        an existing signature of a known intrusion.
        Predicts and detects subsequent similar attempts.
  • Target Monitoring
      • A corrective control designed to uncover
        unauthorized actions (e.g., file modification)
        after they occur.
  • Stealth Probes
      • Check for methodical attacks carried out over a
        prolonged period of time.
      • Discover correlated attacks.
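
As an added example that is not part of the slides, the two main techniques above run side by side over a constructed connection log in Python: a small regex table stands in for a signature (misuse) database, and a per-source distinct-port baseline drives the anomaly detector. The signatures, log lines and mean + k*stdev threshold rule are all assumptions made for the illustration, not Snort's format or rules.

```python
import re
import statistics
from collections import defaultdict
# Hypothetical signature table (rule name -> payload regex); not real Snort rule syntax.
SIGNATURES = {
    "dir-traversal": re.compile(r"\.\./"),
    "sql-injection": re.compile(r"(?i)union\s+select"),
}

# Constructed training window, "src dst_port payload" per line, all benign traffic.
BASELINE_LOG = """\
10.0.0.5 80 GET /index.html
10.0.0.5 443 GET /login
10.0.0.6 80 GET /about.html
10.0.0.7 22 SSH-2.0-OpenSSH_8.9
10.0.0.8 21 USER anonymous
10.0.0.8 80 GET /index.html"""

# Constructed live window: 10.0.0.9 sends hostile requests, 10.0.0.99 probes ports.
LIVE_LOG = """\
10.0.0.5 80 GET /index.html
10.0.0.9 80 GET /../../etc/passwd
10.0.0.9 80 GET /search?q=1 UNION SELECT 1
10.0.0.99 21 USER anonymous
10.0.0.99 22 SSH-2.0-probe
10.0.0.99 23 IAC DO"""

def parse(log):
    """Split each 'src dst_port payload' line into a dict (payload may contain spaces)."""
    return [dict(zip(("src", "port", "payload"), line.split(" ", 2)))
            for line in log.splitlines()]

def signature_alerts(events):
    """Misuse detection: one alert per (source, rule) whose regex matches the payload."""
    return [(e["src"], name) for e in events
            for name, rx in SIGNATURES.items() if rx.search(e["payload"])]

def ports_per_source(events):
    """Number of distinct destination ports each source address touched."""
    ports = defaultdict(set)
    for e in events:
        ports[e["src"]].add(e["port"])
    return {src: len(p) for src, p in ports.items()}

def anomaly_alerts(baseline_events, live_events, k=2.0):
    """Anomaly detection: flag sources whose distinct-port count exceeds mean + k*stdev
    of the baseline; a smaller k catches subtler scans but raises false positives."""
    counts = list(ports_per_source(baseline_events).values())
    threshold = statistics.mean(counts) + k * statistics.pstdev(counts)
    return [src for src, n in ports_per_source(live_events).items() if n > threshold]
```

With the constructed data the baseline is mean 1.5 ports per source with a standard deviation of 0.5, so only the host touching three ports trips the anomaly detector, while the signature matcher flags the two hostile requests regardless of volume.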

9
Common ID Framework

10
Issues in IDS
  • Large number of false positives.
  • Very difficult to configure the security rules.
  • Continuous updating of the signature database is
    a must.
  • NIDS is unreliable on high-speed and switched
    networks.

11
Popular IDS Tools
  • Snort
  • Cisco IDS
  • RealSecure, by Internet Security Systems
  • Dragon, by Enterasys
  • NFR, by Flight Recorder (also available in a free
    research version)
  • Tripwire, by the Tripwire Open Source team
  • Tcpwrappers, by Wietse Venema
  • PortSentry, by Psionic Technologies
  • AIDE (Advanced Intrusion Detection Environment)

12
Demo
  • Snort is a lightweight open source NIDS,
    capable of performing real-time traffic analysis
    and packet logging.
  • Snort works in various modes:
      • sniffer mode (acts as a protocol analyzer)
      • packet-logger mode
      • NIDS mode

13
Network Topology
  • SNORT
  • Web server
  • FTP server
  • Internal Node

(Topology diagram; hosts labelled in the figure: supernova (192.168.1.102), milkyway (192.168.1.103), and the intruder trudy (192.168.6.201).)

14
References
  • Book: Intrusion Detection System with Snort, by
    Jack Koziol
  • Snort IDS (www.snort.org)
  • Intrusion Detection Systems
    (www.certiguide.com/secplus/cg_sp_34IntrustionDetectionSystem.htm)
  • An introduction to IDS
    (http://www.securityfocus.com/infocus/1520)
  • Intrusion Detection FAQ: Why is intrusion
    detection required in today's computing
    environment?
    (http://www.sans.org/resources/idfaq/id_required.php)
  • IDS, what is it and why do we need it?
    (http://www.ixact.ch/english/pagesnav/IN.htm)

15
Q&A