Intrusion Detection Systems IDS - PowerPoint PPT Presentation

Provided by: Jonathan3
1
Intrusion Detection Systems (IDS)
  • What is an IDS?
  • What is available on the market
  • Intrusion prevention system (IPS)
  • Context for the assignment
  • Summary

2
IDS
  • An intrusion is a deliberate, unauthorized
    attempt to access or manipulate information or
    systems, or to render them unreliable or unusable
  • When suspicious activity is from your internal
    network it can also be classified as misuse
  • An intrusion detection system (IDS) is
    software/hardware that monitors activity on the
    system or network
  • And delivers an alert if it notices suspicious
    activity
  • A bit like a burglar alarm

3
The Puzzle
  • Intrusion Detection Systems are only one piece
    of the whole security puzzle
  • IDS must be supplemented by other security and
    protection mechanisms
  • They are a very important part of your security
    architecture but do not solve all your problems
  • Part of defence in depth
  • More generically, most single defences can fail
  • We always need defence in depth: multiple
    layers, of different designs and philosophies
  • One such layer: Intrusion Detection Systems

4
Why do I need an IDS if I have a Firewall?
  • Not all traffic may go through a firewall, e.g. a
    modem on a user computer
  • Not all threats originate from outside. As
    networks use more and more encryption,
    attackers will aim at the location where data is
    often stored unencrypted (the internal network)
  • A firewall does not protect appropriately against
    application-level weaknesses and attacks
  • Firewalls are subject to attacks themselves
  • An IDS protects against misconfiguration or faults
    in other security mechanisms
  • A traditional firewall examines headers
  • An IPS examines the payload as well

5
Real Life Analogy
  • It's like security at the airport... You can put
    up all the fences in the world and have strict
    access control, but the biggest threat is all
    the PASSENGERS (packets) that you MUST let
    through! That's why there are metal detectors to
    detect what they may be hiding (packet content).
  • You have to let them get to the planes (your
    application) via the gate (port 80), but without
    X-rays and metal detectors you can't be sure
    what they have under their coats.
  • Firewalls are really good access control points,
    but they aren't really good for or designed to
    prevent intrusions.
  • That's why most security professionals back their
    firewalls up with IDS, either behind the firewall
    or at the host.

6
What can IDS Realistically do?
  • Monitor and analyse user and system activities
  • Auditing of system and configuration
    vulnerabilities
  • Assess integrity of critical system and data files
  • Recognition of patterns reflecting known attacks
  • Statistical analysis for abnormal activities
  • Data trail, tracing activities from point of
    entry up to the point of exit
  • Installation of decoy servers (honey pots)
  • Installation of vendor patches (some IDS)

7
IDS- Terms and Concepts
  • Security policies (see last week) are either
    prohibitive or permissive
  • An IDS is sensitive to configuration
  • To achieve the goals of your security policy, you
    must be able to configure it appropriately
  • If not, it will produce errors
  • There are three basic types of IDS errors
  • False positives
  • Normal activity considered suspicious
  • False negatives
  • Suspicious activity or intrusion which has been
    missed
  • Subversion error
  • Circumventing the IDS itself

8
Intrusion Detection
  • Assumption: the behavior of the intruder differs
    from that of the legitimate user.
  • But there is overlap. A loose interpretation of
    intruder may lead to false positives; on the
    other hand, a tight interpretation may lead to
    false negatives (risky!)

9
Dealing with Intruders
  • Intruders can be external or internal
  • External intruders are hackers or crackers
  • Internal intruders are equally dangerous and
    surprisingly common
  • An organisation's security policy (see assignment
    context) should state what steps will be taken to
    handle intrusions, and include
  • Block and ignore
  • Simplest tactic for handling intrusions
  • Block the intruder and address the vulnerability
  • Don't take any further action

10
Dealing with Intruders
  • Block and investigate
  • Block the intruder and address the vulnerability
  • Collect evidence and try to determine the
    intruder's identity
  • Although this may result in finding and stopping
    the intruder, it can be costly and time-consuming
  • Honeypot (bait the intruder) <see this link>
  • Allow the intruder to access a part of your
    network
  • Try to catch the intruder while he/she explores
  • This is a potentially dangerous approach
  • The intruder does have at least partial access
  • Crackers may become interested in your site

11
Detecting Intruders
  • An IDS monitors system activity in some way
  • When it detects suspicious activity, it performs
    an action
  • The action is usually an alert of some type
  • E-mail, cell phone, audible alert <Attacker 3.0>,
    etc. to a person or process
  • All IDS systems continuously sample system
    activity and compare the samples to a database
    (see assignment context)
  • E.g. BASE (Basic Analysis and Security Engine)
    used by Snort
  • Performs analysis of intrusions that Snort has
    detected on your network

12
IDS Design Criteria
  • An IDS must run unattended for extended periods
    of time
  • The IDS must stay active and secure
  • The IDS must be able to recognise unusual
    activity
  • The IDS must operate without unduly affecting the
    system's activity
  • The IDS must be configurable

13
IDS Cycle
  • IDS comprises three logical components
  • Sensors to collect data. Input types: network
    packets, log files, system call traces
  • Analyzers receive input from sensors.
    Responsible for intrusion detection
  • User interface may be a manager, director, or
    console

14
Components of an IDS
15
Types of IDS
  • Two basic types of intrusions
  • Misuse intrusion: an attack against a known
    vulnerability
  • Relatively easy to detect because the actions
    required for the exploit are known (called the
    attack signature)
  • IDS knows what an attack looks like and looks for
    it.
  • Anomaly intrusion: an attack against a new
    vulnerability or one using an unknown set of
    actions
  • Relatively difficult to detect, must compare
    current system activity with some normal baseline
    of activity
  • Two types of IDS that correspond to the two
    intrusion types (see practical sheet for this
    week)
  • Signature based (most popular)
  • Knowledge based

16
Signature-based IDS
  • They use a signature-based method that works like
    an antivirus
  • They examine network packet traffic for
    specific patterns of attack.
  • Signatures must be developed specifically for the
    attack so the IDS can recognize the attack. These
    systems require large signature databases so that
    every packet can be compared to the database.
  • As new attacks are discovered every day, IDS
    which relies solely on this approach will always
    be out of date.
  • The other challenge is keeping up with the speed
    of the network: as network speeds increase, the
    sensors lack the resources to look at every
    packet, so some packets are discarded.
  • As a result, attacks could easily go unnoticed by
    the IDS.
  • Higher speeds can increase the false positive
    rate

17
Anomaly Based IDS
  • An anomaly is defined as something different,
    abnormal, peculiar, or not easily classified
  • It can include things such as traffic patterns,
    user activity, and application behavior
  • The general approach used by anomaly detection is
    that something (i.e., a network, a host, a set of
    users, etc.) is observed and compared against
    expected behavior.
  • If there is a variation from the expected, that
    variation is flagged as an anomaly.
  • Rather than defining what is not allowed or
    bad, it defines what is allowed or good.

18
Anomaly Based IDS
  • Anomaly detection relies on having some
    definition of allowed behavior
  • The definition of what is allowed tends to be
    much shorter.
  • It also tends not to require changes as new
    problems are created or discovered
  • Anomaly detection systems monitor networks for
    two primary criteria
  • Characteristic deviation
  • Statistical deviation
  • Characteristic deviations tend to be more
    qualitative. For example, user joe123 does not
    normally transfer files outside of the
    company.
  • Statistical deviations tend to be more
    quantitative. For example, this site's ICMP
    traffic never exceeds 15% of capacity.
  • Anomaly Detection Approaches
  • Behavioral
  • Traffic pattern
  • Protocol
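
As an added illustration (not part of the original slides), the two criteria above in Python: a constructed per-user profile supplies the characteristic check, and a constructed series of ICMP load samples supplies the statistical baseline. The profile contents, the sample values and the 3-sigma ceiling are assumptions made for this example.

```python
import statistics

# Constructed per-user profiles of allowed behaviour (characteristic criterion).
# A real anomaly IDS learns these from history; here they are given directly.
ALLOWED = {
    "joe123": {"web", "email", "internal_transfer"},
    "ops_admin": {"ssh", "internal_transfer", "external_transfer"},
}

# Constructed baseline samples: ICMP share of link capacity (%) over 12 intervals.
ICMP_HISTORY = [4.0, 5.5, 3.8, 6.1, 4.9, 5.2, 4.4, 5.8, 3.9, 6.3, 5.0, 4.7]


def characteristic_deviation(user, action):
    """Qualitative check: an action outside the user's profile is an anomaly.
    An unknown user has an empty profile, so everything they do is flagged."""
    return action not in ALLOWED.get(user, set())


def baseline(samples, k=3.0):
    """Statistical baseline: mean and a ceiling k standard deviations above it."""
    mu = statistics.mean(samples)
    sigma = statistics.pstdev(samples)
    return mu, mu + k * sigma


def statistical_deviation(observed, ceiling):
    """Quantitative check: a value above the learned ceiling is an anomaly."""
    return observed > ceiling


def detect(events, icmp_history=ICMP_HISTORY):
    """Evaluate a stream of ("user", name, action) and ("icmp", percent) events
    against both criteria and return the anomaly descriptions, in order."""
    _, ceiling = baseline(icmp_history)
    alerts = []
    for ev in events:
        if ev[0] == "user":
            _, user, action = ev
            if characteristic_deviation(user, action):
                alerts.append(f"characteristic: {user} performed {action}")
        elif ev[0] == "icmp":
            _, pct = ev
            if statistical_deviation(pct, ceiling):
                alerts.append(f"statistical: ICMP at {pct}% exceeds ceiling {ceiling:.1f}%")
    return alerts


if __name__ == "__main__":
    # Constructed observations: one benign and one anomalous event of each kind.
    sample = [("user", "joe123", "web"), ("user", "joe123", "external_transfer"),
              ("icmp", 5.0), ("icmp", 15.0)]
    for line in detect(sample):
        print(line)
```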

19
Behavioral Anomaly IDS
  • They look for anomalies in behavior
  • They may also cover some statistical criteria
  • What types of application protocols are used at
    various times of day
  • Relationships between source and destination
    networks
  • What types of e-mail attachments are sent
  • E.g. Credit card fraud systems to monitor credit
    card usage
  • E.g. Detection of excessive use, detection of use
    at unusual hours and detection of changes in
    system calls made by user processes.
  • Such systems can be constructed to detect very
    subtle qualitative anomalies
  • But they are difficult to design, as user
    behavior might change

20
Traffic pattern anomaly IDS
  • They look for anomalies of network traffic
    patterns
  • They are primarily statistical in nature
  • E.g. Simple Network Management Systems /
    Denial-of-Service monitoring systems
  • Disadvantage is that they are often unable to
    detect subtle quantitative or most qualitative
    anomalies.
  • They also present some difficulties in defining a
    reliable baseline upon which to perform the
    statistical analysis.

21
Protocol Anomaly IDS
  • It focuses on the content of the network
    communications at the protocol level: Telnet,
    HTTP, RPC, and SMTP.
  • Packets are statefully inspected in the context
    of previous packets transmitted in the same
    conversation.
  • As a conversation progresses, it is evaluated by
    a protocol state machine to determine if the
    protocol has been abused in any way.
  • Attackers can use certain programming errors
    (buffer overflows) to compromise or damage a
    system.
  • These attacks exploit poor programming practices
    and are quite common.
  • When protocol rules are modeled directly in the
    sensors, it is easy to identify traffic that
    violates the rules, such as unexpected data,
    extra characters, and invalid characters.
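
An added example, not from the slides: a simplified SMTP command state machine in Python that flags out-of-order commands, oversized lines and non-printable characters in a constructed client conversation. The transition table, the 512-byte line limit (taken from RFC 5321) and the two sample conversations are assumptions of this example, not a full protocol implementation.

```python
import re

# Simplified model of the SMTP client side, written for this example:
# which commands may follow in each state. Not a full RFC 5321 implementation.
TRANSITIONS = {
    "INIT":    {"HELO": "GREETED", "EHLO": "GREETED", "QUIT": "DONE"},
    "GREETED": {"MAIL": "MAIL", "RSET": "GREETED", "NOOP": "GREETED", "QUIT": "DONE"},
    "MAIL":    {"RCPT": "RCPT", "RSET": "GREETED", "QUIT": "DONE"},
    "RCPT":    {"RCPT": "RCPT", "DATA": "DATA", "RSET": "GREETED", "QUIT": "DONE"},
    "DATA":    {},       # message body; ended by a line holding only "."
    "DONE":    {},       # nothing is legitimate after QUIT
}
MAX_LINE = 512                                   # RFC 5321 command line limit incl. CRLF
PRINTABLE = re.compile(r"^[\x20-\x7e]*$")        # printable ASCII only


def inspect_conversation(lines):
    """Run the client lines of one TCP conversation through the state machine
    and return a description of every protocol anomaly, in order."""
    state, anomalies = "INIT", []
    for n, line in enumerate(lines, 1):
        if len(line) + 2 > MAX_LINE:
            anomalies.append(f"line {n}: oversized line ({len(line)} bytes)")
        if not PRINTABLE.match(line):
            anomalies.append(f"line {n}: invalid characters in state {state}")
        if state == "DATA":
            if line == ".":
                state = "GREETED"
            continue                             # body content is not a command
        verb = line.split(" ", 1)[0].split(":", 1)[0].upper()
        nxt = TRANSITIONS[state].get(verb)
        if nxt is None:
            anomalies.append(f"line {n}: unexpected {verb!r} in state {state}")
            continue                             # stay in place and keep evaluating
        state = nxt
    return anomalies


# Constructed conversations: a normal delivery and an abusive one.
BENIGN = ["EHLO client.example", "MAIL FROM:<alice@example.test>",
          "RCPT TO:<bob@example.test>", "DATA", "Subject: hello", "", ".", "QUIT"]
ABUSIVE = ["MAIL FROM:<a@b>",                  # command before any greeting
           "HELO x",
           "RCPT TO:<" + "A" * 600 + ">",       # oversized and out of order
           "MAIL FROM:<c@d>",
           "RCPT TO:<e\x01f>"]                  # control character in an address

if __name__ == "__main__":
    for anomaly in inspect_conversation(ABUSIVE):
        print(anomaly)
```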

22
Network-Based Vs Host-Based IDS
  • IDS systems are also classified by their intended
    locations
  • A network-based IDS monitors all traffic on a
    network segment (portion of the network)
  • Can detect intrusions that cross a specific
    network segment
  • Administrators sometimes place one inside and one
    outside of a firewall
  • Will not see traffic that passes between LAN
    computers

23
A Network-Based IDS
24
Host-based IDS
  • Monitor activities on hosts for
  • Known attacks or
  • Suspicious behavior
  • Designed to detect attacks such as
  • Buffer overflow
  • Escalation of privilege
  • Little or no view of network activities

25
Network-Based Vs Host-Based IDS
  • A host-based IDS examines all traffic and
    activity for a particular machine
  • Can examine system log files as well as inbound
    and outbound packets
  • Each system requires its own IDS
  • Which one is best?
  • See practical sheet for this week
  • Many firewalls provide some IDS functionality
  • See practical sheet for this week

26
Inline versus Audit-Based IDS
  • Should the IDS detect attacks in real-time or
    using audit log processing?
  • Inline will have incomplete data.
  • Inline is also computationally expensive.
  • Audit log processing is after the fact.
  • Audit log formats vary quite a bit.
  • A combined approach is feasible, but costly.

27
Choosing an IDS
  • 1. determine what your organisation's security
    needs are
  • 2. research the different IDS packages available
  • Could be a mixture of network-based and
    host-based IDS

28
Choosing and Implementing an IDS
  • An effective IDS does not stand alone. It must be
    supported by a number of other systems.
  • Operating Systems. A good operating system that
    has logging and auditing features. Most modern
    operating systems, including Windows, Unix and
    Unix variants, have these features, which can be
    used to monitor security-critical resources.
  • Services. All applications on servers such as
    Web servers, e-mail servers, and databases should
    include logging/auditing features as well.
  • Firewalls. A good firewall should have some
    network intrusion detection capabilities.
  • Network management platform. Whenever network
    management services such as OpenView are used,
    make sure that they do have tools to help in
    setting up alerts on suspicious activity.

29
Using Rules and Setting Thresholds for Detection
  • A rule tells the IDS which packets to examine and
    what action to take
  • To compare packets to rules, the IDS sniffs the
    packets
  • And compares them to the signature database
  • If found to be a known attack then IDS takes
    action and generates an alert
  • Example rule
  • alert tcp any any -> 192.168.1.0/24 111
    (content:"|00 01 86 a5|"; msg:"mountd access";)
  • alert specifies the action to take
  • tcp specifies the protocol
  • any any specifies any source address and port;
    192.168.1.0/24 specifies the destination subnet
  • 111 specifies the destination port
  • content specifies a value to look for in the
    payload
  • msg specifies the message to send with the alert
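
An added example, not from the slides: the rule above in Snort's actual syntax, with a small Python parser that splits it into header fields and options, and a matcher that applies it to constructed packets (one carrying an RPC-style payload containing the mountd program number, two that differ in destination or payload). The packet dict layout and the sample addresses are assumptions of this example, and the matcher handles only the content and msg options.

```python
import ipaddress
import re

# The rule from the slide, in Snort's own syntax.
RULE = 'alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)'

# header layout: action proto src sport -> dst dport (options)
HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

def parse_rule(text):
    """Split a one-line rule into header fields plus the content and msg options."""
    m = HEADER.match(text)
    if not m:
        raise ValueError("malformed rule")
    rule = m.groupdict()
    opts = {}
    for opt in filter(None, (o.strip() for o in rule.pop("opts").split(";"))):
        key, _, val = opt.partition(":")
        opts[key.strip()] = val.strip().strip('"')
    content = opts.get("content", "")
    # Snort writes raw bytes between pipes as hex: "|00 01 86 a5|"
    if content.startswith("|") and content.endswith("|"):
        rule["content"] = bytes.fromhex(content.strip("|"))
    else:
        rule["content"] = content.encode()
    rule["msg"] = opts.get("msg", "")
    return rule

def _addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def _port_ok(spec, port):
    return spec == "any" or int(spec) == port

def match(rule, pkt):
    """Return an alert string if pkt (a dict) matches rule, otherwise None."""
    if (pkt["proto"] != rule["proto"]
            or not _addr_ok(rule["src"], pkt["src"]) or not _port_ok(rule["sport"], pkt["sport"])
            or not _addr_ok(rule["dst"], pkt["dst"]) or not _port_ok(rule["dport"], pkt["dport"])):
        return None
    if rule["content"] not in pkt["payload"]:      # payload inspection, not only headers
        return None
    return f'[{rule["action"]}] {rule["msg"]}: {pkt["src"]}:{pkt["sport"]} -> {pkt["dst"]}:{pkt["dport"]}'

# Constructed packets: an RPC-style payload carrying program number 0x000186a5 (mountd),
# then the same payload to a host outside the subnet, then a non-RPC payload to the subnet.
RPC_MOUNTD = bytes.fromhex("80 00 00 28 00 00 00 0a 00 00 00 00 00 00 00 02 00 01 86 a5 00 00 00 01")
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40000, "dst": "192.168.1.20", "dport": 111, "payload": RPC_MOUNTD},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40001, "dst": "10.1.1.20", "dport": 111, "payload": RPC_MOUNTD},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40002, "dst": "192.168.1.20", "dport": 111, "payload": b"GET / HTTP/1.0\r\n"},
]

if __name__ == "__main__":
    rule = parse_rule(RULE)
    print([a for a in (match(rule, p) for p in PACKETS) if a])
```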

30
Using Rules and Setting Thresholds for Detection
  • A threshold is a value that represents the
    boundary of normal activity
  • For example, if the login failure threshold is
    three, the IDS takes some action after the third
    failed attempt
  • Action might be to lock the account and notify an
    administrator
  • Other thresholds include
  • file Input/Output,
  • network activity
  • administrator logins and actions

31
A typical IDS
  • Snort is an example of an IDS
  • Freely available
  • Originally written for UNIX, but now available
    for Windows also
  • easy deployment and configuration
  • May work in host-based and network-based manner
  • A configurable packet sniffer
  • Snort analyses network traffic in real time
  • real-time packet capture and rule analysis
  • Sensors can be inline or passive
  • Snort can also be used as IPS

32
Exploring a Typical IDS
  • Snort sniffs a packet from the network
  • A preprocessor looks at the packet header and
    decides whether to analyse it further
  • If so, the detection engine compares pattern from
    rules to the packet payload
  • If the payload matches, the appropriate action is
    taken
  • Snort can be used in a plain packet sniffer mode
    or in full IDS mode
  • Snort has numerous options that are used to
    configure its activity

33
Exploring a Typical IDS
34
Exploring a Typical IDS
35
Exploring a Typical IDS
37
Problems with IDS
  • Cost of update and keeping current is growing
  • Organizations lack internal expertise
  • MSSP industry also suffering
  • IDS systems suffer from False Negative Problem
  • New augmented IDS with Anomaly Detectors are
    appearing in the commercial market
  • Initial focus on protocols
  • IDS are inherently noisy and chatty and suffer
    from the False Positive problem
  • Volumes of alerts are crushing
  • Homing in on the most serious threats is hard
  • NIDS positioned at the perimeter
  • The most serious/predominant threat is the
    insider
  • Host and LAN-based IDS now more crucial

38
Intrusion Prevention Systems (IPSs)
  • Although IDS have been one of the cornerstones of
    network security, they have covered only one
    component of the total network security picture,
    since they are a passive component which only
    detects and reports without preventing.
  • A promising new model is developing and picking
    up momentum: the intrusion prevention system
    (IPS), whose aim is to prevent attacks.
  • Like their counterparts the IDS, IPS fall into
    two categories: network-based and host-based.

39
Network-Based IPS
  • NIDSs passively detect intrusions into the
    network without preventing them from entering the
    network
  • Many organizations in recent times have been
    bundling IDS and firewalls to create a model
    that can detect and then prevent
  • The IDS fronts the network with a firewall behind
    it. On the detection of an attack, the IDS then
    goes into the prevention mode by altering the
    firewall access control rules on the firewall.
    The action may result in the attack being blocked
    based on all the access control regimes
    administered by the firewall.

40
NIPS
  • IPSs come in different forms
  • NIDS with two NICs
  • Inline NIDS
  • Inline NIDS with scrubber
  • IPS with two NICs configured as follows
  • One NIC has an IP address and handles traffic
    management
  • Second NIC has no IP address and performs attack
    detection only

41
IPS with two NICs
42
IPS with inline NIDS
43
IPS with scrubber
44
Host-Based IPS
  • Host-based IPSs reside on servers and
    workstations; they examine application actions
    and calls to the system to look for anything
    prohibited or out of the ordinary
  • HIPS blocks suspicious executables or processes
    from running by default.
  • HIPS can be effective at detecting viruses
    attempting to infect files and Trojan horses
    attempting to replace files, as well as the use of
    attacker tools, such as rootkits, that are often
    delivered by malware

45
Summary
  • An intrusion is the use of a system without
    authorisation
  • An intrusion detection system (IDS) is hardware
    or software that monitors system activity, and
    looks for and responds to suspicious behavior
  • IDS can help with security audit for an
    organisation
  • Intruders can be external or internal
  • Responses to intruders are block and ignore,
    block and investigate, and honeypot

46
Summary
  • Two basic types of intrusions are misuse
    intrusion and anomaly intrusion
  • Corresponding IDS types are
  • signature-based
  • signature-based IDS compares attack signatures to
    a signature database
  • knowledge-based
  • knowledge-based IDS compares threshold values to
    current activity
  • A mix of different IDS should be used at various
    locations in the company's enterprise
  • Explicit IDS systems should be updated regularly
    with signatures etc.
  • Snort is a typical, freely available, IDS