An Introduction To Gateway Intrusion Detection Systems - PowerPoint PPT Presentation

Description: Nitro Data Systems. What Is a Gateway IDS? Gateway Intrusion Detection System ... Jed Haile, Nitro Data Systems 2002. Basic Theory of Operation ...

Slides: 19
Provided by: jedh

Transcript and Presenter's Notes

1
An Introduction To Gateway Intrusion Detection Systems
  • Hogwash GIDS
  • Jed Haile
  • Nitro Data Systems

2
What Is a Gateway IDS?
  • Gateway Intrusion Detection System
  • A network intrusion detection system which acts
    as a network gateway
  • Designed to stop malicious traffic and generate
    alerts on suspicious traffic
  • An ideal gateway IDS is able to stop all known
    exploits

3
GIDS vs NIDS
  • GIDS
    – Acts as network gateway
    – Stops suspect packets
    – Prevents successful intrusions
    – False positives are VERY bad
  • NIDS
    – Only observes network traffic
    – Logs suspect packets and generates alerts
    – Cannot stop an intruder
    – False positives are not as big of an issue

4
About Hogwash
  • Based on the Snort intrusion detection system
  • Operation is similar to some bridging firewalls
  • Uses Snort rules with some additional keywords to
    make forward/drop decisions
  • Compatible with most Snort plugins
  • Freely available under the GPL

5
Basic Theory of Operation
  • Much like a bridging firewall, Hogwash makes
    forward/drop decisions
  • This packet is always good so pass it into my
    network.
  • This packet is always bad so drop it and tell me
    about it.
  • This packet is sometimes bad so tell me about it,
    but don't drop it.

6
Typical Hogwash Installation
7
New Hogwash Keywords
  • drop: drops the packet, sends an RST, logs the
    packet
  • ignore: drops the packet without sending an RST
  • sdrop: drops the packet, sends an RST, does not
    log the packet

8
Multipacket Signature Matching
  • Hogwash cannot do traditional stream reassembly
  • Instead, Hogwash can watch for partial content
    matches at the end of a packet
  • If there is a partial match, Hogwash goes ahead
    and forwards the packet and caches a copy
  • When the next packet comes, Hogwash reassembles
    the two packets and runs the result back through
    the detection engine; if it matches, the second
    packet is dropped
  • Also works for out-of-order packets
  • Enabled by using the multi keyword in a rule
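The partial-match-and-cache logic described on this slide, as an added example that is not Hogwash's own code. It models a single content signature per flow and ignores TCP reordering; the flow key, the signature and the sample payloads are constructed.

```python
# Added example (not Hogwash's own code): a minimal model of Hogwash's
# multipacket matching for one content signature. A full match drops the
# packet. A partial match at the tail of the packet is forwarded but the
# fragment is cached, and the next packet of the same flow is inspected as
# cached fragment + new payload, so a signature split across two packets is
# still caught (the second packet is the one dropped). Reordering is not
# modelled here.

from typing import Dict, Tuple

Flow = Tuple[str, int, str, int]  # (src ip, src port, dst ip, dst port)


def tail_partial_match(payload: bytes, sig: bytes) -> bytes:
    """Return the longest proper prefix of sig that ends the payload."""
    for n in range(len(sig) - 1, 0, -1):
        if payload.endswith(sig[:n]):
            return payload[-n:]
    return b""


class MultiPacketMatcher:
    def __init__(self, signature: bytes) -> None:
        self.sig = signature
        self.cache: Dict[Flow, bytes] = {}   # per-flow cached tail fragment

    def inspect(self, flow: Flow, payload: bytes) -> str:
        """Return 'drop' or 'forward' for this packet of the given flow."""
        data = self.cache.pop(flow, b"") + payload
        if self.sig in data:
            return "drop"              # signature completed, maybe across packets
        tail = tail_partial_match(payload, self.sig)
        if tail:
            self.cache[flow] = tail    # forward now, remember the fragment
        return "forward"
```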

9
Defeating Portscans
  • Hogwash uses state counting to detect portscans
  • Each time a new session (TCP, UDP, ICMP) is
    initiated in your network, Hogwash notes it
  • All sessions from a host are tracked until the host
    has been idle for some period of time, 60 seconds
    by default
  • If a host hits more than 20 unique ports or 5
    unique targets, it is judged to be portscanning.
    These thresholds are user configurable.
  • Hogwash will then drop all of that portscanner's
    packets
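The state counting described on this slide, as an added example that is not Hogwash's own code. It uses the slide's defaults (60 s idle timeout, more than 20 unique ports or 5 unique targets) as constants; the session events fed to it are constructed.

```python
# Added example (not Hogwash's own code): per-source-host state counting.
# Every new session from a host is recorded against that host; the host's
# state is discarded once it has been idle longer than IDLE_SECONDS. When a
# host has touched more than MAX_PORTS unique (proto, port) pairs or more
# than MAX_TARGETS unique destinations it is flagged, and all of its further
# packets are dropped until its state expires. ICMP sessions use port 0.

from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

IDLE_SECONDS = 60    # slide's default idle timeout
MAX_PORTS = 20       # slide's default unique-port threshold
MAX_TARGETS = 5      # slide's default unique-target threshold


@dataclass
class HostState:
    last_seen: float
    ports: Set[Tuple[str, int]] = field(default_factory=set)  # (proto, port)
    targets: Set[str] = field(default_factory=set)
    scanning: bool = False


class PortscanTracker:
    def __init__(self) -> None:
        self.hosts: Dict[str, HostState] = {}

    def new_session(self, ts: float, src: str, proto: str,
                    dst: str, dport: int) -> str:
        """Record a new session and return 'drop' or 'forward'."""
        st = self.hosts.get(src)
        if st is None or ts - st.last_seen > IDLE_SECONDS:
            st = HostState(last_seen=ts)     # fresh or expired state
            self.hosts[src] = st
        st.last_seen = ts
        if st.scanning:
            return "drop"                    # already flagged: drop everything
        st.ports.add((proto, dport))
        st.targets.add(dst)
        if len(st.ports) > MAX_PORTS or len(st.targets) > MAX_TARGETS:
            st.scanning = True
            return "drop"
        return "forward"
```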

10
Content Replacement
  • Hogwash can replace content in a packet
  • The replace keyword tells Hogwash to replace a
    detected string with another string.
  • Example
  • alert tcp any any -> $IIS_SERVERS 80
    (content:"cmd.exe"; replace:"yyy.yyy";)
  • Any content in the packet payload can be
    replaced.
  • A great way to break an exploit without dropping
    the packet!!
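What a replace rule has to do to a forwarded packet, as an added example that is not Hogwash's own code. It uses the slide's "cmd.exe" to "yyy.yyy" rewrite; the same-length requirement and the TCP checksum fix-up are this example's assumptions about how such a rewrite must behave, not statements from the slide, and the sample segment is constructed.

```python
# Added example (not Hogwash's own code): rewriting a detected string inside
# a TCP payload the way the replace keyword does. The replacement keeps the
# payload length unchanged, so sequence numbers and the IP length stay
# valid, and the TCP checksum is recomputed so the receiver accepts the
# modified segment. (Equal length and checksum fix-up are assumptions of
# this example, not text from the slide.)

import struct
from ipaddress import IPv4Address


def replace_content(payload: bytes, match: bytes, replacement: bytes) -> bytes:
    """Overwrite every occurrence of match with a same-length replacement."""
    if len(match) != len(replacement):
        raise ValueError("replacement must keep the payload length unchanged")
    return payload.replace(match, replacement)


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """RFC 793 checksum over the IPv4 pseudo-header plus the TCP segment."""
    pseudo = IPv4Address(src_ip).packed + IPv4Address(dst_ip).packed
    pseudo += struct.pack("!BBH", 0, 6, len(segment))   # zero, proto 6, length
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"                                  # pad odd length
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                                   # fold carries
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def rewrite_segment(src_ip: str, dst_ip: str, segment: bytes,
                    match: bytes, replacement: bytes) -> bytes:
    """Apply replace_content to the TCP payload and fix the checksum."""
    data_offset = (segment[12] >> 4) * 4        # TCP header length in bytes
    header, payload = segment[:data_offset], segment[data_offset:]
    new_payload = replace_content(payload, match, replacement)
    header = header[:16] + b"\x00\x00" + header[18:]     # zero checksum field
    csum = tcp_checksum(src_ip, dst_ip, header + new_payload)
    return header[:16] + struct.pack("!H", csum) + header[18:] + new_payload
```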

11
Stealth
  • Stackless Operation
  • Hogwash does not require an IP stack to be loaded
    on its network interfaces
  • Hogwash can invisibly forward traffic: no
    decreased TTLs, etc.

12
Stackless Control Protocol
  • Hogwash can be remotely controlled, even when
    running in stackless mode
  • To send a command, simply send a control packet so
    that it will pass through the Hogwash box
  • Control packets can be carried in TCP, UDP or ICMP
  • The stackless control protocol uses Twofish or
    AES cryptography and a custom protocol to ensure
    security

13
Stackless Control Protocol Theory
  • Each packet that passes through Hogwash is
    checked for a magic token in the payload. If
    the token is found, then Hogwash will attempt to
    decrypt the payload following the magic token. If
    the token is found again immediately following
    the first magic token, then Hogwash knows it has
    found a control packet and processes the command.

14
Stackless Control Protocol Theory
15
Stackless Control Protocol Commands
  • hping - ping the Hogwash box to see if it's alive
  • hstat - get statistics from the Hogwash box
  • hbuff - retrieve either the RULES, ALERT, or LOG file
  • hfilesync - store the retrieved file in a file;
    can be used to feed standard Snort toys
  • hsetbuf - transfer a file to the Hogwash box
  • hsetrules - transfer a new rules file to the
    Hogwash box and restart Hogwash

16
Sample Hogwash Rules
  • To drop incoming port 80 connections
  • drop tcp any any -> $HOMENET 80 (msg:"Port 80
    tcp";)
  • To drop cmd.exe calls to your webservers
  • drop tcp any any -> $HOMENET 80 (msg:"cmd.exe
    attempt"; content:"cmd.exe";)

17
Running Hogwash
  • hogwash <options>
  • -c <rules file>
  • -i <internal interface>
  • -e <external interface>
  • -l <log directory>
  • -n <no rules mode>
  • hogwash -i eth0 -e eth1 -c hogwash.conf -l
    /var/log/hogwash

18
References
  • http://hogwash.sourceforge.net
  • http://www.snort.org
  • Securing an Unpatchable Web Server
    http://www.securityfocus.com/infocus/1208
  • Jed Haile jhaile@nitrodata.com
  • Jason Larsen jlarsen@nitrodata.com