Knock, Knock, Knocking on (Network) Doors: Penn State's Intrusion Detection Architecture (Penn State Information Technology Services, 2004)


1 Knock, Knock, Knocking on (Network) Doors: Penn State's Intrusion Detection Architecture Copyright Penn State Information Technology Services, 2004. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

2 Knock, Knock, Knocking on (Network) Doors: Penn State's Intrusion Detection Architecture The Security Professionals Workshop May 18, 2004

3 Security Operations and Services
● A division of Information and Technology Services (ITS) at Penn State
● 8 full time staff members
  – Director
    ● Kathy Kimball
  – Intrusion detection: 2 staff members
    ● Randy Hegarty
    ● Mike Petkac
  – Incident response: 2 staff members
  – Virus response: 1 staff member
  – Advanced Forensics: 1 staff member
  – Training: 1 staff member

4 Penn State by the Numbers: Enrollment Fall 2003
University Park (Main Campus)   41,795
Other campus locations          33,743
College of Medicine                738
Dickinson School of Law            646
PA College of Technology         6,255
Totals                          83,177

5 Penn State by the Numbers: Information Technology
● 110,000+ active access accounts
● 3 ½ class B networks *
  – * excludes Hershey Medical Center (another class B)
  – * ½ class B for residence halls (locked by MAC)
  – 229,376 IP addresses
● 5,120 modem addresses
● 2,167 mobility addresses
● ????? wireless/VPN addresses

6 Penn State Network View

7 Penn State Network View (cont)

8 Security Status: January 2001
● Known colleges/departments/campuses with network security devices: 1
● SOS: 3 full time staff members
  – Primary function: incident response
  – Secondary function: intrusion detection
    ● Based on (ex/in)ternal reports/well-known information (e.g. Sub7)
● “Intrusion Detection” Tools
  – Nmap
  – Remote Intrusion Detection (RID)
    ● Signature-based on individual ports
    ● TCP port 27374; Signature “connected. time/date”
  – Much accomplished, but issues loomed
  – Mission: implementation of SOS five-year plan to address issues

9 Intrusion Detection's Arrival
● A component of SOS five-year plan: security enhancements to existing infrastructure
  – Two-step process was envisioned
    ● External (commercial) analysis/recommendation plan
    ● External (commercial) implementation of recommendations
  – Step 1 (conducted August – November 2001) results
    ● Open-source recommendations:
    ● Snort (signature-based Network Intrusion Detection System (NIDS))
    ● Hogwash (Snort-based early Intrusion Prevention System (IPS))
  – NIDS path chosen for initial pursuit
    ● Commercial 24x7 managed service pilot (April – June 2002)
      – 3 NIDS/2 HIDS
    ● SOS IDS program (June 2002)

10 Snort Network Configuration
● Location: local area network level
● Network Requirements
  – Network switch with mirrored/monitor port or
  – Network tap
● System Requirements
  – Hardened/firewalled host
  – Two interface cards
    ● 1 promiscuous (inbound only)
    ● 1 management/monitoring

11 SOS Deployed IDS Units
● 18 installed units
  – 2002: 6 units (5 commercial, 1 SOS build)
  – 2003: 12 units (3 commercial, 9 SOS builds)
● Locations
  – 8 units at 6 non-UP campus locations
  – 6 units at 5 UP colleges
  – 2 units at 2 ITS locations
  – 1 unit at other UP department
  – 1 unit at UP residence hall*
● 8,912 addresses covered (~35 class Cs)

12 Initial Experiences
● Overwhelming amount of data
  – Initial average of 60,000 alerts daily on each sensor
● What does this alert mean?
  – Initial tendency to analyze false positives
  – Initial tendency to question/ignore alerts
● How do I write this rule?
● Constant attention needed
  – No benefit without continuous monitoring
  – Rule sets/software updates
  – Mirrors go down
● The insight provided into networks

13 IDS and ID Tool Utilization
● Iterative process using Snort, RID, nmap, flow data, (ex/in)ternal reports, well-known information; for example:
  – Scanning activity from internal host ((ex/in)ternal report/Snort detected)
    ● Nmap of host/connection to open ports for signature detection
    ● Signature of detected port(s) input into RID or
  – Compromise (with signature) detected on Snort
    ● Signature of detected port(s) input into RID or
  – Backdoor without signature identified on specific port
    ● Nmap scans
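The RID step of this workflow (slide 8: a port-keyed signature such as "connected. time/date" on TCP 27374; slide 13: feed the signature of a newly confirmed backdoor port back into RID and re-sweep) can be shown as a small banner matcher. This is an added example and not Penn State's RID code; the table layout, the Finding type, the recorded banners and the 4711 banner text are assumptions constructed for the example (only the 27374 signature comes from the slides).

```python
import socket
from dataclasses import dataclass

# Port-keyed banner signatures, RID style. The 27374 / "connected. time/date"
# entry is the Sub7 example from slide 8; nothing else is pre-loaded, because a
# signature is only added after it has been confirmed on a compromised host.
SIGNATURES = {
    27374: ("connected. time/date",),
}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    signature: str


def with_signature(table, port, signature):
    """Return a copy of the table with one more signature registered for a port.
    This is the 'signature of detected port(s) input into RID' step of slide 13."""
    new = {p: tuple(sigs) for p, sigs in table.items()}
    new[port] = new.get(port, ()) + (signature,)
    return new


def match_banner(port, banner, table=SIGNATURES):
    """Return the signature string found in the banner for this port, else None.
    Case-insensitive so trivial capitalisation changes in a backdoor build do
    not defeat the match; an empty banner (closed port, timeout) never matches."""
    if not banner:
        return None
    text = banner.lower()
    for sig in table.get(port, ()):
        if sig.lower() in text:
            return sig
    return None


def grab_banner(host, port, timeout=3.0, probe=b"\r\n", max_bytes=512):
    """Connect to one port on one host and read whatever it says first.
    Any socket error (refused, unreachable, timeout) is reported as '' so a
    closed port is simply 'no match' for the caller."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            if probe:
                s.sendall(probe)
            return s.recv(max_bytes).decode("latin-1")
    except OSError:
        return ""


def sweep(hosts, port, table=SIGNATURES, fetch=grab_banner):
    """Check one port across a list of hosts and return the Findings.
    'fetch' is injectable so the matcher can be exercised against recorded
    banners without touching the network."""
    findings = []
    for host in hosts:
        sig = match_banner(port, fetch(host, port), table)
        if sig is not None:
            findings.append(Finding(host, port, sig))
    return findings


# Constructed banners standing in for what a sweep of an internal subnet
# might return; the addresses and the text are made up for this example.
RECORDED = {
    ("10.20.30.5", 27374): "connected. time/date: 05/09/04 08:26\r\n",
    ("10.20.30.6", 27374): "",                    # closed port
    ("10.20.30.7", 27374): "220 not a backdoor\r\n",
    ("10.20.30.9", 4711): "hi there, ready\r\n",   # banner seen on a confirmed compromised host
}


def recorded_fetch(host, port):
    return RECORDED.get((host, port), "")


def demo():
    hosts = ["10.20.30.5", "10.20.30.6", "10.20.30.7", "10.20.30.9"]
    # Step 1: sweep the subnet for the known Sub7 signature on 27374.
    sub7 = sweep(hosts, 27374, fetch=recorded_fetch)
    # Step 2: a new backdoor port (4711 in Ex 1) was confirmed on one host;
    # register the banner it returns and sweep the same hosts for that port.
    table = with_signature(SIGNATURES, 4711, "hi there, ready")
    new_port = sweep(hosts, 4711, table, fetch=recorded_fetch)
    return sub7, new_port
```

The injectable `fetch` is the point of the design: the match logic is tested against recorded banners, and `grab_banner` is only wired in when the sweep is run on the network the sensor team owns. Every signature is tied to a port, as in RID, so a benign service that happens to echo the same text on another port does not produce a finding.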

14 Ex 1: Snort Detected Portscan
05/09-08:26:46 Portscan detected {TCP} xx.xx:7047 -> xx.xx:445
05/09-08:26:56 Portscan detected {TCP} xx.xx: > xx.xx:445
05/09-08:30:00 Portscan detected {TCP} xx.xx:3578 -> xx.xx:445
05/09-08:32:24 Portscan detected {TCP} xx.xx:3975 -> xx.xx:445
05/09-08:38:22 Portscan detected {TCP} xx.xx:1152 -> xx.xx:445
05/09-08:40:16 Portscan detected {TCP} xx.xx:2459 -> xx.xx:445
05/09-08:42:36 Portscan detected {TCP} xx.xx:2320 -> xx.xx:445
Interesting ports on ( xx.xx):
Port State Protocol Service
135 open tcp loc-srv
139 open tcp netbios-ssn
206 open tcp at-zis
open tcp unknown
Ports 206, Rid detected 18 additional hosts/2 additional compromised ports: TCP 90/4711
Rid scan for TCP ports 90/4711 detected 19 additional hosts

15 Ex 2: Snort Detected Compromise
05/14-05:56:47 [1:1326:3] EXPLOIT ssh CRC32 overflow NOOP [Classification: Executable code was detected] [Priority: 1] {TCP} :1898 -> xxx.xxx:
/14-05:58:46 [1:1324:3] EXPLOIT ssh CRC32 overflow /bin/sh [Classification: Executable code was detected] [Priority: 1] {TCP} :1903 -> xxx.xxx:22
05/14-06:01:17 LR - Possible SSHD Backdoor [Classification: Misc RID] {TCP} xxx.xxx:101 -> :
/14-06:04:27 (spp_portscan2) Portscan detected from xxx.xxx {TCP} xxx.xxx:1039 -> :21
Interesting ports on ( xxx.xxx):
Port State Protocol Service
22 open tcp ssh
open tcp hostname... SSH
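Both examples are Snort fast-format alert lines, and the two triage questions they raise (Ex 1: which source is sweeping one port across many hosts; Ex 2: which exploit target then starts behaving like a compromised host) can be answered mechanically. The parser and the two checks below are an added example, not code from the presentation or from Snort; the sample log is constructed in the same format as slides 14 and 15 with documentation-range addresses, and the SIDs 1326/1324 are the ones shown on slide 15.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# One Snort fast-alert line as printed on slides 14 and 15. The [gid:sid:rev]
# tag, [Classification: ...] and [Priority: N] are optional so one pattern
# covers rule hits, portscan preprocessor output and the RID line.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\s+"
    r"(?:\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+)?"
    r"(?P<msg>.*?)\s*"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s*)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s*)?"
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    sid: Optional[int]
    msg: str
    classification: Optional[str]
    priority: Optional[int]
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one line; return None for anything that is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return Alert(
        ts=m["ts"],
        sid=int(m["sid"]) if m["sid"] else None,
        msg=m["msg"],
        classification=m["cls"],
        priority=int(m["prio"]) if m["prio"] else None,
        proto=m["proto"],
        src=m["src"],
        sport=int(m["sport"]),
        dst=m["dst"],
        dport=int(m["dport"]),
    )


def parse_log(text: str) -> list:
    """Parse a whole alert file, skipping lines that are not alerts."""
    alerts = [parse_alert(line) for line in text.splitlines()]
    return [a for a in alerts if a is not None]


def sweep_sources(alerts, min_hits=3):
    """Ex 1 pattern: one source hitting the same destination port on host after
    host. Returns {(src, dport): count} for pairs seen at least min_hits times."""
    hits = Counter((a.src, a.dport) for a in alerts if "Portscan" in a.msg)
    return {k: n for k, n in hits.items() if n >= min_hits}


def likely_compromised(alerts):
    """Ex 2 pattern: a host that was the target of a Priority 1 exploit alert and
    afterwards shows up as the *source* of a backdoor or portscan alert."""
    targets = {a.dst for a in alerts if a.priority == 1}
    hits = {a.src for a in alerts
            if a.src in targets and ("Portscan" in a.msg or "Backdoor" in a.msg)}
    return sorted(hits)


# Constructed sample log in the format of the slides; the addresses are
# documentation/private ranges, not real hosts.
SAMPLE_LOG = """\
05/09-08:26:46 Portscan detected {TCP} 10.20.30.40:7047 -> 10.20.31.7:445
05/09-08:26:56 Portscan detected {TCP} 10.20.30.40:3121 -> 10.20.31.8:445
05/09-08:30:00 Portscan detected {TCP} 10.20.30.40:3578 -> 10.20.31.9:445
05/09-08:32:24 Portscan detected {TCP} 10.20.30.40:3975 -> 10.20.31.10:445
05/09-08:38:22 Portscan detected {TCP} 10.20.30.41:1152 -> 10.20.31.11:80
05/14-05:56:47 [1:1326:3] EXPLOIT ssh CRC32 overflow NOOP [Classification: Executable code was detected] [Priority: 1] {TCP} 192.0.2.10:1898 -> 10.20.32.5:22
05/14-05:58:46 [1:1324:3] EXPLOIT ssh CRC32 overflow /bin/sh [Classification: Executable code was detected] [Priority: 1] {TCP} 192.0.2.10:1903 -> 10.20.32.5:22
05/14-06:01:17 LR - Possible SSHD Backdoor [Classification: Misc RID] {TCP} 10.20.32.5:22 -> 10.20.99.1:1101
05/14-06:04:27 (spp_portscan2) Portscan detected from 10.20.32.5 {TCP} 10.20.32.5:1039 -> 198.51.100.3:21
this line is not an alert and is skipped
"""
```

Run `sweep_sources(parse_log(SAMPLE_LOG))` to get the single 445 sweeper with four hits, and `likely_compromised(...)` to get the SSH target that later appears as a scanner. The correlation in `likely_compromised` is the reasoning an analyst did by hand on slide 15; expressing it as a function is what makes it repeatable at 60,000 alerts a day.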

16 IDS and ID Tool Summary
● Caution: numbers do not fully depict situation
● 2002 – 2003
  – 2,909 machines attributed to IDS
  – 1,253 machines attributed to RID/nmap scans
  – 4,162 machines from IDS/ID tools
● 2004 (January through April)
  – 1,803 machines attributed to IDS
  – 120 machines attributed to RID/nmap scans
  – 1,923 machines from IDS/ID tools
● 6,085 machines from IDS/ID tools (28 months)

17 Location/Type Detections in 2004 (January through April 2004)
                                      Totals   Mod/Mob/Wireless   Res Hall   University
IRC Bots (full control/Warez)          1,312
Welchia                                  279
Blaster                                  177
Misc Trojans (Backdoors/Spammers)         81
Warez                                     74

18 Additional Experiences
● Effectiveness? - can't say with certainty
  – Circumstances often limit monitoring (e.g. crisis management, other tasks, time off)
  – Things are missed/ignored
  – Signatures don't exist or not on devices
● What we can say with certainty
  – Improvement over commercial 24x7 managed service trial
  – Central detection contributes to effectiveness during crisis
  – July 2003: border filters applied for vulnerable Microsoft ports (and a few more)
    ● More internal damage is detected/limited
    ● July 30/August 7, 2003 experiences
  – Self-monitoring is important; less external reporting/some attacks remain inside with border filters

19 The Need for Automation
● New attacks/worms require IDS signature development (though portscan may detect)
● Human analysis/response (even 24x7) is insufficient to minimize attack/worm damage
  – “Triage” experience against recent rapidly propagating attacks: Sadmind/Code Red/Nimda/Blaster/Welchia/Witty
  – Stealthy, relatively slow attacks with higher risk potential: Gaobot/Phatbot
● Intrusion Prevention: detecting known and unknown attacks and preventing their success

20 Intrusion Prevention Systems
● System/market development still early
● Many players are startup companies
● Some issues common to other security devices
  – Latency
  – Network placement
  – Scalability
● Some issues uncommon to other devices
  – Escalation of false positive issues
  – Escalation of false negative or exception issues
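The two "uncommon" issues on this slide are what makes automated blocking riskier than alerting: a false positive now drops traffic, and an exception (a host that must never be blocked) has to be enforced, not just known. The policy object below is an added example of the guard rails a site would put in front of any Snort-driven blocking (the kind of response SnortSam or Flexresp2 performs); it is not SnortSam's code or Penn State's, and the thresholds, the CIDR exception list and the expiry period are illustrative assumptions.

```python
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class BlockPolicy:
    """Guard rails for automated response. Values are illustrative only."""
    never_block: tuple = ()   # CIDRs that must never be blocked (DNS, mail, sensor mgmt)
    min_priority: int = 1     # act only on Priority 1 alerts (Snort: 1 is most severe)
    min_alerts: int = 3       # repeated alerts inside the window before acting
    window_s: int = 300       # correlation window in seconds
    block_ttl_s: int = 900    # every block expires: a false positive hurts for minutes, not days


class Responder:
    def __init__(self, policy: BlockPolicy):
        self.policy = policy
        self._exempt = [ipaddress.ip_network(c) for c in policy.never_block]
        self._history = defaultdict(deque)   # ip -> timestamps of qualifying alerts
        self._blocks = {}                    # ip -> expiry timestamp

    def _is_exempt(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self._exempt)

    def observe(self, src_ip: str, ts: float, priority: int) -> str:
        """Feed one alert (source, time, Snort priority); return the decision taken."""
        self.expire(ts)
        if priority > self.policy.min_priority:
            return "ignored"            # below the severity we automate on
        if self._is_exempt(src_ip):
            return "exempt"             # the exception list wins over any evidence
        if src_ip in self._blocks:
            return "already_blocked"
        q = self._history[src_ip]
        q.append(ts)
        while q and ts - q[0] > self.policy.window_s:
            q.popleft()                 # slow, isolated alerts never accumulate
        if len(q) < self.policy.min_alerts:
            return "observed"
        self._blocks[src_ip] = ts + self.policy.block_ttl_s
        q.clear()
        return "blocked"

    def expire(self, ts: float) -> None:
        """Drop blocks whose TTL has passed; called on every event and on lookup."""
        for ip in [ip for ip, exp in self._blocks.items() if exp <= ts]:
            del self._blocks[ip]

    def active_blocks(self, ts: float) -> list:
        self.expire(ts)
        return sorted(self._blocks)
```

Each of the three controls maps to a slide-20 issue: the repeat threshold and priority gate limit false-positive escalation, the exception list handles the hosts where a block would be its own outage, and the TTL bounds the cost of any mistake that gets through. A real deployment would hand the "blocked" decision to the firewall integration and log every "exempt" decision for review, since an exempt host generating Priority 1 alerts is itself worth a look.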

21 Some IPS Types
● Inline NIDS
● Firewalls coupled with IDS
● Deceptive/engaging systems
● Layer seven switches
- Hogwash - looking for a new maintainer
- Flexresp2 - Snort plugin to terminate connections
- Checkpoint FW-1 Smart Defense/Application Intelligence
- SnortSam - Snort plugin
  Architecture supports large, distributed response networks
  Compatible with Checkpoint/Cisco/Netscreen/Watchguard firewalls and Cisco routers
- One initially tested/others to be evaluated

22 Future Plans
● Intrusion Detection
  – Continue with new IDS deployments
  – Begin life-cycle replacement of initial units
  – Upgrade ID tool (RID/nmap) resources
● Intrusion Prevention
  – Proceed cautiously, but proceed
  – SnortSam test/evaluation
  – Continue/expand commercial product testing/evaluation
  – Continue investigating new/enhanced products

23 Security Status: Today
● Known colleges/departments/campuses with firewalls: 22
  – 42% of colleges with college-wide deployment
  – 25% non-UP campuses
● Known colleges/departments/campuses with IDS: 21
  – 5 units independently running IDS
  – 6 coupled with firewalls
● SOS security staff: 8 members
● Security state relative to 2001?

24 Questions? Kathy Kimball Randy Hegarty Mike Petkac

