Presentation on theme: "Intrusion Detection/Prevention Systems Charles Poff Bearing Point."— Presentation transcript:
Intrusion Detection/Prevention Systems Charles Poff Bearing Point
Intrusion Detection Systems Intrusion Detection System (IDS) –Passive –Hardware\software based –Uses attack signatures –Configuration SPAN/Mirror Ports Generates alerts (email, pager) After the fact response
Intrusion Prevention Systems Intrusion Prevention System (IPS) –Also called Network Defense Systems (NDS) –Inline & active –Hardware\software based –Uses attack signatures –Configuration Inline w/fail over features. Generates alerts (email, pager) Real time response
IDS vs. IPS IPS evolved from IDS Need to stop attacks in real time After the fact attacks have lesser value IDS is cheaper. Several Open Source IDS/IPS –Software based IPS = EXPENSIVE –Hardware based (ASIC & FPGA)
Detection Capabilities Signatures –Based on current exploits (worm, viruses) –Detect malware, spyware and other malicious programs. –Bad traffic detection, traffic normalization Anomaly Detection –Analyzes TCP/IP parameters Normalization Fragmentation/reassembly Header & checksum problems
Evasion Techniques Encryption –IPSec, SSH, Blowfish, SSL, etc. Placement of IPS sensors are crucial Lead to architectural problems False sense of security –Encryption Key Exchange IPS sensors can usually detect/see encryption key exchanges IPS sensors can usually detected unknown protocols
Evasion Techniques (cont.) –Packet Fragmentation Reassembly – 1.) out of order, 2.) storage of fragments (D.o.S) Overlapping – different size packets arrive out of order and in overlapping positions. Newly arrived packets can overwrite older data.
Evasion Techniques (cont.) Zero day exploits (XSS, SQL Injection) –Not caught by signatures –Not detected by normalization triggers –Specific to custom applications/DBs. Social engineering –Verbal communication –Malicious access via legitimate credentials Poor configuration management –Mis-configurations allow simple access not detected. –Increases attack vectors
Vendors Open Source –SNORT (IDS/IPS) – my favorite –Prelude (IDS) –HoneyNet (Honey Pot/IDS) Commercial –TippingPoint –Internet Security Systems –Juniper –RadWare –Mirage Networks
Tools of the Trade Fuzzers – SPIKE, WebScarab, ADMmutate, ISIC, Burp Suite Scanners - Nessus, NMAP, Nikto, Whisker Fragmentation – ADMmutate, Fragroute, Fragrouter, ettercap, dSniff Sniffers – ethereal, dSniff, ettercap, TCPDump Web Sites –www.thc.orgwww.thc.org –packetstormsecurity.nl –www.packetfactory.net
Future of IDS/IPS Many security appliances ONE –IDS/IPS, SPAM, AV, Content Filtering IDS will continue to loose market share IPS, including malware, spyware, av are gaining market share Security awareness is increasing Attacks are getting sophisticated –Worms, XSS, SQL Injection, etc.
Your Organization Whats protecting your organization? Future Plans? Products and vendors? Evolution of security infrastructure.