Intrusion Detection Presentation : 2 OF n by Manish Mehta 02/07/03.

Presentation transcript:


What will we discuss?
- Network-Based Detection
- Network-based Architecture
  - Traditional Sensor-based
  - Distributed Network-node
- Network Intrusion Detection Engine
  - Signatures
- Operational Concepts for network-based detection
- Benefits of network-based ID
- Challenges for network-based Technologies

Introduction
Why is it called 'network-based'?
- It is used to analyze network packets.
- The packets are 'sniffed' off the network.
TCP/IP is the most common protocol targeted by commercial IDS. Different products decode the protocol stack to different depths, some all the way up through the application layer.

Network-based Detection
Most network-based attacks are directed at OS vulnerabilities. These are exploited mainly toward the following ends:
- Unauthorized Access
- Data/Resource Theft
- Denial of Service

Unauthorized Access
Unauthorized Login
- The key is to detect it before or while the attacker is logging in.
- TFTP is well known for its lack of security.
- SunOS 4.1.x had security problems with its file-sharing protocol.
Jump-off Point
- Attackers are 'bad', not 'stupid'.
- A compromised computer can open up several other computers in the same organization.
- Why is my mail server contacting DoD?

Data/Resource Theft
Information theft
- A password file download gives the attacker the ability to compromise other systems (look for '/etc/passwd').
- Secret data file download: credit card numbers, employee HR data.
Bandwidth Theft
- Firms with a lot of bandwidth do not use all of it at all times.
- If the attacker's 'business' grows, he will be caught.

Denial of Service
Malformed Packets
- Not all error conditions are handled while coding the protocol stack.
- The code is not prepared to handle impossible values in argument fields.
Packet Flooding
- Not a very sophisticated attack.
- If the source address is spoofed, it can be hard to deal with.
Distributed DoS
- A special case of flooding (several machines attack at once).
- ID is not a very good tool against this attack, but it can be helpful.

NID Architecture
Two types of NID:
- Traditional Sensor-based (promiscuous mode): obtain packets, search for patterns, report alarms to the central command console.
- Network-node (Distributed): an agent on each computer (for an individual target).

Traditional Sensor-based Architecture
- Ethernet chip in promiscuous mode.
- 'Sniffed' packets are fed to the detection engine (typically on the same machine).
- Taps are distributed to all mission-critical segments (generally one per segment).
- The central command console correlates alarms from multiple sensors.

Life Cycle of a Packet
- Packet is born.
- 'Sniffed' off the wire in real time by the sensor (a stand-alone machine or a network device in promiscuous mode).
- The detection engine matches the predefined patterns.
- If matched, an alert is generated and forwarded to the central console.
- The security officer is notified.

Life Cycle of a Packet (Contd.)
- A response is generated:
  - Reconfiguring router/firewall rules
  - Terminating the session
- The alert is stored for later review and correlation.
- Reports are generated.
- Data forensics for long-term trends.

Distributed Network-node Architecture
- A sensor on every computer.
- Every sensor is concerned only with the target it resides on.
- Now confused between host-based and network-based? The difference between host-based and network-based ID is the source of the data (host audit records versus network packets); a network-node sensor still analyzes packets, just the ones arriving at its own host.
- Network-node agents communicate with each other on the network to correlate alarms at the console.

Life Cycle of a Packet
- Packet is born.
- The packet is read in real time by a sensor resident on the destination machine.
- A detection engine is used to match signatures of misuse.
- If a pattern is found, an alarm is generated and forwarded to the central console or to other sensors on the network.

Life Cycle of a Packet (Contd.)
- The security officer is notified.
- A response is generated:
  - Reconfiguring router/firewall rules
  - Terminating the session
- The alert is stored for later review and correlation.
- Reports are generated.
- Data forensics for long-term trends.

Misconception: "Real-Time ID"
"I need Intrusion Detection."
"Are you interested in network-based or host-based?"
"Oh, I need real-time Intrusion Detection."
"Great, on the host or on the network?"
"What???"

Network Intrusion Detection Engine
This is where the real magic is!
A stream of time-sequential TCP/IP packets is processed to detect predetermined sequences and patterns (signatures).
Speed is an issue.

Network Signatures
- Packet Content Signatures: based on the contents of packets (smart??)
- Traffic Analysis Signatures: based on header information and the flow of traffic
More on detection mechanisms in future talks.

Packet Content Signatures
Simple example: copying the password file over FTP.
- Look for the pattern 'passwd' in the packet.
Output of snoop:
Source.com -> dest.com ETHER Type=0800(IP), size = 67 bytes
IP D= S= LEN=53, ID=34704
TCP D=21 S=2095 Ack= Seq= Len=13 Win=4096
FTP C port=2095 RETR \etc\passwd\r\n
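The following is an added example, not code from the slides: a minimal packet-content signature engine of the kind the 'passwd' example describes, run over constructed packets modelled on the snoop line above. The packet layout, the rule fields (including the Snort-style `nocase` flag) and the rule names are this example's own assumptions.

```python
# Added example (not from the slides): a minimal packet-content signature
# engine. Packets, rules and field names are this example's own constructions.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str       # "TCP" or "UDP"
    sport: int
    dport: int
    payload: bytes   # application-layer bytes only


@dataclass
class ContentRule:
    name: str
    proto: str
    dport: Optional[int]    # None means "any destination port"
    content: bytes
    nocase: bool = False    # case-insensitive match, like Snort's 'nocase' modifier

    def matches(self, pkt: Packet) -> bool:
        # Header qualifiers first: they are cheap and discard most traffic
        # before the comparatively expensive payload search.
        if pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        haystack, needle = pkt.payload, self.content
        if self.nocase:
            haystack, needle = haystack.lower(), needle.lower()
        return needle in haystack


# Constructed rule set. Pinning the FTP rule to port 21 keeps the bare
# string 'passwd' from firing on every web page or e-mail that mentions it.
RULES: List[ContentRule] = [
    ContentRule("FTP retrieve of password file", "TCP", 21, b"passwd"),
    ContentRule("TFTP read of password file", "UDP", 69, b"passwd", nocase=True),
]


def scan(packets: List[Packet], rules: List[ContentRule] = RULES) -> List[Tuple[str, str, str]]:
    """Return (rule name, src, dst) for every packet/rule pair that matches."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule.matches(pkt):
                alerts.append((rule.name, pkt.src, pkt.dst))
    return alerts


# Constructed sample traffic, modelled on the snoop output in the slide.
SAMPLE_PACKETS = [
    Packet("source.com", "dest.com", "TCP", 2095, 21, b"RETR /etc/passwd\r\n"),
    Packet("source.com", "dest.com", "TCP", 2095, 21, b"RETR README.txt\r\n"),
    # TFTP read request (opcode 1): filename, NUL, transfer mode, NUL
    Packet("source.com", "dest.com", "UDP", 1234, 69, b"\x00\x01/etc/PASSWD\x00octet\x00"),
    # Same string in an HTTP reply: wrong protocol/port for both rules, so no alert
    Packet("dest.com", "source.com", "TCP", 80, 2096, b"HTTP/1.0 200 OK\r\n\r\nchange your passwd"),
]

if __name__ == "__main__":
    for name, src, dst in scan(SAMPLE_PACKETS):
        print(f"ALERT {name}: {src} -> {dst}")
```

Only the FTP command and the TFTP read request raise alerts; the HTTP reply carrying the same string is filtered out by the header qualifiers before its payload is searched, which is the difference between a bare string match and a "smart" content signature.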

Traffic Analysis Signatures
Simple examples:
- A lot of packets destined to one machine in a relatively short period of time (an attempted DoS attack).
- A packet coming from outside the network with a source IP address belonging to the inside network.
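The two traffic-analysis signatures above, implemented as an added example (not code from the slides) and run over constructed packet records as a sensor outside the firewall would see them. The internal address ranges, the flood threshold and window, and the record layout (including the `direction` field) are this example's own assumptions.

```python
# Added example (not from the slides): the two traffic-analysis signatures,
# a packet-rate threshold per destination and an inbound-packet source check.
import ipaddress
from collections import defaultdict, deque
from typing import Dict, Iterable, List, Optional

# Assumed internal address space of the monitored site (RFC 1918 ranges).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


class FloodDetector:
    """Alert once when at least `threshold` packets reach one destination
    within a sliding window of `window_s` seconds."""

    def __init__(self, threshold: int = 20, window_s: float = 1.0):
        self.threshold = threshold
        self.window_s = window_s
        self.windows: Dict[str, deque] = defaultdict(deque)  # dst -> timestamps
        self.alerted = set()   # suppress repeats so a flood does not also flood the console

    def observe(self, ts: float, dst: str) -> Optional[str]:
        q = self.windows[dst]
        q.append(ts)
        while q and ts - q[0] > self.window_s:   # expire timestamps outside the window
            q.popleft()
        if len(q) >= self.threshold and dst not in self.alerted:
            self.alerted.add(dst)
            return f"possible flood: {len(q)} packets to {dst} within {self.window_s}s"
        return None


def spoof_check(direction: str, src: str) -> Optional[str]:
    """Sensor outside the firewall: an inbound packet should never carry an
    internal source address; one that does is spoofed (or badly routed)."""
    if direction == "in" and is_internal(src):
        return f"spoofed source: inbound packet claims internal address {src}"
    return None


def analyze(records: Iterable[dict]) -> List[str]:
    """records: dicts with keys ts, src, dst and direction ('in' or 'out')."""
    flood = FloodDetector()
    alerts = []
    for r in records:
        a = spoof_check(r["direction"], r["src"])
        if a:
            alerts.append(a)
        a = flood.observe(r["ts"], r["dst"])
        if a:
            alerts.append(a)
    return alerts


# Constructed sample: two normal packets, a burst of 30 packets at one host
# from TEST-NET-3 (203.0.113.0/24) addresses, and one inbound packet whose
# source address belongs to the inside network.
SAMPLE_RECORDS = (
    [{"ts": 0.0, "src": "198.51.100.7", "dst": "10.0.0.1", "direction": "in"},
     {"ts": 0.5, "src": "10.0.0.1", "dst": "198.51.100.7", "direction": "out"}]
    + [{"ts": 1.0 + i * 0.02, "src": f"203.0.113.{i + 1}", "dst": "10.0.0.5", "direction": "in"}
       for i in range(30)]
    + [{"ts": 2.0, "src": "10.0.0.99", "dst": "10.0.0.5", "direction": "in"}]
)

if __name__ == "__main__":
    for line in analyze(SAMPLE_RECORDS):
        print(line)
```

The flood rule fires exactly once, on the twentieth packet of the burst, and the spoof rule fires on the final record. Note that the spoof check is only meaningful on a sensor outside the firewall; placed inside, the same rule would flag every legitimate internal host, which is the sensor-placement point made later in the talk.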

Operational Concept
- A NIDS only performs as well as it is operated (configured).
- The value of the system depends on the skills of the operator.
- Network-based ID may be used in a manner that requires very few resources.

How do I use NIDSs?
- The specific use of a NIDS depends on environment-specific requirements.
- Sensor placement plays an important role. Example:
  - A sensor placed outside the firewall will identify source addresses attempting to attack you.
  - Sensors placed inside the firewall will detect attacks that successfully circumvent your firewall.
(If you don't have a firewall, YOU SHOULDN'T BE HERE! GO INSTALL IT FIRST!!)

Operational Modes
The operational mode describes the manner in which you will operate your NIDS and partially describes the end goals of monitoring. Two primary operational modes:
- Tip-Off
- Surveillance

Tip-Off and Surveillance
- The defining characteristic of tip-off: the system is detecting something previously unsuspected.
- Unlike tip-off, surveillance takes place when misuse is already indicated or suspected. It is an increased effort to observe the behavior of a small set of objects.

Benefits of NID
- Outside Deterrence: a notification to the hacker can enhance the deterrent value of an IDS.
- Threat Detection: can be used deterministically or in a decision-support context.
- Automated Response and Notification: pager, SNMP trap, on screen, audible.

Challenges for Network-based Technologies (promiscuous mode)
- Packet reassembly (IP fragmentation): patterns can only be searched for after reassembly.
- High-speed networks (Gig E?)
- Sniffer detection programs (AntiSniff)
- Switched networks (IP over ATM?)
- Encryption (IPsec, VPN)
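An added example (not code from the slides) of the first challenge: a promiscuous-mode sensor must reassemble IP fragments before it can search for content. It shows a naive per-fragment search missing the 'passwd' pattern from the FTP example when the datagram is fragmented, and a small reassembler recovering it. The fragment record layout, the reassembler and the sample fragments are this example's own constructions; offsets are kept in bytes for readability, whereas real IP fragment offsets are in 8-byte units.

```python
# Added example (not from the slides): per-fragment search versus search after
# IP fragment reassembly. Layout, names and sample data are constructed here.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PATTERN = b"passwd"   # the content signature from the FTP example


@dataclass
class Fragment:
    src: str
    dst: str
    ident: int      # IP identification field, shared by all fragments of one datagram
    offset: int     # byte offset of this piece within the original datagram
    more: bool      # IP 'more fragments' flag
    data: bytes


class Reassembler:
    """Collect fragments per (src, dst, id); return the datagram once every
    byte from offset 0 through the final fragment has arrived."""

    def __init__(self):
        self.pending: Dict[Tuple[str, str, int], List[Fragment]] = {}

    def add(self, frag: Fragment) -> Optional[bytes]:
        key = (frag.src, frag.dst, frag.ident)
        frags = self.pending.setdefault(key, [])
        frags.append(frag)
        frags.sort(key=lambda f: f.offset)      # fragments may arrive out of order
        if all(f.more for f in frags):
            return None                         # final piece not seen yet
        expected = 0
        buf = bytearray()
        for f in frags:
            if f.offset != expected:
                # Gap or overlap: keep waiting. A production stack also needs a
                # timeout and an explicit policy for overlapping fragments.
                return None
            buf += f.data
            expected += len(f.data)
        del self.pending[key]
        return bytes(buf)


def per_fragment_matches(frags: List[Fragment]) -> List[int]:
    """Naive engine: search each fragment on its own; returns offsets that match."""
    return [f.offset for f in frags if PATTERN in f.data]


def reassembled_match(frags: List[Fragment]) -> Optional[bytes]:
    """Sensor that reassembles first, then searches the whole datagram."""
    r = Reassembler()
    for f in frags:
        datagram = r.add(f)
        if datagram is not None and PATTERN in datagram:
            return datagram
    return None


# Constructed sample: the 18-byte FTP command split into two fragments at a
# boundary inside the pattern, delivered last piece first.
SAMPLE_FRAGS = [
    Fragment("source.com", "dest.com", 34704, 13, False, b"swd\r\n"),
    Fragment("source.com", "dest.com", 34704, 0, True, b"RETR /etc/pas"),
]

if __name__ == "__main__":
    print("per-fragment matches:", per_fragment_matches(SAMPLE_FRAGS))
    print("after reassembly:", reassembled_match(SAMPLE_FRAGS))
```

The naive search finds nothing because neither fragment contains the whole pattern; the reassembling sensor returns the full `RETR /etc/passwd` command. Reassembly is also where the other costs on this slide show up: state has to be held per datagram until the last fragment arrives, which is exactly what gets expensive on a high-speed link.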

Questions?

Until then...