Intrusion Detection Systems


1 Intrusion Detection Systems
Xenia Mountrouidou (Dr. X)

2 Outline
- Start reserving your topology
- Learning goals
- Background
- Variations

3 Reserve topology
Go to: https://goo.gl/Xieh9g
Use RSpec: erPaths/files/DDoS_IDS_RSpec.txt

4 Learning Goals
- Set up an IDS and verify that it functions properly
- Study and understand IDS logs
- Apply concepts of intrusion detection in a real scenario
- Create a custom Intrusion Detection System (IDS) rule

5 Intrusion Detection Systems and Mitigation
Goals:
- Install Snort IDS on the monitor machine
- Duplicate all traffic to the monitor
- Create a custom alert for Snort IDS
- Use the mitigation script to drop malicious traffic
(Figure: Attacker, Server and Spoofed Client. Attacker -> Server: Send Spoofed SYN; Server -> Spoofed Client: Send SYN-ACK; Resend SYN-ACK.)

6 Background
- Intrusion Detection and Prevention Systems
- Computer Networks
- Software Defined Networks
- Command Line
- GENI
- DoS

7 Example Setup
Example setup: the position of the IDS is important!
Where would we position the HIDS?
Where do we prefer HIDS vs An

8 Detection via Signatures
Signature checking: does the packet match some signature?
- Payload, e.g., shellcode
- Header, e.g., SYN
Problem: not so great for zero-day attacks -- Q: WHY?

9 Snort
- Open source IDS
- Signature detection
- Lots of available rulesets
Example rule (fires on an established client-to-server flow to port 3306 whose payload contains the bytes 0x0A, "root", 0x00, i.e. a MySQL login as root):
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL root login attempt"; flow:to_server,established; content:"|0A |root|00|"; classtype:protocol-command-decode; sid:1775; rev:2;)

10 Intro to Software Defined Networking
Slides modified from GENI openflow tutorial:

11 OpenFlow…
- Enables innovation in networking
- Changes the practice of networking: Google's SDN WAN

12-13 OpenFlow's basic idea
(Two figure-only slides.)
14 OpenFlow benefits [1]
External control:
- Enables network apps
- General-purpose computers (Moore's Law)
- Deeper integration
- Network hardware becomes a commodity
Centralized control:
- One place for apps to interact (authentication, authorization, etc.)
- Simplifies algorithms
- Global optimization and planning
[1]: OpenFlow: A Radical New Idea in Networking, Thomas A. Limoncelli, CACM 08/12 (Vol 55 No. 8)

15 Deployment Stories
- Google global private WAN [1]: connects dozens of datacenters worldwide with a long-term average of 70% utilization over all links
- Stanford campus deployment: part of the Stanford campus migrated to OpenFlow
- Microsoft Azure datacenter [2]
- Internet2 AL2S: can build Layer 2 circuits between any Internet2 end-points
- NTT's BGP-free edge
[1] B4: Experience with a Globally-Deployed Software Defined WAN, SIGCOMM'13, Jain et al.
[2] Keynote, ONS June 2015

16 GENI and OpenFlow deployment
Key GENI concept: slices and deep programmability
- Internet: open innovation in application programs
- GENI: open innovation deep into the network
- OpenFlow switches are one of the ways GENI provides deep programmability
(Figure: the "good old Internet" beside GENI Slice 0 through Slice 4.)

17 GENI-enabled regionals
(Figure: OpenFlow switches in a GENI rack, connected to GENI-enabled regionals, e.g. CENIC, and to Internet2 AL2S.)

18 OpenFlow controllers
Open source controller frameworks:
- NoX - C++
- PoX - Python
- OpenDaylight - Java
- FloodLight - Java
- Trema - C / Ruby
- Maestro - Java
- Ryu - Python

19 OpenFlow Protocol (SSL/TCP)
- The controller is responsible for populating the forwarding table of the switch
- On a table miss the switch asks the controller
(Figure: a switch with a data path (hardware) and a control path (OpenFlow), talking to an OpenFlow controller on any host over the OpenFlow protocol (SSL/TCP). Modified slide from:)

20 OpenFlow in action
- Host1 sends a packet
- If there are no rules about handling this packet, the switch forwards it to the controller
- The controller installs a flow
- Subsequent packets do not go through the controller
(Figure: the same switch/controller diagram with host1 and host2 attached to the switch. Modified slide from:)

21 OpenFlow Basics (1.0)
A flow entry has three parts:
- Rule: match on Switch Port, VLAN ID, VLAN PCP, MAC src, MAC dst, Eth type, IP Src, IP Dst, IP Prot, IP ToS, TCP sport, TCP dport, plus a mask selecting which fields to match
- Action: forward packet to port(s); encapsulate and forward to controller; drop packet; send to normal processing pipeline; modify fields
- Stats: packet and byte counters
Speaker note: Now I'll describe the API that tries to meet these goals.
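The table-miss / packet-in / flow-install cycle of slides 19-21 in miniature, as an added example (not code from the deck or from any OpenFlow controller): a flow entry with wildcarded match fields, actions and stats counters, a switch that asks the controller on a miss, and a MAC-learning controller app that installs flows so later packets never leave the data path. The packets, MAC addresses and port numbers are constructed; the final high-priority drop rule stands in for what the lab's correlator pushes to the switch.

```python
from dataclasses import dataclass


@dataclass
class Flow:
    """One flow-table entry: rule (match), action list and stats counters.
    `match` holds a subset of the OpenFlow 1.0 header tuple (in_port, dl_src,
    dl_dst, nw_src, tp_dst, ...); any field left out is wildcarded."""
    match: dict
    actions: list
    priority: int = 1
    n_packets: int = 0
    n_bytes: int = 0

    def matches(self, pkt):
        return all(pkt.get(k) == v for k, v in self.match.items())


class Switch:
    """Data path: match packets against the table, count hits, and on a table
    miss encapsulate the packet to the controller (packet-in)."""

    def __init__(self, controller):
        self.table = []
        self.controller = controller
        self.packet_ins = 0

    def add_flow(self, flow):
        self.table.append(flow)
        self.table.sort(key=lambda f: -f.priority)   # highest priority first

    def process(self, pkt):
        for flow in self.table:
            if flow.matches(pkt):
                flow.n_packets += 1
                flow.n_bytes += pkt['len']
                return flow.actions
        self.packet_ins += 1
        return self.controller(self, pkt)


def learning_controller(mac_table):
    """Control path: a MAC-learning app. On packet-in it learns the source
    port, and if the destination is known it installs a flow so later packets
    are switched without a round trip to the controller."""
    def on_packet_in(sw, pkt):
        mac_table[pkt['dl_src']] = pkt['in_port']
        out_port = mac_table.get(pkt['dl_dst'])
        if out_port is None:
            return ['flood']                      # unknown destination: no flow installed
        sw.add_flow(Flow({'in_port': pkt['in_port'], 'dl_dst': pkt['dl_dst']},
                         [f'output:{out_port}']))
        return [f'output:{out_port}']
    return on_packet_in


def run_demo():
    """host1 on port 1 talks to host2 on port 2 (constructed packets)."""
    mac_table = {}
    sw = Switch(learning_controller(mac_table))
    h1_to_h2 = {'in_port': 1, 'dl_src': 'aa:aa:aa:aa:aa:01', 'dl_dst': 'aa:aa:aa:aa:aa:02', 'len': 64}
    h2_to_h1 = {'in_port': 2, 'dl_src': 'aa:aa:aa:aa:aa:02', 'dl_dst': 'aa:aa:aa:aa:aa:01', 'len': 64}

    first = sw.process(h1_to_h2)      # miss -> packet-in #1, destination unknown: flood
    reply = sw.process(h2_to_h1)      # miss -> packet-in #2, host1 known: flow installed
    second = sw.process(h1_to_h2)     # miss -> packet-in #3, host2 known now: flow installed
    for _ in range(10):
        sw.process(h1_to_h2)          # all ten hit the installed flow; controller not involved
    packet_ins = sw.packet_ins

    # Mitigation as a correlator would push it: a higher-priority drop rule for
    # the port the attack comes from, wildcarding every other field.
    sw.add_flow(Flow({'in_port': 2}, ['drop'], priority=100))
    blocked = sw.process(h2_to_h1)

    h1_flow = next(f for f in sw.table if f.match == {'in_port': 1, 'dl_dst': 'aa:aa:aa:aa:aa:02'})
    return {'first': first, 'reply': reply, 'second': second,
            'packet_ins': packet_ins, 'h1_flow_packets': h1_flow.n_packets,
            'h1_flow_bytes': h1_flow.n_bytes, 'blocked': blocked}


if __name__ == '__main__':
    print(run_demo())
```

Three packet-ins are enough to set up both directions; the ten follow-up packets only bump the flow's counters, which is the "subsequent packets do not go through the controller" point. The drop rule shows why priority matters: it wins over the learned forwarding entry for port 2 without that entry being removed.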

22 Software Defined Networks
SDN capabilities:
- Drop flows
- Redirect flows
- Duplicate flows
- Information available and accessible on different network layers
Source:

23 Questions? And one last thing… go to the next slide. Let's experiment!

24 Variations
- GENI Desktop
- Different attacks: Slowloris, privilege escalation
- Third level: use the power of SDN to detect and mitigate the port(s) from which the DoS is coming

25 Correlation and Mitigation
- Use the monitor to alert the correlator
- The correlator is logic that communicates with the controller and gathers info about the attack
- The correlator decides, based on controller info, if there is an attack
- Correlator logic is implemented in Python

26 Monitor-Correlator Communication
(Sequence diagram; participants: Controller (Correlator), Client, OpenvSwitch, Monitor, Server. Messages, in order:)
1. Client -> OpenvSwitch: Request Content
2. Controller -> OpenvSwitch: Insert Flow
3. OpenvSwitch -> Monitor: OvS Mirror Traffic
4. OpenvSwitch -> Server: Forward Traffic
5. Monitor -> Controller: Send Alert Detail
6. Controller -> OpenvSwitch: Query OvS Flow Table
7. OpenvSwitch -> Controller: Return Flow Table Data
8. Controller -> OpenvSwitch: Insert Flow to OvS

27 Monitor
- Listen for IDS alerts
- Alert threshold = # SYN packets / sec
- Send an alert flag to the correlator; the flag can carry the attack type
- Send the IPs of the selected SYN packets to the correlator
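A monitor of the kind slide 27 describes, written here as an added example and not the deck's own monitor script: it parses Snort's alert_fast output, counts per second the alerts produced by a custom SYN rule, and when a second exceeds the threshold builds the flag (attack type plus source IPs) that would be sent to the correlator. The rule text, SID 1000001 and the sample alert lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Custom Snort rule this monitor listens for (an assumption of the example;
# SID 1000001 is in the local range, not a rule from the original deck).
# It fires once per SYN to the web server, so the per-second alert count
# equals the per-second SYN count the slide thresholds on.
SYN_RULE = ('alert tcp any any -> $HOME_NET 80 '
            '(msg:"SYN flood candidate"; flags:S; sid:1000001; rev:1;)')

# Snort alert_fast line: "MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port"
FAST_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?'
    r'\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$')


def parse_fast_alert(line):
    """Return the alert fields, or None for lines that are not alerts."""
    m = FAST_RE.match(line)
    if not m:
        return None
    alert = m.groupdict()
    alert['sid'] = int(alert['sid'])
    return alert


def monitor(lines, sid=1000001, threshold=5):
    """Count alerts for `sid` per second of timestamp. Every second whose count
    exceeds `threshold` becomes one flag for the correlator: attack type, the
    count, and the (deduplicated) source IPs of the SYNs in that second."""
    per_second = defaultdict(list)
    for line in lines:
        alert = parse_fast_alert(line)
        if alert and alert['sid'] == sid:
            per_second[alert['ts']].append(alert['src'])
    flags = []
    for second in sorted(per_second):
        srcs = per_second[second]
        if len(srcs) > threshold:
            flags.append({'attack': 'syn_flood', 'second': second,
                          'count': len(srcs), 'ips': sorted(set(srcs))})
    return flags


def _fast(ts, src, sid=1000001, msg='SYN flood candidate', dst='10.0.0.2'):
    """Build one constructed alert_fast line in Snort's layout."""
    return (f'{ts}.000000  [**] [1:{sid}:1] {msg} [**] '
            f'[Classification: Attempted Denial of Service] [Priority: 2] '
            f'{{TCP}} {src}:40000 -> {dst}:80')


# Constructed alert log: an 8-SYN burst from spoofed sources in one second,
# two ordinary SYNs the next second, an unrelated MySQL alert, and a
# non-alert status line that the parser must ignore.
SAMPLE_ALERTS = (
    [_fast('08/10-14:02:30', f'10.0.0.{100 + i}') for i in range(8)]
    + [_fast('08/10-14:02:31', '10.0.0.5'), _fast('08/10-14:02:31', '10.0.0.6')]
    + [_fast('08/10-14:02:30', '10.0.0.9', sid=1775, msg='MYSQL root login attempt')]
    + ['Commencing packet processing (pid=4242)']
)


if __name__ == '__main__':
    for flag in monitor(SAMPLE_ALERTS):
        print(flag)   # this is what the monitor would send to the correlator
```

Counting in the monitor keeps the rule simple and lets the threshold be tuned without reloading Snort; the alternative is to put the rate limit in the rule itself with Snort's `detection_filter` option, in which case one alert already means "threshold exceeded" and the monitor only has to forward it. Either way the source IPs of a SYN flood are usually spoofed, which is why the correlator works from switch ports rather than from these addresses.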

28 Monitor – real time snort alert monitoring

29 Monitor – send alert to correlator

30 Correlator
Hash table based on the original flow table of the OVS switch; query this table using the IP addresses from the monitor to look for any unknown IPs. Additional queries go to a second hash table created from the current flow table.

Original Flow Table      Flow Table Snapshot 1     Flow Table Snapshot 2
Key     Value            Key     Value             Key     Value
port1   IP1              port1   IP1               port1   IP1
port2   IP2              port2   IP12345           port2   IP6789
port3   IP3              port3   IP3               port3   IP3
portn   IPn              portn   IPn               portn   IPn

31 Correlator – parse and process flowdump

32 Correlator – block the port of attack
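Slides 30-32 describe the correlator without showing its code (the screenshots are not in the transcript). The following is an added example, not the deck's own script: it parses `ovs-ofctl dump-flows` output into the port-to-IP hash table, compares the monitor's IPs against the pre-attack table and the current snapshot, picks the port(s) to block, and produces the `ovs-ofctl add-flow ... actions=drop` command. The two flow dumps, bridge name `br0` and all addresses are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed `ovs-ofctl dump-flows br0` output, captured before the attack.
# Port numbers, cookies and counters are made up for this example.
ORIGINAL_DUMP = """NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=120.5s, table=0, n_packets=40, n_bytes=2960, priority=1,ip,in_port=1,nw_src=10.0.0.1 actions=output:3
 cookie=0x0, duration=118.2s, table=0, n_packets=12, n_bytes=888, priority=1,ip,in_port=2,nw_src=10.0.0.2 actions=output:3
 cookie=0x0, duration=300.0s, table=0, n_packets=900, n_bytes=70000, priority=0 actions=NORMAL
"""

# Same bridge a few seconds after the monitor raised the SYN flag: the spoofed
# source addresses all arrive on port 2, alongside the legitimate client there.
SNAPSHOT_DUMP = """NXST_FLOW reply (xid=0x5):
 cookie=0x0, duration=131.0s, table=0, n_packets=58, n_bytes=4292, priority=1,ip,in_port=1,nw_src=10.0.0.1 actions=output:3
 cookie=0x0, duration=128.7s, table=0, n_packets=14, n_bytes=1036, priority=1,ip,in_port=2,nw_src=10.0.0.2 actions=output:3
 cookie=0x0, duration=2.1s, table=0, n_packets=410, n_bytes=24600, priority=1,ip,in_port=2,nw_src=10.0.0.100 actions=output:3
 cookie=0x0, duration=2.0s, table=0, n_packets=395, n_bytes=23700, priority=1,ip,in_port=2,nw_src=10.0.0.101 actions=output:3
 cookie=0x0, duration=310.5s, table=0, n_packets=990, n_bytes=77000, priority=0 actions=NORMAL
"""

FLOW_RE = re.compile(r'in_port=(?P<port>\d+).*?nw_src=(?P<ip>[\d.]+)')


def parse_flowdump(text):
    """Build the port -> {source IPs} hash table from a dump-flows listing.
    Entries without both in_port and nw_src (e.g. the table-miss NORMAL rule)
    carry no per-client information and are skipped."""
    table = defaultdict(set)
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            table[int(m.group('port'))].add(m.group('ip'))
    return dict(table)


def ip_index(table):
    """Invert port -> IPs into IP -> port for direct lookups by the monitor's IPs."""
    return {ip: port for port, ips in table.items() for ip in ips}


def correlate(original, snapshot, alert_ips):
    """Decide which ports to block. An IP the monitor reported is treated as
    attack traffic only if it is absent from the pre-attack table; its port is
    taken from the current snapshot. Also report the known IPs that share a
    blocked port, i.e. the real traffic a port-level drop will mitigate too."""
    known = ip_index(original)
    current = ip_index(snapshot)
    ports, unknown = set(), []
    for ip in alert_ips:
        if ip in known:
            continue                       # seen before the attack: flash crowd, not flood
        unknown.append(ip)
        if ip in current:
            ports.add(current[ip])
    collateral = {ip for p in ports for ip in original.get(p, set())}
    return sorted(ports), unknown, collateral


def drop_flow_cmd(bridge, port, priority=100):
    """ovs-ofctl command the correlator would run to drop everything from `port`."""
    return f'ovs-ofctl add-flow {bridge} "priority={priority},in_port={port},actions=drop"'


if __name__ == '__main__':
    orig = parse_flowdump(ORIGINAL_DUMP)
    snap = parse_flowdump(SNAPSHOT_DUMP)
    ports, unknown, collateral = correlate(orig, snap, ['10.0.0.100', '10.0.0.101', '10.0.0.1'])
    for p in ports:
        print(drop_flow_cmd('br0', p), '# unknown:', unknown, 'also drops:', sorted(collateral))
```

The `collateral` set is the point slide 33 makes about flash crowds: blocking port 2 also silences 10.0.0.2, which was there before the attack. A correlator that wants a second chance for such clients can match the drop rule on `in_port` plus `nw_src` for the unknown addresses only, at the cost of one flow per spoofed source.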

33 Role of SDN in Implementation
- Duplicate flows: duplication is implemented with mirroring
- Flow table information detects the attacker
- Drop flows to mitigate
Caveats:
- We may mitigate real traffic (flash crowd)
- Deep packet inspection
- Second chance
Questions so far?

34 Questions? Let’s experiment!
