
Network Intrusion Detection David LaPorte


1 Network Intrusion Detection
David LaPorte
david_laporte@harvard.edu

2 Topics
- What is IDS?
- HIDS v. NIDS
- Signatures
- Active Response / IPS
- NIDS on the Cheap
- Additional Resources

3 What is IDS?
"the art of detecting inappropriate, incorrect, or anomalous activity. ID systems that operate on a host to detect malicious activity on that host are called host-based ID systems, and ID systems that operate on network data flows are called network-based ID systems."
Source: http://www.sans.org/newlook/resources/IDFAQ/what_is_ID.htm

4 HIDS v. NIDS
- Defense in depth, layered security
- HIDS
  - Typically software installed on a system
  - Agent-based
    - Monitors multiple data sources, including file system meta-data and log files
  - Wrapper-based
    - Acts like a firewall: denies or accepts connections or logins based on a defined policy

5 HIDS v. NIDS
- NIDS
  - Monitors traffic on a network
  - Reports on traffic not considered "normal"
  - Anomaly-based
    - Packet sizes, destinations, protocol distributions, etc.
    - Hard to determine what "normal" traffic looks like
  - Signature-based
    - Most products use signature-based technologies

6 Signature-based NIDS
- Signature-based
  - Matches header fields, port numbers, content
  - Network "grep"
- Advantages
  - No learning curve
  - Works out-of-box for well known attacks
  - Snort has ~1900 signatures
  - Dragon has ~1700 signatures
- Disadvantages
  - New attacks (anything without a signature yet) cannot be detected
  - False positives
  - Maintenance/tweaking
  - Not very hard to evade
  - Stateless: each packet is judged on its own, and there is no thresholding of repeated hits

7 Signatures
A Dragon signature line, one field per column:

  T A A S 10 20 6668 IRC:XDCC /5Bxdcc/5Dslt

  Field               Value
  PROTOCOL            T
  DIRECTION           A
  PROTECTED NETWORKS  A
  BINARY OR STRING    S
  DYNAMIC LOG         10
  COMPARE BYTES       20
  PORT                6668
  EVENT NAME          IRC:XDCC
  SEARCH STRING       /5Bxdcc/5Dslt

In the search string, /5B and /5D are hex escapes for '[' and ']' (0x5B, 0x5D), so the pattern is the literal "[xdcc]slt", the nick prefix used by the XDCC bots in the raw data that follows.

8 Signatures
On the console...

  Time           Dir   Source             Destination       Proto  Event Name  Group    Sensor  Session  Raw Data
  11:02 02Nov04  from  128.103.a.b:4295   207.44.x.y:6667   tcp    IRC:XDCC    UNKNOWN  ids5
  11:01 02Nov04  from  128.103.a.b:1141   207.44.x.y:6667   tcp    IRC:XDCC    UNKNOWN  ids5
  10:59 02Nov04  from  128.103.a.b:2582   207.44.x.y:6667   tcp    IRC:XDCC    UNKNOWN  ids5
  10:57 02Nov04  from  128.103.a.b:3341   207.44.x.y:6667   tcp    IRC:XDCC    UNKNOWN  ids5

9 Signatures
The console's raw-data view of the IRC sessions flagged on slide 8 ({A} and {D} in the console rendering stand for the line feed and carriage return bytes, 0x0A and 0x0D). The client's login lines (NICK, USER, MODE) appear three times in the capture; the server's banner follows, cut off mid-line.

Client:
NICK [XDCC]SLT-L482
USER b0b 32. :XDCC
MODE [XDCC]SLT-L482 +i

Server:
:snagged.wi.us.criten.net NOTICE AUTH :*** Looking up your hostname...
:snagged.wi.us.criten.net NOTICE AUTH :*** Found your hostname, cached
:snagged.wi.us.criten.net NOTICE AUTH :*** Checking Ident
:snagged.wi.us.criten.net 001 [XDCC]SLT-L482 :Welcome to the Criten IRC Network [XDCC]SLT-L482!~b0b@jojo.harvard.edu
:snagged.wi.us.criten.net 002 [XDCC]SLT-L482 :Your host is snagged.wi.us.criten.net[@0.0.0.0], running version bahamut-1.4(34)
:snagged.wi.us.criten.net 003 [XDCC]SLT-L482 :This server was created Fri Oct 18 2002 at 12:49:34 CDT
:snagged.wi.us.criten.net 004 [XDCC]SLT-L482 snagged.wi.us.criten.net bahamut-1.4(34) oiwscrknfydaAbghe biklLmMnoprRstvc
:snagged.wi.us.criten.net 005 [XDCC]SLT-L482 NOQUIT WATCH=128 SAFELIST MODES=13 MAXCHANNELS=15 MAXBANS=100 NICKLEN=30 TOPICLEN=307 KICKLEN=307 CHANTYPES=&# PREFIX=(ov)@+ NETWORK=Criten SILENCE=10 CASEMAPPING=ascii :are available on this server
:snagged.wi.us.criten.net 251 [XDCC]SLT-L482 :There are 59 users and 6470 invisible on 17 servers
:snagged.wi.us.criten.net 252 [XDCC]SLT-L482 30 :IRC Operators online
:snagged.wi.us.criten.net 253 [XDCC]SLT-L482 84 :unknown connection(s)
:snagged.wi.us.criten.net 254 [XDCC]SLT-L482 738 :channels formed
:snagged.wi.us.criten.net 255 [XDCC]SLT-L482 :I have 705 clients and 1 servers
:snagged.wi.us.criten.net 265 [XDCC]SLT-L482 :Current local users: 705 Max: 3506
:snagged.wi.us.criten.net 266 [XDCC]SLT-L482 :Current global users: 6529 Max: 13238
:snagged.wi.us.criten.net NOTICE [XD

A second session on the same slide is identical except for the client host named in the 001 line:
:snagged.wi.us.criten.net 001 [XDCC]SLT-L482 :Welcome to the Criten IRC Network [XDCC]SLT-L482!~b0b@dhcp-108-176.harvard.edu
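The signature on slide 7 and the session on slide 9, worked through in code. This is an added example, not the slides' own material and not Dragon's code: the protocol letters (T = tcp), the reading of 'A' as "any" direction / network, and case-insensitive string comparison are assumptions made so that the lower-case signature matches the upper-case nick the console captured. The payloads are constructed from the slide-9 client lines.

```python
import re

# Added example; not code from the slides or from the Dragon product. It parses
# the nine-field Dragon-style signature line shown on slide 7 and runs it, as a
# stateless per-packet "network grep", against payloads modelled on slide 9.

SIGNATURE = "T A A S 10 20 6668 IRC:XDCC /5Bxdcc/5Dslt"

FIELDS = ("protocol", "direction", "protected_nets", "kind", "dynamic_log",
          "compare_bytes", "port", "event", "search")

# Assumed single-letter protocol codes (T=tcp, U=udp, I=icmp).
PROTO = {"T": "tcp", "U": "udp", "I": "icmp"}


def decode_search(search: str) -> bytes:
    """Expand /XX hex escapes: /5B -> '[' and /5D -> ']', so the pattern
    is the literal nick prefix '[xdcc]slt'."""
    return re.sub(rb"/([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]),
                  search.encode("ascii"))


def parse_signature(line: str) -> dict:
    parts = line.split(None, len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    sig = dict(zip(FIELDS, parts))
    sig["compare_bytes"] = int(sig["compare_bytes"])
    sig["port"] = int(sig["port"])
    sig["pattern"] = decode_search(sig["search"])
    return sig


def matches(sig: dict, proto: str, dst_port: int, payload: bytes) -> bool:
    """One packet, no state: protocol and destination port must agree, and the
    pattern must appear inside the first `compare_bytes` bytes of the payload.
    Direction 'A' and protected networks 'A' are taken as 'any' (assumption)."""
    if PROTO.get(sig["protocol"]) != proto or dst_port != sig["port"]:
        return False
    window = payload[: sig["compare_bytes"]]
    if sig["kind"] == "S":
        # String compare, treated as case-insensitive here (assumption): the
        # captured nick on slide 9 is '[XDCC]SLT' while the signature is lower case.
        return sig["pattern"].lower() in window.lower()
    return sig["pattern"] in window          # 'B': exact binary compare


# Constructed payload, modelled on the client lines of slide 9 ({A} = \n).
CLIENT_LOGIN = b"NICK [XDCC]SLT-L482\nUSER b0b 32. :XDCC\nMODE [XDCC]SLT-L482 +i\n"


def demo() -> dict:
    sig = parse_signature(SIGNATURE)
    return {
        "event": sig["event"],
        "hit": matches(sig, "tcp", 6668, CLIENT_LOGIN),
        # The console rows on slide 8 are to port 6667: a port-bound signature
        # misses a bot that simply connects to a neighbouring IRC port.
        "other_port": matches(sig, "tcp", 6667, CLIENT_LOGIN),
        # A 7-byte PASS line first pushes the nick past the 20-byte compare window.
        "pushed_past_window": matches(sig, "tcp", 6668, b"PASS x\n" + CLIENT_LOGIN),
    }


# The same check written as a Snort rule (added for comparison; not from the slides):
#   alert tcp any any -> any 6668 (msg:"IRC:XDCC"; content:"[xdcc]slt"; nocase; depth:20; sid:1000001; rev:1;)

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:20} {v}")
```

The two negative cases are the slide-6 disadvantages in miniature: the port field is a hard constraint, so the same bot on 6667 is invisible to this signature, and because the match is confined to the first 20 bytes of a single packet, one harmless leading line is enough to slide the nick out of view.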

10 NIDS – Management
- Correlation is key
- Multiple sensors
- Single data repository
  - Syslog
  - DBMS
  - Text files

11 NIDS – Placement
- Inside the firewall
  - Limits false positives: "cleaner" data
- Outside the firewall
  - Shows overall interest in your network
- Need to collect all traffic
  - An ordinary switch port won't cut it (it only sees traffic addressed to that port)
  - Hub
  - Switch SPAN port
  - Passive tap
  - Difficult on high-bandwidth links (>300Mbps)
    - Distribution devices (TopLayer, etc.)
    - Hardware

12 NIDS – Drawbacks
- False positives
- LOTS of data
  - We generate 3-4GB of logs each day on a ~250Mbps sustained link
  - Makes alerting difficult
- Interoperability
  - ESM: Intellitactics, PentaSafe, etc.
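One way to get from "LOTS of data" to something alertable, as an added example that is not from the slides or from any of the products named: parse console rows in the slide-8 column layout into a single store and collapse them into one incident per source host and event once a count threshold is crossed inside a time window. This supplies the thresholding that slide 6 says a stateless signature engine lacks. The sample rows are constructed (the slide's a.b / x.y address masking is kept; the fifth row is an extra single hit from another host).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not from the slides or from Dragon: collapse a stream of
# per-packet console alerts (format of slide 8) into one incident per source
# host and event once a threshold is crossed inside a time window.

# Constructed sample in the slide-8 column order; the page's a.b / x.y address
# masking is kept, and the fifth row is an extra single hit from another host.
ALERTS = """\
11:02 02Nov04 from 128.103.a.b:4295 207.44.x.y:6667 tcp IRC:XDCC UNKNOWN ids5
11:01 02Nov04 from 128.103.a.b:1141 207.44.x.y:6667 tcp IRC:XDCC UNKNOWN ids5
10:59 02Nov04 from 128.103.a.b:2582 207.44.x.y:6667 tcp IRC:XDCC UNKNOWN ids5
10:57 02Nov04 from 128.103.a.b:3341 207.44.x.y:6667 tcp IRC:XDCC UNKNOWN ids5
10:58 02Nov04 from 128.103.c.d:2000 207.44.x.y:6667 tcp IRC:XDCC UNKNOWN ids5
""".splitlines()


def parse_alert(line: str) -> dict:
    """Split one console row: time, date, direction, src, dst, proto, event, group, sensor."""
    t, d, direction, src, dst, proto, event, group, sensor = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "when": datetime.strptime(f"{d} {t}", "%d%b%y %H:%M"),
        "dir": direction, "src_ip": src_ip, "src_port": int(src_port),
        "dst_ip": dst_ip, "dst_port": int(dst_port), "proto": proto,
        "event": event, "group": group, "sensor": sensor,
    }


def correlate(lines, threshold: int = 3, window: timedelta = timedelta(minutes=10)) -> list:
    """Group alerts by (source host, event); emit one incident for the first
    burst of at least `threshold` alerts whose timestamps fall within `window`.
    Sources below the threshold produce nothing."""
    by_key = defaultdict(list)
    for line in lines:
        a = parse_alert(line)
        by_key[(a["src_ip"], a["event"])].append(a)

    incidents = []
    for (src_ip, event), hits in sorted(by_key.items()):
        hits.sort(key=lambda a: a["when"])
        for i, first in enumerate(hits):
            burst = [h for h in hits[i:] if h["when"] - first["when"] <= window]
            if len(burst) >= threshold:
                incidents.append({
                    "src_ip": src_ip, "event": event, "count": len(burst),
                    "first": burst[0]["when"], "last": burst[-1]["when"],
                    "dst": sorted({f'{h["dst_ip"]}:{h["dst_port"]}' for h in burst}),
                    "sensors": sorted({h["sensor"] for h in burst}),
                })
                break   # one incident per key; a live system would re-arm after the window
    return incidents


if __name__ == "__main__":
    for inc in correlate(ALERTS):
        print(f'{inc["first"]:%H:%M}-{inc["last"]:%H:%M} {inc["src_ip"]} '
              f'{inc["event"]} x{inc["count"]} -> {", ".join(inc["dst"])}')
```

Four rows from 128.103.a.b in five minutes become one incident; the lone row from the second host is kept in the store but raises nothing. Feeding several sensors into the same function is what makes the "single data repository" on slide 10 pay off: the key is the source host and event, not the sensor that saw it.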

13 NIDS - Drawbacks
- Evasion
  - Packet fragmentation
    - Out of order, overlapping
    - Fragroute
  - Character encodings / padding
    - Unicode, mixed case, ../..'s, \0's
  - OS stack behavior
    - Hosts reassemble and decode differently; if the IDS does not do it the way the target does, the two see different data
  - A simple "grep" of a packet won't work
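Two of the evasions above against a "grep the packet" signature for /etc/passwd, as an added example that is not from the slides or from Fragroute. The first part shows request encodings (percent, %u Unicode, case, ./ and backslash traversal, NUL) that hide the string from a raw match but not from a matcher that canonicalises the way the target server does. The second part rebuilds a stream from overlapping fragments under two different overlap policies and shows the IDS and the host ending up with different bytes. All requests and fragments are constructed.

```python
import posixpath
import re
import urllib.parse

# Added example, not from the slides or from Fragroute. Two of the evasions on
# slide 13 against a "grep the packet" signature for /etc/passwd: (1) request
# encodings that hide the string unless the IDS decodes the way the target
# server does, and (2) overlapping fragments that reassemble differently
# depending on whose copy of the overlap wins.

PATTERN = "/etc/passwd"


def naive_grep(uri: str) -> bool:
    """What a plain content match sees: the bytes on the wire, nothing decoded."""
    return PATTERN in uri


def normalize_uri(uri: str) -> str:
    """Canonicalise the way a typical web server would before it opens the file.
    Which steps are right depends on the target's stack (slide 13's 'OS stack
    behavior'): lower-casing is only correct for a case-insensitive server."""
    path = uri
    for _ in range(2):                                    # handles double encoding
        path = re.sub(r"%u([0-9a-fA-F]{4})",              # IIS-style %uXXXX Unicode
                      lambda m: chr(int(m.group(1), 16)), path)
        path = urllib.parse.unquote(path)                 # %XX
    path = path.split("\x00", 1)[0]                       # NUL ends the name in C APIs
    path = path.replace("\\", "/")                        # backslash as separator
    path = posixpath.normpath(path)                       # collapse ./ ../ //
    return path.lower()


def normalized_match(uri: str) -> bool:
    return PATTERN in normalize_uri(uri)


# Constructed requests; each resolves to /etc/passwd on a permissive server.
EVASIONS = [
    "/%65tc/passwd",                 # percent-encoded 'e'
    "/%u0065tc/passwd",              # %u Unicode encoding
    "/ETC/PASSWD",                   # mixed case
    "/etc/./passwd",                 # self-referential directory
    "/cgi-bin/..%5c../etc/passwd",   # backslash + traversal
    "/etc/passwd%00.html",           # NUL hides the real target behind a harmless suffix
]


def reassemble(frags, favor: str = "first") -> bytes:
    """Rebuild a stream from (offset, bytes) fragments. On overlap, 'first'
    keeps the earliest-arriving copy and 'last' the latest. If the IDS and the
    end host pick differently, the IDS inspects a stream the host never saw."""
    buf = {}
    order = frags if favor == "last" else reversed(frags)
    for offset, data in order:
        for i, byte in enumerate(data):
            buf[offset + i] = byte
    return bytes(buf[i] for i in range(max(buf) + 1))


# Constructed fragments: the chaff 'foobar' and the real 'passwd' share offset 9.
OVERLAP = [(0, b"GET /etc/"), (9, b"foobar"), (9, b"passwd")]


if __name__ == "__main__":
    for u in EVASIONS:
        print(f"{u:32} grep={naive_grep(u)!s:5} normalized={normalized_match(u)}")
    print("IDS  (favor first):", reassemble(OVERLAP, "first"))
    print("host (favor last): ", reassemble(OVERLAP, "last"))
```

Four of the six encoded requests slip past the raw match and all six are caught after normalisation. The overlap case is the harder one: an IDS that keeps the first copy of offset 9 inspects "GET /etc/foobar" while a host that keeps the last copy serves "GET /etc/passwd", and no amount of decoding fixes that; the sensor has to reassemble with the same policy as the host it protects.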

14 Active Response
- NIDS is primarily a passive technology
  - Only monitors traffic
  - Doesn't sit in the data stream
- Active response
  - aka "sniping", flex response: the sensor tries to kill the offending session after the fact, e.g. by sending TCP resets or inserting a firewall rule

15 Active Response
- Several issues
  - Timing
    - By the time filters are applied, the attack is complete
  - False alarms / spoofed traffic
    - Self-inflicted DoS: an attacker who spoofs a source you depend on can get the sensor to block it for you
  - Lack of formatting standards
    - CVE, OPSEC

16 Intrusion Prevention
- Place the system in-line
  - Hardware
  - Redundancy
  - (An in-line box is a point of failure: it must keep up with line rate and must fail safely)
- Acts as an IDS/firewall hybrid
- Hogwash

17 NIDS on the Cheap
- So you want a NIDS?
- Snort
  - Open-source NIDS
  - Quickly becoming the "Apache" of IDS
  - Runs on Windows and most Unix variants
- MySQL
  - Open-source DBMS
- ACID
  - Great web-based front-end for Snort/MySQL
- A place to collect traffic
  - Your NIC is fine if you have only one machine
  - Use a hub if you've got a LAN

18 Additional Resources
- Fragroute
  - http://monkey.org/~dugsong/fragroute/
- Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection (Ptacek and Newsham, 1998)
  - http://secinf.net/info/ids/idspaper/idspaper.html
- HIDS Products
  - PortSentry
    - http://www.psionic.com/products/portsentry.html
  - Tripwire
    - http://www.tripwire.com/
  - AIDE
    - http://www.cs.tut.fi/~rammer/aide.html

19 Additional Resources
- NIDS Products
  - Snort
    - http://www.snort.org
  - Dragon
    - http://www.enterasys.com/ids/
  - CiscoSecure IDS
  - ISS RealSecure
    - http://www.iss.net/products_services/enterprise_protection/rsnetwork/index.php
  - ACID
    - http://www.andrew.cmu.edu/~rdanyliw/snort/snortacid.html
  - Hogwash
    - http://hogwash.sourceforge.net/

20 Questions?

