INTRUSION DETECTION SYSTEM (IDS)


INTRUSION DETECTION SYSTEMS (IDS)
INTRODUCTION AND OVERVIEW
(What vendors will not tell you)
Clément Dupuis, CD
CISSP, GCFW, GCIA
CCSA, CCSE, ACE
CGI Group / CCCure.Org
OVERVIEW
• INTRODUCTION
– Overview
• Network versus host
based IDS
– Definitions & Jargon
• C-I-A
– The Puzzle
– Current State of IDS
• Threats (Fact or fiction)
• I have a good firewall,
why do I need an IDS?
• Realistic expectations
• ID Landscape
• Type of IDS
• Challenges
• Choosing an IDS
(Criteria & Features)
• Products available on
market
• Ongoing Effort
• Conclusion
• More Info
Intrusion Detection Definition:
• Defined by ICSA as:
– The detection of intrusions or intrusion attempts, either
manually or via software expert systems that operate
on logs or other information available from the system
or the network.
• An intrusion is a deliberate, unauthorized attempt
to access or manipulate information or systems
and to render them unreliable or unusable.
• When the suspicious activity comes from your internal
network it can also be classified as misuse.
Jargon related to IDS
• False Negative: a real intrusion the IDS did not report
• False Positive: an alert on activity that was not an intrusion
• Beware, vendors use different names
for exactly the same type of detect.
• What is a DMZ?
• How to count
- what is byte 9?
Is it the tenth byte (offset 9, counting from 0 as packet
decoders do) or really the ninth?
The Puzzle
• Intrusion Detection Systems are only
one piece of the whole security puzzle
• IDS must be supplemented by other
security and protection mechanisms
• They are a very important part of your
security architecture but do
not solve all your problems
• Part of “Defense in depth”
Current State of IDS
• Lots of people are still using firewall and router
logs for intrusion detection (home brew)
• IDS are not very mature
• Mostly signature based
• It is a quickly evolving domain
• Giant leaps and progress every quarter
• As stated by Bruce Schneier in his book 'Secrets
and Lies: Digital Security in a Networked World':
Prevention -> Detection -> Response
We are only getting to the detection step today
THREATS – FACT OR FICTION ??
• Frequency vs Difficulty level
• I am not a target (Yeah, right!)
• Examples of TOOLS
• Recent vulnerabilities
• A classic example: CODERED
• Hacktivists or cyber terrorists
• The BIGGEST threat
Frequency vs Difficulty level
• The frequency of probes, attacks, or intrusion
attempts is inversely proportional to the difficulty
level required to perform such attacks.
• A clear trend has been identified over the past 3
years. Graphical tools that are getting very
sophisticated have replaced the cumbersome
command line utilities.
• They are now available for Windows as well as
other platforms.
• It is no longer necessary to have any computer
knowledge to break through defense mechanisms
that are not properly maintained.
Who are the targets ??
• Simply being connected is a good enough reason to be
a target. Search is ongoing for easy to compromise
hosts.
• Fast bandwidth is now a cheap commodity.
• Cable modem and ADSL access is the equivalent of
having a T1 link in your home.
• Kids of all ages can scan a whole country in a very
short time frame.
• No specific motive: they do it for fame, fun, to show
off, or just because they have nothing else to do. No
technical knowledge is required to be a "script kiddie"
E-COMMERCE + WELL KNOWN NAME = HACKER TARGET
• A clear example is the Denial of service attacks
against Yahoo, Ebay, and other popular sites.
• ICSA Information Security Magazine, Sept 2000
– Percentage of sites reporting each attack type,
E-Commerce sites (left column) vs non-E-Commerce sites (right column)

Attack type                   E-Comm   Non E-Comm
Viruses/Trojans/worms          82%        76%
Denial of service              42%        31%
Active scripting exploits      40%        34%
Protocol weaknesses            29%        23%
Insecure passwords             30%        20%
Buffer overflow                29%        20%
Bugs in web server             33%        16%
HACKING TOOLS
(EASY TO GET, EASY TO USE, VERY POWERFUL)
My friend SAM SPADE
Execution of arbitrary commands through HTTP
(10/10/2000)
http://address.of.iis5.system/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\
OUTPUT:
NOTE:
%c0%af and %c1%9c are (overlong) Unicode encodings of the / and \
characters; IIS checked the path for ".." before decoding them, so the
request walks out of the scripts directory and runs cmd.exe
Directory of c:\
2000-08-08 18:28 Inetpub
2000-08-09 09:58 Install
2000-08-09 11:17 MDaemon
2000-09-01 09:01 MSSQL7
2000-08-29 13:03 news
2000-10-18 02:53 ooo
2000-10-18 01:37 Program Files
2000-08-09 17:54 sttco
2000-10-17 11:48 WINNT
2000-10-18 02:02 wwww
2000-09-26 12:03
1 File(s) 28,160 bytes 14 Dir(s) 6,377,992,192 bytes free
Plain text password after Directory Server Install
(10/04/2000)
• After installing Netscape's Directory Server 4 for
Solaris, one of the final options is to remove a file
called 'install.inf' which the install process claims
could contain sensitive information. Answering yes to
this question will delete the file.
• However there is another file left behind after
installation which contains the unencrypted 'admin'
password. This file is world readable and is
located in /usr/netscape/server4/adminserv/config/adm.conf
CODERED
• Yet another buffer overflow (in the IIS .ida ISAPI extension)
• Disguised as an HTTP request
• Goes on to infect other systems
• Could have been stopped by granular
access control and proper firewall configuration
• It is not normal traffic when your web
server is surfing the Internet and making
outbound requests on port 80
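The "web server surfing the Internet" check above, written as a small flow-based detector. This is an added example, not code from the original slides; the server addresses, internal networks and flow records are constructed for illustration, and a bare SYN (no ACK) is used as the sign of which side opened the connection.

```python
"""Flag web servers that open their own outbound HTTP connections (Code Red behaviour).
Added example; addresses and flow records below are constructed, not captured."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed: our DMZ web servers and the address space we consider "inside".
WEB_SERVERS = {"192.0.2.10", "192.0.2.11"}
INTERNAL_NETS = [ip_network("192.0.2.0/24"), ip_network("10.0.0.0/8")]

# Constructed flow records: (src, sport, dst, dport, proto, tcp_flags).
# A bare SYN marks the side that initiated the connection; SYN/ACK is the answer.
FLOWS = [
    ("198.51.100.7", 51022, "192.0.2.10", 80, "tcp", "S"),    # visitor -> our site: normal
    ("192.0.2.10", 80, "198.51.100.7", 51022, "tcp", "SA"),   # our reply: normal
    ("192.0.2.10", 1034, "203.0.113.5", 80, "tcp", "S"),      # web server surfing out: suspicious
    ("192.0.2.10", 1035, "203.0.113.77", 80, "tcp", "S"),
    ("192.0.2.10", 1036, "198.51.100.200", 80, "tcp", "S"),
    ("192.0.2.11", 1040, "10.0.0.5", 80, "tcp", "S"),         # internal destination: not egress
]

def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)

def outbound_http_from_servers(flows, servers=WEB_SERVERS):
    """{server: [dst, ...]} for port-80 connections the server itself opened to the outside."""
    hits = defaultdict(list)
    for src, _sport, dst, dport, proto, flags in flows:
        if proto != "tcp" or dport != 80:
            continue
        if "A" in flags:            # carries ACK, so it is not the opening SYN
            continue
        if src in servers and not is_internal(dst):
            hits[src].append(dst)
    return dict(hits)

def alerts(flows, spread_threshold=3):
    """One alert per offending server; many distinct targets looks like a worm spreading."""
    result = []
    for server, dsts in sorted(outbound_http_from_servers(flows).items()):
        targets = sorted(set(dsts))
        kind = "worm-like spread" if len(targets) >= spread_threshold else "outbound HTTP"
        result.append((server, kind, targets))
    return result

if __name__ == "__main__":
    for server, kind, targets in alerts(FLOWS):
        print(f"ALERT {kind}: {server} -> {', '.join(targets)}")
```

The same rule belongs on the firewall as an egress policy (the servers should never be allowed to open port 80 outbound); the detector is there to tell you when that policy is missing or broken.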
THE TOP 10 INTERNET THREATS
(Top 10 from SANS Institute)
• BIND weaknesses
• Vulnerable CGI programs and extensions on web servers
• Remote Procedure Call (RPC) weaknesses (NFS and remote execution)
• IIS Remote Data Services (for example .htr files)
• Sendmail buffer overflow
• Solaris sadmind and mountd
• IMAP/POP buffer overflow or incorrect configuration
• Default SNMP community strings set to 'public' and 'private'
• Global file sharing (NetBIOS, Macintosh web sharing, UNIX NFS)
• Use of weak passwords or no password on user IDs
Hacktivists or Cyber terrorists
• USA TODAY October 9th 2001
• Very Likely
– Denial of services attack
– Computer worms and viruses
• Likely
– Breaking into government computers and stealing
military secrets or encryption technology
– Power grid disruption
– Emergency systems being compromised
– Other Internet connected services disrupted
Hacktivist or Cyber terrorists
• Unlikely
– Cutting off fiber-optic cables between major
hubs
– Bombing or physically attacking domain
name servers or switching centres
– Bombing of Internet facilities to take down the
Internet
Digging a Tunnel
• You spend a great deal of money on concrete walls
(firewalls) but they are of no use if
someone can dig through them.
RelTunnel – ICMP Tunnel
The biggest threat: EXPOSURE
• The biggest threat of all is bad publicity and having
your company reputation and name associated with
an intrusion, site modification and defacement, or
even attacks on other sites using your resources as a
launch platform.
• It could kill all faith in the belief that you can offer a
secure environment to conduct E-Commerce or other
online activities.
• Even though perception is often not the reality, outsiders
and customers do not care that the specific site was
on a bronze plan or that it was not hosted in house.
• PEOPLE ONLY READ LARGE TITLES such as:
"XYZ GOT HACKED!!!"
WHY DO I NEED AN IDS, I HAVE A FIREWALL?
• IDS are a dedicated assistant used to monitor the
rest of the security infrastructure
• Today's security infrastructures are becoming
extremely complex: they include firewalls,
identification and authentication systems, access
control products, virtual private networks,
encryption products, virus scanners, and more.
All of these tools perform functions essential to
system security. Given their role they are also
prime targets, and being managed by humans
they are prone to errors.
• Failure of one of the above components of your
security infrastructure jeopardizes the systems
they are supposed to protect
WHY DO I NEED AN IDS, I HAVE A FIREWALL?
• Not all traffic may go through a firewall,
e.g. a modem on a user's computer
• Not all threats originate from outside. As
networks use more and more encryption,
attackers will aim at the location where data is
often stored unencrypted (the internal network)
• Firewalls do not protect appropriately against
application level weaknesses and attacks
• Firewalls are subject to attacks themselves
• An IDS protects against misconfiguration or faults in other
security mechanisms
REAL LIFE ANALOGY
• It's like security at the airport... You can put up all the
fences in the world and have strict access control, but the
biggest threat is all the PASSENGERS (packets) that you
MUST let through! That's why there are metal detectors to
detect what they may be hiding (packet content).
• You have to let them get to the planes (your application)
via the gate (port 80) but without X-rays and metal
detectors, you can't be sure what they have under their
coats.
• Firewalls are really good access control points, but they
aren't really good for, or designed for, preventing intrusions.
• That's why most security professionals back their firewalls
up with an IDS, either behind the firewall or at the host.
WHAT CAN IDS REALISTICALLY DO
– Monitor and analyse user and system activities
– Audit system and configuration
vulnerabilities
– Assess the integrity of critical system and data files
– Recognize patterns reflecting known attacks
– Statistical analysis for abnormal activities
– Data trail: trace activities from the point of entry up
to the point of exit
– Installation of decoy servers (honey pots)
– Installation of vendor patches (some IDS)
WHAT IDS CANNOT DO
– Compensate for weak authentication and identification
mechanisms
– Investigate attacks without human intervention
– Guess the content of your organization's security policy
– Compensate for weaknesses in networking protocols, for
example IP spoofing
– Compensate for the integrity or confidentiality of information
– Analyze all traffic on a very high speed network
– Deal adequately with attacks at the packet level
– Deal adequately with modern network hardware
ID TECHNOLOGY LANDSCAPE
• PREVENTIVE
• REAL TIME
TYPE OF IDS MONITORING
• Home Brew (Script, Big Brother, Logwatch, swatch)
• Application Based
• Host Based (also called Agent)
• Target Based approach
– Integrity checker such as the tripwire tool.
• Network Based (also called Sensor)
• Hybrid or Integrated approach (Use all or a
combination of two or more of the above)
• Honeypot, Honeynet, and the Sticky Honeypot
• Gateway IDS (IDS/FW Combined)
TYPE OF ANALYSIS
• Signature based (pattern matching)
– Similar to a virus scanner: looks for a specific string in the
network data being presented to the IDS
• Statistical
– Based on time, frequency, length of session
– For example: cdupuis logs on at 03:00 AM and has never
done so in the past; this will raise a flag
• Integrity checker
– Based on a hashing mechanism. Detects authorized and
unauthorized changes to files within your systems.
• Anomaly detection / behavior based
• Flow based
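The first three analysis types above, side by side in one added example (not code from the slides or from any of the products named later). The signature patterns, the login history for cdupuis and the file contents are all constructed; the integrity check follows the Tripwire idea of comparing a stored hash baseline against the current files.

```python
"""Three IDS analysis types side by side: signature, statistical and integrity.
Added example; every pattern, login record and file below is constructed."""
import hashlib
from collections import defaultdict

# 1. Signature based: known attack byte patterns searched for in the payload
# (constructed patterns, not any vendor's rule set).
SIGNATURES = {
    "iis-unicode-traversal": b"..%c0%af..",
    "cmd-exe-request": b"/winnt/system32/cmd.exe",
}

def match_signatures(payload: bytes, sigs=SIGNATURES):
    """Names of every signature whose pattern occurs in the payload."""
    return sorted(name for name, pattern in sigs.items() if pattern in payload)

# 2. Statistical: profile the hours each user has logged on at, then flag a
# login at an hour that user has never been seen at before.
def build_login_profile(history):
    """history: iterable of (user, hour_of_day) -> {user: set(hours)}"""
    profile = defaultdict(set)
    for user, hour in history:
        profile[user].add(hour)
    return profile

def login_anomalies(profile, events):
    """(user, hour) events outside the user's profile; never-seen users are flagged too."""
    return [(user, hour) for user, hour in events
            if hour not in profile.get(user, set())]

# 3. Integrity checker: hash critical files once as a baseline, compare later.
# Any difference is a change, authorized or not; a human decides which.
def file_hashes(files):
    """files: {path: content_bytes} -> {path: sha256 hex digest}"""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}

def integrity_check(baseline, current_files):
    current = file_hashes(current_files)
    return {
        "changed": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

# Constructed sample data.
PAYLOAD = b"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0\r\n"
LOGIN_HISTORY = [("cdupuis", 8), ("cdupuis", 9), ("cdupuis", 17), ("alice", 22)]
NEW_LOGINS = [("cdupuis", 9), ("cdupuis", 3), ("alice", 22), ("mallory", 3)]
BASELINE_FILES = {"/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
                  "/bin/login": b"\x7fELF...original",
                  "/etc/inetd.conf": b"ftp stream tcp nowait root /usr/sbin/in.ftpd\n"}
CURRENT_FILES = {"/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\nhax:x:0:0::/:/bin/sh\n",
                 "/bin/login": b"\x7fELF...original",
                 "/usr/bin/.rootkit": b"\x7fELF...trojan"}

def demo():
    return {
        "signature": match_signatures(PAYLOAD),
        "statistical": login_anomalies(build_login_profile(LOGIN_HISTORY), NEW_LOGINS),
        "integrity": integrity_check(file_hashes(BASELINE_FILES), CURRENT_FILES),
    }

if __name__ == "__main__":
    for kind, result in demo().items():
        print(f"{kind}: {result}")
```

Note what each engine cannot tell you: the signature engine only knows attacks it has a pattern for, the statistical engine flags the unusual rather than the malicious (a 03:00 login may be legitimate on-call work), and the integrity checker reports that /etc/passwd changed but not who changed it. That is why the hybrid approach in the previous slide exists.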
TYPE OF RESPONSE
• Alteration to the environment
– Changes a rule on router
– Changes a rule on Firewall
• Striking back (not recommended)
– Execute a script to collect information about the attacker
– Send a 20 MB file back to anyone fingering you
– Down side: acknowledgement sent to the attacker (confirms a live, reacting target)
• Real time notification
– Send a pager alert
– SNMP Alarms
– Sends email to one or more recipients
– Visual on screen or audible alarms
TYPE OF RESPONSE
• Throttling
– Limiting rate
– Slowing down attacks
• Session Sniping
– Tears down a session the IDS has flagged
– Sends a TCP reset to both sides of the session
HOST BASED (Advantages)
• Monitors in terms of who accessed what
• Can map problem activities to a specific user id
• Can track behavior changes associated
with misuse
• Can operate in an encrypted environment
• Operates in switched networks
• Monitoring load is distributed across multiple
hosts and not on a single host, reporting only
relevant data to a central console
HOST BASED (Disadvantages)
• Cannot see all network activities
• Running audit mechanisms adds load to the
system; performance may be an issue
• Audit trails can take lots of storage
• OS vulnerabilities can undermine the
effectiveness of agents
• Agents are OS specific
• Escalation of false positives
• Greater deployment and maintenance cost
NETWORK BASED (Advantages)
• Can get information quickly without any
reconfiguration of computers or need to
redirect logging mechanisms
• Does not affect the network or data sources
• Monitors and detects network attacks or
misuse in real time
• Does not create system overhead on the monitored hosts
NETWORK BASED (Disadvantages)
• Cannot inspect protocols if the data is encrypted
• Can infer from network traffic what is happening
on a host but cannot tell the outcome
• Hard to implement on fully switched networks
• Has difficulties sustaining networks with very
large bandwidth
WHAT DOES IT PROTECT ME AGAINST
CHALLENGES
• Deployment & Myths
• Using IDS in fully switched networks
• Sustaining OC3 speed or higher
• Interpreting all the data being presented
• Encryption, VPN, tunnels
• Ongoing support
• Performance
• Response team
Deployment & Myths
• Deployed before or after the firewall
• One IDS per segment
• The more rules in the product, the better the
product
• Real time
• 100% security
Fully Switched & Redundant
CAN’T SEE, CAN’T TELL
RESPONSE TEAM
• An IDS deployment will be only as successful as
the incident handling procedures that are in place
to support it.
• It should include:
– Statement of scope
– Acceptable computer and network use
– Detection and reporting requirements
– Responsibilities for responding to incidents
– Responsibilities for managing incident response
Evasion Techniques
• Evasion techniques are used in order to navigate
below the radar of your IDS
– Fragmentation
– Slow scan
– Stealth scan
– Out of order packets
– Ambiguous packets (crafting)
– Encoding such as %u, UTF-8 (%xx%xx), hex (%xx)
– Use of well known ports (Code Red on port 80)
Extra reading: http://secinf.net/info/ids/idspaper/idspaper.html
Evasion Techniques - %u encoding
• Announced 5 Sept 2001 by eEye Digital Security
• Almost all IDS were vulnerable except Snort,
Symantec, and NAI
• Not a standard and Microsoft specific, unknown to
other vendors.
• So if an attacker sends a %u encoded request
they can bypass an IDS checking for ".ida".
• An example stealth Code Red request would look like:
GET /himom.id%u0061 HTTP/1.0
Where does it come from (Source)
• It looks like a duck, it quacks like a duck, but it
may not be a duck.
– Anonymizer services such as Zero-Knowledge
– Public proxies
– Compromised sites
– IP spoofing
– Distributed attacks
CORRELATION
– Is needed for a large number of agents and sensors
– Allows you to see trends throughout your enterprise
– Can accept input from your web server, DNS, FTP
server and other applications
– Can identify threats in other regions before they
happen locally
– Very few IDS have a highly scalable correlation
engine or database
– Is a must for long term analysis of patterns
– Ask your vendor about their solution
Performance
• Fragmentation: fragments can arrive out of order,
e.g. "Frag" (1/4), "ta" (3/4), "men" (2/4), "tion" (4/4);
the IDS has to reassemble them before it can match
• Beware of benchmarks
– Hardware used
– Number of rules
– Type of traffic
• Total number of rules x 65535 (the port range)
• ANSWER: It depends...
Features to look for
• Number of rules
• Which ones apply to your specific environment
• Ability to read the whole packet
• Ability to drill down
• Deals adequately with fragmentation
• Updates (how they are done and how often)
• Reporting features (import, export, flexibility)
• Support issues (OS, platform)
• Ease of use (what staffing is needed)
Features to look for
• What specialized equipment is required
• Is the product Network or Host based
• How much does the update cost
• Is it capable of automated response to attacks
• How customizable is it
• What is the incidence rate of false positive
• What kind of expertise is required to support it
Leading Products
• Dragon from Enterasys
– http://www.enterasys.com/ids/
• CISCO Secure IDS
– http://www.cisco.com/go/ids/
• Snort
– http://www.snort.org/
• ISS Real Secure
– http://www.iss.net/securing_e-business/
• SHADOW
– http://www.whitehats.ca
– ftp://ftp.whitehats.ca/pub/ids/shadow-slack/shadow.iso
ONGOING SUPPORT
• There is a need for a COMPETENT analyst
• Vendors' latest signatures may take up to a week
after a new threat has been publicized. You will need
someone in house who can analyse new
vulnerabilities or attacks in order to write your own
rules. This may take an hour a day or more.
• You need someone who can fine tune the IDS in order
to avoid false positives and false negatives
• Must subscribe to popular advisories and security
newsletters such as Bugtraq, CERT, GIAC, SANS,
and others
IDS GOOD GUYS
• A few initiatives are under way to improve early
detection, accuracy and terminology
amongst vendors of ID equipment and software
– Incidents.org, ARIS, MyNetWatchMan
– CVE (http://www.mitre.org/cve/)
– IDMEF, Intrusion Detection Message Exchange
Format
http://www.ietf.org/html.charters/idwg-charter.html
– CIDF, Common Intrusion Detection Framework
SUMMARY
• Select the IDS you wish to use according to your
needs and requirements (short list)
• Select hardware
• Decide on positioning of the IDS (total, per
customer, per zone, etc.)
• Estimate costs
• Acquire and install HW and SW (perform tests)
• Minimize false positives and false negatives
• Deploy to the production environment
• Monitor, tune, update, monitor, tune, update...
CLOSING
• An IDS is like a three year old kid: it's not happy
unless you are watching it all the time.
• Contrary to all other devices, an IDS talks back to you
and demands immediate attention.
• One of the most important points is how you are going
to monitor your systems: what are you going to do
when the alarm goes off at three in the morning?
• There are about 400 different IDS on the market. Only a
few of these products integrate well in large
environments, are scalable, and easy to maintain.
• Acquire the IDS that meets your needs, not the one
the vendor thinks you need.
More Info or presentation copies
You can get more info by sending email to:
[email protected]
Electronic Copies and other fine documents on
Intrusion Detection can be obtained from:
http://www.cccure.org/Documents/IDS/IDS_2002.PPT
SANS TOP 20 VULNERABILITIES
http://www.sans.org/top20.htm