Intrusion Detection Systems

Download Report

Transcript Intrusion Detection Systems

BCIS 4630 Fundamentals of IT Security
PERIMETER SECURITY
Dr. Andy Wu
Overview
• Intrusion detection systems (IDSes)
– Host-based vs. network-based
• Firewalls
– Three major types of firewalls
• Packet filter
• Stateful inspection
• NAT
– Demilitarized Zones (DMZs)
2
Intrusion Detection
• An intrusion is any use or attempted use of a
system that exceeds authentication limits.
• Intrusions are similar to incidents.
– An incident does not necessarily involve an active
system or network device, an intrusion does.
• An intrusion detection system (IDS) is
software/hardware that monitors activity on
the system or network.
– And delivers an alert if it notices suspicious
activity.
3
IDS Architecture
4
Snort Configuration
•
Behaviors of Snort is controlled by a configuration file (as defined by the –c
command line switch) that is loaded when Snort is started. In this file, we can
define:
– What constitute external networks (the EXTERNAL_NET variable)
– What is considered the internal network (the HOME_NET variable)
– Where to find rules files if Snort is instructed to use them (the RULE_PATH variable)
5
Snort Rules
• alert tcp any any -> 10.1.99.0/24 111
(content:"|00 01 86 a5| ";msg:"mountd
access";)
– alert specifies the action to take
– tcp specifies the protocol
– any any specifies the source network and port
– 10.1.99.0/24 specifies the destination network
– 111 specifies the port
– content specifies the value of a payload
– msg specifies the message to send
6
Snort Rules
• If a packet
– comes from a network as defined by the EXTERNAL_NET variable,
regardless of the source port (any),
– goes to a host in the “home” network as defined by the HOME_NET
variable, regardless of the destination port (any),
– and the F, P, and U bits are on (12 meaning if we want to detect a SYN
packet regardless of what are in the 2 reserved bits)
• Then raise an alert with the message “Xmas Scan”.
7
False Responses
• There is no way for an IDS to know the true intent behind an activity
and determine whether or not it is benign or hostile.
– Thus, the IDS can react only as it has been programmed.
• False positive – An IDS matches a pattern and generates an alarm for
benign traffic.
• False negative – Hostile activity does not match an IDS signature
and, therefore, goes undetected.
IDS Alerts
IDS Does not Alert
Intrusion Occurred
Intrusion Not Occurred
OK
False Positive
False Negative
OK
8
Main Categories of IDSs
• Host-Based IDS (HIDS)
– Concerned only with activity on an individual
system and usually has no visibility into the
activity on the network or systems around it.
• Network-Based IDS (NIDS)
– Has visibility only into the traffic crossing the
network link it is monitoring and typically has
no idea of what is happening on individual
systems.
9
Host-Based IDS
• Examines log files, audit trails, and network traffic
coming in to or leaving a specific host.
– Operates in real time, looking for activity as it occurs.
– Operates in batch mode, looking for activity on a periodic
basis.
• They may be self-contained, but many of the newer
commercial products have been designed to report to
and be managed by a central system.
• Host-based systems use local system resources to
operate.
10
HIDS Focus - Log Files
• A HIDS searches the log files or audit trails from
the local OS for hostile actions or misuse activities,
e.g.,
–
–
–
–
–
–
–
–
Logins at odd hours
Login authentication failures
Adding new user accounts
Modification or access of critical system files
Modification or removal of binary files (executables)
Starting or stopping processes
Privilege escalation
Using certain programs
11
HIDS Pros and Cons
• The advantages of host-based IDSs include:
–
–
–
–
–
Operating system-specific and more detailed.
Reduced false positive rates.
Examination of data after decryption.
Application specific.
Can determine an alarm’s impact on the protected system.
• Reduces the number of alarms generated.
• Before deployment, weigh the disadvantages of this technology:
–
–
–
–
–
One HIDS per system watched.
High cost of ownership and maintenance.
Uses local system resources.
Focused view; Cannot relate to activity around it.
A locally logged IDS may be compromised or disabled.
12
Network-Based IDS
• A network IDS (NIDS) examines network traffic as it
passes by.
– Bits and bytes traveling through cables
interconnecting the systems.
– It must be able to analyze traffic by protocol, type,
amount, source, destination, content, and traffic
already seen.
– The analysis must happen quickly.
• The IDS must be able to handle traffic at whatever
speed the network operates to be effective.
13
NIDS Focus – Network Traffic
• An NIDS analyzes traffic patterns to detect activities that
represent hostile actions or misuse.
– Denial-of-Service attacks
– Port scans or sweeps
– Malicious content in the data payload of a packet or
packets
– Vulnerability scanning
– Trojans, viruses, or worms
– Tunneling
– Brute-force attacks
14
NIDS Pros and Cons
• NIDS advantages
– Takes fewer systems to provide IDS coverage.
– Lower deployment, maintenance, and upgrade costs.
– Has visibility into all network traffic and can correlate
attacks among multiple systems.
• NIDS disadvantages
–
–
–
–
Ineffective when traffic is encrypted.
Cannot see traffic that does not cross it.
Must be able to handle high volumes of traffic.
It does not know about activity on the hosts
themselves.
15
Misuse (Signature) Detection Model
• The IDS looks for suspicious activity or activity
that violates specific policies and then reacts
as it has been programmed.
– This is the more efficient model.
• Does not need to learn what “normal” behavior is.
• Generates an alarm whenever a pattern is successfully
matched.
– The greatest weakness of a misuse model is its
reliance on a predefined signature base.
• Any activity that the misuse-based IDS does not have a
signature for will go undetected.
16
Anomaly Detection Model
• The intrusion detection system must know what
“normal” behavior on the host or network being
protected really is.
– Once the “normal” behavior baseline is established,
the IDS can then identify deviations from the norm,
which are further scrutinized to determine if that activity
is malicious.
• Building the profile of normal activity is usually done
by the IDS.
– This is done with some input from security
administrators, and can take days or months.
17
Anomaly Detection Model
• The IDS must be flexible enough to account for
things such as new systems, new users, and
movement of information resources, while being
sensitive enough to detect abnormal traffic.
• An anomaly-based system is not restricted to a
specific signature set and is far more likely to
identify a new exploit or attack tool that would go
unnoticed by a traditional IDS.
• Most anomaly-based systems suffer from high false
positives, especially during the “break-in” period
while it is learning the network.
18
Firewalls
• A device that filters traffic between a protected
or “inside” network and a less trustworthy or
“outside” network.
• Can be implemented as hardware or software.
• Usually runs on a dedicated device because
performance is critical.
• It works based on a series of rules that define
what traffic is permissible and what traffic is to
be blocked or denied (for both directions).
19
Packet Filtering Firewalls
• Use lines of text called “rules” that define what
packets should be allowed or denied, e.g.,
– Any packets coming from the 172.19.0.0 network should
be denied.
– No ICMP traffic should be allowed.
– All traffic through Port 80 should be allowed.
• The filtering is based on Layer 3 information.
• Make decision based on IP header information only.
• Do not keep track of the state of a connection.
20
Firewall Rulebases
• Rulebase is used to provide the definition of
what traffic is allowable and what is not.
• Most firewalls have good user interfaces to
support rule definition.
• General syntax is similar to:
<action> <protocol> from <source_address>
<source_port> to <destination_address>
<destination_port>
• Some firewalls have advanced functionality to
supplement the basic fields above.
21
Cisco PIX Firewall Rule
• Access-list <acl_name> {deny | permit}
<protocol> [host] <src_address>
<src_add_mask> [<operator> <port>]
[host] <dest_addr> <dest_add_mask>
[<operator> <port>]
• ACL Name: Can be word or number
• Address and Mask: “any” means any host
• [host]: Used to specify a single host to control
• Operator and Port: Specify a port or port range and are
used with TCP or UDP. Port can be number or name.
22
23
Cisco Firewall Rules
• line 1 permit tcp any host
129.120.16.221 eq www
–
–
–
–
–
line 1 is line number in the rule set
permit is the action to take
tcp is the transport-layer protocol the packet uses
any is the source IP address
host 129.120.16.221 is the particular destination
host
– eq www is the port number (translated)
• Allows TCP packets coming from any host and any
port to Port 80 on the host 129.120.16.221.
24
Cisco Firewall Rules
• line 4 permit ip 129.120.18.0
255.255.254.0 host 129.120.16.221
–
–
–
–
line 3 is line number in the rule set
permit is the action to take
ip is the network-layer protocol the packet uses
129.120.18.0 255.255.254.0 are the source IP
address and subnet mask
– host 129.120.16.221 is the particular destination host
• Allows IP packets from any host in the 129.120.18.0
network to get to the host 129.120.16.221.
25
Stateful Inspection
• A common approach to foil detection by
firewalls is to break packets involved in an
attack into multiple packets so that the firewall
cannot detect it based on a single packet.
• If a firewall can track all packets belonging to
a session, it has a better chance at detecting
an attack.
• Whereas packet filters only looks into Layer 3
header, stateful inspection firewalls also
checks Layer 4 information.
26
Stateful Inspection Firewalls
• They maintain a state table of sessions.
• When a stateful firewall receives a packet, it first
searches its state table to see whether a connection
has already been established and whether this packet
was requested.
– If a packet arrives with no record of its being part of
legitimate session, the firewall will block access by dropping
it.
• Stateful firewalls work at Layers 3 and 4.
• Stateful monitoring enables a system to determine
which sets of communications are permissible and
which should be blocked.
27
Network Address Translation (NAT)
• NAT translates between two addressing schemes, public and
private.
• This permits enterprises to use the non-routable private IP
address space internally and reduce the number of external IP
addresses used across the Internet.
• When outside, i.e. Internet-based resources are needed, NAT
is required to assign the internal hosts valid external IP
addresses so that they can establish connections to those
resources.
• Typically, a pool of external IP addresses is used by the NAT
firewall, with the firewall keeping track of which internal address
is using which external address at any given time.
28
Network Address Translation (NAT)
29
Dynamic NAT
• The firewall has a pool of public IP addresses, but the number
of public address is smaller than the number of internal hosts.
– If all the hosts wanted to connect externally at the same time,
there wouldn’t be enough to go around. But the exact assumption
of dynamic NAT is that this rarely happens and so we can
conserve public IP addresses by not maintaining one-to-one
mappings between public and private IP addresses.
• When an internal host wants to connect outward, the firewall
picks up an available public address from the pool and assigns
it to the host.
• Once the host is done with a session, the firewall disassociates
the public address with the host and returns the address to the
pool.
• The address becomes available to other hosts.
30
Demilitarized Zone (DMZ)
DMZ
31
Demilitarized Zone (DMZ)
• A buffer zone between the Internet, where no controls exist,
and the inner secure network, where an organization has
security policies in place.
• The idea behind the use of the DMZ topology is to force a user
to make at least one hop in the DMZ before accessing
information inside the trusted network.
• To demarcate the zones and enforce separation, a firewall is
used on each side of the DMZ.
– The area between these firewalls is accessible from either the
inner secure network or the Internet.
– The firewalls are specifically designed to prevent access across
the DMZ directly from the Internet to the inner secure network.
32
DMZ As Layered Security Protection
• Different zones provide layers of defense:
– Successive zones are guarded by firewalls enforcing ever increasingly
strict security policies.
– The outer firewall provides less protection than the inner firewall does.
• Accessibility is inversely related to the level of protection.
– The DMZ is less protected but more accessible to users on the Internet.
– The inner network is more protected but not readily accessible to external
users.
• It is difficult to provide complete protection and unfettered access at
the same time.
– Trade-offs between access and security are handled through zones.
33
Servers in the DMZ
• Servers typically placed in the DMZ include Web servers, FTP
servers, remote access service (RAS) servers, mail servers,
etc.
• Any server directly accessed from the outside, untrusted
Internet zone needs to be in the DMZ.
– All the standard servers used in the trusted network, as well as
the routers and the switches that connect these machines
together, should be behind the inner firewall.
• Special attention should be given to the security settings of the
network devices placed in the DMZ.
– They should be considered compromised to unauthorized use.
– Still, efforts should be made to harden servers in the DMZ.
34