IDS Intrusion Detection Systems


IDS
Intrusion Detection Systems
CERT definition:
A combination of hardware and software that monitors and collects system and network information and analyzes it to determine if an attack or an intrusion has occurred. Some ID Systems can automatically respond to an intrusion.
Two Models
_______ Detection Model
• database of normal activity
• search for deviations
________ Detection Model
• database of malicious signatures
• search for matches
IDS - What Can It Do?
• Monitor and analyze user/system/network activities
• Audit configuration vulnerabilities
• Assess integrity of critical files
• Recognize patterns of known attacks
• Statistically analyze for abnormal activities
• Respond with warnings and/or actions
• Install decoy servers (honey pots)
• Install vendor patches (some IDS)
false positive
false negative
Two Types of IDS
Host-based Intrusion Detection System (HIDS)
• Searches for patterns in logs, processes, and/or memory.
• Can check file integrity (MD5)
• Observe network traffic flow
• HID also called ________
Network-based Intrusion Detection System (NIDS)
• Searches for patterns in packets, patterns of packets and packets that don't belong.
• Can log results or communicate via SMTP/SNMP
• ____________, analyzers and management consoles
• Reactive sensors might alter router/firewall rules
• More extreme response: throttling, session hijacking
Rule-based Appliances
Snort Rules
alert tcp !138.49.38.0/24 any -> 138.49.38.0/24 111 \
( content ... msg ...)
log udp any any -> 138.49.38.0/24 1:1024
alert tcp any any -> 138.49.38.0/24 any \
( flags:SF; msg:"possible SYN FIN scan")
pass icmp any any <> 138.49.38.0/24 (itype:0)
IDS Disadvantages
Host-based Intrusion Detection System (HIDS)
•
•
•
•
•
Network-based Intrusion Detection System (NIDS)
•
•
•
An IDS is another tool in the arsenal.
Deployment
IDS deployment is only as good as its planning.
- Where are sensors located?
- Who monitors logs?
- How are signatures updated?
- What about response planning?
response team
reporting requirements
responsibilities for incident response
management of event recording
CERT
Products
Snort: http://www.snort.org
Sourcefire: http://www.sourcefire.com
Cisco Secure IDS: http://www.cisco.com/go/ids/
ISS Real Secure IDS: http://www.iss.net/securing_e-business/
SHADOW: http://www.whitehats.ca
Tripwire: http://www.tripwire.com