Network Intrusion Detection By Biju Varghese Siva Jambulingam

Network Intrusion Detection
By
Biju Varghese
Siva Jambulingam
Rohan Belani
Team Roles
- Theory of Network Intrusion Detection Systems - Siva
- Problems in Network Intrusion Detection Systems - Biju
- Description of the Different Network Intrusion Detection Systems - Rohan
Principle
A secure computer or network system should provide the following services:
1. Data Confidentiality
2. Data and Communications Integrity
3. Assurance against Denial of Service
Common Intrusion Detection System Components (CIDF Model)
The Common Intrusion Detection Framework (CIDF) describes an IDS as four cooperating boxes:
- Event Generators - E Box
- Analysis Engines - A Box
- Database Component - D Box
- Counter Measures - C Box
Passive Analysis
- Detects attacks by watching for patterns of suspicious activity
- Acts like a sniffer and obtains copies of packets directly from the network
- The contents of the actual packets are parsed and analyzed
- It is unobtrusive: it sends nothing on the wire, so an attacker cannot easily tell it is there (which is not the same as being hard to evade, as the insertion and evasion slides below show)
Signature Analysis
- The ID system is programmed to interpret a certain series of packets as an ATTACK
- Uses pattern-recognition algorithms
- Looks for a substring within the main stream of data carried by the network packets
- Also called "Misuse Detection"
Problems with Network ID Systems
- Points of Vulnerability
- Insufficiency of Information on the Wire
- Attacks
Points of Vulnerability in ID Systems
Each CIDF component is itself a place where the IDS can be attacked:
- E-box: the eyes and ears of an IDS
- A-box: analysis of the raw input
- D-box: data storage
- C-box: counter measures
Insufficiency of Information on the Wire
- Network ID systems work by predicting the behavior of networked machines based on the packets they exchange.
- A passive network monitor cannot accurately predict whether a given machine on the network is even going to see a packet, let alone process it in the expected manner.
Attacks - Insertion
- The IDS accepts a packet that the end system rejects.
- The IDS and the end system therefore reconstruct two different strings.
- The attacker can slip an attack past the IDS by "inserting" data that only the IDS sees.

Attacks - Evasion
- The end system accepts a packet that the IDS rejects.
- The end system sees more data than the IDS.
- The information the IDS misses can be critical to detecting the attack.
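
The insertion and evasion slides above, together with the earlier signature-analysis slide, are illustrated by the following added example; it is not code from the original deck or from any product it describes. It models TCP segments, reassembles them once with the acceptance rules of an assumed naive passive sensor (no checksum verification, no knowledge of the remaining hop count, no IP-fragment reassembly, first-seen data kept on overlap) and once with those of the end host (bad checksums dropped, expired TTLs never delivered, fragments reassembled, latest data kept on overlap), then runs substring signatures over both reconstructions. The signature strings, hop count, segment contents and the sensor's assumed weaknesses are all constructed for the demonstration.

```python
"""Toy model of insertion and evasion against a signature-matching sensor.

Constructed example (not from the original slides): TCP-like segments are
reassembled twice, once the way an assumed naive passive sensor does it and
once the way the end host does it, and substring signatures are run over both.
"""
from dataclasses import dataclass

# Constructed signature database: substrings a misuse detector looks for.
SIGNATURES = [b"ATTACK", b"GET /cgi-bin/phf"]

HOPS_TO_HOST = 10   # assumed distance from the sensor to the target host


@dataclass
class Segment:
    seq: int                    # offset of the first payload byte in the stream
    data: bytes
    checksum_ok: bool = True    # is the TCP checksum valid?
    ttl: int = 64               # IP TTL as seen at the sensor
    is_fragment: bool = False   # arrived as IP fragments needing reassembly


def reassemble(segments, accept, overlap):
    """Rebuild the byte stream from the segments that `accept` keeps.

    overlap="first" keeps the byte already buffered (a retransmission carrying
    different data is discarded); overlap="last" lets the newest segment win.
    Real hosts differ by OS; this model assumes the sensor uses "first" and
    the host uses "last".
    """
    buf = {}
    for seg in segments:
        if not accept(seg):
            continue
        for i, byte in enumerate(seg.data):
            pos = seg.seq + i
            if overlap == "last" or pos not in buf:
                buf[pos] = byte
    # Deliver contiguous data only: nothing past the first hole is readable.
    out = bytearray()
    pos = 0
    while pos in buf:
        out.append(buf[pos])
        pos += 1
    return bytes(out)


def sensor_accepts(seg):
    # Assumed naive sensor: it does not verify checksums, cannot know how many
    # hops remain to the target, and does not reassemble IP fragments.
    return not seg.is_fragment


def host_accepts(seg):
    # The end system discards bad checksums, never receives a segment whose
    # TTL expires in transit, and reassembles fragments like any IP stack.
    return seg.checksum_ok and seg.ttl > HOPS_TO_HOST


def match_signatures(stream):
    """Signature analysis: which known attack strings occur in the stream."""
    return [sig.decode() for sig in SIGNATURES if sig in stream]


def compare_views(segments):
    """Return (sensor_stream, host_stream, sensor_alerts, host_hits)."""
    sensor_stream = reassemble(segments, sensor_accepts, "first")
    host_stream = reassemble(segments, host_accepts, "last")
    return (sensor_stream, host_stream,
            match_signatures(sensor_stream), match_signatures(host_stream))


def insertion_attack(via="checksum"):
    """Sensor accepts a segment the host rejects, so it reassembles ATTXCK."""
    if via == "checksum":
        decoy = Segment(3, b"X", checksum_ok=False)
    else:                                    # via="ttl": expires before the host
        decoy = Segment(3, b"X", ttl=HOPS_TO_HOST - 2)
    return compare_views([Segment(0, b"ATT"), decoy, Segment(3, b"A"),
                          Segment(4, b"CK")])


def evasion_attack():
    """Host accepts a segment the sensor rejects, so the sensor sees only ATT."""
    return compare_views([Segment(0, b"ATT"),
                          Segment(3, b"ACK", is_fragment=True)])


if __name__ == "__main__":
    for name, result in [("insertion", insertion_attack()),
                         ("insertion/ttl", insertion_attack(via="ttl")),
                         ("evasion", evasion_attack())]:
        sensor, host, sensor_alerts, host_hits = result
        print(f"{name:14} sensor={sensor!r:12} host={host!r:12} "
              f"alerts={sensor_alerts} delivered={host_hits}")
```

In both insertion cases the sensor reconstructs ATTXCK while the host reconstructs ATTACK, so only the host "sees" the signature; in the evasion case the sensor is left with ATT and raises no alert at all. Which overlap policy a real host applies depends on its TCP stack, so a production sensor has to know the target's operating system (or reassemble under every plausible policy) rather than pick one.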

Attacks - Denial of Service
- Passive ID systems are "fail open": when the sensor is overwhelmed, traffic keeps flowing to the hosts and is simply not inspected.
- Resource exhaustion:
  - CPU cycles
  - Memory
  - Disk space
  - Network bandwidth
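
Added example for the fail-open behaviour described on this slide; it is not code from the original deck or from any product it describes. An assumed passive sensor keeps per-connection state in a table of fixed size. Once the attacker has filled the table with junk flows, the sensor stops tracking new connections and the real attack goes uninspected, while the packets still reach the host because a passive sensor is not in the forwarding path. The table size, addresses, flow contents and signature string are constructed.

```python
"""Resource exhaustion against a passive sensor: a bounded flow table.

Constructed example, not from the original slides. The sensor keeps
per-connection reassembly state in a table of fixed size. Because it is
passive, a packet it cannot track still reaches the destination.
"""

SIGNATURE = b"ATTACK"      # constructed single-string signature


class PassiveSensor:
    def __init__(self, max_flows):
        self.max_flows = max_flows
        self.flows = {}        # (src, dst, sport, dport) -> reassembly buffer
        self.untracked = 0     # packets seen but passed uninspected
        self.alerts = []       # flows in which the signature was found

    def observe(self, flow, payload):
        """Inspect one packet; return True if an alert was raised."""
        buf = self.flows.get(flow)
        if buf is None:
            if len(self.flows) >= self.max_flows:
                # Table full: the packet is counted and passed uninspected.
                # Delivery to the host is unaffected (fail open).
                self.untracked += 1
                return False
            buf = self.flows[flow] = bytearray()
        buf += payload
        if SIGNATURE in buf:
            self.alerts.append(flow)
            return True
        return False


def deliver(host_inbox, flow, payload):
    """The host's view: every packet arrives regardless of the sensor."""
    host_inbox.setdefault(flow, bytearray()).extend(payload)


def state_exhaustion_attack(max_flows=100, filler_flows=150):
    """Fill the sensor's table, then send the real attack in a fresh flow."""
    sensor = PassiveSensor(max_flows)
    host = {}
    # Attacker opens many cheap connections to consume sensor memory.
    for i in range(filler_flows):
        flow = ("10.0.0.%d" % (i % 250 + 1), "192.0.2.10", 40000 + i, 80)
        sensor.observe(flow, b"junk")
        deliver(host, flow, b"junk")
    # The real attack, split across two packets, arrives in a new flow.
    attack_flow = ("10.0.0.99", "192.0.2.10", 55555, 80)
    for chunk in (b"ATT", b"ACK"):
        sensor.observe(attack_flow, chunk)
        deliver(host, attack_flow, chunk)
    return {
        "tracked": len(sensor.flows),
        "untracked_packets": sensor.untracked,
        "alerts": sensor.alerts,
        "attack_reached_host": SIGNATURE in host[attack_flow],
    }


if __name__ == "__main__":
    print("exhausted:", state_exhaustion_attack())
    print("large table:", state_exhaustion_attack(max_flows=200))
```

With the default sizes the sensor tracks 100 flows, passes 52 packets uninspected, raises no alert, and the attack string is nevertheless delivered to the host; with a table large enough for every flow the same traffic produces an alert. Evicting the oldest flow instead of refusing new ones does not fix this: the attacker then floods between the two halves of the attack so the half-assembled state is evicted before the signature completes. Inline devices have the opposite failure mode and drop traffic they cannot track, which is the fail-closed trade-off.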
ISS RealSecure
- Most polished IDS solution currently shipping.
- Lacks the flexibility of ID-Trak.
- Delivers a solid, well-documented and easy-to-use system.
- Equipped with more than 100 network-attack signatures.
- The architecture uses sensors (deployed across multiple networks) that communicate with a management console.
- Allows large-scale coverage and a level of fault tolerance.
- Any console can view the results of any sensor.
- The console interface gives the administrator multiple views of incident data.
- Attacks can be viewed by target, source or event type.
Cisco Systems NetRanger
- First commercial IDS to ship.
- Its implementation is fairly versatile.
- Healthy attack-signature database plus creative signatures.
- Heavy dependency on HP's OpenView.
- Lack of documentation on the ins and outs of the product.
- Fails to provide an overview of recent attacks.
- Difficult to configure for non-UNIX administrators.
- The IDS can reconfigure perimeter devices on the fly.
- Missing functionality: unable to process multi-step, condition-based actions.
- Dropped to second place behind ISS RealSecure.
AXENT Technologies ID-Trak
- Requires a Windows NT platform to run correctly.
- Flexible assortment of security-related tools.
- Fails to match the robustness or depth that RealSecure and NetRanger provide.
- Requires the administrator to define a list of hosts to monitor.
- Base of pre-built attack signatures is smaller than the competitors'.
- Customizability is far superior: a rule-building utility lets administrators write more complex checks.
- Provides the administrator with real-time visuals of open sessions.
- Extremely hard to configure: menus are hard to interpret and navigation is extremely troublesome.
Questions