Intrusion Detection Systems

Upload: dale-oliver

Post on 25-Dec-2015



Intrusion Detection

• Intrusion is any use or attempted use of a system that exceeds authentication limits
• Intrusions are similar to incidents
  – An incident does not necessarily involve an active system or network device; an intrusion does
• An Intrusion Detection System (IDS) is software or hardware that monitors network activity and delivers an alert if it notices suspicious activity

Intrusion Detection

• Security policies are either prohibitive or permissive
• An IDS is sensitive to configuration
• Possible types of IDS errors:
  – False positive (unauthorized user let in)
  – False negative (authorized user denied access)
  – Subversion error (the intruder compromises the IDS so that it fails to detect the intrusion)

Dealing with Intruders

• Intruders can be external or internal
  – External intruders are hackers or crackers
  – Internal intruders are more common and very dangerous
• Security policy should state what steps will be taken to handle intrusions
• Block and ignore
  – Simplest tactic for handling intrusions
  – Block the intruder and address the vulnerability
  – Don't take any further action

Dealing with Intruders

• Block and investigate
  – Block the intruder and address the vulnerability
  – Collect evidence and try to determine the intruder's identity
  – Investigate
• Honeypot (bait the intruder)
  – Allow the intruder to access a part of your network
  – Try to catch the intruder while he/she explores
  – This is a potentially dangerous approach
    • The intruder does have at least partial access
    • Crackers may become interested in your site

Detecting Intruders

• An IDS monitors system activity in some way
• When it detects suspicious activity, it performs an action
• The action is usually an alert of some type
  – E-mail, cell phone, audible alert, etc. to a person or process
  – For highly sensitive systems, an out-of-band channel is used
• All IDS systems continuously sample system activity and compare the samples to a database

IDS Principles

• Run unattended for extended periods of time
• Stay active and secure
• Recognize unusual activity
• Operate without unduly affecting the system's activity
• Configurable

IDS Principles

Diagram: Sample current activity -> Compare with database -> Decide what to do

IDS Taxonomy

• Misuse intrusion
  – An attack against a known vulnerability
  – Relatively easy to detect
• Anomaly intrusion
  – An attack against a new vulnerability or one using an unknown set of actions
  – Relatively difficult to detect
• Types of IDS that correspond to the intrusion types:
  – Signature-based
  – Knowledge-based

IDS Taxonomy

• Signature-based IDS
  – Detects misuse intrusions
  – Maintains a database of attack signatures
  – Compares current activity to the database
  – Database must be current and complete to be effective
• Knowledge-based IDS
  – Detects anomaly intrusions
  – Builds a profile of "normal" system activity over time
  – Produces more false positives and requires more administration
  – Requires careful initial configuration
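The knowledge-based approach in miniature, as an added example that is not code from the slides: a profile of "normal" activity is built from a training window and later samples are compared against it. The activity counts (connections per minute from one host) are constructed for the example, and the 3-sigma band used as the decision boundary is a choice made here rather than something the slides specify.

```python
"""Knowledge-based (anomaly) detection: learn a profile of normal activity,
then flag whatever falls outside it.

Added example; not code from the slides. The activity counts are
constructed, and the 3-sigma band is an assumption made for this example.
"""
from statistics import mean, pstdev

# Constructed training window: ten minutes of "normal" connection counts.
TRAINING = [12, 15, 11, 14, 13, 12, 16, 14, 13, 15]


class ActivityProfile:
    """Mean and standard deviation of a training window: the 'database'
    a knowledge-based IDS compares current samples against."""

    def __init__(self, samples, k=3.0):
        if len(samples) < 2:
            raise ValueError("need several samples to build a profile")
        self.mu = mean(samples)
        # Perfectly constant training data would give a zero-width band and
        # flag every change; fall back to a width of 1 in that case.
        self.sigma = pstdev(samples) or 1.0
        self.k = k

    def bounds(self):
        """Lower and upper edge of what the profile considers normal."""
        return self.mu - self.k * self.sigma, self.mu + self.k * self.sigma

    def is_anomalous(self, value):
        lo, hi = self.bounds()
        return not lo <= value <= hi


def detect_anomalies(training, observations, k=3.0):
    """Return the observations that the profile built from `training` flags."""
    profile = ActivityProfile(training, k)
    return [v for v in observations if profile.is_anomalous(v)]


if __name__ == "__main__":
    profile = ActivityProfile(TRAINING)
    print("normal band:", profile.bounds())                # (9.0, 18.0)
    # A near miss, a burst and a sudden silence, all constructed values.
    print(detect_anomalies(TRAINING, [14, 18, 19, 40, 5]))  # [19, 40, 5]
    # Why initial configuration matters: if the training window already
    # contained the burst, the profile stretches and no longer flags it.
    print(detect_anomalies(TRAINING + [60], [40]))          # []
```

Two of the slide's points show up directly: a sudden drop in activity is flagged just like a burst (which is what "more false positives" looks like in practice when a host is simply idle), and a training window contaminated with unusual activity yields a profile that misses it, which is why the initial configuration needs care.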

Thresholds

• A rule tells the IDS which packets to examine and what action to take
  – Similar to a firewall rule
  – Example rule:

    alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)

• alert specifies the action to take
• tcp specifies the protocol
• any any 192…. specifies the source and destination within the given subnet
• 111 specifies the port
• content specifies the value of a payload
• msg specifies the message to send
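To make the rule's parts concrete, here is an added example (not Snort's own code and not from the slides) that parses the rule header and the two options used above and tests constructed packets against it. Header fields are checked first and the payload last, since payload inspection is the expensive step. Only the syntax shown on the slide is supported (plain addresses or CIDR blocks, `any`, single ports or `lo:hi` ranges, quoted `content` and `msg` options); address lists, variables and the rest of the real rule language are out of scope.

```python
"""Parse a rule in the format shown above and match packets against it.

Added example: a minimal reimplementation for illustration, not Snort's
parser. Packets below are constructed dictionaries, not captured traffic.
"""
from dataclasses import dataclass
import ipaddress
import re


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: dict


# action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S
)
OPTION_RE = re.compile(r'(\w+)\s*:\s*"([^"]*)"\s*;')   # key:"value";
HEX_RE = re.compile(r"\|([0-9A-Fa-f\s]*)\|")           # |00 01 86 a5| sections


def content_to_bytes(content: str) -> bytes:
    """Content strings mix literal text with |hex| sections; turn both into bytes."""
    out = bytearray()
    pos = 0
    for m in HEX_RE.finditer(content):
        out += content[pos:m.start()].encode("latin-1")
        out += bytes.fromhex("".join(m.group(1).split()))
        pos = m.end()
    out += content[pos:].encode("latin-1")
    return bytes(out)


def parse_rule(text: str) -> Rule:
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("unrecognised rule: " + text)
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    options = {k.lower(): v for k, v in OPTION_RE.findall(opts)}
    return Rule(action.lower(), proto.lower(), src, sport, direction, dst, dport, options)


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if ":" in spec:                       # range, e.g. 1024:65535
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def rule_matches(rule: Rule, pkt: dict) -> bool:
    """Cheap header checks first; payload content only if the header fits."""
    if pkt["proto"] != rule.proto:
        return False
    if not (_addr_matches(rule.src, pkt["src"]) and _port_matches(rule.sport, pkt["sport"])
            and _addr_matches(rule.dst, pkt["dst"]) and _port_matches(rule.dport, pkt["dport"])):
        return False
    content = rule.options.get("content")
    return content is None or content_to_bytes(content) in pkt["payload"]


def alerts_for(rule: Rule, packets) -> list:
    """The msg text once per matching packet, as an alert log would record it."""
    return [rule.options.get("msg", "") for p in packets if rule_matches(rule, p)]


RULE = 'alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)'

# Constructed packets: the watched bytes to port 111 inside the subnet, the
# same bytes to a host outside it, an unrelated payload, and the same
# payload over UDP. Only the first should alert.
PATTERN = b"\x00\x00\x00\x02\x00\x01\x86\xa5\x00\x00\x00\x01"
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40001, "dst": "192.168.1.20", "dport": 111, "payload": PATTERN},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40002, "dst": "192.168.2.20", "dport": 111, "payload": PATTERN},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40003, "dst": "192.168.1.20", "dport": 111, "payload": b"\x00\x00\x00\x00"},
    {"proto": "udp", "src": "10.0.0.5", "sport": 40004, "dst": "192.168.1.20", "dport": 111, "payload": PATTERN},
]

if __name__ == "__main__":
    rule = parse_rule(RULE)
    print(rule)
    print(alerts_for(rule, PACKETS))   # ['mountd access']
```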

Thresholds

• A threshold is a value that represents the boundary of normal activity
• Example: maximum three tries for login
• Common thresholds:
  – file I/O activity
  – network activity
  – administrator logins and actions
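The "maximum three tries for login" threshold, run over constructed log lines as an added example (not code from the slides): failed logins are counted per source address inside a sliding time window, and a second counter applies a threshold to administrator logins per day. The log format, the ten-minute window and the one-admin-login-per-day limit are all assumptions made for the example; the format is not any real daemon's.

```python
"""Threshold-based detection over constructed authentication log lines.

Added example, not from the slides. Log format, window length and the
administrator-login limit are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed format: <ISO timestamp> auth: <FAILED|OK> user=<name> src=<address>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>FAILED|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: four failures from one address within seconds, three
# failures from another spread over half an hour, and two administrator logins.
SAMPLE_LOG = """\
2015-12-25T10:00:01 auth: FAILED user=alice src=10.0.0.7
2015-12-25T10:00:05 auth: FAILED user=alice src=10.0.0.7
2015-12-25T10:00:09 auth: FAILED user=alice src=10.0.0.7
2015-12-25T10:00:12 auth: FAILED user=alice src=10.0.0.7
2015-12-25T10:00:20 auth: OK user=bob src=10.0.0.9
2015-12-25T10:05:00 auth: FAILED user=carol src=10.0.0.11
2015-12-25T10:20:00 auth: FAILED user=carol src=10.0.0.11
2015-12-25T10:35:00 auth: FAILED user=carol src=10.0.0.11
2015-12-25T10:36:00 auth: OK user=carol src=10.0.0.11
2015-12-25T11:00:00 auth: OK user=admin src=10.0.0.9
2015-12-25T11:30:00 auth: OK user=admin src=10.0.0.9
"""

MAX_LOGIN_TRIES = 3                 # the slide's example threshold
LOGIN_WINDOW = timedelta(minutes=10)  # assumed window the tries are counted in
MAX_ADMIN_LOGINS_PER_DAY = 1        # assumed threshold for administrator logins
ADMIN_USERS = {"admin"}             # assumed set of administrator accounts


def parse(lines):
    """Yield (timestamp, result, user, src); lines that do not parse are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]


def threshold_alerts(log_text: str) -> list:
    """Return one alert dict per threshold crossing, in log order."""
    alerts = []
    failures = defaultdict(deque)    # src -> timestamps of failures still in the window
    admin_logins = defaultdict(int)  # date -> successful administrator logins
    reported = set()                 # sources already alerted on, to avoid repeats
    for ts, result, user, src in parse(log_text.splitlines()):
        if result == "FAILED":
            q = failures[src]
            q.append(ts)
            while q and ts - q[0] > LOGIN_WINDOW:   # drop tries older than the window
                q.popleft()
            if len(q) > MAX_LOGIN_TRIES and src not in reported:
                reported.add(src)
                alerts.append({"time": ts.isoformat(), "type": "login_failures",
                               "key": src, "count": len(q)})
        elif result == "OK" and user in ADMIN_USERS:
            admin_logins[ts.date()] += 1
            if admin_logins[ts.date()] > MAX_ADMIN_LOGINS_PER_DAY:
                alerts.append({"time": ts.isoformat(), "type": "admin_logins",
                               "key": user, "count": admin_logins[ts.date()]})
    return alerts


if __name__ == "__main__":
    for a in threshold_alerts(SAMPLE_LOG):
        print(a)
```

The window length is part of the threshold: carol's three failures are spread across thirty minutes, so a ten-minute window never accumulates more than one of them and raises nothing, while alice's four attempts in eleven seconds cross the limit on the fourth try. Whether slow, spaced-out failures should count is a tuning decision for the administrator, which is the configuration sensitivity the earlier slides mention.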

Snort IDS

• Snort is an example of an IDS
  – Freeware
  – UNIX and Windows
• A highly configurable packet sniffer
• Analyzes network traffic in real time
• www.snort.org

Snort IDS

• Snort sniffs a packet from the network
  – Preprocessor looks at the packet header and decides whether to analyze it further
  – Detection engine compares patterns from rules to the packet payload
  – If the payload matches, then the appropriate action is taken
• Snort can be used in plain packet sniffer mode or in full IDS mode
• Snort has numerous configurable options

Snort IDS

(Three screenshot slides; the images are not included in the transcript.)

Network-Based vs Host-Based

• IDS systems are classified by their intended locations
• A network-based IDS monitors all traffic on a network segment
  – Can detect intrusions that cross a specific network segment
  – Administrators sometimes place one inside and one outside of a firewall
  – Will not see traffic that passes between LAN computers

Network-Based vs Host-Based

• A host-based IDS examines all traffic and activity for a particular machine
  – Can examine system log files as well as inbound and outbound packets
  – Each system requires its own IDS
• Best choice is to use both network-based and host-based IDS in an organization
• Many firewalls provide some IDS functionality

Network-Based IDS

(Diagram slide; the image is not included in the transcript.)

Choosing an Appropriate IDS

• Determine organizational security needs
• Review the different IDS packages available
• Medium to large organizations commonly use both network-based and host-based IDS

Security Auditing with an IDS

• Must have periodic security audits
  – Sometimes mandated by law or by corporate structure
• IDS can contribute to a complete audit
• Many host-based IDS can scan and analyze system log files
  – They can act as a filter for various behaviors
• Port-sniffing IDS can help to profile network activity

Intrusion Prevention System

• An IPS applies the knowledge of an IDS in an automated manner
• Usually an IPS is a combination of a firewall and an IDS
• IPSs come in different forms:
  – NIDS with two NICs
  – Inline NIDS
  – Inline NIDS with scrubber

Intrusion Prevention System

• IPS with two NICs configured as follows:
  – One NIC has an IP address and handles traffic management
  – The second NIC has no IP address and performs attack detection only

IPS with two NICs

Diagram: a copy of the network traffic goes to each of the two NICs (NIC1 and NIC2) of the server with IPS; one NIC has an IP address, the other has no IP address.

IPS with inline NIDS

Diagram: the server with IPS sits inline. Network traffic enters through one NIC with no IP address and leaves through a second NIC with no IP address; a third NIC has an IP address.

IPS with scrubber

Diagram: the same inline layout as the previous slide (two NICs with no IP address carrying the network traffic, a third NIC with an IP address). A malicious packet ($%&&^#@@*&*&^%$$#+!!*(+%%^^$##@*&&^) enters and a scrubbed packet leaves, with the malicious code rendered inactive.

IPS Enhancements

• Traditionally switches work in OSI layer 2
• Most vulnerabilities are in applications
• Layer 7 switches control which applications go to which server
• Layer 7 switches also help with load balancing
• A Layer 7 switch inspects applications such as HTTP, SMTP and DNS and decides which server to route the application packets to
• Handles DoS and DDoS attacks

IPS Enhancements

• IPS systems first profile applications
• This helps identify normal behavior of access and functionality from applications

IPS Scenario

Traffic from internet:
  User: GET /
  User: GET /default.asp
  Attacker: GET /passwd.txt
  User: GET /login.asp

Policy:
  Allow: GET /
  Allow: GET /default.asp
  Allow: GET /login.asp
  Allow: /public/default.html
  Implicitly deny other requests

Traffic to internal network:
  User: GET /
  User: GET /default.asp
  User: GET /login.asp
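The scenario's policy as a default-deny allow list, as an added example that is not from the slides or any IPS product. It parses the policy and request lines exactly as the slide writes them and forwards only what the policy names. Two points are assumptions made here: a policy line without a method (the `/public/default.html` entry) is taken to allow any method for that path, and a request that does not parse is denied rather than forwarded, so the filter fails closed.

```python
"""Default-deny request filtering for the IPS scenario above.

Added example, not from the slides or any product. The handling of a policy
line without a method and of unparseable requests are assumptions made here.
"""
import re

# Policy and requests exactly as written on the slide.
POLICY_TEXT = """\
Allow: GET /
Allow: GET /default.asp
Allow: GET /login.asp
Allow: /public/default.html
"""

TRAFFIC_FROM_INTERNET = [
    "User: GET /",
    "User: GET /default.asp",
    "Attacker: GET /passwd.txt",
    "User: GET /login.asp",
]

# "Allow: METHOD /path" or "Allow: /path" (method optional)
POLICY_RE = re.compile(r"^Allow:\s+(?:(?P<method>[A-Z]+)\s+)?(?P<path>/\S*)\s*$")
# "Who: METHOD /path"
REQUEST_RE = re.compile(r"^(?P<who>[^:]+):\s+(?P<method>[A-Z]+)\s+(?P<path>/\S*)\s*$")


def parse_policy(text: str) -> set:
    """Set of (method, path) pairs; method None means any method (assumption)."""
    allowed = set()
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if not m:
            raise ValueError("unrecognised policy line: " + line)  # a bad policy is a config error
        allowed.add((m["method"], m["path"]))
    return allowed


def is_allowed(allowed: set, method: str, path: str) -> bool:
    """Exact match on (method, path), or a method-less entry for that path."""
    return (method, path) in allowed or (None, path) in allowed


def filter_requests(allowed: set, requests) -> tuple:
    """Split requests into those forwarded to the internal network and those denied.
    Anything not explicitly allowed, including lines that do not parse, is denied."""
    forwarded, denied = [], []
    for line in requests:
        m = REQUEST_RE.match(line)
        if m and is_allowed(allowed, m["method"], m["path"]):
            forwarded.append(line)
        else:
            denied.append(line)
    return forwarded, denied


if __name__ == "__main__":
    policy = parse_policy(POLICY_TEXT)
    forwarded, denied = filter_requests(policy, TRAFFIC_FROM_INTERNET)
    print("Traffic to internal network:", *forwarded, sep="\n  ")
    print("Denied:", *denied, sep="\n  ")
```

Matching is exact and case-sensitive on the path, which is what makes the implicit deny meaningful: a request the policy author never listed is dropped without anyone having to anticipate it, which is the difference between this and the signature approach earlier in the deck.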
