Network Intrusion Detection
David LaPorte, david_laporte@harvard.edu
Topics
- What is IDS?
- HIDS v. NIDS
- Signatures
- Active Response / IPS
- NIDS on the Cheap
- Additional Resources
What is IDS?
"...the art of detecting inappropriate, incorrect, or anomalous activity. ID systems that operate on a host to detect malicious activity on that host are called host-based ID systems, and ID systems that operate on network data flows are called network-based ID systems."
Source: SANS Intrusion Detection FAQ, http://www.sans.org/newlook/resources/IDFAQ/what_is_ID.htm
HIDS v. NIDS
Defense in depth, layered security: the two are complementary, not alternatives.
HIDS
- Typically software installed on the system being protected
- Agent-based: monitors multiple data sources on the host, including file system meta-data (checksums, permissions, timestamps) and log files
- Wrapper-based: acts like a host firewall, denying or accepting connections or logins based on a defined policy
NIDS
- Monitors traffic on a network segment and reports on traffic not considered "normal"
- Anomaly-based: models packet sizes, destinations, protocol distributions, etc.; the hard part is determining what "normal" traffic looks like
- Signature-based: most products use signature-based detection
Signature-based NIDS
Signature-based detection matches header fields, port numbers and packet content against known patterns: a network "grep".
Advantages
- No learning curve or baseline period
- Works out of the box for well-known attacks
- Snort has ~1900 signatures, Dragon ~1700 (at the time of this talk)
Disadvantages
- New attacks cannot be detected until someone writes a signature
- False positives
- Maintenance/tweaking of the rule set
- Not very hard to evade (see Evasion below)
- Stateless, lacks thresholding: one matching packet is one alert, with no notion of the session or the rate of hits
Signatures
Anatomy of a signature, in the Enterasys Dragon format:

    T A A S 10 20 6668 IRC:XDCC /5Bxdcc/5Dslt

| Field | Value | Meaning |
|---|---|---|
| 1 | T | PROTOCOL |
| 2 | A | DIRECTION |
| 3 | A | PROTECTED NETWORKS |
| 4 | S | BINARY OR STRING |
| 5 | 10 | DYNAMIC LOG |
| 6 | 20 | COMPARE BYTES |
| 7 | 6668 | PORT |
| 8 | IRC:XDCC | EVENT NAME |
| 9 | /5Bxdcc/5Dslt | SEARCH STRING |

In the search string, /5B and /5D are hex escapes for the bytes 0x5B '[' and 0x5D ']', so the signature looks for the text "[xdcc]slt" (compare the NICK line in the raw data two slides on).
Signatures
On the console… (source and destination addresses are partly masked in the original; the Session and Raw Data columns contained no text in the extraction)

| Time | Dir | Source | Destination | Proto | Event Name | Group | Sensor | Session | Raw Data |
|---|---|---|---|---|---|---|---|---|---|
| 11:02 02Nov04 | from | 128.103.a.b:4295 | 207.44.x.y:6667 | tcp | IRC:XDCC | UNKNOWN | ids5 | | |
| 11:01 02Nov04 | from | 128.103.a.b:1141 | 207.44.x.y:6667 | tcp | IRC:XDCC | UNKNOWN | ids5 | | |
| 10:59 02Nov04 | from | 128.103.a.b:2582 | 207.44.x.y:6667 | tcp | IRC:XDCC | UNKNOWN | ids5 | | |
| 10:57 02Nov04 | from | 128.103.a.b:3341 | 207.44.x.y:6667 | tcp | IRC:XDCC | UNKNOWN | ids5 | | |
Raw data for one of those sessions. The original rendered line breaks as {A} (0x0A, LF) and {D} (0x0D, CR); they are shown as line breaks here. The capture is cut off in the original after "NOTICE [XD", the extraction repeated the server banner once (shown a single time below), and the user@host in the 001 line was obfuscated by the hosting site.

```text
NICK [XDCC]SLT-L482
USER b0b 32 . :XDCC
MODE [XDCC]SLT-L482 +i
NICK [XDCC]SLT-L482
USER b0b 32 . :XDCC
MODE [XDCC]SLT-L482 +i
NICK [XDCC]SLT-L482
USER b0b 32 . :XDCC
MODE [XDCC]SLT-L482 +i

:snagged.wi.us.criten.net NOTICE AUTH :*** Looking up your hostname...
:snagged.wi.us.criten.net NOTICE AUTH :*** Found your hostname, cached
:snagged.wi.us.criten.net NOTICE AUTH :*** Checking Ident
:snagged.wi.us.criten.net 001 [XDCC]SLT-L482 :Welcome to the Criten IRC Network [XDCC][email protected]
:snagged.wi.us.criten.net 002 [XDCC]SLT-L482 :Your host is snagged.wi.us.criten.net[@0.0.0.0], running version bahamut-1.4(34)
:snagged.wi.us.criten.net 003 [XDCC]SLT-L482 :This server was created Fri Oct 18 2002 at 12:49:34 CDT
:snagged.wi.us.criten.net 004 [XDCC]SLT-L482 snagged.wi.us.criten.net bahamut-1.4(34) oiwscrknfydaAbghe biklLmMnoprRstvc
:snagged.wi.us.criten.net 005 [XDCC]SLT-L482 NOQUIT WATCH=128 SAFELIST MODES=13 MAXCHANNELS=15 MAXBANS=100 NICKLEN=30 TOPICLEN=307 KICKLEN=307 CHANTYPES=&# PREFIX=(ov)@+ NETWORK=Criten SILENCE=10 CASEMAPPING=ascii :are available on this server
:snagged.wi.us.criten.net 251 [XDCC]SLT-L482 :There are 59 users and 6470 invisible on 17 servers
:snagged.wi.us.criten.net 252 [XDCC]SLT-L482 30 :IRC Operators online
:snagged.wi.us.criten.net 253 [XDCC]SLT-L482 84 :unknown connection(s)
:snagged.wi.us.criten.net 254 [XDCC]SLT-L482 738 :channels formed
:snagged.wi.us.criten.net 255 [XDCC]SLT-L482 :I have 705 clients and 1 servers
:snagged.wi.us.criten.net 265 [XDCC]SLT-L482 :Current local users: 705 Max: 3506
:snagged.wi.us.criten.net 266 [XDCC]SLT-L482 :Current global users: 6529 Max: 13238
:snagged.wi.us.criten.net NOTICE [XD
```
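The following is an added example, not from the slides and not Dragon's own code: it parses the signature line shown two slides back and runs it over the client side of the captured session. The field order follows the slide's labels; treating COMPARE BYTES as the number of payload bytes examined, matching "S" (string) signatures case-insensitively, and treating each IRC command line as one packet are assumptions, marked as such in the comments. The equivalent Snort rule in the trailing comment is likewise an illustration, not taken from any rule set.

```python
"""Parse a Dragon-style signature and run it over the captured session.

Added example (not from the slides and not Dragon's own code): the field
order follows the labels on the "Signatures" slide; the meanings of
COMPARE BYTES (payload bytes examined) and case-insensitive string
matching are assumptions, marked below.
"""
import re
from dataclasses import dataclass

# The signature from the slide
SIGNATURE = "T A A S 10 20 6668 IRC:XDCC /5Bxdcc/5Dslt"

# Constructed sample: the client's first lines from the slide's raw data,
# with the {A} (0x0A) markers left in as the slide shows them.
CAPTURE = "NICK [XDCC]SLT-L482{A}USER b0b 32 . :XDCC{A}MODE [XDCC]SLT-L482 +i{A}"


@dataclass
class Signature:
    protocol: str        # T
    direction: str       # A
    protected_nets: str  # A
    kind: str            # S = string, B = binary
    dynamic_log: int     # 10
    compare_bytes: int   # 20: assumed to be the payload bytes examined per packet
    port: int            # 6668
    event: str           # IRC:XDCC
    search: bytes        # decoded search string


def decode_search(s: str) -> bytes:
    """Expand /XX hex escapes: /5B -> '[', /5D -> ']'."""
    return re.sub(rb"/([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), s.encode())


def parse_signature(line: str) -> Signature:
    fields = line.split(maxsplit=8)
    if len(fields) != 9:
        raise ValueError("expected 9 fields, got %d" % len(fields))
    proto, direction, nets, kind, dyn, cmp_bytes, port, event, search = fields
    return Signature(proto, direction, nets, kind, int(dyn), int(cmp_bytes),
                     int(port), event, decode_search(search))


def packets(capture: str):
    """Treat each {A}-terminated line as one packet payload (assumption:
    the IRC client writes one command per send)."""
    raw = capture.replace("{D}", "\r").replace("{A}", "\n").encode()
    return [p for p in raw.split(b"\n") if p]


def matches(sig: Signature, payload: bytes) -> bool:
    """Look for the search string within the first compare_bytes of payload."""
    window = payload[:sig.compare_bytes]
    if sig.kind == "S":
        return sig.search.lower() in window.lower()   # assumed case-insensitive
    return sig.search in window


def scan(sig: Signature, capture: str):
    """Return the payloads that would raise the signature's event."""
    return [p for p in packets(capture) if matches(sig, p)]


# For comparison, the same check as a Snort 2 rule (an illustration written
# for this example, not taken from any rule set):
#   alert tcp any any -> any 6668 (msg:"IRC:XDCC"; content:"[xdcc]slt";
#       nocase; sid:1000001; rev:1;)

if __name__ == "__main__":
    sig = parse_signature(SIGNATURE)
    for hit in scan(sig, CAPTURE):
        print(sig.event, hit)
```

Both the NICK and the MODE lines fire because "[XDCC]SLT" sits inside the first 20 bytes of each; a PRIVMSG that mentions the same nick 24 bytes in would not, which is the kind of blind spot a fixed compare window creates.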
NIDS – Management
Correlation is key
- Multiple sensors, single data repository
- Repository options: syslog, a DBMS, text files
NIDS – Placement
Inside the firewall
- Limits false positives: "cleaner" data, only traffic the firewall already let through
Outside the firewall
- Shows overall interest in your network, including what the firewall drops
Need to collect all traffic
- A plain switch port won't cut it: a switch only delivers a port its own unicast traffic, so the sensor sees almost nothing
- Options: a hub, a switch SPAN (mirror) port, or a passive tap
Difficult on high-bandwidth links (>300 Mbps)
- Distribution devices (TopLayer, etc.) split the load across several sensors
- Hardware-based sensors
NIDS – Drawbacks
False positives
- LOTS of data: we generate 3-4 GB of logs each day on a ~250 Mbps sustained link
- That volume makes alerting (deciding what deserves a human's attention) difficult
Interoperability
- Getting sensor output into an enterprise security management (ESM) product: Intellitactics, PentaSafe, etc.
NIDS - Drawbacks
Evasion
- Packet fragmentation: out-of-order and overlapping fragments or segments (Fragroute automates this)
- Character encodings / padding: Unicode and %-encoding, mixed case, inserted ../..'s, embedded \0's
- OS stack behavior: the target's TCP/IP stack decides which copy of an overlapping byte wins, so the sensor has to reassemble the same way the target does
- Consequence: a simple "grep" of a packet won't work; the sensor needs stream reassembly and protocol normalization
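The three evasion classes above, as an added example that is not from the slides and is not fragroute: a stateless per-packet matcher against (1) a signature split across two TCP segments, (2) overlapping segments where first-copy-wins and last-copy-wins stacks see different bytes, and (3) encoding, case, dot-dot and NUL tricks, beside the reassembly and URI normalization that recover them. The HTTP requests, segments and the "/scripts/cmd.exe" signature are constructed, and NUL truncation is an assumption about how the target server treats the path.

```python
"""Evading a stateless 'packet grep' NIDS, and what reassembly plus
normalization recover.

Added example; not from the slides and not fragroute. The HTTP requests,
TCP segments and the "/scripts/cmd.exe" signature are constructed; the
NUL-truncation rule is an assumption about the target server.
"""
import posixpath
from urllib.parse import unquote

NEEDLE = b"/scripts/cmd.exe"

# (1) The signature split across two TCP segments: (sequence offset, payload)
SPLIT = [(0, b"GET /scripts/cm"), (15, b"d.exe?/c+dir HTTP/1.0\r\n")]

# (2) Overlapping segments, arrival order A, B, C; C overlaps the tail of A and
#     all of B. A stack that keeps the FIRST copy of each byte sees cmd.exe,
#     one that keeps the LAST copy sees xxx.exe. Sensor and target may disagree.
OVERLAP = [(0, b"GET /scripts/cm"), (15, b"d.exe"), (13, b"xxx.exe")]

# (3) Encoding, case, dot-dot and NUL tricks inside a single segment
REQUESTS = [
    b"GET /scripts/cmd.exe",
    b"GET /scripts/CMD.EXE",
    b"GET /scripts/%63md%2eexe",
    b"GET /scripts/x/../cmd.exe",
    b"GET /scripts/cmd.exe%00.txt",
]


def naive_grep(segments, needle=NEEDLE):
    """Stateless per-packet match: the "network grep" of the slides."""
    return any(needle in data for _, data in segments)


def reassemble(segments, policy="first"):
    """Rebuild the byte stream from (offset, data) segments in arrival order.
    policy='first' keeps the earliest copy of an overlapping byte, 'last'
    keeps the latest. Real TCP stacks differ here, which is what overlap
    evasion exploits."""
    stream = {}
    for offset, data in segments:
        for i, byte in enumerate(data):
            pos = offset + i
            if policy == "last" or pos not in stream:
                stream[pos] = byte
    return bytes(stream[pos] for pos in sorted(stream))


def stream_match(segments, policy="first", needle=NEEDLE):
    """Match against the reassembled stream instead of individual packets."""
    return needle in reassemble(segments, policy)


def normalize_uri(request: bytes) -> str:
    """Canonicalize the request-URI the way the target would interpret it."""
    uri = request.split()[1].decode("latin-1")   # "GET <uri> ..." -> <uri>
    uri = unquote(uri)                            # %63 -> 'c', %2e -> '.', %00 -> NUL
    uri = uri.split("\x00", 1)[0]                 # assumed: C-string truncation at NUL
    uri = posixpath.normpath(uri)                 # /scripts/x/../cmd.exe -> /scripts/cmd.exe
    return uri.lower()                            # case-insensitive filesystem on the target


def normalized_match(request: bytes, needle=NEEDLE) -> bool:
    return needle.decode() in normalize_uri(request)


def report():
    """Per request: (raw substring match, match after normalization)."""
    return {req: (NEEDLE in req, normalized_match(req)) for req in REQUESTS}


if __name__ == "__main__":
    print("split   naive:", naive_grep(SPLIT), " stream:", stream_match(SPLIT))
    print("overlap first:", stream_match(OVERLAP, "first"),
          " last:", stream_match(OVERLAP, "last"))
    for req, (raw, norm) in report().items():
        print(req.decode(), "raw:", raw, "normalized:", norm)
```

The overlap case is the important one: reassembly alone is not enough, the sensor must also reassemble with the same policy as the host it protects, and that policy differs by operating system. Ptacek and Newsham's paper in the resources section is the original treatment of this problem.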
Active Response
NIDS is primarily a passive technology
- It only monitors traffic; it doesn't sit in the data stream
Active response
- The sensor reacts to an alert, for example by injecting TCP resets to tear down the offending connection or by pushing a block rule to a firewall
- aka "sniping" (for the reset injection), flex response (Snort calls its implementation FlexResp)
Active Response
Several issues
- Timing: by the time the filters are applied, the attack is complete (a single-packet exploit has already landed before the reset or block rule goes out)
- False alarms / spoofed traffic: an attacker who can trigger an alert with a spoofed source address gets the sensor to block an address of their choosing, a self-inflicted DoS
- Lack of formatting standards for handing responses to other devices: CVE names the vulnerabilities and Check Point's OPSEC is one vendor interface, but there is no general standard
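An added example, not from the slides or any product, of the second issue above: an auto-blocking policy that blocks the source of every alert, fed a constructed alert stream in which three alerts carry spoofed sources, beside a guarded policy that only acts on alerts from established TCP connections (which cannot be spoofed blind), never touches a list of critical addresses, and requires several hits. The alerts, addresses and critical-host list are constructed.

```python
"""Active response done naively versus with guards.

Added example, not from the slides or any product: it models the
"false alarms / spoofed traffic -> self-inflicted DoS" problem. Alert
records, addresses and the critical-host list are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Alert:
    src: str           # source address as the sensor saw it
    event: str
    established: bool  # True only if the sensor saw the full TCP handshake


# Constructed alert stream. The host at 198.51.100.7 really is attacking;
# the next two alerts carry spoofed sources chosen to get useful hosts
# blocked, and the last is a lone SYN whose source proves nothing.
ALERTS = [
    Alert("198.51.100.7", "SCAN:PORTSWEEP", True),
    Alert("198.51.100.7", "WEB:CMD-EXE", True),
    Alert("198.51.100.7", "WEB:CMD-EXE", True),
    Alert("192.0.2.53", "DNS:BIND-VERSION", False),   # spoofed: our resolver (one UDP packet)
    Alert("203.0.113.1", "ICMP:REDIRECT", False),      # spoofed: the upstream router
    Alert("198.51.100.9", "SCAN:SYN", False),          # single SYN, trivially spoofable
]

# Addresses the sensor must never block on its own (constructed)
CRITICAL = [ip_network("192.0.2.0/24"), ip_network("203.0.113.1/32")]


def naive_response(alerts):
    """Block the source of every alert: the behaviour that lets an attacker
    choose which of your hosts the sensor cuts off."""
    return {a.src for a in alerts}


def guarded_response(alerts, never_block=CRITICAL, threshold=3):
    """Act only on alerts that could not have been spoofed blind (established
    TCP), never on critical infrastructure, and only after `threshold` hits
    from the same source."""
    hits = Counter()
    blocked = set()
    for a in alerts:
        if not a.established:
            continue       # one-packet UDP/ICMP/SYN alerts say nothing reliable about the source
        if any(ip_address(a.src) in net for net in never_block):
            continue       # a block here is the self-inflicted DoS the slide warns about
        hits[a.src] += 1
        if hits[a.src] >= threshold:
            blocked.add(a.src)
    return blocked


if __name__ == "__main__":
    print("naive blocks  :", sorted(naive_response(ALERTS)))
    print("guarded blocks:", sorted(guarded_response(ALERTS)))
```

The naive policy blocks the resolver and the upstream router on the strength of two forged packets; the guarded one blocks only the real attacker. None of these guards helps with the first issue, timing: even a correct block is applied after the packet that mattered. In a real deployment the blocks also need to expire, which this example leaves out.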
Intrusion Prevention
Place the system in-line, so it can drop traffic rather than only report it
- Hardware: the box must keep up with the link at line rate
- Redundancy: an in-line sensor that fails takes the link down with it
Acts as an IDS/firewall hybrid
- Hogwash
NIDS on the Cheap
So you want a NIDS?
- Snort: open-source NIDS, quickly becoming the "Apache" of IDS; runs on Windows and most Unix variants
- MySQL: open-source DBMS to hold the alerts
- ACID: great web-based front-end for Snort/MySQL
- A place to collect traffic: your NIC is fine if you have only one machine; use a hub if you've got a LAN (or a SPAN port or tap, see Placement above)
Additional Resources
Fragroute
  http://monkey.org/~dugsong/fragroute/
Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection (Ptacek and Newsham)
  http://secinf.net/info/ids/idspaper/idspaper.html
HIDS Products
PortSentry
  http://www.psionic.com/products/portsentry.html
Tripwire
  http://www.tripwire.com/
AIDE
  http://www.cs.tut.fi/~rammer/aide.html
NIDS Products
Snort
  http://www.snort.org
Dragon
  http://www.enterasys.com/ids/
CiscoSecure IDS
ISS RealSecure
  http://www.iss.net/products_services/enterprise_protection/rsnetwork/index.php
ACID
  http://www.andrew.cmu.edu/~rdanyliw/snort/snortacid.html
Hogwash
  http://hogwash.sourceforge.net/
Questions?