
Intrusion Detection System

Alan TAM

Program Committee, PISA

Definition and Needs

• IDS = Intrusion Detection System

• Not a firewall

• Content inspection

Technology

• Signature detection

• Anomaly detection

General IDS Model

• Sensor

• Analyzer

• Manager

• Administrator

• Operator

[Figure: General IDS model. Components: Data Source, Sensor, Analyzer, Manager, Administrator, Operator. Activity from the Data Source is observed by the Sensor, which sends Events to the Analyzer; the Analyzer sends Alerts to the Manager, which sends Notifications to the Operator, who issues a Response. The Administrator defines the Security Policy applied to the Sensor, Analyzer and Manager.]

Basic Classification

• NIDS - Network based
  – e.g. Cisco Secure IDS, Axent NetProwler, Snort, ISS RealSecure Network Sensor, NAI CyberCop Monitor

• HIDS - Host based
  – e.g. Axent Intruder Alert, ISS RealSecure OS Sensor, Tripwire

Functional Classification

• Packet capturing + Pattern matching

• Log parser

• Host firewall

• File integrity checker

• Activity monitor

Deployment Tips (1)

• Dual NIC
  – No TCP/IP binding on the monitoring interface
  – Network performance
  – Security

• NIC optimization settings

• Promiscuous mode

Deployment Tips (2)

• Locations
  – DMZ
  – In front of firewall
  – Behind firewall
  – Server segments
  – “Power user” segments

Deployment Tips (3)

• Generic OS hardening & optimization
  – TCP/IP services
  – NetBIOS services
  – File & directory permissions
  – Unneeded background processes
  – Peripherals

Deployment Tips (4)

• Miscellaneous
  – Automatic mass deployment of HIDS
  – Downtime against SLA
  – Tuning of false alarms
  – Do policy customization (no kidding)
  – Monitor log growth rate

Problem Scenarios (1)

• Signature quality
  – False POSITIVES
  – False NEGATIVES
  – Threshold values
  – Duplicate elimination

• Encrypted traffic
  – SSL, IPSEC & PPTP tunnels, PGP attachments (content cannot be inspected)
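The signature-quality points above (threshold values and duplicate elimination) are easiest to see in code. The following is an added example, not code from the original slides: a minimal signature-based detector run over a constructed capture. The packets, addresses, signatures, thresholds and names (Packet, Signature, Detector, run_demo) are all assumptions made for illustration; real signatures and tuning values come from the vendor or the Snort rule set.

```python
"""Signature detection with a hit threshold and duplicate suppression.

Added example, not code from the original slides. The packets, signatures,
addresses and thresholds below are constructed for illustration."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float        # seconds, relative to start of capture
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: re.Pattern     # searched in the packet payload
    threshold: int = 1      # hits from one source needed before alerting
    window: float = 60.0    # seconds in which those hits must occur
    dedup: float = 300.0    # suppress repeat alerts for (signature, source) within this


@dataclass(frozen=True)
class Alert:
    signature: str
    src: str
    dst: str
    ts: float
    count: int               # hits in the window when the alert fired


# Constructed signatures: one content match, one rate-based match.
SIGNATURES = [
    Signature("HTTP directory traversal", re.compile(rb"\.\./\.\./")),
    Signature("FTP repeated PASS", re.compile(rb"^PASS ", re.M), threshold=4, window=10.0),
]


class Detector:
    def __init__(self, signatures):
        self.signatures = signatures
        self.hits = defaultdict(list)   # (signature, src) -> timestamps of matching packets
        self.last_alert = {}            # (signature, src) -> ts of the last alert raised

    def process(self, packets):
        alerts = []
        for pkt in packets:
            for sig in self.signatures:
                if not sig.pattern.search(pkt.payload):
                    continue
                key = (sig.name, pkt.src)
                # Keep only hits inside the sliding window, then add this one.
                window = [t for t in self.hits[key] if pkt.ts - t <= sig.window]
                window.append(pkt.ts)
                self.hits[key] = window
                if len(window) < sig.threshold:
                    continue                       # below threshold: no alert yet
                last = self.last_alert.get(key)
                if last is not None and pkt.ts - last < sig.dedup:
                    continue                       # duplicate of a recent alert
                self.last_alert[key] = pkt.ts
                alerts.append(Alert(sig.name, pkt.src, pkt.dst, pkt.ts, len(window)))
        return alerts


def run_demo():
    """Feed a constructed capture through the detector and return the alerts."""
    pkts = [
        Packet(0.0, "10.0.0.5", "192.0.2.10", 80, b"GET /../../etc/passwd HTTP/1.0\r\n"),
        Packet(1.0, "10.0.0.5", "192.0.2.10", 80, b"GET /../../etc/shadow HTTP/1.0\r\n"),
        Packet(2.0, "10.0.0.6", "192.0.2.10", 80, b"GET /index.html HTTP/1.0\r\n"),
    ]
    # Five password attempts in five seconds, then one more half a minute later.
    pkts += [Packet(10.0 + i, "198.51.100.7", "192.0.2.21", 21, b"PASS guess%d\r\n" % i)
             for i in range(5)]
    pkts.append(Packet(40.0, "198.51.100.7", "192.0.2.21", 21, b"PASS guess9\r\n"))
    return Detector(SIGNATURES).process(pkts)


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.ts:6.1f}s  {a.signature:26s} {a.src} -> {a.dst}  hits={a.count}")
```

Running it produces two alerts: the traversal fires on the first packet and the second, near-identical request from the same source is suppressed as a duplicate; the FTP signature only fires on the fourth PASS within its 10-second window, and the lone attempt at 40 seconds never reaches the threshold. Raising a threshold trades false positives against the risk of missing slow attacks, which is the tuning decision the slide refers to.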

Problem Scenarios (2)

• Switch instead of hub
  – Collision domain
  – Port spanning/mirroring/monitoring
  – Performance degradation

• High speed network
  – Packet drop
  – DoS

How to choose an IDS (1)

• Attack signature
  – Quality
  – Update frequency
  – Update mechanism

How to choose an IDS (2)

• Scalability
  – Traffic handling capacity
  – Shutdown mechanism
  – Supported platforms (HIDS)

How to choose an IDS (3)

• Manageability
  – Examining logs
  – Cross reference
  – Archiving
  – Centralized console

How to choose an IDS (4)

• Hardware platform
  – Intel based
  – SPARC based

Response Actions (1)

• Log
  – Header, significant application data
  – Raw packet

• Alert
  – Console
  – Email
  – SNMP traps

Response Actions (2)

• Termination
  – TCP kill
  – Kernel drop

• Third-party integration
  – Firewall
  – Router

Response Actions (3)

• User script
  – Increase log level
  – Modem to pager
  – Email to SMS
  – Redirect to honey pot

Previous Battlefield

• IP defragmentation

• TCP stream reassembly
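The two battles listed above were won by making the IDS reassemble before it matches: a pattern split across fragments or segments is invisible to per-packet inspection. The following is an added example, not code from the original slides, showing TCP segment reassembly in front of a pattern match. The segments, the pattern and the function names (reassemble, match_per_packet, match_stream) are constructed for illustration; sequence numbers are relative to the start of the stream.

```python
"""TCP stream reassembly before pattern matching.

Added example, not code from the original slides. Segments and the pattern
are constructed; sequence numbers are relative to the start of the stream."""
import re

# A traversal string split across three segments that arrive out of order.
# Each tuple is (relative sequence number, payload).
OUT_OF_ORDER = [
    (17, b"sswd HTTP/1.0\r\n"),
    (0, b"GET /.."),
    (7, b"/../etc/pa"),
]
# The same stream with one segment retransmitted (an overlap, not a gap).
WITH_RETRANSMIT = OUT_OF_ORDER + [(7, b"/../etc/pa")]
# A stream missing its middle segment.
WITH_GAP = [(0, b"GET /.."), (17, b"sswd HTTP/1.0\r\n")]

PATTERN = re.compile(rb"\.\./\.\./etc/passwd")


def match_per_packet(segments, pattern):
    """Naive approach: look at each segment on its own."""
    return any(pattern.search(payload) for _, payload in segments)


def reassemble(segments):
    """Stitch segments into one byte stream in sequence order.

    Returns (data, overlaps, complete). Bytes already placed win over a later
    overlapping copy (a retransmission); a gap stops reassembly and the stream
    is reported incomplete so the caller can decide how to treat it."""
    data = b""
    start = None
    overlaps = 0
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if start is None:
            start = seq
        expected = start + len(data)
        if seq > expected:
            return data, overlaps, False        # hole in the stream
        if seq < expected:
            overlaps += 1
            payload = payload[expected - seq:]  # drop the part already seen
        data += payload
    return data, overlaps, True


def match_stream(segments, pattern):
    """Reassemble first, then match; an incomplete stream is reported, not ignored."""
    data, overlaps, complete = reassemble(segments)
    return {"match": bool(pattern.search(data)), "complete": complete, "overlaps": overlaps}


if __name__ == "__main__":
    print("per-packet:", match_per_packet(OUT_OF_ORDER, PATTERN))
    print("stream    :", match_stream(OUT_OF_ORDER, PATTERN))
    print("retransmit:", match_stream(WITH_RETRANSMIT, PATTERN))
    print("gap       :", match_stream(WITH_GAP, PATTERN))
```

The per-packet check returns False for all three captures while the reassembled stream matches. The overlap and gap counters matter for the same reason: end hosts differ in which copy of overlapping data they keep, so a production sensor has to model the target's behaviour rather than silently pick one, and a stream with a hole is a signal in itself (packet drop on a busy link, or deliberate evasion).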

Today…

• IDS load balancing

• Hardware IDS
  – ASIC IDS module in a chassis
  – ASIC switch appliance

Standards

• CVE (Common Vulnerabilities and Exposures)

• IDMEF (Intrusion Detection Message Exchange Format)

CVE (1)

• Standardized name

• Interoperability between tools

• Tool comparison guidelines
  – CVE-compatible
  – No. of signatures

CVE (2)

• Version
  – As of August 2001: 20010507

• Classification
  – CVE candidate (CAN-YYYY-XXXX)
  – CVE entry (CVE-YYYY-XXXX)

[Figure: CVE process flow. Discovery → Assign candidate number → Editor proposes to the board → Modification votes → Accepted or Rejected, then Published.]

Data Sources

• Security Focus - SecurityFocus.com weekly newsletters (http://www.securityfocus.com/vdb)

• Network Computing and the SANS Institute - weekly Security Alert Consensus (http://archives.neohapsis.com/archives/securityexpress/current/)

• ISS - monthly Security Alert Summary (http://xforce.iss.net/alerts/summaries.php)

• NIPC CyberNotes - biweekly issues (http://www.nipc.gov/cybernotes.htm)

Reference Source

(Source tags used in the references of CVE entries)

AIXAPAR, ALLAIRE, ASCEND, ATSTAKE, AUSCERT, BID, BINDVIEW, BUGTRAQ, CALDERA, CERT, CERT-VN, CHECKPOINT, CIAC, CISCO, COMPAQ, CONECTIVA, CONFIRM, DEBIAN, EEYE, EL8, ERS, FREEBSD, FarmerVenema, FreeBSD, HERT, HP, IBM, INFOWAR, ISS, KSRT, L0PHT, MANDRAKE, MISC, MS, MSKB, NAI, NETBSD, NETECT, NTBUGTRAQ, NetBSD, OPENBSD, REDHAT, RSI, SCO, SEKURE, SF-INCIDENTS, SGI, SNI, SUN, SUNBUG, SUSE, TURBO, URL, VULN-DEV, WIN2KSEC, XF

Tips for using CVE

• Do not use general terms (e.g. buffer overflow) to search

• Use exact process name (e.g. sendmail)

• Go to the “references” for Fix

IDWG

• Intrusion Detection Working Group

• Aims
  – Define data format
  – Define exchange procedure

• Outputs
  – Requirements document
  – Common intrusion language specification
  – Framework document

IDMEF

• Standard data format (using XML)

• Interoperability

• Typical deployments:
  – Sensor to manager
  – Database
  – Event correlation system
  – Centralized console

IDMEF Addressed Problems

• Inherently heterogeneous information

• Different sensor types

• Different analyzer capabilities

• Different operating systems

• Different objectives of commercial vendors

Message Classes (1)

• IDMEF-Message Class

• Alert Class
  – ToolAlert
  – CorrelationAlert
  – OverflowAlert

• Heartbeat Class

Message Classes (2)

• Core Classes
  – Analyzer
  – Source
  – Target
  – Classification
  – AdditionalData

Message Classes (3)

• Time Class
  – CreateTime
  – DetectTime
  – AnalyzerTime

Message Classes (4)

• Support Class
  – Node
  – User
  – Process
  – Service

Example

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE IDMEF-Message PUBLIC "-//IETF//DTD RFCxxxx IDMEF v0.3//EN"
  "idmef-message.dtd">
<IDMEF-Message version="0.3">
  <Alert ident="abc123456789" impact="successful-dos">
    <Analyzer analyzerid="hq-dmz-analyzer01">
      <Node category="dns">
        <location>Headquarters DMZ Network</location>
        <name>analyzer01.bigcompany.com</name>
      </Node>
    </Analyzer>
    <CreateTime ntpstamp="0x12345678.0x98765432">
      2000-03-09T10:01:25.93464-05:00
    </CreateTime>
    <Source ident="a1b2c3d4">
      <Node ident="a1b2c3d4-001" category="dns">
        <name>badguy.hacker.net</name>
        <Address ident="a1b2c3d4-002" category="ipv4-net-mask">
          <address>123.234.231.121</address>
          <netmask>255.255.255.255</netmask>
        </Address>
      </Node>
    </Source>
    <Target ident="d1c2b3a4">
      <Node ident="d1c2b3a4-001" category="dns">
        <Address category="ipv4-addr-hex">
          <address>0xde796f70</address>
        </Address>
      </Node>
    </Target>
    <Classification origin="bugtraqid">
      <name>124</name>
      <url>http://www.securityfocus.com</url>
    </Classification>
  </Alert>
</IDMEF-Message>
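The interoperability promised by IDMEF only materialises when a manager or correlation engine can read messages from any sensor. The following is an added example, not code from the original slides or from the IDWG, that parses the v0.3-style message shown above into a plain Python record. It assumes the draft's layout without an XML namespace (as in the sample); the record layout and the helper names (parse_idmef, parse_node, hex_to_dotted) are my own. The sample message is reproduced from the slide so the block runs offline.

```python
"""Parse an IDMEF v0.3-style alert into a plain Python record.

Added example, not code from the original slides. IDMEF_SAMPLE repeats the
message shown on the slide; the record layout and helper names are my own."""
import ipaddress
import xml.etree.ElementTree as ET

IDMEF_SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE IDMEF-Message PUBLIC "-//IETF//DTD RFCxxxx IDMEF v0.3//EN"
  "idmef-message.dtd">
<IDMEF-Message version="0.3">
  <Alert ident="abc123456789" impact="successful-dos">
    <Analyzer analyzerid="hq-dmz-analyzer01">
      <Node category="dns">
        <location>Headquarters DMZ Network</location>
        <name>analyzer01.bigcompany.com</name>
      </Node>
    </Analyzer>
    <CreateTime ntpstamp="0x12345678.0x98765432">
      2000-03-09T10:01:25.93464-05:00
    </CreateTime>
    <Source ident="a1b2c3d4">
      <Node ident="a1b2c3d4-001" category="dns">
        <name>badguy.hacker.net</name>
        <Address ident="a1b2c3d4-002" category="ipv4-net-mask">
          <address>123.234.231.121</address>
          <netmask>255.255.255.255</netmask>
        </Address>
      </Node>
    </Source>
    <Target ident="d1c2b3a4">
      <Node ident="d1c2b3a4-001" category="dns">
        <Address category="ipv4-addr-hex">
          <address>0xde796f70</address>
        </Address>
      </Node>
    </Target>
    <Classification origin="bugtraqid">
      <name>124</name>
      <url>http://www.securityfocus.com</url>
    </Classification>
  </Alert>
</IDMEF-Message>
"""


def hex_to_dotted(value):
    """Turn an 'ipv4-addr-hex' address such as 0xde796f70 into dotted-quad form."""
    return str(ipaddress.IPv4Address(int(value, 16)))


def text(elem, path):
    """Child text with surrounding whitespace removed, or None if absent."""
    value = elem.findtext(path)
    return value.strip() if value is not None else None


def parse_node(node):
    """Flatten a Node element; hex addresses are normalised so they correlate."""
    addresses = []
    for addr in node.findall("Address"):
        category = addr.get("category")
        value = text(addr, "address")
        if category == "ipv4-addr-hex":
            value = hex_to_dotted(value)
        addresses.append({"category": category, "address": value,
                          "netmask": text(addr, "netmask")})
    return {"ident": node.get("ident"), "category": node.get("category"),
            "name": text(node, "name"), "addresses": addresses}


def parse_idmef(xml_bytes):
    """Return one record per Alert in the message (a Heartbeat yields none)."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "IDMEF-Message":
        raise ValueError("not an IDMEF-Message document")
    records = []
    for alert in root.findall("Alert"):
        analyzer = alert.find("Analyzer")
        cls = alert.find("Classification")
        records.append({
            "ident": alert.get("ident"),
            "impact": alert.get("impact"),
            "analyzer": None if analyzer is None else analyzer.get("analyzerid"),
            "create_time": text(alert, "CreateTime"),
            "sources": [parse_node(n) for n in alert.findall("Source/Node")],
            "targets": [parse_node(n) for n in alert.findall("Target/Node")],
            "classification": None if cls is None else {
                "origin": cls.get("origin"), "name": text(cls, "name"), "url": text(cls, "url")},
        })
    return records


if __name__ == "__main__":
    for r in parse_idmef(IDMEF_SAMPLE):
        src = ", ".join(a["address"] for n in r["sources"] for a in n["addresses"])
        dst = ", ".join(a["address"] for n in r["targets"] for a in n["addresses"])
        print(f"{r['create_time']} {r['analyzer']} {r['impact']}: {src} -> {dst} "
              f"[{r['classification']['origin']} {r['classification']['name']}]")
```

The target address arrives as 0xde796f70 and is stored as 222.121.111.112, so a console can match it against the dotted form another sensor would send; that normalisation is the practical side of the "inherently heterogeneous information" problem. ElementTree does not fetch the external DTD named in the DOCTYPE, but a manager ingesting messages from sensors it does not control should still parse with entity expansion disabled (for example via defusedxml) before trusting the document.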

Summary

• IDS Classification

• IDS Deployment Considerations

• How to choose an IDS

• Industry standards

HKCERT/CC

• Web - http://www.hongkongcert.org

• Telephone - 2788 6060

• Fax - 2190 9760

• Email - mailto:infosecurity@hkpc.org

Reference

• http://cve.mitre.org/cve

• http://www.silicondefense.com/idwg/

• http://www.securityfocus.com/

Thank You

• For suggestions and corrections, please send email to alan.tam@pisa.org.hk or alantam@hk.is-one.net

Discussion

• SLA - cannot stop service immediately

• Switch to standby system if possible

• Contingency planning

• Trace the source; Track its activity

Recommended