8. Intrusion detection and penetration tests

Grenoble - JMT - Chapter 8 “Intrusion detection and response - Audit”

Intrusion detection and response

• Purpose: to detect and respond to network attacks and malicious code

• Malicious code
– Intended to harm, disrupt, or circumvent computer and network functions (viruses, trojan horses, worms…)

• Network attacks
– Modification attacks: unauthorized alteration of information
– Repudiation attacks: denial that an event or transaction ever occurred
– Denial-of-service attacks: actions resulting in the unavailability of network resources and services when they are required
– Access attacks: unauthorized access to network resources and information

Intrusion Detection Mechanisms

• Anti-virus
– client machines
– server machines (mail server…)

• Intrusion detection and response
– Monitoring systems for evidence of intrusions or inappropriate usage, and responding to this evidence

• ID
– Detection of inappropriate, incorrect or anomalous activity

• Response
– Notifying the appropriate parties to take action
• To determine the extent and the severity of an incident
• To remediate the incident’s effects

8.1.1 History of the development of IDS

Today’s products still implement concepts that date from the 1980s.

8.1.1 Types of ID systems: NIDS

• Network-based ID systems (NIDSs, network IDSs): a NIDS resides on a discrete network segment and monitors the traffic on that segment. It usually consists of a network appliance with a network interface card (NIC) that intercepts and analyzes the network packets in real time. The sniffing NIC is generally run in promiscuous mode and is usually configured in “stealth” mode, i.e. without an IP address, so that the sensor cannot be addressed (or attacked) from the monitored segment.

– Packets are identified as being of interest if they match a signature
• String signature: looks for a text string that indicates a possible attack
• Port signature: watches for connection attempts to well-known, frequently attacked ports
• Header condition signature: watches for dangerous or illogical combinations of packet header fields (for example a TCP segment with both SYN and FIN set)

– Generally deployed in front of and behind the firewalls and VPN gateways
– Characteristics
• Provides real-time information without consuming network or host resources
• Passive when acquiring data; reviews packets and headers
• Can detect DoS attacks
• Can respond to an attack in progress to limit damage (thanks to real-time monitoring)
• Not able to detect attacks against a host made by an intruder who is logged in at the host’s terminal (and, in general, cannot inspect the content of encrypted traffic)
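The three signature classes above, as an added example in Python (not code from the course or from any IDS product): a toy matcher with a string signature, a port signature and a header-condition signature, run over a handful of constructed packets. The `Packet` layout, the signature ids and the traffic are assumptions made for illustration, not a real capture.

```python
"""Toy NIDS signature matcher: string, port and header-condition signatures
applied to packets seen on a monitored segment.  Added example, not the
course's code; Packet is a simplified view of the IP/TCP/UDP headers and
SIGNATURES / SAMPLE_TRAFFIC below are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple

# TCP flag bits as they appear in the header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: int
    flags: int = 0        # TCP flags; 0 for UDP
    payload: bytes = b""


@dataclass
class Signature:
    sid: int
    msg: str
    match: Callable[[Packet], bool]


def string_sig(sid: int, msg: str, needle: bytes) -> Signature:
    """String signature: the payload contains a byte string typical of an attack."""
    return Signature(sid, msg, lambda p: needle in p.payload)


def port_sig(sid: int, msg: str, proto: str, ports: Iterable[int]) -> Signature:
    """Port signature: connection attempt to a frequently attacked port.
    For TCP only the opening SYN (SYN set, ACK clear) counts, so that the
    server's SYN/ACK reply does not trigger the rule a second time."""
    wanted = set(ports)

    def match(p: Packet) -> bool:
        if p.proto != proto or p.dport not in wanted:
            return False
        return proto != "tcp" or (p.flags & (SYN | ACK)) == SYN

    return Signature(sid, msg, match)


def header_sig(sid: int, msg: str, required: int, forbidden: int = 0) -> Signature:
    """Header-condition signature: a TCP flag combination no legitimate stack
    produces (all `required` bits set, none of the `forbidden` bits set)."""
    return Signature(sid, msg, lambda p: p.proto == "tcp"
                     and (p.flags & required) == required
                     and (p.flags & forbidden) == 0)


SIGNATURES: List[Signature] = [
    string_sig(1001, "CGI probe: /cgi-bin/phf", b"/cgi-bin/phf"),
    string_sig(1002, "NOP sled, possible buffer overflow", b"\x90" * 32),
    port_sig(2001, "Connection attempt to SMB", "tcp", {139, 445}),
    port_sig(2002, "Connection attempt to MS-SQL", "tcp", {1433}),
    header_sig(3001, "SYN+FIN scan", SYN | FIN),
    header_sig(3002, "NULL scan (no flags set)", 0, ALL_FLAGS),
]


def inspect(packets: Iterable[Packet], signatures=SIGNATURES) -> List[Tuple[int, str, str, str]]:
    """Return one (sid, msg, src, dst) alert per matching packet/signature pair."""
    alerts = []
    for p in packets:
        for s in signatures:
            if s.match(p):
                alerts.append((s.sid, s.msg, p.src, p.dst))
    return alerts


# Constructed traffic (not a real capture); addresses are documentation ranges
SAMPLE_TRAFFIC = [
    Packet("203.0.113.5", "192.0.2.10", "tcp", 80, SYN),                 # ordinary web connection
    Packet("203.0.113.5", "192.0.2.10", "tcp", 80, PSH | ACK,
           payload=b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n"),           # string signature
    Packet("203.0.113.5", "192.0.2.10", "tcp", 445, SYN),                # port signature
    Packet("192.0.2.10", "203.0.113.5", "tcp", 445, SYN | ACK),          # the reply: no alert
    Packet("203.0.113.7", "192.0.2.10", "tcp", 22, SYN | FIN),           # header signature
    Packet("203.0.113.7", "192.0.2.10", "tcp", 22, 0),                   # NULL scan
    Packet("192.0.2.11", "192.0.2.10", "udp", 53, payload=b"\x00\x01"),  # DNS: no alert
]

if __name__ == "__main__":
    for alert in inspect(SAMPLE_TRAFFIC):
        print(alert)
```

The port signature deliberately looks at the flag bits as well as the port: matching on the destination port alone would raise a second alert on the server's SYN/ACK and, worse, on every packet of an established session, which is the kind of false positive the later slides warn about.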

8.1.1 Types of ID systems: HIDS

• Host-based ID systems (host-based IDSs): use small programs (agents) that reside on a host computer (web server, mail server…)
– Monitor the operating system
– Detect inappropriate activity
– Write to log files
– Trigger alarms
– Characteristics
• Monitor accesses and changes to critical system files and changes in user privileges
• Detect trusted insider attacks better than a network-based IDS
• Relatively effective for detecting attacks from the outside
• Can be configured to look at all the network packets, connection attempts and login attempts to the monitored machine, including dial-in attempts or other non-network communication ports
• Consume resources on the monitored host, and an intruder who gains administrative rights on that host can tamper with the agent and its logs

Signature-based IDSs

• Signature-based IDSs: the signatures or attributes that characterize an attack are stored for reference; if there is a match, a response is initiated
– Advantages
• Low false alarm rates
• Standardized (generally)
• Understandable by security personnel
– Disadvantages
• Failure to characterize slow attacks that extend over a long period of time
• Only the attack signatures that are stored in the database are detected
• The knowledge database needs to be maintained and updated regularly
• Because the knowledge about attacks is very focused (dependent on the operating system, version, platform, and application), new, unique, or original attacks often go unnoticed

Statistical anomaly-based IDSs

• Statistical anomaly-based or behavior-based IDSs dynamically detect deviations from the learned patterns of “normal” user behaviour and trigger an alarm when an intrusive activity occurs

• Need to learn the “normal” usage profile (which is difficult to determine)
– Advantages
• Can dynamically adapt to new, unique, or original attacks
• Not as dependent upon specific operating systems as a knowledge-based IDS
– Disadvantages
• Does not detect an attack that does not significantly change the system’s operating characteristics
• High false alarm rates: false positives are the most common failure of behavior-based ID systems
• If the network is under attack while the IDS is learning the baseline, the attack traffic is learned as “normal” and will not be flagged later
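The learning step and both disadvantages above, as an added example (not the course's code): a baseline of mean and standard deviation is learned from a training window, later samples are flagged when they exceed mean + k·σ, and one constructed series shows both a small deviation passing unnoticed and a training window that contains the attack hiding a later one. The metric (failed logins per hour for one host), the threshold rule and the numbers are assumptions.

```python
"""Statistical anomaly detection over an event-count series (here: failed
logins per hour for one host).  Added example, not the course's code; the
threshold rule mean + k*sigma is one simple profile, and SAMPLE_SERIES is
constructed so that it contains both a blatant and a subtle deviation."""
from statistics import mean, pstdev
from typing import List, Sequence


class Baseline:
    """Learned profile of 'normal' activity for one metric."""

    def __init__(self, training: Sequence[float], k: float = 3.0, sigma_floor: float = 1.0):
        if len(training) < 2:
            raise ValueError("need at least two training samples")
        self.mu = mean(training)
        # the floor keeps the threshold meaningful when training data is almost constant
        self.sigma = max(pstdev(training), sigma_floor)
        self.k = k

    @property
    def threshold(self) -> float:
        return self.mu + self.k * self.sigma

    def score(self, value: float) -> float:
        """Distance from the learned mean, in standard deviations."""
        return (value - self.mu) / self.sigma

    def is_anomalous(self, value: float) -> bool:
        return value > self.threshold


def detect(series: Sequence[float], train_len: int, k: float = 3.0) -> List[int]:
    """Learn the baseline on series[:train_len], then return the indices of the
    later samples that exceed the threshold."""
    base = Baseline(series[:train_len], k=k)
    return [i for i in range(train_len, len(series)) if base.is_anomalous(series[i])]


# Constructed hourly failed-login counts for one host (not real log data).
# Hours 0-11 are quiet; hour 14 is a password-guessing burst, hour 18 a
# second burst, hour 20 a slow attack that stays close to normal.
SAMPLE_SERIES = [3, 5, 4, 6, 2, 5, 4, 3, 5, 4, 6, 3,
                 4, 5, 60, 5, 3, 2, 45, 4, 7]

if __name__ == "__main__":
    clean = Baseline(SAMPLE_SERIES[:12])
    print(f"clean baseline: mu={clean.mu:.2f} sigma={clean.sigma:.2f} "
          f"threshold={clean.threshold:.2f}")
    print("flagged with a clean training window:", detect(SAMPLE_SERIES, 12))
    # Learning while the first burst is under way poisons the profile
    poisoned = Baseline(SAMPLE_SERIES[:15])
    print(f"poisoned baseline threshold={poisoned.threshold:.2f}")
    print("flagged with a poisoned training window:", detect(SAMPLE_SERIES, 15))
```

With the clean 12-hour window the threshold is about 7.8, so hours 14 and 18 are flagged but the count of 7 at hour 20 is not (the first disadvantage). Extending the window to 15 hours puts the burst of 60 into the training data, the learned σ jumps to about 14 and the threshold to about 50, and the second burst of 45 is now “normal” (the third disadvantage).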

Some IDS issues

• Many issues confront the effective use of an IDS. These include the following:
– The need to interoperate and correlate data across infrastructure environments with diverse technologies and policies
– Ever-increasing network traffic
– Risks inherent in taking inappropriate automated response actions
– Attacks on the IDSs themselves
– Unacceptably high levels of false positives and false negatives, which make it difficult to pick out the true positives
• False negative: an incident that is not detected, which can lead to security problems
• False positive: an anomaly that is detected although the triggering event has no security consequence
– The lack of objective IDS evaluation and test information

8.1.2 Functionalities of IDS: Responses to the detected intrusions

• Active responses
- Undertake an aggressive action against the intruder (! take care of legal issues: counter-attacking is itself unlawful in most jurisdictions !)
- Restructure the network architecture
• Isolate the attacked system
• Modify the environment parameters which made the intrusion possible
- Supervise the attacked system
• Collect information in order to understand the intrusion
• Identify the author of the intrusion and his approach
• Identify security failures

• Passive responses
- Generation of an alarm
- Sending an SMS message to the administrator

8.1.2 Functionalities of IDS: Log analysis

• The logs explain why the alarms were raised
• The IDS can receive log messages from many event sources and audit the associated security events (e.g. recording all the application-level protocols used on a machine). The downstream logging systems (Windows 2003 event logs, Unix syslog, SNMP traps) are responsible for correlating these events with other events
• The packets that triggered an alarm can be recorded so that they can be analyzed afterwards
• The IDS can be configured to collect additional packets after an alarm, or even the complete session; this is essential to understand why a given signature identified a true positive

8.1.5 IPS: Intrusion Prevention Systems

• Block the attacks as soon as possible
• Operate in conjunction with an IDS; IDS and IPS are often combined in the same equipment
• Three techniques are implemented to neutralize the attacks
– Sniping: lets the IDS end a suspected attack by resetting the connection (for TCP, by sending a RST to both ends)
– Shunning: lets the IDS automatically configure the pre-filtering router or the firewall so that it rejects the traffic according to what the IDS detected, thus preventing the connection
– Blocking: an extension of shunning: here the IDS contacts the router or the firewall and creates an access control list (ACL) entry to block the IP address of the attacker
• Caveat: an automated response is itself a denial-of-service vector, since an attacker who spoofs source addresses or crafts matching traffic can make the IPS block legitimate hosts (one of the IDS issues listed above)
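Shunning/blocking with the guard rails a practitioner adds, as an added example in Python (not the course's code or any vendor's IPS): IDS alerts become time-limited firewall blocks, but allowlisted addresses (gateway, DNS, the sensor itself) are never blocked, loopback or malformed sources are ignored, repeats only refresh the expiry, every decision is audited, and the table is capped so an attacker cannot fill the router's ACL. The alert layout, the allowlist, the severity threshold and the rendering as `iptables` commands are assumptions; the commands are returned as strings, not executed.

```python
"""Automated shunning/blocking with guard rails.  Added example, not the
course's code or a vendor's IPS: alerts become time-limited firewall blocks,
rendered as iptables commands (returned as strings, never executed) as one
possible backend.  Alert layout, allowlist and thresholds are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass
class Alert:
    src: str        # source address reported by the IDS
    sid: int        # signature id that fired
    severity: int   # 1 (low) .. 3 (high)
    ts: float       # detection time, seconds


class Shunner:
    """IDS alerts -> expiring firewall blocks, minus the responses that would
    hurt us more than the attacker."""

    def __init__(self, allowlist: Sequence[str], min_severity: int = 2,
                 ttl: float = 900.0, max_blocks: int = 1000):
        self.allow = [ipaddress.ip_network(n) for n in allowlist]
        self.min_severity = min_severity
        self.ttl = ttl                       # seconds a block stays in place
        self.max_blocks = max_blocks         # cap: an attacker must not fill the ACL
        self.blocks: Dict[str, float] = {}   # ip -> expiry time
        self.audit: List[Tuple[float, str, str]] = []   # (ts, src, decision)

    @staticmethod
    def block_rule(ip: str) -> str:
        return f"iptables -I INPUT -s {ip} -j DROP"

    @staticmethod
    def unblock_rule(ip: str) -> str:
        return f"iptables -D INPUT -s {ip} -j DROP"

    def _decide(self, alert: Alert) -> str:
        if alert.severity < self.min_severity:
            return "skip: severity below threshold"
        try:
            ip = ipaddress.ip_address(alert.src)
        except ValueError:
            return "skip: malformed address"
        if ip.is_loopback or ip.is_multicast or ip.is_unspecified:
            return "skip: loopback or non-unicast source"
        if any(ip in net for net in self.allow):
            # a spoofed packet must never make us cut off our own gateway or DNS
            return "skip: allowlisted"
        if alert.src in self.blocks:
            self.blocks[alert.src] = alert.ts + self.ttl   # refresh the expiry only
            return "skip: already blocked"
        if len(self.blocks) >= self.max_blocks:
            return "skip: block table full"
        return "block"

    def consider(self, alert: Alert) -> Optional[str]:
        """Return the firewall command for this alert, or None; every
        decision, including the skips, goes to the audit trail."""
        decision = self._decide(alert)
        self.audit.append((alert.ts, alert.src, decision))
        if decision != "block":
            return None
        self.blocks[alert.src] = alert.ts + self.ttl
        return self.block_rule(alert.src)

    def expire(self, now: float) -> List[str]:
        """Drop blocks whose time is up; returns the commands that undo them."""
        gone = [ip for ip, exp in self.blocks.items() if exp <= now]
        for ip in gone:
            del self.blocks[ip]
        return [self.unblock_rule(ip) for ip in gone]


# Constructed alert stream (not real IDS output); documentation addresses
SAMPLE_ALERTS = [
    Alert("203.0.113.5", 3001, 3, 0.0),     # external scanner: block
    Alert("203.0.113.5", 3001, 3, 10.0),    # same host again: only refresh
    Alert("192.0.2.1", 2001, 3, 20.0),      # our gateway: almost certainly spoofed
    Alert("203.0.113.9", 1001, 1, 30.0),    # low severity: log, do not block
    Alert("127.0.0.1", 3001, 3, 40.0),      # loopback: never block
    Alert("not-an-ip", 3001, 3, 50.0),      # garbage from a broken sensor
]


def run(alerts=SAMPLE_ALERTS, allowlist=("192.0.2.0/24", "198.51.100.1/32")):
    shunner = Shunner(allowlist)
    commands = [c for c in map(shunner.consider, alerts) if c]
    return shunner, commands


if __name__ == "__main__":
    s, cmds = run()
    print("\n".join(cmds + [f"{ts}: {src} {d}" for ts, src, d in s.audit]))
    print("\n".join(s.expire(now=910.0)))
```

The expiry is the important part: a block that never expires turns a single spoofed packet into a permanent outage for whoever's address was forged, while a 15-minute block still breaks an automated scan.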

8.1.5 IDS Products

• Few standards in the field of IDS
• SNORT
– Open source, free IDS (www.snort.org)
– Real-time traffic analysis and packet logging on IP networks
– Supports protocol analysis and content matching
– Can be employed to detect a variety of attacks and probes:
• Buffer overflows
• Stealth port scans
• CGI attacks
• SMB probes
• Operating system fingerprinting attempts
– Flexible rule language to describe the traffic to be passed or collected
• Detection engine
• Real-time alerting
• Alerting mechanisms:
– Syslog
– A file specified by the user
– A Unix socket
– WinPopup messages to Windows clients, via smbclient (Samba)
– Three modes of operation
• Packet sniffer
• Packet logger (useful for debugging network traffic)
• Fully functional IDS
– Command-line interface
– Graphical interface developed by Engage Security (www.engagesecurity.com)
– Developed under Linux; Windows versions exist

8.1.5 Example of IDS

• Billy Goat
– Collects information at the network level
– Listens to the traffic sent to unused addresses, which is
• either an error
• or an attack attempt
– Responds to (HTTP, NETBIOS, MS/SQL, MS/RPC) requests and records the data, which makes it possible to identify the behaviour and origin of the senders
– Can be seen as a server:
• an HTTP server
• an SMB (Server Message Block) server
– SMB is a protocol for sharing files, printers and serial ports, launched by IBM in 1985; Samba and Microsoft Networks are implementations of it
• an MS/SQL database server
• an MS/RPC remote procedure call server
– Thanks to these properties, Billy Goat can detect several kinds of suspicious activity

• Kismet (a wireless network detector and IDS)

8.1.5 Example of an Enterasys IDS (screenshot): description of the attacks, attack packets, details of the detected attack; the console gives more detail than protocol analysis or anomaly detection alone.

8.2 Honeypots

Purpose of honeypots

• Monitored mechanism that is used to:
– Keep an attacker away from valuable resources
– Provide an early indication of an attack

• Purposes
– Research mode
• Collects information on new and emerging threats
• Attack trends
– Production mode
• Preventing attacks
• Detecting attacks
• Responding to attacks

Honeypots

• Preventing attacks
– Slowing or impeding scans initiated by worms or automated attacks, by monitoring unused IP space and detecting scanning activity
– Consuming an attacker’s energy through interaction with the honeypot while the attack is detected, analyzed, and handled

• Detecting attacks
– Ability to capture new and unknown attacks
– Ability to capture polymorphic code
– Ability to handle encrypted data (the honeypot is itself one endpoint of the connection, so it sees the cleartext)
– They reduce the amount of data that has to be analysed by capturing only attack information (nobody has a legitimate reason to talk to a honeypot)
– Capable of operating with IPv6

• Current solutions
– Honeyd http://www.honeyd.org
– Honeynet project http://www.honeypot.net
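Monitoring unused IP space, as done by Billy Goat in the previous section and by honeypots in their “preventing attacks” role above, as an added example (not the course's, Billy Goat's or honeyd's code): packets to addresses inside the monitored prefix that are allocated to nobody are either an error or an attack attempt, a source that touches many of them is classified as a scanner, and the first payload seen per source and emulated service is kept for later analysis. The prefix, the allocated addresses, the service/port table and the packets are constructed; the payload bytes are illustrative, not captured protocol data.

```python
"""Dark-address monitor: classify traffic sent to unallocated addresses of a
monitored prefix.  Added example, not the course's code; WATCHED_PORTS, the
prefix, the allocated set and SAMPLE_HITS are constructed."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Services a Billy-Goat-style sensor would emulate on its unused addresses
WATCHED_PORTS = {80: "http", 139: "netbios", 445: "smb", 135: "msrpc", 1433: "mssql"}


@dataclass
class Hit:
    src: str
    dst: str
    dport: int
    payload: bytes = b""


class DarkMonitor:
    def __init__(self, prefix: str, allocated: Iterable[str], scan_threshold: int = 5):
        self.prefix = ipaddress.ip_network(prefix)
        self.allocated = {ipaddress.ip_address(a) for a in allocated}
        self.scan_threshold = scan_threshold
        self.dark_targets: Dict[str, Set[str]] = defaultdict(set)   # src -> dark dsts
        self.samples: Dict[Tuple[str, str], bytes] = {}             # (src, service) -> first payload

    def is_dark(self, dst: str) -> bool:
        """True for an address in the prefix that is assigned to no host."""
        ip = ipaddress.ip_address(dst)
        if ip not in self.prefix or ip in self.allocated:
            return False
        # network and broadcast addresses attract legitimate noise; ignore them
        return ip not in (self.prefix.network_address, self.prefix.broadcast_address)

    def observe(self, hit: Hit) -> bool:
        """Record a packet; returns True when it went to a dark address."""
        if not self.is_dark(hit.dst):
            return False
        self.dark_targets[hit.src].add(hit.dst)
        service = WATCHED_PORTS.get(hit.dport)
        if service and hit.payload:
            self.samples.setdefault((hit.src, service), hit.payload)
        return True

    def classify(self, src: str) -> str:
        n = len(self.dark_targets.get(src, ()))
        if n == 0:
            return "no dark traffic"
        if n < self.scan_threshold:
            return "probable error or single probe"
        return "scan"

    def scanners(self) -> List[str]:
        return sorted(s for s in self.dark_targets if self.classify(s) == "scan")


# Constructed packets to a monitored /24 (documentation addresses, not a capture)
SAMPLE_HITS = [
    Hit("198.51.100.7", "192.0.2.10", 80),                          # allocated host: ignored
    *[Hit("198.51.100.7", f"192.0.2.{i}", 445, b"\xffSMB")           # worm-style SMB sweep
      for i in range(12, 18)],
    Hit("192.0.2.11", "192.0.2.21", 80, b"GET / HTTP/1.0\r\n"),     # internal typo, one address
    Hit("203.0.113.9", "192.0.2.200", 1433, b"\x12\x01"),           # single MS-SQL probe
]


def run(hits=SAMPLE_HITS) -> DarkMonitor:
    mon = DarkMonitor("192.0.2.0/24", ["192.0.2.1", "192.0.2.10", "192.0.2.11", "192.0.2.20"])
    for h in hits:
        mon.observe(h)
    return mon


if __name__ == "__main__":
    m = run()
    for src in sorted(m.dark_targets):
        print(src, m.classify(src), sorted(m.dark_targets[src]))
    print("samples:", {k: v[:4] for k, v in m.samples.items()})
```

The threshold on distinct dark addresses is what separates “error” from “attack”: a mistyped address or a stale DNS entry hits one unused address repeatedly, whereas a worm or a scanner walks across many of them, and the recorded first payload per service is what lets an analyst tell which one it was.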

8.3 Security evaluation and penetration testing

8.3 Security evaluation and penetration testing

• Carry out a security evaluation of the network at least once a year

• Types of evaluation
- Vulnerability assessment and internal penetration test
- Vulnerability assessment and external penetration test
- Evaluation of physical security

• The scope of the evaluation, the procedures, the planning and the duration of the tests must be specified precisely (in writing, and agreed with the owner of the systems before any test starts)

8.3 Security evaluation and penetration testing: vulnerability assessment and internal penetration test

• 60% of the threats come from inside
- Incorrect configuration of the network equipment
- Lack of effective security procedures
- Software to which the corrective patches were not applied

• Security consultants
- Should help companies keep up with the new vulnerabilities discovered every day in operating systems and applications
- Must recommend corrective measures to put in place in order to meet the company’s security objectives

8.3 Security evaluation and penetration testing: vulnerability assessment and internal penetration test

• Evaluation methodology
– Must be done on site
– Must concentrate on the internal risks associated with the strategies, procedures, hosts and applications
– Minimal actions to carry out
• Collect all the information that can be provided about the network
• Gather any publicly available information about the network, to get an idea of what an attacker can know
• Use hacking techniques to determine the logical and physical topology of the network
• Probe and scan the network

8.3 Security evaluation and penetration testing: vulnerability assessment and internal penetration test

• Evaluation methodology (continued)
– Minimal actions to carry out (continued)
• Use hacking techniques to identify the operating systems and detect the vulnerabilities, in order to reveal the exposed hosts
• Identify the traffic patterns and flows to see whether they correspond to the activities the company considers normal (network supervision)
• Detect the weaknesses of the user authentication systems
• Analyze the vulnerabilities of the network and of the hosts by means of public, private and custom tools
• Manually check every vulnerability detected to make sure that it is not a false positive
• Observe the internal security practices and strategies used throughout the network
• Analyze the results and produce a report with specific recommendations to reinforce security

8.3 Security evaluation and penetration testing: vulnerability assessment and internal penetration test

• Evaluation methodology (end)
– Final result of the internal evaluation = a document containing
• Methodology
• Work carried out
• Details collected for each system, including those exposed to attacks
• Precise list of vulnerabilities
– Gives a clearer view of the network architecture and the security risks
– Includes the results and conclusions of each phase of the test as concrete recommendations, presented in priority order (realistic in terms of cost)

8.3 Security evaluation and penetration testing: vulnerability assessment and external penetration test

• Main risks
- Unsuitable configuration of the routers and firewall(s)
- Unprotected web applications

• Evaluation methodology
– The evaluation is carried out where the network interacts with the outside:
• Internet connections
• Wireless networks
• Telephony systems
– The same methodology as for the internal evaluation can be used
– It is relevant to consider an internal and an external evaluation simultaneously

8.3 Other types of evaluation

• Evaluation of the security strategies
– Have experts analyze the security strategies and procedures in order to check their conformity with best practices

• Evaluation of disaster recovery capability
– Have a reliable recovery plan for the infrastructure

• Evaluation of the management of confidential data, for banks and medical institutions for instance
– Pay attention to the laws regarding financial and medical data security
– Obligation to apply strict protection standards…

Configuration management

• Process of tracking and approving changes to a system
– Identifying
– Controlling
– Auditing
– all changes made to the system
• Hardware and software changes
• Networking changes
• Any other change affecting security

• Configuration management can also be used to protect a trusted system while it is being designed and developed

Primary functions of configuration management

• To ensure that the change is implemented in an orderly manner, through formalized testing
• To ensure that the user base is informed of the impending change
• To analyze the effect of the change on the system after implementation
• To reduce the negative impact that the change might have on the computing service and resources

Procedures to implement and support the change control process

• Applying to introduce a change
• Cataloguing the intended change
• Scheduling the change
• Implementing the change
• Reporting the change to the appropriate parties

Business continuity and disaster recovery planning

• Contingency plan
– Documented, organized plan for emergency response, backup operations, and recovery, maintained by an activity as part of its security program, that ensures the availability of critical resources and facilitates the continuity of operations in an emergency situation

• Disaster recovery plan
– Plan and procedures developed to recover from a disaster that has interfered with the network and other information system operations

• Continuity of operations plan
– The plans and procedures documented to ensure continued critical operations during any period where normal operations are impossible

• Business continuity plan
– Plan and procedures that identify and prioritize the critical business functions that must be preserved, and the associated procedures for continued operation of those critical business functions

8.3 Suppliers of evaluation services

• Cisco Security Services - www.cisco.com/go/securityconsulting
• INRGI - www.inrgi.net/index_security.html
• Aegis Security - www.aegissecurity.com

8.4 Tools for vulnerability analysis

8.4 Tools for vulnerability analysis: Nessus

• www.nessus.org: open source solution (the Nessus 2 series; later versions are closed source)
• Remote security scanner
• Tests all the services and all the ports (without assuming the traditional service/port associations)
• Precise scans and detection
• The documentation is not very accessible
• No technical support, but a developers’ mailing list
• Reporting
– Many links to a complete analysis of the vulnerabilities
– Risk level that the vulnerabilities present for the network
– Graphs
• Vulnerability updates
– Updated via scripts, which can be automated
– The server does not run on Windows, but a Windows client allows connecting to a Nessus server to carry out scans remotely
• www.securityprojects.org/nessuswx
• http://list.nessus.org

8.4 Tools for vulnerability analysis: Retina

• Suite of security tools developed by eEye (www.eeye.com)
• Can scan in a short time:
– machines on the network (Apple, Windows, Unix, Linux…)
– network equipment (switches, firewalls)
– databases
– specific applications
– and generates at the end of the scan a full report detailing
• vulnerabilities
• corrective actions
• suitable remedies
• The vulnerability database is downloaded at the beginning of each Retina session
• Modules called CHAM (Common Hacking Attack Methods) can be used to carry out deeper detection and tests in order to find still-unknown security problems on the network
• Customized scans and detection
– The scans can be customized and scheduled (e.g. scans of servers can differ from scans of user workstations)
• Documentation and technical support
– Included in the Windows help file, and complete
– Online form to obtain support from the technical team (it is a company)
• Reporting
– Description of the detected vulnerabilities with links to additional information
• Vulnerability updates
– Can be configured to update not only the vulnerability list but also the engine itself
• Once one is familiar with its use, it is a very effective scanner

8.4 Summary of vulnerabilities following a Retina scan (screenshot)

8.4 Details of the vulnerabilities in Retina (screenshot)

8.4 Limits of vulnerability scanners

• Give only a theoretical assurance of security
• Identify the vulnerabilities, but not the consequences of the danger
• Produce a long list of weaknesses (including false positives)
• Do not allow identifying the resources likely to be compromised
• Cannot simulate real attacks

8.5 Tools for penetration testing

8.5 Tools for penetration testing

• Intervene where the evaluation tools show their limits
• Core Impact
– Core Security, www.coresecurity.com
– Attacks the computer resources and presents a detailed analysis of the risks incurred
– Precise scans and detection: allows exploring the ports and detecting the target operating system
– Reporting:
• Discovery report: enumerates all the hosts discovered and their vulnerabilities
• History report: enumerates all the activities carried out by the user
• Vulnerability updates
– Update of the attack modules
– The company keeps its product evolving


• The use of the methods and tools described in this course engages the responsibility of the users!

TD (exercises)

1. Compare intrusion detection systems that collect their information on the host machines with those that collect it on the network.

2. What are the advantages and disadvantages of an intrusion detection system that uses signature-based analysis?