Firewalls & Network Security with Intrusion Detection and VPNs, 2nd ed.
Chapter 13: Intrusion Detection and Prevention Systems
By Whitman, Mattord, & Austin © 2008 Course Technology
Learning Objectives
♦ Describe the various technologies that are used to implement intrusion detection and prevention
♦ Define honey pots, honey nets, and padded cell systems
♦ Describe the technologies used to create honey pots, honey nets, and padded cell systems
Slide 2 - Firewalls & Network Security, 2nd ed. - Chapter 13
Intrusion Detection and Prevention
♦ Intrusion occurs when an attacker attempts to gain entry or disrupt normal operations of information systems, almost always with intent to do harm
♦ Intrusion detection consists of procedures and systems that identify system intrusions
♦ Intrusion reaction encompasses actions an organization takes when an intrusion is detected
♦ Intrusion prevention consists of activities that deter intrusion
Slide 3
Intrusion Detection and Prevention (continued)
♦ Intrusion correction activities finalize restoration of operations to a normal state and seek to identify source and method of intrusion to ensure same type of attack cannot occur again
♦ Intrusion detection systems (IDSs) work like a burglar alarm: detect violation, activate alarm
♦ Intrusion prevention system (IPS) can detect intrusion and launch an active response
♦ IDS and IPS systems often coexist
♦ Intrusion detection/prevention system (IDPS) describes current anti-intrusion technologies
Slide 4
IDPS Terminology
♦ Alert or alarm: indication a system has just been attacked or is under attack
♦ Evasion: process by which attacker changes the format and/or timing of their activities to avoid being detected by the IDPS
♦ False attack stimulus: event that triggers alarm when no actual attack is in progress
♦ False negative: failure of an IDPS to react to an actual attack event
♦ False positive: alert or alarm that occurs in the absence of an actual attack
Slide 5
IDPS Terminology (continued)
♦ Noise: accurate alarm events that do not pose significant threat to information security
♦ Site policy: rules and configuration guidelines governing implementation and operation of IDPSs within an organization
♦ Site policy awareness: IDPS's ability to dynamically modify its configuration in response to environmental activity
♦ True attack stimulus: event that triggers alarms and causes an IDPS to react as if a real attack is in progress
Slide 6
IDPS Terminology (continued)
♦ Tuning: process of adjusting IDPS to maximize efficiency in detecting true positives, while minimizing false positives and false negatives
♦ Confidence value: value placed upon an IDPS's ability to detect/identify certain attacks correctly
♦ Alarm filtering: running system for a while to track types of false positives it generates and then adjusting IDPS alarm classifications
♦ Alarm clustering and compaction: process of grouping almost identical alarms occurring at almost same time into single higher-level alarm
Slide 7
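The alarm clustering and compaction step defined on this slide, as an added example that is not from the textbook: near-identical alarms (same signature, source and destination) arriving within a sliding time window are compacted into one higher-level alarm with a count and a time span. The alarm records, addresses and window size are constructed sample data.

```python
"""Alarm clustering and compaction over a constructed alert stream.

Added example, not from the textbook: near-identical alarms (same
signature, source and destination) that fire within a short window of each
other are compacted into one higher-level alarm carrying a count and a
time span, so an analyst reviews one line instead of dozens. The alarm
records, window size and addresses are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class Alarm:
    ts: datetime
    signature: str      # IDPS rule that fired, e.g. "SSH brute force"
    src_ip: str
    dst_ip: str


@dataclass
class ClusteredAlarm:
    signature: str
    src_ip: str
    dst_ip: str
    first_seen: datetime
    last_seen: datetime
    count: int = 1


def cluster_alarms(alarms: List[Alarm], window: timedelta) -> List[ClusteredAlarm]:
    """Compact alarms sharing (signature, src, dst) into one cluster while each
    new alarm arrives within `window` of the cluster's most recent member.
    The window slides with the cluster, so a slow steady stream stays one
    cluster; a gap longer than the window starts a fresh one."""
    open_clusters: Dict[Tuple[str, str, str], ClusteredAlarm] = {}
    clusters: List[ClusteredAlarm] = []
    for a in sorted(alarms, key=lambda x: x.ts):
        key = (a.signature, a.src_ip, a.dst_ip)
        c = open_clusters.get(key)
        if c is not None and a.ts - c.last_seen <= window:
            c.count += 1
            c.last_seen = a.ts
        else:
            c = ClusteredAlarm(a.signature, a.src_ip, a.dst_ip, a.ts, a.ts)
            open_clusters[key] = c
            clusters.append(c)
    return clusters


def build_sample_alarms() -> List[Alarm]:
    """Constructed stream: 20 brute-force alarms one second apart, one
    port-scan alarm in the middle, then one more brute-force alarm ten
    minutes later from the same source."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    alarms = [Alarm(t0 + timedelta(seconds=i), "SSH brute force", "198.51.100.7", "192.0.2.10")
              for i in range(20)]
    alarms.append(Alarm(t0 + timedelta(seconds=5), "Port scan", "198.51.100.7", "192.0.2.10"))
    alarms.append(Alarm(t0 + timedelta(minutes=10), "SSH brute force", "198.51.100.7", "192.0.2.10"))
    return alarms


def run_demo(window_seconds: int = 30) -> List[Tuple[str, int, float]]:
    """Cluster the sample stream; return (signature, count, span seconds) per cluster."""
    out = []
    for c in cluster_alarms(build_sample_alarms(), timedelta(seconds=window_seconds)):
        out.append((c.signature, c.count, (c.last_seen - c.first_seen).total_seconds()))
    return out


if __name__ == "__main__":
    for sig, n, span in run_demo():
        print(f"{sig:16} x{n:<3} over {span:.0f}s")
```

With a 30-second window the 20 rapid alarms compact to one line and the alarm ten minutes later starts a new cluster; widening the window to 15 minutes merges them, which is the trade-off tuning has to make between compaction and losing the gap as a signal.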
Why Use an IDPS?
♦ NIST reasons to acquire and use an IDPS:
– To prevent problem behaviors by increasing the perceived risk of discovery and punishment
– To detect attacks and other security violations not prevented by other security measures
– To detect and deal with the preambles to attacks
– To document existing threat to an organization
– To act as quality control for security design and administration
– To provide useful information about intrusions that do take place
Slide 8
Why Use an IDPS? (continued)
♦ IPS technologies can respond to detected threat by attempting to prevent it from succeeding, while IDS cannot
♦ IDPS operational categories:
– Host-based (operates on the hosts themselves)
– Network-based (functions at the network level)
• Wireless
• Network behavior analysis (NBA)
Slide 9
Why Use an IDPS? (continued)
♦ Several IPS response techniques:
– Terminate network connection or user session that is being used for the attack
– Block access to target from offending user account, IP address, or other attacker attribute
– Block all access to targeted host, service, application, or other resource
– Change the security environment
– Change the attack's content
Slide 10
Network-Based IDPS
♦ NIDPSs reside on computer or appliance connected to network segment and monitor network traffic
♦ Compare measured activity to known signatures to determine whether an attack has occurred or is underway
♦ Protocol stack verification: NIDPSs look for invalid data packets
♦ Application protocol verification: higher-order protocols (HTTP, FTP, Telnet) are examined for unexpected packet behavior or improper use
Slide 11
Network-Based IDPS (continued)
♦ Some advantages of NIDPSs:
– Good network design and placement of devices can enable organization to use a few devices to monitor large network
– Usually passive devices and can be deployed into existing networks with little or no disruption to normal network operations
– Not usually susceptible to direct attack and may not be detectable by attackers
Slide 12
Network-Based IDPS (continued)
♦ Some disadvantages of NIDPSs:
– Can become overwhelmed by network volume and fail to recognize attacks they might otherwise have detected
– Require access to all traffic to be monitored
– Cannot analyze encrypted packets, making some of the network traffic invisible to the process
– Cannot reliably ascertain if an attack was successful or not
– Some forms of attack are not easily discerned, specifically those involving fragmented packets
Slide 13
Wireless NIDPS
♦ Monitors and analyzes wireless network traffic looking for potential problems with wireless protocols (Layers 2 and 3 of the OSI model)
♦ Cannot evaluate and diagnose issues with higher-layer protocols like TCP and UDP
♦ Some issues with implementation include:
– Physical security
– Sensor range
– Access point and wireless switch locations
– Wired network connections
– Cost
Slide 14
Network Behavior Analysis System
♦ Examines network traffic to identify problems related to flow of traffic
♦ Uses a version of anomaly detection method
♦ Typical flow data relevant to intrusion detection and prevention includes:
– Source and destination IP addresses
– Source and destination TCP or UDP ports or ICMP types and codes
– Number of packets and bytes transmitted in the session
– Starting and ending timestamps for the session
Slide 15
Network Behavior Analysis System (continued)
♦ Typically monitors internal networks; occasionally monitors internal/external network connections
♦ Most sensors, passive mode deployment only
♦ Types of events most commonly detected by NBA sensors include:
– Denial-of-service (DoS) attacks (including DDoS)
– Scanning
– Worms
– Unexpected application services
– Policy violations
Slide 16
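The flow fields listed on slide 15 and two of the event types listed on this slide (scanning and DoS), worked as an added example that is not from the textbook: per-source statistics are computed from flow records and compared against a baseline learned from known-normal traffic. All flow records, addresses and thresholds are constructed.

```python
"""Network behavior analysis over constructed flow records.

Added example, not from the textbook: the flow fields the slides list
(addresses, ports, packet/byte counts, session timestamps) are enough to
flag two of the event types NBA sensors commonly detect, scanning and
denial of service, by comparing each source with a baseline learned from
normal traffic. Every flow record and threshold here is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Tuple


@dataclass
class Flow:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int      # destination port, or ICMP type for icmp
    packets: int
    bytes: int
    start: float    # session start, seconds
    end: float      # session end, seconds


def per_source_stats(flows: List[Flow]) -> Dict[str, dict]:
    """Aggregate per source: distinct targets touched and packet rate."""
    stats = defaultdict(lambda: {"targets": set(), "packets": 0,
                                 "first": float("inf"), "last": 0.0})
    for f in flows:
        s = stats[f.src]
        s["targets"].add((f.dst, f.proto, f.dport))
        s["packets"] += f.packets
        s["first"] = min(s["first"], f.start)
        s["last"] = max(s["last"], f.end)
    for s in stats.values():
        s["pkt_rate"] = s["packets"] / max(s["last"] - s["first"], 1.0)
    return stats


def baseline(normal: List[Flow]) -> Tuple[float, float]:
    """Mean and std-dev of per-source packet rate in known-normal traffic."""
    rates = [s["pkt_rate"] for s in per_source_stats(normal).values()]
    return mean(rates), pstdev(rates)


def detect(flows: List[Flow], base: Tuple[float, float],
           scan_targets: int = 20, sigma: float = 3.0) -> List[Tuple[str, str, float]]:
    """Return (source, event, measure) for sources that look like scanning
    (many distinct targets) or DoS (packet rate far above the baseline)."""
    mu, sd = base
    events = []
    for src, s in per_source_stats(flows).items():
        if len(s["targets"]) >= scan_targets:
            events.append((src, "scanning", float(len(s["targets"]))))
        if s["pkt_rate"] > mu + sigma * max(sd, 1.0):
            events.append((src, "dos", round(s["pkt_rate"], 1)))
    return events


def build_sample() -> Tuple[List[Flow], List[Flow]]:
    """Constructed traffic: five normal clients, one port scanner, one flooder."""
    normal = [Flow(f"192.0.2.{n}", "192.0.2.100", "tcp", 443, 30, 24000, i * 10.0, i * 10.0 + 5)
              for n in range(1, 6) for i in range(6)]
    scanner = [Flow("198.51.100.20", "192.0.2.100", "tcp", p, 1, 60, float(p), p + 0.1)
               for p in range(1, 51)]
    flooder = [Flow("198.51.100.30", "192.0.2.100", "udp", 53, 5000, 300000, float(i), i + 0.1)
               for i in range(30)]
    return normal, normal + scanner + flooder


def run_demo() -> List[Tuple[str, str, float]]:
    normal, observed = build_sample()
    return detect(observed, baseline(normal))
```

The scanner is caught by target fan-out, not by volume (its packet rate is below the normal clients'), while the flooder is caught by rate alone; this is why NBA keeps both per-session counts and timestamps rather than just totals.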
Host-Based IDPS
♦ Resides on particular computer or server (the host) and monitors activity only on that system
♦ Also known as system integrity verifiers
♦ Benchmark/monitor status of key system files
♦ Triggers alert when file attributes change, new files are created, or existing files are deleted
♦ Managed HIDPSs can monitor multiple computers simultaneously by creating a configuration file on each monitored host and by making each HIDPS report back to a master console system
Slide 17
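A minimal system integrity verifier of the kind this slide describes, as an added example that is not from the textbook: it benchmarks key files (hash, size, permission bits) and later reports attribute changes, created files and deleted files. The demo builds and mutates a temporary directory of its own, so every path and file body is constructed.

```python
"""Host-based file integrity verifier over a constructed directory tree.

Added example, not from the textbook: a minimal system integrity verifier
of the kind the slide describes. It benchmarks each regular file under a
root (SHA-256, size, permission bits), then on a later run reports files
whose attributes changed, files created and files deleted. The demo builds
and mutates a temporary directory of its own; every path and file body is
constructed, not a real system file.
"""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

Record = Tuple[str, int, int]          # (sha256 hex digest, size, permission bits)
Event = Tuple[str, str]                # (event kind, relative path)


def file_record(path: str) -> Record:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return (h.hexdigest(), st.st_size, stat.S_IMODE(st.st_mode))


def snapshot(root: str) -> Dict[str, Record]:
    """Benchmark every regular file under root, keyed by path relative to root."""
    base: Dict[str, Record] = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            full = os.path.join(dirpath, n)
            if os.path.isfile(full) and not os.path.islink(full):
                base[os.path.relpath(full, root)] = file_record(full)
    return base


def compare(baseline: Dict[str, Record], current: Dict[str, Record]) -> List[Event]:
    """Diff two snapshots: 'modified' (content/size), 'mode_changed',
    'created' and 'deleted', sorted by path so output is stable."""
    events: List[Event] = []
    for p in sorted(set(baseline) | set(current)):
        if p not in current:
            events.append(("deleted", p))
        elif p not in baseline:
            events.append(("created", p))
        else:
            b, c = baseline[p], current[p]
            if b[0] != c[0] or b[1] != c[1]:
                events.append(("modified", p))
            if b[2] != c[2]:
                events.append(("mode_changed", p))
    return events


def _write(root: str, rel: str, body: bytes) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(body)
    os.chmod(full, 0o644)            # fixed mode so the baseline does not depend on umask


def run_demo() -> List[Event]:
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        _write(root, "bin/ls", b"\x7fELF constructed binary\n")
        before = snapshot(root)
        # Constructed post-intrusion state: replaced binary, new startup file,
        # deleted file, and a permission change on an otherwise untouched file.
        _write(root, "bin/ls", b"\x7fELF constructed binary with extra bytes\n")
        _write(root, "etc/rc.local", b"#!/bin/sh\n")
        os.remove(os.path.join(root, "etc/hosts"))
        os.chmod(os.path.join(root, "etc/passwd"), 0o640)
        return compare(before, snapshot(root))


if __name__ == "__main__":
    for kind, path in run_demo():
        print(f"{kind:13} {path}")
```

In a managed deployment the baseline dictionary is what each host's agent would ship to the master console, and the console would keep it off the host so that an attacker who replaces a file cannot also rewrite the benchmark.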
Host-Based IDPS (continued)
♦ Some advantages of HIDPSs:
– Can detect local events on host systems and also detect attacks that may elude NIDPSs
– Functions on host system, where encrypted traffic will have been decrypted and is available for processing
– Unaffected by use of switched network protocols
– Can detect inconsistencies in how applications and systems programs were used by examining records stored in audit logs, enabling it to detect some types of attacks, including Trojan Horse programs
Slide 18
Host-Based IDPS (continued)
♦ Some disadvantages of HIDPSs:
– Pose more management issues since they are configured/managed on each monitored host
– Vulnerable to direct attacks, attacks on host OS
– Not optimized to detect multi-host scanning; unable to detect scanning of non-host devices
– Susceptible to some denial-of-service attacks
– Can use large amounts of disk space to retain the host OS audit logs
– Inflicted overhead on host systems may reduce system performance below acceptable levels
Slide 19
IDPS Detection Methods
♦ Signature-based (knowledge-based, misuse-detection) IDPS: examines network traffic in search of patterns that match known signatures
♦ Statistical anomaly-based (stat, behavior-based) IDPS: compares sampled network activity to established baseline
♦ Stateful protocol analysis (SPA) IDPS: uses profiles to detect anomalous protocol behavior
♦ Log file monitor (LFM) IDPS: reviews log files from servers, network devices, and other IDPSs for signatures indicating an attack or intrusion
Slide 20
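The signature-based and log file monitor (LFM) methods from this slide, worked as an added example that is not from the textbook: a small LFM reviews constructed auth-log lines against per-line signatures, and adds one stateful rule (several failed logins then a success from one source) to show what a single-line signature cannot express. The log lines, patterns and threshold are all constructed.

```python
"""Signature-based log file monitoring over constructed auth-log lines.

Added example, not from the textbook: a log file monitor (LFM) that reviews
log lines for known-attack signatures. Two rule kinds are shown: stateless
signatures that match a single line, and one stateful rule that carries
per-source state across lines (several failed logins followed by a success
from the same source), which a per-line signature cannot express. The log
lines, patterns and threshold are all constructed sample data.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

Alert = Tuple[str, str]     # (rule name, source address)

# Stateless signatures: one regex per rule, each capturing the source address.
SIGNATURES = [
    ("ssh_invalid_user", re.compile(r"Invalid user \S+ from (?P<src>[\d.]+)")),
    ("web_path_traversal", re.compile(r"GET \S*\.\./\S* .*from (?P<src>[\d.]+)")),
]
FAILED = re.compile(r"Failed password for .*? from (?P<src>[\d.]+)")
ACCEPTED = re.compile(r"Accepted password for .*? from (?P<src>[\d.]+)")


def match_signatures(line: str) -> List[Alert]:
    """Return an alert for every stateless signature the line matches."""
    hits = []
    for name, rx in SIGNATURES:
        m = rx.search(line)
        if m:
            hits.append((name, m.group("src")))
    return hits


def monitor(lines: List[str], fail_threshold: int = 5) -> List[Alert]:
    """Scan log lines in order; emit stateless hits plus the stateful
    brute_force_success rule when a source logs in after >= threshold failures."""
    alerts: List[Alert] = []
    failures: Dict[str, int] = defaultdict(int)   # consecutive failures per source
    for line in lines:
        alerts.extend(match_signatures(line))
        m = FAILED.search(line)
        if m:
            failures[m.group("src")] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            src = m.group("src")
            if failures[src] >= fail_threshold:
                alerts.append(("brute_force_success", src))
            failures[src] = 0           # a success resets the run for that source
    return alerts


# Constructed sample log (syslog-style); addresses are documentation ranges.
SAMPLE_LOG = [
    "Jan  1 12:00:01 host sshd[101]: Invalid user admin from 198.51.100.7",
    "Jan  1 12:00:02 host sshd[101]: Failed password for invalid user admin from 198.51.100.7 port 4000 ssh2",
    "Jan  1 12:00:03 host sshd[102]: Failed password for root from 198.51.100.7 port 4001 ssh2",
    "Jan  1 12:00:04 host sshd[103]: Failed password for root from 198.51.100.7 port 4002 ssh2",
    "Jan  1 12:00:05 host sshd[104]: Failed password for root from 198.51.100.7 port 4003 ssh2",
    "Jan  1 12:00:06 host sshd[105]: Failed password for root from 198.51.100.7 port 4004 ssh2",
    "Jan  1 12:00:09 host sshd[106]: Accepted password for root from 198.51.100.7 port 4010 ssh2",
    "Jan  1 12:00:10 host sshd[107]: Accepted password for alice from 192.0.2.50 port 5000 ssh2",
    "Jan  1 12:00:11 host httpd: GET /cgi-bin/../../etc/passwd HTTP/1.0 404 from 203.0.113.9",
]

if __name__ == "__main__":
    for rule, src in monitor(SAMPLE_LOG):
        print(f"{rule:20} {src}")
```

The ordinary login from 192.0.2.50 produces nothing because its failure count is zero, which is the false-positive control the threshold provides; raising the threshold to six suppresses the brute-force alert entirely, the false-negative side of the same tuning knob.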
IDPS Response Behavior
♦ Response depends on organization's policy, objectives, and system capabilities
♦ Responses classified as active or passive
♦ Active response: definitive action automatically initiated when certain types of alerts are triggered; can include collecting additional data, changing or modifying the environment, and taking action against the intruders
♦ Passive response: report information they have collected and wait for administrator to act
Slide 21
IDPS Response Behavior (continued)
♦ Some possible responses IDPSs can produce:
– Audible/visual alarm
– SNMP traps and plug-ins
– E-mail message
– Page or phone message
– Log entry
– Evidentiary packet dump
– Take action against the intruder
– Launch program
– Reconfigure firewall
– Terminate session or connection
Slide 22
Selecting IDPS Approaches and Products
♦ Technical and policy considerations
– What is your system's environment?
– What are your security goals and objectives?
– What is your existing security policy?
♦ Organizational requirements and constraints
– What requirements are levied from outside the organization?
– What are your organization's resource constraints?
Slide 23
Selecting IDPS Approaches and Products (continued)
♦ IDPS product features and quality
– Is the product sufficiently scalable for your environment?
– How has the product been tested?
– What is the user level of expertise targeted by the product?
– Is the product designed to evolve as the organization grows?
– What are the support provisions for the product?
Slide 24
Strengths and Limitations of IDPSs
♦ IDPSs perform the following functions well:
– Monitoring and analysis of system events and user behaviors
– Testing security states of system configurations
– Baselining security state of system and then tracking any changes to that baseline
– Recognizing patterns of system events that correspond to known attacks
– Recognizing patterns of activity that statistically vary from normal activity
Slide 25
Strengths and Limitations of IDPSs (continued)
♦ More functions that IDPSs perform well:
– Managing operating system audit and logging mechanisms and the data they generate
– Alerting appropriate staff by appropriate means when attacks are detected
– Measuring enforcement of security policies encoded in the analysis engine
– Providing default information security policies
– Allowing non-security experts to perform important security monitoring functions
Slide 26
Strengths and Limitations of IDPSs (continued)
♦ IDPSs cannot perform the following functions:
– Compensating for weak or missing security mechanisms in the protection infrastructure
– Instantaneously detecting, reporting, responding to attack during heavy network/processing load
– Detecting newly published attacks or variants
– Effectively responding to sophisticated attacks
– Automatically investigating attacks
– Resisting all attacks intended to defeat them
– Compensating for fidelity issues of data sources
– Dealing effectively with switched networks
Slide 27
Deployment and Implementation of an IDPS
♦ IDPS control strategies
– Centralized: all IDPS control functions are implemented and managed in a central location
– Fully distributed: all control functions are applied at the physical location of each IDPS component
– Partially distributed: combines the best of the other two strategies; while individual agents still analyze and respond to local threats, their reporting to a hierarchical central facility enables the organization to detect widespread attacks
Slide 28
Deployment and Implementation of an IDPS (continued)
♦ IDPS deployment
– Great care must be taken in deciding where to locate IDPS components, physically and logically
– During deployment, each component should be installed, configured, fine-tuned, tested, and monitored
– NIDPS and HIDPS used in tandem can protect individual systems and organizational networks
– Use a phased implementation strategy so as not to affect entire organization all at once
– First implement NIDPSs and then install HIDPSs
Slide 29
Deployment and Implementation of an IDPS (continued)
♦ Deploying network-based IDPSs
– NIST recommends four locations for NIDPS sensors:
• Behind each external firewall, in the network DMZ
• Outside an external firewall
• On major network backbones
• On critical subnets
Slide 30
Deployment and Implementation of an IDPS (continued)
♦ Deploying host-based IDPSs
– Proper implementation of HIDPSs can be a painstaking and time-consuming task, as each HIDPS must be custom configured to its host
– May be beneficial to practice an implementation on one or more test servers beforehand
– Installation continues until either all systems are installed or organization reaches the planned degree of coverage it is willing to live with
Slide 31
Measuring the Effectiveness of IDPSs
♦ When selecting an IDPS, one typically looks at four measures of comparative effectiveness:
– Thresholds
– Blacklists and whitelists
– Alert settings
– Code viewing and editing
Slide 32
Measuring the Effectiveness of IDPSs (continued)
♦ Once implemented, IDPSs are evaluated using two dominant metrics:
– Administrators evaluate the number of attacks detected in a known collection of probes
– Administrators examine the level of use, commonly measured in megabits per second of network traffic, at which the IDPSs fail
♦ In order to truly assess effectiveness of IDPS systems, test process should be as realistic as possible in its simulation of actual events
♦ Couple realistic traffic loads, levels of attacks
Slide 33
Honey Pots, Honey Nets, and Padded Cell Systems
♦ Honey pots (decoys, lures, fly-traps): decoy systems designed to lure potential attackers away from critical systems
♦ Honey net: collection of honey pots connecting several honey pot systems on a subnet
♦ Honey pots are designed to:
– Divert an attacker from critical systems
– Collect information about the attacker's activity
– Encourage the attacker to stay on the system long enough for administrators to document the event and, perhaps, respond
Slide 34
Honey Pots, Honey Nets, and Padded Cell Systems (continued)
♦ Padded cell: honey pot that has been protected so it cannot be easily compromised—in other words, a hardened honey pot
♦ In addition to attracting attackers with tempting data, padded cell operates in tandem with traditional IDPS
♦ When IDPS detects attackers, it seamlessly transfers them to special simulated environment where they can cause no harm
♦ Allows organization to observe and document actions and tactics of an attacker
Slide 35
Honey Pots, Honey Nets, and Padded Cell Systems (continued)
♦ Advantages of using honey pot or padded cell:
– Attackers can be diverted to targets that they cannot damage
– Administrators have time to decide how to respond to an attacker
– Attackers' actions can be easily and more extensively monitored, and the records can be used to refine threat models and improve system protections
– Honey pots may be effective at catching insiders who are snooping around a network
Slide 36
Honey Pots, Honey Nets, and Padded Cell Systems (continued)
♦ Disadvantages of using honey pot or padded cell:
– The legal implications of using such devices are not well defined
– Honey pots and padded cells have not yet been proven as generally useful security technologies
– An expert attacker, once diverted into a decoy system, may become angry and launch a more hostile attack against an organization's systems
– Administrators and security managers need a high level of expertise to use these systems
Slide 37
Trap and Trace Systems
♦ Use a combination of techniques to detect an intrusion and then to trace it back to its source
♦ Trap usually consists of a honey pot or padded cell and an alarm
♦ Trace feature is process by which organization attempts to determine identity of an intruder
Slide 38
Trap and Trace Systems (continued)
♦ If intruder is someone inside the organization, administrators are within their power to track the individual and turn him or her over to authorities
♦ If intruder is outside security perimeter of the organization, numerous legal issues arise
♦ Back hack: hacking into a hacker's system to find out as much as possible about the hacker
♦ Enticement or entrapment?
Slide 39
Active Intrusion Prevention
♦ Some organizations do more than wait for an attack and implement active countermeasures
♦ When attacker sends ARP request to unused IP address, LaBrea pretends to be a computer at that address, allowing attacker to connect
♦ Once connected, LaBrea changes TCP sliding window size to a low number to hold open the connection from the attacker
♦ This greatly slows down network-based worms and other attacks and gives LaBrea system time to notify system and network administrators
Slide 40
Chapter Summary
♦ Intrusion occurs when an attacker attempts to gain entry or disrupt normal operations of information system, almost always with intent to do harm
♦ Intrusion detection consists of procedures and systems that identify system intrusions
♦ Intrusion reaction encompasses actions an organization takes when an intrusion is detected
♦ Intrusion prevention consists of activities that deter an intrusion
Slide 41
Chapter Summary (continued)
♦ Intrusion detection system (IDS) works like a burglar alarm: detects violation, activates alarm
♦ Intrusion prevention system (IPS) can prevent intrusion from successfully attacking the organization by means of some active response
♦ Because these systems often coexist, term intrusion detection/prevention system (IDPS) is used to describe current anti-intrusion technologies
Slide 42
Chapter Summary (continued)
♦ IDPSs commonly operate as either network- or host-based systems
♦ Network-based IDPS functions at network level
♦ Host-based IDPS operates on hosts themselves
♦ Systems that use both approaches are called hybrid IDPSs
Slide 43
Chapter Summary (continued)
♦ IDPSs use variety of detection methods to monitor and evaluate network traffic
♦ Three methods dominate: signature-based approach, statistical-anomaly approach, stateful protocol analysis approach
♦ Log file monitor (LFM) IDPS is similar to NIDPS
♦ Using LFM, system reviews log files generated by servers, network devices, and other IDPSs, looking for patterns and signatures that may indicate an attack or intrusion is in progress or has already occurred
Slide 44
Chapter Summary (continued)
♦ Honey pots: decoy systems designed to lure potential attackers away from critical systems
♦ Honey net: collection of honey pots connecting several honey pot systems on a subnet
♦ A honey pot is configured in ways that make it look vulnerable to lure potential attackers into attacking, thereby revealing themselves
♦ Trap and trace applications use a combination of techniques to detect intrusion and then trace it back to its source
Slide 45