
Page 1: Intrusion Detection System Alan TAM Program Committee, PISA

Intrusion Detection System

Alan TAM

Program Committee, PISA

Page 2

Definition and Needs

• IDS = Intrusion Detection System

• Not firewall

• Content inspection

Page 3

Technology

• Signature detection

• Anomaly detection
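The two technologies behave differently on the same traffic: signature detection inspects content for known patterns, anomaly detection compares a measured quantity against a learned baseline. The script below is an added example written for this page, not code from the deck; the connection records, the two rule patterns and the per-minute baseline are all constructed, and the rule names are hypothetical.

```python
"""Signature detection vs. anomaly detection on constructed traffic (added example)."""
import re
import statistics

# Constructed connection records: (source host, destination port, first payload bytes).
SAMPLE_RECORDS = [
    ("10.0.0.5", 80, b"GET /index.html HTTP/1.0\r\n"),
    ("10.0.0.6", 80, b"GET /about.html HTTP/1.0\r\n"),
    ("10.0.0.7", 25, b"HELO mail.example.com\r\n"),
    ("10.0.0.8", 80, b"GET /cgi-bin/phf HTTP/1.0\r\n"),
    ("10.0.0.5", 80, b"GET /logo.gif HTTP/1.0\r\n"),
]

# Hypothetical signature rules: (rule name, byte pattern that must appear in the payload).
SIGNATURES = [
    ("WEB-CGI phf access", re.compile(rb"/cgi-bin/phf")),
    ("SMTP VRFY probe", re.compile(rb"^VRFY\s", re.IGNORECASE)),
]


def signature_detect(records, signatures=SIGNATURES):
    """Content inspection: return (source, rule name) for each payload that matches a rule."""
    return [(src, name)
            for src, _port, payload in records
            for name, pattern in signatures
            if pattern.search(payload)]


# Constructed training data: connections per host per minute observed during a quiet period.
BASELINE = [3, 4, 5, 4, 3, 5, 4, 4]


def anomaly_detect(window_counts, baseline=BASELINE, z_threshold=3.0):
    """Return hosts whose connection count in the current window lies more than
    z_threshold standard deviations above the learned baseline (no signature needed)."""
    mean = statistics.fmean(baseline)
    stdev = statistics.pstdev(baseline) or 1.0   # flat baseline: avoid dividing by zero
    return sorted(host for host, count in window_counts.items()
                  if (count - mean) / stdev > z_threshold)


if __name__ == "__main__":
    print("signature hits:", signature_detect(SAMPLE_RECORDS))
    # Constructed current window: one host opens ten times the usual number of connections.
    print("anomalous hosts:", anomaly_detect({"10.0.0.5": 4, "10.0.0.6": 5, "10.0.0.9": 40}))
```

The signature path finds only what a rule describes, so a new attack with no rule is a false negative; the anomaly path flags the unusual host without any rule but would also flag a legitimate burst, which is where the false positives come from.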

Page 4

General IDS Model

• Sensor

• Analyzer

• Manager

• Administrator

• Operator

(Diagram) Data Source → Activity → Sensors → Events → Analyzer → Alerts → Manager → Notifications → Operator → Response; Administrator → Security Policy → Sensors, Analyzer and Manager

Page 5

Basic Classification

• NIDS - Network based
  – e.g. Cisco Secure IDS, Axent NetProwler, Snort, ISS RealSecure Network Sensor, NAI CyberCop Monitor

• HIDS - Host based
  – e.g. Axent Intruder Alert, ISS RealSecure OS Sensor, Tripwire

Page 6

Functional Classification

• Packet capturing + Pattern matching

• Log parser

• Host firewall

• File integrity checker

• Activity monitor

Page 7

Deployment Tips (1)

• Dual NIC
  – No TCP/IP binding
  – Network performance
  – Security

• NIC optimization settings

• Promiscuous mode

Page 8

Deployment Tips (2)

• Locations
  – DMZ
  – In front of firewall
  – Behind firewall
  – Server segments
  – “Power user” segments

Page 9

Deployment Tips (3)

• Generic OS hardening & optimization
  – TCP/IP services
  – NetBIOS services
  – File & directory permissions
  – Unnecessary background processes
  – Peripherals

Page 10

Deployment Tips (4)

• Miscellaneous
  – Automatic mass deployment of HIDS
  – Downtime against SLA
  – Tuning of false alarms
  – Do policy customization (no kidding)
  – Monitor log growth rate

Page 11

Problem Scenarios (1)

• Signature quality
  – False POSITIVES
  – False NEGATIVES
  – Threshold values
  – Duplicate elimination

• Encrypted traffic
  – SSL, IPSEC & PPTP tunnels, PGP attachments
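Threshold values and duplicate elimination are the two knobs an operator turns to cut false positives without discarding the underlying events. The following is an added example written for this page, not code from the deck or from any product it names: a sliding-window filter that raises an alert only once a (signature, source, destination) key has fired a threshold number of times, and then at most once per window. The alert records and timestamps are constructed.

```python
"""Threshold and duplicate elimination for IDS alerts (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    ts: float        # seconds since epoch (constructed values below)
    signature: str   # rule that fired
    src: str
    dst: str


class AlertFilter:
    """Pass an alert through only when its (signature, src, dst) key has fired at least
    `threshold` times within the last `window` seconds, and then at most once per window
    for that key.  Everything else is counted but suppressed."""

    def __init__(self, threshold, window):
        self.threshold = threshold
        self.window = window
        self._times = {}         # key -> timestamps of recent firings
        self._last_emitted = {}  # key -> timestamp of the last alert passed through
        self.suppressed = 0

    def process(self, alert):
        key = (alert.signature, alert.src, alert.dst)
        # Keep only firings still inside the sliding window, then add this one.
        recent = [t for t in self._times.get(key, []) if alert.ts - t <= self.window]
        recent.append(alert.ts)
        self._times[key] = recent
        if len(recent) < self.threshold:
            self.suppressed += 1          # below threshold: treated as noise for now
            return None
        last = self._last_emitted.get(key)
        if last is not None and alert.ts - last <= self.window:
            self.suppressed += 1          # duplicate of an alert already raised this window
            return None
        self._last_emitted[key] = alert.ts
        return alert


def run_filter(alerts, threshold=3, window=60.0):
    """Apply the filter to a time-ordered alert list; return the alerts that pass."""
    f = AlertFilter(threshold, window)
    return [a for a in alerts if f.process(a) is not None]


# Constructed raw alerts from a sensor, already in time order.
SAMPLE_ALERTS = [
    Alert(0.0,  "SCAN port sweep", "192.0.2.10", "198.51.100.5"),
    Alert(5.0,  "SCAN port sweep", "192.0.2.11", "198.51.100.5"),  # one-off: never reaches threshold
    Alert(10.0, "SCAN port sweep", "192.0.2.10", "198.51.100.5"),
    Alert(20.0, "SCAN port sweep", "192.0.2.10", "198.51.100.5"),  # third firing: raised
    Alert(30.0, "SCAN port sweep", "192.0.2.10", "198.51.100.5"),  # duplicate within window
    Alert(85.0, "SCAN port sweep", "192.0.2.10", "198.51.100.5"),
    Alert(86.0, "SCAN port sweep", "192.0.2.10", "198.51.100.5"),  # threshold met again, new window
]

if __name__ == "__main__":
    for a in run_filter(SAMPLE_ALERTS):
        print("ALERT t=%5.1f %s %s -> %s" % (a.ts, a.signature, a.src, a.dst))
```

Seven raw alerts become two; the single firing from 192.0.2.11 is held back, and the repeat at t=30 is folded into the alert already raised at t=20. Raising the threshold trades false positives for delayed (or missed) detection, which is exactly the tuning trade-off the slide lists.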

Page 12

Problem Scenarios (2)

• Switch instead of hub
  – Collision domain
  – Port spanning/mirroring/monitoring
  – Performance degradation

• High speed network
  – Packet drop
  – DoS

Page 13

How to choose an IDS (1)

• Attack Signature
  – Quality
  – Update frequency
  – Update mechanism

Page 14

How to choose an IDS (2)

• Scalability
  – Traffic handling capacity
  – Shutdown mechanism
  – Supported platforms (HIDS)

Page 15

How to choose an IDS (3)

• Manageability
  – Examining logs
  – Cross reference
  – Archiving
  – Centralized console

Page 16

How to choose an IDS (4)

• Hardware platform
  – Intel based
  – SPARC based

Page 17

Response Actions (1)

• Log
  – Header, significant application data
  – Raw packet

• Alert
  – Console
  – Email
  – SNMP traps

Page 18

Response Actions (2)

• Termination
  – TCP kill
  – Kernel drop

• Third-party integration
  – Firewall
  – Router

Page 19

Response Actions (3)

• User script
  – Increase log level
  – Modem to pager
  – Email to SMS
  – Redirect to honey pot

Page 20

Previous Battlefield

• IP defragmentation

• TCP stream reassembly
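Both items on this slide come down to one rule: the sensor must see the same byte stream the destination host will see before it applies a signature, otherwise a pattern that straddles two packets is simply never matched. The script below is an added example written for this page, not code from the deck: a minimal one-direction TCP reassembler that tolerates out-of-order and retransmitted segments and stops at the first hole, followed by the same signature check done per packet and on the reassembled stream. The initial sequence number, the segments and the signature are constructed.

```python
"""TCP stream reassembly before pattern matching (added example)."""

# Hypothetical content signature the sensor is looking for.
SIGNATURE = b"/cgi-bin/phf"


def reassemble(segments, isn):
    """Rebuild a one-direction byte stream from (seq, payload) segments.

    Segments may arrive out of order, retransmitted or overlapping; the first copy of
    each byte wins.  Reassembly stops at the first hole so that bytes after data the
    sensor has not seen are never matched against the signature.
    """
    stream = bytearray()
    filled = bytearray()          # one flag byte per stream byte: 1 when that byte is known
    for seq, data in segments:
        offset = seq - isn
        if offset < 0:
            raise ValueError("segment before initial sequence number")
        end = offset + len(data)
        if end > len(stream):
            stream.extend(bytes(end - len(stream)))
            filled.extend(bytes(end - len(filled)))
        for i, byte in enumerate(data):
            if not filled[offset + i]:
                stream[offset + i] = byte
                filled[offset + i] = 1
    hole = filled.find(b"\x00")
    if hole == -1:
        hole = len(filled)
    return bytes(stream[:hole])


def match_per_segment(segments, signature=SIGNATURE):
    """What a sensor that inspects each packet in isolation would report."""
    return any(signature in data for _, data in segments)


def match_reassembled(segments, isn, signature=SIGNATURE):
    """What a sensor that reassembles the stream first would report."""
    return signature in reassemble(segments, isn)


# Constructed request split over three segments, delivered out of order,
# with the middle segment retransmitted once.
ISN = 1000
SEGMENTS = [
    (1019, b"TP/1.0\r\n"),
    (1000, b"GET /cgi-"),
    (1009, b"bin/phf HT"),
    (1009, b"bin/phf HT"),
]

if __name__ == "__main__":
    print("per-segment match :", match_per_segment(SEGMENTS))
    print("reassembled match :", match_reassembled(SEGMENTS, ISN))
    print("stream            :", reassemble(SEGMENTS, ISN))
```

A production sensor additionally has to mirror the target host's policy for overlapping segments and for IP fragments, which is why this was a battlefield: any difference between the sensor's reassembly and the host's is a blind spot.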

Page 21

Today…

• IDS load balancing

• Hardware IDS
  – ASIC IDS module in a chassis
  – ASIC switch appliance

Page 22

Standards

• CVE (Common Vulnerabilities and Exposures)

• IDMEF (Intrusion Detection Message Exchange Format)

Page 23

CVE (1)

• Standardized name

• Interoperability between tools

• Tool comparison guidelines
  – CVE-compatible
  – No. of signatures

Page 24

Page 25

CVE (2)

• Version
  – As of August 2001: 20010507

• Classification
  – CVE candidate (CAN-YYYY-XXXX)
  – CVE entry (CVE-YYYY-XXXX)

(Diagram) Discovery → Assign candidate number → Editor proposes to the board → Modification votes → Accepted or rejected, then published

Page 26

Data Sources

• Security Focus - SecurityFocus.com weekly newsletters (http://www.securityfocus.com/vdb)

• Network Computing and the SANS Institute - weekly Security Alert Consensus (http://archives.neohapsis.com/archives/securityexpress/current/)

• ISS - monthly Security Alert Summary (http://xforce.iss.net/alerts/summaries.php)

• NIPC CyberNotes - biweekly issues (http://www.nipc.gov/cybernotes.htm)

Page 27

Reference Source

AIXAPAR, ALLAIRE, ASCEND, ATSTAKE, AUSCERT, BID, BINDVIEW, BUGTRAQ, CALDERA, CERT, CERT-VN, CHECKPOINT, CIAC, CISCO,
COMPAQ, CONECTIVA, CONFIRM, DEBIAN, EEYE, EL8, ERS, FREEBSD, FarmerVenema, FreeBSD, HERT, HP, IBM, INFOWAR, ISS, KSRT,
L0PHT, MANDRAKE, MISC, MS, MSKB, NAI, NETBSD, NETECT, NTBUGTRAQ, NetBSD, OPENBSD, REDHAT, RSI, SCO, SEKURE, SF-INCIDENTS,
SGI, SNI, SUN, SUNBUG, SUSE, TURBO, URL, VULN-DEV, WIN2KSEC, XF

Page 28

Tips for using CVE

• Do not use general terms (e.g. buffer overflow) to search

• Use exact process name (e.g. sendmail)

• Go to the “references” for fixes

Page 29

IDWG

• Intrusion Detection Working Group

• Aims
  – Define data format
  – Define exchange procedure

• Outputs
  – Requirement document
  – Common intrusion language specification
  – Framework document

Page 30

IDMEF

• Standard data format (using XML)

• Interoperability

• Typical deployments:
  – Sensor to Manager
  – Database
  – Event correlation system
  – Centralized console

Page 31

IDMEF Addressed Problems

• Inherently heterogeneous information

• Different sensor types

• Different analyzer capabilities

• Different operating systems

• Different objectives of commercial vendors

Page 32

Message Classes (1)

• IDMEF-Message Class

• Alert Class
  – ToolAlert
  – CorrelationAlert
  – OverflowAlert

• Heartbeat Class

Page 33

Message Classes (2)

• Core Classes
  – Analyzer
  – Source
  – Target
  – Classification
  – Additional Data

Page 34

Message Classes (3)

• Time Class
  – CreateTime
  – DetectTime
  – AnalyzerTime

Page 35

Message Classes (4)

• Support Class
  – Node
  – User
  – Process
  – Service

Page 36

Example

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE IDMEF-Message PUBLIC "-//IETF//DTD RFCxxxx IDMEF v0.3//EN"
  "idmef-message.dtd">
<IDMEF-Message version="0.3">
  <Alert ident="abc123456789" impact="successful-dos">
    <Analyzer analyzerid="hq-dmz-analyzer01">
      <Node category="dns">
        <location>Headquarters DMZ Network</location>
        <name>analyzer01.bigcompany.com</name>
      </Node>
    </Analyzer>
    <CreateTime ntpstamp="0x12345678.0x98765432">
      2000-03-09T10:01:25.93464-05:00
    </CreateTime>
    <Source ident="a1b2c3d4">
      <Node ident="a1b2c3d4-001" category="dns">
        <name>badguy.hacker.net</name>
        <Address ident="a1b2c3d4-002" category="ipv4-net-mask">
          <address>123.234.231.121</address>
          <netmask>255.255.255.255</netmask>
        </Address>
      </Node>
    </Source>
    <Target ident="d1c2b3a4">
      <Node ident="d1c2b3a4-001" category="dns">
        <Address category="ipv4-addr-hex">
          <address>0xde796f70</address>
        </Address>
      </Node>
    </Target>
    <Classification origin="bugtraqid">
      <name>124</name>
      <url>http://www.securityfocus.com</url>
    </Classification>
  </Alert>
</IDMEF-Message>
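The point of a common format is that a manager, database or correlation engine can consume alerts from any sensor with one parser. The script below is an added example written for this page, not code from the deck or from any IDMEF implementation: it parses the Alert above (embedded inline so it runs offline) into a flat record and normalizes the two address categories the message uses, so that the ipv4-addr-hex target and the dotted-quad source end up in the same form. It deliberately handles only the Alert class; a Heartbeat message is rejected rather than silently ignored.

```python
"""Parse an IDMEF v0.3 Alert into a flat record (added example)."""
import xml.etree.ElementTree as ET

# The Alert from the slide above, embedded as bytes so the script runs offline.
# xml.etree does not fetch the external DTD named in the DOCTYPE, which is what
# you want when the message comes from a sensor you do not fully trust.
SAMPLE_IDMEF = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE IDMEF-Message PUBLIC "-//IETF//DTD RFCxxxx IDMEF v0.3//EN" "idmef-message.dtd">
<IDMEF-Message version="0.3">
  <Alert ident="abc123456789" impact="successful-dos">
    <Analyzer analyzerid="hq-dmz-analyzer01">
      <Node category="dns">
        <location>Headquarters DMZ Network</location>
        <name>analyzer01.bigcompany.com</name>
      </Node>
    </Analyzer>
    <CreateTime ntpstamp="0x12345678.0x98765432">
      2000-03-09T10:01:25.93464-05:00
    </CreateTime>
    <Source ident="a1b2c3d4">
      <Node ident="a1b2c3d4-001" category="dns">
        <name>badguy.hacker.net</name>
        <Address ident="a1b2c3d4-002" category="ipv4-net-mask">
          <address>123.234.231.121</address>
          <netmask>255.255.255.255</netmask>
        </Address>
      </Node>
    </Source>
    <Target ident="d1c2b3a4">
      <Node ident="d1c2b3a4-001" category="dns">
        <Address category="ipv4-addr-hex">
          <address>0xde796f70</address>
        </Address>
      </Node>
    </Target>
    <Classification origin="bugtraqid">
      <name>124</name>
      <url>http://www.securityfocus.com</url>
    </Classification>
  </Alert>
</IDMEF-Message>
"""


def hex_ipv4_to_dotted(value):
    """Convert an ipv4-addr-hex value such as 0xde796f70 to dotted-quad form."""
    n = int(value, 16)
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit address: %s" % value)
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def normalize_address(category, address):
    """Return a dotted-quad string whichever IDMEF address category was used."""
    if category == "ipv4-addr-hex":
        return hex_ipv4_to_dotted(address)
    return address


def _text(element, path):
    node = element.find(path)
    return node.text.strip() if node is not None and node.text else None


def parse_idmef_alert(xml_bytes):
    """Return a flat dict for the Alert in an IDMEF-Message, or raise ValueError."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "IDMEF-Message":
        raise ValueError("root element is %s, not IDMEF-Message" % root.tag)
    alert = root.find("Alert")
    if alert is None:
        raise ValueError("message carries no Alert (Heartbeat messages are not handled here)")
    analyzer = alert.find("Analyzer")
    classification = alert.find("Classification")
    sources = [(normalize_address(a.get("category"), _text(a, "address")), _text(a, "netmask"))
               for a in alert.findall("Source/Node/Address")]
    targets = [normalize_address(a.get("category"), _text(a, "address"))
               for a in alert.findall("Target/Node/Address")]
    return {
        "version": root.get("version"),
        "ident": alert.get("ident"),
        "impact": alert.get("impact"),
        "analyzer_id": analyzer.get("analyzerid") if analyzer is not None else None,
        "analyzer_name": _text(alert, "Analyzer/Node/name"),
        "create_time": _text(alert, "CreateTime"),
        "sources": sources,
        "targets": targets,
        "classification_origin": classification.get("origin") if classification is not None else None,
        "classification_name": _text(alert, "Classification/name"),
    }


if __name__ == "__main__":
    for key, value in parse_idmef_alert(SAMPLE_IDMEF).items():
        print("%-22s %s" % (key, value))
```

The flat record is what a database table or a correlation rule would key on (analyzer, source, target, classification, time); the XML nesting exists so that different sensors can omit or extend parts of it without breaking consumers.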

Page 37

Summary

• IDS Classification

• IDS Deployment Considerations

• How to choose an IDS

• Industry standards

Page 38

HKCERT/CC

• Web - http://www.hongkongcert.org

• Telephone - 2788 6060

• Fax - 2190 9760

• Email - mailto:[email protected]

Page 39

Reference

• http://cve.mitre.org/cve

• http://www.silicondefense.com/idwg/

• http://www.securityfocus.com/

Page 40

Thank You

• For suggestions and corrections, please send email to

[email protected]

or

[email protected]

Page 41

Discussion

• SLA - cannot stop service immediately

• Switch to standby system if possible

• Contingency planning

• Trace the source; Track its activity