Knock, Knock, Knocking on (Network) Doors: Penn State's Intrusion Detection Architecture

Copyright Penn State Information Technology Services, 2004. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.



The Security Professionals Workshop, May 18, 2004


Security Operations and Services

● A division of Information and Technology Services (ITS) at Penn State
● 8 full time staff members
  – Director
    ● Kathy Kimball
  – Intrusion detection: 2 staff members
    ● Randy Hegarty
    ● Mike Petkac
  – Incident response: 2 staff members
  – Virus response: 1 staff member
  – Advanced Forensics: 1 staff member
  – Training: 1 staff member


Penn State by the Numbers: Enrollment Fall 2003

University Park (Main Campus)   41,795
Other campus locations          33,743
College of Medicine                738
Dickinson School of Law            646
PA College of Technology         6,255
Totals                          83,177


Penn State by the Numbers: Information Technology

● 110,000+ active access accounts
● 3 ½ class B networks *
  – * excludes Hershey Medical Center (another class B)
  – * ½ class B for residence halls (locked by MAC)
  – 229,376 IP addresses
● 5,120 modem addresses
● 2,167 mobility addresses
● ????? wireless/VPN addresses


Penn State Network View


Penn State Network View (cont)


Security Status: January 2001

● Known colleges/departments/campuses with network security devices: 1
● SOS: 3 full time staff members
  – Primary function: incident response
  – Secondary function: intrusion detection
    ● Based on (ex/in)ternal reports/well-known information (e.g. Sub7)
● “Intrusion Detection” Tools
  – Nmap
  – Remote Intrusion Detection (RID)
    ● Signature-based on individual ports
    ● TCP port 27374; Signature “connected. time/date”
● Much accomplished, but issues loomed
  – Mission: implementation of SOS five-year plan to address issues
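An added example (not code from the slides or from RID itself) of the per-port signature check the slide describes: a table keyed by TCP port, a substring match on the banner the port returns, and a banner grab that is injectable so the matching logic runs offline. The Sub7 entry on port 27374 is the one named on the slide; the port 4711 entry is a constructed placeholder modelled on the "220 ..." banner in Ex 1 later in the deck.

```python
import socket

# Per-port banner signatures in the style of RID: one expected string per TCP port.
# 27374/"connected. time/date" is the Sub7 signature named on the slide; the 4711
# entry is a constructed placeholder modelled on the "220 ..." banner in Ex 1.
SIGNATURES = {
    27374: ("Sub7 backdoor", b"connected. time/date"),
    4711: ("warez FTP daemon (constructed entry)", b"220 "),
}


def classify_banner(port, banner):
    """Name the signature if the banner received on `port` contains that port's
    expected string, else None. A substring test is used because trojan banners
    are usually followed by variable text such as a timestamp."""
    entry = SIGNATURES.get(port)
    if entry is None or not banner:
        return None
    name, needle = entry
    return name if needle in banner else None


def grab_banner(host, port, timeout=3.0, max_bytes=256):
    """Connect and return whatever the service sends first; b"" if the port is
    closed, filtered or silent. This is the only part that touches the network."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            return s.recv(max_bytes)
    except OSError:  # refused, timed out, unreachable
        return b""


def sweep(hosts, ports, grab=grab_banner):
    """RID-style sweep: return {host: {port: signature}} for every hit. `grab` is
    injectable so the matching logic can be exercised against canned banners."""
    hits = {}
    for host in hosts:
        found = {p: classify_banner(p, grab(host, p)) for p in ports}
        found = {p: n for p, n in found.items() if n}
        if found:
            hits[host] = found
    return hits
```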


Intrusion Detection's Arrival

● A component of SOS five-year plan: security enhancements to existing infrastructure
  – Two-step process was envisioned
    ● External (commercial) analysis/recommendation plan
    ● External (commercial) implementation of recommendations
  – Step 1 (conducted August – November 2001) results
    ● Open-source recommendations:
      ● Snort (signature-based Network Intrusion Detection System (NIDS))
      ● Hogwash (Snort-based early Intrusion Prevention System (IPS))
  – NIDS path chosen for initial pursuit
    ● Commercial 24x7 managed service pilot (April – June 2002)
      – 3 NIDS/2 HIDS
    ● SOS IDS program (June 2002)


Snort Network Configuration

● Location: local area network level
● Network Requirements
  – Network switch with mirrored/monitor port, or
  – Network tap
● System Requirements
  – Hardened/firewalled host
  – Two interface cards
    ● 1 promiscuous (inbound only)
    ● 1 management/monitoring


SOS Deployed IDS Units

● 18 installed units
  – 2002: 6 units (5 commercial, 1 SOS build)
  – 2003: 12 units (3 commercial, 9 SOS builds)
● Locations
  – 8 units at 6 non-UP campus locations
  – 6 units at 5 UP colleges
  – 2 units at 2 ITS locations
  – 1 unit at other UP department
  – 1 unit at UP residence hall*
● 8,912 addresses covered (~35 class Cs)


Initial Experiences

● Overwhelming amount of data
  – Initial average of 60,000 alerts daily on each sensor
● What does this alert mean?
  – Initial tendency to analyze false positives
  – Initial tendency to question/ignore alerts
● How do I write this rule?
● Constant attention needed
  – No benefit without continuous monitoring
  – Rule sets/software updates
  – Mirrors go down
● The insight provided into networks


IDS and ID Tool Utilization

● Iterative process using Snort, RID, nmap, flow data, (ex/in)ternal reports, well-known information; for example:
  – Scanning activity from internal host ((ex/in)ternal report/Snort detected)
    ● Nmap of host/connection to open ports for signature detection
    ● Signature of detected port(s) input into RID
  or
  – Compromise (with signature) detected on Snort
    ● Signature of detected port(s) input into RID
  or
  – Backdoor without signature identified on specific port
    ● Nmap scans


Ex 1: Snort Detected Portscan

05/09-08:26:46 Portscan detected {TCP} 128.118.xx.xx:7047 -> 128.118.xx.xx:445
05/09-08:26:56 Portscan detected {TCP} 128.118.xx.xx:14494 -> 128.118.xx.xx:445
05/09-08:30:00 Portscan detected {TCP} 128.118.xx.xx:3578 -> 128.118.xx.xx:445
05/09-08:32:24 Portscan detected {TCP} 128.118.xx.xx:3975 -> 128.118.xx.xx:445
05/09-08:38:22 Portscan detected {TCP} 128.118.xx.xx:1152 -> 128.118.xx.xx:445
05/09-08:40:16 Portscan detected {TCP} 128.118.xx.xx:2459 -> 128.118.xx.xx:445
05/09-08:42:36 Portscan detected {TCP} 128.118.xx.xx:2320 -> 128.118.xx.xx:445

Interesting ports on (128.118.xx.xx):
Port   State  Protocol  Service
135    open   tcp       loc-srv
139    open   tcp       netbios-ssn
206    open   tcp       at-zis
...
1926   open   tcp       unknown

Ports 206, 1926
220 ...

RID detected 18 additional hosts/2 additional compromised ports: TCP 90/4711

RID scan for TCP ports 90/4711 detected 19 additional hosts


Ex 2: Snort Detected Compromise

05/14-05:56:47 [1:1326:3] EXPLOIT ssh CRC32 overflow NOOP [Classification: Executable code was detected] [Priority: 1] {TCP} 210.50.152.189:1898 -> 128.118.xxx.xxx:22
...
05/14-05:58:46 [1:1324:3] EXPLOIT ssh CRC32 overflow /bin/sh [Classification: Executable code was detected] [Priority: 1] {TCP} 210.50.152.189:1903 -> 128.118.xxx.xxx:22
05/14-06:01:17 LR - Possible SSHD Backdoor [Classification: Misc RID] {TCP} 128.118.xxx.xxx:101 -> 81.196.33.66:1140
05/14-06:04:27 (spp_portscan2) Portscan detected from 128.118.xxx.xxx {TCP} 128.118.xxx.xxx:1039 -> 81.216.198.11:21

Interesting ports on (128.118.xxx.xxx):
Port   State  Protocol  Service
22     open   tcp       ssh
...
101    open   tcp       hostname
...

SSH-1.5-1.2.32
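As an added example (not code from the slides or from SOS), a small parser and triage step over the two Snort alert shapes shown in Ex 1 and Ex 2. It turns a stream of alerts into the two worklists the iterative process on the "IDS and ID Tool Utilization" slide hands on: hosts hit by priority-1 exploit alerts (next step: nmap the host) and internal sources probing several hosts on one port (next step: RID on that port). The sample alerts and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample alerts in the two Snort fast-alert shapes shown on the slides
# (documentation-range addresses, not Penn State hosts).
SAMPLE_ALERTS = """\
05/09-08:26:46 Portscan detected {TCP} 192.0.2.10:7047 -> 192.0.2.55:445
05/09-08:26:56 Portscan detected {TCP} 192.0.2.10:14494 -> 192.0.2.56:445
05/09-08:30:00 Portscan detected {TCP} 192.0.2.10:3578 -> 192.0.2.57:445
05/14-05:56:47 [1:1326:3] EXPLOIT ssh CRC32 overflow NOOP [Classification: Executable code was detected] [Priority: 1] {TCP} 198.51.100.9:1898 -> 192.0.2.80:22
05/14-06:01:17 LR - Possible SSHD Backdoor [Classification: Misc RID] {TCP}192.0.2.80:101 -> 198.51.100.20:1140
"""

# One regex covers both shapes: the bracketed sid/classification/priority are optional.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d) (?:\[(?P<sid>[\d:]+)\] )?(?P<msg>.*?) "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?(?:\[Priority: (?P<pri>\d+)\] )?"
    r"\{(?P<proto>\w+)\} ?(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_alert(line):
    """Return the alert's fields as a dict, or None for a line that is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a["pri"] = int(a["pri"]) if a["pri"] else None
    a["dport"] = int(a["dport"])
    return a


def triage(text, min_targets=3):
    """Reduce an alert stream to the two worklists the slides' process feeds on:
    victims of priority-1 exploit alerts (next step: nmap the host) and internal
    sources that probed several hosts on one port (next step: RID on that port)."""
    victims = defaultdict(set)   # victim address -> exploit messages seen
    probes = defaultdict(set)    # (scanner, dest port) -> addresses it probed
    for line in text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue
        if a["pri"] == 1:
            victims[a["dst"]].add(a["msg"])
        if "Portscan detected" in a["msg"]:
            probes[(a["src"], a["dport"])].add(a["dst"])
    scanners = {k: sorted(v) for k, v in probes.items() if len(v) >= min_targets}
    return {"nmap_candidates": dict(victims), "rid_candidates": scanners}
```

With the slides' figure of 60,000 alerts a day per sensor, the point of the grouping is that an analyst sees one scanner-plus-port entry instead of thousands of portscan lines.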


IDS and ID Tool Summary

● Caution: numbers do not fully depict situation
● 2002 – 2003
  – 2,909 machines attributed to IDS
  – 1,253 machines attributed to RID/nmap scans
  – 4,162 machines from IDS/ID tools
● 2004 (January through April)
  – 1,803 machines attributed to IDS
  – 120 machines attributed to RID/nmap scans
  – 1,923 machines from IDS/ID tools
● 6,085 machines from IDS/ID tools (28 months)


Location/Type Detections in 2004
(January through April 2004)

             Totals   Mod/Mob/Wireless   Res Hall   University
Detections    1,923                697        445          781

By type:
  1,312  IRC Bots (full control/Warez)
    279  Welchia
    177  Blaster
     81  Misc Trojans (Backdoors/Spammers)
     74  Warez


Additional Experiences

● Effectiveness? - can't say with certainty
  – Circumstances often limit monitoring (e.g. crisis management, other tasks, time off)
  – Things are missed/ignored
  – Signatures don't exist or not on devices
● What we can say with certainty
  – Improvement over commercial 24x7 managed service trial
  – Central detection contributes to effectiveness during crisis
  – July 2003: border filters applied for vulnerable Microsoft ports (and a few more)
    ● More internal damage is detected/limited
    ● July 30/August 7, 2003 experiences
  – Self-monitoring is important; less external reporting/some attacks remain inside with border filters


The Need for Automation

● New attacks/worms require IDS signature development (though portscan may detect)
● Human analysis/response (even 24x7) is insufficient to minimize attack/worm damage
  – “Triage” experience against recent rapidly propagating attacks: Sadmind/Code Red/Nimda/Blaster/Welchia/Witty
  – Stealthy, relatively slow attacks with higher risk potential: Gaobot/Phatbot
● Intrusion Prevention: detecting known and unknown attacks and preventing their success


Intrusion Prevention Systems

● System/market development still early
● Many players are startup companies
● Some issues common to other security devices
  – Latency
  – Network placement
  – Scalability
● Some issues uncommon to other devices
  – Escalation of false positive issues
  – Escalation of false negative or exception issues


Some IPS Types

● Inline NIDS
● Firewalls coupled with IDS
● Deceptive/engaging systems
● Layer seven switches

Product notes:
- Hogwash - looking for a new maintainer
- Flexresp2 - Snort plugin to terminate connections
- Checkpoint FW-1 Smart Defense/Application Intelligence
- SnortSam - Snort plugin; architecture supports large, distributed response networks; compatible with Checkpoint/Cisco/Netscreen/Watchguard firewalls and Cisco routers
- One initially tested/others to be evaluated


Future Plans

● Intrusion Detection
  – Continue with new IDS deployments
  – Begin life-cycle replacement of initial units
  – Upgrade ID tool (RID/nmap) resources
● Intrusion Prevention
  – Proceed cautiously, but proceed
  – SnortSam test/evaluation
  – Continue/expand commercial product testing/evaluation
  – Continue investigating new/enhanced products


Security Status: Today

● Known colleges/departments/campuses with firewalls: 22
  – 42% of colleges with college-wide deployment
  – 25% non-UP campuses
● Known colleges/departments/campuses with IDS: 21
  – 5 units independently running IDS
  – 6 coupled with firewalls
● SOS security staff: 8 members
● Security state relative to 2001?


Questions?

Kathy [email protected]

Randy [email protected]

Mike [email protected]