7/30/2019 Module 06 - Intrusion Detection System
1/53
Network Security Administrator
Module VI: Intrusion Detection System
EC-Council Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Module Objectives
~ Introduction to IDS
~ History of Intrusion Detection
~ Characteristics of IDS
~ Importance of IDS
~ Deployment of IDS
~ Distributed IDS
~ Aggregate Analysis with IDS
~ Types of IDS
~ IDS Detection Methods
~ Types of Signature
~ Methods to Detect Signature
~ IDS Tools
~ Prelude IDS and its components
~ Intrusion Prevention System
Module Flow
[Figure: module flow diagram linking Introduction to IDS, History of Intrusion Detection, Characteristics of IDS, Importance of IDS, Deployment of IDS, Distributed IDS, Aggregate Analysis with IDS, Types of IDS, IDS Detection Methods, Types of Signature, Methods to Detect Signature, IDS Tools, Prelude IDS and Intrusion Prevention System]
Introduction to IDS
~ Monitors all inbound and outbound host activity and identifies suspicious patterns on the network that indicate an attack that could compromise a system
~ Gathers and analyzes information regarding the misuse of a particular computer or the total network
~ The TCP/IP packets are examined in a number of different ways after they are captured
History of Intrusion Detection
~ 1980: James Anderson gave the foundation of IDS by writing the paper Computer Security Threat Monitoring and Surveillance
~ 1985: Early IDES evolved with the support of the U.S. Defense System
~ 1989: Todd Heberlein presented Network System Monitor, introducing NIDS
~ 1999: Presidential Decision Directive presented the final Federal Intrusion Detection Network to protect national infrastructure
Some Early IDSs at a Glance
~ MIDAS (Multics Intrusion Detection and Alerting System): Original IDS used on NCSC's public message system
~ Discovery: Used to identify abnormal activity in a database
~ DRISC (Detect and Recover Intrusion using System Critically): Presented HIDS pattern to detect intrusion in system
~ PDAT (Protocol Data Analysis Tool): Gave heterogeneous intrusion detection
~ Essence: Find doubtful activity in VMS
~ Harris Neural Network Prototype: Used to calculate deviations from normalcy
Some Early IDSs at a Glance (contd.)
~ IDES (Intrusion Detection Expert System): First system which merged numerical behavioral study with rule-based signatures
~ ISOA (Information Security Officer's Assistant): Based on the Indications and Warnings model, which gives advance warning of a forthcoming attack
~ W&S (Wisdom & Sense): System which researched a dataset and created metarules that explain the uniqueness of the data
~ Haystack: Designed to assist security officers in detecting and investigating misuse
~ NSM (Network Security Manager): Intended to examine data from an Ethernet local area network
Characteristics of IDS
~ Runs constantly without human supervision
~ Survives a system crash and must be fault tolerant
~ Enforces the least overhead on the system
~ Observes deviations from normal behavior
~ Adapts to the system and its technologies
~ System errors cannot be overlooked by the IDS
Importance of IDS
~ Importance in various security functions:
Creates a database of the types of attacks
Deals with large amounts of data
Possesses built-in forensic and reporting capabilities
Provides the system administrator the ability to calculate attacks
Identifies both external hackers and internal network-based attacks
Offers centralized management for connecting distributed attacks
Deployment of IDS
~ Deployment is based on the current requirements and infrastructure of a company
~ According to the standard, first the network and then the host machines should be deployed
~ Placement:
NIDS: First at the external Internet-facing segment and then at the DMZ segment
HIDS: On all critical DMZ host devices
~ Position of sensors:
After internal firewalls
In the demilitarized zone
Outside the main firewall
Distributed IDS: Introduction and Advantages
~ Consists of a number of IDSs installed across wide networks, which exchange information either with each other or through a central server
~ Centralized details of data can be maintained as reports
~ Advantages:
Early identification of Internet attacks that could possibly damage the enterprise assets
Provides the capability to identify modes of attacks happening world-wide
Distributed IDS: Components
~ Central Analysis Server: Consists of a database and server; analyzes patterns of attack to identify their strategy
~ Co-operative Agent Network: Agents from different parts of the network together produce reports of attacks
~ Attack Aggregation: Performed by the server based on program logic, such as by considering the IP address of the attack
Distributed IDS: Components
[Figure: DIDS agents 1 to 3 at locations 1 to 3 (10.1.0.0/16, 10.2.0.0/16, 10.3.0.0/16) and a DIDS control center at location 4, connected through routers and a firewall to the Internet]
Aggregate Analysis with IDS
~ Considering the details of attacks, the advancement of attacks can be recorded
~ Determines the system's feasibility, strength and restoring capability
~ Enables the analyst to analyze the effect of an attack on the entire network by considering the effect of the attack on a single network
Types of IDS: Network Based IDS
~ Monitors TCP/IP packets in network
~ Two Types of Architecture:
Traditional Sensor-Based Architecture
Distributed Network-Node architecture
~ Pros and Cons:
Detects a wide range of threats
Provides response automatically
Difficulty in detection when network bandwidth is high
NIDS
[Figure: NIDS placement: the Internet, a firewall, and an IDS system monitoring the hosts on the internal segment]
NIDS Architecture: Traditional Sensor-Based
~ Consists of sensors arranged throughout the network to monitor whole network segments
[Figure: numbered data flow (steps 1 to 9) from the Network Sensor (Network Packets, TCP/IP Records, Detection Engine, Log, Alerts) to the Command Console (Response System, Report, Database, Data Forensics) and the Security Officer]
NIDS Architecture: Distributed Network-Node
~ Consists of an agent placed on each computer in the network to control traffic related only to the individual target
[Figure: numbered data flow (steps 1 to 8) from the Network Sensor (Network Packets, TCP/IP Records, Detection Engine, Local Response, Alerts) to the Command Console (Report, Database, Data Forensics) and the Security Officer]
Types of IDS: Host Based IDS
~ Monitors the data that originates on the host systems
~ Two Types of Architecture:
Centralized host based
Distributed real-time host based
~ Pros and Cons:
Detects broad range of decision support threats
No requirement of dedicated hardware
Maintenance is difficult due to distributed agents
HIDS Architecture: Centralized Host-Based
~ Data is sent to an analysis engine running on a machine other than the target of the attack
[Figure: numbered data flow (steps 1 to 10) from the Target (Audit Subsystem, Audit Data, Raw Data, Centralized Collector, Log) to the Command Console (Detection Engine, Alert, Response System, Report, Database, Data Forensics) and the Security Officer]
HIDS Architecture: Distributed Real-time Host Based
~ In real time, raw data is analyzed on the target machine and alerts are forwarded to the command console
[Figure: numbered data flow (steps 1 to 8) from the Target (Audit Subsystem, Audit Data, Collector, Detection Engine, Local Response, Alerts) to the Command Console (Report, Database, Data Forensics) and the Security Officer]
Host Based IDS Vs Network Based IDS
HIDS:
~ Uses information obtained from a system (a single host)
~ More adaptable with the version of the system
~ Requires less training
~ Scans the local machine registry
~ Better for detecting inbound attacks
NIDS:
~ Uses the information gained from a total section of the network
~ Less adaptable, as it relates to the whole network
~ Requires more training
~ Uses LAN bandwidth
~ Better for detecting outbound attacks
IDS Detection Methods
~ Signature Detection: Identifies intrusions by watching malicious network traffic or data and comparing it to large databases of attack signatures
~ Anomaly Detection: Identifies intrusions by notifying operators about abnormal activity on the network or host
Types of Signature: Network Signatures
~ Packet Content Signature: Provides pattern matching with the packet content
~ Packet Header Analysis: Effective in detecting suspicious activity without considering the packet content
Types of Signature: Host-based Signatures
~ Single-Event Signatures: Contain only one event with suspicious activity
~ Multi-Event Signatures: Contain multiple events and a set of transitions between the events
~ Multi-Host Signatures: A set of events triggered by multiple hosts
~ Enterprise Signatures: Multi-event signatures drawn from various arrangements of target machines in the enterprise
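The Python program below is an added example (not EC-Council material or any vendor's code) that implements three of the signature styles described above on constructed sample data: a packet content signature that pattern-matches the payload, a packet header signature that looks only at header fields, and a multi-event host signature whose per-user state advances through the transitions between events. The packet fields, flag letters, signature names and audit events are all assumptions made for the example.

```python
# Toy signature engine for the signature types on these slides (added
# example, not EC-Council or Snort code; all packets/events are constructed).
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:  # simplified TCP/IP record
    src: str
    dst: str
    dport: int
    flags: str          # TCP flag letters, e.g. "S" (SYN), "PA" (PSH+ACK)
    payload: bytes = b""

@dataclass
class ContentSignature:  # pattern matching against packet content
    name: str
    pattern: bytes
    def match(self, pkt):
        return re.search(self.pattern, pkt.payload) is not None

@dataclass
class HeaderSignature:  # header analysis only; payload is never inspected
    name: str
    dport: Optional[int] = None
    flags: Optional[str] = None
    def match(self, pkt):
        return ((self.dport is None or pkt.dport == self.dport)
                and (self.flags is None or pkt.flags == self.flags))

class MultiEventSignature:
    """Host signature: an ordered sequence of events per user. State advances
    only on the next expected event (a transition); unrelated events are
    ignored, and the signature fires when the final event is seen."""
    def __init__(self, name, sequence):
        self.name, self.sequence = name, sequence
        self.state = {}  # user -> index of the next expected event
    def feed(self, user, event):
        i = self.state.get(user, 0)
        if event != self.sequence[i]:
            return False
        i += 1
        if i == len(self.sequence):  # whole sequence seen: alert and reset
            self.state[user] = 0
            return True
        self.state[user] = i
        return False

def scan_packets(packets, signatures):
    """Run every network signature over every packet; return alert tuples."""
    return [(sig.name, pkt.src, pkt.dst)
            for pkt in packets for sig in signatures if sig.match(pkt)]

def scan_events(events, signature):
    """Feed (user, event) audit records through one multi-event signature."""
    return [(signature.name, user) for user, ev in events
            if signature.feed(user, ev)]

NET_SIGS = [
    ContentSignature("web request for /etc/passwd", rb"GET /[^ ]*/etc/passwd"),
    HeaderSignature("xmas-flag probe", flags="FPU"),
]
PACKETS = [  # constructed sample traffic on the slide's 10.x.0.0/16 ranges
    Packet("10.1.0.5", "10.2.0.9", 22, "S"),
    Packet("10.3.0.7", "10.2.0.9", 80, "PA", b"GET /cgi/../../etc/passwd HTTP/1.0"),
    Packet("10.3.0.7", "10.2.0.9", 139, "FPU"),
]
HOST_SIG = MultiEventSignature("login, escalation, config change",
                               ["login", "privilege_escalation", "config_change"])
EVENTS = [  # constructed (user, event) audit records; bob's span the sequence
    ("alice", "login"), ("alice", "read_mail"), ("bob", "login"),
    ("bob", "privilege_escalation"), ("alice", "logout"), ("bob", "config_change"),
]
```

Running `scan_packets(PACKETS, NET_SIGS)` yields one content alert and one header alert, both from 10.3.0.7; `scan_events(EVENTS, HOST_SIG)` alerts only on bob, whose events complete every transition in order.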
Types of Signature: Compound Signatures
~ Correlates multiple online sources, such as a combination of network and host-based events
~ Advantages of compound signatures over network and host-based signatures:
Give a stronger indication of meaningful attacks
Give a pattern of activity that can be evaluated via reporting
Combine host-based alerts with corresponding source information to detect remote attacks
Methods to Detect Signature
~ Embedded: Embedded in the system and exposed through an editor only
~ Programmable: The rules are written using programming or scripting languages
~ Expert System: Creates conclusions about the dataset based on a knowledge base
True/False-Positive/Negative:
Positive:
True-Positive: An alarm was generated and a present condition should be alarmed
False-Positive: An alarm was not generated and there is no condition present to warrant one
Negative:
True-Negative: An alarm was NOT generated and there is no condition present to warrant one
False-Negative: An alarm was NOT generated and a present condition should be alarmed
IDS Tool: Snort
~ Network Intrusion Detection System (NIDS) based on libpcap; performs packet sniffing and works as a logger
~ Freeware developed by Martin Roesch
~ Runs on Linux, Solaris, BSD, and Mac OS X
~ Features:
Real-time alerting mechanism using syslog, pop-up messages in Windows, Server Message Block (SMB) etc., during run-time
Provides payload verification in the Application layer of packets; ability to order the layer to collect the suspected traffic
Packet filtering using Berkeley Packet Filter (BPF) commands
Compensates for the weaknesses of other IDS tools
Snort: Installation
~ Snort is a "lightweight" NIDS: non-intrusive, easily configured, utilizes familiar methods for rule development, and takes only a few minutes to install
~ Pre-requisites:
The pcap library (libpcap) or WinPcap library should be installed prior to Snort installation
Available at http://www.tcpdump.org/
~ ./oinkmaster.pl -o $RULE_PATH 2>&1 | logger -t oinkmaster downloads the Snort rules into $RULE_PATH
~ SnortSnarf comes with a load of options that perform automatic review
IDS Tool: BlackICE
~ Consists of an intrusion detection system that warns of attacks and resists threats against the systems
~ Product of Internet Security Systems
~ PC and server protection for Windows-based systems
~ Features:
Blocks illegitimate communications
Warns the user of threats
Reports the details of threats
Consists of an integrated firewall and intrusion detection system
[Screenshots: IDS Tool: BlackICE]
IDS Tool: M-ICE
~ Created by Thomas Biege using the C and C++ programming languages
~ M-ICE: Modular Intrusion Detection and Countermeasure Environment
~ Designed for BSD, Unix-like, and Linux platforms
~ Features:
Bridges the gap between research and development of IDS
Works on host-based and other IDS systems
Requires the use of an open and consistent message format
IDS Tool: Secure4Audit (auditGUARD)
~ Controls and configures auditing of the system through an interface
~ Unix-based tool, runs on HP/UX 10.x+, AIX 4.x+, Solaris 2.x+
~ Developed by S4Software
~ Features:
Integrates with various access control tools
Same operation capability on all UNIX flavors
Wide variety of configuration options
Reports system audits in a standardized format from various sources
Defines several review configuration files
Operates similarly on all UNIX environments
IDS Tool: EMERALD
~ EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances
~ Aims at threatening agents by restraining illegitimate users from accessing the system's resources
~ Developed by Phillip A. Porras and Peter G. Neumann
~ Features:
Presents a structure to associate the results of the tool's distributed analysis
Enables world-wide exposure and reaction ability towards synchronized attacks
Monitors are sets of units that analyze, operate and respond in the network
IDS Tool: NIDES
~ NIDES: Next-Generation Intrusion Detection Expert System
~ Performs real-time checks of user actions on several target systems linked via Ethernet
~ Developed by SRI International
~ The program uses the C and Perl languages to write agent processes for both Sun and non-Sun platforms
~ Features:
Optimized storage structures
Reports the status of the system and target host
Increase in the number of rules that generate alert information
IDS Tool: SecureHost
~ Avoids attacks by immediately halting the suspected applications
~ Supports Windows 2000, NT and Solaris 8 platforms
~ Features:
Supervises the enterprise network for application performance
Integrates with other SecureNet intrusion detection products, thus maximizing security
Monitors file integrity in real time
Downtime of network components is reduced
Prelude IDS: The Hybrid IDS framework
~ Product that makes all security applications accountable to a central system
Security applications can be open source or proprietary
~ Uses IDMEF (Intrusion Detection Message Exchange Format), an IETF (Internet Engineering Task Force) standard, to manage events from the diverse languages of the various sensors
Prelude IDS: Components
~ Sensors: Generate events when malevolent activity is sensed in the data stream
~ Managers: Accessible servers that gather information from sensors and other Prelude managers and store it in the database
~ Frontends: Interface for security analysts to view statistical data
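As an added example (not Prelude's own code) of the sensor, manager and frontend roles above, and of the per-address attack aggregation that the distributed IDS central server performs, the Python program below has a sensor emit an IDMEF alert whose element names follow RFC 4765 (simplified: the timestamp is a constructed literal and optional attributes are omitted), a branch manager collect alerts from three sensors and relay them to a security-center manager, and a frontend summarise the store by analyzer, source address, target and severity. Sensor names, addresses and alert texts are constructed assumptions.

```python
# Added example, not Prelude's own code: a sensor emits an IDMEF alert (element
# names follow RFC 4765, simplified), a manager collects alerts from sensors and
# relays them to another manager, and a frontend summarises the store.
# Sensor names, addresses and alert texts below are constructed sample data.
import xml.etree.ElementTree as ET
from collections import Counter

IDMEF_NS = "http://iana.org/idmef"
NS = {"idmef": IDMEF_NS}
ET.register_namespace("idmef", IDMEF_NS)

def q(tag):  # qualified tag name in the IDMEF namespace
    return "{%s}%s" % (IDMEF_NS, tag)

def make_alert(analyzer_id, message_id, src_ip, dst_ip, dst_port, text, severity):
    """Sensor side: build one IDMEF-Message carrying a single Alert."""
    root = ET.Element(q("IDMEF-Message"), version="1.0")
    alert = ET.SubElement(root, q("Alert"), messageid=message_id)
    ET.SubElement(alert, q("Analyzer"), analyzerid=analyzer_id)
    ET.SubElement(alert, q("CreateTime")).text = "2019-07-30T10:00:00Z"  # constructed
    for role, ip in (("Source", src_ip), ("Target", dst_ip)):
        node = ET.SubElement(ET.SubElement(alert, q(role)), q("Node"))
        addr = ET.SubElement(node, q("Address"), category="ipv4-addr")
        ET.SubElement(addr, q("address")).text = ip
    service = ET.SubElement(alert.find("idmef:Target", NS), q("Service"))
    ET.SubElement(service, q("port")).text = str(dst_port)
    ET.SubElement(alert, q("Classification"), text=text)
    ET.SubElement(ET.SubElement(alert, q("Assessment")), q("Impact"), severity=severity)
    return ET.tostring(root)

def parse_alert(xml_bytes):
    """Manager side: normalise one IDMEF alert into a flat record."""
    alert = ET.fromstring(xml_bytes).find("idmef:Alert", NS)
    def first_text(path):
        node = alert.find(path, NS)
        return node.text if node is not None else None
    return {
        "id": alert.get("messageid"),
        "analyzer": alert.find("idmef:Analyzer", NS).get("analyzerid"),
        "src": first_text("idmef:Source/idmef:Node/idmef:Address/idmef:address"),
        "dst": first_text("idmef:Target/idmef:Node/idmef:Address/idmef:address"),
        "port": first_text("idmef:Target/idmef:Service/idmef:port"),
        "text": alert.find("idmef:Classification", NS).get("text"),
        "severity": alert.find("idmef:Assessment/idmef:Impact", NS).get("severity"),
    }

class Manager:
    """Gathers alerts from sensors or, when relaying, from downstream managers."""
    def __init__(self, name):
        self.name, self.raw, self.store = name, [], []  # store stands in for the database
    def receive(self, xml_bytes):
        self.raw.append(xml_bytes)
        self.store.append(parse_alert(xml_bytes))
    def relay_to(self, upstream):
        """Relaying: forward every IDMEF message unchanged to another manager."""
        for msg in self.raw:
            upstream.receive(msg)

def frontend_summary(manager):
    """Frontend side: counts by analyzer, source, target and severity; the
    per-source grouping mirrors the aggregation a DIDS central server does."""
    recs = manager.store
    return {"alerts": len(recs),
            "by_analyzer": dict(Counter(r["analyzer"] for r in recs)),
            "by_source": dict(Counter(r["src"] for r in recs)),
            "by_target": dict(Counter(r["dst"] for r in recs)),
            "by_severity": dict(Counter(r["severity"] for r in recs))}

def run_branch_and_center():
    """Branch manager fed by three sensors, then relayed to the security center."""
    branch, center = Manager("branch-A"), Manager("security-center")
    for args in (("sensor-A", "1", "10.3.0.7", "10.2.0.9", 80, "web request for /etc/passwd", "medium"),
                 ("sensor-B", "2", "10.3.0.7", "10.2.0.9", 139, "xmas-flag probe", "low"),
                 ("sensor-C", "3", "10.1.0.5", "10.2.0.4", 22, "repeated login failure", "high")):
        branch.receive(make_alert(*args))
    branch.relay_to(center)
    return frontend_summary(center)
```

After relaying, the security-center manager holds all three alerts, and the summary shows two of them sharing the source 10.3.0.7, the grouping an analyst would use to recognise one attacker behind two sensors' reports.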
Interaction between Prelude components
[Figure: Sensor A, Sensor B and Sensor C report to a Manager, which feeds the Database and the Frontend]
Interaction between Prelude Components: Relaying
[Figure: Branch A (Sensor A, Sensor B and Sensor C reporting to a Manager with its own Database and Frontend) relays to the Security center (Manager, Database and Frontend, with Sensor D, Sensor E and Sensor F reporting to it directly)]
Interaction between Prelude Components: Reverse Relaying
[Figure: Sensor A, Sensor B and Sensor C, three Managers, a Database and Frontend, and a data connection crossing the DMZ]
Intrusion Prevention System
~ Device that employs access control for securing systems from abuse
~ Enhancement of IDS
~ IPS needs to function as an IDS in order to output considerably fewer false positives
~ Application content is the key for making access control decisions
IDS Vs IPS
IDS | IPS
Placed on the network passively | Placed inline (actively)
Cannot parse encrypted traffic | Better at defending applications
Installed on network segments (NIDS) and on hosts (HIDS) | Installed on network segments (NIPS) and on hosts (HIPS)
Becomes reactive by providing alerts | Becomes proactive by blocking
Ideal for identifying hacking attacks | Ideal for blocking web destruction
IPS Tool: Sentivist
~ Identifies attacks using false positives and permits the use of automated response features without disturbing critical applications
~ Developed by NFR Security
~ Sentivist runs on the FreeBSD platform with MySQL, and collector sensors on Solaris and Red Hat Linux
~ Features:
Confidence index scoring
Based on threshold settings, identifies both slow and less intense attacks
Centralized data management
Reporting with 42 different templates
[Screenshots: IPS Tool: Sentivist]
IPS Tool: McAfee
~ Defends the servers and desktops absolutely from a variety of identified and unidentified attacks
~ Copyrighted by Network Associates Technology
~ Designed for Windows NT, 2000, XP; Solaris 7, 8, 9; HP-UX 11i, 11.0
~ Features:
Sole host IPS that combines signatures with regulating characteristics
Prevents buffer overflow
System firewall
Obscure to end users
Encapsulates the applications
Centralized management
Network Antivirus Software
~ Anti-vir
~ Avast!
~ AVG free edition
~ ClamWin
~ Vcatch
~ TrendMicro HouseCall
~ McAfee's VirusScan Online
~ Omniquad Personal Firewall Freeware
~ GFI Email security test
~ R-Firewall
~ SensiveGuard
~ Shields Up!
~ Bootminder
~ NOD32
~ BitDefender
~ SpamDel
Summary
~ James Anderson gave the foundation of IDS by writing the paper Computer Security Threat Monitoring and Surveillance
~ Network-based IDS is used to monitor TCP/IP packets in the network
~ Host-based IDS is used to monitor the data that originates on systems
~ Implementation of IDS is affected by the ability to confirm a system for its environment-specific requirements
~ Snort is a Network Intrusion Detection System (NIDS) based on libpcap; it performs packet sniffing and works as a logger
~ Prelude uses IDMEF (Intrusion Detection Message Exchange Format), an IETF standard for managing events in the diversified languages of the various sensors