Module 06 - Intrusion Detection System


  • 7/30/2019 Module 06 - Intrusion Detection System

    1/53

Network Security Administrator

Module VI: Intrusion Detection System


EC-Council. Copyright by EC-Council. All Rights reserved. Reproduction is strictly prohibited

    Module Objectives

    ~ Introduction to IDS

    ~ History of Intrusion Detection

    ~ Characteristics of IDS

    ~ Importance of IDS

    ~ Deployment of IDS

    ~ Distributed IDS

    ~ Aggregate Analysis with IDS

    ~ Types of IDS

    ~ IDS Detection Methods

~ Types of Signature

~ Methods to Detect Signature

    ~ IDS Tools

~ Prelude IDS and its components

    ~ Intrusion Prevention System


    Module Flow

Introduction to IDS → History of Intrusion Detection → Characteristics of IDS → Importance of IDS → Deployment of IDS → Distributed IDS → Aggregate Analysis with IDS → Types of IDS → IDS Detection Methods → Types of Signature → Methods to Detect Signature → IDS Tools → Prelude IDS → Intrusion Prevention System


    Introduction to IDS

~ Monitors all inbound and outbound host activity and identifies suspicious patterns on the network that indicate an attack that could compromise a system

~ Gathers and analyzes information regarding the misuse of a particular computer or the whole network

~ TCP/IP packets are examined in a number of different ways after they are captured


    History of Intrusion Detection

~ 1980: James Anderson gave the foundation of IDS by writing the paper "Computer Security Threat Monitoring and Surveillance"

~ 1985: Early IDES evolved with the support of the U.S. Defense System

~ 1989: Todd Heberlein presented Network System Monitor, introducing NIDS

~ 1999: Presidential Decision Directive presented the final Federal Intrusion Detection Network to protect national infrastructure


    Some Early IDSs at a Glance

~ MIDAS (Multics Intrusion Detection and Alerting System): original IDS used on NCSC's public message system

~ Discovery: used to identify abnormal activity in a database

~ DRISC (Detect and Recover Intrusion using System Critically): presented a HIDS pattern to detect intrusion in a system

~ PDAT (Protocol Data Analysis Tool): gave heterogeneous intrusion detection

~ Essence: finds doubtful activity in VMS

~ Harris Neural Network Prototype: used to calculate deviations from normalcy


    Some Early IDSs at a Glance (contd.)

~ IDES (Intrusion Detection Expert System): first system which merged numerical behavioral study with rule-based signatures

~ ISOA (Information Security Officer's Assistant): based on the Indications and Warnings model, which gives advance warning of a forthcoming attack

~ W&S (Wisdom & Sense): system which researched a dataset and created metarules that explain the uniqueness of the data

~ Haystack: designed to assist security officers in detecting and investigating misuse

~ NSM (Network Security Manager): intended to examine data from an Ethernet local area network


    Characteristics of IDS

~ Runs constantly without human supervision

~ Survives a system crash and must be fault tolerant

~ Imposes the least possible overhead on the system

~ Observes deviations from normal behavior

~ Adapts to changes in the system and its technologies

~ Must not overlook system errors


    Importance of IDS

~ Importance in various security functions:

  Creates a database of the types of attacks

  Deals with large amounts of data

  Possesses built-in forensic and reporting capabilities

  Provides the system administrator the ability to quantify attacks

  Identifies both external hackers and internal network-based attacks

  Offers centralized management for correlation of distributed attacks


    Deployment of IDS

~ Deployment is based on the current requirements and infrastructure of a company

~ According to the standard, network sensors are deployed first and host machines afterwards

~ Placement:

  NIDS: first at the external Internet-facing segment and then at the DMZ segment

  HIDS: on all critical DMZ host devices

~ Position of sensors:

  After internal firewalls

  In the demilitarized zone

  Outside the main firewall


    Distributed IDS: Introduction and Advantages

~ Consists of a number of IDSs installed across wide networks, which exchange information either with each other or via a central server

~ Centralized details of the data can be maintained as reports

~ Advantages:

  Early identification of Internet attacks that could damage enterprise assets

  Provides the capability to identify modes of attack happening world-wide


    Distributed IDS: Components

~ Central Analysis Server: consists of a database and server; analyzes patterns of attack to identify the attacker's strategy

~ Co-operative Agent Network: agents from different parts of the network together produce reports of attacks

~ Attack Aggregation: performed by the server based on program logic, such as grouping by the IP address of the attack


Distributed IDS: Components (diagram)

[Figure: distributed IDS deployment. Locations 1 to 4 (networks shown: 10.1.0.0/16, 10.2.0.0/16, 10.3.0.0/16) each place a DIDS agent (agents 1 to 3) behind a router and firewall; the agents report across the Internet to the DIDS control center.]


    Aggregate Analysis with IDS

~ Considering the details of attacks, the advancement of attacks can be recorded

~ Determines the system's feasibility, strength and restoring capability

~ Enables the analyst to analyze the effect of an attack on the entire network by considering its effect on a single network


    Types of IDS: Network Based IDS

~ Monitors TCP/IP packets in the network

~ Two types of architecture:

  Traditional sensor-based architecture

  Distributed network-node architecture

~ Pros and cons:

  Detects a wide range of threats

  Provides an automatic response

  Difficulty in detection when network bandwidth is high


NIDS

[Figure: NIDS placement. The Internet connects through a firewall to the internal hosts; the IDS system sits on the internal segment beside the hosts.]


NIDS Architecture: Traditional Sensor-Based

~ Consists of sensors arranged throughout the network to monitor whole network segments

[Figure: traditional sensor-based NIDS data flow, numbered 1 to 9 on the slide. Network packets are captured by the network sensor as TCP/IP records and passed to the detection engine, which writes a log and raises alerts; alerts go to the response system and to the command console, which feeds a report, the database and data forensics, and is watched by the security officer.]


NIDS Architecture: Distributed Network-Node

~ Consists of an agent placed on each computer in the network to monitor only the traffic related to that individual target

[Figure: distributed network-node NIDS data flow, numbered 1 to 8 on the slide. Network packets are captured on the host by the network sensor as TCP/IP records and analyzed by a local detection engine with a local response; alerts are forwarded to the command console, which feeds a report, the database and data forensics, and is watched by the security officer.]


    Types of IDS: Host Based IDS

    ~ Monitors the data that initiates on systems

    ~ Two Types of Architecture:

    Centralized host based

    Distributed real-time host based

    ~ Pros and Cons:

    Detects broad range of decision support threats

    No requirement of dedicated hardware

    Maintenance is difficult due to distributed agents


HIDS Architecture: Centralized Host-Based

~ Data is sent to an analysis engine running on a machine other than the target of the attack

[Figure: centralized host-based HIDS data flow, numbered 1 to 10 on the slide. The audit subsystem on the target produces audit data, which a centralized collector gathers as raw data and a log; the detection engine analyzes it and raises alerts to the response system and the command console, which feeds a report, the database and data forensics, and is watched by the security officer.]


HIDS Architecture: Distributed Real-Time Host-Based

~ In real time, raw data is analyzed on the target machine and alerts are forwarded to the command console

[Figure: distributed real-time HIDS data flow, numbered 1 to 8 on the slide. The audit subsystem and collector on the target feed audit data to a detection engine running on the target itself, with a local response; alerts are forwarded to the command console, which feeds a report, the database and data forensics, and is watched by the security officer.]


Host Based IDS Vs Network Based IDS

HIDS

~ Uses information obtained from a system (a single host)

~ More adaptable with the version of the system

~ Requires less training

~ Scans the local machine registry

~ Better for detecting inbound attacks

NIDS

~ Uses the information gained from a whole section of the network

~ Less adaptable, as it relates to the whole network

~ Requires more training

~ Uses LAN bandwidth

~ Better for detecting outbound attacks


    IDS Detection Methods

    ~ Signature Detection:

    Identifies intrusions by watching

    malicious network traffic or data andcompares it to large databases of attacksignatures

    ~ Anomaly Detection: Identifies intrusions by notifying traffic

    operators about abnormal activity on thenetwork or host


    Types of Signature: Network Signatures

    ~ Packet Content Signature:

    Provides pattern matching with the packetcontent

    ~ Packet Header Analysis:

    Effective in detecting suspicious activitywithout considering packet content

    f i b d i


    Types of Signature: Host-based Signatures

    ~ Single-Event Signatures:

    Contains only one event with suspicious activity

    ~ Multi-Event Signatures: Contains multiple events and a set of transitions

    between the events

    ~

    Multi-Host Signatures: Set of events that triggered by multiple hosts

    ~ Enterprise Signatures:

    Implies multi-event signatures from variousarrangement of target machines in thatenterprise

    f d
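The single-event, multi-event and multi-host signature types above, as an added Python example written for this page (not EC-Council code or any product's rule engine). A multi-event signature is expressed as state transitions driven by successive audit events, and the multi-host check is the same correlation applied across several target machines, which is what an enterprise signature generalizes. The audit events, host names, addresses, event names and thresholds are all constructed.

```python
"""Host-based signature types over a constructed audit-event stream:
a single-event signature, a multi-event signature expressed as state
transitions, and a multi-host signature correlating events across hosts.
Added illustration for this page; hosts, addresses, event names and
thresholds are all constructed."""
from collections import defaultdict

# Constructed audit events: (timestamp in seconds, host, event type, source).
EVENTS = [
    (100, "web1", "login_failed", "10.8.0.4"),
    (105, "web1", "login_failed", "10.8.0.4"),
    (110, "web1", "login_failed", "10.8.0.4"),
    (115, "web1", "login_ok", "10.8.0.4"),        # completes the multi-event signature
    (120, "db1", "login_failed", "10.8.0.4"),
    (125, "app1", "login_failed", "10.8.0.4"),    # third distinct host: multi-host signature
    (130, "web1", "audit_log_cleared", "local"),  # single-event signature
    (200, "web2", "login_failed", "10.1.0.9"),
    (900, "web2", "login_ok", "10.1.0.9"),        # one stale failure then success: benign
]

# Single-event signature: one audit event is suspicious on its own.
SINGLE_EVENT_SIGS = {"audit_log_cleared": "audit log cleared"}


def single_event_hits(events):
    """Return (timestamp, host, description) for each single-event match."""
    return [(ts, host, SINGLE_EVENT_SIGS[etype])
            for ts, host, etype, _ in events if etype in SINGLE_EVENT_SIGS]


class FailuresThenSuccess:
    """Multi-event signature: at least `n` login failures followed by a
    success from the same source on the same host within `window` seconds.
    State per (host, source) is the failure count and the first failure
    time; each event drives a transition (count, reset, or fire)."""

    def __init__(self, n=3, window=60):
        self.n, self.window = n, window
        self.state = {}  # (host, source) -> (failures, first_failure_ts)

    def feed(self, ts, host, etype, src):
        key = (host, src)
        failures, first = self.state.get(key, (0, ts))
        if ts - first > self.window:          # window expired: start over
            failures, first = 0, ts
        if etype == "login_failed":
            self.state[key] = (failures + 1, first)
        elif etype == "login_ok":
            self.state.pop(key, None)         # a success ends the sequence either way
            if failures >= self.n:
                return (ts, host, f"{failures} failures then success from {src}")
        return None


def multi_event_hits(events, n=3, window=60):
    sig = FailuresThenSuccess(n, window)
    return [hit for hit in (sig.feed(*e) for e in events) if hit]


def multi_host_hits(events, min_hosts=3, window=120):
    """Multi-host signature: one source producing login failures on at least
    `min_hosts` distinct hosts within `window` seconds. Fires once per source."""
    seen = defaultdict(list)   # source -> [(ts, host), ...]
    hits, fired = [], set()
    for ts, host, etype, src in events:
        if etype != "login_failed":
            continue
        seen[src].append((ts, host))
        recent = {h for t, h in seen[src] if ts - t <= window}
        if len(recent) >= min_hosts and src not in fired:
            fired.add(src)
            hits.append((ts, src, sorted(recent)))
    return hits


if __name__ == "__main__":
    print(single_event_hits(EVENTS))   # [(130, 'web1', 'audit log cleared')]
    print(multi_event_hits(EVENTS))    # [(115, 'web1', '3 failures then success from 10.8.0.4')]
    print(multi_host_hits(EVENTS))     # [(125, '10.8.0.4', ['app1', 'db1', 'web1'])]
```

The stale failure on web2 at t=200 followed by a success at t=900 shows why the time window is part of the signature: without it every eventual successful login after a single typo would fire the rule.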


    Types of Signature: Compound Signatures

    ~ Correlates multiple online sources likecombination of network and host-based

    events

    ~ Advantages of compound signatures overnetwork and host-based signatures:

    Gives stronger indication of meaningful attacks

    Gives a pattern of activity that can be evaluatedvia reporting

    Combines host-based alerts with correspondingsource information to detect remote attacks

    h d i


    Methods to Detect Signature

    ~ Embedded:

    Embedded in the system and exposedthrough an editor only

    ~ Programmable:

    Writes the rules using programmingor scripting languages

    ~ Expert System:

    Creates conclusions about the dataset based on knowledge base

    T /F l P i i /N i


True/False-Positive/Negative:

~ True-Positive: an alarm was generated and a present condition should be alarmed

~ False-Positive: an alarm was generated and there is no condition present to warrant one

~ False-Negative: an alarm was NOT generated and a present condition should be alarmed

~ True-Negative: an alarm was not generated and there is no condition present to warrant one
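The two detection methods (signature and anomaly), the two network signature types (packet-content and packet-header) and the true/false-positive/negative scoring from the slides above, as an added Python example written for this page. It is illustration code, not EC-Council, Snort or any vendor's code; the packets, rules, baseline counts and ground-truth labels are all constructed. Beyond the slides, it also shows why the two methods complement each other: a burst that matches no signature is caught only by the anomaly detector, and a percent-encoded variant of a known pattern slips past a literal content rule and counts as a false negative.

```python
"""Toy network IDS: signature detection (packet-header and packet-content
signatures), anomaly detection against a traffic baseline, and scoring of
the alerts as true/false positives/negatives. Added illustration for this
page; every packet, rule, baseline value and label below is constructed."""
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Packet:
    src: str        # source IPv4 address
    dst: str        # destination IPv4 address
    dport: int      # destination TCP port
    flags: str      # TCP flag letters, e.g. "S", "SF", "PA"
    payload: bytes  # application-layer bytes


# Packet-header signatures: decided from header fields only, payload ignored.
HEADER_SIGS = {
    "SYN+FIN flag combination": lambda p: "S" in p.flags and "F" in p.flags,
    "telnet to internal host": lambda p: p.dport == 23,
}
# Packet-content signatures: byte patterns matched against the payload.
CONTENT_SIGS = {
    "directory traversal in URI": b"../../etc/passwd",
    "SQL tautology in form field": b"' OR 1=1",
}


def signature_alerts(packets):
    """Return (packet index, signature name) for every signature that fires."""
    hits = []
    for i, p in enumerate(packets):
        for name, check in HEADER_SIGS.items():
            if check(p):
                hits.append((i, name))
        for name, pattern in CONTENT_SIGS.items():
            if pattern in p.payload:
                hits.append((i, name))
    return hits


def anomalous_sources(packets, baseline_counts, k=3.0):
    """Anomaly detection: flag sources whose packet count in this window
    exceeds mean + k * stddev of the per-source counts seen in baseline windows."""
    threshold = mean(baseline_counts) + k * pstdev(baseline_counts)
    counts = Counter(p.src for p in packets)
    return {src for src, n in counts.items() if n > threshold}


def confusion(alerted, malicious, total):
    """Score alert decisions against ground truth (both are sets of packet indices)."""
    tp = len(alerted & malicious)   # alarm raised, condition present
    fp = len(alerted - malicious)   # alarm raised, nothing to warrant it
    fn = len(malicious - alerted)   # no alarm, condition present
    tn = total - tp - fp - fn       # no alarm, nothing to warrant one
    return {"TP": tp, "FP": fp, "FN": fn, "TN": tn}


# Constructed traffic sample (index: meaning).
SAMPLE = [
    Packet("10.1.0.5", "10.1.0.80", 80, "PA", b"GET /index.html HTTP/1.1"),          # 0 benign
    Packet("10.1.0.6", "10.1.0.80", 80, "PA", b"GET /../../etc/passwd HTTP/1.1"),    # 1 content hit
    Packet("10.2.0.9", "10.1.0.80", 80, "SF", b""),                                  # 2 header hit
    Packet("10.1.0.7", "10.1.0.22", 22, "PA", b"SSH-2.0-OpenSSH"),                   # 3 benign
    Packet("10.1.0.8", "10.1.0.80", 80, "PA", b"POST /login user=a&pass=' OR 1=1"), # 4 content hit
    Packet("10.1.0.5", "10.1.0.80", 80, "PA", b"GET /..%2f..%2fetc/passwd HTTP/1.1"),  # 5 encoded: literal rule misses it
    Packet("10.3.0.2", "10.1.0.80", 23, "PA", b""),                                 # 6 sanctioned legacy telnet
]
MALICIOUS = {1, 2, 4, 5}            # constructed ground truth for SAMPLE
# Twelve SYN packets from one source to successive ports: no signature above
# describes this pattern, so only the anomaly detector can see it.
BURST = [Packet("10.9.0.1", "10.1.0.80", 1000 + i, "S", b"") for i in range(12)]
BASELINE_COUNTS = [4, 5, 5, 6, 4, 5]  # constructed per-source counts from quiet windows


def score_signature_detector():
    """Run the signature rules over SAMPLE and score them against MALICIOUS."""
    alerted = {i for i, _ in signature_alerts(SAMPLE)}
    return confusion(alerted, MALICIOUS, len(SAMPLE))


if __name__ == "__main__":
    print(score_signature_detector())                          # {'TP': 3, 'FP': 1, 'FN': 1, 'TN': 2}
    print(signature_alerts(BURST))                             # [] : signatures miss the burst
    print(anomalous_sources(SAMPLE + BURST, BASELINE_COUNTS))  # {'10.9.0.1'}
```

Packet 6 is the false positive (a legitimate legacy telnet session matched by a header rule) and packet 5 the false negative (the content rule only knows the literal form), which is the practical reason real sensors normalize payloads before matching and why signature rules are tuned against a baseline of known-good traffic.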


IDS Tool: Snort

~ Network Intrusion Detection System (NIDS) based on libpcap; performs packet sniffing and works as a packet logger

~ Freeware developed by Martin Roesch

~ Runs on Linux, Solaris, BSD, and Mac OS X

~ Features:

  Real-time alerting mechanism using syslog, pop-up messages in Windows, Server Message Block (SMB), etc. during run-time

  Provides payload verification in the application layer of packets; ability to order the layer to collect the suspected traffic

  Packet filtering using Berkeley Packet Filter (BPF) commands

  Compensates for the weaknesses of other IDS tools


Snort: Installation

~ Snort is a "lightweight" NIDS: non-intrusive, easily configured, utilizes familiar methods for rule development, and takes only a few minutes to install

~ Pre-requisites:

  The pcap library (libpcap) or WinPcap library should be installed prior to Snort installation

  Available at http://www.tcpdump.org/

~ ./oinkmaster.pl -o $RULE_PATH 2>&1 | logger -t oinkmaster downloads the Snort rules into $RULE_PATH

~ SnortSnarf comes with a load of options that perform automatic review


IDS Tool: BlackICE

~ Consists of an intrusion detection system that warns of attacks and resists threats against the systems

~ Product of Internet Security Systems

~ PC and server protection for Windows-based systems

~ Features:

  Blocks illegitimate communications

  Warns the user of threats

  Reports the details of threats

  Consists of an integrated firewall and intrusion detection system


IDS Tool: M-ICE

~ Created by Thomas Biege using the C and C++ programming languages

~ M-ICE: Modular Intrusion Detection and Countermeasure Environment

~ Designed for BSD, Unix-like, and Linux platforms

~ Features:

  Bridges the gap between research and development of IDS

  Works with host-based and other IDS systems

  Requires use of an open and consistent message format


IDS Tool: Secure4Audit (auditGUARD)

~ Controls and configures auditing of the system through an interface

~ Unix-based tool; runs on HP/UX 10.x+, AIX 4.x+, Solaris 2.x+

~ Developed by S4Software

~ Features:

  Integrates with various access control tools

  Same operation capability on all UNIX flavors

  Wide variety of configuration options

  Reports system audits in a standardized format from various sources

  Defines several review configuration files

  Operates similarly on all UNIX environments


IDS Tool: EMERALD

~ EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances

~ Aims at threatening agents by restraining illegitimate users from accessing the system's resources

~ Developed by Phillip A. Porras and Peter G. Neumann

~ Features:

  Presents a structure to associate the results of the tool's distributed analysis

  Enables world-wide exposure and reaction ability towards synchronized attacks

  Monitors are sets of units that analyze, operate and respond in the network


IDS Tool: NIDES

~ NIDES: Next-Generation Intrusion Detection Expert System

~ Performs real-time checks of user actions on several target systems linked via Ethernet

~ Developed by SRI International

~ The program uses the C and Perl languages to write the agent process for both Sun and non-Sun platforms

~ Features:

  Optimized storage structures

  Reports the status of the system and target host

  Increased number of rules that generate alert information


IDS Tool: SecureHost

~ Avoids attacks by immediately halting the suspected applications

~ Supports Windows 2000, NT and Solaris 8 platforms

~ Features:

  Supervises the enterprise network for application performance

  Integrates with other SecureNet intrusion detection products, thus maximizing security

  Monitors file integrity in real time

  Downtime of network components is reduced


Prelude IDS: The Hybrid IDS framework

~ Product that makes all security applications accountable to a central system

  Security applications can be open source or proprietary

~ Uses IDMEF (Intrusion Detection Message Exchange Format), an IETF (Internet Engineering Task Force) standard, to manage events from the diverse languages of various sensors


Prelude IDS: Components

~ Sensors: generate events when malevolent activity is sensed in the data stream

~ Managers: accessible servers that gather information from sensors and other Prelude managers and store it in the database

~ Frontends: interface for security analysts to view statistical data


Interaction between Prelude components

[Figure: sensors A, B and C report to a manager, which writes to the database and serves the frontend.]


Interaction between Prelude Components: Relaying

[Figure: relaying. Branch A runs sensors A, B and C reporting to a local manager with its own database and frontend; the security center runs sensors D, E and F reporting to its own manager with database and frontend, and the branch manager relays its events up to the security center manager.]


Interaction between Prelude Components: Reverse Relaying

[Figure: reverse relaying. Sensors A, B and C report to a manager placed in the DMZ; a second manager, holding the database and frontend, sits on the inside, and the figure marks the data connection crossing the DMZ boundary between the two managers.]


Intrusion Prevention System

~ Device that employs access control to secure systems from abuse; an enhancement of IDS

~ An IPS needs to function as an IDS that outputs considerably fewer false positives

~ Application content is the key for making access control decisions

    IDS Vs IPS


| IDS | IPS |
| Placed on the network passively | Placed inline (actively) |
| Cannot parse encrypted traffic | Better at defending applications |
| Installed on network segments (NIDS) and on hosts (HIDS) | Installed on network segments (NIPS) and on hosts (HIPS) |
| Reactive: provides alerts | Proactive: blocks |
| Ideal for identifying hacking attacks | Ideal for blocking web destruction |

    IPS Tool: Sentivist


~ Identifies attacks, handling false positives so that automated response features can be used without disturbing critical applications

~ Developed by NFR Security

~ Sentivist runs on the FreeBSD platform with MySQL; collector sensors run on Solaris and Red Hat Linux

~ Features:

  Confidence index scoring

  Based on threshold settings, identifies both slow and less intense attacks

  Centralized data management

  Reporting with 42 different templates


    IPS Tool: McAfee


~ Defends servers and desktops completely from a variety of identified and unidentified attacks

~ Copyrighted by Networks Associates Technology

~ Designed for Windows NT, 2000, XP; Solaris 7, 8, 9; HP-UX 11i, 11.0

~ Features:

  Sole host IPS that combines signatures with regulating characteristics

  Prevents buffer overflows

  System firewall

  Transparent to end users

  Encapsulates the applications

  Centralized management

    Network Antivirus Softwares


~ Anti-vir

~ Avast!

~ AVG free edition

~ ClamWin

~ Vcatch

~ TrendMicro HouseCall

~ McAfee's VirusScan Online

~ Omniquad Personal Firewall Freeware

~ GFI Email security test

~ R-Firewall

~ SensiveGuard

~ Shields Up!

~ Bootminder

~ NOD32

~ BitDefender

~ SpamDel

    Summary


~ James Anderson gave the foundation of IDS by writing the paper "Computer Security Threat Monitoring and Surveillance"

~ Network-based IDS is used to monitor TCP/IP packets in the network

~ Host-based IDS is used to monitor the data that originates on systems

~ Implementation of IDS is affected by the ability to tailor a system to its environment-specific requirements

~ Snort is a Network Intrusion Detection System (NIDS) based on libpcap; it performs packet sniffing and works as a packet logger

~ Prelude uses IDMEF (Intrusion Detection Message Exchange Format), an IETF standard for managing events from the diversified languages of various sensors