Intrusion Detection and Prevention Systems
Jim Thavisay
University of Tulsa
SFS Cyber Corps
Security+, CNSS, NSTISSI
Overview
• Intrusion Detection and Prevention Systems
• Documentation
• Types of IDS/IPS
• Available Tools
• Sample Implementation
• Concerns
• IDS/IPS Evasion
• Development Needs
Intrusion Detection and Prevention Systems
• “Intrusion detection is a process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats…” (NIST SP800-94, 2007)
IDS vs. IPS
Documentation
• National Security Agency (NSA)
– Factsheet: Best Practices for Keeping Your Home Network Secure
– Highlight: Install a comprehensive host-based security suite
• National Institute of Standards and Technology (NIST)
– Guide to Intrusion Detection and Prevention Systems
Types of IDS/IPS
• Signature
• Anomaly (Non-baseline activities)
• Stateful Protocol (Appropriate protocol usage)
• Logging
• Detection
• Prevention
• Host
• Network
Available Tools
• OSSEC (IDS/IPS)
• Snort (IDS/IPS)
• OSSIM (SIEM)
• Splunk (SIEM)
• Sguil (NetSec Monitoring)
• Arcsight SIEM Platform (NetSec Monitoring)
• HoneyD (Honeypot)
• Hippo (Logs brute-force SSH attacks)
• PortSentry (Detects/Prevents Port Scanning)
Sample Implementation
• Tools
– Webmin
– PortSentry
– Nmap
– Wireshark
• OS
– Ubuntu 11.04 (Oneiric Ocelot)
Tools: Webmin
Tools: PortSentry
Tools: PortSentry, cont’d
Tools: Nmap
• Nmap
– sudo nmap -v 192.168.1.100
– sudo nmap -v 192.168.1.100 -S 192.168.1.192 -e wlan0
Wireshark Capture
Thresholds
• Compatibility
– Software/OS/Hardware
• User-friendly Interface
– Home users / “Average Joes”
• Evasion
IDS/IPS Evasion
• String Matching Weaknesses
• Polymorphic Shell Code
• Session Splicing
• Fragmentation Attacks
• Fragmentation Overlap
• Snort Signatures
• Denial-of-Service
• Spoofing
• 0-day Attacks
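As an added example (not part of the original slides), the three detection methods from the Types slide and the first evasion items above (string matching weaknesses, session splicing) in one small Python sensor over constructed packets: per-packet string matching misses a signature split across two segments, stream reassembly catches it, a request-line check stands in for stateful protocol analysis, and a per-source rate baseline stands in for anomaly detection. The signature, addresses and payloads are all made up for this example.

```python
import re
from collections import defaultdict

# Constructed sample packets (source IP, TCP payload) in arrival order; all
# addresses and payloads are made up for this example.
PACKETS = [
    ("10.0.0.5", b"GET /index.html HTTP/1.1\r\n"),
    ("10.0.0.9", b"GET /cgi-bin/te"),          # session splicing: the pattern
    ("10.0.0.9", b"st-exploit HTTP/1.1\r\n"),   # is split across two segments
    ("10.0.0.11", b"HELLO THERE\r\n"),          # not a valid HTTP request line
    ("10.0.0.7", b"GET /a HTTP/1.1\r\n"),
    ("10.0.0.7", b"GET /b HTTP/1.1\r\n"),
    ("10.0.0.7", b"GET /c HTTP/1.1\r\n"),
]

# Constructed signature (not a real Snort rule): byte pattern to look for.
SIGNATURES = {"cgi-test-exploit": re.compile(rb"/cgi-bin/test-exploit")}
REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]\r\n")

def reassemble(packets):
    """Group segments by source, as a stream-aware sensor would."""
    streams = defaultdict(bytes)
    for src, payload in packets:
        streams[src] += payload
    return streams

def signature_per_packet(packets):
    """Naive string matching on each packet by itself (no reassembly)."""
    return [(src, name) for src, payload in packets
            for name, pat in SIGNATURES.items() if pat.search(payload)]

def signature_per_stream(packets):
    """Same signatures, applied to reassembled streams."""
    return [(src, name) for src, data in reassemble(packets).items()
            for name, pat in SIGNATURES.items() if pat.search(data)]

def protocol_violations(packets):
    """Stateful protocol check: stream must start with an HTTP request line."""
    return sorted(src for src, data in reassemble(packets).items()
                  if not REQUEST_LINE.match(data))

def rate_anomalies(packets, baseline_per_source=2):
    """Anomaly check: sources sending more segments than the baseline."""
    counts = defaultdict(int)
    for src, _ in packets:
        counts[src] += 1
    return sorted(src for src, n in counts.items() if n > baseline_per_source)
```

Running the four functions on PACKETS shows the per-packet matcher returning nothing while the stream matcher flags 10.0.0.9, which is the whole point of the session-splicing entry above.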
Development Needs
• Easy UI for home-users
• Professional concern:
– IDS/IPS services should be integrated by professionals, so that the integrity of hosts and networks can be assessed against baseline activity
Summary
• IDS/IPS
• Documentation available
• Types of IDS/IPS
• Available Applications
• Thresholds
• IDS/IPS Evasion
• Development Needs
References
• http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf
• http://www.symantec.com/connect/articles/ids-evasion-techniques-and-tactics
• http://en.wikipedia.org/wiki/Intrusion_detection_system_evasion_techniques
• http://www.nsa.gov/ia/_files/factsheets/Best_Practices_Datasheets.pdf
• http://rfc-ref.org/RFC-TEXTS/3514/kw-intrusion_detection_system.html
• http://sectools.org/tag/ids/
Questions?