Computer & Network Security - Welcome to University of Computer & Network Security - Welcome to the University.doc

Uploader: dzzj200808   Document ID: 2779194   Uploaded: 2018-09-27   Format: DOC   Pages: 17   Size: 99.50KB

IDS 1
Intro to Network Security: Intrusion Detection Systems

Text: Network Security: The Complete Reference, Bragg, Rhodes-Ousley, Strassberg et al., Chapter 14

Objectives. The student should be able to:
- Define how a signature-based, anomaly-based, and rule-based IDS works.
- Define stealth mode for a NIDS.
- Define false positives, false negatives, and how both affect the sensitivity of an IDS.
- Describe the difference between an IDS and an IPS and the advantages/disadvantages of each.
- Describe when you would use a host IDS and/or a network IDS and some advantages of each.
- Describe the functions of different host IDS systems: system integrity verifiers, statistics monitors, deception systems, and configuration auditors.
- Draw the internal configuration of a tap, and describe how a switch SPAN port works.
- Describe the three responses that Cisco IDSs can support in response to an attack.
- Describe the capabilities and cost of Snort, including its features, its programmability, its configurability, and its directory structure.

Class Time:
- Lecture, Intro: 1 hour
- Lecture, NIDS: 1 hour
- Lab: 1 hour
- Total: 3 hours

IDS 2
Intrusion Detection Systems

Intrusion Detection System (IDS): a security violation detector; it raises an alarm when a violation occurs.

Attacks come from:
- Inside: unintentional (e.g., a virus on a floppy, or misuse that causes a crash) or deliberate.
- Outside: Internet script kiddies and knowledgeable hackers.
Firewalls only protect against the outside.

Types of attacks an IDS tries to catch:
- Protocol attacks, e.g., flag exploits, fragmentation attacks
- Attempts at impersonation
- Password cracking
- Buffer overflows
An IDS cannot detect attacks that look close to normal traffic.

IDS 3

False positive: an innocent action logged as an attack.
False negative: an attack that is not recognized.
Sensitivity of the system: the balance between false positives and false negatives. The administrator must achieve the right balance of sensitivity.

Intrusion Detection System (IDS): sniffs traffic and reports possible violations.
- Difference between a firewall and an IDS: the IDS can name the attack.
Intrusion Prevention System (IPS): reports violations and prevents attacks from occurring.
- Does inline processing, similar to a firewall: drops packets, resets connections, routes suspicious traffic for analysis.
- Problems: delays in processing; a bottleneck.
- Since an IDS often has a high rate of false positives, IPS is in its early stages.

What an IDS cannot detect:
- Passwords not changed from the default
- File transfer of confidential files
- Social engineering techniques
- It cannot decipher encrypted messages on a network

IDS 4
Network- versus Host-Based

Network-based IDS: searches network traffic in promiscuous mode for attack patterns.
Host-based IDS, three types:
- Log based: scans the logs of the host for attack patterns
- Stack based: examines network traffic arriving at the host for attack patterns
- Combination of the two

Log-based data analysis: sort events and analyze them from multiple agents.
- Countermeasure: take action to thwart the attack
- Alert: send an email/SMS or pager message; sound an alarm; display a dialog box; send an SNMP trap
- Log: requires massive, fast storage
- Can update agents with a new configuration

IDS database server: retains collected events and configuration.
- Storage: the database server logs events; it is driven by the management console and may be part of the management console.
Enterprise-management system: a management console interfacing with different types of security systems: firewalls, antivirus scanners, operating systems.


Rule direction: -> or <>

  ... $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; nocase; classtype:web-application-attack;)

Keywords can include:
- dsize: maximum packet size; larger sizes indicate problems.
- ttl: IP time-to-live value.
- fragbits: R = Reserved, D = Don't Fragment, M = More Fragments.
- ipopts: IP options: lsrr = loose source routing; ssrr = strict source routing.
- flags: S = SYN, A = ACK, F = FIN, R = Reset, + = and/or more.
- itype: ICMP packet type.
- content:
- uricontent: content of the URL (e.g., "/bin/ps").
- offset: ...
- resp: resp_keyword = rst_snd, rst_rcv, rst_all, icmp_net, icmp_host, icmp_port, icmp_all. Sends an RST to the packet sender/recipient/both; sends host/port/network unreachable.
- react: react_keyword = block, warn, msg, proxy. Used with HTTP-based attacks.

IDS 12

E.g.: alert tcp any any ... "nocmd.exe" ...

New commands used for inline configurations:
- drop: alert and drop the packet
- sdrop: drop the packet but don't trigger the alert. E.g.: sdrop udp $EXTERNAL_NET any ...
SnortSAM: changes ACLs for a set of firewalls and routers dynamically.

IDS 13
Anomaly/Host IDS

Tools range from:
- System integrity verifiers: log changes in configuration
- Statistics monitors: log usage statistics
- Configuration aid tools: vendor-supplied tools which aid in verifying configurations
- Deception systems: honeypots

System integrity verifiers. Example: generates a list of files and a hash value for each file. If file values change or new files emerge in specified directories, logs are generated.
- Used to monitor changes in operating system files (date created, modified, deleted, file size, permissions, alternate streams, hash).
- Used to save logs, preventing fraudulent changes.
- Used to monitor changes in the configurations of network equipment (routers).
- Can be run in real time or in batch at off-peak periods.
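An added example, not from the lecture notes or any of the products named here, of the snapshot-and-compare verifier described above: each regular file gets a SHA-256 hash plus size, permissions and modification time, and a second scan is diffed against the first to log added, removed and changed files. The file tree, the edit and the new file in demo() are constructed for the demonstration.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(root):
    """Baseline {relative path: attributes} for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are out of scope here
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            baseline[os.path.relpath(full, root)] = {
                "sha256": digest, "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode), "mtime": int(st.st_mtime)}
    return baseline

def diff_snapshots(old, new):
    """Log entries (path, verdict) for files added, removed or changed."""
    events = []
    for path in sorted(set(old) | set(new)):
        if path not in old:
            events.append((path, "added"))
        elif path not in new:
            events.append((path, "removed"))
        else:
            changed = [k for k in old[path] if old[path][k] != new[path][k]]
            if changed:  # any attribute difference is logged, with the attribute names
                events.append((path, "changed:" + ",".join(changed)))
    return events

def demo():
    """Constructed scenario: edit one file, add one, delete one, then re-scan."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, data, mode="wb"):
            with open(os.path.join(root, name), mode) as fh:
                fh.write(data)
        write("hosts", b"127.0.0.1 localhost\n")
        write("passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        write("old.log", b"rotated\n")
        before = snapshot(root)                           # the trusted baseline
        write("hosts", b"10.0.0.5 example.test\n", "ab")  # unauthorized edit
        write("unexpected.sh", b"#!/bin/sh\n")            # new file in a watched dir
        os.remove(os.path.join(root, "old.log"))
        return diff_snapshots(before, snapshot(root))
```

A real deployment stores the baseline somewhere the monitored host cannot rewrite it, otherwise an intruder can re-baseline after tampering.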

File integrity packages monitor file changes (in snapshot mode) and include:
- Unix: Tripwire
- Pedestal Software's INTACT
- Filechk: monitors O.S. files every N minutes
Limitations: cannot detect real-time registry changes; cannot detect alternate data streams (filename.ext:trouble).

Behavior monitoring HIDS: monitors, in real time, commands impacting passwords, permissions, system file changes, and cron changes. Includes:
- Cisco IDS Host Sensor
- Okena's StormWatch
- Entercept Security Technologies IDS solutions

Statistics monitor: provides statistics on network use, including packet statistics.
- Establishes a baseline of normal behavior
- Monitors for deviations from the norm during off-use time, after hours, etc.
- Deviations are measured as a number, a percentage, or a number of standard deviations
- HIDS statistics to monitor: high number of sessions; unusual login frequency; high CPU utilization; unusual user account activity; high number of concurrent logins, etc.
- Example NIDS: NTOP (www.ntop.org/ntop.html). Per protocol: TCP / UDP / ICMP / IPX / ARP / OSPF / IGMP / IPv6. Per time: by hour. Provides current, average, and peak statistics.

Configuration aid tools: vendor-supplied tools which aid in verifying configurations.
- Example: router audit tool, www.cisecurity.org: a batch file verifies that Cisco routers are configured properly.

IDS 14
Honeypot

Honeypot: a computer system left open for attackers.
What is it?
- A system with NO OTHER USERS or USED APPLICATIONS
- LOG all access attempts
- Honeypots are not legally a form of entrapment
Types may include:
- Port monitor: a sockets-based program that listens for connections.
- Deception system: pretends it is a real application by sending valid replies (e.g., mail).
- Multi-protocol deception system: pretends to support multiple applications.
- Full system plus intrusion detection system: an unpatched system with careful logging.
Advantages:
- Can watch and learn from attackers to strengthen the defense
- Lure an attacker to a safe place to identify and stop the attacker
- Keep attackers busy in a safe environment for hours
Disadvantages:
- Once the system is hacked it can serve as a launching pad into the rest of the network
- Honeypots must be maintained and monitored
Honeypot products:
- Honeyd: mimics 100 different systems simultaneously
- LaBrea: answers malicious requests
- SMTP honeypots track spammers: www.honenet.org
- Fred Cohen's Deception Toolkit
- Specter: www.specter.ch
- NAI CyberCop Sting
- Netcat: can be used to respond with deceptive banners
A honeypot plan should include:
- What attacks is it meant to catch?
- How will the honeypot be configured?
- What maintenance will occur?
- How will alarms be monitored and analyzed?
- How will the team react to attacks once they occur?

IDS 15
LAB: Snort IDS

To start this lab we need to start up Telnet. Telnet is normally disabled (which is a good thing with respect to security). Since it is important for you to know how to start up and stop services, it is a good idea to work with Telnet in this lab.
  Control Panel -> Administrative Tools -> Services
  Select Telnet ...

  ... content:"String you want to monitor"; nocase;)

Input the following rules at the end of the telnet.rules file:
  alert tcp any any -> any any (msg:"Accessed the Program Files directory!"; content:"Program Files"; nocase;)
  alert tcp any any -> any any (msg:"Accessed the Program Files directory!"; content:"Progra~1"; nocase;)
Save the file and exit.

4) Testing the signature
Now we will start up Snort, specifying that the Snort configuration file is to be used for searching for attack signatures (and only recognized signatures will be logged).
  cd \Snort\bin
  snort -i2 -l c:\snort\log -c c:\Snort\etc\snort.conf -E -K ASCII
The options include:
- -l: log to the specified directory
- -c: use rules from the configuration file
- -E: send events to the NT event log
- -K ASCII: save the logs in ASCII

Telnet to the other Windows VMware machine:
  telnet 10.1.1.n
Test changing directory to the illegal directory in your Telnet session. Open the Windows Event Viewer to verify that the signature worked:
  Start -> Control Panel -> Administrative Tools -> Event Viewer -> Application Log
Click on the Snort logs and read the info. You should see your alarm text. You can also do a refresh and clear the logs to see how new entries are logged. Try changing directories into and out of the Program Files directory and other directories.

IDS 17
4a) Does the rule work?
With any spare time, exit Snort and go to the \Snort\log directory. Verify that only the new logs are in the \Snort\log directory.
4b) How do these logs look? When you are done, delete these logs too.
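An added example, not part of the lecture notes and not Snort's own code, that shows why the two telnet.rules signatures above fire on a "cd Program Files" and why the earlier keyword list matters (content with nocase, flags A+, $VAR substitution from snort.conf): it parses one-line rules of the page's shape and evaluates them against packets represented as dicts. The full header of the WEB-IIS rule, the VARS values and the packet dicts are assumptions made for the demonstration; the notes only show that rule's right half.

```python
import re

HEADER = re.compile(  # action proto src sport dir dst dport (options)
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

# Constructed telnet.rules content, as in the lab above (Progra~1 is the 8.3 short name).
LAB_RULES = [
    'alert tcp any any -> any any (msg:"Accessed the Program Files directory!"; content:"Program Files"; nocase;)',
    'alert tcp any any -> any any (msg:"Accessed the Program Files directory!"; content:"Progra~1"; nocase;)',
    # header assumed for the WEB-IIS rule whose left half is missing in the notes
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags:A+; content:"cmd.exe"; nocase;)',
]
VARS = {"$EXTERNAL_NET": "any", "$HTTP_SERVERS": "10.1.1.3"}  # constructed snort.conf values

def parse_rule(text):
    """Split one rule into header fields plus an ordered list of (option, value)."""
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: " + text)
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    opts = []  # order matters: 'nocase' modifies the 'content' just before it
    for raw in filter(None, (o.strip() for o in body.split(";"))):  # no ';' inside strings here
        key, _, val = raw.partition(":")
        opts.append((key.strip(), val.strip().strip('"')))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "opts": opts}

def matches(rule, pkt, variables=VARS):
    """True when proto, addresses/ports and every content/flags option match."""
    header = [(rule["src"], pkt["src"]), (rule["sport"], pkt["sport"]),
              (rule["dst"], pkt["dst"]), (rule["dport"], pkt["dport"])]
    # resolve $VAR names from snort.conf; 'any' matches everything ('<>' would also need the swap)
    if rule["proto"] != pkt["proto"] or not all(variables.get(s, s) in ("any", str(v)) for s, v in header):
        return False
    opts = rule["opts"]
    for i, (key, val) in enumerate(opts):
        if key == "content":
            nocase = i + 1 < len(opts) and opts[i + 1][0] == "nocase"
            hay, needle = (pkt["payload"].lower(), val.lower()) if nocase else (pkt["payload"], val)
            if needle not in hay:
                return False
        elif key == "flags":  # e.g. A+ : ACK must be set, other flags allowed
            want, have = set(val.rstrip("+")), set(pkt["flags"])
            if not want <= have or (not val.endswith("+") and want != have):
                return False
    return True

def alerts(pkt, rules=LAB_RULES, variables=VARS):
    """msg text of every rule the packet triggers, in file order."""
    return [dict(r["opts"])["msg"] for r in map(parse_rule, rules) if matches(r, pkt, variables)]
```

Real Snort reassembles the TCP stream before content matching, so a "cd Program Files" typed one character at a time over Telnet still matches there; this per-packet matcher only sees what is in a single payload.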
