MM Clements A Adekunle
Lecture Overview
Taxonomy of intrusion detection systems
Promiscuous and inline mode protection: IDS, IPS
IDS and IPS deployment considerations and example
Cisco IDS family
Snort
IDS/IPS vulnerabilities
How to protect an IDS?
Unified Threat Management (UTM)
Summary
Engineering and Management of Secure Computer Networks 2
Intrusion Detection
Detection and protection from attacks against networks
Three types of network attacks:
Reconnaissance
Access
Denial of service
Profile-based detection:
Alerts the administrator or user when traffic is detected which is anomalous, or significantly different from, the baseline.
Example: Snort SPADE plug-in
Prone to a high number of false positives

Signature-based detection:
Examples: Cisco Sensors 4200 series, Snort
Less prone to false positives
Unable to detect zero-day threats whose signatures are not available
Signature Types
Atomic: the trigger is contained in a single packet.
Example: Looking for the pattern /etc/passwd in the traffic
[Figure: firewall between the untrusted network and the protected servers, with an agent installed on each host (WWW server, DNS server)]
Software: Sensor software installed on server and placed in network to monitor network traffic.
Examples: Snort, Bro, Untangle
[Figure: network sensor placed beside the firewall facing the untrusted network, reporting to a management system, with the WWW and DNS servers behind it]
[Figure: sensor attached through a monitoring interface to the switch sitting between two routers]
The sensor can send an alarm to a management console and take a response action such as resetting the connection.
[Figure: sensor monitoring traffic towards the target and reporting to the management system]
Sensor on the outside (Internet side of the firewall):
Sees all traffic destined for your network
Has a high probability of raising false alarms (false positives)
Does not detect internal attacks

Sensor on the inside:
Sees only traffic permitted by the firewall
Has a lower probability of false alarms (false positives)
Requires immediate response to alarms
[Figure: IDS sensor deployment: router facing the untrusted network, a DMZ containing the WWW server, DNS server, IDS sensor and management server, and a switch into the corporate network]
[Figure: combined deployment: router and firewall facing the untrusted network, two sensors reporting to a management server, and a DMZ whose WWW and DNS servers each run an agent]
[Figure: Cisco IDS family: performance (Mbps) of the IPS 4215, NM-CIDS, AIP-SSM and IPS 4240 sensors plotted against supported network media (10/100 TX, 10/100/1000 TX, 1000 SX, switched/1000)]
Snort
Open source, freely available software (except for some rule sets)
Installed as a dedicated server on Windows, Linux or Solaris operating systems
Placed as a network sensor in a network
Rules are a set of instructions that define the action to take after matching a signature (atomic or composite)
Example:
# local rules use sid >= 1000000; sid and rev are required for the rule to load
alert tcp $HOME_NET any -> $EXTERNAL_NET any (content:"uk.youtube.com"; msg:"someone visited YouTube"; sid:1000001; rev:1;)
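To make the rule format and the atomic-signature idea concrete, here is an added example in Python (not code from the lecture or from the Snort project): a toy parser for the rule header and the content/msg options, run over constructed packets. The $HOME_NET/$EXTERNAL_NET values, the second rule (an atomic /etc/passwd signature) and the packets are all constructed for the example; real Snort additionally normalises traffic, reassembles streams and uses a fast pattern matcher.

```python
import ipaddress
import re

# Constructed stand-ins for the sensor's $HOME_NET / $EXTERNAL_NET variables.
NET_VARS = {"$HOME_NET": ["10.0.0.0/8"], "$EXTERNAL_NET": ["!10.0.0.0/8"]}
HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
OPTION = re.compile(r'(\w+)\s*:\s*("[^"]*"|[^;]*);')

def parse_rule(text):
    """Split one Snort rule into its header fields plus a dict of its options."""
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("malformed rule: " + text)
    action, proto, src, sport, dst, dport, body = m.groups()
    opts = {k: v.strip().strip('"') for k, v in OPTION.findall(body)}
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "opts": opts}

def addr_matches(spec, ip):
    """Resolve any / CIDR / variable / negated (!) address specs against one IP."""
    addr = ipaddress.ip_address(ip)
    return spec == "any" or any(
        (addr in ipaddress.ip_network(s.lstrip("!"), strict=False)) != s.startswith("!")
        for s in NET_VARS.get(spec, [spec]))  # inside a plain net, or outside a negated one

def rule_matches(rule, pkt):
    """Header fields first, then the atomic content signature on this single packet."""
    port_ok = lambda spec, port: spec == "any" or int(spec) == port
    header_ok = (rule["proto"] == pkt["proto"]
                 and addr_matches(rule["src"], pkt["src"]) and port_ok(rule["sport"], pkt["sport"])
                 and addr_matches(rule["dst"], pkt["dst"]) and port_ok(rule["dport"], pkt["dport"]))
    content = rule["opts"].get("content")
    return header_ok and (content is None or content.encode() in pkt["payload"])

def run_rules(rules, packets):
    """Return the msg of every alert rule that fires, in packet order (what the sensor would log)."""
    return [r["opts"].get("msg", "(no msg)") for p in packets for r in rules
            if r["action"] == "alert" and rule_matches(r, p)]

def pkt(src, sport, dst, dport, payload):
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport, "payload": payload}
# Constructed rules: the lecture's YouTube rule (quoting fixed) and an atomic /etc/passwd signature.
RULES = [parse_rule('alert tcp $HOME_NET any -> $EXTERNAL_NET any '
                    '(content:"uk.youtube.com"; msg:"someone visited YouTube"; sid:1000001; rev:1;)'),
         parse_rule('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
                    '(content:"/etc/passwd"; msg:"/etc/passwd in request"; sid:1000002; rev:1;)')]
# Constructed packets: internal browser to uk.youtube.com, outside request for /etc/passwd, benign internal.
PACKETS = [pkt("10.1.1.5", 51000, "203.0.113.20", 80, b"GET / HTTP/1.1\r\nHost: uk.youtube.com\r\n\r\n"),
           pkt("203.0.113.9", 44000, "10.1.1.20", 80, b"GET /../../etc/passwd HTTP/1.1\r\n\r\n"),
           pkt("10.1.1.5", 51001, "10.1.1.20", 80, b"GET /index.html HTTP/1.1\r\n\r\n")]
```

`run_rules(RULES, PACKETS)` fires only on the first two packets; the benign internal request fails the $EXTERNAL_NET source check before any content is inspected.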
Snort Modes
Sniffer Mode
Used to sniff traffic from the network. Traffic is captured using libpcap or WinPcap.
Logger Mode
Simple logging to a file. Two possible formats: binary and ASCII.
IDS/IPS Vulnerabilities
Cisco IPS Packet Handling DoS
In July 2006, a DoS vulnerability was discovered on Cisco IPS 4200 series models which were running version 5.1 software.

Snort Rule Matching Backtrack DoS
Snort versions 1.8 through 2.6 had a DoS vulnerability, found on January 11, 2007, in which a crafted packet exploits Snort's rule matching algorithm. This could cause the algorithm to slow down to the point where detection may become unavailable. Snort was quick to release version 2.6.1, which corrected this issue.
Summary
An intrusion detection system (IDS) is software or hardware designed to monitor, analyze and respond to network traffic.
IDS can be classified as profile-based or signature-based intrusion detection.
Signatures can be defined as atomic or composite.
IDS can be host-based or network-based.
IDS is used as promiscuous-mode protection in the DMZ; IPS is used as inline-mode protection for securing the internal network.
Cisco 4200 series IDS and IPS sensors offer a rich set of IDS and IPS features.
Snort is an open source, free IDS that can operate in sniffer, logging and intrusion detection/prevention modes. Snort uses rules to analyze traffic.
IDS/IPS software can itself be vulnerable to exploits, so run a patched version and shut down unnecessary services.
Unified Threat Management (UTM) is a network device that combines many features in one box, e.g. Untangle, WatchGuard.