Net Sec U11 - Intrusion Detection Systems (IDS)

Why IDS?
1. Perimeter security devices only prevent attacks by outsiders
  1. why fail
    1. firewall badly configured
    2. attack too new
    3. password sniffed
  2. attacks
    1. don't detect
    2. don't react
2. insider threats
  1. can elevate privileges
  2. easier to map & exploit weak points
Ad Hoc
1. Unix - CERT checklist
  1. 1. check logs for unusual connection locations
  2. 2. "hacker activity"
  3. 3. system binaries not altered
  4. 4. network sniffers
  5. 5. check files run by 'cron' & 'at'
  6. 6. check sys files for unauthorised services
  7. 7. check "/etc/password" file
  8. 8. check sys & network config files re: unauthorised entries
  9. 9. check for hidden files
2. not recommended
3. automated systems
  1. monitor multiple hosts
  2. report & react
Knowledge-based aka Misuse detection
1. what attack signatures based on
  1. Security policy
  2. known vulnerabilities
  3. known attacks
2. limits
  1. new vulnerabilities
  2. large dbase
  3. time lag
Behaviour-based aka Statistical Anomaly Detection
1. base-line statistical behaviour
  1. gather new data
  2. exceed threshold = alarm
2. false: +'s and -'s
3. no dbase to maintain
Architecture
1. distributed set of sensors
2. centralised console
  1. manage, analyse, report & react
3. protected communication
4. secured signature updates from vendor
NIDS
1. data source = network packets
2. network adaptor = promiscuous mode
3. attack recognition module
  1. pattern/byte code matching
  2. freq./threshold crossing
  3. correlation of lesser events
4. deployment
  1. firewall
    1. outside
    2. inside
  2. between business units
  3. behind remote access server
  4. between Corp. & Partner networks
5. Strengths
  1. cheap
    1. fewer detection points
  2. missed HIDS attacks
  3. harder to hide evidence
  4. real-time detection & response
  5. OS independence
  6. detects unsuccessful attacks/malicious intent
6. Weaknesses
  1. placement critical
    1. switched networks
  2. partial matching
    1. loaded/high-speed networks
  3. indecipherable packets
  4. packet spoofing
  5. frag attacks
  6. DoS
HIDS
1. monitors sys/event/security logs in NT & syslog in Unix
  1. checks key sys files & .exe via checksums
2. regular expressions
3. port activity
4. deployment
  1. key servers
    1. sensitive info
      1. "mission critical"
  2. servers
    1. Web
    2. FTP/DNS
    3. E-commerce
5. Strengths
  1. missed NIDS attacks
  2. verifies attack success/failure
  3. monitors specific activities
  4. needs little/no h/ware
  5. encrypted & switched environments
6. Weaknesses
  1. placement critical
  2. indirect info
    1. attacker fingerprints
  3. full coverage hard
  4. detection = too late?
The Future
1. integrated approach
  1. NIDS + HIDS
2. better tools
  1. reporting
  2. management
  3. visualisation
3. event correlation
4. Statistical Anomaly Detection
5. Intrusion Protection Systems?

Next up

Net Sec U11 - Intrusion Detection Systems (IDS)

Description

Resource summary

Similar

	Created by Nick.Bell2013 over 11 years ago