Introduction To NIDS



Introduction to NIDS presentation for Linux User Group (Singapore) 2004/4/7


1. Introduction to Network IDS
   - Linux User Group Singapore
   - Friday 7th May 2004
   - By Michael Boman
2. What we will cover:
   - What to expect from a Network IDS
   - How to physically connect a Network IDS
   - Where to connect the Network IDS
   - Different types of Network IDS
   - Interoperability between different vendors' NIDS
   - What false positives / false negatives are
   - Classifying network events using severity ratings
   - Q & A
3. Why Network Intrusion Detection?
   - Prevention is ideal, but detection is a must.
   - Provides forensic capabilities for network traffic
     - Compare with a CCTV camera and its recording equipment.
   - Side effect: you learn more about your network and discover protocols, services and other resource-stealing objects you did not know were there.
4. Think about this before installing a Network IDS
   - Do you:
     - Keep your systems up to date with patches?
     - Remove unneeded services?
     - Configure iptables to protect your host(s)?
     - Actually read (and understand) the logs iptables generates?
   - If not, you are not ready to do Network IDS.
     - A NIDS will not protect you against malicious traffic; it only detects and records it.
     - A NIDS will generate even more logs.
     - A NIDS will take a considerable amount of time to configure properly, and is several times more complicated than iptables.
5. How to connect your Network IDS
   - A NIDS can be connected to a network in 3 ways:
     - Network TAP
     - Using a switch's SPAN port
     - Using a hub
6. Using a network TAP
   - Features
     - Replicates the signal on each TX pair onto a new cable, so the NIDS sees both directions of a full-duplex link
     - Has additional power to boost (regenerate) the network signal
     - Fails open: if the TAP loses power, traffic between the two devices keeps flowing
   - Drawbacks
     - Expensive (can cost over S$1000 per unit)
     - Requires 2 NICs on the NIDS (one per direction); the two half-duplex streams must be recombined on the NIDS before analysis
     - Can only monitor one link
   (TAP = Test Access Point)
7. Inside a Network TAP
   (Diagram: Device A and Device B are connected through the TAP; the TX pair of each device is copied to an RX input on the Network IDS.)
8. Can anyone spot the problem?
   - Can anyone spot the problem with this TAP design?
9. Did you figure it out?
   - The problem with this tap is:
   - If the sum of the streams collected from the two inputs exceeds the capacity of the single output, packets are dropped. Whoops!
     - On a full-duplex 100 Mbit link the two directions can carry 200 Mbit/s combined, but a single 100 Mbit monitor output can only deliver 100 Mbit/s.
     - An aggregating TAP that merges both directions onto one output has this problem; a TAP with one output per direction avoids it, but then the NIDS needs two NICs and does the merging itself.
10. Using a switch SPAN port
   - SPAN: Switched Port Analyzer (Cisco)
     - Known as a mirror port (port mirroring) by other vendors
   - Mirrors the traffic of one or more ports to a 2nd port.
   - Features
     - Can monitor several ports at the same time
     - No extra cost if the hardware is already available
   - Drawbacks
     - Not all switches support SPAN ports
     - Creates additional load on the switch (decreased switch performance)
     - Drops packets if you try to push too much traffic to a single port: mirroring even one full-duplex 100 Mbit port can offer up to 200 Mbit/s to a destination port that can only transmit 100 Mbit/s
11. Using a HUB
   - Features
     - Low cost
     - Ideal for a home network / ADSL / cable connection for "playing around"
   - Drawbacks
     - Half-duplex only: packet collisions (packet drops) and reduced throughput for every host on the hub
     - 10/100 hubs require extra care: the 10 Mbit and 100 Mbit ports form separate segments joined by an internal bridge, so a NIDS on one segment does not see traffic that stays within the other
12. Where to connect your NIDS
13. Different types of NIDS
   - Pattern matching (signature based)
     - Looks for fingerprints of vulnerabilities or exploits
     - Signature database needs to be kept up to date
   - Anomaly detection
     - Creates a profile of normal network traffic
     - Suspicious events can be defined in various ways
       - RFC compliance checking
       - Protocol analysis/decoding
       - Traffic that doesn't comply with the normal traffic criteria
     - The fact that protocols are well defined makes protocol analysis a strong contender, but many protocol implementations fail to follow their respective RFCs, so strict compliance checking alone raises alarms on legitimate but sloppy clients.
14. False Positives / False Negatives

                            Alert generated     Alert not generated
   Malicious traffic        True positive       False negative
   Non-malicious traffic    False positive      True negative
15. False Positives / False Negatives Explained
   - False positive: alert generated for non-malicious traffic
     - The biggest published drawback of NIDS
     - With too many false positives the analyst(s) tire of looking at them, and the real alerts get lost in the noise
     - Can be reduced with tuning
   - False negative: alert not generated for malicious traffic
     - Even more dangerous than false positives, as you don't get alerted at all
     - Can be reduced with tuning (but tuning that suppresses false positives too aggressively creates false negatives)
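The two detector types from slide 13 and the 2x2 table from slides 14 and 15 come together in the following example. It is added here and is not code from the presentation; it implements a hand-rolled subset of the Snort rule syntax (header plus msg: and content: options), a protocol-analysis check for HTTP, and a scorer that fills in the true/false positive/negative cells. The traffic, addresses and rules are constructed for illustration. Running it shows why a broad content match produces a false positive on an e-mail that merely mentions /bin/sh, why constraining the rule to the web port removes that false positive but still misses the non-HTTP packet, and why adding protocol analysis catches the latter.

```python
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes
    should_alert: bool  # analyst ground truth, used only to score the detector


# Constructed sample traffic (hypothetical addresses, not a real capture).
TRAFFIC = [
    Packet("10.0.0.5", "10.0.0.80", 80,
           b"GET /cgi-bin/test.cgi?cmd=/bin/sh HTTP/1.0\r\n\r\n", True),
    Packet("10.0.0.6", "10.0.0.80", 80,
           b"GET /index.html HTTP/1.0\r\n\r\n", False),
    Packet("10.0.0.7", "10.0.0.25", 25,  # mail that merely mentions /bin/sh
           b"Subject: please use /bin/sh in the cron job\r\n", False),
    Packet("10.0.0.8", "10.0.0.80", 80,  # NOP sled and shell string in a POST body
           b"POST /upload HTTP/1.0\r\n\r\n" + b"\x90" * 64 + b"/bin/sh", True),
    Packet("10.0.0.9", "10.0.0.80", 80,  # binary junk where a request line belongs
           b"\x16\x03\x01\x00\x2a\x01\x00", True),
]

# Snort-style rule subset: "alert tcp SRC SPORT -> DST DPORT (msg:...; content:...; ...)"
RULE_RE = re.compile(r"^alert tcp (\S+) (\S+) -> (\S+) (\S+) \((.*)\)$")


def parse_rule(text):
    """Parse the header and the msg:/content: options of a Snort-style rule."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule: " + text)
    src, _sport, dst, dport, opts = m.groups()
    options = {}
    for opt in filter(None, (o.strip() for o in opts.split(";"))):
        key, _, val = opt.partition(":")
        options[key.strip()] = val.strip().strip('"')
    return {"src": src, "dst": dst, "dport": dport,
            "msg": options.get("msg", ""), "content": options["content"].encode()}


def _matches(spec, value):
    """'any' matches everything; otherwise the rule field must equal the packet field."""
    return spec == "any" or spec == str(value)


def signature_alerts(rules, traffic):
    """Pattern matching: {packet index: msg} for the first rule that fires per packet."""
    hits = {}
    for i, pkt in enumerate(traffic):
        for r in rules:
            if (_matches(r["src"], pkt.src) and _matches(r["dst"], pkt.dst)
                    and _matches(r["dport"], pkt.dport) and r["content"] in pkt.payload):
                hits[i] = r["msg"]
                break
    return hits


# Protocol analysis: an HTTP request must start with "METHOD SP target SP HTTP/1.x CRLF".
HTTP_REQUEST_LINE = re.compile(rb"^[A-Z]{3,7} \S+ HTTP/1\.[01]\r\n")


def anomaly_alerts(traffic):
    """Flag anything sent to port 80 that is not a well-formed HTTP request."""
    return {i: "non-HTTP traffic to port 80" for i, pkt in enumerate(traffic)
            if pkt.dport == 80 and not HTTP_REQUEST_LINE.match(pkt.payload)}


def confusion(traffic, alerted):
    """Score a detector against ground truth: the 2x2 table from the slides."""
    tp = sum(1 for i, p in enumerate(traffic) if p.should_alert and i in alerted)
    fp = sum(1 for i, p in enumerate(traffic) if not p.should_alert and i in alerted)
    fn = sum(1 for i, p in enumerate(traffic) if p.should_alert and i not in alerted)
    return {"tp": tp, "fp": fp, "fn": fn, "tn": len(traffic) - tp - fp - fn}


BROAD_RULE = 'alert tcp any any -> any any (msg:"/bin/sh seen on wire"; content:"/bin/sh"; sid:1000001;)'
TUNED_RULE = 'alert tcp any any -> any 80 (msg:"/bin/sh sent to web server"; content:"/bin/sh"; sid:1000002;)'


def evaluate(rule_text, with_anomaly=False):
    """Run one signature (optionally plus the protocol check) and return its confusion counts."""
    alerted = set(signature_alerts([parse_rule(rule_text)], TRAFFIC))
    if with_anomaly:
        alerted |= set(anomaly_alerts(TRAFFIC))
    return confusion(TRAFFIC, alerted)


if __name__ == "__main__":
    print("broad signature       :", evaluate(BROAD_RULE))
    print("tuned signature       :", evaluate(TUNED_RULE))
    print("tuned + protocol check:", evaluate(TUNED_RULE, with_anomaly=True))
```

The broad rule scores tp=2, fp=1, fn=1; the tuned rule tp=2, fp=0, fn=1; tuned rule plus protocol check tp=3, fp=0, fn=0. Note that the tuning step removes a false positive without adding a false negative only because the attack genuinely targets port 80; tightening a rule is always a trade between the two columns of the table.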
16. Detector capability

   Property      Description                                                                                       Result in its absence
   Reliability   The level of certainty provided by the detector when it warns of a possible event                  False positives
   Sensitivity   The capability the detector has for extensive and complex analysis in locating possible attacks    False negatives
17. Network IDS Interoperability
   - Network IDS has been, and to a large extent still is, vendor-proprietary technology.
   - Signatures are written in different ways for different vendors.
     - This is starting to change; more and more NIDS products are at least incorporating part of the Snort signature language.
   - Alerts are sent and stored in vendor-proprietary formats
     - Proposed solutions
       - IDMEF/IDXP
       - SDEE
18. IDMEF / IDXP
   - Intrusion Detection Message Exchange Format
   - Internet draft (proposed RFC) by the IDWG
   - Uses IDXP (Intrusion Detection Exchange Protocol) for transport, also a proposed RFC, by the IDWG
     - IDWG = Intrusion Detection Working Group, chartered by the IETF
     - (Both were eventually published as Experimental RFCs in March 2007: IDMEF as RFC 4765 and IDXP as RFC 4767.)
19. SDEE
   - Security Device Event Exchange, released by ICSA Labs in February 2004
   - Cisco Systems, ISS, Sourcefire and TruSecure Corporation co-developed the SDEE transport protocol and specification format
   - Is not really free... See next slide..
20. SDEE Quote
   "What particularly made me look quite negatively at the SDEE spec is the ICSA Labs involvement. I contacted the ICSA Labs people on the day when SDEE was officially out, with a question about joining the IDS forum and contributing to the SDEE review. The response to my mail included an invoice for 9,000+ USD (5k for general forum membership, and 4k for the IDS cntm)."
     - Fyodor Y, Snort discussion forum on Orkut, 21 March 2004
21. SANS Severity Ratings
   - The SANS Institute has developed the following formula to classify how badly an attack affects the target:

     Severity = (Criticality + Lethality) - (System Countermeasures + Network Countermeasures)

   - Each item is assigned a value between 1 and 5, so the result ranges from -8 (a harmless event against a well-defended, unimportant target) to +8 (a lethal attack against a critical, undefended target).
22. SANS Severity Ratings (cont'd)
   - Criticality: How critical is the target to the rest of the network or to operations?
   - Lethality: How dangerous is the attack?
   - System Countermeasures: What countermeasures have been implemented on the system to defend against this threat?
   - Network Countermeasures: What countermeasures have been implemented on the network to defend against this threat?
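The severity formula from slides 21 and 22 applied to a small triage queue, as an added example that is not part of the presentation. It validates that every term lies in the 1 to 5 range (the formula is meaningless otherwise), scores each event, and orders the queue most severe first, which is how an analyst would use the rating in practice. The events and their scores are constructed for illustration.

```python
# SANS severity: (Criticality + Lethality) - (System CM + Network CM), each term 1..5.
FIELDS = ("criticality", "lethality", "system_cm", "network_cm")


def severity(criticality, lethality, system_cm, network_cm):
    """Compute the SANS severity score, rejecting any term outside 1..5."""
    for name, value in zip(FIELDS, (criticality, lethality, system_cm, network_cm)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be between 1 and 5, got {value}")
    return (criticality + lethality) - (system_cm + network_cm)


def triage(events):
    """Attach a severity score to each event and return them most severe first."""
    scored = [dict(e, severity=severity(*(e[f] for f in FIELDS))) for e in events]
    return sorted(scored, key=lambda e: e["severity"], reverse=True)


# Constructed events; the numbers are an analyst's judgement, not measurements.
EVENTS = [
    {"event": "port scan against the print server",
     "criticality": 1, "lethality": 2, "system_cm": 3, "network_cm": 5},
    {"event": "directory traversal attempt against the public web server",
     "criticality": 5, "lethality": 4, "system_cm": 2, "network_cm": 3},
    {"event": "SSH password guessing against the bastion host",
     "criticality": 5, "lethality": 3, "system_cm": 5, "network_cm": 4},
    {"event": "worm probe against the database server from the LAN",
     "criticality": 5, "lethality": 5, "system_cm": 2, "network_cm": 1},
]

if __name__ == "__main__":
    for e in triage(EVENTS):
        print(f"{e['severity']:+d}  {e['event']}")
```

The worm probe scores +7 and goes to the top of the queue, while the SSH guessing against a key-only bastion scores -1 despite hitting a critical host: strong countermeasures are meant to pull an event down the list.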
23. What have we learned?
   - Network IDS is resource intensive
   - Placement of the NIDS depends on what you want to monitor
   - The difference between a signature-based and an anomaly-based NIDS
   - IDMEF, SDEE and proprietary alert and storage formats
   - How to calculate a network event's severity level
24. Questions?
   - Got any questions? Now is the time to ask them!
25. Recommended reading material
   - TCP/IP Illustrated, Vol. 1
     - W. Richard Stevens; ISBN: 0201633469
   - Network Intrusion Detection (3rd ed.)
     - Stephen Northcutt, Judy Novak; ISBN: 0735712654
   - Intrusion Signatures and Analysis
     - Stephen Northcutt, Mark Cooper, Matt Fearnow, Karen Frederick; ISBN: 0735710635