Introduction To Intrusion Detection Systems


A brief introduction to the concepts of Intrusion Detection Services

Published in: Technology

  1. Introduction to Intrusion Detection Systems, Paul Green CISSP
  2. What is an IDS?
     - A software or hardware device
     - Monitors a network or hosts for:
       - Malware (viruses, trojans, worms)
       - Network attacks via vulnerable ports
       - Host-based attacks, e.g. privilege escalation
  3. What is in an IDS?
     - An IDS normally consists of:
       - Various sensors placed within the network or on hosts
         - These are responsible for generating the security events
       - A central engine
         - This correlates the events and uses heuristic techniques and rules to create alerts
       - A console
         - Enables an administrator to monitor the alerts and configure/tune the sensors
  4. Different types of IDS
     - Network IDS (NIDS)
       - Examines all network traffic that passes the NIC the sensor is running on
     - Host-based IDS (HIDS)
       - An agent on the host that monitors host activities and log files
     - Stack-based IDS
       - An agent on the host that monitors all of the packets that leave or enter the host
       - Can monitor specific protocols (e.g. HTTP on a web server)
  5. Why do we need an IDS?
     - Firewalls use rules to reject unwanted network traffic
     - Hackers can hide attacks in "acceptable" network traffic, thereby bypassing the firewall
     - An IDS actually inspects the network traffic, packet by packet
     - An IDS uses rules as well as signatures to identify unwanted network traffic
     - An IDS can learn what acceptable network traffic looks like
  6. Passive versus reactive (IPS)
     - A passive system detects the anomaly, logs the information and creates an alert
       - Can be used to track a potential security breach without alerting the hacker
     - A reactive system detects the anomaly and performs an action to limit the impact
       - Also known as an Intrusion Prevention System (IPS)
       - Example actions:
         - Reset the suspicious connection
         - Create a new firewall rule to block the attack
  7. NIDS in more detail
     - Detects malicious activity such as port scans by monitoring network traffic
       - Monitors incoming and outgoing network traffic
       - Does not alter or affect the traffic on the wire (non-intrusive)
       - Compares activity to known attack signatures
       - Can sometimes detect shellcode in transit
       - Example: Snort
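Slide 7 lists what a NIDS sensor does; as an added example (not from the deck and not Snort's code), here is a toy sensor in Python that applies a hypothetical content signature and a port-scan threshold to constructed packet records. The Packet fields, the signature, the thresholds and every address are assumptions made for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:               # one captured packet, reduced to the fields inspected here
    ts: float               # capture time in seconds
    src: str
    dst: str
    dport: int
    payload: bytes = b""

SIGNATURES = [("path-traversal", b"../../")]   # hypothetical Snort-style content match
SCAN_PORTS = 10      # alert when one source hits this many distinct ports...
SCAN_WINDOW = 5.0    # ...on one destination within this many seconds

def match_signatures(pkt):
    """Names of every signature whose pattern occurs in the payload."""
    return [name for name, pat in SIGNATURES if pat in pkt.payload]

def detect_port_scans(packets):
    """Distinct destination ports per (src, dst) in a sliding window; one alert
    per pair, raised the first time it crosses the threshold."""
    history = defaultdict(list)        # (src, dst) -> [(ts, dport), ...]
    alerted, alerts = set(), []
    for p in sorted(packets, key=lambda p: p.ts):
        key = (p.src, p.dst)
        hist = history[key]
        hist.append((p.ts, p.dport))
        while p.ts - hist[0][0] > SCAN_WINDOW:   # expire entries outside the window
            hist.pop(0)
        ports = {dp for _, dp in hist}
        if len(ports) >= SCAN_PORTS and key not in alerted:
            alerted.add(key)
            alerts.append((p.src, p.dst, sorted(ports)))
    return alerts

def analyse(packets):
    """Run both checks and return alert lines as a sensor would log them."""
    lines = [f"SIG {name} {p.src}->{p.dst}:{p.dport}"
             for p in sorted(packets, key=lambda p: p.ts)
             for name in match_signatures(p)]
    lines += [f"SCAN {src}->{dst} ports={len(ports)}"
              for src, dst, ports in detect_port_scans(packets)]
    return lines

# Constructed sample: a 12-port sweep from 10.0.0.5, one suspicious HTTP request
# from 10.0.0.7 and one benign packet from 10.0.0.8, all aimed at 10.0.0.20.
SAMPLE = [Packet(0.1 * i, "10.0.0.5", "10.0.0.20", 20 + i) for i in range(12)] + [
    Packet(3.0, "10.0.0.7", "10.0.0.20", 80, b"GET /../../etc/passwd HTTP/1.0"),
    Packet(4.0, "10.0.0.8", "10.0.0.20", 443, b"ordinary request body")]
```

Calling analyse(SAMPLE) yields one SIG line for the traversal request and one SCAN line for the sweep; the benign packet produces nothing.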
  8. HIDS in more detail
     - Monitors which program accesses what resources and when
       - Monitors log files (syslog, event log, etc.)
       - Monitors access to system files (e.g. the password database) using a checksum database
       - Monitors use of privileged users (administrator, root, etc.)
       - Monitors system memory structures (vtables)
       - Examples: Tripwire, OSSEC
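Slide 8 mentions checking system files against a checksum database; this added Python example (not Tripwire's or OSSEC's code) builds such a baseline over a directory tree and reports what changed on a second pass. The directory layout, file names and contents in demo() are constructed for the illustration.

```python
import hashlib
import os
import tempfile

def file_digest(path):
    """SHA-256 of a file, streamed in chunks so large files stay out of memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map each regular file under root to its hash and permission bits. A real
    agent keeps this database off-host or signed, so a root-level intruder
    cannot simply rewrite the baseline to match their changes."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are out of scope here
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": file_digest(full),
                             "mode": os.stat(full).st_mode & 0o7777}
    return baseline

def compare(baseline, current):
    """Files that appeared, disappeared, or changed content or permissions."""
    both = set(baseline) & set(current)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(p for p in both if baseline[p] != current[p])}

def write(path, text, mode="w"):
    with open(path, mode) as f:
        f.write(text)

def demo():
    """Constructed scenario: snapshot a tiny fake /etc, then change, remove
    and add a file the way the checker would see it on its next run."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        write(os.path.join(etc, "passwd"), "root:x:0:0:root:/root:/bin/sh\n")
        write(os.path.join(etc, "hosts"), "127.0.0.1 localhost\n")
        baseline = build_baseline(root)                          # trusted snapshot
        write(os.path.join(etc, "passwd"), "svc:x:0:0::/:/bin/sh\n", "a")  # changed
        os.remove(os.path.join(etc, "hosts"))                    # removed
        write(os.path.join(etc, "rc.local"), "# constructed\n")  # added
        return compare(baseline, build_baseline(root))
```

Comparing permission bits as well as hashes means a chmod on an unchanged file is still reported as modified.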
  9. Host-based IDS in more detail
     - Monitors network packets as they traverse up the OSI layers
       - Can monitor for specific protocols
       - Allows the IDS to pull the packet before it reaches the application or OS
       - Normally a hybrid HIDS agent
       - Implementations differ between vendors
       - Example: RealSecure
  10. Simple implementation of IDS
  11. Simple implementation of IDS
     - Place a HIDS on all hosts to be monitored
       - Use a hybrid HIDS where specific applications need to be monitored
     - Set the NIDS server NIC to promiscuous mode (to enable the NIDS to see all traffic)
       - A hub repeats all traffic on the network segment to every network node
     - A NIDS is needed on every network segment that is to be monitored
  12. IDS in a switched network
     - Switches do not send all network traffic to all nodes (forwarding is point to point)
       - Therefore the traffic must be copied to the sensor
     - Use either a TAP or SPAN the required ports
       - A TAP splices into the data line and copies all traffic without interfering with the original traffic
       - SPAN is a switch feature that copies all traffic from a range of ports to another port (the SPAN port); the IDS is then connected to the SPAN port
  13. IDS in a switched network (TAP)
     - The TAP copies all packets to the NIDS
     - There is no change or delay to the existing packets
     - To copy packets in both directions the TAP needs to provide two connections to the NIDS
  14. IDS in a switched network (SPAN)
     - SPAN copies all packets (TX and RX) to the SPAN port
     - Some packets are not copied (e.g. undersize/oversize packets)
     - Can easily overload the SPAN port
     - The IDS is vulnerable to attack
       - Need to use stealth mode
     - Can affect the performance of the switch
  15. Further reading
     - Snort Intrusion Detection and Prevention Toolkit, Brian Caswell et al.
     - Implementing Intrusion Detection Systems, Tim Crothers
     - Wikipedia – search for IDS
  16. Paul Green CISSP, MACS
     - Paul is an information security practitioner, currently residing in Brisbane, Queensland. He has worked with government and financial institutions to help them understand their information security risks and identify suitable process and technical solutions to mitigate those risks.
     - He has experience working with authentication and access control; network security; and monitoring solutions, as well as performing information security reviews and creating security policies.
     - Paul may be contacted through LinkedIn or via personal email: [email_address]