Cours_4_IDS_IPS.pptx

Course 4: IDS & IPS
S. MAKHLOUF, University of Oran 1, Ahmed Ben Bella
sidahmed.makhlouf@gmail.com
Information Systems Security

Introduction to Intrusion Detection
• Firewalls that are used to block unwanted incoming as well as
outgoing traffic of data.
• Intrusion detection systems (IDS) that are used to find out if someone
has gotten into or is trying to get into your network.
• The most popular IDS is Snort, which is available at
http://www.snort.org.

Introduction to Intrusion Detection

What is Intrusion Detection ?
• Intrusion detection is a set of techniques and methods that are used
to detect suspicious activity both at the network and host level.
• Intrusion detection systems fall into two basic categories: signature-
based intrusion detection systems and anomaly detection systems.
• Intruders have signatures, like computer viruses, that can be detected
using software.

What is Intrusion Detection ?
• You try to find data packets that contain any known intrusion-related
signatures or anomalies related to Internet protocols.
• Based upon a set of signatures and rules, the detection system is able
to find and log suspicious activity and generate alerts.
• Usually an intrusion detection system captures data from the network
and applies its rules to that data or detects anomalies in it.

Network IDS or NIDS
• NIDS are intrusion detection systems that capture data packets
traveling on the network media (cables, wireless) and match them to
a database of signatures.
• Depending upon whether a packet is matched with an intruder
signature, an alert is generated or the packet is logged to a file or
database.

Host IDS or HIDS
• Host-based intrusion detection systems or HIDS are installed as agents on a host.
• These intrusion detection systems can look into system and application log files to detect any
intruder activity.
• Some of these systems are reactive, meaning that they inform you only when something has
happened.
• Some HIDS are proactive; they can sniff the network traffic coming to a particular host on which
the HIDS is installed and alert you in real time.

Signatures
• Signature is the pattern that you look for inside a data packet.
• A signature is used to detect one or multiple types of attacks.
• For example, the presence of “scripts/iisadmin” in a packet going to your web server
may indicate an intruder activity.
• Signatures may be present in different parts of a data packet depending upon the
nature of the attack.
• For example, you can find signatures in the IP header, transport layer header (TCP or
UDP header) and/or application layer header or payload.

Alerts
• Alerts are any sort of user notification of an intruder activity.
• When an IDS detects an intruder, it has to inform security administrator about this using alerts.
• Alerts may be in the form of pop-up windows, logging to a console, sending e-mail and so on.
• Alerts are also stored in log files or databases where they can be viewed later on by security
experts.

False Alarms
• False alarms are alerts generated due to an indication that is not an
intruder activity.
• For example, misconfigured internal hosts may sometimes broadcast
messages that trigger a rule resulting in generation of a false alert.
• In some cases you may need to disable some of the rules to avoid
false alarms.

Sensor
• The machine on which an intrusion detection system is running is also
called the sensor in the literature because it is used to “sense” the
network.

Where IDS Should be Placed in Network Topology
• It depends upon what type of intrusion activities you want to detect:
internal, external or both.
• Typically you should place an IDS behind each of your firewalls and
routers.

Where IDS Should be Placed in Network Topology

Dealing with Switches
• Depending upon the type of switches used, you can use Snort on a switch
port.
• Some switches, like Cisco, allow you to replicate all ports traffic on one port
where you can attach the Snort machine.
• These ports are usually referred to as spanning ports.
• The best place to install Snort is right behind the firewall or router so that all
of the Internet traffic is visible to Snort before it enters any switch or hub.

How to Protect IDS Itself
• If security of the IDS is compromised, you may start getting false
alarms or no alarms at all.
• The intruder may disable IDS before actually performing any attack.

IDS on Stealth Interface
• Run Snort on a stealth interface which only listens to the incoming
traffic but does not send any data packets out.
• A special cable is used on the stealth interface.

IDS with no IP Address Interface
• use IDS on an interface where no IP address is assigned.
• The advantage is that when the Snort host doesn’t have an IP address
itself, nobody can access it.

IDS with no IP Address Interface

Implementing Intrusion Prevention

IDS and IPS Characteristics
Zero-Day Attacks
Worms and viruses can spread across the world
in minutes.
 Zero-day attack (zero-day threat) is a computer attack that
tries to exploit software vulnerabilities.
 Zero-hour describes the moment when the exploit is
discovered.

Monitor for Attacks
• IDSs were implemented to passively monitor the traffic on a network.
• IDS-enabled device copies the traffic stream, and analyzes the copied traffic
rather than the actual forwarded packets.
• Working offline, it compares the captured traffic stream with known
malicious signatures.
• This offline IDS implementation is referred to as promiscuous mode.
• The advantage of operating with a copy of the traffic is that the IDS does not
negatively affect the actual packet flow.
• The disadvantage of operating on a copy of the traffic is that the IDS cannot
stop malicious single-packet attacks from reaching the target before
responding to the attack.
• A better solution is to use a device that can immediately detect and stop an
attack. An IPS performs this function.

Detect and Stop Attacks
• An IDS monitors traffic
offline and generates an
alert (log) when it detects
malicious traffic including:
• Reconnaissance attacks
• Access attacks
• Denial of Service attacks
• An IDS is a passive device
because it analyzes copies
of the traffic stream.
• Only requires a
promiscuous interface.
• Does not slow network
traffic.
• Allows some malicious
traffic into the network.

Detect and Stop Attacks Cont.
• An IPS builds upon IDS
technology to detect attacks.
• However, it can also immediately
address the threat.
• An IPS is an active device
because all traffic must pass
through it.
• Referred to as “inline-mode”, it
works inline in real time to
monitor Layer 2 through Layer 7
traffic and content.
• It can also stop single-packet
attacks from reaching the target
system (IDS cannot).

IDS and IPS Characteristics Cont.
An IDS or IPS sensor can be any of the following devices:
• Router configured with Cisco IOS IPS software.
• Appliance specifically designed to provide dedicated IDS or IPS services.
• Network module installed in an adaptive security appliance (ASA), switch,
or router.
IDS and IPS technologies use signatures to detect patterns in network
traffic.
A signature is a set of rules that an IDS or IPS uses to detect malicious
activity.
Signatures are used to detect severe security breaches, common network
attacks, and to gather information.

Advantages and Disadvantages of IDS and IPS

Network-Based IPS Implementations
Network IPS Sensors
• Implementation analyzes
network-wide activity
looking for malicious
activity.
• Configured to monitor
known signatures, but can
also detect abnormal traffic
patterns.
• Configured on:
• Dedicated IPS appliances
• ISR routers
• ASA firewall appliances
• Catalyst 6500 network
modules

Network IPS Sensors Cont.
• Sensors are connected to network segments. A single sensor can monitor many
hosts.
• Sensors are network appliances tuned for intrusion detection analysis.
• The OS is stripped of unnecessary services - “hardened.”
• The hardware is dedicated to intrusion detection analysis.
• The hardware includes three components:
• Network interface card (NIC) - Able to connect to any network.
• Processor - Requires CPU power to perform intrusion detection
analysis and pattern matching.
• Memory - Intrusion detection analysis is memory-intensive.
• Growing networks are easily protected.
• New hosts and devices can be added without adding sensors.
• New sensors can be easily added to new networks.

Cisco IPS Solutions

Cisco IPS Solutions Cont.

Choose an IPS Solution
There are several factors
that affect the IPS sensor
selection and deployment:
• Amount of network traffic
• Network topology
• Security budget
• Available security staff to
manage IPS
Organization Site

IPS Advantages and Disadvantages

IPS Signature Characteristics
Signature Attributes
• Malicious traffic displays distinct characteristics or
“signatures.”
• These signatures uniquely identify specific worms,
viruses, protocol anomalies, or malicious traffic.
• IPS sensors are tuned to look for matching signatures or
abnormal traffic patterns.
• When a sensor matches a signature with a data flow, it
takes action, such as logging the event or sending an
alarm to IDS or IPS.
• Signatures have three distinctive attributes:
• Type
• Trigger (alarm)
• Action

Signature Types- Atomic Signature
Signature types are categorized as atomic or composite.
• An atomic signature is the simplest type of signature.
It consists of a single packet, activity, or event.
• Detecting atomic signatures consumes minimal
resources. These signatures are easy to identify and
understand because they are compared against a
specific event or packet.

Signature Types- Atomic Signature
Cont.
A land attack contains a spoofed TCP SYN packet with the IP address
of the target host as both source and destination, causing the machine
to reply to itself continuously.

Signature Types - Composite Signature
• A composite signature is also called a stateful
signature.
• A composite signature identifies a sequence of
operations distributed across multiple hosts over an
arbitrary period of time.
• An IPS uses a configured event horizon to determine
how long it looks for a specific attack signature.

Signature File
• As new threats are identified, new signatures must be
created and uploaded to an IPS.
• To make this process easier, all signatures are
contained in a signature file and uploaded to an IPS on
a regular basis.

Signature Micro-Engines
• To make the scanning of
signatures more efficient, the
Cisco IOS software relies on
signature micro-engines (SME),
which categorize common
signatures in groups.
• The Cisco IOS software can then
scan for multiple signatures based
on group characteristics, instead
of one at a time.
• The available SMEs vary
depending on the platform, Cisco
IOS version, and version of the
signature file.

Acquire the Signature File
• Cisco investigates/creates signatures for new threats as
they are discovered, and publishes them regularly.
• Lower priority IPS signature files are published biweekly.
• If the threat is severe, Cisco publishes signature files within
hours of identification.
• Update the signature file regularly to protect the
network.
• Each update includes new signatures and all the signatures in
the previous version.
• For example, the IOS-S595-CLI.pkg signature file includes all
signatures in file IOS-S594-CLI.pkg, plus signatures created for
threats discovered subsequently.
• New signatures are downloadable from CCO, and
required a valid CCO login.

IPS Signature Alarms
Signature Alarm
The heart of any IPS signature is the signature alarm, often referred to as the
signature trigger.

Signature Alarm
Pattern-Based Detection
Pattern-based detection, also known as signature-based
detection, compares the network traffic to a database of
known attacks and triggers an alarm, or prevents
communication if a match is found.

Signature Alarm
Anomaly-Based Detection
• Anomaly-based detection, also known as profile-based
detection, involves first defining a profile of what is
considered normal for the network or host.
• The signature triggers an action if excessive activity
occurs beyond a specified threshold that is not included
in the normal profile.

Policy-Based Detection
• Policy-based detection is also known as behavior-based
detection.
• The administrator defines behaviors that are suspicious
based on historical analysis.
• Honeypot-based detection uses a dummy server to
attract attacks.
• The honeypot approach is to distract attacks away from real
network devices.
• Honeypot systems are rarely used in production
environments.

Benefits of Implementing an IPS
• IPS use the underlying routing infrastructure to provide an
additional layer of security.
• Since Cisco IOS IPS is inline, attacks can be effectively
mitigated by denying malicious traffic from both inside and
outside the network.
• When used in combination with Cisco IDS, Cisco IOS
Firewall, VPN, and Network Admission Control (NAC)
solutions, Cisco IOS IPS provides threat protection at all
entry points to the network.
• It is supported by easy and effective management tools,
such as the Cisco Configuration Professional.
• The size of the signature database used by the device can be
adapted to the amount of available memory in the router.

Tuning IPS Signature Alarms
Trigger False Alarms
• Triggering mechanisms can generate alarms that are
false positives or false negatives.
• These alarms must be addressed when implementing
an IPS sensor.

Tune Signature
• An administrator must balance the number of incorrect
alarms that can be tolerated with the ability of the
signature to detect actual intrusions.
• If IPS systems use untuned signatures, they produce
many false positive alarms.

Tune Signature Cont.
• Low
•Abnormal network activity is detected that could be perceived
as malicious, but an immediate threat is unlikely.
• Medium
•Abnormal network activity is detected that could be perceived
as malicious, and an immediate threat is likely.
• High
•Attacks used to gain access or cause a DoS attack are
detected, and an immediate threat is extremely likely.
• Informational
•Activity that triggers the signature is not considered an
immediate threat, but the information provided is useful
information.

IPS Signature Actions
Signature Actions
• Whenever a signature detects the activity for which
it is configured, the signature triggers one or more
actions.
• Several actions can be performed:
• Generate an alert.
• Log the activity.
• Drop or prevent the activity.
• Reset a TCP connection.
• Block future activity.
• Allow the activity.

Signature Actions Cont.

Generate an Alert
• An IPS can be enabled to produce alert or a verbose
alert.
• Atomic alerts are generated every time a signature
triggers
• Some IPS solutions enable the administrator to
generate summary alerts, which indicates multiple
occurrences of the same signature from the same
source address or port.

Log the Activity
• Used when an administrator does not necessarily have
enough information to stop an activity.
• An IPS can be enabled to log the attacker packets, pair
packets, or just the victim packets.
• An administrator can then perform a detailed analysis,
and identify exactly what is taking place and make a
decision as to whether it should be allowed or denied
in the future.

Drop or Prevent the Activity
An IPS can be enabled to deny the attacker packets, deny
the connection, or deny the specific packet.

Reset, Block, and Allow Traffic

Manage and Monitor IPS
Monitor Activity
Monitoring the security-related events on a network is
also a crucial aspect of protecting a network from attack.

Monitoring Considerations

Monitor IPS Using CCP
GUI-based IPS device managers include:
• Cisco Configuration Professional (CCP) - Allows administrators to
control the application of Cisco IOS IPS on interfaces, import and
edit signature definition files (SDFs) from cisco.com, and to
configure the action that Cisco IOS IPS is to take if a threat is
detected.
• Cisco IPS Manager Express (IME) - An all-in-one IPS management
application to provision, monitor, troubleshoot, and generate
reports for up to 10 IPS sensors.
• Cisco Security Manager - Can be used to manage multiple IPS
sensors and other infrastructure devices. It supports automatic
policy-based IPS sensor software and signature updates and
includes a signature update wizard allowing easy review and editing
prior to deployment.

Secure Device Event Exchange
• IPS sensors and Cisco IOS IPS generate alarms when an
enabled signature is triggered. These alarms are stored
on the sensor and can be viewed locally, or through a
management application, such as IPS Manager Express.
• The Cisco IOS IPS feature can send a syslog message or
an alarm in Secure Device Event Exchange (SDEE)
format.
• CCP can monitor syslog and SDEE-generated events and
keep track of alarms that are common in SDEE system
messages, including IPS signature alarms.

IPS Configuration Best Practices
 The need to upgrade sensors
with the latest signature packs
must be balanced with the
momentary downtime during
which the network becomes
vulnerable to attack.
 Update signature packs
automatically.
 Download new signatures to a
secure server within the
management network.
 Place signature packs on a
dedicated SFTP server within
the management network.

IPS Configuration Best Practices Cont.
 Configure the sensors to
regularly check the SFTP server
for new signature packs.
 Keep the signature levels that
are supported on the
management console
synchronized with the
signature packs on the sensors.

IPS Global Correlation
Cisco Global Correlation
 Cisco IPS includes a security feature called Cisco Global
Correlation.
 Cisco IPS devices receive regular threat updates from a
centralized Cisco threat database called the Cisco SensorBase
Network.
 The Cisco SensorBase Network contains real-time, detailed
information about known threats on the Internet.

Cisco SensorBase Network
 When participating in global correlation, the Cisco SensorBase
Network provides information to the IPS sensor about IP
addresses with a reputation.
 The sensor uses this information to determine which actions, if
any, to perform when potentially harmful traffic is received from
a host with a known reputation.

Cisco Security Intelligence Operation
 The SensorBase Network is part of a larger, back-end security
ecosystem, known as the Cisco Security Intelligence Operation
(SIO).
 Its purpose is to detect threat activity, research and analyze
threats, and provide real-time updates and best practices to keep
organizations informed and protected.
 Cisco SIO consists of three elements:
• Threat intelligence from the Cisco SensorBase Network.
• The Threat Operations Center is the combination of automated and
human processing and analysis.
• The automated and best practices content that is pushed to network
elements in the form of dynamic updates.

Summary
• A network must be able to instantly recognize and
mitigate worm and virus threats.
• A network-based IPS should be implemented inline to
defend against fast-moving Internet worms and
viruses.
• IPS signatures provide an IPS with a list of identified
problems.
• The IPS signatures are configured to use various
triggers and actions.
• Security staff must continuously monitor an IPS
solution and tune signatures as necessary to ensure an
adequate level of protection.

Cours_4_IDS_IPS.pptx

More Related Content

Similar to Cours_4_IDS_IPS.pptx

Recently uploaded

Cours_4_IDS_IPS.pptx