Intrusion Detection, Access Control & Other Security Tools
Principles of Information Security, Chapter 7, Part 1

References

◦ NIST SP 800-31, Intrusion Detection Systems: http://csrc.nist.gov/publications/nistpubs/800-31/sp800-31.pdf#search=%22NIST%20SP%20800-31%22
◦ http://en.wikipedia.org/wiki/Intrusion-detection_system
◦ http://netsecurity.about.com/cs/hackertools/a/aa030504.htm
◦ http://sectools.org/ids.html
◦ http://www.softpanorama.org/Security/integrity_checkers.shtml
◦ http://www.sans.org/resources/idfaq/index.php
◦ http://www.sans.org/resources/idfaq/integrity_checker.php
◦ http://en.wikipedia.org/wiki/Host_based_intrusion_detection_system
◦ Tripwire: http://sourceforge.net/projects/tripwire/
◦ Integrit: http://sourceforge.net/projects/integrit/ and http://freshmeat.net/projects/integrit/

Topic Objectives

Upon completion of this chapter you should be able to:
◦ Identify and describe the categories and operating models of intrusion detection systems
◦ Identify and describe honey pots, honey nets, and padded cell systems
◦ List and define the major categories of scanning and analysis tools
◦ Describe the tools used in each major category of scanning and analysis tools
◦ Discuss various approaches to access control, including the use of biometric access mechanisms

Role of Technology in Information Security

Technical solutions, properly implemented, can enhance the confidentiality, integrity and availability of an organization's information assets.

Intrusion

◦ An attempt to gain entry into a system or to disrupt the normal operations of a system
◦ Usually, but not always, with malicious intent

Incident Response

Identification of, classification of, response to, and recovery from an incident (intrusion). Includes:
◦ Intrusion prevention: efforts to deter intrusions via policy, security programs, and technology-based countermeasures
◦ Intrusion detection: use of procedures and systems created to detect intrusions
◦ Intrusion reaction: actions taken when an intrusion is detected, including limiting losses and initiating procedures to return to normal operations
◦ Intrusion correction: finalizing restoration to a normal state, identifying the source and methods used for the intrusion, and taking action to prevent the same type of intrusion from occurring again

Intrusion Detection Systems (IDSs)

◦ Similar to burglar alarms
◦ Detect violations of configuration and activate an alarm
  - audible (noise)
  - visual (lights, etc.)
  - silent (e-mail message, pager alert)
◦ NIST SP 800-31, Intrusion Detection Systems: http://csrc.nist.gov/publications/nistpubs/800-31/sp800-31.pdf#search=%22NIST%20SP%20800-31%22

IDS is not a firewall

◦ A firewall is software/hardware that prevents access
  - The firewall examines each packet, checks whether the packet satisfies the "rules" for acceptance, and either drops it or lets it in
  - Like a guard at the gate: you must show the guard your ID to get in, or you are turned back
◦ Firewall rules are not all that sophisticated; they are the most basic and crudest level of sorting packets (addresses, ports, protocol, connection state)
◦ A typical ACL table has on the order of 30-50 rules

Add the camera to the security guard

◦ An IDS is software that monitors the network quietly, logs activities, and alerts if it sees anything "wrong"
  - Like a burglar alarm, or an alarmed security camera at the gate
  - The IDS will have rather sophisticated rules, because it carries signatures of many different types of attack, e.g. SYN flood
◦ "Secure perimeters" will have both an IDS and a firewall

Key Terminology for IDSs

◦ Alert or alarm
  - an indication that an attack/intrusion has been detected and may be in progress
◦ False negative
  - a failure to detect an actual attack
  - a major problem for an IDS
◦ False positive
  - a false indication of an attack occurring
  - can lead users to become insensitive to alarms
◦ Noise
  - activity that is not particularly significant, such as unsuccessful intrusion attempts

Key Terminology (2)

◦ Site policy
  - organizational rules and guidelines with respect to the use of IDSs
◦ Site policy awareness
  - the ability of an IDS to dynamically modify site policies
  - "smart" IDSs can adapt their reaction to activity
◦ Confidence value
  - a measure of the ability of the IDS to detect and identify an attack correctly
◦ Alarm filtering
  - similar to packet filters: alarms can be filtered based on source/destination IP addresses, OS, confidence value, alarm type or severity
  - used to separate known false positives from actual attacks

Reasons to Use an IDS

◦ Deterrence
  - deter attacks by increasing the perceived risk of discovery and punishment
◦ Detection
  - detect attacks and violations not prevented by other means, such as scanning tools or vulnerability assessments
  - detect preambles (precursors) to attacks, such as footprinting or fingerprinting activities
◦ Documentation
  - document existing threats to the organization to justify defensive measures and tools
◦ Quality assurance
  - verify the adequacy of, and improve, security design and administration
◦ Information
  - determine the causes and methods used in attacks, to prevent the same attack strategy being used again
  - obtain forensic evidence for legal action

Types of IDSs

◦ Network-based (NIDS)
  - Monitor network traffic to look for recognizable attack patterns
◦ Host-based (HIDS)
  - Focus on server or host assets, such as files
◦ Application-based
  - Focus on one application, on one or more hosts/servers
  - E.g., a distributed database system

Detection Methods

◦ Signature-based
  - Recognize characteristics of a particular type of attack
◦ Statistical anomaly-based
  - Recognize anomalies in operation or performance that may signal an attack

Network-Based IDS (NIDS)

◦ Monitors traffic on a network segment
  - Sends alerts when an attack pattern is recognized
  - May use the monitoring port or Switched Port Analyzer (SPAN) port of a switch
    - A specially configured connection capable of viewing all traffic traversing the device
    - Necessary for switches in particular, since a switch otherwise delivers each frame only to its destination port (a hub repeats every frame to every port)
◦ Snort is an example of a NIDS

NIDS Signature Matching

◦ Must compare observed activity to known attack patterns
  - Uses a special implementation of the TCP/IP stack to reassemble packets for use with verification and comparison techniques
◦ Protocol stack verification
  - Looks for invalid (malformed) TCP/IP packets
  - Exploits of packet structure
  - Example: DoS and DDoS attacks frequently use malformed packets to exploit vulnerabilities in the protocol implementation
◦ Application protocol verification
  - Application-layer protocols (HTTP, FTP, etc.) are examined for unexpected behavior or improper use
  - Exploits of protocol use
  - Example: DNS cache poisoning
  - Can significantly affect system throughput
◦ It may be necessary to use separate systems for protocol stack verification and application protocol verification
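As an added worked example (not from the slides, and not code from Snort or any other IDS product), the Python script below carries out both verification passes described above on a handful of constructed TCP segments. Protocol stack verification rejects flag combinations that no conforming stack emits; application protocol verification first reassembles each flow's payload in sequence order, as the IDS's own TCP/IP stack would, and then checks that a port-80 stream is a well-formed HTTP request whose target contains no directory traversal. The addresses, ports, packet contents and the single traversal signature are assumptions made for the illustration.

```python
"""NIDS signature matching with protocol verification (added example)."""
import re
from collections import defaultdict

# Constructed segments: the header fields a sensor pulls from IP/TCP plus the
# payload. Addresses and ports are assumptions, not captured traffic.
SEGMENTS = [
    # well-formed HTTP request split over two segments, delivered out of order
    dict(src="10.0.0.5", dst="10.0.0.80", sport=40001, dport=80, seq=200,
         flags={"ACK", "PSH"}, payload=b"Host: www\r\n\r\n"),
    dict(src="10.0.0.5", dst="10.0.0.80", sport=40001, dport=80, seq=100,
         flags={"ACK", "PSH"}, payload=b"GET /index.html HTTP/1.1\r\n"),
    # SYN and FIN together: no real stack sends this; classic fingerprint probe
    dict(src="10.0.0.9", dst="10.0.0.80", sport=40002, dport=22, seq=1,
         flags={"SYN", "FIN"}, payload=b""),
    # no flags at all: NULL scan
    dict(src="10.0.0.9", dst="10.0.0.80", sport=40003, dport=22, seq=1,
         flags=set(), payload=b""),
    # directory traversal in the request target
    dict(src="10.0.0.7", dst="10.0.0.80", sport=40004, dport=80, seq=500,
         flags={"ACK", "PSH"}, payload=b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"),
    # binary data on port 80 that is not HTTP: improper protocol use
    dict(src="10.0.0.7", dst="10.0.0.80", sport=40005, dport=80, seq=1,
         flags={"ACK", "PSH"}, payload=b"\x16\x03\x01\x00\xa5"),
]

def verify_tcp_flags(seg):
    """Protocol stack verification: reject TCP flag combinations that are
    never produced by a conforming stack. Returns a finding or None."""
    f = seg["flags"]
    if {"SYN", "FIN"} <= f:
        return "malformed: SYN+FIN"
    if {"SYN", "RST"} <= f:
        return "malformed: SYN+RST"
    if not f:
        return "malformed: no flags (NULL scan)"
    if {"FIN", "PSH", "URG"} <= f and "ACK" not in f:
        return "malformed: FIN+PSH+URG without ACK (Xmas scan)"
    return None

def flow_key(seg):
    return (seg["src"], seg["sport"], seg["dst"], seg["dport"])

def reassemble(segments):
    """Order each flow's segments by sequence number and join the payloads,
    as the IDS's own TCP/IP stack does before application-layer matching."""
    flows = defaultdict(list)
    for s in segments:
        flows[flow_key(s)].append(s)
    return {k: b"".join(s["payload"] for s in sorted(v, key=lambda s: s["seq"]))
            for k, v in flows.items()}

REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]\r\n")
# One illustrative signature over the request target (an assumption, not a
# vendor rule set): a ".." path component climbing out of the web root.
TARGET_SIGNATURES = [
    ("directory traversal in request target", re.compile(rb"(^|/)\.\./")),
]

def verify_http(stream):
    """Application protocol verification for a reassembled port-80 stream."""
    m = REQUEST_LINE.match(stream)
    if not m:
        return "improper use: port 80 stream is not an HTTP request"
    for name, pattern in TARGET_SIGNATURES:
        if pattern.search(m.group(2)):
            return "signature: " + name
    return None

def inspect(segments):
    """Run both passes; return (flow key, finding) pairs in detection order."""
    findings = []
    for s in segments:                      # per-packet checks first
        hit = verify_tcp_flags(s)
        if hit:
            findings.append((flow_key(s), hit))
    for key, stream in reassemble(segments).items():  # then per-stream
        if key[3] == 80 and stream:
            hit = verify_http(stream)
            if hit:
                findings.append((key, hit))
    return findings

if __name__ == "__main__":
    for key, hit in inspect(SEGMENTS):
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  {hit}")
```

Note that the legitimate request only passes the HTTP check because the two segments were put back in sequence order first; matching the signature against individual packets would miss a request line split across segments, which is why the slide stresses the IDS's own reassembling stack. The reassembly here ignores retransmissions and overlaps, which a production sensor must resolve the same way the destination host does.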

Pros & Cons of NIDS

Pros
◦ Conservation of equipment through strategic design and placement: a few sensors cover many hosts
◦ Little or no disruption to normal network operations, because monitoring is passive
◦ Not usually susceptible to attack, and may not be detectable by attackers
Cons
◦ Easily overwhelmed by network traffic, and then fail to recognize attacks
◦ Must be able to monitor all network traffic; this may not be possible if switches do not have adequate monitoring ports
◦ Cannot analyze encrypted packets (e.g., SSH, TLS)
◦ Cannot reliably determine whether an attack was successful
◦ Cannot recognize all forms of attack, e.g. attacks carried in fragmented packets

Host-Based IDS (HIDS)

◦ Monitors activity only on a single server or host
◦ AKA system integrity verifiers
  - benchmark and monitor the status of key system files and detect changes to or deletions of these files
  - capable of monitoring system configuration files and databases such as the Windows registry and .ini, .cfg and .dat files
  - based on a change or configuration management record of the sizes, locations and attributes of system files; triggers an alert when changes occur
  - monitor system logs for predefined events
◦ Generally very reliable
◦ Integrit and Tripwire are examples of HIDS
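An added example of what a system integrity verifier does (this is not the Tripwire or Integrit code): it records a SHA-256 hash, size, permission bits and modification time for every regular file under a directory, and on a later run reports files that were added, removed, or changed, naming the attribute that changed. The demo builds a throwaway directory tree with tempfile, baselines it, tampers with it the way an intruder might, and diffs; the file names and tampering steps are constructed for the illustration. A real deployment stores the baseline off-host or read-only, since an attacker with root can otherwise simply rewrite it.

```python
"""A minimal system integrity verifier in the style of Tripwire (added example)."""
import hashlib
import os
import tempfile

def fingerprint(path):
    """The attributes a Tripwire-style tool baselines for one file."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": st.st_mode & 0o7777, "mtime_ns": st.st_mtime_ns}

def snapshot(root):
    """Walk root and fingerprint every regular file, keyed by relative path."""
    db = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            if os.path.isfile(p) and not os.path.islink(p):
                db[os.path.relpath(p, root).replace(os.sep, "/")] = fingerprint(p)
    return db

def compare(baseline, current):
    """Diff two snapshots: what was added, removed, or changed (and how)."""
    report = {"added": [], "removed": [], "changed": {}}
    report["added"] = sorted(current.keys() - baseline.keys())
    report["removed"] = sorted(baseline.keys() - current.keys())
    for rel in sorted(baseline.keys() & current.keys()):
        diffs = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
        if diffs:
            report["changed"][rel] = diffs
    return report

def demo():
    """Build a constructed 'system', baseline it, tamper, and report."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "etc", "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"\x7fELF original binary\n")
        with open(os.path.join(root, "etc", "motd"), "w") as f:
            f.write("welcome\n")
        baseline = snapshot(root)

        # Tampering: an extra uid-0 account, a trojaned binary whose size and
        # mtime are kept identical (only the hash can catch it), a removed
        # file, and a new setuid file.
        with open(os.path.join(root, "etc", "passwd"), "a") as f:
            f.write("evil:x:0:0::/:/bin/sh\n")
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"\x7fELF trojaned binary\n")
        old = baseline["bin/ls"]["mtime_ns"]
        os.utime(os.path.join(root, "bin", "ls"), ns=(old, old))
        os.remove(os.path.join(root, "etc", "motd"))
        with open(os.path.join(root, "bin", "sh2"), "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(os.path.join(root, "bin", "sh2"), 0o4755)

        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The trojaned bin/ls is the case worth noticing: size and timestamp were restored, so a checker that only records "sizes, locations, attributes" would report nothing, while the content hash still changes. That is why the file hash, not the metadata, is the attribute an integrity verifier cannot do without.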

Pros & Cons of HIDS

Pros
◦ Can detect events missed by a NIDS
◦ Files on the host system are decrypted and available to the HIDS for analysis (compared to a NIDS)
◦ Not affected by switched networking
◦ Able to detect inconsistencies in the use of applications and system programs
Cons
◦ Administration overhead because of per-host configuration
◦ Vulnerable to direct attacks and to attacks against the OS
◦ Not optimized for multi-host or multi-device scanning
◦ Susceptible to some DoS attacks
◦ Can require large amounts of disk space
◦ Can impose a performance penalty on host systems

Application-Based IDS (AppIDS)

◦ Variation of HIDS
◦ Examines one application for abnormal events
  - users exceeding their authorization, invalid file executions, etc.
Pros
◦ Able to track users (accountability)
◦ Able to view encrypted data while it is unencrypted inside the application
Cons
◦ May be more susceptible to attack because it is not as well protected as network- and host-based systems
◦ Less capable of detecting software tampering
◦ Should be used in conjunction with NIDS and HIDS

Signature-Based IDS

◦ AKA knowledge-based IDS
◦ Looks for traffic patterns that match known signatures (attack patterns)
  - footprinting and fingerprinting activities
  - exploits that use a known sequence of activities
Cons
◦ Signatures must be continually updated as new attack strategies develop
◦ May not detect attacks that are purposely slow and methodical, e.g. "sneaky" or "paranoid" scans spread over a long period

Statistical Anomaly-Based IDS (stat IDS)

◦ AKA behavior-based IDS
◦ Based on the frequency with which certain network activities occur
◦ Establishes baseline performance by collecting statistical summaries of normal network traffic
◦ Periodically samples network traffic and uses statistical methods to compare the sampled activity with the baseline
  - Measured activity outside the baseline parameters exceeds the clipping level and triggers an alert
Pro
◦ Can detect new types of attacks
Cons
◦ Requires more overhead and processing capability: must constantly compare patterns of activity against the baseline
◦ May not detect minor changes to system variables, and may generate false positives
◦ May not be suitable for networks with wide variations in usage and traffic patterns
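The baseline-and-clipping-level procedure of this slide, as an added example that is not part of the original slides: per-minute traffic summaries are constructed by hand, the baseline period yields a mean and standard deviation for each metric, and a later sample is flagged when it exceeds the clipping level mean + k * stdev. Two metrics are profiled so that a connection flood and a port sweep surface as different anomalies. The sample values and the choice k = 3 are assumptions.

```python
"""Statistical anomaly detection with a clipping level (added example)."""
from statistics import mean, pstdev

# Constructed baseline: per-minute summaries collected during normal operation.
# Each sample is (connections per minute, distinct destination ports per minute).
BASELINE = [
    (120, 6), (118, 5), (131, 7), (125, 6), (110, 5), (128, 6), (122, 7),
    (119, 5), (133, 6), (127, 6), (115, 5), (124, 6), (129, 7), (121, 6),
]

# Constructed later samples to be compared against the baseline.
SAMPLES = {
    "09:00": (126, 6),    # normal
    "09:01": (905, 6),    # connection flood: same ports, far more connections
    "09:02": (130, 140),  # port sweep: normal volume, many more ports
    "09:03": (118, 5),    # normal
}

METRICS = ("connections/min", "distinct dst ports/min")

def build_profile(baseline, k=3.0):
    """Mean, standard deviation and clipping level (mean + k*stdev) per metric.
    The clipping level is the boundary of 'normal'; k sets how far out it lies."""
    profile = {}
    for i, name in enumerate(METRICS):
        column = [row[i] for row in baseline]
        mu, sigma = mean(column), pstdev(column)
        profile[name] = {"mean": mu, "stdev": sigma, "clip": mu + k * sigma}
    return profile

def evaluate(sample, profile):
    """Names of the metrics whose value in this sample exceeds the clipping level."""
    return [name for i, name in enumerate(METRICS)
            if sample[i] > profile[name]["clip"]]

def scan(samples, profile):
    """Evaluate every sampled interval; empty list means no alert."""
    return {t: evaluate(v, profile) for t, v in samples.items()}

if __name__ == "__main__":
    prof = build_profile(BASELINE)
    for name, p in prof.items():
        print(f"{name}: mean={p['mean']:.1f} stdev={p['stdev']:.1f} "
              f"clip={p['clip']:.1f}")
    for t, hits in scan(SAMPLES, prof).items():
        print(t, "ALERT " + ", ".join(hits) if hits else "ok")
```

Neither anomaly needed a signature, which is the slide's "pro". The third "con" is visible in the same code: on a network whose baseline swings widely (say a nightly backup that pushes connections/min into the hundreds), the standard deviation grows, the clipping level rises with it, and a flood of 905 connections could sit inside "normal"; lowering k to compensate turns the backup window itself into a daily false positive.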

Log File Monitors (LFM)

◦ Similar to a NIDS: looks for patterns and signatures in log files, including system log files, network log files and IDS log files
◦ Able to examine log files from multiple systems, so it can see an attack that touches several hosts
◦ Resource intensive: must support the collection, movement, storage and analysis of large quantities of data
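An added example covering this slide and the alarm filtering term from the "Key Terminology (2)" slide (not code from the slides or from any log monitoring product): constructed sshd lines from three hosts are parsed as a single centralized stream, a cross-host brute-force signature counts failures per source address regardless of which host they hit, a second signature upgrades the severity when a success follows those failures, and the resulting alarms are then filtered by confidence value and against a list of known false positives. Host names, addresses, thresholds and the "authorized scanner" suppression are assumptions.

```python
"""Log file monitor over centralized syslog from several hosts, with alarm
filtering of the resulting alerts (added example, constructed log lines)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines from three hosts, as an LFM reads them after
# collection on a central log server. Hosts and addresses are assumptions.
LOGS = """\
Mar 10 09:00:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
Mar 10 09:00:02 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51013 ssh2
Mar 10 09:00:03 db01 sshd[917]: Failed password for root from 203.0.113.7 port 51020 ssh2
Mar 10 09:00:04 db01 sshd[917]: Failed password for root from 203.0.113.7 port 51021 ssh2
Mar 10 09:00:05 app01 sshd[4410]: Failed password for oracle from 203.0.113.7 port 51030 ssh2
Mar 10 09:00:09 app01 sshd[4411]: Accepted password for oracle from 203.0.113.7 port 51031 ssh2
Mar 10 09:01:10 web01 sshd[2210]: Failed password for alice from 10.1.1.20 port 40000 ssh2
Mar 10 09:01:15 web01 sshd[2211]: Accepted publickey for alice from 10.1.1.20 port 40001 ssh2
Mar 10 09:02:00 db01 sshd[930]: Failed password for invalid user test from 10.1.1.99 port 3100 ssh2
Mar 10 09:02:01 db01 sshd[930]: Failed password for invalid user test from 10.1.1.99 port 3101 ssh2
Mar 10 09:02:02 db01 sshd[930]: Failed password for invalid user test from 10.1.1.99 port 3102 ssh2
Mar 10 09:02:03 db01 sshd[930]: Failed password for invalid user test from 10.1.1.99 port 3103 ssh2
Mar 10 09:02:04 db01 sshd[930]: Failed password for invalid user test from 10.1.1.99 port 3104 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+")

def parse(text, year=2024):
    """Turn matching syslog lines into event dicts (syslog omits the year)."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(f"{year} {e['ts']}", "%Y %b %d %H:%M:%S")
            events.append(e)
    return events

def detect(events, threshold=5, window_s=60):
    """Two signatures over the merged, time-ordered stream. Failures are
    counted per source across ALL hosts, which a single-host HIDS cannot do.
    Each alarm carries a confidence value and a severity for later filtering."""
    alarms = []
    failures = defaultdict(list)          # src -> recent failure timestamps
    for e in sorted(events, key=lambda e: e["ts"]):
        recent = failures[e["src"]]
        if e["result"] == "Failed":
            recent.append(e["ts"])
            recent[:] = [t for t in recent
                         if (e["ts"] - t).total_seconds() <= window_s]
            if len(recent) == threshold:  # fire once, when the window fills
                alarms.append({"rule": "brute force across hosts",
                               "src": e["src"], "severity": "medium",
                               "confidence": 0.6})
        elif len(recent) >= 3:            # a success right after failures
            alarms.append({"rule": "login success after brute force",
                           "src": e["src"], "host": e["host"],
                           "user": e["user"], "severity": "high",
                           "confidence": 0.9})
    return alarms

# Alarm filtering: suppressions an analyst has reviewed, keyed on source
# address and rule. The scanner address is an assumption.
KNOWN_FALSE_POSITIVES = [
    {"src": "10.1.1.99", "rule": "brute force across hosts",
     "reason": "authorized vulnerability scanner"},
]

def filter_alarms(alarms, min_confidence=0.5, suppress=KNOWN_FALSE_POSITIVES):
    """Drop alarms below the confidence floor or matching a known false positive."""
    kept = []
    for a in alarms:
        if a["confidence"] < min_confidence:
            continue
        if any(s["src"] == a["src"] and s["rule"] == a["rule"] for s in suppress):
            continue
        kept.append(a)
    return kept

if __name__ == "__main__":
    for a in filter_alarms(detect(parse(LOGS))):
        print(a)
```

The first source spreads five failures over three hosts, two per host at most, so no per-host threshold of five would ever fire; only the merged stream sees it. The suppression list is deliberately keyed on source and rule together: silencing everything from the scanner address would also hide the high-severity "success after brute force" case if that address were ever compromised.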

IDS Response

◦ Be careful that the response does not make the problem worse, e.g.
  - shutting down the network connection (leads to loss of business, i.e. "we attacked ourselves successfully")
  - going after/attacking the attackers (it is illegal!)
  - making a huge negative advertisement (e.g. reporters, police, etc.)
◦ Active response
  - A clear action is initiated when certain types of alerts are triggered: data collection, modifying the environment, blocking intruders
◦ Passive response
  - Report information and wait for the administrator to take some action; the administrator becomes the active component

Examples of IDS Response Options

◦ Audible / visual alarm
◦ SNMP traps and plug-ins
  - send a message to the SNMP management console
◦ E-mail message
  - Problem: the intruder may block the e-mail system
◦ Page or phone message
◦ Log entry
  - IDS system log file on a separate device
◦ Evidentiary packet dump
  - Allows further analysis of the data for possible legal use
◦ Action against the intruder
  - traceback to identify the source of the attack
  - ill-advised, and may not be legal
◦ Launch a program, reconfigure the firewall
◦ Terminate the connection or session

Some Limitations of IDS

◦ Cannot compensate for weaknesses or holes in other security mechanisms: firewalls, identification and authentication methods, link encryption, etc.
◦ Do not respond instantaneously in heavy network load scenarios
◦ Signature-based IDSs cannot detect new attacks or variations of existing attacks until a signature exists
◦ Cannot automatically investigate attacks
◦ Do not work effectively in switched networks without a monitoring (SPAN) port


Honey Pots, Honey Nets, and Padded Cell Systems

Powerful security tools that go beyond intrusion detection
◦ Honey pots or honey pot systems
  - Decoy systems designed to lure potential attackers away from critical systems and encourage attacks against the decoy
  - Designed to divert attackers from critical systems, collect information about their activity, and encourage attackers to stay on the system long enough to be documented
◦ Honey net
  - A collection of several honey pot systems on one subnet
  - Contains pseudo-devices configured in ways that make them look vulnerable
◦ Padded cell
  - A honey pot that has been protected so it cannot be easily compromised: a hardened honey pot
  - When the IDS detects attackers, it transfers them to a specialized environment where they can do no harm
◦ Use of these techniques may be construed as illegal

Pros & Cons of Honey Pot Systems

Pros
◦ Attackers are diverted to targets where they can do no damage
◦ Allows time to decide how to respond to an attacker
◦ Attacks can be monitored to obtain useful information that can be used to develop better defensive methods
◦ May be effective for identifying insiders who are snooping around the network
Cons
◦ Legal implications not well defined
◦ Not yet shown to be generally useful technologies
◦ May provoke expert hackers to more hostile attacks
◦ High level of expertise required to use these types of systems

Trap and Trace Systems

◦ Trace incidents back to their source, similar to caller ID
  - If the originator is inside the organization, the individual can be dealt with internally or externally
  - If the originator is outside the organization, numerous legal issues must be addressed
◦ Back-hacking (reverse hacks)
  - deemed unethical by most codes of professional conduct
  - vigilante justice
◦ Enticement vs entrapment
  - Enticement: attract attention to a system by placing tantalizing bits of information in key locations; legal and ethical
  - Entrapment: lure an individual into committing a crime to get a conviction; not legal and not ethical

Active Intrusion Detection

◦ LaBrea (in "real life" this is the name of the famous tar (asphalt) pits in Los Angeles, full of Ice Age animal bones, because animals would get stuck in the tar and die: http://www.tarpits.org/education/guide/geology/entrap.html)
  - Uses the unused IP address space on a network
  - Monitors ARP requests for IP addresses that no real host answers for
  - Responds as if it were the target device
  - Completes the TCP 3-way handshake, then shrinks the advertised TCP window to a very small size to slow the connection to a crawl (a "tarpit")
  - Holds the attacker's scanner or worm on the fake connection, which allows time for a network administrator response

Access Control Mechanisms

Process for controlling access to protected systems
◦ A user (supplicant) seeks to use a protected system
◦ The user must be identified and authenticated before being authorized to use the protected system
◦ Identification
  - Provide an identity (username)
◦ Authentication
  - Provide some form of evidence that the supplicant is in fact the stated user: password, passphrase, biometric, key, etc.
◦ Authorization
  - Allow the user access to authorized systems, once the identification and authentication requirements have been met
  - Domain-based (single sign-on) systems frequently issue a "token" that is then used on other devices in the domain

Authentication

Process that validates the user's identity. Four general methods of authentication:
◦ Knowledge: something the supplicant KNOWS
  - password, passphrase, personal identification code
◦ Possession: something the supplicant HAS
  - magnetic stripe cards, smart cards, tokens
  - synchronous tokens generate a one-time password, in step with the server's clock or counter, that is used to complete authentication
  - asynchronous tokens use a challenge-response mechanism: the server issues a challenge and the token computes the answer
◦ Unique characteristics: who the supplicant IS
  - biometrics
◦ Distinguishable characteristics: what the supplicant PRODUCES
  - signature recognition, voice recognition
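The two token types under "possession", as an added example that is not from the slides: a synchronous token is modelled with the HMAC-based one-time password of RFC 4226 driven by the clock as in RFC 6238, so token and server agree on the code without talking; an asynchronous token is modelled with a server-issued random challenge answered by an HMAC over it. The server-side check tolerates one step of clock drift and uses a constant-time comparison. The shared secret is the published RFC 4226/6238 test secret; the ChallengeResponse class and its method names are assumptions for the illustration, not a standard API.

```python
"""Possession-factor checks: synchronous (time-based one-time password) and
asynchronous (challenge-response) tokens built on HMAC (added example)."""
import hashlib
import hmac
import os
import struct
import time

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the clock. The token
    and the server each compute this independently: a synchronous token."""
    return hotp(secret, int(unix_time) // step, digits)

def verify_totp(secret, code, unix_time, step=30, skew=1):
    """Server-side check tolerating +/- `skew` steps of clock drift. The
    constant-time compare keeps timing from revealing how many digits matched."""
    counter = int(unix_time) // step
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in range(counter - skew, counter + skew + 1))

class ChallengeResponse:
    """Asynchronous token: the server sends a fresh random challenge, the
    token answers with an HMAC over it. Each challenge is honoured once, so a
    captured answer cannot be replayed. Class and method names are assumptions."""

    def __init__(self, secret):
        self._secret = secret
        self._outstanding = set()

    def challenge(self):
        c = os.urandom(16)
        self._outstanding.add(c)
        return c

    @staticmethod
    def token_answer(secret, challenge):
        """What the hardware/software token computes from the challenge."""
        return hmac.new(secret, challenge, hashlib.sha256).hexdigest()

    def verify(self, challenge, answer):
        if challenge not in self._outstanding:
            return False                 # unknown, expired or already-used
        self._outstanding.discard(challenge)
        expected = self.token_answer(self._secret, challenge)
        return hmac.compare_digest(expected, answer)

RFC_SECRET = b"12345678901234567890"    # test secret from RFC 4226 / RFC 6238

if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_SECRET, 0))            # 755224 (RFC 4226)
    print("TOTP at T=59:", totp(RFC_SECRET, 59, digits=8))   # 94287082 (RFC 6238)
    now = time.time()
    print("TOTP now verifies:", verify_totp(RFC_SECRET, totp(RFC_SECRET, now), now))
    srv = ChallengeResponse(RFC_SECRET)
    ch = srv.challenge()
    ans = ChallengeResponse.token_answer(RFC_SECRET, ch)
    print("challenge-response verifies:", srv.verify(ch, ans))
    print("replayed answer verifies:", srv.verify(ch, ans))
```

The synchronous design needs no round trip but depends on the two clocks staying close, which is what the skew window buys; the asynchronous design needs a round trip but has no clock to drift and gets replay resistance for free from the single-use challenge. Both are only as strong as the secrecy of the shared key on the server.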

Biometrics

◦ Process of using unique body characteristics of the supplicant for authentication
◦ Includes
  - Fingerprint comparison
  - Palm print comparison
  - Hand geometry comparison
  - Facial recognition using photo ID
  - Retinal print comparison
  - Iris pattern comparison
◦ Only 3 bodily characteristics are considered truly unique
  - Fingerprints
  - Retina (blood vessel pattern)
  - Iris

Effectiveness of Biometrics

Criteria for evaluation
◦ False rejection rate (FRR)
  - % of authorized supplicants who are falsely rejected
  - Type I error
  - a nuisance to authorized users, but no threat to security
◦ False acceptance rate (FAR)
  - % of unauthorized supplicants who are falsely accepted
  - Type II error
  - a clear breach of security; unacceptable to security professionals
◦ Crossover error rate (CER)
  - the level at which false rejections = false acceptances
  - the most common measure of accuracy for biometric systems
  - indicates the optimal balance between the false rejection and false acceptance rates
  - a 1% CER is superior to a 5% CER
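The three criteria above as an added worked example (not from the slides or from any biometric vendor): constructed match scores for two hypothetical systems, an FRR and FAR computed at every candidate threshold, the crossover point where the two are equal, and, since a Type II error is the one a security professional will not accept, the lowest threshold at which FAR reaches zero together with the FRR that setting costs. The score lists are made up so that the crossover falls on an exact value.

```python
"""False rejection rate, false acceptance rate and crossover error rate
computed from constructed match scores (added example)."""

# Constructed similarity scores (0..1, higher = better match) for two
# hypothetical systems. "genuine" are enrolled users matched against their
# own template; "impostor" are other people matched against that template.
SYSTEM_A = {
    "genuine":  [0.95, 0.90, 0.88, 0.85, 0.80, 0.78, 0.75, 0.70, 0.60, 0.45],
    "impostor": [0.05, 0.10, 0.20, 0.25, 0.30, 0.40, 0.50, 0.55, 0.65, 0.72],
}
SYSTEM_B = {   # better separation between the two populations
    "genuine":  [0.95, 0.90, 0.88, 0.85, 0.80, 0.78, 0.75, 0.70, 0.68, 0.66],
    "impostor": [0.05, 0.10, 0.20, 0.25, 0.30, 0.40, 0.50, 0.55, 0.60, 0.67],
}

def frr(genuine, t):
    """Type I error: share of authorized users scoring below the threshold."""
    return sum(1 for s in genuine if s < t) / len(genuine)

def far(impostor, t):
    """Type II error: share of impostors scoring at or above the threshold."""
    return sum(1 for s in impostor if s >= t) / len(impostor)

def error_curve(genuine, impostor):
    """(threshold, FRR, FAR) at every observed score, lowest threshold first.
    Raising the threshold pushes FRR up and FAR down: the two trade off."""
    thresholds = sorted(set(genuine) | set(impostor))
    return [(t, frr(genuine, t), far(impostor, t)) for t in thresholds]

def crossover(genuine, impostor):
    """Threshold at which FRR and FAR are closest, and the error rate there
    (the CER). A lower CER means a more accurate system."""
    t, fr, fa = min(error_curve(genuine, impostor),
                    key=lambda r: abs(r[1] - r[2]))
    return t, (fr + fa) / 2

def zero_far_operating_point(genuine, impostor):
    """Lowest threshold with no false acceptances at all, and the FRR paid
    for it: the setting a security professional prefers over the CER point."""
    for t, fr, fa in error_curve(genuine, impostor):
        if fa == 0.0:
            return t, fr
    return None

if __name__ == "__main__":
    for name, data in (("A", SYSTEM_A), ("B", SYSTEM_B)):
        t, cer = crossover(data["genuine"], data["impostor"])
        zt, zfrr = zero_far_operating_point(data["genuine"], data["impostor"])
        print(f"system {name}: CER {cer:.0%} at threshold {t}; "
              f"zero-FAR threshold {zt} costs FRR {zfrr:.0%}")
```

System A has a 20% CER and System B a 10% CER, so B is the more accurate device, matching the slide's "1% is superior to 5%". The second figure is the one that matters for deployment: to drive FAR to zero, A must reject 30% of its legitimate users, while B rejects only 10%. Real evaluations use thousands of scores per population, and the CER is read off the crossing of two smoothed curves rather than a single exact tie.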

Effectiveness and Acceptance of Biometrics

◦ Many highly effective and reliable biometric systems are considered intrusive by users.
◦ Preference for using systems that are both effective and acceptable to users.

Table 7-3 Effectiveness vs Acceptance

Rank | Effectiveness (most to least secure) | Acceptance (most to least accepted)
1    | Retinal scans                        | Keystroke patterns
2    | Fingerprint                          | Signature recognition
3    | Handprint                            | Voice pattern
4    | Voice pattern                        | Handprint
5    | Keystroke patterns                   | Fingerprint
6    | Signature recognition                | Retinal scans