Page 1: 1 Guide to Network Defense and Countermeasures Chapter 8.

Guide to Network Defense and Countermeasures

Chapter 8

Chapter 8 - Intrusion Detection: An Overview

Describe intrusion detection system components

Follow the intrusion detection process step-by-step

Understand options for configuring intrusion detection systems

Know the issues involved in choosing an intrusion detection system

Intrusion Detection System Components

Intrusion detection systems, in an overall network defense configuration, involve three core functions:

Intrusion prevention, or stopping intrusions at the edge of the network; firewalls perform this function

Intrusion detection, or checking for security breaches on a network; intrusion detection systems (IDSs) perform this function

Intrusion response, or swift, safe, and purposeful reaction to an intrusion; network administrators perform this function

Intrusion Detection System Components

Network sensor: Sensors are the electronic eyes of an IDS; they monitor in- and outbound network traffic in real time

When sensors detect suspicious events, an alarm is triggered; attacks are either single-session, in which the intruder makes a single isolated attempt to gain network access, or multiple-session, in which the intruder makes many attempts over time to gain network access (port/network scans)

Place sensors at common entry points, such as gateways, LAN connections, remote access servers, and VPN devices

Intrusion Detection System Components

Alert systems: An IDS sounds or sends an alert when it encounters packets or traffic patterns that seem suspicious

To respond to such events, the IDS uses a trigger, a set of conditions that cause an alert to be sent; alerts result from two types of triggers, anomaly detection (an unexpected event) and misuse detection (recognition of a known attack)

Alert messages come as pop-up windows, e-mail messages, sounds, pager messages, or any combination of these forms

Intrusion Detection System Components

Alert systems (cont.): An anomaly detection system requires the use of profiles for each authorized user or group; the profile describes the user's normal network access

Effective anomaly detection depends on the accuracy of the profiles created for the IDS

Misuse detection triggers alarms based on the characteristic signatures of known attacks

Misuse detection has a jumpstart in that IDSs come with a set of signatures; attack signatures not in the initial list need to be added periodically
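To make the two trigger types concrete, here is an added Python example written for this page; it is not code from the textbook or from any IDS product. It checks each observed connection against a signature list (misuse detection) and against a per-user profile (anomaly detection). The signature identifiers TEST-SIG-001 and TEST-SIG-002, the signature contents, the user profiles and the sample connections are all constructed for illustration.

```python
"""Added example (not from the textbook): a toy alert-trigger engine showing
misuse detection (signature database) and anomaly detection (user profiles).
Every signature, profile and connection record here is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    """One observed connection, as a sensor would summarise it."""
    user: str
    dst_port: int
    bytes_out: int
    hour: int          # hour of day, 0-23
    payload: bytes


@dataclass
class Profile:
    """Normal network access for one user or group (anomaly detection)."""
    allowed_ports: set
    max_bytes_out: int
    work_hours: range   # e.g. range(8, 19) for 08:00-18:59


# Misuse detection: signatures of known attacks. Placeholder identifiers and
# constructed byte patterns, not entries from any real signature database.
SIGNATURES = {
    "TEST-SIG-001": b"/cgi-bin/phf",   # hypothetical request-path signature
    "TEST-SIG-002": b"\x90" * 16,      # a run of NOP bytes
}

# Anomaly detection: profiles describing each user's normal usage (constructed)
PROFILES = {
    "alice": Profile({80, 443, 25}, 5_000_000, range(8, 19)),
    "bob": Profile({22, 443}, 1_000_000, range(7, 18)),
}


@dataclass(frozen=True)
class Alert:
    trigger: str   # "misuse" or "anomaly"
    reason: str
    conn: Connection


def misuse_trigger(conn):
    """Signature-based trigger: one alert per signature found in the payload."""
    return [Alert("misuse", f"signature {sid} matched", conn)
            for sid, pattern in SIGNATURES.items() if pattern in conn.payload]


def anomaly_trigger(conn, profiles):
    """Profile-based trigger: one alert per deviation from the user's profile.
    A user with no profile is itself reported, because an anomaly IDS needs a
    profile for every authorized user or group."""
    prof = profiles.get(conn.user)
    if prof is None:
        return [Alert("anomaly", f"no profile for user {conn.user}", conn)]
    alerts = []
    if conn.dst_port not in prof.allowed_ports:
        alerts.append(Alert("anomaly", f"port {conn.dst_port} not in profile", conn))
    if conn.bytes_out > prof.max_bytes_out:
        alerts.append(Alert("anomaly", f"{conn.bytes_out} bytes out exceeds profile", conn))
    if conn.hour not in prof.work_hours:
        alerts.append(Alert("anomaly", f"activity at hour {conn.hour} outside profile", conn))
    return alerts


def evaluate(conns, profiles=PROFILES):
    """Run both triggers over a batch of connections and return all alerts."""
    alerts = []
    for c in conns:
        alerts.extend(misuse_trigger(c))
        alerts.extend(anomaly_trigger(c, profiles))
    return alerts


# Constructed sample traffic: a normal connection, a signature hit,
# a multi-way profile deviation, and a user the IDS has no profile for.
SAMPLE = [
    Connection("alice", 443, 120_000, 10, b"GET / HTTP/1.1"),
    Connection("alice", 80, 2_000, 11, b"GET /cgi-bin/phf HTTP/1.0"),
    Connection("bob", 3389, 50_000_000, 3, b"..."),
    Connection("mallory", 443, 10, 12, b"GET / HTTP/1.1"),
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE):
        print(f"[{a.trigger}] {a.conn.user}: {a.reason}")
```

The last sample connection shows the dependency the slide points out: a user without a profile can only be reported as an anomaly, so the coverage and accuracy of the profiles, not just the signature list, decide how useful an anomaly-based IDS is.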

Intrusion Detection System Components

Command console: A command console is software that provides a network administrator with a graphical front-end interface to the IDS; administrators receive and analyze alert messages and manage log files at consoles

Response system: Some of the more sophisticated IDS devices can be set up to take countermeasures when intrusions are detected; however, this is not a substitute for the judgment of a network administrator in determining appropriate countermeasures

Intrusion Detection System Components

Database of attack signatures or behaviors: Misuse-based systems call upon a database of known attack signatures as a source of information against which they can compare traffic

The key with attack signature databases is that they are kept up to date; the SecurityFocus online database of known vulnerabilities is frequently updated and can be searched for attack data

Anomaly detection can make use of “normal traffic” databases against which network traffic is compared; SecurVantage 3.0 is such a database

Intrusion Detection Step-by-Step

The process of network intrusion detection can be broken into seven general steps that apply to virtually all IDSs

Step 1: Installing signature and profile databases, along with the IDS hardware and software itself

Step 2: Gathering data by allowing network sensors to read and monitor every network packet

Step 3: Sending alert messages when the sensor determines that a packet matches an attack signature or deviates from normal network usage

Intrusion Detection Step-by-Step

The intrusion detection process (cont.):

Step 4: The IDS responds if it is configured to take action at the same time a suspicious packet is received and an alert message sent; actions include sending an alarm to the console, dropping the packet without notifying the sender, and resetting TCP traffic by stopping and restarting network traffic

Step 5: The administrator assesses damage by examining the alert; false alarms may mean that the database needs to be fine-tuned; incidents that should cause alarms but don't must also be considered

Intrusion Detection Step-by-Step

The intrusion detection process (cont.):

Step 6: Pursuing escalation procedures if necessary, where a predetermined set of procedures is followed if an attack is detected; attacks are often classified based on their severity, level one being the lowest and level three the highest

Step 7: Logging and reviewing the event enables an administrator to determine whether this was a single-session attack or whether patterns of misuse have been occurring, as they do in multiple-session attacks
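The following added Python example walks steps 4 through 7 of the process above for a batch of alerts; it was written for this page and is not the textbook's or any product's code. The severity scale (level 1 lowest, level 3 highest) is the slide's; the automatic responses and escalation procedures mapped to each level, the port-scan threshold, the false-positive tuning list and the sample alerts (with addresses from the reserved documentation ranges) are constructed assumptions.

```python
"""Added example (not from the textbook): a small alert-handling pipeline for
steps 4-7 of the intrusion detection process. Response and escalation tables,
the scan threshold and the sample alerts are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    ts: int           # seconds on a constructed timeline
    src: str          # source address (documentation ranges, constructed)
    dst_port: int
    signature: str    # matched signature name, or "anomaly"
    severity: int     # 1 = lowest, 3 = highest


# Step 4: automatic responses the IDS is configured to take, by severity (assumed)
RESPONSES = {
    1: ["alarm_to_console"],
    2: ["alarm_to_console", "drop_packet"],
    3: ["alarm_to_console", "drop_packet", "reset_tcp"],
}

# Step 6: predetermined escalation procedure per severity level (assumed)
ESCALATION = {
    1: "log only; review in the daily report",
    2: "notify the on-call administrator",
    3: "notify the administrator and security lead; start incident handling",
}

# Step 7: number of distinct destination ports from one source that we treat
# as a multiple-session pattern (port scan). Constructed threshold.
SCAN_PORTS = 5


class IDSConsole:
    """Receives alerts, applies steps 4-6, and keeps the log for step 7."""

    def __init__(self, known_false_positives=()):
        self.log = []
        self.known_false_positives = set(known_false_positives)

    def handle(self, alert):
        """Steps 4-6 for one alert; returns the record that was logged."""
        actions = RESPONSES[alert.severity]                                # step 4
        false_alarm = alert.signature in self.known_false_positives        # step 5
        escalation = None if false_alarm else ESCALATION[alert.severity]   # step 6
        record = {"alert": alert, "actions": actions,
                  "false_alarm": false_alarm, "escalation": escalation}
        self.log.append(record)                                            # step 7
        return record

    def review(self):
        """Step 7: group logged, non-false events by source and classify each
        source as single-session, multiple-session, or a port scan."""
        by_src = defaultdict(list)
        for rec in self.log:
            if not rec["false_alarm"]:
                by_src[rec["alert"].src].append(rec["alert"])
        verdicts = {}
        for src, alerts in by_src.items():
            ports = {a.dst_port for a in alerts}
            if len(ports) >= SCAN_PORTS:
                verdicts[src] = "multiple-session (port scan)"
            elif len(alerts) > 1:
                verdicts[src] = "multiple-session"
            else:
                verdicts[src] = "single-session"
        return verdicts


# Constructed sample alerts on a constructed timeline
SAMPLE_ALERTS = [
    Alert(100, "203.0.113.7", 22, "ssh-brute-force", 2),
    Alert(160, "203.0.113.7", 22, "ssh-brute-force", 2),
    Alert(200, "198.51.100.9", 21, "anomaly", 1),
    Alert(201, "198.51.100.9", 22, "anomaly", 1),
    Alert(202, "198.51.100.9", 23, "anomaly", 1),
    Alert(203, "198.51.100.9", 25, "anomaly", 1),
    Alert(204, "198.51.100.9", 80, "anomaly", 1),
    Alert(300, "192.0.2.44", 80, "web-exploit-attempt", 3),
    Alert(310, "10.0.0.5", 443, "tls-version-noise", 1),   # tuned out as a false alarm
]


def run_sample():
    """Push the sample alerts through the console; return (records, verdicts)."""
    console = IDSConsole(known_false_positives=["tls-version-noise"])
    records = [console.handle(a) for a in SAMPLE_ALERTS]
    return records, console.review()


if __name__ == "__main__":
    records, verdicts = run_sample()
    for rec in records:
        a = rec["alert"]
        print(f"{a.src}:{a.dst_port} sev={a.severity} actions={rec['actions']} "
              f"false_alarm={rec['false_alarm']} escalation={rec['escalation']}")
    print(verdicts)
```

Two things the run illustrates: the signature tuned out in step 5 never reaches escalation or the review, and the source touching five ports is recognised as a scan only because its level-one events were logged and reviewed together in step 7; looked at one alert at a time, each would have been a harmless-looking anomaly.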

Options for Implementing an IDS

Network-based IDS (NIDS): A NIDS is a set of components that includes a command console and sensors positioned at the network perimeter, where they monitor/sniff traffic

Three common locations for NIDS sensors are behind the firewall and before the LAN, between the firewall and the DMZ, or on any network segment

A NIDS typically has its primary management and analysis software installed on a dedicated computer

A NIDS must keep up with a large volume of traffic and respond quickly to detected packets

Options for Implementing an IDS

Host-based IDS (HIDS): A HIDS is deployed on each host in the LAN that is protected by the firewall; packets generated by the host itself are monitored and evaluated by the HIDS

The HIDS gathers system variables such as system processes, CPU usage, and file access; system events that match signatures of known attacks reach the IDS on the host, which sends an alert

A HIDS does not sniff packets like a NIDS; instead, it monitors log file entries and user activity

Options for Implementing an IDS

HIDS (cont.): A HIDS can have a centralized or distributed configuration; if centralized, the HIDS sends all gathered data to a central location (command console) for analysis; if distributed, the data analysis is distributed among the individual hosts

Host computer performance requirements are minimal in a centralized configuration, but hosts must be well equipped for a distributed configuration

A HIDS can tell whether attack attempts against the host were successful; a HIDS cannot detect a network-wide intrusion attempt

Options for Implementing an IDS

Hybrid IDS implementations: A hybrid IDS increases flexibility and security by combining the functionality of multiple systems

One type of hybrid combines host- and network-based systems; this enables positioning of sensors on network segments and on individual hosts; this system responds to both network and host attacks

Another hybrid type combines anomaly and misuse detection; it can detect internal use that deviates from normal usage patterns and has a database of well-known attacks; this system responds to both internal and external attacks

Options for Implementing an IDS

Hybrid IDS implementations (cont.): A shim IDS is a type of NIDS, but the sensors are installed in selected hosts and network segments

A distributed IDS, or DID, is a system in which multiple IDSs are deployed to monitor traffic and report suspicious events; administrators are better able to assess developing patterns and distinguish between harmless anomalies and genuine attacks

A key advantage of hybrid IDS systems is being able to monitor the network as a whole; drawbacks include getting disparate systems to work together, and the gathered data can be difficult to analyze

Evaluating an IDS

The first step in evaluating an IDS is to review the topology of the network to protect

Pay particular attention to those parts of the network that have direct interaction with the IDS, such as the number of network entry points, the use of firewalls, and the segmenting of the network

The next step involves choosing the best IDS type for meeting network security needs

The freeware NIDS, Snort, is ideal for monitoring traffic on a small network or an individual host

Evaluating an IDS

Choosing an IDS (cont.): The commercial HIDS, Norton Internet Security, is designed for a home-based standalone computer or a computer on a small network; it also contains a limited number of intrusion detection features

The anomaly-based IDS, Tripwire, has long been one of the most highly regarded software IDS packages; after establishing a baseline for normal usage, any configuration changes trigger an alert; Tripwire is excellent for situations in which employee activity needs to be closely monitored
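The baseline-then-alert behaviour attributed to Tripwire above is the core of host-based file-integrity monitoring, and the added Python example below shows that mechanism in miniature. It is written for this page and is not Tripwire's code: it records a baseline of SHA-256 digests for a set of configuration files, then compares a later snapshot against the baseline and reports modified, added and removed files. The directory, the file names and their contents are constructed in a temporary location for the demonstration.

```python
"""Added example (not from the textbook and not Tripwire's own code): a
minimal Tripwire-style file-integrity checker. Baseline a directory of
configuration files, then report every change against that baseline."""
import hashlib
import json
import os
import tempfile


def digest(path):
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each file under root (path relative to root, '/' separated) to its digest."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = digest(full)
    return snap


def save_baseline(root, baseline_file):
    """Establish the baseline: persist the current snapshot as JSON."""
    with open(baseline_file, "w") as f:
        json.dump(snapshot(root), f, indent=2, sort_keys=True)


def check(root, baseline_file):
    """Compare the current state with the baseline. Returns a sorted list of
    (kind, relative_path) alerts, kind being "modified", "added" or "removed"."""
    with open(baseline_file) as f:
        baseline = json.load(f)
    current = snapshot(root)
    alerts = []
    for path, old_digest in baseline.items():
        if path not in current:
            alerts.append(("removed", path))
        elif current[path] != old_digest:
            alerts.append(("modified", path))
    for path in current:
        if path not in baseline:
            alerts.append(("added", path))
    return sorted(alerts)


def demo():
    """Build a constructed config tree, baseline it, change it three ways,
    and return the alerts the check produces."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "etc")                 # constructed config directory
        os.makedirs(os.path.join(root, "ssh"))
        with open(os.path.join(root, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        with open(os.path.join(root, "ssh", "sshd_config"), "w") as f:
            f.write("PermitRootLogin no\n")
        baseline_file = os.path.join(tmp, "baseline.json")   # outside the monitored tree
        save_baseline(root, baseline_file)
        assert check(root, baseline_file) == []          # nothing changed: no alert

        # Simulated configuration change, an unexpected new file, and a removal
        with open(os.path.join(root, "ssh", "sshd_config"), "w") as f:
            f.write("PermitRootLogin yes\n")
        with open(os.path.join(root, "cron.allow"), "w") as f:
            f.write("root\n")
        os.remove(os.path.join(root, "hosts"))
        return check(root, baseline_file)


if __name__ == "__main__":
    for kind, path in demo():
        print(f"ALERT {kind}: {path}")
```

The baseline is only as trustworthy as its storage: in the demo it sits beside the monitored tree for convenience, but in practice it belongs on read-only media or a separate management host, since anyone able to alter the configuration files could otherwise re-baseline them as well.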

Evaluating an IDS

Choosing an IDS (cont.): The network-based IDS, RealSecure, is one of the most comprehensive and widely used IDS products; RealSecure makes use of a distributed client-server architecture; it can be implemented as a hybrid IDS with multiple RealSecure Sensor products to scan network and host traffic

IDS hardware appliances have a greater ability to handle network traffic and better scalability than software IDS packages; a big advantage of hardware devices is plug-and-play capability; hardware appliances do, however, still need periodic updates

Evaluating an IDS

Choosing an IDS (cont.): The signature-based IDS, Cisco Secure IDS, draws on a database of attack signatures to detect intrusion attempts; the signatures available to the system are broken into various types of network traffic (IP, ICMP, TCP, UDP, Web/HTTP, string-matching, etc.); this NIDS makes use of sensors and also watches for patterns of attacks as it monitors network traffic

Chapter Summary

This chapter presented an overview of intrusion detection systems (IDSs), which provide a supplementary line of defense behind firewalls and anti-virus software. Some IDSs go beyond simply transmitting alarms: they reset TCP communications, block selected IP addresses, and provide evidence used in disciplinary actions or to prevent attacks.

Some IDSs consist of software programs and others combine hardware devices, but they all use similar elements. A network sensor should be placed at the openings to the network and individual network segments. Alert messages are sent from triggers, which can result from anomaly detection or misuse detection, or a combination of both. The alert message is sent to a command console, which provides the administrator with a single interface to the data gathered by the IDS. A response system built into the IDS instructs it to drop packets or reset traffic if attacks are detected. In order to remain accurate and avoid false alarms, the database of signatures or user profiles must remain current.

The step-by-step intrusion detection process begins with the installation of a set of attack signatures (for misuse detection) or normal network usage profiles (for anomaly detection). Next, the sensors monitor packets. Alert messages are sent when a packet matches an attack signature or deviates from normal network usage. An alert message is transmitted to the command console. In addition, the IDS can also respond by dropping the packets or resetting a connection. False alarms are likely and will require the system to be fine-tuned to allow legitimate traffic to pass through without an alarm. If the intrusion is found to be an attack, escalation procedures should be pursued. The IDS also logs each alarmed event so it can be reviewed later. Exporting the data to a database for analysis can reveal the real nature and intent of attacks.

Next, the IDS is implemented. A network-based intrusion detection system (NIDS) uses sensors positioned around the perimeter of the network or of network segments. A host-based intrusion detection system (HIDS) uses sensors that are deployed on each host that needs to be protected. A HIDS uses data generated by each host. A hybrid IDS combines the functionality of a NIDS and a HIDS. It can also combine anomaly- and misuse-based detection. A shim IDS makes use of sensors installed both on network segments and on hosts. A distributed IDS collects data gathered from multiple IDSs and firewall logs in order to analyze data across a wide area.

Different types of IDSs exist. In the freeware and shareware category, the best known program is called Snort, which makes use of a set of predetermined rules and is designed to monitor traffic on a small-scale network. Commercial firewall programs such as Norton Internet Security include limited sets of IDS features. Anomaly-based systems like the highly regarded Tripwire for Network Devices establish a baseline for normal network usage. RealSecure is a network-based IDS that makes use of one or more network sensors and a command console.

Hardware appliances can handle a higher traffic load than software programs and offer plug-and-play functionality. The Cisco Secure IDS system draws on a database of attack signatures, but also monitors suspicious traffic patterns, much like a firewall.