Guide to Network Defense and Countermeasures Chapter 8
Jan 01, 2016

Chapter 8 - Intrusion Detection: An Overview
Describe intrusion detection system components
Follow the intrusion detection process step-by-step
Understand options for configuring intrusion detection systems
Know the issues involved in choosing an intrusion detection system
Intrusion Detection System Components
Intrusion detection systems, in an overall network defense configuration, involve three core functions:
Intrusion prevention, or stopping intrusions at the edge of the network; firewalls perform this function
Intrusion detection, or checking for security breaches on a network; intrusion detection systems (IDSs) perform this function
Intrusion response, or swift, safe, and purposeful reaction to an intrusion; network administrators perform this function
Network sensor: Sensors are the electronic eyes of an IDS; they monitor inbound and outbound network traffic in real time
When a sensor detects a suspicious event, an alarm is triggered; attacks are either single-session, in which the intruder makes a single isolated attempt to gain network access, or multiple-session, in which the intruder makes many attempts over time to gain network access (port scans and network scans are the typical case)
Place sensors at common entry points, such as gateways, LAN connections, remote access servers, and VPN devices; a sensor sees only the traffic on the segment, tap, or mirror port it is attached to, so an entry point without a sensor is a blind spot
Alert systems: An IDS sounds or sends an alert when it encounters packets or traffic patterns that seem suspicious
To respond to such events, the IDS uses a trigger, a set of conditions that cause an alert to be sent; alerts result from two types of triggers, anomaly detection (an event that deviates from a profile of normal activity) and misuse detection (recognition of a known attack by its signature)
Alert messages come as pop-up windows, e-mail messages, sounds, pager messages, or any combination of these forms
Alert systems (cont.): An anomaly detection system requires a profile for each authorized user or group; the profile describes that user's normal network access
Effective anomaly detection depends on the accuracy of the profiles created for the IDS; a profile that is too loose misses attacks, and one that is too tight floods the console with false alarms
Misuse detection triggers alarms based on the characteristic signatures of known attacks
Misuse detection has a jumpstart in that IDSs ship with a set of signatures; signatures for attacks not in the initial list must be added as they become known, because a misuse-based system cannot recognize an attack for which it has no signature
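The two trigger types side by side, as an added example that is not code from the textbook or from any IDS product: a toy misuse detector that parses a simplified Snort-style rule subset (the rule grammar, the three rules, the user profiles, and the packet records are all constructed for this illustration and are not Snort's actual syntax or captured traffic) and an anomaly detector that compares each user's destination ports and hourly connection count against a training profile. Both run over the same constructed packet list.

```python
"""Misuse detection (signatures) and anomaly detection (profiles) over one
constructed packet stream. Added example; not code from the textbook or
from Snort. The rule syntax below is a simplified subset made for this
example, not Snort's actual grammar."""
import re
import statistics
from collections import Counter
from dataclasses import dataclass


@dataclass
class Packet:
    user: str        # authenticated user owning the session (assumed known to the sensor)
    proto: str       # "tcp" or "udp"
    dst_port: int
    payload: bytes
    hour: int        # hour of day the packet was seen


# Misuse trigger: a toy Snort-style rule subset (constructed for this example).
SIGNATURES = [
    'alert tcp any any -> any 80 (content:"../../"; msg:"directory traversal attempt";)',
    'alert tcp any any -> any 21 (content:"SITE EXEC"; msg:"FTP SITE EXEC";)',
    'alert udp any any -> any 53 (content:"version.bind"; msg:"BIND version query";)',
]
_RULE = re.compile(
    r'alert (\w+) any any -> any (\d+|any) \(content:"([^"]+)"; msg:"([^"]+)";\)'
)


def parse_rule(rule: str) -> tuple:
    """Return (proto, dst_port or None, content bytes, message) for one rule."""
    m = _RULE.fullmatch(rule)
    if m is None:
        raise ValueError(f"unparseable rule: {rule}")
    proto, port, content, msg = m.groups()
    return proto, (None if port == "any" else int(port)), content.encode(), msg


def misuse_alerts(pkt: Packet, rules: list) -> list:
    """Signature match: protocol, destination port and byte content must all agree."""
    return [("misuse", pkt.user, msg)
            for proto, port, content, msg in rules
            if pkt.proto == proto
            and (port is None or port == pkt.dst_port)
            and content in pkt.payload]


# Anomaly trigger: per-user profile built during a training period (constructed).
@dataclass
class Profile:
    usual_ports: set
    hourly_counts: list   # connections per hour observed while training

    def volume_is_anomalous(self, count: int, z: float = 3.0) -> bool:
        # Flag an hour whose connection count is more than z standard
        # deviations from the training mean, in either direction.
        mean = statistics.mean(self.hourly_counts)
        spread = max(statistics.pstdev(self.hourly_counts), 1.0)
        return abs(count - mean) > z * spread


def anomaly_alerts(packets: list, profiles: dict) -> list:
    alerts, unknown, per_hour = [], set(), Counter()
    for p in packets:
        prof = profiles.get(p.user)
        if prof is None:
            unknown.add(p.user)          # a user with no profile cannot be judged
            continue
        if p.dst_port not in prof.usual_ports:
            alerts.append(("anomaly", p.user, f"unusual destination port {p.dst_port}"))
        per_hour[(p.user, p.hour)] += 1
    for (user, hour), count in sorted(per_hour.items()):
        if profiles[user].volume_is_anomalous(count):
            alerts.append(("anomaly", user, f"{count} connections in hour {hour}, outside profile"))
    alerts.extend(("anomaly", u, "no profile for this user") for u in sorted(unknown))
    return alerts


def run_ids(packets: list, rules: list = SIGNATURES, profiles: dict = None) -> list:
    parsed = [parse_rule(r) for r in rules]
    alerts = [a for p in packets for a in misuse_alerts(p, parsed)]
    return alerts + anomaly_alerts(packets, PROFILES if profiles is None else profiles)


# Constructed profiles and packet stream (not captured data).
PROFILES = {
    "alice": Profile({80, 443}, [40, 45, 50, 42, 48, 44, 46, 43]),
    "bob": Profile({22, 443}, [5, 6, 4, 7, 5, 6, 5, 4]),
}
SAMPLE = (
    [Packet("alice", "tcp", 80, b"GET /index.html HTTP/1.1", 9)] * 44
    + [Packet("alice", "tcp", 80, b"GET /../../etc/passwd HTTP/1.1", 9)]   # signature hit
    + [Packet("bob", "tcp", 22, b"SSH-2.0-OpenSSH_8.9", 10)] * 2
    + [Packet("bob", "tcp", 443, b"\x16\x03\x01", 10),
       Packet("bob", "tcp", 21, b"USER anonymous", 10)]                    # unusual port
    + [Packet("bob", "tcp", 443, b"\x16\x03\x01", 11)] * 40                # unusual volume
)

if __name__ == "__main__":
    for kind, user, msg in run_ids(SAMPLE):
        print(f"[{kind}] {user}: {msg}")
```

The misuse path can only fire on the three rules it was given, which is the point made above about keeping the signature list current; the anomaly path catches bob's FTP session and his burst of connections without any signature, but only because his profile was accurate. Widen bob's usual ports or inflate his training counts and both anomaly alerts disappear.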
Command console: A command console is software that provides a network administrator with a graphical front-end interface to the IDS; administrators receive and analyze alert messages and manage log files at the console
Response system: Some of the more sophisticated IDS devices can be set up to take countermeasures when intrusions are detected; however, this is not a substitute for the judgment of a network administrator in determining appropriate countermeasures, and an automatic response such as blocking a source address can itself be abused: an attacker who spoofs the address of a legitimate host can cause the IDS to cut that host off
Database of attack signatures or behaviors: Misuse-based systems call upon a database of known attack signatures as the reference against which they compare traffic
The key with attack signature databases is keeping them up to date; the SecurityFocus online database of known vulnerabilities is frequently updated and can be searched for attack data
Anomaly detection can make use of "normal traffic" databases against which network traffic is compared; SecurVantage 3.0 is one product that builds such a database
Intrusion Detection Step-by-Step
The process of network intrusion detection can be broken into seven general steps that apply to virtually all IDSs
Step 1: Installing the signature and profile databases, along with the IDS hardware and software itself
Step 2: Gathering data by letting the network sensors read and monitor every network packet
Step 3: Sending alert messages when the sensor determines that a packet matches an attack signature or deviates from normal network usage
The intrusion detection process (cont.):
Step 4: The IDS responds if it is configured to take action at the same time a suspicious packet is received and an alert message is sent; actions include sending an alarm to the console, dropping the packet without notifying the sender, and resetting the TCP connection (sending RST segments so that both ends tear it down)
Step 5: The administrator assesses damage by examining the alert; false alarms (false positives) may mean that the database needs to be fine-tuned, and incidents that should cause alarms but don't (false negatives) must also be considered
The intrusion detection process (cont.):
Step 6: Pursuing escalation procedures if necessary, where a predetermined set of procedures is followed if an attack is detected; attacks are often classified by severity, level one being the lowest and level three the highest
Step 7: Logging and reviewing the event enables an administrator to determine whether this was a single-session attack, or whether patterns of misuse have been occurring over time, as they do in multiple-session attacks
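The seven steps as one loop, written as an added example that is not textbook or product code. The connection records, the two-entry signature list, the port-scan threshold, the three severity levels, and the response and escalation tables are all assumptions constructed for the illustration; a real deployment would take them from the installed signature database and the site's own escalation procedures.

```python
"""The seven-step detection loop as one pipeline. Added example, not
textbook or product code: the connection records, signature list, scan
threshold, severity levels and response/escalation tables are constructed
for the illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    ts: float       # seconds since the start of the capture
    src: str
    dst_port: int
    payload: bytes


# Step 1: install the signature database and the profile used for scan detection.
SIGNATURES = {b"/../..": "path traversal", b"' OR 1=1": "SQL injection probe"}
SCAN_PORTS = 5        # this many distinct ports from one source ...
SCAN_WINDOW = 60.0    # ... within this many seconds is treated as a scan

# Severity levels as in the chapter: 1 lowest, 3 highest. The actions and
# escalation steps per level are a constructed policy.
RESPONSE_POLICY = {1: "alert console", 2: "drop packet", 3: "reset connection"}
ESCALATION = {1: "log only",
              2: "notify on-call administrator",
              3: "page incident lead and preserve evidence"}


class IDS:
    def __init__(self, signatures: dict = SIGNATURES):
        self.signatures = signatures
        self.log = []                              # Step 7: every alerted event
        self._ports_seen = defaultdict(list)       # src -> [(ts, dst_port)]

    def _classify(self, conn: Conn):
        """Step 3: signature match (level 3), scan profile breach (level 2), or nothing."""
        self._ports_seen[conn.src].append((conn.ts, conn.dst_port))
        for pattern, name in self.signatures.items():
            if pattern in conn.payload:
                return 3, f"signature: {name}"
        recent = {port for ts, port in self._ports_seen[conn.src]
                  if conn.ts - ts <= SCAN_WINDOW}
        if len(recent) >= SCAN_PORTS:
            return 2, f"port scan: {len(recent)} ports within {SCAN_WINDOW:.0f}s"
        return 0, ""

    def process(self, conn: Conn):
        """Step 2 hands in one record; steps 3, 4, 6 and 7 run on it."""
        level, reason = self._classify(conn)
        if level == 0:
            return None
        event = {"ts": conn.ts, "src": conn.src, "port": conn.dst_port,
                 "level": level, "reason": reason,
                 "action": RESPONSE_POLICY[level],      # Step 4
                 "escalation": ESCALATION[level]}       # Step 6
        self.log.append(event)                          # Step 7
        return event

    def review(self) -> dict:
        """Step 7 review: one alerted event from a source is a single-session
        attack; repeated events over time are a multiple-session attack."""
        per_src = defaultdict(int)
        for e in self.log:
            per_src[e["src"]] += 1
        return {src: ("single-session" if n == 1 else "multiple-session")
                for src, n in per_src.items()}


# Constructed connection records (not captured traffic).
SAMPLE = (
    [Conn(1.0, "10.0.0.5", 80, b"GET / HTTP/1.1"),
     Conn(2.0, "10.0.0.5", 80, b"GET /login?user=' OR 1=1 HTTP/1.1")]
    + [Conn(10.0 + i, "192.0.2.9", 20 + i, b"") for i in range(8)]   # 8 ports in 8 s
    + [Conn(300.0, "10.0.0.7", 443, b"\x16\x03\x01")]
)


def run(records: list = SAMPLE):
    ids = IDS()
    events = [e for e in (ids.process(c) for c in records) if e is not None]
    return ids, events


if __name__ == "__main__":
    ids, events = run()
    for e in events:
        print(f"t={e['ts']:>6.1f} {e['src']:<12} level {e['level']} "
              f"{e['reason']} -> {e['action']}; {e['escalation']}")
    print("review:", ids.review())
```

Step 5, the assessment, is the human part of the loop and is not automated here: if the review shows that 192.0.2.9 is the site's own vulnerability scanner, the fix is to raise SCAN_PORTS or exempt that address, not to keep dropping its packets. The scan source produces one event for every connection after the threshold is crossed, which is what lets the review step separate it from the single injection probe.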
Options for Implementing an IDS
Network-based IDS (NIDS): A NIDS is a set of components that includes a command console and sensors positioned at the network perimeter, where they monitor (sniff) traffic
Three common locations for NIDS sensors are behind the firewall and before the LAN, between the firewall and the DMZ, or on any network segment
A NIDS typically has its primary management and analysis software installed on a dedicated computer
A NIDS must keep up with a large volume of traffic and respond quickly to detected packets; a sensor that cannot keep up drops packets, and an attack carried in a dropped packet goes unseen
Host-based IDS (HIDS): A HIDS is deployed on each host in the LAN that is protected by the firewall; it evaluates activity on the host itself, including the traffic that host sends and receives
The HIDS gathers system variables such as running processes, CPU usage, and file access; system events that match signatures of known attacks are picked up by the HIDS on the host, which sends an alert
A HIDS does not sniff a shared segment the way a NIDS does; instead, it monitors log file entries and user activity on its own host
HIDS (cont.): A HIDS can have a centralized or distributed configuration; if centralized, the HIDS sends all gathered data to a central location (the command console) for analysis; if distributed, the data analysis is spread across the individual hosts
Host performance requirements are minimal in a centralized configuration, but hosts must be well equipped for a distributed configuration
A HIDS can tell whether an attack attempt against the host succeeded; a HIDS cannot by itself detect a network-wide intrusion attempt, because each agent sees only its own host
Hybrid IDS implementations: A hybrid IDS increases flexibility and security by combining the functionality of multiple systems
One type of hybrid combines host- and network-based systems; this enables positioning of sensors on network segments and on individual hosts, so the system responds to both network and host attacks
Another hybrid type combines anomaly and misuse detection; it can detect internal use that deviates from normal usage patterns and also has a database of well-known attacks, so the system responds to both internal and external attacks
Hybrid IDS implementations (cont.): A shim IDS is a type of NIDS, but its sensors are installed in selected hosts and network segments
A distributed IDS (DIDS) is a system in which multiple IDSs are deployed to monitor traffic and report suspicious events to one place; administrators are better able to assess developing patterns and distinguish between harmless anomalies and genuine attacks
A key advantage of hybrid IDSs is the ability to monitor the network as a whole; drawbacks include getting disparate systems to work together, and the data gathered can be difficult to analyze
Evaluating an IDS
The first step in evaluating an IDS is to review the topology of the network to be protected; pay particular attention to those parts of the network that interact directly with the IDS, such as the number of network entry points, the use of firewalls, and the segmenting of the network
The next step involves choosing the IDS type that best meets the network's security needs; Snort, a free and open-source NIDS, is well suited to monitoring traffic on a small network or an individual host
Choosing an IDS (cont.): The commercial product Norton Internet Security is designed for a home standalone computer or a computer on a small network; it contains a limited number of intrusion detection features
Tripwire, a host-based integrity checker usually classed as an anomaly-based IDS, has long been one of the most highly regarded software IDS packages; after a baseline of system and configuration files is established, any change to them triggers an alert; Tripwire is well suited to situations in which employee activity needs to be closely monitored
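A baseline-and-compare check of the kind the HIDS section describes (file access and host state rather than packets) and that an integrity checker such as Tripwire performs, written here as an added example: it is not Tripwire's code or database format and not code from the textbook. It hashes a set of watched files once, then reports any added, removed, or modified file, including a permission change, on a later run; the watched tree and the tampering are constructed in a temporary directory so that the example runs offline.

```python
"""Host-based baseline-and-compare integrity check. Added example in the
spirit of Tripwire; not Tripwire's code or database format. The watched
tree and the tampering are constructed in a temporary directory."""
import hashlib
import os
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its hash and mode bits."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": _sha256(p),
                "mode": p.stat().st_mode & 0o7777,   # permission, setuid/setgid, sticky bits
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report added, removed and modified files; 'modified' lists which attributes changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        changed = [k for k in ("sha256", "mode") if baseline[rel][k] != current[rel][k]]
        if changed:
            modified[rel] = changed
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Build a baseline, tamper with the tree four ways, and return the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "login").write_bytes(b"\x7fELF placeholder")
        os.chmod(root / "bin" / "login", 0o755)
        baseline = build_baseline(root)

        # Constructed tampering: config edit, setuid bit, new preload file, deleted file.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        os.chmod(root / "bin" / "login", 0o4755)
        (root / "etc" / "ld.so.preload").write_text("/tmp/example.so\n")
        (root / "etc" / "hosts").unlink()

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, items in demo().items():
        print(f"{kind}: {items}")
```

The check is only as trustworthy as the baseline: an intruder with root on the host can rewrite a baseline stored on that host just as easily as the files it describes, so the baseline (and the checker itself) belong on read-only media or on a separate host that pulls the hashes over the network.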
Choosing an IDS (cont.): The network-based IDS RealSecure is one of the most comprehensive and widely used IDS products; RealSecure uses a distributed client-server architecture and can be implemented as a hybrid IDS with multiple RealSecure Sensor products to scan network and host traffic
IDS hardware appliances can handle more network traffic and scale better than software IDS packages; a big advantage of hardware devices is plug-and-play capability, but appliances still need periodic signature and firmware updates just as software packages do
Choosing an IDS (cont.): The signature-based IDS Cisco Secure IDS draws on a database of attack signatures to detect intrusion attempts; the signatures available to the system are grouped by the type of network traffic they apply to (IP, ICMP, TCP, UDP, Web/HTTP, string matching, etc.); this NIDS makes use of sensors, and it also watches for patterns of attacks as it monitors network traffic
Chapter Summary
This chapter presented an overview of intrusion detection systems (IDSs), which provide a supplementary line of defense behind firewalls and anti-virus software. Some IDSs go beyond simply transmitting alarms: they reset TCP connections, block selected IP addresses, and provide evidence that can be used in disciplinary actions or to prevent further attacks
Some IDSs consist of software programs and others combine hardware devices, but they all use similar elements. A network sensor should be placed at the openings to the network and to individual network segments. Alert messages are sent by triggers, which can result from anomaly detection, misuse detection, or a combination of both. The alert message is sent to a command console, which gives the administrator a single interface to the data gathered by the IDS. A response system built into the IDS instructs it to drop packets or reset traffic if attacks are detected. To remain accurate and avoid false alarms, the database of signatures or user profiles must be kept current
The step-by-step intrusion detection process begins with the installation of a set of attack signatures (for misuse detection) or normal network usage profiles (for anomaly detection). Next, the sensors monitor packets. Alert messages are sent when a packet matches an attack signature or deviates from normal network usage. An alert message is transmitted to the command console. In addition, the IDS can also respond by dropping the packets or resetting a connection. False alarms are likely and will require the system to be fine-tuned to allow legitimate traffic to pass through without an alarm. If the intrusion is found to be an attack, escalation procedures should be pursued. The IDS also logs each alarmed event so it can be reviewed later on. Exporting the data to a database for analysis can reveal the real nature and intent of attacks
Next, the IDS is implemented. A network-based intrusion detection system (NIDS) uses sensors positioned around the perimeter of the network or of network segments. A host-based intrusion detection system (HIDS) uses sensors that are deployed on each host that needs to be protected. A HIDS uses data generated by each host. A hybrid IDS combines the functionality of a NIDS and a HIDS. It can also combine anomaly- and misuse-based detection. A shim IDS makes use of sensors installed both on network segments and hosts. A distributed IDS collects data gathered from multiple IDSs and firewall logs in order to analyze data across a wide area
Different types of IDSs exist. In the freeware and shareware category, the best-known program is Snort, which makes use of a set of predetermined rules and is designed to monitor traffic on a small-scale network. Commercial firewall programs such as Norton Internet Security include limited sets of IDS features. Anomaly-based systems like the highly regarded Tripwire for Network Devices establish a baseline and alert on changes from it. RealSecure is a network-based IDS that makes use of one or more network sensors and a command console.
Hardware appliances can handle a higher traffic load than software programs and offer plug-and-play functionality. The Cisco Secure IDS system draws on a database of attack signatures but also monitors for suspicious traffic patterns, much as a firewall does