Security Perimeter Eng. Mohammad Adly, M. Sc.
Dec 28, 2015
Intrusion Detection
• Host-based – HIDS, HIPS
• Network-based – NIDS, NIPS
What is IDS
• Reports attacks against monitored systems/networks – an alarm system
• Mature technology with significant deployment
What IDS is NOT?
• Not a replacement for firewalls, strong policies, system hardening, timely patching, and other DiD techniques
• Not a low-maintenance tool
• Not an inexpensive tool
• Not a silver bullet
IDS in Action
• Attacker used nmap to scan a host for open ports
• Attacker has already scanned the host and found the open ports
• Victim's IDS flagged the TCP Xmas scan and logged the attacker's activity and IP address
• The tool only presented data to an analyst; it is up to the analyst to take action
IDS Alerts
• Alerts are generated from Events of Interest (EOI)
• 4 types of events:
– True Positive, True Negative
– False Positive, False Negative
• Which one is the worst to have on your network?
NIDS Overview
• Deployed as a passive sensor at network aggregation points
– Captures traffic like a sniffer
• Detects EOI on the network
• Uses signature, anomaly, or application/protocol analysis
Signature Analysis
• Rules indicate criteria in packet that represent EOI
• Rules are applied to packets as they are received by the IDS
• Alerts are created when matches are found
Rules and Signature Criteria
• Protocol, address and port information
• Payload contents
• String matching
• Traffic flow analysis
• Flags in protocol headers
Anomaly Analysis
• Flags anomalous conditions in traffic on the network
– Unexpected conditions are identified as suspicious
• Requires understanding of what “normal” is
• Usually based on good traffic as a baseline for future analysis
• Usually an inclusive detection method
Application/Protocol Analysis
• IDS has understanding of the logic for a specific application or protocol
• Any protocol activity that is not known as normal is flagged
• Difficult to implement
– Few protocol implementations are standard
• Usually an exclusive detection method
Deep Vs Shallow Inspection
• Shallow
– Fast, but provides little fidelity
– Examines header information and limited payload data
• Deep
– Slow, requires stateful tracking of data
– Inspects all fields, including variable-length fields
NIDS Challenges
• Deployment challenges, including sensor placement and access limitations
• Analyzing encrypted traffic
• Quantity vs. quality of signatures
• Performance limitations (speed of processing and size of storage)
• Very costly to manage properly
Where to put NIDS?
TCPDump as NIDS
• Uses libpcap for packet capture
• Always available
• Compiles on many Unix platforms
• Runs on Windows
• High fidelity
• Same program for data collection and first-order analysis
Snort
• Low cost, lightweight
• Suitable for monitoring multiple sites/sensors
• Low false alarm rate
• Low effort for reporting
Snort Capture
Basic Snort Rule
• Rule:
– alert tcp any any -> 192.168.1.0/24 80 (msg: "Inbound HTTP Traffic";)
• Output:
– [**] [1:0:0] Inbound HTTP Traffic [**]
  09/02-13:03:22.734392 192.168.1.104:1460 -> 192.168.1.103:80
  TCP TTL:128 TOS:0x0 ID:28581 IpLen:20 DgmLen:48 DF
  ******S* Seq: 0x2550D716 Ack: 0x0 Win: 0x4000 TcpLen: 28
  TCP Options (4) => MSS: 1460 NOP NOP SackOK
Advanced Snort Rule
• Rule:
– alert tcp any any -> 192.168.1.0/24 80 (content: "/cgi-bin/test.cgi"; msg: "Attempted CGI-BIN Access!!";)
• Output:
– [**] [1:0:0] Attempted CGI-BIN Access!! [**]
  09/02-13:18:30.550445 192.168.1.104:1472 -> 192.168.1.103:80
  TCP TTL:128 TOS:0x0 ID:29951 IpLen:20 DgmLen:466 DF
  ***AP*** Seq: 0x32D8E9C1 Ack: 0xB427699E Win: 0x4470 TcpLen: 20
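As an added example (not from the original slides), a minimal Python matcher that parses both rules above and applies their header criteria and content string to constructed packets; it supports only plain addresses or CIDRs, single ports and a quoted content option, not Snort variables, port lists or negation.

```python
import ipaddress
import re

# Constructed packets standing in for the two captures on the slides (not real traffic).
PACKETS = [
    {"proto": "tcp", "src": "192.168.1.104", "sport": 1460, "dst": "192.168.1.103",
     "dport": 80, "payload": b""},                                    # bare SYN
    {"proto": "tcp", "src": "192.168.1.104", "sport": 1472, "dst": "192.168.1.103",
     "dport": 80, "payload": b"GET /cgi-bin/test.cgi HTTP/1.0\r\n\r\n"},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40000, "dst": "10.0.0.9",
     "dport": 443, "payload": b"GET /cgi-bin/test.cgi HTTP/1.0\r\n\r\n"},  # not in 192.168.1.0/24
]

RULES = [
    'alert tcp any any -> 192.168.1.0/24 80 (msg: "Inbound HTTP Traffic";)',
    'alert tcp any any -> 192.168.1.0/24 80 (content: "/cgi-bin/test.cgi"; '
    'msg: "Attempted CGI-BIN Access!!";)',
]

HEADER_RE = re.compile(r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)'
                       r'\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')
OPT_RE = re.compile(r'(\w+)\s*:\s*"([^"]*)"')   # option: "value" pairs inside the parentheses

def parse_rule(text):
    """Split a rule into its header fields and a dict of quoted options (msg, content)."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: " + text)
    rule = m.groupdict()
    rule["opts"] = dict(OPT_RE.findall(rule["opts"]))
    return rule

def addr_match(pattern, ip):
    return pattern == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)

def port_match(pattern, port):
    return pattern == "any" or int(pattern) == port

def rule_matches(rule, pkt):
    """Cheap header criteria first; the payload string search only runs when the header fits."""
    if rule["proto"] != pkt["proto"]:
        return False
    if not (addr_match(rule["src"], pkt["src"]) and port_match(rule["sport"], pkt["sport"])
            and addr_match(rule["dst"], pkt["dst"]) and port_match(rule["dport"], pkt["dport"])):
        return False
    content = rule["opts"].get("content")
    return content is None or content.encode() in pkt["payload"]

def run_rules(rules, packets):
    """Per packet, the msg of every rule that fires (Snort's alert stream without the header dump)."""
    parsed = [parse_rule(r) for r in rules]
    return [[r["opts"]["msg"] for r in parsed if rule_matches(r, p)] for p in packets]
```

The bare SYN trips only the first rule, exactly as the first output above shows, which is why a rule with no content option is noisy on a busy web server.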
Additional Snort Tools
• Log Analysis Tools
– Snort Stat: http://www.snort.org/dl/contrib/data_analysis/snort_stat.pl
– Snort Snarf: http://www.silicondefense.com/software/snortsnarf/index.htm
– Snort Log: http://www.snort.org/dl/contrib/data_analysis/snortlog3.pl
• Real-Time Alerting Tools
– SWATCH, the Simple WATCHer
Snort Stat
Snort Snarf
Core_Host Filter
• DNS, Web, and mail servers draw a lot of fire
– About 20% of all our attacks
• If you lose control of DNS, they own you
• Worth the time to give connection attempts to these systems an extra look
Core_Host Filter- Web Server
HR IDS Application
• Content monitoring systems
• Spy on employees
• Monitors web, IM and e-mail for confidential information leakage
• Helps address the inside attacker
• Identifies violations of the company acceptable use policy
NIDS Pros
• Internet is a large attack vector
• Fairly easy to setup
• Does not affect the speed of the network or add load to the systems it monitors
NIDS Cons
• Sensors have limited speed
• Almost impossible to detect attacks not in rule set
• Very susceptible to “low” and “slow” attacks
NIDS Summary
• NIDS is an important part of a robust perimeter defense.
• NIDS tools such as BlackICE, Defender, Snort, and Ethereal are available and viable products
• Add-ons provide additional features
Why NIDS is not Enough?
• Very fast networks
• Switched networks
• Encrypted networks
• Backdoors in the local network
• Insider on the network
• NIDS may miss an attack
• Don’t trust corporate security that much
HIDS
• Host-based systems monitor their network connections and file system status.
• Have to acquire the aggregate logs of ALL critical systems at a minimum
• When potential problems are found, alerts are raised
HIDS
• Monitoring and controlling traffic into and out of the host
• Generating logs that record activity on the host
• Performing actions based on what is found in the logs
• Managing file changes on the host- authorized or otherwise
Unix Based- HIDS
• TCPWrappers and Xinetd
• Port Sentry (reacts to port scans)
• Syslog
• Swatch
• Tripwire
TCPWrappers
• Monitors and filters incoming TCP network service requests
• Valuable logging tool
• Currently included in most Unix / Linux distributions
Without TCPWrappers
With TCPWrappers
TCPWrappers Configuration
• The ACLs for TCP Wrappers are configured in the /etc/hosts.deny and /etc/hosts.allow files.
• The default setting in /etc/hosts.deny is a single line:
– ALL: ALL
– # Deny everything, add back with /etc/hosts.allow
– “deny everything not expressly permitted”
Host Allow
ALL: .nnnn.abc.org, 192.168.2., friend.somewhere.edu
sshd: trustedhost.somewhere.org
TCPWrappers
• Checks both forward and reverse DNS lookup
• Both answers must match or connection is dropped
• Adds a layer of security against spoofing
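An added example (not the tcp_wrappers source) that evaluates the hosts.allow and hosts.deny files from the slides the way the library does, allow first and then deny, and applies the forward/reverse DNS agreement check to the connecting address. The DNS tables, addresses and host names other than those on the slides are constructed for the example.

```python
# Constructed forward/reverse DNS tables standing in for real lookups (example data only).
REVERSE = {"192.168.2.15": "box.nnnn.abc.org", "203.0.113.5": "trustedhost.somewhere.org",
           "198.51.100.9": "evil.example"}          # evil.example's forward record disagrees
FORWARD = {"box.nnnn.abc.org": "192.168.2.15", "trustedhost.somewhere.org": "203.0.113.5",
           "evil.example": "203.0.113.5"}

HOSTS_ALLOW = """ALL: .nnnn.abc.org, 192.168.2., friend.somewhere.edu
sshd: trustedhost.somewhere.org"""
HOSTS_DENY = "# deny everything not expressly permitted\nALL: ALL"

def parse_acl(text):
    """Each line is 'daemon_list : client_list'; blank lines and lines starting with '#' are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            daemons, clients = line.split(":", 1)
            rules.append(([d.strip() for d in daemons.split(",")],
                          [c.strip() for c in clients.split(",")]))
    return rules

def client_match(pattern, ip, name):
    if pattern == "ALL":
        return True
    if pattern.startswith("."):           # domain suffix, e.g. .nnnn.abc.org
        return name is not None and name.endswith(pattern)
    if pattern.endswith("."):             # network prefix, e.g. 192.168.2.
        return ip.startswith(pattern)
    return pattern in (ip, name)          # exact address or host name

def client_name(ip):
    """Reverse lookup, then forward lookup of the result; both must agree for the name to be trusted."""
    name = REVERSE.get(ip)
    if name is None:
        return None, False                # no PTR record: match on the address only
    return name, FORWARD.get(name) == ip

def hosts_access(daemon, ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """True if admitted: hosts.allow is consulted first, then hosts.deny, else allow by default."""
    name, consistent = client_name(ip)
    if name is not None and not consistent:
        return False                      # forward/reverse mismatch: possible spoof, drop it
    def hit(rules):
        return any(any(d in ("ALL", daemon) for d in ds)
                   and any(client_match(c, ip, name) for c in cs) for ds, cs in rules)
    if hit(parse_acl(allow)):
        return True
    return not hit(parse_acl(deny))
```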
DNS Review
TCPWrappers in Action
Psionic Port Sentry
• Runs on TCP and UDP
• Stealth scan detection for Linux
• Reacts to a port scan attempt by blocking the host in real-time
• Remembers hosts that connected previously
Port Sentry Log
• Jul 3 11:30:20 shepherd portsentry[418]: attackalert: SYN/Normal scan from host: node10453.a2000.nl/24.132.4.83 to TCP port: 143
• Jul 3 11:30:20 shepherd portsentry[418]: attackalert: Host 24.132.4.83 has been blocked via wrappers with string: "ALL: 24.132.4.83"
• Jul 3 11:30:20 shepherd portsentry[418]: attackalert: Host 24.132.4.83 has been blocked via dropped route using command: "/sbin/route add -host 24.132.4.83 gw 333.444.555.666"
Syslog
• Unix system logger can be on a local system or other system
• TCPWrappers logs to Syslog by default
• Logs can offer valuable information, but they can also be compromised
• Swatch or other tools can monitor syslog and raise alerts
Syslog Example
• Nov 13 01:28:36 ns1 named[22988]: unapproved AXFR from [192.168.1.2].3209 for abc.nnnn.org
• Nov 13 01:28:36 ns2 named[89]: unapproved AXFR from [192.168.1.2].3250 for abc.nnnn.org
• AXFR = zone transfer attempt
Swatch
• Swatch (Simple WATCHer) is one such tool that monitors selected log files
• Completes one or more user-specified actions when it encounters a match to a user defined search string
Swatch
• Keywords:
– watchfor regular expression
– ignore regular expression
Swatch
• Actions:
– echo attributes
– bell length
– mail recipient,subject line
– write user
– exec “command”
– pipe “command”
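An added example (not swatch itself) of the watchfor/ignore logic above, run in Python over a constructed log excerpt modelled on the Syslog and Port Sentry slides; actions are recorded instead of executed, and the mail recipient and exec script are hypothetical.

```python
import re

# Constructed log excerpt modelled on the slides' AXFR and portsentry lines (sample data, not a capture).
LOG = """\
Nov 13 01:28:36 ns1 named[22988]: unapproved AXFR from [192.168.1.2].3209 for abc.nnnn.org
Nov 13 01:28:36 ns2 named[89]: unapproved AXFR from [192.168.1.2].3250 for abc.nnnn.org
Nov 13 01:29:01 ns1 sshd[301]: Accepted publickey for ops from 192.168.1.20 port 5001
Jul  3 11:30:20 shepherd portsentry[418]: attackalert: SYN/Normal scan from host: node10453.a2000.nl/24.132.4.83 to TCP port: 143
"""

# Swatch-style configuration: (keyword, regular expression, actions). Actions are recorded
# rather than run so the result can be inspected offline; swatch itself would echo/mail/exec.
CONFIG = [
    ("watchfor", r"unapproved AXFR from \[(?P<ip>[\d.]+)\]",
     [("echo", "bold"), ("mail", "secops@example.invalid,Zone transfer attempt")]),
    ("watchfor", r"attackalert: .* from host: (?P<host>\S+)",
     [("bell", "3"), ("exec", "/usr/local/bin/page-oncall")]),   # hypothetical script
    ("ignore", r"Accepted publickey", []),
]

def watch(log_text, config=CONFIG):
    """First matching entry wins for each line, as in swatch; return the actions that fired."""
    fired = []
    compiled = [(kw, re.compile(pat), acts) for kw, pat, acts in config]
    for line in log_text.splitlines():
        for keyword, rx, actions in compiled:
            m = rx.search(line)
            if m is None:
                continue
            if keyword == "watchfor":
                fired.extend((action, arg, m.groupdict()) for action, arg in actions)
            break                     # 'ignore' or already handled: stop at the first match
    return fired
```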
Swatch- Sample Configuration File
Swatch Notification
Tripwire
• It will examine some or all of the file system (configurable)
• Create one or more cryptographic hashes of each file
• If a file changes, the change can be detected
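An added example (not Tripwire's code) of the baseline-and-compare idea above: hash every file under a directory, keep the digests with permission bits and size as the baseline, and report what changed. The directory tree and the edits made to it are constructed inside the example.

```python
import hashlib
import os
import tempfile

def file_digests(path):
    """Two hashes per file, as Tripwire can record several; both must collide to hide a change."""
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            sha256.update(chunk)
            md5.update(chunk)
    return sha256.hexdigest(), md5.hexdigest()

def snapshot(root):
    """Baseline database: digests, permission bits and size, keyed by path relative to root."""
    db = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            db[os.path.relpath(full, root)] = (file_digests(full), st.st_mode & 0o7777, st.st_size)
    return db

def compare(baseline, current):
    """Added, removed and changed files relative to the baseline (a Tripwire-style report)."""
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "changed": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])}

def demo():
    """Constructed scenario: baseline a small tree, then alter one file and add another."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "hosts.allow"), "w") as f:
            f.write("sshd: trustedhost.somewhere.org\n")
        with open(os.path.join(root, "etc", "hosts.deny"), "w") as f:
            f.write("ALL: ALL\n")
        baseline = snapshot(root)          # in practice, keep the baseline read-only or off the host
        with open(os.path.join(root, "etc", "hosts.allow"), "a") as f:
            f.write("ALL: ALL\n")            # an unauthorized loosening of the wrappers ACL
        with open(os.path.join(root, "etc", "motd"), "w") as f:
            f.write("welcome\n")
        return compare(baseline, snapshot(root))
```

The baseline is only as trustworthy as its storage: if an intruder can rewrite the database as well as the file, the comparison reports nothing.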
Windows Based HIDS
• System Tools: Event Viewer, Netstat
• Port and Process Tools: Fport
• File Integrity Checkers: Tripwire for Windows
• Host-based Sensors
Event Viewer
Netstat -a
Fport
Tripwire for Windows
Change in Registry Entry
Windows HIDS Sensors
• Searches log files for signatures that may indicate suspicious activity
• Can monitor events that a NIDS may miss
• Can be configured to take certain actions based on the severity of the event
• Examples: Dragon Squire by Enterasys, and RealSecure by ISS
HIDS Summary
• Intrusion detection software must be present on every protected host
– This is expensive from a system administration point of view
• Requires system resources
• HIDS can detect intrusions that cannot be detected from a NIDS
Internet Storm Center
HIDS and NIDS
Network-based IDS + host-based intrusion detection on core hosts (DNS, mail, web, high-value servers) = an excellent combination
What is IPS?
• IPS stops attacks on systems and networks from being effective
• Technology more recent, but rapidly maturing
Product Examples
• McAfee HIPS
• IBM ISS Proventia
• Check Point’s VPN, Smart Defense and InterSpect
• Norton Internet Security
• Tipping Point IPS
IDS Plus Something
• McAfee
– Uses application and anomaly analysis
– Uses file integrity checks
– Runs on Windows, Solaris and HP-UX
• IBM ISS Proventia
– Appliance-based NIPS
– Throughput support from 100M to 2G
Firewall Plus Something
• Check Point
– Smart Defense
– InterSpect
Antivirus Plus Something
• Norton Internet Security
– Norton Antivirus
– Norton firewall
– Norton IPS identifies common attacks, which assists in protecting against spyware, rootkits, phishing and spamming attempts
An extra widget
• Tipping Point IPS
– Identifies and drops malicious traffic
– Uses complex and deep packet inspection
– Boasts gigabit speeds, low latency
– Identifies evasion techniques
– Can use real-time updates for new threats
IPS Challenges
• HIPS
– False positives
– Supports a limited suite of applications
– Requires more system resources
– Limit on the number of nodes managed by each console
• NIPS
– Can you afford false positives?
– Keeping up with traffic demands
– Tend to have a less expensive rule base
Recommendations
• Learning Mode
– IPS should support a network learning mode to learn more about “normal” traffic, topology, and architecture
• Trained analysts
• Not a replacement for firewalls
Lab Three
• TCPWrappers
• Port Sentry
• Syslog
• Swatch
• Tripwire (Linux and Windows)
• Fport
• Black Ice
• Snort