
Intrusion Detection System

Alan TAM
Program Committee, PISA
Definition and Needs
• IDS = Intrusion Detection System
• Not a firewall: it detects and alerts, it does not block traffic by itself
• Content inspection (looks inside the payload, not just at the header)
Technology
• Signature detection
• Anomaly detection
General IDS Model
• Components (from the diagram): Data Source, Sensor, Analyzer, Manager, Operator, Administrator
• Data flow: Data Source -> Activity -> Sensor -> Events -> Analyzer -> Alerts -> Manager -> Notifications -> Operator -> Response
• The Administrator defines the Security Policy that governs the Sensor, the Analyzer, the Manager and the Operator
Basic Classification
• NIDS - Network Based
– e.g. Cisco Secure IDS, Axent NetProwler, Snort,
ISS RealSecure Network Sensor, NAI CyberCop Monitor
• HIDS - Host Based
– e.g. Axent Intruder Alert, ISS RealSecure OS
Sensor, Tripwire
Functional Classification
• Packet capturing + Pattern matching
• Log parser
• Host firewall
• File integrity checker
• Activity monitor
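The "file integrity checker" class above (Tripwire is the example the slides name) works by taking a trusted baseline of content hashes and metadata and diffing a later snapshot against it. The following is an added example, not code from the slides or from Tripwire; the directory tree, file names and "intruder" changes in demo() are constructed for the demonstration.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

# Added example, not code from the slides: a minimal Tripwire-style file
# integrity checker. The tree built in demo() is constructed for the demo;
# real deployments baseline system directories and keep the baseline (and
# the checker itself) on read-only or offline media so an intruder cannot
# re-baseline the trojaned files.

def fingerprint(path: Path) -> dict:
    """Hash the content and record metadata that tampering usually changes."""
    st = path.lstat()
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid}

def build_baseline(root: Path) -> dict:
    """Fingerprint every regular file under root, keyed by relative POSIX path."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = fingerprint(p)
    return baseline

def compare(baseline: dict, current: dict) -> dict:
    """Report added, removed and modified files; for modified ones, say which
    attribute moved (content hash, size, permission bits, owner)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        changed = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
        if changed:
            modified[rel] = changed
    return {"added": added, "removed": removed, "modified": modified}

def demo() -> dict:
    """Baseline a small constructed tree, simulate an intrusion, and diff it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "login").write_bytes(b"#!/bin/sh\nexec /sbin/real_login\n")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts.allow").write_text("sshd: 10.0.0.0/8\n")
        os.chmod(root / "etc" / "passwd", 0o644)

        snapshot = json.dumps(build_baseline(root))   # store this offline, signed

        # Simulated intruder: trojaned login, world-writable passwd,
        # dropped backdoor binary, deleted access-control file.
        (root / "bin" / "login").write_bytes(b"#!/bin/sh\nexec /tmp/.x/sh -i\n")
        os.chmod(root / "etc" / "passwd", 0o666)
        (root / "bin" / "sh_backdoor").write_bytes(b"\x7fELF")
        (root / "etc" / "hosts.allow").unlink()

        return compare(json.loads(snapshot), build_baseline(root))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Note that a content-only checker would miss the passwd change: only the permission bits moved, which is exactly the kind of change a host-based sensor should flag.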
Deployment Tips (1)
• Dual NIC
– Monitoring NIC: no TCP/IP binding (stealth, not addressable from the monitored segment)
– Management NIC: on a separate, protected segment
– Network performance
– Security
• NIC optimization settings
• Promiscuous mode on the monitoring NIC
Deployment Tips (2)
• Locations
– DMZ
– In front of firewall
– Behind firewall
– Server segments
– “Power user” segments
Deployment Tips (3)
• Generic OS hardening & optimization
– TCP/IP services
– NetBIOS services
– File & directory permission
– Useless background process
– Peripherals
Deployment Tips (4)
• Miscellaneous
– Automatic mass deployment of HIDS
– Downtime against SLA
– Tuning of false alarms
– Do policy customization (no kidding)
– Monitor log growth rate
Problem Scenarios (1)
• Signature quality
– False POSITIVES
– False NEGATIVES
– Threshold values
– Duplicates elimination
• Encrypted traffic
– SSL, IPSEC & PPTP tunnels, PGP attachment
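The signature-quality bullets (false positives, false negatives, threshold values, duplicate elimination) are easiest to see in a small log parser. The following is an added example, not code from the slides or from any product named on them; the signature names, thresholds, windows and the syslog-style lines in run_demo() are constructed for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example, not code from the slides: a signature-based log parser that
# shows where the false-positive / false-negative trade-off lives. Signature
# names, thresholds, windows and the log lines in run_demo() are constructed.

LOG_LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) (?P<msg>.*)$")
IPV4 = r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})"

# (name, pattern, threshold, window): alert only when `threshold` matching
# events from the same source fall inside `window`. A low threshold catches
# more (fewer false negatives) at the price of more noise (false positives).
SIGNATURES = [
    ("ssh-bruteforce", re.compile(r"Failed password for \S+ from " + IPV4), 5, timedelta(seconds=60)),
    ("root-login", re.compile(r"Accepted password for root from " + IPV4), 1, timedelta(0)),
]

class LogMonitor:
    def __init__(self, suppress: timedelta = timedelta(minutes=5)):
        self.hits = defaultdict(deque)   # (signature, src) -> timestamps inside window
        self.last_alert = {}             # (signature, src) -> time of last alert
        self.suppress = suppress         # duplicate elimination window
        self.alerts = []
        self.unparsed = 0                # a spike here can mean log tampering

    def feed(self, line: str) -> list:
        """Process one log line; return the alerts it raised (usually none)."""
        m = LOG_LINE.match(line)
        if not m:
            self.unparsed += 1
            return []
        ts = datetime.fromisoformat(m["ts"])
        raised = []
        for name, pat, threshold, window in SIGNATURES:
            hit = pat.search(m["msg"])
            if not hit:
                continue
            key = (name, hit["src"])
            q = self.hits[key]
            q.append(ts)
            while q and ts - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) < threshold:
                continue                       # below threshold: not yet an alert
            last = self.last_alert.get(key)
            if last is not None and ts - last < self.suppress:
                continue                       # duplicate of a recent alert: drop
            self.last_alert[key] = ts
            alert = (ts.isoformat(), name, hit["src"], len(q))
            self.alerts.append(alert)
            raised.append(alert)
        return raised

def run_demo() -> LogMonitor:
    """Feed constructed lines: two typos from 10.0.0.5 (below threshold), a
    six-try burst then a successful root login from 192.0.2.7, one corrupt line."""
    lines = [
        "2001-08-15T10:00:01 sshd[412]: Failed password for admin from 10.0.0.5 port 40122 ssh2",
        "2001-08-15T10:00:09 sshd[412]: Failed password for admin from 10.0.0.5 port 40122 ssh2",
    ] + [
        f"2001-08-15T10:01:0{i} sshd[431]: Failed password for root from 192.0.2.7 port 5100 ssh2"
        for i in range(6)
    ] + [
        "2001-08-15T10:01:30 sshd[440]: Accepted password for root from 192.0.2.7 port 5200 ssh2",
        "\x00\x00 corrupt record",
    ]
    mon = LogMonitor()
    for line in lines:
        mon.feed(line)
    return mon

if __name__ == "__main__":
    mon = run_demo()
    for a in mon.alerts:
        print(*a)
    print("unparsed lines:", mon.unparsed)
```

The burst of six failures produces exactly one brute-force alert: the fifth event crosses the threshold, the sixth is a duplicate inside the suppression window. Raising the threshold or lengthening the window trades false positives for false negatives; there is no setting that removes both, which is why the slides list tuning as an operational task rather than a one-off.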
Problem Scenarios (2)
• Switch instead of Hub
– Collision domain
– Port Spanning/Mirroring/Monitoring
– Performance degradation
• High speed network
– Packet drop
– DoS
How to choose an IDS (1)
• Attack Signature
– Quality
– Update frequency
– Update mechanism
How to choose an IDS (2)
• Scalability
– Traffic handling capacity
– Shutdown mechanism
– Supported platforms (HIDS)
How to choose an IDS (3)
• Manageability
– Examining log
– Cross reference
– Archiving
– Centralized console
How to choose an IDS (4)
• Hardware platform
– Intel based
– SPARC based
Response Actions (1)
• Log
– Header, significant application data
– Raw packet
• Alert
– Console
– Email
– SNMP Traps
Response Actions (2)
• Termination
– TCP kill (forged RST sent to both ends of the connection)
– Kernel drop
• Third-party Integration
– Firewall
– Router
Response Actions (3)
• User Script
– Increase log level
– Modem to Pager
– Email to SMS
– Redirect to Honey Pot
Previous Battlefield
• IP defragmentation
• TCP stream reassembly
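Both bullets are the same evasion: a signature that never appears whole in any single packet. The following is an added example, not code from the slides or from any product they name; it uses TCP segments, but IP fragments work the same way with different headers. The attack string and the segments are constructed for the demonstration.

```python
# Added example, not code from the slides. It shows why a NIDS that matches
# each packet on its own misses a signature split across TCP segments (or IP
# fragments: same idea, different header), and how reassembly closes that gap.
# The signature string and the segments are constructed for the demonstration.

SIGNATURE = b"GET /cgi-bin/phf"   # illustrative attack string, not from the slides

def per_packet_match(segments, sig=SIGNATURE) -> bool:
    """Naive NIDS: look for the signature inside each segment payload alone."""
    return any(sig in payload for _seq, payload in segments)

def reassemble(segments) -> bytes:
    """Stitch (seq, payload) segments into one byte stream.

    Segments are sorted by sequence number, so arrival order does not matter.
    Overlaps keep the bytes already in the stream (first-in-sequence wins).
    Real targets differ in which copy they keep (BSD, Linux and Windows do
    not agree), so a serious IDS must model the target's policy: that
    ambiguity is itself an evasion technique. A hole raises, because the
    stream cannot be judged until the missing segment is retransmitted."""
    stream = bytearray()
    base = None
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if base is None:
            base = seq
        offset = seq - base
        if offset > len(stream):
            raise ValueError(f"hole in stream at offset {len(stream)}")
        stream.extend(payload[len(stream) - offset:])   # skip already-covered prefix
    return bytes(stream)

def stream_match(segments, sig=SIGNATURE) -> bool:
    """Reassembly-aware NIDS: match against the rebuilt stream."""
    return sig in reassemble(segments)

def demo() -> tuple:
    """Attacker splits the request so no segment carries the whole signature,
    sends the pieces out of order, and retransmits one of them."""
    seq0 = 1000
    request = b"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0\r\n\r\n"
    segments = [
        (seq0 + 8, request[8:20]),    # b"-bin/phf?Qal" arrives first
        (seq0, request[:8]),          # b"GET /cgi"
        (seq0 + 20, request[20:]),    # the rest
        (seq0, request[:8]),          # retransmission of the first piece
    ]
    return per_packet_match(segments), stream_match(segments)

if __name__ == "__main__":
    naive, reassembled = demo()
    print("per-packet matcher saw attack:", naive)       # False: evaded
    print("stream reassembly saw attack:", reassembled)  # True
```

Reassembly costs memory per tracked connection, which is why it reappears on the next slide as a load-balancing and hardware problem: an attacker who opens many half-finished streams can exhaust the sensor before the real attack arrives.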
Today…
• IDS load balancing
• Hardware IDS
– ASIC IDS module in a Chassis
– ASIC Switch appliance
Standards
• CVE (Common Vulnerabilities and
Exposures)
• IDMEF (Intrusion Detection Message
Exchange Format)
CVE (1)
• Standardized name
• Interoperability between tools
• Tool comparison guidelines
– CVE-Compatible
– No. of signatures
CVE (2)
• Version number
– As of August 2001: 20010507
• Classification
– CVE candidate (CAN-YYYY-XXXX)
– CVE entry (CVE-YYYY-XXXX)
• Candidate life cycle (from the diagram): Discovery -> Assign candidate number -> Editor proposes to the board -> Modification votes -> Accepted or Rejected, then Published
Data Sources
• Security Focus - SecurityFocus.com weekly
Newsletters
(http://www.securityfocus.com/vdb)
• Network Computing and the SANS Institute -
weekly Security Alert Consensus
(http://archives.neohapsis.com/archives/securityexpress/current/)
• ISS - monthly Security Alert Summary
(http://xforce.iss.net/alerts/summaries.php)
• NIPC CyberNotes - biweekly issues
(http://www.nipc.gov/cybernotes.htm)
Reference Source
AIXAPAR, ALLAIRE, ASCEND, ATSTAKE, AUSCERT, BID, BINDVIEW, BUGTRAQ, CALDERA, CERT, CERT-VN, CHECKPOINT,
CIAC, CISCO, COMPAQ, CONECTIVA, CONFIRM, DEBIAN, EEYE, EL8, ERS, FREEBSD, FarmerVenema,
FreeBSD, HERT, HP, IBM, INFOWAR, ISS, KSRT, L0PHT, MANDRAKE, MISC, MS, MSKB,
NAI, NETBSD, NETECT, NTBUGTRAQ, NetBSD, OPENBSD, REDHAT, RSI, SCO, SEKURE, SF-INCIDENTS,
SGI, SNI, SUN, SUNBUG, SUSE, TURBO, URL, VULN-DEV, WIN2KSEC, XF
Tips for using CVE
• Do not use general terms (e.g. buffer
overflow) to search
• Use exact process name (e.g. sendmail)
• Go to the “references” for Fix
IDWG
• Intrusion Detection Working Group
• Aims
– Define data format
– Define exchange procedure
• Outputs
– Requirement document
– Common intrusion language specification
– Framework document
IDMEF
• Standard data format (using XML)
• Interoperability
• Typical deployments:
– Sensor to Manager
– Database
– Event correlation system
– Centralized console
IDMEF Addressed Problems
• Inherently heterogeneous information
• Different sensor types
• Different analyzer capabilities
• Different operating systems
• Different objectives of commercial vendors
Message Classes (1)
• IDMEF-Message Class
• Alert Class
– ToolAlert
– CorrelationAlert
– OverflowAlert
• Heartbeat Class
Message Classes (2)
• Core Classes
– Analyzer
– Source
– Target
– Classification
– Additional Data
Message Classes (3)
• Time Class
– CreateTime
– DetectTime
– AnalyzerTime
Message Classes (4)
• Support Class
– Node
– User
– Process
– Service
Example
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE IDMEF-Message PUBLIC "-//IETF//DTD RFCxxxx IDMEF v0.3//EN"
  "idmef-message.dtd">
<IDMEF-Message version="0.3">
  <Alert ident="abc123456789" impact="successful-dos">
    <Analyzer analyzerid="hq-dmz-analyzer01">
      <Node category="dns">
        <location>Headquarters DMZ Network</location>
        <name>analyzer01.bigcompany.com</name>
      </Node>
    </Analyzer>
    <CreateTime ntpstamp="0x12345678.0x98765432">
      2000-03-09T10:01:25.93464-05:00
    </CreateTime>
    <Source ident="a1b2c3d4">
      <Node ident="a1b2c3d4-001" category="dns">
        <name>badguy.hacker.net</name>
        <Address ident="a1b2c3d4-002" category="ipv4-net-mask">
          <address>123.234.231.121</address>
          <netmask>255.255.255.255</netmask>
        </Address>
      </Node>
    </Source>
    <Target ident="d1c2b3a4">
      <Node ident="d1c2b3a4-001" category="dns">
        <Address category="ipv4-addr-hex">
          <address>0xde796f70</address>
        </Address>
      </Node>
    </Target>
    <Classification origin="bugtraqid">
      <name>124</name>
      <url>http://www.securityfocus.com</url>
    </Classification>
  </Alert>
</IDMEF-Message>
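The point of IDMEF is that a console, database or correlation engine can consume alerts from any sensor without per-vendor parsing. The following is an added example, not code from the slides or from the IDWG; it flattens an IDMEF v0.3 Alert into the fields such a consumer needs. SAMPLE is a constructed message modelled on the slide's example, with the DOCTYPE left out so the parser does not look for a DTD on disk.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Added example, not code from the slides: extract what a console, database
# loader or correlation engine needs from an IDMEF v0.3 Alert. SAMPLE is
# constructed after the slide's example message; the DOCTYPE is omitted so
# the parser does not look for a DTD on disk.

SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<IDMEF-Message version="0.3">
  <Alert ident="abc123456789" impact="successful-dos">
    <Analyzer analyzerid="hq-dmz-analyzer01">
      <Node category="dns">
        <location>Headquarters DMZ Network</location>
        <name>analyzer01.bigcompany.com</name>
      </Node>
    </Analyzer>
    <CreateTime ntpstamp="0x12345678.0x98765432">2000-03-09T10:01:25.93464-05:00</CreateTime>
    <Source ident="a1b2c3d4">
      <Node ident="a1b2c3d4-001" category="dns">
        <name>badguy.hacker.net</name>
        <Address ident="a1b2c3d4-002" category="ipv4-net-mask">
          <address>123.234.231.121</address>
          <netmask>255.255.255.255</netmask>
        </Address>
      </Node>
    </Source>
    <Target ident="d1c2b3a4">
      <Node ident="d1c2b3a4-001" category="dns">
        <Address category="ipv4-addr-hex">
          <address>0xde796f70</address>
        </Address>
      </Node>
    </Target>
    <Classification origin="bugtraqid">
      <name>124</name>
      <url>http://www.securityfocus.com</url>
    </Classification>
  </Alert>
</IDMEF-Message>
"""

def decode_address(addr_el) -> str:
    """Normalise the Address element's category-specific encodings to dotted
    quad (or CIDR) so sources and targets from different sensors compare equal."""
    cat = addr_el.get("category")
    raw = (addr_el.findtext("address") or "").strip()
    if cat == "ipv4-addr-hex":
        return str(ipaddress.IPv4Address(int(raw, 16)))
    if cat == "ipv4-net-mask":
        mask = (addr_el.findtext("netmask") or "255.255.255.255").strip()
        net = ipaddress.IPv4Network((raw, mask), strict=False)
        return raw if net.prefixlen == 32 else str(net)
    return raw   # ipv4-addr, ipv6-addr, mac, e-mail ...: already canonical enough

def addresses(alert_el, which: str) -> list:
    """All decoded addresses under Source or Target (IDMEF allows several)."""
    return [decode_address(a) for a in alert_el.findall(f"{which}/Node/Address")]

def parse_alerts(xml_bytes: bytes) -> list:
    """Flatten every Alert in an IDMEF-Message; Heartbeat messages are ignored here."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "IDMEF-Message":
        raise ValueError(f"unexpected root element {root.tag!r}")
    out = []
    for alert in root.findall("Alert"):
        analyzer = alert.find("Analyzer")
        cls = alert.find("Classification")
        out.append({
            "ident": alert.get("ident"),
            # v0.3 carries impact as an attribute; RFC 4765 moved it under Assessment/Impact
            "impact": alert.get("impact"),
            "analyzer": analyzer.get("analyzerid") if analyzer is not None else None,
            "create_time": (alert.findtext("CreateTime") or "").strip(),
            "source_names": [n.text for n in alert.findall("Source/Node/name")],
            "source_addrs": addresses(alert, "Source"),
            "target_addrs": addresses(alert, "Target"),
            "classification": (cls.get("origin"), (cls.findtext("name") or "").strip())
                              if cls is not None else None,
        })
    return out

if __name__ == "__main__":
    for a in parse_alerts(SAMPLE):
        print(a)
```

The hex target address in the slide's example decodes to 222.121.111.112; a correlation engine that did not normalise the ipv4-addr-hex and ipv4-net-mask categories would treat the same host reported by two sensors as two different targets.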
Summary
• IDS Classification
• IDS Deployment Considerations
• How to choose an IDS
• Industry standards
HKCERT/CC
• Web - http://www.hongkongcert.org
• Telephone - 2788 6060
• Fax - 2190 9760
• Email - mailto:infosecurity@hkpc.org
Reference
• http://cve.mitre.org/cve
• http://www.silicondefense.com/idwg/
• http://www.securityfocus.com/
Thank You
• For suggestions and corrections, please send
email to
alan.tam@pisa.org.hk
or
alantam@hk.is-one.net
Discussion
• SLA - cannot stop service immediately
• Switch to standby system if possible
• Contingency planning
• Trace the source; Track its activity
