
INTRUSION DETECTION SYSTEM (IDS)

D’souza Adam Jerry Joseph
0925910
I MCA
OVERVIEW
 Introduction
 Overview
 The IDS Puzzle
 Current State of IDS
 Threats
 I have a good firewall, why do I need an
IDS?
 Expectations
 Type of IDS
 Analyzing Patterns
 Choosing an IDS
 Products available on market
 Ongoing Effort
 Conclusion / Summary
DEFINITIONS:
 What is Intrusion?...

 What is Intrusion Detection?...

 What is Intrusion Detection System?....


THE PUZZLE
 Intrusion Detection Systems are only one
piece of the whole security puzzle
 IDS must be supplemented by other security
and protection mechanisms
 They are a very important part of your
security architecture but do not solve all
your problems
 Within its limitations, an IDS is useful as one
portion of a defensive posture, but should not
be relied upon as the sole means of protection
 Part of “Defense in depth”
CURRENT STATE OF IDS
 Lots of people are still using firewall and
router logs for intrusion detection
 IDS are not very mature
 Mostly signature based
 It is a quickly evolving domain
 Giant leaps and progress every quarter
 The current state of intrusion detection
systems relies on careful assessment of
vendor proposals and requires a trained
systems and network administrator to run
the IDS.
THREATS – FACT OR FICTION ??
 Frequency vs Difficulty level
 I am not a target (Yeah, right!)
 Examples of TOOLS
 Hacktivists or cyber terrorists
 The BIGGEST threat
FREQUENCY VS DIFFICULTY LEVEL
 The frequency of probes, attacks, or intrusion
attempts is inversely proportional to the difficulty
level required to perform such attacks: the easier
the attack, the more often it is seen.
 It is no longer necessary to have any computer
knowledge to break through defense mechanisms
that are not properly maintained.
 Many early attackers simply wanted to prove that
they could break into systems
 As e-commerce sites become attractive targets and
the emphasis turns from break-ins to denial of
service, the situation will likely worsen.
WHO ARE THE TARGETS ??
 Simply being connected is a good enough reason
to be a target.
 Fast bandwidth is now a cheap commodity.
 No specific motive: they do it for fame, fun, to
show off, or just because they have nothing else
to do. No technical knowledge is required to be a
‘’Script Kiddie’’
E-COMMERCE + WELL KNOWN NAME = HACKER TARGET
 A clear example is the denial of service attacks
against Yahoo, eBay, and other popular sites.
 Source: ISCA Info Security Magazine, Sept 2000
 Comparison of incidents reported by E-Comm sites
(left column) vs Non E-Comm sites (right column)

Incident type                E-Comm   Non E-Comm
Viruses/Trojan/worm            82%        76%
Denial of service              42%        31%
Active Scripting exploit       40%        34%
Protocol weaknesses            29%        23%
Insecure passwords             30%        20%
Buffer overflow                29%        20%
Bugs in web server             33%        16%
HACKING TOOLS
(EASY TO GET, EASY TO USE, VERY POWERFUL)
MY FRIEND SAM SPADE
HACKTIVISTS OR CYBER TERRORISTS
 Very Likely
 Denial of service attacks
 Computer worms and viruses
 Likely
 Breaking into government computers and
stealing military secrets or encryption
technology
 Power grid disruption
 Emergency systems being compromised
 Other internet connected services disruption
DIGGING A TUNNEL
 You spend great money on concrete walls
(firewalls) but they are of no use if someone
can dig through them.
THE BIGGEST THREAT: EXPOSURE
 The biggest threat of all is bad publicity and
having your company reputation and name
associated with an intrusion, site modification and
defacement, or even attacks on other sites using
your resources as a launch platform.
 It could kill all faith in the belief that you can offer
a secure environment to conduct E-Commerce or
other online activities.
 Even though perception is often not the reality,
outsiders and customers do not care that the
specific site was on a bronze plan or that it was
not hosted in house.
 PEOPLE ONLY READ LARGE TITLES such as:
‘’XYZ GOT HACKED!!!’’

WHY DO I NEED AN IDS, I HAVE A FIREWALL?
 An IDS is a dedicated assistant used to monitor
the rest of the security infrastructure
 Today’s security infrastructures are becoming
extremely complex; they include firewalls,
identification and authentication systems,
access control products, virtual private
networks, encryption products, virus scanners,
and more. All of these tools perform functions
essential to system security. Given their role
they are also prime targets and, being managed
by humans, they are prone to errors.
 Failure of one of the above components of your
security infrastructure jeopardizes the systems
it is supposed to protect
WHY DO I NEED AN IDS, I HAVE A FIREWALL?
 Not all traffic may go through a firewall,
e.g. a modem on a user’s computer
 Not all threats originate from outside. As
networks use more and more encryption,
attackers will aim at the location where data is
often stored unencrypted (the internal network)
 A firewall does not protect appropriately against
application level weaknesses and attacks
 Firewalls are subject to attacks themselves
 An IDS protects against misconfiguration or faults
in other security mechanisms
REAL LIFE ANALOGY
 It's like security at the airport...
 You have to let them get to the planes (your
application) via the gate (port 80) but without
X-rays and metal detectors, you can't be sure what
they have under their coats.
 Firewalls are really good access control points, but
they aren't really good for or designed to prevent
intrusions.
 That's why most security professionals back their
firewalls up with IDS, either behind the firewall or
at the host.
WHAT CAN IDS REALISTICALLY DO
 Monitor and analyse user and system activities
 Audit system and configuration vulnerabilities
 Assess the integrity of critical system and data files
 Recognize patterns reflecting known attacks
 Statistical analysis for abnormal activities
 Data trail: tracing activities from the point of entry up to
the point of exit
 Installation of decoy servers (honey pots)
 Installation of vendor patches (some IDS)
WHAT IDS CANNOT DO
 Compensate for weak authentication and
identification mechanisms
 Investigate attacks without human intervention
 Guess the content of your organization’s security
policy
 Compensate for weak integrity or confidentiality
protection of information
 Analyze all traffic on a very high speed network
 Deal adequately with modern network hardware
(e.g. fully switched networks)
TYPE OF IDS MONITORING
 Host Based (also called Agent)
- These systems collect and analyze
data that originate on a computer that
hosts a service, such as a Web server
 Network Based (also called Sensor)
- Network-based intrusion detection
analyzes data packets that travel over the
actual network. These packets are
examined and sometimes compared with
empirical data to verify their nature:
malicious or benign.
TYPE OF ANALYSIS
 Signature based (Pattern matching)
 Statistical
 Integrity Checker
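The three analysis types above, together with the "statistical analysis" and "assess integrity of critical files" capabilities listed under WHAT CAN IDS REALISTICALLY DO, are sketched here as a small Python script. This is an added example, not code from the original slides or from any product: the log format, the three signature patterns, the error threshold and the file contents are all constructed for the illustration.

```python
"""Sketch of the three IDS analysis types over constructed data.

Added example, not from the original slides. The log format, the
signatures, the anomaly threshold and the file contents are constructed
for illustration; they are not any vendor's rules or real traffic.
"""
import hashlib
import re
from collections import Counter

# Constructed web-server log lines: "<source-ip> <method> <path> <status>"
SAMPLE_LOG = [
    "10.0.0.5 GET /index.html 200",
    "10.0.0.5 GET /images/logo.png 200",
    "192.168.1.77 GET /cgi-bin/../../etc/passwd 404",
    "192.168.1.77 GET /admin.php?id=1%20OR%201=1 500",
    "10.0.0.9 GET /about.html 200",
] + [f"192.168.1.77 GET /probe{n}.html 404" for n in range(40)]

# 1. Signature based: each rule is a name plus a pattern (hypothetical rules).
SIGNATURES = [
    ("directory traversal", re.compile(r"\.\./")),
    ("passwd file access", re.compile(r"/etc/passwd")),
    ("sql tautology", re.compile(r"OR(%20| )1=1", re.IGNORECASE)),
]


def signature_scan(lines, signatures=SIGNATURES):
    """Return (line, rule_name) for every line that matches a known pattern."""
    return [(line, name)
            for line in lines
            for name, pattern in signatures
            if pattern.search(line)]


# 2. Statistical: flag a source whose error count exceeds a threshold that
#    would normally be learned from a baseline period (here a fixed number).
def statistical_scan(lines, max_errors_per_source=10):
    """Return {source_ip: error_count} for sources above the threshold."""
    errors = Counter()
    for line in lines:
        src, _method, _path, status = line.split()
        if status[0] in "45":          # 4xx client errors, 5xx server errors
            errors[src] += 1
    return {src: n for src, n in errors.items() if n > max_errors_per_source}


# 3. Integrity checker: hash critical files once, keep the hashes offline,
#    later re-hash and report anything modified, added or missing.
def baseline(files):
    """files: {path: bytes}. Return {path: sha256 hex digest}."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def integrity_check(base, files):
    """Return sorted paths that differ from the baseline or were added/removed."""
    changed = []
    for path in set(base) | set(files):
        if path not in base or path not in files:
            changed.append(path)
        elif hashlib.sha256(files[path]).hexdigest() != base[path]:
            changed.append(path)
    return sorted(changed)


if __name__ == "__main__":
    for line, rule in signature_scan(SAMPLE_LOG):
        print(f"SIGNATURE   {rule:20} {line}")
    for src, n in statistical_scan(SAMPLE_LOG).items():
        print(f"STATISTICAL {src} produced {n} error responses")

    # Constructed "critical files" before and after a defacement.
    before = {"/var/www/index.html": b"<h1>Welcome</h1>", "/etc/passwd": b"root:x:0:0"}
    after = dict(before)
    after["/var/www/index.html"] = b"<h1>XYZ GOT HACKED</h1>"   # modified
    after["/var/www/new.cgi"] = b"# constructed unexpected new file"  # added
    for path in integrity_check(baseline(before), after):
        print(f"INTEGRITY   changed: {path}")
```

The three functions fail in different ways, which is the point of the slide: the signature scan only sees what its patterns describe, the statistical scan needs a threshold tuned to the site or it produces false positives, and the integrity check only helps if the baseline hashes are stored where an intruder on the host cannot rewrite them.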
HOST BASED (ADVANTAGES)
 Monitors in terms of who accessed what
 Can map problem activities to a specific
user id
 System can track behavior changes
 Can operate in an encrypted environment
(it sees the data after decryption on the host)
 Operates in switched networks
 Monitoring load is distributed across
multiple hosts rather than a single sensor,
reporting only relevant data to a central
console
HOST BASED (DISADVANTAGES)
 Cannot see all network activities
 Running audit mechanisms adds overhead
to the system, so performance may be an issue
 Audit trails can take lots of storage
 OS vulnerabilities can undermine the
effectiveness of agents (an attacker who
compromises the host can tamper with the agent)
 Agents are OS specific
 Escalation of false positives
 Greater deployment and maintenance
cost
NETWORK BASED (ADVANTAGES)
 Can get information quickly without any
reconfiguration of computers or need to
redirect logging mechanisms
 Does not affect network or data sources
(passive monitoring)
 Monitors and detects network attacks
or misuse in real time
 Does not create overhead on the monitored systems
NETWORK BASED (DISADVANTAGES)
 Cannot inspect protocols if the data is encrypted
 Can infer from network traffic what is happening on
a host but cannot tell the outcome (whether the
attack actually succeeded)
 Hard to implement on fully switched networks
(the sensor needs a mirror/SPAN port or a tap to see
the traffic)
 Has difficulty keeping up with very high
bandwidth networks (dropped packets mean missed
attacks)
FEATURES TO LOOK FOR
 Number of rules
 Which ones apply to your specific environment
 Ability to read the whole packet
 Ability to drill down
 Deals adequately with fragmentation (an attack
split across fragments must still be detected after
reassembly)
 Updates (how they are done and how often)
 Reporting features (import, export, flexibility)
 Support issues (OS, platform)
 Ease of use (what manning is needed)
FEATURES TO LOOK FOR
 What specialized equipment is required
 Is the product network or host based
 How much do the updates cost
 Is it capable of automated response to
attacks
 How customizable is it
 What is the incidence rate of false positives
 What kind of expertise is required to
support it
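The fragmentation point in the feature list is worth seeing concretely: a sensor that matches signatures against each packet in isolation can be evaded by splitting the attack string across fragments, and only a sensor that reassembles the stream first catches it. The Python below is an added illustration, not code from the original slides or from any listed product; the fragment payloads, their byte offsets and the signature string are constructed, and the (offset, payload) pairs stand in for IP fragments or TCP segments of one request.

```python
"""Why per-packet signature matching misses attacks split across fragments,
and how reassembly before matching fixes it.

Added example, not from the original slides. Payloads, offsets and the
signature are constructed; fragments stand in for IP fragments or TCP
segments of a single request.
"""
import re

# Hypothetical content signature (bytes, because we match raw payloads).
SIGNATURE = re.compile(rb"/etc/passwd")

# Constructed fragments of one HTTP request as (byte_offset, payload).
# The attacker splits the request so the signature never sits inside a
# single fragment, and sends the fragments out of order.
FRAGMENTS = [
    (17, b"sswd HTTP/1.0\r\n\r\n"),
    (0, b"GET /../../etc/pa"),
]


def per_packet_match(fragments, signature=SIGNATURE):
    """Naive sensor: inspect each fragment on its own; return offsets that hit."""
    return [offset for offset, payload in fragments if signature.search(payload)]


def reassemble(fragments):
    """Order fragments by offset and join them; refuse gaps or overlaps."""
    stream = b""
    for offset, payload in sorted(fragments):
        if offset != len(stream):
            raise ValueError(
                f"fragment at offset {offset} does not follow byte {len(stream)}")
        stream += payload
    return stream


def stream_match(fragments, signature=SIGNATURE):
    """Sensor that reassembles first and matches on the full stream."""
    return signature.search(reassemble(fragments)) is not None


if __name__ == "__main__":
    print("per-packet hits :", per_packet_match(FRAGMENTS))   # expect []
    print("reassembled     :", reassemble(FRAGMENTS))
    print("stream hit      :", stream_match(FRAGMENTS))       # expect True
```

A production sensor has to go further than this sketch: it must also cope with overlapping fragments, where the bytes the destination host keeps depend on that host's reassembly policy, so the sensor has to reassemble the way the protected host does or it can be made to see a different stream than the target sees.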
LEADING PRODUCTS
 Dragon from Enterasys
 http://www.enterasys.com/ids/
 CISCO Secure IDS
 http://www.cisco.com/go/ids/
 Snort
 http://www.snort.org/
 ISS RealSecure
 http://www.iss.net/securing_e-business/
 SHADOW
 http://www.whitehats.ca
 ftp://ftp.whitehats.ca/pub/ids/shadow-slack/shadow.iso
ONGOING SUPPORT
 There is a need for a COMPETENT analyst
 Vendors’ latest signatures may take up to a week
after a new threat has been publicized. You will need
someone in house who can analyse new
vulnerabilities or attacks in order to create your
own rules. This may take an hour a day or more.
 Need someone who can fine tune the IDS in order
to avoid false positives and false negatives
 Must subscribe to popular advisories and security
newsletters such as Bugtraq, CERT, GIAC, SANS,
and others
IDS GOOD GUYS
A few initiatives are under way to improve
the early detection, accuracy and
terminology amongst vendors of ID
equipment and software
 Incidents.org, ARIS, MyNetWatchMan
 CVE (http://www.mitre.org/cve/)
 IDMEF, Intrusion Detection Message Exchange
Format
http://www.ietf.org/html.charters/idwg-charter.html
 CIDF, Common Intrusion Detection Framework
CLOSING
 An IDS is like a three year old kid: it’s not happy
unless you are constantly watching it.
 Unlike most other devices, an IDS talks back to
you and demands immediate attention.
 One of the most important points is how you are going
to monitor your systems: what are you going to do
when the alarm goes off at three in the morning?
 There are about 400 different IDS on the market. Only
a few of these products integrate well in large
environments, are scalable, and are easy to maintain.
 Acquire the IDS that meets your needs, not the one
that the vendor thinks you need.
