IDS - Introduction to Information Security - Lecture Slides, Slides of Network security

Download IDS - Introduction to Information Security - Lecture Slides and more Slides Network security in PDF only on Docsity!

1

Intrusion Detection Systems

2

Intrusion Detection

• Intrusion is any use or attempted use of a system that

exceeds authentication limits

• Intrusions are similar to incidents
  • An incident does not necessarily involve an active system or network device, an intrusion does
• Intrusion Detection System (IDS) can be either

software or hardware based that monitors network

activity and delivers an alert if it notices suspicious

activity

4

Dealing with Intruders

• Intruders can be external or internal
  • External intruders are hackers or crackers
  • Internal intruders are more common and very dangerous
• Security policy should state what steps will be taken

to handle intrusions

• Block and ignore
  • Simplest tactic for handling intrusions
  • Block the intruder and address the vulnerability
  • Don’t take any further action

5

Dealing with Intruders

• Block and investigate
  • Block the intruder and address the vulnerability
  • Collect evidence and try to determine intruder’s identity
  • Investigate
• Honeypot (bait the intruder)
  • Allow the intruder to access a part of your network
  • Try to catch the intruder while he/she explores
  • This is a potentially dangerous approach
    • The intruder does have at least partial access
    • Crackers may become interested in your site

7

IDS Principles

• Run unattended for extended periods of time
• Stay active and secure
• Recognize unusual activity
• Operate without unduly affecting the system’s

activity

• Configurable

8

IDS Principles

Sample current activity

Compare with database

Decide what to do

10

IDS Taxonomy

• Signature-based IDS
  • Detects misuse intrusions
  • Maintains a database of attack signatures
  • Compares current activity to database
  • Database must be current and complete to be effective
• Knowledge-based IDS
  • Detects anomaly intrusions
  • Builds a profile of “normal” system activity over time
  • Produces more false positives and requires more administration
  • Requires careful initial configuration

11

Thresholds

• A rule tells the IDS which packets to examine and what action to take - Similar to a firewall rule - Alert tcp any any -> 192.168.1.0/24 111 (content:”|00 01 86 a5|”;msg:”mountd access”;) - Alert specifies the action to take - Tcp specifies the protocol - Any any 192…. specifies the source and destination within the given subnet - 111 specifies the port - Content specifies the value of a payload - Msg specifies the message to send

13

Snort IDS

• Snort is an example of an IDS
  • Freeware
  • UNIX and Windows
• A highly configurable packet sniffer
• Analyzes network traffic in real time
• www.snort.org

14

Snort IDS

• Snort sniffs a packet from the network
  • Preprocessor looks at the packet header and decides whether to analyze it further
  • Detection engine compares pattern from rules to the packet payload
  • If payload matches, then appropriate action is taken
• Snort can be used in a plain packet sniffer mode or in

full IDS mode

• Snort has numerous configurable options

16

Snort IDS

17

Snort IDS

19

Network-Based vs Host-Based

• Host-based IDS examines all traffic and activity for a

particular machine

• Can examine system log files as well as inbound and outbound packets
• Each system requires its own IDS
• Best choice is to use both network-based and host-

based IDS in an organization

• Many firewalls provide some IDS functionality

20

Network-Based IDS