nids lecture
TRANSCRIPT
8/10/2019 Nids Lecture
http://slidepdf.com/reader/full/nids-lecture 1/34
Network Intrusion DetectionSystems
Randy MarchanyVA Tech Computing Center
Blacksburg, VA 24060
8/10/2019 Nids Lecture
http://slidepdf.com/reader/full/nids-lecture 2/34
FAQ Information
These notes come from the Network
Intrusion Detection Systems FAQ byRobert Graham ([email protected]
http://www.robertgraham.com/pubs/network-intrusion-detection.html
8/10/2019 Nids Lecture
http://slidepdf.com/reader/full/nids-lecture 3/34
Introduction
Intrusion – an attempt to compromise ormisuse a computer system or network.
Network Intrusion Detection System (NIDS) monitors packets on the network wire andattempts to discover if hackers are attempting
to break into a system or cause a DOS. NIDS can run on the target or independent
system.
8/10/2019 Nids Lecture
http://slidepdf.com/reader/full/nids-lecture 4/34
Introduction
Network NIDS monitor many machines.
System Integrity Verifiers (SIV) monitorsystem files to detect trojan versions ofsystem binaries. It may log the attemptas it occurs.
Log File Monitors (LFM) monitor log filesgenerated by network services.
8/10/2019 Nids Lecture
http://slidepdf.com/reader/full/nids-lecture 5/34
Introduction
Deception Systems aka honeypots, fly-
traps contain pseudo-services thatemulate well-known holes in an attemptto trap hackers.
Intruders – outsiders or insiders
8/10/2019 Nids Lecture
http://slidepdf.com/reader/full/nids-lecture 6/34
How do Intruders Get In?
Physical Intrusion – console passwords,disk removal, etc.
System Intrusion – hacker has a lowprivilege account on the system anduses a tool that exploits a weakness to
gain system privilege. Remote Intrusion – gains access via a
remote service on the system.
8/10/2019 Nids Lecture
http://slidepdf.com/reader/full/nids-lecture 7/34
Vulnerability Types
Race Conditions – 2 programs accessing
the same data at the same time. Software bugs – Buffer Overflows
Unexpected Combinations – input is
meaningless at 1 level but not at another. Unhandled Input – what happens when
input doesn‟t match specifications.
8/10/2019 Nids Lecture
http://slidepdf.com/reader/full/nids-lecture 8/34
System Configuration
Default – vendor shipped configurations
Lazy – sysadmins too lazy to tighten thesystem.
Hole Creation – most programs can run
in non-secure mode. Trust Relationships – one system trusts
another. R-commands are an example.
8/10/2019 Nids Lecture
http://slidepdf.com/reader/full/nids-lecture 9/34
Password Cracking
Trivial – names of people, places, things
Dictionary – Unix Crack or NT/L0phtpassword cracking programs
Brute Force – programs that try all
possible combinations of characters.
8/10/2019 Nids Lecture
http://slidepdf.com/reader/full/nids-lecture 10/34
Sniffers & Design Flaws
Shared Medium – base ethernet
Server – sniffer runs on the server. Works onswitched nets.
Remote – SNMP based
TCP/IP Protocol Flaws – smurf, synflood, IP
spoofing. IP allows data to be changedanytime. IPSEC is a fix.
System Flaws – Windows, Unix
8/10/2019 Nids Lecture
http://slidepdf.com/reader/full/nids-lecture 11/34
How Do They Get
Passwords? Clear Text Passwords
Encrypted Sniffing
Replay Attack – the intruders don‟t decrypt the
passwords. They use the encrypted form tologin the systems.
Password file stealing Observation/Social Engineering – piece of
paper attack
8/10/2019 Nids Lecture
http://slidepdf.com/reader/full/nids-lecture 12/34
Intrusion Steps
Outside Reconnaissance – whois, DNS,WWW, FTP
Inside Reconnaissance – ping sweep,inverse mapping, port scanning, rpcinfo,showmount, snmpwalk.
Exploit – exploiting vulnerabilitiesdiscovered earlier.
8/10/2019 Nids Lecture
http://slidepdf.com/reader/full/nids-lecture 13/34
Intrusion Steps
Foothold – gained entrance into themachine and now starts to hide theevidence. Install rootkits, trojans.
Profit – taking advantage of the entry, thehacker now goes after the real target – information, $$, credit card info, etc.
Joyride – systems used in a relay attack.
8/10/2019 Nids Lecture
http://slidepdf.com/reader/full/nids-lecture 14/34
Common WWW Exploits
CGI – passing data to the commandshell via shell metacharacters, usinghidden variables, phf.
WWW server
IIS/RDP - ../../../../ attack to get files fromthe server.
Alternate data streams ( Win95 names).
8/10/2019 Nids Lecture
http://slidepdf.com/reader/full/nids-lecture 15/34
Common WWW Exploits
URL – fields can cause buffer overflows as it‟s
parsed in the HTTP header, displayed on the
screen or saved in the cache history. Old IEbug would execute .LNK or .URL commands.
HTTP headers can be used to exploit bugs
because some fields are passed to functionsthat expect only certain information.
8/10/2019 Nids Lecture
http://slidepdf.com/reader/full/nids-lecture 16/34
Common WWW Exploits
HTML – MIME-type overflow in NetscapeCommunicator‟s <EMBED> command.
Javascript – usually tries to exploit the“file upload” function by generating a
filename and automatically hidden theSUBMIT button. Many fixes for this butequal # of circumventions.
8/10/2019 Nids Lecture
http://slidepdf.com/reader/full/nids-lecture 17/34
Common WWW Exploits
Frames – part of JavaScript or Java hack(hiding web bugs). Hackers include link to valid
site that uses frames then replace some ofthose frames with bad www pages.
Java – normal Java applets have no access tothe local system but sometimes they‟d be more
useful if they did have local access. Active X – works purely on trust model and
runs in native mode.
8/10/2019 Nids Lecture
http://slidepdf.com/reader/full/nids-lecture 18/34
Buffer Overflows & DNS
Attacks DNS – extra long DNS name is sent to the
server. DNS names are limited to 256 bytes.
RPC – statd, ttdbserverd, cmsd, snmpXdmid
DNS Cache Poisoning – Every DNS packetcontains a Question/Answer section.
Vulnerable servers will believe and cache Answer you provide.
8/10/2019 Nids Lecture
http://slidepdf.com/reader/full/nids-lecture 19/34
Common Reconnaissance
Scans and DOS Attacks Ping Sweeps
TCP/UDP Scans
OS identification
Account Scans
Ping of Death
SYN Flood Land
DDoS
8/10/2019 Nids Lecture
http://slidepdf.com/reader/full/nids-lecture 20/34
How Do NIDS Detect
Intrusions? Anomaly detection – measures a baseline of
stats like CPU utilization, disk activity, user
logins, file activity. NIDS triggers when adeviation from this baseline occurs.
Signature recognition – pattern matching
attack probes. Uses large databases to detectthe attack. Antiviral software uses this. Worksonly for known attacks.
8/10/2019 Nids Lecture
http://slidepdf.com/reader/full/nids-lecture 21/34
Matching Signatures with
Incoming Traffic NIDS consists of special TCP/IP stack that
reassembles datagrams and TCP streams. It
uses:
Protocol Stack Verification – search forprotocol violations (SYN/FIN, etc.)
Application Protocol Verification New Event Creation – log all application layer
protocols for later correlation.
8/10/2019 Nids Lecture
http://slidepdf.com/reader/full/nids-lecture 22/34
NIDS Detect the Attack
Firewall reconfiguration to block IP address.
Chime – “Danger, Will Robinson!” alarm. Email
or page admins. SNMP trap – send trap datagram to console.
Syslog – record it in NT Event log or Unixsyslog
Save Evidence.
Launch Program to handle the event.
Terminate the TCP connection by sending a
FIN.
8/10/2019 Nids Lecture
http://slidepdf.com/reader/full/nids-lecture 23/34
Other Countermeasures
Firewalls – should be considered as the LASTline of defense.
Authentication – password policies, singlesignon, removing cleartext protocols.
VPN – secure connection for remote access.
However, they decrease corporate securitybecause both ends of the pipe are wide open.
8/10/2019 Nids Lecture
http://slidepdf.com/reader/full/nids-lecture 24/34
Where to locate IDS
Network hosts
Network Perimeter WAN/LAN Backbone
Server farms
Need to be on low-bandwidth nets tokeep up with traffic.
8/10/2019 Nids Lecture
http://slidepdf.com/reader/full/nids-lecture 25/34
Fitting IDS with Security
Framework Put firewalls between networks with different
security requirements.
Use scanners to check for exploits.
Set host policy to conform with standards.
Use NIDS to see what is actually happening.
Use Host based IDS to flag intrusions.
Create effective IRP.
8/10/2019 Nids Lecture
http://slidepdf.com/reader/full/nids-lecture 26/34
Implementing IDS
OS – enable logging/auditing features
Services – build/enable security in WWWservers, Email Servers, DB servers.
NIDS – install in appropriate places.
Firewalls – enable detection facilities.
Install SNMP traps (Openview, Tivoli)
8/10/2019 Nids Lecture
http://slidepdf.com/reader/full/nids-lecture 27/34
Some NIDS Products
BlackIce Defender (Network Ice)
CyberCop Monitor (Network Associates)
RealSecure (ISS) NetRanger (WheelGroup/Cisco)
eTrust Intrusion Detection (CA)
NetProwler (Axent)
Centrax (CyberSafe)
NFR (Network Flight Recorder)
Dragon (Security Wizards)
8/10/2019 Nids Lecture
http://slidepdf.com/reader/full/nids-lecture 28/34
Network Grep System
Based on raw packet capture andsearching for patterns using a „grep‟ tool.
Extract the suspect string and compareto attack database.
Libpcap ( library for packet capture) isthe library used by Unix-based IDS.
Feed output from libpcap to grep filters.
8/10/2019 Nids Lecture
http://slidepdf.com/reader/full/nids-lecture 29/34
Network Grep System
Advantage – easy to update. Largest DBof signatures, fastest time-to-market fordetecting attack scripts.
Disadvantage – they detect the fewest #of serious intrusions. Example: scanningfor default BO passwords. Can set offfalse positives.
8/10/2019 Nids Lecture
http://slidepdf.com/reader/full/nids-lecture 30/34
Network Grep System
Advantages – system based on protocolanalysis result in fewer false positives.
Able to fully diagnose a problem.Example: BO PING is harmless. BOcompromise is more serious.
8/10/2019 Nids Lecture
http://slidepdf.com/reader/full/nids-lecture 31/34
Sample IDS Placement
INTERNET
IDS #3
FIREWALL
IDS #2
INTERNAL
NETWORK
IDS #4
IDS #1
IDS #1 – FW don’t produce enough info to effectively detect hits.
IDS #2 – detects attacks that penetrate the FW
IDS #3 – detects attacks attempted against the FW
IDS #4 – Insider attacks will be detected
8/10/2019 Nids Lecture
http://slidepdf.com/reader/full/nids-lecture 32/34
Attacks Against the NIDS
Blind the sensor with high traffic rates.
Blind the event storage. Use decoyscans to fill up log space.
DOS
Packet Fragmentation
Slow Scan
Coordinated low-bandwidth attacks
8/10/2019 Nids Lecture
http://slidepdf.com/reader/full/nids-lecture 33/34
Attacks Against the NIDS
Address spoofing
Pattern Change Ptacek‟s Paper on NIDS evasion.