logging in or signing up intrusion detection and internet service avimani Download Post to : URL : Related Presentations : Share Add to Flag Embed Email Send to Blogs and Networks Add to Channel Uploaded from authorPOINT lite Insert YouTube videos in PowerPont slides with aS Desktop Copy embed code: (To copy code, click on the text box) Embed: URL: Thumbnail: WordPress Embed Customize Embed The presentation is successfully added In Your Favorites. Views: 531 Category: Education License: All Rights Reserved Like it (0) Dislike it (0) Added: December 06, 2008 This Presentation is Public Favorites: 0 Presentation Description intrustion detection and failure reporting Comments Posting comment... Premium member Presentation Transcript INTRUSION DETECTION SYSTEMS (IDS)INTRODUCTION AND OVERVIEW(What vendors will not tell you) : INTRUSION DETECTION SYSTEMS (IDS)INTRODUCTION AND OVERVIEW(What vendors will not tell you) Clément Dupuis,CDCISSP, GCFW, GCIACCSA, CCSE, ACECGI Group / CCCure.Org OVERVIEW : OVERVIEW INTRODUCTION Overview Definitions & Jargon The Puzzle Current State of IDS Threats (Fact or fiction) I have a good firewall, why do I need an IDS? Realistic expectations ID Landscape Type of IDS Network versus host based IDS C-I-A Challenges Choosing an IDS (Criteria & Features) Products available on market Ongoing Effort Conclusion More Info Intrusion Detection Definition: : Intrusion Detection Definition: Defined by ICSA as: The detection of intrusions or intrusions attempts either manually or via software expert systems that operate on logs or other information available from the system or the network. An intrusion is a deliberate, unauthorized attempt to access or manipulate information or system and to render them unreliable or unusable. When suspicious activity is from your internal network it can also be classified as misuse Jargon related to IDS : Jargon related to IDS False Negative False Positive Beware, companies uses different names for exactly the same type of detect. What is a DMZ ? How to count- what is byte 9 ? Is it the tenth byte or really the ninth The Puzzle : The Puzzle Intrusion Detection Systems are only one piece of the whole security puzzle IDS must be supplemented by other security and protection mechanisms They are a very important part of your security architecture but doesnot solve all your problems Part of “Defense in depth” Current State of IDS : Current State of IDS Lots of people are still using Firewall and Router logs for Intrusion Detection (Home Brew) IDS are not very mature Mostly signature based It is a quickly evolving domain Giant leap and progress every quarter As stated by Bruce Schneier in his book ‘Secret and Lies in a digital world’: PreventionDetection Getting to this point today Reponse OVERVIEW : OVERVIEW INTRODUCTION Overview Definitions & Jargon The Puzzle Current State of IDS THREATS I have a good firewall, why do I need an IDS? Realistic expectations ID Landscape Type of IDS Network versus host based IDS C-I-A Challenges Choosing an IDS (Criteria & Features) Products available on market Ongoing Effort Conclusion More Info THREATS – FACT OR FICTION ?? : THREATS – FACT OR FICTION ?? Frequency vs Difficulty level I am not a target (Yeah, right!) Examples of TOOLS Recent vulnerabilities A classic example: CODERED Hacktivists or cyber terrorists The BIGGEST threat Frequency vs Difficulty level : Frequency vs Difficulty level The frequency of probes, attacks, or intrusions attempts is inversely proportional to the difficulty level required to perform such attacks. A clear trend has been identified over the past 3 years. Graphical tools that are getting very sophisticated have replaced the combersome command line utilities. They are now available for Windows as well as other platforms. It is no longer necessary to have any computer knowledge to break through defense mechanisms that are not properly maintained. Who are the targets ?? : Who are the targets ?? Simply being connected is a good enough reason to be a target. Search is ongoing for easy to compromise hosts. Fast bandwidth is now a cheap commodity. Cable modem and ADSL access is the equivalent of having a T1 link in your home. Kids of all ages can scan a whole country in a very short time frame. No specific motive: They do it for fame, fun, to show off, or just because they have nothing else to do. No technical knowledge is required to be a ‘’Script Kiddie’’ E-COMMERCE + WELL KNOWN NAME = HACKER TARGET : E-COMMERCE + WELL KNOWN NAME = HACKER TARGET A clear example is the Denial of service attacks against Yahoo, Ebay, and other popular sites. ISCA Info Security Magazine Sept 2000 Comparison E-Comm site (left column) vs Non E-Comm site (right column) Viruses/Trojan/worm 82% 76% Denial of service 42% 31% Active Scripting exploit 40% 34% Protocol Weaknesses 29% 23% Insecure Passwords 30% 20% Buffer Overflow 29% 20% Bugs in web server 33% 16% HACKING TOOLS (EASY TO GET, EASY TO USE, VERY POWERFULL) : HACKING TOOLS (EASY TO GET, EASY TO USE, VERY POWERFULL) My friend SAM SPADE : My friend SAM SPADE Execution of arbitrary command through HTTP(10/10/2000) : Execution of arbitrary command through HTTP(10/10/2000) http://address.of.iis5.system/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\ OUTPUT:Directory of c:\ 2000-08-08 18:28 Inetpub 2000-08-09 09:58 Install 2000-08-09 11:17 MDaemon 2000-09-01 09:01 MSSQL7 2000-08-29 13:03 news 2000-10-18 02:53 ooo 2000-10-18 01:37 Program Files 2000-08-09 17:54 sttco 2000-10-17 11:48 WINNT 2000-10-18 02:02 wwww 2000-09-26 12:03 1 File(s) 28,160 bytes 14 Dir(s) 6,377,992,192 bytes free NOTE:%c0%af and %c1%9c are UNICODE representation for the / and \ characters Plain text password after Directory Server Install (10/04/2000) : Plain text password after Directory Server Install (10/04/2000) After installing Netscape's Directory Server 4 for Solaris, one of the final options is to remove a file called 'install.inf' which the install process claims could contain sensitive information. Answering yes to this question will delete the file. However there is another file left behind after installation which contains the un-encrypted 'admin' password. This file has world read permissions and is located in /usr/netscape/server4/admin-serv/config/adm.conf CODERED : CODERED Yet, another buffer overflow Disguise as HTTP request Goes on to infect other systems Could have been stopped by granular access control, proper FW configuration It is not normal traffic when your web server is surfing the internet and making outbound requests on port 80 THE TOP 10 INTERNET THREATS (Top 10 from SANS Institute) : THE TOP 10 INTERNET THREATS (Top 10 from SANS Institute) Bind weakenesses Vulnerable CGI and extension on web server Remote Procedure (NFS and Remote execution) IIS Remote Data Services (for example .htr files) Sendmail Buffer Overflow Solaris sadmind and mountd IMAP/POP buffer overflow or incorrect configuration Default SNMP community strings set to ‘public’ and ‘private.’ Global file sharing (netbios, Macintosh web sharing, UNIX NFS) Use of weak password or no password on user id Hacktivists or Cyber terrorists : Hacktivists or Cyber terrorists USA TODAY October 9th 2001 Very Likely Denial of services attack Computer worms and viruses Likely Breaking into government computer and stealing military secrets or encryption technology Power grid disruption Emergency system being compromised Other internet connected services disruption Hacktivist or Cyber terrorists : Hacktivist or Cyber terrorists Unlikely Cutting off fiber-optic cables between major hubs Bombing or physically attacking domain name servers or switching centrals. Bombing of internet facilities to take down the Internet Digging a Tunnel : Digging a Tunnel RelTunnel – ICMP Tunnel You spend great money on concrete walls (firewalls) but they are of no use of someone can dig through them. The biggest threat: EXPOSURE : The biggest threat: EXPOSURE The biggest threat of all is bad publicity and having your company reputation and name associated with an intrusion, site modification and defacement, or even attack to other sites using your ressources as a launch platform. It could kill all faith in the belief that you can offer a secure environment to conduct E-Commerce or other online activities. Even thou perception is often not the reality. Outsider and customers does not care that the specific site was on a bronze plan or that it was not hosted in house. PEOPLE ONLY READ LARGE TITLES such as: ‘’XYZ GOT HACKED!!!’’ OVERVIEW : OVERVIEW INTRODUCTION Overview Definitions & Jargon The Puzzle Current State of IDS Threats (Fact or fiction) WHY AN IDS? Realistic expectations ID Landscape Type of IDS Network versus host based IDS C-I-A Challenges Choosing an IDS (Criteria & Features) Products available on market Ongoing Effort Conclusion More Info WHY DO I NEED AN IDS, I HAVE A FIREWALL? : WHY DO I NEED AN IDS, I HAVE A FIREWALL? IDS are a dedicated assistant used to monitor the rest of the security infrastructure Today’s security infrastructure are becoming extremely complex, it includes firewalls, identification and authentication systems, access control product, virtual private networks, encryption products, virus scanners, and more. All of these tools performs functions essential to system security. Given their role they are also prime target and being managed by humans, as such they are prone to errors. Failure of one of the above component of your security infrastructure jeopardized the system they are supposed to protect WHY DO I NEED AN IDS, I HAVE A FIREWALL? : WHY DO I NEED AN IDS, I HAVE A FIREWALL? Not all traffic may go through a firewall i:e modem on a user computer Not all threats originates from outside. As networks uses more and more encryption, attackers will aim at the location where it is often stored unencrypted (Internal network) Firewall does not protect appropriately against application level weakenesses and attacks Firewalls are subject to attacks themselves Protect against misconfiguration or fault in other security mechanisms REAL LIFE ANALOGY : REAL LIFE ANALOGY It's like security at the airport... You can put up all the fences in the world and have strict access control, but the biggest threat are all the PASSENGERS (packet) that you MUST let through! That's why there are metal detectors to detect what they may be hiding (packet content). You have to let them get to the planes (your application) via the gate ( port 80) but without X-rays and metal detectors, you can't be sure what they have under their coats. Firewalls are really good access control points, but they aren't really good for or designed to prevent intrusions. That's why most security professionals back their firewalls up with IDS, either behind the firewall or at the host. OVERVIEW : OVERVIEW INTRODUCTION Overview Definitions & Jargon The Puzzle Current State of IDS Threats (Fact or fiction) I have a good firewall, why do I need an IDS? EXPECTATIONS ID Landscape Type of IDS Network versus host based IDS C-I-A Challenges Choosing an IDS (Criteria & Features) Products available on market Ongoing Effort Conclusion More Info WHAT CAN IDS REALISTICLY DO : WHAT CAN IDS REALISTICLY DO Monitor and analyse user and system activities Auditing of system and configuration vulnerabilities Asses integrity of critical system and data files Recognition of pattern reflecting known attacks Statistical analysis for abnormal activities Data trail, tracing activities from point of entry up to the point of exit Installation of decoy servers (honey pots) Installation of vendor patches (some IDS) WHAT IDS CANNOT DO : WHAT IDS CANNOT DO Compensate for weak authentication and identification mechanisms Investigate attacks without human intervention Guess the content of your organization security policy Compensate for weakeness in networking protocols, for example: IP Spoofing Compensate for integrity or confidentiality of information Analyze all traffic on a very high speed network Deal adequately with attack at the packet level Deal adequately with modern network hardware OVERVIEW : OVERVIEW INTRODUCTION Overview Definitions & Jargon The Puzzle Current State of IDS Threats (Fact or fiction) I have a good firewall, why do I need an IDS? Realistic expectations LANDSCAPE Type of IDS Network versus host based IDS C-I-A Challenges Choosing an IDS (Criteria & Features) Products available on market Ongoing Effort Conclusion More Info ID TECHNOLOGY LANDSCAPE : ID TECHNOLOGY LANDSCAPE PREVENTIVE REAL TIME TYPE OF IDS MONITORING : TYPE OF IDS MONITORING Home Brew (Script, Big Brother, Logwatch, swatch) Application Based Host Based (also called Agent) Target Based approach Integrity checker such as the tripwire tool. Network Based (also called Sensor) Hybrid or Integrated approach (Use all or a combination of two or more of the above) Honeypot, Honeynet, and the Sticky Honeypot Gateway IDS (IDS/FW Combined) TYPE OF ANALYSIS : TYPE OF ANALYSIS Signature based (Pattern matching) Similar to a virus scanner, look for a specific string in the network data being presented to the IDS Statistical Based on time, frequency, lenght of session For example: cdupuis logs on at 0300 AM and has never done so in the past, it will raise a flag Integrity Checker Based on hashing mechanism. Detects authorized and unauthorized changes to files within your systems. Anomaly Detection/Behavior Based Flow Based TYPE OF RESPONSE : TYPE OF RESPONSE Alteration to the environment Changes a rule on router Changes a rule on Firewall Striking back (not recommended) Execute a script to collect information about attacker Send a 20 megs file back to anyone fingering Down side: Acknowledgement sent to the attacker Real time notification Send a pager alert SNMP Alarms Sends email to one or more recipients Visual on screen or audible alarms TYPE OF RESPONSE : TYPE OF RESPONSE Throttling Limiting rate Slowing down attacks Session Sniping Will hijack a session Sends a reset to both side of session OVERVIEW : OVERVIEW INTRODUCTION Overview Definitions & Jargon The Puzzle Current State of IDS Threats (Fact or fiction) I have a good firewall, why do I need an IDS? Realistic expectations ID Landscape Type of IDS NETWORK vs HOST C-I-A Challenges Choosing an IDS (Criteria & Features) Products available on market Ongoing Effort Conclusion More Info HOST BASED (Advantages) : HOST BASED (Advantages) Monitor in term of who accessed what Can map problem activities to a specific user id System can track behavior changes associated with misused Can operate in encrypted environment Operates in switched networks Monitoring load distributed against multiple hosts and not on a single host, reporting only relevant data to central console HOST BASED (Disavantages) : HOST BASED (Disavantages) Cannot see all network activities Running audit mechanisms adds overload to system, performance may be an issue Audit trails can take lots of storage OS vulnerabilities can undermine the effectiveness of agents Agents are OS specific Escalation of false positive Greater deployment and maintenance cost NETWORK BASED (Advantages) : NETWORK BASED (Advantages) Can get information quickly without any reconfiguration of computers or need to redirect logging mechanisms Does not affect network or data sources Monitor and detects in real time networks attacks or misuses Does not create system overhead NETWORK BASED (Disavantages) : NETWORK BASED (Disavantages) Cannot scan protocols if the data is encrypted Can infer from network traffic what is happening on host but cannot tell the outcome Hard to implement on fully switched networks Has difficulties sustaining network with a very large bandwidth OVERVIEW : OVERVIEW INTRODUCTION Overview Definitions & Jargon The Puzzle Current State of IDS Threats (Fact or fiction) I have a good firewall, why do I need an IDS? Realistic expectations ID Landscape Type of IDS Network versus host based IDS C-I-A Challenges Choosing an IDS (Criteria & Features) Products available on market Ongoing Effort Conclusion More Info WHAT DOES IT PROTECT ME AGAINST : WHAT DOES IT PROTECT ME AGAINST WHAT DOES IT PROTECT ME AGAINST : WHAT DOES IT PROTECT ME AGAINST OVERVIEW : OVERVIEW INTRODUCTION Overview Definitions & Jargon The Puzzle Current State of IDS Threats (Fact or fiction) I have a good firewall, why do I need an IDS? Realistic expectations ID Landscape Type of IDS Network versus host based IDS C-I-A CHALLENGES Choosing an IDS (Criteria & Features) Products available on market Ongoing Effort Conclusion More Info CHALLENGES : CHALLENGES Deployment & Myths Using IDS in fully switched networks Substaining OC3 speed or higher Interpreting all the data being presented Encryption, VPN, Tunnels Ongoing Support Performance Response team Deployment & Myths : Deployment & Myths Deployed before or after the firewall One IDS per segment The more rule in the product the better the product. Real Time 100% Security Fully Switched & Redundant : Fully Switched & Redundant CAN’T SEE, CAN’T TELL : CAN’T SEE, CAN’T TELL RESPONSE TEAM : RESPONSE TEAM An IDS deployment will be only as successful as the Incident Handling procedures that are in place to support it. It shoud include: Statement of scope Acceptable computer and network use Detection and reporting requirements Responsabilities for responding to incidents Responsabilities for managing incident response Evasion Techniques : Evasion Techniques Evasion techniques are used in order to navigate below the radar of your IDS Fragmentation Slow scan Stealth scan Out of order packets Ambiguous packet (crafting) Encoding such as %u, UTF (%xx%xx), HEX (%xx) Use of well known port (Codered) Extra reading: http://secinf.net/info/ids/idspaper/idspaper.html Evasion Techniques - %u encoding : Evasion Techniques - %u encoding Announced 5 Sept 2001 by eEye Digital Security Almost all IDS are vulnerable except SNORT, Symantec, and NAI Not a standard and only MS specific, unknown to other vendors. So if an attacker sent a %u encoded request then they could bypass IDS checking for ".ida". An example stealth codered request would look like: GET /himom.id%u0061 HTTP/1.0 Where does it come from (Source) : Where does it come from (Source) It looks like a duck, it quack like a duck, but it may not be a duck. Anomizer services such as Zero Knowledge Public proxies Compromised sites IP Spoofing Distributed attack CORRELATION : CORRELATION Is needed for large number of agents and sensor Allow to see trends throughout your enterprise Can accept input from your web server, DNS, FTP server and other applications Can identify threats in other region before they happen locally Very few IDS have highly scalable correlation engine or database Is a must for long term analysis of pattern Ask your vendor about their solution Performance : Performance Frag (1/4)-ta (3/4)-men (2/4)-tion (4/4) Beware of benchmark Hardware used Number of rules Type of traffic Total number of rules x 65535 ANSWER: It depends…… OVERVIEW : OVERVIEW INTRODUCTION Overview Definitions & Jargon The Puzzle Current State of IDS Threats (Fact or fiction) I have a good firewall, why do I need an IDS? Realistic expectations ID Landscape Type of IDS Network versus host based IDS C-I-A Challenges CHOOSING AN IDS Products available on market Ongoing Effort Conclusion More Info Features to look for : Features to look for Number of rules Which one apply to your specific environment Ability to read whole packet Ability to drill down Deal adequately with fragmentation Updates (how they are done and how often) Reporting features (import, export, flexibility) Support Issues (OS, Platform) Ease of use (What manning is needed) Features to look for : Features to look for What specialized equipment is required Is the product Network or Host based How much does the update cost Is it capable of automated response to attacks How customizable is it What is the incidence rate of false positive What kind of expertise is required to support it OVERVIEW : OVERVIEW INTRODUCTION Overview Definitions & Jargon The Puzzle Current State of IDS Threats (Fact or fiction) I have a good firewall, why do I need an IDS? Realistic expectations ID Landscape Type of IDS Network versus host based IDS C-I-A Challenges Choosing an IDS (Criteria & Features) LEADING PRODUCTS Ongoing Effort Conclusion More Info Leading Products : Leading Products Dragon from Enterasys http://www.enterasys.com/ids/ CISCO Secure IDS http://www.cisco.com/go/ids/ Snort http://www.snort.org/ ISS Real Secure http://www.iss.net/securing_e-business/ SHADOW http://www.whitehats.ca ftp://ftp.whitehats.ca/pub/ids/shadow-slack/shadow.iso OVERVIEW : OVERVIEW INTRODUCTION Overview Definitions & Jargon The Puzzle Current State of IDS Threats (Fact or fiction) I have a good firewall, why do I need an IDS? Realistic expectations ID Landscape Type of IDS Network versus host based IDS C-I-A Challenges Choosing an IDS (Criteria & Features) Products available on market ONGOING SUPPORT Conclusion More Info ONGOING SUPPORT : ONGOING SUPPORT There is a need for a COMPETENT analyst Vendors latest signatures may take up to a week after a new threat has be publicized. You will need someone in house that can analyse new vulnerabilities or attacks in order to create your own rule. May take an hour a day or more. Need someone that can fine tune the IDS in order to avoid false positive or false negative Must subscribe to popular advisories and security newsletters such as bugtraq, CERT, GIAC, SANS, and others OVERVIEW : OVERVIEW INTRODUCTION Overview Definitions & Jargon The Puzzle Current State of IDS Threats (Fact or fiction) I have a good firewall, why do I need an IDS? Realistic expectations ID Landscape Type of IDS Network versus host based IDS C-I-A Challenges Choosing an IDS (Criteria & Features) Products available on market Ongoing Effort IN CLOSING More Info IDS GOOD GUYS : IDS GOOD GUYS A few initiative is on the way to improve the early detection, accuracy and terminology amongst vendors of ID equipment and software Incident.org, ARIS, MyNetWatchMan CVE ( http://www.mitre.org/cve/ IDMEF, Intrusion Detection Exchange Message Format http://www.ietf.org/html.charters/idwg-charter.html CIDF, Common Intrusion Detection Framework SUMMARY : SUMMARY Select IDS you wish to use according to your needs and requirement (Short list) Select Hardware Decide on positioning of IDS (total, per customer, per zone, etc…) Estimation of costs ??? Acquire and Install HW and SW (perform tests) Minimize false positive and false negative Deploy to production environment Monitor, tune, update, Monitor, tune, update… CLOSING : CLOSING An IDS is like a three year old kid, it’s not happy unless you are constantly watching it all the time. Contrary to all other devices, An IDS talks back to you and demand immediate attention. One of the most important point is how you are going to monitor your systems, what are you going to do when the alarm goes off at three in the morning? There is about 400 different IDS on the market. Only a few of these products integrate well in large environment, are scalable, and easy to maintain. Acquire the IDS that meets your need, not the one that the vendor think you need. More Info or presentation copies : More Info or presentation copies You can get more info by sending email to:CDUPUIS@CCCURE.ORG Electronic Copies and other fine documents on Intrusion Detection can be obtained from: http://www.cccure.org/Documents/IDS/IDS_2002.PPT SANS TOP 20 VULNERABILITIES http://www.sans.org/top20.htm You do not have the permission to view this presentation. In order to view it, please contact the author of the presentation.
intrusion detection and internet service avimani Download Post to : URL : Related Presentations : Share Add to Flag Embed Email Send to Blogs and Networks Add to Channel Uploaded from authorPOINT lite Insert YouTube videos in PowerPont slides with aS Desktop Copy embed code: (To copy code, click on the text box) Embed: URL: Thumbnail: WordPress Embed Customize Embed The presentation is successfully added In Your Favorites. Views: 531 Category: Education License: All Rights Reserved Like it (0) Dislike it (0) Added: December 06, 2008 This Presentation is Public Favorites: 0 Presentation Description intrustion detection and failure reporting Comments Posting comment... Premium member Presentation Transcript INTRUSION DETECTION SYSTEMS (IDS)INTRODUCTION AND OVERVIEW(What vendors will not tell you) : INTRUSION DETECTION SYSTEMS (IDS)INTRODUCTION AND OVERVIEW(What vendors will not tell you) Clément Dupuis,CDCISSP, GCFW, GCIACCSA, CCSE, ACECGI Group / CCCure.Org OVERVIEW : OVERVIEW INTRODUCTION Overview Definitions & Jargon The Puzzle Current State of IDS Threats (Fact or fiction) I have a good firewall, why do I need an IDS? Realistic expectations ID Landscape Type of IDS Network versus host based IDS C-I-A Challenges Choosing an IDS (Criteria & Features) Products available on market Ongoing Effort Conclusion More Info Intrusion Detection Definition: : Intrusion Detection Definition: Defined by ICSA as: The detection of intrusions or intrusions attempts either manually or via software expert systems that operate on logs or other information available from the system or the network. An intrusion is a deliberate, unauthorized attempt to access or manipulate information or system and to render them unreliable or unusable. When suspicious activity is from your internal network it can also be classified as misuse Jargon related to IDS : Jargon related to IDS False Negative False Positive Beware, companies uses different names for exactly the same type of detect. What is a DMZ ? How to count- what is byte 9 ? Is it the tenth byte or really the ninth The Puzzle : The Puzzle Intrusion Detection Systems are only one piece of the whole security puzzle IDS must be supplemented by other security and protection mechanisms They are a very important part of your security architecture but doesnot solve all your problems Part of “Defense in depth” Current State of IDS : Current State of IDS Lots of people are still using Firewall and Router logs for Intrusion Detection (Home Brew) IDS are not very mature Mostly signature based It is a quickly evolving domain Giant leap and progress every quarter As stated by Bruce Schneier in his book ‘Secret and Lies in a digital world’: PreventionDetection Getting to this point today Reponse OVERVIEW : OVERVIEW INTRODUCTION Overview Definitions & Jargon The Puzzle Current State of IDS THREATS I have a good firewall, why do I need an IDS? Realistic expectations ID Landscape Type of IDS Network versus host based IDS C-I-A Challenges Choosing an IDS (Criteria & Features) Products available on market Ongoing Effort Conclusion More Info THREATS – FACT OR FICTION ?? : THREATS – FACT OR FICTION ?? Frequency vs Difficulty level I am not a target (Yeah, right!) Examples of TOOLS Recent vulnerabilities A classic example: CODERED Hacktivists or cyber terrorists The BIGGEST threat Frequency vs Difficulty level : Frequency vs Difficulty level The frequency of probes, attacks, or intrusions attempts is inversely proportional to the difficulty level required to perform such attacks. A clear trend has been identified over the past 3 years. Graphical tools that are getting very sophisticated have replaced the combersome command line utilities. They are now available for Windows as well as other platforms. It is no longer necessary to have any computer knowledge to break through defense mechanisms that are not properly maintained. Who are the targets ?? : Who are the targets ?? Simply being connected is a good enough reason to be a target. Search is ongoing for easy to compromise hosts. Fast bandwidth is now a cheap commodity. Cable modem and ADSL access is the equivalent of having a T1 link in your home. Kids of all ages can scan a whole country in a very short time frame. No specific motive: They do it for fame, fun, to show off, or just because they have nothing else to do. No technical knowledge is required to be a ‘’Script Kiddie’’ E-COMMERCE + WELL KNOWN NAME = HACKER TARGET : E-COMMERCE + WELL KNOWN NAME = HACKER TARGET A clear example is the Denial of service attacks against Yahoo, Ebay, and other popular sites. ISCA Info Security Magazine Sept 2000 Comparison E-Comm site (left column) vs Non E-Comm site (right column) Viruses/Trojan/worm 82% 76% Denial of service 42% 31% Active Scripting exploit 40% 34% Protocol Weaknesses 29% 23% Insecure Passwords 30% 20% Buffer Overflow 29% 20% Bugs in web server 33% 16% HACKING TOOLS (EASY TO GET, EASY TO USE, VERY POWERFULL) : HACKING TOOLS (EASY TO GET, EASY TO USE, VERY POWERFULL) My friend SAM SPADE : My friend SAM SPADE Execution of arbitrary command through HTTP(10/10/2000) : Execution of arbitrary command through HTTP(10/10/2000) http://address.of.iis5.system/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\ OUTPUT:Directory of c:\ 2000-08-08 18:28 Inetpub 2000-08-09 09:58 Install 2000-08-09 11:17 MDaemon 2000-09-01 09:01 MSSQL7 2000-08-29 13:03 news 2000-10-18 02:53 ooo 2000-10-18 01:37 Program Files 2000-08-09 17:54 sttco 2000-10-17 11:48 WINNT 2000-10-18 02:02 wwww 2000-09-26 12:03 1 File(s) 28,160 bytes 14 Dir(s) 6,377,992,192 bytes free NOTE:%c0%af and %c1%9c are UNICODE representation for the / and \ characters Plain text password after Directory Server Install (10/04/2000) : Plain text password after Directory Server Install (10/04/2000) After installing Netscape's Directory Server 4 for Solaris, one of the final options is to remove a file called 'install.inf' which the install process claims could contain sensitive information. Answering yes to this question will delete the file. However there is another file left behind after installation which contains the un-encrypted 'admin' password. This file has world read permissions and is located in /usr/netscape/server4/admin-serv/config/adm.conf CODERED : CODERED Yet, another buffer overflow Disguise as HTTP request Goes on to infect other systems Could have been stopped by granular access control, proper FW configuration It is not normal traffic when your web server is surfing the internet and making outbound requests on port 80 THE TOP 10 INTERNET THREATS (Top 10 from SANS Institute) : THE TOP 10 INTERNET THREATS (Top 10 from SANS Institute) Bind weakenesses Vulnerable CGI and extension on web server Remote Procedure (NFS and Remote execution) IIS Remote Data Services (for example .htr files) Sendmail Buffer Overflow Solaris sadmind and mountd IMAP/POP buffer overflow or incorrect configuration Default SNMP community strings set to ‘public’ and ‘private.’ Global file sharing (netbios, Macintosh web sharing, UNIX NFS) Use of weak password or no password on user id Hacktivists or Cyber terrorists : Hacktivists or Cyber terrorists USA TODAY October 9th 2001 Very Likely Denial of services attack Computer worms and viruses Likely Breaking into government computer and stealing military secrets or encryption technology Power grid disruption Emergency system being compromised Other internet connected services disruption Hacktivist or Cyber terrorists : Hacktivist or Cyber terrorists Unlikely Cutting off fiber-optic cables between major hubs Bombing or physically attacking domain name servers or switching centrals. Bombing of internet facilities to take down the Internet Digging a Tunnel : Digging a Tunnel RelTunnel – ICMP Tunnel You spend great money on concrete walls (firewalls) but they are of no use of someone can dig through them. The biggest threat: EXPOSURE : The biggest threat: EXPOSURE The biggest threat of all is bad publicity and having your company reputation and name associated with an intrusion, site modification and defacement, or even attack to other sites using your ressources as a launch platform. It could kill all faith in the belief that you can offer a secure environment to conduct E-Commerce or other online activities. Even thou perception is often not the reality. Outsider and customers does not care that the specific site was on a bronze plan or that it was not hosted in house. PEOPLE ONLY READ LARGE TITLES such as: ‘’XYZ GOT HACKED!!!’’ OVERVIEW : OVERVIEW INTRODUCTION Overview Definitions & Jargon The Puzzle Current State of IDS Threats (Fact or fiction) WHY AN IDS? Realistic expectations ID Landscape Type of IDS Network versus host based IDS C-I-A Challenges Choosing an IDS (Criteria & Features) Products available on market Ongoing Effort Conclusion More Info WHY DO I NEED AN IDS, I HAVE A FIREWALL? : WHY DO I NEED AN IDS, I HAVE A FIREWALL? IDS are a dedicated assistant used to monitor the rest of the security infrastructure Today’s security infrastructure are becoming extremely complex, it includes firewalls, identification and authentication systems, access control product, virtual private networks, encryption products, virus scanners, and more. All of these tools performs functions essential to system security. Given their role they are also prime target and being managed by humans, as such they are prone to errors. Failure of one of the above component of your security infrastructure jeopardized the system they are supposed to protect WHY DO I NEED AN IDS, I HAVE A FIREWALL? : WHY DO I NEED AN IDS, I HAVE A FIREWALL? Not all traffic may go through a firewall i:e modem on a user computer Not all threats originates from outside. As networks uses more and more encryption, attackers will aim at the location where it is often stored unencrypted (Internal network) Firewall does not protect appropriately against application level weakenesses and attacks Firewalls are subject to attacks themselves Protect against misconfiguration or fault in other security mechanisms REAL LIFE ANALOGY : REAL LIFE ANALOGY It's like security at the airport... You can put up all the fences in the world and have strict access control, but the biggest threat are all the PASSENGERS (packet) that you MUST let through! That's why there are metal detectors to detect what they may be hiding (packet content). You have to let them get to the planes (your application) via the gate ( port 80) but without X-rays and metal detectors, you can't be sure what they have under their coats. Firewalls are really good access control points, but they aren't really good for or designed to prevent intrusions. That's why most security professionals back their firewalls up with IDS, either behind the firewall or at the host. OVERVIEW : OVERVIEW INTRODUCTION Overview Definitions & Jargon The Puzzle Current State of IDS Threats (Fact or fiction) I have a good firewall, why do I need an IDS? EXPECTATIONS ID Landscape Type of IDS Network versus host based IDS C-I-A Challenges Choosing an IDS (Criteria & Features) Products available on market Ongoing Effort Conclusion More Info WHAT CAN IDS REALISTICLY DO : WHAT CAN IDS REALISTICLY DO Monitor and analyse user and system activities Auditing of system and configuration vulnerabilities Asses integrity of critical system and data files Recognition of pattern reflecting known attacks Statistical analysis for abnormal activities Data trail, tracing activities from point of entry up to the point of exit Installation of decoy servers (honey pots) Installation of vendor patches (some IDS) WHAT IDS CANNOT DO : WHAT IDS CANNOT DO Compensate for weak authentication and identification mechanisms Investigate attacks without human intervention Guess the content of your organization security policy Compensate for weakeness in networking protocols, for example: IP Spoofing Compensate for integrity or confidentiality of information Analyze all traffic on a very high speed network Deal adequately with attack at the packet level Deal adequately with modern network hardware OVERVIEW : OVERVIEW INTRODUCTION Overview Definitions & Jargon The Puzzle Current State of IDS Threats (Fact or fiction) I have a good firewall, why do I need an IDS? Realistic expectations LANDSCAPE Type of IDS Network versus host based IDS C-I-A Challenges Choosing an IDS (Criteria & Features) Products available on market Ongoing Effort Conclusion More Info ID TECHNOLOGY LANDSCAPE : ID TECHNOLOGY LANDSCAPE PREVENTIVE REAL TIME TYPE OF IDS MONITORING : TYPE OF IDS MONITORING Home Brew (Script, Big Brother, Logwatch, swatch) Application Based Host Based (also called Agent) Target Based approach Integrity checker such as the tripwire tool. Network Based (also called Sensor) Hybrid or Integrated approach (Use all or a combination of two or more of the above) Honeypot, Honeynet, and the Sticky Honeypot Gateway IDS (IDS/FW Combined) TYPE OF ANALYSIS : TYPE OF ANALYSIS Signature based (Pattern matching) Similar to a virus scanner, look for a specific string in the network data being presented to the IDS Statistical Based on time, frequency, lenght of session For example: cdupuis logs on at 0300 AM and has never done so in the past, it will raise a flag Integrity Checker Based on hashing mechanism. Detects authorized and unauthorized changes to files within your systems. Anomaly Detection/Behavior Based Flow Based TYPE OF RESPONSE : TYPE OF RESPONSE Alteration to the environment Changes a rule on router Changes a rule on Firewall Striking back (not recommended) Execute a script to collect information about attacker Send a 20 megs file back to anyone fingering Down side: Acknowledgement sent to the attacker Real time notification Send a pager alert SNMP Alarms Sends email to one or more recipients Visual on screen or audible alarms TYPE OF RESPONSE : TYPE OF RESPONSE Throttling Limiting rate Slowing down attacks Session Sniping Will hijack a session Sends a reset to both side of session OVERVIEW : OVERVIEW INTRODUCTION Overview Definitions & Jargon The Puzzle Current State of IDS Threats (Fact or fiction) I have a good firewall, why do I need an IDS? Realistic expectations ID Landscape Type of IDS NETWORK vs HOST C-I-A Challenges Choosing an IDS (Criteria & Features) Products available on market Ongoing Effort Conclusion More Info HOST BASED (Advantages) : HOST BASED (Advantages) Monitor in term of who accessed what Can map problem activities to a specific user id System can track behavior changes associated with misused Can operate in encrypted environment Operates in switched networks Monitoring load distributed against multiple hosts and not on a single host, reporting only relevant data to central console HOST BASED (Disavantages) : HOST BASED (Disavantages) Cannot see all network activities Running audit mechanisms adds overload to system, performance may be an issue Audit trails can take lots of storage OS vulnerabilities can undermine the effectiveness of agents Agents are OS specific Escalation of false positive Greater deployment and maintenance cost NETWORK BASED (Advantages) : NETWORK BASED (Advantages) Can get information quickly without any reconfiguration of computers or need to redirect logging mechanisms Does not affect network or data sources Monitor and detects in real time networks attacks or misuses Does not create system overhead NETWORK BASED (Disavantages) : NETWORK BASED (Disavantages) Cannot scan protocols if the data is encrypted Can infer from network traffic what is happening on host but cannot tell the outcome Hard to implement on fully switched networks Has difficulties sustaining network with a very large bandwidth OVERVIEW : OVERVIEW INTRODUCTION Overview Definitions & Jargon The Puzzle Current State of IDS Threats (Fact or fiction) I have a good firewall, why do I need an IDS? Realistic expectations ID Landscape Type of IDS Network versus host based IDS C-I-A Challenges Choosing an IDS (Criteria & Features) Products available on market Ongoing Effort Conclusion More Info WHAT DOES IT PROTECT ME AGAINST : WHAT DOES IT PROTECT ME AGAINST WHAT DOES IT PROTECT ME AGAINST : WHAT DOES IT PROTECT ME AGAINST OVERVIEW : OVERVIEW INTRODUCTION Overview Definitions & Jargon The Puzzle Current State of IDS Threats (Fact or fiction) I have a good firewall, why do I need an IDS? Realistic expectations ID Landscape Type of IDS Network versus host based IDS C-I-A CHALLENGES Choosing an IDS (Criteria & Features) Products available on market Ongoing Effort Conclusion More Info CHALLENGES : CHALLENGES Deployment & Myths Using IDS in fully switched networks Substaining OC3 speed or higher Interpreting all the data being presented Encryption, VPN, Tunnels Ongoing Support Performance Response team Deployment & Myths : Deployment & Myths Deployed before or after the firewall One IDS per segment The more rule in the product the better the product. Real Time 100% Security Fully Switched & Redundant : Fully Switched & Redundant CAN’T SEE, CAN’T TELL : CAN’T SEE, CAN’T TELL RESPONSE TEAM : RESPONSE TEAM An IDS deployment will be only as successful as the Incident Handling procedures that are in place to support it. It shoud include: Statement of scope Acceptable computer and network use Detection and reporting requirements Responsabilities for responding to incidents Responsabilities for managing incident response Evasion Techniques : Evasion Techniques Evasion techniques are used in order to navigate below the radar of your IDS Fragmentation Slow scan Stealth scan Out of order packets Ambiguous packet (crafting) Encoding such as %u, UTF (%xx%xx), HEX (%xx) Use of well known port (Codered) Extra reading: http://secinf.net/info/ids/idspaper/idspaper.html Evasion Techniques - %u encoding : Evasion Techniques - %u encoding Announced 5 Sept 2001 by eEye Digital Security Almost all IDS are vulnerable except SNORT, Symantec, and NAI Not a standard and only MS specific, unknown to other vendors. So if an attacker sent a %u encoded request then they could bypass IDS checking for ".ida". An example stealth codered request would look like: GET /himom.id%u0061 HTTP/1.0 Where does it come from (Source) : Where does it come from (Source) It looks like a duck, it quack like a duck, but it may not be a duck. Anomizer services such as Zero Knowledge Public proxies Compromised sites IP Spoofing Distributed attack CORRELATION : CORRELATION Is needed for large number of agents and sensor Allow to see trends throughout your enterprise Can accept input from your web server, DNS, FTP server and other applications Can identify threats in other region before they happen locally Very few IDS have highly scalable correlation engine or database Is a must for long term analysis of pattern Ask your vendor about their solution Performance : Performance Frag (1/4)-ta (3/4)-men (2/4)-tion (4/4) Beware of benchmark Hardware used Number of rules Type of traffic Total number of rules x 65535 ANSWER: It depends…… OVERVIEW : OVERVIEW INTRODUCTION Overview Definitions & Jargon The Puzzle Current State of IDS Threats (Fact or fiction) I have a good firewall, why do I need an IDS? Realistic expectations ID Landscape Type of IDS Network versus host based IDS C-I-A Challenges CHOOSING AN IDS Products available on market Ongoing Effort Conclusion More Info Features to look for : Features to look for Number of rules Which one apply to your specific environment Ability to read whole packet Ability to drill down Deal adequately with fragmentation Updates (how they are done and how often) Reporting features (import, export, flexibility) Support Issues (OS, Platform) Ease of use (What manning is needed) Features to look for : Features to look for What specialized equipment is required Is the product Network or Host based How much does the update cost Is it capable of automated response to attacks How customizable is it What is the incidence rate of false positive What kind of expertise is required to support it OVERVIEW : OVERVIEW INTRODUCTION Overview Definitions & Jargon The Puzzle Current State of IDS Threats (Fact or fiction) I have a good firewall, why do I need an IDS? Realistic expectations ID Landscape Type of IDS Network versus host based IDS C-I-A Challenges Choosing an IDS (Criteria & Features) LEADING PRODUCTS Ongoing Effort Conclusion More Info Leading Products : Leading Products Dragon from Enterasys http://www.enterasys.com/ids/ CISCO Secure IDS http://www.cisco.com/go/ids/ Snort http://www.snort.org/ ISS Real Secure http://www.iss.net/securing_e-business/ SHADOW http://www.whitehats.ca ftp://ftp.whitehats.ca/pub/ids/shadow-slack/shadow.iso OVERVIEW : OVERVIEW INTRODUCTION Overview Definitions & Jargon The Puzzle Current State of IDS Threats (Fact or fiction) I have a good firewall, why do I need an IDS? Realistic expectations ID Landscape Type of IDS Network versus host based IDS C-I-A Challenges Choosing an IDS (Criteria & Features) Products available on market ONGOING SUPPORT Conclusion More Info ONGOING SUPPORT : ONGOING SUPPORT There is a need for a COMPETENT analyst Vendors latest signatures may take up to a week after a new threat has be publicized. You will need someone in house that can analyse new vulnerabilities or attacks in order to create your own rule. May take an hour a day or more. Need someone that can fine tune the IDS in order to avoid false positive or false negative Must subscribe to popular advisories and security newsletters such as bugtraq, CERT, GIAC, SANS, and others OVERVIEW : OVERVIEW INTRODUCTION Overview Definitions & Jargon The Puzzle Current State of IDS Threats (Fact or fiction) I have a good firewall, why do I need an IDS? Realistic expectations ID Landscape Type of IDS Network versus host based IDS C-I-A Challenges Choosing an IDS (Criteria & Features) Products available on market Ongoing Effort IN CLOSING More Info IDS GOOD GUYS : IDS GOOD GUYS A few initiative is on the way to improve the early detection, accuracy and terminology amongst vendors of ID equipment and software Incident.org, ARIS, MyNetWatchMan CVE ( http://www.mitre.org/cve/ IDMEF, Intrusion Detection Exchange Message Format http://www.ietf.org/html.charters/idwg-charter.html CIDF, Common Intrusion Detection Framework SUMMARY : SUMMARY Select IDS you wish to use according to your needs and requirement (Short list) Select Hardware Decide on positioning of IDS (total, per customer, per zone, etc…) Estimation of costs ??? Acquire and Install HW and SW (perform tests) Minimize false positive and false negative Deploy to production environment Monitor, tune, update, Monitor, tune, update… CLOSING : CLOSING An IDS is like a three year old kid, it’s not happy unless you are constantly watching it all the time. Contrary to all other devices, An IDS talks back to you and demand immediate attention. One of the most important point is how you are going to monitor your systems, what are you going to do when the alarm goes off at three in the morning? There is about 400 different IDS on the market. Only a few of these products integrate well in large environment, are scalable, and easy to maintain. Acquire the IDS that meets your need, not the one that the vendor think you need. More Info or presentation copies : More Info or presentation copies You can get more info by sending email to:CDUPUIS@CCCURE.ORG Electronic Copies and other fine documents on Intrusion Detection can be obtained from: http://www.cccure.org/Documents/IDS/IDS_2002.PPT SANS TOP 20 VULNERABILITIES http://www.sans.org/top20.htm