
INTRUSION DETECTION SYSTEMS (IDS)

INTRODUCTION AND OVERVIEW


Intrusion Detection Definition:
• Defined by ICSA as:
– The detection of intrusions or intrusion attempts, either
manually or via software expert systems that operate
on logs or other information available from the system
or the network.
• An intrusion is a deliberate, unauthorized attempt
to access or manipulate information or systems
and to render them unreliable or unusable.
• When suspicious activity comes from your internal
network it can also be classified as misuse.
The Puzzle
• Intrusion Detection Systems are only
one piece of the whole security puzzle
• IDS must be supplemented by other
security and protection mechanisms
• They are a very important part of your
security architecture but do not
solve all your problems
• Part of “Defense in depth”
Current State of IDS
• Lots of people are still using firewall and router
logs for intrusion detection (home brew)
• IDS are not very mature
• Mostly signature based
• It is a quickly evolving domain
• Giant leaps and progress every quarter
• As stated by Bruce Schneier in his book ‘Secrets and
Lies: Digital Security in a Networked World’:
– Prevention
– Detection (getting to this point today)
– Response
Frequency vs Difficulty Level
• The frequency of probes, attacks, or intrusion
attempts is inversely proportional to the difficulty
level required to perform such attacks.
• A clear trend has been identified over the past 3
years. Graphical tools that are getting very
sophisticated have replaced the cumbersome
command line utilities.
• They are now available for Windows as well as
other platforms.
• It is no longer necessary to have any computer
knowledge to break through defense mechanisms
that are not properly maintained.
Who are the targets??
• Simply being connected is a good enough reason to be
a target. The search is ongoing for easy-to-compromise
hosts.
• Fast bandwidth is now a cheap commodity.
• Cable modem and ADSL access is the equivalent of
having a T1 link in your home.
• Kids of all ages can scan a whole country in a very
short time frame.
• No specific motive: they do it for fame, fun, to show
off, or just because they have nothing else to do. No
technical knowledge is required to be a ‘Script Kiddie’.
E-COMMERCE + WELL KNOWN NAME = HACKER TARGET

• A clear example is the denial of service attacks
against Yahoo, eBay, and other popular sites.
• ICSA Information Security Magazine, Sept 2000
– Comparison of E-Commerce sites (left column) vs Non
E-Commerce sites (right column)

Threat                     E-Comm   Non E-Comm
Viruses/Trojan/worm          82%       76%
Denial of service            42%       31%
Active Scripting exploit     40%       34%
Protocol weaknesses          29%       23%
Insecure passwords           30%       20%
Buffer overflow              29%       20%
Bugs in web server           33%       16%
THE TOP 10 INTERNET THREATS
(Top 10 from SANS Institute)
• BIND weaknesses
• Trojan horses
• Falsification of identity
• Sendmail flood (flooding with hundreds of thousands of
messages in a short period of time)
• Flooding (compromising a system by sending huge amounts of
useless information to lock out legitimate traffic and deny
service)
• IMAP/POP buffer overflow or incorrect configuration
• Default SNMP community strings set to ‘public’ and ‘private’
• Global file sharing (NetBIOS, Macintosh web sharing, UNIX NFS)
• Use of weak passwords or no password on user IDs
Hacktivists or Cyber Terrorists
• Very likely
– Denial of service attacks
– Computer worms and viruses
– Password cracking and access violations
• Likely
– Breaking into government computers and stealing
military secrets or encryption technology
– Power grid disruption
– Emergency systems being compromised
– Other Internet-connected services disruption
Hacktivists or Cyber Terrorists (cont.)
• Unlikely
– Cutting off fiber-optic cables between major
hubs
– Bombing or physically attacking domain
name servers or switching centers
– Bombing of Internet facilities to take down the
Internet
WHY DO I NEED AN IDS, I HAVE A FIREWALL?
• An IDS is a dedicated assistant used to monitor the
rest of the security infrastructure
• Today’s security infrastructures are becoming
extremely complex: they include firewalls, identification
and authentication systems, access control products,
virtual private networks, encryption products, virus
scanners, and more. All of these tools perform
functions essential to system security. Given their
role they are also prime targets and, being managed
by humans, they are prone to errors.
• Failure of one of the above components of your
security infrastructure jeopardizes the systems they
are supposed to protect
WHY DO I NEED AN IDS, I HAVE A FIREWALL? (cont.)
• Not all traffic may go through a firewall,
e.g. a modem on a user’s computer
• Not all threats originate from outside. As
networks use more and more encryption,
attackers will aim at the location where data is often
stored unencrypted (the internal network)
• Firewalls do not protect appropriately against
application-level weaknesses and attacks
• Firewalls are subject to attacks themselves
• An IDS protects against misconfiguration or faults in other
security mechanisms
REAL LIFE ANALOGY
• It's like security at the airport... You can put up all the fences
in the world and have strict access control, but the biggest
threat is all the PASSENGERS (packets) that you MUST let
through! That's why there are metal detectors to detect what
they may be hiding (packet content).
• You have to let them get to the planes (your application) via
the gate (port 80), but without X-rays and metal detectors
you can't be sure what they have under their coats.
• Firewalls are really good access control points, but they
aren't really good for, or designed to, prevent intrusions.
• That's why most security professionals back their firewalls
up with an IDS, either behind the firewall or at the host.
WHAT CAN IDS REALISTICALLY DO
– Monitor and analyse user and system activities
– Audit system and configuration vulnerabilities
– Assess integrity of critical system and data files
– Recognise patterns reflecting known attacks
– Statistical analysis for abnormal activities
– Data trail: tracing activities from the point of entry up
to the point of exit
– Installation of decoy servers (honey pots)
– Installation of vendor patches (some IDS)
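The "assess integrity of critical system and data files" item above is what a Tripwire-style checker does: hash every file once, store the digests, and diff against a fresh hash run later. This is an added illustration, not code from the slides or from Tripwire; the file tree and the tampering it detects are constructed inside a temporary directory so it runs offline.

```python
"""Tripwire-style integrity check: hash a file tree, keep a baseline, and
report added, removed and modified files on the next run (added example)."""
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(path, root)] = h.hexdigest()
    return digests


def compare(baseline, current):
    """Return the files whose state differs from the stored baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline three files, then tamper with the tree."""
    with tempfile.TemporaryDirectory() as root:
        sample = {"passwd": b"root:x:0:0\n", "hosts": b"127.0.0.1 localhost\n",
                  "motd": b"welcome\n"}
        for name, data in sample.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        # In real use the baseline lives on read-only/offline media.
        baseline = hash_tree(root)
        # Simulated tampering: passwd edited, motd deleted, unexpected file dropped.
        with open(os.path.join(root, "passwd"), "ab") as fh:
            fh.write(b"extra:x:0:0\n")
        os.remove(os.path.join(root, "motd"))
        with open(os.path.join(root, "unexpected"), "wb") as fh:
            fh.write(b"\x7fELF")
        return compare(baseline, hash_tree(root))
```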
Intrusion Detection System Activities (diagram)
TYPE OF IDS MONITORING
• Host Based
– Runs on individual hosts or devices on the network
– Alerts the user of suspicious activity detected
• Target Based approach
– Integrity checker such as the Tripwire tool
• Network Based (also called Sensor)
– Placed at points within the network
– Monitors traffic to and from all devices on the network
• Signature based (Pattern matching)
– Similar to a virus scanner: looks for a specific string in the
network data being presented to the IDS
• Statistical
– Based on time, frequency, length of session
– For example: cdupuis logs on at 03:00 AM and has never
done so in the past; it will raise a flag
• Integrity Checker
– Based on a hashing mechanism. Detects authorized and
unauthorized changes to files within your systems.
• Anomaly Detection/Behavior Based

TYPE OF RESPONSE
• Alteration to the environment
– Changes a rule on a router
– Changes a rule on a firewall
• Striking back
– Execute a script to collect information about the attacker
– Send a 20 MB file back to anyone running finger against you
– Down side: acknowledgement sent to the attacker
• Real time notification
– Send a pager alert
– SNMP alarms
– Send email to one or more recipients
– Visual on-screen or audible alarms
Typical Locations for an Intrusion Detection System (diagram)
Evasion Techniques
• Intrusion Detection System evasion techniques are
modifications made to attacks in order to prevent
detection by an Intrusion Detection System (IDS).
Almost all published evasion techniques modify
network attacks.
• Almost all IDS are vulnerable except SNORT,
Symantec, and NAI
Evasion Techniques (cont.)
• Fragmentation and Small Packets: splitting the
attack payload into multiple small packets, so that the
IDS must reassemble the packet stream to detect the
attack.
• Overlapping Fragments: crafting a series of packets
with TCP sequence numbers configured to overlap.
• Protocol Violations: deliberately violating the TCP or
IP protocols in a way the target computer will handle
differently than the IDS.
• Inserting Traffic at the IDS: sending packets
that the IDS will see but the target computer will
not.
• Denial of Service: exploiting a bug in the IDS,
using up computational resources on the IDS, or
deliberately triggering a large number of alerts to
disguise the actual attack.
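Why the first two items above defeat a per-packet matcher, shown from the sensor's side as an added example (not code from the slides or from any product): a stream reassembler that matches a constructed marker string only after the segments are put back together, and whose verdict on overlapping segments depends on whether it keeps the first or the last byte seen at an offset. A sensor must use the same overlap policy as the host it protects, otherwise the host and the IDS "see" different data.

```python
"""Segment reassembly for signature matching: per-packet scanning misses a
marker split across packets; overlap policy decides what the stream contains.
Added example; the marker string and segments are constructed."""
SIGNATURE = b"MARK-EVIL-SIG"


def per_packet_scan(segments):
    """Naive detector: looks at each segment's payload in isolation."""
    return any(SIGNATURE in payload for _seq, payload in segments)


def reassemble(segments, policy="first"):
    """Rebuild the byte stream from (seq, payload) segments in arrival order.
    policy='first' keeps the first byte seen at an offset;
    policy='last' lets a later segment overwrite it.
    Reassembly stops at the first hole (missing offset)."""
    stream = {}
    for seq, payload in segments:
        for i, b in enumerate(payload):
            off = seq + i
            if policy == "last" or off not in stream:
                stream[off] = b
    out = bytearray()
    off = 0
    while off in stream:
        out.append(stream[off])
        off += 1
    return bytes(out)


def stream_scan(segments, policy="first"):
    """Detector that matches against the reassembled stream."""
    return SIGNATURE in reassemble(segments, policy)


# Constructed case 1: the marker is split across three small segments.
SPLIT = [(0, b"GET /MARK-"), (10, b"EVIL-S"), (16, b"IG HTTP/1.0")]
# Constructed case 2: offsets 10-15 arrive twice with different content.
OVERLAP = [(0, b"GET /MARK-"), (10, b"XXXX-S"), (10, b"EVIL-S"),
           (16, b"IG HTTP/1.0")]
# Constructed case 3: a segment never arrives, so the stream is incomplete.
HOLE = [(0, b"GET /MARK-"), (16, b"IG HTTP/1.0")]
```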
CORRELATION
– Identify patterns which are seen across multiple
destinations and display the events which occur
most often
– Identify those common patterns or attacks that were
followed by the attackers before generating a
serious attack
– Can accept input from your web server, DNS, FTP
server and other applications
– Helps the security analyst identify the pattern
followed by the attackers and change his security
policy
– Very few IDS have a highly scalable correlation
engine or database
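The first two correlation goals above, implemented over a constructed alert table as an added example (not code from the slides or from any product): group alerts by source to find sources seen against several destinations, and for every serious alert record the sequence of rules that same source triggered beforehand, then count which sequence is most common. Rule names, addresses and severities are constructed.

```python
"""Correlation over constructed IDS alerts: multi-destination sources and the
rule sequences that preceded each serious alert (added example)."""
from collections import Counter, defaultdict

# Constructed alert log: (time, source, destination, rule name, severity)
ALERTS = [
    ("10:00:01", "192.0.2.7", "10.0.0.1", "PORTSCAN", "low"),
    ("10:00:02", "192.0.2.7", "10.0.0.2", "PORTSCAN", "low"),
    ("10:00:03", "192.0.2.7", "10.0.0.3", "PORTSCAN", "low"),
    ("10:01:10", "192.0.2.7", "10.0.0.2", "WEB-PROBE", "medium"),
    ("10:02:30", "192.0.2.7", "10.0.0.2", "OVERFLOW-ATTEMPT", "high"),
    ("10:05:00", "198.51.100.4", "10.0.0.2", "WEB-PROBE", "medium"),
    ("10:06:00", "198.51.100.4", "10.0.0.5", "WEB-PROBE", "medium"),
    ("10:07:15", "198.51.100.4", "10.0.0.5", "OVERFLOW-ATTEMPT", "high"),
    ("10:09:00", "203.0.113.9", "10.0.0.1", "WEB-PROBE", "medium"),
    ("10:09:40", "203.0.113.9", "10.0.0.1", "OVERFLOW-ATTEMPT", "high"),
]


def multi_destination_sources(alerts, min_dsts=2):
    """Sources whose events were seen against at least min_dsts distinct hosts."""
    dsts = defaultdict(set)
    for _t, src, dst, _rule, _sev in alerts:
        dsts[src].add(dst)
    return {src: len(d) for src, d in dsts.items() if len(d) >= min_dsts}


def precursor_sequences(alerts):
    """For each 'high' alert, the distinct rule names (in order) that the same
    source triggered before it; returns how often each sequence occurred."""
    by_src = defaultdict(list)
    for _t, src, _dst, rule, sev in sorted(alerts):  # same-day times sort as text
        by_src[src].append((rule, sev))
    seqs = Counter()
    for events in by_src.values():
        before = []
        for rule, sev in events:
            if sev == "high":
                seqs[tuple(dict.fromkeys(before))] += 1  # dedupe, keep order
                before = []
            else:
                before.append(rule)
    return seqs
```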
Features to look for
• Number of rules
• Which one apply to your specific environment
• Ability to read whole packet
• Ability to drill down
• Deal adequately with fragmentation
• Updates (how they are done and how often)
• Reporting features (import, export, flexibility)
• Support Issues (OS, Platform)
• Ease of use (what staffing is needed)
Leading Products
• Dragon from Enterasys
– http://www.enterasys.com/ids/
• CISCO Secure IDS
– http://www.cisco.com/go/ids/
• Snort
– http://www.snort.org/
• ISS RealSecure
– http://www.iss.net/securing_e-business/
• SHADOW
– http://www.whitehats.ca
– ftp://ftp.whitehats.ca/pub/ids/shadow-slack/shadow.iso
IDS GOOD GUYS
• A few initiatives are under way to improve
early detection, accuracy and terminology
amongst vendors of ID equipment and software
– Incident.org, ARIS, MyNetWatchMan
– CVE (http://www.mitre.org/cve/)
– IDMEF, Intrusion Detection Message Exchange
Format
http://www.ietf.org/html.charters/idwg-charter.html
– CIDF, Common Intrusion Detection Framework
QUESTIONS???
