Week 12 – IDS/IPS – Flashcards

question
IDS
answer
Intrusion Detection Systems
question
IDS
answer
Detect an anomaly based on a set of rules and alert a contact list
question
IDS
answer
* Work like Burglar alarms * Administrators can choose the alarm level
question
Components of IDS
answer
* Collectors: Gather raw data * Director: Reduces incoming traffic and finds relationships * Notifier: Accepts data from director and takes appropriate action
question
IDS Types
answer
* Network IDS (NIDS): Sniffs traffic traversing the network looking for events * Host IDS (HIDS): Investigates events on a system and alerts if issues are found. IDSs use one of two detection methods: signature based or anomaly based (many products combine both).
question
Host based IDS
answer
Its first job is to classify normal system and data access. - Monitors applications that access the file system, system APIs and network sockets. - Categories of possible malware behaviour are compared against running processes, and alerts are generated when thresholds are met. - Management consoles can aggregate and monitor many HIDSs.
question
Network based IDS
answer
- The knowledge base of a NIDS must be kept up to date. - The knowledge base must be written by experts, so that the signatures match tightly against only the attack packets and not against generic traffic. - False positives must be reviewed and exceptions created for legitimate traffic. * Monitors network traffic and notifies when a predefined condition occurs. * The network-based IDS looks for patterns in network traffic. * Often more false-positive alarms than HIDSs, because they infer what is normal and what is not from the network activity pattern. * Two types: signature based and statistical anomaly based.
question
Signature-based IDS
answer
* Examines data traffic for something that matches the signatures, which comprise preconfigured, predetermined attack patterns. * Signatures must be continually updated as new attack strategies emerge. * The time frame over which an attack occurs matters. * If attackers are slow and methodical ("low and slow"), they may slip through the IDS undetected. - Low and slow attacks: open a TCP connection, then send one packet every x minutes, very slowly. - The attack can take place over a multi-hour period. - These attacks can evade IDSs because most IDSs are configured to remove sessions from their state table after a timeout period. The attack signature therefore never matches: the combination of all the packets sent over a number of hours is never present in the state table of the IDS at the same time.
question
Statistical Anomaly-Based IDS
answer
* Collects data from normal traffic and establishes a baseline. * Periodically samples network activity and compares it to the baseline (network-based anomaly detection, NBAD). * When the activity falls outside the baseline parameters, the IDS notifies the administrator. * The system is able to detect new types of attacks, because it looks for abnormal activity of any type (the flip side is that any legitimate change in traffic also trips it, so the baseline must be re-learned as the network changes). * Traffic graphs can be a poor man's NBAD. - A poor man's statistical IDS can be simple network traffic diagrams. - Using a tool like RRDtool you can see visually when traffic is not at normal rates and investigate.
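The baseline-and-deviation idea on this card, as an added example written for these notes (not code from the course or from any IDS product). It learns a mean and standard deviation from per-minute byte counts observed during a quiet period and flags later windows whose z-score exceeds a threshold; the byte counts are constructed for the example, and the 3-sigma threshold is an assumed tuning knob, not a recommendation.

```python
import statistics
from typing import List, Tuple

# Constructed sample: bytes seen per one-minute window on a monitored link
# during a period the operator considers normal. Made up for this example.
BASELINE_WINDOWS = [
    5100, 4900, 5300, 5000, 4800, 5200, 5050, 4950,
    5150, 4850, 5250, 5000, 4900, 5100, 5050, 4950,
]

# Constructed "live" windows: a flood (40000), then silence (0) between
# otherwise normal windows. Also made up for this example.
LIVE_WINDOWS = [5200, 40000, 4950, 0, 5100]


class TrafficBaseline:
    """Statistical anomaly detector over per-window byte counts (z-score).

    threshold: how many standard deviations away from the learned mean a
    window may be before it is reported. Assumed value for the example."""

    def __init__(self, threshold: float = 3.0) -> None:
        self.threshold = threshold
        self.mean = 0.0
        self.stdev = 0.0
        self.trained = False

    def train(self, samples: List[int]) -> None:
        """Learn the baseline from windows believed to be normal traffic."""
        if len(samples) < 2:
            raise ValueError("need at least two samples to estimate a baseline")
        self.mean = statistics.fmean(samples)
        self.stdev = statistics.pstdev(samples)
        self.trained = True

    def score(self, value: int) -> float:
        """Signed distance from the mean in standard deviations."""
        if not self.trained:
            raise RuntimeError("baseline not trained")
        if self.stdev == 0:
            # A perfectly flat baseline: any change at all is infinitely unusual.
            return 0.0 if value == self.mean else float("inf")
        return (value - self.mean) / self.stdev

    def check(self, value: int) -> Tuple[bool, float]:
        """Return (is_anomalous, z_score) for one observed window."""
        z = self.score(value)
        return abs(z) > self.threshold, z


def scan(live: List[int], baseline: TrafficBaseline) -> List[Tuple[int, int, float]]:
    """Run the detector over a sequence of windows.

    Returns (index, value, z) for every window outside the baseline; both a
    spike (flood) and a drop to zero (link down, host silenced) are reported,
    because NBAD looks for any deviation, not only excess traffic."""
    alerts = []
    for i, value in enumerate(live):
        anomalous, z = baseline.check(value)
        if anomalous:
            alerts.append((i, value, z))
    return alerts


if __name__ == "__main__":
    b = TrafficBaseline(threshold=3.0)
    b.train(BASELINE_WINDOWS)
    print(f"baseline mean={b.mean:.1f} stdev={b.stdev:.1f}")
    for idx, val, z in scan(LIVE_WINDOWS, b):
        print(f"ALERT window {idx}: {val} bytes (z={z:+.1f})")
```

The constructed baseline is very tight (about 140 bytes of standard deviation around a 5000-byte mean), which makes the detector sensitive: a window only 10% above the mean would already cross three sigma. That is the trade-off the card alludes to; a baseline learned from too little or too uniform data produces exactly the noise a poorly configured IDS is criticised for.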
question
Managing Intrusion Detection Systems
answer
* Monitor and respond * An IDS must be configured using technical knowledge plus adequate business and security knowledge to differentiate between routine events and low, moderate or severe threats. * A properly configured IDS can translate a security alert into different types of notification. * A poorly configured IDS may yield only noise.
question
Intrusion Prevention Systems (IPS)
answer
* An IDS with a "block" notifier * A recent addition to the security product range, which is either: - an inline network- or host-based IDS that can block traffic, or - a functional addition to a firewall that adds IDS capabilities * Can block traffic like a firewall, using IDS algorithms * May be network or host based
question
Intrusion Prevention Systems (IPS)
answer
- There are two complementary ways of looking at an IPS: 1. An IPS is an inline network-based IDS (NIDS) that has the capability to block traffic by discarding packets, as well as simply detecting suspicious traffic. - For host-based systems, an IPS is a host-based IDS that can discard incoming traffic. 2. An IPS is a functional addition to a firewall that adds IDS types of algorithms to the repertoire of the firewall. - An IPS blocks traffic as a firewall does, but makes use of the types of algorithms developed for IDSs. - An IPS can be either host based or network based.
question
Network-Based IPS
answer
* Inline NIDS that can discard packets or terminate TCP connections. * Uses signature and anomaly detection. * May provide flow data protection: monitoring full application flow content. * Can identify malicious packets using: - pattern matching, stateful matching, protocol anomaly, traffic anomaly, statistical anomaly * Example: Snort inline can drop/modify packets
question
Network-Based IPS
answer
- Is in essence an inline NIDS with the authority to discard packets and tear down TCP connections. - A NIPS makes use of techniques such as signature detection, anomaly detection and flow data protection; the last of these requires that the application payload in a sequence of packets be reassembled. The IPS device applies filters to the full content of the flow every time a new packet for the flow arrives. - When a flow is determined to be malicious, the latest and all subsequent packets belonging to the suspect flow are dropped.
question
Methods used by a NIPS device to identify malicious packets
answer
- Pattern matching: scans incoming packets for specific byte sequences (the signature) stored in a database of known attacks. - Stateful matching: scans for attack signatures in the context of the traffic stream rather than in individual packets. - Protocol anomaly: looks for deviation from the standards set forth in RFCs. - Traffic anomaly: watches for unusual traffic activity, such as a flood of UDP packets or a new service appearing on the network. - Statistical anomaly: develops a baseline of normal traffic activity and throughput, and alerts on deviations from that baseline. A modified version of Snort (Snort inline) gives Snort an intrusion prevention capability. Snort inline includes a replace option, which allows the Snort user to modify
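The difference between pattern matching and stateful matching, and the low-and-slow evasion from the signature-based IDS card, as an added example written for these notes (not code from the course, from Snort or from any IPS). The signature, the flows and the packet timings are all constructed; the detector keys sessions by a (client, server) pair instead of a real TCP 4-tuple and ignores sequence numbers, which is enough to show the mechanism.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed signature for the example: a byte sequence assumed to appear
# only in the attack request. Not a real Snort rule.
SIGNATURE = b"GET /cgi-bin/evil.sh"

Flow = Tuple[str, str]  # (client, server) stands in for the TCP 4-tuple


@dataclass
class Packet:
    flow: Flow
    t: float        # arrival time in seconds
    payload: bytes  # TCP payload only


# Constructed traffic, already in arrival order:
#   flow A splits the signature across two back-to-back packets,
#   flow C sends it in one packet,
#   flow B sends it in three pieces five minutes apart ("low and slow").
PACKETS = [
    Packet(("10.0.0.5", "10.0.0.80"), 0.0, b"GET /cgi-bi"),
    Packet(("10.0.0.5", "10.0.0.80"), 0.1, b"n/evil.sh HTTP/1.0\r\n"),
    Packet(("10.0.0.9", "10.0.0.80"), 1.0, b"GET /cgi-bin/evil.sh HTTP/1.0\r\n"),
    Packet(("10.0.0.7", "10.0.0.80"), 2.0, b"GET /cgi"),
    Packet(("10.0.0.7", "10.0.0.80"), 302.0, b"-bin/evi"),
    Packet(("10.0.0.7", "10.0.0.80"), 602.0, b"l.sh HTTP/1.0\r\n"),
]


def per_packet_match(packets: List[Packet], signature: bytes = SIGNATURE) -> List[int]:
    """Pattern matching: each packet is inspected on its own, so a signature
    split across packets is never seen."""
    return [i for i, p in enumerate(packets) if signature in p.payload]


@dataclass
class StreamState:
    buf: bytes = b""
    last_seen: float = 0.0


class StatefulMatcher:
    """Stateful matching: reassemble each flow's payload and match across
    packet boundaries. Sessions idle longer than `timeout` are evicted from
    the state table, which is exactly what a low-and-slow attacker relies on."""

    def __init__(self, signature: bytes = SIGNATURE, timeout: float = 60.0) -> None:
        self.signature = signature
        self.timeout = timeout
        self.table: Dict[Flow, StreamState] = {}

    def feed(self, pkt: Packet) -> bool:
        st = self.table.get(pkt.flow)
        if st is not None and pkt.t - st.last_seen > self.timeout:
            st = None  # session timed out: previously seen bytes are forgotten
        if st is None:
            st = StreamState()
            self.table[pkt.flow] = st
        st.buf += pkt.payload
        st.last_seen = pkt.t
        if self.signature in st.buf:
            st.buf = b""  # report once per occurrence, then start fresh
            return True
        # Keep only the tail that could still complete a match, so memory per
        # flow stays bounded by the signature length.
        st.buf = st.buf[-(len(self.signature) - 1):]
        return False


def stateful_alerts(packets: List[Packet], timeout: float = 60.0) -> List[int]:
    """Indices of packets on which the reassembled flow matched the signature."""
    m = StatefulMatcher(timeout=timeout)
    return [i for i, p in enumerate(packets) if m.feed(p)]


if __name__ == "__main__":
    print("per-packet :", per_packet_match(PACKETS))          # [2]
    print("stateful 60s:", stateful_alerts(PACKETS, 60.0))    # [1, 2]
    print("stateful 1h :", stateful_alerts(PACKETS, 3600.0))  # [1, 2, 5]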
question
Host-Based IPS
answer
* Identifies attacks using both: - signature techniques: malicious application packets - anomaly detection techniques: behaviour patterns that indicate malware * Can be tailored to the specific platform: general purpose, or web/database server specific. * Can also sandbox applets to monitor their behaviour. * May provide desktop file, registry and I/O protection. Has evolved into application whitelisting.
question
- Host-Based IPS
answer
- Examples of the types of malicious behaviour addressed by a HIPS include: modification of system resources; privilege-escalation exploits; buffer-overflow exploits; access to the email contact list; directory traversal. Attacks such as these result in behaviours that can be analysed by a HIPS. - Some HIPS packages are designed to protect specific types of servers, such as web servers and database servers. In this case the HIPS looks for particular application attacks. - In addition to signature and anomaly-detection techniques, a HIPS can use a sandbox approach. - Sandboxes are especially suited to mobile code, such as Java applets and scripting languages. The HIPS quarantines such code in an isolated system area, then runs the code and monitors its behaviour. If the code violates predefined policies or matches predefined behaviour signatures, it is halted and prevented from executing in the normal system environment. - The following are areas for which a HIPS typically offers desktop protection: system calls; file system access; system registry; host input/output.
question
Managing Intrusion Detection Systems
answer
* Most HIDSs monitor the system by means of agents: software that resides on a system and reports back to a management server. * Security Information Manager (SIM): collects data from multiple host- and network-based IDSs and looks for patterns across systems and networks; used to identify cross-system probes and intrusions. - SEM (security event manager): a central point to which events are reported. The device has better visibility into events occurring across the network and is able to correlate them into an aggregate view. This view can reduce false positives and gives an overview of the state of the network. Keep in mind that these devices cost a lot, because they require specialised software and very fast hardware to keep up with the number of events.
question
Unified Threat Management Products
answer
One approach to reducing the administrative and performance burden is to replace all inline network products (firewall, IPS, IDS, VPN, antispam, antispyware, and so on) with a single device, a unified threat management (UTM) system, that integrates a variety of approaches to dealing with network-based attacks. A significant issue with a UTM device is performance, both throughput and latency; e.g. the typical throughput loss for current commercial devices is around 50%. Processing order inside a UTM device:
1. Inbound traffic is decrypted if necessary before its initial inspection. If the device functions as a VPN boundary node, IPsec decryption takes place here.
2. An initial firewall module filters traffic, discarding packets that violate rules and/or passing packets that conform to the rules set in the firewall policy.
3. Then a number of modules analyse individual packets and flows of packets at various protocol levels. A data analysis engine is responsible for keeping track of packet flows and coordinating the work of the antivirus, IDS and IPS engines.
4. The data analysis engine also reassembles multi-packet payloads for content analysis by the antivirus engine and the web filtering and antispam modules.
5. Some incoming traffic may need to be re-encrypted to maintain internal security.
6. All detected threats are reported to the logging and reporting module, which is used to issue alerts for specified conditions and for forensic analysis.
question
Network Access Control (NAC)
answer
* Ensures endpoints are not vulnerable to attack before enabling network access. * Generally includes some form of user/computer registration. * Verifies policy compliance. * Multiple competing "standards": - NAP (Microsoft) - NAC (Cisco) - TNC (Trusted Network Connect, from the Trusted Computing Group) - ad hoc
question
NAC
answer
- Allows an admin to control which systems have access to the network. This control allows for decisions such as "only patched systems which have authenticated are able to get an internal IP address". - NAC is most common in open environments like hotels and universities. It is also common in environments which require a high degree of control over the systems that access the network, such as banks or critical infrastructure.
question
Policy Enforcement
answer
*Isolation *Notification *Remediation *Detection *Registration: Identity, Integrity
question
Isolation Methods
answer
* VLAN: Virtual Local Area Network * 802.1X: IEEE standard for port-based network access control * ARP: Address Resolution Protocol * DHCP: Dynamic Host Configuration Protocol
question
VLAN Scenario
answer
* Network VLANs are "registered" and "unregistered" * Port becomes active: an SNMP trap is sent, the host is detected during polling, or the default VLAN is used * The MAC address is checked in the DB and assigned to the correct VLAN via an SNMP write or a CLI expect script - A common scenario for implementing NAC is VLANs: you have an initial VLAN which all systems enter, then after passing some criteria they are moved to a second VLAN for known good systems.
question
VLAN Pros
answer
* Isolated hosts are segmented from registered hosts * Harder to bypass
question
VLAN Cons
answer
* Doesn't work with: - hubs - older switches - shared ports - APs * Slow * CLI expect scripts are fragile
question
802.1X Scenario
answer
* On link up the network device (switch/AP) negotiates an EAP session * The client supplicant prompts for username/password * The network device passes the credentials to RADIUS * The RADIUS server returns accept/deny - 802.1X is used effectively in WPA/WPA2 Enterprise networking. The same technology can be applied to a wired network. If your clients have 802.1X supplicants, this form of authentication before access allows for an easier infrastructure implementation of NAC.
question
802.1X Pros
answer
* Encrypted communication * Windows/Mac OS X built-in support * Realms: credentials pass through a secure tunnel to the home institution * Almost every AP and most smart switches have support.
question
802.1X cons
answer
* No pre-auth scan * Switch, AP, RADIUS server and client must all support the EAP type (PEAP, TTLS, ...) and encryption type (WEP, WPA, WPA2, ...) * Most difficult to implement * No fail-open support in the standard * Windows supplicant limited - 802.1X cannot perform posture assessment before authentication of the system: before authentication, the system has no IP address and is not on the network. The biggest issue is client support and configuration. It is a heavy burden to manage the supplicant configuration of all your wireless systems.
question
ARP Scenario
answer
* The system comes online and broadcasts an ARP request for the gateway it learned from DHCP * The ARP request is seen by every host on the segment * The NAC server checks its DB for this MAC * The gateway router responds with its MAC address * The NAC server also responds with its own MAC address and overwrites the gateway MAC in the client's ARP cache * After registration, the gateway address is updated - The ARP isolation process is similar to a MITM (ARP spoofing) attack: the NAC enforcement point responds with its own MAC address whenever a system has not been registered yet. After registration, the enforcement point stops responding.
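The enforcement point's decision logic from this card, as an added example written for these notes (not code from the course or from any NAC product). It builds and parses raw Ethernet/ARP frames with the standard library, answers gateway ARP requests from unregistered MACs with the enforcer's own MAC, stays silent for registered ones, and after registration emits a reply carrying the real gateway's MAC so the client's cache is corrected. Putting the frames on the wire (a raw socket, or a library such as scapy) is left out; the addresses and the registered-MAC table are constructed for the example, and the "restore" step is an assumption about how a real product would update the client, not something the card states.

```python
import struct
from typing import Optional, Set, Tuple

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def build_arp(op: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Ethernet II frame carrying an ARP packet (RFC 826 layout, 42 bytes)."""
    dst = BROADCAST if op == ARP_REQUEST else mac_bytes(target_mac)
    eth = dst + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # Ethernet, IPv4, 6, 4, op
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> Optional[Tuple[int, str, str, str]]:
    """Return (op, sender_mac, sender_ip, target_ip), or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return op, fmt_mac(frame[22:28]), fmt_ip(frame[28:32]), fmt_ip(frame[38:42])


class ArpEnforcer:
    """NAC enforcement point on the client segment.

    Unregistered hosts asking for the gateway get a reply with our MAC, so
    their traffic lands on the isolation gateway; registered hosts get no
    reply from us and only hear the real router."""

    def __init__(self, gateway_ip: str, gateway_mac: str, own_mac: str,
                 registered: Set[str]) -> None:
        self.gateway_ip = gateway_ip
        self.gateway_mac = gateway_mac.lower()
        self.own_mac = own_mac.lower()
        self.registered = {m.lower() for m in registered}

    def handle(self, frame: bytes) -> Optional[bytes]:
        """Return the spoofed reply frame to send, or None to stay silent."""
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        op, smac, sip, tip = parsed
        if op != ARP_REQUEST or tip != self.gateway_ip:
            return None
        if smac in self.registered:
            return None
        return build_arp(ARP_REPLY, self.own_mac, self.gateway_ip, smac, sip)

    def register(self, client_mac: str, client_ip: str) -> bytes:
        """Mark a host registered and return an unsolicited reply carrying the
        real gateway MAC so the client's poisoned cache entry is corrected
        (assumed behaviour for the example; the card only says it is 'updated')."""
        self.registered.add(client_mac.lower())
        return build_arp(ARP_REPLY, self.gateway_mac, self.gateway_ip,
                         client_mac, client_ip)


# Constructed addresses for the example.
GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "aa:bb:cc:00:00:01"
ENFORCER_MAC = "02:00:00:00:00:01"
REGISTERED = {"aa:bb:cc:dd:ee:01"}

if __name__ == "__main__":
    enf = ArpEnforcer(GATEWAY_IP, GATEWAY_MAC, ENFORCER_MAC, REGISTERED)
    req = build_arp(ARP_REQUEST, "aa:bb:cc:dd:ee:02", "10.0.0.20", "00:00:00:00:00:00", GATEWAY_IP)
    print("unregistered ->", parse_arp(enf.handle(req)))
    print("registered   ->", enf.handle(build_arp(ARP_REQUEST, "aa:bb:cc:dd:ee:01", "10.0.0.10",
                                                  "00:00:00:00:00:00", GATEWAY_IP)))
```

Note what this does not do: it cannot win against a client that has a static ARP entry for the gateway, and it only works when the enforcer shares the layer 2 segment with the clients, which is exactly the pair of cons listed on the next card.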
question
ARP Pros
answer
* Layer 3 independent * Static IPs don't circumvent it * Immediate isolation, no timeout required * Faster than other methods * No network infrastructure changes - Plug-and-play protocol, which makes enforcement of the NAC policy plug and play as well
question
ARP Cons
answer
* ARP was not designed for this * The server needs to be on the same physical (layer 2) segment as the clients * Harder to debug * A client with a static ARP entry for the gateway bypasses it
question
DHCP Scenario
answer
* DHCP broadcast request * Assigned an "unregistered" IP * Registration * Scope change, often requiring a DHCP restart * After lease timeout or reboot, the host gets a "registered" IP - Control of the subnet given to clients allows for NAC policy enforcement. For example, for systems which are unknown or unregistered, the DHCP server allocates an isolated subnet with the NAC gateway as the router; all other, known systems are given the proper subnet, which is routed.
question
DHCP Pros
answer
* Easiest method to implement * Vendor agnostic * DHCP is a mature technology - Simple and well-understood NAC method
question
DHCP Cons
answer
* Static IPs bypass it * Easy to bypass * Slow: you need to wait 50-100% of the lease time for the client to request a new address. * Less control over violations.