Intrusion Detection Systems: Snort & Tripwire
Becky Newell-Nicosia
June 4, 2004
COEN 150

Intrusion Detection Systems (IDS)
- The complexity of networking technologies results in multiple vulnerabilities at all layers of the network.
- Instruments for intrusion detection, intrusion prevention, and forensic analysis are needed.
- An IDS is designed to monitor networking and computing activities for the purpose of detecting and potentially preventing security violations.
- 2 types of IDS:
  - Network-based (NIDS), e.g. Snort
  - Host-based (HIDS), e.g. Tripwire

IDS Analogy
- An intrusion detection system is not a firewall. It is designed to sound alarms when malicious activity occurs but does not necessarily stop it from happening.
- You can think of a firewall as the lock on a door and the intrusion detection system as the alarm that notifies the police of an intruder break-in.

IDS: A Brief History
- The origins of intrusion detection are traced back to electronic data processing (EDP) auditing: the DoD's Tan Book of the Rainbow Series, "A Guide to Understanding Audit in Trusted Systems" (last updated June 1, 1988).
- (1980) James Anderson published a paper for the Air Force.
- (1987) Dorothy Denning & Peter Neumann published a paper explaining the correlation between anomalous activity and an indication of potential security breaches.
- (1988–1995) UC Davis developed and enhanced the Network Security Monitor (NSM), one of the first network-based intrusion detection systems.

IDS Preparedness
- There is no true "out-of-the-box" solution for intrusion detection; avoid being misled by vendor "hype" about a panacea solution.
- 1st step: Establish firm, realistic goals.
- 2nd step: Prioritize the specific requirements of the organization's unique networking environment.
- 3rd step: Budget & resources.
- A proper understanding of the capabilities and limitations of signature-based intrusion detection requires a relatively solid understanding of the TCP/IP protocol suite.
IDS Architecture & Design
- Every network is unique and there are many types of IDS deployments.
- Determine a good rule selection (signature-based alerting) for the environment being monitored:
  - Ensure good performance
  - Ensure good detection capabilities
  - Ensure a reasonable number of alerts

IDS Deployment Example

Network-Based IDS (NIDS)
- Uses hardware, software, or both to analyze network activity by capturing data packets traveling on the network.
- Some NIDS are anomaly-based: all activity is measured against a baseline of "normal" activity.
- Most NIDS are signature-based.

Signature-Based NIDS
- Each specific attack is examined to find a sequence of data in a network packet that matches a previously and uniquely defined type of attack, or "signature".
- All known signatures are stored in a database or library for the IDS software to cross-reference and compare with internet traffic in real time.
- When a match is made, the IDS program processes the alert information and creates a log entry or initiates some notification mechanism (e.g. an email or pager alert).

NIDS Challenges
- An overwhelming amount of information is logged by the IDS; it is common to generate thousands of alerts per day.
- Attackers continuously develop strategies to bypass intrusion detection systems just about as fast as IDS is being further developed and improved.
- The use of switches, gigabit Ethernet, firewalls, and encryption presents architectural challenges.

OSI & TCP/IP Model

TCP Handshake Process

TCP Disconnection Process

TCP/IP 4-Layer Model & Associated Threats
- Network Interface Layer: Media Access Control (MAC) spoofing
- Internet Layer: IP spoofing; ICMP "ping" reconnaissance probing
- Transport Layer: stealth port scanning (e.g. SYN-ACK & FIN); SYN flood attacks
- Application Layer: FTP bounce attack (port scanning); vulnerability exploitation (e.g. Blaster worm)

Snort
- Open-source network-based IDS.
- One of the most popular NIDS because it is free and highly customizable.
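As an added illustration of the signature-based alerting described above (not Snort's own code, which is written in C), the following cut-down Python matcher parses two constructed rules in Snort syntax and cross-references constructed packets against them; `HOME_NET_PREFIX`, the rules and the packets are all assumptions of this example.

```python
import re
from collections import namedtuple

HOME_NET_PREFIX = "10.0.0."  # constructed stand-in for Snort's $HOME_NET variable (10.0.0.0/24)
Packet = namedtuple("Packet", "proto src sport dst dport payload", defaults=[b""])  # decoded packet fields
Rule = namedtuple("Rule", "action proto src sport dst dport options")  # one parsed Snort-style signature
RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")

def parse_rule(text: str) -> Rule:
    """Parse 'action proto src sport -> dst dport (opt:val; ...)'; options split on ';' (none inside content)."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    action, proto, src, sport, dst, dport, opts = m.groups()
    options = {}
    for opt in filter(None, (o.strip() for o in opts.split(";"))):
        key, _, val = opt.partition(":")
        options[key.strip()] = val.strip().strip('"')
    return Rule(action, proto.lower(), src, sport, dst, dport, options)

def _addr_ok(spec: str, addr: str) -> bool:
    home = addr.startswith(HOME_NET_PREFIX)
    return (spec == "any" or spec == addr or (spec == "$HOME_NET" and home)
            or (spec == "$EXTERNAL_NET" and not home))

def _port_ok(spec: str, port) -> bool:
    return spec == "any" or (port is not None and spec == str(port))

def matches(rule: Rule, pkt: Packet) -> bool:
    """Header fields must match; then 'content' (plain text only, no |hex|/nocase) must occur in the payload."""
    header_ok = (rule.proto == pkt.proto and _addr_ok(rule.src, pkt.src) and _port_ok(rule.sport, pkt.sport)
                 and _addr_ok(rule.dst, pkt.dst) and _port_ok(rule.dport, pkt.dport))
    content = rule.options.get("content")
    return header_ok and (content is None or content.encode() in pkt.payload)

def scan(rules, packets):
    """Cross-reference every packet against every signature; each hit is one (sid, msg) alert."""
    return [(r.options.get("sid"), r.options.get("msg")) for p in packets for r in rules if matches(r, p)]

# Constructed rules (Snort syntax, local sids >= 1000000) and constructed sample traffic.
RULES = [parse_rule(r) for r in (
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING"; sid:1000001;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER root"; content:"USER root"; sid:1000002;)',
)]
PACKETS = [
    Packet("icmp", "192.0.2.7", None, "10.0.0.5", None),
    Packet("tcp", "192.0.2.7", 40000, "10.0.0.5", 21, b"USER root\r\n"),
    Packet("tcp", "10.0.0.9", 40001, "10.0.0.5", 21, b"USER root\r\n"),      # internal source: no alert
    Packet("tcp", "192.0.2.7", 40002, "10.0.0.5", 80, b"GET / HTTP/1.0\r\n"),  # port 80, not 21: no alert
]
```

`scan(RULES, PACKETS)` yields exactly two alerts, one per rule, showing how the header check alone silences the same payload from an internal host or on another port.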
- A complete installation of Snort makes use of other software packages:
  - MySQL provides a database server to store Snort logs.
  - ACID (Analysis Control for Intrusion Database) is an output module that uses the Apache web server to display Snort analysis data.

Snort Components

ACID Web Interface

Host-Based IDS (HIDS)
- An application installed on the system being monitored.
- Analyzes system logs or activity to detect intrusions.
- Advantages over NIDS:
  - The actual results of an attack are recorded after the packets have left the network.
  - Less reliant on signatures and can catch unknown attacks.
  - Analyzes traffic after decryption.
- Disadvantages:
  - Cannot guarantee the integrity of log files if they reside on the compromised system.
  - Reactive: alerts when a breach has already occurred.
  - Can substantially degrade performance on the monitored system.

HIDS Logging
- System and application attributes are monitored for potential indicators of malicious activity.
- Computer misuse can be defined as:
  - Data modification, deletion, or access
  - System modification
  - Program execution
  - Privilege escalation (i.e. root or system access)
  - Program installations (i.e. Trojan horse programs)
  - Avoidance of detection by modifying files to cover the intruder's tracks
- Useful logs are available with UNIX/Linux & Windows.
- Router logging is useful when IP spoofing events occur. Cisco routers can be configured to send log events to a remote syslog server for analysis.
- Other useful log files: firewalls, web servers, FTP servers, etc.

UNIX/Linux & Windows Log Files
UNIX/Linux:
- File types: simple plaintext, binary (i.e. TCP-Dump), and database files
- wtmp: logs all logins, logouts, system startups and shutdowns.
- lastlog: list of the most recent successful or unsuccessful logins for each user.
- syslog: extensive log of system and application information; the syslog daemon can run with the -r option to accept logs from other systems. (It is best to encrypt the log files while in transit over the network.)
Windows:
- Logs are kept in the Application, Security, and System message repositories:
  - System and user-level logon events
  - Account management
  - Directory service access
  - Object access
  - Audit policy changes
  - Privilege usage
  - Process tracking
  - System events

Tripwire
- Target-based host monitoring system.
- Popular for its relative ease of deployment.
- Freely available for UNIX-based systems.
- Creates a database of message digests (i.e. one-way hashes) for the files or directories it is configured to monitor.
- Recalculates every message digest at a preset interval (usually daily).
- An alert is generated if a calculated digest differs from the database.

Tripwire Challenges
- Protection of the database, configuration, and policy files. Current versions of Tripwire encrypt these files, and a passphrase is required if changes need to be made to any of them. Plaintext versions of the configuration and policy files are available for making modifications, but should be deleted after implementing those changes.
- Frequent software patches = frequent database updates.
- Initial setup requires a manual configuration of the entire policy file.

Tripwire Report Example

Conclusion
- Network and host-based intrusion detection systems provide a significant level of accountability and damage prevention or mitigation.
- Snort is a network-based intrusion detection system that performs network analysis packet by packet to identify malicious activity based on previously designed rule sets.
- Tripwire is a host-based intrusion detection system that can alert administrators to successful intrusions by discovering modifications of system files.
- With proper preparation, implementing Snort and Tripwire in a particular computing environment provides a complete intrusion detection solution by analyzing both successful and unsuccessful intrusion attempts over any network topology.
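The baseline, recalculate and compare cycle described under Tripwire above, as an added Python example that is not Tripwire's own code: it digests a constructed directory tree, simulates the kinds of change a scheduled check is meant to catch, and reports added, removed and modified files; SHA-256 and the file names are this example's choices.

```python
import hashlib
import tempfile
from pathlib import Path

def digest(path: Path) -> str:
    """Message digest of one file (SHA-256 here), read in chunks so large binaries fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """The 'database': one digest per regular file under root, keyed by its relative path."""
    return {p.relative_to(root).as_posix(): digest(p) for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline: dict, current: dict) -> dict:
    """Recalculate-and-diff step: anything added, removed, or whose digest changed is reported."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k]),
    }

def demo() -> dict:
    """Constructed monitored tree: baseline it, change it, then run the periodic check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {  # constructed file contents, not real system files
            "etc/hosts": b"127.0.0.1 localhost\n",
            "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
            "bin/login": b"\x7fELF constructed binary\n",
        }
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        baseline = build_baseline(root)  # real Tripwire keeps this database signed/encrypted
        # Changes between two scheduled checks: a replaced binary, a deleted file, an unexpected new file.
        (root / "bin/login").write_bytes(b"\x7fELF replaced binary\n")  # modified
        (root / "etc/hosts").unlink()                                    # removed
        (root / "var").mkdir()
        (root / "var/newfile").write_bytes(b"unexpected\n")              # added
        return compare(baseline, build_baseline(root))

if __name__ == "__main__":
    print(demo())
```

Because the baseline dictionary is held in memory here, the example sidesteps the challenge noted above: on a real host the database itself must be protected, or an intruder who can alter files can also alter the digests they are compared against.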