Distributed IDS
• The implementation of a Distributed Intrusion Detection System over a medium-scale open network where the focus is the availability of services.
• Darian Jenik - Network Management
Queensland University of Technology
What IDS is:
• IDS is a combination of methods for determining the presence and location of unauthorized activity on the computer network.
• IDS is the detection and reporting of security vulnerabilities.
• IDS is the logging and detection of internal users' “misdemeanours”, to protect against liability.
What IDS is not:
• IDS is NOT security.
• For security you need:
• Good security policy that is both documented and adhered to.
• Good security practice by system administrators.
• Hardened perimeter firewalls and “DMZ” firewalls.
• IDS is not a product.
• IDS is not a sensor.
The scale of the problem
• Approximately 10,000 hosts
• 100 web servers
• 300 “servers” of other types
• Students
• System Administrators
• IAS
IDS should perform the following tasks
• Detect known violations to host integrity by passively watching network traffic.
• Respond to attempted violations by blocking external IP addresses.
• Respond to probes from outside by blocking external IP addresses.
• Find and report usage inconsistencies that indicate account/quota theft.
• Detect violations by monitoring information (web pages, etc.).
• Help log and establish traffic/host usage patterns for future reference and comparison.
Detect known violations to host integrity by passively watching network traffic.
• Just one type of sensor?
• IDS sensors:
• Gateways – traditionally
• Put IDS sensors on hosts to look after specific services running on the hosts and detect port scans.
Respond to attempted violations by blocking external IP addresses.
• Make sure the IDS is able to respond and send commands to firewalls and/or hosts.
• IDS sends RST packets to both ends of the connection.
• IDS is able to insert rules into border firewall.
Respond to probes from outside by blocking external IP addresses.
• Attempts to open ports on servers that are not enabled. (Collate multiple servers to report to single location.)
• Make “flypaper” IP addresses that have never been used for anything; they serve to pick up slow probes.
Find and report usage inconsistencies that indicate account/quota theft.
• Determine that the accounts authorized at the locations (dial in/pc) are the same accounts using other services (mail/proxy/other logins).
• Repeated failed attempts to log in to services.
• Accounts being used simultaneously at various locations.
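The account/quota checks above can be done by correlating login records from the different services at the central syslog collector. The following is an added example, not from the original presentation, that runs that correlation over constructed sample records; the record layout, the 30-minute session window and the failure threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: service, timestamp, account, source IP, outcome.
SAMPLE_LOG = """\
dialin 2001-03-05T08:00:00 jsmith 10.1.1.20 ok
mail   2001-03-05T08:05:00 jsmith 10.1.1.20 ok
proxy  2001-03-05T08:07:00 jsmith 203.0.113.9 ok
mail   2001-03-05T09:00:00 alee 10.1.2.7 ok
mail   2001-03-05T09:01:00 alee 10.1.2.7 fail
mail   2001-03-05T09:02:00 alee 10.1.2.7 fail
mail   2001-03-05T09:03:00 alee 10.1.2.7 fail
"""

SESSION_WINDOW = timedelta(minutes=30)  # assumed: how long a login counts as "active"
FAIL_THRESHOLD = 3                      # assumed: failures per account worth reporting

def parse_log(text):
    records = []
    for line in text.splitlines():
        if line.strip():
            service, ts, account, source, outcome = line.split()
            records.append((service, datetime.fromisoformat(ts), account, source, outcome))
    return records

def simultaneous_locations(records, window=SESSION_WINDOW):
    """Return {account: sources} for accounts logged in from different sources within `window`."""
    by_account = defaultdict(list)
    for service, ts, account, source, outcome in records:
        if outcome == "ok":
            by_account[account].append((ts, source))
    flagged = {}
    for account, logins in by_account.items():
        logins.sort()                       # oldest first, so the inner loop can stop early
        for i, (ts_a, src_a) in enumerate(logins):
            for ts_b, src_b in logins[i + 1:]:
                if ts_b - ts_a > window:
                    break                   # every later login is further away still
                if src_a != src_b:
                    flagged.setdefault(account, set()).update({src_a, src_b})
    return flagged

def failed_logins(records, threshold=FAIL_THRESHOLD):
    """Return {account: failure count} for accounts at or above the threshold."""
    counts = defaultdict(int)
    for service, ts, account, source, outcome in records:
        if outcome == "fail":
            counts[account] += 1
    return {account: n for account, n in counts.items() if n >= threshold}
```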
Detect violations by monitoring information (web pages, etc.).
• Graffiti, DNS spoofing, warez repositories.
• Ensure that the monitoring is external as well as internal.
• http://forced.attrition.org/mirror/attrition/
Help log and establish traffic usage patterns for future reference and comparison.
• Central syslog collecting and analysis.
• Tripwire
• Nmap database
• Performance and Usage analysis.
Snort
• Open Source
• Just about any platform (including Windows)
• Many plugins and external modules.
• Frequent rules updates.
Snort Plugins
• Databases:
• MySQL
• Oracle
• PostgreSQL
• unixODBC
• Spade (Statistical Packet Anomaly Detection engine)
• FlexResp (Session response/closing)
• XML output
• TCP streams (stream single-byte reassembly)
Snort Add-ons
• Acid (Analysis Console for Intrusion Detection) - PHP
• Guardian – IPCHAINS rules modifier. (Girr – remover)
• SnortSnarf - HTML
• Snortlog – syslog
• “Ruleset retrieve” – automatic rules updater.
• Snorticus – central multi-sensor manager – shell
• LogSnorter – adds syslog information to the Snort SQL database.
• + a few win32 bits and pieces.
Acid + Snort
• Acid is a CERT project.
• Pretty simple PHP3 front-end to MySQL.
• Quite customizable.
• Simple GUI for casual browsing.
• Main Console
• Individual alerts
• Securityfocus
• Whitehats
• CVE
• Rule details
• Incident details
Questions ?
URLS
• www.snort.org
• http://www.cert.org/kb/acid/
• www.whitehats.com (Intrusion signatures data)
• www.securityfocus.com (Intrusion signatures data)
• http://cve.mitre.org/ (Intrusion signatures data)
• http://www.psionic.com/ (logcheck + hostsentry)