Lecture 12 - IDS and Honey Pots PDF
University of the Fraser Valley
Summary
This document is a lecture on intrusion detection systems (IDS) and honey pots. It covers the different types of IDS, what they do, and how they are deployed, and it explains how an IDS operates and the detection methodologies it uses.
Learning Objectives
- IDS
- Honey pots

IDS
- An IDS gathers and analyses information from within a computer or a network.
- It is also referred to as a packet sniffer: it intercepts packets travelling along various communication media and protocols.
- The packets are analysed after they are captured.
- An IDS evaluates a suspected intrusion once it has taken place and signals an alarm.

How IDS Works
- Monitors the activity of the network and the activity of threats in the network; it is able to detect viruses, malware, spyware and other forms of malicious code and, importantly, it can also locate their restore point.
- An IDS can also work by observing unauthenticated and unauthorized use of different networking programs.

Intrusion Detection Systems
- Detects a violation of its configuration and activates an alarm.
- Many IDSs enable administrators to configure the system to notify them directly of trouble via e-mail or pager.
- Systems can also be configured to notify an external security service organization of a "break-in".

IDS Terminology
- Alert or alarm
- False attack stimulus
- False negative
- False positive
- Site policy
- True attack stimulus
- Noise
- Site policy awareness
- Confidence value
- Alarm filtering

Why Use an IDS?
- Prevent problem behaviors by increasing the perceived risk of discovery and punishment
- Detect attacks and other security violations
- Detect and deal with preambles to attacks
- Document the existing threat to an organization
- Act as quality control for security design and administration, especially of large and complex enterprises
- Provide useful information about intrusions that take place

Ways to Detect an Intrusion
- Signature recognition: also known as misuse detection; it tries to identify events that misuse a system.
- Anomaly detection: detects an intrusion based on fixed behavioural characteristics of the users and components in a computer system.
- Protocol anomaly detection: models are built on TCP/IP protocols using their specifications.

Types of IDS
- Network-based intrusion detection analyzes data packets that travel over the actual network. These packets are examined and sometimes compared with empirical data to verify whether their nature is malicious.
- Host-based intrusion detection collects and analyzes data that originate on a computer that hosts a service, such as a Web server. Once this data is aggregated for a given computer, it can either be analyzed locally or sent to a separate/central analysis machine.

The Drawbacks of HIDS
- It is difficult to analyse intrusion attempts on multiple computers.
- Host intrusion detection systems (HIDS) can be very difficult to maintain in large networks with different operating systems and configurations.
- HIDS can be disabled by attackers after the system is compromised.

Network Intrusion
- Repeated probes of the available services on your machine
- Connections from unusual locations
- Arbitrary data in log files, indicating an attempt to create a denial of service or crash a service
- Repeated login attempts from remote hosts

General Indications of System Intrusions
- Modifications to system software and configuration files
- Gaps in the system accounting
- System crashes or reboots
- Short or incomplete logs
- Missing logs
- Unfamiliar processes
- Unusual graphic displays or text messages

Selecting IDS Approaches and Products
- Technical and policy considerations
  – What is your systems environment?
  – What are your security goals and objectives?
  – What is your existing security policy?
- Organizational requirements and constraints
  – What requirements are levied from outside the organization?
  – What are your organization's resource constraints?

IDS Product Features and Quality
- Is the product sufficiently scalable for your environment?
- What is the user level of expertise targeted by the product?
- How has the product been tested?
- Is the product designed to evolve as the organization grows?
- What are the support provisions for the product?

IDS Control Strategies
- An IDS can be implemented via one of three basic control strategies:
  – Centralized: all IDS control functions are implemented and managed in a central location
  – Fully distributed: all control functions are applied at the physical location of each IDS component
  – Partially distributed: combines the two; while individual agents can still analyze and respond to local threats, they report to a hierarchical central facility to enable the organization to detect widespread attacks

IDS Deployment Overview
- Like decisions regarding control strategies, decisions about where to locate the elements of an intrusion detection system can be an art in itself.
- Planners must select a deployment strategy based on careful analysis of the organization's information security requirements that, at the same time, causes minimal impact.
- NIDS and HIDS can be used in tandem to cover both the individual systems that connect to an organization's networks and the networks themselves.

Deploying Network-Based IDSs
- NIST recommends four locations for NIDS sensors:
  – Location 1: behind each external firewall, in the network DMZ
  – Location 2: outside an external firewall
  – Location 3: on major network backbones
  – Location 4: on critical subnets

Deploying Host-Based IDSs
- Proper implementation of HIDSs can be a painstaking and time-consuming task.
- Deployment begins with implementing the most critical systems first.
- Installation continues until either all systems are installed or the organization reaches the planned degree of coverage it is willing to live with.

Measuring the Effectiveness of IDSs
- IDSs are evaluated using two dominant metrics:
  – Administrators evaluate the number of attacks detected in a known collection of probes.
  – Administrators examine the level of use at which IDSs fail.
- An evaluation of an IDS might read: at 100 Mb/s, the IDS was able to detect 97% of directed attacks.
- Since developing this collection can be tedious, most IDS vendors provide testing mechanisms that verify systems are performing as expected.
- Some of these testing processes enable the administrator to:
  – Record and retransmit packets from a real virus or worm scan
  – Record and retransmit packets from a real virus or worm scan with incomplete TCP/IP session connections (missing SYN packets)
  – Conduct a real virus or worm scan against an invulnerable system

Honey Pots, Honey Nets, and Padded Cell Systems
- Honey pots: decoy systems designed to lure potential attackers away from critical systems and encourage attacks against themselves
- Honey nets: a collection of honey pots connecting several honey pot systems on a subnet
- Honey pots are designed to:
  – Divert the attacker from accessing critical systems
  – Collect information about the attacker's activity
  – Encourage the attacker to stay on the system long enough for administrators to document the event and, perhaps, respond
- Padded cell: a honey pot that has been protected so it cannot be easily compromised
- In addition to attracting attackers with tempting data, a padded cell operates in tandem with a traditional IDS.
- When the IDS detects attackers, it seamlessly transfers them to a special simulated environment where they can cause no harm; the nature of this host environment is what gives the approach the name "padded cell".
- Advantages
  – Attackers can be diverted to targets they cannot damage
  – Administrators have time to decide how to respond to an attacker
  – Attackers' actions can be easily and more extensively monitored, and the records can be used to refine threat models and improve system protections
  – Honey pots may be effective at catching insiders who are snooping around a network
- Disadvantages
  – The legal implications of using such devices are not well defined
  – Honey pots and padded cells have not yet been shown to be generally useful security technologies
  – An expert attacker, once diverted into a decoy system, may become angry and launch a more hostile attack against an organization's systems
  – Administrators and security managers will need a high level of expertise to use these systems

Trap and Trace Systems
- Use a combination of techniques to detect an intrusion and trace it back to its source
- The trap usually consists of a honey pot or padded cell and an alarm
- Legal drawbacks to trap and trace:
  – Enticement: the process of attracting attention to a system by placing tantalizing bits of information in key locations
  – Entrapment: the action of luring an individual into committing a crime to get a conviction
  – Enticement is legal and ethical, whereas entrapment is not

Scanning and Analysis Tools
- Typically used to collect information that an attacker would need to launch a successful attack
- Attack protocol: a series of steps or processes used by an attacker, in a logical sequence, to launch an attack against a target system or network
- Footprinting: the organized research of Internet addresses owned or controlled by a target organization

Tools
- Snort
- KFSensor
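As an added worked example, not part of the lecture slides, the following Python script ties together the "Ways to Detect an Intrusion", "Network Intrusion", "IDS Terminology" and "Measuring the Effectiveness of IDSs" slides: it runs a signature rule and three anomaly rules over a small log, applies alarm filtering by confidence value, and scores the alerts as true/false positives and false negatives against a known set of attacking sources, which is the "known collection of probes" evaluation the slides describe. The log line format, the IP addresses, the trusted address range, the thresholds and the confidence values are all constructed for the illustration and are not from the lecture or from any real product.

```python
"""Toy IDS (added example, not from the lecture): signature recognition and
anomaly detection over constructed log lines, scored with IDS terminology."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log. Assumed line format: "<source_ip> <event> <detail>".
SAMPLE_LOG = """\
10.0.0.5 login_failed user=alice
10.0.0.5 login_failed user=alice
10.0.0.5 login_failed user=alice
10.0.0.5 login_failed user=alice
10.0.0.7 login_ok user=bob
203.0.113.9 connect port=22
203.0.113.9 connect port=23
203.0.113.9 connect port=80
203.0.113.9 connect port=443
10.0.0.7 http_request path=/index.html
10.0.0.7 http_request path=/../../etc/passwd
198.51.100.4 connect port=443
10.0.0.11 login_failed user=dave
10.0.0.11 login_failed user=dave
10.0.0.8 login_ok user=carol
""".splitlines()

# Ground truth (true attack stimuli) for the constructed log: 10.0.0.5 guesses
# passwords, 203.0.113.9 probes services, 10.0.0.7 sends a path-traversal
# request, 10.0.0.11 guesses slowly and stays under the threshold.
# 198.51.100.4 is a legitimate external partner (a false attack stimulus).
ATTACKING_SOURCES = {"10.0.0.5", "203.0.113.9", "10.0.0.7", "10.0.0.11"}
TRUSTED_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

# Signature recognition (misuse detection): known-bad patterns, each with a
# confidence value.
SIGNATURES = [
    ("path_traversal", re.compile(r"http_request path=\S*\.\./"), 0.9),
]

def parse(line):
    source, event, detail = line.split(" ", 2)
    return source, event, detail

def signature_alerts(lines):
    """Match every line against the signature list."""
    alerts = []
    for line in lines:
        source = parse(line)[0]
        for name, pattern, confidence in SIGNATURES:
            if pattern.search(line):
                alerts.append((name, source, confidence))
    return alerts

def anomaly_alerts(lines, login_threshold=4, probe_threshold=4):
    """Anomaly detection on the indications from the 'Network Intrusion'
    slide: repeated login failures, repeated service probes, connections
    from unusual locations. Thresholds and confidences are assumptions."""
    failures, ports, sources = defaultdict(int), defaultdict(set), set()
    for line in lines:
        source, event, detail = parse(line)
        sources.add(source)
        if event == "login_failed":
            failures[source] += 1
        elif event == "connect":
            ports[source].add(detail)
    alerts = []
    alerts += [("repeated_login_failures", s, 0.8)
               for s, n in failures.items() if n >= login_threshold]
    alerts += [("service_probe", s, 0.7)
               for s, seen in ports.items() if len(seen) >= probe_threshold]
    alerts += [("unusual_location", s, 0.4)
               for s in sorted(sources) if ipaddress.ip_address(s) not in TRUSTED_NET]
    return alerts

def filter_alarms(alerts, min_confidence):
    """Alarm filtering: drop alerts whose confidence value is below the
    site's threshold, trading some false negatives against noise."""
    return [a for a in alerts if a[2] >= min_confidence]

def evaluate(alerts, lines, attacking_sources):
    """Score per source: true/false positives, false negatives, true
    negatives, and the detection rate ('97% of directed attacks')."""
    all_sources = {parse(line)[0] for line in lines}
    alerted = {source for _, source, _ in alerts}
    tp = alerted & attacking_sources      # true positives
    fp = alerted - attacking_sources      # false positives (noise)
    fn = attacking_sources - alerted      # false negatives (missed attacks)
    tn = all_sources - alerted - attacking_sources
    return {"tp": len(tp), "fp": len(fp), "fn": len(fn), "tn": len(tn),
            "false_positives": sorted(fp), "false_negatives": sorted(fn),
            "detection_rate": len(tp) / len(attacking_sources)}

def run_ids(lines=SAMPLE_LOG, min_confidence=0.0):
    """Run both detectors, filter by confidence, and score the result."""
    alerts = filter_alarms(signature_alerts(lines) + anomaly_alerts(lines),
                           min_confidence)
    return {"alerts": alerts, "metrics": evaluate(alerts, lines, ATTACKING_SOURCES)}

if __name__ == "__main__":
    for threshold in (0.0, 0.5):
        print(f"min confidence {threshold}:", run_ids(min_confidence=threshold)["metrics"])
```

Running it shows the trade-off behind alarm filtering and site policy awareness: with no confidence threshold, the external partner 198.51.100.4 is reported purely because of its location (a false positive, i.e. noise), and raising the threshold to 0.5 removes that alert without losing any true positive. The slow guesser 10.0.0.11 remains a false negative under either setting, which is exactly the kind of gap that evaluating the IDS against a known collection of probes is meant to surface before tuning the thresholds.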