IDSIntrusionDetectionSystems.pptVIP

IDS Intrusion Detection Systems CERT definition: A combination of hardware and software that monitors and collects system and network information and analyzes it to determine if an attack or an intrusion has occurred. Some ID Systems can automatically respond to an intrusion. Two Models Anomaly Detection Model database of normal activity search for deviations Misuse Detection Model database of malicious signatures search for matches IDS - What Can It Do? ? Monitor and analyze user/system/network activities ? Audit configuration vulnerabilities ? Assess integrity of critical files ? Recognize patterns of known attacks ? Statistically analyze for abnormal activities ? Respond with warnings and/or actions ? Install decoy servers (honey pots) ? Install vendor patches (some IDS) false positive false negative Two Types of IDS Network-based Intrusion Detection System (NIDS) Host-based Intrusion Detection System (HIDS) ? Searches for patterns in packets, patterns of packets and packets that don’t belong. ? Can log results or communicate via SMTP/SNMP ? Sensors, analyzers and management consoles ? Searches for patterns in logs, processes, and/or memory. ? Can check file integrity (MD5) ? Observe network traffic flow ? HID also called agent ? Reactive sensors might alter router/firewall rules ? More extreme response: throttling, session hijacking Rule-based Appliances Snort Rules alert tcp !/24 any - /24 111\ ( content ... msg ...) log udp any any - /24 1:1024 alert tcp any any - /24 ( flags:SF; msg:”possible SYN FIN scan”) pass icmp any any /24 (itype:0) IDS Disadvantages Network-based Intrusion Detection System (NIDS) Host-based Intrusion Detection System (HIDS) ? Large bandwidth can overwhelm sensor ? Sensor can view network flow, but not its impact upon host(s) ? Encryption ? Cannot see all network traffic ? Processor time ? Log file requirements ? OS vulnerabilities may impact agent An IDS is another tool in the arsenal.