Intrusion Detection on a Shoestring Budget

Shane Williams
UT Austin Graduate School of Library and Information Science
Oct. 18, 2000
SANS Network Security 2000
Setting

• Public university department
  – Lean budget
  – Priority on openness
  – Limited technical knowledge
  – Independent faculty
  – Heterogeneous computing environment
Setting

• Implications for security
  – Prime target for crackers
  – Not everyone understands the need for security
  – Policy can be hard to implement
  – Solutions must be:
    • Inexpensive
    • Unobtrusive
Solutions

• Focus on Open Source Software
  – Often cost-free
  – Can run on inexpensive hardware
• Prioritize security activities
  – Prevention
  – Detection
  – Maintenance
  – Only then identify
Prevention

• Verify clean systems, or detection can be subverted
• Identify platform-specific vulnerabilities
  – Patch operating systems
  – Patch server software (www, ftp, etc.)
• Enforce good user practices (especially as regards passwords)
Detection

• Network based
  – Network Flight Recorder (NFR)
    • Academic Research version
  – Snort
  – Tcpdump
• Host based
  – Tripwire
Detection

• Create a watchtower
  – Minimal open ports
    • SSH
    • Only visible from within subnet
  – Used many of the same tools mentioned above
• About $2000 to $2500
  – FreeBSD OS
  – Commodity components
Network Based IDS

• Switched versus shared may cause complications
  – Network IDS needs to see the network
  – Can work in a switched environment, but:
    • Depends on switching equipment
    • Switches are often controlled outside departments
• False positives
Network Flight Recorder

• Created to act as a “black box” for intrusion detection
• Advantages
  – Records all network traffic
  – Alerts on specific signatures
  – Good query tools
  – Remote interface
Network Flight Recorder

• Disadvantages
  – Data collection takes up space
  – Space management feature didn’t always work
  – No longer freely available
Snort

• Created to be a lightweight network IDS
  – Lightweight meaning compact and efficient
  – Not lightweight on performance
• Advantages
  – Small size
  – Easy to install
  – Open source development means continued enhancement
Snort

• Disadvantages
  – Only saves suspect traffic
  – No query features
    • But other developers are working on this
  – Experiencing growing pains
Tcpdump

• Simple but powerful utility for listening to network traffic
• Advantages
  – Can collect packet payload
  – Indispensable in understanding exploits
• Disadvantages
  – Massive data storage requirements
Tripwire

• Host-based IDS that calculates digital signatures of specified files
• Differences between older open source version and newer commercial version
  – Signed files require pass phrase to change
  – Levels of violation
Tripwire

• Advantages
  – Doesn’t depend on network
  – Minimal false positives
  – Can catch local exploits
Tripwire

• Disadvantages
  – Requires careful setup to prevent subversion
  – Databases must be kept up to date
• Best in hierarchical structure
  – Minimizes possibility of tampering
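A toy file-integrity checker in the spirit of the Tripwire slides, added here as an illustration (it is not Tripwire's code): it baselines SHA-256 digests of monitored files, seals the stored database with a passphrase-keyed HMAC so a database edited without the passphrase fails verification (the "signed files require pass phrase to change" point), and reports added, removed and modified files on the next run. File names, contents and the passphrase are constructed for the demo, and deriving the key as SHA-256 of the passphrase is a shortcut for this example only.

```python
import hashlib, hmac, json, os, tempfile
from pathlib import Path

def file_digest(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths):
    """Record digest, size and mode for every monitored file that currently exists."""
    return {str(p): {"sha256": file_digest(p), "size": os.path.getsize(p),
                     "mode": os.stat(p).st_mode} for p in paths if os.path.exists(p)}

def sign_baseline(baseline, passphrase):
    """Serialise the baseline and attach an HMAC so edits made without the passphrase are detected."""
    key = hashlib.sha256(passphrase.encode()).digest()  # toy key derivation for this example only
    body = json.dumps(baseline, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"baseline": body, "hmac": tag})

def load_baseline(signed, passphrase):
    """Verify the HMAC before trusting the stored baseline; raise if it was tampered with."""
    key = hashlib.sha256(passphrase.encode()).digest()
    doc = json.loads(signed)
    tag = hmac.new(key, doc["baseline"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, doc["hmac"]):
        raise ValueError("baseline database failed integrity check")
    return json.loads(doc["baseline"])

def compare(baseline, paths):
    """Report files added, removed or modified since the baseline was taken."""
    current = build_baseline(paths)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p])}

def demo():
    """Constructed scenario: baseline two files, then alter one, delete one and add a third."""
    d = Path(tempfile.mkdtemp())
    a, b, c = (d / n for n in ("inetd.conf", "sshd_config", "extra.so"))
    for p in (a, b):
        p.write_text("baseline contents of %s\n" % p.name)
    stored = sign_baseline(build_baseline([a, b]), "correct horse")
    b.write_text("altered contents\n")  # monitored file modified
    a.unlink()                          # monitored file removed
    c.write_text("new file\n")          # unexpected file appears
    return compare(load_baseline(stored, "correct horse"), [a, b, c]), stored
```

Keeping the signed baseline on a separate, more trusted host (the hierarchical structure the slide recommends) is what stops an intruder from simply rebuilding it after altering files.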
Conclusions

• There are plenty of free tools out there
• Host based better than network based
  – IPv6
  – Encrypted traffic
• Tripwire is a preferred tool
  – Works well now to detect attacks
  – Potential to be enhanced even more
Questions? Comments?
URLs

• Network Flight Recorder
  – http://www.nfr.com/
• Snort
  – http://www.snort.org/
• Tripwire
  – http://www.tripwire.com/
• Updated info
  – http://www.gslis.utexas.edu/~shanew/security.html