Intrusion Detection/Prevention Systems
Charles Poff, Bearing Point
Intrusion Detection Systems
• Intrusion Detection System (IDS)
  – Passive
  – Hardware/software based
  – Uses attack signatures
  – Configuration
    • SPAN/mirror ports
    • Generates alerts (email, pager)
    • After-the-fact response
Intrusion Prevention Systems
• Intrusion Prevention System (IPS)
  – Also called Network Defense Systems (NDS)
  – Inline & active
  – Hardware/software based
  – Uses attack signatures
  – Configuration
    • Inline, with fail-over features
    • Generates alerts (email, pager)
    • Real-time response
IDS vs. IPS
• IPS evolved from IDS
• Need to stop attacks in real time
• After-the-fact detection of attacks has lesser value
• IDS is cheaper
  – Several open source IDS/IPS
  – Software based
• IPS = EXPENSIVE
  – Hardware based (ASIC & FPGA)
Detection Capabilities
• Signatures
  – Based on current exploits (worms, viruses)
  – Detect malware, spyware and other malicious programs
  – Bad traffic detection, traffic normalization
• Anomaly Detection
  – Analyzes TCP/IP parameters
    • Normalization
    • Fragmentation/reassembly
    • Header & checksum problems
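The "header & checksum problems" bullet is the part of anomaly detection that needs no signature at all: a sensor simply checks whether the IPv4 header is internally consistent. The following is an added example (not code from the slides or from any product named on them) showing such a normalization check. The helper build_ipv4 exists only to construct test packets, including deliberately malformed ones; the addresses, identification value and payloads are made up.

```python
"""IPv4 header normalization checks (version, IHL, total length, TTL, checksum).
Added example, not from the slides; build_ipv4 only constructs test packets."""
import ipaddress
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum of 16-bit words; caller zeroes the checksum field first."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(payload: bytes, ttl: int = 64, proto: int = 6,
               src: str = "10.0.0.1", dst: str = "10.0.0.2",
               total_len=None, checksum=None) -> bytes:
    """Minimal 20-byte IPv4 header + payload (constructed test data).
    total_len / checksum may be overridden to build deliberately malformed packets."""
    if total_len is None:
        total_len = 20 + len(payload)
    header = bytearray(struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | 5, 0, total_len, 0x1234, 0, ttl, proto, 0,
        ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed))
    if checksum is None:
        checksum = ipv4_checksum(bytes(header))
    header[10:12] = struct.pack("!H", checksum)
    return bytes(header) + payload


def check_ipv4(packet: bytes) -> list:
    """Return the anomalies found in the header; an empty list means it normalizes cleanly."""
    problems = []
    if len(packet) < 20:
        return ["truncated: fewer than 20 bytes"]
    ver_ihl, _tos, total_len, _ident, _frag, ttl, _proto, hdr_sum = \
        struct.unpack("!BBHHHBBH", packet[:12])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        problems.append(f"version {version} != 4")
    if ihl < 5:
        problems.append(f"IHL {ihl} < 5 (header shorter than minimum)")
        return problems                      # remaining fields cannot be trusted
    hlen = ihl * 4
    if len(packet) < hlen:
        problems.append(f"truncated: IHL claims {hlen} bytes, got {len(packet)}")
        return problems
    if total_len < hlen:
        problems.append(f"total length {total_len} smaller than header length {hlen}")
    if total_len > len(packet):
        problems.append(f"total length {total_len} exceeds captured {len(packet)} bytes")
    if ttl == 0:
        problems.append("TTL 0")
    header = bytearray(packet[:hlen])
    header[10:12] = b"\x00\x00"              # checksum is defined over the header with its own field zeroed
    if ipv4_checksum(bytes(header)) != hdr_sum:
        problems.append("bad header checksum")
    return problems


if __name__ == "__main__":
    good = build_ipv4(b"hello")
    print("good:", check_ipv4(good))
    flipped = bytearray(good)
    flipped[8] ^= 1                          # corrupt TTL without fixing the checksum
    print("flipped TTL:", check_ipv4(bytes(flipped)))
    print("length lie:", check_ipv4(build_ipv4(b"hello", total_len=200)))
```

A packet whose total length claims more bytes than were captured, or whose checksum no longer matches its contents, is exactly the kind of input that a normalizing sensor either drops or repairs before handing it to the signature engine.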
Evasion Techniques
• Encryption
  – IPSec, SSH, Blowfish, SSL, etc.
    • Placement of IPS sensors is crucial
    • Leads to architectural problems
    • False sense of security
  – Encryption key exchange
    • IPS sensors can “usually” detect/see encryption key exchanges
    • IPS sensors can “usually” detect unknown protocols
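The point of the last two bullets is that a sensor blind to encrypted payload can still see the handshake that sets the session up, or at least notice that a flow speaks no protocol it recognizes. The following added example (not from the slides or any named product) classifies the first bytes of a TCP stream that way; build_client_hello only constructs a well-formed TLS ClientHello for testing, and all sample streams are made up.

```python
"""Classify the opening bytes of a TCP stream: TLS handshake, SSH banner,
cleartext HTTP, or unknown. Added example, not from the slides."""
import struct

TLS_CONTENT_HANDSHAKE = 0x16
TLS_HS_CLIENT_HELLO = 0x01


def build_client_hello(version=(3, 3), ciphers=(0x1301, 0xC02F)) -> bytes:
    """Construct a minimal TLS ClientHello record (test data only)."""
    body = struct.pack("!BB", *version) + bytes(32)          # client version + all-zero random (test only)
    body += b"\x00"                                          # empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                      # one compression method: null
    hs = struct.pack("!B", TLS_HS_CLIENT_HELLO) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", TLS_CONTENT_HANDSHAKE, 3, 1, len(hs)) + hs


def classify_stream(first_bytes: bytes) -> str:
    """Name what the first bytes of a stream look like; the sensor sees this even
    when everything after the key exchange is opaque to it."""
    if first_bytes.startswith(b"SSH-"):
        return "ssh-banner"
    if (len(first_bytes) >= 6 and first_bytes[0] == TLS_CONTENT_HANDSHAKE
            and first_bytes[1] == 0x03):
        rec_len = struct.unpack("!H", first_bytes[3:5])[0]
        if rec_len + 5 > len(first_bytes):
            return "tls-handshake-truncated"
        hs_type = first_bytes[5]
        if hs_type == TLS_HS_CLIENT_HELLO and len(first_bytes) >= 11:
            major, minor = first_bytes[9], first_bytes[10]   # client_version inside the ClientHello
            return f"tls-client-hello v{major}.{minor}"
        return f"tls-handshake type {hs_type}"
    if first_bytes.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT"):
        return "http-cleartext"
    return "unknown"


if __name__ == "__main__":
    for sample in (build_client_hello(), b"SSH-2.0-OpenSSH_9.6\r\n",
                   b"GET / HTTP/1.1\r\n", b"\x00\x01\x02\x03\x04\x05"):
        print(classify_stream(sample))
```

A flow that lands in the "unknown" bucket on a port where the sensor expects a known protocol is worth an alert on its own, which is the defensive value the slide is pointing at.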
Evasion Techniques (cont.)
• Packet Fragmentation
  – Reassembly
    • 1.) out-of-order arrival, 2.) storage of fragments (DoS)
  – Overlapping
    • Different-size packets arrive out of order and in overlapping positions
    • Newly arrived packets can overwrite older data
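Both fragmentation problems on this slide are visible in a small reassembler: fragments arrive out of order and must be buffered (so storage needs a bound), and two fragments may cover the same bytes with different content, where the answer depends on whether older or newer data wins. The following is an added example, not from the slides or any named product; the Fragment and Reassembler types, the 64-fragment bound and the sample fragments are all constructed here.

```python
"""Fragment reassembly with a storage bound and conflicting-overlap detection.
Added example, not from the slides; types, bound and samples are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional

MAX_FRAGMENTS_PER_DATAGRAM = 64   # assumed bound: a flood of tiny fragments must not exhaust memory


@dataclass
class Fragment:
    offset: int        # byte offset of this piece within the original datagram
    data: bytes
    last: bool         # True for the tail fragment (MF bit clear in the IPv4 header)


@dataclass
class Reassembler:
    frags: List[Fragment] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)
    total_len: Optional[int] = None

    def add(self, frag: Fragment) -> None:
        if len(self.frags) >= MAX_FRAGMENTS_PER_DATAGRAM:
            self.alerts.append("fragment storage limit reached; datagram dropped")
            self.frags.clear()
            self.total_len = None
            return
        for old in self.frags:
            lo = max(old.offset, frag.offset)
            hi = min(old.offset + len(old.data), frag.offset + len(frag.data))
            if lo < hi:                      # byte ranges overlap
                if old.data[lo - old.offset:hi - old.offset] != frag.data[lo - frag.offset:hi - frag.offset]:
                    self.alerts.append(f"overlapping fragment [{lo},{hi}) carries conflicting data")
                # an identical overlap is an ordinary retransmission: no alert
        if frag.last:
            self.total_len = frag.offset + len(frag.data)
        self.frags.append(frag)

    def reassemble(self, policy: str = "first") -> Optional[bytes]:
        """Return the datagram once every byte is covered, else None.
        policy 'first' keeps the bytes that arrived first; 'last' lets a newer
        fragment overwrite older data (the slide's last bullet). A sensor using a
        different policy than the protected host sees a different datagram."""
        if self.total_len is None:
            return None
        buf = bytearray(self.total_len)
        covered = bytearray(self.total_len)
        order = self.frags if policy == "last" else reversed(self.frags)
        for f in order:
            end = f.offset + len(f.data)
            if end > self.total_len:
                continue                     # beyond the tail fragment: cannot be placed
            buf[f.offset:end] = f.data
            covered[f.offset:end] = b"\x01" * len(f.data)
        return bytes(buf) if all(covered) else None


def demo():
    """Constructed scenario: tail arrives first, then the head, then an overlap."""
    r = Reassembler()
    r.add(Fragment(8, b"ex.html ", last=True))       # out of order: tail first
    r.add(Fragment(0, b"GET /ind", last=False))
    clean = r.reassemble()
    r.add(Fragment(4, b"/adm", last=False))          # overlaps bytes 4..8 with different content
    return clean, r.reassemble("first"), r.reassemble("last"), r.alerts


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The two reassembly results after the overlapping fragment differ, which is why a sensor that does not alert on conflicting overlaps, and does not model the policy of the hosts behind it, can be shown one datagram while the host processes another.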
Evasion Techniques (cont.)
• Zero-day exploits (XSS, SQL injection)
  – Not caught by signatures
  – Not detected by normalization triggers
  – Specific to custom applications/DBs
• Social engineering
  – Verbal communication
  – Malicious access via legitimate credentials
• Poor configuration management
  – Mis-configurations allow simple access that is not detected
  – Increases attack vectors
Vendors
• Open Source
  – SNORT (IDS/IPS) – my favorite
  – Prelude (IDS)
  – Honeynet (honey pot/IDS)
• Commercial
  – TippingPoint
  – Internet Security Systems
  – Juniper
  – Radware
  – Mirage Networks
Tools of the Trade
• Fuzzers – SPIKE, WebScarab, ADMmutate, ISIC, Burp Suite
• Scanners – Nessus, NMAP, Nikto, Whisker
• Fragmentation – ADMmutate, Fragrouter, ettercap, dSniff
• Sniffers – ethereal, dSniff, ettercap, TCPDump
• Web Sites
  – www.thc.org
  – packetstormsecurity.nl
  – www.packetfactory.net
Future of IDS/IPS
• Many security appliances consolidated into ONE
  – IDS/IPS, SPAM, AV, content filtering
• IDS will continue to lose market share
• IPS, including malware, spyware and AV protection, is gaining market share
• Security awareness is increasing
• Attacks are getting more sophisticated
  – Worms, XSS, SQL injection, etc.
Your Organization
• What’s protecting your organization?
• Future plans?
• Products and vendors?
• Evolution of security infrastructure
Questions
• Questions & comments