Distributed IDS
• The implementation of a Distributed Intrusion Detection System over a medium scale open network where the focus is availability of services.
• Darian Jenik - Network Management, Queensland University of Technology
What IDS is:
• IDS is a combination of methods for determining the presence and location of unauthorized activity on the computer network.
• IDS is the detection and reporting of security vulnerabilities.
• IDS is the logging and detection of internal users' "misdemeanors" to limit liability.
What IDS is not:
• IDS is NOT security. For security you need:
  • A good security policy that is both documented and adhered to.
  • Good security practice by system administrators.
  • Hardened perimeter firewalls and "DMZ" firewalls.
• IDS is not a product.
• IDS is not a sensor.
The scale of the problem
• Approximately 10,000 hosts, 100 web servers and 300 "servers" of other types.
• Students
• System Administrators
• IAS
IDS should perform the following tasks
• Detect known violations to host integrity by passively watching network traffic.
• Respond to attempted violations by blocking external IP addresses.
• Respond to probes from outside by blocking external IP addresses.
• Find and report usage inconsistencies that indicate account/quota theft.
• Detect violations by monitoring information (web pages etc.).
• Help log and establish traffic/host usage patterns for future reference and comparison.
Detect known violations to host integrity by passively watching network traffic.
• Just one type of sensor?
• IDS sensors:
  • Gateways – traditionally.
  • Put IDS sensors on hosts to look after the specific services running on those hosts and to detect port scans.
Respond to attempted violations by blocking external IP addresses.
• Make sure the IDS is able to respond and send commands to firewalls and/or hosts.
• IDS sends RST packets to both ends of the connection.
• IDS is able to insert rules into the border firewall.
Respond to probes from outside by blocking external IP addresses.
• Attempts to open ports on servers that are not enabled. (Collate the reports from multiple servers to a single location.)
• Make "flypaper" IP addresses that have never been used for anything; they serve to pick up slow probes.
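The collation step on this slide, as an added example that is not part of the original talk or any Snort add-on: a small Python script that reads a constructed, made-up sensor log format (the hostnames, addresses and thresholds are assumptions), merges the hits every server reported into one record per source address, treats any packet to a flypaper address as a probe, and produces a candidate list for the border firewall with the reason for each entry.

```python
import re
from collections import defaultdict

# Constructed sample sensor output (not any real tool's format): each server logs a
# connection attempt to a port it does not serve, and all lines land on one syslog host.
SAMPLE_LOGS = """\
Mar 12 03:14:01 www1 probe: src=203.0.113.7 dst=192.0.2.10 dport=23
Mar 12 03:14:02 www2 probe: src=203.0.113.7 dst=192.0.2.11 dport=23
Mar 12 03:14:02 mail1 probe: src=203.0.113.7 dst=192.0.2.20 dport=23
Mar 12 03:20:15 www1 probe: src=198.51.100.9 dst=192.0.2.10 dport=21
Mar 12 03:20:16 www1 probe: src=198.51.100.9 dst=192.0.2.10 dport=22
Mar 12 03:20:17 www1 probe: src=198.51.100.9 dst=192.0.2.10 dport=25
Mar 12 04:02:44 flytrap probe: src=203.0.113.200 dst=192.0.2.250 dport=80
Mar 12 04:10:09 www1 probe: src=192.0.2.77 dst=192.0.2.10 dport=8080
"""
# Addresses that have never been used for anything, so any packet to them is a probe.
FLYPAPER = {"192.0.2.250"}
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<sensor>\S+) probe: "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

def parse_probe_line(line):
    """Return the fields of one sensor line, or None if it is not a probe record."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def collate(lines):
    """Merge every server's reports into one record per external source address."""
    by_src = defaultdict(lambda: {"targets": set(), "ports": set(), "flypaper": False})
    for line in lines:
        rec = parse_probe_line(line)
        if rec is None:
            continue  # other syslog traffic, not a probe record
        entry = by_src[rec["src"]]
        entry["targets"].add(rec["dst"])
        entry["ports"].add(int(rec["dport"]))
        entry["flypaper"] |= rec["dst"] in FLYPAPER
    return by_src

def block_candidates(by_src, min_targets=2, min_ports=3):
    """Sources worth handing to the border firewall, each with the reason it was chosen.
    A single stray connection is ignored; a flypaper hit, one port swept across
    several servers, or several ports walked on one server is reported."""
    verdicts = {}
    for src, e in by_src.items():
        if e["flypaper"]:
            verdicts[src] = "flypaper"
        elif len(e["targets"]) >= min_targets:
            verdicts[src] = "horizontal-scan"
        elif len(e["ports"]) >= min_ports:
            verdicts[src] = "vertical-scan"
    return verdicts
```

Run `block_candidates(collate(SAMPLE_LOGS.splitlines()))` to see the three sources that would be reported; the single stray connection from 192.0.2.77 is left alone.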
Find and report usage inconsistencies that indicate account/quota theft.
• Determine that the accounts authorized at the access locations (dial-in/PC) are the same accounts using other services (mail/proxy/other logins).
• Failed login attempts against services.
• Accounts being used simultaneously at various locations.
Detect violations by monitoring information (web pages etc.).
• Graffiti, DNS spoofing, warez repositories.
• Ensure that the monitoring is external as well as internal.
• http://forced.attrition.org/mirror/attrition/
Help log and establish traffic usage patterns for future reference and comparison.
• Central syslog collection and analysis.
• Tripwire
• Nmap database
• Performance and usage analysis.
Open Source
• Just about any platform (including Windows).
• Many plugins and external modules.
• Frequent rules updates.
Snort Plugins
• Databases:
  • MySQL
  • Oracle
  • PostgreSQL
  • unixODBC
• Spade (Statistical Packet Anomaly Detection Engine)
• FlexResp (session response/closing)
• XML output
• TCP streams (stream single-byte reassembly)
Snort Add-ons
• ACID (Analysis Console for Intrusion Databases) – PHP
• Guardian – ipchains rules modifier (Girr – remover)
• SnortSnarf – HTML
• Snortlog – syslog
• "Ruleset retrieve" – automatic rules updater.
• Snorticus – central multi-sensor manager – shell
• LogSnorter – adds syslog information to the Snort SQL database.
• Plus a few Win32 bits and pieces.
ACID + Snort
• ACID is a CERT project.
• Pretty simple PHP3 front end to MySQL.
• Quite customizable.
• Simple GUI for casual browsing.
• SecurityFocus
• Whitehats
• CVE
URLs
• www.snort.org
• http://www.cert.org/kb/acid/
• www.whitehats.com (intrusion signatures data)
• www.securityfocus.com (intrusion signatures data)
• http://cve.mitre.org/ (intrusion signatures data)
• http://www.psionic.com/ (logcheck + hostsentry)