
Network Monitoring


rosalynm

Presentation Transcript


  1. Network Monitoring. Stolen from: Daniel Schatz @virturity

  2. Announcements

  3. Structure of FooCorp Web Services [Diagram labels: Remote client; Internet; FooCorp’s border router; Front-end web server; FooCorp Servers; 2. GET /amazeme.exe?profile=xxx; bin/amazeme -p xxx; 8. 200 OK, output of bin/amazeme]

  4. Network Intrusion Detection

  5. Structure of FooCorp Web Services [Diagram labels: Remote client; Internet; FooCorp’s border router; NIDS (monitor sees a copy of incoming/outgoing HTTP traffic); Front-end web server; FooCorp Servers; 2. GET /amazeme.exe?profile=xxx; bin/amazeme -p xxx; 8. 200 OK, output of bin/amazeme]

  6. Network Intrusion Detection

  7. How They Work: Scalable Network Intrusion Detection Systems [Diagram labels: Tap; High Volume Filter (Is Not BitTorrent?); Load Balancer, H(SIP, DIP); NIDS Node, NIDS Node, NIDS Node. Notes: Do this in OpenFlow: 100 Gbps install at LBNL. Linear Scaling: 10x the money... 10x the bandwidth! 1u gives 1-5 Gbps.]

  8. Inside the NIDS [Diagram labels:
       packet fragments "GET", "HT", "TP", "/fu", "bar/", "1.1..": HTTP Request, URL = /fubar/, Host = ....
       packet fragments "GET", "HTTP", "/b", "az/?id=", "1f413", "1.1...": HTTP Request, URL = /baz/?id=..., ID = 1f413
       "220 mail.domain.target ESMTP Sendmail...": Sendmail, From = someguy@..., To = otherguy@...]

  9. Network Intrusion Detection (NIDS)

  10. Break Random fact about … Scott Shenker

  11. Evasion [Diagram labels: /etc/p; RST; NIDS]

  12. Evasion [Diagram labels: /%65%74%63/%70%61%73%73%77%64; NIDS]

  13. Evasion

  14. Evasion Attacks (High-Level View)

  15. Beware! [Diagram: Sender / Attacker, Firewall, Receiver]
       TTL field in IP header specifies maximum forwarding hop count.
       Assume the Receiver is 20 hops away. Assume firewall is 15 hops away.
       Packets sent (X = packet discarded in transit due to TTL hop count expiring):
         seq=1, TTL=22: r
         seq=1, TTL=16: n (X)
         seq=2, TTL=16: i (X)
         seq=2, TTL=22: o
         seq=3, TTL=16: c (X)
         seq=3, TTL=22: o
         seq=4, TTL=22: t
         seq=4, TTL=16: e (X)
       Receiver's reassembly: ~~~~, r~~~, ro~~, roo~, root
       Firewall's candidate reassemblies: rice? roce? rict? roct? riot? root? rioe? rooe? nice? noce? nict? noct? niot? noot? nioe? nooe?

  16. Network-Based Detection

  17. Host-based Intrusion Detection

  18. Structure of FooCorp Web Services [Diagram labels: Remote client; Internet; FooCorp’s border router; Front-end web server (HIDS instrumentation added inside here); FooCorp Servers; 4. amazeme.exe?profile=xxx; bin/amazeme -p xxx; 6. Output of bin/amazeme sent back]

  19. Host-based Intrusion Detection

  20. Log Analysis

  21. Structure of FooCorp Web Services [Diagram labels: Remote client; Internet; FooCorp’s border router; Front-end web server; FooCorp Servers; Run Nightly Analysis Of Logs Here; bin/amazeme -p xxx]

  22. Log Analysis: Aka "Log It All and let Splunk Sort It Out"

  23. System Call Monitoring (HIDS)

  24. Structure of FooCorp Web Services [Diagram labels: Remote client; Internet; FooCorp’s border router; Front-end web server; FooCorp Servers; Real-time monitoring of system calls accessing files; 5. bin/amazeme -p xxx]

  25. System Call Monitoring (HIDS)

  26. Detection Accuracy

  27. Perfect Detection

  28. Detection Tradeoffs

  29. Base Rate Fallacy

  30. Composing Detectors: There Is No Free Lunch

  31. Styles of Detection: Signature-Based

  32. Signature-Based Detection

  33. Vulnerability Signatures

  34. Styles of Detection: Anomaly-Based

  35. Anomaly Detection Problems

  36. Specification-Based Detection

  37. Styles of Detection: Behavioral

  38. Behavioral-Based Detection

  39. Summary of Evasion Issues

  40. Inside a Modern HIDS (“AV”)

  41. Inside a Modern HIDS

  42. Inside a Modern NIDS

  43. NIDS vs. HIDS

  44. Key Concepts for Detection

  45. Detection vs. Blocking

  46. Can We Build An IPS That Blocks All Attacks?

  47. An Alternative Paradigm

  48. Styles of Detection: Honeypots

  49. Honeypots

  50. Forensics
