Lesson 13 - Intrusion Detection Overview
Define the types of Intrusion Detection Systems (IDS).
Set up an IDS.
Manage an IDS.
Understand intrusion prevention (IPS).
National Central University, Dept. of Information Management, Yi-Ming Chen
Overview
Intrusion detection is a reactive concept that tries to identify a hacker when they attempt a penetration.
Intrusion detection can also assist in the proactive identification of active threats. It provides indications and warnings that a threat is gathering information for an attack.

Overview
Night watchmen and guard dogs are forms of IDS. They serve two purposes: they provide a means of identifying that something bad is happening, while deterring the perpetrator.
Define the Types of Intrusion Detection Systems
There are two primary types of IDS:
Host-based
Network-based

Host-Based IDS
A Host-based Intrusion Detection System (HIDS) resides on a particular host and looks for indications of attacks on that host.
A HIDS is a system of sensors that are loaded onto various servers within an organization. They are controlled by a central manager.
Host-Based IDS
The sensors can:
Look for various types of events.
Take action on the particular server.
Send out a notification.

Host-Based IDS
There are five basic types of HIDS sensors:
Log analyzers
Signature-based sensors
System call analyzers
Application behavior analyzers
File integrity checkers
Host-Based IDS
Log analyzers are reactive in nature: they read logs after the fact and look for events that may indicate a security breach. They are particularly suited to tracking the actions of authorized users.
Signature-based sensors compare incoming traffic to built-in signatures. They are also reactive in nature and may be used to track authorized users.

Host-Based IDS
System call analyzers sit between the OS and the applications and analyze the calls being made. They compare the calls to a database of signatures.
Application behavior analyzers sit between the OS and the applications and examine calls to check whether the application is authorized to make them.
File integrity checkers look for changes in files, typically by comparing checksums or digital signatures against a known-good baseline.
Network-Based IDS
A NIDS resides on a separate system that watches network traffic, looking for indications of attacks that traverse the network.
A NIDS places the Network Interface Card (NIC) on the system into promiscuous mode, so that all traffic on the segment, not only frames addressed to that host, is passed to the NIDS software for analysis.
NIDS are primarily signature-based.

Network-Based IDS
A NIDS has two NICs: one is configured in stealth mode (no IP address, so it cannot be addressed from the network) to monitor the traffic, and the second is used to send alarms to the management console. (See Figure 13-2.)
The advantages of using a NIDS are the following:
It can be hidden on the network.
It can capture the contents of all packets traveling to a target system.
It monitors traffic for a large number of systems.
NIDS Configuration
(Figure slide.)

Network-Based IDS
The disadvantages of using a NIDS are as follows:
It will only alarm if traffic matches a preconfigured rule.
It can miss traffic of interest when bandwidth is high, because the sensor drops packets it cannot process in time.
It cannot determine if an attack was successful.
It cannot examine encrypted traffic.
Switched networks require special configuration.
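The NIDS slides above describe a signature-based sensor and its blind spots, and the intrusion-prevention slides later in the lesson describe the same sensor placed in line so that it can drop traffic. The following is an added example, not code from the lesson, that shows both behaviours on a few constructed packets: rules imitate the shape of a Snort rule (protocol, protected network, port, a content byte string), the packets, addresses and rule ids are made up, and there is no real packet capture. The TLS packet shows why encrypted traffic defeats content matching.

```python
"""Signature-based NIDS matcher, passive and inline.

Added example, not code from the lesson. Rules imitate the shape of a
Snort rule (action, protocol, destination network and port, a content
byte string) and packets are constructed in-line; there is no real
capture. The rule ids, addresses and payloads are made up.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    sid: int               # hypothetical signature id
    msg: str
    proto: str
    dst_net: str           # CIDR of the systems this rule protects
    dport: Optional[int]   # None means any port
    content: bytes         # byte string that must appear in the payload
    action: str = "alert"  # "alert" (passive) or "drop" (only honoured inline)

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto:
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return self.content in pkt.payload


def inspect(rules: List[Rule], packets: List[Packet],
            inline: bool = False) -> Tuple[list, list]:
    """Return (alerts, forwarded).

    inline=False is the passive two-NIC NIDS of the lesson: the sensor only
    watches a copy of the traffic, so every packet is forwarded and matches
    produce alerts. inline=True is the NIDS placed in line as an IPS: a
    matching 'drop' rule stops the packet before it reaches the target.
    """
    alerts, forwarded = [], []
    for pkt in packets:
        dropped = False
        for rule in rules:
            if rule.matches(pkt):
                alerts.append((rule.sid, rule.msg, pkt.src, pkt.dst, pkt.dport))
                if inline and rule.action == "drop":
                    dropped = True
        if not dropped:
            forwarded.append(pkt)
    return alerts, forwarded


RULES = [
    Rule(1000001, "WEB directory traversal attempt", "tcp",
         "192.0.2.0/24", None, b"../../", action="drop"),
    Rule(1000002, "WEB cmd.exe in request", "tcp",
         "192.0.2.0/24", 80, b"cmd.exe", action="drop"),
]

TRAVERSAL = b"GET /../../etc/passwd HTTP/1.1\r\nHost: www\r\n\r\n"

PACKETS = [
    Packet("198.51.100.7", "192.0.2.10", "tcp", 80, TRAVERSAL),
    Packet("198.51.100.7", "192.0.2.10", "tcp", 80,
           b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
    # The same request sent over TLS: the sensor sees only a TLS record of
    # opaque application data (bytes constructed here), so no content match.
    Packet("198.51.100.7", "192.0.2.10", "tcp", 443,
           bytes.fromhex("170303002c9f1e4ab35d7c02e1") + b"\x8a" * 40),
    # Same attack against a host outside the protected range: the rule does
    # not cover it, so the sensor stays silent.
    Packet("198.51.100.7", "203.0.113.5", "tcp", 80, TRAVERSAL),
]


def passive_run() -> Tuple[list, list]:
    return inspect(RULES, PACKETS, inline=False)


def inline_run() -> Tuple[list, list]:
    return inspect(RULES, PACKETS, inline=True)


if __name__ == "__main__":
    for name, (alerts, fwd) in (("passive", passive_run()), ("inline", inline_run())):
        print(f"{name}: {len(alerts)} alert(s), {len(fwd)}/{len(PACKETS)} packets forwarded")
        for a in alerts:
            print("  ", a)
```

In passive mode the traversal packet is reported but still reaches the target, which is why a NIDS cannot tell whether the attack succeeded; in inline mode the same rule drops it, and any false positive in that rule now drops legitimate requests too. A production sensor reassembles TCP streams and decodes the application protocol before matching, but the encrypted packet stays opaque either way unless the sensor is given the keys or sits behind a TLS-terminating proxy.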
Set Up an IDS
The effective use of an IDS must include proper planning and the involvement of executive management.
The steps for creating an IDS implementation are:
1. Define the goals of the IDS.
2. Choose what to monitor.
3. Choose the response.
4. Set thresholds.
5. Implement the policy.

Defining the Goals of the IDS
The goals of the IDS provide the requirements for the IDS policy. Potential goals include the following:
1. Detection of attacks.
2. Prevention of attacks.
3. Detection of policy violations.
4. Enforcement of use policies.
5. Enforcement of connection policies.
6. Collection of evidence.
Choosing What to Monitor
The choice of what an IDS should monitor is governed by the goals of the IDS and the environment in which the IDS will function.
The choice of what an IDS should monitor governs the placement of sensors, as they must be able to see the events of interest. (See Figure 13-3 and Table 13-1.)

Example of Choosing What to Monitor
(Figure slide.)
Choosing What to Monitor
For a network using switches, a NIDS sensor will not function properly if it is just connected to a switch port, because a switch only forwards each frame to the port of its destination host.
Instead, you should use the switch monitoring port (SPAN or mirror port) or a network tap.

Choosing How to Respond
Response choices are governed by the goals of the IDS.
When an event occurs, there are two types of responses:
Passive response: a response that does not directly impede the attacker's actions.
Active response: a response that does directly attempt to impede the attacker's actions.
Passive Response
A passive response is the most common type of action when an intrusion is detected.
Passive responses have a lower probability of causing disruptions to legitimate traffic while being the easiest to implement in a completely automated fashion.

Passive Response
Passive responses include:
Shunning: ignoring the attack.
Logging: gathering basic information.
Additional logging: collecting more information about the event than is normally captured.
Notification: informing an individual about the event.
Active Response
Active responses include:
Termination of connections, sessions, or processes
Network reconfiguration
Deception
An active response to an event allows the quickest possible action to reduce the impact of the event.

Active Response
It can also cause disruption or complete denial of service to legitimate users, for example when a false positive terminates a legitimate session, or when an attacker spoofs a partner's address so that the IDS blocks the partner.
Network reconfiguration may stop the intruder, but can have a negative impact on partners and customers, causing loss of productivity.
See Table 13-2 for examples of responses given an IDS policy.
Setting Thresholds
Thresholds provide protection against false positive indications.
They enhance the overall effectiveness of an IDS policy.
They can be used to filter out accidental events from intentional events.
Thresholds that detect attacks should be set to ignore low-level probes or single information-gathering events and alarm only when the activity repeats or escalates.

Setting Thresholds
Parameters that must be considered in setting thresholds are:
User expertise
Network speed
Expected network connections
Administrator/security officer workload
Sensor sensitivity
Security program effectiveness
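The log-analyzer sensor from the HIDS slides, the passive versus active response choice, and the threshold rule above (ignore a single probe, alarm on repeated activity) fit together in one small detector. The following is an added example, not code from the lesson: it reads sshd-style authentication log lines, counts failed logins per source inside a sliding time window, raises an event only when the count reaches the threshold, and picks the response from policy. The log lines, hostnames and addresses are constructed for the demonstration.

```python
"""Threshold-driven log analyzer with passive and active responses.

Added example, not code from the lesson. It plays the role of the HIDS
log-analyzer sensor: it reads sshd-style authentication log lines, counts
failed logins per source inside a sliding time window, and raises an event
only when the count reaches the threshold, so a single probe is ignored as
the threshold slide recommends. The response is chosen by policy: passive
(notify) or active (block the source). The log lines, hostnames and
addresses are constructed for the demonstration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Tuple

FAILED_LOGIN = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed syslog excerpt: one noisy source, one single probe, one success.
SAMPLE_LOG = """\
Mar 14 10:00:01 web1 sshd[2211]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Mar 14 10:00:03 web1 sshd[2213]: Failed password for invalid user oracle from 198.51.100.23 port 51024 ssh2
Mar 14 10:00:04 web1 sshd[2215]: Accepted publickey for deploy from 203.0.113.40 port 40212 ssh2
Mar 14 10:00:06 web1 sshd[2217]: Failed password for root from 198.51.100.23 port 51030 ssh2
Mar 14 10:00:09 web1 sshd[2219]: Failed password for root from 203.0.113.9 port 39870 ssh2
Mar 14 10:00:10 web1 sshd[2221]: Failed password for root from 198.51.100.23 port 51036 ssh2
Mar 14 10:00:12 web1 sshd[2223]: Failed password for invalid user test from 198.51.100.23 port 51040 ssh2
Mar 14 10:00:15 web1 sshd[2225]: Failed password for root from 198.51.100.23 port 51044 ssh2
""".splitlines()


def parse_failures(lines: List[str]) -> List[Tuple[datetime, str, str]]:
    """Return (timestamp, source address, user) for each failed-login line."""
    out = []
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if m:
            # syslog timestamps carry no year; strptime defaults it, which is
            # fine for window arithmetic within one file.
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            out.append((ts, m.group("src"), m.group("user")))
    return out


def analyze(lines: List[str], threshold: int = 5,
            window: timedelta = timedelta(seconds=60),
            active: bool = False) -> Tuple[list, list]:
    """Return (events, responses).

    An event fires the first time a source accumulates `threshold` failures
    within `window`. A source that trips the threshold is reported once so
    an ongoing attack does not flood the operator.
    """
    recent = defaultdict(deque)   # src -> timestamps inside the window
    alarmed = set()
    events, responses = [], []
    for ts, src, user in parse_failures(lines):
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and src not in alarmed:
            alarmed.add(src)
            events.append({"src": src, "count": len(q),
                           "first": q[0], "last": ts, "last_user": user})
            # Passive: notify a human. Active: hand the address to the host
            # firewall (here only recorded; a real sensor would call it).
            responses.append(("block", src) if active else ("notify", src))
    return events, responses


if __name__ == "__main__":
    for mode in (False, True):
        events, responses = analyze(SAMPLE_LOG, active=mode)
        print("active" if mode else "passive", events, responses)
```

The single failure from 203.0.113.9 never reaches the threshold and produces nothing, which is the filtering the slide asks for; the threshold and window are the knobs that the parameters on the second slide (network speed, expected connections, operator workload) feed into. Note also that the active branch blocks whatever address appears in the log, so a source that can be spoofed or is shared (a NAT gateway, a partner's proxy) is exactly where an active response turns into a denial of service against legitimate users.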
Implementing the System
The actual implementation of the IDS policy must be carefully planned.
There are few easier ways to disrupt a well-managed network than to introduce a badly configured IDS.

Implementing the System
Once the IDS policy has been developed and the initial threshold settings calculated, the IDS should be put into place with the final policy, less any active measures.
The IDS should be monitored closely for some period of time while the thresholds are evaluated; active responses are enabled only after the false-positive rate at those thresholds is understood.
Manage an IDS
Managing an IDS requires that the organization understand the goals of the program. The two management tasks are:
Understand what an IDS can tell you.
Investigate suspicious events.

Understand What an IDS Can Tell You
There are two components to an IDS configuration:
The attack signatures that have been programmed into the system.
Any additional events that the administrator has identified as being of interest.
Understand What an IDS Can Tell You
When the IDS has been properly configured, the four types of events that the IDS will show are:
1. Reconnaissance events
2. Attacks
3. Policy violations
4. Suspicious or unexplained events
See Tables 13-3 to 13-5 for example IDS configurations.

Investigate Suspicious Events
When suspicious activity occurs, any of these four steps can be taken to determine if the activity constitutes an actual or attempted intrusion:
Identify the systems.
Log additional traffic between the source and destination.
Log all traffic from the source.
Log the contents of packets from the source.
Understand Intrusion Prevention
Intrusion prevention involves a proactive rather than reactive approach to IDS.
To prevent an intrusion, the actual attack must be either stopped before it reaches the target system or stopped before the target system can execute the code that exploits the vulnerability.

Configuration for IPS
See Figure 13-5 for IPS placement.
Understand Intrusion Prevention
HIDS sensors such as system call analyzers and application behavior analyzers have the potential to prevent an attack, because they can refuse a call before the OS executes it.
For a NIDS to prevent attacks, the standard configuration must be changed to place the NIDS in line with the traffic, so that it can drop packets rather than only observe a copy of them.
IDS that are proactive can raise the potential for denial of service and cause overall availability issues: a false positive on an inline sensor blocks legitimate traffic, and the sensor itself becomes a point of failure on the path.

Summary
Intrusion detection is a reactive concept that tries to identify a hacker when a penetration is attempted.
A HIDS resides on a particular host and looks for indications of attacks on that host.
A NIDS resides on a separate system that watches network traffic and looks for indications of attacks that traverse the network.
Summary
The effective use of an IDS must include proper planning and the involvement of executive management.
Passive responses have a lower probability of causing disruptions to legitimate traffic while being the easiest to implement in a completely automated fashion.
An active response to an event allows the quickest possible action to reduce the impact of the event.
To prevent an intrusion, the attack must be stopped before it reaches the target system.