IDS goals
IDS most general goals are:
- Response: capability to recognize an activity as an attack and then take action to block it.
- Accountability: capability to link a given event back to who is responsible.
IDS Architecture: logical components
- Different IDS are characterized by different monitoring and analysis approaches but all can be described in terms of 3 logical components:
- Information sources:
- Network-based.
- Host-based.
- Application-based.
- Analysis component to decide when an event indicates that intrusions are occurring:
- Misuse detection.
- Anomaly detection.
- Response component: determines the set of actions that the system takes once it detects intrusion:
Information sources: Network-based IDS (NIDS)
A NIDS detects attacks by:
- a) capturing;
- b) analyzing network packets of a LAN segment.
NIDS Advantages and Disadvantages
- A single NIDS can monitor a wide subnet.
- The impact on the system is very little, it is a passive device which just listens.
- It is not pervasive.
- It is difficult to process all packets in a busy network.
- It cannot analyze encrypted information.
- It can only discern whether an attack was initiated not if it was successful.
Information sources: Host – based IDS (HIDS)
An HIDS operates on information collected from a single device to analyze activities and determine which processes are involved in a particular attack; it can utilize both system logs and OS audit trails and system variables.
HIDS Advantages and Disadvanteges
- Monitor host local events (reveals attacks not detectable by NIDS).
- Work well even if traffic is encrypted.
- When it works on OS audit trails it can reveal Trojan Horse or other attacks to SW integrity.
- It is harder to manage and must be configured for each different host.
- May be disabled under attack.
- It is not suitable for revealing preamble attacks which usually scan the network.
- It uses the resources of the host, very pervasive.
Information sources: Application -based IDS AIDS Advantages and disadvantages
- Can monitor the interaction between user and application (trace unauthorized activity to individual users).
- At end-point level all data are not encrypted.
- Are more vulnerable than IDS (application logs are not well protected).
- Monitor events at the user-level cannot detect sw tampering intrusion.
- It’s advisable to use it with an HIDS and/or NIDS.
IDS Analysis Component
Misuse (or signature-based) detection: analyze system activity looking for events or sets of events that match a predefined pattern of events that describe a known attack (called signature).
IDS Analysis Component (follows)
Anomaly detection: look for abnormal patterns of activity; to identify unusual behaviour on a host/network, they construct profiles representing normal behaviour of users, host or network connections (statistical and/or historical approach).
IDS Analysis comparison
Misuse detection
- Don’t generate a lot of false alarms.
- It is easy to account the type of attack acting.
- It is possible to detect only Known attacks (signature DB must be continuously updated).
- It is not able to detect little variants.
Anomaly detection
- It is able to detect symtoms of attacks.
- Produces information that can be used to define new signatures.
- Generates a large number of false alarms.
- Requires extensive training set of system event records.
Response Component
Passive Response
- Alarm and notifications.
- SNMP: generate e-mail message with alarms.
After gathering and analyzing events, IDS should generate two kinds of response.
Active Response
- Include automatic actions, for example:
- Collect other info to be sure.
- Block the attacker (close the connection, reconfigure the firewall,..).
- Take action against the attacker (ATT: this could be illegal).
SNORT Architecture
Main Features
- NIDS to monitor small TCP/IP networks and detect a wide variety of suspicious network traffic.
- It has a rules-based traffic collection engine to perform content pattern matching.
- Network.
SNORT Architecture (follows)
- It is especially suited to detect attacks like: buffer overflow, stealth port scans, SMB probes and more.
- furthermore it is very simple to add new rules to detect new form of attacks.
- It has 3 basic action directives when a packet matches a rule: pass, log, alert.
Putting all togheter
Security in many layers
Security in many layers
To guarantee the infrastructure security, we need to enforce different strategies and mechanisms at different architectural levels:
- Network level.
- System level.
- Application level.
- User Level.
Network Security Level
Data and functions need to be protected in different ways and we can enforce proper security policies for both components.
A network infrastructure should be designed including the following subsystems:
- Internet.
- Outer firewall.
- DMZ and public servers.
- Inner firewall.
- Intranet and internal servers.
A secure network design
We need more IDS within the different segments, with different features.
DMZ (demilitarized zone)
- DEF: A DMZ is a network segment that divides the internal network from the external one.
- The components adopted for such separation are FIREWALLS that avoid external attacks and prevent inner data from begin improperly disclosed.
- All services that should be available form the external internet are put in the DMZ, for example:
- WWW, DNS, Mail, Log servers.
Firewalls
- The external firewall controls access to public server by filtering the traffic.
- The external firewall controls access to the intranet and avoids data outcome.
Filtering methods and the Intranet
Address filtering
- analysis of the source address in the IP packet;
- analysis of the destination address in the IP packet;
Service filtering
- analysis of the transport protocol;
- analysis of the port;
- analysis of ACK signals;
Secure intranet
- Internal address should be not visible (use of a private class as 10.x.y.z and a Network Address Translation (NAT) to map internal host address to external addresses.
Security in the other layers
Reasons
- Network security is able to protect data by encrypting all data in the datagrams and cannot provide user-level security.
- It is easier to deploy new Internet services at the higher layers of the stack; application developers introduce in their application many security features.
Example: Oracle Access Controls andDMZ
Example: a reliable three-tiers system
Access Control is only a small piece of security…
How to guarantee Business Continuity in case of system damage?
How to guarantee Data access in case of DB damage?
It is of fundamental importance to define:
- Back up Policy.
- Recovery Strategies.
- Service Level Agreements.