Post

NetworkSec - Advanced SecDevices - IDSs and IPSs

[toc]


IDSs and IPSs


basic

When attacker launches an attack against a network,

  • intrusion detection system (IDS) and intrusion prevention system (IPS) technologies are often able to recognize the attack and respond appropriately.
  1. Intrusion detection systems (IDSs)
    • passive and not in-band
    • monitor a network and send alerts when they detect suspicious events on a system or network.
  2. Intrusion prevention systems (IPSs)
    • in-band
    • react to attacks in progress, prevent them from reaching systems and networks.
  3. same capability:
    • capture the traffic, analyze it to detect potential attacks or anomalies using similar detection methods.
    • inspect traffic using the same functionality as a protocol analyzer.
    • protect internal private networks, such as private supervisory control and data acquisition (SCADA) networks.
  4. Biggest difference:
    • responses to an attack.
    • See if the analyzed traffic flow through the device:
      • No: IDS
      • Yes: IPS
  5. Detection Methods
    • Signature-Based Detection
    • policy-Based Detection
    • 启发式 anomaly/Heuristic/Behavioral Detection

pic


IDS vs IPS?

  1. IDS, passive role
    • receives a copy of traffic to be analyzed, passive
    • (identify, log and alert)
    • can only detect an attack, cannot prevent attacks.
    • But the initially offending traffic reaches its destination.
  2. IPS, active role
    • resides in-line with the traffic.
    • prevents attacks by detecting them and stopping them before they reach the target.
    • IPS also blocks network traffic
    • can drop the traffic in-line,
    • Can prevent even the first malicious packet from reaching its intended target.

pic

both devices can recognize network attacks, primarily differ in network placement.

  • See if the analyzed traffic flow through the device:

IPS or IDS, dependent the network environments:

  • Example:
    • IDS device
    • can add to a network that already have IPS device, verify the IPS device is still operational.
    • might also identify suspicious traffic, send alerts without having the IPS device drop the traffic.

IPS

IPS software can be installed.

  • dedicated network-based intrusion prevention system (NIPS) sensors
  • Or on a host to provide a host-based intrusion prevention system (HIPS) solution.

Detection Methods

how they detect malicious traffic:

  • Signature / definition based
  • Policy Based Detection
  • Heuristic / behavioral / anomaly based.

whether they run on a network device or on a host.

  • HIDS monitors the network traffic reaching its NIC
  • NIDS monitors the traffic on the network.

Signature-Based Detection

The primary method used to detect and prevent attacks using IDS or IPS technologies.

  • use database of known vulnerabilities or known attack patterns
  • uses signatures to detect known attacks or vulnerabilities.
  • need to update IDS signatures and antivirus definitions from vendor regular.

  • A signature could be a string of bytes, in a certain context, that triggers detection.

However, this is a known attack with a specific pattern of successive SYN packets from one IP to another IP.

  • The IDS can detect these patterns when the signature database includes the attack definitions.
  • The process is very similar to what antivirus software uses to detect malware.

Example:

  • attacks against a web server typically take the form of URLs.
    • Therefore, URLs could be searched for a certain string that would identify an attack against a web server.
  • the IDS or IPS device could search for a pattern in the MIME header of an e-mail message.
    • because signature-based IDS/IPS is based on signatures, the administrator needs to routinely update those signature files.
  • tools for an attacker to launch a SYN flood attack on a server
    • attacker simply entering the IP address of the system to attack.
    • The attack tool then floods the target system with synchronize (SYN) packets,
    • but never completes the three-way Transmission Control Protocol (TCP) handshake with the final ACK packet.
    • it consume resources on a system and ultimately cause it to crash.

Policy-Based Detection:

  • needs a specific declaration of the security policy
  • write a network access policy,
    • identified which networks could communicate with other networks.
    • The IDS/IPS device could then recognize out-of-profile traffic that does not conform to the policy, and then report that activity.

启发式 Heuristic/Behavioral Detection

  1. identifying normal operation / behavior of the network.
    • creating a performance baseline under normal operating conditions.
    • detect attacks based on anomalies or traffic outside expected boundaries.
    • uses algorithms to analyze the traffic passing through the network?
  2. provides continuous monitoring
    • by constantly comparing current network behavior against the baseline.
  3. When detects abnormal activity (outside normal boundaries as identified in the baseline),
    • it gives an alert indicating a potential attack.
    • examine activity and detect abnormal activity is beyond the capability of signature-based detection.
  4. can be effective at discovering zero-day exploits.
    • zero-day vulnerability: unknown to the vendor or know but has not written, tested, and released a patch to close the vulnerability yet.
  5. prone to false positives, because a normal condition is difficult to measurably define.
    • couple of options for detecting anomalies:
      • Statistical anomaly detection
        • watches network-traffic patterns over a period of time
        • and dynamically builds a baseline.
        • If traffic patterns significantly vary from the baseline, an alarm can be triggered.
      • Non-statistical anomaly detection
        • allows an administrator to define what traffic patterns are supposed to look like.
        • could lead to a false positive
          • (an alarm being triggered in the absence of malicious traffic).
    • example:
      • Microsoft released a large service pack for its Windows 7 OS,
      • computers automatically download that service pack.
      • in same time, multiple copies of the service pack simultaneously start to download from www.microsoft.com,
      • the IDS/IPS device might consider that traffic pattern to be significantly outside of the baseline.
      • lead to a false positive
      • an alarm being triggered in the absence of malicious traffic.

both cases, the vulnerability exists and systems are unprotected.

  • If attackers discover the vulnerabilities, they try to exploit them.
  • However, the attack has the potential to create abnormal traffic allowing an anomaly-based system to detect it.
  • Any time administrators make any significant changes to a system or network that cause the normal behavior to change, they should re-create the baseline.
  • the IDS will constantly alert on what is now normal behavior.

Any type of IDS will use various raw data sources to collect information on activity.

  • This includes a wide variety of logs, such as firewall logs, system logs, and application logs.
  • These logs can be analyzed to provide insight on trends.
  • These trends can detect a pattern of attacks and provide insight into how to better protect a network.

Many IDSs have the capability to monitor logs in real time.

  • Each time a system records a log entry,
  • the IDS examines the log to determine if it is an item of interest or not.
  • Other IDSs will periodically poll relevant logs and scan new entries looking for items of interest.

Reporting Based on Rules

IDSs report on events of interest based on rules configured within the IDS.

  • All events aren’t attacks or actual issues, but instead, they provide a report indicating an event might be an alert or an alarm. Administrators investigate to determine if it is valid.

Some systems consider an alarm and an alert as the same thing.

  • Other systems use an alarm for a potentially serious issue
  • an alert as a relatively minor issue.
    • to encourage administrators to give a higher precedence to alarms than alerts.

The actual reporting mechanism varies from system to system and in different organizations.

  • Example:
  • one IDS might write the event into a log as an alarm or alert, and then send an email to an administrator account.
  • In a large network operations center (NOC), the IDS might send an alert to a monitor easily viewable by all personnel in the NOC.
  • The point is that administrators configure the rules within the IDS based on the needs of the organization.

False Positives vs False Negatives

IDSs use advanced analytics to examine traffic, are susceptible to both false positives and false negatives.

  • false positive:
    • an alert or alarm on an event that is nonthreatening, benign, or harmless.
    • increase the workload of administrators.
  • false negative:
    • when an attacker is actively attacking the network, but the system does not detect it.
  • Neither is desirable, but it’s impossible to eliminate both.
  • Most IDSs trigger an alert or alarm when an event exceeds a threshold.

example: SYN Flood Attack

The SYN flood attack is a common denial-of-service (DoS) attack.

  • the attacker sends multiple SYN packets
  • but never completes the third part of the TCP handshake with the last ACK packet,
  • the server keeps answering every SYN packet with a SYN/ACK packet.
  • This leaves the server with open connections that can ultimately disrupt services.
    • Each uncompleted session consumes resources on the server,
    • crash the server.
    • Some servers reserve a certain number of resources for connections, once the attack consumes these resources, the system blocks additional connections.
  • the attack prevents legitimate users from connecting to the server.

IDSs and IPSs can detect a SYN flood attack and IPSs can prevent the attack.

  • many firewalls have SYN flood guard to detect SYN flood attacks and take steps to close the open sessions
  • different than a flood guard on a switch to stop MAC flood attacks.

If a system receives 1 SYN packet without the accompanying ACK packet, is it an attack? Probably not. This can happen during normal operations. If a system receives over 1,000 SYN packets from a single IP address in less than 60 seconds, without the accompanying ACK packet, is it an attack? Absolutely.

Administrators configure rules within the IDS and set the threshold to a number between 1 and 1,000 to indicate an attack.

  • If administrators set it too low, false positives, high workload as they spend their time chasing ghosts.
  • If threshold too high, actual attacks will get through without administrators knowing about them.
  • configure settings based on the analytics and capabilities of the IDS.

Most administrators want to know if their system is under attack. That’s the primary purpose of the IDS.

  • IDS that constantly cries “Wolf!” will be ignored when the real wolf attacks.
  • It’s important to set the threshold high enough to reduce the number of false positives, but low enough to alert on any actual attacks.

Network-Based and Host-Based Solutions

network-based IDS (NIDS), network-based IPS (NIPS),

  • NIPS and HIPS solutions can work in tandem. 串联

  • Network-Based Solutions:
    • prevent a DoS attack or recognize network reconnaissance patterns
  • Host-Based Solutions:
    • focus on the protection of applications and host resources.
  • Example:
    • NIPS solution can inspect traffic flowing through the network
      • but if a host had a SSL connection to a server,
      • and the malicious traffic traveled over the SSL connection?
      • Then, the NIPS hardware is unable to analyze the malicious traffic,
      • because it would be encrypted inside of the SSL connection.
    • However, a HIPS software solution could analyze the malicious traffic after the traffic was decrypted on the host.

the deployment of NIDS, NIPS, and HIPS technologies in the same network.

  • the sensors are strategically deployed at network boundaries
    • (that is, coming into the network from the Internet and going into the DMZ).
  • both NIDS and NIPS devices complement the functions of one another.

  • Additionally, HIPS software is deployed on strategic hosts (the HTTP, DNS, and e-mail hosts in there)

  • The NIDS, NIPS, and HIPS devices can all send any alarms triggered on their respective devices to a management console.

  • Using input from these diverse sources, the management console software might be able to perform event correlation to recognize broader network attack patterns, rather than just examining a single
  • attack against a single device.

.

This post is licensed under CC BY 4.0 by the author.

Comments powered by Disqus.