Document: Intrusion Detection – The Big Picture – Part II (pdf)


Document information

Intrusion Detection - The Big Picture - SANS GIAC © 2000, 2001

Slide 1: Intrusion Detection – The Big Picture – Part II
Stephen Northcutt
This page intentionally left blank.

Slide 2: Introduction
• Introductory Example - Mitnick Attack
• Is There A Business Case For Intrusion Detection?
• What We Will Cover in This Course

OK, after that brief message to your sponsors, let's look at what we plan to cover in the rest of the course.

Slide 3: Intrusion Detection Roadmap (What are the pieces and how they play together)
• Host-Based Intrusion Detection
  – Unix
  – WinNT, Win95, Win98
• Network-Based Intrusion Detection
  – Shadow
  – ISS RealSecure
  – Cisco NetRanger

Before we can understand how intrusion detection fits into the Big Picture, we need to examine it in more detail. We'll look at the differences between host-based and network-based intrusion detection systems, and note their respective strengths and weaknesses. Then we'll see how popular examples of both free and commercial ID implement these concepts.

Slide 4: Intrusion Detection Roadmap (2) (What are the pieces and how they play together)
• Honeypots
• Firewalls
  – Proxy, State Aware, Filtering Routers

After we've examined the active defences of intrusion detection, we'll look back at more passive measures, namely firewalls and honeypots. (Intrusion detection can be called an active defence because if you aren't active in monitoring its output, it's no defense.) ;) We'll look at how intrusion detection systems interact with the different types of firewalls, and how honeypots and ID play together.
Slide 5: Intrusion Detection Roadmap (3) (What are the pieces and how they play together)
• Vulnerability Scanners
• Response, automated and manual
  – Manual Response
  – Emergency Action Plan, 7 Deadly Sins
  – Evidence preservation - Chain of Custody
• Threat Briefing - Know your enemy
  – Ankle Biters
  – Journeyman Hackers / Espionage
  – Cyberwar Scenario

We'll look at vulnerability scanners, and how you can scan your network before the bad guys do it for you, and get a handle on specific risks. Then we'll get into the exciting world of incident response, covering what to do when your intrusion detection systems detect an attack in progress, or one already completed. (Incident response may be exciting, but it's seldom fun when it's for real.) And to round off the section, we'll look at the different types of attacker you might find assailing your network, and finish with a full-blown cyber-wargame.

Slide 6: Intrusion Detection Roadmap (4) (Using What We Have Learned)
• Risk Assessment and Auditing
  – Introduction to Risk Management
  – Knowledge-Based Risk Assessment
  – Online Auditing Tools
• Business Case for Intrusion Detection
  – How All These Capabilities Work Together
• Future Directions
  – Intrusion Detection in the Network
  – Program-Based Intrusion Detection

In our last section, we'll look at risk assessment, and then combine everything we've learned into a revised business case. Finally, we'll glance at some of the trends in intrusion detection, and what the playing field might look like in 6 months or so. (We won't be brave enough to guess further than that.)
Slide 7: Tools
• TCP Wrappers
• Syslog
• Tripwire
• Nuke Nabber
• Tripwire NT
• Firewall-1
• Cisco Router
• ISS RealSecure
• DTK
• Saint
• Nessus

In this course we're going to examine the various types of security tools and look at particular examples of them in some detail. We obviously can't cover all the products out there, as the security industry is growing rapidly, but we will try to cover the best-known and most popular in each category. There is no one product or product suite that solves every problem, so your organization will benefit from your understanding of how these different components work together, and how to mix and match them to provide the level of risk reduction you need. We'll cover both free and commercial tools and we'll show you where to get hold of them (evaluation versions of the commercial tools are normally available) so you can try them yourselves.

Slide 8: Processes
• 7 Steps to Security
• 5 Deadly Management Mistakes
• 6 Steps to Incident Handling
• Chain of Custody
• Knowledge-Based Risk Assessment

After that list of products, to remind you that security is a process, not a product, here are some of the processes we'll cover.

Slide 9: The Hard Questions (Why I wrote this overview course)
• What are the components of a full-court intrusion detection strategy?
  – What do the various components do?
    • Many IDS web sites never state what the infernal things do!
  – How do we implement them?
    • Where do the components fit in the "big picture"?

To summarize the course in a single slide ☺, these are the questions we are trying to answer today.

Slide 10: Introduction
• Introductory Example - Mitnick Attack
• Is There a Business Case for Intrusion Detection?
• What We Will Cover in This Course

Questions?
Any questions before we dive in?

[...]

Slide 11: [...] Network-Based Intrusion Detection
• Host-Based Intrusion Detection
  – Unix
  – Windows NT, 95, 98
• Network-Based Intrusion Detection
  – Shadow
  – ISS RealSecure
  – Cisco NetRanger

In the second and largest section of the course, we'll examine intrusion detection in greater depth. We'll examine and compare host-based and network-based intrusion detection [...]

[...]
• Network-based intrusion detection systems rely on promiscuous mode for their NICs; this is not possible with switched networks (a switch delivers each port only the traffic addressed to it, so a sensor sees nothing unless the switch is configured to mirror traffic to the sensor's port)
• Intrusion detection in the switch is the future direction, not really here yet
• Host-based is one reasonable solution

Slide 15 notes: Promiscuous mode allows the network interface adapter to collect all the packets, not just the ones [...]

[...] throughout the organization, the costs are usually prohibitive for commercial intrusion detection systems. Typical costs range from $50 to $500 per host. This makes the tradeoff ratio around 20 to 200 host intrusion detection systems for the cost of a single network sensor. The other issue influencing the deployment decision is that the more frequently a host is reconfigured, the more false positives the intrusion [...]

[...] course say you need both.

Slide 12: Host-Based Intrusion Detection
Host-based intrusion detection could also be called host-specific intrusion detection, in that its primary purpose is to detect suspicious activity or known attack patterns on the specific host it is installed on. Some host-based intrusion detection systems (HIDS) have a number of host [...]
[...] alerts are raised.

Slide 18 notes: Deployment and the choice of which systems to monitor is the major decision in your host intrusion detection plan. Your core servers, perimeter servers, firewalls, web servers, DNS servers, and mail servers are the obvious first choice for deployment. While it would be desirable to roll out host intrusion detection to all [...]

[...] add -host 24.132.4.83 gw 333.444.555.666"

Slide 29 notes: Psionic Port Sentry combines host intrusion detection with automated response. The first log entry shows Port Sentry detecting an IMAP scan; the second entry shows it adding a "deny all" rule for all traffic from that address; in the last log entry, it "blackholes" that address by ensuring the [...]

[...] service attack on the log server, so it's worth considering having additional measures, such as a single network intrusion detection sensor watching your log server, or having your security management servers behind an internal firewall.

Slide 20: Unix Host-Based Intrusion Detection
• TCP Wrappers
• Syslog
• Tripwire
• CMDS

OK, enough theory, let's [...]

[...] the popular host-based intrusion detection tools. We first look at Unix tools, before doing Windows.

Slide 21: TCP Wrappers
• Where to get it: ftp://coast.cs.purdue.edu/pub/tools/unix/tcp_wrappers/
• What does it do?
[Diagram "Without TCP Wrappers": inetd.conf dispatching TCP port 21 to ftp and port 23 to telnet directly]

With this package you can monitor and filter incoming requests for the [...]
[...] it wakes up the FTP daemon and lets it process the request. If the ACL doesn't allow the connection (based on source IP), the connection is dropped and the event is logged.

Slide 23: Host Deny
• ALL : ALL
• # Deny everything, add back with /etc/hosts.allow

This is the recommended setting for TCP Wrappers' /etc/hosts.deny file (with no access-control entries at all, tcpd allows every connection), a suitably paranoid "deny [...]

[...] being unaware of the spanning port's purpose or the intrusion detection sensor's presence. Of course, the first you know of the problem is when you notice that the sensor isn't reporting any detects. This is a problem with many current intrusion detection systems, namely that they don't see "no traffic" as an error condition worth reporting, but merely fail silently unless connectivity to the management [...]
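The Port Sentry log sequence on slide 29 and the hosts.deny entry on slide 23 describe one chain: detect a scan, write a wrappers block, and let tcpd enforce it. The shell script below is an added example, not code from the course, from PortSentry or from tcp_wrappers. It pulls scanner addresses out of constructed PortSentry-style syslog lines, applies the block, and checks the outcome against a simplified re-implementation of tcpd's access-control evaluation (hosts.allow is consulted first, then hosts.deny, the first matching line wins, and no match at all means allow). The addresses, service names, ACL contents and log lines are all constructed for the example. It also shows a caveat the slides do not spell out: an "ALL : <ip>" line appended to hosts.deny cannot revoke a service that hosts.allow opens to ALL, so a block that must cover every service has to go at the top of hosts.allow with the DENY option from hosts_options(5), or rely on the route-based blackhole.

```shell
#!/bin/sh
# Added example, not code from the SANS course, PortSentry or tcp_wrappers.
# Simulates detect -> respond -> enforce: scanner addresses are taken from
# PortSentry-style log lines, blocked, and checked against a simplified model
# of tcpd's evaluation (hosts.allow first, hosts.deny second, first matching
# line wins, no match means allow). All data below is constructed.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
ALLOW=$WORK/hosts.allow
DENY=$WORK/hosts.deny

# Paranoid baseline from the slide: deny everything, add services back in
# hosts.allow. Anonymous FTP is deliberately open to the world.
reset_acl() {
    printf 'ALL : ALL\n' > "$DENY"
    printf 'sshd : 10.1.2.\nin.ftpd : ALL\n' > "$ALLOW"
}

# Constructed sample syslog lines in PortSentry's "attackalert" style.
LOG='Mar  4 02:11:07 bastion portsentry[412]: attackalert: Connect from host: 24.132.4.83/24.132.4.83 to TCP port: 143
Mar  4 02:11:07 bastion portsentry[412]: attackalert: Host 24.132.4.83 has been blocked via wrappers with string: "ALL: 24.132.4.83"
Mar  4 02:11:07 bastion portsentry[412]: attackalert: Host 24.132.4.83 has been blocked via dropped route using command: "/sbin/route add -host 24.132.4.83 gw 333.444.555.666"
Mar  4 02:12:40 bastion sshd[501]: Accepted publickey for ops from 10.1.2.7 port 51022 ssh2'

# match_item PATTERN NAME: ALL, "10.1.2." prefix, ".example.com" suffix, or exact.
match_item() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac ;;
        .*)  case "$2" in *"$1") return 0 ;; esac ;;
        *)   [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

# list_match "a, b, c" NAME: true if any comma-separated item matches NAME.
list_match() {
    for item in $(printf '%s' "$1" | tr ',' ' '); do
        match_item "$item" "$2" && return 0
    done
    return 1
}

# acl_lookup FILE DAEMON CLIENT: prints the option of the first matching
# "daemons : clients [: ALLOW|DENY]" line ("match" if it has none); fails
# when no line matches.
acl_lookup() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        list_match "$(printf '%s' "$line" | cut -d: -f1)" "$2" || continue
        list_match "$(printf '%s' "$line" | cut -d: -f2)" "$3" || continue
        opt=$(printf '%s' "$line" | cut -d: -f3 | tr -d ' ' | tr 'A-Z' 'a-z')
        echo "${opt:-match}"
        return 0
    done < "$1"
    return 1
}

# tcpd_decision DAEMON CLIENT: prints allow or deny.
tcpd_decision() {
    if opt=$(acl_lookup "$ALLOW" "$1" "$2"); then
        [ "$opt" = deny ] && echo deny || echo allow
    elif opt=$(acl_lookup "$DENY" "$1" "$2"); then
        [ "$opt" = allow ] && echo allow || echo deny
    else
        echo allow
    fi
}

# attackers_from_log: unique source addresses from "Connect from host" alerts.
attackers_from_log() {
    printf '%s\n' "$LOG" |
        sed -n 's/.*attackalert: Connect from host: \([0-9.]*\)\/.*/\1/p' | sort -u
}

# The response the slide describes: append "ALL : <ip>" to hosts.deny.
# Caveat: a service opened to ALL in hosts.allow still admits the address,
# because hosts.allow is checked first.
respond_hosts_deny() {
    printf 'ALL : %s\n' "$1" >> "$DENY"
}

# A response that closes every service: the DENY option at the top of
# hosts.allow. It must be prepended, since the first matching line wins.
respond_hosts_allow_deny() {
    { printf 'ALL : %s : DENY\n' "$1"; cat "$ALLOW"; } > "$ALLOW.new"
    mv "$ALLOW.new" "$ALLOW"
}

# blackhole_route_cmd IP: PortSentry's dead-gateway route, printed, not run.
blackhole_route_cmd() {
    printf '/sbin/route add -host %s gw 333.444.555.666\n' "$1"
}

reset_acl
for ip in $(attackers_from_log); do
    echo "scanner detected: $ip"
    respond_hosts_deny "$ip"
    echo "  in.ftpd after hosts.deny block: $(tcpd_decision in.ftpd "$ip")"
    respond_hosts_allow_deny "$ip"
    echo "  in.ftpd after DENY option in hosts.allow: $(tcpd_decision in.ftpd "$ip")"
    echo "  would run: $(blackhole_route_cmd "$ip")"
done
```

Run it with sh. The route command is printed rather than executed. Real tcpd also matches hostnames, netmasks and the EXCEPT operator, none of which this model implements; to answer the same question against live files, use tcpdmatch(8) from the tcp_wrappers package.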
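The spanning-port failure mode described above, a sensor that stops seeing traffic and fails silently, is easy to catch from the host side. The shell script below is an added example, not from the course: it samples the received-packet counter of the sniffing interface twice and reports it as silent when the counter has not moved, or missing when the interface is gone. The two snapshots are constructed in Linux /proc/net/dev format and the interface names (eth0 as the management port, eth1 as the sniffing port on the span port) are assumptions; live_sensor_state runs the same check against the running kernel.

```shell
#!/bin/sh
# Added example, not part of the SANS course: treat "no traffic" on a sensor's
# sniffing interface as an error condition. The two snapshots are constructed
# in Linux /proc/net/dev format; interface names are assumptions.
set -u

SNAP_T0='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1200      12    0    0    0     0          0         0     1200      12    0    0    0     0       0          0
  eth0:   81920     640    0    0    0     0          0         0    40960     320    0    0    0     0       0          0
  eth1: 5242880    4096    0    0    0     0          0         0        0       0    0    0    0     0       0          0'

# Taken "later": management port eth0 still talks, sniffing port eth1 is frozen.
SNAP_T1='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1300      13    0    0    0     0          0         0     1300      13    0    0    0     0       0          0
  eth0:   98304     768    0    0    0     0          0         0    49152     384    0    0    0     0       0          0
  eth1: 5242880    4096    0    0    0     0          0         0        0       0    0    0    0     0       0          0'

# rx_packets SNAPSHOT IFACE: received-packet counter, empty if IFACE is absent.
# The "name:" token can be glued to the byte count, hence the sub() first.
rx_packets() {
    printf '%s\n' "$1" | awk -v i="$2" '{ sub(/:/, " "); if ($1 == i) print $3 }'
}

# sensor_state SNAP_BEFORE SNAP_AFTER IFACE: prints missing, silent or ok.
# A counter that went down has wrapped, which still means traffic arrived.
sensor_state() {
    before=$(rx_packets "$1" "$3"); after=$(rx_packets "$2" "$3")
    if [ -z "$before" ] || [ -z "$after" ]; then echo missing
    elif [ "$after" -eq "$before" ]; then echo silent
    else echo ok
    fi
}

# live_sensor_state IFACE SECONDS: the same check against the running kernel.
live_sensor_state() {
    s0=$(cat /proc/net/dev); sleep "$2"; s1=$(cat /proc/net/dev)
    sensor_state "$s0" "$s1" "$1"
}

# Demonstration on the constructed snapshots.
for ifc in eth0 eth1; do
    state=$(sensor_state "$SNAP_T0" "$SNAP_T1" "$ifc")
    [ "$state" = ok ] || echo "ALERT: sensor interface $ifc is $state; check the span port"
    echo "$ifc: $state"
done
```

On a quiet segment several silent intervals in a row, not a single one, is the sensible alarm threshold; the function reports one interval so the caller can keep that count. The same idea applies to a sensor's own output: an IDS that has logged nothing for longer than its usual quiet period deserves the same alert.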

Posted: 17/01/2014, 08:20
