Network Intrusion Detection Systems (NIDS)
IDS Definitions
An IDS is any combination of hardware & software that
monitors a system or network for malicious activity.
Examples of IDSs in real life
◦ Car alarms
◦ Fire detectors
◦ House alarms
◦ Surveillance systems
Defined by ICSA as:
◦ The detection of intrusions or intrusion attempts, either manually or via
software expert systems that operate on logs or other information available
from the system or the network.
An intrusion is a deliberate, unauthorized attempt to access or manipulate
information or systems, or to render them unreliable or unusable.
When the suspicious activity comes from your own internal network it can
also be classified as misuse.
Another definition:
◦ Detecting inappropriate, incorrect, or anomalous activity
◦ Misuse detection != intrusion detection
The Puzzle
Intrusion Detection Systems are only one piece of the whole security puzzle
An IDS must be supplemented by other security and protection mechanisms
They are a very important part of your security architecture but do not
solve all your problems
Part of “Defense in depth”
Why IDS?
Can be detected:
◦ Mapping
◦ Port scans (tens of thousands of packets)
◦ TCP stack scans (hundreds of thousands of packets)
Identify any of the following types of intrusion:
◦ Input validation errors
◦ Buffer overflow
◦ Boundary conditions
◦ Access validation errors
◦ Exceptional condition handling errors
◦ Environmental errors
◦ Race conditions
Many organizations deploy IDS systems
Provide warnings to the network administrator
◦ The administrator can then improve the network's security
◦ Vigorous investigation could lead to the attackers
Typical responses to an attack include the following:
◦ Terminating the session (TCP resets)
◦ Blocking offending traffic (usually implemented with ACLs)
◦ Creating session log files
◦ Dropping the packet
WHY DO I NEED AN IDS, I HAVE A FIREWALL?
An IDS is a dedicated assistant used to monitor the rest of the security
infrastructure.
Today's security infrastructures are becoming extremely complex: they
include firewalls, identification and authentication systems, access control
products, virtual private networks, encryption products, virus scanners, and
more.
All of these tools perform functions essential to system security. Given
their role they are also prime targets, and being managed by humans they are
prone to errors.
Failure of any one of the above components of your security infrastructure
jeopardizes the systems they are supposed to protect.
WHY DO I NEED AN IDS, I HAVE A FIREWALL?
Not all traffic may go through a firewall, e.g. a modem on a user's computer
Not all threats originate from outside.
As networks use more and more encryption, attackers will aim at the location
where data is often stored unencrypted (the internal network)
A firewall does not protect appropriately against application-level
weaknesses and attacks
An IDS protects against misconfiguration or faults in other security
mechanisms
REAL LIFE ANALOGY
It's like security at the airport... You can put up all the fences in the
world and have strict access control, but the biggest threat is all the
PASSENGERS (packets) that you MUST let through!
That's why there are metal detectors to detect what they may be hiding
(packet content).
You have to let them get to the planes (your application) via the gate
(port 80), but without X-rays and metal detectors you can't be sure what
they have under their coats.
Firewalls are really good access control points, but they aren't really good
for, or designed to, prevent intrusions.
That's why most security professionals back their firewalls up with an IDS,
either behind the firewall or at the host.
2. IDS Categories
In-Kernel vs. Userspace
Distributed vs. Atomic
Host-based vs. Network-based
Statistical vs. Signature Detection
Active vs. Passive
Proactive vs. Retroactive
Flat vs. Hierarchical IDS
We consider some basic categories of
intrusion detection mechanisms:
◦ By sensor location:
Network-based Intrusion Detection System (NIDS)
Host-based Intrusion Detection System (HIDS)
◦ By method of detection:
Statistical Detection
Signature Detection
NIDS vs HIDS
IDS sensors
(Figure: IDS sensors placed on the internal network, in the demilitarized
zone next to the web server, DNS server and FTP server, and at the
application gateway firewall facing the Internet. The underlying OS of each
sensor needs to be hardened: stripped of unnecessary network services.)
Network based IDS
Protects an entire network segment
Is usually a passive device on the network
and users are unaware of its existence
Cannot detect malicious code in encrypted
packets
Is cost effective for mass protection
Requires its own sensor for each network
segment
Host-based IDS
Protects a single system.
Consumes system resources, such as CPU and memory, of the host it monitors.
Provides application-level security.
Provides day-one security as a shunt between high- and low-level processes.
Intrusion detection is performed after decryption.
Used on servers and sensitive workstations, but is costly for mass
protection.
Anomaly/Statistical detection
Mostly on a statistical basis
◦ Based on time, frequency, length of session
◦ For example: a person logs on at 03:00 AM and has never done so in the
past; this raises a flag
Detects statistically exceptional events
Learning: watching activity during the ‘normal’ state and storing patterns
(who logs in, what the origin is, when, etc.)
Experience shows that 90% of attacks can be considered protocol usage
anomalies.
Does not require signatures (except what it learns)
We should carefully add knowledge about “normal” activity, such as
RFC-compliant protocol state machines; this needs much work.
A non-RFC-compliant client is not always an attacker: we need flexibility
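The learning-then-scoring scheme described on this slide, as an added example that is not part of the original deck and not the code of any IDS product. It learns each user's normal login hours and source addresses from a constructed training log (the `timestamp user source` record format is an assumption), then flags the 03:00 login the slide uses as its example. The `hour_slack` parameter is the small amount of flexibility the slide asks for: a login one hour off a known hour is not an anomaly.

```python
"""Anomaly (statistical) detection over login records: learn per-user
'normal' profiles from a training window, then flag deviations.
Added illustration; log lines are constructed and the record format
(ISO timestamp, user, source IP) is an assumption."""
from collections import defaultdict
from datetime import datetime

# Constructed training log ("normal" state): timestamp user source
TRAINING_LOG = """\
2024-03-04T08:55:12 alice 10.0.1.15
2024-03-04T09:10:44 bob 10.0.1.22
2024-03-04T13:02:01 alice 10.0.1.15
2024-03-05T08:47:30 alice 10.0.1.15
2024-03-05T17:58:09 bob 10.0.1.22
2024-03-06T09:01:55 alice 10.0.1.15
2024-03-06T12:30:00 bob 10.0.1.22
"""

# Constructed events to score: alice at 03:00 from a new address, bob as usual.
TEST_LOG = """\
2024-03-07T03:00:27 alice 203.0.113.9
2024-03-07T09:05:12 bob 10.0.1.22
"""


def parse(log):
    """Yield (datetime, user, source) per record; assumed three-field format."""
    for line in log.splitlines():
        ts, user, src = line.split()
        yield datetime.fromisoformat(ts), user, src


def learn_profile(log):
    """Learning phase: per user, the set of login hours and source addresses
    observed during the 'normal' training window."""
    profile = defaultdict(lambda: {"hours": set(), "sources": set()})
    for ts, user, src in parse(log):
        profile[user]["hours"].add(ts.hour)
        profile[user]["sources"].add(src)
    return profile


def hour_distance(a, b):
    """Circular distance between two hours of day (23 and 0 are 1 apart)."""
    d = abs(a - b)
    return min(d, 24 - d)


def score(profile, log, hour_slack=1):
    """Detection phase: return (user, timestamp, reasons) for each event that
    deviates from the learned profile. hour_slack tolerates logins within
    +/- hour_slack hours of a known hour so small drift is not flagged."""
    alerts = []
    for ts, user, src in parse(log):
        reasons = []
        p = profile.get(user)
        if p is None:
            reasons.append("unknown user")
        else:
            if not any(hour_distance(ts.hour, h) <= hour_slack for h in p["hours"]):
                reasons.append(f"login at {ts.hour:02d}:00 never seen before")
            if src not in p["sources"]:
                reasons.append(f"new source address {src}")
        if reasons:
            alerts.append((user, ts.isoformat(), reasons))
    return alerts


if __name__ == "__main__":
    for alert in score(learn_profile(TRAINING_LOG), TEST_LOG):
        print(alert)
```

Running the block prints a single alert for alice, with two reasons (never-seen hour and a new source address); bob's 09:05 login from his usual address is within the profile and produces nothing. A real deployment would learn over a much longer window and treat "unknown user" itself as a signal worth investigating.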
Signature-based detection
Sniff traffic on network
◦ border router
◦ within a LAN
◦ multiple sensors
Match attack signatures
◦ attack signatures in database
◦ signature: set of rules pertaining to a typical
intrusion activity
Simple example rule: any ICMP packet > 10,000
bytes
Example: Several thousand SYN packets to different
ports on same host under a second
◦ skilled security engineers research known
attacks; put them in database
◦ can configure IDS to exclude certain
signatures; can modify signature parameters
Warns administrator
◦ send e-mail, SMS
◦ send message to network management system
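The two example rules on this slide (an oversized ICMP packet, and several thousand SYNs to different ports on one host within a second, which is also the port-scan case from the "Why IDS?" slide), as an added example that is not part of the original deck and not the code of any IDS product. Packets are constructed tuples rather than a real capture; the rule signatures, the `disabled` parameter and the thresholds are assumptions chosen to show how signatures are excluded or re-parameterized, as the slide says an administrator can do.

```python
"""Signature-based detection over a constructed packet trace.
Each signature is a (name, rule) pair; a rule sees one packet at a time plus
a private state dict, so stateless rules (packet size) and stateful rules
(sliding-window port counting) share one interface. Added example; the
packet format and thresholds are assumptions."""

# (time_s, proto, src, dst, dport, length, flags) -- constructed trace
TRACE = [
    (0.00, "tcp", "10.0.0.5", "10.0.0.9", 80, 60, "SYN"),
    (0.01, "tcp", "10.0.0.5", "10.0.0.9", 443, 60, "SYN"),
    (0.10, "icmp", "10.0.0.7", "10.0.0.9", None, 12000, ""),  # oversized ping
    (0.50, "icmp", "10.0.0.7", "10.0.0.9", None, 84, ""),     # normal ping
]
# Constructed scan: 2000 SYNs to distinct ports on 10.0.0.9 within 0.4 s.
TRACE += [
    (1.0 + i * 0.0002, "tcp", "198.51.100.4", "10.0.0.9", 1000 + i, 44, "SYN")
    for i in range(2000)
]


def sig_large_icmp(pkt, state, threshold=10_000):
    """Stateless rule from the slide: any ICMP packet larger than threshold bytes."""
    _, proto, _, _, _, length, _ = pkt
    return proto == "icmp" and length > threshold


def sig_syn_scan(pkt, state, min_ports=1000, window=1.0):
    """Stateful rule from the slide: at least min_ports distinct destination
    ports receiving SYNs on the same host within `window` seconds. state keeps
    recent (time, port) pairs per (src, dst) and drops entries older than the
    window; it resets after firing so one burst raises one alert."""
    t, proto, src, dst, dport, _, flags = pkt
    if proto != "tcp" or flags != "SYN":
        return False
    recent = state.setdefault((src, dst), [])
    recent.append((t, dport))
    recent[:] = [(ts, p) for ts, p in recent if t - ts <= window]
    if len({p for _, p in recent}) >= min_ports:
        recent.clear()
        return True
    return False


SIGNATURES = [("icmp-oversize", sig_large_icmp), ("syn-scan", sig_syn_scan)]


def run(trace, signatures=SIGNATURES, disabled=()):
    """Compare every packet with every enabled signature (the per-packet cost
    the limitations slide warns about). Returns (name, time, src, dst) per hit."""
    alerts = []
    state = {name: {} for name, _ in signatures}
    for pkt in trace:
        for name, rule in signatures:
            if name in disabled:
                continue
            if rule(pkt, state[name]):
                alerts.append((name, pkt[0], pkt[2], pkt[3]))
    return alerts


if __name__ == "__main__":
    for alert in run(TRACE):
        print(alert)
```

On the constructed trace this yields one `icmp-oversize` alert and two `syn-scan` alerts (the 2000-SYN burst crosses the 1000-port threshold twice). Excluding a signature is `run(TRACE, disabled=("syn-scan",))`; re-parameterizing one is a matter of wrapping the rule with a different `min_ports` or `threshold`. Note that the SYN rule keys on `(src, dst)`, so a scan spread across many source addresses would slip under it, which is the "blind to what the signature does not describe" limitation of the next slide.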
Limitations to signature
detection
Requires previous knowledge of attack to
generate accurate signature
◦ Blind to unknown attacks
No knowledge of intention of activity
◦ Triggers alarms even if traffic is benign
Signature bases are getting larger
◦ Every packet must be compared with each
signature
◦ IDS can get overwhelmed with processing,
miss packets
Current State of IDS
Lots of people are still using firewall and router logs for intrusion
detection
IDS are not very mature
Mostly signature based
It is a quickly evolving domain
Giant leaps and progress every quarter
As stated by Bruce Schneier in his book ‘Secrets and Lies: Digital Security
in a Networked World’, security is prevention, detection and response:
◦ Prevention
◦ Detection (we are getting to this point today)
◦ Response
WHAT CAN IDS REALISTICALLY DO
◦ Monitor and analyse user and system activities
◦ Audit system and configuration vulnerabilities
◦ Assess the integrity of critical system and data files
◦ Recognize patterns reflecting known attacks
◦ Statistical analysis for abnormal activities
◦ Data trail: tracing activities from the point of entry up to the point of
exit
◦ Installation of decoy servers (honey pots)
◦ Installation of vendor patches (some IDS)
WHAT IDS CANNOT DO
◦ Compensate for weak authentication and identification mechanisms
◦ Investigate attacks without human intervention
◦ Guess the content of your organization's security policy
◦ Compensate for weaknesses in networking protocols, for example IP
spoofing
◦ Compensate for missing integrity or confidentiality protection of
information
◦ Analyze all traffic on a very high-speed network
◦ Deal adequately with attacks at the packet level
◦ Deal adequately with modern network hardware
Intrusion Detection System
Intrusion Prevention System
5. IDS Products
Dragon from Enterasys
◦ [Link]
CISCO Secure IDS
◦ [Link]
Snort
◦ [Link]
ISS Real Secure
◦ [Link]
SHADOW
◦ [Link]
◦ [Link]