Ids (En)
Need of IDS
The second line of defense, after
the firewall
– defense in depth principle
– some attacks cannot be stopped by the firewall (CodeRed, Nimda, etc.)
Need of IDS (cont.)
It detects attacks that cannot be stopped by other security
mechanisms
It offers a view of the attacks that an organization is usually
exposed to
Evaluation tool for the efficiency of the implemented security
mechanisms
It supplies the evidence needed to prosecute the attacker
Terminology
false positive
– normal activities that are detected as attacks
false negative
– undetected malicious activities
“low and slow” attack
“in the wild” attack / virus
“in the zoo” attack / virus
IDS architecture
IDS types
By scope of protection (or by location):
– Network based IDS (NIDS)
– Host-based IDS (HIDS)
– Application level IDS
By detection model:
– Signature based IDS
– Anomaly based IDS
By response to intrusions:
– passive IDS
– active IDS
Network based IDS
Monitors network traffic
– packet capture and analysis
Network sensors that operate in promiscuous mode (capturing
all network packets)
– switched environments (spanning port)
Packet reassembling
– fragmentation, damaged packets, etc.
Attack resistant (hardening)
Network based IDS (cont.)
Advantages:
– high scalability (the whole network could be monitored using
several well positioned sensors)
– it does not affect the performance of the monitored systems
– OS independent
– could operate in stealth mode (invisible to attackers)
Disadvantages:
– it cannot protect the systems against internal users
– could miss packets when the network traffic is high (~Gbps); mitigations:
• using many sensors in parallel
• hardware-based implementation of critical functions (appliances)
– it cannot analyze encrypted traffic (VPN)
– it can detect that an attack was initiated but it cannot tell if it succeeded
Network based IDS (cont.)
Host-based IDS
Monitors events within a computer system
– system logs
– active processes (hacker tools, rootkits)
– file system integrity
Allows attack detection and damage assessment
Host-based IDS (cont.)
Advantages:
– it does not require additional equipment – it is installed on the
monitored systems
– it detects attacks that cannot be detected by a NIDS (e.g. a Trojan horse)
– it works even when network traffic is encrypted
Disadvantages:
– low scalability
– it affects the performance of the monitored systems
– once the system is compromised, the IDS can be deactivated
– it cannot detect network scanning attacks, DoS, etc.
Host-based IDS (cont.)
Application level IDS
Subclass of HIDS
Monitors events within an application
Advantages:
– it can monitor the interaction between the users and the application
Disadvantages:
– generally, application logs are less protected
Signature based IDS
Similar to anti-virus systems
Each known attack has a signature (specific pattern)
– Example: land attack - IP packets with the same source and destination
address
The IDS has a signature database that needs to be updated
regularly
It requires knowledge acquisition for each type of attack to
generate the signature
– knowledge based IDS
The most widely used type of IDS
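As an added illustration (not part of the lecture slides), the Python snippet below shows what a signature rule such as the land example above looks like in code: it decodes the fixed 20-byte IPv4 header of a raw packet with the standard library and tests the result against a small database of signature predicates. The packet bytes, the rule names and the second "loopback source" rule are constructed for this example and are not taken from any real product's signature set.

```python
import ipaddress
import struct


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header (options, if any, are ignored)."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_length, _ident, _flags_frag,
     ttl, protocol, _checksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    return {
        "version": ver_ihl >> 4,
        "ihl": ver_ihl & 0x0F,          # header length in 32-bit words
        "total_length": total_length,
        "ttl": ttl,
        "protocol": protocol,
        "src": ipaddress.IPv4Address(src),
        "dst": ipaddress.IPv4Address(dst),
    }


# Signature database: each entry is a name and a predicate over the parsed header.
# "land" is the rule described on the slide; the loopback rule is a constructed
# second entry so that the matcher has more than one signature to evaluate.
SIGNATURES = {
    "land attack (source == destination)": lambda h: h["src"] == h["dst"],
    "loopback source address on the wire": lambda h: h["src"].is_loopback,
}


def match_signatures(packet: bytes) -> list:
    """Return the names of every signature the packet matches (empty list = no alert)."""
    header = parse_ipv4_header(packet)
    return [name for name, rule in SIGNATURES.items() if rule(header)]


def build_ipv4_header(src: str, dst: str, protocol: int = 6, ttl: int = 64) -> bytes:
    """Constructed test helper: a 20-byte IPv4 header with a zero checksum (not a real packet)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 40, 0x1234, 0x4000, ttl, protocol, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )


# Constructed sample traffic using documentation-only address ranges.
SAMPLE_PACKETS = {
    "normal": build_ipv4_header("192.0.2.10", "198.51.100.5"),
    "land": build_ipv4_header("198.51.100.5", "198.51.100.5"),
    "loopback": build_ipv4_header("127.0.0.1", "198.51.100.5"),
}

if __name__ == "__main__":
    for label, packet in SAMPLE_PACKETS.items():
        print(f"{label:9s} -> {match_signatures(packet) or 'no signature matched'}")
```

Every packet is tested against every entry of the database, which is the reason the slides note that a growing signature database costs performance and pushes vendors toward hardware implementations.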
Signature based IDS (cont.)
Signature based IDS (cont.)
Advantages:
– the IDS's effectiveness depends on how frequently the signature database
is updated
– fewer false positive alarms
– offers detailed information about the attack
Disadvantages:
– it cannot detect new types of attack
– as the signature database grows, the IDS performance decreases
(hence hardware implementations)
Anomaly based IDS
Anomaly = deviation from the normal state
Learning mode – building a profile for the normal state of the
system
– the accuracy of the profile depends on the duration of the learning
process
– during the learning process, there must be no attacks to the system
Detection mode – compare the current state of the system with
the learned normal state
– any deviation from the normal behavior is interpreted as a possible
attack that must be investigated
Statistical analysis of network traffic or user activity to detect
anomalies
– when an anomaly reaches a threshold, an alarm is triggered
– the choice of the threshold value is very important!
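The learning/detection cycle and the threshold trade-off described above, as an added worked example that is not from the slides: a baseline of connections per minute is learned from a clean window, each minute of a detection window is then scored by how many standard deviations it lies above that baseline, and the false positives and false negatives are counted for several thresholds. The counts and the ground-truth labels are constructed, and the z-score is one simple statistical test chosen for illustration, not the method of any particular product.

```python
import statistics

# Constructed learning window: connections per minute while the system was attack-free.
TRAINING_COUNTS = [12, 15, 11, 14, 13, 16, 12, 15, 14, 13, 12, 15, 14, 13, 16, 12]

# Constructed detection window: (connections per minute, is_attack). The label is
# ground truth used only to evaluate the detector, never by the detector itself.
DETECTION_WINDOW = [
    (13, False), (15, False), (19, False), (40, True), (14, False),
    (22, False), (17, True), (55, True), (12, False),
]


def learn_profile(counts):
    """Learning mode: summarise the normal state as mean and standard deviation."""
    profile = {"mean": statistics.mean(counts), "stdev": statistics.pstdev(counts)}
    if profile["stdev"] == 0:
        raise ValueError("learning window has no variance; the profile would flag any change")
    return profile


def deviation(value, profile):
    """How many standard deviations above the learned mean a value lies (z-score)."""
    return (value - profile["mean"]) / profile["stdev"]


def is_anomalous(value, profile, threshold):
    """Detection mode: only excess load is treated as suspicious here (one-sided test)."""
    return deviation(value, profile) > threshold


def evaluate(threshold, profile, window=DETECTION_WINDOW):
    """Count the outcomes of one threshold against the labelled detection window."""
    outcome = {"true_positives": 0, "false_positives": 0,
               "false_negatives": 0, "true_negatives": 0}
    for value, is_attack in window:
        alarm = is_anomalous(value, profile, threshold)
        if alarm and is_attack:
            outcome["true_positives"] += 1
        elif alarm and not is_attack:
            outcome["false_positives"] += 1
        elif not alarm and is_attack:
            outcome["false_negatives"] += 1
        else:
            outcome["true_negatives"] += 1
    return outcome


PROFILE = learn_profile(TRAINING_COUNTS)

if __name__ == "__main__":
    print(f"profile: mean={PROFILE['mean']:.2f} stdev={PROFILE['stdev']:.2f}")
    for threshold in (2.0, 3.0, 6.0):
        print(f"threshold {threshold}: {evaluate(threshold, PROFILE)}")
```

Lowering the threshold catches the small 17-connection attack but at the price of more false positives on ordinary busy minutes, which is exactly why the slide calls the threshold choice very important. It also shows why the learning window must be attack-free: an attack during learning would inflate the mean and standard deviation and hide similar activity later.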
Anomaly based IDS (cont.)
Anomaly based IDS (cont.)
Behavior anomalies
– who connects to the computer systems, when, and from where?
– average processor load
Protocol anomalies
– verifies the correctness of network protocols (packet formats,
transmission order, etc.)
– 90% of attacks are of this type!
– theoretical behavior (according to the RFC) vs. practical implementation
(vendor specific)
Traffic anomalies
– usually it is known who communicates with whom, and the network
traffic is analyzed to detect deviations from this pattern
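Protocol anomaly detection, as an added example that is not from the slides: the checks below decode the fixed 20-byte TCP header and report field values and flag combinations that a conforming implementation never produces. The sample segments are constructed, and the list of checks is illustrative rather than any vendor's rule set.

```python
import struct

# The six classic TCP control flags (low bits of the data-offset/flags word).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header; options beyond it are not examined."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _checksum, _urg_ptr = struct.unpack(
        "!HHIIHHHH", segment[:20])
    return {
        "sport": sport,
        "dport": dport,
        "seq": seq,
        "ack": ack,
        "data_offset": off_flags >> 12,   # header length in 32-bit words, minimum 5
        "flags": off_flags & 0x3F,        # only the six classic flags are inspected
        "window": window,
    }


def protocol_anomalies(segment: bytes) -> list:
    """Return a description of every protocol rule the segment violates."""
    h = parse_tcp_header(segment)
    f = h["flags"]
    findings = []
    if h["data_offset"] < 5:
        findings.append("data offset below the 20-byte minimum header length")
    if h["sport"] == 0 or h["dport"] == 0:
        findings.append("port 0 used as source or destination")
    if f == 0:
        findings.append("no control flags set")
    if f & SYN and f & FIN:
        findings.append("SYN and FIN set together")
    if f & SYN and f & RST:
        findings.append("SYN and RST set together")
    if f & FIN and not f & ACK:
        findings.append("FIN without ACK")
    return findings


def build_tcp_header(sport: int, dport: int, flags: int, data_offset: int = 5) -> bytes:
    """Constructed test helper: a 20-byte TCP header with a zero checksum (not a real segment)."""
    return struct.pack("!HHIIHHHH", sport, dport, 1000, 0,
                       (data_offset << 12) | flags, 65535, 0, 0)


# Constructed samples: one normal connection request and three malformed segments.
SAMPLE_SEGMENTS = {
    "syn": build_tcp_header(40000, 443, SYN),
    "syn_fin": build_tcp_header(40000, 443, SYN | FIN),
    "null": build_tcp_header(40000, 443, 0),
    "short_header": build_tcp_header(40000, 443, ACK, data_offset=3),
}

if __name__ == "__main__":
    for label, segment in SAMPLE_SEGMENTS.items():
        print(f"{label:12s} -> {protocol_anomalies(segment) or 'conforms'}")
```

The slide's distinction between theoretical and practical behavior applies directly here: a check such as "FIN without ACK" encodes what real stacks actually emit (every segment after the initial SYN carries ACK) rather than a literal prohibition in the RFC, so rules of this kind need tuning against the implementations actually present on the network.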
Anomaly based IDS (cont.)
Advantages:
– it may detect new types of attacks
– it may detect “low and slow” attacks
Disadvantages:
– generates a relatively high number of false positive alarms
• system configurations change over time!
– sends generic alarms
• trained personnel are needed to investigate the alarms!
IDS attack response
Passive response
– alarms and notifications
– SNMP traps
Active response
– TCP reset
– ACL modification on router/firewall
– collect additional information about the attacker
– counter-attack
IDS attack response (cont.)
Intrusion Prevention Systems
Intrusion Prevention Systems (IPS)
– prevents intrusions
– operates inline
Combines IDS and firewall functionalities
– application layer firewall
The new generation of IDS
27
IDS vs. IPS
28
IDS/IPS products
Sourcefire / Snort
Juniper IDP
Cisco IPS
IBM (ISS) IPS
HP (TippingPoint) IPS
McAfee Network Security Platform
Stonesoft IPS
Radware NBAD
29
Gartner Magic Quadrant for Intrusion Prevention Systems
30
Conclusions
Most existing IDS/IPS use signatures and protocol
anomalies as detection mechanisms
Operating an IDS/IPS requires significant effort
– tuning, alarm investigation, etc.
– managed services (outsourcing)
Low efficiency against "low and slow" attacks
Hardware vs. software IDS
Reacts to attacks instead of preventing them
The trend is to integrate IDS into firewalls (Gartner)