07-10-2016, 11:12 AM
Attachment: Intrusion Detection and Prevention final.ppt (82.5 KB)
Objectives
After this seminar, you will learn
Is your Network Secure?
What an NIDS can Detect and Miss
How various Intrusion detection mechanisms work.
Why intrusion detection and prevention solutions must operate in-line.
NetScreen Approach
Is your Network Secure?
The first step usually taken is to install a firewall.
The second is to detect the presence of attacks within the traffic the firewall allows through, which is the job of a NIDS.
A NIDS alone does not protect an organization from those attacks, because of:
False alarms
Low manageability, high maintenance
Perceived need to outsource
No prevention of attacks
What an NIDS can Detect and Miss?
It is the job of NIDS to tell you about the attack.
The system is only as good as its detection capabilities.
It is critical that the system’s detection mechanisms are accurate enough to differentiate between the good and bad traffic that gets into your network.
Following are the four possible results of intrusion detection:
In bad traffic: failure to identify malicious traffic as an attack (a false negative)
In bad traffic: identifying a real attack as an attack (a true positive)
In good traffic: identifying good traffic as an attack (a false positive)
In good traffic: identifying good traffic as good traffic (a true negative)
Detection Techniques
Ideal performance of a NIDS: identify as many attacks as possible while limiting the number of false alarms.
No single detection mechanism can detect every type of network-based attack.
Different Techniques available
Intrusion Detection Using Protocol Anomalies
Intrusion Detection Using Stateful Signatures
Intrusion Detection Using Backdoor Detection
Intrusion Detection Using Traffic Anomalies
Pattern Matching Using Regular Expressions
Intrusion Detection Using Protocol Anomalies
It is the ability to analyze packet flows to identify irregularities in the generally accepted Internet rules of communication.
The rules are defined by open protocols and RFCs.
The objective is to implement a mechanism that identifies traffic that does not meet the specifications or violates the relevant standards.
This is very effective in detecting suspicious activity, such as a buffer-overflow attack.
Advantages of protocol anomaly detection
It can detect:
Unknown and new attacks.
Attacks that bypass systems that implement other detection methods.
Slightly modified attacks that change the format of known attack patterns.
Example1: Detecting an FTP Bounce Attack
Example2: Detecting an Undocumented Buffer Overflow Attack.
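Example 1 above can be made concrete with a small protocol-anomaly check. The following is an added example, not code from the slides or from NetScreen: it parses the FTP PORT command as RFC 959 defines it (six comma-separated byte values) and flags two kinds of anomaly, a PORT argument that is malformed and a PORT argument whose address differs from the client's own control-connection address, which is the hallmark of a bounce. The FTP command lines and client address are constructed sample input.

```python
import ipaddress
import re

# Constructed sample FTP control-channel exchange (not captured from any real system).
# Each tuple: (client IP of the control connection, raw command line sent by the client).
SAMPLE_COMMANDS = [
    ("192.0.2.10", "USER anonymous"),
    ("192.0.2.10", "PORT 192,0,2,10,4,1"),       # normal active-mode request, back to the client itself
    ("192.0.2.10", "PORT 198,51,100,7,0,25"),    # data channel pointed at a third host: bounce
    ("192.0.2.10", "PORT 192,0,2,10,300,1"),     # field above 255: malformed per RFC 959
    ("192.0.2.10", "PORT 192,0,2,10,4"),         # too few fields: malformed
]

# RFC 959 form: PORT h1,h2,h3,h4,p1,p2 (each field is one decimal byte value)
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def check_port_command(client_ip, line):
    """Return (verdict, detail) for one FTP command line from the client.

    Verdicts: 'ignored' (not a PORT command), 'ok', 'malformed', 'bounce'.
    """
    m = PORT_RE.match(line)
    if not m:
        if line.upper().startswith("PORT"):
            return ("malformed", "PORT argument is not six comma-separated numbers")
        return ("ignored", "")
    fields = [int(x) for x in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        return ("malformed", f"field out of byte range: {fields}")
    target_ip = ".".join(str(x) for x in fields[:4])
    target_port = fields[4] * 256 + fields[5]
    # Protocol-anomaly rule: the data channel must go back to the host that opened
    # the control connection; anything else is a bounce attempt.
    if ipaddress.ip_address(target_ip) != ipaddress.ip_address(client_ip):
        return ("bounce", f"data channel requested to {target_ip}:{target_port} "
                          f"but control connection is from {client_ip}")
    return ("ok", f"data channel to {target_ip}:{target_port}")


def analyze(commands):
    """Run the check over (client_ip, line) pairs; returns (line, verdict, detail) triples."""
    return [(line, *check_port_command(ip, line)) for ip, line in commands]


if __name__ == "__main__":
    for line, verdict, detail in analyze(SAMPLE_COMMANDS):
        print(f"{verdict:9s} {line!r} {detail}")
```

Note that no attack signature is involved: the check only knows what a conforming PORT command looks like and who the client is, which is why this style of detection also catches variants it has never seen.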
Intrusion Detection Using Stateful Signatures
Based on recognizing and matching attack signatures (patterns).
Evolution of NIDSes started with the implementation of a non-intrusive packet monitor, called a Sniffer.
Intrusion detection vendors applied the packet-monitoring concept to build systems that performed packet signature detection.
NIDSes look at the raw bytes of each and every packet in a flow to try to find a match for an attack pattern.
This introduces two problems
Performance is significantly hurt
False positives are more likely to occur
Optimized Analysis = Stateful Signatures
Identifies attack patterns by utilizing both stateful inspection and protocol analysis.
It understands the context of each data byte and the state of the client and server at the time of transmission.
It only looks for an attack in the state of the communication where that attack can cause damage.
This significantly improves performance and reduces false positives.
Example: Detecting the SMTP WIZ attack, where a raw byte match on "WIZ" would also fire on an address such as
thewizard[at]company.com
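The difference between raw packet matching and a stateful signature can be seen in a few lines of code. The following is an added example, not the slides' or NetScreen's code: a constructed SMTP session in which the sender address and the message body both contain the bytes "WIZ", and the client also issues a real WIZ command. The naive matcher searches every byte and produces three false positives; the stateful matcher tracks whether the client is in command state or in the DATA phase and only inspects the command verb, so it reports just the one line where a WIZ command could do damage. The state tracking is deliberately minimal and assumes the server accepted the DATA command.

```python
import re

# Constructed client-to-server SMTP lines (not captured traffic).
SESSION = [
    "HELO mail.example.net",
    "MAIL FROM:<thewizard@company.com>",          # "wiz" inside an address
    "RCPT TO:<alice@example.net>",
    "DATA",
    "Subject: wizard of oz tickets",               # "wiz" inside message headers
    "The WIZ command is an old sendmail debugging feature.",  # "WIZ" inside the body
    ".",
    "WIZ",                                         # an actual WIZ command in command state
    "QUIT",
]

RAW_PATTERN = re.compile(rb"WIZ", re.IGNORECASE)


def raw_byte_matcher(lines):
    """Sniffer-style matcher: looks for the pattern in every byte of the stream."""
    return [line for line in lines if RAW_PATTERN.search(line.encode())]


class SmtpClientTracker:
    """Minimal client-side SMTP state machine: 'command' or 'data'."""

    def __init__(self):
        self.state = "command"

    def feed(self, line):
        """Consume one client line; return (state the line was sent in, command verb or None)."""
        if self.state == "data":
            if line == ".":           # end-of-data marker returns the client to command state
                self.state = "command"
            return ("data", None)
        # Verb is the first token; "MAIL FROM:<...>" yields "MAIL".
        verb = line.split(" ", 1)[0].split(":", 1)[0].upper()
        if verb == "DATA":            # assumes the server answers 354 and accepts the message
            self.state = "data"
        return ("command", verb)


def stateful_matcher(lines, forbidden_verbs=("WIZ", "DEBUG")):
    """Stateful signature: check the command verb only while the session is in command state."""
    tracker = SmtpClientTracker()
    hits = []
    for line in lines:
        state, verb = tracker.feed(line)
        if state == "command" and verb in forbidden_verbs:
            hits.append(line)
    return hits


if __name__ == "__main__":
    print("raw byte matcher hits:", raw_byte_matcher(SESSION))
    print("stateful matcher hits:", stateful_matcher(SESSION))
```

The stateful version also does less work: message bodies, which carry most of the bytes in an SMTP session, are never scanned for this signature at all.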
Intrusion Detection Using Backdoor Detection
How to detect unknown attacks that do not violate a protocol, such as a Trojan or worm?
These attacks install and open up a backdoor on a network resource.
The backdoor remains dormant until the attacker activates it and takes control of the resource through a series of interactions.
Backdoor detection is the NetScreen approach to detecting the unique characteristics of this interactive traffic.
NetScreen-IDP looks for all interactive traffic and then detects that which is unauthorized, based on what the administrator has defined as “allowed” in the rule-base.
Intrusion Detection Using Traffic Anomalies
To detect the attacks that occur in traffic spanning multiple sessions – port and network scans.
Port and network scans are used to determine which services are allowed and responding on a system.
The attacker uses this information to exploit known vulnerabilities in the responding services on those open ports.
Traffic anomaly detection performs pattern matching against the entire flow of traffic rather than a single session.
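Because a scan is spread across many sessions, no single packet or connection looks wrong; the pattern only appears when flows are counted together. The following is an added example, not from the slides or from NetScreen, using constructed flow records: it keeps a sliding time window per source and raises a port-scan alert when one source touches many distinct ports on one host, and a network-scan alert when one source touches the same port on many hosts. Thresholds and window length are assumptions chosen for the sample data.

```python
from collections import defaultdict

# Constructed flow records, not captured traffic: (timestamp_s, src_ip, dst_ip, dst_port)
FLOWS = [
    (0.0, "192.0.2.10", "198.51.100.5", 80),      # ordinary web client: two ports, repeated
    (0.5, "192.0.2.10", "198.51.100.5", 443),
    (1.0, "192.0.2.10", "198.51.100.5", 80),
] + [
    # one source walking ten ports on one host within a second
    (0.1 * (i + 1), "203.0.113.9", "198.51.100.5", p)
    for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3389])
] + [
    (9.0, "203.0.113.9", "198.51.100.5", 8080),   # later probe, outside the window
    (1.5, "203.0.113.9", "198.51.100.6", 22),     # same port across neighbouring hosts
    (1.6, "203.0.113.9", "198.51.100.7", 22),
]


def _max_distinct_in_window(events, window):
    """events: sorted list of (t, value). Return the largest number of distinct
    values seen within any span of `window` seconds (sliding window, two pointers)."""
    counts = defaultdict(int)
    best = 0
    start = 0
    for t, value in events:
        counts[value] += 1
        while events[start][0] < t - window:      # expire events older than the window
            old = events[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best


def detect_scans(flows, window=5.0, port_threshold=8, host_threshold=3):
    """Return sorted alerts of the form (kind, source, target-or-port, distinct-count)."""
    by_src_dst = defaultdict(list)    # (src, dst)  -> [(t, dst_port)]
    by_src_port = defaultdict(list)   # (src, port) -> [(t, dst)]
    for t, src, dst, port in flows:
        by_src_dst[(src, dst)].append((t, port))
        by_src_port[(src, port)].append((t, dst))

    alerts = []
    for (src, dst), events in by_src_dst.items():
        n = _max_distinct_in_window(sorted(events), window)
        if n >= port_threshold:
            alerts.append(("port-scan", src, dst, n))
    for (src, port), events in by_src_port.items():
        n = _max_distinct_in_window(sorted(events), window)
        if n >= host_threshold:
            alerts.append(("network-scan", src, port, n))
    return sorted(alerts, key=lambda a: (a[0], a[1], str(a[2])))


if __name__ == "__main__":
    for alert in detect_scans(FLOWS):
        print(alert)
```

The ordinary client is never flagged, and the probe at t=9.0 does not count towards the earlier burst because it falls outside the window; tuning the window and thresholds is what keeps this method from alarming on busy but legitimate hosts.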
Pattern Matching Using Regular Expressions
Accuracy is affected not only by the types of detection methods a system uses, but also by the way the system defines and looks for attack patterns.
The ideal method is to provide support for regular expression pattern matching.
It provides wildcard and complex pattern matching, resulting in a more accurate representation of an attack.
It also offers flexibility over the control of the system’s behavior.
Example: name= “<some-name>.EXE”.
Intrusion Detection and Prevention Must Operate In-line
“Passive”, sniffer-based intrusion detection systems can only “listen” to the traffic.
They cannot control the traffic by dropping or modifying it.
Evading Intrusion Detection Systems
Basic idea behind evasion is to fool the intrusion detection mechanism into “seeing” different data than the target host, often referred to as the “victim”.
This allows an attacker to attack the host without being detected.
Manageability
An integral element of any NIDS is how you interact with the system.
If the NIDS is difficult to configure and manage, it will be difficult to benefit from its capabilities, even if it contains all of the detection mechanisms and response options.
The best solution is the one that provides very granular control of system capabilities, using a centralized, rule-based management scheme.
This approach has proven effective in the management of firewalls.
The NetScreen Approach
NetScreen-IDP is the first product on the market to use many of these advanced technologies.
The first innovation implements a technique called Multi-Method Detection (MMD).
The second innovation is that NetScreen-IDP operates as an in-line solution, which is the only way to protect against evasion techniques and provide true intrusion prevention.
The third innovation delivers a centralized, rule-based management framework.
Multi-Method Detection (MMD) Improves Accuracy
By implementing eight different detection methods, the NetScreen-IDP system can accurately identify intrusions.
These methods share information and work together to identify, in the most efficient manner, all types of attacks at both the network and application layers.
The detection mechanisms are optimized to perform analysis at very high data rates, with no performance degradation.
Administrators can trust that the alarms they get are real and don’t have to worry about wasting time investigating false alarms.
In-line operation provides real protection
The NetScreen-IDP is designed to work in-line, in the path of packets.
In this configuration, NetScreen-IDP is usually placed behind the firewall, inspecting each and every packet going in and coming out of each of the protected networks.
When malicious traffic is detected, it can drop the connection, so that it never gets onto the network.
When a passive NIDS detects malicious traffic, its only real recourse is to send a TCP reset to try and stop the attack.
Advantages to operating in the path of packets
Attacks can be stopped (dropped) the moment they are detected.
You can be certain that intrusions that were dropped were unsuccessful, so you only need to investigate on a case-by-case basis.
This frees up your time, so you can concentrate on other projects.
Common methods of evading IDS devices can be avoided
This prevents an attacker from taking advantage of ambiguities.
Centralized, Rule-based management
True three-tier management architecture, comprised of a detection and enforcement tier (sensor), a management tier (server) and an application tier (user interface).
Multiple user interfaces can connect to a single management server to perform all management operations.
Rule-based management
Provides granular control over how the NetScreen-IDP behaves.
You set the rules by specifying the source, destination, service and attacks that need to be searched for and matched, in order for the rule to apply.
The rule then specifies what to do when those attacks are detected, such as drop or allow the connection, and how to log the attack.
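The rule-base described above, together with the regular-expression attack patterns from the pattern-matching section (the `name="<some-name>.EXE"` example), can be modelled as a small policy evaluator. The following is an added example and not NetScreen-IDP's own rule syntax or evaluation order: each rule carries a source, destination, service, a list of attack patterns and an action with a log flag; rules are tried top-down, a rule with attack patterns applies only when one of its patterns matches the payload, and a rule with none acts as a plain allow/drop. Rule names, the matching semantics, and the sample messages are all constructed assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    source: str          # CIDR network or "any"
    destination: str     # CIDR network or "any"
    service: str         # "proto/port", e.g. "tcp/25", or "any"
    attacks: tuple       # names of attack patterns to search for; empty = match on 5-tuple alone
    action: str          # "drop" or "allow"
    log: bool


# Regular-expression attack patterns (constructed for this example).
ATTACK_PATTERNS = {
    # wildcard match for a filename/attachment header naming an executable, any case
    "exe-attachment": r'name="[^"]*\.exe"',
    # a WIZ command at the start of a line
    "smtp-wiz": r"^WIZ\b",
}

# Constructed rule-base: first matching rule wins.
RULEBASE = [
    Rule("block-exe-mail", "any", "192.0.2.0/24", "tcp/25",
         ("exe-attachment", "smtp-wiz"), "drop", True),
    Rule("permit-rest", "any", "any", "any", (), "allow", False),
]


def _match_addr(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def _match_service(spec, proto, port):
    return spec == "any" or spec == f"{proto}/{port}"


def evaluate(rulebase, src, dst, proto, port, payload):
    """Return (rule name, action, log?, matched attack or None) for one flow."""
    for rule in rulebase:
        if not (_match_addr(rule.source, src)
                and _match_addr(rule.destination, dst)
                and _match_service(rule.service, proto, port)):
            continue
        if rule.attacks:
            hit = next((name for name in rule.attacks
                        if re.search(ATTACK_PATTERNS[name], payload,
                                     re.IGNORECASE | re.MULTILINE)), None)
            if hit is None:
                continue          # 5-tuple matched but no attack seen: fall through to later rules
            return (rule.name, rule.action, rule.log, hit)
        return (rule.name, rule.action, rule.log, None)
    return ("implicit-deny", "drop", True, None)   # assumed default when nothing matches


# Constructed sample payloads (message fragments, not real mail).
EXE_MAIL = 'Content-Type: application/octet-stream\nContent-Disposition: attachment; name="Invoice.EXE"\n'
PDF_MAIL = 'Content-Disposition: attachment; name="report.pdf"\n'

if __name__ == "__main__":
    print(evaluate(RULEBASE, "203.0.113.9", "192.0.2.25", "tcp", 25, EXE_MAIL))
    print(evaluate(RULEBASE, "203.0.113.9", "192.0.2.25", "tcp", 25, PDF_MAIL))
    print(evaluate(RULEBASE, "203.0.113.9", "198.51.100.1", "tcp", 25, EXE_MAIL))
```

The third call shows why the source/destination/service fields matter: the same executable attachment headed for a host outside the protected 192.0.2.0/24 range is not covered by the first rule and falls through to the permit rule, so the scope of each rule is as much part of the policy as the patterns it carries.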
Centralized Security Policy
A centralized Security Policy allows the application of the same Security Policy to as many enforcement points as required.
Deviation from one device to another does not require a new Security Policy.
Closed-loop investigation: gives the ability to correlate data points and move between levels of information.
This makes it easy to understand exactly what is going on in your network and immediately react to protect against new threats.
Conclusion
Firewall systems need a second layer of defense to detect and prevent all types of attacks.
The current intrusion detection solutions generally implement only a single intrusion detection mechanism.
The NetScreen-IDP system overcomes these deficiencies, giving you a product that protects your corporate assets.
The NetScreen-IDP system brings many proven and well-known concepts together in a single product, delivering a solution that you can trust.