In this chapter, we will learn about Intrusion Detection Systems, ways to detect an intrusion, and various types of Intrusion Detection Systems. This chapter focuses on firewalls, types of firewalls, honeypots, and types of honeypots. This chapter covers firewall evading tools and firewall and IDS penetration testing.
16.1 Understand Intrusion Detection Systems (IDS)
Exam Focus: Understand Intrusion Detection Systems (IDS). Objective includes:
· Understand Intrusion Detection Systems (IDS).
· Learn ways to detect an intrusion.
· Acquire knowledge on various types of Intrusion Detection Systems.
Intrusion Detection System
An Intrusion Detection System (IDS) is used to detect unauthorized attempts at accessing and manipulating computer systems locally, through the Internet or through an intranet. It can detect several types of attacks and malicious behaviors that can compromise the security of a network and its computers. This includes network attacks against vulnerable services, unauthorized logins and access to sensitive data, and malware (e.g. viruses, worms, etc.). An IDS also detects attacks that originate from within a system. In most cases, an IDS has three main components: Sensors, Console, and Engine. Sensors generate security events. A console is used to alert and control sensors and to monitor events. An engine is used to record events and to generate security alerts based on received security events. In many IDS implementations, these three components are combined into a single device.
The following is the working of an IDS:
Types of IDS
The following are the types of IDS:
· Network-based IDS: A Network-based Intrusion Detection System (NIDS) analyzes the data packets flowing through a network. It can detect malicious packets that are designed to slip past a firewall's simplistic filtering rules. It is responsible for detecting anomalous or inappropriate data that may be considered 'unauthorized' on a network. An NIDS captures and inspects all data traffic, regardless of whether that traffic is permitted or not.
· Host-Based IDS: A Host-based IDS (HIDS) is an Intrusion Detection System that runs on the system to be monitored. A HIDS monitors only the data that is directed to or originates from the particular system on which it is installed. Besides inspecting network traffic for attacks, it can also monitor other parameters of the system, such as running processes, file system access and integrity, and user logins, to identify malicious activity. BlackICE Defender and Tripwire are good examples of HIDS. Tripwire is a HIDS tool that automatically calculates the cryptographic hashes of all system files as well as any other files that a network administrator wants to monitor for modifications. It then periodically scans all monitored files and recalculates the information to see whether the files have been modified or not. It raises an alarm if changes are detected.
· Log file monitoring: This is generally a program that parses log files after an event such as a failed login attempt has occurred.
· File integrity checking: This checks for Trojan horses, or files that have otherwise been modified, indicating that an intruder has already been there.
Types of IDS responses
The following are the different types of responses generated by an IDS:
1. True Positive: A valid anomaly is detected, and an alarm is generated.
2. True Negative: No anomaly is present, and no alarm is generated.
3. False Positive: No anomaly is present, but an alarm is generated. This is the worst-case scenario: if an IDS generates false positives at a high rate, its alerts are ignored and the IDS is not used.
4. False Negative: A valid anomaly is present, and no alarm is generated.
IDS detection methods
The following are IDS detection methods:
· Statistical Anomaly Detection: The Statistical Anomaly Detection method, also known as behavior-based detection, compares the system's current operating characteristics against many baseline factors such as CPU utilization, file access activity, disk usage, etc. In this method, the Intrusion Detection System lets a Network Administrator either build the profiles of authorized activities by hand or place the IDS in learning mode so that it learns what is to be treated as normal activity. A large amount of time needs to be dedicated to ascertaining whether the IDS is producing few false negatives or not. Another main drawback of this method is that if an attacker slowly changes his activities over time, the IDS might be fooled into accepting the new behavior as normal.
· Pattern Matching Detection: The Pattern Matching IDS, also known as a knowledge-based or signature-based IDS, is based mainly on a database of known attacks. These known attacks are loaded into the IDS as signatures, after which the IDS begins to guard the network. The signatures are usually given a number or name so that the network administrator can easily identify the attack that is occurring. Alerts from this IDS can be triggered by fragmented IP packets, streams of SYN packets (DoS), or malformed Internet Control Message Protocol (ICMP) packets. The main disadvantage of the Pattern Matching System is that such an IDS can only trigger on signatures that are stored in its database; any new or obfuscated attack performed by an attacker will therefore go undetected.
· Protocol Detection Method: In the Protocol Detection Method, the IDS keeps state information and can detect abnormal activity in protocols such as IP, TCP, and UDP. If an incoming packet violates a protocol rule, the IDS sends an alert message to the Network Administrator. Such an IDS is usually installed on the Web server and monitors the communication between a user and the system on which it is installed.
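The following is an added example (not from any IDS product or from the original text) of behavior-based detection on one baseline factor, CPU utilization. It builds a profile in learning mode, flags samples that stray too far from it, and then reproduces the drawback described above by contrasting a pinned profile with one that keeps re-learning from whatever it accepts. All sample values, the 3-sigma threshold and the 20-sample window are constructed for illustration.

```python
"""Behavior-based (statistical anomaly) detection on a CPU-utilization profile.
Added example for this chapter; it is not taken from any IDS product.

learn() builds the profile (mean and standard deviation) from samples seen in
learning mode; detect() flags any sample more than k standard deviations from
the mean. run_scenarios() contrasts a pinned profile with one that keeps
re-learning from accepted samples, to show the drawback described above: a
slow drift is absorbed into an adaptive baseline and never raises an alert.
"""
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Profile = Tuple[float, float]   # (mean, standard deviation)


def learn(samples: List[float]) -> Profile:
    """Learning mode: derive the 'normal' profile from authorized activity."""
    return mean(samples), max(pstdev(samples), 1e-9)   # guard against a flat profile


def is_anomalous(profile: Profile, value: float, k: float = 3.0) -> bool:
    """A sample is anomalous if it lies more than k standard deviations from the mean."""
    mu, sigma = profile
    return abs(value - mu) / sigma > k


def detect(training: List[float], samples: List[float], k: float = 3.0,
           adaptive: bool = False, window: int = 20) -> List[int]:
    """Return the indices of flagged samples.

    With adaptive=True the profile is re-learned from the last `window`
    accepted samples after each observation, so anything the detector
    accepts silently becomes part of 'normal'.
    """
    history = list(training)
    profile = learn(history[-window:] if adaptive else history)
    flagged = []
    for i, value in enumerate(samples):
        if is_anomalous(profile, value, k):
            flagged.append(i)
        elif adaptive:
            history.append(value)
            profile = learn(history[-window:])
    return flagged


def run_scenarios() -> Dict[str, List[int]]:
    """Constructed data: a flat learning period (18-22 % CPU), then a sudden
    spike, then a ramp that creeps up by half a percent per sample to 60 %."""
    training = [20.0 + (i * 7) % 5 - 2 for i in range(40)]
    spike = [95.0]
    ramp = [20.5 + 0.5 * i for i in range(80)]
    return {
        "spike_static": detect(training, spike),
        "spike_adaptive": detect(training, spike, adaptive=True),
        "ramp_static": detect(training, ramp),
        "ramp_adaptive": detect(training, ramp, adaptive=True),
    }


if __name__ == "__main__":
    for name, hits in run_scenarios().items():
        first = hits[0] if hits else None
        print(f"{name:<15} first alert at sample {first}, {len(hits)} alerts in total")
```

Both profiles catch the spike immediately. The pinned profile starts alerting on the ramp once it passes the 3-sigma line (from the ninth sample on), whereas the adaptive profile never alerts, because each accepted sample drags the mean along with it. The defensive takeaway is the one the text hints at with "profiles of authorized activities": keep the learned profile pinned to a vetted learning period, re-baseline deliberately rather than continuously, and treat drift of the profile itself as something to review.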
Ways to detect an intrusion
The following ways are used to detect an intrusion:
· Signature recognition: It is also referred to as misuse detection. It tries to recognize events that misuse a system.
· Anomaly detection: It detects the intrusion depending on the fixed behavioral characteristics of the users and components in a computer system.
· Protocol anomaly detection: It involves building models of the TCP/IP protocols from their specifications.
Indications of intrusions
The following are indications of file system intrusions:
· Presence of new, unfamiliar files, or programs
· Changes in file permissions
· Unexplained changes in the size of the file
· Rogue files on the system that do not correspond to the master list of signed files
· Unfamiliar file names in directories
· Missing files
The following are indications of network intrusions:
· Repeated probes of the available services on the machines
· Connections from unusual locations
· Repeated login attempts from a remote host
· Arbitrary data in log files, indicating an attempt to cause either a denial of service or a service crash
The following are indications of system intrusions:
· Modifications to system software and configuration files
· Gaps in the system accounting
· Unusually slow system performance
· Crashing or rebooting of system
· Short or incomplete logs
· Missing logs or logs with incorrect permissions or ownership
· Unfamiliar processes
· Unusual graphic displays or text messages
Snort
Snort is an open source network intrusion prevention and detection system that operates as a network sniffer. It logs network activity that matches predefined signatures. Signatures can be designed for a wide range of traffic, including Internet Protocol (IP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP).
The three main modes in which Snort can be configured are as follows:
· Sniffer mode: It reads the packets of the network and displays them in a continuous stream on the console.
· Packet logger mode: It logs the packets to the disk.
· Network intrusion detection mode: It is the most complex and configurable mode, allowing Snort to analyze network traffic for matches against a user-defined rule set.
Working of Snort
The following image shows the working of Snort:
The Decoder performs the following functions:
· It saves the captured packets into the heap.
· It identifies link-level protocols.
· It decodes IP.
The Detection Engine matches each packet against the rules loaded into memory at Snort initialization. Output Plug-ins format the notifications so that the user can access them in different ways.
Snort rules
Snort's rule engine enables a user to write rules that meet the requirements of the network. Snort rules are useful in differentiating between normal Internet activity and malicious activity. A Snort rule must be written on a single line; rules spanning multiple lines are not handled by the Snort rule parser. A Snort rule has two logical parts: the rule header and the rule options. The rule header identifies the rule's action (alert, log, pass, activate, dynamic, etc.) together with the protocol, addresses, ports, and direction the rule applies to. The rule options identify the rule's alert message.
Rule action: The rule header holds the information needed to decide which packets the rule applies to and what action is to be carried out on them. When a packet matches the rule criteria, the rule action tells Snort what to do with it. The following actions are available in Snort:
1. Alert: The selected alert method is used to generate an alert.
2. Log: The packet is logged.
3. Pass: The packet is ignored (dropped from further inspection).
IP protocols: TCP, UDP, and ICMP are the IP protocols that Snort supports for inspection of suspicious behavior.
Direction operator: It indicates the direction of the traffic to which the rule applies. The traffic can flow either in one direction (->) or bidirectionally (<>). The following is an example of a Snort rule using the bidirectional operator:
log tcp !192.168.1.0/24 any <> 192.168.1.0/24 23
IP addresses: The "any" keyword matches any IP address. Snort accepts only straight numeric IP addresses, not hostnames. A CIDR block specifies the netmask that is applied to the rule's address and to the incoming packets that are checked against the rule.
Port numbers: Port numbers can be specified in several ways: as "any", as static port definitions, as ranges, and by negation. The range operator ":" is used to indicate port ranges. The following is an example of port negation:
log tcp any any -> 192.168.1.0/24 !6000:6010
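To make the header syntax concrete, here is an added example (written for this chapter, not Snort's own code) that parses the seven fields of a rule header and checks constructed packets against the two rules quoted above. It handles the "any" keyword, CIDR blocks, "!" negation of addresses and ports, ":" port ranges, and both direction operators; rule options in parentheses are deliberately ignored, and the Packet class is a constructed stand-in for a decoded packet.

```python
"""Snort-style rule header matcher (added example; not Snort's own code).

A rule header has seven fields:
    action protocol src_ip src_port direction dst_ip dst_port
This matcher supports the constructs described in the text: the "any"
keyword, CIDR blocks and "!" negation for addresses, ":" port ranges and
"!" negation for ports, and the "->" and "<>" direction operators. Rule
options (the part in parentheses) are not parsed here.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    """Constructed packet summary: just the fields a rule header examines."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _match_addr(spec: str, addr: str) -> bool:
    """Match 'any', a host, or a CIDR block; a leading '!' negates the match."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    hit = ipaddress.ip_address(addr) in net
    return (not hit) if negate else hit


def _match_port(spec: str, port: int) -> bool:
    """Match 'any', a single port, or a range 'lo:hi', 'lo:', ':hi'; '!' negates."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:
        lo_s, hi_s = spec.split(":", 1)
        lo, hi = (int(lo_s) if lo_s else 0), (int(hi_s) if hi_s else 65535)
    else:
        lo = hi = int(spec)
    hit = lo <= port <= hi
    return (not hit) if negate else hit


@dataclass
class RuleHeader:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str

    @classmethod
    def parse(cls, line: str) -> "RuleHeader":
        """Parse one single-line rule; anything after '(' (the options) is ignored."""
        fields = line.split("(", 1)[0].split()
        if len(fields) != 7 or fields[4] not in ("->", "<>"):
            raise ValueError(f"malformed rule header: {line!r}")
        return cls(*fields)

    def _one_way(self, pkt: Packet, src: str, sport: str, dst: str, dport: str) -> bool:
        return (_match_addr(src, pkt.src) and _match_port(sport, pkt.sport)
                and _match_addr(dst, pkt.dst) and _match_port(dport, pkt.dport))

    def matches(self, pkt: Packet) -> bool:
        """True if the packet fits the header; '<>' also tries the reverse direction."""
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self._one_way(pkt, self.src, self.sport, self.dst, self.dport):
            return True
        return self.direction == "<>" and self._one_way(
            pkt, self.dst, self.dport, self.src, self.sport)


def apply_rules(rules: List[str], pkt: Packet) -> Optional[str]:
    """Return the action of the first matching rule, or None if no rule matches."""
    for line in rules:
        header = RuleHeader.parse(line)
        if header.matches(pkt):
            return header.action
    return None


# Constructed rule set: the two rules quoted in the text.
RULES = [
    "log tcp !192.168.1.0/24 any <> 192.168.1.0/24 23",
    "log tcp any any -> 192.168.1.0/24 !6000:6010",
]

if __name__ == "__main__":
    telnet_in = Packet("tcp", "10.0.0.5", 40000, "192.168.1.10", 23)      # log (rule 1)
    telnet_reply = Packet("tcp", "192.168.1.10", 23, "10.0.0.5", 40000)   # log (rule 1, reverse)
    x11 = Packet("tcp", "10.0.0.5", 40000, "192.168.1.10", 6005)          # None (negated range)
    for p in (telnet_in, telnet_reply, x11):
        print(p, "->", apply_rules(RULES, p))
```

The bidirectional rule logs the inbound telnet packet and the reply coming back from the inside host, which is the point of "<>": one rule covers both halves of the conversation. The second rule shows why negation needs care when reviewing a rule set: it logs every TCP packet into the subnet except those to ports 6000 through 6010, so traffic to those ports is exactly what this rule will never record.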
Tipping Point
Tipping Point IPS is an inline device that is placed seamlessly and transparently into the network. Each packet is thoroughly inspected to determine whether it is malicious or legitimate. It delivers performance, application, and infrastructure protection at gigabit speeds via total packet inspection.
Intrusion detection tools
The following are intrusion detection tools:
· Security Network Intrusion Prevention System
· Strata Guard
· Peek & Spy
· CRCMd5 Data Validation
· Cisco IDS 4250 Appliance
· DiskSearch 32
· INTOUCH INSA-Network Security Agent
· IDP8200
· OSSEC
· AIDE (Advanced Intrusion Detection Environment)
· Netifera
· Tripwire
· eXpert-BSM
· SNARE (System iNtrusion Analysis & Reporting Environment)
· Cisco Intrusion Detection
· Vanguard Enforcer
Tripwire
Tripwire is a System Integrity Verifier (SIV) that is used to monitor files and detect changes made by an intruder. The Tripwire utility can be used to check the file size, the file signature, and the integrity of a file. Tripwire automatically calculates the cryptographic hashes of all system files as well as any other file that a network administrator wants to monitor for modifications. It then periodically scans all monitored files and recalculates the information to see whether the files have been modified or not. It raises an alarm if changes are detected.
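The following added example (written for this chapter; it is not Tripwire's code) shows the baseline-and-rescan cycle the text describes, and also illustrates the file-system intrusion indicators listed earlier (new files, missing files, modified files). It records size and SHA-256 digest for every file under a directory, then rescans and reports differences. The file tree, its contents and the tampering scenario are all constructed inside a temporary directory.

```python
"""Tripwire-style baseline-and-compare integrity check (added example; not Tripwire's code).

baseline() records the size and SHA-256 digest of every regular file under a
directory; check() rescans and reports files that were modified, added, or
removed, the file-system intrusion indicators listed earlier in the chapter.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

Record = Tuple[int, str]          # (size in bytes, SHA-256 hex digest)
Baseline = Dict[str, Record]      # relative path -> record


def fingerprint(path: str) -> Record:
    """Hash the file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return os.path.getsize(path), digest.hexdigest()


def baseline(root: str) -> Baseline:
    """Walk root and fingerprint every regular file (symlinks are skipped)."""
    db: Baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                db[rel] = fingerprint(full)
    return db


def check(root: str, db: Baseline) -> Dict[str, List[str]]:
    """Rescan root and classify every difference from the stored baseline."""
    now = baseline(root)
    return {
        "modified": sorted(p for p in db if p in now and now[p] != db[p]),
        "added": sorted(p for p in now if p not in db),
        "missing": sorted(p for p in db if p not in now),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    """Helper for the constructed scenario: create parent directories and write data."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario in a temporary tree: one file tampered with at the
    same size (caught by the hash, not by the size), one deleted, one planted."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/ls", b"\x7fELF-constructed-binary")
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        db = baseline(root)                      # taken while the system is trusted

        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/ls\n")   # same length
        os.remove(os.path.join(root, "etc", "hosts"))
        _write(root, "bin/.hidden", b"planted")
        return check(root, db)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:>8}: {paths}")
```

Two points the scenario makes: the edited passwd file keeps its exact size, so a size-only check would miss it and only the hash comparison reports it; and the comparison is only as trustworthy as the baseline and the checker, so the baseline database belongs on read-only or offline storage and the check should run from a binary the intruder could not have replaced.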
BlackICE Defender
BlackICE Defender is a Host-Based Intrusion Detection System (HIDS). It provides a firewall that detects, reports, and blocks all suspected access attempts. It provides a notification by flashing tray icons when any intrusion is detected. It also provides detailed information regarding the different types of attacks that can harm the security of the network.
IPS
An Intrusion Prevention System (IPS) is a tool that is used to prevent sophisticated attacks on the network. The IPS tool detects such attacks by keeping an eye on trends, looking for attacks that use particular patterns of messages, and other factors. The IPS tool sits in the packet forwarding path and rates and reports each potential threat by analyzing the traffic. The IPS tool has the ability to react to and filter the traffic. There are two types of IPS:
· Host intrusion prevention system (HIPS)
· Network intrusion prevention system (NIPS)
Anti-x
Anti-x is a component of the Cisco Adaptive Security Appliance (ASA). Anti-x provides a defense-in-depth security design that prevents various types of problems such as viruses. The security provided by the tool includes the following:
· Anti-virus: It scans network traffic and prevents the transmission of known viruses. It detects viruses through their virus signatures.
· Anti-spyware: It scans network traffic and prevents the transmission of spyware programs. As spyware does a lot of damage, this tool becomes very critical for any organization. Spyware eats a lot of precious bandwidth too.
· Anti-spam: It deletes and segregates all junk e-mails before forwarding them to users. It examines all e-mails that arrive in the network.
· Anti-phishing: It prevents phishing attacks from reaching network users.
· URL filtering: It filters Web traffic based on URL to prevent users from connecting to inappropriate sites.
· E-mail filtering: Apart from providing the anti-spam feature, it also filters e-mails containing offensive material, potentially protecting an organization from lawsuits.
The Cisco ASA appliance can be configured in a network-based role for all Anti-x functions.
16.2 Understand what a firewall is, types of firewalls, and identify firewall identification techniques
Exam Focus: Understand what a firewall is, types of firewalls, and identify firewall identification techniques. Objective includes:
· Understand what a firewall is.
· Types of firewalls.
· Identify firewall identification techniques.
Firewall
A firewall is a combination of software and hardware that prevents data packets from coming in or going out of a specified network or computer. It is used to separate an internal network from the Internet. It analyzes all the traffic between a network and the Internet, and provides centralized access control on how users should use the network. A firewall can also perform the following functions:
· Block unwanted traffic.
· Direct the incoming traffic to more trustworthy internal computers.
· Hide vulnerable computers that are exposed to the Internet.
· Log traffic to and from the private network.
· Hide information, such as computer names, network topology, network device types, and internal user IDs from external users.
The firewall is placed at the junction point or gateway between the two networks. It may be concerned with the type of traffic or with the source or destination addresses and ports.
The firewall architecture includes bastion host, screened subnet, and multi-homed firewall.