A robust SNMP based Infrastructure for Intrusion Detection and Response in tactical MANETs (slide deck)


SLIDE 1

Computer Networks Dept., Research Institute for Communication, Information Processing and Ergonomics (FGAN/FKIE), July 2006

A robust SNMP based Infrastructure for Intrusion Detection and Response in tactical MANETs

  • Marko Jahnke, Jens Tölle, Uwe Weddige, Michael Bussmann (FGAN/FKIE, Wachtberg, Germany, Computer Networks Dept.)
  • Sascha Lettgen (University of Bonn, Germany, Inst. of Computer Science IV)
SLIDE 2

Outline

  • Introduction
  • Deployment Scenario: Tactical MANETs
  • Network Management Domain: SNMP
  • Modelling IDS Infrastructures w/ SNMP
  • Performance Simulation
  • Implementation Status
  • Conclusions & Further Work
SLIDE 3

Terminology: Distributed IDS Components

  • Agent
    – Sensors
    – Detectors
    – Responders
    – Message processing modules
  • Console
    – Message consolidation
    – Databases
    – Correlation engines
    – Other analysis modules

SLIDE 4

Types of IDS Infrastructures

  • Event Message IS
  • Sensor Data IS
  • Response Trigger IS
  • Configuration IS

Figure (diagram on the slide): several observed nodes, each running an IDS Agent, connected to the console node(s), which run the IDS Console together with an IDS Agent; the console has an outgoing link "To Meta IDS".

SLIDE 5

Existing Data Models & Communication Protocols

  • IETF IDWG Recommendations
  • Drawbacks: Overhead
    – TCP/SSL/BEEP Handshakes
    – Channel Management
    – XML Encoding

IDMEF example message (the slide annotates its parts with: who, when, where, what happened, who reports):

    <IDMEF-Message version="1.0">
      <Alert ident="abc123456789">
        <Analyzer analyzerid="hq-dmz-analyzer01">
          <Node category="dns">
            <location>Headquarters DMZ Network</location>
            <name>analyzer01.example.com</name>
          </Node>
        </Analyzer>
        <CreateTime ntpstamp="0xbc723b45.0xef449129">
          2000-03-09T10:01:25.93464-05:00
        </CreateTime>
        <Source ident="a1b2c3d4">
          <Node ident="a1b2c3d4-001" category="dns">
            <name>badguy.example.net</name>
            <Address ident="a1b2c3d4-002" category="ipv4-net-mask">
              <address>192.0.2.50</address>
              <netmask>255.255.255.255</netmask>
            </Address>
          </Node>
        </Source>
        <Target ident="d1c2b3a4">
          <Node ident="d1c2b3a4-001" category="dns">
            <Address category="ipv4-addr-hex">
              <address>0xde796f70</address>
            </Address>
          </Node>
        </Target>
        <Classification origin="bugtraqid">
          <name>124</name>
          <url>http://www.securityfocus.com</url>
        </Classification>
      </Alert>
    </IDMEF-Message>

Protocol stack shown on the slide (top to bottom): IDMEF / IDXP / BEEP / TLS / TCP / IP

SLIDE 6

Deployment Scenario: Tactical MANETs

Challenges:
    – Limited Resources
    – Attacks, e.g. against MANET routing
    – Insider attacks

Environment:
    – Infantry Mission
    – 5-15 high performance PDAs
    – Network characteristics similar to IEEE 802.11
    – IPsec and application encryption
    – Fully equipped node w/ HQ Backlink

Differences to civilian scenarios:
    – Precisely defined, homogeneous environment
    – Significant resources for security measures

SLIDE 7

Management Domain: SNMPv3

  • Monitoring & Configuration
  • Agent/Manager based concept
  • UDP based
  • Security in SNMPv3
  • Management Information Base (MIB)
  • Object and Instance Identifier (OID/IID)
  • get/setValue Requests (single value, list or bulk)
  • Traps and Notifications

SLIDE 8

Modeling IDS Infrastructure w/ SNMP (aligned to IDMEF structure)

  • Sensor IS
    – getValue
    – getNext / Bulk
  • Response Trigger IS
    – setValue
  • Configuration IS
    – get/setValue
  • Message IS
    – Insert new alerts into MIB as single subtree structure
    – Send an acknowledged notification to console, containing most important fields
    – Console may request additional message fields
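The following is an added example, not code from the slide deck or from FGAN/FKIE, that models the Message IS described on this slide end to end: the IDMEF alert from slide 5 is flattened into fields, stored by the agent as one MIB subtree, announced to the console with an acknowledged notification carrying only the key fields, and completed by the console with getNext/getBulk (the SNMP operations listed on slide 7). The OID prefix, the column layout, the choice of "key" fields and the lossy-channel retry simulation are assumptions made for illustration; only the standard library is used.

```python
"""Added example (not the slide deck's code): agent-side alert subtree in a
MIB, acknowledged notification with key fields, console-side getNext walk.
OID prefix, columns, key-field choice and the loss model are assumptions."""
import random
import xml.etree.ElementTree as ET

# The IDMEF message shown on slide 5, compacted into one string.
IDMEF_SAMPLE = """<IDMEF-Message version="1.0"><Alert ident="abc123456789">
<Analyzer analyzerid="hq-dmz-analyzer01"><Node category="dns">
<location>Headquarters DMZ Network</location><name>analyzer01.example.com</name>
</Node></Analyzer><CreateTime ntpstamp="0xbc723b45.0xef449129">
2000-03-09T10:01:25.93464-05:00 </CreateTime><Source ident="a1b2c3d4">
<Node ident="a1b2c3d4-001" category="dns"><name>badguy.example.net</name>
<Address ident="a1b2c3d4-002" category="ipv4-net-mask"><address>192.0.2.50</address>
<netmask>255.255.255.255</netmask></Address></Node></Source>
<Target ident="d1c2b3a4"><Node ident="d1c2b3a4-001" category="dns">
<Address category="ipv4-addr-hex"><address>0xde796f70</address></Address>
</Node></Target><Classification origin="bugtraqid"><name>124</name>
<url>http://www.securityfocus.com</url></Classification></Alert></IDMEF-Message>"""

ALERT_BASE = "1.3.6.1.4.1.99999.1"   # placeholder enterprise OID (assumed, not registered)
# Each alert is one row: <ALERT_BASE>.<alertIndex>.<column>
COLUMNS = {1: "ident", 2: "analyzer", 3: "createTime",
           4: "sourceAddr", 5: "targetAddr", 6: "classification"}
KEY_COLUMNS = (1, 3, 4, 6)   # assumed "most important" fields carried in the notification


def idmef_to_fields(xml_text):
    """Flatten the IDMEF parts the slide annotates (who reports, when, who, where, what)."""
    alert = ET.fromstring(xml_text).find("Alert")
    return {
        "ident": alert.get("ident"),
        "analyzer": alert.find("Analyzer").get("analyzerid"),
        "createTime": alert.find("CreateTime").text.strip(),
        "sourceAddr": alert.find("Source/Node/Address/address").text,
        "targetAddr": alert.find("Target/Node/Address/address").text,
        "classification": alert.find("Classification/name").text,
    }


def _oid_key(oid):
    """Numeric tuple so that getNext uses SNMP's lexicographic OID order, not string order."""
    return tuple(int(p) for p in oid.split("."))


class AgentMib:
    """Alert table kept by the IDS agent: one subtree per alert, addressed by OID."""

    def __init__(self):
        self.oids = {}        # OID string -> value
        self.next_index = 1

    def insert_alert(self, fields):
        idx, self.next_index = self.next_index, self.next_index + 1
        for col, name in COLUMNS.items():
            self.oids[f"{ALERT_BASE}.{idx}.{col}"] = fields[name]
        return idx

    def get(self, oid):
        return self.oids.get(oid)

    def get_next(self, oid):
        """getNext: the first stored OID strictly after `oid`, or (None, None) at end of MIB."""
        key = _oid_key(oid)
        later = sorted((k for k in self.oids if _oid_key(k) > key), key=_oid_key)
        return (later[0], self.oids[later[0]]) if later else (None, None)

    def get_bulk(self, oid, max_repetitions):
        """getBulk: up to max_repetitions successive getNext results in one response."""
        out, cur = [], oid
        for _ in range(max_repetitions):
            cur, val = self.get_next(cur)
            if cur is None:
                break
            out.append((cur, val))
        return out


def build_notification(mib, idx):
    """Varbinds of the acknowledged notification: only the key columns of the new row."""
    return [(f"{ALERT_BASE}.{idx}.{c}", mib.get(f"{ALERT_BASE}.{idx}.{c}")) for c in KEY_COLUMNS]


def deliver_with_retries(varbinds, loss_probability, max_retries, seed=0):
    """Assumed loss model for the UDP path: the notification and its ack each survive with
    probability 1 - loss_probability; resend until acked or retries run out."""
    rng = random.Random(seed)
    for attempt in range(1, max_retries + 1):
        arrived = rng.random() >= loss_probability
        acked = arrived and rng.random() >= loss_probability
        if acked:
            return True, attempt
    return False, max_retries


def walk_alert(mib, idx):
    """Console side: fetch the remaining fields of one alert by walking its subtree."""
    row = f"{ALERT_BASE}.{idx}"
    fields, oid = {}, row
    while True:
        oid, val = mib.get_next(oid)
        if oid is None or not oid.startswith(row + "."):
            break
        fields[COLUMNS[int(oid.rsplit(".", 1)[1])]] = val
    return fields


if __name__ == "__main__":
    mib = AgentMib()
    idx = mib.insert_alert(idmef_to_fields(IDMEF_SAMPLE))
    print("notification:", build_notification(mib, idx))
    print("delivered:", deliver_with_retries(build_notification(mib, idx), 0.3, 4))
    print("console walk:", walk_alert(mib, idx))
```

The notification carries four varbinds instead of the whole XML document; everything else stays in the agent's MIB until the console decides it needs it, which is the traffic-saving behaviour the slide describes. The getNext implementation sorts on numeric OID components on purpose: a string sort would place `.10` before `.2` and break subtree walks once more than nine alerts are stored.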

SLIDE 9

Performance Simulations (1): Overall Traffic

  • Network
    – IEEE 802.11b
  • Applications
    – VoIP (2.4 kbit/s)
    – C2IS (JMS)
    – UChat
    – SMTP/HTTP
  • IDS Messages
    – Events/Heartbeats (E/H): n→1
    – Neighborhood Watching (NW): n→m
    – Traffic Statistics (TS): n→1

SLIDE 10

Performance Simulations (2): Packet Delivery

  • PDF (packet delivery fraction) decreases due to the significant amount of IDS traffic
  • Maximum rates for IDS messages for PDF > 99%:
    – E/H: 2 Hz
    – NW: 0.1 Hz
    – TS: 0.1 Hz
  • Higher packet loss can be expected in reality:
    – Buffer overflows
    – Radio interference

SLIDE 11

Advantages of SNMP approach

  • Characteristics of MANETs are considered
    – Dynamic behaviour and short link lifetimes → connectionless and robust communication
    – Low CPU performance and limited battery capacity → lightweight protocol and architecture
  • Compatibility w/ existing protocols & data models
    – (Meta-)IDS interconnection
    – Integration into SNMP management frameworks
  • Free configurability for different IDS setups, due to different deployment scenarios and network sizes
  • Usage of existing products for message transport and security
SLIDE 12

Implementation: IDS Agents

Figure (block diagram of an IDS agent; only the component names are recoverable): Sensor Data Request/Response Infrastructure (SNMPd) with IMF Server, Notification Generator, Request Handler, MIB Manager and Encr./Integr./Authent.; Sensors (CPU Profiler, GPS Checker, Routing, Signal, Checksums, Logfile Watcher, NIDS Wrapper, External Sensor Data); Detectors (Internal/External, Integrity Checker, Neighbourhood Assessment, Local Trust Assessment, Trust Management); Response Selector and Responders (Kill Procs., Reconf. Routing, Shutdown System); IDMEF/SNMP Message Engine; SNMP API; SNMPv3 Traps/Notifications towards the MANET.

IMF = InterMediate Format

SLIDE 13

Conclusions & Further Work

  • Current IDS infrastructure protocols do not meet the requirements of tactical MANETs.
  • SNMPv3 provides mechanisms for implementing all necessary types of IDS infrastructures.
  • Development of architecture components
  • Prototypical implementation
    – Sensor / detector / responder infrastructure
    – Dynamic storage of IDS event messages in the Management Information Base (MIB)
  • Further Work:
    – Integration of more sensors / detectors / responders
    – Anomaly detection approach for traffic statistics

SLIDE 15

Implementation (2): Event Message Handling

Figure (block diagram; only the component names are recoverable): on the Lightweight Node, SNMPd with IMF Server, Request Handler, MIB Manager, Encr./Integr./Authent. and Notification Engine, plus Detector, NG and ACM, connected via buffer, pipe and sockets; on the Fully Equipped Node, SNMPTrapd with Trap Receiver, XML Connector, XML Adapter, XML Message Engine, Detector, GUI and an IDMEF based wired IDS; both nodes exchange SNMPv3 messages over the MANET.

IMF = InterMediate Format, NG = Notification Generator, ACM = Agent Connection Manager