Expansion of the SURFnet Intrusion Detection System R. Buijs P. - - PowerPoint PPT Presentation

▶

Apr 06, 2024 270 likes •457 views

Expansion of the SURFnet Intrusion Detection System R. Buijs P. Siekerman System and Network Engineering 7-2-2007 R. Buijs P. Siekerman (SNE) Expansion of SURFnet IDS 7-2-2007 1 / 18 Contents Assignment 1 Intrusion Detection Systems 2

SLIDE 1

Expansion of the SURFnet Intrusion Detection System

R. Buijs
P. Siekerman

System and Network Engineering

7-2-2007

R. Buijs P. Siekerman (SNE)

Expansion of SURFnet IDS 7-2-2007 1 / 18

SLIDE 2

1

Assignment

2

Intrusion Detection Systems

3

SURFnet IDS

4

IDS Software

5

Conclusion

R. Buijs P. Siekerman (SNE)

Expansion of SURFnet IDS 7-2-2007 2 / 18

SLIDE 3

Assignment

Suggest improvements to SURFnet IDS. Greater diversity IDS product research

R. Buijs P. Siekerman (SNE)

Expansion of SURFnet IDS 7-2-2007 3 / 18

SLIDE 4

Intrusion Detection Systems

What is an IDS? HIDS

Host based Monitors attacks to host

NIDS

Network based Monitors malicious traffic on network, multiple hosts

R. Buijs P. Siekerman (SNE)

Expansion of SURFnet IDS 7-2-2007 4 / 18

SLIDE 5

Intrusion Detection Systems

Low-interaction

Service emulator Limited to emulation Easier to detect

High-interaction

Runs real services Real host, or virtual Zero day attacks

R. Buijs P. Siekerman (SNE)

Expansion of SURFnet IDS 7-2-2007 5 / 18

SLIDE 6

SURFnet IDS

Distributed sensor-based HIDS Sensor

Any PC USB stick Remastered Knoppix OpenVPN

R. Buijs P. Siekerman (SNE)

Expansion of SURFnet IDS 7-2-2007 6 / 18

SLIDE 7

SURFnet IDS

R. Buijs P. Siekerman (SNE)

Expansion of SURFnet IDS 7-2-2007 7 / 18

SLIDE 8

SURFnet IDS server

Nepenthes

Simulates vulnerabilities, and collects mallware More than 20 simulations currently available Reports to PostgreSQL database

Argos

High interaction IDS Can be used to analyse Zero day attacks

R. Buijs P. Siekerman (SNE)

Expansion of SURFnet IDS 7-2-2007 8 / 18

SLIDE 9

SURFnet IDS Webinterface

Customer can log in Access to information of their sensor Which attacks Statistics

R. Buijs P. Siekerman (SNE)

Expansion of SURFnet IDS 7-2-2007 9 / 18

SLIDE 10

IDS Software: Filesystem Integrity Checking

Tripwire Samhain

Client-server based

Aide

R. Buijs P. Siekerman (SNE)

Expansion of SURFnet IDS 7-2-2007 10 / 18

SLIDE 11

IDS Software: Low-interaction honeypots

Honeyd:

Simulates a host with vulnerable services Simulates complicated networks Well documented Infrequently updated

R. Buijs P. Siekerman (SNE)

Expansion of SURFnet IDS 7-2-2007 11 / 18

SLIDE 12

IDS Software: Low-interaction honeypots

Honeytrap:

Simple: ”Poor man’s service emulator” Mirror mode Regularly updated Badly documented No community

R. Buijs P. Siekerman (SNE)

Expansion of SURFnet IDS 7-2-2007 12 / 18

SLIDE 13

IDS Software: Prelude (1)

Prelude:

IDS Framework Sensors IDMEF (XML) Policies Web-interface Prewikka

R. Buijs P. Siekerman (SNE)

Expansion of SURFnet IDS 7-2-2007 13 / 18

SLIDE 14

IDS Software: Prelude (2)

Prelude test:

Slow Web-interface needs to be modified

R. Buijs P. Siekerman (SNE)

Expansion of SURFnet IDS 7-2-2007 14 / 18

SLIDE 15

IDS Software: Snort

Network traffic analyse tool Operation Modes

Sniffer / logger mode Inline mode Network intrusion detection mode

R. Buijs P. Siekerman (SNE)

Expansion of SURFnet IDS 7-2-2007 15 / 18

SLIDE 16

IDS Software: Snort NIDS mode

Rules Alerts Logging Implementation Maintenance

R. Buijs P. Siekerman (SNE)

Expansion of SURFnet IDS 7-2-2007 16 / 18

SLIDE 17

Conclusion

Let SURFnet IDS detect more malicious traffic Our advice: Integrate Snort SURFnet IDS will cover a greater diversity of malicious traffic

R. Buijs P. Siekerman (SNE)

Expansion of SURFnet IDS 7-2-2007 17 / 18

SLIDE 18

Questions?

R. Buijs P. Siekerman (SNE)

Expansion of SURFnet IDS 7-2-2007 18 / 18