SURFnet IDS / OS3 UvA Project Extension of the SURFnet Intrusion - - PowerPoint PPT Presentation



SLIDE 1

SURFnet IDS / OS3 UvA Project

Michael Rave and Coen Steenbeek, 7 February 2007

Extension of the SURFnet Intrusion Detection System Sensors to Microsoft Windows XP

SLIDE 2

Overview

  • Intrusion Detection Systems
  • SURFnet IDS
  • Problem Definition
  • Research
  • Solutions
  • Conclusion
  • Future Work
  • Questions


SLIDE 3

Intrusion Detection Systems

  • What is an IDS?
    – Detects unwanted manipulations
    – Hackers, script kiddies, worms, etc.
    – Detection, no prevention
  • Different sorts of IDSs
    – Network IDS
    – Host-based IDS
    – Hybrid IDS


SLIDE 4

SURFnet IDS

  • Distributed IDS
    – Client-server model
  • Distributed sensors
    – Modified Knoppix distribution
    – Layer-2 VPN tunnel in bridging mode
  • Honeypot
    – Nepenthes
  • Logging Server
    – PostgreSQL database
    – Apache webserver


SLIDE 5

SURFnet IDS


SLIDE 6

Problem Definition

“How to give a desktop computer the same functionality as the current SURFnet IDS sensors without affecting the current functionality of the desktop computer?”


SLIDE 7

Sub-questions

  • How to obtain unused ports on Windows XP
  • How to forward certain ports on Windows XP
  • How to forward incoming traffic on certain ports to the honeypot without changing the source IP-address of the incoming packets


SLIDE 8

Research

  • Unused Ports
    – Netstatp
    – Nmap
    – Winpcap
    – …
  • Port forwarding
    – Trivial Port Forward
    – Netsh
    – Wintunnel
    – …
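The "unused ports" step from the sub-questions and the research list, as an added example that is not part of the presentation or the OS3/SURFnet project code: it parses the text that Windows `netstat -an` prints (Netstatp reports the same information), collects the ports desktop services already hold, and reports which candidate honeypot ports can be forwarded without touching those services. The netstat sample and the candidate port list are constructed for this example.

```python
import re

# Constructed sample of `netstat -an` output on a Windows XP desktop.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1048      10.0.0.5:443           ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    127.0.0.1:1900         *:*
"""

# Constructed candidate list of ports to hand to the honeypot (assumption;
# the real list comes from the honeypot configuration).
CANDIDATE_PORTS = {
    "TCP": [21, 42, 80, 135, 139, 445, 3372, 5000],
    "UDP": [69, 137, 1434],
}

# proto, local address, local port, foreign address, optional state column
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?")


def bound_ports(netstat_text):
    """Return {"TCP": set, "UDP": set} of ports the host already uses.
    A TCP port counts only when a socket is LISTENING on it (an outbound
    ESTABLISHED connection on an ephemeral port is not a service); UDP
    lines have no state column, so every listed UDP port counts."""
    used = {"TCP": set(), "UDP": set()}
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank or unrelated line
        proto, _local, port, state = m.groups()
        if proto == "UDP" or state == "LISTENING":
            used[proto].add(int(port))
    return used


def split_candidates(candidates, used):
    """Split candidate ports into (forwardable, conflicting) per protocol.
    Conflicting ports belong to a desktop service; forwarding them would
    break that service, which the problem definition rules out."""
    free, busy = {}, {}
    for proto, ports in candidates.items():
        free[proto] = sorted(p for p in ports if p not in used[proto])
        busy[proto] = sorted(p for p in ports if p in used[proto])
    return free, busy
```

On a real sensor, feed `bound_ports` the captured output of `netstat -an` and hand only the `free` ports to the forwarding step; the `busy` list is what the desktop keeps.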


SLIDE 9

Solutions

  • “How to forward incoming traffic on certain ports to the honeypot without changing the source IP-address of the incoming packets”
  • Indirect Solution
  • Direct Solution


SLIDE 10

Solution: Indirect


SLIDE 11

Implementation: Indirect

  • Challenges (indirect)
    – Source IP-address of attacker
  • Solution
    – IP-tunneling/IPSec/IPv6?
    – Not tested


SLIDE 12

Advantages/Disadvantages: Indirect


  • Advantages
    – Sensor server already present in current setup
    – Only one VPN connection
    – Better structure
  • Disadvantages
    – IP-tunneling/IPSec/IPv6 introduces difficulties
    – No working concept, so not tested

SLIDE 13

Solution: Direct


SLIDE 14

Implementation: Direct

  • Challenges (direct)
    – Source IP-address of attacker
    – Routing through same tunnel
  • Solutions
    – Netsh, pre-routed NAT
    – Source based routing


SLIDE 15

Advantages/Disadvantages: Direct

  • Advantages
    – Secure VPN tunnel
    – No changes to current sensor
    – Already tested successfully
  • Disadvantages
    – Every sensor needs its own VPN tunnel
    – Many rules in source based routing tables


SLIDE 16

Future Work

  • IP-tunneling/IPv6/IPSec for indirect solutions
  • Further tests
  • Efficient port checking
    – No opening of ports
    – Opening when attacked


SLIDE 17

Conclusion

  • Summary
    – Two solutions
    – First tested successfully
    – Second needs more research and testing
  • We recommend
    – Direct solution
      • Secure VPN tunnel
      • Successfully tested
      • No modifications to old-style sensor
      • Only small modifications to honeypot server
      • Both sensor types (old and new) work in conjunction


SLIDE 18

Questions?
