Expansion of the SURFnet Intrusion Detection System R. Buijs P. Siekerman System and Network Engineering 7-2-2007 R. Buijs P. Siekerman (SNE) Expansion of SURFnet IDS 7-2-2007 1 / 18
Contents Assignment 1 Intrusion Detection Systems 2 SURFnet IDS 3 IDS Software 4 Conclusion 5 R. Buijs P. Siekerman (SNE) Expansion of SURFnet IDS 7-2-2007 2 / 18
Assignment Suggest improvements to SURFnet IDS. Greater diversity IDS product research R. Buijs P. Siekerman (SNE) Expansion of SURFnet IDS 7-2-2007 3 / 18
Intrusion Detection Systems What is an IDS? HIDS Host based Monitors attacks to host NIDS Network based Monitors malicious traffic on network, multiple hosts R. Buijs P. Siekerman (SNE) Expansion of SURFnet IDS 7-2-2007 4 / 18
Intrusion Detection Systems Low-interaction Service emulator Limited to emulation Easier to detect High-interaction Runs real services Real host, or virtual Zero day attacks R. Buijs P. Siekerman (SNE) Expansion of SURFnet IDS 7-2-2007 5 / 18
SURFnet IDS Distributed sensor-based HIDS Sensor Any PC USB stick Remastered Knoppix OpenVPN R. Buijs P. Siekerman (SNE) Expansion of SURFnet IDS 7-2-2007 6 / 18
SURFnet IDS R. Buijs P. Siekerman (SNE) Expansion of SURFnet IDS 7-2-2007 7 / 18
SURFnet IDS server Nepenthes Simulates vulnerabilities, and collects mallware More than 20 simulations currently available Reports to PostgreSQL database Argos High interaction IDS Can be used to analyse Zero day attacks R. Buijs P. Siekerman (SNE) Expansion of SURFnet IDS 7-2-2007 8 / 18
SURFnet IDS Webinterface Customer can log in Access to information of their sensor Which attacks Statistics R. Buijs P. Siekerman (SNE) Expansion of SURFnet IDS 7-2-2007 9 / 18
IDS Software: Filesystem Integrity Checking Tripwire Samhain Client-server based Aide R. Buijs P. Siekerman (SNE) Expansion of SURFnet IDS 7-2-2007 10 / 18
IDS Software: Low-interaction honeypots Honeyd: Simulates a host with vulnerable services Simulates complicated networks Well documented Infrequently updated R. Buijs P. Siekerman (SNE) Expansion of SURFnet IDS 7-2-2007 11 / 18
IDS Software: Low-interaction honeypots Honeytrap: Simple: ”Poor man’s service emulator” Mirror mode Regularly updated Badly documented No community R. Buijs P. Siekerman (SNE) Expansion of SURFnet IDS 7-2-2007 12 / 18
IDS Software: Prelude (1) Prelude: IDS Framework Sensors IDMEF (XML) Policies Web-interface Prewikka R. Buijs P. Siekerman (SNE) Expansion of SURFnet IDS 7-2-2007 13 / 18
IDS Software: Prelude (2) Prelude test: Slow Web-interface needs to be modified R. Buijs P. Siekerman (SNE) Expansion of SURFnet IDS 7-2-2007 14 / 18
IDS Software: Snort Network traffic analyse tool Operation Modes Sniffer / logger mode Inline mode Network intrusion detection mode R. Buijs P. Siekerman (SNE) Expansion of SURFnet IDS 7-2-2007 15 / 18
IDS Software: Snort NIDS mode Rules Alerts Logging Implementation Maintenance R. Buijs P. Siekerman (SNE) Expansion of SURFnet IDS 7-2-2007 16 / 18
Conclusion Let SURFnet IDS detect more malicious traffic Our advice: Integrate Snort SURFnet IDS will cover a greater diversity of malicious traffic R. Buijs P. Siekerman (SNE) Expansion of SURFnet IDS 7-2-2007 17 / 18
Questions? Questions? R. Buijs P. Siekerman (SNE) Expansion of SURFnet IDS 7-2-2007 18 / 18
Recommend
More recommend