IS 2150 / TEL 2810: Introduction to Security
James Joshi, Associate Professor, SIS
Lecture 10, Dec 2, 2008
Intrusion Detection, Firewalls & VPN

Intrusion Detection

Intrusion Detection/Response
- Denning: systems under attack fail to meet one or more of the following characteristics
  1. Actions of users/processes conform to statistically predictable patterns
  2. Actions of users/processes do not include sequences of commands to subvert security policy
  3. Actions of processes conform to specifications describing allowable actions

Intrusion Detection
- Idea: an attack can be discovered by one of the above being violated
- Practical goals of intrusion detection systems:
  - Detect a wide variety of intrusions (known + unknown)
  - Detect in a timely fashion
  - Present analysis in a useful manner
    - Need to monitor many components; proper interfaces needed
  - Be (sufficiently) accurate
    - Minimize false positives and false negatives

IDS Types: Anomaly Detection
- Compare system characteristics with expected values
- Threshold metric: alarm when a statistic deviates past a threshold
  - E.g., number of failed logins
- Statistical moments: mean/standard deviation
  - Number of user events in a system
  - Time periods of user activity
  - Resource usage profiles
- Markov model: based on state, expected likelihood of transition to new states
  - If a low-probability event occurs, it is considered suspicious

IDS Types: Misuse Modeling
- Does the sequence of instructions violate the security policy?
  - Problem: how do we know all violating sequences?
  - Solution: capture known violating sequences
    - Generate a rule set for an intrusion signature
- Alternate solution: state-transition approach
  - Known "bad" state transition from an attack
  - Capture when the transition has occurred (user -> root)

Specification Modeling
- Does the sequence of instructions violate the system specification?
  - What is the system specification?
- Need to formally specify operations of potentially critical (trusted) code
- Verify that post-conditions are met

IDS Systems
- Anomaly detection
  - Intrusion Detection Expert System (IDES); successor is NIDES
  - Network Security Monitor (NSM)
- Misuse detection
  - Intrusion Detection In Our Time (IDIOT), colored Petri nets
  - USTAT
  - ASAX (rule-based)
- Hybrid
  - NADIR (Los Alamos)
  - Haystack (Air Force, adaptive)
  - Hyperview (uses a neural network)
  - Distributed IDS (Haystack + NSM)

IDS Architecture
- Similar to an audit system
  - Log events
  - Analyze log
- Difference: happens in real time (timely fashion)
- (Distributed) IDS idea:
  - Agent generates log
  - Director analyzes logs
    - May be adaptive
  - Notifier decides how to handle the result
    - GrIDS displays attacks in progress
- [Diagram: an Agent on Host 1 (and further hosts) sends logs to the Director, which passes its results to the Notifier]

Where is the Agent?
- Host-based IDS
  - Watches events on the host
  - Often uses existing audit logs
- Network-based IDS
  - Packet sniffing
  - Firewall logs

IDS Problem
- An IDS is useless unless accurate
  - Significant fraction of intrusions detected
  - Significant number of alarms correspond to intrusions
- Goal is to
  - Reduce false positives: reports an attack, but no attack is underway
  - Reduce false negatives: an attack occurs but the IDS fails to report it

Intrusion Response
- Incident prevention
  - Stop the attack before it succeeds
  - Measures to detect the attacker
  - Example: jailing (also honeypots)
- Intrusion handling
  - Preparation for detecting attacks
  - Identification of an attack
  - Contain the attack
  - Eradicate the attack
  - Recover to a secure state
  - Follow-up to the attack: punish the attacker

Containment
- Passive monitoring
  - Track intruder actions
  - Eases recovery and punishment
- Constraining access
  - Downgrade attacker privileges
  - Protect sensitive information
- Why not just pull the plug?

Eradication
- Terminate network connection
- Terminate processes
- Block future attacks
  - Close ports
  - Disallow specific IP addresses
  - Wrappers around attacked applications

Follow-Up
- Legal action
  - Trace through the network
- Cut off resources
  - Notify ISP of action
- Counterattack
  - Is this a good idea?

Firewalls & VPN

What is a VPN?
- A network that supports a closed community of authorized users
- Uses the public Internet as part of the virtual private network
- There is traffic isolation
  - Contents, services, resources are secure
- Provides security:
  - Confidentiality and integrity of data
  - User authentication
  - Network access control
- IPsec can be used
- Tunneling in VPN

Perimeter Defense
- An organization's system consists of a network of many host machines
  - The system is as secure as the weakest link
- Use perimeter defense
  - Define a border and use a gatekeeper (firewall)
- If host machines are scattered and need to use a public network, use encryption
  - Virtual Private Networks (VPNs)

Perimeter Defense
- Is it adequate?
  - Locating and securing all perimeter points is quite difficult
  - Less effective for a large border
  - Inspecting/ensuring that remote connections are adequately protected is difficult
  - Insider attacks are often the most damaging

Firewalls
- Total isolation of networked systems is undesirable
  - Use firewalls to achieve selective border control
- Firewall
  - Is a configuration of machines and software
  - Limits network access
  - "For free" inside many devices
  - Alternate: a firewall is a host that mediates access to a network, allowing and disallowing certain types of access based on a configured security
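Worked example for the "IDS Types: Anomaly Detection" slide above. This is an added example, not code from the lecture or from any of the systems it lists: it implements the three metrics the slide names (threshold, statistical moments, Markov model) and runs them over constructed sample data. The failed-login count, the per-day login history, the training command sessions and the suspect session are all made up for the example; the thresholds (5 failed logins, 3 standard deviations, a 0.05 transition-probability cutoff) are assumptions a deployment would tune.

```python
"""Added example (not from the slides): the three anomaly-detection
metrics from the 'IDS Types: Anomaly Detection' slide, each run over
constructed sample data.  All sample values are made up."""
from collections import Counter, defaultdict
from statistics import mean, pstdev


def threshold_alert(failed_logins, threshold=5):
    """Threshold metric: alarm once the statistic reaches the threshold."""
    return failed_logins >= threshold


def zscore_alert(history, observation, k=3.0):
    """Statistical moments: profile a user by the mean/standard deviation
    of past observations and alarm when a new one lies more than k
    standard deviations from the mean.  Returns (z, alarm)."""
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:  # flat profile: any deviation at all is anomalous
        return (0.0, False) if observation == mu else (float("inf"), True)
    z = (observation - mu) / sigma
    return z, abs(z) > k


class MarkovProfile:
    """First-order Markov model of a user's command stream: the state is
    the last command and the learned transition probabilities say how
    likely each next command is.  A transition whose probability is
    below min_prob is reported as suspicious."""

    def __init__(self, training_sequences, floor=1e-3):
        self.counts = defaultdict(Counter)
        self.floor = floor  # probability assigned to never-seen transitions
        for seq in training_sequences:
            for prev, nxt in zip(seq, seq[1:]):
                self.counts[prev][nxt] += 1

    def transition_prob(self, prev, nxt):
        total = sum(self.counts[prev].values())
        seen = self.counts[prev][nxt]
        return seen / total if seen else self.floor

    def suspicious_transitions(self, seq, min_prob=0.05):
        return [(p, n, self.transition_prob(p, n))
                for p, n in zip(seq, seq[1:])
                if self.transition_prob(p, n) < min_prob]


# Constructed sample data (not real audit records).
FAILED_LOGINS_TODAY = 7
LOGINS_PER_DAY = [40, 42, 38, 45, 41, 39, 44, 40, 43, 41]  # one user's history
TRAINING_SESSIONS = [
    ["ls", "cd", "ls", "vim", "make", "ls", "vim", "make", "git"],
    ["cd", "ls", "vim", "make", "make", "git", "ls"],
    ["ls", "vim", "make", "git", "cd", "ls", "vim"],
]
SUSPECT_SESSION = ["ls", "cd", "wget", "chmod", "./payload", "su"]


def run_demo():
    profile = MarkovProfile(TRAINING_SESSIONS)
    return {
        "threshold": threshold_alert(FAILED_LOGINS_TODAY),
        "zscore_normal": zscore_alert(LOGINS_PER_DAY, 43),
        "zscore_spike": zscore_alert(LOGINS_PER_DAY, 120),
        "markov": profile.suspicious_transitions(SUSPECT_SESSION),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The Markov profile is the interesting one: the suspect session's `ls -> cd` is a transition the user has made before and passes, while `cd -> wget` and everything after it was never seen in training and is scored at the floor probability. That is also the weakness the "IDS Problem" slide is about: a user who legitimately picks up a new tool will trip the same alarm, so the cutoff and the floor decide the false-positive rate.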
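Worked example for the "IDS Types: Misuse Modeling" slide above: the rule-set (signature) approach and the state-transition approach side by side. This is an added example, not code from the lecture or from USTAT, IDIOT or any other system the slides name. The audit-record format, the three-step "setuid shell" signature and the event stream are all constructed for the example, and the set of programs treated as sanctioned ways to reach root (login, su, sudo) is an assumption.

```python
"""Added example (not from the slides): the two misuse-modeling
techniques from the 'IDS Types: Misuse Modeling' slide, run over a
constructed audit stream.  The 'setuid shell' signature is an
illustrative pattern written for this example, not a real rule set."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One audit record (constructed format, not a real audit trail)."""
    t: int
    user: str
    program: str
    args: str
    euid_before: int
    euid_after: int


# Signature as an ordered list of predicates: all must match, in order,
# for the same user, with unrelated events allowed in between.
SETUID_SHELL_SIGNATURE = [
    lambda e: e.program == "cp" and e.args.startswith("/bin/sh "),
    lambda e: e.program == "chmod" and "4755" in e.args,
    lambda e: e.program.startswith("/tmp/") and e.euid_after == 0,
]


def match_signature(events, signature):
    """Rule-set approach: advance one matcher per user through the
    signature and report each complete match with its evidence."""
    alerts, progress = [], {}
    for e in events:
        idx, evidence = progress.get(e.user, (0, []))
        if signature[idx](e):
            idx, evidence = idx + 1, evidence + [e]
            if idx == len(signature):
                alerts.append((e.user, evidence))
                idx, evidence = 0, []
        progress[e.user] = (idx, evidence)
    return alerts


SANCTIONED_ESCALATION = {"login", "su", "sudo"}  # assumption for the example


def bad_transitions(events):
    """State-transition approach: the state is the effective uid and the
    known 'bad' transition is user -> root by any program other than the
    sanctioned ones.  No signature is needed, so an attack that reaches
    root by a different sequence of steps is still caught."""
    return [e for e in events
            if e.euid_before != 0 and e.euid_after == 0
            and e.program not in SANCTIONED_ESCALATION]


# Constructed audit stream: alice plants a setuid shell, interleaved with
# noise; bob does a legitimate su; carol reaches root by some other path.
EVENTS = [
    Event(1, "alice", "ls", "-la", 1000, 1000),
    Event(2, "alice", "cp", "/bin/sh /tmp/.x", 1000, 1000),
    Event(3, "alice", "vim", "notes.txt", 1000, 1000),
    Event(4, "alice", "chmod", "4755 /tmp/.x", 1000, 1000),
    Event(5, "bob", "su", "-", 1001, 0),
    Event(6, "bob", "cp", "/bin/sh /tmp/legit", 0, 0),
    Event(7, "alice", "/tmp/.x", "", 1000, 0),
    Event(8, "carol", "/tmp/exploit", "", 1002, 0),
]


def run_demo():
    return {
        "signature_alerts": match_signature(EVENTS, SETUID_SHELL_SIGNATURE),
        "bad_transitions": bad_transitions(EVENTS),
    }


if __name__ == "__main__":
    result = run_demo()
    for user, evidence in result["signature_alerts"]:
        print(f"signature match for {user}: events {[e.t for e in evidence]}")
    for e in result["bad_transitions"]:
        print(f"user->root at t={e.t} via {e.program} ({e.user})")
```

The two results differ in exactly the way the slide's "Problem: how do we know all violating sequences?" predicts. The signature fires only for alice, whose events 2, 4 and 7 match its three steps; carol's event 8 reaches root without those steps and the signature misses it (a false negative), while the state-transition check reports both alice and carol and ignores bob's sanctioned `su`.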
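Worked example for the "Firewalls" slide above (a host that mediates access to a network, allowing and disallowing types of access based on a configured policy), which also shows the "disallow specific IP addresses" step from the "Eradication" slide as a rule. This is an added example, not code from the lecture or from any firewall product: a first-match, default-deny packet filter whose rule and packet formats are invented here, with addresses taken from the RFC 5737 documentation ranges and a made-up DMZ policy.

```python
"""Added example (not from the slides): a packet filter of the kind the
'Firewalls' slide describes, deciding per packet from a configured
policy.  Rules, addresses and packets are constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: str = "0.0.0.0/0"      # CIDR or single address
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


def evaluate(rules, packet):
    """First matching rule wins; no match means the default-deny stance
    applies.  Returns (action, index of the deciding rule, or None when
    the default applied)."""
    for i, rule in enumerate(rules):
        if rule.matches(packet):
            return rule.action, i
    return "deny", None


# Constructed perimeter policy for a DMZ: block an abusive netblock (the
# 'disallow specific IP addresses' step of eradication), expose only
# HTTPS and SMTP to the outside, let the inside reach the DMZ, deny the rest.
POLICY = [
    Rule("deny", src="203.0.113.0/24", comment="blocked attacker netblock"),
    Rule("allow", dst="192.0.2.10", proto="tcp", dport=443, comment="public web"),
    Rule("allow", dst="192.0.2.20", proto="tcp", dport=25, comment="inbound mail"),
    Rule("allow", src="10.0.0.0/8", dst="192.0.2.0/24", comment="internal to DMZ"),
]


def run_demo():
    web_from_outside = Packet("198.51.100.5", "192.0.2.10", "tcp", 443)
    web_from_blocked = Packet("203.0.113.7", "192.0.2.10", "tcp", 443)
    ssh_from_outside = Packet("198.51.100.5", "192.0.2.10", "tcp", 22)
    admin_from_inside = Packet("10.1.2.3", "192.0.2.10", "tcp", 22)
    # Same rules with the block rule moved to the end: under first-match
    # semantics the blocked netblock now reaches the web server.
    misordered = POLICY[1:] + POLICY[:1]
    return {
        "web_from_outside": evaluate(POLICY, web_from_outside),
        "web_from_blocked": evaluate(POLICY, web_from_blocked),
        "ssh_from_outside": evaluate(POLICY, ssh_from_outside),
        "admin_from_inside": evaluate(POLICY, admin_from_inside),
        "web_from_blocked_misordered": evaluate(misordered, web_from_blocked),
    }


if __name__ == "__main__":
    for name, (action, idx) in run_demo().items():
        print(f"{name}: {action} (rule {idx})")
```

Two points worth taking from the run. Default deny is what turns the firewall into "selective border control": the SSH attempt from outside matches nothing and is dropped without anyone having written a rule for it. And rule order is part of the policy: the blocked netblock is kept out only because its deny precedes the allow for port 443, and the misordered variant lets it straight through to the web server.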