Linux Intrusion Detection Systems (08/07/2008)
Thursday August 7, 2008 11:33

11:33  Basic Security - If you aren't doing the basics right, then intrusion detection is not going to help you.
11:33  It's like locking your front door, but leaving the back door or windows open.
11:33  Security is all about process - it is not a magic product!
11:34  Understanding the types of services you have running helps - only run things that really need to be there! Otherwise, you may be allowing holes you did not count on.
11:34  One of the best and easiest basic things is keeping your software updates current.
11:35  You should also have as your basic plan that you are scanning and auditing your systems regularly.
11:35  What is an Intrusion Detection System?
11:36  It's a system that scans - does reconnaissance, watches hacking attempts, and keeps an eye on traffic.
11:36  There are network based and hardware based IDS.
11:37  If you are attached to the Internet - you are subject to attack!
11:37  However, 80-90% of attacks come from internal sources.
11:38  How do IDS work?
11:38  NIDS will get info from a hub or switch with mirrored ports.
11:39  HIDS get their data from traffic to and from the host as well as process info.
11:39  NIDS sends its info through some type of packet capture module - like a sniffer/sensor - referred to as pcap.
11:40  The info captured is sent to an IDS engine that has a set of rules (ruleset) that the info is compared against.
11:41  If there is a hit, the report is logged in various configurable places.
11:43  In concept - an IDS server sits on a mirrored port off of a high speed switch blade. It sees the information to servers, desktops, or other network attached devices.
11:43  NIDS could sit in a couple of places - one in front of the firewall, and one behind. The collection database is located inside.
11:44  The NIDS on the outside is used to analyze all traffic - whether it gets in or not - for research.
11:44  The NIDS on the inside is used to actually see the "real" transactions through the firewall.
11:45  Many times, large companies allow the politics of ownership to get in the way of Intrusion Detection... i.e. security dept. vs. network dept.
11:47  There are also ways of setting up large scale distributed intrusion detection - this is done through network taps across the backbone and internal networks. Servers can be dedicated to their function and centralized for ease of management.
11:47  What causes problems in IDS?
11:47  Switches - require port mirroring
11:48  Encryption - NIDS can't decode the traffic
11:48  Busy high speed traffic >100 Mbps - packets can and will be dropped
11:48  Noise generators - "Stick" and "Snot"
11:49  False positives - create a lot of extra work for the admin
11:49  Flip side - false negatives - something happens but is not reported!
11:49  IDS requires continual care and feeding!
11:50  It is important to configure a dynamic system that will be constantly maintained - high maintenance is an element that is just part of IDS.
11:51  Intrusion Prevention - create restrictive configs, adhere to basic security, and configure a layered security approach.
11:52  Intrusion Response - network node shunning and containment - where systems are disallowed from communicating with questionable systems.
11:52  You have to be careful - false positives can cause key infrastructure to be shut out because of network shunning.
11:53  TCP reset packets - session sniping - if an attack packet is detected, it sends a TCP reset packet. Basically stops the traffic immediately - remember Comcast!
11:53  So - the practical real world...
11:53  SNORT - it's about 10 years old now, very reliable, and probably the leading open source NIDS.
11:55  SNORT performs stateful real-time traffic analysis and packet logging. This means it can keep track of the various attacks on the fly.
11:55  SNORT can run as a packet sniffer, a packet logger, or in network intrusion detection mode.
11:55  The first two are like tcpdump.
11:56  SNORT logs to MySQL, PostgreSQL, and other ODBC compliant DBs.
11:56  winpopup, SNMP, and custom alerts
11:56  Webmin supports a SNORT plugin.
11:57  snort.org has a lot of info and tools.
11:57  Prelude - is a hybrid intrusion detection system; uses snort rulesets by default.
11:57  Prelude has an HTML report generator with a GUI front-end.
11:58  Works with other industry standard equipment.
11:58  Prelude has sensors that detect and forward suspicious activity to managers.
11:59  TRIPWIRE, AIDE, and Samhain - host based / file based IDS
12:00  These types look for file checksums that have changed since the last scan.
12:00  Uses a CVS based approach - http://www.linuxjournal.com/article.php?sid=5569
12:01  Linux Intrusion Detection System, grsecurity, and SELinux/LSM - if you are using these, you are probably using a custom kernel.
12:02  Takes away the all-powerful nature of 'root'.
12:02  These approaches seal the kernel - therefore things like 'rootkits' are prevented.
12:02  It enforces the file permissions and ACLs, even against root.
12:03  These also provide a very verbose trail.
12:04  Based on the Analysis Console for Intrusion Detection (ACID) project
12:05  The previous was for BASE - speaker got ahead of himself!
12:05  Swatch and Logcheck - these are logfile checkers looking for specific keywords or events, and alert admins.
12:06  May be combined with other IDS products to allow email alerts of malicious traffic detection.
12:06  Swatch is highly rated - saves admins a lot of time and effort with logging.
12:07  PSAD - dynamically updates iptables rulesets.
12:07  This runs as a collection of lightweight apps.
12:08  Commercial IDS Systems
       Cisco
       ISS - bought by Cisco
       Symantec
       Sourcefire
       Enterasys
12:09  Other places for great info
       http://www.securityfocus.com
       http://www.sans.org
       http://www.linuxsecurity.com
12:11  OSSEC - comment by a listener who felt this was something that was missed. Is a solid solution.
12:11  Question - what are the pros and cons?
12:12  It's different in each case depending on the goals and staff. Therefore the limitations are hard to specify.
12:12  Question - What is the best way to sell the ideas to management?
12:13  Short of a real security breach - Nessus is a great chart generator. Find a couple of servers and run Nessus to generate the potential vulnerability. Of course, get security approval.