Intrusion Detection The Big Picture

Chia sẻ: Huy Hoang | Ngày: | Loại File: PDF | Số trang:35

0
138
lượt xem
13
download

Intrusion Detection The Big Picture

Mô tả tài liệu
  Download Vui lòng tải xuống để xem tài liệu đầy đủ

NukeNabber can be considered a personal host intrusion detector for stand-alone PC’s, which will notify you of attempted connections to user-defined ports. Legion can be quite hard to find. Most other vulnerability scanners also now look for unprotected shares. In the back of your materials are additional references. (Editor’s note: for students taking this course online, the Glossary is included as a separate download file. – JEK)

Chủ đề:
Lưu

Nội dung Text: Intrusion Detection The Big Picture

  1. Intrusion Detection The Big Picture Stephen Northcutt Intrusion Detection - The Big Picture - SANS GIAC © 2000 1 S. Northcutt – v1.0 – Jul 2000 Edited by J. Kolde – v1.1 – Aug 2000 1
  2. Pagers and Cell Phones The high rate of slide delivery means that distractions will cause your fellow students to miss material. If you are a “high interrupt” person, please consider moving to the back of the room or disabling your pagers and phones. Questions are fine anytime. Intrusion Detection - The Big Picture - SANS GIAC © 2000 2 In this course we’ll be covering the following types of security tools and countermeasures: • firewalls • host-based intrusion detection • network-based intrusion detection • vulnerability scanners • honeypots We’ll also touch on incident response and discuss less technical issues of information security, such as risk assessment and how to justify these tools to management. 2
  3. Frequently Referred to URLs • SANS – www.sans.org • NSWC CD2S web page – www.nswc.navy.mil/ISSEC – click on forms to get the knowledge-based risk assessment forms for WinNT, Unix, Win95, Mac 8.X, etc. Intrusion Detection - The Big Picture - SANS GIAC © 2000 3 The SANS website is home to GIAC, the Global Incident Analysis Center, and to the SANS training materials, with courses like this one available online. 3
  4. More URLs • SHADOW & CIDER – www.nswc.navy.mil/ISSEC/CID • Coast – ftp://coast.cs.purdue.edu • SecurityFocus – www.securityfocus.com • Snort – www.snort.org (Win32 version at www.datanerds.net/~mike/snort.html) Intrusion Detection - The Big Picture - SANS GIAC © 2000 4 SHADOW and CIDER are free intrusion detection system projects. The Coast archive is Gene Spafford’s security tool archive. SecurityFocus is home of the Bugtraq mailing list, and has a good vulnerability database and tool archive. Snort is currently the most popular free network intrusion detection system “as seen on GIAC”. 4
  5. URLs Continued • DTK Deception Toolkit – www.all.net • CIDF – www.gidos.org – www.isi.edu/gost/brian/cidf/ • Tripwire – ftp://coast.cs.purdue.edu/pub/tools/unix/Tripwire – www.Tripwiresecurity.com/ • SPI – ciac.llnl.gov/cstc/ Intrusion Detection - The Big Picture - SANS GIAC © 2000 5 Fred Cohen’s DTK (Deception Toolkit) is an excellent tool kit for building honeypots. CIDF is the Common Intrusion Detection Framework, a standards initiative by the IETF’s Intrusion Detection working group, designed to improve IDS interoperability. Tripwire is the de facto standard in file and registry integrity checking. SPI does integrity checks for US government systems. 5
  6. Even More URLs • Vulnerability Scanners – Saint: wwdsilx.wwdsi.com/saint/ – Nessus: www.nessus.org – Nmap: www.insecure.org/nmap/ – Cerberus: www.cerberus- infosec.co.uk/cis.shtml • Phonesweep – www.sandstorm.net Intrusion Detection - The Big Picture - SANS GIAC © 2000 6 SAINT and NESSUS are general vulnerability scanners. Nmap does stealthy port scanning, OS identification and too many other functions to list. CIS is a vulnerability scanner for improving the security of Windows NT machines. They were all free last time we looked. (Editor’s note: nmap was ported to Windows NT in July 2000 by eEye Digital Security. The Windows version can be downloaded from http://www.eeye.com. – JEK) Phonesweep is a ‘wardialer’ or modem-finding tool. 6
  7. URLs URLs URLs • NukeNabber (from Puppet’s Place) – www.dynamsol.com/puppet/ • Legion (detect unprotected shares) – Rhino9 has disbanded; you will need to do a net search. NOTE: Appendix A has a glossary Intrusion Detection - The Big Picture - SANS GIAC © 2000 7 NukeNabber can be considered a personal host intrusion detector for stand-alone PC’s, which will notify you of attempted connections to user-defined ports. Legion can be quite hard to find. Most other vulnerability scanners also now look for unprotected shares. In the back of your materials are additional references. (Editor’s note: for students taking this course online, the Glossary is included as a separate download file. – JEK) 7
  8. Goal of This Course To understand how the primary components of intrusion detection capability (such as vulnerability assessments, firewalls, network- and host- based IDS systems) work together to provide information assurance. Intrusion Detection - The Big Picture - SANS GIAC © 2000 8 8
  9. GIAC Tracks • Information Security KickStart • Security Essentials Certification • Firewalls and Perimeter Protection • Intrusion Detection In-Depth • Advanced Incident Handling and Hacker Exploits • Windows NT and Windows 2000 Security • Unix Security • Systems and Network Auditing Intrusion Detection - The Big Picture - SANS GIAC © 2000 9 Clearly, there will be some repetition between the classes. These classes have been designed to be very high content. There is more material than people can normally absorb in a single sitting; when we repeat, this is done to help the student learn as much of the total material as possible. 9
  10. Introduction • Introductory Example - Mitnick Attack • Is There a Business Case for Intrusion Detection? • What We Will Cover in This Course Intrusion Detection - The Big Picture - SANS GIAC © 2000 10 Let’s get started then. In our introductory section, we are first going to show you a real attack, so we can see the type of things an attacker does in the real world, and we’ll discuss how the security components of this course could have detected or prevented it. We’ll then take a step back and put our business hats on when we examine the question of a business case for intrusion detection. Because the fact is, this stuff costs money and even with free tools, it takes up valuable time. So we’ll see how to decide on it’s worth to your organization. Finally, we’ll look at how we are going to divide up the rest of the course. 10
  11. What better introduction to Intrusion Detection than the Mitnick Attack? Intrusion Detection - The Big Picture - SANS GIAC © 2000 11 We start by examining the intrusion by possibly the world’s most infamous computer criminal, Kevin Mitnick, on the system of Tsutomu Shimomura. This system compromise and the subsequent successful pursuit of Mitnick have been described in several books and elsewhere, but the technical details described come from Shimomura’s original posting on the comp.security.misc newsgroup, 25 Jan 1995. The obvious first question is why we are bothering with an attack which is over 5 years old, when several new attacks are discovered every week. First, because it uses well-known techniques like SYN flooding and IP Spoof to accomplish trust hijacking. The second, more disturbing point is that little has changed since late 1994. These attacks still work on many systems and so are still common attacks today. 11
  12. Two Systems, Trust Relationship A trusts B A B A is talking to B Intrusion Detection - The Big Picture - SANS GIAC © 2000 12 A trust relationship existed between two machines, both administered by the good guy. (One was an office machine, the other a home machine.) Administrators often set up these sort of relationships, usually as a convenience. In this particular example, the systems are Unix and the trust relationship is the use of “r” utilities. But similar trust relationships exist in other systems (for example, Windows “shares”). The attacker is going to pretend to be one side of the trust relationship using a technique called IP Spoof to appear to be computer B and then take advantage of the trust relationship. 12
  13. Enter the Badguy(tm) A trusts B A B A is talking to B Attacker probes to determine a trust relationship, A trusts B. Attacker Intrusion Detection - The Big Picture - SANS GIAC © 2000 13 The attack started when the attacker detected a trust relationship was in place between two systems of interest. The trust relationship in particular was that A allows B to make rshell connections, providing a remote shell service. The badguy™ uses finger, showmount, rpcinfo, and so forth to ferret out the trust relationship. It should be noted there is often a recon phase for complex attacks. If these recon probes can be detected, they can provide a valuable early-warning function. 13
  14. Set Up the Attack A trusts B A A B B A is talking to B Attacker predicts the sequence SYN Attack to B number A will expect renders B unable “IP Spoof” to reply to A Attacker Intrusion Detection - The Big Picture - SANS GIAC © 2000 14 After the recon phase, the initial attack occurs. He first gags B with a flood of SYN packets, a technique that involves bombarding B with TCP connection requests until B is too busy to respond to anyone. (A SYN packet is the first part of TCP’s three-part handshake for connection establishment, which goes SYN, SYN/ACK, ACK). Next, he sends a connection request (SYN) to A,spoofing the source address so the packet is apparently from B. Since A allows connections from B, it will reply with a SYN/ACK packet that gives an initial sequence number for the connection. This reply goes to B, which would usually deny sending it and close the connection with a RST packet, but because it’s been gagged, it can’t reply. Since the attacker hasn’t seen the reply, he must predict the sequence number if he is to continue the connection. Sequence number prediction code has been widely available on the Internet for a number of years. 14
  15. Make ‘A’ Defenseless Content of rshell packet “+ + in /.rhosts” open A to attack A B SYN Attack to B Attacker sends keeps B unable expected to warn A ACK with fake SRC IP ADDRESS to Attacker establish rshell Intrusion Detection - The Big Picture - SANS GIAC © 2000 15 Having guessed the next sequence number, and assuming A has sent the SYN/ACK back to B, the attacker completes the connection establishment by sending a final ACK, still with B’s source address. Now the attacker has a connection to A, that A believes is from it’s trusted friend B. That trust is exploited to gain further access. To maintain the hijacked connection and continue successfully masquerading as B, the attacker must keep B gagged, since every reply from A goes back to B, not the attacker, and B would refute the connection if it could. 15
  16. Finish the Job Content of rshell packet “+ + in /.rhosts” open A to attack A Attacker uses Attacker # rlogin -l root to takeover ‘A’ Intrusion Detection - The Big Picture - SANS GIAC © 2000 16 Now, the attacker goes in for the kill to crack open A’s security. He sends an rshell command to add the string “++” to the file “/.rhosts”. This string is a wild-card which says “trust as root all users on all systems”. Once ./rhosts has been modified the attacker can stop the masquerade, and stop gagging B, and he simply logs in directly as root. Game Over. Fortunately, Shimomura noticed the attack. Would you notice a similar one on your system? 16
  17. What Common Tools Could Have Prevented The Attack? Intrusion Detection - The Big Picture - SANS GIAC © 2000 17 “An ounce of prevention is worth a pound of cure.” This statement was probably coined by an ancient incident handler. Of the 3 parts of the security cycle “Prevention-Detection-Response”, prevention can be the most cost-effective. 17
  18. Network Vulnerability Scanner AA B Scanner Warning: A trusts B A has potential rshell vulnerability Intrusion Detection - The Big Picture - SANS GIAC © 2000 18 Vulnerability scanners can probe a network or host to identify problems that, if fixed, can prevent an attack from succeeding. The fact that A trusts B isn’t a vulnerability in itself, but may be a violation of your organization’s security policy. It is the combination of that trust decision and the rshell vulnerability that allowed the attack to succeed. Since networks and host configurations change so often, vulnerability scans must be frequent. 18
  19. Firewalls Violation, the “R” Protocols are not allowed Cat “+ +” > ./rhosts Many attack attempts fail to penetrate well-configured firewalls, especially if they have a “deny everything not specifically allowed” policy. Intrusion Detection - The Big Picture - SANS GIAC © 2000 19 Firewalls or filtering routers can be configured not to let “risky” services pass into the protected network. This is normally by blocking access to the ports used by those services. Most firewall administrators would call letting inbound connections to the “r” services through a firewall very risky indeed. There are more secure replacements available for these services, like SSH for remote shells. Many firewalls would also stop the spoofed packets from the attacker, correctly noticing that packets from machine B shouldn’t be originating from outside the firewall (assuming both A and B were inside the firewall). Similarly, responsible egress filtering on the part of the attacker’s organization or ISP would also have blocked the spoofed packets. The firewall wouldn’t have protected from the attack if B had been outside the firewall, and hence connections pretending to be from B would have been allowed through. 19
  20. What Intrusion Detection Techniques Could Have Detected The Attack? Intrusion Detection - The Big Picture - SANS GIAC © 2000 20 Detecting the attack is one thing. Most intrusion detection systems would also have detected the recon probes before the attacker went in for the kill. Early warning is much better than real-time or after the fact notification of system compromise. (The problem is, a recon probe is often hard to distinguish from a legitimate query. The bad guys’ recon techniques are becoming stealthier, which is both good and bad. Harder to spot, but if you can spot it, it’s easier to recognize as hostile, since legitimate users don’t sneak about.) 20
Đồng bộ tài khoản