Intrusion detection systems (IDS) and intrusion prevention systems (IPS) are a significant growth area in the security market today -- and there's no sign of a slowdown.
Intrusion prevention systems (IPS) were invented in the late 1990s to resolve ambiguities in passive network monitoring by placing detection systems in-line. A considerable improvement upon firewall technologies, IPS make access control decisions based on application content, rather than IP address or ports as traditional firewalls had done. As IPS systems were originally a literal extension of intrusion detection systems, they continue to be related.
IP Security and NAT
Despite popular wisdom, IPsec and NAT can be employed together—in some configurations. We explore what you can do and what you can't, and the limitations inherent in today's solutions. One question asked frequently by those planning to implement virtual private networks concerns the ability to combine IP security (IPsec) and Network Address Translation (NAT). Many have heard rumors and war stories about incompatibilities between IPsec and NAT. Others have seen blanket denials issued by vendors who successfully combine IPsec and NAT within a single product.
What is Network Address Translation?
Most ISP admins are familiar with NAT (RFC 1631) and its many incarnations. Originally developed as an interim solution to combat IPv4 address depletion, NAT maps IP addresses from one realm to another, most often by mapping private IPs to public IPs.
The Intrusion Prevention System (IPS) feature set of Cisco IOS® contains several vulnerabilities.
These include:
Fragmented IP packets may be used to evade signature inspection.
IPS signatures utilizing the regular expression feature of the ATOMIC.TCP signature engine may cause a router to crash resulting in a denial of service.
There are mitigations and workarounds for these vulnerabilities. Cisco has made free software available to address these vulnerabilities for affected customers.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070213-iosips.shtml.
Cisco IOS IPS Security Bypass and Denial of Service
Two vulnerabilities have been reported in Cisco IOS, which can be exploited by malicious people to bypass certain security restrictions or cause a DoS (Denial of Service).
1) Cisco IOS IPS signatures using regular expressions may not correctly identify malicious traffic within fragmented IP packets. This can be exploited to bypass the detection mechanism by sending specially crafted, fragmented IP packets.
2) An error exists within the ATOMIC.TCP scanning mechanism and signatures, which use regular expressions (e.g. Signature 3123.0 for Netbus Pro Traffic). This can be exploited to crash a device by producing specially crafted network traffic.
TippingPoint Intrusion Prevention Systems
The TippingPoint Intrusion Prevention System (IPS) delivers the most powerful network protection in the world. The TippingPoint IPS is an in-line device that is inserted seamlessly and transparently into the network. As packets pass through the IPS, they are fully inspected to determine whether they are legitimate or malicious. This instantaneous form of protection is the most effective means of preventing attacks from ever reaching their targets.
Wednesday, April 23, 2008
Intrusion Prevention Systems (IPS)
Monday, April 7, 2008
Authentication using Smart Card Technology
1. Microprocessor
2. Rom, for encryption and decryption and installing operating system.
Do not be confused between concept of this posting (smart card) and RFID. Actually, RFID is just an automatic identification method, relying on storing and remotely retrieving data using devices called RFID tags. A RFID tag does not have both paths mentioned above.
Smart Card sub-system Architecture
Basic components of the smart card subsystem
o A resource manager that uses a Windows application programming interface (API)
o The smart card Resource Manager runs as a trusted service in a single process.
o Resource manager have access of all the information which is passed to smart card and smart card reader that contains the requested card.
o So the resource manager is responsible for managing and manipulating all the access for application for any smart card which is used with any reader and it can also control all the application for inserted smart card in any smart card reader.
o The Resource Manager provides a given application with a virtual direct connection to the requested smart card.
o The Resource Manager performs three basic tasks in managing access to multiple readers and cards. First, it identifies and tracks resources. Second, it controls the allocation of readers and resources across multiple applications. Finally, it supports transaction primitives for accessing services available on a specific card.
o This is important because current cards are single-threaded devices that often require execution of multiple commands to complete a single function. Transaction control allows multiple commands to be executed without interruption, ensuring that intermediate state information is not corrupted.
* A user interface (UI) that works with the resource manager.
Authentication Techniques
o Dynamic Password Authentication
o User Authentication
o Symmetric key cryptography
o Asymmetric key cryptography
Dynamic Password Authentication
Smart Card creates different passwords for each authentication attempt
Generates new pass codes many times a day.
The host executes the same algorithm as the smart card, so it knows the current valid password at any given time.
This method ensures card authenticity as the password keeps on changing dynamically and the algorithm is hard to crack down.
Symmetric key cryptography & Asymmetric key cryptography
Symmetric Key Authentication
Fig: Authenticating using Symmetric Key Crytography
There are many ways and method are available for the authentication of smart card. We can implement an authentication method using PKI infrastructure and without using Smart Card too. However these simpler cards have considerably lower prices because they do not require a cryptographic coprocessor that is needed for executing public key cryptographic operations with reasonable speed.
Fig: Public Key Authentication using RSA (Rivest Shamir Adelman Cryptosystem)
The server gives a random challenge to the smart card and requests a message authentication code (MAC, a kind of signature) generated over the card ID (identifier) and the challenge. Often, a password provided by the user has to be given to the smart card before the card generates the MAC. This procedure ensures that a thief or finder of a card cannot use it without knowledge of the password.
The smart card uses a key to generate the MAC over the card ID and the challenge obtained from the server. Then it will sends both the ID and the MAC back to the server and The server uses the card ID to derive the card key from a master key and uses that card key to verify the MAC sent from the card.
Here is the example of Authentication using public key smart cards. Here first The server sends a random challenge to the smart card then in reply The smart card uses its private key to generate a digital signature over the challenge then The digital signature and the certificate associated with the private key of the smart card are sent to the server. The server verifies the certificate and then uses the public key contained in the certificate to verify the signature .
Applications
o Secure network access Smart Cards can carry an individual's digital signature .
o Cellular phones, Smart Cards offer a mechanism to secure cellular phones against fraudulent use.
o Financial , The applications of smart cards include their use as credit or ATM cards
Benefits
o Strengthen security: The two-factor authentication of smart cards requires more than entering valid credentials. You must possess the smart card and know the personal identification number (PIN).
o Flexible: Smart card memory contains security certificates, and can be used for in-house development projects.
o Simple: Smart cards are easy to use. No cumbersome password generators to carry around. No bulky device to break.
o Leverage existing infrastructure: Using the PKI of Windows 2000 Server or Windows Server 2003, you can create your own security certificates and manage the process internally without dependence upon an external partner
Sunday, April 6, 2008
IDS Techniques
This posting will summarize the interesting techniques used in IDS system for both software IDS and hardware IDS (appliance).
Signature Detection
In this technique known representations of intrusions are stored in the IDS and are then compared to the system activity. When a known intrusion matches these signatures, an alert is raised. Signatures must be created to exactly match the characteristics (protocols or the contents of traffic) of a specific intrusion and no other activities to avoid false positives. This technique is most accurate for detecting known attacks e.g. DoS attack.
Signature engines also have their disadvantages. Because they only detect known attacks, a signature must be created for every attack, and novel attacks cannot be detected. Signature engines are also prone to false positives since they are commonly based on regular expressions and string matching. Both of these mechanisms merely look for strings within packets transmitting over the wire.
Anomaly Detection
An Anomaly-Based IDS, is a system for detecting computer intrusions and misuse by monitoring system activity and classifying it as either normal or anomalous. The classification is based on heuristics or rules, rather than patterns or signatures, and will detect any type of misuse that falls outwith normal system operation. This is as opposed to signature based systems which can only detect attacks for which a signature has previously been created.
Anomaly detection detects a misuse by measuring norm overtime and then generating alert when a pattern differs from a norm. In this technique a set of data is gathered from the system activity of the user and this data set is base lined. If the flow of traffic deviates from the base lined data set pattern an alarm is raised.
A disadvantage of anomaly-detection engines is the difficultly of defining rules. Each protocol being analyzed must be defined, implemented and tested for accuracy. The rule development process is also compounded by differences in vendor implementations of the various protocols. Custom protocols traversing the network cannot be analyzed without great effort. Moreover, detailed knowledge of normal network behavior must be constructed and transferred into the engine memory for detection to occur correctly. On the other hand, once a protocol has been built and a behavior defined, the engine can scale more quickly and easily than the signature-based model because a new signature does not have to be created for every attack and potential variant.
Target Monitoring
Target monitoring works by means of generating a cryptographic hash for every file on the system and periodically comparing that hash to the original file to ensure that no change has occurred. This type of system is the easiest to implement, because it does not require constant monitoring by the administrator. Integrity checksum hashes can be computed at whatever intervals we wish on either all files or just the critical files.
Stealth Probes
Stealth probe technique attempts to detect any attackers that choose to carry out their mission over prolonged periods of time. Attackers, for example, will check for system vulnerabilities and open ports over a two-month period, and wait another two months to actually launch the attacks. This technique will collect a wide-variety of data throughout the system, checking for any methodical attacks over a long period of time. They take a wide-area sampling and attempt to discover any correlating attacks.
Conclusion
However, anomaly detection has an advantage over signature-based engines in that a new attack for which a signature does not exist can be detected if it falls out of the normal traffic patterns. The best example of this is how such systems detect new automated worms. When a new system is infected with a worm it usually starts scanning for other vulnerable systems at an accelerated or abnormal rate flooding the network with malicious traffic, thus triggering a TCP connection or bandwidth abnormality rule.
Five major types of IDS
Intrusion Detection System as the name implies detects intrusion in the network. It implies both intrusions from inside and from outside the network.
IDS, these days, have become vital component in the security toolbox.
This posing will provide an overview of IDS, their types, detection techniques employed and various popular IDS tools that are widely used. This report also gives the overview of Snort IDS tool followed by a short demo showing the actual working of snort to catch intrusion based on the rules set. The intent of this presentation and report is to make the audience aware of the importance of IDS and also to make them familiar with the usage of Snort IDS tool.
Introduction
Intrusion Detection System is any hardware, software, or a combination of both that monitors a system or network of systems against any malicious activity. This is mainly used for detecting break-ins or misuse of the network. In short, we can say that IDS is the ‘burglar alarm’ for the network because much like a burglar alarm, IDS detects the presence of an attack in the network and raises an alert. An IDS provides three functions: monitoring, detecting and generating an alert.
IDS are often considered as the functionality of firewall. But there is a thin line of difference between them. A firewall must be regarded as a fence that protects the information flow and prevent intrusions where as IDS detects if the network is under attack or if the security enforced by the firewall has been breached. Together firewall and IDS enhance the security of network.
Intrusion Detection System uses a security policy (or rules) to detect unusual activity. These rules are defined by the administrator based on the needs of the organization. Any activity that violates this security policy will be considered a security threat and will be reported to the administrator via email or as page or as SNMP traps. These policies must be updated regularly to keep up with the threats and needs.
Of the security incidents that occur on a network, the vast majority (up to 85 percent by many estimates) come from inside the network. These attacks may consist of otherwise authorized users who are disgruntled employees. The remainder come from the outside, in the form of denial of service attacks or attempts to penetrate a network infrastructure. Intrusion detection systems remain the only proactive means of detecting and responding to threats that stem from both inside and outside a corporate network.
Types of IDS
There are three main types of Intrusion Detection Systems:
• Host Based
• Network Based
• Stack Based
• Signature Based
• Anomaly Based
Host Based IDS
Intrusion Detection System is installed on a host in the network. HIDS collects and analyzes the traffic that is originated or is intended to that host. HIDS leverages their privileged access to monitor specific components of a host that are not readily accessible to other systems. Specific components of the operating system such as passwd files in UNIX and the Registry in Windows can be watched for misuse. There is great risk in making these types of components available to NIDS to monitor.
Although HIDS is far better than NIDS in detecting malicious activities for a particular host, they have limited view of entire network topology and they cannot detect attack that is targeted for a host in a network which does not have HIDS installed.
Network Based IDS
Network IDSs (NIDS) are placed in key areas of network infrastructure and monitors the traffic as it flows to other host. Unlike HIDS, NIDS have the capability of monitoring the network and detecting the malicious activities intended for that network. Monitoring criteria for a specific host in the network can be increased or decreased with relative ease.
NIDS should be capable of standing against large amount number of network traffic to remain effective. As network traffic increases exponentially NIDS must grab all the traffic and analyze in a timely manner.
Stack Based IDS
Stack based IDS is latest technology, which works by integrating closely with the TCP/IP stack, allowing packets to be watched as they traverse their way up the OSI layers. Watching the packet in this way allows the IDS to pull the packet from the stack before the OS or application has a chance to process the packets.
Signature-Based IDS
Signature-Based IDS use a rule set to identify intrusions by watching for patterns of events specific to known and documented attacks. It is typically connected to a large database which houses attack signatures. It compares the information it gathers against those attack signatures to detect a match.
These types of systems are normally presumed to be able to detect only attacks “known” to its database. Thus, if the database is not updated with regularity, new attacks could slip through. It can, however, detect new attacks that share characteristics with old attacks, e.g., accessing 'cmd.exe' via a HTTP GET request. But, in cases of new, uncataloged attacks, this technique is pretty porous.
Also, signature based IDS’s may affect performance in cases when intrusion patterns match several attack signatures. In cases such as these, there is a noticeable performance lag. Signature definitions stored in the database need to be specific so that variations on known attacks are not missed. This sometimes leads to building up of huge databases which eat up a chunk of space.
Anomaly Based IDS
Anomaly-Based IDS examines ongoing traffic, activity, transactions and behavior in order to identify intrusions by detecting anomalies.
It works on the notion that “attack behavior” differs enough from “normal user behavior” such that it can be detected by cataloging and identifying the differences involved.
In most anomaly-based IDS’s the system administrator defines the baseline of normal behavior. This includes the state of the network's traffic load, breakdown, protocol, and typical packet size.
Anomaly detectors monitor network segments to compare their state to the normal baseline and look for current behavior which deviate statistically from the normal. This capability theoretically gives anomaly-based IDSs abilities to detect new attacks that are neither known nor for which signatures have been created.
On the other hand, anomaly-based IDS systems have been known to be prone to a lot of false positives. In these cases, the attacks are reported based on changes to the current system on which the IDS is installed. This is because there is a change in the normal state of the system which is not perceived by the IDS.
Sometimes, anomaly-based IDS systems can cause heavy processing overheads on the computer system they are installed on. It takes a short period of time for anomaly-based systems to create statistically significant baselines. During this period, they are relatively open to attack.
Packet sniffer
A packet sniffer (also known as a network sniffer, network analyzer or protocol analyzer or, for particular types of networks, an Ethernet sniffer or wireless sniffer) is computer software or computer hardware that can intercept and log traffic passing over a digital network or part of a network.[1] As data streams flow across the network, the sniffer captures each packet and eventually decodes and analyzes its content according to the appropriate RFC or other specifications.
Capabilities
On wired broadcast LANs, depending on the network structure (hub or switch), one can capture traffic on all or just parts of the traffic from a single machine within the network; however, there are some methods to avoid traffic narrowing by switches to gain access to traffic from other systems on the network (e.g. ARP spoofing). For network monitoring purposes it may also be desirable to monitor all data packets in a LAN by using a network switch with a so-called monitoring port, whose purpose is to mirror all packets passing through all ports of the switch. When systems (computers) are connected to a switch port rather than a hub the analyzer will be unable to read the data due to the intrinsic nature of switched networks. In this case a shadow port must be created in order for the sniffer to capture the data.
On wireless LANs, one can capture traffic on a particular channel.
On wired broadcast and wireless LANs, in order to capture traffic other than unicast traffic sent to the machine running the sniffer software, multicast traffic sent to a multicast group to which that machine is listening, and broadcast traffic, the network adapter being used to capture the traffic must be put into promiscuous mode; some sniffers support this, others don't. On wireless LANs, even if the adapter is in promiscuous mode, packets not for the service set for which the adapter is configured will usually be ignored; in order to see those packets, the adapter must be put into monitor mode.
Uses
The versatility of packet sniffers means they can be used to:
Analyze network problems.
Detect network intrusion attempts.
Gain information for effecting a network intrusion.
Monitor network usage.
Gather and report network statistics.
Filter suspect content from network traffic.
Spy on other network users and collect sensitive information such as passwords (depending on any content encryption methods which may be in use)
Reverse engineer protocols used over the network.
Debug client/server communications.
Debug network protocol implementations.
Example uses
A packet sniffer for a token ring network could detect that the token has been lost or the presence of too many tokens (verifying the protocol).
A packet sniffer could detect that messages are being sent to a network adapter; if the network adapter did not report receiving the messages then this would localize the failure to the adapter.
A packet sniffer could detect excessive messages being sent by a port, detecting an error in the implementation.
A packet sniffer could collect statistics on the amount of traffic (number of messages) from a process detecting the need for more bandwidth or a better method.
A packet sniffer could be used to extract messages and reassemble into a complete form the traffic from a process, allowing it to be reverse engineered.
A packet sniffer could be used to diagnose operating system connectivity issues like web,ftp,sql,active directory,etc.
A packet sniffer could be used to analyse data sent to and from secure systems in order to understand and circumvent security measures, for the purposes of penetration testing or illegal activities.
A packet sniffer can passively capture data going between a web visitor and the web servers, decode it at the HTTP and HTML level and create web log files as a substitute for server logs and page tagging for web analytics.
This information was obtained from www.wikipedia.org :)
Saturday, April 5, 2008
Honey Pots
Network IDS: An IDS (Intrusion Detection System) detects unwanted manipulation to the computer network in a network. An intrusion detection system is used to detect all types of malicious network traffic and computer usage like network attacks against vulnerable services, data driven attacks on applications, host based attacks such as privilege escalation, unauthorized logins and access to sensitive files, and malwares.
We all know that in today’s society there are hackers and intruders attacking our computers from all directions. Moreover, most of these people feel as though the hackers will never fall victim to such a crime much less even be targeted by such an individual. But, there are some new advances in technology that allow users to actually set traps for hackers and virtually fight back. This trap is known as the Honeypot. Honeypot is an advance technology which is used to trace and catch the hackers/attackers who intend to attack a secure system.
• Prevention: Honeypots can be used to slow down or stop automated attacks
Honeypot in a real network environment:
Honeypots can be classified on the basis of their deployment and on basis of their level of interaction/involvement in the network. On the basis of their deployment Honeypots can be classified in to two categories:
• Production Honeypots
Production Honeypots:
The main purpose of this production honeypots is to mitigate the risk in an organization. Production Honeypots are placed under the production network with other production servers by the organization to improve their overall state of security .These are basically have a low level involvement with the network.
Research Honeypots:
Research Honeypots are run by volunteer non profit organization whose aim is to gather information about the black hat community .These Honeypots do not add any value to any companies but work independently.
On the basis of level of interaction Honeypots are classified as:
• Low-Interaction Honeypots: Honeyd• High Interaction Honeypots: HoneyNet
Honeyd:
Honeyd is an open-source solution which was created and maintained by NielsProvos. The primary purpose of Honeyd is intrusion detection; it does this by monitoring all the unused IPs in a network. Any attempted connection to an unused IP address is assumed to be unauthorized or malicious activity. After all, if there is no system using that IP, why is someone or something attempting to connect to it? For example, if your network has a class C address, it is unlikely that every one of those 254 IP addresses is being used. Any connection attempted to one of those unused IP addresses is most likely a threat to the network.
Honeyd can monitor all of these unused IPs at the same time. Whenever a connection is attempted to one of them, Honeyd automatically assumes the identity of the unused IP addresses and then interacts with the attacker. Honeyd can detect any activity on any UDP or TCP port, as well as some ICMP activity. The user doesn’t have to create a service or port listener on ports he wants to detect connections to, Honeyd does this all.
HoneyNet:
It is a high-interaction honeypot designed to capture extensive information on threats. High-interaction means a honeynet provides real systems, applications, and services for attackers to interact with, as opposed to low-interaction honeypots such as Honeyd which provide emulated services and operating systems. What makes a honeynet different from most honeypot is that it is a network of real computers for attackers to interact with. Conceptually honeynets are very simple; they are a network that contains one or more honeypots. Since honeypots are not production systems, the honeynet itself has no production activity, no authorized services. As a result, any interaction with a honeynet implies malicious or unauthorized activity. Any connections initiated inbound to your honeynet is most likely a threat. This makes analyzing activity within your honeynet very simple. With traditional security technologies, such as firewall logs or IDS sensors, you have to sift through gigabytes of data. A great deal of time and effort is spent looking through this information, attempting to eliminate false positives while identifying attacks or unauthorized activity.
Honeynet Architecture:
To successfully deploy a honeynet, you must correctly deploy the honeynet architecture. The key to the honeynet architecture is what we call a honeywall. This is a gateway device that separates your honeypots from the rest of the world. Any traffic going to or from the honeypots must go through the honeywall. This gateway is traditionally a layer 2 bridging device, meaning the device should be invisible to anyone interacting with the honeypots. Below we see a diagram of this architecture. Our honeywall has 3 interfaces. The first 2 interfaces (eth0 and eth1) are what separate our honeypots from everything else; these are bridged interfaces that have no IP stack. The 3rd interface (eth2, which is optional) has an IP stack allowing for remote administration.
There are several key requirements that a ho neywall must implement; Data Control, Data Capture, Data Analysis, Data Collection.
1) Data Control: Our aim is to prevent the data from an attacker once he has entered the network.
Advantages and Disadvantages of Honeypots
Advantages:
Disadvantages: