Manajemen Sistem File (File System Management)

Isbat Uzzin, Keamanan Jaringan (Network Security): Intrusion Detection System. Politeknik Elektronika Negeri Surabaya, 2007. 25 slides.


Page 1: Manajemen Sistem File

Isbat Uzzin
Keamanan Jaringan (Network Security)

Intrusion Detection System

Politeknik Elektronika Negeri Surabaya
2007

Page 2: A Firewall Alone Is Not Enough

• Not all access passes through the firewall
• Some applications are deliberately allowed through the firewall (Web, e-mail, etc.)
• Not all threats come from outside the firewall; some come from inside the network itself
• The firewall is sometimes itself the target of an attack
• An application is needed to complement the firewall, one that can detect the threats the firewall cannot protect against

Page 3: Network diagram

[Diagram: a corporate intranet (Manufacturing, Engineering, HR/Finance, Mailserver, Web site) connected through the Internet to a Mobile worker, a Supplier and a Branch Office, with a Hacker shown at several points both inside and outside the perimeter]

Page 4: What an IDS Is

• IDS stands for Intrusion Detection System
• A system for detecting and responding to an "intrusion" carried out by an "intruder"
• Detection can take place before, during or after the event:
  – Detected before: preventive action can be taken
  – Detected during: the activity can be blocked and an alarm raised
  – Detected after: the resulting damage can be assessed
• An IDS collects information from various systems and network sources, then analyses that information against a predefined set of rules

Page 5: What an IDS Is (cont.)

• Intrusion
  – Defined as activity that is anomalous, incorrect or inappropriate, occurring on the network or on a host
  – Classification of intrusions:
    • Attempted break-ins
    • Masquerade attacks
    • Penetration of security control systems
    • Leakage
    • Denial of service
    • Malicious use
• An anomaly is traffic or activity that does not conform to policy:
  – access from/to a forbidden host
  – forbidden content (e.g. a virus)
  – running a forbidden program (e.g. web directory traversal: GET ../..;cmd.exe)

Page 6: IDS Concept

[Diagram: Intrusion Detection System Infrastructure. The IDS monitors the Target System, then responds and reports.]

Page 7: IDS Technologies

• Network based
• Host based
• Application based
• Target based
• Honeypots

Page 8: IDS Technologies (cont.)

• Network-based
  – Monitors anomalies on the network, e.g. spotting network scanning
  – Provides real-time monitoring of network activity:
    • captures packets and examines headers and payloads,
    • compares them against the threat patterns in its database, and
    • responds if the traffic is judged to come from an intruder.
  – Packet monitors can be placed outside the firewall (to detect Internet-based attacks) and inside the network (to detect internal attacks).
  – Responses include notifying a console, sending an e-mail message, or terminating the session.
  – Tools: Snort
• Host-based
  – Monitors anomalies on a host, e.g. watching log files, processes, file ownership and permission modes
  – Tools:
    • Log scanners: Swatch, Logcheck
    • File system integrity checkers: Tripwire
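The file-system integrity checking mentioned for host-based IDS works by comparing the current state of the file system against a trusted baseline. The following is an added example, not code from the slides or from Tripwire itself: it baselines the SHA-256 digest, permission mode and owner of every regular file under a directory, then reports what was added, removed or changed. The directory tree and the simulated tampering are constructed in a temporary directory so the example runs offline.

```python
# Added example (not from the original slides, and not Tripwire's own code):
# a minimal host-based file integrity checker in the style of Tripwire.
# It records a baseline of SHA-256 digest, permission mode and owner for every
# regular file under a directory, then reports files that were added, removed
# or changed. The directory tree below is constructed in a temp dir so the
# demo runs offline; the "intrusion" it detects is simulated.
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def snapshot(root: str) -> dict:
    """Walk `root` and return {relative_path: (sha256, mode, uid, gid)}."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            st = full.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices etc. are out of scope here
            digest = hashlib.sha256(full.read_bytes()).hexdigest()
            rel = full.relative_to(root).as_posix()
            baseline[rel] = (digest, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots: {'added': [...], 'removed': [...], 'changed': {path: [reasons]}}."""
    report = {"added": [], "removed": [], "changed": {}}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            report["added"].append(path)
        elif path not in current:
            report["removed"].append(path)
        else:
            old, new = baseline[path], current[path]
            reasons = []
            if old[0] != new[0]:
                reasons.append("content")
            if old[1] != new[1]:
                reasons.append("mode")
            if old[2:] != new[2:]:
                reasons.append("owner")
            if reasons:
                report["changed"][path] = reasons
    return report


def demo() -> dict:
    """Constructed scenario: take a baseline, tamper with the tree, re-check."""
    with tempfile.TemporaryDirectory() as root:
        etc, bindir = Path(root) / "etc", Path(root) / "bin"
        etc.mkdir()
        bindir.mkdir()
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        login = bindir / "login"
        login.write_bytes(b"\x7fELF original login\n")
        login.chmod(0o755)
        baseline = snapshot(root)

        # Simulated intrusion: trojaned binary made setuid, a new file, a deleted file.
        login.write_bytes(b"\x7fELF trojaned login\n")
        login.chmod(0o4755)
        (bindir / "backdoor").write_text("#!/bin/sh\necho placeholder\n")
        (etc / "hosts").unlink()
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, items in demo().items():
        print(f"{kind}: {items}")
```

The check is only as trustworthy as the baseline: in practice the snapshot is taken on a clean system and stored read-only or off-host, otherwise an intruder who can modify `/bin/login` can also modify the baseline that is supposed to catch it.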

Page 9: IDS Technologies (cont.)

• Application based
  – A special subset of host-based IDS that analyses the events transpiring within a piece of software.
  – The most common information source for an application-based IDS is the application's transaction log file.
  – It sees the interaction between user and application, which traces activity to individual users.
• Honeypot
  – A resource that pretends to be a real target and is intended to be attacked.
  – Its main goals:
    • divert attackers away from production systems
    • gather information about the kinds of attacks and the attackers.

Page 10: Snort

• Open source IDS
  – host-based and network-based
  – packet sniffer
  – implemented on UNIX and Windows
• Operates on the basis of "rules"
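What "operating on rules" means in practice, and how the policy anomalies listed earlier (forbidden host, forbidden content, forbidden program such as `GET ../..;cmd.exe`) turn into rules, is shown by the following added example. It is not Snort's code and not from the slides: a toy matcher for a small subset of Snort rule syntax, run over constructed packets. The rule header selects traffic by protocol, addresses, ports and direction; `content:` and `nocase` select on the payload. Traffic to tcp/80 is first normalised the way Snort's http_decode preprocessor does, so the traversal still matches when written with `%2e%2e` or with the overlong IIS-Unicode byte pair `%c0%af`. The sids, addresses and packets are made up.

```python
# Added example (not part of the original slides, and not Snort's own code):
# a toy matcher for a small subset of Snort rule syntax over constructed
# packets. Header = proto/addresses/ports/direction; options = content:/nocase.
# Payloads to tcp/80 are normalised like Snort's http_decode preprocessor.
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


HEADER = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
HEX = b"0123456789abcdefABCDEF"
OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\"}  # IIS-Unicode forms of / and \


def parse_rule(text: str) -> dict:
    """Parse one rule. Only one content: option per rule is supported here."""
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    rule = m.groupdict()
    opts = {}
    for opt in rule.pop("opts").split(";"):
        if opt.strip():
            key, _, val = opt.strip().partition(":")
            opts[key.strip()] = val.strip().strip('"')
    rule["opts"] = opts
    for port in ("sport", "dport"):
        rule[port] = None if rule[port] == "any" else int(rule[port])
    return rule


def http_decode(payload: bytes) -> tuple:
    """Undo %XX escapes; return (decoded, saw_iis_unicode)."""
    out, i = bytearray(), 0
    while i < len(payload):
        hexpair = payload[i + 1:i + 3]
        if payload[i] == 0x25 and len(hexpair) == 2 and all(c in HEX for c in hexpair):
            out.append(int(hexpair, 16))
            i += 3
        else:
            out.append(payload[i])
            i += 1
    raw = bytes(out)
    flagged = any(seq in raw for seq in OVERLONG)
    for seq, char in OVERLONG.items():
        raw = raw.replace(seq, char)
    return raw, flagged


def _addr_ok(spec: str, ip: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def match(rule: dict, pkt: Packet, payload: bytes) -> bool:
    """Header fields first, then the (already decoded) payload."""
    if rule["proto"] not in ("any", pkt.proto):
        return False
    if not (_addr_ok(rule["src"], pkt.src) and _addr_ok(rule["dst"], pkt.dst)):
        return False
    if rule["sport"] not in (None, pkt.sport) or rule["dport"] not in (None, pkt.dport):
        return False
    if "content" in rule["opts"]:
        needle, hay = rule["opts"]["content"].encode(), payload
        if "nocase" in rule["opts"]:
            needle, hay = needle.lower(), hay.lower()
        return needle in hay
    return True


def run(rules: list, packets: list) -> list:
    """Return [(packet_index, alert message), ...] in evaluation order."""
    alerts = []
    for i, pkt in enumerate(packets):
        payload, flagged = pkt.payload, False
        if pkt.proto == "tcp" and pkt.dport == 80:  # preprocessor stage
            payload, flagged = http_decode(pkt.payload)
            if flagged:
                alerts.append((i, "spp_http_decode: IIS Unicode attack detected"))
        alerts.extend((i, r["opts"]["msg"]) for r in rules if match(r, pkt, payload))
    return alerts


# Constructed rules for the three anomaly classes on the slides; sids are made up.
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> 192.168.1.0/24 80 (msg:"WEB-IIS cmd.exe access"; content:"cmd.exe"; nocase; sid:1000001;)',
    'alert tcp any any -> 192.168.1.0/24 80 (msg:"WEB-MISC directory traversal"; content:"../"; sid:1000002;)',
    'alert tcp any any -> 10.0.0.5 any (msg:"POLICY access to forbidden host"; sid:1000003;)',
)]

# Constructed packets; addresses are documentation/private ranges.
PACKETS = [
    Packet("tcp", "203.0.113.7", 40001, "192.168.1.11", 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet("tcp", "203.0.113.7", 40002, "192.168.1.11", 80, b"GET /..%c0%af..%c0%af..;CMD.EXE HTTP/1.0\r\n"),
    Packet("tcp", "203.0.113.7", 40003, "192.168.1.11", 80, b"GET /..%2f..%2fetc/passwd HTTP/1.0\r\n"),
    Packet("tcp", "192.168.1.51", 40004, "10.0.0.5", 22, b""),
    Packet("udp", "203.0.113.7", 53, "192.168.1.11", 53, b"cmd.exe"),  # wrong proto/port: silent
]

if __name__ == "__main__":
    for idx, msg in run(RULES, PACKETS):
        print(f"packet {idx}: {msg}")
```

The decode step is the point worth noticing: a signature written against the plain string `../` is blind to `%2e%2e%2f` or `..%c0%af` unless the sensor normalises the request before matching, which is exactly why Snort runs http_decode ahead of the detection engine and why its output appears as its own alert on the next slide.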

Page 11: Snort Log

• The log begins from: Mar 9 09:11:05
• The log ends at: Mar 9 12:22:24
• Total events: 161
• Signatures recorded: 6
• Source IPs recorded: 12
• Destination IPs recorded: 44

# of attacks   from              to                method
===========================================
61             202.138.228.73    202.138.228.74    IDS135-CVE-1999-0265-MISC-ICMPRedirectHost
31             192.168.1.51      192.168.1.11      ICMP Destination Unreachable {ICMP}
5              202.110.192.93    202.138.228.74    spp_http_decode: IIS Unicode
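A report like the one above is produced by aggregating the sensor's raw alert lines. The following added example, not from the slides and not a Snort utility, parses Snort's `-A fast` alert format and builds the same summary: start and end of the log, totals, and attacks grouped by source, destination and signature. The six log lines are constructed; their gid:sid:rev numbers are made up, only the line layout is Snort's.

```python
# Added example (not from the original slides, and not a Snort tool): a
# summariser for Snort "fast" alert lines producing the slide-style report.
# SAMPLE_LOG is constructed; the gid:sid:rev values in it are made up.
import re
from collections import Counter
from datetime import datetime

ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[\d+:\d+:\d+\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[[^\]]*\]\s+)*\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

SAMPLE_LOG = """\
03/09-09:11:05.214055  [**] [1:100001:1] IDS135-CVE-1999-0265-MISC-ICMPRedirectHost [**] [Priority: 2] {ICMP} 202.138.228.73 -> 202.138.228.74
03/09-09:11:09.001200  [**] [1:100001:1] IDS135-CVE-1999-0265-MISC-ICMPRedirectHost [**] [Priority: 2] {ICMP} 202.138.228.73 -> 202.138.228.74
03/09-09:40:17.330000  [**] [1:100002:1] ICMP Destination Unreachable [**] {ICMP} 192.168.1.51 -> 192.168.1.11
03/09-10:02:13.500000  [**] [1:100003:1] spp_http_decode: IIS Unicode attack detected [**] [Priority: 1] {TCP} 202.110.192.93:3456 -> 202.138.228.74:80
03/09-11:15:42.000000  [**] [1:100002:1] ICMP Destination Unreachable [**] {ICMP} 192.168.1.51 -> 192.168.1.11
03/09-12:22:24.777000  [**] [1:100001:1] IDS135-CVE-1999-0265-MISC-ICMPRedirectHost [**] [Priority: 2] {ICMP} 202.138.228.73 -> 202.138.228.74
"""


def parse_alert(line: str):
    """One fast-format line -> dict, or None if the line is not an alert."""
    m = ALERT.match(line.rstrip())
    if not m:
        return None
    d = m.groupdict()
    # The fast format carries no year; all events are assumed to be in one year.
    d["ts"] = datetime.strptime(d["ts"], "%m/%d-%H:%M:%S")
    return d


def summarize(lines) -> dict:
    events = [e for e in map(parse_alert, lines) if e]
    if not events:
        raise ValueError("no parsable alerts")
    by_attack = Counter((e["src"], e["dst"], e["msg"]) for e in events)
    first = min(e["ts"] for e in events)
    last = max(e["ts"] for e in events)
    return {
        "begins": f"{first:%b} {first.day} {first:%H:%M:%S}",
        "ends": f"{last:%b} {last.day} {last:%H:%M:%S}",
        "total": len(events),
        "signatures": len({e["msg"] for e in events}),
        "sources": len({e["src"] for e in events}),
        "destinations": len({e["dst"] for e in events}),
        # most_common() orders by count, descending
        "attacks": [(n, src, dst, msg) for (src, dst, msg), n in by_attack.most_common()],
    }


def render(summary: dict) -> str:
    head = [
        f"The log begins from: {summary['begins']}",
        f"The log ends at: {summary['ends']}",
        f"Total events: {summary['total']}",
        f"Signatures recorded: {summary['signatures']}",
        f"Source IPs recorded: {summary['sources']}",
        f"Destination IPs recorded: {summary['destinations']}",
        "",
        "# of attacks  from             to               method",
        "=" * 60,
    ]
    rows = [f"{n:<13} {src:<16} {dst:<16} {msg}" for n, src, dst, msg in summary["attacks"]]
    return "\n".join(head + rows)


if __name__ == "__main__":
    print(render(summarize(SAMPLE_LOG.splitlines())))
```

Grouping by (source, destination, signature) is what turns 161 raw events into a handful of lines an analyst can act on; the same grouping also makes the false-alarm problem on the next slide visible, since a noisy signature shows up as one large count rather than a stream of alerts.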

Page 12: Problems with IDS

• New attacks have new signatures, so the signature list must be updated continually
• Networks keep getting faster (gigabit), which makes it hard to analyse every packet
• The number of hosts keeps growing: distributed IDS
• Too many reports (false alarms)

Page 13: Honeypot

• A resource that pretends to be a real target and is intended to be attacked.
• Its main goals:
  – divert attackers away from production systems
  – gather information about the kinds of attacks and the attackers.

Page 14: Honeypot

[Diagram: a honeypot exposing HTTP and DNS services]

Page 15: Value of a Honeypot

• Research honeypots
  – gather as much information as possible
    • help to understand the blackhat community and their attacks
    • help to build better defenses against security threats
  – 'counter-intelligence'
• Prevention
  – Honeypots add little value to prevention.
    • this conflicts with their definition: a honeypot exists to be attacked
• Detection
  – Honeypots add extensive value to detection.
    • simple and easy to detect with (cf. an IDS)
• Reaction
  – Honeypots also add value to reaction.
    • easy to analyse and recover

If a honeypot does not get attacked, it is worthless.

Page 16: What Is a Honeynet?

• A high-involvement (high-interaction) honeypot designed primarily for research, to gather information on the enemy
• Differences from a traditional honeypot:
  – not a single system, but a network of multiple systems
  – standard production systems; nothing is emulated.
• The risks and vulnerabilities discovered within a honeynet are the same ones that exist in many organizations today.
• Its value lies in research

Page 17: Requirements

• Data capture
  – capturing all of the blackhat's activities
  – Challenge:
    • capture as much data as possible without the blackhat knowing that their every action is captured
    • capture the blackhat's every move without them knowing, and store the information remotely

Page 18: Requirements (cont.)

• Third requirement: data collection
  – for organizations that have multiple honeynets in distributed environments
  – collecting all of the captured information securely from the distributed honeynets

Page 19: Implementation

• A firewall separating the Honeynet into three different networks

[Diagram: Internet, router and Firewall in front of a switch; the Honeynet (Sparc, Linux and NT honeypots) and the Administrative Network (IDS, syslog host, Log/Alert Server) hang off the firewall as separate segments]

Page 20: Implementation (cont.)

• Data control
  – the firewall is the primary tool for data control
    • allow any inbound connection, but control outbound connections
    • once a honeypot has reached a certain limit of outbound connections, the firewall blocks any further attempts
  – firewall implementations:
    • CheckPoint FireWall-1 with a shell script
    • IPTables with its limit functionality
    • OpenBSD's pf with a session-limit pf patch

Page 21: Implementation (cont.)

• Data control (cont'd)
  – a router is used to supplement this filtering
    • hides the firewall
    • acts as a second access-control device
      – allows only packets with a source IP address belonging to the Honeynet (anti-spoofing)
      – blocks outbound ICMP traffic
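The two slides above describe a layered outbound policy. The following added example, not from the slides and not the Honeynet Project's scripts, simulates it: the firewall allows any inbound connection to the honeypots, logs every connection (which is also the first data-capture layer described later), and blocks a honeypot's outbound connections once it has opened a fixed number of them; the router behind the firewall then applies its own two rules, dropping packets whose source is not a honeynet address and all outbound ICMP. The honeynet prefix, the limit and the flows are constructed.

```python
# Added example (not from the original slides, and not the Honeynet Project's
# scripts): simulation of the honeynet data-control policy. Firewall: allow all
# inbound, count and cap outbound per honeypot, log everything. Router: second
# check on traffic leaving, anti-spoofing plus no outbound ICMP.
# HONEYNET, LIMIT and FLOWS are assumptions made for the demo.
import ipaddress
from collections import Counter

HONEYNET = ipaddress.ip_network("192.0.2.0/24")  # assumed honeynet range
LIMIT = 5                                         # assumed outbound budget per honeypot


class Firewall:
    def __init__(self, honeynet=HONEYNET, limit=LIMIT):
        self.honeynet, self.limit = honeynet, limit
        self.outbound = Counter()  # outbound connections seen per honeypot
        self.log = []              # every connection, whatever the verdict

    def check(self, proto: str, src: str, dst: str) -> str:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in self.honeynet and d not in self.honeynet:  # outbound
            self.outbound[src] += 1
            verdict = "allow" if self.outbound[src] <= self.limit else "block"
        elif d in self.honeynet:                            # inbound or honeynet-internal
            verdict = "allow"
        else:                                               # unrelated to the honeynet
            verdict = "drop"
        self.log.append((proto, src, dst, verdict))
        return verdict


def router(proto: str, src: str, dst: str, honeynet=HONEYNET) -> str:
    """Second access-control device for traffic leaving towards the Internet."""
    if ipaddress.ip_address(src) not in honeynet:
        return "drop"  # spoofed source: only honeynet addresses may leave
    if proto == "icmp":
        return "drop"  # outbound ICMP is blocked entirely
    return "allow"


def process(flows, fw=None) -> list:
    """Run each (proto, src, dst) through the firewall, then the router if it is leaving."""
    fw = fw or Firewall()
    verdicts = []
    for proto, src, dst in flows:
        v = fw.check(proto, src, dst)
        leaving = ipaddress.ip_address(dst) not in fw.honeynet
        if v == "allow" and leaving:
            v = router(proto, src, dst, fw.honeynet)
        verdicts.append(v)
    return verdicts


# Constructed traffic: two inbound probes, six outbound connections from the
# compromised honeypot 192.0.2.10, an outbound ping, and an unrelated flow.
FLOWS = (
    [("tcp", "203.0.113.9", "192.0.2.10"), ("tcp", "203.0.113.9", "192.0.2.11")]
    + [("tcp", "192.0.2.10", "198.51.100.1")] * 6
    + [("icmp", "192.0.2.11", "198.51.100.1"), ("tcp", "10.0.0.1", "198.51.100.1")]
)

if __name__ == "__main__":
    fw = Firewall()
    for flow, v in zip(FLOWS, process(FLOWS, fw)):
        print(*flow, "->", v)
    print("outbound counts:", dict(fw.outbound))
```

The limit is a trade-off the slides leave implicit: set it too low and the attacker notices that nothing works and leaves (or realises it is a honeypot); set it too high and the compromised honeypot becomes a useful attack platform against third parties. The router's anti-spoofing rule exists because the firewall's per-honeypot counter is keyed on source address, and a forged source would otherwise escape the budget.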

Page 22: Implementation (cont.)

• Data capture
  – firewall
    • the first layer of capturing activity
    • logs all connections initiated to and from the Honeynet
    • alerts
  – IDS
    • captures all network activity (important)
    • alerts us to any suspicious activity (not critical, but it can give detailed information)
  – IDS implementation: Snort; alerts are forwarded to the syslog server

Page 23: Implementation (cont.)

• Data capture (cont'd)
  – the systems themselves
    • capture all system and user activity that occurs on a system
      – all system logs are written not only locally but also to a remote log server
        » UNIX: add an entry for the remote syslog server in the syslog configuration file
        » Windows: third-party applications
      – do not hide the use of a remote syslog server
    • capture keystrokes and screen shots and forward that data remotely
        » Unix: a modified version of bash
        » Windows: ComLog

Page 24: Virtual Honeynet

• Implements the honeynet on a single system
• Advantages:
  – reduced cost
  – easier management
• Disadvantages:
  – limited types of operating system
  – risk: an attacker could break out of the virtualization software and take over the Honeynet host, bypassing the data control and data capture mechanisms.

Page 25: Virtual Honeynet (cont.)

• Implementation: VMware

[Diagram: Internet connected to a Host Operating System running several Guest OS instances]