Chapter 14

 Upon completion of this chapter, you should be able to:  Identify different types of Intrusion Detection Systems and Prevention Systems  Describe how an IDS responds, detects threats and where it runs  Describe how to perform a vulnerability assessment  Harden a network and its devices  Identify switch port security methods

14.1

 After implementing security, you don’t wait for an attack  Use an IDS (Intrusion Detection System) or IPS (Intrusion Prevention System)  Two types of IDS’  Passive (IDS)  Active (IPS)  Classified by how they detect & respond to attacks

 Passive IDS  Monitors network for threats  Alert if threat is found  ONLY DETECTS - DOES NOT TRY TO STOP THREAT  Active IDS  AKA Intrusion Prevention System (IPS)  Detects attack – Takes action! Example: A port is attacked; it closes the port until the attack stops

 Signature Recognition  Has a list of known attacks  MATCH= take action  Can only detect identified/listed attacks  Anomaly Recognition  Identifies typical network traffic  Then looks for abnormal traffic  Uses a measurement above normal values to determine if action should be taken

 Host-based  Runs on a single PC  Monitors application activity & system files  Anti-virus software Uses list of virus definitions to detect; SIGNATURE-BASED IDS  Network-based  Acts like a firewall  Put AV on the device so it can scan all PCs  Centralized admin point

 Create fake resources  Honeypot  Device or virtual machine that entices intruders by having an obvious vulnerability  Distracts hackers from valuable resources  You can observe them, gather info about them, prosecute them

 Identifies vulnerabilities in a network  Vulnerability scanner  Scans open ports, software holes, missing patches, misconfigurations, default passwords  Ping scanner  Detects incoming ICMP requests  Allows you to block them on each device’s firewall  Port scanner  Scans for open ports  Password Cracker  Identifies weak passwords by trying to crack them

 TestOut DEMO Configuring an IDS/IPS  TestOut LAB Configure Intrusion Prevention  TestOut LAB Enable Wireless Intrusion Prevention  TestOut Practice Questions (15)

14.3

 Switches, routers, firewalls  Installed in secure location; locked doors  Change default username/password  Limit admin user access  Switches & routers  Use VLANs to isolate traffic  ACLs  Port security/MAC address  SSH (not Telnet)

 Servers  Install only needed software (no extras)  Install anti-malware software  Apply patches & service packs  User Accounts  Multi-factor; username/password & smartcard  Account lockout  Time of day restrictions  Passwords  Aging- change password every so often  Can’t reuse old passwords

 Switches have CAM table with MAC addresses learned & port they are on  Two security methods:  Restrict each port to a specific MAC address  Set max # of MAC addresses a port can learn

 Actions for port security  Protect Disallow unknown MAC  Restrict Disallow unknown MAC, creates a log message  Shut down Port shuts down & admin must reset it

 On a switch  Filters out untrusted DHCP messages  Prevents rogue DHCP servers (possibly from outside the network) from offering clients an IP address

 TestOut DEMO Configuring Switch Port Security  TestOut LAB Configure Port Security

 Complete the study guide handout  Complete TestOut  Practice in Packet Tracer  Jeopardy review

Chapter 14