KAPLAN SCHOOL OF INFORMATION SYSTEMS AND TECHNOLOGY Intrusion Detection and Incidence Response Course Name – IT Intrusion Detection and Incidence Response Instructor – Jan McDanolds, MS, Security+ Contact Information: AIM – JMcDanolds – Office Hours: Tuesday, 7:00 PM ET or Wednesday, 8:00 PM ET
UNIT 5 Agenda for Unit 5 Readings: Chapter 7 and 8 in Cisco book Chapter 7 – Network Intrusion Prevention Overview - Capabilities - Benefits - Limitations - Hybrid IPS/IDS systems - Shared IDS/IPS capabailities Chapter 8 – NIPS Components - NIPS uses sensors to analyze network traffic: standalone appliance sensors, blade-based sensors, and IPS software integrated into the OS
UNIT 5 Unit 5 NIPS Field Trip: NSS Labs View list of reports – most of these cost $$ to view, a few older ones are free.
UNIT 4 REVIEW Unit 4 Review Readings: Chapter 5 – Host Intrusion Prevention Overview - Capabilities - Benefits - Limitations Chapter 6 – HIPS Components - Essential elements of HIPS products: a software package installed on the endpoint (client or agent) AND a management infrastructure to manage the agents
UNIT 4 REVIEW Unit 4 Review Q and A #1 Name one limitation of a HIPS #2 Name two of the most common methods of gathering data for HIPS #3 What is a shim? For Cisco's CSA, name the Windows shims.
UNIT 5 Network Intrusion Prevention Capabilities, Benefits and Limitations Capabilities - Stops intrusion traffic before it enters the network by placing the sensor as a Layer 2 forwarding device. - Dropping a single packet - Dropping all packets for a connection - Dropping all traffic from a source IP Benefits – provides traffic normalization and security policy enforcement
UNIT 5 Network Intrusion Prevention Capabilities, Benefits and Limitations (cont.) Limitations – deployment location impacts effectiveness. Issue of excessive traffic for a single IDS sensor. - Attacker located on the Internet attacks internal network - Attacker located on the internal network attacks another system on the internal network - Attacker located on the internal network attacks a system on the Internet
UNIT 5 Hybrid IPS/IPS System Hybrid provides IPS protection to prevent an attack coming and going to the Internet, plus the same device can watch for attacks between two internal systems. Capabilities: generating alerts, initiating IP logging, resetting TCP connections and initiating IP blocking.
UNIT 5 NIPS Components Types of sensors: standalone appliance sensors, blade- based sensors and IPS software integrated into the OS Capture traffic: atomic operations, stateful operations, protocol decode operations, anomaly operations and normalizing operations Response: alerting actions, logging actions, blocking actions and dropping actions
UNIT 5 Sensor Capabilities Selection of IPS sensors depends upon: Security budget, amount of network traffic, network topology and security staff to operate the components. Sensor Processing Capability – besides bandwidth, consider average packet size and average number of new TCP connections per second Sensor Interfaces – monitor more locations with multiple interfaces Sensor Form Factor – deploy the correct sensor for the location
UNIT 5 Capturing Network Traffic Capturing traffic for in-line mode: Deploying in-line IPS between: two routers, a firewall and a router, a switch and a router, a switch and a firewall, or between two switches Capturing traffic for promiscuous mode: Cisco mechanisms to capture traffic at the switch – Switch Port Analyzer (SPAN), Remote Switch Port Analyzer (RSPAN) and VLAN Accesss Control List (VACL) Mirror Traffic – send a copy of the network traffic
UNIT 5 Analyzing Network Traffic IPS sensor traffic categories: - Atomic operations - Stateful operations - Protocol decode operations - Anomaly operations - Normalizing operations
UNIT 5 Responding to Network Traffic Actions fall into these categories: - Alerting actions - Logging actions - Blocking actions - Dropping actions
UNIT 5 Sensor Management and Monitoring Two categories: small and large sensor deployments Small Sensor Deployments: device monitoring, web-based monitoring, and custom reporting Large Sensor Deployments: sensor appliances, IDS modules, router modules, IOS routers, and PIX firewalls
UNIT 5 Web Field Trip IBM on YouTube 8 minutes video – shows dashboards intrusion-prevention/
UNIT 5 NIPS articles Review documents in Doc Sharing NIST – Guide to Security Log Management SANS – Experimental Study of IDS
UNIT 5 Readings Unit 5 Readings: Chapter 7 and 8 in Intrusion Prevention Fundamentals ALSO Web Readings
UNIT 5 Unit 5 Assignment Review the rubric to see the point totals. Three questions – 15 points each.
UNIT 5 Unit 5 Assignments Download chapters from Doc Sharing Read chapters and web readings Post to Discussion Attend Seminar Complete Assignment – review rubric any questions: Or you can call me