
IDS Deployment

Characteristics of a Good Intrusion Detection System

1. It must run continually without human supervision. The system must be reliable enough to allow it to run in the background of the system being observed. However, it should not be a "black box": its internal workings should be examinable from outside.
2. It must be fault tolerant, in the sense that it must survive a system crash and not have its knowledge base rebuilt at restart.
3. On a similar note, it must resist subversion. The system can monitor itself to ensure that it has not been subverted.
4. It must impose minimal overhead on the system. A system that slows a computer to a crawl will simply not be used.
5. It must observe deviations from normal behavior.
6. It must be easily tailored to the system in question. Every system has a different usage pattern, and the defense mechanism should adapt easily to these patterns.
7. It must cope with changing system behavior over time as new applications are added. The system profile will change over time, and the IDS must be able to adapt.
8. Finally, it must be difficult to fool.

Detection Methods

- Attack signatures (e.g. virus/malware signatures)
- Anomaly detection: look for things that are out of the ordinary
- Stateful protocol analysis
- Integrity checking
- Hybrid
- Pros and cons of each

©2009 KRvW

Stateful protocol analysis
- E.g. if a terminal A, after receiving a SYN, sends out a SYN-ACK, then A is running a port service, i.e. it is acting as a server, even though it is only a desktop/laptop. Is it authorized? (Somebody might be running a server on my laptop!)

Integrity checkers
- Check vital files for unauthorized change
- Compare against previous snapshots
- Assumptions? Effective strategy?
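As an added example (not from the slides), the two checks on this slide in Python: a per-connection TCP handshake state machine that replays constructed packet records and reports which hosts answered a SYN with a SYN-ACK (so they are accepting connections) but are not on an assumed inventory of authorized servers, plus a file-integrity checker that hashes constructed file contents and compares them against a stored snapshot. All addresses, paths and file contents are constructed; `AUTHORIZED_SERVERS` is an assumption.

```python
"""Stateful protocol analysis and integrity checking (added example, not
from the slides). Packet records, addresses and file contents below are
constructed so the script runs offline."""
import hashlib
from collections import defaultdict

# Constructed packet records: (src, dst, TCP flags). 10.0.0.20 is a known
# server; 10.0.0.9 is a desktop that nonetheless answers a SYN.
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.20", frozenset({"SYN"})),
    ("10.0.0.20", "10.0.0.5", frozenset({"SYN", "ACK"})),
    ("10.0.0.5", "10.0.0.20", frozenset({"ACK"})),
    ("10.0.0.7", "10.0.0.9", frozenset({"SYN"})),
    ("10.0.0.9", "10.0.0.7", frozenset({"SYN", "ACK"})),
    ("10.0.0.7", "10.0.0.9", frozenset({"ACK"})),
    # A SYN-ACK that no SYN preceded: out of state, worth a second look.
    ("203.0.113.4", "10.0.0.7", frozenset({"SYN", "ACK"})),
]

# Assumed inventory of hosts permitted to accept connections.
AUTHORIZED_SERVERS = {"10.0.0.20"}


def track_handshakes(packets):
    """Replay packets through a per-connection TCP handshake state machine.

    Returns (servers, anomalies): servers maps each host that answered a
    SYN with a SYN-ACK (so it is listening, whatever role it is supposed
    to have) to the set of clients it answered; anomalies lists SYN-ACKs
    that no SYN preceded.
    """
    state = {}  # (client, server) -> handshake stage
    servers = defaultdict(set)
    anomalies = []
    for src, dst, flags in packets:
        if flags == {"SYN"}:
            state[(src, dst)] = "SYN_SENT"
        elif flags == {"SYN", "ACK"}:
            key = (dst, src)  # the reply travels server -> client
            if state.get(key) == "SYN_SENT":
                state[key] = "SYN_RECEIVED"
                servers[src].add(dst)
            else:
                anomalies.append((src, dst, "SYN-ACK without preceding SYN"))
        elif flags == {"ACK"} and state.get((src, dst)) == "SYN_RECEIVED":
            state[(src, dst)] = "ESTABLISHED"
    return dict(servers), anomalies


def unauthorized_servers(packets, authorized=AUTHORIZED_SERVERS):
    """Hosts observed accepting connections that are not in the inventory."""
    servers, _ = track_handshakes(packets)
    return sorted(h for h in servers if h not in authorized)


# --- Integrity checking -------------------------------------------------

def snapshot(files):
    """Map each path to the SHA-256 of its content (the stored baseline)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def compare_snapshots(baseline, current):
    """Report what changed since the baseline was taken.

    The check is only as good as its assumptions: the baseline must have
    been taken on a clean system and kept where the monitored host cannot
    rewrite it, otherwise a change is simply baked into the next snapshot.
    """
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


# Constructed file contents for a clean baseline and a later state.
BASELINE_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
    "/bin/ls": b"ELF-ls-build-1",
    "/etc/motd": b"Authorized use only\n",
}
CURRENT_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\nextra:x:0:0::/:/bin/sh\n",
    "/bin/ls": b"ELF-ls-build-1",
    "/etc/cron.d/nightly": b"0 3 * * * root /opt/job.sh\n",
}


if __name__ == "__main__":
    servers, anomalies = track_handshakes(SAMPLE_PACKETS)
    print("listening hosts:", servers)
    print("not in inventory:", unauthorized_servers(SAMPLE_PACKETS))
    print("out-of-state:", anomalies)
    print(compare_snapshots(snapshot(BASELINE_FILES), snapshot(CURRENT_FILES)))
```

The handshake tracker answers the slide's question ("is it authorized?") only when paired with an inventory; without one it can merely tell you which hosts are listening. The snapshot comparison is the classic integrity-checker design, and the docstring spells out the assumption the slide asks about.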

Signature Based

- Based on a set of signatures and rules: find and log suspicious activity, generate alerts
- Intruders have signatures like computer viruses, so they can be detected using software
- The analyst must find data packets that contain any known intrusion-related signatures or anomalies related to Internet protocols
- Signature-based (misuse detection): pattern matching
  - Cannot detect new attacks
  - Low false positive rate

mms©

Anomaly Detection

- Depends on packet anomalies present in protocol header parts
- In some cases these methods procure better results compared to signature-based IDS
- Usually the IDS captures data from the network, then applies its rules to that data or detects anomalies in it
- Snort is primarily a rule-based IDS; however, input plug-ins are present to detect anomalies in protocol headers

Anomaly Detection

- Anomaly-based (statistical-based): activity monitoring
  - Has the ability to detect new attacks
  - Higher false positive rate

Pros and Cons

Signature
- Accurate for known attacks
- Negative validation model
- Can stem outbreaks easily?
- Analysis and response time critical
- Maintenance of signatures

Anomaly
- Theoretically accurate for novel attacks
- What is "normal"?
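The trade-off on this slide, worked in Python as an added example (not from the slides): a signature scanner and a statistical anomaly detector run over the same constructed web-server log lines. The known pattern is caught by the signature and missed by the anomaly detector; the request matching no signature is caught only by the anomaly detector; and a legitimate but unusually long path shows the anomaly detector's false positive. The log format, client addresses, paths, and the two-entry signature list are all constructed for the example, and the path-length profile stands in for whatever "normal" a real deployment would learn.

```python
"""Signature vs. anomaly detection over constructed web-server log lines
(added example, not from the slides). Log format, clients, paths and the
signature list are constructed for illustration."""
import re
from statistics import mean, pstdev

LOG_RE = re.compile(r'^(\S+) "(\S+) (\S+)" (\d{3})$')

# Illustrative signatures: known-bad patterns looked for in the request path.
SIGNATURES = [
    ("path-traversal", re.compile(r"\.\./")),
    ("sql-union", re.compile(r"union\s+select", re.IGNORECASE)),
]

# Constructed known-good traffic used to learn what "normal" looks like.
TRAINING_LINES = [
    '192.0.2.10 "GET /index.html" 200',
    '192.0.2.11 "GET /images/logo.png" 200',
    '192.0.2.12 "GET /about.html" 200',
    '192.0.2.13 "GET /contact.html" 200',
    '192.0.2.14 "GET /products?id=42" 200',
    '192.0.2.15 "GET /news/2023/10/update.html" 200',
    '192.0.2.16 "GET /css/site.css" 200',
    '192.0.2.17 "GET /js/app.js" 200',
]

# Constructed traffic to inspect: one known attack pattern, one request that
# matches no signature, and one legitimate but unusually long path.
INSPECT_LINES = [
    '192.0.2.20 "GET /index.html" 200',
    '192.0.2.21 "GET /cgi-bin/../../etc/passwd" 404',
    '192.0.2.22 "GET /search?q=' + "A" * 300 + '" 400',
    '192.0.2.23 "GET /reports/annual-financial-statement-2023-consolidated-final-approved.pdf" 200',
]


def parse_log(line):
    """Split one constructed log line into its fields."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparsable log line: {line!r}")
    client, method, path, status = m.groups()
    return {"client": client, "method": method, "path": path, "status": int(status)}


def signature_scan(records):
    """Misuse detection: report every record whose path matches a known signature."""
    hits = []
    for r in records:
        for name, pattern in SIGNATURES:
            if pattern.search(r["path"]):
                hits.append((r["client"], name))
    return hits


def build_profile(records):
    """Statistical profile (mean and population std dev) of path length."""
    lengths = [len(r["path"]) for r in records]
    return {"mean": mean(lengths), "std": pstdev(lengths)}


def anomaly_scan(records, profile, z_threshold=3.0):
    """Anomaly detection: flag paths whose length lies far outside the profile."""
    hits = []
    for r in records:
        deviation = len(r["path"]) - profile["mean"]
        # A degenerate profile (all training paths the same length) treats
        # any deviation as anomalous rather than dividing by zero.
        z = float("inf") if profile["std"] == 0 and deviation > 0 else deviation / (profile["std"] or 1)
        if z > z_threshold:
            hits.append((r["client"], round(z, 1)))
    return hits


def triage(training_lines, inspect_lines):
    """Run both detectors over the inspected traffic and return their hits."""
    profile = build_profile([parse_log(line) for line in training_lines])
    records = [parse_log(line) for line in inspect_lines]
    return {"signature": signature_scan(records), "anomaly": anomaly_scan(records, profile)}


if __name__ == "__main__":
    print(triage(TRAINING_LINES, INSPECT_LINES))
```

Each detector's hits are returned rather than merged, so the reader can see which client was caught by which method; in a hybrid deployment the two lists would be correlated before alerting.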

Pros and Cons

NIDS
- No load on business processing
- Eroding in effectiveness
  - SSL/TLS and SSH: if the NIDS is placed in front of SSL, then the NIDS can't see beyond the encrypted data
  - Lacking business context: if the NIDS can detect attacks meant for Windows, but the web server/computers are running Solaris, it is of no use

HIDS
- "Footprint" on servers: puts load on the business, and needs to be installed on PCs
- Closer to the problem
- Partially immune to encryption
- Subject to application reporting

IDS Deployment

Network-based
- Inspect network traffic
- Monitor user activity (packet data)

Host-based
- Inspect local network activity
- OS audit functionality
- Monitor user activity (function calls)

IDS Deployment Architectures

- Simple
- Single tap
- Tap with management net
- In-line

Separation of data
- Keep IDS management traffic separate: performance, security
- Completely separate IDS net: network interfaces are cheap; although this still costs more, it's considered a best practice

IDS Architectures – Simple

- Simple net and sensor
- Completely detectable
- Stand-alone

(Diagram labels: Snort)

IDS Architectures – Single Tap

- Simple sensor with network tap
- Single net interface
- Relatively inexpensive
- Not detectable
- Stand-alone

(Diagram labels: Snort)

IDS Architectures – Tap with Management Net

- Dedicated management network: Snort administration, monitoring, maintenance
- Separates security traffic
- Optimizes performance

(Diagram labels: Management, Snort, Production)

IDS Architectures – In-Line

- In-line deployment
- Similar to a firewall layout
- Generally deployed behind the firewall
- Separate management net
- Allows for IPS functions

(Diagram labels: Management, Snort, Production External, Production Internal)

IDS Deployment Methodology (three diagram-only slides)

Selection (two diagram-only slides)

Deployment (three diagram-only slides)

Step 1: Planning Sensor Position and Assigning Positional Risk

IDS Sensors in a Typical Corporate Network (diagram)

Sensor 2 – this is the ideal position for a sensor. The network segment it is on contains servers that require protection (reason 1). However, the DMZ is traditionally considered an intermediate stepping-stone to the main network; correspondingly, a sensor could be justly positioned for pre-emptive reasons (reason 2).

Sensor 3 – is justified by reason 1 entirely.

Sensor 1 – is justified by reason 2 and probably provides no more security functionality than the firewall logging and alerting functions already provide.


Step 2: Establish Monitoring Policy and Attack Gravity

This process is expanded below:

Deployment (diagram)


Step 3: Reaction


Host Detectors

Application Interface

Information Management

This stage is usually very short but is often forgotten. It deals with:
- Where the information is delivered
- What form the information takes
- What time frame it is delivered in
- What form it is retained in

Console and Log Management


Incident Response & Crisis Management

Test (two diagram-only slides)

HIDS Deployment

NIDS Deployment

Exercises: Discuss the pros and cons of the following:
- Signature vs. anomaly detection
- NIDS vs. HIDS

      | Signature-based detection | Anomaly-based detection
Pros  |                           |
Cons  |                           |

      | NIDS | HIDS
Pros  |      |
Cons  |      |

Discuss: Explain the table below (using the diagram given), i.e. the meaning of each gravity level (L, M, H) for each sensor and each network event.

Exercise: Based on the network diagram given, where should the IDS sensors be located? Explain briefly the reasons for the placement of these sensors.