DIYTP 2009
Computer Security – Virus Scanners
- Works in two ways:
  - List of known ‘bad’ files
  - Suspicious activity
- Terminate and Stay Resident (TSR) program
  - File that persists in memory after execution
- Five ways of scanning:
  - /attachment
  - Download
  - File
  - Heuristic: rules that determine if a file is behaving like a virus
  - Active code (e.g. Java, ActiveX)
Computer Security – Virus Scanners
- McAfee
- Symantec
- AVG
- Trend Micro
Computer Security – Anti-Spyware
- Spyware
  - Toolbars, skins, enhancements
  - Threat to privacy
- Ad-Aware
- Spybot Search and Destroy
Computer Security – Intrusion Detection Systems
- Intrusion Detection Systems (IDS)
  - Inspects incoming and outgoing activity and looks for patterns
- Common categorizations:
  - Misuse vs. Anomaly
  - Passive vs. Reactive
  - Network-based vs. Host-based
Computer Security – Intrusion Detection Systems
- Misuse Detection vs. Anomaly Detection
  - Misuse detection: attack signatures
  - Anomaly detection: detects intrusions and notifies the administrator
- Passive Systems vs. Reactive Systems
  - Passive: detects, logs, and sends an alert
  - Reactive: reacts by logging off the user or blocking traffic on the firewall
Computer Security – Intrusion Detection Systems
- Network-Based vs. Host-Based
  - Network-based: analyzes packets on the network
  - Host-based: analyzes a specific host/computer
Computer Security – Intrusion Detection Systems
Figure 1.0 – Intrusion Detection System typical setup
Computer Security – Intrusion Detection Systems
- Snort
- Cisco IDS
- BASE
Computer Security – Firewalls
- Firewall
  - Barrier between the network and the outside world
  - Filters packets based on certain parameters
    - IP address
    - Protocol
- Components
  - Screening
  - Application gateway
  - Circuit-level gateway
Computer Security – Firewalls
- Screening
  - Also known as ‘packet filtering’
  - Most basic type
  - Works in the Network layer of the OSI model
  - Examines incoming packets and allows or prohibits them based on a set of pre-established rules
  - Example: Windows Firewall
Computer Security – Firewalls
- Application Gateway
  - Also known as ‘application proxy’
  - Runs on the firewall
  - Client connects to the proxy program, and the proxy then establishes the connection on the client's behalf
  - Protects client computers
  - Supports user authentication
Computer Security – Firewalls
- Circuit-level Gateway
  - More secure than an application gateway
  - Generally found on high-end equipment
  - User must be verified before communication can take place
  - Passes traffic on to the destination and vice versa
  - Internal systems are not visible to the outside world
Computer Security – Firewalls
- How firewalls look at packets
  - Stateful packet inspection (SPI)
    - Examines each packet
    - Bases its decision on the current and previous packets
    - Can look at the actual contents of a packet
  - Stateless packet inspection
    - Very basic
    - Only looks at the current packet
    - Does not look at contents
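As an added example (not from the slides), a toy stateless screening filter next to a toy stateful one, both run over the same constructed three-packet trace; the addresses, ports and the Packet class are assumptions made up for the illustration. It shows concretely what "bases its decision on previous packets" buys: the stateless rules admit an inbound packet just because it comes from port 80, while the stateful filter rejects it because no matching connection was ever opened from inside.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # set on the first packet of a new TCP connection
    ack: bool = False  # set on every later packet of the connection

INSIDE = "10.0.0.5"  # constructed address of the protected host

def stateless_allow(p: Packet) -> bool:
    """Stateless screening: decide from this packet alone.
    Rule: inside hosts may talk to port 80, and anything arriving
    from port 80 is assumed to be a reply."""
    if p.src == INSIDE and p.dport == 80:
        return True
    return p.dst == INSIDE and p.sport == 80

class StatefulFilter:
    """Stateful packet inspection (SPI): remember connections that were
    opened from inside and admit only inbound packets that belong to one."""
    def __init__(self):
        self.established = set()  # (inside_ip, inside_port, remote_ip, remote_port)

    def allow(self, p: Packet) -> bool:
        if p.src == INSIDE and p.dport == 80 and p.syn and not p.ack:
            self.established.add((p.src, p.sport, p.dst, p.dport))  # new outbound flow
            return True
        if p.src == INSIDE:
            return (p.src, p.sport, p.dst, p.dport) in self.established
        return (p.dst, p.dport, p.src, p.sport) in self.established

# Constructed trace: a legitimate web fetch, then an unsolicited inbound
# packet that merely has source port 80 and no matching outbound connection.
TRACE = [
    Packet(INSIDE, 40000, "203.0.113.10", 80, syn=True),           # outbound SYN
    Packet("203.0.113.10", 80, INSIDE, 40000, syn=True, ack=True),  # real reply
    Packet("198.51.100.7", 80, INSIDE, 445, ack=True),             # unsolicited
]

def run(trace):
    """Return (stateless verdict, stateful verdict) for each packet in order."""
    spi = StatefulFilter()
    return [(stateless_allow(p), spi.allow(p)) for p in trace]
```

The third tuple returned by `run(TRACE)` is `(True, False)`: only the stateful filter drops the packet that belongs to no known connection.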
Computer Security – Firewalls
- Software-based
  - ZoneAlarm
  - McAfee Personal Firewall
  - Norton Personal Firewall
- Hardware-based
  - Cisco
  - Juniper NetScreen