Host Intrusion Prevention Systems & Beyond

Host Intrusion Prevention Systems & Beyond By Dilsad Sera SAHINTEPE

Outline
What is Intrusion Detection?
Host Based & Network Based
What does an IDS Detect?
IDS types
Importance of HIPS
IDS Implementation
HIDS
Difference between IDS & Firewall
Passive/Reactive Systems
Prevention Systems
What is HIPS?
How an IDS differs from HIPS

What is Intrusion Detection?
An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activity or policy violations and produces reports to a management station.

What does an IDS Detect?
An IDS is a system used to detect unauthorized intrusions into computer systems and networks. Examples: attacks on FTP services, and data-driven attacks at the application layer such as SQL injection, where a crafted input provokes an error that can crash an application.
IDS Components
Sensors – generate security events (for example from log files)
Console – monitors events and alerts, and controls the sensors
Engine – analyzes the data, using artificial intelligence techniques, to generate alerts from the events received
3 in 1: sometimes all three are in one appliance.

Types of Intrusion Detection System
NIDS – Network Based: an independent platform that identifies intrusions by examining network traffic and monitors multiple hosts. It gains access to network traffic by connecting to a hub, a network switch configured for port mirroring, or a network tap. Example: Snort – KSU (Academic Freedom)
PIDS – Protocol Based: a system or agent that typically sits at the front end of a server, monitoring and analyzing the communication protocol between a connected device (a user/PC or system) and the server.
APIDS – Application Protocol Based: a system or agent that typically sits within a group of servers, monitoring and analyzing communication on application-specific protocols. For example, in a web server with a database this would monitor the SQL protocol specific to the middleware/business logic as it transacts with the database.
HIDS – Host Based
Hybrid System

How is an IDS implemented?

Host Based Intrusion Detection System
A HIDS consists of an agent on a host which identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, capability/ACL databases) and other host activities and state. An example of a HIDS is OSSEC.
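The file-system part of that agent's job, as an added example that is not from the slides or from OSSEC: it hashes a directory tree into a baseline and reports what changed on the next scan. The directory, file names and contents are constructed by the code itself in a temporary folder.

```python
# Added example (not from the slides): a minimal host-based integrity check
# of the kind a HIDS such as OSSEC performs on binaries and password files.
# It hashes a tree into a baseline, then reports added/removed/modified files.
import hashlib
import os
import tempfile

def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root):
    """Map each file under root (relative, '/'-separated) to (hash, mode)."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (hash_file(full), os.stat(full).st_mode & 0o7777)
    return baseline

def compare(old, new):
    """Changes between two baselines: the events a HIDS agent alerts on."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }

def write(root, rel, text, mode="w"):
    """Create or append to a file inside the constructed test tree."""
    with open(os.path.join(root, *rel.split("/")), mode) as f:
        f.write(text)

def demo():
    """Constructed scenario: between two scans the monitored passwd file is
    edited and a new executable appears; an untouched config stays quiet."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "etc"))
        write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/sh\n")
        write(root, "untouched.conf", "setting=1\n")
        before = build_baseline(root)
        write(root, "etc/passwd", "# tampered\n", mode="a")  # modification
        write(root, "rogue", "#!/bin/sh\n")                  # new file
        return compare(before, build_baseline(root))
```

A real agent stores the baseline off-host (or signs it) and also records ownership and timestamps, since an attacker who can edit the file can usually edit a local baseline too.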

IDS vs. Firewalls
Both are related to network security.
A firewall looks outward for intrusions in order to stop them from happening. Firewalls limit access between networks to prevent intrusion and do not signal an attack from inside the network.
An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. An IDS also watches for attacks that originate from within a system.

Passive vs. Reactive Systems
In a passive system, the IDS sensor detects a potential security breach, logs the information and signals an alert on the console and/or to the owner.
In a reactive system, also known as an intrusion prevention system (IPS), the IDS responds to the suspicious activity by resetting the connection or by reprogramming the firewall to block network traffic from the suspected malicious source.
Both can use signature-based detection, with signatures keyed to activity on the host or on the network. Example Snort signature (Skype):
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"Skype client login -- reply from server"; flags:AP,SUFR12; flow:to_client,established; dsize:5; content:"|17 03 01 00|"; depth:4; sid:1000010; rev:2;)
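How the payload options of that Skype rule decide a match, and what each mode then does with it, as an added example that is not part of the slides and not Snort's own matcher: it handles only the dsize, content and depth keywords and runs on constructed TCP payloads; the `respond` function and the "passive"/"reactive" mode names are assumptions for illustration.

```python
# Added example (not from the slides): a small evaluator for the dsize,
# content and depth options of the Skype signature quoted above, applied to
# constructed TCP payloads, plus the two response modes the slide contrasts.
RULE = ('alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: '
        '(msg:"Skype client login -- reply from server"; flags:AP,SUFR12; '
        'flow:to_client,established; dsize:5; content:"|17 03 01 00|"; '
        'depth:4; sid:1000010; rev:2;)')

def parse_options(rule):
    """Split the option block inside the parentheses into a dict.
    Only the keyword:value form used by this rule is handled."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts = {}
    for item in (s.strip() for s in body.split(";")):
        if item:
            key, _, val = item.partition(":")
            opts[key] = val.strip()
    return opts

def content_bytes(spec):
    """Turn a Snort content string such as "|17 03 01 00|" or "abc|00|"
    into bytes: text outside the pipes is literal, inside is hex."""
    out = b""
    for i, part in enumerate(spec.strip('"').split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return out

def matches(opts, payload):
    """dsize = exact payload length; content must lie within the first
    depth bytes of the payload (whole payload when depth is absent)."""
    if "dsize" in opts and len(payload) != int(opts["dsize"]):
        return False
    window = payload[: int(opts.get("depth", len(payload)))]
    return content_bytes(opts["content"]) in window

def respond(opts, payload, mode):
    """Passive sensor: log and alert only. Reactive (IPS): also drop."""
    if not matches(opts, payload):
        return "pass"
    return "alert+drop" if mode == "reactive" else "alert"
```

The flags and flow keywords are deliberately left out; in Snort they are checked against TCP header bits and stream state before the payload is ever inspected.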

Prevention System
An intrusion prevention system (IPS) is a network security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real time, to block or prevent those activities.
An adversary can send packets that the IPS will see but the target computer will not. For example, the attacker could send packets whose Time To Live (TTL) fields have been crafted so that they reach the IPS but not the target computers it protects. This technique leaves the IPS with a different state from the target's.

Host Intrusion Prevention System
A host-based intrusion prevention system (HIPS) is an installed software package that monitors a single host for suspicious activity by analyzing events occurring within that host. HIPS also use signature-based detection.

How an IDS differs from an IPS
IPSs are designed to sit inline with traffic flows and prevent attacks in real time.
Deep packet inspection: in addition, most IPS solutions can look at (decode) layer 7 protocols such as HTTP, FTP and SMTP.
Rate-based IPS (RBIPS) can identify abnormal rates for certain types of traffic (e.g. botnet zombies, DDoS). Examples: connections per second, packets per connection. Attacks are detected when thresholds are exceeded. The thresholds are dynamically adjusted based on time of day, day of the week etc., drawing on stored traffic statistics.
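The rate-based threshold idea in that last bullet, as an added example that is not from the slides or from any IPS product: connections per second per source are compared with a limit computed from stored per-hour statistics, so the same burst is normal at 09:00 and anomalous at 03:00. The history table, the sample events, the source addresses and the k=3 multiplier are all constructed assumptions.

```python
# Added example (not from the slides): a rate-based check of the kind the
# RBIPS bullet describes. Connections per second from each source are
# compared with a threshold derived from stored per-hour traffic statistics
# (mean plus k standard deviations), so the limit differs by time of day.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history of connections/second seen on earlier days, keyed by
# hour of day: hour 9 (business hours) is far busier than hour 3 (night).
HISTORY = {
    9: [40, 45, 50, 42, 48, 55, 47, 44],
    3: [2, 1, 3, 2, 1, 2, 2, 3],
}

# Constructed sample: (timestamp_seconds, source_ip) connection events within
# one second, 50 from the first source and 60 from the second.
SAMPLE_EVENTS = [(100.0, "10.0.0.1")] * 50 + [(100.5, "10.0.0.2")] * 60

def threshold_for(hour, history=HISTORY, k=3.0, floor=5):
    """Dynamic threshold for this hour: mean + k*stddev of stored samples,
    never below a floor so quiet hours do not produce a threshold near 0."""
    samples = history.get(hour)
    if not samples:
        return floor
    return max(floor, mean(samples) + k * pstdev(samples))

def conns_per_second(events):
    """Bucket events into {(source, whole_second): count}."""
    counts = defaultdict(int)
    for ts, src in events:
        counts[(src, int(ts))] += 1
    return counts

def detect(events, hour, history=HISTORY):
    """Sources whose rate in any second exceeds the hour's threshold:
    the candidates an RBIPS would block."""
    limit = threshold_for(hour, history)
    rates = conns_per_second(events)
    return sorted({src for (src, _), n in rates.items() if n > limit})
```

With these numbers the 09:00 limit works out to roughly 60 connections per second and the 03:00 limit to the floor of 5, so only the second source trips during the day while both trip at night.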

Host-based vs. Network IPS
A HIPS can handle encrypted and unencrypted traffic equally, because it can analyze the data after it has been decrypted on the host.
A NIPS does not use processor and memory on the computer hosts; it uses its own CPU and memory.
NIPS drawback and benefit, depending on how you look at it: a NIPS is a single point of failure, which is considered a disadvantage; however, this property also makes it simpler to maintain. Use failover or load balancing to combat this NIPS disadvantage.

Host-based vs. Network IPS - 2
A NIPS can detect events scattered over the network (e.g. a low-level event targeting many different hosts, like a worm) and can react.
With a HIPS, only the host's own data is available to take a decision; it would take too much time to report it to a central decision-making engine and wait for the verdict before blocking.

Importance of HIPS
Well-known security companies have realized how important HIPS is, and they have all published HIPS products.

Questions?