Intrusion Prevention, Detection & Response

IDS vs IPS
- IDS = Intrusion detection system
- IPS = Intrusion prevention system

IDS
Monitors a system for:
- Malicious activities
- Policy violations (not all policy violations are malicious)

IDS Categories
Two categories of IDS:
- A network-based IDS monitors network data packets for malicious activity. Example: Snort, Comodo firewall
- A host-based IDS analyzes any combination of system calls, application logs, file modifications, and other host activities. Example: Tripwire, WinPatrol, anti-virus software

Passive vs Reactive IDS

Passive IDS
Logs the possible intrusion and sends an alert. The alert could be an e-mail to SA staff, or posting the alert on a monitored console (or both). This is how Tripwire behaves.

Reactive IDS
The reactive IDS (aka IPS) responds to an intrusion with a pre-configured defense strategy in real time. Snort, filters, and many anti-virus packages can be configured to be reactive.

Revised Taxonomy
Revised taxonomy for IDS vs IPS:
- An IDS is either passive or reactive.
- An IPS prevents intrusions.

IPS (Revised Taxonomy)
- Passwords
- Login server (example: Kerberos)
- Firewalls: consist of a combination of hardware and software
- Access controls applied to hardware, software, and data
- Physical security

IPS (Revised Taxonomy)
In summary, the IPS is a barrier. The IDS is needed when the IPS barrier is breached.

IPS: Firewall
A combination of software and hardware used to implement security policies governing the network traffic between two or more networks. A firewall is a system used to enforce network traffic security policy.

IPS: Firewall System
1. Design the system
2. Acquire the hardware and software
3. Acquire training, documentation and support
4. Install and configure the system
5. Test the system
6. Maintain the system (sustainability cycle)

IPS: Other Systems
Implement:
- Access controls
- Physical security
- Login server

IPS: Access Controls
- Windows Professional provides access control lists.
- Unix/Linux has a simple access control system: User, Group, World + read, write, execute.
- A Princeton study showed that complex access controls lead to misconfiguration. Proper training is essential.

IPS: Physical Security
Previously covered: locks on doors, limited access, keycards, proximity badges, etc.

IPS: Login Server
Kerberos is a common login server that goes beyond the user-id and password authentication process. Kerberos was developed at MIT.

Kerberos

Intrusion Detection Data: Characterization Information
Collect characterization information (CI). Characterization information must be monitored regularly.

IDS: Characterization Info
- System logs
- File checksums
- System performance metrics provided by system monitoring applications
- Expected activities by users and applications

CI: System Logs
System logs require 1) access controls, 2) backups, and 3) encryption.
- Unix/Linux: /var/log
- MS Windows: systemroot\WINDOWS\System32\Config\*.evt. Enable event logging and use the Event Viewer (eventvwr.msc).

System Log Files
Log files can grow and use up space. Log files should periodically be backed up, then removed to make space for new log information.

Checksums
Tripwire creates a database of checksums for a list of specified files (data, source, binary, etc.). The database of checksums acts as a baseline for comparison. Common checksum algorithms: MD5, SHA, CRC.
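The baseline-and-compare idea behind Tripwire, as an added example (not Tripwire's own code): build a database of file digests, then later report which listed files were modified or removed. File names in the demo are constructed in a temporary directory; SHA-256 is chosen over MD5 and CRC, which are not collision resistant.

```python
import hashlib
import os
import tempfile

# Added example, not Tripwire's code: a minimal Tripwire-style integrity baseline.

def file_digest(path, algo="sha256"):
    """Hash one file in chunks so large binaries need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths, algo="sha256"):
    """Baseline database: path -> digest for every listed file that exists.
    Like Tripwire's database, the baseline itself must be protected (stored
    read-only or signed), or an intruder could simply re-baseline after changes."""
    return {p: file_digest(p, algo) for p in paths if os.path.isfile(p)}

def check_baseline(baseline, algo="sha256"):
    """Compare the current file system state against the baseline."""
    report = {"modified": [], "missing": [], "unchanged": []}
    for path, old in baseline.items():
        if not os.path.isfile(path):
            report["missing"].append(path)
        elif file_digest(path, algo) != old:
            report["modified"].append(path)
        else:
            report["unchanged"].append(path)
    return report

def demo():
    """Constructed sample: three files are baselined, then one is altered
    and one deleted, as a later scheduled integrity check would see them."""
    d = tempfile.mkdtemp()
    a, b, c = (os.path.join(d, n) for n in ("passwd", "sshd_config", "hosts"))
    for p in (a, b, c):
        with open(p, "w") as f:
            f.write("original contents of " + os.path.basename(p) + "\n")
    baseline = build_baseline([a, b, c])
    with open(a, "a") as f:
        f.write("an unexpected extra line\n")  # simulated unauthorized change
    os.remove(b)                               # simulated deletion
    return check_baseline(baseline), a, b, c
```

A real deployment schedules check_baseline regularly (the page's sustainability cycle) and routes any non-empty "modified" or "missing" list to the passive-IDS alert path described above.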

System Performance Metrics
- Server/computer system metrics
- Network activity metrics

System Resource CI
Report the top resource users (examples: top, sysstat):
- CPU time usage
- Memory usage (example: free)
- Number of active processes (by all user-ids, including system ids)
- Number of active open files
- Number of files
- IO data transfer
- Disk space usage and free space
- IO transfer rate
- Other devices used by processes
- Login sessions
- Login attempts

Network Resource CI
- Connection attempts
- Connection duration
- Number of connections
- Source and destination of data packets
- Bandwidth usage (by user and total)
- Transfer rates
- Error counts
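The "Login attempts" and "Connection attempts" characterization information above is usually derived from the system log. As an added example (not from the original slides), the following parses constructed sshd lines in the Unix auth-log format and raises an alert when one source exceeds a threshold of failed logins inside a sliding window; the threshold, window and sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in sshd's auth-log format (syslog timestamp, host, process, message).
SAMPLE_LOG = """\
Mar  4 10:00:01 web1 sshd[2101]: Accepted password for alice from 192.0.2.10 port 51022 ssh2
Mar  4 10:00:05 web1 sshd[2102]: Failed password for root from 198.51.100.7 port 40100 ssh2
Mar  4 10:00:06 web1 sshd[2103]: Failed password for root from 198.51.100.7 port 40101 ssh2
Mar  4 10:00:07 web1 sshd[2104]: Failed password for invalid user admin from 198.51.100.7 port 40102 ssh2
Mar  4 10:00:09 web1 sshd[2105]: Failed password for invalid user test from 198.51.100.7 port 40103 ssh2
Mar  4 10:00:15 web1 sshd[2106]: Failed password for bob from 192.0.2.11 port 51100 ssh2
Mar  4 10:00:30 web1 sshd[2107]: Accepted password for bob from 192.0.2.11 port 51101 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def parse_auth_log(text, year=2024):
    """Yield (timestamp, result, user, ip) for each sshd login-result line.
    Syslog timestamps carry no year, so one is supplied (assumed here)."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def failed_login_alerts(text, threshold=4, window=timedelta(minutes=1)):
    """Return {source_ip: failure_count} for sources with >= threshold failed
    logins within the sliding window; a single typo never trips the alert."""
    recent = defaultdict(list)   # ip -> timestamps of recent failures
    alerts = {}
    for ts, result, user, ip in parse_auth_log(text):
        if result != "Failed":
            continue
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= threshold:
            alerts[ip] = len(recent[ip])
    return alerts
```

On the sample, only 198.51.100.7 (four failures in five seconds) is reported; bob's one failed attempt followed by a successful login stays below the threshold, which is the kind of expected user activity the CI baseline is meant to capture.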

CI
- Number of sent messages
- Number of received messages
- Mail message sizes
- Read/unread message count
Consider logs of other possible communication devices like telephones and company-issued cell phones.

System Security Logging & Auditing Documentation
- Document the characterization information to collect: log files, network CI, computing system CI, etc.
- Document which events should produce an alert
- Document system and application updates
- Document roles and responsibilities of SA staff
- Document a sustainability cycle
- Document an intrusion detection response

Intrusion Response Team
- Create a security response team
- Document the responsibilities of the intrusion response team members
- Document a contact list for the team
- Update the documentation regularly (sustainability cycle)
- Document what to do in an emergency