Intrusion Detection and Prevention

Objectives
● Purpose of IDSs
● Function of IDSs in a secure network design
● Install and use an IDS
● Customize the IDS signature database

IDS: What are they?
● Dedicated, hardened host
● Sensors
● Sits on a network that you want to protect
● Network sniffer
● Packet pattern analyzer
● Unlike firewalls, an IDS is passive (this is changing)
● They are often on each layer of your layered network

Location of IDSs
[Network diagram: Internet, Exterior Firewall, Public Network (External DNS, SMTP Server, Web Server, IDS), Interior Firewall, Protected Network (Internal Clients, Internal DNS, Mail Server, Internal Servers, Internal IDS, Logging/Alerting Server)]

IDS: The Need
● Detection of probes and scans
● Detection of network reconnaissance activity
● Record of attempted exploits
● Location of a compromised host on your network
● Determining what information was compromised

The Attack Plan
● Usually multiphased
● Phase 1: Network scan
  ● Characterizing the hosts on the network
  ● Looking for particular services, e.g. DNS, HTTP
  ● Determining the versions and OS types
● Phase 2: Exploit a buffer overflow in DNS
  ● Compromises the DNS host
● Phase 3: Compromise other hosts on the network
● Without an IDS you would not know

Protection Plan
● Analyze all packets continuously
● Look for patterns of known attacks
  ● Network IDS signatures
  ● The science behind IDS
  ● Like virus signatures, IDS signatures must be updated
  ● Do-it-yourself signature writing
    ● Sometimes necessary
● Look for statistical anomalies
  ● Not a very well developed science as yet

Land Attack (1997)
● Based on hand-crafted packets
● Source IP and destination IP addresses are the same
● Older systems would crash
  ● NT & 95 depended on proper packets
● Basically a denial of service attack

Teardrop Attack (1997 – 1998)
● Improper packet sequence
● The IP fragment offset is malformed
● Consecutive packets overlap
● Newtear.c (on web site)
● Another DoS attack

Teardrop cont'd
● Packet 1
  ● Total length of IP datagram: 48 bytes
  ● More fragments flag is set
  ● Fragment offset is 0
  ● UDP length: 48 bytes – incorrect; the length should be total length – 20 = 28

Teardrop cont'd
● Packet 2
  ● Total length of IP datagram: 24 bytes
  ● Fragment offset is 3 (in units of 8 bytes)
  ● More fragments bit is cleared
  ● 24 bytes are sent

Teardrop cont'd
[Figure: fragment reconstruction. Packet 1 (bytes 0–47): IP datagram header (bytes 0–19; length 48, More Frags bit 1, offset 0), UDP segment header (bytes 20–27; src port, dest port, length 48, checksum), UDP payload (bytes 28–47). Packet 2 (bytes 0–23): IP datagram header (length 24, More Frags bit 0, offset 3), IP payload (bytes 20–23). On reconstruction the new fragment overlaps the end of the first fragment; the UDP length of 48 should be 28.]
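The two Teardrop packets and the Land packet described above, run through the checks an IDS would apply to them, as an added Python example that is not from the slides: the packets are constructed from the slide's field values with made-up addresses, and a 20-byte IP header (no options) is assumed.

```python
from dataclasses import dataclass
from typing import List, Optional

IP_HEADER_LEN = 20  # no IP options (assumption for these constructed packets)

@dataclass
class Packet:
    src: str
    dst: str
    total_length: int                  # IP total length field, in bytes
    more_fragments: bool               # IP "more fragments" flag
    frag_offset: int                   # IP fragment offset, in 8-byte units
    udp_length: Optional[int] = None   # UDP length field (first fragment only)

def is_land(p: Packet) -> bool:
    """Land attack: source and destination IP addresses are the same."""
    return p.src == p.dst

def payload_range(p: Packet):
    """Byte range [start, end) this fragment fills in the reassembled datagram."""
    start = p.frag_offset * 8
    return start, start + (p.total_length - IP_HEADER_LEN)

def teardrop_findings(frags: List[Packet]) -> List[str]:
    """Teardrop checks: a UDP length that disagrees with the IP total length,
    and a later fragment that starts inside bytes an earlier fragment already filled."""
    findings = []
    first = min(frags, key=lambda f: f.frag_offset)
    if first.frag_offset == 0 and first.udp_length is not None:
        expected = first.total_length - IP_HEADER_LEN   # slide: total length - 20
        if first.udp_length != expected:
            findings.append(f"UDP length {first.udp_length}, should be {expected}")
    end_so_far = 0
    for f in sorted(frags, key=lambda f: f.frag_offset):
        start, end = payload_range(f)
        if start < end_so_far:
            findings.append(f"fragment at byte {start} overlaps data ending at byte {end_so_far}")
        end_so_far = max(end_so_far, end)
    return findings

# Constructed from the slide's two Teardrop packets and one Land packet (not captures).
TEARDROP = [Packet("192.0.2.10", "192.0.2.20", 48, True, 0, udp_length=48),
            Packet("192.0.2.10", "192.0.2.20", 24, False, 3)]
LAND = Packet("192.0.2.20", "192.0.2.20", 40, False, 0)
```

For the slide's packets the second fragment lands at byte 24 while the first already filled bytes 0 to 27, which is the overlap the reassembly code mishandled.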

Nimda worm (2001)
● Scan phase
  ● Determine if a web server is an unpatched MS IIS box
  ● Is it vulnerable to a Unicode-related exploit?
● Attack phase
  ● Exploit a buffer overflow

Nimda worm cont'd
● IDS can detect the scan phase of a Nimda attack
● "%c0%af../winnt/etc" is contained in the URL
● %c0%af is a Unicode encoding of a slash ("/")
● Most web servers check the URL for a literal "/" in the "../" sequences that indicate a cd to the root
● Success of this attempt to change to the root directory indicates an unpatched IIS

Nimda worm cont'd
● IDS rule
  ● /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
  ● Specific text search for %c0%af
  ● The attack may change and this rule would not catch it
● Better approach
  ● Convert %c0%af to "/" and then check the validity of the URL
  ● More robust

False +/-
● False positives
  ● Classifying benign activity as malicious
  ● Get a lot of attention since people see the alerts
  ● Annoying; usually the rule gets shut off entirely
● False negatives
  ● Missing a malicious activity
  ● Not seen and ignored
  ● Dangerous
● The risks in classification

IDS Evasion Techniques
● The attacker is patient
● The attacker is clever
● The attacker has nothing else to do
● Examples
  ● cmd.exe in the URL is often bad
  ● However, cmd.exe-analysis.html may be OK
  ● cmd.%65xe is the same thing
● Text searches are not always good or effective
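The decode-first approach from the Nimda slides and the cmd.%65xe point above, side by side with the plain text search, as an added Python example that is not from the slides: the request URLs are constructed from the slide's strings, and reading "validity of the URL" as "no '..' that climbs out of the first directory, and no cmd.exe as the final path component" is this example's assumption.

```python
from urllib.parse import unquote_to_bytes

# Constructed request URLs (not captured traffic) and whether a decode-first check should alert.
SAMPLE_URLS = {
    "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir": True,   # the slide's rule URL
    "/scripts/cmd.%65xe?/c+dir": True,                           # cmd.%65xe spelling
    "/docs/cmd.exe-analysis.html": False,                        # benign page
}

def naive_rule(url: str) -> bool:
    """The slide's IDS rule as a plain text search for %c0%af."""
    return "%c0%af" in url.lower()

def decode_overlong_utf8(data: bytes) -> bytes:
    """Map overlong two-byte forms (lead byte C0/C1, never valid UTF-8) to the ASCII byte they encode."""
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)

def normalize(path: str):
    """Collapse '.' and '..' segments and report whether '..' ever climbed
    out of the first directory, i.e. a cd toward the root."""
    stack, escaped = [], False
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            escaped = escaped or len(stack) <= 1
            if stack:
                stack.pop()
        else:
            stack.append(seg)
    return "/" + "/".join(stack), escaped

def robust_rule(url: str) -> bool:
    """Decode %xx, then overlong UTF-8, then judge the path that results."""
    raw = unquote_to_bytes(url.split("?", 1)[0])          # drop the query string
    decoded = decode_overlong_utf8(raw).decode("latin-1").replace("\\", "/")
    path, escaped = normalize(decoded)
    return escaped or path.lower().rsplit("/", 1)[-1] == "cmd.exe"
```

The text search fires on the slide's URL but not on cmd.%65xe, while the decoded path is judged the same way whichever spelling the request used.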

IDS Software
● Popular systems
  ● Snort – open source
  ● Cisco recommends using Snort
  ● ISS RealSecure
  ● NFR Security NID
● Centralizing all IDS logs
  ● Easier analysis
● Alerts – logs, e-mails, pagers, etc.

Distributed IDS
● IDS logs submitted to a third party for collective analysis
● Attack Registry & Intelligence Service
  ● http://aris.securityfocus.com
● Dshield

Outsourced IDS
● Counterpane
● Trusecure
● Deloitte & Touche