FORESEC Academy Security Essentials (III)

Agenda
- The need for host-based ID
- Host-based ID methodology
- Unix host-based ID tools
- Windows host-based ID tools

Need for Host-based ID
- Very fast networks
- Switched networks
- Encrypted networks
- Backdoors in local network
- Insider on network
- Network-based IDS may miss attack
- Don't trust corporate security that much

Very Fast Networks
- The current limits for network-based IDS boxes are about 80 MB/sec fully loaded
- A 200 MHz Pentium bus would only partially increase this
- Bandwidth at large sites will probably always exceed network detection and processing speed
- HIDS does not face bandwidth challenges, but does present deployment issues

Switched Networks
- Network-based intrusion detection systems rely on promiscuous mode for their NICs; this is not possible with switched networks
- Intrusion detection in the switch is the future direction, not really here yet
- Spanning ports and network taps provide semi-effective options

Switched Network Diagram
In a switched network, a virtual circuit is created between two peers across the switch fabric. Each port on the switch only supports the circuits to that host.

Spanning Port Switched Networks
Sensors can be placed on a spanning port, but can usually only monitor one VLAN at a time. This does not work very well in practice.

Network Taps

Encrypted Networks
- NIDS sensors can't analyze what they can't read
- The use of encryption for network traffic is growing
- Encryption can be used by attackers to hide their traffic
- Traffic must be read before/after the encryption process
- NIDS and HIDS can work together to address these challenges

Host-based Intrusion Detection Methodology
- Host-based systems monitor their network connections and file system status. For this to work, we have to acquire the aggregate logs of ALL critical systems at a minimum
- Local processing/alerting may be done, but data is generally sent to a central location for parsing
- When potential problems are found, alerts are raised

Host-based Intrusion Detection Methodology (2)
1) A connects to B
2) B logs connection and informs Logserver
3) Logserver records A -> B connection, checks ruleset, A -> B is OK, waits.

Unix Host-based Intrusion Detection
- TCPWrappers
- Port Sentry
- Syslog
- Swatch
- Tripwire

TCPWrappers
- Monitors and filters incoming TCP network service requests
- Valuable logging tool
- Where to get it:
  - ftp://ftp.porcupine.org/pub/security/index.html
  - Currently included in most Unix / Linux distributions

Without TCPWrappers: all incoming TCP requests serviced

With TCPWrappers: all requests checked and logged

Host Deny (/etc/hosts.deny)
ALL : ALL # Deny everything, add back with /etc/hosts.allow

Host Allow (/etc/hosts.allow)
ALL: .nnnn.abc.org, , friend.somewhere.edu
sshd: trustedhost.somewhere.org

Paranoid Mode
- Default for TCPWrappers
  - Checks both forward and reverse DNS lookup
  - Both answers must match or connection is dropped
  - Adds a layer of security against spoofing
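The access decision the Host Allow, Host Deny and Paranoid Mode slides describe, as an added example (not the slides' own material, and not libwrap's code): hosts.allow is consulted first, then hosts.deny, and a connection that matches neither is allowed; before any rule is read, the client's reverse DNS name must resolve forward to the same address. The rule files are constructed from the slides (with the elided entry dropped) and DNS answers are supplied as dicts so the example runs offline.

```python
# Added example: a small model of TCP Wrappers access control with the
# PARANOID forward/reverse DNS check. Rules and DNS answers are constructed
# here so the code runs offline; this is not the real libwrap implementation.

HOSTS_ALLOW = """
ALL: .nnnn.abc.org, friend.somewhere.edu
sshd: trustedhost.somewhere.org
"""
HOSTS_DENY = "ALL : ALL   # Deny everything, add back with /etc/hosts.allow\n"

def parse_rules(text):
    """Return [(daemon_patterns, client_patterns)] from 'daemons : clients' lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules

def matches(pattern, value):
    """ALL matches anything; a leading-dot pattern matches a domain suffix."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):
        return value.endswith(pattern)
    return pattern == value

def paranoid_ok(ip, hostname, forward, reverse):
    """Forward and reverse answers must agree, otherwise the name is untrusted."""
    return reverse.get(ip) == hostname and ip in forward.get(hostname, ())

def access_allowed(daemon, ip, forward, reverse):
    """Decide whether `daemon` may serve a connection from `ip`."""
    name = reverse.get(ip, ip)                     # no PTR record: use the bare address
    if name != ip and not paranoid_ok(ip, name, forward, reverse):
        return False                               # PARANOID: drop on DNS mismatch
    for rules, verdict in ((parse_rules(HOSTS_ALLOW), True),
                           (parse_rules(HOSTS_DENY), False)):
        for daemons, clients in rules:
            if (any(matches(d, daemon) for d in daemons)
                    and any(matches(c, name) for c in clients)):
                return verdict
    return True                                    # no rule matched: default allow
```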

Brief DNS Review (TCPWrappers Paranoid mode)

TCPWrappers in Action (intrusion detection AND prevention)

TCPWrappers Threat List
- Outsider attack from network
- Outsider attack from telephone
- Insider attack from local network
- Insider attack from local system
- Attack from malicious code

Psionic Port Sentry (TCPWrappers with an attitude)
- Runs on TCP and UDP
- Stealth scan detection for Linux
- SYN/half-open, FIN, NULL, X-MAS and oddball packet stealth scans
- Port Sentry will react to a port scan attempt by blocking the host in real-time
- Will remember hosts that connected previously

Psionic Port Sentry Log
Jul 3 11:30:20 shepherd portsentry[418]: attackalert: SYN/Normal scan from host: node10453.a2000.nl/ to TCP port: 143
Jul 3 11:30:20 shepherd portsentry[418]: attackalert: Host has been blocked via wrappers with string: "ALL: "
Jul 3 11:30:20 shepherd portsentry[418]: attackalert: Host has been blocked via dropped route using command: "/sbin/route add -host gw "

Syslog
- Unix system logger can be on a local system or other system
- TCPWrappers logs to Syslog by default
- Logs can offer valuable information, but they can also be compromised
- Swatch or other tools can monitor syslog and raise alerts
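The Swatch-style monitoring this slide mentions, applied to the Port Sentry log format from the earlier slide, as an added example (not from the slides and not Swatch's own code): it parses attackalert lines out of a syslog stream, groups scanned ports and block actions per source host, and flags any host that was seen scanning but never got a block entry. The log lines are constructed, with addresses from the TEST-NET documentation ranges standing in for the ones the slide elides.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the Port Sentry format shown on the slide;
# IPs are made up (TEST-NET ranges) and the sshd line is unrelated noise.
SAMPLE_LOG = """\
Jul  3 11:30:20 shepherd portsentry[418]: attackalert: SYN/Normal scan from host: node10453.a2000.nl/192.0.2.77 to TCP port: 143
Jul  3 11:30:20 shepherd portsentry[418]: attackalert: Host 192.0.2.77 has been blocked via wrappers with string: "ALL: 192.0.2.77"
Jul  3 11:30:20 shepherd portsentry[418]:attackalert: Host 192.0.2.77 has been blocked via dropped route using command: "/sbin/route add -host 192.0.2.77 gw 333.444.555.666"
Jul  3 11:31:02 shepherd portsentry[418]: attackalert: SYN/Normal scan from host: node10453.a2000.nl/192.0.2.77 to TCP port: 110
Jul  3 11:35:44 shepherd sshd[902]: Accepted publickey for alice from 192.0.2.10 port 51422 ssh2
Jul  3 11:40:09 shepherd portsentry[418]: attackalert: Connect from host: 198.51.100.9/198.51.100.9 to UDP port: 161
"""

# Scan reports: "<kind> from host: <name>/<ip> to <TCP|UDP> port: <n>"
SCAN_RE = re.compile(r"portsentry\[\d+\]: ?attackalert: (?P<kind>.+?) from host: "
                     r"(?P<name>\S+?)/(?P<ip>[\d.]+) to (?P<proto>TCP|UDP) port: (?P<port>\d+)")
# Block reports: "Host <ip> has been blocked via wrappers|dropped route ..."
BLOCK_RE = re.compile(r"attackalert: Host (?P<ip>[\d.]+) has been blocked via (?P<how>wrappers|dropped route)")

def summarize(log_text):
    """One pass over syslog text: per source IP, its name, scanned ports and blocks applied."""
    hosts = defaultdict(lambda: {"name": None, "ports": [], "blocks": []})
    for line in log_text.splitlines():
        m = SCAN_RE.search(line)
        if m:
            rec = hosts[m["ip"]]
            rec["name"] = m["name"]
            rec["ports"].append((m["proto"], int(m["port"])))
            continue
        m = BLOCK_RE.search(line)
        if m:
            hosts[m["ip"]]["blocks"].append(m["how"])
    return dict(hosts)

def unblocked_scanners(summary):
    """Alert condition: a host that scanned but has no block entry (the reaction may have failed)."""
    return sorted(ip for ip, rec in summary.items() if rec["ports"] and not rec["blocks"])

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for ip, rec in s.items():
        print(ip, rec["name"], rec["ports"], rec["blocks"])
    print("scanned but not blocked:", unblocked_scanners(s))
```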