NETWORKS Fall 2010
Review – IDS
What is Intrusion Detection?
The process of monitoring events occurring in a computer system or network and analyzing them for signs of intrusions.
Need for Intrusion Detection Systems:
- Detect attacks not prevented by other security systems
- Detect and deal with preambles to attacks
- Document the existing threat to an organization
- Act as quality control for secure design and administration
Review – Why Not Firewalls?
- Need real-time detection of intrusion
- Not all access to the Internet is through firewalls
- Not all threats originate outside firewalls
- Firewalls are subject to attack themselves
- IDSs and firewalls should complement each other
OUTLINE Intrusion Detection Systems
Intrusion Detection Systems
Intrusion Detection Capabilities
- Scan packet contents for classified or proprietary data
- Scan traffic for attack signatures
- Terminate suspicious TCP sessions
- Update firewall rules or router filters to deny all access from suspicious sources
- Alert administrators about violations/attacks
- Provide a database of attacks and possible countermeasures
IDS Limitations – an IDS cannot:
- Monitor traffic across routers, bridges or switches
- Find classified or proprietary information in encrypted transmissions
- Perform statistical analysis of traffic over time (not yet, anyway)
- Replace diligent, human review of logs/traces
Burglar Alarm 1
- Based on site policy, alert the administrator to policy violations
- Detect events that may not be “security” events but which may indicate a policy violation:
  - New routers
  - New subnets
  - New web servers
Burglar Alarm 2
- A burglar alarm is a misuse detection system that is carefully targeted
- You may not care about people port-scanning your firewall from the outside
- You may care profoundly about people port-scanning your mainframe from the inside
- Set up a misuse detector to watch for misuses violating site policy
Burglar Alarm 3
The ideal burglar alarm is situated so that it fires when an attacker performs an ordinary action, e.g.:
- Mapping the network
- Scanning the network
After successfully breaking in:
- Adding a userid
- Zapping a log file
- Making a program setuid root
- Starting a sniffer
Burglar Alarm Construction
Burglar alarms can be built using firewall/router logs, e.g.:
- Watch for attempts to access non-existent hosts on your network, which could indicate network scanning or mapping activity
- Send an e-mail or other alert to the administrator
Refer to the following URL for numerous examples of host-based burglar alarms:
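As an added example (not from the slides), a small burglar alarm over firewall log lines: it trips when one source touches several hosts that do not exist on the subnet, the ordinary "mapping the network" step the slides describe, and formats the alert an administrator would receive. The log format, the addresses and the live-host list are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed firewall log excerpt (made up for this example) in a simple
# key=value style; real firewall formats differ but carry the same fields.
FIREWALL_LOG = """
Oct 05 02:14:03 fw DENY src=203.0.113.7 dst=10.1.1.9 dport=445
Oct 05 02:14:03 fw DENY src=203.0.113.7 dst=10.1.1.10 dport=445
Oct 05 02:14:04 fw DENY src=203.0.113.7 dst=10.1.1.11 dport=445
Oct 05 02:14:04 fw DENY src=203.0.113.7 dst=10.1.1.12 dport=445
Oct 05 02:14:05 fw ALLOW src=203.0.113.7 dst=10.1.1.20 dport=80
Oct 05 09:30:11 fw ALLOW src=198.51.100.4 dst=10.1.1.20 dport=80
Oct 05 09:31:40 fw DENY src=198.51.100.4 dst=10.1.1.21 dport=22
"""

# Hosts that really exist on the monitored subnet: the site-policy data the
# alarm is built from (a constructed list here).
LIVE_HOSTS = {"10.1.1.20", "10.1.1.21", "10.1.1.22"}

LINE_RE = re.compile(
    r"(?P<ts>\w+ \d+ \d\d:\d\d:\d\d) \S+ (?P<action>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

def parse_log(text):
    """Return one dict per log line that matches the expected format."""
    entries = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries

def nonexistent_host_alarm(entries, live_hosts, threshold=3):
    """Sources that touched at least `threshold` distinct non-existent hosts.
    Hitting addresses nobody uses is an ordinary step in mapping a network, so
    it is a low-noise trigger. Returns {source: sorted phantom destinations}."""
    touched = defaultdict(set)
    for e in entries:
        if e["dst"] not in live_hosts:
            touched[e["src"]].add(e["dst"])
    return {src: sorted(dsts) for src, dsts in touched.items() if len(dsts) >= threshold}

def alert_text(alarms):
    """Format the alarm as the e-mail/other alert sent to the administrator."""
    return "\n".join(f"{src} probed {len(dsts)} non-existent hosts: {', '.join(dsts)}"
                     for src, dsts in sorted(alarms.items()))
```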
Reporting Suspicious Hosts
- Always follow official channels first
- Don’t e-mail info if you’re not reasonably sure that the attacker doesn’t “own” the mail host
- Include dates and times
- Include log information if you can (you may want to edit IP addresses to protect the innocent)
A Simple IDS Model
A simple model of an intrusion detection system (figure): the IDS monitors the CPU, and reports and responds to what it observes, under IDS Control.
IDS Components
Figure: Audit Data → Audit Data Preprocessor → Audit Records / Activity Data → Detection Engine (using Detection Models) → Alarms → Decision Engine (using a Decision Table) → Action/Report.
Assumptions: system activities are observable; normal and intrusive activities have distinct evidence.
Why use an IDS?
Why would we want to do intrusion detection? Why not just keep intruders out? Stallings' list:
- Second line of defense. Even the best intrusion detection system can fail. Many intruders are insiders.
- Ejection. Catch intruders before they can do much damage.
- Deterrent. Intruders may stay out if they think they'll be caught.
- Educational. Learn how intruders do what they do and use this to improve both prevention and detection techniques.
Second Line of Defense
Since firewalls fail, detection is our second line of defense.
Prevent → Detect → React/Survive
Security principles: layered mechanisms
Fundamentals 1
What methods are used?
- Audit trail processing
- On-the-fly processing
- Profiles of normal behavior
- Signatures of abnormal behavior
- Parameter pattern matching
Fundamentals 2
How is it organized? What are the basic components and how are they interconnected?
Figure components: Sensor, Processing Engine (Algorithms), Knowledge Base, Audit/Archive, System Management, GUI/Display, Alarms; external connections to the target system, to other IDSs and to operators.
Fundamentals 3
What is an intrusion?
- Is an attack the same thing as an intrusion?
- What actions constitute an intrusion?
- How is the identity of an intruder obtained?
- How is information correlated?
  - Single or multiple packets
  - Real time vs. after the fact
  - In-band and all-band
Fundamentals 4
How can an intruder be trapped?
- Can the intruder be diverted to a special trap system?
- What methods are available for incident response?
IDS Methods
While there are automatic intrusion detection tools available, it is worthwhile to note that nearly all incidents in which an intruder has been caught in real time have involved manual intrusion detection methods. However, there are five specific methods of practical intrusion detection:
- Audit trail processing
- On-the-fly processing
- Profiles of normal behavior
- Signature of abnormal behavior
- Parameter pattern matching
Audit Trail Processing
- Activity on audit probes is logged and stored in an audit trail
- The audit probes are selected by system administrators based on their view of what is a security-critical event (logins, file opens, ...)
- GOAL: have a good set of probes that cover the threat environment
- PROBLEM: system performance decreases as the number of probes increases
Sample Audit Trail
An audit record might look like:
<source IP addr, destination IP addr, source port, destination port, protocol, time session initiated, session initiation direction, success or failure of session>
Example:
<in, out, 3000, 23, TCP, 13:04, outbound, success>
where "in" is some internal IP address, "out" is some external IP address, 3000 is some user port and 23 is the telnet port.
Example Audit Record
Below is an example of an audit trail, where "gw" is your intranet gateway:
<in, in, 4050, 80, TCP, 07:36:04, inbound, success>
<out(X), gw, 6025, 23, TCP, 07:51:12, inbound, failure>
<out(X), gw, 6025, 23, TCP, 07:51:55, inbound, failure>
<out(X), gw, 6025, 23, TCP, 07:52:17, inbound, failure>
<out(X), gw, 6025, 23, TCP, 07:52:58, inbound, failure>
<out(X), in, 3000, 23, TCP, 13:04:22, inbound, success>
<out(Y), gw, 5000, 23, TCP, 23:54:22, inbound, success>
Is there anything suspicious going on?
Audit Trail Analysis 1
Consider the first entry:
<in, in, 4050, 80, TCP, 07:36:04, inbound, success>
An inbound session should have an "out" source IP address. It appears that some intruder is changing the source IP address in an IP gateway spoof attack.
Audit Trail Analysis 2
Consider the next few entries:
<out(X), gw, 6025, 23, TCP, 07:51:12, inbound, failure>
<out(X), gw, 6025, 23, TCP, 07:51:55, inbound, failure>
<out(X), gw, 6025, 23, TCP, 07:52:17, inbound, failure>
<out(X), gw, 6025, 23, TCP, 07:52:58, inbound, failure>
Someone from "out" address X is repeatedly trying to telnet to the gateway.
Audit Trail Analysis 3
Consider the 6th entry:
<out(X), in, 3000, 23, TCP, 13:04:22, inbound, success>
The previously suspicious IP address X manages to telnet to an internal address.
Audit Trail Analysis 4
Consider the final entry:
<out(Y), gw, 5000, 23, TCP, 23:54:22, inbound, success>
This is suspicious because of the time (around midnight).
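The four analyses above, carried out by a small audit-trail processor, as an added example that is not part of the slides: it parses records in the slides' own <...> format and applies the four checks (internal source on an inbound session, repeated failed telnet logins to the gateway, a later success from a source already flagged, and a successful session at odd hours). The failure threshold and the 22:00–05:00 "odd hours" window are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import time

# Constructed copy of the audit records on the slides, in the slides' format
# <src, dst, sport, dport, proto, time, direction, result>; "gw" is the gateway.
AUDIT_TRAIL = """
<in, in, 4050, 80, TCP, 07:36:04, inbound, success>
<out(X), gw, 6025, 23, TCP, 07:51:12, inbound, failure>
<out(X), gw, 6025, 23, TCP, 07:51:55, inbound, failure>
<out(X), gw, 6025, 23, TCP, 07:52:17, inbound, failure>
<out(X), gw, 6025, 23, TCP, 07:52:58, inbound, failure>
<out(X), in, 3000, 23, TCP, 13:04:22, inbound, success>
<out(Y), gw, 5000, 23, TCP, 23:54:22, inbound, success>
"""
FIELDS = ["src", "dst", "sport", "dport", "proto", "time", "direction", "result"]

def parse_records(text):
    """Turn each <...> record into a dict of named, typed fields."""
    records = []
    for m in re.finditer(r"<([^>]*)>", text):
        rec = dict(zip(FIELDS, (v.strip() for v in m.group(1).split(","))))
        rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
        rec["time"] = time.fromisoformat(rec["time"])
        records.append(rec)
    return records

def analyze(records, fail_threshold=3, odd_hours=(22, 5)):
    """Apply the slides' four checks; returns a list of (record_index, reason)."""
    alerts, failures, suspicious = [], defaultdict(int), set()
    late, early = odd_hours  # assumed "odd hours" window: from 22:00 up to 05:00
    for i, r in enumerate(records):
        flagged_before = r["src"] in suspicious
        # 1. An inbound session must carry an external ("out") source address.
        if r["direction"] == "inbound" and not r["src"].startswith("out"):
            alerts.append((i, "inbound session with internal source: possible IP spoofing"))
            suspicious.add(r["src"])
        # 2. Repeated failed telnet sessions to the gateway from one source.
        if r["dst"] == "gw" and r["dport"] == 23 and r["result"] == "failure":
            failures[r["src"]] += 1
            if failures[r["src"]] == fail_threshold:
                alerts.append((i, f"{r['src']}: {fail_threshold} failed telnet logins to gateway"))
                suspicious.add(r["src"])
        # 3. A source flagged by an earlier record now completes a session.
        if r["result"] == "success" and flagged_before:
            alerts.append((i, f"{r['src']}: previously flagged source now has a successful session"))
        # 4. Successful sessions at odd hours (see the general principles slide).
        if r["result"] == "success" and (r["time"].hour >= late or r["time"].hour < early):
            alerts.append((i, f"{r['src']}: successful session at {r['time']} (odd hours)"))
    return alerts
```

Run on the slides' trail, the checks fire on records 1, 4, 6 and 7 (indices 0, 3, 5, 6), matching the four analyses.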
General Principles
Things to look for in an audit record:
- Users logging in at odd hours
- Unexplained reboots or changes to the system clock
- Unusual error messages from mailers, daemons or other servers
- Failed login attempts with bad passwords
- Unauthorized use of the su command
- Users logging in from unfamiliar sites on the network