Presentation is loading. Please wait.

Presentation is loading. Please wait.

Guide to Network Defense and Countermeasures Second Edition

Similar presentations


Presentation on theme: "Guide to Network Defense and Countermeasures Second Edition"— Presentation transcript:

1 Guide to Network Defense and Countermeasures Second Edition
Chapter 7 Intrusion Detection System Concepts

2 Objectives Identify the components of an intrusion detection system
Explain the steps of intrusion detection Describe options for implementing intrusion detection systems Evaluate different types of IDS products Guide to Network Defense and Countermeasures, Second Edition

3 Examining Intrusion Detection System Components
Network intrusion Attempt to gain unauthorized access to network resources Intrusion Detection System (IDS) Consists of more than one application or hardware device Incorporates more than just detection Intrusion Detection Involves prevention, detection, and response Guide to Network Defense and Countermeasures, Second Edition

4 Guide to Network Defense and Countermeasures, Second Edition

5 Examining Intrusion Detection System Components (continued)
Network sensors Alert systems Command console Response system Database of attack signatures or behaviors Guide to Network Defense and Countermeasures, Second Edition

6 Network Sensors Sensor IDS types Electronic “eyes” of an IDS
Hardware or software that monitors traffic in your network and triggers alarms Attacks detected by an IDS sensor Single-session attacks Multiple-session attacks IDS types Host-based IDS Network-based IDS Guide to Network Defense and Countermeasures, Second Edition

7 Network Sensors (continued)
Sensors should be placed at common-entry points Internet gateways Connections between one LAN and another Remote access server that receives dial-up connections from remote users Virtual private network (VPN) devices Management program controls sensors Sensors could be positioned at either side of the firewall Behind the firewall is a more secure location Guide to Network Defense and Countermeasures, Second Edition

8 Guide to Network Defense and Countermeasures, Second Edition

9 Guide to Network Defense and Countermeasures, Second Edition

10 Alert Systems Trigger Types of triggers
Circumstances that cause an alert message to be sent Types of triggers Detection of an anomaly Detection of misuse Guide to Network Defense and Countermeasures, Second Edition

11 Alert Systems (continued)
Anomaly detection Requires you to make use of profiles For each authorized user or group of users Describe services and resources normally accessed by users Some IDSs can create user profiles During “training period” Accuracy problems False negatives False positives Guide to Network Defense and Countermeasures, Second Edition

12 Alert Systems (continued)
Misuse detection Triggers alarms based on characteristic signatures of known attacks IDS comes equipped with a set of signatures Can start protecting the network immediately Need to maintain state information Other detection mechanisms Traffic rate monitoring Protocol state tracking IP packet reassembly Guide to Network Defense and Countermeasures, Second Edition

13 Guide to Network Defense and Countermeasures, Second Edition

14 Command Console Provides a graphical front-end interface to an IDS
Enables administrators to receive and analyze alert messages and manage log files IDS can collect information from security devices throughout a network Command console should run on a computer dedicated solely to the IDS To maximize the speed of response Guide to Network Defense and Countermeasures, Second Edition

15 Response System IDS can be setup to take some countermeasures
Response systems do not substitute network administrators Administrators can use their judgment to distinguish a false positive Administrators can determine whether a response should be escalated Increased to a higher level Guide to Network Defense and Countermeasures, Second Edition

16 Database of Attack Signatures or Behaviors
IDSs don’t have the capability to use judgment Can make use of a source of information for comparing the traffic they monitor Misuse detection References a database of known attack signatures If traffic matches a signature, it sends an alert Keep database updated Passive detection mode Anomaly-based IDS Store information about users in a database Guide to Network Defense and Countermeasures, Second Edition

17 Guide to Network Defense and Countermeasures, Second Edition

18 Examining Intrusion Detection Step by Step
Steps Installing the IDS database Gathering data Sending alert messages The IDS responds The administrator assesses damage Following escalation procedures Logging and reviewing the event Guide to Network Defense and Countermeasures, Second Edition

19 Guide to Network Defense and Countermeasures, Second Edition

20 Step 1: Installing the IDS Database
IDS uses the database to compare traffic detected by sensors Anomaly-based systems Require a training period (over a week) IDS observes traffic and compile a network baseline Misuse-based IDS Can use database immediately You can provide it with your own database Guide to Network Defense and Countermeasures, Second Edition

21 Step 2: Gathering Data Network sensors gather data by reading packets
Sensors need to be positioned where they can capture all packets Sensors on individual hosts capture information that enters and leaves the host Sensors on network segments read packets as they pass throughout the segment Sensors on network segments cannot capture all packets If traffic levels become too heavy Guide to Network Defense and Countermeasures, Second Edition

22 Step 3: Sending Alert Messages
Sensors capture packets IDS software compares captured packets with information in its database IDS sends alert messages If captured packets match an attack signature or Deviates from normal network behavior Guide to Network Defense and Countermeasures, Second Edition

23 Step 4: The IDS Responds Command console receives alert messages
Notifies the administrator IDS can be configured to take actions when a suspicious packet is received Send an alarm message Drop the packet Stop and restart network traffic Guide to Network Defense and Countermeasures, Second Edition

24 Step 5: The Administrator Assesses Damage
Administrator monitors alerts And determines whether countermeasures are needed Administrator need to fine-tune the database The goal is avoiding false negatives Line between acceptable and unacceptable network use is not always clear Guide to Network Defense and Countermeasures, Second Edition

25 Guide to Network Defense and Countermeasures, Second Edition

26 Step 6: Following Escalation Procedures
Set of actions to be followed if the IDS detects a true positive Should be spelled out in company’s security policy Incident levels Level One Might be managed quickly Level Two Represents a more serious threat Level Three Represents the highest degree of threat Guide to Network Defense and Countermeasures, Second Edition

27 Step 7: Logging and Reviewing the Event
IDS events are stored in log files Or databases Administrator should review logs To determine patterns of misuse Administrator can spot a gradual attack IDS should also provide accountability Capability to track an attempted attack or intrusion back to the responsible party Some systems have built-in tracing features Guide to Network Defense and Countermeasures, Second Edition

28 Guide to Network Defense and Countermeasures, Second Edition

29 Guide to Network Defense and Countermeasures, Second Edition

30 Options for Implementing Intrusion Detection Systems
Network-based IDS Host-base IDS Hybrid implementations Guide to Network Defense and Countermeasures, Second Edition

31 Network-Based Intrusion Detection Systems
Locating an NIDS on the Network Network-based IDS (NIDS) Monitors network traffic Common locations for NIDS sensors Behind the firewall and before the LAN Between the firewall and the DMZ Any network segment Management and analysis software must be installed on a dedicate computer Positioning sensors at network perimeter Enables IDS to sniff traffic Guide to Network Defense and Countermeasures, Second Edition

32 Guide to Network Defense and Countermeasures, Second Edition

33 Network-Based Intrusion Detection Systems (continued)
Advantages and disadvantages of NIDS NIDS handles a high volume of traffic Requires dedicated hardware appliance Guide to Network Defense and Countermeasures, Second Edition

34 Host-Based Intrusion Detection Systems
Host-based IDS (HIDS) Deployed on a host in the LAN Protected by the firewall Evaluates traffic generated by the host Gathers system variables such as System processes CPU use File accesses Does not sniff packets as they enter the LAN Guide to Network Defense and Countermeasures, Second Edition

35 Host-Based Intrusion Detection Systems (continued)
Configuring an HIDS Centralized configuration HIDS sends all data to a central location Host’s level of performance is unaffected by the IDS Alert messages that are generated do not occur in real time Distributed configuration Processing of events is distributed between host and console Host generates and analyzes it in real time Performance reduction in host Guide to Network Defense and Countermeasures, Second Edition

36 Guide to Network Defense and Countermeasures, Second Edition

37 Guide to Network Defense and Countermeasures, Second Edition

38 Host-Based Intrusion Detection Systems (continued)
Choosing the host computer Centralized configuration RAM, hard disk memory, and processor speed requirements are minimal Distributed configuration Host should be equipped with maximum memory and processor speed Guide to Network Defense and Countermeasures, Second Edition

39 Host-Based Intrusion Detection Systems (continued)
Advantages and disadvantages of HIDSs Advantages Detect events on host systems Can process encrypted traffic Not affected by use of switched network protocols Can compare records stored in audit logs Guide to Network Defense and Countermeasures, Second Edition

40 Host-Based Intrusion Detection Systems (continued)
Disadvantages More management issues Vulnerable to direct attacks and attacks against host Susceptible to some denial-of-service attacks Can use large amounts of disk space Could cause increased performance overhead on host Guide to Network Defense and Countermeasures, Second Edition

41 Hybrid IDS Implementations
Combines the features of HIDSs and NIDSs Gains flexibility and increases security Combining IDS sensor locations Put sensors on network segments and network hosts Can report attacks aimed at particular segments or the entire network Guide to Network Defense and Countermeasures, Second Edition

42 Hybrid IDS Implementations (continued)
Combining IDS detection methods IDS combines anomaly and misuse detection Database enables IDS to run immediately Anomaly-based systems keep the alert system flexible Can respond to the latest, previously unreported attacks Both external and internal attacks Administrators have more configuration and coordination work to do Guide to Network Defense and Countermeasures, Second Edition

43 Hybrid IDS Implementations (continued)
Shim IDS Acts like a type of NIDS Involves sensors being distributed around a network Data collected by sensors is sent to a central location Sensors are installed in selected hosts and network segments Those that require special protection Guide to Network Defense and Countermeasures, Second Edition

44 Hybrid IDS Implementations (continued)
Distributed IDS Multiple IDS devices are deployed on a network Reduces response time Two popular DIDSs myNetWatchman DShield Guide to Network Defense and Countermeasures, Second Edition

45 Guide to Network Defense and Countermeasures, Second Edition

46 Hybrid IDS Implementations (continued)
Advantages Combine aspects of NIDS and HIDS configurations Can monitor network as a whole Can monitor attacks that reach individual hosts Disadvantages Need to get disparate systems to work in coordinate fashion Data gathered by multiple systems can be difficult to absorb and analyze Guide to Network Defense and Countermeasures, Second Edition

47 Evaluating Intrusion Detection Systems
Survey various options and match them to your needs Review topology of your network identifying Number of entry points Use of firewalls Number of network segments Evaluating IDSs can be time consuming Guide to Network Defense and Countermeasures, Second Edition

48 Freeware NIDS: Snort Ideal for monitoring traffic on a small network or individual host Does not consume extensive system resources Intended for installation on a computer at network perimeter Comes with a collection of rule files Separate rules exist for Port scans Back door attacks Web attacks Guide to Network Defense and Countermeasures, Second Edition

49 Guide to Network Defense and Countermeasures, Second Edition

50 Commercial HIDS: Norton Internet Security
Firewall designed to protect a home-based standalone computer Or a computer on a small network Contains a limited number of intrusion detection features Block port scans Block attack attempts on ports used by known Trojan programs Can be trained to identify normal network use Alert messages appear as pop-up windows Guide to Network Defense and Countermeasures, Second Edition

51 Guide to Network Defense and Countermeasures, Second Edition

52 IDS Hardware Appliances
Can handle more network traffic Have better scalability than software IDSs Plug-and-play capabilities One of its major advantages Do not need to be configured to work with a particular OS Examples iForce Intrusion SecureNet StealthWatch G1 Guide to Network Defense and Countermeasures, Second Edition

53 IDS Hardware Appliances (continued)
You should create a custom configuration To reduce the number of false positives and false negatives Upgrade appliances periodically Can be complicated and expensive Guide to Network Defense and Countermeasures, Second Edition

54 Summary Intrusion Detection System (IDS) IDS components
Supplementary line of defense behind firewalls and antivirus software IDS components Network sensors Alert messages Command console Response system Database of signatures Guide to Network Defense and Countermeasures, Second Edition

55 Summary (continued) IDS steps False positives are highly likely
Install set of attack signatures Sensors monitor packets IDS responds False positives are highly likely Require administrators to fine-tune the system If attack is legitimate, escalation procedures should be followed IDS logs alarmed events They can be reviewed later Guide to Network Defense and Countermeasures, Second Edition

56 Summary (continued) IDS implementation Types of IDS products
Network-based IDS (NIDS) Host-based IDS (HIDS) Hybrid IDS Shim IDS Distributed IDS (DIDS) Types of IDS products Open-source IDSs such as Snort Commercial firewalls such as Norton Internet Security IDS hardware appliances Guide to Network Defense and Countermeasures, Second Edition


Download ppt "Guide to Network Defense and Countermeasures Second Edition"

Similar presentations


Ads by Google