Presentation is loading. Please wait.

Presentation is loading. Please wait.

Host Intrusion Prevention Systems & Beyond

Published byStephany Brooks Modified over 9 years ago

Similar presentations

Presentation on theme: "Host Intrusion Prevention Systems & Beyond"— Presentation transcript:

1 Host Intrusion Prevention Systems & Beyond
By Dilsad Sera SAHINTEPE

2 Outline What is Intrusion Detection? Host Based & Network Based
What does IDS Detect? IDS types Importance of HIPS IDS Implementation HIDS Difference btw IDS & Firewall Passive/Reactive System Prevention System What is HIPS? IDS differ from HIPS

3 What is Intrusion Detection ?
It is a device or software application that monitors network or system activities for malicious activities or policy violation and produces reports to a management station.

4 What does IDS Detect? It is a system used to detect unauthorized intrusions into computer systems and network. Example: It detects attacks to FTP, Data driven attacks at the application layer such as SQL injection error could be used to crash an application. IDS Components Sensors – Generate security events such as log files Console – Monitors events, alerts and controls sensors Engine – Analyzes the data using artificial intelligence to generate alerts from the events received *** 3 in 1 (sometimes all three are in one appliance)

5 Types of Intrusion Detection System
NDS – Network Based It is an independent platform which identifies intrusion by examining network traffic and monitors multiple hosts. It gains access to network traffic by connecting to a hub, network switch configured for port mirroring, or network tap. Example : Snort- KSU (Academic Freedom) PIDS – Protocol Based Consists of a system or agent that would typically sit at the front end of a server, monitoring and analyzing the communication protocol between a connected device (a user/PC or system) APIDS – Application Protocol Consists of a system or agent that would typically sit within a group of servers, monitoring and analyzing the communication on application specific protocols. For example; in a web server with database this would monitor the SQL protocol specific to the middleware/business-login as it transacts with the database. HIDS – Host Based Hybrid System

6 How IDS is implemented?

7 Host Based Intrusion Detection System
Consists of an agent on a host which identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, capability/acl databases) and other host activities and state. An example of a HIDS is OSSEC

8 IDS vs. Firewalls Both related to network security.
Firewall looks outwardly for intrusions in order to stop them from happening. Firewalls limit access between network to prevent intrusion and do not signal an attack from inside the network. IDS evaluates a suspected intrusion once it has taken place and signals an alarm. IDS watches for attacks that’s originate from within a system.

9 Passive vs. Reactive Systems
In a passive system, the intrusion detection system (IDS) sensor detects a potential security breach, logs the information and signals an alert on the console and or owner. In a reactive system, also known as an Intrusion Prevention System (IPS), the IDS responds to the suspicious activity by resetting the connection or by reprogramming the firewall to block network traffic from the suspected malicious source. They both has signature based systems depends on activity on host or network.(skype) tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"Skype client login -- reply from server"; flags:AP,SUFR12; flow:to_client,established; dsize:5; content:"| |"; depth:4; sid: ; rev:2; )

10 Prevention System An enemy can send packets that the IPS will see but the target computer will not. For example, the attacker could send packets whose Time to live fields have been crafted to reach the IPS but not the target computers it protects. This technique will result in an IPS with different state than the target. An intrusion prevention system is a network security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real-time, to block or prevent those activities.

11 Host Intrusion Prevention System
Host-based intrusion prevention system (HIPS): an installed software package which monitors a single host for suspicious activity by analyzing events occurring within that host. They also have signature based system.

12 How IDS differ from IPS * IPSs are designed to sit inline with traffic flows and prevent attacks in real-time Deep packet inspection; In addition, most IPS solutions have the ability to look at (decode) layer 7 protocols like HTTP, FTP, and SMTP RBIPS(Rate) can identify abnormal rates for certain types of traffic (botnet- zombie-ddos) Ex : Connections per second, packets per connection Attacks are detected when thresholds are exceeded. The thresholds are dynamically adjusted based on time of day, day of the week etc., drawing on stored traffic statistics.

13 Host-based vs. Network IPS
HIPS can handle encrypted and unencrypted traffic equally, because it can analyze the data after it has been decrypted on the host. NIPS does not use processor and memory on computer hosts but uses its own CPU and memory NIPS drawback AND benefit, depending on how you look at it NIPS is a single point of failure, which is considered a disadvantage; however, this property also makes it simpler to maintain. Use failover or load balancing to combat this NIPS disadvantage

14 Host-based vs. Network IPS - 2
NIPS can detect events scattered over the network (e.g. low level event targeting many different hosts, like a worm) and can react With a HIPS, only the host’s data itself is available to take a decision It would take too much time to report it to a central decision making engine and report back to block.

15 Importance of HIPS Well known security companies realized how important HIPS and they all published their HIPS products.

16 Questions????

Download ppt "Host Intrusion Prevention Systems & Beyond"

Similar presentations

Presented by Nikita Shah 5th IT ( )

Presented by Nikita Shah 5th IT ( )
Guide to Network Defense and Countermeasures Third Edition

Guide to Network Defense and Countermeasures Third Edition
Intrusion Detection Systems By: William Pinkerton and Sean Burnside.

Intrusion Detection Systems By: William Pinkerton and Sean Burnside.
Chapter 10: Data Centre and Network Security Proxies and Gateways * Firewalls * Virtual Private Network (VPN) * Security issues * * * * Objectives:

Chapter 10: Data Centre and Network Security Proxies and Gateways * Firewalls * Virtual Private Network (VPN) * Security issues * * * * Objectives:
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.

1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.

Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Security Management IACT 418/918 Autumn 2005 Gene Awyzio SITACS University of Wollongong.

Security Management IACT 418/918 Autumn 2005 Gene Awyzio SITACS University of Wollongong.
seminar on Intrusion detection system

seminar on Intrusion detection system
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 5 Network Defenses.

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 5 Network Defenses.
John Felber.  Sources  What is an Intrusion Detection System  Types of Intrusion Detection Systems  How an IDS Works  Detection Methods  Issues.

John Felber.  Sources  What is an Intrusion Detection System  Types of Intrusion Detection Systems  How an IDS Works  Detection Methods  Issues.
By Edith Butler Fall 2008. Our Security Ways we protect our valuables: Locks Security Alarm Video Surveillance, etc.

By Edith Butler Fall Our Security Ways we protect our valuables: Locks Security Alarm Video Surveillance, etc.
Intrusion Detection Systems CS391. Overview  Define the types of Intrusion Detection Systems (IDS).  Set up an IDS.  Manage an IDS.  Understand intrusion.

Intrusion Detection Systems CS391. Overview  Define the types of Intrusion Detection Systems (IDS).  Set up an IDS.  Manage an IDS.  Understand intrusion.
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)

Similar presentations

Ads by Google