Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Intrusion Detection Systems Slides by: MM Clements A Adekunle The University of Greenwich.

Published bySheryl Willis Modified over 9 years ago

Similar presentations

Presentation on theme: "Network Intrusion Detection Systems Slides by: MM Clements A Adekunle The University of Greenwich."— Presentation transcript:

1 Network Intrusion Detection Systems Slides by: MM Clements A Adekunle The University of Greenwich

2 Intrusion Detection Detection and protection from attacks against networks Three types of network attacks – Reconnaissance – Access – Denial of service 2Engineering and Management of Secure Computer Networks

3 Intrusion detection system (IDS) An Intrusion detection system (IDS) is software or hardware designed to monitor, analyze and respond to events occurring in a computer system or network for signs of possible incidents of violation in security policies. – These incidents of violations can be unwanted attempts to access, manipulate or disable computer systems, mainly via a network, such as the Internet. 3Engineering and Management of Secure Computer Networks

4 Classification of Intrusion Detection Profile or Anomaly based intrusion detection – Monitors network traffic and compares it against an established baseline for normal use Bandwidth, protocols, ports and devices generally connecting to each other – Alerts the administrator or user when traffic is detected which is anomalous, or significantly different, than the baseline. – Example: Snort Spade plug-in – Prone to high number of false-positives 4Engineering and Management of Secure Computer Networks

5 Classification of Intrusion Detection Signature based intrusion detection – Also known as Misuse Detection A signature based IDS will monitor packets on the network and compare them against a database of signatures or attributes from known malicious threats. Similar to the way most antivirus software detects malware. – Examples: Cisco Sensors 4200 series, Snort – Less prone to false positives – Unable to detect zero-day threats whose signatures are not available 5Engineering and Management of Secure Computer Networks

6 Types of Intrusion Detection Systems Host based intrusion detection Systems – Software (Agents) installed on computers to monitor input and output packets from device – It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. – Examples: Cisco Security Agent (CSA), OSSEC, Tripwire 6Engineering and Management of Secure Computer Networks

7 Firewall Corporate network Agent Untrusted network Agent DNS serverWWW server Agent Host-Based Intrusion Detection 7Engineering and Management of Secure Computer Networks

8 Types of Intrusion Detection Systems Network-Based Intrusion Detection Systems – Connected to network segments to monitor, analyze and respond to network traffic. – A single IDS sensor can monitor many hosts – NIDS sensors are available in two formats Appliance: It consists of specialized hardware sensor and its dedicated software. The hardware consists of specialized NIC’s, processors and hard disks to efficiently capture traffic and perform analysis. – Examples: Cisco IDS 4200 series, IBM Real Secure Network Software: Sensor software installed on server and placed in network to monitor network traffic. – Examples: Snort, Bro, Untangle 8Engineering and Management of Secure Computer Networks

9 Corporate network DNS server WWW server Sensor Firewall Untrusted network Network-Based Intrusion Detection Management System 9 Engineering and Management of Secure Computer Networks

10 Sensor Appliance Interfaces Monitoring Interface Command and Control Interface Protected Network Management System Sensor Switch Router Untrusted Network 10 Engineering and Management of Secure Computer Networks

11 Promiscuous-Mode Protection: IDS A network device sends copies of packets to the sensor for analysis. If the traffic matches a signature, the signature fires. The sensor can send an alarm to a management console and take a response action such as resetting the connection. Target Management System Sensor 2 2 3 1 Switch Switched Port Analyzer (SPAN ) 11Engineering and Management of Secure Computer Networks

12 Inline-Mode Protection: IPS Target Management System The sensor resides in the data forwarding path. If a packet triggers a signature, it can be dropped before it reaches its target. An alert can be sent to the management console. Sensor 12 Engineering and Management of Secure Computer Networks

13 IDS and IPS Deployment Considerations – Deploy an IDS sensor in areas where you cannot deploy an inline device or where you do not plan to use deny actions. – Deploy an IPS sensor in those areas where you need and plan to use deny actions. 13Engineering and Management of Secure Computer Networks

14 IDS and IPS Deployment Comparison Attacker Inside Sensor on Outside: Sees all traffic destined for your network Has high probability of raising false alarms (false positives) Does not detect internal attacks Sensor on Inside: Sees only traffic permitted by firewall Has lower probability of false alarms (false positives) Requires immediate response to alarms Internet 14 Engineering and Management of Secure Computer Networks

15 Corporate Network Network based IDS and IPS Deployment Management Server IPS Sensor Firewall Router Switch Untrusted Network DNS Server WWW Server DMZ Switch IDS Sensor 15Engineering and Management of Secure Computer Networks

16 IDS and IPS deployment example in an Enterprise Network Branch Management Server Sensor Firewall Router NM-CIDS Corporate Network Untrusted Network DNS Server WWW Server Sensor DMZ Agent 16Engineering and Management of Secure Computer Networks

17 Performance (Mbps) Network Media Cisco IDS Family IDSM-2 IDS 4255 IPS 4240 45 600 80 250 200 IPS 4215 10/100/1000 TX NM-CIDS 10/100 TX AIP-SSM 10/100/1000 TX 1000 SX 10/100/1000 TX Switched/100010/100/1000 TX

18 Snort Open source, freely available software except for rules Installed as dedicated server on Windows and Linux, Solaris operating systems Placed as network sensor in a network Rules are set of instructions defined to take certain action after matching some sort of signatures (atomic or composite) Example: alert tcp $HOME_NET any -> $EXTERNAL_NET any (content:"uk.youtube.com”;msg:"someone visited YouTube"; )‏ 18Engineering and Management of Secure Computer Networks

19 Snort Modes Sniffer Mode Used to sniff traffic from network Traffic will be captured using libpcap or winpcap. Traffic will be captured directly from the sensor. Logger Mode Simple logging into a file. Two possible formats are Binary and ASCII. Logging into a Database (eg. MySQL)‏ Can be used for creating the normal traffic profile Intrusion Detection / Prevention The rules will be used in this mode of snort to detect unwanted activity 19Engineering and Management of Secure Computer Networks

20 IDS/IPS Vulnerabilities Cisco IPS Packet Handling DoS - In July 2006, a DoS vulnerability was discovered on Cisco IPS 4200 series models which were running version 5.1 software. Snort Rule Matching Backtrack DoS - Snort versions 1.8 through 2.6 had a DoS vulnerability, found on January 11, 2007 which can exploit Snort's rule matching algorithm by using a crafted packet. This could cause the algorithm to slow down to the point where detection may become unavailable. Snort was quick to release version 2.6.1 which corrected this issue. 20Engineering and Management of Secure Computer Networks

21 How to protect IDS? Don't run any service on your IDS sensor. The platform on which you are running IDS should be patched with the latest releases from your vendor. Configure the IDS machine so that it does not respond to ping (ICMP Echo-type) packets. User accounts should not be created except those that are absolutely necessary. 21Engineering and Management of Secure Computer Networks

22 Unified Threat Management (UTM) Unified Threat Management (UTM) is a network device that have many features in one box, including: – IDS, IPS, Firewall, Spyware, Anti Spam, Anti Phishing – Anti Virus, Content (www) Filter, VPN – Example: Untangle, Watchguard – Untangle Demo: http://www.untangle.com/video_overview/ http://www.untangle.com/video_overview/ 22 Engineering and Management of Secure Computer Networks

23 Summary Intrusion detection system (IDS) is software or hardware designed to monitor, analyze and respond to network traffic. – Can be classified as Profile or Signature based intrusion detection. Signatures can be defined as Atomic or Composite. – Can be available as Host or Network based Intrusion detection. – IDS is used as promiscuous mode protection in DMZ – IPS is used as Inline mode protection for securing internal network – Cisco 4200 series IDS and IPS sensors offer rich set of features for ISD and IPS – Snort is an open source, free IDS and can operate in sniff, logging and Intrusion detection/prevention modes. Snort uses rules to analyze traffic. – IDS/IPS software can be vulnerable to exploits so run patched version, and shutdown unnecessary services. Unified Threat Management (UTM) is a network device that have many features in one box. E.g, Untangle, Watchguard. Engineering and Management of Secure Computer Networks23

Download ppt "Network Intrusion Detection Systems Slides by: MM Clements A Adekunle The University of Greenwich."

Similar presentations

Intrusion Detection System(IDS) Overview Manglers Gopal Paliwal Gopal Paliwal Roshni Zawar Roshni Zawar SenthilRaja Velu SenthilRaja Velu Sreevathsa Sathyanarayana.

Intrusion Detection System(IDS) Overview Manglers Gopal Paliwal Gopal Paliwal Roshni Zawar Roshni Zawar SenthilRaja Velu SenthilRaja Velu Sreevathsa Sathyanarayana.
Guide to Network Defense and Countermeasures Third Edition

Guide to Network Defense and Countermeasures Third Edition
1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.

1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.
Lecture 14 Firewalls modified from slides of Lawrie Brown.

Lecture 14 Firewalls modified from slides of Lawrie Brown.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.

1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.

Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.
Intrusion Detection MIS.5213.011 ALTER 0A234 Lecture 3.

Intrusion Detection MIS ALTER 0A234 Lecture 3.
Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
John Felber.  Sources  What is an Intrusion Detection System  Types of Intrusion Detection Systems  How an IDS Works  Detection Methods  Issues.

John Felber.  Sources  What is an Intrusion Detection System  Types of Intrusion Detection Systems  How an IDS Works  Detection Methods  Issues.
By Edith Butler Fall 2008. Our Security Ways we protect our valuables: Locks Security Alarm Video Surveillance, etc.

By Edith Butler Fall Our Security Ways we protect our valuables: Locks Security Alarm Video Surveillance, etc.
Host Intrusion Prevention Systems & Beyond

Host Intrusion Prevention Systems & Beyond
Intrusion Detection Systems CS391. Overview  Define the types of Intrusion Detection Systems (IDS).  Set up an IDS.  Manage an IDS.  Understand intrusion.

Intrusion Detection Systems CS391. Overview  Define the types of Intrusion Detection Systems (IDS).  Set up an IDS.  Manage an IDS.  Understand intrusion.
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)

Similar presentations

Ads by Google