Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Intrusion Detection Systems. 2 Intrusion Detection Intrusion is any use or attempted use of a system that exceeds authentication limits Intrusions are.

Published byDale Oliver Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Intrusion Detection Systems. 2 Intrusion Detection Intrusion is any use or attempted use of a system that exceeds authentication limits Intrusions are."— Presentation transcript:

1 1 Intrusion Detection Systems

2 2 Intrusion Detection Intrusion is any use or attempted use of a system that exceeds authentication limits Intrusions are similar to incidents –An incident does not necessarily involve an active system or network device, an intrusion does Intrusion Detection System (IDS) can be either software or hardware based that monitors network activity and delivers an alert if it notices suspicious activity

3 3 Intrusion Detection Security policies are either prohibitive or permissive An IDS is sensitive to configuration Possible types of IDS errors: –False positive (unauthorized user let in) –False negative (authorized user denied access) –Subversion error (compromised the system from detecting intrusion)

4 4 Dealing with Intruders Intruders can be external or internal –External intruders are hackers or crackers –Internal intruders are more common and very dangerous Security policy should state what steps will be taken to handle intrusions Block and ignore –Simplest tactic for handling intrusions –Block the intruder and address the vulnerability –Don’t take any further action

5 5 Dealing with Intruders Block and investigate –Block the intruder and address the vulnerability –Collect evidence and try to determine intruder’s identity –Investigate Honeypot (bait the intruder) –Allow the intruder to access a part of your network –Try to catch the intruder while he/she explores –This is a potentially dangerous approach The intruder does have at least partial access Crackers may become interested in your site

6 6 Detecting Intruders An IDS monitors system activity in some way When it detects suspicious activity, it performs an action Action is usually an alert of some type –E-mail, cell phone, audible alert, etc. to a person or process –For highly sensitive systems, out-of-band channel is used All IDS systems continuously sample system activity and compare the samples to a database

7 7 IDS Principles Run unattended for extended periods of time Stay active and secure Recognize unusual activity Operate without unduly affecting the system’s activity Configurable

8 8 IDS Principles Sample current activity Compare with database Decide what to do

9 9 IDS Taxonomy Misuse intrusion –an attack against a known vulnerability –Relatively easy to detect Anomaly intrusion –an attack against a new vulnerability or one using an unknown set of actions –Relatively difficult to detect Types of IDS that correspond to intrusion types: –Signature-based –Knowledge-based

10 10 IDS Taxonomy Signature-based IDS –Detects misuse intrusions –Maintains a database of attack signatures –Compares current activity to database –Database must be current and complete to be effective Knowledge-based IDS –Detects anomaly intrusions –Builds a profile of “normal” system activity over time –Produces more false positives and requires more administration –Requires careful initial configuration

11 11 Thresholds A rule tells the IDS which packets to examine and what action to take –Similar to a firewall rule –Alert tcp any any -> 192.168.1.0/24 111 (content:”|00 01 86 a5|”;msg:”mountd access”;) Alert specifies the action to take Tcp specifies the protocol Any any 192…. specifies the source and destination within the given subnet 111 specifies the port Content specifies the value of a payload Msg specifies the message to send

12 12 Thresholds Threshold is a value that represents the boundary of normal activity Example: Maximum three tries for login Common thresholds: –file I/O activity –network activity –administrator logins and actions

13 13 Snort IDS Snort is an example of an IDS –Freeware –UNIX and Windows A highly configurable packet sniffer Analyzes network traffic in real time www.snort.org

14 14 Snort IDS Snort sniffs a packet from the network –Preprocessor looks at the packet header and decides whether to analyze it further –Detection engine compares pattern from rules to the packet payload –If payload matches, then appropriate action is taken Snort can be used in a plain packet sniffer mode or in full IDS mode Snort has numerous configurable options

15 15 Snort IDS

16 16 Snort IDS

17 17 Snort IDS

18 18 Network-Based vs Host-Based IDS systems are classified by their intended locations A network-based IDS monitors all traffic on a network segment –Can detect intrusions that cross a specific network segment –Administrators sometimes place one inside and one outside of a firewall –Will not see traffic that passes between LAN computers

19 19 Network-Based vs Host-Based Host-based IDS examines all traffic and activity for a particular machine –Can examine system log files as well as inbound and outbound packets –Each system requires its own IDS Best choice is to use both network-based and host- based IDS in an organization Many firewalls provide some IDS functionality

20 20 Network-Based IDS

21 21 Choosing an Appropriate IDS Determine organizational security needs Review the different IDS packages available medium to large organizations commonly use both network-based and host-based IDS

22 22 Security Auditing with an IDS Must have periodic security audits –Sometimes mandated by law or by corporate structure IDS can contribute to a complete audit Many host-based IDS can scan and analyze system log files –They can act as a filter for various behaviors Port-sniffing IDS can help to profile network activity

23 23 Intrusion Prevention System IPS combines the knowledge of IDS in an automated manner Usually IPS is a combination of a firewall and an IDS IPSs come in different forms: –NIDS with two NICs –Inline NIDS –Inline NIDS with scrubber

24 24 Intrusion Prevention System IPS with two NICs configured as follows: –One NIC has an IP address and handles traffic management –Second NIC has no IP address and performs detecting attacks only

25 25 IPS with two NICs Network Traffic Server with IPS NIC1 NIC2 No IP address Has IP address Copy of traffic

26 26 IPS with inline NIDS Server with IPS NIC No IP address Has IP address Network traffic

27 27 IPS with scrubber Server with IPS NIC No IP address Has IP address Network traffic Malicious packet $%&&^#@@*&* &^%$$#+!!*(+% ^^$##@*&&^ Scrubbed packet Malicious code rendered inactive

28 28 IPS Enhancements Traditionally switches work in OSI layer 2 Most vulnerabilities are on applications Layer 7 switches control which applications go to which server Layer 7 switches also help with load balancing Layer 7 switch inspects applications such as HTTP, SMTP and DNS and decide which server to route the application packets to Handles DoS and DDoS attacks

29 29 IPS Enhancements IPS systems first profile applications Helps identify normal behavior of access and functionality from applications

30 30 IPS Scenario Traffic from internet User: GET / User: GET /default.asp Attacker: GET /passwd.txt User: GET /login.asp Policy: Allow: GET / Allow: GET /default.asp Allow: GET /login.asp Allow: /public/default.html Implicitly deny other requests Traffic to internal network User: GET / User: GET /default.asp User: GET /login.asp

31 31 Commercial IPSs Hogwash (http://hogwash.sourceforge.net/oldindex.html)http://hogwash.sourceforge.net/oldindex.html ISS Guard (http://www.iss.net/products_services/enterprise_protection/rs network/guard.php)http://www.iss.net/products_services/enterprise_protection/rs network/guard.php Netscreen (http://www.juniper.net/products/)http://www.juniper.net/products/ Tipping Point (http://www.tippingpoint.com/products_ips.html)http://www.tippingpoint.com/products_ips.html Intruvert (http://www.mcafee.com/us/products/mcafee/network_ips/cate gory.htm?cid=10355)http://www.mcafee.com/us/products/mcafee/network_ips/cate gory.htm?cid=10355

32 32 References IPS http://www.securityfocus.com/infocus/1670 IBM’s IPS http://www- 1.ibm.com/services/us/index.wss/offering/bcrs/a1002 441

Download ppt "1 Intrusion Detection Systems. 2 Intrusion Detection Intrusion is any use or attempted use of a system that exceeds authentication limits Intrusions are."

Similar presentations

Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.

Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
Chapter 10: Data Centre and Network Security Proxies and Gateways * Firewalls * Virtual Private Network (VPN) * Security issues * * * * Objectives:

Chapter 10: Data Centre and Network Security Proxies and Gateways * Firewalls * Virtual Private Network (VPN) * Security issues * * * * Objectives:
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.

Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
John Felber.  Sources  What is an Intrusion Detection System  Types of Intrusion Detection Systems  How an IDS Works  Detection Methods  Issues.

John Felber.  Sources  What is an Intrusion Detection System  Types of Intrusion Detection Systems  How an IDS Works  Detection Methods  Issues.
By Edith Butler Fall 2008. Our Security Ways we protect our valuables: Locks Security Alarm Video Surveillance, etc.

By Edith Butler Fall Our Security Ways we protect our valuables: Locks Security Alarm Video Surveillance, etc.
Host Intrusion Prevention Systems & Beyond

Host Intrusion Prevention Systems & Beyond
Intrusion Detection Systems CS391. Overview  Define the types of Intrusion Detection Systems (IDS).  Set up an IDS.  Manage an IDS.  Understand intrusion.

Intrusion Detection Systems CS391. Overview  Define the types of Intrusion Detection Systems (IDS).  Set up an IDS.  Manage an IDS.  Understand intrusion.
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)
Department Of Computer Engineering

Department Of Computer Engineering
Network Intrusion Detection Systems Slides by: MM Clements A Adekunle The University of Greenwich.

Network Intrusion Detection Systems Slides by: MM Clements A Adekunle The University of Greenwich.
INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.

INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

Similar presentations

Ads by Google