Presentation is loading. Please wait.

Presentation is loading. Please wait.

Intrusion Detection Chapter 12.

Published byJared Wiggins Modified over 9 years ago

Similar presentations

Presentation on theme: "Intrusion Detection Chapter 12."— Presentation transcript:

1 Intrusion Detection Chapter 12

2 Learning Objectives Explain what intrusion detection systems are and identify some major characteristics of intrusion detection products Detail the differences between host-based and network-based intrusion detection Identify active detection and passive detection features of both host- and network-based IDS products continued…

3 Learning Objectives Explain what honeypots are and how they are employed to increase network security Clarify the role of security incident response teams in the organization

4 Intrusion Detection System (IDS)
Detects malicious activity in computer systems Identifies and stops attacks in progress Conducts forensic analysis once attack is over

5 The Value of IDS Monitors network resources to detect intrusions and attacks that were not stopped by preventative techniques (firewalls, packet-filtering routers, proxy servers) Expands available options to manage risk from threats and vulnerabilities

6 Negatives and Positives
IDS must correctly identify intrusions and attacks True positives True negatives False negatives IDS missed an attack False positives Benign activity reported as malicious

7 Dealing with False Negatives and False Positives
Obtain more coverage by using a combination of network-based and host-based IDS Deploy NIDS at multiple strategic locations in the network False positives Reduce number using the tuning process

8 Types of IDS Network-based (NIDS) Host-based (HIDS)

9 Network-based IDS Uses a dedicated platform for purpose of monitoring network activity Analyzes all passing traffic Sensors have two network connections One operates in promiscuous mode to sniff passing traffic An administrative NIC sends data such as alerts to a centralized management system Most commonly employed form of IDS

10 NIDS Architecture Place IDS sensors strategically to defend most valuable assets Typical locations of IDS sensors Just inside the firewall On the DMZ On network segments connecting mainframe or midrange hosts

11 Switch Port Analyzer (SPAN)
Allows traffic sent or received in one interface to be copied to another monitoring interface Typically used for sniffers or NIDS sensors

12 How SPAN Works

13

14 Limitations of SPAN Traffic between hosts on the same segment is not monitored; only traffic leaving the segment crosses the monitored link Switch may offer limited number of SPAN ports or none at all

15 Hub Device for creating LANs that forward every packet received to every host on the LAN Allows only a single port to be monitored

16 Using a Hub in a Switched Infrastructure

17 Tap Fault-tolerant hub-like device used inline to provide IDS monitoring in switched network infrastructures

18 NIDS Signature Types Signature-based IDS Port signature
Header signatures

19 Network IDS Reactions TCP resets IP session logging
Shunning or blocking

20 Host-based IDS Primarily used to protect only critical servers
Software agent resides on the protected system Detects intrusions by analyzing logs of operating systems and applications, resource utilization, and other system activity Use of resources can have impact on system performance

21 HIDS Method of Operation
Auditing logs (system logs, event logs, security logs, syslog) Monitoring file checksums to identify changes Elementary network-based signature techniques including port activity Intercepting and evaluating requests by applications for system resources before they are processed Monitoring of system processes for suspicious activity

22 HIDS Software Host wrappers Agent-based software
Inexpensive and deployable on all machines Do not provide in-depth, active monitoring measures of agent-based HIDS products Agent-based software More suited for single purpose servers

23 HIDS Active Monitoring Capabilities
Log the event Alert the administrator Terminate the user login Disable the user account

24 Advantages of Host-based IDS
Verifies success or failure of attack by reviewing HIDS log entries Monitors use and system activities; useful in forensic analysis of the attack Protects against attacks that are not network based Reacts very quickly to intrusions continued…

25 Advantages of Host-based IDS
Not reliant on particular network infrastructure; not limited by switched infrastructures Installed on protected server itself; requires no additional hardware to deploy and no changes to network infrastructure

26 Passive Detection Systems
Can take passive action (logging and alerting) when an attack is identified Cannot take active actions to stop an attack in progress

27 Active Detection Systems
Have logging, alerting, and recording features of passive IDS, with additional ability to take action against offending traffic Options IDS shunning or blocking TCP reset Used in networks where IDS administrator has carefully tuned the sensor’s behavior to minimize number of false positive alarms

28 TCP Reset

29 Signature-based and Anomaly-based IDS
Signature detections Also know as misuse detection IDS analyzes information it gathers and compares it to a database of known attacks, which are identified by their individual signatures Anomaly detection Baseline is defined to describe normal state of network or host Any activity outside baseline is considered to be an attack

30 Intrusion Detection Products
Aladdin Knowledge Systems Entercept Security Technologies Cisco Systems, Inc. Computer Associates International Inc. CyberSafe Corp. Cylant Technology Enterasys Networks Inc. Internet Security Systems Inc. Intrusion.com Inc. family of IDS products

31 Honeypots False systems that lure intruders and gather information on methods and techniques they use to penetrate networks—by purposely becoming victims of their attacks Simulate unsecured network services Make forensic process easy for investigators

32 Commercial Honeypots ManTrap Specter Smoke Detector NetFacade

33 Open Source Honeypots BackOfficer Friendly BigEye Deception Toolkit
LaBrea Tarpit Honeyd Honeynets User Mode Linux

34 Honeypot Deployment Goal Options
Gather information on hacker techniques, methodology, and tools Options Conduct research into hacker methods Detect attacker inside organization’s network perimeter

35 Honeypot Design Must attract, and avoid tipping off, the attacker
Must not become a staging ground for attacking other hosts inside or outside the firewall

36 Honeypots, Ethics, and the Law
Nothing wrong with deceiving an attacker into thinking that he/she is penetrating an actual host Honeypot does not convince one to attack it; it merely appears to be a vulnerable target Doubtful that honeypots could be used as evidence in court

37 Incident Response Every IDS deployment should include two documents to answer “what now” questions IDS monitoring policy and procedure Requires well-documented monitoring procedures that detail actions for specific alerts Incident response plan Responsible for assigning personnel to assemble resources required to handle security incidents

38 Typical SIRT Objectives
Determine how incident happened Establish process for avoiding further exploitations of the same vulnerability Avoid escalation and further incidents Assess impact and damage of the incident Recover from the incident continued…

39 Chapter Summary Two major types of intrusion detection Honeypots
Network-based IDS (monitor network traffic) Host-based IDS (monitor activity on individual computers) Honeypots Incident response

Download ppt "Intrusion Detection Chapter 12."

Similar presentations

Guide to Network Defense and Countermeasures Third Edition

Guide to Network Defense and Countermeasures Third Edition
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.

1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.
Chapter 10: Data Centre and Network Security Proxies and Gateways * Firewalls * Virtual Private Network (VPN) * Security issues * * * * Objectives:

Chapter 10: Data Centre and Network Security Proxies and Gateways * Firewalls * Virtual Private Network (VPN) * Security issues * * * * Objectives:
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.

1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Intrusion Detection MIS.5213.011 ALTER 0A234 Lecture 3.

Intrusion Detection MIS ALTER 0A234 Lecture 3.
seminar on Intrusion detection system

seminar on Intrusion detection system
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 5 Network Defenses.

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 5 Network Defenses.
John Felber.  Sources  What is an Intrusion Detection System  Types of Intrusion Detection Systems  How an IDS Works  Detection Methods  Issues.

John Felber.  Sources  What is an Intrusion Detection System  Types of Intrusion Detection Systems  How an IDS Works  Detection Methods  Issues.
Cs490ns - cotter1 Intrusion Detection. cs490ns - cotter2 Outline What is it? What types are there? –Network based –Host based –Stack based Benefits of.

Cs490ns - cotter1 Intrusion Detection. cs490ns - cotter2 Outline What is it? What types are there? –Network based –Host based –Stack based Benefits of.
By Edith Butler Fall 2008. Our Security Ways we protect our valuables: Locks Security Alarm Video Surveillance, etc.

By Edith Butler Fall Our Security Ways we protect our valuables: Locks Security Alarm Video Surveillance, etc.
Host Intrusion Prevention Systems & Beyond

Host Intrusion Prevention Systems & Beyond
Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.

Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.
Intrusion Detection Systems CS391. Overview  Define the types of Intrusion Detection Systems (IDS).  Set up an IDS.  Manage an IDS.  Understand intrusion.

Intrusion Detection Systems CS391. Overview  Define the types of Intrusion Detection Systems (IDS).  Set up an IDS.  Manage an IDS.  Understand intrusion.
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)

Similar presentations

Ads by Google