FORESEC Academy Security Essentials (III)

Presentation transcript: "FORESEC Academy Security Essentials (III)"

1 FORESEC Academy Security Essentials (III)

2 Agenda
- The need for host-based ID
- Host-based ID methodology
- Unix host-based ID tools
- Windows host-based ID tools

3 Need for Host-based ID
- Very fast networks
- Switched networks
- Encrypted networks
- Backdoors in the local network
- Insiders on the network
- A network-based IDS may miss an attack
- Don't trust corporate security that much

4 Very Fast Networks
- The current limits for network-based IDS boxes are about 80 MB/sec fully loaded
- A 200 MHz Pentium bus would only partially increase this
- Bandwidth at large sites will probably always exceed network detection and processing speed
- HIDS does not face bandwidth challenges, but does present deployment issues

5 Switched Networks
- Network-based intrusion detection systems rely on promiscuous mode for their NICs; this is not possible with switched networks
- Intrusion detection in the switch is the future direction, not really here yet
- Spanning ports and network taps provide semi-effective options

6 Switched Network Diagram
In a switched network, a virtual circuit is created between two peers across the switch fabric. Each port on the switch only supports the circuits to that host.

7 Spanning Port, Switched Networks
Sensors can be placed on a spanning port, but can usually only monitor one VLAN at a time. This does not work very well in practice.

8 Network Taps (diagram)

9 Encrypted Networks
- NIDS sensors can't analyze what they can't read
- The use of encryption for network traffic is growing
- Encryption can be used by attackers to hide their traffic
- Traffic must be read before/after the encryption process
- NIDS and HIDS can work together to address these challenges

10 Host-based Intrusion Detection Methodology
- Host-based systems monitor their network connections and file system status. For this to work, we have to acquire the aggregate logs of ALL critical systems at a minimum
- Local processing/alerting may be done, but data is generally sent to a central location for parsing
- When potential problems are found, alerts are raised

11 Host-based Intrusion Detection Methodology (2)
1) A connects to B
2) B logs the connection and informs the Logserver
3) Logserver records the A -> B connection, checks the ruleset, A -> B is OK, waits.

12 Unix Host-based Intrusion Detection
- TCPWrappers
- Port Sentry
- Syslog
- Swatch
- Tripwire

13 TCPWrappers
- Monitors and filters incoming TCP network service requests
- Valuable logging tool
- Where to get it
  - ftp://ftp.porcupine.org/pub/security/index.html
  - Currently included in most Unix / Linux distributions

14 Without TCPWrappers (diagram)
All incoming TCP requests are serviced.

15 With TCPWrappers (diagram)
All requests are checked and logged.

16 Host Deny (/etc/hosts.deny)

    ALL : ALL    # Deny everything, add back with /etc/hosts.allow

17 Host Allow (/etc/hosts.allow)

    ALL: .nnnn.abc.org, 192.168.2, friend.somewhere.edu
    sshd: trustedhost.somewhere.org
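The deny-everything / allow-back-selectively logic of the two files above, as an added example that is not part of the slides or of tcp_wrappers itself: a small POSIX sh re-implementation of the hosts_access decision (hosts.allow consulted first, then hosts.deny, otherwise allow). The rule files are constructed inline; the daemon names and client hosts used in the calls are assumed. One caveat from hosts_access(5): an address prefix must end with a dot ("192.168.2."), so that form is used here.

```shell
#!/bin/sh
# Constructed rule files, modelled on the slides (hosts_access(5) needs the
# trailing dot on "192.168.2." for a network prefix).
HOSTS_ALLOW='ALL: .nnnn.abc.org, 192.168.2., friend.somewhere.edu
sshd: trustedhost.somewhere.org'
HOSTS_DENY='ALL: ALL'

# client_match PATTERN HOST IP -> 0 if the client pattern matches this client
client_match() {
  case "$1" in
    ALL) return 0 ;;                                       # wildcard
    .*)  case "$2" in *"$1") return 0 ;; esac ;;           # domain suffix
    *.)  case "$3" in "$1"*) return 0 ;; esac ;;           # address prefix
    *)   if [ "$1" = "$2" ] || [ "$1" = "$3" ]; then return 0; fi ;;  # exact
  esac
  return 1
}

# rules_match RULES DAEMON HOST IP -> 0 on the first "daemon_list: client_list"
# line whose daemon list and client list both match
rules_match() {
  while IFS=: read -r daemons clients; do
    for d in $(printf '%s' "$daemons" | tr ',' ' '); do
      [ "$d" = ALL ] || [ "$d" = "$2" ] || continue
      for c in $(printf '%s' "$clients" | tr ',' ' '); do
        client_match "$c" "$3" "$4" && return 0
      done
    done
  done <<EOF
$1
EOF
  return 1
}

# hosts_access DAEMON HOST IP -> prints "allow" or "deny"
hosts_access() {
  if rules_match "$HOSTS_ALLOW" "$@"; then echo allow
  elif rules_match "$HOSTS_DENY" "$@"; then echo deny
  else echo allow
  fi
}

# Assumed daemons and clients (not from the slides)
hosts_access sshd trustedhost.somewhere.org 203.0.113.7   # allow via sshd line
hosts_access in.telnetd host.nnnn.abc.org 203.0.113.8     # allow via suffix
hosts_access in.ftpd pc7.example.net 192.168.2.7          # allow via prefix
hosts_access sshd unknown.example.net 198.51.100.5        # deny via ALL : ALL
```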

18 Paranoid Mode
- Default for TCPWrappers
  - Checks both forward and reverse DNS lookups
  - Both answers must match or the connection is dropped
  - Adds a layer of security against spoofing

19 Brief DNS Review (TCPWrappers Paranoid mode)

20 TCPWrappers in Action (intrusion detection AND prevention)

21 TCPWrappers Threat List
- Outsider attack from the network
- Outsider attack from the telephone
- Insider attack from the local network
- Insider attack from the local system
- Attack from malicious code

22 Psionic Port Sentry (TCPWrappers with an attitude)
- Runs on TCP and UDP
- Stealth scan detection for Linux
  - SYN/half-open, FIN, NULL, X-MAS and oddball packet stealth scans
- Port Sentry reacts to a port scan attempt by blocking the host in real time
- Remembers hosts that connected previously

23 Psionic Port Sentry Log

    Jul 3 11:30:20 shepherd portsentry[418]: attackalert: SYN/Normal scan from host: node10453.a2000.nl/24.132.4.83 to TCP port: 143
    Jul 3 11:30:20 shepherd portsentry[418]: attackalert: Host 24.132.4.83 has been blocked via wrappers with string: "ALL: 24.132.4.83"
    Jul 3 11:30:20 shepherd portsentry[418]: attackalert: Host 24.132.4.83 has been blocked via dropped route using command: "/sbin/route add -host 24.132.4.83 gw 333.444.555.666"

24 Syslog
- The Unix system logger can be on the local system or another system
- TCPWrappers logs to Syslog by default
- Logs can offer valuable information, but they can also be compromised
- Swatch or other tools can monitor syslog and raise alerts
