CIT 380: Securing Computer Systems, Network Monitoring


1 Network Monitoring

2 Active Responses by Network Layer
Data Link: shut down a switch port. Only useful for local intrusions, since the attacker must be on a port the IPS controls. Rate-limit switch ports.
Network: block a particular IP address.
–Inline: the IPS sits in the traffic path and can perform the blocking itself.
–Non-inline: the sensor only sees a copy of the traffic and must send a request to the firewall.
Transport: send TCP RST (or ICMP error) messages to the sender and the target to tear down the TCP session.
–A non-inline sensor races the attacker: an attack that completes in one packet is finished before the RST arrives, and a spoofed source address means the "sender" never sees it.

3 Active Responses by Network Layer (continued)
Application: an inline IPS can rewrite application data so that it is harmless before it reaches the host, for example replacing /bin/sh with /ben/sh in the payload so the command no longer resolves.

4 Host IDS and IPS
Anti-virus and anti-spyware
–AVG anti-virus, SpyBot S&D
Log monitors
–swatch, logwatch
Integrity checkers
–tripwire, osiris, samhain
–Monitor file checksums, permissions, etc. against a stored baseline.
Application shims
–mod_security
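The integrity checkers on the slide (tripwire, osiris, samhain) all work the same way: record a baseline of file digests, then periodically rescan and report anything added, removed or changed. The following is an added example in that spirit, not code from the slides or from any of those tools; it builds a throw-away directory tree (constructed data) so it can be run anywhere, and the "compromise" it simulates is invented for the demonstration.

```python
"""Minimal tripwire-style integrity check: baseline, rescan, diff.
Added example; the files and the simulated tampering are constructed."""
import hashlib
import os
import tempfile


def digest(path):
    """SHA-256 of a file, read in chunks so large binaries do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Map relative path -> (size, sha256) for every regular file under root.
    Paths are normalised to '/' separators so the report is OS-independent."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            db[rel] = (os.path.getsize(full), digest(full))
    return db


def compare(old, new):
    """Report added, removed and modified files between two baselines."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def _write(root, rel, text):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)


def demo():
    """Baseline a small tree, tamper with it, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/passwd", "root:x:0:0::/root:/bin/sh\n")   # constructed
        _write(root, "bin/ls", "original binary\n")                  # constructed
        before = baseline(root)
        # Simulated compromise (hypothetical): trojaned binary, dropped backdoor,
        # deleted password file.
        _write(root, "bin/ls", "trojaned binary\n")
        _write(root, "tmp/.x", "backdoor\n")
        os.remove(os.path.join(root, "etc", "passwd"))
        return compare(before, baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

The baseline database must itself be kept where the attacker cannot rewrite it (read-only media, a signed copy, or a separate host), and the checker should run from a trusted binary; otherwise the intruder simply re-baselines after installing the rootkit. A file's modification time is not used because it is trivially forged; only the content digest is trusted.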

5 Evading IDS and IPS
Alter appearance to prevent a signature match
–URL-encode parameters so the signature string never appears literally.
–Use ' or 783>412-- instead of the well-known ' or 1=1-- for SQL injection: any tautology works, but a signature written for the textbook string does not match it.
Alter context
–Change the TTL so the IDS sees packets that expire before they reach the target host, and the target receives a different stream than the IDS analysed.
–Fragment packets so that the IDS and the target host reassemble them differently.

6 Fragment Evasion Techniques
Use fragments
–Older IDS cannot reassemble fragments at all.
Flood of fragments
–DoS the IDS through heavy CPU/RAM use in its reassembly buffers.
Tiny fragments
–Break the attack into multiple fragments, none of which matches the signature on its own.
–ex: frag 1: "cat /etc", frag 2: "/shadow"
Overlapping fragments
–The offset of a later fragment overwrites part of an earlier one.
–ex: frag 1: "cat /etc/fred", frag 2: offset=10 (counting bytes from 1), "shadow"; a last-fragment-wins host reads "cat /etc/shadow".
–Different OSes resolve overlaps differently (first fragment wins vs. last fragment wins), so an IDS must reassemble the way the target does.
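The tiny-fragment and overlapping-fragment cases above come down to how the receiver fills a reassembly buffer. The following added example (not from the slides) reassembles constructed fragments under a "first fragment wins" and a "last fragment wins" policy and checks the slide's signature against each result. Offsets here are plain byte offsets counted from 0, so the slide's 1-based offset 10 becomes 9; real IPv4 fragment offsets are expressed in 8-byte units, which the example ignores for clarity.

```python
"""Fragment reassembly under two overlap policies.
Added example; the fragments and the signature are constructed."""

SIGNATURE = b"cat /etc/shadow"


def reassemble(fragments, policy="first"):
    """fragments: list of (byte_offset, payload).
    policy 'first': the earliest received byte for a position is kept
    (BSD-style behaviour).  policy 'last': later fragments overwrite
    earlier data (the behaviour of some other stacks)."""
    size = max(off + len(p) for off, p in fragments)
    buf = bytearray(size)
    seen = bytearray(size)
    for off, payload in fragments:
        for i, byte in enumerate(payload):
            pos = off + i
            if policy == "last" or not seen[pos]:
                buf[pos] = byte
                seen[pos] = 1
    return bytes(buf)


def per_fragment_match(fragments):
    """What an IDS with no reassembly sees: each fragment on its own."""
    return any(SIGNATURE in payload for _off, payload in fragments)


def reassembled_match(fragments, policy):
    return SIGNATURE in reassemble(fragments, policy)


# Constructed fragments from the slide.
TINY = [(0, b"cat /etc"), (8, b"/shadow")]
# Slide's overlap example: frag 2 begins at 1-based offset 10, i.e. 0-based 9.
OVERLAP = [(0, b"cat /etc/fred"), (9, b"shadow")]

if __name__ == "__main__":
    for name, frags in (("tiny", TINY), ("overlap", OVERLAP)):
        print(name, "per-fragment:", per_fragment_match(frags))
        for pol in ("first", "last"):
            data = reassemble(frags, pol)
            print(f"  {pol:5s} -> {data!r} match={SIGNATURE in data}")
```

Running it shows the two evasions separately: the tiny-fragment stream matches only after reassembly, and the overlapping stream matches only under the last-wins policy, so an IDS that reassembles first-wins while the target reassembles last-wins will miss the attack. Snort's frag3 preprocessor addresses exactly this by letting the operator declare the reassembly policy per target host.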

7 Web Evasion Techniques
URL encoding
–GET /%63%67%69%2d%62%69%6e/bad.cgi
/./ directory insertion
–GET /./cgi-bin/./bad.cgi
Long directory insertion
–GET /junklongdirectorypathstuffhereuseless/../cgi-bin/bad.cgi
–An IDS may only inspect the first part of a URL for speed.
Tab separation
–GET<TAB>/cgi-bin/bad.cgi (a tab in place of the space after the method)
–Tabs usually work on servers, but the signature may be written with a space.
Case sensitivity
–GET /CGI-BIN/bad.cgi
–Windows filenames are case-insensitive, but the signature may not be.
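All five tricks on this slide defeat a signature that does a literal string comparison on the request line, and all five fall to normalising the request the way the web server will before matching. The following is an added example (not from the slides and not any IDS's own code) that decodes, case-folds and collapses the request target, then matches the slide's evasions against a constructed Snort-style signature string.

```python
"""Normalise an HTTP request line before signature matching.
Added example; the request lines and the signature are constructed."""
from urllib.parse import unquote

# Literal signature a naive rule would carry (constructed).
RAW_SIG = "GET /cgi-bin/bad.cgi"


def normalize_path(path):
    """Canonicalise a request target the way a typical server resolves it."""
    # 1. Percent-decode until stable, so %2563 (double encoding) also decodes.
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    # 2. Case-fold: the target may be a case-insensitive filesystem (Windows).
    path = path.lower()
    # 3. Collapse empty, '.' and '..' segments.
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def normalize_line(line):
    """'METHOD<SP|TAB>target[ HTTP/x.y]' -> 'METHOD /canonical/target'."""
    parts = line.replace("\t", " ").split()
    if len(parts) < 2:
        return line
    return f"{parts[0].upper()} {normalize_path(parts[1])}"


def raw_match(line):
    return RAW_SIG in line


def normalized_match(line):
    return RAW_SIG in normalize_line(line)


# The slide's evasions, as constructed request lines.
EVASIONS = [
    "GET /%63%67%69%2d%62%69%6e/bad.cgi HTTP/1.0",
    "GET /./cgi-bin/./bad.cgi HTTP/1.0",
    "GET /junklongdirectorypathstuffhereuseless/../cgi-bin/bad.cgi HTTP/1.0",
    "GET\t/cgi-bin/bad.cgi\tHTTP/1.0",
    "GET /CGI-BIN/bad.cgi HTTP/1.0",
]

if __name__ == "__main__":
    for line in EVASIONS:
        print(f"raw={raw_match(line)!s:5} normalized={normalized_match(line)!s:5} {line!r}")
```

Normalisation must mirror the target, not exceed it: lower-casing every path is right for an IIS back end but on a case-sensitive Unix server /CGI-BIN/bad.cgi is a 404, so the same rule would fire on harmless traffic. Snort's http_inspect preprocessor makes these choices per server profile for that reason.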

8 Countering Evasion
Keep IDS/IPS signatures up to date.
–On a daily or weekly basis.
Use both host and network IDS/IPS.
–Host-based is harder to evade because it runs on the host and sees data after the host's own stack has reassembled and decoded it.
–Fragment attacks therefore cannot evade a host IDS.
–Network IDS is still useful as an overall monitor and sees hosts that have no agent.
Like any alarm, an IDS/IPS has
–False positives: alerts on benign traffic.
–False negatives: attacks that produce no alert.

9 Key Points
Models of IDS:
–Anomaly detection: unexpected events.
–Misuse detection: violations of policy.
IDS Architecture:
–Agents.
–Director.
–Notifiers.
Types of IDS
–Host: an agent on the host checks files and processes to detect attacks.
–Network: sniffs and analyzes packets to detect intrusions.
IDS/IPS Evasion
–Alter appearance to avoid a signature match.
–Alter context so the IDS interprets the traffic differently than the host does.


