Intrusion Detection System (IDS) Basics
LTJG Lemuel S. Lawrence
Presentation for IS-2010, 13 Sept 2004
Agenda
– The Problem
– Protection
– Firewall vs. IDS
– IDS Basics: types (host based, network based); passive and reactive systems
– Conclusion
The Problem
Hackers
– Internal
– External
Inherent holes in your security setup
– Not configured properly
– Patches not up to date or not available
– Virus definitions not up to date or not available
The Problem
"There's nothing on my system that anybody would want anyway."
Legal liability
– Inappropriate content (child pornography, hosting illegal files such as .mp3 files, etc.)
– You are potentially liable for damages caused by a hacker using your machine. You must be able to prove to a court that you took "reasonable" measures to defend yourself from hackers (e.g. a cyber bank robbery staged from your computer as the host).
How do you protect yourself?
Layered security setup
– IDS
– Firewall
– Antivirus
Applying the three basic security principles
– Vulnerabilities
– Threats
– Countermeasures
Firewall vs. IDS
Firewall: a system (software or hardware) designed to restrict access to an organization's network or its intranet (the Fence).
IDS: a system that tries to identify attempts to hack or break into a computer system or to misuse it. IDSs may monitor packets passing over the network, monitor system files, monitor log files, or set up deception systems (honeypots) that attempt to trap hackers (the Guard Dog).
Why do we need both?
Firewalls, as stated, are designed to block unwanted traffic. A common misunderstanding is that firewalls recognize attacks and block them. This is not true. The firewall administrator carefully adds "rules" that allow specific types of traffic through the firewall. For example, a typical corporate firewall allowing access to the Internet would drop all UDP and drop incoming TCP connections, but allow outgoing TCP connections (and the replies belonging to them). This stops all incoming connections from Internet hackers but still lets internal users connect outward. Firewalls only limit access: they don't "recognize" attacks, they merely block what the administrator tells them to. An attack carried inside a connection the rules permit passes through untouched.
Why do we need both?
Firewalls sit only at the boundary of your network. Roughly 80% of all financial losses due to hacking come from inside the network!
– A firewall at the perimeter sees nothing going on inside; it only sees the traffic that passes between the internal network and the Internet.
IDS capabilities
– Double-checks misconfigured firewalls
– Catches attacks that firewalls legitimately allow through (such as attacks against web servers, and internal attacks)
– Catches attempts that fail
– Catches insider hacking
Why do we need both?
Hackers are much more capable than you think; the more defense you have, the better. Firewalls and IDSs still won't protect you from a determined hacker, but they raise the bar on the determination the hacker needs.
Types of IDS
– Host based (HIDS)
– Network based (NIDS)
Host Based IDS
A host based intrusion detection system's role is to identify tampering or malicious activity occurring on the system.
– Monitors log files, users, and the file system for evidence of malicious or suspicious application activity in real time.
– Can use system logs, application logs, host traffic, key system files, and in some instances firewall logs as its data sources.
Host Based
Some of the activities that a host based IDS can monitor include:
– user-specific actions
– access to system log files, running processes, and the file system
– the success or failure of an attack
– attacks that use NIDS evasion techniques, i.e. an attack that makes it through the firewall, is undetected by the NIDS, and succeeds against the system or network
Because a HIDS runs on the host it watches, an attacker who takes that host can tamper with or silence it; its logs and alerts should therefore be sent to a separate system.
Network Based
Monitors both incoming and outgoing traffic. Typically deployed on standalone systems in front of firewalls or at key network choke points for large or complicated networks.
There are two forms of NIDS:
– Pattern matching (signature based)
– Anomaly based
NIDS use network traffic as their source, monitoring it in real time and alerting in near real time. A NIDS sees only what is on the wire: encrypted payloads (e.g. SSL/SSH) cannot be inspected unless the sensor is given the keys or placed behind a decrypting proxy.
Network Based: Pattern Matching
– Most IDSs follow this approach.
– It is a knowledge based system: the IDS contains prior information about specific attacks and vulnerabilities.
– Applies this to incoming and outgoing traffic by inspecting each packet against its signature database.
– When a signature matches, an alarm is triggered and the administrator is notified.
The accuracy of a knowledge based system relies on its signature database: it cannot detect an attack it has no signature for, and a stale database misses new attacks.
Network Based: Anomaly Detection
– Creates a profile of normal network traffic.
– Any anomalous/irregular traffic that is seen is considered suspicious, and an alarm is generated.
– Detection of suspicious events can be implemented in various ways, e.g. protocol analysis/decoding, or flagging traffic that doesn't comply with the normal-traffic criteria.
Anomaly detection can catch attacks no signature describes, at the cost of more false positives; and if the baseline is learned while an attacker is already present, that attacker's traffic becomes part of "normal".
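The two detection forms from the preceding slides, pattern matching against a signature database and anomaly detection against a traffic profile, side by side in one toy NIDS. This is an added illustration, not code from the presentation: the packets, the two signature patterns, the IP addresses and the "distinct destination ports per source" profile are all constructed here. Each detector catches what the other misses: the signature finds a directory-traversal request in a single packet, the anomaly profile finds a port scan that matches no signature.

```python
"""Toy NIDS showing knowledge-based pattern matching beside anomaly detection.
Added illustration, not code from the presentation; packets, signatures and
addresses are constructed."""
import re
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Packet:
    src: str       # source IP
    dst: str       # destination IP
    dport: int     # destination TCP port
    payload: bytes


# Signature database (hypothetical patterns in the spirit of web-attack rules).
# A knowledge-based IDS can only alert on what is in this table.
SIGNATURES = [
    ("web-dir-traversal", re.compile(rb"\.\./\.\./")),
    ("web-cgi-cmd-exec", re.compile(rb"/cgi-bin/[^ ]*[;|`]")),
]


def signature_alerts(packets):
    """Pattern matching: inspect every packet against every signature."""
    alerts = []
    for p in packets:
        for name, pat in SIGNATURES:
            if pat.search(p.payload):
                alerts.append((name, p.src, p.dst, p.dport))
    return alerts


def ports_per_source(packets):
    """Number of distinct destination ports contacted by each source host."""
    seen = {}
    for p in packets:
        seen.setdefault(p.src, set()).add(p.dport)
    return {src: len(ports) for src, ports in seen.items()}


def build_profile(baseline):
    """Profile of 'normal': mean and std. dev. of distinct ports per source."""
    counts = list(ports_per_source(baseline).values())
    return mean(counts), pstdev(counts)


def anomaly_alerts(profile, packets, sigma=3.0):
    """Flag sources whose port fan-out exceeds mean + sigma * stdev.
    The deviation is floored at 1.0 so a perfectly regular baseline does not
    alert on a host that touches a single extra port."""
    mu, sd = profile
    threshold = mu + sigma * max(sd, 1.0)
    return [(src, n) for src, n in ports_per_source(packets).items() if n > threshold]


def baseline_traffic():
    """Constructed 'normal' day: four clients talking to the web and mail servers."""
    pkts = []
    for i in range(1, 5):
        for port in (80, 443):
            pkts.append(Packet(f"10.0.0.{i}", "10.0.1.5", port, b"GET / HTTP/1.0\r\n"))
    pkts.append(Packet("10.0.0.4", "10.0.1.6", 25, b"HELO client\r\n"))
    return pkts


def observed_traffic():
    """Constructed capture: one normal request, one traversal attempt that
    matches a signature, and a port scan that matches nothing but is anomalous."""
    pkts = [
        Packet("10.0.0.1", "10.0.1.5", 80, b"GET /index.html HTTP/1.0\r\n"),
        Packet("203.0.113.9", "10.0.1.5", 80,
               b"GET /cgi-bin/../../../../etc/passwd HTTP/1.0\r\n"),
    ]
    pkts += [Packet("10.0.0.7", "10.0.1.5", port, b"") for port in range(1, 21)]
    return pkts


def run_nids(baseline, observed):
    """Run both detectors so their complementary coverage is visible."""
    return {
        "signature": signature_alerts(observed),
        "anomaly": anomaly_alerts(build_profile(baseline), observed),
    }


if __name__ == "__main__":
    for kind, alerts in run_nids(baseline_traffic(), observed_traffic()).items():
        print(kind, alerts)
```

Swap the baseline for a capture that already contains the scanner and the anomaly detector goes quiet: the profile absorbs the scan as normal, which is the baselining caveat noted above.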
Passive and Reactive IDS
Host and network based systems can be either passive or reactive systems. Most network-based systems are passive with reactive capabilities.
Passive
– detect possible attacks, log the information and issue an alert
Reactive
– attempt to react in some way to the malicious content spotted, such as changing firewall settings and/or permissions as appropriate
– Though reactive systems implement nice defensive mechanisms, they are still prone to false positives, and an automatic response to a false positive (or to traffic with a spoofed source address) can cut off legitimate users.
Reactive Network Based
Have the ability to react while watching the network, instead of on a per-system basis: authority to be reactive for a wide range of systems, and more control from one intrusion detection system.
Methods of preventing/reacting
– prevent known network/host based attacks from occurring
– insertion of firewall rules
– packet scrubbing
Reactive Host Based
Events are entered into log files after completion, so relying on reading log files for reactive tactics won't work. Reactive host based systems tend to watch the running system itself (i.e. the kernel and its system calls) for malicious or illegal activity.
– Improper privilege escalation: while watching system calls and the kernel, an attempt to escalate privileges can be seen, and a reactive host based IDS can attempt to defeat it by ending the process.
– Logging off malicious users: if activity is encountered that appears to be malicious, a reactive system can log the offending user off, block them from accessing the system until further notice, and inform the host's administrator.
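The host based monitoring from the Host Based IDS slides and the passive/reactive split from the last three slides, as one added example that is not part of the presentation. It reads an authentication log, raises a brute-force event when one source fails to log in five times within a minute, and raises a privilege-escalation event when a non-admin user opens a root session; in passive mode it only records events, in reactive mode it also emits a response (an iptables rule or a session termination) with an allowlist so that a jump host tripping the threshold is not locked out by a false positive. The slide above is right that a real reactive HIDS hooks the kernel rather than waiting for log lines; the log is used here because it makes the example self-contained, and the decision logic is the same one a kernel-hooked system would apply to system-call events. The log lines are constructed in syslog/OpenSSH style, and the users, addresses and thresholds are assumptions.

```python
"""Toy HIDS over an authentication log, runnable in passive mode (log and
alert) or reactive mode (alert and respond).  Added illustration, not code
from the presentation; log lines are constructed in syslog/OpenSSH style and
the hosts, users and thresholds are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5               # this many failed logins from one source ...
WINDOW = timedelta(seconds=60)   # ... inside this window counts as brute force
ADMIN_USERS = {"alice"}          # users expected to become root
ALLOWLIST = {"10.0.0.5"}         # assumed jump host: never auto-blocked

FAILED_LOGIN = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ROOT_SESSION = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ su\[\d+\]: pam_unix\(su:session\): "
    r"session opened for user root by (?P<user>\w+)\(uid=\d+\)")


def parse_ts(text):
    # syslog timestamps carry no year; that is fine for deltas inside one log
    return datetime.strptime(text, "%b %d %H:%M:%S")


def analyze(lines, mode="passive"):
    """Return (events, actions). Events are raised in both modes; actions only
    in reactive mode. Lines are expected in chronological order."""
    events, actions = [], []
    failures = defaultdict(deque)   # ip -> timestamps of failures inside WINDOW
    alerted = set()                 # alert once per source, not once per line
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if m:
            ip, ts = m["ip"], parse_ts(m["ts"])
            q = failures[ip]
            q.append(ts)
            while ts - q[0] > WINDOW:   # slide the window forward
                q.popleft()
            if len(q) >= FAIL_THRESHOLD and ip not in alerted:
                alerted.add(ip)
                events.append(("brute-force", ip))
                if mode == "reactive":
                    if ip in ALLOWLIST:   # false-positive guard
                        actions.append(("suppressed-allowlisted", ip))
                    else:
                        actions.append(("firewall-rule",
                                        f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"))
            continue
        m = ROOT_SESSION.match(line)
        if m and m["user"] not in ADMIN_USERS:
            events.append(("privilege-escalation", m["user"]))
            if mode == "reactive":
                actions.append(("terminate-session", m["user"]))
    return events, actions


# Constructed sample log: a brute-force run from the Internet, five failures
# from the allowlisted jump host, two harmless failures spread over minutes,
# an admin becoming root, and a non-admin becoming root.
LOG = """\
Sep 13 10:00:01 host1 sshd[2101]: Failed password for invalid user admin from 198.51.100.23 port 40122 ssh2
Sep 13 10:00:03 host1 sshd[2101]: Failed password for invalid user admin from 198.51.100.23 port 40123 ssh2
Sep 13 10:00:05 host1 sshd[2103]: Failed password for root from 198.51.100.23 port 40124 ssh2
Sep 13 10:00:07 host1 sshd[2105]: Failed password for root from 198.51.100.23 port 40125 ssh2
Sep 13 10:00:09 host1 sshd[2107]: Failed password for root from 198.51.100.23 port 40126 ssh2
Sep 13 10:00:12 host1 sshd[2110]: Failed password for alice from 10.0.0.5 port 51000 ssh2
Sep 13 10:00:15 host1 sshd[2110]: Failed password for alice from 10.0.0.5 port 51000 ssh2
Sep 13 10:00:18 host1 sshd[2110]: Failed password for alice from 10.0.0.5 port 51000 ssh2
Sep 13 10:00:21 host1 sshd[2112]: Failed password for alice from 10.0.0.5 port 51001 ssh2
Sep 13 10:00:24 host1 sshd[2112]: Failed password for alice from 10.0.0.5 port 51001 ssh2
Sep 13 10:01:00 host1 sshd[2120]: Failed password for carol from 192.0.2.8 port 60000 ssh2
Sep 13 10:02:30 host1 su[2130]: pam_unix(su:session): session opened for user root by alice(uid=1001)
Sep 13 10:03:00 host1 su[2140]: pam_unix(su:session): session opened for user root by bob(uid=1002)
Sep 13 10:05:00 host1 sshd[2150]: Failed password for carol from 192.0.2.8 port 60001 ssh2
"""

if __name__ == "__main__":
    for mode in ("passive", "reactive"):
        events, actions = analyze(LOG.splitlines(), mode)
        print(mode, "events:", events)
        print(mode, "actions:", actions)
```

The emitted iptables line is returned as data rather than executed, which is how a reactive system should be wired during tuning: review what it would have done on a week of logs before letting it change firewall rules on its own.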
Conclusion
Problem
– Hackers
– Protecting yourself
– Legal liability
IDS vs. Firewall
– Need for both the "Fence" and the "Guard Dog"
Host and network based IDS
Passive and reactive IDS
Questions?