
NETWORK SECURITY

NETWORK SECURITY. INTRUSION DETECTION SYSTEMS (IDS) KANDIAH.M. Clarkson University, Potsdam, New York. Introduction to IDS. Why we need IDS? Fire Walls and IDS. Analogy Based Example Classification of IDSs Models of IDS Anomaly based model Signature based model.

thais


Presentation Transcript


  1. NETWORK SECURITY INTRUSION DETECTION SYSTEMS (IDS) KANDIAH.M Clarkson University, Potsdam, New York.

  2. Introduction to IDS • Why we need IDS? • Fire Walls and IDS. • Analogy Based Example • Classification of IDSs • Models of IDS • Anomaly based model • Signature based model.

  3. A Typical Fire Wall Deployment. Source: http://www.scs-ca.com/images/topos/2-AV-01.gif

  4. Anomaly Based IDS • General Functional Mechanism • Behavioral Anomaly • Statistical Approach • Example: Traffic analysis • Protocol Anomaly • Based on Protocols and communication Structure • Example: Insecure Protocols • Pros • Captures all the headers of IP • Filters out respective (Mail, Web, DNS, etc.) legal traffic • More Pro-active. • Quickly Identifies Probes and Scans towards Network Hardware • Best Suited for Larger networks and Networks vulnerable to frequent hacking.

  5. Anomaly Based IDS • Cons • Often makes False Alarms (False Positives) • Need skilled personnel to analyze the possible intrusions. • Need Sophisticated Hardware and Software • Creates large amount of Log data • Increase network traffic (some)

  6. Signature Based IDS • Based on known Attack patterns • There are two (Basic) kinds of Signature Based IDSs: • NIDS (Network Intrusion Detection System) • HIDS (Host Intrusion Detection System)

  7. What is an attack Signature? • Sequence of Events A->B->C, D->E • Examples of Signature (Unix Systems) • Gaining root privileges • Suspected repetitive actions • Using the command "sudo -s" or "su - root" • Using CGI scripts to access the file by fetching arguments. http://www.host.com/~xxxx or http://www.host.com/../../etc/passwd

  8. Signature Based IDS • General Functional Mechanism • Pros: • Ease of Use • Looks for O/S level changes (Biggest Advantage) • No need for skilled personnel • Commercial and Open Source • Regular updates of new signatures to the signature database

  9. Signature Based IDS • Cons: • More Re-active • More reliable updates only for Commercial versions • More suited for Hosts than Networks • Why? • Depends on Network Traffic • Consumes CPU time • Can be hacked easily.

  10. Network Intrusion Detection Systems (NIDS). • Functional Mechanism • Uses huge standby databases with signatures • Components of NIDS • Sensors and Consoles

  11. NIDS....A typical Deployment

  12. NIDS …… • Selection Criteria • Deployment of NIDS • Interference with Network Traffic • Commercial NIDS • Example: Snort • Open Source NIDS • Example: Bro • Monitors network in Passive mode • No Direct Interference with the Network.

  13. HIDS • Functional Mechanism • Analogy example… • O/S level Changes • Sensors and Killing the session • Most efficient Among all IDSs • Strips down all the packets including encrypted ones. • Commercial Vs Open Source • Example Tripwire

  14. HIDS..A typical Deployment

  15. Advancements in IDS • Hybrid IDS • Combination of NIDS functionality and HIDS. • Decoy Based IDS • Example: Our Honey Pot machine • *No problem with False Positive • Captures only unauthorized activities • All traffic are considered to be suspected ones

  16. On Progress…. • Circumstances where unnoticed attacks take place • Hybrid NIDS • Detection Points.
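The signature matching described on slides 6 to 9, applied to the example signatures of slide 7, as an added example that is not part of the original presentation. The regexes, the repeat threshold, the function names and the sample events are all assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Signature names follow slide 7; the regexes are this example's assumption.
SIGNATURES = [
    ("path-traversal", re.compile(r"(?<![\w.])\.\./")),
    ("passwd-access", re.compile(r"/etc/passwd\b")),
    ("root-shell", re.compile(r"\b(sudo\s+-s|su\s+-\s+root)\b")),
]
REPEAT_THRESHOLD = 3  # assumed: hits from one source before "repetitive action"

def normalise(line):
    """Decode percent-encoding until stable, so encoded and double-encoded
    forms of ../ are compared against the same signature text."""
    for _ in range(3):
        decoded = unquote(line)
        if decoded == line:
            break
        line = decoded
    return line.replace("\\", "/")

def detect(events):
    """events: iterable of (source, line). Returns [(source, signature_name)]."""
    alerts, hits = [], Counter()
    for source, line in events:
        text = normalise(line)
        for name, pattern in SIGNATURES:
            if pattern.search(text):
                alerts.append((source, name))
                hits[source] += 1
                # Slide 7's "suspected repetitive actions": same source, many hits.
                if hits[source] == REPEAT_THRESHOLD:
                    alerts.append((source, "repetitive-action"))
    return alerts

# Constructed sample events: (source, log line).
SAMPLE_EVENTS = [
    ("10.0.0.5", "GET /~xxxx HTTP/1.0"),
    ("10.0.0.7", "GET /../../etc/passwd HTTP/1.0"),
    ("10.0.0.7", "GET /cgi-bin/view?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.0"),
    ("alice", "COMMAND=sudo -s"),
    ("bob", "COMMAND=sudo -l"),
]

if __name__ == "__main__":
    for source, name in detect(SAMPLE_EVENTS):
        print(f"ALERT {name} from {source}")
```

Events that match no entry in `SIGNATURES` produce no alert at all, which is the reactive limitation listed under the cons on slide 9.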
