470 likes | 625 Views
Concepts of Network Security and Intrusion Detection. Jianhua Yang Department of Math & Computer Science University of Maryland Eastern Shore. Goals. Network Security Intrusion Detection. 3.1 What is Network Security?. Security is a continuous process of protecting an object from attack.
E N D
Concepts of Network Security and Intrusion Detection Jianhua Yang Department of Math & Computer Science University of Maryland Eastern Shore
Goals • Network Security • Intrusion Detection
3.1 What is Network Security? • Security is a continuous process of protecting an object from attack. • Object • A person • Organization, or • A computer system or a file.
Computer System • Its security involves all its resources: • Physical resources • Reader, printers, CPU, monitor, memories,…. • Non-physical resources • Data • File information • …
Distributed computer system • The protection covers: • Communication channels • Network connectors: • Modems, bridges, switches, routers, servers • Network file system
In General, security • Means preventing unauthorized access, use, alteration, and theft or physical damage to the resources • Involves three elements • Confidentiality • Integrity • Availability To prevent unauthorized disclosure of information to third parties. To prevent unauthorized modification of resources and maintain the status To prevent unauthorized withholding of system resources from those who need them when they need them
Some basic concepts and methods Is the process of trying to stop intruders from gaining access to the resources of the system • Prevention • Detection • Response • Firewalls • Passwords Occurs when the intruder has succeeded or is in the process of gaining access of the system Is an aftereffect mechanism that tries to respond to the failure of prevention and detection A firewall is hardware or software used to isolate the sensitive portions of an information system facility from the outside world and limit the potential damage that can be done by a malicious intruder. A password is a string of usually six to eight characters, with restrictions on length and start character, to verify a user to an information system facility, usually a computer system.
Security Services • The prevention of unauthorized access to system resources is achieved through a number of security services. • They include: • Access control • Authentication • Confidentiality • Integrity • Non-repudiation
Access control • Hardware access control systems • Access terminal • Visual event monitoring • Identification cards • Biometric identification • Video surveillance • Software access control systems • Point of access monitoring • Remote monitoring
Authentication • It is a service to identify a user, especially a remote user. • It is a process whereby the system gathers and builds up information about the user to ensure the user is genuine. • It is based on: • Username and password • Retinal images • face images • Fingerprints • Physical location • Identity cards • Typing mode
Authentication Techniques It is a key management scheme that authenticates unknown principals who want to communicate with each other. • Kerberos • IPSec • SSL (secure sockets layer) • S/Key • ANSI X9.9 • ISO 8730 • Indirect OTP (one time password) It provides the capability to ensure security of data in a communication network. It makes all the Internet applications including client/server, e-mail, file transfer, and web access secure. It ends up with a secret key that both the client and server use for sending encrypted messages. It is a one-time password scheme based on a one-way hash function. It is a U.S. banking standard for authentication of financial transaction.
Confidentiality • It is a service to protect system data and information from unauthorized disclosure. • Encryption protects the communication channel from sniffers. Sniffers are programs written for and installed on the communication channels to eavesdrop on network traffic, examining all traffic on selected network segments.
Integrity • It is a service to protect data against active threats such as those that may alter it. • Hashing algorithms
Non-repudiation • It is a security service that provides proof of origin and delivery of service and/or information. • Digital signature
Security Standards • Security organizations • Security standards
Security Organizations • IETF: Internet Engineering Task Force • IEEE: Institute of Electronic and Electric Engineer • ISO: International Standards Organization • ITU: International Telecommunications Union • ECBS: European Committee for Banking standards • ECMA: European Computer Manufacturers Association • NIST: National Institute of Standards and Technology • W3C: World Wide Web Consortium • RSA: Rivest, Shamir and Adleman
Security Standards-Organizations • IETF: IPSec, XML-Signature, Kerberos, S/MIME • ISO: OSI • ITU: X.2xx, X.5xx, X.7xx, X.80xx • ECBS: TR-40x • ECMA: ECMA-13x, ECMA-20x • NIST: X3, X9.xx Financial, X12.xx Electronic Data Exchange • IEEE: IEEE802.xx • RSA: Public Key Cryptographic Standard • W3C: XML Encryption, XML Signature, XKMS (exXensible Key Management Specification)
Security Standards -Services • Internet security • Digital signature and encryption • Login and authentication • Firewall and system security
Internet Security • Network authentication • Kerberos • Secure TCP/IP communications over the Internet • IPSec • Privacy-enhanced electronic mail • S/MIME, PGP • Public key cryptography • 3-DES, DSA, RSA, MD-5, SHA-1, PKCS • Secure hypertext transfer protocol • S-HTTP • Security protocol for privacy on Internet/transport security • SSL, TLS, SET
Digital Signature and Encryption • Advanced Encryption Standards • X509, DES, AES, DSS/DSA, SHA/SHS • Digital certificates/XML digital signatures • XMLDSIG, XMLENC, XKMS
Login and Authentication • Authentication of user’s right to use system or network resources • SAML • Liberty Alliance • FIPS 112
Firewall and system security • Security of local, wide and metropolitan area networks • Secure Data Exchange (SDE) for IEEE 802 • ISO/IEC 10164
3.2 Intrusion Detection and Prevention • Definition of ID • Intrusion Detection Systems (IDS) • Types of IDS • Response to System Intrusion • Challenges to IDS • Intrusion Prevention Systems (IPS) • Intrusion Detection Tools
Definitions • Intrusion Detection • It is a technique of detecting unauthorized access to a computer system or a computer network. • Intrusion Prevention • It is the art of preventing an unauthorized access of a system’s resources.
The Types of Intrusion • Attempted break-ins • Masquerade attacks • Penetrations • Denial of service • Malicious use
System Intrusion Process • Reconnaissance • Information collection and weak points analysis • Physical Intrusion • Attack • Denial of service (DoS): the intruder attempts to crash a service, overload network links, overload CPU, or fill up the disk. • Common DoS: • Ping-of-Death • SYN Flooding • Land/Latierra • WinNuke
Land/Latierra, WinNuke • Land/Latierra: • Sends forged SYN packet with identical source/destination address/port so that the system goes into an infinite loop trying to complete the TCP connection. • WinNuke • Sends and URG data on a TCP connection to port 139 (for NetBIOS session), which causes the Windows system to hang.
Intrusion Detection Systems • What is an IDSs? • An IDSs is a system used to detect unauthorized intrusions into computer systems and networks.
Three Models • Anomaly-based detection • Signature-based detection • Hybrid detection
Anomaly detection • Creating “norms” of activities • Collecting current activity • Comparing the current one with ‘norm’ one • Based on the comparison result to determine if there is an Intrusion
Problems • Not efficient • Easy to introduce false positive error
Misuse detection • Signature-based detection • Each intrusive activity is represented by a unique pattern or a signature • New activity can be compared with existing pattern
Problems • Cannot detect unknown attacks • Easy to introduce false negative errors
Types of IDSs • Network-based IDS (NIDSs) • Host-based IDS (HIDS)
NIDSs • They take the whole network as the monitoring scope • They monitor the traffic on the network to detect intrusions • They are mainly for outside attackers
Components of a NIDS • Network sensor • Analyzer • Alert notifier • Response system
Advantages of NIDSs • The ability to detect attacks that a HIDS would miss because NIDS monitor network at a transport layer. • Difficulty to remove evidence. • Real-time detection and response. • Ability to detect unsuccessful attacks and malicious intent.
Disadvantages • Blind spots • Encrypted data
HIDSs • Detect intrusions based on the information of a single target computer • The information includes system, event, and security logs on Windows and syslog in Unix environments • Focus on inside attacks
Advantages • Ability to verify success or failure of an attack quickly • Efficiency • Near real-time detection and response • Ability to deal with encrypted environments
Disadvantages • Limited view of the network • It is not possible for large deployment
Victim Attacker Stepping-stones Monitor Point Stepping-stone intrusion
Intrusion Detection Tools • Realsecure v3.0 (ISS) • Net Perver 3.1 (Axent Technologies) • Net Ranger v2.2 (CISCO) • FlightRemohe v2.2 (NFR Network) • Sessi-Wall-3 v4.0 (Computer Associates) • Kane Security Monitor (Security Dynamics)
Summary • Concepts of Network Security • Basics of IDSs