1 / 13

Intrusion Detection/Prevention Systems

Intrusion Detection/Prevention Systems. Charles Poff Bearing Point. Intrusion Detection Systems. Intrusion Detection System (IDS) Passive Hardwaresoftware based Uses attack signatures Configuration SPAN/Mirror Ports Generates alerts (email, pager) After the fact response.

lionel
Download Presentation

Intrusion Detection/Prevention Systems

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Intrusion Detection/Prevention Systems Charles Poff Bearing Point

  2. Intrusion Detection Systems • Intrusion Detection System (IDS) • Passive • Hardware\software based • Uses attack signatures • Configuration • SPAN/Mirror Ports • Generates alerts (email, pager) • After the fact response

  3. Intrusion Prevention Systems • Intrusion Prevention System (IPS) • Also called Network Defense Systems (NDS) • Inline & active • Hardware\software based • Uses attack signatures • Configuration • Inline w/fail over features. • Generates alerts (email, pager) • Real time response

  4. IDS vs. IPS • IPS evolved from IDS • Need to stop attacks in real time • After the fact attacks have lesser value • IDS is cheaper. • Several Open Source IDS/IPS • Software based • IPS = EXPENSIVE • Hardware based (ASIC & FPGA)

  5. Detection Capabilities • Signatures • Based on current exploits (worm, viruses) • Detect malware, spyware and other malicious programs. • Bad traffic detection, traffic normalization • Anomaly Detection • Analyzes TCP/IP parameters • Normalization • Fragmentation/reassembly • Header & checksum problems

  6. Evasion Techniques • Encryption • IPSec, SSH, Blowfish, SSL, etc. • Placement of IPS sensors are crucial • Lead to architectural problems • False sense of security • Encryption Key Exchange • IPS sensors can “usually” detect/see encryption key exchanges • IPS sensors can “usually” detected unknown protocols

  7. Evasion Techniques (cont.) • Packet Fragmentation • Reassembly – 1.) out of order, 2.) storage of fragments (D.o.S) • Overlapping – different size packets arrive out of order and in overlapping positions. • Newly arrived packets can overwrite older data.

  8. Evasion Techniques (cont.) • Zero day exploits (XSS, SQL Injection) • Not caught by signatures • Not detected by normalization triggers • Specific to custom applications/DB’s. • Social engineering • Verbal communication • Malicious access via legitimate credentials • Poor configuration management • Mis-configurations allow simple access not detected. • Increases attack vectors

  9. Vendors • Open Source • SNORT (IDS/IPS) – my favorite • Prelude (IDS) • HoneyNet (Honey Pot/IDS) • Commercial • TippingPoint • Internet Security Systems • Juniper • RadWare • Mirage Networks

  10. Tools of the Trade • Fuzzers – SPIKE, WebScarab, ADMmutate, ISIC, Burp Suite • Scanners - Nessus, NMAP, Nikto, Whisker • Fragmentation – ADMmutate, Fragroute, Fragrouter, ettercap, dSniff • Sniffers – ethereal, dSniff, ettercap, TCPDump • Web Sites • www.thc.org • packetstormsecurity.nl • www.packetfactory.net

  11. Future of IDS/IPS • Many security appliances  ONE • IDS/IPS, SPAM, AV, Content Filtering • IDS will continue to loose market share • IPS, including malware, spyware, av are gaining market share • Security awareness is increasing • Attacks are getting sophisticated • Worms, XSS, SQL Injection, etc.

  12. Your Organization • What’s protecting your organization? • Future Plans? • Products and vendors? • Evolution of security infrastructure.

  13. Question • Question & comments

More Related