
Chapter 7

Chapter 7. Intrusion Detection. Objectives: in this chapter, you will understand intrusion detection benefits and problems, learn about network intrusion detection, learn about host intrusion detection, recognize the importance of honeypots, and learn how operators analyze and respond to events.





Presentation Transcript


  1. Chapter 7 Intrusion Detection

  2. Objectives
  In this chapter, you will:
  • Understand intrusion detection benefits and problems
  • Learn about network intrusion detection
  • Learn about host intrusion detection
  • Recognize the importance of honeypots
  • Learn how operators analyze and respond to events

  3. Intrusion Detection Overview

  4. Intrusion Detection Overview
  • Layered detection to proactively monitor networks and systems
    • 1st layer: Network monitoring
    • 2nd layer: System (host) monitoring
    • 3rd layer: Trending and analysis
    • 4th layer: Current news and information

  5. Intrusion Detection Overview
  • Recording activity as another monitoring mechanism
    • IDS
    • Network device logging (e.g., firewalls, routers, etc.)
    • System logging

  6. Intrusion Detection Overview
  • Distraction and setting traps to entice attackers for monitoring purposes
    • Emulating an OS or applications
    • Delaying network responses
    • Displaying deceptive error messages
    • Restricting the number of connections
    • Restricting the time allowed for connections
    • Running all applications as a non-privileged user

  7. Intrusion Detection Overview
  • False positives are the biggest problem for IDS
  • Some solutions include:
    • Filtering
    • Summation of events
    • Rule modification

  8. Network Intrusion Detection

  9. Network Intrusion Detection
  • Sensors
    • Hardware devices
    • Software applications
    • Commercial vendors: Cisco, Enterasys, ISS
    • Freeware: Snort

  10. Network Intrusion Detection
  • Sensor placement
    • Use multiple sensors
    • Do not overwhelm sensors with traffic
    • Place at every Internet access point
    • Place at every extranet access point
    • Place on both sides of a firewall
    • Do not flood the network with NIDS traffic

  11. Network Intrusion Detection

  12. Network Intrusion Detection
  • Sensor deployment
    • Determine placement
    • Configure the sensor
    • Place the sensor on the network
    • Upload the latest signatures
    • Test the sensor for a period of time
    • Place the sensor in production
    • Continue to patch and update signatures

  13. Network Intrusion Detection
  • Other NIDS components
    • NIDS manager
    • NIDS database
    • NIDS console

  14. Host Intrusion Detection

  15. Host Intrusion Detection
  • Sensors
    • Software application
    • Commercial vendors: Cisco, Enterasys, ISS, Tripwire, Symantec
    • Freeware: Tripwire, LIDS

  16. Host Intrusion Detection
  • Placement
    • Use on critical systems
    • Watch resource utilization
    • Deploy infrastructure where sensor software can be easily updated

  17. Host Intrusion Detection
  • Deployment
    • Install HIDS software
    • Configure HIDS software
    • Test software for a period of time
    • Place the sensor in production
    • Continue to patch and update signatures
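Slides 15 to 17 name Tripwire as a HIDS sensor and list the deployment steps, but not what such a sensor actually checks. The following is an added example, not Tripwire's or the presentation's code: a Python file-integrity check that records a baseline of content hashes and metadata for a directory tree, re-scans it, and reports added, removed and modified files. The directory layout and the changes made to it are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def fingerprint(path):
    """Record what a Tripwire-style HIDS watches per file: content hash, size, mode."""
    st = os.stat(path)
    digest = hashlib.sha256(Path(path).read_bytes()).hexdigest()
    return {"sha256": digest, "size": st.st_size, "mode": st.st_mode & 0o7777}

def build_baseline(root):
    """Fingerprint every regular file under `root`; this snapshot is the trusted baseline.
    Hashing everything on each run is the resource cost slide 16 warns about."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline, current):
    """Report files added, removed, or modified (with which attributes changed)."""
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)), "modified": {}}
    for name in set(baseline) & set(current):
        changed = sorted(k for k in baseline[name] if baseline[name][k] != current[name][k])
        if changed:
            report["modified"][name] = changed
    return report

def demo():
    """Constructed scenario: baseline a tiny tree, alter it four ways, re-scan and diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "motd").write_text("welcome\n")
        (root / "bin" / "tool").write_bytes(b"#!/bin/sh\necho ok\n")
        (root / "bin" / "tool").chmod(0o755)
        baseline = build_baseline(root)
        # Changes a HIDS should catch: content edit, permission change, deletion, new file.
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n10.0.0.9 update-server\n")
        (root / "bin" / "tool").chmod(0o777)  # now world-writable
        (root / "etc" / "motd").unlink()
        (root / "etc" / "extra.conf").write_text("setting=1\n")
        return compare(baseline, build_baseline(root))
```

In practice the baseline itself must be stored where the monitored host cannot rewrite it, otherwise a change to a file and a change to its baseline entry are indistinguishable.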

  18. Honeypots

  19. Honeypots
  • Various flavors:
    • Secure system that alerts whenever security controls are bypassed
    • Insecure system that alerts whenever activity takes place
    • Emulates another OS
    • Modifies network communication to trap or slow down attackers

  20. Analyzing IDS Monitoring and Responding to Events
  • Operator must determine if the event is a real threat:
    • Understand the network or system “personality”
    • Correlate events
    • Bring in an analyst for further investigation
    • Hand off to the incident management team
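Slide 7 lists filtering, summation of events and rule modification as the ways to cut false positives, and slide 20 describes the operator correlating events before handing off to an analyst. The following is an added example, not code from the presentation: a small Python triage pipeline over constructed, Snort-style one-line alerts (the line format, the signature IDs and the allow-list of known scanners are all assumptions) that filters vetted sources, sums repeated alerts per signature and source, and escalates only a source whose activity correlates across several signatures or hosts.

```python
import re
from datetime import datetime, timedelta
# Constructed sample alerts in a simplified one-line Snort-style format (made up for this
# example, not real captures). Fields: timestamp [gid:sid] message {proto} src -> dst
SAMPLE_ALERTS = """\
2024-03-01 10:00:01 [1:2000001] ICMP PING NMAP {ICMP} 10.0.0.5 -> 10.0.1.20
2024-03-01 10:00:02 [1:2000001] ICMP PING NMAP {ICMP} 10.0.0.5 -> 10.0.1.21
2024-03-01 10:00:03 [1:2000001] ICMP PING NMAP {ICMP} 10.0.0.5 -> 10.0.1.22
2024-03-01 10:00:04 [1:2000002] WEB-MISC /etc/passwd access {TCP} 10.0.0.5 -> 10.0.1.20
2024-03-01 10:00:09 [1:2000001] ICMP PING NMAP {ICMP} 10.0.0.99 -> 10.0.1.20
"""
ALERT_RE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<sid>[\d:]+)\] (?P<msg>.+?) "
                      r"\{(?P<proto>\w+)\} (?P<src>[\d.]+) -> (?P<dst>[\d.]+)$")
KNOWN_SCANNERS = {"10.0.0.99"}  # hypothetical allow-list: the in-house vulnerability scanner

def parse_alerts(text):
    """Parse alert lines into dicts, skipping any line that does not match the format."""
    alerts = [m.groupdict() for m in map(ALERT_RE.match, text.splitlines()) if m]
    for a in alerts:
        a["ts"] = datetime.strptime(a["ts"], "%Y-%m-%d %H:%M:%S")
    return alerts
def filter_alerts(alerts, allow_src=KNOWN_SCANNERS):
    """Filtering: drop alerts whose source the operator has vetted as benign."""
    return [a for a in alerts if a["src"] not in allow_src]
def summarize(alerts, window=timedelta(minutes=1)):
    """Summation: fold repeats of one signature from one source within `window` into one event."""
    events = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        e = next((e for e in events if (e["sid"], e["src"]) == (a["sid"], a["src"])
                  and a["ts"] - e["first"] <= window), None)
        if e is None:  # first sighting of this signature/source pair in the window
            e = {"sid": a["sid"], "msg": a["msg"], "src": a["src"],
                 "first": a["ts"], "count": 0, "targets": set()}
            events.append(e)
        e["count"] += 1
        e["targets"].add(a["dst"])
    return events
def correlate(events, min_sigs=2, min_targets=3):
    """Correlation: escalate a source that trips several signatures or touches several hosts."""
    by_src = {}
    for e in events:
        by_src.setdefault(e["src"], []).append(e)
    escalate = {}
    for src, evs in by_src.items():
        sigs = {e["sid"] for e in evs}
        targets = set().union(*(e["targets"] for e in evs))
        if len(sigs) >= min_sigs or len(targets) >= min_targets:
            escalate[src] = {"signatures": sorted(sigs), "targets": sorted(targets)}
    return escalate
```

Rule modification, the third remedy on slide 7, is the step that follows: a signature that keeps surfacing only from allow-listed sources is a candidate for a narrower rule rather than a permanent filter.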

  21. Summary
  • Network IDS provides the first layer in detective defenses by monitoring network activity.
  • Host IDS and honeypots offer a second layer of defenses in monitoring the activity on the systems themselves.
  • Data collection and analysis provide another layer to help organizations determine trending of attacks.
  • Finally, current news provides organizations with critical information on newly discovered attacks.

  22. Summary
  • Intrusion detection systems can record malicious activity, distract attackers from real targets, and stall would-be attackers to buy response time.
  • The single biggest problem with IDS technologies is the false positives generated.
  • Using filtering, summarization, and rule modification, organizations can effectively lessen the number of false positives received.
  • NIDS sensors are an essential part of intrusion detection because they can view all traffic on a particular network segment.

  23. Summary
  • HIDS sensors are useful for detecting attacks against a specific computer.
  • Honeypots are extremely flexible and useful in watching attackers in action. Additionally, honeypots can distract attackers away from real data targets.
  • Proper monitoring is comprised of two components of equal importance: intrusion detection devices and operators who are trained to analyze and respond to events.
