IDS vs IPS
• IDS = Intrusion detection system
• IPS = Intrusion prevention system
IDS
• Monitors a system for:
  • Malicious activities
  • Policy violations (not all policy violations are malicious)
IDS Categories
• Two categories of IDS:
  • A network-based IDS monitors network data packets for malicious activity. Example: Snort, Comodo-firewall
  • A host-based IDS analyzes any combination of system calls, application logs, file modifications, and other host activities. Example: Tripwire, WinPatrol, anti-virus software
Passive IDS
• Logs the possible intrusion and sends an alert.
• The alert could be an e-mail to SA staff, or posting the alert on a monitored console (or both). This is how Tripwire behaves.
Reactive IDS
• The reactive IDS (aka IPS) responds to an intrusion with a pre-configured defense strategy in real time. Snort, e-mail filters, and many anti-virus packages can be configured to be reactive.
Revised Taxonomy for IDS vs IPS
• IDS is either Passive or Reactive.
• An IPS prevents intrusions.
IPS (Revised Taxonomy)
• Passwords
• Login server (example: Kerberos)
• Firewalls: a combination of hardware and software.
• Access controls applied to hardware, software, and data.
• Physical security
IPS (Revised Taxonomy)
• In summary, the IPS is a barrier.
• The IDS is needed when the IPS barrier is breached.
IPS: Firewall
• A combination of software and hardware used to implement security policies governing the network traffic between two or more networks. A firewall is a system used to enforce network traffic security policy.
IPS: Firewall System
• Design the system
• Acquire the hardware and software
• Acquire training, documentation and support
• Install and configure the system
• Test the system
• Maintain the system (sustainability cycle)
IPS: Other Systems
• Implement:
  • Access controls
  • Physical security
  • Login server
IPS: Access Controls
• Windows Professional provides access control lists.
• Unix/Linux has a simple access control system: User, Group, World + read, write, execute.
• A Princeton study showed that complex access controls lead to misconfiguration. Proper training is essential.
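As an added example that is not part of the slides, the following Python decodes the Unix User/Group/World + read/write/execute model from a file's mode bits and flags the settings an SA would most want to review (world-writable, setuid, setgid, sticky). The paths in the demo section are assumptions; the functions themselves take any st_mode value.

```python
"""Decode Unix user/group/world permission bits and flag risky modes (added example)."""
import os
import stat

# Permission triads in the order the slide lists them: user, group, world.
_TRIADS = (
    ("user", stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR),
    ("group", stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP),
    ("world", stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH),
)


def mode_to_string(mode: int) -> str:
    """Render a st_mode value in the familiar 'ls -l' form, e.g. 'rw-r--r--'."""
    out = []
    for _, r, w, x in _TRIADS:
        out.append("r" if mode & r else "-")
        out.append("w" if mode & w else "-")
        out.append("x" if mode & x else "-")
    return "".join(out)


def audit_mode(mode: int) -> list:
    """Return findings for a mode value; an empty list means nothing to review."""
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & stat.S_ISUID:
        findings.append("setuid")
    if mode & stat.S_ISGID:
        findings.append("setgid")
    if mode & stat.S_ISVTX:
        # Sticky bit: world-writable directories such as /tmp rely on it.
        findings.append("sticky")
    return findings


def audit_path(path: str) -> dict:
    """Stat a real path and return its decoded permissions plus findings."""
    mode = os.stat(path).st_mode
    return {"path": path, "perms": mode_to_string(mode), "findings": audit_mode(mode)}


if __name__ == "__main__":
    # Assumed paths for a quick local run; skipped if they do not exist.
    for p in ("/etc/passwd", "/tmp"):
        if os.path.exists(p):
            print(audit_path(p))
```

Run it over a directory tree with os.walk to produce a periodic permissions report; a file that newly acquires "world-writable" or "setuid" between two runs is exactly the kind of change the host-based IDS slide describes.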
IPS: Physical Security
• Previously covered: locks on doors, limited access, keycards, proximity badges, etc.
IPS: Login Server
• Kerberos is a common login server that goes beyond the user-id & password authentication process.
• Kerberos was developed at MIT.
Intrusion Detection Data: Characterization Information
• Collect characterization information (CI).
• Characterization information must be monitored regularly.
IDS: Characterization Info
• System logs
• File checksums
• System performance metrics provided by system monitoring applications
• Expected activities by users and applications
CI: System Logs
• System logs require 1) access controls, 2) back-up, 3) encryption.
• Unix/Linux: /var/log
• MS Windows: systemroot\WINDOWS\System32\Config\*.evt
• Enable event logging and use the event viewer (eventvwr.msc).
System Log Files
• Log files can grow and use up space.
• Log files should periodically be backed up, then removed to make space for new log information.
Checksums
• Tripwire creates a database of checksums for a list of specified files (data, source, binary, etc.). The database of checksums acts as a baseline for comparison.
• Common checksum algorithms: MD5, SHA, CRC
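The baseline-and-compare idea behind Tripwire, as an added Python example that is not Tripwire's own code: hash a list of monitored files into a baseline database, later re-hash them, and report which files were modified or are missing. The demo creates its own constructed sample files in a temporary directory; the file names used there (login, sshd_config) are assumptions for illustration only.

```python
"""Tripwire-style file integrity check: build a checksum baseline, then compare (added example)."""
import hashlib
import os
import tempfile


def hash_file(path: str, algorithm: str = "sha256") -> str:
    """Return the hex digest of a file, read in chunks so large files are fine."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths, algorithm: str = "sha256") -> dict:
    """Map each monitored path to its checksum; this dict is the baseline database."""
    return {p: hash_file(p, algorithm) for p in paths}


def compare_to_baseline(baseline: dict, algorithm: str = "sha256") -> dict:
    """Re-hash every baselined path and classify it as modified, missing, or unchanged."""
    report = {"modified": [], "missing": [], "unchanged": []}
    for path, expected in sorted(baseline.items()):
        if not os.path.exists(path):
            report["missing"].append(path)
        elif hash_file(path, algorithm) != expected:
            report["modified"].append(path)
        else:
            report["unchanged"].append(path)
    return report


def demo() -> dict:
    """Create constructed sample files, baseline them, change them, and compare."""
    with tempfile.TemporaryDirectory() as d:
        bin_path = os.path.join(d, "login")          # assumed name of a monitored binary
        conf_path = os.path.join(d, "sshd_config")   # assumed name of a monitored config
        for p, data in ((bin_path, b"original binary"), (conf_path, b"PermitRootLogin no\n")):
            with open(p, "wb") as f:
                f.write(data)
        baseline = build_baseline([bin_path, conf_path])
        with open(bin_path, "wb") as f:   # simulate a replaced binary
            f.write(b"replaced binary")
        os.remove(conf_path)              # simulate a deleted config file
        report = compare_to_baseline(baseline)
        # Return basenames so the result does not depend on the temp dir name.
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    print(demo())
```

The baseline database itself is an asset: store it off-host or on read-only media, otherwise an intruder who can alter the monitored files can also rewrite the checksums they are compared against. The algorithm parameter accepts any hashlib name, so the same code runs with md5 or sha1 if you need to match an existing baseline, though sha256 is the sensible default for a new one.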
System Performance Metrics
• Server/computer system metrics
• Network activity metrics
System Resource CI
• Report the top resource users (examples: top, sysstat)
• CPU time usage
• Memory usage (example: free)
• Number of active processes (by all user-ids, including system ids)
• Number of active open files
• Number of files
• IO data transfer
• Disk space usage and free space
• IO transfer rate
• Other devices used by processes
• Login sessions
• Login attempts
Network Resource CI
• Connection attempts
• Connection duration
• Number of connections
• Source & destination of data packets
• Bandwidth usage (by user and total)
• Transfer rates
• Error counts
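Login attempts and connection sources are characterization information that only becomes useful once counted against an expected baseline. The following added Python example (not from the slides) parses constructed sshd-style syslog lines, tallies failed logins per source address and accepted logins per user, and raises an alert for any source that exceeds a documented baseline. The sample log lines, the hostname host1, and the baseline value of 2 are all assumptions.

```python
"""Characterize login attempts from constructed sshd-style log lines (added example)."""
import re
from collections import Counter

# Constructed sample lines in the common syslog format; not real data.
SAMPLE_LOG = """\
Mar  3 10:01:12 host1 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 10:01:15 host1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Mar  3 10:01:19 host1 sshd[2212]: Failed password for root from 203.0.113.7 port 51141 ssh2
Mar  3 10:02:01 host1 sshd[2220]: Accepted publickey for alice from 192.0.2.10 port 40012 ssh2
Mar  3 10:02:44 host1 sshd[2231]: Failed password for bob from 192.0.2.22 port 40100 ssh2
Mar  3 10:03:03 host1 sshd[2240]: Accepted password for bob from 192.0.2.22 port 40101 ssh2
"""

# "invalid user" appears when the account does not exist; the user name follows either way.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")


def characterize(log_text: str) -> dict:
    """Count failed logins per source address and accepted logins per user."""
    failures = Counter()
    accepted = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted[m.group(2)] += 1
    return {"failed_by_source": dict(failures), "accepted_by_user": dict(accepted)}


def alerts(ci: dict, baseline_max_failures: int = 2) -> list:
    """Return source addresses whose failure count exceeds the documented baseline."""
    return sorted(src for src, n in ci["failed_by_source"].items() if n > baseline_max_failures)


if __name__ == "__main__":
    ci = characterize(SAMPLE_LOG)
    print(ci)
    print("alert sources:", alerts(ci))
```

The threshold is deliberately a parameter: the slides on documentation say which events should produce an alert must be written down, and the baseline count is that documented value, not a number buried in code. Pointing characterize() at the real auth log under /var/log turns this into a passive IDS check that can be run from cron.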
E-mail CI
• Number of sent messages
• Number of received messages
• Mail message sizes
• Read/unread message count
• Consider logs of other possible communication devices like telephones and company-issued cell phones.
System Security Logging & Auditing Documentation
• Document the characterization information to collect: log files, network CI, computing system CI, etc.
• Document which events should produce an alert.
• Document system and application updates.
• Document roles and responsibilities of SA staff.
• Document a sustainability cycle.
• Document an intrusion detection response.
Intrusion Response Team
• Create a security response team.
• Document the responsibilities of the intrusion response team members.
• Document a contact list for the team.
• Update the documentation regularly (sustainability cycle).
• Document what to do in an emergency.