Security Technology: Intrusion Detection, Access Control and Other Security Tools. Chapter 7. Intrusion.
Intrusion
"Intrusion is a type of attack on information assets in which the instigator attempts to gain entry into a system or disrupt the normal operation of a system with, almost always, the intent to do malicious harm."
Definitions
• Intrusion prevention: activities that deter an intrusion
  • Writing & implementing a good enterprise information security policy
  • Planning & executing effective information security programs
  • Installing & testing technology-based countermeasures
  • Conducting & measuring the effectiveness of those measures
  • Employee training and awareness activities
• Intrusion detection: procedures and systems that identify system intrusions
• Intrusion correction:
  • Activities that finalize the restoration of operations to a normal state
  • Activities that seek to identify the source & method of the attack so it can be prevented in future
Intrusion Detection Systems
• Commercially available since the late 1990s
• Work like a burglar alarm: detect a violation and sound an alarm
• Extension – intrusion prevention systems, which both detect and prevent intrusions
• Generally accepted combination: intrusion detection and prevention system (IDPS)
IDPS Terminology
• Alarm or alert: indication that an attack is happening
• Evasion: the attacker changes the format and/or timing of activities to avoid being detected
• False attack stimulus: an event that triggers an alarm when no real attack is in progress
• False negative: failure of the IDPS to react to an attack
• False positive: an alarm activates in the absence of an actual attack
• Noise: alarm events that are accurate but do not pose threats
• Site policy: rules & configuration guidelines governing the implementation & operation of the IDPS
IDPS Terminology
• Site policy awareness: ability to dynamically modify configuration in response to environmental activity
• True attack stimulus: an event that triggers alarms during a real attack
• Tuning: adjusting an IDPS
• Confidence value: a measure of the IDPS's ability to correctly detect & identify types of attacks
• Alarm filtering: classification of IDPS alerts
• Alarm clustering and compaction: grouping almost identical alarms that happen at close to the same time
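Alarm clustering and compaction, as an added example that is not part of the original slides: near-identical alerts (same signature, source and destination) that arrive within a time window are collapsed into one record carrying a count, so an analyst sees one compacted alarm instead of a flood. The alert tuples, the 30-second window and the field names are constructed for this example.

```python
from dataclasses import dataclass

# Constructed sample alerts as (seconds, signature id, source, destination).
# Three SCAN-PORT alerts arrive within a few seconds; the same pattern recurs a minute later.
SAMPLE_ALERTS = [
    (1000.0, "SCAN-PORT", "10.0.0.5", "10.0.0.20"),
    (1001.5, "SCAN-PORT", "10.0.0.5", "10.0.0.20"),
    (1003.0, "SCAN-PORT", "10.0.0.5", "10.0.0.20"),
    (1004.0, "BRUTE-SSH", "10.0.0.7", "10.0.0.21"),
    (1060.0, "SCAN-PORT", "10.0.0.5", "10.0.0.20"),
    (1061.0, "BRUTE-SSH", "10.0.0.7", "10.0.0.21"),
]

@dataclass
class ClusteredAlarm:
    signature: str
    src: str
    dst: str
    first_seen: float
    last_seen: float
    count: int = 1

def cluster_alarms(alerts, window=30.0):
    """Compact alerts with the same (signature, src, dst) into one alarm while each
    new alert arrives within `window` seconds of the previous one in that cluster.
    A gap longer than the window closes the cluster and starts a fresh one."""
    open_clusters = {}   # (signature, src, dst) -> ClusteredAlarm still accepting alerts
    finished = []
    for ts, sig, src, dst in sorted(alerts):   # process in time order
        key = (sig, src, dst)
        cluster = open_clusters.get(key)
        if cluster is not None and ts - cluster.last_seen <= window:
            cluster.count += 1
            cluster.last_seen = ts
            continue
        if cluster is not None:               # gap exceeded the window: close it
            finished.append(cluster)
        open_clusters[key] = ClusteredAlarm(sig, src, dst, ts, ts)
    finished.extend(open_clusters.values())   # flush clusters still open at the end
    return sorted(finished, key=lambda c: c.first_seen)

def compaction_ratio(alerts, window=30.0):
    """Raw alert count divided by compacted alarm count (1.0 means nothing was merged)."""
    return len(alerts) / len(cluster_alarms(alerts, window))

if __name__ == "__main__":
    for alarm in cluster_alarms(SAMPLE_ALERTS):
        print(alarm)
```

Widening the window trades fewer alarms for a coarser picture: at 60 seconds the repeats a minute later merge into the first clusters as well.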
Why Use an IDS
• Prevent problem behaviors by increasing the perceived risk of discovery and punishment
• Detect attacks and other security violations
• Detect and deal with preambles to attacks
• Document the existing threat to an organization
• Act as quality control for security design & administration
• Provide useful information about intrusions that take place
Types of IDS
• Network-based: focused on protecting network information assets
• Wireless
• Network behavior analysis
• Host-based: focused on protecting the server's or host's information assets
Network-Based
• Resides on a computer or appliance connected to a segment of the organization's network
• Monitors network traffic on that segment, packet by packet
• Monitoring port (switched port analysis): sees all ingoing and outgoing traffic
• Looks for attack patterns: compares measured activity to known signatures
• Protocol verification – packet structure
• Application verification – packet use
Advantages and Disadvantages
• Advantages
  • Needs few devices to monitor a large network
  • Little or no disruption to normal operations
  • May not be detectable by attackers
• Disadvantages
  • Can be overwhelmed by network volume
  • Requires access to all traffic
  • Cannot analyze encrypted packets
  • Cannot ascertain whether an attack was successful
  • Some forms of attack are not easily discerned: fragmented packets, malformed packets
Wireless NIDPS
• Monitors and analyzes wireless network traffic
• Looks for potential problems with the wireless protocols (layers 2 and 3)
• Cannot evaluate & diagnose issues with higher-level layers
• Issues associated with implementation: physical security, sensor range, access point and wireless switch locations, wired network connections, cost
Wireless NIDPS
• Can detect conditions beyond those caught by traditional types of IDPS:
  • Unauthorized WLANs and WLAN devices
  • Poorly secured WLAN devices
  • Unusual usage patterns
  • The use of wireless network scanners
  • DoS attacks and conditions
  • Man-in-the-middle attacks
• Unable to detect passive wireless protocol attacks
• Susceptible to evasion techniques
• Susceptible to logical and physical attacks on the wireless access point
Host-Based
• Resides on a particular computer or server & monitors traffic only on that system
• Also known as system integrity verifiers
• Works on the principle of configuration and change management
• Classifies files into categories & applies various notification actions based on rules
• Maintains its own log file
• Can monitor multiple computers simultaneously
Advantages
• Reliable
• Can detect local events
• Operates on the host system, where encrypted files are already decrypted and available
• Not affected by the use of switched network protocols
• Can detect inconsistencies in how application and system programs were used
Disadvantages
• Poses more management issues: configured and maintained on each host
• Vulnerable both to direct attacks and to attacks against the host operating system
• Not optimized to detect multi-host scanning
Disadvantages
• Not able to detect scanning of non-host devices (routers and switches)
• Susceptible to denial-of-service attacks
• Can use large amounts of disk space for audit logs
• Can inflict a performance overhead on host systems
Application-Based
• Examines an application for abnormal events
• Looks for files created by the application
• Anomalous occurrences – a user exceeding authorization
• Tracks interaction between users and applications
• Able to trace specific activity back to an individual user
• Able to view encrypted data
• Can examine the encryption/decryption process
Advantages & Disadvantages
• Advantages
  • Aware of specific users
  • Able to operate on encrypted data
• Disadvantages
  • More susceptible to attack
  • Less capable of detecting software tampering
IDS Methodologies
• Types are determined by where the IDS is placed for monitoring purposes
• IDS methodologies are based on detection methods
• Two dominant methodologies:
  • Signature-based (knowledge-based)
  • Statistical-anomaly approach
Signature-Based
• Examines data traffic in search of patterns that match known signatures:
  • Footprinting and fingerprinting activities
  • Specific attack sequences
  • DoS
• Widely used
• Signature database must be continually updated
• Attack time-frame sometimes problematic: slow and methodical attacks may slip through
Statistical-Anomaly-Based
• Based on the frequency with which network activities take place
• Collects statistical summaries of "normal" traffic to form a baseline
• Measures current traffic against the baseline
• Traffic outside the baseline generates an alert
• Can detect new types of attacks
• Requires much more overhead and processing capacity
• May not detect minor changes to the baseline
Log File Monitors
• Similar to NIDS, but reviews logs
• Looks for patterns & signatures in log files
• Able to look at multiple log files from different systems
• Large storage requirement
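The signature-based and statistical-anomaly approaches from the two previous slides, applied to log lines the way a log file monitor would, as an added example that is not part of the original slides. Both detectors run over the same constructed traffic: a single known-bad line hidden inside normal volume is caught only by the signature match, and a burst of requests that matches no signature is caught only by the baseline comparison. The log format, signature patterns, addresses and the three-sigma threshold are constructed assumptions.

```python
import re
import statistics
from collections import Counter

# Constructed signature database: name -> pattern that a known attack leaves in a log line.
SIGNATURES = {
    "SSH-BRUTE-FORCE": re.compile(r"Failed password for \S+ from (\S+)"),
    "SSH-INVALID-USER": re.compile(r"Invalid user \S+ from (\S+)"),
}

def signature_alerts(lines):
    """Signature-based: every line matching a known pattern raises an alert, whatever the rate."""
    return [(name, line) for line in lines
            for name, pat in SIGNATURES.items() if pat.search(line)]

def per_minute_counts(lines):
    """Events per minute, keyed on the constructed 'YYYY-MM-DDTHH:MM' prefix of each line."""
    return Counter(line[:16] for line in lines)

def build_baseline(normal_lines):
    """Statistical baseline: mean and population std-dev of events per minute in known-good traffic."""
    counts = list(per_minute_counts(normal_lines).values())
    return statistics.mean(counts), statistics.pstdev(counts)

def anomaly_alerts(lines, baseline, k=3.0):
    """Anomaly-based: flag each minute whose event count exceeds mean + k * std-dev.
    Minutes only slightly above the baseline stay below the threshold and are missed."""
    mean, stdev = baseline
    threshold = mean + k * stdev
    return [(minute, n) for minute, n in sorted(per_minute_counts(lines).items()) if n > threshold]

def web_line(stamp, src="198.51.100.7", path="/index.html"):
    """One constructed web-server log line with a fixed date and the given HH:MM:SS stamp."""
    return f"2024-01-10T{stamp} {src} GET {path} 200"

# Constructed baseline traffic: 4, 5, 6 and 4 benign requests in four consecutive minutes.
NORMAL = [web_line(f"09:{m:02d}:{i:02d}") for m, n in enumerate((4, 5, 6, 4)) for i in range(n)]

# Constructed observed traffic: one brute-force line hidden in normal volume at 10:00,
# then 30 requests in one minute from a single source at 10:01 that match no signature.
OBSERVED = (
    [web_line(f"10:00:{i:02d}") for i in range(5)]
    + ["2024-01-10T10:00:30 203.0.113.9 Failed password for root from 203.0.113.9 port 5000"]
    + [web_line(f"10:01:{i:02d}", src="203.0.113.50", path="/api/export") for i in range(30)]
)

def run_both_detectors():
    """Return (signature alerts, anomaly alerts) for OBSERVED against the NORMAL baseline."""
    return signature_alerts(OBSERVED), anomaly_alerts(OBSERVED, build_baseline(NORMAL))
```

The 10:00 minute holds six events against a threshold of about 7.2, so the anomaly detector is silent there while the signature fires; the 10:01 burst is the reverse.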
Responses to IDS
• Vary according to organization policy, objectives, and system capabilities
• The administrator must be careful not to make the problem worse
• Responses are either active or passive
Which One?
• Consider the system environment
  • Technical specification of the systems environment
  • Technical specification of current security protections
  • Goals of the enterprise
  • Formality of the system environment and management culture
Which One?
• Consider security goals and objectives
  • Protecting from threats outside the organization?
  • Protecting against insiders?
  • Use the output of the IDS to determine new hardware/software needs
  • Maintain managerial control over non-security-related network usage
Which One?
• Security policy
  • Structure
  • Job descriptions of system users
  • Include a reasonable-use policy
  • What are you going to do if a violation occurs?
Which One?
• Organization requirements and constraints
  • Outside requirements
  • Resource constraints
  • Features and quality
  • Tested product
  • User level of expertise
  • Product support
Strengths of IDS
• Monitoring & analysis of system events & user behaviors
• Testing the security state of system configurations
• Baselining the security state of the system & tracking changes to the baseline
• Pattern recognition
• Auditing and logging
• Alerting
• Measuring performance
Limitations of IDS
An IDS cannot:
• Compensate for weak or missing security mechanisms
• Instantly detect or report attacks during heavy operations
• Detect newly published attacks
• Effectively respond to sophisticated attackers
• Automatically investigate attacks
• Keep attacks from circumventing it
• Deal effectively with switched networks
Control Strategies
• Centralized
• Partially distributed
• Fully distributed
Centralized
• All IDS control functions are implemented and managed in a centralized location
• One management system
• Advantages
  • Cost and control
  • Specialization
• Disadvantage
Fully Distributed
• Opposite of centralized
• All control functions are applied at the physical location of each IDS component
• Each sensor/agent is best configured to deal with its own environment
• Reaction to attacks is sped up
Partially Distributed Control
• Individual agents respond to local threats
• Report to a hierarchical central facility
• One of the more effective methods
Honey Pots / Honey Nets / Padded Cell Systems
• Honey Pots
  • Decoy systems
  • Lure potential attackers away from critical systems
  • Encourage attacks against themselves
• Honey Net
  • Collection of honey pots
  • Connects honey pots on a subnet
  • Contains pseudo-services that emulate well-known services
  • Filled with fictitious information
Honey Pots / Honey Nets / Padded Cell Systems
• Padded Cell
  • Protected honey pot
  • The IDS detects an attack and transfers the attacker to a simulated environment
  • Monitors the actions of the attacker
Trap and Trace Systems
• Detect an intrusion and trace the incident back to its source
• Consist of a honey pot or padded cell & an alarm
• Similar to the concept of caller ID
• Back-hack: considered unethical
• Legal drawbacks to trap and trace: enticement and entrapment
Scanning and Analysis Tools
• Help find vulnerabilities in systems, holes in security components, and unsecure aspects of the network
• Allow the system administrator to see what the attacker sees
• May run into problems with the ISP
• Port scanners – what is active on a computer
• Firewall analysis tools
• Operating system detection tools
• Vulnerability scanners
• Packet sniffers
Access Control Tools
• Authentication – validation of a user's identity
• Four general ways it is carried out:
  • What the user knows
  • What the user has
  • Who the user is
  • What the user produces