1 / 47

Intrusion Detection

Intrusion Detection. Chapter 12. Learning Objectives. Explain what intrusion detection systems are and identify some major characteristics of intrusion detection products Detail the differences between host-based and network-based intrusion detection

sitara
Download Presentation

Intrusion Detection

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Intrusion Detection Chapter 12

  2. Learning Objectives • Explain what intrusion detection systems are and identify some major characteristics of intrusion detection products • Detail the differences between host-based and network-based intrusion detection • Identify active detection and passive detection features of both host- and network-based IDS products continued…

  3. Learning Objectives • Explain what honeypots are and how they are employed to increase network security • Clarify the role of security incident response teams in the organization

  4. Intrusion Detection System (IDS) • Detects malicious activity in computer systems • Identifies and stops attacks in progress • Conducts forensic analysis once attack is over

  5. The Value of IDS • Monitors network resources to detect intrusions and attacks that were not stopped by preventative techniques (firewalls, packet-filtering routers, proxy servers) • Expands available options to manage risk from threats and vulnerabilities

  6. Negatives and Positives • IDS must correctly identify intrusions and attacks • True positives • True negatives • False negatives • IDS missed an attack • False positives • Benign activity reported as malicious

  7. Dealing with False Negatives and False Positives • False negatives • Obtain more coverage by using a combination of network-based and host-based IDS • Deploy NICS at multiple strategic locations in the network • False positives • Reduce number using the tuning process

  8. Types of IDS • Network-based (NIDS) • Monitors network traffic • Provides early warning system for attacks • Host-based (HIDS) • Monitors activity on host machine • Able to stop compromises while they are in progress

  9. Network-based IDS • Uses a dedicated platform for purpose of monitoring network activity • Analyzes all passing traffic • Sensors have two network connections • One operates in promiscuous mode to sniff passing traffic • An administrative NIC sends data such as alerts to a centralized management system • Most commonly employed form of IDS

  10. NIDS Monitoring and Management Interfaces

  11. NIDS Architecture • Place IDS sensors strategically to defend most valuable assets • Typical locations of IDS sensors • Just inside the firewall • On the DMZ • On the server farm segment • On network segments connecting mainframe or midrange hosts

  12. Connecting the Monitoring Interface • Using Switch Port Analyzer (SPAN) configurations, or similar switch features • Using hubs in conjunction with switches • Using taps in conjunction with switches

  13. SPAN • Allows traffic sent or received in one interface to be copied to another monitoring interface • Typically used for sniffers or NIDS sensors

  14. How SPAN Works

  15. Limitations of SPAN • Traffic between hosts on the same segment is not monitored; only traffic leaving the segment crosses the monitored link • Switch may offer limited number of SPAN ports or none at all

  16. Hub • Device for creating LANs that forward every packet received to every host on the LAN • Allows only a single port to be monitored

  17. Using a Hub in a Switched Infrastructure

  18. Tap • Fault-tolerant hub-like device used inline to provide IDS monitoring in switched network infrastructures

  19. NIDS Signature Types • Signature-based IDS • Port signature • Header signatures

  20. Network IDS Reactions • TCP resets • IP session logging • Shunning or blocking

  21. Host-based IDS • Primarily used to protect only critical servers • Software agent resides on the protected system • Detects intrusions by analyzing logs of operating systems and applications, resource utilization, and other system activity • Use of resources can have impact on system performance

  22. HIDS Method of Operation • Auditing logs (system logs, event logs, security logs, syslog) • Monitoring file checksums to identify changes • Elementary network-based signature techniques including port activity • Intercepting and evaluating requests by applications for system resources before they are processed • Monitoring of system processes for suspicious activity

  23. HIDS Software • Host wrappers • Inexpensive and deployable on all machines • Do not provide in-depth, active monitoring measures of agent-based HIDS products • Agent-based software • More suited for single purpose servers

  24. HIDS Active Monitoring Capabilities • Log the event • Alert the administrator • Terminate the user login • Disable the user account

  25. Advantages of Host-based IDS • Verifies success or failure of attack by reviewing HIDS log entries • Monitors use and system activities; useful in forensic analysis of the attack • Protects against attacks that are not network based • Reacts very quickly to intrusions continued…

  26. Advantages of Host-based IDS • Not reliant on particular network infrastructure; not limited by switched infrastructures • Installed on protected server itself; requires no additional hardware to deploy and no changes to network infrastructure

  27. Passive Detection Systems • Can take passive action (logging and alerting) when an attack is identified • Cannot take active actions to stop an attack in progress

  28. Active Detection Systems • Have logging, alerting, and recording features of passive IDS, with additional ability to take action against offending traffic • Options • IDS shunning or blocking • TCP reset • Used in networks where IDS administrator has carefully tuned the sensor’s behavior to minimize number of false positive alarms

  29. TCP Reset

  30. Signature-based andAnomaly-based IDS • Signature detections • Also know as misuse detection • IDS analyzes information it gathers and compares it to a database of known attacks, which are identified by their individual signatures • Anomaly detection • Baseline is defined to describe normal state of network or host • Any activity outside baseline is considered to be an attack

  31. Intrusion Detection Products • Aladdin Knowledge Systems • Entercept Security Technologies • Cisco Systems, Inc. • Computer Associates International Inc. • CyberSafe Corp. • Cylant Technology • Enterasys Networks Inc. • Internet Security Systems Inc. • Intrusion.com Inc. family of IDS products continued…

  32. Intrusion Detection Products • NFR Security • Network-1 Security Solutions • Raytheon Co. • Recourse Technologies • Sanctum Inc. • Snort • Sourcefire, Inc. • Symantec Corp. • TripWire Inc.

  33. Honeypots • False systems that lure intruders and gather information on methods and techniques they use to penetrate networks—by purposely becoming victims of their attacks • Simulate unsecured network services • Make forensic process easy for investigators

  34. Commercial Honeypots • ManTrap • Specter • Smoke Detector • NetFacade

  35. Open Source Honeypots • BackOfficer Friendly • BigEye • Deception Toolkit • LaBrea Tarpit • Honeyd • Honeynets • User Mode Linux

  36. Honeypot Deployment • Goal • Gather information on hacker techniques, methodology, and tools • Options • Conduct research into hacker methods • Detect attacker inside organization’s network perimeter

  37. Honeypot Design • Must attract, and avoid tipping off, the attacker • Must not become a staging ground for attacking other hosts inside or outside the firewall

  38. Honeypots, Ethics, and the Law • Nothing wrong with deceiving an attacker into thinking that he/she is penetrating an actual host • Honeypot does not convince one to attack it; it merely appears to be a vulnerable target • Doubtful that honeypots could be used as evidence in court

  39. Incident Response • Every IDS deployment should include two documents to answer “what now” questions • IDS monitoring policy and procedure • Incident response plan

  40. IDS Monitoring • Requires well-documented monitoring procedures that detail actions for specific alerts

  41. Information Security Incident Response Team (SIRT) • Responsible for assigning personnel to assemble resources required to handle security incidents

  42. Typical SIRT Objectives • Determine how incident happened • Establish process for avoiding further exploitations of the same vulnerability • Avoid escalation and further incidents • Assess impact and damage of the incident • Recover from the incident continued…

  43. Typical SIRT Objectives • Update procedures as needed • Determine who was responsible • Involve legal counsel and law enforcement officials, as appropriate

  44. Chapter Summary • Two major types of intrusion detection • Network-based IDS (monitor network traffic) • Host-based IDS (monitor activity on individual computers) • Honeypots • Incident response

More Related