1 Chapter 7 Intrusion Detection
2 Objectives
In this chapter, you will:
–Understand intrusion detection benefits and problems
–Learn about network intrusion detection
–Learn about host intrusion detection
–Recognize the importance of honeypots
–Learn how operators analyze and respond to events
4 Layered detection to proactively monitor networks and systems
–1st layer: Network monitoring
–2nd layer: System (host) monitoring
–3rd layer: Trending and analysis
–4th layer: Current news and information
5 Intrusion Detection Overview
Recording activity to provide another mechanism with monitoring
–IDS
–Network device logging (e.g., firewalls, routers, etc.)
–System logging
6 Intrusion Detection Overview
Distraction and setting traps to entice attackers for monitoring purposes
–Emulating OS or applications
–Delaying network responses
–Displaying deceptive error messages
–Restricting the number of connections
–Restricting the time allowed for connections
–Running all applications as a non-privileged user
7 Intrusion Detection Overview
False positives are the biggest problem for IDS
Some solutions include:
–Filtering
–Summation of events
–Rule modification
10 Network Intrusion Detection
Sensor placement
–Use multiple sensors
–Do not overwhelm sensors with traffic
–Place at every Internet access point
–Place at every extranet access point
–Place on both sides of a firewall
–Do not flood network with NIDS traffic
12 Network Intrusion Detection
Sensor deployment
1. Determine placement
2. Configure sensor
3. Place sensor on network
4. Upload latest signatures
5. Test sensor for a period of time
6. Place sensor in production
7. Continue to patch and update signatures
19 Honeypots
Various flavors:
–Secure system that alerts whenever security controls are bypassed
–Insecure system that alerts whenever activity takes place
–Emulates another OS
–Modifies network communication to trap or slow down attackers
20 Analyzing IDS Monitoring and Responding to Events
Operator must determine if event is a real threat:
–Understand network or system “personality”
–Correlate events
–Bring in analyst for further investigation
–Hand-off to incident management team
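Added example (not from the slides or any particular IDS product) showing how the three false-positive countermeasures from slide 7, filtering, summation of events and rule modification, reduce raw alerts to events an operator can correlate as on slide 20. The alert line format, the signature ids, the hosts and the authorized-scanner assumption are all constructed for this example.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample alert lines (not a real sensor's output format): an
# authorized scanner at 10.0.0.5 sweeping hosts, plus a real external source.
SAMPLE_ALERTS = """\
2024-05-01T10:00:01 sid=1000 msg="ICMP echo request" src=10.0.0.5 dst=10.0.1.7
2024-05-01T10:00:02 sid=1000 msg="ICMP echo request" src=10.0.0.5 dst=10.0.1.8
2024-05-01T10:00:03 sid=1000 msg="ICMP echo request" src=10.0.0.5 dst=10.0.1.9
2024-05-01T10:00:04 sid=2001 msg="SMB share enumeration" src=10.0.0.5 dst=10.0.1.7
2024-05-01T10:00:09 sid=2001 msg="SMB share enumeration" src=10.0.0.5 dst=10.0.1.8
2024-05-01T10:01:10 sid=3002 msg="HTTP suspicious user-agent" src=203.0.113.9 dst=10.0.1.7
2024-05-01T10:01:11 sid=3002 msg="HTTP suspicious user-agent" src=203.0.113.9 dst=10.0.1.7
2024-05-01T10:01:12 sid=3002 msg="HTTP suspicious user-agent" src=203.0.113.9 dst=10.0.1.7
"""

# Rule modification: the tuning table records which (sid, src) pairs are known
# benign (here the authorized scanner), so those rules are suppressed for that host only.
SUPPRESS = {("1000", "10.0.0.5"), ("2001", "10.0.0.5")}

def parse_alert(line: str) -> Dict[str, str]:
    """Parse one alert line into a dict; the timestamp is stored under 'ts'."""
    ts, rest = line.split(" ", 1)
    fields = re.findall(r'(\w+)=("[^"]*"|\S+)', rest)
    return {"ts": ts, **{k: v.strip('"') for k, v in fields}}

def filter_alerts(alerts: List[Dict[str, str]], suppress) -> List[Dict[str, str]]:
    """Filtering: drop alerts whose (sid, src) pair is in the suppression table."""
    return [a for a in alerts if (a["sid"], a["src"]) not in suppress]

def summarize(alerts: List[Dict[str, str]]) -> Dict[Tuple[str, str, str], int]:
    """Summation of events: collapse repeats into one count per (sid, src, dst)."""
    return dict(Counter((a["sid"], a["src"], a["dst"]) for a in alerts))

def triage(text: str, suppress=SUPPRESS) -> Dict[Tuple[str, str, str], int]:
    """Filter, then summarize, so the operator sees events rather than raw alerts."""
    alerts = [parse_alert(line) for line in text.splitlines() if line.strip()]
    return summarize(filter_alerts(alerts, suppress))

if __name__ == "__main__":
    for (sid, src, dst), n in triage(SAMPLE_ALERTS).items():
        print(f"sid={sid} {src} -> {dst}: {n} alerts collapsed into 1 event")
```

Eight raw alerts become one event for the operator to correlate; without the suppression table the same input yields six events, five of them from the scanner.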
21 Summary Network IDS provides the first layer in detective defenses by monitoring network activity. Host IDS and honeypots offer a second layer of defenses in monitoring the activity on the systems themselves. Data collection and analysis provide another layer to help organizations determine trending of attacks. Finally, current news provides organizations with critical information on newly discovered attacks.
22 Summary Intrusion detection systems can record malicious activity, distract attackers from real targets, and stall would-be attackers to buy response time. The single biggest problem with IDS technologies is the false positives generated. Using filtering, summarization, and rule modification, organizations can effectively lessen the number of false positives received. NIDS sensors are an essential part of intrusion detection because they can view all traffic on a particular network segment.
23 Summary HIDS sensors are useful for detecting attacks against a specific computer. Honeypots are extremely flexible and useful in watching attackers in action. Additionally, honeypots can distract attackers away from real data targets. Proper monitoring comprises two components of equal importance: intrusion detection devices and operators who are trained to analyze and respond to events.