Presentation is loading. Please wait.

Presentation is loading. Please wait.

1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate."— Presentation transcript:

1 1

2  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate the IDS policy 2

3  IDS location  Honey pots vs. IDS  IDS policy 3

4  NIDS  E.g. Snort or Cisco Secure IDS  Monitor network traffic or suspicious activity  Often reside on subnets that are directly connected to the firewall, as well as at critical points on the internal network  HIDS  E.g. Tripwire or ISS BlackICE  Resides on monitor individual hosts mms© 4

5  IDS  Like a burglar alarm system in the network. It detects and alerts on malicious events  Many different IDS sensors placed at strategic points in your network  Watch for predefined signatures of malicious events, and might perform statistical and anomaly analysis  When detects suspicious events,  it alerts in several different ways:  E.g. email, paging, or simply logging the occurrence  Reports to a central database that correlates their information to view the network from multiple points mms© 5

6 6

7  Depending upon your network topology  Depend upon what type of intrusion activities you want to detect – internal, external, or both  Depends on security policy mms© 7

8 Example scenario:  If you want to detect only external intrusion activities and have only 1 router connecting to the Internet Recommendation:  The best place for IDS may be just inside the router or a firewall  If you have multiple paths to the Internet, you may want to place one IDS box at every entry point  However, if you want to detect internal threats as well, you may want to place a box in every network segment. mms© 8

9 Typical locations for an IDS:  Behind each firewall and router  If your network contains a DMZ (demilitarized zone), IDS may be placed in that zone as well  However, alert generation policy should not be as strict in a DMZ compared to private parts of the network mms© 9

10 Consists of:  Snort  data is captured and analyzed  MySQL  DB based on captured data from Snort  Apache web server  Help from ACID, PHP, PHPLOT  Displays data in browser windows to user mms© 10

11 11 A user looking at intrusion data collected by Snort through web browser MySQL Database Apache web server with PHP, GD Library, and PHPLOT installed Snort server captures the intruder data and stores it in MySQL database using output plug-in Intruder tries to attack hosts present on this network mms©

12  You can build a single computer with Snort, MySQL, Apache, ACID, PHP, PHPLOT, and GD library 12 A user looking at intrusion data collected by Snort through web browser Intruder tries to attack hosts present on this network A computer with Snort, MySQL, Apache, ACID, PHPLOT, GD library installed

13  In the enterprise – have multiple Snort sensors behind every router or firewall.  In that case, can use a single centralized DB to collect data from all sensors  Can run Apache web server on this centralized DB server 13 mms©

14 14 mms© A user looking at intrusion data collected by Snort through web browser Network cloud Centralized DB server running MySQL, Apache, ACID, PHPLOT, GD library Snort sensor

15  Sniffer  Packet Logger  IDS  Free and Open Source IDS  Monitor network traffic  Scan for protocol anomalies  Scan for packet payload signatures that represent potential attacks, worms, and unusual activities  Monitoring consoles available  Can be configured as an IPS mms© 15

16 Previously logged network traffic Snort rules Network traffic log Alerts (file) Alerts (Database) Snort NIDS Live network traffic OR 16

17  Snort Tap Placement  Natural Choke Points  Areas where the network topology creates a single traffic path  Artificial Choke Points  Exist due to logical topology of the network  Intranet Trust/Un-trust Zone Boundaries  Similar to Natural Choke Points but are intra-network mms© 17

18 [!] [!]  Primarily a signature based detection engine  Example:  While indicative of attacks, leaks, and protocol violations, false positives are generated mms© 18

19 mms© Example 1: “log tcp traffic from any port going to ports less than or equal to 6000” log tcp any any -> 192.168.1.0/24 :6000 Example 2: RPC alert call alert tcp any any -> 192.168.1.0/24 111 (rpc: 100000, *,3; msg:RPC getport (TCP);) see Snort Users Manual for more information 19

20 mms© 20

21 mms© 21

22 mms© 22

23  BASE (Basic Analysis and Security Engine)  Number of unique alerts  Alerts ordered by category  Today’s alert  Most frequent src/dest ports mms© 23

24 24 mms©

25 25 mms©

26 26 mms©

27 27 mms©

28  ~ a system that is deliberately named and configured so as to invite attack  Goals:  Make it look inviting  Make it look weak and easy to crack  Instrument every piece of the system  Monitor all traffic going in or out  Alert administrator whenever someone accesses the system  Trivial honey pots can be built using tools like:  tcpwrapper  Restricted/logging shells (sudo, adminshell) 28 mms©

29  Pros:  Easy to implement  Easy to understand  Reliable  No performance cost  Cons:  Assumes hackers are really stupid – they aren’t! 29 mms©

30  When should you install:  …if your organization has enough resources (hardware and personnel) to track down hackers.  Otherwise, no need to install a honey pot, as you can’t use the data  A honey pot is useful only if you want to use the info gathered  Also if you want to prosecute hackers by gathering evidence of their activities 30 mms©

31  project.honeypot.org/  Honeyd: www.citi.umich.edu/u/provos/honeydwww.citi.umich.edu/u/provos/honeyd  South Florida Honeynet Project: www.sfhn.netwww.sfhn.net  etc… 31 mms©

32  Before you install an IDS on your network, you must have a policy:  To detect intruders and take action when you find such activity  A policy must dictate IDS rules and how they will be applied  Depending upon your requirements  Who will monitor the IDS  Who will administer the IDS, rotate logs and so on  Who will handle incidents and how  What will be the escalation process (level 1, level 2, and so on)  Reporting  Signature updates  Documentation is required for every project 32 mms©

33  Snort provides another tool in the toolkit and can help provide info about exactly who is talking to whom on the network  The usage of different types of IDS depends on the type of the user/organization  Different types of IDS has its own strengths and weaknesses  To position the IDS in the network depends on your network topology and the type of intrusion activities you want to detect  Based on the IDS policy you will get a clear idea on how many IDS sensors and other resources are required for your network 33

Download ppt "1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate."

Similar presentations

Intrusion Detection System(IDS) Overview Manglers Gopal Paliwal Gopal Paliwal Roshni Zawar Roshni Zawar SenthilRaja Velu SenthilRaja Velu Sreevathsa Sathyanarayana.

Intrusion Detection System(IDS) Overview Manglers Gopal Paliwal Gopal Paliwal Roshni Zawar Roshni Zawar SenthilRaja Velu SenthilRaja Velu Sreevathsa Sathyanarayana.
Intrusion Detection System Snort. What is Snort? Free and Open Source Intrusion Detection System Monitor network traffic Scan for protocol anomalies Scan.

Intrusion Detection System Snort. What is Snort? Free and Open Source Intrusion Detection System Monitor network traffic Scan for protocol anomalies Scan.
Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.

Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.
1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.

1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.
Intrusion Detection Systems By: William Pinkerton and Sean Burnside.

Intrusion Detection Systems By: William Pinkerton and Sean Burnside.
Snort: A Network Intrusion Detection Software Matt Gustafson Becky Smith CS691 Semester Project Spring 2003.

Snort: A Network Intrusion Detection Software Matt Gustafson Becky Smith CS691 Semester Project Spring 2003.
Chapter 10: Data Centre and Network Security Proxies and Gateways * Firewalls * Virtual Private Network (VPN) * Security issues * * * * Objectives:

Chapter 10: Data Centre and Network Security Proxies and Gateways * Firewalls * Virtual Private Network (VPN) * Security issues * * * * Objectives:
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
NETWORK SECURITY INTRUSION DETECTION SYSTEMS (IDS) KANDIAH.M Clarkson University, Potsdam, New York.

NETWORK SECURITY INTRUSION DETECTION SYSTEMS (IDS) KANDIAH.M Clarkson University, Potsdam, New York.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.

Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Intrusion Detection CS-480b Dick Steflik. Hacking Attempts IP Address Scans scan the range of addresses looking for hosts (ping scan) Port Scans scan.

Intrusion Detection CS-480b Dick Steflik. Hacking Attempts IP Address Scans scan the range of addresses looking for hosts (ping scan) Port Scans scan.
Information Networking Security and Assurance Lab National Chung Cheng University Analysis Console for Intrusion Databases.

Information Networking Security and Assurance Lab National Chung Cheng University Analysis Console for Intrusion Databases.
John Felber.  Sources  What is an Intrusion Detection System  Types of Intrusion Detection Systems  How an IDS Works  Detection Methods  Issues.

John Felber.  Sources  What is an Intrusion Detection System  Types of Intrusion Detection Systems  How an IDS Works  Detection Methods  Issues.
By Edith Butler Fall 2008. Our Security Ways we protect our valuables: Locks Security Alarm Video Surveillance, etc.

By Edith Butler Fall Our Security Ways we protect our valuables: Locks Security Alarm Video Surveillance, etc.
Host Intrusion Prevention Systems & Beyond

Host Intrusion Prevention Systems & Beyond
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)

Similar presentations

Ads by Google