1 Intrusion Detection/Prevention Systems
Charles Poff, BearingPoint

2 Intrusion Detection Systems
Intrusion Detection System (IDS)
–Passive
–Hardware/software based
–Uses attack signatures
–Configuration: SPAN/mirror ports
–Generates alerts (email, pager)
–After-the-fact response

3 Intrusion Prevention Systems
Intrusion Prevention System (IPS)
–Also called Network Defense Systems (NDS)
–Inline & active
–Hardware/software based
–Uses attack signatures
–Configuration: inline, with fail-over features
–Generates alerts (email, pager)
–Real-time response

4 IDS vs. IPS
IPS evolved from IDS
Need to stop attacks in real time
After-the-fact detection of attacks has lesser value
IDS is cheaper
–Several open-source IDS/IPS
–Software based
IPS = EXPENSIVE
–Hardware based (ASIC & FPGA)

5 Detection Capabilities
Signatures
–Based on current exploits (worms, viruses)
–Detect malware, spyware and other malicious programs
–Bad traffic detection, traffic normalization
Anomaly Detection
–Analyzes TCP/IP parameters
–Normalization
–Fragmentation/reassembly
–Header & checksum problems
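To make the two detection capabilities on this slide concrete, here is an added example (not code from the slides or from any product named on them) of a minimal inspector that applies both: a header-sanity stage (IPv4 checksum, length, invalid TCP flag combinations) of the kind a normalizer performs, and a content-signature stage. The packets, the signature list and the alert names are constructed for the example.

```python
import socket
import struct

# Constructed signature rules, Snort-like in spirit: (name, destination port, byte content)
SIGNATURES = [
    ("web-shell-cmd", 80, b"/bin/sh"),
    ("sqli-probe", 80, b"' OR 1=1"),
]

# TCP flag bits
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def ones_complement_sum(data: bytes) -> int:
    """One's-complement checksum as used for the IPv4 header.
    Over a header whose checksum field is already filled in, a valid header yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src, dst, dport, flags, payload, ttl=64, corrupt_checksum=False):
    """Build a raw IPv4+TCP packet for the sample traffic (constructed; TCP checksum left zero)."""
    total_len = 40 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    csum = ones_complement_sum(ip)
    if corrupt_checksum:
        csum ^= 0x00FF  # deliberately wrong, to exercise the anomaly check
    ip = ip[:10] + struct.pack("!H", csum) + ip[12:]
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp + payload


def inspect_packet(raw: bytes) -> list:
    """Return the alert names raised for one packet: anomaly checks first, then signatures."""
    alerts = []
    ver_ihl, _, total_len, _, _, ttl, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        return ["anomaly:bad-ip-header"]      # nothing further can be trusted
    if ones_complement_sum(raw[:ihl]) != 0:
        alerts.append("anomaly:bad-ip-checksum")
    if total_len != len(raw):
        alerts.append("anomaly:length-mismatch")
    if ttl == 0:
        alerts.append("anomaly:ttl-zero")
    if proto != 6:
        return alerts                          # only TCP is modelled here
    _, dport, _, _, off, flags, _, _, _ = struct.unpack("!HHIIBBHHH", raw[ihl:ihl + 20])
    # Flag combinations that never occur in legitimate TCP (classic "bad traffic" checks)
    if flags & SYN and flags & FIN:
        alerts.append("anomaly:syn-fin")
    if flags == 0:
        alerts.append("anomaly:null-flags")
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG) and not flags & (SYN | ACK):
        alerts.append("anomaly:xmas-flags")
    payload = raw[ihl + (off >> 4) * 4:]
    for name, port, content in SIGNATURES:
        if dport == port and content in payload:
            alerts.append("sig:" + name)
    return alerts


if __name__ == "__main__":
    # Constructed sample traffic: one benign request, one SQL-injection probe, one SYN+FIN packet
    for label, pkt in [
        ("benign", build_packet("10.0.0.5", "10.0.0.80", 80, PSH | ACK, b"GET / HTTP/1.1\r\n")),
        ("sqli", build_packet("10.0.0.5", "10.0.0.80", 80, PSH | ACK, b"GET /?id=' OR 1=1-- HTTP/1.1\r\n")),
        ("syn-fin", build_packet("10.0.0.5", "10.0.0.80", 22, SYN | FIN, b"")),
    ]:
        print(label, inspect_packet(pkt))
```

The ordering matters in a real sensor as well: header anomalies are checked before content, because a packet the end host would discard (bad checksum, impossible flags) should not be allowed to feed bytes into the signature engine.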

6 Evasion Techniques
Encryption
–IPSec, SSH, Blowfish, SSL, etc.
–Placement of IPS sensors is crucial; poor placement leads to architectural problems and a false sense of security
–Encryption key exchange: IPS sensors can usually detect/see encryption key exchanges
–IPS sensors can usually detect unknown protocols

7 Evasion Techniques (cont.)
–Packet fragmentation
Reassembly – 1.) out of order, 2.) storage of fragments (D.o.S)
Overlapping – different-size packets arrive out of order and in overlapping positions; newly arrived packets can overwrite older data.
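The three reassembly problems on this slide (out-of-order arrival, fragment storage exhaustion, and overlapping fragments that overwrite older data) are easiest to see in a small reassembler. The following is an added example, not code from the slides or from any vendor named on them: the class, flow ids, alert strings and the fragment stream are all constructed. It reassembles one flow under either of two host policies ("favor_old": first data written wins; "favor_new": the newest fragment overwrites), caps the fragments it will buffer so an unfinished flow cannot consume unbounded memory, and raises an alert whenever an overlapping fragment carries data that conflicts with what was already buffered, since that conflict is the signal a sensor should act on regardless of which policy the protected host uses.

```python
from collections import OrderedDict


class FragmentReassembler:
    """Buffers fragments per flow and reassembles them under a chosen overlap policy."""

    def __init__(self, policy="favor_new", max_fragments_per_flow=32, max_flows=1024):
        assert policy in ("favor_new", "favor_old")
        self.policy = policy
        self.max_fragments_per_flow = max_fragments_per_flow
        self.max_flows = max_flows
        self.flows = OrderedDict()   # flow_id -> list of (offset, data, is_last) in arrival order
        self.alerts = []

    def add(self, flow_id, offset, data, is_last=False):
        """Buffer one fragment; return the reassembled payload once the flow is complete, else None."""
        if flow_id not in self.flows:
            if len(self.flows) >= self.max_flows:
                # Storage defence: evict the oldest incomplete flow rather than grow without bound
                evicted, _ = self.flows.popitem(last=False)
                self.alerts.append(f"frag-table-full:evicted {evicted}")
            self.flows[flow_id] = []
        frags = self.flows[flow_id]
        if len(frags) >= self.max_fragments_per_flow:
            # Per-flow cap against a flood of fragments that never completes (the D.o.S case)
            del self.flows[flow_id]
            self.alerts.append(f"too-many-fragments:{flow_id}")
            return None
        self._check_conflict(flow_id, frags, offset, data)
        frags.append((offset, data, is_last))
        return self._assemble(flow_id)

    def _check_conflict(self, flow_id, frags, offset, data):
        """Alert when a new fragment overlaps buffered data with different bytes."""
        for off, old, _ in frags:
            lo, hi = max(off, offset), min(off + len(old), offset + len(data))
            if lo < hi and old[lo - off:hi - off] != data[lo - offset:hi - offset]:
                self.alerts.append(f"overlap-conflict:{flow_id}@{lo}-{hi}")
                return

    def _assemble(self, flow_id):
        frags = self.flows[flow_id]
        ends = [off + len(d) for off, d, last in frags if last]
        if not ends:
            return None                      # final fragment not seen yet
        total = ends[0]
        buf, have = bytearray(total), [False] * total
        for off, data, _ in frags:           # arrival order decides who wins an overlap
            for i, byte in enumerate(data):
                pos = off + i
                if pos >= total:
                    break                    # data past the declared end is discarded
                if self.policy == "favor_new" or not have[pos]:
                    buf[pos] = byte
                    have[pos] = True
        if not all(have):
            return None                      # a hole remains; keep waiting
        del self.flows[flow_id]
        return bytes(buf)


# Constructed fragment stream: arrives out of order, and two fragments cover the same
# byte range (offset 11) with different contents.
FRAGMENTS = [
    (11, b"report.txt", False),
    (0, b"GET /files/", False),
    (11, b"../../etc/", False),
    (21, b" HTTP/1.0\n", True),
]


def reassemble_with(policy):
    """Feed the sample stream through a reassembler; return (payload, alerts)."""
    r = FragmentReassembler(policy)
    result = None
    for off, data, last in FRAGMENTS:
        out = r.add("flow-1", off, data, last)
        if out is not None:
            result = out
    return result, r.alerts


if __name__ == "__main__":
    for policy in ("favor_old", "favor_new"):
        payload, alerts = reassemble_with(policy)
        print(policy, payload, alerts)
```

The same four fragments reassemble to two different requests depending on the policy, which is why a sensor that reassembles differently from the host it protects can be made to inspect a different payload than the host executes. The conflict alert fires under both policies, so the practical mitigation is to alert on (or drop) inconsistent overlaps at the sensor and, where the product supports it, configure the reassembly policy to match the operating systems behind it.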

8 Evasion Techniques (cont.)
Zero-day exploits (XSS, SQL injection)
–Not caught by signatures
–Not detected by normalization triggers
–Specific to custom applications/DBs
Social engineering
–Verbal communication
–Malicious access via legitimate credentials
Poor configuration management
–Misconfigurations allow simple access that is not detected
–Increases attack vectors

9 Vendors
Open Source
–SNORT (IDS/IPS) – my favorite
–Prelude (IDS)
–HoneyNet (honeypot/IDS)
Commercial
–TippingPoint
–Internet Security Systems
–Juniper
–RadWare
–Mirage Networks

10 Tools of the Trade
Fuzzers – SPIKE, WebScarab, ADMmutate, ISIC, Burp Suite
Scanners – Nessus, NMAP, Nikto, Whisker
Fragmentation – ADMmutate, Fragroute, Fragrouter, ettercap, dSniff
Sniffers – ethereal, dSniff, ettercap, TCPDump
Web Sites – – –

11 Future of IDS/IPS
Many security appliances consolidating into ONE
–IDS/IPS, spam, AV, content filtering
IDS will continue to lose market share
IPS, including malware, spyware and AV protection, is gaining market share
Security awareness is increasing
Attacks are getting more sophisticated
–Worms, XSS, SQL injection, etc.

12 Your Organization
What's protecting your organization?
Future plans?
Products and vendors?
Evolution of security infrastructure

13 Questions & comments

