Presentation is loading. Please wait.

Presentation is loading. Please wait.

Guide to Network Defense and Countermeasures

Published byAntony Blankenship Modified over 8 years ago

Similar presentations

Presentation on theme: "Guide to Network Defense and Countermeasures"— Presentation transcript:

1 Guide to Network Defense and Countermeasures
Chapter 8

2 Chapter 8 - Intrusion Detection: An Overview
Describe intrusion detection system components Follow the intrusion detection process step-by-step Understand options for configuring intrusion detection systems Know the issues involved in choosing an intrusion detection system

3 Intrusion Detection System Components
Intrusion detection systems, in an overall network defense configuration, involve three core functions: Intrusion prevention, or stopping intrusions at the edge of the network; firewalls perform this function Intrusion detection, or checking for security breaches on a network; intrusion detection systems (IDSs) perform this function Intrusion response, or swift, safe, and purposeful reaction to an intrusion; network administrators perform this function

4

5 Intrusion Detection System Components
Network sensor: Sensors are the electronic eyes of an IDS; they monitor in- and outbound network traffic in real time When sensors detect suspicious events, an alarm is triggered; attacks are either single-session, in which the intruder makes a single isolated attempt to gain network access, or they are multiple-session, in which the intruder makes many attempts, over time, to gain network access (port/network scans) Place sensors at common entry points, such as: gateways; LAN connections; remote access servers; and at VPN devices

6

7

8 Intrusion Detection System Components
Alert systems: An IDS sounds or sends an alert when it encounters packets or traffic patterns that seem suspicious To respond to such events, the IDS uses a trigger, a set of conditions that cause an alert to be sent; alerts result from two types of triggers, anomaly detection (an unsuspected event) and misuse detection (recognition of a known attack) Alert messages come as pop-up windows, messages, sounds, pager messages, or as any combination of these forms

9 Intrusion Detection System Components
Alert systems (cont.): An anomaly detection system requires the use of profiles for each authorized user or group; the profile describes user normal network access Effective anomaly detection depends on the accuracy of the profiles created for the IDS Misuse detection triggers alarms based on the characteristic signatures of known attacks Misuse detection has a jumpstart in that IDSs come with a set of signatures; attack signatures not in the initial list need to be added periodically

10

11 Intrusion Detection System Components
Command console: A command console is software that provides a network administrator with a graphical front-end interface to the IDS; administrators receive/analyze alert messages and manage log files at consoles Response system: Some of the more sophisticated IDS devices can be set up to take countermeasures when intrusions are detected; however, this is not a substitute for the judgement of a network administrator in the determination of appropriate countermeasures

12

13 Intrusion Detection System Components
Database of attack signatures or behaviors: Misuse-based systems call upon a database of known attack signatures in order to have a source of information against which they can compare traffic The key with attack signature databases is that they are kept up-to-date; the SecurityFocus online database of known vulnerabilities is frequently updated, and can be searched for attack data Anomaly detection can make use of “normal traffic” databases against which network traffic is compared; SecurVantage 3.0 is such a database

14

15 Intrusion Detection Step-by-Step
The process of network intrusion detection can be broken into seven general steps that apply to virtually all IDS systems Step 1: Installing signature and profile databases, along with the IDS hardware and software itself Step 2: Gather data by allowing network sensors to read and monitor every network packet Step 3: Sending alert messages when the sensor determines that a packet matches an attack signature or deviates from normal network usage

16

17 Intrusion Detection Step-by-Step
The intrusion detection process (cont.): Step 4: The IDS responds if it is configured to take action at the same time a suspicious packet is received and an alert message sent; actions include sending an alarm to the console, dropping the packet without notifying sender, and resetting TCP traffic by stopping and restarting network traffic Step 5: The administrator assesses damage by examining the alert; false alarms may mean that the database needs to be fine tuned; incidents that should cause alarms, but don’t, must be considered

18

19 Intrusion Detection Step-by-Step
The intrusion detection process (cont.): Step 6: Pursuing escalation procedures if necessary, where a predetermined set of procedures is followed if an attack is detected; attacks are often classified based on their severity, level one being the lowest, level three the highest Step 7: Logging and reviewing the event enables an administrator to determine if this was a single-session attack, or whether patterns of misuse have been occurring such as they do in multiple-session attacks

20

21

22 Options for Implementing an IDS
Network-based IDS (NIDS): A NIDS is a set of components that includes a command console and sensors positioned at the network perimeter where they monitor/sniff traffic Three common locations for NIDS sensors are behind the firewall and before the LAN, between the firewall and the DMZ, or on any network segment A NIDS typically has its primary management and analysis software installed on a dedicated computer NIDS must keep up with a large volume of traffic, and they must respond quickly to detected packets

23

24 Options for Implementing an IDS
Host-based IDS (HIDS): A HIDS is deployed on each host in the LAN that is protected by the firewall; packets generated by the host itself are monitored and evaluated by the HIDS The HIDS gathers system variables such as system processes, CPU usage, and file access; system events that match signatures of known attacks reach the IDS on the host, which sends an alert A HIDS does not sniff packets like a NIDS; instead, it monitors log file entries and user activity

25 Options for Implementing an IDS
HIDS (cont.): A HIDS can have a centralized or distributed configuration; if centralized, the HIDS sends all gathered data to a central location (command console) for analysis; if distributed, the data analysis is distributed among the individual hosts Host computer performance requirements are minimal on a centralized configuration, but must be well equipped for distributed configuration use A HIDS can inform if host attack attempts were successful; A HIDS cannot detect a network-wide intrusion attempt

26

27

28 Options for Implementing an IDS
Hybrid IDS implementations: A hybrid IDS increases flexibility and security by combining the functionality from multiple systems One type of hybrid combines host- and network-based systems; this enables positioning of sensors on network segments and on individual hosts; this system responds to both network and host attacks Another hybrid type combines anomaly and misuse detection; this has the ability to detect internal use that deviates from normal usage patterns and has a database of well-known attacks; this system responds to both internal and external attacks

29 Options for Implementing an IDS
Hybrid IDS implementations (cont.): A shim IDS is a type of NIDS, but the sensors are installed in selected hosts and network segments A distributed IDS, or a DID, is a system where multiple IDSs are deployed to monitor traffic and report suspicious events; administrators are better able to assess developing patterns and distinguish between harmless anomalies and genuine attacks A key advantage of hybrid IDS systems is being able to monitor the network as a whole; drawbacks include getting disparate systems to work together, and the data gathered can be difficult to analyze

30

31 Evaluating an IDS The first step in evaluating an IDS, is to review the topology of the network to protect Pay particular attention to those parts of the network that have direct interaction with the IDS, such as, the number of network entry points, the use of firewalls, the segmenting of the network The next step involves choosing the best IDS type for meeting network security needs The freeware NIDS, Snort, is ideal for monitoring traffic on a small network or an individual host

32

33 Evaluating an IDS Choosing an IDS (cont.):
The commercial HIDS, Norton Internet Security, is designed for home-based standalone computer, or a computer on a small network; it also contains a limited number of intrusion detection features The anomaly-based IDS, Tripwire, has long been one of the most highly regarded software IDS packages; after establishing a baseline for normal usage, any configuration changes trigger an alert; Tripwire is excellent for situations in which employee activity needs to be closely monitored

34 Evaluating an IDS Choosing an IDS (cont.):
The network-based IDS, RealSecure, is one of the most comprehensive and widely used IDS products; RealSecure makes use of a distributed client-server architecture; it can be implemented as a hybrid IDS with multiple RealSecure Sensor products to scan network and host traffic IDS hardware appliances have a greater ability to handle network traffic and scalability than software IDS packages; a big advantages of hardware devices is the plug-and-play capability; as well, hardware appliances do need periodic updates

35 Evaluating an IDS Choosing an IDS (cont.):
The signature-based IDS, Cisco Secure IDS, draws on a database of attack signatures to detect intrusion attempts; the signatures available to the system are broken into various types of of network traffic (IP, ICMP, TCP, UDP, Web/HTTP, string-matching, etc.); this NIDS makes use of sensors and it also watches for patterns of attacks as it monitors network traffic

36 Chapter Summary This chapter presented an overview of intrusion detection systems (IDSs), which provide a supplementary line of defense behind firewalls and anti-virus software. Some IDSs go beyond simply transmitting alarms, they reset TCP communications, block selected IP addresses, and provide evidence used in disciplinary actions or used to prevent attacks

37 Chapter Summary Some IDS systems consist of software programs and others combine hardware devices, but they all use similar elements. A network sensor should be placed at the openings to the network and individual network segments. Alert messages are sent from triggers, which can result from anomaly detection or misuse detection, or a combination of both. The alert message is sent to a command console, which provides the administrator with a single interface to the data gathered by the IDS. A response system built into the IDS instructs it to drop packets or reset traffic if attacks are detected. In order to remain accurate and avoid false alarms, the database of signatures or user profiles must remain current

38 Chapter Summary The step-by-step intrusion detection process begins with the installation of a set of attack signatures (for misuse detection) or normal network usage profiles (for anomaly detection). Next, the sensors monitor packets. Alert messages are sent when a packet matches an attack signature or deviates from normal network usage. An alert message is transmitted to the command console. In addition, the IDS can also respond by dropping the packets or resetting a connection. False alarms are likely and will require the system to be fine-tuned to allow legitimate traffic to pass through without an alarm. If the intrusion is found to be an attack, escalation procedures should be pursued. The IDS also logs each alarmed event so it can be reviewed later on. Exporting the data to a database for analysis can reveal the real nature and intent of attacks

39 Chapter Summary Next, the IDS is implemented. A network-based intrusion detection system (NIDS) uses sensors positioned around the perimeter of the network or of network segments. A host-based intrusion detection system (HIDS) uses sensors that are deployed on each host that needs to be protected. A HIDS uses data generated by each host. A hybrid IDS combines the functionality of a NIDS and a HIDS. It can also combine anomaly- and misuse-based detection. A shim IDS makes use of sensors installed both on network segments and hosts. A distributed IDS collects data gathered from multiple IDSs and firewall logs in order to analyze data across a wide area

40 Chapter Summary Different types if IDSs exist. In the freeware and shareware category, the best known program is called Snort, which makes use of a set of predetermined rules and that is designed to monitor traffic on a small-scale network. Commercial firewall programs such as Norton Internet Security include limited sets of IDS features. Anomaly-based systems like the highly regarded Tripwire for Network Devices establish a baseline for normal network usage. RealSecure is a network-based IDS that makes use of one or more network sensors and a command console.

41 Chapter Summary Hardware appliances can handle a higher traffic load than software programs and offer plug-and-play functionality. The Cisco Secure IDS system draws on the database of attack signatures, but also monitors suspicious traffic patterns, much like a firewall

Download ppt "Guide to Network Defense and Countermeasures"

Similar presentations

Guide to Network Defense and Countermeasures Third Edition

Guide to Network Defense and Countermeasures Third Edition
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.

1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.
Chapter 10: Data Centre and Network Security Proxies and Gateways * Firewalls * Virtual Private Network (VPN) * Security issues * * * * Objectives:

Chapter 10: Data Centre and Network Security Proxies and Gateways * Firewalls * Virtual Private Network (VPN) * Security issues * * * * Objectives:
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
Firewall Configuration Strategies

Firewall Configuration Strategies
1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.

1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Intrusion Detection MIS.5213.011 ALTER 0A234 Lecture 3.

Intrusion Detection MIS ALTER 0A234 Lecture 3.
John Felber.  Sources  What is an Intrusion Detection System  Types of Intrusion Detection Systems  How an IDS Works  Detection Methods  Issues.

John Felber.  Sources  What is an Intrusion Detection System  Types of Intrusion Detection Systems  How an IDS Works  Detection Methods  Issues.
By Edith Butler Fall 2008. Our Security Ways we protect our valuables: Locks Security Alarm Video Surveillance, etc.

By Edith Butler Fall Our Security Ways we protect our valuables: Locks Security Alarm Video Surveillance, etc.
Host Intrusion Prevention Systems & Beyond

Host Intrusion Prevention Systems & Beyond
Intrusion Detection Systems CS391. Overview  Define the types of Intrusion Detection Systems (IDS).  Set up an IDS.  Manage an IDS.  Understand intrusion.

Intrusion Detection Systems CS391. Overview  Define the types of Intrusion Detection Systems (IDS).  Set up an IDS.  Manage an IDS.  Understand intrusion.

Similar presentations

Ads by Google