Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.


Lesson 13-Intrusion Detection

Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Overview
Intrusion detection is a reactive concept that tries to identify a hacker when they attempt a penetration. Intrusion detection can also assist in the proactive identification of active threats. It provides indications and warnings that a threat is gathering information for an attack.

Overview
Night watchmen and guard dogs are forms of IDS. They serve two purposes: they provide a means of identifying that something bad is happening, while deterring the perpetrator.

Define the types of Intrusion Detection Systems
There are two primary types of IDS:
- Host-based
- Network-based

Host-Based IDS
A Host-based Intrusion Detection System (HIDS) resides on a particular host and looks out for indications of attacks on that host. HIDS is a system of sensors that are loaded onto various servers within an organization. They are controlled by some central manager.

Host-Based IDS
The sensors can:
- Look for various types of events.
- Take action on the particular server.
- Send out a notification.

Host-based IDS
There are five basic types of HIDS sensors:
- Log analyzers
- Signature-based sensors
- System call analyzers
- Application behavior analyzers
- File integrity checkers

Host-based IDS
Log analyzers are reactive in nature and look for events that may be a security breach. They are particularly adapted to track authorized users.
Signature-based sensors compare incoming traffic to a built-in signature. They are also reactive in nature and may be used to track authorized users.

Host-based IDS
System call analyzers sit between the OS and the applications to analyze calls being sent. They compare the calls to a database of signatures.
Application behavior analyzers sit between the OS and the applications and examine calls to check for authorization.
File integrity checkers look for changes in files, typically through checksums or digital signatures.

Network-based IDS
A NIDS resides on a separate system that watches network traffic, looking for indications of attacks that traverse the network. A NIDS places the Network Interface Card (NIC) on the system into promiscuous mode to pass traffic to the NIDS software for analysis. NIDS are primarily signature-based.

Network-based IDS
NIDS systems have two NICs: one is configured in stealth mode to monitor the network and the second is used to send alarms.
The advantages of using a NIDS are the following:
- It can be hidden on the network.
- It can capture the contents of all packets traveling to a target system.
- It monitors traffic for a large number of systems.

Network-based IDS
The disadvantages of using a NIDS are as follows:
- It will only alarm if traffic matches a preconfigured rule.
- It can miss traffic of interest because of high bandwidth usage.
- It cannot determine if an attack was successful.
- It cannot examine encrypted traffic.
- Switched networks require special configuration.
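The signature-based matching that a NIDS performs, reduced to its core, as an added example rather than code from the lesson or from any particular IDS product. The Packet and Signature types, the signature list and the sample packets are all constructed here; the point is to show both that a rule fires only when traffic matches a preconfigured pattern and that the same pattern inside an encrypted (TLS) payload is invisible to the sensor.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    """Minimal view of a captured packet (constructed for this example)."""
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    payload: bytes


@dataclass
class Signature:
    """One detection rule: protocol, destination port and a payload pattern."""
    name: str
    proto: str
    dport: int
    content: bytes  # byte sequence that must appear somewhere in the payload


# Illustrative rule set (constructed). Real rule languages add offsets,
# flow state and regular expressions, but the matching idea is the same.
SIGNATURES = [
    Signature("HTTP directory traversal attempt", "tcp", 80, b"../.."),
    Signature("Cleartext telnet login prompt", "tcp", 23, b"login:"),
    Signature("Cleartext FTP password", "tcp", 21, b"PASS "),
]


def matches(sig, pkt):
    """True when the packet satisfies every field of the signature."""
    return (sig.proto == pkt.proto
            and sig.dport == pkt.dport
            and sig.content in pkt.payload)


def inspect_packets(packets, signatures=SIGNATURES):
    """Return (rule name, src, dst) for each packet that trips a rule."""
    alerts = []
    for pkt in packets:
        for sig in signatures:
            if matches(sig, pkt):
                alerts.append((sig.name, pkt.src, pkt.dst))
    return alerts


def demo():
    """Constructed sample traffic as the sensor would see it in promiscuous mode."""
    packets = [
        # Ordinary request: matches nothing.
        Packet("10.0.0.5", "10.0.0.20", "tcp", 80,
               b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
        # Cleartext request containing the traversal pattern: rule fires.
        Packet("10.0.0.7", "10.0.0.20", "tcp", 80,
               b"GET /../../etc/passwd HTTP/1.1\r\nHost: www\r\n\r\n"),
        # The same kind of request over TLS: the sensor sees only the record
        # header and ciphertext, so no payload rule can match.
        Packet("10.0.0.7", "10.0.0.20", "tcp", 443,
               b"\x17\x03\x03\x00\x2a\x8f\x1c\x7e\xa3\x09\xd4\x51\x6b\x20\x77"),
        # Telnet banner: rule fires (cleartext administration protocol in use).
        Packet("10.0.0.9", "10.0.0.21", "tcp", 23, b"\xff\xfd\x18login: "),
    ]
    return inspect_packets(packets)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Note that the sensor reports that a pattern was seen, not that the request succeeded; confirming impact requires host logs or a HIDS, which is the "cannot determine if an attack was successful" limitation above.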

Set up an IDS
The effective use of an IDS must include the proper planning and involvement of executive management. The steps for creating an IDS implementation are:
- Define the goals of the IDS.
- Choose what to monitor.
- Choose the response.
- Set thresholds.
- Implement the policy.

Defining the Goals of the IDS
The goals of the IDS provide the requirements for the IDS policy. Potential goals include the following:
- Detection of attacks.
- Prevention of attacks.
- Detection of policy violations.
- Enforcement of use policies.
- Enforcement of connection policies.
- Collection of evidence.

Choosing What to Monitor
The choice of what an IDS should monitor is governed by the goals of the IDS and the environment in which the IDS will function. The choice of what an IDS should monitor governs the placement of sensors, as they must be able to see the events of interest.

Choosing What to Monitor
For a network using switches, a NIDS sensor will not function properly if it is just connected to a switch port. Instead, you should use the switch monitoring port or a network tap.

Choosing How to Respond
Response choices are governed by the goals of the IDS. When an event occurs, there are two types of responses:
- Passive response: a response that does not directly impede the attacker's actions.
- Active response: a response that does directly attempt to impede the attacker's actions.

Passive Response
A passive response is the most common type of action when an intrusion is detected. Passive responses have a lower probability of causing disruptions to legitimate traffic while being the easiest to implement in a completely automated fashion.

Passive Response
Passive responses include:
- Shunning: ignoring the attack.
- Logging: gathering basic information.
- Additional logging: collecting more information about the event than is normally captured.
- Notification: informing an individual about the event.

Active Response
Active responses include:
- Termination of connections, sessions, or processes
- Network reconfiguration
- Deception
An active response to an event allows the quickest possible action to reduce the impact of the event.

Active Response
It can also cause disruption or complete denial of service to legitimate users. Network reconfiguration may stop the intruder, but can have a negative impact on partners and customers, causing loss of productivity.

Setting Thresholds
Thresholds provide protection against false positive indications. They enhance the overall effectiveness of an IDS policy. They can be used to filter out accidental events from intentional events. Thresholds that detect attacks should be set to ignore low-level probes or single information-gathering events.

Setting Thresholds
Parameters that must be considered in setting thresholds are:
- User expertise
- Network speed
- Expected network connections
- Administrator/security officer workload
- Sensor sensitivity
- Security program effectiveness
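A threshold applied to a log analyzer, as an added example that is not from the lesson: the detector below reads firewall-style connection records and alerts on a source only after it has touched a minimum number of distinct destination ports within a time window, so that a single probe or an accidental connection is ignored. The log line format, the field names (SRC, DST, DPT), the sample records and the default threshold and window are all constructed for illustration; the records are assumed to be in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log format: ISO timestamp followed by key=value fields.
LOG_RE = re.compile(r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) DPT=(?P<dport>\d+)$")

# Constructed sample log. One source sweeps many ports in a few seconds,
# one makes a single connection, one returns hours later, and one line is garbage.
SAMPLE_LOG = """\
2024-05-01T10:00:00 SRC=203.0.113.5 DST=198.51.100.10 DPT=21
2024-05-01T10:00:01 SRC=203.0.113.5 DST=198.51.100.10 DPT=22
2024-05-01T10:00:01 SRC=198.51.100.7 DST=198.51.100.10 DPT=22
2024-05-01T10:00:02 SRC=203.0.113.5 DST=198.51.100.10 DPT=23
2024-05-01T10:00:03 SRC=203.0.113.5 DST=198.51.100.10 DPT=25
2024-05-01T10:00:03 SRC=192.0.2.9 DST=198.51.100.10 DPT=80
this line is not a connection record and is skipped
2024-05-01T10:00:04 SRC=203.0.113.5 DST=198.51.100.10 DPT=80
2024-05-01T10:00:05 SRC=203.0.113.5 DST=198.51.100.10 DPT=110
2024-05-01T12:00:00 SRC=192.0.2.9 DST=198.51.100.10 DPT=443
"""


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines that do not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])


def detect_scans(lines, threshold=5, window_seconds=60):
    """Alert once per source that reaches `threshold` distinct ports in the window.

    Returns a list of (src, timestamp, distinct_port_count). Lowering the
    threshold to 1 makes every connection an alert, which is the false-positive
    flood the lesson warns about; raising the window catches slower sweeps at
    the cost of more state per source.
    """
    recent = defaultdict(deque)   # src -> deque of (timestamp, dport) inside the window
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, _dst, dport = rec
        q = recent[src]
        q.append((ts, dport))
        # Evict records older than the window (input is assumed time-ordered).
        while q and (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct_ports = {p for _, p in q}
        if len(distinct_ports) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, ts.isoformat(), len(distinct_ports)))
    return alerts


def demo():
    """Run the detector over the constructed sample with the default threshold."""
    return detect_scans(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for src, when, count in demo():
        print(f"{when} possible port sweep from {src}: {count} distinct ports")
```

The alert is a passive response (logging and notification); an active response such as reconfiguring the firewall to block the source would hang off the same decision point, with the availability risk the next slides describe.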

Implementing the System
The actual implementation of the IDS policy must be carefully planned. There are few easier ways to disrupt a well-managed network than to introduce a badly configured IDS.

Implementing the System
Once the IDS policy has been developed and the initial threshold settings calculated, it should be put into place with the final policy, less any active measures. The IDS should be monitored closely for some period of time while the thresholds are evaluated.

Manage an IDS
For an organization to decide to implement an IDS, it should understand the goals of the program. They are:
- Understand what an IDS can tell you.
- Investigate suspicious events.

Understand What an IDS Can Tell You
There are two components to an IDS configuration:
- The attack signatures that have been programmed into the system.
- Any additional events that the administrator has identified as being of interest.

Understand What an IDS Can Tell You
When the IDS has been properly configured, the four types of events that the IDS will show are:
- Reconnaissance events
- Attacks
- Policy violations
- Suspicious or unexplained events

Investigate Suspicious Events
When a suspicious activity occurs, any of these four steps can be taken to determine if the activity constitutes an actual or attempted intrusion:
- Identify the systems.
- Log additional traffic between the source and destination.
- Log all traffic from the source.
- Log the contents of packets from the source.

Understand Intrusion Prevention
Intrusion prevention involves a proactive rather than reactive approach to IDS. To prevent an intrusion, the actual attack must be either stopped before it reaches the target system or stopped before the target system can execute the code that exploits the vulnerability.

Understand Intrusion Prevention
HIDS sensors such as system call analyzers and application behavior analyzers have the potential to prevent an attack. For a NIDS to prevent attacks, the standard configuration must be changed to place the NIDS in line with the traffic. IDS that are proactive can raise the potential for denial of service and cause overall availability issues.

Summary
Intrusion detection is a reactive concept that tries to identify a hacker when a penetration is attempted. A HIDS resides on a particular host and looks for indications of attacks on that host. A NIDS resides on a separate system that watches network traffic and looks for indications of attacks that traverse the network.

Summary
The effective use of an IDS must include the proper planning and involvement of executive management. Passive responses have a lower probability of causing disruptions to legitimate traffic while being the easiest to implement in a completely automated fashion.

Summary
An active response to an event allows the quickest possible action to reduce the impact of the event. To prevent an intrusion, the attack must be stopped before it reaches the target system.