By Edith Butler Fall 2008
Our Security Ways we protect our valuables: Locks Security Alarm Video Surveillance, etc.
History about IDS It began in 1980, with James Anderson's paper: Computer Security Threat Monitoring and SurveillanceComputer Security Threat Monitoring and Surveillance The setting of protocols in place to detect 1. Misuse 2. Or Malicious attacks in computer systems.
History of IDS Cont’d In 1983, Dr. Dorothy Denning and SRI International began working on a government project. In 1984, Dr. Denning assisted in the development of the Intrusion Detection Expert system which was the first model of IDS.
History about IDS continues…
WHAT IS IDS? IDS stands for Intrusion Detection System. 1. security countermeasure 2. Looks for signs of intruders. 3. Software and/or hardware designed
What is IDS? Cont’d Intrusion Detection System inspects all inbound and outbound network activity : 1. Computer system. 2. On-line transmissions 3. Private documents 4. Networks and overall privacy.
IDS FUNCTIONS Functions of IDS: “Monitoring users and system activity Auditing system configuration for vulnerabilities and misconfigurations Assessing the integrity of critical system and data files Recognizing known attack patterns in system activity. Identifying abnormal activity through statistical analysis Managing audit trails and highlighting user violation of policy or normal activity Correcting system configuration errors Installing and operating traps to record information about intruders
WHY IDS? To protect our network. From the outside environment Malicious attacks From the inside as well Possible manipulation, destruction, transferring, altering files or unintentionally mistakes.
TYPES OF ATTACK Some known attacks are: network attacks against vulnerable services. Data attacks on applications. Host based attacks such as : privilege escalation unauthorized logins access to sensitive files malware.
IDS COMPONENTS IDS Components: Sensors which generate security events. A console to monitor events and alerts, will also control the sensors. Central engine that records events logged by the sensors in a database and uses a system of rules to generate alert from security events that are encountered. Possible Sensors are: A sensor to monitor TCP connections requests. Log file Monitors File integrity Checker
TYPES OF IDS Two general types of intrusion detection systems are: 1. The host based intrusion system known as HIDS - 2. The network based intrusions systems (NIDS)
HIDS HIDS – Host based Intrusion Detection Systems Used within a local computer Analyzes the data entering and leaving within a workstation such as a desktop, server, and/or laptop HIDS works along with anti-threat applications : firewalls antivirus software spy ware-detection
HIDS CONT’D HIDS protects : Workstations and servers Used in conjunction with the operation system to catch any suspicious activity and block it from the system. HIDS monitors activities : Application or data requests Network Connection attempts Read or Write attempts. Audit System Logs
Diagram of HIDS
NETWORK BASED INTRUSION SYSTEM NIDS is used in conjunction with the LAN network. Anti-threat software is installed only at specific points: servers that interface between the outside environment and the network segment to be protected. can be a combination of standalone hardware or software that analyzes data packets that come in and out of the network. NIDS oversees and monitors the network traffic to detect any malicious activity or ensure the traffic is indeed valid.
Diagram of NIDS
NIDS VS HIDS Which one is better? No definite answer You really need both. one for your network NIDS one for your servers/workstations that is HIDS A proper IDS implementation should have: An environemnt that would filter alters and notification In addition to your firewall, NIDS/HIDS IDS technology will keep your environment secure from malicious virus and guard files that are highly sensitive. The difference between host-based and network-based intrusion detection is that NIDS deals with data transmitted from host to host while HID is concerned with what occurs on the hosts themselves.
IDS Statistics Just over 90% of interconnected networks that were running IDS detected computer security breaches in the last 12 months defiant of several implemented firewall protections that were installed. Computer Security Institute, 4/7/02 reported that 80% reported financial losses in excess of $455M was caused by intrusion and malicious acts thereafter. Millions of jobs have been affected because of intrusion Only 0.1% of companies are spending the appropriate budget on IDS. IDS are mostly misunderstood and are thought of as a firewall product or a substitute. If you use an antivirus then should also consider adding an IDS as a complimentary product to your security strategy. Most organizations using antivirus software do not use IDS.
TOP Computer Associate International's eTrust 2. Cisco Systems' Secure IDS 3. CyberSafe Corp.'s Centrax 4. Enterasys Networks' Dragon 5. Internet Security Systems' BlackICE 6. ISS' RealSecure 7. Intrusion.com's SecureNet Pro 8. NFR Security's NFR Network Intrusion Detection System 9. NFR Anzen Computing's Flight Jacket 10. the open-source Snort and 11. Symantec Corp.'s NetProwler