Lesson 7 Intrusion Prevention Systems. UTSA IS 3523 ID & Incident Response Overview Definitions Differences Honeypots Defense in Depth.
Lesson 7 Intrusion Prevention Systems

UTSA IS 3523 ID & Incident Response

Overview
Definitions
Differences
Honeypots
Defense in Depth

Intrusion Detection Systems
IDS – "Combination of Hardware and Software Designed to Detect Suspect Activity on a Network"
Types of IDS Solutions and Deployments
– Network, Host and Application
Detection Methods
– Signature, Anomaly and Behavior Based
IDS Evolution – Three Evolutions of IDS Products and Solutions
– Detect, Shore-Up and Proactively Block (IPS)

What Should an IDS Do
Detect scans against a network
– Helps determine who might attack
Provide info on DoS attacks
Alert on possible worm infections
Alert administrator about brute force, password cracks, dictionary attacks, etc.
Block some worms
– Code Red, Nimda, SQL Slammer
– If linked to a firewall

IDS Challenges
Performance
– Network-based IDS systems must handle large throughput, i.e. large numbers of packets
Reliability – false positives plague early IDS
– Misnomer: "bad string development"
Cost
– Extensive IDS deployments can be expensive
Labor intensive
– IDS tuning and maintenance requires much expertise
– Host-based IDS systems can use up lots of resources on their hosts

Intrusion Prevention Systems
HW/SW that proactively block attacks
– Little or no human intervention
Normally stand-alone solutions but may integrate with firewalls, switches or routers
Usually less maintenance than traditional IDS
Usually requires more set-up—have to know your network traffic
May be network or host based
Emerging sub-sector of IDS market

What an IPS Can Do
Detect and Block Network
Block DoS attacks in real time
Completely stop nuisance attacks
Block worm propagation

Intrusion Detection -vs- Intrusion Prevention
Often viewed as a blending of firewalls and IDS
Definition: A device (HW or SW) that has the ability to detect an attack and to prevent the attack from being successful.
– Must handle known and unknown attack methods
Will look at 4 general types of IPS
– Inline NIDS
– Layer Seven Switches
– Application Firewall/IDS
– Deceptive Applications

Inline NIDS
From:
Offers the capabilities of a regular NIDS with the blocking capabilities of a firewall.
Examines traffic, decides whether to send it on or not.
Generally needs to know what it is looking for (e.g. signatures).

Layer Seven Switch
Usually think of switching as a layer 2 function.
Due to bandwidth-intensive content, some switching now goes on at layer seven (e.g. load balancers), where application traffic can be examined.
Decisions can be made as to whether data is sent.
Generally needs to know what it is looking for.
One of the best uses is to address DoS attacks.

Application Firewall/IDS
Loaded on each server to be protected.
Customized for the application to be protected.
Don't look at packets; look at API calls, memory management (for overflows), and interaction of the user with the OS.
Can help prevent new attacks since it is not looking for signatures but rather attempted actions.

Deceptive Applications
Idea has been around for a while.
Concept is to first watch the network to determine a profile of normal traffic.
If traffic comes along later, such as a scan for a service on a system that doesn't exist, then respond with bogus data so packets are "marked" and future traffic from the attacker will be noticed and handled easily.

Deceptive Applications (diagram: the probe is answered with "No system!")
From:
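As an added example (not from the lecture), a toy Python version of the deceptive-application logic from the slide above: learn the profile of services that really exist, answer probes of non-existent services with decoy data while marking the source, and flag all later traffic from a marked source. The log lines and addresses are constructed for the example.

```python
"""Added example (not from the lecture): a toy "deceptive application".

Phase 1 learns which (host, port) services normally answer traffic.
Phase 2 flags connections to services that do not exist, marks the source,
and treats all later traffic from a marked source as suspect.
"""
from functools import reduce

# Constructed baseline: connections seen while profiling normal traffic.
# Format per line: "src_ip dst_ip dst_port"
BASELINE = """
10.0.0.5 192.168.1.10 80
10.0.0.6 192.168.1.10 80
10.0.0.5 192.168.1.20 443
10.0.0.7 192.168.1.20 443
10.0.0.6 192.168.1.30 25
"""

# Constructed later traffic: 203.0.113.9 probes services that are not there,
# then talks to a real service, which the marking should catch.
LATER = """
10.0.0.5 192.168.1.10 80
203.0.113.9 192.168.1.10 22
203.0.113.9 192.168.1.20 3306
203.0.113.9 192.168.1.10 80
10.0.0.7 192.168.1.20 443
"""

def parse(log):
    """Split the constructed log into (src, dst, port) tuples."""
    return [tuple(line.split()) for line in log.strip().splitlines()]

def learn_profile(log):
    """Set of (dst_ip, dst_port) pairs that really serve traffic."""
    return {(dst, port) for _, dst, port in parse(log)}

def deceptive_filter(log, profile):
    """Return (decoy_replies, suspect_flows, marked_sources)."""
    marked = set()
    decoys, suspect = [], []
    for src, dst, port in parse(log):
        if (dst, port) not in profile:
            marked.add(src)                  # probe of a non-existent service
            decoys.append((src, dst, port))  # answer with bogus "service" data
        elif src in marked:
            suspect.append((src, dst, port)) # real service, but marked source
    return decoys, suspect, marked
```

The order of events matters: a source is only flagged on real services after it has tripped a decoy, which is exactly the "mark first, notice later" behaviour the slide describes.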

Network Commercial IPS
Cisco Secure IDS (son of NetRanger)
ISS Proventia
NetScreen IDP-500
McAfee IntruShield 4000
TippingPoint UnityOne
TopLayer Mitigator IPS-2400


IPS Pictures _series.php

Honey Pot
New player...not quite an IDS, but the results are the same
Decoy system
Mislead hackers
Begin incident response (early!)

Defense-in-Depth
Key security concept
Usually considered in shallow ways
We don't do a good job implementing it organization-wide
Very seldom do we simultaneously simplify and improve security

5 Different Control Types
Protect – firewalls/router ACLs
Detect – IDSes
Recover – incident response/recovery plans
Deter – laws and marketing
Transfer – insurance

Problem with Approaches
Each control has binary effectiveness
No security is perfect
Better approach is "synergistic security"
– Success hinges on redundancy of security controls

Security Synergy
Bayes' Theorem:
– Effectiveness (TOTAL) = 1 - ((1 - E1) * (1 - E2) * (1 - E3) ...)
Table: number of synergistic controls against efficiency of each control (60%, 70%, 80%, 90%)
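An added example (not from the lecture) that computes the slide's synergy formula and tabulates it for one to five identical controls at the 60/70/80/90% efficiencies the table header lists. The formula assumes the controls fail independently; correlated failures (e.g. two signature-based tools both missing the same novel attack) give a lower combined figure than this table shows.

```python
"""Added example (not from the lecture): Effectiveness(TOTAL) = 1 - prod(1 - Ei).

Each Ei is the probability that control i alone stops an attack; the product
is the probability that every control misses it, assuming independence.
"""
from functools import reduce

LEVELS = (0.6, 0.7, 0.8, 0.9)   # per-control efficiencies from the slide's table header

def combined_effectiveness(effs):
    """Probability that at least one of the independent controls stops the attack."""
    all_miss = reduce(lambda acc, e: acc * (1.0 - e), effs, 1.0)
    return 1.0 - all_miss

def synergy_table(levels=LEVELS, max_controls=5):
    """Rows: number of identical controls; columns: efficiency of each control."""
    return {n: {e: round(combined_effectiveness([e] * n), 4) for e in levels}
            for n in range(1, max_controls + 1)}

def controls_needed(target, e):
    """Smallest number of controls with efficiency e whose combined effectiveness reaches target."""
    n = 1
    while combined_effectiveness([e] * n) < target:
        n += 1
    return n

if __name__ == "__main__":
    table = synergy_table()
    print("controls " + " ".join(f"{int(e * 100)}%".rjust(8) for e in LEVELS))
    for n, row in table.items():
        print(f"{n:8d} " + " ".join(f"{v:8.1%}" for v in row.values()))
    print("controls at 60% needed to reach 99%:", controls_needed(0.99, 0.6))
```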

The Challenge
"The real challenge is for people who can write good models for the data that comes out. The problem we have is that different enterprise networks create quite different traffic. Trying to model it and pull out interesting patterns with it while minimizing false positives and things like that, is very difficult."
Bob Gleichauf, Cisco Systems

Summary
IDSes are still maturing
IDSes are not silver bullets...they cannot overcome inherent security weaknesses
But, IDSes are usually the primary "detectors" to start the incident response process
Synergistic Security (Defense-in-depth) is the key