Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition © 2012


Chapter 13: Intrusion Detection Systems and Network Security

Objectives
Apply the appropriate network tools to facilitate network security.
Determine the appropriate use of tools to facilitate network security.
Apply host-based security applications.

Key Terms
Access control lists (ACLs)
Antispam
Antivirus
Content-based signature
Context-based signature
False negative
False positive
Firewall
Heuristic scanning
Honeypot
Host-based IDS (HIDS)
Internet content filter
Intrusion detection system (IDS)

Network Security: A Layered Approach
As the need for security increases, layers of security should be added.
– Layers could include passwords, firewalls, access lists, file permissions, and intrusion detection systems.
Intrusion detection systems are one of the more complex layers.
– An IDS detects inappropriate or malicious activity on a computer or network.

History of Intrusion Detection Systems
Stalker (host-based) released 1989.
Mid-1990s: IDS gain popularity commercially.
WheelGroup develops the first network-based IDS under the name NetRanger.
Internet Security Systems’ RealSecure released in
By 1998 IDS was considered a vital part of network security.

History of the Internet and IDS

IDS Components
Traffic collector / sensor
Analysis engine
Signature database
User interface and reporting

IDS Components (continued)

Types of IDS
Host-based IDS (HIDS)
Network-based IDS (NIDS)
Distinguished by detection method:
– Signature-based IDS: relies heavily on a predefined set of attack and traffic patterns called signatures.
– Anomaly-based (heuristic) IDS: monitors activity and attempts to classify it as either “normal” or “anomalous.”

Network IDS Components

Advantages of NIDS
– Providing IDS coverage requires fewer systems.
– Deployment, maintenance, and upgrade costs are usually lower.
– A NIDS has visibility into all network traffic and can correlate attacks among multiple systems.
Disadvantages of NIDS
– It is ineffective when traffic is encrypted.
– It can’t see traffic that does not cross it.
– It must be able to handle high volumes of traffic.
– It doesn’t know about activity on the hosts themselves.


Active vs. Passive NIDS
Passive NIDS
– Generates an alarm when it matches a pattern and does not interact with the traffic in any way.
Active NIDS
– Reactive response to an attack, such as a TCP reset.
TCP reset
– The most common defensive ability for an active NIDS.
– The reset message (RST) tells both sides of the connection to drop the session and stop communicating immediately.

Signatures
Content-based signatures
– Matching characters or strings
– Generally the simplest types
– Easy to build; look for simple things, such as a certain string of characters or a certain flag set in a TCP packet
Context-based signatures (heuristics)
– Matching patterns of activity
– Generally more complex
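The two signature types above differ in what they look at: a content-based signature decides on a single packet (a byte string in the payload, a flag combination in the TCP header), while a context-based signature decides on a pattern across many packets. The following added example, which is not code from the textbook or its slides, runs both kinds over a constructed packet capture; the packet records, the two content signatures, and the port-sweep thresholds (more than 5 distinct ports within 10 seconds) are assumptions made for the demo.

```python
"""Content-based vs. context-based IDS signatures, run over constructed packets.

Added example, not code from the textbook or its slides.  The packet
records, the two content signatures, and the port-sweep thresholds are all
constructed for the demo.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float           # capture time in seconds (constructed)
    src: str
    dst: str
    dport: int
    flags: str          # TCP flag letters, e.g. "S", "PA", "FPU"
    payload: bytes = b""


# --- Content-based signatures: each looks at ONE packet in isolation ------
CONTENT_SIGS = [
    # a string of characters in the payload (directory-traversal marker)
    ("http-traversal", lambda p: b"../../" in p.payload),
    # a flag set: FIN+PSH+URG together never occurs in a normal session
    ("xmas-flags", lambda p: set("FPU") <= set(p.flags)),
]


def match_content(pkt):
    """Return the names of every content signature the packet matches."""
    return [name for name, check in CONTENT_SIGS if check(pkt)]


# --- Context-based signature: a PATTERN across many packets ---------------
class PortSweepDetector:
    """Alert when one source sends SYNs to more than `max_ports` distinct
    ports inside a sliding window of `window` seconds.  Thresholds are
    constructed for the demo; tuning them trades false positives against
    false negatives."""

    def __init__(self, max_ports=5, window=10.0):
        self.max_ports = max_ports
        self.window = window
        self.history = defaultdict(list)   # src -> [(ts, dport), ...]
        self.alerted = set()               # alert once per source

    def observe(self, pkt):
        if pkt.flags != "S":               # only connection attempts count
            return None
        hist = self.history[pkt.src]
        hist.append((pkt.ts, pkt.dport))
        # age out events that fell outside the window
        hist[:] = [(t, d) for t, d in hist if pkt.ts - t <= self.window]
        distinct = {d for _, d in hist}
        if len(distinct) > self.max_ports and pkt.src not in self.alerted:
            self.alerted.add(pkt.src)
            return ("port-sweep", pkt.src)
        return None


def run_ids(packets):
    """Feed packets through both signature types; return (name, src) alerts."""
    alerts = []
    sweep = PortSweepDetector()
    for p in packets:
        alerts.extend((name, p.src) for name in match_content(p))
        hit = sweep.observe(p)
        if hit:
            alerts.append(hit)
    return alerts


# Constructed capture: one normal request, one traversal attempt, one packet
# with FIN/PSH/URG set, a 7-port sweep, and a 3-port client that stays quiet.
SAMPLE_PACKETS = [
    Packet(0.0, "10.0.0.2", "10.0.0.80", 80, "PA", b"GET /index.html HTTP/1.1\r\n"),
    Packet(1.0, "10.0.0.9", "10.0.0.80", 80, "PA", b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Packet(2.0, "10.0.0.7", "10.0.0.80", 80, "FPU"),
] + [
    Packet(3.0 + i * 0.1, "10.0.0.5", "10.0.0.80", 21 + i, "S") for i in range(7)
] + [
    Packet(5.0 + i, "10.0.0.6", "10.0.0.80", port, "S")
    for i, port in enumerate((80, 443, 22))
]

if __name__ == "__main__":
    for alert in run_ids(SAMPLE_PACKETS):
        print(alert)
```

The content signatures are stateless and cheap, which is why they are "the simplest types"; the sweep detector has to keep per-source history, and its two thresholds are exactly the knobs that determine its false-positive and false-negative rates. A passive NIDS would stop at the alert list; an active one would act on it.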

Firewalls
A network device—hardware, software, or a combination thereof.
Determines what traffic should be allowed or denied to pass in or out of a network.


How Firewalls Work
Firewall mechanisms:
– Network Address Translation (NAT)
– Basic packet filtering (header information)
– Stateful inspection (header and contents) (p. 335)
– Access control lists (ACLs): rules applied to ports and IP addresses
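The difference between basic packet filtering with an ACL and stateful inspection is easiest to see on a reply packet. The added example below, which is not code from the textbook, evaluates an ordered ACL (first match wins, implicit deny at the end) on header fields only, then wraps it in a connection table so that replies to permitted outbound flows are let back in. The LAN prefix, the three rules, the TEST-NET addresses and the packets are all constructed for the demo.

```python
"""Ordered ACL packet filter with and without stateful connection tracking.

Added example, not the textbook's code.  The LAN prefix, the three ACL
rules, the TEST-NET addresses and the packets are all constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Pkt:
    direction: str   # "in" = arriving from the Internet, "out" = leaving the LAN
    src: str
    sport: int
    dst: str
    dport: int
    proto: str       # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    direction: str              # "in", "out" or "any"
    src: str                    # CIDR prefix
    dst: str                    # CIDR prefix
    proto: str                  # "tcp", "udp" or "any"
    dport: Optional[range]      # None = any destination port

    def matches(self, p: Pkt) -> bool:
        """Basic packet filtering: decide on header fields only."""
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or p.dport in self.dport))


LAN = "192.168.1.0/24"
ANY = "0.0.0.0/0"
ACL = [
    Rule("permit", "out", LAN, ANY, "tcp", range(80, 81)),               # web out
    Rule("permit", "out", LAN, ANY, "tcp", range(443, 444)),             # https out
    Rule("permit", "in", ANY, "192.168.1.10/32", "tcp", range(25, 26)),  # mail in
]


def acl_decide(rules, p):
    """First matching rule wins; an ACL ends with an implicit deny."""
    for n, r in enumerate(rules, 1):
        if r.matches(p):
            return (r.action, f"rule {n}")
    return ("deny", "implicit deny")


class StatefulFirewall:
    """Stateful inspection: remember flows the ACL permitted outbound, and
    let their reply packets back in even though no inbound rule names them."""

    def __init__(self, rules):
        self.rules = rules
        self.table = set()   # (lan_host, remote_host, proto, remote_port)

    def decide(self, p):
        if p.direction == "in":
            if (p.dst, p.src, p.proto, p.sport) in self.table:
                return ("permit", "established")
        verdict = acl_decide(self.rules, p)
        if verdict[0] == "permit" and p.direction == "out":
            self.table.add((p.src, p.dst, p.proto, p.dport))
        return verdict


# Constructed traffic (203.0.113.5 = external web server, 198.51.100.7 = stranger)
WEB_REQUEST = Pkt("out", "192.168.1.20", 51000, "203.0.113.5", 443, "tcp")
WEB_REPLY = Pkt("in", "203.0.113.5", 443, "192.168.1.20", 51000, "tcp")
UNSOLICITED = Pkt("in", "198.51.100.7", 4444, "192.168.1.20", 51000, "tcp")
INBOUND_MAIL = Pkt("in", "198.51.100.7", 40000, "192.168.1.10", 25, "tcp")
TELNET_OUT = Pkt("out", "192.168.1.20", 51001, "203.0.113.5", 23, "tcp")


def compare():
    """Run the same packets through a stateless ACL and a stateful firewall."""
    fw = StatefulFirewall(ACL)
    results = {}
    for name, p in [("request", WEB_REQUEST), ("reply", WEB_REPLY),
                    ("unsolicited", UNSOLICITED), ("mail", INBOUND_MAIL),
                    ("telnet", TELNET_OUT)]:
        results[name] = (acl_decide(ACL, p)[0], fw.decide(p)[0])
    return results


if __name__ == "__main__":
    for name, (stateless, stateful) in compare().items():
        print(f"{name:12s} stateless={stateless:6s} stateful={stateful}")
```

With the stateless ACL alone, the web server's reply is dropped because no inbound rule names it; the classic workaround was a broad "permit inbound to high ports" rule, which also admits the unsolicited packet. The stateful firewall admits the reply because it belongs to a flow it already permitted, and still denies the stranger's packet to the same host and port.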

Intrusion Prevention Systems
In addition to IDS functions, an IPS has the capability of stopping or preventing a malicious attack.
Some can inspect encrypted traffic (SSL traffic).
Often rated by the amount of traffic that can be processed without dropping packets.


Internet Content Filters
Used to:
– Filter undesirable content
– Filter malicious code such as browser hijacking attempts
Challenges:
– Blacklists of websites are difficult to maintain
– Keyword filtering may generate false positives
– Determined users will attempt to bypass the system
Barracuda case study


Honeypots and Honeynets
A honeypot is a system or group of systems designed to attract an attacker’s attention.
– Allows the attacker’s methods to be observed without putting real systems at risk
– Activity is recorded for later analysis
– Affords information and additional security, but requires significant cost and effort to maintain
A honeynet is a group of honeypots.


Host-Based IDS (HIDS)
Examines activity only on a specific host
– Examines logs, audit trails, and network traffic coming into or leaving the host
– Examination is done in real time or periodically
Flags that may raise the alarm in a HIDS:
– Login failures
– Logins at irregular hours
– Privilege escalation
– Additions of new user accounts

How HIDS Work
The traffic collector aggregates information.
The analysis engine reviews the data.
– May implement a decision tree to classify activities and make decisions
– A signature database may be used to match activities to predefined activity or patterns
Users work with the HIDS through the user interface, which includes the visible components of the HIDS.
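The two HIDS slides above (the four alarm flags, and the collector / analysis engine / signature database / user interface pipeline) can be put together in one small program. The added example below is not code from the textbook: it runs a collector over constructed auth.log-style lines, an analysis engine that applies a signature database of regular expressions plus a small decision tree, and prints the alerts as the reporting step. The failure threshold (3 per user) and the "normal hours" window (06:00 to 20:59) are assumptions for the demo.

```python
"""A minimal host-based IDS pipeline: collector -> analysis engine backed by
a signature database -> report.  It flags the four events the slides list:
login failures, logins at irregular hours, privilege escalation, and new
user accounts.

Added example, not the textbook's code.  The log lines are constructed in
auth.log style; the failure threshold and the "normal hours" window are
assumptions for the demo.
"""
import re
from collections import Counter

# --- constructed auth log (what the traffic collector would gather) -------
AUTH_LOG = """\
Mar 12 02:14:01 host1 sshd[1201]: Failed password for bob from 10.0.0.8 port 50120 ssh2
Mar 12 02:14:05 host1 sshd[1201]: Failed password for bob from 10.0.0.8 port 50121 ssh2
Mar 12 02:14:09 host1 sshd[1201]: Failed password for bob from 10.0.0.8 port 50122 ssh2
Mar 12 02:14:13 host1 sshd[1201]: Failed password for bob from 10.0.0.8 port 50123 ssh2
Mar 12 02:15:00 host1 sshd[1230]: Accepted password for bob from 10.0.0.8 port 50124 ssh2
Mar 12 02:15:30 host1 sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/useradd backup2
Mar 12 02:15:30 host1 useradd[1255]: new user: name=backup2, UID=1003, GID=1003, home=/home/backup2, shell=/bin/bash
Mar 12 09:30:00 host1 sshd[1400]: Accepted publickey for alice from 10.0.0.3 port 50200 ssh2
"""

# --- signature database: patterns the analysis engine matches against ----
SIGNATURES = {
    "login-failure": re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)"),
    "login-success": re.compile(r"Accepted \S+ for (\S+) from (\S+)"),
    "privilege-escalation": re.compile(r"sudo:\s+(\S+) : .*USER=root ; COMMAND=(\S+)"),
    "new-account": re.compile(r"useradd\[\d+\]: new user: name=([^,]+),"),
}

FAILURE_THRESHOLD = 3          # assumption: 3 failures for one user -> alert
NORMAL_HOURS = range(6, 21)    # assumption: logins 06:00-20:59 are expected


def collect(raw):
    """Traffic collector: split the log into (hour, message) records."""
    records = []
    for line in raw.splitlines():
        month, day, clock, host, message = line.split(None, 4)
        records.append((int(clock[:2]), message))
    return records


def analyze(raw):
    """Analysis engine: a small decision tree over the signature matches.
    Returns (flag, detail) alerts in log order."""
    alerts = []
    failures = Counter()
    for hour, message in collect(raw):
        for name, pattern in SIGNATURES.items():
            m = pattern.search(message)
            if not m:
                continue
            if name == "login-failure":
                user = m.group(1)
                failures[user] += 1
                if failures[user] == FAILURE_THRESHOLD:   # alert once per user
                    alerts.append(("login-failures", user))
            elif name == "login-success":
                if hour not in NORMAL_HOURS:
                    alerts.append(("off-hours-login", m.group(1)))
            elif name == "privilege-escalation":
                alerts.append(("privilege-escalation", m.group(1)))
            elif name == "new-account":
                alerts.append(("new-account", m.group(1)))
    return alerts


if __name__ == "__main__":   # user interface / reporting
    for flag, detail in analyze(AUTH_LOG):
        print(f"ALERT {flag:22s} {detail}")
```

Seen one at a time, each line is ordinary (a failed password, an early login, a sudo, a new account); the value of a HIDS is that the analysis engine holds state across lines, so the four alerts together describe one sequence on one host, which is what an analyst wants to see first.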

Antivirus Products
Used to identify, neutralize, or remove malicious programs, macros, and files.
Scanning approaches:
– Signature-based scanning
– Heuristic scanning
Modern antivirus products have:
– Automated updates
– Automated scanning
– Media scanning
– Manual scanning
– scanning
– Resolution
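The two scanning approaches on the slide can be shown side by side on files rather than packets. The added example below is not the textbook's code: signature-based scanning matches a file hash or a byte pattern from a small signature database, and heuristic scanning scores traits (executable header, high entropy, embedded URL) with no known sample required. The only real artefact used is the standard EICAR antivirus test string, which is harmless by design; the hash list entry, the byte-pattern signature, the heuristic traits, their weights and the cut-off are constructed for the demo.

```python
"""Signature-based vs. heuristic file scanning, in the style the slides
describe.  Added example, not the textbook's code.  The only real artefact
is the EICAR test string, which antivirus vendors recognise by agreement and
which is harmless; the hash list, the byte-pattern signature, the heuristic
traits and their weights are constructed for the demo.
"""
import hashlib
import math
from collections import Counter

# The standard 68-byte EICAR antivirus test string (harmless by design).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# --- signature database --------------------------------------------------
# Hash signatures catch one exact file.  Real products ship these lists in
# their updates; here the entry is derived from the sample above.
HASH_SIGS = {hashlib.sha256(EICAR).hexdigest(): "EICAR-Test-File"}
# Byte-pattern signatures survive trailing padding or re-packaging that
# changes the hash.
PATTERN_SIGS = [(b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE", "EICAR-Test-File")]

# --- heuristic scanning: score traits, no known sample required ----------
HEURISTIC_THRESHOLD = 3   # constructed weights and cut-off


def entropy(data):
    """Shannon entropy in bits per byte; close to 8.0 means packed or encrypted."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def heuristic_score(data):
    """Return (score, trait names) for the constructed trait set."""
    traits = []
    if data[:2] == b"MZ":
        traits.append(("pe-header", 1))
    if len(data) >= 256 and entropy(data) > 7.0:
        traits.append(("high-entropy", 2))
    if b"http://" in data or b"https://" in data:
        traits.append(("embedded-url", 1))
    return sum(w for _, w in traits), [t for t, _ in traits]


def scan(data):
    """Signature matches first (exact and cheap), then heuristics."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGS:
        return ("malicious", "hash:" + HASH_SIGS[digest])
    for pattern, name in PATTERN_SIGS:
        if pattern in data:
            return ("malicious", "pattern:" + name)
    score, traits = heuristic_score(data)
    if score >= HEURISTIC_THRESHOLD:
        return ("suspicious", "heuristic:" + "+".join(traits))
    return ("clean", "")


# Constructed samples
SAMPLES = {
    "report": b"Quarterly report: revenue up 4%.\n" * 8,
    "eicar": EICAR,
    "eicar-padded": EICAR + b"\n" + b"\x00" * 16,          # same content, new hash
    "packed-exe": b"MZ" + bytes(range(256)) * 8 + b"http://updates.example/x",
    "zip-like": b"PK\x03\x04" + bytes(range(256)) * 8,     # high entropy but benign
}


def scan_all():
    return {name: scan(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in scan_all().items():
        print(f"{name:13s} {verdict:10s} {reason}")
```

The padded EICAR file shows why hash signatures alone are brittle and why pattern signatures exist; the "zip-like" sample shows the heuristic trade-off from the key terms list: its entropy trait alone stays under the cut-off, so it is not a false positive, but raising that weight to 3 would flag every compressed archive on the host. Nothing in the heuristic path requires a prior sample, which is also why it can catch unknown files and why it needs the threshold tuned.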

Personal Software Firewalls
Host-based protective mechanism that controls traffic going into and out of a single system.
Various free and commercial firewall software is available (e.g., ZoneAlarm).


Pop-up Blockers and Windows Defender
Pop-up blockers
– Attempt to prevent web pages from opening a new tab or window
Windows Defender
– Designed to remove spyware and unwanted programs from your PC
– Includes spyware detection and removal, scheduled scanning, automatic updates, real-time protection, software explorer, and configurable responses

Chapter Summary
Apply the appropriate network tools to facilitate network security.
Determine the appropriate use of tools to facilitate network security.
Apply host-based security applications.