Presentation is loading. Please wait.

Presentation is loading. Please wait.

Intrusion Prevention, Detection & Response. IDS vs IPS IDS = Intrusion detection system IPS = intrusion prevention system.

Published byJulius Dennis Modified over 8 years ago

Similar presentations

Presentation on theme: "Intrusion Prevention, Detection & Response. IDS vs IPS IDS = Intrusion detection system IPS = intrusion prevention system."— Presentation transcript:

1 Intrusion Prevention, Detection & Response

2 IDS vs IPS IDS = Intrusion detection system IPS = intrusion prevention system

3 IDS Monitors a system for Malicious activities. Policy violations not all policy violations are malicious.

4 IDS Categories Two categories of IDS: A network-based IDS monitors network data packets for malicious activity.  Example: Snort, Comodo-firewall A host-based IDS analyzes any combination of system calls, applications logs, file modifications, and other host activities.  Example: Tripwire, WinPatrol, Anti-Virus software

5 Passive vs Reactive IDS

6 Passive IDS Logs the possible intrusion, and sends an alert. The alert could be an e-mail to SA staff; or posting the alert on a monitored console (or both). This is how Tripwire behaves.

7 Reactive IDS The reactive IDS, (aka IPS), would respond to an intrusion with a pre-configured defense strategy in real time. Snort, e-mail filters, and many anti-virus packages can be configured to be reactive.

8 Revised Taxonomy Revised Taxonomy for IDS vs IPS IDS is either Passive or Reactive. An IPS prevents intrusions.

9 IPS (Revised Taxonomy) Passwords Login Server (example: Kerberos) Firewalls : Consists of a combination of hardware and software. Access controls applied to hardware, software, and data. Physical security

10 IPS (Revised Taxonomy) In Summary, the IPS is a barrier. The IDS is needed when the IPS barrier is breached.

11 IPS : Firewall A combination of software and hardware used to implement security policies governing the network traffic between two or more networks. A firewall is a system used to enforce network traffic security policy.

12 IPS: Firewall System 1. Design the system 2. Acquire the hardware and software 3. Acquire training, documentation and support 4. Install and configure the system 5. Test the system 6. Maintain the system (sustainability cycle)

13 IPS : Other Systems Implement Access controls Physical security Login Server

14 IPS Access Controls Windows Professional provides access control lists. Unix/Linux has a simple access control system: User, Group, World + read, write, execute Princeton study showed that complex access controls lead to mis-configuration. Proper training is essential.

15 IPS : Physical Security Previously covered: Locks on doors, limited access, keycards, proximity badges, etc

16 IPS : Login Server Kerberos is a common login server that goes beyond the user-id & password authentication process. Kerberos was developed at MIT

17 Kerberos

18

19 Intrusion Detection Data: Characterization Information Collect characterization information, CI. Characterization information must be monitored regularly

20 IDS : Characterization Info System logs File checksums System performance metrics provided by system monitoring applications Expected activities by users and applications

21 CI : System Logs System logs require 1) access controls 2) back-up 3) encrypted. Unix/Linux /var/log MS Windows systemroot\WINDOWS\System32\Config\*.evt Enable event logging and use the event viewer (eventvwr.msc)

22 System Log Files Log files can grow and use up space. Log files should periodically be backed-up then removed to make space for new log information.

23

24 Checksums Tripwire creates a database of checksums for a list of specified files (data, source, binary, etc). The data base of checksums acts as a baseline for comparison. Common checksum algorithms: MD5 SHA CRC

25 System Performance Metrics Server/computer system metrics Network activity metrics

26 System Resource CI Report the top resource users (examples: top, sysstat) CPU time usage Memory usage (example: free) Number of active processes (by all user-ids, including system ids) Number of active open files Number of files IO data transfer Disk space usage and free space IO transfer rate Other devices used by processes Login sessions Login attempts

27 Network Resource CI Connection attempts Connection duration Number of connections Source & destination of data packets Bandwidth usage (by user and total) Transfer rates Error counts

28 E-mail CI Number of sent messages Number of received messages Mail message sizes read/unread message count Consider logs of other possible communication devices like telephones and company issued cell phones.

29 System Security Logging & Auditing Documentation Document the characterization information to collect log files network CI computing system CI, etc. Document which events should produce an alert Document system and application updates Document roles and responsibilities of SA staff. Document a sustainability cycle Document an intrusion detection response

30 Intrusion Response Team Create a security response team Document the responsibilities of the intrusion response team members Document a contact list for the team Update the documentation regularly (sustainability cycle) Document what to do in an emergency.

Download ppt "Intrusion Prevention, Detection & Response. IDS vs IPS IDS = Intrusion detection system IPS = intrusion prevention system."

Similar presentations

This course is designed for system managers/administrators to better understand the SAAZ Desktop and Server Management components Students will learn.

This course is designed for system managers/administrators to better understand the SAAZ Desktop and Server Management components Students will learn.
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.

1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.
Intrusion Detection Systems By: William Pinkerton and Sean Burnside.

Intrusion Detection Systems By: William Pinkerton and Sean Burnside.
An Introduction to System Administration Chapter 1.

An Introduction to System Administration Chapter 1.
Chapter 10: Data Centre and Network Security Proxies and Gateways * Firewalls * Virtual Private Network (VPN) * Security issues * * * * Objectives:

Chapter 10: Data Centre and Network Security Proxies and Gateways * Firewalls * Virtual Private Network (VPN) * Security issues * * * * Objectives:
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
 Single sign-on o Centralized and federated passport o Federated Liberty Alliance and Shibboleth  Authorization o Who can access which resource o ACM.

 Single sign-on o Centralized and federated passport o Federated Liberty Alliance and Shibboleth  Authorization o Who can access which resource o ACM.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.

Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Security Management IACT 418/918 Autumn 2005 Gene Awyzio SITACS University of Wollongong.

Security Management IACT 418/918 Autumn 2005 Gene Awyzio SITACS University of Wollongong.
By Edith Butler Fall 2008. Our Security Ways we protect our valuables: Locks Security Alarm Video Surveillance, etc.

By Edith Butler Fall Our Security Ways we protect our valuables: Locks Security Alarm Video Surveillance, etc.
Host Intrusion Prevention Systems & Beyond

Host Intrusion Prevention Systems & Beyond
Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.

Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.

Similar presentations

Ads by Google