idps (intrusion detection & prevention system )

IDPS (Intrusion Detection & Prevention System )

By

Varang Amin (004805672)

Guided By Prof. Richard Sinn

Agenda

Introduction IDPS Why IDPS Detection Engine Features &Functions Evaluation Test Case Future Available IDPS in Market

Introduction

Secure Environment

Introduction

Various options are available IDPS , based on behavior of network and contents of

each and every packet.

Firewall , based on Access Control List .

VPN,communication network tunneled through public network.

Why IDPS……

Firewall ,based on policy defined in Access Control List Policy based filtering when session is established

Not able to check each packet in network

Tend to stop search when find any match.

Able to shutdown the connection but not able to throttle the traffic

IDPS

Detection method Specification Detection , based on the application

reorganization rules for detecting application and attacks.

Anomaly Detection, based on the behavior of the available pattern in IDPS .

Integrity Check , detection based on hash values and signatures for verify the integrity of data.

Architecture of Detection Engine

Fig

Deployment IPS

Network Based

Host Based

Hybrid

Deployment & Working Principals

IDPS Terminology

Signatures , basically regular or fixed expression .

Depth Of Search

Offset Example : Regular Expressions

eDonkey Login Connection “\xe3.{4}[\x01\xc5] ”

Continue……….

Fixed Expression

eDonkey File sharing Connection “http://emul-Projectinfo.org”

Implemented with the help of sniffers.

Continue….

Traffic AnomalyThrottle the network traffic.

Protocol AnomalyFor Standard Service

False Positives Incorrect application detected .

False NegativesApplication Not Detected

Evaluation of IDPS

Generate some manual traffic of open source attacks .

IXIA

Smart bits

Existing service from Windows or Linux OS.

Test Case 1

By pass the IPS.

Test Case 2

Fragment the Attack

Test Case 3

TTL based attacks

Future Enhancement ……

Can be more sophisticated application

Session Monitoring

Learning

UTM

IDPS Example

Cisco 6000 Family IDS

Snap Gear by Secure Computing

Linux IP Tables (Open Source)

Snort

Intrupro

Sonic Wall Gateway

References

Article “IDS Evaluation” published on Network world Magazine .

Insertion, Evasion and Denial Of Service:-Eluding Network Intrusion detection System -Thomas H. Ptacek, Timothy N. Newsham .

www.securityfocus.com

Thanks

Question ????