intrusion detection

Post on 17-Nov-2014


NIST Special Publication 800-94

Guide to Intrusion Detection and Prevention Systems (IDPS)

Recommendations of the National Institute of Standards and Technology

Karen Scarfone
Peter Mell


COMPUTER SECURITY

Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-8930

February 2007

U.S. Department of Commerce

Carlos M. Gutierrez, Secretary

Technology Administration

Robert C. Cresanti, Under Secretary of Commerce for Technology

National Institute of Standards and Technology

William Jeffrey, Director

GUIDE TO INTRUSION DETECTION AND PREVENTION SYSTEMS (IDPS)

Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL's responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL's research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations.

National Institute of Standards and Technology Special Publication 800-94 Natl. Inst. Stand. Technol. Spec. Publ. 800-94, 127 pages (February 2007)

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.


Acknowledgements

The authors, Karen Scarfone and Peter Mell of the National Institute of Standards and Technology (NIST), wish to thank their colleagues who reviewed drafts of this document and contributed to its technical content. The authors would like to acknowledge John Connor, Tim Grance, Anoop Singhal, and Murugiah Souppaya of NIST; Michael Gerdes, Ralph Martins, Angela Orebaugh, and Mike Zeberlein of Booz Allen Hamilton; and Steve Sharma of Project Performance Corporation for their keen and insightful assistance throughout the development of the document. The authors particularly want to thank Rebecca Bace of KSR for her careful review of the publication and for her work on the predecessor publication, NIST Special Publication 800-31, Intrusion Detection Systems. The authors would also like to express their thanks to security experts Andrew Balinsky (Cisco Systems), Anton Chuvakin (LogLogic), Jay Ennis (Network Chemistry), John Jerrim (Lancope), and Kerry Long (Center for Intrusion Monitoring and Protection, Army Research Laboratory), as well as representatives from the Department of State and Gartner, for their particularly valuable comments and suggestions. Additional acknowledgements will be added to the final version of the publication.

Trademarks

All product names are registered trademarks or trademarks of their respective companies.


Table of Contents

Executive Summary ............................................................ ES-1

1. Introduction ................................................................ 1-1
   1.1 Authority ............................................................. 1-1
   1.2 Purpose and Scope .................................................... 1-1
   1.3 Audience .............................................................. 1-1
   1.4 Document Structure .................................................... 1-1

2. Intrusion Detection and Prevention Principles ............................... 2-1
   2.1 Uses of IDPS Technologies ............................................. 2-1
   2.2 Key Functions of IDPS Technologies .................................... 2-2
   2.3 Common Detection Methodologies ........................................ 2-3
       2.3.1 Signature-Based Detection ....................................... 2-4
       2.3.2 Anomaly-Based Detection ......................................... 2-4
       2.3.3 Stateful Protocol Analysis ...................................... 2-5
   2.4 Types of IDPS Technologies ............................................ 2-6
   2.5 Summary ............................................................... 2-7

3. IDPS Technologies ........................................................... 3-1
   3.1 Components and Architecture ........................................... 3-1
       3.1.1 Typical Components .............................................. 3-1
       3.1.2 Network Architectures ........................................... 3-1
   3.2 Security Capabilities ................................................. 3-2
       3.2.1 Information Gathering Capabilities .............................. 3-2
       3.2.2 Logging Capabilities ............................................ 3-2
       3.2.3 Detection Capabilities .......................................... 3-3
       3.2.4 Prevention Capabilities ......................................... 3-4
   3.3 Management ............................................................ 3-4
       3.3.1 Implementation .................................................. 3-4
       3.3.2 Operation and Maintenance ....................................... 3-6
       3.3.3 Building and Maintaining Skills ................................. 3-9
   3.4 Summary ............................................................... 3-10

4. Network-Based IDPS .......................................................... 4-1
   4.1 Networking Overview ................................................... 4-1
       4.1.1 Application Layer ............................................... 4-1
       4.1.2 Transport Layer ................................................. 4-2
       4.1.3 Network Layer ................................................... 4-2
       4.1.4 Hardware Layer .................................................. 4-3
   4.2 Components and Architecture ........................................... 4-3
       4.2.1 Typical Components .............................................. 4-3
       4.2.2 Network Architectures and Sensor Locations ...................... 4-4
   4.3 Security Capabilities ................................................. 4-7
       4.3.1 Information Gathering Capabilities .............................. 4-7
       4.3.2 Logging Capabilities ............................................ 4-8
       4.3.3 Detection Capabilities .......................................... 4-9
       4.3.4 Prevention Capabilities ......................................... 4-12
   4.4 Management ............................................................ 4-13
       4.4.1 Implementation .................................................. 4-14
       4.4.2 Operation and Maintenance ....................................... 4-14
   4.5 Summary ............................................................... 4-14

5.
   5.1 Wireless Networking Overview .......................................... 5-1
       5.1.1 WLAN Standards .................................................. 5-1
       5.1.2 WLAN Components .........................
