![Page 1: Intrusion Detection Chapter 12. Learning Objectives Explain what intrusion detection systems are and identify some major characteristics of intrusion](https://reader036.vdocuments.mx/reader036/viewer/2022062717/56649e265503460f94b15b87/html5/thumbnails/1.jpg)
Intrusion Detection
Chapter 12
Learning Objectives
Explain what intrusion detection systems are and identify some major characteristics of intrusion detection products
Detail the differences between host-based and network-based intrusion detection
Identify active detection and passive detection features of both host- and network-based IDS products
continued…
Learning Objectives
Explain what honeypots are and how they are employed to increase network security
Clarify the role of security incident response teams in the organization
Intrusion Detection System (IDS)
Detects malicious activity in computer systems
Identifies and stops attacks in progress
Conducts forensic analysis once the attack is over
The Value of IDS
Monitors network resources to detect intrusions and attacks that were not stopped by preventative techniques (firewalls, packet-filtering routers, proxy servers)
Expands available options to manage risk from threats and vulnerabilities
Negatives and Positives
IDS must correctly identify intrusions and attacks
True positives: an attack that is correctly reported
True negatives: benign activity that is correctly left alone
False negatives: IDS missed an attack
False positives: benign activity reported as malicious
Dealing with False Negatives and False Positives
False negatives
Obtain more coverage by using a combination of network-based and host-based IDS
Deploy NIDS at multiple strategic locations in the network
False positives
Reduce their number using the tuning process
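An added example (Python, not part of the chapter) that puts the tuning trade-off in numbers: confusion counts are derived from a constructed batch of labelled events, and expected_precision applies Bayes' rule to show why a sensor's false-positive rate dominates analyst workload when real attacks are a tiny fraction of all events. The event list, rates and volumes are invented for illustration.

```python
# Added example: confusion counts, detection rates and the base-rate effect.
# SAMPLE_EVENTS is constructed for the example, not taken from any real sensor.
# Each tuple is (ids_alerted, actually_malicious) for one event.
SAMPLE_EVENTS = [
    (True, True), (True, True),                       # attacks the IDS caught
    (True, False), (True, False), (True, False),      # benign events it flagged
    (False, True),                                    # attack it missed
    (False, False), (False, False), (False, False),   # benign events it ignored
    (False, False),
]


def confusion_counts(events):
    """Count true/false positives and negatives from (alerted, malicious) pairs."""
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for alerted, malicious in events:
        if alerted:
            counts["tp" if malicious else "fp"] += 1
        else:
            counts["fn" if malicious else "tn"] += 1
    return counts


def rates(counts):
    """Detection rate (TPR), false-positive rate (FPR) and alert precision."""
    tp, fp, tn, fn = counts["tp"], counts["fp"], counts["tn"], counts["fn"]
    return {
        "tpr": tp / (tp + fn) if tp + fn else 0.0,
        "fpr": fp / (fp + tn) if fp + tn else 0.0,
        "precision": tp / (tp + fp) if tp + fp else 0.0,
    }


def expected_precision(tpr, fpr, base_rate):
    """Fraction of alerts that are real attacks when attacks are base_rate of all events.

    P(attack | alert) = tpr*b / (tpr*b + fpr*(1-b))   (Bayes' rule)
    """
    hits = tpr * base_rate
    noise = fpr * (1.0 - base_rate)
    return hits / (hits + noise) if hits + noise else 0.0


def alerts_per_day(events_per_day, tpr, fpr, base_rate):
    """Expected daily alert volume an analyst has to triage."""
    return events_per_day * (tpr * base_rate + fpr * (1.0 - base_rate))


if __name__ == "__main__":
    c = confusion_counts(SAMPLE_EVENTS)
    print(c, rates(c))
    # Tuning: same detection rate, FPR cut 100x, attacks are 0.1% of events
    for fpr in (0.01, 0.0001):
        print(f"fpr={fpr}: precision={expected_precision(0.99, fpr, 0.001):.2f} "
              f"alerts/day={alerts_per_day(1_000_000, 0.99, fpr, 0.001):,.0f}")
```

With a 99% detection rate and a 1% false-positive rate, only about 9% of alerts are real when one event in a thousand is an attack; cutting the false-positive rate to 0.01% lifts that above 90% without touching detection, which is what the tuning process buys.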
Types of IDS
Network-based (NIDS)
Host-based (HIDS)
Network-based IDS
Uses a dedicated platform for purpose of monitoring network activity
Analyzes all passing traffic
Sensors have two network connections
One operates in promiscuous mode to sniff passing traffic; it is normally given no IP address, so the sensor cannot be addressed or attacked through it
An administrative NIC sends data such as alerts to a centralized management system
Most commonly employed form of IDS
NIDS Architecture
Place IDS sensors strategically to defend most valuable assets
Typical locations of IDS sensors
Just inside the firewall
On the DMZ
On network segments connecting mainframe or midrange hosts
Switch Port Analyzer (SPAN)
Allows traffic sent or received in one interface to be copied to another monitoring interface
Typically used for sniffers or NIDS sensors
How SPAN Works (diagram only in the original slide)
Limitations of SPAN
Traffic between hosts on the same segment is not monitored when only the uplink is mirrored; only traffic leaving the segment crosses the monitored link
Switch may offer a limited number of SPAN ports or none at all
Mirroring several busy ports into one destination can oversubscribe the SPAN port; the switch drops the excess, so the sensor misses traffic exactly when the network is busiest
Hub
Device for creating LANs that forwards every packet received to every host on the LAN
Allows only a single switch port to be monitored: the hub is inserted inline between that port and its host, and the link drops to half-duplex
Using a Hub in a Switched Infrastructure (diagram only in the original slide)
Tap
Passive, fault-tolerant hub-like device placed inline on a link; it copies the traffic to a monitoring port and keeps forwarding even if it loses power, so it provides IDS monitoring in switched network infrastructures without the limits of a SPAN port or a hub
![Page 18: Intrusion Detection Chapter 12. Learning Objectives Explain what intrusion detection systems are and identify some major characteristics of intrusion](https://reader036.vdocuments.mx/reader036/viewer/2022062717/56649e265503460f94b15b87/html5/thumbnails/18.jpg)
NIDS Signature Types
Signature-based IDS
Port signatures: match on the well-known port numbers of attack tools or prohibited services
Header signatures: match on illegal or suspicious header field combinations, for example a TCP segment with both SYN and FIN set
![Page 19: Intrusion Detection Chapter 12. Learning Objectives Explain what intrusion detection systems are and identify some major characteristics of intrusion](https://reader036.vdocuments.mx/reader036/viewer/2022062717/56649e265503460f94b15b87/html5/thumbnails/19.jpg)
Network IDS Reactions
TCP resets
IP session logging
Shunning or blocking
![Page 20: Intrusion Detection Chapter 12. Learning Objectives Explain what intrusion detection systems are and identify some major characteristics of intrusion](https://reader036.vdocuments.mx/reader036/viewer/2022062717/56649e265503460f94b15b87/html5/thumbnails/20.jpg)
Host-based IDS
Primarily used to protect only critical servers
Software agent resides on the protected system
Detects intrusions by analyzing logs of operating systems and applications, resource utilization, and other system activity
Use of resources can have an impact on system performance
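An added example (Python, not from the chapter) of the log-analysis part of a HIDS: it parses constructed sshd syslog lines, keeps a sliding window of failed logins per source address, raises a finding when the window fills, and escalates if the same source then logs in successfully. The log lines, host names, user names and addresses are invented; the year supplied to the parser is an assumption, since syslog timestamps carry none.

```python
# Added example: HIDS-style log auditing over constructed sshd syslog lines.
# Flags a source that fails to log in `threshold` times inside `window_seconds`,
# and escalates if the same source later succeeds (a likely compromised account).
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log; hosts, users and addresses are invented.
SAMPLE_LOG = """\
Mar  3 10:15:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51322 ssh2
Mar  3 10:15:03 web1 sshd[2203]: Failed password for root from 203.0.113.7 port 51330 ssh2
Mar  3 10:15:05 web1 sshd[2204]: Failed password for root from 203.0.113.7 port 51331 ssh2
Mar  3 10:15:08 web1 sshd[2206]: Failed password for invalid user oracle from 203.0.113.7 port 51340 ssh2
Mar  3 10:15:11 web1 sshd[2207]: Failed password for root from 203.0.113.7 port 51345 ssh2
Mar  3 10:15:40 web1 sshd[2209]: Accepted password for alice from 203.0.113.7 port 51390 ssh2
Mar  3 10:20:00 web1 sshd[2300]: Failed password for bob from 198.51.100.9 port 40001 ssh2
Mar  3 10:21:00 web1 sshd[2301]: Accepted publickey for bob from 198.51.100.9 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2024):
    """Return a dict for an sshd auth line, or None for lines we do not audit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the auditor supplies it (assumption).
    stamp = " ".join(m["ts"].split())
    return {"ts": datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"),
            "host": m["host"], "result": m["result"], "user": m["user"], "src": m["src"]}


def audit(log_text, threshold=5, window_seconds=60):
    """Sliding-window count of failures per source; returns findings in log order."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        recent = failures[ev["src"]]
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            while recent and (ev["ts"] - recent[0]).total_seconds() > window_seconds:
                recent.popleft()
            if len(recent) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                findings.append({"type": "BRUTE_FORCE", "src": ev["src"],
                                 "host": ev["host"], "failures": len(recent)})
        elif ev["src"] in flagged:   # Accepted login from a source already flagged
            findings.append({"type": "SUCCESS_AFTER_BRUTE_FORCE", "src": ev["src"],
                             "user": ev["user"], "at": ev["ts"].isoformat()})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

The threshold and window are the tuning knobs from the earlier slide: set too low, a user mistyping a password becomes a false positive; set too high, a slow brute force stays a false negative. The second finding type is the one worth paging on, since an accepted login after a burst of failures is the point where an attack has probably succeeded.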
HIDS Method of Operation
Auditing logs (system logs, event logs, security logs, syslog)
Monitoring file checksums to identify changes
Elementary network-based signature techniques, including port activity
Intercepting and evaluating requests by applications for system resources before they are processed
Monitoring of system processes for suspicious activity
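An added example (Python, not from the chapter) of the file-checksum method: build_baseline records a SHA-256, size and permission bits for every regular file under a directory, and compare reports what was added, removed or modified. demo() runs the whole cycle against a constructed temporary tree, so it touches no real system files; the file names and contents are invented.

```python
# Added example: the "file checksum" HIDS method as a minimal baseline/verify
# tool. demo() builds a temporary tree, baselines it, tampers with it and
# reports the differences; nothing here touches real system files.
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, streamed so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map relative path -> hash, size and permission bits for every regular file."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue                      # symlinks and specials are out of scope here
            st = os.stat(full)
            baseline[os.path.relpath(full, root)] = {
                "sha256": hash_file(full),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,  # catches a new setuid bit, not just content
            }
    return baseline


def compare(baseline, current):
    """Added, removed and modified files; a permission change counts as modified."""
    report = {"added": [], "removed": [], "modified": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        elif baseline[rel] != current[rel]:
            report["modified"].append(rel)
    return report


def _write(path, data, mode=None):
    with open(path, "wb") as fh:
        fh.write(data)
    if mode is not None:
        os.chmod(path, mode)


def demo():
    """Constructed scenario: trojaned binary, setuid drop, loosened config, deleted file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        _write(os.path.join(root, "bin", "ls"), b"original binary\n", 0o755)
        _write(os.path.join(root, "etc.conf"), b"debug=0\n", 0o644)
        _write(os.path.join(root, "passwd"), b"root:x:0:0::/root:/bin/sh\n", 0o644)
        stored = json.dumps(build_baseline(root))   # a real HIDS keeps this off-host or signed
        _write(os.path.join(root, "bin", "ls"), b"trojaned binary\n")           # content change
        _write(os.path.join(root, "bin", "backdoor"), b"#!/bin/sh\n", 0o4755)  # new setuid file
        os.chmod(os.path.join(root, "etc.conf"), 0o666)                        # permission-only change
        os.remove(os.path.join(root, "passwd"))                                # deletion
        return compare(json.loads(stored), build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The baseline is only as trustworthy as its storage: an intruder with root can rewrite a baseline kept on the same host, so production tools store it off-host or sign it, and the check itself should run from media the intruder cannot alter.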
HIDS Software
Host wrappers
Inexpensive and deployable on all machines
Do not provide the in-depth, active monitoring measures of agent-based HIDS products
Agent-based software
More suited for single-purpose servers
HIDS Active Monitoring Capabilities
Log the event
Alert the administrator
Terminate the user login
Disable the user account
Advantages of Host-based IDS
Verifies success or failure of attack by reviewing HIDS log entries
Monitors use and system activities; useful in forensic analysis of the attack
Protects against attacks that are not network based
Reacts very quickly to intrusions
continued…
Advantages of Host-based IDS
Not reliant on particular network infrastructure; not limited by switched infrastructures
Installed on protected server itself; requires no additional hardware to deploy and no changes to network infrastructure
Passive Detection Systems
Can take passive action (logging and alerting) when an attack is identified
Cannot take active actions to stop an attack in progress
Active Detection Systems
Have logging, alerting, and recording features of passive IDS, with additional ability to take action against offending traffic
Options
IDS shunning or blocking
TCP reset
Used in networks where the IDS administrator has carefully tuned the sensor's behavior to minimize the number of false positive alarms; once the sensor acts, a false positive blocks legitimate traffic, and an attacker who spoofs the source address of an attack can trick the sensor into shunning a legitimate host
TCP Reset (diagram only in the original slide)
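An added example (Python, standard library only, not from the chapter) of what a sensor's TCP reset actually puts on the wire: given the fields of the segment that triggered the alert, reset_pair forges one RST toward each endpoint, impersonating the other, with the sequence numbers chosen so that each receiver accepts the segment as in-window. The observed segment in the test is constructed; the raw-socket send a real sensor would perform is not shown.

```python
# Added example: how an active NIDS forges TCP RST segments to tear down a
# connection it has judged hostile. Pure standard library; a sensor would
# send these bytes via a raw socket (not shown, needs root).
import socket
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10


def _checksum(data):
    """Internet checksum (RFC 1071) over data, as a 16-bit integer."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp(src, dst, sport, dport, seq, ack, flags, window=0):
    """20-byte TCP header, no options; checksum covers the IPv4 pseudo-header."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(hdr))
    return hdr[:16] + struct.pack("!H", _checksum(pseudo + hdr)) + hdr[18:]


def build_ipv4(src, dst, payload, ttl=64):
    """20-byte IPv4 header (protocol 6 = TCP, DF set) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                      ttl, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:] + payload


def reset_pair(observed):
    """Craft the two RSTs a sensor sends after seeing one segment of a flow.

    observed: dict with src, dst, sport, dport, seq, ack, flags and the payload
    length 'len' of the segment that triggered the alert.
    """
    o = observed
    # Next sequence number the sender will use (SYN and FIN each consume one).
    consumed = o["len"] + bool(o["flags"] & TCP_SYN) + bool(o["flags"] & TCP_FIN)
    next_seq = (o["seq"] + consumed) & 0xFFFFFFFF
    # To the receiver, impersonating the sender: seq must be what the receiver
    # expects next, or it falls outside the window and is silently ignored.
    to_dst = build_ipv4(o["src"], o["dst"],
                        build_tcp(o["src"], o["dst"], o["sport"], o["dport"],
                                  next_seq, 0, TCP_RST))
    # To the sender, impersonating the receiver: seq is the ack number we saw.
    to_src = build_ipv4(o["dst"], o["src"],
                        build_tcp(o["dst"], o["src"], o["dport"], o["sport"],
                                  o["ack"], next_seq, TCP_RST | TCP_ACK))
    return to_dst, to_src


def parse_packet(packet):
    """Decode the fields of an IPv4+TCP packet produced above (for checking)."""
    ihl = (packet[0] & 0x0F) * 4
    sport, dport, seq, ack, _off, flags = struct.unpack("!HHIIBB", packet[ihl:ihl + 14])
    return {"src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20]),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags}


def checksums_ok(packet):
    """A receiver's check: both the IP and TCP checksums must verify to zero."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    pseudo = packet[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return _checksum(packet[:ihl]) == 0 and _checksum(pseudo + tcp) == 0
```

Two caveats follow directly from the code. The sensor is racing the real endpoints: if the next genuine segment arrives first, the forged sequence number is stale and the RST is discarded, which is why resets are unreliable against fast bulk transfers and useless against UDP. And the forged RST is indistinguishable from an attacker's, so the sensor's sending interface needs the same protection as any other system that can inject spoofed traffic.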
Signature-based and Anomaly-based IDS
Signature detection
Also known as misuse detection
IDS analyzes the information it gathers and compares it to a database of known attacks, which are identified by their individual signatures
Anomaly detection
A baseline is defined to describe the normal state of the network or host
Any activity outside the baseline is treated as a potential attack; this is why anomaly detection can catch novel attacks but also produces more false positives than signature matching
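An added example (Python, not from the chapter) that puts the two methods side by side, and also serves the earlier NIDS Signature Types slide: signature_alerts applies port signatures (the default ports of two old remote-control trojans) and header signatures (flag combinations no legitimate stack sends), while AnomalyDetector learns a baseline of services and transfer sizes from a training set and flags departures from it. All flow records are constructed; the addresses and byte counts are invented.

```python
# Added example: a signature engine (port and header signatures) beside an
# anomaly detector trained on a baseline, run over constructed flow records.
import statistics
from collections import defaultdict

TCP_FIN, TCP_SYN, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x08, 0x10

# Constructed "normal" traffic used to build the baseline: web and DNS only.
FLOWS_TRAIN = [
    {"src": "10.0.0.5", "dst": "192.0.2.10", "proto": "tcp", "sport": 40001,
     "dport": 80, "flags": TCP_PSH | TCP_ACK, "bytes": b}
    for b in (4000, 4500, 5000, 5500, 6000)
] + [
    {"src": "10.0.0.5", "dst": "192.0.2.53", "proto": "udp", "sport": 50001,
     "dport": 53, "flags": 0, "bytes": b}
    for b in (100, 110, 120, 130, 140)
]

# Constructed flows to analyze: normal web, trojan port, SYN+FIN probe,
# oversized web transfer, normal DNS.
FLOWS_TEST = [
    {"src": "10.0.0.5", "dst": "192.0.2.10", "proto": "tcp", "sport": 40100, "dport": 80,
     "flags": TCP_PSH | TCP_ACK, "bytes": 5100},
    {"src": "10.0.0.9", "dst": "192.0.2.10", "proto": "tcp", "sport": 40101, "dport": 12345,
     "flags": TCP_SYN, "bytes": 80},
    {"src": "10.0.0.9", "dst": "192.0.2.10", "proto": "tcp", "sport": 40102, "dport": 80,
     "flags": TCP_SYN | TCP_FIN, "bytes": 60},
    {"src": "10.0.0.5", "dst": "192.0.2.10", "proto": "tcp", "sport": 40103, "dport": 80,
     "flags": TCP_PSH | TCP_ACK, "bytes": 500000},
    {"src": "10.0.0.5", "dst": "192.0.2.53", "proto": "udp", "sport": 50002, "dport": 53,
     "flags": 0, "bytes": 120},
]

# Port signatures: default ports of two well-known remote-control trojans.
PORT_SIGNATURES = {("tcp", 12345): "NetBus default port",
                   ("udp", 31337): "Back Orifice default port"}


def header_signatures(flow):
    """Header field combinations no legitimate TCP stack produces."""
    hits = []
    if flow["proto"] != "tcp":
        return hits
    f = flow["flags"]
    if f & TCP_SYN and f & TCP_FIN:
        hits.append("SYN and FIN set together")
    if f == 0:
        hits.append("no flags set (NULL scan)")
    if flow["sport"] == 0:
        hits.append("source port 0")
    return hits


def signature_alerts(flow):
    alerts = []
    name = PORT_SIGNATURES.get((flow["proto"], flow["dport"]))
    if name:
        alerts.append(("signature", f"port signature: {name}"))
    alerts += [("signature", f"header signature: {h}") for h in header_signatures(flow)]
    return alerts


class AnomalyDetector:
    """Baseline = services seen in training plus per-service byte statistics."""

    def __init__(self, training):
        self.known_services = {(f["dst"], f["proto"], f["dport"]) for f in training}
        sizes = defaultdict(list)
        for f in training:
            sizes[(f["proto"], f["dport"])].append(f["bytes"])
        self.byte_stats = {k: (statistics.mean(v), statistics.pstdev(v)) for k, v in sizes.items()}

    def alerts(self, flow, z_limit=3.0):
        alerts = []
        if (flow["dst"], flow["proto"], flow["dport"]) not in self.known_services:
            alerts.append(("anomaly", f"service never seen in baseline: "
                                      f"{flow['dst']}:{flow['dport']}/{flow['proto']}"))
        stats = self.byte_stats.get((flow["proto"], flow["dport"]))
        if stats and stats[1] > 0:
            z = (flow["bytes"] - stats[0]) / stats[1]
            if z > z_limit:
                alerts.append(("anomaly", f"transfer of {flow['bytes']} bytes is "
                                          f"{z:.0f} sigma above baseline"))
        return alerts


def analyze(detector, flows):
    """Per flow, the combined list of (kind, detail) alerts from both methods."""
    return [signature_alerts(f) + detector.alerts(f) for f in flows]
```

The third and fourth test flows show the complementarity: the SYN+FIN probe is caught only by a signature, because it goes to a baseline service at a normal size, while the oversized transfer is caught only by the anomaly detector, because no signature describes "too many bytes to a legitimate port".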
Intrusion Detection Products
Aladdin Knowledge Systems
Entercept Security Technologies
Cisco Systems, Inc.
Computer Associates International Inc.
CyberSafe Corp.
Cylant Technology
Enterasys Networks Inc.
Internet Security Systems Inc.
Intrusion.com Inc. family of IDS products
Honeypots
False systems that lure intruders and gather information on the methods and techniques they use to penetrate networks, by purposely becoming victims of their attacks
Simulate unsecured network services
Make the forensic process easy for investigators, since no legitimate traffic should ever reach a honeypot
Commercial Honeypots
ManTrap
Specter
Smoke Detector
NetFacade
Open Source Honeypots
BackOfficer Friendly
BigEye
Deception Toolkit
LaBrea Tarpit
Honeyd
Honeynets
User Mode Linux
Honeypot Deployment
Goal
Gather information on hacker techniques, methodology, and tools
Options
Conduct research into hacker methods
Detect an attacker inside the organization's network perimeter
Honeypot Design
Must attract, and avoid tipping off, the attacker
Must not become a staging ground for attacking other hosts inside or outside the firewall
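An added example (Python, not from the chapter and not any of the products listed above) of the low-interaction design these two requirements push toward: the honeypot presents a plausible service banner to attract the visitor, records everything sent, and implements no commands whatsoever, so a successful "login" gives the attacker nothing to stage from. probe() stands in for the attacker so the example runs offline on loopback; the banner text and the probe payload are invented.

```python
# Added example: a low-interaction honeypot. It offers a fake banner, records
# whatever the visitor sends, and implements no commands at all, so it cannot
# be used as a staging ground. probe() plays the attacker on loopback.
import socket
import socketserver
import threading
import time
from datetime import datetime, timezone

# Constructed banner: pretends to be an old mail server, a common lure.
FAKE_BANNER = b"220 mail.example.invalid ESMTP Sendmail 8.12.8/8.12.8; ready\r\n"


class HoneypotHandler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.settimeout(2.0)
        self.request.sendall(self.server.banner)
        captured = b""
        try:
            while len(captured) < self.server.max_capture:
                chunk = self.request.recv(1024)
                if not chunk:
                    break
                captured += chunk
        except socket.timeout:
            pass
        # No command is ever interpreted: every byte is evidence, nothing executes.
        self.server.record(self.client_address, captured)


class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address, banner=FAKE_BANNER, max_capture=4096):
        super().__init__(address, HoneypotHandler)
        self.banner = banner
        self.max_capture = max_capture
        self.records = []
        self._lock = threading.Lock()

    def record(self, peer, data):
        with self._lock:
            self.records.append({"time": datetime.now(timezone.utc).isoformat(),
                                 "peer": peer[0], "port": peer[1], "data": data})


def start_honeypot(host="127.0.0.1", port=0):
    """Bind (port 0 = any free port) and serve in a background thread."""
    hp = Honeypot((host, port))
    threading.Thread(target=hp.serve_forever, daemon=True).start()
    return hp


def probe(host, port, payload):
    """Stand-in attacker: read the banner, send a command, hang up."""
    with socket.create_connection((host, port), timeout=5) as s:
        banner = s.recv(1024)
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
    return banner


def demo():
    """Run one visit end to end and return what the attacker saw and what was logged."""
    hp = start_honeypot()
    try:
        banner = probe(*hp.server_address, b"EHLO scanner\r\nVRFY root\r\n")
        for _ in range(100):            # wait for the handler thread to log the visit
            if hp.records:
                break
            time.sleep(0.05)
        return banner, list(hp.records)
    finally:
        hp.shutdown()
        hp.server_close()
```

max_capture and the receive timeout bound what one visitor can cost the host, which matters because a honeypot that can be tied up or filled is itself a denial-of-service target. Running it on a dedicated, egress-filtered machine covers the second design rule: even if the process were compromised, the host has nowhere to go.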
Honeypots, Ethics, and the Law
Nothing wrong with deceiving an attacker into thinking that he/she is penetrating an actual host
Honeypot does not convince one to attack it; it merely appears to be a vulnerable target
Doubtful that honeypots could be used as evidence in court
Incident Response
Every IDS deployment should include two documents to answer the "what now" questions
IDS monitoring policy and procedure
Requires well-documented monitoring procedures that detail the actions to take for specific alerts
Incident response plan
Assigns the personnel responsible for assembling the resources required to handle security incidents
Typical SIRT Objectives
Determine how the incident happened
Establish a process for avoiding further exploitation of the same vulnerability
Avoid escalation and further incidents
Assess the impact and damage of the incident
Recover from the incident
continued…
Chapter Summary
Two major types of intrusion detection
Network-based IDS (monitors network traffic)
Host-based IDS (monitors activity on individual computers)
Honeypots
Incident response