Intrusion Prevention, Detection & Response. IDS vs IPS IDS = Intrusion detection system IPS = intrusion prevention system

Download Intrusion Prevention, Detection & Response. IDS vs IPS IDS = Intrusion detection system IPS = intrusion prevention system

Post on 23-Dec-2015

223 views

Category:

Documents

0 download

Embed Size (px)

TRANSCRIPT

<ul><li> Slide 1 </li> <li> Intrusion Prevention, Detection &amp; Response </li> <li> Slide 2 </li> <li> IDS vs IPS IDS = Intrusion detection system IPS = intrusion prevention system </li> <li> Slide 3 </li> <li> IDS Monitors a system for Malicious activities. Policy violations not all policy violations are malicious. </li> <li> Slide 4 </li> <li> IDS Categories Two categories of IDS: A network-based IDS monitors network data packets for malicious activity. Example: Snort, Comodo-firewall A host-based IDS analyzes any combination of system calls, applications logs, file modifications, and other host activities. Example: Tripwire, WinPatrol, Anti-Virus software </li> <li> Slide 5 </li> <li> Passive vs Reactive IDS </li> <li> Slide 6 </li> <li> Passive IDS Logs the possible intrusion, and sends an alert. The alert could be an e-mail to SA staff; or posting the alert on a monitored console (or both). This is how Tripwire behaves. </li> <li> Slide 7 </li> <li> Reactive IDS The reactive IDS, (aka IPS), would respond to an intrusion with a pre-configured defense strategy in real time. Snort, e-mail filters, and many anti-virus packages can be configured to be reactive. </li> <li> Slide 8 </li> <li> Revised Taxonomy Revised Taxonomy for IDS vs IPS IDS is either Passive or Reactive. An IPS prevents intrusions. </li> <li> Slide 9 </li> <li> IPS (Revised Taxonomy) Passwords Login Server (example: Kerberos) Firewalls : Consists of a combination of hardware and software. Access controls applied to hardware, software, and data. Physical security </li> <li> Slide 10 </li> <li> IPS (Revised Taxonomy) In Summary, the IPS is a barrier. The IDS is needed when the IPS barrier is breached. </li> <li> Slide 11 </li> <li> IPS : Firewall A combination of software and hardware used to implement security policies governing the network traffic between two or more networks. A firewall is a system used to enforce network traffic security policy. </li> <li> Slide 12 </li> <li> IPS: Firewall System 1. Design the system 2. Acquire the hardware and software 3. Acquire training, documentation and support 4. Install and configure the system 5. Test the system 6. Maintain the system (sustainability cycle) </li> <li> Slide 13 </li> <li> IPS : Other Systems Implement Access controls Physical security Login Server </li> <li> Slide 14 </li> <li> IPS Access Controls Windows Professional provides access control lists. Unix/Linux has a simple access control system: User, Group, World + read, write, execute Princeton study showed that complex access controls lead to mis-configuration. Proper training is essential. </li> <li> Slide 15 </li> <li> IPS : Physical Security Previously covered: Locks on doors, limited access, keycards, proximity badges, etc </li> <li> Slide 16 </li> <li> IPS : Login Server Kerberos is a common login server that goes beyond the user-id &amp; password authentication process. Kerberos was developed at MIT </li> <li> Slide 17 </li> <li> Kerberos </li> <li> Slide 18 </li> <li> Slide 19 </li> <li> Intrusion Detection Data: Characterization Information Collect characterization information, CI. Characterization information must be monitored regularly </li> <li> Slide 20 </li> <li> IDS : Characterization Info System logs File checksums System performance metrics provided by system monitoring applications Expected activities by users and applications </li> <li> Slide 21 </li> <li> CI : System Logs System logs require 1) access controls 2) back-up 3) encrypted. Unix/Linux /var/log MS Windows systemroot\WINDOWS\System32\Config\*.evt Enable event logging and use the event viewer (eventvwr.msc) </li> <li> Slide 22 </li> <li> System Log Files Log files can grow and use up space. Log files should periodically be backed-up then removed to make space for new log information. </li> <li> Slide 23 </li> <li> Slide 24 </li> <li> Checksums Tripwire creates a database of checksums for a list of specified files (data, source, binary, etc). The data base of checksums acts as a baseline for comparison. Common checksum algorithms: MD5 SHA CRC </li> <li> Slide 25 </li> <li> System Performance Metrics Server/computer system metrics Network activity metrics </li> <li> Slide 26 </li> <li> System Resource CI Report the top resource users (examples: top, sysstat) CPU time usage Memory usage (example: free) Number of active processes (by all user-ids, including system ids) Number of active open files Number of files IO data transfer Disk space usage and free space IO transfer rate Other devices used by processes Login sessions Login attempts </li> <li> Slide 27 </li> <li> Network Resource CI Connection attempts Connection duration Number of connections Source &amp; destination of data packets Bandwidth usage (by user and total) Transfer rates Error counts </li> <li> Slide 28 </li> <li> E-mail CI Number of sent messages Number of received messages Mail message sizes read/unread message count Consider logs of other possible communication devices like telephones and company issued cell phones. </li> <li> Slide 29 </li> <li> System Security Logging &amp; Auditing Documentation Document the characterization information to collect log files network CI computing system CI, etc. Document which events should produce an alert Document system and application updates Document roles and responsibilities of SA staff. Document a sustainability cycle Document an intrusion detection response </li> <li> Slide 30 </li> <li> Intrusion Response Team Create a security response team Document the responsibilities of the intrusion response team members Document a contact list for the team Update the documentation regularly (sustainability cycle) Document what to do in an emergency. </li> </ul>