1 / 33

Intrusion Detection Systems and Network Security

Intrusion Detection Systems and Network Security. Chapter 13. Objectives. Apply the appropriate network tools to facilitate network security. Determine the appropriate use of tools to facilitate network security. Apply host-based security applications. Key Terms. Access control lists (ACLs)

dooley
Download Presentation

Intrusion Detection Systems and Network Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Intrusion Detection Systemsand Network Security Chapter 13

  2. Objectives • Apply the appropriate network tools to facilitate network security. • Determine the appropriate use of tools to facilitate network security. • Apply host-based security applications.

  3. Key Terms • Access control lists (ACLs) • Antispam • Antivirus • Content-based signature • Context-based signature • False negative • False positive • Firewall • Heuristic scanning • Honeypot • Host-based IDS (HIDS) • Internet content filter • Intrusion detection system (IDS)

  4. Network Security: A Layered Approach As need for security increases, layers of security should be added. Layers could include passwords, firewalls, access lists, file permissions, and intrusion detection systems Intrusion detection systems are one of the more complex layers. Detects inappropriate or malicious activity on a computer or network.

  5. History of Intrusion Detection Systems • Stalker (host-based) released 1989 • Mid-1990s IDS gain popularity commercially. • WheelGroup develops first network-based IDS under the name NetRanger. • Internet Security Systems’ Realsecure released in 1996. • By 1998 IDS was considered a vital part of network security.

  6. History of the Internet and IDS

  7. IDS Components • Traffic collector / sensor • Analysis engine • Signature database • User interface and reporting

  8. IDS Components (continued)

  9. Types of IDS • Host-based IDS (HIDS) • Network-based IDS (NIDS) • Distinguished by detection method: • Signature-based IDS - Relies heavily on a predefined set of attack and traffic patterns called signatures. • Anomaly-based (heuristic) IDS - Monitors activity and attempts to classify it as either “normal” or “anomalous.”

  10. Network IDS Components

  11. Advantages of NIDS • Providing IDS coverage requires fewer systems. • Deployment, maintenance, and upgrade costs are usually lower. • A NIDS has visibility into all network traffic and can correlate attacks among multiple systems. • Disadvantages of NIDS • It is ineffective when traffic is encrypted. • It can’t see traffic that does not cross it. • It must be able to handle high volumes of traffic. • It doesn’t know about activity on the hosts themselves.

  12. Active vs. Passive NIDS • Passive NIDS • Generates an alarm when it matches a pattern and does not interact with the traffic in any way. • Active NIDS • Reactive response to an attack such as a TCP reset. • TCP reset • The most common defensive ability for an active NIDS. • The reset message (RST) tells both sides of the connection to drop the session and stop communicating immediately.

  13. Signatures • Content-based signatures • Matching characters or strings • Generally the simplest types • Easy to build and look for simple things, such as a certain string of characters or a certain flag set in a TCP packet • Context-based signatures (heuristics) • Matching patterns of activity • Generally more complex

  14. Firewalls • A network device—hardware, software, or a combination thereof • Determines what traffic should be allowed or denied to pass in or out of a network

  15. How Firewalls Work • Firewall Mechanisms • Network Address Translation (NAT) • Basic packet filtering (header information) • Stateful inspection (header and contents) pg 335 • Access control lists (ACLs) • Rules applied to ports and IP addresses

  16. Intrusion Prevention Systems • In addition to IDS functions, it has the capability of stopping or preventing malicious attack. • Some can inspect encrypted traffic (SSL traffic) • Often rated by the amount of traffic that can be processed without dropping packets.

  17. Internet Content Filters • Used to: • Filter undesirable content • Filter malicious code such as browser hijacking attempts • Challenges: • Blacklists of websites difficult to maintain • Keyword filtering may generate false positives • Determined users will attempt to bypass the system • Barracuda Case Study

  18. Honeypots and Honeynets • A honeypot is a system or group of systems designed to attract an attacker’s attention. • Allows the attackers methods to be observed without putting real systems at risk • Activity recorded for later analysis • Afford information and additional security but require significant cost and effort to maintain • A honeynet is a group of honeypots.

  19. Host-Based IDS (HIDS) • Examines activity only on a specific host • Examines logs, audit trails, and network traffic coming into or leaving the host • Examination is done in real time or periodically • Flags that may raise the alarm in a HIDS • Login failures • Logins at irregular hours • Privilege escalation • Additions of new user accounts

  20. How HIDS Work • The traffic collector aggregates information. • The analysis engine reviews the data. • May implement a decision tree to classify activities and make decisions • Signature database may be used to match activities to predefined activity or patterns • Users work with HIDS through the user interface which include the visible components of the HIDS.

  21. Antivirus Products • Used to identify, neutralize, or remove malicious programs, macros, and files. • Scanning approaches: • Signature-based scanning • Heuristic scanning • Modern antivirus products have: • Automated updates • Automated scanning • Media scanning • Manual Scanning • E-mail scanning • Resolution

  22. Personal Software Firewalls • Host-based protective mechanism that controls traffic going into and out of a single system. • Various free and commercial firewall software is available. • Zone Alarm

  23. Pop-up Blockers and Windows Defender • Pop-up Blockers • Attempts to prevent web pages from opening a new tab or window • Windows Defender • Designed to remove spyware and unwanted programs from your PC • Includes spyware detection and removal, scheduled scanning, automatic updates, real-time protection, software explorer, and configurable responses

  24. Chapter Summary • Apply the appropriate network tools to facilitate network security. • Determine the appropriate use of tools to facilitate network security. • Apply host-based security applications.

More Related