
Network Intrusion Detection


Presentation Transcript


  1. Network Intrusion Detection. By Biju Varghese, Siva Jambulingam, Rohan Belani

  2. Team Roles • Theory of Network Intrusion Detection Systems - Siva • Problems in Network Intrusion Detection Systems - Biju • Description of the Different Network Intrusion Detection Systems - Rohan

  3. Principle A secure computer or network system should provide the following services: • Data confidentiality • Data and communications integrity • Assurance against denial of service (availability)

  4. Common Intrusion Detection Framework (CIDF) Components • Event generators (E-box): collect the raw events, such as packets or audit records • Analysis engines (A-box): analyze those events and raise alerts • Database component (D-box): stores events and analysis results • Countermeasures (C-box): respond to a detected intrusion

  5. CIDF Model

  6. Passive Analysis • Detects attacks by watching for patterns of suspicious activity • Acts like a sniffer and obtains copies of packets directly from the network • The contents of the actual packets are parsed and analyzed • It is unobtrusive and is often claimed to be very difficult to evade; the insertion and evasion attacks discussed later show why that claim does not hold for a purely passive monitor

  7. Passive Analysis

  8. Signature Analysis • The ID system is programmed to interpret a certain series of packets as an ATTACK • It uses pattern-recognition algorithms • It looks for a substring within the stream of data carried by the network packets • Also called "misuse detection"

  9. Problems with Network ID Systems • Points of vulnerability • Insufficiency of information on the wire • Attacks

  10. Points of Vulnerability in ID systems • E-box: the eyes and ears of an IDS; if it misses or misreads traffic, nothing downstream can recover • A-box: analysis of the raw input • D-box: data storage • C-box: countermeasures

  11. Insufficiency of Information on the wire • Network ID systems work by predicting the behavior of networked machines based on the packets they exchange. • A passive network monitor cannot accurately predict whether a given machine on the network is even going to see a packet, let alone process it in the expected manner.

  12. Attacks - Insertion • The IDS accepts a packet that the end system rejects (for example, a TCP segment with an invalid checksum, or one whose TTL expires before it reaches the host). • The IDS and the end system therefore reconstruct two different strings. • An attacker can slip attacks past the IDS by "inserting" data that only the IDS sees.

  13. Attacks - Evasion • The end system accepts a packet that the IDS rejects (for example, an out-of-order segment or a fragment the IDS does not reassemble). • The end system sees more data than the IDS. • The data the IDS misses can be exactly what is needed to detect the attack.
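The insertion and evasion attacks of slides 12 and 13, run against the substring matching of slide 8, as an added worked example. This is not code from the original slides or from any product described here; it models a hypothetical naive passive sensor and a hypothetical end host three router hops past it, and uses a constructed HTTP request as the attack traffic:

```python
"""Toy model of insertion and evasion against a passive signature sensor.

Added example, not from the original slides.  Assumed: a sensor that sniffs
every segment and reassembles naively, an end host 3 hops past the sensor,
and a constructed HTTP request as the attack traffic.
"""
from dataclasses import dataclass

# Constructed attack request and the substring the signature sensor looks for.
ATTACK_REQUEST = b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n"
SIGNATURE = b"/cgi-bin/phf"


@dataclass(frozen=True)
class Segment:
    """One TCP segment as it passes the sensor (only the fields we need)."""
    seq: int
    payload: bytes
    ttl: int = 64
    checksum_ok: bool = True


def signature_match(stream: bytes) -> bool:
    """Misuse detection: a plain substring search over the reassembled stream."""
    return SIGNATURE in stream


def naive_sensor_reassemble(segments):
    """Naive passive sensor: accepts every segment it sniffs (no checksum or TTL
    check: insertion hole), keeps the first copy of any byte it has already
    seen, and drops out-of-order segments instead of buffering them (evasion
    hole)."""
    stream = bytearray()
    expected = 0
    for seg in segments:
        end = seg.seq + len(seg.payload)
        if seg.seq > expected:
            continue                                  # out of order: dropped
        if end <= expected:
            continue                                  # pure retransmission: ignored
        stream += seg.payload[expected - seg.seq:]    # append only the new bytes
        expected = end
    return bytes(stream)


def end_host_reassemble(segments, hops_to_host=3):
    """The real receiver: discards segments with a bad checksum or a TTL that
    expires before reaching it, buffers out-of-order segments, and delivers
    bytes as soon as the stream is contiguous."""
    stream = bytearray()
    expected = 0
    pending = {}                                      # seq -> payload awaiting a hole
    for seg in segments:
        if not seg.checksum_ok or seg.ttl <= hops_to_host:
            continue                                  # never reaches the TCP stack
        pending.setdefault(seg.seq, seg.payload)
        while True:
            ready = [s for s, p in pending.items() if s <= expected < s + len(p)]
            if not ready:
                break
            s = ready[0]
            data = pending.pop(s)
            stream += data[expected - s:]
            expected = s + len(data)
    return bytes(stream)


def insertion_scenario():
    """Insertion: a one-byte segment with a bad checksum is accepted by the
    sensor but rejected by the host, so the two reassemble different strings."""
    return [
        Segment(0, ATTACK_REQUEST[:13]),              # b"GET /cgi-bin/"
        Segment(13, b"X", checksum_ok=False),         # only the sensor accepts this
        Segment(13, ATTACK_REQUEST[13:]),             # b"phf?Qalias=x ..."
    ]


def ttl_insertion_scenario():
    """Insertion via TTL: the junk byte expires at a router between the sensor
    and the host, so again only the sensor sees it."""
    return [
        Segment(0, ATTACK_REQUEST[:13]),
        Segment(13, b"X", ttl=2),                     # dies before hop 3
        Segment(13, ATTACK_REQUEST[13:]),
    ]


def evasion_scenario():
    """Evasion: the tail arrives before the head; the host buffers it, the
    naive sensor throws it away."""
    return [
        Segment(13, ATTACK_REQUEST[13:]),
        Segment(0, ATTACK_REQUEST[:13]),
    ]


def run_scenario(segments, hops_to_host=3):
    """Return what each party reconstructs and whether each sees the attack."""
    sensor_view = naive_sensor_reassemble(segments)
    host_view = end_host_reassemble(segments, hops_to_host)
    return {
        "sensor_view": sensor_view,
        "host_view": host_view,
        "sensor_alerts": signature_match(sensor_view),
        "host_attacked": signature_match(host_view),
    }


if __name__ == "__main__":
    for name, segs in [("baseline", [Segment(0, ATTACK_REQUEST)]),
                       ("insertion", insertion_scenario()),
                       ("ttl insertion", ttl_insertion_scenario()),
                       ("evasion", evasion_scenario())]:
        r = run_scenario(segs)
        print(f"{name:14} sensor alerts={r['sensor_alerts']!s:5} "
              f"host attacked={r['host_attacked']!s:5} sensor saw {r['sensor_view']!r}")
```

In the baseline the sensor and the host reconstruct the same bytes and the signature fires. In both insertion cases the sensor's stream reads `GET /cgi-bin/Xhf?...`, because it kept the junk byte and treated the real `p` as an already-seen retransmission, while the host receives the intact request. In the evasion case the sensor keeps only `GET /cgi-bin/`. The fix is not a better signature; it is a sensor that verifies checksums, models the path to each host and buffers out-of-order data the way the host does.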

  14. Attacks - Denial of Service • Passive ID systems are "fail open": when the sensor is overloaded or crashes, traffic keeps flowing, unmonitored. • Resource exhaustion of the sensor: CPU cycles, memory, disk space, network bandwidth

  15. ISS RealSecure • The most polished IDS solution currently shipping. • Less flexible than ID-Trak. • Delivers a solid, well-documented and easy-to-use system. • Equipped with more than 100 network-attack signatures. • The architecture uses sensors (deployed across multiple networks) that communicate with a management console. • Allows large-scale coverage and a level of fault tolerance. • Any console can view the results of any sensor. • The console interface gives the administrator multiple views of incident data. • Attacks can be viewed by target, source or event type.

  16. Cisco Systems NetRanger • The first commercial IDS to ship. • Its implementation is fairly versatile. • Healthy attack-signature database plus creative signatures. • Heavy dependency on HP's OpenView. • Lack of documentation on the ins and outs of the product. • Fails to provide an overview of recent attacks. • Difficult to configure for non-UNIX administrators. • The IDS can reconfigure perimeter devices on the fly. • Missing functionality: unable to process multi-step, condition-based actions. • Dropped to second place behind ISS RealSecure.

  17. AXENT Tech ID-Trak • Requires a Windows NT platform to run correctly. • Flexible assortment of security-related tools. • Fails to match the robustness or depth that RealSecure and NetRanger provide. • Requires the administrator to define a list of hosts to monitor. • Its base of pre-built attack signatures is smaller than its competitors'. • Customizability is far superior: a rule-building utility lets administrators define more complex checks. • Gives the administrator a real-time view of open sessions. • Extremely hard to configure: menus are hard to interpret and navigation is extremely troublesome.

  18. Questions ?
