
Figure 10-4: Intrusion Detection Systems (IDSs)

Figure 10-4: Intrusion Detection Systems (IDSs). Summary: event logging in log files; analysis of log file data; alarms (too many false positives, i.e. false alarms; too many false negatives, i.e. overlooked incidents); log files kept for retrospective analysis by humans.

verataylor




Presentation Transcript


  1. Figure 10-4: Intrusion Detection Systems (IDSs)
     • IDSs
       • Event logging in log files
       • Analysis of log file data
       • Alarms
         • Too many false positives (false alarms)
         • Too many false negatives (overlooked incidents)
       • Log files for retrospective analysis by humans

  2. Figure 10-4: Intrusion Detection Systems (IDSs)
     • Elements of an IDS (Figure 10-5)
       • Event logging
       • Analysis method
       • Action
       • Management

  3. Figure 10-5: Elements of a Simple IDS
     • Management: configuration, tuning
     • Action: alarms, queries, reports
     • Analysis: attack signatures and heuristics
     • Logging (data collection): individual events are time-stamped; the log is a flat file of events
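The four elements of Figure 10-5 (logging, analysis, action, management) and the false-positive/false-negative trade-off of slide 1 can be seen together in a small host IDS. The following is an added example, not code from the slides or any product: the log lines, the path-traversal signature, the brute-force heuristic, the threshold values, and the ground-truth set of hostile sources are all constructed for the illustration.

```python
"""Minimal host IDS modelled on the four elements of Figure 10-5:
logging (time-stamped flat file), analysis (signatures + heuristics),
action (alarms), management (tuning). Added illustration; all sample
data, signatures and thresholds below are constructed, not from the slides."""
import re
from datetime import datetime, timedelta, timezone

# --- Logging (data collection): time-stamped events in a flat file -----
# Constructed sample log in a syslog-like layout (assumed format).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z sshd auth-fail user=alice src=10.0.0.5
2024-05-01T10:00:02Z sshd auth-fail user=alice src=10.0.0.5
2024-05-01T10:00:03Z sshd auth-ok user=alice src=10.0.0.5
2024-05-01T10:05:00Z sshd auth-fail user=root src=198.51.100.7
2024-05-01T10:05:01Z sshd auth-fail user=root src=198.51.100.7
2024-05-01T10:05:02Z sshd auth-fail user=root src=198.51.100.7
2024-05-01T10:05:03Z sshd auth-fail user=root src=198.51.100.7
2024-05-01T10:05:04Z sshd auth-fail user=root src=198.51.100.7
2024-05-01T10:07:00Z httpd GET /index.html src=203.0.113.9
2024-05-01T10:07:01Z httpd GET /cgi-bin/../../etc/passwd src=203.0.113.9
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*?)\s+src=(\S+)$")


def parse_log(text):
    """Turn flat-file lines into event dicts with a real timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skipped, not fatal
        ts, source, body, src = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": when, "source": source, "body": body, "src": src})
    return events


# --- Analysis: attack signatures and heuristics -----------------------
# A signature is a fixed pattern identifying a known technique (constructed).
SIGNATURES = [("path traversal", re.compile(r"\.\./"))]


def signature_alerts(events):
    return [(ev["ts"], name, ev["src"])
            for ev in events for name, pat in SIGNATURES if pat.search(ev["body"])]


def heuristic_alerts(events, threshold, window=timedelta(seconds=60)):
    """Heuristic: `threshold` auth failures from one source inside `window`.
    `threshold` is the knob the management element tunes."""
    alerts, by_src = [], {}
    for ev in events:
        if "auth-fail" not in ev["body"]:
            continue
        hits = [t for t in by_src.get(ev["src"], []) if ev["ts"] - t < window]
        hits.append(ev["ts"])
        by_src[ev["src"]] = hits
        if len(hits) == threshold:  # fire once, when the threshold is crossed
            alerts.append((ev["ts"], "auth brute force", ev["src"]))
    return alerts


# --- Action: alarms, in time order -------------------------------------
def run_ids(log_text, threshold):
    events = parse_log(log_text)
    return sorted(signature_alerts(events) + heuristic_alerts(events, threshold))


# --- Management: tuning against known ground truth ---------------------
TRULY_HOSTILE = {"198.51.100.7", "203.0.113.9"}  # constructed ground truth


def tune(log_text, thresholds):
    """False positives / negatives per threshold, so an operator can pick one."""
    results = {}
    for th in thresholds:
        flagged = {src for _, _, src in run_ids(log_text, th)}
        results[th] = {"false_positives": len(flagged - TRULY_HOSTILE),
                       "false_negatives": len(TRULY_HOSTILE - flagged)}
    return results


if __name__ == "__main__":
    for alert in run_ids(SAMPLE_LOG, threshold=3):
        print(alert)
    print(tune(SAMPLE_LOG, thresholds=[2, 3, 6]))
```

With the constructed log, a threshold of 2 also flags the user who mistyped a password twice (a false positive), a threshold of 6 misses the five-attempt burst against root (a false negative), and 3 catches both hostile sources with no false alarm; that tuning step is the "management" element in practice.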

  4. Figure 10-4: Intrusion Detection Systems (IDSs)
     • Distributed IDSs (Figure 10-6)
       • Managers
       • Agents
       • Distribution of functionality between agents and managers (analysis and action)

  5. Figure 10-6: Distributed IDS (diagram; labels only)
     • Manager site: manager with its log file
     • Agents: host IDS agent, main firewall (FW log), switch-based network IDS on the internal network, stand-alone network IDS
     • Log file transfer from agents to the manager in batch mode or real time
     • Internet connection

  6. Figure 10-4: Intrusion Detection Systems (IDSs)
     • Distributed IDSs (Figure 10-6)
       • Batch versus real-time data transfer
         • Batch mode: every few minutes or hours; efficient
         • Real-time: as events occur or shortly afterward; little or no data loss if attacker eliminates log file on agent's computer
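The data-loss point on slide 6 is easy to show with a toy agent/manager pair. This is an added example, not code from the slides or a vendor product: the in-memory `Manager`, the `Agent` with its batch and real-time modes, and the constructed event sequence ending in the agent's local log being destroyed are all assumptions made for the illustration (a real agent flushes batches on a timer; a batch size is used here so the run is deterministic).

```python
"""Agent-to-manager transfer in batch versus real-time mode (Figure 10-6).
Added illustration with an in-memory manager; the events and the
'local log is wiped after compromise' step are constructed for the example."""


class Manager:
    """Central manager: keeps every event any agent has sent it."""
    def __init__(self):
        self.received = []

    def ingest(self, agent_id, events):
        self.received.extend((agent_id, e) for e in events)


class Agent:
    """Host IDS agent. Batch mode: events accumulate locally until flush().
    Real-time mode: each event is forwarded to the manager as it is logged."""
    def __init__(self, agent_id, manager, mode, batch_size=None):
        if mode not in ("batch", "realtime"):
            raise ValueError("mode must be 'batch' or 'realtime'")
        self.agent_id = agent_id
        self.manager = manager
        self.mode = mode
        self.batch_size = batch_size  # stand-in for a flush timer (assumption)
        self.local_log = []           # the flat file on the agent's host
        self.pending = []             # batch not yet sent to the manager

    def log_event(self, event):
        self.local_log.append(event)
        if self.mode == "realtime":
            self.manager.ingest(self.agent_id, [event])
            return
        self.pending.append(event)
        if self.batch_size and len(self.pending) >= self.batch_size:
            self.flush()

    def flush(self):
        if self.pending:
            self.manager.ingest(self.agent_id, self.pending)
            self.pending = []

    def wipe_local_log(self):
        """Models the slide's scenario: the log on the agent's computer
        (and any unsent batch with it) is eliminated after a compromise."""
        self.local_log = []
        self.pending = []


EVENTS = [  # constructed sequence of events on one host
    "auth-fail user=root src=198.51.100.7",
    "auth-fail user=root src=198.51.100.7",
    "auth-fail user=root src=198.51.100.7",
    "auth-ok user=root src=198.51.100.7",
    "proc-start user=root",  # last event logged before the log is wiped
]


def simulate(mode, batch_size=None):
    """Number of events the manager still holds after the agent logs EVENTS
    and then has its local log wiped."""
    manager = Manager()
    agent = Agent("host-a", manager, mode, batch_size)
    for ev in EVENTS:
        agent.log_event(ev)
    agent.wipe_local_log()
    return len(manager.received)


if __name__ == "__main__":
    total = len(EVENTS)
    print("real-time  :", simulate("realtime"), "of", total, "events reached the manager")
    print("batch of 2 :", simulate("batch", batch_size=2), "of", total, "events reached the manager")
    print("batch of 10:", simulate("batch", batch_size=10), "of", total, "events reached the manager")
```

In real-time mode every event, including the last one before the wipe, already sits on the manager; with a batch of two, the final event is lost with the local file, and with a batch larger than the whole sequence nothing survives. The trade against real-time mode is the per-event transfer cost that slide 6 calls the batch mode's efficiency.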

  7. Figure 10-4: Intrusion Detection Systems (IDSs)
     • Distributed IDSs (Figure 10-6)
       • Secure manager-agent communication
       • Vendor's automatic updates with secure communication
     • Network IDSs (NIDSs)
       • Capture packets
       • Stand-alone NIDS collects data for only its portion of the network
       • Switch or router NIDSs can collect data on all ports

  8. Figure 10-4: Intrusion Detection Systems (IDSs)
     • Network IDSs (NIDSs)
       • NIDS placement
         • Between main firewall and internal or external network for relevant or all attacks
         • At internal points to detect internal mischief
       • Weaknesses
         • Blind spots in network where no NIDS data is collected
         • Cannot filter encrypted packets
