Figure 10-4: Intrusion Detection Systems (IDSs)
• IDSs
  • Event logging in log files
  • Analysis of log file data
  • Alarms
    • Too many false positives (false alarms)
    • Too many false negatives (overlooked incidents)
  • Log files for retrospective analysis by humans

Figure 10-4: Intrusion Detection Systems (IDSs)
• Elements of an IDS (Figure 10-5)
  • Event logging
  • Analysis method
  • Action
  • Management
Figure 10-5: Elements of a Simple IDS (diagram)
• Logging (data collection): individual events are time-stamped; the log is a flat file of events
• Analysis: attack signatures and heuristics
• Action: alarms, queries, reports
• Management: configuration, tuning
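The four elements of Figure 10-5 as one small pipeline, added here as an illustration and not taken from the textbook: a constructed flat log of time-stamped events is parsed (logging), checked against one attack signature and one heuristic (analysis), and turned into alarms (action), while the thresholds in CONFIG are the management and tuning knob. Raising or lowering the failed-login threshold shows the false-positive versus false-negative trade-off from the earlier slide; every log line, address and rule name is constructed.

```python
import re
from collections import defaultdict

# Constructed flat-file log: one time-stamped event per line (sample data, not real traffic).
LOG = """\
2024-05-01T10:00:01 src=203.0.113.7 dst=10.0.0.5 msg="GET /index.html"
2024-05-01T10:00:02 src=203.0.113.7 dst=10.0.0.5 msg="GET /cgi-bin/../../etc/passwd"
2024-05-01T10:00:05 src=198.51.100.9 dst=10.0.0.5 msg="login failed user=bob"
2024-05-01T10:00:06 src=198.51.100.9 dst=10.0.0.5 msg="login failed user=bob"
2024-05-01T10:00:07 src=198.51.100.9 dst=10.0.0.5 msg="login failed user=bob"
2024-05-01T10:00:08 src=198.51.100.9 dst=10.0.0.5 msg="login failed user=bob"
2024-05-01T10:00:20 src=192.0.2.4 dst=10.0.0.5 msg="login failed user=alice"
2024-05-01T10:00:21 src=192.0.2.4 dst=10.0.0.5 msg="login ok user=alice"
"""

EVENT_RE = re.compile(r'^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) msg="(?P<msg>[^"]*)"$')

# Management element: configuration the analyst tunes (signatures and heuristic thresholds).
CONFIG = {
    "signatures": {"path-traversal": re.compile(r"\.\./")},  # attack signature
    "failed_login_threshold": 3,  # heuristic: N failures from one source raises an alarm
}

def parse_events(text):
    """Logging element: turn the flat file into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def analyze(events, config):
    """Analysis element: signature matching plus a simple counting heuristic."""
    alarms = []
    failures = defaultdict(int)
    for ev in events:
        for name, pattern in config["signatures"].items():
            if pattern.search(ev["msg"]):
                alarms.append((ev["ts"], "signature:" + name, ev["src"]))
        if ev["msg"].startswith("login failed"):
            failures[ev["src"]] += 1
            if failures[ev["src"]] == config["failed_login_threshold"]:
                alarms.append((ev["ts"], "heuristic:brute-force", ev["src"]))
    return alarms

def run_ids(log_text, config=CONFIG):
    """Action element: return the (timestamp, rule, source) alarms an analyst would see."""
    return analyze(parse_events(log_text), config)
```

With the threshold at 1, alice's single mistyped password also raises an alarm (a false positive); at 6, bob's four failures are overlooked (a false negative).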
Figure 10-4: Intrusion Detection Systems (IDSs)
• Distributed IDSs (Figure 10-6)
  • Managers
  • Agents
  • Distribution of functionality between agents and managers (analysis and action)
Figure 10-6: Distributed IDS (diagram)
• Manager collects log files from the agents; log file transfer is in batch mode or real time
• Agents: host IDS agent on a site host, the main firewall (FW log), an internal switch-based network IDS, and a stand-alone network IDS
• The Internet connection enters through the main firewall into the internal switch-based network
Figure 10-4: Intrusion Detection Systems (IDSs)
• Distributed IDSs (Figure 10-6)
  • Batch versus real-time data transfer
    • Batch mode: every few minutes or hours; efficient
    • Real time: as events occur or shortly afterward; little or no data loss if the attacker eliminates the log file on the agent’s computer

Figure 10-4: Intrusion Detection Systems (IDSs)
• Distributed IDSs (Figure 10-6)
  • Secure manager-agent communication
  • Vendor’s automatic updates with secure communication
• Network IDSs (NIDSs)
  • Capture packets
  • Stand-alone NIDS collects data for only its portion of the network
  • Switch or router NIDSs can collect data on all ports

Figure 10-4: Intrusion Detection Systems (IDSs)
• Network IDSs (NIDSs)
  • NIDS placement
    • Between the main firewall and the internal or external network, for relevant or all attacks
    • At internal points to detect internal mischief
  • Weaknesses
    • Blind spots in the network where no NIDS data is collected
    • Cannot filter encrypted packets