Intrusion Detections Systems

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Intrusion Detections Systems"

Transcription

1 Intrusion Detections Systems Secure Computer Systems Poia Samoudi Asli Davor Sutic

2 Contents Intrusion Detections Systems... 1 Contents... 2 Abstract... 2 Introduction... 3 IDS importance... 3 Trusting IDSs... 4 Different types of IDSs... 4 Host-Based IDSs... 5 Application-Based IDSs... 5 Network-Based IDSs... 6 Where to put NIDS?... 6 How does NIDS work?... 7 Short Snort example... 9 Conclusion References: Abstract The concept of security is often unfairly equated with attack prevention systems. It is important to know about other two, sometimes overlooked, security aspects: attack detection and attack recovery. This paper reviews intrusion detection systems, which can help in both of these areas. After reading this paper, one should have a clear idea of what intrusion detection is and how it works, in principles.

3 Introduction The goal of security system is to stop malicious attacks. Attacks that are not prevented need to be detected. For this we have Intrusion detection systems (IDSs). They are used to detect attacks by performing computer and network scans. Due to increasing number of known attacks, especially network based ones, intrusion detection systems have become an essential part in sustaining secure computers systems. In this document we will give a general overview of IDSs, both their strengths and some weaknesses. We examine more closely an example of network IDS Snort. We hope that this paper will give you a concept of what IDS is and why it is important. IDS importance Intrusions are malicious attacks made on computer or network systems that sidestep security mechanisms in place. Attacks compromise integrity, availability or confidentiality of a network or computer system. Attackers use vulnerabilities in order to bypass security and gain unauthorized access. Although system administrator tries to tend to these flaws and vulnerabilities, some will often be overlooked due to increasing amount of new ones discovered every day. What an IDS does is to systematically monitor event changes in a computer or network system in order to analyze them for signs of intrusion. They detect attacks that are not prevented by other security measures and alert system administration about a breach in security. This gives the administrator an opportunity to address the attack before it causes any substantial damage. Attackers often probe or examine systems or networks in an attempt to find vulnerabilities or to determine attack strategy. A network system lacking an IDS gives an attacker the opportunity to investigate attack options without running a great risk of being discovered or hindered. IDSs not only detect successful, but also failed attacks by recognizing scan patterns when the attacker is investigating the system. More often than not, attackers who notice that their examining attempts have been discovered are discouraged from continuing their attack. There are compelling arguments for using IDSs, especially in important network systems where intrusion can make financial losses. These systems provide information that can be used as evidence in a legal case or as data when conducting security assessment analysis. Many argue that it is not a question of whether to use an IDS or not, but rather a question of what kind of IDS to use.

4 Trusting IDSs As any other security mechanism an IDS has both strengths and weaknesses. The strengths and weaknesses should give you a good guide to when IDS should be utilized. By strengths we mean the tasks IDSs does well and by weaknesses we mean tasks IDSs cannot perform. Strengths Monitor and analyze system events and user behaviors. Measure performance of system security states over time and track any changes. Recognize patterns of self inflicted intentional attacks. Recognize patterns of abnormal activities with help of statistics. Manage OS audit and logging mechanisms and their generated data. Alert correct user in correct way when attacks are detected. Provide default information security policy. Allow security monitoring functions performed by non-experts. Weaknesses Compensate for insufficient or lack of security protections mechanisms such as firewalls, link encryptions and authentication. Instantly, under heavy processing or network load report, detect or respond to attacks. Investigate all attacks automatically without human interference. Resist custom made attacks with the purpose of defeating or evading them. Different types of IDSs There are different types of IDSs and they are commonly separated by the way they monitor and conduct analysis. However, they all share some common process characteristics that define IDSs. Consequentially, they all have considerable advantages and disadvantages. Most IDSs can be described by three rudimentary process components: Information Sources, Analysis and Response.

5 Information Sources source for information about events transpired that determine if an intrusions has been made. Logs, system state and network traffic can be information sources. Analysis the actual analysis of the data provided by the information sources in order to determine if an intrusion is taking place or has been taking place. Response actions that are made when intrusion is established and are often categorized in two categories, passive and active. Active responses are automated prevention actions whilst passive responses are alerts to administrator informing him of the intrusion so that they can handle the threat. Different types of IDSs are grouped after what kind of information source they use. Some get information from analyzing network packages, other by performing system scans and reading logs. Host-Based IDSs Host-Based IDS or HIDS uses individual computer system as information source. Because a HIDS has access to system processes it can analyze the system with great precision and even foretell outcomes of attempted attacks. They can also directly monitor system files. The information sources used are in form of OS audit trails and system logs. Advantages with HIDSs are that they can, unlike Networkbased IDSs, detect local attacks. Because HIDSs operate on OS audits trails they can help detect attacks from Trojans and other software involved attacks. Another advantage is that they can operate where Network-based IDS can t, because network traffic could be encrypted. Disadvantages with HIDSs are that they are harder to manage because of all the information that needs managing for every host. Furthermore HIDSs require computing resources from the host thus lowering performance of other parts of the system. Application-Based IDSs Application-Based IDSs or AIDSs are a subset of HIDSs that operate with events occurring within specific software. They often use application transcript logs as information sources. AIDSs are primarily used to detect suspicious behavior amongst authorized users in some applications. For example, it can report frequent or suspicious modifications in an important database. AIDS can often

6 function within encrypted environments. Disadvantages with the AIDSs are that their information source, application logs, are sometimes badly protected and susceptible to attacks. AIDS can t usually detect Trojans or other software attacks and it's recommended that it is used in combination with an HIDS. Network-Based IDSs Network-Based IDSs or NIDSs are the most popular IDSs and a majority of commercial IDSs are network-based. NIDSs use network packages as information sources and by listening on a network segment one NIDS can monitor several hosts. An advantage with using NIDS is that a smart placed NIDS can monitor a large network on its own. Because NIDS commonly just listen to network traffic (i.e. with taps, as later described) they can be fitted in to a preexisting network with minimal interference. Because they are hidden, they are harder to attack. Disadvantages with NIDSs are that they may have difficulties monitoring all packages in a large and very busy network and may not detect an attack made during busy periods. Another significant disadvantage with NIDS is that they cannot analyze encrypted information. NIDS sometimes can t tell whether or not an attack was successful, but only that it was initiated. In these cases, the attack has to be investigated by system administrator. In the next chapters, we look in more detail to one example of network intrusion detection system(nids). We aim to show by example how such system might be set up, so that the reader gets familiar with basic principles. We do this by using Snort open source and the most popular NIDS presently. Where to put NIDS? The first basic principle is that NIDS needs to monitor all network traffic. This is relatively easy to ensure when dealing with only one computer, but when working with bigger networks, becomes easy to forget. Then, we are not installing the system on every computer, but prefer to have one central NIDS that monitors all traffic. This way, updates and control is easier, but bottleneck effect must be avoided. There are three basic ways in which NIDS can be deployed in a computer network. First is with a hub although hubs are more and more out of use, it is fair to mention them for completeness of this overview. In hubs, there should be no problems, because hubs send data they

7 receive to all ports. Simply connect NIDS to one of hub ports. With a switch the situation is different, because a switch sends a data packet only to intended recipient's port. When presented with a switch, look for SPAN (Switch Port Analyzer) port. This port is intended for network analysis and all data that comes to switch will be sent to this port [4]. Drawback to this meted is that SPAN port easily gets overloaded. Final solution is to use taps (it is sometimes mentioned that tap stands for Test Access Port). Network tap is a simple device used to mirror the network traffic, structure shown on the picture below. Everything that goes through network cable is also sent to secondary tap output, where NIDS can be connected. Figure 1. Connecting NIDS to network using taps How does NIDS work? Basic principle of NIDS is to take every network packet and compare it to it's list of rules. If one or many packets meet a rule, take appropriate action: alert the user, log it, send an . When the network has a high bandwidth, examining all packets in real time can be a very complex task. Let's look at Snort for further explanation.

8 Figure 2.Snort structure Packet decoder modifies packets from different network interfaces for preprocessor use. Preprocessor translates the packets to form suitable for further analysis. Here are two example functions: Bigger data traveling through the network is split to smaller packets (standard being 1500 bytes). Preprocessor unites these packets for further analysis. URI decoding when accessing a server or a file there is more than one way in which this URI can be written (i.e. using UTF-8). When analyzing traffic, Snort wants to detect these accesses and therefore translates them into unique (canonic) representation. Detection engine must be both reliable and fast. There are two kinds of mistakes that system can make: false negatives system missed to detect the threat and false positives system reported a threat where there really is no threat. False positives mean more alerts then necessary while false negatives mean that system could be compromised while Snort is unaware. The latter is worse than the first. Snort's creator speaks about this [6] saying that both of these mistakes are almost always due to improper user configuration. This is a good example of usability versus complexity in security, where complex systems with lots of security options can end up being unsafe. Efforts are made to make Snort self configurable. To do it's job properly, detection engine must match rules in it's database against each packet. With big number of rules, pruning has to be applied to manage the task quickly. Snort has it's rules divided into logical sets, so that not all rules are applied on all packets. Rules are sorted by priority so that more important rules get to be tested first: when the match is achieved there might be no use in further checking. On other times, depending on the rules, it might be important to know all the rules that apply to the packet, so checking is continued even after a hit. The goal of the alert system is to manage all alerts: user can choose to log it to database, see a printed warning or receive an .

9 Short Snort example Before using Snort, you should get a list of network interfaces. To get interfaces list, run: snort W Snort can work in more basic modes: 1) As a sniffer, Snort will simply read the packets from the network and display them on the screen. snort i2 v Here i2 stands for network interface number 2. 2) In packet logger mode, Snort works similar to sniffer mode, logging the packets into specified file. snort -vde -i2 -l../log To read the file, assuming that snort created snort.log file, use: snort -v -r../log/snort.log ) NIDS mode is the most complex and useful Snort mode. Here we will show how to form a simple rule for this mode: alert tcp any any -> / (content:" a5 "; msg:"bad packet here";) Snort rules are divided into two parts: header and body. Header part such basic rule properties as the network protocol, source and destination IP address and network masks and ports. Appropriate action is also specified. Body is enclosed in the brackets and defines more properties packet must have in order for the rule to apply. First option specifies the action Snort will take if the rule applies. This can be, among others, alert, log or dump. After this, we specify protocol: TCP, UDP, ICMP. Next we specify source and destination IP addresses in CIDR format (IP address/mask) and ports. Here all traffic from any port to computer in IP range /24 and port 789 is subject to this rule. Body of rule consists of three parts: in first part we state the general rule information. Second part is subrules that concern packet header. Third and final part are subrules about packet body. In our example, if packet body contains a5, message bad packet here will be reported. This example demonstrates that creating Snort rules is not hard and that the user can, with little documentation reading, simply create his own rules. Usually, rules for variety of threats will be downloaded manually from Snort website, or automatically using a Perl script named Oinkmaster.

10 Conclusion Good security system has three sides to it: threat prevention, detection and reaction. They are often unfairly overlooked at management budget meetings because they are seemingly not needed until it's too late. Now you know what it is that they do and why detection systems play an important role in overall security. As we have seen with Snort, good NIDS system is like a Swiss army knife. It has lots of features and is definitely very useful tool in security. This Swiss knife is also small, fast and modular, in that you can add your own tool in the toolbox. But, how useful? That depends on the person using the knife. If you don't configure Snort or don't update the rules, then you can only hope that when the threat comes, you'll detect it. By reading the documentation, taking some effort to tailor the rules to your own needs and by doing regular updates, you can count on your NIDS to be a valuable tool in your system security toolbox. References: [1] NIST Special Publication on Intrusion Detection Systems, Rebecca Bace & Peter Mell, 2003, [2] Snort home page, [3] WinSnort, Windows IDS package based on Snort, [4] Cisco Catalyst Switched Port Analyzer (SPAN) Configuration Example, html, [5] Intrusion detection systems, network placing explanation, [6] The Story of Snort: Past, Present and Future, Snort creator Martin Roesch,

Intrusion Detection System (IDS)

Intrusion Detection System (IDS) Intrusion Detection System (IDS) Characteristics Systems User, Process predictable actions describing process under that actions what pattern subvert actions attack of correspond the systems processes

More information

INTRUSION DETECTION SYSTEMS and Network Security

INTRUSION DETECTION SYSTEMS and Network Security INTRUSION DETECTION SYSTEMS and Network Security Intrusion Detection System IDS A layered network security approach starts with : A well secured system which starts with: Up-to-date application and OS

More information

Introduction of Intrusion Detection Systems

Introduction of Intrusion Detection Systems Introduction of Intrusion Detection Systems Why IDS? Inspects all inbound and outbound network activity and identifies a network or system attack from someone attempting to compromise a system. Detection:

More information

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013 CS 356 Lecture 17 and 18 Intrusion Detection Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists

More information

Advancement in Virtualization Based Intrusion Detection System in Cloud Environment

Advancement in Virtualization Based Intrusion Detection System in Cloud Environment Advancement in Virtualization Based Intrusion Detection System in Cloud Environment Jaimin K. Khatri IT Systems and Network Security GTU PG School, Ahmedabad, Gujarat, India Mr. Girish Khilari Senior Consultant,

More information

IDS / IPS. James E. Thiel S.W.A.T.

IDS / IPS. James E. Thiel S.W.A.T. IDS / IPS An introduction to intrusion detection and intrusion prevention systems James E. Thiel January 14, 2005 S.W.A.T. Drexel University Overview Intrusion Detection Purpose Types Detection Methods

More information

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA Configuring Personal Firewalls and Understanding IDS Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA 1 Configuring Personal Firewalls and IDS Learning Objectives Task Statements 1.4 Analyze baseline

More information

Taxonomy of Intrusion Detection System

Taxonomy of Intrusion Detection System Taxonomy of Intrusion Detection System Monika Sharma, Sumit Sharma Abstract During the past years, security of computer networks has become main stream in most of everyone's lives. Nowadays as the use

More information

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013 CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access

More information

Intrusion Detection & SNORT. Fakrul Alam fakrul@bdhbu.com

Intrusion Detection & SNORT. Fakrul Alam fakrul@bdhbu.com Intrusion Detection & SNORT Fakrul Alam fakrul@bdhbu.com Sometimes, Defenses Fail Our defenses aren t perfect Patches weren t applied promptly enough Antivirus signatures not up to date 0- days get through

More information

INTRUSION DETECTION SYSTEM

INTRUSION DETECTION SYSTEM INTRUSION DETECTION SYSTEM INTRUSION DETECTION AND PREVENTION using SAX 2.0 and WIRESHARK Cain & Abel 4.9.35 Supervisor Dr. Akshai Kumar Aggarwal Director School of Computer Sciences University of Windsor

More information

A Review on Network Intrusion Detection System Using Open Source Snort

A Review on Network Intrusion Detection System Using Open Source Snort , pp.61-70 http://dx.doi.org/10.14257/ijdta.2016.9.4.05 A Review on Network Intrusion Detection System Using Open Source Snort Sakshi Sharma and Manish Dixit Department of CSE& IT MITS Gwalior, India Sharmasakshi1009@gmail.com,

More information

Chapter 9 Firewalls and Intrusion Prevention Systems

Chapter 9 Firewalls and Intrusion Prevention Systems Chapter 9 Firewalls and Intrusion Prevention Systems connectivity is essential However it creates a threat Effective means of protecting LANs Inserted between the premises network and the to establish

More information

Intrusion Detection Systems

Intrusion Detection Systems Intrusion Detection Systems Assessment of the operation and usefulness of informatics tools for the detection of on-going computer attacks André Matos Luís Machado Work Topics 1. Definition 2. Characteristics

More information

Radware s Smart IDS Management. FireProof and Intrusion Detection Systems. Deployment and ROI. North America. International. www.radware.

Radware s Smart IDS Management. FireProof and Intrusion Detection Systems. Deployment and ROI. North America. International. www.radware. Radware s Smart IDS Management FireProof and Intrusion Detection Systems Deployment and ROI North America Radware Inc. 575 Corporate Dr. Suite 205 Mahwah, NJ 07430 Tel 888 234 5763 International Radware

More information

Intrusion Detection Systems

Intrusion Detection Systems Intrusion Detection Systems Advanced Computer Networks 2007 Reinhard Wallner reinhard.wallner@student.tugraz.at Outline Introduction Types of IDS How works an IDS Attacks to IDS Intrusion Prevention Systems

More information

Firewalls. Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49. Firewall Design Principles

Firewalls. Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49. Firewall Design Principles Firewalls Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49 1 Firewall Design Principles Firewall Characteristics Types of Firewalls Firewall Configurations

More information

Intrusion Detection. Tianen Liu. May 22, 2003. paper will look at different kinds of intrusion detection systems, different ways of

Intrusion Detection. Tianen Liu. May 22, 2003. paper will look at different kinds of intrusion detection systems, different ways of Intrusion Detection Tianen Liu May 22, 2003 I. Abstract Computers are vulnerable to many threats. Hackers and unauthorized users can compromise systems. Viruses, worms, and other kinds of harmful code

More information

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 6 Network Security Objectives List the different types of network security devices and explain how they can be used Define network

More information

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP Aakanksha Vijay M.tech, Department of Computer Science Suresh Gyan Vihar University Jaipur, India Mrs Savita Shiwani Head Of

More information

Intrusion Detection Systems Submitted in partial fulfillment of the requirement for the award of degree Of Computer Science

Intrusion Detection Systems Submitted in partial fulfillment of the requirement for the award of degree Of Computer Science A Seminar report On Intrusion Detection Systems Submitted in partial fulfillment of the requirement for the award of degree Of Computer Science SUBMITTED TO: www.studymafia.org SUBMITTED BY: www.studymafia.org

More information

Intrusion Detection Theory

Intrusion Detection Theory Intrusion Detection System (IDS) CPE5021 Advanced Network Security --- IDS: Theory and Practice--- Lecture 6 Knowledge Base Analysis Engine Response Module Alert Database Other machines Event Provider

More information

Intrusion Detection System in Campus Network: SNORT the most powerful Open Source Network Security Tool

Intrusion Detection System in Campus Network: SNORT the most powerful Open Source Network Security Tool Intrusion Detection System in Campus Network: SNORT the most powerful Open Source Network Security Tool Mukta Garg Assistant Professor, Advanced Educational Institutions, Palwal Abstract Today s society

More information

Kingston University London

Kingston University London Kingston University London Analysis and Testing of Intrusion Detection/Prevention Systems (IDS/IPS) XYLANGOURAS ELEFTHERIOS Master of Science in Networking and Data Communications THESIS Kingston University

More information

Analysis and Evaluation of Network-Based Intrusion Detection and Prevention System in an Enterprise Network Using Snort Freeware

Analysis and Evaluation of Network-Based Intrusion Detection and Prevention System in an Enterprise Network Using Snort Freeware Analysis and Evaluation of Network-Based Intrusion Detection and Prevention System in an Enterprise Network Using Snort Freeware 1 Corresponding Author: lawal5@yahoo.com 1 O.B. Lawal Computer Science Department,

More information

HONEYPOT SECURITY. February 2008. The Government of the Hong Kong Special Administrative Region

HONEYPOT SECURITY. February 2008. The Government of the Hong Kong Special Administrative Region HONEYPOT SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without

More information

A Review of Anomaly Detection Techniques in Network Intrusion Detection System

A Review of Anomaly Detection Techniques in Network Intrusion Detection System A Review of Anomaly Detection Techniques in Network Intrusion Detection System Dr.D.V.S.S.Subrahmanyam Professor, Dept. of CSE, Sreyas Institute of Engineering & Technology, Hyderabad, India ABSTRACT:In

More information

Network Based Intrusion Detection Using Honey pot Deception

Network Based Intrusion Detection Using Honey pot Deception Network Based Intrusion Detection Using Honey pot Deception Dr.K.V.Kulhalli, S.R.Khot Department of Electronics and Communication Engineering D.Y.Patil College of Engg.& technology, Kolhapur,Maharashtra,India.

More information

CSCE 465 Computer & Network Security

CSCE 465 Computer & Network Security CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Intrusion Detection System 1 Intrusion Definitions A set of actions aimed to compromise the security

More information

Network Security. Tampere Seminar 23rd October 2008. Overview Switch Security Firewalls Conclusion

Network Security. Tampere Seminar 23rd October 2008. Overview Switch Security Firewalls Conclusion Network Security Tampere Seminar 23rd October 2008 1 Copyright 2008 Hirschmann 2008 Hirschmann Automation and and Control GmbH. Contents Overview Switch Security Firewalls Conclusion 2 Copyright 2008 Hirschmann

More information

Architecture Overview

Architecture Overview Architecture Overview Design Fundamentals The networks discussed in this paper have some common design fundamentals, including segmentation into modules, which enables network traffic to be isolated and

More information

AN EFFICIENT INTRUSION DETECTION SYSTEM FOR NETWORKS WITH CENTRALIZED ROUTING

AN EFFICIENT INTRUSION DETECTION SYSTEM FOR NETWORKS WITH CENTRALIZED ROUTING AN EFFICIENT INTRUSION DETECTION SYSTEM FOR NETWORKS WITH CENTRALIZED ROUTING Paulo F. Andrade, Fernando Mira da Silva, Carlos Ribeiro Instituto Superior Técnico, Universidade Técnica de Lisboa, Lisboa,

More information

IntruPro TM IPS. Inline Intrusion Prevention. White Paper

IntruPro TM IPS. Inline Intrusion Prevention. White Paper IntruPro TM IPS Inline Intrusion Prevention White Paper White Paper Inline Intrusion Prevention Introduction Enterprises are increasingly looking at tools that detect network security breaches and alert

More information

CIP R1.5 Spring CIP Audit Workshop. April 14, 2016 Scott Pelfrey, CISA, CISSP, GISP, MBA Senior Technical Auditor

CIP R1.5 Spring CIP Audit Workshop. April 14, 2016 Scott Pelfrey, CISA, CISSP, GISP, MBA Senior Technical Auditor CIP-005-5 R1.5 Spring CIP Audit Workshop April 14, 2016 Scott Pelfrey, CISA, CISSP, GISP, MBA Senior Technical Auditor CIP-005-5 Part 1.5 Learning Objectives Terminology Discussion of IPS/IDS & firewall

More information

Snort Installation - Ubuntu FEUP. SSI - ProDEI-2010. Paulo Neto and Rui Chilro. December 7, 2010

Snort Installation - Ubuntu FEUP. SSI - ProDEI-2010. Paulo Neto and Rui Chilro. December 7, 2010 December 7, 2010 Work Proposal The purpose of this work is: Explain a basic IDS Architecture and Topology Explain a more advanced IDS solution Install SNORT on the FEUP Ubuntu distribution and test some

More information

Firewalls and Intrusion Detection

Firewalls and Intrusion Detection Firewalls and Intrusion Detection What is a Firewall? A computer system between the internal network and the rest of the Internet A single computer or a set of computers that cooperate to perform the firewall

More information

Make a folder named Lab3. We will be using Unix redirection commands to create several output files in that folder.

Make a folder named Lab3. We will be using Unix redirection commands to create several output files in that folder. CMSC 355 Lab 3 : Penetration Testing Tools Due: September 31, 2010 In the previous lab, we used some basic system administration tools to figure out which programs where running on a system and which files

More information

Intrusion Detection in AlienVault

Intrusion Detection in AlienVault Complete. Simple. Affordable Copyright 2014 AlienVault. All rights reserved. AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX, Open Threat

More information

Snort. A practical NIDS

Snort. A practical NIDS Snort A practical NIDS What is SNORT Snort is a packet logger/analyzer, which can be used to implement a NIDS. It can based be used in 4 modes: Sniffer mode Packet Logger mode Network Intrusion Detection

More information

SOUTHERN POLYTECHNIC STATE UNIVERSITY. Snort and Wireshark. IT-6873 Lab Manual Exercises. Lucas Varner and Trevor Lewis Fall 2013

SOUTHERN POLYTECHNIC STATE UNIVERSITY. Snort and Wireshark. IT-6873 Lab Manual Exercises. Lucas Varner and Trevor Lewis Fall 2013 SOUTHERN POLYTECHNIC STATE UNIVERSITY Snort and Wireshark IT-6873 Lab Manual Exercises Lucas Varner and Trevor Lewis Fall 2013 This document contains instruction manuals for using the tools Wireshark and

More information

Computer Security: Principles and Practice

Computer Security: Principles and Practice Computer Security: Principles and Practice Chapter 9 Firewalls and Intrusion Prevention Systems First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Firewalls and Intrusion

More information

Our Security. History of IDS Cont d In 1983, Dr. Dorothy Denning and SRI International began working on a government project.

Our Security. History of IDS Cont d In 1983, Dr. Dorothy Denning and SRI International began working on a government project. Our Security Ways we protect our valuables: By Edith Butler Fall 2008 Locks Security Alarm Video Surveillance, etc. History about IDS It began in 1980, with James Anderson's paper: History of IDS Cont

More information

IDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for

IDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for Intrusion Detection Intrusion Detection Security Intrusion: a security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts

More information

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/dd2395/dasakh10/

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/dd2395/dasakh10/ Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/dd2395/dasakh10/ Fall 2010 Sonja Buchegger buc@kth.se Lecture 6, Nov. 10, 2010 Firewalls, Intrusion Prevention, Intrusion Detection

More information

Module II. Internet Security. Chapter 7. Intrusion Detection. Web Security: Theory & Applications. School of Software, Sun Yat-sen University

Module II. Internet Security. Chapter 7. Intrusion Detection. Web Security: Theory & Applications. School of Software, Sun Yat-sen University Module II. Internet Security Chapter 7 Intrusion Detection Web Security: Theory & Applications School of Software, Sun Yat-sen University Outline 7.1 Threats to Computer System 7.2 Process of Intrusions

More information

Network- vs. Host-based Intrusion Detection

Network- vs. Host-based Intrusion Detection Network- vs. Host-based Intrusion Detection A Guide to Intrusion Detection Technology 6600 Peachtree-Dunwoody Road 300 Embassy Row Atlanta, GA 30348 Tel: 678.443.6000 Toll-free: 800.776.2362 Fax: 678.443.6477

More information

Network Defense Tools

Network Defense Tools Network Defense Tools Prepared by Vanjara Ravikant Thakkarbhai Engineering College, Godhra-Tuwa +91-94291-77234 www.cebirds.in, www.facebook.com/cebirds ravikantvanjara@gmail.com What is Firewall? A firewall

More information

Intrusion Detection Categories (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

Intrusion Detection Categories (note supplied by Steve Tonkovich of CAPTUS NETWORKS) 1 of 8 3/25/2005 9:45 AM Intrusion Detection Categories (note supplied by Steve Tonkovich of CAPTUS NETWORKS) Intrusion Detection systems fall into two broad categories and a single new one. All categories

More information

Product Overview. Product Family. Product Features. Powerful intrusion detection and monitoring capacity

Product Overview. Product Family. Product Features. Powerful intrusion detection and monitoring capacity NIP IDS Product Overview The Network Intelligent Police (NIP) Intrusion Detection System (IDS) is a new generation of session-based intelligent network IDS developed by Huaweisymantec. Deployed in key

More information

Security Event Management. February 7, 2007 (Revision 5)

Security Event Management. February 7, 2007 (Revision 5) Security Event Management February 7, 2007 (Revision 5) Table of Contents TABLE OF CONTENTS... 2 INTRODUCTION... 3 CRITICAL EVENT DETECTION... 3 LOG ANALYSIS, REPORTING AND STORAGE... 7 LOWER TOTAL COST

More information

CS 589-07: Digital Forensics Fall 2006 Instructors: Lorie Liebrock, Bob Hutchinson and David Duggan

CS 589-07: Digital Forensics Fall 2006 Instructors: Lorie Liebrock, Bob Hutchinson and David Duggan CS 589-07: Digital Forensics Fall 2006 Instructors: Lorie Liebrock, Bob Hutchinson and David Duggan Research Paper: Collection and Analysis of Network Traffic David Burton Executive Summary The collection

More information

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design Learning Objectives Identify common misconceptions about firewalls Explain why a firewall

More information

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA To purchase Full version of Practice exam click below; http://www.certshome.com/jk0-022-practice-test.html FOR CompTIA JK0-022 Exam Candidates

More information

Lab VI Capturing and monitoring the network traffic

Lab VI Capturing and monitoring the network traffic Lab VI Capturing and monitoring the network traffic 1. Goals To gain general knowledge about the network analyzers and to understand their utility To learn how to use network traffic analyzer tools (Wireshark)

More information

Network Monitoring On Large Networks. Yao Chuan Han (TWCERT/CC) james@cert.org.tw

Network Monitoring On Large Networks. Yao Chuan Han (TWCERT/CC) james@cert.org.tw Network Monitoring On Large Networks Yao Chuan Han (TWCERT/CC) james@cert.org.tw 1 Introduction Related Studies Overview SNMP-based Monitoring Tools Packet-Sniffing Monitoring Tools Flow-based Monitoring

More information

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003 http://technet.microsoft.com/en-us/library/cc757501(ws.10).aspx Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003 Updated: October 7, 2005 Applies To: Windows Server 2003 with

More information

THE ROLE OF IDS & ADS IN NETWORK SECURITY

THE ROLE OF IDS & ADS IN NETWORK SECURITY THE ROLE OF IDS & ADS IN NETWORK SECURITY The Role of IDS & ADS in Network Security When it comes to security, most networks today are like an egg: hard on the outside, gooey in the middle. Once a hacker

More information

From Network Security To Content Filtering

From Network Security To Content Filtering Computer Fraud & Security, May 2007 page 1/10 From Network Security To Content Filtering Network security has evolved dramatically in the last few years not only for what concerns the tools at our disposals

More information

Passive Logging. Intrusion Detection System (IDS): Software that automates this process

Passive Logging. Intrusion Detection System (IDS): Software that automates this process Passive Logging Intrusion Detection: Monitor events, analyze for signs of incidents Look for violations or imminent violations of security policies accepted use policies standard security practices Intrusion

More information

TABLE OF CONTENT. Page 2 of 9 INTERNET FIREWALL POLICY

TABLE OF CONTENT. Page 2 of 9 INTERNET FIREWALL POLICY IT FIREWALL POLICY TABLE OF CONTENT 1. INTRODUCTION... 3 2. TERMS AND DEFINITION... 3 3. PURPOSE... 5 4. SCOPE... 5 5. POLICY STATEMENT... 5 6. REQUIREMENTS... 5 7. OPERATIONS... 6 8. CONFIGURATION...

More information

Course Title: Penetration Testing: Security Analysis

Course Title: Penetration Testing: Security Analysis Course Title: Penetration Testing: Security Analysis Page 1 of 9 Course Description: The Security Analyst Series from EC-Council Press is comprised of five books covering a broad base of topics in advanced

More information

ΕΠΛ 674: Εργαστήριο 5 Firewalls

ΕΠΛ 674: Εργαστήριο 5 Firewalls ΕΠΛ 674: Εργαστήριο 5 Firewalls Παύλος Αντωνίου Εαρινό Εξάμηνο 2011 Department of Computer Science Firewalls A firewall is hardware, software, or a combination of both that is used to prevent unauthorized

More information

Name. Description. Rationale

Name. Description. Rationale Complliiance Componentt Description DEEFFI INITION Network-Based Intrusion Detection Systems (NIDS) Network-Based Intrusion Detection Systems (NIDS) detect attacks by capturing and analyzing network traffic.

More information

Performance Evaluation of Intrusion Detection Systems

Performance Evaluation of Intrusion Detection Systems Performance Evaluation of Intrusion Detection Systems Waleed Farag & Sanwar Ali Department of Computer Science at Indiana University of Pennsylvania ABIT 2006 Outline Introduction: Intrusion Detection

More information

The Essentials Series. PCI Compliance. sponsored by. by Rebecca Herold

The Essentials Series. PCI Compliance. sponsored by. by Rebecca Herold The Essentials Series PCI Compliance sponsored by by Rebecca Herold Using PCI DSS Compliant Log Management to Identify Attacks from Outside the Enterprise...1 Outside Attacks Impact Business...1 PCI DSS

More information

Intrusion Detection Systems and Supporting Tools. Ian Welch NWEN 405 Week 12

Intrusion Detection Systems and Supporting Tools. Ian Welch NWEN 405 Week 12 Intrusion Detection Systems and Supporting Tools Ian Welch NWEN 405 Week 12 IDS CONCEPTS Firewalls. Intrusion detection systems. Anderson publishes paper outlining security problems 1972 DNS created 1984

More information

HIDS and NIDS Hybrid Intrusion Detection System Model Design Zhenqi Wang 1, a, Dankai Zhang 1,b

HIDS and NIDS Hybrid Intrusion Detection System Model Design Zhenqi Wang 1, a, Dankai Zhang 1,b Advanced Engineering Forum Online: 2012-09-26 ISSN: 2234-991X, Vols. 6-7, pp 991-994 doi:10.4028/www.scientific.net/aef.6-7.991 2012 Trans Tech Publications, Switzerland HIDS and NIDS Hybrid Intrusion

More information

Implementation of Intelligent Techniques for Intrusion Detection Systems

Implementation of Intelligent Techniques for Intrusion Detection Systems Ain Shams University Faculty of Computer & Information Sciences Implementation of Intelligent Techniques for Intrusion Detection Systems A Thesis Submitted to Department of Computer Science In partial

More information

74% 96 Action Items. Compliance

74% 96 Action Items. Compliance Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM 1 74% Compliance 96 Action Items Upcoming 0 items About PCI DSS 2.0 PCI-DSS is a legal obligation mandated

More information

CHAPETR 3. DISTRIBUTED DEPLOYMENT OF DDoS DEFENSE SYSTEM

CHAPETR 3. DISTRIBUTED DEPLOYMENT OF DDoS DEFENSE SYSTEM 59 CHAPETR 3 DISTRIBUTED DEPLOYMENT OF DDoS DEFENSE SYSTEM 3.1. INTRODUCTION The last decade has seen many prominent DDoS attack on high profile webservers. In order to provide an effective defense against

More information

Global Partner Management Notice

Global Partner Management Notice Global Partner Management Notice Subject: Critical Vulnerabilities Identified to Alert Payment System Participants of Data Compromise Trends Dated: May 4, 2009 Announcement: To support compliance with

More information

Introduction... Error! Bookmark not defined. Intrusion detection & prevention principles... Error! Bookmark not defined.

Introduction... Error! Bookmark not defined. Intrusion detection & prevention principles... Error! Bookmark not defined. Contents Introduction... Error! Bookmark not defined. Intrusion detection & prevention principles... Error! Bookmark not defined. Technical OverView... Error! Bookmark not defined. Network Intrusion Detection

More information

CS419 Computer Security

CS419 Computer Security CS419 Computer Security Vinod Ganapathy Topic: Intrusion Detection and Firewalls Security Intrusion & Detection Security Intrusion a security event, or combination of multiple security events, that constitutes

More information

Ch.9 Firewalls and Intrusion Prevention Systems. Firewall Design Goals

Ch.9 Firewalls and Intrusion Prevention Systems. Firewall Design Goals Ch.9 Firewalls and Intrusion Prevention Systems Firewalls: effective means of protecting LANs Internet connectivity is essential for every organization and individuals introduces threats from the Internet

More information

Linux Network Security

Linux Network Security Linux Network Security Course ID SEC220 Course Description This extremely popular class focuses on network security, and makes an excellent companion class to the GL550: Host Security course. Protocols

More information

WHITE PAPER PROCESS CONTROL NETWORK SECURITY: INTRUSION PREVENTION IN A CONTROL SYSTEMS ENVIRONMENT

WHITE PAPER PROCESS CONTROL NETWORK SECURITY: INTRUSION PREVENTION IN A CONTROL SYSTEMS ENVIRONMENT WHITE PAPER PROCESS CONTROL NETWORK SECURITY: INTRUSION PREVENTION IN A CONTROL SYSTEMS ENVIRONMENT WHAT S INSIDE: 1. GENERAL INFORMATION 1 2. EXECUTIVE SUMMARY 1 3. BACKGROUND 2 4. QUESTIONS FOR CONSIDERATION

More information

SURVEY OF INTRUSION DETECTION SYSTEM

SURVEY OF INTRUSION DETECTION SYSTEM SURVEY OF INTRUSION DETECTION SYSTEM PRAJAPATI VAIBHAVI S. SHARMA DIPIKA V. ASST. PROF. ASST. PROF. MANISH INSTITUTE OF COMPUTER STUDIES MANISH INSTITUTE OF COMPUTER STUDIES VISNAGAR VISNAGAR GUJARAT GUJARAT

More information

USM IT Security Council Guide for Security Event Logging. Version 1.1

USM IT Security Council Guide for Security Event Logging. Version 1.1 USM IT Security Council Guide for Security Event Logging Version 1.1 23 November 2010 1. General As outlined in the USM Security Guidelines, sections IV.3 and IV.4: IV.3. Institutions must maintain appropriate

More information

Network Security Monitoring

Network Security Monitoring Network Security Monitoring Network Startup Resource Center www.nsrc.org These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International license (http://creativecommons.org/licenses/by-nc/4.0/)

More information

The SIEM Evaluator s Guide

The SIEM Evaluator s Guide Using SIEM for Compliance, Threat Management, & Incident Response Security information and event management (SIEM) tools are designed to collect, store, analyze, and report on log data for threat detection,

More information

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall. Firewalls 1 Firewalls Idea: separate local network from the Internet Trusted hosts and networks Firewall Intranet Router DMZ Demilitarized Zone: publicly accessible servers and networks 2 1 Castle and

More information

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας Department of Computer Science Firewalls A firewall is hardware, software, or a combination of both that is used to prevent unauthorized Internet users

More information

Using Nessus to Detect Wireless Access Points. March 6, 2015 (Revision 4)

Using Nessus to Detect Wireless Access Points. March 6, 2015 (Revision 4) Using Nessus to Detect Wireless Access Points March 6, 2015 (Revision 4) Table of Contents Introduction... 3 Why Detect Wireless Access Points?... 3 Wireless Scanning for WAPs... 4 Detecting WAPs using

More information

Intruders and viruses. 8: Network Security 8-1

Intruders and viruses. 8: Network Security 8-1 Intruders and viruses 8: Network Security 8-1 Intrusion Detection Systems Firewalls allow traffic only to legitimate hosts and services Traffic to the legitimate hosts/services can have attacks CodeReds

More information

Demystifying the Myth of Passive Network Discovery and Monitoring Systems

Demystifying the Myth of Passive Network Discovery and Monitoring Systems Demystifying the Myth of Passive Network Discovery and Monitoring Systems Ofir Arkin Chief Technology Officer Insightix Copyright 2012 - All Rights Reserved. This material is proprietary of Insightix.

More information

CSCI 4250/6250 Fall 2015 Computer and Networks Security

CSCI 4250/6250 Fall 2015 Computer and Networks Security CSCI 4250/6250 Fall 2015 Computer and Networks Security Network Security Goodrich, Chapter 5-6 Tunnels } The contents of TCP packets are not normally encrypted, so if someone is eavesdropping on a TCP

More information

Network Security: 30 Questions Every Manager Should Ask. Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting

Network Security: 30 Questions Every Manager Should Ask. Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting Network Security: 30 Questions Every Manager Should Ask Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting Network Security: 30 Questions Every Manager/Executive Must Answer in Order

More information

Guideline on Auditing and Log Management

Guideline on Auditing and Log Management CMSGu2012-05 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Auditing and Log Management National Computer Board Mauritius

More information

NETWORK SECURITY (W/LAB) Course Syllabus

NETWORK SECURITY (W/LAB) Course Syllabus 6111 E. Skelly Drive P. O. Box 477200 Tulsa, OK 74147-7200 NETWORK SECURITY (W/LAB) Course Syllabus Course Number: NTWK-0008 OHLAP Credit: Yes OCAS Code: 8131 Course Length: 130 Hours Career Cluster: Information

More information

Network Security Demonstration - Snort based IDS Integration -

Network Security Demonstration - Snort based IDS Integration - Network Security Demonstration - Snort based IDS Integration - Hyuk Lim (hlim@gist.ac.kr) with TJ Ha, CW Jeong, J Narantuya, JW Kim Wireless Communications and Networking Lab School of Information and

More information

Intrusion Detection Systems. Darren R. Davis Student Computing Labs

Intrusion Detection Systems. Darren R. Davis Student Computing Labs Intrusion Detection Systems Darren R. Davis Student Computing Labs Overview Intrusion Detection What is it? Why do I need it? How do I do it? Intrusion Detection Software Network based Host based Intrusion

More information

Network Security Management

Network Security Management Network Security Management TWNIC 2003 Objective Have an overview concept on network security management. Learn how to use NIDS and firewall technologies to secure our networks. 1 Outline Network Security

More information

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network. Architecture The policy discussed suggests that the network be partitioned into several parts with guards between the various parts to prevent information from leaking from one part to another. One part

More information

Environment. Attacks against physical integrity that can modify or destroy the information, Unauthorized use of information.

Environment. Attacks against physical integrity that can modify or destroy the information, Unauthorized use of information. Cyber Security. Environment, Solutions and Case study. Special Telecommunications Service David Gabriel, Buciu Adrian Contact: gdavid13@sts.ro adibuciu@sts.ro Environment Network/services can be damaged

More information

Data Mining For Intrusion Detection Systems. Monique Wooten. Professor Robila

Data Mining For Intrusion Detection Systems. Monique Wooten. Professor Robila Data Mining For Intrusion Detection Systems Monique Wooten Professor Robila December 15, 2008 Wooten 2 ABSTRACT The paper discusses the use of data mining techniques applied to intrusion detection systems.

More information

Marlicia J. Pollard East Carolina University ICTN 4040 SECTION 602 Mrs. Boahn Dr. Lunsford

Marlicia J. Pollard East Carolina University ICTN 4040 SECTION 602 Mrs. Boahn Dr. Lunsford Intrusion Detection Marlicia J. Pollard East Carolina University ICTN 4040 SECTION 602 Mrs. Boahn Dr. Lunsford For this term paper I will be discussing the subject of Intrusion detection. I will be going

More information

Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed)

Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed) Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013 Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed) 01.1 Purpose

More information

Building Your Firewall Rulebase Lance Spitzner Last Modified: January 26, 2000

Building Your Firewall Rulebase Lance Spitzner Last Modified: January 26, 2000 Building Your Firewall Rulebase Lance Spitzner Last Modified: January 26, 2000 Building a solid rulebase is a critical, if not the most critical, step in implementing a successful and secure firewall.

More information

DMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch

DMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch DMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch What You Will Learn A demilitarized zone (DMZ) is a separate network located in the neutral zone between a private (inside)

More information

NORMAL SIGNATURE BASED IDS FOR E-CAFÉ (HEP)

NORMAL SIGNATURE BASED IDS FOR E-CAFÉ (HEP) NORMAL SIGNATURE BASED IDS FOR E-CAFÉ (HEP) Raihana Md Saidi, Abd. Hamid Othman, Asnita Hashim Faculty of Computer and Mathematical Sciences, Universiti Teknologi MARA Abstract Many intrusion detection

More information