Introduction to Intrusion Detection Systems




Why IDS?
An IDS inspects inbound and outbound network activity and identifies attacks on a network or system by someone attempting to compromise it.
- Detection: the IDS analyzes the information it gathers and compares it against a large database of attack signatures.
  o A signature is a set of rules that the sensor uses to detect typical intrusive activity.
- Prevention: detected attacks are stopped before they complete.
- Reaction: the IDS takes steps to protect the systems from repeat attacks (for example by blocking the source) and raises real-time alerts.

NIDS (network-based IDS): checks the individual packets flowing through a network. It can detect malicious packets that are crafted to slip past a firewall's simple filtering rules.
HIDS (host-based IDS): checks information at the host or operating-system level. It examines log data such as system calls, audit logs and error messages and compares them against signatures of known attacks.

What the firewall does not do:
(1) Protect against internal threats.
(2) Protect against the transfer of virus-infected programs or files.

Benefits of HIDS
(1) Monitors specific system activities:
  o user and file access activity
  o changes to file permissions
  o attempts to install new executables
  o attempts to access privileged services
(2) Detects some attacks that a NIDS cannot see. Example: an attack typed at the keyboard of a critical server never crosses the network, so no NIDS can see it.

Drawbacks of HIDS
Limited network view. Example: a HIDS sees only the probes addressed to its own host, so it cannot recognize a reconnaissance scan that sweeps the whole network.
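A minimal host-based check of the kind the slide lists (file permission changes, new executables), as an added example that is not part of the slides or of any Cisco product: it baselines the permission bits and content hash of every regular file under a directory and reports what changed. The directory, file names and the simulated attacker actions are constructed so the script runs offline; POSIX permission bits are assumed.

```python
"""
Baseline a directory tree, then diff a later snapshot against it.
Added example; the scenario in demo() is constructed.
"""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

Snapshot = Dict[str, Tuple[int, str]]   # relative path -> (permission bits, sha256)


def snapshot(root: str) -> Snapshot:
    """Record mode bits and content hash of every regular file under root."""
    state: Snapshot = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue                        # skip symlinks, devices, sockets
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            state[os.path.relpath(path, root)] = (stat.S_IMODE(st.st_mode), digest)
    return state


def diff(before: Snapshot, after: Snapshot) -> List[Tuple[str, str]]:
    """Return (finding, path) pairs, sorted so the output is stable."""
    findings = []
    for path, (mode, digest) in after.items():
        if path not in before:
            kind = "new executable" if mode & 0o111 else "new file"
            findings.append((kind, path))
            continue
        old_mode, old_digest = before[path]
        if mode != old_mode:
            findings.append(("permission change %o -> %o" % (old_mode, mode), path))
        if digest != old_digest:
            findings.append(("content change", path))
    for path in before.keys() - after.keys():
        findings.append(("deleted", path))
    return sorted(findings)


def demo() -> List[Tuple[str, str]]:
    """Constructed scenario: a config file made world-writable and a dropped executable."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        passwd = os.path.join(etc, "passwd")
        with open(passwd, "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/sh\n")
        os.chmod(passwd, 0o644)
        before = snapshot(root)

        os.chmod(passwd, 0o666)                  # attacker loosens permissions
        dropper = os.path.join(root, "backdoor")
        with open(dropper, "w") as fh:
            fh.write("#!/bin/sh\n")              # a new executable appears
        os.chmod(dropper, 0o755)

        return diff(before, snapshot(root))


if __name__ == "__main__":
    for finding, path in demo():
        print(f"{finding}: {path}")
```

Both findings are invisible to a NIDS: nothing crossed the network. A real HIDS stores the baseline somewhere the attacker cannot rewrite it and re-checks on a schedule or on file-system events.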

Benefits of NIDS
Detects attacks that host-based systems miss: it examines the headers of every packet for signs of malicious activity. A HIDS cannot detect header-level attacks such as denial-of-service floods.
Real-time detection and response: it detects attacks as they occur and gives faster notification and response. Example: a NIDS can react to a DoS attack (for example by blocking the source) before the flood crashes the targeted host.
Operating-system independence: a NIDS does not depend on the host operating systems it protects.

Drawbacks of NIDS
Bandwidth: as network pipes grow larger, you normally need more sensors placed throughout the network at points where each can keep up with the traffic; a sensor that drops packets also drops the attacks carried in them.
Encryption: when network traffic is encrypted, the NIDS cannot match the encrypted payload against its signature database.
New attacks appear with no signature available to detect them. Regular signature updates narrow this window but do not close it.

IDS Signatures
A signature is a set of rules that your sensor uses to detect typical intrusive activity. Rules are based on various criteria:
- IP protocol parameters (IP addresses, IP fragmentation parameters and so on)
- transport protocol parameters (TCP flags, port numbers)
- packet data
IP packets are composed of different headers and application data. Signatures can examine the information in the various headers or in the packet's data:
- context-based signatures examine packet headers
- content-based signatures examine packet data

Context-based Signatures
Triggered by the data contained in packet headers, i.e. IP and TCP protocol parameters:
- port numbers
- IP fragmentation parameters
- TCP flags
- IP protocol field
- IP addresses
Example: 3050 Half-open SYN Attack.

Example: TCP SYN Attack (Signature ID 3050)
Triggers when multiple TCP sessions have been left half-open on several well-known service ports: FTP, Telnet, WWW, SSH and e-mail servers (ports 21, 23, 80, 22 and 25 respectively).
A normal TCP connection is a three-way handshake:
1. SYN
2. SYN/ACK
3. ACK
The attacker sends step 1 and never completes step 3, so the server holds a half-open connection for each SYN.

Content-based Signatures
Triggered by the data portion of the packets traveling across the network.
Example: Sendmail Reconnaissance (Signature ID 3103). Locates IP packets containing either a VRFY or an EXPN sendmail command. An attacker can use these commands to enumerate account names on the mail server.
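The two signature classes side by side, as an added example rather than Cisco's signature engine: a context-based rule modelled on signature 3050 that looks only at flags, ports and addresses and tracks half-open handshakes, and a content-based rule modelled on signature 3103 that looks only at the SMTP payload. The packet records, the half-open threshold and the alarm texts are constructed assumptions, not Cisco's values.

```python
"""
Toy signature engine: context-based (3050) and content-based (3103) rules
run over constructed packet records. Added example, not Cisco code.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Set, Tuple

SYN, RST, ACK = 0x02, 0x04, 0x10
WELL_KNOWN_PORTS = {21, 22, 23, 25, 80}      # FTP, SSH, Telnet, SMTP, WWW
HALF_OPEN_THRESHOLD = 5                       # assumption, not Cisco's tuning


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    payload: bytes = b""


@dataclass
class Alarm:
    sig_id: int
    name: str
    detail: str


class Sensor:
    def __init__(self) -> None:
        # context-based state: clients with an unfinished handshake, per server socket
        self.half_open = defaultdict(set)
        self.fired: Set[Tuple[str, int]] = set()
        self.alarms: List[Alarm] = []

    def inspect(self, pkt: Packet) -> None:
        self._syn_attack(pkt)
        self._sendmail_recon(pkt)

    def _syn_attack(self, pkt: Packet) -> None:
        """Context-based: decides on TCP flags, ports and addresses only."""
        if pkt.dport not in WELL_KNOWN_PORTS:
            return
        server, client = (pkt.dst, pkt.dport), (pkt.src, pkt.sport)
        if pkt.flags & SYN and not pkt.flags & ACK:
            self.half_open[server].add(client)           # handshake step 1 seen
            if len(self.half_open[server]) >= HALF_OPEN_THRESHOLD and server not in self.fired:
                self.fired.add(server)                   # alarm once per attacked socket
                self.alarms.append(Alarm(3050, "TCP SYN Attack",
                    f"{len(self.half_open[server])} half-open connections to {pkt.dst}:{pkt.dport}"))
        elif pkt.flags & (ACK | RST):
            self.half_open[server].discard(client)       # step 3 (or an abort) ends the half-open state

    def _sendmail_recon(self, pkt: Packet) -> None:
        """Content-based: decides on the data portion of SMTP traffic only."""
        if pkt.dport != 25 or not pkt.payload:
            return
        for line in pkt.payload.splitlines():
            verb = line.strip().split(b" ", 1)[0].upper()
            if verb in (b"VRFY", b"EXPN"):
                self.alarms.append(Alarm(3103, "Sendmail Reconnaissance",
                    f"{pkt.src} sent {verb.decode()} to {pkt.dst}"))


def sample_traffic() -> List[Packet]:
    """Constructed packets: a SYN flood, one completed SSH handshake, two SMTP commands."""
    pkts = [Packet("198.51.100.7", "192.0.2.10", 40000 + i, 80, SYN) for i in range(6)]
    pkts += [Packet("10.0.0.5", "192.0.2.10", 51000, 22, SYN),
             Packet("192.0.2.10", "10.0.0.5", 22, 51000, SYN | ACK),
             Packet("10.0.0.5", "192.0.2.10", 51000, 22, ACK)]
    pkts += [Packet("10.0.0.5", "192.0.2.20", 52000, 25, ACK, b"HELO mail.example\r\n"),
             Packet("198.51.100.7", "192.0.2.20", 53000, 25, ACK, b"VRFY root\r\n")]
    return pkts


def run(packets: List[Packet]) -> List[Alarm]:
    sensor = Sensor()
    for pkt in packets:
        sensor.inspect(pkt)
    return sensor.alarms


if __name__ == "__main__":
    for alarm in run(sample_traffic()):
        print(alarm.sig_id, alarm.name, "-", alarm.detail)
```

The completed SSH handshake leaves no half-open entry behind, so only the port-80 flood trips 3050; the HELO command is ordinary SMTP and only VRFY trips 3103. Note what the context-based rule cannot do: it never looks at the payload, so it would fire on a SYN flood even if the sessions were TLS, whereas the content-based rule is blind once SMTP runs over STARTTLS, which is the encryption drawback noted earlier.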

Cisco Secure IDS
IDS sensors perform the real-time monitoring of network packets.
The Director platform provides the management software used to configure sensors and to log and display the alarms they generate.
IDS sensors have two interfaces:
- Monitoring: the sensor monitors network traffic through it in real time, looking for patterns of attacks.
- Command and control: alarms are transmitted through it to the Director platform.
Functionality of the Director platform:
- provides a user interface for configuring signature elements
- provides a facility for logging the information collected by the sensors
- sends event information to a pager or by e-mail to alert security personnel

The basic Cisco Secure IDS process:
1. A sensor captures network packets through its monitoring interface.
2. Packets are reassembled, if required, and compared against signatures indicating typical intrusion activity.
3. If an attack is detected, the sensor logs the attack and notifies the Director platform through the command and control interface.
4. The Director platform displays the alarms and logs the data.
You can program your sensors to respond in various ways upon alarm detection. Possible responses:
- TCP reset
- IP blocking
- IP logging

TCP reset
After a sensor detects an attack, it generates an alarm and sends it to the management station. The sensor may also terminate the session by sending a TCP RST packet to both the attacked server and the attacking host. The resets are sent from the monitoring (data-capturing) interface, spoofed to look as if they come from the other end of the connection, and each must carry a sequence number the receiver will accept, so the sensor has to track the session's state.
Effective only for TCP-based connections; UDP traffic is unaffected.
(figure: Director platform)
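What the pair of resets looks like on the wire, as an added example (not Cisco code): given the last client-to-server segment the sensor observed, it builds one RST spoofed from the client towards the server and one spoofed from the server towards the client, each with a valid IPv4 pseudo-header checksum. It only constructs the 20-byte TCP headers; transmitting them requires a raw socket and privileges, and the addresses, ports and sequence numbers are constructed.

```python
"""
Build the two TCP RST segments a sensor uses to tear down an observed
connection. Added example, not Cisco code; constructs bytes only.
"""
import socket
import struct

FLAG_RST = 0x04
TCP_HDR = "!HHIIBBHHH"   # sport, dport, seq, ack, offset, flags, window, checksum, urgent


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))


def build_rst(src_ip: str, dst_ip: str, sport: int, dport: int, seq: int) -> bytes:
    """20-byte TCP header with only RST set, no options, checksum filled in."""
    hdr = struct.pack(TCP_HDR, sport, dport, seq & 0xFFFFFFFF, 0, 5 << 4, FLAG_RST, 0, 0, 0)
    csum = checksum(pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """A segment whose checksum is right sums (with its pseudo-header) to zero."""
    return checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def parse_tcp(segment: bytes) -> dict:
    f = struct.unpack(TCP_HDR, segment[:20])
    return {"sport": f[0], "dport": f[1], "seq": f[2], "ack": f[3], "flags": f[5]}


def reset_pair(client_ip: str, client_port: int, server_ip: str, server_port: int,
               seq: int, ack: int, payload_len: int):
    """
    Inputs describe the last client->server segment seen on the monitoring
    interface: its sequence number, acknowledgement number and payload length.
      - RST to the server, spoofed from the client, seq = seq + payload_len
        (the next byte the server expects from the client);
      - RST to the client, spoofed from the server, seq = ack
        (the next byte the client expects from the server).
    A receiver accepts a RST only if its sequence number falls inside the
    receive window (RFC 793), which is why the sensor must track the session:
    if the connection advances before the RST arrives, the reset misses.
    """
    to_server = build_rst(client_ip, server_ip, client_port, server_port, seq + payload_len)
    to_client = build_rst(server_ip, client_ip, server_port, client_port, ack)
    return to_server, to_client


if __name__ == "__main__":
    srv, cli = reset_pair("10.0.0.5", 40000, "192.0.2.10", 80, seq=1000, ack=5000, payload_len=100)
    print("to server:", parse_tcp(srv))
    print("to client:", parse_tcp(cli))
```

A SYN segment consumes one sequence number even with no payload, so a sensor resetting a connection right after the handshake must count the SYN as one byte when computing the expected next sequence number; the function above takes that adjustment as part of the caller's payload_len.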

IP blocking
The sensor updates the access control list (ACL) on the perimeter router to deny all traffic from the offending IP address.
Because the block is keyed on the source address, an attacker who spoofs the source address of a legitimate host (the Director, a DNS server, a business partner) can make the sensor block that host instead; blocks should therefore have a limited lifetime, and the sensor should refuse to block its own infrastructure.
(figure: Director platform)

IP logging
Records in a session log file what the attacker is doing. This option is passive and does not prevent the attacker from continuing the attack; the logged information provides a record of what the attacker did against the network, which is what a later investigation needs.
(figure: Director platform)

Installation Configurations
Different installation configurations provide different levels of functionality.

Standalone Configuration
Installing sensors without IP blocking is called a standalone configuration. Two responses remain available:
- IP logging: capture a history of the intrusive traffic.
- TCP reset: if the attack is TCP-based, the sensor can generate TCP resets in an attempt to halt the intrusive activity.
In the standalone configuration, the sensor usually communicates alarms and other information to the Director over a separate command and control network connection.

Device Management Configuration
Supports IP blocking: all traffic from the attacker's host is dropped, so further attacks from that IP address are blocked as well. If a signature is configured for IP blocking, the sensor telnets into the router and automatically blocks the offending host by updating the ACL.
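The shun logic behind IP blocking and the device-management configuration, as an added example rather than Cisco's implementation: a small table of blocked hosts that renders the IOS ACL the sensor would push to the router. The ACL name, the never-block networks, the block lifetime and the trailing permit (standing in for the site's real rules) are assumptions. It carries the two checks a practitioner wants: the sensor refuses to block its own infrastructure, since the source address that triggered the alarm may be spoofed, and every block expires.

```python
"""
Shun table that renders the router ACL for IP blocking.
Added example, not Cisco code; names and lifetimes are assumptions.
"""
import ipaddress
from typing import Dict, List


class ShunTable:
    def __init__(self, acl_name: str, never_block: List[str], lifetime_s: int = 1800) -> None:
        self.acl_name = acl_name
        # networks that must never be denied: sensor, Director, router, DNS, ... (assumed list)
        self.never_block = [ipaddress.IPv4Network(n) for n in never_block]
        self.lifetime_s = lifetime_s
        self.blocked: Dict[ipaddress.IPv4Address, float] = {}   # host -> expiry (seconds)

    def block(self, offender: str, now: float) -> None:
        """Shun a host; refuse if it sits in a never-block network (the source may be spoofed)."""
        host = ipaddress.IPv4Address(offender)
        for net in self.never_block:
            if host in net:
                raise ValueError(f"refusing to block {host}: inside never-block network {net}")
        self.blocked[host] = now + self.lifetime_s          # re-blocking extends the lifetime

    def expire(self, now: float) -> None:
        """Drop blocks whose lifetime has passed, so a spoofed burst cannot lock a host out for good."""
        self.blocked = {h: t for h, t in self.blocked.items() if t > now}

    def render_acl(self, now: float) -> List[str]:
        """IOS commands that rebuild the inbound ACL: one deny per shunned host, then the site's rules."""
        self.expire(now)
        lines = ["configure terminal",
                 f"ip access-list extended {self.acl_name}"]
        for host in sorted(self.blocked):
            lines.append(f" deny ip host {host} any")
        lines.append(" permit ip any any")      # placeholder for the existing policy (assumption)
        lines.append("end")
        return lines


if __name__ == "__main__":
    table = ShunTable("IDS_SHUN", ["10.0.0.0/24", "192.0.2.1/32"], lifetime_s=600)
    table.block("203.0.113.5", now=0)
    print("\n".join(table.render_acl(now=10)))
```

The sensor re-renders the list every time it talks to the router, so an expired entry simply disappears from the next push; a blocked host that attacks again is re-added with a fresh lifetime.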

Firewall Sandwich Configuration
Placing a sensor with its monitoring interface in front of the firewall and its command and control interface on the network behind the firewall is known as a firewall sandwich: the firewall protects the IDS command and control network.
The command and control interface can connect directly into the internal network behind the firewall; however, internal users on that network can then potentially attack the Cisco Secure IDS. A more secure installation places the command and control interface on a separate firewall interface (its own segment behind the firewall), so that neither outside hosts nor ordinary internal hosts can reach it.

The IDS sensor can dynamically update the access control lists on the router to block future attacks. Command traffic to update the access control lists traverses the firewall to the router, while the firewall prevents unauthorized traffic from reaching your sensor. You must allow certain traffic through the firewall to enable IP blocking:
Step 1: Enable Telnet on the router.
Step 2: Permit the Telnet traffic (only from the sensor to the router) to pass through the firewall.
Telnet carries the router login credentials and the ACL commands in cleartext, so the firewall rule must be restricted to the sensor's address and the router's Telnet port; where the router supports it, SSH is the safer transport for this channel.

Remote Sensor Configuration
Sometimes you need to deploy a sensor to monitor a network while the Director is located on a remote network that is reachable only across an untrusted network. The traffic traveling across the untrusted network (from the sensor to the Director and vice versa) must be encrypted and authenticated; a simple way is to define an IPSec tunnel across the untrusted network.