Attack Evaluation and Mitigation Framework



Similar documents
Introduction of Intrusion Detection Systems

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

Networking for Caribbean Development

Network Security Management

CIS 4361: Applied Security Lab 4

Module II. Internet Security. Chapter 7. Intrusion Detection. Web Security: Theory & Applications. School of Software, Sun Yat-sen University

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

Performance Evaluation of Intrusion Detection Systems

UNIVERSITY OF BOLTON CREATIVE TECHNOLOGIES COMPUTING AND NETWORK SECURITY SEMESTER TWO EXAMINATIONS 2014/2015 NETWORK SECURITY MODULE NO: CPU6004

Architecture Overview

ΕΠΛ 674: Εργαστήριο 5 Firewalls

Chapter 8 Network Security

Intrusion Detection System (IDS)

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

FIREWALLS & CBAC. philip.heimer@hh.se

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

CSCI 4250/6250 Fall 2015 Computer and Networks Security

Intrusion Detection and Prevention System (IDPS) Technology- Network Behavior Analysis System (NBAS)

Development of a Network Intrusion Detection System

IPv6 SECURITY. May The Government of the Hong Kong Special Administrative Region

Introduction... Error! Bookmark not defined. Intrusion detection & prevention principles... Error! Bookmark not defined.

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

Technical Support Information

Network- vs. Host-based Intrusion Detection

A Secure Intrusion detection system against DDOS attack in Wireless Mobile Ad-hoc Network Abstract

Network Based Intrusion Detection Using Honey pot Deception

Applied Security Lab 2: Personal Firewall

How To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)

Advancement in Virtualization Based Intrusion Detection System in Cloud Environment

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

A NOVEL APPROACH FOR PROTECTING EXPOSED INTRANET FROM INTRUSIONS

Firewalls with IPTables. Jason Healy, Director of Networks and Systems

Network Defense Tools

Internetwork Expert s CCNA Security Bootcamp. IOS Firewall Feature Set. Firewall Design Overview

CHAPETR 3. DISTRIBUTED DEPLOYMENT OF DDoS DEFENSE SYSTEM

CIT 480: Securing Computer Systems. Firewalls

Firewalls, NAT and Intrusion Detection and Prevention Systems (IDS)

Agenda. Understanding of Firewall s definition and Categorization. Understanding of Firewall s Deployment Architectures

Customized Data Exchange Gateway (DEG) for Automated File Exchange across Networks

Securing EtherNet/IP Using DPI Firewall Technology

PROFESSIONAL SECURITY SYSTEMS

Cisco IPS Tuning Overview

Netfilter. GNU/Linux Kernel version 2.4+ Setting up firewall to allow NIS and NFS traffic. January 2008

Chapter 9 Firewalls and Intrusion Prevention Systems

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

CIT 480: Securing Computer Systems. Firewalls

Linux MDS Firewall Supplement

WHITE PAPER. FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems

How To Block A Ddos Attack On A Network With A Firewall

Classic IOS Firewall using CBACs Cisco and/or its affiliates. All rights reserved. 1

SFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab March 04, 2004

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Radware s Smart IDS Management. FireProof and Intrusion Detection Systems. Deployment and ROI. North America. International.

On-Premises DDoS Mitigation for the Enterprise

Are Second Generation Firewalls Good for Industrial Control Systems?

Firewalls, Tunnels, and Network Intrusion Detection

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

What is Firewall? A system designed to prevent unauthorized access to or from a private network.

10 Configuring Packet Filtering and Routing Rules

1Fortinet. 2How Logtrust. Firewall technologies from Fortinet offer integrated, As your business grows and volumes of data increase,

Intrusion Detection and Prevention Systems in the Industrial Automation and Control Systems Environment

Cisco Firewall Technology

SECURE YOUR NETWORK WITH FIREWALL BUILDER

McAfee Intrusion Prevention System

Intrusion Detection Systems

Implementing Cisco Intrusion Prevention System 7.0 (IPS)

Cisco PIX vs. Checkpoint Firewall

Internet Firewall CSIS Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS net15 1. Routers can implement packet filtering

Name. Description. Rationale

Two State Intrusion Detection System Against DDos Attack in Wireless Network

About Firewall Protection

AlienVault Unified Security Management (USM) 4.x-5.x. Deployment Planning Guide

Assignment 3 Firewalls

How To Protect Your Firewall From Attack From A Malicious Computer Or Network Device

OS Security. Malware (Part 2) & Intrusion Detection and Prevention. Radboud University Nijmegen, The Netherlands. Winter 2015/2016

Intrusion Detection System

DDoS Protection Technology White Paper

Intrusion Detection Systems and Supporting Tools. Ian Welch NWEN 405 Week 12

How To Understand A Firewall

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP

1:1 NAT in ZeroShell. Requirements. Overview. Network Setup

Developing Network Security Strategies

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

Linux MPS Firewall Supplement

Passive Logging. Intrusion Detection System (IDS): Software that automates this process

Firewall Firewall August, 2003

CSE543 - Computer and Network Security Module: Firewalls

Transcription:

Attack Evaluation and Mitigation Framework Laura Gheorghe, Răzvan Rughiniş, Nicolae Ţăpuş Politehnica University of Bucharest, Romania laura.gheorghe@cs.pub.ro, razvan.rughinis@cs.pub.ro, ntapus@cs.pub.ro 23.03.2010 Sesiunea de Comunicări Ştiinţifice Studenteşti 1

Context Increase in frequency and severity of network-based attacks Intrusions and targeted attacks may result in the loss of: critical data business availability time reputation money Firewalls are not always efficient against intrusion attempts The solution: intrusion detection and prevention systems

Intrusion detection and prevention systems Intrusion: the attempt to compromise the confidentiality, integrity and availability of a resource Detection: the process of monitoring system or network events in order to detect intrusions Prevention: the attempt to stop the intrusion from happening Two categories of IDPS depending on the location: Host-based IDPS Network-based IDPS Two types of intrusion detection: Anomaly-based intrusion detection Signature-based intrusion detection

Types of signatures and attacks Signature - description of network traffic generated by attackers Atomic signatures Conditions for a single packet Minimal resources When the context is not important Flood signatures Denial of Service attacks Host-based: Traffic directed at one specific host Network-based: Traffic directed at an entire network Sweep signatures Reconnaissance attacks Multiple connections to: multiple hosts multiple ports on a single host

System architecture

Central application Role: keep the sensor configuration up to date Loads configuration: Retrieves sensor configuration from the database Sends configuration to the kernel module Updates configuration: Receives messages from the interfaces if configuration has been changed Sends changes to the kernel module Stores alerts: Receives alert messages from the kernel module Stores alerts in the database

Kernel Module A chain of five software components called engines two firewall-based engines three signature-based engines Packet analyzed by each engine in a sequential order Analysis result: Packet blocking Send packet to the next engine If the packet is not blocked the engines, it will be forwarded

Firewall-based engines Stateless firewall engine Two lists of rules: static and dynamic, checked sequentially A rule contains: the conditions to be matched action Block packet Send to next engine Stateful inspection engine Valid connections initiated from a host in the internal network the destination is defined as a public server monitors the TCP and UDP connections by maintaing their state

Signature-based engines Every engine stores a list of signatures Atomic engine Match between the packet and a signature Flood engine Analyses and stores packets that match a signature Packets stored in a list with count, peak and gap values Packets per second counter Sweep engine Analyses and stores packets that match a signature Packets stored in a list with associated count value Maximum number of packets per time period

Graphical Interface Enable/disable engine Alerts can be visualized Signature-based engines Signature tables can be displayed Add and modify signatures Delete signatures Stateless firewall engine Display, add, modify, delete firewall rules Stateful firewall engine Display, add, modify, delete internal networks and servers Announce changes to the central application

Command line interface Organized on levels, for example: Engine level Signature level Header level Specific configurations for each level list command Display current level configuration delete command Delete current level configuration exit command Return to the previous level Announce changes to the central application

Conclusion Analyze traffic in kernelspace Low latency Minimal overhead Control over packets They can be blocked without other applications like iptables Ability to prevent attacks Availability during configuration Updates made by the central application Restarting the application is not necessary Signature definition granularity Multiple types of alerts: email, pop-up, terminal alert High degree of modularity, relying on distinct engines

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information