Evolutionism of Intrusion Detection




Jackie Lai

Network technology changes with each passing day, and hackers' attack techniques evolve just as quickly, discarding the old and bringing forth the new. Worms such as Code Red, Nimda, Slammer, Blaster and Sasser treat the firewall and anti-virus software as if they were not there at the outset of an attack. They drive straight into the core servers of an enterprise, paralyze their operation or clog the network bandwidth, and cause heavy losses. Just as in Darwin's theory of evolution, a species must adapt to its environment or be eliminated by it. The traditional intrusion detection system and the Layer 4 firewall installed by enterprises cannot block the refined and cunning attacks of today's hackers, so they too face the same evolutionary pressure.

The intrusion detection system evolves into the intrusion detection and prevention system

The operating structure of an Intrusion Detection System (IDS) is shown in Figure 1. An IDS only monitors packets that have already passed by, from the side of the network. When it discovers a network attack, it will generally (1) notify the administrator to take suitable defensive measures, (2) change the firewall rules, or (3) send a TCP Reset to both attacker and victim to terminate the session.

Figure 1: The operating structure of an IDS

Such a method may have worked in the early days, but an IDS can no longer cope with new types of attack, because it does not inspect packet content actively and immediately; it collects data passively. Take SQL Slammer as an example: a vulnerable host is infected by a single 376-byte packet sent to port 1434/UDP. By the time the IDS notices the attack and tries to react, it is already too late to do anything. To cope with such flash attacks, the IDS has therefore gradually evolved into the Intrusion Detection and Prevention System (IDP). The operating structure of an IDP is shown in Figure 2.

Figure 2: The operating structure of an IDP

Instead of the subordinate role the IDS played in the network, the IDP takes the leading role: it inspects passing packets immediately and deeply at the entry gateway of the enterprise network. If it finds a malicious attack packet, it discards it outright and does not let it into the network. The operating features of an IDP are listed below.

Deep Packet Inspection - A current IDP breaks through the limits of the traditional firewall and inspects packet content at OSI Layers 4 to 7 (equivalent to the application layer of the TCP/IP model). New attack code is hidden inside the application-layer data of the TCP/IP protocols, and deep packet inspection prevents such malicious packets from concealing themselves.

In-Line Mode - An IDP must be placed at the entry gateway of the enterprise network (see Figure 2), so that every packet entering or leaving the enterprise intranet is inspected deeply by the IDP. In-line mode is the greatest operational difference between an IDP and an IDS. An IDS can only monitor network packets in sniffing mode; by the time it detects a malicious attack packet, that packet has already intruded into the enterprise intranet. In-line mode is also called gateway mode.

Real-Time Detection - An IDP must inspect every packet entering or leaving the intranet in real time; if it could not, it would be too late to defend against an attack packet that has already crossed the IDP. An IDS cannot achieve real-time detection either. Its main job is to record intrusive network packets, send a warning when it finds a large number of suspicious attack packets, or provide packet records for analysis by the relevant staff.

Proactive Prevention - Deep packet inspection, in-line mode and real-time detection together find the malicious attack packets hidden in the TCP/IP application layer in real time and discard them immediately. Afterwards, all packets related to those malicious packets are discarded directly without any further inspection. Malicious attack packets thus never get into the network, and proactive prevention is achieved.

Wire-Line Speed - An IDP connects the enterprise intranet to the Internet in gateway mode. On the one hand it must deeply inspect and discard passing packets in real time; on the other hand it must avoid users perceiving a delay in data transmission caused by the presence of the IDP. It therefore needs high execution efficiency so that passing packets reach wire-line speed. An IDP that cannot operate at wire-line speed becomes a burden on the enterprise's transmission rate to the outside world and may affect the enterprise's willingness to install one.

Evolution in Firewall

The traditional firewall cannot block the new types of hacker attack, so it continuously tries to improve its packet inspection and defensive ability.
The new defensive trends of the firewall are listed below.

Adding Inspection and Management Capability in the Application Layer

A traditional firewall using packet filtering does not inspect network packets at the application layer. In theory a proxy-based firewall can fully inspect application-layer packet content, but in practice it falls well short. The reason is simple: inspecting all packets at the application layer needs a great deal of computing power, yet the proxy-based firewall is usually installed on an industrial personal computer whose computing power is limited. So an enterprise proxy-based firewall generally inspects the content of packets only for the HTTP, SMTP and FTP protocols. Yet today's exploit code is always hidden inside the application layer and can easily evade the firewall's inspection. To defend against this new pattern of attack, application-layer inspection has recently been added to the new generation of firewalls, whether proxy-based or packet-filter based. The capabilities added for inspecting the application layer are listed below.

HTTP header filtering - This function judges whether application packets passing through port 80/TCP behave like ordinary web browsing, and whether application packets unrelated to HTTP are permitted on that port. At present many network attacks penetrate the firewall through port 80/TCP by disguising themselves as HTTP application packets.

HTTP URL filtering - This function filters malicious or illegal URLs to prevent intentional or unwitting access by users. For example, some malicious websites deliberately host Trojan horse programs. Once a user connects to such a site, the malicious program is forced onto the user's machine and a backdoor program is implanted. As a result the system may become unstable; worse, network accounts, passwords and credit card numbers may be revealed or stolen, or money withdrawn from the user's bank deposit by someone else.

HTTP content filtering - Many malicious or Trojan horse programs masquerade as normal programs that users download over HTTP, or a script on a malicious web page executes automatically when the page is browsed and damages the user's computer. Such filtering has therefore become an important function newly added to the firewall. Its scope includes control of file formats and MIME types, and management of downloads of ActiveX, Java, JavaScript, VBScript, XML, Cookies, WebDAV, DCOM, etc.
HTTP action controls - Internal network users might use a browser to upload confidential company documents over HTTP. HTTP actions include HEAD, GET, POST, PUT and DELETE. A firewall that can control HTTP actions can prevent the improper data disclosure described above.

Management of FTP and SMTP communication content - The firewall can determine whether anti-virus inspection, anti-spam functions or file-size limits need to be applied to transmissions on these communication ports.

Management of LDAP and SNMP communication content - A firewall that supports LDAP management can block any rewrite of the internal server from the outside world, and a firewall that supports SNMP management can protect the SNMP MIB database from arbitrary rewriting by hackers.

Management of VoIP communication content - Some enterprises use VoIP technology to save on long-distance call charges. When planning the firewall, they need to consider support for H.323 or SIP.

Built-in Intrusion Detection and Prevention Capability

New types of firewall have some IDP functions built in to perform simple defensive work. For example, through anomaly-based detection the firewall can directly discard packets that do not conform to the RFC standards, or immediately discard packets that are clearly dangerous and unlikely to be misjudged. Because the main functions of a firewall still centre on access control of data sources, VPN and protocol-usage management, and some firewalls also have to carry out virus inspection, the built-in IDP functions of most new firewalls remain limited. An enterprise that requires high network security is not advised to rely completely on the firewall's built-in IDP function.

Conclusion

People usually realize the insufficiency of their information security protection only when network attacks occur on a large scale. As hackers' attack methods change, the advanced information security equipment of past years may become out of date. At present there is no solution that offers absolute protection of network security. Only by keeping up with the changes of the age and choosing suitable information security equipment can relative protection be obtained.
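To make concrete the IDS/IDP distinction drawn above (out-of-band alert versus in-line drop, with later packets of a flagged flow discarded without inspection) together with the firewall's HTTP header filtering and HTTP action control, here is an added Python example that is not part of Jackie Lai's article. The worm rule (a 376-byte datagram to 1434/UDP), the hosts, the 4-tuple flow key and the policy permitting only GET and HEAD are constructed assumptions for illustration.

```python
# Added example (not from the article): a sensor running as an IDS (sniff and
# alert; the packet passes) or as an in-line IDP (inspect, drop, blocklist flow).
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    payload: bytes

def worm_signature(p):
    # Constructed rule for the single-datagram pattern the article cites for
    # SQL Slammer: 376 bytes to 1434/UDP. Real IDP rules also match content.
    if p.proto == "udp" and p.dport == 1434 and len(p.payload) == 376:
        return "worm-like 376-byte datagram to 1434/UDP"
    return None

ALLOWED_ACTIONS = {"GET", "HEAD"}   # constructed policy: no POST/PUT/DELETE uploads
def http_check(p):
    # HTTP header filtering: 80/TCP traffic must carry a well-formed HTTP request
    # line, else it is a disguised protocol; then HTTP action control on the method.
    if not (p.proto == "tcp" and p.dport == 80):
        return None
    parts = p.payload.split(b"\r\n", 1)[0].decode("ascii", "replace").split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return "non-HTTP payload on 80/TCP"
    if parts[0] not in ALLOWED_ACTIONS:
        return "HTTP action %s not permitted" % parts[0]
    return None

class Sensor:
    def __init__(self, mode):
        self.mode = mode        # "ids" or "idp"
        self.blocked = set()    # flows (src, dst, proto, dport) already judged malicious
        self.alerts = []        # (flow, reason) records for the administrator

    def handle(self, p):
        flow = (p.src, p.dst, p.proto, p.dport)
        if flow in self.blocked:        # proactive prevention: drop without re-inspection
            return "drop"
        reason = worm_signature(p) or http_check(p)
        if reason is None:
            return "pass"
        self.alerts.append((flow, reason))
        if self.mode == "ids":          # out of band: the packet has already gone by
            return "pass"
        self.blocked.add(flow)          # in-line: discard now and for the rest of the flow
        return "drop"
```

Note that in "ids" mode the first worm datagram is recorded but still returns "pass", which is exactly the gap the article describes; only the in-line "idp" mode stops it at the gateway.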
About the author

Jackie Lai (gclai@draytek.com) holds the CISSP certification and has written or translated several books, including Network Hacker Manual, Attack, Detection and Defense of Backdoor Programs, Intrusion Detection and E-Mail Virus Protection Handbook, among others.