Intrusion Detection and Intrusion Prevention
Ed Sale, VP of Security, Pivot Group, LLC




Presentation Goals
- Describe IDS and IPS
- Why they are important
- Deployment and use
- Major players

Intrusion Detection: The IT Security Camera
- Two types: Network (NIDS) and Host (HIDS)
- Looks at network traffic and host logs for signs of intrusion
- Alerts bring potential intrusions to the attention of administrators
- Data is useful in forensic investigations
- Issues include false positives and negatives, large amounts of data, the need for full-time monitoring, signature updates, and encrypted traffic (a network sensor cannot inspect a payload it cannot decrypt)

IDS Deployment (diagram): passive monitoring, not inline. Three sensors are fed by network taps: an Outside IDS Sensor on the WAN router side, a DMZ IDS Sensor covering the DMZ (proxy server, mail server), and an Inside IDS Sensor on the intranet side. All three report to an IDS Console.

Types of Detection
Rule-Based Detection
- Signatures produced for known attacks
- Traffic scanned for matches to signatures
Anomaly Detection
- Baseline of normal traffic produced
- Deviations from baseline flagged as intrusions
HIDS Detection Types
- Executable file checksums
- System call monitoring
- Log file monitoring
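The three detection styles above, as an added example that is not from the slides: a rule-based matcher run over constructed HTTP payloads, an anomaly detector that learns a per-host volume baseline and flags deviations, and a HIDS-style executable checksum check. The signatures, z-score threshold, host names, traffic counts and files are all constructed assumptions, not data from the presentation.

```python
"""Added example (not from the slides): signature, anomaly and HIDS-checksum
detection over small constructed inputs.  Signature names, thresholds and
the sample records are illustrative assumptions."""
import hashlib
import re
import statistics
import tempfile
from pathlib import Path

# --- Rule-based detection: a signature is a pattern plus the context it applies to.
SIGNATURES = [
    {"name": "HTTP directory traversal", "port": 80, "pattern": re.compile(rb"\.\./\.\./")},
    {"name": "SQL injection attempt", "port": 80, "pattern": re.compile(rb"(?i)'\s*or\s+1\s*=\s*1")},
    {"name": "Shell metacharacters in CGI input", "port": 80, "pattern": re.compile(rb"[;|`]\s*(cat|id|uname)\b")},
]

def signature_matches(dst_port: int, payload: bytes) -> list[str]:
    """Return the names of every signature whose pattern matches the payload."""
    return [s["name"] for s in SIGNATURES
            if s["port"] == dst_port and s["pattern"].search(payload)]

# --- Anomaly detection: learn a per-host baseline, then flag deviations from it.
def build_baseline(samples: dict[str, list[int]]) -> dict[str, tuple[float, float]]:
    """Per-host mean and standard deviation of outbound bytes per interval."""
    return {host: (statistics.mean(v), statistics.pstdev(v)) for host, v in samples.items()}

def anomalies(baseline, observed: dict[str, int], z_threshold: float = 3.0) -> list[str]:
    """Flag hosts whose observed volume is more than z_threshold std devs above their mean.
    A host with no baseline is flagged too: 'never seen before' is itself a deviation."""
    flagged = []
    for host, value in observed.items():
        if host not in baseline:
            flagged.append(host)
            continue
        mean, sd = baseline[host]
        sd = sd or 1.0  # avoid division by zero for perfectly steady hosts
        if (value - mean) / sd > z_threshold:
            flagged.append(host)
    return flagged

# --- HIDS: executable checksums. Baseline the hashes once, re-check them later.
def checksum_tree(root: Path) -> dict[str, str]:
    return {p.name: hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.iterdir()) if p.is_file()}

def changed_files(baseline: dict[str, str], current: dict[str, str]) -> list[str]:
    """Names of files that were modified, added or removed since the baseline."""
    return sorted(name for name in set(baseline) | set(current)
                  if baseline.get(name) != current.get(name))

def demo() -> dict:
    # Constructed sample traffic: (dst_port, payload)
    packets = [
        (80, b"GET /index.html HTTP/1.1\r\n"),
        (80, b"GET /cgi-bin/view?file=../../../../etc/passwd HTTP/1.1\r\n"),
        (80, b"POST /login HTTP/1.1\r\n\r\nuser=admin' OR 1=1--&pass=x"),
        (22, b"SSH-2.0-OpenSSH_8.9\r\n"),
    ]
    sig_hits = [(i, signature_matches(port, data)) for i, (port, data) in enumerate(packets)]

    # Constructed baseline: outbound bytes per 5-minute interval over seven prior intervals.
    history = {"10.0.0.5": [1200, 1350, 1100, 1280, 1190, 1420, 1300],
               "10.0.0.9": [50000, 52000, 48000, 51000, 49500, 50500, 51500]}
    now = {"10.0.0.5": 9800, "10.0.0.9": 50200, "10.0.0.77": 300}
    anomalous = anomalies(build_baseline(history), now)

    # Constructed "binaries" in a temp dir: baseline, tamper with one, add one, re-check.
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "sshd").write_bytes(b"original binary")
        (root / "login").write_bytes(b"original login")
        base = checksum_tree(root)
        (root / "sshd").write_bytes(b"trojaned binary")
        (root / "rootkit.ko").write_bytes(b"new file")
        modified = changed_files(base, checksum_tree(root))

    return {"signature_hits": sig_hits, "anomalous_hosts": anomalous, "changed_files": modified}

if __name__ == "__main__":
    print(demo())
```

The anomaly detector flags 10.0.0.5 (a sevenfold jump over its baseline) and the never-seen host 10.0.0.77, but not 10.0.0.9, whose large absolute volume is normal for it; that per-host baseline is what keeps a busy server from being a permanent false positive.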

Types of Detection (cont'd)
Target-based Alerting (new)
- Combines knowledge of system vulnerabilities with the type of incoming attack to reduce the number of alerts
- Only alerts when the attack has a chance of success against the targeted host
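Target-based alerting as an added example, not from the slides: a raw signature hit is promoted to an alert only when the destination host, according to an asset inventory, actually runs what the attack targets. The inventory, the signature metadata and the hits are constructed for illustration; the signature names are placeholders and do not refer to real vulnerabilities.

```python
"""Added example (not from the slides): target-based alerting.  A signature
hit becomes an alert only if the target could plausibly be affected.
Inventory, signatures and hits are constructed assumptions."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Host:
    ip: str
    os: str
    services: dict  # port -> (product, version)

@dataclass(frozen=True)
class Signature:
    name: str
    port: int
    product: str                    # product the exploit targets
    affected_versions: tuple        # versions known vulnerable; () means "all versions"
    target_os: Optional[str] = None  # None means any OS

def attack_can_succeed(sig: Signature, host: Optional[Host]) -> tuple[bool, str]:
    """Decide whether a hit against `host` is worth an alert, with a reason."""
    if host is None:
        return True, "target unknown to inventory; cannot rule out"
    svc = host.services.get(sig.port)
    if svc is None:
        return False, f"port {sig.port} not open on target"
    product, version = svc
    if product != sig.product:
        return False, f"target runs {product}, exploit targets {sig.product}"
    if sig.target_os and sig.target_os != host.os:
        return False, f"target OS {host.os} is not {sig.target_os}"
    if sig.affected_versions and version not in sig.affected_versions:
        return False, f"{product} {version} is not in the affected set"
    return True, "target matches exploit prerequisites"

def filter_hits(hits, inventory: dict[str, Host]) -> list[dict]:
    """Return only the hits that should become alerts, annotated with the reason."""
    alerts = []
    for sig, dst_ip in hits:
        ok, reason = attack_can_succeed(sig, inventory.get(dst_ip))
        if ok:
            alerts.append({"signature": sig.name, "dst": dst_ip, "reason": reason})
    return alerts

# Constructed inventory and placeholder signatures (no real CVEs implied).
INVENTORY = {
    "10.0.1.10": Host("10.0.1.10", "Linux", {80: ("Apache httpd", "2.4.41")}),
    "10.0.1.11": Host("10.0.1.11", "Windows", {80: ("IIS", "10.0")}),
    "10.0.1.12": Host("10.0.1.12", "Linux", {22: ("OpenSSH", "8.9")}),
}
SIG_IIS = Signature("sig-iis-example", 80, "IIS", (), "Windows")
SIG_APACHE = Signature("sig-apache-2.4.41-example", 80, "Apache httpd", ("2.4.41",))
SIG_APACHE_OLD = Signature("sig-apache-2.2-example", 80, "Apache httpd", ("2.2.31", "2.2.34"))

def demo() -> list[dict]:
    hits = [
        (SIG_IIS, "10.0.1.10"),         # IIS exploit aimed at an Apache host: suppressed
        (SIG_IIS, "10.0.1.11"),         # IIS exploit aimed at IIS on Windows: alert
        (SIG_APACHE, "10.0.1.10"),      # exact affected version present: alert
        (SIG_APACHE_OLD, "10.0.1.10"),  # 2.4.41 not in the affected set: suppressed
        (SIG_APACHE, "10.0.1.12"),      # port 80 not open: suppressed
        (SIG_APACHE, "10.0.9.9"),       # not in inventory: alert, cannot rule out
    ]
    return filter_hits(hits, INVENTORY)

if __name__ == "__main__":
    for a in demo():
        print(a)
```

Six hits become three alerts. The design choice worth noting is the unknown-host branch: a target missing from the inventory is alerted on rather than suppressed, because the reduction in alerts is only safe when it is backed by real knowledge of the target.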

IDS Management
- Reactive response to attack
- Centralized monitoring and management: critical for multi-sensor environments
- Tuning required
- Constant monitoring
- Large data store; backups
- Frequent signature updates (if rule-based)
- Software upgrades

Intrusion Prevention: The IT Security Guard
- Two types: Network (NIPS) and Host (HIPS)
- Looks at network traffic and host logs for signs of intrusion
- Automatically takes action to protect networks and systems from attack
- Helps reduce patch update urgency (it can block known exploit traffic while patching is scheduled, but it does not remove the need to patch)
- Issues include false positives and negatives (a false positive now blocks legitimate traffic instead of just raising an alert), inline operation that can create bottlenecks or a single point of failure, signature updates, and encrypted traffic

IPS Deployment (diagram): inline network devices at three points: an Outside IPS on the WAN router side, a DMZ IPS covering the DMZ (proxy server, mail server), and an Inside IPS on the intranet side. All three are managed from an IPS Console.

IPS Management
- Proactive response to attack
- Centralized monitoring and management: critical for multi-sensor environments
- Tuning required
- Redundancy / fail-open required
- Constant monitoring not necessary (blocking is automatic, but blocked-event logs still need periodic review to catch false positives)
- Frequent signature updates (if rule-based)
- Software upgrades

Common NIDS Pitfalls
- Deployed where it does not have access to all network traffic
- Output and/or alerts are ignored
- Inadequate incident response planning
- Administrators become overwhelmed by an un-tuned system
- Limitations of IDS/IPS are not well understood (dependence on updates, zero-day attacks, IDS blinding, and evasion techniques such as fragmentation and encoding)
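The evasion pitfall above, as an added example that is not from the slides: two classic ways to slip a sensitive string past a naive per-packet content signature (splitting it across out-of-order TCP segments, and percent-encoding it once or twice), and the stream reassembly plus decoding normalisation a sensor needs before matching. The sensitive string, the segment split and the sample requests are constructed.

```python
"""Added example (not from the slides): NIDS evasion by segment splitting and
URL encoding, versus matching after reassembly and normalisation.  All
traffic here is constructed."""
import urllib.parse

SENSITIVE = b"/etc/passwd"

def naive_match(segment: bytes) -> bool:
    """Per-packet matcher: searches each TCP segment on its own, no decoding."""
    return SENSITIVE in segment

def reassemble(segments: list[tuple[int, bytes]]) -> bytes:
    """Rebuild the byte stream from (sequence number, data) pairs, tolerating
    out-of-order arrival.  Overlapping retransmissions are resolved first-wins
    here; a real sensor has to mimic the target OS's overlap policy, otherwise
    the attacker picks which copy the sensor sees."""
    seen = {}
    for seq, data in sorted(segments):
        for i, b in enumerate(data):
            seen.setdefault(seq + i, b)
    return bytes(seen[off] for off in sorted(seen))

def normalize_http_path(request: bytes) -> bytes:
    """Take the request line's path and undo percent-encoding, including the
    double-encoded form (%252F -> %2F -> /), until it stops changing."""
    path = request.split(b" ", 2)[1] if b" " in request else request
    prev = None
    # Bounded loop: encodings can be nested, but more than a few layers is itself a signal.
    for _ in range(4):
        if path == prev:
            break
        prev = path
        path = urllib.parse.unquote_to_bytes(path)
    return path

def robust_match(segments) -> bool:
    """Match only after the stream is rebuilt and the path decoded."""
    return SENSITIVE in normalize_http_path(reassemble(segments))

# Constructed attack traffic, four ways:
PLAIN = [(1000, b"GET /cgi-bin/show?f=/etc/passwd HTTP/1.1\r\n")]
# 1. Split so the sensitive string straddles a segment boundary; second segment arrives first.
SPLIT = [(1000 + len(b"GET /cgi-bin/show?f=/etc/pa"), b"sswd HTTP/1.1\r\n"),
         (1000, b"GET /cgi-bin/show?f=/etc/pa")]
# 2. Percent-encode the slashes; the web server decodes them, a naive sensor does not.
ENCODED = [(1000, b"GET /cgi-bin/show?f=%2Fetc%2Fpasswd HTTP/1.1\r\n")]
# 3. Double-encode: survives a single decoding pass.
DOUBLE = [(1000, b"GET /cgi-bin/show?f=%252Fetc%252Fpasswd HTTP/1.1\r\n")]

def evaluate() -> dict:
    """For each case: (did the naive matcher fire on any segment, did the robust one fire)."""
    cases = {"plain": PLAIN, "split": SPLIT, "encoded": ENCODED, "double": DOUBLE}
    return {name: (any(naive_match(d) for _, d in segs), robust_match(segs))
            for name, segs in cases.items()}

if __name__ == "__main__":
    for name, (naive, robust) in evaluate().items():
        print(f"{name:8s} naive={naive} robust={robust}")
```

Only the plain request trips the naive matcher; the other three reach the server unchanged in meaning but invisible to a per-packet signature. Production sensors do this work in their stream reassembly and HTTP preprocessing stages, and the pitfall on the slide is deploying one with those stages misconfigured or not tuned to the protected hosts.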

Types of Protection
Network Resets
- Passive monitors may not get connections reset before damage is done
- Not all attacks are connection-based
IP Address Blocking
- Passive monitors may not get the address blocked before damage is done
- Address spoofing may cause DoS of a legitimate user (an attacker who spoofs a victim's source address gets the victim blocked)
Packet Drop
- Decision has to be made in real time: well under a microsecond per packet on a 1 Gbps link (about 0.67 µs per minimum-size frame at line rate)
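An added example, not from the slides, of an address-blocking policy that addresses the two problems named above: it refuses to block on evidence that could have been spoofed (a bare SYN), it never blocks an allowlisted address, and its blocks expire so that a false positive is not a permanent outage. It also computes the per-packet time budget an inline sensor has at line rate. The allowlist, timeout, events and clock are constructed assumptions.

```python
"""Added example (not from the slides): a blocking policy guarded against
spoofed sources and permanent false positives, plus the per-packet time
budget for an inline sensor.  All inputs are constructed."""
import time
from dataclasses import dataclass

@dataclass
class Event:
    src: str
    handshake_complete: bool   # True only if the TCP 3-way handshake finished
    signature: str

class Blocker:
    def __init__(self, allowlist: set, block_seconds: int = 600, clock=time.monotonic):
        self.allowlist = allowlist
        self.block_seconds = block_seconds
        self.clock = clock             # injectable so expiry can be tested deterministically
        self.blocked: dict = {}        # src -> expiry timestamp

    def decide(self, ev: Event) -> tuple:
        """Return (action, reason).  Only established connections are blocked:
        a SYN can carry any source address, so blocking on SYN-only evidence
        lets an attacker get arbitrary addresses blocked."""
        if ev.src in self.allowlist:
            return "alert-only", "source is allowlisted (resolvers, partners, monitoring)"
        if not ev.handshake_complete:
            return "alert-only", "no completed handshake; source may be spoofed"
        self.blocked[ev.src] = self.clock() + self.block_seconds
        return "block", f"blocked for {self.block_seconds}s"

    def is_blocked(self, src: str) -> bool:
        """Blocks expire: a permanent block turns a transient false positive into a permanent outage."""
        exp = self.blocked.get(src)
        if exp is None:
            return False
        if self.clock() >= exp:
            del self.blocked[src]
            return False
        return True

def per_packet_budget_us(link_bps: float, frame_bytes: int = 64) -> float:
    """Microseconds an inline sensor has per packet at line rate for a given frame size.
    Ethernet adds an 8-byte preamble/SFD and a 12-byte inter-frame gap on the wire."""
    wire_bits = (frame_bytes + 20) * 8
    return wire_bits / link_bps * 1e6

def demo() -> dict:
    clock = [1000.0]  # fake clock so expiry is deterministic
    b = Blocker(allowlist={"192.0.2.53"}, block_seconds=600, clock=lambda: clock[0])
    decisions = [
        b.decide(Event("192.0.2.53", True, "port scan")),        # allowlisted resolver
        b.decide(Event("198.51.100.7", False, "SYN flood")),     # spoofable evidence
        b.decide(Event("198.51.100.9", True, "exploit attempt")),
    ]
    before = b.is_blocked("198.51.100.9")
    clock[0] += 601                                   # advance past the block window
    after = b.is_blocked("198.51.100.9")
    return {"decisions": decisions,
            "blocked_before_expiry": before, "blocked_after_expiry": after,
            "budget_1g_us": round(per_packet_budget_us(1e9), 3),
            "budget_10g_us": round(per_packet_budget_us(10e9), 3)}

if __name__ == "__main__":
    print(demo())
```

The handshake requirement is the key guard: an attacker cannot complete a three-way handshake from an address it does not control, so a block triggered on an established connection cannot be aimed at an innocent third party. The budget function shows why the packet-drop decision cannot involve any lookup that takes more than a few hundred nanoseconds at 1 Gbps, and an order of magnitude less at 10 Gbps.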

Product Selection
What types of protection do I need?
- Zero-day attacks
- Network segments to monitor
- Bandwidth
- Tuning flexibility
How do I want to manage it?
- Few false positives and false negatives
- Constant monitoring
- Reporting capabilities
Pivot Group recommends evaluation

IDS/IPS Solutions
- Host IDS/IPS: Cisco (Okena), Sana Security, Network Associates (Entercept)
- Network IDS: Snort, Cisco, ISS, SecureWorks, Symantec, Lancope, Tenable, NetScreen, Computer Associates, NFR Security, McAfee, Sourcefire, Lucid Technologies
- Network IPS: Tipping Point, Captus, TopLayer, DeepNines, EcoNet.com, Lucid, StillSecure, Vsecure Technologies

Final Words
- IDS is evolving, not dead
- IDS/IPS required in some industries
- Network IDS data has forensic and other uses: correlation, analysis, alerting, reporting
- IDS and IPS add to defense in depth

More Information
For additional references on IDS/IPS, see:
- http://www.pivotgroup.net/
- http://www.sans.org/rr/papers/30/1028.pdf
- http://www.infosecwriters.com/texts.php?op=display&id=117
- http://www.nss.co.uk/