Security Technology: Intrusion Detection, Access Control and Other Security Tools - PowerPoint Presentation

tatiana-dople (@tatiana-dople)
Uploaded On 2018-09-21

Presentation Transcript

Slide 1

Security Technology: Intrusion Detection, Access Control and Other Security Tools

Chapter 7

Slide 2

Intrusion

“Intrusion is a type of attack on information assets in which the instigator attempts to gain entry into a system or disrupt the normal operation of system with, almost always, the intent to do malicious harm.”

Slide 3

Definitions

Intrusion prevention: activities that deter an intrusion

Writing & implementing a good enterprise information security policy

Planning & executing effective information security programs

Installing & testing technology-based countermeasures

Conducting & measuring the effectiveness

Employee training and awareness activities

Intrusion detection: procedures and systems that identify system intrusions

Intrusion correction:

Activities that finalize the restoration of operations to a normal state

Activities that seek to identify the source & method of attack for prevention

Slide 4

Intrusion Detection Systems

Commercially available in late 1990

Works like a burglar alarm

Detects a violation and sounds alarm

Extension – Intrusion prevention systems

Detect and prevent intrusion

Generally accepted combination

Intrusion detection and prevention system (IDPS)

Slide 5

IDPS Terminology

Alarm or alert: indication that attack is happening

Evasion: attacker changes the format and/or timing of activities to avoid being detected

False attack stimulus: an event that triggers an alarm when no real attack is in progress

False negative: failure of IDPS to react to attack

False positive: alarm activates in the absence of an actual attack

Noise: alarm events that are accurate but do not pose threats

Site policy: rules & configuration guidelines governing the implementation & operation of IDPS

Slide 6

IDPS Terminology

Site policy awareness: ability to dynamically modify configuration in response to environmental activity

True attack stimulus: an event that triggers an alarm when a real attack is in progress

Tuning: adjusting an IDPS

Confidence value: a measure of the IDPS's ability to correctly detect & identify types of attacks

Alarm filtering: Classification of IDPS alerts

Alarm clustering and compaction: grouping almost identical alarms happening at close to the same time

Slide 7
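The alarm clustering and compaction step defined above, as an added example (not code from the presentation): near-identical alerts from the same source are grouped when they fall within a time window of the cluster's first alert, and each cluster is compacted to one record with a count. The alert tuples and the window size are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample alerts (timestamp, source IP, signature name); not data
# from the presentation. A burst of port-scan alerts from one source, one
# unrelated alert, and a later port-scan alert outside the window.
RAW_ALERTS = [
    ("2024-01-01T10:00:00", "10.0.0.5", "PORT_SCAN"),
    ("2024-01-01T10:00:02", "10.0.0.5", "PORT_SCAN"),
    ("2024-01-01T10:00:05", "10.0.0.5", "PORT_SCAN"),
    ("2024-01-01T10:00:09", "10.0.0.7", "SQLI_ATTEMPT"),
    ("2024-01-01T10:02:30", "10.0.0.5", "PORT_SCAN"),  # > 60 s later: new cluster
]


def cluster_alerts(alerts, window_seconds=60):
    """Group alerts sharing (source, signature) that occur within
    window_seconds of the cluster's first alert. Returns one compacted
    record per cluster: signature, source, first/last time, and count."""
    clusters = []        # compacted records, in order of first appearance
    open_clusters = {}   # (src, sig) -> index of the most recent cluster
    window = timedelta(seconds=window_seconds)
    for ts_str, src, sig in sorted(alerts):   # ISO timestamps sort correctly
        ts = datetime.fromisoformat(ts_str)
        idx = open_clusters.get((src, sig))
        if idx is not None and ts - clusters[idx]["first"] <= window:
            clusters[idx]["last"] = ts
            clusters[idx]["count"] += 1
        else:
            clusters.append({"sig": sig, "src": src, "first": ts,
                             "last": ts, "count": 1})
            open_clusters[(src, sig)] = len(clusters) - 1
    return clusters


def summarize(clusters):
    """One human-readable line per compacted alarm for the console."""
    return ["%s from %s x%d (%s .. %s)" % (c["sig"], c["src"], c["count"],
            c["first"].time(), c["last"].time()) for c in clusters]


if __name__ == "__main__":
    for line in summarize(cluster_alerts(RAW_ALERTS)):
        print(line)
```

Five raw alerts compact to three records; the window is measured from the cluster's first alert so a steady trickle cannot keep one cluster open indefinitely.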

Why Use an IDS

Prevent problem behaviors by increasing the perceived risk of discovery and punishment

Detect attacks and other security violations

Detect and deal with preambles to attacks

Document existing threat to an organization

Act as quality control for security design & administration

Provide useful information about intrusions that take place

Slide 8

Types of IDS

Network based

Focused on protecting network information assets

Wireless

Network behavior analysis

Host-based

Focused on protecting a server's or host's information assets

Slide 9

Network-Based

Resides on a computer or appliance connected to a segment of the organization's network

Monitors network traffic on the segment

Monitors packets

Monitoring port (switched port analyzer, SPAN)

Monitors all ingoing and outgoing traffic

Looks for attack patterns

Compares measured activity to known signatures

Protocol verification – packet structure

Application verification – packet use

Slide 10

Advantages and Disadvantages

Advantages

Needs few devices to monitor large network

Little or no disruption to normal operations

May not be detectable by attackers

Disadvantages

Overwhelmed by network volume

Requires access to all traffic

Cannot analyze encrypted packets

Cannot ascertain if an attack was successful

Some forms of attack are not easily discerned

Fragmented packets

Malformed packets

Slide 11

Wireless NIDPS

Monitors and analyzes wireless network traffic

Looks for potential problems with the wireless protocols (layers 2 and 3)

Cannot evaluate & diagnose issues with higher-level layers

Issues associated with implementation

Physical security

Sensor range

Access point and wireless switch locations

Wired network connections

Cost

Slide 12

Wireless NIDPS

Can detect conditions beyond those detected by traditional types of IDPS

Unauthorized WLAN and WLAN devices

Poorly secured WLAN devices

Unusual usage patterns

The use of wireless network scanners

DoS attacks and conditions

Man-in-the-middle attacks

Unable to detect

Passive wireless protocol attacks

Susceptible to evasion techniques

Susceptible to logical and physical attacks on wireless access points

Slide 13

Host-Based

Resides on a particular computer or server & monitors traffic only on that system

Also known as system integrity verifiers

Works on principle of configuration and change management

Classifies files in categories & applies various notification actions based on rules

Maintains own log file

Can monitor multiple computers simultaneously

Slide 14

Advantages

Reliable

Can detect local events

Operates on host system where encrypted files already decrypted and available

Not affected by the use of switched network protocols

Can detect inconsistencies in how application and system programs were used

Slide 15

Disadvantages

Pose more management issues

Configured and maintained on each host

Vulnerable both to direct attacks and attacks against the host operating system

Not optimized to detect multi-host scanning

Slide 16

Disadvantages

Not able to detect scanning of non-host devices (routers and switches)

Susceptible to Denial of Service attacks

Can use large amounts of disk space – audit logs

Can inflict a performance overhead on host systems

Slide 17

Application Based

Examines application for abnormal events

Looks for files created by application

Anomalous occurrences – user exceeding authorization

Tracks interaction between users and applications

Able to track specific activity back to an individual user

Able to view encrypted data

Can examine encryption/decryption process

Slide 18

Advantages & Disadvantages

Advantages

Aware of specific users

Able to operate on encrypted data

Disadvantages

More susceptible to attack

Less capable of detecting software tampering

Slide 19

IDS Methodologies

Types determined by where the IDS is placed for monitoring purposes

IDS methodologies based on detection methods

Two dominant methodologies

Signature-based (knowledge-based)

Statistical-anomaly approach

Slide 20

Signature Based

Examines data traffic in search of patterns that match known signature

Footprinting and fingerprinting activities

Specific attack sequences

DoS

Widely used

Signature database must be continually updated

Attack time-frame sometimes problematic

Slow and methodical attacks may slip through

Slide 21

Statistical Anomaly Based

Based on the frequency with which network activities take place

Collect statistical summaries of “normal” traffic to form baseline

Measure current traffic against baseline

Traffic outside baseline will generate alert

Can detect new type of attacks

Requires much more overhead and processing capacity

May not detect minor changes to baseline

Slide 22
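The statistical-anomaly approach of this slide carried through as an added example (not code from the presentation): a baseline of mean and standard deviation is built from constructed "normal" connections-per-minute counts, and each current measurement is alerted on only if it lies more than k standard deviations from the mean. The constructed current series shows both outcomes the slide lists: a flood is caught as a new, unsigned type of event, while a small sustained increase stays inside the baseline and is missed.

```python
import statistics

# Constructed baseline: new TCP connections per minute during 20 "normal"
# minutes (illustrative values, not data from the presentation).
BASELINE_CONN_PER_MIN = [40, 42, 38, 45, 41, 39, 44, 40, 43, 37,
                         42, 41, 40, 38, 44, 39, 42, 40, 41, 43]

# Constructed current traffic: normal minutes, a slow probe adding ~5
# connections/min (minutes 2-4), then a flood (minutes 5-6).
CURRENT_CONN_PER_MIN = [41, 40, 46, 45, 46, 400, 390, 42]


def build_baseline(samples):
    """Summarise normal activity as (mean, sample standard deviation)."""
    return statistics.mean(samples), statistics.stdev(samples)


def deviation_score(value, baseline):
    """How many standard deviations the measurement is from the mean."""
    mean, stdev = baseline
    return (value - mean) / stdev


def is_anomalous(value, baseline, k=3.0):
    """Alert when the measurement is more than k standard deviations from
    the baseline mean in either direction."""
    return abs(deviation_score(value, baseline)) > k


def detect(series, baseline, k=3.0):
    """Return the indices (minutes) in the series that generate an alert."""
    return [i for i, v in enumerate(series) if is_anomalous(v, baseline, k)]


if __name__ == "__main__":
    base = build_baseline(BASELINE_CONN_PER_MIN)
    print("baseline mean=%.2f stdev=%.2f" % base)
    print("alerting minutes:", detect(CURRENT_CONN_PER_MIN, base))
```

With these values the baseline is roughly 41 +/- 2.2 connections/min, so the threshold at k=3 is about 6.6 above the mean: the flood minutes alert and the +5/min probe does not.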

Log file Monitors

Similar to NIDS

Reviews logs

Looks for patterns & signatures in log files

Able to look at multiple log files from different systems

Large storage requirement

Slide 23
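An added example (not code from the presentation) that serves both the signature-based slide and this log file monitor slide: a small signature database of compiled patterns is applied to constructed log lines from two different systems (sshd and an httpd access log). Lines are URL-decoded before matching so an encoded form of a pattern does not evade the signature; the signature names, patterns and log lines are all constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed signature database (name, log source it applies to, pattern).
# Like any signature set it only catches what it already describes.
SIGNATURES = [
    ("ssh-failed-login", "sshd",
     re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")),
    ("web-path-traversal", "httpd",
     re.compile(r'"GET \S*(?:\.\./){2,}\S* HTTP')),
    ("web-sqli", "httpd",
     re.compile(r"(?i)(?:union\s+select|'\s*or\s+1=1)")),
]

# Constructed log lines from two hosts, each tagged with its source type.
LOG_LINES = [
    ("sshd", "Jan 1 10:00:01 host1 sshd[123]: Failed password for invalid user admin from 203.0.113.9 port 4444 ssh2"),
    ("sshd", "Jan 1 10:00:02 host1 sshd[123]: Accepted publickey for alice from 198.51.100.4 port 5555 ssh2"),
    ("httpd", '203.0.113.9 - - [01/Jan:10:00:05] "GET /../../../../etc/passwd HTTP/1.1" 404 -'),
    ("httpd", '198.51.100.4 - - [01/Jan:10:00:06] "GET /index.html HTTP/1.1" 200 512'),
    ("httpd", '203.0.113.9 - - [01/Jan:10:00:07] "GET /search?q=a%27%20UNION%20SELECT HTTP/1.1" 200 80'),
]


def match_signatures(source, line, signatures=SIGNATURES):
    """Names of every signature for this source that matches the line.
    The line is URL-decoded first so percent-encoded variants still match."""
    text = unquote(line)
    return [name for name, src, pat in signatures
            if src == source and pat.search(text)]


def scan_logs(lines, signatures=SIGNATURES):
    """Run each (source, line) through the signature set; return
    (line index, source, matched names) for lines with at least one hit."""
    hits = []
    for i, (source, line) in enumerate(lines):
        names = match_signatures(source, line, signatures)
        if names:
            hits.append((i, source, names))
    return hits


if __name__ == "__main__":
    for idx, source, names in scan_logs(LOG_LINES):
        print("line %d [%s] -> %s" % (idx, source, ", ".join(names)))
```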

Responses to IDS

Vary according to organization policy, objectives, and system capabilities

Administrator must be careful not to increase the problem

Responses may be active or passive

Slide 24

Which One?

Consider system environment

Technical specification of systems environment

Technical specification of current security protections

Goals of enterprise

Formality of system environment and management culture

Slide 25

Which One?

Consider Security Goals and Objectives

Protecting from threats outside the organization?

Protecting against threats from inside?

Use output of IDS to determine new hardware/software needs

Maintain managerial control over non-security-related network usage

Slide 26

Which One?

Security policy

Structure

Job descriptions of system users

Include reasonable use policy

What are you going to do if a violation occurs?

Slide 27

Which One?

Organization Requirements and Constraints?

Outside Requirements

Resource Constraints

Features and Quality

Tested Product

User Level of Expertise

Product Support

Slide 28

Strengths of IDS

Monitoring & analysis of system events & user behaviors

Testing security states of system configuration

Baselining the security state of the system & tracking changes to the baseline

Pattern recognition

Auditing and logging

Alerting

Measuring performance

Slide 29

Limitations of IDS – an IDS cannot:

Compensate for weak or missing security mechanisms

Instantly report or detect during heavy operations

Detect newly published attacks

Effectively respond to sophisticated attackers

Automatically investigate attacks

Keep attacks from circumventing them

Deal effectively with switched networks

Slide 30

Control Strategies

Centralized

Partially distributed

Fully distributed

Slide 31

Centralized

All IDS control functions are implemented and managed in a centralized location

One management system

Advantages

Cost and control

Specialization

Disadvantage

Slide 32

Fully Distributed

Opposite of centralized

All control functions applied at the physical location of each IDS component

Each sensor/agent is best configured to deal with its own environment

Reaction to attacks is sped up

Slide 33

Partially Distributed Control

Individual agents respond to local threats

Report to a hierarchical central facility

One of the more effective methods

Slide 34

Honey Pots / Honey Nets / Padded Cell Systems

Honey Pots

Decoy systems

Lure potential attackers away from critical systems

Encourage attacks against themselves

Honey Net

Collection of honey pots

Connects honey pots on a subnet

Contains pseudo-services that emulate well-known services

Filled with fictitious information

Slide 35

Honey Pots / Honey Nets / Padded Cell Systems

Padded Cell

Protected honey pot

IDS detects attacks and transfers the attacker to a simulated environment

Monitors the actions of the attacker

Slide 36

Trap and Trace Systems

Detect an intrusion and trace the incident back to its source

Consist of honey pot or padded cell & alarm

Similar to concept of caller ID

Back-hack

Considered unethical

Legal drawbacks to trap and trace

Enticement and entrapment

Slide 37

Scanning and Analysis Tools

Help find vulnerabilities in systems, holes in security components, and insecure aspects of the network

Allow system admin to see what the attacker sees

May run into problems with ISP

Port scanners – what is active on computer

Firewall analysis tools

Operating system detection tools

Vulnerability scanners

Packet sniffers

Slide 38

Access Control Tools

Authentication – validation of a user's identity

4 general ways it is carried out:

What he knows

What he has

Who he is

What he produces