Slide1
Security Technology: Intrusion Detection, Access Control and Other Security Tools
Chapter 7
Slide2
Intrusion
“Intrusion is a type of attack on information assets in which the instigator attempts to gain entry into a system or disrupt the normal operation of a system with, almost always, the intent to do malicious harm.”
Slide3
Definitions
Intrusion prevention: activities that deter an intrusion
Writing & implementing a good enterprise information security policy
Planning & executing effective information security programs
Installing & testing technology-based countermeasures
Conducting & measuring the effectiveness
Employee training and awareness activities
Intrusion detection: procedures and systems that identify system intrusions
Intrusion correction:
Activities that finalize the restoration of operations to a normal state
Activities that seek to identify the source & method of attack, for prevention
Slide4
Intrusion Detection Systems
Commercially available in late 1990
Works like a burglar alarm
Detects a violation and sounds alarm
Extension – Intrusion prevention systems
Detect and prevent intrusion
Generally accepted combination
Intrusion detection and prevention system (IDPS)
Slide5
IDPS Terminology
Alarm or alert: indication that attack is happening
Evasion: attacker changes the format and/or timing of activities to avoid being detected
False attack stimulus: event triggers alarm – no real attack
False negative: failure of IDPS to react to attack
False positive: alarm activates in the absence of an actual attack
Noise: alarm events that are accurate but do not pose threats
Site policy: rules & configuration guidelines governing the implementation & operation of IDPS
Slide6
IDPS Terminology
Site policy awareness: ability to dynamically modify config in response to environmental activity
True attack stimulus: event that triggers alarms in event of real attack
Tuning: adjusting an IDPS
Confidence value: measure of an IDPS's ability to correctly detect & identify types of attacks
Alarm filtering: Classification of IDPS alerts
Alarm clustering and compaction: grouping almost identical alarms happening at close to the same time
Slide7
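As an added example (not part of the slides) of the alarm clustering and compaction item on the terminology slide above: a small Python routine that groups near-identical alerts arriving within a time window into one compacted alarm carrying a count and a time span. The alert records, signature names and addresses are constructed for the example.

```python
"""Added example (not from the slides): alarm clustering and compaction.
Alerts with the same signature, source and destination that arrive within a
time window of each other are compacted into one alarm with a count."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed alerts: (timestamp, signature, source, destination); the
# addresses are documentation-range placeholders, not real hosts.
SAMPLE_ALERTS = [
    ("2024-03-01T10:00:00", "PORTSCAN", "198.51.100.7", "203.0.113.10"),
    ("2024-03-01T10:00:10", "PORTSCAN", "198.51.100.7", "203.0.113.10"),
    ("2024-03-01T10:00:20", "BRUTEFORCE", "198.51.100.8", "203.0.113.22"),
    ("2024-03-01T10:00:30", "PORTSCAN", "198.51.100.7", "203.0.113.10"),
    ("2024-03-01T10:00:55", "PORTSCAN", "198.51.100.7", "203.0.113.10"),
    ("2024-03-01T10:05:00", "PORTSCAN", "198.51.100.7", "203.0.113.10"),
]

@dataclass
class CompactedAlarm:
    key: tuple              # (signature, source, destination)
    first_seen: datetime
    last_seen: datetime
    count: int = 1

def cluster_alarms(alerts, window_seconds=60):
    """Group alerts sharing a key whose timestamp is within window_seconds
    of the cluster's last member; a larger gap starts a new cluster.
    Returns the compacted alarms ordered by first_seen."""
    window = timedelta(seconds=window_seconds)
    open_clusters = {}      # key -> cluster still accepting members
    finished = []
    for ts_str, sig, src, dst in sorted(alerts):   # ISO timestamps sort lexically
        ts = datetime.fromisoformat(ts_str)
        key = (sig, src, dst)
        cur = open_clusters.get(key)
        if cur is not None and ts - cur.last_seen <= window:
            cur.last_seen = ts          # same alarm, still inside the window
            cur.count += 1
        else:
            if cur is not None:
                finished.append(cur)    # window expired: emit the old cluster
            open_clusters[key] = CompactedAlarm(key, ts, ts)
    finished.extend(open_clusters.values())
    return sorted(finished, key=lambda c: c.first_seen)

if __name__ == "__main__":
    for alarm in cluster_alarms(SAMPLE_ALERTS):
        print(f"{alarm.key[0]:<11} {alarm.key[1]:>13} -> {alarm.key[2]:<13} "
              f"x{alarm.count} ({alarm.first_seen:%H:%M:%S}..{alarm.last_seen:%H:%M:%S})")
```

Six raw alerts compact to three alarms with the default window; with a 5-second window nothing is close enough to merge and all six survive, which is the tuning trade-off the slide's "Tuning" item refers to.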
Why Use an IDS
Prevent problem behaviors by increasing the perceived risk of discovery and punishment
Detect attacks and other security violations
Detect and deal with preambles to attacks
Document existing threat to an organization
Act as quality control for security design & administration
Provide useful information about intrusions that take place
Slide8
Types of IDS
Network based
Focused on protecting network information assets
Wireless
Network behavior analysis
Host-based
Focused on protecting a server's or host's information assets
Slide9
Network-Based
Resides on a computer or appliance connected to a segment of the organization's network
Monitors network traffic on the segment
Monitors packets
Monitoring port (switched port analysis)
Monitors all ingoing and outgoing traffic
Looks for attack patterns
Compares measured activity to known signatures
Protocol verification – packet structure
Application verification – packet use
Slide10
Advantages and Disadvantages
Advantages
Needs few devices to monitor a large network
Little or no disruption to normal operations
May not be detectable by attackers
Disadvantages
Can be overwhelmed by network volume
Requires access to all traffic
Cannot analyze encrypted packets
Cannot ascertain if an attack was successful
Some forms of attack are not easily discerned
Fragmented packets
Malformed packets
Slide11
Wireless NIDPS
Monitors and analyzes wireless network traffic
Looks for potential problems with the wireless protocols (layers 2 and 3)
Cannot evaluate & diagnose issues with higher-level layers
Issues associated with implementation
Physical security
Sensor range
Access point and wireless switch locations
Wired network connections
Cost
Slide12
Wireless NIDPS
Can detect conditions in addition to those detected by traditional types of IDPS
Unauthorized WLAN and WLAN devices
Poorly secured WLAN devices
Unusual usage patterns
The use of wireless network scanners
DoS attacks and conditions
Man-in-the-middle attacks
Unable to detect
Passive wireless protocol attacks
Susceptible to evasion techniques
Susceptible to logical and physical attacks on wireless access points
Slide13
Host-Based
Resides on a particular computer or server & monitors traffic only on that system
Also known as system integrity verifiers
Works on principle of configuration and change management
Classifies files in categories & applies various notification actions based on rules
Maintains own log file
Can monitor multiple computers simultaneously
Slide14
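An added example (not from the slides or any product) of the host-based "system integrity verifier" described on the Host-Based slide above: baseline file hashes, re-hash later, and classify each changed file by category to decide whether the change should raise an alert. The file tree, rules and categories are constructed for the example.

```python
"""Added example (not from the slides): a minimal host-based system integrity
verifier. Hash every file under a root into a baseline, re-hash later, and
classify each change by file category to decide what action it deserves."""
import hashlib
import tempfile
from pathlib import Path

# Constructed rules: (category, glob, action on change); a real deployment
# would load these from the site policy.
RULES = [("critical", "etc/*", "alert"),
         ("binary", "bin/*", "alert"),
         ("log", "var/log/*", "ignore")]     # logs are expected to grow

def classify(relpath):
    for category, pattern, action in RULES:
        if Path(relpath).match(pattern):
            return category, action
    return "other", "notify"

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()   # chunk for large files

def build_baseline(root):
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}

def compare(baseline, current):
    """(path, change, category, action) for every added, removed or modified file."""
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        change = ("removed" if rel not in current else "added" if rel not in baseline
                  else "modified" if baseline[rel] != current[rel] else None)
        if change:
            findings.append((rel, change) + classify(rel))
    return findings

def demo():
    """Constructed tree: baseline it, make three changes, return (findings, alerts)."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in {"etc/passwd": b"root:x:0:0\n", "bin/ls": b"\x7fELF",
                          "var/log/auth.log": b"line1\n"}.items():
            Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(root, rel).write_bytes(data)
        baseline = build_baseline(root)
        Path(root, "etc/passwd").write_bytes(b"root:x:0:0\nextra:x:0:0\n")  # tampered
        Path(root, "var/log/auth.log").write_bytes(b"line1\nline2\n")       # normal growth
        Path(root, "bin/ls").unlink()                                        # binary gone
        findings = compare(baseline, build_baseline(root))
    return findings, [f for f in findings if f[3] == "alert"]
```

The log growth is reported but classified "ignore", so only the edited configuration file and the missing binary reach the alert list; the baseline itself must be stored where a host compromise cannot rewrite it, which is the "vulnerable to attacks against the host" disadvantage on the next slides.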
Advantages
Reliable
Can detect local events
Operates on the host system, where encrypted files are already decrypted and available
Use of switched network protocols does not affect it
Can detect inconsistencies in how application and system programs were used
Slide15
Disadvantages
Poses more management issues
Configured and maintained on each host
Vulnerable both to direct attacks and attacks against the host operating system
Not optimized to detect multi-host scanning
Slide16
Disadvantages
Not able to detect scanning of non-host devices (routers and switches)
Susceptible to Denial of Service attacks
Can use large amounts of disk space – audit logs
Can inflict a performance overhead on host systems
Slide17
Application Based
Examines application for abnormal events
Looks for files created by application
Anomalous occurrences – user exceeding authorization
Tracks interaction between users and applications
Able to trace specific activity back to an individual user
Able to view encrypted data
Can examine the encryption/decryption process
Slide18
Advantages & Disadvantages
Advantages
Aware of specific users
Able to operate on encrypted data
Disadvantages
More susceptible to attack
Less capable of detecting software tampering
Slide19
IDS Methodologies
Types determined by where placed for monitoring purposes
IDS methodologies based on detection methods
Two dominant methodologies
Signature-based (knowledge-based)
Statistical-anomaly approach
Slide20
Signature Based
Examines data traffic in search of patterns that match known signatures
Footprinting and fingerprinting activities
Specific attack sequences
DoS
Widely used
Signature database must be continually updated
Attack time-frame sometimes problematic
Slow and methodical attacks may slip through
Slide21
Statistical Anomaly Based
Based on the frequency with which network activities take place
Collect statistical summaries of “normal” traffic to form baseline
Measure current traffic against baseline
Traffic outside baseline will generate alert
Can detect new types of attacks
Requires much more overhead and processing capacity
May not detect minor changes to baseline
Slide22
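An added example (not from the slides) that runs both methodologies from the Signature Based and Statistical Anomaly Based slides over the same constructed request log, in the way a log file monitor would scan log lines: a signature matcher with two known patterns and an anomaly detector whose baseline (mean and standard deviation of requests per source per minute) is built from normal traffic. Addresses, paths and signatures are constructed.

```python
"""Added example (not from the slides): a signature-based detector and a
statistical anomaly detector run over the same constructed request log."""
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed "normal" traffic: "<minute> <source> <method> <path>", three
# sources making 4-6 requests per minute over ten minutes (addresses are
# from the documentation range, not real hosts).
NORMAL_TRAFFIC = [f"{m} 198.51.100.{s} GET /index.html"
                  for m in range(10) for s in (1, 2, 3)
                  for _ in range(4 + (m + s) % 3)]
# Constructed current traffic: one flood, one slightly busier source, and a
# single request carrying a known attack pattern.
CURRENT_TRAFFIC = (["11 198.51.100.9 GET /index.html"] * 200
                   + ["11 198.51.100.1 GET /index.html"] * 7
                   + ["11 198.51.100.2 GET /../../etc/passwd"])

# Signature-based: known patterns, here as regular expressions.
SIGNATURES = {"directory-traversal": re.compile(r"\.\./"),
              "passwd-file-probe": re.compile(r"/etc/passwd")}

def signature_matches(lines):
    """Return (signature name, line) for every line matching a known pattern."""
    return [(name, line) for line in lines
            for name, pat in SIGNATURES.items() if pat.search(line)]

def per_source_minute_counts(lines):
    """Requests per (minute, source): the statistic summarised for the baseline."""
    return Counter(tuple(line.split()[:2]) for line in lines)

def build_baseline(lines, k=3.0):
    """Summarise normal traffic as mean and std-dev of the per-minute rate;
    anything above mean + k*stdev counts as outside the baseline."""
    counts = list(per_source_minute_counts(lines).values())
    mu, sigma = mean(counts), pstdev(counts)
    return {"mean": mu, "stdev": sigma, "threshold": mu + k * sigma}

def anomaly_alerts(lines, baseline):
    """Return (source, minute, count) for every rate above the threshold."""
    return [(src, minute, n)
            for (minute, src), n in per_source_minute_counts(lines).items()
            if n > baseline["threshold"]]

if __name__ == "__main__":
    base = build_baseline(NORMAL_TRAFFIC)
    print("baseline:", base)
    print("anomalies:", anomaly_alerts(CURRENT_TRAFFIC, base))   # the flood only
    print("signatures:", signature_matches(CURRENT_TRAFFIC))     # the traversal line only
```

The flood is far outside the baseline and alerts; the source making 7 requests is above every normal value yet under mean + 3 stdev (about 7.45), so it passes, which is the "minor changes to baseline" limitation; and the single traversal request is invisible to the anomaly detector but caught by the signature, which is why the two approaches are normally combined.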
Log file Monitors
Similar to NIDS
Reviews logs
Looks for patterns & signatures in log files
Able to look at multiple log files from different systems
Large storage requirement
Slide23
Responses to IDS
Vary according to organization policy, objectives, and system capabilities
Administrator must be careful not to increase the problem
Responses can be active or passive
Slide24
Which One?
Consider system environment
Technical specification of the system environment
Technical specification of current security protections
Goals of enterprise
Formality of system environment and management culture
Slide25
Which One?
Consider Security Goals and Objectives
Protecting from threats outside the organization?
Protecting against threats from inside?
Use output of IDS to determine new hardware/software needs
Maintain managerial control over non-security-related network usage
Slide26
Which One?
Security policy
Structure
Job descriptions of system users
Include a reasonable-use policy
What are you going to do if a violation occurs?
Slide27
Which One?
Organization Requirements and Constraints?
Outside Requirements
Resource Constraints
Features and Quality
Tested Product
User Level of Expertise
Product Support
Slide28
Strengths of IDS
Monitoring & analysis of system events & user behaviors
Testing security states of system configuration
Baselining the security state of the system & tracking changes to the baseline
Pattern recognition
Auditing and logging
Alerting
Measuring performance
Slide29
Limitations of IDS
An IDS cannot:
Compensate for weak or missing security mechanisms
Instantly report or detect during heavy operations
Detect newly published attacks
Effectively respond to sophisticated attackers
Automatically investigate
Keep attacks from circumventing them
Deal effectively with switched networks
Slide30
Control Strategies
Centralized
Partially distributed
Fully distributed
Slide31
Centralized
All IDS control functions are implemented and managed in a centralized location
One management system
Advantages
Cost and control
Specialization
Disadvantage
Slide32
Fully Distributed
Opposite of centralized
All control functions applied at the physical location of each IDS component
Each sensor/agent is best configured to deal with its own environment
Reaction to attacks is sped up
Slide33
Partially Distributed Control
Individual agents respond to local threats
Report to a hierarchical central facility
One of the more effective methods
Slide34
Honey Pots / Honey Nets / Padded Cell Systems
Honey Pots
Decoy systems
Lure potential attackers away from critical systems
Encourage attacks against themselves
Honey Net
Collection of honey pots
Connects honey pots on a subnet
Contains pseudo-services that emulate well-known services
Filled with fictitious information
Slide35
Honey Pots / Honey Nets / Padded Cell Systems
Padded Cell
Protected honey pot
IDS detects attacks and transfers the attacker to a simulated environment
Monitors the actions of the attacker
Slide36
Trap and Trace Systems
Detect an intrusion and trace the incident back to its source
Consist of honey pot or padded cell & alarm
Similar to concept of caller ID
Back-hack
Considered unethical
Legal drawbacks to trap and trace
Enticement and entrapment
Slide37
Scanning and Analysis Tools
Help find vulnerabilities in systems, holes in security components, and insecure aspects of the network
Allow system admins to see what the attacker sees
May run into problems with ISP
Port scanners – what is active on a computer
Firewall analysis tools
Operating system detection tools
Vulnerability scanners
Packet sniffers
Slide38
Access Control Tools
Authentication – validation of a user's identity
Four general ways it is carried out
What he knows
What he has
Who he is
What he produces