
Network Defense and Countermeasures
Sir. Ahmad Kamalrulzaman Othman
FSKM, UiTM Johor

Chapter 5: Intrusion-Detection Systems

Objectives

Explain how intrusion-detection systems work
Implement strategies for preventing intrusion
Identify and describe several popular intrusion-detection systems
Define the term honey pot
Identify and describe at least one honey pot implementation

© 2006 by Pearson Education, Inc.

Introduction

Intrusion-Detection Systems (IDS) allow system administrators to detect possible attacks against the network. This chapter explores implementations of IDS solutions. We also explore the concept of a honey pot and how it can help administrators track attackers on the network.


Understanding IDS Concepts

Preemptive blocking
Infiltration
Intrusion deflection
Intrusion deterrence
Anomaly detection


Understanding IDS Concepts cont.

Preemptive Blocking

Sometimes called banishment vigilance
Attempts to detect an impending intrusion by recognizing the attacker's footprinting (reconnaissance) and blocking the source before the attack proper begins
Susceptible to false positives
May block legitimate traffic


Understanding IDS Concepts cont.

Infiltration

The concept of going undercover in the hacker world
Information is gathered through the hacker community to find out which vulnerabilities are being exploited
Time consuming
Administrators are not trained in detective work
Dangerous


Understanding IDS Concepts cont.

Intrusion Deflection

An attempted intrusion is redirected to a special environment and monitored
Honey pots are used in this approach
Difficult to set up and maintain
Assumes a target system will be compromised


Understanding IDS Concepts cont.

Intrusion Deterrence

Making the reward of an intrusion not worth the effort
Incorporates hiding the important servers through the use of camouflage
Uses multiple warning messages to scare off attackers
Low-cost solution
Easy to set up


Understanding IDS Concepts cont.

Anomaly Detection

Any activity that does not match normal use is saved in a log
Normal usage profiles are kept and updated, and observed behavior is compared against them to find anomalies


Understanding IDS Concepts cont.

Anomaly Detection

Threshold monitoring

Defines acceptable behaviors
Presets acceptable behavior levels
Monitors for these levels being exceeded
Difficult to set time windows for monitoring behavior
Susceptible to false positives and negatives


Understanding IDS Concepts cont.

Anomaly Detection

Resource Profiling

Develops a historic, system-wide usage profile
Difficult to interpret the meaning of changes in usage


Understanding IDS Concepts cont.

Anomaly Detection

User/Group Work Profiling

Profiles are kept on a user or group level
Changes in work patterns need to be updated in the profile
A dynamic user base could be difficult to profile


Understanding IDS Concepts cont.

Anomaly Detection

Executable Profiling

Monitors how programs use system resources
Needed because system services cannot be traced to a particular user, so user profiling does not cover them
Profiles how system objects (files, printers) are normally used
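The threshold-monitoring and user-profiling ideas above, worked as an added example (not from the textbook or the lecture): a baseline window of constructed auth-log lines is turned into a per-user profile of failed logins per day, a preset level is derived from each profile, and an observed window is checked against it. The log format, the user names, and the rule "mean plus three standard deviations, but never below an absolute floor" are assumptions made here for illustration.

```python
"""Threshold monitoring on per-user profiles, over constructed auth-log lines."""
from collections import Counter, defaultdict
from statistics import mean, pstdev
from typing import Dict, Iterable, List, Tuple

# Constructed sample logs (not from any real system). One event per line:
# "<ISO timestamp> <user> <event>", where event is login-ok or login-failed.
BASELINE_LOG = """\
2006-03-01T09:05:00 alice login-failed
2006-03-01T09:06:00 alice login-ok
2006-03-01T09:10:00 bob login-ok
2006-03-02T08:58:00 alice login-ok
2006-03-02T09:01:00 bob login-ok
2006-03-03T09:02:00 alice login-failed
2006-03-03T09:03:00 alice login-failed
2006-03-03T09:04:00 alice login-ok
2006-03-03T09:30:00 bob login-ok
"""

OBSERVED_LOG = """\
2006-03-04T09:00:00 alice login-failed
2006-03-04T09:01:00 alice login-failed
2006-03-04T09:02:00 alice login-ok
2006-03-04T02:00:00 bob login-failed
2006-03-04T02:01:00 bob login-failed
2006-03-04T02:02:00 bob login-failed
2006-03-04T02:03:00 bob login-failed
2006-03-04T02:04:00 bob login-failed
2006-03-04T02:05:00 bob login-failed
2006-03-04T02:06:00 mallory login-failed
2006-03-04T02:07:00 mallory login-failed
2006-03-04T02:08:00 mallory login-failed
2006-03-04T02:09:00 mallory login-failed
"""

Profile = Tuple[float, float]  # (mean, population stdev) of failed logins per day


def failures_per_day(lines: Iterable[str]) -> Dict[str, Counter]:
    """user -> Counter(day -> failed-login count); days with zero failures are kept."""
    table: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        if not line.strip():
            continue
        ts, user, event = line.split()
        day = ts[:10]
        table[user][day] += 0          # register the day even if nothing failed
        if event == "login-failed":
            table[user][day] += 1
    return table


def build_profiles(lines: Iterable[str]) -> Dict[str, Profile]:
    """Learn the 'normal use' profile of each user from the baseline window."""
    return {user: (mean(c.values()), pstdev(c.values()))
            for user, c in failures_per_day(lines).items()}


def threshold_for(profile: Profile, floor: int = 3, k: float = 3.0) -> float:
    """Preset level: mean + k*stdev, but never below an absolute floor, so that a
    quiet user (stdev 0) does not raise an alert on a single mistyped password."""
    mu, sigma = profile
    return max(float(floor), mu + k * sigma)


def detect(profiles: Dict[str, Profile], lines: Iterable[str],
           floor: int = 3, k: float = 3.0) -> List[str]:
    """Compare the observed window against each profile; return alert strings."""
    alerts: List[str] = []
    for user, per_day in failures_per_day(lines).items():
        for day, count in sorted(per_day.items()):
            if user not in profiles:       # never seen in the baseline: no profile exists
                if count >= floor:
                    alerts.append(f"{day} {user}: {count} failed logins, no profile")
                continue
            limit = threshold_for(profiles[user], floor, k)
            if count > limit:
                alerts.append(f"{day} {user}: {count} failed logins > limit {limit:.1f}")
    return alerts


if __name__ == "__main__":
    profiles = build_profiles(BASELINE_LOG.splitlines())
    for alert in detect(profiles, OBSERVED_LOG.splitlines()):
        print(alert)
```

Running it alerts on bob (six failures against a learned limit of 3) and on mallory (an account with no profile at all), while alice's two failures stay inside her profile. The two knobs show the trade-off the slides mention: lowering `floor` or `k` catches a slower attacker but starts flagging alice on a bad morning (false positive), raising them lets a patient attacker stay under the limit (false negative), and a new account such as mallory is exactly the "dynamic user base" case where no profile exists yet and only a fixed threshold can be applied.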


Understanding and Implementing IDS Systems

Two systems discussed in this section:

Snort
Cisco Intrusion-Detection


Understanding and Implementing IDS Systems cont.

Snort

Possibly the most well-known open-source IDS
Available on multiple platforms, including UNIX, Linux, and Windows
Three modes of operation:

Sniffer
Packet logger
Network intrusion-detection


Sniffer Mode

Monitors all traffic coming and going on a computer
Excellent way to check that traffic which should be encrypted actually is
Helps determine potential sources of problems


Packet Logger Mode

Similar to sniffer mode
Packet contents are written to a text file
Contents can be searched for specific items


Network Intrusion-Detection Mode

Uses a heuristic, rules-based approach: traffic is matched against a set of detection rules
Command-line-based interface
Need to know the commands and what they do
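Snort's three modes correspond to how it is started from the command line: `snort -v` sniffs, `snort -dev -l ./log` logs packets, and `snort -c snort.conf` loads a rule set and runs as a NIDS. What the rule set does in that third mode is shown by the following added example, which is not Snort's code and not from the lecture: a matcher for a small subset of Snort's rule syntax (a header with addresses, ports and the `->` direction; the `msg`, `content`, `nocase` and `sid` options, including `|xx xx|` hex inside `content`) run over constructed packets. The two rules and the packets are made up for illustration; their SIDs sit in the local range (1,000,000 and above) so they cannot be mistaken for published Snort signatures.

```python
"""Rule-based inspection in the style of Snort's NIDS mode, over constructed packets."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str
    sid: int
    contents: List[bytes]
    nocase: bool


# Rule header: action proto src sport -> dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$")
# Options: "key;" or "key:value;" where value may be a double-quoted string
OPT_RE = re.compile(r'\s*(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def decode_content(text: str) -> bytes:
    """Snort content syntax: literal text, with |xx xx| sections giving raw hex bytes."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return bytes(out)


def parse_rule(line: str) -> Rule:
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable rule: {line!r}")
    msg, sid, contents, nocase = "", 0, [], False
    for key, raw in OPT_RE.findall(m["opts"]):
        val = raw.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        if key == "msg":
            msg = val
        elif key == "sid":
            sid = int(val)
        elif key == "content":
            contents.append(decode_content(val))
        elif key == "nocase":
            nocase = True
        # other options (rev, classtype, flow, ...) are accepted and ignored here
    return Rule(m["action"], m["proto"], m["src"], m["sport"],
                m["dst"], m["dport"], msg, sid, contents, nocase)


def addr_matches(spec: str, ip: str) -> bool:
    """'any', a host, a CIDR block, or any of those negated with a leading '!'."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    """'any', a single port, a lo:hi range (either end may be open), or '!' negation."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if ":" in spec:
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def header_matches(r: Rule, p: Packet) -> bool:
    return (r.proto in ("ip", p.proto)
            and addr_matches(r.src, p.src) and port_matches(r.sport, p.sport)
            and addr_matches(r.dst, p.dst) and port_matches(r.dport, p.dport))


def payload_matches(r: Rule, p: Packet) -> bool:
    """Every content pattern must appear in the payload (case-folded under nocase)."""
    hay = p.payload.lower() if r.nocase else p.payload
    return all((c.lower() if r.nocase else c) in hay for c in r.contents)


def inspect(rules: List[Rule], packets: List[Packet]) -> List[Tuple[int, str]]:
    """Return (sid, msg) for every alert rule that matches a packet, in packet order."""
    return [(r.sid, r.msg) for p in packets for r in rules
            if r.action == "alert" and header_matches(r, p) and payload_matches(r, p)]


# Hypothetical local rules (SIDs >= 1000000) and constructed packets, for illustration only
LOCAL_RULES = [
    'alert tcp any any -> 10.0.0.0/24 80 (msg:"WEB-MISC /etc/passwd access"; '
    'content:"/etc/passwd"; nocase; sid:1000001; rev:1;)',
    'alert tcp any any -> 10.0.0.0/24 21 (msg:"FTP USER root attempt"; '
    'content:"USER root|0d 0a|"; nocase; sid:1000002; rev:1;)',
]
SAMPLE_PACKETS = [
    Packet("tcp", "192.168.1.20", 51000, "10.0.0.5", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    Packet("tcp", "192.168.1.20", 51001, "10.0.0.5", 80, b"GET /view?f=../../ETC/PASSWD HTTP/1.0\r\n\r\n"),
    Packet("tcp", "192.168.1.20", 51002, "10.0.0.5", 8080, b"GET /etc/passwd HTTP/1.0\r\n\r\n"),
    Packet("tcp", "172.16.4.9", 40010, "10.0.0.7", 21, b"USER root\r\n"),
    Packet("tcp", "10.0.0.7", 21, "172.16.4.9", 40010, b"331 Password required for root\r\n"),
]

if __name__ == "__main__":
    for sid, msg in inspect([parse_rule(r) for r in LOCAL_RULES], SAMPLE_PACKETS):
        print(f"[1:{sid}] {msg}")
```

The second and fourth packets fire; the third carries the same string but to port 8080, so the header never matches, and the fifth is the server's reply, which flows in the wrong direction for a `->` rule. That is the nature of a rule-based NIDS: it sees only what a rule author anticipated, which is why the earlier slides pair it with anomaly detection.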


Cisco Intrusion-Detection

Cisco IDS 4200 Series Sensors
Cisco Catalyst 6500 Series Intrusion-Detection System Services Module (IDSM-2)


Understanding and Implementing Honey Pots

A honey pot is a single machine
Set up to appear to be an important server
All traffic to the machine is suspicious, because no legitimate users should connect to it
Two types of honey pots discussed here:

Specter
Symantec Decoy Server


Specter

Software solution that provides phantom servers
Documentation can be found at www.specter.com
Able to emulate common services:

SMTP, FTP, TELNET, FINGER, POP3, etc.
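A honey pot of the kind described on the last two slides, as an added example (not Specter's code and not from the lecture): a decoy that listens on a TCP port, greets with an FTP-style banner, never accepts a login, and records the source address and every command each connection sends. Because no legitimate user should ever connect, every recorded event deserves an analyst's attention. The banner hostname, the reply texts, and the `probe` client that plays the attacker are constructed for this example; the decoy binds 127.0.0.1 on an OS-chosen port so it can be exercised safely on a workstation.

```python
"""A minimal decoy service: accepts every connection, rejects every login,
and records who connected and what they typed. Constructed example."""
import socket
import threading
import time
from datetime import datetime, timezone
from typing import Dict, List

# Hypothetical banner shaped like an FTP greeting; the hostname is made up.
BANNER = b"220 ftp.internal.example FTP server ready\r\n"
MAX_COMMANDS = 20          # cap what one attacker can make the decoy store


class HoneyPot:
    """Listens on one TCP port; nobody legitimate should ever connect here,
    so every connection is an event worth keeping."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0) -> None:
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))        # port 0: the OS picks a free port
        self.sock.listen(5)
        self.sock.settimeout(0.2)           # lets the accept loop notice stop()
        self.port = self.sock.getsockname()[1]
        self.events: List[Dict] = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self) -> "HoneyPot":
        self._thread.start()
        return self

    def stop(self) -> None:
        self._stop.set()
        self._thread.join(timeout=2)
        self.sock.close()

    def wait_for_events(self, n: int, timeout: float = 3.0) -> bool:
        """Block until at least n connections have been recorded (or time out)."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.events) >= n:
                    return True
            time.sleep(0.02)
        return False

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()

    def _handle(self, conn: socket.socket, peer) -> None:
        commands: List[str] = []
        try:
            conn.settimeout(5.0)
            conn.sendall(BANNER)
            buf, done = b"", False
            while not done:
                chunk = conn.recv(1024)
                if not chunk:
                    break
                buf += chunk
                while b"\n" in buf and not done:
                    raw, buf = buf.split(b"\n", 1)
                    line = raw.rstrip(b"\r").decode("latin-1")
                    commands.append(line)
                    verb = line.split(" ", 1)[0].upper()
                    if verb == "USER":
                        conn.sendall(b"331 Password required.\r\n")
                    elif verb == "PASS":      # decoy: no credential is ever accepted
                        conn.sendall(b"530 Login incorrect.\r\n")
                    elif verb == "QUIT":
                        conn.sendall(b"221 Goodbye.\r\n")
                        done = True
                    else:
                        conn.sendall(b"500 Unknown command.\r\n")
                    if len(commands) >= MAX_COMMANDS:
                        done = True
        except (socket.timeout, OSError):
            pass
        finally:
            conn.close()
            with self._lock:     # the record is the whole point of the decoy
                self.events.append({
                    "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
                    "src": peer[0], "sport": peer[1], "commands": commands})


def probe(port: int, commands: List[str], host: str = "127.0.0.1") -> List[str]:
    """Constructed client that plays the attacker; returns each reply line."""
    replies: List[str] = []
    with socket.create_connection((host, port), timeout=3) as s:
        rd = s.makefile("rb")
        replies.append(rd.readline().decode().rstrip())
        for cmd in commands:
            s.sendall(cmd.encode() + b"\r\n")
            replies.append(rd.readline().decode().rstrip())
    return replies


if __name__ == "__main__":
    hp = HoneyPot().start()
    print(probe(hp.port, ["USER root", "PASS toor", "QUIT"]))
    hp.wait_for_events(1)
    print(hp.events)
    hp.stop()
```

The event list is what an operator would forward to the logging host or the IDS console: the source address, the attempted credentials, and the time. A production decoy would run on a dedicated, isolated machine as the slides describe, write its events somewhere the attacker cannot reach, and emulate the service well enough (Specter's modes and fake password files serve that purpose) that the intruder keeps talking.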


Specter cont.

Can be set up in one of five modes:

Open
Secure
Failing
Strange
Aggressive


Specter cont.

Fake password files can also be configured:

Easy
Normal
Hard
Fun
Warning


Symantec Decoy Server

Full details can be found at:
http://enterprisesecurity.symantec.com/content/displaypdf.cfm?pdfid=292
It should be no surprise that Symantec provides a honey pot solution


Summary

There are a variety of Intrusion-Detection Systems available
They should be used in conjunction with firewalls
They can run at the perimeter and internally as sensors
Ideally implemented on every server
Free IDS solutions are available


Summary cont.

Honey pots entice hackers to a fake server
A server is set up specifically to monitor hacker activity
Honey pots can help track and catch hackers
Honey pots can be configured to emulate many server services
