Lesson 13-Intrusion Detection
Transcript of Lesson 13-Intrusion Detection
Overview
Define the types of Intrusion Detection Systems (IDS).
Set up an IDS.
Manage an IDS.
Understand intrusion prevention.
Overview
Intrusion detection is a reactive concept that tries to
identify a hacker when they attempt a penetration.
Intrusion detection can also assist in the proactive
identification of active threats. It provides indications and
warnings that a threat is gathering information for an
attack.
Overview
Night watchmen and guard dogs are forms of IDS.
They serve two purposes: they provide a means of
identifying that something bad is happening, while
deterring the perpetrator.
Define the types of Intrusion Detection Systems
There are two primary types of IDS:
Host-based
Network-based
Host-Based IDS
A Host-based Intrusion Detection System (HIDS) resides on
a particular host and looks out for indications of attacks on
that host.
A HIDS is a system of sensors loaded onto various
servers within an organization and controlled by a
central manager.
Host-Based IDS
The sensors can:
Look for various types of events.
Take action on the particular server.
Send out a notification.
Host-based IDS
There are five basic types of HIDS sensors:
Log analyzers
Signature-based sensors
System call analyzers
Application behavior analyzers
File integrity checkers
Host-based IDS
Log analyzers are reactive in nature and look for logged events
that may indicate a security breach.
They are particularly suited to tracking the actions of authorized users.
Signature-based sensors compare incoming traffic to
built-in signatures.
They are also reactive in nature and may be used to track
authorized users.
Host-based IDS
System call analyzers sit between the OS and the
applications to analyze the calls being made. They compare
the calls to a database of signatures.
Application behavior analyzers sit between the OS and the
applications and examine calls to check for authorization.
File integrity checkers look for changes in the file, typically
through checksums or digital signatures.
Network-based IDS
A NIDS resides on a separate system that watches network
traffic, looking for indications of attacks that traverse the
network.
A NIDS places the Network Interface Card (NIC) on the
system into promiscuous mode to pass traffic to the NIDS
software for analysis.
NIDS are primarily signature-based.
Network-based IDS
NIDS systems have two NICs: one is configured in stealth
mode to monitor the network and the second is used to
send alarms.
The advantages of using a NIDS are the following:
It can be hidden on the network.
It can capture the contents of all packets traveling to a target
system.
It monitors traffic for a large number of systems.
Network-based IDS
The disadvantages of using a NIDS are as follows:
It will only alarm if traffic matches a preconfigured rule.
It can miss traffic of interest because of high bandwidth usage.
It cannot determine if an attack was successful.
It cannot examine encrypted traffic.
Switched networks require special configuration.
Set up an IDS
The effective use of an IDS must include the proper
planning and involvement of executive management.
The steps for creating an IDS implementation are:
Define the goals of the IDS.
Choose what to monitor.
Choose the response.
Set thresholds.
Implement the policy.
Defining the Goals of the IDS
The goals of the IDS provide the requirements for the IDS
policy. Potential goals include the following:
Detection of attacks.
Prevention of attacks.
Detection of policy violations.
Enforcement of use policies.
Enforcement of connection policies.
Collection of evidence.
Choosing What to Monitor
The choice of what an IDS should monitor is governed by
the goals of the IDS and the environment in which the IDS
will function.
The choice of what an IDS should monitor governs the
placement of sensors, as they must be able to see the
events of interest.
Choosing What to Monitor
For a network using switches, a NIDS sensor will not
function properly if it is just connected to a switch port.
Instead, you should use the switch monitoring port or a
network tap.
Choosing How to Respond
Response choices are governed by the goals of the IDS.
When an event occurs, there are two types of responses:
Passive response: a response that does not directly impede the
attacker's actions.
Active response: a response that directly attempts to
impede the attacker's actions.
Passive Response
A passive response is the most common type of action
when an intrusion is detected.
Passive responses have a lower probability of causing
disruptions to legitimate traffic while being the easiest to
implement in a completely automated fashion.
Passive Response
Passive responses include:
Shunning: ignoring the attack.
Logging: gathering basic information.
Additional logging: collecting more information about the event
than is normally captured.
Notification: informing an individual about the event.
Active Response
Active responses include:
Termination of connections, sessions, or processes
Network reconfiguration
Deception
An active response to an event allows the quickest possible
action to reduce the impact of the event.
Active Response
It can also cause disruption or complete denial of service to
legitimate users.
Network reconfiguration may stop the intruder, but can
have a negative impact on partners and customers, causing
loss of productivity.
Setting Thresholds
Thresholds provide protection against false positive
indications.
They enhance the overall effectiveness of an IDS policy.
They can be used to filter out accidental events from
intentional events.
Thresholds that detect attacks should be set to ignore
low-level probes or single information-gathering events.
Setting Thresholds
Parameters that must be considered in setting thresholds are:
User expertise
Network speed
Expected network connections
Administrator/security officer workload
Sensor sensitivity
Security program effectiveness
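The log-analyzer sensor described earlier and the threshold rule on these two slides fit together naturally, so here is one added Python example (not from the lecture) that shows both: it parses sshd password events out of constructed syslog-style lines and raises an alert only when a single source reaches a configurable number of failures within a time window, so a lone failed login (an accidental event) is ignored while a burst is reported. The log lines, the year used to complete the timestamps, and the threshold values are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines (syslog style); not taken from any real host.
SAMPLE_LOG = """\
Mar 10 09:00:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50111 ssh2
Mar 10 09:00:03 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 50112 ssh2
Mar 10 09:00:05 web1 sshd[2105]: Failed password for root from 203.0.113.7 port 50113 ssh2
Mar 10 09:00:06 web1 sshd[2107]: Failed password for root from 203.0.113.7 port 50114 ssh2
Mar 10 09:00:08 web1 sshd[2109]: Failed password for root from 203.0.113.7 port 50115 ssh2
Mar 10 09:02:40 web1 sshd[2121]: Failed password for alice from 198.51.100.4 port 40022 ssh2
Mar 10 09:02:55 web1 sshd[2123]: Accepted password for alice from 198.51.100.4 port 40023 ssh2
Mar 10 09:05:00 web1 sshd[2130]: Failed password for bob from 198.51.100.9 port 40100 ssh2
Mar 10 09:05:01 web1 CRON[2131]: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse(line, year=2024):
    """Return a dict for an sshd password event, or None for any other line.
    Syslog timestamps carry no year, so one is supplied (assumed here)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def analyze(log_text, threshold=5, window=timedelta(minutes=1)):
    """Raise one alert when a single source reaches `threshold` failed logins
    inside `window`. Anything below the threshold is treated as accidental."""
    recent = defaultdict(list)   # src -> failure events still inside the window
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None or ev["result"] != "Failed":
            continue
        kept = [e for e in recent[ev["src"]] if ev["ts"] - e["ts"] <= window]
        kept.append(ev)
        if len(kept) >= threshold:
            alerts.append({
                "src": ev["src"],
                "count": len(kept),
                "users": sorted({e["user"] for e in kept}),
                "first": kept[0]["ts"].isoformat(),
                "last": ev["ts"].isoformat(),
            })
            kept = []   # one alert per burst rather than one per extra failure
        recent[ev["src"]] = kept
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

With the default threshold the burst from 203.0.113.7 produces a single alert and the isolated failures from alice and bob produce none. Lowering the threshold to 1 turns every failure into an alert, which is the kind of workload the slide warns about when it lists administrator workload and sensor sensitivity among the parameters to weigh.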
Implementing the System
The actual implementation of the IDS policy must be
carefully planned.
There are few easier ways to disrupt a well-managed
network than to introduce a badly configured IDS.
Implementing the System
Once the IDS policy has been developed and the initial
threshold settings calculated, it should be put into place
with the final policy, less any active measures.
The IDS should be monitored closely for some period of
time while the thresholds are evaluated.
Manage an IDS
Before an organization decides to implement an IDS, it
should understand the goals of the program.
They are:
Understand what an IDS can tell.
Investigate suspicious events.
Understand What an IDS Can Tell You
There are two components to an IDS configuration:
The attack signatures that have been programmed into the
system.
Any additional events that the administrator has identified as
being of interest.
Understand What an IDS Can Tell You
When the IDS has been properly configured, the four types of
events that the IDS will show are:
Reconnaissance events
Attacks
Policy violations
Suspicious or unexplained events
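To show how a signature-based NIDS (which an earlier slide says most NIDS are) produces the four event types on this slide, here is an added Python example that is not part of the lecture. It runs a hypothetical signature set over a constructed packet sample: content signatures yield attack and policy-violation events, a count of distinct ports probed by one source yields a reconnaissance event, and traffic to a port that is not an expected service and matches no signature is reported as suspicious. One packet carries opaque TLS application data to make the earlier slide's point that encrypted traffic cannot be examined. The rules, the expected-service list, the addresses and the packets are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes            # application data exactly as seen on the wire


@dataclass
class Rule:
    name: str
    category: str             # event type this signature indicates
    dport: Optional[int]      # None means any destination port
    content: bytes            # byte pattern that must appear in the payload (b"" = any)


# Hypothetical signature set written for this example.
RULES = [
    Rule("HTTP directory traversal attempt", "attack", 80, b"../../"),
    Rule("cleartext telnet to a server", "policy violation", 23, b""),
    Rule("cleartext FTP login", "policy violation", 21, b"USER "),
]

EXPECTED_SERVICES = {22, 80, 443}   # ports the monitored servers are meant to offer

# Constructed traffic sample using RFC 5737 documentation addresses.
SCANNER = "203.0.113.7"
PACKETS = [Packet(SCANNER, "192.0.2.10", port, b"")
           for port in (21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3306, 3389)]
PACKETS += [
    Packet("198.51.100.4", "192.0.2.10", 80,
           b"GET /static/../../../../etc/hostname HTTP/1.1\r\nHost: www\r\n\r\n"),
    # The same request over HTTPS reaches the sensor as a TLS application-data
    # record; the plaintext pattern is not visible, so no content rule can fire.
    Packet("198.51.100.4", "192.0.2.10", 443,
           bytes.fromhex("17030300a8") + b"\x8f\x12\xc4\x01" * 10),
    Packet("10.0.0.8", "192.0.2.20", 23, b"\xff\xfb\x18"),    # telnet option negotiation
    Packet("10.0.0.9", "192.0.2.20", 5900, b"RFB 003.008\n"),  # VNC banner on a web server
]


def analyze(packets, recon_ports=10):
    """Classify traffic into the four event types the slide lists."""
    events = defaultdict(list)
    ports_by_src = defaultdict(set)
    for p in packets:
        ports_by_src[p.src].add(p.dport)
        matched = False
        for r in RULES:
            if (r.dport is None or r.dport == p.dport) and r.content in p.payload:
                events[r.category].append(f"{r.name}: {p.src} -> {p.dst}:{p.dport}")
                matched = True
        if not matched and p.dport not in EXPECTED_SERVICES:
            events["suspicious"].append(
                f"unexpected service: {p.src} -> {p.dst}:{p.dport}")
    for src, ports in ports_by_src.items():
        if len(ports) >= recon_ports:
            events["reconnaissance"].append(f"{src} probed {len(ports)} distinct ports")
            # The per-port noise from a scan is explained by the scan itself,
            # so it is folded into the reconnaissance event (a threshold choice).
            events["suspicious"] = [e for e in events["suspicious"] if src not in e]
    return dict(events)


if __name__ == "__main__":
    for category, items in analyze(PACKETS).items():
        print(category)
        for item in items:
            print("   ", item)
```

Note that the scanner's probe of port 23 also trips the telnet policy rule, so one packet can legitimately appear under two event types; the HTTPS packet appears under none, which is the blind spot the NIDS disadvantages slide describes.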
Investigate Suspicious Events
When suspicious activity occurs, any of these four steps can
be taken to determine whether the activity constitutes an actual or
attempted intrusion:
Identify the systems.
Log additional traffic between the source and destination.
Log all traffic from the source.
Log the contents of packets from the source.
Understand Intrusion Prevention
Intrusion prevention involves a proactive rather than reactive
approach to IDS.
To prevent an intrusion, the actual attack must be either stopped
before it reaches the target system or stopped before the target
system can execute the code that exploits the vulnerability.
Understand Intrusion Prevention
HIDS sensors such as system call analyzers and application
behavior analyzers have the potential to prevent an attack.
For a NIDS to prevent attacks, the standard configuration
must be changed to place the NIDS in line with the traffic.
IDS that are proactive can raise the potential for denial of
service and cause overall availability issues.
Summary
Intrusion detection is a reactive concept that tries to
identify a hacker when a penetration is attempted.
A HIDS resides on a particular host and looks for indications
of attacks on that host.
A NIDS resides on a separate system that watches network
traffic and looks for indications of attacks that traverse the
network.
Summary
The effective use of an IDS must include the proper
planning and involvement of executive management.
Passive responses have a lower probability of causing
disruptions to legitimate traffic while being the easiest to
implement in a completely automated fashion.
Summary
An active response to an event allows the quickest possible
action to reduce the impact of the event.
To prevent an intrusion, the attack must be stopped before
it reaches the target system.