Intrusion Detection Systems - PowerPoint PPT Presentation

Provided by: Sri672
Slides: 18

1
Intrusion Detection Systems
2
IDS
  • Intrusion Detection
  • Network-based IDS
  • Host-based IDS
  • Detection
  • Anomaly-based IDS
  • Signature-based IDS
  • Honeypots
  • Incident response

3
Intrusion Detection
  • Detecting an unusual traffic pattern is a signal of
    intrusion by a hacker
  • IDS are complementary to firewalls
  • An IDS detects activity once the intruder is on the
    system
  • A network IDS has the capacity to check 40 Mb/sec
    of traffic. If traffic exceeds this capacity, the
    IDS drops packets at random and could let a
    malicious packet through unexamined. This is a
    false negative.

4
Intrusion Detection
  • False positives happen when the IDS mistakenly
    identifies a valid packet as suspect
  • False positives require human intervention
  • False positives are costly to fix
  • To avoid false positives, the system needs tuning
    over a period of time so that it monitors for the
    proper type of activity

5
Network-based IDS
  • Most commonly used type of IDS
  • Location of the IDS on the network is critical both
    to detect intrusion and to be cost effective
  • Typical locations are
      • Inside the firewall
      • On the DMZ
      • On the server farm segment
      • On network segments connecting the mainframe to hosts

6
Network-based IDS
  • Just inside the firewall is the best location
    because all inbound and outbound traffic passes
    through that point
  • The DMZ is also a good location since the public
    enters the DMZ only. If the DMZ is attacked, an IDS
    there could potentially stop the hacker at the
    DMZ.
  • Locating the IDS on the server farm segment or
    the mainframe-to-host segment is needed only for
    mission critical applications

7
Network-based IDS
  • A NIDS monitors traffic by sniffing
  • Networks that use hubs can be sniffed easily
  • Networks that use switches are difficult to
    sniff. Use a Switch Port Analyzer (SPAN) port or
    taps to sniff. SPAN causes the switch to copy all
    packets and transmit them to the port with the SPAN
    configuration.
  • SPAN can be used to monitor a single host
  • SPAN does not monitor traffic between hosts on
    the same segment, as in a token ring.

8
Network-based IDS
  • Taps are placed between the node and the switch.
    A tap copies all traffic and forwards it to a hub,
    which is attached to an IDS server. This
    arrangement allows multiple hosts to be monitored
    simultaneously.
  • A signature-based IDS looks for patterns that could
    indicate an attack
  • A port signature means that traffic is monitored
    for a particular port such as 80. If the HTTP
    service is not provided by that server, then
    there should be no attempt to use port 80.

9
Host-based IDS
  • This is an older method, used in the 1980s.
  • Keep audit logs, system logs, event logs,
    security logs, and syslog
  • Monitor file checksums to identify changes
  • Monitor port activity
  • Intercept and evaluate requests by applications
    for system resources

10
Host-based IDS
  • Install agent software on the system for a
    host-based IDS
  • Two types of software are available
      • Agent-based IDS
      • Host wrappers
  • Host wrappers are usually personal firewalls
  • Black ICE Defender is a host wrapper

11
Host-based IDS
  • An example of an agent HIDS is Entercept's product
  • How a HIDS responds
      • Log the event
      • Alert the administrator
      • Terminate the user login
      • Disable the user account
  • Host-based and network-based IDS are
    complementary products

12
Detection methods
  • Passive detection
      • Detects anomalous activity but does not stop such
        activity
  • Active detection
      • Detects anomalous activity and stops such
        activity
      • Interoperates with routers and firewalls
  • When an IDS is used to block malicious traffic, it
    is called shunning or blocking

13
Detection methods
  • Signature detection is an active IDS
  • A NIDS uses a pattern of characters as the signature
    of an attack
  • Example: a packet payload from a malicious source
    might look something like CE63 D1D2 16E7 13CF, and
    this causes a signature to be developed that
    matches the above pattern in the payload.

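The two kinds of signature the slides describe, the port signature of slide 8 (traffic to port 80 on a server that offers no HTTP) and the payload byte pattern of slide 13, are shown together in this added Python example. It is not code from the slides or from any IDS product they name. The service inventory, the sample packets and the alert wording are constructed for the demo; the only page value used is the CE63 D1D2 16E7 13CF payload fragment, which is loaded as a byte-pattern signature.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    dst_port: int
    payload: bytes


@dataclass
class Signature:
    """A content signature: a byte pattern, optionally restricted to one destination port."""
    name: str
    pattern: bytes
    dst_port: Optional[int] = None

    def matches(self, pkt):
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return self.pattern in pkt.payload


# Constructed service inventory: the ports each monitored server is known to offer.
EXPECTED_SERVICES = {
    "10.0.0.5": {25, 110},   # mail server; it does not serve HTTP
    "10.0.0.8": {80, 443},   # web server
}

# The payload fragment from slide 13 as a byte-pattern signature, plus a variant
# that fires only when the pattern is seen on port 80.
SIGNATURES = [
    Signature("slide13-payload", bytes.fromhex("CE63D1D216E713CF")),
    Signature("slide13-payload-on-http", bytes.fromhex("CE63D1D216E713CF"), dst_port=80),
]


def port_signature_alerts(packets, expected=EXPECTED_SERVICES):
    """Port signature (slide 8): traffic to a port the destination host is not known
    to serve, such as port 80 on a server with no HTTP service, is suspicious."""
    alerts = []
    for p in packets:
        allowed = expected.get(p.dst)
        if allowed is not None and p.dst_port not in allowed:
            alerts.append(f"port-signature: {p.src} -> {p.dst}:{p.dst_port} is not an offered service")
    return alerts


def content_signature_alerts(packets, signatures=SIGNATURES):
    """Content signature (slide 13): a known byte pattern appears in a payload."""
    alerts = []
    for p in packets:
        for sig in signatures:
            if sig.matches(p):
                alerts.append(f"content-signature: {sig.name} from {p.src} -> {p.dst}:{p.dst_port}")
    return alerts


def run_ids(packets):
    return {"port": port_signature_alerts(packets), "content": content_signature_alerts(packets)}


# Constructed sample traffic (not captured data).
SAMPLE_PACKETS = [
    Packet("192.0.2.10", "10.0.0.8", 80, b"GET / HTTP/1.1\r\nHost: www\r\n\r\n"),            # normal web
    Packet("192.0.2.11", "10.0.0.5", 80, b"GET / HTTP/1.1\r\n\r\n"),                         # HTTP to mail server
    Packet("192.0.2.12", "10.0.0.5", 25, b"EHLO x\r\n" + bytes.fromhex("CE63D1D216E713CF")), # pattern on SMTP
    Packet("192.0.2.13", "10.0.0.8", 80, bytes.fromhex("00CE63D1D216E713CF00")),             # pattern on HTTP
    Packet("192.0.2.14", "10.0.0.8", 443, b"\x16\x03\x01\x00\x05hello"),                      # normal TLS
]

if __name__ == "__main__":
    for kind, alerts in run_ids(SAMPLE_PACKETS).items():
        for alert in alerts:
            print(kind, alert)
```

Note the trade-off the slides describe: a content signature is only as good as the pattern it carries, so any traffic that does not contain the exact bytes passes silently (a false negative), while a port signature depends on the service inventory being kept accurate, or legitimate traffic to a newly deployed service is flagged (a false positive).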
14
Detection methods
  • Anomaly detection takes the opposite view of
    signature detection. It looks for patterns that
    do not follow the norm for traffic.
  • IDS Products
      • Computer Associates eTrust
      • Cisco Entercept HIDS
      • Aladdin Knowledge Systems eSafe
      • ISS Integrated product

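Anomaly detection, the opposite view just described, is shown in this added Python example; it is not code from the slides or from any of the products listed. It learns a per-source norm (mean and standard deviation of connections per minute) from a quiet training window and then flags any minute whose count deviates from that norm by more than three standard deviations. The log line format, the training counts and the observed lines are all constructed for the demo.

```python
import re
import statistics
from collections import Counter, defaultdict

# Constructed log format (not from any product on the slides):
# "<ISO timestamp> conn src=<ip> dst=<ip> dport=<port>"
LOG_RE = re.compile(r"^(?P<ts>\S+) conn src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


def bucket_per_minute(lines):
    """Count connections per (source host, minute); lines that do not parse are skipped."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        minute = m.group("ts")[:16]  # "YYYY-MM-DDTHH:MM"
        counts[(m.group("src"), minute)] += 1
    return counts


def build_profile(counts):
    """Per-source norm: mean and sample standard deviation of connections per minute."""
    per_src = defaultdict(list)
    for (src, _minute), n in counts.items():
        per_src[src].append(n)
    profile = {}
    for src, values in per_src.items():
        stdev = statistics.stdev(values) if len(values) > 1 else 0.0
        profile[src] = (statistics.mean(values), stdev)
    return profile


def detect_anomalies(profile, counts, z_threshold=3.0, min_stdev=0.5):
    """Flag any (source, minute) whose count lies more than z_threshold standard
    deviations above that source's norm. min_stdev stops a perfectly flat baseline
    from alerting on a change of one connection. Sources with no baseline at all
    are reported too, since there is no norm to compare them against."""
    alerts = []
    for (src, minute), n in sorted(counts.items()):
        if src not in profile:
            alerts.append((src, minute, n, "no baseline for this source"))
            continue
        mean, stdev = profile[src]
        z = (n - mean) / max(stdev, min_stdev)
        if z > z_threshold:
            alerts.append((src, minute, n, f"z={z:.1f} above mean {mean:.1f}"))
    return alerts


# Constructed training window: ten quiet minutes for one workstation.
TRAINING_COUNTS = Counter(
    {("10.0.0.12", f"2024-01-01T10:{i:02d}"): n
     for i, n in enumerate([3, 4, 3, 5, 4, 3, 4, 4, 3, 5])}
)

# Constructed observed traffic: a burst of 40 connections in one minute, one normal
# minute, a source never seen during training, and one malformed line.
OBSERVED_LINES = (
    [f"2024-01-01T11:00:{s:02d} conn src=10.0.0.12 dst=10.0.0.5 dport=25" for s in range(40)]
    + [f"2024-01-01T11:01:{s:02d} conn src=10.0.0.12 dst=10.0.0.8 dport=443" for s in range(4)]
    + ["2024-01-01T11:02:10 conn src=10.0.0.99 dst=10.0.0.8 dport=80",
       "2024-01-01T11:02:11 conn src=10.0.0.99 dst=10.0.0.8 dport=80",
       "this line is not a connection record"]
)


def run_demo():
    profile = build_profile(TRAINING_COUNTS)
    return detect_anomalies(profile, bucket_per_minute(OBSERVED_LINES))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The threshold and the length of the training window are exactly the tuning the slides call for: too short a window or too low a threshold produces the false positives that require human intervention, while a window that already contains an intrusion teaches the detector that the intrusion is normal.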
15
Honeypots
  • Systems that pretend to be real and entice
    hackers to attempt to break in
  • Most such systems are not connected to the company
    network
  • Honeypots are challenged in courts as entrapment
  • The white hat community considers honeypots ethical

16
References
  • Black ICE http://www.iss.net
  • Agent HIDS http://www.entercept.com
  • Computer Associates http://www.cai.com
  • Aladdin http://www.ealaddin.com

17
Security Scenario to Solve