Intrusion Detection/Prevention Systems - PowerPoint PPT Presentation

About This Presentation
Title:

Intrusion Detection/Prevention Systems

Description:

Intrusion Detection/Prevention Systems Charles Poff Bearing Point Intrusion Detection Systems Intrusion Detection System (IDS) Passive Hardware\software based Uses ... – PowerPoint PPT presentation

Number of Views:122
Avg rating:3.0/5.0
Slides: 14
Provided by: Charles568
Learn more at: https://ewh.ieee.org
Category:

less

Transcript and Presenter's Notes

Title: Intrusion Detection/Prevention Systems


1
Intrusion Detection/Prevention Systems
  • Charles Poff
  • Bearing Point

2
Intrusion Detection Systems
  • Intrusion Detection System (IDS)
  • Passive
  • Hardware\software based
  • Uses attack signatures
  • Configuration
  • SPAN/Mirror Ports
  • Generates alerts (email, pager)
  • After the fact response

3
Intrusion Prevention Systems
  • Intrusion Prevention System (IPS)
  • Also called Network Defense Systems (NDS)
  • Inline active
  • Hardware\software based
  • Uses attack signatures
  • Configuration
  • Inline w/fail over features.
  • Generates alerts (email, pager)
  • Real time response

4
IDS vs. IPS
  • IPS evolved from IDS
  • Need to stop attacks in real time
  • After the fact attacks have lesser value
  • IDS is cheaper.
  • Several Open Source IDS/IPS
  • Software based
  • IPS EXPENSIVE
  • Hardware based (ASIC FPGA)

5
Detection Capabilities
  • Signatures
  • Based on current exploits (worm, viruses)
  • Detect malware, spyware and other malicious
    programs.
  • Bad traffic detection, traffic normalization
  • Anomaly Detection
  • Analyzes TCP/IP parameters
  • Normalization
  • Fragmentation/reassembly
  • Header checksum problems

6
Evasion Techniques
  • Encryption
  • IPSec, SSH, Blowfish, SSL, etc.
  • Placement of IPS sensors are crucial
  • Lead to architectural problems
  • False sense of security
  • Encryption Key Exchange
  • IPS sensors can usually detect/see encryption
    key exchanges
  • IPS sensors can usually detected unknown
    protocols

7
Evasion Techniques (cont.)
  • Packet Fragmentation
  • Reassembly 1.) out of order, 2.) storage of
    fragments (D.o.S)
  • Overlapping different size packets arrive out
    of order and in overlapping positions.
  • Newly arrived packets can overwrite older data.

8
Evasion Techniques (cont.)
  • Zero day exploits (XSS, SQL Injection)
  • Not caught by signatures
  • Not detected by normalization triggers
  • Specific to custom applications/DBs.
  • Social engineering
  • Verbal communication
  • Malicious access via legitimate credentials
  • Poor configuration management
  • Mis-configurations allow simple access not
    detected.
  • Increases attack vectors

9
Vendors
  • Open Source
  • SNORT (IDS/IPS) my favorite
  • Prelude (IDS)
  • HoneyNet (Honey Pot/IDS)
  • Commercial
  • TippingPoint
  • Internet Security Systems
  • Juniper
  • RadWare
  • Mirage Networks

10
Tools of the Trade
  • Fuzzers SPIKE, WebScarab, ADMmutate, ISIC, Burp
    Suite
  • Scanners - Nessus, NMAP, Nikto, Whisker
  • Fragmentation ADMmutate, Fragroute, Fragrouter,
    ettercap, dSniff
  • Sniffers ethereal, dSniff, ettercap, TCPDump
  • Web Sites
  • www.thc.org
  • packetstormsecurity.nl
  • www.packetfactory.net

11
Future of IDS/IPS
  • Many security appliances ? ONE
  • IDS/IPS, SPAM, AV, Content Filtering
  • IDS will continue to loose market share
  • IPS, including malware, spyware, av are gaining
    market share
  • Security awareness is increasing
  • Attacks are getting sophisticated
  • Worms, XSS, SQL Injection, etc.

12
Your Organization
  • Whats protecting your organization?
  • Future Plans?
  • Products and vendors?
  • Evolution of security infrastructure.

13
Question
  • Question comments
Write a Comment
User Comments (0)
About PowerShow.com