Title: Concepts of Network Security and Intrusion Detection
Concepts of Network Security and Intrusion Detection
- Jianhua Yang
- Department of Math Computer Science
- University of Maryland Eastern Shore
Goals
- Network Security
- Intrusion Detection
3.1 What is Network Security?
- Security is a continuous process of protecting an object from attack.
- Object
- A person
- Organization, or
- A computer system or a file.
Computer System
- Its security involves all its resources
- Physical resources
- Reader, printers, CPU, monitor, memories, ...
- Non-physical resources
- Data
- File information
Distributed computer system
- The protection covers
- Communication channels
- Network connectors
- Modems, bridges, switches, routers, servers
- Network file system
In General, security
- Means preventing unauthorized access, use, alteration, and theft or physical damage to the resources
- Involves three elements
- Confidentiality: to prevent unauthorized disclosure of information to third parties.
- Integrity: to prevent unauthorized modification of resources and maintain the status
- Availability: to prevent unauthorized withholding of system resources from those who need them when they need them
Some basic concepts and methods
- Prevention: is the process of trying to stop intruders from gaining access to the resources of the system
- Detection: occurs when the intruder has succeeded or is in the process of gaining access to the system
- Response: is an aftereffect mechanism that tries to respond to the failure of prevention and detection
- Firewalls: A firewall is hardware or software used to isolate the sensitive portions of an information system facility from the outside world and limit the potential damage that can be done by a malicious intruder.
- Passwords: A password is a string of usually six to eight characters, with restrictions on length and start character, to verify a user to an information system facility, usually a computer system.
Security Services
- The prevention of unauthorized access to system resources is achieved through a number of security services.
- They include
- Access control
- Authentication
- Confidentiality
- Integrity
- Non-repudiation
Access control
- Hardware access control systems
- Access terminal
- Visual event monitoring
- Identification cards
- Biometric identification
- Video surveillance
- Software access control systems
- Point of access monitoring
- Remote monitoring
Authentication
- It is a service to identify a user, especially a remote user.
- It is a process whereby the system gathers and builds up information about the user to ensure the user is genuine.
- It is based on
- Username and password
- Retinal images
- Face images
- Fingerprints
- Physical location
- Identity cards
- Typing mode
Authentication Techniques
- Kerberos: It is a key management scheme that authenticates unknown principals who want to communicate with each other.
- IPSec: It provides the capability to ensure security of data in a communication network. It makes all the Internet applications including client/server, e-mail, file transfer, and web access secure.
- SSL (secure sockets layer): It ends up with a secret key that both the client and server use for sending encrypted messages.
- S/Key: It is a one-time password scheme based on a one-way hash function.
- ANSI X9.9: It is a U.S. banking standard for authentication of financial transactions.
- ISO 8730
- Indirect OTP (one time password)
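The one-way hash chain behind an S/Key-style one-time password, as an added example that is not part of the original slides. SHA-256 stands in for the hash function, and the `OtpServer` class, the seed and the chain length are assumptions made for illustration.

```python
import hashlib
import hmac

def h(value: bytes) -> bytes:
    # One-way hash; SHA-256 is a stand-in chosen for this example.
    return hashlib.sha256(value).digest()

def chain(seed: bytes, n: int) -> bytes:
    """Return h applied n times to seed."""
    for _ in range(n):
        seed = h(seed)
    return seed

class OtpServer:
    """Hypothetical verifier: stores only the last accepted chain value."""

    def __init__(self, top: bytes, n: int):
        self.stored = top          # h^n(seed); the seed never reaches the server
        self.remaining = n - 1     # usable passwords: h^(n-1) ... h^1

    def verify(self, otp: bytes) -> bool:
        if self.remaining == 0:
            return False           # chain used up, a new seed must be enrolled
        if not hmac.compare_digest(h(otp), self.stored):
            return False           # wrong or replayed password
        self.stored = otp          # the next login must hash to this value
        self.remaining -= 1
        return True

def demo():
    seed = b"constructed passphrase + salt"    # sample secret, user side only
    n = 4
    server = OtpServer(chain(seed, n), n)
    first = server.verify(chain(seed, n - 1))    # accepted
    replay = server.verify(chain(seed, n - 1))   # sniffed value reused: rejected
    second = server.verify(chain(seed, n - 2))   # next value down the chain
    return first, replay, second

if __name__ == "__main__":
    print(demo())
```

A password captured on the wire is useless afterwards, because producing the next one means inverting the hash.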
Confidentiality
- It is a service to protect system data and information from unauthorized disclosure.
- Encryption protects the communication channel from sniffers.
- Sniffers are programs written for and installed on the communication channels to eavesdrop on network traffic, examining all traffic on selected network segments.
Integrity
- It is a service to protect data against active threats such as those that may alter it.
- Hashing algorithms
Non-repudiation
- It is a security service that provides proof of origin and delivery of service and/or information.
- Digital signature
Security Standards
- Security organizations
- Security standards
Security Organizations
- IETF: Internet Engineering Task Force
- IEEE: Institute of Electronic and Electric Engineer
- ISO: International Standards Organization
- ITU: International Telecommunications Union
- ECBS: European Committee for Banking Standards
- ECMA: European Computer Manufacturers Association
- NIST: National Institute of Standards and Technology
- W3C: World Wide Web Consortium
- RSA: Rivest, Shamir and Adleman
Security Standards - Organizations
- IETF: IPSec, XML-Signature, Kerberos, S/MIME
- ISO: OSI
- ITU: X.2xx, X.5xx, X.7xx, X.80xx
- ECBS: TR-40x
- ECMA: ECMA-13x, ECMA-20x
- NIST: X3, X9.xx Financial, X12.xx Electronic Data Exchange
- IEEE: IEEE802.xx
- RSA: Public Key Cryptographic Standard
- W3C: XML Encryption, XML Signature, XKMS (eXtensible Key Management Specification)
Security Standards - Services
- Internet security
- Digital signature and encryption
- Login and authentication
- Firewall and system security
Internet Security
- Network authentication
- Kerberos
- Secure TCP/IP communications over the Internet
- IPSec
- Privacy-enhanced electronic mail
- S/MIME, PGP
- Public key cryptography
- 3-DES, DSA, RSA, MD-5, SHA-1, PKCS
- Secure hypertext transfer protocol
- S-HTTP
- Security protocol for privacy on Internet/transport security
- SSL, TLS, SET
Digital Signature and Encryption
- Advanced Encryption Standards
- X509, DES, AES, DSS/DSA, SHA/SHS
- Digital certificates/XML digital signatures
- XMLDSIG, XMLENC, XKMS
Login and Authentication
- Authentication of users' right to use system or network resources
- SAML
- Liberty Alliance
- FIPS 112
Firewall and system security
- Security of local, wide and metropolitan area networks
- Secure Data Exchange (SDE) for IEEE 802
- ISO/IEC 10164
3.2 Intrusion Detection and Prevention
- Definition of ID
- Intrusion Detection Systems (IDS)
- Types of IDS
- Response to System Intrusion
- Challenges to IDS
- Intrusion Prevention Systems (IPS)
- Intrusion Detection Tools
Definitions
- Intrusion Detection
- It is a technique of detecting unauthorized access to a computer system or a computer network.
- Intrusion Prevention
- It is the art of preventing unauthorized access to a system's resources.
The Types of Intrusion
- Attempted break-ins
- Masquerade attacks
- Penetrations
- Denial of service
- Malicious use
System Intrusion Process
- Reconnaissance
- Information collection and weak points analysis
- Physical Intrusion
- Attack
- Denial of service (DoS): the intruder attempts to crash a service, overload network links, overload CPU, or fill up the disk.
- Common DoS
- Ping-of-Death
- SYN Flooding
- Land/Latierra
- WinNuke
Land/Latierra, WinNuke
- Land/Latierra
- Sends a forged SYN packet with identical source/destination address/port so that the system goes into an infinite loop trying to complete the TCP connection.
- WinNuke
- Sends URG data on a TCP connection to port 139 (for NetBIOS session), which causes the Windows system to hang.
Intrusion Detection Systems
- What is an IDS?
- An IDS is a system used to detect unauthorized intrusions into computer systems and networks.
Three Models
- Anomaly-based detection
- Signature-based detection
- Hybrid detection
Anomaly detection
- Creating norms of activities
- Collecting current activity
- Comparing the current activity with the norm
- Determining from the comparison result whether there is an intrusion
Problems
- Not efficient
- Easy to introduce false positive error
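The four anomaly-detection steps applied to SYN-packet counts, as an added example that is not part of the original slides. The baseline, the observations, the "mean plus k standard deviations" rule and all function names are assumptions made for illustration; the sample includes a legitimate burst to show how a false positive arises.

```python
from statistics import mean, stdev

# Constructed sample: inbound TCP SYN packets per minute under normal load.
BASELINE = [42, 38, 51, 45, 40, 47, 44, 39, 50, 43]

# Constructed current activity: (minute, SYN count, what really happened).
CURRENT = [
    ("10:01", 46, "normal"),
    ("10:02", 49, "normal"),
    ("10:03", 2900, "SYN flood"),
    ("10:04", 120, "normal"),      # legitimate burst of new connections
]

def build_norm(samples):
    """Step 1: summarise normal activity as (mean, standard deviation)."""
    return mean(samples), stdev(samples)

def is_anomalous(count, norm, k=3.0):
    """Steps 3 and 4: compare with the norm and decide."""
    mu, sigma = norm
    return count > mu + k * sigma

def detect(current, norm, k=3.0):
    """Step 2 onward: walk the collected activity and return flagged minutes."""
    return [minute for minute, count, _ in current
            if is_anomalous(count, norm, k)]

def false_positives(current, alerts):
    """Flagged minutes whose ground truth was normal activity."""
    return [minute for minute, _, truth in current
            if minute in alerts and truth == "normal"]

if __name__ == "__main__":
    norm = build_norm(BASELINE)
    alerts = detect(CURRENT, norm)
    print("alerts:", alerts)
    print("false positives:", false_positives(CURRENT, alerts))
    print("alerts with k=20:", detect(CURRENT, norm, k=20))
```

Raising `k` silences the false alarm at 10:04 in this sample, at the cost of missing smaller real deviations.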
Misuse detection
- Signature-based detection
- Each intrusive activity is represented by a unique pattern or a signature
- New activity can be compared with existing pattern
Problems
- Cannot detect unknown attacks
- Easy to introduce false negative errors
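Signature matching for the Land/Latierra and WinNuke patterns described earlier, as an added example that is not part of the original slides. The packet records are constructed (documentation address ranges), and the dictionary layout and function names are assumptions. The last record belongs to an attack with no signature in the set, which is the false-negative case.

```python
SYN, PSH, ACK, URG = 0x02, 0x08, 0x10, 0x20    # TCP flag bits

def is_land(p):
    """SYN whose source address/port equals its destination address/port."""
    return (bool(p["flags"] & SYN)
            and p["src"] == p["dst"] and p["sport"] == p["dport"])

def is_winnuke(p):
    """URG data sent to the NetBIOS session port 139."""
    return bool(p["flags"] & URG) and p["dport"] == 139

SIGNATURES = {"Land/Latierra": is_land, "WinNuke": is_winnuke}

def match(packet):
    """Return the names of all signatures the packet matches."""
    return [name for name, rule in SIGNATURES.items() if rule(packet)]

# Constructed TCP packet records; "truth" is the ground-truth label.
PACKETS = [
    {"src": "192.0.2.10", "sport": 139, "dst": "192.0.2.10", "dport": 139,
     "flags": SYN, "truth": "Land/Latierra"},
    {"src": "198.51.100.7", "sport": 40112, "dst": "192.0.2.10", "dport": 139,
     "flags": PSH | ACK | URG, "truth": "WinNuke"},
    {"src": "198.51.100.7", "sport": 40113, "dst": "192.0.2.10", "dport": 443,
     "flags": SYN, "truth": "normal"},
    # One SYN out of a flood: no per-packet signature in the set covers it.
    {"src": "203.0.113.5", "sport": 1025, "dst": "192.0.2.10", "dport": 80,
     "flags": SYN, "truth": "SYN flood"},
]

def missed(packets):
    """Attacks that matched no signature (false negatives)."""
    return [p["truth"] for p in packets
            if p["truth"] != "normal" and not match(p)]

if __name__ == "__main__":
    for p in PACKETS:
        print(p["truth"], "->", match(p) or "no match")
    print("missed:", missed(PACKETS))
```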
Types of IDSs
- Network-based IDS (NIDSs)
- Host-based IDS (HIDS)
NIDSs
- They take the whole network as the monitoring scope
- They monitor the traffic on the network to detect intrusions
- They are mainly for outside attackers
Components of a NIDS
- Network sensor
- Analyzer
- Alert notifier
- Response system
Advantages of NIDSs
- The ability to detect attacks that a HIDS would miss because a NIDS monitors the network at the transport layer.
- Difficulty of removing evidence.
- Real-time detection and response.
- Ability to detect unsuccessful attacks and malicious intent.
Disadvantages
- Blind spots
- Encrypted data
HIDSs
- Detect intrusions based on the information of a single target computer
- The information includes system, event, and security logs on Windows and syslog in Unix environments
- Focus on inside attacks
Advantages
- Ability to verify success or failure of an attack quickly
- Efficiency
- Near real-time detection and response
- Ability to deal with encrypted environments
Disadvantages
- Limited view of the network
- It is not possible for large deployment
Stepping-stone intrusion
Intrusion Detection Tools
- Realsecure v3.0 (ISS)
- Net Perver 3.1 (Axent Technologies)
- Net Ranger v2.2 (CISCO)
- FlightRemohe v2.2 (NFR Network)
- Sessi-Wall-3 v4.0 (Computer Associates)
- Kane Security Monitor (Security Dynamics)
Summary
- Concepts of Network Security
- Basics of IDSs