DOCUMENT INFORMATION
Basic information
Format: (not stated)
Number of pages: 34
Size: 197.5 KB
Content
Network Security: Intrusion Detection Systems
Vo Viet Minh Nhat
Information Technology Dept., Faculty of Sciences

Agenda
- Introduction to Intrusion Detection
- Host-Based IDSs
- Network-Based IDSs
- IDS Management Communications: Monitoring the Network
- Sensor Maintenance
- Conclusion

Objectives
On completing this section, you will be able to:
- Explain the main differences between the various IDSs
- Describe host-based IDSs in detail
- Describe network-based IDSs in detail
- Explain how IDS management communication works
- Describe IDS tuning
- Explain how IDS maintenance works

Introduction
To defend company resources: not only passively, by using firewalls, virtual private networks (VPNs), encryption techniques, and whatever other tricks, but also proactively, by deploying tools and devices throughout the network => IDS.
Intrusion = someone tries to break into, misuse, or exploit a system => the security policy defines what and who constitutes an attempt to break into, abuse, or exploit a system.

Introduction
Two types of potential intruders exist:
- Outside intruders: referred to as crackers
- Inside intruders: originate from within the organization
IDSs are effective solutions to detect both types of intrusions continuously. These systems run constantly in a network, notifying network security personnel when they detect an attempt they consider suspicious.

Introduction
IDSs have two main components:
- IDS sensors: software- or hardware-based components used to collect and analyze the network traffic. They are available in two varieties:
  - Network IDS: can be embedded in a networking device, a standalone appliance, or a module monitoring the network traffic
  - Host IDS: a server-specific agent running on a server with a minimum of overhead to monitor the operating system
- IDS management: acts as the collection point for alerts and performs configuration and deployment services for the IDS sensors in the network.

Notification Alarms
The overall purpose of IDSs is to trigger alarms when a given packet or sequence of packets seems to represent suspicious activity that violates the defined network security policy. However, it is critical for network security personnel to configure the IDS to minimize the occurrence of false negative and false positive alarms.

Notification Alarms
A false positive is a condition in which valid traffic or a benign action causes a signature to fire. A signature is a set of events and patterns that is recognized from a protocol-decoded packet; this set defines an alarm-firing condition when offending network traffic is seen.
A false negative is a condition in which a signature is not fired when offending traffic is transmitted: the IDS sensor does not detect and report a malicious activity, and the system allows it to pass as nonintrusive behavior.

Notification Alarms
Two main reasons for a false negative:
- the sensor lacks the latest signatures
- a software defect in the sensor
=> The IDS configuration should be continuously updated with new exploits and hacking techniques upon their discovery.

[...] of what is a normal network traffic pattern is the tricky part. The anomaly-based IDS can monitor the system or network and trigger an alarm if an event outside known normal behavior is detected. Example: the detection of specific data packets that originate from a user device rather than from a network router.

Anomaly-Based IDS
Overview of Anomaly-Based IDS
Pros: unknown attack detection
Cons: high [...]

Network IDS versus Host IDS
Host IDSs and network IDSs are currently the most popular approaches to implement analysis technologies. A host IDS can be described as a distributed agent residing on each server of the network that needs protection. Network IDSs can be described as intelligent sniffing devices. Data (raw packets) is captured from the network by a network IDS, whereas host IDSs capture [...]
[...] attacks, and hidden attacks in encrypted packets.

Network IDS versus Host IDS
The most efficient approach is to implement network-based IDS first. It is much easier to scale and provides broad coverage of the network; less organizational coordination is required, with no or reduced host and network impact. If only a few servers need to be protected, a network administrator may want to start with [...] host-based IDS.

Evasion and Anti-Evasion Techniques
Network IDSs have a fundamental problem whereby a skilled attacker can evade the detection mechanism by exploiting ambiguities in the traffic patterns, network topology, and the IDS architecture.
- The attacker can try to evade the detection mechanism in the sensor
- The attacker can try to convince the network IDS by masking the traffic as legitimate
- The [...] protocol validation

Comparison of Host IDS and Network IDS
Host IDS, pros:
- Verification of success or failure of an attack possible
- Has a good knowledge of the host's context and, as a result, is more focused on a specific system
- Not limited by bandwidth restrictions or data encryption
Host IDS, cons:
- Operating system/platform dependent
- Not available for all operating systems
- Impact on the available resources of the host system
- Expensive to deploy one agent per host
Network IDS, pros:
- Protects all hosts on the monitored network; cost effective
- Independent [...] on the host (runs invisibly)
- Especially useful for low-level attacks (network probes and DoS attacks)
Network IDS, cons:
- Deployment is very challenging in a switched environment
- Network traffic may overload the NIDS (CPU intensive)
- Not effective [...]

Anomaly-Based IDS
Cons (continued): [...] of generated alarms; [...] networks with well-defined traffic patterns [...] is difficult

Anomaly-Based IDS
Two types of anomaly-based IDS exist:
- Statistical: statistical anomaly detection learns the traffic patterns interactively over a period of time
- Nonstatistical: in the nonstatistical approach, the IDS has a predefined configuration of the supposedly acceptable and valid traffic patterns

Network IDS [...]

Host-Based IDSs
[...] of four steps: secure the system, monitor the network, test the effectiveness of the solution, and improve the security implementation. Testing the effectiveness of the IDS host sensor is an integral part of the monitoring step.

Host-Based IDSs
A host IDS can be described as a distributed agent residing on each server of the network that monitors the network activity in real time. The host IDS detects [...] system.

Host Sensor Components and Architecture
The Intrusion Detection Host sensor has two main components:
- Secure Agent
- Secure Agent Manager

Secure Agent
The Secure Agent is a software package that runs on each individual server or workstation to protect these hosts against attacks. The IDS sensor provides real-time analysis and reaction to intrusion attempts. The host sensor processes and analyzes [...]

[...] events. In this way, real threats to the network are not visible because the IDS is unable to capture and analyze all the traffic.

Evasion and Anti-Evasion Techniques
Anti-evasion techniques can range from fragmentation alarms, packet loss alarms, and protocol decodes to tunable TCP stream reassembly options, alarm summarization, and others.

Host-Based IDSs
Network security should be seen as a continuous [...]
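The two anomaly-based approaches (statistical and nonstatistical), as an added example that is not part of the original slides: a statistical profile learned from constructed per-minute connection counts, where the threshold parameter k exposes the false-positive trade-off the Notification Alarms slides describe, beside a nonstatistical profile of predefined acceptable protocol/port pairs. All sample values and the allowed-set contents are constructed for illustration.

```python
from statistics import mean, pstdev

# Constructed training data: connections per minute seen during the learning period.
BASELINE_SAMPLES = [50, 52, 48, 51, 49, 50, 53, 47, 50, 50]

# Constructed nonstatistical profile: protocol/port pairs the policy declares valid.
ALLOWED = {("tcp", 80), ("tcp", 443), ("udp", 53)}


def learn_baseline(samples):
    """Statistical approach: derive the 'normal' profile from observed traffic."""
    return {"mean": mean(samples), "stdev": pstdev(samples)}


def statistical_alarm(observed, profile, k=3.0):
    """Fire when the observed rate lies more than k standard deviations from the
    learned mean. A smaller k catches subtler deviations but raises the
    false-positive rate; a larger k does the opposite."""
    return abs(observed - profile["mean"]) > k * profile["stdev"]


def false_positive_rate(benign_samples, profile, k):
    """Fraction of known-benign observations that would still raise an alarm,
    i.e. the false positives a given k would generate on normal traffic."""
    fired = sum(statistical_alarm(s, profile, k) for s in benign_samples)
    return fired / len(benign_samples)


def nonstatistical_alarm(proto, port, allowed=ALLOWED):
    """Nonstatistical approach: anything outside the predefined profile is an event."""
    return (proto, port) not in allowed


if __name__ == "__main__":
    profile = learn_baseline(BASELINE_SAMPLES)
    print("profile:", profile)
    print("120 conn/min, k=3:", statistical_alarm(120, profile))       # True
    print("FP rate at k=3:", false_positive_rate(BASELINE_SAMPLES, profile, 3.0))  # 0.0
    print("FP rate at k=1:", false_positive_rate(BASELINE_SAMPLES, profile, 1.0))  # 0.4
    print("tcp/23 allowed?", not nonstatistical_alarm("tcp", 23))      # False
```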
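Why tunable TCP stream reassembly is listed among the anti-evasion techniques, as an added example that is not from the slides: a constructed signature token is split across TCP segments that arrive out of order (with one retransmission); a sensor matching each packet on its own reports nothing (a false negative), while the same signature fires once the stream is reassembled. The signature string, sequence numbers and payloads are all constructed.

```python
import re
from dataclasses import dataclass

# Constructed signature: a placeholder token standing in for a real IDS rule pattern.
SIGNATURE = re.compile(rb"ATTACK-TOKEN-1234")

@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes

def match_per_packet(segments):
    """Naive sensor: inspects each segment in isolation, so a pattern split
    across a segment boundary is never seen (a false negative)."""
    return any(SIGNATURE.search(s.payload) is not None for s in segments)

def reassemble(segments, isn):
    """Rebuild the contiguous byte stream from the initial sequence number.
    Out-of-order segments are sorted; bytes already covered (retransmissions,
    overlaps) are skipped, first-seen-wins; a hole stops reassembly because
    bytes beyond it cannot be placed yet."""
    stream = bytearray()
    expected = isn
    for seg in sorted(segments, key=lambda s: s.seq):
        if seg.seq > expected:
            break                   # gap: wait for the missing segment
        skip = expected - seg.seq   # bytes of this segment already in the stream
        if skip < len(seg.payload):
            stream += seg.payload[skip:]
            expected = seg.seq + len(seg.payload)
    return bytes(stream)

def match_reassembled(segments, isn):
    """Sensor with TCP stream reassembly: inspects the reconstructed stream."""
    return SIGNATURE.search(reassemble(segments, isn)) is not None

# Constructed traffic: the token is split across three segments that arrive
# out of order, and one segment is retransmitted.
ISN = 1000
SEGMENTS = [
    Segment(1033, b"34 HTTP/1.0\r\n"),
    Segment(1000, b"GET /index.html?q=AT"),
    Segment(1020, b"TACK-TOKEN-12"),
    Segment(1020, b"TACK-TOKEN-12"),   # duplicate (retransmission)
]

if __name__ == "__main__":
    print("per-packet:", match_per_packet(SEGMENTS))          # False: missed
    print("reassembled:", match_reassembled(SEGMENTS, ISN))   # True: detected
```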