Network Security: Intrusion Detection Systems

Chia sẻ: Vu Van Nghi | Ngày: | Loại File: PPT | Số trang:34

Thêm vào BST

Báo xấu

158
lượt xem 23
download

Download Vui lòng tải xuống để xem tài liệu đầy đủ

to defend company resources: not only passively by using firewalls, virtual private networks (VPNs), encryption techniques, and whatever other tricks, but also by deploying proactive tools and devices throughout the network = IDS.

Chủ đề:

Bình luận(0) Đăng nhập để gửi bình luận!

Lưu

Nội dung Text: Network Security: Intrusion Detection Systems

Network Security: Intrusion Detection Systems Vo Viet Minh Nhat Information Technology Dept. Faculty of Sciences
Agenda  Introductionto Intrusion Detection  Host-Based IDSs  Network-Based IDSs  IDS Management Communications: Monitoring the Network  Sensor Maintenance  Conclusion
Objectives  On completing this section, you will be able to Explain the main differences between the various  IDSs Describe host-based IDSs in detail  Describe network-based IDSs in detail  Explain how IDS management communication  works Describe IDS tuning  Explain how IDS maintenance works 
Introduction to defend company resources: not only  passively by using firewalls, virtual private networks (VPNs), encryption techniques, and whatever other tricks, but also by deploying proactive tools and devices throughout the network => IDS Intrusion = someone tries to break into, misuse,  or exploit a system => security policy defines what and who constitutes attempts to break into, abuse, or exploit a system.
Introduction Two types of potential intruders exist:  Outside intruders: referred to as crackers  Inside intruders: occur from within the organization  IDSs are effective solutions to detect both types  of intrusions continuously. These systems run constantly in a network, notifying network security personnel when they detect an attempt they consider suspicious.
Introduction IDSs have two main components:  IDS sensors: they can be software and hardware based used  to collect and analyze the network traffic. They are available in two varieties:  network IDS: can be embedded in a networking device, a standalone appliance, or a module monitoring the network traffic  host IDS: is a server-specific agent running on a server with a minimum of overhead to monitor the operating system IDS management: acts as the collection point for alerts and  performs configuration and deployment services for the IDS sensors in the network.
Notification Alarms  The overall purpose of IDSs is to trigger alarms when a given packet or sequence of packets seems to represent suspicious activity that violates the defined network security policy.  However, it is critical for network security personnel to configure the IDS to minimize the occurrence of false negative and false positive alarms.
Notification Alarms A false positive is a condition in which valid traffic or  a benign action causes the signature to fire. A signature is a set of events and patterns that is recognized  from a protocol-decoded packet. This set defines an alarm- firing condition when offending network traffic is seen A false negative is a condition in which a signature  is not fired when offending traffic is transmitted. when the IDS sensor does not detect and report a malicious  activity, and the system allows it to pass as nonintrusive behavior.
Notification Alarms  two main reasons for a false negative: from the sensor lacking the latest signatures.  because of a software defect in the sensor.   =>The IDS configuration should be continuously updated with new exploits and hacking techniques upon their discovery.
Notification Alarms False positive alarms occur when the IDS sensor  classifies an action or transaction as anomalous although it is actually legitimate traffic. A false alarm requires an unnecessary intervention  to analyze and diagnose the event. => try to avoid this type of situation because a large  number of false positives can significantly drain resources, and the specialized skills required for analysis are scarce and costly.
Signature-Based IDS  The signature-based IDS monitors the network traffic or observes the system and sends an alarm if a known malicious event is happening.  It does so by comparing the data flow against a database of known attack patterns.  These signatures explicitly define what traffic or activity should be considered as malicious.
Signature-Based IDS Various types of signature-based IDSs:  Simple and stateful pattern matching  Protocol decode-based analysis  Heuristic-based analysis  The pattern-matching systems look for a fixed  sequence of bytes in a single packet simple, generates reliable alerts, applicable to all protocols  any slightly modified attack leads to false negatives.  multiple signatures may be required to deal with a single  vulnerability
Signature-Based IDS  Protocol decode-based systems decode very specific protocol elements, such as header and payload size and field content and size, and analyze for Request for Comment (RFC) violations. highly specific and minimize the chance for false  positives.
Signature-Based IDS Overview of Signature-Based IDSs Pros Cons Low false positive rate (reliable Single vulnerability may require alerts) multiple signatures Simple to customize Continuous updates required Applicable for all protocols Modifications lead to misses (false negatives) Cannot detect unknown attacks Susceptible to evasion
Example of an attack against a web server
Policy-Based IDS  The policy-based IDSs (mainly host IDSs) trigger an alarm whenever a violation occurs against the configured policy. For instance, a network access policy defined in  terms of access permissions.
Policy-Based IDS Overview of Policy-Based IDS Pros Cons Low false positive rate Network administrator must (reliable alerts) design a set of policy rules from scratch Simple to customize Long deployment time
Anomaly-Based IDS The anomaly-based IDS looks for traffic that  deviates from the normal. but the definition of what is a normal network traffic  pattern is the tricky part. The anomaly-based IDS can monitor the system or  network and trigger an alarm if an event outside known normal behavior is detected. Example: the detection of specific data packets that  originate from a user device rather than from a network router.