IDS/IPS
TAPAN KUMAR KHILAR
What is an Intrusion?
An intrusion is somebody attempting to break into or
misuse your system. The word “misuse” can reflect
something as severe as stealing confidential data or something
as minor as misusing your email system for spam.
Intrusion can be defined as any set of actions that attempt
to compromise the integrity, confidentiality or availability of
a resource.
In the context of information systems, intrusion refers to any
unauthorized access, unauthorized attempt to access or
damage, or malicious use of information resources.
WHO ARE INTRUDERS?
• Outsiders. Intruders from outside the
network. They may attempt to go around
the firewall to attack machines on the
internal network.
• Insiders. Intruders that legitimately
use your internal network. These include
users who misuse privileges or who
impersonate higher privileged users.
HOW DO INTRUDERS GET INTO
THE SYSTEM?
• Physical intrusion.
• System intrusion.
• Remote intrusion.
WHAT IS AN INTRUSION
DETECTION SYSTEM?
• The main function of an IDS is to warn
about suspicious activity taking place, but
not to prevent it.
• An IDS specifically looks for suspicious
activity and events that might be the result
of a virus, worm or hacker.
Intrusion Detection Systems (IDS)
IDS are designed to detect security breaches.
IDS are designed to aid in mitigating damage caused by hacking.
Basic intent behind IDS: spot something suspicious on the
network/system and sound an alarm.
May look for data bits that indicate questionable activity or
monitor system logs.
Events that sound the alarm may not be an intrusion; any
abnormal activity may trigger it, depending on configuration.
Intrusion Detection Systems (IDS)
All IDS have three things in common:
Sensors: collect traffic and user activity data and send them to the
analyzer.
Analyzer: Looks for suspicious activity.
Administrator Interface: If analyzer detects suspicious
activity, sends an alert to the Admin Interface.
Intrusion Detection Systems (IDS)
Why use an IDS:
To detect attacks and other security violations that are not
prevented by other security measures,
To detect and deal with the preambles to attacks (commonly
experienced as network probes and other “doorknob rattling”
activities),
To document the existing threat to an organization
To act as quality control for security design and administration,
especially of large and complex enterprises
To provide useful information about intrusions that do take
place, allowing improved diagnosis, recovery, and correction of
causative factors.
Intrusion Detection Systems (IDS)
IDS can be configured for:
Watch for attacks
Parse audit logs
Terminate a connection
Alert an admin as attacks are happening
Protect system files
Expose a hacker’s techniques
Throw up vulnerabilities that need to be addressed
Possibly help to track down hackers
Two main types of IDS:
NIDS
HIDS
Network Intrusion Detection Systems (NIDS)
Uses sensors to monitor all network traffic.
Cannot see the activities within the computer itself.
Host based Intrusion Detection Systems (HIDS)
Installed on individual workstations / servers.
Watches for abnormal activity.
NIDS understands and monitors network traffic; HIDS monitors
only the computer on which it is installed.
Generally, HIDS is installed on critical servers only, due to administrative
overheads.
Types of HIDS/NIDS
Signature based
Pattern matching
Stateful matching
Anomaly based
Statistical anomaly based
Protocol anomaly based
Traffic anomaly based
Rule based
Types of HIDS/NIDS
Knowledge or Signature based IDS
Knowledge is gained by sensors about how specific attacks are
carried out.
Each identified attack has a signature.
Eg of a signature:
A packet having the same source and destination address (Land
Attack).
A TCP header of a packet in which all flags are set to 1 (Xmas
attack).
Once these types of attack were discovered, vendors wrote signatures
that look specifically for packets with the same source and destination
addresses or with all TCP header flags set to 1.
Types of HIDS/NIDS
Knowledge or Signature based IDS
Most popular IDS today.
Effectiveness depends on regularly updating signature database.
May not be able to uncover new types of attacks.
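The two signatures on the previous slides (Land: same source and destination address; Xmas: all TCP flag bits set) as a small signature matcher over raw IPv4/TCP headers. This is an added example, not code from the original deck; the packets are constructed in the block and the Packet record, build_packet helper and signature names are assumptions for illustration.

```python
"""Signature-based NIDS check for the Land and Xmas signatures described in the deck."""
import struct
from dataclasses import dataclass

# TCP flag bits (low bits of the 16-bit data-offset/flags word).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_SIX_FLAGS = FIN | SYN | RST | PSH | ACK | URG


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int  # TCP flags as a bit mask


def parse_ipv4_tcp(raw: bytes) -> Packet:
    """Parse the fields the signatures need from an IPv4 header followed by a TCP header."""
    version, ihl = raw[0] >> 4, (raw[0] & 0x0F) * 4
    if version != 4:
        raise ValueError("not IPv4")
    if raw[9] != 6:
        raise ValueError("not TCP")
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    tcp = raw[ihl:ihl + 20]
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return Packet(src, dst, sport, dport, off_flags & 0x01FF)


# Knowledge base: (signature name, predicate). Names are illustrative.
SIGNATURES = [
    ("LAND", lambda p: p.src == p.dst),                            # same src and dst address
    ("XMAS", lambda p: (p.flags & ALL_SIX_FLAGS) == ALL_SIX_FLAGS),  # every flag bit set to 1
]


def match_signatures(pkt: Packet) -> list:
    """Return the names of all signatures the packet matches (empty list = no alert)."""
    return [name for name, pred in SIGNATURES if pred(pkt)]


def build_packet(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Construct a raw IPv4+TCP packet for testing only (checksums left at zero)."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, src_b, dst_b)
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0)
    return ip + tcp


def scan(raw_packets) -> list:
    """Run every captured packet through the signature set; return (index, src, matches)."""
    alerts = []
    for i, raw in enumerate(raw_packets):
        pkt = parse_ipv4_tcp(raw)
        hits = match_signatures(pkt)
        if hits:
            alerts.append((i, pkt.src, hits))
    return alerts


# Constructed capture: a normal SYN, a Land packet, an Xmas packet, and one that is both.
CAPTURE = [
    build_packet("10.0.0.9", "10.0.0.5", 40000, 22, SYN),
    build_packet("10.0.0.5", "10.0.0.5", 80, 80, SYN),
    build_packet("10.0.0.9", "10.0.0.5", 40001, 22, ALL_SIX_FLAGS),
    build_packet("10.0.0.5", "10.0.0.5", 80, 80, ALL_SIX_FLAGS),
]

if __name__ == "__main__":
    for alert in scan(CAPTURE):
        print(alert)
```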
Types of HIDS/NIDS
State based IDS
What is a state?
Every change that an OS experiences (user log on, opening of
applications, user data input, etc.) is a state transition.
This happens continuously in any system.
So again, what is a state?
A snapshot of an OS’s values in volatile and non-volatile memory
locations.
In a state based IDS:
Initial state is the state prior to attack execution.
Compromised state is the state after successful penetration.
The IDS has rules as to which state transitions should trigger
alarm.
Types of HIDS/NIDS
An example of State based IDS
• A remote user connects to a system.
• Sends data to an application (data exceeds the allotted buffer for this
empty variable).
• The data is executed and overwrites the buffer and possibly
other memory segments.
• Malicious code executes.
A state based IDS looks for activity between the initial and
compromised state and sends an alert if any state transition
sequence matches its preconfigured rules.
Requires frequent signature updates.
Types of HIDS/NIDS
Statistical Anomaly based IDS
A behavior based system (also called heuristic IDS).
Does not use a signature database.
Initially put in a learning mode wherein the IDS learns the ‘normal’
network activities.
The longer it is in learning mode, the more accurate the profile of a
normal state that is built up.
After a profile is built, all future activities are compared to this
‘normal’ profile.
If an activity exceeds a predefined ‘normal’ threshold, the alert is
triggered.
Types of HIDS/NIDS
Statistical Anomaly based IDS - Benefits
Can react to zero-day attacks.
Also capable of detecting low and slow attacks.
Statistical Anomaly based IDS – Problems
May provide an overwhelming number of false positives.
If an attacker discovers an IDS on a network, he will try to determine its type so
that he can circumvent it.
With a behavior based IDS, the attacker will try to blend his activities
into the ‘normal’ network usage.
If an attack was under way while the IDS was in learning mode,
that attack will never be detected.
Sends generic alerts compared to the specific alerts thrown up by a
signature based IDS.
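The learning mode and threshold from the previous slide, and the "attack under way during learning" problem from this one, as an added example that is not part of the original deck. The profile here is a mean plus k standard deviations over per-minute connection counts; the counts and the host are constructed, and the k=3 threshold is an assumption.

```python
"""Statistical anomaly detection: learn a 'normal' profile, then alert on threshold breaches."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Profile:
    mean: float
    stdev: float
    k: float  # how many standard deviations above the mean still counts as 'normal'

    @property
    def threshold(self) -> float:
        return self.mean + self.k * self.stdev


def learn(samples, k: float = 3.0) -> Profile:
    """Learning mode: build the 'normal' profile from observed connections-per-minute."""
    if len(samples) < 2:
        raise ValueError("need at least two observations to build a profile")
    return Profile(mean(samples), pstdev(samples), k)


def is_anomalous(profile: Profile, value: float) -> bool:
    """Detection mode: the alert fires when an observation exceeds the learned threshold."""
    return value > profile.threshold


def detect(profile: Profile, stream) -> list:
    """Return (minute_index, value) for every observation that trips the threshold."""
    return [(i, v) for i, v in enumerate(stream) if is_anomalous(profile, v)]


# Constructed data: connections per minute from one host during a quiet learning window.
NORMAL_LEARNING = [18, 22, 20, 19, 23, 21, 20, 24, 19, 22, 21, 20]
# The same window, but a flood was already under way for its second half.
CONTAMINATED_LEARNING = NORMAL_LEARNING[:6] + [180, 200, 190, 210, 195, 205]
# Detection-mode observations: normal rates, then a two-minute flood, then normal again.
DETECTION_STREAM = [21, 19, 22, 200, 198, 20]

if __name__ == "__main__":
    clean = learn(NORMAL_LEARNING)
    print(f"clean threshold={clean.threshold:.1f} alerts={detect(clean, DETECTION_STREAM)}")
    bad = learn(CONTAMINATED_LEARNING)
    # The flood was 'learned' as normal, so the same stream produces no alert at all.
    print(f"contaminated threshold={bad.threshold:.1f} alerts={detect(bad, DETECTION_STREAM)}")
```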
Types of HIDS/NIDS
Statistical Anomaly based IDS
Strength of this IDS lies in determining actual thresholds of normal
activity.
Once an attack is identified, the IDS can:
Send an alert to the admin’s console.
Send an email to a preconfigured address.
Kill the connection of the detected attack.
Reconfigure a router/firewall to stop any further similar
attacks.
Types of HIDS/NIDS
Protocol Anomaly based IDS
These IDS have specific knowledge of each protocol they will
monitor.
A protocol anomaly pertains to the format and behavior of a
protocol.
The IDS builds a model of each protocol’s ‘normal’ usage.
Eg of protocol anomaly:
Data Link Layer: ARP attack where bogus data is inserted in an
ARP table.
Network Layer: ICMP can be used in a Loki attack to move data from
one place to another.
Types of HIDS/NIDS
Traffic Anomaly based IDS
Detects changes in network traffic patterns.
Traffic patterns may change during DoS attacks or when a new
service is introduced on the network.
The IDS learns the normal traffic pattern and sets a threshold.
Zero-day attacks can be detected.
Types of HIDS/NIDS
Rule based IDS
A signature based IDS is very straightforward –
if a packet has the same source/destination address, send an alert.
A statistical anomaly based IDS is also straightforward –
X logs in to his system at 8 AM and logs off at 5 PM every day. If he
logs on at 10 PM, it is an anomaly and an alert is sent.
Rule based IDS are generally used in expert systems (Artificial
Intelligence).
An expert system has:
A knowledge base
An inference engine
Rule based programming.
Types of HIDS/NIDS
Rule based IDS
Rule based programming refers to - IF situation THEN action.
The rules are applied to facts (data that comes in from a sensor).
A rule based IDS gathers data from sensors/logs, and the inference
engine applies its pre-programmed rules to it. If the characteristics of
the rule are met, an alert is triggered.
Eg of a rule based IDS:
IF a root user creates file1 AND creates file2 SUCH THAT they are in the
same directory AND the root user opens tool1 TRIGGER send alert.
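The expert-system structure from these two slides (knowledge base of IF/THEN rules, inference engine, facts from a sensor) with the slide's own rule as the knowledge base. Added example, not code from the original deck; the "user action path" sensor log format, the Fact record and the rule name are assumptions, and the log lines are constructed.

```python
"""A tiny rule-based IDS: an inference engine applies IF/THEN rules to sensor facts."""
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PurePosixPath


@dataclass(frozen=True)
class Fact:
    user: str
    action: str  # "create" or "open"
    path: str


def parse_sensor_log(text: str) -> list:
    """Facts arrive from the sensor as 'user action path' lines (constructed format)."""
    facts = []
    for line in text.strip().splitlines():
        user, action, path = line.split()
        facts.append(Fact(user, action, path))
    return facts


def rule_root_files_then_tool(facts, tool: str = "tool1") -> bool:
    """IF root creates file1 AND file2 SUCH THAT both are in the same directory
    AND root opens tool1. The THEN part (send alert) is handled by the engine."""
    created_per_dir = defaultdict(set)
    opened_tool = False
    for f in facts:
        if f.user != "root":
            continue
        if f.action == "create":
            created_per_dir[str(PurePosixPath(f.path).parent)].add(f.path)
        elif f.action == "open" and PurePosixPath(f.path).name == tool:
            opened_tool = True
    return opened_tool and any(len(files) >= 2 for files in created_per_dir.values())


# Knowledge base: (rule name, IF-condition). Rule names are illustrative.
KNOWLEDGE_BASE = [("ROOT_FILES_THEN_TOOL1", rule_root_files_then_tool)]


def infer(facts, rules=KNOWLEDGE_BASE) -> list:
    """Inference engine: fire every rule whose IF part holds; return the alerts to send."""
    return [f"ALERT {name}" for name, condition in rules if condition(facts)]


# Constructed sensor logs.
MATCHING_LOG = """
root create /tmp/stage/file1
root create /tmp/stage/file2
root open /usr/local/bin/tool1
"""
DIFFERENT_DIRS_LOG = """
root create /tmp/stage/file1
root create /var/tmp/file2
root open /usr/local/bin/tool1
"""
NO_TOOL_LOG = """
root create /tmp/stage/file1
root create /tmp/stage/file2
alice open /usr/local/bin/tool1
"""

if __name__ == "__main__":
    for label, log in [("match", MATCHING_LOG), ("dirs", DIFFERENT_DIRS_LOG), ("tool", NO_TOOL_LOG)]:
        print(label, infer(parse_sensor_log(log)))
```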
IDS
Placement of sensors
Outside the firewall – to detect attacks
Inside the firewall – to detect actual intrusions
Highly sensitive subnets
DMZs
Network traffic:
Every vendor’s IDS product has a threshold.
If network traffic exceeds the threshold, not all packets may be examined
and attacks may go unnoticed.
In high traffic environments multiple sensors are required to
ensure all packets are investigated.
WHAT IS IPS?
• Intrusion Prevention System (IPS) is any
device (hardware or software) that has the
ability to detect attacks, both known and
unknown, and prevent the attack from being
successful.
Intrusion Prevention Systems (IPS)
The bad guys are always one step ahead of the security
professionals.
Security professionals try to come up with innovative means to
detect and prevent attacks.
IPS is a preventive device rather than a detective device (IDS).
An IPS combines the preventive action of a firewall with the in-depth
packet analysis function of an IDS.
CLASSIFICATION OF IPS
• Broadly classified into two categories
– Host IPS (HIPS)
– Network IPS (NIPS)
HOST-IPS
• HIPS is installed directly on the system
being protected.
• It binds closely with the operating system
kernel and services; it monitors and
intercepts system calls to the kernel in
order to prevent attacks as well as log
them.
• It prevents the system from generic
attacks for which no “signature” yet
exists.
NETWORK-IPS
• Has two network interfaces, one designated
as internal and one as external.
• Packets pass through both interfaces and
the NIPS determines whether the packet being
examined poses a threat.
• If it detects a malicious packet, an alert is
raised and the packet is discarded
immediately. Legitimate packets are passed
through to the second interface and on to
their intended destination.
TYPES OF IPS
• Inline network intrusion protection
systems.
• Layer seven switches.
• Application firewalls.
• Hybrid switches.
• Deceptive applications.
INLINE NETWORK IPS
• It is configured with two NICs, one for
management and one for detection.
• The NIC that is configured for detection usually does
not have an IP address assigned.
• It works by sitting between the systems that need
to be protected and the rest of the network.
• It inspects the packet for any vulnerabilities that
it is configured to look for.
[Diagram slide: INLINE NETWORK IPS – packet scrubbing]
LAYER SEVEN SWITCHES
• Placing these devices in front of your
firewalls would give protection for the entire
network.
• However, the drawback is that they can
only stop attacks that they know about.
• The only attack they can stop that most
other IPSs can’t are DoS attacks.
[Diagram slide: LAYER SEVEN SWITCHES]
APPLICATION FIREWALLS
• These IPSs are loaded on each server that is to be
protected.
• These types of IPSs are customizable to each
application that they are to protect.
• It profiles a system before protecting it. During the
profiling it watches the user’s interaction with the
application and the application’s interaction with the
operating system to determine what legitimate
interaction looks like.
• The drawback is that when the application is updated
it might have to be profiled again so that it does not
block legitimate use.
HYBRID SWITCHES
• They inspect specific traffic for malicious
content as has been configured.
• A hybrid switch works in a similar manner to a layer
seven switch, but has detailed knowledge of the
web server and the application that sits on top
of the web server.
• It also fails if the user’s request does not
match any of the permitted requests.
[Diagram slide: HYBRID SWITCHES]
DECEPTIVE APPLICATIONS
• It watches all your network traffic and figures out
what is good traffic.
• When an attacker attempts to connect to services
that do not exist, it will send back a response to
the attacker.
• The response will be “marked” with some bogus
data. When the attacker comes back again and
tries to exploit the server the IPS will see the
“marked” data and stop all traffic coming from the
attacker.
Honeypots
A system set up as a sacrificial lamb on a network.
Not locked down.
Modified operational data is kept on the system to lure hackers to this
system rather than to an actual operational system.
Enables the admin to know what types of attacks are occurring.
May also help to track down an intruder.
The more time the hacker spends on a honeypot, the more information can
be gained about his techniques.
Honeypots
Legal issues with a honeypot
Enticement versus entrapment.
THANK YOU
