Learn About Intrusion Detection And Prevention - Juniper Networks


Learn About Intrusion Detection and Prevention

This Learn About discusses the complex security threats businesses are facing and how the technology behind intrusion detection and prevention (IDP) can prevent attacks on business networks. Juniper Networks has offered IDP for years, and today it is implemented on thousands of business networks by the Juniper Networks SRX Series Services Gateways and Juniper Networks JSA Series Secure Analytics appliances.

Staying Open for Business

Security has long been important to network technology. But there is an increasing focus on it today because most business networks are designed to provide access to the Internet and other public networks in order to perform their core operational functions. As shown in Figure 1, a typical business network has several access points to other networks, both public and private. Thus, securing organizational networks as well as their multiple access points is now fundamentally important, if not critical, for businesses to survive.

Figure 1: The Network Today

The challenge is maintaining the security of these networks while keeping them open to their customers. And of course, the threats are constantly changing; the network-based attacks that caught your attention only yesterday can and will continue to evolve. Current attacks are sophisticated enough to thwart security systems that still operate under the assumption that a network can be secured by encryption or firewalls alone. Those technologies are still needed, but on their own they are not sufficient to counter today's attacks.

For example, Figure 2 illustrates the frequency and sophistication of cyberattacks. Today's attackers have increased knowledge and understanding of the technology, infrastructure, and systems of their victims. At the same time, the amount of knowledge an attacker needs about your network in order to launch a sophisticated attack is decreasing, because attack tooling encapsulates that expertise. The result is that sophisticated attacks are growing more common and more severe. (Source: Citi Online Academy, Digital Security: Cyber Security and Fraud Prevention)

Figure 2: Attack Sophistication vs. Intruder Technical Knowledge

While your network still needs firewalls and encryption to improve security, you also need security systems that watch your network 24 hours a day and detect suspicious activity, such as attackers gathering intelligence about your network. When these tools observe suspicious activity or events, they produce alerts for the network administrators. Often they can detect attacker activity, such as reconnaissance, even before the attack itself begins.

Intrusion detection is the process of monitoring the events occurring in your network and analyzing them for signs of possible incidents, violations, or imminent threats to your security policies. Intrusion prevention is the process of performing intrusion detection and then stopping the detected incidents. These security measures are available as intrusion detection systems (IDS) and intrusion prevention systems (IPS), which become part of your network to detect and stop potential incidents.

How Does IDP Work?

IDP constantly watches your network, identifying possible incidents and logging information about them, stopping the incidents, and reporting them to security administrators. In addition, some networks use IDP systems for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IDP systems have become a necessary addition to the security infrastructure of most organizations, precisely because they can stop attackers while they are still gathering information about your network.

Most IDPs record information and produce reports. But many IDPs can also respond to a detected threat by attempting to prevent it from succeeding. This response can use several different techniques, such as having the IDP stop the attack itself (for example, by dropping the connection), changing the security environment (for example, reconfiguring a firewall), or even changing the content of the attack (for example, removing a malicious attachment).

Figure 3 illustrates the following general components of an IDP solution (the specific network architecture differs depending on the exact type of IDP):

- Sensors or agents monitor and analyze activity on the host, node, or network (the term agent is typically used for host-based IDP technologies).
- Management servers are available either as software or as an appliance and are the core of the IDP solution. A management server:
  - Manages the agents and sensors, collects data from them, analyzes the data received, and identifies intrusion attempts.
  - Compares events from multiple management servers to see if there are correlations between triggered events (multiple servers are common in larger networks, but not required in smaller deployments).
- Database servers act as a centralized repository for event information recorded by sensors, agents, and/or management servers. Many IDPs provide support for database servers.
- The console is the administrator's program interface to the IDP system and is used to configure agents or sensors, run updates, and monitor and analyze events.

Figure 3: IDP Components

All of this observation generates a lot of data. So in addition to monitoring and analyzing events in order to identify undesirable activity, most IDP technologies archive the recorded data locally, although it might also be sent to separate systems, such as centralized logging servers, security information and event management (SIEM) solutions, or enterprise management systems. Reports summarizing monitored events and details can be provided on any event of interest. Once data is flagged as suspicious, the IDP system notifies the security administrators through e-mail, text, messages on the IDP user interface, Simple Network Management Protocol (SNMP) traps, system log messages, and user-defined programs and scripts.

Network-based IDP and host-based IDP are two different types of IDP technology, characterized by the types of events they monitor and the ways in which they are deployed, as depicted in Figure 4:

- Network-based IDP monitors network traffic for particular network segments or devices, and analyzes the network and application protocol activity to identify suspicious activity.
  - Wireless components monitor wireless network traffic and analyze it to identify suspicious activity involving the wireless networking protocols.
  - Network behavior analysis (NBA) examines network traffic to identify threats that generate unusual traffic flows, such as distributed denial-of-service (DDoS) attacks, certain forms of malware, and policy violations (for example, a client system providing network services to other systems).
- Host-based IDP monitors the characteristics of a single host, and the events occurring within that host, for suspicious activity.

Figure 4: Deploying Network-Based and Host-Based IDPs in a Network

Most IDP technologies use multiple detection methodologies, either separately or integrated, to provide wider and more accurate detection. Table 1 lists three IDP detection methodologies (signature-based, anomaly-based, and stateful protocol analysis) that are typically used to detect incidents.

Table 1: Common IDP Detection Methodologies

Signature-Based Detection
  Description: Signature-based detection compares signatures against observed events to identify possible incidents.
  Example: A telnet attempt with a root username, which is a violation of an organization's security policy; or an e-mail with "Free Pictures" in the subject line and an attachment with the filename freepics.exe, all of which are characteristics of a known form of malware.
  Notes: This is the simplest detection method because it compares only the current unit of activity (such as a packet or a log entry) to a list of signatures using string comparison operations. Because it has no notion of state, it cannot detect an attack spread across several events, and it detects only attacks for which a signature already exists.

Anomaly-Based Detection
  Description: Anomaly-based detection compares definitions of what is considered normal activity with observed events in order to identify significant deviations. An IDP using anomaly-based detection has profiles that represent the normal behavior of such things as users, hosts, network connections, or applications. The profiles are developed by monitoring the characteristics of typical activity over a period of time.
  Example: A profile for a network might show that Web activity comprises an average of 13% of network bandwidth at the Internet border during typical workday hours. The IDP then uses statistical methods to compare the characteristics of current activity to thresholds related to the profile, such as detecting when Web activity consumes significantly more bandwidth than expected, and alerts an administrator of the anomaly.
  Notes: This detection method can be very effective at spotting previously unknown threats. It is also prone to false positives when legitimate activity changes, and the profile must be built from a period in which the network is known to be free of attacks, or the attack traffic itself becomes part of "normal."

Stateful Protocol Analysis
  Description: Stateful protocol analysis compares predetermined profiles of generally accepted definitions for benign protocol activity for each protocol state against observed events in order to identify deviations. Unlike anomaly-based detection, which uses host- or network-specific profiles, stateful protocol analysis relies on vendor-developed universal profiles that specify how particular protocols should and should not be used. The "stateful" in stateful protocol analysis means that the IDP is capable of understanding and tracking the state of network, transport, and application protocols that have a notion of state.
  Example: When a user starts a File Transfer Protocol (FTP) session, the session is initially in the unauthenticated state. Unauthenticated users should only perform a few commands in this state, such as viewing help information or providing usernames and passwords. An important part of understanding state is pairing requests with responses, so when an FTP authentication attempt occurs, the IDP can determine whether it was successful by finding the status code in the corresponding response. Once the user has authenticated successfully, the session is in the authenticated state, and users are expected to perform any of several dozen commands. Performing most of these commands while in the unauthenticated state would be considered suspicious, but in the authenticated state performing most of them is considered benign.
  Notes: This analysis identifies unexpected sequences of commands, adds stateful characteristics to regular protocol analysis, and adds reasonableness checks for individual commands (for example, minimum and maximum lengths).
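The three methodologies of Table 1 as an added Python example (this is not code from the booklet or from Juniper): a signature check run over constructed log lines, an anomaly check against a constructed bandwidth profile, and a stateful tracker run over a constructed FTP exchange. The two signatures, the profile samples, the session transcript, the z-score threshold of 3 and the 256-byte argument limit are all assumptions made for the example.

```python
"""Added example, not code from the booklet or from Juniper: the three detection
methodologies of Table 1, each run over constructed sample data."""
import re
from statistics import mean, stdev

# 1. Signature-based detection. Each signature is a regex compared against one
#    unit of activity at a time (here a single log line). Signatures are constructed.
SIGNATURES = {
    "telnet-root-login": re.compile(r"telnet.*\buser=root\b"),
    "freepics-malware": re.compile(r'subject="Free Pictures".*attachment=freepics\.exe'),
}

def signature_matches(event: str) -> list:
    """Names of every signature matching this single event (empty if none)."""
    return [name for name, rx in SIGNATURES.items() if rx.search(event)]

# 2. Anomaly-based detection. A profile of normal behaviour is learned from
#    observed samples; current activity is then compared to a statistical threshold.
class BandwidthProfile:
    def __init__(self, samples, z_threshold=3.0):
        # samples: web share (%) of border bandwidth during typical workday hours.
        # The z-score threshold of 3 is an assumption for the example.
        self.mean = mean(samples)
        self.stdev = stdev(samples)
        self.z_threshold = z_threshold

    def is_anomalous(self, observed_pct: float) -> bool:
        """True when the observation deviates significantly from the profile."""
        if self.stdev == 0:
            return observed_pct != self.mean
        return abs(observed_pct - self.mean) / self.stdev > self.z_threshold

# 3. Stateful protocol analysis. Track the state of an FTP session, pair each
#    request with the server reply that answers it, and flag commands that are
#    not reasonable in the current state or fail a length check.
class FtpSessionTracker:
    ALLOWED_UNAUTHENTICATED = {"USER", "PASS", "HELP", "QUIT", "NOOP", "FEAT"}
    MAX_ARG_LEN = 256  # reasonableness check on individual commands (assumed limit)

    def __init__(self):
        self.state = "unauthenticated"
        self.pending = None      # client command awaiting the server's reply
        self.alerts = []

    def client(self, line: str) -> None:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if len(arg) > self.MAX_ARG_LEN:
            self.alerts.append(f"{verb} argument of {len(arg)} bytes exceeds {self.MAX_ARG_LEN}")
        if self.state == "unauthenticated" and verb not in self.ALLOWED_UNAUTHENTICATED:
            self.alerts.append(f"{verb} issued in unauthenticated state")
        self.pending = verb

    def server(self, line: str) -> None:
        code = line[:3]
        # A PASS only moves the session to 'authenticated' if the paired reply is 230.
        if self.pending == "PASS" and code == "230":
            self.state = "authenticated"
        elif code == "221":
            self.state = "closed"
        self.pending = None

def analyze_ftp_session(exchange) -> tuple:
    """exchange: list of (direction, line) with direction 'c2s' or 's2c'."""
    tracker = FtpSessionTracker()
    for direction, line in exchange:
        (tracker.client if direction == "c2s" else tracker.server)(line)
    return tracker.state, tracker.alerts

# Constructed sample input for all three methods.
SAMPLE_LOGS = [
    "Mar 3 10:14:02 gw sshd[412]: accepted connection from 10.0.0.7",
    "Mar 3 10:15:31 gw telnetd[503]: login attempt user=root from 203.0.113.9",
    'Mar 3 10:16:10 mx postfix: subject="Free Pictures" attachment=freepics.exe from=ext@example.net',
]
WORKDAY_WEB_PCT = [12, 13, 14, 13, 12, 14, 13]   # profile: web share averages 13%
FTP_SESSION = [
    ("c2s", "USER alice"),        ("s2c", "331 Password required for alice"),
    ("c2s", "RETR /etc/passwd"),  ("s2c", "530 Please login with USER and PASS"),
    ("c2s", "PASS hunter2"),      ("s2c", "230 Login successful"),
    ("c2s", "RETR report.pdf"),   ("s2c", "150 Opening data connection"),
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print("signature:", signature_matches(line) or "-", "|", line[:50])
    profile = BandwidthProfile(WORKDAY_WEB_PCT)
    for pct in (15, 40):
        print(f"anomaly: web traffic at {pct}% ->", profile.is_anomalous(pct))
    print("stateful:", analyze_ftp_session(FTP_SESSION))
```

Note what each method can and cannot see: the signature check flags the telnet root login and the freepics.exe mail only because a signature exists for each; the profile built from the 13% baseline flags web traffic at 40% but not at 15%; and the FTP tracker flags the RETR issued before login, while the identical RETR after the paired 230 reply is benign, which no single-event signature could decide.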

Choosing IDP Systems

IDP technologies can provide a wide array of security capabilities for your network. Look for these common, but necessary, security capabilities:

- Information gathering: Systems that identify hosts and the operating systems and applications being used, as well as identifying general characteristics of the network.
- Logging: Your IDP should perform extensive logging of data related to detected events. This data can be used to confirm the validity of alerts, investigate incidents, and correlate events between the IDP and other logging sources. Specific types of IDPs log additional data fields, such as network-based IDPs that perform packet captures and host-based IDPs that record user IDs. Your IDP should permit administrators to store logs locally and send copies of logs to centralized logging servers (for example, syslog or security information and event management software). Your IDP should also synchronize its clock using the Network Time Protocol (NTP), or through frequent manual adjustments, so that log entries have accurate timestamps and can be correlated with other sources.
- Detection: IDP technologies should offer extensive detection capabilities. The types of events detected and the accuracy of detection can vary greatly depending on the type of IDP technology being used. Most IDPs require at least some fine-tuning and customization, such as setting prevention actions to be enabled for particular alerts, to improve their detection and effectiveness.
- Prevention: Finally, most IDPs should offer multiple prevention capabilities. While the specific capabilities vary by IDP technology type, your IDP should allow administrators to specify the prevention configuration for each type of alert, including enabling or disabling prevention, as well as specifying which type of prevention capability should be used.

Juniper Networks IDP

Juniper Networks uses its SRX Series Services Gateways for intrusion detection and prevention services, and its IDP policy configuration lets you selectively enforce various attack detection and prevention techniques on the network traffic passing through your chosen SRX Series device (the IDP-enabled device). You can define policy rules to match a section of traffic based on a zone, a network, or an application, and then take active or passive preventive actions on that traffic. The SRX Series device contains a full set of IDP signatures to secure networks against attacks.

Juniper Networks regularly updates the predefined attack database and makes it available on the Juniper Networks website. This database includes attack object groups that you can use in IDP policies to match traffic against known attacks. Although you cannot create, edit, or delete predefined attack objects, you can use the CLI to update the list of attack objects that you can use in IDP policies.

The SRX Series device can forward packet capture (PCAP) data from its traffic to a Juniper Secure Analytics (JSA) appliance using the PCAP Syslog Combination Protocol. With the PCAP Syslog Combination Protocol, the JSA appliance is capable of receiving both syslog and the additional PCAP data once configured with the SRX Series.

Figure 5 shows this Juniper Networks IDP system in a very small site deployment; larger networks scale the same design. The SRX Series device provides visibility into incoming and outgoing traffic, and the JSA appliance collects events, allowing real-time streaming of events and monitoring of events through a common dashboard.

Figure 5: Small Site Deployment with a JSA Appliance

Packet capture data is forwarded to the JSA appliance on a specified port, which is separate from the port that receives forwarded syslog data. The data contained in the packet capture and the outgoing port from the SRX Series are all configured using the SRX Series user interface.

Use Case: Protect Server and Application Vulnerabilities

Let's employ a simple use case to examine how the Juniper IDP system works. Assume that Company X is hosting its own commercial website as shown in Figure 6. Traffic is sent to the SRX Series services gateway for monitoring.

Figure 6: Company X Network Overview

When the traffic passes through the SRX Series services gateway, it is discovered that the company's website is being targeted by a specific SQL injection attack, as shown in Figure 7. Packet capture provides the following details of the attack:

- The external connections are coming from the UNTRUSTED zone.
- The web server ( ) is located in our DMZ zone.
- The attack happens over TCP/80, that is, HTTP.
- The attack uses the GET method.
- The attack uses the following pattern in the request URL: form.php?q=1 UNION SELECT VERSION

Figure 7: Packet Capture

Once the attack has been spotted by the SRX Series services gateway and alerts are sent, the administrator can create a custom attack object to detect this SQL injection, as shown in Figure 8.

Figure 8: Creating a Custom Attack Object

Each rule is composed of match conditions, objects, actions, and notifications. When you define an IDP rule, you must specify the type of network traffic you want IDP to monitor for attacks by using the following characteristics: source zone, destination zone, source IP address, destination IP address, and the application-layer protocol supported by the destination IP address. The rules are defined in rulebases, and rulebases are associated with policies.

Figure 9 shows the result: the network drops the attack when the SQL injection is attempted again.

Figure 9: The Attack Is Now Known to the Network
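How a rule of the kind described in this use case is evaluated, as an added Python example (not Juniper code, and not a reproduction of Junos CLI syntax). It models the rule structure the booklet lists (source and destination zone, source and destination address, application-layer protocol, custom attack object, action and notification) and applies it to a constructed HTTP request carrying the pattern from Figure 7. The attack object name, the DMZ subnet 192.0.2.0/24, the attacker address 198.51.100.7, the return values "no-match" and "permit", and the decision to match the percent-decoded URL are assumptions made for the example; the booklet does not give the web server's address.

```python
"""Added example, not Juniper code: evaluating an IDP rule of the kind described
in the use case against a constructed HTTP request. Zones, addresses and the
attack object are modelled on the match conditions the booklet lists, not on
Junos CLI syntax."""
from dataclasses import dataclass
import ipaddress
import re
from urllib.parse import unquote_plus

@dataclass
class CustomAttack:
    name: str
    context: str          # part of the traffic the pattern is applied to
    pattern: re.Pattern
    protocol: str = "tcp"
    dest_port: int = 80
    severity: str = "major"

@dataclass
class Rule:
    from_zone: str
    to_zone: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    application: str      # application-layer protocol served by the destination
    attacks: list
    action: str           # taken on a match, e.g. "drop-connection"
    log_attacks: bool = True

@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: ipaddress.IPv4Address
    dst_ip: ipaddress.IPv4Address
    proto: str
    dport: int
    payload: bytes

# The custom attack object of Figure 8 as this example models it: match the
# UNION ... SELECT pattern of Figure 7 in the decoded URL of an HTTP request.
# Matching the decoded URL catches %20 and + encodings of the same payload.
SQLI_UNION_SELECT = CustomAttack(
    name="SQL-INJ-UNION-SELECT",   # hypothetical name
    context="http-url",
    pattern=re.compile(r"\bUNION\b.*\bSELECT\b", re.IGNORECASE),
)

# Rule: UNTRUST -> DMZ, any source, the DMZ web subnet. 192.0.2.0/24 is a
# hypothetical address block; the booklet omits the web server's address.
RULE = Rule(
    from_zone="UNTRUST", to_zone="DMZ",
    src=ipaddress.ip_network("0.0.0.0/0"),
    dst=ipaddress.ip_network("192.0.2.0/24"),
    application="http", attacks=[SQLI_UNION_SELECT],
    action="drop-connection",
)

def http_request_url(payload: bytes):
    """Return the percent-decoded URL from an HTTP request line, or None."""
    request_line = payload.split(b"\r\n", 1)[0].decode("ascii", errors="replace")
    m = re.match(r"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]$", request_line)
    return unquote_plus(m.group(2)) if m else None

def evaluate(rule: Rule, pkt: Packet) -> tuple:
    """Evaluate one packet against one rule.

    Returns ("no-match", []) when the rule's match conditions do not apply
    (the packet falls through to the next rule), ("permit", []) when the
    traffic is in scope but clean, or (rule.action, hits) on an attack match."""
    if (pkt.src_zone, pkt.dst_zone) != (rule.from_zone, rule.to_zone):
        return "no-match", []
    if pkt.src_ip not in rule.src or pkt.dst_ip not in rule.dst:
        return "no-match", []
    hits = []
    for attack in rule.attacks:
        if pkt.proto != attack.protocol or pkt.dport != attack.dest_port:
            continue
        if attack.context == "http-url" and rule.application == "http":
            url = http_request_url(pkt.payload)
            if url and attack.pattern.search(url):
                hits.append(attack.name)
    if not hits:
        return "permit", []
    if rule.log_attacks:   # notification: log the attack (syslog/SIEM in practice)
        print(f"IDP_ATTACK_LOG {pkt.src_ip}->{pkt.dst_ip}:{pkt.dport} "
              f"{','.join(hits)} action={rule.action}")
    return rule.action, hits

# Constructed traffic. 198.51.100.7 and 192.0.2.10 are documentation addresses.
ATTACK = Packet("UNTRUST", "DMZ", ipaddress.ip_address("198.51.100.7"),
                ipaddress.ip_address("192.0.2.10"), "tcp", 80,
                b"GET /form.php?q=1%20UNION%20SELECT%20VERSION HTTP/1.1\r\n"
                b"Host: www.example.com\r\n\r\n")
BENIGN = Packet("UNTRUST", "DMZ", ipaddress.ip_address("198.51.100.7"),
                ipaddress.ip_address("192.0.2.10"), "tcp", 80,
                b"GET /form.php?q=union+station HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
INTERNAL = Packet("TRUST", "DMZ", ipaddress.ip_address("10.0.0.5"),
                  ipaddress.ip_address("192.0.2.10"), "tcp", 80, ATTACK.payload)

if __name__ == "__main__":
    for label, pkt in (("attack", ATTACK), ("benign", BENIGN), ("internal", INTERNAL)):
        print(label, "->", evaluate(RULE, pkt))
```

Two points the use case glosses over show up here. First, the rule's scope matters as much as the pattern: the same injection arriving from the TRUST zone is not inspected by this rule at all and would need its own rule. Second, a pattern applied to the raw bytes would miss `UNION%20SELECT`; applying it to the decoded URL context is what makes the object match the traffic in Figure 7 regardless of encoding, while a query such as `q=union+station` still passes.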


Learn About Intrusion Detection and Prevention
by Keerthi Latha M R

Intrusion detection is the process of monitoring the events occurring in your network and analyzing them for signs of imminent threats; intrusion prevention is the process of stopping the incidents detected through intrusion detection. Together they are a formidable team blocking unwanted access to your network and reinforcing its security capabilities. Learn about these technologies and how to integrate Juniper Networks IDP Services into your network.

About the Author: Keerthi Latha M R is an Information Development Engineer at Juniper Networks with over 10 years of experience in writing and developing documentation for networking and telecommunications.

© 2016 by Juniper Networks, Inc. All rights reserved. Juniper Networks and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo and the Junos logo are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Version History: First Edition, September 2016

For more information go to the TechLibrary at: www.juniper.net/documentation

