Security Technology: Intrusion Detection and Prevention Systems, and Other Security Tools


Security Technology: Intrusion Detection and Prevention Systems, and Other Security Tools
Presented by Anjalee Muraleedharan, Asst. Professor, Dept. of Computer Science, Al-Ameen College, Edathala.

INTRODUCTION
- Protection of an organization's assets relies as much on managerial controls as on technical safeguards.
- Properly implemented technical solutions, guided by policy, are essential to an information security program.
- Advanced technologies can be used to enhance the security of information assets.

INTRUSION DETECTION AND PREVENTION SYSTEMS
- An intrusion occurs when an attacker attempts to gain entry into, or disrupt the normal operations of, an organization's information systems.
- Intrusion prevention consists of activities that deter an intrusion.
- Intrusion detection consists of procedures and systems that identify system intrusions.
- Intrusion reaction encompasses the actions an organization undertakes when an intrusion event is detected.

INTRUSION DETECTION AND PREVENTION SYSTEMS (CONT'D)
- Intrusion correction activities: complete restoration of operations to a normal state, and identification of the source and method of the intrusion.
- An intrusion detection system detects a violation of its configuration and activates an alarm.
- Many IDPSs let administrators configure the system to notify them directly of trouble via e-mail or pager.
- Systems can also be configured to notify an external security service organization of a "break-in."

IDPS TERMINOLOGY
- Alarm clustering and compaction
- Alarm filtering
- Alert or alarm
- Confidence value
- Evasion
- False attack stimulus
- False negative and false positive
- Noise
- Site policy
- Site policy awareness
- True attack stimulus
- Tuning

WHY USE AN IDPS?
- Primary purpose of intrusion detection: to identify and report an intrusion.
- Can quickly contain an attack and prevent or mitigate loss or damage.
- Detect and deal with the preambles to attacks.
- Data collection allows the organization to examine what happened after an intrusion, and why.
- Serves as a deterrent by increasing the fear of detection.
- Can help management with quality assurance and continuous improvement.
(Slides based on Principles of Information Security, Fifth Edition.)

TYPES OF IDPSS
- IDPSs operate as network-based or host-based systems.
- Network-based IDPS: focused on protecting network information assets.
- Wireless IDPS: focuses on wireless networks.
- Network behavior analysis IDPS: examines traffic flow on a network in an attempt to recognize abnormal patterns.


TYPES OF IDPSS (CONT'D)
Network-based IDPS (NIDPS)
- Resides on a computer or an appliance connected to a segment of an organization's network and looks for indications of attacks.
- When examining packets, a NIDPS looks for attack patterns within network traffic.
- Installed at a specific place in the network where it can monitor traffic going into and out of a particular network segment.

TYPES OF IDPSS (CONT'D)
Network-based IDPS (NIDPS) (cont'd)
- To determine whether an attack has occurred or is under way, measured activity is compared to known signatures in a knowledge base.
- This is done using a special implementation of the TCP/IP stack:
  - In protocol stack verification, the NIDPS looks for invalid data packets.
  - In application protocol verification, higher-order protocols are examined for unexpected packet behavior or improper use.

TYPES OF IDPSS (CONT'D)
Advantages of NIDPSs
- Good network design and placement of NIDPS sensors can enable an organization to monitor a large network with few devices.
- NIDPSs are usually passive and can be deployed into existing networks with little disruption to normal network operations.
- NIDPSs are not usually susceptible to direct attack and may not be detectable by attackers.

TYPES OF IDPSS (CONT'D)
Disadvantages of NIDPSs
- Can become overwhelmed by network volume and fail to recognize attacks.
- Require access to all traffic to be monitored.
- Cannot analyze encrypted packets.
- Cannot reliably ascertain whether an attack was successful or not.
- Some forms of attack are not easily discerned by NIDPSs, specifically those involving fragmented packets.

TYPES OF IDPSS (CONT'D)
Wireless NIDPS
- Monitors and analyzes wireless network traffic.
- Issues associated with it include physical security, sensor range, access point and wireless switch locations, wired network connections, and cost.
Network behavior analysis systems
- Identify problems related to the flow of traffic.
- Types of events commonly detected include denial-of-service (DoS) attacks, scanning, worms, unexpected application services, and policy violations.
- Offer intrusion prevention capabilities that are passive, inline, or both passive and inline.

TYPES OF IDPSS (CONT'D)
Host-based IDPS (HIDPS)
- Resides on a particular computer or server (host) and monitors activity only on that system.
- Benchmarks and monitors the status of key system files and detects when an intruder creates, modifies, or deletes files.
- Advantage over a NIDPS: it can inspect data that was encrypted while travelling over the network, because the host has already decrypted it, and make decisions about potential or actual attacks.
- Most HIDPSs work on the principle of configuration or change management.

TYPES OF IDPSS (CONT'D)
Advantages of HIDPSs
- Can detect local events on host systems and detect attacks that may elude a network-based IDPS.
- Functions on the host system, where encrypted traffic will have been decrypted and is available for processing.
- Not affected by the use of switched network protocols.
- Can detect inconsistencies in how applications and system programs were used by examining records stored in audit logs.

TYPES OF IDPSS (CONT'D)
Disadvantages of HIDPSs
- Pose more management issues.
- Vulnerable both to direct attacks and to attacks against the host operating system.
- Do not detect multihost scanning, nor scanning of non-host network devices.
- Susceptible to some DoS attacks.
- Can use large amounts of disk space.
- Can inflict a performance overhead on their host systems.
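The change-management principle behind a HIDPS (baseline the key files, then detect creation, modification and deletion) can be shown with a small file-integrity monitor. This is an added example, not code from the slides: the directory layout, file names and the simulated intrusion are constructed in a temporary directory, and the Linux-style path separators in the report are an assumption.

```python
"""Host-based change detection: baseline key files, rescan, report differences.
Added example, not code from the slides.  The 'system' below is constructed
inside a temporary directory; relative paths assume a POSIX separator."""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of the file contents, read in chunks so large files stay cheap."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> dict:
    """Snapshot every regular file under root: relative path -> (size, mode, sha256).
    Symlinks are skipped so an attacker cannot point a monitored name elsewhere."""
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            snap[p.relative_to(root).as_posix()] = (st.st_size, st.st_mode & 0o7777, hash_file(p))
    return snap


def compare(old: dict, new: dict) -> dict:
    """Return created / deleted / modified path lists, like a HIDPS change report.
    Any change in size, permission bits or content counts as 'modified'."""
    created = sorted(set(new) - set(old))
    deleted = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"created": created, "deleted": deleted, "modified": modified}


def demo() -> dict:
    """Build a toy system, baseline it, simulate an intruder, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        before = baseline(root)

        # Constructed intrusion: backdoor account, dropped cron job, deleted file.
        with (root / "etc" / "passwd").open("a") as fh:
            fh.write("hacker:x:0:0::/:/bin/sh\n")
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "evil").write_text("* * * * * root /tmp/x\n")
        (root / "etc" / "hosts").unlink()

        after = baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    print(demo())
```

The baseline itself is the weak point of this design: it must be stored where the monitored host cannot silently rewrite it (off-host, or at least signed), otherwise an intruder with root simply re-baselines after making changes, which is one reason the slides list HIDPSs as vulnerable to attacks against the host operating system.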

IDPS DETECTION METHODS
Signature-based detection
- Examines network traffic in search of patterns that match known signatures.
- Widely used because many attacks have clear and distinct signatures.
- Problem with this approach: new attack patterns must continually be added to the IDPS's database of signatures.
- A slow, methodical attack involving multiple events might escape detection.

IDPS DETECTION METHODS (CONT'D)
Anomaly-based detection
- Anomaly-based (or behavior-based) detection collects statistical summaries by observing traffic known to be normal.
- When measured activity is outside the baseline parameters or clipping level, the IDPS sends an alert to the administrator.
- The IDPS can detect new types of attacks.
- Requires much more overhead and processing capacity than signature-based detection.
- May generate many false positives.

IDPS DETECTION METHODS (CONT'D)
Stateful protocol analysis
- SPA: the process of comparing known normal/benign protocol profiles against observed traffic.
- Stores and uses relevant data detected in a session to identify intrusions involving multiple requests/responses; allows the IDPS to better detect specialized, multisession attacks (also called deep packet inspection).
- Drawbacks: analytical complexity; heavy processing overhead; may fail to detect an intrusion unless the protocol violates fundamental behavior; may interfere with normal operation of the protocol.

IDPS DETECTION METHODS (CONT'D)
Log file monitors
- A log file monitor (LFM) is similar to a NIDPS.
- Reviews log files generated by servers, network devices, and even other IDPSs for patterns and signatures.
- Patterns that signify an attack may be much easier to identify when the entire network and its systems are viewed as a whole.
- Requires considerable resources, since it involves the collection, movement, storage, and analysis of large quantities of log data.
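The three slides above (signature-based detection, anomaly-based detection, and log file monitoring) can be demonstrated together by running both detection methods over the same log. This is an added example, not code from the slides: the log format, the IP addresses, the two signatures and the baseline counts are all constructed for illustration. It shows the complementary blind spots the slides describe: the low-volume probe is caught only by a signature, and the flood of benign-looking requests is caught only by the anomaly clipping level.

```python
"""Signature-based and anomaly-based detection over constructed log lines.
Added example, not code from the slides; log format, signatures and the
baseline traffic statistics are assumptions made for illustration."""
import re
import statistics
from collections import Counter

# Constructed log lines in the form "<src-ip> <method> <path>".
LOG_LINES = [
    "10.0.0.5 GET /index.html",
    "10.0.0.5 GET /images/logo.png",
    "10.0.0.9 GET /login?user=admin'%20OR%20'1'='1",
    "10.0.0.7 GET /../../etc/passwd",
    "10.0.0.5 GET /about.html",
    "10.0.0.9 GET /cgi-bin/test.cgi",
] + [f"10.0.0.42 GET /page{i}.html" for i in range(60)]   # one noisy source

# Constructed per-source request counts observed during a known-normal period;
# this is the "statistical summary" an anomaly detector learns from.
BASELINE_COUNTS = [4, 6, 5, 7, 5, 6, 4, 5]

# Signature knowledge base: name -> regex.  New attack patterns must be added
# here by hand; anything not listed is invisible to this detector.
SIGNATURES = {
    "sqli-tautology": re.compile(r"'(%20|\s)*or(%20|\s)*'?1'?\s*=\s*'?1", re.I),
    "path-traversal": re.compile(r"(\.\./){2,}|/etc/passwd"),
}


def signature_alerts(lines):
    """Return (source, signature-name) for every line matching a known signature."""
    hits = []
    for line in lines:
        src, _method, path = line.split(" ", 2)
        for name, rx in SIGNATURES.items():
            if rx.search(path):
                hits.append((src, name))
    return hits


def requests_per_source(lines):
    """Measured activity: how many requests each source made in this log."""
    return Counter(line.split(" ", 1)[0] for line in lines)


def anomaly_alerts(baseline_counts, observed, k=3.0):
    """Flag sources whose request count exceeds the clipping level
    mean + k * stdev learned from baseline (normal) traffic.
    Returns (flagged-sources, clipping-level)."""
    mean = statistics.mean(baseline_counts)
    stdev = statistics.pstdev(baseline_counts)
    clip = mean + k * stdev
    return {src: n for src, n in observed.items() if n > clip}, clip


if __name__ == "__main__":
    print("signature hits:", signature_alerts(LOG_LINES))
    print("anomalies:", anomaly_alerts(BASELINE_COUNTS, requests_per_source(LOG_LINES)))
```

Raising k lowers false positives at the cost of missing smaller bursts; the attacker who spreads the same 60 requests over a long enough period stays under the clipping level in every interval, which is the "slow, methodical attack" the signature slide warns about from the other direction.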

IDPS RESPONSE BEHAVIOR
- IDPS response to external stimulation depends on its configuration and function; many response options are available.
- IDPS responses can be classified as active or passive.
  - Active response: collecting additional information about the intrusion, modifying the network environment, taking action against the intrusion.
  - Passive response: setting off alarms or notifications, collecting passive data through SNMP traps.
- Many IDPSs can generate routine reports and other detailed documents.
- Failsafe features protect the IDPS from being circumvented.

SELECTING IDPS APPROACHES AND PRODUCTS
Technical and policy considerations
- What is your systems environment?
- What are your security goals and objectives?
- What is your existing security policy?
Organizational requirements and constraints
- What requirements are levied from outside the organization?
- What are your organization's resource constraints?

SELECTING IDPS APPROACHES AND PRODUCTS (CONT'D)
IDPS product features and quality
- Is the product sufficiently scalable for your environment?
- How has the product been tested?
- What user level of expertise is targeted by the product?
- Is the product designed to evolve as the organization grows?
- What are the support provisions for the product?

STRENGTHS AND LIMITATIONS OF IDPSS
IDPSs perform the following functions well:
- Monitoring and analysis of system events and user behaviors.
- Testing the security states of system configurations.
- Baselining the security state of a system and tracking changes.
- Recognizing patterns of system events corresponding to known attacks.
- Recognizing activity patterns that vary from normal activity.

STRENGTHS AND LIMITATIONS OF IDPSS (CONT'D)
IDPSs perform the following functions well (cont'd):
- Managing OS audit and logging mechanisms and the data they generate.
- Alerting appropriate staff when attacks are detected.
- Measuring enforcement of the security policies encoded in the analysis engine.
- Providing default information on security policies.
- Allowing non-security experts to perform important security monitoring functions.

STRENGTHS AND LIMITATIONS OF IDPSS (CONT'D)
IDPSs cannot perform the following functions:
- Compensating for weak or missing security mechanisms in the protection infrastructure.
- Instantaneously detecting, reporting, and responding to an attack when there is heavy network or processing load.
- Detecting new attacks or variants of existing attacks.
- Effectively responding to attacks by sophisticated attackers.
- Automatically investigating attacks without human intervention.

STRENGTHS AND LIMITATIONS OF IDPSS (CONT'D)
IDPSs cannot perform the following functions (cont'd):
- Resisting attacks intended to defeat or circumvent them.
- Compensating for problems with the fidelity of information sources.
- Dealing effectively with switched networks.

DEPLOYMENT AND IMPLEMENTATION OF AN IDPS
An IDPS can be implemented via one of three basic control strategies:
- Centralized: all IDPS control functions are implemented and managed in a central location.
- Fully distributed: all control functions are applied at the physical location of each IDPS component.
- Partially distributed: combines the two; individual agents can still analyze and respond to local threats, but they report to a hierarchical central facility so the organization can detect widespread attacks.


DEPLOYMENT AND IMPLEMENTATION OF AN IDPS (CONT'D)
IDPS deployment
- Great care must be taken when deciding where to locate components.
- Planners must select a deployment strategy that is based on careful analysis of the organization's information security requirements and that causes minimal impact.
- NIDPS and HIDPS can be used in tandem to cover both the individual systems that connect to an organization's network and the networks themselves.

DEPLOYMENT AND IMPLEMENTATION OF AN IDPS (CONT'D)
Deploying network-based IDPSs
NIST recommends four locations for NIDPS sensors:
- Location 1: behind each external firewall, in the network DMZ.
- Location 2: outside an external firewall.
- Location 3: on major network backbones.
- Location 4: on critical subnets.


DEPLOYMENT AND IMPLEMENTATION OF AN IDPS (CONT'D)
Deploying host-based IDPSs
- Proper implementation of HIDPSs can be a painstaking and time-consuming task.
- Deployment begins with implementing the most critical systems first.
- Installation continues until either all systems are covered or the organization reaches the planned degree of coverage it will accept.

MEASURING THE EFFECTIVENESS OF IDPSS
- IDPSs are evaluated using four dominant metrics: thresholds, blacklists and whitelists, alert settings, and code viewing and editing.
- An evaluation of an IDPS might read: "At 100 Mb/s, the IDPS was able to detect 97 percent of directed attacks."
- A statement like that requires a collection of attack stimuli to replay against the system. Because developing this collection can be tedious, most IDPS vendors provide testing mechanisms to verify that systems are performing as expected.

MEASURING THE EFFECTIVENESS OF IDPSS (CONT'D)
Some of these testing processes enable the administrator to:
- Record and retransmit packets from a real virus or worm scan.
- Record and retransmit packets from a real virus or worm scan with incomplete TCP/IP session connections (missing SYN packets).
- Conduct a real virus or worm scan against a hardened or sacrificial system.
The testing process should be as realistic as possible.

HONEYPOTS, HONEYNETS, AND PADDED CELL SYSTEMS
- Honeypots: decoy systems designed to lure potential attackers away from critical systems.
- Honeynets: several honeypots connected together on a network segment.
- Honeypots are designed to:
  - Divert an attacker from accessing critical systems.
  - Collect information about the attacker's activity.
  - Encourage the attacker to stay on a system long enough for administrators to document the event and perhaps respond.

HONEYPOTS, HONEYNETS, AND PADDED CELL SYSTEMS (CONT'D)
- Padded cell system: a protected honeypot that cannot be easily compromised.
- In addition to attracting attackers with tempting data, a padded cell operates in tandem with a traditional IDPS.
- When the IDPS detects attackers, the padded cell system seamlessly transfers them to a special simulated environment where they can cause no harm, hence the name "padded cell."

HONEYPOTS, HONEYNETS, AND PADDED CELL SYSTEMS (CONT'D)
Advantages
- Attackers can be diverted to targets they cannot damage.
- Administrators have time to decide how to respond to an attacker.
- Attackers' actions can be easily and more extensively monitored, and the records can be used to refine threat models and improve system protections.
- Honeypots may be effective at catching insiders who are snooping around a network.

HONEYPOTS, HONEYNETS, AND PADDED CELL SYSTEMS (CONT'D)
Disadvantages
- The legal implications of using such devices are not well understood.
- Honeypots and padded cells have not yet been shown to be generally useful security technologies.
- An expert attacker, once diverted into a decoy system, may become angry and launch a more aggressive attack against the organization's systems.
- Administrators and security managers need a high level of expertise to use these systems.

TRAP-AND-TRACE SYSTEMS
- Use a combination of techniques to detect an intrusion and trace it back to its source.
- The trap usually consists of a honeypot or a padded cell and an alarm.
- Legal drawbacks to trap and trace:
  - Enticement: the act of attracting attention to a system by placing tantalizing information in key locations.
  - Entrapment: the act of luring an individual into committing a crime in order to get a conviction.
  - Enticement is legal and ethical; entrapment is not.

ACTIVE INTRUSION PREVENTION
- Some organizations implement active countermeasures.
- One tool (LaBrea) takes up unused IP address space to pretend to be a computer, allows attackers to complete a connection request, and then holds the connection open (a "tarpit").

SCANNING AND ANALYSIS TOOLS
- Scanning tools are typically used to collect the information an attacker needs to launch a successful attack.
- Attack protocol: a logical sequence of steps or processes used by an attacker to launch an attack against a target system or network.
- Footprinting: the process of collecting publicly available information about a potential target.

SCANNING AND ANALYSIS TOOLS (CONT'D)
- Fingerprinting: a systematic survey of the target organization's Internet addresses collected during the footprinting phase, to identify the network services offered by hosts in that range.
- Fingerprinting reveals useful information about the internal structure and nature of the target system or network to be attacked.
- These tools are valuable to the network defender, since they can quickly pinpoint the parts of the systems or network that need prompt repair to close vulnerabilities.

PORT SCANNERS
- Tools used by both attackers and defenders to identify or fingerprint the computers active on a network, along with other useful information.
- Can perform either generic scans or scans for specific types of computers, protocols, or resources.
- The more specific the scanner is, the more useful its information is to attackers and defenders.
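A minimal TCP connect() scanner makes the slide concrete: a port is reported open when a full three-way handshake completes. This is an added example, not code from the slides or from any named scanner; to stay self-contained it starts its own listener on an ephemeral loopback port and scans a small range around it, so it runs offline and touches nothing but 127.0.0.1.

```python
"""TCP connect() port scanner with a local listener to scan against.
Added example, not from the slides.  It reports open/closed only; a real
scanner also grabs banners and fingerprints services and the OS."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def start_listener(host: str = "127.0.0.1"):
    """Open a listening TCP socket on an ephemeral port: the constructed 'target'."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener shut down
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def probe(host: str, port: int, timeout: float = 0.5) -> bool:
    """Return True if a full TCP handshake completes (port open).
    connect_ex returns 0 on success and an errno (e.g. ECONNREFUSED) otherwise."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def scan(host: str, ports, workers: int = 32):
    """Probe the given ports concurrently; return the sorted list of open ones."""
    with ThreadPoolExecutor(max_workers=workers) as ex:
        results = list(ex.map(lambda p: (p, probe(host, p)), ports))
    return sorted(p for p, is_open in results if is_open)


def demo():
    """Start a listener, scan a small window around it, return (port, open_ports)."""
    srv, port = start_listener()
    try:
        window = range(port - 5, port + 6)
        return port, scan("127.0.0.1", window)
    finally:
        # shutdown() wakes the blocked accept() so the listener really goes away.
        try:
            srv.shutdown(socket.SHUT_RDWR)
        except OSError:
            pass
        srv.close()


if __name__ == "__main__":
    port, open_ports = demo()
    print(f"listener on {port}; open ports found: {open_ports}")
```

A connect() scan is the noisiest technique: every open port sees a completed connection, so host logs and a NIDPS will record it, which is exactly the "scanning" event class the network behavior analysis slide says such systems detect. Point this only at hosts you are authorized to scan.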


FIREWALL ANALYSIS TOOLS
- Several tools automate the remote discovery of firewall rules and assist the administrator (or attacker) in analyzing them.
- Administrators who feel wary of using the same tools that attackers use should remember:
  - User intent dictates how the gathered information will be used.
  - To defend a computer or network well, administrators must understand the ways it can be attacked.
- A tool that can help close an open or poorly configured firewall will help the network defender minimize the risk from attack.

OPERATING SYSTEM DETECTION TOOLS
- The ability to detect a target computer's operating system (OS) is very valuable to an attacker.
- Once the OS is known, the attacker can easily determine the vulnerabilities to which it is susceptible.
- Many tools use networking protocols to determine a remote computer's OS.

VULNERABILITY SCANNERS
- Active vulnerability scanners examine networks for highly detailed information and initiate traffic to determine security holes.
- Passive vulnerability scanners listen in on the network and identify vulnerable versions of both server and client software.
- Passive vulnerability scanners can find client-side vulnerabilities that active scanners typically miss.

PACKET SNIFFERS
- A network tool that captures copies of packets from the network and analyzes them.
- Can provide a network administrator with valuable information for diagnosing and resolving networking issues.
- In the wrong hands, a sniffer can be used to eavesdrop on network traffic.
- To use a packet sniffer legally, an administrator must be on a network that the organization owns, be under the direct authorization of the owners of the network, and have the knowledge and consent of the content's creators.

WIRELESS SECURITY TOOLS
- An organization that spends its time securing a wired network while ignoring wireless networks is exposing itself to a security breach.
- Security professionals must assess the risk of wireless networks.
- A wireless security toolkit should include the ability to sniff wireless traffic, scan wireless hosts, and assess the level of privacy or confidentiality afforded on the wireless network.

SUMMARY
- An intrusion detection and prevention system (IDPS) detects a violation of its configuration and activates an alarm.
- Network-based IDPS (NIDPS) versus host-based IDPS (HIDPS).
- Selecting the IDPS products that best fit an organization's needs is challenging and complex.
- Honeypots are decoy systems; two variations are known as honeynets and padded cell systems.
- Scanning and analysis tools are used to pinpoint vulnerabilities in systems, holes in security components, and unsecured aspects of a network.

CONTENTS
- Electronic mail security
- Pretty Good Privacy
- S/MIME
- IP security overview
- IP security architecture
- Authentication Header
- Encapsulating Security Payload

EMAIL SECURITY
- Email is one of the most widely used and regarded network services.
- Currently message contents are not secure: they may be inspected either in transit or by suitably privileged users on the destination system.

EMAIL SECURITY ENHANCEMENTS
- Confidentiality: protection from disclosure.
- Authentication: of the sender of the message.
- Message integrity: protection from modification.
- Non-repudiation of origin: protection from denial by the sender.

PRETTY GOOD PRIVACY (PGP)
- Widely used de facto secure email, developed by Phil Zimmermann.
- Selected the best available crypto algorithms to use.
- Integrated into a single program on Unix, PC, Macintosh and other systems.
- Originally free; commercial versions are now also available.

PGP OPERATION – AUTHENTICATION
1. Sender creates the message.
2. Make a SHA-1 160-bit hash of the message.
3. Attach the RSA-signed hash to the message.
4. Receiver decrypts the signature and recovers the hash code.
5. Receiver verifies the received message against the hash.

PGP OPERATION – CONFIDENTIALITY
1. Sender forms a 128-bit random session key.
2. Encrypts the message with the session key.
3. Attaches the session key encrypted with RSA.
4. Receiver decrypts and recovers the session key.
5. Session key is used to decrypt the message.

PGP OPERATION – CONFIDENTIALITY & AUTHENTICATION
- Can use both services on the same message:
  - Create the signature and attach it to the message.
  - Encrypt both the message and the signature.
  - Attach the RSA/ElGamal-encrypted session key.

PGP OPERATION – COMPRESSION
- By default PGP compresses the message after signing but before encrypting.
- Signing first means the uncompressed message and signature can be stored for later verification, and also avoids a problem: compression is not deterministic across implementations (different versions trade off speed and ratio differently and produce different output), so a signature over the compressed form would only verify with the same compressor.
- Uses the ZIP compression algorithm.

PGP OPERATION – EMAIL COMPATIBILITY
- When using PGP there will be binary data to send (the encrypted message etc.).
- However, email was designed only for text.
- Hence PGP must encode raw binary data into printable ASCII characters.
- Uses the radix-64 algorithm: maps 3 bytes to 4 printable characters, and also appends a CRC.
- PGP also segments messages if they are too big.
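The radix-64 step above is ordinary base64 plus a 24-bit CRC over the raw bytes, appended as "=" followed by the CRC itself radix-64 encoded. The following is an added example, not code from the slides, implementing that conversion with the CRC-24 parameters OpenPGP (RFC 4880) uses; the message bytes are constructed.

```python
"""Radix-64 armoring with the OpenPGP CRC-24 trailer (RFC 4880, section 6).
Added example, not code from the slides; the input bytes are constructed."""
import base64

CRC24_INIT = 0xB704CE      # RFC 4880 initial value
CRC24_POLY = 0x1864CFB     # RFC 4880 generator polynomial


def crc24(data: bytes) -> int:
    """Bit-serial CRC-24 over the raw (pre-encoding) bytes."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(data: bytes, line_len: int = 76) -> str:
    """Map each 3 bytes to 4 printable chars, wrap into lines, then append
    a final line '=' + radix-64(CRC-24) so corruption in transit is detectable."""
    b64 = base64.b64encode(data).decode("ascii")
    lines = [b64[i:i + line_len] for i in range(0, len(b64), line_len)] or [""]
    crc_b64 = base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    return "\n".join(lines + ["=" + crc_b64])


def dearmor(text: str) -> bytes:
    """Inverse of armor(); raises ValueError if the CRC-24 does not match."""
    *body, crc_line = text.split("\n")
    if not crc_line.startswith("="):
        raise ValueError("missing CRC line")
    data = base64.b64decode("".join(body))
    expected = int.from_bytes(base64.b64decode(crc_line[1:]), "big")
    if crc24(data) != expected:
        raise ValueError("CRC-24 mismatch: armored data corrupted")
    return data


if __name__ == "__main__":
    sample = b"constructed ciphertext bytes \x00\x01\xfe\xff"
    print(armor(sample))
    assert dearmor(armor(sample)) == sample
```

The CRC is an integrity check against transport damage (line wrapping, character-set mangling by a mail gateway), not a security mechanism: an attacker who alters the armored text can recompute it. Authenticity comes from the signature inside the armored data, which is why PGP signs before it encodes.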

PGP OPERATION – SUMMARY

PGP SESSION KEYS
- Need a session key for each message, of varying sizes: 56-bit DES, 128-bit CAST or IDEA, 168-bit Triple-DES.
- Generated using the ANSI X9.17 mode.
- Uses random inputs taken from previous uses and from the keystroke timing of the user.

PGP PUBLIC & PRIVATE KEYS
- Since many public/private keys may be in use, the message must identify which one was actually used to encrypt the session key.
- Could send the full public key with every message, but this is inefficient.
- Instead use a key identifier based on the key: the least significant 64 bits of the key, which will very likely be unique.
- The key ID is also used in signatures.

PGP MESSAGE FORMAT

PGP KEY RINGS
Each PGP user has a pair of key rings:
- Public-key ring: contains all the public keys of other PGP users known to this user, indexed by key ID.
- Private-key ring: contains the public/private key pair(s) for this user, indexed by key ID and encrypted with a key derived from a hashed passphrase.
The security of the private keys thus depends on the security of the passphrase.

PGP KEY RINGS

PGP MESSAGE GENERATION

PGP MESSAGE RECEPTION

PGP KEY MANAGEMENT
- Rather than relying on certificate authorities, in PGP every user is their own CA.
- Users can sign keys for users they know directly, forming a "web of trust".
- A user trusts keys they have signed, and can trust keys others have signed if there is a chain of signatures to them.
- The key ring includes trust indicators.
- Users can also revoke their keys.

PGP TRUST MODEL EXAMPLE

S/MIME (SECURE/MULTIPURPOSE INTERNET MAIL EXTENSIONS)
- A security enhancement to MIME email.
- The original Internet RFC 822 email was text only.
- MIME provided support for varying content types and multi-part messages, with encoding of binary data to textual form.
- S/MIME added security enhancements.
- S/MIME support exists in many mail agents, e.g. MS Outlook, Mozilla, Mac Mail.

S/MIME FUNCTIONS
- Enveloped data: encrypted content and the associated keys.
- Signed data: encoded message plus a signed digest.
- Clear-signed data: cleartext message plus an encoded signed digest.
- Signed & enveloped data: nesting of signed and encrypted entities.

S/MIME CRYPTOGRAPHIC ALGORITHMS
- Digital signatures: DSS & RSA
- Hash functions: SHA-1 & MD5
- Session key encryption: ElGamal & RSA
- Message encryption: AES, Triple-DES, RC2/40 and others
- MAC: HMAC with SHA-1
- There is a process to decide which algorithms to use.

S/MIME MESSAGES
- S/MIME secures a MIME entity with a signature, encryption, or both, forming a MIME-wrapped PKCS object.
- There is a range of content types:
  - enveloped data
  - signed data
  - clear-signed data
  - registration request
  - certificate-only message

S/MIME CERTIFICATE PROCESSING
- S/MIME uses X.509 v3 certificates.
- Managed using a hybrid of a strict X.509 CA hierarchy and PGP's web of trust.
- Each client has a list of trusted CAs' certificates, and its own public/private key pairs and certificates.
- Certificates must be signed by trusted CAs.

CERTIFICATE AUTHORITIES
- There are several well-known CAs; Verisign is one of the most widely used.
- Verisign issues several types of Digital IDs, with increasing levels of checks and hence trust:

Class  Identity checks           Usage
1      name/email check          web browsing, email
2      enrollment/address check  email, subscriptions, software validation
3      ID documents              e-banking, service access

S/MIME ENHANCED SECURITY SERVICES
Three proposed enhanced security services:
- signed receipts
- security labels
- secure mailing lists

CHAPTER 19 – IP SECURITY
"If a secret piece of news is divulged by a spy before the time is ripe, he must be put to death, together with the man to whom the secret was told."
—The Art of War, Sun Tzu

IP SECURITY
- There is a range of application-specific security mechanisms, e.g. S/MIME, PGP, Kerberos, SSL/HTTPS.
- However, there are security concerns that cut across protocol layers.
- We would like security implemented by the network for all applications.

IP SECURITY
- General IP security mechanisms provide: authentication, confidentiality, key management.
- Applicable for use over LANs, across public and private WANs, and for the Internet.
- The need was identified in a 1994 report: authentication and encryption are needed in IPv4 and IPv6.

IP SECURITY USES

BENEFITS OF IPSEC
- In a firewall or router, provides strong security to all traffic crossing the perimeter.
- In a firewall or router, is resistant to bypass.
- Is below the transport layer, hence transparent to applications.
- Can be transparent to end users.
- Can provide security for individual users.
- Secures the routing architecture.

IP SECURITY ARCHITECTURE
The specification is quite complex, with groups:
- Architecture: RFC 4301, Security Architecture for the Internet Protocol
- Authentication Header (AH): RFC 4302, IP Authentication Header
- Encapsulating Security Payload (ESP): RFC 4303, IP Encapsulating Security Payload
- Internet Key Exchange (IKE): RFC 4306, Internet Key Exchange (IKEv2) Protocol
- Cryptographic algorithms
- Other

IPSEC SERVICES
- Access control
- Connectionless integrity
- Data origin authentication
- Rejection of replayed packets (a form of partial sequence integrity)
- Confidentiality (encryption)
- Limited traffic flow confidentiality

TRANSPORT AND TUNNEL MODES
Transport mode
- Used to encrypt and optionally authenticate the IP payload.
- An observer can still do traffic analysis, but the mode is efficient.
- Good for ESP host-to-host traffic.
Tunnel mode
- Encrypts the entire IP packet.
- Adds a new header for the next hop.
- No routers on the way can examine the inner IP header.
- Good for VPNs and gateway-to-gateway security.

TRANSPORT AND TUNNEL MODES

TRANSPORT AND TUNNEL MODE PROTOCOLS

SECURITY ASSOCIATIONS
- A one-way relationship between sender and receiver that affords security for a traffic flow.
- Defined by three parameters:
  - Security Parameters Index (SPI)
  - IP destination address
  - Security protocol identifier (AH or ESP)
- Has a number of other parameters: sequence number, AH and ESP information, lifetime, etc.
- There is a database of Security Associations (the SAD).

SECURITY POLICY DATABASE
- Relates IP traffic to specific SAs: matches a subset of IP traffic to the relevant SA.
- Uses selectors to filter outgoing traffic, mapping based on local and remote IP addresses, next-layer protocol, name, and local and remote ports.

ENCAPSULATING SECURITY PAYLOAD (ESP)
- Provides message content confidentiality, data origin authentication, connectionless integrity, an anti-replay service, and limited traffic flow confidentiality.
- The services provided depend on the options selected when the Security Association (SA) is established, and on the network location.
- Can use a variety of encryption and authentication algorithms.

ENCAPSULATING SECURITY PAYLOAD

ENCRYPTION & AUTHENTICATION ALGORITHMS & PADDING
- ESP can encrypt the payload data, padding, pad length, and next header fields.
- If needed, there is an IV at the start of the payload data.
- ESP can have an optional ICV for integrity; it is computed after encryption is performed.
- ESP uses padding:
  - to expand the plaintext to the required length;
  - to align the pad length and next header fields;
  - to provide partial traffic flow confidentiality.

ANTI-REPLAY SERVICE
- A replay is when an attacker resends a copy of an authenticated packet.
- A sequence number is used to thwart this attack.
- The sender initializes the sequence number to 0 when a new SA is established and increments it for each packet; it must not exceed the limit of 2^32 - 1 (a new SA is needed before it wraps).
- The receiver keeps a window of size W and accepts packets whose sequence number lies within (N - W + 1) to N, where N is the highest sequence number received so far, provided the packet has not been seen before; a packet above N advances the window.
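The padding slide and the anti-replay slide above can be exercised together with a sender that frames ESP packets and a receiver that parses them and runs the sliding window. This is an added example, not code from the slides or from any IPsec implementation: encryption and the ICV are left out so the framing and sequence handling stay visible (a real ESP packet carries the payload and trailer encrypted, with an ICV over SPI, sequence number and ciphertext), and the 4-byte alignment, SPI and payloads are constructed.

```python
"""ESP framing with RFC 4303-style padding, plus the receiver's anti-replay
window.  Added example, not from the slides; encryption and the ICV are
omitted, and the alignment, SPI and payloads are constructed."""
import struct


def esp_padding(payload_len: int, align: int = 4) -> bytes:
    """Monotonically increasing pad bytes 1,2,3,... chosen so that payload + pad +
    the 2-byte trailer (Pad Length, Next Header) ends on an `align`-byte boundary."""
    pad_len = (-(payload_len + 2)) % align
    return bytes(range(1, pad_len + 1))


def build_esp(spi: int, seq: int, payload: bytes, next_header: int, align: int = 4) -> bytes:
    """SPI | Sequence Number | payload | padding | Pad Length | Next Header."""
    pad = esp_padding(len(payload), align)
    return struct.pack("!II", spi, seq) + payload + pad + bytes([len(pad), next_header])


def parse_esp(pkt: bytes, align: int = 4):
    """Split an ESP packet back into (spi, seq, payload, next_header), checking the trailer."""
    spi, seq = struct.unpack("!II", pkt[:8])
    body = pkt[8:]
    pad_len, next_header = body[-2], body[-1]
    payload = body[:len(body) - 2 - pad_len]
    pad = body[len(body) - 2 - pad_len:-2]
    if pad != bytes(range(1, pad_len + 1)) or len(body) % align:
        raise ValueError("bad ESP trailer")
    return spi, seq, payload, next_header


class EspSender:
    MAX_SEQ = 2**32 - 1

    def __init__(self, spi: int):
        self.spi = spi
        self.seq = 0                     # reset to 0 when the SA is created

    def next_packet(self, payload: bytes, next_header: int = 6) -> bytes:
        if self.seq >= self.MAX_SEQ:     # never wrap: the SA must be renegotiated
            raise OverflowError("sequence space exhausted: negotiate a new SA")
        self.seq += 1
        return build_esp(self.spi, self.seq, payload, next_header)


class ReplayWindow:
    """Receiver state: accept seq in [N-W+1, N] if not yet seen, or seq > N (advance)."""

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0                 # N: highest sequence number accepted so far
        self.bitmap = 0                  # bit i set => seq (N - i) already received

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:                     # the first packet on an SA is seq 1
            return False
        if seq > self.highest:           # to the right of the window: slide it
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:            # too old: left of the window
            return False
        if self.bitmap & (1 << diff):    # already received: replay
            return False
        self.bitmap |= 1 << diff         # in window and new: mark and accept
        return True


if __name__ == "__main__":
    sender, window = EspSender(0x1001), ReplayWindow(8)
    pkt = sender.next_packet(b"hello")
    spi, seq, payload, nh = parse_esp(pkt)
    print(spi, seq, payload, nh, window.check_and_update(seq), window.check_and_update(seq))
```

In a real receiver the window is only updated after the ICV verifies, otherwise an attacker could inject packets with large forged sequence numbers to slide the window past legitimate traffic; the duplicate and too-old checks above are the "rejection of replayed packets" service the IPsec services slide lists.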

