IDS - Introduction to Information Security - Lecture Slides, Slides of Network security

The major points which I found very informative according to security are: Ids, Exceeds Authentication Limits, Intrusion Detection, Similar to Incidents, Intrusion, Intrusion Detection System, Hardware, Notices Suspicious, Security Policies, Prohibitive or Permissive

Typology: Slides

2012/2013

Uploaded on 04/22/2013

sathiamoorthy


1

Intrusion Detection Systems

2

Intrusion Detection

  • Intrusion is any use or attempted use of a system that exceeds authentication limits
  • Intrusions are similar to incidents
    • An incident does not necessarily involve an active system or network device; an intrusion does
  • An Intrusion Detection System (IDS) can be either software or hardware based; it monitors network activity and delivers an alert if it notices suspicious activity

4

Dealing with Intruders

  • Intruders can be external or internal
    • External intruders are hackers or crackers
    • Internal intruders are more common and very dangerous
  • Security policy should state what steps will be taken to handle intrusions
  • Block and ignore
    • Simplest tactic for handling intrusions
    • Block the intruder and address the vulnerability
    • Don’t take any further action

5

Dealing with Intruders

  • Block and investigate
    • Block the intruder and address the vulnerability
    • Collect evidence and try to determine intruder’s identity
    • Investigate
  • Honeypot (bait the intruder)
    • Allow the intruder to access a part of your network
    • Try to catch the intruder while he/she explores
    • This is a potentially dangerous approach
      • The intruder does have at least partial access
      • Crackers may become interested in your site

7

IDS Principles

  • Run unattended for extended periods of time
  • Stay active and secure
  • Recognize unusual activity
  • Operate without unduly affecting the system’s activity
  • Configurable

8

IDS Principles

Sample current activity → Compare with database → Decide what to do

10

IDS Taxonomy

  • Signature-based IDS
    • Detects misuse intrusions
    • Maintains a database of attack signatures
    • Compares current activity to database
    • Database must be current and complete to be effective
  • Knowledge-based IDS
    • Detects anomaly intrusions
    • Builds a profile of “normal” system activity over time
    • Produces more false positives and requires more administration
    • Requires careful initial configuration

11

Thresholds

  • A rule tells the IDS which packets to examine and what action to take
    • Similar to a firewall rule
    • alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)
    • alert specifies the action to take
    • tcp specifies the protocol
    • any any -> 192.168.1.0/24 specifies the source (any host, any port) and the destination within the given subnet
    • 111 specifies the destination port
    • content specifies the value to look for in the payload
    • msg specifies the message to send with the alert
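As an added example (not from the slides, and not Snort's own code), here is a tiny Python parser and matcher for the one-line rule format shown above: it splits the header into action, protocol, addresses and ports, decodes the |..| hex content, and runs the "sample activity, compare with database, decide what to do" loop from slide 8 over a few constructed packets. The packet field names and the sample packets are assumptions for the demonstration.

```python
import ipaddress
import re

# Added example (not from the slides): a minimal parser and matcher for the
# one-line Snort rule format on the slide; only header fields, content and msg.
RULE = 'alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)'

def parse_content(value):
    """Snort content string -> bytes: text between |..| is hex, the rest literal."""
    out = b""
    for i, part in enumerate(value.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return out

def parse_rule(text):
    """Split 'action proto src sport -> dst dport (options)' into a dict."""
    header, _, opts = text.partition("(")
    action, proto, sip, sport, _arrow, dip, dport = header.split()
    options = dict(re.findall(r'(\w+):"([^"]*)"', opts))
    return {"action": action, "proto": proto, "src": sip, "sport": sport, "dst": dip,
            "dport": dport, "content": parse_content(options["content"]), "msg": options["msg"]}

def addr_ok(spec, ip):  # 'any' or a CIDR/host the address falls in
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def port_ok(spec, port):
    return spec == "any" or int(spec) == port

def check_packet(rule, pkt):
    """Return 'action: msg' if every header field and the payload pattern match."""
    if (pkt["proto"] == rule["proto"]
            and addr_ok(rule["src"], pkt["src"]) and port_ok(rule["sport"], pkt["sport"])
            and addr_ok(rule["dst"], pkt["dst"]) and port_ok(rule["dport"], pkt["dport"])
            and rule["content"] in pkt["payload"]):
        return f'{rule["action"]}: {rule["msg"]}'
    return None

def mk(dst, dport, payload, src="10.0.0.5", sport=40123):  # constructed packet, not a capture
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport, "payload": payload}

SAMPLE_PACKETS = [  # constructed sample traffic: one hit, one wrong port, one outside subnet
    mk("192.168.1.20", 111, b"\x80\x00\x00\x28\x00\x01\x86\xa5\x00\x00\x00\x02"),
    mk("192.168.1.20", 22, b"SSH-2.0-OpenSSH_8.9"),
    mk("172.16.0.9", 111, b"\x00\x01\x86\xa5"),
]

def scan(rule_text=RULE, packets=SAMPLE_PACKETS):
    """'Compare with database, decide what to do' for a one-rule database."""
    rule = parse_rule(rule_text)
    return [hit for hit in (check_packet(rule, p) for p in packets) if hit]
```

Only the first sample packet fires (destination in the subnet, port 111, mountd program number in the payload); a real engine would also have to handle fragmentation, stream reassembly and the many other rule options the slide omits.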

13

Snort IDS

  • Snort is an example of an IDS
    • Freeware
    • UNIX and Windows
  • A highly configurable packet sniffer
  • Analyzes network traffic in real time
  • www.snort.org

14

Snort IDS

  • Snort sniffs a packet from the network
    • Preprocessor looks at the packet header and decides whether to analyze it further
    • Detection engine compares the pattern from the rules to the packet payload
    • If the payload matches, then the appropriate action is taken
  • Snort can be used in a plain packet sniffer mode or in full IDS mode
  • Snort has numerous configurable options

16

Snort IDS

17

Snort IDS

19

Network-Based vs Host-Based

  • Host-based IDS examines all traffic and activity for a particular machine
    • Can examine system log files as well as inbound and outbound packets
    • Each system requires its own IDS
  • Best choice is to use both network-based and host-based IDS in an organization
  • Many firewalls provide some IDS functionality

20

Network-Based IDS