Chapter 7 info tech
Disadvantages of NIDPSs
- can become overwhelmed by network volume and fail to recognize attacks
- require access to all traffic that is to be monitored
- cannot analyze encrypted packets
- cannot reliably ascertain whether an attack was successful or not
- some forms of attack are not easily discerned, especially those involving fragmented packets
The advantages of HIDPSs
- can detect local events on host systems and detect attacks that may elude a network-based IDPS
- functions on the host system, where encrypted traffic will already have been decrypted and is available for processing
- not affected by the use of switched network protocols
- can detect inconsistencies in how applications and system programs were used by examining records stored in audit logs
Why use an IDPS?
- data collection allows the organization to examine what happened after an intrusion, and why
- serves as a deterrent by increasing the fear of detection
- can help management with quality assurance and continuous improvement
Advantages of NIDPSs
- good network design and placement of NIDPS sensors can enable an organization to monitor a large network with few devices
- NIDPSs are usually passive and can be deployed into existing networks with little disruption to normal network operations
- are not usually susceptible to direct attack and may not be detectable by attackers
Intrusion
- occurs when an attacker attempts to gain entry to, or disrupt the normal operations of, an organization's information systems
- prevention consists of activities that deter an intrusion
- detection consists of procedures and systems that can identify system intrusions
- reaction encompasses the actions an organization undertakes when an intrusion event is detected
- correction activities complete the restoration of operations to a normal state and seek to identify the source and method of the intrusion
- intrusion detection systems detect a violation of their configuration (a matched signature or an exceeded baseline) and activate an alarm
Disadvantages of HIDPSs
- pose more management issues, since each host's IDPS must be configured and maintained individually
- vulnerable both to direct attacks and to attacks against the host operating system
- do not detect multi-host scanning, nor scanning of non-host network devices
- susceptible to some DoS attacks
- can use a large amount of disk space
- can inflict a performance overhead on their host systems
Why use an IDPS? Intrusion Detection
- primary purpose is to identify and report an intrusion
- can quickly contain an attack and prevent or mitigate the loss or damage
- detect and deal with preambles to attacks (reconnaissance, scanning)
Network-based IDPS (NIDPS)
- resides on a computer or an appliance connected to a segment of an organization's network and looks for indications of attack
- when examining packets, an NIDPS looks for attack patterns within network traffic
- installed at a specific place in the network where it can monitor traffic going into and out of a particular network segment
- to determine whether an attack has occurred or is under way, it compares measured activity to known signatures in its knowledge base; this is done using a special implementation of the TCP/IP stack:
  - in protocol stack verification, the NIDPS looks for invalid data packets, i.e. packets that are malformed under the protocol's rules (impossible header values, flag combinations no real stack produces)
  - in application protocol verification, higher-order protocols (HTTP, FTP, SMTP and so on) are examined for unexpected packet behavior or improper use
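The protocol stack verification step above, as an added example that is not part of the original notes: a small Python checker that decodes the fixed 20-byte TCP header of a segment and reports field values and flag combinations that no conforming TCP stack would produce. The sample segments are constructed with the helper `make_tcp`; the port numbers and the set of rules are illustrative choices, not a product's rule set.

```python
import struct

# Added example, not from the page: protocol stack verification as an NIDPS
# performs it on the TCP layer. The segment's fixed header is decoded and
# checked for self-consistency and for flag combinations that only appear
# in crafted packets (the classic port-scan fingerprints).

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
CLASSIC_FLAGS = 0x3F  # the six flags above; ECN bits are ignored here


def make_tcp(sport: int, dport: int, flags: int, data_offset_words: int = 5,
             seq: int = 0, ack: int = 0) -> bytes:
    """Build a constructed TCP header (no payload) for the demo and tests."""
    off_flags = (data_offset_words << 12) | flags
    # window, checksum and urgent pointer are filled with placeholder values
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, 65535, 0, 0)


def parse_tcp(segment: bytes) -> dict:
    """Decode the fixed TCP header; raise ValueError if it is truncated."""
    if len(segment) < 20:
        raise ValueError("TCP header truncated")
    sport, dport, seq, ack, off_flags, win, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": (off_flags >> 12) * 4,  # header length in bytes
        "flags": off_flags & 0x01FF,
        "window": win,
    }


def verify_tcp(segment: bytes) -> list[str]:
    """Return the protocol violations found; an empty list means 'looks valid'."""
    try:
        h = parse_tcp(segment)
    except ValueError as e:
        return [str(e)]
    problems = []
    f = h["flags"] & CLASSIC_FLAGS
    if h["data_offset"] < 20:
        problems.append("data offset below the 20-byte minimum header")
    elif h["data_offset"] > len(segment):
        problems.append("data offset points past the end of the segment")
    if h["sport"] == 0 or h["dport"] == 0:
        problems.append("port 0 used")
    if f == 0:
        problems.append("no flags set (NULL scan)")
    if f & SYN and f & FIN:
        problems.append("SYN and FIN set together (SYN/FIN scan)")
    if f & SYN and f & RST:
        problems.append("SYN and RST set together")
    if f & FIN and not f & (ACK | SYN):
        problems.append("FIN without ACK (FIN or Xmas scan)")
    if f & (PSH | URG) and not f & ACK:
        problems.append("PSH/URG without ACK")
    return problems


# Constructed sample segments: two legitimate, five malformed.
SAMPLES = {
    "normal-syn": make_tcp(40000, 443, SYN),
    "normal-fin": make_tcp(40000, 443, FIN | ACK),
    "syn-fin-scan": make_tcp(40000, 443, SYN | FIN),
    "null-scan": make_tcp(40000, 443, 0),
    "xmas-scan": make_tcp(40000, 443, FIN | PSH | URG),
    "bad-offset": make_tcp(40000, 443, SYN, data_offset_words=3),
    "truncated": make_tcp(40000, 443, SYN)[:12],
}


def scan_all() -> dict[str, list[str]]:
    """Run the verifier over every sample segment."""
    return {name: verify_tcp(seg) for name, seg in SAMPLES.items()}


if __name__ == "__main__":
    for name, problems in scan_all().items():
        print(f"{name:14s} {'OK' if not problems else '; '.join(problems)}")
```

The check is purely structural: it says nothing about the payload, which is why the NIDPS pairs it with application protocol verification and signature matching.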
Host-based IDPS (HIDPS)
- resides on a particular computer or server (host) and monitors activity only on that system
- benchmarks and monitors the status of key system files and detects when an intruder creates, modifies, or deletes files
- advantage over an NIDPS: can access encrypted information traveling over the network (after the host has decrypted it) and make decisions about potential or actual attacks
- most HIDPSs work on the principle of configuration or change management
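The file benchmarking described above, as an added example that is not part of the original notes: a minimal host-based integrity check in Python that hashes a set of files into a baseline, re-scans later, and classifies every difference as created, modified or deleted. The directory layout, file contents and the "intruder" changes in `demo` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example, not from the page: the change-management core of an HIDPS.
# Files are benchmarked by SHA-256 (not by modification time, which an
# intruder can reset), and a later scan is compared against that baseline.


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root: Path) -> dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences between the benchmark and the current scan."""
    return {
        "created": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo(root: Path) -> dict[str, list[str]]:
    """Constructed scenario: benchmark, then simulate an intruder's changes."""
    etc = root / "etc"
    etc.mkdir(parents=True, exist_ok=True)
    (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
    (etc / "shadow").write_text("root:*:19000:0:99999:7:::\n")
    (etc / "hosts").write_text("127.0.0.1 localhost\n")
    baseline = take_baseline(root)

    # Simulated intrusion: a second UID-0 account is appended, a preload
    # library is dropped, and a file is removed. All of this is constructed.
    (etc / "passwd").write_text(
        "root:x:0:0:root:/root:/bin/bash\nbackdoor:x:0:0::/:/bin/sh\n")
    (etc / "ld.so.preload").write_text("/tmp/.x/libhide.so\n")
    (etc / "hosts").unlink()

    return compare(baseline, take_baseline(root))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for kind, paths in demo(Path(d)).items():
            print(f"{kind:9s} {paths}")
```

Two practical caveats follow from the HIDPS disadvantages listed on this page: the baseline must be stored where the monitored host cannot rewrite it (read-only media or another system), otherwise an intruder with host access simply re-benchmarks after making changes; and hashing every file on every scan is part of the disk and CPU overhead an HIDPS imposes, so real products limit the set to key system files.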
IDPS Terminology
Alarm clustering and compaction, alarm filtering, alert/alarm, confidence value, evasion, false attack stimulus, false negative, false positive, noise, site policy, site policy awareness, true attack stimulus, tuning
Anomaly-based detection
Also known as behavior-based detection: an IDPS detection method that compares current data and traffic patterns to an established baseline of normalcy.
- collects statistical summaries by observing traffic known to be normal
- when measured activity falls outside the baseline parameters, i.e. exceeds the clipping level, the IDPS sends an alert to the administrator
- can detect new types of attacks, since nothing has to match a known signature
- requires much more overhead and processing capacity than signature-based detection
- may generate many false positives, because legitimate but unusual activity also exceeds the baseline
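The baseline-and-clipping-level mechanism above, as an added example that is not part of the original notes: a Python detector that learns mean and standard deviation from constructed "known normal" per-minute connection counts, sets the clipping level at mean + k * stdev, and alerts on anything above it. The traffic numbers, the value of k and the scenario labels (worm, backup, slow attack) are all constructed.

```python
import statistics

# Added example, not from the page: a behaviour-based (anomaly) detector.
# A baseline is learnt from traffic assumed to be normal; the clipping level
# is mean + k * standard deviation; later observations above it raise alerts.

# Constructed training data: connections per minute during a quiet period.
NORMAL_TRAFFIC = [40, 42, 38, 45, 41, 39, 44, 43, 40, 42, 37, 46, 41, 40, 43, 39]

# Constructed observation window. Minute 3 is a worm outbreak for which no
# signature exists yet, minute 5 is a legitimate backup job, and minutes 7-9
# are a slow attack adding only ~6 connections/minute on top of normal load.
OBSERVED = [41, 44, 39, 120, 43, 55, 40, 47, 47, 47, 42]


def build_baseline(samples: list[int], k: float = 3.0) -> dict:
    """Summarise known-normal traffic and derive the clipping level."""
    mean = statistics.mean(samples)
    stdev = statistics.stdev(samples)
    return {"mean": mean, "stdev": stdev, "k": k,
            "clipping_level": mean + k * stdev}


def detect(baseline: dict, observed: list[int]) -> list[tuple[int, int]]:
    """Return (minute, value) for every observation above the clipping level."""
    level = baseline["clipping_level"]
    return [(i, v) for i, v in enumerate(observed) if v > level]


def run_demo(k: float = 3.0) -> list[tuple[int, int]]:
    """Baseline on NORMAL_TRAFFIC with the given k, then score OBSERVED."""
    return detect(build_baseline(NORMAL_TRAFFIC, k), OBSERVED)


if __name__ == "__main__":
    b = build_baseline(NORMAL_TRAFFIC)
    print(f"mean={b['mean']:.2f} stdev={b['stdev']:.2f} "
          f"clipping level={b['clipping_level']:.2f}")
    for minute, value in run_demo():
        print(f"ALERT minute {minute}: {value} connections/min")
```

With k = 3 the worm is caught without any signature (minute 3), the backup job is a false positive (minute 5), and the slow attack stays under the clipping level and is missed. Lowering k to 2 catches the slow attack as well, at the price of turning more ordinary fluctuation into alerts; choosing k is the tuning trade-off the page's "tuning" term refers to.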
Signature-based detection
Also known as knowledge-based detection or misuse detection: the examination of system or network data in search of patterns that match known attack signatures.
- examines network traffic in search of patterns that match known signatures
- widely used because many attacks have clear and distinct signatures
- a problem with this approach is that new attack patterns must continually be added to the IDPS's database of signatures; an attack with no signature yet goes undetected
- a slow, methodical attack involving multiple events might escape detection if each event is examined on its own
Advanced technologies
Can be used to enhance the security of info assets
Active IDPS response
Collecting additional info about the intrusion, modifying the network environment, and taking action against the intrusion
IDPS response to external stimulation
Depends on the configuration and function of the IDPS; many response options are available
- responses can be classified as active or passive
- many IDPSs can generate routine reports and other detailed documents
- failsafe features protect an IDPS from being circumvented
Many intrusion detection and prevention systems (IDPSs)
Enable administrators to configure the system to notify them directly of trouble via email or pager; systems can also be configured to notify an external security service organization of a "break-in"
Properly implemented technical solutions guided by policy are
Essential to an info security program
Network Behavior Analysis (NBA) systems
Identify problems related to the flow of traffic
- types of events commonly detected include denial-of-service (DoS) attacks, scanning, worms, unexpected application services, and policy violations
- NBA sensors can be deployed passively (watching a copy of the traffic) or inline (in the traffic path), and some products support both; only an inline sensor can block traffic, so the intrusion prevention capabilities on offer depend on the deployment mode
Wireless NIDPS
Monitors and analyzes wireless network traffic
- issues associated with it include physical security of the sensors, sensor range, access point (AP) and wireless switch locations, wired network connections, and cost
IDPSs operate as
Network-based or host-based systems
- a network-based IDPS is focused on protecting network information assets
- a wireless IDPS focuses on wireless networks
- a network behavior analysis IDPS examines traffic flow on a network in an attempt to recognize abnormal patterns
Protection of org's access
Relies at least as much on managerial controls as on technical safeguards
log file monitor (LFM)
Reviews log files generated by servers, network devices, and even other IDPSs for patterns and signatures; similar in approach to an NIDPS
- patterns that signify an attack may be much easier to identify when the entire network and its systems are viewed as a whole
- requires considerable resources, since it involves the collection, movement, storage, and analysis of large quantities of log data
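The whole-network point above, as an added example that is not part of the original notes: a Python log file monitor that parses syslog-style sshd lines collected from three hosts and applies a failed-login threshold twice, once per host and once across the network. The log lines, host names, IP addresses (from documentation ranges), threshold and window are all constructed; the syslog timestamp carries no year, so 2024 is assumed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Added example, not from the page: a log file monitor (LFM). Per host each
# source stays under the brute-force threshold; only the network-wide view
# shows one source working through the whole estate. All lines constructed.

LOG_LINES = """\
Mar 12 10:00:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 12 10:00:03 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Mar 12 10:00:04 web01 CRON[2210]: (root) CMD (run-parts /etc/cron.hourly)
Mar 12 10:00:06 web01 sshd[2203]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar 12 10:00:09 web01 sshd[2205]: Failed password for alice from 198.51.100.5 port 40022 ssh2
Mar 12 10:00:11 web01 sshd[2205]: Accepted publickey for alice from 198.51.100.5 port 40022 ssh2
Mar 12 10:01:02 db01 sshd[887]: Failed password for invalid user admin from 203.0.113.7 port 51300 ssh2
Mar 12 10:01:05 db01 sshd[887]: Failed password for invalid user oracle from 203.0.113.7 port 51302 ssh2
Mar 12 10:01:08 db01 sshd[889]: Failed password for root from 203.0.113.7 port 51305 ssh2
Mar 12 10:02:01 mail01 sshd[4410]: Failed password for invalid user admin from 203.0.113.7 port 51400 ssh2
Mar 12 10:02:03 mail01 sshd[4410]: Failed password for invalid user postfix from 203.0.113.7 port 51402 ssh2
Mar 12 10:02:07 mail01 sshd[4412]: Failed password for root from 203.0.113.7 port 51405 ssh2
"""

# Signature for one failed SSH password login in OpenSSH's syslog format.
FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port")

ASSUMED_YEAR = 2024  # syslog timestamps carry no year


def parse_failures(text: str) -> list[dict]:
    """Extract failed-login events; everything else (cron, accepted logins) is noise."""
    events = []
    for line in text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
        events.append({"ts": ts, "host": m["host"], "user": m["user"], "src": m["src"]})
    return sorted(events, key=lambda e: e["ts"])


def max_in_window(times: list[datetime], window_s: int) -> int:
    """Largest number of (sorted) events inside any window_s-second span."""
    best, start = 0, 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best


def alerts(events: list[dict], threshold: int, window_s: int,
           network_wide: bool) -> list[tuple]:
    """Group failures by (host, src), or by src alone, and apply the threshold."""
    groups = defaultdict(list)
    for e in events:
        key = e["src"] if network_wide else (e["host"], e["src"])
        groups[key].append(e["ts"])
    return sorted((key, n) for key, times in groups.items()
                  if (n := max_in_window(times, window_s)) >= threshold)


if __name__ == "__main__":
    ev = parse_failures(LOG_LINES)
    print("per-host alerts:    ", alerts(ev, threshold=5, window_s=600, network_wide=False))
    print("network-wide alerts:", alerts(ev, threshold=5, window_s=600, network_wide=True))
```

Each host on its own sees three failures from 203.0.113.7, well under a threshold of five; the combined view sees nine in just over two minutes. Getting to that combined view is exactly the collection, movement and storage cost the page lists as the LFM's drawback.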
Passive IDPS response
Setting off alarms or notifications, and collecting passive data through SNMP traps
Stateful Protocol Analysis (SPA)
The comparison of vendor-supplied profiles of protocol use and behavior against observed data and network patterns, in an effort to detect misuse and attacks.
- stores and uses relevant data detected in a session to identify intrusions involving multiple requests and responses; this allows the IDPS to detect specialized, multi-request attacks that no single packet reveals (sometimes called deep packet inspection)
- drawbacks: analytical complexity; heavy processing overhead; may fail to detect an intrusion unless the protocol violates fundamental behavior; may interfere with normal operation of the protocol
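Both the signature-based weakness noted earlier (a multi-event attack that no single line reveals) and the stateful protocol analysis described here, as one added example that is not part of the original notes: the same constructed SMTP client sessions are run through a stateless signature matcher and through a session state machine. The protocol model is a deliberately simplified subset of SMTP, the two signatures and the recipient limit are illustrative values, and the sessions are constructed.

```python
import re

# Added example, not from the page. (1) signature_scan inspects each command
# in isolation against known bad patterns; (2) stateful_scan tracks where the
# session is in the SMTP command sequence and remembers what it has seen, so
# it can flag behaviour that is only wrong in context or in aggregate.

# Stateless signatures: things that are suspicious in a single line.
SIGNATURES = {
    "nop-sled": re.compile("\x90{16,}"),                    # shellcode padding
    "oversized-command": re.compile(r"^[A-Z]{4}(?: |:).{512,}$"),
}


def signature_scan(lines: list[str]) -> list[str]:
    """Knowledge-based detection: flag any line matching a known pattern."""
    return [f"line {n}: {name}"
            for n, line in enumerate(lines)
            for name, pat in SIGNATURES.items() if pat.search(line)]


class SmtpSession:
    """Minimal client-side SMTP state machine with per-session counters."""
    RCPT_HARVEST_LIMIT = 10   # assumed tuning value, not an SMTP constant

    def __init__(self):
        self.state = "INIT"   # INIT -> GREETED -> MAIL -> RCPT -> DATA
        self.rcpt_count = 0
        self.alerts: list[str] = []

    def feed(self, line: str) -> None:
        verb = line.split(" ", 1)[0].split(":", 1)[0].upper()
        if verb in ("HELO", "EHLO"):
            self.state = "GREETED"
        elif verb == "MAIL":
            if self.state == "INIT":
                self.alerts.append("MAIL FROM before HELO/EHLO")
            self.state, self.rcpt_count = "MAIL", 0
        elif verb == "RCPT":
            if self.state not in ("MAIL", "RCPT"):
                self.alerts.append("RCPT TO without preceding MAIL FROM")
            self.state = "RCPT"
            self.rcpt_count += 1
            if self.rcpt_count == self.RCPT_HARVEST_LIMIT:
                self.alerts.append(
                    f"{self.rcpt_count} recipients in one transaction (directory harvest)")
        elif verb == "DATA":
            if self.state != "RCPT":
                self.alerts.append("DATA without any recipient")
            self.state = "DATA"
        elif verb == "RSET":
            self.state, self.rcpt_count = "GREETED", 0
        elif verb == "QUIT":
            self.state = "QUIT"
        # other verbs (NOOP, VRFY, ...) are ignored by this simplified model


def stateful_scan(lines: list[str]) -> list[str]:
    """Stateful protocol analysis: judge each command in the light of the session."""
    s = SmtpSession()
    for line in lines:
        s.feed(line)
    return s.alerts


# Constructed sessions (client commands only).
NORMAL = ["EHLO client.example", "MAIL FROM:<a@example.com>",
          "RCPT TO:<b@example.org>", "DATA", "QUIT"]
EXPLOIT = ["EHLO client.example", "MAIL FROM:<" + "\x90" * 64 + "@x>", "QUIT"]
HARVEST = (["EHLO probe.example", "MAIL FROM:<x@probe.example>"]
           + [f"RCPT TO:<user{i}@example.org>" for i in range(12)]
           + ["QUIT"])
OUT_OF_ORDER = ["RCPT TO:<b@example.org>", "DATA", "QUIT"]

if __name__ == "__main__":
    for name, session in [("normal", NORMAL), ("exploit", EXPLOIT),
                          ("harvest", HARVEST), ("out-of-order", OUT_OF_ORDER)]:
        print(f"{name:13s} signature={signature_scan(session)} stateful={stateful_scan(session)}")
```

Each detector misses what the other catches: the recipient harvest is twelve individually harmless commands, so the signature matcher stays silent and only the session counter fires; the NOP sled is a perfectly well-formed MAIL FROM from the protocol's point of view, so the state machine stays silent (the page's "unless the protocol violates fundamental behavior" caveat) and only the signature fires. Real IDPSs run both methods for this reason.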