SECURITY + INTRUSION DETECTION AND PREVENTION 6.8


False Negative

False negative traffic assessment means that harmful traffic was allowed to pass without any alert being generated or any action being taken to prevent or stop it. This is the worst possible outcome for an IDS: the attack succeeds and nobody is warned.

False Positive

False positive traffic assessment means that the system identified harmless traffic as offensive and generated an alarm or stopped the traffic. In an IPS this blocks legitimate traffic, so false positives carry an availability cost as well as wasted analyst time.

An NIDS is particularly well suited

for detecting port scanning and DoS attacks, because both show up as patterns across many hosts or connections that no single host can see on its own; deployed inline as an IPS it can also block them.

A sensor passes data

from the data source to the analyzer

With entrapment, you actively

solicit users to visit the system where they might be encouraged or tricked into attempting illegal access.

IDS signatures are written and updated by

the IDS vendor in response to identified vulnerabilities

Entrapment is

the process of encouraging a person to take dishonest or criminal actions when the person would have otherwise been unlikely to have taken that action

IDS administration is usually accomplished

through a console by an operator (IDS user or administrator) that monitors events and alerts, and controls sensors

An active IDS can be used to prevent

unauthorized access and attack

When implementing a layered defense

use both an IDS (detection and alerting) and an IPS (prevention) to best protect your system

A passive IDS will alert

the network administrator when prevention has failed, and then document the breaches to the system

If you are using a switch on your network,

your IDS must be connected to a special port, called a spanning (SPAN), mirror, or diagnostic port, that the switch configures to receive a copy of the traffic from the other ports or VLANs you select, so that the IDS can see all traffic on that segment. A mirror port delivers a copy, not the original flow: if the mirrored traffic exceeds the port's bandwidth the switch silently drops frames, so the IDS can miss packets under load.

An NIDS should be placed at

all critical junctions within a network, including backbones and critical choke points, such as:
- Inside the DMZ
- Behind the internal firewall in the corporate LAN
- Near your critical information assets

Firewalls use

an access control list (ACL) to filter packets based on packet header information. Because the ACL inspects only headers, a packet-filtering firewall can filter packets by port, protocol, or IP address, but not by payload content (that is the job of an application-aware IDS/IPS).
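To make the ACL card concrete, here is an added example (not code from the original page) of a first-match, stateless packet filter in Python. The rule syntax, the Packet and Rule names, the anti-spoofing rules and the sample DMZ address (203.0.113.10, from the TEST-NET-3 documentation range) are assumptions constructed for illustration.

```python
"""Stateless packet filter: a first-match ACL evaluated over header fields only.

Added example, not from the original page. Rule syntax, names and the sample
packets are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str                     # source IPv4 address
    dst: str                     # destination IPv4 address
    dport: Optional[int] = None  # destination port; None for icmp


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"       # CIDR; 0.0.0.0/0 matches every address
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None = any port

    def matches(self, pkt: Packet) -> bool:
        """A rule matches only when every header field it constrains agrees."""
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


# Assumed edge ACL protecting a DMZ web server at 203.0.113.10. Order matters:
# the anti-spoofing denies must come before the permits.
ACL = [
    Rule("deny", src="10.0.0.0/8"),        # RFC 1918 source arriving from outside = spoofed
    Rule("deny", src="172.16.0.0/12"),
    Rule("deny", src="192.168.0.0/16"),
    Rule("permit", proto="tcp", dst="203.0.113.10/32", dport=443),
    Rule("permit", proto="tcp", dst="203.0.113.10/32", dport=80),
    Rule("permit", proto="icmp", dst="203.0.113.10/32"),
    # Implicit "deny any" at the end: evaluate() returns "deny" when nothing matches.
]


def evaluate(acl, pkt: Packet) -> str:
    """Return the action of the first rule matching pkt, else the implicit deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


if __name__ == "__main__":
    for pkt in (
        Packet("tcp", "198.51.100.7", "203.0.113.10", 443),   # permit
        Packet("tcp", "198.51.100.7", "203.0.113.10", 22),    # implicit deny
        Packet("tcp", "10.1.2.3", "203.0.113.10", 443),       # spoofed source, deny
        Packet("icmp", "198.51.100.7", "203.0.113.10"),       # permit
    ):
        print(pkt, "->", evaluate(ACL, pkt))
```

Note that nothing here looks at the payload, which is why the same SSH-on-443 or SQL-injection-over-HTTPS traffic sails through a packet filter and has to be caught by an application-aware IDS/IPS behind it.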

A tarpit can also transfer

an attacker to a padded cell, a safe environment where no critical data is stored.

Be aware that an NIDS cannot

analyze encrypted traffic

The engine, or analyzer,

analyzes sensor data and events, generates alerts, and logs activity

An NIDS is typically implemented

as part of a firewall device acting as a router. When implemented as a stand-alone device,

In the padded cell, the attacker

can be monitored where harm cannot be caused

One way to protect your real servers and networks is to

create fake resources that appear to contain valuable information.

IPS Sensor

A sensor that is connected inline between an external network and the edge router or firewall that drops packets and defends against an attack before it enters the internal network.

IDS Sensor

A sensor that is connected between the edge router or firewall and the uplink port of an aggregation switch and analyzes packets. Unlike the IPS sensor it only inspects and alerts; even when it sits inline it does not drop traffic, so a copy of the traffic from a tap or mirror port serves it just as well.

Intrusion Detection System (IDS)

A special network device or system of network devices that can detect attacks and suspicious activity. When it can also block the activity it detects, it is called an intrusion prevention system (IPS).

Aggregation Switch

A switch that combines multiple network connections in parallel to increase throughput. An IDS should be placed between the edge router or firewall and the uplink port of an aggregation switch, where all traffic entering the internal network is concentrated.

Signature recognition usually causes

more false negatives than anomaly-based IDS.

IDS systems can use

multiple data sources to find attacks. They can analyze audit files, system logs, and real-time traffic.

Intrusion detection and protection systems are not

mutually exclusive

An application-aware IDS or IPS can analyze

network packets to detect malicious payloads targeted at application-layer services (such as a web server).

An NIDS is typically unaware

of individual hosts on the network. It cannot be detected by attacking systems.

A control center should be

set up to receive all IDS data

This is where all decision-making

should take place with regard to IDS communications

VPN Concentrator

A type of networking device that provides secure creation of VPN connections and delivery of messages between VPN nodes. If an IDS is placed external to a VPN concentrator, it will not be capable of analyzing the encrypted network traffic; place it on the internal (decrypted) side.

SSL Accelerator

A hardware device added to a server that increases performance by performing the processor-intensive public-key operations of the TLS/SSL handshake. An IDS should be placed internal to (behind) an SSL accelerator so that it sees the decrypted network traffic.

Load Balancer

A hardware device that distributes network traffic to multiple servers. An IPS should be placed external to any load balancing systems

Prevention

Examples of preventive controls: access controls, firewalls, IPS, security guard.

Analysis or Correlation Engine

An IDS component that analyzes the data collected by the traffic collector.

Traffic Collector

An IDS component that gathers activity and event data for analysis such as inbound and outbound traffic metrics.

filter

An IDS feature used to run important IDS data through a query that removes or ignores less important IDS data.

IPS/IDS

An intrusion detection system (IDS) and an intrusion prevention system (IPS) are devices that scan packet contents looking for patterns that match known malicious attacks. Signature files identify the patterns of all known attacks. When a packet matches the pattern in a signature file, an alert can be sent (IDS) or the packet can be dropped (IPS).

response capability

An intrusion detection system can be classified by how it responds when a threat is detected:

you must direct all traffic to the IDS device using one of the following strategies

- Connect the IDS and the other devices using a hub. The IDS will then see all traffic sent to all devices on the subnet.
- Connect the IDS to a switch and enable spanning (port mirroring) on the switch port, so that the switch copies all selected traffic to that port.
- Use a tap to connect the IDS directly to the network medium.

IDS features

IDS administration is usually accomplished through a console by an operator (IDS user or administrator) that monitors events and alerts, and controls sensors. IDS systems can use multiple data sources to find attacks. They can analyze audit files, system logs, and real-time traffic. A sensor passes data from the data source to the analyzer. The engine, or analyzer, analyzes sensor data and events, generates alerts, and logs activity. An alert is a message indicating an event of interest (such as a possible attack). The IDS labels traffic based on its interpretation of whether or not the traffic poses a threat.

Be aware of the following security facts about intruder detection:

- An IDS can miss frames when the network is too busy.
- IDS log reports become unreliable if the system is compromised, because the attacker may have modified the log files.
- When an intruder is detected, stopping the intrusion is often more important than continuing in the hope of gathering additional information to catch the attacker. Allowing an intruder to spend any additional time inside your network can lead to further breaches of confidentiality.
- After you have taken measures to stop an attack, document the incident. Make backups of the logs and audit files to retain information about the attack for future investigations.
- After audit trails are secured, repairing damage, deploying new countermeasures, and even updating the security policy are reasonable activities to perform.
- If you were unable to discover the identity of the perpetrator or the means of attack, future review of the evidence and comparison to other incidents may reveal important details or patterns.
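The point about log reports becoming unreliable once the sensor host is compromised is easier to act on with a concrete check. Below is an added example (not code from the original page) of a tamper-evident IDS log: every record carries an HMAC that also covers the previous record's tag, so edits and deletions in the middle break the chain. The key, the record format, the sample alert lines and the "last tag shipped to the control center" idea are constructed assumptions; in practice the key must not live on the monitored host, since an attacker with root there can read it too.

```python
"""Tamper-evident IDS log: each record's HMAC chains to the previous record.

Added example, not from the original page. The key, the record format and the
sample alert lines are constructed assumptions.
"""
import hashlib
import hmac

GENESIS = "0" * 64  # tag assumed for the record before the first one

# Assumption: in a real deployment the key lives on the control center / KMS,
# never on the sensor whose logs it protects.
KEY = b"constructed-demo-key-do-not-reuse"

# Constructed sample alert records as a sensor might write them.
SAMPLE_ALERTS = [
    "2024-01-01T10:00:01Z sensor=dmz01 sig=sqli-union src=198.51.100.7 dst=203.0.113.10 action=alert",
    "2024-01-01T10:00:05Z sensor=dmz01 sig=path-traversal src=198.51.100.7 dst=203.0.113.10 action=alert",
    "2024-01-01T10:00:09Z sensor=dmz01 sig=cmd-injection src=198.51.100.7 dst=203.0.113.10 action=drop",
]


def _tag(key: bytes, prev_tag: str, line: str) -> str:
    return hmac.new(key, (prev_tag + "\n" + line).encode(), hashlib.sha256).hexdigest()


def append_record(chain, key: bytes, line: str) -> str:
    """Append line to chain; its tag covers the line and the previous tag."""
    prev_tag = chain[-1][1] if chain else GENESIS
    tag = _tag(key, prev_tag, line)
    chain.append((line, tag))
    return tag


def verify_chain(chain, key: bytes, last_tag_at_control_center=None):
    """Return the index of the first bad record, len(chain) if records were
    truncated from the tail, or None if the chain is intact."""
    prev_tag = GENESIS
    for i, (line, tag) in enumerate(chain):
        if not hmac.compare_digest(_tag(key, prev_tag, line), tag):
            return i
        prev_tag = tag
    # A pure hash chain cannot see records removed from the end: the remaining
    # prefix is still internally consistent. Anchoring the newest tag off-host
    # (e.g. at the control center) closes that gap.
    if last_tag_at_control_center is not None and not hmac.compare_digest(
        prev_tag, last_tag_at_control_center
    ):
        return len(chain)
    return None


def build_chain(key=KEY, lines=SAMPLE_ALERTS):
    chain = []
    for line in lines:
        append_record(chain, key, line)
    return chain


def tamper_delete(chain, index):
    """Attacker removes one record (e.g. the one naming their IP)."""
    return chain[:index] + chain[index + 1:]


def tamper_edit(chain, index, new_line):
    """Attacker rewrites a record's text but cannot recompute its tag without the key."""
    return chain[:index] + [(new_line, chain[index][1])] + chain[index + 1:]


if __name__ == "__main__":
    chain = build_chain()
    anchor = chain[-1][1]  # shipped to the control center as each record is written
    print("intact:", verify_chain(chain, KEY))
    print("record 1 deleted:", verify_chain(tamper_delete(chain, 1), KEY))
    print("record 0 edited:", verify_chain(tamper_edit(chain, 0, "nothing to see here"), KEY))
    print("tail truncated, no anchor:", verify_chain(tamper_delete(chain, 2), KEY))
    print("tail truncated, with anchor:", verify_chain(tamper_delete(chain, 2), KEY, anchor))
```

The truncation case is the one to remember: without the off-host anchor, an attacker who simply deletes the newest records leaves a chain that still verifies, which is why the card's advice to back up logs somewhere the intruder cannot reach matters more than the integrity check itself.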

Signature recognition is the most common

IDS recognition type.

Taps and Port Mirrors

If an IDS or IPS can't be placed inline, a tap (test access port) device can be used. The tap is placed inline and provides an additional port that echoes all traffic passing through the tap. A switch's spanning port is also known as a port mirror. A copy of all network packets seen on the switch is sent to the spanning port or port mirror. A spanning port is an ideal location for connecting an IDS.

Detection

Examples of detective controls: log analysis, auditing, IDS, camera.

Negative

Negative traffic assessment means that the system deemed the traffic harmless and let it pass

The two main goals of using these solutions are to:

Offer the attackers targets that will occupy their time and attention, distracting them from valid resources. Observe the attackers to gather information about the methods of attack or to gather evidence to assist in identification or prosecution

The IDS labels traffic based on its interpretation of whether or not the traffic poses a threat, as summarized in the following table:

Label            Traffic was   IDS reaction                       Outcome
Positive         harmful       alert raised / attack stopped      correct
False positive   harmless      alert raised / traffic stopped     wrong: wasted analyst time, legitimate traffic blocked
Negative         harmless      passed silently                    correct
False negative   harmful       passed silently                    wrong: the worst case for an IDS

Positive

Positive traffic assessment means that the system detected an attack and the appropriate alarms and notifications were generated or the correct actions were performed to prevent or stop the attack.

There are several ways to describe typical detection systems:

- Response capability
- Recognition method
- Detection scope

Detection Scope

Systems can be classified based on where the system runs and the scope of threats it looks for

Recognition Method

The recognition method defines how the system distinguishes attacks and threats from normal activity.

A network-based IDS (NIDS) is

a dedicated device installed on the network. It analyzes all traffic on the network

Honeypot is

a device or virtual machine that entices intruders by displaying a vulnerable trait or flaw or by appearing to contain valuable data

Anti-virus software is the most common form of

a host-based IDS.

A honeynet

a network of honeypots

Signature-based recognition cannot

detect unknown attacks; it can only detect attacks identified in published signature files. For this reason, it is important to update signature files on a regular basis.

Honeypots are often placed

inside the padded cell.

A tarpit (also called a sticky honeypot)

is a honeypot that answers connection requests in such a way that the attacking computer is "stuck" for a period of time

The IDS labels traffic based on

its interpretation of whether or not the traffic poses a threat: positive, false positive, negative, or false negative.

Signature recognition, also referred to as pattern matching, dictionary recognition, or misuse-detection (MD-IDS)

looks for patterns in network traffic and compares them to known attack patterns called signatures

Enticement is the process of using a honeypot or honeynet to

lure an attacker in. With enticement, the vulnerable system exists, but is unlikely to be detected by a user without malicious intent

An alert is a

message indicating an event of interest (such as a possible attack)

Anomaly recognition, also referred to as behavior, heuristic, or statistical recognition

monitors traffic to define a standard activity pattern as normal. Clipping levels (thresholds) are defined and used to identify deviations from the norm; when a threshold is crossed, an alert is generated or an action is taken.
- Anomaly-based systems can recognize and respond to some unknown attacks (attacks that have no corresponding signature).
- Anomaly recognition usually causes more false positives than a signature-based IDS.
- Anomaly-based systems can be fooled by incremental changes that stay within the clipping level: each small change is absorbed into the baseline as the new normal, so a much higher level of irregularity eventually goes unnoticed.
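The signature and anomaly cards above, and the positive / false positive / negative / false negative labels, come together in the added example below (not code from the original page). It runs three simplified signatures over constructed request lines with known ground truth to score the four outcomes, then runs a clipping-level detector over constructed per-minute traffic counts to show both a burst being caught and the failure mode the anomaly card warns about: an adaptive baseline that lets a slow ramp train itself in as normal. The signatures, the sample requests, the traffic counts and the 1.5x clipping level are all assumptions for illustration.

```python
"""Signature vs anomaly recognition over constructed sample data.

Added example, not code from the original page. The three signatures, the
sample request lines with their ground-truth labels, and the per-minute
traffic counts are all constructed assumptions for illustration.
"""
import re
from collections import Counter

# --- Signature (misuse) recognition ------------------------------------------
# Simplified patterns, not vendor rules. Events are URL-decoded request lines.
SIGNATURES = [
    ("sqli-union",     re.compile(r"union\s+(all\s+)?select", re.I)),
    ("path-traversal", re.compile(r"(\.\./){2,}")),
    ("cmd-injection",  re.compile(r"[;|&]\s*(cat|sh|bash|nc)\b", re.I)),
]


def signature_match(event: str):
    """Return the name of the first matching signature, or None (no alert)."""
    for name, pattern in SIGNATURES:
        if pattern.search(event):
            return name
    return None


# (request line, truly malicious?) -- constructed ground truth for scoring
SAMPLE_EVENTS = [
    ("GET /index.html HTTP/1.1", False),
    ("GET /search?q=laptop HTTP/1.1", False),
    ("GET /search?q=1' UNION SELECT user,pass FROM users-- HTTP/1.1", True),
    ("GET /files?name=../../../../etc/passwd HTTP/1.1", True),
    ("GET /ping?host=127.0.0.1;cat /etc/shadow HTTP/1.1", True),
    ("GET /forum?title=union select vs join HTTP/1.1", False),                    # benign text trips the signature
    ("GET /search?q=1' UNION/**/SELECT user,pass FROM users-- HTTP/1.1", True),  # SQL comment replaces whitespace: evades it
]


def classify(detector, events):
    """Score a detector's verdicts against ground truth as positive, false positive,
    negative or false negative (the four labels from the traffic-assessment table)."""
    counts = Counter()
    for event, malicious in events:
        alerted = detector(event) is not None
        if alerted and malicious:
            counts["positive"] += 1
        elif alerted:
            counts["false positive"] += 1
        elif malicious:
            counts["false negative"] += 1
        else:
            counts["negative"] += 1
    return dict(counts)


# --- Anomaly (statistical) recognition ---------------------------------------
def anomaly_alerts(counts_per_minute, clipping_level=1.5, adaptive=False, alpha=0.3):
    """Return the minutes whose request count exceeds baseline * clipping_level.

    adaptive=False: the baseline stays fixed at the first sample (the learned normal).
    adaptive=True:  the baseline is an exponential moving average of the minutes that
    did not alert, which is exactly what lets a slow ramp be trained in as 'normal'."""
    baseline = float(counts_per_minute[0])
    alerts = []
    for minute, count in enumerate(counts_per_minute):
        if count > baseline * clipping_level:
            alerts.append(minute)
        elif adaptive:
            baseline = (1 - alpha) * baseline + alpha * count
    return alerts


BURST = [100, 100, 100, 400, 100]                                # sudden flood: both modes alert
SLOW_RAMP = [100, 110, 125, 140, 160, 180, 205, 235, 270, 310]   # creeps up to 3x normal

if __name__ == "__main__":
    print("signature scoring:      ", classify(signature_match, SAMPLE_EVENTS))
    print("burst, fixed baseline:   ", anomaly_alerts(BURST))
    print("burst, adaptive baseline:", anomaly_alerts(BURST, adaptive=True))
    print("ramp, fixed baseline:    ", anomaly_alerts(SLOW_RAMP))
    print("ramp, adaptive baseline: ", anomaly_alerts(SLOW_RAMP, adaptive=True))
```

The two mis-scored requests are the practical lesson: the forum title is a false positive that an analyst has to triage, and the `UNION/**/SELECT` variant is a false negative that a signature tuned to whitespace simply never sees, which is why signature sets need continual updates and why the anomaly side, with a fixed baseline, still flags the tripled request rate that the adaptive baseline quietly absorbed.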

A passive IDS

monitors, logs, and detects security breaches, but takes no action to stop or prevent the attack. A passive IDS:
- Can send an alert, but it is the network administrator's job to interpret the degree of the threat and respond accordingly.
- Might also perform shunning, which is simply dropping offending traffic without additional actions.
- Cannot be detected on the network because it takes no detectable action.

A host-based IDS (HIDS) is installed

on a single host and monitors all traffic coming in to that host. A host-based IDS:
- Is used to detect attacks that are unique to the services on the system. It can monitor application activity and modifications, as well as local system files, logon audit files, and kernel audit files.
- Is typically unaware of other devices on the network, but can itself be detected and could be the target of an attack.
- May rely on the auditing and logging capabilities of the operating system.
- Can analyze encrypted traffic (because the services running on the host decrypt it).
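The "monitor local system files" part of the HIDS card is the classic file-integrity check. Below is an added example (not code from the original page) that takes a SHA-256 and permission-bit baseline of a directory tree, then diffs a later snapshot against it. The miniature host layout (etc/passwd, etc/sshd_config, bin/ls) is constructed in a temporary directory, and the simulated tampering (a backdoor account, a weakened sshd setting, a setuid bit, a hidden new binary) is an assumption for illustration; the choice of SHA-256 and the report layout are also assumptions.

```python
"""Minimal host-based file integrity check: hash/mode baseline vs. current snapshot.

Added example, not from the original page. The directory layout and the
simulated tampering are constructed in a temporary directory.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of the file content, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each regular file under root (path relative to root) to (sha256, mode bits)."""
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            mode = p.stat().st_mode & 0o7777   # permission bits incl. setuid/setgid/sticky
            snap[p.relative_to(root).as_posix()] = (file_digest(p), mode)
    return snap


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed, changed in content, or changed in permissions."""
    report = {"added": [], "removed": [], "modified": [], "mode_changed": []}
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline:
            report["added"].append(name)
        elif name not in current:
            report["removed"].append(name)
        else:
            old_hash, old_mode = baseline[name]
            new_hash, new_mode = current[name]
            if old_hash != new_hash:
                report["modified"].append(name)
            if old_mode != new_mode:
                report["mode_changed"].append(name)
    return report


def demo() -> dict:
    """Build a constructed 'host', take a baseline, simulate an intrusion, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF-fake-binary")
        os.chmod(root / "bin" / "ls", 0o755)
        baseline = snapshot(root)   # in practice: stored off-host or on read-only media

        # Simulated intrusion: backdoor uid-0 account, weakened sshd config,
        # setuid bit added to a binary, hidden new file dropped in bin/.
        with (root / "etc" / "passwd").open("a") as f:
            f.write("backdoor:x:0:0::/:/bin/bash\n")
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        os.chmod(root / "bin" / "ls", 0o4755)
        (root / "bin" / ".hidden").write_bytes(b"\x7fELF-rootkit")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind:13s} {names}")
```

A real HIDS adds the pieces this sketch leaves out: a baseline stored where the intruder cannot rewrite it, scheduled or inotify-driven rescans, and an exclusion list for files that legitimately change (logs, spools), since otherwise the modified list is all false positives.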

When implementing these solutions, be careful that your design does not inadvertently entice

otherwise-honest users into taking dishonest actions

An active IDS, also called an intrusion protection system (IPS),

performs the functions of an IDS but can also react when security breaches occur. An IPS:
- Can automate responses, which may include dynamic policy adjustment and reconfiguration of supporting network devices to block the offending traffic.
- Can terminate sessions (e.g., by sending a TCP RST to both ends of the connection) or terminate or restart other processes on the system.
- Performs behaviors that can be seen by anyone watching the network. Usually these actions are necessary to block malicious activity or discover the identity of an intruder.
- Updating filters and performing reverse lookups are common behaviors of an active IDS.

