SECURITY + INTRUSION DETECTION AND PREVENTION 6.8
False Negative
False negative traffic assessment means that harmful traffic was allowed to pass without any alerts being generated or any actions being taken to prevent or stop it. This is the worst possible outcome for an IDS.
False Positive
False positive traffic assessment means that the system identified harmless traffic as offensive and generated an alarm or stopped the traffic.
An NIDS is particularly well suited
for detecting and blocking port scanning and DoS attacks.
A sensor passes data
from the data source to the analyzer.
With entrapment, you actively
solicit users to visit the system where they might be encouraged or tricked into attempting illegal access.
IDS signatures are written and updated by
the IDS vendor in response to identified vulnerabilities.
Entrapment is
the process of encouraging a person to take dishonest or criminal actions when the person would otherwise have been unlikely to take that action.
IDS administration is usually accomplished
through a console by an operator (IDS user or administrator) who monitors events and alerts and controls sensors.
An active IDS can be used to prevent
unauthorized access and attacks.
When implementing a layered defense
use both to best protect your system.
A passive IDS will alert
the network administrator when prevention has failed and then document breaches to the system.
If you are using a switch on your network,
your IDS must be placed on a special port called a spanning or diagnostic port that directly connects to the backbone of the switch so that the IDS can see all traffic on that segment.
An NIDS should be placed at
all critical junctions within a network, including backbones and critical choke points, such as:
Inside the DMZ
Behind the internal firewall in the corporate LAN
Near your critical information assets
Firewalls use
an access control list (ACL) to filter packets based on packet header information. Firewalls can filter packets based on port, protocol, or IP address.
A tarpit can also transfer
an attacker to a padded cell, a safe environment where no critical data is stored.
Be aware that an NIDS cannot
analyze encrypted traffic.
The engine, or analyzer,
analyzes sensor data and events, generates alerts, and logs activity.
An NIDS is typically implemented
as part of a firewall device acting as a router. When implemented as a stand-alone device,
In the padded cell, the attacker
can be monitored where no harm can be caused.
One way to protect your real servers and networks is to
create fake resources that appear to contain valuable information,
IPS Sensor
A sensor that is connected inline between an external network and the edge router or firewall that drops packets and defends against an attack before it enters the internal network.
IDS Sensor
A sensor that is connected inline between the edge router or firewall and the uplink port of an aggregation switch that analyzes packets.
Intrusion Detection System (IDS)
A special network device or system of network devices that can detect attacks and suspicious activity and is sometimes called an intrusion prevention system (IPS).
Aggregation Switch
A switch that combines multiple network connections in parallel to increase throughput. An IDS should be placed inline between the edge router or firewall and the uplink port of an aggregation switch.
Signature recognition usually causes
more false negatives than anomaly-based IDS.
IDS systems can use
multiple data sources to find attacks. They can analyze audit files, system logs, and real-time traffic.
Intrusion detection and protection systems are not
mutually exclusive.
An application-aware IDS or IPS can analyze
network packets to detect malicious payloads targeted at application-layer services (such as a web server).
An NIDS is typically unaware
of individual hosts on the network. It cannot be detected by attacking systems.
A control center should be
set up to receive all IDS data.
This is where all decision-making
should take place regarding IDS communications.
VPN Concentrator
A type of networking device that provides secure creation of VPN connections and delivery of messages between VPN nodes. If an IDS is placed external to a VPN concentrator, it will not be capable of analyzing encrypted network traffic.
SSL Accelerator
A hardware device added to a server that increases performance by performing processor-intensive public-key encryption. An IDS should be placed internal to an SSL accelerator so that it can analyze decrypted network traffic.
Load Balancer
A hardware device that distributes network traffic to multiple servers. An IPS should be placed external to any load balancing systems.
Prevention
Access Controls
Firewalls
IPS
Guard
Analysis or Correlation Engine
An IDS component that analyzes the data collected by the traffic collector.
Traffic Collector
An IDS component that gathers activity and event data for analysis such as inbound and outbound traffic metrics.
Filter
An IDS feature used to run important IDS data through a query that removes or ignores less important IDS data.
IPS/IDS
An intrusion detection system (IDS) and an intrusion prevention system (IPS) are devices that scan packet contents looking for patterns that match known malicious attacks. Signature files identify the patterns of all known attacks. When a packet matches the pattern indicated in the signature file, the packet can be dropped or an alert can be sent.
Response Capability
An intrusion detection system can be classified by how it responds when a threat is detected.
You must direct all traffic to the IDS device using one of the following strategies:
Connect the IDS and other devices using a hub. The IDS will then see all traffic sent to all devices on the subnet.
Connect the IDS to a switch and enable spanning or diagnostic capabilities on the switch port to forward all traffic to that switch port.
Use a tap to connect the IDS directly to the network medium.
IDS features
IDS administration is usually accomplished through a console by an operator (IDS user or administrator) who monitors events and alerts and controls sensors.
IDS systems can use multiple data sources to find attacks. They can analyze audit files, system logs, and real-time traffic.
A sensor passes data from the data source to the analyzer.
The engine, or analyzer, analyzes sensor data and events, generates alerts, and logs activity.
An alert is a message indicating an event of interest (such as a possible attack).
The IDS labels traffic based on its interpretation of whether or not the traffic poses a threat.
Be aware of the following security facts about intruder detection:
An IDS can miss frames when the network is too busy.
IDS log reports become unreliable if the system is compromised, because the attacker may have modified the log files.
When an intruder is detected, stopping the intrusion is often more important than continuing to observe in the hope of gathering additional information to catch the attacker. Allowing an intruder to spend any additional time inside your network can lead to further breaches of confidentiality.
After you have taken measures to stop an attack, be sure to document the incident. Make backups of the logs and audit files to retain information about the attack for future investigations.
After audit trails are secured, repairing damage, deploying new countermeasures, and even updating the security policy are reasonable activities to perform.
If you were unable to discover the identity of the perpetrator or the means of attack, future review of the evidence and comparison to other incidents may reveal important details or patterns.
Signature recognition is the most common
IDS recognition type.
Taps and Port Mirrors
If an IDS or IPS can't be placed inline, a tap (test access port) device can be used. The tap is placed inline and provides an additional port that echoes all traffic passing through the tap. A switch's spanning port is also known as a port mirror. A copy of all network packets seen on the switch is sent to the spanning port or port mirror. A spanning port is an ideal location for connecting an IDS.
Detection
Log Analysis
Auditing
IDS
Camera
Negative
Negative traffic assessment means that the system deemed the traffic harmless and let it pass.
The two main goals of using these solutions are to:
Offer the attackers targets that will occupy their time and attention, distracting them from valid resources.
Observe the attackers to gather information about the methods of attack or to gather evidence to assist in identification or prosecution.
interpretation of whether or not the traffic poses a threat, as described in the following table:
Positive
False Positive
Negative
False Negative
Positive
Positive traffic assessment means that the system detected an attack and the appropriate alarms and notifications were generated or the correct actions were performed to prevent or stop the attack.
There are several ways to describe typical detection systems:
Response Capability
Recognition Method
Detection Scope
Detection Scope
Systems can be classified based on where the system runs and the scope of threats it looks for.
Recognition Method
The recognition method defines how the system distinguishes attacks and threats from normal activity.
A network-based IDS (NIDS) is
a dedicated device installed on the network. It analyzes all traffic on the network.
A honeypot is
a device or virtual machine that entices intruders by displaying a vulnerable trait or flaw or by appearing to contain valuable data.
Anti-virus software is the most common form of
a host-based IDS.
A honeynet is
a network of honeypots.
Signature-based recognition cannot
detect unknown attacks; it can only detect attacks identified by published signature files. For this reason, it is important to update signature files on a regular basis.
Honeypots are often placed
inside the padded cell.
A tarpit (also called a sticky honeypot)
is a honeypot that answers connection requests in such a way that the attacking computer is "stuck" for a period of time.
The IDS labels traffic based on
its interpretation of whether or not the traffic poses a threat, as described in the following table:
Signature recognition, also referred to as pattern matching, dictionary recognition, or misuse-detection (MD-IDS)
looks for patterns in network traffic and compares them to known attack patterns called signatures.
Enticement is the process of using a honeypot or honeynet to
lure an attacker in. With enticement, the vulnerable system exists, but it is unlikely to be discovered by a user without malicious intent.
An alert is a
message indicating an event of interest (such as a possible attack).
Anomaly recognition, also referred to as behavior, heuristic, or statistical recognition
monitors traffic to define a standard activity pattern as normal. Clipping levels or thresholds are defined and are used to identify deviations from the norm. When the threshold is reached, an alert is generated or action is taken.
Anomaly-based systems can recognize and respond to some unknown attacks (attacks that do not have a corresponding signature file).
Anomaly recognition usually causes more false positives than signature-based IDS.
Anomaly-based recognition systems can be fooled by incremental changes within the clipping level that cause the changed state to become the normal level of activity, thus allowing a higher level of irregularity to go unnoticed.
A passive IDS
monitors, logs, and detects security breaches, but takes no action to stop or prevent the attack. A passive IDS:
Can send an alert, but it is the network administrator's job to interpret the degree of the threat and respond accordingly.
Might also perform shunning, which is simply dropping offending traffic without additional actions.
Cannot be detected on the network because it takes no detectable action.
A host-based IDS (HIDS) is installed
on a single host and monitors all traffic coming in to the host. A host-based IDS:
Is used to detect attacks that are unique to the services on the system. It can monitor application activity and modifications, as well as local system files, logon audit files, and kernel audit files.
Is typically unaware of other devices on the network, but can be detected and could be the target of an attack itself.
May rely on the auditing and logging capabilities of the operating system.
Can analyze encrypted traffic (because services running on the host decrypt the traffic).
When implementing these solutions, be careful that your design does not inadvertently entice
otherwise honest users into taking dishonest actions.
An active IDS, also called an intrusion prevention system (IPS),
performs the functions of an IDS but can also react when security breaches occur. An IPS:
Can automate responses that may include dynamic policy adjustment and reconfiguration of supporting network devices to block the offending traffic.
Can terminate sessions (e.g., by sending a TCP RST) or terminate or restart other processes on the system.
Performs behaviors that can be seen by anyone watching the network. Usually these actions are necessary to block malicious activities or discover the identity of an intruder. Updating filters and performing reverse lookups are common behaviors of an active IDS.