View
277
Download
0
Category
Tags:
Preview:
Citation preview
Intrusion Prevention, Detection & Response
IDS vs IPS
IDS = Intrusion detection system IPS = intrusion prevention system
IDS
Monitors a system for Malicious activities. Policy violations
not all policy violations are malicious.
IDS Categories
Two categories of IDS: A network-based IDS monitors network data
packets for malicious activity. Example: Snort, Comodo-firewall
A host-based IDS analyzes any combination of system calls, applications logs, file modifications, and other host activities. Example: Tripwire, WinPatrol, Anti-Virus software
Passive vs Reactive IDS
Passive IDS
Logs the possible intrusion, and sends an alert. The alert could be an e-mail to SA staff; or posting
the alert on a monitored console (or both). This is how Tripwire behaves.
Reactive IDS
The reactive IDS, (aka IPS), would respond to an intrusion with a pre-configured defense strategy in real time.
Snort, e-mail filters, and many anti-virus packages can be configured to be reactive.
Revised Taxonomy
Revised Taxonomy for IDS vs IPS IDS is either Passive or Reactive.
An IPS prevents intrusions.
IPS (Revised Taxonomy)
Passwords Login Server (example: Kerberos) Firewalls : Consists of a combination of
hardware and software. Access controls applied to hardware, software,
and data. Physical security
IPS (Revised Taxonomy)
In Summary, the IPS is a barrier. The IDS is needed when the IPS barrier is
breached.
IPS : Firewall
A combination of software and hardware used to implement security policies governing the network traffic between two or more networks.
A firewall is a system used to enforce network traffic security policy.
IPS: Firewall System
1. Design the system
2. Acquire the hardware and software
3. Acquire training, documentation and support
4. Install and configure the system
5. Test the system
6. Maintain the system (sustainability cycle)
IPS : Other Systems
Implement Access controls Physical security Login Server
IPS Access Controls
Windows Professional provides access control lists.
Unix/Linux has a simple access control system: User, Group, World + read, write, execute
Princeton study showed that complex access controls lead to mis-configuration. Proper training is essential.
IPS : Physical Security
Previously covered: Locks on doors, limited access, keycards, proximity
badges, etc
IPS : Login Server
Kerberos is a common login server that goes beyond the user-id & password authentication process.
Kerberos was developed at MIT
Kerberos
Intrusion Detection Data: Characterization Information
Collect characterization information, CI. Characterization information must be monitored
regularly
IDS : Characterization Info
System logs File checksums System performance metrics provided by
system monitoring applications Expected activities by users and applications
CI : System Logs
System logs require
1) access controls
2) back-up
3) encrypted.
Unix/Linux/var/log
MS Windowssystemroot\WINDOWS\System32\Config\*.evt
Enable event logging and use the event viewer (eventvwr.msc)
System Log Files
• Log files can grow and use up space.
• Log files should periodically be backed-up then removed to make space for new log information.
Checksums
Tripwire creates a database of checksums for a list of specified files (data, source, binary, etc).
The data base of checksums acts as a baseline for comparison.
Common checksum algorithms:
MD5
SHA
CRC
System Performance Metrics
Server/computer system metrics Network activity metrics
System Resource CI
Report the top resource users (examples: top, sysstat)
CPU time usage
Memory usage (example: free)
Number of active processes (by all user-ids, including system ids)
Number of active open files
Number of files
IO data transfer
Disk space usage and free space
IO transfer rate
Other devices used by processes
Login sessions
Login attempts
Network Resource CI
Connection attempts Connection duration Number of connections Source & destination of data packets Bandwidth usage (by user and total) Transfer rates Error counts
E-mail CI
Number of sent messages Number of received messages Mail message sizes read/unread message count
Consider logs of other possible communication devices like telephones and company issued cell phones.
System Security Logging & Auditing Documentation
Document the characterization information to collect
log files
network CI
computing system CI, etc.
Document which events should produce an alert
Document system and application updates
Document roles and responsibilities of SA staff.
Document a sustainability cycle
Document an intrusion detection response
Intrusion Response Team
Create a security response team Document the responsibilities of the intrusion
response team members Document a contact list for the team Update the documentation regularly
(sustainability cycle) Document what to do in an emergency.
Recommended