Intrusion Prevention, Detection & Response

IDS vs IPS
IDS = Intrusion detection system
IPS = Intrusion prevention system
IDS
Monitors a system for malicious activities and policy violations. Note that not all policy violations are malicious.
IDS Categories
Two categories of IDS:
- A network-based IDS monitors network data packets for malicious activity. Examples: Snort, Comodo firewall.
- A host-based IDS analyzes any combination of system calls, application logs, file modifications, and other host activities. Examples: Tripwire, WinPatrol, anti-virus software.
Passive vs Reactive IDS

Passive IDS
Logs the possible intrusion and sends an alert. The alert could be an e-mail to SA staff, or posting the alert on a monitored console (or both). This is how Tripwire behaves.

Reactive IDS
The reactive IDS (aka IPS) would respond to an intrusion with a pre-configured defense strategy in real time. Snort, e-mail filters, and many anti-virus packages can be configured to be reactive.
Revised Taxonomy
Revised taxonomy for IDS vs IPS: an IDS is either passive or reactive. An IPS prevents intrusions.

IPS (Revised Taxonomy)
- Passwords
- Login server (example: Kerberos)
- Firewalls: consist of a combination of hardware and software.
- Access controls applied to hardware, software, and data.

IPS (Revised Taxonomy)
In summary, the IPS is a barrier. The IDS is needed when the IPS barrier is breached.
IPS: Firewall
A combination of software and hardware used to implement security policies governing the network traffic between two or more networks. A firewall is a system used to enforce network traffic security policy.

IPS: Firewall System
1. Design the system
2. Acquire the hardware and software
3. Acquire training, documentation and support
4. Install and configure the system
5. Test the system
6. Maintain the system (sustainability cycle)
IPS: Other Systems
- Implement access controls
- Physical security

IPS: Access Controls
Windows Professional provides access control lists. Unix/Linux has a simple access control system: User, Group, World + read, write, execute. A Princeton study showed that complex access controls lead to mis-configuration.
- Proper training

IPS: Login Server
Kerberos is a common login server that goes beyond the user-id & password authentication process. Kerberos was developed at MIT.
Intrusion Detection Data: Characterization Information
Collect characterization information (CI). Characterization information must be monitored regularly.

IDS: Characterization Info
- System logs
- File checksums
- System performance metrics provided by system monitoring applications
- Expected activities by users and applications
CI: System Logs
System logs require 1) access controls, 2) back-up, 3) encryption.
Unix/Linux: /var/log
MS Windows: systemroot\WINDOWS\System32\Config\*.evt. Enable event logging and use the event viewer (eventvwr.msc).

System Log Files
Log files can grow and use up space. Log files should periodically be backed-up, then removed to make space for new
Checksums
Tripwire creates a database of checksums for a list of specified files (data, source, binary, etc.). The database of checksums acts as a baseline for comparison. Common checksum algorithms: MD5, SHA, CRC.
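The Tripwire-style baseline-and-compare cycle described above, as an added example that is not part of the original slides or of Tripwire itself: each listed file is hashed with SHA-256 (chosen over MD5 and CRC, whose collisions are cheap), the digests are kept as the baseline, and a later check reports files whose content changed or that disappeared. The demo() scenario, file names and contents are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 65536  # hash in 64 KiB chunks so large binaries do not have to fit in memory

def file_digest(path, algorithm="sha256"):
    """Hex digest of one file. SHA-256 is used instead of MD5 or CRC because
    collisions are cheap for MD5 and trivial for CRC, so they cannot anchor a baseline."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths, algorithm="sha256"):
    """Tripwire-style baseline: {path: digest} for every regular file listed."""
    return {str(p): file_digest(p, algorithm) for p in paths if os.path.isfile(p)}

def check_baseline(baseline, algorithm="sha256"):
    """Re-hash every baselined file and report drift:
    'modified' = content differs from baseline, 'missing' = file no longer present."""
    report = {"modified": [], "missing": []}
    for path, expected in baseline.items():
        if not os.path.isfile(path):
            report["missing"].append(path)
        elif file_digest(path, algorithm) != expected:
            report["modified"].append(path)
    return {k: sorted(v) for k, v in report.items()}

def demo():
    """Constructed scenario: baseline three files, then change one and delete one.
    Returns basenames only so the result does not depend on the temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {"passwd": b"root:x:0:0\n", "sshd_config": b"PermitRootLogin no\n",
                 "app.bin": os.urandom(200_000)}
        for name, data in files.items():
            (root / name).write_bytes(data)
        baseline = build_baseline(root / name for name in files)
        (root / "sshd_config").write_bytes(b"PermitRootLogin yes\n")  # config drift
        (root / "app.bin").unlink()                                   # binary removed
        report = check_baseline(baseline)
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}

if __name__ == "__main__":
    print(demo())  # {'modified': ['sshd_config'], 'missing': ['app.bin']}
```

The baseline itself must be stored where an intruder cannot rewrite it (read-only media or an off-host copy), otherwise the comparison proves nothing.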
System Performance Metrics
- Server/computer system metrics
- Network activity metrics

System Resource CI
Report the top resource users (examples: top, sysstat):
- CPU time usage
- Memory usage (example: free)
- Number of active processes (by all user-ids, including system ids)
- Number of active open files
- Number of files
- IO data transfer
- Disk space usage and free space
- IO transfer rate
- Other devices used by processes
- Login sessions
- Login attempts

Network Resource CI
- Connection attempts
- Connection duration
- Number of connections
- Source & destination of data packets
- Bandwidth usage (by user and total)
- Transfer rates
- Error
E-mail CI
- Number of sent messages
- Number of received messages
- Mail message sizes
- Read/unread message count
- Consider logs of other possible communication devices like telephones and company issued
System Security Logging & Auditing Documentation
- Document the characterization information to collect: log files, network CI, computing system CI, etc.
- Document which events should produce an alert
- Document system and application updates
- Document roles and responsibilities of SA staff
- Document a sustainability cycle
- Document an intrusion detection response

Intrusion Response Team
- Create a security response team
- Document the responsibilities of the intrusion response team members
- Document a contact list for the team
- Update the documentation regularly (sustainability cycle)
- Document what to do in an emergency