Page 1: KAPLAN SCHOOL OF INFORMATION SYSTEMS AND TECHNOLOGY Welcome to Intrusion Detection and Incidence Response Course Name – IT390-01 Intrusion Detection and

KAPLAN SCHOOL OF INFORMATION SYSTEMS AND TECHNOLOGY

Welcome to Intrusion Detection and Incidence Response

Course Name – IT390-01 Intrusion Detection and Incidence Response
Instructor – Jan McDanolds, MS, Security+
Contact Information: AIM – JMcDanolds, Email – [email protected]
Office Hours: Tuesday, 8:00 PM ET or Thursday, 8:00 PM ET

Page 2

UNIT 2

Agenda for Unit 2

Overview of Unit 1
Chapter 1 in Intrusion Prevention Fundamentals – Cisco book
Chapter 1 in Implementing Intrusion Detection Systems – Wiley ebook

Unit 2 – Reading: Chapter 2 in Cisco book
Signatures: types, triggers and actions

Page 3

UNIT 1 – CHAPTER 1

Intrusion Prevention Overview

Why is an IPS necessary?

Technology adoption – client-server, Internet, wireless connectivity, mobile computing

Target value – information theft, zombie acquisition

Attack characteristics – delivery mechanism, attack complexity, attack target and attack impact

Page 4

UNIT 1

Intrusion Detection Technology versus

Intrusion Prevention System

Intrusion Detection System (IDS) – an intrusion monitoring system that passively monitors network traffic looking for malicious activity.

Intrusion Prevention Systems (IPS) – an intrusion monitoring system that examines network traffic while it acts as a forwarding device for that traffic.

Two types: Host and Network

Page 5

UNIT 1

Attack Examples

Review attacks - See pages 17 to 22

Table columns: Year | Delivery Mechanism | Complexity | Target | Impact

Attacks reviewed:
Replacement Login
The Morris Worm
CIH Virus
Loveletter Worm
Nimda
SQL Slammer

Why do we need to study these?

Page 6

UNIT 2

Intrusion Detection Technology

Technology designed to monitor computer activities for the purpose of finding security violations. An IDS is similar to an alarm system: an alarm means there is some sort of potential malicious activity (fire, break-in, etc).

Example: When a fire alarm goes off, it does not put out the fire. If there are people in the building, the alarm alerts them to leave. If there is a sprinkler system, it may have already activated due to heat or smoke. The two systems may not even be connected.  Alarm systems for buildings would not be effective if fire sensors were the only triggers. Sensors on windows and doors protect against a physical intrusion. Carbon monoxide sensors warn of hazardous gas.  False alarms are common. Burnt toast in the faculty lounge or smoke in the chemistry lab may trigger an alarm, but do not set off the sprinkler system.

Page 7

UNIT 2

Intrusion Detection Technology (cont.)

IDS systems use rules (dynamic or static) to allow or deny (block) activity. This is similar to a lock on a door, and similar to, but not the same as, a firewall.

Example: The activity from an IP address indicates it is attempting to scan for open ports. One of the ports it is scanning is port 21, the FTP listening port. The IDS has a rule indicating that any outside scan for port 21 should be blocked. The IDS dynamically logs the IP address, indicating that any activity from this address should be blocked. All packets from this IP address are dropped.

Examples:
TCP Kill with Linux – using tcpkill, not netstat
http://www.cyberciti.biz/howto/question/linux/kill-tcp-connection-using-linux-netstat.php
Windows Firewall
http://windows.microsoft.com/en-US/windows-vista/Understanding-Windows-Firewall-settings
Open a port in Windows Firewall
http://windows.microsoft.com/en-US/windows-vista/Open-a-port-in-Windows-Firewall

Page 8

UNIT 2

Intrusion Detection Technology (cont.)

Physical Intrusion Detection Example: ADT
http://www.adt.com/commercial-security/products/intrusion-detection

“Our intrusion detection systems are designed to help protect your people and property. After all, while your property is valuable, nothing is more precious than the lives of your employees, customers, and clients.” Intrusion Detection Service Features:

Burglar alarm system monitoring (off site)
Hold-up and panic button/signal monitoring
Critical condition monitoring

Page 9

UNIT 2

Intrusion Detection Technology (cont.)

SecureWorks – Dell Company
http://www.secureworks.com/services/managed_ids_ips

“Network Intrusion Detection and Prevention (IDS/IPS) devices can provide a highly effective layer of security designed to protect critical assets from cyber threats. Organizations can detect attempts by attackers to compromise systems, applications and data by deploying network IDS; however, keeping the devices tuned and up-to-date so they are effective is a challenge for many organizations. Dell SecureWorks team of security device management experts can help alleviate this burden and enable more effective operation.”

Managed IDS/IPS service provides:
Expert signature tuning
Real-time threat monitoring and response
Integrated Counter Threat Unit intelligence
On-demand security and compliance reporting
Auditable and accurate change management

Page 10

UNIT 2

Intrusion Detection Technology (cont.)

SecureWorks

“Malicious attacks that use encryption can easily bypass firewalls and network intrusion prevention systems. Host intrusion prevention provides another layer of defense to protect your infrastructure from internal and external attacks that use encryption techniques. However, host intrusion prevention systems (HIPS) are complex and difficult to configure. If implemented incorrectly, HIPS can cripple an application on the host server.”

“Dell SecureWorks' Host Intrusion Prevention System (Host IPS) service is a fully managed service that decrypts and inspects encrypted traffic to prevent external and internal attacks on your critical servers in real time.”
http://www.secureworks.com/services/host_intrusion_prevention/

Host Intrusion Prevention-Host IPS

Page 11

UNIT 2

Issue with Zero-Day

“Careful, that zero-day signature you just got from your IPS vendor could be used against you: Researchers from Errata Security at Black Hat USA this week will show how an attacker can easily reverse-engineer these zero-day filters that IPS (intrusion prevention system) vendors distribute, and then use them to leverage an attack.

Errata CEO Robert Graham and CTO David Maynor will demonstrate this using TippingPoint's signatures, but Graham says it's possible to reverse-engineer any IPS vendor's zero-day signatures. The company was also able to do the same with signatures from Cisco, Juniper Networks, and McAfee, he says, although they will only demonstrate their research on TippingPoint's IPS in its Thursday morning session, entitled "Simple Solutions to Complex Problems from the Lazy Hacker’s Handbook."

The researchers will show how these signatures basically give an attacker the ammunition to do damage using bugs that wouldn't have otherwise been known about yet. "The point is that if you're a black hat, it's easier to get a zero-day from the vendor than to develop your own," Graham says.” http://www.darkreading.com/security/security-management/208804656/index.html

Page 12

UNIT 2

Chapter 2 in Cisco book
Unit 2 – Reading: Chapter 2

Signatures: types, triggers and actions
What is a signature? http://www.symantec.com/connect/articles/network-intrusion-detection-signatures-part-one

Signature Basics: A network IDS signature is a pattern that we want to look for in traffic.

Examples:
Connection attempt from a reserved IP address.
Packet with an illegal TCP flag combination.
Email containing a particular virus.
DNS buffer overflow attempt contained in the payload of a query.
Denial of service attack on a POP3 server caused by issuing the same command thousands of times.
File access attack on an FTP server by issuing file and directory commands to it without first logging in.

Page 13

UNIT 2

Signatures and Actions

Signatures: types, triggers and actions

Signature types: atomic and stateful

Signature triggers: pattern detection, anomaly-based detection, behavior-based detection

Signature actions: generating an alert, dropping, logging, resetting TCP connection, blocking future activity, allowing (page 45)
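The slides on pages 7, 12 and 13 describe the pieces of a signature engine separately: a stateful rule that notices a port scan and dynamically blocks the scanning address, atomic signatures such as a reserved source address or an illegal TCP flag combination, and the actions an IPS can take (alert, log, drop, reset, block future activity, allow). The following is an added example, not code from the course or the Cisco book, that puts those pieces together in one toy inline engine. The packets it inspects are constructed for this example, the reserved-address list and the scan threshold are assumptions chosen for illustration, and the engine is assumed to sit at the network perimeter so that a private source address arriving from outside is treated as spoofed.

```python
"""Toy inline signature engine: atomic and stateful signatures with IPS actions.

Added example for the course slides; packets below are constructed, not captured.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# The actions named on page 45 of Intrusion Prevention Fundamentals.
ALERT, LOG, DROP, RESET, BLOCK, ALLOW = "alert", "log", "drop", "reset", "block", "allow"

# Assumed list of address ranges that should never appear as an outside source.
RESERVED_NETS = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: set = field(default_factory=set)   # TCP flag names, e.g. {"SYN"}


class SignatureEngine:
    def __init__(self, scan_threshold=3, allowed=()):
        self.scan_threshold = scan_threshold   # distinct ports before "scan" fires
        self.allowed = set(allowed)            # explicit allow: trusted scanners
        self.blocked = set()                   # dynamic block list learned at runtime
        self.scan_ports = defaultdict(set)     # stateful memory: ports seen per source
        self.events = []                       # log of every signature that fired

    # --- atomic signatures: decided from one packet alone ---
    @staticmethod
    def sig_reserved_source(pkt):
        addr = ip_address(pkt.src)
        return any(addr in net for net in RESERVED_NETS)

    @staticmethod
    def sig_illegal_flags(pkt):
        # SYN together with FIN or RST never occurs in a legitimate handshake.
        return "SYN" in pkt.flags and ({"FIN", "RST"} & pkt.flags)

    # --- stateful signature: needs memory across packets ---
    def sig_port_scan(self, pkt):
        if "SYN" in pkt.flags:
            self.scan_ports[pkt.src].add(pkt.dport)
        return len(self.scan_ports[pkt.src]) >= self.scan_threshold

    def _act(self, action, pkt, reason):
        # Every triggered signature is logged (the "log" action) with the reason.
        self.events.append((action, pkt.src, pkt.dport, reason))
        return action

    def inspect(self, pkt):
        """Return the action taken for this packet by the engine in the forwarding path."""
        if pkt.src in self.allowed:
            return ALLOW                                    # explicit allow action
        if pkt.src in self.blocked:
            return self._act(DROP, pkt, "source on dynamic block list")
        if self.sig_reserved_source(pkt):
            return self._act(DROP, pkt, "reserved source address")
        if self.sig_illegal_flags(pkt):
            return self._act(RESET, pkt, "illegal TCP flag combination")
        if self.sig_port_scan(pkt):
            self.blocked.add(pkt.src)                       # block future activity
            return self._act(BLOCK, pkt, "port scan detected")
        if pkt.dport == 21 and "SYN" in pkt.flags:
            self._act(ALERT, pkt, "outside FTP connection attempt")  # alert, still forward
        return ALLOW


def run_sample():
    """Feed a constructed packet sequence through the engine; returns (actions, engine)."""
    engine = SignatureEngine(scan_threshold=3, allowed={"192.0.2.50"})
    server = "192.0.2.10"
    sample = [
        Packet("203.0.113.7", server, 80, {"SYN"}),          # first probe: allowed
        Packet("203.0.113.7", server, 22, {"SYN"}),          # second probe: allowed
        Packet("10.1.2.3", server, 80, {"SYN"}),             # spoofed reserved source
        Packet("203.0.113.7", server, 443, {"SYN", "FIN"}),  # illegal flag combination
        Packet("203.0.113.7", server, 21, {"SYN"}),          # third port: scan fires
        Packet("203.0.113.7", server, 25, {"SYN"}),          # now on the block list
        Packet("198.51.100.9", server, 21, {"SYN"}),         # single FTP attempt: alert
        Packet("192.0.2.50", server, 21, {"SYN", "FIN"}),    # trusted scanner: allow
    ]
    actions = [engine.inspect(p) for p in sample]
    return actions, engine


if __name__ == "__main__":
    acts, eng = run_sample()
    for pkt_action, (action, src, dport, reason) in zip(acts, eng.events):
        print(f"{action:6} {src:14} port {dport:<4} {reason}")
    print("actions:", acts)
```

Note the ordering inside inspect: the allow list and block list are consulted before any signature runs, so a blocked source costs one set lookup per packet and a trusted scanner never accumulates scan state. The reset action sends the attacker a TCP RST in a real IPS; here it is recorded as the chosen action so that each of the five page-45 actions plus alert appears in the event log.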

Page 14

UNIT 2

Six Integral Steps to Selecting the Right IPS for Your Network (Opus article)

Step 1: Why am I buying an IPS?
Every IPS has a different set of design goals and features targeted to address a limited set of questions.

Step 2: Determine the Level of Security and Coverage you require

Three approaches in current IPS products: signature-based (including protocol anomaly) IPS, rate-based IPS, and behavioral IPS

Step 3: Determine Your Performance Requirements
Step 4: Determine Your Form Factor Requirements

IPS is not a product; IPS is a function and a technology…many kinds of devices including standalone IPS appliances, inside of firewalls and switches, and in other types of security appliances, such as SSL VPNs.

Step 5: Determine Your Management Requirements
Step 6: Evaluate an IPS

Page 15

UNIT 2

Readings

Unit 2 Readings:

Chapter 2 in Intrusion Prevention Fundamentals
ALSO
Web Readings listed (Black Hat – How to Hack IPS Signatures, and Opus white paper – Six Integral Steps)

Page 16

UNIT I

Unit 2 Assignment

Essay on 5 actions:

“Our text describes 5 actions an IPS is capable of performing (drop, log, block, reset, and allow). In a 2-3 page paper, using good APA formatting, briefly review each of the 5 actions. Next, create a hypothetical situation where each action (one situation for each action) is implemented. For each situation explain why the action is the correct choice for the situation.”

Page 45 – Intrusion Prevention Fundamentals

Page 17

UNIT I

Unit 2 Assignments

Download chapters from Doc Sharing
Read chapters and web readings
Post to Discussion
Attend Seminar
Complete Assignment

Email any questions: [email protected], or you can call me at 641-649-2980