Firewalls, Tunnels, and Network Intrusion Detection

Similar documents
Network Security. Course notes. Version

Intrusion Detection. Daniel Bosk. Department of Information and Communication Systems, Mid Sweden University, Sundsvall.

Computer Security: Principles and Practice

Security+ Guide to Network Security Fundamentals, Fourth Edition. Network Attacks Denial of service Attacks

ACS / Computer Security And Privacy. Fall 2018 Mid-Term Review

CIT 480: Securing Computer Systems

IDS: Signature Detection

CompTIA Security+ Malware. Threats and Vulnerabilities Vulnerability Management

Means for Intrusion Detection. Intrusion Detection. INFO404 - Lecture 13. Content

CISNTWK-440. Chapter 4 Network Vulnerabilities and Attacks

Intruders. significant issue for networked systems is hostile or unwanted access either via network or local can identify classes of intruders:

Distributed Denial of Service (DDoS)

Unit 2 Assignment 2. Software Utilities?

Basic Concepts in Intrusion Detection

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

CSE 565 Computer Security Fall 2018

The Reconnaissance Phase

this security is provided by the administrative authority (AA) of a network, on behalf of itself, its customers, and its legal authorities

ERT Threat Alert New Risks Revealed by Mirai Botnet November 2, 2016

Scanning. Course Learning Outcomes for Unit III. Reading Assignment. Unit Lesson UNIT III STUDY GUIDE

Computer Network Vulnerabilities

SANS SEC504. Hacker Tools, Techniques, Exploits and Incident Handling.

Lecture 12. Application Layer. Application Layer 1

Chapter 4. Network Security. Part I

Configuring attack detection and prevention 1

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

IBM i Version 7.3. Security Intrusion detection IBM

CS419 Spring Computer Security. Vinod Ganapathy Lecture 13. Chapter 6: Intrusion Detection

CS System Security 2nd-Half Semester Review

UMSSIA INTRUSION DETECTION

Cisco IOS Classic Firewall/IPS: Configuring Context Based Access Control (CBAC) for Denial of Service Protection

NETWORK SECURITY. Ch. 3: Network Attacks

Intrusion Detection Systems (IDS)

Ensure you write your exam number on any sheets which are to be handed in. This paper consists of THREE pages and FOUR questions.

CISSP CEH PKI SECURITY + CEHv9: Certified Ethical Hacker. Upcoming Dates. Course Description. Course Outline

Network Security. Chapter 0. Attacks and Attack Detection

Fundamentals of Information Systems Security Lesson 8 Mitigation of Risk and Threats to Networks from Attacks and Malicious Code

Intrusion Detection System

Lab1. Definition of Sniffing: Passive Sniffing: Active Sniffing: How Does ARP Spoofing (Poisoning) Work?

Detecting Specific Threats

Access Controls. CISSP Guide to Security Essentials Chapter 2

Intrusion prevention systems are an important part of protecting any organisation from constantly developing threats.

Developing the Sensor Capability in Cyber Security

NIP6000 Next-Generation Intrusion Prevention System

Intrusion Detection Systems and Network Security

Systems and Network Security (NETW-1002)

Chapter 7. Denial of Service Attacks

Prevention and Protection Strategies in Cybersecurity CSEC 630

Intrusion Detection. Overview. Intrusion vs. Extrusion Detection. Concepts. Raj Jain. Washington University in St. Louis

Introduction to Security. Computer Networks Term A15

ETHICAL HACKING & COMPUTER FORENSIC SECURITY

Network Security: Firewall, VPN, IDS/IPS, SIEM

ANOMALY DETECTION IN COMMUNICTION NETWORKS

TOP TEN DNS ATTACKS PROTECTING YOUR ORGANIZATION AGAINST TODAY S FAST-GROWING THREATS

Data Communication. Chapter # 5: Networking Threats. By: William Stalling

1. Intrusion Detection and Prevention Systems

The Protocols that run the Internet

Chapter 10: Denial-of-Services

Intrusion Detection. Comp Sci 3600 Security. Introduction. Analysis. Host-based. Network-based. Distributed or hybrid. ID data standards.

Communication Networks ( ) / Fall 2013 The Blavatnik School of Computer Science, Tel-Aviv University. Allon Wagner

n Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

Vulnerability Assessment. Detection. Aspects of Assessment. 1. Asset Identification. 1. Asset Identification. How Much Danger Am I In?

Radware Attack Mitigation Solution (AMS) Protect Online Businesses and Data Centers Against Emerging Application & Network Threats - Whitepaper

Configuring attack detection and prevention 1

Intruders and Intrusion Detection. Mahalingam Ramkumar

Network Security. Thierry Sans

Ethical Hacking and Prevention

Firewall Identification: Banner Grabbing

Introduction and Statement of the Problem

Certified Ethical Hacker (CEH)

HP High-End Firewalls

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Attack Prevention Technology White Paper

CYBER ATTACKS EXPLAINED: PACKET SPOOFING

PROTECTING INFORMATION ASSETS NETWORK SECURITY

CSE 565 Computer Security Fall 2018

Cisco IOS Firewall Intrusion Detection System Commands

Hands-On Ethical Hacking and Network Defense 3 rd Edition

Wireless Network Security Spring 2016

Firewalls, IDS and IPS. MIS5214 Midterm Study Support Materials

DDoS Testing with XM-2G. Step by Step Guide

CS 161 Computer Security

Intrusion Detection System (IDS) IT443 Network Security Administration Slides courtesy of Bo Sheng

Security Configuration Guide: Denial of Service Attack Prevention, Cisco IOS Release 15M&T

PrecisionAccess Trusted Access Control

Network Security. Dr. Ihsan Ullah. Department of Computer Science & IT University of Balochistan, Quetta Pakistan. June 18, 2015

Cyber Security & Ethical Hacking Training. Introduction to Cyber Security Introduction to Cyber Security. Linux Operating System and Networking: LINUX

Wireless Network Security Spring 2015

CEH: CERTIFIED ETHICAL HACKER v9

ASA Access Control. Section 3

A TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING AGAINST DDoS ATTACKS

ProCurve Network Immunity

Configuring Flood Protection

Active defence through deceptive IPS

CTS2134 Introduction to Networking. Module 08: Network Security

Beyond a sensor. Towards the Globalization of SURFids. FIRST 20 th Annual Conference Vancouver, Canada

2. INTRUDER DETECTION SYSTEMS

Table of Contents. 1 Intrusion Detection Statistics 1-1 Overview 1-1 Displaying Intrusion Detection Statistics 1-1

Transcription:

Firewalls, Tunnels, and Network Intrusion Detection 1

Intrusion Detection Systems Intrusion Actions aimed at compromising the security of the target (confidentiality, integrity, availability of computing/networking resources) Intrusion detection The identification through intrusion signatures and report of intrusion activities Intrusion prevention The process of both detecting intrusion activities and managing automatic responsive actions throughout the network 2

IDS Components The IDS manager compiles data from the IDS sensors to determine if an intrusion has occurred. This determination is based on a set of site policies, which are rules and conditions that define probable intrusions. If an IDS manager detects an intrusion, then it sounds an alarm. IDS Manager Untrusted Internet router Firewall IDS Sensor IDS Sensor router router 3

Intrusions An IDS is designed to detect a number of threats, including the following: Masquerader: an attacker who is falsely using the identity and/or credentials of a legitimate user to gain access to a computer system or network Misfeasor: a legitimate user who performs actions he is not authorized to do Clandestine user: a user who tries to block or cover up his actions by deleting audit files and/or system logs 4

Intrusions In addition, an IDS is designed to detect automated attacks and threats, including the following: port scans: information gathering intended to determine which ports on a host are open for TCP connections Denial-of-service attacks: network attacks meant to overwhelm a host and shut out legitimate accesses Malware attacks: replicating malicious software attacks, such as Trojan horses, computer worms, viruses, etc. ARP spoofing: an attempt to redirect IP traffic in a localarea network DNS cache poisoning: a pharming attack directed at changing a host s DNS cache to create a falsified domainname/ip-address association 5

Possible Alarm Outcomes Alarms can be sounded (positive) or not (negative) Intrusion Attack No Intrusion Attack Alarm Sounded True Positive False Positive No Alarm Sounded False Negative True Negative 6

The Base-Rate Fallacy It is difficult to create an intrusion detection system with the desirable properties of having both a high true-positive rate and a low false-negative rate. If the number of actual intrusions is relatively small compared to the amount of data being analyzed, then the effectiveness of an intrusion detection system can be reduced. In particular, the effectiveness of some IDSs can be misinterpreted due to a statistical error known as the baserate fallacy. This type of error occurs when the probability of some conditional event is assessed without considering the base rate of that event. 7

Base-Rate Fallacy Example Suppose an IDS is 99% accurate, having a 1% chance of false positives or false negatives. Suppose further An intrusion detection system generates 1,000,100 log entries. Only 100 of the 1,000,100 entries correspond to actual malicious events. Because of the success rate of the IDS, of the 100 malicious events, 99 will be detected as malicious, which means we have 1 false negative. Nevertheless, of the 1,000,000 benign events, 10,000 will be mistakenly identified as malicious. That is, we have 10,000 false positives! Thus, there will be 10,099 alarms sounded, 10,000 of which are false alarms. That is, roughly 99% of our alarms are false alarms. 8

IDS Data In an influential 1987 paper, Dorothy Denning identified several fields that should be included in IDS event records: Subject: the initiator of an action on the target Object: the resource being targeted, such as a file, command, device, or network protocol Action: the operation being performed by the subject towards the object Exception-condition: any error message or exception condition that was raised by this action Resource-usage: quantitative items that were expended by the system performing or responding to this action Time-stamp: a unique identifier for the moment in time when this action was initiated [128.72.201.120, 201.33.42.108, HTTP, 0.02 CPU sec, 201012102152] 9

Types of Intrusion Detection Systems Rule-Based Intrusion Detection Rules identify the types of actions that match certain known profiles for an intrusion attack, in which case the rule would encode a signature for such an attack. Thus, if the IDS manager sees an event that matches the signature for such a rule, it would immediately sound an alarm, possibly even indicating the particular type of attack that is suspected. Statistical Intrusion Detection A profileis built, which is a statistical representation of the typical ways that a user acts or a host is used; hence, it can be used to determine when a user or host is acting in highly unusual, anomalous ways. Once a user profile is in place, the IDS manager can determine thresholds for anomalous behaviors and then sound an alarm any time a user or host deviates significantly from the stored profile for that person or machine. 10

Port Scanning Use to determine which traffic is permitted through a firewall Discover open port on the target machine Use to perform network reconnaissance and find vulnerabilities 11

Port Scanning with TCP TCP Scans. The attacker initiate a TCP connection on each port on the target machine Ports that complete the connection are open. Attacker Scanning different ports Responses indicate open ports 12

SYN scan Attacker send a SYN packet to identify an open port on the target Victim machine replay with SYN-ACK packet indicating that the port is open Attacker conclude the connection by sending RST to terminate the session 13

Idle Scanning Attacker search for victim machine known as the zombie The attacker use the TCP weak implementation to perform port scanning on the target The attacker will send SYN-ACK packet to the Zombie to learn the current TCP sequence on the Zombie machine The attacker then send SYN packet to the target with a spoof IP address of the Zombie machine The target will replay to the zombie with a SYN-ACK packet The Zombie will rest the connection by sending a RST packet with the updated sequence number Finally, The attack probe the zombie to learn if the sequence number is updated or not. 14

Honeypot Honeypot is used to detect intrusion, it is used as bait for intruders Used to identify new cyber attacks and build latest attacks signature to update an IDS Fingerprinting, help localizing attackers on the network Diversion. Use as a diverter for attack that are trying to capture sensitive data. 15

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback