Paul Apolinar Christian Chavez RJ Favila Arni Paragas Jessica Mayuga Abegail Soas
manually or via software expert systems that operate on logs or other information available from the system or the network.
IT Security
An intrusion is a deliberate, unauthorized attempt to access or manipulate information or a system and to render them unreliable or unusable. When the suspicious activity comes from your internal network it can also be classified as misuse.
Intrusion: attempting to break into or misuse your system. Intruders may be from outside the network or legitimate users of the network. An intrusion can be physical, system-level or remote.
Intrusion Detection Systems are only one piece of the whole security puzzle. An IDS must be supplemented by other security and protection mechanisms: it is a very important part of your security architecture, but it does not solve all your problems.
An IDS is a dedicated assistant used to monitor the rest of the security infrastructure.
Today's security infrastructures are becoming extremely complex; they include firewalls, identification and authentication systems, access control products, virtual private networks, encryption products, virus scanners, and more. All of these tools perform functions essential to system security. Given their role they are also prime targets and, being managed by humans, they are prone to errors.
Failure of one of the above components of your security infrastructure jeopardizes the systems they are supposed to protect.
8/5/2010
Not all threats originate from outside. As networks use more and more encryption, attackers will aim at the location where data is often stored unencrypted (the internal network). Firewalls do not protect appropriately against application-level weaknesses and attacks, and firewalls are subject to attacks themselves. An IDS can protect against misconfiguration or faults in other security mechanisms.
It's like security at the airport... You can put up all the fences in the world and have strict access control, but the biggest threat is all the PASSENGERS (packets) that you MUST let through! That's why there are metal detectors to detect what they may be hiding (packet content). You have to let them get to the planes (your application) via the gate (port 80), but without X-rays and metal detectors you can't be sure what they have under their coats.
Firewalls are really good access control points, but they aren't really good for or designed to prevent intrusions. That's why most security professionals back their firewalls up with IDS, either behind the firewall or at the host.
An IDS can:
- Monitor and analyse user and system activities
- Audit system and configuration vulnerabilities
- Assess the integrity of critical system and data files
- Recognize patterns reflecting known attacks
- Perform statistical analysis for abnormal activities
- Provide a data trail, tracing activities from the point of entry up to the point of exit
- Install decoy servers (honey pots)
- Install vendor patches (some IDS)
An IDS cannot:
- … identification mechanisms
- Investigate attacks without human intervention
- Guess the content of your organization's security policy
- Compensate for weaknesses in networking protocols, … information
- Analyze all traffic on a very high speed network
- Deal adequately with attacks at the packet level
- Deal adequately with modern network hardware
Attacks
Are unauthorized activity with malicious intent using specially crafted code or techniques. Includes DoS, virus or worm infections, buffer overflows, malcrafted requests, file corruption, malformed network packets, or unauthorized program execution.
Misuse
Refers to unauthorized events without specially crafted code. In this case, the offending person used normally crafted traffic or requests and their implicit level of authorization to do something malicious. This also covers unintended consequences, like when a hapless new user overwrites a critical document with a blank page.
Application Attacks
These can be text commands used to exploit OS or application holes, or can contain malicious content such as a buffer overflow exploit, a maliciously crafted command, or a computer virus. They include misappropriated passwords, password-cracking attempts, rootkit software, illegal data manipulation, unauthorized file access, and every other network attack that doesn't rely on malformed network packets to work.
… the packets to maliciously reassemble and intentionally cover up the header and payload of the first fragment.
Content Obfuscation
Code Obfuscation is when programmers conceal
Some experts will say that a properly defined IDS can catch any security threat, but events involving misuse prove the most difficult to detect and prevent. For example, if an outside hacker uses social engineering tricks to get the CEO's password, there aren't many IDSs that will notice. If the webmaster accidentally posts a confidential document to a public directory available to the world, the IDS won't notice.
If a cracker uses the default password of an administrative account that should have been changed right after the system was installed, few IDSs will notice. If a hacker gets inside the network and copies confidential files, that would be tough to notice.
IDS development began in the early 1980s, but only started growing in the PC marketplace in the late 1990s. The focus was almost exclusively on the benefit of early warning resulting from accurate detection. The practical reality is that while most IDSs are considered fairly accurate, no IDS has ever been close to being perfectly accurate.
IDSs never get over 90% accuracy against a wide spectrum of real-world attack traffic; most are in the 80% range. When an IDS misses a legitimate threat, it is called a false negative.
A false positive is when the IDS says there is a security threat, but the traffic is not malicious or was never intended to be malicious. Ex: an IDS flags an e-mail as infected with a particular virus because it is looking for some key text known to be in the message body of the e-mail virus (for example, the phrase "see my wifes photos").
While first-generation IDSs focused on accurate attack detection, second-generation IDSs do that and also work to simplify the administrator's life by offering a bountiful array of back-end options. They offer intuitive end-user interfaces, intrusion prevention, centralized device management, event correlation, and data analysis.
This generation of IDSs does more than just detect attacks: they sort, prevent and attempt to add as much value as they can beyond mere detection. Tips to increase your odds of a successful IDS deployment: … signatures, spend an hour planning and configuring your logging, …
Host-based IDSs (HIDSs) are installed on the host they are intended to monitor. The host can be a server, workstation, or any networked device (such as a printer, router, or gateway). Because they have the ability to sniff network traffic intended for the monitored host, they excel at monitoring and reporting direct interactions at the application layer. A HIDS can inspect each incoming command, looking for signs of maliciousness, or simply track unauthorized file changes.
File-integrity HIDSs (sometimes called snapshot or checksum HIDSs) take a cryptographic hash of important files in a known clean state, and then check them again later for comparison. If any changes are noted, the administrator is alerted. Ex: Tripwire (www.tripwire.com), Pedestal Software's INTACT (www.pedestalsoftware.com).
Behavior-monitoring HIDSs do real-time monitoring and will intercept attempts to modify the registry, file manipulations, system access, password changes, privilege escalations, and other direct modifications to the host.
Captured traffic is compared against protocol specifications and normal traffic trends, or the packet's payload data is examined for malicious content. If a security threat is noted, the event is logged and an alert is generated.
Host-based IDS advantages:
- Monitors in terms of who accessed what
- Can map problem activities to a specific user ID
- Can track behavior changes associated with misuse
- Can operate in an encrypted environment
- Operates in switched networks
- Monitoring load is distributed across multiple hosts rather than a single host, reporting only relevant data to a central console
Host-based IDS disadvantages:
- Cannot see all network activities
- Running audit mechanisms adds load to the system; performance may be an issue
- Audit trails can take lots of storage
- OS vulnerabilities can undermine the effectiveness of agents
- Agents are OS specific
- Escalation of false positives
- Greater deployment and maintenance cost
Network-based IDS advantages:
- Can get information quickly without any reconfiguration of computers or need to redirect logging mechanisms
- Does not affect network or data sources
- Monitors and detects network attacks or misuse in real time
- Does not create system overhead
Network-based IDS disadvantages:
- Cannot scan protocols if the data is encrypted
- Can infer from network traffic what is happening on a host but cannot tell the outcome
- Hard to implement on fully switched networks
- Has difficulties sustaining a network with very large bandwidth
Second-generation IDSs go far beyond mere monitoring and alerting. Examples:
- Setting access controls
- Requiring passwords
- Enabling real-time antivirus scanning
- Updating patches
- Installing perimeter firewalls
The IDS is a mandatory inspection point with the ability to filter real-time traffic. It can:
- Drop packets
- Reset connections
- Route suspicious traffic to quarantined areas for inspection
(Diagram: Internet, then the IDS placed inline to drop malicious packets before they can enter the network.)
Intruder Alert
Is the best intrusion-detection software: a host-based, real-time intrusion-monitoring system that detects unauthorized activity and security breaches and responds automatically. You use Intruder Alert's central console to create, update, and deploy policies and securely collect and archive audit logs.
Snort is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Combining the benefits of signature, protocol and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide.
Snort is logically divided into multiple components. These components work together to detect particular attacks and to generate output in a required format from the detection system. A Snort-based IDS consists of the following major components:
- Packet Decoder
- Preprocessors
- Detection Engine
- Logging and Alerting System
- Output Modules
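As an added example (not Snort's own code), the Python pipeline below implements each of the five components in miniature: a raw IPv4/TCP packet decoder, a URL-decoding preprocessor, a parser for a subset of Snort's rule syntax, a content-matching detection engine, and one alert record per hit. The rules, addresses and packets are constructed for the demonstration; the second rule reproduces the body-text false positive discussed earlier, so the benign mail in the sample trips it.

```python
import re
import socket
import struct

def decode(raw: bytes) -> dict:  # packet decoder: fields from raw IPv4/TCP bytes (TCP assumed)
    ihl = (raw[0] & 0x0F) * 4                                   # IPv4 header length
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    data = raw[ihl + (raw[ihl + 12] >> 4) * 4:]                 # skip TCP header via data offset
    return {"proto": "tcp", "src": socket.inet_ntoa(raw[12:16]), "sport": sport,
            "dst": socket.inet_ntoa(raw[16:20]), "dport": dport, "payload": data}

def preprocess(pkt: dict) -> dict:  # preprocessor: URL-decode %xx so encoded and plain forms match alike
    pkt["norm"] = re.sub(rb"%([0-9a-fA-F]{2})", lambda m: bytes([int(m[1], 16)]), pkt["payload"])
    return pkt

def parse_rule(text: str) -> dict:  # subset of Snort rule syntax: header, then msg/content/nocase/sid
    hdr, opts = text.rstrip(")").split("(", 1)
    rule = dict(zip(("action", "proto", "src", "sport", "dst", "dport"), hdr.replace("->", " ").split()))
    for opt in filter(None, (o.strip() for o in opts.split(";"))):
        key, _, val = opt.partition(":")
        rule[key] = val.strip().strip('"') if val else True     # bare option such as nocase = flag
    return rule

def detect(pkt: dict, rules: list):  # detection engine: proto/port filter, then content match
    for r in rules:                  # src/dst IP fields are assumed 'any' in this subset
        if r["proto"] != pkt["proto"] or r["dport"] not in ("any", str(pkt["dport"])):
            continue
        data, needle = pkt["norm"], r["content"].encode()
        if r.get("nocase"):
            data, needle = data.lower(), needle.lower()
        if needle in data:           # logging/alerting stage: one record per matching rule
            yield {"sid": r["sid"], "msg": r["msg"], "src": pkt["src"], "dst": pkt["dst"]}

def build_tcp(src: str, sport: int, dst: str, dport: int, payload: bytes) -> bytes:
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))   # constructed packet, checksums zero
    return ip + struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload

RULES = [parse_rule(r) for r in (
    'alert tcp any any -> any 80 (msg:"Directory traversal in URI"; content:"../"; sid:1;)',
    'alert tcp any any -> any 25 (msg:"Mail worm body text"; content:"see my wifes photos"; nocase; sid:2;)',
)]
SAMPLE = [  # constructed traffic: encoded traversal, a benign mail that trips the text rule, a plain request
    build_tcp("10.0.0.5", 40000, "10.0.0.80", 80, b"GET /%2e%2e/%2e%2e/secret.txt HTTP/1.0\r\n\r\n"),
    build_tcp("10.0.0.6", 40001, "10.0.0.25", 25, b"Subject: See my WIFES photos from our holiday\r\n"),
    build_tcp("10.0.0.7", 40002, "10.0.0.80", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
]

def run(packets: list = SAMPLE) -> list:  # pipeline: decode -> preprocess -> detect, alerts in order
    return [hit for raw in packets for hit in detect(preprocess(decode(raw)), RULES)]
```

Without the preprocessor the first packet would slip past the plain "../" signature, and the second alert is exactly the kind of false positive a text-only signature produces on legitimate mail.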
Tripwire
Tripwire is a tool used by sysadmins to detect an intrusion by a hacker on a system. It is used to detect any changes made to your system by a hacker, and is a useful tool for monitoring any change from the baseline configuration of a system.
Tripwire creates a known-state database of cryptographic checksums of all of your operating system and application software, and then periodically compares that known state against new test runs.
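As an added illustration of the file-integrity (checksum) HIDS approach described above and of the known-state database that Tripwire keeps, here is a small Python snapshot-and-compare tool. It is example code written for this page, not Tripwire's implementation; the directory tree it scans and the "tampering" are constructed inside a temporary directory.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def take_baseline(root: Path) -> dict:
    """Snapshot every regular file under root: digest, size and permission bits."""
    db = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            db[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p), "size": st.st_size, "mode": st.st_mode & 0o7777}
    return db

def save_baseline(db: dict, dest: Path) -> None:
    """Persist the known-state database; the trusted copy belongs on read-only or offline media."""
    dest.write_text(json.dumps(db, indent=1, sort_keys=True))

def compare(root: Path, baseline_file: Path) -> dict:
    """Re-scan root and report files added, removed or modified since the baseline."""
    baseline, current = json.loads(baseline_file.read_text()), take_baseline(root)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(k for k in current.keys() & baseline.keys() if current[k] != baseline[k])}

def demo() -> dict:
    """Constructed scenario: baseline a small tree, then alter it and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root, db = Path(tmp) / "tree", Path(tmp) / "baseline.json"   # database kept outside the tree
        (root / "etc").mkdir(parents=True)
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        save_baseline(take_baseline(root), db)
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\nextra line\n")  # modified
        (root / "etc" / "rc.local").write_text("# new file\n")                             # added
        (root / "etc" / "hosts").unlink()                                                  # removed
        return compare(root, db)

if __name__ == "__main__":
    print(demo())
```

A snapshot HIDS only sees what changed between two scans, so the scan interval and the integrity of the baseline file itself decide how much an attacker can do unnoticed.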
Tripwire Configuration
Although behavior-based intrusion detection is a relatively new technology, WatchGuard already has mechanisms in place within the firewall to identify known attack behaviors, such as:
- Port scans and probes
- Spoofing
- SYN flood attacks
- DoS and DDoS attacks
- The misuse of IP options such as source routing
… that provide comprehensive protection from a variety of both known and unknown cyber threats.