Introduction
It's very important to understand that in security, one simply cannot say "what's the best method?" There are two extremes: absolute security and absolute access. The closest we can get to an absolutely secure machine is one unplugged from the network, power supply, locked in a safe, and thrown at the bottom of the ocean. Unfortunately, it isn't terribly useful in this state. A machine with absolute access is extremely convenient to use: it's simply there, and will do whatever you tell it, without questions, authorization, passwords, or any other mechanism. Unfortunately, this isn't terribly practical, either. We constantly make decisions about what risks we're willing to accept. Every organization needs to decide for itself where between the two extremes of total security and total access they need to be.
Authenticating Users
(Basic Authentication)
Firewalls
User Authentication
- Basic authentication: the user supplies a username and password to access networked resources.
- Users who need to legitimately access your internal servers must be added to your Access Control Lists (ACLs).
Client Authentication
- Same as user authentication, but with additional time-limit or usage-limit restrictions.
Centralized Authentication
- A centralized server maintains all authorizations for users, regardless of where the user is located and how the user connects to the network.
- Most common method.
Kerberos
Kerberos Authentication
- Provides authentication and encryption between clients and servers.
- Authentication is mediated by a trusted 3rd party on the network: the Key Distribution Center (KDC).
- The user must identify itself once at the beginning of a workstation session (login session).
Kerberos Authentication
- A Kerberos-authenticated service that allows the user to obtain tickets for other services.
- Co-located at the KDC.
- A ticket is used to access the TGS and obtain service tickets.
Advantages
- The password is only typed to the local workstation.
- More convenient: only one password, entered once.
- Users may be less likely to store passwords.
- An authenticator is needed as well, which can't be reused.
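The following is an added example, not code from the slides, that plays out the flow described above in Python: the client derives its key from the password locally, performs one AS exchange to obtain a ticket-granting ticket (TGT), presents the TGT plus a fresh authenticator to the TGS to obtain a service ticket, and presents ticket plus authenticator to the service, which rejects the authenticator the second time it is offered. The principal names, the expiry times, the replay-cache design and the toy HMAC-based sealing that stands in for Kerberos encryption are all assumptions of this example, not the real protocol's message formats.

```python
import hashlib, hmac, json, os, secrets
CLOCK_SKEW = 300  # seconds; an authenticator whose timestamp is further off than this is rejected

def derive_key(password: str, principal: str) -> bytes:
    # Long-term user key derived from the password on the workstation (simplified string-to-key).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 100_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def seal(key: bytes, obj: dict) -> bytes:
    # Stand-in for Kerberos encryption (assumption: HMAC keystream XOR plus HMAC tag, stdlib only).
    nonce = os.urandom(16)
    pt = json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def check_authenticator(auth: dict, client: str, now: float, seen: set) -> None:
    # Must name the ticket's client, be fresh, and never have been accepted before (replay cache).
    if auth["client"] != client:
        raise ValueError("authenticator client does not match ticket")
    if abs(now - auth["timestamp"]) > CLOCK_SKEW:
        raise ValueError("authenticator outside the clock-skew window")
    marker = (client, auth["timestamp"], auth["nonce"])
    if marker in seen:
        raise ValueError("replayed authenticator")
    seen.add(marker)

class KDC:
    # Trusted third party holding every principal's long-term key; AS and TGS are co-located here.
    def __init__(self):
        self.keys, self.tgs_key, self.seen = {}, os.urandom(32), set()
    def register(self, name: str, key: bytes) -> None:
        self.keys[name] = key
    def as_exchange(self, user: str, now: float) -> bytes:
        # AS reply: TGT sealed under the TGS key, TGT session key sealed under the user's key.
        session = secrets.token_hex(32)
        tgt = seal(self.tgs_key, {"client": user, "key": session, "expires": now + 8 * 3600})
        return seal(self.keys[user], {"key": session, "tgt": tgt.hex()})
    def tgs_exchange(self, tgt_blob: bytes, auth_blob: bytes, service: str, now: float) -> bytes:
        # TGS reply: service ticket sealed under the service's key, returned under the TGT session key.
        tgt = unseal(self.tgs_key, tgt_blob)
        if now > tgt["expires"]:
            raise ValueError("TGT expired")
        tgt_key = bytes.fromhex(tgt["key"])
        check_authenticator(unseal(tgt_key, auth_blob), tgt["client"], now, self.seen)
        svc_session = secrets.token_hex(32)
        ticket = seal(self.keys[service], {"client": tgt["client"], "key": svc_session, "expires": now + 3600})
        return seal(tgt_key, {"key": svc_session, "ticket": ticket.hex()})

class Client:
    def __init__(self, user: str, password: str):
        self.user, self.key = user, derive_key(password, user)  # the password never leaves the workstation
    def login(self, kdc: KDC, now: float) -> None:
        rep = unseal(self.key, kdc.as_exchange(self.user, now))  # wrong password -> ValueError
        self.tgt_key, self.tgt = bytes.fromhex(rep["key"]), bytes.fromhex(rep["tgt"])
    def authenticator(self, key: bytes, now: float) -> bytes:
        return seal(key, {"client": self.user, "timestamp": now, "nonce": secrets.token_hex(8)})
    def service_ticket(self, kdc: KDC, service: str, now: float):
        auth = self.authenticator(self.tgt_key, now)
        rep = unseal(self.tgt_key, kdc.tgs_exchange(self.tgt, auth, service, now))
        return bytes.fromhex(rep["ticket"]), bytes.fromhex(rep["key"])

class Service:
    def __init__(self, name: str, key: bytes):
        self.name, self.key, self.seen = name, key, set()
    def accept(self, ticket_blob: bytes, auth_blob: bytes, now: float) -> str:
        ticket = unseal(self.key, ticket_blob)
        if now > ticket["expires"]:
            raise ValueError("service ticket expired")
        check_authenticator(unseal(bytes.fromhex(ticket["key"]), auth_blob), ticket["client"], now, self.seen)
        return ticket["client"]

def demo(now: float = 1_700_000_000.0) -> dict:
    # Hypothetical principals "alice" and "fileserver"; every value here is constructed for the example.
    kdc, svc_key = KDC(), os.urandom(32)
    kdc.register("alice", derive_key("correct horse battery staple", "alice"))
    kdc.register("fileserver", svc_key)
    fs, alice = Service("fileserver", svc_key), Client("alice", "correct horse battery staple")
    alice.login(kdc, now)                                            # AS exchange: once per login session
    ticket, key = alice.service_ticket(kdc, "fileserver", now + 10)  # TGS exchange: no password involved
    auth = alice.authenticator(key, now + 20)
    result = {"user": fs.accept(ticket, auth, now + 20)}
    try:
        fs.accept(ticket, auth, now + 25)  # the same authenticator presented a second time
        result["replay_rejected"] = False
    except ValueError:
        result["replay_rejected"] = True
    return result
```

Running `demo()` returns `{"user": "alice", "replay_rejected": True}`: the service learns the client's identity from the ticket alone, and the replay cache plus the clock-skew window are what make a captured authenticator worthless, which is the point of the last advantage listed above. A client constructed with the wrong password fails at `login()` because the AS reply cannot be unsealed, so the password itself is never sent anywhere.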
Intrusion Detection
Introduction
An intrusion is an unauthorized attempt to access or manipulate information or a system and to render them unreliable or unusable. Alternatively: intrusions are the activities that violate the security policy of a system.
Host-Based IDSs
- Get audit data from host audit trails.
- Detect attacks against a single host.
Distributed IDSs
- Gather audit data from multiple hosts and possibly the network that connects the hosts.
- Detect attacks involving multiple hosts.
Network-Based IDSs
- Use network traffic as the audit data source.
- Detect attacks from the network.
Misuse Detection
- Catch the intrusions in terms of the characteristics of known attacks or system vulnerabilities.
Anomaly Detection
- Detect any action that significantly deviates from the normal behavior.
Misuse Detection
- Based on known attack actions.
- Features are extracted from known intrusions.
- The rules are pre-defined.
- Disadvantage: cannot detect novel or unknown attacks.
Anomaly Detection
- Based on the normal behavior of a subject.
- Any action that significantly deviates from the normal behavior is considered an intrusion.
- Disadvantage: these generate many false alarms and hence compromise the effectiveness of the IDS.

Comparison:
                 Misuse Detection                              Anomaly Detection
Advantage        Accurate; generates far fewer false alarms    Able to detect unknown attacks based on audit data
Disadvantage     Cannot detect novel or unknown attacks        High false-alarm rate; limited by the training data
1. [...] in system
2. Define and extract the rules of intrusion
3. Apply the rules to detect the intrusion

Data flow (from the slide diagram): Training Audit Data -> (1) Features -> (2) Rules; Audit Data + Rules -> (3) Pattern matching or classification
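The following is an added example, not part of the slides, that runs the three-step procedure above over constructed audit records in Python and shows both detection approaches side by side: misuse detection applies pre-defined rules (features of known intrusions), while anomaly detection learns a per-user profile from training audit data and flags deviations. The record format, the two rules, their thresholds, the user names and addresses, and the profile design (source hosts and login hours) are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Audit record format assumed for this example: "<ISO timestamp> <user> <source IP> <login_ok|login_fail>".
LOG_RE = re.compile(r"^(\S+) (\w+) (\d+\.\d+\.\d+\.\d+) (login_ok|login_fail)$")

def parse(line: str) -> dict:
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable audit record: {line!r}")
    ts, user, src, action = m.groups()
    return {"t": datetime.fromisoformat(ts), "user": user, "src": src, "action": action, "raw": line}

# Constructed training data: five days of normal logins for two hypothetical users.
TRAINING = (
    [f"2024-03-0{d}T{h:02d}:15:00 alice 10.0.0.5 login_ok" for d in range(1, 6) for h in (9, 13)]
    + [f"2024-03-0{d}T{h:02d}:40:00 bob 10.0.0.7 login_ok" for d in range(1, 6) for h in (8, 17)]
)

# Constructed audit data to analyse; the comments say what each record is meant to represent.
TEST_LOG = [
    "2024-03-06T09:10:00 alice 10.0.0.5 login_ok",       # normal
    "2024-03-06T10:00:01 root 203.0.113.9 login_fail",   # known pattern: password guessing against root
    "2024-03-06T10:00:02 root 203.0.113.9 login_fail",
    "2024-03-06T10:00:03 root 203.0.113.9 login_fail",
    "2024-03-06T10:00:04 root 203.0.113.9 login_fail",
    "2024-03-06T10:00:05 root 203.0.113.9 login_fail",
    "2024-03-06T10:00:09 root 203.0.113.9 login_ok",     # ...and it succeeded
    "2024-03-06T22:30:00 bob 10.0.0.7 login_ok",         # legitimate late-night work, no attack
    "2024-03-07T03:14:00 alice 198.51.100.4 login_ok",   # novel: valid credentials, unseen host, 03:14
]

# --- Misuse detection: pre-defined rules describing known attack actions ---

def rule_password_guessing(events: list, threshold: int = 5, window_s: int = 60) -> list:
    # Signature: at least `threshold` failed logins from one source inside `window_s` seconds.
    alerts, by_src = [], defaultdict(list)
    for e in events:
        if e["action"] == "login_fail":
            by_src[e["src"]].append(e)
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["t"])
        for i in range(len(fails) - threshold + 1):
            if (fails[i + threshold - 1]["t"] - fails[i]["t"]).total_seconds() <= window_s:
                alerts.append(("password_guessing", src, fails[i]["raw"]))
                break
    return alerts

def rule_direct_root_login(events: list) -> list:
    # Signature: policy forbids interactive root logins, so any successful one is an alert.
    return [("direct_root_login", e["src"], e["raw"]) for e in events
            if e["user"] == "root" and e["action"] == "login_ok"]

def misuse_detect(events: list) -> list:
    return rule_password_guessing(events) + rule_direct_root_login(events)

# --- Anomaly detection: a per-user profile of normal behaviour learned from training data ---

def build_profile(events) -> dict:
    profile = defaultdict(lambda: {"srcs": set(), "hours": set()})
    for e in events:
        if e["action"] == "login_ok":
            profile[e["user"]]["srcs"].add(e["src"])
            profile[e["user"]]["hours"].add(e["t"].hour)
    return dict(profile)

def anomaly_detect(profile: dict, events: list) -> list:
    alerts = []
    for e in events:
        if e["action"] != "login_ok":
            continue
        p, reasons = profile.get(e["user"]), []
        if p is None:
            reasons.append("no baseline for user")
        else:
            if e["src"] not in p["srcs"]:
                reasons.append("unseen source")
            if e["t"].hour not in p["hours"]:
                reasons.append("unusual hour")
        if reasons:
            alerts.append(("anomaly", e["user"], "; ".join(reasons), e["raw"]))
    return alerts

def run() -> tuple:
    # Step 1 (features/profile from training data), step 2 (rules), step 3 (apply to live audit data).
    test = [parse(line) for line in TEST_LOG]
    profile = build_profile(parse(line) for line in TRAINING)
    return misuse_detect(test), anomaly_detect(profile, test)

if __name__ == "__main__":
    for alert in sum(run(), []):
        print(alert)
```

On this data the misuse rules raise exactly two alerts, both for the 203.0.113.9 activity, and say nothing about the 03:14 login with valid credentials from an unseen host because no rule describes it. The anomaly detector catches that login (unseen source and unusual hour) but also flags bob's legitimate 22:30 login and the root login for which it has no baseline, which is the false-alarm cost the comparison table describes.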
Future of IDS
- To integrate network- and host-based IDS for better detection.
- Developing IDS schemes for detecting novel attacks rather than individual instantiations.