Intrusion Detection Systems (IDS)

Definition
- Real-time monitoring of network (or host) activity
- Listens to data and helps with: traffic detection, incident identification, response, logging

Placement
- Network based (NIDS): watches traffic on a network segment
- Host based (HIDS): watches activity on a single system

Detection method
- Signature based (also known as knowledge based): matches traffic against known attack patterns
  - Advantages: low false positives; understandable alarms
  - Disadvantages: resource intensive; new attacks go unnoticed until a signature exists
- Behavior based (anomaly based): detects deviations from normal user and traffic patterns
  - Advantages: can dynamically adapt to new attacks; not as OS dependent
  - Disadvantages: high false positives; can affect user activity

Response options
- Block the offending traffic or source
- Issue an SMS or e-mail
- Trace the connection
- Configure alarms
- Launch a counter-attack (an aggressive active response; rarely advisable)

Logging
- SNMP traps
- Syslog

Problems
- Systems running HIDS have to be checked for performance problems
- NIDS may lose packets due to bandwidth limitations
- System and network latency
- Interferes with legitimate traffic

IPsec

- Provides security services at the IP layer; a framework of services rather than a single protocol
- Adds security to the upper layers of the OSI model by implementing a new set of headers (AH and ESP)
- Utilizes Security Associations (SAs); one SA is required per direction
- A router-to-router IPsec VPN therefore uses two SAs, one in each direction
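The two detection methods above behave very differently on the same traffic. The following is an added example (not from the original notes) that runs a signature-based detector and a behavior-based detector over constructed web-server log lines. The log format (`<client> <method> <path> <status>`), the two signatures, the baseline traffic and the mean + 3 sigma threshold are all assumptions chosen for illustration.

```python
"""Signature-based vs behavior-based detection over constructed web log lines.

Added example, not part of the original notes. Log format, signatures,
sample traffic and the k-sigma threshold are assumptions for illustration.
"""
import re
import statistics
from collections import Counter

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")

# Knowledge-based rules: precise and explainable, but blind to anything not listed.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-tautology": re.compile(r"'(?:%20|\s)+or(?:%20|\s)+1=1", re.IGNORECASE),
}

# Constructed "quiet period" traffic used to learn what normal looks like.
BASELINE_LOG = """\
10.0.0.2 GET /index.html 200
10.0.0.2 GET /about.html 200
10.0.0.3 GET /index.html 200
10.0.0.3 GET /products 200
10.0.0.3 GET /cart 200
10.0.0.4 GET /index.html 200
10.0.0.5 GET /index.html 200
10.0.0.5 GET /products 200
10.0.0.5 GET /cart 200
10.0.0.5 POST /checkout 200
10.0.0.6 GET /index.html 200
10.0.0.6 GET /contact 200
10.0.0.8 GET /index.html 200
10.0.0.8 GET /products 200
10.0.0.8 GET /cart 200
"""

# Constructed monitored window: a heavy but legitimate shopper (10.0.0.9), two
# single-request attacks with known signatures (10.0.0.7, 10.0.0.8) and a
# directory-probing scanner that matches no signature (10.0.0.11).
MONITORED_LOG = """\
10.0.0.5 GET /index.html 200
10.0.0.5 GET /about.html 200
10.0.0.9 GET /search?q=shoes 200
10.0.0.9 GET /search?q=boots 200
10.0.0.9 GET /search?q=hats 200
10.0.0.9 GET /search?q=socks 200
10.0.0.9 GET /search?q=coats 200
10.0.0.9 GET /search?q=belts 200
10.0.0.9 GET /search?q=gloves 200
10.0.0.9 GET /search?q=scarves 200
10.0.0.7 GET /cgi-bin/../../etc/passwd 404
10.0.0.8 GET /login?user=admin'%20OR%201=1-- 200
10.0.0.11 GET /admin 404
10.0.0.11 GET /backup 404
10.0.0.11 GET /config 404
10.0.0.11 GET /phpmyadmin 404
10.0.0.11 GET /wp-admin 404
10.0.0.11 GET /.env 404
10.0.0.11 GET /old 404
10.0.0.11 GET /test 404
10.0.0.11 GET /dev 404
10.0.0.11 GET /tmp 404
10.0.0.11 GET /api/v1 404
10.0.0.11 GET /status 404
"""


def parse(log):
    """Turn raw lines into dicts; lines that do not fit the format are skipped."""
    records = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append({"client": m[1], "method": m[2], "path": m[3], "status": int(m[4])})
    return records


def signature_detect(records):
    """Sorted (client, rule) pairs for every request whose path matches a signature."""
    hits = {(r["client"], name) for r in records
            for name, rx in SIGNATURES.items() if rx.search(r["path"])}
    return sorted(hits)


def behavior_threshold(baseline_records, k=3.0):
    """Requests-per-client cutoff learned from the baseline: mean + k standard deviations."""
    counts = list(Counter(r["client"] for r in baseline_records).values())
    return statistics.mean(counts) + k * statistics.pstdev(counts)


def behavior_detect(records, threshold):
    """Clients whose request count in the window exceeds the learned threshold."""
    counts = Counter(r["client"] for r in records)
    return sorted(c for c, n in counts.items() if n > threshold)


def compare():
    """Run both detectors on the monitored window and return their verdicts side by side."""
    window = parse(MONITORED_LOG)
    threshold = behavior_threshold(parse(BASELINE_LOG))
    return {
        "threshold": threshold,
        "signature": signature_detect(window),   # exact, but misses the scanner
        "behavior": behavior_detect(window, threshold),  # catches the scanner, flags the shopper too
    }
```

The signature detector names the rule that fired for 10.0.0.7 and 10.0.0.8 but says nothing about 10.0.0.11, whose probing uses no pattern in the rule set. The behavior detector flags 10.0.0.11 without ever having seen that attack, and also flags 10.0.0.9, an ordinary heavy user: that is the high false-positive rate the notes warn about.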


Access Control Systems and Methodology

Why control access?
- Access control is the heart of security: it is fundamental for providing confidentiality, integrity and availability (CIA)
- Three goals (for integrity):
  - Prevent modification by unauthorized users
  - Prevent unintentional or improper modification by authorized users
  - Preserve internal and external data consistency

Control types (what each kind of control does)
- Preventative: avoid the incident
- Detective: identify existing violations
- Deterrent: discourage the attacker
- Corrective: fix or repair
- Recovery: restore

Implementing controls
- Administrative: "soft" policy procedures such as policies, procedures, training, background checks, job rotation and supervision
- Logical/Technical: ACLs, encryption, smart cards, biometrics, IDS, system scanners
- Physical: gates, guards, fences, badges, motion detectors, CCTV

Examples by type and implementation
- Preventative, technical: encryption, smart cards, biometrics
- Preventative, physical: badges, fences
- Preventative, administrative: job rotation, supervision
- Detective, technical: IDS, system scanners
- Detective, physical: motion detectors, CCTV

Centralized access control (summary)
- All objects are controlled at a central point
- Very strict access control; ease of administration
- The central point could be a single point of failure (SPOF)
- Example: RADIUS

Single Sign-On (SSO) systems
- As the name states: sign on once for access to all resources. Users love it.
- Directory services: Novell NDS and Microsoft AD

Kerberos
- Started as MIT Project Athena; currently in version 5; introduced into Windows with Windows 2000
- Uses symmetric key cryptography
- Components:
  - Key Distribution Centre (KDC): holds the cryptographic keys
  - Ticket Granting Server (TGS): issues tickets
- Process:
  - The subject requests access to an object; the request goes via the KDC
  - The KDC generates a ticket for the subject and object; the reply to the subject is protected with a key derived from the user's password and carries a session key
  - The subject validates that the ticket came from the KDC
  - The subject sends the ticket to the object
  - The object validates the ticket; a Kerberized session is established and the object grants access
- Problems:
  - Each piece of software must be Kerberized
  - Requires synchronized time clocks
  - Relies on UDP
  - A weakness in v4 allowed password (offline dictionary) attacks
  - The KDC can be a SPOF

SESAME (Secure European System for Applications in a Multivendor Environment)
- Designed to extend Kerberos
- Uses public key and symmetric cryptography
- Authenticates with a Privileged Attribute Certificate (PAC)
- Uses two tickets: one contains authentication, the other contains the access rights of the client
- Problems:
  - Only authenticates using the first block of a message, not the whole message
  - The initial exchange relies on password authentication
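The Kerberos steps listed above are easier to follow in code. The following is an added example (not from the original notes and not real Kerberos): a toy KDC issues a ticket readable only by the object and a reply readable only with the key derived from the subject's password; the subject checks the reply, then presents the ticket plus an authenticator to the object, which checks the ticket lifetime and clock skew. The cipher used (SHA-256 keystream XOR with an HMAC tag) is a self-contained stand-in, the principal names are made up, and SKEW and TICKET_LIFE are assumed values.

```python
"""Toy Kerberos-style exchange following the steps in the notes above.

Added example, not part of the original notes. seal()/unseal() are a
self-contained stand-in for the symmetric cipher; real Kerberos uses
AES-based enctypes. Principal names, SKEW and TICKET_LIFE are assumptions.
"""
import hashlib
import hmac
import json
import os

SKEW = 300          # tolerated clock skew in seconds (Kerberos needs synchronized clocks)
TICKET_LIFE = 3600  # ticket lifetime in seconds
CLIENT, SERVICE = "alice@EXAMPLE", "fileserver@EXAMPLE"   # made-up principal names


def derive_key(password, principal):
    """Long-term key from the user's password; the principal name acts as salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)


def _keystream(key, nonce, n):
    blocks = [hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]


def seal(key, obj):
    """Toy authenticated encryption of a dict: nonce || ciphertext || HMAC tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    """Inverse of seal(); raises ValueError if the blob was not sealed under this key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("bad tag")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Holds every principal's long-term key and issues tickets."""

    def __init__(self, keys):
        self.keys = keys

    def issue(self, client, service, nonce, now):
        session_key = os.urandom(32).hex()
        expiry = now + TICKET_LIFE
        # Ticket: readable only by the object.  Reply: readable only by the subject.
        ticket = seal(self.keys[service], {"client": client, "key": session_key, "expiry": expiry})
        reply = seal(self.keys[client], {"key": session_key, "nonce": nonce, "service": service})
        return ticket, reply


def subject_request(kdc, client, password, service, now):
    """Subject side: ask the KDC, then validate that the reply really came from the KDC."""
    nonce = int.from_bytes(os.urandom(8), "big")
    ticket, reply = kdc.issue(client, service, nonce, now)
    creds = unseal(derive_key(password, client), reply)      # wrong password -> bad tag
    if creds["nonce"] != nonce or creds["service"] != service:
        raise ValueError("reply does not answer our request")
    return ticket, bytes.fromhex(creds["key"])


def object_verify(service_key, ticket, authenticator, now):
    """Object side: return the client name if ticket and authenticator check out, else None."""
    try:
        t = unseal(service_key, ticket)
        a = unseal(bytes.fromhex(t["key"]), authenticator)
    except ValueError:
        return None
    if now > t["expiry"]:                     # stale ticket
        return None
    if a["client"] != t["client"] or abs(a["time"] - now) > SKEW:
        return None                           # wrong principal, replay, or clocks out of sync
    return t["client"]


def demo(password="correct horse", client_clock_offset=0, service_clock=1_700_000_000):
    """One full exchange; returns the client name the object accepted, or None."""
    keys = {CLIENT: derive_key("correct horse", CLIENT), SERVICE: os.urandom(32)}
    kdc = KDC(keys)
    client_now = service_clock + client_clock_offset
    try:
        ticket, session_key = subject_request(kdc, CLIENT, password, SERVICE, client_now)
    except ValueError:
        return None
    authenticator = seal(session_key, {"client": CLIENT, "time": client_now})
    return object_verify(keys[SERVICE], ticket, authenticator, service_clock)
```

`demo()` succeeds; a wrong password fails at the subject (the reply cannot be opened), and a subject clock 10 minutes off fails at the object even though the ticket is otherwise valid, which is the "requires synchronized time clocks" problem in concrete form.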



Identification and Authentication

Type 1 Authentication: what you know
- Static password, PIN, passphrase
- Issues: weak passwords, reused passwords, passwords written down, default passwords left in place, password age (no expiry or rotation)
- Mitigation: strong passwords

Type 2 Authentication: what you have
- Tokens, tickets, one-time passwords (OTP)
- Issues: more expensive and more complex than Type 1; may have to be combined with Type 1; can lock the user out if they lose the token; tokens can be copied or forged; again, the total strength is in the PIN

Type 3 Authentication: what you are (biometrics)
- Physical characteristics: iris/retina scans, fingerprinting, voice recognition, signature, DNA/blood
- Advantages: cannot be lent or borrowed; lasts forever
- Issues:
  - Wrong rejections of legitimate users: False Rejection Rate (FRR, Type I error)
  - Wrong acceptances of impostors: False Acceptance Rate (FAR, Type II error)
  - Turning down the sensitivity reduces FRR but raises FAR: VERY BAD, impostors get in
  - Turning up the sensitivity reduces FAR but raises FRR and annoys users
  - The point where FRR and FAR are equal is the Crossover Error Rate (CER); a lower CER is always better
  - Expensive; immature market; bad user acceptance

Centralized and Decentralized Access Control
- Centralized authentication systems:
  - RADIUS (Remote Authentication Dial-In User Service): serves dial-in users; incorporates an authentication server and dynamic passwords
  - TACACS: centralized remote authentication; supports token authentication
  - KryptoKnight: IBM system like Kerberos; client-server or peer-to-peer relationship between the KDC and the parties; authentication through a one-way hash of the user's password stored on the server; NetSP is the IBM product built on it
- Decentralized: the decision is closer to the objects; more administration overhead; different user rights around the network
- Hybrid model: a mixture of centralized and decentralized

Control Models
- Access control means controlling access by a subject (a person or process) to an object (a file or resource); it involves rule creation

Mandatory Access Control (MAC)
- Access is granted on rules or security labels; security labels assign classification levels to objects
- Every resource has a label, every user has a clearance; labels may be assigned per user or per group
- The subject's clearance must be equal to or higher than the object's classification
- A mandatory set of rules (rule-based access control); data owners have less freedom than under DAC
- More secure; used by government and the military; embodies the concept of need to know

Discretionary Access Control (DAC)
- Identity based access control: the owner specifies access levels
- Like UNIX and Windows file permissions; the most common access control

Non-discretionary
- Role based access control (RBAC): access based on job description; good for high staff turnover
- Task based: access based on the job role and the task
- Lattice based: labels ordered so that every pair has an upper and lower bound
- Access control lists (ACLs)
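The MAC rule above (clearance equal or higher, plus need to know) is a lattice: a subject's label must dominate the object's label. The following is an added example (not from the original notes) implementing that check together with the lattice join and meet; the level ordering, compartment names, principal and file names are all made up for illustration.

```python
"""Security labels and dominance for a MAC / lattice-based policy.

Added example, not from the original notes. LEVELS, compartment names and
the sample subject/objects are assumptions. The rule is the one in the notes:
access only if the clearance level is equal or higher AND the subject holds
every compartment (need to know) on the object's label.
"""
from dataclasses import dataclass

LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]  # assumed ordering, low to high


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """True if self sits at or above other in the lattice."""
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.compartments >= other.compartments)


def join(a, b):
    """Least upper bound: the lowest label dominating both (the label merged data must carry)."""
    return Label(max(a.level, b.level, key=LEVELS.index), a.compartments | b.compartments)


def meet(a, b):
    """Greatest lower bound: the highest label both dominate (what two subjects may both see)."""
    return Label(min(a.level, b.level, key=LEVELS.index), a.compartments & b.compartments)


def may_access(subject, obj):
    """Mandatory check: the subject's clearance label must dominate the object's label."""
    return subject.dominates(obj)


def decide(subject, objects):
    """{object_name: 'allow' | 'deny'} for one subject over a dict of labelled objects."""
    return {name: ("allow" if may_access(subject, lbl) else "deny") for name, lbl in objects.items()}


# Constructed sample: one cleared subject and four labelled objects.
ALICE = Label("SECRET", frozenset({"NATO", "CRYPTO"}))
OBJECTS = {
    "ops-plan.doc": Label("SECRET", frozenset({"NATO"})),          # level ok, compartment held
    "reactor-spec.pdf": Label("CONFIDENTIAL", frozenset({"NUCLEAR"})),  # lower level, but no need to know
    "budget.xls": Label("TOP SECRET"),                               # level too high
    "memo.txt": Label("UNCLASSIFIED"),                               # dominated by everyone
}
```

Note that two SECRET labels with disjoint compartments are incomparable: neither dominates the other, so neither subject may read the other's data even though their levels are equal. That is the need-to-know principle the notes attach to MAC, and it is why the model is called a lattice rather than a simple ladder of levels.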
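The FRR/FAR trade-off and the Crossover Error Rate described under Type 3 authentication can be made concrete by sweeping a matcher's decision threshold. The following is an added example (not from the original notes); the genuine and impostor match scores are constructed, higher score meaning a closer match, and the matcher is assumed to accept when the score is at or above the threshold.

```python
"""FRR, FAR and the crossover error rate (CER) for a biometric matcher.

Added example, not part of the original notes. Scores are constructed;
the matcher accepts when score >= threshold, so lowering the threshold is
"turning down the sensitivity" and raising it is "turning it up".
"""

# Constructed scores: GENUINE = enrolled user matched against themselves,
# IMPOSTOR = someone else matched against that user's template.
GENUINE = [0.62, 0.70, 0.74, 0.78, 0.81, 0.85, 0.88, 0.90, 0.93, 0.96]
IMPOSTOR = [0.10, 0.22, 0.31, 0.38, 0.45, 0.52, 0.58, 0.66, 0.72, 0.79]
THRESHOLDS = [i / 100 for i in range(101)]


def frr(threshold, genuine=GENUINE):
    """False Rejection Rate: share of genuine users scoring below the threshold (Type I)."""
    return sum(s < threshold for s in genuine) / len(genuine)


def far(threshold, impostor=IMPOSTOR):
    """False Acceptance Rate: share of impostors scoring at or above the threshold (Type II)."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def sweep(genuine=GENUINE, impostor=IMPOSTOR):
    """(threshold, FRR, FAR) for every candidate threshold."""
    return [(t, frr(t, genuine), far(t, impostor)) for t in THRESHOLDS]


def crossover(genuine=GENUINE, impostor=IMPOSTOR):
    """Threshold where FRR and FAR are closest, and the error rate there (the CER)."""
    t, r, a = min(sweep(genuine, impostor), key=lambda row: abs(row[1] - row[2]))
    return t, (r + a) / 2


def threshold_for_far(max_far, genuine=GENUINE, impostor=IMPOSTOR):
    """Lowest threshold whose FAR stays within budget, and the FRR you pay for it."""
    for t, r, a in sweep(genuine, impostor):
        if a <= max_far:
            return t, r
    raise ValueError("no threshold meets the FAR budget")
```

Turning the threshold down to 0.5 gives zero false rejections but lets half the impostors through, which is the "VERY BAD" case in the notes. The CER for this matcher is 0.2 at a threshold of about 0.71. In practice you rarely operate at the CER: `threshold_for_far(0.0)` shows that insisting on no false acceptances against this impostor set pushes the threshold to 0.80 and rejects 40% of genuine attempts, and the CER is mainly useful for comparing devices (lower is better).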
