Professional Documents
Culture Documents
Intrusion Prevention
CIS 4361
Eng. Hector M Lugo-Cordero, MS
April 2012
First Edition
by William Stallings and Lawrie Brown
Lecture slides by Lawrie Brown
Intruders
significant issue hostile/unwanted trespass
user trespass
software trespass
classes of intruders:
Examples of Intrusion
Intrusion Detection
a security service that monitors and analyzes system
events for the purpose of finding, and providing realtime or near real-time warning of attempts to access
system resources in an unauthorized manner.
Intrusion Techniques
objectivetogainaccessorincreaseprivileges
initialattacksoftenexploitsystemorsoftware
vulnerabilitiestoexecutecodetogetbackdoor
Hackers
Criminal Enterprise
organized
groupsofhackersnowathreat
corporation/government/looselyaffiliatedgangs
typicallyyoung
oftenEasternEuropeanorRussianhackers
commontargetcreditcardsonecommerceserver
criminalhackersusuallyhavespecifictargets
oncepenetratedactquicklyandgetout
IDS / IPS help but less effective
sensitivedataneedsstrongprotection
Insider Attacks
HostbasedIDS:monitorsinglehostactivity
NetworkbasedIDS:monitornetworktraffic
logicalcomponents:
sensorscollectdata
analyzersdetermineifintrusionhasoccurred
userinterfacemanage/direct/viewIDS
IDS Principles
assume intruder behavior differs from
legitimate users
false positives
false negatives
must compromise
IDS Requirements
run continually
be fault tolerant
resist subversion
impose a minimal overhead on system
configured according to system security policies
adapt to changes in systems and users
scale to monitor large numbers of systems
provide graceful degradation of service
allow dynamic reconfiguration
Host-Based IDS
Audit Records
a fundamental tool for intrusion detection
two variants:
Example of Audit
Consider copy.exe game.exe
<system>/game.exe
Several records may be generated for a
single command
1.
2.
3.
Execute copy.exe
Read game.exe
Write <system>/game.exe
Anomaly Detection
threshold detection
profile based
Examples of Anomaly
Examples of Anomaly
Signature Detection
observe events on system
and applying a
set of rules to decide if intruder
approaches:
Example of Signatures
Network-Based IDS
network-based IDS (NIDS)
anomaly detection
Intrusion
Detection
Exchange
Format
Honeypots
are decoy systems
Honeypot
Deployment
SNORT
lightweight IDS
SNORT Rules
Summary
honeypots
SNORT example
capabilities:
limitations:
Types of
Firewalls
Packet
Filter
Rules
attacks
Application-Level Gateway
acts as a relay of application-level traffic
Circuit-Level Gateway
sets up two TCP connections, to an inside
Examples of Firewalls
Windows Defender (Application level)
IP Tables (Packet level)
SOCKS (circuit-level)
MAC OS X personal firewall
SNORT?
Distributed
Firewalls
Host-Based IPS
identifies attacks
using both:
signature techniques
malicious application packets
Network-Based IPS
inline NIDS that can discard packets or
Unified
Threat
Management
Products
Summary
introduced need for & purpose of firewalls
types of firewalls