
Module-1

Information Security Devices


Intrusion Detection System (IDS)
Network intrusion prevention (IP)
• It includes the process of detecting network intrusion events, but also
includes the process of preventing and blocking detected or potential
network incidents.
Network intrusion detection and prevention systems (IDP)
• They are based on identifying potential incidents, logging information
about them, attempting to prevent them and alerting the administrators
responsible for security.
• In addition to this basic function, IDP systems can also be used to
identify problems concerning the adopted security policies, to document
existing security threats and to discourage individuals from violating
security rules.
• IDP systems use various incident detection methods.
Intrusion Detection System (IDS)
• Network intrusion detection (ID), the detection side of IDP (intrusion
detection and prevention), is based on monitoring the operation of computer
systems or networks and analysing the processes they perform,
which can point to certain incidents.
• Incidents are events posing a threat to or violating defined
security policies, violating AUP (acceptable use policy) rules, or
generally accepted security norms.
• They appear as a result of the operation of various malware
programmes (e.g., worms, spyware, viruses, and trojans), as a
result of attempts at unauthorised access to a system through
public infrastructure (internet), or as a result of the operation of
authorised system users who abuse their privileges.
Intrusion Detection System (IDS)
• There are three primary classes of detection
methodology:
– 1. Signature-based detection
– 2. Anomaly-based detection
– 3. Detection based on stateful protocol analysis
Intrusion Detection System (IDS)
1. Signature-based detection
– certain security threats can be detected based on the
characteristic manner in which they appear.
– The behaviour of an already detected security threat,
described in a form that can be used for the detection of any
subsequent appearance of the same threat, is called an
attack signature.
– This detection method, based on the characteristic signature
of an attack, is a process of comparing the known forms in
which the threat has appeared with the specific network
traffic in order to identify certain incidents.
– Although it can be very efficient in detecting the
subsequent appearance of known threats, this detection
method is extremely inefficient in the detection of
completely unknown threats, of threats hidden by using
various techniques, and of already known threats that
have somehow been modified in the meantime.
– It is considered the simplest detection method and it
cannot be used for monitoring and analysing the state of
certain, more complex forms of communication.
Intrusion Detection System (IDS)
2. Anomaly-based detection
– This method of IDP is based on detecting anomalies in a
specific traffic flow in the network.
– Anomaly detection is performed, based on the defined profile
of acceptable traffic and its comparison with the specific
traffic in the network.
– Acceptable traffic profiles are formed by tracking the typical
characteristics of the traffic in the network during a certain
period of time (e.g., The number of email messages sent by a
user, and the number of attempts to log in to a host, or the
level of utilisation of the processor in a given time interval).
– These characteristics of the behaviour of users, hosts,
connections or applications in the same time interval are then
– However, acceptable-behaviour profiles can
unintentionally contain certain security threats,
which lead to problems in their application.
– Likewise, imprecisely defined profiles of
acceptable behaviour can cause numerous alarms,
generated by the system itself as a reaction to
certain (acceptable) activities on the network.
– The greatest advantage of this detection method is
its exceptional efficiency in detecting previously
unknown security threats.
Intrusion Detection System (IDS)
3. Detection based on stateful protocol analysis
– Stateful protocol analysis is a process of comparing predefined
operation profiles with the specific data flow of that protocol on
the network.
– Predefined profiles of operation of a protocol are defined by the
manufacturers of IDP devices and they identify everything that is
acceptable or not acceptable in the exchange of messages in a
protocol.
– Unlike anomaly-based detection, where profiles are created based
on the hosts or specific activities on the network, stateful
protocol analysis uses general profiles generated by the equipment
manufacturers.
– Most IDP systems use several detection methods simultaneously,
thus enabling a more comprehensive and precise method of
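As an added example (not code from the original slides), the Python sketch below implements one toy detector of each of the three classes on constructed input and shows why IDP systems combine them: the signature matcher only catches the forms it already knows, the anomaly profile flags a burst of login attempts but silently absorbs a burst that was present during training (the profile-contamination problem noted under anomaly-based detection), and the SMTP state model rejects commands sent out of order. The signatures, the login-count series, the request lines and the SMTP profile are all constructed.

```python
"""Toy IDP that combines the three detection classes on constructed events.

Added example; not code from the original slides. The signatures, the
SMTP state model, the login-count series and the request lines below are
all constructed for illustration.
"""
import re
import statistics
from typing import List, Tuple

# --- 1. Signature-based detection -----------------------------------------
# Hypothetical attack signatures: each captures the characteristic form of
# an already-known threat, so only recurrences of that form are caught.
SIGNATURES = {
    "SIG-DIR-TRAVERSAL": re.compile(r"(\.\./){2,}"),
    "SIG-KNOWN-WORM-UA": re.compile(r"User-Agent: ConstructedWorm/1\.0"),
}


def signature_detect(payload: str) -> List[str]:
    """Return the names of every signature that matches the payload."""
    return [name for name, rx in SIGNATURES.items() if rx.search(payload)]


# --- 2. Anomaly-based detection --------------------------------------------
class LoginProfile:
    """Profile of acceptable login attempts against a host per interval.

    The profile is learned by tracking the typical count over a training
    period; an interval whose count exceeds mean + k * stdev is an anomaly.
    """

    def __init__(self, training_counts: List[int], k: float = 3.0) -> None:
        self.mean = statistics.mean(training_counts)
        # A perfectly flat training series would give stdev 0; use 1 instead.
        self.stdev = statistics.pstdev(training_counts) or 1.0
        self.threshold = self.mean + k * self.stdev

    def is_anomalous(self, count: int) -> bool:
        return count > self.threshold


# --- 3. Stateful protocol analysis -----------------------------------------
# A vendor-style general profile of SMTP: which command verb is acceptable
# in which session state. Anything else is a protocol violation.
SMTP_STATES = {
    "INIT":    {"HELO": "GREETED", "EHLO": "GREETED", "QUIT": "CLOSED"},
    "GREETED": {"MAIL": "MAIL", "RSET": "GREETED", "QUIT": "CLOSED"},
    "MAIL":    {"RCPT": "RCPT", "RSET": "GREETED", "QUIT": "CLOSED"},
    "RCPT":    {"RCPT": "RCPT", "DATA": "DATA", "RSET": "GREETED", "QUIT": "CLOSED"},
    "DATA":    {"MAIL": "MAIL", "RSET": "GREETED", "QUIT": "CLOSED"},
    "CLOSED":  {},
}


def smtp_violations(commands: List[str]) -> List[Tuple[str, str]]:
    """Walk a client's command sequence through the SMTP state model.

    Returns a (state, verb) pair for each command that is not acceptable in
    the current state; the state is left unchanged after a violation.
    """
    state, violations = "INIT", []
    for line in commands:
        verb = line.split(None, 1)[0].upper() if line.strip() else ""
        nxt = SMTP_STATES[state].get(verb)
        if nxt is None:
            violations.append((state, verb))
        else:
            state = nxt
    return violations


if __name__ == "__main__":
    print(signature_detect("GET /img/../../../../app/config.ini HTTP/1.1"))
    clean = LoginProfile([3, 4, 2, 5, 3, 4, 3, 2])
    # A training window that already contained an attack burst (40 attempts)
    # is silently absorbed into the profile, so a later burst of 30 passes.
    poisoned = LoginProfile([3, 4, 2, 5, 3, 4, 3, 40])
    print(clean.is_anomalous(30), poisoned.is_anomalous(30))
    print(smtp_violations(["EHLO relay.example", "RCPT TO:<x@example>", "DATA"]))
```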
– Testing tools are used for testing the detection,
recognition and response capabilities of devices that
perform packet filtering (including those that use
network address translation), such as firewalls,
IDSes/IPSes, routers and switches.
– These test the traffic filtering devices' ability to detect
and/or block DoS attacks, spyware, backdoors, and
attacks against applications such as IIS, SQL Server and
WINS.
– Standard traffic sessions can be used to test how packet
filtering devices handle a variety of protocols including
Intrusion Detection System (IDS)
• Intrusion detection systems can be grouped
into the following categories:
– Host-based IDS
– Network-based IDS
– Intrusion prevention system (IPS)
Host-based intrusion detection systems
• Host-based IDSs are designed to monitor, detect
and respond to activity and attacks on a given
host. In most cases, attackers target specific
systems on corporate networks that have
confidential information.
• They will often try to install scanning programs
and exploit other vulnerabilities that can record
user activity on a particular host.
• Some host-based IDS tools provide policy
management, statistical analytics and data
forensics at the host level.
Host-based intrusion detection systems
• Host-based IDSs are best used when an
intruder tries to access particular files or other
services that reside on the host computer.
• Because attackers mainly focus on operating
system vulnerabilities to break into hosts, in
most cases, the host-based IDS is integrated
into the operating systems that the host is
running.
Network-based intrusion detection systems
• Network traffic based IDSs capture network traffic to detect
intruders.
• Most often, these systems work as packet sniffers that read
through incoming traffic and use specific metrics to assess
whether a network has been compromised.
• Various internet and other proprietary protocols that handle
messages between external and internal networks, such as
TCP/IP, NetBEUI and XNS, are vulnerable to attack and require
additional ways to detect malicious events.
• Frequently, intrusion detection systems have difficulty
working with encrypted information and traffic from virtual
private networks. Speed over 1Gbps is also a constraining
factor, although modern and costly network-based IDSs have
Network-based intrusion detection systems
• Cooperative agents are one of the most important
components of distributed intrusion detection architecture.
• An agent is an autonomous or semi-autonomous piece of
software that runs in the background and performs useful
tasks for another.
• Relative to IDSs, an agent is generally a piece of software
that senses intrusions locally and reports attack information
to central analysis servers.
• The cooperative agents can form a network among
themselves for data transmission and processing.
• The use of multiple agents across a network allows a
broader view of the network than might be possible with a
single IDS or centralized IDSs.
Intrusion prevention system (IPS)
• An IPS is a network security tool that can not only detect
intruders, but also prevent them from successfully
launching any known attack.
• Intrusion prevention systems combine the abilities of
firewalls and intrusion detection systems.
• However, implementing an IPS on an effective scale can
be costly, so businesses should carefully assess their IT
risks before making the investment.
• Moreover, some intrusion prevention systems are not as
fast and robust as some firewalls and intrusion detection
systems, so an IPS might not be an appropriate solution
when speed is an absolute requirement.
Intrusion prevention system (IPS)
• One important distinction to make is the difference between intrusion
prevention and active response.
• An active response device dynamically reconfigures or alters network
or system access controls, session streams or individual packets based
on triggers from packet inspection and other detection devices.
• Active response happens after the event has occurred; thus, a single
packet attack will be successful on the first attempt but will be blocked
in future attempts; for example, a DDoS attack will be successful on
the first packets but will be blocked afterwards.
• While active response devices are beneficial, this one aspect makes
them unsuitable as an overall solution.
• Network intrusion prevention devices, on the other hand, are typically
inline devices on the network that inspect packets and make decisions
before forwarding them on to the destination.
Intrusion prevention system (IPS)
• Most important, an IPS must perform packet inspection and
analysis at wire speed. Intrusion prevention systems should
be performing detailed packet inspection to detect intrusions,
including application-layer and zero-day attacks.
• System or host intrusion prevention devices are also inline at
the operating system level. They have the ability to intercept
system calls, file access, memory access, processes and other
system functions to prevent attacks. There are several
intrusion prevention technologies, including the following:
– System memory and process protection
– Inline network devices
– Session sniping
– Gateway interaction devices
Intrusion prevention system (IPS)
• System memory and process protection
– This type of intrusion prevention strategy resides
at the system level.
– Memory protection consists of a mechanism to
prevent a process from corrupting the memory of
another process running on the same system.
– Process protection consists of a mechanism for
monitoring process execution, with the ability to
kill processes that are suspected of being attacks.
– Internet technology, with its open architecture, inherently
provides access to all resources that are connected to the
world wide web. Hence, users can connect themselves to
all legitimate and illegitimate web sources.
– This may expose organizations to serious security
threats. The outward and inward connections, thus, have
a potential to jeopardize the security posture of an
organization. These connections also create possibilities
of data leakage from an organization to the outside
world. Security threats have been increasingly exploiting
these connections, channels, protocols and traffic to
perpetrate attacks.
Intrusion prevention system (IPS)
• Inline network devices
– This type of intrusion prevention strategy places a
network device directly in the path of network
communications with the capability to modify and
block attack packets as they traverse the device’s
interfaces.
– It acts much like a router or firewall combined
with the signature-matching capabilities of IDS.
The detection and response happens in real time
before the packet is passed on to the destination
network.
Intrusion prevention system (IPS)
• Session sniping
– This type of intrusion prevention strategy terminates a TCP
session by sending a TCP RST packet to both ends of the
connection. When an attempted attack is detected, the TCP RST
is sent and the attempted exploit is flushed from the buffers
and thus prevented. Note that the TCP RST packets must have
the correct sequence and acknowledgement numbers to be
effective.
• Gateway interaction devices
– This type of intrusion prevention strategy allows a detection
device to dynamically interact with network gateway devices
such as routers or firewalls. When an attempted attack is
detected, the detection device can direct the router or firewall
to block the attack.
Intrusion prevention system (IPS)
• Session sniping system identification is another
concern when deploying active response IPSs.
• When systems terminate sessions with RST packets, an
attacker might be able to discover not only that an IPS
is involved but also the type of underlying system.
• Readily available passive operating system
identification tools analyze packets to determine the
underlying operating system.
• This type of information might enable an attacker to
evade the IPS or direct an attack at the IPS.
Intrusion prevention system (IPS)
• There are several risks when deploying intrusion prevention
technologies.
• Most notable is the recurring issue of false positives in today’s intrusion
detection systems. On some occasions, legitimate traffic will display
characteristics similar to malicious traffic.
• This could be anything from inadvertently matching signatures to
uncharacteristically high traffic volume.
• Even a finely tuned IDS can present false positives when this occurs.
When intrusion prevention is involved, false positives can create a
denial-of-service (DoS) condition for legitimate traffic.
• In addition, attackers who discover or suspect the use of intrusion
prevention methods can purposely create a DoS attack against legitimate
networks and sources by sending attacks with spoofed source IP
addresses.
• A simple mitigation to some DoS conditions is to use a whitelisting policy.
Intrusion prevention system (IPS)
• Another risk with active response IPSs involves gateway
interaction timing and race conditions.
• In this scenario, a detection device directs a router or
firewall to block the attempted attack.
• However, because of network latency, the attack has
already passed the gateway device before it receives this
direction from the detection device.
• A similar situation could occur with a scenario that
creates a race condition on the gateway device itself
between the attack and the response.
• In either case, the attack has a high chance of succeeding.
Intrusion prevention system (IPS)
• When deploying an IPS, you should carefully
monitor and tune your systems and be aware
of the risks involved.
• You should also have an in-depth
understanding of your network, its traffic, and
both its normal and abnormal characteristics.
• It is always recommended to run IPS and
active response technologies in test mode for
a while to thoroughly understand their
behavior.
Secure Content Management - Overview
• Organizations are increasingly moving toward collaboration
– encouraging usage of the internet for knowledge access and
productivity enhancement, advocating widespread adoption of email as
communication means and promoting instant messaging for better
coordination.
• The global nature of business transactions — involving service
providers and third party solutions — relies on communication
protocols such as SMTP, HTTP, HTTPS, FTP, IPsec VPN, etc.,
for the exchange of information and the execution of transactions.
• This has been contributing to increased dependencies of an
organization on the inbound and outbound traffic flowing across
its boundaries.
The Importance of Secure Content
Management
Unrestricted Access
 The use of the internet is on the rise, as are the risks of
uncontrolled access.
 When employees and staff inadvertently or deliberately
access sites containing inappropriate, illegal or dangerous
content, businesses suffer losses of productivity, expose
themselves to legal liabilities and can experience degraded
network performance that negatively affects mission-
critical tasks. There are also a growing number of security
risks—including trojans and worms—that can seriously
impact operations.
Unrestricted Access
The risks include:
Impacted employee productivity
Liability exposure
Hacker attacks and privacy violations
Unrestricted Access
Impacted employee productivity
 Restricting access to inappropriate web sites helps companies prevent
excessive non-productive web surfing and preserves network bandwidth.
Liability Exposure
 Employees who visit pornographic or racist/hate sites represent a major legal
liability concern. Businesses need to shield themselves from potential legal
liability that can arise if an employee is repeatedly exposed to offensive
material on a co-worker’s computer or anywhere in the workplace.
 Other sources of liability exposure include peer-to-peer networking and file
sharing, which have opened the door to charges of copyright violations and
high-profile litigation. Corporations can be held liable for breaking copyright
laws if employees use company networks to download music or movies
illegally.
Content Management
Hacker Attacks and Privacy Violations
• Instant messaging, peer-to-peer file sharing
and multimedia downloads make businesses
vulnerable to backdoor attacks.
How Secure Content Management Works
 Securing content starts with controlling access to certain web
sites based on predetermined criteria. At a basic level, user
access to internet content is controlled using the URL address
or the URL content category (such as nudity or gambling).
 Basic content management solutions can also examine the
way the content is delivered, such as through Java Applets or
ActiveX scripts, and determine access permissions
accordingly.
 More advanced content management solutions also provide
the ability to block applications such as instant messaging
and peer-to-peer services.
Site Blocking Versus Content Monitoring
 Secure content management solutions employ one of two
basic approaches: site blocking or content monitoring.
 While there are considerable differences between these two
approaches, both are based on pass-through filtering
technology.
 That is, all requests for web pages pass through an internet
control point such as a firewall, proxy server or caching
device.
 The device then evaluates each request to determine
whether it should be allowed or denied based on company
policy.
Site blocking
 The site blocking approach for content management typically
uses list-based or URL-based filters to identify and block
certain web sites. Some solutions rely on white lists that allow
access to only those sites that appear on the list.
 For example, a retail store might create a white list containing
only the company’s web site, shipping web sites and supplier
web sites. Other solutions use black lists, which permit access
to all sites except those on the black list.
 The black list approach is preferable for businesses whose
employees need less restrictive internet access. With a black
list approach, the database of web sites is organized into
categories, such as “violence” or “drugs,” and network
administrators can selectively block categories.
Site blocking
• The effectiveness and manageability of site blocking
depends on a number of factors:
 Database size
 A larger database allows more sites to be added to the restricted list.
 Update frequency
 New sites continually emerge, and many existing sites are relocated.
Most site blocking solutions update their databases on a daily basis,
often automatically downloading new URLs every night.
 Category Organization
 The definition of categories must be carefully considered and established
with enough granularity to accomplish effective restrictions while
allowing access when appropriate. A general limitation of site blocking
is that it focuses exclusively on HTTP-based web traffic. It does not block
instant messaging, e-mail attachments, peer-to-peer applications and
other applications that could contain security threats.
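An added example (not part of the original text) of site blocking as pass-through filtering: a constructed category database, a white-list policy like the retail store's, a black-list policy that blocks selected categories, and the limitation that only HTTP-based requests are evaluated at the control point. Every domain name, category and policy here is made up for illustration.

```python
"""Site-blocking pass-through filter with white-list and black-list modes.

Added example; not code from the original slides. The category database,
the domain names and the policies below are constructed for illustration.
"""
from typing import Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed category database keyed by domain. A real product ships a
# vendor-maintained database of millions of entries, refreshed nightly.
CATEGORY_DB = {
    "example-retailer.test": "company",
    "ship-fast.test": "shipping",
    "parts-supplier.test": "supplier",
    "bet-big.test": "gambling",
    "gore-clips.test": "violence",
    "news.test": "news",
}


def normalise_host(url: str) -> str:
    """Reduce a URL to a comparable hostname: lower-case, no port, no trailing dot."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def lookup_category(host: str) -> Optional[str]:
    """Longest-suffix match, so www.example.test inherits example.test's category."""
    labels = host.split(".")
    for i in range(len(labels)):
        category = CATEGORY_DB.get(".".join(labels[i:]))
        if category:
            return category
    return None


class SiteBlocker:
    """The control point (firewall/proxy) decision for each web request."""

    def __init__(self, mode: str, categories: Set[str]) -> None:
        if mode not in ("whitelist", "blacklist"):
            raise ValueError("mode must be 'whitelist' or 'blacklist'")
        self.mode = mode
        # whitelist: the only categories allowed; blacklist: the categories denied
        self.categories = categories

    def decide(self, url: str) -> Tuple[str, str]:
        """Return ('allow' | 'deny', reason) for one request."""
        if urlsplit(url).scheme.lower() not in ("http", "https"):
            # Limitation noted in the text: site blocking only evaluates
            # HTTP-based web traffic; IM, P2P and mail attachments pass untouched.
            return ("allow", "not HTTP-based web traffic; not evaluated")
        host = normalise_host(url)
        category = lookup_category(host)
        if self.mode == "whitelist":
            if category in self.categories:
                return ("allow", f"{host} is in permitted category '{category}'")
            return ("deny", f"{host} is not on the white list")
        if category in self.categories:
            return ("deny", f"{host} is in blocked category '{category}'")
        return ("allow", f"{host} is not in a blocked category")


if __name__ == "__main__":
    # The retail store from the text: only its own, shipping and supplier sites.
    retail = SiteBlocker("whitelist", {"company", "shipping", "supplier"})
    # A less restrictive office policy that blocks selected categories.
    office = SiteBlocker("blacklist", {"gambling", "violence"})
    for url in ("https://www.example-retailer.test/orders", "http://news.test/",
                "http://BET-BIG.test:8080/play", "xmpp://chat.bet-big.test"):
        print(url, retail.decide(url)[0], office.decide(url)[0])
```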
Content monitoring
 The most basic level of content monitoring uses a keyword-
blocking approach.
 Instead of blocking URLs, it compares the keyboard data to a
user-defined library of words and phrases.
 When a match to one of the blocked words or phrases is detected,
the solution filters or blocks the data, or in some cases even closes
the application.
 The problem with this approach is that it can inadvertently block
legitimate pages based on the fact that they contain one or more
targeted keywords.
 For example, a web site about cancer research could be blocked
because it contains the word “breast.” More advanced content
monitoring solutions not only examine the individual words on the
page, but also evaluate context and other data such as HTML tags.
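An added example (not the original's code) contrasting basic keyword blocking with a context-aware monitor on two constructed pages: a cancer-research page that contains the word "breast", which the keyword approach wrongly blocks, and a casino page that both approaches block. The blocked-word library, the medical context terms, the scoring weights and the threshold are constructed assumptions, not a vendor's rules.

```python
"""Keyword blocking versus context-aware content monitoring.

Added example; not code from the original slides. The blocked-word library,
the medical context terms, the scoring rule and both sample pages are
constructed for illustration.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List, Tuple

# User-defined library of blocked words and phrases (constructed).
BLOCKED_WORDS = {"breast", "jackpot", "casino"}

# Constructed context indicators: terms whose presence around a blocked
# word mark the page as medical content rather than adult content.
MEDICAL_CONTEXT = {"cancer", "oncology", "mammography", "tumour", "tumor",
                   "screening", "diagnosis", "research"}


def tokens(text: str) -> List[str]:
    return re.findall(r"[a-z]+", text.lower())


def keyword_block(page: str) -> Tuple[bool, List[str]]:
    """Basic approach: block as soon as any library word appears anywhere."""
    hits = sorted(set(tokens(page)) & BLOCKED_WORDS)
    return (bool(hits), hits)


class _PageText(HTMLParser):
    """Separate the <title>, the meta keywords and the visible body text."""

    def __init__(self) -> None:
        super().__init__()
        self.title = ""
        self.meta = ""
        self.body: List[str] = []
        self._in_title = False

    def handle_starttag(self, tag, attrs) -> None:
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        if tag == "meta" and (a.get("name") or "").lower() == "keywords":
            self.meta = a.get("content") or ""

    def handle_endtag(self, tag) -> None:
        if tag == "title":
            self._in_title = False

    def handle_data(self, data) -> None:
        if self._in_title:
            self.title += data
        else:
            self.body.append(data)


def context_block(page: str, min_score: float = 0.5) -> Tuple[bool, Dict[str, float]]:
    """Advanced approach: weigh blocked words against context and HTML tags.

    Blocked words in the <title> or meta keywords count double (tag
    evidence); each medical context term in the body pulls the score down.
    A page is blocked when score >= min_score (a constructed tuning knob).
    """
    p = _PageText()
    p.feed(page)
    body = tokens(" ".join(p.body))
    tag_text = tokens(p.title + " " + p.meta)
    blocked = sum(1 for t in body if t in BLOCKED_WORDS)
    tag = sum(1 for t in tag_text if t in BLOCKED_WORDS)
    context = sum(1 for t in body if t in MEDICAL_CONTEXT)
    evidence = blocked + 2 * tag
    if evidence == 0:
        return (False, {"score": 0.0})
    score = evidence / (evidence + context)
    return (score >= min_score,
            {"score": round(score, 2), "blocked": blocked, "tag": tag, "context": context})


# Constructed sample pages.
RESEARCH_PAGE = """<html><head><title>Breast cancer screening research</title>
<meta name="keywords" content="oncology, mammography, screening"></head>
<body><h1>Breast cancer research</h1><p>Our oncology group studies early
breast tumour diagnosis through mammography screening.</p></body></html>"""

CASINO_PAGE = """<html><head><title>Online jackpot slots</title>
<meta name="keywords" content="jackpot, casino"></head>
<body><p>Spin for the jackpot at our casino tonight.</p></body></html>"""

if __name__ == "__main__":
    for name, page in (("research", RESEARCH_PAGE), ("casino", CASINO_PAGE)):
        print(name, "keyword:", keyword_block(page), "context:", context_block(page))
```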
Solution Architectures
• Content management software can be embedded on a
networked device such as a proxy server, caching
appliance or firewall, or it can reside on a dedicated server
running the Microsoft Windows, Linux or UNIX operating
system. The three common deployment methods vary in
terms of effectiveness, cost and manageability.
 Client Solutions
 Standalone Solutions
 Integrated Solutions
 Integrated Content Management and Firewalls
 Standalone Appliances
Solution Architectures
• Client Solutions
– Installed on the desktop, client solutions are most
suited for home environments where parental control
is the primary application.
– Client software solutions include a management
interface and a database of blocked web sites; the
parent downloads database updates via the internet.
– Leading providers of client solutions include Zone
Labs, Net Nanny® and internet service providers
(ISPs) such as Microsoft® MSN and AOL®.
Solution Architectures
• Standalone Solutions
 Standalone solutions consist of a dedicated database server for
defining policies and a separate gateway or firewall that enforces
the content management policies.
 These solutions are more manageable than client based solutions
because an administrator can create a policy once on the gateway
and then apply it across all desktops.
 However, most standalone solutions require organizations to
purchase and manage two separate hardware devices in addition
to content management software.
 They also require additional storage to be purchased as needed,
when the policy database grows to exceed the storage available.
 Key vendors of standalone solutions include SonicWALL®,
Websense and Surf Control®.
Solution Architectures
• Integrated Solutions
– Integrated solutions consolidate management and
processing in a single gateway or firewall, thereby
reducing capital and operational expenses.
– However, when the gateway or firewall is also used
for services like anti-virus and intrusion prevention,
performance can suffer.
– Key vendors of integrated content filtering solutions
include SonicWALL®, Symantec™ and WatchGuard®.
Solution Architectures
• Integrated content management and firewalls
 Content filtering integrated on a firewall is a cost-effective
content management solution that is ideal for businesses with
small to mid-sized networks.
 This alternative integrates the existing firewall technology, or is
installed simultaneously with a new firewall solution.
 A typical service will make available a continuously updated,
comprehensive database of millions of web sites, domains and IP
addresses.
 Minimal administrative overhead means that businesses can
either manage the solution themselves or outsource the task to
their IT service provider.
Solution Architectures
• Standalone Appliances
– Beyond these advantages and basic web site access
controls, other advantages of a standalone
appliance include:
1. Seamless integration
2. Dynamic rating engine
3. Protection from attacks
4. Advanced security for bandwidth protection and
reduced legal liabilities
 For larger businesses and enterprise environments requiring more
comprehensive content control abilities, a standalone content filtering
appliance maximizes the protection of any network from today’s
sophisticated internet threats.
 Although it requires the purchase of additional hardware, ease of
installation and use make this an attractive solution. The appliance
can be dropped into the existing network without any reconfiguration
of existing hardware or software.
 Appliances are also an affordable way to upgrade existing firewalls
by introducing new functionality without an actual upgrade on the
firewall itself.
 A standalone appliance can affordably combine internet content
management with real-time gateway anti-virus and antispyware
capabilities, and the best appliances are rich in features and
Solution Architectures: Standalone
Appliances
1. Seamless integration
Appliances can be easily installed in virtually any
network, and combined with any existing firewall.
Plug-and-play designs speed installation, making
them drop-in solutions that eliminate the need for
additional servers or hardware.
2. Dynamic rating engine
Built-in capabilities can dynamically evaluate new
URLs.
Real-time analysis of page content, context for
flagged words, HTML tags and other data can
produce a rating and category for immediate
access or blocking based on the organizations’
predetermined policies.
New ratings can be automatically added to a
master ratings database for subsequent requests.
3. Protection from attacks
Deep packet inspection technology can block
viruses, worms, Trojans, spyware, phishing,
malicious code and other attacks before they are
able to infect a network.
Appliances can scan and clean network traffic over
a multitude of ports and protocols including HTTP,
SMTP, POP3, FTP and NetBIOS.
4. Advanced security for bandwidth protection
and reduced legal liabilities
 Appliances can provide controls for managing instant
messaging, peer-to-peer and multimedia applications.
 Management and reporting capabilities—integrated
support enables network administrators to manage all
users through a single interface, while the option to
create custom categories and URL rating lists provides
more granular control over filtering policies.
 Advanced reporting and analysis tools provide
granular insight into network usage through custom
reports.
Why are CMS platforms so vulnerable?
 When you consider the different issues in play it becomes obvious
why hackers deem CMSes to be appealing targets. It is easy for some
to assume that since WordPress, Joomla, and Drupal are such
recognizable names, they must be providing some form of
protection.
 However, the opposite is true. Fact is, CMSes are vulnerable by
nature because they are built on open source frameworks. Such
shared development environments offer several benefits but they also
have their share of flaws, many of which arise from a lack of
accountability.
 With no price tag, and with no one to take direct responsibility for
potential problems, it’s no surprise when the final product has some
security issues. Since the top CMSes are so popular, these security
vulnerabilities are actively sought after — both by security
researchers and members of the hacker community.
Why are CMS platforms so vulnerable?
 Once identified, these flaws can turn into a virtual gold mine
for hackers, creating a much more efficient way for them to
execute automated mass-scale attacks.
 Adding to the issue are website operators who use weak
passwords, leaving their admin accounts vulnerable to
automated brute force attacks.
 In the past we have shown how such weak passwords were used
to inject websites with malware, turning them into DDoS
zombies.
 Obviously, with administrative access hackers can also deal
other kinds of damage: anything from defacing the site (for
fun) to using it for malware distribution, which eventually
gets it blacklisted in Google and in other search engines.
Why are CMS platforms so vulnerable?
• Finally, there is also the issue of various CMS plugins
and themes, which are also exposed to attacks. Each of
these is created by a different developer and may
introduce an additional set of vulnerabilities.
• A recent study found that over 20% of the fifty most
popular WordPress plugins were vulnerable to hacking,
while a staggering eight million susceptible plugins
had been downloaded from WordPress alone.
• Considering that most users have at least 3-4 plugins
running on their CMS platform, it’s apparent how they
can further expose their sites to new security risks.
Why are CMS platforms so vulnerable?
What users can do to protect themselves from CMS
vulnerabilities
There are a number of things users can do to protect themselves:
 Create a regular schedule to update or patch their CMS, and
all installed plugins and themes. This will ensure that all
components are up-to-date. CMS platforms usually display a
dashboard message whenever a new update is available; users
should quickly install it even if it’s outside their update
schedule.
 Regularly backup the CMS and its underlying database. This
should be performed weekly at a minimum.
 Subscribe to a regularly-updated list of vulnerabilities for
the specific CMS being used (e.g., WordPress).
 Delete default admin usernames (e.g., ‘Admin’) and use
strong passwords (at least eight characters long, with a
combination of upper and lower case, as well as both
letters and numerical characters).
 Use a plugin for strong authentication, or two-factor
authentication (2FA) for an additional layer of protection.
