Chapter 4.3 IDS & HoneyPot 4.4 Email Security and 4.5 IP Security (IPSec) .Pps
Intrusion Detection System
Intruders: an intruder is a person who tries to access a system, its resources or a network without authorization.
An IDS is developed to provide early warning of an intrusion so that defensive action can be taken to prevent it.
Intrusion detection involves detecting unusual patterns of activity.
April 22, 2024 2
Intrusion Detection System
Masquerader: not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account. The masquerader is likely to be an outsider.
Misfeasor: a legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges. The misfeasor generally is an insider.
Clandestine user: an individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection. The clandestine user can be either an outsider or an insider.
Intrusion Techniques
The objective of the intruder is to gain access to a system.
Most initial attacks use system/software vulnerabilities.
The intruder attempts to acquire information that should have been protected (e.g. a password).
An intruder who obtains a password can log in to the system and exercise all the privileges accorded to the legitimate user.
The password file can be protected in one of two ways: a one-way function, or access control.
Intrusion Detection System
An IDS monitors network traffic and computer systems for suspicious activity and raises alerts for the system or network.
An IDS is analogous to a burglar alarm system.
Detection is based on looking for specific signatures of known threats.
Suspicious traffic can be detected in two different ways:
Host Based IDS
Network Based IDS
[Figure: Components of IDS: traffic collector, analysis engine, critical files, signature database]
Components of IDS
Traffic Collector: collects activity or events for the IDS to examine.
Analysis Engine: examines the collected network traffic and compares it to the known patterns of suspicious activity stored in the signature database.
Signature Database: a collection of patterns and definitions of known suspicious activity.
User Interface & Reporting: interfaces with the human element, providing alerts.
Host Based IDS
Performs logging and analysis of the data and events of a single host to identify possible threats.
A HIDS checks log files, critical files, audit trails and network traffic entering or leaving the host.
A HIDS can operate in real time or in batch mode.
It focuses on the log files or audit trails produced by the OS.
Host Based IDS
It is installed on a single system.
It captures all traffic and incidents occurring on the host and analyzes them.
Each packet coming to or going from the host is scanned against defined rules and signatures.
Alerts are configured to notify the security team.
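The four IDS components (traffic collector, analysis engine, signature database, user interface & reporting) and the HIDS scan of events against defined rules and signatures, worked as a small Python example added here; it is not code from the slides. The signature database, the auth-log lines and the per-source thresholds are constructed for the illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:           # one entry of the signature database
    sig_id: str
    pattern: str           # regex over a log line; optional named group "src"
    severity: str
    threshold: int = 1     # matches per source before an alert is raised

# Constructed signature database for the illustration (not a real rule set).
SIGNATURE_DB = [
    Signature("SSH-BRUTE", r"Failed password for \S+ from (?P<src>[\d.]+)", "high", threshold=3),
    Signature("ROOT-LOGIN", r"Accepted password for root from (?P<src>[\d.]+)", "critical"),
    Signature("SUDO-FAIL", r"sudo: .*incorrect password attempts", "medium"),
]

# Constructed auth-log excerpt standing in for the host's log files / audit trail.
SAMPLE_LOG = """\
Apr 22 10:01:02 host sshd[101]: Failed password for admin from 203.0.113.5 port 4021 ssh2
Apr 22 10:01:05 host sshd[102]: Failed password for admin from 203.0.113.5 port 4022 ssh2
Apr 22 10:01:09 host sshd[103]: Failed password for bob from 198.51.100.9 port 5100 ssh2
Apr 22 10:01:11 host sshd[104]: Failed password for root from 203.0.113.5 port 4023 ssh2
Apr 22 10:01:20 host sshd[105]: Accepted password for root from 203.0.113.5 port 4024 ssh2
Apr 22 10:02:00 host sudo: bob : 3 incorrect password attempts ; TTY=pts/0 ; COMMAND=/bin/sh
"""

def traffic_collector(raw):
    """Traffic collector: turns the raw log into the events the engine will examine."""
    return [line for line in raw.splitlines() if line.strip()]

def analysis_engine(events, signatures=SIGNATURE_DB):
    """Analysis engine: compares every event with every signature, counting hits per source."""
    hits, alerts = defaultdict(int), []
    for event in events:
        for sig in signatures:
            match = re.search(sig.pattern, event)
            if not match:
                continue
            src = match.groupdict().get("src") or "local"
            hits[(sig.sig_id, src)] += 1
            if hits[(sig.sig_id, src)] == sig.threshold:   # alert exactly once per source
                alerts.append({"sig": sig.sig_id, "severity": sig.severity, "src": src, "event": event})
    return alerts

def report(alerts):
    """User interface & reporting: one line per alert for the security team."""
    return [f"[{a['severity'].upper()}] {a['sig']} from {a['src']}: {a['event']}" for a in alerts]
```

A single failed login from 198.51.100.9 stays below the SSH-BRUTE threshold and produces no alert, while the third failure from 203.0.113.5 does; the thresholded rule is what lets the engine flag an unusual pattern rather than one matching line.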
[Figure: HIDS output: alarm, reports, storage]
[Figure: SMTP exchange between sender and receiver]
Post Office Protocol (POP)
POP is used to retrieve (download) email.
It uses plaintext to communicate between sender and receiver.
To denote success, the POP server sends a plus (+) at the beginning of its response; to denote failure, it sends a minus (-).
IPSec in the TCP/IP protocol stack
[Figure: IPSec sits between the Transport and Internet layers on both hosts: Application, Transport, IPSec, Internet, Physical, Transmission Media]
Transport Mode
• Encrypts only the data portion of the packet,
• thus enabling outsiders to see the source and destination IP addresses.
• This protects the data being transmitted, but allows knowledge of the transmission.
• IPSec takes the transport layer payload, adds the IPSec header and then adds the IP header.
• Thus the IP header is not encrypted.
• Protection of the data portion of the packet is referred to as content protection.
Transport Mode
[Figure: transport-mode encapsulation on Host A and Host B: the Transport Layer payload is wrapped as IPSec H | IPSec Payload, then as IP H | IP Payload at the Network Layer; the variant with an added outer header is shown as New IP H | New IP payload]
[Figure: Remote connection across the internet using IPSec (Host A, Internet, Host B)]
IPSec Security
• IP packets consist of 2 portions
– IP header
– Actual data
• IPSec features are implemented in the form of an additional IP header added to the standard IP header
• IPSec offers 2 main services
– Authentication
– Confidentiality
IPSec Security
• IPSec defines two IP extension headers, one for authentication and the other for confidentiality.
• IPSec consists of 2 main protocols
– Authentication Header (AH)
– Encapsulating Security Payload (ESP)
After applying AH in transport mode, the packet layout is:
IP Header | AH Header | TCP Header | Original Data
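The AH transport-mode layout above, as an added Python example that is not part of the slides: it builds IP Header | AH Header | TCP Header | Original Data with a standard-library HMAC as the integrity check value, zeroes the mutable IPv4 fields (TOS, flags/fragment offset, TTL, checksum) before authenticating as RFC 4302 requires, and shows that a router's TTL change still verifies while a change to the payload or the destination address does not. The key, SPI and packet contents are constructed, and the IP checksum is left zero for brevity.

```python
import hashlib, hmac, socket, struct

PROTO_AH, PROTO_TCP = 51, 6
ICV_LEN = 16                      # HMAC-SHA-256-128: the ICV is truncated to 128 bits
KEY = b"\x11" * 32                # constructed SA key, for the illustration only
SPI = 0x1234                      # constructed Security Parameters Index

def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header without options (checksum left 0 for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable(ip_hdr):
    """RFC 4302: TOS, flags/fragment offset, TTL and checksum may change in transit, so the ICV skips them."""
    b = bytearray(ip_hdr)
    b[1] = 0; b[6:8] = b"\x00\x00"; b[8] = 0; b[10:12] = b"\x00\x00"
    return bytes(b)

def ah_transport_encapsulate(src, dst, tcp_segment, seq):
    """Build IP header | AH header | TCP header + data (the slide's transport-mode layout)."""
    payload_len = (12 + ICV_LEN) // 4 - 2              # AH length in 32-bit words minus 2
    ah_no_icv = struct.pack("!BBHII", PROTO_TCP, payload_len, 0, SPI, seq)
    ip_hdr = ipv4_header(src, dst, PROTO_AH, 20 + 12 + ICV_LEN + len(tcp_segment))
    covered = zero_mutable(ip_hdr) + ah_no_icv + bytes(ICV_LEN) + tcp_segment
    icv = hmac.new(KEY, covered, hashlib.sha256).digest()[:ICV_LEN]
    return ip_hdr + ah_no_icv + icv + tcp_segment

def ah_transport_verify(packet):
    """Receiver side: recompute the ICV; return (authentic?, upper-layer payload)."""
    ip_hdr, ah_no_icv = packet[:20], packet[20:32]
    icv, payload = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    covered = zero_mutable(ip_hdr) + ah_no_icv + bytes(ICV_LEN) + payload
    expected = hmac.new(KEY, covered, hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected), payload

def demo():
    """Shows what AH does and does not protect; returns the three verification results."""
    segment = b"\x00\x50\x1f\x90" + b"GET / HTTP/1.0"   # constructed stand-in for TCP header + data
    pkt = ah_transport_encapsulate("10.0.0.1", "10.0.0.2", segment, 1)
    hopped = bytearray(pkt); hopped[8] -= 1             # router decrements TTL: still authentic
    forged = bytearray(pkt); forged[-1] ^= 0x01         # payload tampered: detected
    rerouted = bytearray(pkt); rerouted[19] ^= 0x01     # destination address changed: detected
    return (ah_transport_verify(bytes(hopped))[0], ah_transport_verify(bytes(forged))[0],
            ah_transport_verify(bytes(rerouted))[0])
```

The payload returned by the verifier is still readable in the clear: AH supplies the authentication service only, not confidentiality, which is what the ESP header is for.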