Network Security. Dr. (Ts.) Võ Văn Khang, MCSE+Security, SCNP, ZHHP. Network Security Course - Ts. Võ Văn Khang

Network Security Slides (Slide An Ninh Mạng)



Slide 1: Network Security - Introduction
Dr. Võ Văn Khang, MCSE+Security, SCNP, ZHHP
- General introduction
- Course orientation
- Course content
- Materials

Slide 2: General introduction
Instructor:
- Ph.D. in information security, 2001, Russia
- At the HCMC Department of Posts and Telecommunications (Sở BCVT Tp.HCM) since 2004
- At the University of Information Technology (ĐH CNTT) since 9/2007
Specialisation: Security and Information Assurance
- Not yet offered as a formal degree programme in Vietnam
- Training follows the certification tracks CISSP, SCP, CEH, Security+, MCSE+

Slide 3: Where is information security needed?
- Education: smart schools, distance learning
- Military: missile control, cryptography
- Economy: e-commerce, stock markets
- Management: GIS, ERP, SID

Slide 4: Course orientation
Why study information security?
- The importance of information
- Our dependence on technology
How long has information security existed?
The threats around us

Slides 5-6: Networks of Today
(Figure: the Internet with telecommuters and mobile users; branch offices and a business partner reached over an Internet-based extranet (VPN) and an Internet-based intranet (VPN); the PSTN.)
Open Network: as the Internet matured into the corporate information highway, with it came the open network of telecommuting and the connecting of branch offices. A more complex network requires more sophisticated security solutions.
(Figure: the OSI structure.)

Slide 7: Course orientation
The objects of study in network security:
- Security of authentication and session establishment
- Security of data in transit
- Security of connections
- Security of the infrastructure and physical devices

Slide 8: Authentication security
"Hello, it's me." "Really?"
"On the Internet, nobody knows you're a dog." Cartoon in the July 1993 issue of The New Yorker.

Slide 9: Security of data in transit
(Figure: a message m sent from x to y across the Internet, with an unknown party "?" on the path.)
The goal is making data unreadable to protocol analyzers and other man-in-the-middle methods on the network.

Slide 10: Connection security
- Sniffing an unsecured wireless network
- WEP (Wired Equivalent Privacy)

Slide 11: Course contents
- Network security basics
- TCP/IP architecture
- IP packet structure
- Firewall systems
- Intrusion detection systems
- Cryptographic techniques
- Authentication systems
- Virtual Private Networks
- Attack techniques
- Information security law and policy

Slide 12: NETWORK SECURITY BASICS
"The only secure computer is one that's unplugged, locked in a safe, and buried 20 feet under the ground in a secure location... and I'm not even too sure about that one." Dennis Hughes, FBI. Not so!

Slide 13: There is no absolutely secure system
Exercise 1: Boeing is storing information about the products it will present at the international air show in 9/2009. This information is valued at $1 million. Choose a protection method for Boeing:
- an encryption solution costing 800,000 that keeps the data secure for 5 years
- an encryption solution costing 500,000 that keeps the data secure for 2 years
- an encryption solution costing 100,000 that keeps the data secure for 10 months

Slide 14: The value of information
- Life cycle, valuation level
The CIA rule:
- Confidentiality
- Availability
- Integrity
- plus Non-repudiation

Slide 15: What makes a system secure? Which element of the CIA rule is the most important? Who are hackers?

- Curious, mischievous people
- Skilled attackers
- Elite hackers
Attack motives: intellectual property, economic, political, entertainment.

Slide 16: NETWORK SECURITY BASICS: the components of network security
- Authentication
- Auditing
- Strong encryption
- Security policies

Slide 17: Network security terms
Authentication, Auditing, Encryption, Digital Signature (E-Signature), Authorization, Intrusion Detection System (IDS), Firewall, Demilitarized Zone (DMZ).

Slide 18: Network security terms (continued)
Denial of Service (DoS), Script kiddies, Cryptography, Network forensics, Biometrics, Social engineering, Countermeasure, Spoofing.

Slide 19: Exercise 2
Company AFC runs a Windows 2000 domain network. Every user must have their own password. The administrator checks the length of each password. An incident occurs on the network and you are called in to look into it; you investigate and identify the saboteur, then re-evaluate the whole system.
Questions:
- What is the first thing you do?
- Which of the concepts above apply in this situation?

Slide 20: The fortress model

Slide 21: Defense in depth
(Figure: the layers and their controls)
- Policy: security policy
- Physical: locks, cameras
- Perimeter: firewall, VPN, routers
- Internal: VLAN, IPS, IDS
- Host: OS, update management, authentication
- Application: application control, antivirus
- Data: access control, encryption, backup
Notes: To minimize the possibility of a successful attack against your organization, you need to maximize the layers of defense. Defending your organization in depth means that you use multiple layers of defense. If one layer is compromised, it does not necessarily mean that your entire organization is compromised. As a general guideline, design and build each layer of your security under the assumption that every other layer has been breached, and take steps to protect the layer you are working on. There are many ways to protect each individual layer with tools, technologies, policies, and best practices. For example:
- Policies, procedures, and awareness layer: security education programs for users
- Physical security layer: security guards, locks, and tracking devices
- Perimeter layer: hardware and/or software firewalls, and virtual private networks with quarantine procedures
- Internal network layer: network segmentation, IP Security (IPsec), and network intrusion detection systems
- Host layer: server and client hardening practices, patch management tools, strong authentication methods, and host-based intrusion detection systems
- Application layer: application hardening practices and antivirus software
- Data layer: access control lists (ACLs) and encryption

LESSON 2: Advanced TCP/IP

Slide 22: OSI vs. TCP/IP
  OSI            TCP/IP
  Application    Application
  Presentation   Application
  Session        Application
  Transport      Transport
  Network        Internet
  Data Link      Network Access
  Physical       Network Access

Slide 23: Common protocols
- Application: HTTP, FTP, SMTP, SSL, DNS
- Transport: UDP, TCP
- Internet: IP, IPsec
- Network Access: ARP

Slides 24-25: Encapsulation
(Figure: at the source the application message M receives a transport header Ht (segment), then an Internet header Hn (datagram), then a link header Hl (frame). A switch forwards frames unchanged; a router strips the link header, routes on Hn, and adds a new link header; the destination removes the headers in reverse order.)

Slide 26: IPv4 addressing
202.155.43.2 = 11001010.10011011.00101011.00000010 (network ID | host ID)

Slide 27: IP classes
- Class A: 1-126
- Class B: 128-191
- Class C: 192-223
- Class D: 224-239 (multicast)
- Class E: 240-255 (reserved)
Private address ranges:
- 10.0.0.0 - 10.255.255.255
- 172.16.0.0 - 172.31.255.255
- 192.168.0.0 - 192.168.255.255
- 169.254.x.y (link-local, automatic private addressing)

Slide 28: Subnet mask
- Class A: 255.0.0.0
- Class B: 255.255.0.0
- Class C: 255.255.255.0
The subnet mask is the value that, ANDed bit by bit with the IP address, yields the network ID (a bitwise AND, not an XOR):
  10100011.00011011.11100010.00001111  (163.27.226.15)
  11111111.11111111.00000000.00000000  (255.255.0.0)
= 10100011.00011011.00000000.00000000  (163.27.0.0)

Slide 29: Subnetting and broadcasting
IP: 165.134.8.123; Network: 165.134.0.0; Subnet mask: 255.255.0.0; Broadcast: 165.134.255.255

Exercise 3: Company ABC has 5 branch offices. Each office must have its own VLAN with public IP addresses. ABC owns the block 163.134.0.0.
1. How many additional bits must the subnet mask use to obtain 5 VLANs?
2. What is the maximum number of real (usable) IP addresses each office can have?
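The subnet arithmetic of slides 28-29 and Exercise 3, as an added example that is not part of the course slides. It assumes the block 163.134.0.0 is the classful /16 the slide implies; the functions compute the network ID with a bitwise AND (the operation the mask actually performs), the broadcast address, and how many bits to borrow and how many usable hosts remain for a plan of N subnets.

```python
"""Subnet arithmetic for the addressing slides: network ID by bitwise AND,
broadcast address, and the subnet bits / usable hosts needed for a plan such
as Exercise 3. Added example, not course code; addresses are the slides' own,
and 163.134.0.0 is assumed to be a /16."""
import ipaddress
import math


def _octets(dotted):
    return [int(o) for o in dotted.split(".")]


def network_id(ip, mask):
    """Network ID = IP AND mask, octet by octet (an AND, not an XOR)."""
    return ".".join(str(i & m) for i, m in zip(_octets(ip), _octets(mask)))


def broadcast(ip, mask):
    """Broadcast = IP OR (NOT mask): every host bit set to 1."""
    return ".".join(str(i | (~m & 0xFF)) for i, m in zip(_octets(ip), _octets(mask)))


def subnet_bits_needed(n_subnets):
    """Bits to borrow from the host part so that 2**bits >= n_subnets."""
    return math.ceil(math.log2(n_subnets))


def plan_subnets(block, n_subnets):
    """Split an owned block (e.g. 163.134.0.0/16) into at least n_subnets equal
    subnets; returns (new prefix length, usable hosts per subnet, subnet list).
    Usable hosts exclude the network and broadcast addresses of each subnet."""
    net = ipaddress.ip_network(block, strict=True)
    new_prefix = net.prefixlen + subnet_bits_needed(n_subnets)
    subnets = [str(s) for s in net.subnets(new_prefix=new_prefix)]
    usable_hosts = 2 ** (32 - new_prefix) - 2
    return new_prefix, usable_hosts, subnets


if __name__ == "__main__":
    prefix, hosts, subnets = plan_subnets("163.134.0.0/16", 5)
    print(prefix - 16, "extra mask bits;", hosts, "usable hosts per office;", subnets[:5])
```

For Exercise 3 the plan borrows 3 bits (2**3 = 8 subnets, the smallest power of two that covers 5 offices), giving /19 subnets of 8190 usable addresses each; three of the eight subnets are left unused.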

Slide 30: Sockets
Service ports 0-65535: well-known 0-1023; registered 1024-49151; dynamic 49152-65535.
A socket is the pair (IP, port).
HTTP: 80; SMTP: 25; POP3: 110; FTP: 20, 21; Windows NetBIOS name service: 137 (SMB file sharing itself uses 139/445); DNS: 53; Telnet: 23; HTTPS (SSL/TLS): 443.

Slide 31: TCP header
  bits 0-15                                        | bits 16-31
  Source Port                                      | Destination Port
  Sequence Number (32 bits)
  Acknowledgment Number (32 bits)
  Data Offset | Reserved | URG ACK PSH RST SYN FIN | Window Size
  TCP Checksum                                     | Urgent Pointer
  Options (padded to 32 bits)
(The 4-bit Data Offset gives the header length in 32-bit words, the same role IHL plays in the IP header.)

Slide 32: TCP flags
- SYN: initiate a connection
- ACK: acknowledge
- FIN: end the session
- RST: reset, start over
- PSH: deliver the data without waiting for the buffer to fill
- URG: the segment carries urgent (priority) data
Sequence number: 32 bits; the initial value is taken from a clock that increments every 4 microseconds (RFC 793).
Acknowledgment number: 32 bits.

Slide 33: Protocol IDs
ICMP: 1; TCP: 6; UDP: 17

Slide 34: The three-way handshake
- Step 1: Host A sends Host B a segment with SYN=1, ACK=0, SN=X, ACKN=0.
- Step 2: On receiving it, Host B replies with SYN=1, ACK=1, SN=Y, ACKN=X+1.
- Step 3: Host A sends B SYN=0, ACK=1, SN=X+1, ACKN=Y+1.

Slide 35: Closing a connection
1. FIN=1, ACK=1, SN=x, ACKN=y
2. FIN=0, ACK=1, ACKN=x+1
3. FIN=1, ACK=1, SN=y, ACKN=x+1
4. FIN=0, ACK=1, ACKN=y+1

Slide 36: Exercise 4
After capturing traffic with sniffing software, analyse the packets sent by host A.
Packet 1: Protocol: UDP; D.Port: 53; Source IP: 192.168.3.8; Destination IP: 203.162.4.1
Packet 2: Protocol: TCP; D.Port: 80; S.IP: 192.168.3.8; D.IP: 203.; SYN=1, ACK=0
Describe what host A is doing. What do you notice about host A's source IP?
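The TCP header layout of slide 31 and the handshake arithmetic of slide 34, as an added example that is not part of the course slides. It encodes and decodes the 20-byte header with Python's struct module (the checksum is left at zero, since computing it needs the IP pseudo-header) and follows the three steps with a small state machine that checks the SN/ACKN relationships; the port 40000 and the ISNs 1000 and 5000 are arbitrary choices, and the segments are constructed, not captured.

```python
"""TCP header encode/decode and a three-way-handshake state machine.
Added example, not course code; the segments are constructed, and
port 40000 / ISNs 1000 and 5000 are arbitrary."""
import struct

FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]   # bits 0..5 of the flags byte
SEQ_MASK = 0xFFFFFFFF                                     # sequence space wraps at 2**32


def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """20-byte header without options; checksum left 0 (it needs the IP pseudo-header)."""
    flag_bits = sum(1 << FLAG_NAMES.index(f) for f in flags)
    data_offset = 5                                       # header length in 32-bit words
    return struct.pack("!HHIIBBHHH", sport, dport, seq & SEQ_MASK, ack & SEQ_MASK,
                       data_offset << 4, flag_bits, window, 0, 0)


def parse_tcp_header(raw):
    """Decode the fixed part of a TCP header into a dict; flags become a set of names."""
    sport, dport, seq, ack, off_res, flag_bits, window, csum, urg = struct.unpack("!HHIIBBHHH", raw[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": off_res >> 4, "window": window, "urgent_ptr": urg,
            "flags": {n for i, n in enumerate(FLAG_NAMES) if flag_bits & (1 << i)}}


class HandshakeTracker:
    """CLOSED -> SYN_SENT -> SYN_RECEIVED -> ESTABLISHED, checking the SN/ACKN
    arithmetic of the three steps on the slide; anything else is INVALID."""
    def __init__(self):
        self.state, self.client_isn, self.server_isn = "CLOSED", None, None

    def observe(self, hdr, direction):                     # direction is "A->B" or "B->A"
        f = hdr["flags"]
        if self.state == "CLOSED" and direction == "A->B" and f == {"SYN"}:
            self.client_isn, self.state = hdr["seq"], "SYN_SENT"
        elif (self.state == "SYN_SENT" and direction == "B->A" and f == {"SYN", "ACK"}
              and hdr["ack"] == (self.client_isn + 1) & SEQ_MASK):
            self.server_isn, self.state = hdr["seq"], "SYN_RECEIVED"
        elif (self.state == "SYN_RECEIVED" and direction == "A->B" and f == {"ACK"}
              and hdr["seq"] == (self.client_isn + 1) & SEQ_MASK
              and hdr["ack"] == (self.server_isn + 1) & SEQ_MASK):
            self.state = "ESTABLISHED"
        else:
            self.state = "INVALID"
        return self.state


def run_handshake(x=1000, y=5000):
    """Replay the slide's three steps with ISNs X and Y and return the final state."""
    tracker = HandshakeTracker()
    steps = [("A->B", build_tcp_header(40000, 80, x, 0, {"SYN"})),
             ("B->A", build_tcp_header(80, 40000, y, x + 1, {"SYN", "ACK"})),
             ("A->B", build_tcp_header(40000, 80, x + 1, y + 1, {"ACK"}))]
    for direction, raw in steps:
        tracker.observe(parse_tcp_header(raw), direction)
    return tracker.state
```

The masking with SEQ_MASK matters at the edge of the sequence space: an ISN of 0xFFFFFFFF is legal, and X+1 must wrap to 0 rather than overflow the 32-bit field.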

Slide 37: IPv6
- 128-bit address, 8 blocks of 16 bits, written in hexadecimal: 71ab:1234:0:fdac:234f:2314:acde:0
- IPv4 to IPv6 mapping: 203.123.3.6 becomes ::ffff:203.123.3.6
- ::1: loopback
- ff01::1, ff02::1: multicast to all nodes
- ff01::2, ff02::2: multicast to all routers (gateways)

LESSON 3: IP header, UDP header, ICMP, ARP

Slide 39: IP header
  bits 0-7 | 8-15 | 16-31
  Version | IHL | Type of Service | Total Length
  Identification | Flags | Fragment Offset
  Time to Live | Protocol | Header Checksum
  Source Address
  Destination Address
  Options
  Data

Slide 40: IP header fields
- IHL: number of 32-bit words in the header; normally IHL = 5 (20 bytes)
- Type of Service: quality of service
- Total Length: length of the whole datagram (header plus data) in bytes
- Identification: sequence number of the datagram (packet), shared by all of its fragments
- Flags: 3 bits: reserved (0), DF = Don't Fragment, MF = More Fragments
- Fragment Offset: position of this fragment within the datagram, counted in 8-byte units starting at 0
- TTL: lifetime set by the sender and decremented at each gateway (router) it passes
- Options: additional data, padded to a multiple of 32 bits

Slide 41: UDP header
  Source Port | Destination Port
  UDP Length | Checksum
  Data

Slide 42: ICMP header
  Type (8 bits) | Code (8 bits) | Checksum (16 bits)
  Contents

Slide 43: ICMP types
  Type  Code  Description
  0     0     echo reply (ping)
  3     0     destination network unreachable
  3     1     destination host unreachable
  3     2     destination protocol unreachable
  3     3     destination port unreachable
  3     6     destination network unknown
  3     7     destination host unknown
  4     0     source quench (congestion control; not used)
  8     0     echo request (ping)
  9     0     router advertisement
  10    0     router solicitation
  11    0     TTL expired
  12    0     bad IP header

Slide 44: Exercise 5
Using the ICMP table above: you need to block scanning of your network from other networks over ICMP. Which parameters do you set the deny ICMP rule with?

Slide 45: Packet fragmentation
- MTU: Maximum Transmission Unit
- MDS: Maximum Datagram Size
- MSS: Maximum Segment Size
- Default MDS = 576, MSS = 536 (576 minus the 20-byte IP header and the 20-byte TCP header)
Some MTUs (bytes): PPP = 296, Ethernet = 1500, FDDI = 4352, Token Ring = 4464.

Slide 46: ARP: Address Resolution Protocol
MAC: Media Access Control. A MAC address is 48 bits.
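The IP header fields of slide 40 and the ICMP filtering question of Exercise 5, as an added example that is not part of the course slides. It builds and parses an IPv4 header with the RFC 1071 one's-complement checksum (a valid header sums to zero), decodes the DF/MF flags and the 8-byte-unit fragment offset, and then applies the Exercise 5 rule: deny ICMP type 8 (echo request) arriving from outside the internal network, while leaving echo replies and internal traffic alone. The packets and the network 192.168.3.0/24 are constructed for the example.

```python
"""IPv4 header parsing with checksum verification, plus the ICMP type/code
check behind Exercise 5 (deny inbound echo requests from other networks).
Added example; the packets and the 192.168.3.0/24 network are constructed."""
import ipaddress
import struct

PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
ICMP_ECHO_REQUEST = 8


def ones_complement_checksum(data):
    """RFC 1071 checksum over 16-bit big-endian words, with end-around carry."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, proto, payload_len, ttl=64, ident=1, df=True):
    """20-byte header (IHL=5), DF set by default, checksum filled in."""
    ihl = 5
    flags_frag = 0x4000 if df else 0          # bit 14 = DF, bit 13 = MF, low 13 bits = offset
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + payload_len, ident,
                      flags_frag, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(raw):
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = ver_ihl & 0x0F
    return {"version": ver_ihl >> 4, "ihl": ihl, "total_length": total_len, "id": ident,
            "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
            "frag_offset": (flags_frag & 0x1FFF) * 8,       # field counts 8-byte units
            "ttl": ttl, "proto": proto,
            "checksum_ok": ones_complement_checksum(raw[:ihl * 4]) == 0,  # valid header sums to 0
            "src": str(ipaddress.ip_address(src)), "dst": str(ipaddress.ip_address(dst)),
            "payload": raw[ihl * 4:]}


def build_icmp_echo(type_=ICMP_ECHO_REQUEST, code=0, ident=0x1234, seq=1, data=b"ping"):
    """ICMP echo request (type 8) or reply (type 0) with its own checksum."""
    body = struct.pack("!BBHHH", type_, code, 0, ident, seq) + data
    return body[:2] + struct.pack("!H", ones_complement_checksum(body)) + body[4:]


def deny_icmp_scan(raw_packet, internal_net):
    """Exercise 5 rule: drop corrupt headers, and deny ICMP type 8 (echo request)
    whose source lies outside internal_net. Replies to our own pings still pass."""
    ip = parse_ipv4_header(raw_packet)
    if not ip["checksum_ok"]:
        return True
    if ip["proto"] != PROTO_ICMP:
        return False
    icmp_type = ip["payload"][0]
    from_outside = ipaddress.ip_address(ip["src"]) not in ipaddress.ip_network(internal_net)
    return icmp_type == ICMP_ECHO_REQUEST and from_outside
```

The rule is intentionally narrow: denying all ICMP would also drop type 3 (destination unreachable) messages that TCP and path-MTU discovery rely on, which is why the exercise asks for the type parameter rather than a blanket deny.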

Slide 47: LAN addresses and ARP
Each adapter on a LAN has a unique LAN (MAC) address. Broadcast address = FF-FF-FF-FF-FF-FF.
(Figure: four adapters on one wired or wireless LAN: 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53.)

Slide 48: LAN addresses (more)
- MAC address allocation is administered by the IEEE; a manufacturer buys a portion of the MAC address space (to assure uniqueness).
- Analogy: (a) a MAC address is like a Social Security Number; (b) an IP address is like a postal address.
- MAC is a flat address and is portable: a LAN card can be moved from one LAN to another.
- IP is a hierarchical address and is NOT portable: it depends on the IP subnet to which the node is attached.

Slide 49: ARP: Address Resolution Protocol
Each IP node (host, router) on a LAN has an ARP table: IP/MAC address mappings for some LAN nodes, <IP address; MAC address; TTL>. TTL (Time To Live): the time after which the address mapping is forgotten (typically 20 min).
Question: how to determine B's MAC address knowing B's IP address?
(Figure: the same four adapters with IP addresses 137.196.7.23, 137.196.7.78, 137.196.7.14, 137.196.7.88.)

Slide 50: ARP protocol: same LAN (network)
- A wants to send a datagram to B, and B's MAC address is not in A's ARP table.
- A broadcasts an ARP query packet containing B's IP address; destination MAC = FF-FF-FF-FF-FF-FF; all machines on the LAN receive the ARP query.
- B receives the ARP packet and replies to A with its (B's) MAC address; the frame is sent to A's MAC address (unicast).
- A caches (saves) the IP-to-MAC pair in its ARP table until the information becomes old (times out). Soft state: information that times out (goes away) unless refreshed.
- ARP is plug-and-play: nodes create their ARP tables without intervention from the network administrator.

Slide 51: Walkthrough: send a datagram from A to B via router R; assume A knows B's IP address.
- There are two ARP tables in router R, one for each IP network (LAN).
- In the routing table at the source host, find the router 111.111.111.110.
- In the ARP table at the source, find its MAC address E6-E9-00-17-BB-4B, etc.
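The ARP exchange of slides 49-50, as an added example that is not part of the course slides. It builds the Ethernet frame and the 28-byte ARP packet for the broadcast request and the unicast reply, and keeps an ARP table as soft state that forgets an entry 20 minutes after it was learned unless refreshed. The pairing of the slide's four MAC addresses with its four IP addresses is assumed (the figure does not say which is which), and the LAN is simulated as a dict.

```python
"""ARP over Ethernet: build the broadcast request, parse the unicast reply,
and keep a soft-state ARP table that forgets entries after a TTL.
Added example; the MAC/IP pairing is assumed and the LAN is simulated."""
import ipaddress
import struct

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace("-", "").replace(":", ""))


def mac_str(b):
    return ":".join("%02x" % x for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """14-byte Ethernet header + 28-byte ARP packet (IPv4 over Ethernet).
    A request goes to the broadcast MAC; a reply is unicast to the requester."""
    dst_mac = BROADCAST_MAC if op == ARP_REQUEST else target_mac
    eth = mac_bytes(dst_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,       # htype, ptype, hlen, plen, op
                      mac_bytes(sender_mac), ipaddress.ip_address(sender_ip).packed,
                      mac_bytes(target_mac), ipaddress.ip_address(target_ip).packed)
    return eth + arp


def parse_arp(frame):
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, smac, sip, tmac, tip = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"op": op, "eth_dst": mac_str(frame[0:6]),
            "sender_mac": mac_str(smac), "sender_ip": str(ipaddress.ip_address(sip)),
            "target_mac": mac_str(tmac), "target_ip": str(ipaddress.ip_address(tip))}


class ArpTable:
    """<IP; MAC; expiry>: soft state, entries vanish unless refreshed within the TTL."""
    def __init__(self, ttl_seconds=20 * 60):
        self.ttl, self.entries = ttl_seconds, {}

    def learn(self, ip, mac, now):
        self.entries[ip] = (mac, now + self.ttl)

    def lookup(self, ip, now):
        mac, expires = self.entries.get(ip, (None, 0))
        if mac is None or now >= expires:
            self.entries.pop(ip, None)
            return None
        return mac


def resolve(table, my_mac, my_ip, target_ip, lan, now):
    """A wants B's MAC: answer from the table, else broadcast a request that every
    host in `lan` (ip -> mac) receives; only the owner of target_ip replies.
    Returns (mac or None, whether a request had to be sent)."""
    cached = table.lookup(target_ip, now)
    if cached:
        return cached, False
    req = parse_arp(build_arp(ARP_REQUEST, my_mac, my_ip, "00:00:00:00:00:00", target_ip))
    for ip, mac in lan.items():                      # every adapter sees the broadcast
        if ip == req["target_ip"]:                   # only the target answers, unicast
            reply = parse_arp(build_arp(ARP_REPLY, mac, ip, req["sender_mac"], req["sender_ip"]))
            table.learn(reply["sender_ip"], reply["sender_mac"], now)
            return reply["sender_mac"], True
    return None, True
```

Because nothing in the protocol authenticates the reply, the table trusts whichever frame answers first; the soft-state TTL is the only thing that eventually clears a wrong entry.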

Slide 52: Routing to another LAN
(Figure: A, R, B.)

Slide 53: Exercise 6
You set deny ICMP and deny HTTP on the firewall for the web server.
- Which hosts can still ping the web server?
- How do you stop every host from pinging the web server?
(Figure: Host A, Host B, the web servers and the firewall.)

LESSON 4 (6 periods): Firewalls
- Definition
- Classification
- Setting up rules
- Design
- Common firewalls

Slide 54: FIREWALL
- A tool for controlling the ordinary traffic between network zones of different trust levels. Key concept: trust level; the Internet has trust level 0.
- Can be hardware or software: Check Point, ISA, Cisco PIX, Juniper.
- Works from a rule set that the network administrator configures in advance.

Slide 55: (Figure: the trusted side and the untrusted side of the firewall.)

Slide 56: The role of the firewall
What it does:
- Controls the data flow passing through it
- Protects the inner layers
- Either deny everything and configure what is allowed through, or allow everything and configure what is blocked
What it does not do:
- Viruses
- Human error
- Connections that bypass it
- Bad policy
- Social engineering

Slide 57: Stateless packet filtering
Decides to allow or deny a packet from analysis of the protocol headers alone. The fields examined are mainly the IP addresses, the ports and sockets, and the ACK bit. Intruders can get past such a firewall (for example, a packet with the ACK bit set looks like the reply to an existing connection even when there is none).

Slides 58-59: (Figures.)

Slide 60: Stateful packet filtering
- Keeps track of the connections between hosts and networks
- Records the state of each connection in a state table
- Lets a packet in from the Internet only when an internal host requested it first

Slide 61: (Figure.)

Slide 62: Exercise 7
Company ABC's network consists of:
- a website providing information on the Internet at 203.162.4.115
- a mail server serving its staff over POP3 and SMTP at 203.162.4.116
- users must use SSL during authentication
SET UP THE RULE SET FOR ABC.
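Slides 57 and 60 side by side on the Exercise 7 rule base, as an added example that is not part of the course slides. The rule set allows the public to reach the web server on 80 and the mail server on 25 and 110, and the stateless version adds the usual "any packet with ACK set is a reply" rule; the stateful version instead records outbound SYNs in a state table and admits only packets that belong to one of those connections or match a server rule. Assumed for the example: ABC's internal block is 203.162.4.0/24, the SSL requirement maps to 443 on the web server and 995 (POP3 over SSL) on the mail server, and the packet stream is constructed.

```python
"""Stateless vs stateful packet filtering on the Exercise 7 rule base.
Added example, not the course's own; the packet stream is constructed.
Rules are evaluated first-match, with an implicit deny at the end."""
import ipaddress
from dataclasses import dataclass

WEB, MAIL = "203.162.4.115", "203.162.4.116"
INTERNAL = ipaddress.ip_network("203.162.4.0/24")   # assumed: ABC's own block


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: str            # "any" or "internal"
    dst: str            # "any" or an IP address
    dport: object       # "any" or a port number
    ack_required: bool = False


RULES = [
    Rule("allow", "tcp", "internal", "any", "any"),               # outbound from the LAN
    Rule("allow", "tcp", "any", WEB, 80),                          # public web
    Rule("allow", "tcp", "any", WEB, 443),                         # assumed: SSL for web logins
    Rule("allow", "tcp", "any", MAIL, 25),                         # SMTP
    Rule("allow", "tcp", "any", MAIL, 110),                        # POP3
    Rule("allow", "tcp", "any", MAIL, 995),                        # assumed: POP3 over SSL
    Rule("allow", "tcp", "any", "any", "any", ack_required=True),  # stateless "established"
]


def _matches(rule, pkt):
    src_ok = rule.src == "any" or (rule.src == "internal" and ipaddress.ip_address(pkt.src) in INTERNAL)
    return (rule.proto == pkt.proto and src_ok and rule.dst in ("any", pkt.dst)
            and rule.dport in ("any", pkt.dport) and (not rule.ack_required or pkt.ack))


def stateless_filter(pkt, rules=RULES):
    """Decide from the headers of this one packet; implicit deny at the end."""
    for r in rules:
        if _matches(r, pkt):
            return r.action
    return "deny"


class StatefulFilter:
    """Keeps a state table of connections that internal hosts opened; an inbound
    packet passes only if it belongs to one of them or matches a server rule."""
    def __init__(self, rules=RULES):
        self.rules = [r for r in rules if not r.ack_required]   # no blind ACK rule needed
        self.state = set()

    def filter(self, pkt):
        src_in = ipaddress.ip_address(pkt.src) in INTERNAL
        dst_in = ipaddress.ip_address(pkt.dst) in INTERNAL
        if not (dst_in and not src_in):                           # outbound or local
            if pkt.proto == "tcp" and pkt.syn and not pkt.ack:
                self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return stateless_filter(pkt, self.rules)
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:  # reply to our SYN
            return "allow"
        return stateless_filter(pkt, self.rules)


# Constructed stream: an internal client browsing out, its reply, an outsider's
# ACK-only probe at port 445, a legitimate web visit, and a telnet try at the mail server.
SAMPLE_STREAM = [
    Packet("203.162.4.20", "1.2.3.4", "tcp", 40000, 80, syn=True),
    Packet("1.2.3.4", "203.162.4.20", "tcp", 80, 40000, syn=True, ack=True),
    Packet("5.6.7.8", "203.162.4.20", "tcp", 1234, 445, ack=True),
    Packet("9.9.9.9", WEB, "tcp", 5555, 80, syn=True),
    Packet("9.9.9.9", MAIL, "tcp", 5556, 23, syn=True),
]


def compare(packets=SAMPLE_STREAM):
    """Return (stateless verdicts, stateful verdicts) for the same packet stream."""
    sf = StatefulFilter()
    return [stateless_filter(p) for p in packets], [sf.filter(p) for p in packets]
```

The third packet is the point of slide 57: the stateless filter admits the ACK-only probe because the "established" rule can only look at the flag, whereas the stateful filter finds no matching entry in its table and denies it.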

Slide 64: Application control
- Firewalls can control the applications taking part in a data exchange
- Applications are distinguished by their content, not by the service port
- Works on the proxy principle

Slides 65-69: (Figures.)

Slide 70: Designing firewall systems
Firewalls can be designed in the following ways:
- Screening router
- Dual-homed host, multi-homed host
- Screened host
- Screened subnet (DMZ)
- Multiple DMZs
- Multiple firewalls
- Reverse firewall

Slide 71: Screening router
What can a screening router not do?


Slide 79: Setting up the firewall rule set
Rule base: it must state explicitly what the firewall does with each kind of traffic entering and leaving each network zone.
Points to consider:
- Base it on the organisation's general policy (write the policy down)
- Follow the firewall's operating principles
- Simple, concise, hard to break
- Control access
- Control applications

Slide 80: Basic rules for a security policy
Common policies that need to be reflected in the rule base:
- Every member's Internet connection is monitored
- The public can conveniently reach the company's web and e-mail servers
- Only authenticated traffic is allowed into the internal LAN
- Members using instant messaging are tightly controlled
- Only the network administrator may connect directly to the internal network from the Internet, and this is logged

Slides 81-82: Exercise 8
(Figure: the firewall with its internal address 192.168.1.1 and the director's PC at 192.168.0.10.)
Exercise 8 concerns company ABC, whose rules during working hours are:
- Only the director, at IP 192.168.0.10, may access the Internet
- Staff and customers may only reach the servers in the DMZ: the website, FTP, and sending and receiving mail over POP3 and SMTP


Slide 84: Hardening the bastion host
- Keep only the services that are needed
- Close unneeded ports
- Disable unneeded users (accounts) and services
- Minimise the attack opportunities available to hackers
- Disable routing or IP forwarding services
- Leave only the services the system needs to perform its role (the system needs them to function correctly)

Slide 85: Hardening the bastion host: disabling user accounts
- Disable all default user accounts on the bastion host; users should not be able to connect to it
- Rename the Administrator account
- Passwords must have at least 6-8 alphanumeric characters

Slide 87: Backups and auditing
Essential steps in hardening a computer: backups, detailed recordkeeping, auditing.
- Copy log files to other computers on the network
- Audit failed and successful logon attempts, and attempts to open or change files on the bastion host and the honeypot

LESSON 5: IDS
- The IDS concept
- IDS components
- How an IDS operates
- Some common IDSs

Slide 89: Intrusion Detection System components
- Network intrusion: an attempt to (illegitimately) access network resources
- Intrusion Detection System (IDS): a system of one or more applications or devices serving to detect intrusions
- Intrusion detection: covers prevention, detection and response

Slide 90: Components
- Network sensors
- Alert systems
- Command console
- Response system
- Database of attack signatures or behaviours

Slide 91: Network sensors
A sensor ("electronic eyes") is hardware or software that watches the traffic on the network in order to raise alerts. Attacks detected by sensors: single-session attacks; multiple-session attacks.

Slide 92: Network sensors (continued)
Sensors are placed at the common entry points:
- Internet gateways
- Connections between LANs
- Remote access servers that receive dial-up connections from remote users
- Virtual private network (VPN) devices
A management component is needed to control the sensors. Sensors must be protected: placed behind the firewall, or inside the devices themselves.

Slide 94: Alert systems
Trigger: the condition under which an alert is sent. Types of trigger: detection of an anomaly; detection of misuse.

Slide 95: Alert systems: anomaly detection
- Requires statistics, monitoring and the definition of profiles: authorised users, groups of users, and the services and resources they normally access
- Some IDSs can build user profiles themselves
- Requires a training period
- Side effects: false negatives and false positives

Slide 96: Alert systems: misuse detection
- Based on signatures of known attacks
- The IDS is set up with the signatures and can protect the system immediately
- Other detection mechanisms: traffic rate monitoring, protocol state tracking, IP packet reassembly

Slide 98: Command console
- The front-end interface of the IDS; it lets administrators receive and analyse alert messages and manage log files
- The IDS can receive and analyse information from many sources across the network
- The command console should run on a dedicated machine to ensure speed and independence when responding

Slide 99: Response system
- The IDS can be set up to respond to particular events
- Response systems cannot replace network administrators
- Administrators must handle false positives
- Administrators must decide the level of response and analyse where the boundary of a violation lies

Slide 100: Database of attack signatures or behaviours
- An IDS cannot make decisions without a reference source to compare against
- Misuse detection: references a database of known attack signatures; if traffic matches a signature it sends an alert; keep the database updated
- Anomaly-based IDS: stores baseline information about users for analysing behaviour

Slide 102: Intrusion detection step by step
1. Installing the IDS database
2. Gathering data
3. Sending alert messages
4. The IDS responds
5. Assessing the damage
6. Following escalation procedures, if any
7. Logging and reviewing the event

Slide 104: Step 1: Installing the IDS database
- The IDS uses the database to compare traffic detected by the sensors
- Anomaly-based systems require a training period (over a week) in which the IDS observes traffic and compiles a network baseline
- A misuse-based IDS can use its database immediately; you can also provide it with your own database

Slide 105: Step 2: Gathering data
- Network sensors gather data by reading packets, so they need to be positioned where they can capture all packets
- Sensors on individual hosts capture information that enters and leaves the host
- Sensors on network segments read packets as they pass through the segment, and cannot capture all packets if traffic levels become too heavy

Slide 106: Step 3: Sending alert messages
- Sensors capture packets; the IDS software compares them with the information in its database
- The IDS sends an alert message if a captured packet matches an attack signature or deviates from normal network behaviour

Slide 107: Step 4: The IDS responds
- The command console receives the alert messages and notifies the administrator
- The IDS can be configured to take actions when a suspicious packet is received: send an alarm message, drop the packet, stop and restart network traffic

Slide 108: Step 5: The administrator assesses the damage
- The administrator monitors alerts and determines whether countermeasures are needed
- The administrator needs to fine-tune the database; the goal is avoiding false negatives
- The line between acceptable and unacceptable network use is not always clear

Slide 110: Step 6: Following escalation procedures
- Escalation procedures: the set of actions to be followed if the IDS detects a true positive; they should be spelled out in the company's security policy
- Incident levels: Level One might be managed quickly; Level Two represents a more serious threat; Level Three represents the highest degree of threat

Slide 111: Step 7: Logging and reviewing the event
- IDS events are stored in log files or databases
- The administrator should review the logs to determine patterns of misuse and can spot a gradual attack
- The IDS should also prov accountability: the capability to trace an attempted attack or intrusion back to the responsible party; some systems have built-in tracing features
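The seven steps above, exercised end to end on a constructed packet stream, as an added example that is neither the course's nor Snort's code. The class carries a signature database (misuse detection), builds a packets-per-second baseline from a training period (anomaly detection), applies a traffic-rate style port-scan heuristic, assigns each alert one of the three incident levels, chooses a response by level, and keeps the log an administrator would review. The two signatures, the ten-ports-in-five-seconds scan threshold, the three-sigma rule and the minimum rate are assumptions for the example, not tuned values.

```python
"""Minimal IDS over a constructed packet stream, following the seven steps above:
signature database, gathering, alerting, response, assessment, escalation, logging.
Added example, not Snort's code or the course's. Signatures and thresholds are assumed."""
import statistics
from collections import defaultdict

# Step 1, misuse side: the signature database (illustrative patterns, assumed).
SIGNATURES = [
    {"name": "web attack: directory traversal", "dport": 80, "payload": b"../..", "level": 2},
    {"name": "telnet login attempt", "dport": 23, "payload": b"login:", "level": 1},
]
SCAN_PORTS, SCAN_WINDOW = 10, 5.0   # assumed: >= 10 distinct ports from one source in 5 s = scan
ANOMALY_MIN_RATE = 5                # assumed floor so a tiny baseline does not alert on 2 pkt/s


class MiniIDS:
    def __init__(self, signatures=SIGNATURES):
        self.signatures = signatures
        self.baseline = None                  # (mean, stdev) of packets/second per source
        self.seen = defaultdict(list)         # src -> [(t, dport)] gathered by the sensor
        self.log = []                         # Step 7: every alert, reviewable later

    def train(self, packets):
        """Step 1, anomaly side: the training period builds the normal profile."""
        per_second = defaultdict(int)
        for p in packets:
            per_second[(p["src"], int(p["t"]))] += 1
        rates = list(per_second.values())
        self.baseline = (statistics.mean(rates), statistics.pstdev(rates))

    def inspect(self, p):
        """Steps 2-4: gather one packet, compare with the database, alert and respond.
        Returns the list of (alert name, incident level) raised by this packet."""
        alerts = []
        for s in self.signatures:                               # misuse detection
            if p["dport"] == s["dport"] and s["payload"] in p.get("payload", b""):
                alerts.append((s["name"], s["level"]))
        history = self.seen[p["src"]]
        history.append((p["t"], p["dport"]))
        recent_ports = {d for t, d in history if p["t"] - t <= SCAN_WINDOW}
        if len(recent_ports) >= SCAN_PORTS:                     # traffic-rate style heuristic
            alerts.append(("port scan from %s" % p["src"], 2))
        if self.baseline:                                       # anomaly detection vs. profile
            mean, sd = self.baseline
            rate = sum(1 for t, _ in history if int(t) == int(p["t"]))
            if rate > mean + 3 * sd and rate > ANOMALY_MIN_RATE:
                alerts.append(("rate anomaly from %s" % p["src"], 3))
        for name, level in alerts:                              # Steps 4, 6 and 7
            self.log.append({"t": p["t"], "src": p["src"], "alert": name, "level": level,
                             "action": "drop" if level >= 2 else "notify"})  # response by level
        return alerts

    def run(self, packets):
        return [self.inspect(p) for p in packets]

    def highest_level(self):
        """Steps 5-6: the incident level the administrator escalates to (0 = nothing)."""
        return max((e["level"] for e in self.log), default=0)
```

A benign request from a host that behaves like the training data produces no alert; the traversal payload fires a signature at once, as slide 96 says misuse detection can, while the scan is only caught after enough packets have accumulated, which is the latency anomaly and rate methods pay for needing a profile.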

Slide 113: Options for implementing intrusion detection systems
- Network-based IDS
- Host-based IDS
- Hybrid implementations

Slide 114: Network-based Intrusion Detection Systems
- A NIDS is placed on and runs from a dedicated device at the network boundary, listening by sniffing traffic
- Network-based IDS (NIDS): monitors network traffic
- Usual positions for NIDS sensors: behind the firewall and in front of the LAN; between the firewalls and the DMZ; between network segments
- The management and analysis part should sit on a separate PC

Slide 116: Host-based Intrusion Detection Systems
Host-based IDS (HIDS):
- Deployed on one host in the LAN, which is usually protected by the firewalls
- Monitors and evaluates the traffic passing through that host
- Also collects other system information: system processes, CPU use, file accesses
- Does not listen to traffic that does not pass through the host

Slide 117: HIDS configurations
- Centralized configuration: the HIDS sends its data to a central location; the IDS barely affects the host, so the host's level of performance is unaffected; the alert messages that are generated do not occur in real time
- Distributed configuration: event processing is distributed between the host and the console; the host generates and analyses events in real time; performance on the host is reduced

Slide 120: Choosing the host computer
- Centralized configuration: RAM, hard disk and processor speed requirements are minimal
- Distributed configuration: the host should be equipped with maximum memory and processor speed

Slide 121: Advantages of HIDSs
- Detect events on the host systems
- Can process encrypted traffic
- Not affected by the use of switched network protocols
- Can compare records stored in audit logs

Slide 122: Disadvantages of HIDSs
- More management issues
- Vulnerable to direct attacks and to attacks against the host
- Susceptible to some denial-of-service attacks
- Can use large amounts of disk space
- Could cause increased performance overhead on the host

Slide 123: Hybrid IDS implementations
- A hybrid IDS combines the features of HIDSs and NIDSs, gaining flexibility and increasing security
- Combining IDS sensor locations: put sensors on network segments and on network hosts; it can then report attacks aimed at particular segments or at the entire network

Slide 124: Hybrid IDS implementations (continued)
- Combining IDS detection methods: the IDS combines anomaly and misuse detection; the signature database lets it run immediately, while the anomaly-based part keeps the alert system flexible and able to respond to the latest, previously unreported attacks, both external and internal
- Administrators have more configuration and coordination work to do

Slide 125: Distributed IDS
- Multiple IDS devices are deployed on a network, which reduces response time
- Two popular DIDSs: myNetWatchman, DShield

Slide 127: Hybrid IDS implementations: advantages and disadvantages
Advantages:
- Combine aspects of NIDS and HIDS configurations
- Can monitor the network as a whole
- Can monitor attacks that reach individual hosts
Disadvantages:
- Need to get disparate systems to work in a coordinated fashion
- Data gathered by multiple systems can be difficult to absorb and analyse

Slide 128: Evaluating Intrusion Detection Systems
- Survey the various options and match them to your needs
- Review the topology of your network, identifying the number of entry points, the use of firewalls and the number of network segments
- Evaluating IDSs can be time consuming

Slide 129: Freeware NIDS: Snort
- Ideal for monitoring traffic on a small network or an individual host
- Does not consume extensive system resources
- Intended for installation on a computer at the network perimeter
- Comes with a collection of rule files; separate rules exist for port scans, back door attacks and web attacks

Slides 130-131: (Figures.)

Slide 132: IDS hardware appliances
- Can handle more network traffic and have better scalability than software IDSs
- Plug-and-play capability is one of their major advantages: they do not need to be configured to work with a particular OS
- Examples: iForce, Intrusion SecureNet, StealthWatch G1

Slide 133: Summary
- An Intrusion Detection System (IDS) is a supplementary line of defense behind firewalls and antivirus software
- IDS components: network sensors, alert messages, command console, response system, database of signatures

Slide 134: Summary
IDS steps: install the set of attack signatures; the sensors monitor packets; the IDS responds. False positives are highly likely and require administrators to fine-tune the system. If the attack is legitimate, the escalation procedures should be followed. The IDS logs the alarmed events so they can be reviewed later.

Slide 135: Summary
- IDS implementations: network-based IDS (NIDS), host-based IDS (HIDS), hybrid IDS, distributed IDS (DIDS)
- Types of IDS products: open-source IDSs such as Snort; commercial firewalls with IDS functions; IDS hardware appliances