Security Technology: Intrusion Detection, Access Control and Other Security Tools

Chapter 7
Intrusion

“Intrusion is a type of attack on information assets in which the instigator attempts to gain entry into a system or disrupt the normal operation of a system with, almost always, the intent to do malicious harm.”
Definitions

 Intrusion prevention: activities that deter an intrusion
 Writing & implementing a good enterprise information security policy
 Planning & executing effective information security programs
 Installing & testing technology-based countermeasures
 Conducting & measuring the effectiveness of employee training and awareness activities
 Intrusion detection: procedures and systems that identify system intrusions
 Intrusion correction:
 Activities that finalize the restoration of operations to a normal state
 Activities that seek to identify the source & method of attack for future prevention
Intrusion Detection and Protection Systems

 Commercially available in late 1990
 Works like a burglar alarm: detects a violation and sounds an alarm
 Extension – intrusion prevention systems: detect and prevent intrusion
 Generally accepted combination: intrusion detection and prevention system (IDPS)
IDPS Terminology

 Alarm or alert: indication that an attack is happening
 Evasion: attacker changes the format and/or timing of activities to avoid being detected
 False attack stimulus: event that triggers an alarm when no real attack is occurring
 False negative: failure of the IDPS to react to an attack
 False positive: alarm activates in the absence of an actual attack
 Noise: alarm events that are accurate but do not pose threats
 Site policy: rules & configuration guidelines governing the implementation & operation of the IDPS
IDPS Terminology

 Site policy awareness: ability to dynamically modify configuration in response to environmental activity
 True attack stimulus: event that triggers alarms in the event of a real attack
 Tuning: adjusting an IDPS
 Confidence value: measure of the IDPS’s ability to correctly detect & identify types of attacks
 Alarm filtering: classification of IDPS alerts
 Alarm clustering and compaction: grouping almost identical alarms that happen at close to the same time
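Alarm filtering and alarm clustering/compaction from the slide above, as an added example (not code from the original deck): the signature names, the site-policy classes and the alert records are constructed for illustration; the only assumption is that each alert carries a timestamp, a signature name and a source address.

```python
# Constructed sample alerts (not from any real sensor): (timestamp in seconds, signature, source)
SAMPLE_ALERTS = [
    (100, "PORTSCAN", "192.0.2.10"), (101, "PORTSCAN", "192.0.2.10"),
    (103, "PORTSCAN", "192.0.2.10"), (150, "SQLI_ATTEMPT", "192.0.2.77"),
    (400, "PORTSCAN", "192.0.2.10"), (401, "ICMP_ECHO", "10.0.0.3"),
]

# Alarm filtering: the site policy assigns each signature a class; "noise" alerts are
# accurate but pose no threat, so the policy drops them before an analyst sees them.
SITE_POLICY = {"SQLI_ATTEMPT": "high", "PORTSCAN": "medium", "ICMP_ECHO": "noise"}

def filter_alerts(alerts, policy=SITE_POLICY, drop=("noise",)):
    """Classify every alert per the site policy and discard the classes marked for dropping."""
    return [(ts, sig, src, policy.get(sig, "unknown")) for ts, sig, src in alerts
            if policy.get(sig, "unknown") not in drop]

def cluster_alerts(alerts, window=60):
    """Alarm clustering and compaction: alerts with the same signature and source that
    arrive within `window` seconds of a cluster's first alert collapse into one record."""
    clusters = []
    for ts, sig, src, severity in sorted(alerts):
        for c in clusters:
            if (c["signature"], c["source"]) == (sig, src) and ts - c["first"] <= window:
                c["last"], c["count"] = ts, c["count"] + 1
                break
        else:   # no open cluster matched: start a new one
            clusters.append({"signature": sig, "source": src, "severity": severity,
                             "first": ts, "last": ts, "count": 1})
    return clusters
```

Six raw alerts compact to three records: the three early PORTSCAN alerts become one cluster with count 3, the PORTSCAN at t=400 is outside the 60-second window and starts a new cluster, and the ICMP_ECHO alert is filtered as noise.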
Why Use an IDS

 Prevent problem behaviors by increasing the perceived risk of discovery and punishment
 Detect attacks and other security violations
 Detect and deal with preambles to attacks
 Document existing threats to an organization
 Act as quality control for security design & administration
 Provide useful information about intrusions that take place
Types of IDS

 Network-based
 Focused on protecting network information assets
 Wireless
 Network behavior analysis
 Host-based
 Focused on protecting the server or host’s information assets
Network-Based

 Resides on a computer or appliance connected to a segment of the organization’s network
 Monitors network traffic on the segment
 Monitors packets
 Monitoring port (switched port analysis)
 Monitors all incoming and outgoing traffic
 Looks for attack patterns
 Compares measured activity to known signatures
 Protocol verification – packet structure
 Application verification – packet use
Advantages and Disadvantages

Advantages
 Needs few devices to monitor a large network
 Little or no disruption to normal operations
 May not be detectable by attackers

Disadvantages
 Overwhelmed by network volume
 Requires access to all traffic
 Cannot analyze encrypted packets
 Cannot ascertain if an attack was successful
 Some forms of attack are not easily discerned
    Fragmented packets
    Malformed packets
Wireless NIDPS

 Monitors and analyzes wireless network traffic
 Looks for potential problems with the wireless protocols (layers 2 and 3)
 Cannot evaluate & diagnose issues with higher-level layers
 Issues associated with implementation
 Physical security
 Sensor range
 Access point and wireless switch locations
 Wired network connections
 Cost
Wireless NIDPS

 Can detect conditions beyond those detected by traditional IDPS types
 Unauthorized WLANs and WLAN devices
 Poorly secured WLAN devices
 Unusual usage patterns
 The use of wireless network scanners
 DoS attacks and conditions
 Man-in-the-middle attacks
 Unable to detect
 Passive wireless protocol attacks
 Susceptible to evasion techniques
 Susceptible to logical and physical attacks on the wireless access point
Host-Based

 Resides on a particular computer or server & monitors traffic only on that system
 Also known as system integrity verifiers
 Works on the principle of configuration and change management
 Classifies files into categories & applies various notification actions based on rules
 Maintains its own log file
 Can monitor multiple computers simultaneously

Advantages
 Reliable
 Can detect local events
 Operates on the host system, where encrypted files are already decrypted and available
 Use of switched network protocols does not affect it
 Can detect inconsistencies in how application and system programs were used
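The system-integrity-verifier behaviour described above (baseline, detect change, classify the file, act per rule), as an added example rather than code from the deck or any real HIDS product: the directory names, category rules and file contents are constructed, and the "filesystem" is a temporary directory so the example runs offline.

```python
import hashlib
import os
import tempfile

# Category rules (constructed for this example): top-level directory -> (category, action)
RULES = {"bin": ("system binary", "alert"), "etc": ("configuration", "alert"),
         "log": ("log file", "ignore")}

def classify(relpath):
    """Category and notification action for a file; uncategorised files are just logged."""
    return RULES.get(relpath.split(os.sep)[0], ("other", "log"))

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def snapshot(root):
    """Baseline: relative path -> SHA-256 of every regular file under root."""
    return {os.path.relpath(os.path.join(d, n), root): sha256_file(os.path.join(d, n))
            for d, _, files in os.walk(root) for n in files}

def verify(root, baseline):
    """Diff current state against the baseline -> [(action, category, path, change)] per the rules."""
    current, events = snapshot(root), []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old == new:
            continue
        change = "deleted" if new is None else "added" if old is None else "modified"
        category, action = classify(rel)
        if action != "ignore":   # expected churn such as growing logs is filtered out
            events.append((action, category, rel, change))
    return events

def write(root, rel, data, mode="wb"):
    os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
    with open(os.path.join(root, rel), mode) as f:
        f.write(data)

def demo():
    root = tempfile.mkdtemp()   # constructed mini filesystem
    for rel, data in [("bin/sshd", b"binary-v1"), ("etc/hosts", b"127.0.0.1 localhost"),
                      ("log/syslog", b"boot ok")]:
        write(root, rel, data)
    base = snapshot(root)
    write(root, "etc/hosts", b"\n10.0.0.5 fileserver", "ab")   # configuration edited
    write(root, "log/syslog", b"\nuser login", "ab")           # normal log growth
    write(root, "bin/newtool", b"binary-v2")                   # new binary appears
    return verify(root, base)
```

Of the three changes, only the edited configuration file and the new binary raise alerts; the growing log file changes too, but its category rule says to ignore it.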
Disadvantages

 Pose more management issues
 Configured and maintained on each host
 Vulnerable both to direct attacks and attacks against the host operating system
 Not optimized to detect multi-host scanning
Disadvantages

 Not able to detect scanning of non-host devices (routers and switches)
 Susceptible to Denial of Service attacks
 Can use large amounts of disk space – audit logs
 Can inflict a performance overhead on host systems
Application Based

 Examines the application for abnormal events
 Looks for files created by the application
 Anomalous occurrences – user exceeding authorization
 Tracks interaction between users and applications
 Able to trace specific activity back to an individual user
 Able to view encrypted data
 Can examine the encryption/decryption process
Advantages & Disadvantages

 Advantages
 Aware of specific users
 Able to operate on encrypted data
 Disadvantages
 More susceptible to attack
 Less capable of detecting software tampering
IDS Methodologies

 IDS types are determined by where the IDS is placed for monitoring purposes
 IDS methodologies are based on detection methods
 Two dominant methodologies
 Signature-based (knowledge-based)
 Statistical-anomaly approach
Signature Based

 Examines data traffic in search of patterns that match known signatures
 Footprinting and fingerprinting activities
 Specific attack sequences
 DoS
 Widely used
 Signature database must be continually updated
 Attack time-frame sometimes problematic
 Slow and methodical attacks may slip through
Statistical Anomaly Based

 Based on the frequency with which network activities take place
 Collect statistical summaries of “normal” traffic to form a baseline
 Measure current traffic against the baseline
 Traffic outside the baseline will generate an alert
 Can detect new types of attacks
 Requires much more overhead and processing capacity
 May not detect minor changes to the baseline
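The statistical-anomaly method above carried through in code, as an added example that is not part of the deck: the traffic counts are constructed, the "baseline" is a mean and standard deviation of per-minute connection counts, and the last bullet's weakness is shown by an increase that stays inside the band and is therefore missed.

```python
import statistics

# Constructed per-minute connection counts recorded during a "normal" training period.
BASELINE_TRAFFIC = [120, 118, 125, 130, 122, 119, 127, 124, 121, 126, 123, 128]

def build_baseline(samples):
    """Statistical summary of normal traffic: (mean, sample standard deviation)."""
    return statistics.mean(samples), statistics.stdev(samples)

def z_score(value, baseline):
    """How many standard deviations an observation lies from the baseline mean."""
    mean, sd = baseline
    return (value - mean) / sd

def detect(current, baseline, threshold=3.0):
    """Flag observations more than `threshold` standard deviations from the baseline mean.
    Returns [(value, z)] for the anomalies; values inside the band pass silently."""
    return [(v, round(z_score(v, baseline), 2)) for v in current
            if abs(z_score(v, baseline)) > threshold]

def demo():
    baseline = build_baseline(BASELINE_TRAFFIC)   # mean ~123.6, sd ~3.75, band ~[112, 135]
    # Constructed live window: 133 is a real increase but only ~2.5 sd, so it is missed
    # (a minor change to the baseline); 140 and 260 fall clearly outside the band.
    return [v for v, _ in detect([124, 133, 140, 260, 114], baseline)]
```

Lowering the threshold would catch the 133, at the cost of more false positives from ordinary variation; that trade-off is the tuning the terminology slides describe.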
Log file Monitors

 Similar to NIDS
 Reviews logs
 Looks for patterns & signatures in log files
 Able to look at multiple log files from different systems
 Large storage requirement
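A signature-based detector run over log records, serving both the Signature Based slide and the log file monitor above, as an added example (not the deck's own code): the log lines, signature names and thresholds are constructed; one signature is a content pattern matched against a single record, the other is an attack sequence (many distinct ports from one source in a short window), and the slow, methodical scan in the sample is deliberately missed, as the slides warn.

```python
import re
from collections import defaultdict

# Constructed sample log (no real hosts): firewall denies plus one web-server request line.
SAMPLE_LOG = """\
1000 DENY src=192.0.2.10 dst=10.0.0.1 dport=22
1001 DENY src=192.0.2.10 dst=10.0.0.1 dport=23
1002 DENY src=192.0.2.10 dst=10.0.0.1 dport=25
1003 DENY src=192.0.2.10 dst=10.0.0.1 dport=80
1004 DENY src=192.0.2.10 dst=10.0.0.1 dport=443
1500 GET /item?id=1%20UNION%20SELECT%201,2 HTTP/1.1
2000 DENY src=198.51.100.7 dst=10.0.0.1 dport=22
2600 DENY src=198.51.100.7 dst=10.0.0.1 dport=23
3200 DENY src=198.51.100.7 dst=10.0.0.1 dport=25
3800 DENY src=198.51.100.7 dst=10.0.0.1 dport=80
4400 DENY src=198.51.100.7 dst=10.0.0.1 dport=443
"""

# Content signature: a pattern that a single record must match (constructed name).
CONTENT_SIGNATURES = {"SQLI_UNION_SELECT": re.compile(r"UNION(%20|\s)+SELECT", re.I)}
# Sequence signature: this many distinct destination ports from one source within the window.
SCAN_PORTS, SCAN_WINDOW = 5, 60
DENY_RE = re.compile(r"^(\d+) DENY src=(\S+) dst=\S+ dport=(\d+)$")

def match_signatures(log_text):
    """Return (signature, detail) alerts for every content or sequence signature hit."""
    alerts, per_src = [], defaultdict(list)
    for line in log_text.splitlines():
        for name, rx in CONTENT_SIGNATURES.items():
            if rx.search(line):
                alerts.append((name, line))
        m = DENY_RE.match(line)
        if m:
            per_src[m.group(2)].append((int(m.group(1)), int(m.group(3))))
    for src, events in per_src.items():
        events.sort()
        for i, (ts, _) in enumerate(events):          # sliding window per source
            ports = {p for t, p in events[i:] if t - ts <= SCAN_WINDOW}
            if len(ports) >= SCAN_PORTS:
                alerts.append(("PORTSCAN", src))
                break
    return alerts
```

The fast scan from 192.0.2.10 (five ports in five seconds) and the UNION SELECT request both raise alerts; 198.51.100.7 probes the same five ports ten minutes apart, never reaches the threshold inside any 60-second window, and produces nothing.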
Responses to IDS

 Vary according to organization policy, objectives, and system capabilities
 Administrator must be careful not to increase the problem
 Responses may be active or passive
Which One?

 Consider the system environment
 Technical specification of the systems environment
 Technical specification of current security protections
 Goals of the enterprise
 Formality of the system environment and management culture
Which One?

 Consider security goals and objectives
 Protecting from threats outside the organization?
 Protecting against insiders?
 Use output of the IDS to determine new hardware/software needs
 Maintain managerial control over non-security-related network usage
Which One?

 Security policy
 Structure
 Job descriptions of system users
 Include a reasonable use policy
 What are you going to do if a violation occurs?
Which One?

 Organization Requirements and Constraints
 Outside Requirements
 Resource Constraints
 Features and Quality
 Tested Product
 User Level of Expertise
 Product Support
Strengths of IDS

 Monitoring & analysis of system events & user behaviors
 Testing security states of system configurations
 Baselining the security state of the system & tracking changes to the baseline
 Pattern recognition
 Auditing and logging
 Alerting
 Measuring performance
Limitations of IDS

An IDS cannot:
 Compensate for weak or missing security mechanisms
 Instantly report or detect during heavy operations
 Detect newly published attacks
 Effectively respond to sophisticated attackers
 Automatically investigate attacks
 Keep attacks from circumventing it
 Deal effectively with switched networks
Control Strategies

 Centralized
 Partially distributed
 Fully distributed
Centralized

 All IDS control functions are implemented and managed in a centralized location
 1 management system
 Advantages
 Cost and control
 Specialization
 Disadvantage
Fully Distributed

 Opposite of centralized
 All control functions applied at the physical location of each IDS component
 Each sensor/agent is best configured to deal with its own environment
 Reaction to attacks sped up
Partially Distributed Control

 Individual agents respond to local threats
 Report to a hierarchical central facility
 One of the more effective methods
Honey Pots / Honey Nets / Padded Cell Systems
 Honey Pots
 Decoy systems
 Lure potential attackers away from critical systems
 Encourage attacks against themselves

 Honey Net
 Collection of honey pots
 Connects honey pots on a subnet
 Contains pseudo-services that emulate well-known services
 Filled with fictitious information
Honey Pots / Honey Nets / Padded Cell Systems
 Padded Cell
 Protected honey pot
 IDS detects attacks and transfers the attacker to a simulated environment
 Monitors the actions of the attacker
Trap and Trace Systems

 Detect intrusion and trace the incident back to its source
 Consist of honey pot or padded cell & alarm
 Similar to the concept of caller ID
 Back-hack
 Considered unethical
 Legal drawbacks to trap and trace
 Enticement and entrapment
Scanning and Analysis Tools
 Help find vulnerabilities in systems, holes in security components, and insecure aspects of the network
 Allow system administrators to see what the attacker sees
 May run into problems with the ISP
 Port scanners – what is active on a computer
 Firewall analysis tools
 Operating system detection tools
 Vulnerability scanners
 Packet sniffers
Access Control Tools

 Authentication – validation of a user’s identity
 4 general ways it is carried out
 What he knows
 What he has
 Who he is
 What he produces
