Chapter 04 - Intrusion Detection Systems
Intrusion Detection Systems
Understanding IDS Concepts
Four approaches to intrusion detection:
Pre-emptive blocking
Infiltration / disguise
Intrusion deflection
Anomaly detection
Understanding IDS Concepts cont.
Pre-emptive Blocking
Advantages:
Sometimes called "banishment vigilance"
Seeks to prevent intrusions before they occur
Done by noting any sign of danger (probing, reconnaissance) and then blocking the offending IP address at the firewall
Attempts to detect impending intrusions by recognising footprinting activity
Understanding IDS Concepts cont.
Pre-emptive blocking (situation)
The IDS notices that packets are being sent to one port after another on the main server, all from the same IP address
This probably means the server is being scanned with port-scanning software such as Cerberus or nmap
The IDS, working with the firewall, therefore automatically blocks all further connections from that address
Understanding IDS Concepts cont.
Pre-emptive Blocking
Disadvantages:
The suspect may not really be the attacker: the source address may be forged (spoofed), or the machine may itself be a hacked victim being used as a relay
Blocking on suspicion alone therefore risks shutting out innocent users (false positives)
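As an added example (written for this page; it is not from the chapter or any IDS product), the Python below implements the pre-emptive blocking decision described in the situation above over constructed connection-attempt log lines, and builds in the two safeguards the disadvantages call for: an allowlist of trusted sources and a block that expires instead of banishing an address forever. The log format, thresholds, IP addresses and the trusted network are all assumptions.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)      # how long distinct ports from one source are remembered
THRESHOLD = 10                      # distinct destination ports inside WINDOW that counts as a scan
BLOCK_FOR = timedelta(minutes=15)   # temporary: a spoofed or hijacked address is not shut out forever
# Addresses allowed to scan us (assumption: our own vulnerability scanner lives here).
TRUSTED = [ipaddress.ip_network("10.0.0.0/24")]


class PreemptiveBlocker:
    def __init__(self, window=WINDOW, threshold=THRESHOLD, block_for=BLOCK_FOR, trusted=TRUSTED):
        self.window, self.threshold, self.block_for, self.trusted = window, threshold, block_for, trusted
        self.seen = defaultdict(deque)   # src ip -> (timestamp, dst_port) pairs inside the window
        self.blocked = {}                # src ip -> time the block expires

    def is_blocked(self, src, now):
        expiry = self.blocked.get(src)
        if expiry is None:
            return False
        if now >= expiry:                # lift an expired block
            del self.blocked[src]
            return False
        return True

    def observe(self, now, src, dst_port):
        """Decide what to do with one connection attempt: 'allow', 'block' (new block) or 'drop'."""
        if self.is_blocked(src, now):
            return "drop"
        q = self.seen[src]
        q.append((now, dst_port))
        while q and now - q[0][0] > self.window:
            q.popleft()
        if len({p for _, p in q}) >= self.threshold:
            if any(ipaddress.ip_address(src) in net for net in self.trusted):
                return "allow"           # looks like a scan, but the source is ours
            self.blocked[src] = now + self.block_for
            q.clear()
            return "block"
        return "allow"


def parse_line(line):
    """Constructed log format: '<ISO time> <src ip> -> <dst ip>:<dst port>'."""
    ts, src, _, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port)


def run(log_text, blocker=None):
    """Feed every log line to the blocker; return the blocker and a (src, port, decision) per line."""
    blocker = blocker or PreemptiveBlocker()
    decisions = []
    for line in log_text.strip().splitlines():
        now, src, _, port = parse_line(line)
        decisions.append((src, port, blocker.observe(now, src, port)))
    return blocker, decisions


# Constructed sample: 203.0.113.7 walks ports 21-35 one per second (a scan), 198.51.100.4 retries
# port 443 five times (not a scan), the trusted 10.0.0.5 scans 12 ports, and the scanner comes
# back sixteen minutes later, after its block has expired.
SAMPLE_LOG = "\n".join(
    [f"2024-03-01T10:00:{i:02d} 203.0.113.7 -> 192.0.2.10:{21 + i}" for i in range(15)]
    + [f"2024-03-01T10:00:{20 + i:02d} 198.51.100.4 -> 192.0.2.10:443" for i in range(5)]
    + [f"2024-03-01T10:00:{30 + i:02d} 10.0.0.5 -> 192.0.2.10:{1 + i}" for i in range(12)]
    + ["2024-03-01T10:16:00 203.0.113.7 -> 192.0.2.10:443"]
)

if __name__ == "__main__":
    _, decisions = run(SAMPLE_LOG)
    for src, port, decision in decisions:
        if decision != "allow":
            print(f"{src} port {port}: {decision}")
```

The scanner is blocked at its tenth distinct port and its next five attempts are dropped; the host retrying one port is never touched, the trusted scanner is reported but not blocked, and the expired block is lifted automatically. In a real deployment the "block" decision would be handed to the firewall (for example an iptables or ACL rule) rather than kept in a dictionary.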
Understanding IDS Concepts cont.
Infiltration
Advantages:
Disadvantages:
Time consuming
Administrators are not trained in detective work
Dangerous
Understanding IDS Concepts cont.
Intrusion Deflection
Advantages:
An attempted intrusion is redirected to a special, monitored environment
The decoy draws the attacker away from the real system
Honeypots are used in this approach
Disadvantages:
Difficult to set up and maintain
Assumes a target system will be compromised
Understanding IDS Concepts cont.
Anomaly Detection
Any activity that does not match normal use is recorded in a log
Snort
Free, open-source IDS software
www.snort.org/
Current versions of Snort support real-time traffic analysis and packet logging
Three modes of operation:
Sniffer
Packet logger
Network intrusion detection
Sniffer Mode
Reads every packet coming to or going from the computer and prints it to the console
Lets you see whether a packet's payload is plaintext or encrypted
Helps determine potential sources of problems
Packet Logger Mode
The sniffing results go to a log on disk: packet contents are written to files rather than displayed on the console
Once the data is in a text file it can be searched with any text editor or word processor's search capability
Network Intrusion-Detection Mode
Analyses traffic against a rule set and raises an alert on every match
Rules-based: each rule describes a known attack pattern (a signature), so detection is only as good as the rule set, which is updated from experience with new attacks
Command-line interface
Need to know the commands and what they do
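An added example of what "rules-based" detection means in practice (written for this page; it is not Snort's code): a few rules in Snort's own rule syntax are parsed and matched against constructed packets, the way the NIDS mode above matches live traffic. The $HOME_NET and $EXTERNAL_NET values, the rule texts, sids and packets are assumptions; only the header/option grammar, the |hex| content syntax and the nocase modifier follow Snort's documented rule language.

```python
import ipaddress
from dataclasses import dataclass, field

# Variables normally set in snort.conf; these values are assumptions for the example.
VARS = {"$HOME_NET": "192.0.2.0/24", "$EXTERNAL_NET": "!192.0.2.0/24"}

# Three constructed rules in Snort rule syntax (sids from 1000000 up are reserved for local rules).
RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH connection from outside"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"Possible web shell probe"; content:"cmd.exe"; nocase; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"NOP sled in payload"; content:"|90 90 90 90|"; sid:1000003; rev:1;)
"""


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    sid: int
    msg: str
    contents: list = field(default_factory=list)   # [(bytes, nocase)]


def parse_content(spec):
    """Snort content strings mix text with |hex| segments, e.g. "A|20|B" -> b"A B"."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def parse_rule(line):
    header, _, body = line.partition("(")
    action, proto, src, sport, arrow, dst, dport = header.split()
    if arrow != "->":
        raise ValueError("only unidirectional rules are handled here")
    opts, contents, last = {}, [], None
    for opt in body.strip().rstrip(")").split(";"):
        key, _, val = opt.strip().partition(":")
        val = val.strip().strip('"')
        if key == "content":
            last = [parse_content(val), False]
            contents.append(last)
        elif key == "nocase" and last is not None:
            last[1] = True                           # modifier applies to the preceding content
        elif key:
            opts[key] = val
    return Rule(action, proto, src, sport, dst, dport, int(opts["sid"]), opts.get("msg", ""),
                [tuple(c) for c in contents])


def addr_match(spec, ip):
    spec = VARS.get(spec, spec)
    if spec == "any":
        return True
    negate = spec.startswith("!")                    # "!net" means everything outside net
    inside = ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return inside != negate


def port_match(spec, port):
    if spec == "any":
        return True
    if ":" in spec:                                  # Snort range syntax lo:hi, either end optional
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def matches(rule, pkt):
    if rule.proto != pkt["proto"]:
        return False
    if not (addr_match(rule.src, pkt["src"]) and port_match(rule.sport, pkt["sport"])
            and addr_match(rule.dst, pkt["dst"]) and port_match(rule.dport, pkt["dport"])):
        return False
    for needle, nocase in rule.contents:             # every content option must be found
        hay = pkt["payload"]
        if nocase:
            needle, hay = needle.lower(), hay.lower()
        if needle not in hay:
            return False
    return True


def detect(rule_text, packets):
    """Return (sid, msg, src) for every rule each packet triggers, in packet order."""
    rules = [parse_rule(l) for l in rule_text.splitlines() if l.strip() and not l.startswith("#")]
    return [(r.sid, r.msg, p["src"]) for p in packets for r in rules if matches(r, p)]


def pkt(src, sport, dst, dport, payload=b"", proto="tcp"):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport, "payload": payload}


# Constructed traffic: SSH from outside, SSH from inside, a web-shell probe in mixed case,
# an ordinary web request, and a NOP sled delivered to an unusual port.
SAMPLE_PACKETS = [
    pkt("198.51.100.9", 51000, "192.0.2.10", 22, b"SSH-2.0-OpenSSH_9.6"),
    pkt("192.0.2.5", 40000, "192.0.2.10", 22, b"SSH-2.0-OpenSSH_9.6"),
    pkt("198.51.100.9", 51001, "192.0.2.10", 80, b"GET /winnt/system32/CMD.EXE?/c+dir HTTP/1.0\r\n"),
    pkt("198.51.100.9", 51002, "192.0.2.10", 80, b"GET /index.html HTTP/1.0\r\n"),
    pkt("198.51.100.9", 51003, "192.0.2.10", 8080, b"\x41" * 8 + b"\x90\x90\x90\x90\xcc"),
]

if __name__ == "__main__":
    for sid, msg, src in detect(RULES, SAMPLE_PACKETS):
        print(f"[{sid}] {msg} from {src}")
```

The point to take from it: a signature engine only fires on patterns someone has already written a rule for (the inside-to-inside SSH session and the plain GET are silent), which is exactly the gap anomaly detection tries to cover by comparing traffic against a baseline of normal use instead.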
Cisco Intrusion Detection
Cisco IDS 4200 Series Sensors
Cisco Catalyst 6500 Series Intrusion Detection System Services Module (IDSM-2)
Understanding and Implementing Honeypots
A honeypot is a single machine / server
Set up to appear to be an important server
Keeps the unauthorised user busy with the decoy instead of the real server
Two honeypot products discussed here:
Specter
Symantec Decoy Server
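An added example, not the chapter's or either vendor's code: a minimal low-interaction honeypot in Python that presents itself as a mail server, refuses every command it receives, and records who connected and what they sent. That is the whole idea of the decoy: it looks worth attacking, does nothing real, and every byte it sees is evidence. The banner, the refusal line, the port choice and the log layout are assumptions.

```python
import socket
import socketserver
import threading
import time
from datetime import datetime, timezone

# Constructed banner: the decoy claims to be an old mail server so it looks like a
# worthwhile target. Nothing behind it is real.
FAKE_BANNER = b"220 mail.corp.example ESMTP Sendmail 8.12.8 ready\r\n"
REFUSAL = b"530 Authentication required\r\n"
MAX_COMMANDS = 20          # record at most this many commands per connection


class DecoyHandler(socketserver.BaseRequestHandler):
    """Answers like a mail server but never executes anything; it only records."""

    def handle(self):
        src_ip, src_port = self.client_address[:2]
        started = datetime.now(timezone.utc)
        commands = []
        try:
            self.request.settimeout(5.0)           # a scanner must not tie up a thread forever
            self.request.sendall(FAKE_BANNER)
            while len(commands) < MAX_COMMANDS:
                data = self.request.recv(1024)
                if not data:                       # client closed the connection
                    break
                commands.append(data.decode("utf-8", "replace").strip())
                self.request.sendall(REFUSAL)      # every request is refused, whatever it is
        except (socket.timeout, ConnectionError):
            pass
        finally:
            self.server.record(src_ip, src_port, started, commands)


class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address):
        super().__init__(address, DecoyHandler)
        self.attempts = []                         # in-memory log; a real decoy would ship this off-box
        self._lock = threading.Lock()

    def record(self, ip, port, started, commands):
        with self._lock:
            self.attempts.append({"src": f"{ip}:{port}", "time": started.isoformat(), "commands": commands})


def start_honeypot(host="127.0.0.1", port=0):
    """Start the decoy in a background thread; port 0 picks a free port. Returns the server."""
    hp = Honeypot((host, port))
    threading.Thread(target=hp.serve_forever, daemon=True).start()
    return hp


def probe(host, port, commands):
    """Act like an intruder: connect, read the banner, send each command, return (banner, replies)."""
    with socket.create_connection((host, port), timeout=5.0) as s:
        banner = s.recv(1024)
        replies = []
        for cmd in commands:
            s.sendall(cmd)
            replies.append(s.recv(1024))
    return banner, replies


def wait_for_attempts(hp, count, timeout=5.0):
    """Block until the decoy has logged `count` connections (handlers run in their own threads)."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        with hp._lock:
            if len(hp.attempts) >= count:
                return True
        time.sleep(0.05)
    return False


if __name__ == "__main__":
    hp = start_honeypot()
    banner, replies = probe("127.0.0.1", hp.server_address[1], [b"EHLO attacker\r\n", b"AUTH LOGIN\r\n"])
    wait_for_attempts(hp, 1)
    print(banner.strip(), hp.attempts)
    hp.shutdown()
    hp.server_close()
```

Because the decoy never authenticates anyone and never relays anything, any connection to it is suspicious by definition, which is what makes honeypot logs so much quieter than logs from a real server. Listening on a low port and making the banner convincing are deployment details left out here.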
Specter
Specter can be run in several modes that change how the decoy presents itself:
Secure – This mode causes the system to behave like a secure server
Failing – This mode causes the system to behave like a server that is failing in unpredictable ways
Aggressive – This mode causes the system to actively