64494
Description
Mind Map by Nick.Bell2013, updated more than 1 year ago
|
Created by Nick.Bell2013
over 11 years ago
|
|
Net Sec U11 -
Intrusion Detection
Systems (IDS)
- Why IDS?
- Perimeter security
devices only prevent
attacks by outsiders
- why fail
- firewall
badly
configured
- attack too
new
- password
sniffed
- firewall
badly
configured
- attacks
- don't detect
- don't react
- don't detect
- why fail
- insider threats
- can elevate
privileges
- easier to map &
exploit weak
points
- can elevate
privileges
- Perimeter security
devices only prevent
attacks by outsiders
- Ad Hoc
- Unix - CERT checklist
- 1. check logs for
unusual connection
locations
- 2. "hacker activity"
- 3. system
binaries not
altered
- 4. network sniffers
- 5. check files run by 'cron' & 'at'
- 6. check sys files for unauthorised services
- 7. check "/etc/password" file
- 8. check sys & network config
files re: unauthorised entries
- 9. check for
hidden files
- 1. check logs for
unusual connection
locations
- not recommended
- automated systems
- monitor
multiple hosts
- report & react
- monitor
multiple hosts
- Unix - CERT checklist
- Knowledge-based
aka Misuse
detection
- what attack
signatures based
on
- Security policy
- known vulnerabilities
- known attacks
- Security policy
- limits
- new
vulnerabilities
- large
dbase
- time
lag
- new
vulnerabilities
- what attack
signatures based
on
- Behaviour-based aka
Statistical Anomaly
Detection
- base-line
statistical
behaviour
- gather
new data
- exceed threshold
= alarm
- gather
new data
- false: +'s and -'s
- no dbase to
maintain
- base-line
statistical
behaviour
- Architecture
- distributed set of
sensors
- centralised console
- manage,
analyse, report
& react
- manage,
analyse, report
& react
- protected
communication
- secured signature
updates from
vendor
- distributed set of
sensors
- NIDS
- data source
= network
packets
- network adaptor
= promiscuous
mode
- attack
recognition
module
- pattern/byte code
matching
- freq./threshold
crossing
- correlation of
lesser events
- pattern/byte code
matching
- deployment
- firewall
- outside
- inside
- outside
- between
business units
- behind remote
access server
- between Corp. &
Partner networks
- firewall
- Strengths
- cheap
- fewer detection points
- fewer detection points
- missed HIDS attacks
- harder to hide evidence
- real-time detection
& response
- OS independence
- detects unsuccessful
attacks/malicious intent
- cheap
- Weaknesses
- placement
critical
- switched
networks
- switched
networks
- partial
matching
- loaded/high-speed
networks
- loaded/high-speed
networks
- indecipherable
packets
- packet
spoofing
- frag
attacks
- DoS
- placement
critical
- data source
= network
packets
- HIDS
- monitors
sys/event/security
logs in NT & syslog
in Unix
- checks key sys
files & .exe via
checksums
- checks key sys
files & .exe via
checksums
- regular
expressions
- port
activity
- deployment
- key servers
- sensitive info
- "mission critical"
- "mission critical"
- sensitive info
- servers
- Web
- FTP/DNS
- E-commerce
- Web
- key servers
- Strengths
- missed NIDS attacks
- verifies attack success/failure
- monitors specific activities
- needs little/no h/ware
- encrypted &
switched
environments
- missed NIDS attacks
- Weaknesses
- placement
critical
- indirect info
- attacker
fingerprints
- attacker
fingerprints
- full
coverage
hard
- detection =
too late?
- placement
critical
- monitors
sys/event/security
logs in NT & syslog
in Unix
- The Future
- integrated approach
- NIDS + HIDS
- NIDS + HIDS
- better tools
- reporting
- management
- visualisation
- reporting
- event
correlation
- Statistical
Anomaly
Detection
- Intrusion
Protection
Systems?
- integrated approach
Want to create your own Mind Maps for free with GoConqr? Learn more.