Net Sec U11 - Intrusion Detection Systems (IDS)

Description

Mind Map on Net Sec U11 - Intrusion Detection Systems (IDS), created by Nick.Bell2013 on 01/05/2013.
Nick.Bell2013
Mind Map by Nick.Bell2013, updated more than 1 year ago
Nick.Bell2013
Created by Nick.Bell2013 over 11 years ago
85
9

Resource summary

Net Sec U11 - Intrusion Detection Systems (IDS)
  1. Why IDS?
    1. Perimeter security devices only prevent attacks by outsiders
      1. why fail
        1. firewall badly configured
          1. attack too new
            1. password sniffed
            2. attacks
              1. don't detect
                1. don't react
              2. insider threats
                1. can elevate privileges
                  1. easier to map & exploit weak points
                2. Ad Hoc
                  1. Unix - CERT checklist
                    1. 1. check logs for unusual connection locations
                      1. 2. "hacker activity"
                        1. 3. system binaries not altered
                          1. 4. network sniffers
                            1. 5. check files run by 'cron' & 'at'
                              1. 6. check sys files for unauthorised services
                                1. 7. check "/etc/password" file
                                  1. 8. check sys & network config files re: unauthorised entries
                                    1. 9. check for hidden files
                                    2. not recommended
                                      1. automated systems
                                        1. monitor multiple hosts
                                          1. report & react
                                        2. Knowledge-based aka Misuse detection
                                          1. what attack signatures based on
                                            1. Security policy
                                              1. known vulnerabilities
                                                1. known attacks
                                                2. limits
                                                  1. new vulnerabilities
                                                    1. large dbase
                                                      1. time lag
                                                    2. Behaviour-based aka Statistical Anomaly Detection
                                                      1. base-line statistical behaviour
                                                        1. gather new data
                                                          1. exceed threshold = alarm
                                                          2. false: +'s and -'s
                                                            1. no dbase to maintain
                                                            2. Architecture
                                                              1. distributed set of sensors
                                                                1. centralised console
                                                                  1. manage, analyse, report & react
                                                                  2. protected communication
                                                                    1. secured signature updates from vendor
                                                                    2. NIDS
                                                                      1. data source = network packets
                                                                        1. network adaptor = promiscuous mode
                                                                          1. attack recognition module
                                                                            1. pattern/byte code matching
                                                                              1. freq./threshold crossing
                                                                                1. correlation of lesser events
                                                                                2. deployment
                                                                                  1. firewall
                                                                                    1. outside
                                                                                      1. inside
                                                                                      2. between business units
                                                                                        1. behind remote access server
                                                                                          1. between Corp. & Partner networks
                                                                                          2. Strengths
                                                                                            1. cheap
                                                                                              1. fewer detection points
                                                                                              2. missed HIDS attacks
                                                                                                1. harder to hide evidence
                                                                                                  1. real-time detection & response
                                                                                                    1. OS independence
                                                                                                      1. detects unsuccessful attacks/malicious intent
                                                                                                      2. Weaknesses
                                                                                                        1. placement critical
                                                                                                          1. switched networks
                                                                                                          2. partial matching
                                                                                                            1. loaded/high-speed networks
                                                                                                            2. indecipherable packets
                                                                                                              1. packet spoofing
                                                                                                                1. frag attacks
                                                                                                                  1. DoS
                                                                                                                2. HIDS
                                                                                                                  1. monitors sys/event/security logs in NT & syslog in Unix
                                                                                                                    1. checks key sys files & .exe via checksums
                                                                                                                    2. regular expressions
                                                                                                                      1. port activity
                                                                                                                        1. deployment
                                                                                                                          1. key servers
                                                                                                                            1. sensitive info
                                                                                                                              1. "mission critical"
                                                                                                                            2. servers
                                                                                                                              1. Web
                                                                                                                                1. FTP/DNS
                                                                                                                                  1. E-commerce
                                                                                                                                2. Strengths
                                                                                                                                  1. missed NIDS attacks
                                                                                                                                    1. verifies attack success/failure
                                                                                                                                      1. monitors specific activities
                                                                                                                                        1. needs little/no h/ware
                                                                                                                                          1. encrypted & switched environments
                                                                                                                                          2. Weaknesses
                                                                                                                                            1. placement critical
                                                                                                                                              1. indirect info
                                                                                                                                                1. attacker fingerprints
                                                                                                                                                2. full coverage hard
                                                                                                                                                  1. detection = too late?
                                                                                                                                                3. The Future
                                                                                                                                                  1. integrated approach
                                                                                                                                                    1. NIDS + HIDS
                                                                                                                                                    2. better tools
                                                                                                                                                      1. reporting
                                                                                                                                                        1. management
                                                                                                                                                          1. visualisation
                                                                                                                                                          2. event correlation
                                                                                                                                                            1. Statistical Anomaly Detection
                                                                                                                                                              1. Intrusion Protection Systems?
                                                                                                                                                              Show full summary Hide full summary

                                                                                                                                                              Similar

                                                                                                                                                              CCNA Security 210-260 IINS - Exam 1
                                                                                                                                                              Mike M
                                                                                                                                                              CCNA Security 210-260 IINS - Exam 2
                                                                                                                                                              Mike M
                                                                                                                                                              SY0-401 Part 1 (50 questions)
                                                                                                                                                              desideri
                                                                                                                                                              CCNA Security 210-260 IINS - Exam 1
                                                                                                                                                              Ricardo Nuñez
                                                                                                                                                              CCNA Security 210-260 IINS - Exam 3
                                                                                                                                                              irvin pastora
                                                                                                                                                              1.3 Network and Security Components
                                                                                                                                                              DJ Perrone
                                                                                                                                                              U1. OSI 7 Layer Reference Model
                                                                                                                                                              Craig Parker
                                                                                                                                                              Types of Attacks
                                                                                                                                                              River L.
                                                                                                                                                              CCNA Security 210-260 IINS - Exam 1
                                                                                                                                                              irvin pastora
                                                                                                                                                              Network Security Vocabulary
                                                                                                                                                              Shantal K Green
                                                                                                                                                              Maximizing Efficiency: A Comprehensive Guide to Cloud Services for Your Business
                                                                                                                                                              Andrew James