Intrusion Detection and Intrusion Prevention
Ed Sale, VP of Security
Pivot Group, LLC
Presentation Goals
• Describe IDS and IPS
• Why They Are Important
• Deployment and Use
• Major Players
Intrusion Detection: The IT Security Camera
– Two types: Network (NIDS) and Host (HIDS)
– Looks at network traffic and host logs for signs of intrusion
– Alerts bring potential intrusions to the attention of administrators
– Data is useful in forensic investigations
– Issues include false positives and negatives, large amounts of data, the need for full-time monitoring, signature updates, and encrypted traffic
IDS Deployment: Passive Monitoring – Not Inline
[Diagram: WAN router, proxy server and servers, with network taps on the outside, DMZ and inside segments feeding an Outside IDS Sensor, a DMZ IDS Sensor and an Inside IDS Sensor; all sensors report to an IDS Console on the Intranet]
Types of Detection
Rule-Based Detection
– Signatures produced for known attacks
– Traffic scanned for matches to signatures
Anomaly Detection
– Baseline of “normal” traffic produced
– Deviations from baseline flagged as intrusions
HIDS Detection Types
– Executable file checksums
– System call monitoring
– Log file monitoring
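As an added example (not part of the original slides), the anomaly-detection approach above carried through in Python: a baseline of “normal” per-minute connection counts is built from a constructed training window, and a constructed detection window is checked for deviations. The counts, addresses and log-line format are all constructed sample data, not real telemetry.

```python
import statistics
from collections import Counter

# Constructed training window: outbound connections per minute from one
# workstation during normal use (sample numbers, not real telemetry).
TRAINING_COUNTS = [12, 15, 11, 14, 13, 16, 12, 14, 15, 13, 12, 14]

def build_baseline(counts, k=3.0):
    """Step 1: summarise 'normal' as a band of mean +/- k population stdevs."""
    mean = statistics.mean(counts)
    stdev = statistics.pstdev(counts)
    return {"mean": mean, "stdev": stdev,
            "lower": max(0.0, mean - k * stdev), "upper": mean + k * stdev}

def per_minute_counts(log_lines):
    """Count connections per minute from constructed 'HH:MM src->dst:port' lines."""
    counts = Counter(line.split()[0] for line in log_lines)
    return dict(sorted(counts.items()))

def flag_deviations(counts_by_minute, baseline):
    """Step 2: flag every minute whose count falls outside the baseline band.
    This is also where the false-positive problem lives: a legitimate burst
    (backup job, software update) trips the same threshold as a scan."""
    return [(minute, n) for minute, n in counts_by_minute.items()
            if not baseline["lower"] <= n <= baseline["upper"]]

# Constructed detection window: two normal minutes around one minute in which
# the host contacts 40 different internal addresses on port 445 (scan-like).
SAMPLE_LOG = (["09:00 10.0.0.5->10.0.1.20:443"] * 13
              + ["09:01 10.0.0.5->10.0.1.%d:445" % i for i in range(1, 41)]
              + ["09:02 10.0.0.5->10.0.1.20:443"] * 14)

def detect(log_lines=SAMPLE_LOG, training=TRAINING_COUNTS):
    """Run both steps end to end and return the flagged (minute, count) pairs."""
    return flag_deviations(per_minute_counts(log_lines), build_baseline(training))

if __name__ == "__main__":
    base = build_baseline(TRAINING_COUNTS)
    print("baseline band: %.1f .. %.1f" % (base["lower"], base["upper"]))
    print("flagged minutes:", detect())
```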
Types of Detection (cont’d)
Target-based Alerting (new)
– Combines knowledge of system vulnerabilities with the type of incoming attack to reduce the number of alerts
– Only alerts when the attack has a chance of success
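As an added example (not from the original slides), rule-based detection and target-based alerting side by side in Python: constructed signatures are matched against constructed events, then a constructed vulnerability inventory suppresses hits against hosts that are not exposed to what the signature exploits. Rule names, VULN-* ids, addresses and payloads are all placeholders, not a real signature feed or captured traffic.

```python
import re

# Constructed rule set: (rule name, pattern, id of the vulnerability it exploits).
# Names and VULN-* ids are placeholders, not a real signature feed. A rule with
# vulnerability None (e.g. auth failures) is not tied to one flaw and always alerts.
RULES = [
    ("dir-traversal", re.compile(r"\.\./\.\./"), "VULN-TRAVERSAL"),
    ("sqli-union", re.compile(r"(?i)\bunion\s+select\b"), "VULN-SQLI"),
    ("auth-failure", re.compile(r"auth failure"), None),
]

# Constructed asset inventory: destination host -> vulnerabilities known present
# (as a vulnerability scanner would report them). 10.0.0.5 is patched for traversal.
INVENTORY = {
    "10.0.0.5": {"VULN-SQLI"},
    "10.0.0.7": {"VULN-TRAVERSAL"},
}

def match_rules(event):
    """Rule-based detection: every rule whose pattern occurs in the payload."""
    return [(name, vuln) for name, rx, vuln in RULES if rx.search(event["payload"])]

def raw_alert_count(events):
    """What a plain signature IDS would raise: one alert per matching rule."""
    return sum(len(match_rules(ev)) for ev in events)

def target_based_alerts(events, inventory):
    """Target-based alerting: keep a hit only if the destination is known to be
    vulnerable to what the rule exploits (or the rule has no vulnerability id).
    Hosts absent from the inventory count as not vulnerable, which is the
    trade-off to watch: a stale inventory turns into false negatives."""
    alerts = []
    for ev in events:
        for name, vuln in match_rules(ev):
            if vuln is None or vuln in inventory.get(ev["dst"], set()):
                alerts.append((ev["dst"], name))
    return alerts

# Constructed events (sample log lines, not captured traffic).
SAMPLE_EVENTS = [
    {"dst": "10.0.0.5", "payload": "GET /static/../../etc/passwd"},       # hit, not vulnerable
    {"dst": "10.0.0.5", "payload": "GET /items?id=1 UNION SELECT 1,2"},  # hit, vulnerable
    {"dst": "10.0.0.7", "payload": "GET /static/../../etc/passwd"},       # hit, vulnerable
    {"dst": "10.0.0.9", "payload": "sshd: auth failure for user bob"},    # no vuln id -> alert
    {"dst": "10.0.0.9", "payload": "GET /index.html"},                    # no hit
]

if __name__ == "__main__":
    print("raw signature alerts:", raw_alert_count(SAMPLE_EVENTS))
    print("target-based alerts:", target_based_alerts(SAMPLE_EVENTS, INVENTORY))
```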
IDS Management
• Reactive Response to Attack
• Centralized Monitoring and Management
  – Critical for multi-sensor environments
• Tuning Required
• Constant Monitoring
• Large Data Store Backups
• Frequent Signature Updates (if rule-based)
• Software Upgrades
Intrusion Prevention: The IT Security Guard
– Two types: Network (NIPS) and Host (HIPS)
– Looks at network traffic and host logs for signs of intrusion
– Automatically takes action to protect networks and systems from attack
– Helps reduce patch update urgency
– Issues include false positives and negatives, inline operation that can create bottlenecks or a single point of failure, signature updates, and encrypted traffic
IPS Deployment: Inline Network Device(s)
[Diagram: WAN router, proxy server and servers, with an Outside IPS, a DMZ IPS and an Inside IPS placed inline on the outside, DMZ and inside segments; all devices report to an IPS Console on the Intranet]
IPS Management
• Proactive Response to Attack
• Centralized Monitoring and Management
  – Critical for multi-sensor environments
• Tuning Required
• Redundancy / Fail-open Required
• Constant Monitoring not Necessary
• Frequent Signature Updates (if rule-based)
• Software Upgrades
Common NIDS Pitfalls
• Deployed where it does not have access to all network traffic
• Output and/or alerts are ignored
• Inadequate incident response planning
• Administrators become overwhelmed by an un-tuned system
• Limitations of IDS/IPS are not well understood (updates, zero-day attacks, IDS blinding and evasion techniques)
Types of Protection
Network Resets
– Passive monitors may not get connections reset before damage is done
– Not all attacks are connection based
IP Address Blocking
– Passive monitors may not get the address blocked before damage is done
– Address spoofing may cause DoS of a legitimate user
Packet Drop
– Decision has to be made in real time (0.5 usec for 1 GB link)
Product Selection
What types of protection do I need?
– Zero-day attacks
– Network Segments to Monitor
– Bandwidth
– Tuning Flexibility
How do I want to manage it?
– Few False Positives and False Negatives
– Constant Monitoring
– Reporting Capabilities
Pivot Group Recommends Evaluation
IDS/IPS Solutions
Host IDS/IPS: Cisco (Okena), Sana Security, Network Associates (Enterasys)
Network IDS: Snort, Cisco, ISS, SecureWorks, Symantec, Lancope, Tenable, NetScreen, Computer Associates, NFR Security, McAfee, Sourcefire, Lucid Technologies
Network IPS: Tipping Point, Captus, TopLayer, DeepNines, EcoNet.com, Lucid, StillSecure, Vsecure Technologies
Final Words
• IDS is evolving, not dead
• IDS/IPS required in some industries
• Network IDS data has forensic and other uses
• Correlation, Analysis, Alerting, Reporting
• IDS and IPS add to defense in depth
More Information
For additional references on IDS/IPS, see:
http://www.pivotgroup.net/
http://www.sans.org/rr/papers/30/1028.pdf
http://www.infosecwriters.com/texts.php?op=display&id=117
http://www.nss.co.uk/