
Network Security Layers

IST 266
April 13, 2004
Agenda…

• Attendance & Administrivia
• Review Firewalls
• Chapter 15: Auditing, Monitoring, and Intrusion Detection




                        2
Auditing, Monitoring, and Intrusion Detection

                   “The Details”
–   Reduces reliance on administrative and procedural
    controls
–   In addition to controls…verifications take place after
    the fact
–   Review only periodically…
–   Residual risk

               “Audit vs. Monitor”

                              3
     Our author’s 3 types of “auditing”



-   Traditional EDP auditing
-   System auditing
-   Intrusion detection systems (auditing)




                          4
                   What is an Audit?


1. Independent review of a given subject
2. Purpose is to report on conformance to required standards
3. Concerned with risk assessment
4. See list on page 262
5. Security audits – complex, detailed, and require IT experts:
    not part of the standard EDP audit
6. “Tiger teams” & “white hat hacker”




                               5
         Auditing Functions


Operational audits

System audits

Activity audits page 263




                     6
             Auditing Outcomes


1. Baseline comparison
2. Logging capabilities
3. Supervisor override
4. Data change tracking page 266




                         7
               Audit Mistakes

1. Idea of non-retribution
2. Consulting with target work group, e.g., IT
3. Auditors not properly trained to perform IT audits
4. Levels of authority for IT changes
5. Doing it by the book
6. Hatchet jobs
7. Lack of management support to implement audit recommendations




                         8
         Intrusion Detection Systems



1. Variability Detection Systems vs. Intrusion Detection Systems
2. Real-time vs. After-the-fact
3. Volume of activity today vs. past
4. Misuse vs. intrusion




                           9
      Intrusion Detection Systems



1. Guards or sentries
2. Constantly scan network traffic or logs
3. Not new & not end-to-end
4. Two categories:
          a. Network-based
          b. Host-based




                           10
                Host-based IDS

1. Capable of automatically monitoring & denying services
2. On host vs. network
3. Rely on system logs
4. Automates the system administrator’s monitoring responsibility
5. Approaches:
          a. employ a wrapper, like TCP Wrappers
          b. agents




                          11
               Host-based IDS

Advantages:

a. monitors changes to critical system files
b. monitors changes to user privileges
c. checksums
d. monitor TCP port activity
e. can notify of security event in near real-time
f. cost lower than network IDS
g. can identify non-network based attacks, e.g., system file integrity
h. monitor terminal connections, e.g., modems
i. monitors what is on a specific host.
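Points a and c above (monitoring critical system files by checksum) as an added example, not code from the slides: it baselines a constructed temporary directory standing in for hypothetical system files, then reports what was modified, added or removed afterwards.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Checksum one file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Record a checksum for every regular file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            baseline[os.path.relpath(path, root)] = sha256_of(path)
    return baseline

def compare_to_baseline(root, baseline):
    """Return sorted lists of (modified, added, removed) paths versus the baseline."""
    current = build_baseline(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed

def demo():
    """Constructed scenario: a temp directory stands in for critical system files."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in [("passwd", b"root:x:0:0:root:/root:/bin/sh\n"),
                           ("sshd_config", b"PermitRootLogin no\n"),
                           ("hosts", b"127.0.0.1 localhost\n")]:
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        baseline = build_baseline(root)
        # Changes made after the baseline, which the check should report
        with open(os.path.join(root, "sshd_config"), "wb") as f:
            f.write(b"PermitRootLogin yes\n")          # a security-relevant edit
        with open(os.path.join(root, "unexpected.bin"), "wb") as f:
            f.write(b"constructed content")           # a file that was not there before
        os.remove(os.path.join(root, "hosts"))        # a deleted file
        return compare_to_baseline(root, baseline)

if __name__ == "__main__":
    print(demo())   # (['sshd_config'], ['unexpected.bin'], ['hosts'])
```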


                         12
            Host-based IDS


Disadvantage:

a. not real-time
b. does not allow for proactive activity
c. requirement for IDS software to be on every host




                       13
             Network-based IDS



1. Runs on networks monitoring activity analyzing patterns

2. Employs a dedicated network server or device




                          14
              Network-based IDS
Advantages:

a. less expensive than host-based IDS because it is loaded on only one machine
b. host-based systems miss network-based attacks
c. more stealthy than host-based IDS
d. ability to see a compromised system is easier in host-based IDS
e. network IDS provides better controls on event logs
f. audit log manipulations



                          15
                 Network-based IDS


Disadvantages:

Less effective as network traffic volume increases
– remember they read packets




                              16
    Identifying Hostile Intrusions

    General approaches

1. Knowledge-based IDS

2. Statistical-based IDS




                           17
          Knowledge-based IDS
Most widely used today

1. Other names: misuse detection systems, expert
   systems, model-based IDS, or signature-based IDS
2. Relies on the ability to recognize known attacks
3. Comes in both host and network-based IDS systems
4. Advantage: low false alarm rate, high detail and
   certainty
5. Disadvantage: must know threat and required
   maintenance of signature files




                         18
     Statistical-based IDSs (SIDSs)


1. Identifies intrusions by developing base-line
   measurements for normal activity
2. Assumes that anything that significantly deviates from
   the norm is an intrusion
3. Referred to as behavior IDSs or anomaly detection
   systems
4. Follows history….




                          19
    Statistical-based IDSs (SIDSs)

Advantages:

does not rely on signature files
detects malicious activity of the privileged user




                           20
     Statistical-based IDSs (SIDSs)

Disadvantages:

High number of false positives
Networks are not static…the SIDS must be flexible to change; it
   will not report any activity that it has learned as normal
Architecting the SIDS environment is difficult…too many
   possible targets. (Page 276 – neural networks)
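An added example, not code from the slides, contrasting the knowledge-based IDS of slide 18 with the statistical-based IDS of slides 19 to 21 over constructed "user action" log lines: the signature rule, the sample logs and the deviation factor are all hypothetical. The signature detector fires only on the known pattern and misses the novel action, while the baseline detector catches the novel action but also flags a heavy but possibly legitimate session, which is the false-positive trade-off the slides describe.

```python
import re
from collections import Counter

# Constructed "user action" log lines, not from any real system.
TRAINING_LOGS = ["alice login", "alice read_file", "alice logout",
                 "bob login", "bob read_file", "bob read_file", "bob logout"]
LIVE_LOGS = ["alice login", "alice read_file", "alice logout",
             "carol login", "carol read_shadow_file", "carol logout",  # matches a signature
             "bob login", "bob export_db", "bob logout",               # novel action, no signature
             "alice login"] + ["alice read_file"] * 5 + ["alice logout"]  # unusually heavy use

# Knowledge-based IDS: fixed signatures for known misuse (hypothetical rule).
SIGNATURES = {"shadow-access": re.compile(r"\bread_shadow_file\b")}

def signature_detect(lines):
    return [(i, name) for i, line in enumerate(lines)
            for name, pat in SIGNATURES.items() if pat.search(line)]

def split_sessions(lines):
    """Group lines into login..logout sessions."""
    sessions, current = [], []
    for line in lines:
        current.append(line)
        if line.endswith(" logout"):
            sessions.append(current)
            current = []
    return sessions + ([current] if current else [])

def train_baseline(lines):
    """Statistical IDS baseline: the known actions and their peak per-session count."""
    known, peak = set(), Counter()
    for session in split_sessions(lines):
        for action, n in Counter(ln.split()[1] for ln in session).items():
            known.add(action)
            peak[action] = max(peak[action], n)
    return known, peak

def anomaly_detect(lines, baseline, factor=2):
    """Flag actions never seen in training, or repeated more than factor * baseline peak."""
    known, peak = baseline
    alerts = []
    for session in split_sessions(lines):
        user = session[0].split()[0]
        for action, n in Counter(ln.split()[1] for ln in session).items():
            if action not in known:
                alerts.append((user, f"unknown action {action}"))
            elif n > factor * peak[action]:
                alerts.append((user, f"{action} x{n} exceeds baseline peak {peak[action]}"))
    return alerts
```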




                            21
