Networked System Security Unit 32 Session 5

Operation of different intruder detection systems

Masudur rahman

on 6 October 2014


Transcript of Networked System Security Unit 32 Session 5

Firewalls are used to restrict access to one network from another network. Most companies use firewalls to restrict access to their networks from the Internet. A firewall device supports and enforces the company’s network security policy. A firewall may be a router, server, or specialized hardware device. It monitors packets coming into and out of the network it is protecting. It filters out the packets that do not meet the requirements of the security policy.
Packet-Filtering Firewalls are a security method of controlling what data can flow into and out of a network. Packet filtering takes place by using ACLs, which are developed and applied to a device. ACLs are lines of text, called rules, that the device applies to each packet it receives. The lines of text provide specific information pertaining to what packets can be accepted and what packets must be denied. Packet filtering is the method used by the first-generation firewall—that is, it was the first type created and used, while other types subsequently developed fall into later generations.
Stateful filtering is like a nosy neighbor who gets into people’s business and conversations. She keeps track of who said what and when. This can be annoying until your house is burglarized. Then you and the police will want to talk to the nosy neighbor, because she knows everything going on in the neighborhood and would be the one most likely to know something unusual happened.
A stateful-inspection firewall is nosier than a regular filtering device, because it keeps track of what computers say to each other. This requires that the firewall maintain a state table, which is like a score sheet of who said what to whom. Stateful-inspection firewalls also make decisions on what packets to allow or disallow, but their functionality goes a step further. For example, a regular packet-filtering device may deny any UDP packets requesting service on port 25, and a stateful packet-filtering device may have a rule to allow UDP packets through only if they are responses to outgoing requests.
The following lists some important characteristics of a stateful-inspection firewall:
• Maintains a state table that tracks each and every communication channel.
• Provides a high degree of security and does not introduce the performance hit that application proxy firewalls introduce.
• Is scalable and transparent to users.
• Provides data for tracking connectionless protocols such as UDP and ICMP.
• Stores and updates the state and context of the data within the packets.
• Is considered a third-generation firewall.
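The port 25 example above, worked through as an added simulation (not code from the original presentation): a stateless rule that only looks at the current packet beside a stateful filter that keeps a state table of outgoing requests and admits only replies that match an unexpired entry. Hosts, ports and the 30-second table timeout are constructed for the example.

```python
# Constructed packets: (direction, proto, src, sport, dst, dport).
# "out" leaves the protected network, "in" arrives from outside.

def stateless_filter(pkt):
    """First-generation rule from the text: deny inbound UDP to port 25, pass everything else."""
    direction, proto, src, sport, dst, dport = pkt
    return not (direction == "in" and proto == "udp" and dport == 25)

class StatefulFilter:
    """Keeps a state table of outgoing requests and admits only replies that match one."""

    def __init__(self, timeout=30.0):
        self.timeout = timeout
        self.state = {}  # (proto, inside_host, inside_port, outside_host, outside_port) -> expiry

    def allow(self, pkt, now):
        direction, proto, src, sport, dst, dport = pkt
        if direction == "out":
            # Record the flow so the matching reply can be recognised later.
            self.state[(proto, src, sport, dst, dport)] = now + self.timeout
            return True
        key = (proto, dst, dport, src, sport)  # a reply mirrors the request's addresses
        expiry = self.state.get(key)
        if expiry is None or expiry < now:
            self.state.pop(key, None)  # unsolicited or stale: not in the state table
            return False
        return True

def run_scenario():
    """Run both filters over the same packet sequence; returns (stateless, stateful) verdicts."""
    inside, resolver, stranger = "192.0.2.10", "198.51.100.5", "203.0.113.7"
    packets = [
        (0.0, ("out", "udp", inside, 53001, resolver, 53)),   # DNS query leaving the network
        (0.1, ("in", "udp", resolver, 53, inside, 53001)),    # genuine reply to that query
        (0.2, ("in", "udp", stranger, 53, inside, 53001)),    # forged "reply" from another host
        (0.3, ("in", "udp", stranger, 40000, inside, 25)),    # unsolicited UDP to port 25
        (60.0, ("in", "udp", resolver, 53, inside, 53001)),   # reply arriving after the entry expired
    ]
    stateful = StatefulFilter(timeout=30.0)
    return [(stateless_filter(p), stateful.allow(p, t)) for t, p in packets]

if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The third packet is the interesting one: the stateless rule passes it because the destination port is not 25, while the stateful filter rejects it because no outgoing request to that host is recorded.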
Demilitarized zone (DMZ) is a network segment located between the protected and unprotected networks. The DMZ provides a buffer zone between the dangerous Internet and the goodies within the internal network that the company is trying to protect.
We will talk about
Different types of Firewalls
Different Types of IDS and IPS
Use of Honeypots
Operation of different intruder detection systems
Passive & Reactive IDS
Network-based vs. host-based systems: in a network-based system, or NIDS, the individual packets flowing through a network are analyzed. The NIDS can detect malicious packets that are designed to be overlooked by a firewall's simplistic filtering rules. In a host-based system, the IDS examines the activity on each individual computer or host.
Intrusion Detection Systems
What is a Honeypot
Knowledge based IDS
Almost all IDS tools today are knowledge-based. Knowledge-based intrusion detection techniques apply the knowledge accumulated about specific attacks and system vulnerabilities. The intrusion detection system contains information about these vulnerabilities and looks for attempts to exploit these vulnerabilities. When such an attempt is detected, an alarm is triggered.
IDSs are used to detect unauthorized entries and alert a responsible entity to respond. An intrusion detection system (IDS) inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system.
Behavior-based IDS
Behavior-based intrusion detection techniques assume that an intrusion can be detected by observing a deviation from normal or expected behavior of the system or the users. The model of normal or valid behavior is extracted from reference information collected by various means. The intrusion detection system later compares this model with the current activity. When a deviation is observed, an alarm is generated.
Explain the Operation of different intruder detection systems
Some of the weaknesses of packet-filtering firewalls are listed next:
• They cannot prevent attacks that employ application-specific vulnerabilities or functions.
• Most packet-filtering firewalls do not support advanced user authentication schemes.
• Many packet-filtering firewalls cannot detect a network packet in which the OSI Layer 3 addressing information has been altered (spoofed).
• Due to the small number of variables used in access control decisions, packet-filtering firewalls are susceptible to security breaches caused by improper configurations.
The advantages of using packet-filtering firewalls are that they are scalable, not application-dependent, and they have high performance because they do not carry out extensive processing on the packets.
By the end of this session we will be able to explain the
The DMZ usually contains web, mail, and DNS servers, which must be hardened systems because they would be the first in line for attacks. Many DMZs also have an IDS sensor that listens for malicious and suspicious behavior.
Stateful Inspection Firewalls
A proxy firewall stands between a trusted and untrusted network and makes the connection, each way, on behalf of the source. So, if a user on the Internet requests to send data to a computer on the internal protected network, the proxy firewall gets this request first and looks it over for suspicious information. The request does not automatically go to the destination computer—instead, the proxy firewall accepts the request on behalf of the computer it is protecting.
A honeypot system is a computer that usually sits in the screened subnet, or DMZ, and attempts to lure attackers to it instead of to actual production computers. To make a honeypot system lure attackers, administrators may enable services and ports that are popular to exploit. Some honeypot systems have services emulated, meaning the actual service is not running but software that acts like those services is available.

Some network administrators want to keep the attackers away from their other systems and set up honeypots as decoys. Other administrators want to go after those who hurt them. These administrators would keep detailed logs, enable auditing, and perform different degrees of forensics in the hopes of turning over the attackers to the authorities for prosecution.
Network and Host Based IDS
Passive system vs. reactive system: in a passive system, the IDS detects a potential security breach, logs the information and signals an alert. In a reactive system, the IDS responds to the suspicious activity by logging off a user or by reprogramming the firewall to block network traffic from the suspected malicious source.
Advantages of the knowledge-based approaches are that they have the potential for very low false alarm rates, and the contextual analysis proposed by the intrusion detection system is detailed, making it easier for the security officer using this intrusion detection system to take preventive or corrective action.
Drawbacks include the difficulty of gathering the required information on the known attacks and keeping it up to date with new vulnerabilities and environments. Maintenance of the knowledge base of the intrusion detection system requires careful analysis of each vulnerability and is therefore a time-consuming task. Knowledge-based approaches also have to face the generalization issue. Knowledge about attacks is very focused, dependent on the operating system, version, platform, and application. The resulting intrusion detection tool is therefore closely tied to a given environment. Also, detection of insider attacks involving an abuse of privileges is deemed more difficult because no vulnerability is actually exploited by the attacker.
Advantages of behavior-based approaches are that they can detect attempts to exploit new and unforeseen vulnerabilities. They can even contribute to the (partially) automatic discovery of these new attacks. They are less dependent on operating system-specific mechanisms. They also help detect 'abuse of privileges' types of attacks that do not actually involve exploiting any security vulnerability. In short, this is the paranoid approach: Everything which has not been seen previously is dangerous.
The high false alarm rate is generally cited as the main drawback of behavior-based techniques because the entire scope of the behavior of an information system may not be covered during the learning phase. Also, behavior can change over time, introducing the need for periodic online retraining of the behavior profile, resulting either in unavailability of the intrusion detection system or in additional false alarms. The information system can undergo attacks at the same time the intrusion detection system is learning the behavior. As a result, the behavior profile contains intrusive behavior, which is not detected as anomalous.
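An added illustration of the two approaches described above (knowledge-based and behavior-based), not code from the original presentation. The signatures, the request-count profile and the traffic are all constructed for the example; the last run shows the learning-phase problem just described, where a profile built while the attacker was already active absorbs the intrusive behaviour and no longer flags it.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Knowledge-based part: signatures of known attack patterns (illustrative, assumed here).
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-injection": re.compile(r"(?i)union\s+select"),
}

def knowledge_based(events):
    """Alert on every event matching a stored signature; unknown attacks pass silently."""
    return [(src, name) for src, request in events
            for name, pattern in SIGNATURES.items() if pattern.search(request)]

def learn_profile(events):
    """Learning phase: model 'normal' as mean and spread of requests per source host."""
    counts = list(Counter(src for src, _ in events).values())
    return mean(counts), pstdev(counts)

def behavior_based(events, profile, k=3.0):
    """Alert on sources whose request volume deviates from the learned profile by > k sigma."""
    mu, sigma = profile
    counts = Counter(src for src, _ in events)
    return sorted(src for src, n in counts.items() if n > mu + k * sigma)

def make_events(per_host, extra=()):
    """Constructed traffic: host 10.0.0.i sends per_host[i-1] ordinary requests, plus extras."""
    events = [(f"10.0.0.{i}", "/index.html") for i, n in enumerate(per_host, 1) for _ in range(n)]
    return events + list(extra)

NORMAL = [8, 10, 12, 9, 11]
TRAINING = make_events(NORMAL)
# Attack window: 10.0.0.9 sends two requests matching a signature and 28 of a novel kind.
ATTACKER = [("10.0.0.9", "/../../etc/passwd")] * 2 + [("10.0.0.9", "/api?q=novel")] * 28
ATTACK = make_events(NORMAL, ATTACKER)
# Profile learned while the attacker was already active: the learning-phase failure mode.
POISONED = learn_profile(TRAINING + ATTACKER)

if __name__ == "__main__":
    print("knowledge-based:", knowledge_based(ATTACK))                          # 2 signature hits only
    print("behavior-based:", behavior_based(ATTACK, learn_profile(TRAINING)))   # ['10.0.0.9']
    print("behavior-based, poisoned profile:", behavior_based(ATTACK, POISONED))  # []
```

The knowledge-based detector sees only the two requests that match a stored signature and misses the 28 novel ones; the behavior-based detector catches the source by volume alone, unless its profile was learned from traffic that already contained the attack.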