MANAGEMENT of INFORMATION SECURITY Fifth Edition INTRUSION DETECTION

MANAGEMENT of INFORMATION SECURITY, Fifth Edition


INTRUSION DETECTION AND PREVENTION SYSTEMS
Management of Information Security, 5th Edition, © Cengage Learning 2

Intrusion Detection and Prevention Systems
• IDPSs combine tried-and-true detection methods from intrusion detection systems (IDSs) with the capability to react to changes in the environment, which is available in intrusion prevention technology
• As most modern technology in this category has the capability both to detect and prevent, the term IDPS is generally used to describe the devices or applications

Intrusion Detection and Prevention Systems (IDPS)
• When an IDPS detects a violation it activates the alarm, which can be audible and visible (noise and lights), or it can be a silent alarm that sends a message to a monitoring entity
• Systems that include intrusion prevention technology attempt to prevent the attack from succeeding by one of the following means:
  – Stopping the attack by terminating the network connection or the attacker’s user session
  – Changing the security environment by reconfiguring network devices (firewalls, routers, and switches) to block access to the targeted system
  – Changing the attack’s content to make it benign—for example, by removing an infected file attachment from an e-mail before the e-mail reaches the recipient

IDPSs
• All IDPSs require complex configurations to provide the appropriate level of detection and response
• These systems are either network based to protect network information assets, or they are host based to protect server or host information assets
• IDPSs use one of two detection methods: signature based or statistical anomaly based

IDPS (figure)

Host-Based IDPS
• A host-based IDPS works by configuring and classifying various categories of systems and data files
• Unless the IDPS is very precisely configured, benign actions can generate a large volume of false alarms
• During times of routine operation, the system will provide alerting for only a few urgent reasons and will provide recording only for exceptions
• Host-based IDPSs can monitor multiple computers simultaneously

Network-Based IDPS
• Network-based IDPSs monitor network traffic and, when a predefined condition occurs, notify the appropriate administrator
• The network-based IDPS looks for patterns of network traffic
• Network IDPSs must match known and unknown attack strategies against their knowledge base to determine whether an attack has occurred
• These systems yield many more false-positive readings than do host-based IDPSs, because they are attempting to read the network activity pattern to determine what is normal and what is not

Signature-Based IDPS
• A signature-based IDPS or knowledge-based IDPS examines data traffic for something that matches the signatures, which comprise preconfigured, predetermined attack patterns
• The problem with this approach is that the signatures must be continually updated, as new attack strategies emerge
• Another weakness of this method is the time frame over which attacks occur
• If attackers are slow and methodical, they may slip undetected through the IDPS, as their actions may not match a signature that includes factors based on duration of the events

Anomaly-Based IDPS
• The anomaly-based IDPS or behavior-based IDPS first collects data from normal traffic and establishes a baseline
• It then periodically samples network activity and compares the samples to the baseline
• When the activity falls outside the baseline parameters (or clipping level), the IDPS notifies the administrator
• The advantage of this approach is that the system is able to detect new types of attacks, as it looks for any type of abnormal activity
• Unfortunately, these IDPSs require significant processing capacity as they must constantly attempt to match activity to the baseline
• In addition, they may not detect minor changes to system variables and may generate many false-positive warnings
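The following is an added illustration, not code from the textbook or its publisher, of the signature-based and anomaly-based detection methods described on the two slides above, run over a constructed stream of login records. The record layout, the addresses, the signature (five failures from one source within 60 seconds) and the clipping level (mean plus three standard deviations of events per minute) are all assumptions made for this example; it shows a burst probe being caught by both methods while a slow, spread-out probe slips past both, as the slides warn.

```python
"""Constructed illustration (not the textbook's code) of the two IDPS detection
methods on these slides, run over a made-up stream of login records.
Record format (timestamp_seconds, source_ip, event) and all values are assumed."""
from statistics import mean, pstdev

# Constructed records, not real logs. Normal traffic: one successful login every 20 s,
# with a few extra logins so the baseline has some natural variation.
BASELINE = [(t, "10.0.0.5", "login_ok") for t in range(0, 600, 20)]
BASELINE += [(35, "10.0.0.6", "login_ok"), (95, "10.0.0.7", "login_ok"), (250, "10.0.0.8", "login_ok")]
# Observed period: the same background rate plus two probes from one outside address:
# a burst of six failures in six seconds, and six failures spread one every two minutes.
FAST_PROBE = [(700 + i, "203.0.113.9", "login_fail") for i in range(6)]
SLOW_PROBE = [(800 + 120 * i, "203.0.113.9", "login_fail") for i in range(6)]
OBSERVED = [(t, "10.0.0.5", "login_ok") for t in range(600, 1500, 20)] + FAST_PROBE + SLOW_PROBE

def signature_detect(records, failures=5, window=60):
    """Signature based: a preconfigured pattern with a duration factor, here
    'failures' failed logins from one source within 'window' seconds."""
    fails = [(t, src) for t, src, ev in records if ev == "login_fail"]
    hits = set()
    for i, (t0, src) in enumerate(fails):
        in_window = [t for t, s in fails[i:] if s == src and t - t0 <= window]
        if len(in_window) >= failures:
            hits.add(src)
    return hits

def bucket_counts(records, bucket=60):
    """Events per fixed-size time bucket, the activity measure compared to the baseline."""
    counts = {}
    for t, _, _ in records:
        counts[t // bucket] = counts.get(t // bucket, 0) + 1
    return counts

def anomaly_detect(baseline, observed, k=3.0, bucket=60):
    """Anomaly based: learn mean and spread of events per bucket from normal traffic,
    set the clipping level at mean + k standard deviations, flag buckets above it."""
    base = list(bucket_counts(baseline, bucket).values())
    clipping_level = mean(base) + k * pstdev(base)
    return sorted(b for b, c in bucket_counts(observed, bucket).items() if c > clipping_level)

if __name__ == "__main__":
    print("signature, fast probe:", signature_detect(FAST_PROBE))   # {'203.0.113.9'}
    print("signature, slow probe:", signature_detect(SLOW_PROBE))   # set(): slips through
    print("anomaly buckets above clipping level:", anomaly_detect(BASELINE, OBSERVED))  # [11]
```

The slow probe adds only one failure per minute, which stays under the clipping level and never satisfies the duration-based signature, so detecting it would need a longer observation window or a per-source measure, at the cost of the extra processing and false positives the slides mention.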

Managing IDPSs
• Just as with any alarm system, if there is no response to an alert, then an alarm does no good
• IDPSs must be configured using technical knowledge and adequate business and security knowledge to differentiate between routine circumstances and low, moderate, or severe threats
• A properly configured IDPS can translate a security alert into different types of notification
• A poorly configured IDPS may yield only noise

Managing IDPSs
• Most IDPSs monitor systems by means of agents, software that resides on a system and reports back to a management server
• A valuable tool in managing an IDPS is the consolidated enterprise manager, software that allows the security professional to collect data from multiple host- and network-based IDPSs and look for patterns across systems and subnetworks, collecting responses from all IDPSs used to identify cross-system probes and intrusions

Remote Access Protection
• An attacker who suspects that an organization has dial-up lines can use a device called a wardialer to locate the connection points
• Dial-up connections are usually much simpler and less sophisticated than Internet connections
• For the most part, simple user name and password schemes are the only means of authentication

RADIUS and TACACS
• RADIUS and TACACS are systems that authenticate the credentials of users who are trying to access an organization’s network via a dial-up connection
• Typical dial-up systems place the authentication of users on the system connected to the modems
• A Remote Authentication Dial-In User Service (RADIUS) system centralizes the management of user authentication by placing the responsibility for authenticating each user in the central RADIUS server

RADIUS and TACACS
• When a remote access server (RAS) receives a request for a network connection from a dial-up client, it passes the request along with the user’s credentials to the RADIUS server; RADIUS then validates the credentials
• The Terminal Access Controller Access Control System (TACACS) works similarly and is based on a client/server configuration

RADIUS Configuration (figure)

Managing Dial-Up Connections
• Organizations that continue to offer dial-up remote access must deal with a number of thorny issues:
  – Determine how many dial-up connections the organization has
  – Control access to authorized modem numbers
  – Use call-back whenever possible
  – Use token-based authentication if at all possible

Wireless Networking Protection
• Most organizations that make use of wireless networks use an implementation based on the IEEE 802.11 protocol
• The size of a wireless network’s footprint depends on the amount of power the transmitter/receiver wireless access points (WAPs) emit
• Sufficient power must exist to ensure quality connections within the intended area, but not so much as to allow those outside the footprint to receive them

Wireless Networking Protection
• War driving is moving through a geographic area or building, actively scanning for open or unsecured WAPs
• The two most common encryption protocols used to secure wireless networks are:
  – Wired Equivalent Privacy (WEP) and
  – Wi-Fi Protected Access (WPA)

Wired Equivalent Privacy (WEP)
• Provides a basic level of security to prevent unauthorized access or eavesdropping
• Like a traditional wired network, it does not protect users from observing each other’s data
• Has several fundamental cryptological flaws, resulting in vulnerabilities that can be exploited, which led to its replacement by WPA

Wi-Fi Protected Access (WPA)
• WPA is an industry standard, created by the Wi-Fi Alliance
• IEEE 802.11i has been implemented in products such as WPA2, which introduced newer, more robust security protocols based on the Advanced Encryption Standard
• WPA and WPA2 provide increased capabilities for authentication, encryption, and throughput
• WPA and WPA2 have some compatibility issues with older WAPs and network cards
• Both WPA and WPA2 can use an IEEE 802.1X authentication server, similar to RADIUS servers

WiMAX
• The next generation of wireless networking is WiMAX, or Wireless-MAN, essentially an improvement on the technology developed for cellular telephones and modems
• WiMAX, developed as part of the IEEE 802.16 standard, is a certification mark or stamp of approval that stands for “Worldwide Interoperability for Microwave Access”

Bluetooth
• Bluetooth is a de facto industry standard for short-range (approx. 30 ft) wireless communications between devices
• The Bluetooth wireless communications link can be exploited by anyone within range, unless suitable security controls are implemented
• In discoverable mode, devices can easily be accessed
• Even in nondiscoverable mode, the device is susceptible to access by other devices that have connected with it in the past

Bluetooth
• By default, Bluetooth does not authenticate connections, but it does implement some degree of security when devices access certain services like dial-up accounts and local area file transfers
• The only way to secure Bluetooth-enabled devices is to:
  – 1) turn off Bluetooth when you do not intend to use it, and
  – 2) not accept an incoming communications pairing request unless you know who the requestor is

Managing Wireless Connections
• It is possible to restrict access to the network to a preapproved set of wireless network card MAC addresses
• One of the first management requirements is to regulate the size of the wireless network footprint by adjusting the placement and strength of the WAPs
• Select WPA or WPA2 over WEP
• Protect pre-shared keys