What is a Network Intrusion Detection System NIDS

  • Slides: 11
What is a “Network Intrusion Detection System (NIDS)"?

• A Network Intrusion Detection System is a system which can identify suspicious patterns in network traffic.
• NIDS is designed to allow data to be transmitted in real time across any TCP/IP network or connection, i.e. from any two PCs or wireless devices up to millions.

Some of the major features in NIDS in Windows 2000 include:

• Support for Plug and Play, Power Management, and Windows Management Instrumentation (WMI)
• Support for connection-oriented media such as Asynchronous Transfer Mode (ATM)

Features

• Support for older (legacy) transport stacks over connection-oriented media (for example, the LAN Emulation (LANE) driver and User Network Interface (UNI) Call Manager)
• The ability to offload tasks from the TCP/IP transport to the network adapter (for example, TCP/IP checksum tasks, IP Security tasks, and the segmentation of large TCP packets)

• High-performance OS-specific capture module for Linux
• Packet decode engine fully supports encapsulation
• Decode plugins included for many protocols

• Easy to configure; just one config file
• Full IP defragmentation
• TCP stateful inspection with window tracking
• Intelligent TCP stream reassembly
• Full application layer decodes
• EXTREMELY fast and scalable signature engine
• Configurable token-bucket rate limiting of any alerts
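The token-bucket rate limiting of alerts listed above, shown as an added Python example; this is not code from the presentation or from any NIDS product it describes, and the signature ids, timestamps and alert messages are constructed sample data. Each signature gets its own bucket, so a flood of one alert type is throttled without silencing the others.

```python
from dataclasses import dataclass

@dataclass
class TokenBucket:
    """Holds up to `capacity` tokens and refills at `rate` tokens per second."""
    capacity: float
    rate: float
    last: float           # timestamp of the last refill
    tokens: float = 0.0   # set to capacity by __post_init__

    def __post_init__(self):
        self.tokens = self.capacity

    def allow(self, now: float) -> bool:
        # Refill in proportion to elapsed time, never above capacity, then spend one token.
        self.tokens = min(self.capacity, self.tokens + max(0.0, now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1.0:
            return False
        self.tokens -= 1.0
        return True

class AlertLimiter:
    """One bucket per signature id, so a noisy signature cannot starve the others."""

    def __init__(self, capacity: float = 3, rate: float = 1.0):
        self.capacity, self.rate = capacity, rate
        self.buckets = {}      # sig_id -> TokenBucket
        self.suppressed = {}   # sig_id -> number of alerts dropped

    def process(self, now: float, sig_id: str, message: str):
        bucket = self.buckets.setdefault(sig_id, TokenBucket(self.capacity, self.rate, now))
        if bucket.allow(now):
            return f"t={now:.1f} ALERT {sig_id}: {message}"
        self.suppressed[sig_id] = self.suppressed.get(sig_id, 0) + 1
        return None

# Constructed sample alerts (seconds, signature id, message): a burst of six
# scan alerts, one unrelated web alert, and a late scan alert after the bucket refills.
SCAN = (0.0, 0.1, 0.2, 0.3, 0.4, 0.5, 2.5)
SAMPLE_ALERTS = sorted([(t, "SCAN-1", "port scan from 192.0.2.10") for t in SCAN]
                       + [(0.3, "WEB-2", "suspicious URI from 198.51.100.7")])

def run(alerts=SAMPLE_ALERTS, capacity=3, rate=1.0):
    """Return (emitted alert lines, per-signature suppressed counts)."""
    limiter = AlertLimiter(capacity, rate)
    emitted = [line for a in alerts if (line := limiter.process(*a))]
    return emitted, limiter.suppressed
```

With the default burst size of 3 and a refill of 1 token per second, the six-alert scan burst yields three alerts, the web alert passes untouched, and the scan alert at 2.5 s is emitted again once the bucket has refilled.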

Supported Protocols

• TCP/IP suite (IPv4, TCP, UDP, ICMP, IGMP)
• 802.1q (VLAN)
• Can differentiate Ethernet II and Novell IPX frames
• Can decode LLC and SNAP
• IPX, SAP
• Linux cooked sockets (SLL) in two different formats
• GRE (Generic Routing Encapsulation)
• IrDA (infra-red)
• ARP/AppleTalk ARP

Planned Features

• Some performance enhancements
• Proper remote alerting to a central Firestorm server
• Analyst consoles to read data from the central server
• Central management of all configuration from the analyst console

What happens after a NIDS detects an attack?

• Reconfigure firewall
• Chime
• SNMP trap
• NT event
• Syslog
• Send e-mail
• Page
• Log the attack
• Save evidence
• Launch program
• Terminate the TCP session

How can one detect if someone is running a NIDS?

• A NIDS is essentially a sniffer, so standard sniffer detection techniques can be used. An example would be to do a traceroute against the victim. This will often generate a low-level event in the IDS.

NIDS

• By Meron Girma
• CIS 450
• Professor Anrivor