5 Firewalls and IDS

75 %
25 %
Information about 5 Firewalls and IDS
News-Reports

Published on August 20, 2007

Author: Hufflepuff

Source: authorstream.com

Firewall and Perimeter Security :  Firewall and Perimeter Security Contents:  Contents Firewall packet-filter firewall: filters at the network or transport layer proxy firewall: filters at the application layer NAT solve the problem of IP address limitation provide load balance and redundancy IDS active detection to monitor the network status three methods: signature, statistical and integrity four types: host, network, applications and integrity Honeypots a décor to attract hackers What is a firewall?:  What is a firewall? A firewall, is a 'router, or several routers or access servers, designed as a buffer between any connected public networks and private network. Protecting Network Using Firewall - 1:  Protecting Network Using Firewall - 1 Security protocol cannot prevent malicious people from sending harmful message to a system A firewall is a device (usually a router or computer) installed between internal network and the Internet Some large companies with a lot of sensitive information also install firewall within their intranet to protect these types of the network resource from unauthorized employee. Protecting Network Using Firewall - 2:  Protecting Network Using Firewall - 2 Some modern firewall has additional features: network address translation (NAT) encryption in data transmission, e.g. VPN use strong authentication techniques to authenticate users/ports anti-virus features easy to use GUI Requirements of Firewall:  Requirements of Firewall Efficient access control (easy to use access control list (ACL), such as GUI interface) Filtering of vulnerable protocols (based on types of protocols) Network monitoring Simple management (features such as GUI, web-based, SNMP enabled) Firewall Classification:  Firewall Classification A firewall is usually classified into two classes packet-filter firewall also known as screen router or screening filter forward and block packets based on information in the network layer and transport layer headers: source, destination, IP address, source and destination port, type of protocol (TCP or UDP) proxy-based firewall also known as application gateway forward and block packets based on the contents of the messages (i.e. at application level traffic) Standard packet filtering:  Standard packet filtering Packet filters make decisions based on packet header information. Access decisions are based on source and destination addresses, source and destination port numbers, protocol types, and possibly flags within the header themselves. They does not look at the actual payload. Packet-filter Firewall - 1:  Packet-filter Firewall - 1 is a router that uses a filtering table to decide which packet must be discard (not forward) operate at network layer (or transport layer) Packet-filter firewall - 2:  Packet-filter firewall - 2 Example of packet filter rules: incoming packet from 131.34.0.0 are blocked incoming packet destined for any internal TELNET (port 23) are blocked incoming packets destined to internal host 194.78.20.8 are blocked (this host for internal use) outgoing packets destined for an HTTP server (port 80) are blocked. (i.e. does not want employees to browser the Internet) Packet Filter Firewall - 3:  Packet Filter Firewall - 3 Two main types: Standard or Stateless packet filtering Also known as first generation firewall Operates at either the Network or Transport layer. Most packet filters used the values of the following header field to determine what to pass or not Protocol type, IP address, TCP/UDP port, Fragment number Packet Filter Firewall - 4:  Packet Filter Firewall - 4 Stateful inspection packet filters known as dynamic packet filtering filter rules are set up based on policy rule and state of the protocol For example: do not allow any services through the firewall except: Services they’re programmed to allow Connections that they already maintained in their state tables. Pros and Cons of Packet Filter:  Pros and Cons of Packet Filter Pros Scalable (Simple) Provides high performance (High speed) Application dependent Cons Does not look into the packet pass the header. Low security relative to other firewall types Difficulties in setting up the packet filter rules correctly Lack of support for authentication Stateful inspection -packet filter:  Stateful inspection - packet filter Proxy-based firewall - 1:  Proxy-based firewall - 1 Application Level firewall Make high-level connections at application layer for example Policy on access web-pages: Only Internet users who had established business relationships with the company can have access; access by other users must be blocked. packet-filter firewall is not feasible because it cannot distinguish between different packet. Selection must be done at applications level (i.e. URL) proxy work on behalf of internal hosts to complete the connection between internal and external hosts. Proxy-based firewall - 2:  Proxy-based firewall - 2 A variants of proxy is called circuit gateway creates a new connection between itself and the remote host Proxy stand in for outbound connection attempts to servers and then make the request to the actual target server on behalf of the client. When the server returns data, the proxy transmits that data to the client. Application proxies don’t necessary to be run on firewalls appliances. it is a high-end servers (or cluster of servers) Usually Internet client applications (Browser) require to setup to talk to the proxy. Proxy-based firewall - 3:  Proxy-based firewall - 3 Bastion Host:  Bastion Host The bastion host sits on the internal network. It is the machine that will be accessed by all entities trying to access or leave the network. It is the only system on the internal network that hosts on the Internet can open connections to (for example, to deliver incoming email). If the bastion host is compromised, the internal network is wide open to attack from this bastion host The bastion host thus needs to maintain a high level of host security. Demilitarized Zone (DMZ) - 1:  Demilitarized Zone (DMZ) - 1 Another firewall features is provision of DMZ DMZ - Demilitarized Zone: Firewall configuration that allows an organization to securely host its public servers and also protect its internal network at the same time. DMZ is simply a network segment that is located between the protected and the unprotected networks. Demilitarized Zone (DMZ) - 2:  Demilitarized Zone (DMZ) - 2 General DMZ rules - 1:  General DMZ rules - 1 General DMZ rules - 2:  General DMZ rules - 2 Allow external users to access the appropriate services on DMZ systems. DMZ systems should be severely restricted from accessing internal systems. Internal uses can access the DMZ or external network as policy allows No external users may access the internal system. Firewall Variations - 1:  Firewall Variations - 1 Screening Router Using one packet filtering router as firewall Cheap and flexible Can only withstand a limited number of attacks Hard to administer. Firewall Variations - 2:  Firewall Variations - 2 Firewall with only a bastion host can analyse traffic but not control it A minimum useful firewall uses a router and a bastion host A bastion host is connected to a separate interface of a router The network of the bastion host is on is called perimeter network Firewall Variations - 3:  Firewall Variations - 3 Perimeter network is an additional network between the external network and a protected internal network. If an attacker has accessed the bastion host, it is still not possible to snoop the internal network directly. For router with only 2 interfaces andamp; bastion host can act as external or internal router as well as bastion. Firewall Variations - 4:  Firewall Variations - 4 Standard Single-homed Bastion Host Built with two routers and a bastion host. In between the two routers is the perimeter network on which the bastion host is placed. Routers are configured such that all connections have to go via the bastion host. Firewall Variations - 5:  Firewall Variations - 5 If the outside router has more than 2 interfaces, perimeter network can be built on the extra interface. Hosts that have to be accessible from the external network such as WWW can be placed there. Firewall Variations - 6:  Firewall Variations - 6 Standard Dual-homed Bastion Host More secure than single-homed bastion host. It has two perimeter networks. If a mistake is made in the external router access list, it is not possible to make illegal connection through the firewall that would be possible with the single-homed bastion host. Additional Firewall Components:  Additional Firewall Components Authentication Allows users on the public network to prove their identity to the firewall in order to gain access to the private network from external locations. to filter unauthorized users function as an NAS (network access server) Encrypted Tunnels tunneling is also called encapsulation, it is a major building block of Virtual Private Networking (VPN) Tunneling establishes a secure connection between two private networks over a public medium like the Internet. allows physically separated networks to use the Internet rather than leased-line connections to communicate. VPN firewall is usually work in pairs Limitations of Firewall:  Limitations of Firewall Even with the use of Proxy firewalls, it is still unable to control the content transferred across the network boundaries satisfactorily. Firewalls are extremely vulnerable to insider attacks and covert channels Firewalls can become bottlenecks of traffic If a firewall is compromised, the protected network is extremely vulnerable Security Strategies in firewall:  Security Strategies in firewall Least privilege every element of the firewalls system should have only the privileges that are needed to carry out its tasks Defense in depth security mechanisms should be redundant, should use different approaches (e.g. from different vendors), and should be able to back up each other. Controlled access the protected network should have a well-defined access point that forces attackers to use a narrow channel, which you can monitor and control Fail-safe andamp; fail-over Fail-safe: a malfunctioning of a subsystem may affect functionality but should not lose security. Fail-over: the task can taken over by another firewall. Firewall Philosophies:  Firewall Philosophies Default Permit: 'Not Expressly Prohibited' is Permitted Used in 'open' environments (e.g., ISP and some universities) Difficult to manage Default Deny: 'Not Expressly Permitted' is Prohibited used in environment with higher security May be too restrictive in some environments Factors to consider for choosing firewall :  Factors to consider for choosing firewall Performance Firewall is usually the bottle neck of network traffics. The performance is usually the prime concerns. Stateful inspection filter is the trend as it’s good cost-performance ratio is better. Scalability scale adapted to size of company and corporate security policy. Usually, firewall vendor provide modules for client to upgrade according to their needs Compatibility work seamlessly with firewall products from different vendors Network management support easy installation and compatible with network management protocol Summary:  Summary Two type of firewall packet filter firewall stateless and stateful inspection proxy firewall: application level not allow client to go directly, must go thru’ a proxy which has rules Three basic configuration examples: Screened host firewall, Single-homed bastion Screened host firewall, Dual-homed bastion Screened subnet A modern firewall usually have three interfaces: trusted, DMZ and untrusted NAT Explained - 1:  NAT Explained - 1 NAT hides internal IP addresses by converting all internal host addresses to the address of the firewall as packets are routed through the firewall. NAT is also called IP masquerading. Translates the IP addresses of internal hosts to hide them from outside monitoring. Originally implemented to make more IP addresses available to private networks. NAT Explained (2):  NAT Explained (2) The firewall then retransmits the data payload of the internal host from its own address using a translation table to keep track of which sockets on the exterior interface equate to which sockets on the interior interface. To the Internet, all the traffic on your network appears to be coming from one extremely busy computer. NAT Process - in details:  NAT Process - in details NAT Modes - 1:  NAT Modes - 1 Four primary modes of NAT: Dynamic Translation (also called Automatic, Hide Mode or IP Masquerade) Wherein a large group of internal clients share a single or small group of internal IP addresses for the purpose of hiding their identities or expanding the internal network address space. Static Translation (also called Port Forwarding) Wherein a specific internal network resource (usually a server) has a fixed translation that never changes. Static NAT is required to make internal hosts available for connections from external hosts. NAT Modes - 2:  NAT Modes - 2 Loading Balancing Translation Wherein a single IP address and port is translated to a pool of identically configured servers so that a single public address can be served by a number of servers. Network Redundancy Translation Wherein multiple Internet connections are attached to a single NAT firewall and clients requests are routed through an Internet connection based on load and availability. NAT Used in ISP:  NAT Used in ISP A large group of internal clients share a single or small group of internal IP addresses for the purpose of hiding their identities or expanding the internal network address space. Loading Balancing Translation:  Loading Balancing Translation A single IP address and port is translated to a pool of identically configured servers so that a single public address can be served by a number of servers. Hacking through NAT - 1:  Hacking through NAT - 1 Static translation does not protect the internal host. Static translation merely replaces port information on a one-to-one basis. This affords no protection to statically translated hosts Hacking attacks will be just as efficiently translated as any valid connection attempt. Solution: Reduce the number of attack to one, and then to use application proxy software or other application based security measures. Hacking through NAT - 2:  Hacking through NAT - 2 If the client establishes the connection, a return connection exists. Even if hackers can’t get inside our network, you can’t prevent your users form going to the hackers. Forged email with a Web site link, a Trojan horse, or a seductive content Web site can entice your users to attach to a machine whose purpose is to glean information about your network. Solution: Higher-level, application-specific proxies are once again the solution. Firewall Products:  Firewall Products Cisco PIX Firewall - 1:  Cisco PIX Firewall - 1 The Cisco PIX firewall series a high-performance, enterprise-class firewall product line within the Cisco firewall family. with integrated hardware and software delivers high security and network performance scalable to meet different customer requirements Product PIX 525 andamp; PIX 520 - for large enterprise PIX 515 - for medium size company PIX 506 - for SOHO Cisco PIX firewall - 2:  Cisco PIX firewall - 2 The PIX firewalls provide stateful inspection firewall IPsec and L2TP/PPTP-based VPNs content filtering capabilities (limited) integrated intrusion detection capabilities Adaptive Security Algorithm (ASA):  Adaptive Security Algorithm (ASA) Adaptive Security Algorithm (ASA) is the foundation on which the PIX Firewall is built. It defines how PIX examines traffic passing through it and applies various rules to it. The basic concept behind ASA is to keep track of the various connections being formed from the networks behind the PIX to the public network. Information keep tracking include: IP packet source and destination information TCP sequence numbers and additional TCP flags UDP packet flow and timers Rules to restrict information flow in a PIX firewall:  Rules to restrict information flow in a PIX firewall Data traveling from a more secure interface to a less interface (from high to low) A translation (either static or dynamic) is required to allow traffic from a higher security to a lower security interface. Data traveling from a less secure interface to a more secure interface (from low to high) A conduit or an access list is required to permit the desired traffic. That is, traffic is not allowed unless allowed by the conduit command or access list Data traveling from two interfaces with the same security level No traffic flows between two interfaces with the same security level. Rules to restrict information flow in a PIX firewall:  Rules to restrict information flow in a PIX firewall PIX commands:  PIX commands There are six basic commands in Cisco PIX: nameif – assign a name to an interface interface – interface configuration ip address command – assign IP address nat command – network address translation command to define the trusted source address to be translated (two variants: nat : dynamic NAT and static: static NAT) global – The global command defines a pool of global addresses. The global addresses in the pool provide an IP address for each outbound connection, and for those inbound connections resulting from outbound connections. route – define static route Examples of PIX commands to setup NAT and packet filter:  Examples of PIX commands to setup NAT and packet filter Allow only external connected to web server at DMZ nameif ethernet0 outside security0 nameif ehternet1 inside secuirty100 naemif ethernet2 dmz security50 Interface ethernet0 auto ip address outside 192.168.1.2 255.255.255.0 ip address inside 10.0.0.1 255.255.255.0 ip address dmz 172.16.1.1 255.255.255.0   /* for NAT: allow NAT to all inside, map to 10-254. set one static addr 192.168.1.10 to 10.1.1.10*/ nat (inside) 1 0.0.0.0 0.0.0.0 global (outside) 1 192.168.1.10-192.168.1.254 netmask 255.255.255.0 static (inside, outside) 192.168.1.10 10.1.1.10   /* for packet filter: allow all external network to web server */ access-list 80 permit TCP any host 172.16.1.2 access group 80 in interface outside route outside 0.0.0.0 0.0.0.0 192.168.1.1 1 Intrusion Detection:  Intrusion Detection Traditional Security Approach:  Traditional Security Approach The disciplines of computer security address three fundamental needs: Prevention Detection Response Traditional response to security risks a series of preventive measures design to keep out unauthorized people Firewall only concentrated on perimeter defense! it is only part of the defense in computer security Intrusion Detection Approach:  Intrusion Detection Approach Problem with perimeter defenses (use firewall only) is that most of the losses are attributable to insiders! IDS provides damage assessment and threat identification capabilities just like their physical counterparts the video cameras =andgt; IDS sensors Intrusion detection tools are not only prevention devices, it is for detection IDS is also an excellent deterrent. What are IDS?:  What are IDS? IDS are dedicated appliances or software-based components that monitor network traffic or individual computer activity with the goals of Identifying malicious actions Resource misuse Attempts to gain unauthorized access Attacks Note with IDS, you still need firewalls, anti-virus software, security policies, and other types of control. Capabilities of an IDS:  Capabilities of an IDS Event log analysis for insider threat detection Security configuration management Network traffic analysis for perimeter threat detection File integrity checking Three main classes of analysis in IDS: signature analysis statistical analysis integrity analysis Signature Analysis:  Signature Analysis Look for specific attacks against known weak points of a system. These attacks can be detected by watching for certain actions (certain pattern of action) being performed on certain objects. IDS performs signature analysis on the information it obtains. Signature analysis is pattern matching of system setting and user activities against a database of known attacks. require an updated list of signature file (e.g. once every 2 weeks released by CERN etc) Comparisons with anti-virus software anti-virus to scan hostile pattern from memory and files (hard-disk) IDS is to scan hostile pattern within a network Statistical Intrusion Analysis:  Statistical Intrusion Analysis Based on observations of deviations from normal system usage. Method: Require to measure a baseline of statistics: CPU utilization and network usage User logins and its pattern (i.e. time-of-day) File activity and so on (file type and size and time) Alert administrator regarding any deviation from this baseline. Integrity Analysis:  Integrity Analysis Integrity analysis reveals whether a file or object has been altered. Such analysis often uses strong cryptographic hash algorithms to determine whether anything has been modified. e.g. if an attacker adds a user to a Linux system, the hash of the /etc/password file will change, alerting the administrator that the file has been modified. e.g. Tripwire: digest are generated as a series markers. System can check all files again with the designated digest to check any modification. Unexpected change signify possible intrusion. Tripwire is an open-source project of Purdue University (www.tripwire.org) Characteristics of a Good IDS:  Characteristics of a Good IDS Run continually without supervision. Be fault-tolerant. Do not use excessive system resources. Able to observe deviation from normal behavior. Able to cope with changing system behavior over time. As new applications are added, the system profile will change automatically, and the IDS must be able to adapt. Be accurate (0% false positive and 0% false negative). Be customizable. Be current (i.e. signature files and baseline data are up-to-date) Errors in IDS - 1:  Errors in IDS - 1 False Positives occurs when the IDS classifies an action as anomalous (a possible intrusion) when it is actually a legitimate action. if too many false positives are generated, people will begin to ignore the output of the system, which might lead to an actually intrusion being detected but ignored. problem: very difficult and often cannot totally eliminated. input quality (biometrics / IDS) poor good output accept reject FRR FAR Errors in IDS - 2:  Errors in IDS - 2 False Negatives occurs when an intrusive action has taken place, but the IDS allows it to pass as an non-intrusive behavior. problem: Extremely dangerous false negative subversion occurs when an intruder modifies the operation of the IDS to force false negatives to occur. Categories of Intrusion Detection:  Categories of Intrusion Detection Several categories of IDS exists in the market NIDS - Network Intrusion Detection System (typical) HIDS - Host Intrusion Detection System Application Intrusion Detection System Integrity Intrusion Detection (not yet popular) e.g. Tripwire NIDS - 1:  NIDS - 1 Network-based IDS can be hardware appliances or software application installed on a computer system. NIC works in promiscuous mode and collects and monitors network traffic for malicious activity. There are sensors placed in the network segment that are to be monitored , typical strategic locations are: DMZ, behind firewall, database server’s subnet etc These sensors are all connected to a central management console. The traffic is then analyzed. NIDS - 2:  NIDS - 2 NIDS are mostly signature-based. A set of attack signatures are built into the systems These signatures are compared against the traffic on the network. The NIC card that monitors the network in placed in 'stealthy' mode so that it does not have an IP address and does not respond to probes such as a ping. NIDS - 3:  NIDS - 3 Advantages include Lower cost of ownership (one IDS for whole networks) The NIDS can be completely hidden on the network so that an attacker will not know that s/he is being monitored. NIDS - 4:  NIDS - 4 Disadvantages include: The NIDS can only alarm if the traffic matches signatures The NIDS cannot determine if the attack was successful The NIDS cannot examine traffic that is encrypted Switched network require special configurations Unable to handle high-speed networks HIDS - 1:  HIDS - 1 Host-based IDS is a system of sensors that are loaded onto various servers within an organization and controlled by some central manager. HIDS sensors watch the events associated with the server on which they are loaded. The HIDS sensor can determine whether an attack was successful or not since the attack was on the same platform as the sensors. HIDS - 2:  HIDS - 2 The five basic types of HIDS sensors: Log analyzers – looks for log entries that may indicate a security event. Signature-based sensors – analyze incoming traffic and compare them with a set of built-in security event signatures System call analyzers – examine an application’s system calls, analyze the action and compared it to a database of signatures. Application behavior analyzers – the sensor examines an application’s system calls to see if it is allowed to perform such action. File integrity checkers – check for changes in files. HIDS - 3:  HIDS - 3 Advantages: Verifies success or failure of an attack Monitor specific system activities Detect attacks that network-based systems miss Well-suited for encrypted and switched environments Requires no additional hardware Lower cost of entry (for system with fewer number of hosts) HIDS - 4:  HIDS - 4 Disadvantages Network activity is not visible to host-based sensors Running audit mechanisms can use additional resources When audit trails are used as data sources, they can take up significant storage Host-based sensors must be platform specific Management and deployment very difficult in large network Designing IntrusionDetection Systems:  Designing Intrusion Detection Systems Monitoring security through IDS requires a combination of: good sensor placement well designed sensor behaviour, appropriate sensor configuration, regular tuning and a sound strategy for event response. Application Intrusion Detection:  Application Intrusion Detection Collects information at the application level. E.g. Logs generated by database management software, Web servers, and firewalls. Sensors placed in the application collected and analyze information. Not very popular at the moment But it is expected in the coming years the focus on security will shift from network to server/application level. Strength High degree of control Weakness Too many applications to support Covers only one component at a time Popular IDS Products:  Popular IDS Products RealSecure www.iss.net/securing_e-business/security_products/intrusion _detection/ Cisco Secure IDS www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/ Network ICE www.networkice.com Snort www.snort.org SNORT:  SNORT Light weight Network IDS Packet capture /logger: real-time traffic analysis Content search: detect attacks and probes Support rule language Detection engine with modular plug-ins Real-time alerting capacity Support Linux and Windows Syslog features logging network data in Tcpdump format use WinPopup message to window client SNORT (2):  SNORT (2) 4 major engines packet capture / decode engine rules parsing and detection engine logging engine plug-ins andamp; preprocessing handling engine 3 modes sniffing mode: snort -v andlt;= verbose to show header snort -vd andlt;= verbose to show header and data content snort -vde andlt;= same as above, with describe details logging mode snort –v –l ./log –h 192.168.1.0/24 andlt;= for Linux snort –v –l ..\log –h 192.168.1.0/24 andlt;=for PC IDS mode snort –v –l ./log –h 192.168.1.0/24 –c snort.conf snort –v –l ..\log –h 192.168.1.0/24 –c ..\etc\snort.conf snort.conf - 1:  snort.conf - 1 To tune the performance of the NIDS Five sections network and configuration variables var HOME_NET 10.120.25.135 var HOME_NET [10.10.10.20, 192.168.1.23, 172,16.30.25] var HOME_NET 10.10.10.0/24 var EXTERNAL_NET !HOME_NET var ORACLE_PORTS 1512 snort.conf - 2:  snort.conf - 2 Decoder and detection engine configuration alert user if a packet has strange size, strange option, or uncommon setting these are not necessary attacks and may generate large amount of false positive, use the following to disable, for example config disable_decode_alerts config disable_tcpopt_experimental_alerts snort.conf - 3:  snort.conf - 3 Preprocessor configuration output configuration: control o/p format that works with 3rd party software output alert_syslog: host=10.10.10.100 LOG_AUTH LOG_ALERT output database: andlt;log | alertandgt;, andlt;database typeandgt;, andlt;parameter listandgt; file inclusions : include rule sets Preprocessor of SNORT - 1:  Preprocessor of SNORT - 1 Functions of preprocessor normalize traffic to ensure data packet can be watch by Snort provide self-defense against attacks that may confuse or overwhelm an NIDS sensor extend Snort’s ability to detect network anomalies (enhance the rule sets) Preprocessor of SNORT - 2:  Preprocessor of SNORT - 2 Examples of preprocessor flow - watches all traffic and keeps track of connections between machines. When a new unique flow is detected, the information is hashed and stored in a memory-resident table frag2 - allow data fragment to be reassembled so that snort can see a 'big picture' examples preprocessor flow: stats_interval 0 hash 2 perprocessor frag other preprocessors: stream4, stream4_reassemble, HTTP_inspect, rpc_decode, bo, telnet decode, flow-portscan, arpspoof, perfmonitor Typical Rules in SNORT:  Typical Rules in SNORT Rule header action field: alert, log or pass protocol field: ip, tcp, udp, icmp rule field : src ip, src port, direction, dest ip, dest, port e.g. alert tcp [64.147.128.0/19] 21:23 -andgt; $HOME_NET any e.g. log tcp $EXTERNAL_NET any -andgt; $ $HOME_NET any (msg: 'SCAN SYN FIN', flags:SF; reference: arachnids, 198; classtype: attempted-recod; sid:624; rev:1;) msg option : specify the type of attack flags option: look for field of packet header (e.g. Syn, Fin) reference: indicate where information can be found class type option: category of attack sid type option: signature ID rev type option: rule revision number simplest rule alert tcp any any -andgt; any any Pre-defined rules:  Pre-defined rules Snort come with a wide variety of rules Here are some examples attack-responses.rules backdoor.rules : detect traffic generated by backdoor connections such as netbus dos.rules: detects traffic generated by known dos attacks, such as IGMP and teardrop attack ddos.rules: alerts on traffic generated by well-down attacks such as trin00 and shaft. It can be noisy as it look for specific words in payload dns.rules: alerts on attacks against DNS servers Components of a Typical SNORT System - 1:  Components of a Typical SNORT System - 1 Snort sensors (the most important!!) installed at strategic network locations internal network, DMZ, and external network (sometimes) snort only alert in log file use tail -f to watch the log file, not very interactive ACID : Analysis Console for Intrusion Databases project developed by Roman Danyliw at US CERT coordination center PHP based web application act as the front end of help to manage the alerts generated by multiple IDS sensors generate trend, search based upon time, address, alert type, priority, classification and sensor Components of a Typical SNORT System - 2:  Components of a Typical SNORT System - 2 MySQL: database server to store alerts and ready for analysis and inspection Web Server: for hosting ACID web-based console that usually connected to a database Web Browser: for user interface Remote admin software to update sensor rules (optional) Components of a Typical SNORT System - 3:  Components of a Typical SNORT System - 3 IPS: Intrusion Prevention System:  IPS: Intrusion Prevention System A new class of security tool place more focus on prevention Concepts andamp; prevention strategies host-based memory and process protection kill process that appears malicious, or when it try to execute a buffer overflow (e.g. anti-spyware) session interception terminate a TCP session by sending RST packet to tear down connection, also known as session sniping gateway intrusion detection modify ACL to block hostile traffic automatically e.g. SnortSAM Honeypot - 1:  Honeypot - 1 Honeypot is a tool used commonly for network security for computer crime forensic it is a decoy IDS, part of the company resource waiting to be probed, attacked, or compromised. it can be a decoy service, decoy host (I.e Honeypot) or decoy network (Honeynet) They don't fix a single problem, instead they can help in prevention, detection, or information gathering. Honeypot - 2:  Honeypot - 2 Honeypots are closely monitored network decoys serving several purposes: distract hackers from more valuable machines on a network provide early warning about new attack and exploitation trends allow in-depth examination of adversaries during and after exploitation of a honeypot. Honeypot should be highly secure and isolated by the rest of the network. Summary - 1:  Summary - 1 Firewall modern FW: packet filter, proxy, NAT, VPN packet-filter firewall: filters at the network or transport layer stateless inspection (static packet filter) stateful inspection (dynamic packet filter) proxy firewall: filters at the application layer (many rules can be applied) usually work with proxy servers to provide large hard-disk storage for content cache. Summary - 2:  Summary - 2 NAT solve the problem of IP address limitation provide load balance and redundancy Four modes: Dynamic Translation (IP Masquerade), Static Translation (Port Forwarding), Loading Balancing Translation and Network Redundancy Translation IDS active detection to monitor the network status three methods: signature, statistical and integrity four types: network, host, applications and integrity

Add a comment

Related presentations

Related pages

Firewall – Wikipedia

Externe Firewalls sind dem zu schützenden Computer bzw. ... (Port) und ggf. 5 ... Der Unterschied ist, dass ein IDS den Angriff nur erkennt (Detection ...
Read more

Difference between IDS and IPS and Firewall - Information ...

Difference between IDS and IPS and Firewall. ... – Terry Chia Nov 5 '13 at 0:48. ... Browse other questions tagged firewalls ids or ask your own question.
Read more

Network Design: Firewall, IDS/IPS - InfoSec Resources

Network Design: Firewall, IDS/IPS. Posted in Application Security on April 10, 2013 ... This article provided an in-depth overview of firewalls and IDS, ...
Read more

What is the Difference between a Firewall and IDS?

What is the difference between a firewall and IDS? ... To understand the difference between firewalls and IDS, ... slide 5 of 7. What is an ...
Read more

What is the difference between IPS, IDS and a firewall ...

Firewalls often have an optional IDS/IPS component based on their usually being placed at the optimal network location to see all ... 3.5 (2 ratings)
Read more

NextGen UTM-Firewalls für aktiven Netzwerkschutz

Komplette all-inclusive UTM-Firewalls. ... IDS, Authentisierung etc.) sorgen für einen durchgängig sicheren Netzwerkbetrieb. ... 1 bis 5 Jahre buchbar .
Read more

Comparison of Firewall and Intrusion Detection System

Comparison of Firewall and Intrusion Detection ... of firewalls and IDS are required for providing security to ... Vol. 5 (1) , 2014, 674-678 www ...
Read more

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection 1 Firewalls • A firewall is an integrated collection of security measures designed to prevent ...
Read more

Firewalls Test - testberichte.de

Im Test: 206 Firewalls in 164 Testberichten von Stiftung Warentest und anderen Magazinen. Die besten Firewalls bei Testberichte.de
Read more