Net Sec U11 - Intrusion Detection Systems (IDS)

Mind Map by Nick.Bell2013, created over 6 years ago

Mind Map on Net Sec U11 - Intrusion Detection Systems (IDS), created by Nick.Bell2013 on 05/01/2013.

Net Sec U11 - Intrusion Detection Systems (IDS)
1 Why IDS?
1.1 Perimeter security devices (firewalls etc.) only block attacks from outside, and only those they are configured to block
1.1.1 why perimeter defences fail
1.1.1.1 firewall badly configured
1.1.1.2 attack too new (no rule or signature for it yet)
1.1.1.3 password sniffed (valid credentials walk straight through)
1.1.2 once an attack is past the perimeter, these devices
1.1.2.1 don't detect it
1.1.2.2 don't react to it
1.2 insider threats (already past the perimeter)
1.2.1 can elevate privileges
1.2.2 find it easier to map & exploit weak points
2 Ad Hoc
2.1 Unix - CERT intruder detection checklist
2.1.1 1. check logs for connections from unusual locations or at unusual times
2.1.2 2. look for other signs of "hacker activity" (e.g. unexpected setuid/setgid files)
2.1.3 3. verify system binaries have not been altered (compare checksums against known-good copies)
2.1.4 4. check for network sniffers (interfaces in promiscuous mode)
2.1.5 5. check files run by 'cron' & 'at'
2.1.6 6. check system files (e.g. the inetd config) for unauthorised services
2.1.7 7. check the "/etc/passwd" file for new accounts and extra UID-0 entries
2.1.8 8. check system & network config files for unauthorised entries
2.1.9 9. check everywhere for hidden files & directories (e.g. names like "..." or ". ")
2.2 manual ad hoc checking not recommended (slow, inconsistent, only after the fact)
2.3 automated systems preferred
2.3.1 monitor multiple hosts
2.3.2 report & react
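Three of the checklist items above (the passwd audit, the cron audit and the hunt for hidden files) scripted in Python, as an added example that is not part of the original mind map. The passwd file, crontab and directory tree are constructed samples so the script runs offline; on a real host you would read /etc/passwd, the crontabs and the filesystem directly.

```python
"""Added example: a scripted version of several CERT-checklist items (passwd
audit, cron audit, hidden files). Not from the original mind map. Inputs are
constructed samples so it runs offline; on a real host read /etc/passwd, the
crontabs and the filesystem instead."""
import os
import re
import tempfile

# Constructed /etc/passwd: a second UID-0 account ("toor") has been added.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0:backup operator:/tmp:/bin/sh
"""

# Constructed root crontab: one entry runs a script out of a hidden /tmp dir.
SAMPLE_CRONTAB = """0 2 * * * /usr/local/bin/backup.sh
*/5 * * * * /tmp/.x/update.sh
17 * * * * /usr/sbin/logrotate /etc/logrotate.conf
"""

# Commands living in world-writable scratch areas are a classic persistence sign.
TEMP_DIR_CMD = re.compile(r"(^|\s)/(tmp|var/tmp|dev/shm)/")


def extra_root_accounts(passwd_text):
    """Checklist item 7: every UID-0 account that is not 'root'."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            hits.append(fields[0])
    return hits


def suspicious_cron_entries(crontab_text):
    """Checklist item 5: crontab lines whose command lives under /tmp, /var/tmp or /dev/shm."""
    return [l for l in crontab_text.splitlines() if TEMP_DIR_CMD.search(l)]


# "...", ". " and "..  " look like the ordinary . and .. entries in an ls listing.
DISGUISED = re.compile(r"^\.{3,}$|^\.\.?\s+$")


def hidden_entries(root):
    """Checklist item 9: every dot-prefixed file or directory under root.
    Returns (relative path, disguised) pairs; 'disguised' marks names built
    only from dots and spaces, which hide in a casual 'ls -a' listing."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if name.startswith("."):
                rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
                found.append((rel, bool(DISGUISED.match(name))))
    return sorted(found)


def build_sample_tree():
    """Constructed filesystem: a normal dotfile plus a '...' directory holding a dropped archive."""
    root = tempfile.mkdtemp(prefix="cert_demo_")
    os.makedirs(os.path.join(root, "home", "alice"))
    open(os.path.join(root, "home", "alice", ".bashrc"), "w").close()
    os.makedirs(os.path.join(root, "tmp", "..."))
    open(os.path.join(root, "tmp", "...", "rootkit.tgz"), "w").close()
    return root


if __name__ == "__main__":
    print("extra UID-0 accounts:", extra_root_accounts(SAMPLE_PASSWD))
    print("suspicious cron entries:", suspicious_cron_entries(SAMPLE_CRONTAB))
    for rel, disguised in hidden_entries(build_sample_tree()):
        print(("DISGUISED " if disguised else "hidden    ") + rel)
```

Each check is deliberately dumb and fast, which is exactly why the checklist is only a starting point: a UID-0 account named something plausible, a cron job under /usr/local, or a hidden directory with an innocuous name would all slip past it, which is the case for the automated systems in 2.3.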
3 Knowledge-based aka Misuse detection
3.1 attack signatures derived from
3.1.1 security policy
3.1.2 known vulnerabilities
3.1.3 known attacks
3.2 limits
3.2.1 new/unknown vulnerabilities go undetected (no signature yet)
3.2.2 large signature database to maintain
3.2.3 time lag between a new attack appearing and its signature shipping
4 Behaviour-based aka Statistical Anomaly Detection
4.1 baseline of normal statistical behaviour
4.1.1 gather new data & compare to baseline
4.1.2 deviation exceeds threshold = alarm
4.2 false positives and false negatives (threshold trade-off)
4.3 no signature database to maintain; can flag novel attacks
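To make the contrast between sections 3 and 4 concrete, the following added example (not part of the original mind map) runs one constructed stream of sshd-style events through both a signature detector and a mean-plus-k-sigma threshold detector. The signature database, the training counts and the event messages are all made up for the demo; the point is that the signature detector only fires on what it already knows, while the statistical detector catches the unknown password-guessing burst but also raises a false positive on a legitimate batch job.

```python
"""Added example (not from the original mind map): the same constructed
event stream run through a knowledge-based (signature) detector and a
behaviour-based (statistical threshold) detector, to show what each one
catches and misses. Event times are seconds; messages mimic sshd syslog."""
import re
import statistics
from collections import Counter

# --- Knowledge-based: a tiny signature database ---------------------------
SIGNATURES = [
    ("root_password_guess", re.compile(r"Failed password for root ")),
    ("phf_cgi_probe", re.compile(r"GET /cgi-bin/phf")),
]


def misuse_detect(events):
    """Return (time, signature name) for every event matching a known pattern."""
    hits = []
    for t, msg in events:
        for name, rx in SIGNATURES:
            if rx.search(msg):
                hits.append((t, name))
    return hits


# --- Behaviour-based: baseline + threshold --------------------------------
def baseline_threshold(training_counts, k=3.0):
    """Mean and population std-dev of events per minute during normal
    operation; alarm when a window exceeds mean + k*stddev."""
    mu = statistics.mean(training_counts)
    sigma = statistics.pstdev(training_counts)
    return mu + k * sigma


def events_per_minute(events):
    """Bucket events into one-minute windows (t // 60) and count them."""
    return Counter(t // 60 for t, _ in events)


def anomaly_detect(events, threshold):
    """Return (minute, count) for windows whose count exceeds the threshold."""
    counts = events_per_minute(events)
    return sorted((m, c) for m, c in counts.items() if c > threshold)


# Constructed normal traffic: events per minute over ten quiet minutes.
TRAINING_COUNTS = [2, 3, 2, 4, 3, 2, 3, 2, 3, 3]


def make_events():
    """Constructed observation window (four minutes)."""
    ev = [(i * 15, "Accepted password for alice from 192.0.2.10") for i in range(3)]
    # minute 1: password guessing against alice from a new tool; no signature for it
    ev += [(60 + i * 3, "Failed password for alice from 203.0.113.9") for i in range(20)]
    # minute 2: a single root guess; matches a signature but is not statistically odd
    ev.append((125, "Failed password for root from 198.51.100.7"))
    # minute 3: a legitimate batch job opening eight sessions in a burst
    ev += [(180 + i * 7, "session opened for user alice by (uid=0)") for i in range(8)]
    return ev


if __name__ == "__main__":
    events = make_events()
    threshold = baseline_threshold(TRAINING_COUNTS)
    print("signature hits:", misuse_detect(events))
    print(f"threshold {threshold:.2f}; anomalous minutes:", anomaly_detect(events, threshold))
```

With k = 3 the threshold lands at about 4.6 events per minute, so minute 1 (20 failed logins, no signature) and minute 3 (8 legitimate session opens) both alarm, while the single root guess in minute 2 is found only by the signature detector. Raising k removes the false positive in minute 3; lowering it would eventually catch minute 2 as well but at the cost of more noise, which is the trade-off in 4.2.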
5 Architecture
5.1 distributed set of sensors
5.2 centralised console
5.2.1 manage, analyse, report & react
5.3 protected (authenticated & encrypted) communication between sensors & console
5.4 authenticated signature updates from vendor
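The following added example (not from the original mind map) shows the protected sensor-to-console channel from 5.3 at the message level: each report carries an HMAC-SHA256 tag under a per-sensor pre-shared key and a strictly increasing sequence number, so the console drops reports that were altered in transit and reports that are replayed. The sensor names, keys and alerts are constructed for the demo; encryption of the channel (which this example does not do) would be layered on top, e.g. with TLS.

```python
"""Added example (not from the original mind map): the sensor-to-console
channel in the architecture above, protected with a per-sensor pre-shared key
(HMAC-SHA256) and a sequence number, so the console rejects both tampered and
replayed sensor reports. Keys and alerts are constructed for the demo."""
import hashlib
import hmac
import json

# Assumption: each sensor was provisioned with its own secret key out of band.
SENSOR_KEYS = {"nids-dmz-1": b"constructed-demo-key-1", "hids-web1": b"constructed-demo-key-2"}


def sensor_report(key, sensor_id, seq, alert):
    """Sensor side: serialise deterministically and attach an HMAC tag."""
    body = json.dumps({"sensor": sensor_id, "seq": seq, "alert": alert}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag


class Console:
    """Console side: verify the tag, then enforce strictly increasing sequence numbers."""

    def __init__(self, keys):
        self.keys = keys
        self.last_seq = {}
        self.accepted = []

    def receive(self, body, tag):
        try:
            msg = json.loads(body)
        except ValueError:
            return "reject: malformed"
        key = self.keys.get(msg.get("sensor"))
        if key is None:
            return "reject: unknown sensor"
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):  # constant-time comparison
            return "reject: bad tag"
        if msg["seq"] <= self.last_seq.get(msg["sensor"], 0):
            return "reject: replay"
        self.last_seq[msg["sensor"]] = msg["seq"]
        self.accepted.append(msg["alert"])
        return "accept"


def run_scenario():
    """Constructed exchange: genuine report, tampered copy, replay, next report."""
    console = Console(SENSOR_KEYS)
    key = SENSOR_KEYS["nids-dmz-1"]
    body1, tag1 = sensor_report(key, "nids-dmz-1", 1, {"sig": "phf_cgi_cmd_exec", "severity": "high"})
    results = [console.receive(body1, tag1)]
    # Attacker on the path downgrades the severity but cannot recompute the tag.
    tampered = body1.replace(b'"severity": "high"', b'"severity": "low"')
    results.append(console.receive(tampered, tag1))
    # Attacker replays the original, valid message to re-trigger a response.
    results.append(console.receive(body1, tag1))
    body2, tag2 = sensor_report(key, "nids-dmz-1", 2, {"sig": "x86_nop_sled", "severity": "high"})
    results.append(console.receive(body2, tag2))
    return results


if __name__ == "__main__":
    for r in run_scenario():
        print(r)
```

The same verify-before-trust rule applies to the vendor signature updates in 5.4, with one difference: updates are verified by many installations, so the vendor signs them with a public-key signature rather than a shared secret, and no installation ever holds the signing key.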
6 NIDS
6.1 data source = network packets
6.2 network adaptor in promiscuous mode (captures all traffic on the segment)
6.3 attack recognition module
6.3.1 pattern/byte-sequence matching
6.3.2 frequency/threshold crossing
6.3.3 correlation of lesser events
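An added example (not from the original mind map) of the three recognition techniques in 6.3 working together over a constructed packet capture: byte-sequence matching on payloads, a threshold on distinct ports probed by one source within a time window, and correlation that escalates a pattern hit when the same source was seen scanning earlier. The packet records, addresses and signatures (the phf CGI probe is a well-known 1990s example) are constructed for the demo.

```python
"""Added example (not from the original mind map): a toy NIDS attack
recognition module over constructed packet records, implementing the three
techniques listed above: byte-pattern matching, threshold crossing (port
scan) and correlation of lesser events into one higher-severity alert."""
from collections import defaultdict, namedtuple

Packet = namedtuple("Packet", "t src dst dport flags payload")

# Constructed capture: a scanner sweeps ports, returns with an exploit request;
# a normal client fetches a page; a third host sends the exploit request cold.
PACKETS = (
    [Packet(1.0 + i * 0.3, "203.0.113.5", "192.0.2.10", 20 + i, "S", b"") for i in range(12)]
    + [Packet(2.0, "198.51.100.20", "192.0.2.10", 80, "PA", b"GET /index.html HTTP/1.1\r\n"),
       Packet(9.0, "203.0.113.5", "192.0.2.10", 80, "PA",
              b"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0\r\n"),
       Packet(10.0, "198.51.100.77", "192.0.2.10", 80, "PA",
              b"GET /cgi-bin/phf?Qalias=x%0a/bin/id HTTP/1.0\r\n")]
)

# Byte-sequence signatures for 6.3.1.
BYTE_SIGNATURES = [
    ("phf_cgi_cmd_exec", b"/cgi-bin/phf?Qalias=x%0a"),
    ("x86_nop_sled", b"\x90" * 32),
]


def pattern_matches(packets):
    """6.3.1: (t, src, signature) for every payload containing a known byte sequence."""
    return [(p.t, p.src, name) for p in packets for name, sig in BYTE_SIGNATURES if sig in p.payload]


def scan_sources(packets, window=5.0, min_ports=10):
    """6.3.2: sources that SYN to >= min_ports distinct ports within `window` seconds.
    Returns {src: time the threshold was first crossed}."""
    syns = defaultdict(list)
    for p in packets:
        if p.flags == "S":
            syns[p.src].append((p.t, p.dport))
    crossed = {}
    for src, probes in syns.items():
        probes.sort()
        for i, (t0, _) in enumerate(probes):
            ports = {dp for t, dp in probes[i:] if t <= t0 + window}
            if len(ports) >= min_ports:
                crossed[src] = t0
                break
    return crossed


def correlate(packets):
    """6.3.3: a pattern hit from a source that scanned us earlier is escalated;
    the same hit from a source with no prior scan stays medium."""
    scans = scan_sources(packets)
    alerts = []
    for t, src, name in pattern_matches(packets):
        prior_scan = src in scans and scans[src] <= t
        alerts.append((t, src, name, "high" if prior_scan else "medium"))
    return alerts


if __name__ == "__main__":
    for alert in correlate(PACKETS):
        print(alert)
```

Neither the scan alone (a lesser event, often noise) nor the single malformed request alone tells the analyst much; the correlation step is what turns the two into one high-priority alert with a clear story, which is the argument for the centralised console in section 5.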
6.4 deployment
6.4.1 either side of the firewall
6.4.1.1 outside: sees every attempt
6.4.1.2 inside: sees what got through
6.4.2 between business units
6.4.3 behind remote access server
6.4.4 between Corp. & Partner networks
6.5 Strengths
6.5.1 cheap
6.5.1.1 fewer detection points cover many hosts
6.5.2 catches attacks HIDS misses
6.5.3 harder for the attacker to hide evidence (sensor is off-host)
6.5.4 real-time detection & response
6.5.5 OS independent
6.5.6 detects unsuccessful attacks/malicious intent
6.6 Weaknesses
6.6.1 placement critical
6.6.1.1 switched networks: needs a SPAN/mirror port or tap to see the traffic
6.6.2 partial matching / dropped packets
6.6.2.1 on loaded or high-speed networks
6.6.3 indecipherable (encrypted) packets
6.6.4 packet spoofing
6.6.5 fragmentation attacks (evasion)
6.6.6 DoS against the sensor itself
7 HIDS
7.1 monitors system/application/security event logs on NT & syslog on Unix
7.1.1 checks key system files & executables via checksums
7.2 regular expressions over log entries
7.3 port activity
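The two host-side mechanisms in 7.1 and 7.2, as an added example that is not part of the original mind map: a SHA-256 baseline of key files that then detects a swapped binary, and regular expressions over syslog lines that count failed logins per source and report whether a successful login from that source followed (the attack success/failure verification of 7.5.2). The file tree and syslog excerpt are constructed; on a real host the baseline would be taken from a known-clean image and stored off-box.

```python
"""Added example (not from the original mind map): the two HIDS mechanisms
above on constructed data: (1) checksum baseline of key files, then detect a
swapped binary; (2) regular expressions over syslog lines to count failed
logins per source and tell whether the attack then succeeded."""
import hashlib
import os
import re
import tempfile
from collections import defaultdict

KEY_FILES = ["bin/ls", "bin/ps", "etc/passwd"]


def build_host():
    """Constructed host tree standing in for /bin and /etc."""
    root = tempfile.mkdtemp(prefix="hids_demo_")
    contents = {"bin/ls": b"\x7fELF ls v1", "bin/ps": b"\x7fELF ps v1",
                "etc/passwd": b"root:x:0:0::/root:/bin/sh\n"}
    for rel, data in contents.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


def snapshot(root, rel_paths=KEY_FILES):
    """SHA-256 of each key file; missing files map to None."""
    digests = {}
    for rel in rel_paths:
        path = os.path.join(root, rel)
        if os.path.exists(path):
            with open(path, "rb") as f:
                digests[rel] = hashlib.sha256(f.read()).hexdigest()
        else:
            digests[rel] = None
    return digests


def compare(baseline, current):
    """Files whose digest differs from the trusted baseline."""
    return sorted(rel for rel in baseline if baseline[rel] != current.get(rel))


def replace_ps(root):
    """Simulate a rootkit swapping /bin/ps for a version that hides processes."""
    with open(os.path.join(root, "bin", "ps"), "wb") as f:
        f.write(b"\x7fELF ps trojaned")


def tamper_demo():
    """Baseline a clean host, swap ps, return (report before, report after)."""
    host = build_host()
    trusted = snapshot(host)
    before = compare(trusted, snapshot(host))
    replace_ps(host)
    return before, compare(trusted, snapshot(host))


# Constructed syslog excerpt (sshd on Unix).
SAMPLE_SYSLOG = """May  1 03:11:02 web1 sshd[4120]: Failed password for alice from 203.0.113.9 port 51022 ssh2
May  1 03:11:05 web1 sshd[4120]: Failed password for alice from 203.0.113.9 port 51022 ssh2
May  1 03:11:09 web1 sshd[4121]: Failed password for alice from 203.0.113.9 port 51030 ssh2
May  1 03:11:12 web1 sshd[4121]: Failed password for alice from 203.0.113.9 port 51030 ssh2
May  1 03:11:15 web1 sshd[4122]: Failed password for alice from 203.0.113.9 port 51041 ssh2
May  1 03:11:40 web1 sshd[4123]: Accepted password for alice from 203.0.113.9 port 51052 ssh2
May  1 03:12:01 web1 sshd[4130]: Failed password for bob from 198.51.100.7 port 40011 ssh2
May  1 03:12:30 web1 sshd[4131]: Accepted publickey for carol from 192.0.2.44 port 50122 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port")


def login_attacks(log_text, min_failures=3):
    """Per source with >= min_failures failed logins: (failures, succeeded afterwards)."""
    failures = defaultdict(int)
    succeeded = defaultdict(bool)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m and failures[m.group(2)] > 0:
            succeeded[m.group(2)] = True
    return {src: (n, succeeded[src]) for src, n in failures.items() if n >= min_failures}


if __name__ == "__main__":
    print("modified key files (before, after):", tamper_demo())
    print("password-guessing sources:", login_attacks(SAMPLE_SYSLOG))
```

A NIDS watching the same session would see only encrypted SSH traffic and could at best count connections; the host agent sees the authentication result in the log and the replaced binary on disk, which is the strength listed under 7.5.5 and 7.5.2 respectively.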
7.4 deployment
7.4.1 key servers
7.4.1.1 sensitive info
7.4.1.1.1 "mission critical"
7.4.2 servers
7.4.2.1 Web
7.4.2.2 FTP/DNS
7.4.2.3 E-commerce
7.5 Strengths
7.5.1 catches attacks NIDS misses
7.5.2 verifies attack success/failure
7.5.3 monitors specific activities
7.5.4 needs little/no extra hardware
7.5.5 works in encrypted & switched environments (sees data on the host, after decryption)
7.6 Weaknesses
7.6.1 placement critical
7.6.2 only indirect information about network activity
7.6.2.1 the attacker's fingerprints on the host, not the traffic itself
7.6.3 full coverage hard (agent on every host)
7.6.4 detection = too late? (attack has already reached the host)
8 The Future
8.1 integrated approach
8.1.1 NIDS + HIDS
8.2 better tools
8.2.1 reporting
8.2.2 management
8.2.3 visualisation
8.3 event correlation
8.4 Statistical Anomaly Detection
8.5 Intrusion Prevention Systems (IPS)?
