Principles of Computer Security
Principles of Computer Security: CompTIA Security+® and Beyond, Third Edition
Chapter 13: Intrusion Detection Systems and Network Security
© 2012
Objectives
• Apply the appropriate network tools to facilitate network security.
• Determine the appropriate use of tools to facilitate network security.
• Apply host-based security applications.
Key Terms
• Access control lists (ACLs)
• Antispam
• Antivirus
• Content-based signature
• Context-based signature
• False negative
• False positive
• Firewall
• Heuristic scanning
• Honeypot
• Host-based IDS (HIDS)
• Internet content filter
• Intrusion detection system (IDS)
Network Security: A Layered Approach
• As the need for security increases, layers of security should be added.
– Layers could include passwords, firewalls, access lists, file permissions, and intrusion detection systems.
• Intrusion detection systems are one of the more complex layers.
– An IDS detects inappropriate or malicious activity on a computer or network.
History of Intrusion Detection Systems
• Stalker (host-based) released in 1989.
• Mid-1990s: IDS gain popularity commercially.
• WheelGroup develops the first network-based IDS under the name NetRanger.
• Internet Security Systems’ RealSecure released in 1996.
• By 1998 IDS was considered a vital part of network security.
History of the Internet and IDS
IDS Components
• Traffic collector / sensor
• Analysis engine
• Signature database
• User interface and reporting
IDS Components (continued)
Types of IDS
• Host-based IDS (HIDS)
• Network-based IDS (NIDS)
• Distinguished by detection method:
– Signature-based IDS: relies heavily on a predefined set of attack and traffic patterns called signatures.
– Anomaly-based (heuristic) IDS: monitors activity and attempts to classify it as either “normal” or “anomalous.”
Network IDS Components
• Advantages of NIDS
– Providing IDS coverage requires fewer systems.
– Deployment, maintenance, and upgrade costs are usually lower.
– A NIDS has visibility into all network traffic and can correlate attacks among multiple systems.
• Disadvantages of NIDS
– It is ineffective when traffic is encrypted.
– It can’t see traffic that does not cross it.
– It must be able to handle high volumes of traffic.
– It doesn’t know about activity on the hosts themselves.
Active vs. Passive NIDS
• Passive NIDS
– Generates an alarm when it matches a pattern and does not interact with the traffic in any way.
• Active NIDS
– Reactive response to an attack, such as a TCP reset.
• TCP reset
– The most common defensive ability for an active NIDS.
– The reset message (RST) tells both sides of the connection to drop the session and stop communicating immediately.
Signatures
• Content-based signatures
– Matching characters or strings
– Generally the simplest types
– Easy to build and look for simple things, such as a certain string of characters or a certain flag set in a TCP packet
• Context-based signatures (heuristics)
– Matching patterns of activity
– Generally more complex
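The two signature types side by side, as an added example that is not part of the slides or the textbook: a content-based signature inspects a single packet (a byte string in the payload, a required TCP flag set), while a context-based signature has to keep state across packets, here counting distinct destination ports per source inside a time window. The packet records, the marker string and the thresholds are all constructed for the demo.

```python
"""Added example (not from the slides): a toy signature engine that contrasts
content-based signatures, which inspect one packet's bytes or TCP flags, with
context-based signatures, which keep state across packets and match a pattern
of activity. Packet records and signatures below are constructed for the demo."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class ContentSignature:
    """Content-based: a fixed byte string and/or a required set of TCP flags."""
    name: str
    payload_substring: bytes = b""
    required_flags: frozenset = frozenset()

    def matches(self, pkt) -> bool:
        flags_ok = self.required_flags <= pkt["flags"]
        payload_ok = (not self.payload_substring
                      or self.payload_substring in pkt["payload"])
        return flags_ok and payload_ok


@dataclass
class ContextSignature:
    """Context-based: fires when one source touches at least `distinct_ports`
    different destination ports inside `window_seconds` (a sweep pattern that
    no single packet reveals)."""
    name: str
    distinct_ports: int
    window_seconds: float
    history: dict = field(default_factory=lambda: defaultdict(list))

    def matches(self, pkt) -> bool:
        seen = self.history[pkt["src"]]
        seen.append((pkt["ts"], pkt["dport"]))
        cutoff = pkt["ts"] - self.window_seconds
        recent_ports = {port for ts, port in seen if ts >= cutoff}
        return len(recent_ports) >= self.distinct_ports


def run_engine(packets, signatures):
    """Analysis engine: apply every signature to every packet in order and
    return (packet_index, signature_name) alerts."""
    alerts = []
    for index, pkt in enumerate(packets):
        for sig in signatures:
            if sig.matches(pkt):
                alerts.append((index, sig.name))
    return alerts


def make_packet(ts, src, dport, flags, payload=b""):
    # Minimal decoded-packet record, as a sensor might hand it to the engine.
    return {"ts": ts, "src": src, "dst": "10.0.0.80", "dport": dport,
            "flags": frozenset(flags), "payload": payload}


# Constructed traffic: ordinary HTTP, a request carrying a marker string,
# a packet with an impossible SYN+FIN flag combination, then five SYNs from
# one host to five different ports within two seconds.
SAMPLE_PACKETS = [
    make_packet(0.0, "10.0.0.5", 80, {"ACK", "PSH"}, b"GET / HTTP/1.1\r\n"),
    make_packet(0.1, "10.0.0.5", 80, {"ACK", "PSH"}, b"GET /x?q=SAMPLE-MALICIOUS-MARKER"),
    make_packet(0.2, "10.0.0.9", 22, {"SYN", "FIN"}),
] + [make_packet(1.0 + 0.1 * k, "10.0.0.7", 20 + k, {"SYN"}) for k in range(5)]


def analyze_sample():
    """Build fresh signatures (context signatures carry state) and run them."""
    signatures = [
        ContentSignature("marker-string", payload_substring=b"SAMPLE-MALICIOUS-MARKER"),
        ContentSignature("syn-fin-flags", required_flags=frozenset({"SYN", "FIN"})),
        ContextSignature("port-sweep", distinct_ports=5, window_seconds=2.0),
    ]
    return run_engine(SAMPLE_PACKETS, signatures)


if __name__ == "__main__":
    for index, name in analyze_sample():
        print(f"packet {index}: {name}")
```

Note where the alerts land: the two content signatures fire on the single packet that carries the string or the flag combination, but the sweep signature only fires on the fifth SYN, because no earlier packet alone is anomalous. That is also why context-based detection is costlier: the engine must hold per-source state and a time window, and the thresholds chosen decide the false-positive and false-negative rates.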
Firewalls
• A network device—hardware, software, or a combination thereof
• Determines what traffic should be allowed or denied to pass in or out of a network
How Firewalls Work
• Firewall mechanisms
– Network Address Translation (NAT)
– Basic packet filtering (header information)
– Stateful inspection (header and contents) (p. 335)
– Access control lists (ACLs)
• Rules applied to ports and IP addresses
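Basic packet filtering and stateful inspection in working form, as an added example that is not from the slides or the textbook: an ACL of rules on protocol, source and destination address and destination port is evaluated first-match with an explicit default deny, and a stateful layer on top remembers outbound flows so that their return packets are admitted without an inbound rule. NAT is not modelled; the addresses, ports and rules are constructed for the demo.

```python
"""Added example (not from the slides): a toy firewall showing an ACL of rules
applied to ports and IP addresses (basic packet filtering on header fields)
beside a stateful inspection layer that admits inbound packets only when they
belong to a connection the filter already allowed outbound. NAT is not
modelled. Addresses and rules are constructed for the demo."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    proto: str                      # "tcp", "udp", or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None     # None matches any destination port

    def matches(self, pkt) -> bool:
        return ((self.proto == "any" or self.proto == pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in self.src
                and ipaddress.ip_address(pkt["dst"]) in self.dst
                and (self.dport is None or self.dport == pkt["dport"]))


def packet_filter(acl, pkt) -> str:
    """Stateless packet filter: first matching rule wins, no match means deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


class StatefulFirewall:
    """Stateful inspection: remembers outbound flows the ACL allowed and lets
    their return packets in, even though no inbound rule names them."""

    def __init__(self, acl):
        self.acl = acl
        self.flows = set()   # (proto, inside_ip, inside_port, outside_ip, outside_port)

    def handle(self, pkt, direction) -> str:
        if direction == "in":
            key = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
            if key in self.flows:
                return "allow"            # reply to a connection we opened
        verdict = packet_filter(self.acl, pkt)
        if direction == "out" and verdict == "allow":
            self.flows.add((pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
        return verdict


INSIDE = ipaddress.ip_network("192.168.1.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
MAIL_SERVER = ipaddress.ip_network("192.168.1.10/32")

# Constructed ACL: inside hosts may open HTTPS to anywhere, anyone may reach the
# mail server on port 25, everything else is explicitly denied.
ACL = [
    Rule("allow", "tcp", INSIDE, ANY, 443),
    Rule("allow", "tcp", ANY, MAIL_SERVER, 25),
    Rule("deny", "any", ANY, ANY),
]


def run_scenario():
    """Push a few constructed packets through both filters and collect verdicts."""
    fw = StatefulFirewall(ACL)
    outbound = {"proto": "tcp", "src": "192.168.1.20", "sport": 51000,
                "dst": "203.0.113.8", "dport": 443}
    reply = {"proto": "tcp", "src": "203.0.113.8", "sport": 443,
             "dst": "192.168.1.20", "dport": 51000}
    unsolicited = {"proto": "tcp", "src": "203.0.113.8", "sport": 443,
                   "dst": "192.168.1.21", "dport": 51000}
    inbound_smtp = {"proto": "tcp", "src": "198.51.100.4", "sport": 40000,
                    "dst": "192.168.1.10", "dport": 25}
    return {
        "outbound_https": fw.handle(outbound, "out"),
        "reply_stateful": fw.handle(reply, "in"),
        "reply_stateless": packet_filter(ACL, reply),
        "unsolicited_inbound": fw.handle(unsolicited, "in"),
        "inbound_smtp": fw.handle(inbound_smtp, "in"),
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:20s} {verdict}")
```

The contrast to watch is the HTTPS reply: the stateless filter denies it, because no rule admits inbound traffic to an ephemeral port, while the stateful firewall allows it because it saw the matching outbound packet. An inbound packet to a different inside host with the same ports is still denied, since it matches no recorded flow and no rule.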
Intrusion Prevention Systems
• In addition to IDS functions, an IPS has the capability of stopping or preventing a malicious attack.
• Some can inspect encrypted traffic (SSL traffic).
• Often rated by the amount of traffic that can be processed without dropping packets.
Internet Content Filters
• Used to:
– Filter undesirable content
– Filter malicious code such as browser hijacking attempts
• Challenges:
– Blacklists of websites are difficult to maintain
– Keyword filtering may generate false positives
– Determined users will attempt to bypass the system
• Barracuda case study
Honeypots and Honeynets
• A honeypot is a system or group of systems designed to attract an attacker’s attention.
– Allows the attacker’s methods to be observed without putting real systems at risk
– Activity is recorded for later analysis
– Affords information and additional security but requires significant cost and effort to maintain
• A honeynet is a group of honeypots.
Host-Based IDS (HIDS)
• Examines activity only on a specific host
– Examines logs, audit trails, and network traffic coming into or leaving the host
– Examination is done in real time or periodically
• Flags that may raise the alarm in a HIDS
– Login failures
– Logins at irregular hours
– Privilege escalation
– Additions of new user accounts
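The four HIDS flags listed above, implemented over a host's authentication log as an added example that is not from the slides or the textbook. The log lines are constructed in the shape of Linux sshd, sudo and useradd messages; the failure threshold (three failed logins from one source for one user) and the "regular hours" window (07:00 to 18:59) are assumptions chosen for the demo, not values the chapter gives.

```python
"""Added example (not from the slides): a minimal host-based analysis engine
that reads an authentication log and raises the four alarms the chapter lists:
login failures, logins at irregular hours, privilege escalation, and new user
accounts. The log text, threshold and hours window are constructed."""
import re
from collections import Counter

FAILURE_THRESHOLD = 3            # assumption: alert at the third failure
REGULAR_HOURS = range(7, 19)     # assumption: 07:00-18:59 counts as regular

# "Mon DD HH:MM:SS host rest..." -> capture the hour and the message body.
TS_RE = re.compile(r"^\w{3}\s+\d+ (\d\d):\d\d:\d\d \S+ (.*)$")
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPT_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+)")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*USER=(\S+) ; COMMAND=(.*)$")
USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=([^,]+)")

# Constructed sample log in the style of a Linux auth log.
SAMPLE_LOG = """\
Mar 10 09:12:01 host1 sshd[2001]: Accepted password for alice from 10.0.0.5 port 50120 ssh2
Mar 10 09:15:44 host1 sshd[2002]: Failed password for bob from 10.0.0.9 port 50131 ssh2
Mar 10 09:15:47 host1 sshd[2002]: Failed password for bob from 10.0.0.9 port 50131 ssh2
Mar 10 09:15:50 host1 sshd[2002]: Failed password for bob from 10.0.0.9 port 50131 ssh2
Mar 10 09:15:53 host1 sshd[2002]: Failed password for bob from 10.0.0.9 port 50131 ssh2
Mar 10 03:22:10 host1 sshd[2105]: Accepted publickey for carol from 10.0.0.12 port 50300 ssh2
Mar 10 03:23:02 host1 sudo:    carol : TTY=pts/1 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/id
Mar 10 03:25:40 host1 useradd[2150]: new user: name=svc_backup, UID=1005, GID=1005, home=/home/svc_backup, shell=/bin/bash
"""


def analyze_log(text):
    """Return a list of (flag, detail) alerts in log order."""
    alerts = []
    failures = Counter()            # (user, source) -> consecutive failure count
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue                # not a syslog-style line; ignore
        hour, rest = int(m.group(1)), m.group(2)
        if (f := FAIL_RE.search(rest)):
            key = (f.group(1), f.group(2))
            failures[key] += 1
            if failures[key] == FAILURE_THRESHOLD:      # alert once per burst
                alerts.append(("login-failures", f"{key[0]} from {key[1]}"))
        elif (a := ACCEPT_RE.search(rest)):
            if hour not in REGULAR_HOURS:
                alerts.append(("irregular-hour-login", f"{a.group(1)} at {hour:02d}:xx"))
        elif (s := SUDO_RE.search(rest)) and s.group(2) == "root":
            alerts.append(("privilege-escalation", f"{s.group(1)} -> root: {s.group(3)}"))
        elif (u := USERADD_RE.search(rest)):
            alerts.append(("new-account", u.group(1)))
    return alerts


if __name__ == "__main__":
    for flag, detail in analyze_log(SAMPLE_LOG):
        print(f"{flag:22s} {detail}")
```

Each rule here is a content match against a log line except the failure counter, which is a small piece of context: a single failed login is normal, a burst from one source is the flag. Tuning the threshold and the hours window is where a HIDS trades false positives (an administrator working late) against false negatives (a slow, spread-out series of failures).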
How HIDS Work
• The traffic collector aggregates information.
• The analysis engine reviews the data.
– May implement a decision tree to classify activities and make decisions
– A signature database may be used to match activities to predefined activity or patterns
• Users work with the HIDS through the user interface, which includes the visible components of the HIDS.
Antivirus Products
• Used to identify, neutralize, or remove malicious programs, macros, and files.
• Scanning approaches:
– Signature-based scanning
– Heuristic scanning
• Modern antivirus products have:
– Automated updates
– Automated scanning
– Media scanning
– Manual scanning
– E-mail scanning
– Resolution
Personal Software Firewalls
• Host-based protective mechanism that controls traffic going into and out of a single system.
• Various free and commercial firewall software is available.
• Example: ZoneAlarm
Pop-up Blockers and Windows Defender
• Pop-up blockers
– Attempt to prevent web pages from opening a new tab or window
• Windows Defender
– Designed to remove spyware and unwanted programs from your PC
– Includes spyware detection and removal, scheduled scanning, automatic updates, real-time protection, software explorer, and configurable responses
Chapter Summary
• Apply the appropriate network tools to facilitate network security.
• Determine the appropriate use of tools to facilitate network security.
• Apply host-based security applications.