Concepts and implementation of Intrusion Detection Systems

©2007 Marc-André Léger Champlain College Saint Lambert course 420-860-LA Semester: Winter 2007


Page 1: Concepts and implementation of Intrusion Detection Systems (leger.ca/pages/pdf/IDS-2007/IDS-420-862-LA-A07-Session1...)

Concepts and implementation of Intrusion Detection Systems

Page 2

Module 0

Introduction to the course and the material

Page 3

Please note

• These slides are produced as presentation material for a technical college course; all references, sources and bibliographical information are available in the commentaries section of the PowerPoint presentation and may not be visible to viewers of PDF versions.

• The course instructor has no pretensions to be the original author of any of the material.

Page 4

Who am I ?

Marc-André Léger

• DESS in Healthcare Informatics (U of Sherbrooke)
• MASc in Management Information Systems (UQAM)
• PhD candidate in Clinical Sciences at the University of Sherbrooke – Longueuil Campus (Risk Management in Healthcare)
• 25 years IT experience (Qc, NB, On, Penn. USA, France)
• 20 years security (DND, DOJ, Space, etc.)
• Started hacking at 14 y.o.

Page 5

How to contact me

• By email: [email protected]
• My website: www.leger.ca

Page 6

DESCRIPTION

• This course will examine common methods of intrusion on computer networks and the concepts involved in host and network-based intrusion detection systems. At the end of the course, students will be able to read and analyze log files as well as implement and monitor intrusion detection systems.

Page 7

COURSE OBJECTIVES

Upon successful completion of this course, a student will be able to:

• Identify common methods of intrusion on a network
• Monitor and log intrusion attempts on several operating systems and network components

Page 8

COURSE CONTENT

The content of this course will include the following items:

– methods of intrusion,
– goals of an IDS,
– examination of HIDS and NIDS,
– reading and analyzing intrusion logs, and
– configuration of an IDS.

Page 9

Sessions overview (No / Contents)

1: Introduction to the course and the material. Presentation: The basic concepts of intrusion detection, ISO 18043 and NIST guidelines. Introduction to the business case used in this course. Lab: finding IDS information on the internet

2: Presentation: IDS, IDS selection and IDS operation. In-class demo: Watchguard Xedge Firewall installation and configuration

3: Presentation: HIDS. In-class demo: Cisco 4215 IDS configuration. Assignment 1 given

4: Presentation: NIDS. Lab: HIDS installation on Windows and MacOS

Page 10

Sessions overview (No / Contents)

5: Presentation: SNORT. Lab: SNORT installation

6: Presentation: IPS. Lab: SNORT installation part 2

7: Presentation: Tools that complement an IDS. Lab: Installing NESSUS and performing a NVA

8: Presentation: Hacking and penetration testing. Lab: Watching a hack in progress on SNORT (using the data generated in the first lab of this session)

9: Mid-term exam. Assignment 1 DUE. Assignment 2 given. Lab: Watching a hack in progress on SNORT (using the data generated in the first lab of this session)

Page 11

Sessions overview (No / Contents)

10: Presentation: Wireless LANs IDS (WIDS) and securing WLANs. Lab: Watching a hack in progress on SNORT (using the data generated in the first lab of this session)

11: Presentation: IDS Data mining. Lab: Hacking Windows (in a closed lab environment)

12: Security architecture part 1 (Firewall and IDS architecture). Lab: An information Security Architecture for St Lawrence Sawmill part 1

13: Presentation: Security architecture part 2 (WAN and Distributed networks Security Architecture issues). Lab: An information Security Architecture for St Lawrence Sawmill part 2

Page 12

Sessions overview (No / Contents)

14: Presentation: Security architecture part 3 (IDS based layered perimeter Security Architecture design and implementation in the form of an IT Project). Lab: Hacking Linux (in a closed lab environment). Assignment 2 DUE

15: Review of the principal concepts of this course. Lab: Hacking WiFi (in a closed lab environment)

16: Final exam

Page 13

Evaluation

• Two (2) home assignments (Courses 3 and 9): 25% each, or 50% of the final grade
• A mid-term exam (Course 9): 15%
• A final exam (Course 16): 35%

Page 14

Assignments

1. Planning a Security Architecture (individual)

2. In-class presentation (individual)

Page 15

1- Planning a Security Architecture (individual)

• Your employer asked you, as Network Manager for the company, to plan the implementation of a Security Architecture for St-Lawrence Sawmill. The sawmill is currently implementing a new IT infrastructure whose principal objective is to allow for the implementation of workstations for the operators of industrial equipment. The solution must also allow for the use of wireless access in the corporate conference rooms and in the office. The instructor acts as the CIO and is your internal customer. He expects a 7 to 10 page (1.5 spacing, Courier 12 font, 3 cm margins all around) report including:

• a title page
• an executive summary
• a table of contents
• an analysis of the current situation
• a description of the requirements
• the solutions that were considered (at least 2)
• the proposed solution
• a recommendation to the CIO
• a bibliography

Page 16

2- In-class presentation (individual)

• The CIO asks you to make a presentation to the board of directors (formed of all your classmates) of the Security Architecture proposed for St Lawrence Sawmill as per corporate purchasing policy. The board will evaluate your proposal using an evaluation template (provided by the instructor).

Page 17

Business case

• Available online: www.leger.ca
• Sawmill producing lumber
• In La Tuque, in the Mauricie region
• 800 relatively unskilled workers
• Operates uninterrupted 24x7 (3 shifts of 8 hours)
• Part of a large industrial group, Bois St-Laurent
• HQ in Montreal
• In May 2006 it was purchased by SWP (Svirge Wood Products)

Page 18

Current technological environment

• Minicomputer (IBM AS400)
• Custom built information system created by an external consultant
• Five workstations (PC) for administration, used for the integration of data into the information system
• Printer for reports
• Oracle

Page 19

Project name: SIGES

• Corporate management information system connected to the corporate management system (ERP, or enterprise resource planning), SAP, located in Sweden

Page 20

Proposed architecture

• Server: Sun Microsystems Sun Fire E20K
• Storage: Sun Microsystems Sun Storage Teak 9900
• 100 PCs for the factory (adapted for use in the factory)
• 10 workstations (Windows - INTEL) for management
• Printers for reports
• Switched 100BaseT local area network with high bandwidth for the management network
• Wireless local area network in the factory
• Wireless local area network access for conference rooms
• Virtual private network (VPN) with Sweden via the Internet

Page 21

Budget of the project of change (Maximum allocated)

• Equipment: 500 000$
• Wiring and infrastructure: 100 000$
• Service contracts for the equipment: 50 000$ per year as of the second year
• Software: 150 000$ + recurring license fees of 15 000$ per year
• Configuration and conversion of the data: 150 000$
• Training: 50 000$
• Consulting services: 350 000$
• Installation: 200 000$
• Contingencies (10%): 150 000$

Page 22

Layout

Page 23

Question period and discussion

Page 24

Please note

• These slides are produced as presentation material for a technical college course; all references, sources and bibliographical information are available in the commentaries section of the PowerPoint presentation and may not be visible to viewers of PDF versions.

• The course instructor has no pretensions to be the original author of any of the material.