intrusion dps
TRANSCRIPT
-
8/2/2019 Intrusion DPS
1/26
Intrusion Detection & Prevention System
-
Content
Introduction
What is Intrusion
What is IDPS
Principles
Components
Need of IDPS
Types of IDPS
Conclusion
-
Introduction
Intrusion Detection & Prevention Systems (IDPS) were invented in the late 1990s by Andrew Plato, who was a technical writer and consultant for Network ICE, USA.
The goal of computer network security is to improve
confidentiality,
integrity,
and availability.
-
What is an intrusion?
Intrusion is the act of entering (putting) oneself in without invitation, permission, or welcome.
It is any set of actions that threaten (damage) the integrity, availability, or confidentiality of computer network resources.
Intrusion prevention (authentication, encryption, etc.) alone is not sufficient. Intrusion detection is needed!!
-
Intrusion Detection/Prevention Systems (IDPS)
It is one type of computer network security in which unauthorized access to a computer system or a computer network can be detected.
In other words, it is a hardware or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a Management Station.
It is the combined application of IDS and IPS.
-
What processes does an IDPS involve?
Monitoring and analyzing network traffic.
Identifying abnormal activities.
Assessing severity and raising an alarm.
The primary responsibility of an IDPS is to detect unwanted and malicious activities.
-
Intrusion Prevention System (IPS)
IPS is not a new technology, but simply an evolved version of IDS.
IPS combines IDSs and improved firewall technologies; it makes access control decisions based on application content, rather than on IP addresses or ports as traditional firewalls had done.
IPS is software that has all the capabilities of an intrusion detection system and can also attempt to stop possible incidents. Usually an IPS is a combination of a firewall and an IDS.
-
Terminology used in IDPSs
Risk: Accidental exposure of information, or violation of operational integrity due to the malfunction of hardware or incomplete or incorrect software design.
Vulnerability: A known or suspected flaw (error) in the h/w or s/w or operation of a system that exposes the system to penetration or its information to accidental disclosure.
Attack: A specific formulation or execution of a plan to carry out a threat.
Penetration: A successful attack.
-
Goal of IDPS
Detect a wide variety of intrusions.
Detect intrusions in a timely fashion.
Present analysis in a simple, easy-to-understand format.
Be accurate.
Minimize time spent verifying attacks and looking for them.
Minimize false positives and false negatives.
False positive: An event incorrectly identified by the IDPS as being an intrusion when none has occurred.
False negative: An event that the IDS fails to identify as an intrusion when one has in fact occurred.
-
Components Of IDPS
1. Sensor or Agent:- Monitors and analyzes activity.
2. Management Server:- A centralized device that receives information from the sensors or agents and manages them.
3. Database Server:- A repository for event information recorded by sensors, agents, and/or management servers. Many IDPSs provide support for database servers.
4. Console:- A program that provides an interface for the IDPS's users and administrators.
-
[Diagram: IDPS deployment. Elements shown: Database Server, Management Server, Servers, IDPS, Console, Work Station, Internet, Wireless Sensor, Core data centre, Access, Wireless Access Point]
-
General IDS Arch/Model
[Diagram: general IDS architecture. Components: Sensor, Analyzer, Manager, Administrator, Operator. Inputs: Data Source/Activity, Security Policy. Outputs: Events, Alerts, Notifications, Response]
-
Why IDPS Should Be Used?
Because it is a cost-effective way to
Block malicious traffic,
Detect and contain worm and virus threats,
Serve as a network monitoring point,
Assist in compliance requirements, and
Act as a network sanitizing agent.
-
How Does an IDPS Work?
1. Recording information related to observed events.
2. Notifying security administrators of important observed events.
3. Producing reports.
4. The IPS stops the attack itself.
5. The IPS changes the security environment.
6. The IPS changes the attack's content.
-
What can an IDPS do?
IDPS can detect and block:-
OS, Web and database attacks
Spyware / Malware
Instant Messenger
Peer to Peer (P2P)
Worm propagation
Critical outbound data loss (data leakage)
-
What can not IDPSs do?
One of the most common problems with an IDPS is the detection of
false positives or
false negatives.
A false positive occurs when the system blocks an activity on the network because it is out of the normal and so it assumes it is malicious, causing denial of service to a valid user trying to do a valid procedure; a false negative allows a malicious activity to go by.
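The false positive / false negative trade-off described above, as an added example that is not part of the original slides: a rate-threshold (anomaly-based) detector is scored against hand-labelled, constructed events, and the alert threshold is varied to show valid users being blocked on one side and intrusions slipping past on the other. The event list, the threshold values and the function names are all assumptions made for this illustration.

```python
# Added example, not from the slides: a rate-threshold (anomaly-based)
# detector scored against hand-labelled events, to show how the alert
# threshold trades false positives against false negatives.

# Constructed sample: (client, requests per minute, truly malicious?)
EVENTS = [
    ("10.0.0.5", 12, False),   # ordinary user
    ("10.0.0.6", 40, False),   # busy but legitimate batch job
    ("10.0.0.7", 350, True),   # port/URL scanner
    ("10.0.0.8", 90, True),    # slow password-guessing client
    ("10.0.0.9", 8, False),    # ordinary user
]

def is_anomalous(rate, threshold):
    """Anomaly-based rule: alert when the rate exceeds the 'normal' threshold."""
    return rate > threshold

def evaluate(threshold, events=EVENTS):
    """Return counts of true/false positives and negatives for one threshold."""
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for _client, rate, malicious in events:
        alert = is_anomalous(rate, threshold)
        if alert and malicious:
            counts["tp"] += 1
        elif alert and not malicious:
            counts["fp"] += 1      # valid user blocked: self-inflicted denial of service
        elif not alert and malicious:
            counts["fn"] += 1      # intrusion allowed to go by
        else:
            counts["tn"] += 1
    return counts

def sweep(thresholds=(30, 50, 100), events=EVENTS):
    """Map each threshold to its (false positives, false negatives) pair."""
    result = {}
    for t in thresholds:
        c = evaluate(t, events)
        result[t] = (c["fp"], c["fn"])
    return result

if __name__ == "__main__":
    for t, (fp, fn) in sweep().items():
        print(f"threshold={t:>3}/min  false positives={fp}  false negatives={fn}")
```

A low threshold blocks the legitimate batch job (false positive); a high one misses the slow password-guessing client (false negative).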
-
Principles of Intrusion Detection/Prevention Systems
The IDPS must:-
Run unattended for extended periods of time
Stay active and secure
Be able to recognize unusual activity
Operate without unduly affecting the system's activity
Be configurable
-
What Should Be Done While/After a Detection Happens?
Reconfigure the firewall
Send e-mail/page to the system administrator
Terminate the TCP session
Authentication
Encryption
-
Type of IDPS Technologies
1. Network-Based
2. Host-Based
3. Wireless
4. Network Behavior Analysis, etc.
1. Network-Based:- Monitors network traffic for particular network segments or devices and analyzes the network and application protocol activity to identify suspicious activity.
-
Type of IDPS Technologies (cont...)
2. Host-Based:- Monitors the characteristics of a single host and the events occurring within that host for suspicious activity.
3. Wireless:- Monitors wireless network traffic and analyzes it to identify suspicious activity involving the wireless networking protocols.
4. Network Behavior Analysis (NBA):- Examines network traffic to identify threats that generate unusual traffic flows, such as DDoS attacks, scanning, and certain forms of malware.
-
Common Detection Methodologies
Signature-Based Detection compares known threat signatures to observed events to identify incidents.
Anomaly-Based Detection compares definitions of what activity is considered normal against observed events to identify significant deviations.
Stateful Protocol Analysis compares predetermined profiles of generally accepted definitions of benign protocol activity for each protocol state against observed events to identify deviations.
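Two of the methodologies above worked through in code, as an added example that is not part of the original slides: signature-based detection matches a small set of known-threat patterns against observed request lines, and stateful protocol analysis tracks each flow against a benign profile of the TCP handshake and reports any flag that is not allowed in the flow's current state. The signatures, the state profile, the sample requests and packets, and the function names are assumptions constructed for this illustration.

```python
# Added example, not from the slides: signature-based detection and stateful
# protocol analysis applied to constructed sample events.
import re
from collections import defaultdict

# Signature-based: known-threat patterns compared against each observed event.
SIGNATURES = {
    "path_traversal": re.compile(r"\.\./"),
    "xss_tag": re.compile(r"(?i)<script"),
    "sql_union": re.compile(r"(?i)union\s+select"),
}

def signature_detect(requests):
    """Return (request, signature name) for each request matching a known signature."""
    hits = []
    for req in requests:
        for name, pattern in SIGNATURES.items():
            if pattern.search(req):
                hits.append((req, name))
                break                      # first matching signature wins
    return hits

# Stateful protocol analysis: a profile of benign TCP handshake behaviour.
# Allowed transitions per state; any other flag in that state is a deviation.
BENIGN_PROFILE = {
    "NEW": {"SYN": "SYN_SENT"},
    "SYN_SENT": {"SYN-ACK": "SYN_RECV"},
    "SYN_RECV": {"ACK": "ESTABLISHED"},
    "ESTABLISHED": {"DATA": "ESTABLISHED", "FIN": "CLOSED"},
}

def stateful_detect(packets):
    """Track each flow's protocol state; return (flow, state, flag) for every deviation."""
    state = defaultdict(lambda: "NEW")
    deviations = []
    for flow, flag in packets:
        nxt = BENIGN_PROFILE.get(state[flow], {}).get(flag)
        if nxt is None:
            deviations.append((flow, state[flow], flag))   # e.g. data before handshake
        else:
            state[flow] = nxt
    return deviations

# Constructed samples.
REQUESTS = [
    "GET /index.html",
    "GET /../../etc/passwd",
    "GET /search?q=<script>",
    "GET /items?id=1 UNION SELECT name FROM users",
]
PACKETS = [
    ("flowA", "SYN"), ("flowA", "SYN-ACK"), ("flowA", "ACK"), ("flowA", "DATA"),
    ("flowB", "DATA"),                    # payload with no handshake at all
    ("flowC", "SYN"), ("flowC", "ACK"),   # ACK before the SYN-ACK arrived
]
```

Note that the stateful check flags flowB and flowC without any signature: it needs only the protocol's expected state sequence, which is what lets it catch traffic no signature describes yet.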
-
What to Consider When Buying IDPS?
Speed / latency: Will the device perform under load?
Accuracy: How many attacks did it miss? How many false attacks did it block?
Signature Updates: Absolutely critical. How often the signatures are updated is a key indicator of how serious they are about selling IPS.
High Availability: Will it do Active-Passive, Active-Active?
Fail Open: Will the device pass traffic in the event of a device failure?
-
Implementation
An effective IDPS does not stand alone; it must be supported by a number of other systems.
Among these systems the following are necessary:-
Operating Systems: A good operating system that has logging and auditing features. Eg Windows, Unix/Linux, and others.
Services: All applications on servers such as Web servers, e-mail servers, and databases should include logging/auditing features as well.
Firewalls: A good firewall should have some network intrusion detection capabilities.
Network management platform
Hardware platform: Intel based, SPARC based
-
Conclusion
IDPS is a powerful security system and it's proving to make a significant impact in information systems.
There are limitations of IDPSs; however, these limitations for the most part can be worked around.
The amount of network bandwidth that can be handled through IDPS units has grown substantially.
Generally we can conclude that IDPSs are useful and have proven to make significant differences on large networks where many attacks are evident or happen.
-
THANK YOU 4 UR ATTENTION!!!!
-
Questions Are Appreciated!!