Chapter 2: Security Technology: Intrusion Detection and Prevention Systems, and Other Security Tools

At the end of the unit, the students should be able to:

 Identify and describe the categories and operating models of intrusion detection and
prevention systems
 Define and describe honeypots, honeynets, and padded cell systems
 List and define the major categories of scanning and analysis tools, and describe the specific
tools used within each of these categories
 Explain the various methods of access control, including the use of biometric access
mechanisms
INTRODUCTION
The protection of an organization’s information assets relies at least as much on people as on
technical controls, but technical solutions, guided by policy and properly implemented, are an essential
component of an information security program.
This chapter builds on that discussion by describing additional and more advanced technologies—
intrusion detection and prevention systems, honeypots, honeynets, padded cell systems, scanning
and analysis tools, and access controls—that organizations can use to enhance the security of their
information assets.

INTRUSION DETECTION AND PREVENTION SYSTEMS

- An intrusion occurs when an attacker attempts to gain entry into or disrupt the normal
operations of an information system, almost always with the intent to do harm.
- Intrusion prevention consists of activities that deter an intrusion.
- Intrusion detection consists of procedures and systems that identify system intrusions.
- Intrusion reaction encompasses the actions an organization takes when an intrusion is
detected.
- Intrusion correction activities finalize the restoration of operations to a normal state and seek
to identify the source and method of the intrusion in order to ensure that the same type of
attack cannot occur again—thus reinitiating intrusion prevention.
- Information security intrusion detection systems (IDSs) became commercially available in the
late 1990s.
- A current extension of IDS technology is the intrusion prevention system (IPS), which can
detect an intrusion and also prevent that intrusion from successfully attacking the organization
by means of an active response.
- Because the two systems often coexist, the combined term intrusion detection and
prevention system (IDPS) is generally used to describe current anti-intrusion technologies.
IDPS Terminology

In order to understand IDPS operational behavior, you must first become familiar with some IDPS
terminology.

 Alert or alarm: An indication that a system has just been attacked or is under attack. IDPS alerts
and alarms take the form of audible signals, e-mail messages, pager notifications, or pop-up
windows.
 Evasion: The process by which attackers change the format and/or timing of their activities to
avoid being detected by the IDPS.
 False attack stimulus: An event that triggers an alarm when no actual attack is in progress.
Scenarios that test the configuration of IDPSs may use false attack stimuli to determine if the IDPSs
can distinguish between these stimuli and real attacks.

IASEC 2-Information Assurance and Security 2

Leary John H. Tambagahan, LPT
Instructor
16
Chapter 2: Security Technology: Intrusion Detection and Prevention Systems, and Other Security Tools
 False negative: The failure of an IDPS to react to an actual attack event. This is the most grievous
failure, since the purpose of an IDPS is to detect and respond to attacks.
 False positive: An alert or alarm that occurs in the absence of an actual attack. A false positive
can sometimes be produced when an IDPS mistakes normal system activity for an attack. False
positives tend to make users insensitive to alarms and thus reduce their reactivity to actual intrusion
events.
 Noise: Alarm events that are accurate and noteworthy but that do not pose significant threats to
information security. Unsuccessful attacks are the most common source of IDPS noise, and some
of these may in fact be triggered by scanning and enumeration tools deployed by network users
without intent to do harm.
 Site policy: The rules and configuration guidelines governing the implementation and operation of
IDPSs within the organization.
 Site policy awareness: An IDPS’s ability to dynamically modify its configuration in response to
environmental activity. A so-called smart IDPS can adapt its reactions in response to administrator
guidance over time and circumstances of the current local environment. A smart IDPS logs events
that fit a specific profile instead of minor events, such as file modification or failed user logins.
 True attack stimulus: An event that triggers alarms and causes an IDPS to react as if a real attack
is in progress. The event may be an actual attack, in which an attacker is at work on a system
compromise attempt, or it may be a drill, in which security personnel are using hacker tools to
conduct tests of a network segment.
 Tuning: The process of adjusting an IDPS to maximize its efficiency in detecting true positives,
while minimizing both false positives and false negatives.
 Confidence value: The measure of an IDPS’s ability to correctly detect and identify certain types of
attacks. The confidence value an organization places in the IDPS is based on experience and past
performance measurements. For example, if a system deemed 90 percent capable of accurately
reporting a denial-of-service attack sends a denial-of-service alert, there is a high probability that an
actual attack is occurring.
 Alarm filtering: The process of classifying IDPS alerts so that they can be more effectively
managed. An IDPS administrator can set up alarm filtering by running the system for a while to
track what types of false positives it generates and then adjusting the alarm classifications. For
example, the administrator may set the IDPS to discard alarms produced by false attack stimuli or
normal network operations. Alarm filters are similar to packet filters in that they can filter items by
their source or destination IP addresses, but they can also filter by operating systems, confidence
values, alarm type, or alarm severity.
 Alarm clustering and compaction: A process of grouping almost identical alarms that happen at
close to the same time into a single higher-level alarm. This consolidation reduces the number of
alarms generated, thereby reducing administrative overhead, and also identifies a relationship
among multiple alarms. This clustering may be based on combinations of frequency, similarity in
attack signature, similarity in attack target, or other criteria that are defined by the system
administrators.

Types of IDPS

IDPSs operate as network- or host-based systems.

Network-Based IDPS (NIDPS)

- focused on protecting network information assets.

- resides on a computer or appliance connected to a segment of an organization’s network and
monitors network traffic on that network segment, looking for indications of ongoing or
successful attacks.

IASEC 2-Information Assurance and Security 2

Leary John H. Tambagahan, LPT
Instructor
17
Chapter 2: Security Technology: Intrusion Detection and Prevention Systems, and Other Security Tools

Figure 2.1 Intrusion Detection and Prevention Systems

Two specialized subtypes of network-based IDPS

a. Wireless IDPS
- monitors and analyzes wireless network traffic, looking for potential problems with the
wireless protocols (Layers 2 and 3 of the OSI model).
- cannot evaluate and diagnose issues with higher-layer protocols like TCP and UDP.
- its capability can be built into a device that provides a wireless access point.

Some issues associated with the implementation of wireless IDPSs include:

- Physical security: Unlike wired network sensors, which can be physically secured,
many wireless sensors are located in public areas like conference rooms, assembly
areas, and hallways in order to obtain the widest possible network range.
- Sensor range: A wireless device’s range can be affected by atmospheric conditions,
building construction, and the quality of both the wireless network card and access
point.
- Access point and wireless switch locations: Wireless components with bundled
IDPS capabilities must be carefully deployed to optimize the IDPS sensor detection
grid.
- Wired network connections: Wireless network components work independently of the
wired network when sending and receiving between stations and access points.
- Cost: The more sensors deployed, the more expensive the configuration. Wireless
components typically cost more than their wired counterparts.
In addition to the traditional types of intrusions detected by other IDPSs, the wireless IDPS
can also detect:

- Unauthorized WLANs and WLAN devices

- Poorly secured WLAN devices
- Unusual usage patterns
- The use of wireless network scanners
- Denial of service (DoS) attacks and conditions
- Impersonation and man-in-the-middle attacks

b. Network Behavior Analysis (NBA) IDPS

- examine network traffic in order to identify problems related to the flow of traffic.

Typical flow data particularly relevant to intrusion detection and prevention includes:

IASEC 2-Information Assurance and Security 2

Leary John H. Tambagahan, LPT
Instructor
18
Chapter 2: Security Technology: Intrusion Detection and Prevention Systems, and Other Security Tools
- Source and destination IP addresses
- Source and destination TCP or UDP ports or ICMP types and codes
- Number of packets and bytes transmitted in the session
- Starting and ending timestamps for the session

- Most NBA sensors can be deployed in passive mode only, using the same connection
methods

The types of events most commonly detected by NBA sensors include the following:

- DoS attacks (including DDoS attacks)

- Scanning
- Worms
- Unexpected application services (e.g., tunneled protocols, back doors, use of
forbidden application protocols)
- Policy violations

NBA sensors offer various intrusion prevention capabilities, including the following
(grouped by sensor type):
- Passive only
- Ending the current TCP session. A passive NBA sensor can attempt to end an
existing TCP session by sending TCP reset packets to both endpoints.
- Inline only
 Performing inline firewalling. Most inline NBA sensors offer firewall
capabilities that can be used to drop or reject suspicious network
activity.
- Both passive and inline
 Reconfiguring other network security devices. Many NBA sensors can
instruct network security devices such as firewalls and routers to
reconfigure themselves to block certain types of activity or route it
elsewhere, such as a quarantine virtual local area network (VLAN).
 Running a third-party program or script. Some NBA sensors can run an
administrator-specified script or program when certain malicious activity
is detected
Host-Based IDPS (HIDPS)
- resides on a particular computer or server, known as the host, and monitors activity only on
that system.
- also known as system integrity verifiers because they benchmark and monitor the status of
key system files and detect when an intruder creates, modifies, or deletes monitored files.
- An HIDPS has an advantage over an NIDPS in that it can access encrypted information
traveling over the network and use it to make decisions about potential or actual attacks.
- An HIDPS is also capable of monitoring system configuration databases, such as Windows
registries, in addition to stored configuration files like .ini, .cfg, and .dat files.
- Most HIDPSs work on the principle of
configuration or change
management, which means that they
record the sizes, locations, and other
attributes of system files.

IASEC 2-Information Assurance and Security 2

Leary John H. Tambagahan, LPT
Instructor
19
Chapter 2: Security Technology: Intrusion Detection and Prevention Systems, and Other Security Tools
- The HIDPS triggers an alert when one of the following occurs:
o File attributes change
o New files are created
o Existing files are deleted
- The only time an HIDPS produces a false positive alert is when an authorized change occurs
for a monitored file. Figure
2.2 Inox Verisys (File Integrity Monitor) HIDPS

IDPS DETECTION METHODS

IDPSs use a variety of detection methods to monitor and evaluate network traffic. Three methods dominate: the
signature-based approach, the statistical-anomaly approach, and the stateful packet inspection approach.

Signature-Based IDPS

- sometimes called a knowledge-based IDPS or a misuse-detection IDPS

- examines network traffic in search of patterns that match known signatures—that is, preconfigured,
predetermined attack patterns.
- Signaturebased IDPS technology is widely used because many attacks have clear and distinct
signatures, for example:
(1) footprinting and fingerprinting activities use ICMP, DNS querying, and e-mail routing analysis;
(2) exploits use a specific attack sequence designed to take advantage of a vulnerability to gain access
to a system;
(3) DoS and DDoS attacks, during which the attacker tries to prevent the normal usage of a system,
overload the system with requests so that the system’s ability to process them efficiently is compromised
or disrupted

Statistical Anomaly-Based IDPS

- The statistical anomaly-based IDPS (stat IDPS) or behavior-based IDPS collects statistical summaries
by observing traffic that is known to be normal.
- This normal period of evaluation establishes a performance baseline. Once the baseline is established,
the stat IDPS periodically samples network activity and, using statistical methods, compares the
sampled network activity to this baseline.
- The advantage of the statistical anomaly-based approach is that the IDPS can detect new types of
attacks, since it looks for abnormal activity of any type.

Stateful Protocol Analysis IDPS

- a process of comparing predetermined profiles of generally accepted definitions of benign activity for
each protocol state against observed events to identify deviations
- relies on vendor-developed universal profiles that specify how particular protocols should and should not
be used
- can also examine authentication sessions for suspicious activity as well as for attacks that incorporate
“unexpected sequences of commands, such as issuing the same command repeatedly or issuing a
command without first issuing a command upon which it is dependent, as well as ‘reasonableness’ for
commands such as minimum and maximum lengths for arguments.”

Log File Monitors

- (LFM) IDPS is similar to a NIDPS.

- Using LFM, the system reviews the log files generated by servers, network devices, and even other
IDPSs, looking for patterns and signatures that may indicate that an attack or intrusion is in process or
has already occurred.

STRENGTHS AND LIMITATIONS OF IDPSs

IASEC 2-Information Assurance and Security 2

Leary John H. Tambagahan, LPT
Instructor
20
Chapter 2: Security Technology: Intrusion Detection and Prevention Systems, and Other Security Tools
Strengths of Intrusion Detection and Prevention Systems Intrusion detection and prevention systems
perform the following functions well:

1. Monitoring and analysis of system events and user behaviors

2. Testing the security states of system configurations
3. Baselining the security state of a system, then tracking any changes to that baseline
4. Recognizing patterns of system events that correspond to known attacks
5. Recognizing patterns of activity that statistically vary from normal activity
6. Managing operating system audit and logging mechanisms and the data they generate
7. Alerting appropriate staff by appropriate means when attacks are detected
8. Measuring enforcement of security policies encoded in the analysis engine
9. Providing default information security policies
10. Allowing non-security experts to perform important security monitoring functions

Limitations of Intrusion Detection and Prevention Systems Intrusion detection systems cannot perform
the following functions:

1. Compensating for weak or missing security mechanisms in the protection infrastructure, such as
firewalls, identification and authentication systems, link encryption systems, access control
mechanisms, and virus detection and eradication software
2. Instantaneously detecting, reporting, and responding to an attack when there is a heavy network or
processing load
3. Detecting newly published attacks or variants of existing attacks
4. Effectively responding to attacks launched by sophisticated attackers
5. Automatically investigating attacks without human intervention
6. Resisting all attacks that are intended to defeat or circumvent them
7. Compensating for problems with the fidelity of information sources
8. Dealing effectively with switched networks

HONEYPOTS, HONEYNETS, AND PADDED CELLS

Honeypots are decoy systems designed to lure potential attackers away from critical systems. In
the industry, they are also known as decoys, lures, and fly-traps.
When a collection of honeypots connects several honeypot systems on a subnet, it may be called a
honeynet.
In sum, honeypots are designed to do the following:
o Divert an attacker from critical systems
o Collect information about the attacker’s activity
o Encourage the attacker to stay on the system long enough for administrators to document
the event and, perhaps, respond
Honeypots are instrumented with sensitive monitors and event loggers that detect attempts to
access the system and collect information about the potential attacker’s activities.
A screenshot from a simple IDPS that specializes in honeypot techniques, called Deception
Toolkit
A padded cell is a honeypot that has been protected so that that it cannot be easily compromised—
in other words, a hardened honeypot.

The advantages and disadvantages of using the honeypot or padded cell approach are summarized below:

Advantages:

Attackers can be diverted to targets that they cannot damage.

Administrators have time to decide how to respond to an attacker.
Attackers’ actions can be easily and more extensively monitored, and the records can be used to
refine threat models and improve system protections.
IASEC 2-Information Assurance and Security 2
Leary John H. Tambagahan, LPT
Instructor
21
Chapter 2: Security Technology: Intrusion Detection and Prevention Systems, and Other Security Tools
Honeypots may be effective at catching insiders who are snooping around a network.

Disadvantages:

The legal implications of using such devices are not well understood.
Honeypots and padded cells have not yet been shown to be generally useful security technologies.
An expert attacker, once diverted into a decoy system, may become angry and launch a more
aggressive attack against an organization’s systems.
Administrators and security managers need a high level of expertise to use these systems

TRAP-AND-TRACE

Trap-and-trace applications, which are an extension of the attractant technologies discussed in the
previous section, are growing in popularity.
The trap usually consists of a honeypot or padded cell and an alarm.
The trace feature is an extension to the honeypot or padded cell approach.
Enticement is the act of attracting attention to a system by placing tantalizing information in key
locations.
Entrapment is the act of luring an individual into committing a crime to get a conviction.
Enticement is legal and ethical, whereas entrapment is not.
Wasp Trap Syndrome – In this syndrome, a concerned homeowner installs a wasp trap in his back
yard to trap the few insects he sees flying about.

Active Intrusion Prevention

 One tool that provides active intrusion prevention is known as LaBrea

(http://labrea.sourceforge.net/labrea-info.html).
 LaBrea is a “sticky” honeypot and IDPS and works by taking up the unused IP address space within
a network.
 It allows the LaBrea system time to notify the system and network administrators about the
anomalous behavior on the network.

Scanning

 Scanning tools are, as mentioned earlier, typically used as part of an attack protocol to collect
information that an attacker would need to launch a successful attack.
 The attack protocol is a series of steps or processes used by an attacker, in a logical sequence, to
launch an attack against a target system or network.
 Footprinting is the organized research of the Internet addresses owned or controlled by a target
organization.
 To assist in the footprint intelligence collection process, you can use an enhanced WEB SCANNER
that, among other things, can scan entire Web sites for valuable pieces of information, such as
server names and e-mail addresses
 One such scanner is called Sam Spade, the details of which can be found in the program’s help
file.
 Sam Spade can also do a host of other scans and probes, such as sending multiple ICMP
information requests (pings), attempting to retrieve multiple and cross-zoned DNS queries, and
performing network analysis queries (known, from the commonly used UNIX command for
performing the analysis, as traceroutes)
 For Linux or BSD systems, there is a tool called “wget” that allows a remote individual to “mirror”
entire Web sites. With this tool, attackers can copy an entire Web site and then go through the
source HTML, JavaScript, and Web-based forms at their leisure, collecting and collating all of the
data from the source code that will be useful to them for their attack.

IASEC 2-Information Assurance and Security 2

Leary John H. Tambagahan, LPT
Instructor
22
Chapter 2: Security Technology: Intrusion Detection and Prevention Systems, and Other Security Tools
 Fingerprinting is a systematic survey of all of the target organization’s Internet addresses (which
were collected during the footprinting phase described above); the survey is conducted to identify
the network services offered by the hosts in that range

PORT SCANNERS

 Port scanning utilities, or port scanners, are tools used by both attackers and defenders to identify
(or fingerprint) the computers that are active on a network, as well as the ports and services active
on those computers, the functions and roles the machines are fulfilling, and other useful
information.
 A port is a network channel or connection point in a data communications system

FIREWALL ANALYSIS TOOLS

 Idle scanning (which is run with the -I switch) will allow the Nmap user to bounce your scan across
a firewall by using one of the idle DMZ hosts as the initiator of the scan.

BIOMETRIC ACCESS CONTROLS

Biometric access control is based on the use of

some measurable human characteristic or trait to
authenticate the identity of a proposed systems
user (a supplicant).

The use of biometric-based authentication is

expected to have a significant impact in the future
as technical and ethical issues with the
technology are resolved.

Figure 2.3 Biometric Recognition Characteristics

Biometric authentication technologies include the

following:

 Fingerprint comparison of the supplicant’s actual fingerprint to a stored fingerprint

 Palm print comparison of the supplicant’s actual palm print to a stored palm print
 Hand geometry comparison of the supplicant’s actual hand to a stored measurement
 Facial recognition using a photographic ID card, in which a human security guard compares the
supplicant’s face to a photo
 Facial recognition using a digital camera, in which a supplicant’s face is compared to a stored
image
 Retinal print comparison of the supplicant’s actual retina to a stored image
 Iris pattern comparison of the supplicant’s actual iris to a stored image

Among all possible biometrics, only three human characteristics are usually considered truly unique. They
are as follows:

 Fingerprints
 Retina of the eye (blood vessel pattern)

IASEC 2-Information Assurance and Security 2

Leary John H. Tambagahan, LPT
Instructor
23
Chapter 2: Security Technology: Intrusion Detection and Prevention Systems, and Other Security Tools
 Iris of the eye (random pattern of features found in the iris, including freckles, pits, striations,
vasculature, coronas, and crypts)

Minutiae are unique points of reference that are digitized and stored in an encrypted format when the
user’s system access credentials are created.

Signature and voice recognition technologies are also considered to be biometric access controls
measures.

 Signature recognition has become commonplace.

 The signature is digitized and either saved for future reference, or compared with a signature on a
database for validation.
 Voice recognition works in a similar fashion in that an initial voiceprint of the user reciting a phrase
is captured and stored

EFFECTIVENESS OF BIOMETRICS

Biometric technologies are evaluated on three basic criteria:

1. The false reject rate, which is the percentage of supplicants who are in fact authorized users but
are denied access. This failure is known as a Type I error.
2. The false accept rate, which is the percentage of supplicants who are unauthorized users but are
granted access. This failure is known as a Type II error, and is unacceptable to security
professionals.
3. The crossover error rate (CER), which is the level at which the number of false rejections equals
the false acceptances. This is possibly the most common and important overall measure of the
accuracy of a biometric system. CERs are used to compare various biometrics and may vary by
manufacturer.

ACTIVITIES

Activity 1. Review Questions

1. What common security system is an IDPS most like? In what ways are these systems similar?
2. How does a false positive alarm differ from a false negative one? From a security perspective,
which is least desirable?
3. How does a network-based IDPS differ from a host-based IDPS?
Activity 2. Research
1. Use the Internet to find vendors of thumbprint and iris scanning tools. Which of these tools is
more economical? Which of these is least intrusive?
2. There are several online passphrase generators available. Locate at least two of them on the
Internet, and try them out. What did you observe?

IASEC 2-Information Assurance and Security 2

Leary John H. Tambagahan, LPT
Instructor
24
Chapter 2: Security Technology: Intrusion Detection and Prevention Systems, and Other Security Tools
Activity 3. Do It Your Self
Think of any Biometric authentication technologies that is NOT YET available in the market.
Design it and includes the different features of your work.

Activity 1
1. What common security system is an IDPS most like? In what ways are these systems similar?

2. How does a false positive alarm differ from a false negative one? From a security perspective,
which is least desirable?

IASEC 2-Information Assurance and Security 2

Leary John H. Tambagahan, LPT
Instructor
25
Chapter 2: Security Technology: Intrusion Detection and Prevention Systems, and Other Security Tools

3. How does a network-based IDPS differ from a host-based IDPS?

Activity 2. Research
1. Use the Internet to find vendors of thumbprint and iris scanning tools. Which of these tools is
more economical? Which of these is least intrusive?

IASEC 2-Information Assurance and Security 2

Leary John H. Tambagahan, LPT
Instructor
26
Chapter 2: Security Technology: Intrusion Detection and Prevention Systems, and Other Security Tools
2. There are several online passphrase generators available. Locate at least two of them on the
Internet, and try them out. What did you observe?

Activity 3. Do It Your Self

Think of any Biometric authentication technologies that is NOT YET available in the market.
Design it and includes the different features of your work.

IASEC 2-Information Assurance and Security 2

Leary John H. Tambagahan, LPT
Instructor
27