ch 7 IAS


CH-7
SECURITY TECHNOLOGY: INTRUSION DETECTION AND PREVENTION SYSTEMS, AND OTHER SECURITY TOOLS

UPON COMPLETION OF THIS CHAPTER, YOU SHOULD BE ABLE TO:

• Identify and describe the categories and operating models of intrusion detection and prevention systems
• Define and describe honeypots, honeynets, and padded cell systems
• List and define the major categories of scanning and analysis tools, and describe the specific tools used within each of these categories
• Explain the various methods of access control, including the use of biometric access mechanisms


INTRUSION DETECTION AND PREVENTION SYSTEMS


An intrusion occurs when an attacker attempts to gain entry into or disrupt the normal operations of an information system, almost always with the intent to do harm.

Intrusion detection consists of procedures and systems that identify system intrusions.

Intrusion reaction encompasses the actions an organization takes when an intrusion is detected. These actions seek to limit the loss from an intrusion and return operations to a normal state as rapidly as possible.


Intrusion correction activities finalize the restoration of operations to a normal state and seek to identify the source and method of the intrusion in order to ensure that the same type of attack cannot occur again—thus reinitiating intrusion prevention.

Intrusion prevention consists of activities that deter an intrusion. Some important intrusion prevention activities are:
• writing and implementing good enterprise information security policy,
• planning and executing effective information security programs,
• installing and testing technology-based information security countermeasures (such as firewalls and intrusion detection systems), and
• conducting and measuring the effectiveness of employee training and awareness activities.


Intrusion detection system (IDS): software employed to monitor and detect possible attacks and behaviors that vary from the normal and expected activity.

The IDS can be:
• network based, which monitors network traffic, or
• host based, which monitors activities of a specific system and protects system files and control mechanisms.

An IDS works like a burglar alarm in that it detects a violation (some system activity analogous to an opened or broken window) and activates an alarm. This alarm can be audible and/or visual (producing noise and lights, respectively), or it can be silent (an e-mail message or pager alert).

Many IDSs enable administrators to configure the systems to notify them directly of trouble via e-mail or pagers.

A current extension of IDS technology is the intrusion prevention system (IPS), which can detect an intrusion and also prevent that intrusion from successfully attacking the organization by means of an active response.

Hence, the combined term intrusion detection and prevention system (IDPS) is generally used to describe current anti-intrusion technologies.


IDPS TERMINOLOGY
Alert or alarm: An indication that a system has just been attacked or is under attack.

Evasion: The process by which attackers change the format and/or timing of their activities to avoid being detected by the IDPS.

False attack stimulus: An event that triggers an alarm when no actual attack is in progress.

False negative: The failure of an IDPS to react to an actual attack event.

False positive: An alert or alarm that occurs in the absence of an actual attack.


Noise: Alarm events that are accurate and noteworthy but that do not pose significant threats to information security.

Site policy: The rules and configuration guidelines governing the implementation and operation of IDPSs within the organization.

Site policy awareness: An IDPS’s ability to dynamically modify its configuration in response to environmental activity.

True attack stimulus: An event that triggers alarms and causes an IDPS to react as if a real attack is in progress.

Tuning: The process of adjusting an IDPS to maximize its efficiency in detecting true positives, while minimizing both false positives and false negatives.


Confidence value: The measure of an IDPS’s ability to correctly detect and identify certain types of attacks.

Alarm filtering: The process of classifying IDPS alerts so that they can be more effectively managed.

Alarm clustering and compaction: A process of grouping almost identical alarms that happen at close to the same time into a single higher-level alarm.
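A worked illustration of alarm filtering and of alarm clustering and compaction, added here as an example that is not part of the original slides or of any IDPS product; the alarm fields (ts, signature, src, dst), the noise list and the 60-second window are assumptions.

```python
"""Alarm filtering, clustering and compaction over a constructed alarm stream.

Added example; not code from the slides or from any IDPS product. The Alarm
fields (ts, signature, src, dst) and the 60-second window are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Alarm:
    ts: float        # seconds since some epoch (constructed values below)
    signature: str   # name of the rule or signature that fired
    src: str         # source address reported by the sensor
    dst: str         # destination address reported by the sensor


@dataclass
class ClusteredAlarm:
    """One higher-level alarm standing in for a run of near-identical ones."""
    signature: str
    src: str
    dst: str
    first_seen: float
    last_seen: float
    count: int = 1


# Alarm filtering: classify alerts so the important ones are easier to manage.
# These signatures are treated as "noise" (accurate, but not a real threat).
NOISE_SIGNATURES = {"ICMP echo request"}


def filter_alarms(alarms: List[Alarm]) -> List[Alarm]:
    """Drop alarms whose signature is classified as noise."""
    return [a for a in alarms if a.signature not in NOISE_SIGNATURES]


def cluster_alarms(alarms: List[Alarm], window: float = 60.0) -> List[ClusteredAlarm]:
    """Alarm clustering and compaction.

    Alarms with the same (signature, src, dst) whose timestamp is within
    `window` seconds of the previous member are folded into one cluster.
    A later alarm outside the window opens a fresh cluster for the same key.
    """
    clusters: List[ClusteredAlarm] = []
    open_clusters: Dict[Tuple[str, str, str], ClusteredAlarm] = {}
    for a in sorted(alarms, key=lambda x: x.ts):
        key = (a.signature, a.src, a.dst)
        c = open_clusters.get(key)
        if c is not None and a.ts - c.last_seen <= window:
            c.count += 1
            c.last_seen = a.ts
        else:
            c = ClusteredAlarm(a.signature, a.src, a.dst, a.ts, a.ts)
            clusters.append(c)
            open_clusters[key] = c
    return clusters


def compact(alarms: List[Alarm], window: float = 60.0) -> List[ClusteredAlarm]:
    """Filtering followed by clustering: what an analyst console would show."""
    return cluster_alarms(filter_alarms(alarms), window)


# Constructed sample: five probes of one host a few seconds apart, one noisy
# ping, an unrelated brute-force alarm, and a sixth probe much later.
SAMPLE_ALARMS = [
    Alarm(0.0, "SMB probe", "10.0.0.5", "10.0.0.20"),
    Alarm(10.0, "SMB probe", "10.0.0.5", "10.0.0.20"),
    Alarm(15.0, "ICMP echo request", "10.0.0.9", "10.0.0.20"),
    Alarm(20.0, "SMB probe", "10.0.0.5", "10.0.0.20"),
    Alarm(25.0, "SSH brute force", "10.0.0.7", "10.0.0.21"),
    Alarm(30.0, "SMB probe", "10.0.0.5", "10.0.0.20"),
    Alarm(40.0, "SMB probe", "10.0.0.5", "10.0.0.20"),
    Alarm(200.0, "SMB probe", "10.0.0.5", "10.0.0.20"),
]

if __name__ == "__main__":
    for c in compact(SAMPLE_ALARMS):
        print(f"{c.signature:16} {c.src} -> {c.dst}  x{c.count}  "
              f"[{c.first_seen:.0f}s .. {c.last_seen:.0f}s]")
```

Eight raw alarms become three console entries: the five probes compacted into one alarm with a count, the brute-force alarm, and the late probe as a separate cluster because it fell outside the window.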

TYPES OF IDPS

1. NETWORK-BASED IDPS
A network-based IDPS (NIDPS) resides on a computer or appliance connected to a segment of an organization’s network and monitors network traffic on that network segment, looking for

When examining incoming packets, an NIDPS looks for patterns within network traffic such as
• large collections of related items of a certain type—which could indicate that a denial-of-service attack is underway, or
• the exchange of a series of related packets in a certain pattern—which could indicate that a port scan is in progress.

A NIDPS is installed at a specific place in the network from where it is possible to monitor the traffic going into and out of a particular network segment.

The NIDPS can be deployed to monitor a specific grouping of host computers on a specific network segment, or it may be installed to monitor all traffic between the systems that make up an entire network.


The monitoring port, also known as a switched port analysis (SPAN) port or mirror port, is a specially configured connection on a network device that is capable of viewing all of the traffic that moves through the entire device.

To determine whether an attack has occurred or is underway, NIDPSs compare measured activity to known signatures in their knowledge base.

This is accomplished by means of a special implementation of the TCP/IP stack that reassembles the packets and applies protocol stack verification, application protocol verification, or other verification and comparison techniques.

In the process of protocol stack verification, the NIDPSs look for invalid data packets—that is, packets that are malformed under the rules of the TCP/IP protocol.


In application protocol verification, the higher-order protocols (HTTP, FTP, and Telnet) are examined for unexpected packet behavior or improper use.

The advantages of NIDPSs include the following:
1. Good network design and placement of NIDPS devices can enable an organization to use a few devices to monitor a large network.
2. NIDPSs are usually passive devices and can be deployed into existing networks with little or no disruption to normal network operations.
3. NIDPSs are not usually susceptible to direct attack and, in fact, may not be detectable by attackers.


The disadvantages of NIDPSs include the following:
1. A NIDPS can become overwhelmed by network volume and fail to recognize attacks it might otherwise have detected.
2. NIDPSs require access to all traffic to be monitored.
3. NIDPSs cannot analyze encrypted packets, making some of the network traffic invisible to the process.
4. NIDPSs cannot reliably ascertain if an attack was successful or not.
5. Some forms of attack are not easily discerned by NIDPSs, specifically those involving fragmented packets.

A wireless IDPS monitors and analyzes wireless network traffic, looking for potential problems with the wireless protocols. Unfortunately, wireless IDPSs cannot evaluate and diagnose issues with higher-layer protocols like TCP and UDP.

Wireless IDPS capability can be built into a device that provides a

The wireless IDPS can also detect:
• Unauthorized WLANs and WLAN devices
• Poorly secured WLAN devices
• Unusual usage patterns
• The use of wireless network scanners
• Denial of service (DoS) attacks and conditions
• Impersonation and man-in-the-middle attacks

EXAMPLE: Snort Network IDPS Engine (see www.snort.org).

2. HOST-BASED IDPS
A host-based IDPS (HIDPS) resides on a particular computer or server, known as the host, and monitors activity only on that system.

An HIDPS has an advantage over an NIDPS in that it can access encrypted information traveling over the network and use it to make decisions about potential or actual attacks.


The HIDPS triggers an alert when one of the following occurs:
• file attributes change,
• new files are created, or
• existing files are deleted.

Once properly configured, an HIDPS is very reliable. The only time an HIDPS produces a false positive alert is when an authorized change occurs for a monitored file.
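The three HIDPS triggers above, worked as a small file-integrity check; this is an added example, not code from the slides or from any HIDPS product, and the sample file tree is constructed in a temporary directory.

```python
"""Host-based file-integrity check: baseline a directory tree and report the
three trigger conditions above (attribute/content change, new file, deleted
file). Added example, not code from the slides or from any HIDPS product.
The sample tree is constructed in a temporary directory.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root) -> Dict[str, dict]:
    """Record content hash, size and mode for every regular file under root.

    Keys are POSIX-style relative paths so snapshots compare across runs."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": _sha256(p),
                "size": st.st_size,
                "mode": st.st_mode,   # a permission-bit change is an attribute change
            }
    return baseline


def compare(baseline: Dict[str, dict], current: Dict[str, dict]) -> Dict[str, list]:
    """Return the alerts an HIDPS would raise for the two snapshots.

    Any difference in a monitored file counts, so an authorized change (a
    package upgrade, say) produces exactly the false positive the slides
    describe; the remedy is to re-baseline after approved changes."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "created": sorted(cur_keys - base_keys),
        "deleted": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def demo() -> Dict[str, list]:
    """Constructed scenario exercising all three triggers; returns the alerts."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed placeholder")
        baseline = snapshot(root)

        # Three events after the baseline was taken:
        (root / "etc" / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/sh\nguest:x:1000:1000::/home/guest:/bin/sh\n"
        )                                        # content of a monitored file changed
        (root / "etc" / "hosts").unlink()        # monitored file deleted
        (root / "bin" / "extra").write_bytes(b"new binary")   # new file created
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"ALERT {kind:8} {p}")
```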

The advantages of HIDPSs include:
1. An HIDPS can detect local events on host systems and also detect attacks that may elude a network-based IDPS.
2. An HIDPS functions on the host system, where encrypted traffic will have been decrypted and is available for processing.


3. The use of switched network protocols does not affect an HIDPS.
4. An HIDPS can detect inconsistencies in how applications and systems programs were used by examining the records stored in audit logs. This can enable it to detect some types of attacks, including Trojan horse programs.

The disadvantages of HIDPSs include:
1. HIDPSs pose more management issues because they are configured and managed on each monitored host.
2. An HIDPS is vulnerable both to direct attacks and to attacks against the host operating system.
3. An HIDPS is not optimized to detect multihost scanning, nor is it able to detect the scanning of non-host network devices, such as routers or switches.
4. An HIDPS is susceptible to some denial-of-service attacks.
5. An HIDPS can use large amounts of disk space to retain the host OS audit logs; to function properly, it may be necessary to add disk capacity to the system.
6. An HIDPS can inflict a performance overhead on its host systems, and in some cases may reduce system performance below acceptable levels.

EXAMPLE: Ionx Verisys (File Integrity Monitor), see www.ionx.co.uk.

IDPS DETECTION METHODS
Three detection methods dominate in monitoring and evaluating network traffic:

1. Signature-Based IDPS
A signature-based IDPS (sometimes called a knowledge-based IDPS or a misuse-detection IDPS) examines network traffic in search of patterns that match known signatures—that is, preconfigured,

For example:
(1) footprinting and fingerprinting activities use ICMP, DNS querying, and e-mail routing analysis;
• Footprinting: activities that gather information about the organization and its network activities and assets
• Fingerprinting: activities that scan network locales for active systems and then identify the network services offered by the host systems
(2) exploits use a specific attack sequence designed to take advantage of a vulnerability to gain access to a system;
(3) DoS and DDoS attacks, during which the attacker tries to prevent the normal usage of a system, overload the system with requests so that the system’s ability to process them efficiently is compromised or

A potential problem with the signature-based approach is that new attack strategies must continually be added into the IDPS’s database of signatures; otherwise, attacks that use new strategies will not be recognized and might succeed.

2. Statistical Anomaly-Based IDPS
The statistical anomaly-based IDPS (stat IDPS) or behavior-based IDPS collects statistical summaries by observing traffic that is known to be normal. This normal period of evaluation establishes a performance baseline.

Once the baseline is established, the stat IDPS periodically samples network activity and, using statistical methods, compares the sampled network activity to this baseline. When the measured activity is outside the baseline parameters—exceeding what is called the clipping level—the IDPS sends an alert to the administrator.

The baseline data can include variables such as host memory or CPU usage, network packet types, and packet quantities.

The advantage of the statistical anomaly-based approach is that the IDPS can detect new types of attacks, since it looks for abnormal activity of any type.

Unfortunately, these systems require much more overhead and processing capacity than signature-based IDPSs, because they must constantly compare patterns of activity against the baseline.

Another drawback is that these systems may not detect minor changes to system variables and may generate many false positives.
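The two methods just described (1. signature-based and 2. statistical anomaly-based) run side by side over one constructed traffic sample, scored with the false positive and false negative terms from the terminology slides. This is an added example, not code from the slides or from any IDPS product; the signatures, baseline counts, clipping rule (mean plus three standard deviations) and events are all assumptions.

```python
"""Signature-based versus statistical anomaly-based detection over one
constructed event stream, scored with the false positive / false negative
terminology defined earlier. Added example; not code from the slides or from
any IDPS product. Signatures, baseline counts and events are all constructed.
"""
import statistics
from typing import Callable, Dict, List, Tuple

# --- Signature-based (knowledge-based) detection ---------------------------
# Knowledge base: a name for each preconfigured pattern (constructed values).
SIGNATURES: Dict[str, bytes] = {
    "known-cgi-probe": b"GET /cgi-bin/test-probe",
    "known-scanner-banner": b"SCANNER/1.0",
}


def signature_detect(payload: bytes) -> List[str]:
    """Names of every known signature present in the payload (empty = no alert)."""
    return [name for name, pattern in SIGNATURES.items() if pattern in payload]


# --- Statistical anomaly-based detection -------------------------------------
class StatAnomalyDetector:
    """Learns a baseline from traffic known to be normal, then alerts when a
    sample exceeds the clipping level (mean + k standard deviations)."""

    def __init__(self, clipping_sigmas: float = 3.0):
        self.clipping_sigmas = clipping_sigmas
        self.mean = 0.0
        self.stdev = 1.0

    def train(self, normal_counts: List[float]) -> float:
        """Establish the performance baseline; returns the clipping level."""
        self.mean = statistics.fmean(normal_counts)
        self.stdev = statistics.pstdev(normal_counts) or 1.0
        return self.clipping_level()

    def clipping_level(self) -> float:
        return self.mean + self.clipping_sigmas * self.stdev

    def is_anomalous(self, count: float) -> bool:
        return count > self.clipping_level()


# --- Constructed traffic -----------------------------------------------------
# Packets per second observed during a period known to be normal.
BASELINE_COUNTS = [100, 105, 98, 102, 110, 95, 101, 99, 104, 97]

# One-second samples: (packets/sec, sample payload, is_real_attack).
EVENTS: List[Tuple[int, bytes, bool]] = [
    (103, b"GET /index.html HTTP/1.1", False),          # ordinary browsing
    (104, b"GET /cgi-bin/test-probe HTTP/1.0", True),   # known probe, low volume
    (5000, b"GET /index.html HTTP/1.1", True),          # flood with no signature
    (400, b"GET /backup.tar HTTP/1.1", False),          # legitimate nightly backup
    (99, b"SCANNER/1.0 hello", True),                   # known scanner banner
]


def evaluate(alerts: Callable[[Tuple[int, bytes, bool]], bool],
             events=EVENTS) -> Dict[str, int]:
    """Count true positives, false positives and false negatives for a detector."""
    tally = {"tp": 0, "fp": 0, "fn": 0}
    for ev in events:
        fired, is_attack = alerts(ev), ev[2]
        if fired and is_attack:
            tally["tp"] += 1
        elif fired and not is_attack:
            tally["fp"] += 1       # alert with no real attack
        elif not fired and is_attack:
            tally["fn"] += 1       # real attack, no reaction
    return tally


def run_comparison() -> Dict[str, Dict[str, int]]:
    stat = StatAnomalyDetector(clipping_sigmas=3.0)
    stat.train(BASELINE_COUNTS)
    return {
        "signature": evaluate(lambda ev: bool(signature_detect(ev[1]))),
        "anomaly": evaluate(lambda ev: stat.is_anomalous(ev[0])),
    }


if __name__ == "__main__":
    det = StatAnomalyDetector()
    print(f"clipping level = {det.train(BASELINE_COUNTS):.1f} packets/s")
    for name, tally in run_comparison().items():
        print(name, tally)
```

The signature detector misses the novel flood (a false negative) while the anomaly detector catches it but also fires on the benign backup burst (a false positive) and never sees the two low-volume known probes, which is the trade-off the slides describe.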


3. Stateful Protocol Analysis IDPS
Stateful protocol analysis (SPA) is a process of comparing predetermined profiles of generally accepted definitions of benign activity for each protocol state against observed events to identify deviations. Essentially, the IDPS knows how a protocol, such as FTP, is supposed to work, and therefore can detect anomalous behavior.

By storing relevant data detected in a session and then using that data to identify intrusions that involve multiple requests and responses, the IDPS can better detect specialized, multisession attacks.

This process is sometimes called deep packet inspection because SPA closely examines packets at the application layer for information that indicates a possible intrusion.


Stateful protocol analysis can also examine authentication sessions for suspicious activity as well as for attacks that incorporate “unexpected sequences of commands, such as issuing the same command repeatedly or issuing a command without first issuing a command upon which it is dependent.”

Unfortunately, the analytical complexity of session-based assessments is the principal drawback to this type of IDPS method, which also requires heavy processing overhead to track multiple simultaneous connections.

Additionally, unless a protocol violates its fundamental behavior, this IDPS method may completely fail to detect an intrusion.
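Stateful protocol analysis of the FTP example used above, as an added illustration that is not code from the slides or from any IDPS: a per-state profile of benign commands, a constructed session that issues PASS before USER and repeats one command, and a clean session that shows the caveat just stated. The simplified FTP state machine and the repeat limit are assumptions of this example.

```python
"""Stateful protocol analysis of an FTP control channel. Added example; not
code from the slides or any IDPS. The state profile is a simplified
assumption about the FTP login sequence, and the sessions are constructed.
It flags a command issued before the command it depends on, and the same
command issued repeatedly.
"""
from typing import Dict, List, Tuple

# Profile of benign behaviour per protocol state: state -> {command: next state}.
# Assumption of this example: a minimal client state machine, not full FTP.
PROFILE: Dict[str, Dict[str, str]] = {
    "connected": {"USER": "need_pass", "QUIT": "closed"},
    "need_pass": {"PASS": "logged_in", "QUIT": "closed"},
    "logged_in": {cmd: "logged_in" for cmd in
                  ("CWD", "PWD", "PASV", "PORT", "LIST", "RETR", "STOR", "TYPE")},
    "closed": {},
}
PROFILE["logged_in"]["QUIT"] = "closed"

REPEAT_LIMIT = 3   # more consecutive repeats of one command than this is suspicious

Alert = Tuple[int, str, str]   # (command index, verb, reason)


def analyze_session(commands: List[str]) -> Tuple[str, List[Alert]]:
    """Walk the client's commands through the profile; return final state and alerts."""
    state = "connected"
    alerts: List[Alert] = []
    prev_verb, run_length = None, 0
    for i, line in enumerate(commands):
        parts = line.split()
        verb = parts[0].upper() if parts else ""
        run_length = run_length + 1 if verb == prev_verb else 1
        prev_verb = verb

        allowed = PROFILE.get(state, {})
        if verb in allowed:
            state = allowed[verb]
        else:
            # Out of order (e.g. PASS with no USER) or not part of the profile.
            # The server would reject it, so the tracked state does not advance.
            alerts.append((i, verb, f"{verb} not expected in state '{state}'"))

        if run_length == REPEAT_LIMIT + 1:   # report once per run, not per repeat
            alerts.append((i, verb, f"{verb} issued {run_length} times in a row"))
    return state, alerts


# Constructed session: PASS sent before USER, then a burst of identical RETRs.
SUSPICIOUS_SESSION = [
    "PASS secret",
    "USER alice",
    "PASS hunter2",
    "PWD",
    "CWD /pub",
    "RETR report.pdf",
    "RETR report.pdf",
    "RETR report.pdf",
    "RETR report.pdf",
    "QUIT",
]

# A session that never violates the protocol is invisible to this method,
# even if what it transfers is sensitive: the caveat stated above.
CLEAN_SESSION = ["USER bob", "PASS x", "TYPE I", "RETR payroll.xlsx", "QUIT"]

if __name__ == "__main__":
    for name, session in (("suspicious", SUSPICIOUS_SESSION), ("clean", CLEAN_SESSION)):
        final_state, found = analyze_session(session)
        print(name, "->", final_state, found or "no alerts")
```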


In general, intrusion detection and prevention systems perform the following functions well:
• Monitoring and analysis of system events and user behaviors
• Testing the security states of system configurations
• Baselining the security state of a system, then tracking any changes to that baseline
• Recognizing patterns of system events that correspond to known attacks
• Recognizing patterns of activity that statistically vary from normal activity
• Managing operating system audit and logging mechanisms and the data they generate
• Alerting appropriate staff by appropriate means when attacks are detected
• Measuring enforcement of security policies encoded in the analysis engine
• Providing default information security policies
• Allowing non-security experts to perform important security monitoring functions

However, intrusion detection systems cannot perform the following functions:
• Compensating for weak or missing security mechanisms in the protection infrastructure, such as firewalls, identification and authentication systems, link encryption systems, access control mechanisms, and virus detection and eradication software
• Instantaneously detecting, reporting, and responding to an attack when there is a heavy network or processing load
• Detecting newly published attacks or variants of existing attacks
• Effectively responding to attacks launched by sophisticated attackers
• Automatically investigating attacks without human intervention
• Resisting all attacks that are intended to defeat or circumvent them
• Compensating for problems with the fidelity of information sources
• Dealing effectively with switched networks


HONEYPOTS, HONEYNETS, AND PADDED CELL SYSTEMS

HONEYPOTS
A computer set up as a sacrificial lamb on the network in the hope that attackers will attack this system instead of actual production systems.

The system is not locked down and has open ports and services enabled. This is to entice a would-be attacker to this computer instead of attacking authentic production systems on a network.

Honeypots are decoy systems designed to lure potential attackers away from critical systems.

A honeypot system contains pseudo-services that emulate well-known services, but is configured in ways that make it look vulnerable to attacks.

This combination is meant to lure potential attackers into committing an attack, thereby revealing themselves.

Once organizations have detected these attackers, they can better defend their networks against future attacks targeting real assets.

In sum, honeypots are designed to do the following:
• Divert an attacker from critical systems
• Collect information about the attacker’s activity
• Encourage the attacker to stay on the system long enough for administrators to document the event and, perhaps, respond

Honeypots are instrumented with sensitive monitors and event loggers that detect attempts to access the system and collect information about the potential attacker’s activities.


When a collection of honeypots connects several honeypot systems on a subnet, it may be called a honeynet.

A padded cell is a honeypot that has been protected so that it cannot be easily compromised—in other words, a hardened honeypot.

In addition to attracting attackers with tempting data, a padded cell operates in tandem with a traditional IDPS. When the IDPS detects attackers, it seamlessly transfers them to a special simulated environment where they can cause no harm—the nature of this host environment is what gives the approach the name “padded cell.”


The advantages and disadvantages of using the honeypot or padded cell approach are summarized below:

Advantages:
• Attackers can be diverted to targets that they cannot damage.
• Administrators have time to decide how to respond to an attacker.
• Attackers’ actions can be easily and more extensively monitored, and the records can be used to refine threat models and improve system protections.
• Honeypots may be effective at catching insiders who are snooping around a network.


Disadvantages:
• The legal implications of using such devices are not well understood.
• Honeypots and padded cells have not yet been shown to be generally useful security technologies.
• An expert attacker, once diverted into a decoy system, may become angry and launch a more aggressive attack against an organization’s systems.
• Administrators and security managers need a high level of expertise to use these systems.


SCANNING AND ANALYSIS TOOLS

The attack protocol is a series of steps or processes used by an attacker, in a logical sequence, to launch an attack against a target system or network.

PORT SCANNERS
Port scanners are tools used by both attackers and defenders to identify (or fingerprint):
• the computers that are active on a network, as well as the ports and services active on those computers,
• the functions and roles the machines are fulfilling, and other useful information.

A port is a network channel or connection point in a data communications system.

The general rule of thumb is to remove from service or secure any port not absolutely necessary to conducting business. For example, if a business doesn’t host Web services, there is no need for port 80 to be available on its servers.

Probably the most popular port scanner is Nmap, which runs on both Unix and Windows systems. You can find out more about Nmap at www.insecure.org.

FIREWALL ANALYSIS TOOLS
Understanding exactly where an organization’s firewall is located and what the existing rule sets on the firewall do are very important steps for any security administrator.


The Nmap tool mentioned earlier has some advanced options that are useful for firewall analysis.

Another tool that can be used to analyze firewalls is Firewalk. Running Firewalk against a target machine reveals where routers and firewalls are filtering traffic to the target host. More information on Firewalk can be obtained from www.packetstormsecurity.org/UNIX/audit/firewalk.

Another firewall analysis tool worth mentioning is HPING, which is a modified ping client. It supports multiple protocols and has a command-line method of

OPERATING SYSTEM DETECTION TOOLS
Detecting a target computer’s operating system is very valuable to an attacker, because once the OS is known, all of the vulnerabilities to which it is susceptible can easily be determined.

One specific tool worth mentioning is Xprobe, which uses ICMP to determine the remote OS. This tool can be found at www.Sourceforge.Net/projects/xprobe.

VULNERABILITY SCANNERS
Active vulnerability scanners scan networks for highly detailed information. An active scanner is one that initiates traffic on the network in order to determine security holes.

This type of scanner identifies:
• exposed usernames and groups,
• open network shares, and
• configuration problems and other vulnerabilities in servers.

An example of a vulnerability scanner is GFI LANguard Network Security Scanner (NSS), which is available as freeware for noncommercial use.

Another example of a vulnerability scanner is Nessus, which is a professional freeware utility that uses IP packets to identify:
• the hosts available on the network,
• the services (ports) they are offering,
• the operating system and OS version they are running,
• the type of packet filters and firewalls in use, and
• dozens of other characteristics of the network.

The most popular scanners seem to be Nessus, Retina, and Internet Scanner. The Nessus scanner is available at no cost; the other two require a license fee.

Often, some members of an organization require proof that a system is actually vulnerable to a certain attack. Three tools that can perform this action are Core Impact, Immunity’s CANVAS, and the Metasploit Framework. Of these three tools, only the Metasploit Framework is available without a license fee (see www.metasploit.com).


A passive vulnerability scanner is one that listens in on the network and determines vulnerable versions of both server and client software. These tools simply monitor the network connections to and from a server to obtain a list of vulnerable applications.

Furthermore, passive vulnerability scanners have the ability to find client-side vulnerabilities that are typically not found by active scanners.

Examples: Tenable Network Security with its Passive Vulnerability Scanner (PVS) and Sourcefire with its RNA product.


The following table summarizes Web addresses for the products mentioned in the vulnerability scanners section.

PACKET SNIFFERS
A packet sniffer (sometimes called a network protocol analyzer) is a network tool that collects copies of packets from the network and analyzes them. It can provide a network administrator with valuable information for diagnosing and resolving networking issues. In the wrong hands, however, a sniffer can be used to eavesdrop on network traffic.

There are both commercial and open-source sniffers—more specifically, Sniffer is a commercial product, and Snort is open-source software. An excellent free, client-based network protocol analyzer is Wireshark (www.Wireshark.Org), formerly known as Ethereal.

Wireshark allows the administrator to examine data from both live

To use a packet sniffer legally, the administrator must
(1) be on a network that the organization owns,
(2) be under direct authorization of the owners of the network, and
(3) have knowledge and consent of the content creators.

Packet sniffing should be construed as a form of employee monitoring.

There are a number of open-source sniffers that support alternate networking approaches that can, in turn, enable packet sniffing in a switched network environment. Two of these alternate networking approaches are ARP-spoofing and session hijacking (which uses tools like ettercap).


A wireless security toolkit should include the ability to sniff wireless traffic, scan wireless hosts, and assess the level of privacy or confidentiality afforded on the wireless network.

The top five wireless sniffing and other tools are:
• Kismet, a powerful wireless sniffer, network detector, and IDPS, which works by passively sniffing the networks
• Netstumbler, a freeware Windows stumbler available at www.netstumbler.org
• Aircrack, a WEP/WPA cracking tool
• Airsnort, an 802.11 WEP encryption cracking tool
• KisMac, a GUI passive wireless stumbler for Mac OS X (variation of Kismet)


BIOMETRIC ACCESS CONTROLS

Biometric access control is based on the use of some measurable human characteristic or trait to authenticate the identity of a proposed systems user (a supplicant). It relies upon recognition

Biometric authentication technologies include the following:
• Fingerprint comparison of the supplicant’s actual fingerprint to a stored fingerprint
• Palm print comparison of the supplicant’s actual palm print to a stored palm print
• Hand geometry comparison of the supplicant’s actual hand to a stored measurement
• Facial recognition using a photographic ID card, in which a human security guard compares the supplicant’s face to a photo
• Facial recognition using a digital camera, in which a supplicant’s face is compared to a stored image
• Retinal print comparison of the supplicant’s actual retina to a stored image
• Iris pattern comparison of the supplicant’s actual iris to a stored image

Among all possible biometrics, only three human characteristics are usually considered truly unique. They are as follows:
• Fingerprints
• Retina of the eye (blood vessel pattern)
• Iris of the eye (random pattern of features found in the iris, including freckles, pits, striations, vasculature, coronas, and

Most of the technologies that scan human characteristics convert these images to some form of minutiae. Minutiae are unique points of reference that are digitized and stored in an encrypted format when the user’s system access credentials are created.

A problem with this method is that some human characteristics can change over time, due to normal development, injury, or illness, which means that system designers must create fallback or failsafe authentication mechanisms.

Biometric technologies are evaluated on three basic criteria:

First, the false reject rate, which is the percentage of supplicants who are in fact authorized users but are denied access. This failure is known as a Type I error. The false reject rate is often ignored unless it reaches a level high enough to generate complaints from irritated supplicants.


Second, the false accept rate, which is the percentage of supplicants who are unauthorized users but are granted access. This failure is known as a Type II error, and is unacceptable to security professionals.

Third, the crossover error rate, which is the level at which the number of false rejections equals the false acceptances.
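The three criteria computed over a constructed set of match scores, as an added example that is not part of the original slides and not drawn from any real biometric system; the 0 to 100 similarity scale, the accept-if-score-at-or-above-threshold rule and the score lists are assumptions.

```python
"""False reject rate (Type I), false accept rate (Type II) and crossover error
rate computed from constructed match scores. Added example; the scores are
not from any real biometric system. Each comparison yields a similarity score
from 0 to 100, and the system accepts a supplicant when score >= threshold.
"""
from typing import Iterable, List, Tuple

# Constructed scores. GENUINE: authorized users compared with their own
# enrolled template. IMPOSTOR: unauthorized users compared with someone
# else's template.
GENUINE: List[int] = [92, 88, 75, 95, 81, 68, 90, 85, 79, 60]
IMPOSTOR: List[int] = [30, 45, 62, 20, 55, 71, 38, 50, 66, 42]


def false_reject_rate(genuine: List[int], threshold: float) -> float:
    """Type I error: percentage of authorized users denied access."""
    return 100.0 * sum(s < threshold for s in genuine) / len(genuine)


def false_accept_rate(impostor: List[int], threshold: float) -> float:
    """Type II error: percentage of unauthorized users granted access."""
    return 100.0 * sum(s >= threshold for s in impostor) / len(impostor)


def crossover_error_rate(genuine: List[int], impostor: List[int],
                         thresholds: Iterable[int] = range(0, 101)) -> Tuple[int, float, float]:
    """Threshold at which FRR and FAR are equal (or closest, on a discrete
    sweep); returns (threshold, frr, far). A lower crossover rate means a
    more accurate sensor."""
    best = None
    for t in thresholds:
        frr, far = false_reject_rate(genuine, t), false_accept_rate(impostor, t)
        if best is None or abs(frr - far) < abs(best[1] - best[2]):
            best = (t, frr, far)
    return best


def strictest_threshold(genuine: List[int], impostor: List[int],
                        max_far: float = 0.0) -> Tuple[int, float]:
    """Smallest threshold whose FAR does not exceed max_far, with the FRR paid
    for it. Treating any false accept as unacceptable means choosing a
    threshold above the crossover point and accepting more false rejects."""
    for t in range(0, 101):
        if false_accept_rate(impostor, t) <= max_far:
            return t, false_reject_rate(genuine, t)
    return 101, 100.0


if __name__ == "__main__":
    t, frr, far = crossover_error_rate(GENUINE, IMPOSTOR)
    print(f"crossover at threshold {t}: FRR={frr:.0f}% FAR={far:.0f}%")
    t0, frr0 = strictest_threshold(GENUINE, IMPOSTOR)
    print(f"zero false accepts needs threshold {t0}, costing FRR={frr0:.0f}%")
```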

PHYSICAL SECURITY
Physical security encompasses the design, implementation, and maintenance of countermeasures that protect the physical resources of an organization, including the people, hardware, and supporting system elements and resources that control information in all its states (transmission, storage, and processing).


In his book, Fighting Computer Crime, Donn B. Parker lists the following “Seven Major Sources of Physical Loss”:
1. Extreme temperature: heat, cold
2. Gases: war gases, commercial vapors, humid or dry air, suspended particles
3. Liquids: water, chemicals
4. Living organisms: viruses, bacteria, people, animals, insects
5. Projectiles: tangible objects in motion, powered objects
6. Movement: collapse, shearing, shaking, vibration, liquefaction, flow waves, separation, slide
7. Energy anomalies: electrical surge or failure, magnetism, static electricity, aging circuitry; radiation: sound, light, radio, microwave, electromagnetic, atomic


Some of the major physical controls are:
• Walls, fencing, and gates
• Guards
• Dogs
• ID cards and badges
• Locks and keys
• Mantraps: a mantrap is a small enclosure that has separate entry and exit points. To gain access to the facility, area, or room, a person enters the mantrap, requests access via some form of electronic or biometric lock and key, and if confirmed, exits the mantrap into the facility. Otherwise the person cannot leave the mantrap until a security official overrides the enclosure’s automatic locks.
• Electronic monitoring
• Alarms and alarm systems
• Computer rooms and wiring closets
• Interior walls and doors