Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download Principles of Computer Security
Document related concepts
Multilevel security wikipedia , lookup
Cyberwarfare wikipedia , lookup
Cracking of wireless networks wikipedia , lookup
Unix security wikipedia , lookup
Information security wikipedia , lookup
Wireless security wikipedia , lookup
Post-quantum cryptography wikipedia , lookup
Distributed firewall wikipedia , lookup
Computer and network surveillance wikipedia , lookup
Mobile security wikipedia , lookup
Security printing wikipedia , lookup
Airport security wikipedia , lookup
Cyber-security regulation wikipedia , lookup
Cybercrime countermeasures wikipedia , lookup
Transcript
Principles of Computer Security: CompTIA Security+ Security+® and Beyond, Third Edition Intrusion Detection Systems and Network Security Chapter 13 © 2012 Principles of Computer Security: CompTIA Security+ Security+® and Beyond, Third Edition Objectives • Apply the appropriate network tools to facilitate network security. • Determine the appropriate use of tools to facilitate network security. • Apply host-based security applications. © 2012 Principles of Computer Security: CompTIA Security+ Security+® and Beyond, Third Edition Key Terms • Access control lists • (ACLs) • • Antispam • • Antivirus • • Content-based signature • Context-based signature • False negative • False positive • Firewall • Heuristic scanning © 2012 Honeypot Host-based IDS (HIDS) Internet content filter Intrusion detection system (IDS) Principles of Computer Security: CompTIA Security+ Security+® and Beyond, Third Edition Network Security: A Layered Approach • As need for security increases, layers of security should be added. – Layers could include passwords, firewalls, access lists, file permissions, and intrusion detection systems • Intrusion detection systems are one of the more complex layers. – Detects inappropriate or malicious activity on a computer or network. © 2012 Principles of Computer Security: CompTIA Security+ Security+® and Beyond, Third Edition History of Intrusion Detection Systems • Stalker (host-based) released 1989 • Mid-1990s IDS gain popularity commercially. • WheelGroup develops first network-based IDS under the name NetRanger. • Internet Security Systems’ Realsecure released in 1996. • By 1998 IDS was considered a vital part of network security. © 2012 Principles of Computer Security: CompTIA Security+ Security+® and Beyond, Third Edition History of the Internet and IDS © 2012 Principles of Computer Security: CompTIA Security+ Security+® and Beyond, Third Edition IDS Components • • • • © 2012 Traffic collector / sensor Analysis engine Signature database User interface and reporting Principles of Computer Security: CompTIA Security+ Security+® and Beyond, Third Edition IDS Components (continued) © 2012 Principles of Computer Security: CompTIA Security+ Security+® and Beyond, Third Edition Types of IDS • Host-based IDS (HIDS) • Network-based IDS (NIDS) • Distinguished by detection method: – Signature-based IDS - Relies heavily on a predefined set of attack and traffic patterns called signatures. – Anomaly-based (heuristic) IDS - Monitors activity and attempts to classify it as either “normal” or “anomalous.” © 2012 Principles of Computer Security: CompTIA Security+ Security+® and Beyond, Third Edition Network IDS Components © 2012 Principles of Computer Security: CompTIA Security+ Security+® and Beyond, Third Edition • Advantages of NIDS – Providing IDS coverage requires fewer systems. – Deployment, maintenance, and upgrade costs are usually lower. – A NIDS has visibility into all network traffic and can correlate attacks among multiple systems. • Disadvantages of NIDS – – – – © 2012 It is ineffective when traffic is encrypted. It can’t see traffic that does not cross it. It must be able to handle high volumes of traffic. It doesn’t know about activity on the hosts themselves. Principles of Computer Security: CompTIA Security+ Security+® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ Security+® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ Security+® and Beyond, Third Edition Active vs. Passive NIDS • Passive NIDS – Generates an alarm when it matches a pattern and does not interact with the traffic in any way. • Active NIDS – Reactive response to an attack such as a TCP reset. • TCP reset – The most common defensive ability for an active NIDS. – The reset message (RST) tells both sides of the connection to drop the session and stop communicating immediately. © 2012 Principles of Computer Security: CompTIA Security+ Security+® and Beyond, Third Edition Signatures • Content-based signatures – Matching characters or strings – Generally the simplest types – Easy to build and look for simple things, such as a certain string of characters or a certain flag set in a TCP packet • Context-based signatures (heuristics) – Matching patterns of activity – Generally more complex © 2012 Principles of Computer Security: CompTIA Security+ Security+® and Beyond, Third Edition Firewalls • A network device—hardware, software, or a combination thereof • Determines what traffic should be allowed or denied to pass in or out of a network © 2012 Principles of Computer Security: CompTIA Security+ Security+® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ Security+® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ Security+® and Beyond, Third Edition How Firewalls Work • Firewall Mechanisms – – – – Network Address Translation (NAT) Basic packet filtering (header information) Stateful inspection (header and contents) pg 335 Access control lists (ACLs) • Rules applied to ports and IP addresses © 2012 Principles of Computer Security: CompTIA Security+ Security+® and Beyond, Third Edition Intrusion Prevention Systems • In addition to IDS functions, it has the capability of stopping or preventing malicious attack. • Some can inspect encrypted traffic (SSL traffic) • Often rated by the amount of traffic that can be processed without dropping packets. © 2012 Principles of Computer Security: CompTIA Security+ Security+® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ Security+® and Beyond, Third Edition Internet Content Filters • Used to: – Filter undesirable content – Filter malicious code such as browser hijacking attempts • Challenges: – Blacklists of websites difficult to maintain – Keyword filtering may generate false positives – Determined users will attempt to bypass the system • Barracuda Case Study © 2012 Principles of Computer Security: CompTIA Security+ Security+® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ Security+® and Beyond, Third Edition Honeypots and Honeynets • A honeypot is a system or group of systems designed to attract an attacker’s attention. – Allows the attackers methods to be observed without putting real systems at risk – Activity recorded for later analysis – Afford information and additional security but require significant cost and effort to maintain • A honeynet is a group of honeypots. © 2012 Principles of Computer Security: CompTIA Security+ Security+® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ Security+® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ Security+® and Beyond, Third Edition Host-Based IDS (HIDS) • Examines activity only on a specific host – Examines logs, audit trails, and network traffic coming into or leaving the host – Examination is done in real time or periodically • Flags that may raise the alarm in a HIDS – – – – © 2012 Login failures Logins at irregular hours Privilege escalation Additions of new user accounts Principles of Computer Security: CompTIA Security+ Security+® and Beyond, Third Edition How HIDS Work • The traffic collector aggregates information. • The analysis engine reviews the data. – May implement a decision tree to classify activities and make decisions – Signature database may be used to match activities to predefined activity or patterns • Users work with HIDS through the user interface which include the visible components of the HIDS. © 2012 Principles of Computer Security: CompTIA Security+ Security+® and Beyond, Third Edition Antivirus Products • Used to identify, neutralize, or remove malicious programs, macros, and files. • Scanning approaches: – Signature-based scanning – Heuristic scanning • Modern antivirus products have: – Automated updates – Automated scanning – Media scanning © 2012 – Manual Scanning – E-mail scanning – Resolution Principles of Computer Security: CompTIA Security+ Security+® and Beyond, Third Edition Personal Software Firewalls • Host-based protective mechanism that controls traffic going into and out of a single system. • Various free and commercial firewall software is available. • Zone Alarm © 2012 Principles of Computer Security: CompTIA Security+ Security+® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ Security+® and Beyond, Third Edition Pop-up Blockers and Windows Defender • Pop-up Blockers – Attempts to prevent web pages from opening a new tab or window • Windows Defender – Designed to remove spyware and unwanted programs from your PC – Includes spyware detection and removal, scheduled scanning, automatic updates, real-time protection, software explorer, and configurable responses © 2012 Principles of Computer Security: CompTIA Security+ Security+® and Beyond, Third Edition Chapter Summary • Apply the appropriate network tools to facilitate network security. • Determine the appropriate use of tools to facilitate network security. • Apply host-based security applications. © 2012
