Friday, April 6, 2012

Intrusion Detection/Prevention Systems

  • Intrusion Detection Systems form a small but critical piece of the computer security jigsaw, alerting on intrusions and attacks aimed at computers or networks. They are not the computer security panacea, but they are your eyes and ears, essential in knowing whether you are under attack. Intrusion Prevention Systems take this concept to the next level: they sit inline and block the packets you tell them to, based on signatures just as an IDS does. They can be highly effective as a defensive tool but need to be configured with great care and attention, in stages.
  • Application IDS
  • As the name suggests, an application IDS/IPS works solely with the application itself. They tend to be tailored to a specific product that provides externally visible services, such as web servers, databases and mail servers. An application IDS reports when nefarious activity is detected, most usually from logs generated by the application, whilst an application IPS not only detects such activity but also blocks it, protecting the application from attack.
  • Attack Mitigation Systems
  • The main distinction between NIPS and mitigators is that mitigators are designed to do one specific job: detect and mitigate DoS/DDoS attacks and the side effects of worm activity. NIPS are designed to detect malicious traffic and drop the packet or stream. NIPS are not necessarily good at mitigating DoS/DDoS attacks, and mitigators generally do not have the signature coverage to provide good NIPS functionality. NIPS are like IDS but in-line. Mitigators are like firewalls but designed to detect and prevent DoS attacks rather than to enforce policy.
  • File Integrity Checkers
  • When a system is compromised an attacker will often alter certain key files to provide continued access and prevent detection. By applying a message digest (cryptographic hash) to key files and then checking the files periodically to ensure the hash has not altered, a degree of assurance is maintained. On detecting a change an alert is triggered. Furthermore, following an attack the same files can have their integrity checked to assess the extent of the compromise.
  • HoneyPots
  • Honeypots are a highly flexible security tool with differing applications for security. They don't fix a single problem; instead they have multiple uses, such as prevention, detection, or information gathering. Honeypots all share the same concept: a security resource that should not have any production or authorized activity. This makes them very simple to use. There are two general types of honeypots, production and research. Production honeypots are easy to use, capture only limited information, and are used primarily by companies or corporations. Research honeypots are complex to deploy and maintain, capture extensive information, and are used primarily by research, military, or government organizations.
  •  Host Based IDS (HIDS) / Event Log Viewers
  • This kind of IDS monitors event logs from multiple sources for suspicious activity. Host IDSs are best placed to detect computer misuse by trusted insiders and by those who have already infiltrated your network.
  • Host Intrusion Prevention System (HIPS)
  • Firewalls protect a host by monitoring network packets and attempting to identify good vs. bad traffic. A complementary program to firewalls is the Host Intrusion Prevention System (HIPS).
  • HIPS works to protect a host by monitoring the applications that execute on it. HIPS looks at what the program does, either by intercepting system calls or by watching packets or other system activity. These may be rule based or may assign scores to certain activity.
  •  Firewall and IDS Load Balancers
  • These products ensure availability and throughput by providing redundant systems to overcome failure and performance issues.
  •  Net Flow Analyzers
  • Any device that monitors the network traffic between two or more connected computer systems. By examining the flow of traffic, network flow analysers can be used to find out where problems (such as bottlenecks/congestion or the failure of a network device) are on a LAN. Advanced network flow analysers can also provide statistics on the traffic that help to identify trends that may in future lead to further problems with the network.
  • NetFlow and SFlow Exporters
  • List of vendors that export to NetFlow and SFlow
  • Network Intrusion Detection System (NIDS)
  • Monitors all network traffic passing on the segment where the agent is installed, reacting to any anomalous or signature-matching activity. Basically this is a packet sniffer with attitude. They analyse every packet for suspected nefarious activity; most will also look for anomalies within the protocol.
  • Network Intrusion Prevention System (NIPS)
  • Network IPSs sit inline on the network, statefully analysing packet content, blocking certain packets that match a signature and alerting on others. It is sometimes easier to explain what isn't an IPS, for instance products that just block by port such as routers and many firewalls. Furthermore, an IPS must block the packet itself and not merely send TCP resets, spoof reject packets from border devices or update border devices to shun addresses.
  • Network Taps
  • Network taps were developed to address perhaps the most prevalent issue with network intrusion detection deployments: how to connect the IDS to the network.
  • Protocol Analyzers
  • Any device that captures and interprets the network traffic between two or more connected computer systems. The traffic can then be decoded so that it is possible to see what processes are occurring. By examining the flow of traffic, protocol analysers can be used to find out where problems (such as bottlenecks or the failure of a network device) are on a LAN.  Advanced protocol analysers can also provide statistics on the traffic that can help to identify trends that may in future lead to further problems with the network.
  • Security Information Managers
  • Switch Port Mirroring
  • The advent of switched networks left network IDSs with great difficulty in promiscuously monitoring their networks. This was overcome by configuring a switch to replicate the data from all ports or VLANs onto a single port.
  • Tap Detection
  • Readily available network taps enable the non-invasive tapping and monitoring of copper and fibre-optic data transmission streams. Tap detection products provide ways to identify such intrusions.
  • Wireless IDS
  • Wireless Intrusion Detection Systems are designed specifically to identify attacks aimed at 802.11 networks. The sensors detect attacks from a wireless interface.
  •  Other Information about IDS/IPS
  • Six Integral Steps to Selecting the Right IPS for Your Network
  • Guide to Intrusion Detection and Prevention Systems - from NIST
  • Our own Andy Cuff has authored:
      ◦ Intrusion Detection Terminology, A-H
      ◦ Intrusion Detection Terminology, I-Z
      ◦ Checklist for Deploying an IDS
  • Source: Securitywizardry
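The File Integrity Checkers entry above describes hashing key files and periodically re-checking them. The following is an added example, not code from the original post or from any product it lists: it builds a SHA-256 baseline of a set of files, protects the baseline record itself with an HMAC (so an intruder who can edit the files cannot simply rewrite the stored hashes), and reports changed and missing files. The file names and the key are constructed demo values.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

def hash_file(path: Path, chunk: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(paths, key: bytes) -> dict:
    """Digest and mode of every monitored file, plus an HMAC over the whole record so
    that tampering with the baseline itself is detected (the key must live off-host)."""
    files = {}
    for p in map(Path, paths):
        files[str(p)] = {"sha256": hash_file(p), "mode": p.stat().st_mode}
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "mac": hmac.new(key, body, "sha256").hexdigest()}

def check_integrity(baseline: dict, key: bytes) -> dict:
    """Verify the baseline's MAC, re-hash every listed file and report what differs."""
    body = json.dumps(baseline["files"], sort_keys=True).encode()
    if not hmac.compare_digest(baseline["mac"], hmac.new(key, body, "sha256").hexdigest()):
        raise ValueError("baseline record altered or wrong key")
    changed, missing = [], []
    for path, rec in baseline["files"].items():
        p = Path(path)
        if not p.exists():
            missing.append(p.name)
        elif hash_file(p) != rec["sha256"] or p.stat().st_mode != rec["mode"]:
            changed.append(p.name)
    return {"changed": sorted(changed), "missing": sorted(missing)}

def demo() -> dict:
    """Constructed scenario (demo key; a real key stays off the host): baseline three
    files in a temporary directory, then alter one and delete another."""
    key = b"constructed-demo-key"
    with tempfile.TemporaryDirectory() as tmp:
        d, names = Path(tmp), ("passwd", "sshd_config", "sudoers")
        for n in names:
            (d / n).write_text(f"original {n}\n")
        base = build_baseline([d / n for n in names], key)
        (d / "sshd_config").write_text("altered content\n")  # simulated tampering
        (d / "sudoers").unlink()                               # simulated removal
        return check_integrity(base, key)

if __name__ == "__main__":
    print(demo())  # {'changed': ['sshd_config'], 'missing': ['sudoers']}
```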

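The Host Based IDS entry above says a HIDS watches event logs from multiple sources for suspicious activity. As an added example (not from the original post or any listed product), this correlates sshd and sudo entries from one host: a login that follows a burst of failed passwords from the same source is flagged, and a root-level sudo by that user shortly afterwards is flagged as a follow-on. The log lines, hostnames, addresses and thresholds are all constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog-style lines from two sources on one host (sshd and sudo); not real logs.
SAMPLE_LOGS = """\
Apr  6 09:01:10 web1 sshd[2101]: Failed password for alice from 10.0.0.5 port 51234 ssh2
Apr  6 09:01:12 web1 sshd[2101]: Failed password for alice from 10.0.0.5 port 51236 ssh2
Apr  6 09:01:15 web1 sshd[2101]: Failed password for alice from 10.0.0.5 port 51240 ssh2
Apr  6 09:01:18 web1 sshd[2101]: Accepted password for alice from 10.0.0.5 port 51242 ssh2
Apr  6 09:02:03 web1 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers
Apr  6 09:30:00 web1 sshd[2200]: Accepted publickey for bob from 10.0.0.9 port 40001 ssh2
Apr  6 09:31:00 web1 sudo:   bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
"""

TS = r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ "   # timestamp then hostname
FAIL = re.compile(TS + r"sshd\[\d+\]: Failed password for (\S+) from (\S+)")
ACCEPT = re.compile(TS + r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")
SUDO = re.compile(TS + r"sudo:\s+(\S+) : .*USER=(\S+) ; COMMAND=(.*)$")

def parse_ts(text: str) -> datetime:
    # Syslog timestamps carry no year; only differences between stamps are used here.
    return datetime.strptime(text, "%b %d %H:%M:%S")

def analyse(lines, fail_threshold: int = 3, window_s: int = 300, follow_s: int = 600) -> list:
    """Correlate sshd and sudo events: flag a login preceded by repeated failures from the
    same source, then flag any root-level sudo by that user within follow_s seconds."""
    failures = defaultdict(list)   # (user, source) -> timestamps of failed logins
    suspect = {}                   # user -> time of the suspicious successful login
    alerts = []
    for line in lines:
        if m := FAIL.match(line):
            failures[(m[2], m[3])].append(parse_ts(m[1]))
        elif m := ACCEPT.match(line):
            ts, user, src = parse_ts(m[1]), m[2], m[3]
            recent = [t for t in failures.pop((user, src), []) if (ts - t).total_seconds() <= window_s]
            if len(recent) >= fail_threshold:
                alerts.append(("brute_force_then_success", user, src, f"{len(recent)} failures in window"))
                suspect[user] = ts
        elif m := SUDO.match(line):
            ts, user, target, cmd = parse_ts(m[1]), m[2], m[3], m[4]
            if target == "root" and user in suspect and (ts - suspect[user]).total_seconds() <= follow_s:
                alerts.append(("root_sudo_after_suspect_login", user, target, cmd))
    return alerts

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOGS.splitlines()):
        print(alert)
```

Bob's key-based login and routine sudo produce no alert, which is the point of correlating the two sources rather than alerting on every root-level sudo.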