Threats
I have a good firewall, why do I need an
IDS?
Expectations
Type of IDS
Analyzing Patterns
Choosing an IDS
Products available on market
Ongoing Effort
Conclusion / Summary
THREATS – FACT OR FICTION?
Frequency vs Difficulty level
I am not a target (Yeah, right!)
Examples of TOOLS
TYPE OF IDS MONITORING
Host Based (also called Agent)
- These systems collect and analyze data that originates on a computer that hosts a service, such as a Web server.
TYPE OF ANALYSIS
Signature based (Pattern matching)
Statistical
Integrity Checker
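The three analysis styles listed above behave very differently, and the slide gives no illustration of any of them. The following added example (not from the original deck) puts a toy version of each side by side: a signature matcher driven by constructed regex rules, a statistical detector that learns a baseline and flags deviations beyond a tunable threshold k, and an integrity checker that compares SHA-256 hashes against a trusted snapshot. All rules, traffic counters and file contents are constructed for the demonstration.

```python
"""Toy versions of the three analysis styles named on the slide: signature
(pattern matching), statistical (anomaly threshold) and integrity checking
(content hashes). Added example; all rules, counters and files are constructed."""
import hashlib
import re
import statistics

# --- Signature based (pattern matching) ------------------------------------
# Two constructed rules in a minimal name -> regex form (no vendor's format).
SIGNATURES = {
    "dir-traversal": re.compile(rb"\.\./"),
    "shell-metachar-in-query": re.compile(rb"\?\S*;"),
}

def signature_matches(payload: bytes) -> list:
    """Names of every signature whose pattern occurs in the payload."""
    return [name for name, rx in SIGNATURES.items() if rx.search(payload)]

# --- Statistical (deviation from a learned baseline) -----------------------
def baseline(samples):
    """Mean and population standard deviation of a window of normal values."""
    return statistics.mean(samples), statistics.pstdev(samples)

def is_anomalous(value, mean, stdev, k=3.0):
    """Flag a value more than k standard deviations above the mean.
    k is the tuning knob: lowering it raises false positives, raising it
    raises false negatives."""
    return value > mean + k * stdev

def evaluate(values, labels, mean, stdev, k):
    """(false positives, false negatives) for threshold k over labelled
    observations, labels[i] being True when observation i is an attack."""
    fp = fn = 0
    for value, is_attack in zip(values, labels):
        flagged = is_anomalous(value, mean, stdev, k)
        if flagged and not is_attack:
            fp += 1
        if is_attack and not flagged:
            fn += 1
    return fp, fn

# --- Integrity checker (hash of known-good content) ------------------------
def snapshot(files: dict) -> dict:
    """Path -> SHA-256 of content; taken once from a trusted state."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def integrity_changes(baseline_hashes: dict, files: dict) -> list:
    """Sorted paths that changed, appeared or disappeared since the snapshot."""
    current = snapshot(files)
    changed = [p for p in baseline_hashes if p in current and current[p] != baseline_hashes[p]]
    added = [p for p in current if p not in baseline_hashes]
    removed = [p for p in baseline_hashes if p not in current]
    return sorted(changed + added + removed)

# --- Constructed sample data -------------------------------------------------
NORMAL_RATE = [10, 12, 11, 9, 10, 13, 11, 10]   # requests/minute during a quiet period
TEST_RATE = [11, 14, 40, 12]                    # a later window
TEST_LABELS = [False, True, True, False]        # 14 is a low-and-slow attack, 40 a flood
TRUSTED_FILES = {"/bin/ls": b"ELF original", "/etc/passwd": b"root:x:0:0"}
CURRENT_FILES = {"/bin/ls": b"ELF replaced", "/etc/passwd": b"root:x:0:0", "/tmp/x": b"new"}

def demo():
    """Run all three detectors over the constructed data."""
    mean, stdev = baseline(NORMAL_RATE)
    return {
        "signature": signature_matches(b"GET /../../etc/passwd HTTP/1.0"),
        "strict_k3": evaluate(TEST_RATE, TEST_LABELS, mean, stdev, 3.0),  # (0 FP, 1 FN)
        "loose_k1": evaluate(TEST_RATE, TEST_LABELS, mean, stdev, 1.0),   # (1 FP, 0 FN)
        "integrity": integrity_changes(snapshot(TRUSTED_FILES), CURRENT_FILES),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two `evaluate` calls are the point of the statistical part: with k=3 the slow attack at 14 requests/minute slips under the threshold (a false negative), and with k=1 the benign 12 is flagged (a false positive). Neither setting is "right"; the threshold has to be tuned against what the site actually sees, which is the fine-tuning effort the later slides talk about. The integrity checker, by contrast, has no threshold at all, but it only reports that something changed, not whether the change was hostile.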
HOST BASED (ADVANTAGES)
FEATURES TO LOOK FOR
Number of rules, and which ones apply to your specific environment
Ability to read the whole packet
Ability to drill down
Deals adequately with fragmentation
Updates (how they are done and how often)
Reporting features (import, export, flexibility)
Support issues (OS, platform)
Ease of use (what manning is needed)
What specialized equipment is required
Is the product network or host based
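Two of the features above, reading the whole packet and dealing adequately with fragmentation, are really one requirement: the sensor has to see the same byte stream the destination host will see. The following added example (not part of the original deck) shows why with constructed fragments: a pattern that straddles a fragment boundary is invisible to a sensor that matches each fragment on its own, and visible to one that reassembles the flow first. The addresses, request and signature are all constructed.

```python
"""A signature split across two fragments: a sensor that inspects each
fragment on its own misses it; one that reassembles the stream first sees it.
Added example with constructed fragments, not a real capture."""
import re
from dataclasses import dataclass

SIGNATURE = re.compile(rb"\.\./\.\./")   # constructed traversal pattern

@dataclass
class Fragment:
    flow: tuple    # (src, dst) naming the stream; constructed addresses
    offset: int    # byte offset of this piece within the stream
    data: bytes

def match_per_fragment(fragments):
    """Naive sensor: offsets of fragments that match on their own."""
    return [f.offset for f in fragments if SIGNATURE.search(f.data)]

def reassemble(fragments):
    """Order each flow's fragments by offset and concatenate them.
    A gap or overlap raises instead of being resolved: how an end host
    resolves overlapping data is OS-specific, so a sensor that guesses
    may end up inspecting something other than what the host accepts."""
    streams = {}
    for frag in sorted(fragments, key=lambda f: (f.flow, f.offset)):
        buf = streams.setdefault(frag.flow, bytearray())
        if frag.offset != len(buf):
            raise ValueError(f"gap or overlap in {frag.flow} at offset {frag.offset}")
        buf.extend(frag.data)
    return {flow: bytes(buf) for flow, buf in streams.items()}

def match_reassembled(fragments):
    """Reassembling sensor: flows whose full stream matches."""
    return [flow for flow, data in reassemble(fragments).items() if SIGNATURE.search(data)]

# Constructed request, split so the pattern straddles the boundary, and
# delivered out of order.
FLOW = ("10.0.0.5", "10.0.0.1")
REQUEST = b"GET /../../etc/passwd HTTP/1.0\r\n"
FRAGMENTS = [
    Fragment(FLOW, 7, REQUEST[7:]),   # b"/../etc/passwd HTTP/1.0\r\n"
    Fragment(FLOW, 0, REQUEST[:7]),   # b"GET /.."
]

if __name__ == "__main__":
    print("per-fragment:", match_per_fragment(FRAGMENTS))   # []
    print("reassembled :", match_reassembled(FRAGMENTS))    # [FLOW]
```

When evaluating a product, this is the behaviour to ask about: does it reassemble before matching, what does it do with gaps and overlaps, and does it alert on a stream it could not reassemble cleanly rather than silently passing it.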
ONGOING SUPPORT
There is a need for a COMPETENT analyst.
Vendors' latest signatures may take up to a week after a new threat has been publicized. You will need someone in house who can analyse new vulnerabilities or attacks in order to create your own rules. This may take an hour a day or more.
You need someone who can fine-tune the IDS in order to avoid false positives or false negatives.
You must subscribe to popular advisories and security newsletters such as bugtraq, CERT, GIAC, SANS, and others.
OVERVIEW
Introduction
Overview
The IDS Puzzle
Current State of IDS
Threats
I have a good firewall, why do I need an
IDS?
Expectations
Type of IDS
Analyzing Patterns
Choosing an IDS
Products available on market
Ongoing Effort
Conclusion / Summary
IDS GOOD GUYS
A few initiatives are under way to improve early detection, accuracy and terminology amongst vendors of ID equipment and software:
Incident.org, ARIS, MyNetWatchMan
CVE (http://www.mitre.org/cve/)
IDMEF, Intrusion Detection Exchange Message Format (http://www.ietf.org/html.charters/idwg-charter.html)
CIDF, Common Intrusion Detection Framework
CLOSING
An IDS is like a three-year-old kid: it's not happy unless you are watching it all the time. Contrary to all other devices, an IDS talks back to you and demands immediate attention.
One of the most important points is how you are going to monitor your systems: what are you going to do when the alarm goes off at three in the morning?
There are about 400 different IDSs on the market. Only a few of these products integrate well in large environments, are scalable, and are easy to maintain.
Acquire the IDS that meets your needs, not the one that the vendor thinks you need.