01/28/17
Misuse Prevention
Prevention techniques: first line of defense
Secure local and network resources
Techniques: cryptography, identification, authentication, authorization, access control, security filters, etc.
Problem: losses occur!
Need:
Intrusion Prevention: protect system resources
Intrusion Detection (second line of defense): discriminate intrusion attempts from normal system usage
Intrusion Recovery: cost-effective recovery models
Intrusion Detection Systems
Terminology
Audit: activity of looking at user/system behavior, its effects, or the collected data
Profiling: looking at users or systems to determine what they usually do
Anomaly: abnormal behavior
Misuse: activity that violates the security policy
Outsider: someone without access rights to the system
Insider: someone with access rights to the system
Intrusion: misuse by outsiders and insiders
Phases of Intrusion
Intelligence gathering: attacker observes the system to determine vulnerabilities
Planning: attacker decides what resource to attack (usually the least defended component)
Attack: attacker carries out the plan
Hiding: attacker covers the tracks of the attack
Future attacks: attacker installs backdoors as future entry points
Definitions
Intrusion: a set of actions aimed to compromise the security goals, namely integrity, confidentiality, or availability, of a computing and networking resource
Intrusion detection: the process of identifying and responding to intrusion activities
Intruders
A significant issue for networked systems is hostile or unwanted access, either via the network or locally.
Classes of intruders can be identified:
Masquerader
Misfeasor (a person who is guilty of misfeasance: the wrongful performance of a normally lawful act; the wrongful and injurious exercise of lawful authority)
Clandestine (secret) user
Intruders
Clearly a growing, publicized problem
May seem benign, but still cost resources
May use a compromised system to launch other attacks
Intrusion Techniques
Aim to increase privileges on the system
Basic attack methodology
Contents
Overview of IDS/IPS
Components of an IDS/IPS
IDS/IPS classification
By scope of protection
By detection model
Overview of IDS/IPS
Intrusion: a set of actions aimed at compromising the security goals (confidentiality, integrity, availability of a computing/networking resource)
Intrusion detection: the process of identifying and responding to intrusion activities
Intrusion prevention: the process of both detecting intrusion activities and managing responsive actions throughout the network
Overview of IDS/IPS
Intrusion detection system (IDS): a system that performs automatically the process of intrusion detection.
Components of an IDS/IPS
Premise: system activities are observable.
Diagram: incoming traffic/logs -> data preprocessor -> activity data -> detection algorithm (using the detection model(s)) -> alerts -> alert filter (using the decision criteria)
Components of an IDS/IPS
Data pre-processor: collects and formats the data to be analyzed by the detection algorithm.
Detection algorithm: based on the detection model, detects the difference between normal and intrusive audit records.
Alert filter: based on the decision criteria and the detected intrusive activities, estimates their severity and alerts the operator/manages responsive activities (usually blocking).
Components of an IDS/IPS
Incoming traffic/log data
Packet headers contain routing information; the packet content may also be important (and increasingly is) for detecting intrusions.
Logs: a chronological set of records of system activity.
Components of an IDS/IPS
Incoming traffic/log data (cont.)
Problems related to data:
Inadequate format for intrusion detection
Information important for intrusion detection is often missing (e.g. in log files).
Components of an IDS/IPS
Detection algorithm: checks the incoming data for the presence of anomalous content.
A major detection problem: there is no sharp limit between normal and intrusive; it often depends on the context, hence statistical analysis of the input data may be useful.
To determine the context, a lot of memory is needed.
Components of an IDS/IPS
Alert filter: determines the severity of the detected intrusive activity.
A major decision problem: it is difficult to estimate the severity of a threat in real time.
Filtering is normally carried out by means of a set of thresholds (decision criteria).
Thresholds should be carefully set in order to maintain a high level of security and a high level of system performance at the same time.
IDS/IPS classification
By scope of protection (or by location)
Host-based IDS
Network-based IDS
Application-based IDS
Target-based IDS
By detection model
Misuse detection
Anomaly detection
Password Guessing
Password Capture
Another attack involves password capture:
Watching over the shoulder as the password is entered
Using a Trojan horse program to collect it
Monitoring an insecure network login (e.g. telnet, FTP, web, email)
Extracting recorded info after a successful login (web history/cache, last number dialed, etc.)
Why Is Intrusion Detection Necessary?
Prevent
Detect
React/Survive
Security principles: layered mechanisms
Threshold detection
E.g., number of failed logins, number of accesses to resources, size of downloaded files, etc.
Intrusion Types
Doorknob rattling
Masquerade attacks
Diversionary Attack
Coordinated attacks
Chaining
Loop-back
Doorknob Rattling
Attack on activity that can be audited by the system (e.g., password guessing)
Number of attempts is lower than the threshold
Attacks continue until all targets are covered or access is gained
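As an added example (not from these slides), the IDS pipeline described earlier, data preprocessor then detection algorithm then alert filter, applied to the threshold-detection and doorknob-rattling cases: a per-account failed-login count catches ordinary password guessing, and a second check catches a source whose attempts stay below the threshold on each target but are spread across many targets. The log format, host names, addresses and threshold values are constructed for the example and are not from any real product.

```python
from collections import Counter, defaultdict

# Decision criteria (constructed for this example; tune to the monitored system).
FAIL_THRESHOLD = 5    # failures per (user, target) that trigger a threshold alert
RATTLE_TARGETS = 4    # distinct targets probed below threshold by one source

# Constructed sample audit records: time, event, user, source host, target host.
SAMPLE_LOG = """\
10:00:01 LOGIN_FAIL user=alice src=10.0.0.5 target=srv1
10:00:03 LOGIN_FAIL user=alice src=10.0.0.5 target=srv1
10:00:05 LOGIN_FAIL user=alice src=10.0.0.5 target=srv1
10:00:07 LOGIN_FAIL user=alice src=10.0.0.5 target=srv1
10:00:09 LOGIN_FAIL user=alice src=10.0.0.5 target=srv1
10:00:11 LOGIN_FAIL user=alice src=10.0.0.5 target=srv1
10:00:20 LOGIN_OK   user=bob   src=10.0.0.9 target=srv1
10:01:00 LOGIN_FAIL user=root  src=203.0.113.7 target=srv1
10:01:02 LOGIN_FAIL user=root  src=203.0.113.7 target=srv2
10:01:04 LOGIN_FAIL user=root  src=203.0.113.7 target=srv3
10:01:06 LOGIN_FAIL user=root  src=203.0.113.7 target=srv4
10:01:08 LOGIN_FAIL user=root  src=203.0.113.7 target=srv5
"""


def preprocess(raw_log):
    """Data preprocessor: turn raw log lines into uniform records."""
    records = []
    for line in raw_log.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed lines instead of crashing on them
        fields = dict(p.split("=", 1) for p in parts[2:])
        records.append({"time": parts[0], "event": parts[1], **fields})
    return records


def detect(records):
    """Detection algorithm: count failures per account and per source host."""
    per_account = Counter()                  # (user, target) -> failures
    per_source = defaultdict(Counter)        # src -> Counter(target -> failures)
    for r in records:
        if r["event"] != "LOGIN_FAIL":
            continue
        per_account[(r["user"], r["target"])] += 1
        per_source[r["src"]][r["target"]] += 1

    findings = []
    # Threshold detection: too many failures against one account on one target.
    for (user, target), n in per_account.items():
        if n >= FAIL_THRESHOLD:
            findings.append({"kind": "threshold", "user": user,
                             "target": target, "count": n})
    # Doorknob rattling: each target stays below the threshold, but the same
    # source has tried many targets, which a per-target count alone never sees.
    for src, targets in per_source.items():
        low = sorted(t for t, n in targets.items() if n < FAIL_THRESHOLD)
        if len(low) >= RATTLE_TARGETS:
            findings.append({"kind": "doorknob_rattling", "src": src,
                             "targets": low})
    return findings


def alert_filter(findings):
    """Alert filter: attach a severity derived from the decision criteria."""
    alerts = []
    for f in findings:
        if f["kind"] == "threshold":
            sev = "high" if f["count"] >= 2 * FAIL_THRESHOLD else "medium"
        else:
            sev = "high" if len(f["targets"]) > RATTLE_TARGETS else "medium"
        alerts.append({**f, "severity": sev})
    return alerts


def run_pipeline(raw_log):
    """Whole pipeline: raw log in, severity-tagged alerts out."""
    return alert_filter(detect(preprocess(raw_log)))


if __name__ == "__main__":
    for alert in run_pipeline(SAMPLE_LOG):
        print(alert)
```

The two checks are deliberately separate: the threshold check keys on the account, the rattling check keys on the source, and both read the same preprocessed records, which is the reason the preprocessor exists as its own stage.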
Masquerading
Diagram: the attacker logs in to Target 1 as X, changes identity ("I'm Y"), and then logs in to Target 2 as Y; Y is the legitimate user.
Diversionary Attack
Create a diversion to draw attention away from the real target
Diagram: fake attacks and the real attack both directed at the TARGET
Coordinated attacks
Diagram: the attacker compromises a system and uses it to attack the target
Chaining
Diagram labels: Attacker, Target
Honeypots
In computer terminology, a honeypot is a trap set to detect, deflect or in some manner counteract attempts at unauthorized use of information systems.
Generally it consists of a computer, data or a network site that appears to be part of a network but which is actually isolated and protected, and which seems to contain information or a resource that would be of value to attackers.
A honeypot that masquerades as an open proxy is known as a sugarcane.
Honeypots
A honeypot is valuable as a surveillance and early-warning tool.
While often a computer, a honeypot can take on other forms, such as files or data records, or even unused IP address space.
Honeypots should have no production value and hence should not see any legitimate traffic or activity.
Whatever they capture can then be surmised as malicious or unauthorized.
Honeypots can carry risks to a network, and must be handled with care.
If they are not properly walled off, an attacker can use them to actually break into a system.
Firewalls
Similar to a security guard
Protects an organization's network
Stands between the Internet and the intranet
Firewall Concept
Diagram: corporate network -> network backbone -> firewall -> to Internet
What is a firewall?
Diagram: the Internet (untrusted networks & servers, untrusted users) connects through a router to the firewall; behind the firewall sit the intranet (trusted users) and a DMZ (publicly accessible servers & networks).
Firewalls
Firewalls can:
Restrict incoming and outgoing traffic by IP address, ports, or users
Block invalid packets
When misconfigured
Hardware Firewall
Software Firewall
A Firewall
Can filter traffic based on source and destination addresses, port numbers, protocol used, and packet state.
Cannot prevent individual users with modems from dialing in and out of the network.
Cannot protect against social engineering and dumpster diving. (Prevalent in the 1980s due to lax security was the process of 'dumpster diving': a curious hacker or malicious cracker would search in the dumpsters of major corporations for thrown-out manuals, passwords, credit card numbers, et cetera. When corporations became aware of the need for increased security, in the early 1990s, sensitive documents were shredded before being placed in dumpsters.)
Types of Firewalls
Packet Filter
Circuit Level Gateways
Application Level Gateways
Stateful Multilayer Inspection
Firewalls in Practice
A computer may be protected by both a hardware and a software firewall.
Mode of Operation
A firewall that stands between two networks inspects each packet that is ready to pass between the networks and allows or blocks the packet based on the rules set for the firewall to operate.
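Added example, written for this page and not taken from the slides or from any firewall vendor: a simulated packet filter with stateful inspection that applies the mode of operation just described (inspect each packet, allow or block it by rules). It filters on source and destination address, port, protocol and packet state, drops invalid packets, and admits return traffic only for flows the rules already allowed. The address ranges, rule set and traffic sample are constructed; a real firewall such as nftables or iptables expresses the same decisions in its own rule language.

```python
import ipaddress

# Constructed address ranges for the example.
INTRANET = ipaddress.ip_network("192.168.1.0/24")
DMZ = ipaddress.ip_network("192.168.100.0/24")

# Ordered rule set, first match wins; anything unmatched falls to DEFAULT_ACTION.
RULES = [
    # Anyone, including untrusted Internet users, may reach the DMZ web server.
    {"action": "allow", "proto": "tcp", "dst_net": DMZ, "dport": (80,)},
    # Trusted intranet hosts may open web connections outward.
    {"action": "allow", "proto": "tcp", "src_net": INTRANET, "dport": (80, 443)},
    # Trusted intranet hosts may query DNS.
    {"action": "allow", "proto": "udp", "src_net": INTRANET, "dport": (53,)},
]
DEFAULT_ACTION = "block"


class StatefulFilter:
    def __init__(self, rules=RULES):
        self.rules = rules
        self.state = set()   # admitted flows as (proto, src, sport, dst, dport)

    @staticmethod
    def is_invalid(pkt):
        """Malformed packets are dropped before any rule is consulted."""
        flags = pkt.get("flags", set())
        if pkt["proto"] == "tcp" and not flags:
            return True                      # TCP segment with no flags at all
        return {"SYN", "FIN"} <= flags       # contradictory flag combination

    @staticmethod
    def matches(rule, pkt):
        if rule["proto"] != pkt["proto"]:
            return False
        if "src_net" in rule and ipaddress.ip_address(pkt["src"]) not in rule["src_net"]:
            return False
        if "dst_net" in rule and ipaddress.ip_address(pkt["dst"]) not in rule["dst_net"]:
            return False
        return pkt["dport"] in rule["dport"]

    def decide(self, pkt):
        """Inspect one packet and return 'allow' or 'block'."""
        if self.is_invalid(pkt):
            return "block"
        flow = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        reverse = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        # Packet state: traffic of an already admitted flow passes in both
        # directions without re-evaluating the rules.
        if flow in self.state or reverse in self.state:
            return "allow"
        # Only a bare SYN may open a new TCP flow; stray ACKs never reach a rule.
        if pkt["proto"] == "tcp" and pkt.get("flags") != {"SYN"}:
            return "block"
        for rule in self.rules:
            if self.matches(rule, pkt):
                if rule["action"] == "allow":
                    self.state.add(flow)
                return rule["action"]
        return DEFAULT_ACTION


def run_scenario():
    """Constructed traffic sample; returns the decision for each packet in order."""
    fw = StatefulFilter()
    packets = [
        # 1: intranet host opens HTTPS to an Internet server
        {"proto": "tcp", "src": "192.168.1.10", "sport": 51000, "dst": "198.51.100.20", "dport": 443, "flags": {"SYN"}},
        # 2: the server's reply belongs to that flow
        {"proto": "tcp", "src": "198.51.100.20", "sport": 443, "dst": "192.168.1.10", "dport": 51000, "flags": {"SYN", "ACK"}},
        # 3: unsolicited connection from the Internet to an intranet host
        {"proto": "tcp", "src": "198.51.100.20", "sport": 40000, "dst": "192.168.1.10", "dport": 80, "flags": {"SYN"}},
        # 4: Internet user reaches the public web server in the DMZ
        {"proto": "tcp", "src": "198.51.100.20", "sport": 40001, "dst": "192.168.100.5", "dport": 80, "flags": {"SYN"}},
        # 5: invalid packet with SYN and FIN set together
        {"proto": "tcp", "src": "198.51.100.20", "sport": 40002, "dst": "192.168.100.5", "dport": 80, "flags": {"SYN", "FIN"}},
        # 6: ACK without an established flow (a stateless filter would pass it via rule 1)
        {"proto": "tcp", "src": "198.51.100.20", "sport": 40003, "dst": "192.168.100.5", "dport": 80, "flags": {"ACK"}},
        # 7 and 8: DNS query from the intranet and its reply
        {"proto": "udp", "src": "192.168.1.10", "sport": 53001, "dst": "192.0.2.53", "dport": 53},
        {"proto": "udp", "src": "192.0.2.53", "sport": 53, "dst": "192.168.1.10", "dport": 53001},
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for number, decision in enumerate(run_scenario(), 1):
        print(number, decision)
```

Packet 6 is the one that separates a stateful filter from a plain packet filter: it matches the DMZ rule on address, protocol and port, and only the state check (no flow, not a SYN) blocks it.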
Data encryption
Hiding presence
Reporting/logging
E-mail virus protection
Pop-up ad blocking
Cookie digestion
Spyware protection, etc.
A Rule of Thumb
Use the best firewall and virus protection, although each may originate from a different company.
DMZ
Demilitarized zone: neither part of the internal network nor part of the Internet
Never offer attackers more to work with than is absolutely necessary
Firewall Scenario
Microsoft Internet Security and Acceleration (ISA) Server as a dedicated server
Network configuration (diagram labels): local area network; single computer; small office network (less than 250 clients); IP network protocol; demand-dial connectivity; larger organization (array of ISA Servers); Internet; ISA Server
Software Firewalls
Firewall for Windows
Zone Alarm
Winroute
Trojan Trap - Trojan Horse
Hardware Firewall
What is it?
What it does.
An example.
Firewall use.
What it protects you from.
What it protects you from:
Remote logins
Application backdoors
SMTP session hijacking
E-mail addresses
Spam
Denial of service
E-mail bombs (e-mail sent 1000s of times until the mailbox is full)
Macros
Viruses
Software Firewall
What is it?
Also called application-level firewalls.
A firewall that operates at the application layer of the OSI model.
They filter packets at the network layer, operating between the data link layer and the network layer.
It monitors the communication type (TCP, UDP, ICMP, etc.) as well as the origin of the packet, the destination port of the packet, and the application (program) the packet is coming from or headed to.
Web References
www.firewall.com
www.firewall-net.com
www.firewallguide.com
www.msdn.microsoft.com
www.winroute.com
www.tinysoftware.com
www.sunsite.unc.edu
Benefits of Firewall-Summary
Prevent intrusion
Choke point for security audit
Reduce attacks by hackers
Hide network behind a single IP
address
Part of total network security policy
References
http://www.howstuffworks.com
http://www.microsoft.com
http://www.securityfocus.com
http://grace.com/us-firewalls.htm
http://www.kerio.com/us/supp_kpf_manual.html
http://www.broadbandreports.com/faq/security/2.5.1
http://www.firewall-software.com
Port Numbers
The Well Known Ports are those from 0
through 1023.
The Registered Ports are those from 1024
through 49151.
The Dynamic and/or Private Ports are
those from 49152 through 65535.
http://www.iana.org/assignments/port-numbers
ftp://ftp.isi.edu/in-notes/rfc1700.txt
Port  Description
20    FTP (data)
21    FTP (control)
23    Telnet
80    HTTP
139   NetBIOS session service
53    DNS
69    TFTP
137   NetBIOS name service
138   NetBIOS datagram service
161   SNMP
References
http://www.tlc.discovery.com/convergence/hackers/hackers.html
http://www.tuxedo.org/~esr/faqs/hacker-howto.html
http://www.iss.net/security_center/advice/Underground/Hacking/Methods/Technical/
http://www.infosecuritymag.com/articles/march01/features4_battle_plans.shtml
http://www.nmrc.org/faqs/www/wsec09.html
http://www.microsoft.com/ (Tim Rains, Technical Lead, Networking Team)
Privacy control
Zone Alarm
Microsoft Windows Firewall
McAfee Security Suite
Norton Security Suite
Traditional Connectivity
What is a VPN?
A Virtual Private Network is a type of private network that uses public telecommunication, such as the Internet, instead of leased lines to communicate.
It became popular as more employees worked in remote locations.
Terminology needed to understand how VPNs work:
Encryption
Encryption is a method of scrambling data before transmitting it onto the Internet.
Public key encryption technique
Digital signature for authentication
Tunneling
A virtual point-to-point connection made through a public network. It transports encapsulated datagrams.
Diagram: [Datagram Header][Encrypted Inner Datagram]; the inner datagram is the original datagram.
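Added example, not from the slides and not an implementation of PPTP, L2TP or IPsec: the tunnel encapsulation drawn above, in code. The original IPv4 datagram is encrypted, a new outer header (tunnel endpoints, sequence number, nonce) is prepended, and an integrity tag covers both, so the receiving tunnel endpoint can detect modified or replayed packets before it recovers the original datagram. The keys, addresses, outer header layout and the HMAC-SHA256 counter-mode cipher are constructed for illustration only; a real VPN uses a standard AEAD such as AES-GCM under IPsec ESP.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

OUTER_HDR = "!4s4sI12s"   # constructed outer header: tunnel src, tunnel dst, sequence, nonce
TAG_LEN = 32              # HMAC-SHA256 tag appended after the ciphertext


def _keystream(key, nonce, length):
    """Counter-mode keystream derived from HMAC-SHA256 (illustrative construction)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def ipv4_checksum(header):
    """Standard ones'-complement checksum over an IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_inner_datagram(src_ip, dst_ip, payload, proto=17):
    """Constructed IPv4 datagram: the 'original datagram' the tunnel will carry."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def encapsulate(tunnel_src, tunnel_dst, seq, inner, enc_key, mac_key, nonce=None):
    """Sender side: outer header + encrypted inner datagram + integrity tag."""
    nonce = nonce if nonce is not None else os.urandom(12)
    outer = struct.pack(OUTER_HDR, ipaddress.ip_address(tunnel_src).packed,
                        ipaddress.ip_address(tunnel_dst).packed, seq, nonce)
    ciphertext = _xor(inner, _keystream(enc_key, nonce, len(inner)))
    # Encrypt-then-MAC: the tag covers the outer header too, so the endpoints and
    # the sequence number cannot be altered in transit without detection.
    tag = hmac.new(mac_key, outer + ciphertext, hashlib.sha256).digest()
    return outer + ciphertext + tag


def decapsulate(packet, enc_key, mac_key, seen_seqs):
    """Receiver side: verify the tag, reject replays, recover the original datagram."""
    hdr_len = struct.calcsize(OUTER_HDR)
    if len(packet) < hdr_len + TAG_LEN:
        raise ValueError("truncated packet")
    outer, body, tag = packet[:hdr_len], packet[hdr_len:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(mac_key, outer + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: packet modified or wrong key")
    _, _, seq, nonce = struct.unpack(OUTER_HDR, outer)
    if seq in seen_seqs:
        raise ValueError("replayed packet: sequence number already seen")
    seen_seqs.add(seq)
    return _xor(body, _keystream(enc_key, nonce, len(body)))


if __name__ == "__main__":
    enc_key, mac_key = os.urandom(32), os.urandom(32)   # shared by both tunnel ends
    inner = build_inner_datagram("192.168.1.10", "10.20.0.5", b"hello from the branch office")
    wire = encapsulate("203.0.113.1", "198.51.100.2", 1, inner, enc_key, mac_key)
    print("on the wire:", wire.hex())
    print("recovered  :", decapsulate(wire, enc_key, mac_key, set()) == inner)
```

Only the outer header travels in clear, which is what lets the public network route the packet between the two tunnel endpoints while the private source and destination addresses inside stay hidden.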
Types of Implementations
What does implementation mean in VPNs?
3 types:
Intranet: within an organization
Extranet: outside an organization
Remote access: employee to business
Device Types
What it means
3 types
Hardware
Firewall
Software
Cons
Cost
Lack of flexibility
Dual-purpose
Cons
Tri-purpose
Cost-effective
Lack of efficiency
More labor
training required
Lower
productivity; higher
labor costs
Advantages vs. Disadvantages
Advantages: Cost Savings
Eliminating the need for expensive long-distance leased lines
Reducing the long-distance telephone charges for remote access
Transferring the support burden to the service providers
Operational costs
Advantages: Scalability
Flexibility of growth
Efficiency with broadband technology
Disadvantages
VPNs require an in-depth understanding of public network security issues and proper deployment of precautions.
Availability and performance depend on factors largely outside of their control.
Immature standards.
VPNs need to accommodate protocols other than IP and existing internal network technology.
Applications: Site-to-Site VPNs
Large-scale encryption between multiple fixed sites such as remote offices and central offices
Network traffic is sent over the branch office Internet connection
This saves the company hardware and management expenses
Site-to-Site VPNs
Applications: Remote Access
*Source: www.cisco.com
Pop Quiz!
Q.1
VPN stands for
a) Virtual Public Network
Pop Quiz!
A.1
VPN stands for
Pop Quiz!
Q.2
What are the acronyms for the 3 most common VPN
protocols?
Pop Quiz!
A.2
3 most common VPN protocols are
PPTP
L2TP
IPsec
PPTP, IPsec, and L2TP are three of today's most popular VPN tunneling protocols. Each
one of these is capable of supporting a secure VPN connection.
Pop Quiz!
Q.3
What does PPTP stand for?
Pop Quiz!
A.3
PPTP = Point-to-Point Tunneling Protocol !
Pop Quiz!
Q.4
What is the main benefit of VPNs compared to
dedicated networks utilizing frame relay, leased
lines, and traditional dial-up?
a) better network performance
c) reduced cost
d) improved security
Pop Quiz!
A.4
The main benefit of VPNs is
c) reduced cost
The main benefit of a VPN is the potential for significant cost savings compared to
traditional leased lines or dial up networking. These savings come with a certain amount
of risk, however, particularly when using the public Internet as the delivery mechanism
for VPN data.
Pop Quiz!
Q.5
In VPNs, the term "tunneling" refers to
d) a marketing strategy that involves selling VPN products for very low prices in return for expensive service contracts
Pop Quiz!
A.5
In VPNs, the term "tunneling" refers to