What is Security Intrusion?
A security incident where the intruder gains or attempts to gain unauthorised access to a system
What is Intrusion Detection?
A security service that monitors and analyses the system for suspicious behaviour.
- The user is warned of the attempts of accessing their resources in an unauthorised manner.
Intrusion Detection System (IDSs)
Is a software/application that monitors and analyses the system’s activities and determines whether or not an attack is in place
- LOGS + ALERTS TRAFFIC
Compromises three logical components:
- Sensors – Collect data > forward this information to the analyzer
- Analysers – Determine if the intrusion has occurred
- User Interface – View output or control system behaviour
The two main types of IDS are:
Host-Based IDS
- Adds a layer of security software to vulnerable/sensitive systems
- Monitors the characteristics of a single host for suspicious behaviour activity
- By detecting intrusions, log suspicious events send alerts
- Detects internal and external intrusion
Network-Based IDS
- Monitors network traffic and analyses network transport, and application protocols to identify suspicious activity.
- Analyses the traffic patterns done by the sensor
What are the two Sensor Deployment?
Inline sensor
- Inserted into the network that the traffic is monitoring must pass through the sensor
Passive sensor
- Monitors copies of the **network traffic **
What are the two Host Based Approaches?
Anomaly Detection
- Accomplished using threshold detection + statistics
- Involves countering the number of specific event types of legitmate users over a period of time
- Used to detect changes in an individual’s behaviour
Signature detection
- Involves attempts to set rules that can be used to decide that a given behaviour is that of an intruder
What are the NIDS Intrusion Detection Techniques?
Similar to a host-based IDS techniques
Signature detection:
- At application
- Transport
- Network layers
- Unexpected application service
- Policy violations
Anomaly detection:
- DOS attacks
- Scanning
- Worms
What are the Firewall characteristics? List the Security Policy
- All traffic from inside to outside must pass through the firewall
- Only authorised traffic defined by the security policy are allowed to pass through
- Packets that do not match policy are rejected.
Firewall’s site’s security policy:
- Security control
- Direction control
- User control
- Behaviour control
What are the Capabilities + Limitations of Firewall?
Capabilities:
- Defines a single choke point
- Provides a location for monitoring security events
Limitations:
- Cannot protect against attacks for bypassing the firewall
- May not protect internal attacks
- Improperly secured wireless LAN can be accessed from outside the **organisation **
What is Packet Filtering Firewall and it’s two default policies?
- Applies rules to each incoming and outgoing IP packet
- Filtering rules are based on information contained in a network packet
- Source IP address
- Destination IP address
- Source + destination transport level address
- IP protocol field
Two default policies
Discard: Prohibit unless expressly permitted
Forward: Permit unless expressly prohibited
What are the Packet Filter Advantages + Disadvantage?
Advantages:
- Simple
- Typically transparent to users
Disadvantages:
- Cannot prevent attacks to specific vulnerabilities
- Limited logging
- Does not support advanced user authentication
- Improper configuration > **breeches **
What is Application-Level Gateway?
Application-Level Gateway
“Application proxy”
- User contacts the gateway using a TCP/IP application
- User is authenticated
- Gateway contacts application on a remote host and relays TCP segments between server and user
What is a Circuit-Level Gateway?
“Proxy”
- Sets up TCP connections between itself + TCP user on an inner host and outside host
- Relies on TCP segments from one connection without examining contents
- Used when inside users are trusted
What is a Host-Based Firewalls?
- Used to secure an individual host
- Available in OS/provided as an add-on package
- Filter, restrict packet flows
- Common location is a server
What is a Personal Firewall?
- Controls the traffic in a PC or workstation
- Both home and corporate use
- Can be housed in a router that connects to all the home computers to a DSL cable modem
- Role: Deny unauthorised access
- Monitors to detect worms, malware activity
List a few Firewall Typologies
- Host-resident firewall
- Screen router
- Single bastion inline
- Single bastion T
What is Intrusion Prevention Systems (IPS)?
- Inline network based IDS that can block traffic
- Blocks anything that it believes is ‘malicious’
- Prevent it from reaching the different targets on your network
- Network/host based
- Functional addition to the firewall ADDS IDS capabilities
What are Host-Based IPS (HIPS)?
- Uses anomaly + signature detection techniques:
Signature:
- Focuses on content application payloads in packets, look for patterns to identify malicious
Anomaly:
- Looks for behaviour patterns that indicate malware
- Uses sandbox approach to **monitor behaviour **
Network-Based IPS (NIPS) + List the malicious packets
- Authority to discard packets + tear down TCP connections
- Uses anomaly + signature detection techniques
- Provide full data protection
Malicious packets:
- Pattern matching
- Stateful matching
- Protocol anomaly
- Traffic anomaly
- Statistical anomaly
