access-control-week-3

Slide 1: CISSP Domain 1 – Access Control
Lecture 3, pages 149-194
June 15th 2013
Slide 2: Decentralized/Distributed Access Control Techniques
• Define policies, standards and processes of access control
• Implement them to simplify information management
• Create an effective control management service
• Streamline appropriate technologies
Slide 3: Identity Management
• Identity Management
  – Consolidates and streamlines the management of user IDs, authentication, and access across multiple systems
  – Binds users to established policies, processes and privileges to ensure consistency
• For that, Identity Management should include:
  » Password Management
  » Account Management
  » Profile Management
  » Directory Management
  » Single Sign-On
Slide 4: Password Management
• Most common authentication technique in use
• Can be compromised over time
• So it has to be changed every 30 – 90 days
  – Shorter is better, but cumbersome to memorize
• With multiple passwords on multiple systems expiring at different times, users tend to write them down (someone can steal the note and own the system)
• Users tend to rotate a couple of passwords, which makes them easier to guess
• Password policies, standards, and complexity need to be managed consistently
• Lock the system after 3-5 wrong password attempts
Slide 5: Password Management (contd.)
• This prevents damage, at the cost of calls to the help desk (users are notorious for forgetting passwords, since passwords change every couple of months or users return from long vacations)
• It creates help-desk jobs but costs the industry money
• A password management system is designed to manage passwords consistently across the enterprise with a central tool that synchronizes passwords across multiple systems
• Multi-factor authentication can be deployed
• Use self-registration and verification (like that used by larger internet sites):
  – Asking for a verification code sent to a mobile phone
  – Secret questions
  – Pictures
  – Sending an email to a trusted email account to change the password
  (all of these save the help desk from spending time unlocking accounts)
Slide 6: Account Management
• Starting a job = new access control (a new account) is needed
• Job ended = the user account must be decommissioned ASAP (minimize the time to decommission inactive accounts)
• Web-based access management addresses the issue (e.g. Hotmail)
• Old systems might not interact well with a new, single, centralized account directory; even if they do, there may still be limitations
• Account management systems attempt to identify a user across multiple systems
• Management processes must be performed on each system
Slide 7: Account Management (contd.)
• It should include one or more features to ensure a central, cross-platform security administration capability:
  – Central facility to manage user access to multiple systems (ensures consistency, reduces manual entry errors, helps system admins)
  – Workflow system (ensures prompt action, e.g. on new/added or terminated access)
  – Automatic replication of data (user records between systems, ensuring permissions are propagated uniformly between systems)
  – Facility for loading batch changes (big hires/fires or organizational restructuring become efficient)
  – Automatic creation, change and removal of access triggered by other departments (e.g. HR or the corporate directory), so manual work is minimized and the chance of incorrect access permissions is greatly reduced
Slide 8: Account Management (contd.)
• Obstacles
  – Higher cost of full deployment
  – Complexity of the account management system
  Start small, gain experience and success before full-scale deployment
• Interface issues can be a big project killer
  – A fully automated account management system has to interface with each system
  – This is hard because of the numerous applications and directories
  – Different interfaces that weren't designed to interface with an account management system, especially older systems and mainframes
  – Dedicated programmers are needed and it is time consuming
Slide 9: Profile Management
• Profile = collection of information associated with a particular identity or group
• In addition to user name and password, a user profile should include personal info such as name, phone, emergency contact number, etc.
• This information is subject to change over time
• Changes can be made either administratively or by the user
• It is helpful to let users enter and manage the data that is not sensitive and need not be validated
• This increases accuracy and saves the time and cost of implementing changes
Slide 10: Directory Management
• A comprehensive database designed to centralize data management
• A typical directory contains a hierarchy of objects storing info about users, groups, systems, servers and printers
• The directory is stored on one or more servers to ensure scalability and availability
• Applications access data stored in a directory by means of a standard directory protocol
Slide 11: Directory Management (contd.)
• Benefit: provides a centralized collection of user data
  – Can be used by many applications to avoid replication of info and simplify the architecture
• Using a directory, it is possible to configure several applications to share data about users rather than each system managing users, authentication and data on its own
• Limitation
  – Integration with legacy systems, mainframes and outdated servers
Slide 12: Directory Technologies
• Centralized directory service
• Supported by international standards
• Developed by the International Telecommunications Union (ITU-T) for communication protocols
Types of Directory Technologies
1. X.500
2. Lightweight Directory Access Protocol (LDAP)
3. Active Directory
4. X.400
Slide 13: Directory Technologies (contd.)
1. X.500
• Developed by ITU-T in the 1980s
• Also known as ISO/IEC 9594
• Facilitates a standard method of developing electronic directories for use over telecom networks
• Originally developed to work with the OSI network communications model
• Currently the TCP/IP protocol can be used
• Info in X.500 is organized in a hierarchy. The key field in the database is the Distinguished Name (DN)
• The DN provides the full path through the X.500 database
• Also supports the Relative Distinguished Name (RDN), which identifies a specific entry without the full path component attached
• Contains 4 separate protocols
  – Directory Access Protocol (DAP): the primary protocol for accessing information in X.500
  – Directory System Protocol (DSP)
  – Directory Information Shadowing Protocol (DISP)
  – Directory Operational Bindings Management Protocol (DOP)
Slide 14: 2. Lightweight Directory Access Protocol (LDAP)
• X.500 is complex to implement and administer, and used the OSI protocol
• Developed in the 1990s, based on X.500 (DAP); uses TCP/IP port 389; very simple
• Version 3 of the LDAP protocol supports TLS to encrypt communication; it can also be used over an SSL connection via TCP port 636
• Supports DN and RDN
• Operates in a client/server architecture
• Client requests may be: connecting to or disconnecting from LDAP, searching directory entries, comparing info, and reading, writing or deleting directory info
(Figure: the Client sends a Request to the LDAP Server, which returns a Result)
Slide 15: 3. Active Directory
• Implementation of the LDAP protocol for Microsoft environments
• With additional plug-ins, AD can be used in UNIX, Linux, and mainframe environments
• Provides central authentication and authorization capabilities for users and system services at an enterprise-wide level
• AD has the ability to enforce organizational security and configuration policies
• This is why AD is used to enforce user- and system-level security policies in a uniform and highly auditable manner
• AD uses LDAP for its naming structure, a hierarchical framework to store info
• AD objects are organized into forests (the collection of all objects and their attributes) and trees (logical groupings of one or more AD security domains within a forest)
• Domains in AD are identified by their name. Objects in AD are grouped into organizational units
Slide 16: Single Sign-On (SSO)
• SSO is also referred to as reduced sign-on or federated ID management
• Sign on to a centralized system so that the user can access multiple servers/applications without signing on to the individual servers
• While opening an application, the user's SSO credentials are entered automatically (client software is used to open the appropriate application programs)
• Central repository of user credentials. If a password is changed in an application, the password in the SSO system must be changed too
• The changed password must be stored in the SSO system to maintain synchronization among applications
• For SSO solutions, a smart card (secured by a PIN, storing an array of user credentials in the card's memory) is used
• A smart card holding user credentials, coupled with system software, detects when the user wants to access an application/server. The server authenticates and asks whether the system should learn the credentials for future use. The credentials can be stored on the smart card. Now the user only needs to remember the passphrase that unlocks the smart card, which in turn unlocks the system to gain access
Slide 17: SSO (contd.)
Advantages of SSO solutions
• Efficient log-on process: fewer passwords to remember and work with
• No need for multiple passwords: SSO translates into single-use credentials for users
• Users may create stronger passwords: a stronger password or passphrase can be used
• Standards can be enforced across the entire SSO system: access control policies and standards can easily be enforced through SSO. Timeouts can be deployed if the user is away from a running workstation
• Centralized administration:
Disadvantages
• Costly devices and software
• If the centralized SSO system is compromised or fails, all work comes to a halt at once, causing the company to lose money
• Only one password or passphrase per user: if the password is cracked, the hacker can do significant damage to data
• SSO passwords are stored in a single database = great fun for a hacker if the database is not extremely well secured
• SSO is complex and integration is challenging
Slide 18: Script-Based Single Sign-On
• If the available solutions are not feasible for a company, script-based single sign-on may be possible
• Scripts can manipulate the applications, interacting with them as if they were the users and injecting the user ID, password and other authentication interactions into the application on behalf of the user
• Advantage: functionality
• Disadvantage: costly/complex maintenance and development of such tools
Slide 19: Kerberos
• It guards a network with 3 elements: authentication, authorization, and auditing
• Essentially a network authentication protocol
• Designed to provide strong authentication for client/server applications using secret key cryptography
• Effective in open, distributed environments
• It verifies that users are who they claim to be and that the network services they use are contained within their permissions
• It has 4 basic requirements for access control
  – Security: a network eavesdropper cannot obtain information by impersonating a user
  – Reliability: resources must be available to the user when needed
  – Transparency: the user should not be aware of the authentication process; it should be non-intrusive
  – Scalability: support a large number of clients and servers
Slide 20: Kerberos Process
• Based on interaction between 3 systems
  – The requesting system (principal), the endpoint destination server (application, information), and Kerberos, i.e. the Key Distribution Center (KDC)
• The user workstation/application/service (principal) interacts with Kerberos
• Kerberos serves two functions: Authentication Server (AS) and Ticket Granting Server (TGS)
• Kerberos is based on symmetric encryption and a secret key shared amongst the participants
• The KDC maintains a database of the secret keys of all principals on the network
Slide 21: Kerberos Process (contd.)
• While acting as the Authentication Server (AS), it authenticates the principal (user) via a pre-shared secret key
• Once the user is authenticated, Kerberos operates as the TGS, providing a ticket
• A ticket is a piece of electronic data validated by the TGS for the user to establish a connection between the network and the user
• The user requests authentication
• The Authentication Server (AS) authenticates using the pre-shared key and sends a ticket (the Ticket Granting Ticket, or TGT) and a session key for use with the Ticket Granting Server (TGS)
• The user gets the ticket, secures the connection with the network, and also has the right to request service tickets (STs) from the KDC
• TGTs are valid for a certain period of time and need to be re-authenticated after expiration
• Once TGTs are issued, there is no further use of passwords or log-on factors
• Now the user sends a request for an application ticket (presenting the TGT) to the TGS, and the TGS (after validating the TGT) in return generates a unique session key, encrypted, to be used between the user and the application server
• The KDC packs the data in a Service Ticket (ST) and sends it to the user
• Now the user sends this ST to the application server for access. Once the application server decrypts the session key, it authenticates the user
• Encrypted communication is now established
Slide 22: Kerberos Process (contd.)
• Kerberos is time sensitive and requires the Network Time Protocol (NTP)
• If time is not synchronized, it leads to authentication failure = an easy DoS attack
• Once the KDC generates the unique session key, it is first sent to the client (user) to avoid a DoS attack against the application server
• If this were not done, the application server would be overloaded with encrypted session keys
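The AS, TGS and application-server exchanges of slides 20-22, as an added worked example that is not part of the original slides: the session key is never sent in the clear, the application server never sees a password, and a client clock outside the skew window is refused as slide 22 describes. The realm, principal names, lifetimes and the HMAC-based "seal" cipher are constructed for the example; the cipher is a stand-in for the real symmetric cipher a KDC uses, not something to deploy.

```python
import hashlib
import hmac
import json
import os

MAX_SKEW = 300       # seconds; authenticators further from server time than this are refused
TICKET_LIFE = 28800  # seconds; ticket validity before the principal must re-authenticate


def derive_key(password, realm, name):
    """A principal's long-term key is derived from its password: the 'pre-shared secret key'."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + name).encode(), 10000)


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, obj):
    """Toy authenticated encryption (HMAC-SHA256 keystream + HMAC tag) standing in for the
    symmetric cipher a real KDC uses. Demonstration only, not a real cipher."""
    plain = json.dumps(obj).encode()
    nonce = os.urandom(16)
    cipher = bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + cipher + hmac.new(key, nonce + cipher, hashlib.sha256).digest()


def open_sealed(key, blob):
    """Reverse of seal(); raises ValueError when the key is wrong or the blob was modified."""
    nonce, cipher, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + cipher, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or modified ticket")
    return json.loads(bytes(c ^ k for c, k in zip(cipher, _keystream(key, nonce, len(cipher)))))


def _check_authenticator(ticket, authenticator, now):
    """Shared checks: ticket lifetime, clock skew, and that the authenticator was built with the
    session key inside the ticket by the client the ticket names."""
    if now > ticket["expires"]:
        raise PermissionError("ticket expired: re-authenticate")
    auth = open_sealed(bytes.fromhex(ticket["key"]), authenticator)
    if abs(now - auth["timestamp"]) > MAX_SKEW:
        raise PermissionError("clock skew too large: authentication failure (check NTP)")
    if auth["client"] != ticket["client"]:
        raise PermissionError("authenticator does not match ticket")


class KDC:
    """Holds every principal's secret key and acts as both AS and TGS (slide 20)."""

    def __init__(self, realm):
        self.realm, self.keys = realm, {}
        self.tgs_key = os.urandom(32)  # key of the ticket-granting service, known only to the KDC

    def register(self, name, password):
        self.keys[name] = derive_key(password, self.realm, name)

    def as_exchange(self, user, now):
        """AS reply: a TGT sealed with the TGS key, plus the same session key sealed with the
        user's long-term key, so only a client that knows the password can read it."""
        session = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"client": user, "key": session, "expires": now + TICKET_LIFE})
        return tgt, seal(self.keys[user], {"key": session})

    def tgs_exchange(self, tgt, authenticator, service, now):
        """TGS reply: after validating the TGT, a Service Ticket sealed with the service's key;
        the new session key goes to the client first, sealed with the TGT session key (slide 22)."""
        ticket = open_sealed(self.tgs_key, tgt)
        _check_authenticator(ticket, authenticator, now)
        svc_session = os.urandom(32).hex()
        st = seal(self.keys[service],
                  {"client": ticket["client"], "key": svc_session, "expires": now + TICKET_LIFE})
        return st, seal(bytes.fromhex(ticket["key"]), {"key": svc_session, "service": service})


def app_server_accept(service_key, st, authenticator, now):
    """AP exchange: the application server opens the ST with its own key, then verifies the
    authenticator with the session key found inside. No password ever reaches it."""
    ticket = open_sealed(service_key, st)
    _check_authenticator(ticket, authenticator, now)
    return ticket["client"]


def demo(password="correct horse", clock_offset=0):
    """Run the whole flow; returns the authenticated principal or 'rejected: <reason>'."""
    kdc = KDC("EXAMPLE.COM")  # constructed realm and principals
    kdc.register("alice", "correct horse")
    kdc.register("fileserver", os.urandom(16).hex())
    now = 1_700_000_000       # fixed 'current time' so the run is deterministic
    try:
        tgt, sealed = kdc.as_exchange("alice", now)
        session = bytes.fromhex(open_sealed(derive_key(password, kdc.realm, "alice"), sealed)["key"])
        st, sealed = kdc.tgs_exchange(tgt, seal(session, {"client": "alice", "timestamp": now}),
                                      "fileserver", now)
        svc_key = bytes.fromhex(open_sealed(session, sealed)["key"])
        # the client's clock may be off; the application server compares against its own clock
        authenticator = seal(svc_key, {"client": "alice", "timestamp": now + clock_offset})
        return app_server_accept(kdc.keys["fileserver"], st, authenticator, now)
    except (ValueError, PermissionError) as exc:
        return f"rejected: {exc}"
```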
Slide 23: Kerberos (contd.)
• Advantages
  – The goal of Kerberos is to ensure private communications between systems over a network
  – By managing encryption keys, it acts to authenticate principals in communication based on secret keys, and allows access via a session key
  – Elegant solution used on many platforms for a broad authentication process
• Disadvantages
  – The KDC should be physically secured and should not allow any non-Kerberos activity
  – If Kerberos fails, the whole system halts, so a backup and continuity plan should be made
  – Keys (both secret and session) are vulnerable to brute-force attack. If they are long, Kerberos will be overloaded with encryption keys. The Achilles' heel of Kerberos is that keys are encrypted based on passwords; traditional password guessing can compromise the system
  – Kerberizing ??? Please explain
Slide 24: Secure European System for Applications in a Multi-Vendor Environment (SESAME)
• Project funded by the European Commission to eliminate the drawbacks of Kerberos
• Primarily due to the need to manage symmetric keys across environments. The weakness of Kerberos is scalability: the more entities, the more complex and harder to manage the KDC becomes
• The other weakness is that privilege info is stored on the server that the user uses. Access info needs to be located on each server as the environment grows
• SESAME, an extension of Kerberos, overcomes those limitations by offering sign-on services with distributed access controls across the environment
  – Eliminates the need to replicate authorization data across servers
  – Uses both symmetric and asymmetric cryptographic techniques for protection of the interchanged data, which alleviates Kerberos's key management issues
Slide 25: SESAME (contd.)
• Key attributes of SESAME
  – Single Sign-On
  – Role-based access control
  – Use of a Privileged Attribute Certificate (PAC), similar to a Kerberos ticket
  – Use of the Kerberos V5 protocol to access SESAME components
  – Use of public key cryptography for distribution of secret keys
Slide 26: Perimeter-Based Web Portal Access
• If LDAP is in place, a user can be identified, authenticated and authorized on multiple web-based applications using a web portal tied to Web Access Management (WAM)
• These solutions replace the sign-on process in web applications by the use of plug-in services
• The user needs to sign on once; then he/she can access multiple web applications while the plug-in passes the authentication ticket among the applications
• These systems provide effective user management and single sign-on in a web environment, but they cannot support the entire access control environment
• WAM has become common
Slide 27: Federated Identity Management
• Single Sign-On is good for one organization
• When two or more companies have to access each other's systems, trust is a big issue
  – E.g. a car company and a parts dealer
• The solution is to create a Federated Identity Management infrastructure: similar policies, standards, and management of user identities, authentication and authorization
• Once the verification and certification process is completed, the companies trust each other
• This is an example of the Cross-Certification Trust Model
• If 3 companies have to form a federation there will be 6 trust relationships. The more companies to be federated, the higher the complexity (permutations in terms of trust)
• Suppose several organizations have to be federated but the Cross-Certification Trust Model cannot be used because of its complexity
• So the Third Party Certification Trust Model, or Bridge Model, has been created
• The third party manages the verification and due diligence process for all participating organizations
• Each organization trusts the third party and can gain access to the databases of the other organizations
Slide 28: Once In-Unlimited Access (OIUA)
• Some organizations don't need to restrict their users' access to resources, e.g. public services or website contributors
• Other companies allow their employees to access all the resources of the company on their intranet without authentication
• If a user got access to those resources, it is assumed that the user is authorized: no questions asked
• No certificates or tokens are passed between the authentication system and the application
• Unauthorized users such as contractors or support persons can easily gain access under OIUA
Slide 29: Logging and Monitoring
• Logging is keeping records of users' activities
• Monitoring is watching what users are doing in a system
• Records of identification, authentication and authorization are useful to understand what is going on within a system
• Attempted logins, or an authenticated user trying to gain access to applications they are not privileged for, indicate that something is going wrong
• Logging and monitoring help backtrack who is attempting or doing malicious activities
• Security logs are important for forensic investigations for legal purposes
• Attackers try to delete logs so that they won't be caught. The security of the storage and archive systems used to store log data is therefore critical to the integrity of the information
• In big organizations, security log data is huge (gigabytes) and it takes a lot of time and personnel to review that data for malicious activities
• Event filtering, or a clipping level, should be used
Slide 30: Logging and Monitoring (contd.)
• When the threshold of log data is reached, automated tools parse out the log info
• Based on abnormal activity (using correlation of logs from multiple systems), it is possible to determine what exactly the attacker was doing
• Best practices for establishing log collection and management
  – Control the volume of data: based on available storage, processing capacity and manpower
  – Do not allow rollover of logs: deleting earlier logs saves disk space, but valuable info can be deleted. Copying those logs to permanent storage might be important for forensic investigations
  – Evaluate and implement auditing tools to reduce the complex task of log analysis
  – Establish log review and investigative procedures in advance
  – Train personnel to review logs
  – Protect against unauthorized access and change: copied logs should be physically secured
Slide 31: Audit Trail Monitoring
• It is the data collected from various systems' event logging activity, used to reconstruct events that happened in a system for legal purposes
• Records of activities can be investigated to check whether network devices and systems are operating within expected parameters
• Event logging can be done in any system
• It helps gain awareness of systems and infrastructure
• Audit trails alert on suspicious activity for further investigation
• E.g. an administrator can see somebody logging into a mission-critical system after work hours. The admin can look at the logs and determine whether it was legitimate or expected. Other logs can be checked to see if that user is performing questionable actions
• It provides details of intruder activity. A hacker leaves traces behind while hopping between different systems/applications. This helps reconstruct the path, and what type of tool may have been used can be learned, etc.
• Finally, all these records can be used for legal actions
Slide 32: Audit Event Types
Based on information security and access control, there are 5 key audit types:
1. Network Events
2. System Events
3. Application Events
4. User Actions
5. Keystroke Activity
Slide 33: 1. Network Events
• Can play a critical role during an attack
• Devices supporting communications can provide info
• Network layer info is helpful in isolating threat activity (e.g. a worm or DoS attack)
• Helpful in detecting whether a user is using software or services not permitted by policy (e.g. instant messengers, peer-to-peer applications)
• Network logs show the source and destination addresses of traffic, what application the traffic belonged to, and whether the packets were allowed or blocked
• How much traffic was received over a period of time
Slide 34: 2. System Events
• The part of the audit trail that provides system activity info
• Reports whether files are modified, deleted or added
• Shows whether software was installed or removed, or privileges were changed
• If there is a worm or virus in the system, the system will show unexpected activities
• Also shows whether there is a significant change in management activities (both legitimate and hack)
Slide 35: 3. Application Events
• Broad range of possibilities for monitoring activity
• Dependent on the specific services of the application
• E.g. an attack on a web server can be evaluated by looking for URL manipulation in the web server logs
• The objective of auditing an application is to isolate key functions to at least gain an initial perspective of application activity
• The reviewer should know the possible problems that can be seen in the logs while analyzing them
• If the application was made by the organization, security-oriented logging should be incorporated
Slide 36: 4. User Actions
• Helps understand the behavior and activity of a user
• Info on log-on and log-out times, use of privileged access, applications executed, and data files accessed are the basics of user monitoring
Slide 37: 5. Keystroke Activity
• Logging keystrokes shows what a user is typing
• Controversial because it can invade privacy (even if the company allows it)
• E.g. sending an inappropriate message to a coworker can be the basis for firing a strong staff member
• A lot of info can be found in the command history files found on some operating systems
• E.g. on UNIX systems, the $HOME directory can contain files with names like .history, .sh_history, .bash_history
Slide 38: Intrusion Detection and Prevention
• An IDS alerts the administrator to attacks in real time but doesn't take any action
• Considered an audit/network monitoring technology
• It can be implemented as part of a router, a firewall, or a NIDS (Network IDS)
• If used on a host to monitor activity, it is called a Host IDS (HIDS)
• An IPS (Intrusion Prevention System) can detect threats and act proactively. It blocks the unauthorized activity of a hacker as well as of a user trying to perform non-privileged actions
• IPS is gaining popularity lately
• An IDS needs to be tuned to the normal traffic of the organization
• If it is not tuned, it becomes a noisy box, or sits quietly and cannot distinguish between a real attack and an application the organization has made
Slide 39: Network Intrusion Detection System Architecture (NIDS/IDS)
• A NIDS works passively, in promiscuous mode
• It monitors every packet passing in/out of the network
• Can be attached to a firewall, switch, or routers
• A NIDS should be able to handle traffic throughput equivalent to (or greater than) the combined traffic load
• Throughput = sum of all data flying by on the network
• E.g. if a 100 MB, 10-port switch is used, we need at least a 1 GB IDS to handle the traffic load. If the capacity of the IDS is smaller than 1 GB, data packets will be lost
• If the session data is encrypted, the IDS fails
• Many tools are available nowadays which break session encryption and re-establish it
• If the IDS detects an unwanted communication stream, it can attempt to terminate the connection by blocking packets from the source of the traffic, or use features of the TCP protocol and inject packets into the network forcing the remote system to cancel the communication
Slide 40: Host-Based Intrusion Detection System (HIDS)
• Implementation of IDS at the host level is a HIDS
• Processes are limited to host boundaries
• Advantage: effectively detects objectionable activities on the host system it runs on
• Offers access to system logs, processes, system info, device info
• Virtually eliminates the limits associated with encryption
• The level of visibility of packets is higher
• Multi-host IDS allows systems to share policy info and real-time attack data, making it easier to establish a defensive posture
• It is invasive to the operating system and uses a lot of CPU and memory to function during an attack, thereby diminishing the performance of laptops and workstations
• However, new servers eliminate these issues
Slide 41: IDS Analysis Engine Methods
• Based on their strengths and weaknesses, different methods can be used. Two basic methods are:
  – Pattern Matching (Signature Analysis)
    • Based on the characteristics of an attack (a specific packet sequence or text in the data stream)
    • E.g. when attackers attack the system they send specific packets, which the IDS compares with its database. The IDS has thousands of signature patterns and needs to be updated quite often to get new database patterns
    • If a sequence is matched, it alerts
    • If there is a new attack or slight changes in the packets, the signature can cause the IDS to miss the attack
  – Anomaly Detection
Slide 42: Anomaly Detection
• Uses behavioral characteristics of the system's operation or network traffic to draw conclusions. Anomalies include:
  – Multiple failed log-on attempts
  – User logged on at off hours
  – Unexplained changes in the system clock
  – Unusual error messages
  – Unexplained system shutdowns and restarts
  – Attempts to access restricted files
• Reports false positives, as is expected with behavioral change
• Not dependent on specific pattern/signature-based systems
• Info from anomalies can be used to create patterns for signature-based detection
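Slide 42's anomaly list and the clipping level of slides 29-30, as an added example that is not part of the original slides: a small log reviewer that applies a failed-log-on clipping level per user and source, and flags off-hours log-ons, restricted-file access, system-clock changes and off-hours shutdowns. The log lines, the line format, the business hours and the restricted-file set are all constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime, time

# Constructed sample log (not from the slides): "<ISO timestamp> <host> <process>: <message>".
SAMPLE_LOG = """\
2013-06-17T09:01:12 host1 sshd: Failed password for bob from 10.0.0.5
2013-06-17T09:01:15 host1 sshd: Failed password for bob from 10.0.0.5
2013-06-17T09:01:19 host1 sshd: Failed password for bob from 10.0.0.5
2013-06-17T09:01:22 host1 sshd: Failed password for bob from 10.0.0.5
2013-06-17T09:01:25 host1 sshd: Failed password for bob from 10.0.0.5
2013-06-17T09:01:30 host1 sshd: Accepted password for bob from 10.0.0.5
2013-06-17T10:15:00 host1 sshd: Accepted password for alice from 10.0.0.7
2013-06-17T12:00:00 host1 audit: user=alice open /home/alice/notes.txt
2013-06-17T13:05:44 host1 sshd: Failed password for alice from 10.0.0.7
2013-06-17T23:40:03 host2 sshd: Accepted password for carol from 203.0.113.9
2013-06-17T23:41:10 host2 audit: user=carol open /etc/shadow
2013-06-17T23:42:00 host2 kernel: system clock set to 2013-06-17T20:00:00
2013-06-17T23:45:00 host2 init: shutdown requested by carol
"""

CLIPPING_LEVEL = 5                           # failed log-ons per user+source before alerting
BUSINESS_HOURS = (time(8, 0), time(18, 0))   # assumed working hours, Monday to Friday
RESTRICTED_FILES = {"/etc/shadow", "/finance/payroll.db"}   # constructed restricted set

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\w+): (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?P<user>\w+) from (?P<src>[\d.]+)")
ACCEPTED_RE = re.compile(r"Accepted password for (?P<user>\w+) from (?P<src>[\d.]+)")
FILE_RE = re.compile(r"user=(?P<user>\w+) open (?P<path>\S+)")
CLOCK_RE = re.compile(r"system clock (?:set|changed) to")
SHUTDOWN_RE = re.compile(r"(?:shutdown|reboot) requested by (?P<user>\w+)")


def parse(text):
    """Yield (timestamp, host, process, message) for each well-formed line; skip the rest."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["host"], m["proc"], m["msg"]


def off_hours(ts):
    """True outside the assumed business hours or at the weekend."""
    return ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1])


def analyze(text):
    """Return one alert dict per anomaly found, in the order the log raised them."""
    alerts, failures = [], Counter()
    for ts, host, proc, msg in parse(text):
        if m := FAILED_RE.search(msg):
            key = (m["user"], m["src"])
            failures[key] += 1
            if failures[key] == CLIPPING_LEVEL:     # alert once, when the clipping level is hit
                alerts.append({"type": "failed_logons", "user": m["user"], "src": m["src"],
                               "host": host, "count": failures[key], "at": ts})
        elif m := ACCEPTED_RE.search(msg):
            if off_hours(ts):
                alerts.append({"type": "off_hours_logon", "user": m["user"], "src": m["src"],
                               "host": host, "at": ts})
        elif m := FILE_RE.search(msg):
            if m["path"] in RESTRICTED_FILES:
                alerts.append({"type": "restricted_file", "user": m["user"], "path": m["path"],
                               "host": host, "at": ts})
        elif CLOCK_RE.search(msg):
            alerts.append({"type": "clock_change", "host": host, "proc": proc, "at": ts})
        elif m := SHUTDOWN_RE.search(msg):
            if off_hours(ts):                       # no maintenance window: unexplained
                alerts.append({"type": "unexplained_shutdown", "user": m["user"],
                               "host": host, "at": ts})
    return alerts


def summary(alerts):
    """Alert count per type: the first thing a reviewer looks at in a large log."""
    return dict(Counter(a["type"] for a in alerts))
```

A single failed log-on (alice) stays below the clipping level and is not reported, while carol's chain of events on host2 produces four separate alerts that correlation would tie together.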
Slide 43: Stateful Matching Intrusion Detection
• Scans for attack signatures in the context of the traffic or overall behavior
• An intruder may send a volley of valid packets to the targeted system
• Matching a pattern is virtually impossible as the packets are valid
• But why such a huge volume of valid packets?
• To evade detection, the attacker sends packets from multiple locations with long wait periods between each transmission, to confuse the detection system or exhaust the session timing window
• If the IDS is tuned over a long period of time, it can detect the attack
• Stateful Matching IDS also uses signatures, so it has to be updated often
Slide 44: Statistical Anomaly-Based Intrusion Detection
• Analyses event data by comparing it to normal/typical/predicted profiles
• Why is the data skewed at a particular time?
• Very effective; a high-level characteristic of an IPS
• Defining "normal" is a difficult task, if not impossible, in a complex environment
• Prone to false positives
• Has the potential to detect previously unknown attacks
• Using signature-based together with statistical anomaly-based IDS is very effective for detecting attacks
Slide 45: Protocol Anomaly-Based Detection
• Catches when a protocol deviates from its expected behavior
• E.g. if packets in an HTTP session deviate from the HTTP protocol standard, the IDS treats it as malicious behavior
• Useful for HTTP, FTP, or telnet
Slide 46: Traffic Anomaly-Based Intrusion Detection
• Based on traffic or packets
• Again, defining "normal" is difficult
Slide 47: Intrusion Response
• Upon suspicious activity, the IDS or IPS, if permitted to and configured accordingly, interacts with the system to restrict or block traffic
• Early versions of IDS interacted with the firewall and allowed the firewall to implement specific rules for the subject in question
• Still used today. The proposed rule won't conflict with normal business operations
• Firewalls might have lots of rules, and the new rule can have a negative impact on normal mission-critical communications
• A firewall shares rules with other firewalls, so the attacker will be blocked without affecting the system processes
Slide 48: Alarms and Signals
• A core capability of an IDS is to produce alarms and signals that notify people and systems of adverse events
• Fundamental components of the alarm capability
1. Sensor: a mechanism that identifies an event or attack and informs an admin. Tuning sensors is important
2. Control and Communication: the mechanism for handling alerts, e.g. email, text, instant message, pager, voice message, etc.
3. Enunciator:
Slide 49: IDS Management
• Employ technically knowledgeable persons to select, install, configure, operate and maintain the IDS
• Update the system (attack signatures and behavioral profile) regularly
• The IDS may itself be vulnerable to attacks, so protect it accordingly
• Intruders might try to disable the IDS with false info or by overloading the system