L2 ids

Transcript

  • 1. Rushdi Shams, Lecturer, Dept of CSE, KUET, Bangladesh
  • 2.
    - If a computer is on the Internet, or receives data from the Internet (including Web browsing or email), then security is a problem.
    - This is true for everyone: automated scanners and worms do not distinguish between targets.
    - Simply put, if your system has vulnerabilities, it will be hit.
  • 3.
    - Because security problems are ubiquitous, security solutions should be too.
    - To be effective, security must follow a "defense in depth" strategy, a layered approach: if an attack passes through one layer, it should be caught by the next, or the one after that.
    - Defense in depth combines network security and host-based security (especially antivirus software).
    - Each layer is important, but no layer is sufficient on its own.
    - Many end users make the mistake of thinking that a firewall, by itself, constitutes network security.
  • 4.
    - With market penetration of firewalls reaching more than 95 percent, security problems still persist for organizations large and small.
    - A packet-filtering firewall decides by address and port, not by content: simply allowing Web traffic allows all Web traffic, including that which is malicious.
    - The next step that many organizations have taken is to install intrusion detection systems (IDS), which monitor traffic for attack signatures that represent hostile activity.
  • 5.
    - Intrusion detection (ID) is a type of security management system for computers and networks.
    - An ID system gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both
      › intrusions (attacks from outside the organization) and
      › misuse (attacks from within the organization).
  • 6.
    - ID is closely related to vulnerability assessment (sometimes referred to as scanning), a technology developed to assess the security of a computer system or network.
    - The two are complementary rather than the same thing: a scanner probes a system for weaknesses that could be exploited, while an IDS watches for attempts to exploit them.
  • 7. Functions of an ID system:
    - Monitoring and analyzing both user and system activities
    - Analyzing system configurations and vulnerabilities
    - Assessing system and file integrity
    - Recognizing patterns typical of attacks
    - Analyzing abnormal activity patterns
    - Tracking user policy violations
  • 8.
    - Typically, an ID system follows a two-step process.
    - The first procedures are host-based and are considered the passive component:
      › inspection of the system's configuration files to detect inadvisable settings,
      › inspection of the password files to detect inadvisable passwords,
      › inspection of other system areas to detect policy violations.
  • 9.
    - The second procedures are network-based and are considered the active component:
      › mechanisms are set in place to re-enact known methods of attack and to record system responses.
    - Note that this "active" step is really vulnerability scanning; a network IDS proper only watches traffic and never injects attacks (see slide 10).
  • 10.
    - Network-based intrusion detection attempts to identify unauthorized, illicit, and anomalous behavior based solely on network traffic.
    - A network IDS collects the packets that traverse a given network using a network tap, a switch SPAN (mirror) port, or a hub.
    - Using the captured data, the IDS processes the traffic and flags anything suspicious.
    - The role of a network IDS is passive: it only gathers, identifies, logs and alerts.
  • 11.
    - Host-based intrusion detection attempts to identify unauthorized, illicit, and anomalous behavior on a specific device.
    - A HIDS generally involves an agent installed on each system, monitoring and alerting on local OS and application activity.
    - The installed agent uses a combination of signatures, rules, and heuristics to identify unauthorized activity.
    - The role of a host IDS is passive: it only gathers, identifies, logs, and alerts.
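The passive host-based checks of slides 7, 8 and 11 (file integrity, configuration and password-file inspection) are easy to see in code. The following is an added example written for this page, not code from the slides or from any real HIDS product; the directory tree, file contents and the two password-file rules it checks are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example, not from the slides: a minimal host-based integrity and policy check in the
# spirit of slides 7, 8 and 11. All file names, contents and policy rules below are constructed.

def file_digest(path, algo="sha256"):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Record digest, size and permission bits of every regular file below root.
    Symlinks are skipped so an attacker cannot point a watched name at another file."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": file_digest(p),
                "size": st.st_size,
                "mode": st.st_mode & 0o777,
            }
    return baseline

def compare(baseline, current):
    """Diff two baselines: content/mode changes, new files, deleted files."""
    return {
        "modified": sorted(n for n in baseline if n in current and baseline[n] != current[n]),
        "added": sorted(n for n in current if n not in baseline),
        "removed": sorted(n for n in baseline if n not in current),
    }

def audit_passwd(text):
    """Passive check of an /etc/passwd-style file (slide 8): flag any uid-0 account other
    than root and any account whose password field is empty (no password at all)."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"malformed entry: {line!r}")
            continue
        name, passwd, uid = fields[0], fields[1], fields[2]
        if uid == "0" and name != "root":
            findings.append(f"extra uid-0 account: {name}")
        if passwd == "":
            findings.append(f"empty password field: {name}")
    return findings

def demo():
    """Build a baseline over a throwaway tree, tamper with it, and report what a HIDS would see."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp) / "etc"
        etc.mkdir()
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (etc / "sshd_config").write_text("PermitRootLogin no\n")
        baseline = build_baseline(tmp)

        # Constructed tampering: weakened sshd setting, a second uid-0 user, a dropped script.
        (etc / "sshd_config").write_text("PermitRootLogin yes\n")
        (etc / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/bash\nbackdoor::0:0::/:/bin/sh\n")
        (Path(tmp) / "tmp.sh").write_text("#!/bin/sh\n")

        changes = compare(baseline, build_baseline(tmp))
        findings = audit_passwd((etc / "passwd").read_text())
        return changes, findings

if __name__ == "__main__":
    changes, findings = demo()
    for kind, names in changes.items():
        print(f"{kind}: {names}")
    for f in findings:
        print("passwd:", f)
```

The baseline itself must be stored somewhere the monitored host cannot rewrite (a read-only medium or a separate log host), otherwise an intruder who gains root simply rebuilds it after tampering.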
  • 12.
    - A honeypot is simply a system, program or file that has absolutely no purpose in production.
    - Therefore, we can always assume that if the honeypot is accessed, it is for some reason unrelated to
    - Honeypots are probably one of the last security tools an organization should implement, primarily because of the concern that somebody may use the honeypot to attack other systems.
  • 13.
    - A honeypot can also be a computer on your network that looks and acts like a legitimate computer but is actually configured to interact with potential attackers.
    - Honeypots are also known as a sacrificial lamb, decoy, or booby trap.
    - The more realistic the interaction, the longer the attacker stays occupied on the honeypot and away from your production systems.
    - The longer the attacker uses the honeypot, the more is disclosed about their techniques.
    - This information can be used to identify what they are after, what their skill level is, and what tools they use.
    - All this information is then used to better prepare your network and host defenses.
  • 14. Frame delivery through a hub
    - Step 1: Node A transmits a frame to Node C.
    - Step 2: The hub broadcasts this frame to each active port.
    - Step 3: Node B receives the frame and examines the destination address. After determining that it is not the intended host, it discards the frame.
    - Step 4: Node C also receives the frame and examines the address. After determining that it is the intended host, it processes the frame further.
  • 15.
    - In order for a host to be used as a sniffing agent, the network interface must be set to 'promiscuous' mode.
    - Setting this mode requires root or administrator access.
    - After this mode is set, the network interface no longer drops frames addressed to other hosts.
    - Rather, it passes them up to the higher network layers with the expectation that some software at a higher layer (the sniffer) will process them.
  • 16. Frame delivery through a hub with a promiscuous sniffer
    - Step 1: Node A transmits a frame to Node C.
    - Step 2: The hub broadcasts this frame to each active port.
    - Step 3: Node B receives this frame and accepts it because its network interface has been set to 'promiscuous' mode, which makes the interface accept any frame regardless of the destination MAC (Media Access Control) address.
    - Step 4: Node C also receives the frame and processes it as expected. It has no way of knowing that another host has also processed the frame.
  • 17. Frame delivery through a switch
    - Step 1: Node A transmits a frame to Node C.
    - Step 2: The switch looks up the destination MAC address in its forwarding (CAM) table, which it built by learning the source address of earlier frames, and forwards the frame only out of the port where Node C was learned, so A and C effectively have a 'private' connection.
    - Step 3: Node C receives the frame and examines the address. After determining that it is the intended host, it processes the frame further.
    - A frame whose destination has not yet been learned is flooded to every port, as on a hub.
  • 18. ARP Spoofing
    - When Node A wants to communicate with Node C on the network, it sends an ARP request for Node C's IP address.
    - Node C sends an ARP reply which includes its MAC address.
    - Even in a switched environment, this initial ARP request is sent as a broadcast, so every node sees it.
    - It is possible for Node B to craft and send an unsolicited, fake ARP reply to Node A.
    - This fake ARP reply claims that Node C's IP address belongs to Node B's MAC address.
    - Node A updates its ARP cache with the forged binding and unwittingly sends the traffic to Node B, since it professes to have the intended MAC address.
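The exchange in slide 18 can be replayed on the wire format itself. Below is an added example written for this page (not code from the slides): it packs and parses RFC 826 ARP packets, feeds the request, the genuine reply and Node B's forged reply to a host cache that trusts unsolicited replies, and runs an arpwatch-style passive monitor over the same frames. The three IP/MAC pairs and the class names are constructed for the illustration.

```python
import struct
from collections import namedtuple

# Added example, not from the slides: encode and decode RFC 826 ARP packets, replay the
# Node A / B / C scenario of slide 18 against a cache that trusts unsolicited replies, and
# run an arpwatch-style monitor over the same frames. Addresses are constructed.

ARP_REQUEST, ARP_REPLY = 1, 2
IP_A, MAC_A = "10.0.0.1", "aa:aa:aa:aa:aa:01"   # Node A, the victim
IP_B, MAC_B = "10.0.0.2", "bb:bb:bb:bb:bb:02"   # Node B, the attacker
IP_C, MAC_C = "10.0.0.3", "cc:cc:cc:cc:cc:03"   # Node C, the host A wants to reach
ZERO_MAC = "00:00:00:00:00:00"

ArpPacket = namedtuple("ArpPacket", "op sender_mac sender_ip target_mac target_ip")
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa (28 bytes)

def mac_bytes(mac): return bytes.fromhex(mac.replace(":", ""))
def ip_bytes(ip): return bytes(int(o) for o in ip.split("."))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet/IPv4 ARP payload: hardware type 1, protocol type 0x0800, lengths 6 and 4."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))

def parse_arp(payload):
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return ArpPacket(op, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa))


class TrustingArpCache:
    """Models a host stack that updates its cache from every reply it receives, whether or
    not it asked; this is the weakness ARP spoofing relies on."""
    def __init__(self):
        self.table = {}
    def receive(self, payload):
        pkt = parse_arp(payload)
        if pkt.op == ARP_REPLY:
            self.table[pkt.sender_ip] = pkt.sender_mac
    def resolve(self, ip):
        return self.table.get(ip)


class ArpWatch:
    """Passive monitor (the NIDS role of slide 10): remember the first MAC seen for each
    IP and alert when a later packet claims a different one."""
    def __init__(self):
        self.bindings = {}
        self.alerts = []
    def observe(self, payload):
        pkt = parse_arp(payload)
        known = self.bindings.setdefault(pkt.sender_ip, pkt.sender_mac)
        if known != pkt.sender_mac:
            self.alerts.append(f"{pkt.sender_ip} was {known}, now claimed by {pkt.sender_mac}")


def run_scenario():
    """Replay slide 18. Returns (what Node A now believes C's MAC is, monitor alerts)."""
    node_a, sensor = TrustingArpCache(), ArpWatch()
    frames = [
        build_arp(ARP_REQUEST, MAC_A, IP_A, ZERO_MAC, IP_C),  # A: who has 10.0.0.3?
        build_arp(ARP_REPLY, MAC_C, IP_C, MAC_A, IP_A),       # C: 10.0.0.3 is at cc:...
        build_arp(ARP_REPLY, MAC_B, IP_C, MAC_A, IP_A),       # B: forged, 10.0.0.3 is at bb:...
    ]
    for frame in frames:
        node_a.receive(frame)
        sensor.observe(frame)
    return node_a.resolve(IP_C), sensor.alerts

if __name__ == "__main__":
    believed, alerts = run_scenario()
    print("Node A will send traffic for", IP_C, "to", believed)
    print("\n".join(alerts))
```

The monitor keeps the first binding it saw rather than the latest, so it has to be started from a clean state; a DHCP lease change will also trip it, which is the usual source of false alarms for this kind of sensor.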
  • 19. MAC Flooding
    - On some switches, it is possible to bombard the switch with frames carrying bogus source MAC addresses.
    - Once its address table is full, the switch 'fails open'.
    - That is, it reverts to hub-like behaviour and broadcasts frames to all ports.
    - At this point, one of the more generic network sniffers will work.
  • 20. MAC Duplicating
    - You reconfigure Node B to have the same MAC address as the machine whose traffic you're trying to sniff.
    - This is easy to do on a Linux box if you have access to the 'ifconfig' command (or the newer 'ip link' tool).
    - This differs from ARP Spoofing because, in ARP Spoofing, we are 'confusing' the host by poisoning its ARP cache.
    - In a MAC Duplicating attack, we confuse the switch itself into thinking two ports have the same MAC address, so its table entry flips between the ports and part of the victim's traffic is delivered to the attacker.
  • 21.
    IP Filtering
    - By enabling IP filtering on your switch, you directly specify which traffic is allowed to flow to and from each port.
    - This can be a monumental effort to put in place and manage, especially if your environment is dynamic.
    Port Security
    - If your switch has the ability to enable port security, this will help to protect you from both the MAC Flooding and MAC Duplicating attacks.
    - This feature effectively prevents the switch from learning more than one MAC address on a physical port, and can tie a port to a specific MAC.
    Routing Security
    - No workstations should be allowed to run a routing protocol, as they may be compromised.
    - Management of any of your network gear should be through a secure connection such as SSH, not through telnet, which passes the administrative login/password in cleartext.
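Slides 17, 19, 20 and 21 describe how a learning switch forwards, how it fails when its address table is exhausted, what happens when two ports claim one MAC, and how port security changes the outcome. The following toy switch is an added example written for this page (not code from the slides or from any vendor): port names, MAC labels and the four-entry table are constructed, the table is assumed to evict its oldest entry when full and to flood unknown destinations, and port security is modelled only as a per-port limit on learned MACs.

```python
from collections import OrderedDict

# Added example, not from the slides: a toy learning switch used to replay the behaviour
# described in slides 17, 19, 20 and 21. Port names, MAC labels and the CAM capacity are
# constructed; real switches differ in table size and in how they behave when it is full.

class LearningSwitch:
    def __init__(self, ports, cam_capacity=4, port_security_max=None):
        self.ports = set(ports)
        self.cam = OrderedDict()             # MAC -> port, oldest entry first
        self.cam_capacity = cam_capacity
        self.port_security_max = port_security_max  # max MACs per port; None disables
        self.shutdown = set()                # ports disabled by a port-security violation
        self.log = []

    def _learn(self, src_mac, in_port):
        """Update the CAM table from a frame's source address. Returns False if the frame
        must be dropped because it tripped port security."""
        if self.port_security_max is not None:
            seen = {m for m, p in self.cam.items() if p == in_port}
            if src_mac not in seen and len(seen) >= self.port_security_max:
                self.shutdown.add(in_port)
                self.log.append(f"port-security violation on {in_port} by {src_mac}")
                return False
        if src_mac in self.cam:
            if self.cam[src_mac] != in_port:   # same MAC now seen on another port
                self.log.append(f"{src_mac} moved {self.cam[src_mac]} -> {in_port}")
        elif len(self.cam) >= self.cam_capacity:
            evicted, _ = self.cam.popitem(last=False)   # assumption: FIFO eviction when full
            self.log.append(f"CAM full, evicted {evicted}")
        self.cam[src_mac] = in_port
        self.cam.move_to_end(src_mac)
        return True

    def forward(self, in_port, src_mac, dst_mac):
        """Return the set of egress ports for a frame arriving on in_port."""
        if in_port in self.shutdown or not self._learn(src_mac, in_port):
            return set()
        out = self.cam.get(dst_mac)
        if out is None:
            # Unknown destination: flood to every other live port, exactly like a hub.
            return self.ports - {in_port} - self.shutdown
        if out == in_port:
            return set()   # destination is on the ingress segment; nothing to forward
        return {out}


def normal_switching():
    """Slide 17: after both sides have been learned, A -> C goes to C's port only."""
    sw = LearningSwitch(["p1", "p2", "p3"])
    sw.forward("p1", "A", "C")          # C unknown yet: flooded to p2 and p3
    sw.forward("p3", "C", "A")          # switch learns C on p3
    return sw.forward("p1", "A", "C")   # {"p3"}: p2 (Node B) sees nothing

def mac_flooding():
    """Slide 19: attacker on p2 sprays bogus source MACs until C's entry is evicted."""
    sw = LearningSwitch(["p1", "p2", "p3"], cam_capacity=4)
    sw.forward("p1", "A", "C")
    sw.forward("p3", "C", "A")
    for i in range(50):
        sw.forward("p2", f"bogus{i:02d}", "A")
    return sw.forward("p1", "A", "C")   # {"p2", "p3"}: fail-open, the sniffer on p2 sees it

def mac_duplicating():
    """Slide 20: attacker on p2 clones C's MAC; the switch now believes C lives on p2."""
    sw = LearningSwitch(["p1", "p2", "p3"])
    sw.forward("p3", "C", "A")
    sw.forward("p2", "C", "A")
    return sw.forward("p1", "A", "C"), sw.log   # ({"p2"}, ["C moved p3 -> p2"])

def port_security():
    """Slide 21: limiting each port to one MAC stops the flood and disables the attacker's port."""
    sw = LearningSwitch(["p1", "p2", "p3"], cam_capacity=4, port_security_max=1)
    sw.forward("p1", "A", "C")
    sw.forward("p3", "C", "A")
    for i in range(50):
        sw.forward("p2", f"bogus{i:02d}", "A")
    return sw.forward("p1", "A", "C"), "p2" in sw.shutdown   # ({"p3"}, True)
```

Note what the count limit alone does not do: in `mac_duplicating` the attacker's port only ever carries one MAC, so a per-port count never fires; stopping that case needs the port pinned to a specific address (sticky or static MAC), which is the second half of the port-security feature described on slide 21.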
  • 22.
    - Knowledge-based intrusion detection techniques apply the knowledge accumulated about specific attacks and system vulnerabilities.
    - The IDS contains information about these vulnerabilities and looks for attempts to exploit them.
    - When such an attempt is detected, an alarm is triggered.
  • 23.
    - In other words, any action that is not explicitly recognized as an attack is considered acceptable.
    - Therefore, the accuracy of knowledge-based intrusion detection systems is considered good (few false alarms).
    - However, their completeness (i.e. whether they detect all possible attacks) depends on the regular update of knowledge about attacks; a new or modified attack with no signature goes unnoticed.
  • 24.
    - Advantages of the knowledge-based approaches are that they have the potential for very low false alarm rates, and that an alarm names the specific attack or vulnerability that was matched, which simplifies the response.
  • 25.
    - Behavior-based intrusion detection techniques assume that an intrusion can be detected by observing a deviation from the normal or expected behavior of the system or its users.
    - The model of normal or valid behavior is extracted from reference information collected by various means.
    - The intrusion detection system later compares this model with the current activity.
  • 26.
    - When a deviation is observed, an alarm is generated.
    - In other words, anything that does not correspond to previously learned behavior is considered intrusive.
    - Therefore, the intrusion detection system might be complete (i.e. all attacks should be caught), but its accuracy is a difficult issue (i.e. you get a lot of false alarms).
  • 27.
    - Advantages of behavior-based approaches are that they can detect attempts to exploit new and unforeseen vulnerabilities.
    - They can even contribute to the (partially) automatic discovery of these new attacks.
    - They also help detect 'abuse of privileges' attacks that do not involve exploiting any security vulnerability.
    - In short, this is the paranoid approach: everything which has not been seen previously is dangerous.
  • 28.
    - The high false alarm rate is generally cited as the main drawback of behavior-based techniques, because the entire scope of the behavior of an information system may not be covered during the learning phase.
    - Also, behavior changes over time, introducing the need for periodic online retraining of the behavior profile, which results either in unavailability of the intrusion detection system or in additional false alarms.
  • 29.
    - The information system can undergo attacks at the same time the intrusion detection system is learning the behavior. As a result, the behavior profile contains intrusive behavior, which is then not detected as anomalous.
    - The learning data should therefore be collected from a period known to be clean, or at least reviewed before it is accepted as the baseline.
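Slides 22 to 29 contrast the two detection philosophies; the example below puts both next to each other on the same input. It is an added example written for this page, not code from the slides or from any IDS product. The three regex signatures, the HTTP request lines, the requests-per-minute baseline and the batch-job and poisoning scenarios are all constructed for illustration, and the signatures are deliberately crude rather than production rules.

```python
import re
from statistics import mean, pstdev

# Added example, not from the slides: the two detection philosophies of slides 22-29 run
# side by side over constructed input. Signatures, request lines and traffic counts are
# invented for illustration; the regexes are deliberately simple, not production rules.

SIGNATURES = {
    "directory traversal": re.compile(r"\.\./"),
    "sql injection": re.compile(r"(?i)union\s+select|'\s*or\s+1=1"),
    "cmd.exe access": re.compile(r"(?i)/cmd\.exe"),
}

# Constructed request lines as a NIDS would reassemble them from captured packets.
KNOWN_BAD = [
    "GET /../../etc/passwd HTTP/1.1",
    "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.1",
    "GET /index.php?id=1' OR 1=1-- HTTP/1.1",
]
# A novel fuzzing run: odd URLs at a high rate, but nothing that matches a signature.
NOVEL_ATTACK = [f"GET /app?id={i}%00 HTTP/1.1" for i in range(80)]
# Constructed baseline: requests per minute from a period known to be clean.
NORMAL_MINUTES = [10, 12, 9, 11, 13, 10, 12, 11]


def knowledge_based(requests):
    """Slides 22-24: alert only on known-bad patterns; anything unmatched is accepted."""
    alerts = []
    for req in requests:
        for name, pattern in SIGNATURES.items():
            if pattern.search(req):
                alerts.append((name, req))
    return alerts


class BehaviorBased:
    """Slides 25-29: learn the normal request volume per minute, then flag any minute that
    deviates from it by more than k standard deviations."""
    def __init__(self, k=3.0):
        self.k = k
        self.mu = self.sigma = None

    def train(self, counts_per_minute):
        self.mu = mean(counts_per_minute)
        self.sigma = pstdev(counts_per_minute)
        return self

    def threshold(self):
        # Floor the spread at 1 so a perfectly flat baseline does not alarm on every blip.
        return self.mu + self.k * max(self.sigma, 1.0)

    def is_anomalous(self, count):
        return count > self.threshold()


def demo():
    clean = BehaviorBased().train(NORMAL_MINUTES)
    # Known attacks: signatures fire, and each alert names the attack it matched.
    sig_alerts = knowledge_based(KNOWN_BAD)
    # Novel attack: no signature fires, but the request rate is far outside the baseline.
    missed_by_signatures = knowledge_based(NOVEL_ATTACK) == []
    caught_by_behavior = clean.is_anomalous(len(NOVEL_ATTACK))
    # Slide 28: a legitimate but never-seen nightly batch job (60 req/min) is a false alarm.
    false_alarm = clean.is_anomalous(60)
    # Slide 29: if the attack ran while the profile was learned, the profile absorbs it.
    poisoned = BehaviorBased().train(NORMAL_MINUTES + [80, 85, 78, 82])
    missed_after_poisoning = not poisoned.is_anomalous(80)
    return {
        "signature_alerts": sig_alerts,
        "novel_attack_missed_by_signatures": missed_by_signatures,
        "novel_attack_caught_by_behavior": caught_by_behavior,
        "batch_job_false_alarm": false_alarm,
        "poisoned_baseline_misses_attack": missed_after_poisoning,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The poisoned run is the point of slide 29 in numbers: four attack minutes in the training set pull the mean up and inflate the standard deviation so much that the same 80 requests per minute now sit well below the threshold. Reviewing the training window before accepting it as "normal" is cheaper than discovering this after the fact.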