Talk2 esc4 muscl-ids_v1_2

An overview of what an IDS is and how to get started to set one up at home

Published in: Technology
1. INTRUSION DETECTION SYSTEM: HOW TO SET UP A HOME IDS
{elysiumsecurity} cyber protection & response
Version: 1.2a
Date: 29/03/2018
Author: Sylvain Martinez
Reference: ESC4-MUSCL
Classification: Public

2. CONTENTS
• Why set up an IDS?
• What is an IDS?
• What type of IDS?
• Overall Concept;
• How does it work?
• IDS Requirements;
• Simple Architecture;
• Installation;
• Traffic Duplication;
• Tuning;
• Enhanced Architecture;
• Going Further;
• Sample Dashboard.

3. WHY SET UP AN IDS?
• Know when your network/computers have been compromised
• Identify suspicious application activities
• Know when your network/computers are under attack

4. WHAT IS AN IDS?
An Intrusion Detection System (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations.
Source: Wikipedia. Icons from the Noun Project unless specified otherwise.

5. WHAT TYPE OF IDS?
• Network IDS (NIDS)
• Host IDS (HIDS)
• Intrusion Detection System (IDS) versus Intrusion Prevention System (IPS)

6. OVERALL CONCEPT
[Diagram: network traffic is intercepted and the intercepted copy is fed to the IDS for analysis]

7. HOW DOES IT WORK?
[Diagram: intercepted network traffic flows into the IDS analysis engine]
Inspect traffic -> Detect threat (using signatures and patterns) -> Generate alert

8. IDS REQUIREMENTS
Coverage:
- Internal network activities
- (External network -> IN)
Tracking:
- What IP generated the alert?
- What host?
Tuning:
- What are you interested in the most?
- Remove false positives

9. SIMPLE ARCHITECTURE
[Diagram: home network <-> IDS <-> Internet; traffic analysis against signatures and patterns/behaviours produces security alerts]
Icons from VMware

10. INSTALLATION
1. IDS choice
- Security Onion (SO): https://securityonion.net/
- SELKS: https://www.stamus-networks.com/open-source/
2. Platform setup
- Virtual machine or dedicated server
- 2x network ports (manage/monitor)
- Enough RAM (8Gb+) and disk space (50Gb)
- To run 24/7
3. Installation
- Best to keep default settings
- Know in advance which network port will be your management port;
- Use testmyids.com to validate your installation

11. TRAFFIC DUPLICATION
1. Hardware
- Netgear GS105E
- Mikrotik RB2011UiAS-2HnD-IN
- Ubiquiti Networks UniFi Switch
2. Duplication
- Configure a TAP, SPAN or mirror port
- FROM: connection to your Internet gateway
- DESTINATION: connection to your IDS monitoring port
3. Consideration
- Careful of VLANs -> extra IDS configuration
- Careful of NAT -> limits visibility
Video link for Netgear setup: https://www.youtube.com/watch?v=kCSRgbEMkWs

12. TUNING
1. Tracking
- NAT disabled
- Fixed IP or reserved DHCP
2. Configuration
- Local IP subnet
- Define critical hosts
- Disable rules not needed
3. Tuning
- Review alerts regularly and act on false positives
- Rules suppression
- Rules trigger setup tuning
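The tracking, configuration and tuning points on this slide come together when you review alerts. The Python script below is an added example, not part of the deck or of SELKS/Security Onion: it reads Suricata EVE JSON alert lines (the output format SELKS uses; the sample lines here are constructed), classifies each alert by direction against an assumed local subnet, maps the local-side IP to a host name from a constructed fixed-IP/reserved-DHCP table (which only works because NAT is disabled), flags critical hosts, and applies a suppression list in the spirit of a Suricata threshold.config `suppress` entry. The subnet, the host table, the suppression entry and signature ids 9000001/9000002 are assumptions; the first sample alert mimics the signature that the testmyids.com check triggers.

```python
"""Alert triage for a home IDS: tracking, critical hosts and suppression.

Added example (not from the slides). Assumes Suricata EVE JSON alert records,
as produced by SELKS; the sample lines below are constructed, not captured.
"""
import ipaddress
import json
from collections import Counter

# Assumed home subnet; match it to the "Local IP Subnet" configured in the IDS.
HOME_NET = [ipaddress.ip_network("192.168.1.0/24")]

# Tracking: with NAT disabled and fixed IPs / reserved DHCP leases, one IP maps
# to one host. Constructed table for this example.
HOSTS = {"192.168.1.10": "laptop", "192.168.1.20": "nas", "192.168.1.30": "tv"}
CRITICAL_HOSTS = {"nas"}

# Suppressions agreed after alert review: (signature_id, field, ip).
# Same idea as a Suricata threshold.config "suppress" line; ids are constructed.
SUPPRESS = [(9000002, "src_ip", "192.168.1.30")]

# Constructed EVE JSON lines (one JSON object per line, Suricata/SELKS layout).
SAMPLE_EVE = "\n".join(json.dumps(ev) for ev in [
    {"timestamp": "2018-03-29T10:00:01", "event_type": "alert",
     "src_ip": "203.0.113.5", "dest_ip": "192.168.1.10",
     "alert": {"signature_id": 2100498, "severity": 2,
               "signature": "GPL ATTACK_RESPONSE id check returned root"}},
    {"timestamp": "2018-03-29T10:05:12", "event_type": "alert",
     "src_ip": "192.168.1.20", "dest_ip": "198.51.100.7",
     "alert": {"signature_id": 9000001, "severity": 1,
               "signature": "CONSTRUCTED outbound connection on unusual port"}},
    {"timestamp": "2018-03-29T10:05:13", "event_type": "dns",
     "src_ip": "192.168.1.20", "dest_ip": "192.168.1.1"},
    {"timestamp": "2018-03-29T10:07:40", "event_type": "alert",
     "src_ip": "192.168.1.30", "dest_ip": "198.51.100.8",
     "alert": {"signature_id": 9000002, "severity": 3,
               "signature": "CONSTRUCTED policy: smart TV telemetry"}},
    {"timestamp": "2018-03-29T10:17:40", "event_type": "alert",
     "src_ip": "192.168.1.30", "dest_ip": "198.51.100.8",
     "alert": {"signature_id": 9000002, "severity": 3,
               "signature": "CONSTRUCTED policy: smart TV telemetry"}},
])


def is_home(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def direction(src: str, dst: str) -> str:
    """Coverage view: where the flow sits relative to the home subnet."""
    s, d = is_home(src), is_home(dst)
    if s and d:
        return "internal"
    if s:
        return "outbound"
    if d:
        return "inbound"
    return "external"  # only seen if the mirror port carries transit traffic


def is_suppressed(ev: dict) -> bool:
    sid = ev["alert"]["signature_id"]
    return any(sid == s and ev.get(field) == ip for s, field, ip in SUPPRESS)


def triage(lines):
    """Turn raw EVE lines into rows answering: which IP, which host, how urgent."""
    rows = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue  # flow/dns/http records are useful context but not alerts
        src, dst = ev["src_ip"], ev["dest_ip"]
        local_ip = src if is_home(src) else (dst if is_home(dst) else None)
        host = HOSTS.get(local_ip, "unknown") if local_ip else "n/a"
        rows.append({
            "time": ev["timestamp"],
            "sid": ev["alert"]["signature_id"],
            "signature": ev["alert"]["signature"],
            "severity": ev["alert"]["severity"],
            "src": src, "dst": dst,
            "direction": direction(src, dst),
            "host": host,
            "critical": host in CRITICAL_HOSTS,
            "suppressed": is_suppressed(ev),
        })
    return rows


def summarize(rows) -> Counter:
    """Unsuppressed alerts per signature: the list to review for the next false positives."""
    return Counter(r["signature"] for r in rows if not r["suppressed"])


if __name__ == "__main__":
    rows = triage(SAMPLE_EVE.splitlines())
    for r in rows:
        flag = "SUPPRESSED" if r["suppressed"] else ("CRITICAL" if r["critical"] else "")
        print(f'{r["time"]} {r["direction"]:8} {r["host"]:8} '
              f'{r["src"]} -> {r["dst"]} [{r["sid"]}] {r["signature"]} {flag}')
    print(summarize(rows).most_common())
```

Running the script on a real eve.json would replace `SAMPLE_EVE.splitlines()` with the file's lines; the suppression list is the place to record each false positive you decide on during the regular review, and anything hitting a critical host stays visible regardless of severity.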
13. ENHANCED ARCHITECTURE
[Diagram: as the simple architecture, with the DHCP server placed so that DHCP requests pass the IDS, which allows IP visibility]
Icons from VMware

14. GOING FURTHER
• SELKS wiki: https://github.com/StamusNetworks/SELKS/wiki
• Security Onion wiki: https://github.com/Security-Onion-Solutions/security-onion/wiki
• ElysiumSecurity installation guide: https://www.elysiumsecurity.com/blog/Guides/post7.html

15. SAMPLE DASHBOARD
[Screenshot of a sample IDS dashboard]

16. ABOUT ELYSIUMSECURITY LTD.
ElysiumSecurity provides a portfolio of Strategic and Tactical Services to help companies protect and respond against Cyber Security Threats. We differentiate ourselves by offering discreet, tailored and specialized engagements. Operating in Mauritius and in the United Kingdom, our boutique style approach means we can easily adapt to your business operational model and requirements to provide a personalized service that fits your working environment.
ElysiumSecurity provides practical expertise to identify vulnerabilities, assess their risks and impact, remediate those risks, prepare and respond to incidents as well as raise security awareness through an organization. ElysiumSecurity provides high level expertise gathered through years of best practices experience in large international companies allowing us to provide advice best suited to your business operational model and priorities.
© 2018 ElysiumSecurity Ltd. All Rights Reserved. www.elysiumsecurity.com