
Talk2 esc4 muscl-ids_v1_2

An overview of what an IDS is and how to get started to set one up at home


  1. {elysiumsecurity} cyber protection & response. INTRUSION DETECTION SYSTEM: HOW TO SET UP A HOME IDS. Version: 1.2a. Date: 29/03/2018. Author: Sylvain Martinez. Reference: ESC4-MUSCL. Classification: Public.
  2. CONTENTS
     - Context: Why set up an IDS? What is an IDS? What type of IDS?
     - Concept: Overall concept; How does it work? IDS requirements.
     - Setup: Simple architecture; Installation; Traffic duplication; Tuning; Enhanced architecture; Going further.
     - Example: Sample dashboard.
  3. WHY SET UP AN IDS?
     - Know when your network/computers are under attack;
     - Know when your network/computers have been compromised;
     - Identify suspicious application activities.
  4. WHAT IS AN IDS?
     An Intrusion Detection System (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. (Source: Wikipedia. Icons from the Noun Project unless specified otherwise.)
  5. WHAT TYPE OF IDS?
     - Intrusion Detection System (IDS), split into Network IDS (NIDS), which inspects a copy of the network traffic, and Host IDS (HIDS), which runs on the monitored machine itself;
     - Intrusion Prevention System (IPS): sits inline and can block traffic as well as alert on it.
     This talk sets up a NIDS.
  6. OVERALL CONCEPT
     Network traffic -> intercepted (duplicated) traffic -> IDS analysis.
  7. HOW DOES IT WORK?
     Inspect traffic -> detect threat (by matching against signatures and patterns) -> generate alert.
  8. IDS REQUIREMENTS
     - Coverage: internal network activities; external network -> in.
     - Tracking: what IP generated the alert? What host?
     - Tuning: what are you interested in the most? Remove false positives.
  9. SIMPLE ARCHITECTURE
     Home network <-> Internet, with the IDS receiving a copy of the traffic on that link. Traffic analysis against signatures and patterns/behaviours produces security alerts. (Icons from VMware.)
  10. INSTALLATION
     1. IDS choice: Security Onion (SO), https://securityonion.net/; SELKS, https://www.stamus-networks.com/open-source/
     2. Platform setup: virtual machine or dedicated server; 2x network ports (management/monitoring); enough RAM (8 GB+) and disk space (50 GB+); able to run 24/7.
     3. Installation: best to keep default settings; know in advance which network port will be your management port; use testmyids.com to validate your installation (fetch it over plain HTTP from a monitored host: the IDS must see the cleartext reply to raise the test alert).
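As an added example (not from the original slides, nor code from Security Onion or SELKS): a minimal signature inspector in Python that shows slides 7 and 10 in code. Packets are classified by direction relative to an assumed home subnet and matched against content signatures. The first signature reproduces the content match of the Emerging Threats rule "GPL ATTACK_RESPONSE id check returned root" (sid 2100498), which is the rule a plain-HTTP visit to testmyids.com is meant to trigger; the second signature and its sid, the home subnet, the host names and all sample packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

HOME_NET = [ipaddress.ip_network("192.168.1.0/24")]   # assumed home subnet


@dataclass(frozen=True)
class Signature:
    sid: int
    msg: str
    direction: str   # "to_server": leaving HOME_NET; "to_client": entering it; "any"
    content: bytes   # byte pattern, matched case-insensitively (Suricata's nocase)


# The first entry reproduces the content match of the Emerging Threats rule
# "GPL ATTACK_RESPONSE id check returned root" (sid 2100498), which matches in
# any direction: testmyids.com answers a plain-HTTP request with
# "uid=0(root) gid=0(root) ..." so that this rule fires on a working NIDS.
# The second entry is a hypothetical local rule (sid in the local range).
SIGNATURES = [
    Signature(2100498, "GPL ATTACK_RESPONSE id check returned root", "any", b"uid=0(root)"),
    Signature(1000001, "LOCAL SQL tautology in request", "to_server", b"' or 1=1"),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes


def in_home_net(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def direction(pkt):
    """Classify a packet relative to the home subnet, as $HOME_NET does in rules."""
    src_home, dst_home = in_home_net(pkt.src), in_home_net(pkt.dst)
    if src_home and not dst_home:
        return "to_server"
    if dst_home and not src_home:
        return "to_client"
    return "internal"   # LAN-to-LAN; only seen if the mirror port covers it


def inspect(packets, signatures=SIGNATURES):
    """Return one alert per (packet, signature) match, shaped like an eve.json alert."""
    alerts = []
    for pkt in packets:
        d = direction(pkt)
        haystack = pkt.payload.lower()
        for sig in signatures:
            if sig.direction in ("any", d) and sig.content.lower() in haystack:
                alerts.append({"sid": sig.sid, "msg": sig.msg,
                               "src_ip": pkt.src, "dest_ip": pkt.dst})
    return alerts


def installation_validated(alerts):
    """The check behind 'use testmyids.com': did sid 2100498 fire?"""
    return any(a["sid"] == 2100498 for a in alerts)


# Constructed sample traffic: a request to and the reply from a testmyids-like
# server, a benign reply, a suspicious outbound request, and a LAN-internal
# request that a to_server-only rule does not cover.
SAMPLE = [
    Packet("192.168.1.20", "203.0.113.10", b"GET / HTTP/1.1\r\nHost: testmyids.example\r\n\r\n"),
    Packet("203.0.113.10", "192.168.1.20",
           b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nuid=0(root) gid=0(root) groups=0(root)\n"),
    Packet("203.0.113.10", "192.168.1.20", b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>ok</html>"),
    Packet("192.168.1.21", "203.0.113.20", b"GET /login?user=admin' OR 1=1-- HTTP/1.1\r\n\r\n"),
    Packet("192.168.1.20", "192.168.1.21", b"GET /?q=' or 1=1 HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    found = inspect(SAMPLE)
    for a in found:
        print(f'[sid {a["sid"]}] {a["src_ip"]} -> {a["dest_ip"]}: {a["msg"]}')
    print("installation validated:", installation_validated(found))
```

The last sample packet is the coverage point from slide 8: a rule written for traffic leaving the home subnet never fires on LAN-to-LAN traffic, and a mirror port on the gateway link never sees that traffic in the first place.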
  11. TRAFFIC DUPLICATION
     1. Hardware: Netgear GS105E; MikroTik RB2011UiAS-2HnD-IN; Ubiquiti Networks UniFi Switch.
     2. Duplication: configure a TAP, SPAN or mirror port. From: the port connected to your Internet gateway. Destination: the port connected to your IDS monitoring interface.
     3. Considerations: careful of VLANs -> extra IDS configuration (the mirror port carries tagged frames); careful of NAT -> limits visibility (mirror on the LAN side of the gateway, otherwise every internal host appears as the gateway's address).
     Video link for Netgear setup: https://www.youtube.com/watch?v=kCSRgbEMkWs
  12. TUNING
     1. Tracking: NAT disabled (capture traffic before it is translated); fixed IP or reserved DHCP address for each host, so that an alert maps to a known machine.
     2. Configuration: define the local IP subnet; define critical hosts; disable rules not needed.
     3. Tuning: review alerts regularly and act on false positives; rule suppression; rule trigger (threshold) tuning.
  13. ENHANCED ARCHITECTURE
     As the simple architecture, but the IDS also sees the DHCP requests to the DHCP server, which gives it IP-to-host visibility.
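Added example, again Python and not part of the slides or of either distribution: the tracking and tuning steps of slides 12 and 13 applied to constructed Suricata-style eve.json alert lines. It maps addresses to hosts through a reservation table (the mapping the DHCP visibility of the enhanced architecture provides), flags alerts that touch critical hosts, and applies suppression and a per-source rate limit modelled on the suppress and threshold entries of Suricata's threshold.config. The subnet, host names, signature ids (local-rule range), addresses and log lines are all constructed.

```python
import ipaddress
import json
from datetime import datetime

HOME_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed local subnet

# Tracking (slides 12/13): fixed IPs or DHCP reservations keep this table stable.
# Constructed for the example.
HOST_TABLE = {
    "192.168.1.10": "nas",
    "192.168.1.20": "laptop",
    "192.168.1.30": "smart-tv",
}
CRITICAL_HOSTS = {"nas"}

# Suppression in the spirit of a threshold.config line such as
#   suppress gen_id 1, sig_id 1000001, track by_src, ip 192.168.1.30
# ip=None suppresses the signature for every source. Sids are hypothetical.
SUPPRESS = [
    {"sid": 1000001, "ip": "192.168.1.30"},   # the TV's known-noisy cloud polling
    {"sid": 1000003, "ip": None},              # rule not useful on this network
]

# Rate limit in the spirit of
#   threshold gen_id 1, sig_id X, type limit, track by_src, count 1, seconds 60
LIMIT_COUNT, LIMIT_SECONDS = 1, 60


def host_for(ip):
    """Name a host from the reservation table; say why when that fails."""
    if ip in HOST_TABLE:
        return HOST_TABLE[ip]
    return "unknown-lan" if ipaddress.ip_address(ip) in HOME_NET else "external"


def is_suppressed(ev):
    sid = ev["alert"]["signature_id"]
    return any(s["sid"] == sid and s["ip"] in (None, ev["src_ip"]) for s in SUPPRESS)


def triage(eve_lines):
    """Filter eve.json lines; return (kept alerts, counters of what was dropped)."""
    kept = []
    stats = {"suppressed": 0, "rate_limited": 0, "untracked": 0}
    windows = {}   # (sid, src_ip) -> (window start, alerts seen in that window)
    for line in eve_lines:
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue                       # flow/dns/http records are not alerts
        if is_suppressed(ev):
            stats["suppressed"] += 1
            continue
        ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        key = (ev["alert"]["signature_id"], ev["src_ip"])
        start, seen = windows.get(key, (ts, 0))
        if (ts - start).total_seconds() >= LIMIT_SECONDS:
            start, seen = ts, 0            # window expired: start a new one
        windows[key] = (start, seen + 1)
        if seen >= LIMIT_COUNT:
            stats["rate_limited"] += 1
            continue
        src, dst = host_for(ev["src_ip"]), host_for(ev["dest_ip"])
        if "unknown-lan" in (src, dst):
            stats["untracked"] += 1        # LAN host without a reservation: fix in DHCP
        kept.append({
            "sid": ev["alert"]["signature_id"],
            "msg": ev["alert"]["signature"],
            "severity": ev["alert"]["severity"],
            "src": src, "dst": dst,
            "critical": bool({src, dst} & CRITICAL_HOSTS),
        })
    return kept, stats


def critical_alerts(kept):
    return [a for a in kept if a["critical"]]


def _ev(ts, src, dst, sid, msg, sev=2, etype="alert"):
    """Build one constructed eve.json line (helper for the sample data only)."""
    ev = {"timestamp": ts, "event_type": etype, "src_ip": src, "dest_ip": dst}
    if etype == "alert":
        ev["alert"] = {"signature_id": sid, "signature": msg, "severity": sev}
    return json.dumps(ev)


# Constructed sample log, in time order.
EVE_LINES = [
    _ev("2018-03-29T10:00:00.000000+0000", "192.168.1.30", "203.0.113.5", 1000001, "LOCAL Media device polling vendor cloud", 3),
    _ev("2018-03-29T10:00:05.000000+0000", "198.51.100.7", "192.168.1.10", 1000002, "LOCAL Inbound SMB connection attempt", 1),
    _ev("2018-03-29T10:00:10.000000+0000", "198.51.100.7", "192.168.1.10", 1000002, "LOCAL Inbound SMB connection attempt", 1),
    _ev("2018-03-29T10:00:20.000000+0000", "192.168.1.20", "203.0.113.9", 1000003, "LOCAL Rule disabled for this network", 3),
    _ev("2018-03-29T10:00:30.000000+0000", "192.168.1.77", "203.0.113.9", 1000004, "LOCAL Outbound connection on unusual port", 2),
    _ev("2018-03-29T10:00:40.000000+0000", "192.168.1.20", "203.0.113.9", None, None, etype="flow"),
    _ev("2018-03-29T10:02:00.000000+0000", "198.51.100.7", "192.168.1.10", 1000002, "LOCAL Inbound SMB connection attempt", 1),
]

if __name__ == "__main__":
    alerts, stats = triage(EVE_LINES)
    for a in alerts:
        print(("CRITICAL " if a["critical"] else "         ") + f'{a["src"]} -> {a["dst"]}: {a["msg"]}')
    print(stats)
```

The "untracked" counter is the reason slide 12 asks for fixed IPs or DHCP reservations: an alert from an address the table cannot name cannot be acted on until someone finds the machine. Suppression entries are scoped to one source where possible, so the same signature still fires for every other host.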
  14. GOING FURTHER
     - SELKS wiki: https://github.com/StamusNetworks/SELKS/wiki
     - Security Onion wiki: https://github.com/Security-Onion-Solutions/security-onion/wiki
     - ElysiumSecurity installation guide: https://www.elysiumsecurity.com/blog/Guides/post7.html
  15. SAMPLE DASHBOARD (screenshot only; no text content in this extraction.)
  16. ABOUT ELYSIUMSECURITY LTD.
     ElysiumSecurity provides a portfolio of Strategic and Tactical Services to help companies protect and respond against cyber security threats. We differentiate ourselves by offering discreet, tailored and specialized engagements. Operating in Mauritius and in the United Kingdom, our boutique-style approach means we can easily adapt to your business operational model and requirements to provide a personalized service that fits your working environment.
     ElysiumSecurity provides practical expertise to identify vulnerabilities, assess their risks and impact, remediate those risks, prepare for and respond to incidents, as well as raise security awareness throughout an organization. ElysiumSecurity provides high-level expertise gathered through years of best-practice experience in large international companies, allowing us to provide advice best suited to your business operational model and priorities.
     © 2018 ElysiumSecurity Ltd. All Rights Reserved. www.elysiumsecurity.com
