AGENDA INTRODUCTION TYPES OF IDS NETWORK INTRUSION DETECTION SYSTEM HOW DOES IT PROTECT THE SENSITIVE SYSTEM WORKING OF NIDS DIFFERENCES BETWEEN NIDS AND FIREWALL
MISUSE DETECTION SYSTEMSNEW ARCHITECTUREIMPLEMENTED APPROACHES ADVANTAGES AND DISADVANTAGES CONCLUSION
INTRODUCTION An intrusion is somebody attempting to break into or misuse your system. An intrusion detection system (IDS) is a device (or application) that monitors network and/or system activities for malicious activities or policy violations.
TYPES OF INTRUSION DETECTIONSYSTEM Intrusion Detection Systems are categorized into two types a) Network intrusion detection system(NIDS) b) Host based intrusion detection system(HIDS)
NETWORK INTRUSIONDETECTION SYSTEM (NIDS) A network-based IDS or NIDS resides on a computer or appliance connected to a segment of an organizations network and monitors network traffic on that network. In a network-based intrusion-detection system (NIDS), the sensors are located at choke points in network to be monitored, often in the dematerialized zone (DMZ) or at network borders.
HOW DOES NIDS PROTECT SENSITIVE MATERIALS A Network Intrusion Detection System (NIDS) performs the same function as a sophisticated alarm system. NIDS observes and alerts. It will not affect network performance. NIDS maintains a database – updated daily – that contains a history, nearly a decade’s worth of documented attack attempts, detecting similarities.
WORKING OF NIDS HUBS: The NIDS device connects to a network hub or a switch that connects to the network router or Firewall. All traffic passing to or from the customer is inspected by the NIDS device.
TAP: The network tap is another approach toallowing the NIDS to see all the traffic on aswitched network. A tap is similar in function to a phone tap.The tap will typically look like 3-port switch.Port 1 will attach to Switch 1 Port 2 will attach toSwitch 2 and Port 3 will attach to the NIDS.
SPAN PORT: Another popular option for adding a sniffer ofany type to a network is the use of a span porton the switch being monitored A span port is a port that is configured to havea copy of all packets sent to it The major disadvantage of spanning ports isthat they can have a detrimental effect on othertraffic traversing the switch.
An inline NIDS looks essentially like a bridge. The NIDS will be configured without an IP sothat it will not respond to any trafficThe finaloption is an inline NIDS. The IPS will simply accept traffic on one NICand pass it back out unchanged on a second NIClike a bridge.
TYPES OF DETECTION METHODS: Two types of detection methods are: a) Anomaly Detection model b) Signature detection model ANOMALY DETECTION MODEL: IDS methodology is an approach called anomaly detection or behavior-based detection. This model works by establishing accepted baselines or rules and noting exceptional differences
If an ids looks only at network packet headers for differences it is called as protocol anomaly detection. This model triggers off when the following events occur a) Unusual user account activity b) Excessive file and object accesses c) High cpu utilization d) Inappropriate protocol use e) Unusual login frequency f) High number of sessions g) Unusual content
Advantages: Analyzes ongoing traffic, activity, transactions,and behavior for anomalies. Potential to detect previously unknown types ofattacks. Catalogs the differences between baselinebehavior and ongoing activity.Disadvantages: Prone to false positives. Heavy processing overhead. Vulnerable to attack while creating timeconsuming, statistically significant baselines.
Signature detection model: The defined patterns of code are called as signatures and often treated as a rule when included in ids. Signature-based IDS use a database of traffic and activity patterns related to known attacks. The patterns are called attack signatures. These signatures and rules can be collected together into larger sets called signature databases or rule sets.
Advantages: Examines ongoing activity and matches against patterns of previously observed attacks. Works extremely well against previously observed attacks. Disadvantages: Signature databases must be constantly updated. Must compare and match activities against large collections of attack signatures. Specific signature definitions may miss variations on known attacks. May impose noticeable performance drags on systems.
Misuse Detection: Expert Systems Keystroke monitoring Model Based Intrusion Detection
NEW ARCHITECTURE Mobile IDS Agents The Local Audit Trial The Local Intrusion Database ( LID ) The Secure Communication Module The Anomaly Detection Modules ( ADM s The Misuse Detection Modules ( MDM) s Stationary Secure Database
IMPLEMENTED APPROACHES IEEE 802.11 a) Open System Authentication. b) Shared Key Authentication. Secure key generation and distribution Mitigating Routing Misbehavior:( Sergio Marti et al. )
ADVANTAGES: Monitors an entire network with only a few well-placed nodes Mostly passive devices Low Overhead and limited number of resources are used even in the large network. Easy to secure against attack Mostly undetectable to attackers or intruders because they are completely hidden in the network. Easy to install NIDS can be used in the present networks without interrupting conventional network operations.
DISADVANTAGES: May not be able to monitor and analyze all traffic on large, busy networks Vulnerable to attacks launched during peak traffic periods on large busy networks Not able to monitor switch-based (high-speed) networks effectively Typically unable to analyze encrypted data or not suitable for encrypted traffic. Does not always report success or failure of attempted attacks Require active manual involvement by network administrators or security administrators.
CONCLUSION: As NIDS technologies continue to evolve, they will more closely resemble their real-world counterparts. In the future, NIDS, firewalls, VPNs, and related security technologies will all come to interoperate to a much higher degree. The current generation of IDS (HIDS and NIDS) is quite effective already; as they continue to improve they will become the backbone of the more flexible security systems we expect to see in the not-too-distant future.