Ips and its types in Security

2. Discussion Topics:
IPS and Its Types
Kerberos Authentication Protocol
Group members:
Mohsin Iqbal (1596)
Arslan Khaliq (1582)
Saeed –ur- Rehman (1607)
Usman Ali (1622)
Presented to:
Mr. Farhat Mehmood

3. Need for Intrusion Prevention System
 Today, viruses, worms, and several other invading malicious codes and
programs proliferate widely on the Internet. With the environment
becoming increasingly hostile, networks are easy targets because the
infection can spread across the network rapidly.
 Networks need to be designed and equipped with sophisticated
intelligence to diagnose and mitigate threats in real-time.

4. What is IPS?
 Intrusion Prevention System (IPS) is any device (hardware or software) that
has the ability to detect attacks, both known and unknown and prevent the
attack from being successful.
 Major functions of intrusion prevention systems are to identify malicious
activity, collect information about this activity, report it and attempt to block
or stop it.
 Active response security solution. Early Detection, proactive technique, early
prevent the attack, when an attack is identified then blocks the offending
data
 IPS design is to enhance data processing ability, intelligent, accurate of it self.
 IPS’s include firewalls, anti-virus software and anti-spoofing software.

6. Objectives
 The main objectives of intrusion prevention systems are:
Identification of malicious activity
Log information about said activity
Attempt to block/stop harmful activity
Report malevolent activity.
IPS’S DETECTION METHOD
 The majority of intrusion prevention systems utilize one of two detection
methods:
1. Signature-based Detection
2. Statistical anomaly-based or Knowledge-based Detection

7. How An IPS Works
 An intrusion prevention system works by actively scanning forwarded
network traffic for malicious activities and known attack patterns. The
IPS engine analyzes network traffic and continuously compares the
bitstream with its internal signature database for known attack
patterns.
 An IPS might drop a packet determined to be malicious, and follow up
this action by blocking all future traffic from the attacker’s IP address
or port. Legitimate traffic can continue without any perceived
disruption in service.

8. IPS Classifications
 Network-based intrusion prevention system (NIPS): Analyzes protocol
activity across the entire network, looking for any untrustworthy traffic.
 Wireless intrusion prevention system (WIPS): Analyzes network protocol
activity across the entire wireless network, looking for any untrustworthy
traffic.
 Host-based intrusion prevention system (HIPS): A secondary software
package that follows a single host for malicious activity, and analyzes events
occurring within said host.
 Network behavior analysis (NBA): Examines network traffic to identify
threats that generate strange traffic flows. The most common threats being
distributed denial of service attacks.

9. Types of IPS
1. Inline network intrusion protection systems.
2. Layer seven switches.
3. Application firewalls.
4. Hybrid switches.
5. Deceptive applications.

10. 1.INLINE NETWORK IPS
 It is configured with two NICs, one for management and one for detection.
 NIC that is configured for detection usually does not have an IP address
assigned .
 It works by sitting between the systems that need to be protected and the rest
of the network.
 It inspects the packet for any vulnerabilities that it is configured to look for.

11. 2. LAYER SEVEN SWITCHES
• Placing these devices in front of your firewalls would give protection for the
entire network.
• However the drawbacks are that they can only stop attacks that they know
about.
• The only attack they can stop that most others IPS can’t are the DoS attacks.

12. 3. APPLICATION FIREWALLS
• These IPSs are loaded on each server that is to be protected.
• These types of IPSs are customizable to each application that they are to
protect.
• It profiles a system before protecting it. During the profiling it watches the
user’s interaction with the application and the applications interaction with
the operating system to determine what legitimate interaction looks like.
• The drawback is that when the application is updated it might have to be
profiled again.

13. 4. HYBRID SWITCHES
 They inspect specific traffic for malicious content as has been configured
 Hybrid switch works in similar manner to layer seven switch, but has
detailed knowledge of the web server and the application that sits on top of
the web server.
 It also fails , if the user’s request does not match any of the permitted
requests.

14. 5. DECEPTIVE APPLICATIONS
 It watches all your network traffic and figures out what is good traffic.
 When an attacker attempts to connect to services that do not exist, it will
send back a response to the attacker
 The response will be “marked” with some bogus data. When the attacker
comes back again and tries to exploit the server the IPS will see the
“marked” data and stop all traffic coming from the attacker.

15. Kerberos Authentication Protocol
 Kerberos is a computer network authentication protocol.
 It helps the user to prove its identity to various services .
 Don't require user to enter password every time a service is
requested.
 Developed at MIT in the mid 1980s..

16. What’s with the 3 heads?
 Authentication
Confirms that a user who is requesting services.
 Authorization
Granting of specific types of services to a user based on their
authentication.
 Accounting
The tracking of the consumption of network resources by users.

17. Kerberos vs Firewall
 Firewalls make a risky assumption: that attackers are coming from the
outside. In reality, attacks frequently come from within.
 Kerberos assumes that network connections (rather than servers and work
stations) are the weak link in network security.

18. It consists of following 3 components
 Client
 Authentication Server or Key Distribution Server (KDC)
 Server
Architecture

19. Kerberos Exchanges
 Authentication Service (AS)
 Ticket Granting Service (TGS)
 Client Server (CS)

20. AS Exchange
 Exchange between client and Authentication Server (KDC)
 Client sends KRB_AS_REQ msg to KDC specifying credentials it
wants
 Server replies with msg KRB_AS_REP containing the ticket and
session key
 The Session key is encrypted with client’s secret key
 The TGT is encrypted with server’s secret key
 The encryption type is DES by default

21. TGS Exchange
 Is used to obtain additional tickets for the servers.
 Doesn’t need client’s secret key for encryption
 Transparent to the user
 TGS must have access to all secret keys
 But encrypts the ticket using server’s secret key
 Client sends KRB_TGS_REQ to the TGS server
 Server replies KRB_TGS_REP to the client with ticket

22. CS Exchange
 Client contacts with the real server
 Client sends KRB_AP_REQ to the server specifying the service
 Server validates client by decrypting ticket with server’s secret key and
decrypting authenticator with sessions key contained in ticket
 Server optionally replies with KRB_AP_REP
Limitations
 Only provides authentication
 Central Authentication server
 Assumes relatively secure hosts on an insecure network