SlideShare a Scribd company logo

Intrusion detection and prevention systems.pdf

A
AliAlwesabi

Intrusion detection and prevention systems

Technology
1 of 55
Download to read offline
Guide to Network Defense and Countermeasures Third Edition Chapter 8 Intrusion Detection and Prevention Systems
© Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 2 Goals of an IDPS • Network intrusion – Attempt to gain unauthorized access to network resources • Intrusion Detection and Prevention System (IDPS) – Consists of more than one application or hardware device – Incorporates more than just detection • Intrusion detection and prevention – Involves prevention, detection, and response
Guide to Network Defense and Countermeasures, 3rd Edition 3 Figure 8-1 The role of intrusion detection and prevention in network defense
© Cengage Learning 2014 Goals of an IDPS • An IDPS should be able to: – Assess large volumes of network traffic or system activity to find signs of unauthorized access – Record its findings in a log so that administrators can examine past activity – Detect and record unauthorized access without compromise to produce evidence admissible in court – Respond almost immediately – Make itself and systems it protects as inaccessible as possible to attackers Guide to Network Defense and Countermeasures, 3rd Edition 4
© Cengage Learning 2014 Anomaly and Signature Detection Systems • Anomaly detection system: makes use of profiles that describe services and resources each authorized user normally accesses – Network baselines are associated with profiles – System can monitor profiles for suspicious activity that does not fit the profiles • IDPS can create baselines by monitoring network traffic to observe what is considered normal behavior Guide to Network Defense and Countermeasures, 3rd Edition 5
© Cengage Learning 2014 Anomaly and Signature Detection Systems • If profiles are incomplete or inaccurate: – IDPS sends alarms that false positives (legitimate traffic rather than actual attacks) – False negatives (genuine attacks that an IDPS does not detect) could occur • True negatives: legitimate communications that do not set off an alarm • True positive: used to describe a genuine attack that an IDPS detects successfully Guide to Network Defense and Countermeasures, 3rd Edition 6
© Cengage Learning 2014 Anomaly and Signature Detection Systems • Signature detection: triggers alarms based on characteristic signatures of known external attacks • Signature-based IDPS best for companies that want a basic IDPS and mostly concerned with known attacks – Network engineers research well-known attacks and record rules associated with each signature – Signatures should be updated regularly Guide to Network Defense and Countermeasures, 3rd Edition 7
Guide to Network Defense and Countermeasures, 3rd Edition 8 Table 8-1 Advantages and disadvantages of detection systems
Guide to Network Defense and Countermeasures, 3rd Edition 9 Table 8-1 Advantages and disadvantages of detection systems (continued)
© Cengage Learning 2014 Stateful Protocol Analysis • Stateful protocol analysis: information gathering about a connection – When an IDPS receives a packet, connection information between the host and remote computer is compared to entries in a state table – State table: maintains a record of connections between computers • Includes: source and destination IP address and port, and protocol • Event horizon: entire length of the attack – IDPS needs to maintain state information during this Guide to Network Defense and Countermeasures, 3rd Edition 10
© Cengage Learning 2014 Stateful Protocol Analysis • Stateful protocol analysis approaches: – Traffic rate monitoring – If IDPS detects sudden increase in traffic it can stop and reset all TCP traffic – Protocol state tracking – IDPS maintains a record of connection’s state and allows packets to pass through if it is an established connection – Dynamic Application layer protocol analysis – Can identify applications not using standard ports – IP packet reassembly – Can reassemble fragmented packets to prevent fragments from passing through to the internal network Guide to Network Defense and Countermeasures, 3rd Edition 11
© Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 12 Examining IDPS Components • Components – Network sensors or host-based agents – Detection and prevention capabilities – Command console – Database server that stores attack signatures or behaviors
© Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 13 Sensors and Agents • Sensor or agent – Functions as electronic “eyes” of an IDPS – Host-based IDPS – IDPS installed on a single host computer has its agent built into the IDPS software – Network-based IDPS – sensor is hardware or software that monitors network traffic in real time – Attacks detected by an IDPS sensor • Single-session attacks – isolated attempt • Multiple-session attacks – take place over a period of time
© Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 14 Sensors and Agents • Sensors should be placed at common-entry points – Internet gateways – Connections between one network and another – Remote access server that receives dial-up connections from remote users – Virtual private network (VPN) devices • Sensors could be positioned at either side of the firewall – Behind the firewall is a more secure location • IDPS management server: central repository for sensor and agent data
Guide to Network Defense and Countermeasures, 3rd Edition 15 Figure 8-2 Positioning sensors at entry points to the network
Guide to Network Defense and Countermeasures, 3rd Edition 16 Figure 8-3 Positioning sensors behind the firewall in the DMZ
© Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 17 Detection and Prevention Capabilities • When selecting an IDPS, consider the following: – Threshold – Values that set the limit between normal and abnormal behavior – Blacklists – lists of entities that have been associated with malicious activity – Whitelists – lists of entities known to be harmless – Alert settings – specifying default priorities or severity levels, determining which prevention capabilities should be used for certain events, and specifying what information should be logged
© Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 18 Detection and Prevention Capabilities • Prevention Capabilities – IDPS can be configured to take preventative countermeasures • Example: resetting all network connections when an intrusion is detected – Some IDPSs allow administrators to specify which measure should be taken for each alert type – Some have a simulation mode in which all prevention capabilities are disabled but generate reports used to fine-tune prevention capabilities
© Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 19 Command Console • Provides a graphical front-end interface to an IDPS – Enables administrators to receive and analyze alert messages and manage log files • IDPS can collect information from security devices throughout a network • Command console should run on a computer dedicated solely to the IDPS – To maximize the speed of response
© Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 20 Database of Attack Signatures or Behaviors • IDPSs do not have the capability to use judgment – Can make use of a source of information for comparing the traffic they monitor • Signature-detection IDPS – Reference a database of known attack signatures – If traffic matches a signature, it sends an alert • Keep database updated • Anomaly-based IDPS – Store information about users in a database
© Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 21 Figure 8-4 The SecurityFocus online database of known vulnerabilities
© Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 22 Options for IDPSs • Network-based IDPS • Host-based IDPS • Hybrid IDPS
© Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 23 Network-Based IDPSs • Network-based IDPS (NIDPS) • Monitors network traffic by using well-positioned sensors, management servers, a command console, and a signature database • Can be hardware devices equipped with NICs for capturing and analyzing packets • Can also be software-based sensors installed on a dedicated computer – Positioning an NIDPS on the Network • Behind the firewall and before the LAN • Between the firewall and the DMZ • Any network segment
© Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 24 Network-Based IDPSs • An NIDPS can use: – Inline sensors – positioned so that network traffic must pass through it • Used to stop attacks from blocking network traffic • Usually placed where firewalls are positioned – Passive sensors – monitor copies of traffic; no actual traffic passes through them • Can monitor traffic by: – Spanning port – Network tap – IDPS load balancer
Guide to Network Defense and Countermeasures, 3rd Edition 25 Figure 8-6 Positioning an inline sensor
Guide to Network Defense and Countermeasures, 3rd Edition 26 Figure 8-7 Positioning a passive sensor
© Cengage Learning 2014 Network-Based IDPSs • NIDPS Capabilities – Vary depending on product – Some can: • Collect information about hosts, OSs, applications, and network activities and characteristics – Used to help identify vulnerable hosts • Analyze packet headers to identify unusual behavior – Most have traffic logs to help identify and analyze potential attacks, locate vulnerabilities, and assess network use and performance Guide to Network Defense and Countermeasures, 3rd Edition 27
© Cengage Learning 2014 Network-Based IDPSs • NIDPS prevention capabilities vary based on sensor types: – Passive only – Ends the current TCP session – Inline only – Uses inline firewalling and bandwidth throttling, and alters malicious content – Passive and inline – Reconfigures other network security devices • Administrators can configure specific actions for each type of alert Guide to Network Defense and Countermeasures, 3rd Edition 28
© Cengage Learning 2014 Network-Based IDPSs • NIDPS Management – Designing architecture includes: • Determining where sensors are located • How many are needed and how they should be connected – Testing NIDPS components includes: • Accounting for network downtime while deploying sensors – Securing components involves: • Making sure sensors do not have IP addresses • Hardening management networks and configuring hosts for log files and backups Guide to Network Defense and Countermeasures, 3rd Edition 29
© Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 30 Host-Based IDPSs • Host-based IDPS (HIDPS) – Deployed on hosts in the network perimeter – Commonly use management servers, signature databases, and console – Evaluates traffic generated by the host • Often used to protect a Web server or database server – Gathers system variables such as • System processes, CPU use, file accesses, system logs, and system and application configuration changes – Does not sniff packets as they enter the LAN • Monitors log file entries and user activity
Guide to Network Defense and Countermeasures, 3rd Edition 31 Figure 8-8 A typical HIDPS deployment
© Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 32 Host-Based IDPSs • Configuring an HIDPS – Centralized configuration • HIDPS sends all data to a central location • Host’s level of performance is unaffected by the IDPS • Alert messages that are generated do not occur in real time – Distributed configuration • Processing of events is distributed between host and console • Host generates and analyzes it in real time • Performance reduction in host
Guide to Network Defense and Countermeasures, 3rd Edition 33 Figure 8-9 A centralized HIDPS
Guide to Network Defense and Countermeasures, 3rd Edition 34 Figure 8-10 Processing event data from an HIDPS
© Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 35 Host-Based IDPSs • Choosing the Host – Centralized configuration • RAM, hard disk memory, and processor speed requirements are minimal – Distributed configuration • Host should be equipped with maximum memory and processor speed
© Cengage Learning 2014 Comparing an NIDPS and HIDPS • HIDPS – Can tell whether an attack attempt was successful – Can detect attacks that would get past NIDPS – Provides only data pertaining to the host, not network as a whole – Compares records stored in audit logs • NIDPS – Provides alerts on suspicious network activity • Does not tell whether attack occurred – Detects attacks on network • Such as port scanning on a range of computers Guide to Network Defense and Countermeasures, 3rd Edition 36
© Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 37 Hybrid IDPSs • Hybrid IDPS – Combines the features of HIDPSs and NIDPSs • Gains flexibility and increases security • Combining IDPS Sensor Locations – Put sensors on network segments and network hosts – Can report attacks aimed at particular segments or the entire network
© Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 38 Hybrid IDPSs • Combining IDPS Detection Methods – IDPS combines anomaly and signature detection – Database of known attack signatures enables IDPS to run immediately – Anomaly-based systems keep the alert system flexible – A hybrid IDPS that combines anomaly and signature detection can respond to both external and internal attacks – Administrators have more configuration and coordination work to do
© Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 39 Hybrid IDPSs • Advantages – Combine aspects of NIDPS and HIDPS configurations – Can monitor network as a whole – Can monitor attacks that reach individual hosts • Disadvantages – Getting disparate systems to work in coordinate fashion – Data gathered by multiple systems can be difficult to analyze
© Cengage Learning 2014 Securing IDPS Components • IDPS must be able to handle the volume of traffic or activity it encounters • IDPSs should be tested regularly • Sensors should not be addressable • Communication between IDPS components should be encrypted • Authentication should be required for use and administration of the IDPS • IDPSs should be able to work during DoS attacks • Remote logging should be used in an HIDPS • OSs of HIDPSs should be patched and hardened Guide to Network Defense and Countermeasures, 3rd Edition 40
© Cengage Learning 2014 Developing IDPS Filter Rules • To create IDPS filter rules you must know basics of Snort rule syntax – Snort rule has two sections: header and options • Example: – Alert tcp any any -> 192.16.21.0/24 111 (content: “00 01 86 a5” ; msg: “mounted access”;) – Header is the opening portion – Options are in parentheses Guide to Network Defense and Countermeasures, 3rd Edition 41
© Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 42 Examining Intrusion Detection Step by Step • Steps – Installing the IDPS database – Gathering data – Sending alert messages – The IDPS responds – The administrator assesses damage – Following escalation procedures – Logging and reviewing events
© Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 43 Figure 8-11 Steps in intrusion detection
© Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 44 Step 1: Installing the IDPS Database • IDPS uses the database to compare traffic detected by sensors • Anomaly-based systems – Requires compiling a network baseline by observing network traffic (over a week) • Signature-based IDPS – Can use database immediately – You can add your own custom rule base
© Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 45 Step 2: Gathering Data • Network sensors gather data by reading packets • Sensors need to be positioned where they can capture all packets – Sensors on individual hosts capture information that enters and leaves the host – Sensors on network segments read packets as they pass throughout the segment • Sensors on network segments cannot capture all packets – If traffic levels become too heavy
© Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 46 Step 3: Sending Alert Messages • IDPS detection software compares captured packets with information in its database • IDPS sends alert messages – If captured packets match an attack signature or – Deviates from normal network behavior
© Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 47 Step 4: The IDPS Responds • Command console receives alert messages – Notifies the administrator • IDPS response actions: – Alarm - Send an alarm message – Drop – Packet is dropped – Reset – IDPS stops and restarts network traffic – Code analysis – Prevents malicious code from running – File system monitoring – Prevent files from being modified – Network traffic filtering – act as firewall – Network traffic analysis – stop incoming traffic
© Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 48 Step 5: The Administrator Assesses Damage • Administrator monitors alerts – Determines whether countermeasures are needed • Administrator need to fine-tune the database – The goal is avoiding false negatives • Line between acceptable and unacceptable network use is not always clear
Guide to Network Defense and Countermeasures, 3rd Edition 49 Figure 8-12 Differentiating acceptable and unacceptable network use
© Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 50 Step 6: Following Escalation Procedures • Escalation procedures – Set of actions to be followed if the IDPS detects a true positive • Should be spelled out in company’s security policy • Incident levels – Level One • Might be managed quickly – Level Two • Represents a more serious threat – Level Three • Represents the highest degree of threat
© Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 51 Step 7: Logging and Reviewing the Event • IDPS events are stored in log files – May also be sent to a database file • Administrator should review logs – To determine patterns of misuse – Administrator can spot a gradual attack • IDPS should also provide accountability – Ability to track an attempted attack or intrusion back to the responsible party – Some systems have built-in tracing features
© Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 52 Evaluating IDPS Products • Evaluate the various options and match them to your needs • Consider the following basic factors: – Determine whether an IDPS is necessary – Conduct a risk assessment – Define general requirements and goals an IDPS should meet – Determine whether to use proprietary or open-source products – Consider the frequency and accuracy of signature updates – Assess availability of support
© Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 53 Evaluating IDPS Products • Consider the following basic factors (cont’d): – Evaluate technical specifications – Determine external security requirements – Evaluate need for security capabilities and logging – Review detection and prevention capabilities – Identify performance and management requirements – Define the interoperability and scalability – Determine a reasonable cost estimate that includes acquisition, testing, installation, and maintenance – Identify resource limitations – Identify any training, documentation, and support needed
© Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 54 Summary • Intrusion detection and prevention systems (IDPSs) add another line of defense behind firewalls and antivirus software • IDPS components include sensors, management servers, command consoles, and databases of signatures • A network-based IDPS (NIDPS) uses sensors positioned at key points on the network • A host-based IDPS (HIDPS) deploys agents on selected hosts in the network
© Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 55 Summary • A hybrid IDPS combines aspects of NIDPS and HIDPS configurations • Selecting an IDPS requires evaluating the organization’s needs and security goals and the product’s features • Steps of intrusion detection include: installing the IDPS and signature database, gathering data, sending an alert, responding to the alert, assessing damage, following escalation procedures, and logging and reviewing events

Recommended

9780840024220 ppt ch06
9780840024220 ppt ch069780840024220 ppt ch06
9780840024220 ppt ch06Kristin Harrison
 
Lesson 1
Lesson 1Lesson 1
Lesson 1MLG College of Learning, Inc
 
Computer Security: Principles of Information Security
Computer Security: Principles of Information SecurityComputer Security: Principles of Information Security
Computer Security: Principles of Information Securityelipanganiban15
 
Lesson 1- Intrusion Detection
Lesson 1- Intrusion DetectionLesson 1- Intrusion Detection
Lesson 1- Intrusion DetectionMLG College of Learning, Inc
 
FALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.ppt
FALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.pptFALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.ppt
FALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.pptuseonlyfortech140
 
Chapter_Five Compueter secuityryhf S.pdf
Chapter_Five Compueter secuityryhf S.pdfChapter_Five Compueter secuityryhf S.pdf
Chapter_Five Compueter secuityryhf S.pdfAschalewAyele2
 
Lesson 2
Lesson 2Lesson 2
Lesson 2MLG College of Learning, Inc
 
Lesson 2 - IDPS
Lesson 2 - IDPSLesson 2 - IDPS
Lesson 2 - IDPSMLG College of Learning, Inc
 

Recommended

9780840024220 ppt ch06
9780840024220 ppt ch069780840024220 ppt ch06
9780840024220 ppt ch06Kristin Harrison
 
Lesson 1
Lesson 1Lesson 1
Lesson 1MLG College of Learning, Inc
 
Computer Security: Principles of Information Security
Computer Security: Principles of Information SecurityComputer Security: Principles of Information Security
Computer Security: Principles of Information Securityelipanganiban15
 
Lesson 1- Intrusion Detection
Lesson 1- Intrusion DetectionLesson 1- Intrusion Detection
Lesson 1- Intrusion DetectionMLG College of Learning, Inc
 
FALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.ppt
FALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.pptFALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.ppt
FALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.pptuseonlyfortech140
 
Chapter_Five Compueter secuityryhf S.pdf
Chapter_Five Compueter secuityryhf S.pdfChapter_Five Compueter secuityryhf S.pdf
Chapter_Five Compueter secuityryhf S.pdfAschalewAyele2
 
Lesson 2
Lesson 2Lesson 2
Lesson 2MLG College of Learning, Inc
 
Lesson 2 - IDPS
Lesson 2 - IDPSLesson 2 - IDPS
Lesson 2 - IDPSMLG College of Learning, Inc
 
Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems Cleverence Kombe
 
Idps
IdpsIdps
IdpsGNANARAJA R
 
Intrusion preventionintrusion detection
Intrusion preventionintrusion detectionIntrusion preventionintrusion detection
Intrusion preventionintrusion detectionIJCNCJournal
 
Lesson 3
Lesson 3Lesson 3
Lesson 3MLG College of Learning, Inc
 
INTERNET SECURITY SYSTEM
INTERNET SECURITY SYSTEMINTERNET SECURITY SYSTEM
INTERNET SECURITY SYSTEMBhushan Gajare
 
FALLSEM2023-24_CSE3501_ETH_VL2023240102981_2023-09-04_Reference-Material-I.pdf
FALLSEM2023-24_CSE3501_ETH_VL2023240102981_2023-09-04_Reference-Material-I.pdfFALLSEM2023-24_CSE3501_ETH_VL2023240102981_2023-09-04_Reference-Material-I.pdf
FALLSEM2023-24_CSE3501_ETH_VL2023240102981_2023-09-04_Reference-Material-I.pdfthilakrajc
 
Lesson 3- Effectiveness of IDPS
Lesson 3- Effectiveness of IDPSLesson 3- Effectiveness of IDPS
Lesson 3- Effectiveness of IDPSMLG College of Learning, Inc
 
Es34887891
Es34887891Es34887891
Es34887891IJERA Editor
 
IPS (intrusion prevention system)
IPS (intrusion prevention system)IPS (intrusion prevention system)
IPS (intrusion prevention system)Netwax Lab
 
EFFICACY OF ATTACK DETECTION CAPABILITY OF IDPS BASED ON ITS DEPLOYMENT IN WI...
EFFICACY OF ATTACK DETECTION CAPABILITY OF IDPS BASED ON ITS DEPLOYMENT IN WI...EFFICACY OF ATTACK DETECTION CAPABILITY OF IDPS BASED ON ITS DEPLOYMENT IN WI...
EFFICACY OF ATTACK DETECTION CAPABILITY OF IDPS BASED ON ITS DEPLOYMENT IN WI...IJNSA Journal
 
IS-Types of IDPSs.pptx
IS-Types of IDPSs.pptxIS-Types of IDPSs.pptx
IS-Types of IDPSs.pptxV.V.Vanniaperumal College for Women
 
INSECS: Intelligent networks security system
INSECS: Intelligent networks security systemINSECS: Intelligent networks security system
INSECS: Intelligent networks security systemNadun Rajasinghe
 
N44096972
N44096972N44096972
N44096972IJERA Editor
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detectionCAS
 
Intrusion Detection Systems
Intrusion Detection SystemsIntrusion Detection Systems
Intrusion Detection Systemsvamsi_xmen
 
1776 1779
1776 17791776 1779
1776 1779Editor IJARCET
 
1776 1779
1776 17791776 1779
1776 1779Editor IJARCET
 
Unit-5.pptx
Unit-5.pptxUnit-5.pptx
Unit-5.pptxRoyBokhiriya
 
infoAssurance (1).pptx
infoAssurance (1).pptxinfoAssurance (1).pptx
infoAssurance (1).pptxStevenJoeBiago
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection systemAkhil Kumar
 
pdfslide.net_ims-enabling-services-wherever-the-customer-and-whatever-the-acc...
pdfslide.net_ims-enabling-services-wherever-the-customer-and-whatever-the-acc...pdfslide.net_ims-enabling-services-wherever-the-customer-and-whatever-the-acc...
pdfslide.net_ims-enabling-services-wherever-the-customer-and-whatever-the-acc...AliAlwesabi
 
pdfslide.net_ims-basics-standardization-ims-components-and-ip-multimedia-subs...
pdfslide.net_ims-basics-standardization-ims-components-and-ip-multimedia-subs...pdfslide.net_ims-basics-standardization-ims-components-and-ip-multimedia-subs...
pdfslide.net_ims-basics-standardization-ims-components-and-ip-multimedia-subs...AliAlwesabi
 

More Related Content

Similar to Intrusion detection and prevention systems.pdf

Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems Cleverence Kombe
 
Intrusion preventionintrusion detection
Intrusion preventionintrusion detectionIntrusion preventionintrusion detection
Intrusion preventionintrusion detectionIJCNCJournal
 
INTERNET SECURITY SYSTEM
INTERNET SECURITY SYSTEMINTERNET SECURITY SYSTEM
INTERNET SECURITY SYSTEMBhushan Gajare
 
FALLSEM2023-24_CSE3501_ETH_VL2023240102981_2023-09-04_Reference-Material-I.pdf
FALLSEM2023-24_CSE3501_ETH_VL2023240102981_2023-09-04_Reference-Material-I.pdfFALLSEM2023-24_CSE3501_ETH_VL2023240102981_2023-09-04_Reference-Material-I.pdf
FALLSEM2023-24_CSE3501_ETH_VL2023240102981_2023-09-04_Reference-Material-I.pdfthilakrajc
 
IPS (intrusion prevention system)
IPS (intrusion prevention system)IPS (intrusion prevention system)
IPS (intrusion prevention system)Netwax Lab
 
EFFICACY OF ATTACK DETECTION CAPABILITY OF IDPS BASED ON ITS DEPLOYMENT IN WI...
EFFICACY OF ATTACK DETECTION CAPABILITY OF IDPS BASED ON ITS DEPLOYMENT IN WI...EFFICACY OF ATTACK DETECTION CAPABILITY OF IDPS BASED ON ITS DEPLOYMENT IN WI...
EFFICACY OF ATTACK DETECTION CAPABILITY OF IDPS BASED ON ITS DEPLOYMENT IN WI...IJNSA Journal
 
INSECS: Intelligent networks security system
INSECS: Intelligent networks security systemINSECS: Intelligent networks security system
INSECS: Intelligent networks security systemNadun Rajasinghe
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detectionCAS
 
Intrusion Detection Systems
Intrusion Detection SystemsIntrusion Detection Systems
Intrusion Detection Systemsvamsi_xmen
 
infoAssurance (1).pptx
infoAssurance (1).pptxinfoAssurance (1).pptx
infoAssurance (1).pptxStevenJoeBiago
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection systemAkhil Kumar
 

Similar to Intrusion detection and prevention systems.pdf (20)

Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems
 
Idps
IdpsIdps
Idps
 
Intrusion preventionintrusion detection
Intrusion preventionintrusion detectionIntrusion preventionintrusion detection
Intrusion preventionintrusion detection
 
Lesson 3
Lesson 3Lesson 3
Lesson 3
 
INTERNET SECURITY SYSTEM
INTERNET SECURITY SYSTEMINTERNET SECURITY SYSTEM
INTERNET SECURITY SYSTEM
 
FALLSEM2023-24_CSE3501_ETH_VL2023240102981_2023-09-04_Reference-Material-I.pdf
FALLSEM2023-24_CSE3501_ETH_VL2023240102981_2023-09-04_Reference-Material-I.pdfFALLSEM2023-24_CSE3501_ETH_VL2023240102981_2023-09-04_Reference-Material-I.pdf
FALLSEM2023-24_CSE3501_ETH_VL2023240102981_2023-09-04_Reference-Material-I.pdf
 
Lesson 3- Effectiveness of IDPS
Lesson 3- Effectiveness of IDPSLesson 3- Effectiveness of IDPS
Lesson 3- Effectiveness of IDPS
 
Es34887891
Es34887891Es34887891
Es34887891
 
IPS (intrusion prevention system)
IPS (intrusion prevention system)IPS (intrusion prevention system)
IPS (intrusion prevention system)
 
EFFICACY OF ATTACK DETECTION CAPABILITY OF IDPS BASED ON ITS DEPLOYMENT IN WI...
EFFICACY OF ATTACK DETECTION CAPABILITY OF IDPS BASED ON ITS DEPLOYMENT IN WI...EFFICACY OF ATTACK DETECTION CAPABILITY OF IDPS BASED ON ITS DEPLOYMENT IN WI...
EFFICACY OF ATTACK DETECTION CAPABILITY OF IDPS BASED ON ITS DEPLOYMENT IN WI...
 
IS-Types of IDPSs.pptx
IS-Types of IDPSs.pptxIS-Types of IDPSs.pptx
IS-Types of IDPSs.pptx
 
INSECS: Intelligent networks security system
INSECS: Intelligent networks security systemINSECS: Intelligent networks security system
INSECS: Intelligent networks security system
 
N44096972
N44096972N44096972
N44096972
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detection
 
Intrusion Detection Systems
Intrusion Detection SystemsIntrusion Detection Systems
Intrusion Detection Systems
 
1776 1779
1776 17791776 1779
1776 1779
 
1776 1779
1776 17791776 1779
1776 1779
 
Unit-5.pptx
Unit-5.pptxUnit-5.pptx
Unit-5.pptx
 
infoAssurance (1).pptx
infoAssurance (1).pptxinfoAssurance (1).pptx
infoAssurance (1).pptx
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection system
 

More from AliAlwesabi

pdfslide.net_ims-enabling-services-wherever-the-customer-and-whatever-the-acc...
pdfslide.net_ims-enabling-services-wherever-the-customer-and-whatever-the-acc...pdfslide.net_ims-enabling-services-wherever-the-customer-and-whatever-the-acc...
pdfslide.net_ims-enabling-services-wherever-the-customer-and-whatever-the-acc...AliAlwesabi
 
pdfslide.net_ims-basics-standardization-ims-components-and-ip-multimedia-subs...
pdfslide.net_ims-basics-standardization-ims-components-and-ip-multimedia-subs...pdfslide.net_ims-basics-standardization-ims-components-and-ip-multimedia-subs...
pdfslide.net_ims-basics-standardization-ims-components-and-ip-multimedia-subs...AliAlwesabi
 
pdfslide.net_status-of-ims-based-next-generation-networks-for-fixed-of-ims-ba...
pdfslide.net_status-of-ims-based-next-generation-networks-for-fixed-of-ims-ba...pdfslide.net_status-of-ims-based-next-generation-networks-for-fixed-of-ims-ba...
pdfslide.net_status-of-ims-based-next-generation-networks-for-fixed-of-ims-ba...AliAlwesabi
 
pdfslide.net_architectural-overview-of-ip-multimedia-subsystem-3-3gpp-ims-arc...
pdfslide.net_architectural-overview-of-ip-multimedia-subsystem-3-3gpp-ims-arc...pdfslide.net_architectural-overview-of-ip-multimedia-subsystem-3-3gpp-ims-arc...
pdfslide.net_architectural-overview-of-ip-multimedia-subsystem-3-3gpp-ims-arc...AliAlwesabi
 
lte-design-and-deployment-strategies-zeljko-savic.pdf
lte-design-and-deployment-strategies-zeljko-savic.pdflte-design-and-deployment-strategies-zeljko-savic.pdf
lte-design-and-deployment-strategies-zeljko-savic.pdfAliAlwesabi
 
Securing the LTE Core the Road to NFV 2014.pdf
Securing the LTE Core the Road to NFV 2014.pdfSecuring the LTE Core the Road to NFV 2014.pdf
Securing the LTE Core the Road to NFV 2014.pdfAliAlwesabi
 
us-19-Stone-Securing-The-System-A-Deep-Dive-Into-Reversing-Android-Preinstall...
us-19-Stone-Securing-The-System-A-Deep-Dive-Into-Reversing-Android-Preinstall...us-19-Stone-Securing-The-System-A-Deep-Dive-Into-Reversing-Android-Preinstall...
us-19-Stone-Securing-The-System-A-Deep-Dive-Into-Reversing-Android-Preinstall...AliAlwesabi
 
eu-19-Yazdanmehr-Mobile-Network-Hacking-IP-Edition-2.pdf
eu-19-Yazdanmehr-Mobile-Network-Hacking-IP-Edition-2.pdfeu-19-Yazdanmehr-Mobile-Network-Hacking-IP-Edition-2.pdf
eu-19-Yazdanmehr-Mobile-Network-Hacking-IP-Edition-2.pdfAliAlwesabi
 
CCC-AdaptiveMobileSecurity_WhoWatchesTheWatchers_v7_FINAL.pdf
CCC-AdaptiveMobileSecurity_WhoWatchesTheWatchers_v7_FINAL.pdfCCC-AdaptiveMobileSecurity_WhoWatchesTheWatchers_v7_FINAL.pdf
CCC-AdaptiveMobileSecurity_WhoWatchesTheWatchers_v7_FINAL.pdfAliAlwesabi
 
D1T2 - Bypassing GSMA Recommendations on SS7 Networks - Kirill Puzankov.pdf
D1T2 - Bypassing GSMA Recommendations on SS7 Networks - Kirill Puzankov.pdfD1T2 - Bypassing GSMA Recommendations on SS7 Networks - Kirill Puzankov.pdf
D1T2 - Bypassing GSMA Recommendations on SS7 Networks - Kirill Puzankov.pdfAliAlwesabi
 
D2T2 - Emmanuel Gadaix and Philippe Langlois - The SS7 Protocols.pdf
D2T2 - Emmanuel Gadaix and Philippe Langlois - The SS7 Protocols.pdfD2T2 - Emmanuel Gadaix and Philippe Langlois - The SS7 Protocols.pdf
D2T2 - Emmanuel Gadaix and Philippe Langlois - The SS7 Protocols.pdfAliAlwesabi
 
CISSP -Access Control Domain knowlege.pdf
CISSP -Access Control Domain knowlege.pdfCISSP -Access Control Domain knowlege.pdf
CISSP -Access Control Domain knowlege.pdfAliAlwesabi
 
VPN Guide to Network Defense and countermeasures
VPN Guide to Network Defense and countermeasuresVPN Guide to Network Defense and countermeasures
VPN Guide to Network Defense and countermeasuresAliAlwesabi
 
zero trust - how to build zero trust.pdf
zero trust - how to build zero trust.pdfzero trust - how to build zero trust.pdf
zero trust - how to build zero trust.pdfAliAlwesabi
 
Foot printing as phase of Hacking in cybersecurity
Foot printing as phase of Hacking in cybersecurityFoot printing as phase of Hacking in cybersecurity
Foot printing as phase of Hacking in cybersecurityAliAlwesabi
 
Guide to Network Defense Router Security
Guide to Network Defense Router SecurityGuide to Network Defense Router Security
Guide to Network Defense Router SecurityAliAlwesabi
 
DNS Security Issues NES 554 for DNS Security
DNS Security Issues NES 554 for DNS SecurityDNS Security Issues NES 554 for DNS Security
DNS Security Issues NES 554 for DNS SecurityAliAlwesabi
 
ISP Network Design workshops how to design networks
ISP Network Design workshops how to design networksISP Network Design workshops how to design networks
ISP Network Design workshops how to design networksAliAlwesabi
 

More from AliAlwesabi (18)

pdfslide.net_ims-enabling-services-wherever-the-customer-and-whatever-the-acc...
pdfslide.net_ims-enabling-services-wherever-the-customer-and-whatever-the-acc...pdfslide.net_ims-enabling-services-wherever-the-customer-and-whatever-the-acc...
pdfslide.net_ims-enabling-services-wherever-the-customer-and-whatever-the-acc...
 
pdfslide.net_ims-basics-standardization-ims-components-and-ip-multimedia-subs...
pdfslide.net_ims-basics-standardization-ims-components-and-ip-multimedia-subs...pdfslide.net_ims-basics-standardization-ims-components-and-ip-multimedia-subs...
pdfslide.net_ims-basics-standardization-ims-components-and-ip-multimedia-subs...
 
pdfslide.net_status-of-ims-based-next-generation-networks-for-fixed-of-ims-ba...
pdfslide.net_status-of-ims-based-next-generation-networks-for-fixed-of-ims-ba...pdfslide.net_status-of-ims-based-next-generation-networks-for-fixed-of-ims-ba...
pdfslide.net_status-of-ims-based-next-generation-networks-for-fixed-of-ims-ba...
 
pdfslide.net_architectural-overview-of-ip-multimedia-subsystem-3-3gpp-ims-arc...
pdfslide.net_architectural-overview-of-ip-multimedia-subsystem-3-3gpp-ims-arc...pdfslide.net_architectural-overview-of-ip-multimedia-subsystem-3-3gpp-ims-arc...
pdfslide.net_architectural-overview-of-ip-multimedia-subsystem-3-3gpp-ims-arc...
 
lte-design-and-deployment-strategies-zeljko-savic.pdf
lte-design-and-deployment-strategies-zeljko-savic.pdflte-design-and-deployment-strategies-zeljko-savic.pdf
lte-design-and-deployment-strategies-zeljko-savic.pdf
 
Securing the LTE Core the Road to NFV 2014.pdf
Securing the LTE Core the Road to NFV 2014.pdfSecuring the LTE Core the Road to NFV 2014.pdf
Securing the LTE Core the Road to NFV 2014.pdf
 
us-19-Stone-Securing-The-System-A-Deep-Dive-Into-Reversing-Android-Preinstall...
us-19-Stone-Securing-The-System-A-Deep-Dive-Into-Reversing-Android-Preinstall...us-19-Stone-Securing-The-System-A-Deep-Dive-Into-Reversing-Android-Preinstall...
us-19-Stone-Securing-The-System-A-Deep-Dive-Into-Reversing-Android-Preinstall...
 
eu-19-Yazdanmehr-Mobile-Network-Hacking-IP-Edition-2.pdf
eu-19-Yazdanmehr-Mobile-Network-Hacking-IP-Edition-2.pdfeu-19-Yazdanmehr-Mobile-Network-Hacking-IP-Edition-2.pdf
eu-19-Yazdanmehr-Mobile-Network-Hacking-IP-Edition-2.pdf
 
CCC-AdaptiveMobileSecurity_WhoWatchesTheWatchers_v7_FINAL.pdf
CCC-AdaptiveMobileSecurity_WhoWatchesTheWatchers_v7_FINAL.pdfCCC-AdaptiveMobileSecurity_WhoWatchesTheWatchers_v7_FINAL.pdf
CCC-AdaptiveMobileSecurity_WhoWatchesTheWatchers_v7_FINAL.pdf
 
D1T2 - Bypassing GSMA Recommendations on SS7 Networks - Kirill Puzankov.pdf
D1T2 - Bypassing GSMA Recommendations on SS7 Networks - Kirill Puzankov.pdfD1T2 - Bypassing GSMA Recommendations on SS7 Networks - Kirill Puzankov.pdf
D1T2 - Bypassing GSMA Recommendations on SS7 Networks - Kirill Puzankov.pdf
 
D2T2 - Emmanuel Gadaix and Philippe Langlois - The SS7 Protocols.pdf
D2T2 - Emmanuel Gadaix and Philippe Langlois - The SS7 Protocols.pdfD2T2 - Emmanuel Gadaix and Philippe Langlois - The SS7 Protocols.pdf
D2T2 - Emmanuel Gadaix and Philippe Langlois - The SS7 Protocols.pdf
 
CISSP -Access Control Domain knowlege.pdf
CISSP -Access Control Domain knowlege.pdfCISSP -Access Control Domain knowlege.pdf
CISSP -Access Control Domain knowlege.pdf
 
VPN Guide to Network Defense and countermeasures
VPN Guide to Network Defense and countermeasuresVPN Guide to Network Defense and countermeasures
VPN Guide to Network Defense and countermeasures
 
zero trust - how to build zero trust.pdf
zero trust - how to build zero trust.pdfzero trust - how to build zero trust.pdf
zero trust - how to build zero trust.pdf
 
Foot printing as phase of Hacking in cybersecurity
Foot printing as phase of Hacking in cybersecurityFoot printing as phase of Hacking in cybersecurity
Foot printing as phase of Hacking in cybersecurity
 
Guide to Network Defense Router Security
Guide to Network Defense Router SecurityGuide to Network Defense Router Security
Guide to Network Defense Router Security
 
DNS Security Issues NES 554 for DNS Security
DNS Security Issues NES 554 for DNS SecurityDNS Security Issues NES 554 for DNS Security
DNS Security Issues NES 554 for DNS Security
 
ISP Network Design workshops how to design networks
ISP Network Design workshops how to design networksISP Network Design workshops how to design networks
ISP Network Design workshops how to design networks
 

Recently uploaded

WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceSamy Fodil
 
A Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyA Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyUXDXConf
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...CzechDreamin
 
ECS 2024 Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty SecureECS 2024 Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty SecureFemke de Vroome
 
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxWSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxJennifer Lim
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfFIDO Alliance
 
BT & Neo4j _ How Knowledge Graphs help BT deliver Digital Transformation.pptx
BT & Neo4j _ How Knowledge Graphs help BT deliver Digital Transformation.pptxBT & Neo4j _ How Knowledge Graphs help BT deliver Digital Transformation.pptx
BT & Neo4j _ How Knowledge Graphs help BT deliver Digital Transformation.pptxNeo4j
 
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...FIDO Alliance
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfFIDO Alliance
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!Memoori
 
Syngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdfSyngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdfSyngulon
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024Lorenzo Miniero
 
Using IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandUsing IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandIES VE
 
AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101vincent683379
 
Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024Enterprise Knowledge
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform EngineeringMarcus Vechiato
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctBrainSell Technologies
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessUXDXConf
 
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPTiSEO AI
 
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...CzechDreamin
 

Recently uploaded (20)

WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM Performance
 
A Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyA Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System Strategy
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
 
ECS 2024 Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty SecureECS 2024 Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty Secure
 
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxWSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
 
BT & Neo4j _ How Knowledge Graphs help BT deliver Digital Transformation.pptx
BT & Neo4j _ How Knowledge Graphs help BT deliver Digital Transformation.pptxBT & Neo4j _ How Knowledge Graphs help BT deliver Digital Transformation.pptx
BT & Neo4j _ How Knowledge Graphs help BT deliver Digital Transformation.pptx
 
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!
 
Syngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdfSyngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdf
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024
 
Using IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandUsing IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & Ireland
 
AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101
 
Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform Engineering
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage Intacct
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
 
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
 
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
 

Intrusion detection and prevention systems.pdf

  • 1. Guide to Network Defense and Countermeasures Third Edition Chapter 8 Intrusion Detection and Prevention Systems
  • 2. © Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 2 Goals of an IDPS • Network intrusion – Attempt to gain unauthorized access to network resources • Intrusion Detection and Prevention System (IDPS) – Consists of more than one application or hardware device – Incorporates more than just detection • Intrusion detection and prevention – Involves prevention, detection, and response
  • 3. Guide to Network Defense and Countermeasures, 3rd Edition 3 Figure 8-1 The role of intrusion detection and prevention in network defense
  • 4. © Cengage Learning 2014 Goals of an IDPS • An IDPS should be able to: – Assess large volumes of network traffic or system activity to find signs of unauthorized access – Record its findings in a log so that administrators can examine past activity – Detect and record unauthorized access without compromise to produce evidence admissible in court – Respond almost immediately – Make itself and systems it protects as inaccessible as possible to attackers Guide to Network Defense and Countermeasures, 3rd Edition 4
  • 5. © Cengage Learning 2014 Anomaly and Signature Detection Systems • Anomaly detection system: makes use of profiles that describe services and resources each authorized user normally accesses – Network baselines are associated with profiles – System can monitor profiles for suspicious activity that does not fit the profiles • IDPS can create baselines by monitoring network traffic to observe what is considered normal behavior Guide to Network Defense and Countermeasures, 3rd Edition 5
  • 6. © Cengage Learning 2014 Anomaly and Signature Detection Systems • If profiles are incomplete or inaccurate: – IDPS sends alarms that false positives (legitimate traffic rather than actual attacks) – False negatives (genuine attacks that an IDPS does not detect) could occur • True negatives: legitimate communications that do not set off an alarm • True positive: used to describe a genuine attack that an IDPS detects successfully Guide to Network Defense and Countermeasures, 3rd Edition 6
  • 7. © Cengage Learning 2014 Anomaly and Signature Detection Systems • Signature detection: triggers alarms based on characteristic signatures of known external attacks • Signature-based IDPS best for companies that want a basic IDPS and mostly concerned with known attacks – Network engineers research well-known attacks and record rules associated with each signature – Signatures should be updated regularly Guide to Network Defense and Countermeasures, 3rd Edition 7
  • 8. Guide to Network Defense and Countermeasures, 3rd Edition 8 Table 8-1 Advantages and disadvantages of detection systems
  • 9. Guide to Network Defense and Countermeasures, 3rd Edition 9 Table 8-1 Advantages and disadvantages of detection systems (continued)
  • 10. © Cengage Learning 2014 Stateful Protocol Analysis • Stateful protocol analysis: information gathering about a connection – When an IDPS receives a packet, connection information between the host and remote computer is compared to entries in a state table – State table: maintains a record of connections between computers • Includes: source and destination IP address and port, and protocol • Event horizon: entire length of the attack – IDPS needs to maintain state information during this Guide to Network Defense and Countermeasures, 3rd Edition 10
  • 11. © Cengage Learning 2014 Stateful Protocol Analysis • Stateful protocol analysis approaches: – Traffic rate monitoring – If IDPS detects sudden increase in traffic it can stop and reset all TCP traffic – Protocol state tracking – IDPS maintains a record of connection’s state and allows packets to pass through if it is an established connection – Dynamic Application layer protocol analysis – Can identify applications not using standard ports – IP packet reassembly – Can reassemble fragmented packets to prevent fragments from passing through to the internal network Guide to Network Defense and Countermeasures, 3rd Edition 11
  • 12. © Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 12 Examining IDPS Components • Components – Network sensors or host-based agents – Detection and prevention capabilities – Command console – Database server that stores attack signatures or behaviors
  • 13. © Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 13 Sensors and Agents • Sensor or agent – Functions as electronic “eyes” of an IDPS – Host-based IDPS – IDPS installed on a single host computer has its agent built into the IDPS software – Network-based IDPS – sensor is hardware or software that monitors network traffic in real time – Attacks detected by an IDPS sensor • Single-session attacks – isolated attempt • Multiple-session attacks – take place over a period of time
  • 14. © Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 14 Sensors and Agents • Sensors should be placed at common-entry points – Internet gateways – Connections between one network and another – Remote access server that receives dial-up connections from remote users – Virtual private network (VPN) devices • Sensors could be positioned at either side of the firewall – Behind the firewall is a more secure location • IDPS management server: central repository for sensor and agent data
  • 15. Guide to Network Defense and Countermeasures, 3rd Edition 15 Figure 8-2 Positioning sensors at entry points to the network
  • 16. Guide to Network Defense and Countermeasures, 3rd Edition 16 Figure 8-3 Positioning sensors behind the firewall in the DMZ
  • 17. © Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 17 Detection and Prevention Capabilities • When selecting an IDPS, consider the following: – Threshold – Values that set the limit between normal and abnormal behavior – Blacklists – lists of entities that have been associated with malicious activity – Whitelists – lists of entities known to be harmless – Alert settings – specifying default priorities or severity levels, determining which prevention capabilities should be used for certain events, and specifying what information should be logged
  • 18. © Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 18 Detection and Prevention Capabilities • Prevention Capabilities – IDPS can be configured to take preventative countermeasures • Example: resetting all network connections when an intrusion is detected – Some IDPSs allow administrators to specify which measure should be taken for each alert type – Some have a simulation mode in which all prevention capabilities are disabled but generate reports used to fine-tune prevention capabilities
  • 19. © Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 19 Command Console • Provides a graphical front-end interface to an IDPS – Enables administrators to receive and analyze alert messages and manage log files • IDPS can collect information from security devices throughout a network • Command console should run on a computer dedicated solely to the IDPS – To maximize the speed of response
  • 20. © Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 20 Database of Attack Signatures or Behaviors • IDPSs do not have the capability to use judgment – Can make use of a source of information for comparing the traffic they monitor • Signature-detection IDPS – Reference a database of known attack signatures – If traffic matches a signature, it sends an alert • Keep database updated • Anomaly-based IDPS – Store information about users in a database
  • 21. © Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 21 Figure 8-4 The SecurityFocus online database of known vulnerabilities
  • 22. © Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 22 Options for IDPSs • Network-based IDPS • Host-based IDPS • Hybrid IDPS
  • 23. © Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 23 Network-Based IDPSs • Network-based IDPS (NIDPS) • Monitors network traffic by using well-positioned sensors, management servers, a command console, and a signature database • Can be hardware devices equipped with NICs for capturing and analyzing packets • Can also be software-based sensors installed on a dedicated computer – Positioning an NIDPS on the Network • Behind the firewall and before the LAN • Between the firewall and the DMZ • Any network segment
  • 24. © Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 24 Network-Based IDPSs • An NIDPS can use: – Inline sensors – positioned so that network traffic must pass through it • Used to stop attacks from blocking network traffic • Usually placed where firewalls are positioned – Passive sensors – monitor copies of traffic; no actual traffic passes through them • Can monitor traffic by: – Spanning port – Network tap – IDPS load balancer
  • 25. Guide to Network Defense and Countermeasures, 3rd Edition 25 Figure 8-6 Positioning an inline sensor
  • 26. Guide to Network Defense and Countermeasures, 3rd Edition 26 Figure 8-7 Positioning a passive sensor
  • 27. © Cengage Learning 2014 Network-Based IDPSs • NIDPS Capabilities – Vary depending on product – Some can: • Collect information about hosts, OSs, applications, and network activities and characteristics – Used to help identify vulnerable hosts • Analyze packet headers to identify unusual behavior – Most have traffic logs to help identify and analyze potential attacks, locate vulnerabilities, and assess network use and performance Guide to Network Defense and Countermeasures, 3rd Edition 27
  • 28. © Cengage Learning 2014 Network-Based IDPSs • NIDPS prevention capabilities vary based on sensor types: – Passive only – Ends the current TCP session – Inline only – Uses inline firewalling and bandwidth throttling, and alters malicious content – Passive and inline – Reconfigures other network security devices • Administrators can configure specific actions for each type of alert Guide to Network Defense and Countermeasures, 3rd Edition 28
  • 29. © Cengage Learning 2014 Network-Based IDPSs • NIDPS Management – Designing architecture includes: • Determining where sensors are located • How many are needed and how they should be connected – Testing NIDPS components includes: • Accounting for network downtime while deploying sensors – Securing components involves: • Making sure sensors do not have IP addresses • Hardening management networks and configuring hosts for log files and backups Guide to Network Defense and Countermeasures, 3rd Edition 29
  • 30. © Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 30 Host-Based IDPSs • Host-based IDPS (HIDPS) – Deployed on hosts in the network perimeter – Commonly use management servers, signature databases, and console – Evaluates traffic generated by the host • Often used to protect a Web server or database server – Gathers system variables such as • System processes, CPU use, file accesses, system logs, and system and application configuration changes – Does not sniff packets as they enter the LAN • Monitors log file entries and user activity
  • 31. Guide to Network Defense and Countermeasures, 3rd Edition 31 Figure 8-8 A typical HIDPS deployment
  • 32. © Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 32 Host-Based IDPSs • Configuring an HIDPS – Centralized configuration • HIDPS sends all data to a central location • Host’s level of performance is unaffected by the IDPS • Alert messages that are generated do not occur in real time – Distributed configuration • Processing of events is distributed between host and console • Host generates and analyzes it in real time • Performance reduction in host
  • 33. Guide to Network Defense and Countermeasures, 3rd Edition 33 Figure 8-9 A centralized HIDPS
  • 34. Guide to Network Defense and Countermeasures, 3rd Edition 34 Figure 8-10 Processing event data from an HIDPS
  • 35. © Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 35 Host-Based IDPSs • Choosing the Host – Centralized configuration • RAM, hard disk memory, and processor speed requirements are minimal – Distributed configuration • Host should be equipped with maximum memory and processor speed
  • 36. © Cengage Learning 2014 Comparing an NIDPS and HIDPS • HIDPS – Can tell whether an attack attempt was successful – Can detect attacks that would get past NIDPS – Provides only data pertaining to the host, not network as a whole – Compares records stored in audit logs • NIDPS – Provides alerts on suspicious network activity • Does not tell whether attack occurred – Detects attacks on network • Such as port scanning on a range of computers Guide to Network Defense and Countermeasures, 3rd Edition 36
  • 37. © Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 37 Hybrid IDPSs • Hybrid IDPS – Combines the features of HIDPSs and NIDPSs • Gains flexibility and increases security • Combining IDPS Sensor Locations – Put sensors on network segments and network hosts – Can report attacks aimed at particular segments or the entire network
  • 38. © Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 38 Hybrid IDPSs • Combining IDPS Detection Methods – IDPS combines anomaly and signature detection – Database of known attack signatures enables IDPS to run immediately – Anomaly-based systems keep the alert system flexible – A hybrid IDPS that combines anomaly and signature detection can respond to both external and internal attacks – Administrators have more configuration and coordination work to do
  • 39. © Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 39 Hybrid IDPSs • Advantages – Combine aspects of NIDPS and HIDPS configurations – Can monitor network as a whole – Can monitor attacks that reach individual hosts • Disadvantages – Getting disparate systems to work in coordinate fashion – Data gathered by multiple systems can be difficult to analyze
  • 40. © Cengage Learning 2014 Securing IDPS Components • IDPS must be able to handle the volume of traffic or activity it encounters • IDPSs should be tested regularly • Sensors should not be addressable • Communication between IDPS components should be encrypted • Authentication should be required for use and administration of the IDPS • IDPSs should be able to work during DoS attacks • Remote logging should be used in an HIDPS • OSs of HIDPSs should be patched and hardened Guide to Network Defense and Countermeasures, 3rd Edition 40
  • 41. © Cengage Learning 2014 Developing IDPS Filter Rules • To create IDPS filter rules you must know basics of Snort rule syntax – Snort rule has two sections: header and options • Example: – Alert tcp any any -> 192.16.21.0/24 111 (content: “00 01 86 a5” ; msg: “mounted access”;) – Header is the opening portion – Options are in parentheses Guide to Network Defense and Countermeasures, 3rd Edition 41
  • 42. © Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 42 Examining Intrusion Detection Step by Step • Steps – Installing the IDPS database – Gathering data – Sending alert messages – The IDPS responds – The administrator assesses damage – Following escalation procedures – Logging and reviewing events
  • 43. © Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 43 Figure 8-11 Steps in intrusion detection
  • 44. © Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 44 Step 1: Installing the IDPS Database • IDPS uses the database to compare traffic detected by sensors • Anomaly-based systems – Requires compiling a network baseline by observing network traffic (over a week) • Signature-based IDPS – Can use database immediately – You can add your own custom rule base
  • 45. © Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 45 Step 2: Gathering Data • Network sensors gather data by reading packets • Sensors need to be positioned where they can capture all packets – Sensors on individual hosts capture information that enters and leaves the host – Sensors on network segments read packets as they pass throughout the segment • Sensors on network segments cannot capture all packets – If traffic levels become too heavy
  • 46. © Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 46 Step 3: Sending Alert Messages • IDPS detection software compares captured packets with information in its database • IDPS sends alert messages – If captured packets match an attack signature or – Deviates from normal network behavior
  • 47. © Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 47 Step 4: The IDPS Responds • Command console receives alert messages – Notifies the administrator • IDPS response actions: – Alarm - Send an alarm message – Drop – Packet is dropped – Reset – IDPS stops and restarts network traffic – Code analysis – Prevents malicious code from running – File system monitoring – Prevent files from being modified – Network traffic filtering – act as firewall – Network traffic analysis – stop incoming traffic
  • 48. © Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 48 Step 5: The Administrator Assesses Damage • Administrator monitors alerts – Determines whether countermeasures are needed • Administrator need to fine-tune the database – The goal is avoiding false negatives • Line between acceptable and unacceptable network use is not always clear
  • 49. Guide to Network Defense and Countermeasures, 3rd Edition 49 Figure 8-12 Differentiating acceptable and unacceptable network use
  • 50. © Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 50 Step 6: Following Escalation Procedures • Escalation procedures – Set of actions to be followed if the IDPS detects a true positive • Should be spelled out in company’s security policy • Incident levels – Level One • Might be managed quickly – Level Two • Represents a more serious threat – Level Three • Represents the highest degree of threat
  • 51. © Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 51 Step 7: Logging and Reviewing the Event • IDPS events are stored in log files – May also be sent to a database file • Administrator should review logs – To determine patterns of misuse – Administrator can spot a gradual attack • IDPS should also provide accountability – Ability to track an attempted attack or intrusion back to the responsible party – Some systems have built-in tracing features
  • 52. © Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 52 Evaluating IDPS Products • Evaluate the various options and match them to your needs • Consider the following basic factors: – Determine whether an IDPS is necessary – Conduct a risk assessment – Define general requirements and goals an IDPS should meet – Determine whether to use proprietary or open-source products – Consider the frequency and accuracy of signature updates – Assess availability of support
  • 53. © Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 53 Evaluating IDPS Products • Consider the following basic factors (cont’d): – Evaluate technical specifications – Determine external security requirements – Evaluate need for security capabilities and logging – Review detection and prevention capabilities – Identify performance and management requirements – Define the interoperability and scalability – Determine a reasonable cost estimate that includes acquisition, testing, installation, and maintenance – Identify resource limitations – Identify any training, documentation, and support needed
  • 54. © Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 54 Summary • Intrusion detection and prevention systems (IDPSs) add another line of defense behind firewalls and antivirus software • IDPS components include sensors, management servers, command consoles, and databases of signatures • A network-based IDPS (NIDPS) uses sensors positioned at key points on the network • A host-based IDPS (HIDPS) deploys agents on selected hosts in the network
  • 55. © Cengage Learning 2014 Guide to Network Defense and Countermeasures, 3rd Edition 55 Summary • A hybrid IDPS combines aspects of NIDPS and HIDPS configurations • Selecting an IDPS requires evaluating the organization’s needs and security goals and the product’s features • Steps of intrusion detection include: installing the IDPS and signature database, gathering data, sending an alert, responding to the alert, assessing damage, following escalation procedures, and logging and reviewing events