Chapter 7 - 04 - Understand Different Types of IDS-IPS and their Role
Certified Cybersecurity Technician Exam 212-82 Network Security Controls — Technical Controls

IDS Components

An IDS is built from several components, and knowledge of their functions and placement is required for an effective IDS implementation. Together these components collect information from a variety of systems and network sources and then analyze that information for abnormalities. The major components of an IDS are listed below.

Figure 7.74: IDS Components (network sensors, alert systems, command console, response system, attack signature database)

- Network sensors: These agents monitor traffic, analyze it, and report any suspicious activity.
- Analyzer: It analyzes the data collected by the sensors.
- Alert systems: These systems trigger alerts when malicious activity is detected.
- Command console: It acts as the interface between the user and the IDS.
- Response system: The IDS uses this system to initiate countermeasures against detected activity.
- Database of attack signatures or behaviors: A store of previously identified attack signatures or behavior patterns that the IDS matches observed activity against in order to detect intrusions.

Module 07 Page 839 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Network Sensors
Network sensors are hardware and software components that monitor network traffic and trigger alarms if any abnormal activity is detected. The sensor is the primary data collection point for the IDS: it collects data from the data source and passes it to the alert system. The sensor integrates with the component responsible for data collection, such as an event generator, and decides what to collect based on the event generator policy, which defines the filtering mode for event notification information. The role of the sensor is to filter this information and discard irrelevant data from the event set associated with the protected system, leaving the suspicious activity to be examined.

Sensors check traffic for malicious packets, trigger an alarm when they suspect a packet is malicious, and alert the IDS. If the IDS confirms the packet as malicious, the sensors can generate an automatic response to block traffic from the source of the attack. Note that blocking is only possible when the sensor sits inline in the traffic path (an IPS deployment); a sensor that receives a copy of the traffic from a SPAN port or TAP, as described below, can detect and alert but cannot drop packets itself.

To perform effective traffic monitoring, sensors must be connected at appropriate points in the network. There are several options for placing sensors, and the most common connection points include the following.

- Switch port analyzer (SPAN) or mirror port: A passive monitoring approach in which the sensor is attached to a special port on a switch that receives copies of the traffic passing through the other ports. This approach is not reliable for complete capture: packets with errors are not mirrored, and mirrored packets can be dropped when the switch is under heavy load, so an attack can pass without the sensor ever seeing it.
- Passive test access points (TAPs): Passive TAPs do not need electricity to operate. They are built around an optical splitter that produces a copy of the signal as it passes through the cable and sends the copy to the monitoring port for inspection. Unlike SPAN, the monitor port receives every packet, irrespective of errors and load.
- Active test access points (TAPs): Active TAPs require electric power to regenerate and transmit signals. During a power outage an active TAP can therefore become a point of failure, which is why passive TAPs are preferred over active TAPs. When an active TAP is used for monitoring, it must be connected to a UPS, inverter, or other power backup.

Figure 7.75: Network Sensors Triggering Alarm (Sguil console showing alerts raised by sensors, including OSSEC host events such as logon failures, changed listening ports and integrity checksum changes, and GPL network rules such as SMB IPC$ share access, ICMP PING and FTP PORT bounce attempt)

Network sensors should be placed at common entry points in a network, such as:

- Internet gateways
- Between LAN connections
- Remote access servers used to receive dial-up connections
- VPN devices
- Either side of the firewall
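The pipeline described in the IDS Components list and in the sensor discussion above (a sensor filtering traffic under an event generator policy, an analyzer matching against a signature database, an alert system, a response system, and a console view of the alerts), as an added example that is not part of the course material. The signatures, SIDs, addresses and packets are constructed for illustration and are not real rules or captured traffic; the `inline` flag is an assumption of this example that models the difference between an inline sensor, which can block, and one fed from a SPAN port or TAP, which can only alert.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]
    payload: bytes


@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    proto: str
    dport: Optional[int]  # None matches any port
    pattern: bytes        # b"" matches any payload


# Constructed signature database (hypothetical SIDs, names and patterns).
SIGNATURE_DB = (
    Signature(1001, "SMB IPC$ share access", "tcp", 445, b"\\IPC$"),
    Signature(1002, "FTP PORT bounce attempt", "tcp", 21, b"PORT 10,"),
    Signature(1003, "ICMP echo request", "icmp", None, b""),
)


class NetworkSensor:
    """Data collection point.  The event generator policy here is a port
    filter: traffic to unmonitored ports is discarded before analysis."""

    def __init__(self, monitored_ports):
        self.monitored_ports = frozenset(monitored_ports)

    def collect(self, packets):
        return [p for p in packets
                if p.proto == "icmp" or p.dport in self.monitored_ports]


class Analyzer:
    """Matches each collected packet against the signature database."""

    def __init__(self, db):
        self.db = db

    def analyze(self, packet):
        return [sig for sig in self.db
                if sig.proto == packet.proto
                and (sig.dport is None or sig.dport == packet.dport)
                and (not sig.pattern or sig.pattern in packet.payload)]


class ResponseSystem:
    """Only an inline sensor can drop traffic; a sensor fed from a SPAN port
    or TAP sees a copy of the packet and can only record the verdict."""

    def __init__(self, inline):
        self.inline = inline
        self.blocked_sources = set()

    def respond(self, packet):
        if self.inline:
            self.blocked_sources.add(packet.src)
            return True
        return False


def run_ids(packets, monitored_ports=(21, 445), inline=False):
    """Sensor -> analyzer -> alert system -> response system.  Returns the
    alerts handed to the console and the set of blocked source addresses."""
    sensor, analyzer = NetworkSensor(monitored_ports), Analyzer(SIGNATURE_DB)
    responder, alerts = ResponseSystem(inline), []
    for pkt in sensor.collect(packets):
        for sig in analyzer.analyze(pkt):   # alert system: one alert per hit
            alerts.append({"sid": sig.sid, "name": sig.name, "src": pkt.src,
                           "dst": pkt.dst, "blocked": responder.respond(pkt)})
    return alerts, responder.blocked_sources


def console_summary(alerts):
    """Command console view: alert counts per source address, busiest first."""
    return Counter(a["src"] for a in alerts).most_common()


# Constructed traffic: an SMB share probe, an FTP PORT bounce, a ping, and a
# benign HTTP request that the sensor's port filter discards before analysis.
SAMPLE_TRAFFIC = [
    Packet("10.10.10.50", "10.10.10.16", "tcp", 445, b"\x00\x00\\\\10.10.10.16\\IPC$"),
    Packet("10.10.10.50", "10.10.10.16", "tcp", 21, b"PORT 10,10,10,16,4,1\r\n"),
    Packet("10.10.10.79", "10.10.10.16", "icmp", None, b"\x08\x00ping"),
    Packet("10.10.10.20", "10.10.10.16", "tcp", 80, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    found, blocked = run_ids(SAMPLE_TRAFFIC, inline=True)
    print(found, sorted(blocked), console_summary(found))
```

Running it with `inline=True` produces three alerts (SIDs 1001, 1002, 1003) and two blocked sources; running it with `inline=False` produces the same three alerts but blocks nothing, which is the passive SPAN/TAP case. The HTTP packet never reaches the analyzer because the sensor's policy discards it, illustrating why the filter in the event generator policy must cover the ports an attacker actually uses.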
Command Console

Command console software is installed on, and runs on, a separate system that is dedicated to the IDS. It provides a user interface through which an administrator receives and analyzes security events, alert messages, and log files. The command console evaluates security event information from the different security devices: the IDS collects data from the sensors and security devices placed throughout the network and sends it to the command console for evaluation. Administrators use the console to analyze the alert messages triggered by the alert system and to manage log files. In large networks the console lets administrators process large volumes of activity and respond quickly.

Installing the command console on a system that also serves other purposes, such as backing up files or running a firewall, will make it slow to respond to events; a dedicated system provides the benefit of a fast response. A dedicated host also keeps the alert and log data the console holds, which an intruder would want to alter or delete, separate from the busier systems that are themselves targets.

Caution: If the command console is installed on a non-dedicated computer system (e.g., firewall, backup server), it will drastically slow down the response to security events, as those systems may be busy handling other tasks.

Figure 7.76: Sguil Command Console (SGUIL-0.9.0 connected to localhost, showing the event list with source and destination IPs, packet data, rule display, reverse DNS and whois lookups, and payload search)