Chapter 7 - 04 Network Security Controls - Technical Controls PDF

Summary

This document discusses network security controls, specifically focusing on Intrusion Detection and Prevention Systems (IDS/IPS). It explains their role and capabilities, limitations, and concerns in implementing IDS security. It also touches on components, collaboration, deployment and various aspects of IDS.

Full Transcript


Certified Cybersecurity Technician Exam 212-82 Network Security Controls - Technical Controls

Module Flow
- Discuss Essential Network Security Protocols
- Discuss Fundamentals of VPN and its Importance in Network Security
- Understand Different Types of Firewalls and their Role
- Understand Different Types of IDS/IPS and their Role
- Understand Different Types of Honeypots
- Understand Different Types of Proxy Servers and their Benefits
- Discuss Security Benefits of Network Segmentation
- Discuss Other Network Security Controls
- Discuss Importance of Load Balancing in Network Security
- Understand Various Antivirus/Anti-malware Software

Understand Different Types of IDS/IPS and their Role

The objective of this section is to explain different types of IDS/IPS, their role, capabilities, limitations, and concerns in implementing IDS security. This section also discusses IDS components, collaboration of IDS components in intrusion detection, deployment of network and host based IDS, types of IDS alerts, and intrusion detection tools.

Module 07 Page 807 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Intrusion Detection and Prevention System (IDS/IPS)

01. An intrusion detection and prevention system (IDS/IPS) is a network security appliance that inspects all inbound and outbound network traffic for suspicious patterns that might indicate a network or system security breach.
02. The IDS checks the network traffic for signatures that match known intrusion patterns and triggers an alarm when a match is found.
03. If a match is found, the IDS alerts the administrator about the suspicious activities.

(Figure: IDS/IPS deployed with the firewall between the untrusted network and the server.)

An Intrusion Detection and Prevention System (IPS/IDPS) is a network security appliance which inspects all inbound and outbound network traffic for suspicious patterns that could indicate a network or system security breach, identifies suspicious activity if any, logs information about the suspicious activity, reports it, and attempts to block it. An intrusion prevention system (IPS) is an extension of the intrusion detection system (IDS). An IPS can:
- Send alarms
- Drop identified malicious packets
- Reset a connection
- Block traffic from a malicious IP address
- Defragment packet streams
- Reduce TCP sequencing issues
- Correct cyclic redundancy check (CRC) errors
- Clean unneeded transport and network layer options

The Intrusion Detection System (IDS) monitors all inbound and outbound network activity and identifies malicious patterns by looking for known attack signatures. It warns security professionals of suspicious activity but does not prevent it. An IDS displays an alert, logs the event, pages an administrator, or reconfigures the network to mitigate the consequences of intrusions.

IDS vs. IPS

The key difference between an IPS and an IDS is that the IPS is implemented in-line, whereas the IDS sits off to the side. Traffic directed through an IPS is either blocked or allowed packet by packet depending on the policy, and the IPS performs correction if needed. An IDS is connected via a network tap: it monitors traffic but cannot act on it directly.

Figure 7.64: IDS vs. IPS
How does an IDS Work?

Figure 7.65: Working of an IDS. (Internet -> Router -> Firewall -> IDS. The IDS preprocessor passes the packet to signature file comparison against the signature database, then to anomaly detection, then to stateful protocol analysis. At each stage a match triggers the action rule: an alarm notifies the admin, the packet can be dropped, connections are cut down from that source IP, and the event is sent to the log server. A packet that matches nothing is passed through the switch to the enterprise network.)

Signature-based IDS: In a signature-based IDS, the network traffic is checked against a database of known intrusion signatures.
As shown in the above figure, if an attack signature matches any of the signatures in the signature file database, the connection from the source IP will be cut down, the packet will be dropped, the activity will be logged, and an alarm will be initiated. Otherwise, the packet will be moved to the next step, called the anomaly detection step. Anomaly-based IDS: An anomaly-based IDS uses statistical techniques to compare the monitored traffic with normal traffic. This method can identify new forms of attacks that are not in the IDS signature database and issue a warning. The disadvantage of this method is that it issues false positives, which complicate the administrator's work. In the anomaly detection step, if a match is found, the connections from the source IP will be cut down, the packet will be dropped, the activity will be logged, and an alarm will be initiated. Otherwise, the packet will be sent to stateful protocol analysis. Stateful protocol analysis detects deviations in protocol state, using predetermined profiles based on vendor-developed definitions of malicious activity. In the stateful protocol analysis, if the packet is matched, the connections from the source IP will be cut down, the packets will be dropped, the activity will be logged, and an alarm will be initiated. Otherwise, the packet will be passed to the network through a switch. An IDS evaluates network traffic for illegal activities and policy violations. It also performs a vulnerability assessment to help ensure the security of the network.
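The three-stage flow just described (signature comparison, then anomaly detection, then stateful protocol analysis), with the IDS-versus-IPS distinction from the earlier section deciding whether a match only alarms or also drops and cuts off the source, as an added Python example. This is not code from the EC-Council module; the Packet fields, the signature patterns and the 3-sigma packet-size threshold are constructed assumptions.

```python
# Added example (not from the EC-Council module): a toy model of the three-stage
# IDS flow in Figure 7.65 run over constructed packets. Signature patterns,
# thresholds and packet fields are hypothetical.
from dataclasses import dataclass, field
import statistics

@dataclass
class Packet:          # constructed, simplified packet record
    src: str
    flags: str         # "SYN" opens a connection; anything else is data
    size: int
    payload: bytes = b""

# Hypothetical signature file: name -> byte pattern of a known intrusion.
SIGNATURES = {"sqli-tautology": b"' OR '1'='1", "shell-probe": b"/bin/sh"}

@dataclass
class Engine:
    mode: str = "ids"                              # "ids" (tap) or "ips" (in-line)
    baseline: list = field(default_factory=list)   # packet sizes learned as normal
    conns: set = field(default_factory=set)        # sources that completed a SYN
    blocked: set = field(default_factory=set)      # sources cut off by the IPS
    log: list = field(default_factory=list)        # (stage, src) alarm records

    def _hit(self, stage, pkt):
        # Any stage matching: log and alarm; in IPS mode also drop and cut the source off.
        self.log.append((stage, pkt.src))
        if self.mode == "ips":
            self.blocked.add(pkt.src)
            return "drop"
        return "alarm"

    def inspect(self, pkt):
        if pkt.src in self.blocked:
            return "drop"
        # 1. Signature comparison against the signature database.
        if any(sig in pkt.payload for sig in SIGNATURES.values()):
            return self._hit("signature", pkt)
        # 2. Anomaly detection: size more than 3 standard deviations above baseline.
        if len(self.baseline) >= 5:
            mu, sd = statistics.mean(self.baseline), statistics.pstdev(self.baseline)
            if sd and (pkt.size - mu) / sd > 3:
                return self._hit("anomaly", pkt)
        self.baseline.append(pkt.size)
        # 3. Stateful protocol analysis: data before a handshake deviates from the TCP profile.
        if pkt.flags == "SYN":
            self.conns.add(pkt.src)
        elif pkt.src not in self.conns:
            return self._hit("stateful", pkt)
        return "pass"
```

In "ids" mode the engine only records alarms, which is why the false positives the text warns about cost analyst time rather than connectivity; in "ips" mode the same false positive would block the source.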
The following are the features of an IDS:
- Evaluating system and network activities
- Analyzing vulnerabilities in a network
- Measuring system and file integrity
- Ability to identify the possibility of attacks
- Monitoring irregular activities in a network and system
- Evaluating policy violations

Organizations can identify the presence of attacks or intrusions from outside a network as well as intrusions or misuse within that network. An IDS generally performs a vulnerability assessment or scan in order to identify the vulnerabilities in a network and to monitor the security of the network. Firewalls prevent intrusions into a network, but do not actually issue an alert regarding an intrusion or an attack. IDS systems, on the other hand, can monitor and identify intrusions within a network as well as signal an alarm to the administrator.

Advantages of IDS:
- An IDS allows continuous monitoring and tracking of all intrusions and attacks in a network.
- An IDS provides an extra layer of security to a network.
- An IDS can also provide a log or data regarding the attack or intrusion that can later be used for investigating the incident.

Disadvantages of IDS:
- An IDS requires more maintenance as compared to firewalls.
- It is not always possible for an IDS to detect intrusions.
- An IDS requires properly trained and experienced users to maintain it.
- An IDS can raise false alarms to the network administrator.
