Chapter 7 - 04 - Understand Different Types of IDS-IPS and their Role - 02_ocred_fax_ocred.pdf


Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

Role of an IDS in Network Defense

= An IDS works from inside the network, unlike a firewall, which only looks outside the network for intrusions
= An IDS is placed behind the firewall, inspecting all the traffic and looking for heuristics and a pattern match for intrusions

Why Do We Need an IDS?

Relying solely on a firewall for network security can provide a false sense of security. A firewall simply implements the IT security policy by allowing or denying traffic based on the policy rules: it lets certain packets pass and denies access to those that do not meet the criteria specified in a rule. It does not check the contents of legitimate traffic that the ruleset allows, and even legitimate traffic may contain malicious content, which a firewall does not evaluate during inspection. As an example, a firewall can be configured to pass traffic solely to port 80 of the web server and to port 25 of the email server, but it will not inspect the nature of the traffic flowing through either of these ports. This is why an IDS is implemented: an IDS inspects the legitimate traffic coming from the firewall, conducts signature-based analysis to identify malicious activity, and raises an alarm to notify security professionals.

Module 07 Page 813 Certified Cybersecurity Technician Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

How an IDS Detects an Intrusion?
= Signature Recognition: signature recognition, also known as misuse detection, tries to identify events that indicate an abuse of a system or network resource
= Anomaly Detection: detects an intrusion based on the fixed behavioral characteristics of the users and components in a computer system
= Protocol Anomaly Detection: models are built to explore anomalies in the way in which vendors implement the TCP/IP specification

An IDS uses three methods to detect intrusions in the network.

Signature Recognition

Signature recognition, also known as misuse detection, tries to identify events that indicate an abuse of a system or network. This technique involves first creating models of possible intrusions and then comparing these models with incoming events to make a detection decision. IDS signatures are created under the assumption that the model must detect an attack without disturbing normal system traffic: only attacks should match the model; otherwise, false alarms occur.

Signature-based intrusion detection compares incoming or outgoing network packets with the binary signatures of known attacks, using simple pattern-matching techniques to detect intrusions. A binary signature can be defined over a specific portion of the packet, such as the TCP flags. Signature recognition can detect known attacks. However, an innocuous packet may contain the same byte pattern as a signature, which triggers a false positive alert, and improperly written signatures likewise trigger false alerts. Detecting misuse requires a massive number of signatures. The more signatures there are, the greater the chance of the IDS detecting attacks; however, more legitimate traffic may then incorrectly match a signature, and the matching load degrades system performance. A large amount of signature data also requires more bandwidth to distribute updates and more processing capacity to match against.
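As an added example, not from the course material, the following Python script models the contrast drawn above: a firewall rule that passes any packet to port 80 or port 25 without reading it, and a signature-based IDS that matches the passed traffic against known-attack patterns by simple pattern matching. It includes a flags-only signature and shows a false positive on an innocent mail body that happens to contain the same bytes as a signature. The hosts, ports, signatures and packets are constructed for the example and are not real rule content.

```python
"""Added example (not part of the course material): a port-based firewall rule
next to a signature-based IDS inspecting the traffic that rule lets through.
Packets, ports and signatures are constructed for illustration."""
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst_port: int
    tcp_flags: frozenset     # e.g. frozenset({"SYN"})
    payload: bytes = b""

# ---- Firewall: decides on policy rules only; never looks at the payload ----
ALLOWED_PORTS = {80, 25}     # web server and mail server, as in the text

def firewall_allows(pkt: Packet) -> bool:
    return pkt.dst_port in ALLOWED_PORTS

# ---- IDS: misuse detection by matching known-attack signatures -----------
# Each signature is a pattern over packet fields. These are made up for the
# example and are not vendor rule content.
SIGNATURES = [
    {"name": "HTTP path traversal", "port": 80, "content": b"../../"},
    {"name": "SMTP VRFY user probe", "port": 25, "content": b"VRFY "},
    # A signature over TCP flags alone: SYN and FIN never occur together in
    # a legitimate handshake.
    {"name": "SYN/FIN flag combination", "flags": frozenset({"SYN", "FIN"})},
]

def match_signatures(pkt: Packet) -> list:
    """Simple pattern matching: return the names of every signature that fires."""
    hits = []
    for sig in SIGNATURES:
        if "flags" in sig:
            if sig["flags"] <= pkt.tcp_flags:
                hits.append(sig["name"])
        elif sig["port"] == pkt.dst_port and sig["content"] in pkt.payload:
            hits.append(sig["name"])
    return hits

def inspect_traffic(traffic):
    """Apply the firewall first, then the IDS to whatever the firewall passed.
    Returns (packets dropped by the firewall, IDS alerts as (src, signature))."""
    dropped, alerts = [], []
    for pkt in traffic:
        if not firewall_allows(pkt):
            dropped.append(pkt)
            continue
        alerts.extend((pkt.src, name) for name in match_signatures(pkt))
    return dropped, alerts

F = frozenset
SAMPLE = [  # constructed traffic
    Packet("10.0.0.5", 80, F({"SYN"})),
    Packet("10.0.0.5", 80, F({"PSH", "ACK"}), b"GET /index.html HTTP/1.1\r\n"),
    Packet("198.51.100.7", 22, F({"SYN"})),                              # SSH: blocked by the rule
    Packet("198.51.100.7", 80, F({"PSH", "ACK"}), b"GET /../../etc/passwd HTTP/1.1\r\n"),  # allowed by rule, caught by IDS
    Packet("198.51.100.7", 25, F({"SYN", "FIN"})),                       # flag-only signature
    Packet("10.0.0.9", 25, F({"PSH", "ACK"}), b"Please disable VRFY on the relay.\r\n"),  # innocent mail body: false positive
]

def run_example():
    return inspect_traffic(SAMPLE)

if __name__ == "__main__":
    dropped, alerts = run_example()
    print("firewall dropped:", [(p.src, p.dst_port) for p in dropped])
    for src, name in alerts:
        print("IDS alert:", src, name)
```

The firewall drops only the SSH packet; the traversal request and the SYN/FIN segment both sail through the port rule and are caught only by the IDS. The last packet shows the cost of pure pattern matching: a user writing about the VRFY command produces the same bytes as a probe and raises a false positive.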
An IDS compares the signatures of data packets against those in its signature database; as the number of signatures in the database grows, the sensor can fall behind and drop certain packets.

Anomaly Detection

Anomaly detection, or "not-use detection," differs from signature recognition. Rather than a database of attack signatures, it relies on a profile of normal activity: an anomaly is detected when an event occurs outside the tolerance threshold of normal traffic, so any deviation from regular use is treated as an attack. Anomaly detection detects intrusions based on the fixed behavioral characteristics of the users and components in a computer system. Establishing the model of normal use is the most challenging step in creating an anomaly detector.

o In the traditional method of anomaly detection, essential data are kept for checking variations in network traffic. In reality, however, network traffic is unpredictable and shows too many statistical variations, which makes these models imprecise; some events labeled as anomalies may only be irregularities in network usage.
o The inability to construct a thorough model of a regular network is a concern with this approach. Such models should be built for, and checked against, the specific network they protect.

Protocol Anomaly Detection

Protocol anomaly detection depends on the anomalies specific to a protocol. It identifies particular flaws in vendors' implementations of the TCP/IP protocols. Protocols are designed according to RFC specifications, which dictate standard handshakes to permit universal communication; the detector models the states and transitions the specification allows and flags traffic that violates them. Because it checks traffic against the specification rather than against known attack patterns, a protocol anomaly detector can identify new attacks.

o There are new attack methods and exploits that violate protocol standards.
o Malicious anomaly signatures are becoming increasingly common.
By contrast, the network protocols themselves are well defined and change slowly. A signature database must therefore be updated frequently to keep detecting new attacks, whereas a protocol model rarely needs revision.
o Protocol anomaly detectors differ from traditional IDS in how they present alarms.
o The best way to present an alarm is to explain which part of the protocol state machine was violated. For this purpose, IDS operators must have thorough knowledge of protocol design.

IDS Capabilities

= IDS provides an additional layer of security to the network under the defense-in-depth principle
= IDS does several things that basic firewalls cannot do
= IDS helps minimize the chance of missing security threats that could come from firewall evasions

The main task of an IDS is detecting an intrusion attempt on a network and issuing a notification about what occurred. Detecting hostile attacks depends on several types of actions, including prevention, intrusion monitoring, intrusion detection, and response. Intrusion prevention requires a well-selected combination of luring and tricking aimed at investigating threats; diverting the intruder's attention away from protected resources is another task.
An IDS constantly monitors both the real system and a possible trap system and carefully examines the data generated to detect possible attacks. Once an IDS detects an intrusion, it issues alerts notifying administrators. Once the intrusion is detected and notified, security professionals can execute countermeasures, which may include blocking functions, terminating sessions, backing up the systems, routing connections to a trap system, engaging the legal process, etc. An IDS is an important element of the security policy. IDS alerts and logs are useful in the forensic investigation of incidents and in installing appropriate patches, and they enable the detection of future attack attempts targeting specific people or resources. An IDS observes computer network activity and keeps track of user policies and activity patterns to ensure they do not violate policies. It also observes network traffic and components to detect viruses and malware hidden in the form of spyware, keyloggers, etc.

An IDS works by gathering information about illicit attempts made to compromise security and then verifying them. It also records the event data, which the security professional can use to take future preventive measures and make improvements to network security.
IDS/IPS Functions

= Monitoring and analyzing both user and system activities
= Analyzing system configurations and vulnerabilities
= Assessing system and file integrity
= Recognizing typical attack patterns
= Analyzing abnormal activity patterns
= Tracking user policy violations

In addition to its core functionality of identifying and analyzing intrusions, an IDS can perform the following activities related to intrusion detection:

= Recording information about events: an IDS notes every detail of the monitored events and forwards the recorded information to other systems such as centralized logging servers, security information and event management (SIEM) systems, and enterprise management systems.
= Sending alerts: the IDS sends an intrusion alert to the security professional through email, pop-up messages on the IDS user interface, etc.
= Generating reports: the IDS generates reports providing insight into observed events or any suspicious event that may have occurred.
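The following Python script is an added example, not code from the course, that combines the anomaly detection and protocol anomaly detection methods from "How an IDS Detects an Intrusion?" with the record, alert and report functions listed above, run over one constructed packet trace. The baseline (mean plus three standard deviations of packets per second for each source, learned from an attack-free training trace), the TCP flag rules, the host addresses and every packet are assumptions made for the example. The protocol detector keeps a small table of flows that began with a proper SYN so that an alert can say which part of the connection state machine was violated, as the text recommends.

```python
"""Added example, not the course's code: a toy IDS applying the anomaly and
protocol-anomaly detection methods to a constructed trace, with the record,
alert and report functions. All thresholds, hosts and packets are made up."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Packet:
    ts: float          # seconds since trace start
    src: str
    dst: str
    dst_port: int
    flags: frozenset   # subset of {"SYN", "ACK", "FIN", "RST", "PSH"}

# ---- Protocol anomaly detection: how the RFC says TCP flags are used --------
def tcp_protocol_anomalies(pkt, flows):
    """Return the rules this segment violates. `flows` remembers which (src, dst,
    port) tuples began a proper handshake, so an alert can name the state violated."""
    f, reasons = pkt.flags, []
    key = (pkt.src, pkt.dst, pkt.dst_port)
    if {"SYN", "FIN"} <= f:
        reasons.append("SYN and FIN set together")
    if not f:
        reasons.append("no flags set (null segment)")
    elif "SYN" not in f and "ACK" not in f:
        reasons.append("non-SYN segment without ACK")
    if f == {"SYN"}:
        flows.add(key)                      # well-formed handshake start
    elif key not in flows and "PSH" in f:
        reasons.append("data segment with no preceding SYN (state CLOSED)")
    return reasons

# ---- Anomaly detection: statistical model of normal use plus a tolerance ----
def packets_per_interval(trace, interval=1.0):
    counts = defaultdict(Counter)           # src -> {interval index: packets}
    for p in trace:
        counts[p.src][int(p.ts // interval)] += 1
    return counts

def build_baseline(training, k=3.0):
    """Tolerance threshold per source: mean + k * stddev of packets per second.
    Assumption: the training trace is attack-free."""
    base = {}
    for src, c in packets_per_interval(training).items():
        vals = list(c.values())
        base[src] = mean(vals) + k * pstdev(vals)
    return base

class SimpleIDS:
    def __init__(self, baseline):
        self.baseline, self.flows = baseline, set()
        self.events, self.alerts = [], []   # event log and alert queue

    def record(self, kind, detail):
        """Keep every observation (what a real IDS forwards to a log server or SIEM)."""
        self.events.append((kind, detail))

    def alert(self, method, src, reason):
        self.alerts.append((method, src, reason))
        self.record("alert", f"{method}: {src} {reason}")

    def process(self, trace):
        for p in sorted(trace, key=lambda p: p.ts):
            self.record("packet", (p.ts, p.src, p.dst_port, sorted(p.flags)))
            for reason in tcp_protocol_anomalies(p, self.flows):
                self.alert("protocol-anomaly", p.src, reason)
        for src, per_sec in packets_per_interval(trace).items():
            limit = self.baseline.get(src)
            for sec, n in sorted(per_sec.items()):
                if limit is None:
                    self.alert("anomaly", src, f"no baseline for this source (second {sec})")
                elif n > limit:
                    self.alert("anomaly", src, f"{n} pkt/s at second {sec} exceeds tolerance {limit:.1f}")
        return self.alerts

    def report(self):
        """Summary a reporting function would render."""
        return {"packets": sum(1 for k, _ in self.events if k == "packet"),
                "alerts": dict(Counter(m for m, _, _ in self.alerts))}

# ---- Constructed traffic ------------------------------------------------------
def flow(src, dst, port, t0, n, gap=0.01):
    """A well-formed flow: one SYN, then n PSH/ACK data segments."""
    return [Packet(t0, src, dst, port, frozenset({"SYN"}))] + [
        Packet(t0 + (i + 1) * gap, src, dst, port, frozenset({"PSH", "ACK"})) for i in range(n)]

SERVER = "10.0.0.80"
TRAINING = [p for s, n in enumerate([2, 3, 3, 2, 3, 4, 3, 2, 3, 3])
            for p in flow("10.0.0.5", SERVER, 80, float(s), n)]                  # varies a little
TRAINING += [p for s in range(10) for p in flow("10.0.0.8", SERVER, 445, float(s), 3)]  # perfectly regular

MONITORED = (flow("10.0.0.5", SERVER, 80, 20.0, 3)        # normal rate
             + flow("10.0.0.5", SERVER, 80, 21.0, 30)     # burst: genuine anomaly
             + flow("10.0.0.8", SERVER, 445, 20.0, 8)     # legitimate backup burst: false positive
             + [Packet(22.0, "203.0.113.9", SERVER, 80, frozenset({"SYN", "FIN"})),   # SYN/FIN probe
                Packet(22.1, "203.0.113.9", SERVER, 80, frozenset()),                 # null scan
                Packet(22.2, "203.0.113.9", SERVER, 443, frozenset({"PSH", "ACK"}))])  # data, no handshake

def run_example():
    ids = SimpleIDS(build_baseline(TRAINING))
    return ids.process(MONITORED), ids.report()

if __name__ == "__main__":
    alerts, summary = run_example()
    for a in alerts:
        print(a)
    print(summary)
```

Two results are worth noting. The host 10.0.0.8 had a perfectly regular training history, so its tolerance collapsed to its mean rate and a legitimate backup burst is reported as an anomaly; this is the "irregularity in network usage" the text warns about, and it is why a baseline must be built from the specific network over a representative period. The three protocol alerts need no signature database at all: SYN+FIN, a null segment and data on a connection that never left CLOSED are each violations of the specification, and the last alert names the state that was bypassed.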
