IDS/IPS Limitations PDF

Certified Cybersecurity Technician Exam 212-82 Network Security Controls — Technical Controls IDS/IPS Limitations: What an IDS/IP...

Certified Cybersecurity Technician Exam 212-82 Network Security Controls — Technical Controls IDS/IPS Limitations: What an IDS/IPS is NOT? Network Logging Vulnerability Systems \ ‘ Assessment Tools IDS/IPS cannot act as or replacement of Antivirus < 5 Cryptographic Products Systems Copyright © by EC- IL All Rights Reserved. ReproductionIS Strictly Prohibited IDS/IPS Limitations: What an IDS/IPS is NOT? Contrary to popular belief and terminology employed in the literature on IDSs, not every security device falls into this category. In particular, the following security devices should not be categorized as IDSs: = Network logging systems: These devices are network traffic monitoring systems. They detect DoS vulnerabilities across a congested network. * Vulnerability assessment tools: These devices check for bugs and flaws in operating systems and network services (security scanners). = Antivirus products: These devices detect malicious software such as viruses, Trojan horses, worms, bacteria, logic bombs, etc. When compared feature by feature, these devices are very similar to IDSs and often provide effective security breach detection. = Security/cryptographic systems: These devices protect sensitive data from theft or alteration by mandating user authentication. Examples include VPN, SSL, S/MIME, Kerberos, and RADIUS. Module 07 Page 818 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Network Security Controls — Technical Controls IDS/IPS Security Concerns O Improper IDS/IPS configuration and management will make an IDS/IPS ineffective o QO IDS/IPS deployment should be done with careful planning, preparation, prototyping, testing, and specialized training ' Common Mistakes in IDS/IPS Configuration v Deploying an IDS in a location where it does not see all the network traffic v' Frequently ignoring the alerts generated by the IDS ¥ Not having the proper response policy and the best possible solutions to deal with an event ¥ Not fine-tuning the IDS for false negatives and false positives v Not updating the IDS with the latest new signatures from the vendor ¥ Only monitoring inbound connections IDS/IPS Security Concerns Improper IDS/IPS configuration and management will make an IDS/IPS ineffective. IDS/IPS deployment should be done with careful planning, preparation, prototyping, testing, and specialized training. Common Mistakes in IDS/IPS Configuration = Deploying an IDS in a location where it does not see all the network traffic = Frequently ignoring the alerts generated by the IDS = Not having the proper response policy and the best possible solutions to deal with an event = Not fine-tuning the IDS for false negatives and false positives = Not updating the IDS with the latest new signatures from the vendor = Only monitoring inbound connections Included below are some mistakes and workarounds to avoid them for effective deployment of an IDS in the network: = Deploying an IDS if the infrastructure planning is not efficient: An improper or incomplete network infrastructure will not help the functioning of an IDS. If the tuning of the IDS does not follow the network infrastructure, it has the potential to disable the network by flooding it with alerts. * Incorrect sensitivity: After the deployment of an IDS, organizations usually set its level to the highest sensitivity enabling the IDS to detect a large number of attacks. However, this also leads to a rise in the number of false positives. If an IDS generates a large Module 07 Page 819 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Network Security Controls — Technical Controls number of false positive alerts per day, it could cause the administrator to miss an actual alert. In the long run, ignoring these alerts can be harmful for network security. * Detecting an intrusion is not enough: Organizations should also design a response policy that administrators implement in response to an incident that has occurred. This response policy should answer the following questions: What is a normal event and what is a malicious event? What is the response for every event generating an alert? The person reviewing the alerts should be aware of this action plan. = NIDS without IPsec: An infrastructure that has established a NIDS without IPsec network protocols makes the network more vulnerable to intrusions. A NIDS listens to all the traffic that it senses and then compares the legitimacy of the traffic. If it encounters encrypted traffic, it can only perform packet-level analysis as the application layer contents are inaccessible. This increases the vulnerability of the network. * Ignoring outbound traffic: Many organizations prefer securing and monitoring only the inbound traffic and ignore the outbound traffic. It is important to place IDS sensors throughout the organization. If the setup is cost effective, the organization should place the sensors near the choke points on the network. This will help monitor outbound as well as internal host network traffic. = Deploying IDS sensors on a single NIC or on multiple data links: This will lead to an IDS sensor sending the data on the same interface on which it is sensing. This may lead to a possible attack as the interface reports all the data to the centralized database. If an attacker gets access to this infrastructure, they can disable the IDS and prevent further alerts. The attacker can also intercept the data on the interface and alter it. This issue can be resolved by connecting the interface to a dedicated monitoring network. Module 07 Page 820 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Network Security Controls - Technical Controls General Indications of Intrusions « L File System Intrusions Network Intrusions System Intrusions O The presence of new or O Repeated probes of the O Short or incomplete logs unfamiliar files, or programs available services on your O Unusually slow system machines QO Changes in file permissions ) performance O Unexolained ch n a file' Q Connections from unusual O Missing logs or logs with incorrect si::xp RO GOSN 8 ReS locations permissions or ownership O Repeated login attempts from O Modifications to system software Q Rogue files on the system that remote hosts and configuration files (,jo -y Forrespond othe naster Q' Asudden influx of log data Q Unusual graphic displays or text list of signed files messages QO Missing files O Gaps in system accounting O System crashes or reboots i 0 Unfamiliar processes ¢ ] Copyright © by EC L All Rights Reserved. Reproductionis Strictly Prohibited. General Indications of Intrusions Intrusion attempts on networks, systems, or file systems can be identified by following some general indicators: * File System Intrusions By observing system files, the presence of an intrusion can be identified. System files record the activities of the system. Any modification or deletion of the file attributes or the file itself is a sign that the system has been a target of an attack: o If you find new, unknown files/programs on your system, then there is a possibility that the system has been intruded into. The system can be compromised to the extent that it can, in turn, compromise other network systems. When an intruder gains access to a system, he or she tries to escalate privileges to gain administrative access. When the intruder obtains administrator privileges, he/she could change file permissions, for example, from read-only to write. Unexplained modifications in file size are also an indication of an attack. Make sure you analyze all your system files. The presence of rogue suid and sgid files on your Linux system that do not match your master list of suid and sgid files could indicate an attack. You can identify unfamiliar file names in directories, including executable files with strange extensions and double extensions. Missing files are also a sign of a probable intrusion/attack. Module 07 Page 821 Certified Cybersecurity Technician Copyright © by EC-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Network Security Controls - Technical Controls = Network Intrusions Similarly, general indications of network intrusions include: o A sudden increase in bandwidth consumption o Repeated probes of the available services on your machines Connection requests from IPs other than those in the network range, which imply that an unauthenticated user (intruder) is attempting to connect to the network Repeated login attempts from remote hosts A sudden influx of log data, which could indicate attempts at DoS attacks, bandwidth consumption, and DDoS attacks = System Intrusions Similarly, general indications of system intrusions include: o Sudden changes in logs such as short or incomplete logs o Unusually slow system performance Missing logs or logs with incorrect permissions or ownership Modifications to system software and configuration files Unusual graphic displays or text messages Gaps in system accounting System crashes or reboots Unfamiliar processes Module 07 Page 822 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited.

IDS/IPS Limitations PDF

Document Details

Tags

Related

Summary

Full Transcript

Upgrade to continue