Chapter 7 - 04 - Understand Different Types of IDS-IPS and their Role - 06_ocred_fax_ocred.pdf



Certified Cybersecurity Technician Exam 212-82 Network Security Controls — Technical Controls

Structure-based IDS

An IDS is also classified as a centralized IDS or a distributed IDS; this classification is based on the structure of the IDS. In a centralized IDS, all data is shipped to a central location for analysis, independent of the number of hosts that are monitored. In a distributed IDS, several IDSs are deployed over a large network, and each IDS communicates with the others for traffic analysis.

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

[Slide: Structure-based IDS (Cont'd). Centralized control: application, network and host-based monitoring systems all report to one IDS console. Fully distributed (agent-based) control: application, network and host-based monitoring agents communicate directly with each other.]

Centralized Structure of an IDS

In a centralized system, the data is gathered from different sites to a central site, and a central coordinator analyzes the data following an intrusion. Such an IDS is designed for centralized systems. In a centralized IDS, data analysis is performed in a fixed number of locations, independent of how many hosts are being monitored. As a result, the centralized structure becomes a bottleneck in a high-speed network: the analysis capacity is fixed, while the volume of data that must be shipped to the central site grows with the number of monitored hosts and links.

Module 07 Page 834 Certified Cybersecurity Technician Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

[Figure 7.72: Centralized Structure of an IDS. Application, network and host-based monitoring systems forward their data to a single IDS console.]

Distributed Structure of an IDS

A distributed intrusion detection system (dIDS) consists of multiple IDSs deployed over a large network. These systems communicate with each other or with a central server, which provides an advanced network of monitoring, incident analysis, and instant sharing of attack data. By having these cooperative agents distributed across a network, network operators get a broader view of what is occurring on their network as a whole. A dIDS also allows a company to manage its incident analysis resources efficiently by centralizing its attack records, giving the analyst a way to spot new trends or patterns and to identify threats that span multiple network segments.

[Figure 7.73: Distributed Structure of an IDS. Network and host-based monitoring systems are deployed per segment and exchange their data.]
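The following Python script is an added example (not part of the EC-Council course material) of the "broader view" a distributed IDS gives. One agent per network segment applies a local rule to the traffic it can see; the agents ship their attack records to a central server, which merges them. A horizontal scan that touches only two hosts on each of three segments stays below every agent's own threshold but is obvious once the records are correlated centrally. The segment names, IP addresses, ports and both thresholds are assumptions made for the demonstration.

```python
"""Distributed IDS: one agent per network segment plus a central correlator.

Added example, not from the EC-Council course material. Each agent sees only
the traffic on its own segment; the central server ingests the agents' records
and so obtains the network-wide view the text describes. The IP addresses,
segment names and thresholds are constructed for this demonstration.
"""
from collections import defaultdict

# Constructed connection records: (segment, source IP, destination IP, port).
# One source probes two SSH hosts on each of three segments; the rest is
# ordinary intranet traffic.
RECORDS = [
    ("seg-A", "10.9.9.9", "10.1.0.10", 22),
    ("seg-A", "10.9.9.9", "10.1.0.11", 22),
    ("seg-B", "10.9.9.9", "10.2.0.10", 22),
    ("seg-B", "10.9.9.9", "10.2.0.11", 22),
    ("seg-C", "10.9.9.9", "10.3.0.10", 22),
    ("seg-C", "10.9.9.9", "10.3.0.11", 22),
    ("seg-A", "10.1.0.50", "10.1.0.10", 443),
    ("seg-B", "10.2.0.50", "10.2.0.11", 443),
]

LOCAL_THRESHOLD = 3   # distinct targets before a single agent alerts
GLOBAL_THRESHOLD = 5  # distinct targets before the central correlator alerts


class SegmentAgent:
    """An IDS agent that only ever sees one segment's traffic."""

    def __init__(self, segment):
        self.segment = segment
        self.targets = defaultdict(set)   # source IP -> destinations it touched

    def observe(self, src, dst):
        self.targets[src].add(dst)

    def local_alerts(self):
        """Sources this agent would flag on its own evidence alone."""
        return {src for src, dsts in self.targets.items()
                if len(dsts) >= LOCAL_THRESHOLD}

    def report(self):
        """Attack records shipped to the central server."""
        return {src: set(dsts) for src, dsts in self.targets.items()}


class CentralCorrelator:
    """Merges every agent's report into one network-wide picture."""

    def __init__(self):
        self.targets = defaultdict(set)

    def ingest(self, report):
        for src, dsts in report.items():
            self.targets[src] |= dsts

    def global_alerts(self):
        return {src for src, dsts in self.targets.items()
                if len(dsts) >= GLOBAL_THRESHOLD}


def run_distributed_ids(records):
    """Return (per-segment alerts, central alerts) for a record set."""
    agents = {}
    for segment, src, dst, _port in records:
        agents.setdefault(segment, SegmentAgent(segment)).observe(src, dst)
    local = {seg: agent.local_alerts() for seg, agent in agents.items()}
    central = CentralCorrelator()
    for agent in agents.values():
        central.ingest(agent.report())
    return local, central.global_alerts()


if __name__ == "__main__":
    local, central = run_distributed_ids(RECORDS)
    print("per-segment alerts:", local)   # every segment: empty set
    print("central alerts:", central)     # {'10.9.9.9'}
```

The same records run through a purely centralized structure would also catch the scan, but only because every packet record was shipped to the console; the agent-based arrangement lets each segment keep its own detection while forwarding only the summarized attack records needed for correlation.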
Analysis Timing-based IDS

Analysis timing refers to the elapsed time between the occurrence of events and the analysis of those events. Based on analysis timing, an IDS can be classified into two distinct types: interval-based IDS and real-time-based IDS.

Interval-based IDS

Interval-based or offline analysis refers to the storage of intrusion-related information for later analysis. This type of IDS checks the status and content of log files at predefined intervals. Information about a possible intrusion does not flow continuously from the monitoring points to the analysis engines; it is stored and forwarded. The analysis of the detected intrusion is performed offline. Because the analysis runs after the fact, an interval-based IDS cannot perform an active response: by the time an attack is detected, it has already progressed or completed. Batch mode was common in early IDS implementations because their capabilities did not support real-time data acquisition and analysis.

Real-time-based IDS

Information about a possible intrusion flows continuously from the monitoring points to the analysis engines, and the analysis is performed on the fly. A real-time-based IDS is designed for on-the-fly processing and is the most common approach for a network-based IDS. It operates on a continuous information feed, gathering and monitoring information from network traffic streams as they occur. The detection performed by this IDS yields results quickly enough to allow the IDS to take action that affects the progress of the detected attack. It can also verify events online, with on-the-fly processing, and respond to them at the same time. An IDS using this type of processing requires more RAM and a larger disk because of the high data storage required to trace all of the network packets online.
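As an added example (not part of the course text), the following Python script runs one constructed stream of login events through both analysis modes: a batch analyser that evaluates stored events only at interval boundaries, and a real-time analyser that evaluates each event as it arrives and can block the source. The five-failure rule, the 10-second interval, the IP addresses and the timestamps are assumptions made for the demonstration.

```python
"""Interval-based (batch) versus real-time analysis of one event stream.

Added example, not part of the course text. The events are constructed login
records (timestamp in seconds, source IP, outcome). Both analysers apply the
same rule, five failed logins from one source, but evaluate it at different
times, which decides whether the IDS can still affect the attack.
"""
from collections import Counter

FAIL_THRESHOLD = 5   # assumed rule: five failures from one source is an intrusion

# Constructed stream: the attacker guesses five times and succeeds at t=6;
# an unrelated user logs in at t=7.
EVENTS = [
    (1, "203.0.113.7", "fail"),
    (2, "203.0.113.7", "fail"),
    (3, "203.0.113.7", "fail"),
    (4, "203.0.113.7", "fail"),
    (5, "203.0.113.7", "fail"),
    (6, "203.0.113.7", "success"),
    (7, "198.51.100.2", "success"),
]


def analyse_interval(events, interval=10):
    """Interval-based (offline) analysis.

    Events are stored as they arrive and the rule runs only when the clock
    reaches a multiple of `interval`. The analyser is not in the traffic
    path, so it cannot block anything: every event is passed through.
    """
    detections = {}            # source -> clock time a batch run flagged it
    stored, passed = [], []
    pending = sorted(events)
    end = pending[-1][0]
    for clock in range(1, end + interval + 1):
        while pending and pending[0][0] <= clock:
            ev = pending.pop(0)
            stored.append(ev)  # store ...
            passed.append(ev)  # ... and forward later; no active response
        if clock % interval == 0:
            fails = Counter(src for _, src, out in stored if out == "fail")
            for src, n in fails.items():
                if n >= FAIL_THRESHOLD and src not in detections:
                    detections[src] = clock
    return detections, passed


def analyse_realtime(events):
    """Real-time (on-the-fly) analysis with an active response.

    Each event is evaluated the moment it arrives; once a source crosses the
    threshold its later events are blocked instead of passed.
    """
    detections, passed, blocked = {}, [], []
    fails = Counter()
    for ev in sorted(events):
        t, src, out = ev
        if src in detections:
            blocked.append(ev)
            continue
        passed.append(ev)
        if out == "fail":
            fails[src] += 1
            if fails[src] >= FAIL_THRESHOLD:
                detections[src] = t
    return detections, passed, blocked


def detection_latency(detections, events):
    """Analysis time: seconds from a source's first event to its detection."""
    first = {}
    for t, src, _ in sorted(events):
        first.setdefault(src, t)
    return {src: t_det - first[src] for src, t_det in detections.items()}


if __name__ == "__main__":
    det_i, passed_i = analyse_interval(EVENTS)
    det_r, passed_r, blocked_r = analyse_realtime(EVENTS)
    print("interval :", detection_latency(det_i, EVENTS), "blocked:", [])
    print("real-time:", detection_latency(det_r, EVENTS), "blocked:", blocked_r)
```

Both analysers fire on the same source. What differs is the analysis time (9 seconds after the first event for the batch run, 4 seconds for the real-time run) and the consequence: the real-time analyser blocks the successful login at t=6, while the interval-based analyser only records it when the batch runs at t=10.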
Source Data Analysis-based IDS

[Slide: An IDS is classified based on the type of data source used for detecting intrusions; it uses data sources such as audit trails and network packets. Intrusion detection using network packets: capturing and analyzing network packets helps an IDS detect well-known attacks. Intrusion detection using audit trails: audit trails help the IDS detect performance problems, security violations, and flaws in applications.]

An IDS is also classified based on the type of data source used for detecting intrusions. An IDS uses data sources such as audit trails and network packets to detect intrusions. Depending on the data source, an IDS can be categorized into two types: intrusion detection using audit trails and intrusion detection using network packets.

Intrusion Detection Using Audit Trails

An audit trail is a set of records that provides documentary evidence of a system's activity, drawn from system and application processes and from user activity on systems and applications. Audit trails help the IDS detect performance problems, security violations, and flaws in applications. Administrators should not store audit trail reports in a single file: an intruder who reaches that one file can read the audit reports and alter them to cover their tracks.
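The following Python script is an added example, not part of the course material, of intrusion detection over an audit trail. It parses constructed records in a simplified key=value format (not the Linux auditd format) and exercises the audit-system functions the text lists next: watching file access, recording commands run by users, recording security events, searching for events and running summary reports. It also flags a write to the audit log itself, which is the tampering the single-file warning above is about. The user names, paths, sensitive-file list and command pattern are assumptions for the demonstration.

```python
"""Intrusion detection over an audit trail.

Added example, not part of the course material. The records are constructed
in a simplified key=value format (not the Linux auditd format) and exercise
the audit-system functions listed on this page: watching file access,
recording commands run by users, recording security events, searching for
events and running summary reports. Paths, users and rules are illustrative.
"""
import re
from collections import Counter

AUDIT_TRAIL = """\
ts=1700000001 type=LOGIN uid=alice res=success
ts=1700000002 type=FILE uid=alice path=/home/alice/notes.txt op=read res=success
ts=1700000003 type=CMD uid=alice cmd="ls -la" res=success
ts=1700000010 type=LOGIN uid=bob res=success
ts=1700000011 type=FILE uid=bob path=/etc/shadow op=read res=denied
ts=1700000012 type=FILE uid=bob path=/etc/shadow op=read res=denied
ts=1700000013 type=CMD uid=bob cmd="sudo useradd -o -u 0 backdoor" res=success
ts=1700000014 type=FILE uid=bob path=/var/log/audit/audit.log op=write res=success
"""

SENSITIVE_PATHS = {"/etc/shadow", "/etc/sudoers"}
AUDIT_LOG = "/var/log/audit/audit.log"
PRIVILEGED_CMD = re.compile(r"^sudo\b|\buseradd\b|\busermod\b")
TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Parse one key=value record; quoted values may contain spaces."""
    rec = {k: v.strip('"') for k, v in TOKEN.findall(line)}
    rec["ts"] = int(rec["ts"])
    return rec


def parse_trail(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def detect(records):
    """Security events worth an alert: (timestamp, user, description)."""
    alerts = []
    for r in records:
        if r["type"] == "FILE" and r["path"] in SENSITIVE_PATHS:
            alerts.append((r["ts"], r["uid"],
                           f"{r['op']} of {r['path']} ({r['res']})"))
        if r["type"] == "FILE" and r["path"] == AUDIT_LOG and r["op"] == "write":
            # A single audit file is exactly what an intruder edits to hide;
            # a write to it by anyone but the audit daemon is itself an event.
            alerts.append((r["ts"], r["uid"], "write to the audit log"))
        if r["type"] == "CMD" and PRIVILEGED_CMD.search(r["cmd"]):
            alerts.append((r["ts"], r["uid"], "privileged command: " + r["cmd"]))
    return alerts


def search(records, **criteria):
    """Search for events: records whose fields match every criterion."""
    return [r for r in records
            if all(r.get(k) == v for k, v in criteria.items())]


def summary(records):
    """Summary report: events and denied operations per user."""
    events = Counter(r["uid"] for r in records)
    denied = Counter(r["uid"] for r in records if r["res"] == "denied")
    return {uid: {"events": n, "denied": denied[uid]} for uid, n in events.items()}


if __name__ == "__main__":
    recs = parse_trail(AUDIT_TRAIL)
    for alert in detect(recs):
        print(alert)
    print(summary(recs))
```

On the constructed trail, every alert is raised against bob: two denied reads of /etc/shadow, a privileged useradd via sudo, and a write to the audit log that follows it. The denied reads alone are a security violation; the later audit-log write is the signal that the trail itself may no longer be trustworthy, which is why the text recommends not keeping it in one place.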
Audit systems are used for the following:

- Watching file access
- Monitoring system calls
- Recording commands run by users
- Recording security events
- Searching for events
- Running summary reports

The reasons for performing audit trails are as follows:

- Identifying the signs of an attack using event analysis
- Identifying recurring intrusion events
- Identifying system vulnerabilities
- Developing access and user signatures
- Defining network traffic rules for anomaly detection-based IDSs
- Providing a form of defense for a basic user against intrusions

Intrusion Detection Using Network Packets

A network packet is a unit of data transmitted over a network for communication. It contains control information in a header and user data in a payload. The header carries the addresses of the packet's source and destination; the payload is the body of the packet and stores the actual content. Either the header or the payload can carry malicious content sent by an attacker: for example, forged addresses or illegal flag combinations in the header, or exploit strings in the payload. Capturing and inspecting these packets before they reach their final destination is an efficient way to detect such attacks.
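As an added example (not part of the course material), the following Python script does what a packet-based IDS does at its core: it splits a raw Ethernet/IPv4/TCP frame into header fields and payload with struct, checks the header for flag combinations that never occur in legitimate traffic, and checks the payload against byte signatures. The frame is constructed inline so the script runs without a capture interface; the IP and TCP checksums are left as zero because nothing is transmitted, and the flag rules and signatures are illustrative rather than a real rule set.

```python
"""Intrusion detection over a raw network packet (header and payload checks).

Added example, not part of the course material. The Ethernet/IPv4/TCP frame is
built inline with struct so the code runs without a capture interface; IP and
TCP checksums are left as zero because the example never sends the frame. The
flag rules and payload signatures are illustrative, not a real IDS rule set.
"""
import struct

ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
IP_HDR = struct.Struct("!BBHHHBBH4s4s")       # fixed 20-byte IPv4 header
TCP_HDR = struct.Struct("!HHIIBBHHH")         # fixed 20-byte TCP header

ETHERTYPE_IPV4, PROTO_TCP = 0x0800, 6
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Constructed payload signatures: (byte string, description).
SIGNATURES = [
    (b"/bin/sh", "shell path in payload"),
    (b"' OR 1=1", "SQL injection string in payload"),
]


def build_frame(src_ip, dst_ip, sport, dport, flags, payload):
    """Construct a test frame; checksums are 0 because nothing is transmitted."""
    total_len = IP_HDR.size + TCP_HDR.size + len(payload)
    ip = IP_HDR.pack(0x45, 0, total_len, 0x1234, 0, 64, PROTO_TCP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    tcp = TCP_HDR.pack(sport, dport, 1, 0, (TCP_HDR.size // 4) << 4, flags,
                       8192, 0, 0)
    eth = ETH_HDR.pack(b"\xaa" * 6, b"\xbb" * 6, ETHERTYPE_IPV4)
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Split a captured frame into header fields and payload (IPv4/TCP only)."""
    _dst_mac, _src_mac, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_IPV4:
        return None
    (vihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum,
     src, dst) = IP_HDR.unpack_from(frame, ETH_HDR.size)
    ihl = (vihl & 0x0F) * 4                  # IPv4 header length in bytes
    if proto != PROTO_TCP:
        return None
    tcp_off = ETH_HDR.size + ihl
    (sport, dport, _seq, _ack, data_off, flags, _win, _tcsum,
     _urg) = TCP_HDR.unpack_from(frame, tcp_off)
    thl = (data_off >> 4) * 4                # TCP header length in bytes
    payload = frame[tcp_off + thl: ETH_HDR.size + total_len]
    return {"src": ".".join(str(b) for b in src),
            "dst": ".".join(str(b) for b in dst),
            "sport": sport, "dport": dport, "flags": flags, "payload": payload}


def inspect(pkt):
    """Return a list of alerts for one parsed packet."""
    alerts = []
    f = pkt["flags"]
    if f & SYN and f & FIN:                  # never legal on the wire
        alerts.append("header: SYN and FIN set together (scan probe)")
    if f == FIN | PSH | URG:                 # classic Xmas scan
        alerts.append("header: FIN/PSH/URG (Xmas scan)")
    if f == 0:                               # NULL scan
        alerts.append("header: no flags set (NULL scan)")
    for sig, desc in SIGNATURES:
        if sig in pkt["payload"]:
            alerts.append("payload: " + desc)
    return alerts


if __name__ == "__main__":
    frame = build_frame("203.0.113.9", "10.0.0.5", 40000, 80, SYN | FIN,
                        b"GET /cgi-bin/x?cmd=/bin/sh HTTP/1.0\r\n")
    print(inspect(parse_frame(frame)))
```

The parser honours the IPv4 IHL and TCP data-offset fields rather than assuming 20-byte headers, so options do not shift the payload boundary; that is the kind of detail an attacker relies on to slide a signature past a naive offset-based check.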
