Chapter 7 - 04 - Understand Different Types of IDS-IPS and their Role - 07_ocred.pdf




Certified Cybersecurity Technician
Network Security Controls — Technical Controls
Exam 212-82

IDS Components

An IDS is built on various components. Knowledge of their functions and placement is required for effective IDS implementation. These components collect information from a variety of systems and network sources and then analyze that information for abnormalities. The major components of an IDS are listed below.

Figure 7.74: IDS Components (Network Sensors, Alert Systems, Command Console, Response System, Attack Signatures Database)

- Network sensors: These agents analyze and report any suspicious activity.
- Analyzer: It analyzes the data collected by the sensors.
- Alert systems: These systems trigger alerts when malicious activity is detected.
- Command console: It acts as an interface between the user and the IDS.
- Response system: An IDS uses this system to initiate countermeasures against detected activities.
- Database of attack signatures or behaviors: A list of previously detected signatures, stored in a database, that assists the IDS in intrusion detection.

Module 07 Page 839
Certified Cybersecurity Technician Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
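The component roles listed above can be modelled as a short pipeline. The following is an added example, not code from the EC-Council text: the component names, the event generator policy, the two signature strings and the sample packets are all assumptions constructed for illustration.

```python
# Added example (not from the EC-Council text): a minimal model of the IDS
# component pipeline, run over constructed packet records. Names, policy and
# signature strings are assumptions made for illustration.
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    proto: str
    port: int
    payload: bytes

# Attack signature database: previously seen patterns as (port, byte pattern).
SIGNATURE_DB = {
    "SMB-IPC-probe": (445, b"\\IPC$"),
    "HTTP-path-traversal": (80, b"../../"),
}
# Event generator policy: the sensor forwards events only for these protocols.
EVENT_POLICY = {"tcp"}

def sensor(packets, policy=EVENT_POLICY):
    """Network sensor: filter the event set, discarding irrelevant data."""
    return [p for p in packets if p.proto in policy]

def analyzer(events, db=SIGNATURE_DB):
    """Analyzer: match each collected event against the signature database."""
    alerts = []
    for p in events:
        for name, (port, pattern) in db.items():
            if p.port == port and pattern in p.payload:
                alerts.append({"sig": name, "src": p.src})
    return alerts

def response_system(alerts):
    """Response system: the countermeasure is to block each alerting source."""
    return sorted({a["src"] for a in alerts})

def command_console(packets):
    """Command console: run the pipeline and return what an admin would review."""
    events = sensor(packets)
    alerts = analyzer(events)
    return {"events": len(events), "alerts": alerts, "blocked": response_system(alerts)}

# Constructed sample traffic (not captured data).
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "tcp", 445, b"\\IPC$ tree connect"),
    Packet("10.0.0.7", "udp", 53, b"../../"),  # discarded by the event policy
    Packet("10.0.0.9", "tcp", 80, b"GET /../../config"),
    Packet("10.0.0.11", "tcp", 80, b"GET /index.html"),
]
```

Note that the UDP packet carries a signature pattern but never reaches the analyzer, which shows why the event generator policy must cover the traffic the sensor is meant to inspect.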
Network Sensors

Network sensors are hardware and software components that monitor network traffic and trigger alarms if any abnormal activity is detected. The sensor is the primary data collection point for the IDS. Network sensors collect data from the data source and pass it to the alert systems. The sensor integrates with the component responsible for data collection, such as an event generator. Network sensors determine what data to collect based on the event generator policy, which defines the filtering mode for event notification information. The role of the sensor is to filter information and discard any irrelevant data obtained from the event set associated with the protected system, thereby detecting suspicious activities. Sensors check the traffic for malicious packets, trigger an alarm when they suspect a packet is malicious, and then alert the IDS. If the IDS confirms the packet as malicious, the sensors generate an automatic response to block the traffic from the source of the attack.

To perform effective traffic monitoring on a network, sensors must be connected at appropriate points in the network. There are several options available for placing sensors in a network; the most common connection points include the following.

- Switch port analyzer (SPAN) or mirror port: This is a passive network monitoring approach in which sensors are attached to a special port on a switch to obtain copies of network traffic or packets. This approach is not secure, as packets with errors cannot be mirrored, and packet drops can be expected during heavy transmission.
- Passive test access points (TAPs): Passive TAPs do not need electricity to perform operations. They are designed with an optical splitter that generates a copy of a signal as it passes through the cable and sends the copy to the monitoring port for traffic inspection. Unlike SPAN, the monitor port in this case receives every packet, irrespective of errors and load.
- Active test access points (TAPs): Active TAPs require electric power to regenerate and transmit signals. However, during a power outage, active TAPs can become a point of failure; hence, passive TAPs are preferred over active TAPs. When an active TAP is used for monitoring, it must be connected to a UPS, inverter, or another type of power backup.

Figure 7.75: Network Sensors Triggering Alarm (Sguil console listing OSSEC and GPL rule alerts)

Network sensors should be placed and located at common entry points in a network, such as:

- Internet gateways
- In between LAN connections
- Remote access servers used to receive dial-up connections
- VPN devices
- Either side of a firewall
Command Console

Command console software is installed and runs on a separate system that is dedicated to the IDS. It provides a user interface to an administrator for the purpose of receiving and analyzing security events, alert messages, and log files. The command console evaluates security event information from different security devices. The IDS collects all the data from security devices and analyzes it using the command console. Administrators use the console to analyze alert messages triggered by the alert system and to manage log files. The command console allows administrators of large networks to process large volumes of activity and respond quickly. An IDS collects information from security devices placed throughout the network and sends it to the command console for evaluation. Installing the command console on a system used for other purposes, such as backing up files or firewall functions, will make it slow to respond to events. Installing the command console on a dedicated system provides the benefit of a fast response.

Caution: If the command console is installed on a non-dedicated computer system (e.g., firewall, backup server), it will drastically slow down the response to security events, as those systems may be busy handling other tasks.

Figure 7.76: Sguil Command Console (SGUIL-0.9.0 connected to localhost)
