Chapter 7 - 04 - Understand Different Types of IDS-IPS and their Role - 09_ocred_fax_ocred.pdf



Certified Cybersecurity Technician, Exam 212-82
Network Security Controls - Technical Controls
Deployment of Network and Host-based IDS
Module 07, Page 850. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Staged IDS Deployment

= Plan for a staged IDS deployment in the network.
= A staged deployment helps you gain experience and discover how much monitoring and maintenance of network resources is actually required.
= The monitoring and maintenance effort varies with the size of the organization's network.

Before deploying an IDS, security professionals must understand their network infrastructure and organizational security policies, and then plan a staged deployment across the network. A staged deployment helps the team gain experience and discover how much monitoring and maintenance of network resources is actually required; this effort varies with the size of the organization's network. The initial deployment of an IDS demands the most maintenance, because the first sensors produce alerts and logs that the staff have not yet learned to tune and interpret. Only once that first stage is under control should the organization move on to the next stage. Staged deployment reveals exactly where the network needs IDS coverage and gives administrators time to become familiar with the new technology. Rolling the IDS out across the whole network is advisable only when personnel are able to handle the alerts arriving from sensors placed at various points. This approach particularly benefits those who evaluate and investigate IDS alerts and IDS logs.
Deploying Network-based IDS

= An effective deployment of a NIDS requires close attention to the organization's network topology.
= The possible IDS deployment options are categorized by the location of the IDS sensors.
= Consider every option and its associated advantages and disadvantages when placing a network-based IDS.

Deploying Network-based IDS (Cont'd)

Location 1: Place an IDS sensor behind each external firewall, in the network DMZ.
Advantages
o Monitors attacks originating from the outside world
o Highlights the inability of the firewall and its policies to defend against attacks
o Can see attacks that target the web or FTP servers located in the DMZ
o Monitors outgoing traffic resulting from a compromised server

Location 2: Place an IDS sensor outside the external firewall.
Advantages
o Ability to identify the number and types of attacks originating from the Internet against the network
Deploying Network-based IDS (Cont'd)

Location 3: Place an IDS sensor on major network backbones.
Advantages
o Monitors and inspects large amounts of traffic, increasing the chance of attack detection
o Detects unauthorized attempts from outside the organization

Location 4: Place an IDS sensor on critical subnets.
Advantages
o Detects attacks on critical systems and resources
o Focuses on specific critical systems and resources

Deploying Network-based IDS

Because a NIDS protects multiple hosts from a single location, the security professional can also consider customizing it to provide security for the entire network. An effective NIDS deployment requires close attention to the organization's network topology. The possible deployment options are categorized by the location of the IDS sensors. Deploy the IDS management console before adding sensors, so that every new sensor reports into an existing monitoring workflow from the start. Consider all options and their associated advantages and disadvantages when placing a network-based IDS. Deploy sensors incrementally throughout the network: each new sensor changes the traffic observed, the volume of logging and reporting, and the alerts received, and these differences must be accounted for before the next sensor is added. Place several network sensors at strategic locations on the network.
The positioning of sensors depends significantly on which network resources need to be monitored for intrusion. Some organizations will want the IDS to monitor internal resources such as a sensitive collection of machines, a specific department, or a physical location. In that case, the most logical place for the sensor is the choke point between those systems and the rest of the internal network. Common entry points at which to place sensors include:

= At Internet gateways
= At connections between LANs
= At remote access servers that receive dial-up connections from users
= At VPN devices that connect an internal LAN to an external LAN
= Between subnets that are separated by switches

If an organization plans to monitor intrusions targeting internal servers such as DNS or mail servers, it must place a sensor inside the firewall, on the segment that connects the firewall to the internal network. The reasoning is that the firewall will block the vast majority of attacks aimed at the organization, and regular review of the firewall logs will identify those; the IDS on the internal segment then detects the attacks that manage to get through the firewall. When a firewall protects the network, positioning sensors inside it is more secure than placing a sensor outside the firewall, exposed to the Internet, where the sensor itself can become a focus for attacks. A more secure location for a sensor is behind the firewall in the DMZ. The different options for deploying sensors in the network are discussed below.
Figure 7.80: Deploying Network-Based IDS (diagram: Internet, firewall and router; sensor Location 1 in the DMZ, Location 2 outside the firewall, Location 3 on the network backbones, Location 4 on the critical subnets)

= Location 1: Place an IDS sensor behind each external firewall, in the network DMZ. A sensor here detects inbound attacks and can also be configured to detect outbound attacks. It is tuned to avoid false alarms and configured to log attack attempts only, rather than raising alerts for them.
Advantages
o Monitors attacks originating from the outside world
o Highlights the inability of the firewall and its policies to defend against attacks
o Can see attacks that target the web or FTP servers located in the DMZ
o Monitors outgoing traffic resulting from a compromised server

= Location 2: Place an IDS sensor outside the external firewall. This location suits watching the perimeter network, because the sensor sees every attack aimed at it from the Internet before the external firewall filters anything. The sensor covers the web, FTP, and other servers located on the network perimeter and is tuned to detect attacks of low to moderate impact so as to limit false alarms. A sensor here can also monitor for outbound attacks.
Advantages
o Ability to identify the number and types of attacks originating from the Internet against the network

= Location 3: Place an IDS sensor on major network backbones. A sensor here secures the organization's internal network and detects attacks that may have bypassed the internal firewall. It is capable of detecting both inbound and outbound attacks and is configured to detect attacks of medium to high impact.
Advantages
o Monitors and inspects large amounts of traffic, increasing the chance of attack detection
o Detects unauthorized attempts from outside the organization

= Location 4: Place an IDS sensor on critical subnets. A sensor here protects sensitive hosts on the network, including critical servers. It is capable of detecting both inbound and outbound attacks and is configured to detect high-impact attacks.
Advantages
o Detects attacks on critical systems and resources
o Focuses on specific critical systems and resources
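The placement reasoning above (the choke-point and inside-the-firewall discussion, and the four locations with their per-location tuning) can be checked against a small model. The following Python script is an added example, not EC-Council courseware: it builds a constructed topology (Internet, external firewall, DMZ, internal firewall, backbone, critical subnet), places one sensor at each of the four locations, pushes constructed sample attack flows through constructed firewall policies, and reports which sensors observe each flow and whether they alert, log, or stay silent under the severity tuning the text assigns to each location. The address ranges, ports, firewall rules, severity ranks and flows are all assumptions made for the example.

```python
"""Sensor visibility model for the four NIDS placement options.

Added example, not EC-Council courseware. The address plan, firewall
policies, severity ranks and sample flows below are all constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan (assumption).
DMZ = ip_network("203.0.113.0/24")      # public web/FTP servers
BACKBONE = ip_network("10.0.0.0/8")     # internal network
CRITICAL = ip_network("10.10.0.0/24")   # critical servers, carved out of the backbone

# Segments in the order a packet crosses them travelling inward from the Internet,
# and the firewall that sits between each adjacent pair (absent = routed/switched only).
ORDER = ["internet", "dmz", "backbone", "critical"]
FIREWALL_BETWEEN = {("internet", "dmz"): "external", ("dmz", "backbone"): "internal"}

# Segment each of the page's four sensor locations listens on.
SENSOR_SEGMENT = {1: "dmz", 2: "internet", 3: "backbone", 4: "critical"}

# Per-location tuning from the text: minimum severity handled, and whether the
# sensor alerts or only logs. The numeric ranks are an assumption.
SEVERITY = {"low": 1, "medium": 2, "high": 3}
SENSOR_POLICY = {1: ("low", "log"), 2: ("low", "alert"),
                 3: ("medium", "alert"), 4: ("high", "alert")}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    signature: str
    severity: str


def segment_of(addr: str) -> str:
    a = ip_address(addr)
    if a in CRITICAL:
        return "critical"
    if a in BACKBONE:
        return "backbone"
    if a in DMZ:
        return "dmz"
    return "internet"


def firewall_allows(name: str, flow: Flow) -> bool:
    """Constructed policies (assumption). Outbound traffic is always allowed.
    External firewall: Internet may reach the DMZ on 21/80/443 only.
    Internal firewall: only DMZ hosts may reach the backbone, on 25/53 (mail, DNS)."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if ORDER.index(src_seg) > ORDER.index(dst_seg):
        return True
    if name == "external":
        return dst_seg == "dmz" and flow.dport in (21, 80, 443)
    return src_seg == "dmz" and flow.dport in (25, 53)


def path(flow: Flow) -> list:
    """Segments the flow actually reaches, stopping at the first firewall that drops it."""
    s, d = ORDER.index(segment_of(flow.src)), ORDER.index(segment_of(flow.dst))
    step = 1 if d >= s else -1
    reached = [ORDER[s]]
    for i in range(s, d, step):
        a, b = ORDER[i], ORDER[i + step]
        fw = FIREWALL_BETWEEN.get((a, b)) or FIREWALL_BETWEEN.get((b, a))
        if fw and not firewall_allows(fw, flow):
            break
        reached.append(b)
    return reached


def sensor_view(flow: Flow) -> dict:
    """For each location: 'alert', 'log', 'below threshold' or 'not seen'."""
    reached = path(flow)
    view = {}
    for loc, seg in SENSOR_SEGMENT.items():
        if seg not in reached:
            view[loc] = "not seen"
            continue
        min_sev, action = SENSOR_POLICY[loc]
        view[loc] = action if SEVERITY[flow.severity] >= SEVERITY[min_sev] else "below threshold"
    return view


# Constructed sample attack flows.
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "203.0.113.10", 23, "telnet probe", "low"),        # dropped at the perimeter
    Flow("198.51.100.7", "203.0.113.10", 80, "web app exploit", "medium"),  # reaches the DMZ web server
    Flow("203.0.113.10", "10.10.0.53", 53, "DNS exploit", "high"),          # compromised DMZ host -> internal DNS
    Flow("203.0.113.10", "198.51.100.9", 443, "C2 beacon", "medium"),       # outbound from a compromised server
    Flow("10.20.0.5", "10.10.0.20", 445, "SMB exploit", "high"),            # lateral move onto a critical server
    Flow("10.20.0.5", "10.10.0.20", 22, "SSH scan", "low"),                 # below backbone/critical tuning
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.signature:16} {f.src:>14} -> {f.dst:<14}:{f.dport:<4} {sensor_view(f)}")
```

Running the script prints one line per flow. The results reproduce the trade-offs in the text: the Location 2 sensor sees every Internet-borne probe, including the telnet attempt the external firewall drops, so it counts attacks but is the noisiest; the Location 1 sensor sees only what the firewall lets into the DMZ and the outbound beacon from the compromised server, and logs rather than alerts; the Location 3 and 4 sensors never see perimeter noise but catch the DNS and SMB attacks against the critical subnet, while the low-severity SSH scan falls below their thresholds and is deliberately not reported.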
