Chapter 7 - 04 - Understand Different Types of IDS-IPS and their Role - 09_ocred.pdf



Certified Cybersecurity Technician, Network Security Controls - Technical Controls, Exam 212-82. Deployment of Network and Host-based IDS. Module 07 Page 850. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Staged IDS Deployment

Before effectively deploying an IDS, security professionals must understand their network infrastructure and organizational security policies. Then, they should plan for a staged IDS deployment in the network. A staged deployment will help you gain experience and discover how much monitoring and maintenance of network resources is actually required. The monitoring and maintenance of network resources varies depending on the size of an organization's network.

The organization should consider a staged deployment of an IDS. The initial deployment of an IDS requires high maintenance; only then should the organization consider implementing an IDS at the next stage. The staged deployment helps the organization discover exactly where it needs security from the IDS. Implementing an IDS across the organization's network is advisable when the personnel are able to handle the IDS alerts from different sensors placed at various places. Staged deployment gives administrators enough time to think and get used to the new technology. This staged approach is beneficial to those evaluating and investigating IDS alerts and IDS logs.

Deploying Network-based IDS

As a NIDS protects multiple hosts from a single location, the security professional can also consider customizing it to provide security for the entire network. An effective deployment of NIDS requires a lot of attention concerning the network topology of the organization. The possible IDS deployment options are categorized based on the location of IDS sensors. The security professional should consider deploying an IDS management console before adding its sensors. Consider all possible options and their associated advantages and disadvantages when placing a network-based IDS.

Security professionals need to deploy IDS sensors incrementally throughout the network. They must consider various factors such as the difference in traffic, logging, reporting, and alerts received when they deploy a new sensor for an IDS. Security professionals should place several network sensors at strategic locations on the network. The positioning of sensors will depend significantly on which kind of network resources need to be monitored for intrusion. Some organizations will want to use the IDS to monitor internal resources such as a sensitive collection of machines or a specific department or physical location. In that case, the most logical place for the IDS sensor will be on the choke point between those systems and the rest of the internal network.

Some of the critical common entry points at which to place sensors are listed below:

o At Internet gateways
o At connections between LANs
o At remote access servers that receive dial-up connections from users
o At VPN devices that connect an internal LAN to an external LAN
o Between subnets that are separated by switches

If an organization is planning to monitor intrusions targeting internal servers such as DNS servers or mail servers, then it must place a sensor inside the firewall, on the segment that connects the firewall to the internal network. The logic behind this is that the firewall will prevent a vast majority of attacks aimed at the organization, and regular monitoring of firewall logs will identify them. The IDS on the internal segment will detect some of those attacks that manage to get through the firewall. If a firewall is in place to protect the network, then positioning sensors inside the firewall is more secure than placing a sensor outside the firewall at a position exposed to the Internet. If it is placed outside the firewall, it can become the major focus for attacks. A more secure location to place a sensor is behind the firewall in the DMZ.

Different options for the deployment of sensors in the network are discussed below.

[Figure 7.80: Deploying Network-Based IDS. The figure shows the Internet, the external firewall, the network backbones with a router, and the critical subnets, with sensor Locations 1 to 4 marked at those points.]

Location 1: Place an IDS sensor behind each external firewall and in the network DMZ. The sensor placed at this location can detect inbound attacks. It can also be configured to detect outbound attacks. The sensor is configured to detect the least sensitive attacks to avoid false alarms. Such a sensor is configured to only log the attack attempts, instead of sending alerts out for them.

Advantages
o Monitors attacks originating from the outside world
o Highlights the inability of the firewall and its policies to defend against attacks
o It can see attacks which target the web or FTP servers located in the DMZ
o Monitors outgoing traffic resulting from a compromised server

Location 2: Place an IDS sensor outside an external firewall. This location is ideal for securing the perimeter network as well as identifying those attacks that bypass the external firewall. The NIDS sensor secures web, FTP, and other servers located on the perimeter of the network. It detects attacks with low to moderate impact in order to avoid the chances of generating false alarms. Any sensor placed here also has the ability to monitor for outbound attacks.

Advantages
o Ability to identify the number and types of attack originating from the Internet to the network

Location 3: Place an IDS sensor on major network backbones. The sensor placed at this location is used to secure the internal network of the organization. It detects an attack that may have bypassed the internal firewall. A sensor at this location is capable of detecting both inbound and outbound attacks. Such a sensor is configured to detect medium to high impact level attacks.

Advantages
o Monitors and inspects large amounts of traffic, increasing the chance for attack detection
o Detects unauthorized attempts from outside the organization

Location 4: Place an IDS sensor on critical subnets. The sensor at this location is used to protect sensitive hosts in the network, including critical servers. It is capable of detecting both inbound and outbound attacks. Such a sensor is configured to detect high impact level attacks.

Advantages
o Detects attacks on critical systems and resources
o Focuses on specific critical systems and resources
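As an added illustration that is not part of the module, the following Python models the per-placement tuning described for Locations 1 to 4 (an impact floor per sensor and log-only behaviour for Location 1) and goes one step further by correlating the outside sensor (Location 2) with the inside sensor (Location 1) to list attacks the firewall did not stop. The numeric impact scale, the policy floors, the sample addresses and the signature names are constructed assumptions, and treating the module's impact ranges as simple floors is a simplification.

```python
from dataclasses import dataclass

# Constructed scale for the impact levels the module refers to.
LOW, MEDIUM, HIGH = 1, 2, 3


@dataclass(frozen=True)
class SensorPolicy:
    name: str
    min_impact: int   # lowest impact the sensor acts on (assumed floor, not a range)
    log_only: bool    # Location 1 logs attempts instead of raising alerts


# One policy per placement, following the tuning described for Locations 1-4.
POLICIES = {
    1: SensorPolicy("behind external firewall / DMZ", LOW, log_only=True),
    2: SensorPolicy("outside external firewall", LOW, log_only=False),
    3: SensorPolicy("major network backbone", MEDIUM, log_only=False),
    4: SensorPolicy("critical subnet", HIGH, log_only=False),
}


@dataclass(frozen=True)
class Event:
    src: str      # source address as seen by the sensor
    sig: str      # signature / rule name that fired
    impact: int   # LOW, MEDIUM or HIGH


def disposition(location: int, ev: Event) -> str:
    """Return 'ignore', 'log' or 'alert' for an event seen at `location`."""
    pol = POLICIES[location]
    if ev.impact < pol.min_impact:
        return "ignore"            # below this placement's tuning threshold
    return "log" if pol.log_only else "alert"


def firewall_gaps(observations):
    """(src, sig) pairs seen outside the firewall (Location 2) and again inside
    it (Location 1): these are attacks the firewall policy did not block."""
    outside = {(e.src, e.sig) for loc, e in observations if loc == 2}
    inside = {(e.src, e.sig) for loc, e in observations if loc == 1}
    return sorted(outside & inside)


# Constructed sample observations: (sensor location, event).
SAMPLE = [
    (2, Event("203.0.113.7", "http-dir-traversal", MEDIUM)),
    (1, Event("203.0.113.7", "http-dir-traversal", MEDIUM)),  # passed the firewall
    (2, Event("198.51.100.9", "ftp-bounce", LOW)),            # never seen inside
    (3, Event("10.0.5.12", "smb-brute-force", LOW)),          # below backbone floor
    (4, Event("10.0.9.3", "db-remote-exec", HIGH)),
]
```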
