Chapter 7 - 04 - Understand Different Types of IDS-IPS and their Role - 11_ocred_fax_ocred.pdf




Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

Selection of an Appropriate IDS/IPS Solutions

- IDS products must meet certain criteria to be deployed in an organization.
- Compare the different technology types, then select the most appropriate technology to meet the requirements.
- The products should be evaluated against organizational requirements such as:
  - General requirements: evaluate the general requirements the IDS products will have to meet after deployment. The size of the organization also changes the number of IDS products needed.
  - Security capability requirements: the selection of an IDS depends on the organization's environment and policies as well as its current security and network infrastructure.
  - Performance requirements: evaluate an IDS product's general performance characteristics by assessing its capacity to handle network traffic (packet monitoring capability for a NIDS) or events (event monitoring capability for a HIDS).
  - Management requirements: the products need to comply with the organization's management policy in order to be used effectively.
  - Life cycle costs: the estimated life cycle costs of the products should be within the available budget.

IDS products must meet certain criteria to be deployed in an organization. An organization should compare the different technology types and then select the most appropriate technology to meet its requirements. The products should be evaluated against organizational requirements such as the following:

General requirements: An organization must have a clear baseline of the requirements for an IDS product. IDS solutions differ in the features and services they offer, so the organization must determine which product best suits its requirements. In some situations a single IDS product cannot satisfy all of an organization's requirements, which calls for deploying multiple IDS products.
Wireless IDS products have particular general requirements, such as the method used to detect anomalies and the way the sensor connects to the other components, and these determine whether the product can satisfy the company's requirements. Evaluate the general requirements the IDS products will have to meet after deployment. The number of IDS products needed also depends on the size of the organization.

Security capability requirements: The selection of an IDS depends on an organization's environment and policies as well as its current security and network infrastructure. Meeting these is crucial because the product will be used in conjunction with other security controls. Organizations should evaluate IDS security capability requirements as a baseline for creating a specific set of criteria, taking into account the organization's environment, security policies, and network infrastructure. It is important to check and confirm the security capabilities of an IDS product: one that does not meet the required security capabilities is of no use as a security control, and a security professional must select a different product or use that product in combination with another security control. The IDS product should feature security capabilities such as information gathering, logging, detection, and prevention.

Module 07 Page 862 Certified Cybersecurity Technician Copyright © by EC-Council

Performance requirements: Evaluate IDS products on their general performance characteristics.
- Network-based IDS (NIDS): judged by the volume of network traffic (packets) it can monitor and handle.
- Host-based IDS (HIDS): judged by the number of events per second it can monitor.
Security professionals should evaluate an IDS product's general performance characteristics by assessing its capacity to handle network traffic (its packet monitoring capability for a NIDS) or its event monitoring capability for a HIDS. A sensor that cannot keep up with the traffic or event stream it is given silently drops packets or events and therefore misses attacks, so size it against peak rather than average load.

Management requirements: The products need to comply with the organization's management policy to be operated effectively. If a product does not comply with the company's policy, it is difficult to administer and to make work effectively.

Lifecycle costs: IDS products are environment-specific, and it can be a tedious task for organizations to quantify the cost of IDS solutions. The cost of the IDS product should be proportionate to the organization's available budget: the estimated lifecycle costs of the selected IDS products should be within the available funding. Selecting an IDS on cost alone is difficult, as the environment, security, and other networking criteria all affect the cost.

Intrusion Detection with Snort

Source: https://www.snort.org

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Snort is an open-source network intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and it is used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and OS fingerprinting attempts. It uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that uses a modular plug-in architecture.

Uses of Snort:
- Straight packet sniffer, like tcpdump
- Packet logger (useful for network traffic debugging, etc.)
- Network intrusion prevention system

Figure 7.82 shows Snort started from an administrator command prompt on Windows (Administrator: C:\Windows\system32\cmd.exe) and reporting ICMP echo requests from 10.10.10.10 roughly once per second. The left and right edges of the screenshot are cut off in the scan, so the first character of each line, the command-line options, the rule revision after 1:472: and the last octet of the destination address are not visible:

    C:\Snort\bin>snort
    Running in packet dump mode

            --== Initializing Snort ==--
    Initializing Output Plugins!
    pcap DAQ configured to passive.
    The DAQ version does not support reload.
    Acquiring network traffic from "\Device\NPF_{EC2BCO73-AFB2-4670-A3E7-7A9760167573}".
    Decoding Ethernet

            --== Initialization Complete ==--

    -*> Snort! <*-
    2/06-12:58:54.772757  [**] [1:472:  ICMP-INFO PING [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 10.10.10.10 -> 10.10.10.
    2/06-12:58:55.804095  [**] [1:472:  ICMP-INFO PING [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 10.10.10.10 -> 10.10.10.
    2/06-12:58:56.820417  [**] [1:472:  ICMP-INFO PING [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 10.10.10.10 -> 10.10.10.
    2/06-12:58:57.866882  [**] [1:472:  ICMP-INFO PING [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 10.10.10.10 -> 10.10.10.
    2/06-12:58:58.912856  [**] [1:472:  ICMP-INFO PING [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 10.10.10.10 -> 10.10.10.
    2/06-12:58:59.930602  [**] [1:472:  ICMP-INFO PING [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 10.10.10.10 -> 10.10.10.
    2/06-12:59:00.991552  [**] [1:472:  ICMP-INFO PING [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 10.10.10.10 -> 10.10.10.
    2/06-12:59:02.022895  [**] [1:472:  ICMP-INFO PING [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 10.10.10.10 -> 10.10.10.
    2/06-12:59:03.069571  [**] [1:472:  ICMP-INFO PING [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 10.10.10.10 -> 10.10.10.
    2/06-12:59:04.085231  [**] [1:472:  ICMP-INFO PING [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 10.10.10.10 -> 10.10.10.
    2/06-12:59:05.131927  [**] [1:472:  ICMP-INFO PING [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 10.10.10.10 -> 10.10.10.
    2/06-12:59:06.163467  [**] [1:472:  ICMP-INFO PING [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 10.10.10.10 -> 10.10.10.

Figure 7.82: Snort output

Each alert line carries the generator ID, signature ID and revision of the rule that fired ([1:472:...]: generator 1 is the rules engine, 472 the rule's sid), followed by the rule's msg text, its classtype and priority, the protocol, and the source and destination addresses. Alert lines in this format are only produced in IDS mode, that is, when Snort is started with a configuration and rule set (-c) and a console alert output (-A console); without rules Snort only sniffs or logs packets.
Intrusion Detection Tools

Intrusion detection tools run on a workstation, read all network packets, reconstruct user sessions, and scan for possible intrusions by looking for attack signatures and for statistical anomalies in network traffic. Many of these tools also offer real-time protection from network attacks and malicious traffic, and when deployed inline they can stop malware, spyware, port scans, viruses, DoS and DDoS traffic before it reaches hosts. Two limits of that claim matter in practice: signature-based detection only catches attacks for which a signature exists, so any coverage of zero-day attacks comes from the tool's anomaly or behavioural detection, and a sensor that is only listening (IDS mode) alerts but prevents nothing.

Suricata

Source: https://suricata-ids.org

Suricata is a robust network threat detection engine capable of real-time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM), and offline pcap processing. It inspects network traffic using a powerful and extensive rule and signature language, and it provides Lua scripting support for the detection of complex threats. It is configured in YAML and writes its events in JSON (the EVE output), so integration with existing tools such as SIEMs, Splunk, Logstash/Elasticsearch, Kibana, and other databases is straightforward.
Figure 7.83: Screenshot of Suricata (an alert view listing signature names with hit counts; the signature names still legible in the scan are ET POLICY, ET P2P BitTorrent DHT, ET TOR and ET ATTACK_RESPONSE rules)

Some additional intrusion detection tools are listed below:
- AlienVault® OSSIM™ (https://cybersecurity.att.com)
- SolarWinds Security Event Manager (https://www.solarwinds.com)
- OSSEC (https://www.ossec.net)
- Zeek (https://zeek.org)
- Sagan Log Analysis Engine (https://quadrantsec.com)
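Both sensors described above emit alerts that an operations team has to normalise before it can correlate across them: Snort's fast/console lines (the format in Figure 7.82) and Suricata's EVE JSON. The following Python is an added example written for this module, not code from the Snort or Suricata projects. It parses both formats into one record type and then runs two simple correlations over the merged stream: a sustained ping from one host (the pattern in Figure 7.82) and a ping sweep across several hosts. The hosts, timestamps and the local SID 1000001 are constructed, and the Suricata sample assumes the same SID 472 rule is loaded on that sensor.

```python
"""Normalise Snort 'fast' alert lines and Suricata EVE JSON alerts into one record
type, then hunt for ICMP ping floods and ping sweeps across both feeds. Added example,
not Snort or Suricata project code; hosts, timestamps and local SIDs are constructed."""
import json
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timezone

# One normalised record for both sensors: ts is naive UTC, ports are None for ICMP,
# priority is Snort's priority or Suricata's severity (1 = most severe).
Alert = namedtuple("Alert", "ts sensor sid msg priority proto src sport dst dport")

# Snort 2.x "fast"/console alert line, the format seen in Figure 7.82 (IPv4 only).
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):"
    r"(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$")


def parse_snort_fast(text, year):
    """Fast timestamps carry no year, so the caller supplies it; non-alert lines are skipped."""
    out = []
    for line in text.splitlines():
        m = FAST_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f").replace(year=year)
            out.append(Alert(ts, "snort", int(m["sid"]), m["msg"], int(m["pri"]), m["proto"],
                             m["src"], int(m["sport"]) if m["sport"] else None,
                             m["dst"], int(m["dport"]) if m["dport"] else None))
    return out


def parse_suricata_eve(text):
    """eve.json is one JSON object per line; only event_type "alert" records are kept."""
    out = []
    for line in filter(str.strip, text.splitlines()):
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue  # flow, stats, dns, ... records carry no "alert" object
        a = ev["alert"]
        ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        out.append(Alert(ts.astimezone(timezone.utc).replace(tzinfo=None), "suricata",
                         a["signature_id"], a["signature"], a["severity"], ev["proto"],
                         ev["src_ip"], ev.get("src_port"), ev["dest_ip"], ev.get("dest_port")))
    return out


def _by_source(alerts, sids):
    groups = defaultdict(list)  # src -> matching alerts in time order
    for a in sorted(alerts, key=lambda a: a.ts):
        if a.sid in sids:
            groups[a.src].append(a)
    return groups


def find_floods(alerts, sids=frozenset({472}), min_count=10, window_s=30.0):
    """{src: peak count} for sources raising >= min_count matching alerts in any window_s."""
    hits = {}
    for src, events in _by_source(alerts, sids).items():
        peak = start = 0
        for end, a in enumerate(events):
            while (a.ts - events[start].ts).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_count:
            hits[src] = peak
    return hits


def find_sweeps(alerts, sids=frozenset({472}), min_targets=5, window_s=10.0):
    """{src: sorted targets} for sources hitting >= min_targets distinct hosts in any window_s."""
    hits = {}
    for src, events in _by_source(alerts, sids).items():
        for i, first in enumerate(events):
            targets = {a.dst for a in events[i:] if (a.ts - first.ts).total_seconds() <= window_s}
            if len(targets) >= min_targets:
                hits[src] = sorted(targets)
                break
    return hits


# Constructed Snort sample: twelve echo-request alerts one second apart, modelled on the
# lines in Figure 7.82 (hypothetical hosts), plus a TCP alert from a hypothetical local rule.
_PING = ("12/06-12:58:{:02d}.000000  [**] [1:472:1] ICMP-INFO PING [**] [Classification: "
         "Potentially Bad Traffic] [Priority: 2] {{ICMP}} 10.10.10.10 -> 10.10.10.16")
SNORT_SAMPLE = "\n".join([_PING.format(s) for s in range(40, 52)] + [
    "12/06-12:59:00.100000  [**] [1:1000001:1] LOCAL SSH probe [**] [Classification: "
    "Attempted Information Leak] [Priority: 2] {TCP} 10.10.10.10:40122 -> 10.10.10.16:22"])

# Constructed Suricata sample: one host pinging six neighbours within five seconds
# (assumes the same SID 472 rule is loaded there), plus a stats record the parser ignores.
def _eve(ts, dst):
    return json.dumps({"timestamp": ts, "event_type": "alert", "proto": "ICMP", "icmp_type": 8,
                       "src_ip": "10.10.10.50", "dest_ip": dst,
                       "alert": {"action": "allowed", "gid": 1, "signature_id": 472, "rev": 1,
                                 "signature": "ICMP-INFO PING", "severity": 2,
                                 "category": "Potentially Bad Traffic"}})

SURICATA_SAMPLE = "\n".join(
    [_eve(f"2023-12-06T12:59:1{i}.500000+0000", f"10.10.10.{i}") for i in range(1, 7)]
    + [json.dumps({"timestamp": "2023-12-06T12:59:20.000000+0000", "event_type": "stats"})])


def analyse(year=2023):
    """Merge both feeds and run both detections; returns (alerts, floods, sweeps)."""
    alerts = parse_snort_fast(SNORT_SAMPLE, year) + parse_suricata_eve(SURICATA_SAMPLE)
    return alerts, find_floods(alerts), find_sweeps(alerts)
```

The year argument exists because Snort's fast format omits it; on a real sensor take it from the log file's timestamp or use the unified2/JSON outputs instead. The thresholds are illustrative: tune them against the baseline of the monitored segment, otherwise a monitoring host that polls the subnet with ICMP will trip the sweep rule on every cycle.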
