Chapter 7 - 04 - Understand Different Types of IDS-IPS and their Role - 11_ocred PDF


Summary

This document discusses the selection of Intrusion Detection and Prevention Systems (IDS/IPS) solutions, covering general requirements, security capabilities, performance characteristics, management requirements, and lifecycle costs. It emphasizes the need for careful evaluation of these factors to ensure the best solution for an organization's specific requirements.

Full Transcript


Certified Cybersecurity Technician Network Security Controls — Technical Controls Exam 212-82

Selection of an Appropriate IDS/IPS Solutions

- IDS products must meet certain criteria to be deployed in an organization
- Compare the different technology types, then select the most appropriate technology to meet the requirements
- The products should be evaluated based on organizational requirements such as:
  - General Requirements: Evaluate the general requirements the IDS products will have to meet post deployment; the size of an organization also modifies the number of IDS products needed
  - Security Capability Requirements: The selection of an IDS depends on an organization's environment and policies as well as the current security and network infrastructure
  - Performance Requirements: Evaluate an IDS product's general performance characteristics by assessing its capacity to handle the network traffic or packet monitoring capabilities for NIDS and event monitoring capabilities for HIDS
  - Management Requirements: The products need to comply with the organization's management policy in order to be used effectively
  - Life Cycle Costs: Estimated lifecycle costs of the products should be within the available budget

IDS products must meet certain criteria to be deployed in an organization. An organization should compare the different technology types and then select the most appropriate technology to meet its requirements. The products should be evaluated based on organizational requirements such as the following:

- General requirements: An organization must have a clear baseline of the requirements for an IDS product. IDS solutions may differ in terms of features and services. The organization must determine which IDS product will best suit its requirements. For example, there are situations where a single IDS product may not satisfy the requirements of an organization. This scenario encourages the use of multiple IDS products.
  Wireless IDS products have certain general requirements, such as a method of detecting anomalies and a process of connecting to other components, which determine whether the product can satisfy the company's requirements. Evaluate the general requirements that the IDS products must meet post deployment. The number of IDS products needed also depends on the size of the organization.

- Security capability requirements: The selection of an IDS depends on an organization's environment and policies as well as the current security and network infrastructure. It is crucial to meet these, as the product will be used in conjunction with other security controls. Organizations should evaluate IDS security capability requirements as a baseline for creating a specific set of criteria. This is achieved by accounting for the organization's environment, security policies, and network infrastructure. It is important to check and confirm the security capabilities of an IDS product. An IDS product that does not meet the required security capabilities is of no use as a security control, and a security professional must select a different product or use that product in combination with another security control. The IDS product should feature security capabilities such as information gathering, logging, detection, and prevention.

Module 07 Page 862 Certified Cybersecurity Technician Copyright © by EC-Council

- Performance requirements: Evaluate IDS products based on their general performance characteristics.
  - Network-based IDS (NIDS): This type of IDS has the ability to monitor and handle network traffic.
  - Host-based IDS (HIDS): This type of IDS has the ability to monitor a certain number of events per second.
  Security professionals should evaluate an IDS product's general performance characteristics by assessing its capacity to handle network traffic, or its packet monitoring capabilities for NIDS and event monitoring capabilities for HIDS.

- Management requirements: The products need to comply with the organization's management policy to offer sufficient performance. If the product does not comply with the company's policy, it would be difficult to handle it and make it work effectively.

- Lifecycle costs: IDS products are environment-specific, and it can be a tedious task for organizations to quantify the cost of IDS solutions. The cost of the IDS product should be proportional to the available budget of the organization. Estimated lifecycle costs of the selected IDS products should be in the range of the available funding. Selecting an IDS based on cost is difficult, as the environment, security, and other networking criteria are likely to affect the cost.

Intrusion Detection with Snort

- Snort is an open-source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks
- It can perform protocol analysis and content searching/matching, and is used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, and OS fingerprinting attempts
- It uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plug-in architecture
- https://www.snort.org
Source: https://www.snort.org

Snort is an open-source network intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and it is used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and OS fingerprinting attempts. It uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that uses a modular plug-in architecture.

Uses of Snort:
- Straight packet sniffer such as tcpdump
- Packet logger (useful for network traffic debugging, etc.)
- Network intrusion prevention system

Figure 7.82: Snort output (Administrator: C:\Windows\system32\cmd.exe running snort in packet dump mode; the console shows Snort initializing, the pcap DAQ configured to passive, traffic being acquired from the selected NPF device and Ethernet being decoded, followed by a stream of repeated "[1:472:...] ICMP-INFO PING" alerts between 10.10.10.x hosts, each with its Classification and Priority fields)

Intrusion Detection Tools

- Suricata is a robust network threat detection engine capable of real-time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM), and offline pcap processing (https://suricata-ids.org)
- AlienVault® OSSIM™ (https://cybersecurity.att.com)
- SolarWinds Security Event Manager (https://www.solarwinds.com)
- Zeek (https://zeek.org)
- Sagan Log Analysis Engine (https://quadrantsec.com)

Intrusion Detection Tools

workstation, read all network packets, reconstruct user sessions, and scan for possible intrusions by looking for attack signatures and network traffic statistical anomalies. Moreover, these tools offer real-time, zero-day protection from network attacks and malicious traffic, and they prevent malware, spyware, port scans, viruses, DoS, and DDoS from compromising hosts.
- Suricata
  Source: https://suricata-ids.org
  Suricata is a robust network threat detection engine capable of real-time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM), and offline pcap processing. It inspects the network traffic using powerful and extensive rules and a signature language, and it provides powerful Lua scripting support for the detection of complex threats. With standard input and output formats such as YAML and JSON, integrations with existing tools such as SIEMs, Splunk, Logstash/Elasticsearch, Kibana, and other databases become effortless.

Figure 7.83: Screenshot of Suricata (alert list showing ET POLICY, ET P2P BitTorrent DHT, ET TOR and ET DNS signatures)

Some additional intrusion detection tools are listed below:
- AlienVault® OSSIM™ (https://cybersecurity.att.com)
- SolarWinds Security Event Manager (https://www.solarwinds.com)
- OSSEC (https://www.ossec.net)
- Zeek (https://zeek.org)
- Sagan Log Analysis Engine (https://quadrantsec.com)
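The Snort console output in Figure 7.82 and Suricata's JSON output both end up in the same downstream tooling (the SIEM, Logstash/Elasticsearch and Kibana integrations mentioned for Suricata). The Python below is an example added here; it is not code from the page, from Snort or from Suricata. It normalizes Snort fast-format alert lines and Suricata EVE JSON alert records into one record shape, counts alerts per signature and per source, and flags sources that cross a threshold, which is how a defender would turn a burst of repeated ICMP-INFO PING alerts like those in the figure into one finding. The sample lines, the SIDs, the EVE records and the threshold are constructed for this example; the field layouts follow Snort's fast alert format and Suricata's EVE alert schema.

```python
"""Normalize Snort fast-format alerts and Suricata EVE JSON alerts into one record
shape, then aggregate them per signature and per source address.

All sample lines, SIDs and the threshold below are constructed for this example;
they are not real sensor output and not taken from the course page.
"""
import json
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# A Snort rule of the kind that produces such ICMP alerts (constructed example):
#   alert icmp any any -> $HOME_NET any (msg:"ICMP-INFO PING"; itype:8;
#       classtype:misc-activity; sid:1000472; rev:1;)

# Snort fast/console alert layout this regex expects (IPv4 only), e.g.
# 03/12-10:12:34.000001  [**] [1:472:1] ICMP-INFO PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.10.10.10 -> 10.10.10.16
SNORT_FAST = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)


@dataclass(frozen=True)
class Alert:
    sensor: str           # "snort" or "suricata"
    timestamp: str
    gid: int
    sid: int
    msg: str
    classification: str
    priority: int         # Snort priority / Suricata severity: lower = more severe
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_snort_fast(line: str) -> Optional[Alert]:
    """Parse one Snort fast-format alert line; return None for anything else."""
    m = SNORT_FAST.match(line.strip())
    if not m:
        return None
    return Alert(
        sensor="snort", timestamp=m["ts"], gid=int(m["gid"]), sid=int(m["sid"]),
        msg=m["msg"], classification=m["cls"] or "", priority=int(m["prio"]),
        proto=m["proto"].upper(), src=m["src"],
        sport=int(m["sport"]) if m["sport"] else None,
        dst=m["dst"], dport=int(m["dport"]) if m["dport"] else None,
    )


def parse_suricata_eve(line: str) -> Optional[Alert]:
    """Parse one Suricata EVE JSON record; only event_type "alert" yields an Alert."""
    try:
        ev = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(ev, dict) or ev.get("event_type") != "alert" or "alert" not in ev:
        return None                      # flow, dns, http, ... records are skipped here
    a = ev["alert"]
    return Alert(
        sensor="suricata", timestamp=ev.get("timestamp", ""), gid=int(a.get("gid", 1)),
        sid=int(a["signature_id"]), msg=a.get("signature", ""),
        classification=a.get("category", ""), priority=int(a.get("severity", 3)),
        proto=str(ev.get("proto", "")).upper(), src=ev.get("src_ip", ""),
        sport=ev.get("src_port"), dst=ev.get("dest_ip", ""), dport=ev.get("dest_port"),
    )


def parse_any(lines: Iterable[str]) -> List[Alert]:
    """Route each line by shape: EVE records are JSON objects, the rest is tried as Snort."""
    out: List[Alert] = []
    for line in lines:
        s = line.strip()
        if not s:
            continue
        alert = parse_suricata_eve(s) if s.startswith("{") else parse_snort_fast(s)
        if alert:
            out.append(alert)
    return out


def count_by_signature(alerts: Iterable[Alert]) -> Counter:
    """Alerts per (gid, sid); the same rule firing on either sensor is merged."""
    return Counter((a.gid, a.sid) for a in alerts)


def count_by_source(alerts: Iterable[Alert]) -> Counter:
    return Counter(a.src for a in alerts)


def noisy_sources(alerts: Iterable[Alert], threshold: int) -> List[Tuple[str, int]]:
    """Sources with at least `threshold` alerts, busiest first (e.g. a ping sweep)."""
    return [(s, n) for s, n in count_by_source(alerts).most_common() if n >= threshold]


# Constructed Snort fast-format sample: a burst of pings from one host, one TCP
# alert, and one junk line the parser must ignore.
SNORT_SAMPLE = """\
03/12-10:12:34.000001  [**] [1:472:1] ICMP-INFO PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.10.10.10 -> 10.10.10.16
03/12-10:12:35.000002  [**] [1:472:1] ICMP-INFO PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.10.10.10 -> 10.10.10.17
03/12-10:12:36.000003  [**] [1:472:1] ICMP-INFO PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.10.10.10 -> 10.10.10.18
03/12-10:12:37.000004  [**] [1:472:1] ICMP-INFO PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.10.10.10 -> 10.10.10.19
03/12-10:12:40.000005  [**] [1:1000001:1] EXAMPLE TCP probe to SMB [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.10.10.25:51234 -> 10.10.10.5:445
this is not an alert line
"""

# Constructed Suricata EVE JSON sample: two alerts and one flow record (skipped).
SURICATA_SAMPLE = """\
{"timestamp":"2024-03-12T10:12:38.000000+0000","event_type":"alert","src_ip":"10.10.10.10","dest_ip":"10.10.10.20","proto":"ICMP","alert":{"action":"allowed","gid":1,"signature_id":2100384,"rev":7,"signature":"GPL ICMP_INFO PING","category":"Misc activity","severity":3}}
{"timestamp":"2024-03-12T10:12:39.000000+0000","event_type":"flow","src_ip":"10.10.10.25","dest_ip":"10.10.10.5","proto":"TCP"}
{"timestamp":"2024-03-12T10:12:41.000000+0000","event_type":"alert","src_ip":"10.10.10.30","src_port":40000,"dest_ip":"10.10.10.5","dest_port":445,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"EXAMPLE TCP probe to SMB","category":"Attempted Information Leak","severity":2}}
"""


def demo_alerts() -> List[Alert]:
    """Parse both constructed samples into one normalized list."""
    return parse_any(SNORT_SAMPLE.splitlines() + SURICATA_SAMPLE.splitlines())


if __name__ == "__main__":
    alerts = demo_alerts()
    print(f"{len(alerts)} alerts normalized from both sensors")
    for (gid, sid), n in count_by_signature(alerts).most_common():
        print(f"  {gid}:{sid}  x{n}")
    print("noisy sources (>= 5 alerts):", noisy_sources(alerts, threshold=5))
```

Run it as a script to see the per-signature counts and the single noisy source; in practice you would feed it the sensor's alert file (Snort's fast alert output or Suricata's eve.json) line by line. Keying the aggregation on (gid, sid) rather than on the message text is deliberate: the same rule ID fires identically on both sensors, so counts merge across them, while the message is kept on the record for the analyst.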
