Periphery Security
Chapter 1 IDS
Outline
2 Firewalls
3 Trusted System
4 Access Control
1 Intrusion
• Access right: a user is either 1. legitimate/internal or 2. illegitimate/external.
• Network sniffers: a general term for programs or devices that are able to examine traffic on a LAN segment.
• Snort
Topics Discussed in the Section
Types Of Intruders
Audit Records
Classification Of Intrusion Detection
Distributed Intrusion Detection
Honeypots
Types Of Intruders
Masquerader -> illegitimate user -> authorization attack.
Misfeasor ->
1. Legitimate user -> has access -> misuses the privilege.
2. Legitimate user -> has no access -> but accesses the resources anyway.
Clandestine user -> may be internal or external -> seizes supervisor privilege -> avoids having auditing information captured/recorded.
Audit Record/Log
An important detection tool.
Captures & records information about the actions of users.
Traces of illegitimate user actions can be found in it.
Appropriate actions can then be taken to prevent them in future.
Audit Records Classification
Classification Of Intrusion Detection
Statistical Anomaly Detection:- the behavior of users over time is captured as statistical data & processed; rules are applied to test whether the user behavior was legitimate or not.
Threshold Detection:- thresholds are defined for the whole group of users & the frequency of various events is measured against those thresholds.
Profile based:- profiles for individual users are created & matched against the collected statistics to see if any irregular patterns emerge.
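Both statistical approaches above, threshold detection (one group-wide limit per event) and profile-based detection (each user's own baseline), as an added example that is not part of the original slides; the audit records, the thresholds and the z-score rule with its deviation floor are constructed assumptions.

```python
import statistics
from collections import Counter, defaultdict

def _reads(user, per_day):
    """Constructed sample data: per_day maps day -> number of 'read' events."""
    return [(day, user, "read") for day, n in per_day.items() for _ in range(n)]

# Constructed audit records (day, user, event); a real IDS reads these from
# the audit log. Days 1-3 are the baseline, day 4 is the period under review.
AUDIT_RECORDS = (
    _reads("alice", {1: 3, 2: 4, 3: 3, 4: 4})
    + _reads("bob", {1: 1, 2: 1, 3: 2, 4: 2})
    + _reads("mallory", {1: 2, 2: 2, 3: 2, 4: 12})
    + [(4, "mallory", "login_fail")] * 4 + [(4, "mallory", "delete")]
)

# Threshold detection: one limit per event type, shared by the whole user group.
THRESHOLDS = {"login_fail": 3, "delete": 0}

def threshold_alerts(records, thresholds=THRESHOLDS):
    """Users whose frequency of an event exceeds the group-wide threshold."""
    counts = defaultdict(Counter)
    for _, user, event in records:
        counts[user][event] += 1
    return sorted((u, e, c[e]) for u, c in counts.items()
                  for e, limit in thresholds.items() if c[e] > limit)

def profile_alerts(records, event, baseline_days, today, z_limit=2.0):
    """Profile-based detection: build each user's own profile (mean and
    deviation of the daily count of `event` over baseline_days) and flag
    the user if today's count is more than z_limit deviations above it.
    The deviation floor of 1.0 is an assumed choice so that a perfectly
    regular baseline (deviation 0) still yields a usable profile."""
    daily = defaultdict(Counter)
    for day, user, ev in records:
        if ev == event:
            daily[user][day] += 1
    flagged = []
    for user, days in daily.items():
        base = [days[d] for d in baseline_days]
        mean, stdev = statistics.mean(base), max(statistics.pstdev(base), 1.0)
        if (days[today] - mean) / stdev > z_limit:
            flagged.append(user)
    return sorted(flagged)

if __name__ == "__main__":
    print("threshold:", threshold_alerts(AUDIT_RECORDS))
    print("profile:", profile_alerts(AUDIT_RECORDS, "read", [1, 2, 3], 4))
```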
Rule Based
A set of rules is applied to see if a given behavior is suspicious enough to be classified as an attempt to intrude.
Anomaly Detection:- usage patterns are collected, and deviations from these usage patterns are analyzed with the help of certain rules.
Penetration Identification:- an expert system that looks for illegitimate behavior.
Distributed Intrusion Detection
Different hosts record audit information in different formats; this needs to be uniformly processed.
A few nodes are used to gather & analyze the audit information, & there should be provision to share it with all nodes.
Honey-pots: a trap…
Divert attention from critical information.
Collect information about the intruder's actions.
Encourage detection of the intruder's behavior so that the defenders can act accordingly.
Real-looking (but fabricated) data is used.
Equipped with sensors & loggers that raise an alarm.
Legitimate users don't know about it.
2 FIREWALLS
Topics Discussed in the Section
Packet-Filter Firewall (screening router)
Proxy Firewall (Application Gateway)
Firewall Configurations
Threats from inside and outside a corporate network
Figure: Firewall
Characteristics of a good Firewall Implementation
The firewall must be the single entry & exit point for all traffic.
Only traffic authorized by the security policy is allowed through.
Robust enough to sustain attack.
Packet Filter Operation
Figure: Packet-filter firewall (TCP/UDP)
Advantage & Disadvantage
Advantage
1. Simplicity
2. Fast
Disadvantage
1. Difficulties in setting up the rules correctly.
2. Lack of authentication.
Attacks
IP Address Spoofing
Source Routing Attacks
Tiny Fragment Attack: link layers such as Ethernet, Token Ring, X.25, Frame Relay and ATM each have a maximum frame size (MTU), so IP packets are fragmented to fit, and a filter that only inspects the first fragment can be misled.
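The packet-filter check that counters the tiny fragment attack (drop a first TCP fragment too short to carry the fields the filter inspects, and drop offset-1 fragments that would overwrite them on reassembly, the two checks described in RFC 1858), as an added example that is not from the original slides; the test packets, the addresses and the 16-byte minimum transport length are constructed assumptions.

```python
import struct

IP_HDR = "!BBHHHBBH4s4s"   # IPv4 header without options (20 bytes)
PROTO_TCP = 6
TMIN = 16  # assumed minimum transport length: covers TCP ports and the flag byte

def build_ipv4(proto, frag_offset, payload, more_fragments=True):
    """Constructed test packet: a minimal IPv4 header in front of `payload`.
    frag_offset is in 8-byte units, as carried on the wire."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    header = struct.pack(IP_HDR, 0x45, 0, 20 + len(payload), 1, flags_frag,
                         64, proto, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return header + payload

def fragment_verdict(packet):
    """Packet-filter check against tiny and overlapping fragments (the checks
    of RFC 1858). Returns ACCEPT, DROP_TINY or DROP_OVERLAP."""
    fields = struct.unpack(IP_HDR, packet[:20])
    ver_ihl, total_len, flags_frag, proto = fields[0], fields[2], fields[4], fields[6]
    ihl = (ver_ihl & 0x0F) * 4         # header length in bytes
    frag_offset = flags_frag & 0x1FFF  # 8-byte units
    transport_len = total_len - ihl    # bytes of TCP header/data in this fragment
    if proto != PROTO_TCP:
        return "ACCEPT"
    # First fragment too short to carry the TCP fields a filter must inspect
    if frag_offset == 0 and transport_len < TMIN:
        return "DROP_TINY"
    # Offset 1 covers bytes 8-15 of the TCP header, where the flags live;
    # such a fragment would overwrite them on reassembly.
    if frag_offset == 1:
        return "DROP_OVERLAP"
    return "ACCEPT"

if __name__ == "__main__":
    print(fragment_verdict(build_ipv4(PROTO_TCP, 0, b"\x00" * 8)))   # DROP_TINY
    print(fragment_verdict(build_ipv4(PROTO_TCP, 0, b"\x00" * 20)))  # ACCEPT
```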
Defeating the IP address spoofing attack
Dynamic Or Stateful Packet Filter
An advanced type.
Allows examination of packets based on the current state of the n/w.
It maintains a list of currently open connections & outgoing packets so that its rules can be applied in the light of that state.
Dynamic packet filter technology
Application/Circuit gateway operation
Figure: Proxy firewall (Bastion Host); labels: errors, all HTTP packets, accepted packets
Advantage & Disadvantage
Advantage
1. More secure due to authentication.
Disadvantage
1. Overhead in terms of managing two connections & the traffic going between them.
3. Firewall Configurations
3.1. Screened host firewall, Single-homed bastion
Advantage & Disadvantage
Advantage
1. Increases security by performing checks at both levels.
2. Provides flexibility to the n/w admin to define security policies.
Disadvantage
1. Security is compromised if the proxy firewall is successfully attacked.
3.2. Screened host firewall, Dual-homed bastion
Advantage & Disadvantage
Advantage
1. No direct connection from an internal host to the proxy firewall.
2. More secure than the first configuration.
Disadvantage
1. Slightly slower because of this.
3.3. Screened subnet firewall
3 levels of security
Demilitarized Zone (DMZ) Networks
Advantage & Disadvantage
Advantage
1. Access to any service on the DMZ can be restricted. E.g.: allowing 80, 443.
2. All other traffic can be filtered. E.g.: block 23.
3. The Internal Private Network (IPN) is not directly connected to the DMZ.
4. The IPN is safe & out of reach of an attacker.
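The stateful packet filter described earlier (a list of open connections consulted for every packet) combined with the screened-subnet policy just listed (only 80/443 reachable on the DMZ, 23 blocked, the IPN reachable only by replies to its own connections), as an added example that is not from the original slides; the address ranges and the sample packets are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan for the screened subnet (assumed ranges).
INTERNAL = ip_network("10.0.0.0/8")    # Internal Private Network (IPN)
DMZ = ip_network("192.0.2.0/24")       # screened subnet hosting the public servers
DMZ_SERVICES = {80, 443}               # the only ports reachable from outside

def zone(ip):
    addr = ip_address(ip)
    if addr in INTERNAL:
        return "internal"
    if addr in DMZ:
        return "dmz"
    return "internet"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class StatefulFilter:
    """Keeps the list of currently open connections and judges each packet
    against both the static DMZ rules and that state."""
    def __init__(self):
        self.open = set()   # (src, sport, dst, dport) of accepted connections

    def filter(self, p):
        reverse = (p.dst, p.dport, p.src, p.sport)
        if reverse in self.open:
            return "ACCEPT"            # reply to a tracked connection
        src_zone, dst_zone = zone(p.src), zone(p.dst)
        if src_zone == "internal":     # outbound from the IPN: track and allow
            self.open.add((p.src, p.sport, p.dst, p.dport))
            return "ACCEPT"
        if dst_zone == "dmz" and p.dport in DMZ_SERVICES:
            self.open.add((p.src, p.sport, p.dst, p.dport))
            return "ACCEPT"            # public services on the DMZ only
        return "DROP"                  # e.g. port 23 to the DMZ, anything to the IPN

def trace(packets, fw=None):
    """Run packets in order through one filter instance and return the verdicts."""
    fw = fw or StatefulFilter()
    return [fw.filter(p) for p in packets]
```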
Limitations Of Firewalls
1. Insider's intrusion: a firewall cannot stop attacks originating inside the network.
2. Direct Internet traffic: connections that bypass the firewall are not controlled by it.
3. Virus attacks: a firewall can't scan every packet/file for viruses.
3 Trusted System
• A system that you have no choice but to trust.
• The security of the whole system depends on the success of the trusted system.
• If the trusted system fails, it will compromise the security of the entire system.
• Therefore, there should be a minimum number of trusted components in a system.
• A trusted system should provide security, integrity, reliability & privacy.
Trusted System in Policy Analysis