Intrusion Detection and Prevention

00:00

moving right along to intrusion detection and prevention

00:03

with intrusion detection and prevention systems on our network. We want to specify the difference. And I D s intrusion detection system is going to be a passive device. That's going to be a device that monitors the network. And if malicious activity is detected, it can alert, administrator or log an entry. But it does not terminate the attack.

00:23

The intrusion prevention system is actually an active device that can terminate the attack. It might send a TCP reset to terminate the connection. It could reconfigure a firewall, but ultimately the i PS is active. Quite honestly, today we're going to have both combined in a single system,

00:40

you have detection and prevention. But on the exam, when they separate the two out, we've got to honor that.

00:46

If they say I d s purely detection, I PS is going to be more active.

00:53

There are different types of intrusion detection systems. We have H. I. D. S and we have any ideas.

00:59

It hits is a host based system. It's basically software that you install on a particular system, and its job is to monitor activities just on that system

01:07

if I want to find out who's modifying the registry or if I want to find out how much network traffic is coming to this particular in I C. Or if there's any local access that's going to be fine with the heads. That's what a Heads is designed to inspect.

01:23

If I want to monitor the areas of the network, I'm going to need and ideas. A network intrusion detection system needs is a glorified sniffer. We set a sniffer is a device that has a network card and promiscuous mode, so it captures all traffic regardless of destination.

01:40

Well, when you add a sniffer to an analysis engine, now you have an ideas

01:44

now, even intrusion detection system.

01:47

We still have to have that network card and promiscuous mode. But if we're plugging into a switch, don't forget the idea of port span. So that way we can monitor switch based traffic.

01:57

Those same things we learned about sniffers are going to apply to network IEDs

02:02

in looking at. The different components are going to have a network sensor, and the sensor is where data is collected. You're going to have an analysis engine that evaluates whether or not. The traffic is malicious or not.

02:14

A lot of times that analysis engine is going to look for either signatures or behaviors to determine if the traffic is malicious.

02:22

We have pattern matching systems, and these are your signature based systems. They're looking for known patterns after an attack is determined, Then the signature files are updated and they have the specifics of the attack.

02:35

As long as the attack matches the specifics that are stored in signatures, then the I D. S is going to be able to detect the attack and create an alert.

02:44

The problem with that is sometimes their attacks that have not had signature files created for them. Yet

02:49

sometimes when attack first comes out might take a couple of weeks for these signatures to be published.

02:53

We refer to those as zero day attacks, attacks for which there are no signatures.

03:00

Of course, a powder matching system that's just looking for patterns won't be able to detect those zeros days. An alternative to that is profile matching systems, and these are sometimes referred to as behavior based systems.

03:12

Ultimately, it will take a snapshot or baseline of your network, and then the profile matching system identifies anything beyond that baseline within a certain threshold as being an attack.

03:23

The problem with that is there is a lot of activity that varies on a network on any given day or time, so you could have unusual activity that isn't malicious. With your profile matching systems, you often have what we've referred to as false positives. Positive is when an ideas that indicates that there's an attack.

03:38

I always think it's the idea, saying and positive there's an attack, a false positive means. The ideas alerts you that there is an attack going on, but were then there really isn't

03:47

that's not as concerning as a false negative with a false negative. The I. D. S does not sound the alert, but an attack is happening. We don't really want either of those when we talk about false positives and false negatives, the way we evaluate these analysis engines for their accuracy because the two are inversely related.

04:06

If I don't want any false positives, I'm likely to increase my false negatives. If I don't want any false negatives, I'm going to increase my false positives. At some point in time. Those who are going to match.

04:17

We talked about that a little bit with biometrics and with biometrics. It's called the crossover error rate. It's the same concept for intrusion detection systems, and that's a measure of the system's accuracy.

04:30

Other devices we might want on our network are honeypots. Honeypots are distractions. For instance, I usually put a honeypot in my DMS, and it's a system that looks vulnerable and he's still appealing to an attacker. The idea is that if an attacker is in my DMZ looking around for trouble,

04:47

I'm going to serve up this desirable, vulnerable systems. That way they can attack the system and keep them away from my real resources.

04:55

Also, Honeypot software has some detective tools that track the activities that the attacker, so I can go back and review those logs and get some kind of idea about the type of attack and the type of tools that were used. Well, we want to be careful about is that we operate the honeypots and an ethical fashion. We want that honey pot to be enticing,

05:14

but we don't want it to trick someone into launching an attack or compromising a system.

05:18

I don't want to say hey, click here for free music and try to prosecute somebody because they've clicked. There's a fine line between Enticement and Chapman.

05:30

A few other really important systems on our network. Our security information and event managers are s I am systems. These provide us aggregation across a wide variety of devices. I've got lots of servers, firewalls, honeypots and intrusion detection systems, and my network and I can go to each one and review the logs. That doesn't really give me the big picture with r S. I am systems we can aggregate the logs and other information from all these different devices. Put them all together on a single system. That s I am and use the tools. For instance, there are tools that help me correlate events and help me with trending and forecasting, analysis, aggregation and correlation. Those R s. I am systems.

06:13

If you've ever heard a Splunk or use Splunk, that's a good example of A S, A M system.

06:17

I also want to mention unified threat management systems. These do not have specific set of requirements. This is just a generic term for all these in company and systems. I might have a single device that gives me a firewall, anti malware, my router, and you can see all these different services.

06:36

It doesn't have to provide any specific set of services, but it's one of those multipurpose devices.

06:43

Then we think about network load balancing, and you can have hardware or software load balancers. The whole purpose of load balancing is to ensure that the work is distributed across nodes. A lot of time we have this implemented in a cluster. We might have five nodes in a cluster, and we want to make sure that each device handles their fair share of the work. So load balancing does that

07:03

Comparable to that? We have traffic shapers. Traffic shapers often look for specifics about a packet that would help with prioritization and specifically for things like labels that would indicate VoIP traffic,