
Concepts of Network Security and Intrusion Detection



Presentation Transcript


  1. Concepts of Network Security and Intrusion Detection Jianhua Yang Department of Math & Computer Science University of Maryland Eastern Shore

  2. Goals • Network Security • Intrusion Detection

  3. 3.1 What is Network Security? • Security is a continuous process of protecting an object from attack. • Object • A person • Organization, or • A computer system or a file.

  4. Computer System • Its security involves all its resources: • Physical resources • Reader, printers, CPU, monitor, memories,…. • Non-physical resources • Data • File information • …

  5. Distributed computer system • The protection covers: • Communication channels • Network connectors: • Modems, bridges, switches, routers, servers • Network file system

  6. In General, security • Means preventing unauthorized access, use, alteration, and theft or physical damage to the resources • Involves three elements • Confidentiality: to prevent unauthorized disclosure of information to third parties • Integrity: to prevent unauthorized modification of resources and maintain the status • Availability: to prevent unauthorized withholding of system resources from those who need them when they need them

  7. Some basic concepts and methods • Prevention: the process of trying to stop intruders from gaining access to the resources of the system • Detection: occurs when the intruder has succeeded or is in the process of gaining access to the system • Response: an aftereffect mechanism that tries to respond to the failure of prevention and detection • Firewalls: a firewall is hardware or software used to isolate the sensitive portions of an information system facility from the outside world and limit the potential damage that can be done by a malicious intruder • Passwords: a password is a string of usually six to eight characters, with restrictions on length and start character, used to verify a user to an information system facility, usually a computer system

  8. Security Services • The prevention of unauthorized access to system resources is achieved through a number of security services. • They include: • Access control • Authentication • Confidentiality • Integrity • Non-repudiation

  9. Access control • Hardware access control systems • Access terminal • Visual event monitoring • Identification cards • Biometric identification • Video surveillance • Software access control systems • Point of access monitoring • Remote monitoring

  10. Authentication • It is a service to identify a user, especially a remote user. • It is a process whereby the system gathers and builds up information about the user to ensure the user is genuine. • It is based on: • Username and password • Retinal images • face images • Fingerprints • Physical location • Identity cards • Typing mode

  11. Authentication Techniques • Kerberos: a key management scheme that authenticates unknown principals who want to communicate with each other • IPSec: provides the capability to ensure security of data in a communication network • SSL (secure sockets layer): makes all the Internet applications, including client/server, e-mail, file transfer, and web access, secure; it ends up with a secret key that both the client and server use for sending encrypted messages • S/Key: a one-time password scheme based on a one-way hash function • ANSI X9.9: a U.S. banking standard for authentication of financial transactions • ISO 8730 • Indirect OTP (one time password)
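As an added illustration of the S/Key scheme named on this slide (example code, not from the presentation), the hash chain below stands in SHA-256 for S/Key's MD4 folding, which is an assumption; the server stores only the top of the chain and accepts each password exactly once, so a sniffed password cannot be replayed.

```python
import hashlib

def hash_chain(seed: bytes, n: int) -> list:
    """Return [h^1(seed), h^2(seed), ..., h^n(seed)].
    Real S/Key folds MD4 output to 64 bits; SHA-256 stands in here (assumption)."""
    chain, h = [], seed
    for _ in range(n):
        h = hashlib.sha256(h).digest()
        chain.append(h)
    return chain

class SKeyServer:
    """Holds only the top of the chain; the seed never leaves the client."""
    def __init__(self, top: bytes, remaining: int):
        self.stored = top            # h^k(seed), initially k = n
        self.remaining = remaining   # one-time passwords still unused

    def login(self, otp: bytes) -> bool:
        # Accept otp only if hashing it once reproduces the stored value,
        # i.e. otp == h^(k-1)(seed). The stored value then moves one step
        # down the chain, so the same otp is rejected if presented again.
        if self.remaining == 0 or hashlib.sha256(otp).digest() != self.stored:
            return False
        self.stored, self.remaining = otp, self.remaining - 1
        return True

class SKeyClient:
    """Walks the chain from the top down, one password per login."""
    def __init__(self, seed: bytes, n: int):
        self.chain = hash_chain(seed, n)
        self.next_index = n - 2      # h^(n-1)(seed) is the first password

    def next_password(self) -> bytes:
        otp = self.chain[self.next_index]
        self.next_index -= 1
        return otp

def demo() -> dict:
    seed, n = b"constructed-demo-seed", 5     # constructed sample values
    client = SKeyClient(seed, n)
    server = SKeyServer(hash_chain(seed, n)[-1], n - 1)
    first = client.next_password()
    ok_first = server.login(first)
    replay = server.login(first)               # replayed password: rejected
    ok_second = server.login(client.next_password())
    return {"ok_first": ok_first, "replay": replay,
            "ok_second": ok_second, "remaining": server.remaining}
```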

  12. Confidentiality • It is a service to protect system data and information from unauthorized disclosure. • Encryption protects the communication channel from sniffers. Sniffers are programs written for and installed on the communication channels to eavesdrop on network traffic, examining all traffic on selected network segments.

  13. Integrity • It is a service to protect data against active threats such as those that may alter it. • Hashing algorithms

  14. Non-repudiation • It is a security service that provides proof of origin and delivery of service and/or information. • Digital signature

  15. Security Standards • Security organizations • Security standards

  16. Security Organizations • IETF: Internet Engineering Task Force • IEEE: Institute of Electrical and Electronics Engineers • ISO: International Standards Organization • ITU: International Telecommunications Union • ECBS: European Committee for Banking Standards • ECMA: European Computer Manufacturers Association • NIST: National Institute of Standards and Technology • W3C: World Wide Web Consortium • RSA: Rivest, Shamir and Adleman

  17. Security Standards - Organizations • IETF: IPSec, XML-Signature, Kerberos, S/MIME • ISO: OSI • ITU: X.2xx, X.5xx, X.7xx, X.80xx • ECBS: TR-40x • ECMA: ECMA-13x, ECMA-20x • NIST: X3, X9.xx Financial, X12.xx Electronic Data Exchange • IEEE: IEEE 802.xx • RSA: Public Key Cryptographic Standard • W3C: XML Encryption, XML Signature, XKMS (XML Key Management Specification)

  18. Security Standards -Services • Internet security • Digital signature and encryption • Login and authentication • Firewall and system security

  19. Internet Security • Network authentication • Kerberos • Secure TCP/IP communications over the Internet • IPSec • Privacy-enhanced electronic mail • S/MIME, PGP • Public key cryptography • 3-DES, DSA, RSA, MD-5, SHA-1, PKCS • Secure hypertext transfer protocol • S-HTTP • Security protocol for privacy on Internet/transport security • SSL, TLS, SET

  20. Digital Signature and Encryption • Advanced Encryption Standards • X509, DES, AES, DSS/DSA, SHA/SHS • Digital certificates/XML digital signatures • XMLDSIG, XMLENC, XKMS

  21. Login and Authentication • Authentication of user’s right to use system or network resources • SAML • Liberty Alliance • FIPS 112

  22. Firewall and system security • Security of local, wide and metropolitan area networks • Secure Data Exchange (SDE) for IEEE 802 • ISO/IEC 10164

  23. 3.2 Intrusion Detection and Prevention • Definition of ID • Intrusion Detection Systems (IDS) • Types of IDS • Response to System Intrusion • Challenges to IDS • Intrusion Prevention Systems (IPS) • Intrusion Detection Tools

  24. Definitions • Intrusion Detection • It is a technique of detecting unauthorized access to a computer system or a computer network. • Intrusion Prevention • It is the art of preventing an unauthorized access of a system’s resources.

  25. The Types of Intrusion • Attempted break-ins • Masquerade attacks • Penetrations • Denial of service • Malicious use

  26. System Intrusion Process • Reconnaissance • Information collection and weak points analysis • Physical Intrusion • Attack • Denial of service (DoS): the intruder attempts to crash a service, overload network links, overload CPU, or fill up the disk. • Common DoS: • Ping-of-Death • SYN Flooding • Land/Latierra • WinNuke

  27. Land/Latierra, WinNuke • Land/Latierra: • Sends a forged SYN packet with identical source/destination address/port so that the system goes into an infinite loop trying to complete the TCP connection. • WinNuke: • Sends URG (out-of-band) data on a TCP connection to port 139 (the NetBIOS session port), which causes the Windows system to hang.
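As an added example (not from the presentation), the two packet descriptions on this slide translate directly into sensor checks: the parser reads the address and port fields from an IPv4+TCP header pair, and the classifier flags a Land packet (SYN with source equal to destination) or WinNuke-style URG data to port 139. The sample headers are constructed in memory as test input only.

```python
import struct
from ipaddress import IPv4Address

TCP_SYN, TCP_ACK, TCP_URG = 0x02, 0x10, 0x20

def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Extract the fields the two checks need from an IPv4 + TCP header pair."""
    ihl = (pkt[0] & 0x0F) * 4                      # IPv4 header length in bytes
    proto, src, dst = struct.unpack_from("!9xB2x4s4s", pkt, 0)
    if proto != 6:
        raise ValueError("not a TCP segment")
    sport, dport, _seq, _ack, off_flags = struct.unpack_from("!HHIIH", pkt, ihl)
    return {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "sport": sport, "dport": dport, "flags": off_flags & 0x3F}

def classify(p: dict) -> list:
    """Signature checks for the two DoS packets described on the slide."""
    findings = []
    if p["flags"] & TCP_SYN and p["src"] == p["dst"] and p["sport"] == p["dport"]:
        findings.append("LAND: SYN with identical source/destination address and port")
    if p["flags"] & TCP_URG and p["dport"] == 139:
        findings.append("WINNUKE: URG data to NetBIOS session port 139")
    return findings

def build_packet(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Construct a minimal 40-byte IPv4 + TCP header pair as sample input
    (checksums left zero; constructed test data, never placed on a wire)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0)
    return ip + tcp

def inspect(pkt: bytes) -> list:
    """Parse one captured header pair and return the findings for it."""
    return classify(parse_ipv4_tcp(pkt))
```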

  28. Intrusion Detection Systems • What is an IDS? • An IDS is a system used to detect unauthorized intrusions into computer systems and networks.

  29. Three Models • Anomaly-based detection • Signature-based detection • Hybrid detection

  30. Anomaly detection • Creating "norms" of activities • Collecting current activity • Comparing the current activity with the "norm" • Based on the comparison result, determining whether there is an intrusion

  31. Problems • Not efficient • Easy to introduce false positive errors

  32. Misuse detection • Signature-based detection • Each intrusive activity is represented by a unique pattern or a signature • New activity can be compared with existing pattern

  33. Problems • Cannot detect unknown attacks • Easy to introduce false negative errors
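As an added example (not from the presentation) covering slides 30 to 33, the code below runs both models over constructed request windows: the anomaly model learns a norm from normal request counts and flags deviations, while the misuse model matches known signatures. The three sample windows show the trade-offs the slides name: a legitimate burst trips the anomaly detector (false positive), a known attack in a normally sized window is caught only by its signature, and a novel attack with no signature is missed by both (false negative).

```python
import re
import statistics

# Constructed training data: request counts per ten-minute window seen from
# one client during normal operation (the "norm" the anomaly model learns).
NORMAL_WINDOWS = [12, 15, 11, 14, 13, 16, 12, 14]

# Misuse model: each known intrusive activity is a unique pattern.
SIGNATURES = {
    "sql_injection": re.compile(r"(?i)('|%27)\s*(or|and)\s+\d+=\d+"),
    "path_traversal": re.compile(r"\.\./\.\./"),
}

def build_norm(samples: list) -> tuple:
    """Anomaly model: summarise normal activity as (mean, standard deviation)."""
    return statistics.mean(samples), statistics.stdev(samples)

def anomaly_alert(count: int, norm: tuple, k: float = 3.0) -> bool:
    """Flag a window whose request count is more than k deviations from the norm."""
    mean, sd = norm
    return abs(count - mean) > k * sd

def signature_alerts(lines: list) -> list:
    """Return (line, signature name) for every line matching a known pattern."""
    return [(line, name) for line in lines
            for name, pat in SIGNATURES.items() if pat.search(line)]

def review(lines: list, norm: tuple) -> dict:
    """Run both detectors over one window of request lines."""
    return {"anomaly": anomaly_alert(len(lines), norm),
            "signatures": signature_alerts(lines)}

NORM = build_norm(NORMAL_WINDOWS)

# Three constructed windows of request lines (sample data, not real traffic).
LEGIT_BURST = ["GET /index.html"] * 25                   # anomaly: false positive
KNOWN_ATTACK = ["GET /index.html"] * 11 + ["GET /search?q=' OR 1=1"]
NOVEL_ATTACK = ["GET /index.html"] * 11 + ["GET /cgi-bin/x?cmd=id"]  # no signature yet
```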

  34. Types of IDSs • Network-based IDS (NIDSs) • Host-based IDS (HIDS)

  35. NIDSs • They take the whole network as the monitoring scope • They monitor the traffic on the network to detect intrusions • They are mainly for outside attackers

  36. Components of a NIDS • Network sensor • Analyzer • Alert notifier • Response system

  37. Advantages of NIDSs • The ability to detect attacks that a HIDS would miss, because a NIDS monitors the network at the transport layer. • Evidence is difficult for the attacker to remove. • Real-time detection and response. • Ability to detect unsuccessful attacks and malicious intent.

  38. Disadvantages • Blind spots • Encrypted data

  39. HIDSs • Detect intrusions based on the information of a single target computer • The information includes system, event, and security logs on Windows and syslog in Unix environments • Focus on inside attacks

  40. Advantages • Ability to verify success or failure of an attack quickly • Efficiency • Near real-time detection and response • Ability to deal with encrypted environments

  41. Disadvantages • Limited view of the network • Not practical for large deployments

  42. Stepping-stone intrusion [figure: attacker reaching the victim through a chain of stepping-stones, with a monitor point on the path]

  43. Intrusion Detection Tools • RealSecure v3.0 (ISS) • NetProwler 3.1 (Axent Technologies) • NetRanger v2.2 (CISCO) • Flight Recorder v2.2 (NFR Network) • SessionWall-3 v4.0 (Computer Associates) • Kane Security Monitor (Security Dynamics)

  44. Summary • Concepts of Network Security • Basics of IDSs
