2. If a computer is on the Internet, or receives data from the Internet, including Web browsing or email, then security is a problem.
This is true for everyone, as automated scanners and worms do not make distinctions between targets.
Simply, if your system has vulnerabilities, it will be hit.
Rushdi Shams, Lecturer, Dept of CSE, KUET, Bangladesh 2
3. Because security problems are ubiquitous, security solutions should be also.
To be effective, this security must follow a "defense in depth" strategy or a layered approach. This means that security is layered in hopes that if an attack passes through one layer, it is caught by the next, or the next.
Defense in depth combines network security and host-based security (especially antivirus software).
While each layer is important, no layer is sufficient on its own.
Many end users make the mistake of thinking that a firewall, by itself, constitutes network security.
4. With market penetration of firewalls reaching more than 95 percent, security problems still persist for organizations large and small.
Simply allowing Web traffic allows all Web traffic, including that which is malicious.
The next step that many organizations have taken is to install intrusion detection systems (IDS), which can monitor traffic for attack signatures that represent hostile activity.
5. Intrusion detection (ID) is a type of security management system for computers and networks.
An ID system gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both
› intrusions (attacks from outside the organization) and
› misuse (attacks from within the organization).
6. ID uses vulnerability assessment (sometimes referred to as scanning), which is a technology developed to assess the security of a computer system or network.
7. Monitoring and analyzing both user and system activities
Analyzing system configurations and vulnerabilities
Assessing system and file integrity
Ability to recognize patterns typical of attacks
Analysis of abnormal activity patterns
Tracking user policy violations
8. Typically, an ID system follows a two-step process.
The first procedures are host-based and are considered the passive component:
› inspection of the system's configuration files to detect inadvisable settings
› inspection of the password files to detect inadvisable passwords
› inspection of other system areas to detect policy violations.
9. The second procedures are network-based and are considered the active component: mechanisms are set in place to reenact known methods of attack and to record system responses.
10. Network-based intrusion detection attempts to identify unauthorized, illicit, and anomalous behavior based solely on network traffic.
A network IDS, using either a network tap, SPAN port, or hub, collects packets that traverse a given network.
Using the captured data, the IDS processes and flags any suspicious traffic.
The role of a network IDS is passive, only gathering, identifying, logging and alerting.
11. Host-based intrusion detection (HIDS) attempts to identify unauthorized, illicit, and anomalous behavior on a specific device.
HIDS generally involves an agent installed on each system, monitoring and alerting on local OS and application activity.
The installed agent uses a combination of signatures, rules, and heuristics to identify unauthorized activity.
The role of a host IDS is passive, only gathering, identifying, logging, and alerting.
12. A honeypot is simply a system, program or file that has absolutely no purpose in production.
Therefore, we can always assume that if the honeypot is accessed, it is for some reason unrelated to
Honeypots are probably one of the last security tools an organization should implement. This is primarily because of the concern that somebody may use the honeypot to attack other systems.
13. A honeypot can also be a computer on your network that looks and acts like a legitimate computer but is actually configured to interact with potential hackers.
Honeypots are also known as a sacrificial lamb, decoy, or booby trap.
The more realistic the interaction, the longer the attacker will stay occupied on honeypot systems and away from your production systems.
The longer the hacker stays using the honeypot, the more will be disclosed about their techniques.
This information can be used to identify what they are after, what their skill level is, and what tools they use.
All this information is then used to better prepare your network and host defenses.
14. Step 1: Node A transmits a frame to Node C.
Step 2: The hub will broadcast this frame to each active port.
Step 3: Node B will receive the frame and will examine the address in the frame. After determining that it is not the intended host, it will discard the frame.
Step 4: Node C will also receive the frame and will examine the address. After determining that it is the intended host, it will process the frame further.
15. In order for a host to be used as a sniffing agent, the network interface must be set to 'promiscuous' mode.
Setting this mode requires root or administrator access.
After this mode is set, the network interface will no longer drop network frames which are addressed to other hosts.
Rather, it will pass them up to the higher network layers with the expectation that some software at a higher layer will process them.
16. Step 1: Node A transmits a frame to Node C.
Step 2: The hub will broadcast this frame to each active port.
Step 3: Node B will receive this frame and will accept it because the network interface has been set to 'promiscuous' mode. This allows a network interface to accept any frames, regardless of the MAC (Media Access Control) address in the frame.
Step 4: Node C will also receive the frame and will process it as expected. It has no way of knowing that another host has also processed the frame.
17. Step 1: Node A transmits a frame to Node C.
Step 2: The switch will examine this frame and determine what the intended host is. It will then set up a connection between Node A and Node C so that they have a 'private' connection.
Step 3: Node C will receive the frame and will examine the address. After determining that it is the intended host, it will process the frame further.
18. ARP Spoofing
When Node A wants to communicate with Node C on the network, it sends an ARP request.
Node C will send an ARP reply which will include its MAC address.
Even in a switched environment, this initial ARP request is sent in a broadcast manner.
It is possible for Node B to craft and send an unsolicited, fake ARP reply to Node A.
This fake ARP reply will specify that Node B has the MAC address of Node C.
Node A will unwittingly send the traffic to Node B since it professes to have the intended MAC address.
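The defender's view of the exchange above, as an added example that is not part of the lecture: a small ARP monitor that keeps the first IP-to-MAC binding it sees and raises an alert on the two signs of the spoof described, an unsolicited reply and a reply that disagrees with the known binding. The `ArpReply` record, the `solicited` flag, and all IP and MAC values are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass
class ArpReply:
    """One observed ARP reply (constructed record, not a real packet format)."""
    sender_ip: str
    sender_mac: str
    solicited: bool  # True if a matching ARP request was seen shortly before


def monitor_arp(replies):
    """Return alerts for unsolicited replies and IP-to-MAC binding changes.

    The first MAC seen for each IP is treated as the known-good binding;
    any later reply for that IP with a different MAC looks like Node B
    claiming Node C's address, so it is reported.
    """
    bindings = {}
    alerts = []
    for r in replies:
        if not r.solicited:
            alerts.append(f"unsolicited ARP reply for {r.sender_ip} from {r.sender_mac}")
        known = bindings.setdefault(r.sender_ip, r.sender_mac)
        if known != r.sender_mac:
            alerts.append(f"binding change for {r.sender_ip}: {known} -> {r.sender_mac}")
    return alerts


# Constructed traffic: Node C answers A's request, then Node B injects a
# fake reply claiming Node C's IP with its own MAC, then Node C answers again.
SAMPLE = [
    ArpReply("10.0.0.3", "aa:aa:aa:aa:aa:03", solicited=True),   # real Node C
    ArpReply("10.0.0.3", "bb:bb:bb:bb:bb:02", solicited=False),  # Node B spoof
    ArpReply("10.0.0.3", "aa:aa:aa:aa:aa:03", solicited=True),   # Node C again
]

if __name__ == "__main__":
    for alert in monitor_arp(SAMPLE):
        print(alert)
```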
19. MAC Flooding
On some switches, it is possible to bombard the switch with bogus MAC address data.
The switch, not knowing how to handle the excess data, will 'fail open'.
That is, it will revert to a hub and will broadcast all network frames to all ports.
At this point, one of the more generic network sniffers will work.
20. MAC Duplicating
You reconfigure Node B to have the same MAC address as the machine whose traffic you're trying to sniff.
This is easy to do on a Linux box if you have access to the 'ifconfig' command.
This differs from ARP Spoofing because, in ARP Spoofing, we are 'confusing' the host by poisoning its ARP cache.
In a MAC Duplicating attack, we actually confuse the switch itself into thinking two ports have the same MAC address.
21. IP Filtering
By enabling IP filtering on your switch, you directly specify which traffic is allowed to flow to and from each port.
This can be a monumental effort to put in place and manage, especially if your environment is dynamic.
Port Security
If your hub or switch has the ability to enable port security, this will help to protect you from both the MAC Flood and MAC Spoofing attacks.
This feature effectively prevents the hub or switch from recognizing more than 1 MAC address on a physical port.
Routing Security
No workstations should be allowed to run a routing protocol as they may be compromised.
Management of any of your network gear should be through a secure connection and not through telnet, which passes the administrative login/password in cleartext.
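An added example, not from the lecture, of the port security rule just described: a simulated switch that learns at most one MAC address per physical port, run against the MAC Flooding and MAC Duplicating attacks from the previous slides to show that the single rule blocks both. The `PortSecuritySwitch` class, the port numbers and the MAC values are constructed for the example.

```python
class PortSecuritySwitch:
    """Simulated switch whose only rule is: one source MAC per physical port."""

    def __init__(self):
        self.mac_by_port = {}   # port -> the one MAC allowed to use it
        self.port_by_mac = {}   # mac  -> port it was first learned on
        self.violations = []    # (reason, port, mac) for every rejected frame

    def learn(self, port, mac):
        """Learn a frame's source MAC on a port; return True if accepted."""
        owner = self.port_by_mac.get(mac)
        if owner is not None and owner != port:
            # MAC Duplicating: a MAC already bound to one port shows up on another
            self.violations.append(("duplicate-mac", port, mac))
            return False
        held = self.mac_by_port.get(port)
        if held is not None and held != mac:
            # MAC Flooding: a port tries to present more than one MAC
            self.violations.append(("extra-mac", port, mac))
            return False
        self.mac_by_port[port] = mac
        self.port_by_mac[mac] = port
        return True


def run_scenario():
    """Legitimate hosts on ports 1 and 3; the attacker (Node B) sits on port 2."""
    sw = PortSecuritySwitch()
    results = {}
    results["legit"] = sw.learn(1, "aa:aa:aa:aa:aa:01") and sw.learn(3, "aa:aa:aa:aa:aa:03")
    # Flooding: port 2 sends 50 bogus source MACs; only the first one sticks,
    # so the table never overflows and the switch never 'fails open'.
    flood = [sw.learn(2, f"de:ad:be:ef:00:{i:02x}") for i in range(50)]
    results["flood_accepted"] = sum(flood)
    # Duplicating: port 2 now clones Node C's MAC, already bound to port 3.
    results["dup_accepted"] = sw.learn(2, "aa:aa:aa:aa:aa:03")
    results["violations"] = len(sw.violations)
    return results


if __name__ == "__main__":
    print(run_scenario())
```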
22. Knowledge-based intrusion detection techniques apply the knowledge accumulated about specific attacks and system vulnerabilities.
The IDS contains information about these vulnerabilities and looks for attempts to exploit them.
When such an attempt is detected, an alarm is triggered.
23. In other words, any action that is not explicitly recognized as an attack is considered acceptable.
Therefore, the accuracy of knowledge-based intrusion detection systems is considered good.
However, their completeness (i.e. the fact that they detect all possible attacks) depends on the regular update of knowledge about attacks.
24. Advantages of the knowledge-based approaches are that they have the potential for very low false alarm rates.
25. Behavior-based intrusion detection techniques assume that an intrusion can be detected by observing a deviation from normal or expected behavior of the system or the users.
The model of normal or valid behavior is extracted from reference information collected by various means.
The intrusion detection system later compares this model with the current activity.
26. When a deviation is observed, an alarm is generated.
In other words, anything that does not correspond to a previously learned behavior is considered intrusive.
Therefore, the intrusion detection system might be complete (i.e. all attacks should be caught), but its accuracy is a difficult issue (i.e. you get a lot of false alarms).
27. Advantages of behavior-based approaches are that they can detect attempts to exploit new and unforeseen vulnerabilities.
They can even contribute to the (partially) automatic discovery of these new attacks.
They also help detect 'abuse of privileges' types of attacks that do not actually involve exploiting any security vulnerability.
In short, this is the paranoid approach: everything which has not been seen previously is dangerous.
28. The high false alarm rate is generally cited as the main drawback of behavior-based techniques because the entire scope of the behavior of an information system may not be covered during the learning phase.
Also, behavior can change over time, introducing the need for periodic online retraining of the behavior profile, resulting either in unavailability of the intrusion detection system or in additional false alarms.
29. The information system can undergo attacks at the same time the intrusion detection system is learning the behavior. As a result, the behavior profile contains intrusive behavior, which is not detected as anomalous.
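The trade-offs of slides 22 to 29 in running code, as an added example that is not from the lecture: a knowledge-based detector with a fixed signature set and a behavior-based detector whose profile is the highest per-session count of each action seen during learning, both run over the same constructed sessions. The signature detector misses the novel exploit and the privilege abuse, the behavior detector catches both but also raises a false alarm on a harmless new tool, and a profile learned while the novel exploit was already in use no longer flags it. All action names and sessions are made up for the example.

```python
from collections import Counter

KNOWN_ATTACKS = {"known_exploit"}   # the accumulated knowledge about attacks


def signature_detect(session):
    """Knowledge-based: alarm only on actions explicitly recognized as attacks."""
    return sorted(a for a in set(session) if a in KNOWN_ATTACKS)


def learn_profile(training_sessions):
    """Behavior-based model: the highest per-session count seen for each action."""
    profile = {}
    for session in training_sessions:
        for action, n in Counter(session).items():
            profile[action] = max(profile.get(action, 0), n)
    return profile


def anomaly_detect(profile, session):
    """Alarm on any action never seen in learning, or used more often than ever before."""
    return sorted(a for a, n in Counter(session).items() if n > profile.get(a, 0))


# Constructed learning data: normal user sessions, export_records used once at most.
CLEAN_TRAINING = [
    ["login", "read_mail", "browse_web", "logout"],
    ["login", "read_mail", "read_mail", "browse_web", "logout"],
    ["login", "export_records", "logout"],
]

# Constructed live sessions covering the cases the slides discuss.
LIVE = {
    "known_attack":  ["login", "known_exploit", "logout"],
    "novel_attack":  ["login", "novel_exploit", "logout"],          # no signature yet
    "priv_abuse":    ["login"] + ["export_records"] * 20 + ["logout"],  # no vulnerability exploited
    "new_but_legit": ["login", "new_reporting_tool", "logout"],     # harmless, never seen
}


def run_comparison(training=CLEAN_TRAINING):
    """Run both detectors over LIVE; pass a poisoned training set to see slide 29's effect."""
    profile = learn_profile(training)
    return {name: {"signature": signature_detect(s), "anomaly": anomaly_detect(profile, s)}
            for name, s in LIVE.items()}


if __name__ == "__main__":
    for name, verdict in run_comparison().items():
        print(name, verdict)
    print("poisoned profile:", run_comparison(CLEAN_TRAINING + [["login", "novel_exploit", "logout"]]))
```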