Chapter 4
COMPUTER SECURITY
Chapter 4: Intrusion-Detection Systems (IDS)
Objectives
There are several IDS concepts that can be implemented, chosen according to the situation,
objectives, budget, expertise and goals of the organisation:
1. Pre-emptive Blocking
2. Infiltration
3. Intrusion Deflection
4. Intrusion Deterrence
5. Anomaly Detection
Understanding IDS Concepts
Pre-emptive Blocking
Pre-emptive blocking seeks to prevent intrusions before they occur.
Technique: detect the early footprinting (reconnaissance) stage, such as port sweeps and service probes,
then block the IP address or user account that is the source of the footprinting activity, before the
actual attack is launched.
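The following is an added worked example (not part of the original chapter, and not any vendor's code) of the pre-emptive blocking idea: it reads connection-attempt records, counts how many distinct destination ports one source probes within a short window, and emits a firewall block rule for the source as soon as that count looks like a port scan. The log lines, the threshold of 8 ports in 10 seconds and the iptables rule format are assumptions chosen for illustration.

```python
"""Pre-emptive blocking: detect the footprinting stage (a port scan) and block its source.
Added illustration for the chapter; the log format and thresholds are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample firewall log (not from a real system).
# Fields: timestamp, source IP, destination IP, destination port, TCP flags.
SAMPLE_LOG = """\
2024-03-01T10:00:00 203.0.113.7 192.0.2.10 21 S
2024-03-01T10:00:00 203.0.113.7 192.0.2.10 22 S
2024-03-01T10:00:01 203.0.113.7 192.0.2.10 23 S
2024-03-01T10:00:01 203.0.113.7 192.0.2.10 25 S
2024-03-01T10:00:01 203.0.113.7 192.0.2.10 80 S
2024-03-01T10:00:02 203.0.113.7 192.0.2.10 110 S
2024-03-01T10:00:02 203.0.113.7 192.0.2.10 143 S
2024-03-01T10:00:02 203.0.113.7 192.0.2.10 443 S
2024-03-01T10:00:03 203.0.113.7 192.0.2.10 3306 S
2024-03-01T10:00:03 203.0.113.7 192.0.2.10 3389 S
2024-03-01T10:00:05 198.51.100.4 192.0.2.10 443 S
2024-03-01T10:00:06 198.51.100.4 192.0.2.10 443 S
2024-03-01T10:00:30 198.51.100.4 192.0.2.10 80 S
"""

SCAN_PORT_THRESHOLD = 8                  # this many distinct ports from one source ...
SCAN_WINDOW = timedelta(seconds=10)      # ... inside this window is treated as a scan
ALLOWLIST = {"192.0.2.1"}                # e.g. your own vulnerability scanner (assumed address)


def parse_line(line):
    ts, src, dst, port, flags = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), flags


class ScanDetector:
    def __init__(self, threshold=SCAN_PORT_THRESHOLD, window=SCAN_WINDOW, allowlist=ALLOWLIST):
        self.threshold = threshold
        self.window = window
        self.allowlist = allowlist
        self.events = defaultdict(deque)   # src -> recent (timestamp, port) pairs
        self.blocked = {}                  # src -> time of the block decision

    def observe(self, ts, src, dst, port, flags):
        """Return a block rule for src if this event tips it over the threshold, else None."""
        if src in self.allowlist or src in self.blocked:
            return None
        if "S" not in flags:               # only new connection attempts count as probing
            return None
        recent = self.events[src]
        recent.append((ts, port))
        while recent and ts - recent[0][0] > self.window:   # slide the window forward
            recent.popleft()
        distinct_ports = {p for _, p in recent}
        if len(distinct_ports) >= self.threshold:
            self.blocked[src] = ts
            return f"iptables -I INPUT -s {src} -j DROP"    # assumed block-rule format
        return None


def run(log_text):
    """Feed every log line to the detector; return the rules it emitted and the detector."""
    det = ScanDetector()
    rules = []
    for line in log_text.splitlines():
        if line.strip():
            rule = det.observe(*parse_line(line))
            if rule:
                rules.append(rule)
    return rules, det


if __name__ == "__main__":
    for rule in run(SAMPLE_LOG)[0]:
        print(rule)
```

Two caveats a practitioner would add: source addresses in unsolicited SYNs can be spoofed, so an attacker who learns the blocking rule can get the IDS to block a legitimate address (a DNS server, a business partner) for them; the allowlist and a short automatic expiry on the block are the usual mitigations. The threshold also needs tuning per network, since some legitimate clients (monitoring systems, load balancers) open many ports quickly.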
Anomaly Detection
Actual software works to detect intrusion attempts and notify the administrator. How? The system
looks for anomalous behaviour, that is, activity that departs from an established baseline of normal
use. Two common approaches:
Anomaly Detection – Threshold Monitoring
Counts occurrences of an event (failed logins, connections per second, bytes transferred) and raises
an alert when the count exceeds a preset limit within a time window.
Anomaly Detection – Executable Profiling
Builds a profile of which programs each user, process or system normally runs, and flags executions
that fall outside that profile (for example a web server process suddenly launching a shell).
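As an added example (not from the original chapter or any product), the block below implements both approaches over constructed audit events: a per-user executable profile is learned from a baseline period, then live events are scored against it, while a separate threshold monitor counts authentication failures per source address inside a time window. The event format, users, paths and limits are all assumptions for illustration.

```python
"""Anomaly detection: executable profiling plus threshold monitoring over audit events.
Added illustration for the chapter; the event format and values are constructed."""
from collections import defaultdict

# Constructed baseline: (user, executable) observed during a known-clean training period.
BASELINE_EVENTS = [
    ("alice", "/usr/bin/vim"), ("alice", "/usr/bin/git"), ("alice", "/usr/bin/python3"),
    ("alice", "/usr/bin/vim"), ("alice", "/usr/bin/git"),
    ("www-data", "/usr/sbin/apache2"), ("www-data", "/usr/sbin/apache2"),
]

# Constructed live events: (seconds, user, kind, detail).
# kind "exec"      -> detail is the executable path
# kind "auth_fail" -> detail is the source IP of the failed login
LIVE_EVENTS = [
    (0, "alice", "exec", "/usr/bin/git"),
    (5, "www-data", "exec", "/usr/sbin/apache2"),
    (9, "www-data", "exec", "/bin/sh"),            # web server spawning a shell
    (10, "www-data", "exec", "/usr/bin/nc"),       # ... and then netcat
    (20, "bob", "auth_fail", "203.0.113.9"),
    (21, "bob", "auth_fail", "203.0.113.9"),
    (22, "root", "auth_fail", "203.0.113.9"),
    (23, "admin", "auth_fail", "203.0.113.9"),
    (24, "bob", "auth_fail", "203.0.113.9"),
    (30, "alice", "auth_fail", "198.51.100.20"),   # one mistyped password is normal
]

FAIL_THRESHOLD = 5      # failures from one source ...
FAIL_WINDOW = 60        # ... within this many seconds raises an alert


def build_profile(baseline):
    """Executable profiling, learning step: the set of programs each user normally runs."""
    profile = defaultdict(set)
    for user, exe in baseline:
        profile[user].add(exe)
    return profile


def executable_anomalies(profile, events):
    """Executable profiling, detection step: flag programs never seen for that user."""
    alerts = []
    for ts, user, kind, detail in events:
        if kind == "exec" and detail not in profile.get(user, set()):
            alerts.append((ts, user, detail))
    return alerts


def threshold_alerts(events, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Threshold monitoring: alert once per source that reaches `threshold` failures in `window` s."""
    alerts = []
    history = defaultdict(list)     # source IP -> timestamps of recent failures
    fired = set()
    for ts, user, kind, detail in events:
        if kind != "auth_fail":
            continue
        history[detail] = [t for t in history[detail] if ts - t <= window] + [ts]
        if len(history[detail]) >= threshold and detail not in fired:
            fired.add(detail)
            alerts.append((ts, detail, len(history[detail])))
    return alerts


if __name__ == "__main__":
    prof = build_profile(BASELINE_EVENTS)
    print("executable anomalies:", executable_anomalies(prof, LIVE_EVENTS))
    print("threshold alerts:", threshold_alerts(LIVE_EVENTS))
```

The baseline has to be captured while the system is known to be clean: if an attacker is already present during training, their tooling is learned as normal and never flagged. Thresholds trade false positives against detection delay; five failures in a minute catches a brute-force attempt but lets a slow, distributed password spray through, which is why production systems combine several thresholds over different windows.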
SNORT
Cisco Intrusion-Detection
Network Intrusion-Detection
Cisco intrusion detection systems (IDS) and intrusion prevention systems (IPS) are some of many
systems used as part of a defense-in-depth approach to protecting the network against malicious traffic.
A sensor is a device that looks at traffic on the network and then makes a decision based on a set
of rules to indicate whether that traffic is okay or whether it is malicious in some way.
Examples:
Cisco IDS 4200 Series Sensors (dedicated appliances)
Cisco Catalyst 6500 Series Intrusion Detection System Services Module (IDSM-2) (multilayer switches)
Updated:
Cisco IPS 4270 Sensor
Cisco FirePOWER 8000/7000 series appliances
Virtual Next-Generation IPS (NGIPSv) for VMware
A module in an IOS router, such as the AIM-IPS or NME-IPS modules
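The sensor definition above (traffic checked against a set of rules, then a verdict) can be shown in code. The block below is an added toy sensor written for this chapter, not Cisco's or Snort's implementation: each constructed packet is matched against a small rule set, and the same rule set is run in IDS mode (a passive copy of the traffic, so a match can only alert) and in IPS mode (the sensor sits inline, so a match also drops the packet). The rule fields, signature IDs and sample packets are assumptions for illustration.

```python
"""Toy rule-based network sensor illustrating the IDS (alert) versus IPS (inline drop) distinction.
Added example for the chapter; rules, sids and packets are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int
    payload: bytes


@dataclass
class Rule:
    sid: int
    msg: str
    proto: str = "any"
    dport: Optional[int] = None
    content: Optional[bytes] = None

    def matches(self, pkt: Packet) -> bool:
        """Every specified field must match; unspecified fields match anything."""
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.content is not None and self.content not in pkt.payload:
            return False
        return True


# Constructed rule set (sids in the local/custom range, not real signature IDs).
RULES = [
    Rule(1000001, "Shell path in HTTP request", proto="tcp", dport=80, content=b"/bin/sh"),
    Rule(1000002, "Telnet connection attempt", proto="tcp", dport=23),
]

# Constructed sample traffic.
SAMPLE_TRAFFIC = [
    Packet("198.51.100.4", "192.0.2.10", "tcp", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("203.0.113.7", "192.0.2.10", "tcp", 80, b"GET /cgi-bin/t.cgi?cmd=/bin/sh HTTP/1.1\r\n"),
    Packet("203.0.113.7", "192.0.2.10", "tcp", 23, b""),
    Packet("198.51.100.4", "192.0.2.10", "udp", 53, b"\x12\x34\x01\x00"),
]


class Sensor:
    def __init__(self, rules: List[Rule], inline: bool = False):
        self.rules = rules
        self.inline = inline      # False: IDS watching a copy; True: IPS in the forwarding path
        self.alerts: List[Tuple[int, str, str, str]] = []

    def inspect(self, pkt: Packet) -> str:
        """Verdict for one packet: "pass", "alert" (IDS) or "drop" (IPS)."""
        for rule in self.rules:
            if rule.matches(pkt):
                self.alerts.append((rule.sid, rule.msg, pkt.src, pkt.dst))
                return "drop" if self.inline else "alert"
        return "pass"


def run_sensor(traffic, inline=False):
    """Run the constructed rule set over the traffic; return verdicts and alerts."""
    sensor = Sensor(RULES, inline=inline)
    verdicts = [sensor.inspect(p) for p in traffic]
    return verdicts, sensor.alerts


if __name__ == "__main__":
    print("IDS:", run_sensor(SAMPLE_TRAFFIC)[0])
    print("IPS:", run_sensor(SAMPLE_TRAFFIC, inline=True)[0])
```

Two things this toy leaves out are exactly what separates it from a production sensor. Matching a byte string inside one packet is easy to evade (URL-encode the path as %2fbin%2fsh, or split it across two TCP segments), so real sensors reassemble streams and normalise protocols before matching. And because an inline IPS drops on a match, a false positive costs availability rather than an analyst's time, so IPS rule sets are tuned far more conservatively than IDS rule sets.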
Understanding & Implementing IDS Systems – Honeypots
What is a honeypot?
A honeypot resides in a DMZ as a deliberately vulnerable host and advertises services and software to
entice an attacker into attacking it rather than the production systems, while everything the attacker
does on it is recorded.
Examples:
1. Specter
2. Symantec Decoy Server
Understanding & Implementing IDS Systems – Specter
Specter is a honeypot system that can automatically capture information about an attacker's machine while
they are attacking the system.
It simulates a vulnerable computer, providing an interesting target that draws attackers away from the
production machines.
Specter can operate in one of five modes:
1. Open - The system behaves like a badly configured system in terms of security
2. Secure - The system behaves like a well configured system in terms of security
3. Failing - The system behaves like a machine with various hardware and software problems
4. Strange - The system behaves unpredictably and leaves the intruder wondering what is going on
5. Aggressive - The system communicates as long as necessary to collect information about the
attacker, then reveals its true identity by the appropriate means depending on the kind of
connection and then ends communication. This is useful for scaring intruders away
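To make the honeypot idea concrete, here is an added minimal low-interaction honeypot written for this chapter. It is not Specter's code or any product's; it only borrows the names of the "open" and "aggressive" modes described above. It listens like an FTP server, accepts any login (the badly configured bait of the open mode), records the peer address and every command sent, and in aggressive mode tells the peer it has been logged before closing. The banner string, the FTP reply texts and the loopback address are assumptions; a real deployment would bind to the DMZ interface and ship the records to a log server.

```python
"""Minimal fake-FTP honeypot with "open" and "aggressive" modes.
Added illustration for the chapter; banner and replies are constructed."""
import socket
import threading


class FakeFtpHoneypot:
    BANNER = b"220 ProFTPD 1.3.3c Server ready.\r\n"   # constructed bait banner

    def __init__(self, host="127.0.0.1", port=0, mode="open"):
        self.mode = mode
        self.records = []            # one dict per connection: peer address and commands seen
        self.srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.srv.bind((host, port))  # port 0 lets the OS pick a free port (handy for tests)
        self.srv.listen(5)
        self.port = self.srv.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, peer = self.srv.accept()
            except OSError:
                return               # listening socket closed by stop()
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()

    def _handle(self, conn, peer):
        record = {"peer": peer[0], "commands": []}
        self.records.append(record)
        f = conn.makefile("rwb")     # line-oriented view of the connection
        try:
            f.write(self.BANNER)
            f.flush()
            while True:
                line = f.readline()
                if not line:         # peer hung up
                    break
                cmd = line.decode("latin-1").strip()
                record["commands"].append(cmd)
                verb = cmd.split(" ", 1)[0].upper()
                if verb == "USER":
                    f.write(b"331 Password required.\r\n")
                elif verb == "PASS":
                    f.write(b"230 Login successful.\r\n")   # any password works: the "open" bait
                elif verb == "QUIT":
                    f.write(b"221 Goodbye.\r\n")
                    f.flush()
                    break
                else:
                    f.write(b"200 OK.\r\n")
                f.flush()
            if self.mode == "aggressive" and record["commands"]:
                f.write(b"421 This system is a honeypot; your session has been logged.\r\n")
                f.flush()
        except OSError:
            pass
        finally:
            f.close()
            conn.close()

    def stop(self):
        self.srv.close()


def simulate_attacker(port, commands):
    """Connect the way a scanner or attacker would and return every reply received."""
    s = socket.create_connection(("127.0.0.1", port), timeout=5)
    f = s.makefile("rwb")
    replies = [f.readline().decode().strip()]              # banner
    for c in commands:
        f.write((c + "\r\n").encode())
        f.flush()
        replies.append(f.readline().decode().strip())
    tail = f.readline().decode().strip()                   # aggressive-mode reveal, if any
    if tail:
        replies.append(tail)
    f.close()
    s.close()
    return replies


if __name__ == "__main__":
    hp = FakeFtpHoneypot(mode="aggressive")
    print(simulate_attacker(hp.port, ["USER anonymous", "PASS guest@", "QUIT"]))
    print(hp.records)
    hp.stop()
```

Because nobody legitimate should ever connect to a honeypot, every record it produces is worth an analyst's attention, which is what makes honeypots such a low-noise detection source. The flip side is that a service that accepts every password and never serves a real file is easy to fingerprint, which is precisely what the anti-honeypot tooling warned about in this chapter looks for.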
ALERT!
Attackers try to avoid being trapped in honeypots by using anti-honeypot software, such as
Send-Safe Honeypot Hunter, that probes a host to tell a real service from a decoy.
Other honeypot tools and concepts:
1. Honeynets (a whole network of honeypots)
2. Nepenthes
3. HoneyD (virtual honeypots)
4. KFSensor
5. BackOfficer Friendly