Lec 7

Uploaded by Ibrahim Wael

Cybersecurity Essentials course

Lec. 7
Protecting Organization

Dr. Eman Zahran


Cybersecurity Devices and Technologies

• There is no single security appliance or piece of technology that
will solve all the network security needs in an organization.
• You must consider what tools will be most effective as part of
your security system.
Security appliances
Security appliances can be standalone devices like a
router or software tools that are run on a network
device. They fall into five general categories:
1- Routers
2- Firewalls
3- Virtual Private Network (VPN)
4- Intrusion Detection and Prevention System
Firewall Limitations
• cannot protect from attacks bypassing it
– e.g. sneaker net, utility modems
• cannot protect against internal threats
– e.g. colluding employees
• cannot protect against the transfer of all virus-infected programs or files
– because of the huge range of O/S and file types
• Firewalls allow traffic only to legitimate hosts and services
• Traffic to the legitimate hosts/services can still carry attacks
– e.g. Code Red
• Solution?
– Intrusion Detection Systems
– Monitor data and behavior
– Report when they identify attacks
Intrusion Detection
Preventing unauthorized access is the first line of security at the
local computing and control-device level. A cybersecurity
specialist should be able to detect the occurrence of an intrusion
and notify the proper authorities of its nature.

Intrusion: actions aimed at compromising the security of the
target (confidentiality, integrity, availability of
computing/networking resources).

Intrusion detection: a hardware or software function that
gathers and analyzes information from various areas within a
computer or a network to identify possible security intrusions.

15-441 Networks Fall 2002 5


Intrusion prevention: the process of both
detecting intrusion activities and managing
automatic responsive actions throughout the
network
Intrusion Detection System

An IDS may be a dedicated network device or software running on a
host computer's operating system.
The IDS scans data against a database of attack signatures.
If a match is detected, the IDS will log the detection and create an
alert for the network administrator.
The IDS will not prevent the attack.
IDS: Detect, Log and Report
Intrusion Detection
Intrusion Detection System

• IDSes can detect and deal with insider attacks, as well as
external attacks, and are often very useful in detecting violations
of corporate security policy and other internal threats.
• Used to monitor for “suspicious or unapproved network activity”
– Can protect against known software exploits, like buffer
overflows
• Open Source IDS: Snort, www.snort.org
Intrusion Detection System

• An IDS can alert the administrator of a successful compromise and
log key events and policy violations, allowing administrators to
implement mitigation actions before further damage is caused.
Components of IDS
Three logical components:

Sensors - Analyzers - User Interface

• Sensors: Sensors are responsible for collecting data. The input
for a sensor may be any part of a system that could contain
evidence of an intrusion.
Types of input to a sensor include network packets, log files, and
system call traces.
Sensors collect and forward this information to the analyzer.
The sensor inputs may also be stored for future analysis and
review in a storage or database component.
Components of IDS Cont.
• Analyzers: Analyzers receive input from one or more sensors or
from other analyzers. The analyzer is responsible for determining
if an intrusion has occurred.
The output may include evidence supporting the conclusion that an
intrusion occurred.
The analyzer may provide guidance about what actions to take as a
result of the intrusion.
Components of IDS Cont.
• User interface: The user interface to an IDS
enables a user to view output from
the system or control the behavior of the system.
Basics of intrusion detection
1. If an intrusion is detected quickly enough, the intruder can be
identified and ejected from the system before any damage is done
or any data are compromised.
3. Intrusion detection enables the collection of information about
intrusion techniques that can be used to strengthen intrusion
prevention measures.
4. Intrusion detection is based on the assumption that the behavior
of the intruder differs from that of a legitimate user in ways that
can be quantified.
Classifications of IDS
IDSs are often classified based on the source and type of data
analyzed, as:
• Host-based IDS (HIDS)
• Network-based IDS (NIDS)
• Distributed or hybrid IDS
Host-Based IDS
• Usually installed on servers
• Focus on analyzing the specific operating systems and
applications, resource utilization and other system activities.
• Analyze information that originates and resides on a host
• Log any activities to a secure database and check to see whether
the events match any malicious event record listed in the
database.
• Host-based IDSs are often critical in detecting internal attacks
directed towards an organization’s servers such as DNS, Mail, and
Web Servers.
Host-based IDS
• Characteristics
– Runs on single host
– Can analyze audit-trails, logs, integrity of files and
directories, etc.
• Advantages
– More accurate than NIDS
– Less volume of traffic so less overhead
• Disadvantages
– Deployment is expensive
Network-Based IDS (NIDS)
• Are dedicated network devices distributed within networks that
monitor and inspect network traffic flowing through the device.
• Network-based IDS uses packet sniffing techniques to pull data
from packets that are traveling along the network.
• Most Network-based IDS log their activities and report or alarm
on questionable events.
Network-based IDS
• Characteristics
– NIDS examines raw packets in the network passively and triggers
alerts

• Advantages?
– Easy deployment
– Difficult to evade

• Disadvantages?
– Different hosts process packets differently
Comparison
Host Based:
• Narrow in scope (watches only specific host activities)
• More complex setup
• Better for detecting attacks from the inside
• More expensive to implement
• Detection is based on what any single host can record
• Does not see packet headers
• Usually only responds after a suspicious log entry has been made
• OS-specific
• Detects local attacks before they hit the network
• Verifies success or failure of attacks

Network Based:
• Broad in scope (watches all network activities)
• Easier setup
• Better for detecting attacks from the outside
• Less expensive to implement
• Detection is based on what can be recorded on the entire network
• Examines packet headers
• Near real-time response
• OS-independent
• Detects network attacks as payload is analyzed
• Detects unsuccessful attack attempts
Distributed (Hybrid) IDS
• Are systems that combine both Host-based IDS functionality, which
monitors events occurring on the host system, and Network-based
IDS functionality, which monitors network traffic, on the same
security platform.
• A Hybrid IDS can monitor system and application events and verify
a file system’s integrity like a Host-based IDS, but only serves to
analyze network traffic destined for the device itself.
• A Hybrid IDS is often deployed on an organization’s most critical
servers.
Distributed (Hybrid) IDS

(Figure: untrusted Internet, router, firewall, two IDS Sensors and an IDS Manager.)
Deployment of NIDS sensors
Example: (figure)
Location 1: NIDS sensor is just inside the external firewall.
This position has a number of advantages:
• Sees attacks, originating from the outside world, that penetrate
the network’s perimeter defenses (external firewall).
• Highlights problems with the network firewall policy or
performance.
• Sees attacks that might target the Web server or FTP server.
• Even if the incoming attack is not recognized, the IDS can
sometimes recognize the outgoing traffic that results from the
compromised server.
Deployment of NIDS sensors
Location 2:
NIDS sensor is placed between the external firewall and the Internet or
WAN.
In this position, the sensor can monitor all network traffic, unfiltered.

Advantages:
• Documents number of attacks originating on the Internet that target
the network.
• Documents types of attacks originating on the Internet that target the
network.

Disadvantage:
A sensor at location 2 has a higher processing burden than any sensor
located elsewhere on the site network.
Deployment of NIDS sensors
Location 3:
A firewall and one or more sensors are configured to protect major
backbone networks, such as those that support internal servers
and database resources
The Advantages:
• Monitors a large amount of a network’s traffic, thus increasing the
possibility of spotting attacks.
• Detects unauthorized activity by authorized users within the
organization’s security perimeter.
A sensor at location 3 is able to monitor for both internal and external
attacks. Because the sensor monitors traffic to only a subset of devices
at the site, it can be tuned to specific protocols and attack types, thus
reducing the processing burden.
Deployment of NIDS sensors
Location 4:
A firewall and NIDS sensor could be configured to provide
additional protection of critical subsystems, such as personnel
and financial networks.
Advantages:
• Detects attacks targeting critical systems and resources.
• Allows monitoring of limited resources to the network
assets.
A sensor at location 4 can be tuned to specific protocols
and attack types, thus reducing the processing burden.
IDS Analysis Strategies

All IDS devices are based on one of two strategies:

▶ Signature-based IDS: Incoming and outgoing traffic is compared to
a database of stored specific code patterns that have been
identified as malicious threats.

▶ Anomaly-based IDS: Incoming and outgoing traffic is compared to
an established baseline of normal traffic for the system.
Signature-based IDS
• Monitor network or server traffic and match bytes or packet
sequences against a set of predetermined attack lists or
signatures.
• When an attack matches a signature configured on the IDS, the
system alerts administrators
• Signatures are easy to develop
• However, because they only detect known attacks, a signature
must be created for every attack.
• New vulnerabilities and exploits will not be detected until
administrators develop new signatures.
• Another drawback to signature-based IDS is that the signature
databases are very large, and it can be hard to keep up with the
pace of fast-moving network traffic.
Signature-based IDS
• Characteristics
– Uses known pattern matching
to signify attack
• Advantages?
– Widely available
– Fairly fast
– Easy to implement
– Easy to update
• Disadvantages?
– Cannot detect attacks for which it has no signature
– Signature databases are very large, and it can be hard to keep up
with the pace of fast-moving network traffic
Anomaly Based IDS
• Use network traffic baselines to determine a “normal” state for
the network and compare current traffic to that baseline.
• Use a type of statistical calculation to determine whether
current traffic deviates from “normal” traffic, which is either
learned and/or specified by administrators.
• If network anomalies occur, the IDS alerts administrators.
• A new attack for which a signature doesn’t exist can be detected
if it falls out of the “normal” traffic patterns.
• Inaccurate profiles of “normal” network operations create high
false alarm rates.
Anomaly-based IDS
• Characteristics
– Uses statistical model or machine learning engine to characterize normal
usage behaviors
– Recognizes departures from normal as potential intrusions
• Advantages?
– Can detect attempts to exploit new and unforeseen vulnerabilities
– Can recognize authorized usage that falls outside the normal pattern
• Disadvantages?
– Generally slower, more resource intensive compared to signature-based IDS
– Greater complexity, difficult to configure
– Higher percentages of false alerts
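As an added example (not code from the lecture), the sensor/analyzer split described under Components of IDS and the anomaly-based strategy above in working Python: a “normal” profile of connections per minute is learned from a constructed baseline, a sensor reduces constructed log lines to per-minute counts, and the analyzer alerts on minutes that deviate by more than three standard deviations. The host addresses, log format and threshold are assumptions; the second alert (a legitimate backup burst) is the false-alarm problem the slides mention.

```python
import statistics
from collections import Counter

# Constructed baseline: connections per minute from workstation 192.0.2.5 over ten normal minutes.
BASELINE = [12, 15, 11, 14, 13, 16, 12, 14, 15, 13]

def build_profile(samples):
    """Learn the 'normal' profile (mean, stdev) from samples; an admin could also specify it directly."""
    mean = statistics.mean(samples)
    stdev = statistics.stdev(samples) if len(samples) > 1 else 0.0
    return {"mean": mean, "stdev": max(stdev, 1e-9)}   # guard: a flat baseline must not divide by zero

def constructed_log():
    """Sensor input: log lines '<minute> <src> -> <dst>:<port>' (constructed, not real traffic)."""
    lines = [f"10:01 192.0.2.5 -> 192.0.2.{10 + i % 3}:443" for i in range(14)]   # ordinary web use
    lines += [f"10:02 192.0.2.5 -> 192.0.2.{10 + i}:22" for i in range(140)]      # one host touching 140 others
    lines += ["10:03 192.0.2.5 -> 192.0.2.50:873"] * 40                           # legitimate nightly rsync backup
    return lines

def sensor(lines):
    """Sensor: reduce raw log lines to a count of connections per (minute, source host)."""
    counts = Counter()
    for line in lines:
        minute, src, _arrow, _dst = line.split()
        counts[(minute, src)] += 1
    return counts

def analyze(profile, counts, threshold=3.0):
    """Analyzer: flag any minute whose count deviates from the profile by more than `threshold` stdevs."""
    alerts = []
    for (minute, src), n in sorted(counts.items()):
        z = (n - profile["mean"]) / profile["stdev"]
        if abs(z) > threshold:
            alerts.append({"minute": minute, "src": src, "count": n, "z": round(z, 1)})
    return alerts

def run_anomaly_ids():
    """Whole pipeline: learn profile, collect, analyze. 10:03 is a false alarm caused by the narrow profile."""
    return analyze(build_profile(BASELINE), sensor(constructed_log()))

if __name__ == "__main__":
    for a in run_anomaly_ids():
        print(f"ALERT {a['minute']} {a['src']}: {a['count']} connections (z={a['z']})")
```

Widening the baseline with a few backup minutes would lower the second alert's score, which is the tuning step the slides describe as administrators specifying “normal”.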
An IDS should
• Run continually with minimal human supervision.
• Be fault tolerant in the sense that it must be able to recover from system
crashes and initializations.
• Resist subversion. The IDS must be able to monitor itself and detect if it has
been modified by an attacker.
• Impose a minimal overhead on the system where it is running.
• Be able to be configured according to the security policies of the system that
is being monitored.
• Be able to adapt to changes in system and user behavior over time.
• Be able to scale to monitor a large number of hosts.
• Provide graceful degradation of service in the sense that if some components
of the IDS stop working for any reason, the rest of them should be affected as
little as possible.
• Allow dynamic reconfiguration; that is, the ability to reconfigure the IDS
without having to restart it.
Honeypots

A honeypot is a network-attached system.
Honeypots are decoy systems that are designed to lure a potential
attacker away from critical systems.
Honeypots are designed to:
• Divert an attacker from accessing critical systems.
• Collect information about the attacker’s activity.
• Encourage the attacker to stay on the system long
enough for administrators to respond.
Honeypots
• Are decoy servers or systems set up to gather information
regarding an attacker or intruder into networks or systems.
• Appear to run vulnerable services and capture vital information
as intruders attempt unauthorized access.
• Provide early warning about new attacks and exploitation trends,
which allows administrators to configure a behavior-based profile
and correctly tune network sensors.
• Can capture all files that might have been used in the
intrusion attempt.
Example of Honeypot Deployment

The location of the honeypot depends on:
1- the type of information the organization is interested in gathering
2- the level of risk that the organization can tolerate
Location 1: (External Honeypot)
Advantages
Does not increase the risk for the internal network.
The danger of having a compromised system behind the firewall is
avoided.
It reduces the alerts issued by the firewall and by internal IDS sensors,
easing the management burden.
Disadvantage
It has little or no ability to trap internal attackers.
Location 2: Zone of Web and Mail servers
Disadvantage:
limited effectiveness of the honeypot at this
location because the firewall typically blocks
traffic to this zone.
Example of Honeypot Deployment

Location 3: (Internal Honeypot)
Advantages
1- can catch internal attacks.
2- can also detect a misconfigured firewall that forwards
impermissible traffic from the Internet to the internal network.
Disadvantages
1- if the honeypot is compromised it can attack the internal
network.
2- the firewall must adjust its filtering to allow traffic to the
honeypot, thus complicating firewall configuration and potentially
compromising the internal network.
IDS Example
SNORT
Snort is an open source, portable, host-based or network-based IDS.
Snort is referred to as a lightweight IDS:
• Easily deployed on most nodes (host, server, router) of a
network.
• Efficient operation that uses a small amount of memory and
processor time.
• Easily configured to implement a specific
security solution in a short amount of time.
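As an added example (not the lecture's or Snort's own code), the signature-based strategy from the Signature-based IDS section and the Snort mention above: a small analyzer that reads rules written in a simplified subset of Snort's rule syntax (action, protocol, source/destination addresses and ports, and the msg/content/sid/rev options) and compares constructed packets to them. Addresses and ports are compared exactly, so CIDR blocks, port lists, variables and every other Snort option are assumed out of scope; the rules and packets are constructed, not real traffic.

```python
import re
from collections import namedtuple

# Subset of Snort's rule header and options: action proto src sport -> dst dport (msg; content; sid; rev)
RULE_RE = re.compile(r"^(?P<action>alert|log)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
                     r"\s*->\s*(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

Rule = namedtuple("Rule", "action proto src sport dst dport msg content sid")  # content: the byte signature

def parse_rule(text):
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparsable rule: {text}")
    # options are 'key:value;' pairs; in this subset msg and content must not themselves contain ';'
    opts = dict(o.strip().split(":", 1) for o in m["opts"].split(";") if o.strip())
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["dst"], m["dport"],
                opts["msg"].strip('"'), opts["content"].strip('"').encode(), int(opts["sid"]))

def _matches(pattern, value):
    # 'any' matches everything; otherwise an exact address/port compare (no CIDR, lists or ranges here)
    return pattern == "any" or pattern == str(value)

def rule_hits(rule, pkt):
    proto, src, sport, dst, dport, payload = pkt
    return (rule.proto in ("ip", proto) and _matches(rule.src, src) and _matches(rule.sport, sport)
            and _matches(rule.dst, dst) and _matches(rule.dport, dport) and rule.content in payload)

def run_signature_ids(rules, packets):
    """Compare every packet to every signature; emit one alert record per hit (detect, log and report only)."""
    return [{"sid": r.sid, "msg": r.msg, "src": p[1], "dst": p[3]}
            for p in packets for r in rules if rule_hits(r, p)]

# Constructed rules: the first mirrors the classic Code Red check the firewall slide alludes to.
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> any 80 (msg:"WEB-IIS .ida request (Code Red style)"; content:"default.ida"; sid:1000001; rev:1;)',
    'alert udp any any -> any 53 (msg:"Web signature seen in DNS traffic"; content:"default.ida"; sid:1000002; rev:1;)',
)]
PACKETS = [  # constructed (proto, src, sport, dst, dport, payload)
    ("tcp", "203.0.113.7", 51234, "192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\n"),
    ("tcp", "203.0.113.7", 51235, "192.0.2.10", 80, b"GET /default.ida?NNNNNNNN HTTP/1.0\r\n"),
    ("tcp", "203.0.113.9", 51236, "192.0.2.10", 8080, b"GET /default.ida?NNNNNNNN HTTP/1.0\r\n"),  # port mismatch
    ("udp", "198.51.100.4", 40000, "192.0.2.53", 53, b"\x12\x34\x01\x00default.ida"),
]

if __name__ == "__main__":
    for a in run_signature_ids(RULES, PACKETS):
        print(f"[sid {a['sid']}] {a['msg']}: {a['src']} -> {a['dst']}")
```

The third packet carries the same payload on a port the rule does not cover and is therefore silently missed, which is the "a signature must be created for every attack" limitation in practice.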
