Source: cysecure.org/470/18sp/indiProject/...intrusionDetectionPrevention.docx (web view)
IASP 470
Dr. John Yoon
Individual Project
Intrusion Detection and Prevention
Iliandra Gonzalez
Mercy College
Abstract
Intrusion detection and prevention go hand in hand because each depends on the other. The overall focus will be on what intrusion detection is, the types of protection available, and why it is necessary in cybersecurity. By observing the necessity of intrusion detection, one will understand the requirement for prevention. It is fine to alert the owner that something was stolen, but it would be better to prevent the theft in the first place. Overall, both intrusion detection and prevention will be analyzed in terms of what they are, how they work, the forms currently in use, the different types, and lastly why they are needed.
Introduction
In the world of cyber security, the importance of intrusion detection and prevention is clear. It is necessary in this field because, in a sense, it is the field. This leads to the first question: what is cyber security? Cyber security is the protection of information from criminal or unauthorized use of electronic data. This protection secures an individual's information or a company's data. When discussing data or information, it can refer to anything from an individual or a group up to a company. To provide security, both cyber security and physical security are needed. This is relevant to intrusion detection and prevention because intrusion detection is the alarm in this security system. An alarm is essential because if something is stolen, no one will know without an indication. Prevention is self-explanatory: the need to prevent any future incidents from happening is the reason protection is necessary.
Before going into why intrusion detection is important, a basic understanding is required. An intrusion detection system can be a device or a software application that monitors a network or system. It checks for any malicious activity or for policy violations. The intrusion detection system (IDS) can be split into two different types of detection: the host-based intrusion detection system (HIDS), which monitors important operating system files, and the network intrusion detection system (NIDS), which analyzes incoming network traffic. The differences between the two are minor yet significant, for they show in the actions taken during an attack.
The intrusion detection system is made up of two components: a management console and sensors. The management console is the reporting and management console, meaning it reports the information and manages it. This is for record purposes and allows the owner to review the information in case of any future attacks. The sensors monitor hosts and networks in real time. The intrusion detection system has a database of attack signatures. These attack signatures are patterns of different variations of attacks that were previously detected. The sensor portion detects any malicious activity and matches it with the corresponding packet. A packet is a unit of data that is sent between an origin and a destination. The sensor will scan for any activity that seems suspicious; if it finds some, it will then find the numbered packet with its internet address. If it finds a match, it will report it to management. However, the sensor can be configured to take different actions depending on the administrator.
An intrusion detection system functions by detecting anomalies with the aim of catching hackers before they do any damage to your network. As previously mentioned, it can be either host based (HIDS) or network based (NIDS). The detection works by looking for signatures of known attacks. It also checks for any deviations from normal activity. It uses this information to prevent attacks that are malicious to your network, identifying the threat and responding to it in a timely manner. The host-based intrusion detection system and the network intrusion detection system both protect the user from viruses, malware, and other malicious file types. The difference between the two, however, is that a NIDS can only be installed at certain intersection points, such as routers or servers. A HIDS can be, and usually is, installed on every host machine.
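The sensor logic described above, as an added example that is not part of the original paper: a small Python sensor that matches constructed packets against a constructed signature database and also applies one anomaly rule (a single source touching many ports), reporting the source address with each alert the way the console would record it. All addresses, ports and rule contents are made-up values.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    src: str       # origin internet address
    dst: str       # destination internet address
    proto: str
    dport: int
    payload: bytes

# Constructed attack-signature database: each entry is a pattern the sensor
# matches against a packet (protocol, destination port, payload content).
SIGNATURES = [
    {"id": 1, "name": "HTTP directory traversal", "proto": "tcp", "dport": 80, "content": b"../.."},
    {"id": 2, "name": "SQL injection probe", "proto": "tcp", "dport": 80, "content": b"' OR 1=1"},
]

# Anomaly rule: one source touching this many distinct ports deviates from normal traffic.
SCAN_THRESHOLD = 5

def match_signatures(pkt):
    """Return every signature whose protocol, port and content all match the packet."""
    return [s for s in SIGNATURES
            if s["proto"] == pkt.proto and s["dport"] == pkt.dport and s["content"] in pkt.payload]

def detect(packets):
    """Sensor logic: signature matches plus the port-scan anomaly check; alerts carry the source."""
    alerts = []
    ports_by_src = {}
    for pkt in packets:
        for sig in match_signatures(pkt):
            alerts.append(("signature", sig["id"], pkt.src))
        ports_by_src.setdefault(pkt.src, set()).add(pkt.dport)
    for src, ports in ports_by_src.items():
        if len(ports) >= SCAN_THRESHOLD:
            alerts.append(("anomaly", "port-scan", src))
    return alerts

# Constructed sample traffic: one traversal attempt, one normal request, one port sweep.
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.80", "tcp", 80, b"GET /../../etc/passwd HTTP/1.0"),
    Packet("10.0.0.9", "10.0.0.80", "tcp", 80, b"GET /index.html HTTP/1.0"),
] + [Packet("10.0.0.7", "10.0.0.80", "tcp", p, b"") for p in (21, 22, 23, 25, 80, 443)]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

The port sweep carries no payload and so matches no signature; only the anomaly rule catches it, which is why the paper lists both kinds of check.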
A host-based intrusion detection system is like a sensor: both collect information on the system being monitored. The data collected is recorded by operating system mechanisms referred to as audit trails. Another mechanism for recording data is system logs. System logs are generally text files that record what occurred and the actions taken at the time. A host-based system can become limited by audit trails since they can put a strain on performance. However, audit trails arm the user with useful data and are protected by the operating system; therefore, the system can hardly be considered limited by them. Host-based systems retrieve information from a host.
Network-based intrusion detection systems offer a different approach than host-based systems. Network-based systems collect information from the network itself, whereas host-based systems collect it from each separate host. A network-based system's information is collected from the network traffic stream. As stated previously, data travels on network segments. This system comes with attack signatures. Attack signatures are rules that define what an attack is. This gives the ability to customize the sensors rather than just collecting large amounts of information. This system is portable and does not degrade the performance of other programs running on the same network. However, since this system relies on stored information, or attack signatures, it will not detect any new exploits in the network.
The advantages of network intrusion detection systems are that they are low cost, are easier to deploy, and can detect network-based attacks. Furthermore, they are capable of retaining evidence, providing real-time detection and quick response, and detecting failed attacks. A NIDS can be deployed on each network segment, making it unnecessary to load software on every host. This reduces management effort, since there is no need for sensor software at the host level, and lowers the cost for the owner. It is easier to deploy since it does not affect the existing infrastructure, and it will monitor for attacks regardless of the operating system. A NIDS can detect attacks that host-based sensors fail to detect. Since a NIDS captures live network traffic, the attacker is incapable of removing evidence, because it is logged. Functioning in real time allows it to respond quickly to attacks. If a NIDS is deployed outside the firewall, it will detect any attacks the firewall prevented.
The advantages of a host-based intrusion detection system are that it verifies the success or failure of an attack, monitors the system's activities, and detects attacks that a NIDS fails to detect. Host-based systems also have close to real-time detection and response, do not require any additional hardware, and have a lower entry cost. Host-based systems monitor all user logons and activities, so improper changes can be tracked. The capability to detect attacks that network-based systems fail to see comes from the fact that a host-based system monitors a larger group of users: some attacks can come from a user, and the network-based systems will not be alerted. Because a NIDS checks for outside attacks and malicious activity on the network, it will not scan for unusual activity from a user.
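The host-based view described in the two passages above (audit trails and system logs as the data source, and a HIDS verifying whether an attack succeeded and tracking user logons), as an added example that is not part of the original paper: a Python routine that walks constructed syslog-style audit-trail lines and raises alerts for repeated failed logons, for a logon that succeeds after those failures, and for a user touching a watched operating system file. The log lines, host name, addresses and thresholds are all made-up values.

```python
import re
from collections import defaultdict

# Constructed audit-trail lines in a syslog-like layout (not taken from any real host).
AUDIT_TRAIL = """\
Mar 12 09:01:02 host1 sshd[412]: Failed password for root from 203.0.113.7 port 50211 ssh2
Mar 12 09:01:04 host1 sshd[412]: Failed password for root from 203.0.113.7 port 50212 ssh2
Mar 12 09:01:05 host1 sshd[412]: Failed password for root from 203.0.113.7 port 50213 ssh2
Mar 12 09:01:09 host1 sshd[412]: Accepted password for root from 203.0.113.7 port 50214 ssh2
Mar 12 09:02:30 host1 sshd[430]: Accepted publickey for alice from 10.0.0.5 port 40001 ssh2
Mar 12 09:03:11 host1 sudo: alice : TTY=pts/0 ; COMMAND=/usr/bin/cat /etc/shadow
"""

FAILED = re.compile(r"Failed password for (\S+) from (\S+)")
ACCEPTED = re.compile(r"Accepted \w+ for (\S+) from (\S+)")
SUDO = re.compile(r"sudo: (\S+) : .*COMMAND=(.+)$")
FAIL_LIMIT = 3                             # failed logons from one source before alerting
WATCHED = {"/etc/shadow", "/etc/passwd"}   # important operating system files

def analyze(log_text):
    """Walk the audit trail once and return (kind, user, detail) alerts."""
    alerts = []
    failures = defaultdict(int)
    for line in log_text.splitlines():
        if m := FAILED.search(line):
            user, src = m.groups()
            failures[(user, src)] += 1
            if failures[(user, src)] == FAIL_LIMIT:
                alerts.append(("brute-force", user, src))
        elif m := ACCEPTED.search(line):
            user, src = m.groups()
            # A success after repeated failures verifies that the attack worked,
            # which only the host's own logon records can show.
            if failures[(user, src)] >= FAIL_LIMIT:
                alerts.append(("success-after-failures", user, src))
        elif m := SUDO.search(line):
            user, cmd = m.groups()
            if any(path in cmd for path in WATCHED):
                alerts.append(("sensitive-file-access", user, cmd))
    return alerts

if __name__ == "__main__":
    for alert in analyze(AUDIT_TRAIL):
        print(alert)
```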
Continuing from intrusion detection, the goal is prevention. Intrusion prevention is a preemptive approach to network security which is used to identify threats and respond to them. It is similar to an intrusion detection system (IDS); however, it has its own identity. The intrusion prevention system (IPS) monitors network traffic like an IDS but handles it differently. The intrusion prevention system is a network security and threat prevention technology that examines network traffic flow. This is done to detect and prevent exploits of vulnerabilities in the network. It does not offer true real-time response, but since it checks and processes the attack, this can still be considered an advantage that host-based systems provide. Since host-based systems reside on the host systems, they do not require any additional hardware. Generally, host-based intrusion detection system sensors are cheaper compared to network-based intrusion detection systems.
The intrusion detection system and the intrusion prevention system both increase the security level of networks. They both monitor network traffic and inspect network packets. They scan each packet for any suspicious data. Detection in both the intrusion detection system and the intrusion prevention system is mostly based on signatures acquired over time or recognizable ones. The difference between an IPS and an IDS is the actions they take when an attack is detected. The actions that differ are focused on the initial phases of an attack, such as the network scanning and port scanning phases. Both help an individual and, at larger scales, a corporation.
Within the network scanning and port scanning phases, the main difference is that the intrusion detection system provides the network with a level of security against any suspicious activity by aiming warning messages at systems administrators. This achieves a level of preventive security against any suspicious activity. However, unlike an intrusion prevention system (IPS), it is not designed to block attacks. For the best security as a whole for the company, it is best to have both intrusion detection and prevention systems. A detailed overview of what an intrusion prevention system is and what it provides will be given to build an understanding of why it is necessary. Overall, both are required to ensure security for the owner in the long term, and there are several network intrusion detection tools available.
There are plenty of network intrusion detection tools out today; luckily, almost all are open source and available for different operating systems. Open source means the software's original source code is freely available and can be redistributed and modified. The top five network intrusion detection tools, according to Matthew Pascucci on SearchSecurity, start with Snort. Snort has been the leader among network intrusion detection and prevention tools. The other good options are Security Onion, OSSEC, OpenWIPS-NG, Suricata, and Bro IDS. Security Onion monitors networks and does intrusion detection. It distributes an image as sensors within the network to monitor several subnets and VLANs. It can run on virtual machines, including VMware. Next is OSSEC, whose client is capable of performing file integrity monitoring and rootkit detection. This is done to create different policies tailored to the company's needs. The next open source network detection tool is OpenWIPS-NG. It is a bit different, for it is a wireless intrusion detection and prevention system that relies on a server, sensor, or interface. This detection system runs on commodity hardware and can scan for, detect, and prevent attacks. The fourth one is Suricata, which has a similar architecture to Snort. The two both rely on signatures and can use the VRT Snort rules. Both also have the same Emerging Threats rule set; Suricata is simply newer. The last one is called Bro IDS. It is an intrusion detection system. Bro is like Security Onion because they both use more than intrusion detection system rules to detect the location of the attack. It is possible for Security Onion to write custom signatures since it has been documenting for the past fifteen years.
Intrusion detection systems are necessary for the protection of the company. The reason is that if a company's information gets stolen, there must be an indication that it was stolen. Otherwise, information can be stolen without any notice. The question is whether intrusion detection systems are important in cyber security. Detection is relevant because indication is necessary. If you get attacked, an alert should allow the company to detect the attack, while intrusion prevention is what protects the company from the attack. Prevention can avoid an attack, but is that enough security?
An intrusion prevention system is a system that monitors and prevents attacks. The intrusion prevention system is different from the intrusion detection system because it is placed on the direct communication path between the source and the destination. The intrusion prevention system examines network traffic flow to detect and prevent the exploitation of vulnerabilities. Generally, the prevention system will send an alarm to the administrator, drop malicious packets when they are received, block traffic from the source, and reset the connection. However, since the intrusion prevention system is an inline security component, it must work efficiently; otherwise the network's overall performance could degrade. An inline security component is a network device that receives packets and forwards them to their destination. It uses a database of signatures for recognition, so it will recognize attacks. It will see the patterns based on the traffic or behavior. However, most intrusion prevention systems come with a limitation, since they rely on predefined rules.
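The IDS-versus-IPS difference in actions described above, as an added example that is not part of the original paper: one Python sensor class run in detection mode (every packet is forwarded and an alert goes to the console) and in inline prevention mode (a matching packet is dropped, its source is blocked, and a connection reset is recorded). The signature database, addresses and traffic are constructed values.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes

# Constructed signature database (name -> destination port, payload content).
SIGNATURES = {"HTTP directory traversal": (80, b"../.."), "SQL injection probe": (80, b"' OR 1=1")}

def matching_signature(pkt):
    """Return the name of the first signature the packet matches, else None."""
    for name, (port, content) in SIGNATURES.items():
        if pkt.dport == port and content in pkt.payload:
            return name
    return None

class Sensor:
    """mode 'ids': out-of-band, every packet still reaches its destination and an alert is raised.
    mode 'ips': inline, a matching packet is dropped, its source is blocked and a reset is sent."""
    def __init__(self, mode):
        self.mode = mode
        self.console = []     # alerts reported to the management console
        self.blocked = set()  # sources the IPS refuses further traffic from
        self.resets = []      # (src, dst) pairs a connection reset was sent for
    def process(self, pkt):
        """Return the packet to forward, or None when the inline sensor dropped it."""
        if pkt.src in self.blocked:
            return None
        name = matching_signature(pkt)
        if name is None:
            return pkt
        self.console.append((name, pkt.src))
        if self.mode == "ids":
            return pkt        # detect only: report it, but the packet goes through
        self.blocked.add(pkt.src)
        self.resets.append((pkt.src, pkt.dst))
        return None

def run(mode, packets):
    sensor = Sensor(mode)
    delivered = [p for p in packets if sensor.process(p) is not None]
    return sensor, delivered

# Constructed traffic: one traversal attempt, then normal requests from the same and another host.
SAMPLE = [Packet("10.0.0.5", "10.0.0.80", 80, b"GET /../../etc/passwd HTTP/1.0"),
          Packet("10.0.0.5", "10.0.0.80", 80, b"GET /index.html HTTP/1.0"),
          Packet("10.0.0.9", "10.0.0.80", 80, b"GET /index.html HTTP/1.0")]
```

Because the IPS blocks the source, the second, harmless request from the same host is also dropped; that is the cost of inline control the paper's performance caveat alludes to.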
Similar to the intrusion detection system, there are host- and network-based products that function to provide protection. The following can be classified as intrusion prevention system programs. Generally, there are anti-virus programs and firewalls. Anti-virus programs can be viewed as clean-up programs. According to Nachenburg, "this approach has become reactive and in the ensuing period great damage has already been inflicted on thousands of targets host globally". Next are firewalls. The four different variations are static packet filtering, stateful packet filtering, stateful inspection, and proxy. Static packet filtering is the basic, or lowest, tier: it filters by allowing or denying users access past this "wall". Stateful is an upgrade, since it is a server: the user will request access from it and wait for a response. It is safer, but it leaves ports open. Stateful inspection can open or close ports at will, allowing it to be much more secure. A proxy holds rules and can break up a server connection to inspect the protocol's syntax. It, however, requires a lot of resources. Which one is more beneficial depends on the company.
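The difference between the basic static packet filter and stateful inspection described above, as an added example that is not part of the original paper: a Python stateless rule that must leave a port open for everyone so that replies get back in, beside a stateful inspector that opens a return path only for connections an inside host started and closes it again afterwards. The address range and packets are constructed values.

```python
from dataclasses import dataclass

INSIDE = "10.0.0."   # constructed internal address range

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True on the packet that opens a connection

def static_filter(pkt):
    """Basic tier: a fixed per-packet rule with no memory of earlier packets.
    To let inside hosts browse, replies from source port 80 must be allowed for
    everyone, so an outside host can also push unsolicited packets from port 80."""
    if pkt.src.startswith(INSIDE):
        return True
    return pkt.sport == 80

class StatefulInspector:
    """Opens a return path only for connections an inside host started,
    and closes it again when that connection ends."""
    def __init__(self):
        self.table = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def allow(self, pkt):
        if pkt.src.startswith(INSIDE):
            if pkt.syn:
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return key in self.table  # only replies to tracked connections get in

    def close(self, inside_ip, inside_port, outside_ip, outside_port):
        self.table.discard((inside_ip, inside_port, outside_ip, outside_port))

# Constructed traffic: an inside host opens a web connection, the server replies,
# and an unrelated outside host sends an unsolicited packet from source port 80.
OUTBOUND = Pkt("10.0.0.5", 40001, "198.51.100.20", 80, syn=True)
REPLY = Pkt("198.51.100.20", 80, "10.0.0.5", 40001)
UNSOLICITED = Pkt("198.51.100.66", 80, "10.0.0.5", 3389)

def compare():
    """Return (reply allowed, unsolicited allowed) for each firewall tier."""
    fw = StatefulInspector()
    fw.allow(OUTBOUND)
    return {"static": (static_filter(REPLY), static_filter(UNSOLICITED)),
            "stateful": (fw.allow(REPLY), fw.allow(UNSOLICITED))}
```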
While the two systems may differ, they also share many similarities. Both intrusion detection and prevention systems focus on security. They differ by the actions performed when monitoring users and the actions taken afterwards. The impact of intrusion detection and prevention systems is clearly illustrated by the protection they provide. By storing information and detecting behavior in packets, they stop old attacks from being reused and hamper future attacks. Overall, both can be used individually, the intrusion detection system giving visibility while the intrusion prevention system gives control. The two are not recommended to work together, and in the end it is up to the owner to choose between them. However, in terms of importance in cyber security, both have shaped the need for protection.
Works Cited
SANS Institute. (2000-2005). Host- vs. Network-Based Intrusion Detection Systems [PDF file]. Retrieved from https://www.giac.org/paper/gsec/1377/host-vs-network-based-intrusion-detection-systems/102574
SANS Institute InfoSec Reading Room. (2001). Intrusion Detection Systems: Definition, Need and Challenges [PDF file]. Retrieved from https://www.sans.org/reading-room/whitepapers/detection/intrusion-detection-systems-definition-challenges-343
Information Technology Laboratory. (2007). Intrusion Detection and Prevention Systems [PDF file]. Retrieved from http://ws680.nist.gov/publication/get_pdf.cfm?pub_id=51128
Pascucci, Matthew. "Top five free enterprise network intrusion-detection tools." SearchSecurity, Jan. 2013, http://searchsecurity.techtarget.com/tip/Top-five-free-enterprise-network-intrusion-detection-tools