1
Figure 10-4: Intrusion Detection Systems (IDSs)
IDSs
Event logging in log files
Analysis of log file data
Alarms
Too many false positives (false alarms)
Too many false negatives (overlooked incidents)
Log files for retrospective analysis by humans
2
Figure 10-4: Intrusion Detection Systems (IDSs)
Elements of an IDS (Figure 10-5)
Event logging
Analysis method
Action
Management
3
Figure 10-5: Elements of a Simple IDS
Management: Configuration, Tuning
Action: Alarms, Queries, Reports
Analysis: Attack Signatures and Heuristics
Logging (Data Collection): Individual Events are Time-Stamped; Log is Flat File of Events
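As an added illustration of the four elements in Figure 10-5 (this is example code, not from the textbook or slides), the Python sketch below reads a constructed flat file of time-stamped events, applies one attack signature and one heuristic, and raises alarms; the threshold and window in CONFIG are the management-level tuning knobs that trade false positives against false negatives.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Logging element: constructed sample of a flat file of time-stamped events
# (made up for this example, not output of any real system).
LOG = """\
2024-05-01T10:00:01 host=web1 src=198.51.100.7 event=login user=alice result=FAIL
2024-05-01T10:00:02 host=web1 src=198.51.100.7 event=login user=alice result=FAIL
2024-05-01T10:00:03 host=web1 src=198.51.100.7 event=login user=alice result=FAIL
2024-05-01T10:00:04 host=web1 src=198.51.100.7 event=login user=alice result=FAIL
2024-05-01T10:00:05 host=web1 src=198.51.100.7 event=login user=alice result=OK
2024-05-01T10:01:00 host=web1 src=203.0.113.9 event=http path=/cgi-bin/../../etc/passwd
2024-05-01T10:02:00 host=web1 src=203.0.113.10 event=login user=bob result=FAIL
2024-05-01T10:02:30 host=web1 src=203.0.113.10 event=login user=bob result=OK
"""

# Analysis element, part 1: attack signatures (known hostile patterns).
SIGNATURES = {"path-traversal": re.compile(r"path=\S*\.\./")}

# Management element: tunable heuristic parameters. A lower threshold means
# more false positives; a higher one means more false negatives.
CONFIG = {"fail_threshold": 3, "window": timedelta(seconds=60)}

def parse(line):
    """Split 'TIMESTAMP key=value ...' into a dict with a datetime 'ts'."""
    ts, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = datetime.fromisoformat(ts)
    return fields

def analyze(log_text, config=CONFIG):
    """Action element: return (time, alarm name, source) tuples."""
    alarms = []
    fails = defaultdict(list)  # src -> timestamps of recent failed logins
    for raw in log_text.splitlines():
        ev = parse(raw)
        for name, pattern in SIGNATURES.items():
            if pattern.search(raw):
                alarms.append((ev["ts"], name, ev["src"]))
        # Analysis element, part 2: heuristic -- N failed logins from one
        # source inside the sliding window; alarm once when N is reached.
        if ev.get("event") == "login" and ev.get("result") == "FAIL":
            recent = [t for t in fails[ev["src"]] if ev["ts"] - t <= config["window"]]
            recent.append(ev["ts"])
            fails[ev["src"]] = recent
            if len(recent) == config["fail_threshold"]:
                alarms.append((ev["ts"], "login-brute-force", ev["src"]))
    return alarms
```

With fail_threshold lowered to 1, bob's single mistyped password also fires, which is the false-positive side of the tuning trade-off from the first slide.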
4
Figure 10-4: Intrusion Detection Systems (IDSs)
Distributed IDSs (Figure 10-6)
Managers
Agents
Distribution of functionality between agents and managers (analysis and action)
5
Figure 10-6: Distributed IDS
[Figure: a Manager with its Log File receives log files, transferred in batch mode or real time, from Agents on a Host IDS, the Main Firewall (FW Log), a Site Internal Switch-Based Network IDS, and a Stand-Alone Network IDS at the Internet Connection]
6
Figure 10-4: Intrusion Detection Systems (IDSs)
Distributed IDSs (Figure 10-6)
Batch versus Real-Time Data Transfer
Batch mode: Every few minutes or hours; efficient
Real-time: As events occur or shortly afterward; little or no data loss if attacker eliminates log file on agent’s computer
7
Figure 10-4: Intrusion Detection Systems (IDSs)
Distributed IDSs (Figure 10-6)
Secure manager-agent communication
Vendor’s automatic updates with secure communication
Network IDSs (NIDSs)
Capture packets
Stand-alone NIDS collects data for only its portion of the network
Switch or router NIDSs can collect data on all ports
8
Figure 10-4: Intrusion Detection Systems (IDSs)
Network IDSs (NIDSs)
NIDS placement
Between main firewall and internal or external network for relevant or all attacks
At internal points to detect internal mischief
Weaknesses
Blind spots in network where no NIDS data is collected
Cannot filter encrypted packets